Detecting botnet domains

US 10,652,260 B1
Filed: 11/08/2017
Issued: 05/12/2020
Est. Priority Date: 11/08/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

monitoring network traffic associated with a plurality of clients in a network;

based on the monitoring, storing information related to a plurality of domains that are queried by the plurality of clients;

identifying one or more suspect clients of the plurality of clients in the network based on the stored information;

determining a subset of suspect domains of the plurality of domains based on the stored information related to the plurality of domains queried by the one or more suspect clients;

based on the monitoring and the storing, determining client activity information related to;

(i) a number of clients querying each domain of the subset of suspect domains, (ii) identities of the clients querying each domain of the subset of suspect domains, (iii) a number of total domains each of the clients queries over a defined time window, and (iv) for each domain of the subset of suspect domains, a proportion of the clients that query that domain over two consecutive time windows;

determining a polytope region for a first client of the one or more suspect clients based on the client activity information;

comparing each domain of the subset of suspect domains to the polytope region for the first client;

associating at least a first domain of the subset of suspect domains with a group of blocked domains if the first domain falls within the polytope region for the first client; and

blocking at least one of a query or an access attempt by one of the plurality of clients to the first domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus for detecting botnet domains is described. In one embodiment, the method includes monitoring network traffic associated with a plurality of clients in a network. Based on the monitoring, information related to a plurality of domains that are queried is stored. The method includes identifying one or more suspect clients in the network based on the stored information and determining a subset of suspect domains based on the stored information related to the domains queried by the suspect clients. The method can include determining client activity information and using the client activity information to determine a polytope region for a client. The method includes comparing each suspect domain to the polytope region and associating a domain with a group of blocked domains if the domain falls within the polytope region.

22 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- monitoring network traffic associated with a plurality of clients in a network;
  
  based on the monitoring, storing information related to a plurality of domains that are queried by the plurality of clients;
  
  identifying one or more suspect clients of the plurality of clients in the network based on the stored information;
  
  determining a subset of suspect domains of the plurality of domains based on the stored information related to the plurality of domains queried by the one or more suspect clients;
  
  based on the monitoring and the storing, determining client activity information related to;
  
  (i) a number of clients querying each domain of the subset of suspect domains, (ii) identities of the clients querying each domain of the subset of suspect domains, (iii) a number of total domains each of the clients queries over a defined time window, and (iv) for each domain of the subset of suspect domains, a proportion of the clients that query that domain over two consecutive time windows;
  
  determining a polytope region for a first client of the one or more suspect clients based on the client activity information;
  
  comparing each domain of the subset of suspect domains to the polytope region for the first client;
  
  associating at least a first domain of the subset of suspect domains with a group of blocked domains if the first domain falls within the polytope region for the first client; and
  
  blocking at least one of a query or an access attempt by one of the plurality of clients to the first domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the stored information related to the plurality of domains comprises domain name system (DNS) records.
  - 3. The method of claim 2, wherein the DNS records include at least a requestor client Internet Protocol (IP) address and a requested domain.
  - 4. The method of claim 1, wherein identifying the one or more suspect clients includes comparing a relationship between clients in the network with domains queried by clients over consecutive time windows.
  - 5. The method of claim 4, wherein comparing the relationship between clients with domains queried by those clients includes determining that a client is a suspect client when:
    - (i) the client has queried at least two similar domains of the plurality of domains as at least one other client, and (ii) the client has made a substantially similar number of queries to the plurality of domains over a defined time window as at least one other client.
  - 6. The method of claim 1, further comprising:
    - determining a polytope region for each client of the one or more suspect clients based on the client activity information;
      
      comparing each domain of the subset of suspect domains to the polytope region for each client of the one or more suspect clients; and
      
      wherein the associating includes associating a domain of the subset of suspect domains with the group of blocked domains if the domain falls within the polytope region of any of the one or more suspect clients.
  - 7. The method of claim 1, further comprising removing a domain of the subset of suspect domains from the subset of suspect domains if the domain falls outside of the polytope region for the first client.

8. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations comprising:
- monitoring network traffic associated with a plurality of clients in a network;
  
  based on the monitoring, storing information related to a plurality of domains that are queried by the plurality of clients;
  
  identifying one or more suspect clients of the plurality of clients in the network based on the stored information;
  
  determining a subset of suspect domains of the plurality of domains based on the stored information related to the plurality of domains queried by the one or more suspect clients;
  
  based on the monitoring and the storing, determining client activity information related to;
  
  (i) a number of clients querying each domain of the subset of suspect domains, (ii) identities of the clients querying each domain of the subset of suspect domains, (iii) a number of total domains each of the clients queries over a defined time window, and (iv) for each domain of the subset of suspect domains, a proportion of the clients that query that domain over two consecutive time windows;
  
  determining a polytope region for a first client of the one or more suspect clients based on the client activity information;
  
  comparing each domain of the subset of suspect domains to the polytope region for the first client;
  
  associating at least a first domain of the subset of suspect domains with a group of blocked domains if the first domain falls within the polytope region for the first client; and
  
  blocking at least one of a query or an access attempt by one of the plurality of clients to the first domain.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer readable storage media of claim 8, wherein the stored information related to the plurality of domains comprises domain name system (DNS) records.
  - 10. The non-transitory computer readable storage media of claim 9, wherein the DNS records include at least a requestor client Internet Protocol (IP) address and a requested domain.
  - 11. The non-transitory computer readable storage media of claim 8, wherein identifying the one or more suspect clients includes comparing a relationship between clients in the network with domains queried by clients over consecutive time windows.
  - 12. The non-transitory computer readable storage media of claim 11, wherein comparing the relationship between clients with domains queried by those clients includes determining that a client is a suspect client when:
    - (i) the client has queried at least two similar domains of the plurality of domains as at least one other client, and (ii) the client has made a substantially similar number of queries to the plurality of domains over a defined time window as at least one other client.
  - 13. The non-transitory computer readable storage media of claim 8, further comprising instructions that cause the processor to:
    - determine a polytope region for each client of the one or more suspect clients based on the client activity information;
      
      compare each domain of the subset of suspect domains to the polytope region for each client of the one or more suspect clients; and
      
      associate a domain of the subset of suspect domains with the group of blocked domains if the domain falls within the polytope region of any of the one or more suspect clients.
  - 14. The non-transitory computer readable storage media of claim 8, further comprising instructions for removing a domain of the subset of suspect domains from the subset of suspect domains if the domain falls outside of the polytope region for the first client.

15. An apparatus comprising:
- a communication interface configured to enable network communications; and
  
  a processor coupled with the communication interface, and configured to;
  
  monitor network traffic associated with a plurality of clients in a network;
  
  based on the monitoring, store information related to a plurality of domains that are queried by the plurality of clients;
  
  identify one or more suspect clients of the plurality of clients in the network based on the stored information;
  
  determine a subset of suspect domains of the plurality of domains based on the stored information related to the plurality of domains queried by the one or more suspect clients;
  
  based on the monitoring and the storing, determine client activity information related to;
  
  (i) a number of clients querying each domain of the subset of suspect domains, (ii) identities of the clients querying each domain of the subset of suspect domains, (iii) a number of total domains each of the clients queries over a defined time window, and (iv) for each domain of the subset of suspect domains, a proportion of the clients that query that domain over two consecutive time windows;
  
  determine a polytope region for a first client of the one or more suspect clients based on the client activity information;
  
  compare each domain of the subset of suspect domains to the polytope region for the first client;
  
  associate at least a first domain of the subset of suspect domains with a group of blocked domains if the first domain falls within the polytope region for the first client; and
  
  block at least one of a query or an access attempt by one of the plurality of clients to the first domain.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein identifying the one or more suspect clients includes comparing a relationship between clients in the network with domains queried by clients over consecutive time windows.
  - 17. The apparatus of claim 16, wherein comparing the relationship between clients with domains queried by those clients includes determining that a client is a suspect client when:
    - (i) the client has queried at least two similar domains of the plurality of domains as at least one other client, and (ii) the client has made a substantially similar number of queries to the plurality of domains over a defined time window as at least one other client.
  - 18. The apparatus of claim 15, wherein the processor is configured to:
    - determine a polytope region for each client of the one or more suspect clients based on the client activity information;
      
      compare each domain of the subset of suspect domains to the polytope region for each client of the one or more suspect clients; and
      
      associate a domain of the subset of suspect domains with the group of blocked domains if the domain falls within the polytope region of any of the one or more suspect clients.
  - 19. The apparatus of claim 15, wherein the plurality of clients and the apparatus are on the same network.
  - 20. The apparatus of claim 15, wherein the apparatus is located outside the network that includes the plurality of clients.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rodriguez, David, Scarfo, Andrea Michelle, Mahjoub, Dhia
Primary Examiner(s)
Parsons, Theodore C
Assistant Examiner(s)
Ho, Thomas

Application Number

US15/806,613
Time in Patent Office

916 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 43/062   related to network traffic

H04L 43/08   Monitoring or testing based...

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Detecting botnet domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting botnet domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links