Techniques for identifying potential malware domain names

US 8,631,498 B1
Filed: 12/23/2011
Issued: 01/14/2014
Est. Priority Date: 12/23/2011
Status: Active Grant

First Claim

Patent Images

1. A system for identifying potential malware domain names comprising:

one or more processors communicatively coupled to a network, wherein the one or more processors are configured to;

receive a request for network data, wherein the request for network data comprises a domain name;

apply a lexical and linguistic analysis to the domain name, wherein the lexical and linguistic analysis comprises machine learning configured to establish at least one classifier for performing and fine-tuning potential malware domain name detection; and

identify whether the domain name is a potential malware domain name based on the lexical and linguistic analysis.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for identifying potential malware domain names are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for identifying potential malware domain names. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to receive a request for network data, where the request for network data may comprise a domain name. The one or more processors may also be configured to apply a lexical and linguistic analysis to the domain name. The one or more processors may also be configured to identify whether the domain name is a potential malware domain name based on the lexical and linguistic analysis.

23 Citations

View as Search Results

20 Claims

1. A system for identifying potential malware domain names comprising:
- one or more processors communicatively coupled to a network, wherein the one or more processors are configured to;
  
  receive a request for network data, wherein the request for network data comprises a domain name;
  
  apply a lexical and linguistic analysis to the domain name, wherein the lexical and linguistic analysis comprises machine learning configured to establish at least one classifier for performing and fine-tuning potential malware domain name detection; and
  
  identify whether the domain name is a potential malware domain name based on the lexical and linguistic analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the domain name comprises a Uniform Resource Locator (URL).
  - 3. The system of claim 1, wherein the lexical and linguistic analysis comprises analyzing lexical features of the domain name, the lexical features comprising at least one of the following:
    - hyphen count;
      
      keyword count;
      
      character length;
      
      word-to-digit ratio;
      
      top level domain or domain origination; and
      
      predetermined suspicious alphanumeric character sequences.
  - 4. The system of claim 1, wherein the lexical and linguistic analysis comprises a keyword analysis based on separating the domain name into constituent keywords or sub-keywords.
  - 5. The system of claim 1, wherein the lexical and linguistic analysis comprises a phonetic analysis based on at least one of a pronunciation dictionary and a number of phonemes identified in the domain name.
  - 6. The system of claim 1, wherein the lexical and linguistic analysis comprises a language model analysis based on applying N-gram statistical analysis to an actual native language of the domain name and actual visitor.
  - 7. The system of claim 6, wherein the N-gram is a trigram.
  - 8. The system of claim 6, wherein the statistical analysis yields a probability value that indicates the probability that the domain name is a potential malware domain name.
  - 9. The system of claim 1, wherein the one or more processors, in the event the domain name is identified as a potential malware domain name, are further configured to perform at least one of the following:
    - deny the request for network data;
      
      transmit a notification that the domain name is a potential malware domain name;
      
      request authorization to request network data, add to a malware domain blacklist; and
      
      build a classifier configured to provide fine-tuned identification of potential malware domain names.

10. A method for identifying potential malware domain names comprising:
- receiving, at a potential malware domain identification module, a request for network data, wherein the request for network data comprises a domain name;
  
  applying a lexical and linguistic analysis to the domain name, wherein the lexical and linguistic analysis comprises machine learning configured to establish at least one classifier for performing and fine-tuning potential malware domain name detection; and
  
  identifying whether the domain name is a potential malware domain name based on the lexical and linguistic analysis.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, wherein the domain name comprises a Uniform Resource Locator (URL).
  - 12. The method of claim 10, wherein the lexical and linguistic analysis comprises analyzing lexical features of the domain name, the lexical features comprising at least one of the following:
    - hyphen count;
      
      keyword count;
      
      character length;
      
      word-to-digit ratio;
      
      top level domain or domain origination; and
      
      predetermined suspicious alphanumeric character sequences.
  - 13. The method of claim 10, wherein the lexical and linguistic analysis comprises a keyword analysis based on separating the domain name into constituent keywords or sub-keywords.
  - 14. The method of claim 10, wherein the lexical and linguistic analysis comprises a phonetic analysis based on at least one a pronunciation dictionary, and a number of phonemes identified in the domain name.
  - 15. The method of claim 10, wherein the lexical and linguistic analysis comprises a language model analysis based on applying N-gram statistical analysis to native language of the domain name and actual visitor.
  - 16. The method of claim 15, wherein the N-gram is a trigram.
  - 17. The method of claim 15, wherein the statistical analysis yields a probability value that indicates the probability that the domain name is a potential malware domain name.
  - 18. The method of claim 10, wherein the potential malware domain identification module, in the event the domain name is identified as a potential malware domain name, performs at least one of the following:
    - deny the request for network data;
      
      transmit a notification that the domain name is a potential malware domain name;
      
      request authorization to request network data, add to a malware domain blacklist; and
      
      build a classifier configured to provide fine-tuned identification of potential malware domain names.
  - 19. A non-transitory computer-readable storage medium storing a computer program of instructions configured to be readable by at least one computer processor for instructing the at least one computer processor to execute a computer process for performing the method of claim 10.

20. An article of manufacture for identifying potential malware domain names, the article of manufacture comprising:
- at least one non-transitory processor readable storage medium; and
  
  instructions stored on the at least one medium;
  
  wherein the instructions are configured to be readable from the at least one medium by at least one processor and thereby cause the at least one processor to operate so as to;
  
  receive, at a potential malware domain identification module, a request for network data, wherein the request for network data comprises a domain name;
  
  apply a lexical and linguistic analysis to the domain name, wherein the lexical and linguistic analysis comprises machine learning configured to establish at least one classifier for performing and fine-tuning potential malware domain name detection; and
  
  identify whether the domain name is a potential malware domain name based on the lexical and linguistic analysis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Wilhelm, Jeffrey Scott, Hart, Michael Andrew, Sundaram, Sharada
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
GUIRGUIS, MICHAEL M

Application Number

US13/336,730
Time in Patent Office

753 Days
Field of Search

726/25, 726/22
US Class Current

726/25
CPC Class Codes

H04L 2101/30   Types of network names

H04L 61/4511   using domain name system [DNS]

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

Techniques for identifying potential malware domain names

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for identifying potential malware domain names

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links