US 11,792,157 B1
Detection of DNS beaconing through time-to-live and transmission analyses
Abhinav Mishra, San Francisco, CA (US); Giovanni Mola, San Francisco, CA (US); Ram Sriharsha, Oakland, CA (US); and Zhaohui Wang, San Francisco, CA (US)
Assigned to Splunk Inc., San Francisco, CA (US)
Filed by SPLUNK Inc., San Francisco, CA (US)
Filed on Sep. 9, 2022, as Appl. No. 17/941,502.
Application 17/941,502 is a continuation of application No. 17/514,814, filed on Oct. 29, 2021, granted, now 11,477,161.
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 61/4511 (2022.01); H04L 67/141 (2022.01); G06F 40/205 (2020.01); H04L 43/067 (2022.01); H04L 47/28 (2022.01)
CPC H04L 61/4511 (2022.05) [G06F 40/205 (2020.01); H04L 43/067 (2013.01); H04L 47/286 (2013.01); H04L 67/141 (2013.01)] 20 Claims
 
1. A computerized method comprising:
performing a time-to-live (TTL) analysis resulting in a determination of a TTL run length distribution, wherein applying the TTL analysis includes generating a vector of TTL values for a plurality of domain name system (DNS) records corresponding to a communication session between a first source device and a first DNS, and determining the TTL run length distribution for the plurality of DNS records based on the vector of the TTL values;
performing a transmission threshold analysis including obtaining a number of transmissions that have occurred within the communication session, and performing a threshold comparison between a threshold number of transmissions that have occurred and a predetermined threshold;
determining whether DNS beaconing is present within the communication session based on results of the TTL analysis and the transmission threshold analysis; and
responsive to determining that DNS beaconing is present, generating an alert indicating that DNS beaconing is present.
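The four steps of claim 1, as an added toy implementation that is not the patent's or Splunk's code. The decision rule (one TTL run covering most of the session, plus a transmission count over the threshold), the numeric thresholds and the sample sessions are assumptions of this example, since the claim does not fix them.

```python
from collections import Counter
from itertools import groupby
from typing import Dict, List, NamedTuple


class DnsRecord(NamedTuple):
    ts: float      # seconds since epoch
    qname: str     # queried name
    ttl: int       # TTL carried in the answer


def ttl_vector(records: List[DnsRecord]) -> List[int]:
    """Vector of TTL values in transmission order (the claim's TTL analysis, step 1)."""
    return [r.ttl for r in sorted(records, key=lambda r: r.ts)]


def ttl_run_length_distribution(ttls: List[int]) -> Dict[int, int]:
    """Map run length -> number of runs; a run is a maximal stretch of equal consecutive TTLs."""
    return dict(Counter(sum(1 for _ in group) for _, group in groupby(ttls)))


def detect_beaconing(records: List[DnsRecord], tx_threshold: int = 20,
                     dominant_run_fraction: float = 0.8) -> bool:
    """Assumed decision rule (the claim leaves it open): flag the session when a single
    TTL run covers most of the records and the transmission count exceeds the threshold."""
    ttls = ttl_vector(records)
    if not ttls:
        return False
    longest_run = max(ttl_run_length_distribution(ttls))
    ttl_signal = longest_run / len(ttls) >= dominant_run_fraction
    tx_signal = len(records) > tx_threshold          # transmission threshold analysis
    return ttl_signal and tx_signal


def make_alert(src: str, server: str, records: List[DnsRecord]) -> Dict[str, object]:
    """Alert payload for a session judged to be beaconing (step 4 of the claim)."""
    return {"src": src, "dns_server": server, "transmissions": len(records),
            "ttl_runs": ttl_run_length_distribution(ttl_vector(records))}


# Constructed sample sessions (not real traffic): a beacon queries every 60 s and always
# gets TTL 1 back; a benign client resolves assorted names with assorted TTLs.
BEACON = [DnsRecord(60.0 * i, f"h{i}.c2-example.test", 1) for i in range(30)]
BENIGN = [DnsRecord(17.0 * i, f"site{i % 5}.example", [300, 60, 3600, 300, 900][i % 5])
          for i in range(30)]
```

`detect_beaconing(BEACON)` returns True while `detect_beaconing(BENIGN)` returns False; shortening the beacon session below the transmission threshold also clears it, which is the point of combining both analyses.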