
System and method for detecting DNS traffic anomalies

  • US 9,172,716 B2
  • Filed: 11/08/2012
  • Issued: 10/27/2015
  • Est. Priority Date: 11/08/2011
  • Status: Active Grant
First Claim

1. A computer-implemented method for analyzing Domain Name System (DNS) lookup data, comprising:

  • calculating, by a processor, a plurality of traffic scores for a network address that includes a domain name based on a set of DNS lookup data associated with the network address, wherein the set of DNS lookup data includes a plurality of source network addresses of queriers;

  • obtaining two or more traffic scores of the plurality of traffic scores based on numbers of unique Recursive Name Servers (RNSs) requesting the network address during a same time window within two or more respective time periods, wherein the two or more traffic scores include a current traffic score that corresponds to the same time window of a current time period and a previous traffic score that corresponds to the same time window of at least one previous time period;

  • calculating an updated traffic score based on an average of the current traffic score and the previous traffic score;

  • updating the current traffic score based on the updated traffic score;

  • calculating, subsequent to updating the current traffic score, a first variance based on a variation between the two or more traffic scores;

  • calculating two or more geolocation percentages for the network address based on different geolocations associated with one or more of the plurality of source network addresses of one or more of the queriers requesting the network address during the same time window of the two or more respective time periods;

  • calculating a second variance for the network address based on a variation between the two or more geolocation percentages; and

  • determining a rank of the network address based on the first and second variances.
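The scoring steps of the claim, worked through in Python on constructed lookup data (added here as an illustration; this is not the patent's or any vendor's code). It assumes one time window observed in two daily periods, uses the population variance for both variances, sums the per-country geolocation variances to get the second variance, and ranks by the plain sum of the two variances; the patent does not specify those choices.

```python
"""Worked example of the claim's traffic-score and geolocation-variance steps."""
from collections import defaultdict
from statistics import mean, pvariance

# Constructed sample: (domain, period, RNS source address, country) for one
# time window (say 14:00-15:00) seen in two daily periods. Not real traffic.
LOOKUPS = [
    ("shop.example", "day1", "10.0.0.1", "US"), ("shop.example", "day1", "10.0.0.2", "US"),
    ("shop.example", "day1", "10.0.0.3", "DE"),
    ("shop.example", "day2", "10.0.0.1", "US"), ("shop.example", "day2", "10.0.0.2", "US"),
    ("shop.example", "day2", "10.0.0.4", "DE"),
    ("odd.example", "day1", "10.0.0.1", "US"), ("odd.example", "day1", "10.0.0.5", "US"),
    ("odd.example", "day2", "10.0.1.1", "BR"), ("odd.example", "day2", "10.0.1.2", "BR"),
    ("odd.example", "day2", "10.0.1.3", "BR"), ("odd.example", "day2", "10.0.1.4", "RU"),
    ("odd.example", "day2", "10.0.1.5", "RU"), ("odd.example", "day2", "10.0.1.6", "CN"),
]

def score_domain(domain, lookups, previous="day1", current="day2"):
    """Return (first_variance, second_variance, rank_score) for one domain."""
    rns = defaultdict(set)                          # period -> unique RNS addresses
    geo = defaultdict(lambda: defaultdict(set))     # period -> country -> addresses
    for d, period, ip, country in lookups:
        if d == domain:
            rns[period].add(ip)
            geo[period][country].add(ip)
    # traffic score = number of unique RNSs in the window of each period
    prev_score = len(rns[previous])
    cur_score = len(rns[current])
    # updated score is the average of current and previous; it replaces the current score
    cur_score = mean([cur_score, prev_score])
    first_var = pvariance([cur_score, prev_score])
    # geolocation percentage per country in each period (0 if no queriers that period),
    # then variance across periods; assumption: sum the per-country variances
    countries = set(geo[previous]) | set(geo[current])
    second_var = 0.0
    for c in countries:
        pcts = [100.0 * len(geo[p][c]) / len(rns[p]) if rns[p] else 0.0
                for p in (previous, current)]
        second_var += pvariance(pcts)
    rank_score = first_var + second_var             # assumption: higher = more anomalous
    return first_var, second_var, rank_score

def rank_domains(lookups):
    """Rank every domain in the data, most anomalous first."""
    scored = {d: score_domain(d, lookups) for d in {row[0] for row in lookups}}
    return sorted(scored, key=lambda d: scored[d][2], reverse=True)
```

The stable domain scores zero on both variances, while the one whose querier count and country mix both shift between periods is ranked first.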
