Method and system for detecting malicious domain names at an upper DNS hierarchy

US 8,631,489 B2
Filed: 01/25/2012
Issued: 01/14/2014
Est. Priority Date: 02/01/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malicious domain name, comprising:

performing processing associated with collecting domain name statistical information from a non-recursive domain name system name server (non-RDNS NS), the domain name statistical information based on first order statistical features, the first order statistical features comprising;

mean, standard deviation, variance of requesters for a domain name, domain name statistical information on diversity of IP addresses associated with a recursive device that queries a domain name d, a relative volume of queries from a set of a querying recursive device and historic information related to a IP space pointed to by the domain d; and

performing processing associated with utilizing the collected domain name statistical information to determine query patterns at an upper domain name system hierarchy to determine if a domain name is malicious or benign, the upper domain name system hierarchy comprising;

an authoritative name server level, a top-level domain name server level, a root name server level, or any combination thereof.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.

264 Citations

24 Claims

1. A method for detecting a malicious domain name, comprising:
- performing processing associated with collecting domain name statistical information from a non-recursive domain name system name server (non-RDNS NS), the domain name statistical information based on first order statistical features, the first order statistical features comprising;
  
  mean, standard deviation, variance of requesters for a domain name, domain name statistical information on diversity of IP addresses associated with a recursive device that queries a domain name d, a relative volume of queries from a set of a querying recursive device and historic information related to a IP space pointed to by the domain d; and
  
  performing processing associated with utilizing the collected domain name statistical information to determine query patterns at an upper domain name system hierarchy to determine if a domain name is malicious or benign, the upper domain name system hierarchy comprising;
  
  an authoritative name server level, a top-level domain name server level, a root name server level, or any combination thereof.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the domain name statistical information comprises requester diversity information, or requester profile information, or both.
  - 3. The method of claim 2, wherein the domain name statistical information also comprises reputation information.
  - 4. The method of claim 3, wherein the reputation information classifies a domain name as malignant or benign utilizing historic information about domain name resolution.
  - 5. The method of claim 2, wherein the requester diversity information comprises diversity in terms of a network location of the recursive device that queries a domain name.
  - 6. The method of claim 2, wherein the requester profile information comprises a level of popularity of the querying recursive device that queries a domain name.
  - 7. The method of claim 1, further comprising:
    - performing processing associated with determining whether an additional domain name is malicious based on how close the additional domain name'"'"'s statistical information is to the known malicious domain name'"'"'s statistical information.
  - 8. The method of claim 7, wherein the additional domain name is a new domain name.
  - 9. The method of claim 1, wherein collecting domain name information from the non-RDNS NS comprises monitoring DNS traffic flowing towards the non-RDNS NS.
  - 10. The method of claim 9, wherein monitoring DNS traffic flowing towards the non-RDNS NS allows monitoring of DNS queries from servers around the Internet that attempt to resolve a domain name for which the non-RDNS NS has authority or is a point of delegation.
  - 11. The method of claim 1, wherein a sensor is attached to or by the non-RDNS NS.
  - 12. The method of claim 1, wherein a DNS operator is able to detect and remediate a malicious domain name within his or her name space.

13. A system for detecting a malicious domain name, comprising:
- a processing device configured for;
  
  performing processing associated with collecting domain name statistical information from a non-recursive domain name system name server (non-RDNS NS) in communication with the processing device, the domain name statistical information based on first order statistical features, the first order statistical features comprising;
  
  mean, standard deviation, variance of requesters for a domain name, domain name statistical information on diversity of IP addresses associated with a recursive device that queries a domain name d, a relative volume of queries from a set of a querying recursive devices, and historic information related to a IP space pointed to by the domain d; and
  
  performing processing associated with utilizing the collected domain name statistical information to determine query patterns at an upper domain name system hierarchy to determine if a domain name is malicious or benign, the upper domain name system hierarchy comprising;
  
  an authoritative name server level, a top-level domain name server level, a root name server level, or any combination thereof.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the domain name statistical information comprises requester diversity information, or requester profile information, or both.
  - 15. The system of claim 14, wherein the domain name statistical information also comprises reputation information.
  - 16. The system of claim 15, wherein the reputation information classifies a domain name as malignant or benign utilizing historic information about domain name resolution.
  - 17. The system of claim 14, wherein the requester diversity information comprises diversity in terms of network location of the recursive device that queries a domain name.
  - 18. The system of claim 14, wherein the requester profile information comprises a level of popularity of the querying recursive devices that queries a domain name.
  - 19. The system of claim 13, further comprising:
    - performing processing associated with determining whether an additional domain name is malicious based on how close the additional domain name'"'"'s statistical information is to the known malicious domain name'"'"'s statistical information.
  - 20. The system of claim 19, wherein the additional domain name is a new domain name.
  - 21. The system of claim 13, wherein collecting domain name information from the non-RDNS NS comprises monitoring DNS traffic flowing towards the non-RDNS NS.
  - 22. The system of claim 21, wherein monitoring DNS traffic flowing towards the non-RDNS NS allows monitoring of DNS queries from servers around the Internet that attempt to resolve a domain name for which the non-RDNS NS has authority or is a point of delegation.
  - 23. The system of claim 13, wherein a sensor is attached to or by the non-RDNS NS.
  - 24. The system of claim 13, wherein a DNS operator is able to detect and remediate a malicious domain name within his or her name space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Antonakakis, Manos, Perdisci, Roberto, Lee, Wenke, Vasiloglou, Nikolaos
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/358,303
Publication Number

US 20120198549A1
Time in Patent Office

720 Days
Field of Search

726/22, 709/223
US Class Current

726/22
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1483   service impersonation, e.g....

Method and system for detecting malicious domain names at an upper DNS hierarchy

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

264 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting malicious domain names at an upper DNS hierarchy

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

264 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links