Systems and methods for using DNS messages to selectively collect computer forensic data
| Title: | Systems and methods for using DNS messages to selectively collect computer forensic data |
|---|---|
| Patent Number: | 10,862,854 |
| Date Issued: | December 08, 2020 |
| Appl. No: | 16/405140 |
| Application Filed: | May 07, 2019 |
| Abstract: | Described systems and methods allow a selective collection of computer security data from client devices such as personal computers, smartphones, and Internet of Things (IoT) devices. A security application executing on each client device comprises a domain name service (DNS) proxy that tags outgoing DNS messages with a client ID. The DNS server selects a client for data collection by returning a DNS reply comprising a service activation flag. Some embodiments thus enable a per-DNS-message selectivity of data collection. In some embodiments, subsequent network access requests by the selected clients are re-routed to a security server for analysis. |
| Inventors: | Bitdefender IPR Management Ltd. (Nicosia, CY) |
| Assignees: | Bitdefender IPR Management Ltd. (Nicosia, CY) |
| Claim: | 1. A method comprising employing at least one hardware processor of a computer system to: intercept a domain name service (DNS) reply message received at the computer system, the DNS reply message comprising a target internet protocol (IP) address indicating a network location of a remote resource, the DNS reply message further comprising a service activation flag; determine according to a value of the service activation flag whether a forensic data collection service is active; in response, if the service activation flag indicates that the forensic data collection service is active, modify the DNS reply message by replacing the target IP address with a dummy IP address; intercept an electronic communication directed towards a destination IP address; determine whether the destination IP address matches the dummy IP address; and in response to determining whether the destination IP address matches the dummy IP address, if the destination IP address matches the dummy IP address, perform a forensic data collection procedure for characterizing emerging malware, the forensic data collection procedure comprising transmitting a set of metadata characterizing the electronic communication to a remote security server. |
| Claim: | 2. The method of claim 1, wherein performing the forensic data collection procedure further comprises employing the at least one hardware processor to re-route the electronic communication via a tunnel connecting the computer system to the remote security server. |
| Claim: | 3. The method of claim 1, wherein the set of metadata includes the target IP address and a timestamp of the electronic communication. |
| Claim: | 4. The method of claim 3, wherein the set of metadata further comprises an indicator of a size of a payload of the electronic communication. |
| Claim: | 5. A computer system comprising at least one hardware processor configured to execute a domain name service (DNS) proxy and a communication manager, wherein: the DNS proxy is configured to: intercept a DNS reply message received at the computer system, the DNS reply message comprising a target internet protocol (IP) address indicating a network location of a remote resource, the DNS reply message further comprising a service activation flag, determine according to a value of the service activation flag whether a forensic data collection service is active, and in response, if the service activation flag indicates that the forensic data collection service is active, modify the DNS reply message by replacing the target IP address with a dummy IP address; and the communication manager is configured to: intercept an electronic communication directed towards a destination IP address, determine whether the destination IP address matches the dummy IP address, and in response to determining whether the destination IP address matches the dummy IP address, if the destination IP address matches the dummy IP address, perform a forensic data collection procedure for characterizing emerging malware, the forensic data collection procedure comprising transmitting a set of metadata characterizing the electronic communication to a remote security server. |
| Claim: | 6. The method of claim 1, wherein performing the forensic data collection procedure further comprises employing the at least one hardware processor to re-route the electronic communication via a tunnel connecting the computer system to the remote security server. |
| Claim: | 7. The computer system of claim 5, wherein the set of metadata includes the target IP address and a timestamp of the electronic communication. |
| Claim: | 8. The computer system of claim 7, wherein the set of metadata further comprises an indicator of a size of a payload of the electronic communication. |
| Claim: | 9. A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a computer system, cause the computer system to form a domain name service (DNS) proxy and a communication manager, wherein: the DNS proxy is configured to: intercept a DNS reply message received at the computer system, the DNS reply message comprising a target internet protocol (IP) address indicating a network location of a remote resource, the DNS reply message further comprising a service activation flag, determine according to a value of the service activation flag whether a forensic data collection service is active, and in response, if the service activation flag indicates that the forensic data collection service is active, modify the DNS reply message by replacing the target IP address with a dummy IP address; and the communication manager is configured to: intercept an electronic communication directed towards a destination IP address, determine whether the destination IP address matches the dummy IP address, and in response to determining whether the destination IP address matches the dummy IP address, if the destination IP address matches the dummy IP address, perform a forensic data collection procedure for characterizing emerging malware, the forensic data collection procedure comprising transmitting a set of metadata characterizing the electronic communication to a remote security server. |
| Claim: | 10. A server computer system comprising at least one hardware processor configured to engage in domain name service (DNS) transactions with a plurality of client systems, and further configured to: in response to a determination that an Internet domain is suspected of malice, determine a target device profile according to the Internet domain, the target device profile collectively representing electronic devices characterized by being located within a selected geographic area and executing a selected operating system; in response to receiving a DNS query message comprising the Internet domain, identify according to the DNS query message a client system where the DNS query message originated; in response to identifying the client system, determine whether the client system matches the target device profile; in response to determining whether the client system matches the target device profile, when the client system matches the target device profile, transmit a DNS reply message to the client system, the DNS reply message comprising a target Internet Protocol (IP) address associated with the domain name, the DNS reply message further configured to include a service activation flag; and in response to determining whether the client system matches the target device profile, when the client system does not match the target device profile, transmit another DNS reply message to the client system, the other DNS reply message comprising the target IP address and further configured to not include the service activation flag; wherein the client system is configured to interpret receiving the service activation flag as a trigger for performing a forensic data collection procedure according to an electronic communication directed to or incoming from the target IP address. |
| Claim: | 11. The server computer system of claim 10, wherein the at least one hardware processor is further configured to: in response to determining whether the client system matches the target device profile, when the client system matches the target device profile, determine whether the client system is eligible for forensic data collection according to a count of DNS query messages previously received from the client system; and in response, transmit the DNS reply message including the service activation flag only when the client system is eligible for forensic data collection. |
| Claim: | 12. The server computer system of claim 10, wherein the at least one hardware processor is further configured to: in response to determining whether the client system matches the target device profile, when the client system matches the target device profile, determine whether the client system is eligible for forensic data collection according to a count of DNS query messages including the domain name previously received at the server computer system; and in response, transmit the DNS reply message including the service activation flag only when the client system is eligible for forensic data collection. |
| Claim: | 13. The server computer system of claim 10, wherein the at least one hardware processor is further configured to: in response to determining whether the client system matches the target device profile, when the client system matches the target device profile, determine whether the client system is eligible for forensic data collection according to a count of distinct client systems having transmitted DNS query messages to the server computer system within a selected time interval; and in response, transmit the DNS reply message including the service activation flag only when the client system is eligible for forensic data collection. |
| Claim: | 14. The server computer system of claim 10, wherein the at least one hardware processor is further configured to: in response to determining whether the client system matches the target device profile, when the client system matches the target device profile, look up a client profile database to determine whether a selected software application is installed for execution on the client system; and in response, transmit the DNS reply message including the service activation flag only when the selected software application is installed for execution on the client system. |
| Claim: | 15. The server computer system of claim 10, wherein the at least one hardware processor is further configured to: in response to determining whether the client system matches the target device profile, when the client system matches the target device profile, randomly select the client system for forensic data collection; and in response, transmit the DNS reply message including the service activation flag only when the client system is selected for forensic data collection. |
| Claim: | 16. The server computer system of claim 10, wherein the target device profile represents electronic devices further characterized by being of a selected appliance type. |
| Claim: | 17. The server computer system of claim 10, wherein the at least one hardware processor is further configured to identify the client system according to a client ID included in the DNS query message, the client ID uniquely identifying the client system among the plurality of client systems. |
| Claim: | 18. The server computer system of claim 17, wherein the client ID comprises a hash value. |
| Claim: | 19. The method of claim 1, wherein the forensic data collection procedure further comprises transmitting an indicator of a current state of a client system selected from the plurality of client systems according to whether the electronic communication originated at the client system. |
| Claim: | 20. The computer system of claim 5, wherein the forensic data collection procedure further comprises transmitting an indicator of a current state of a client system selected from the plurality of client systems according to whether the electronic communication originated at the client system. |
| Patent References Cited: | 5500897, March 1996, Hartman; 8220031, July 2012, Leterrier et al.; 8260914, September 2012, Ranjan; 8327448, December 2012, Eldar et al.; 8576845, November 2013, Csaszar et al.; 8763117, June 2014, Carothers; 9325735, April 2016, Xie et al.; 9455909, September 2016, Parla et al.; 9819696, November 2017, Minea et al.; 9912630, March 2018, Chan et al.; 2012/0084860, April 2012, Cao et al.; 2012/0254996, October 2012, Wilbourn et al.; 2014/0310811, October 2014, Hentunen; 2014/0344917, November 2014, Parla; 2015/0381570, December 2015, Martini; 2016/0036848, February 2016, Reddy et al.; 2017/0171146, June 2017, Sharma et al.; 2019/0052658, February 2019, Clarke; 2019/0097965, March 2019, Linari et al. |
| Other References: | Brumley et al., "Automatically identifying trigger-based behavior in malware," Botnet Detection, Series vol. 36, pp. 65-88, Springer US, Jan. 2008 (cited by applicant); Crandall et al., "Temporal search: Detecting hidden malware timebombs with virtual machines," ACM SIGPLAN Notices, vol. 41, no. 11, pp. 25-36, ACM, New York, NY, USA, Oct. 2006 (cited by applicant); Stack Overflow, "Regular expression for matching HH:MM time format," https://stackoverflow.com/questions/7536755/regular-expression-for-matching-hhmm-time-format, Stack Exchange Network, New York, USA, Sep. 2011-Apr. 2015 (cited by applicant); Kolbitsch et al., "Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries," IEEE Symposium on Security and Privacy, Piscataway, NJ, USA, May 2010 (cited by applicant); European Patent Office, International Search Report and Written Opinion dated Dec. 15, 2016 for PCT International Application No. PCT/EP2016/076343, international filing date Nov. 2, 2016, priority date Nov. 4, 2015 (cited by applicant); USPTO, Office Action dated Apr. 6, 2017 for U.S. Appl. No. 14/932,765, filed Nov. 4, 2015 (cited by applicant); European Patent Office, International Search Report and Written Opinion dated Sep. 29, 2020 for PCT International Application No. PCT/EP2020/068644, international filing date Jul. 2, 2020, priority date May 7, 2019 (cited by applicant). |
| Primary Examiner: | Vu, Viet D |
| Attorney, Agent or Firm: | Law Office of Andrei D Popovici, PC |
| Accession Number: | edspgr.10862854 |
| Database: | USPTO Patent Grants |