Method and systems for detecting compromised networks and/or computers

US 9,306,969 B2
Filed: 08/30/2013
Issued: 04/05/2016
Est. Priority Date: 10/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a collection of compromised networks and/or computers, comprising:

performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises;

performing processing associated with identifying a command and control (C&

C) computer in a first network;

when the DNS data of a computer has an exponential request rate, wherein determining the exponential request rate comprises sorting DNS request rates per current epoch and determining whether there is exponential activity over the current epoch and an epoch longer than the current epoch; and

performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;

performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and

performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Collect Domain Name System (DNS) data, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information. Examine the collected DNS data relative to DNS data from known compromised and/or uncompromised computers. Determine an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.

Citations

52 Claims

1. A method of detecting a collection of compromised networks and/or computers, comprising:
- performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises;
  
  performing processing associated with identifying a command and control (C&
  
  C) computer in a first network;
  
  when the DNS data of a computer has an exponential request rate, wherein determining the exponential request rate comprises sorting DNS request rates per current epoch and determining whether there is exponential activity over the current epoch and an epoch longer than the current epoch; and
  
  performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;
  
  performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and
  
  performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1, wherein the performing processing associated with identifying a command and control (C&
    - C) computer in a first network further comprises;
      
      performing processing associated with determining whether a computer has a suspicious DNS request rate, comprising;
      
      performing processing associated with calculating a canonical sub-level domain (SLD) request rate for a given SLD, wherein the canonical SLD request rate is calculated as the total number of requests to third level domains (3LDs) present in the given SLD plus any request to the given SLD, andperforming processing associated with determining whether the canonical SLD request rate of the given SLD significantly deviates from the mean of canonical request rates of SLDs.
  - 3. The method of claim 1, wherein the performing processing associated with identifying a command and control (C&
    - C) computer in a first network further comprises;
      
      when the DNS request rate is suspicious, performing processing associated with determining whether the DNS data has an exponential request rate comprising;
      
      performing processing associated with sorting DNS request rates per epoch, andperforming processing associated with determining whether there is exponential activity over a longer time epoch.
  - 4. The method of claim 1, wherein collecting DNS data further comprises:
    - performing processing associated with replacing an IP address of the C&
      
      C computer with an IP address of another computer, causing the compromised computer seeking to contact the C&
      
      C computer to be redirected to the other computer.
  - 5. The method of claim 4, wherein the other computer comprises a sinkhole computer.
  - 6. The method of claim 4, further comprising:
    - performing processing associated with isolating the collection of compromised networks and/or computers from its C&
      
      C computer, causing the collection of compromised networks and/or computers to lose the ability to act as a coordinated group.
  - 7. The method of claim 5, further comprising:
    - analyzing traffic from the compromised computer to the sinkhole computer to obtain information about a malware author.
  - 8. The method of claim 1, further comprising:
    - utilizing time zone and time of release information to predict optimal release time information for an attack.
  - 9. The method of claim 1, wherein determining the existence of the collection of compromised networks and/or computers is accomplished without contacting any networks or computers in the collection of compromised networks and/or computers.
  - 10. The method of claim 1, wherein collecting DNS data comprises:
    - performing processing associated with determining whether a source Internet Protocol (IP) address performing reconnaissance belongs to a compromised computer, the source IP address looking up at least one subject IP address; and
      
      when the source IP is known to belong to a compromised computer, performing processing associated with designating the at least one subject IP addresses as a compromised computer.
  - 11. The method of claim 10, wherein determining whether the source IP address belongs to a compromised computer comprises:
    - performing processing associated with determining whether the source IP address is a known compromised computer utilizing a DNS-based Blackhole List (DNSBL) and/or another list of compromised computers.
  - 12. The method of claim 11, wherein determining whether the source IP address belongs to a compromised computer comprises:
    - performing processing associated with determining whether the source IP address is also the subject IP address.
  - 13. The method of claim 11, wherein determining whether the source IP address belongs to a compromised computer comprises:
    - performing processing associated with determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP address queries divided by the number of IP addresses that issue a look-up for the source IP address; and
      
      when the look-up ratio for the source IP address is high, designating the source IP address as a compromised computer.
  - 14. The method of claim 11, wherein determining whether the source IP address belongs to a compromised computer comprises:
    - performing processing associated with determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP queries divided by the number of IP addresses that issue a look-up for the source IP address;
      
      when the look-up ratio for the source IP address is low, performing processing associated with determining whether the look-up arrival rate mirrors the email arrival rate; and
      
      when the look-up arrival rate does not mirror the email arrival rate, performing processing associated with designating the source IP address as a compromised computer.
  - 15. The method of claim 14, wherein determining whether the look-up arrival rate mirrors the email arrival rate further comprises:
    - performing processing associated with identifying a list of known and/or probably legitimate IP addresses using a DNSBL service;
      
      for each of the known and/or probably legitimate IP addresses, performing processing associated with determining its average look-up arrival rate;
      
      performing processing associated with determining an average look-up arrival rate from the source IP address;
      
      performing processing associated with comparing the average look-up rates of the known and/or probably legitimate IP addresses to the arrival rate from the source IP address; and
      
      when the average look-up rates of the known and/or probably legitimate IP addresses differ significantly from the arrival rate from the source IP address, performing processing associated with designating the source IP address as a compromised computer.
  - 16. The method of claim 15, wherein identifying a list of known IPs comprises:
    - when the DNSBL service has controlled access, performing processing associated with recording IP addresses of approved users.
  - 17. The method of claim 15, wherein identifying a list of probably legitimate IPs comprises:
    - when the DNSBL service allows anonymous access, performing processing associated with monitoring the source IP addresses of incoming look-up requests, and recording these source IP addresses;
      
      performing processing associated with connecting to the IP address to determine whether the IP address is running on a known server; and
      
      when the IP address is running on a known server, performing processing associated with designating the IP address as probably legitimate.
  - 18. The method of claim 1, wherein collecting DNS data comprises:
    - performing processing associated with identifying open recursive DNS servers; and
      
      performing processing associated with priority ranking domain names.
  - 19. The method of claim 18, wherein the determining comprises:
    - performing processing associated with utilizing the open recursive DNS servers and the priority-ranked domain names to determine whether the open recursive DNS servers are compromised computers.
  - 20. The method of claim 19, further comprising:
    - performing processing associated with ranking sizes of networks of compromised computers;
      
      performing processing associated with estimating a number of compromised computers in a network;
      
      performing processing associated with assessing to what extent a given network has compromised computers;
      
      performing processing associated with determining a lower bound calculation of a compromised computer population;
      
      orperforming processing associated with determining an upper bound calculation of a compromised computer population;
      
      orany combination of the above.
  - 21. The method of claim 19, wherein utilizing the open recursive DNS servers and the priority-ranked domains in a recursive query comprises:
    - performing processing associated with sending at least one non-recursive query to the DNS server for a newly registered domain until the DNS server returns an NXDOMAIN answer;
      
      performing processing associated with immediately sending a recursive query to the DNS server for the newly registered domain; and
      
      performing processing associated with designating the DNS server as open recursive when the answer returned by the DNS server is not NXDOMAIN.
  - 22. The method of claim 18, wherein identifying open recursive DNS servers comprises:
    - performing processing associated with organizing IPv4 routable addresses into units;
      
      performing processing associated with determining a classless interdomain routing (CIDR) priority ranking score (CPRS) value for each unit utilizing DNS server information;
      
      performing processing associated with sorting the units a list in descending order utilizing the CPRS value; and
      
      performing processing associated with determining whether a DNS server is an open recursive DNS server for DNS servers in the top of the list.
  - 23. The method of claim 22, wherein determining the CPRS value comprises:
    - performing processing associated with giving a value of 1.0 for each DNS server known to exist in the unit;
      
      performing processing associated with giving a value of 0.01 for each IP address known to run on a DNS server; and
      
      performing processing associated with giving a value of 0.1 for each IP address with no DNS server information.
  - 24. The method of claim 22, further comprising:
    - performing processing associated with determining the number of DNS servers behind a load balancing server.
  - 25. The method of claim 1, wherein the DNS data is non-recursive.
  - 26. The method of claim 1, wherein the performing processing associated with collecting Domain Name System (DNS) data comprises:
    - analyzing the DNS data to determine whether the DNS data has an exponential request rate.

27. A system for detecting a collection of compromised networks and/or computers, comprising:
- a computer constructed and arranged to perform processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises;
  
  performing processing associated with identifying a command and control (C&
  
  C) computer in a first networkwhen the DNS data of a computer has an exponential request rate, wherein determining the exponential request rate comprises sorting DNS request rates per current epoch and determining whether there is exponential activity over the current epoch and an epoch longer than the current epoch; and
  
  performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;
  
  performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and
  
  performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 28. The system of claim 27, wherein the computer is constructed and arranged to perform processing associated with identifying a command and control (C&
    - C) computer in a first network by further;
      
      performing processing associated with determining whether a computer has a suspicious DNS request rate, comprising;
      
      performing processing associated with calculating a canonical sub-level domain (SLD) request rate for a given SLD, wherein the canonical SLD request rate is calculated as the total number of requests to third level domains (3LDs) present in the given SLD plus any request to the given SLD, andperforming processing associated with determining whether the canonical SLD request rate of the given SLD significantly deviates from the mean of canonical request rates of SLDs.
  - 29. The system of claim 27, wherein the computer is constructed and arranged to perform processing associated with identifying a command and control (C&
    - C) computer in a first network by further;
      
      when the DNS request rate is suspicious, performing processing associated with determining whether the DNS data has an exponential request rate comprising;
      
      performing processing associated with sorting DNS request rates per epoch, andperforming processing associated with determining whether there is exponential activity over a longer time epoch.
  - 30. The system of claim 27, wherein the computer is constructed and arranged to collect DNS data by further:
    - performing processing associated with replacing an IP address of the C&
      
      C computer with an IP address of another computer, causing the compromised computer seeking to contact the C&
      
      C computer to be redirected to the other computer.
  - 31. The system of claim 30, wherein the other computer comprises a sinkhole computer.
  - 32. The system of claim 30, wherein the computer is further constructed and arranged to:
    - perform processing associated with isolating the collection of compromised networks and/or computers from its C&
      
      C computer, causing the collection of compromised networks and/or computers to lose the ability to act as a coordinated group.
  - 33. The system of claim 31, wherein the computer is further constructed and arranged to:
    - analyze traffic from the compromised computer to the sinkhole computer to obtain information about a malware author.
  - 34. The system of claim 27, wherein the computer is further constructed and arranged to:
    - utilizing time zone and time of release information to predict optimal release time information for an attack.
  - 35. The system of claim 27, wherein the computer is constructed and arranged to determine the existence of the collection of compromised networks and/or computers without contacting any networks or computers in the collection of compromised networks and/or computers.
  - 36. The system of claim 27, wherein the computer is constructed and arranged to collect DNS data by further:
    - performing processing associated with determining whether a source Internet Protocol (IP) address performing reconnaissance belongs to a compromised computer, the source IP address looking up at least one subject IP address; and
      
      when the source IP is known to belong to a compromised computer, performing processing associated with designating the at least one subject IP addresses as a compromised computer.
  - 37. The system of claim 36, wherein the computer is constructed and arranged to determine whether the source IP address belongs to a compromised computer by further:
    - performing processing associated with determining whether the source IP address is a known compromised computer utilizing a DNS-based Blackhole List (DNSBL) and/or another list of compromised computers.
  - 38. The system of claim 27, wherein the computer is constructed and arranged to determine whether the source IP address belongs to a compromised computer by further:
    - performing processing associated with determining whether the source IP address is also the subject IP address.
  - 39. The system of claim 27, wherein the computer is constructed and arranged to determine whether the source IP address belongs to a compromised computer by further:
    - performing processing associated with determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP address queries divided by the number of IP addresses that issue a look-up for the source IP address; and
      
      when the look-up ratio for the source IP address is high, designating the source IP address as a compromised computer.
  - 40. The system of claim 37, wherein the computer is constructed and arranged to determine whether the source IP address belongs to a compromised computer by further:
    - performing processing associated with determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP queries divided by the number of IP addresses that issue a look-up for the source IP address;
      
      when the look-up ratio for the source IP address is low, performing processing associated with determining whether the look-up arrival rate mirrors the email arrival rate; and
      
      when the look-up arrival rate does not mirror the email arrival rate, performing processing associated with designating the source IP address as a compromised computer.
  - 41. The system of claim 40, wherein the computer is constructed and arranged to determine whether the look-up arrival rate mirrors the email arrival rate by further:
    - performing processing associated with identifying a list of known and/or probably legitimate IP addresses using a DNSBL service;
      
      for each of the known and/or probably legitimate IP addresses, performing processing associated with determining its average look-up arrival rate;
      
      performing processing associated with determining an average look-up arrival rate from the source IP address;
      
      performing processing associated with comparing the average look-up rates of the known and/or probably legitimate IP addresses to the arrival rate from the source IP address; and
      
      when the average look-up rates of the known and/or probably legitimate IP addresses differ significantly from the arrival rate from the source IP address, performing processing associated with designating the source IP address as a compromised computer.
  - 42. The system of claim 41, wherein the computer is constructed and arranged to identify a list of known IPs by further:
    - when the DNSBL service has controlled access, performing processing associated with recording IP addresses of approved users.
  - 43. The system of claim 41, wherein the computer is constructed and arranged to identify a list of probably legitimate IPs by further:
    - when the DNSBL service allows anonymous access, performing processing associated with monitoring the source IP addresses of incoming look-up requests, and recording these source IP addresses;
      
      performing processing associated with connecting to the IP address to determine whether the IP address is running on a known server; and
      
      when the IP address is running on a known server, performing processing associated with designating the IP address as probably legitimate.
  - 44. The system of claim 27, wherein the computer is constructed and arranged to collect DNS data by further:
    - performing processing associated with identifying open recursive DNS servers; and
      
      performing processing associated with priority ranking domain names.
  - 45. The system of claim 44, wherein the computer is constructed and arranged to determine by further:
    - performing processing associated with utilizing the open recursive DNS servers and the priority-ranked domain names to determine whether the open recursive DNS servers are compromised computers.
  - 46. The system of claim 45, wherein the computer is further constructed and arranged to:
    - performing processing associated with ranking sizes of networks of compromised computers;
      
      performing processing associated with estimating a number of compromised computers in a network;
      
      performing processing associated with assessing to what extent a given network has compromised computers;
      
      performing processing associated with determining a lower bound calculation of a compromised computer population;
      
      orperforming processing associated with determining an upper bound calculation of a compromised computer population;
      
      orany combination of the above.
  - 47. The system of claim 45, wherein the computer is constructed and arranged to utilize the open recursive DNS servers and the priority-ranked domains in a recursive query by further:
    - performing processing associated with sending at least one non-recursive query to the DNS server for a newly registered domain until the DNS server returns an NXDOMAIN answer;
      
      performing processing associated with immediately sending a recursive query to the DNS server for the newly registered domain; and
      
      performing processing associated with designating the DNS server as open recursive when the answer returned by the DNS server is not NXDOMAIN.
  - 48. The system of claim 44, wherein the computer is constructed and arranged to identify open recursive DNS servers by further:
    - performing processing associated with organizing IPv4 routable addresses into units;
      
      performing processing associated with determining a classless interdomain routing (CIDR) priority ranking score (CPRS) value for each unit utilizing DNS server information;
      
      performing processing associated with sorting the units a list in descending order utilizing the CPRS value; and
      
      performing processing associated with determining whether a DNS server is an open recursive DNS server for DNS servers in the top of the list.
  - 49. The system of claim 48, wherein the computer is constructed and arranged to determine the CPRS value by further:
    - performing processing associated with giving a value of 1.0 for each DNS server known to exist in the unit;
      
      performing processing associated with giving a value of 0.01 for each IP address known to run on a DNS server; and
      
      performing processing associated with giving a value of 0.1 for each IP address with no DNS server information.
  - 50. The system of claim 48, wherein the computer is further constructed and arranged to:
    - performing processing associated with determining the number of DNS servers behind a load balancing server.
  - 51. The system of claim 27, wherein the DNS data is non-recursive.
  - 52. The system of claim 27, wherein the computer is constructed and arranged to perform processing associated with collecting Domain Name System (DNS) data by further:
    - analyzing the DNS data to determine whether the DNS data has an exponential request rate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Georgia Tech Research Corporation (University System of Georgia)
Inventors
Dagon, David, Feamster, Nick, Lee, Wenke, Edmonds, Robert, Lipton, Richard, Ramachandran, Anirudh
Primary Examiner(s)
LEE, JASON T

Application Number

US14/015,661
Publication Number

US 20140245436A1
Time in Patent Office

949 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 61/5076   Update or notification mech...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Method and systems for detecting compromised networks and/or computers

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Method and systems for detecting compromised networks and/or computers

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links