CPC H04L 63/1425 (2013.01) [G06F 21/567 (2013.01); H04L 61/4511 (2022.05); H04L 61/59 (2022.05); H04L 63/0281 (2013.01); H04L 63/1416 (2013.01); H04L 63/1441 (2013.01); H04L 63/164 (2013.01); H04L 63/168 (2013.01); H04L 67/02 (2013.01); H04L 67/562 (2022.05); H04L 2101/35 (2022.05); H04L 2463/144 (2013.01)]. 16 Claims.

1. A computer-implemented method executed by one or more processors, the method comprising:
receiving, by a proxy in data communication with a local area network (LAN), proxy connection requests from client devices on the LAN, the proxy connection requests including a hostname and configured to direct the proxy to establish communication with a computer identified by the hostname on behalf of the client devices;
actively monitoring, by an anti-malware system in data communication with the LAN, the proxy connection requests, the active monitoring being after the proxy connection requests have been transmitted out of the LAN and before the proxy connection requests are received by the proxy;
determining, by the anti-malware system, identities of the client devices based on the proxy connection requests;
sending, by the proxy, first domain name system (DNS) requests in response to receiving the proxy connection requests;
receiving, by the proxy, first DNS responses from one or more DNS servers in response to the first DNS requests;
sending, by the anti-malware system, second DNS requests in response to determining identities of the client devices;
receiving, by the anti-malware system, second DNS responses from the one or more DNS servers in response to the second DNS requests;
determining, by the anti-malware system, that one of the second DNS responses is associated with a particular client device out of a plurality of client devices;
updating, by the anti-malware system, DNS usage information for the particular client device based on the identified DNS response and the hostname from the corresponding proxy connection request; and
determining, by the anti-malware system, that the particular client device is exhibiting anomalous behavior based on the updated DNS usage information.
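The security point of the claim is that clients behind an explicit proxy never resolve names themselves: the proxy issues the DNS queries, so ordinary per-client DNS telemetry is blind. The monitor therefore has to read the hostname out of the proxy connection request on the wire (between the LAN and the proxy), re-resolve it on its own, and attribute the result to the client. The following is an added illustration of that flow, written for this page and not code from the patent or its assignee. Everything in it is an assumption chosen to make the example self-contained: the captured requests and client addresses are constructed, the DNS server is replaced by a lookup table (`FAKE_DNS`), the request parser handles the two proxy request forms (`CONNECT host:port` and absolute-URI `GET http://host/...`), and the anomaly rule (an NXDOMAIN ratio of at least one half over at least four lookups, a common DGA indicator) is one possible criterion, not the patent's.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample traffic: (client_ip, raw proxy request bytes) as the monitor
# would observe them after they leave the LAN and before the proxy receives them.
SAMPLE_REQUESTS = [
    ("10.0.0.5", b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    ("10.0.0.5", b"GET http://updates.example.net/manifest.json HTTP/1.1\r\nHost: updates.example.net\r\n\r\n"),
    ("10.0.0.5", b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", b"CONNECT qzk3vd9x.example.org:443 HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", b"CONNECT m2p0sa7h.example.org:443 HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", b"CONNECT x9f1kq2b.example.org:443 HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", b"CONNECT c0t4yw8n.example.org:443 HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n"),
    ("10.0.0.9", b"GARBAGE\r\n\r\n"),  # not a proxy request; must be ignored
]

# Constructed stand-in for the DNS server that answers the monitor's own
# ("second") DNS requests. A missing key models an NXDOMAIN response.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "updates.example.net": ["198.51.100.7"],
}


def parse_hostname(raw: bytes):
    """Return the target hostname of a proxy request, or None if the request
    line is not a proxy request. CONNECT carries authority-form host:port;
    other methods carry an absolute URI when sent to a proxy."""
    request_line = raw.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method == "CONNECT":
        host, sep, _port = target.rpartition(":")
        if not sep:            # tolerate a missing port
            host = target
        return host.strip("[]").lower() or None   # [v6]:port -> v6
    # origin-form targets such as /index.html have no host and yield None
    return urlsplit(target).hostname


def resolve(hostname, dns=FAKE_DNS):
    """The monitor's own DNS lookup: list of A records, or None for NXDOMAIN."""
    return dns.get(hostname)


@dataclass
class DnsUsage:
    """Per-client DNS usage information maintained by the monitor."""
    lookups: int = 0
    nxdomain: int = 0
    hostnames: set = field(default_factory=set)


def monitor(requests, dns=FAKE_DNS):
    """Attribute each captured proxy request to its client by source address,
    resolve the hostname independently of the proxy, and update usage."""
    usage = defaultdict(DnsUsage)
    for client_ip, raw in requests:
        hostname = parse_hostname(raw)
        if hostname is None:
            continue
        u = usage[client_ip]
        u.lookups += 1
        u.hostnames.add(hostname)
        if resolve(hostname, dns) is None:
            u.nxdomain += 1
    return dict(usage)


def anomalous_clients(usage, min_lookups=4, nxdomain_ratio=0.5):
    """Assumed heuristic: a client whose lookups fail NXDOMAIN at least
    `nxdomain_ratio` of the time over at least `min_lookups` lookups is
    flagged, the pattern a domain-generation-algorithm produces."""
    return {
        ip for ip, u in usage.items()
        if u.lookups >= min_lookups and u.nxdomain / u.lookups >= nxdomain_ratio
    }


if __name__ == "__main__":
    stats = monitor(SAMPLE_REQUESTS)
    for ip, u in sorted(stats.items()):
        print(ip, "lookups", u.lookups, "nxdomain", u.nxdomain, "distinct", len(u.hostnames))
    print("anomalous:", anomalous_clients(stats))
```

Two practical caveats follow from the claim's placement of the monitor. First, the monitor's answer can differ from the proxy's (split-horizon DNS, a different resolver, or caching), so its NXDOMAIN counts describe what the monitor saw, not what the proxy did; the claim keeps the two sets of requests and responses separate for that reason. Second, attribution by source address only works while the monitor sees the client's own address; a NAT or a second proxy in front of it collapses every client into one, and the usage record then has to be keyed on whatever identity the request still carries (for example a Proxy-Authorization header).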