CPC H04L 61/4511 (2022.05) [G06F 40/205 (2020.01); H04L 43/067 (2013.01); H04L 47/286 (2013.01); H04L 67/141 (2013.01)] | 20 Claims |
1. A computerized method comprising:
performing a time-to-live (TTL) analysis resulting in a determination of a TTL run length distribution, wherein applying the TTL analysis includes generating a vector of TTL values for a plurality of domain name system (DNS) records corresponding to a communication session between a first source device and a first DNS, and determining the TTL run length distribution for the plurality of DNS records based on the vector of the TTL values;
performing a transmission threshold analysis including obtaining a number of transmissions that have occurred within the communication session, and performing a threshold comparison between a threshold number of transmissions that have occurred and a predetermined threshold;
determining whether DNS beaconing is present within the communication session based on results of the TTL analysis and the transmission threshold analysis; and
responsive to determining that DNS beaconing is present, generating an alert indicating that DNS beaconing is present.
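The following Python sketch is an added illustration of the two analyses the claim combines (TTL run length distribution plus a transmission count check); it is not code from the patent. The record format, the constructed sample sessions, and the decision rule that a single run of identical TTLs must cover most of the session are assumptions for illustration, since the claim fixes no specific rule.

```python
from collections import Counter

# Constructed sample sessions: DNS records as dicts with a "ttl" field, in arrival order.
# Beacon-like: 24 queries to one name, every answer carrying the same TTL of 60 seconds.
BEACON_SESSION = [{"qname": "c2-placeholder.example", "ttl": 60} for _ in range(24)]
# Benign-like: a handful of queries with the mixed TTLs typical of ordinary browsing.
BENIGN_SESSION = [{"qname": "cdn.example", "ttl": t}
                  for t in (300, 300, 60, 3600, 120, 300, 60, 86400)]

def ttl_vector(records):
    """TTL analysis, step 1: the vector of TTL values for the records in the session."""
    return [r["ttl"] for r in records]

def ttl_run_length_distribution(ttls):
    """TTL analysis, step 2: run-length encode consecutive identical TTLs.
    Returns a Counter mapping run length -> number of runs of that length."""
    dist = Counter()
    i = 0
    while i < len(ttls):
        j = i
        while j < len(ttls) and ttls[j] == ttls[i]:
            j += 1
        dist[j - i] += 1
        i = j
    return dist

def longest_run_fraction(ttls):
    """Share of all records that fall inside the single longest run of identical TTLs.
    A value near 1.0 means the TTL never changed across the session."""
    if not ttls:
        return 0.0
    return max(ttl_run_length_distribution(ttls)) / len(ttls)

def transmission_threshold_exceeded(records, threshold):
    """Transmission threshold analysis: number of transmissions vs a predetermined threshold."""
    return len(records) >= threshold

def detect_dns_beaconing(records, min_transmissions=20, min_run_fraction=0.9):
    """Combine both analyses and produce an alert string when beaconing is indicated.
    The thresholds and the run-fraction rule are assumed values, not taken from the patent."""
    ttls = ttl_vector(records)
    stable_ttl = longest_run_fraction(ttls) >= min_run_fraction
    enough = transmission_threshold_exceeded(records, min_transmissions)
    beaconing = stable_ttl and enough
    alert = f"ALERT: DNS beaconing detected over {len(records)} queries" if beaconing else None
    return beaconing, alert
```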