Method and system for detecting malicious domain names at an upper DNS hierarchy

US 9,686,291 B2
Filed: 12/04/2013
Issued: 06/20/2017
Est. Priority Date: 02/01/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malicious domain name, comprising:

collecting statistical information about a domain name from at least one non-recursive domain name system name server (RDNS NS), wherein the domain name statistical information comprises at least one of requester diversity information and requester profile information;

wherein the requester diversity information identifies each RDNS NS that queries the domain name as either localized or globally distributed, and wherein the requester profile information identifies each RDNS NS as being associated with one of internet service provider networks and enterprise networks; and

utilizing the collected domain name statistical information to determine the reputation of a domain name and whether a domain name is malicious or benign.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.

Citations

22 Claims

1. A method for detecting a malicious domain name, comprising:
- collecting statistical information about a domain name from at least one non-recursive domain name system name server (RDNS NS), wherein the domain name statistical information comprises at least one of requester diversity information and requester profile information;
  
  wherein the requester diversity information identifies each RDNS NS that queries the domain name as either localized or globally distributed, and wherein the requester profile information identifies each RDNS NS as being associated with one of internet service provider networks and enterprise networks; and
  
  utilizing the collected domain name statistical information to determine the reputation of a domain name and whether a domain name is malicious or benign.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the domain name statistical information also comprises at least one of reputation information and requester diversity information.
  - 3. The method of claim 2, wherein the reputation information classifies a domain name as malignant or benign utilizing historic information about domain name resolution.
  - 4. The method of claim 1, further comprising:
    - determining whether an additional domain name is malicious based on how close the additional domain name'"'"'s statistical information is to the known malicious domain name'"'"'s statistical information.
  - 5. The method of claim 4, wherein the additional domain name is a new domain name.
  - 6. The method of claim 1, wherein the requester diversity information comprises diversity in terms of network location of the RDNS NSs that query a domain name;
    - or the requester profile information comprises a level of popularity of the querying RDNS NSs that query a domain name;
      
      or both.
  - 7. The method of claim 1, wherein collecting domain name information from the non-RDNS NS comprises monitoring DNS traffic flowing towards the non-RDNS NS.
  - 8. The method of claim 7, wherein monitoring DNS traffic flowing towards the non-RDNS NS allows monitoring of DNS queries from servers around the Internet that attempt to resolve a domain name for which the non-RDNS NS has authority or is a point of delegation.
  - 9. The method of claim 1, wherein a sensor is attached to or by the non RDNS NS.
  - 10. The method of claim 1, wherein a DNS operator is able to detect and remediate a malicious domain name within his or her name space.
  - 11. The method of claim 1, wherein the non-RDNS name server comprises:
    - a top level domain name server (TLD NS), or an authoritative name server (AUTH NS), or a root name server (NS), or any combination thereof.

12. A system for detecting a malicious domain name, comprising:
- a processor configured for;
  
  collecting statistical information about a domain name from at least one non-recursive domain name system name server (RDNS NS), wherein the domain name statistical information comprises at least one of requester diversity information and requester profile information;
  
  wherein the requester diversity information identifies each RDNS NS that queries the domain name as either localized or globally distributed, and wherein the requester profile information identifies each RDNS NS as being associated with one of internet service provider networks and enterprise networks; and
  
  utilizing the collected domain name statistical information to determine the reputation of a domain name and whether a domain name is malicious or benign.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the domain name statistical information also comprises reputation information.
  - 14. The system of claim 12, further comprising:
    - determining whether an additional domain name is malicious based on how close the additional domain name'"'"'s statistical information is to the known malicious domain name'"'"'s statistical information.
  - 15. The system of claim 14, wherein the additional domain name is a new domain name.
  - 16. The system of claim 12, wherein:
    - the requester diversity information comprises diversity in terms of network location of the RDNS NSs that query a domain name;
      
      or the requester profile information comprises a level of popularity of the querying RDNS NSs that query a domain name, or both.
  - 17. The system of claim 12, wherein the reputation information classifies a domain name as malignant or benign utilizing historic information about domain name resolution.
  - 18. The system of claim 12, wherein collecting domain name information from the non-RDNS NS comprises monitoring DNS traffic flowing towards the non-RDNS NS.
  - 19. The system of claim 18, wherein monitoring DNS traffic flowing towards the non-RDNS NS allows monitoring of DNS queries from servers around the Internet that attempt to resolve a domain name for which the non-RDNS NS has authority or is a point of delegation.
  - 20. The system of claim 12, wherein a sensor is attached to or by the non RDNS NS.
  - 21. The system of claim 12, wherein a DNS operator is able to detect and remediate a malicious domain name within his or her name space.
  - 22. The system of claim 12, wherein the non-RDNS name server comprises:
    - a top level domain name server (TLD NS), or an authoritative name server (AUTH NS), or a root name server (NS), or any combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Perdisci, Roberto, Lee, Wenke, Vasiloglou, II, Nikolaos, Antonakakis, Manos
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/096,803
Publication Number

US 20140157414A1
Time in Patent Office

1,294 Days
Field of Search

713 23, 709223
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1483   service impersonation, e.g....

Method and system for detecting malicious domain names at an upper DNS hierarchy

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting malicious domain names at an upper DNS hierarchy

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links