DNS query analysis for detection of malicious software
US-9875355-B1 · Jan 23, 2018 · US
US12184688B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12184688-B2 |
| Application number | US-201615349912-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 11, 2016 |
| Priority date | Nov 11, 2016 |
| Publication date | Dec 31, 2024 |
| Grant date | Dec 31, 2024 |
Official abstract text for this publication.
In one embodiment, a profiling engine analyzes DNS transaction data that is logged by a recursive resolver to generate profiling results that are used to manage network activity. In operation, the profiling engine computes scores based on the DNS transaction data and scoring criteria. The profiling engine may compute any number of scores at any level of granularity. For example, the profiling engine may compute a score for each source IP address that is associated with the DNS transaction data. Subsequently, the profiling engine generates profiling results based on the scores and profiling criteria. Notably, DNS queries are typically the first step of longer transaction chains that result in the transfer of data to and from the network. Consequently, the profiling engine may provide more timely and comprehensive insight into network activities than conventional network management tools that analyze data at layers that are further down transaction chains.
Opening claim text (preview).
What is claimed is:
1. A computer-implemented method for profiling domain name system (DNS) traffic, the method comprising: receiving DNS transaction data that is associated with DNS logging operations performed by a DNS server; receiving identification data that associates a first set of identification data to a second set of identification data, wherein the first set of identification data comprises Internet Protocol (IP) addresses, wherein the second set of identification data comprises one or more user identifiers; partitioning, based on the second set of identification data, the DNS transaction data into a plurality of data partitions, wherein a given data partition included in the plurality of data partitions corresponds to a distinct user identifier of the second set of identification data; and for a first data partition of the plurality of data partitions: receiving content categorization data from at least one data feed, wherein the content categorization data identifies a social media data; determining a first score based on (i) one or more domain names specified in the first data partition, (ii) the content categorization data, and (iii) at least one scoring criteria, wherein the first data partition corresponds to a first user identifier of the one or more user identifiers; evaluating the first score based on profiling criteria to determine a first profiling result for the first user identifier; and causing one or more operations involving the first profiling result to be performed, wherein the one or more operations relate to at least one of: managing an activity, persistent storage or data analysis.
2. The computer-implemented method of claim 1, wherein partitioning the DNS transaction data comprises: selecting one or more DNS transactions included in the DNS transaction data that share the first user identifier as a first identifying characteristic in a set of identifying characteristics; and generating the first data partition based on the one or more DNS transactions.
3. The computer-implemented method of claim 1, wherein partitioning the DNS transaction data comprises: performing, based on the first user identifier, one or more comparison operations between one or more DNS transactions included in the DNS transaction data and the identification data to select one or more DNS transactions; and generating the first data partition based on the one or more selected DNS transactions.
4. The computer-implemented method of claim 3, wherein: the one or more user identifiers are included in a set of identifying characteristics, and the set of identifying characteristics further comprises at least one of a media access control (MAC) address or a certificate.
5. The computer-implemented method of claim 4, wherein each data partition further corresponds to a different identifying characteristic included in the set of identifying characteristics.
6. The computer-implemented method of claim 1, wherein the DNS transaction data comprises at least one of a DNS query or a DNS response.
7. The computer-implemented method of claim 1, wherein evaluating the first score comprises performing one or more comparison operations between the first score and a predetermined threshold, specified in a first profiling criterion that is included in the profiling criteria, to determine whether the first score fits a predetermined profile specified in the first profiling criterion.
8. The computer-implemented method of claim 1, wherein evaluating the first score comprises applying the profiling criteria to the first score to generate a profile of network activities.
9. The computer-implemented method of claim 1, wherein determining the first score comprises generating the first score based on a set of DNS queries associated with the first data partition that were initiated to resolve a first domain name.
10. The computer-implemented method of claim 1, further comprising: receiving a threat feed from at least one data feed, wherein the threat feed identifies a potentially malicious web site, wherein determining the first score is further based on the threat feed.
11. The computer-implemented method of claim 1, wherein the IP addresses of the first set of identification data comprise source IP addresses, wherein the first user identifier is associated with a plurality of source IP addresses.
12. The computer-implemented method of claim 1, wherein the social media data comprises a domain name associated with a social networking website.
13. The computer-implemented method of claim 1, wherein determining the first score comprises: computing a percentage of the one or more domain names specified in the first data partition that relate to the content categorization data, wherein the profiling criteria comprises at least one predetermined percentage that relates to the content categorization data.
14. One or more non-transitory computer-readable storage media including instructions that, when executed by one or more processors, cause the one or more processors to profile domain name system (DNS) traffic by performing the steps of: receiving DNS transaction data that is associated with DNS logging operations performed by a DNS server; receiving identification data that associates a first set of identification data to a second set of identification data, wherein the first set of identification data comprises Internet Protocol (IP) addresses, wherein the second set of identification data comprises one or more user identifiers; partitioning, based on the second set of identification data, the DNS transaction data into a plurality of data partitions, wherein a given data partition included in the plurality of data partitions corresponding to a distinct user identifier the second set of identification data; and for a first data partition of the plurality of data partitions: receiving content categorization data from at least one data feed, wherein the content categorization data identifies a social media data; determining a first score based on (i) one or more domain names specified in the first data partition, (ii) the content categorization data, and (iii) at least one scoring criteria, wherein the first data partition corresponds to a first user identifier of the one or more user identifiers; evaluating the first score based on profiling criteria to determine a first profiling result for the first user identifier; and causing one or more operations involving the first profiling result to be performed, wherein the one or more operations relate to at least one of: managing an activity, persistent storage, or data analysis.
15. The one or more non-transitory computer-readable storage media of claim 14, wherein partitioning the DNS transaction data comprises: selecting one or more DNS transactions included in the DNS transaction data that share the first user identifier as a first identifying characteristic in a set of identifying characteristics; and generating the first data partition based on the one or more DNS transactions.
16. The one or more non-transitory computer-readable storage media of claim 14, wherein partitioning the DNS transaction data comprises: performing, based on the first user identifier, one or more comparison operations between one or more DNS transactions included in the DNS transaction data and the identification data to select one or more DNS transactions; and generating the first data partition based on the one or more selected DNS transactions.
17. The one or more non-transitory computer-readable storage media of claim 16,
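The scoring and profiling flow described in the abstract and in claims 1, 7, 10, 11 and 13 (partition resolver log records by user via an IP-to-user mapping, score each partition against a content-categorization feed and a threat feed, compare the scores with predetermined thresholds), worked through below as an added Python example. This is not code from the patent or its assignee. It assumes a BIND 9 style resolver query log, a static IP-to-user mapping, a categorization feed keyed by registrable domain, a threat feed and threshold values; all of these are constructed here for illustration, and the function names are the example's own. It goes slightly beyond the claim text in two ways: it computes a second score (threat-feed hits) alongside the social-media percentage, and it keeps traffic from unmapped source IPs in its own partition instead of silently dropping it.

```python
"""Per-user DNS profiling over resolver query logs (added illustration, not
the patent's own code). Pipeline: parse log -> partition by user -> score each
partition against feeds -> evaluate scores against thresholds."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed resolver log in BIND 9 query-log style (assumption: the log
# carries the client IP and the QNAME as shown; the patent fixes no format).
SAMPLE_LOG = """\
11-Nov-2016 09:00:01.123 client 10.0.0.5#51234 (www.facebook.com): query: www.facebook.com IN A +E (10.0.0.1)
11-Nov-2016 09:00:02.456 client 10.0.0.5#51235 (cdn.twitter.com): query: cdn.twitter.com IN AAAA +E (10.0.0.1)
11-Nov-2016 09:00:03.789 client 10.0.0.6#40001 (mail.example.org): query: mail.example.org IN MX +E (10.0.0.1)
11-Nov-2016 09:00:04.000 client 10.0.0.9#40002 (updates.example.net): query: updates.example.net IN A +E (10.0.0.1)
11-Nov-2016 09:00:05.000 client 10.0.0.9#40003 (x7q2.bad-c2.example): query: x7q2.bad-c2.example IN TXT +E (10.0.0.1)
11-Nov-2016 09:00:06.000 client 10.0.0.9#40004 (x7q2.bad-c2.example): query: x7q2.bad-c2.example IN TXT +E (10.0.0.1)
11-Nov-2016 09:00:07.000 client 10.0.0.77#40005 (www.facebook.com): query: www.facebook.com IN A +E (10.0.0.1)
"""

# Identification data: source IP -> user identifier. One user may hold several
# addresses (claim 11); 10.0.0.77 is deliberately left unmapped. Constructed.
IP_TO_USER = {"10.0.0.5": "alice", "10.0.0.6": "alice", "10.0.0.9": "bob"}
# Content categorization feed keyed by registrable domain (claim 12). Constructed.
CATEGORY_FEED = {"facebook.com": "social_media", "twitter.com": "social_media"}
# Threat feed of domains reported as potentially malicious (claim 10). Constructed.
THREAT_FEED = {"bad-c2.example"}
# Profiling criteria: thresholds chosen for illustration (claims 7 and 13).
SOCIAL_PCT_THRESHOLD = 50.0  # percent of distinct domains that are social media
THREAT_HIT_THRESHOLD = 1     # number of queries for threat-feed domains

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

@dataclass
class DnsTransaction:
    source_ip: str
    qname: str
    qtype: str

@dataclass
class ProfilingResult:
    user: str
    social_pct: float   # score 1: % of distinct domains in the social category
    threat_hits: int    # score 2: queries whose name is on the threat feed
    flags: list         # profiling result: which criteria the scores met

def parse_log(text):
    """Extract (source IP, QNAME, QTYPE) from each query-log line; skip others."""
    txns = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            txns.append(DnsTransaction(m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]))
    return txns

def feed_lookup(qname, feed):
    """Return the feed key equal to qname or one of its parent domains.
    Stops before the bare TLD so that 'com' on its own never matches."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

def partition_by_user(txns, ip_to_user):
    """Group transactions by the user that owns the source IP (claim 1)."""
    parts = defaultdict(list)
    for t in txns:
        parts[ip_to_user.get(t.source_ip, "unmapped:" + t.source_ip)].append(t)
    return parts

def score_partition(user, txns):
    """Compute both scores for one partition and evaluate the profiling criteria."""
    domains = {t.qname for t in txns}
    social = sum(1 for d in domains
                 if (key := feed_lookup(d, CATEGORY_FEED)) and CATEGORY_FEED[key] == "social_media")
    social_pct = 100.0 * social / len(domains) if domains else 0.0
    threat_hits = sum(1 for t in txns if feed_lookup(t.qname, THREAT_FEED) is not None)
    flags = []
    if social_pct >= SOCIAL_PCT_THRESHOLD:
        flags.append("heavy_social_media")
    if threat_hits >= THREAT_HIT_THRESHOLD:
        flags.append("threat_feed_match")
    return ProfilingResult(user, social_pct, threat_hits, flags)

def profile(log_text, ip_to_user=IP_TO_USER):
    """Full pipeline: returns {user identifier: ProfilingResult}."""
    parts = partition_by_user(parse_log(log_text), ip_to_user)
    return {user: score_partition(user, txns) for user, txns in parts.items()}

if __name__ == "__main__":
    for r in profile(SAMPLE_LOG).values():
        print(f"{r.user:18} social={r.social_pct:5.1f}% threat_hits={r.threat_hits} flags={r.flags}")
```

Two practitioner caveats. The percentage score is computed over distinct domain names, so a single chatty client cannot inflate it by repeating one query; the threat-hit score counts transactions, because repeated lookups of one listed name are themselves the signal. The suffix walk does not consult the Public Suffix List, so a feed entry such as a shared hosting suffix would match every subdomain beneath it; check how a real categorization feed keys its entries before reusing this lookup.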
Business processes related to social networking or social networking services · CPC title
using domain name system [DNS] · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Marketing; Price estimation or determination; Fundraising · CPC title
Market modelling; Market analysis; Collecting market data · CPC title