US-12627694-B2 - DNS early threat response
Abstract
Various techniques for providing a DNS Early Threat Executive Response System (DETERS) are disclosed. In some embodiments, DETERS is a comprehensive DNS threat detection, response, and reporting system with a modular analytics architecture that allows for early detection of suspicious activity in near real-time. DETERS can identify threats before they are able to spread or compromise systems. DETERS uses a combination of streaming and batch processing, as well as historical DNS information. The DNS-centric design allows a DNS resolver to quickly mitigate threats and for the reporting system to alert users allowing them to take further actions that are reflected in the DNS resolver response policy.
Inventors
- Renée Carol Burton
- Darin Johnson
Assignees
- INFOBLOX INC.
Dates
- Publication Date: 2026-05-12
- Application Date: 2024-05-30
Claims (20)
- 1. A system, comprising: a processor configured to: monitor Domain Name System (DNS) network activity at a central DNS resolver; filter the DNS network activity at a primary detector to forward a subset of domains that were not previously analyzed or were recently registered for further security analysis; identify a suspicious domain from the subset of domains at a secondary detector in near real-time, comprising to: filter, based on a reputation score, the subset of domains to obtain a set of filtered domains, wherein the reputation score includes one or more of the following: an associated name server reputation score, and/or a top-level domain (TLD) reputation score; and confirm, based on a secure sockets layer (SSL) certificate information, a filtered domain of the set of filtered domains to obtain the suspicious domain; and perform an action in response to the identified suspicious domain; and a memory coupled to the processor and configured to provide the processor with instructions.
- 2. The system recited in claim 1, wherein the primary detector is configured to filter the DNS network activity based on a historical profile of previously queried domains.
- 3. The system recited in claim 1, wherein the primary detector is configured to filter the DNS network activity based on client IP address historical records including one or more of the following: (1) time of day to detect a device anomaly, and (2) a compromised device and/or geolocation information.
- 4. The system recited in claim 1, wherein the secondary detector is configured to score each of the subset of domains based on one or more of the following: hosted in a bad top level domain (TLD), hosted with a bad name server based on reputation, a known bad Autonomous System Name (ASN), associated with a domain generation algorithm (DGA) structure, and associated with a domain lookalike structure.
- 5. The system recited in claim 1, wherein the DNS network activity is filtered based on a network for a plurality of monitored enterprise, university, and/or government networks.
- 6. The system recited in claim 1, wherein a cloud resolver forwards the DNS network activity to a cloud-based DNS security.
- 7. The system recited in claim 1, wherein the processor is further configured to: perform additional security analysis on the suspicious domain using a confirmation queue to validate that the suspicious domain is malicious and to promote the suspicious domain to a longer term block or to determine that the domain is not suspicious and to not block the now validated as legitimate domain.
- 8. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of the suspicious domain: block the suspicious domain in near real-time at a DNS security platform, wherein the suspicious domain is blocked at least for a predetermined period of time.
- 9. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to confirmation that the suspicious domain is malicious: block a spear phishing attack at a DNS security platform.
- 10. The system recited in claim 1, wherein the processor is further configured to: report the suspicious domain for a first network based on a DNS security policy associated with the first network.
- 11. A method, comprising: monitoring Domain Name System (DNS) network activity at a central DNS resolver; filtering the DNS network activity at a primary detector to forward a subset of domains that were not previously analyzed or were recently registered for further security analysis; identifying a suspicious domain from the subset of domains at a secondary detector in near real-time, comprising: filtering, based on a reputation score, the subset of domains to obtain a set of filtered domains, wherein the reputation score includes one or more of the following: an associated name server reputation score, and/or a top-level domain (TLD) reputation score; and confirming, based on a secure sockets layer (SSL) certificate information, a filtered domain of the set of filtered domains to obtain the suspicious domain; and performing an action in response to the identified suspicious domain.
- 12. The method of claim 11, wherein the primary detector is configured to filter the DNS network activity based on a historical profile of previously queried domains.
- 13. The method of claim 11, wherein the primary detector is configured to filter the DNS network activity based on client IP address historical records including one or more of the following: (1) time of day to detect a device anomaly, and (2) a compromised device and/or geolocation information.
- 14. The method of claim 11, wherein the secondary detector is configured to score each of the subset of domains based on one or more of the following: hosted in a bad top level domain (TLD), hosted with a bad name server based on reputation, a known bad Autonomous System Name (ASN), associated with a domain generation algorithm (DGA) structure, and associated with a domain lookalike structure.
- 15. The method of claim 11, wherein the DNS network activity is filtered based on a network for a plurality of monitored enterprise, university, and/or government networks.
- 16. The method of claim 11, wherein a cloud resolver forwards the DNS network activity to a cloud-based DNS security.
- 17. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: monitoring Domain Name System (DNS) network activity at a central DNS resolver; filtering the DNS network activity at a primary detector to forward a subset of domains that were not previously analyzed or were recently registered for further security analysis; identifying a suspicious domain from the subset of domains at a secondary detector in near real-time, comprising: filtering, based on a reputation score, the subset of domains to obtain a set of filtered domains, wherein the reputation score includes one or more of the following: an associated name server reputation score, and/or a top-level domain (TLD) reputation score; and confirming, based on a secure sockets layer (SSL) certificate information, a filtered domain of the set of filtered domains to obtain the suspicious domain; and performing an action in response to the identified suspicious domain.
- 18. The computer program product of claim 17, wherein the primary detector is configured to filter the DNS network activity based on a historical profile of previously queried domains.
- 19. The computer program product of claim 17, wherein the primary detector is configured to filter the DNS network activity based on client IP address historical records including one or more of the following: (1) time of day to detect a device anomaly, and (2) a compromised device and/or geolocation information.
- 20. The computer program product of claim 17, wherein the secondary detector is configured to score each of the subset of domains based on one or more of the following: hosted in a bad top level domain (TLD), hosted with a bad name server based on reputation, a known bad Autonomous System Name (ASN), associated with a domain generation algorithm (DGA) structure, and associated with a domain lookalike structure.
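The claims describe a staged pipeline: a primary detector that forwards only never-seen or newly registered domains, a secondary detector that scores them on TLD, name server, ASN, DGA and lookalike signals, a certificate-based confirmation, a near-real-time block for a fixed period, and a confirmation queue that promotes the domain to a long-term block or releases it. The following is an added example written for this page to show that flow end to end; it is not code from the patent or from Infoblox. The reputation lists, the entropy and vowel thresholds, the "self-signed or minted in the last three days" certificate rule, the last-two-labels registrable-domain rule and the RPZ output format are all assumptions of the example, and the query log, name-server/ASN annotations and certificate facts are constructed.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed reputation data and thresholds: assumptions for this example only.
BAD_TLDS = {"zip", "top", "xyz"}
BAD_NAMESERVERS = {"ns1.cheaphost.example"}
BAD_ASNS = {"AS64500"}
BRANDS = ("paypal", "microsoft", "infoblox")
BLOCK_TTL = 24 * 3600    # claim 8: near-real-time block for a predetermined period
FRESH_CERT_DAYS = 3      # assumption: a days-old cert on a never-seen domain is a phishing tell


def registrable(qname: str) -> str:
    # Simplification: last two labels; a real system would consult the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_dga(domain: str) -> bool:
    # Long, high-entropy, vowel-poor first label: the DGA structure of claim 4.
    label = domain.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and shannon_entropy(label) > 3.0 and vowels / len(label) < 0.3


def lookalike_of(domain: str) -> Optional[str]:
    # Brand embedded in the first label after stripping separators and digit homoglyphs (claim 4).
    label = re.sub(r"[^a-z0-9]", "", domain.split(".")[0]).translate(str.maketrans("10", "lo"))
    return next((b for b in BRANDS if b in label and label != b), None)


@dataclass
class PrimaryDetector:
    # Claim 2: forward only domains absent from the historical profile of queried domains.
    history: set = field(default_factory=set)

    def filter(self, queries: list) -> list:
        fresh = []
        for _client_ip, qname in queries:
            dom = registrable(qname)
            if dom not in self.history:
                self.history.add(dom)
                fresh.append(dom)
        return fresh


def score(domain: str, meta: dict) -> list:
    # Claim 4 signals; meta is a constructed annotation record (name server, ASN) for the domain.
    brand = lookalike_of(domain)
    signals = [
        ("bad_tld", domain.rsplit(".", 1)[-1] in BAD_TLDS),
        ("bad_ns", meta.get("ns") in BAD_NAMESERVERS),
        ("bad_asn", meta.get("asn") in BAD_ASNS),
        ("dga", looks_like_dga(domain)),
        ("lookalike:" + str(brand), brand is not None),
    ]
    return [tag for tag, hit in signals if hit]


def cert_confirms(cert: Optional[dict], now: float) -> bool:
    # Claim 1 confirmation on certificate information. The patent states no rule; this
    # "self-signed or issued within FRESH_CERT_DAYS" check is the example's own heuristic.
    if cert is None:
        return False
    return cert.get("self_signed", False) or (now - cert["not_before"]) / 86400 <= FRESH_CERT_DAYS


@dataclass
class ResponsePolicy:
    blocked: dict = field(default_factory=dict)          # domain -> expiry epoch (inf = long term)
    confirmation_queue: list = field(default_factory=list)

    def block(self, domain: str, now: float) -> None:
        self.blocked[domain] = now + BLOCK_TTL
        self.confirmation_queue.append(domain)

    def resolve_queue(self, verdicts: dict) -> None:
        # Claim 7: promote confirmed-malicious domains to a long-term block, release the rest.
        for domain in [d for d in self.confirmation_queue if d in verdicts]:
            self.confirmation_queue.remove(domain)
            if verdicts[domain]:
                self.blocked[domain] = math.inf
            else:
                self.blocked.pop(domain, None)

    def is_blocked(self, domain: str, now: float) -> bool:
        return self.blocked.get(domain, 0.0) > now

    def to_rpz(self) -> str:
        # Assumption: the resolver consumes BIND-style RPZ records; CNAME '.' answers NXDOMAIN.
        return "\n".join(f"{d} CNAME ." for d in sorted(self.blocked))


def run_pipeline(queries: list, annotations: dict, certs: dict, now: float):
    primary, policy, findings = PrimaryDetector(), ResponsePolicy(), {}
    for domain in primary.filter(queries):
        reasons = score(domain, annotations.get(domain, {}))
        if reasons and cert_confirms(certs.get(domain), now):
            findings[domain] = reasons
            policy.block(domain, now)
    return findings, policy


NOW = 1_700_000_000.0
QUERIES = [  # constructed resolver log: (client IP, queried name)
    ("10.0.0.5", "www.microsoft.com"),
    ("10.0.0.5", "paypa1-login.top"),
    ("10.0.0.9", "xk3j9qlmz7wvb.xyz"),
    ("10.0.0.9", "paypa1-login.top"),    # repeat: dropped by the primary detector's history
    ("10.0.0.7", "newvendor.example"),   # never seen, but clean on every signal
]
ANNOTATIONS = {  # constructed name-server / ASN lookups
    "paypa1-login.top": {"ns": "ns1.cheaphost.example", "asn": "AS64500"},
    "xk3j9qlmz7wvb.xyz": {"ns": "ns1.cheaphost.example", "asn": "AS64500"},
    "newvendor.example": {"ns": "ns.goodhost.example", "asn": "AS64496"},
    "microsoft.com": {"ns": "ns1.goodhost.example", "asn": "AS64496"},
}
CERTS = {  # constructed certificate facts (not_before as epoch seconds)
    "paypa1-login.top": {"not_before": NOW - 86400, "self_signed": False},
    "xk3j9qlmz7wvb.xyz": {"not_before": NOW - 3600, "self_signed": True},
    "newvendor.example": {"not_before": NOW - 30 * 86400, "self_signed": False},
}

if __name__ == "__main__":
    found, pol = run_pipeline(QUERIES, ANNOTATIONS, CERTS, NOW)
    for dom, why in found.items():
        print(f"{dom}: {', '.join(why)}")
    pol.resolve_queue({"paypa1-login.top": True, "xk3j9qlmz7wvb.xyz": False})  # constructed verdicts
    print(pol.to_rpz())
```

Running it blocks `paypa1-login.top` (bad TLD, bad name server, bad ASN, PayPal lookalike, day-old certificate) and `xk3j9qlmz7wvb.xyz` (same hosting signals plus DGA structure and a self-signed certificate), leaves `newvendor.example` and `microsoft.com` untouched, and after the constructed verdicts emits a single long-term RPZ record. The two things to take from it are the ordering, cheap novelty filtering before any reputation lookup, and the fact that a temporary block plus a confirmation queue lets the resolver act before the expensive analysis finishes without committing to a permanent false positive.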
Description
CROSS REFERENCE TO OTHER APPLICATIONS
This application claims priority to U.S. Provisional Patent Application No. 63/521,437 entitled DNS EARLY THREAT RESPONSE filed Jun. 16, 2023, which is incorporated herein by reference for all purposes.
BACKGROUND OF THE INVENTION
Domain Name System network services are generally ubiquitous in IP-based networks. Generally, a client (e.g., a computing device) attempts to connect to a server(s) over the Internet by using web addresses (e.g., Uniform Resource Locators (URLs) including domain names or fully qualified domain names). Web addresses are translated into IP addresses. The Domain Name System (DNS) is responsible for performing this translation from web addresses into IP addresses. Specifically, requests including web addresses are sent to DNS servers that generally reply with corresponding IP addresses or with an error message in case the domain has not been registered (a non-existent domain).
BRIEF DESCRIPTION OF THE DRAWINGS
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
FIG. 1 shows an overall dataflow of a DNS Early Threat Response System (DETERS) in accordance with some embodiments.
FIG. 2 illustrates a DETERS spear phishing use case timeline in accordance with some embodiments.
FIG. 3 is a logic flow for the DETERS primary detection of suspicious domains in accordance with some embodiments.
FIG. 4 illustrates the secondary detectors in DETERS that are responsible for refining the findings of the primary detectors, annotating those detections, and making the results available for the response system in accordance with some embodiments.
FIG. 5 is a flow diagram for a DNS early threat response system in accordance with some embodiments.
FIG. 6 is another flow diagram for a DNS early threat response system in accordance with some embodiments.
DETAILED DESCRIPTION
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term 'processor' refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
Domain Name System network services are generally ubiquitous in IP-based networks. Generally, a client (e.g., a computing device) attempts to connect to a server(s) over the Internet by using web addresses (e.g., Uniform Resource Locators (URLs) including domain names or fully qualified domain names (FQDNs)). Web addresses are translated into IP addresses. The Domain Name System (DNS) is responsible for performing this translation from web addresses into IP addresses. Specifically, requests including web addresses are sent to DNS servers that generally reply with corresponding IP addresses or with an error message in case the domain has not been registered, a non-existent domain (e.g., an NXDOMAIN response is returned by DNS servers for a non-existent domain).
Overview of Techniques for a DNS Early Threat Executive Response System (DETERS)
Various techniques for providing a DNS Early Threat Executive Response System (DETERS) are disclosed. The disclosed DETERS solution can be implemented in various system, process, and/or computer program embodiments, such as will be further described below with respect to various embodiment