System and method for detecting DNS traffic anomalies

US 9,172,716 B2
Filed: 11/08/2012
Issued: 10/27/2015
Est. Priority Date: 11/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for analyzing Domain Name System (DNS) lookup data, comprising:

calculating, by a processor, a plurality of traffic scores for a network address that includes a domain name based on a set of DNS lookup data associated with the network address, wherein the set of DNS lookup data includes a plurality of source network addresses of queriers;

obtaining two or more traffic scores of the plurality of traffic scores based on numbers of unique Recursive Name Servers (RNSs) requesting the network address during a same time window within two or more respective time periods, wherein the two or more traffic scores include a current traffic score that corresponds to the same time window of a current time period and a previous traffic score that corresponds to the same time window of at least one previous time period;

calculating an updated traffic score based on an average of the current traffic score and the previous traffic score;

updating the current traffic score based on the updated traffic score;

calculating, subsequent to updating the current traffic score, a first variance based on a variation between the two or more traffic scores;

calculating two or more geolocation percentages for the network address based on different geolocations associated with one or more of the plurality of source network addresses of one or more of the queriers requesting the network address during the same time window of the two or more respective time periods;

calculating a second variance for the network address based on a variation between the two or more geolocation percentages; and

determining a rank of the network address based on the first and second variances.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for analyzing domain name system (“DNS”) lookup data perform operations that may include: calculating traffic scores for a network address based on a set of DNS lookup data associated with the network address, where the set of DNS lookup data includes a plurality of query records having one or more queried network addresses; calculating a first variance and a second variance for the network address based on the traffic scores for the network address; and determining a rank of the network address based on the first and second variances.

Citations

26 Claims

1. A computer-implemented method for analyzing Domain Name System (DNS) lookup data, comprising:
- calculating, by a processor, a plurality of traffic scores for a network address that includes a domain name based on a set of DNS lookup data associated with the network address, wherein the set of DNS lookup data includes a plurality of source network addresses of queriers;
  
  obtaining two or more traffic scores of the plurality of traffic scores based on numbers of unique Recursive Name Servers (RNSs) requesting the network address during a same time window within two or more respective time periods, wherein the two or more traffic scores include a current traffic score that corresponds to the same time window of a current time period and a previous traffic score that corresponds to the same time window of at least one previous time period;
  
  calculating an updated traffic score based on an average of the current traffic score and the previous traffic score;
  
  updating the current traffic score based on the updated traffic score;
  
  calculating, subsequent to updating the current traffic score, a first variance based on a variation between the two or more traffic scores;
  
  calculating two or more geolocation percentages for the network address based on different geolocations associated with one or more of the plurality of source network addresses of one or more of the queriers requesting the network address during the same time window of the two or more respective time periods;
  
  calculating a second variance for the network address based on a variation between the two or more geolocation percentages; and
  
  determining a rank of the network address based on the first and second variances.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, further comprising;
    - receiving the DNS lookup data from a top-level domain DNS server.
  - 3. The computer-implemented method of claim 1, wherein the DNS lookup data is related to a group of network addresses.
  - 4. The computer-implemented method of claim 1, wherein each time period corresponds to a week and each time window corresponds to a day of the week, the method further comprising:
    - obtaining a first daily traffic score calculated based on a number of unique RNSs requesting the network address during a specific day of a first week;
      
      obtaining a second daily traffic score calculated based on a number of unique RNSs requesting the network address during the specific day of at least one week prior to the first week;
      
      calculating an updated daily traffic score based on an average of the first daily traffic score and the second deli traffic scores;
      
      updating the first daily traffic score based on the updated daily traffic score; and
      
      calculating, subsequent to updating the first daily traffic score, the first variance based on a variation between the first and second daily traffic scores.
  - 5. The computer-implemented method of claim 1, wherein each time period corresponds to a week and each time window corresponds to a day of the week, the method further comprising:
    - calculating a current daily traffic score for a current day of a current week.
  - 6. The computer-implemented method of claim 5, further comprising:
    - calculating an updated daily traffic score based on an average of the current daily traffic score and a previous daily traffic score corresponding to the current day of one or more previous weeks; and
      
      updating the current daily traffic score based on the updated daily traffic score.
  - 7. The computer-implemented method of claim 6, further comprising:
    - calculating the first variance, subsequent to updating the current daily traffic score, based on a variation between the previous daily traffic score and the current daily traffic score.
  - 8. The computer-implemented method of claim 1, wherein calculating the updated traffic score further comprises:
    - normalizing the previous traffic score based on a number of time periods in the at least one previous time period.
  - 9. The computer-implemented method of claim 1, further comprising:
    - updating at least one of the two or more geolocation percentages at least once a day, wherein updating the at least one geolocation percentage includes removing a geolocation of the different geolocations having an amount of traffic below a threshold within a predetermined period.
  - 10. The computer-implemented method of claim 1, herein the two or more respective time periods have a same duration.
  - 11. The computer-implemented method of claim 1, further comprising:
    - calculating the second variance, based on a variation between two or more daily geolocation percentages over a series of two or more days.
  - 12. The computer-implemented method of claim 1, further comprising:
    - determining if the network address has traffic anomalies based on the rank.
  - 13. The computer-implemented method of claim 1, further comprising:
    - detecting a traffic variation that corresponds to a holiday in a time period of the two or more time periods; and
      
      modifying, based on the traffic variation, at least one traffic score of the two or more traffic scores, wherein the at least one traffic score is associated with the time period.

14. A system for analyzing Domain Name System (DNS) lookup data, comprising:
- a processor; and
  
  a memory communicatively coupled to the processor;
  
  wherein the processor is configured to perform operations comprising;
  
  calculating a plurality of traffic scores for a network address that includes a domain name based on a set of DNS lookup data associated with the network address, wherein the set of DNS lookup data includes a plurality of source network addresses of queriers;
  
  obtaining two or more traffic scores of the plurality of traffic scores based on numbers of unique Recursive Name Servers (RNSs) requesting the network address during a same time window within two or more respective time periods wherein the two or more traffic scores include a current traffic score that corresponds to the same time window of a current time period and a previous traffic score that corresponds to the same time window of at least one previous time period;
  
  calculating an updated traffic score based on an average of the current traffic score and the previous traffic score;
  
  updating the current traffic score based on the updated traffic score;
  
  calculating, subsequent to updating the current traffic score a first variance based on a variation between the two or more traffic scores;
  
  calculating two or more geoiocation percentages for the network address based on different geolocations associated with one or more of the plurality of source network addresses of one or more of the queriers requesting the network address during the same time window of the two or more respective time periods;
  
  calculating a second variance for the network address based on a variation between the two or more geolocation percentages; and
  
  determining a rank of the network address based on the first and second variances.
- View Dependent Claims (15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the processor is further configured to perform operations comprising:
    - receiving the DNS lookup data from a top-level domain DNS server.
  - 16. The system of claim 14, wherein the DNS lookup data is related to a group of network addresses.
  - 18. The system of claim 14, wherein each time period corresponds to a week and each time window corresponds to a day of the week, and wherein the processor is further configured to perform operations comprising:
    - calculating a current daily traffic score for a current day of a current week.
  - 19. The system of claim 18, wherein the processor is further configured to perform operations comprising:
    - calculating an updated daily traffic score based on an average of the current daily traffic score and a previous daily traffic score corresponding to the current day of one or more previous weeks; and
      
      updating the current daily traffic score based on the updated daily traffic score.
  - 20. The system of claim 19, wherein the processor is urther configured to perform operations comprising:
    - calculating the first variance, subsequent to updating the current daily traffic score, based on a variation between the previous daily traffic score and the current daily traffic score.
  - 21. The system of claim 14, wherein the processor is further configured to perform operations comprising:
    - normalizing the previous traffic score based on a number of time periods in the at least one previous time period.
  - 22. The system of claim 14, wherein the processor is further configured to perform operations comprising:
    - updating at least one of the two or more geolocation percentages at least once a day, wherein updating the at least one geolocation percentage includes removing a geolocation of the different geolocations having an amount of traffic below a threshold within a predetermined period.
  - 23. The system of claim 14, wherein the two or more respective time periods have a same duration.
  - 24. The system of claim 14, wherein the processor is further configured to perform operations comprising:
    - calculating the second variance based on a variation between two or more daily geolocation percentages over a series of two or more days.
  - 25. The system of claim 14, wherein the processor is further configured to perform operations comprising:
    - determining if the network address has traffic area anomalies based on the rank.
  - 26. The system of claim 14, wherein the processor is further configured to perform operations comprising:
    - detecting a traffic variation that corresponds in time to a holiday in a time period of the two or more time periods; and
      
      modifying, based on the traffic variation, at least one traffic score of the two or more traffic scores, wherein the at least one traffic score is associated with the time period.

17. The system of cairn 14, wherein each time period corresponds to a week and each time window corresponds to a day of the week, and wherein the processor is further configured to perform operations comprising:
- obtaining a first daily traffic score calculated based on a number of unique RNSs requesting the network address during a specific day of a first week;
  
  obtaining a second daily traffic score calculated based on a number of unique RNSs requesting the network address during the specific day of at least one week prior to the first week;
  
  calculating an updated daily traffic score based on an average of the first daily traffic score and the second daily traffic score;
  
  updating the first daily traffic score based on the updated daily traffic score; and
  
  calculating, subsequent to updating the first daily traffic score, the first variance based on a variation between the first and second daily traffic scores.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Mugali, Aditya Anand Jr., Simpson, Andrew W., Walker, Scott King
Primary Examiner(s)
Alam, Hosain
Assistant Examiner(s)
MCQUITERY, DIEDRA M

Application Number

US13/672,277
Publication Number

US 20130117282A1
Time in Patent Office

1,083 Days
Field of Search

707748-754, 707/E17.005, 707/E17.014, 707/603, 707/723, 707/736, 707/741, 707/999.007, 707/999.104, 707/999.107, 707/999.2, 707/705, 709223-224, 709/250, 709/206, 709/217, 709/225, 709/226, 709/230, 709/231, 709/201, 709/219, 709/227, 709/228, 709/245, 726 22- 24, 719/318
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

System and method for detecting DNS traffic anomalies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting DNS traffic anomalies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links