METHOD AND SYSTEM FOR DETECTING AND RESPONDING TO ATTACKING NETWORKS

US 20080028463A1
Filed: 10/03/2006
Published: 01/31/2008
Est. Priority Date: 10/27/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a first network of compromised computers in a second network of computers, comprising:

collecting Domain Name System (DNS) data for the second network;

examining the collected data relative to DNS data from known comprised and/or uncompromised computers in the second network; and

determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting a first network of compromised computers in a second network of computers, comprising: collecting Domain Name System (DNS) data for the second network; examining the collected data relative to DNS data from known comprised and/or uncompromised computers in the second network; and determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination.

571 Citations

56 Claims

1. A method of detecting a first network of compromised computers in a second network of computers, comprising:
- collecting Domain Name System (DNS) data for the second network;
  
  examining the collected data relative to DNS data from known comprised and/or uncompromised computers in the second network; and
  
  determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 27, 28, 29, 30, 31, 32, 33, 34, 43, 44, 45, 46, 47, 48, 49)
- - 2. The method of claim 1, wherein the DNS data comprises DNS queries.
  - 3. The method of claim 1, wherein the collected data compromises DNS query rate information.
  - 4. The method of claim 1, wherein collecting DNS data comprises:
    - identifying a command and control (C&
      
      C) computer in the first network;
      
      replacing an IP address of the C&
      
      C computer with an IP address of another computer, causing a compromised computer seeking to contact the C&
      
      C computer to be redirected to the other computer; and
      
      recording the IP address and/or traffic information from the compromised computer when the compromised computer contacts the other computer.
  - 5. The method of claim 4, wherein the other computer is a sinkhole computer.
  - 6. The method of claim 1, further comprising:
    - observing time zone and time of release information for the collected data.
  - 7. The method of claim 4, wherein identifying the C&
    - C computer comprises;
      
      determining if a computer in the first network has a suspicious DNS request rate;
      
      if the DNS request rate is suspicious, determining if the DNS data has an exponential request rate; and
      
      if the DNS data has an exponential request rate, identifying the computer as the C&
      
      C computer.
  - 8. The method of claim 7, wherein determining if the computer in the first network has a suspicious DNS request rate comprises:
    - calculating a canonical sub-level domain (SLD) request rate for a given SLD; and
      
      determining if the canonical SLD request rate significantly deviates from the mean SLD request rate.
  - 9. The method of claim 7, wherein determining if the DNS data has an exponential request rate comprises:
    - sorting DNS request rates per hour; and
      
      determining if there is exponential activity over a 24 hour period.
  - 10. The method of claim 1, wherein determining the existence of the first network is accomplished without contacting any computers in the first network.
  - 11. The method of claim 4, further comprising:
    - isolating the first network from its C&
      
      C computer, causing the first network to lose its ability to act as a coordinated group.
  - 12. The method of claim 4, further comprising:
    - analyzing traffic from the compromised computer to the sinkhole computer to obtain information about a malware author.
  - 13. The method of claim 6, further comprising:
    - utilizing time zone and time of release information to predict optimal release time information for an attack.
  - 27. The method of claim 1, wherein collecting DNS data comprises:
    - determining if a source Internet Protocol (IP) address performing reconnaissance belongs to a compromised computer, the source IP address looking up at least one subject IP addresses; and
      
      if the source IP is known to belong to a compromised computer, designating the at least one subject IP addresses as a compromised computer.
  - 28. The method of claim 27, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining if the source IP address is a known compromised computer utilizing DNSBL and/or another list of compromised computers.
  - 29. The method of claim 28, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining whether the source IP address is also the subject IP address.
  - 30. The method of claim 28, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP address queries divided by the number of IP addresses that issue a look-up for the source IP address; and
      
      if the look-up ratio for the source IP address is high, designating the source IP address as a compromised computer.
  - 31. The method of claim 28, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP queries divided by the number of IP addresses that issue a look-up for the source IP address;
      
      if the look-up ratio for the source IP address is low, determining whether the look-up arrival rate mirrors the email arrival rate; and
      
      if the look-up arrival rate does not mirror the email arrival rate, designating the source IP address as a compromised computer.
  - 32. The method of claim 31, wherein determining whether the look-up arrival rate mirrors the email arrival rate further comprises:
    - identifying a list of known and/or probably legitimate IP addresses using a DNSBL service;
      
      for each of the known and/or probably legitimate IP addresses, determining its average look-up arrival rate;
      
      determining an average look-up arrival rate from the source IP address;
      
      comparing the average look-up rates of the known and/or probably legitimate IP addresses to the arrival rate from the source IP address; and
      
      if the average look-up rates of the known and/or probably legitimate IP addresses differ significantly from the arrival rate from the source IP address, designating the source IP address as a compromised computer.
  - 33. The method of claim 32, wherein identifying a list of known IPs comprises:
    - if the DNSBL service has controlled access, recording IP addresses of approved users.
  - 34. The method of claim 32, wherein identifying a list of probably legitimate IPs comprises:
    - if the DNSBL service allows anonymous access, monitoring the source IP addresses of incoming look-up requests, and recording these source IP addresses;
      
      connecting to the IP address to determine if the IP address is running on a known server; and
      
      if the IP address is running on a known server, designating the IP address as probably legitimate.
  - 43. The method of claim 1, wherein collecting DNS data comprises:
    - identifying open recursive DNS servers in the second network; and
      
      priority ranking domain names in the second network.
  - 44. The method of claim 43, wherein the determining comprises:
    - utilizing the open recursive DNS servers and the priority-ranked domain names to determine if the open recursive DNS servers are compromised computers.
  - 45. The method of claim 44, further comprising:
    - ranking sizes of networks of compromised computers;
      
      estimating a number of compromised computers in a network;
      
      assessing to what extent a given network has compromised computers;
      
      determining a lower bound calculation of a compromised computer population;
      
      ordetermining an upper bound calculation of a compromised computer population;
      
      orany combination thereof.
  - 46. The method of claim 43, wherein identifying open recursive DNS servers comprises:
    - organizing IPv4 routable addresses into units;
      
      determining a CPRS value for each unit utilizing DNS server information;
      
      sorting the units a list in descending order utilizing the CPRS value; and
      
      determining if a DNS server is an open recursive DNS server for DNS servers in the top of the list.
  - 47. The method of claim 46, wherein determining the CPRS value comprises:
    - giving a value of 1.0 for each DNS server known to exist in the unit;
      
      giving a value of 0.01 for each IP address known to run on a DNS server; and
      
      giving a value of 0.1 for each IP address with no DNS server information.
  - 48. The method of claim 44, wherein utilizing the open recursive DNS servers and the priority-ranked domains in a recursive query comprises:
    - sending at least one non-recursive query to the DNS server for a newly registered domain until the DNS server returns an NXDOMAIN answer;
      
      immediately sending a recursive query to the DNS server for the newly registered domain; and
      
      if the answer returned by the DNS server is not NXDOMAIN, designating the DNS server as open recursive.
  - 49. The method of claim 46, further comprising determining the number of DNS servers behind a load balancing server.

14. A system for detecting a first network of compromised computers in a second network of computers, comprising:
- a computer, adapted to be connected to the second network and receive Domain Name System (DNS) data for the second network, the computer capable of;
  
  collecting DNS data for the second network;
  
  examining the collected data relative to DNS data from known comprised and/or uncompromised computers in the second network; and
  
  determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 35, 36, 37, 38, 39, 40, 41, 42, 50, 51, 52, 53, 54, 55, 56)
- - 15. The system of claim 14, wherein the DNS data comprises DNS queries.
  - 16. The system of claim 14, wherein the collected data compromises DNS query rate information.
  - 17. The system of claim 14, wherein collecting DNS data comprises:
    - identifying a command and control (C&
      
      C) computer in the first network;
      
      replacing an IP address of the C&
      
      C computer with an IP address of another computer, causing a compromised computer seeking to contact the C&
      
      C computer to be redirected to the other computer; and
      
      recording the IP address and/or traffic information from the compromised computer when the compromised computer contacts the other computer.
  - 18. The system of claim 17, wherein the other computer is a sinkhole computer.
  - 19. The system of claim 17, wherein the computer is further capable of:
    - observing time zone and time of release information for the collected data.
  - 20. The system of claim 17, wherein identifying the C&
    - C computer comprises;
      
      determining if a computer in the first network has a suspicious DNS request rate;
      
      if the DNS request rate is suspicious, determining if the DNS data has an exponential request rate; and
      
      if the DNS data has an exponential request rate, identifying the computer as the C&
      
      C computer.
  - 21. The system of claim 20, wherein determining if the computer in the first network has a suspicious DNS request rate comprises:
    - calculating a canonical sub-level domain (SLD) request rate for a given SLD; and
      
      determining if the canonical SLD request rate significantly deviates from the mean SLD request rate.
  - 22. The system of claim 20, wherein determining if the DNS data has an exponential request rate comprises:
    - sorting DNS request rates per hour; and
      
      determining if there is exponential activity over a 24 hour period.
  - 23. The system of claim 14, wherein determining the existence of the first network is accomplished without contacting any computers in the first network.
  - 24. The system of claim 17, wherein the computer is further capable of:
    - isolating the first network from its C&
      
      C computer, causing the first network to lose its ability to act as a coordinated group.
  - 25. The system of claim 17, wherein the computer is further capable of:
    - analyzing traffic from the compromised computer to the sinkhole computer to obtain information about a malware author.
  - 26. The system of claim 19, wherein the computer is further capable of:
    - utilizing time zone and time of release information to predict optimal release time information for an attack.
  - 35. The system of claim 14, wherein collecting DNS data comprises:
    - determining if a source Internet Protocol (IP) address performing reconnaissance belongs to a compromised computer, the source IP address looking up at least one subject IP addresses; and
      
      if the source IP is known to belong to a compromised computer, designating the at least one subject IP addresses as a compromised computer.
  - 36. The system of claim 35, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining if the source IP address is a known compromised computer utilizing DNSBL and/or another list of compromised computers.
  - 37. The system of claim 35, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining whether the source IP address is also the subject IP address.
  - 38. The system of claim 35, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP address queries divided by the number of IP addresses that issue a look-up for the source IP address; and
      
      if the look-up ratio for the source IP address is high, designating the source IP address as a compromised computer.
  - 39. The system of claim 35, wherein determining if the source IP address belongs to a compromised computer comprises:
    - determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP queries divided by the number of IP addresses that issue a look-up for the source IP address;
      
      if the look-up ratio for the source IP address is low, determining whether the look-up arrival rate mirrors the email arrival rate; and
      
      if the look-up arrival rate does not mirror the email arrival rate, designating the source IP address as a compromised computer.
  - 40. The system of claim 39, wherein determining whether the look-up arrival rate mirrors the email arrival rate further comprises:
    - identifying a list of known and/or probably legitimate IP addresses using a DNSBL service;
      
      for each of the known and/or probably legitimate IP addresses, determining its average look-up arrival rate;
      
      determining an average look-up arrival rate from the source IP address;
      
      comparing the average look-up rates of the known and/or probably legitimate IP addresses to the arrival rate from the source IP address; and
      
      if the average look-up rates of the known and/or probably legitimate IP addresses differ significantly from the arrival rate from the source IP address, designating the source IP address as a compromised computer.
  - 41. The system of claim 40, wherein identifying a list of known IPs comprises:
    - if the DNSBL service has controlled access, recording IP addresses of approved users.
  - 42. The system of claim 40, wherein identifying a list of probably legitimate IPs comprises:
    - if the DNSBL service allows anonymous access, monitoring the source IP addresses of incoming look-up requests, and recording these source IP addresses;
      
      connecting to the IP address to determine if the IP address is running on a known server; and
      
      if the IP address is running on a known server, designating the IP address as probably legitimate.
  - 50. The system of claim 14, wherein collecting DNS data comprises:
    - identifying open recursive DNS servers in the second network; and
      
      priority ranking domain names in the second network.
  - 51. The system of claim 50, wherein the determining comprises:
    - utilizing the open recursive DNS servers and the priority-ranked domain names to determine if the open recursive DNS servers are compromised computers.
  - 52. The system of claim 51, further comprising:
    - ranking sizes of networks of compromised computers;
      
      estimating a number of compromised computers in a network;
      
      assessing to what extent a given network has compromised computers;
      
      determining a lower bound calculation of a compromised computer population;
      
      ordetermining an upper bound calculation of a compromised computer population;
      
      orany combination thereof.
  - 53. The system of claim 50, wherein identifying open recursive DNS servers comprises:
    - organizing IPv4 routable addresses into units;
      
      determining a CPRS value for each unit utilizing DNS server information;
      
      sorting the units a list in descending order utilizing the CPRS value; and
      
      determining if a DNS server is an open recursive DNS server for DNS servers in the top of the list.
  - 54. The system of claim 53, wherein determining the CPRS value comprises:
    - giving a value of 1.0 for each DNS server known to exist in the unit;
      
      giving a value of 0.01 for each IP address known to run on a DNS server; and
      
      giving a value of 0.1 for each IP address with no DNS server information.
  - 55. The system of claim 51, wherein utilizing the open recursive DNS servers and the priority-ranked domains in a recursive query comprises:
    - sending at least one non-recursive query to the DNS server for a newly registered domain until the DNS server returns an NXDOMAIN answer;
      
      immediately sending a recursive query to the DNS server for the newly registered domain; and
      
      if the answer returned by the DNS server is not NXDOMAIN, designating the DNS server as open recursive.
  - 56. The system of claim 55, further comprising determining the number of DNS servers behind a load balancing server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ecrime Management Strategies, Inc.
Original Assignee
Damballa Incorporated
Inventors
Dagon, David, Feamster, Nick, Edmonds, Robert, Lee, Weake, Lipton, Richard, Ramachandran, Anirudh

Granted Patent

US 8,566,928 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 61/5076   Update or notification mech...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

METHOD AND SYSTEM FOR DETECTING AND RESPONDING TO ATTACKING NETWORKS

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

571 Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DETECTING AND RESPONDING TO ATTACKING NETWORKS

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

571 Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links