System, method, and computer program product for preventing a modification to a domain name system setting

US 8,869,272 B2
Filed: 08/13/2010
Issued: 10/21/2014
Est. Priority Date: 08/13/2010
Status: Expired due to Fees

First Claim

Patent Images

1. At least one non-transitory tangible computer readable storage medium having instructions stored thereon, the instructions when executed on a machine cause the machine to:

detect an attempt for modification of a domain name system setting;

identify an attribute of the modification;

verify a source of the attempt by executing a hash in order to compare the source against a whitelist that includes predetermined non-malicious sources;

verify the attribute of the modification by comparing the attribute of the modification against at least one of a whitelist containing known good attributes and a blacklist containing known at least potentially malicious attributes;

prevent the modification to the domain name system setting when the verifying of the source of the attempt is indicative that the source is a potentially malicious source and the verifying of the attribute of the modification is indicative that the attribute of the modification is a potentially malicious attribute.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for preventing a modification to a domain name system setting. In use, an attempt to modify a domain name system setting is detected. Additionally, a source of the attempt and an attribute of the modification are verified. Further, the modification to the domain name system setting is prevented, based on the verification.

24 Citations

View as Search Results

15 Claims

1. At least one non-transitory tangible computer readable storage medium having instructions stored thereon, the instructions when executed on a machine cause the machine to:
- detect an attempt for modification of a domain name system setting;
  
  identify an attribute of the modification;
  
  verify a source of the attempt by executing a hash in order to compare the source against a whitelist that includes predetermined non-malicious sources;
  
  verify the attribute of the modification by comparing the attribute of the modification against at least one of a whitelist containing known good attributes and a blacklist containing known at least potentially malicious attributes;
  
  prevent the modification to the domain name system setting when the verifying of the source of the attempt is indicative that the source is a potentially malicious source and the verifying of the attribute of the modification is indicative that the attribute of the modification is a potentially malicious attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer readable storage medium of claim 1, wherein the domain name system setting includes a setting of a value in a registry.
  - 3. The computer readable storage medium of claim 1, wherein the domain name system setting includes an Internet Protocol (IP) address setting.
  - 4. The computer readable storage medium of claim 1, wherein the attempt to modify the domain name system setting includes an attempt to change or replace an internet protocol (IP) address to a malicious IP address.
  - 5. The computer readable storage medium of claim 1, wherein the computer program product is operable such that the attempt to modify the domain name system setting is intercepted.
  - 6. The computer readable storage medium of claim 1, wherein the source of the attempt includes a process.
  - 7. The computer readable storage medium of claim 1, wherein the source of the attempt is verified by comparing the source of the attempt against one or more data structures.
  - 8. The computer readable storage medium of claim 1, wherein the source of the attempt is verified by comparing the source of the attempt against a blacklist containing known at least potentially malicious sources.
  - 9. The computer readable storage medium of claim 1, wherein the attribute of the modification is verified by comparing the attribute of the modification against one or more data structures.
  - 10. The computer readable storage medium of claim 1, wherein the computer program product is operable such that the source of the attempt is verified at one server, and the attribute of the modification is verified at another server.
  - 11. The computer readable storage medium of claim 1, wherein the computer program product is operable such that both the source of the attempt and the attribute of the modification are verified at a single server.
  - 12. The computer readable storage medium of claim 1, wherein the modification to the domain name system setting is prevented if the source of the attempt is determined to be a malicious source or at least a potentially malicious source.

13. A method to be performed by a computer that includes a processor and a memory, comprising:
- detecting an attempt for modification of a domain name system setting;
  
  identifying an attribute of the modification;
  
  verifying a source of the attempt by executing a hash in order to compare the source against a whitelist that includes predetermined non-malicious sources;
  
  verifying the attribute of the modification by comparing the attribute of the modification against at least one of a whitelist containing known good attributes and a blacklist containing known at least potentially malicious attributes;
  
  preventing the modification to the domain name system setting when the verifying of the source of the attempt is indicative that the source is a potentially malicious source and the verifying of the attribute of the modification is indicative that the attribute of the modification is a potentially malicious attribute.

14. A system, comprising:
- a processor; and
  
  a memory, wherein the system is configured for;
  
  detecting an attempt for modification of a domain name system setting;
  
  identifying an attribute of the modification;
  
  verifying a source of the attempt by executing a hash in order to compare the source against a whitelist that includes predetermined non-malicious sources;
  
  verifying the attribute of the modification by comparing the attribute of the modification against at least one of a whitelist containing known good attributes and a blacklist containing known at least potentially malicious attributes;
  
  preventing the modification to the domain name system setting when the verifying of the source of the attempt is indicative that the source is a potentially malicious source and the verifying of the attribute of the modification is indicative that the attribute of the modification is a potentially malicious attribute.
- View Dependent Claims (15)
- - 15. The system of claim 14, wherein the processor is coupled to the memory via a bus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Kumar, Lokesh, Ramachetty, Harinath Vishwanath, Kishore, Nandi Dharma
Primary Examiner(s)
Whipple, Brian P

Application Number

US12/856,534
Publication Number

US 20130247183A1
Time in Patent Office

1,530 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

System, method, and computer program product for preventing a modification to a domain name system setting

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

System, method, and computer program product for preventing a modification to a domain name system setting

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others