Systems and methods for detecting malware domain names
US-11457022-B1 · Sep 27, 2022 · US
US12549513B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12549513-B2 |
| Application number | US-202318317826-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 15, 2023 |
| Priority date | Jan 26, 2021 |
| Publication date | Feb 10, 2026 |
| Grant date | Feb 10, 2026 |
Official abstract text for this publication.
Systems, methods, and products for identifying IP mass hosts and determining whether they are good or bad. One embodiment is a method including selecting a first candidate IP address, identifying a set of domains hosted at the IP address, and identifying registrants of the domains. A number of unique ones of the registrants is determined and if the number of unique registrants exceeds a threshold number, the candidate IP address is deemed an IP mass host. Otherwise, the candidate IP address is deemed not to be an IP mass host. For an IP mass host, domains that have bad reputations are identified, and it is determined whether the bad domains comprise at least a threshold percentage of the total hosted domains. If the IP mass host has at least the threshold percentage of bad domains, the IP mass host is deemed a bad mass host.
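The decision flow in the abstract, as an added Python example that is not code from the patent or its assignee. The DNS rows, WHOIS registrants, reputation list, 30-day look-back window and 50% bad-domain threshold are constructed assumptions; the registrant threshold of 1 is the value named in claim 9.

```python
from datetime import date, timedelta

# Constructed sample data: passive-DNS rows (domain, ip, last_seen),
# WHOIS registrants per domain, and a domain bad-reputation list.
TODAY = date(2023, 5, 10)
DNS_ROWS = [
    ("shop-a.example", "192.0.2.10", date(2023, 5, 1)),
    ("blog-b.example", "192.0.2.10", date(2023, 5, 3)),
    ("mail-c.example", "192.0.2.10", date(2023, 5, 9)),
    ("old-d.example", "192.0.2.10", date(2022, 1, 4)),  # outside look-back
    ("c2-one.example", "198.51.100.7", date(2023, 5, 8)),
    ("c2-two.example", "198.51.100.7", date(2023, 5, 9)),
    ("kit-x.example", "203.0.113.5", date(2023, 5, 2)),
    ("kit-y.example", "203.0.113.5", date(2023, 5, 6)),
    ("ok-z.example", "203.0.113.5", date(2023, 5, 7)),
]
WHOIS = {
    "shop-a.example": "Alice Ltd", "blog-b.example": "Bob GmbH",
    "mail-c.example": "alice ltd ", "old-d.example": "Dan Inc",
    "c2-one.example": "Mallory", "c2-two.example": "mallory",
    "kit-x.example": "Eve", "kit-y.example": "Frank", "ok-z.example": "Grace",
}
BAD_DOMAINS = {"c2-one.example", "c2-two.example",
               "kit-x.example", "kit-y.example"}

def classify_ip(ip, today=TODAY, lookback_days=30,
                registrant_threshold=1, bad_pct_threshold=50.0):
    """Return 'not_mass_host', 'good_mass_host' or 'bad_mass_host'."""
    cutoff = today - timedelta(days=lookback_days)
    # Only domains seen mapping to the IP inside the look-back period count.
    domains = {d for d, addr, seen in DNS_ROWS if addr == ip and seen >= cutoff}
    # Normalise registrant strings so case/whitespace variants count once.
    registrants = {WHOIS[d].strip().lower() for d in domains if d in WHOIS}
    if not domains or len(registrants) <= registrant_threshold:
        return "not_mass_host"
    bad_pct = 100.0 * len(domains & BAD_DOMAINS) / len(domains)
    return "bad_mass_host" if bad_pct >= bad_pct_threshold else "good_mass_host"

def ips_to_remove(bad_ip_list, today=TODAY):
    """IPs to take off the bad-reputation list: good mass hosts only."""
    return [ip for ip in bad_ip_list
            if classify_ip(ip, today) == "good_mass_host"]
```

Without the registrant normalisation, `192.0.2.10` would count three registrants instead of two and `198.51.100.7` would cross the threshold of 1 on a case difference alone, so raw WHOIS strings need canonicalising before the unique count is trusted.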
Opening claim text (preview).
What is claimed is:
1. An automated method for providing cyberthreat protection, the method comprising: selecting a first candidate Internet Protocol (IP) address from a list of IP addresses having identified bad reputations; identifying a plurality of domains hosted at the first candidate IP address by accessing Domain Name Service (DNS) records for the first candidate IP address over a defined look back period; identifying one or more registrants of the plurality of domains hosted at the first candidate IP address by performing a WHOIS lookup for each domain of the plurality of domains; determining a number of unique registrants within the one or more registrants of the plurality of domains hosted at the first candidate IP address; comparing the determined number of unique registrants hosted at the first candidate IP address to a threshold number; storing an indication that the first candidate IP address is a mass host based on the determined number of unique registrants hosted at the first candidate IP address exceeding the threshold number; determining a percentage of domains of the plurality of domains that have bad reputations exceeds a threshold percentage; storing an indication that the first candidate IP address is a good mass host; and removing the first candidate IP address from the list of IP addresses having identified bad reputations.
2. The method of claim 1, wherein selecting the first candidate IP address comprises accessing a release candidate list containing a plurality of IP addresses and selecting the first candidate IP address from the plurality of IP addresses.
3. The method of claim 2, further comprising, prior to selecting the first candidate IP address from the release candidate list, compiling the release candidate list from a bad reputation list containing IP addresses that have been identified as having bad reputations.
4. The method of claim 3, wherein storing the indication that the first candidate IP address is a mass host comprises maintaining the first candidate IP address on the bad reputation list.
5. The method of claim 1, further comprising identifying ones of the plurality of domains that have bad reputations and storing an indication that the first candidate is not a bad mass host when the identified ones of the plurality of domains that have bad reputations is below a threshold percentage of the plurality of domains.
6. The method of claim 1, wherein identifying the plurality of domains hosted at the first candidate IP address comprises identifying domains that map to the first candidate IP address.
7. The method of claim 6, wherein the identified domains include only domains that map to the first candidate IP address during the defined look back period.
8. The method of claim 1, wherein identifying the plurality of domains hosted at the first candidate IP address comprises examining an IP mass hosting style certificate corresponding to the first candidate IP address, wherein the IP mass hosting style certificate contains information identifying the plurality of domains.
9. The method of claim 1, wherein the threshold number comprises 1.
10. An automated system for providing cyberthreat protection comprising: a processor coupled to a memory that stores one or more instructions, the instructions executable by the processor to perform: selecting a first candidate Internet Protocol (IP) address from a list of IP addresses having identified bad reputations; identifying a plurality of domains hosted at the first candidate IP address by accessing Domain Name Service (DNS) records for the first candidate IP address over a defined look back period; identifying one or more registrants of the plurality of domains hosted at the first candidate IP address by performing a WHOIS lookup for each domain of the plurality of domains; determining a number of unique registrants within the one or more registrants of the plurality of domains hosted at the first candidate IP address; comparing the determined number of unique registrants hosted at the first candidate IP address to a threshold number; storing an indication that the first candidate IP address is a mass host based on the determined number of unique registrants hosted at the first candidate IP address exceeding the threshold number; determining a percentage of domains of the plurality of domains that have bad reputations exceeds a threshold percentage; storing an indication that the first candidate IP address is a good mass host; and removing the first candidate IP address from the list of IP addresses having identified bad reputations.
11. The system of claim 10, wherein selecting the first candidate IP address comprises accessing a release candidate list containing a plurality of IP addresses and selecting the first candidate IP address from the plurality of IP addresses.
12. The system of claim 10, wherein identifying the plurality of domains hosted at the first candidate IP address comprises identifying domains that map to the first candidate IP address.
13. The system of claim 10, wherein identifying the plurality of domains hosted at the first candidate IP address comprises examining an IP mass hosting style certificate corresponding to the first candidate IP address, wherein the IP mass hosting style certificate contains information identifying the plurality of domains.
14. The system of claim 10, wherein the instructions further comprise identifying ones of the plurality of domains that have bad reputations and storing an indication that the first candidate is not a bad mass host when the identified ones of the plurality of domains that have bad reputations is below a threshold percentage of the plurality of domains.
15. A computer program product comprising a non-transitory computer-readable medium storing instructions executable by one or more processors to perform: selecting a first candidate Internet Protocol (IP) address from a list of IP addresses having identified bad reputations; identifying a plurality of domains hosted at the first candidate IP address by accessing Domain Name Service (DNS) records for the first candidate IP address over a defined look back period; identifying one or more registrants of the plurality of domains hosted at the first candidate IP address by performing a WHOIS lookup for each domain of the plurality of domains; determining a number of unique registrants within the one or more registrants of the plurality of domains hosted at the first candidate IP address; comparing the determined number of unique registrants hosted at the first candidate IP address to a threshold number; storing an indication that the first candidate IP address is a mass host based on the determined number of unique registrants hosted at the first candidate IP address exceeding the threshold number; determining a percentage of domains of the plurality of domains that have bad reputations exceeds a threshold percentage; storing an indication that the first candidate IP address is a good mass host; and removing the first candidate IP address from the list of IP addresses having identified bad reputations.
16. The computer program product of claim 15, wherein identifying the plurality of domains hosted at the first candidate IP address comprises identifying domains that map to the first candidate IP address.
17. The computer program product of claim 15, wherein identifying the plurality of domains hosted at the first candidate IP address comprises examining an IP mass hosting style certificate co
of the same type · CPC title
Threshold monitoring · CPC title
Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories · CPC title
using domain name system [DNS] · CPC title
Administrative registration, e.g. for domain names at internet corporation for assigned names and numbers [ICANN] · CPC title