Systems and methods for identifying malicious domains using internet-wide DNS lookup patterns
First Claim
1. A computer-implemented method of determining that a newly-registered domain is potentially malicious, the method comprising:
determining, by a processor, a number of unique name servers that sent a query for the newly-registered domain during a period of time;
determining, by the processor, that the number of unique servers exceeds a predetermined threshold of servers;
identifying the newly-registered domain as one of malicious and potentially malicious when it is determined that the number of unique name servers exceeds the predetermined threshold of servers;
in response to determining that the number of unique name servers exceeds the predetermined threshold of servers, determining a confidence level based on an amount by which the number of unique name servers exceeds the predetermined threshold of servers; and
automatically adding the newly-registered domain to a blacklist when the confidence level is high.
2 Assignments
0 Petitions
Abstract
Systems and methods are disclosed for identifying domains as malicious based on Internet-wide DNS lookup patterns. Disclosed embodiments look for variance in the servers that look up a domain and also look at the popularity growth (quantity of queries from unique addresses) of a domain after registration to identify malicious domains. Other disclosed embodiments measure the similarity of servers that query a domain and cluster domains based on the similarity of those servers. Disclosed embodiments may use such temporal and spatial lookup patterns as input to a blacklist process to more effectively and quickly blacklist domains based on their Internet-wide lookup patterns.
28 Claims
1. A computer-implemented method of determining that a newly-registered domain is potentially malicious, the method comprising:
determining, by a processor, a number of unique name servers that sent a query for the newly-registered domain during a period of time;
determining, by the processor, that the number of unique servers exceeds a predetermined threshold of servers;
identifying the newly-registered domain as one of malicious and potentially malicious when it is determined that the number of unique name servers exceeds the predetermined threshold of servers;
in response to determining that the number of unique name servers exceeds the predetermined threshold of servers, determining a confidence level based on an amount by which the number of unique name servers exceeds the predetermined threshold of servers; and
automatically adding the newly-registered domain to a blacklist when the confidence level is high.
View Dependent Claims (2, 3, 4, 5, 6)
7. A system for determining that a newly-registered domain is potentially malicious, the system comprising:
a processor; and
a memory having instructions that, when executed by the processor, cause the processor to perform operations including:
determining, by a processor, a number of unique name servers that sent a query for the newly-registered domain during a period of time;
determining, by the processor, that the number of unique name servers exceeds a predetermined threshold of servers;
identifying the newly-registered domain as one of malicious and potentially malicious in response to determining that the number of unique name servers exceeds the predetermined threshold of servers; and
responsive to identifying the newly-registered domain as one of malicious and potentially malicious:
identifying an IP address associated with a registration record for the newly-registered domain, and
determining a confidence level based on whether the IP address is associated with a tainted server.
View Dependent Claims (8, 9)
10. A tangible non-transitory computer-readable medium storing instructions for determining that a newly-registered domain is potentially malicious, the instructions causing one or more computer processors to perform operations, comprising:
determining a number of unique name servers that sent a query for the newly-registered domain during a period of time;
determining that the number of unique name servers exceeds a predetermined threshold of servers;
identifying the newly-registered domain as one of malicious and potentially malicious in response to determining that the number of unique name servers exceeds the predetermined threshold of servers; and
responsive to identifying the newly-registered domain as one of malicious and potentially malicious:
identifying an IP address associated with a registration record for the newly-registered domain, and
determining a confidence level based on whether the IP address is associated with a tainted server.
11. A computer-implemented method for identifying an Internet domain as potentially malicious comprising:
identifying unique name servers that query the Internet domain during a first day;
identifying unique name servers that query the domain during a second day;
determining, by a processor, a similarity of the unique name servers that queried the Internet domain during the first day and the unique name servers that queried the Internet domain during the second day;
determining, by the processor, that the similarity meets a predetermined threshold;
identifying the Internet domain as one of malicious and potentially malicious in response to determining that the similarity meets the predetermined threshold;
determining a confidence level based on a difference between the similarity and the predetermined threshold; and
automatically adding the domain to a blacklist when the confidence level is high.
View Dependent Claims (12, 13, 14, 15)
16. A system for identifying an Internet domain as potentially malicious comprising:
a processor; and
a memory having instructions that, when executed by the processor, cause the processor to perform operations comprising:
identifying unique name servers that query the domain during a first day;
identifying unique name servers that query the domain during a second day;
determining, by a processor, the similarity of the name servers that queried the domain during the first day and the name servers that queried the domain during the second day;
determining, by the processor, that the similarity meets a predetermined threshold;
identifying the domain as one of malicious and potentially malicious in response to determining that the similarity of the servers meets the predetermined threshold;
determining a confidence level based on a difference between the similarity of the servers and the predetermined threshold; and
automatically adding the domain to a blacklist when the confidence level is high.
View Dependent Claims (17, 18)
19. A tangible non-transitory computer-readable medium storing instructions for identifying an Internet domain as potentially malicious, the instructions causing one or more computer processors to perform operations, comprising:
identifying unique name servers that query the domain during a first day;
identifying unique name servers that query the domain during a second day;
determining the similarity of the name servers that queried the domain during the first day and the name servers that queried the domain during the second day;
determining that the similarity meets a predetermined threshold;
identifying the domain as one of malicious and potentially malicious in response to determining that the similarity of the servers meets a predetermined threshold;
determining a confidence level based on a difference between the similarity and the predetermined threshold; and
automatically adding the domain to a blacklist when the confidence level is high.
20. A computer-implemented method for identifying an Internet domain as potentially malicious comprising:
identifying, by a processor, a set of domains, the set including at least one known malicious domain;
determining, by the processor, a number of name servers that query each domain in the set of domains for each day over a period of time;
for a plurality of pairs of domains from the set of domains, analyzing a similarity of name servers that queried a first domain of the pair of domains and name servers that queried a second domain of the pair of domains;
grouping domains in the set of domains based on the analyzing;
identifying domains in a group that contains the known malicious domain as one of malicious and potentially malicious;
determining a confidence level for each group of domains that the domains in the group are malicious; and
automatically adding a domain to a blacklist when the confidence level is high.
View Dependent Claims (21, 22, 23, 24)
25. A system for identifying an Internet domain as potentially malicious comprising:
a processor; and
a memory having instructions that, when executed by the processor, cause the processor to perform operations comprising:
identifying, by a processor, a set of domains, the set including at least one known malicious domain;
determining, by the processor, a number of name servers that query each domain in the set of domains for each day over a period of time;
for a plurality of pairs of domains from the set of domains, analyzing a similarity of name servers that queried a first domain of the pair of domains and name servers that queried a second domain of the pair of domains;
grouping the domains based on the analyzing;
identifying domains in a group that contains the known malicious domain as one of malicious and potentially malicious;
determining a confidence level for each group of domains that the domains in the group are malicious; and
automatically adding a domain to a blacklist when the confidence level is high.
View Dependent Claims (26, 27)
28. A tangible non-transitory computer-readable medium storing instructions for identifying an Internet domain as potentially malicious, the instructions causing one or more computer processors to perform operations, comprising:
identifying a set of domains, the set including at least one known malicious domain;
determining a number of name servers that query each domain in the set of domains for each day over a period of time;
for a plurality of pairs of domains from the set of domains, analyzing a similarity of name servers that queried a first domain of the pair of domains and name servers that queried a second domain of the pair of domains;
grouping the domains based on the analyzing;
identifying domains in a group that contains the known malicious domain as one of malicious and potentially malicious;
determining a confidence level for each group of domains that the domains in the group are malicious; and
automatically adding a domain to a blacklist when the confidence level is high.
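The three lookup-pattern signals the independent claims describe, run over a constructed DNS query log, as an added example that is not the patent's own code: claim 1's count of unique querying name servers with a confidence level taken from the amount by which it exceeds the threshold, claim 11's day-to-day similarity of the querying name-server set, and claim 20's grouping of domains by name-server similarity seeded with a known malicious domain. Jaccard as the similarity measure, the numeric thresholds and margins, the "none/low/high" confidence levels, the domain names and the resolver addresses are all assumptions made for the illustration; the claims fix none of them.

```python
# Added example, not code from the patent. "Name servers" here are the recursive
# resolvers whose queries reach the authoritative side; every threshold, margin,
# domain and address below is an assumption chosen for illustration.
from collections import defaultdict
from itertools import combinations

# Constructed sample log of (day, querying resolver, domain). Not real data.
SAMPLE_LOG = [
    # nrd-a.example: twelve distinct resolvers on day 1, the same twelve on day 2
    *[(1, f"10.0.0.{i}", "nrd-a.example") for i in range(1, 13)],
    *[(2, f"10.0.0.{i}", "nrd-a.example") for i in range(1, 13)],
    # nrd-b.example: queried by almost the same resolver population as nrd-a
    *[(1, f"10.0.0.{i}", "nrd-b.example") for i in range(1, 11)],
    *[(2, f"10.0.0.{i}", "nrd-b.example") for i in range(2, 12)],
    # blog.example: a benign new domain seen by a handful of churning resolvers
    (1, "192.0.2.1", "blog.example"), (1, "192.0.2.2", "blog.example"),
    (2, "192.0.2.7", "blog.example"), (2, "192.0.2.1", "blog.example"),
]


def index_log(log):
    """Build resolvers[domain][day] -> set of resolver addresses."""
    idx = defaultdict(lambda: defaultdict(set))
    for day, resolver, domain in log:
        idx[domain][day].add(resolver)
    return idx


def resolvers_in_window(idx, domain, days):
    """Union of the resolvers that queried `domain` on any day in `days`."""
    seen = set()
    for day in days:
        seen |= idx[domain].get(day, set())
    return seen


def jaccard(a, b):
    """Set similarity for the day-to-day and domain-to-domain comparisons (assumed metric)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def confidence(value, threshold, high_margin):
    """'none' unless the threshold is met; 'high' once the difference over it reaches high_margin."""
    if value < threshold:
        return "none"
    return "high" if value - threshold >= high_margin else "low"


def check_resolver_count(idx, domain, days, threshold=5, high_margin=5):
    """Claim 1: flag when more than `threshold` distinct resolvers queried the domain in the
    window; confidence is derived from the amount by which the count exceeds the threshold."""
    n = len(resolvers_in_window(idx, domain, days))
    excess = n - threshold
    if excess <= 0:
        return n, "none"
    return n, "high" if excess >= high_margin else "low"


def check_day_similarity(idx, domain, day1, day2, threshold=0.5, high_margin=0.3):
    """Claim 11: a resolver population that stays the same from one day to the next."""
    s = jaccard(idx[domain].get(day1, set()), idx[domain].get(day2, set()))
    return s, confidence(s, threshold, high_margin)


def cluster_domains(idx, days, known_bad, link_threshold=0.5, high_margin=0.3):
    """Claim 20: group domains whose resolver sets overlap, then label the other members of
    any group containing a known malicious domain. Returns {domain: (confidence, group)}."""
    sets = {d: resolvers_in_window(idx, d, days) for d in idx}
    domains = sorted(sets)
    sim = {pair: jaccard(sets[pair[0]], sets[pair[1]]) for pair in combinations(domains, 2)}
    adj = {d: set() for d in domains}
    for (a, b), s in sim.items():
        if s >= link_threshold:
            adj[a].add(b)
            adj[b].add(a)
    labelled, seen = {}, set()
    for start in domains:  # connected components of the similarity graph
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            d = stack.pop()
            if d not in group:
                group.add(d)
                stack.extend(adj[d] - group)
        seen |= group
        if not group & known_bad:
            continue
        pairs = [sim[p] for p in combinations(sorted(group), 2)]
        mean_sim = sum(pairs) / len(pairs) if pairs else 0.0
        conf = confidence(mean_sim, link_threshold, high_margin) if pairs else "none"
        for d in group - known_bad:
            labelled[d] = (conf, sorted(group))
    return labelled


def build_blacklist(idx, days, known_bad):
    """Add a domain automatically only on a 'high' result, as each claim's last step does."""
    listed = set()
    for domain in idx:
        if check_resolver_count(idx, domain, days)[1] == "high":
            listed.add(domain)
        if check_day_similarity(idx, domain, days[0], days[-1])[1] == "high":
            listed.add(domain)
    for domain, (conf, _) in cluster_domains(idx, days, known_bad).items():
        if conf == "high":
            listed.add(domain)
    return sorted(listed)


if __name__ == "__main__":
    idx = index_log(SAMPLE_LOG)
    for domain in sorted(idx):
        print(domain, check_resolver_count(idx, domain, (1, 2)), check_day_similarity(idx, domain, 1, 2))
    print("blacklist:", build_blacklist(idx, (1, 2), {"nrd-a.example"}))
```

On the sample log, nrd-a.example trips the count check on its own, nrd-b.example is caught both by the count and by its stable day-to-day resolver set, and the cluster step adds nrd-b.example again because it shares the population of the seeded known-bad domain, while blog.example stays off the list. The caveat a practitioner will want before wiring any of this to an automatic blacklist: a legitimately popular launch also collects many distinct resolvers quickly, and a few large shared resolvers can make unrelated domains look alike, which is why the abstract pairs the raw count with popularity growth and why the clustering is seeded with a known malicious domain rather than treating every dense group as bad. Only the "high" branch is automatic here; anything graded "low" is left for review.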
Specification