SYSTEMS AND METHODS FOR DETECTING MALWARE INFECTIONS VIA DOMAIN NAME SERVICE TRAFFIC ANALYSIS

US 20170155667A1
Filed: 11/30/2015
Published: 06/01/2017
Est. Priority Date: 11/30/2015
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for detecting malware infections via domain name service traffic analysis, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

detecting, on the computing device, a failed domain name service request originating from the computing device;

creating a record comprising information about the failed domain name request and a static unique identifier for the computing device;

correlating the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;

determining, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting malware infections via domain name service traffic analysis may include (1) detecting, on the computing device, a failed domain name service request originating from the computing device, (2) creating a record including information about the failed domain name request and a static unique identifier for the computing device, (3) correlating the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier, and (4) determining, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for detecting malware infections via domain name service traffic analysis, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- detecting, on the computing device, a failed domain name service request originating from the computing device;
  
  creating a record comprising information about the failed domain name request and a static unique identifier for the computing device;
  
  correlating the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;
  
  determining, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein:
    - creating the record comprises sending a message from the computing device to a network-level analysis system;
      
      correlating the record with the set of previous records comprises correlating, by the network-level analysis system, the message with a set of previous messages sent by the computing device with the static unique identifier;
      
      determining that the computing device is infected with the malware comprises determining, by the network-level analysis system, that the computing device is infected with malware.
  - 3. The computer-implemented method of claim 1, wherein the set of previous records about failed domain name service requests originating from the computing device with the static unique identifier comprises records of failed domain name service requests originating from the computing device with the static unique identifier on a plurality of different networks.
  - 4. The computer-implemented method of claim 1, wherein determining that the computing device is infected with the malware comprises determining that the computing device with the static unique identifier has generated a percentage of failed domain name service requests that exceeds a predetermined threshold for benign percentages of failed domain name service requests.
  - 5. The computer-implemented method of claim 4, wherein the predetermined threshold for benign percentages of failed domain name service requests comprises a statistical norm of failed domain name service requests across a plurality of computing devices.
  - 6. The computer-implemented method of claim 1, further comprising performing a malware remediation action on the computing device with the static unique identifier based on determining that the computing device is infected with the malware.
  - 7. The computer-implemented method of claim 1, wherein the static unique identifier comprises an identifier that is not assigned to the computing device by a network and that can only be changed by an administrator.

8. A system for detecting malware infections via domain name service traffic analysis, the system comprising:
- a detection module, stored in memory, that detects, on the computing device, a failed domain name service request originating from the computing device;
  
  a creation module, stored in memory, that creates a record comprising information about the failed domain name request and a static unique identifier for the computing device;
  
  a correlation module, stored in memory, that correlates the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;
  
  a determination module, stored in memory, that determines, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request;
  
  at least one physical processor configured to execute the detection module, the creation module, the correlation module, and the determination module.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein:
    - the creation module creates the record by sending a message from the computing device to a network-level analysis system;
      
      the correlation module correlates the record with the set of previous records by correlating, by the network-level analysis system, the message with a set of previous messages sent by the computing device with the static unique identifier;
      
      the determination module determines that the computing device is infected with the malware by determining, by the network-level analysis system, that the computing device is infected with malware.
  - 10. The system of claim 8, wherein the set of previous records about failed domain name service requests originating from the computing device with the static unique identifier comprises records of failed domain name service requests originating from the computing device with the static unique identifier on a plurality of different networks.
  - 11. The system of claim 8, wherein the determination module determines that the computing device is infected with the malware by determining that the computing device with the static unique identifier has generated a percentage of failed domain name service requests that exceeds a predetermined threshold for benign percentages of failed domain name service requests.
  - 12. The system of claim 11, wherein the predetermined threshold for benign percentages of failed domain name service requests comprises a statistical norm of failed domain name service requests across a plurality of computing devices.
  - 13. The system of claim 8, further comprising a remediation module, stored in memory, that performs a malware remediation action on the computing device with the static unique identifier based on determining that the computing device is infected with the malware.
  - 14. The system of claim 8, wherein the static unique identifier comprises an identifier that is not assigned to the computing device by a network and that can only be changed by an administrator.

15. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- detect, on the computing device, a failed domain name service request originating from the computing device;
  
  create a record comprising information about the failed domain name request and a static unique identifier for the computing device;
  
  correlate the record with a set of previous records about failed domain name service requests originating from the computing device with the static unique identifier;
  
  determine, based on correlating the record with the set of previous records, that the computing device is infected with malware that generated the failed domain name service request.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-readable instructions cause the computing device to:
    - create the record by sending a message from the computing device to a network-level analysis system;
      
      correlate the record with the set of previous records by correlating, by the network-level analysis system, the message with a set of previous messages sent by the computing device with the static unique identifier;
      
      determine that the computing device is infected with the malware by determining, by the network-level analysis system, that the computing device is infected with malware.
  - 17. The non-transitory computer-readable medium of claim 15, wherein the set of previous records about failed domain name service requests originating from the computing device with the static unique identifier comprises records of failed domain name service requests originating from the computing device with the static unique identifier on a plurality of different networks.
  - 18. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-readable instructions cause the computing device to determine that the computing device is infected with the malware by determining that the computing device with the static unique identifier has generated a percentage of failed domain name service requests that exceeds a predetermined threshold for benign percentages of failed domain name service requests.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the predetermined threshold for benign percentages of failed domain name service requests comprises a statistical norm of failed domain name service requests across a plurality of computing devices.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the one or more computer-readable instructions cause the computing device to perform a malware remediation action on the computing device with the static unique identifier based on determining that the computing device is infected with the malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E.

Application Number

US14/954,425
Publication Number

US 20170155667A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

SYSTEMS AND METHODS FOR DETECTING MALWARE INFECTIONS VIA DOMAIN NAME SERVICE TRAFFIC ANALYSIS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETECTING MALWARE INFECTIONS VIA DOMAIN NAME SERVICE TRAFFIC ANALYSIS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links