Domain classification based on client request behavior

US 9,191,402 B2
Filed: 01/25/2013
Issued: 11/17/2015
Est. Priority Date: 01/25/2013
Status: Active Grant

First Claim

Patent Images

1. A method of processing communication in a computer network, comprising:

processing network traffic by web server or a nameserver to determine information related to requests from a plurality of clients for a plurality of domains, the information including for each client a set of domains associated with requests from the client and including for each domain a set of clients associated with requests for the domain;

generating by an application server security rankings for the plurality of clients based on a predetermined classification for one or more of the plurality of domains and an iterative determination using a security ranking for the plurality of domains, wherein the security ranking for each client is determined from the set of domains associated with the client;

generating by the application server the security rankings for the plurality of domains based on the security ranking for the plurality of clients, wherein the security ranking for each domain is based on the security rankings of the set of clients associated with requests for the each domain;

generating by the application server a domain classification for the plurality of domains based on the security rankings of the plurality of domains; and

processing additional network traffic by the web server or the nameserver using the domain classification for the plurality of domains.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for domain classification using the network request behavior of clients are provided. The network requests of a plurality of clients are analyzed to determine a domain corresponding to each request. This information can be used to associate a set of domains with each individual client. Because of the reciprocal nature of a network request, the information is also used to associate a set of clients with each individual domain. Within the plurality of domains associated with the plurality of clients, there may exist known domains having a classification and unknown domains having no classification. Based on the correlation of clients and domains from their respective associations, the system generates domain classification information for at least one of the unknown domains.

102 Citations

View as Search Results

24 Claims

1. A method of processing communication in a computer network, comprising:
- processing network traffic by web server or a nameserver to determine information related to requests from a plurality of clients for a plurality of domains, the information including for each client a set of domains associated with requests from the client and including for each domain a set of clients associated with requests for the domain;
  
  generating by an application server security rankings for the plurality of clients based on a predetermined classification for one or more of the plurality of domains and an iterative determination using a security ranking for the plurality of domains, wherein the security ranking for each client is determined from the set of domains associated with the client;
  
  generating by the application server the security rankings for the plurality of domains based on the security ranking for the plurality of clients, wherein the security ranking for each domain is based on the security rankings of the set of clients associated with requests for the each domain;
  
  generating by the application server a domain classification for the plurality of domains based on the security rankings of the plurality of domains; and
  
  processing additional network traffic by the web server or the nameserver using the domain classification for the plurality of domains.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1, wherein processing additional network traffic comprises:
    - receiving a plurality of domain name system (DNS) requests at the nameserver from the plurality of clients for the plurality of domains; and
      
      generating a plurality of DNS replies at the nameserver for the plurality of DNS requests based on the domain classification for the plurality of domains.
  - 3. A method according to claim 2, wherein generating a domain classification for the plurality of domains comprises:
    - determining for each domain whether the security ranking for the each domain indicates an association with malware; and
      
      updating domain name information for a first domain having a security ranking beyond a threshold.
  - 4. A method according to claim 3, wherein:
    - the plurality of DNS requests includes a first DNS request for domain name information associated with the first domain; and
      
      generating the plurality of DNS replies includes generating a first DNS reply for the first DNS request including domain name information associated with an alternate domain in response to the domain name information for the first domain.
  - 5. A method according to claim 4, wherein:
    - the domain name information for the alternate domain is associated with a block page service including the web server.
  - 6. A method according to claim 1, wherein processing additional network traffic comprises:
    - receiving at the web server a plurality of resource requests from the plurality of clients, the plurality of resource requests being associated with the plurality of domains; and
      
      generating at the web server a plurality of replies for the plurality of resource requests based on the domain classification for the plurality of domains.
  - 7. A method according to claim 1, further comprising:
    - iteratively generating the security rankings for the plurality of clients and the security rankings for the plurality of domains;
      
      wherein the security ranking for each client is based on a reciprocal determination from the security rankings of the set of domains associated with the each client; and
      
      wherein the security ranking for each domain is based on a reciprocal determination for the security rankings of the set of clients associated with the each domain.
  - 8. A method according to claim 7, wherein:
    - iteratively generating the security ranking for each client comprises aggregating the security ranking for each domain in the set of domains associated with the each client; and
      
      iteratively generating the security ranking for each domain comprises aggregating the security ranking for each client in the set of clients associated with the each domain.
  - 9. A method according to claim 8, wherein:
    - iteratively generating the security ranking for each client comprises testing for convergence of the security ranking for the each client; and
      
      iteratively generating the security ranking for each domain comprises testing for convergence of the security ranking for the each domain.
  - 10. A method according to claim 9, wherein:
    - testing for convergence of the security ranking for each client comprises determining whether a change in the security ranking for the each client is within a threshold between iterations; and
      
      testing for convergence of the security ranking for each domain comprises determining whether a change in the security ranking for the each domain is within a threshold between iterations.

11. A method of managing user requests for domain-related resources, comprising:
- accessing information related to network requests from a plurality of clients for a plurality of domains, the information including for each client a set of domains associated with network requests from the each client and including for each domain a set of clients associated with network requests for the each domain;
  
  generating a security ranking for the plurality of clients, the security ranking generated for each client being based on the set of domains associated with the each client;
  
  generating a security ranking for the plurality of domains, the security ranking generated for each domain is based on aggregating the security racking for each client associated with requests for the each domain;
  
  receiving by a web server or an application server a first network request associated with a first domain of the plurality of domains; and
  
  generating by the web server or the application server a first reply to the first network request associated with the first domain based on the security ranking of the first domain.
- View Dependent Claims (12, 13, 14, 15)
- - 12. A method according to claim 11, wherein generating a security ranking for each domain includes, for each domain:
    - determining a security ranking for each client in the set of clients associated with network requests for the each domain;
      
      modifying the security ranking for each client based on a number of domains associated with the each client; and
      
      wherein aggregating the security ranking for each client includes aggregating the modified security ranking for each client to generate the security ranking for the each domain.
  - 13. A method according to claim 11, further comprising:
    - generating domain name information for the plurality of domains based on the security ranking generated for each domain, wherein the domain name information for the first domain is generated based on the security ranking for the first domain to indicate that the first domain is associated with malware.
  - 14. A method according to claim 13, wherein:
    - generating the security ranking for each client includes recursively generating the security ranking on a numerical scale with four or more possible values.
  - 15. A method according to claim 13, wherein:
    - the first network reply to the first network request associated with the first domain includes a resource from an alternate domain.

16. A computer readable storage medium having computer readable instructions for programming a processor to perform a method of domain classification, the method comprising:
- accessing information related to network requests from a plurality of clients for a plurality of domains, the information including a group of domains associated with each client and a group of clients associated with each domain, the plurality of domains including a first set of domains having a known security classification and a second set of domains having an unknown security classification;
  
  initializing a security ranking for the first set of domains based on the known security classification;
  
  iteratively generating a security ranking for the plurality of clients, the security ranking generated for each client being based on the security rankings of each domain in the group of domains associated with the each client, wherein iteratively generating the security ranking for each client comprises testing for convergence of the security ranking for the each client;
  
  iteratively generating a security ranking for the plurality of domains, the security ranking generated for each domain being based on the security rankings of each client in the group of clients associated with the each domain; and
  
  generating a domain classification for the second set of domains based on a corresponding security ranking; and
  
  processing network traffic by a web server or a nameserver using the domain classification for the second set of domains.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. A computer readable storage medium according to claim 16, wherein processing network traffic comprises:
    - receiving at the nameserver a plurality of domain name system (DNS) requests from the plurality of clients for the plurality of domains; and
      
      generating by the nameserver a plurality of DNS replies for the plurality of DNS requests based on the domain classification for the second set of the plurality of domains.
  - 18. A computer readable storage medium according to claim 17, wherein generating a domain classification for the second set of domains comprises:
    - determining for each domain in the second set of domains whether the security ranking for the each domain indicates an association with malware; and
      
      updating domain name information for a first domain having a security ranking beyond a threshold.
  - 19. A computer readable storage medium according to 18, wherein:
    - the plurality of DNS requests includes a first DNS request for domain name information associated with the first domain; and
      
      generating the plurality of DNS replies includes generating a first DNS reply for the first DNS request including domain name information associated with an alternate domain in response to the domain name information for the first domain.
  - 20. A computer readable storage medium according to claim 19, wherein:
    - the domain name information for the alternate domain is associated with a block page service at the web server.
  - 21. A computer readable storage medium according to claim 16, wherein processing network traffic comprises:
    - receiving at the web server a plurality of resource requests from the plurality of clients, the plurality of resource requests being associated with the plurality of domains; and
      
      generating by the web server a plurality of replies for the plurality of resource requests based on the domain classification for the second set of domains.
  - 22. A computer readable storage medium according to claim 16, wherein:
    - the security ranking for each client is based on a reciprocal determination from the security rankings of the list of domains associated with the each client; and
      
      the security ranking for each domain is based on a reciprocal determination for the security rankings of the list of clients associated with the each domain.

23. A system for generating domain information, comprising:
- at least one storage device including information related to network requests from a plurality of clients for a plurality of domains, the information including for each client a group of domains associated with requests from the client and including for each domain a group of clients associated with requests for the domain; and
  
  a processor in communication with the at least one storage device, the processor executes computer readable instructions to generate security rankings for the plurality of clients based on a predetermined classification of a first set of the plurality of domains, generate security rankings for the plurality of domains based on the security ranking for the plurality of clients, generate a domain classification for a second set of the plurality of domains based on the security rankings of the second set of the plurality of domains, and process network traffic using the domain classification for the second set of the plurality of domains;
  
  wherein the security ranking for each client is determined from the group of domains associated with the client; and
  
  wherein the security ranking for each domain is based on a summation of the security rankings of the group of clients associated with requests for the each domain.
- View Dependent Claims (24)
- - 24. A system according to claim 23, further comprising:
    - at least one recursive DNS nameserver in communication with subscriber information and the domain classifications for the second set of the plurality of domains;
      
      wherein the at least one recursive DNS nameserver receives a first request for domain name information for a first domain in the second set of domains and generates a reply with domain name information for an alternate domain based on the domain classification for the first domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
OpenDNS Incorporated (Cisco Systems, Inc.)
Inventors
Yan, Ping
Primary Examiner(s)
NGUYEN, TU T

Application Number

US13/750,712
Publication Number

US 20140215628A1
Time in Patent Office

1,026 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Domain classification based on client request behavior

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Domain classification based on client request behavior

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links