Detecting DGA-based malicious software using network flow information

US 9,654,484 B2
Filed: 07/31/2014
Issued: 05/16/2017
Est. Priority Date: 07/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

using a computing device, in a communications network that comprises at least a plurality of hosts, receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;

using the computing device,determining, based on the network flow information, a number of requests originating from an endpoint of the particular host, wherein the endpoint is a unique combination of an internet protocol address of the particular host, a port number associated with a port on the particular host and a communication protocol used in transmitting a particular packet that originated from the particular host;

determining, based on, at least in part, the number of requests originating from the endpoint of the particular host, a number of internet protocol addresses contacted by the particular host;

using the computing device, determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted, wherein determining that malware exists on the particular host includes one or more of;

determining a ratio of the number of domain name server requests to the number of internet protocol addresses contacted, determining whether the ratio exceeds a particular threshold value, determining an average value of ratios computed for the one or more other computing devices and comparing the average value with the ratio determined for the particular host, or determining a number of peers of the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted and determining a median of the number of peers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting DGA-based malware is disclosed. In an embodiment, a number of domain name server requests originating from a particular host among a plurality of hosts is determined. The number of domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses contacted by the particular host is determined. Based on the number of domain name server requests and the number of internet protocol addresses contacted existence of malware on the particular host is determined.

17 Citations

View as Search Results

18 Claims

1. A computer-implemented method comprising:
- using a computing device, in a communications network that comprises at least a plurality of hosts, receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;
  
  using the computing device,determining, based on the network flow information, a number of requests originating from an endpoint of the particular host, wherein the endpoint is a unique combination of an internet protocol address of the particular host, a port number associated with a port on the particular host and a communication protocol used in transmitting a particular packet that originated from the particular host;
  
  determining, based on, at least in part, the number of requests originating from the endpoint of the particular host, a number of internet protocol addresses contacted by the particular host;
  
  using the computing device, determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted, wherein determining that malware exists on the particular host includes one or more of;
  
  determining a ratio of the number of domain name server requests to the number of internet protocol addresses contacted, determining whether the ratio exceeds a particular threshold value, determining an average value of ratios computed for the one or more other computing devices and comparing the average value with the ratio determined for the particular host, or determining a number of peers of the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted and determining a median of the number of peers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining that a value based on the ratio;
      
      determining that malware exists on the particular host based on the determination that the value is higher than the particular threshold value.
  - 3. The computer-implemented method of claim 2, further comprising determining the particular threshold value based on a previous threshold value and a plurality of ratios, wherein each ratio of the plurality of ratios is associated with a different corresponding host of the plurality of hosts and is a ratio of domain name server requests originating from the corresponding host to internet protocol addresses contacted by the corresponding host.
  - 4. The computer-implemented method of claim 1, further comprising determining the number of internet protocol addresses contacted by the particular host based only upon the network flow information associated with the particular host.
  - 5. The computer-implemented method of claim 1, wherein the network flow information is from any of a NetFlow protocol or an Internet Protocol Flow Information Export (IPFIX) protocol.
  - 6. The computer-implemented method of claim 1, further comprising:
    - determining whether a certain endpoint of a certain network node is a service;
      
      identifying, from the network flow information, one or more packets directed to the certain endpoint from the endpoint of the particular host as request packets;
      
      determining, based on the one or more packets, the number of requests originating from the endpoint of the particular host;
      
      determining, based, at least in part, on the number of requests originating from the endpoint of the particular host, the number of internet protocol addresses contacted by the particular host.
  - 7. The computer-implemented method of claim 6, further comprising:
    - determining a number of peers of the certain endpoint of the certain network node;
      
      determining, based on the number of peers of the certain endpoint, a median of the number of peers for the certain endpoint;
      
      determining the median of the number of peers for the certain endpoint is greater than zero;
      
      determining, based, at least in part on that the median of the number of peers for the certain endpoint is greater than zero, the certain endpoint of the certain network node is a service.
  - 8. The computer-implemented method of claim 7, further comprising:
    - determining a number of unsuccessful connections originating from the certain endpoint;
      
      determining the number of unsuccessful connections originating from the certain endpoint is not greater than a threshold number of unsuccessful connections that are acceptable for a service;
      
      determining, based, at least in part on that the median of the number of peers for the certain endpoint is greater than zero and that the number of unsuccessful connections originating from the certain endpoint is not greater than the threshold number of unsuccessful connections that are acceptable for a service, the certain endpoint of the certain network node is a service.
  - 9. The computer-implemented method of claim 7, further comprising:
    - determining the certain endpoint does not communicate on ports with a port number greater than 1023;
      
      determining, based, at least in part on that the median of the number of peers for the certain endpoint is greater than zero and that the certain endpoint does not communicate on ports with a port number greater than 1023, the certain endpoint of the certain network node is a service.

10. A data processing apparatus configured with improved detection of domain generating algorithm (DGA)-based malware based upon network flow information, comprising:
- one or more processors;
  
  one or more interfaces that are configured to couple to a communications network that comprises at least a plurality of hosts;
  
  one or more non-transitory computer-readable storage media storing one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;
  
  determining, based on the network flow information, a number of requests originating from an endpoint of the particular host, wherein the endpoint is a unique combination of an internet protocol address of the particular host, a port number associated with a port on the particular host and a communication protocol used in transmitting a particular packet that originated from the particular host;
  
  determining, based on, at least in part, the number of requests originating from the endpoint of the particular host, a number of internet protocol addresses contacted by the particular host;
  
  determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted, wherein determining that malware exists on the particular host includes one or more of;
  
  determining a ratio of the number of domain name server requests to the number of internet protocol addresses contacted, determining whether the ratio exceeds a particular threshold value, determining an average value of ratios computed for the one or more other computing devices and comparing the average value with the ratio determined for the particular host, or determining a number of peers of the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted and determining a median of the number of peers.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining that a value based on the ratio;
      
      determining that malware exists on the particular host based on the determination that the value is higher than the particular threshold value.
  - 12. The apparatus of claim 11, the storage media further comprising instructions which when executed cause the one or more processors to perform determining the particular threshold value based on a previous threshold value and a plurality of ratios, wherein each ratio of the plurality of ratios is associated with a different corresponding host of the plurality of hosts and is a ratio of domain name server requests originating from the corresponding host to internet protocol addresses contacted by the corresponding host.
  - 13. The apparatus of claim 10, the storage media further comprising instructions which when executed cause the one or more processors to perform determining the number of internet protocol addresses contacted by the particular host based only upon the network flow information associated with the particular host.
  - 14. The apparatus of claim 13, wherein the network flow information is from any of a NetFlow protocol or an Internet Protocol Flow Information Export (IPFIX) protocol.
  - 15. The apparatus of claim 10, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining a certain endpoint of a certain network node is a service;
      
      identifying, from the network flow information, one or more packets directed to the certain endpoint from the endpoint of the particular host as request packets;
      
      determining, based on the one or more packets, the number of requests originating from the endpoint of the particular host;
      
      determining, based, at least in part, on the number of requests originating from the endpoint of the particular host, the number of internet protocol addresses contacted by the particular host.
  - 16. The apparatus of claim 15, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining a number of peers of the certain endpoint of the certain network node;
      
      determining, based on the number of peers of the certain endpoint, a median of the number of peers for the certain endpoint;
      
      determining the median of the number of peers for the certain endpoint is greater than zero;
      
      determining, based, at least in part on that the median of the number of peers for the certain endpoint is greater than zero, the certain endpoint of the certain network node is a service.
  - 17. The apparatus of claim 16, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining a number of unsuccessful connections originating from the certain endpoint;
      
      determining the number of unsuccessful connections originating from the certain endpoint is not greater than a threshold number of unsuccessful connections that are acceptable for a service;
      
      determining, based, at least in part on that the median of the number of peers for the certain endpoint is greater than zero and that the number of unsuccessful connections originating from the certain endpoint is not greater than the threshold number of unsuccessful connections that are acceptable for a service, the certain endpoint of the certain network node is a service.
  - 18. The apparatus of claim 16, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining the certain endpoint does not communicate on ports with a port number greater than 1023;
      
      determining, based, at least in part on that the median of the number of peers for the certain endpoint is greater than zero and that the certain endpoint does not communicate on ports with a port number greater than 1023, the certain endpoint of the certain network node is a service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Grill, Martin, Nikolaev, Ivan
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/448,637
Publication Number

US 20160036836A1
Time in Patent Office

1,020 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 67/104   Peer-to-peer [P2P] networks

Detecting DGA-based malicious software using network flow information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Detecting DGA-based malicious software using network flow information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others