Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

US 9,270,693 B2
Filed: 09/19/2013
Issued: 02/23/2016
Est. Priority Date: 09/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting Fast-Flux malware, the method comprising:

monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);

monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;

monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;

generating a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list;

determining whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log; and

after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generating an event indicating a combination of flux actions are active.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting Fast-Flux malware are presented. Domain name system (DNS) lookup requests to DNS servers from a local area network (LAN) to a wide area network (WAN) are monitored. The DNS lookup requests comprise requests to resolve uniform resource locators (URLs) to network addresses. The network addresses (IP) received from the DNS servers for the DNS lookup requests are monitored provide a URL-to-IP associations list. The DNS servers used for the DNS lookup requests for the URLs are monitored to provide a DNS Domain-to-DNS server associations list. A suspicious URL log based on the URL-to-IP associations list, and a suspicious DNS log based on the DNS Domain-to-DNS server associations list are generated.

20 Citations

View as Search Results

20 Claims

1. A method for detecting Fast-Flux malware, the method comprising:
- monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
  
  monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;
  
  monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;
  
  generating a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list;
  
  determining whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log; and
  
  after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generating an event indicating a combination of flux actions are active.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising indicating a presence of a malware program in the LAN based on the suspicious DNS log and the suspicious URL log.
  - 3. The method of claim 1, further comprising:
    - configuring a resource association list comprising the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and
      
      configuring a suspicious resource log comprising the suspicious URL log or the suspicious DNS log.
  - 4. The method of claim 3, further comprising:
    - counting a total number of association changes in the resource association list; and
      
      logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
  - 5. The method of claim 3, further comprising:
    - counting a number of association changes in the resource association list in a time-period; and
      
      logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
  - 6. The method of claim 3, further comprising:
    - calculating an association change frequency of the resource association list; and
      
      logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
  - 7. The method of claim 3, further comprising:
    - calculating a pattern in the resource association list; and
      
      logging the suspicious resource log, if the pattern is found among a pattern history.

8. A system for detecting Fast-Flux malware, the system comprising:
- at least one hardware processor; and
  
  a network traffic monitor operating on the at least one hardware processor and configured to;
  
  monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
  
  monitor the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list;
  
  monitor the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; and
  
  a malware detector configured to;
  
  generate a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list;
  
  determine whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log;
  
  after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generate an event indicating a combination of flux actions are active; and
  
  indicate a presence of a malware program in the LAN based on the suspicious URL log and the suspicious DNS log.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein:
    - a resource association list comprises the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and
      
      a suspicious resource log comprises the suspicious URL log or the suspicious DNS log.
  - 10. The system of claim 9, wherein the malware detector is further configured to:
    - count a total number of association changes in the resource association list; and
      
      log the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
  - 11. The system of claim 9, wherein the malware detector is further configured to:
    - count a number of association changes in the resource association list in a time-period; and
      
      log the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
  - 12. The system of claim 9, wherein the malware detector is further configured to:
    - calculate an association change frequency of the resource association list; and
      
      log the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
  - 13. The system of claim 9, wherein the malware detector is further configured to:
    - calculate a pattern in the resource association list; and
      
      log the suspicious resource log, if the pattern is found among a pattern history.

14. A non-transitory computer readable storage medium comprising computer-executable instructions for detecting Fast-Flux malware, the computer-executable instructions comprising:
- monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
  
  monitoring the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list;
  
  monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;
  
  generate a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list;
  
  determining whether a designated suspicious URL from the URL-to-IP associations list matches designated data in the DNS Domain-to-DNS server associations list; and
  
  after determining that the designated suspicious URL from the URL-to-IP associations list matches the designated data in the DNS Domain-to-DNS server associations list, generating an event indicating a combination of flux actions are active.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer readable storage medium of claim 14, further comprising computer-executable instructions comprising:
    - indicating a presence of a malware program in the LAN based on the suspicious DNS log or the suspicious URL log.
  - 16. The non-transitory computer readable storage medium of claim 14, further comprising computer-executable instructions comprising:
    - configuring a resource association list comprising the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and
      
      configuring a suspicious resource log comprising the suspicious URL log or the suspicious DNS log.
  - 17. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising:
    - counting a total number of association changes in the resource association list; and
      
      logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
  - 18. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising:
    - counting a number of association changes in the resource association list in a time-period; and
      
      logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
  - 19. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising:
    - calculating an association change frequency of the resource association list; and
      
      logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
  - 20. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising:
    - calculating a pattern in the resource association list; and
      
      logging the suspicious resource log, if the pattern is found among a pattern history.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Davis, Aaron R., Aldrich, Timothy M.
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US14/031,050
Publication Number

US 20150082431A1
Time in Patent Office

887 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links