Method and system for detecting DGA-based malware

US 9,922,190 B2
Filed: 01/24/2013
Issued: 03/20/2018
Est. Priority Date: 01/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a domain generation algorithm (DGA), comprising:

obtaining, from an electronic database, a plurality of non-existent (NX) domain names comprising a top-level domain (TLD), a second-level domain (2LD), and a third-level domain (3LD);

clustering, utilizing a name-based clustering module, a portion of the plurality of NX domain names based on at least one of n-gram features (NGF), entropy-based features (EBF), and structural domain features (SDF);

wherein the TLD, 2LD, and 3LD are all utilized by the name-based clustering module;

clustering, utilizing a graph clustering module, another portion of the plurality of NX domain names based on groups of assets that queried the NX domain names;

associating, utilizing a daily clustering correlation module, one or more NX domain names from the name based clustering model with one or more NX domain names from the graph clustering model;

responsive to the daily clustering, associating, utilizing a temporal clustering correlation module, one or more NX domain names from different clusters based on a rolling window of two consecutive epochs; and

determining whether a DGA that generated the clustered NX domain is unknown.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for detecting a domain generation algorithm (DGA), comprising: performing processing associated with clustering, utilizing a name-based features clustering module accessing information from an electronic database of NX domain information, the randomly generated domain names based on the similarity in the make-up of the randomly generated domain names; performing processing associated with clustering, utilizing a graph clustering module, the randomly generated domain names based on the groups of assets that queried the randomly generated domain names; performing processing associated with determining, utilizing a daily clustering correlation module and a temporal clustering correlation module, which clustered randomly generated domain names are highly correlated in daily use and in time; and performing processing associated with determining the DGA that generated the clustered randomly generated domain names.

Citations

18 Claims

1. A method for detecting a domain generation algorithm (DGA), comprising:
- obtaining, from an electronic database, a plurality of non-existent (NX) domain names comprising a top-level domain (TLD), a second-level domain (2LD), and a third-level domain (3LD);
  
  clustering, utilizing a name-based clustering module, a portion of the plurality of NX domain names based on at least one of n-gram features (NGF), entropy-based features (EBF), and structural domain features (SDF);
  
  wherein the TLD, 2LD, and 3LD are all utilized by the name-based clustering module;
  
  clustering, utilizing a graph clustering module, another portion of the plurality of NX domain names based on groups of assets that queried the NX domain names;
  
  associating, utilizing a daily clustering correlation module, one or more NX domain names from the name based clustering model with one or more NX domain names from the graph clustering model;
  
  responsive to the daily clustering, associating, utilizing a temporal clustering correlation module, one or more NX domain names from different clusters based on a rolling window of two consecutive epochs; and
  
  determining whether a DGA that generated the clustered NX domain is unknown.
- View Dependent Claims (2, 3, 4, 5, 6, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - responsive to determining that a DGA is unknown sending the unknown DGA to a DGA classification module.
  - 3. The method of claim 2, further comprising:
    - modeling the DGA.
  - 4. The method of claim 3, further comprising:
    - providing a report about the DGA.
  - 5. The method of claim 1, further comprising:
    - monitoring DNS traffic below a local recursive DNS server;
      
      wherein the DNS traffic is stored in the electronic database.
  - 6. The method of claim 1, wherein unknown DGA are used to train new DGA classifier modules.
  - 13. The method of claim 1, wherein the clustering is based on n-gram features, and wherein the n-gram features comprise:
    - measuring a frequency distribution of one or more n-grams across the TLD, 2LD, and 3LD of the portion of the plurality of NX domain names.
  - 14. The method of claim 1, wherein the clustering is based on entropy-based features, and wherein the entropy-based features comprise:
    - determining a level of randomness for the portion of the plurality of NX domain names based on computing an entropy of a character distribution for the 2LD and the 3LD.
  - 15. The method of claim 1, wherein the clustering is based on structural domain features, and wherein the structural domain features comprise:
    - determining an average, median, standard deviation, and variance for the portion of the plurality of NX domain names based on a length and number of domain levels for each NX domain.

7. A system for detecting a domain generation algorithm (DGA), comprising:
- a non-transitory device comprising a processor 2obtain, form an electronic database, a plurality of non-existent (NX) domain names comprising a top-level domain (TLD), a second-level domain (2LD), and a third-level domain (3LD);
  
  cluster, utilizing a name-based clustering module, a portion of the plurality of NX domain names based on at least one of n-gram features (NGF), entropy-based features (EBF), and structural-domain features (SDF);
  
  wherein the TLD, 2LD, and 3LD are all utilized by the name-based clustering module;
  
  cluster, utilizing a graph clustering module, another portion of the plurality of NX domain names based on groups of assets that queried the NX domain names;
  
  associate, utilizing a daily clustering correlation module, one or more NX domain from the name based clustering model with one or more NX domain names from the graph clustering model;
  
  responsive to the daily clustering, associate, utilizing a temporal clustering correlation module, one or more NX domain names from different clusters based on a rolling window of two consecutive epochs; and
  
  determine whether a DGA that generated the clustered NX domain names is unknown.
- View Dependent Claims (8, 9, 10, 11, 12, 16, 17, 18)
- - 8. The system of claim 7, wherein the processor is further configured to:
    - responsive to the determination that a DGA is unknown sending the unknown DGA to a DGA classification module.
  - 9. The system of claim 8, wherein the processor is further configured to:
    - model the DGA.
  - 10. The system of claim 9, wherein the processor is further configured to:
    - provide a report about the DGA.
  - 11. The system of claim 7, wherein the processor is further configured to:
    - monitor DNS traffic below a local recursive DNS server.
  - 12. The system of claim 8, wherein unknown DGA are used to train new DGA classifier modules.
  - 16. The system of claim 7, wherein the clustering is based on n-gram features, and wherein the n-gram features comprise:
    - measuring a frequency distribution of one or more n-grams across the TLD, 2LD, and 3LD of the portion of the plurality of NX domain names.
  - 17. The system of claim 7, wherein the clustering is based on entropy-based features, and wherein the entropy-based features comprise:
    - determining a level of randomness for the portion of the plurality of NX domain names based on computing an entropy of a character distribution for the 2LD and the 3LD.
  - 18. The system of claim 7, wherein the clustering is based on structural domain features, and wherein the structural domain features comprise:
    - determining an average, median, standard deviation, and variance for the portion of the plurality of NX domain names based on a length and number of domain levels for each NX domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Antonakakis, Manos, Perdisci, Roberto, Lee, Wenke, Vasiloglou, II, Nikolaos
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US13/749,205
Publication Number

US 20130191915A1
Time in Patent Office

1,881 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/14   for detecting or protecting...

Method and system for detecting DGA-based malware

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting DGA-based malware

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links