US Patent 9875355 DNS query analysis for detection of malicious software

A method and system are disclosed for detecting malicious software on host server computers or instances running on the host server computers. A pattern of behavior of how the malicious software makes Domain Name System (DNS) requests and/or responses can be used to detect the malicious software. The pattern of behavior can be based on actions that the tenants take in order to make the DNS requests, such as repeating the same requests at fixed time intervals, or requesting a plurality of DNS requests in batches, wherein at least a threshold percentage of which are not resolvable, or using statistically random domain names with the requests. The pattern of behavior can also be associated with responses to the DNS requests, such as when the response includes a text message, and the text message includes encrypted or statistically random data.