Distributed frequency data collection via DNS

US 20090083413A1
Filed: 09/24/2007
Published: 03/26/2009
Est. Priority Date: 09/24/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method of monitoring data traffic comprising:

detecting occurrence of a transfer of a block of data with respect to a network node;

generating an indicator that is specifically related to contents of said block of data; and

reporting said transfer, including utilizing said indicator in a Domain Name Service (DNS) request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Domain Name Service (DNS) requests are used as the reporting vehicle for ensuring that security-related information can be transferred from a network. As one possibility, a central facility for a security provider may maintain a data collection capability that is based upon receiving the DNS requests containing the information being reported. In an email application, if a data block is embedded within or attached to an email message, an algorithm is applied to the data block to generate an indicator that is specifically related to the contents of the data block. As one possibility, the algorithm may generate a hash that provides a “digital fingerprint” having a reasonable likelihood that the hash is unique to the data block. By embedding the hash within a DNS request, the request becomes a report that the data block has been accessed.

79 Citations

View as Search Results

29 Claims

1. A method of monitoring data traffic comprising:
- detecting occurrence of a transfer of a block of data with respect to a network node;
  
  generating an indicator that is specifically related to contents of said block of data; and
  
  reporting said transfer, including utilizing said indicator in a Domain Name Service (DNS) request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein generating said indicator includes applying a particular algorithm to said block of data to define said indicator as a digital fingerprint that is a function of said algorithm.
  - 3. The method of claim 2 wherein generating said indicator includes outputting a hash as a consequence of applying said algorithm, said reporting including forming said DNS request to include said hash.
  - 4. The method of claim 1 wherein said reporting includes transmitting said DNS request to a remote site via a global communications network, thereby enabling said remote site to determine a count of occurrences of transfers of said block of data.
  - 5. The method of claim 4 further comprising receiving instructions from said remote site as a response to said DNS request, said instructions being relevant to processing of said data traffic being monitored.
  - 6. The method of claim 4 wherein said remote site is maintained by a central security provider enabled to select and implement corrective action on a basis of said count of occurrences of transfers.
  - 7. The method of claim 6 wherein generating said indication is executed at one of a plurality of independent networks that are enabled to exchange data with said central security provider, said networks using a same algorithm to generate hashes upon said occurrences of transfers of blocks of data.
  - 8. The method of claim 7 further comprising enabling said central security provider to receive DNS requests from each said network, wherein at least some of said DNS requests include said hashes.
  - 9. The method of claim 1 further comprising combining a plurality of different said indications to form an aggregated said DNS request.
  - 10. The method of claim 1 wherein detecting said transfer is specific to monitoring email transmissions.
  - 11. The method of claim 10 wherein said block of data is an attachment of an email message.
  - 12. The method of claim 10 wherein said block of data is an image which is a component of an email message.
  - 13. The method of claim 10 wherein said indicator is generated to identify Uniform Resource Locators (URLs) detected within said email transmissions.
  - 14. The method of claim 10 wherein said indicator is generated to identify IP addresses relevant to said email transmissions.
  - 15. The method of claim 1 wherein said indicator is generated to identify an IP address of a source of said block of data.

16. A method of providing security for a plurality of networks comprising:
- receiving Domain Name Service (DNS) requests originating from said networks, including DNS requests that include hashes determined at said networks by applications of an algorithm to transferred data blocks;
  
  determining frequencies of transfers of different data blocks based on receiving said DNS requests that include different said hashes; and
  
  forwarding security updates to said networks at least partially on a basis of determinations of said frequencies.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16 wherein forwarding said security updates relates to updating email security rules for application by spam filters of said networks.
  - 18. The method of claim 17 wherein said hashes are formed upon applying said algorithm to components of emails exchanged via the Internet, said components including attachments and embedded images.
  - 19. The method of claim 16 wherein receiving said DNS requests includes identifications of domain names containing said hashes.
  - 20. The method of claim 16 wherein at least some of said DNS requests include indications of counts of transfers of said data blocks at individual said networks.
  - 21. The method of claim 16 wherein each said DNS request includes a digital signature verifying the source of said DNS request, thereby enabling authentification of authorization to affect determinations of said frequencies.

22. A network comprising:
- a plurality of user devices;
  
  a network email server configured to enable email exchanges to and from said user devices;
  
  a network email security device configured to filter said email exchanges, said network email security device including an algorithm component specific to generating digital signatures for components of email messages, said network email security device having a reporting component specific to forming and transmitting domain names that include said digital signatures; and
  
  a network firewall connected along a path from the Internet and each of said user devices and said network email security devices.
- View Dependent Claims (23, 24, 25)
- - 23. The network of claim 22 wherein said reporting component is configured to transmit said domain names as DNS requests.
  - 24. The network of claim 22 wherein said algorithm component is configured to generate a hash for data blocks that are transferred in said email exchanges, said data blocks including images and file attachments.
  - 25. The network of claim 22 wherein said reporting component is configured to transmit said domain names to a central security provider, said network email security device being responsive to security updates received from said central security provider.

26. A method of collecting data from a plurality of nodes comprising:
- at each of said nodes, determining information that is to be reported in order to enable data collection;
  
  utilizing DNS requests as reporting vehicles for transmitting said information via the Internet, including embedding said information within said DNS requests in a format consistent with a protocol for transmissions via said Internet and further including forwarding said DNS requests for purposes of enabling said data collection; and
  
  collecting said information as a consequence of said DNS requests.
- View Dependent Claims (27, 28, 29)
- - 27. The method of claim 26 wherein formatting said DNS requests includes incorporating a unique feature into said DNS requests from a particular one of said nodes, such that said DNS requests are not satisfied by operation of a local DNS server.
  - 28. The method of claim 27 wherein said formatting utilizes time stamping to provide said unique feature.
  - 29. The method of claim 27 wherein said formatting utilizes incorporating an incremented count for duplicate said DNS requests from said particular node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
Evans, Joseph Wilson, Levow, Zachary S.

Application Number

US11/903,605
Publication Number

US 20090083413A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

Distributed frequency data collection via DNS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed frequency data collection via DNS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links