US 11,818,151 B2
Identification of malicious domain campaigns using unsupervised clustering
Michael Edward Weber, Los Altos, CA (US); Jun Wang, Fremont, CA (US); Yuchen Zhou, Newark, CA (US); and Wei Xu, Fremont, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jul. 12, 2018, as Appl. No. 16/033,959.
Claims priority of provisional application 62/622,491, filed on Jan. 26, 2018.
Prior Publication US 2019/0238576 A1, Aug. 1, 2019
Int. Cl. G06F 21/00 (2013.01); H04L 9/40 (2022.01); H04L 61/4511 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 61/4511 (2022.05); H04L 63/0245 (2013.01); H04L 63/1441 (2013.01)] 20 Claims
 
1. A method comprising:
identifying a first plurality of domain names associated with corresponding ones of one or more malicious domain campaigns; and
identifying at least a subset of a second plurality of domain names associated with the one or more malicious domain campaigns based on processing first characteristics of the first plurality of domain names and second characteristics of the second plurality of domain names with a clustering algorithm, wherein identifying the at least the subset of the second plurality of domain names comprises,
seeding the clustering algorithm with the first characteristics of the first plurality of domain names, wherein the first characteristics and the second characteristics at least include characteristics indicated in passive domain name system (DNS) records corresponding to the first plurality of domain names and the second plurality of domain names, respectively;
applying the clustering algorithm to the first characteristics and the second characteristics to obtain a plurality of clusters; and
for each cluster of at least a subset of the plurality of clusters, associating the cluster with a malicious domain campaign in the one or more malicious domain campaigns based, at least in part, on those of the first characteristics corresponding to one or more of the first plurality of domain names associated with the malicious domain campaign being in the cluster, wherein the at least the subset of the second plurality of domain names correspond to one or more of the second characteristics in the at least the subset of the plurality of clusters.
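As an added illustration of the seeded-clustering step in claim 1, not code from the patent or its assignee: a constructed set of passive-DNS summaries (resolved IPs and name servers) with two seed domains already tied to a campaign, single-linkage clustering on a Jaccard-based similarity, and attribution of each cluster that contains exactly one campaign's seeds. The domains, IPs, name servers, the similarity measure and the threshold are all assumptions made for the example.

```python
from itertools import combinations

# Constructed passive-DNS summaries (not real data): for each domain, the
# IPs it resolved to and the name servers that served it.
PDNS = {
    "account-verify.example": {"ips": {"198.51.100.7", "198.51.100.8"}, "ns": {"ns1.host-a.example"}},
    "secure-login.example":   {"ips": {"198.51.100.7"},                 "ns": {"ns1.host-a.example"}},
    "update-portal.example":  {"ips": {"198.51.100.8", "198.51.100.9"}, "ns": {"ns1.host-a.example"}},
    "cdn-assets.example":     {"ips": {"203.0.113.40"},                 "ns": {"ns1.host-b.example"}},
    "cdn-static.example":     {"ips": {"203.0.113.40", "203.0.113.41"}, "ns": {"ns1.host-b.example"}},
    "news-site.example":      {"ips": {"192.0.2.10"},                   "ns": {"ns1.host-c.example"}},
}
# Seeds: domains already attributed to a campaign (the "first plurality" of claim 1).
SEEDS = {"account-verify.example": "campaign-A", "cdn-assets.example": "campaign-B"}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def similarity(r1, r2):
    """Mean Jaccard over the two passive-DNS feature sets (assumed measure)."""
    return (jaccard(r1["ips"], r2["ips"]) + jaccard(r1["ns"], r2["ns"])) / 2

def cluster(records, threshold):
    """Single-linkage clustering via union-find: join domains whose similarity >= threshold."""
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for d1, d2 in combinations(records, 2):
        if similarity(records[d1], records[d2]) >= threshold:
            parent[find(d1)] = find(d2)
    clusters = {}
    for d in records:
        clusters.setdefault(find(d), set()).add(d)
    return list(clusters.values())

def attribute(records, seeds, threshold=0.5):
    """Label every cluster holding seeds of exactly one campaign with that campaign,
    and return the previously unattributed domains pulled in per campaign."""
    found = {}
    for members in cluster(records, threshold):
        campaigns = {seeds[d] for d in members if d in seeds}
        if len(campaigns) != 1:  # unseeded, or seeds from two campaigns: leave for analyst review
            continue
        (campaign,) = campaigns
        found.setdefault(campaign, set()).update(members - set(seeds))
    return found
```

With the constructed data, three clusters form; the two that contain seeds yield new attributions, while the unrelated news-site.example stays unattributed.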