DGA behavior detection
First Claim
1. A system for Domain Generation Algorithm (DGA) behavior detection, comprising:
    a processor of a security device configured to:
        receive passive Domain Name System (DNS) data that comprises a plurality of DNS responses; and
        apply a signature to the passive DNS data to detect DGA behavior, wherein apply the signature to the passive DNS data to detect DGA behavior further comprises to:
            parse each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response, comprising to:
                determine whether a length of a top-level domain (TLD) of a domain name associated with a DNS response is equal to zero or is greater than three, the DNS response corresponding to the NXDOMAIN response; and
                in response to a determination that the length of the TLD is equal to zero or is greater than three, disregard the DNS response with respect to the DGA behavior; and
    a memory coupled to the processor and configured to provide the processor with instructions.
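The filter recited in claim 1, worked as an added example (not the patent's or any vendor's code): each passive DNS response is parsed, only NXDOMAIN responses are considered, and those whose TLD length is zero or greater than three are disregarded. The record format, the sample responses, and the per-client counting are assumptions for illustration; the claims do not state a threshold.

```python
# Added example (not from the patent): apply the claim-1 NXDOMAIN/TLD-length
# filter to passive DNS responses. The record format and sample data are constructed.
from collections import Counter

# Constructed passive DNS responses: (client address, queried name, DNS RCODE name)
SAMPLE_RESPONSES = [
    ("10.0.0.5", "xk3jq9zlwv.com", "NXDOMAIN"),    # TLD length 3: counted
    ("10.0.0.5", "qpw8ry2nd.net", "NXDOMAIN"),     # TLD length 3: counted
    ("10.0.0.5", "updates.example.org", "NOERROR"),  # not NXDOMAIN: ignored
    ("10.0.0.5", "host.internal", "NXDOMAIN"),     # TLD length 8 > 3: disregarded
    ("10.0.0.5", "localhost", "NXDOMAIN"),         # no TLD (length 0): disregarded
    ("10.0.0.5", "a9b8c7d6.info", "NXDOMAIN"),     # TLD length 4 > 3: disregarded
    ("10.0.0.9", "mail.example.com", "NOERROR"),   # not NXDOMAIN: ignored
]


def tld_length(name: str) -> int:
    """Length of the label after the last dot. A trailing dot (FQDN form) is
    ignored; a name with no dot is treated as having no TLD (length 0).
    That reading of the claim's 'equal to zero' case is an assumption."""
    name = name[:-1] if name.endswith(".") else name
    if "." not in name:
        return 0
    return len(name.rsplit(".", 1)[1])


def is_dga_candidate(name: str, rcode: str) -> bool:
    """Claim-1 filter: only NXDOMAIN responses whose TLD is 1..3 characters
    long count towards DGA behavior; everything else is disregarded."""
    if rcode != "NXDOMAIN":
        return False
    length = tld_length(name)
    return not (length == 0 or length > 3)


def count_dga_nxdomains(responses) -> Counter:
    """Count qualifying NXDOMAIN responses per client. A signature would
    threshold on this count; the threshold itself is not given in the claims."""
    counts = Counter()
    for client, name, rcode in responses:
        if is_dga_candidate(name, rcode):
            counts[client] += 1
    return counts


if __name__ == "__main__":
    for client, n in count_dga_nxdomains(SAMPLE_RESPONSES).items():
        print(f"{client}: {n} qualifying NXDOMAIN responses")
```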
Abstract
Techniques for Domain Generation Algorithm (DGA) behavior detection are provided. In some embodiments, a system, process, and/or computer program product for DGA behavior detection includes receiving passive Domain Name System (DNS) data that comprises a plurality of DNS responses at a security device; and applying a signature to the passive DNS data to detect DGA behavior, in which applying the signature to the passive DNS data to detect DGA behavior further comprises: parsing each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response.
68 Citations
20 Claims
19. A method of Domain Generation Algorithm (DGA) behavior detection, comprising:
    receiving passive Domain Name System (DNS) data that comprises a plurality of DNS responses at a security device; and
    applying a signature to the passive DNS data to detect DGA behavior using a processor of the security device, wherein applying the signature to the passive DNS data to detect DGA behavior further comprises:
        parsing each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response, comprising:
            determining whether a length of a top-level domain (TLD) of a domain name associated with a DNS response is equal to zero or is greater than three, the DNS response corresponding to the NXDOMAIN response; and
            in response to a determination that the length of the TLD is equal to zero or is greater than three, disregarding the DNS response with respect to the DGA behavior.

20. A computer program product for Domain Generation Algorithm (DGA) behavior detection, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
    receiving passive Domain Name System (DNS) data that comprises a plurality of DNS responses; and
    applying a signature to the passive DNS data to detect DGA behavior, wherein applying the signature to the passive DNS data to detect DGA behavior further comprises:
        parsing each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response, comprising:
            determining whether a length of a top-level domain (TLD) of a domain name associated with a DNS response is equal to zero or is greater than three, the DNS response corresponding to the NXDOMAIN response; and
            in response to a determination that the length of the TLD is equal to zero or is greater than three, disregarding the DNS response with respect to the DGA behavior.
Specification