METHOD AND SYSTEM FOR DETECTING MALICIOUS AND/OR BOTNET-RELATED DOMAIN NAMES

US 20100037314A1
Filed: 08/10/2009
Published: 02/11/2010
Est. Priority Date: 08/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method of detecting at least one malicious and/or botnet-related domain name, comprising:

reviewing at least one domain name used in Domain Name System (DNS) traffic in at least one network;

searching for information about the at least one domain name, the information related to;

information about the at least one domain name in at least one domain name white list and/or at least one domain name suspicious list; and

information about the at least one domain name using an Internet search engine,wherein the Internet search engine determines if there are no search results or at least one search result with a link to at least one malware analysis site; and

designating the at least one domain name as malicious and/or botnet-related based on the information.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system of detecting a malicious and/or botnet-related domain name, comprising: reviewing a domain name used in Domain Name System (DNS) traffic in a network; searching for information about the domain name, the information related to: information about the domain name in a domain name white list and/or a domain name suspicious list; and information about the domain name using an Internet search engine, wherein the Internet search engine determines if there are no search results or search results with a link to at least one malware analysis site; and designating the domain name as malicious and/or botnet-related based on the information.

548 Citations

24 Claims

1. A method of detecting at least one malicious and/or botnet-related domain name, comprising:
- reviewing at least one domain name used in Domain Name System (DNS) traffic in at least one network;
  
  searching for information about the at least one domain name, the information related to;
  
  information about the at least one domain name in at least one domain name white list and/or at least one domain name suspicious list; and
  
  information about the at least one domain name using an Internet search engine,wherein the Internet search engine determines if there are no search results or at least one search result with a link to at least one malware analysis site; and
  
  designating the at least one domain name as malicious and/or botnet-related based on the information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the at least one domain name is monitored and statistics are gathered related to the at least one domain name.
  - 3. The method of claim 2, wherein the statistics include:
    - a number of queries to each domain name during a time period;
      
      a number of distinct resolved IP addresses observed during the time period;
      
      or a number of distinct source IP addresses the queried each domain name during the time period;
      
      or any combination thereof.
  - 4. The method of claim 2, wherein the at least one domain name to be monitored is part of at least one sample chosen from a plurality of domain names.
  - 5. The method of claim 1, wherein the at least one malicious and/or botnet-related domain name is further classified as malicious or questionable.
  - 6. The method of claim 1, wherein the at least one domain name is ranked based on probabilities related to how malicious and/or botnet-related the at least one domain name is.
  - 7. The method of claim 1, wherein the information further comprises performing at least one reverse lookup on the at least one domain name.
  - 8. The method of claim 1, wherein the at least one domain name to be monitored is filtered.
  - 9. The method of claim 1, wherein the at least one domain name to be monitored is filtered by determining if a second level domain (2LD) of the at least one domain name is in at least one domain name white list.
  - 10. The method of claim 9, wherein the at least one domain name to be monitored is further filtered by determining if a top level domain (TLD) of the at least one domain name is in at least one domain name suspicious list.
  - 11. The method of claim 10, wherein the at least one domain name to be monitored is further filtered by determining if the second level domain (2LD) of the at least one domain name is in a DDNS 2LD suspicious list.
  - 12. The method of claim 1, wherein the information is related to:
    - information regarding whether or not a resolved IP address of the at least one domain name is that of at least one DSL or at least one dial-up connection; and
      
      /orinformation on geographic location of the at least one resolved IP address, at least one Autonomous System (AS) number, or at least one AS name.

13. A computerized system for performing malware analysis on at least one guest environment, the system comprising:
- at least one server coupled to at least one network;
  
  at least one user terminal coupled to the at least one network;
  
  at least one application coupled to the at least one server and/or the at least one user terminal, wherein the at least one application is configured for;
  
  reviewing at least one domain name used in Domain Name System (DNS) traffic in at least one network;
  
  searching for information about the at least one domain name, the information related to;
  
  information about the at least one domain name in at least one domain name white list and/or at least one domain name suspicious list; and
  
  information about the at least one domain name using an Internet search engine,wherein the Internet search engine determines if there are no search results or at least one search result with a link to at least one malware analysis site; and
  
  designating the at least one domain name as malicious and/or botnet-related based on the information.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the at least one domain name is monitored and statistics are gathered related to the at least one domain name.
  - 15. The system of claim 14, wherein the statistics include:
    - a number of queries to each domain name during a time period;
      
      a number of distinct resolved IP addresses observed during the time period;
      
      or a number of distinct source IP addresses the queried each domain name during the time period;
      
      or any combination thereof.
  - 16. The system of claim 13, wherein the at least one domain name to be monitored is part of at least one sample chosen from a plurality of domain names.
  - 17. The system of claim 13, wherein the at least one malicious and/or botnet-related domain name is further classified as malicious or questionable.
  - 18. The system of claim 13, wherein the at least one domain name is ranked based on probabilities related to how malicious and/or botnet-related the at least one domain name is.
  - 19. The system of claim 13, wherein the information further comprises performing at least one reverse lookup on the at least one domain name.
  - 20. The system of claim 13, wherein the at least one domain name to be monitored is filtered.
  - 21. The system of claim 13, wherein the at least one domain name to be monitored is filtered by determining if a second level domain (2LD) of the at least one domain name is in at least one domain name white list.
  - 22. The system of claim 21, wherein the at least one domain name to be monitored is further filtered by determining if a top level domain (TLD) of the at least one domain name is in at least one domain name suspicious list.
  - 23. The system of claim 22, wherein the at least one domain name to be monitored is further filtered by determining if the second level domain (2LD) of the at least one domain name is in a DDNS 2LD suspicious list.
  - 24. The system of claim 13, wherein the information is related to:
    - information regarding whether or not a resolved IP address of the at least one domain name is that of at least one DSL or at least one dial-up connection; and
      
      /orinformation on geographic location of the at least one resolved IP address, at least one Autonomous System (AS) number, or at least one AS name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
PERDISCI, Roberto, LEE, Wenke

Granted Patent

US 10,027,688 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 2463/144 Detection or countermeasure...

H04L 63/1416 Event detection, e.g. attac...

METHOD AND SYSTEM FOR DETECTING MALICIOUS AND/OR BOTNET-RELATED DOMAIN NAMES

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

548 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

METHOD AND SYSTEM FOR DETECTING MALICIOUS AND/OR BOTNET-RELATED DOMAIN NAMES

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

548 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others