Detecting DGA-Based Malicious Software Using Network Flow Information

US 20160036836A1
Filed: 07/31/2014
Published: 02/04/2016
Est. Priority Date: 07/31/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

using a computing device, in a communications network that comprises at least a plurality of hosts, receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;

using the computing device, determining a number of internet protocol addresses contacted by the particular host;

using the computing device, determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting DGA-based malware is disclosed. In an embodiment, a number of domain name server requests originating from a particular host among a plurality of hosts is determined. The number of domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses contacted by the particular host is determined. Based on the number of domain name server requests and the number of internet protocol addresses contacted existence of malware on the particular host is determined.

36 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- using a computing device, in a communications network that comprises at least a plurality of hosts, receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;
  
  using the computing device, determining a number of internet protocol addresses contacted by the particular host;
  
  using the computing device, determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 16, 17, 18, 19, 20)
- - 2. The computer-implemented method of claim 1, further comprising:
    - for the particular host, determining a ratio of the number of domain name server requests to the number of internet protocol addresses contacted;
      
      determining that a value based on the ratio is higher than a particular threshold value;
      
      determining that malware exists on the particular host based on the determination that the value is higher than the particular threshold value.
  - 3. The computer-implemented method of claim 2, further comprising determining the particular threshold value based on a previous threshold value and a plurality of ratios, wherein each ratio of the plurality of ratios is associated with a different corresponding host of the plurality of hosts and is a ratio of domain name server requests originating from the corresponding host to internet protocol addresses contacted by the corresponding host.
  - 4. The computer-implemented method of claim 1, further comprising determining the number of internet protocol addresses contacted by the particular host based only upon the network flow information associated with the particular host.
  - 5. The computer-implemented method of claim 1, wherein the network flow information is from any of a NetFlow protocol or an Internet Protocol Flow Information Export (IPFIX) protocol.
  - 6. The computer-implemented method of claim 1, further comprising:
    - determining, based on the network flow information, a number of requests originating from an endpoint of the particular host, wherein the endpoint is a unique combination of an internet protocol address of the particular host, a port number associated with a port on the particular host and a communication protocol used in transmitting a particular packet that originated from the particular host;
      
      determining the number of internet protocol addresses contacted by the particular host, based, at least in part, on the number of requests originating from the endpoint of the particular host.
  - 7. The computer-implemented method of claim 6, further comprising:
    - determining whether a certain endpoint of a certain network node is a service;
      
      identifying, from the network flow information, one or more packets directed to the certain endpoint from the endpoint of the particular host as request packets;
      
      determining, based on the identified request packets, the number of requests originating from the endpoint of the particular host;
      
      determining, based, at least in part, on the number of requests originating from the endpoint of the particular host, the number of internet protocol addresses contacted by the particular host.
  - 8. The computer-implemented method of claim 7, further comprising:
    - determining a number of peers of the certain endpoint of the certain network node;
      
      determining, based on the number of peers of the certain endpoint, a median of the number of peers difference for the certain endpoint;
      
      determining the median of the number of peers difference for the certain endpoint is greater than zero;
      
      determining, based, at least in part on that the median of the number of peers difference for the certain endpoint is greater than zero, the certain endpoint of the certain network node is a service.
  - 9. The computer-implemented method of claim 8, further comprising:
    - determining a number of unsuccessful connections originating from the certain endpoint;
      
      determining the number of unsuccessful connections originating from the certain endpoint is not greater than a threshold number of unsuccessful connections that are acceptable for a service;
      
      determining, based, at least in part on that the median of the number of peers difference for the certain endpoint is greater than zero and that the number of unsuccessful connections originating from the certain endpoint is not greater than the threshold number of unsuccessful connections that are acceptable for a service, the certain endpoint of the certain network node is a service.
  - 10. The computer-implemented method of claim 8, further comprising:
    - determining the certain endpoint does not communicate on ports with a port number greater than 1023;
      
      determining, based, at least in part on that the median of the number of peers difference for the certain endpoint is greater than zero and that the certain endpoint does not communicate on ports with a port number greater than 1023, the certain endpoint of the certain network node is a service.
  - 16. The apparatus of claim 1, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining, based on the network flow information, a number of requests originating from an endpoint of the particular host, wherein the endpoint is a unique combination of an internet protocol address of the particular host, a port number associated with a port on the particular host and a communication protocol used in transmitting a particular packet that originated from the particular host;
      
      determining the number of internet protocol addresses contacted by the particular host, based, at least in part, on the number of requests originating from the endpoint of the particular host.
  - 17. The apparatus of claim 16, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining a certain endpoint of a certain network node is a service;
      
      identifying, from the network flow information, one or more packets directed to the certain endpoint from the endpoint of the particular host as request packets;
      
      determining, based on the identified request packets, the number of requests originating from the endpoint of the particular host;
      
      determining, based, at least in part, on the number of requests originating from the endpoint of the particular host, the number of internet protocol addresses contacted by the particular host.
  - 18. The apparatus of claim 17, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining a number of peers of the certain endpoint of the certain network node;
      
      determining, based on the number of peers of the certain endpoint, a median of the number of peers difference for the certain endpoint;
      
      determining the median of the number of peers difference for the certain endpoint is greater than zero;
      
      determining, based, at least in part on that the median of the number of peers difference for the certain endpoint is greater than zero, the certain endpoint of the certain network node is a service.
  - 19. The apparatus of claim 18, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining a number of unsuccessful connections originating from the certain endpoint;
      
      determining the number of unsuccessful connections originating from the certain endpoint is not greater than a threshold number of unsuccessful connections that are acceptable for a service;
      
      determining, based, at least in part on that the median of the number of peers difference for the certain endpoint is greater than zero and that the number of unsuccessful connections originating from the certain endpoint is not greater than the threshold number of unsuccessful connections that are acceptable for a service, the certain endpoint of the certain network node is a service.
  - 20. The apparatus of claim 18, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - determining the certain endpoint does not communicate on ports with a port number greater than 1023;
      
      determining, based, at least in part on that the median of the number of peers difference for the certain endpoint is greater than zero and that the certain endpoint does not communicate on ports with a port number greater than 1023, the certain endpoint of the certain network node is a service.

11. A data processing apparatus configured with improved detection of DGA-based malware based upon network flow information, comprising:
- one or more processors;
  
  one or more interfaces that are configured to couple to a communications network that comprises at least a plurality of hosts;
  
  one or more non-transitory computer-readable storage media storing one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  receiving network flow information from one or more other computing devices that are configured as observation points, and based upon the network flow information, determining a number of domain name server requests originating from a particular host among the plurality of hosts, wherein the domain name server requests are directed to one or more domain name servers;
  
  determining a number of internet protocol addresses contacted by the particular host;
  
  determining that malware exists on the particular host based on the number of domain name server requests and the number of internet protocol addresses contacted.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, the storage media further comprising instructions which when executed cause the one or more processors to perform:
    - for the particular host, determining a ratio of the number of domain name server requests to the number of internet protocol addresses contacted;
      
      determining that a value based on the ratio is higher than a particular threshold value;
      
      determining that malware exists on the particular host based on the determination that the value is higher than the particular threshold value.
  - 13. The apparatus of claim 12, the storage media further comprising instructions which when executed cause the one or more processors to perform determining the particular threshold value based on a previous threshold value and a plurality of ratios, wherein each ratio of the plurality of ratios is associated with a different corresponding host of the plurality of hosts and is a ratio of domain name server requests originating from the corresponding host to internet protocol addresses contacted by the corresponding host.
  - 14. The apparatus of claim 11, the storage media further comprising instructions which when executed cause the one or more processors to perform determining the number of internet protocol addresses contacted by the particular host based only upon the network flow information associated with the particular host.
  - 15. The apparatus of claim 14, wherein the network flow information is from any of a NetFlow protocol or an Internet Protocol Flow Information Export (IPFIX) protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
GRILL, MARTIN, NIKOLAEV, IVAN

Granted Patent

US 9,654,484 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 67/104   Peer-to-peer [P2P] networks

Detecting DGA-Based Malicious Software Using Network Flow Information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting DGA-Based Malicious Software Using Network Flow Information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links