US-12621314-B2 - DNS recursive PTR signals analysis
Abstract
Cyber-security techniques are described for monitoring a cloud environment and identifying potential problems, including malicious threats, to the monitored cloud environment using operational telemetry. Techniques are described for monitoring and collecting data related to reverse DNS (rDNS) traffic associated with a monitored cloud environment. The rDNS traffic consists of reverse (PTR) lookups originating from the cloud environment and the responses to those lookups returned by the recursive DNS resolvers that serve it. This collected data is then analyzed to identify potential threats to the monitored cloud environment. The collected data may be analyzed to identify potential sources of threats and to identify one or more portions of the cloud environment that are the targets of the threats. The analysis may trigger alerts to be generated, actions to be performed (e.g., protective measures), reports to be generated, patterns to be recognized, etc.
Inventors
- Christopher Robert BAKER
- Peter Martin HANILY
- Ryan Daniel SCHILCHER
- Jonathan Philip TAIMANGLO
Assignees
- ORACLE INTERNATIONAL CORPORATION
Dates
- Publication Date: 2026-05-05
- Application Date: 2023-09-13
Claims (20)
- 1 . A computer implemented method comprising: monitoring, by a cloud defense system, reverse DNS traffic associated with a monitored environment, the reverse DNS (rDNS) traffic comprising a set of one or more reverse DNS resolver requests originating from the monitored environment and a set of one or more responses generated by one or more DNS resolvers in response to the set of one or more reverse DNS resolver requests; collecting, by the cloud defense system, and storing raw data based upon the monitoring of the reverse DNS traffic, the raw data including data related to the set of one or more reverse DNS resolver requests and the set of one or more responses; augmenting, by the cloud defense system, the raw data to generate augmented data, wherein augmenting the raw data includes obtaining at least a portion of the augmented data from a registrar based at least in part on the raw data, or includes organizing the raw data across a dimension of the raw data; identifying, by the cloud defense system, an irregular network activity associated with the monitored environment by determining, based at least in part on the augmented data, that a baseline network activity has been exceeded; and outputting, by the cloud defense system, a signal indicative of the irregular network activity.
- 2 . The computer implemented method of claim 1 , wherein identifying the irregular network activity comprises identifying a portion of the monitored environment that is experiencing the irregular network activity, the portion of the monitored environment comprising one or more components of the monitored environment.
- 3 . The method of claim 2 , wherein the one or more components of the monitored environment include at least one of: a virtual cloud network (VCN) within the monitored environment, a region within the monitored environment, a set of one or more VCNs associated with a customer of a cloud service provider, a data center within the monitored environment, a virtual machine and a host machine.
- 4 . The computer implemented method of claim 1 , wherein identifying the irregular network activity comprises identifying a source of the irregular network activity.
- 5 . The computer implemented method of claim 4 , wherein the source is at least one of: (i) a portion of the monitored environment or (ii) a component external to the monitored environment.
- 6 . The computer implemented method of claim 4 , wherein identifying the source comprises identifying at least one of: a first IP address associated with the source that triggered at least one reverse DNS request in the set of one or more reverse DNS resolver requests, a first fully qualified domain name (FQDN) associated with the first IP address, or an owner associated with the first FQDN.
- 7 . The computer implemented method of claim 1 , further comprising: initiating, by the cloud defense system, a set of one or more actions responsive to outputting the signal indicative of the irregular network activity.
- 8 . The computer implemented method of claim 7 , wherein the set of one or more actions perform at least one of the following: (i) changing a set of rules associated with a component of the cloud defense system, (ii) quarantining a system within a cloud service provider infrastructure (CSPI), and (iii) causing an alert to be generated.
- 9 . The computer implemented method of claim 1 , wherein augmenting the raw data includes at least one of: adding information obtained from the registrar, replacing the raw data, or combining rDNS requests from a first virtual cloud network.
- 10 . The computer implemented method of claim 1 wherein the identifying the irregular network activity comprises: generating a first baseline using prior augmented data, the prior augmented data generated prior to generating the first baseline; determining a deviation from the first baseline; and identifying the deviation as the irregular network activity.
- 11 . The computer implemented method of claim 10 , wherein: the first baseline identifies a portion of the monitored environment and a first threshold associated with the portion of the monitored environment; and determining the deviation comprises determining, based upon the augmented data, that the first threshold associated with the portion has been exceeded.
- 12 . The computer implemented method of claim 11 , wherein the first baseline represents a number of rDNS requests within the set of one or more rDNS resolver requests transmitted by the portion of the monitored environment.
- 13 . The computer implemented method of claim 11 , wherein the first baseline represents a number of rDNS requests within the set of one or more rDNS resolver requests transmitted by the portion of the monitored environment to resolve a set of one or more IP addresses.
- 14 . The computer implemented method of claim 11 , wherein the first baseline is different from a second baseline identifying a second portion of the monitored environment with a second threshold that is different from the first threshold.
- 15 . The computer implemented method of claim 1 , wherein the set of one or more reverse DNS resolver requests are generated by one or more VCNs, one or more regions, or one or more virtual machines.
- 16 . The computer implemented method of claim 1 , wherein the raw data and an external registrar are used when generating the augmented data.
- 17 . A cloud defense system comprising: one or more storage media storing instructions; one or more processors configured to execute the instructions to cause the cloud defense system to: monitor reverse DNS traffic associated with a monitored environment to obtain raw data, the reverse DNS traffic comprising a set of one or more reverse DNS resolver requests originating from the monitored environment and a set of one or more responses generated by one or more DNS resolvers in response to the set of one or more reverse DNS resolver requests, wherein the raw data includes data related to the set of one or more reverse DNS resolver requests and the set of one or more responses; generate, using the raw data, augmented data by obtaining at least a portion of the augmented data from a registrar based at least in part on the raw data, or organizing the raw data across a dimension of the raw data; determine, based at least in part on the augmented data, that a baseline network activity has been exceeded; and generate, based at least in part on the determination that the baseline network activity has been exceeded, one or more alerts or one or more reports, or identify one or more patterns in the augmented data.
- 18 . The cloud defense system of claim 17 , wherein the raw data indicates a virtual network where a reverse DNS resolver request originated, and wherein the processors are further configured to execute the instructions to cause the cloud defense system to identify portions of the monitored environment that are experiencing irregular network activity.
- 19 . The cloud defense system of claim 17 , wherein the baseline network activity indicates a first baseline for a first network activity source transmitting traffic to the monitored environment and a second baseline for a second network activity source transmitting traffic to the monitored environment, the second baseline is different than the first baseline.
- 20 . A non-transitory computer-readable medium storing a set of instructions, the set of instructions when executed by one or more processors cause processing to be performed comprising: monitoring, by a cloud defense system, reverse DNS traffic associated with a monitored environment, the reverse DNS traffic comprising a set of one or more reverse DNS resolver requests originating from the monitored environment and a set of one or more responses generated by one or more DNS resolvers in response to the set of one or more reverse DNS resolver requests; collecting, by the cloud defense system, and storing raw data based upon the monitoring of the reverse DNS traffic, the raw data including data related to the set of one or more reverse DNS resolver requests and the set of one or more responses; augmenting, by the cloud defense system, the raw data to generate augmented data, wherein augmenting the raw data includes obtaining at least a portion of the augmented data from a registrar based at least in part on the raw data, or includes organizing the raw data across a dimension of the raw data; identifying, by the cloud defense system, an irregular network activity associated with the monitored environment by determining, based at least in part on the augmented data, that a baseline network activity has been exceeded; and outputting, by the cloud defense system, a signal indicative of the irregular network activity.
Description
BACKGROUND
The adoption of cloud services has seen a meteoric rise in the last few years. This has resulted in a growing number of cloud service providers (CSPs) offering one or more cloud services to subscribing customers. In a typical scenario, a CSP provides a cloud environment comprising CSP-provided infrastructure that is used for providing one or more services offered by the CSP to its customers. The cloud environment can include networked compute resources, memory resources, networking resources, software resources, and other types of resources that are used for provision of the cloud services. The cloud environment typically comprises a physical network layer (referred to as a substrate layer) on top of which one or more virtual networks are supported and used to provide the cloud services.

Due to their distributed nature and complexity, CSP-provided cloud environments are highly exposed to malicious cyber-attacks. For a CSP, being able to protect the CSP's cloud environment from cyber-attacks unleashed by bad actors is of utmost importance. This is important for protecting the data and other customer resources that customers have entrusted to the CSP. Bad publicity arising from security breaches can ruin a CSP's business. CSPs are thus always on the lookout for new and innovative ways to better protect their cloud environments.

SUMMARY
The present disclosure relates to cyber-security techniques, and more particularly to techniques for monitoring a cloud environment and identifying potential problems, including malicious threats, to the monitored cloud environment using operational telemetry. In certain implementations, techniques are described for monitoring and collecting data related to reverse DNS (rDNS) traffic associated with a monitored cloud environment. The rDNS traffic consists of reverse (PTR) lookups originating from the cloud environment and the responses to those lookups returned by the recursive DNS resolvers that serve it.
This collected data is then analyzed to identify potential threats to the monitored cloud environment. The collected data may be analyzed to identify potential sources of threats and to identify one or more portions of the cloud environment that are the targets of the threats.

The present disclosure relates to monitoring DNS recursive resolver traffic, specifically PTR record resolutions. Through such monitoring, the region, VCN, and/or host machine associated with each rDNS request can be tracked, establishing how many regions, VCNs, and/or host machines attempted to resolve each PTR record. After collecting data, the observations can be aggregated, analyzed, and/or stored for subsequent use. Analysis of rDNS request and response data may include determining which systems are being targeted by irregular activity (e.g., malicious actors, abnormal activity) and/or determining what and/or who is the cause of the irregular activity. As a result of the analysis, alerts may be generated, actions performed (e.g., protective measures), reports generated, patterns recognized, etc.

Various embodiments are described herein, including methods, systems, non-transitory computer-readable storage media storing programs, code, or instructions executable by one or more processors, and the like. Some embodiments may be implemented by using a computer program product, comprising computer program/instructions which, when executed by a processor, cause the processor to perform any of the methods described in the disclosure.

In certain implementations, techniques (e.g., methods, systems, computer readable mediums) comprise monitoring, by a cloud defense system, reverse DNS traffic associated with a monitored environment, the reverse DNS traffic comprising a set of one or more reverse DNS resolver requests originating from the monitored environment and a set of one or more responses generated by one or more DNS resolvers in response to the set of one or more reverse DNS resolver requests.
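The pipeline the summary describes (PTR lookups tracked per VCN, aggregated into counts, compared against a per-portion baseline, and turned into a signal that names the affected VCN and the addresses being resolved) can be exercised end to end on a small constructed log. The Python below is an added example written for this page, not Oracle's code or the patented implementation. The resolver log format, the VCN names, the IP ranges, the prior per-window counts in HISTORY and the REGISTRY table standing in for registrar data are all constructed assumptions; the PTR-name parser handles both in-addr.arpa and ip6.arpa names, which goes slightly beyond the text.

```python
"""Added example: per-VCN baselines over reverse-DNS (PTR) resolver logs.

Illustrative code written for this page, not Oracle's implementation. The
log format, VCN names, IP ranges, history and registrar table are constructed.
"""
import ipaddress
import statistics
from collections import Counter, defaultdict

# Prior per-window PTR request counts for each VCN (the "prior augmented
# data" a baseline is built from). Constructed numbers.
HISTORY = {
    "vcn-a": [12, 15, 11, 14, 13, 12],
    "vcn-b": [40, 45, 38, 42, 44, 41],
}

# Stand-in for registrar/WHOIS data keyed by prefix. Constructed.
REGISTRY = {
    ipaddress.ip_network("10.0.0.0/24"): "example-tenant-net",
    ipaddress.ip_network("198.51.100.0/24"): "doc-net-2",
    ipaddress.ip_network("2001:db8::/32"): "doc-net-v6",
}


def constructed_window():
    """One observation window of resolver log lines (constructed), one per
    line: '<ts> <vcn> <qname> <rcode> <answer|->'. vcn-a sweeps an entire
    /24 (30 lookups, all NXDOMAIN); vcn-b looks like its usual self."""
    lines = [f"2023-09-13T10:00:{i:02d}Z vcn-a {i}.0.0.10.in-addr.arpa NXDOMAIN -"
             for i in range(1, 31)]
    lines += [f"2023-09-13T10:01:{i:02d}Z vcn-b {i % 5 + 1}.100.51.198.in-addr.arpa "
              f"NOERROR host-{i % 5 + 1}.example.net." for i in range(44)]
    v6 = ".".join(reversed("20010db8000000000000000000000001")) + ".ip6.arpa"
    lines.append(f"2023-09-13T10:02:00Z vcn-b {v6} NOERROR v6-host.example.net.")
    return lines


def ptr_to_ip(qname):
    """Turn an in-addr.arpa / ip6.arpa PTR name back into the address it
    resolves; None for anything that is not a well-formed reverse name."""
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None
        return ".".join(reversed(octets))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def parse_line(line):
    """Raw record: request side (vcn, qname) and response side (rcode, answer)."""
    ts, vcn, qname, rcode, answer = line.split(maxsplit=4)
    return {"ts": ts, "vcn": vcn, "qname": qname, "rcode": rcode,
            "answer": None if answer == "-" else answer.rstrip("."),
            "ip": ptr_to_ip(qname)}


def owner_of(ip_str):
    """Augmentation step: attribute a resolved address to a registrant."""
    ip = ipaddress.ip_address(ip_str)
    for net, owner in REGISTRY.items():
        if ip in net:
            return owner
    return "unknown"


def build_baselines(history, k=3.0, floor=5.0):
    """Per-portion threshold = mean + k*stdev over prior windows, never below
    `floor`. Each VCN gets its own threshold, so a count that is an anomaly
    for one VCN can be routine for another."""
    return {vcn: max(floor, statistics.mean(c) + k * statistics.stdev(c))
            for vcn, c in history.items()}


def analyze(lines, baselines):
    """Organize raw records by VCN, compare against that VCN's baseline and
    emit one finding per VCN that exceeds it, naming the prefix being
    resolved, how hard it was hit, and who the registry says owns it."""
    by_vcn = defaultdict(list)
    for rec in map(parse_line, lines):
        by_vcn[rec["vcn"]].append(rec)
    findings = []
    for vcn, recs in sorted(by_vcn.items()):
        threshold = baselines.get(vcn)  # a VCN with no history has no baseline yet
        if threshold is None or len(recs) <= threshold:
            continue
        ips = [r["ip"] for r in recs if r["ip"]]
        prefixes = Counter(
            str(ipaddress.ip_network(f"{ip}/{64 if ':' in ip else 24}", strict=False))
            for ip in ips)
        top_prefix, hits = prefixes.most_common(1)[0]
        findings.append({
            "vcn": vcn,
            "count": len(recs),
            "threshold": round(threshold, 2),
            "nxdomain_ratio": sum(r["rcode"] == "NXDOMAIN" for r in recs) / len(recs),
            "top_prefix": top_prefix,
            "prefix_hits": hits,
            "owner": owner_of(top_prefix.split("/")[0]),
        })
    return findings


def run():
    return analyze(constructed_window(), build_baselines(HISTORY))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run directly, it prints a single finding for vcn-a (30 lookups against a threshold near 17) and nothing for vcn-b, whose 45 lookups sit under its own, higher threshold. A deployment would replace REGISTRY with a real registrar query and HISTORY with stored prior windows, and would treat a VCN that has no baseline at all as its own first-seen signal rather than ignoring it as this code does. An NXDOMAIN ratio near 1.0 combined with consecutive addresses inside one prefix is worth surfacing in the alert: it is what a reverse sweep of a range looks like, as opposed to the scattered, mostly answered PTR lookups that logging and mail servers generate.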
The techniques may further comprise monitoring, by the cloud defense system, one or more responses to the set of one or more reverse DNS resolver requests. The techniques may further comprise collecting, by the cloud defense system, and storing raw data based upon the monitoring of the reverse DNS traffic, augmenting, by the cloud defense system, the raw data to generate augmented data, and identifying, by the cloud defense system, using the augmented data, an irregular network activity associated with the monitored environment. The techniques may further comprise outputting, by the cloud defense system, a signal indicative of the irregular network activity.

In certain implementations, identifying the irregular network activity comprises identifying a portion of the monitored environment that is experiencing the irregular network activity, the portion of the monitored environment comprising one or more components of the monitored environment. In certain implementations, the one or more components of the monit