Detecting DGA-Based Malicious Software Using Network Flow Information
First Claim
1. A computer-implemented method comprising:
- using a computing device, in a communications network that comprises at least a plurality of hosts, receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;
- using the computing device, determining a number of internet protocol addresses contacted by the particular host;
- using the computing device, determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted.
Abstract
Detecting DGA-based malware is disclosed. In an embodiment, a number of domain name server requests originating from a particular host among a plurality of hosts is determined, where the domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses contacted by the particular host is also determined. Based on the number of domain name server requests and the number of internet protocol addresses contacted, the existence of malware on the particular host is determined.
20 Claims
1. A computer-implemented method comprising: (text as set out above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 16, 17, 18, 19, 20.
11. A data processing apparatus configured with improved detection of DGA-based malware based upon network flow information, comprising:
- one or more processors;
- one or more interfaces that are configured to couple to a communications network that comprises at least a plurality of hosts;
- one or more non-transitory computer-readable storage media storing one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform: receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers; determining a number of internet protocol addresses contacted by the particular host; determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted.
Dependent claims: 12, 13, 14, 15.
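The abstract and claims 1 and 11 describe the two per-host counts derived from flow records at an observation point, but not how they are combined. The following is an added illustration, not the patent's own code: it aggregates constructed NetFlow-style records (source host, destination IP, destination port) and applies one assumed heuristic, that a host issuing many DNS requests while contacting few IP addresses is suspicious, because a DGA client resolves many candidate domains of which only a few ever answer. The thresholds `min_dns` and `max_ip_ratio` are assumptions chosen for the sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field

RESOLVER = "10.0.0.53"  # constructed: the site's DNS server


def _host_flows(src, n_dns, n_ips):
    """Constructed sample flows: n_dns queries to the resolver, then n_ips distinct TCP/443 peers."""
    dns = [(src, RESOLVER, 53)] * n_dns
    web = [(src, f"203.0.113.{i}", 443) for i in range(1, n_ips + 1)]
    return dns + web


# Constructed observation-point export: one tuple per flow.
FLOWS = (
    _host_flows("10.0.0.20", 15, 15)   # ordinary workstation: each lookup leads to a connection
    + _host_flows("10.0.0.9", 40, 38)  # busy web user: many lookups, many peers
    + _host_flows("10.0.0.5", 60, 2)   # constructed DGA-like host: many lookups, two peers
)


@dataclass
class HostStats:
    dns_requests: int = 0                          # claim element: number of DNS requests
    contacted_ips: set = field(default_factory=set)  # claim element: IPs contacted (non-DNS flows)


def aggregate(flows):
    """Derive both per-host counts from flow records; DNS is identified by destination port 53."""
    stats = defaultdict(HostStats)
    for src, dst, dport in flows:
        h = stats[src]
        if dport == 53:
            h.dns_requests += 1
        else:
            h.contacted_ips.add(dst)
    return stats


def suspected_dga_hosts(flows, min_dns=20, max_ip_ratio=0.25):
    """Assumed heuristic: flag hosts with at least min_dns requests whose distinct contacted IPs
    number no more than max_ip_ratio of those requests. Returns {host: (dns_requests, n_ips)}."""
    flagged = {}
    for host, s in aggregate(flows).items():
        n_ips = len(s.contacted_ips)
        if s.dns_requests >= min_dns and n_ips <= max_ip_ratio * s.dns_requests:
            flagged[host] = (s.dns_requests, n_ips)
    return flagged


if __name__ == "__main__":
    for host, (n_dns, n_ips) in suspected_dga_hosts(FLOWS).items():
        print(f"{host}: {n_dns} DNS requests, {n_ips} IPs contacted -> suspected DGA activity")
```

On the constructed data only 10.0.0.5 is flagged; the busy web user is not, because its lookups are matched by connections.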