Patent attributes
From a record of a packet in a Domain Name System (DNS) communication between a DNS client and a DNS server, an input feature is constructed. Using the packet, a metadata item supporting the input feature is computed. Using a processor and a memory to execute a trained cognitive classification model, and by supplying the input feature and the supporting metadata item as inputs to the cognitive classification model, a transmission of the packet is classified as malicious use of DNS tunneling between the DNS client and the DNS server. From the cognitive classification model, a classification of the packet as malicious, and a confidence value in the malicious classification are output. By generating a notification, the DNS client is caused to cease the malicious use of the DNS tunneling.
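The flow the abstract describes (feature, supporting metadata, classification with a confidence value, notification) can be sketched as follows; this is an added example, not code from the patent. Assumptions, since the abstract names none of them: the input feature is the longest label length, the metadata item is that label's entropy, a nearest-centroid classifier stands in for the trained model, and the record layout, notification fields and all sample queries are constructed.

```python
import math
from collections import Counter

# Constructed, labelled DNS query records (client, qname); 1 = tunneling.
TRAINING = [
    (("10.0.0.5", "www.example.com"), 0),
    (("10.0.0.6", "intranet.corp.test"), 0),
    (("10.0.0.7", "printer.office.example.net"), 0),
    (("10.0.0.9", "mzxw6ytboi2gk3tfon2ca5dpebwxk3lqnfxgo4tp.t.example.net"), 1),
    (("10.0.0.9", "nbswy3dpeb3w64tmmqqhi2dfebzwk3tfojuxg5dt.t.example.net"), 1),
]

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def vectorize(record):
    """Input feature (longest label length) and supporting metadata (its entropy)."""
    _, qname = record
    longest = max(qname.lower().rstrip(".").split("."), key=len)
    # Scale by the 63-byte label limit and a 37-symbol hostname alphabet.
    return (len(longest) / 63, entropy(longest) / math.log2(37))

def train(samples):
    """Fit one centroid per class (assumed stand-in for the trained model)."""
    centroids = {}
    for label in (0, 1):
        vecs = [vectorize(rec) for rec, y in samples if y == label]
        centroids[label] = tuple(sum(col) / len(vecs) for col in zip(*vecs))
    return centroids

def classify(centroids, record):
    """Return (is_malicious, confidence in that classification)."""
    x = vectorize(record)
    dist = {y: math.dist(x, c) for y, c in centroids.items()}
    label = min(dist, key=dist.get)
    return label == 1, 1 - dist[label] / (dist[0] + dist[1])

def notify(centroids, record, threshold=0.8):
    """Build the notification sent when a query is classified as tunneling."""
    malicious, confidence = classify(centroids, record)
    if not (malicious and confidence >= threshold):
        return None
    return {"client": record[0], "qname": record[1],
            "action": "cease-dns-tunneling", "confidence": round(confidence, 3)}

MODEL = train(TRAINING)
if __name__ == "__main__":
    print(notify(MODEL, ("10.0.0.9", "orugs4zanfzsayjaon2he2lom4qho2lunbxxk5dt.t.example.net")))
```

The confidence here is a distance ratio between the two centroids, so it reads as a relative score and not as a calibrated probability.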