Identification of malware sites using unknown URL sites and newly registered DNS addresses

US 8,966,625 B1
Filed: 05/24/2011
Issued: 02/24/2015
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

perform a heuristic analysis for information associated with a network site, wherein performing a heuristic analysis for information associated with a network site further comprises;

determine whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;

in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;

determine whether an IP address related to the network site is periodically unavailable based on DNS presence information; and

determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and

assign a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, identification of malware sites using unknown URL sites and newly registered DNS addresses includes performing a heuristic analysis for information associated with a network site; and assigning a score based on the heuristic analysis, in which the score indicates whether the network site is potentially malicious. In some embodiments, the system includes a security appliance that is in communication with the Internet. In some embodiments, the network site is associated with a network domain and/or a network uniform resource locator (URL). In some embodiments, performing a heuristic analysis for information associated with a network site further includes determining if a network site has recently been registered. In some embodiments, performing a heuristic analysis for information associated with a network site further includes determining if a network site is associated with recently changed DNS information. In some embodiments, performing a heuristic analysis for information associated with a network site further includes determining geographical information as well as an IP network location associated with the network site.

193 Citations

24 Claims

1. A system, comprising:
- a processor configured to;
  
  perform a heuristic analysis for information associated with a network site, wherein performing a heuristic analysis for information associated with a network site further comprises;
  
  determine whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
  
  in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;
  
  determine whether an IP address related to the network site is periodically unavailable based on DNS presence information; and
  
  determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
  
  assign a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system recited in claim 1, wherein the system includes a security appliance that is in communication with the Internet, wherein the network site is associated with a network domain and/or the network uniform resource locator (URL).
  - 3. The system recited in claim 1, wherein performing a heuristic analysis for information associated with a network site further comprises:
    - determine if the network site has recently been registered.
  - 4. The system recited in claim 1, wherein the assign of the score comprises:
    - compare the score with a predefined threshold; and
      
      in the event that the score exceeds the predefined threshold, determine that the network site is potentially malicious.
  - 5. The system recited in claim 1, wherein the performing of the heuristic analysis for information associated with a network site further comprises:
    - analyzing human readability of the network site based on an analysis of links between pages of the same network site to measure navigability of the network site, an analysis of links to and from other network sites to identify links to and from suspicious network sites, an analysis of an amount of plain text, script, hypertext markup language (HTML) content, and/or uniform resource locator (URL) suitable for human navigation of the network site, or any combination thereof.

6. A method, comprising:
- performing a heuristic analysis for information associated with a network site using a processor of a device in communication with a network, wherein performing a heuristic analysis for information associated with a network site further comprises;
  
  determining whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
  
  in the event that the DNS information of the network site has changed, determining when the change in the DNS information occurred;
  
  determining whether an IP address related to the network site is periodically unavailable based on DNS presence information; and
  
  determining source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
  
  assigning a score based on the heuristic analysis, wherein the score indicates whether the network site is potentially malicious.
- View Dependent Claims (7)
- - 7. The method of claim 6, wherein the device includes a security appliance that is in communication with the Internet, and wherein the network site is associated with a network domain and/or the network uniform resource locator (URL).

8. A system, comprising:
- a processor configured to;
  
  determine if a network site has recently been registered;
  
  determine whether the network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
  
  in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;
  
  determine whether an IP address related to the network site is periodically unavailable based on DNS presence information;
  
  determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
  
  assign a score based on a length of time since a domain registration, whether the DNS information of the network site has changed, and the source information associated with the network site, wherein the score indicates whether the network site is potentially malicious; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.

9. A system, comprising:
- a processor configured to;
  
  determine a plurality of network sites that have recently been registered;
  
  determine whether a network site has a change in DNS information, the change in DNS information including a change in ownership of a network uniform resource locator (URL) and a new IP address outside of the same subnet;
  
  in the event that the DNS information of the network site has changed, determine when the change in the DNS information occurred;
  
  determine whether an IP address related to the network site is periodically unavailable based on DNS presence information;
  
  determine source information associated with the network site, wherein the source information includes geographical information associated with the network site and IP network related source information, wherein the determining of the source information is based on a regional Internet registry (RIR) and a border gateway protocol (BGP) table; and
  
  generate a list of potentially malicious network sites based on the plurality of network sites that have recently been registered, whether the DNS information of the network site has changed, and the source information associated with the network site, anda memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 10. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - generate a list of DNS changes for a plurality of network sites; and
      
      store the list of DNS changes.
  - 11. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potentially malicious site based on a threshold.
  - 12. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potentially malicious site; and
      
      publish the first network site to a firewall for blocking access to/from the first network site.
  - 13. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potentially malicious site; and
      
      block access to/from the first network site.
  - 14. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a suspicious site; and
      
      monitor access to/from the first network site to determine whether the first network site is a potentially malicious site, wherein the network site is monitored to determine whether the network site is a botnet site.
  - 15. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potential malware site based on URL sites and newly registered DNS addresses.
  - 16. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potential malware site based on DNS activity.
  - 17. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potential malware site based on DNS presence information, wherein the DNS presence information indicates that the first network site with a first IP address is periodically unavailable.
  - 18. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potential malware site based on IP address changes.
  - 19. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - apply a security policy based on a determination that a first network site is a potential malware site; and
      
      report that the first network site is a potential malware site.
  - 20. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - request zone file access to determine recently changed domain names and associated IP addresses for a plurality of network sites.
  - 21. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potential malware site; and
      
      verify that the first network site is a malware site if a virus sample attempts to connect to the suspicious network site.
  - 22. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - determine that a first network site is a potential malware site;
      
      inspect the first network site to determine content available on the first network site; and
      
      verify that the first network site is a malware site if the first network site does not include or has a limited amount of any of the following;
      
      plain text, script, and/or HTML content, and URLs suitable for human navigation of the web site.
  - 23. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - receive an outbound request to access a first network site; and
      
      communicate the first network site to a security cloud service to request whether the first network site is a potentially malicious site or malware site.
  - 24. The system recited in claim 9, wherein the memory is further configured to provide the processor with instructions which when executed cause the processor to:
    - communicate one or more botnet reports to a security cloud service, wherein the security cloud service aggregates the one or more botnet reports to correlate potentially suspicious botnet behavior to determine whether one or more network sites are potentially malicious sites and/or malware sites.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zuk, Nir, Xie, Huagang, Lazzarato, Renzo
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Lakhia, Viral

Application Number

US13/115,014
Time in Patent Office

1,372 Days
Field of Search

726 22- 25, 726/12, 726 3- 4, 713/2, 709/220
US Class Current

726/22
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

Identification of malware sites using unknown URL sites and newly registered DNS addresses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

193 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Identification of malware sites using unknown URL sites and newly registered DNS addresses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

193 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links