Security threat detection based on indications in big data of access to newly registered domains

US 8,826,434 B2
Filed: 07/31/2013
Issued: 09/02/2014
Est. Priority Date: 07/25/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;

extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;

identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;

comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;

determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name; and

analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and

causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

141 Citations

27 Claims

1. A computer-implemented method, comprising:
- separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;
  
  extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;
  
  identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
  
  comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;
  
  determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name; and
  
  analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and
  
  causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 25)
- - 2. The method of claim 1, further comprising:
    - receiving a communication corresponding to an indication as to when the particular accessed domain name was registered with the registrar,wherein the particular registration time is identified based on the communication.
  - 3. The method of claim 1, further comprising:
    - determining that the particular accessed domain name had not been detected in events received prior to the receipt of the set of events;
      
      identifying a first access time of the particular accessed domain name based on a time of receipt of an event in the set of events that includes the particular accessed domain name or based on a time included in one or more events in the set of events that includes the particular accessed domain name.
  - 4. The method of claim 1, wherein the display comprises a graph, a table or a message.
  - 5. The method of claim 1, wherein the particular registration time is identified based on a communication received from Internet Corporation for Assigned Names and Numbers (ICANN).
  - 6. The method of claim 1, further comprising:
    - identifying a subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the subset of accessed domain names is within a defined time period, wherein the subset includes the particular accessed domain name, and wherein the subset includes at least two accessed domain names; and
      
      determining, for each accessed domain name in the subset, a respective access count that represents a subtotal number of events in the set of events that are associated with the accessed domain name;
      
      causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the subset.
  - 7. The method of claim 1, further comprising:
    - receiving an input corresponding to a selection of the particular accessed domain name; and
      
      presenting additional detail pertaining to events in the set of events that included the particular accessed domain name.
  - 8. The method of claim 1, further comprising:
    - identifying a subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the subset of accessed domain names is within a defined time period, wherein the subset includes the particular accessed domain name, and wherein the subset includes at least two accessed domain names; and
      
      determining, for each accessed domain name in the subset, a respective access count that represents a subtotal number of events in the set of events that are associated with the accessed domain name.
  - 25. The method of claim 1, further comprising:
    - causing an indication of the access count to be displayed.

9. A system, comprising:
- one or more data processors; and
  
  a non-transitory computer-readable storage medium containing instructions which when executed on the one or more data processors, cause the one or more processors to perform operations including;
  
  separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;
  
  extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;
  
  identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
  
  comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;
  
  determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name; and
  
  analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and
  
  causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 26)
- - 10. The system of claim 9, wherein the operations further comprise:
    - receiving a communication corresponding to an indication as to when the particular accessed domain name was registered with the registrar,wherein the particular registration time is identified based on the communication.
  - 11. The system of claim 9, wherein the operations further comprise:
    - determining that the particular accessed domain name had not been detected in events received prior to the receipt of the set of events;
      
      identifying a first access time of the particular accessed domain name based on a time of receipt of an event in the set of events that includes the particular accessed domain name or based on a time included in one or more events in the set of events that includes the particular accessed domain name.
  - 12. The system of claim 9, wherein the display comprises a graph, a table or a message.
  - 13. The system of claim 9, wherein the particular registration time is identified based on a communication received from Internet Corporation for Assigned Names and Numbers (ICANN).
  - 14. The system of claim 9, wherein the operations further comprise:
    - identifying a subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the subset of accessed domain names is within a defined time period, wherein the subset includes the particular accessed domain name, and wherein the subset includes at least two accessed domain names; and
      
      determining, for each accessed domain name in the subset, a respective access count that represents a subtotal number of events in the set of events that are associated with the accessed domain name;
      
      causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the subset.
  - 15. The system of claim 9, wherein the operations further comprise:
    - receiving an input corresponding to a selection of the particular accessed domain name; and
      
      presenting additional detail pertaining to events in the set of events that included the particular access domain name.
  - 16. The system of claim 9, wherein the operations further comprise:
    - identifying a subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the subset of accessed domain names is within a defined time period, wherein the subset includes the particular accessed domain name, and wherein the subset includes at least two accessed domain names; and
      
      determining, for each accessed domain name in the subset, a respective access count that represents a subtotal number of events in the set of events that are associated with the accessed domain name.
  - 26. The system of claim 9, wherein the operations further comprise:
    - causing an indication of the access count to be displayed.

17. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause one or more data processors to:
- separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;
  
  extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;
  
  identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
  
  comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;
  
  determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name; and
  
  analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and
  
  causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 27)
- - 18. The computer-program product of claim 17, wherein the operations further comprise:
    - receiving a communication corresponding to an indication as to when the particular accessed domain name was registered with the registrar,wherein the particular registration time is identified based on the communication.
  - 19. The computer-program product of claim 17, wherein the operations further comprise:
    - determining that the particular accessed domain name had not been detected in events received prior to the receipt of the set of events;
      
      identifying a first access time of the particular accessed domain name based on a time of receipt of an event in the set of events that includes the particular accessed domain name or based on a time included in one or more events in the set of events that includes the particular accessed domain name.
  - 20. The computer-program product of claim 17, wherein the display comprises a graph, a table or a message.
  - 21. The computer-program product of claim 17, wherein the particular registration time is identified based on a communication received from Internet Corporation for Assigned Names and Numbers (ICANN).
  - 22. The computer-program product of claim 17, wherein the operations further comprise:
    - identifying a subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the subset of accessed domain names is within a defined time period, wherein the subset includes the particular accessed domain name, and wherein the subset includes at least two accessed domain names; and
      
      determining, for each accessed domain name in the subset, a respective access count that represents a subtotal number of events in the set of events that are associated with the accessed domain name;
      
      causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the subset.
  - 23. The computer-program product of claim 17, wherein the operations further comprise:
    - receiving an input corresponding to a selection of the particular accessed domain name; and
      
      presenting additional detail pertaining to events in the set of events that included the particular access domain name.
  - 24. The computer-program product of claim 17, wherein the operations further comprise:
    - identifying a subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the subset of accessed domain names is within a defined time period, wherein the subset includes the particular accessed domain name, and wherein the subset includes at least two accessed domain names; and
      
      determining, for each accessed domain name in the subset, a respective access count that represents a subtotal number of events in the set of events that are associated with the accessed domain name.
  - 27. The computer-program product of claim 17, wherein the operations further comprise:
    - causing an indication of the access count to be displayed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Merza, Munawar Monzy
Primary Examiner(s)
Okeke, Izunna

Application Number

US13/956,262
Publication Number

US 20130318603A1
Time in Patent Office

398 Days
Field of Search
US Class Current

726/23
CPC Class Codes

A61G 17/0073   Cardboard

A61G 17/04   Fittings for coffins

A61G 17/041   Handles

A61G 17/042   Linings and veneer

A61G 17/044   Corpse supports

G06F 21/50   Monitoring users, programs ...

G06T 11/206   Drawing of charts or graphs

H04L 61/4511   using domain name system [DNS]

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

Security threat detection based on indications in big data of access to newly registered domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

141 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Security threat detection based on indications in big data of access to newly registered domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others