Title of invention: SYSTEMS AND METHODS OF IDENTIFYING SUSPICIOUS HOSTNAMES
Abstract: A method includes receiving a set of strings and applying one or more filters to generate a subset of strings that are determined to correspond to strings of interest. The method also includes retrieving domain name system (DNS) information associated with a first string of the subset. The method includes executing a rule-based engine to determine, based on application of one or more rules to the DNS information, whether to add the first string to a set of suspicious hostnames.
Application publication number: US2017104784(A1) Application publication date: 2017.04.13
Application number: US201615388256 Application date: 2016.12.22
Applicant: Cloudmark, Inc. Inventors: Stemm Mark Richard;Johns Arlyn Robert
Classification number: H04L29/06;G06F17/30 Main classification number: H04L29/06
Agency: Agent:
Principal claim: 1. A method comprising: receiving, via an input interface, a string that corresponds to a hostname; identifying, at a computing device, a data structure that indicates frequencies of occurrence of each of a plurality of n-grams in a first set of strings; and applying, at the computing device, a filter to determine whether to classify the string as potentially suspicious, the filter including an entropy filter and at least one other filter, wherein the filter is configured to classify the string as potentially suspicious in response to the entropy filter and the at least one other filter each indicating that the string is potentially suspicious, wherein the entropy filter is configured to indicate that the string is potentially suspicious based on an n-gram entropy of the string, and wherein the n-gram entropy of the string is a function of the frequency of occurrence, indicated by the data structure, for each n-gram in the string.
Address: San Francisco CA US