Independent claim
1. A system for discovering and selecting candidates for sinkholing of network domains, comprising:
    a hardware processor configured to:
        collect passive DNS data from a plurality of security devices to discover candidates for sinkholing of domain names;
        select one or more domain names that are most commonly queried by distinct client devices based on the passive DNS data, wherein each of the one or more domain names is not yet registered, wherein the selecting of the one or more domain names that are most commonly queried comprises to:
            rank commonly queried domain names based on number of queries by the distinct client devices; and
            select N most commonly queried domain names to obtain the one or more domain names, N being an integer greater than zero;
        apply a Domain Generation Algorithm (DGA) filter to remove any DGA generated domain names from the candidates for sinkholing of domain names, wherein the DGA filter includes a plurality of DGA generated domain names based on an emulated analysis of malware, wherein the applying of the DGA filter comprises to:
            determine whether a domain name of the one or more domain names has not been queried by at least a threshold number of distinct hosts, the distinct hosts corresponding to unique IP addresses; and
            in the event that the domain name of the one or more domain names has not been queried by at least the threshold number of distinct hosts, remove the domain name from the one or more domain names; and
        automatically register each of the one or more domain names with a domain registry to a sinkholed IP address in order to sinkhole each of the one or more domain names; and
    a memory coupled to the hardware processor and configured to provide the hardware processor with instructions.
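The selection and filtering steps of the claim, worked through in Python over a constructed passive DNS sample (an added illustration, not the claim's own text or the applicant's implementation). The registered-domain set, the emulated DGA list, the threshold, N and the sinkhole address are assumed inputs, and the registrar call is stood in for by returning the name-to-address mapping.

```python
from collections import defaultdict

# Constructed passive DNS sample: (client_ip, queried_domain) pairs from several sensors.
PASSIVE_DNS = [
    ("10.0.0.1", "update-check.example"), ("10.0.0.2", "update-check.example"),
    ("10.0.0.3", "update-check.example"), ("10.0.0.1", "update-check.example"),
    ("10.0.0.1", "cdn-assets.example"), ("10.0.0.2", "cdn-assets.example"),
    ("10.0.0.4", "registered-site.example"), ("10.0.0.5", "registered-site.example"),
    ("10.0.0.6", "registered-site.example"),
    ("10.0.0.7", "xk3j9qzp.example"), ("10.0.0.8", "xk3j9qzp.example"),
    ("10.0.0.9", "xk3j9qzp.example"),
    ("10.0.0.1", "lonely.example"),
]
REGISTERED = {"registered-site.example"}   # assumed result of a registry lookup
DGA_DOMAINS = {"xk3j9qzp.example"}         # assumed output of emulated malware analysis
SINKHOLE_IP = "192.0.2.1"                  # placeholder from the documentation range

def distinct_hosts_per_domain(records):
    """Map each queried domain to the set of unique client IPs that queried it."""
    hosts = defaultdict(set)
    for client_ip, domain in records:
        hosts[domain].add(client_ip)
    return hosts

def select_top_n(hosts, registered, n):
    """Rank not-yet-registered domains by distinct querying clients; keep the N highest."""
    unregistered = [d for d in hosts if d not in registered]
    ranked = sorted(unregistered, key=lambda d: (-len(hosts[d]), d))
    return ranked[:n]

def apply_dga_filter(candidates, hosts, dga_domains, threshold):
    """Drop known DGA names and names queried by fewer than `threshold` distinct hosts."""
    return [d for d in candidates
            if d not in dga_domains and len(hosts[d]) >= threshold]

def sinkhole_candidates(records, registered, dga_domains, n, threshold, sinkhole_ip):
    """Full pipeline: collect, select top N, filter, then 'register' to the sinkhole address."""
    hosts = distinct_hosts_per_domain(records)
    candidates = apply_dga_filter(select_top_n(hosts, registered, n),
                                  hosts, dga_domains, threshold)
    # Stand-in for the registrar API call: each selected name points at the sinkhole.
    return {d: sinkhole_ip for d in candidates}

if __name__ == "__main__":
    print(sinkhole_candidates(PASSIVE_DNS, REGISTERED, DGA_DOMAINS,
                              n=4, threshold=2, sinkhole_ip=SINKHOLE_IP))
```

With N=4 the ranked list contains both a DGA name and a single-host name, so both branches of the filter remove something and only the two widely queried, unregistered names are sinkholed.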