SYSTEMS AND METHODS FOR DETECTING MALWARE INFECTIONS VIA DOMAIN NAME SERVICE TRAFFIC ANALYSIS
First Claim
1. A computer-implemented method for detecting malware infections via domain name service traffic analysis, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, on the computing device, a failed domain name service request originating from the computing device;
- creating a record comprising information about the failed domain name request and a static unique identifier for the computing device;
- correlating the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;
- determining, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request.
2 Assignments
0 Petitions
Abstract
The disclosed computer-implemented method for detecting malware infections via domain name service traffic analysis may include (1) detecting, on the computing device, a failed domain name service request originating from the computing device, (2) creating a record including information about the failed domain name request and a static unique identifier for the computing device, (3) correlating the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier, and (4) determining, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for detecting malware infections via domain name service traffic analysis, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, on the computing device, a failed domain name service request originating from the computing device;
- creating a record comprising information about the failed domain name request and a static unique identifier for the computing device;
- correlating the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;
- determining, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting malware infections via domain name service traffic analysis, the system comprising:
- a detection module, stored in memory, that detects, on the computing device, a failed domain name service request originating from the computing device;
- a creation module, stored in memory, that creates a record comprising information about the failed domain name request and a static unique identifier for the computing device;
- a correlation module, stored in memory, that correlates the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;
- a determination module, stored in memory, that determines, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request;
- at least one physical processor configured to execute the detection module, the creation module, the correlation module, and the determination module.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect, on the computing device, a failed domain name service request originating from the computing device;
- create a record comprising information about the failed domain name request and a static unique identifier for the computing device;
- correlate the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;
- determine, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request.
Dependent claims: 16, 17, 18, 19, 20.
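The four steps the independent claims recite (detect a failed request, record it with a static device identifier, correlate with that device's previous records, decide) can be illustrated with a small host-side correlator. The following is an added example written for this page; it is not code from the patent or its assignee. It assumes a constructed agent log format (`<ISO time> host=<id> qname=<name> rcode=<code>`), constructed machine identifiers, and an assumed decision rule (a threshold on the number of distinct failed names per identifier within a sliding window); the patent itself specifies none of these values.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FailedLookup:
    """One record: the failed request plus the device's static unique identifier."""
    host_id: str      # static identifier (constructed machine GUID), not the changeable IP
    ts: datetime
    qname: str
    rcode: str


# Constructed log format assumed here: "<ISO time> host=<id> qname=<name> rcode=<code>"
_LINE = re.compile(r"^(\S+) host=(\S+) qname=(\S+) rcode=(\S+)$")


def parse_line(line: str) -> FailedLookup | None:
    """Turn one agent log line into a record; lines that are not failures yield None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts_raw, host_id, qname, rcode = m.groups()
    if rcode not in ("NXDOMAIN", "SERVFAIL"):
        return None  # successful lookups take no part in the correlation
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    return FailedLookup(host_id, ts, qname.lower().rstrip("."), rcode)


class FailedDnsCorrelator:
    """Keeps a sliding window of failed lookups per static host identifier and
    flags the host when the number of *distinct* failed names in the window
    reaches the threshold. Window and threshold are assumed values."""

    def __init__(self, window_seconds: int = 300, threshold: int = 8):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self._records: dict[str, deque[FailedLookup]] = defaultdict(deque)

    def observe(self, rec: FailedLookup) -> bool:
        """Store rec, correlate it with the host's previous records, return the verdict."""
        q = self._records[rec.host_id]
        q.append(rec)
        cutoff = rec.ts - self.window
        while q and q[0].ts < cutoff:  # drop previous records outside the window
            q.popleft()
        distinct = {r.qname for r in q}
        return len(distinct) >= self.threshold


def flagged_hosts(lines, **kwargs) -> set[str]:
    """Run the correlator over log lines and return identifiers judged infected."""
    corr = FailedDnsCorrelator(**kwargs)
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and corr.observe(rec):
            flagged.add(rec.host_id)
    return flagged


def build_sample_log() -> list[str]:
    """Constructed sample: three hosts observed in the same five-minute period."""
    t0 = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(host, offset_s, qname, rcode="NXDOMAIN"):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} host={host} qname={qname} rcode={rcode}"

    lines = []
    # Host A: twelve failures to twelve different random-looking names within two minutes
    for i in range(12):
        lines.append(line("MACHINE-GUID-A", 10 * i, f"kx{i:02d}q7ab.invalid"))
    # Host B: three typo-style failures spread across the period
    for i, name in enumerate(["gogle.invalid", "intrnet.invalid", "mail.invalid"]):
        lines.append(line("MACHINE-GUID-B", 90 * i, name))
    # Host C: twelve failures, but all for the same unreachable intranet name
    for i in range(12):
        lines.append(line("MACHINE-GUID-C", 10 * i, "printer.corp.invalid", "SERVFAIL"))
    # A successful lookup from host A, which parse_line ignores
    lines.append(line("MACHINE-GUID-A", 125, "example.invalid", "NOERROR"))
    return lines


if __name__ == "__main__":
    print(sorted(flagged_hosts(build_sample_log())))  # ['MACHINE-GUID-A']
```

Keying the window on the static identifier rather than the source IP is what lets the correlation survive DHCP lease changes and roaming; counting distinct names rather than raw failures keeps a host that repeatedly retries one dead intranet name (host C) from being treated like one that cycles through many never-registered names (host A).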