Detecting suspicious network behaviors based on domain name service failures
US9245121B1 · kind B1 · utility
Key dates
| Date | Value |
|---|---|
| Filing date | Aug 9, 2013 |
| Grant date | Jan 26, 2016 |
| Priority date | — |
| Expiry date | Dec 24, 2033 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L2463/144
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A method for detecting a malicious node in a network. The method obtains a plurality of failed domain name service (DNS) queries from the network, each initiated from a client node of the network and comprising an effective second-level domain (eSLD) name. A computer processor, using a pre-determined clustering algorithm, generates a cluster from the plurality of eSLD names (the eSLD name of each failed DNS query); the cluster comprises the portion of those eSLD names selected by the clustering algorithm. The processor then determines, using a pre-determined formula, a score representing statistical characteristics of the cluster and, in response to the score meeting a pre-determined criterion, assigns a malicious status to the client node.
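The pipeline the abstract describes (collect failed queries, reduce each to its eSLD, cluster the names, score each cluster, flag the clients behind a high-scoring cluster) as a toy detector. This is an added example, not code from the patent or its assignee; the patent leaves the clustering algorithm, scoring formula and criterion as "pre-determined", so the mini public-suffix list, the length/entropy clustering key, the `names × mean entropy` score and both thresholds here are assumptions chosen for illustration. The log records are constructed.

```python
"""Toy eSLD-failure clustering detector (added example, not the patent's code).
Suffix list, clustering key, scoring formula and thresholds are assumptions."""
from collections import defaultdict
import math

# Constructed sample log, one record per line: "<timestamp> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2013-08-09T10:00:01 10.0.0.5 www.examp1e.com NXDOMAIN
2013-08-09T10:00:02 10.0.0.5 mail.exmaple.org NXDOMAIN
2013-08-09T10:00:03 10.0.0.5 www.example.com NOERROR
2013-08-09T10:00:04 10.0.0.7 portal.wrong.co.uk NXDOMAIN
2013-08-09T10:00:05 10.0.0.9 qzxkvlmpwte.net NXDOMAIN
2013-08-09T10:00:06 10.0.0.9 hgtrplkzmqa.net NXDOMAIN
2013-08-09T10:00:07 10.0.0.9 bnwdxvtkqrl.net NXDOMAIN
2013-08-09T10:00:08 10.0.0.9 zkpmrtwqxlf.net NXDOMAIN
2013-08-09T10:00:09 10.0.0.9 vtlqnbkmxzp.net NXDOMAIN
2013-08-09T10:00:10 10.0.0.9 www.example.com NOERROR
"""

# Assumed mini public-suffix list; a real deployment would load the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
FAILED_RCODES = {"NXDOMAIN", "SERVFAIL"}


def parse_failed_queries(log_text):
    """Return (client, qname) pairs for records whose rcode marks a failure."""
    failed = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing on them
        _ts, client, qname, rcode = parts
        if rcode in FAILED_RCODES:
            failed.append((client, qname.lower().rstrip(".")))
    return failed


def esld(qname):
    """Reduce a name to its eSLD: the label left of the public suffix plus the
    suffix (www.example.co.uk -> example.co.uk). None if nothing to cluster."""
    labels = qname.split(".")
    for n in (2, 1):  # longest suffix first, so "co.uk" wins over "uk"
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def cluster_key(name):
    """Assumed clustering: bucket eSLDs by label length, entropy and suffix."""
    label, _, suffix = name.partition(".")
    return (len(label) // 3, math.floor(shannon_entropy(label) * 2) / 2, suffix)


def build_clusters(failed):
    """Group failed queries into clusters keyed by cluster_key."""
    clusters = defaultdict(lambda: {"names": set(), "queries": []})
    for client, qname in failed:
        name = esld(qname)
        if name is None:
            continue
        c = clusters[cluster_key(name)]
        c["names"].add(name)
        c["queries"].append((client, name))
    return clusters


def cluster_score(cluster):
    """Assumed formula: distinct names times mean label entropy, so only a cluster
    that is both large and made of random-looking labels scores high."""
    names = cluster["names"]
    mean_entropy = sum(shannon_entropy(n.partition(".")[0]) for n in names) / len(names)
    return len(names) * mean_entropy


def detect(log_text, score_threshold=10.0, share_threshold=0.5):
    """Clients whose failed queries fall, at least share_threshold of the time,
    into clusters whose score meets score_threshold."""
    clusters = build_clusters(parse_failed_queries(log_text))
    hot = {k for k, c in clusters.items() if cluster_score(c) >= score_threshold}
    total, in_hot = defaultdict(int), defaultdict(int)
    for key, c in clusters.items():
        for client, _name in c["queries"]:
            total[client] += 1
            if key in hot:
                in_hot[client] += 1
    return {cl for cl in total if in_hot[cl] / total[cl] >= share_threshold}


if __name__ == "__main__":
    print("clients assigned malicious status:", sorted(detect(SAMPLE_LOG)))
```

Run as a script it flags only `10.0.0.9`: its five failures form one cluster of eleven-character, high-entropy `.net` labels, whereas the two typo failures from `10.0.0.5` and the single `.co.uk` failure land in singleton clusters that never reach the threshold. The share test is what keeps a client with one stray failure in a hot cluster from being flagged; in production the thresholds would be tuned against the site's own failure baseline.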
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.