Abstract: A method includes receiving a set of strings and applying one or more filters to generate a subset of strings that are determined to correspond to strings of interest. The method also includes retrieving domain name system (DNS) information associated with a first string of the subset. The method includes executing a rule-based engine to determine, based on application of one or more rules to the DNS information, whether to add the first string to a set of suspicious hostnames.

Abstract: A machine includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to preserve a second level domain, track requests for subdomains of the second level domain, determine the size of encoded subdomain data and determine the size of response data for subdomain requests. When the ratio of the number of unique subdomains versus the number of subdomain requests is over a first threshold a first satisfied condition is established. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds a second threshold and the size of response data exceeds a third threshold to establish a second satisfied condition corresponding to deemed domain name system tunnel activity. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds the second threshold to establish a third satisfied condition corresponding to deemed domain name system data exfiltration activity.

Abstract: A method includes receiving a set of strings and applying one or more filters to generate a subset of strings that are determined to correspond to strings of interest. The method also includes retrieving domain name system (DNS) information associated with a first string of the subset. The method includes executing a rule-based engine to determine, based on application of one or more rules to the DNS information, whether to add the first string to a set of suspicious hostnames.

Abstract: A method includes receiving a set of strings and applying one or more filters to generate a subset of strings that are determined to correspond to strings of interest. The method also includes retrieving domain name system (DNS) information associated with a first string of the subset. The method includes executing a rule-based engine to determine, based on application of one or more rules to the DNS information, whether to add the first string to a set of suspicious hostnames.

Abstract: A machine includes a processor and a memory connected to the processor. The memory stores instructions executed by the processor to preserve a second level domain, track requests for subdomains of the second level domain, determine the size of encoded subdomain data and determine the size of response data for subdomain requests. When the ratio of the number of unique subdomains versus the number of subdomain requests is over a first threshold a first satisfied condition is established. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds a second threshold and the size of response data exceeds a third threshold to establish a second satisfied condition corresponding to deemed domain name system tunnel activity. It is determined, in response to the first satisfied condition, when the size of the subdomain data exceeds the second threshold to establish a third satisfied condition corresponding to deemed domain name system data exfiltration activity.

Abstract: A method includes receiving a set of strings and applying one or more filters to generate a subset of strings that are determined to correspond to strings of interest. The method also includes retrieving domain name system (DNS) information associated with a first string of the subset. The method includes executing a rule-based engine to determine, based on application of one or more rules to the DNS information, whether to add the first string to a set of suspicious hostnames.