Security threat detection based on indications in big data of access to newly registered domains
First Claim
1. A computer-implemented method, comprising:
- separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;
- extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;
- identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
- comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;
- determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name;
- analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and
- causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.
Abstract
Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. The number of events (accesses) associated with each domain name within a time period is determined. A registrar is further queried to determine when each domain name was registered. An object is generated that includes a representation of the access count and the age since registration for each domain name. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.
141 Citations
27 Claims
1. A computer-implemented method, comprising:
- separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;
- extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;
- identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
- comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;
- determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name;
- analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and
- causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 25

9. A system, comprising:
- one or more data processors; and
- a non-transitory computer-readable storage medium containing instructions which, when executed on the one or more data processors, cause the one or more processors to perform operations including:
- separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;
- extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;
- identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
- comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;
- determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name;
- analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and
- causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 26

17. A computer-program product tangibly embodied in a non-transitory machine-readable storage medium, including instructions configured to cause one or more data processors to:
- separating data collected from one or more traffic logs into a set of events, each event in the set of events including a portion of the data collected from the one or more traffic logs;
- extracting a set of accessed domain names from the set of events, wherein each accessed domain name in the set of accessed domain names is extracted from at least one event in the set of events, and wherein each accessed domain name in the set of accessed domain names serves an accessed webpage;
- identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
- comparing respective registration times of accessed domain names in the set of accessed domain names to identify a particular accessed domain name in the set of accessed domain names, wherein a particular registration time is indicative of when the particular accessed domain name was registered with the registrar, and wherein the particular registration time is recent relative to registration times for other accessed domain names in the set of accessed domain names;
- determining an access count that represents a total number of events in the set of events that are associated with the particular accessed domain name;
- analyzing the access count relative to the registration time to determine if the access count exceeds a threshold number; and
- causing further access to a site represented by the particular accessed domain name to be blocked when the access count exceeds the threshold number.

Dependent claims: 18, 19, 20, 21, 22, 23, 24, 27
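The pipeline the independent claims describe (split logs into events, extract domains, look up registration time, count accesses, block when a recently registered domain exceeds a threshold), as an added example that is not part of the patent or any assignee's code. It assumes a constructed proxy-log line format and replaces the registrar query with a constructed lookup table; "recent" is simplified to a fixed age window in days rather than a comparison against the other domains' ages.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample traffic log: "<ISO timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 GET http://www.example.com/index.html
2024-03-01T10:00:07 10.0.0.5 POST http://update.example.net/check
2024-03-01T10:01:13 10.0.0.8 GET http://fresh-domain.example/page
2024-03-01T10:01:19 10.0.0.8 POST http://fresh-domain.example/beacon
2024-03-01T10:01:25 10.0.0.9 GET http://fresh-domain.example/beacon
2024-03-01T10:02:00 10.0.0.9 GET http://www.example.com/about
2024-03-01T10:02:30 10.0.0.7 POST http://fresh-domain.example/beacon
"""

# Constructed stand-in for the registrar query (domain -> registration date);
# a deployment would query WHOIS/RDAP here. Unknown domains are left out.
REGISTRATION_DATES = {
    "www.example.com": datetime(2005, 6, 1),
    "update.example.net": datetime(2012, 9, 14),
    "fresh-domain.example": datetime(2024, 2, 27),
}
ANALYSIS_TIME = datetime(2024, 3, 1, 11, 0, 0)

def parse_events(log_text):
    """Separate raw log data into events, one per non-empty line."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, client, method, url = line.split()
            events.append({"time": datetime.fromisoformat(ts), "client": client,
                           "method": method, "domain": urlparse(url).hostname})
    return events

def domain_profile(events, registration_dates, now):
    """Access count and age since registration (days) per accessed domain."""
    counts = Counter(e["domain"] for e in events)
    profile = {}
    for domain, count in counts.items():
        registered = registration_dates.get(domain)
        age = (now - registered).days if registered else None  # None: no registrar data
        profile[domain] = {"access_count": count, "age_days": age}
    return profile

def block_rules(profile, max_age_days, threshold):
    """Domains registered within max_age_days whose access count exceeds threshold."""
    return sorted(d for d, p in profile.items()
                  if p["age_days"] is not None and p["age_days"] <= max_age_days
                  and p["access_count"] > threshold)
```

Domains with no registration data are never auto-blocked here; in practice they deserve a separate review queue rather than silent omission.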
Specification