DNS misuse detection through attribute cardinality tracking
US11095671B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Jul 9, 2018 |
| Grant date | Aug 17, 2021 |
| Priority date | — |
| Expiry date | Feb 26, 2039 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/1483
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A system and computer-implemented method to detect particular Domain Name System (DNS) misuse, wherein the method includes obtaining monitored network data. The monitored network data includes respective instances of request traffic. The request traffic is associated with DNS requests that request resolution of a name that belongs to at least one identified domain. Each DNS request is sent from a source address of one or more stub resolvers; the source address of the stub resolver may be spoofed. Each instance of request traffic includes the source address, the name for which DNS resolution is requested to be resolved, and the at least one identified domain associated with a corresponding DNS request. The method further includes tracking over time, using a probabilistic algorithm, an approximation of a first cardinality of names belonging to a selected domain of the at least one identified domain included in the instances of request traffic. The method further includes tracking over time, using the probabilistic algorithm, an approximation of a second cardinality of source addresses associated with the selected domain included in the instances of request traffic. The method further …
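The two cardinalities the abstract describes, tracked per domain and time window, as an added example that is not taken from the patent. It assumes HyperLogLog as the probabilistic algorithm (the abstract names none) and a 60-second window; the class names and the traffic are constructed for illustration.

```python
import hashlib
import math
from collections import defaultdict

class HyperLogLog:
    """Approximate distinct counter with 2**p registers (HLL is an assumed choice)."""
    def __init__(self, p=10):
        self.p, self.m = p, 1 << p
        self.reg = bytearray(self.m)
    def add(self, item):
        h = int.from_bytes(hashlib.blake2b(item.encode(), digest_size=8).digest(), "big")
        idx = h >> (64 - self.p)                      # top p bits select a register
        rest = h & ((1 << (64 - self.p)) - 1)         # remaining 64-p bits
        rank = (64 - self.p) - rest.bit_length() + 1  # leading zeros + 1
        self.reg[idx] = max(self.reg[idx], rank)
    def count(self):
        alpha = 0.7213 / (1 + 1.079 / self.m)         # bias constant, valid for m >= 128
        est = alpha * self.m ** 2 / sum(2.0 ** -r for r in self.reg)
        zeros = self.reg.count(0)
        if est <= 2.5 * self.m and zeros:             # small range: linear counting
            est = self.m * math.log(self.m / zeros)
        return est

class CardinalityTracker:
    """Per (domain, window): one sketch for names, one for source addresses."""
    def __init__(self, window_s=60):                  # window length is an assumption
        self.window_s = window_s
        self.names = defaultdict(HyperLogLog)
        self.sources = defaultdict(HyperLogLog)
    def observe(self, ts, src, qname, domain):
        key = (domain, int(ts) // self.window_s)
        self.names[key].add(qname.lower().rstrip("."))
        self.sources[key].add(src)
    def snapshot(self, domain):
        return {w: (self.names[(d, w)].count(), self.sources[(d, w)].count())
                for (d, w) in sorted(self.names) if d == domain}

def demo():
    """Constructed traffic: a quiet window, then one with many distinct names and sources."""
    t = CardinalityTracker()
    for i in range(400):                              # window 0: 40 names, 20 sources
        t.observe(i % 60, f"192.0.2.{i % 20}", f"host{i % 40}.example.com", "example.com")
    for i in range(5000):                             # window 1: 5000 names, 3000 sources
        j = i % 3000
        t.observe(60 + i % 60, f"10.{j >> 8}.{j & 255}.7", f"x{i}.example.com", "example.com")
    return t.snapshot("example.com")

if __name__ == "__main__":
    print(demo())
```

Each sketch holds 1024 one-byte registers regardless of how many names or addresses it has seen, with a standard error of about 3% at this register count.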
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.