System, method, and computer program product for preventing a modification to a domain name system setting

US 9,294,505 B2
Filed: 10/20/2014
Issued: 03/22/2016
Est. Priority Date: 08/13/2010
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor;

a memory configured to store a domain name system setting; and

logic, wherein the logic is configured to;

detect an attempt for modification of the domain name system setting stored within the memory;

identify an attribute of the modification;

verify a source of the attempt by generating a hash of the source in order to compare the source against a whitelist including predetermined non-malicious sources;

verify the attribute of the modification by comparing the attribute of the modification against at least one of a whitelist including known good attributes and a blacklist including known at least potentially malicious attributes; and

prevent the modification of the domain name system setting responsive to the verifying of the source of the attempt being indicative that the source is a potentially malicious source and the verifying of the attribute of the modification being indicative that the attribute of the modification is a potentially malicious attribute.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for preventing a modification to a domain name system setting. In use, an attempt to modify a domain name system setting is detected. Additionally, a source of the attempt and an attribute of the modification are verified. Further, the modification to the domain name system setting is prevented, based on the verification.

20 Citations

20 Claims

1. A system, comprising:
- a processor;
  
  a memory configured to store a domain name system setting; and
  
  logic, wherein the logic is configured to;
  
  detect an attempt for modification of the domain name system setting stored within the memory;
  
  identify an attribute of the modification;
  
  verify a source of the attempt by generating a hash of the source in order to compare the source against a whitelist including predetermined non-malicious sources;
  
  verify the attribute of the modification by comparing the attribute of the modification against at least one of a whitelist including known good attributes and a blacklist including known at least potentially malicious attributes; and
  
  prevent the modification of the domain name system setting responsive to the verifying of the source of the attempt being indicative that the source is a potentially malicious source and the verifying of the attribute of the modification being indicative that the attribute of the modification is a potentially malicious attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein the logic is further configured to retrieve at least one of the whitelist including predetermined non-malicious sources, the whitelist including known good attributes, and the blacklist including known at least potentially malicious attributes from the memory.
  - 3. The system of claim 1, wherein the logic is further configured to retrieve at least one of the whitelist including predetermined non-malicious sources, the whitelist including known good attributes, and the blacklist including known at least potentially malicious attributes from a database.
  - 4. The system of claim 1, wherein the logic is further configured to retrieve at least one of the whitelist including predetermined non-malicious sources, the whitelist including known good attributes, and the blacklist including known at least potentially malicious attributes from a server.
  - 5. The system of claim 1, wherein the domain name system setting includes a setting of a value in a registry.
  - 6. The system of claim 1, wherein the domain name system setting includes an Internet Protocol (IP) address setting.
  - 7. The system of claim 1, wherein the attempt for modification of the domain name system setting includes an attempt to change or replace an Internet Protocol (IP) address to a malicious IP address.
  - 8. The system of claim 1, wherein the attempt for modification of the domain name system setting includes an attempted write operation to the domain name system setting.
  - 9. The system of claim 1, wherein the attempt for modification of the domain name system setting includes an attempted create operation of the domain name system setting.
  - 10. The system of claim 1, wherein the logic is further configured to intercept the attempt for modification of the domain name system setting.
  - 11. The system of claim 1, wherein the source of the attempt includes a process.
  - 12. The system of claim 1, wherein the source of the attempt includes a file.
  - 13. The system of claim 1, wherein the source of the attempt is further verified by comparing the source of the attempt against a blacklist containing known at least potentially malicious sources.
  - 14. The system of claim 1, wherein the whitelist includes predetermined non-malicious sources including a list of hashes of the predetermined non-malicious sources.
  - 15. The system of claim 14, wherein the logic is further configured to verify the source of the attempt by comparing the hash of the source against the list of hashes of the predetermined non-malicious sources.
  - 16. The system of claim 1, wherein the source of the attempt is verified at a first server and the attribute of the modification is verified at a second server.
  - 17. The system of claim 1, wherein the source of the attempt and the attribute of the modification are verified at a single server.
  - 18. The system of claim 1, wherein preventing modification of the domain name system setting includes blocking the modification of the domain name system setting.
  - 19. The system of claim 1, wherein preventing modification of the domain name system setting includes undoing the modification of the domain name system setting.
  - 20. The system of claim 1, wherein preventing modification of the domain name system setting includes removing the source of the attempt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Kumar, Lokesh, Ramachetty, Harinath Vishwanath, Kishore, Nandi Dharma
Primary Examiner(s)
Whipple, Brian P

Application Number

US14/518,907
Publication Number

US 20150040227A1
Time in Patent Office

519 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

System, method, and computer program product for preventing a modification to a domain name system setting

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System, method, and computer program product for preventing a modification to a domain name system setting

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others