Identification of a DNS packet as malicious based on a value

US10686817B2 · US · B2

Patent metadata

Publication number: US-10686817-B2
Application number: US-201515754282-A
Country: US
Kind code: B2
Filing date: Sep 21, 2015
Priority date: Sep 21, 2015
Publication date: Jun 16, 2020
Grant date: Jun 16, 2020

Abstract

Official abstract text for this publication.

Examples determine a number of hosts, within an enterprise, which are resolving a particular domain. Based on the number of hosts within the enterprise resolving the particular domain, the examples identify whether the particular domain is benign.

Claims

Full claim text as shown on this page.

We claim:

1. A method, executable by a computing device, the method comprising: determining a number of hosts, within an enterprise, resolving a particular domain; and identifying whether the particular domain is benign based on the number of hosts resolving the particular domain, wherein identifying whether the particular domain is benign based on the number of hosts resolving the particular domain comprises: identifying the domain as benign if the number of hosts resolving the particular domain is above a threshold; and identifying the domain as malicious if the number of hosts resolving the particular domain is below the threshold.

2. The method of claim 1, wherein identifying whether the particular domain is benign based on the number of hosts resolving the particular domain comprises: determining a number of resolutions corresponding to the particular domain; and in response to the identified number of hosts and the identified number of resolutions, identifying whether the particular domain is benign.

3. The method of claim 2, wherein a higher number of resolutions indicates that the particular domain is benign.

4. The method of claim 2, wherein determining the number of resolutions corresponding to the particular domain comprises: determining an aggregate number of domain name system (DNS) packets resolving the particular domain over a period of time.

5. The method of claim 1, comprising: discarding a domain name system (DNS) log associated with the particular domain in response to the identification of the particular domain as benign.

6. The method of claim 1, comprising: in response to the identification of the particular domain as benign, incorporating the particular domain name into a whitelist.

7. A non-transitory machine-readable storage medium comprising instructions that when executed by a processing resource cause a computing device to: determine a number of hosts resolving a particular domain; determine a number of resolutions corresponding to the particular domain; and identify whether the particular domain is benign based on the number of hosts and the number of resolutions, wherein to identify whether the particular domain is benign based on the number of hosts and the number of resolutions comprises instructions that when executed by the processing resource cause the computing device to: identify the particular domain as benign if the number of hosts and the number of resolutions are each above a threshold; and identify the domain as malicious if the number of hosts or the number of resolutions are below the threshold.

8. The non-transitory machine-readable medium of claim 7, wherein to determine the number of resolutions corresponding to the particular domain comprises instructions that when executed by the processing resource cause the computing device to: determine an aggregate number of domain name system (DNS) packets resolving the particular domain over a period of time.

9. The non-transitory machine-readable storage medium of claim 7, comprising instructions that when executed by the processing resource cause the computing device to: discard a DNS traffic log in response to the identification of the particular domain as benign; and incorporate the particular domain into a whitelist.

10. The non-transitory machine-readable medium of claim 7, wherein a higher number of hosts and a higher number of resolutions indicates the particular domain is benign.

11. The non-transitory machine-readable storage medium of claim 7, comprising instructions that when executed by the processing resource cause the computing device to: in response to the identification of the particular domain as benign, incorporate the particular domain name into a whitelist.

12. A networking system comprising: an appliance to: process domain name system (DNS) traffic between a DNS server and hosts; determine a number of hosts, within an enterprise, resolving a particular domain; determine a number of resolutions corresponding to the particular domain; and identify whether the particular domain is benign based on the number of hosts and the number of resolutions, wherein to identify whether the particular domain is benign, the appliance is to: identify the particular domain as benign if the number of hosts and the number of resolutions are above a threshold; and identify the particular domain as malicious if the number of hosts or the number of resolutions are below the threshold.

13. The system of claim 12, further comprising: a domain name system (DNS) server to exchange DNS traffic with the number of hosts.

14. The system of claim 12, wherein a higher number of hosts and a higher number of resolutions indicates the particular domain is benign.

15. The system of claim 12, the appliance to: discard a domain name system (DNS) log associated with the particular domain in response to the identification of the particular domain as benign.

16. The system of claim 12, the appliance to: in response to the identification of the particular domain as benign, incorporate the particular domain name into a whitelist.
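The counting and threshold rule of claims 1 to 7, worked through as an added Python example (this is illustration code, not the patent's own implementation): it aggregates constructed DNS query records per domain, applies the two-count rule of claim 7, and derives the whitelist and log pruning of claims 5 and 6. Using separate host and resolution thresholds, and treating a count equal to a threshold as "not above", are assumptions; the claims state neither.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of (source host, queried name) records over one observation window.
SAMPLE_LOG = [
    ("10.0.0.11", "updates.example.com"), ("10.0.0.12", "updates.example.com"),
    ("10.0.0.13", "Updates.Example.com."), ("10.0.0.14", "updates.example.com"),
    ("10.0.0.11", "updates.example.com"), ("10.0.0.12", "updates.example.com"),
    ("10.0.0.11", "cdn.example.net"), ("10.0.0.12", "cdn.example.net"),
    ("10.0.0.13", "cdn.example.net"),
    ("10.0.0.21", "beacon.example.org"), ("10.0.0.21", "beacon.example.org"),
    ("10.0.0.21", "beacon.example.org"), ("10.0.0.21", "beacon.example.org"),
    ("10.0.0.21", "beacon.example.org"),
    ("10.0.0.22", "rare-lookup.example.test"),
]

@dataclass
class DomainStats:
    hosts: set = field(default_factory=set)  # distinct resolving hosts
    resolutions: int = 0                     # DNS queries seen for the domain

def canon(name):
    """Normalise a queried name so case and a trailing dot do not split counts."""
    return name.lower().rstrip(".")

def aggregate(log):
    """Per-domain distinct-host and resolution counts (claims 1, 2 and 4)."""
    stats = defaultdict(DomainStats)
    for host, name in log:
        stats[canon(name)].hosts.add(host)
        stats[canon(name)].resolutions += 1
    return dict(stats)

def classify(stats, host_threshold, resolution_threshold):
    """Claim 7 rule: benign only if both counts are above their thresholds, else
    malicious. Equal-to-threshold counts as 'not above' (assumption; claim is silent)."""
    verdict = {}
    for domain, s in stats.items():
        benign = len(s.hosts) > host_threshold and s.resolutions > resolution_threshold
        verdict[domain] = "benign" if benign else "malicious"
    return verdict

def whitelist(verdict):
    """Claim 6: benign domains are added to a whitelist."""
    return sorted(d for d, v in verdict.items() if v == "benign")

def retain_after_pruning(log, verdict):
    """Claim 5: discard records for benign domains; keep the rest for analysts."""
    return [(h, n) for h, n in log if verdict.get(canon(n)) != "benign"]
```

Note that a single host querying a name many times (beacon.example.org in the sample) is still labelled malicious because the host count alone is below the threshold; legitimately rare or newly deployed domains will land in the same bucket, so the verdict is a triage signal rather than a final determination.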

Assignees

Hewlett Packard Entpr Dev Lp

Classifications

  • using domain name system [DNS] · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10686817B2 cover?
Examples determine a number of hosts, within an enterprise, which are resolving a particular domain. Based on the number of hosts within the enterprise resolving the particular domain, the examples identify whether the particular domain is benign.
Who is the assignee on this patent?
Hewlett Packard Entpr Dev Lp
What technology area does this patent fall under?
Primary CPC classification H04L61/4511. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 16, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).