Method and systems for detecting compromised networks and/or computers
First Claim
1. A method of detecting a collection of compromised networks and/or computers, comprising:
- performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises:
  - performing processing associated with identifying a command and control (C&C) computer in a first network when the DNS data of a computer has an exponential request rate, wherein determining the exponential request rate comprises sorting DNS request rates per current epoch and determining whether there is exponential activity over the current epoch and an epoch longer than the current epoch; and
  - performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;
- performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and
- performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
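The exponential-request-rate test recited in the claim, as an added example that is not the patent's own code: it bins constructed DNS query records per client into a 60-second "current epoch" and a longer 180-second epoch, sorts the per-epoch rates chronologically, and flags a client as a C&C-contact candidate only when its rate grows exponentially at both epochs, recording the names that client queried. The epoch widths, the doubling threshold `GROWTH`, `MIN_BINS`, the client addresses and the query names are all assumptions chosen for the sample.

```python
from collections import Counter, defaultdict

SHORT_EPOCH = 60    # seconds: the "current epoch" (assumed width)
LONG_EPOCH = 180    # seconds: "an epoch longer than the current epoch" (assumed)
GROWTH = 2.0        # assumed: each bin must hold at least twice the previous bin's queries
MIN_BINS = 3        # assumed: need at least this many bins before calling a series exponential

def build_sample():
    """Constructed DNS log as (unix_ts, client_ip, qname); nine one-minute bins from t0."""
    t0 = 1_700_000_000
    log = []
    for b in range(9):
        for k in range(2 ** b):                 # 10.0.0.5 doubles every minute: 1, 2, 4, ..., 256
            log.append((t0 + b * 60 + k % 60, "10.0.0.5", f"c2-{k}.example.invalid"))
        for k in range(10):                     # 10.0.0.6 is flat: 10 queries per minute
            log.append((t0 + b * 60 + k * 6, "10.0.0.6", "www.example.com"))
        for k in range(5 * (b + 1)):            # 10.0.0.7 grows linearly: 5, 10, 15, ...
            log.append((t0 + b * 60 + k % 60, "10.0.0.7", "cdn.example.org"))
    return log

def rates_per_epoch(log, epoch):
    """Queries per client per epoch bin, as a chronologically sorted list (empty bins = 0)."""
    t0 = min(ts for ts, _, _ in log)
    counts = defaultdict(Counter)
    for ts, client, _ in log:
        counts[client][(ts - t0) // epoch] += 1
    # "sorting DNS request rates per current epoch": order bins by epoch index
    return {c: [bins.get(i, 0) for i in range(max(bins) + 1)] for c, bins in counts.items()}

def is_exponential(series):
    """True when every successive bin grows by at least GROWTH over the one before it."""
    if len(series) < MIN_BINS or 0 in series:
        return False
    return all(b / a >= GROWTH for a, b in zip(series, series[1:]))

def find_candidates(log):
    """Clients exponential at both epochs, mapped to the names they queried (the 'traffic information')."""
    short = rates_per_epoch(log, SHORT_EPOCH)
    long_ = rates_per_epoch(log, LONG_EPOCH)
    flagged = {}
    for client in short:
        if is_exponential(short[client]) and is_exponential(long_.get(client, [])):
            flagged[client] = sorted({q for _, c, q in log if c == client})
    return flagged

if __name__ == "__main__":
    for client, names in find_candidates(build_sample()).items():
        print(client, "exponential DNS rate;", len(names), "distinct names queried")
```

The flat and the linearly growing clients drop out at the short epoch (ratios of 1.0 and 1.5), while the doubling client passes at the short epoch (ratio 2.0) and at the long epoch (7, 56, 448 queries; ratio 8.0).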
Abstract
Collect Domain Name System (DNS) data, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information. Examine the collected DNS data relative to DNS data from known compromised and/or uncompromised computers. Determine an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
52 Claims
1. A method of detecting a collection of compromised networks and/or computers (independent claim; its full text is reproduced under "First Claim" above). - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
27. A system for detecting a collection of compromised networks and/or computers, comprising:
- a computer constructed and arranged to perform processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises:
  - performing processing associated with identifying a command and control (C&C) computer in a first network when the DNS data of a computer has an exponential request rate, wherein determining the exponential request rate comprises sorting DNS request rates per current epoch and determining whether there is exponential activity over the current epoch and an epoch longer than the current epoch; and
  - performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;
- performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and
- performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)