Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes
First Claim
1. A method, comprising:
monitoring, by a computing device, a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;
generating a suspicious URL log based on the URL-to-IP associations list, wherein the suspicious URL log comprises a first suspicious URL;
determining a list of client devices that queried the first suspicious URL during a first time period; and
generating an event related to a single-flux action being active based on the list of client devices.
Abstract
A system and method for detecting Fast-Flux malware are presented. Domain name system (DNS) lookup requests to DNS servers from a local area network (LAN) to a wide area network (WAN) are monitored. The DNS lookup requests comprise requests to resolve uniform resource locators (URLs) to network addresses. The network addresses (IP) received from the DNS servers for the DNS lookup requests are monitored to provide a URL-to-IP associations list. The DNS servers used for the DNS lookup requests for the URLs are monitored to provide a DNS Domain-to-DNS server associations list. A suspicious URL log based on the URL-to-IP associations list, and a suspicious DNS log based on the DNS Domain-to-DNS server associations list, are generated.
20 Claims
1. A method, comprising:
monitoring, by a computing device, a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;
generating a suspicious URL log based on the URL-to-IP associations list, wherein the suspicious URL log comprises a first suspicious URL;
determining a list of client devices that queried the first suspicious URL during a first time period; and
generating an event related to a single-flux action being active based on the list of client devices.
(Dependent claims 2, 3, 4, 5, 6, 7)

8. A method, comprising:
monitoring, by a network traffic monitor, a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list;
generating a suspicious DNS log based on the DNS Domain-to-DNS server associations list, wherein the suspicious DNS log comprises a first suspicious DNS Domain;
determining a list of client devices that queried the first suspicious DNS Domain during a first time period; and
generating an event related to a double-flux action being active based on the list of client devices.
(Dependent claims 9, 10, 11, 12, 13, 14)

15. A system, comprising:
at least one hardware processor; and
a non-transitory computer readable medium storing at least software that, when executed by the at least one hardware processor, causes the system to perform tasks comprising:
monitoring a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP);
monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs;
generating a suspicious URL log based on the URL-to-IP associations list, wherein the suspicious URL log comprises a first suspicious URL;
determining a list of client devices that queried the first suspicious URL during a first time period; and
generating a first event related to a single-flux action being active based on the list of client devices.
(Dependent claims 16, 17, 18, 19, 20)
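The three independent claims describe one pipeline: monitor DNS lookups from LAN devices, build a URL-to-IP associations list (claims 1 and 15) and a DNS Domain-to-DNS server associations list (claim 8), derive a suspicious URL log and a suspicious DNS log from them, find the client devices that queried each suspicious name during a time period, and raise a single-flux or double-flux event. The following Python is an added illustration of that pipeline over constructed DNS records; it is not code from the patent or its assignee. The churn thresholds (`SINGLE_FLUX_MIN_IPS`, `DOUBLE_FLUX_MIN_SERVERS`), the record layout and the sample addresses are all assumptions made for the example.

```python
"""Single-flux and double-flux detection over DNS resolution records.

Added example, not part of the patent. Record layout, thresholds and
sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: int          # time of the lookup, seconds (constructed clock)
    client: str      # LAN device that issued the lookup
    name: str        # name queried (what the claims call the URL)
    ip: str          # network address (IP) returned for the name
    dns_server: str  # DNS server that served the answer


# Assumed thresholds: how many distinct answers within the observation
# window make a name "suspicious". Tune these to the monitored network.
SINGLE_FLUX_MIN_IPS = 4      # distinct IPs for one name (URL-to-IP churn)
DOUBLE_FLUX_MIN_SERVERS = 3  # distinct DNS servers for one name (Domain-to-DNS churn)


def build_associations(records):
    """Return (url_to_ip, domain_to_dns_server): name -> set of values seen."""
    url_to_ip = defaultdict(set)
    domain_to_dns_server = defaultdict(set)
    for r in records:
        url_to_ip[r.name].add(r.ip)
        domain_to_dns_server[r.name].add(r.dns_server)
    return url_to_ip, domain_to_dns_server


def suspicious_url_log(url_to_ip, min_ips=SINGLE_FLUX_MIN_IPS):
    """Names whose resolved IP set churned past the single-flux threshold."""
    return sorted(n for n, ips in url_to_ip.items() if len(ips) >= min_ips)


def suspicious_dns_log(domain_to_dns_server, min_servers=DOUBLE_FLUX_MIN_SERVERS):
    """Names served by too many distinct DNS servers (double-flux threshold)."""
    return sorted(n for n, srv in domain_to_dns_server.items() if len(srv) >= min_servers)


def clients_that_queried(records, name, t_start, t_end):
    """Client devices that looked up `name` during [t_start, t_end)."""
    return sorted({r.client for r in records
                   if r.name == name and t_start <= r.ts < t_end})


def generate_events(records, t_start, t_end):
    """Run the whole pipeline over one time period and return flux events."""
    window = [r for r in records if t_start <= r.ts < t_end]
    url_to_ip, domain_to_dns_server = build_associations(window)
    events = []
    for name in suspicious_url_log(url_to_ip):
        clients = clients_that_queried(window, name, t_start, t_end)
        if clients:  # only raise an event when a LAN device actually asked
            events.append({"type": "single-flux", "name": name,
                           "ips": sorted(url_to_ip[name]), "clients": clients})
    for name in suspicious_dns_log(domain_to_dns_server):
        clients = clients_that_queried(window, name, t_start, t_end)
        if clients:
            events.append({"type": "double-flux", "name": name,
                           "dns_servers": sorted(domain_to_dns_server[name]),
                           "clients": clients})
    return events


# Constructed sample: one stable name, one name whose IP changes on every
# lookup (single flux), one name handed out by a rotating set of DNS servers
# (double flux). Addresses are documentation ranges, not real hosts.
SAMPLE_RECORDS = [
    DnsRecord(0, "10.0.0.11", "static.example", "198.51.100.10", "203.0.113.53"),
    DnsRecord(1, "10.0.0.12", "static.example", "198.51.100.10", "203.0.113.53"),
    DnsRecord(2, "10.0.0.13", "static.example", "198.51.100.10", "203.0.113.53"),
    DnsRecord(3, "10.0.0.11", "flux1.example", "198.51.100.21", "203.0.113.53"),
    DnsRecord(4, "10.0.0.12", "flux1.example", "198.51.100.22", "203.0.113.53"),
    DnsRecord(5, "10.0.0.11", "flux1.example", "198.51.100.23", "203.0.113.53"),
    DnsRecord(6, "10.0.0.14", "flux1.example", "198.51.100.24", "203.0.113.53"),
    DnsRecord(7, "10.0.0.12", "flux1.example", "198.51.100.25", "203.0.113.53"),
    DnsRecord(8, "10.0.0.13", "flux2.example", "198.51.100.40", "203.0.113.61"),
    DnsRecord(9, "10.0.0.13", "flux2.example", "198.51.100.40", "203.0.113.62"),
    DnsRecord(10, "10.0.0.15", "flux2.example", "198.51.100.41", "203.0.113.63"),
]


if __name__ == "__main__":
    for ev in generate_events(SAMPLE_RECORDS, 0, 100):
        print(ev)
```

Splitting the association lists from the event step mirrors the claim structure: the lists are cheap to maintain continuously, while the client lookup is only run for names that made it into a suspicious log, and the time period keeps the client list tied to when the flux was actually observed.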
Specification