-
Publication number: US11477161B1
Publication date: 2022-10-18
Application number: US17514814
Filing date: 2021-10-29
Applicant: SPLUNK Inc.
Inventor: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Zhaohui Wang
IPC: H04L61/4511, H04L67/141, H04L43/067, H04L47/28, G06F40/205
Abstract: A computerized method is disclosed that includes accessing domain name server (DNS) record data including a plurality of DNS records spanning a first time period, and performing a time-to-live (TTL) analysis to determine a TTL run length distribution for the DNS record data. The TTL analysis includes generating a vector of the TTL values of each DNS record ordered sequentially in time, parsing the vector of TTL values into segments, where a segment consists of one or more TTL values in which each TTL value is less than the immediately preceding TTL value, and determining the TTL run length distribution. The method further includes determining whether DNS beaconing is present based on a result of the TTL analysis and, in response to determining that DNS beaconing is present, generating an alert for a system administrator.
-
Publication number: US11792157B1
Publication date: 2023-10-17
Application number: US17941502
Filing date: 2022-09-09
Applicant: SPLUNK Inc.
Inventor: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Zhaohui Wang
IPC: H04L61/4511, H04L67/141, G06F40/205, H04L43/067, H04L47/28
CPC classification number: H04L61/4511, G06F40/205, H04L43/067, H04L47/286, H04L67/141
Abstract: The disclosure provides implementations for determining whether domain name server (DNS) beaconing is present within a communication session. Some implementations provide a method that includes multiple analyses: analyzing a time-to-live (TTL) run length distribution for a plurality of DNS records within the communication session, and analyzing whether the communication session comprises at least a threshold number of transmissions. As used in the analyses, the communication session may comprise transmissions between a first source device and a first DNS server. When DNS beaconing is detected within the communication session, some implementations of the disclosure provide for generating an alert to an administrator or other user.
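The two abstracts above describe one technique: the TTL run-length analysis of US11477161B1 and the transmission-count threshold that US11792157B1 adds to it. The Python below is an illustration added for this page, not Splunk's code. It segments a time-ordered TTL vector as the first abstract phrases it (a value joins the current run only if it is strictly less than its predecessor), builds the run-length distribution, and then applies a decision rule that is an assumption of this example, since neither abstract states one: a minimum number of transmissions in the session, a minimum number of runs, and a low coefficient of variation of run length, which is what a fixed-interval beacon against a fixed-TTL name produces when the resolver serves its cached answer. Sessions are grouped by (source address, queried name), also an assumption; the log records, addresses and names are constructed.

```python
"""TTL run-length analysis for DNS beaconing (added illustration).

The segmentation follows the abstract's wording; the decision rule in
beaconing_verdict() is an assumption made for this example and is not
taken from the patents.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def segment_ttl_runs(ttls):
    """Split a time-ordered TTL vector into runs and return their lengths.

    A TTL joins the current run only if it is strictly less than the value
    before it (a resolver re-serving a cached answer counts the TTL down).
    Any other transition, including an equal value or a reset to the
    authoritative TTL, starts a new run.
    """
    runs = []
    current_len = 0
    prev = None
    for ttl in ttls:
        if current_len and ttl < prev:
            current_len += 1
        else:
            if current_len:
                runs.append(current_len)
            current_len = 1
        prev = ttl
    if current_len:
        runs.append(current_len)
    return runs


def run_length_distribution(ttls):
    """Histogram {run_length: number_of_runs} of the TTL vector."""
    return Counter(segment_ttl_runs(ttls))


def beaconing_verdict(ttls, min_transmissions=20, min_runs=3, max_cv=0.25):
    """Assumed decision rule (not the patents'): returns (is_beaconing, reason).

    Flag a session only if it carries at least min_transmissions lookups,
    shows at least min_runs cache count-down runs, and the run lengths are
    regular (coefficient of variation <= max_cv).
    """
    if len(ttls) < min_transmissions:
        return False, f"only {len(ttls)} transmissions (< {min_transmissions})"
    runs = segment_ttl_runs(ttls)
    if len(runs) < min_runs:
        return False, f"only {len(runs)} runs (< {min_runs})"
    avg = mean(runs)
    if avg < 2:
        return False, "answers were not re-served from cache (mean run length < 2)"
    cv = pstdev(runs) / avg
    if cv > max_cv:
        return False, f"irregular run lengths, cv={cv:.2f}"
    return True, f"{len(runs)} runs, mean length {avg:.1f}, cv={cv:.2f}"


def build_sample_records():
    """Constructed resolver log: (timestamp_s, source_ip, qname, ttl_in_answer).

    Addresses and names are hypothetical.
    """
    records = []
    # A beacon asking every 60 s for a name with a 300 s TTL: the cached
    # answer comes back as 300, 240, 180, 120, 60, then resets to 300.
    for i in range(30):
        records.append((i * 60, "10.0.0.5", "sync.cdn-updates.example", 300 - 60 * (i % 5)))
    # Organic lookups of a 3600 s TTL name at irregular times.
    organic = [3600, 3590, 3585, 3600, 3600, 3200, 3600, 2900, 2895, 2890, 2880, 3600,
               1200, 3600, 3599, 3598, 3597, 3596, 3595, 3594, 3600, 100, 3600, 3400]
    for i, ttl in enumerate(organic):
        records.append((i * 37, "10.0.0.7", "www.example", ttl))
    # Perfectly regular but only eight lookups: below the session threshold.
    for i in range(8):
        records.append((i * 60, "10.0.0.9", "short.example", 300 - 60 * (i % 4)))
    return records


def analyze(records):
    """Group records into (source, qname) sessions and judge each one."""
    sessions = defaultdict(list)
    for ts, src, qname, ttl in records:
        sessions[(src, qname)].append((ts, ttl))
    verdicts = {}
    for key, items in sessions.items():
        ttls = [ttl for _, ttl in sorted(items)]
        verdicts[key] = beaconing_verdict(ttls)
    return verdicts


if __name__ == "__main__":
    for (src, qname), (flag, why) in analyze(build_sample_records()).items():
        print(f"{'ALERT' if flag else 'ok   '} {src} -> {qname}: {why}")
```

Two practical notes. Because the abstract says "less than", an equal TTL (two queries answered within the same second) starts a new run; on a busy resolver that inflates the count of length-1 runs, and relaxing the comparison to "less than or equal" is a reasonable deviation. Second, the run lengths depend on the authoritative TTL as much as on the beacon interval: a 60 s beacon against a 60 s TTL never sees a cached answer and yields only length-1 runs, which is why the transmission-count check from the second patent matters alongside the run-length distribution.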
-
Publication number: US12056169B1
Publication date: 2024-08-06
Application number: US17513670
Filing date: 2021-10-28
Applicant: SPLUNK Inc.
Inventor: Abhinav Mishra, Giovanni Mola, Ram Sriharsha, Abraham Starosta, Zhaohui Wang
CPC classification number: G06F16/334, G06F16/35, G06N20/00
Abstract: A computerized method is disclosed that includes training a machine learning model using a labeled training set of data, wherein the machine learning model is configured to classify domain name server (DNS) records; obtaining DNS record data including at least a first DNS TXT record; applying the trained machine learning model to the first DNS TXT record to classify it; and, responsive to the classification of the first DNS TXT record, generating a flag for a system administrator. The trained machine learning model may classify the first DNS TXT record using logistic regression. In some instances, applying the trained machine learning model to the first DNS TXT record includes performing a tokenizing operation on the first DNS TXT record to generate a tokenized first DNS TXT record.
-