Method and system for detecting and responding to attacking networks
First Claim
1. A method of detecting a collection of compromised networks and/or computers, comprising:
    performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises:
        performing processing associated with identifying a command and control (C&C) computer in a first network, comprising:
            performing processing associated with determining whether a computer has a suspicious DNS request rate, comprising:
                performing processing associated with calculating a canonical second-level domain (SLD) request rate for a given SLD, wherein the canonical SLD request rate is calculated as the total number of requests to third-level domains (3LDs) present in the given SLD plus any request to the given SLD, and performing processing associated with determining whether the canonical SLD request rate of the given SLD significantly deviates from the mean of canonical request rates of SLDs;
            when the DNS request rate is suspicious, performing processing associated with determining whether the DNS data has an exponential request rate, comprising:
                performing processing associated with sorting DNS request rates per epoch, and performing processing associated with determining whether there is exponential activity over a longer time epoch; and
            when the DNS data has an exponential request rate, performing processing associated with identifying the computer as the C&C computer; and
        performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;
    performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and
    performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
Abstract
A system and method for detecting a first network of compromised computers in a second network of computers, comprising: collecting Domain Name System (DNS) data for the second network; examining the collected data relative to DNS data from known compromised and/or uncompromised computers in the second network; and determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination.
Claims (48)
1. (Independent method claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20, 21, 22, 23, 24, 33, 34, 35, 36, 37, 38, 39, 47.
9. A system for detecting a collection of compromised networks and/or computers, comprising:
    a computer, adapted to receive Domain Name System (DNS) data from a DNS server utilizing a detection system in communication with a database, the detection system configured for:
        performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises:
            performing processing associated with identifying a command and control (C&C) computer in a first network, comprising:
                performing processing associated with determining whether a computer has a suspicious DNS request rate, comprising:
                    performing processing associated with calculating a canonical second-level domain (SLD) request rate for a given SLD, wherein the canonical SLD request rate is calculated as the total number of requests to third-level domains (3LDs) present in the given SLD plus any request to the given SLD, and performing processing associated with determining whether the canonical SLD request rate of the given SLD significantly deviates from the mean of canonical request rates of SLDs;
                when the DNS request rate is suspicious, performing processing associated with determining whether the DNS data has an exponential request rate, comprising:
                    performing processing associated with sorting DNS request rates per epoch, and performing processing associated with determining whether there is exponential activity over a longer time epoch; and
                when the DNS data has an exponential request rate, performing processing associated with identifying the computer as the C&C computer; and
            performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;
        performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and
        performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
    Dependent claims: 10, 11, 12, 13, 14, 15, 16, 25, 26, 27, 28, 29, 30, 31, 32, 40, 41, 42, 43, 44, 45, 46, 48.
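The two-stage test that claims 1 and 9 both recite is easier to follow in code: first collapse every query to its SLD so that 3LD lookups count toward it, flag SLDs whose canonical request rate is an outlier against the mean over all SLDs, and only then ask whether the flagged SLD's per-epoch rates grow exponentially over the longer window. The Python below is an added example written for this page; it is not code from the patent or its assignee. The 60-second epoch, the |z| >= 2 outlier rule, the 1.5x-per-epoch growth factor with an R-squared floor as the operational meaning of "exponential", the last-two-labels SLD extraction, and the query log itself are all assumptions or constructed data.

```python
"""Toy version of the DNS-rate C&C test in claims 1 and 9 (added example).

Input: constructed (unix_ts, client_ip, qname) tuples standing in for DNS server
query logs.  Thresholds below are assumptions, not values from the patent.
"""
from collections import Counter, defaultdict
from math import log
from statistics import mean, pstdev

EPOCH_SECONDS = 60   # short epoch for the per-epoch rates (assumed)
Z_THRESHOLD = 2.0    # "significantly deviates from the mean": |z| >= 2 (assumed)
MIN_GROWTH = 1.5     # minimum per-epoch growth factor to call it exponential (assumed)
MIN_R2 = 0.9         # minimum fit quality of the log-linear model (assumed)


def canonical_sld(qname):
    """Collapse a name to its SLD: 'h7.cnc.example' -> 'cnc.example'.
    Simplification: last two labels only; real data needs a public-suffix list
    so that e.g. 'foo.co.uk' is not collapsed to 'co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or "" in labels:
        return None
    return ".".join(labels[-2:])


def canonical_sld_rates(records, epoch_seconds=EPOCH_SECONDS):
    """{sld: [count in epoch 0, epoch 1, ...]} with epochs sorted and gaps
    filled with 0 (the claim's 'sorting DNS request rates per epoch').
    Requests to the SLD itself and to any 3LD under it both count."""
    per_sld = defaultdict(Counter)
    epochs = set()
    for ts, _client, qname in records:
        sld = canonical_sld(qname)
        if sld is None:
            continue
        epoch = ts // epoch_seconds
        epochs.add(epoch)
        per_sld[sld][epoch] += 1
    ordered = sorted(epochs)
    return {sld: [c.get(e, 0) for e in ordered] for sld, c in per_sld.items()}


def suspicious_slds(series, z_threshold=Z_THRESHOLD):
    """SLDs whose total canonical request rate lies at least z_threshold
    population standard deviations from the mean rate over all SLDs."""
    totals = {sld: sum(counts) for sld, counts in series.items()}
    if len(totals) < 2:
        return set()
    mu, sigma = mean(totals.values()), pstdev(totals.values())
    if sigma == 0:
        return set()
    return {sld for sld, t in totals.items() if abs(t - mu) / sigma >= z_threshold}


def has_exponential_growth(counts, min_growth=MIN_GROWTH, min_r2=MIN_R2):
    """Fit log(count + 1) against epoch index.  Exponential when the fitted
    per-epoch growth factor is >= min_growth and the fit is tight (R^2).
    The +1 keeps empty epochs finite; at least three epochs are required."""
    if len(counts) < 3:
        return False
    xs = list(range(len(counts)))
    ys = [log(c + 1) for c in counts]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if syy == 0:                     # flat series: no growth at all
        return False
    slope = sxy / sxx                # log of the per-epoch growth factor
    r2 = sxy * sxy / (sxx * syy)
    return slope >= log(min_growth) and r2 >= min_r2


def detect_candidate_cnc(records):
    """Two-stage test: rate outlier first, exponential growth second."""
    series = canonical_sld_rates(records)
    return sorted(s for s in suspicious_slds(series) if has_exponential_growth(series[s]))


def clients_contacting(records, sld):
    """Clients that queried the flagged SLD (the claim's 'recording an IP
    address ... from a compromised computer')."""
    return sorted({c for _ts, c, q in records if canonical_sld(q) == sld})


def build_sample_log():
    """Constructed log: eight steady SLDs and one whose lookups double each epoch.
    All names are under the reserved .example TLD; client IPs are made up."""
    per_epoch = {
        "news.example": [5, 5, 4, 6, 5], "mail.example": [4, 5, 5, 4, 5],
        "cdn.example": [6, 5, 6, 5, 6],  "shop.example": [3, 4, 3, 4, 3],
        "blog.example": [7, 6, 7, 6, 7], "docs.example": [5, 5, 5, 5, 5],
        "wiki.example": [4, 4, 5, 4, 4], "chat.example": [6, 6, 5, 6, 6],
        "cnc.example": [2, 4, 8, 16, 32],
    }
    records = []
    for k, (sld, counts) in enumerate(per_epoch.items()):
        for epoch, n in enumerate(counts):
            for i in range(n):
                qname = sld if i == 0 else f"h{i}.{sld}"   # mix of SLD and 3LD queries
                records.append((epoch * EPOCH_SECONDS + i, f"10.{k}.{epoch}.{i}", qname))
    return records


if __name__ == "__main__":
    log_records = build_sample_log()
    for sld in detect_candidate_cnc(log_records):
        print(sld, "queried by", len(clients_contacting(log_records, sld)), "clients")
```

On the constructed log only cnc.example survives both stages: its total of 62 queries sits about 2.6 standard deviations above the mean, and its per-epoch series 2, 4, 8, 16, 32 fits a growth factor near 2 almost perfectly, while the steady SLDs fail the slope test. The second stage is what keeps the first from flagging every popular or CDN-backed SLD that happens to dominate a resolver's query volume; in production the thresholds, epoch length and SLD extraction would all need tuning against the resolver's own baseline.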