Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes
First Claim
1. A method for detecting Fast-Flux malware, the method comprising:
- monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
- monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;
- monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;
- generating a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list;
- determining whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log; and
- after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generating an event indicating a combination of flux actions are active.
Abstract
A system and method for detecting Fast-Flux malware are presented. Domain name system (DNS) lookup requests to DNS servers from a local area network (LAN) to a wide area network (WAN) are monitored. The DNS lookup requests comprise requests to resolve uniform resource locators (URLs) to network addresses. The network addresses (IP) received from the DNS servers for the DNS lookup requests are monitored to provide a URL-to-IP associations list. The DNS servers used for the DNS lookup requests for the URLs are monitored to provide a DNS Domain-to-DNS server associations list. A suspicious URL log based on the URL-to-IP associations list, and a suspicious DNS log based on the DNS Domain-to-DNS server associations list, are generated.
20 Claims
1. A method for detecting Fast-Flux malware, the method comprising: (claim text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system for detecting Fast-Flux malware, the system comprising:
- at least one hardware processor; and
- a network traffic monitor operating on the at least one hardware processor and configured to:
  - monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
  - monitor the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list;
  - monitor the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; and
- a malware detector configured to:
  - generate a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list;
  - determine whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log;
  - after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generate an event indicating a combination of flux actions are active; and
  - indicate a presence of a malware program in the LAN based on the suspicious URL log and the suspicious DNS log.
Dependent claims: 9, 10, 11, 12, 13
14. A non-transitory computer readable storage medium comprising computer-executable instructions for detecting Fast-Flux malware, the computer-executable instructions comprising:
- monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
- monitoring the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list;
- monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;
- generating a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list;
- determining whether a designated suspicious URL from the URL-to-IP associations list matches designated data in the DNS Domain-to-DNS server associations list; and
- after determining that the designated suspicious URL from the URL-to-IP associations list matches the designated data in the DNS Domain-to-DNS server associations list, generating an event indicating a combination of flux actions are active.
Dependent claims: 15, 16, 17, 18, 19, 20
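The independent claims describe one correlation pipeline: a traffic monitor builds a URL-to-IP associations list and a Domain-to-DNS-server associations list from observed lookups, a detector derives a suspicious URL log and a suspicious DNS log from them, and an event fires only when a URL in the first log also matches an entry in the second. The following Python is an added illustration of that pipeline and is not code from the patent or its assignee. Everything not stated in the claims is an assumption: the distinct-IP and distinct-resolver thresholds, the sliding time window, the last-two-labels approximation of a registrable domain (a real deployment would use the Public Suffix List), and the DNS observations, which are constructed from reserved documentation addresses.

```python
"""Fast-flux correlator following the claim structure (added example, not the patent's implementation)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsObservation:
    """One DNS lookup seen by the LAN traffic monitor (constructed records are built below)."""
    ts: int                    # observation time, seconds
    client: str                # LAN host that issued the lookup
    name: str                  # queried name (the claims call this the URL)
    dns_server: str            # resolver the query was sent to
    answers: Tuple[str, ...]   # A records returned for the name


def base_domain(name: str) -> str:
    """Assumption: treat the last two labels as the registrable domain."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


class FluxDetector:
    """Keeps the two association lists from the claims and correlates the logs derived from them."""

    def __init__(self, ip_threshold: int = 5, server_threshold: int = 3, window: int = 3600):
        self.ip_threshold = ip_threshold          # assumed: distinct IPs per name before it is suspicious
        self.server_threshold = server_threshold  # assumed: distinct resolvers per domain before it is suspicious
        self.window = window                      # assumed: only associations seen within this many seconds count
        # URL-to-IP associations list: name -> {ip: last_seen}
        self.url_to_ip: Dict[str, Dict[str, int]] = defaultdict(dict)
        # DNS Domain-to-DNS server associations list: base domain -> {resolver: last_seen}
        self.domain_to_dns: Dict[str, Dict[str, int]] = defaultdict(dict)
        self.now = 0

    def observe(self, obs: DnsObservation) -> None:
        """Network traffic monitor step: record both associations for one lookup."""
        self.now = max(self.now, obs.ts)
        for ip in obs.answers:
            self.url_to_ip[obs.name][ip] = obs.ts
        self.domain_to_dns[base_domain(obs.name)][obs.dns_server] = obs.ts

    def _recent(self, table: Dict[str, Dict[str, int]]) -> Dict[str, List[str]]:
        """Drop associations older than the window so a CDN's slow IP drift does not accumulate."""
        cutoff = self.now - self.window
        return {key: [v for v, seen in entries.items() if seen >= cutoff] for key, entries in table.items()}

    def suspicious_url_log(self) -> Dict[str, List[str]]:
        """Names whose answers churned through at least ip_threshold distinct addresses."""
        return {name: sorted(ips) for name, ips in self._recent(self.url_to_ip).items()
                if len(ips) >= self.ip_threshold}

    def suspicious_dns_log(self) -> Dict[str, List[str]]:
        """Domains that LAN hosts resolved through at least server_threshold distinct resolvers."""
        return {dom: sorted(srv) for dom, srv in self._recent(self.domain_to_dns).items()
                if len(srv) >= self.server_threshold}

    def events(self) -> List[dict]:
        """Malware detector step: emit an event only where a suspicious URL matches a suspicious-DNS domain."""
        dns_log = self.suspicious_dns_log()
        out = []
        for name, ips in self.suspicious_url_log().items():
            dom = base_domain(name)
            if dom in dns_log:
                out.append({"event": "combined_flux_active", "url": name, "domain": dom,
                            "ips": ips, "dns_servers": dns_log[dom]})
        return out


def build_sample_observations() -> List[DnsObservation]:
    """Constructed traffic: one benign name, one with IP churn only, one with IP and resolver churn."""
    obs: List[DnsObservation] = []
    for i in range(6):
        # benign: a CDN-style name with two stable addresses, always via the corporate resolver
        obs.append(DnsObservation(1000 + 60 * i, "10.0.0.11", "cdn.example", "10.0.0.53",
                                  ("203.0.113.10", "203.0.113.11")))
        # IP flux only: a fresh address each lookup, but still resolved by the corporate resolver
        obs.append(DnsObservation(1000 + 60 * i, "10.0.0.12", "rotating.example", "10.0.0.53",
                                  (f"198.51.100.{i + 1}",)))
        # combined flux: a fresh address each lookup and the host keeps switching external resolvers
        external = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
        obs.append(DnsObservation(1000 + 60 * i, "10.0.0.13", "login.flux-example.test",
                                  external[i % 4], (f"198.51.100.{100 + i}",)))
    return obs


def run_sample() -> FluxDetector:
    """Feed the constructed observations through the detector and return it for inspection."""
    det = FluxDetector()
    for obs in build_sample_observations():
        det.observe(obs)
    return det


if __name__ == "__main__":
    detector = run_sample()
    print("suspicious URL log:", detector.suspicious_url_log())
    print("suspicious DNS log:", detector.suspicious_dns_log())
    print("events:", detector.events())
```

With these inputs the suspicious URL log holds both churning names, but only the one whose domain also appears in the suspicious DNS log produces an event; the name that rotates addresses behind a single trusted resolver is left for a human to review rather than alerted on, which is the point of requiring both logs to match.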
Specification