Security threat detection of newly registered domains
Abstract
Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. The number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and the age since registration for each domain name. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.
30 Claims
1. A method, comprising:
- extracting a set of accessed domain names from a set of events by applying a late binding schema to the set of events;
- identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar or when the accessed domain name was first detected within the set of events;
- identifying a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names;
- determining, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed;
- causing display of information relating to the access count;
- wherein the method is performed by one or more computing devices.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. An apparatus, comprising:
- a subsystem, implemented at least partially in hardware, that extracts a set of accessed domain names from a set of events by applying a late binding schema to the set of events;
- a subsystem, implemented at least partially in hardware, that identifies a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar or when the accessed domain name was first detected within the set of events;
- a subsystem, implemented at least partially in hardware, that identifies a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names;
- a subsystem, implemented at least partially in hardware, that determines, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed;
- a subsystem, implemented at least partially in hardware, that causes display of information relating to the access count.

Dependent claims: 16, 17, 18, 19, 20, 21, 22.
23. A non-transitory computer-readable medium storing one or more sequences of instructions, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform:
- extracting a set of accessed domain names from a set of events by applying a late binding schema to the set of events;
- identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar or when the accessed domain name was first detected within the set of events;
- identifying a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names;
- determining, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed;
- causing display of information relating to the access count;
- wherein the method is performed by one or more computing devices.

Dependent claims: 24, 25, 26, 27, 28, 29, 30.
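The pipeline the abstract and claim 1 describe (extract domain names from raw events at analysis time, take the registrar creation date or, failing that, the first sighting in the events, keep the recently registered ones, and rank them by access count), as an added Python example that is not part of the patent. The event lines, the stand-in registrar dates, the analysis date, the `registered_domain` heuristic and the 30-day threshold are constructed assumptions.

```python
from collections import Counter
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed proxy-style events ("<timestamp> <method> <url>"), not real traffic.
EVENTS = """\
2024-03-01T09:00:00 GET https://www.example.com/index.html
2024-03-01T09:00:05 GET https://cdn.example.com/app.js
2024-03-01T09:01:10 POST https://update-check.example.net/beacon
2024-03-01T09:01:12 POST https://update-check.example.net/beacon
2024-03-01T09:01:15 POST https://update-check.example.net/beacon
2024-03-01T09:03:00 GET https://login.example.biz/form
""".splitlines()

# Constructed stand-in for registrar (WHOIS/RDAP) creation dates, keyed by
# registered domain; a domain absent here falls back to its first sighting.
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "example.net": date(2024, 2, 27),
}
AS_OF = date(2024, 3, 1)  # constructed analysis date

def registered_domain(host):
    """Collapse a hostname to its last two labels. Assumes single-label public
    suffixes; multi-label suffixes such as .co.uk need a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def extract_domains(events):
    """Late-binding extraction: the URL field is parsed out of the raw event text
    at analysis time, not at ingest. Returns (timestamp, registered_domain) pairs."""
    pairs = []
    for line in events:
        ts, _method, url = line.split(" ", 2)
        pairs.append((datetime.fromisoformat(ts), registered_domain(urlsplit(url).hostname)))
    return pairs

def newly_registered_report(events, as_of, max_age_days):
    """Return [(domain, age_days, access_count)] for domains registered (or, with no
    registrar record, first seen) within max_age_days of as_of, most accessed first."""
    pairs = extract_domains(events)
    counts = Counter(d for _, d in pairs)
    first_seen = {}
    for ts, d in pairs:
        first_seen[d] = min(ts.date(), first_seen.get(d, ts.date()))
    report = []
    for d, n in counts.items():
        age = (as_of - REGISTRATION_DATES.get(d, first_seen[d])).days
        if age <= max_age_days:
            report.append((d, age, n))
    return sorted(report, key=lambda r: (-r[2], r[1]))
```

A domain with no registrar record is aged from its first appearance in the events, so it surfaces as "new" until a registrar lookup fills in the real creation date.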