There is a significant amount of malicious behaviour over the Internet today. In the present application, references to malicious behaviour mean activities in which a host device connected to a network is attacked by some malicious code which attempts to install itself onto the victim device and then carry out functionality of which the legitimate user of the device is not aware, and which is done for the benefit of a third party rather than for the benefit of the legitimate user of the host device. Important examples include computer viruses, computer worms and computer Trojans. A computer virus is generally considered to be a piece of malicious executable code that requires a host file (e.g. a program or a document) in order to propagate; a computer worm is similar except that it can replicate and propagate itself from one host on a network to another without needing to be embedded within a host file; and a Trojan is an executable file (i.e. a computer program) which appears to be useful but in fact has some ulterior function, unknown to the legitimate user, which it carries out when executed.
One common use of worms by malicious parties is to infect a large number of victim computers to form so-called “botnets”, in which each infected computer is commonly referred to as a “zombie”. Such botnets of zombies can then be used to perform malicious activities where the use of a large number of computers acting in concert is of benefit; for example, such botnets are known to be used for sending spam emails or for carrying out Distributed Denial Of Service (DDOS) attacks, etc.
Most anti-virus software used today is host-based (i.e. it resides on a host device) and signature-based, which means that it scans through files stored on the host computer (or just received on the computer, e.g. by way of an attachment to an email, etc.) and checks the contents of each file against a dictionary of virus signatures. (Note that generally the virus signature is the viral code itself, so finding a virus signature in a file is equivalent to finding the virus itself.)
Relatively recently, research has been conducted on the possibility of detecting malicious behaviour on a network by observing Domain Name System (DNS) requests. An example of a recent technical paper investigating this idea is “The Domain Name Service as an IDS” by Antoine Schonewille and Dirk-Jan van Helmond, published in 2006, a copy of which could be found at the priority date of the present application at the following Internet location: http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf, the contents of which are hereby incorporated by reference. From this paper it is clear that an analysis of DNS requests is not considered to be a very reliable approach on its own because of the occurrence of many false positives. It suggests that this technique should instead be used together with other behaviour monitoring techniques, such as detecting connections being made to known blacklisted sites (where a botnet controller might be operating). In particular, it suggests using the NetFlow tools (and more specifically the nfDump tool) in combination with DNS request analysis, the latter being able to provide more useful information to an administrator who is alerted to the potentially suspicious behaviour of an infected host.
US 2004/0123141 describes a dynamic multi-tier intrusion detection system for a computer network in which a hierarchy of agents at different levels co-operate to identify malicious behaviour on a network. A number of local intrusion detection agents each communicate with a single network intrusion detection agent, while a number of network intrusion detection agents all co-operate with a single global intrusion detection element. The system can identify malicious behaviour based not only on classic signature detection (i.e. detecting a match between the content of incoming packets of data and known content comprising malicious software code) but also on suspicious network behaviour; in particular, if a number of local agents detect similar events or behave in similar manners, this can be detected and deemed suspicious by one of the agents higher up in the hierarchy (e.g. a network or global agent).
WO 2007/010395 describes a DNS gatekeeper system which prevents outbound connections from being made unless they are initiated after making a DNS enquiry. It is suggested that normal outbound connections are made only after a DNS lookup has been performed, whereas this is said not generally to be the case for malicious programs.
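The two prior-art ideas above, the DNS gatekeeper rule of WO 2007/010395 (an outbound connection should be preceded by a DNS lookup that answered the destination address) and the Schonewille/van Helmond suggestion of pairing DNS request analysis with NetFlow-style records and a blacklist of known bad sites, can be combined into a single offline correlation check. The following is an added illustration written for this section; it is not code from either cited document, and it should not be read as describing how the present application's own system works. The log formats, the function names (`build_resolution_table`, `classify_flow`, `analyse`), the five-minute freshness window and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Correlate outbound flows with preceding DNS answers and a blacklist (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Addresses are RFC 5737 documentation addresses, not real hosts.
# DNS answers seen at the local resolver: (time, client, query name, answered address).
DNS_ANSWERS = [
    ("2024-01-01T10:00:00", "192.0.2.10", "mail.example.net", "198.51.100.25"),
    ("2024-01-01T10:00:05", "192.0.2.11", "www.example.org", "198.51.100.80"),
    ("2024-01-01T10:00:07", "192.0.2.11", "cnc.example.test", "203.0.113.9"),
]
# Outbound flow records in NetFlow style: (time, source host, destination, destination port).
FLOWS = [
    ("2024-01-01T10:00:01", "192.0.2.10", "198.51.100.25", 25),    # lookup 1 s earlier
    ("2024-01-01T10:00:06", "192.0.2.11", "198.51.100.80", 443),   # lookup 1 s earlier
    ("2024-01-01T10:00:08", "192.0.2.11", "203.0.113.9", 6667),    # looked up, but blacklisted
    ("2024-01-01T10:00:09", "192.0.2.12", "198.51.100.200", 80),   # no lookup at all
    ("2024-01-01T10:30:00", "192.0.2.10", "198.51.100.25", 25),    # lookup too old
]
# Constructed blacklist entry standing in for a reputation feed of known controller sites.
BLACKLIST = {"203.0.113.9"}

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for a DNS answer


def _ts(text):
    return datetime.fromisoformat(text)


def build_resolution_table(dns_answers):
    """Index DNS answers by (client, answered address) -> list of (time, query name)."""
    table = defaultdict(list)
    for when, client, qname, address in dns_answers:
        table[(client, address)].append((_ts(when), qname))
    return table


def classify_flow(flow, table, blacklist, max_age=MAX_AGE):
    """Return (verdict, query_name) for one outbound flow.

    verdict is one of:
      "blacklisted" - destination is on the blacklist, whether or not it was looked up
      "no-dns"      - no sufficiently recent DNS answer from this client named the destination
      "ok"          - a recent DNS answer to this client resolved to the destination
    """
    when, src, dst, _port = flow
    t = _ts(when)
    # Lookups by this client that answered dst, strictly before the flow and still fresh.
    names = [qname for lookup_time, qname in table.get((src, dst), [])
             if lookup_time <= t and t - lookup_time <= max_age]
    latest = names[-1] if names else None
    if dst in blacklist:
        return "blacklisted", latest
    if not names:
        return "no-dns", None
    return "ok", latest


def analyse(flows, dns_answers, blacklist, max_age=MAX_AGE):
    """Classify every flow; returns (src, dst, port, verdict, query_name) tuples."""
    table = build_resolution_table(dns_answers)
    results = []
    for flow in flows:
        verdict, qname = classify_flow(flow, table, blacklist, max_age)
        results.append((flow[1], flow[2], flow[3], verdict, qname))
    return results


def alerts(flows, dns_answers, blacklist, max_age=MAX_AGE):
    """Only the flows an administrator would want to see."""
    return [r for r in analyse(flows, dns_answers, blacklist, max_age) if r[3] != "ok"]


if __name__ == "__main__":
    for src, dst, port, verdict, qname in alerts(FLOWS, DNS_ANSWERS, BLACKLIST):
        print(f"{verdict:12s} {src} -> {dst}:{port}  (name: {qname})")
```

The `query_name` carried in each result is the extra context the paper attributes to DNS analysis: an administrator alerted to the third flow sees not just the address but the name the host asked for. The last two flows also show the false-positive problem the paper warns about: a host using a hard-coded or long-cached address produces a "no-dns" verdict that is only suspicious in combination with other evidence, which is why the blacklist check is applied independently of the DNS correlation.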