Detecting Domains Generated By A Domain Generation Algorithm

US2016337391A1 · US · A1

Patent metadata
Publication number: US-2016337391-A1
Application number: US-201514708890-A
Country: US
Kind code: A1
Filing date: May 11, 2015
Priority date: May 11, 2015
Publication date: Nov 17, 2016
Grant date: (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Apparatus and techniques for determining whether a domain name has been generated by a domain generation algorithm (DGA) are disclosed. A first domain name is classified as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on one or more features of the first domain name. In addition, statistics are determined regarding requests for the first domain name. Additional domain names are identified that share an infrastructure with the first domain name. A determination is made regarding whether the first domain name and/or one or more of the additional domain names are likely to have been generated by a DGA, based on a result of one or more of the classifying, the statistics, or the identifying. A security vulnerability related to one or more of the likely DGA domain names is then mitigated.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: at a computing device, classifying a first domain name as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on one or more features of the first domain name; determining statistics regarding requests for the first domain name; identifying any additional domain names that share an infrastructure with the first domain name; determining whether one or more of the first domain name and one or more of the additional domain names are likely to have been generated by a DGA, based on a result of one or more of the classifying, the statistics, or the identifying; and mitigating a security vulnerability related to one or more of the likely DGA domain names.

2. The method of claim 1, further comprising: training classification logic to perform the classifying of the first domain name.

3. The method of claim 1, wherein the mitigating comprises one or more of: blocking access to domains identified by one or more of the first domain name and the one or more of the additional domain names; monitoring access to the domains identified by one or more of the first domain name and the one or more of the additional domain names; or asserting an alarm condition in response to access to the domains identified by one or more of the first domain name and the one or more of the additional domain names.

4. The method of claim 1, wherein classifying comprises evaluating one or more properties of a string of characters in the first domain name.

5. The method of claim 1, wherein the determining of the statistics regarding the requests for the first domain name comprises: determining statistics regarding how many requests are made at a domain name server for the first domain name over time.

6. The method of claim 1, wherein the identifying of any additional domain names that use the infrastructure comprises identifying any additional domain names that use a domain name server also used by the first domain name.

7. The method of claim 1, further comprising repeating one or more of the classifying, determining, or identifying with respect to a second domain name, where the second domain name is one of the first domain name or one of the one or more additional domain names.

8. An apparatus comprising: one or more processors; one or more memory devices in communication with the one or more processors; and a network interface unit in communication with the one or more processors, wherein the one or more processors are configured to: classify a first domain name as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on evaluation of one or more features of the first domain name, resulting in a classification of the first domain name; determine statistics regarding requests for the first domain name; identify any additional domain names that share an infrastructure with the first domain name, resulting in an identification of additional domain names; and determine whether one or more of the first domain name and one or more of the additional domain names are likely to have been generated by a DGA, based on the classification, the identification, or the statistics, in order to mitigate a security vulnerability related to one or more of the likely DGA domain names.

9. The apparatus of claim 8, wherein the one or more processors are configured to train classification logic to classify the first domain name.

10. The apparatus of claim 8, wherein the one or more processors are configured to mitigate the security vulnerability by: blocking access to domains identified by one or more of the first domain name and the one or more of the additional domain names; monitoring access to the domains identified by one or more of the first domain name and the one or more of the additional domain names; or asserting an alarm condition in response to access to the domains identified by one or more of the first domain name and the one or more of the additional domain names.

11. The apparatus of claim 8, wherein the one or more processors are configured to classify the first domain name by evaluating one or more properties of a string of characters in the first domain name.

12. The apparatus of claim 8, wherein the one or more processors are configured to determine the statistics regarding the requests for the first domain name by determining statistics regarding how many requests are made at a domain name server for the first domain name over time.

13. The apparatus of claim 8, wherein the one or more processors are configured to identify any additional domain names that use the infrastructure by identifying any additional domain names that use a domain name server also used by the first domain name.

14. The apparatus of claim 8, wherein the one or more processors are further configured to: classify a second domain name as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on evaluation of one or more features of the second domain name; determine statistics regarding requests for the second domain name; or identify any additional domain names that share an infrastructure with the second domain name, where the second domain name is one of the first domain name or one of the one or more additional domain names.

15. One or more computer readable non-transitory storage media encoded with software comprising computer executable instructions that, when executed by one or more processors, cause the one or more processors to: classify a first domain name as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on evaluation of one or more features of a first domain name, resulting in a classification of the first domain name; determine statistics regarding requests for the first domain name; identify any additional domain names that share an infrastructure with the first domain name, resulting in an identification of additional domain names; and wherein the computer executable instructions further cause the processor to determine whether one or more of the first domain name and one or more of the additional domain names are likely to have been generated by a DGA, based on the classification, the identification, or the statistics, in order to mitigate a security vulnerability related to one or more of the likely DGA domain names.

16. The computer readable non-transitory storage media of claim 15, wherein the executable instructions further cause the one or more processors to train classification logic to classify the first domain name.

17. The computer readable non-transitory storage media of claim 15, wherein the executable instructions that cause the one or more processors to mitigate the security vulnerability comprise executable instructions that cause the one or more processors to perform one or more of: blocking access to domains identified by one or more of the first domain name and the one or more of the additional domain names; monitoring access to the domains identified by one or more of the first domain name and the one or more of the additional domain names; or asserting an alarm condition in response to access to the domains identified by one or more of the first domain name and the one or more of the additional domain names.

18. The computer readable non-transitory storage media of claim 15, wherein the executable instructions that, when executed by the one or more pr
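The three signals the claims combine (string properties of the name, request counts over time at the resolver, and other names sharing a name server) run over a small constructed log, as an added example that is not code from the patent or from Cisco; the log format, the domain names and the classification thresholds are all assumptions made for the illustration.

```python
# Added illustration, not the patent's or Cisco's code: the three signals the claims
# describe, run over a constructed resolver log whose lines read
# "<hour> <client> <queried name> <authoritative name server>". Thresholds are assumed.
import math
from collections import Counter, defaultdict

LOG = """\
10 10.0.0.5 xk3q9vbz2pw1.example ns1.shared.example
10 10.0.0.7 qj7zr4tkm8yc.example ns1.shared.example
11 10.0.0.5 xk3q9vbz2pw1.example ns1.shared.example
11 10.0.0.9 xk3q9vbz2pw1.example ns1.shared.example
11 10.0.0.5 updates.vendor.example ns1.shared.example
12 10.0.0.7 mail.corp.example ns2.corp.example
"""

def parse_log(text):
    return [line.split() for line in text.splitlines() if line.strip()]

def string_features(name):
    """Claim 4: properties of the name's characters (label length, entropy, vowel ratio)."""
    label = name.split(".")[0]
    probs = [c / len(label) for c in Counter(label).values()]
    entropy = -sum(p * math.log2(p) for p in probs)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return len(label), round(entropy, 2), round(vowels, 2)

def likely_dga(name):
    """Stand-in for the trained classifier of claim 2: fixed, assumed thresholds."""
    length, entropy, vowels = string_features(name)
    return length >= 10 and entropy >= 3.0 and vowels < 0.3

def request_stats(records, name):
    """Claim 5: how many requests the resolver saw for the name, per hour."""
    return dict(sorted(Counter(r[0] for r in records if r[2] == name).items()))

def shared_infrastructure(records, name):
    """Claim 6: other names that use a name server the first name also uses."""
    by_ns = defaultdict(set)
    for _, _, qname, ns in records:
        by_ns[ns].add(qname)
    used = {r[3] for r in records if r[2] == name}
    return sorted(set().union(*(by_ns[ns] for ns in used)) - {name})

def assess(records, first):
    """Claim 1 combination, mapped onto claim 3's block / monitor actions."""
    plan = {}
    for name in [first] + shared_infrastructure(records, first):
        hits = sum(request_stats(records, name).values())
        dga = likely_dga(name)
        plan[name] = "block" if dga and hits >= 2 else "monitor" if dga else "allow"
    return plan
```

Calling `assess(parse_log(LOG), "xk3q9vbz2pw1.example")` blocks the first name, puts its random-looking peer on the same name server under monitoring, and leaves the vendor update host alone.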

Assignees

Cisco Tech Inc

Inventors

Classifications

  • Event detection, e.g. attack signature detection · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Processing captured monitoring data, e.g. for logfile generation · CPC title

  • Vulnerability analysis · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016337391A1 cover?
Apparatus and techniques for determining whether a domain name has been generated by a domain generation algorithm (DGA) are disclosed. A first domain name is classified as either a likely domain generation algorithm (DGA) domain name or a likely non-DGA domain name, based on one or more features of the first domain name. In addition, statistics are determined regarding requests for the first d…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1433. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 17, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).