Behavioral DNS tunneling identification
US11606385B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Feb 13, 2020 |
| Grant date | Mar 14, 2023 |
| Priority date | — |
| Expiry date | May 17, 2041 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04L63/1425
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
Methods, apparatus and computer software products for protecting a computing system implement embodiments of the present invention that include extracting, from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the Internet hosting services, and identifying, in a given set of the transmissions from a given computing device, multiple domain name system (DNS) requests for an identical second-level domain (2LD) and for different respective sub-domains within the 2LD. A number of the different sub-domains within the 2LD and a data size of the multiple DNS requests are computed, and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, a preventive action is initiated to inhibit DNS tunneling from at least the given computing device.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.