Method and system for detecting malicious domain names at an upper DNS hierarchy
Abstract
A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (non-RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.
24 Claims
1. A method for detecting a malicious domain name, comprising:

performing processing associated with collecting domain name statistical information from a non-recursive domain name system name server (non-RDNS NS), the domain name statistical information based on first order statistical features, the first order statistical features comprising: mean, standard deviation, and variance of requesters for a domain name; domain name statistical information on diversity of IP addresses associated with a recursive device that queries a domain name d; a relative volume of queries from a set of querying recursive devices; and historic information related to an IP space pointed to by the domain d; and

performing processing associated with utilizing the collected domain name statistical information to determine query patterns at an upper domain name system hierarchy to determine if a domain name is malicious or benign, the upper domain name system hierarchy comprising: an authoritative name server level, a top-level domain name server level, a root name server level, or any combination thereof.

Dependent claims: 2 through 12.

13. A system for detecting a malicious domain name, comprising:

a processing device configured for: performing processing associated with collecting domain name statistical information from a non-recursive domain name system name server (non-RDNS NS) in communication with the processing device, the domain name statistical information based on first order statistical features, the first order statistical features comprising: mean, standard deviation, and variance of requesters for a domain name; domain name statistical information on diversity of IP addresses associated with a recursive device that queries a domain name d; a relative volume of queries from a set of querying recursive devices; and historic information related to an IP space pointed to by the domain d; and performing processing associated with utilizing the collected domain name statistical information to determine query patterns at an upper domain name system hierarchy to determine if a domain name is malicious or benign, the upper domain name system hierarchy comprising: an authoritative name server level, a top-level domain name server level, a root name server level, or any combination thereof.

Dependent claims: 14 through 24.
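The first-order features recited in claims 1 and 13 are named but not defined. The following Python example, added here by the editor and not taken from the patent or from any product of its assignee, shows one way to compute those features from the query log an authoritative (non-recursive) name server sees for a domain d, and one way to turn them into a malicious/benign verdict. Everything not in the claims is an assumption of the example: the log rows, the resolver set LARGE_RESOLVERS, the prefix list ABUSE_PREFIXES, the use of /16 prefixes as a stand-in for BGP prefixes, and the threshold rule in classify(), which is a placeholder for whatever classifier a real deployment would train.

```python
"""Added worked example (editor's illustration, not the patent's code).

Assumptions, none of which the claims fix:
  * a log row is (epoch, recursive_resolver_ip, qname, answer_ip), as an
    authoritative server could record it;
  * "diversity of IP addresses" = distinct resolvers and distinct /16
    prefixes, the /16 standing in for a BGP prefix;
  * "relative volume from a set of recursive devices" = share of d's queries
    coming from a caller-supplied resolver set;
  * "historic information on the IP space pointed to" = distinct answers and
    answer prefixes, plus the share of answers inside caller-supplied
    historically abused prefixes;
  * classify() is a hand-written threshold rule, not the patent's classifier.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not real traffic). shop.example is asked for by the
# same two resolvers every hour and always resolves to one address;
# suspect.example is asked for by a widening set of one-off resolvers and its
# answers hop across many prefixes, most of them in "abused" space.
SAMPLE_LOG = [
    (0, "10.1.0.1", "shop.example", "192.0.2.10"),
    (0, "10.1.0.2", "shop.example", "192.0.2.10"),
    (1, "10.1.0.1", "shop.example", "192.0.2.10"),
    (1, "10.1.0.2", "shop.example", "192.0.2.10"),
    (2, "10.1.0.1", "shop.example", "192.0.2.10"),
    (2, "10.1.0.2", "shop.example", "192.0.2.10"),
    (0, "10.5.0.1", "suspect.example", "198.51.100.7"),
    (1, "10.6.0.1", "suspect.example", "203.0.113.9"),
    (1, "10.7.0.1", "suspect.example", "203.0.113.9"),
    (1, "10.8.0.1", "suspect.example", "100.64.1.1"),
    (1, "10.9.0.1", "suspect.example", "100.65.1.1"),
    (2, "10.10.0.1", "suspect.example", "198.51.100.7"),
    (2, "10.11.0.1", "suspect.example", "100.66.1.1"),
    (2, "10.12.0.1", "suspect.example", "100.67.1.1"),
    (2, "10.13.0.1", "suspect.example", "203.0.113.9"),
    (2, "10.14.0.1", "suspect.example", "100.64.1.1"),
    (2, "10.15.0.1", "suspect.example", "100.68.1.1"),
    (2, "10.16.0.1", "suspect.example", "100.69.1.1"),
]
LARGE_RESOLVERS = {"10.1.0.1", "10.5.0.1"}   # constructed: resolvers serving many clients
ABUSE_PREFIXES = ["100.64.0.0/10"]           # constructed: space with a bad history


def prefix16(ip):
    """Collapse an IPv4 address to its /16 (assumed stand-in for a BGP prefix)."""
    return str(ip_network(f"{ip}/16", strict=False))


def domain_features(log, domain, large_resolvers, abuse_prefixes):
    """First-order features for one domain, over all epochs present in the log."""
    rows = [r for r in log if r[2] == domain]
    if not rows:
        raise ValueError(f"no queries observed for {domain}")
    # Requesters per epoch: distinct recursive devices that asked for d in each window.
    per_epoch = defaultdict(set)
    for epoch, resolver, _qname, _answer in rows:
        per_epoch[epoch].add(resolver)
    requesters = [len(per_epoch[e]) for e in sorted(per_epoch)]
    resolvers = {r[1] for r in rows}
    answers = {r[3] for r in rows}
    abuse_nets = [ip_network(p) for p in abuse_prefixes]
    abused = sum(1 for a in answers if any(ip_address(a) in n for n in abuse_nets))
    return {
        "requesters_mean": statistics.fmean(requesters),
        "requesters_stdev": statistics.pstdev(requesters),
        "requesters_var": statistics.pvariance(requesters),
        "resolver_count": len(resolvers),
        "resolver_prefix_count": len({prefix16(r) for r in resolvers}),
        "large_resolver_share": sum(1 for r in rows if r[1] in large_resolvers) / len(rows),
        "answer_ip_count": len(answers),
        "answer_prefix_count": len({prefix16(a) for a in answers}),
        "answer_abuse_share": abused / len(answers),
    }


def classify(f, max_answer_prefixes=3, abuse_threshold=0.5):
    """Illustrative threshold rule (assumption; a trained model would sit here)."""
    score = 0
    # A changing population of resolvers, each sitting in its own prefix.
    if f["requesters_var"] > 0 and f["resolver_prefix_count"] == f["resolver_count"]:
        score += 1
    # Answers hopping across unrelated prefixes.
    if f["answer_prefix_count"] > max_answer_prefixes:
        score += 1
    # Answers landing in historically abused space.
    if f["answer_abuse_share"] >= abuse_threshold:
        score += 1
    return "malicious" if score >= 2 else "benign"


def run(log=SAMPLE_LOG):
    """Verdict for every domain in the log, as {domain: verdict}."""
    domains = sorted({r[2] for r in log})
    return {d: classify(domain_features(log, d, LARGE_RESOLVERS, ABUSE_PREFIXES))
            for d in domains}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name}: {verdict}")
```

Two caveats the claims leave implicit and that a deployment at the authoritative, TLD or root level has to live with. First, the requesters seen there are recursive resolvers, not end hosts, so one resolver can stand for thousands of clients and the mean and variance of requesters describe resolver churn, not victim count. Second, resolvers cache answers for the record's TTL, so the number of queries an authoritative server sees per epoch depends on the TTL the domain publishes; a short-TTL domain looks busier than a long-TTL domain with the same client population, and the per-epoch counts should be normalised for that before they are compared across domains.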