Detecting network attacks based on network records

US 9,426,171 B1
Filed: 09/29/2014
Issued: 08/23/2016
Est. Priority Date: 09/29/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, by a computer system and from a client device, a domain name system record associated with an access of the client device to a network-based resource, the domain name system record retrieved from data storage of an Internet service provider facilitating the access to the network-based resource, the domain name system record comprising at least one of a domain name or a host name of the network-based resource;

accessing, by the computer system, a trusted domain name system record that comprises at least one of the domain name or the host name of the network-based resource, the trusted domain name system record accessed from a trusted computing resource other than the data storage of the Internet service provider;

determining, by the computer system, a mismatch between the received domain name system record and the trusted domain name system record based at least in part on a comparison of at least one of;

the domain name from the received domain name system record and the domain name from the trusted domain name system record, or the host name from the received domain name system record and the host name from the trusted domain name system record;

detecting, by the computer system, that the access of the client device to the network-based resource comprises an unauthorized redirection based at least in part on an untrusted server associated with domain name system records stored at the data storage of the Internet service provider; and

initiating a corrective action based at least in part on the unauthorized redirection, the corrective action comprising;

generating a flag indicative of the unauthorized redirection through a network of the Internet service provider;

determining that a number of unauthorized redirections through the network of the Internet service provider exceeds a threshold based at least in part on the flag; and

detecting that the domain name system records stored at the data storage of the Internet service provider have been altered based at least in part on the number of unauthorized redirections exceeding the threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for analyzing access to a network-based resource may be provided. For example, a client record associated with the access to the network-based resource over a network may be compared to a provider record. The client record may indicate an address of the network based resource and can be received from a computing resource. The provider record can also indicate the address and can be received from a trusted computing resource. Based on the comparison, an issue associated with the access to the network-based resource over the network may be detected.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, by a computer system and from a client device, a domain name system record associated with an access of the client device to a network-based resource, the domain name system record retrieved from data storage of an Internet service provider facilitating the access to the network-based resource, the domain name system record comprising at least one of a domain name or a host name of the network-based resource;
  
  accessing, by the computer system, a trusted domain name system record that comprises at least one of the domain name or the host name of the network-based resource, the trusted domain name system record accessed from a trusted computing resource other than the data storage of the Internet service provider;
  
  determining, by the computer system, a mismatch between the received domain name system record and the trusted domain name system record based at least in part on a comparison of at least one of;
  
  the domain name from the received domain name system record and the domain name from the trusted domain name system record, or the host name from the received domain name system record and the host name from the trusted domain name system record;
  
  detecting, by the computer system, that the access of the client device to the network-based resource comprises an unauthorized redirection based at least in part on an untrusted server associated with domain name system records stored at the data storage of the Internet service provider; and
  
  initiating a corrective action based at least in part on the unauthorized redirection, the corrective action comprising;
  
  generating a flag indicative of the unauthorized redirection through a network of the Internet service provider;
  
  determining that a number of unauthorized redirections through the network of the Internet service provider exceeds a threshold based at least in part on the flag; and
  
  detecting that the domain name system records stored at the data storage of the Internet service provider have been altered based at least in part on the number of unauthorized redirections exceeding the threshold.
- View Dependent Claims (2, 3, 20)
- - 2. The computer-implemented method of claim 1, wherein the network-based resource comprises a web site, wherein the data storage comprises a recursive name server of the Internet service provider, wherein the received domain name system record is associated with the web site and is retrieved from the recursive name server based at least in part on a domain name system query of the client device, wherein the trusted domain name system record is retrieved from a trusted name server based at least in part on another domain name system query of the computer system.
  - 3. The computer-implemented method of claim 2, wherein detecting an unauthorized change comprises:
    - identifying that the received domain name system record was changed in the data storage of the Internet service provider based at least in part on the mismatch.
  - 20. The computer-implemented method of claim 1, wherein the network-based resource comprises a web page, wherein the web page embeds an object that, when executed on the client device, causes the client device to transmit the domain name system record from a local storage of the client device to the computer system.

4. One or more non-transitory computer-readable storage media storing computer-executable instructions that, when executed by one or more computing systems, configure the one or more computing systems to perform operations comprising:
- accessing a client domain name system record associated with an access of a client device to a network-based resource, the client domain name system record retrieved from a computing resource of an Internet service provider facilitating the access to the network-based resource, the client domain name system record comprising at least one of a domain name or a host name of the network-based resource;
  
  accessing a trusted domain name system record that comprises at least one of the domain name or the host name of the network-based resource, the trusted domain name system record from a trusted computing resource;
  
  determining a mismatch between the client domain name system record and the trusted domain name system record based at least in part on a comparison of at least one of;
  
  the domain name from the received domain name system record and the domain name from the trusted domain name system record, or the host name from the received domain name system record and the host name from the trusted domain name system record;
  
  detecting, based at least in part on the mismatch, that the access of the client device to the network-based resource comprises an unauthorized redirection;
  
  determining a number of unauthorized redirections of accesses of client devices to the network-based resource, the accesses based at least in part on domain name system records stored at the computing resource of the Internet service provider; and
  
  detecting that the domain name system records have been altered based at least in part on the number of unauthorized redirections exceeding a threshold.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12)
- - 5. The one or more non-transitory computer-readable storage media of claim 4, wherein the computing resource comprises a recursive name server, wherein the trusted computing resource comprises a trusted name server, wherein the client domain name system record is generated based at least in part on a domain name system request to the recursive name server.
  - 6. The one or more non-transitory computer-readable storage media of claim 4, wherein the client domain name system record is received over an out-of-band channel from the client device accessing the network-based resource over an in-band channel, wherein the out-of-band channel is configured to facilitate communication between the client device and a control plane of the one or more computing systems, and wherein the in-band-channel is configured to facilitate communication between the client device and a data plane of the one or more computing systems.
  - 7. The one or more non-transitory computer-readable storage media of claim 4, wherein the client domain name system record is received from the client device based at least in part on the client device accessing the network-based resource.
  - 8. The one or more non-transitory computer-readable storage media of claim 4, wherein accessing the trusted domain name system record comprises submitting by the one or more computing systems a domain name system query to a trusted domain name system name server.
  - 9. The one or more non-transitory computer-readable storage media of claim 4, wherein the one or more computing systems comprise the client device, wherein accessing the client domain name system record comprises retrieving the client domain name system record from memory of the client device, wherein accessing the trusted domain name system record comprises retrieving the trusted domain name system record from the memory of the client device, and wherein the client domain name system record and the trusted domain name system record are compared locally at the client device.
  - 10. The one or more non-transitory computer-readable storage media of claim 9, further comprising transmitting from the client device information about the unauthorized redirection to a computing device of a provider of the network-based resource over an out-of-band channel.
  - 11. The one or more non-transitory computer-readable storage media of claim 10, wherein the computing device of the provider is configured to collect data associated with the accesses of the client devices to the network-based resource to detect whether the domain name system records are altered at the computing resource of the Internet service provider.
  - 12. The one or more non-transitory computer-readable storage media of claim 10, wherein accessing the trusted domain name system record comprises one or more of:
    - receiving the trusted domain name system record from the computing device of the provider over an out-of-band channel, or receiving an identifier of the trusted computing resource over the out-of-band channel and querying the trusted computing resource to receive the trusted domain name system record.

13. A system, comprising:
- a memory configured to store computer-executable instructions; and
  
  a processor configured to access the memory and execute the computer-executable instructions to collectively at least;
  
  receive a client domain name system record associated with an access of a client device to a network-based resource of a provider, the client domain name system record provided from a computing resource of an Internet service provider to the client device and comprising at least one of a domain name or a host name of the network-based resource, the computing resource facilitating the access to the network-based resource;
  
  identify a trusted domain name system record of the network-based resource, the trusted domain name system record provided by a trusted computing resource and comprising at least one of the domain name or the host name of the network-based resource;
  
  determine a mismatch between the client domain name system record and the trusted domain name system record based at least in part on a comparison of at least one of;
  
  the domain name from the client domain name system record and the domain name from the trusted domain name system record, or the host name from the client domain name system record and the host name from the trusted domain name system record; and
  
  detect, based at least in part on the mismatch, that the access of the client device to the network-based resource comprises an unauthorized redirection;
  
  determine a number of unauthorized redirections of accesses of client devices to the network-based resource, the accesses based at least in part on domain name system records stored at the computing resource of the Internet service provider; and
  
  detect that the domain name system records have been altered based at least in part on the number of unauthorized redirections exceeding a threshold.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the network-based resource comprises a web site, wherein the mismatch indicates that the host name or the domain name from the client domain name system record is associated with an autonomous system number unrelated to the provider.
  - 15. The system of claim 13, wherein the computer-executable instructions, when executed by the processor, further configure the system to at least identify that the client device is an at risk device.
  - 16. The system of claim 13, wherein the computer-executable instructions, when executed by the processor, further configure the system to at least receive client domain name system records associated with the accesses of client devices to the network-based resource.
  - 17. The system of claim 16, wherein the unauthorized redirection is further detected based at least in part on the client domain name system records.
  - 18. The system of claim 13, wherein the computer-executable instructions, when executed by the processor, further configure the system to at least:
    - record information associated with the client device accessing a network-based document, the network-based document associated with the network-based resource and generated to be accessible to the client device without redirection;
      
      determine that the information comprises data indicative of a redirection to the network-based document; and
      
      confirm the unauthorized redirection based at least in part on the redirection.
  - 19. The system of claim 13, wherein determining the mismatch is triggered by an event, and wherein the event comprises detecting another mismatch between a client hash and a trusted hash of a portion of the network-based resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Jezorek, Matthew Ryan, Van Horenbeeck, Maarten, Lai, Richie
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/500,869
Time in Patent Office

694 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 61/4511   using domain name system [DNS]

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

Detecting network attacks based on network records

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting network attacks based on network records

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links