US-12621316-B2 - DNS automated intelligence
Abstract
Various techniques for providing a DNS automated intelligence solution are disclosed. In some embodiments, a DNS Automated Intelligence System (DAISy) is disclosed that includes a system designed to create threat intelligence for use in protective DNS, or DNS Detection and Response systems which control access to internet resources at a DNS resolver. The disclosed DAISy solution includes the ingestion of raw source data, the curation and refinement of this source data into specialized data sets used for identifying threats, active processes to increase visibility into internet domain names, and can also include human-in-the-loop acceleration that allows for rapid automation, and a modular incorporation of DNS-specific signatures for identification of suspicious domain names. The disclosed DAISy solution is self-sustaining, automated, and incorporates human guidance. Moreover, it is effective for scaling the detection of malicious and suspicious domains, which is not possible with existing traditional approaches to DNS security.
Inventors
- Renée Carol Burton
- Christopher June Kim
- Laura Teixeira da Rocha
- Chance Mitchell Tudor
Assignees
- INFOBLOX INC.
Dates
- Publication Date: 2026-05-05
- Application Date: 2024-05-30
Claims (13)
- 1. A system, comprising: a processor configured to: selectively aggregate DNS data from a plurality of networks; automatically classify DNS resources from the aggregated DNS data, comprising to: identify a new domain from the aggregated DNS data; determine at least one name server associated with the new domain; classify the at least one name server based on a set of existing DNS signatures, wherein one DNS signature of the set of existing DNS signatures includes a set of characteristics, wherein the set of characteristics includes one or more of the following: a top level domain (TLD), a name server, autonomous system number (ASN), and/or a mail server; determine that the at least one name server is malicious; and in response to a determination that the at least one name server is malicious, determine that the at least one name server is a new threat domain; send new threat domains to a DNS threat feed; and perform the following action in response to identification of the new threat domain, comprising to: block the new threat domain at a DNS security platform; and a memory coupled to the processor and configured to provide the processor with instructions.
- 2. The system recited in claim 1, wherein a new domain server is identified as a compromised or an inherently malicious or suspicious name server.
- 3. The system recited in claim 1, wherein a new domain server is identified as a compromised or an inherently malicious or suspicious name server, and wherein new domains associated with the new domain server are monitored to identify new malicious domains.
- 4. The system recited in claim 1, wherein the aggregated DNS data is collected from a plurality of monitored enterprise, university, and/or government networks.
- 5. The system recited in claim 1, wherein the processor is further configured to: report a new threat domain for a first network based on a DNS security policy associated with the first network.
- 6. The system recited in claim 1, wherein the processor is further configured to: quarantine an unclassified domain for further security professional review to update configuration for a classifier.
- 7. The system recited in claim 1, wherein the processor is further configured to: automatically generate a new DNS signature for a new DNS threat using a statistical classifier.
- 8. The system recited in claim 1, wherein the processor is further configured to: periodically revisit the new threat domains during a predetermined time window to update threat intelligence information associated with the new threat domains.
- 9. A method, comprising: selectively aggregating DNS data from a plurality of networks; automatically classifying DNS resources from the aggregated DNS data, comprising: identifying a new domain from the aggregated DNS data; determining at least one name server associated with the new domain; classifying the at least one name server based on a set of existing DNS signatures, wherein one DNS signature of the set of existing DNS signatures includes a set of characteristics, wherein the set of characteristics includes one or more of the following: a top level domain (TLD), a name server, autonomous system number (ASN), and/or a mail server; determining that the at least one name server is malicious; and in response to a determination that the at least one name server is malicious, determining that the at least one name server is a new threat domain; sending new threat domains to a DNS threat feed; and performing the following action in response to identification of the new threat domain, comprising: blocking the new threat domain at a DNS security platform.
- 10. The method of claim 9, wherein a new domain server is identified as a compromised or an inherently malicious or suspicious name server.
- 11. The method of claim 9, wherein a new domain server is identified as a compromised or an inherently malicious or suspicious name server, and wherein new domains associated with the new domain server are monitored to identify new malicious domains.
- 12. The method of claim 9, wherein the aggregated DNS data is collected from a plurality of monitored enterprise, university, and/or government networks.
- 13. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: selectively aggregating DNS data from a plurality of networks; automatically classifying DNS resources from the aggregated DNS data, comprising: identifying a new domain from the aggregated DNS data; determining at least one name server associated with the new domain; classifying the at least one name server based on a set of existing DNS signatures, wherein one DNS signature of the set of existing DNS signatures includes a set of characteristics, wherein the set of characteristics includes one or more of the following: a top level domain (TLD), a name server, autonomous system number (ASN), and/or a mail server; determining that the at least one name server is malicious; and in response to a determination that the at least one name server is malicious, determining that the at least one name server is a new threat domain; sending new threat domains to a DNS threat feed; and performing the following action in response to identification of the new threat domain, comprising: blocking the new threat domain at a DNS security platform.
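The procedure claimed in claims 1, 9 and 13 (classify a new domain's name server against DNS signatures built from TLD, name server, ASN and mail server, push domains on malicious name servers to a threat feed, block them at the resolver) in working form, as an added example that is not the patent's or Infoblox's code. Everything in it is a hypothetical model: the `DnsObservation`, `DnsSignature` and `Daisy` names, the matching rule (a signature matches when every characteristic it specifies equals the record's value), and the constructed sample domains and documentation ASNs. It also covers claim 3 (new domains seen under a name server already judged malicious are themselves treated as threats) and claim 6 (unclassified or merely suspicious domains are quarantined for analyst review rather than blocked).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterable, Optional

@dataclass(frozen=True)
class DnsObservation:
    """A newly seen domain plus the context used to classify its name server."""
    domain: str
    name_server: str
    asn: int                          # ASN announcing the name server's address
    mail_server: Optional[str] = None

    @property
    def tld(self) -> str:
        return self.domain.rsplit(".", 1)[-1]

@dataclass(frozen=True)
class DnsSignature:
    """Matches a record when every characteristic it specifies equals the record's."""
    name: str
    verdict: str                      # "malicious" or "suspicious"
    tld: Optional[str] = None
    name_server: Optional[str] = None
    asn: Optional[int] = None
    mail_server: Optional[str] = None

    def matches(self, rec: DnsObservation) -> bool:
        wanted = [(self.tld, rec.tld), (self.name_server, rec.name_server),
                  (self.asn, rec.asn), (self.mail_server, rec.mail_server)]
        return all(w is None or w == have for w, have in wanted)

@dataclass
class Daisy:
    """Hypothetical pipeline: classify new domains via their name servers,
    send malicious ones to a threat feed, block them at resolution."""
    signatures: list[DnsSignature]
    known_domains: set[str] = field(default_factory=set)
    malicious_name_servers: set[str] = field(default_factory=set)
    threat_feed: set[str] = field(default_factory=set)
    quarantine: set[str] = field(default_factory=set)   # held for analyst review

    def classify_name_server(self, rec: DnsObservation) -> str:
        # A name server already judged malicious taints every new domain under
        # it before any signature is consulted (claim 3).
        if rec.name_server in self.malicious_name_servers:
            return "malicious"
        for sig in self.signatures:
            if sig.matches(rec):
                return sig.verdict
        return "unknown"

    def ingest(self, observations: Iterable[DnsObservation]) -> list[str]:
        """Classify domains not seen before; return the new threat domains."""
        new_threats: list[str] = []
        for rec in observations:
            if rec.domain in self.known_domains:
                continue                      # only new domains are classified
            self.known_domains.add(rec.domain)
            verdict = self.classify_name_server(rec)
            if verdict == "malicious":
                self.malicious_name_servers.add(rec.name_server)
                self.threat_feed.add(rec.domain)
                new_threats.append(rec.domain)
            else:
                # suspicious or unclassified: quarantine for review (claim 6)
                # instead of blocking on an uncertain verdict
                self.quarantine.add(rec.domain)
        return new_threats

    def resolve_policy(self, qname: str) -> str:
        """Enforcement at the DNS security platform: a query for a threat
        domain, or any name beneath it, is blocked instead of resolved."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.threat_feed:
                return "BLOCK"
        return "RESOLVE"

# Constructed sample data: placeholder names under the invented "tld" label and
# documentation ASNs 64496/64497 (RFC 5398); none refers to a real operator.
SIGNATURES = [
    DnsSignature("bad-host-ns", "malicious",
                 name_server="ns1.badhost.tld", asn=64496),
    DnsSignature("spam-relay-mx", "suspicious", mail_server="mx.relay.tld"),
]
SAMPLE_OBSERVATIONS = [
    DnsObservation("acme.tld", "ns1.badhost.tld", 64496),
    DnsObservation("shop.tld", "ns1.badhost.tld", 64497),  # tainted NS only
    DnsObservation("news.tld", "ns.registrar.tld", 64497, "mx.relay.tld"),
    DnsObservation("acme.tld", "ns1.badhost.tld", 64496),  # repeat, skipped
]

def run_sample() -> tuple[Daisy, list[str]]:
    """Run the first batch; return the system and the new threat domains."""
    daisy = Daisy(list(SIGNATURES))
    return daisy, daisy.ingest(SAMPLE_OBSERVATIONS)
```

Running `run_sample()` produces `acme.tld` (matched by the name-server/ASN signature) and `shop.tld` (no signature match, but it sits on the name server just judged malicious) as threat domains, while `news.tld` only matches the suspicious mail-server signature and lands in quarantine. The resolver check walks every parent of the queried name, so `www.acme.tld.` is blocked along with the apex; a production system would add the expiry and periodic re-evaluation that claim 8 describes rather than keep threat domains indefinitely.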
Description
CROSS REFERENCE TO OTHER APPLICATIONS
This application claims priority to U.S. Provisional Patent Application No. 63/538,587 entitled DNS AUTOMATED INTELLIGENCE filed Sep. 15, 2023, which is incorporated herein by reference for all purposes.
BACKGROUND OF THE INVENTION
Domain Name System network services are generally ubiquitous in IP-based networks. Generally, a client (e.g., a computing device) attempts to connect to a server(s) over the Internet by using web addresses (e.g., Uniform Resource Locators (URLs) including domain names or fully qualified domain names). Web addresses are translated into IP addresses. The Domain Name System (DNS) is responsible for performing this translation from web addresses into IP addresses. Specifically, requests including web addresses are sent to DNS servers, which generally reply with the corresponding IP addresses or, when the domain has not been registered (a non-existent domain), with an error message.
BRIEF DESCRIPTION OF THE DRAWINGS
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
FIG. 1 illustrates DNS Automated Intelligence System (DAISy) components, from when DNS resources (e.g., domains and IP addresses) are first seen in the systems from a plurality of networks to their final destination (e.g., a DNS Detection and Response (DDR) resolver), in accordance with some embodiments.
FIG. 2 illustrates a simplified view of the DAISy process for a single observed domain name acme.tld in accordance with some embodiments.
FIG. 3 is a flow diagram that illustrates the processing performed using the DAISy name server techniques to discover both new domains and name servers and to determine whether the domains and name servers are suspicious, malicious, or unknown in accordance with some embodiments.
FIG. 4 illustrates an overview of the DAISy system and its components in accordance with some embodiments.
FIG. 5 is a hypothetical example of a threat researcher manually creating a DNS signature after identifying DNS textual and configuration patterns in accordance with some embodiments.
FIG. 6 illustrates automated DNS signature generation in accordance with some embodiments.
FIG. 7 illustrates an overview of the domain lifecycle in accordance with some embodiments.
FIG. 8 illustrates a human acceleration component in accordance with some embodiments.
FIG. 9 is a flow diagram for providing DNS automated intelligence in accordance with some embodiments.
FIG. 10 is another flow diagram for providing DNS automated intelligence in accordance with some embodiments.
DETAILED DESCRIPTION
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
Domain Name System network services are generally ubiquitous in IP-based networks. Generally, a client (e.g., a computing device) attempts to connect to a server(s) over the Internet by using web addresses (e.g., Uniform Resource Locators (URLs) including domain names or fully qualified domain names (FQDNs)). Web addresses are translated into IP addresses. The Domain Name System (DNS) translates domain names, which can themselves be web