System and method for detecting DNS traffic anomalies
First Claim
1. A computer-implemented method for analyzing Domain Name System (DNS) lookup data, comprising:
- calculating, by a processor, a plurality of traffic scores for a network address that includes a domain name based on a set of DNS lookup data associated with the network address, wherein the set of DNS lookup data includes a plurality of source network addresses of queriers;
- obtaining two or more traffic scores of the plurality of traffic scores based on numbers of unique Recursive Name Servers (RNSs) requesting the network address during a same time window within two or more respective time periods, wherein the two or more traffic scores include a current traffic score that corresponds to the same time window of a current time period and a previous traffic score that corresponds to the same time window of at least one previous time period;
- calculating an updated traffic score based on an average of the current traffic score and the previous traffic score;
- updating the current traffic score based on the updated traffic score;
- calculating, subsequent to updating the current traffic score, a first variance based on a variation between the two or more traffic scores;
- calculating two or more geolocation percentages for the network address based on different geolocations associated with one or more of the plurality of source network addresses of one or more of the queriers requesting the network address during the same time window of the two or more respective time periods;
- calculating a second variance for the network address based on a variation between the two or more geolocation percentages; and
- determining a rank of the network address based on the first and second variances.
Abstract
Systems and methods for analyzing domain name system (“DNS”) lookup data perform operations that may include: calculating traffic scores for a network address based on a set of DNS lookup data associated with the network address, where the set of DNS lookup data includes a plurality of query records having one or more queried network addresses; calculating a first variance and a second variance for the network address based on the traffic scores for the network address; and determining a rank of the network address based on the first and second variances.
26 Claims
14. A system for analyzing Domain Name System (DNS) lookup data, comprising:
- a processor; and
- a memory communicatively coupled to the processor;
- wherein the processor is configured to perform operations comprising:
- calculating a plurality of traffic scores for a network address that includes a domain name based on a set of DNS lookup data associated with the network address, wherein the set of DNS lookup data includes a plurality of source network addresses of queriers;
- obtaining two or more traffic scores of the plurality of traffic scores based on numbers of unique Recursive Name Servers (RNSs) requesting the network address during a same time window within two or more respective time periods, wherein the two or more traffic scores include a current traffic score that corresponds to the same time window of a current time period and a previous traffic score that corresponds to the same time window of at least one previous time period;
- calculating an updated traffic score based on an average of the current traffic score and the previous traffic score;
- updating the current traffic score based on the updated traffic score;
- calculating, subsequent to updating the current traffic score, a first variance based on a variation between the two or more traffic scores;
- calculating two or more geolocation percentages for the network address based on different geolocations associated with one or more of the plurality of source network addresses of one or more of the queriers requesting the network address during the same time window of the two or more respective time periods;
- calculating a second variance for the network address based on a variation between the two or more geolocation percentages; and
- determining a rank of the network address based on the first and second variances.
17. The system of claim 14, wherein each time period corresponds to a week and each time window corresponds to a day of the week, and wherein the processor is further configured to perform operations comprising:
- obtaining a first daily traffic score calculated based on a number of unique RNSs requesting the network address during a specific day of a first week;
- obtaining a second daily traffic score calculated based on a number of unique RNSs requesting the network address during the specific day of at least one week prior to the first week;
- calculating an updated daily traffic score based on an average of the first daily traffic score and the second daily traffic score;
- updating the first daily traffic score based on the updated daily traffic score; and
- calculating, subsequent to updating the first daily traffic score, the first variance based on a variation between the first and second daily traffic scores.
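A worked illustration of the scoring pipeline in claims 1 and 17 (weekly periods, one weekday as the time window), written as an added example and not code from the patent or its assignee. The sample lookup data is constructed; the patent does not fix how the current score is averaged against several previous periods, which country a geolocation percentage is measured against, or how the two variances combine into a rank, so each of those choices is an assumption marked in the code.

```python
from collections import Counter
from statistics import mean, pvariance

# Constructed sample data (not from the patent): for each domain, the queriers
# seen in the same time window (one weekday) of three consecutive time periods
# (weeks), oldest period first. Each entry is (RNS source address, RNS country).
SAMPLE = {
    "steady.example": [
        [("10.0.0.1", "US"), ("10.0.0.2", "US"), ("10.0.0.3", "DE")],
        [("10.0.0.1", "US"), ("10.0.0.2", "US"), ("10.0.0.4", "DE")],
        [("10.0.0.1", "US"), ("10.0.0.5", "US"), ("10.0.0.3", "DE")],
    ],
    "spiky.example": [
        [("10.0.1.1", "US")],
        [("10.0.1.1", "US"), ("10.0.1.2", "US")],
        [("10.0.1.%d" % i, "BR") for i in range(1, 11)],
    ],
}

def traffic_scores(windows):
    """Traffic score of each period: number of unique RNSs querying in the window."""
    return [len({rns for rns, _ in w}) for w in windows]

def smooth_current(scores):
    """Replace the current (last) score with the average of itself and the previous
    score, as claim 1 requires before the first variance is taken (assumption:
    'previous score' is the mean of all earlier periods)."""
    current, previous = scores[-1], scores[:-1]
    return previous + [mean([current, mean(previous)])]

def geo_percentages(windows, home):
    """Per period: percentage of unique RNSs geolocated in `home`."""
    out = []
    for w in windows:
        countries = dict(w).values()           # one country per unique RNS
        out.append(100.0 * sum(c == home for c in countries) / len(countries))
    return out

def analyze(windows):
    """First variance over smoothed scores, second over geolocation percentages
    (assumption: 'home' is the dominant country of the oldest period)."""
    scores = smooth_current(traffic_scores(windows))
    home = Counter(dict(windows[0]).values()).most_common(1)[0][0]
    geo = geo_percentages(windows, home)
    return {"scores": scores, "geo_pct": geo,
            "var_traffic": pvariance(scores), "var_geo": pvariance(geo)}

def rank_domains(sample):
    """Rank domains most anomalous first (assumption: rank key is the variance sum)."""
    results = {d: analyze(w) for d, w in sample.items()}
    return sorted(results, key=lambda d: results[d]["var_traffic"] + results[d]["var_geo"], reverse=True)
```

The steady domain scores 0 on both variances; the spiky one has its current score pulled down from 10 to 5.75 by the averaging step but still ranks first on both the traffic and the geolocation variance.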