Abstract: A method of logging internet requests includes defining a plurality of field types of interest and receiving a request from the internet including one or more fields. The method also includes determining that a first field type of a first field of the one or more fields matches one of the plurality of field types of interest and caching at least a portion of the first field in a cache. The method further includes determining that a second field type of a second field of the one or more fields matches one of the plurality of field types of interest caching at least a portion of the second field in the cache. The method includes transmitting the cache to a server, determining, a number of occurrences of a field value of at least one of the first field type or the second field type, and providing a report including the number of occurrences of the field value.

Abstract: Techniques for providing a service to registered users over a network such as the internet are disclosed. The techniques can be used to hide the service from unregistered entities. Further, the techniques can thwart certain types of so-called denial-of-service attacks.

Abstract: Methods and systems for providing a secure SSL certificate escrow service comprise: providing a secure upload webpage for a private key holder to upload an encrypted copy of a private key; receiving the encrypted copy of the private key from the private key holder via the secure upload webpage; storing the encrypted copy of the private key in memory; providing a secure decryption webpage for the private key holder to enable the private key escrow service to decrypt the private key; receiving an instruction to decrypt the private key from the private key holder through the secure decryption webpage; and decrypting the private key in response to the instruction to decrypt the private key.

Abstract: Systems and methods for scoring a domain web traffic based on DNS traffic requests received at an authoritative name server to resolve the domain name. A request to resolve the domain name is received at an authoritative name server. A counter, such as a server counter or a hit counter, for the domain name is incremented based on the received request. A score, such as a domain traffic score or a domain rank, is calculated based upon a count of the counter. Calculating the score may also include applying a weighting factor to the counters based on information about a requesting set of resolvers and other domains/websites that may be linking and driving traffic to the domain whose traffic score is being calculated. Examples of relevant set of resolvers information may include location, traffic levels, traffic type and architecture of the set of resolvers.

Abstract: A computer implemented method of providing registry services is disclosed. The method includes identifying one or more top level domains to be serviced; creating, by a processor, a TLD group for the one or more top level domains, wherein top level domains in the TLD group share at least one characteristic; provisioning the one or more top level domains; and registering the one or more top level domains with the TLD group.

Abstract: A system, method, and computer-readable medium, is described that implements a domain name registration suggestion tool that receives one or more inputs, extracts information from the inputs into a submission string, submits the submission string to a domain name suggestion tool, and receives domain name suggestions based on the submission string. Inputs types may include images, audio clips, and metadata. The inputs sources may be processed to extract information related to the image source to build the submission string.

Abstract: A method for administering a top-level domain by analyzing domain name registrations for requests for suspicious or malicious domain names. A request to register a domain name is received. The requested domain name's information may be stored in a registry database. The requested domain name may also be conditionally stored in the domain name system (DNS) zone. The requested domain name is compared to a list of botnet domain names stored in a watch list database. If the requested domain name corresponds to one of the botnet domain names, the requested domain name is prevented from being added to the DNS zone or is removed from the DNS zone, if it has already been stored there. The information regarding the requested domain name is stored in the registry database, even if the domain name does not ultimately stay in the DNS zone.

Abstract: Methods and systems provide tracking or logging requests to resolve non-existent domain (NXDomains) and organizing the NXDomains to support searching of the domain names including ranking the NXDomains based on popularity, e.g, number of hits or potential traffic based on the number of requests made for the NXDomain. NXDomain logs may be organized so that it supports searching by creating an inverted index including n-grams of the NXDomains. Searching includes identifying a target substring in one or more of the indexes, selecting those matching NXDomains satisfying some threshold criteria, and displaying the NXDomains in a selected order such as by demand or popularity associated with, for example, a selected geographical location from which resolution requests targeting respective NXDomains originate.

Abstract: Systems and methods for instantaneously updating a DNS system database containing DNS records using partitions and atomic switching are disclosed. In one or more implementations, the system may include clients, a network, and a DNS system. Clients may communicate with the DNS system using the network in order to provide DNS record updates to a DNS system database. The DNS system includes distributed denial of service (“DDOS”) protection proxies, a firewall, and zone relays, allowing clients to specify which name servers are authorized to communicate with the DNS system. The DNS system also supports bulk updates of DNS records without causing clients to experience a reduction in performance, by writing DNS records to a hard disk and simultaneously saving the DNS records to the database in batches.

Abstract: Systems and methods are disclosed for analyzing network traffic data to detect anomalies in the data and determine their causes. In one implementation, a system includes a processor and a memory. The memory stores instructions that cause the processor to generate a time series of network traffic values. The processor calculates deviation scores for time entries within the time series and detects anomalies in the time series by comparing the deviation score to a predetermined range. If the processor detects an anomaly, it may determine a list of IP addresses of computers on the network that may have caused the anomaly.

Abstract: A method and system to mitigate an attack over the Internet includes collecting information related to a plurality of client IP addresses from a plurality of sources and analyzing the collected information to determine confidence scores for the plurality of client IP addresses. The method and system also include receiving network traffic from the Internet and limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold. The method, and system further include determining a level of the network traffic and limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.

Abstract: Systems and methods for creating a list of trustworthy resolvers in a domain name system. A computer receives a resolver profile for a resolver sending queries to a domain name server. The resolver profile is based on any, or a combination, of a top-talker status of the resolver, a normalcy of distribution of domain names queried, a continuity of distribution of query type, and a RD bit status, and information related to query traffic based on the topology of the domain name server. Resolver profiles can be compared to a trust policy to determine whether the resolver is trustworthy. Resolvers deemed trustworthy can be added to a list of trustworthy resolvers. Embodiments can detect the occurrence of a network-based attack. Embodiments can mitigate the effect of a network-based attack by responding only to queries from resolvers on the list of trustworthy resolvers.

Abstract: A method for compressing a set of small strings may include calculating n-gram frequencies for a plurality of n-grams over the set of small strings, selecting a subset of n-grams from the plurality of n-grams based on the calculated n-gram frequencies, defining a mapping table that maps each n-gram of the subset of n-grams to a unique code, and compressing the set of small strings by replacing n-grams within each small string in the set of small strings with corresponding unique codes from the mapping table. The method may use linear optimization to select a subset of n-grams that achieves a maximum space saving amount over the set of small strings for inclusion in the mapping table. The unique codes may be variable-length one or two byte codes. The set of small strings may be domain names.

Abstract: Systems and methods for scoring a domain including analyzing counter data and information obtained from a web site associated with the domain. Methods may include receiving requests to resolve the domain at an authoritative domain resolution server. A counter may be incremented for the domain based on the received requests. Information may be obtained from a web page associated with the domain. For example, obtaining information from the web page may include obtaining quantitative, qualitative, and/or functional information from the web page, such as link information, a status of network links corresponding to the link information, and associated ratios. The status of link information may include searching for functional details and/or results, such as, domain redirections, domain errors, mirror content, and commonly linked sites. A score may be calculated for the domain based upon the counter data and the information obtained from the web page associated with the domain.

Abstract: A system and method for establishing a chain of trust from a registrant to a registry. A registrant request to a registrar to change a domain name record includes at least one registrant factor, such as a one time password. The registrar can formulate an extended EPP command that includes the factor to effectuate the change and send it to a registry. The registry can verify the at least one factor using at least one validation server. If the factor is successfully verified, the EPP can be processed by the registry. If the factor is not verified, the EPP command may not be processed and an error message may be generated and sent to the registrar.

Abstract: Systems and methods are disclosed for collecting network traffic logs at a plurality of network sites, such as DNS name servers and network routers, and transmitting data extracted from the network traffic logs to a central repository. In one implementation, a system includes a processor and a memory. The memory stores instructions that cause the processor to retrieve PCAP files from a plurality of servers and extract data from the PCAP files. The data comprises header data and digest data. The processor stores the header data and the digest data in a header/digest pair. In another aspect, the processor retrieves a sample of the PCAP files from each of the plurality of servers rather than retrieving all PCAP files.

Abstract: Embodiments relate to systems, devices, and computer-implemented methods for preventing determination of previous access of sensitive content by receiving, from a user, a request for content at a device in an information centric network, where a cached version of the content is locally stored at the device; initiating a time delay based on a determination that the user has not previously requested the content; and transmitting the cached version of the content to the user after the time delay.

Abstract: An apparatus and a non-transitory computer-readable medium may perform a method of minimizing the disclosure of a domain name contained in a DNS query. The method may include: determining a first label and a second label associated with a domain name included in a DNS query; querying a first nameserver for the first label without revealing the second label to the first nameserver; receiving a response from the first nameserver directing a resolver to a second nameserver; and querying the second nameserver for the first label and the second label.

Abstract: Systems and methods are disclosed for identifying associations between binary samples, such as e-mail files and their attachments or a document and an executable program associated with the document. In one implementation, the method includes receiving a plurality of binary samples, and extracting metadata from the plurality of binary samples. The metadata for a binary sample from the plurality of binary samples includes a set of attributes of the binary sample. The method further includes identifying a set of associations between the plurality of binary samples based on the extracted metadata. Each association is characterized by at least one attribute the associated binary samples have in common, and each association has a confidence level indicative of a strength of the association. The method also includes identifying associations with a confidence level that exceeds a predefined threshold.

Abstract: A Domain Name System (“DNS”) package and a method for providing domain name resolution services in a partitioned network are disclosed. The system may include one or more built-in root name servers; one or more built-in top level domain (“TLD”) name servers; and a recursive name server. The recursive name server may be configured to query the one or more built-in root name servers during domain name resolution. Moreover, the one or more built-in root name servers may be configured to provide a network address corresponding to one of the built-in TLD name servers in response to a domain name resolution query sent by the recursive name server.