Detecting DNS fast-flux anomalies

US 8,260,914 B1
Filed: 06/22/2010
Issued: 09/04/2012
Est. Priority Date: 06/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting automatically generated malicious domain names in a network, comprising:

identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute;

analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries;

analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set domain names; and

generating an alert of domain fluxing based on the distribution metric according to a pre-determined criterion.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting automatically generated malicious domain names in a network. The method includes identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute, analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries, analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set of domain names, and generating an alert based on the distribution metric according to a pre-determined criterion.

498 Citations

16 Claims

1. A method for detecting automatically generated malicious domain names in a network, comprising:
- identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute;
  
  analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries;
  
  analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set domain names; and
  
  generating an alert of domain fluxing based on the distribution metric according to a pre-determined criterion.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - identifying, in the network and in response to generating the alert, a source node of the plurality of DNS queries; and
      
      facilitating in performing a network security operation with respect to the source node,wherein the automatically generated malicious domain names are used for at least one selected from a group consisting of controlling a botnet and conducting a spam email campaign.
  - 3. The method of claim 1, wherein the common attribute comprises a top level domain name corresponding to the plurality of DNS queries.
  - 4. The method of claim 1, wherein the common attribute comprises an IP address that each of the plurality of DNS queries is mapped to.
  - 5. The method of claim 1, wherein the common attribute comprises a connected component that each of the plurality of DNS queries belongs to, the method further comprising performing connected component analysis of a IP-domain bipartite graph of the plurality of domain name service (DNS) queries.
  - 6. The method of claim 1, wherein each of the plurality of alphanumeric elements consists of at least one selected from a group consisting of a single alphanumeric character and n-consecutive alphanumeric characters where n represents an integer greater than one.
  - 7. The method of claim 1, wherein the distribution metric comprises information entropy of the plurality of alphanumeric elements.

8. A system for detecting automatically generated malicious domain names in a network, comprising:
- a detecting program configured to capture a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute;
  
  an analyzer program configured to;
  
  analyze the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries; and
  
  analyze the plurality of alphanumeric elements to determine a distribution metric of the set of domain names; and
  
  a processor and memory storing instructions when executed by the processor comprising functionality to;
  
  compare the distribution metric and a pre-determined threshold to generate a result; and
  
  generate an alert of domain fluxing based on the distribution metric according to a predetermined criterion.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, the instructions when executed by the processor further comprising functionality to:
    - identify, in the network and in response to generating the alert of domain fluxing, a source node of the plurality of DNS queries; and
      
      facilitating in performing a network security operation with respect to the source node,wherein the automatically generated malicious domain names are used for at least one selected from a group consisting of controlling a botnet and conducting a spam email campaign.
  - 10. The system of claim 8, wherein the common attribute comprises a top level domain name corresponding to the plurality of DNS queries.
  - 11. The system of claim 8, wherein the common attribute comprises an IP address that each of the plurality of DNS queries is mapped to.
  - 12. The system of claim 8, wherein the common attribute comprises a connected component that each of the plurality of DNS queries belongs to, the system further comprising a program for performing connected component analysis of an IP-domain bipartite graph of the plurality of domain name service (DNS) queries.
  - 13. The system of claim 8, wherein each of the plurality of alphanumeric elements consists of at least one selected from a group consisting of a single alphanumeric character and n-consecutive alphanumeric characters where n represents an integer greater than one.
  - 14. The system of claim 8, wherein the distribution metric comprises information entropy of the plurality of alphanumeric elements.

15. A non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names network in a network, the instructions when executed by a processor of a computer comprising functionality to:
- identify a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute;
  
  analyze the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries;
  
  analyze the plurality of alphanumeric elements to determine a distribution metric of the set of domain names; and
  
  generate an alert of domain fluxing based on the distribution metric according to a pre-determined criterion.
- View Dependent Claims (16)
- - 16. The non-transitory computer readable medium of claim 15, the instructions when executed by the processor further comprising functionality to:
    - identify, in the network and in response to generating the alert of domain fluxing, a source node of the plurality of DNS queries; and
      
      facilitate in performing a network security operation with respect to the source node,wherein the automatically generated malicious domain names are used for at least one selected from a group consisting of controlling a botnet and conducting a spam email campaign.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
Narus, Inc. (Gen Digital Inc.)
Inventors
Ranjan, Supranamaya
Primary Examiner(s)
HIGA, BRENDAN Y

Application Number

US12/821,098
Time in Patent Office

805 Days
Field of Search

709217-219, 709223-229, 726 12- 13, 726 22- 25
US Class Current

709/224
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/12   Applying verification of th...

Detecting DNS fast-flux anomalies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

498 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Detecting DNS fast-flux anomalies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

498 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others