Detecting botnets
First Claim
1. A method comprising:
- receiving, at a first sensor, first domain name system (DNS) information including one or more first internet protocol (IP) addresses corresponding to a first domain name;
- determining a first number of unique subnets which are based on the one or more first IP addresses and which are unique in all subnet classes;
- sending, to one or more other sensors, a first alert that includes the first DNS information when the first number of unique subnets exceeds a first threshold;
- wherein the method is performed by one or more processors.
1 Assignment
0 Petitions
Abstract
A method is disclosed for distributed detection of botnets via a plurality of sensors on a network. According to embodiments, DNS information, including domain names and addresses, is received at a sensor, the number of unique subnets corresponding to a domain name is determined and an alert is sent to other sensors when the number of unique subnets exceeds a first threshold. Other embodiments are also disclosed.
145 Citations
24 Claims
1. A method comprising:
- receiving, at a first sensor, first domain name system (DNS) information including one or more first internet protocol (IP) addresses corresponding to a first domain name;
- determining a first number of unique subnets which are based on the one or more first IP addresses and which are unique in all subnet classes;
- sending, to one or more other sensors, a first alert that includes the first DNS information when the first number of unique subnets exceeds a first threshold;
- wherein the method is performed by one or more processors.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A non-transitory computer-readable medium storing one or more sequences of instructions that, when executed by one or more processors, causes the processors to perform:
- receiving, at a first sensor, first domain name system (DNS) information including one or more first internet protocol (IP) addresses corresponding to a first domain name;
- determining a first number of unique subnets which are based on the one or more first IP addresses and which are unique in all subnet classes;
- sending, to one or more other sensors, a first alert that includes the first DNS information when the first number of unique subnets exceeds a first threshold.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18

19. An apparatus comprising:
- one or more processors;
- an information acquisition module configured to receive, at a first sensor, first domain name system (DNS) information including one or more first internet protocol (IP) addresses corresponding to a first domain name;
- a subnet analyzer module configured to determine a first number of unique subnets which are based on the one or more first IP addresses and which are unique in all subnet classes;
- an address distribution module configured to send, to one or more other sensors, a first alert that includes the first DNS information when the first number of unique subnets exceeds a first threshold.
Dependent claims: 20, 21, 22, 23, 24
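The independent claims above describe the same three steps from three angles: collect the IP addresses a DNS answer gives for a domain, count how many subnets those addresses occupy, and forward an alert to the other sensors once the count passes a threshold. The following is an added example, not code from the patent or its assignee, that implements those steps as a small in-memory simulation. Everything beyond the claim wording is an assumption: the "subnet classes" are taken to be the classful A/B/C prefix lengths, "unique in all subnet classes" is read as counting a subnet only when no other address for the same domain shares its class A, B or C network, and the `Sensor` class, the peer list and the sample DNS answers are constructed for the demonstration.

```python
# Added example (not the patent's own code): a toy version of the distributed
# DNS-based detection the abstract and claims describe. The classful prefix
# lengths, the reading of "unique in all subnet classes", the Sensor class and
# the sample DNS answers below are all assumptions.
import ipaddress
from dataclasses import dataclass, field

# Assumption: the "subnet classes" are the classful A/B/C prefix lengths.
SUBNET_CLASS_PREFIXES = {"A": 8, "B": 16, "C": 24}


def network_of(ip, prefix_len):
    """Return the /prefix_len network that contains the IPv4 address."""
    return ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)


def subnet_counts(ips):
    """Number of distinct networks the addresses fall into, per subnet class."""
    uniq = set(ips)
    return {cls: len({network_of(ip, plen) for ip in uniq})
            for cls, plen in SUBNET_CLASS_PREFIXES.items()}


def count_unique_subnets(ips):
    """Count subnets that are unique in *all* subnet classes.

    Assumed reading of the claim: an address's subnet counts only if no other
    address for the same domain shares its class A, class B or class C
    network. Two addresses in the same /8 therefore cancel each other out,
    while addresses scattered across unrelated /8s each count once.
    """
    uniq = sorted(set(ips))
    nets = {cls: [network_of(ip, plen) for ip in uniq]
            for cls, plen in SUBNET_CLASS_PREFIXES.items()}
    count = 0
    for i in range(len(uniq)):
        if all(nets[cls].count(nets[cls][i]) == 1 for cls in nets):
            count += 1
    return count


@dataclass
class Sensor:
    """One sensor in the distributed scheme (hypothetical in-memory stand-in):
    it inspects the DNS answers it sees and forwards an alert carrying the DNS
    information to its peers when the subnet count exceeds its threshold."""
    name: str
    threshold: int
    peers: list = field(default_factory=list)
    received_alerts: list = field(default_factory=list)

    def ingest(self, domain, ips):
        """Handle one DNS answer (domain -> IPs); return the alert sent, if any."""
        count = count_unique_subnets(ips)
        if count <= self.threshold:
            return None
        alert = {"sensor": self.name, "domain": domain,
                 "ips": sorted(set(ips)), "unique_subnets": count}
        for peer in self.peers:
            peer.receive_alert(alert)
        return alert

    def receive_alert(self, alert):
        """Store an alert forwarded by another sensor."""
        self.received_alerts.append(alert)


# Constructed sample DNS answers (private / documentation ranges only).
# flux.example resolves to addresses spread over five unrelated /8s;
# cdn.example resolves to four addresses inside one /24.
FLUX_IPS = ["10.1.2.3", "172.16.5.6", "192.168.7.8", "203.0.113.9", "198.51.100.10"]
CDN_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]


def run_demo(threshold=3):
    """Two sensors: sensor_a sees both answers, sensor_b only receives alerts."""
    sensor_b = Sensor("sensor-b", threshold)
    sensor_a = Sensor("sensor-a", threshold, peers=[sensor_b])
    flux_alert = sensor_a.ingest("flux.example", FLUX_IPS)
    cdn_alert = sensor_a.ingest("cdn.example", CDN_IPS)
    return flux_alert, cdn_alert, sensor_b.received_alerts


if __name__ == "__main__":
    flux, cdn, forwarded = run_demo()
    print("flux.example ->", flux)
    print("cdn.example ->", cdn)
    print("sensor-b received", len(forwarded), "alert(s)")
```

With the threshold set to 3, `flux.example` produces an alert (five subnets, each unique at every class level) that `sensor-b` receives without having seen the DNS answer itself, while `cdn.example` produces none because all of its addresses share one /24. `subnet_counts` is included alongside the strict count because a deployment would normally want the per-class numbers as well: under the strict reading, two addresses that merely share a /8 already cancel each other out, so the per-class counts are what tell an analyst how widely a domain's addresses are actually spread.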
Specification