Blocking domain name access using access patterns and domain name registrations
US-9756068-B2 · Sep 5, 2017 · US
Performing rule-based actions for domain names accessed by particular parties
US10567423B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10567423-B2 |
| Application number | US-201816051408-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 31, 2018 |
| Priority date | Jul 25, 2013 |
| Publication date | Feb 18, 2020 |
| Grant date | Feb 18, 2020 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.
First claim
Opening claim text (preview).
What is claimed is: 1. A method, comprising: extracting a set of accessed domain names from a set of events stored in a field-searchable data store; identifying a respective access party for at least some of the accessed domain names in the set of accessed domain names, wherein the respective access party is the party that accessed the accessed domain name; identifying a subset of accessed domain names in the set of accessed domain names accessed by one or more particular respective access parties and meet a first criterion, wherein the first criterion is based on a recency of registration of an accessed domain name in the set of accessed domain names, and wherein the recency of registration comprises an age from a first time when the accessed domain name was registered with a registrar to a current time; determining, for each accessed domain name in the subset of accessed domain names, an associated access count corresponding to how many times the set of events indicates that the accessed domain name was accessed; performing an action for each accessed domain name in the subset of accessed domain names that has an associated access count that meets a second criterion according to one or more rules associated with the accessed domain name; wherein the method is performed by one or more computing devices. 2. The method of claim 1 , wherein the one or more rules include blocking access to the accessed domain name. 3. The method of claim 1 , wherein the one or more rules include preventing a device from accessing the accessed domain name. 4. The method of claim 1 , wherein at least one of the one or more rules is user-generated. 5. The method of claim 1 , wherein the first criterion is further based on registration of the accessed domain name within a defined time period. 6. The method of claim 1 , wherein the first criterion is further based on accessed domain names that are newly observed. 7. The method of claim 1 , further comprising: receiving a communication corresponding to an indication as to when each accessed domain name in the subset was registered with the registrar; and wherein the recency of registration is based on the communication. 8. The method of claim 1 , wherein the recency of registration is identified based on a communication received from Internet Corporation for Assigned Names and Numbers (ICANN). 9. The method of claim 1 , wherein the second criterion is based on a threshold count. 10. The method of claim 1 , wherein each accessed domain name in the set of accessed domain names corresponds to an accessed Web page. 11. The method of claim 1 , further comprising: receiving a selection of a particular accessed domain name; causing display of information related to the particular accessed domain name. 12. The method of claim 1 , further comprising: causing display of information related to the subset of accessed domain names in a scatter plot graph. 13. The method of claim 1 , further comprising: causing display of information related to the subset of accessed domain names in a table. 14. One or more non-transitory computer-readable media, storing one or more sequences of instructions, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform: extracting a set of accessed domain names from a set of events stored in a field-searchable data store; identifying a respective access party for at least some of the accessed domain names in the set of accessed domain names, wherein the respective access party is the party that accessed the accessed domain name; identifying a subset of accessed domain names in the set of accessed domain names that have a respective access party that meets a first criterion, wherein the first criterion is based on a recency of registration of an accessed domain name in the set of accessed domain names, and wherein the recency of registration comprises an age from a first time when the accessed domain name was registered with a registrar to a current time; determining, for each accessed domain name in the subset of accessed domain names, an associated access count corresponding to how many times the set of events indicates that the accessed domain name was accessed; performing an action for each accessed domain name in the subset of accessed domain names that has an associated access count that meets a second criterion according to one or more rules associated with the accessed domain name. 15. The one or more non-transitory storage media of claim 14 , wherein the one or more rules include blocking access to the accessed domain name. 16. The one or more non-transitory storage media of claim 14 , wherein the one or more rules include preventing a device from accessing the accessed domain name. 17. An apparatus, comprising: an event extraction device, implemented at least partially by hardware, that extracts a set of accessed domain names from a set of events stored in a field-searchable data store; a domain name evaluation device, implemented at least partially by hardware, that identifies a respective access party for at least some of the accessed domain names in the set of accessed domain names, wherein the respective access party is the party that accessed the accessed domain name; wherein the domain name evaluation device identifies a subset of accessed domain names in the set of accessed domain names that have a respective access party that meets a first criterion, wherein the first criterion is based on a recency of registration of an accessed domain name in the set of accessed domain names, and wherein the recency of registration comprises an age from a first time when the accessed domain name was registered with a registrar to a current time; a domain name access counter device, implemented at least partially by hardware, that determines, for each accessed domain name in the subset of accessed domain names, an associated access count corresponding to how many times the set of events indicates that the accessed domain name was accessed; a rule execution device, implemented at least partially by hardware, that performs an action for each accessed domain name in the subset of accessed domain names that has an associated access count that meets a second criterion according to one or more rules associated with the accessed domain name. 18. The apparatus of claim 17 , wherein the one or more rules include blocking access to the accessed domain name. 19. The apparatus of claim 17 , wherein the one or more rules include preventing a device from accessing the accessed domain name. 20. The one or more non-transitory storage media of claim 14 , wherein the first criterion is further based on registration of the accessed domain name within a defined time period.
Assignees
Inventors
Classifications
Linings and veneer · CPC title
Handles · CPC title
Corpse supports · CPC title
Event detection, e.g. attack signature detection · CPC title
Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10567423B2 cover?
- Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since regist…
- Who is the assignee on this patent?
- Splunk Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1441. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Feb 18 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).