Identifying command and control endpoint used by domain generation algorithm (DGA) malware
US10362044B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Aug 8, 2017 |
| Grant date | Jul 23, 2019 |
| Priority date | — |
| Expiry date | Dec 22, 2037 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/577
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A command-and-control (C2) endpoint used by Domain Generation Algorithm (DGA) malware is identified using machine-learning-based clustering. According to this technique, at least one attribute associated with a candidate resolved DNS name is identified; the candidate is a resolved name that clusters with a set of names whose DNS lookups failed. A set of additional names that share the at least one attribute with the candidate resolved DNS name is then identified, and the extent to which those additional names also cluster with the set of failed-lookup names is determined. The candidate resolved DNS name is characterized as being associated with the command endpoint when the additional names cluster with the set of failed-lookup names to a configurable degree.
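The test described in the abstract, carried out on a constructed DNS log as an added example (this is not the patent's implementation). The abstract does not fix what "clusters with" means or which attribute is shared, so both are assumptions here: two names cluster when the sets of client hosts that queried them overlap by at least a Jaccard threshold (min_similarity), the shared attribute is the resolved address, and the corroboration threshold min_degree, the hostnames, addresses and events are all invented. The intuition the example relies on is that an infected host issues a burst of NXDOMAIN lookups for generated names alongside the one generated name that resolves, while a benign name queried by the same hosts is hosted next to sibling names that clean hosts also use.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DnsEvent:
    """One query as seen at a resolver: who asked, for what, and the outcome."""
    client: str
    qname: str
    rcode: str                   # "NOERROR" or "NXDOMAIN"
    answer: Optional[str] = None  # resolved address for NOERROR, else None


def _ev(client, qname, rcode, answer=None):
    return DnsEvent(client, qname, rcode, answer)


# Constructed sample traffic (not real data). h1 and h2 are the infected hosts:
# they cycle through unregistered generated names plus one registered one.
SAMPLE_EVENTS = [
    # NXDOMAIN burst from the two infected hosts (assumed DGA output)
    *[_ev(h, n, "NXDOMAIN") for h in ("h1", "h2")
      for n in ("xkqpzvw.com", "qwlrtmb.net", "mzvbnpd.org")],
    # the one generated name that resolves: the C2 candidate
    _ev("h1", "c2abcdq.com", "NOERROR", "203.0.113.10"),
    _ev("h2", "c2abcdq.com", "NOERROR", "203.0.113.10"),
    # other names on the same address, each seen from one infected host
    _ev("h1", "bkup9xy.net", "NOERROR", "203.0.113.10"),
    _ev("h2", "fallbkz.org", "NOERROR", "203.0.113.10"),
    # an internal site that only the two infected hosts happen to use ...
    _ev("h1", "intranet.corp.example", "NOERROR", "192.0.2.20"),
    _ev("h2", "intranet.corp.example", "NOERROR", "192.0.2.20"),
    # ... whose siblings on the same address are used by clean hosts only
    *[_ev(h, "wiki.corp.example", "NOERROR", "192.0.2.20") for h in ("h3", "h4", "h5")],
    *[_ev(h, "hr.corp.example", "NOERROR", "192.0.2.20") for h in ("h3", "h4")],
    # a popular benign name queried by every host
    *[_ev(h, "www.example.com", "NOERROR", "198.51.100.5")
      for h in ("h1", "h2", "h3", "h4", "h5")],
]


def jaccard(a: set, b: set) -> float:
    """Overlap of two client sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def index_events(events):
    """Build: name -> querying clients, resolved name -> address, never-resolved names."""
    clients_by_name = defaultdict(set)
    resolved_ip = {}
    nx_names = set()
    for e in events:
        clients_by_name[e.qname].add(e.client)
        if e.rcode == "NOERROR" and e.answer:
            resolved_ip[e.qname] = e.answer
        elif e.rcode == "NXDOMAIN":
            nx_names.add(e.qname)
    failed = nx_names - set(resolved_ip)   # failed lookups that never resolved
    return clients_by_name, resolved_ip, failed


def failed_cluster(name, clients_by_name, failed, min_similarity):
    """Failed names whose querying-client set overlaps `name`'s by >= min_similarity."""
    mine = clients_by_name[name]
    return {f for f in failed if jaccard(mine, clients_by_name[f]) >= min_similarity}


def identify_c2(events, min_similarity=0.5, min_degree=0.5):
    """Return {candidate: (degree, flagged)} for every resolved name that clusters
    with failed lookups. degree = fraction of other names on the same address
    (assumed shared attribute) that also cluster with those failed lookups."""
    clients_by_name, resolved_ip, failed = index_events(events)
    results = {}
    for cand, ip in resolved_ip.items():
        cluster = failed_cluster(cand, clients_by_name, failed, min_similarity)
        if not cluster:
            continue   # no failed lookups cluster with it: not a candidate
        cluster_clients = set().union(*(clients_by_name[f] for f in cluster))
        additional = [n for n, a in resolved_ip.items() if a == ip and n != cand]
        if not additional:
            results[cand] = (0.0, False)   # nothing shares the attribute; cannot corroborate
            continue
        corroborating = sum(
            1 for n in additional
            if jaccard(clients_by_name[n], cluster_clients) >= min_similarity
        )
        degree = corroborating / len(additional)
        results[cand] = (degree, degree >= min_degree)
    return results


if __name__ == "__main__":
    for name, (degree, flagged) in sorted(identify_c2(SAMPLE_EVENTS).items()):
        print(f"{name:24s} degree={degree:.2f} c2={'yes' if flagged else 'no'}")
```

On the sample, c2abcdq.com (and the two other names on its address) reach degree 1.0 and are flagged, intranet.corp.example clusters with the failed lookups but scores 0.0 because its siblings are used only by clean hosts, and www.example.com is never a candidate because its client set is too broad to cluster with the NXDOMAIN burst. Both thresholds are the "configurable degree" of the abstract; on real resolver logs they would need tuning against the NXDOMAIN rate of benign software.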
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.