Identification of malware sites using unknown URL sites and newly registered DNS addresses
First Claim
1. A system, comprising:
- a processor configured to:
perform a heuristic analysis for information associated with a network site, wherein performing a heuristic analysis for information associated with a network site further comprises:
determine whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;
determine whether an IP address related to the network site is periodically unavailable based on DNS presence information; and
determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
assign a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious; and
a memory coupled to the processor and configured to provide the processor with instructions.
Abstract
In some embodiments, identification of malware sites using unknown URL sites and newly registered DNS addresses includes performing a heuristic analysis for information associated with a network site; and assigning a score based on the heuristic analysis, in which the score indicates whether the network site is potentially malicious. In some embodiments, the system includes a security appliance that is in communication with the Internet. In some embodiments, the network site is associated with a network domain and/or a network uniform resource locator (URL). In some embodiments, performing a heuristic analysis for information associated with a network site further includes determining if a network site has recently been registered. In some embodiments, performing a heuristic analysis for information associated with a network site further includes determining if a network site is associated with recently changed DNS information. In some embodiments, performing a heuristic analysis for information associated with a network site further includes determining geographical information as well as an IP network location associated with the network site.
24 Claims
1. A system, comprising:
- a processor configured to:
perform a heuristic analysis for information associated with a network site, wherein performing a heuristic analysis for information associated with a network site further comprises:
determine whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;
determine whether an IP address related to the network site is periodically unavailable based on DNS presence information; and
determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
assign a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious; and
- a memory coupled to the processor and configured to provide the processor with instructions.
(Dependent claims: 2, 3, 4, 5)

6. A method, comprising:
- performing a heuristic analysis for information associated with a network site using a processor of a device in communication with a network, wherein performing a heuristic analysis for information associated with a network site further comprises:
determining whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
in the event that the DNS information of the network site has changed, determining when the change in the DNS information occurred;
determining whether an IP address related to the network site is periodically unavailable based on DNS presence information; and
determining source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
- assigning a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious.
(Dependent claims: 7)

8. A system, comprising:
- a processor configured to:
determine if a network site has recently been registered;
determine whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;
determine whether an IP address related to the network site is periodically unavailable based on DNS presence information;
determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
assign a score based on a length of time since a domain registration, whether the DNS information of the network site has changed, and the source information associated with the network site, wherein the score indicates whether the network site is potentially malicious; and
- a memory coupled to the processor and configured to provide the processor with instructions.

9. A system, comprising:
- a processor configured to:
determine a plurality of network sites that have recently been registered;
determine whether a network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;
determine whether an IP address related to the network site is periodically unavailable based on DNS presence information;
determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
generate a list of potentially malicious network sites based on the plurality of network sites that have recently been registered, whether the DNS information of the network site has changed, and the source information associated with the network site; and
- a memory coupled to the processor and configured to provide the processor with instructions.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
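The abstract and the claims above enumerate the signals the heuristic scores: recent registration, a DNS change that pairs a registrant change with a move outside the previous subnet and how recently that change occurred, periodic unavailability from DNS presence data, and RIR/BGP-derived source information. The following Python sketch is an added illustration of one way to combine those signals into a score; it is not code from the patent or its assignee. The weights, the thresholds, the /24 subnet model, the `SiteRecord` shape, the sample records and the high-risk ASN/country sets are all assumptions made here, and the RIR and BGP lookups are assumed to have been resolved into the `country` and `asn` fields before scoring.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date

# Hypothetical record shape (assumed here, not from the patent). Each DNS
# history entry is (observation date, registrant, resolved IP), oldest first;
# `resolvable` holds the outcomes of periodic DNS presence probes.
@dataclass
class SiteRecord:
    domain: str
    registered: date
    dns_history: list
    resolvable: list
    country: str   # geographic attribution, assumed derived from RIR data
    asn: int       # originating AS, assumed derived from a BGP table

# Constructed reference sets standing in for RIR/BGP-derived reputation data.
HIGH_RISK_ASNS = {64512}        # private-use ASN, placeholder only
HIGH_RISK_COUNTRIES = {"ZZ"}    # user-assigned code, placeholder only

RECENT_REGISTRATION_DAYS = 30   # assumed thresholds, not values from the patent
RECENT_CHANGE_DAYS = 14
MALICIOUS_THRESHOLD = 50


def dns_change(record):
    """Detect a change in DNS information as the claims define it: the
    registrant changed AND the new IP lies outside the previous IP's subnet
    (modelled here as the /24). Returns (changed, date_of_change)."""
    for prev, cur in zip(record.dns_history, record.dns_history[1:]):
        _, prev_owner, prev_ip = prev
        when, cur_owner, cur_ip = cur
        prev_net = ipaddress.ip_network(f"{prev_ip}/24", strict=False)
        if cur_owner != prev_owner and ipaddress.ip_address(cur_ip) not in prev_net:
            return True, when
    return False, None


def periodically_unavailable(record, min_failures=2):
    """Periodic unavailability from DNS presence probes: the name sometimes
    resolves and sometimes does not (at least `min_failures` misses)."""
    failures = record.resolvable.count(False)
    return failures >= min_failures and any(record.resolvable)


def score_site(record, today):
    """Assign a heuristic score; higher means more likely malicious.
    Weights are illustrative assumptions, not values from the patent."""
    score, reasons = 0, []
    if (today - record.registered).days < RECENT_REGISTRATION_DAYS:
        score += 30
        reasons.append("recently registered")
    changed, when = dns_change(record)
    if changed:
        score += 20
        reasons.append("ownership and subnet changed")
        if (today - when).days < RECENT_CHANGE_DAYS:
            score += 15
            reasons.append("DNS change is recent")
    if periodically_unavailable(record):
        score += 15
        reasons.append("periodically unresolvable")
    if record.asn in HIGH_RISK_ASNS:
        score += 10
        reasons.append("high-risk ASN")
    if record.country in HIGH_RISK_COUNTRIES:
        score += 10
        reasons.append("high-risk geography")
    return score, reasons


def is_potentially_malicious(score):
    return score >= MALICIOUS_THRESHOLD


TODAY = date(2024, 2, 1)

# Constructed sample: freshly registered, changed hands and moved networks,
# flaps in DNS, and sits in the placeholder high-risk ASN/country.
SUSPICIOUS = SiteRecord(
    domain="example-newly-registered.test",
    registered=date(2024, 1, 10),
    dns_history=[(date(2024, 1, 10), "registrant-a", "203.0.113.5"),
                 (date(2024, 1, 25), "registrant-b", "198.51.100.9")],
    resolvable=[True, False, True, False, True],
    country="ZZ", asn=64512)

# Constructed sample: long-lived domain whose IP moved within the same /24
# under the same registrant, always resolvable, in unremarkable sources.
BENIGN = SiteRecord(
    domain="example-established.test",
    registered=date(2015, 3, 1),
    dns_history=[(date(2015, 3, 1), "corp", "192.0.2.10"),
                 (date(2020, 6, 1), "corp", "192.0.2.20")],
    resolvable=[True] * 5,
    country="US", asn=64496)

if __name__ == "__main__":
    for site in (SUSPICIOUS, BENIGN):
        score, reasons = score_site(site, TODAY)
        print(site.domain, score, is_potentially_malicious(score), reasons)
```

Running it prints a score, the verdict and the contributing reasons for each constructed record. In a deployment the registrant and IP history would come from WHOIS/RDAP and passive DNS observations, the presence probes from scheduled resolution attempts, and the weights and thresholds would be tuned against labelled data; keeping the reasons alongside the score is what lets an analyst review why a site was flagged.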