Method and system for detecting and responding to attacking networks

  • US 8,566,928 B2
  • Filed: 10/03/2006
  • Issued: 10/22/2013
  • Est. Priority Date: 10/27/2005
  • Status: Active Grant
First Claim
1. A method of detecting a collection of compromised networks and/or computers, comprising:

  • performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises:
    • performing processing associated with identifying a command and control (C&C) computer in a first network, comprising:
      • performing processing associated with determining whether a computer has a suspicious DNS request rate, comprising: performing processing associated with calculating a canonical sub-level domain (SLD) request rate for a given SLD, wherein the canonical SLD request rate is calculated as the total number of requests to third level domains (3LDs) present in the given SLD plus any request to the given SLD, and performing processing associated with determining whether the canonical SLD request rate of the given SLD significantly deviates from the mean of canonical request rates of SLDs;
      • when the DNS request rate is suspicious, performing processing associated with determining whether the DNS data has an exponential request rate, comprising: performing processing associated with sorting DNS request rates per epoch, and performing processing associated with determining whether there is exponential activity over a longer time epoch; and
      • when the DNS data has an exponential request rate, performing processing associated with identifying the computer as the C&C computer; and
    • performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer;
  • performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and
  • performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.

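The two-stage C&C test in the claim (canonical SLD request rate compared with the cross-SLD mean, then a check for exponential growth across sorted epochs) as an added example; this is illustrative code written here, not the patent's or any assignee's implementation. It assumes the SLD is the last two labels of a query name (no public-suffix handling), that "significantly deviates" means a z-score above Z_THRESHOLD, and that "exponential activity" means each epoch's count is at least GROWTH_FACTOR times the previous one; all sample queries are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 2.0     # assumed: std devs above the cross-SLD mean that count as "significant"
GROWTH_FACTOR = 2.0   # assumed: per-epoch multiplier that counts as "exponential activity"


def sld_of(qname: str) -> str:
    """Last two labels of a query name; 'c2.x.example.com' -> 'example.com' (no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def canonical_sld_rates(queries):
    """Per SLD and epoch, count requests to the SLD itself plus any 3LD (or deeper) under it.
    queries: iterable of (epoch, qname). Returns {sld: Counter({epoch: count})}."""
    rates = defaultdict(Counter)
    for epoch, qname in queries:
        rates[sld_of(qname)][epoch] += 1
    return rates


def suspicious_slds(rates):
    """SLDs whose total canonical request rate sits Z_THRESHOLD std devs above the mean of all SLDs."""
    totals = {sld: sum(c.values()) for sld, c in rates.items()}
    mu, sigma = mean(totals.values()), pstdev(totals.values())
    if sigma == 0:
        return []
    return sorted(sld for sld, t in totals.items() if (t - mu) / sigma > Z_THRESHOLD)


def has_exponential_rate(per_epoch):
    """Sort counts by epoch; True if every epoch grows by >= GROWTH_FACTOR over the previous one."""
    counts = [per_epoch[e] for e in sorted(per_epoch)]
    if len(counts) < 3:
        return False
    return all(a > 0 and b >= GROWTH_FACTOR * a for a, b in zip(counts, counts[1:]))


def identify_cnc(queries):
    """The claim's two-stage test: suspicious rate first, then exponential growth on the survivors."""
    rates = canonical_sld_rates(queries)
    return [sld for sld in suspicious_slds(rates) if has_exponential_rate(rates[sld])]


# Constructed sample: five SLDs with flat traffic and one whose lookups double every epoch.
SAMPLE_QUERIES = []
for epoch in range(6):
    for sld in ("example.org", "example.net", "example.com", "example.edu", "example.info"):
        SAMPLE_QUERIES += [(epoch, f"www.{sld}"), (epoch, sld)]
    SAMPLE_QUERIES += [(epoch, f"b{i}.cc-example.test") for i in range(2 ** epoch)]
```

Running identify_cnc(SAMPLE_QUERIES) flags only cc-example.test: its 63 lookups are about 2.2 standard deviations above the mean of the six SLDs, and its per-epoch counts 1, 2, 4, 8, 16, 32 satisfy the growth test, while the flat benign SLDs fail both stages.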