US9270693B2ActiveUtilityA1

Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

67
Assignee: BOEING COPriority: Sep 19, 2013Filed: Sep 19, 2013Granted: Feb 23, 2016
Est. expirySep 19, 2033(~7.2 yrs left)· nominal 20-yr term from priority
H04L 63/1441H04L 61/1511H04L 63/0227H04L 63/1425H04L 63/168H04L 2463/144H04L 63/1416H04L 61/4511
67
PatentIndex Score
2
Cited by
24
References
20
Claims

Abstract

A system and method for detecting Fast-Flux malware are presented. Domain name system (DNS) lookup requests to DNS servers from a local area network (LAN) to a wide area network (WAN) are monitored. The DNS lookup requests comprise requests to resolve uniform resource locators (URLs) to network addresses. The network addresses (IP) received from the DNS servers for the DNS lookup requests are monitored provide a URL-to-IP associations list. The DNS servers used for the DNS lookup requests for the URLs are monitored to provide a DNS Domain-to-DNS server associations list. A suspicious URL log based on the URL-to-IP associations list, and a suspicious DNS log based on the DNS Domain-to-DNS server associations list are generated.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method for detecting Fast-Flux malware, the method comprising:
 monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP); 
 monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs; 
 monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; 
 generating a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list; 
 determining whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log; and 
 after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generating an event indicating a combination of flux actions are active. 
 
     
     
       2. The method of  claim 1 , further comprising indicating a presence of a malware program in the LAN based on the suspicious DNS log and the suspicious URL log. 
     
     
       3. The method of  claim 1 , further comprising:
 configuring a resource association list comprising the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and 
 configuring a suspicious resource log comprising the suspicious URL log or the suspicious DNS log. 
 
     
     
       4. The method of  claim 3 , further comprising:
 counting a total number of association changes in the resource association list; and 
 logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold. 
 
     
     
       5. The method of  claim 3 , further comprising:
 counting a number of association changes in the resource association list in a time-period; and 
 logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold. 
 
     
     
       6. The method of  claim 3 , further comprising:
 calculating an association change frequency of the resource association list; and 
 logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold. 
 
     
     
       7. The method of  claim 3 , further comprising:
 calculating a pattern in the resource association list; and 
 logging the suspicious resource log, if the pattern is found among a pattern history. 
 
     
     
       8. A system for detecting Fast-Flux malware, the system comprising:
 at least one hardware processor; and 
 a network traffic monitor operating on the at least one hardware processor and configured to:
 monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP); 
 monitor the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list; 
 monitor the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; and 
 
 a malware detector configured to:
 generate a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list; 
 determine whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log; 
 after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generate an event indicating a combination of flux actions are active; and 
 indicate a presence of a malware program in the LAN based on the suspicious URL log and the suspicious DNS log. 
 
 
     
     
       9. The system of  claim 8 , wherein:
 a resource association list comprises the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and 
 a suspicious resource log comprises the suspicious URL log or the suspicious DNS log. 
 
     
     
       10. The system of  claim 9 , wherein the malware detector is further configured to:
 count a total number of association changes in the resource association list; and 
 log the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold. 
 
     
     
       11. The system of  claim 9 , wherein the malware detector is further configured to:
 count a number of association changes in the resource association list in a time-period; and 
 log the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold. 
 
     
     
       12. The system of  claim 9 , wherein the malware detector is further configured to:
 calculate an association change frequency of the resource association list; and 
 log the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold. 
 
     
     
       13. The system of  claim 9 , wherein the malware detector is further configured to:
 calculate a pattern in the resource association list; and 
 log the suspicious resource log, if the pattern is found among a pattern history. 
 
     
     
       14. A non-transitory computer readable storage medium comprising computer-executable instructions for detecting Fast-Flux malware, the computer-executable instructions comprising:
 monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP); 
 monitoring the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list; 
 monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; 
 generate a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list; 
 determining whether a designated suspicious URL from the URL-to-IP associations list matches designated data in the DNS Domain-to-DNS server associations list; and 
 after determining that the designated suspicious URL from the URL-to-IP associations list matches the designated data in the DNS Domain-to-DNS server associations list, generating an event indicating a combination of flux actions are active. 
 
     
     
       15. The non-transitory computer readable storage medium of  claim 14 , further comprising computer-executable instructions comprising: indicating a presence of a malware program in the LAN based on the suspicious DNS log or the suspicious URL log. 
     
     
       16. The non-transitory computer readable storage medium of  claim 14 , further comprising computer-executable instructions comprising:
 configuring a resource association list comprising the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and 
 configuring a suspicious resource log comprising the suspicious URL log or the suspicious DNS log. 
 
     
     
       17. The non-transitory computer readable storage medium of  claim 16 , further comprising computer-executable instructions comprising:
 counting a total number of association changes in the resource association list; and 
 logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold. 
 
     
     
       18. The non-transitory computer readable storage medium of  claim 16 , further comprising computer-executable instructions comprising:
 counting a number of association changes in the resource association list in a time-period; and 
 logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold. 
 
     
     
       19. The non-transitory computer readable storage medium of  claim 16 , further comprising computer-executable instructions comprising:
 calculating an association change frequency of the resource association list; and 
 logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold. 
 
     
     
       20. The non-transitory computer readable storage medium of  claim 16 , further comprising computer-executable instructions comprising:
 calculating a pattern in the resource association list; and 
 logging the suspicious resource log, if the pattern is found among a pattern history.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.