Palo Alto Networks, Inc.
IDENTIFICATION OF MALICIOUS DOMAIN CAMPAIGNS USING UNSUPERVISED CLUSTERING
Last updated:
Abstract:
The technology presented herein enables the use of a clustering algorithm to identify additional malicious domains based on known malicious domains. In a particular embodiment, a method provides identifying a first plurality of domain names associated with a malicious domain campaign and seeding a first clustering algorithm with the first plurality of domain names. After seeding the first clustering algorithm, the method provides using the first clustering algorithm to process passive domain name system (DNS) records to identify and group a second plurality of domain names associated with the malicious domain campaign.
Status:
Application
Type:
Utility
Filing date:
12 Jul 2018
Issue date:
1 Aug 2019