Enriching netflow data with passive DNS data for botnet detection
US10460101B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Jun 6, 2017 |
| Grant date | Oct 29, 2019 |
| Priority date | — |
| Expiry date | Jan 31, 2038 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04L67/02
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
In one example, a system includes a processor, memory, and a botnet detection application stored in memory and executed by the processor and configured to: obtain (i) Netflow data indicating one or more IP addresses accessed by a computer and (ii) passive Domain Name System (DNS) data indicating respective one or more domains associated with each of the one or more IP addresses; generate features associated with the computer based on the Netflow data and passive DNS data; generate probability data based on the Netflow data and passive DNS data, wherein the probability data indicates a probability that the computer accessed the one or more domains; assign weights to the features based on the probability data to provide weighted features; and determine whether the computer is likely to be part of a botnet based on the weighted features.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.