Detecting DGA-based malicious software using network flow information
First Claim
1. A computer-implemented method comprising:
using a computing device, in a communications network that comprises at least a plurality of hosts, receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;
using the computing device, determining, based on the network flow information, a number of requests originating from an endpoint of the particular host, wherein the endpoint is a unique combination of an internet protocol address of the particular host, a port number associated with a port on the particular host and a communication protocol used in transmitting a particular packet that originated from the particular host;
determining, based on, at least in part, the number of requests originating from the endpoint of the particular host, a number of internet protocol addresses contacted by the particular host;
using the computing device, determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted, wherein determining that malware exists on the particular host includes one or more of:
determining a ratio of the number of domain name server requests to the number of internet protocol addresses contacted, determining whether the ratio exceeds a particular threshold value, determining an average value of ratios computed for the one or more other computing devices and comparing the average value with the ratio determined for the particular host, or determining a number of peers of the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted and determining a median of the number of peers.
1 Assignment
0 Petitions
Abstract
Detecting DGA-based malware is disclosed. In an embodiment, a number of domain name server requests originating from a particular host among a plurality of hosts is determined. The domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses contacted by the particular host is determined. Based on the number of domain name server requests and the number of internet protocol addresses contacted, the existence of malware on the particular host is determined.
17 Citations
18 Claims
10. A data processing apparatus configured with improved detection of domain generating algorithm (DGA)-based malware based upon network flow information, comprising:
one or more processors;
one or more interfaces that are configured to couple to a communications network that comprises at least a plurality of hosts;
one or more non-transitory computer-readable storage media storing one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;
determining, based on the network flow information, a number of requests originating from an endpoint of the particular host, wherein the endpoint is a unique combination of an internet protocol address of the particular host, a port number associated with a port on the particular host and a communication protocol used in transmitting a particular packet that originated from the particular host;
determining, based on, at least in part, the number of requests originating from the endpoint of the particular host, a number of internet protocol addresses contacted by the particular host;
determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted, wherein determining that malware exists on the particular host includes one or more of:
determining a ratio of the number of domain name server requests to the number of internet protocol addresses contacted, determining whether the ratio exceeds a particular threshold value, determining an average value of ratios computed for the one or more other computing devices and comparing the average value with the ratio determined for the particular host, or determining a number of peers of the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted and determining a median of the number of peers.
(Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18)
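The detection logic the claims describe, as an added Python example that is not part of the patent or its implementation: it reads constructed flow records, counts per host the DNS requests sent to a resolver and the distinct addresses actually contacted, and flags a host whose ratio of the two exceeds an absolute threshold and also the average ratio of the other observed hosts. The flow tuple layout, the resolver address, the threshold values and the per-host (rather than per-endpoint) aggregation are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records, not from the patent. One tuple per flow seen at an
# observation point: (src_ip, src_port, proto, dst_ip, dst_port).
FLOWS = [
    # host 10.0.0.5: ordinary client, roughly one lookup per server contacted
    ("10.0.0.5", 51000, "udp", "10.0.0.2", 53),
    ("10.0.0.5", 40001, "tcp", "93.184.216.34", 443),
    ("10.0.0.5", 51001, "udp", "10.0.0.2", 53),
    ("10.0.0.5", 40002, "tcp", "151.101.1.69", 443),
    # host 10.0.0.9: DGA-like pattern, many lookups but few servers reached
    *[("10.0.0.9", 52000 + i, "udp", "10.0.0.2", 53) for i in range(40)],
    ("10.0.0.9", 41000, "tcp", "203.0.113.7", 80),
    ("10.0.0.9", 41001, "tcp", "203.0.113.7", 80),
]
DNS_SERVERS = {"10.0.0.2"}  # assumed resolver address for the constructed data

def host_stats(flows, dns_servers):
    """Per source host: (DNS request count, distinct non-DNS IPs contacted)."""
    dns_requests = defaultdict(int)   # host -> lookups sent to a resolver
    contacted = defaultdict(set)      # host -> distinct destination IPs
    for src, _sport, _proto, dst, dport in flows:
        if dst in dns_servers and dport == 53:
            dns_requests[src] += 1
        else:
            contacted[src].add(dst)
    hosts = set(dns_requests) | set(contacted)
    return {h: (dns_requests[h], len(contacted[h])) for h in hosts}

def dga_ratio(dns_count, ip_count):
    """Claimed signal: lookups per address actually contacted. A DGA host resolves
    many candidate names but reaches few live servers, so the ratio is high."""
    return dns_count / max(ip_count, 1)

def flag_hosts(flows, dns_servers, threshold=5.0, peer_factor=3.0):
    """Flag a host when its ratio exceeds an absolute threshold and also stands
    out against the average ratio of the other observed hosts (both assumed)."""
    stats = host_stats(flows, dns_servers)
    ratios = {h: dga_ratio(d, n) for h, (d, n) in stats.items()}
    flagged = {}
    for host, ratio in ratios.items():
        others = [r for h, r in ratios.items() if h != host]
        baseline = mean(others) if others else 0.0
        flagged[host] = ratio > threshold and ratio > peer_factor * baseline
    return flagged

if __name__ == "__main__":
    for host, hit in sorted(flag_hosts(FLOWS, DNS_SERVERS).items()):
        print(host, "suspicious" if hit else "ok")
```

On real exports the same counts come from NetFlow or IPFIX records aggregated per observation window; a resolver that answers from cache still shows up as a DNS request, which is why the claim counts lookups rather than resolved names.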
Specification