Security threat detection using domain name registrations
US-9432396-B2 · Aug 30, 2016 · US
Security threat detection using access patterns and domain name registrations
US9648037B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9648037-B2 |
| Application number | US-201615224652-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 31, 2016 |
| Priority date | Jul 25, 2013 |
| Publication date | May 9, 2017 |
| Grant date | May 9, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain names. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name.
First claim
Opening claim text (preview).
What is claimed is: 1. A method, comprising: extracting a set of accessed domain names from a set of events stored in a field-searchable data store; receiving a communication corresponding to an indication as to when each accessed domain name in the set was registered with a registrar; identifying a respective registration time for each accessed domain name in the set of accessed domain names based on the communication, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar; determining, for each accessed domain name in the set of accessed domain names, an access count corresponding to how many times the set of events indicates that the accessed domain name in the set of accessed domain names was accessed; identifying a subset of accessed domain names in the set of accessed domain names that have usage patterns that are not expected based on normal usage patterns using the identified respective registration time of each accessed domain name in the subset and an associated access count; causing display of information relating to each accessed domain name in the subset indicating that the accessed domain name is a potential security threat; wherein the method is performed by one or more computing devices. 2. The method of claim 1 , wherein the respective registration time comprises an age from a first time when the accessed domain name was registered with the registrar to a current time. 3. The method of claim 1 , wherein the display of information comprises at least one of: a graph, a scatter plot, a table, or a message. 4. The method of claim 1 , wherein the respective registration time is identified based on a communication received from Internet Corporation for Assigned Names and Numbers (ICANN). 5. The method of claim 1 , further comprising: identifying a second subset of the set of accessed domain names, wherein a respective registration time for each accessed domain name in the second subset of accessed domain names is within a defined time period, and wherein the second subset includes at least two accessed domain names; determining, for each accessed domain name in the second subset, a respective access count corresponding to how many times the set of events indicates that each accessed domain name in the second subset was accessed; causing display of simultaneous representations of the respective registration time and the respective access count for each accessed domain name in the second subset. 6. The method of claim 1 , further comprising: receiving an input corresponding to a selection of a particular identified accessed domain name; presenting additional detail pertaining to events in the set of events that included the particular identified accessed domain name. 7. The method of claim 1 , further comprising: receiving an input that includes a rule pertaining to a particular domain name, the rule indicating that access to the particular domain name is to be blocked; and causing access for the particular domain name to be blocked. 8. The method of claim 1 , further comprising: determining that the access count for a particular accessed domain name in the subset exceeds a threshold number; and causing access to the particular accessed domain name in the subset to be blocked. 9. The method of claim 1 , wherein an event in the set of events includes machine data. 10. The method of claim 1 , wherein each accessed domain name in the set of accessed domain names corresponds to an accessed Web page. 11. One or more non-transitory storage media storing instructions which, when executed by one or more computing devices, cause: extracting a set of accessed domain names from a set of events stored in a field-searchable data store; receiving a communication corresponding to an indication as to when each accessed domain name in the set was registered with a registrar; identifying a respective registration time for each accessed domain name in the set of accessed domain names based on the communication, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar; determining, for each accessed domain name in the set of accessed domain names, an access count corresponding to how many times the set of events indicates that the accessed domain name in the set of accessed domain names was accessed; identifying a subset of accessed domain names in the set of accessed domain names that have usage patterns that are not expected based on normal usage patterns using the identified respective registration time of each accessed domain name in the subset and an associated access count; causing display of information relating to each accessed domain name in the subset indicating that the accessed domain name is a potential security threat; wherein the method is performed by one or more computing devices. 12. The one or more non-transitory storage media of claim 11 , wherein the respective registration time comprises an age from a first time when the accessed domain name was registered with the registrar to a current time. 13. The one or more non-transitory storage media of claim 11 , wherein the display of information comprises at least one of: a graph, a scatter plot, a table, or a message. 14. The one or more non-transitory storage media of claim 11 , further comprising: receiving an input that includes a rule pertaining to a particular domain name, the rule indicating that access to the particular domain name is to be blocked; and causing access for the particular domain name to be blocked. 15. An apparatus, comprising: an event extraction device, implemented at least partially by hardware, that extracts a set of accessed domain names from a set of events stored in a field-searchable data store; a domain name evaluation device, implemented at least partially by hardware, that receives a communication corresponding to an indication as to when each accessed domain name in the set was registered with a registrar; wherein the domain name evaluation device identifies a respective registration time for each accessed domain name in the set of accessed domain names based on the communication, wherein the respective registration time is indicative of when the accessed domain name was registered with a registrar; a domain name access counter device, implemented at least partially by hardware, that determines, for each accessed domain name in the set of accessed domain names, an access count corresponding to how many times the set of events indicates that the accessed domain name in the set of accessed domain names was accessed; a domain name evaluation device, implemented at least partially by hardware, that identifies a subset of accessed domain names in the set of accessed domain names that have usage patterns that are not expected based on normal usage patterns using the identified respective registration time of each accessed domain name in the subset and an associated access count; a display processor, implemented at least partially by hardware, that causes display of information relating to each accessed domain name in the subset indicating that the accessed domain name is a potential security threat. 16. The apparatus of claim 15 , wherein the respective registration time comprises an age from a first time when the accessed domain name was registered with the registrar to a current time. 17. The apparatus of claim 15 , wherein the display of information comprises at least one of: a graph, a scatter plot, a table, or a message.
Assignees
Inventors
Classifications
Linings and veneer · CPC title
Handles · CPC title
Corpse supports · CPC title
based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title
- H04L63/1441Primary
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9648037B2 cover?
- Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since regist…
- Who is the assignee on this patent?
- Splunk Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1441. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue May 09 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).