Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

US 9,609,012 B2
Filed: 02/12/2016
Issued: 03/28/2017
Est. Priority Date: 09/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

monitoring, by a computing device, a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);

monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;

generating a suspicious URL log based on the URL-to-IP associations list, wherein the suspicious URL log comprises a first suspicious URL;

determining a list of client devices that queried the first suspicious URL during a first time period; and

generating an event related to a single-flux action being active based on the list of client devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting Fast-Flux malware are presented. Domain name system (DNS) lookup requests to DNS servers from a local area network (LAN) to a wide area network (WAN) are monitored. The DNS lookup requests comprise requests to resolve uniform resource locators (URLs) to network addresses. The network addresses (IP) received from the DNS servers for the DNS lookup requests are monitored provide a URL-to-IP associations list. The DNS servers used for the DNS lookup requests for the URLs are monitored to provide a DNS Domain-to-DNS server associations list. A suspicious URL log based on the URL-to-IP associations list, and a suspicious DNS log based on the DNS Domain-to-DNS server associations list are generated.

22 Citations

20 Claims

1. A method, comprising:
- monitoring, by a computing device, a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
  
  monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;
  
  generating a suspicious URL log based on the URL-to-IP associations list, wherein the suspicious URL log comprises a first suspicious URL;
  
  determining a list of client devices that queried the first suspicious URL during a first time period; and
  
  generating an event related to a single-flux action being active based on the list of client devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising indicating a presence of a malware program in the LAN based on the suspicious URL log.
  - 3. The method of claim 1, further comprising:
    - configuring a resource association list comprising the URL-to-IP associations list; and
      
      configuring a suspicious resource log comprising the suspicious URL log.
  - 4. The method of claim 3, further comprising:
    - counting a total number of association changes in the resource association list; and
      
      logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
  - 5. The method of claim 3, further comprising:
    - counting a number of association changes in the resource association list in a time-period; and
      
      logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
  - 6. The method of claim 3, further comprising:
    - calculating an association change frequency of the resource association list; and
      
      logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
  - 7. The method of claim 3, further comprising:
    - calculating a pattern in the resource association list; and
      
      logging the suspicious resource log, if the pattern is found among a pattern history.

8. A method, comprising:
- monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
  
  monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;
  
  generating a suspicious DNS log based on the DNS Domain-to-DNS server associations list, wherein the suspicious DNS log comprises a first suspicious DNS Domain;
  
  determining a list of client devices that queried the first suspicious DNS Domain during a first time period; and
  
  generating an event related to a double-flux action being active based on the list of client devices.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising indicating a presence of a malware program in the LAN based on the suspicious DNS log.
  - 10. The method of claim 8, further comprising:
    - configuring a resource association list the DNS Domain-to-DNS server associations list; and
      
      configuring a suspicious resource log comprising the suspicious DNS log.
  - 11. The method of claim 10, further comprising:
    - counting a total number of association changes in the resource association list; and
      
      logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
  - 12. The method of claim 10, further comprising:
    - counting a number of association changes in the resource association list in a time-period; and
      
      logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
  - 13. The method of claim 10, further comprising:
    - calculating an association change frequency of the resource association list; and
      
      logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
  - 14. The method of claim 10, further comprising:
    - calculating a pattern in the resource association list; and
      
      logging the suspicious resource log, if the pattern is found among a pattern history.

15. A system, comprising:
- at least one hardware processor; and
  
  a non-transitory computer readable medium storing at least software that, when executed by the at least one hardware processor, cause the system to perform tasks comprising;
  
  monitoring a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
  
  monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;
  
  generating a suspicious URL log based on the URL-to-IP associations list, wherein the suspicious URL log comprises a first suspicious URL;
  
  determining a list of client devices that queried the first suspicious URL during a first time period; and
  
  generating a first event related to a single-flux action being active based on the list of client devices.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the tasks further comprise:
    - monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;
      
      generating a suspicious DNS log based on the DNS Domain-to-DNS server associations list, wherein the suspicious DNS log comprises a first suspicious DNS Domain;
      
      determining a list of client devices that queried the first suspicious DNS Domain during a first time period; and
      
      generating a second event related to a double-flux action being active based on the list of client devices.
  - 17. The system of claim 15, further comprising indicating a presence of a malware program in the LAN based on the suspicious URL log.
  - 18. The system of claim 15, further comprising:
    - configuring a resource association list comprising the URL-to-IP associations list; and
      
      configuring a suspicious resource log comprising the suspicious URL log.
  - 19. The system of claim 18, further comprising:
    - counting a total number of association changes in the resource association list; and
      
      logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
  - 20. The system of claim 18, further comprising:
    - calculating a pattern in the resource association list; and
      
      logging the suspicious resource log, if the pattern is found among a pattern history.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Davis, Aaron R., Aldrich, Timothy M.
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US15/043,501
Publication Number

US 20160173519A1
Time in Patent Office

410 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links