Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for detecting Fast-Flux malware, the method comprising: monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP); monitoring the one or more received network addresses (IP) resolved for the one or more URLs to provide a URL-to-IP associations list, wherein the URL-to-IP associations list is configured to store one or more suspicious URLs; monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; generating a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list; determining whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log; and after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generating an event indicating a combination of flux actions are active.
2. The method of claim 1, further comprising indicating a presence of a malware program in the LAN based on the suspicious DNS log and the suspicious URL log.
3. The method of claim 1, further comprising: configuring a resource association list comprising the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and configuring a suspicious resource log comprising the suspicious URL log or the suspicious DNS log.
4. The method of claim 3, further comprising: counting a total number of association changes in the resource association list; and logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
5. The method of claim 3, further comprising: counting a number of association changes in the resource association list in a time-period; and logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
6. The method of claim 3, further comprising: calculating an association change frequency of the resource association list; and logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
7. The method of claim 3, further comprising: calculating a pattern in the resource association list; and logging the suspicious resource log, if the pattern is found among a pattern history.
8. A system for detecting Fast-Flux malware, the system comprising: at least one hardware processor; and a network traffic monitor operating on the at least one hardware processor and configured to: monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP); monitor the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list; monitor the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; and a malware detector configured to: generate a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list; determine whether a designated suspicious URL from the suspicious URL log matches designated data in the suspicious DNS log; after determining that the designated suspicious URL from the suspicious URL log matches the designated data in the suspicious DNS log, generate an event indicating a combination of flux actions are active; and indicate a presence of a malware program in the LAN based on the suspicious URL log and the suspicious DNS log.
9. The system of claim 8, wherein: a resource association list comprises the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and a suspicious resource log comprises the suspicious URL log or the suspicious DNS log.
10. The system of claim 9, wherein the malware detector is further configured to: count a total number of association changes in the resource association list; and log the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
11. The system of claim 9, wherein the malware detector is further configured to: count a number of association changes in the resource association list in a time-period; and log the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
12. The system of claim 9, wherein the malware detector is further configured to: calculate an association change frequency of the resource association list; and log the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
13. The system of claim 9, wherein the malware detector is further configured to: calculate a pattern in the resource association list; and log the suspicious resource log, if the pattern is found among a pattern history.
14. A non-transitory computer readable storage medium comprising computer-executable instructions for detecting Fast-Flux malware, the computer-executable instructions comprising: monitoring by a network traffic monitor a plurality of domain name system (DNS) lookup requests to one or more DNS servers initiated by one or more network devices in a local area network (LAN) to a wide area network (WAN), the DNS lookup requests comprising a plurality of requests to resolve one or more uniform resource locators (URLs) to one or more received network addresses (IP); monitoring the one or more received network addresses (IP) resolved for resolving the one or more URLs to provide a URL-to-IP associations list; monitoring the one or more DNS servers used for the DNS lookup requests for resolving the URLs to provide a DNS Domain-to-DNS server associations list; generate a suspicious URL log based on the URL-to-IP associations list and a suspicious DNS log based on the DNS Domain-to-DNS server associations list; determining whether a designated suspicious URL from the URL-to-IP associations list matches designated data in the DNS Domain-to-DNS server associations list; and after determining that the designated suspicious URL from the URL-to-IP associations list matches the designated data in the DNS Domain-to-DNS server associations list, generating an event indicating a combination of flux actions are active.
15. The non-transitory computer readable storage medium of claim 14, further comprising computer-executable instructions comprising: indicating a presence of a malware program in the LAN based on the suspicious DNS log or the suspicious URL log.
16. The non-transitory computer readable storage medium of claim 14, further comprising computer-executable instructions comprising: configuring a resource association list comprising the URL-to-IP associations list or the DNS Domain-to-DNS server associations list; and configuring a suspicious resource log comprising the suspicious URL log or the suspicious DNS log.
17. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising: counting a total number of association changes in the resource association list; and logging the suspicious resource log, if the total number of association changes is greater than a total-association-change threshold.
18. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising: counting a number of association changes in the resource association list in a time-period; and logging the suspicious resource log, if the number of association changes in the time-period is greater than a time-period-association-changes threshold.
19. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising: calculating an association change frequency of the resource association list; and logging the suspicious resource log, if the association change frequency is greater than an association-change-frequency threshold.
20. The non-transitory computer readable storage medium of claim 16, further comprising computer-executable instructions comprising: calculating a pattern in the resource association list; and logging the suspicious resource log, if the pattern is found among a pattern history.
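The claims above describe one detection pipeline: keep a URL-to-IP associations list and a Domain-to-DNS-server associations list from observed lookups (claim 1), promote a domain into a suspicious resource log when its associations change too often in total, per time period, or per unit time, or when a recurring pattern appears (claims 4 through 7), and raise a flux event only when the same domain sits in both suspicious logs (claim 1), naming the LAN hosts that queried it (claim 2). The Python below is an added example written here to show those steps end to end over a constructed DNS log; it is not the patentee's implementation. The record layout, every threshold value, the reading of claim 7's "pattern" as a previously seen value coming back after a change (round-robin style), and the sample records are all assumptions. The "DNS server" tracked is the server the client sent its query to, which is what claim 1 monitors.

```python
"""Fast-flux detection in the style of the claims above.

Added example, not the patentee's implementation.  Record format, threshold
values and the sample log are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AssociationTracker:
    """A resource association list with its suspicious resource log (claims 3-7).

    Per key (a domain) it keeps the current associated value (a set of IPs or
    a DNS server), the timestamps of every change, and the value history.
    """
    total_change_threshold: int = 3      # claim 4: total changes (assumed value)
    window_seconds: int = 300            # claim 5: time-period (assumed value)
    window_change_threshold: int = 3     # claim 5: changes per period
    frequency_threshold: float = 0.02    # claim 6: changes per second
    current: dict = field(default_factory=dict)
    first_seen: dict = field(default_factory=dict)
    change_times: dict = field(default_factory=lambda: defaultdict(list))
    history: dict = field(default_factory=lambda: defaultdict(list))
    suspicious: dict = field(default_factory=dict)   # key -> first reason logged

    def observe(self, ts, key, value):
        """Record one resolution; return the reason if the key is now suspicious."""
        self.first_seen.setdefault(key, ts)
        prev = self.current.get(key)
        if prev is not None and prev != value:
            self.change_times[key].append(ts)
        self.current[key] = value
        self.history[key].append(value)
        reason = self._check(key, ts)
        if reason is not None:
            self.suspicious.setdefault(key, reason)
        return reason

    def _check(self, key, now):
        times = self.change_times[key]
        total = len(times)
        if total > self.total_change_threshold:
            return "total-association-changes"
        if sum(1 for t in times if now - t <= self.window_seconds) > self.window_change_threshold:
            return "association-changes-in-time-period"
        elapsed = now - self.first_seen[key]
        # frequency is only meaningful once the key has been watched for a full window
        if elapsed >= self.window_seconds and total / elapsed > self.frequency_threshold:
            return "association-change-frequency"
        # claim 7, one assumed reading of "pattern": a value seen earlier comes back
        # after a change, i.e. the associations rotate (round-robin style)
        hist = self.history[key]
        if total >= 2 and hist[-1] != hist[-2] and hist[-1] in hist[:-1]:
            return "pattern-in-history"
        return None


class FluxDetector:
    """Network traffic monitor plus malware detector of claims 1, 2 and 8."""

    def __init__(self, **thresholds):
        self.url_to_ip = AssociationTracker(**thresholds)      # URL-to-IP associations list
        self.domain_to_dns = AssociationTracker(**thresholds)  # Domain-to-DNS server list
        self.clients = defaultdict(set)                        # domain -> LAN hosts querying it
        self.events = []

    def process(self, record):
        ts, client, dns_server, domain, ips = record
        self.clients[domain].add(client)
        self.url_to_ip.observe(ts, domain, frozenset(ips))
        self.domain_to_dns.observe(ts, domain, dns_server)
        # claim 1: an event only when the same domain sits in BOTH suspicious logs
        if (domain in self.url_to_ip.suspicious and domain in self.domain_to_dns.suspicious
                and all(e["domain"] != domain for e in self.events)):
            self.events.append({"ts": ts, "domain": domain,
                                "url_reason": self.url_to_ip.suspicious[domain],
                                "dns_reason": self.domain_to_dns.suspicious[domain]})

    def infected_hosts(self):
        """Claim 2: LAN devices that queried a domain with an active flux event."""
        return {e["domain"]: set(self.clients[e["domain"]]) for e in self.events}


# Constructed sample log: (seconds, LAN client, DNS server queried, name, answer IPs).
R1, R2, R3 = "192.0.2.53", "198.51.100.53", "203.0.113.53"
SAMPLE_LOG = (
    # stable site: same answer, same resolver every time
    [(t, "10.0.0.7", R1, "www.example.net", ("198.51.100.7",)) for t in range(0, 600, 100)]
    # round-robin CDN: two answers alternate but the resolver never changes
    + [(t, "10.0.0.7", R1, "static.example.org", ("198.51.100.2%d" % (i % 2),))
       for i, t in enumerate(range(0, 900, 150))]
    # flux domain: a fresh answer on every query AND the bot rotates DNS servers
    + [(t, "10.0.0.5", (R1, R2, R3)[i % 3], "update.badexample.test", ("203.0.113.1%d" % i,))
       for i, t in enumerate(range(0, 150, 30))]
    + [(150, "10.0.0.9", R3, "update.badexample.test", ("203.0.113.15",))]
)


def run(records, **thresholds):
    det = FluxDetector(**thresholds)
    for rec in sorted(records):          # replay in time order
        det.process(rec)
    return det


if __name__ == "__main__":
    det = run(SAMPLE_LOG)
    print("suspicious URL log:", det.url_to_ip.suspicious)
    print("suspicious DNS log:", det.domain_to_dns.suspicious)
    for e in det.events:
        print("FLUX EVENT", e)
    print("infected hosts:", det.infected_hosts())
```

Running it shows why the claims insist on a match across both logs: the round-robin CDN name lands in the suspicious URL log on its own (its answers rotate, which is exactly what claim 7's pattern test catches), but it never enters the suspicious DNS log, so no event is raised for it. Only the domain whose answers and DNS servers both keep changing produces an event, and the event carries the two LAN clients that queried it. In practice the thresholds have to be set from a baseline of the monitored network, since aggressive CDN and load-balancer rotation will keep one of the two logs busy.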
February 23, 2016