
DGA behavior detection

  • US 9,917,852 B1
  • Filed: 06/29/2015
  • Issued: 03/13/2018
  • Est. Priority Date: 06/29/2015
  • Status: Active Grant
First Claim

1. A system for Domain Generation Algorithm (DGA) behavior detection, comprising:

  • a processor of a security device configured to:

    receive passive Domain Name System (DNS) data that comprises a plurality of DNS responses; and

    apply a signature to the passive DNS data to detect DGA behavior, wherein apply the signature to the passive DNS data to detect DGA behavior further comprises to:

    parse each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response, comprising to:

    determine whether a length of a top-level domain (TLD) of a domain name associated with a DNS response is equal to zero or is greater than three, the DNS response corresponding to the NXDOMAIN response; and

    in response to a determination that the length of the TLD is equal to zero or is greater than three, disregard the DNS response with respect to the DGA behavior; and

    a memory coupled to the processor and configured to provide the processor with instructions.
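The claim above describes a pre-filter rather than a complete detector: parse passive DNS responses, keep only NXDOMAIN responses, and disregard any whose top-level domain has length zero (a single-label or bare host name) or length greater than three. The following is an added example, not code from the patent or from any product built on it, showing that filter applied to constructed passive-DNS records. The record format (`<client> <qname> <rcode>`), the sample lines, and the helper names are all assumptions made for this illustration; the per-client count at the end is an addition beyond the claim text, included only to show what a downstream analysis would consume.

```python
"""
Added example: the NXDOMAIN / TLD-length pre-filter from the first claim,
applied to constructed passive-DNS records. Nothing here is taken from the
patent's own implementation; the log format and sample data are assumptions.
"""
from collections import Counter

# Constructed passive DNS log lines: "<client> <qname> <rcode>".
# These are illustrative values, not captured traffic.
SAMPLE_PASSIVE_DNS = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 kq3x9vmz2p.com NXDOMAIN
10.0.0.5 zt7bn4wq.net NXDOMAIN
10.0.0.7 localhost. NXDOMAIN
10.0.0.7 printer NXDOMAIN
10.0.0.9 a8f3k2m9.info NXDOMAIN
10.0.0.9 mail.example.org NOERROR
10.0.0.5 pw8r2lq0.biz NXDOMAIN
"""


def parse_records(text):
    """Parse the constructed log lines into (client, qname, rcode) tuples.

    Malformed lines are skipped rather than guessed at, so a single bad
    record cannot poison the rest of the batch.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append(tuple(parts))
    return records


def tld_of(qname):
    """Return the label after the last dot, with any trailing root dot
    stripped. A single-label name ('printer', 'localhost.') has no TLD
    and yields the empty string, which the claim treats as length zero."""
    name = qname.rstrip(".").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def tld_passes(qname):
    """The claim's test: disregard the response when the TLD length is
    equal to zero or greater than three; otherwise keep it."""
    n = len(tld_of(qname))
    return not (n == 0 or n > 3)


def nxdomain_candidates(records):
    """Keep only NXDOMAIN responses that survive the TLD-length filter.
    Returns (client, qname) pairs for downstream DGA analysis."""
    return [
        (client, qname)
        for client, qname, rcode in records
        if rcode == "NXDOMAIN" and tld_passes(qname)
    ]


def nxdomain_counts_per_client(records):
    """Count surviving NXDOMAIN responses per client. This aggregation is
    an addition for illustration; the claim itself stops at the filter."""
    return Counter(client for client, _ in nxdomain_candidates(records))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_PASSIVE_DNS)
    for client, qname in nxdomain_candidates(recs):
        print(f"candidate: {client} -> {qname}")
    print(dict(nxdomain_counts_per_client(recs)))
```

On the constructed input the filter discards `localhost.` and `printer` (no TLD) and `a8f3k2m9.info` (TLD length four), leaving three `.com`/`.net`/`.biz` NXDOMAIN responses, all from one client. The claim says nothing about what happens after the filter; in practice the surviving responses would feed whatever signature or rate-based logic the security device applies, and the length-three cutoff is a tuning choice that a deployment would need to revisit as longer TLDs become common.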
