Abstract: The present disclosure is related to a computer-implemented method and system for distinguishing human-driven Doman Name System (DNS) queries from Machine-to-Machine (M2M) DNS queries. The method includes receiving a DNS query, which includes a domain name, generating a probability score for the domain name based on one or more predetermined rules, and categorizing the DNS query as a human-driven DNS query or a M2M DNS query based on the probability score.

Abstract: A device control system is associated with individual devices connected through a network control point to a gateway and thereby to the Internet. The gateway inserts an EDNS0 pseudo resource record into an additional data section in each DNS query initiated by an individual device, the EDNS0 pseudo resource record identifying the initiating device. A dynamic policy enforcement engine in front of the DNS engine intercepts the DNS query, identifies the initiating device, and selects a policy that applies to the device. The dynamic policy enforcement engine may provide parental control and security service to the individual device by blocking the DNS query or passing it to the DNS engine according to the policy. A component that intercepts DNS queries may provide several additional types of services to the individual devices, including advertising, messaging, mobile device tracking, individual device application control, and delivery of individualized content.

Abstract: A system for mediating Internet service includes a DNS server and a DNS policy engine associated with the DNS server. The DNS policy engine can be configured to apply one or more DNS policies selected by the DNS policy engine to DNS queries received by the DNS server from a client, analyze the DNS query based on predetermined criteria, and based on the analysis, and selectively redirect a data request associated with the client to a proxy server for further mediation. The system can further include a proxy server and a proxy policy engine associated with the proxy server. The proxy policy engine can be configured to apply one or more proxy policies selected by the proxy policy engine to at least one of data requests received by the proxy server from a client and data responses returned to the proxy server from an IP address.

Abstract: A computer-implemented method for detecting anomalies in DNS requests comprises receiving a plurality of DNS requests generated within a predetermined period. The predetermined period includes a plurality of DNS data fragments. The method further includes receiving a first DNS request and selecting a plurality of second DNS requests from the plurality of DNS requests such that each of the second DNS requests is a subset of the first DNS request. The method also includes calculating a count value for each of the DNS data fragments, where each of the count values represents a number of instances the second DNS requests appear within one of the DNS data fragments. In some embodiments, the count values for each of the DNS data fragments can be normalized. The method further includes determining an anomaly trend, for example, based on determining that at least one of the count values exceeds a predetermined threshold value.

Abstract: A method for improving client subnet efficiency by equivalence class aggregation includes receiving a Domain Name System (DNS) query from a client, determining, based on predetermined class criteria, that the client is associated with an equivalency class, searching a cache associated with the equivalence class for an answer corresponding to the DNS query, and upon locating the answer, serving the answer to the client. If it is determined that the cache does not include the answer, the method proceeds with querying, by a recursive server, an authoritative server using client subnet data associated with the equivalence class, receiving the answer from the authoritative server, storing the answer to the cache associated with the equivalency class, and serving the answer to the client. The client subnet data may include a representative CIDR block, the representative CIDR block being used to make queries on behalf of all clients associated with the equivalence class.

Abstract: The present disclosure is related to a computer-implemented method and system for distinguishing human-driven Domain Name System (DNS) queries from Machine-to-Machine (M2M) DNS queries. The method includes receiving a DNS query, which includes a domain name, generating a probability score for the domain name based on one or more predetermined rules, and categorizing the DNS query as a human-driven DNS query or a M2M DNS query based on the probability score.

Abstract: A device control system is associated with individual devices connected through a network control point to a gateway and thereby to the Internet. The gateway inserts an EDNS0 pseudo resource record into an additional data section in each DNS query initiated by an individual device, the EDNS0 pseudo resource record identifying the initiating device. A dynamic policy enforcement engine in front of the DNS engine intercepts the DNS query, identifies the initiating device, and selects a policy that applies to the device. The dynamic policy enforcement engine may provide parental control and security service to the individual device by blocking the DNS query or passing it to the DNS engine according to the policy. A component that intercepts DNS queries may provide several additional types of services to the individual devices, including advertising, messaging, mobile device tracking, individual device application control, and delivery of individualized content.

Abstract: Provided is a method for delegation of local content delivery service. The method includes receiving a Domain Name System (DNS) query from a client to resolve a domain name to a network address associated with content provider by a content provider, determining that distribution of the content has been delegated by a content provider to a local content server associated with an Internet Service Provider (ISP), and based on predetermined criteria, resolving the domain name to the local content server. The resolution can include responding to the DNS query with an answer from a caching server, and returning, to the client, the answer pointing to the local content server, wherein upon receiving the answer, the client can establish a data communication channel with the local content server. The content can be downloaded to the local content server upon a request received by a provisioning system associated with the ISP.

Abstract: Provided is a method for delegation of local content delivery service. The method includes receiving a Domain Name System (DNS) query from a client to resolve a domain name to a network address associated with content provider by a content provider, determining that distribution of the content has been delegated by a content provider to a local content server associated with an Internet Service Provider (ISP), and based on predetermined criteria, resolving the domain name to the local content server. The resolution can include responding to the DNS query with an answer from a caching server, and returning, to the client, the answer pointing to the local content server, wherein upon receiving the answer, the client can establish a data communication channel with the local content server. The content can be downloaded to the local content server upon a request received by a provisioning system associated with the ISP.

Abstract: A computer-implemented method for detecting anomalies in DNS requests comprises receiving a plurality of DNS requests generated within a predetermined period. The predetermined period includes a plurality of DNS data fragments. The method further includes receiving a first DNS request and selecting a plurality of second DNS requests from the plurality of DNS requests such that each of the second DNS requests is a subset of the first DNS request. The method also includes calculating a count value for each of the DNS data fragments, where each of the count values represents a number of instances the second DNS requests appear within one of the DNS data fragments. In some embodiments, the count values for each of the DNS data fragments can be normalized. The method further includes determining an anomaly trend, for example, based on determining that at least one of the count values exceeds a predetermined threshold value.

Abstract: A method for improving client subnet efficiency by equivalence class aggregation includes receiving a Domain Name System (DNS) query from a client, determining, based on predetermined class criteria, that the client is associated with an equivalency class, searching a cache associated with the equivalence class for an answer corresponding to the DNS query, and upon locating the answer, serving the answer to the client. If it is determined that the cache does not include the answer, the method proceeds with querying, by a recursive server, an authoritative server using client subnet data associated with the equivalence class, receiving the answer from the authoritative server, storing the answer to the cache associated with the equivalency class, and serving the answer to the client. The client subnet data may include a representative CIDR block, the representative CIDR block being used to make queries on behalf of all clients associated with the equivalence class.

Abstract: A method predicting a network activity associated with a given network site is provided. The method can include receiving a request to predict a probability of network activity associated with the network site, analyzing historical data associated with the network site, and, based on the analysis, determining the probability of the network activity in future. The method can further include monitoring the network site, ascertaining evidence associated with the network activity, and, based on the evidence, adjusting treatment of the network site. Additionally, the method can include comparing the probability to a predetermined threshold probability and, based on the comparison, selectively taking an action concerning the network site.

Abstract: A system for providing a Domain Name System (DNS) service may include providing an agent for installation on a subscriber device. The subscriber device may be connected to the DNS service via an entry point device. The system includes receiving, from the agent, agent data indicative of a subscriber identifier and a unique identifier associated with the entry point device. The system may then determine, based on the agent data, a current Internet Protocol (IP) address associated with the entry point device and associate the unique identifier with the subscriber identifier. The system may then dynamically map the subscriber identifier to the current IP address and provide DNS service to the subscriber device based on the current IP address.

Abstract: A device control system is associated with individual devices connected through a network control point to a gateway and thereby to the Internet. The gateway inserts an EDNS0 pseudo resource record into an additional data section in each DNS query initiated by an individual device, the EDNS0 pseudo resource record identifying the initiating device. A dynamic policy enforcement engine in front of the DNS engine intercepts the DNS query, identifies the initiating device, and selects a policy that applies to the device. The dynamic policy enforcement engine may provide parental control and security service to the individual device by blocking the DNS query or passing it to the DNS engine according to the policy. A component that intercepts DNS queries may provide several additional types of services to the individual devices, including advertising, messaging, mobile device tracking, individual device application control, and delivery of individualized content.

Abstract: Provided is a method for delegation of local content delivery service. The method includes receiving a Domain Name System (DNS) query from a client to resolve a domain name to a network address associated with content provider by a content provider, determining that distribution of the content has been delegated by a content provider to a local content server associated with an Internet Service Provider (ISP), and based on predetermined criteria, resolving the domain name to the local content server. The resolution can include responding to the DNS query with an answer from a caching server, and returning, to the client, the answer pointing to the local content server, wherein upon receiving the answer, the client can establish a data communication channel with the local content server. The content can be downloaded to the local content server upon a request received by a provisioning system associated with the ISP.

Abstract: A method predicting a network activity associated with a given network site is provided. The method can include receiving a request to predict a probability of network activity associated with the network site, analyzing historical data associated with the network site, and, based on the analysis, determining the probability of the network activity in future. The method can further include monitoring the network site, ascertaining evidence associated with the network activity, and, based on the evidence, adjusting treatment of the network site. Additionally, the method can include comparing the probability to a predetermined threshold probability and, based on the comparison, selectively taking an action concerning the network site.

Abstract: A computer-implemented method for detecting anomalies in DNS requests comprises receiving a plurality of DNS requests generated within a predetermined period. The predetermined period includes a plurality of DNS data fragments. The method further includes receiving a first DNS request and selecting a plurality of second DNS requests from the plurality of DNS requests such that each of the second DNS requests is a subset of the first DNS request. The method also includes calculating a count value for each of the DNS data fragments, where each of the count values represents a number of instances the second DNS requests appear within one of the DNS data fragments. In some embodiments, the count values for each of the DNS data fragments can be normalized. The method further includes determining an anomaly trend, for example, based on determining that at least one of the count values exceeds a predetermined threshold value.

Abstract: A device control system is associated with individual devices connected through a network control point to a gateway and thereby to the Internet. The gateway inserts an EDNS0 pseudo resource record into an additional data section in each DNS query initiated by an individual device, the EDNS0 pseudo resource record identifying the initiating device. A dynamic policy enforcement engine in front of the DNS engine intercepts the DNS query, identifies the initiating device, and selects a policy that applies to the device. The dynamic policy enforcement engine may provide parental control and security service to the individual device by blocking the DNS query or passing it to the DNS engine according to the policy. A component that intercepts DNS queries may provide several additional types of services to the individual devices, including advertising, messaging, mobile device tracking, individual device application control, and delivery of individualized content.

Abstract: A method for supplementing a content policy is provided. The method may include receiving a request to access network content associated with a network content, with the network content including additional network content associated with one or more linked network contents. The method may confirm that the network content is associated with the content policy. The content policy may include a list of pre-approved network contents. Based on the confirmation, the method may selectively provide access to the network content and apply the content policy to the additional network content associated with the one or more linked network contents. A policy enforcement module may determine whether or not the additional network content should be included in the network content, and, based on the determination, selectively allow inclusion of the additional network content within the network content.

Abstract: Provided are computer-implemented methods and systems for analyzing domain name system requests and developing profiles associated with these requests. Multiple requests received from the same internet protocol (IP) address may be analyzed to differentiate computer systems used to generate these requests, applications provided on these computer systems, and even different users. The requests are analyzed based on text string content (e.g., domain and subdomain names) and timing. One or more profiles are developed and continuously updated based on requests received from the same IP address. These profiles may be used in real time to provide feedback to the users (e.g., deliver marketing content) or for subsequent analysis of comprehensive data sets (e.g., to identify behavior patterns). For example, a profile may be used to identify a number and types of computers in the household, a number and demographic information of users, and other such identifiers.