
Method and systems for detecting compromised networks and/or computers

  • US 9,306,969 B2
  • Filed: 08/30/2013
  • Issued: 04/05/2016
  • Est. Priority Date: 10/27/2005
  • Status: Active Grant
First Claim

1. A method of detecting a collection of compromised networks and/or computers, comprising:

  • performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises:

    performing processing associated with identifying a command and control (C&C) computer in a first network when the DNS data of a computer has an exponential request rate, wherein determining the exponential request rate comprises sorting DNS request rates per current epoch and determining whether there is exponential activity over the current epoch and an epoch longer than the current epoch; and

    performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;

  • performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and

  • performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
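The claim's core test is that a host's DNS request rate grows exponentially both over the current epoch and over a longer epoch, with hosts sorted by their current-epoch rate. The script below is an added illustration of that test written for this page; it is not code from the patent or its assignee. The epoch lengths (60 s and 120 s), the growth factor of 2, the minimum of two consecutive growth steps, and the query log itself are all constructed assumptions. The log contains one host whose query count doubles every epoch, one steady host, and one host with a single burst; only the first should be reported.

```python
"""Flag DNS clients whose query rate grows exponentially on two time scales.

Added example, not the patent's own code. Epoch lengths, growth factor and the
sample log are constructed assumptions chosen to make the behaviour visible.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

T0 = 1_700_000_000   # start of the observation window (constructed)
SHORT_EPOCH = 60     # "current" epoch length in seconds (assumed)
LONG_EPOCH = 120     # longer epoch the claim also requires (assumed)


def build_sample_queries() -> List[Tuple[int, str, str]]:
    """Constructed DNS query log as (timestamp, client_ip, qname) tuples."""
    q = []
    for i in range(6):                      # six short epochs
        base = T0 + i * SHORT_EPOCH
        # 10.0.0.5 doubles its query count each epoch: 1, 2, 4, 8, 16, 32
        for j in range(2 ** i):
            q.append((base + j, "10.0.0.5", f"h{i}-{j}.example.test"))
        # 10.0.0.7 is a steady 10 queries per epoch (benign baseline)
        for j in range(10):
            q.append((base + j * 5, "10.0.0.7", f"cdn{j}.example.test"))
    # 10.0.0.9 fires a single burst of 50 queries in epoch 3, then goes quiet
    for j in range(50):
        q.append((T0 + 3 * SHORT_EPOCH + j, "10.0.0.9", f"burst{j}.example.test"))
    return q


def epoch_counts(queries, epoch_len: int, t0: int) -> Dict[str, List[int]]:
    """Per-client query counts per epoch; index 0 is the epoch starting at t0."""
    last = max(ts for ts, _, _ in queries)
    n_epochs = (last - t0) // epoch_len + 1
    counts = defaultdict(lambda: [0] * n_epochs)
    for ts, client, _ in queries:
        counts[client][(ts - t0) // epoch_len] += 1
    return dict(counts)


def trailing_growth_steps(counts: List[int], factor: float) -> int:
    """How many consecutive epochs at the end of the series grew by >= factor.

    A zero previous count cannot show growth, so it ends the run; this is what
    keeps a one-off burst from being mistaken for exponential activity."""
    steps = 0
    for prev, cur in zip(reversed(counts[:-1]), reversed(counts[1:])):
        if prev > 0 and cur >= factor * prev:
            steps += 1
        else:
            break
    return steps


def is_exponential(counts: List[int], factor: float = 2.0, min_steps: int = 2) -> bool:
    """Exponential activity = at least min_steps consecutive growth steps."""
    return trailing_growth_steps(counts, factor) >= min_steps


def rank_by_current_epoch(counts_by_client: Dict[str, List[int]]) -> List[Tuple[str, int]]:
    """The claim's sorting step: clients by request count in the latest epoch, descending."""
    return sorted(((c, v[-1]) for c, v in counts_by_client.items()),
                  key=lambda cv: cv[1], reverse=True)


def detect_c2_candidates(queries, short_epoch=SHORT_EPOCH, long_epoch=LONG_EPOCH, t0=T0) -> List[str]:
    """Clients exponential over both the current (short) and the longer epoch."""
    short = epoch_counts(queries, short_epoch, t0)
    longer = epoch_counts(queries, long_epoch, t0)
    return [c for c, _ in rank_by_current_epoch(short)
            if is_exponential(short[c]) and is_exponential(longer.get(c, [0]))]


def record_contacts(queries, candidates) -> List[Tuple[str, int, str]]:
    """The claim's recording step: keep (ip, timestamp, qname) for flagged hosts so
    their contacts can later be examined against known compromised/clean hosts."""
    flagged = set(candidates)
    return sorted((c, ts, name) for ts, c, name in queries if c in flagged)


if __name__ == "__main__":
    qs = build_sample_queries()
    found = detect_c2_candidates(qs)
    print("C&C candidates:", found)
    print("recorded contacts:", len(record_contacts(qs, found)))
```

Requiring growth on both scales is what separates a host ramping up its beacon rate from a host that merely produced one burst: the burst passes neither test, and a steady high-volume resolver client ranks first by rate but never shows growth. In production the factor and epoch lengths would be tuned against the known-clean baseline the claim's examination step refers to.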

  • 8 Assignments