DNS based enforcement for confinement and detection of network malicious activities
12 Assignments
0 Petitions
Abstract
Malicious network activities do not make use of the Domain Name System (DNS) protocol to reach remote targets outside a local network. This DNS-based enforcement system for confinement and detection of network malicious activities requires that every connection toward a resource located outside the local network is blocked by default by the local enforcement box, e.g. a firewall or a proxy. Outbound connections are allowed to leave the local network only when authorized directly by an entity called the DNS Gatekeeper.
19 Claims
1. A system for detection and confinement of network malicious activities originating from a local host on a local network to a remote host outside of said local network, comprising:
a local domain name server (DNS) server for receiving from said local host a request for an outbound connection to said remote host, completing a DNS lookup to obtain the IP address of said remote host, and generating a conformity indication; and
a local enforcement unit connected between said local network and the remote host, for blocking establishment of said outbound connection by default, until it receives said conformity indication. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 12)
10. A method for detection and confinement of network malicious activities originating from a local host on a local network to a remote host outside of said local network, comprising the steps of:
a) generating a conformity indication in response to a DNS lookup performed by said local host into a local domain name system (DNS) server on said local network, in order to obtain the IP address of said remote host;
b) generating a connection authorization indication using an enforcement unit, based on said conformity indication and a list with specified exceptions including local hosts that are allowed to access specified remote resources without a DNS lookup; and
c) blocking establishment of said outbound connection by default, until receipt of said connection authorization indication. (Dependent claims: 11, 13, 14, 15, 16, 17, 18, 19)
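A minimal model of steps a) to c) above, added here as an illustration and not code from the patent: the local DNS server (the DNS Gatekeeper) issues a conformity indication per (local host, resolved IP) pair, and the enforcement unit denies every outbound connection unless a fresh indication or an entry in the exception list covers it, recording each denied attempt as a detection event. All host names, IP addresses and the zone data are constructed.

```python
import time

# Constructed stand-in for the local DNS server's resolvable names (not real hosts).
FAKE_ZONE = {"update.example.test": "203.0.113.10"}


class DnsGatekeeper:
    """Local DNS server: resolves a name and hands a conformity indication to the enforcement unit."""

    def __init__(self, enforcement, zone=FAKE_ZONE):
        self.enforcement = enforcement
        self.zone = zone

    def lookup(self, local_host, name, ttl=30):
        ip = self.zone.get(name)
        if ip is None:
            return None  # no answer, so no indication: the connection stays blocked
        # Conformity indication: this host obtained this IP via DNS; valid for ttl seconds.
        self.enforcement.conformity(local_host, ip, time.time() + ttl)
        return ip


class EnforcementUnit:
    """Firewall/proxy: outbound is denied by default until an indication or an exception applies."""

    def __init__(self, exceptions=None):
        self.exceptions = exceptions or {}  # {local_host: {remote_ip, ...}} allowed without DNS lookup
        self.pending = {}                   # {(local_host, remote_ip): expiry timestamp}
        self.alerts = []                    # blocked attempts: the detection signal of the scheme

    def conformity(self, local_host, remote_ip, expiry):
        self.pending[(local_host, remote_ip)] = expiry

    def authorize(self, local_host, remote_ip, now=None):
        """Step b)/c): True if the connection may leave the network, False (and alert) otherwise."""
        now = time.time() if now is None else now
        if remote_ip in self.exceptions.get(local_host, ()):
            return True
        expiry = self.pending.get((local_host, remote_ip))
        if expiry is not None and now <= expiry:
            return True
        self.pending.pop((local_host, remote_ip), None)  # discard a stale indication
        self.alerts.append((local_host, remote_ip))      # connection without a prior DNS lookup
        return False


if __name__ == "__main__":
    enf = EnforcementUnit(exceptions={"10.0.0.30": {"192.0.2.7"}})
    gk = DnsGatekeeper(enf)
    ip = gk.lookup("10.0.0.10", "update.example.test")
    print("after lookup:", enf.authorize("10.0.0.10", ip))          # True
    print("no lookup:", enf.authorize("10.0.0.20", "198.51.100.5"))  # False
    print("alerts:", enf.alerts)
```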
Specification