NETWORK ANOMALY DETECTION
First Claim
1. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for network anomaly detection, the machine-readable storage medium comprising instructions to cause the hardware processor to:
- receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device;
- provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on characteristics of the at least one DNS query packets;
- receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the at least one DNS query packets; and
- in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly.
Abstract
Examples relate to detecting network anomalies. In one example, a computing device may: receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device; provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on characteristics of the DNS query packets; receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the DNS query packets; and in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly.
15 Claims
1. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for network anomaly detection, the machine-readable storage medium comprising instructions to cause the hardware processor to:
- receive, from each of a plurality of packet capture devices of a private network, domain name system (DNS) query packets that were sent by a particular client computing device operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies the particular client computing device;
- provide at least one of the DNS query packets to a DNS traffic analyzer that is trained to identify DNS anomalies based on characteristics of the at least one DNS query packets;
- receive anomaly output from the DNS traffic analyzer, the anomaly output indicating a DNS anomaly that was identified for the at least one DNS query packets; and
- in response to receiving the anomaly output, provide a user device with data specifying the identified DNS anomaly.
Dependent claims: 2, 3, 4, 5.
6. A computing device for network anomaly detection, the computing device comprising:
- a hardware processor; and
- a data storage device storing instructions that, when executed by the hardware processor, cause the hardware processor to:
  - obtain, from a plurality of network packet capture devices of a private network, a set of domain name system (DNS) packets, each DNS packet i) being addressed to a DNS server, and ii) having a source address that specifies a client computing device included in the private network;
  - identify, from the set of DNS packets, whitelist DNS packets that specify a whitelisted domain name included in a whitelist of domain names;
  - identify, from the set of DNS packets, blacklist DNS packets that specify a blacklisted domain name included in a blacklist of domain names;
  - identify, from the set of DNS packets, a set of unknown DNS packets by excluding, from the set of DNS packets, each whitelist DNS packet and blacklist DNS packet;
  - analyze, for a particular client computing device included in the private network, unknown DNS packets having a particular source address that specifies the particular client computing device; and
  - identify, based on at least one characteristic of the analyzed unknown DNS packets, a DNS anomaly for the client computing device.
Dependent claims: 7, 8, 9, 10.
11. A method for network anomaly detection, implemented by a hardware processor, the method comprising:
- obtaining, from a plurality of network packet capture devices of a private network, domain name system (DNS) query packets that were sent by a plurality of client computing devices operating on the private network, each DNS query packet specifying i) a destination DNS server, ii) a query domain name, and iii) a source address that specifies one of the plurality of client computing devices;
- identifying, from the DNS query packets, a set of client DNS packets for a particular client, each client DNS packet specifying a source address associated with the particular client;
- identifying, based on at least one characteristic of the set of client DNS packets, a DNS anomaly for the particular client; and
- providing, to a user device, data specifying the DNS anomaly.
Dependent claims: 12, 13, 14, 15.
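The pipeline that claims 6 and 11 describe (collect DNS queries from several capture devices, separate whitelist and blacklist hits from the unknown remainder, then judge each client by characteristics of its unknown queries and report the result) can be written down in a few dozen lines. The following is an added example, not the patent's own code or any implementation it describes: the record layout, the whitelist and blacklist entries, the two per-client characteristics (number of distinct unknown base domains and mean Shannon entropy of the leftmost label), their thresholds and the sample capture are all constructed here, and the claims do not specify them.

```python
"""Added example: per-client DNS triage in the shape of claims 6 and 11.

Everything below is constructed for illustration: the record layout, the
whitelist and blacklist, the two features and their thresholds. It is not
the patent's own code and the patent does not specify these choices.
"""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    capture_device: str  # which packet capture device saw the query
    src: str             # source address: the client on the private network
    dns_server: str      # destination DNS server
    qname: str           # query domain name


WHITELIST = {"example.com", "corp.example"}   # constructed
BLACKLIST = {"known-bad.example"}             # constructed
MAX_UNIQUE_UNKNOWN = 5        # assumed threshold: distinct unknown base domains per client
MAX_MEAN_LABEL_ENTROPY = 3.5  # assumed threshold: bits per character of the leftmost label


def base_domain(qname: str) -> str:
    """Last two labels of the name; a stand-in for a public-suffix lookup."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(packets, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Split packets into whitelist, blacklist and unknown sets (claim 6)."""
    white, black, unknown = [], [], []
    for p in packets:
        bd = base_domain(p.qname)
        (white if bd in whitelist else black if bd in blacklist else unknown).append(p)
    return white, black, unknown


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def client_features(unknown_for_client):
    """Characteristics of one client's unknown queries; {} when there are none."""
    if not unknown_for_client:
        return {}
    qnames = [p.qname for p in unknown_for_client]
    first_labels = [q.split(".")[0] for q in qnames]
    return {
        "unknown_queries": len(qnames),
        "unique_unknown_domains": len({base_domain(q) for q in qnames}),
        "mean_label_entropy": sum(map(label_entropy, first_labels)) / len(first_labels),
        "dns_servers": sorted({p.dns_server for p in unknown_for_client}),
    }


def detect_anomalies(packets, whitelist=WHITELIST, blacklist=BLACKLIST,
                     max_unique=MAX_UNIQUE_UNKNOWN, max_entropy=MAX_MEAN_LABEL_ENTROPY):
    """Per-client anomaly reports keyed by source address (the data of claim 11)."""
    _, black, unknown = classify(packets, whitelist, blacklist)
    unknown_by_client, black_by_client = defaultdict(list), defaultdict(list)
    for p in unknown:
        unknown_by_client[p.src].append(p)
    for p in black:
        black_by_client[p.src].append(p)
    reports = {}
    for client in sorted(set(unknown_by_client) | set(black_by_client)):
        feats = client_features(unknown_by_client.get(client, []))
        hits = black_by_client.get(client, [])
        reasons = []
        if feats and feats["unique_unknown_domains"] > max_unique:
            reasons.append(f"distinct unknown domains: {feats['unique_unknown_domains']} (limit {max_unique})")
        if feats and feats["mean_label_entropy"] > max_entropy:
            reasons.append(f"mean label entropy: {feats['mean_label_entropy']:.2f} bits/char (limit {max_entropy})")
        if hits:  # blacklist hits are reported as their own finding (an assumption, not in the claims)
            reasons.append(f"blacklisted-domain queries: {len(hits)}")
        if reasons:
            seen_by = {p.capture_device for p in unknown_by_client.get(client, []) + hits}
            reports[client] = {"client": client, "reasons": reasons,
                               "features": feats, "captured_by": sorted(seen_by)}
    return reports


# Constructed sample capture from two packet capture devices ("cap-core", "cap-dmz").
SAMPLE_PACKETS = [
    DnsQuery("cap-core", "10.0.0.5", "10.0.0.53", "www.example.com"),
    DnsQuery("cap-core", "10.0.0.5", "10.0.0.53", "mail.corp.example"),
    DnsQuery("cap-core", "10.0.0.5", "10.0.0.53", "cdn.vendor-one.example"),
    DnsQuery("cap-dmz", "10.0.0.5", "10.0.0.53", "api.vendor-two.example"),
    DnsQuery("cap-dmz", "10.0.0.7", "10.0.0.53", "update.known-bad.example"),
    # six queries whose 16-character leftmost labels have no repeated characters (4.0 bits/char)
    DnsQuery("cap-core", "10.0.0.9", "10.0.0.53", "q7w3e5r9t1y4u8i2.rnd-a.example"),
    DnsQuery("cap-dmz", "10.0.0.9", "10.0.0.53", "z0x6c8v2b4n7m1k3.rnd-b.example"),
    DnsQuery("cap-core", "10.0.0.9", "10.0.0.53", "a5s8d2f7g1h4j9k6.rnd-c.example"),
    DnsQuery("cap-dmz", "10.0.0.9", "10.0.0.53", "p3o9i2u6y1t8r5e4.rnd-d.example"),
    DnsQuery("cap-core", "10.0.0.9", "10.0.0.53", "l7k2j5h8g3f9d1s6.rnd-e.example"),
    DnsQuery("cap-dmz", "10.0.0.9", "10.0.0.53", "m4n1b7v3c9x5z2q8.rnd-f.example"),
]

if __name__ == "__main__":
    for client, report in detect_anomalies(SAMPLE_PACKETS).items():
        print(client, "->", "; ".join(report["reasons"]))
```

On the sample data the client at 10.0.0.5 resolves two whitelisted and two ordinary unknown names and is not reported; 10.0.0.7 is reported only for its blacklist hit, with no unknown-query features; 10.0.0.9 crosses both constructed thresholds and its report names both capture devices that saw its traffic. The whitelist and blacklist checks deliberately run before any feature computation so that a noisy but known-good domain cannot inflate a client's unknown-domain count.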
Specification