Security threat detection using domain name registrations

US 9,432,396 B2
Filed: 08/01/2015
Issued: 08/30/2016
Est. Priority Date: 07/25/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

extracting a set of accessed domain names from a set of events stored in a field-searchable data store;

identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;

identifying a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names;

determining, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed;

causing display of information relating to the access count corresponding to each accessed domain name in the subset;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.

Citations

30 Claims

1. A method, comprising:
- extracting a set of accessed domain names from a set of events stored in a field-searchable data store;
  
  identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
  
  identifying a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names;
  
  determining, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed;
  
  causing display of information relating to the access count corresponding to each accessed domain name in the subset;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - receiving a communication corresponding to an indication as to when each accessed domain name in the subset was registered with a registrar;
      
      wherein the respective registration time is identified based on the communication.
  - 3. The method of claim 1, wherein the respective registration time comprises an age from a first time when the accessed domain name was registered with the registrar to a current time.
  - 4. The method of claim 1, wherein the display of information comprises at least one of:
    - a graph, a scatter plot, a table, or a message.
  - 5. The method of claim 1, wherein the respective registration time is identified based on a communication received from Internet Corporation for Assigned Names and Numbers (ICANN).
  - 6. The method of claim 1, further comprising:
    - identifying a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names;
      
      determining, for each accessed domain name in the second subset, a respective access count corresponding to how many times the set of events indicates that each accessed domain name in the second subset was accessed;
      
      causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the second subset.
  - 7. The method of claim 1, further comprising:
    - receiving an input corresponding to a selection of a particular identified accessed domain name;
      
      presenting additional detail pertaining to events in the set of events that included the particular identified accessed domain name.
  - 8. The method of claim 1, further comprising:
    - identifying a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names;
      
      determining, for each accessed domain name in the second subset, a respective access count that represents how many times the set of events indicates that the accessed domain name in the second subset was accessed.
  - 9. The method of claim 1, further comprising:
    - determining that the access count for a particular accessed domain name in the subset exceeds a threshold number; and
      
      causing access to the particular accessed domain name in the subset to be blocked.
  - 10. The method of claim 1, wherein an event in the set of events includes unstructured data.
  - 11. The method of claim 1, wherein an event in the set of events includes machine data.
  - 12. The method of claim 1, wherein an event in the set of events includes structured data.
  - 13. The method of claim 1, wherein each accessed domain name in the set of accessed domain names corresponds to an accessed Web page.

14. An apparatus, comprising:
- an event extraction device, implemented at least partially by hardware, that extracts a set of accessed domain names from a set of events stored in a field-searchable data store;
  
  a domain name evaluation device, implemented at least partially by hardware, that identifies a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
  
  a registration time comparison device, implemented at least partially by hardware, that identifies a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names;
  
  a domain name access counter device, implemented at least partially by hardware, that determines, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed;
  
  a display processor, implemented at least partially by hardware, that causes display of information relating to the access count corresponding to each accessed domain name in the subset.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The apparatus of claim 14, further comprising:
    - a communication receiver, implemented at least partially by hardware, that receives a communication corresponding to an indication as to when each accessed domain name in the subset was registered with a registrar;
      
      wherein the respective registration time is identified based on the communication.
  - 16. The apparatus of claim 14, wherein the respective registration time comprises an age from a first time when the accessed domain name was registered with the registrar to a current time.
  - 17. The apparatus of claim 14, wherein the display of information comprises at least one of:
    - a graph, a scatter plot, a table, or a message.
  - 18. The apparatus of claim 14,wherein the domain name evaluation device identifies a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names;
    - wherein the domain name access counter device determines, for each accessed domain name in the second subset, a respective access count corresponding to how many times the set of events indicates that each accessed domain name in the second subset was accessed; and
      
      wherein the display processor causes display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the second subset.
  - 19. The apparatus of claim 14, further comprising:
    - a user input receiver, implemented at least partially by hardware, that receives an input corresponding to a selection of a particular identified accessed domain name;
      
      wherein the display processor causes display of additional detail pertaining to events in the set of events that included the particular identified accessed domain name.
  - 20. The apparatus of claim 14, further comprising:
    - wherein the domain name access counter device determines that the access count for a particular accessed domain name in the subset exceeds a threshold number; and
      
      a domain name access block device, implemented at least partially by hardware, that causes access to the particular accessed domain name in the subset to be blocked.
  - 21. The apparatus of claim 14, wherein an event in the set of events includes at least one of:
    - unstructured data, machine data, or structured data.

22. One or more non-transitory storage media storing instructions which, when executed by one or more computing devices, cause:
- extracting a set of accessed domain names from a set of events stored in a field-searchable data store;
  
  identifying a respective registration time for each accessed domain name in the set of accessed domain names, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar;
  
  identifying a subset of accessed domain names in the set of accessed domain names for which the identified respective registration time of each accessed domain name in the subset is recent relative to times for other accessed domain names in the set of accessed domain names;
  
  determining, for each accessed domain name in the subset, an access count corresponding to how many times the set of events indicates that the accessed domain name in the subset was accessed;
  
  causing display of information relating to the access count corresponding to each accessed domain name in the subset.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The one or more non-transitory storage media of claim 22, wherein the instructions which, when executed by the one or more computing devices, cause:
    - receiving a communication corresponding to an indication as to when each accessed domain name in the subset was registered with a registrar;
      
      wherein the respective registration time is identified based on the communication.
  - 24. The one or more non-transitory storage media of claim 22, wherein the respective registration time comprises an age from a first time when the accessed domain name was registered with the registrar to a current time.
  - 25. The one or more non-transitory storage media of claim 22, wherein the display of information comprises at least one of:
    - a graph, a scatter plot, a table, or a message.
  - 26. The one or more non-transitory storage media of claim 22, wherein the instructions which, when executed by the one or more computing devices, cause:
    - identifying a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names;
      
      determining, for each accessed domain name in the second subset, a respective access count corresponding to how many times the set of events indicates that each accessed domain name in the second subset was accessed;
      
      causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the second subset.
  - 27. The one or more non-transitory storage media of claim 22, wherein the instructions which, when executed by the one or more computing devices, cause:
    - receiving an input corresponding to a selection of a particular identified accessed domain name;
      
      presenting additional detail pertaining to events in the set of events that included the particular identified accessed domain name.
  - 28. The one or more non-transitory storage media of claim 22, wherein the instructions which, when executed by the one or more computing devices, cause:
    - determining that the access count for a particular accessed domain name in the subset exceeds a threshold number; and
      
      causing access to the particular accessed domain name in the subset to be blocked.
  - 29. The one or more non-transitory storage media of claim 22, wherein an event in the set of events includes at least one of:
    - unstructured data, machine data, or structured data.
  - 30. The one or more non-transitory storage media of claim 22, wherein each accessed domain name in the set of accessed domain names corresponds to an accessed Web page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc. (Cisco Systems, Inc.)
Original Assignee
Splunk Inc. (Cisco Systems, Inc.)
Inventors
Merza, Munawar Monzy
Primary Examiner(s)
Okeke, Izunna

Application Number

US14/815,972
Publication Number

US 20160036851A1
Time in Patent Office

395 Days
Field of Search
US Class Current

1/1
CPC Class Codes

A61G 17/0073   Cardboard

A61G 17/04   Fittings for coffins

A61G 17/041   Handles

A61G 17/042   Linings and veneer

A61G 17/044   Corpse supports

G06F 21/50   Monitoring users, programs ...

G06T 11/206   Drawing of charts or graphs

H04L 61/4511   using domain name system [DNS]

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

Security threat detection using domain name registrations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Security threat detection using domain name registrations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links