Network protection service

US 9,185,127 B2
Filed: 07/06/2011
Issued: 11/10/2015
Est. Priority Date: 07/06/2011
Status: Active Grant

First Claim

Patent Images

1. A network protection method, the method comprising:

receiving, within an internet service provider network, a Domain Name System (DNS) request in a system including a DNS resolver;

logging the DNS request;

classifying the DNS request based on an analysis of a DNS name associated with the DNS request;

taking a security action based on the classification;

analyzing network traffic and content after taking the security action; and

providing a feedback loop based on the analysis of the network traffic to improve future DNS request classifications, in which the feedback loop refers to live, real-time collection of DNS usage patterns from various network protection system (NPS) deployments.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network protection method is provided. The network protection method may include receiving a Domain Name System (DNS) request, logging the DNS request, classifying the DNS request based on an analysis of a DNS name associated with the DNS request, taking a security action based on the classification, analyzing network traffic after taking the security action, and providing substantially real-time feedback associated with the network traffic to improve future DNS request classifications. The method may further include receiving a DNS response and logging the DNS response. The analysis of the DNS name may include receiving DNS data related to the DNS name from a plurality of sources, receiving reputation data related to the plurality of sources, scoring each of the plurality of sources based on the reputation data, and aggregating the DNS data related to the DNS name based on the scoring.

119 Citations

View as Search Results

20 Claims

1. A network protection method, the method comprising:
- receiving, within an internet service provider network, a Domain Name System (DNS) request in a system including a DNS resolver;
  
  logging the DNS request;
  
  classifying the DNS request based on an analysis of a DNS name associated with the DNS request;
  
  taking a security action based on the classification;
  
  analyzing network traffic and content after taking the security action; and
  
  providing a feedback loop based on the analysis of the network traffic to improve future DNS request classifications, in which the feedback loop refers to live, real-time collection of DNS usage patterns from various network protection system (NPS) deployments.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising:
    - receiving the DNS response; and
      
      logging the DNS response.
  - 3. The method of claim 1, wherein the analysis of the DNS name includes:
    - receiving DNS data related to the DNS name from a plurality of sources;
      
      receiving reputation data related to the plurality of sources;
      
      scoring each of the plurality of sources based on the reputation data; and
      
      aggregating the DNS data related to the DNS name based on the scoring.
  - 4. The method of claim 3, wherein the analysis is further based on associations of the DNS name.
  - 5. The method of claim 3, wherein the aggregation includes averaging results of the scoring.
  - 6. The method of claim 3, wherein the analysis is prioritized based on popularity of the DNS name.
  - 7. The method of claim 3, wherein the analysis includes determining whether the DNS request includes data related to another network protocol.
  - 8. The method of claim 3, further comprising periodically updating the plurality of sources.
  - 9. The method of claim 3, wherein the DNS data includes one or more of the following:
    - a domain owner associated with the DNS name, whether or not the DNS name has been associated with a malicious activity, whether or not the DNS name has been set up for future malicious activities, reputation of an Internet Protocol (IP) address associated with the DNS name, and the name, IP address, and the reputation of an authoritative server used to lookup an answer for the DNS name.
  - 10. The method of claim 3, wherein the plurality of sources includes the network providing real-time feedback associated with the network traffic.
  - 11. The method of claim 1, wherein classifying includes attributing one or more categories to the DNS request.
  - 12. The method of claim 11, wherein at least one of the categories is indicative of a misconfigured network resource.
  - 13. The method of claim 11, wherein at least one of the categories is indicative of a botnet.
  - 14. The method of claim 11, wherein at least one of the categories is indicative of an illegal site.
  - 15. The method of claim 1, wherein taking the security action includes generating a list of domains having an impact on traffic associated with the network.
  - 16. The method of claim 1, wherein the security action includes one or more of the following:
    - blocking the DNS request, providing a DNS response, providing a mitigated DNS response, and monitoring network traffic after serving a DNS response.
  - 17. The method of claim 16, wherein the blocking the DNS request occurs based on a classification of the DNS name associated with the DNS request as malicious or unwanted.
  - 18. The method of claim 16, wherein the blocking the DNS request is based on results of a security action that monitors the entire traffic.
  - 19. The method of claim 1, wherein the analysis is further based on information received from an agent residing on an end-user machine.
  - 20. The method of claim 1, wherein the analysis further includes the active gathering of unrecognized domain names.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
Nominum Incorporated (Akamai Technologies, Inc.)
Inventors
Neou, Vivian, Wilbourn, Robert S., Wu, Handong, Liu, Eileen, Shannon, Colleen, Bretheim, Sam
Primary Examiner(s)
Revak, Christopher

Application Number

US13/177,504
Publication Number

US 20130014253A1
Time in Patent Office

1,588 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 2463/144 Detection or countermeasure...

H04L 63/1441 Countermeasures against mal...

Network protection service

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Network protection service

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others