US RE50,377 E1
DNS misuse detection through attribute cardinality tracking
Andrew David Mortensen, Ann Arbor, MI (US); and Alan Saqui, Ann Arbor, MI (US)
Assigned to ARBOR NETWORKS, INC., Westford, MA (US)
Filed by Arbor Networks, Inc., Westford, MA (US)
Filed on Aug. 3, 2023, as Appl. No. 18/230,092.
Application 18/230,092 is a reissue of application No. 16/030,733, filed on Jul. 9, 2018, granted, now 11,095,671, issued on Aug. 17, 2021.
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); H04L 12/26 (2006.01); H04L 29/12 (2006.01); H04L 43/08 (2022.01); H04L 61/4511 (2022.01)
CPC H04L 63/1425 (2013.01) [H04L 43/08 (2013.01); H04L 61/4511 (2022.05); H04L 63/1483 (2013.01)] 18 Claims
1. A computer-implemented method to detect particular Domain Name System (DNS) misuse, the method comprising:
obtaining monitored network data, the monitored network data including respective instances of request traffic, the request traffic being associated with DNS requests that request resolution of a name that belongs to at least one identified domain, each DNS request being sent from a source address of one or more stub resolver, each instance of request traffic including the source address, the name for which DNS resolution is requested, and the at least one identified domain associated with a corresponding DNS request;
tracking over time an approximation of a first cardinality of names indicated for a selected domain of the at least one identified domain and included in the [respective] instances of request traffic, wherein the first cardinality includes a number of unique names of names indicated in instances of the request traffic for the selected domain, the first cardinality being approximated and tracked using a probabilistic algorithm, rather than counting;
tracking over time an approximation of a second cardinality of source addresses associated with the selected domain and included in the [respective] instances of request traffic, wherein the second cardinality includes a number of unique source addresses of the source addresses indicated in instances of the request traffic for the selected domain, the second cardinality being approximated and tracked using the probabilistic algorithm, rather than counting;
detecting a combination of a first condition of the approximation of the first cardinality and the [a] second condition of the approximation of the second cardinality, wherein the combination of the first and second conditions indicates the [an] occurrence of a specific DNS misuse; and
performing an action to at least one of output a notification of and correct a condition associated with [enabling traffic filtering of requests to at least one DNS resolver based on] the detected occurrence of the specific DNS misuse.
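The following Python is an added illustration of the claimed method and is neither part of the patent nor Arbor Networks' code. For each identified domain it keeps two probabilistic cardinality sketches, one over the names queried and one over the source addresses, and evaluates a combined condition on the two estimates. The claim names no particular probabilistic algorithm, thresholds or condition; HyperLogLog, the last-two-labels rule for the identified domain, the threshold values and the direction of the two conditions are all assumptions chosen for the example, and the request records are constructed.

```python
"""Approximate per-domain cardinality tracking over DNS request traffic.

Added example, not the patent's or Arbor Networks' implementation. HyperLogLog
is assumed as the "probabilistic algorithm"; thresholds, the combined
condition and the sample traffic are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass, field

PRECISION = 10        # p bits -> 1024 registers, about 3.25% standard error
HASH_BITS = 64


class HyperLogLog:
    """Minimal HyperLogLog with 64-bit hashes and linear-counting correction."""

    def __init__(self, p: int = PRECISION) -> None:
        self.p = p
        self.m = 1 << p
        self.registers = [0] * self.m
        self.alpha = 0.7213 / (1 + 1.079 / self.m)   # constant for m >= 128

    def add(self, item: str) -> None:
        h = int.from_bytes(hashlib.sha256(item.encode()).digest()[:8], "big")
        idx = h >> (HASH_BITS - self.p)               # top p bits select a register
        rest_bits = HASH_BITS - self.p
        w = h & ((1 << rest_bits) - 1)                # remaining bits
        # rho = position of the leftmost 1 bit in w (1-based), rest_bits + 1 if w == 0
        rho = rest_bits + 1 if w == 0 else rest_bits - w.bit_length() + 1
        if rho > self.registers[idx]:
            self.registers[idx] = rho

    def cardinality(self) -> float:
        raw = self.alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:
            return self.m * math.log(self.m / zeros)  # small-range correction
        return raw


@dataclass
class DomainSketches:
    names: HyperLogLog = field(default_factory=HyperLogLog)
    sources: HyperLogLog = field(default_factory=HyperLogLog)


class DnsCardinalityTracker:
    """Tracks approximate unique-name and unique-source counts per domain."""

    def __init__(self) -> None:
        self.domains: dict[str, DomainSketches] = {}

    @staticmethod
    def identified_domain(qname: str) -> str:
        # Assumption for this example: the identified domain is the last two labels.
        labels = qname.rstrip(".").lower().split(".")
        return ".".join(labels[-2:])

    def observe(self, source_addr: str, qname: str) -> None:
        """One instance of request traffic: (source address, requested name)."""
        sk = self.domains.setdefault(self.identified_domain(qname), DomainSketches())
        sk.names.add(qname.lower())
        sk.sources.add(source_addr)

    def estimates(self, domain: str) -> tuple[float, float]:
        sk = self.domains.get(domain)
        if sk is None:
            return (0.0, 0.0)
        return (sk.names.cardinality(), sk.sources.cardinality())


# Illustrative thresholds; the claim states no values or direction for the conditions.
NAME_CARDINALITY_MIN = 1000
SOURCE_CARDINALITY_MAX = 50


def detect(tracker: DnsCardinalityTracker, domain: str) -> dict | None:
    """Return a notification record when both assumed conditions hold, else None."""
    names, sources = tracker.estimates(domain)
    first_condition = names >= NAME_CARDINALITY_MIN     # many distinct names
    second_condition = sources <= SOURCE_CARDINALITY_MAX  # from few sources
    if first_condition and second_condition:
        return {"domain": domain, "names": round(names),
                "sources": round(sources), "action": "notify"}
    return None


def build_sample_traffic() -> list[tuple[str, str]]:
    """Constructed sample: 5000 distinct names under example.com from 20 sources,
    and 40 names under example.net from 200 sources."""
    records = [(f"10.0.0.{i % 20}", f"h{i}.example.com") for i in range(5000)]
    records += [(f"192.0.2.{i % 200}", f"www{i % 40}.example.net") for i in range(4000)]
    return records


if __name__ == "__main__":
    tracker = DnsCardinalityTracker()
    for src, qname in build_sample_traffic():
        tracker.observe(src, qname)
    for dom in ("example.com", "example.net"):
        print(dom, tracker.estimates(dom), detect(tracker, dom))
```

The sketches are fixed-size regardless of how many names or addresses are seen, which is the point of approximating rather than counting: a domain that generates millions of distinct names costs the same memory as one that generates ten. In a real deployment the tracker would be keyed per time window so the estimates reflect recent traffic.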