Systems and methods for identifying malicious domains using internet-wide DNS lookup patterns

US 8,713,676 B2
Filed: 05/13/2011
Issued: 04/29/2014
Est. Priority Date: 05/13/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of determining that a newly-registered domain is potentially malicious, the method comprising:

determining, by a processor, a number of unique name servers that sent a query for the newly-registered domain during a period of time;

determining, by the processor, that the number of unique servers exceeds a predetermined threshold of servers;

identifying the newly-registered domain as one of malicious and potentially malicious when it is determined that the number of unique name servers exceeds the predetermined threshold of servers;

in response to determining that the number of unique name servers exceeds the predetermined threshold of servers, determining a confidence level based on an amount by which the number of unique name servers exceeds the predetermined threshold of servers; and

automatically adding the newly-registered domain to a blacklist when the confidence level is high.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for identifying domains as malicious based on Internet-wide DNS lookup patterns. Disclosed embodiments look for variance in the servers that look up a domain and also look at the popularity growth (quantity of queries from unique addresses) of a domain after registration to identify malicious domains. Other disclosed embodiments measure the similarity of servers that query a domain and cluster domains based on the similarity of those servers. Disclosed embodiments may use such temporal and spatial lookup patterns as input to a blacklist process to more effectively and quickly blacklist domains based on their Internet-wide lookup patterns.

Citations

28 Claims

1. A computer-implemented method of determining that a newly-registered domain is potentially malicious, the method comprising:
- determining, by a processor, a number of unique name servers that sent a query for the newly-registered domain during a period of time;
  
  determining, by the processor, that the number of unique servers exceeds a predetermined threshold of servers;
  
  identifying the newly-registered domain as one of malicious and potentially malicious when it is determined that the number of unique name servers exceeds the predetermined threshold of servers;
  
  in response to determining that the number of unique name servers exceeds the predetermined threshold of servers, determining a confidence level based on an amount by which the number of unique name servers exceeds the predetermined threshold of servers; and
  
  automatically adding the newly-registered domain to a blacklist when the confidence level is high.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - for the period of time, determining an average number of queries per day for the newly registered domain;
      
      determining that the average number of queries exceeds a predetermined threshold of queries per day; and
      
      identifying the newly-registered domain as one of malicious and potentially malicious in response to determining that the average number of queries exceeds a predetermined threshold of queries per day.
  - 3. The method of claim 1, wherein each unique name server is an aggregation of name servers sharing a same IP address prefix.
  - 4. The method of claim 1, further comprising:
    - in response to determining that the number of unique name servers exceeds the predetermined threshold of servers, determining a confidence level based on an amount by which the number of unique name servers exceeds the predetermined threshold of servers; and
      
      limiting traffic to the newly-registered domain when the confidence level is not high.
  - 5. The method of claim 1, further comprising:
    - adjusting the predetermined threshold of servers based on data used to identify the newly-registered domain as one of malicious and potentially malicious.
  - 6. The method of claim 1, further comprising:
    - responsive to identifying the newly-registered domain as one of malicious and potentially malicious;
      
      identifying an IP address associated with a registration record for the newly-registered domain, anddetermining a confidence level based on whether the IP address is associated with a tainted server.

7. A system for determining that a newly-registered domain is potentially malicious, the system comprising:
- a processor; and
  
  a memory having instructions, that when executed by the processor, cause the processor to perform operations including;
  
  determining, by a processor, a number of unique name servers that sent a query for the newly-registered domain during a period of time,determining, by the processor, that the number of unique name servers exceeds a predetermined threshold of servers;
  
  identifying the newly-registered domain as one of malicious and potentially malicious in response to determining that the number of unique name servers exceeds the predetermined threshold of servers; and
  
  responsive to identifying the newly-registered domain as one of malicious and potentially malicious;
  
  identifying an IP address associated with a registration record for the newly-registered domain, anddetermining a confidence level based on whether the IP address is associated with a tainted server.
- View Dependent Claims (8, 9)
- - 8. The system of claim 7, wherein the operations performed by the processor further comprise:
    - for the period of time, determining an average number of queries per day for the newly-registered domain;
      
      determining that the average number of queries exceeds a predetermined threshold of queries per day; and
      
      identifying the newly-registered domain as one of malicious and potentially malicious when it is determined that the average number of queries exceeds a predetermined threshold of queries per day.
  - 9. The system of claim 7, wherein each unique server is an aggregation of servers sharing a same IP address prefix.

10. A tangible non-transitory computer-readable medium storing instructions for determining that a newly-registered domain is potentially malicious, the instructions causing one or more computer processors to perform operations, comprising:
- determining a number of unique name servers that sent a query for the newly-registered domain during a period of time;
  
  determining that the number of unique name servers exceeds a predetermined threshold of servers;
  
  identifying the newly-registered domain as one of malicious and potentially malicious in response to determining that the number of unique name servers exceeds the predetermined threshold of servers; and
  
  responsive to identifying the newly-registered domain as one of malicious and potentially malicious;
  
  identifying an IP address associated with a registration record for the newly-registered domain, anddetermining a confidence level based on whether the IP address is associated with a tainted server.

11. A computer-implemented method for identifying an Internet domain as potentially malicious comprising:
- identifying unique name servers that query the Internet domain during a first day;
  
  identifying unique name servers that query the domain during a second day;
  
  determining, by a processor, a similarity of the unique name servers that queried the Internet domain during the first day and the unique name servers that queried the Internet domain during the second day;
  
  determining, by the processor, that the similarity meets a predetermined threshold;
  
  identifying the Internet domain as one of malicious and potentially malicious in response to determining that the similarity meets the predetermined threshold;
  
  determining a confidence level based on a difference between the similarity and the predetermined threshold; and
  
  automatically adding the domain to a blacklist when the confidence level is high.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, further comprising:
    - identifying unique name servers that query the domain for a series of days, and wherein determining the similarity further comprises calculating a series of values representing the similarity of the unique name servers that query the domain for pairs of consecutive days in the series of days;
      
      analyzing the series of values for high variability; and
      
      identifying the domain as one of malicious and potentially malicious when the series of values demonstrates high variability.
  - 13. The method of claim 11, wherein determining the similarity comprises calculating a Jaccard index.
  - 14. The method of claim 11, further comprising:
    - determining a confidence level based on a difference between the similarity and the predetermined threshold; and
      
      limiting traffic to the domain when the confidence level is not high.
  - 15. The method of claim 11, further comprising:
    - adjusting the predetermined threshold based on data used to flag the domain as one of malicious and potentially malicious.

16. A system for identifying an Internet domain as potentially malicious comprising:
- a processor; and
  
  a memory having instructions that, when executed by the processor, cause the processor to perform operations comprising;
  
  identifying unique name servers that query the domain during a first day,identifying unique name servers that query the domain during a second day,determining, by a processor, the similarity of the name servers that queried the domain during the first day and the name servers that queried the domain during the second day,determining, by the processor, that the similarity meets a predetermined threshold;
  
  identifying the domain as one of malicious and potentially malicious in response to determining that the similarity of the servers meets the predetermined threshold;
  
  determining a confidence level based on a difference between the similarity of the servers and the predetermined threshold; and
  
  automatically adding the domain to a blacklist when the confidence level is high.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16, wherein the operations further comprise:
    - identifying unique name servers that query the domain for a series of days, and wherein determining the similarity further comprises calculating a series of values representing the similarity of the unique name servers that query the domain for pairs of consecutive days in the series of days;
      
      analyzing the series of values for high variability; and
      
      identifying the domain as one of malicious and potentially malicious when the series of values demonstrates high variability.
  - 18. The system of claim 16, wherein the operations further comprise:
    - determining a confidence level based on a difference between the similarity and the predetermined threshold; and
      
      limiting traffic to the domain when the confidence level is not high.

19. A tangible non-transitory computer-readable medium storing instructions for identifying an Internet domain as potentially malicious, the instructions causing one or more computer processors to perform operations, comprising:
- identifying unique name servers that query the domain during a first day;
  
  identifying unique name servers that query the domain during a second day;
  
  determining the similarity of the name servers that queried the domain during the first day and the name servers that queried the domain during the second day;
  
  determining that the similarity meets a predetermined threshold;
  
  identifying the domain as one of malicious and potentially malicious in response to determining that the similarity of the servers meets a predetermined threshold;
  
  determining a confidence level based on a difference between the similarity and the predetermined threshold; and
  
  automatically adding the domain to a blacklist when the confidence level is high.

20. A computer-implemented method for identifying an Internet domain as potentially malicious comprising:
- identifying, by a processor, a set of domains, the set including at least one known malicious domain;
  
  determining, by the processor, a number of name servers that query each domain in the set of domains for each day over a period of time;
  
  for a plurality of pairs of domains from the set of domains, analyzing a similarity of name servers that queried a first domain of the pair of domains and name servers that queried a second domain of the pair of domains;
  
  grouping domains in the set of domains based on the analyzing;
  
  identifying domains in a group that contains the known malicious domain as one of malicious and potentially malicious;
  
  determining a confidence level for each group of domains that the domains in the group are malicious; and
  
  automatically adding a domain to a blacklist when the confidence level is high.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method of claim 20, wherein each server is an aggregation of servers sharing a same IP address prefix.
  - 22. The method of claim 20, wherein analyzing the similarity comprises calculating a pairwise Jaccard index for the pair of domains.
  - 23. The method of claim 20, wherein the identifying domains includes automatically adding the domains to a blacklist.
  - 24. The method of claim 20, further comprising:
    - determining a confidence level for each group of domains that the domains in the group are malicious; and
      
      limiting traffic to a domain when the confidence level is not high.

25. A system for identifying an Internet domain as potentially malicious comprising:
- a processor; and
  
  a memory having instructions that, when executed by the processor, cause the processor to perform operations comprising;
  
  identifying, by a processor, a set of domains, the set including at least one known malicious domain,determining, by the processor, a number of name servers that query each domain in the set of domains for each day over a period of time,for a plurality of pairs of domains from the set of domains, analyzing a similarity of name servers that queried a first domain of the pair of domains and name servers that queried a second domain of the pair of domains,grouping the domains based on the analyzing;
  
  identifying domains in a group that contains the known malicious domain as one of malicious and potentially malicious;
  
  determining a confidence level for each group of domains that the domains in the group are malicious; and
  
  automatically adding a domain to a blacklist when the confidence level is high.
- View Dependent Claims (26, 27)
- - 26. The system of claim 25, wherein each server in the set of servers is an aggregation of servers sharing a same IP address prefix.
  - 27. The system of claim 25, wherein the operations further comprise:
    - determining a confidence level for each group of domains that the domains in the group are malicious; and
      
      limiting the traffic to a domain when the confidence level is not high.

28. A tangible non-transitory computer-readable medium storing instructions for identifying an Internet domain as potentially malicious, the instructions causing one or more computer processors to perform operations, comprising:
- identifying a set of domains, the set including at least one known malicious domain;
  
  determining a number of name servers that query each domain in the set of domains for each day over a period of time;
  
  for a plurality of pairs of domains from the set of domains, analyzing a similarity of name servers that queried a first domain of the pair of domains and name servers that queried a second domain of the pair of domains;
  
  grouping the domains based on the analyzing;
  
  identifying domains in a group that contains the known malicious domain as one of malicious and potentially malicious;
  
  determining a confidence level for each group of domains that the domains in the group are malicious; and
  
  automatically adding a domain to a blacklist when the confidence level is high.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Georgia Tech Research Corporation (University System of Georgia), VeriSign, Inc.
Original Assignee
Georgia Tech Research Corporation (University System of Georgia), VeriSign, Inc.
Inventors
Pandrangi, Ramakant, Feamster, Nicholas G., Hao, Shuang
Primary Examiner(s)
Rahman, Mohammad L

Application Number

US13/107,201
Publication Number

US 20110283357A1
Time in Patent Office

1,082 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1425 Traffic logging, e.g. anoma...

Systems and methods for identifying malicious domains using internet-wide DNS lookup patterns

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying malicious domains using internet-wide DNS lookup patterns

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links