Sinkholing bad network domains by registering the bad network domains on the internet

US 9,405,903 B1
Filed: 10/31/2013
Issued: 08/02/2016
Est. Priority Date: 10/31/2013
Status: Active Grant

First Claim

Patent Images

1. A system for sinkholing bad network domains by registering the bad network domains on the Internet, comprising:

a processor configured to;

generate one or more signatures for a plurality of bad network domains;

distribute the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains for sinkholing;

select a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the bad network domain is associated with an identified malware;

register the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and

identify a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for sinkholing bad network domains by registering the bad network domains on the Internet are provided. In some embodiments, sinkholing bad network domains by registering the bad network domains on the Internet includes determining a network domain is a bad network domain, in which the bad network domain is determined to be associated with an identified malware (e.g., malware that has been identified and has been determined to be associated with the bad domain), and the bad network domain is sinkholed by registering the bad network domain with a sinkholed IP address; and identifying a host that is infected with the identified malware based on an attempt by the host to connect to the sinkholed IP address.

142 Citations

21 Claims

1. A system for sinkholing bad network domains by registering the bad network domains on the Internet, comprising:
- a processor configured to;
  
  generate one or more signatures for a plurality of bad network domains;
  
  distribute the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains for sinkholing;
  
  select a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the bad network domain is associated with an identified malware;
  
  register the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and
  
  identify a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system recited in claim 1, wherein the processor is further configured to:
    - determine that the bad network domain is not a registered network domain prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain.
  - 3. The system recited in claim 1, wherein the processor is further configured to:
    - determine that the bad network domain is a non-existent domain (NXDOMAIN) prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain.
  - 4. The system recited in claim 1, wherein the processor is further configured to:
    - generate a log for each attempted host connection to the valid IP address.
  - 5. The system recited in claim 1, wherein the processor is further configured to:
    - determine that the bad network domain is not a registered network domain prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain; and
      
      generate a log for each attempted host connection to the valid IP address.
  - 6. The system recited in claim 1, wherein register the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain further comprises:
    - determine that the bad network domain is a registered network domain; and
      
      change the registered network domain for the bad network domain with the domain registry to a new IP address in order to sinkhole the bad network domain using the new IP address, wherein the new IP address corresponds to the valid IP address.
  - 7. The system recited in claim 1, wherein the processor is further configured to:
    - receive a plurality of malware samples; and
      
      execute each of the plurality of malware samples to identify the plurality of bad network domains.

8. A method of sinkholing bad network domains by registering the bad network domains on the Internet, comprising:
- generating one or more signatures for a plurality of bad network domains;
  
  distributing the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains for sinkholing;
  
  selecting a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the bad network domain is associated with an identified malware;
  
  registering the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and
  
  identifying a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address.
- View Dependent Claims (9, 10, 11, 12, 18, 19)
- - 9. The method of claim 8, further comprising:
    - determining that the bad network domain is not a registered network domain prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain.
  - 10. The method of claim 8, further comprising:
    - determining that the bad network domain is a non-existent domain (NXDOMAIN) prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain.
  - 11. The method of claim 8, further comprising:
    - generating a log for each attempted host connection to the valid IP address.
  - 12. The method of claim 8, wherein registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain further comprises:
    - determining that the bad network domain is a registered network domain; and
      
      changing the registered network domain for the bad network domain with the domain registry to a new IP address in order to sinkhole the bad network domain using the new IP address, wherein the new IP address corresponds to the valid IP address.
  - 18. The method of claim 8, further comprising:
    - determining that the bad network domain is not a registered network domain prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain; and
      
      generating a log for each attempted host connection to the valid IP address.
  - 19. The method of claim 8, further comprising:
    - receiving a plurality of malware samples; and
      
      executing each of the plurality of malware samples to identify the plurality of bad network domains.

13. A computer program product for sinkholing bad network domains by registering the bad network domains on the Internet, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- generating one or more signatures for a plurality of bad network domains;
  
  distributing the one or more signatures to a plurality of security devices to determine a set of candidate bad network domains for sinkholing;
  
  selecting a bad network domain included in the set of candidate bad network domains for sinkholing based on a detection of a threshold number of connections that were attempted to the bad network domain based on logged signature matches, wherein the bad network domain is associated with an identified malware;
  
  registering the bad network domain with a domain registry to a valid IP address in order to sinkhole the bad network domain, wherein the bad network domain is sinkholed by registering the bad network domain such that an authoritative DNS server can translate the registered bad network domain to the valid IP address, and wherein the valid IP address is associated with a device controlled by a cloud security service provider; and
  
  identifying a host that is infected with the identified malware based on an attempt by the host to connect to the valid IP address, wherein the host received a DNS query response that resolved the registered bad network domain to the valid IP address.
- View Dependent Claims (14, 15, 16, 17, 20, 21)
- - 14. The computer program product recited in claim 13, further comprising computer instructions for:
    - determining that the bad network domain is not a registered network domain prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain.
  - 15. The computer program product recited in claim 13, further comprising computer instructions for:
    - determining that the bad network domain is a non-existent domain (NXDOMAIN) prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain.
  - 16. The computer program product recited in claim 13, further comprising computer instructions for:
    - generating a log for each attempted host connection to the valid IP address.
  - 17. The computer program product recited in claim 13, wherein registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain further comprises:
    - determining that the bad network domain is a registered network domain; and
      
      changing the registered network domain for the bad network domain with the domain registry to a new IP address in order to sinkhole the bad network domain using the new IP address, wherein the new IP address corresponds to the valid IP address.
  - 20. The computer program product recited in claim 13, further comprising computer instructions for:
    - determining that the bad network domain is not a registered network domain prior to registering the bad network domain with the domain registry to the valid IP address in order to sinkhole the bad network domain; and
      
      generating a log for each attempted host connection to the valid IP address.
  - 21. The computer program product recited in claim 13, further comprising computer instructions for:
    - receiving a plurality of malware samples; and
      
      executing each of the plurality of malware samples to identify the plurality of bad network domains.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Xu, Wei, Xie, Huagang, Zuk, Nir
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Corum, Jr., William

Application Number

US14/068,272
Time in Patent Office

1,006 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 2221/2101   Auditing as a secondary aspect

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Sinkholing bad network domains by registering the bad network domains on the internet

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

142 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Sinkholing bad network domains by registering the bad network domains on the internet

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links