Methods and systems for detecting compromised computers
First Claim
1. A method of detecting and remediating a network of compromised computers, comprising:
- collecting, using a hardware processor, Domain Name System (DNS) data for a domain;
examining, using the hardware processor, the collected data to determine whether third level domain requests exceed second level domain requests for the domain; and
responsive to determining that the third level domain requests exceed the second level domain requests for the domain, determining that the domain is associated with a command and control computer for a botnet.
Abstract
A system and method for detecting a first network of compromised computers in a second network of computers, comprising: collecting Domain Name System (DNS) data for the second network; examining the collected data relative to DNS data from known compromised and/or uncompromised computers in the second network; and determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination.
19 Claims
1. (Independent claim, set out in full under First Claim above.) Claims 2 through 17 depend from claim 1.
18. An information handling device for detecting and remediating a network of compromised computers, comprising:
at least one hardware processor; and
a computer readable storage device having computer readable program code embodied therewith and executable by the at least one hardware processor, the computer readable program code comprising:
computer readable program code that collects Domain Name System (DNS) data for a domain;
computer readable program code that examines the collected data to determine whether third level domain requests exceed second level domain requests for the domain; and
responsive to determining that the third level domain requests exceed the second level domain requests for the domain, computer readable program code that determines that the domain is associated with a command and control computer for a botnet.
19. A method of detecting and remediating a network of compromised computers, comprising:
collecting, using a hardware processor, Domain Name System (DNS) data for a domain;
examining, using the hardware processor, the collected data to determine whether third level domain requests exceed second level domain requests for the domain; and
determining, based on the examining, that the domain is associated with a command and control computer for a botnet, wherein determining that the domain is associated with a command and control computer comprises determining a canonical SLD request rate.
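The heuristic in claims 1, 18 and 19 is simple to state: group DNS queries by their second-level domain (SLD), count queries for the bare SLD separately from queries for any name below it (third-level or deeper), and flag the SLD when the deeper-level count exceeds the bare-SLD count. The following Python is an added illustration of that check run over a constructed resolver query log; it is not the patent's own implementation. The log layout (timestamp, client, qname, qtype), the small multi-label suffix table, and the definition of "canonical SLD request rate" as the bare-SLD share of all queries for that SLD are assumptions made for the example, since the claims do not fix any of them.

```python
"""Third-level vs second-level DNS request heuristic (added illustration).

Not the patent's implementation. The query-log field layout, the suffix
table and the rate definition below are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample resolver log: "<epoch> <client> <qname> <qtype>".
# Domain names are placeholders, not real indicators.
SAMPLE_LOG = """\
1700000000 10.0.0.5 example.com. A
1700000001 10.0.0.5 www.example.com. A
1700000002 10.0.0.7 example.com. A
1700000003 10.0.0.7 example.com. AAAA
1700000010 10.0.0.5 a1f9.cc-host.test. A
1700000011 10.0.0.6 7c02.cc-host.test. A
1700000012 10.0.0.8 b3e4.cc-host.test. A
1700000013 10.0.0.9 cc-host.test. A
1700000014 10.0.0.9 9d1e.cc-host.test. TXT
"""

# Assumption: a tiny stand-in for the Public Suffix List so that
# "host.co.uk" is treated as an SLD rather than a third-level name.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


@dataclass
class DomainStats:
    sld_requests: int = 0            # queries for the bare SLD itself
    third_level_requests: int = 0    # queries for any name below the SLD
    subdomains: set = field(default_factory=set)

    @property
    def total(self) -> int:
        return self.sld_requests + self.third_level_requests

    @property
    def canonical_sld_rate(self) -> float:
        """Assumed definition: share of queries that hit the bare SLD."""
        return self.sld_requests / self.total if self.total else 0.0


def registrable_domain(qname: str):
    """Return the SLD for a query name, or None if there is none."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None                      # bare label such as "localhost"
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Aggregate bare-SLD and deeper-level query counts per SLD."""
    stats = defaultdict(DomainStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                     # skip malformed lines
        _ts, _client, qname, _qtype = parts
        sld = registrable_domain(qname)
        if sld is None:
            continue
        name = qname.rstrip(".").lower()
        if name == sld:
            stats[sld].sld_requests += 1
        else:
            stats[sld].third_level_requests += 1
            stats[sld].subdomains.add(name)
    return stats


def suspected_c2_domains(stats, allowlist=()):
    """Claim 1 test: flag SLDs whose deeper-level queries outnumber bare-SLD queries."""
    return sorted(
        sld for sld, s in stats.items()
        if sld not in allowlist and s.third_level_requests > s.sld_requests
    )


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for sld, s in sorted(stats.items()):
        print(f"{sld}: sld={s.sld_requests} deeper={s.third_level_requests} "
              f"canonical_sld_rate={s.canonical_sld_rate:.2f}")
    print("suspected C2 domains:", suspected_c2_domains(stats))
```

On the constructed log, example.com is queried three times as the bare name and once as www.example.com, so it passes; cc-host.test is queried once as the bare name and four times under apparently random third-level labels, so it is flagged with a canonical SLD request rate of 0.20. The allowlist parameter matters in practice: content delivery networks, cloud hosting and any organisation that spreads services across many hostnames will also show more third-level than second-level queries, so the raw comparison is a candidate generator, and the abstract's comparison against DNS data from known compromised and uncompromised hosts is what turns candidates into a verdict.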
Specification