US Pat. No. 9,218,335

AUTOMATED LANGUAGE DETECTION FOR DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A method for detecting a language of an Internationalized Domain Name (IDN), the method comprising:
receiving, by an I/O interface, a string of characters for the IDN;
receiving a user selected language, via the I/O interface, corresponding to the IDN;
determining a plurality of candidate languages based on the user selected language, wherein the plurality of candidate languages
comprises the user selected language and other languages that share some or all characters with the user selected language
or that belong to the same language family as the user selected language;

receiving training data, comprising a plurality of multi-gram analyses for each language of the plurality of candidate languages;
analyzing, by a processor, the string of characters based on the training data, wherein the analyzing includes extracting
a set of multi-grams from the string of characters and comparing the extracted set of multi-grams with the training data;

detecting the language of the IDN based on results of the analyzing;
determining that the language of the IDN that was detected does not match the user selected language;
rejecting the IDN for generating a domain name in response to the determination that the language of the IDN that was detected
does not match the user selected language, wherein rejecting the IDN for generating a domain name comprises transmitting a
warning to a user;

receiving, in response to the warning, an indication from the user, via the I/O interface, to use the IDN to generate a domain
name; and

using the IDN to generate a domain name in response to receiving the indication from the user.

US Pat. No. 9,065,794

SYSTEMS AND METHODS FOR PROVIDING DOMAIN NAME SUGGESTIONS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for providing targeted domain name suggestions, comprising:
receiving an indication from a user;
storing the indication in a user profile associated with the user;
identifying at least one suggested domain name by:
extracting a term from an information source, wherein the information source includes at least one of a domain tag cloud,
a non-existent domain (NXD) data source, a social aggregator source, a text message source, a news source, a personalized
source, a website, or an RSS feed source;

generating, by one or more processors, one or more domain name suggestions based on the term; and
recording the one or more domain name suggestions in at least one memory; and
providing the one or more domain name suggestions to the user,
wherein:
the user profile includes:
one or more topics of interest, and
one or more information sources to use in the generating one or more domain name suggestions;
the information source is one of the one or more information sources included in the user profile;
the extracting the term comprises:
parsing the term from the information source based on a frequency of the term in the information source;
associating the term with one or more topics;
the method further comprises:
comparing the one or more domain name suggestions with a list of domain names associated with botnets;
periodically sending the user the one or more domain name suggestions based on stored user preferences, wherein the one or
more domain name suggestions are provided to the user based on the one or more topics of interest in the stored user preferences
and the one or more topics associated with the term.

US Pat. No. 9,049,229

EVALUATION OF DNS PRE-REGISTRATION DATA TO PREDICT FUTURE DNS TRAFFIC

VERISIGN, INC., Reston, ...

1. A method for predicting future network traffic, comprising:
receiving non-existent domain (NXD) requests from a plurality of name servers for one or more candidate domains over a first
period of time;

calculating a variance in the NXD responses for the one or more candidate domains over time, wherein a higher variance indicates
lower expected traffic levels;

based on at least the calculated variance and received NXD requests, predicting at least one of expected name-in-use response
levels for the one or more candidate domains, expected click traffic for the one or more candidate domains, or a combination
thereof; and

providing an indication of the expected name-in-use response levels, expected click traffic, or a combination thereof to a
purchaser, wherein the indication comprises at least one of relative monetization values for the one or more candidate domains,
value ratings for the one or more candidate domains according to a predetermined baseline, or predicted traffic statistics
for the one or more candidate domains.

US Pat. No. 9,384,097

METHOD AND SYSTEM FOR RECOVERY OF A FAILED REGISTRY

VERISIGN, INC., Reston, ...

1. A method of recovering a failed registry, the method comprising:
accessing a plurality of archived registry zone files for the failed registry, wherein each of the archived registry zone
files comprises at least domain names, registrar IDs, and status information represented in a first predetermined format;

accessing archived bulk WHOIS data for the failed registry, wherein the archived bulk WHOIS data comprises at least nameserver
server names, IP addresses, and status information represented in a second predetermined format;

validating, at a recovery registry in response to failure of the failed registry, one of the plurality of the archived registry
zone files based on a comparison between the plurality of the archived registry zone files and the archived bulk WHOIS data;

publishing the one of the plurality of the archived registry zone files to the recovery registry's nameservers;
initiating a root zone change request, wherein the root zone change causes the recovery registry to operate in place of the
failed registry; and

updating authoritative nameservers of the recovery registry.

US Pat. No. 9,172,716

SYSTEM AND METHOD FOR DETECTING DNS TRAFFIC ANOMALIES

VERISIGN, INC, Reston, V...

1. A computer-implemented method for analyzing Domain Name System (DNS) lookup data, comprising:
calculating, by a processor, a plurality of traffic scores for a network address that includes a domain name based on a set
of DNS lookup data associated with the network address, wherein the set of DNS lookup data includes a plurality of source
network addresses of queriers;

obtaining two or more traffic scores of the plurality of traffic scores based on numbers of unique Recursive Name Servers
(RNSs) requesting the network address during a same time window within two or more respective time periods, wherein the two
or more traffic scores include a current traffic score that corresponds to the same time window of a current time period and
a previous traffic score that corresponds to the same time window of at least one previous time period;

calculating an updated traffic score based on an average of the current traffic score and the previous traffic score;
updating the current traffic score based on the updated traffic score;
calculating, subsequent to updating the current traffic score, a first variance based on a variation between the two or more
traffic scores;

calculating two or more geolocation percentages for the network address based on different geolocations associated with one
or more of the plurality of source network addresses of one or more of the queriers requesting the network address during
the same time window of the two or more respective time periods;

calculating a second variance for the network address based on a variation between the two or more geolocation percentages;
and

determining a rank of the network address based on the first and second variances.

US Pat. No. 9,094,467

METHOD AND SYSTEM FOR PREDICTING DOMAIN NAME REGISTRATION RENEWAL PROBABILITY

VERISIGN, INC., Reston, ...

1. A non-transitory computer readable storage medium including instructions which when executed cause a processor to perform
a method for determining probability of a domain name registration renewal, the method comprising:
receiving input associated with a domain name, the input including information related to website content data and at least
one of registration data, domain name system (DNS) name server data or DNS traffic data, wherein the input further includes
information related to at least one of DNS name server functionality or website functionality;

organizing the received information into a plurality of categories;
assigning a weighted value to each of the plurality of categories;
aggregating the weighted values for the plurality of categories to determine a combined weighted value for the domain name;
and

determining a probability in a range between 0.01 percent and 99.9 percent of the domain name being renewed corresponding
to the combined weighted value for the domain name.

US Pat. No. 9,172,673

SYSTEMS AND METHODS FOR DOMAIN NAME EXCHANGE

VERISIGN, INC, Reston, V...

1. A computer-implemented method of processing a domain name exchange, comprising:
selecting a domain record associated with an existing domain name registration, wherein a first domain name is stored in the
domain record as a domain name attribute of the existing domain name registration;

receiving, by a computer, a second domain name;
exchanging, by the computer, the first domain name for the second domain name in a domain name exchange, wherein the exchanging
includes replacing the first domain name in the domain record with the second domain name as the domain name attribute of
the existing domain name registration;

recording the domain name exchange in a domain name exchange history, wherein the domain name exchange history indicates that
the second domain name replaces the first domain name as the domain name attribute of the existing domain name registration;

updating, by the computer, a domain name server with the second domain name;
processing, by the computer after the first domain name is replaced with the second domain name, the first domain name to
make the first domain name available for registration by a new registrant; and

providing information indicating a history of the domain name exchange in response to a user request.

US Pat. No. 9,160,623

METHOD AND SYSTEM FOR PARTITIONING RECURSIVE NAME SERVERS

VERISIGN, INC., Reston, ...

1. A method of providing user-based domain name system (DNS) filtering, the method comprising:
provisioning a first name server with a first policy, associated with a first user, for resolving DNS requests;
provisioning a second name server with a second policy, associated with a second user, for resolving DNS requests;
receiving, at the first name server, a first DNS request associated with the first user, wherein the first DNS request comprises
a source internet protocol (IP) address and is related to a first website;

determining, at the first name server, that the first user is allowed access to the first website based on the source IP address
and the first policy;

providing a first DNS response that includes an address of the first website;
receiving, at the second name server, a second DNS request associated with the second user, wherein the second DNS request
comprises the source IP address and is related to the first website;

determining, at the second name server, that the second user is not allowed access to the first website based on the source
IP address and the second policy; and

providing a second DNS response that includes a different address not associated with the first website.

US Pat. No. 9,405,796

SYSTEMS AND METHODS FOR ANALYZING REGISTRAR AND HOSTING PROVIDER RELATIONSHIPS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for analyzing domain name registrar and hosting provider relationships, the method comprising:
receiving a list of domain names;
determining registrar information and hosting provider information associated with each domain name of the list of domain
names; and

generating a registrar-to-hosting-provider graph based on the registrar information and the hosting provider information associated
with each domain name, wherein:

the registrar-to-hosting-provider graph comprises:
nodes representing registrars and nodes representing hosting providers; and
edges comprising one or more edge attributes representing one or more common associations between the registrars and the hosting
providers;

the one or more edge attributes comprise a number of domain names of the list of domain names; and
each edge corresponds to at least one domain name associated with a registrar and a hosting provider.

US Pat. No. 9,269,080

HIERARCHICAL PUBLISH/SUBSCRIBE SYSTEM

VERISIGN, INC., Reston, ...

1. A method for publishing a publication message, the method comprising:
receiving, at one of a plurality of first relays, a subscription request from a first client;
transmitting the subscription request from the one of the plurality of first relays to each member of a first grouping of
central relays;

receiving, at the one of the plurality of first relays, a publication request from a second client, the publication request
including the publication message;

transmitting the publication message from the one of the plurality of first relays to a member of the first grouping of central
relays and to a member of a second grouping of central relays, wherein each grouping of central relays comprises more than
one central relay and each grouping of central relays is located at a different geographic location, whereby the member of
the central relays in the first grouping of central relays is operable to publish the publication message to remaining central
relays in the first grouping of central relays on behalf of the one of the plurality of first relays and whereby the member
of the central relays in the second grouping of central relays is operable to publish the publication message to remaining
central relays in the second grouping of central relays on behalf of the one of the plurality of first relays;

determining, at the one of the plurality of first relays, that information in the subscription request matches information
in the publication request; and

transmitting the publication message from the one of the plurality of first relays to the first client.

US Pat. No. 9,195,316

EVALUATING TYPEABILITY OF DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A method for assessing an identifier, the method comprising:
receiving a string of characters making up the identifier;
determining a keyboard type for a keyboard;
determining a finger positioning corresponding to a position of a typer's fingers on the keyboard; and
calculating, by a calculator module, a typeability score for the identifier based on the string of characters and the keyboard
type, wherein the typeability score signifies a difficulty of typing the identifier on the keyboard type, and wherein the
typeability score is further based on the finger positioning.

US Pat. No. 9,148,334

CHARACTERIZING UNREGISTERED DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A computer-implemented method, the method comprising:
receiving a plurality of resolution requests for domain names, each resolution request of the plurality of resolution requests
including at least one unregistered domain name, wherein the at least one unregistered domain name is not registered with
a domain name system registry;

forming a list of the plurality of resolution requests for the plurality of unregistered domain names, wherein the list separately
lists unregistered domain names that share only a top-level domain and a second-level domain;

receiving a request for a number of occurrences in the list for a particular unregistered domain name;
providing the number of occurrences in the list for the particular unregistered domain name; and
determining a score for the particular unregistered domain name based on the number of occurrences.

US Pat. No. 9,065,855

SYSTEMS AND METHODS FOR AUTOMATICALLY PROVIDING WHOIS SERVICE TO TOP LEVEL DOMAINS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for establishing top level domains, comprising:
receiving, at a first computer system, a first domain data associated with a first top level domain and a second domain data
associated with a second top level domain;

associating a first network address corresponding to a second computer system to the first top level domain and a second network
address corresponding to the second computer system to the second top level domain;

updating the first top level domain, wherein the updating comprises transmitting the first domain data to the second computer
system, whereby the second computer system:

compares the first domain data to stored domain data in the second computer system; and
updates the stored domain data in the second computer system with the first domain data, based on the comparing;
provisioning the second top level domain, wherein the provisioning comprises transmitting the second domain data to the second
computer system, whereby the second computer system initiates a second registration data lookup service for the second top
level domain using the second domain data; and

initiating assignment of the first network address as an authoritative network address for the first top level domain and
the second network address as an authoritative network address for the second top level domain.

US Pat. No. 9,225,702

TRANSPARENT CLIENT AUTHENTICATION

VERISIGN, INC., Reston, ...

1. A method for registering an application at a client computer to a service at a server for later re-authentication, the
method comprising:
sending from the server to the application at the client, a service identifier;
receiving at the server, from the application at the client, an application-service identifier, wherein the application-service
identifier is generated at the client based upon the service identifier and an application identifier of the application;

receiving at the server, from the application at the client, a registration nonce and an application-service key, wherein
the application-service key is based upon the registration nonce, the service identifier and a secret application key;

storing at the server the registration nonce, the application-service identifier and the application-service key;
computing at the server an expected proof of possession of the secret application key and receiving from the client a proof
of possession; and

determining the application is authentic if the expected proof of possession corresponds to the received proof of possession.

US Pat. No. 9,130,917

DNSSEC SIGNING SERVER

VERISIGN, INC., Reston, ...

1. A Domain Name System Security Extensions (DNSSEC) signing server configured to interact with at least one DNSSEC client
application and one or more digital signature modules that are configured to be executed by a processor, the DNSSEC signing
server comprising:
a processor implemented in hardware; and
a storage device including computer readable code that, when executed by the hardware processor, causes the DNSSEC signing
server to act as an authoritative server to:

receive a signing request from the at least one DNSSEC client application to digitally sign a first data included in the signing
request, the first data includes domain name system (DNS) data, and the one or more digital signature modules are configured
to sign certain parts of the DNS data according to a DNSSEC protocol, without signing an entire zone;

determine a type of signing function from among a plurality of signing functions based on the signing request;
determine at least one of an active Key Signing Key (KSK) and an active Zone Signing Key (ZSK) from among one or more keys
to digitally sign the first data based on the type that is determined;

transmit the first data to one of the plurality of digital signature modules to be digitally signed;
use the at least one of active KSK and active ZSK to digitally sign the first data in response to receiving the first data;
receive a digital signature based on the first data from one of the one or more digital signature modules; and
provide the digital signature based on the first data to the at least one DNSSEC client application.

US Pat. No. 9,063,936

IMAGE, AUDIO, AND METADATA INPUTS FOR KEYWORD RESOURCE NAVIGATION LINKS

VERISIGN, INC., Reston, ...

1. A computer-implemented method of generating resource navigation links based on inputs comprising:
receiving, at a computer, an input source, wherein the input source corresponds to at least one of an image data file, an
audio data file, or metadata source;

processing, via the computer, the input source to extract information from the input source;
building, via the computer, a submission string based on the extracted information, wherein the building comprises prioritizing
words in the extracted information to place more significant words at a beginning of the submission string;

submitting the submission string to a resource navigation link tool;
receiving a resource navigation link from the resource navigation link tool when the submission string correlates with one
or more keywords in the resource navigation link; and

submitting the submission string to an internet search engine when the submission string does not correlate with the one or
more keywords in the resource navigation link.

US Pat. No. 9,369,427

RECOVERY OF A FAILED REGISTRY

VERISIGN, INC., Reston, ...

1. A computer-implemented method comprising:
receiving a first zone data for a zone for a registry;
receiving at least one of escrow data and survey data for the registry;
archiving the first zone data into a data repository;
reconciling ownership of the first zone data based on the at least one of escrow data and survey data;
publishing archived zone data based on the first zone data into a DNS service; and
launching the DNS service for the zone.

US Pat. No. 9,288,332

SYSTEM AND METHOD FOR PROVIDING HIGH RELIABILITY NETWORK

VERISIGN, INC., Reston, ...

1. A method comprising:
receiving, by a network control device in a network, a message associated with a computer system requesting one or more services
provided by the network;

sending, by the network control device, a request to one or more context servers for context information about the message,
wherein the request includes a data key that identifies the message;

receiving, by the network control device, the context information from at least one of the context servers, wherein the context
information includes identification information that matches the data key, and a timestamp of a previously processed message
associated with the computer system requesting the one or more services; and

processing, by the network control device, the message based on the context information.

US Pat. No. 9,213,930

SECURE BARCODES

VERISIGN, INC., Reston, ...

1. A non-transitory computer readable storage medium comprising instructions that cause one or more processors to perform
a method comprising:
receiving target content data;
verifying the target content data;
generating an identifier corresponding to the target content data that has been verified;
generating resolution data comprising an n-dimensional barcode that includes identifier information corresponding to the identifier
and address information corresponding to an internet protocol (IP) address of a trusted third party; and

providing the resolution data to a user.

US Pat. No. 9,058,381

METHOD OF AND APPARATUS FOR IDENTIFYING MACHINE-GENERATED TEXTUAL IDENTIFIERS

VERISIGN, INC., Reston, ...

1. A computer-implemented method of identifying machine-generated domain resolution requests, the method comprising:
maintaining, in a memory, a log of requests to resolve nonexistent domains;
identifying, using a processor, from among the requests a set of unique nonexistent domains, wherein each domain in the set
of unique nonexistent domains comprises a set of characters;

analyzing, using the processor, the set of characters comprising each domain in the set of unique nonexistent domains according
to a set of classification rules to assign a taxonomical set classification from a plurality of taxonomical set classifications
to each domain, wherein the plurality of taxonomical set classifications comprises machine generated and non-machine generated;

determining, using the processor, a set of requestors that queried each domain in the set of unique nonexistent domains and
a number of times that each requestor in the set of requestors queried each domain in the set of unique nonexistent domains;

assigning, using the processor, a requestor-type classification to each requestor in the set of requestors as a machine or
a non-machine according to the number of times that each requestor queried nonexistent domains that were assigned the machine
generated taxonomical set classification;

calculating a numerical probability score for each unique nonexistent domain based on a combination of the taxonomical set
classification and the requestor-type classification;

classifying each unique nonexistent domain as machine generated or non-machine generated based on whether the numerical probability
score exceeds a predetermined threshold;

maintaining a count of the number of requests for nonexistent domains within each of the plurality of taxonomical set classifications;
identifying, using the processor, log records of requests made for nonexistent domain names within the machine-generated taxonomical
set classification as being the log records of suspicious requests;

creating a set of candidate domains by using the processor to filter out the nonexistent domains corresponding to the log
records of suspicious requests;

identifying a set of nonexistent domains having the highest number of requests from the set of candidate domains; and
suggesting for registration at least one domain from the set of nonexistent domains.

US Pat. No. 9,380,019

COMMAND PERFORMANCE MONITORING

VERISIGN, INC., Reston, ...

1. A method, comprising:
selecting a top-level domain (TLD) from a plurality of TLD's in one group of a plurality of groups of TLD's, wherein each
of the groups is associated with an attribute and a plurality of commands;

selecting a command from a plurality of commands, including at least one of a session command testing at least one of network
connectivity, login credentials of a user, and grants of a user, query command testing a database read operation, and transform
command testing a database write operation,

wherein the selection of the command is based on the selected TLD;
selecting a network interface from a plurality of network interfaces to facilitate execution of the command based on the one
group upon which the command is to be executed;

transmitting a request including the selected command to the TLD;
monitoring performance of a command at the selected TLD; and
providing the monitored performance for determining compliance with a service level agreement for the TLD based on the monitored
executed performance.

US Pat. No. 9,292,612

INTERNET PROFILE SERVICE

VERISIGN, INC., Reston, ...

1. A computer-implemented method for generating a domain profile, comprising:
determining, using a processor, a purpose associated with a first domain by accessing a first web page associated with the
first domain, wherein the determining comprises:

determining whether content is obtainable by resolving the first domain and accessing the first web page;
in response to determining that content is obtainable, determining whether the first web page results in a redirection;
in response to determining that the first web page does not result in a redirection, determining whether retrieved content
of the first web page is content from another web page;

comparing the retrieved content with predetermined data to determine contextual matches;
in response to determining that the retrieved content is not content from another web page, determining, based on the contextual
matches, whether the purpose associated with the first domain is to receive advertising traffic; and

in response to determining that the purpose of the first domain is not to receive advertising traffic, determining, based
on the contextual matches, whether the purpose of the first domain is commercial;

determining, based on the contextual matches, a category associated with the first domain, wherein the category associated
with the first domain is distinct from the purpose associated with the first domain and defines a commercial sector of the
first domain; and

storing, in a memory, the purpose associated with the first domain and the category associated with the first domain.

US Pat. No. 9,202,079

PRIVACY PRESERVING DATA QUERYING

VERISIGN, INC., Reston, ...

1. A computer-implemented method for preserving privacy of a query of a data set comprising:
receiving, at a computer, a client computer request for information from a data set of a tokenized data holder, wherein the
request includes a tokenized query term, wherein the tokenized query term was tokenized by a first tokenizing authority computer
different from the client computer and from a computer of an owner of the tokenized data holder, and operatively coupled to
the client computer and to the tokenized data holder through a network, whereby a requestor does not have access to an entirety
of the data set of the tokenized data holder; and

determining, via the computer, whether the tokenized query term is contained in the data set, wherein the data set comprises
a store of tokenized terms, wherein the tokenized query term corresponds to a tokenized input associated with a query term,
whereby the owner of the tokenized data holder does not learn the query term;

wherein the tokenized terms have each been tokenized by a second tokenizing authority computer based on a tokenizing function
equivalent to a tokenizing function of the first tokenizing authority, wherein the second tokenizing authority computer is
different from the client computer and from a computer of an owner of the tokenized data holder.

US Pat. No. 9,075,886

SYSTEMS AND METHODS FOR DETECTING THE STOCKPILING OF DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A computer-implemented method, performed by at least one processor, comprising:
initiating, by at least one processor of a domain name registry, a first web crawl of a website hosted at a device whose address
is registered with a domain name registrar in association with a domain name at a first time that is prior to an expiration
of a registration of the domain name with the domain name registrar;

receiving, in connection with the first web crawl, first website information corresponding to first information located on
the website and first registration information related to the registration of the domain name with the domain name registrar;

initiating, by the domain name registry at least one processor, a second web crawl of the website at a second time that is
after the expiration of the registration of the domain name with the domain name registrar;

receiving, in connection with the second web crawl, second website information corresponding to second information located
on the website and second registration information related to the registration of the domain name with the domain name registrar;

comparing, by the domain name registry at least one processor, at least one of the first website information with the second
website information and the first registration information with the second registration information;

detecting, based on the comparing of the at least one of the first website information with the second website information
and the first registration information with the second registration information, a change in the registration of the domain
name;

determining, based on the change, a web server that hosts the domain name; and
determining, by the domain name registry at least one processor and based on the change comparing, whether the domain name
has been stockpiled by the domain name registrar by keeping the domain name active while withholding the expired domain name
from resale and maintaining ownership of the domain name.

US Pat. No. 9,053,320

METHOD OF AND APPARATUS FOR IDENTIFYING REQUESTORS OF MACHINE-GENERATED REQUESTS TO RESOLVE A TEXTUAL IDENTIFIER

VERISIGN, INC, Reston, V...

1. A method of identifying one or more sources of machine-generated domain resolution requests, the method comprising:
defining a plurality of taxonomical sets to contain character strings having particular syntax characteristics, wherein each
of the plurality of taxonomical sets is either for character strings of domains having machine generated syntax characteristics,
or for character strings of domains having non-machine generated syntax characteristics, wherein the plurality of taxonomical
sets include a set of unresolvable domains exhibiting a syntax characteristic of existing registered domains, wherein the
syntax characteristic of existing registered domains is selected from the set of syntax characteristics consisting of:

(i) a character string length less than a threshold number of characters;
(ii) a soundex equivalent of a registered textual identifier;
(iii) a keyboard-equivalent entry of a registered textual identifier;
(iv) an edit distance from a registered textual identifier that is less than a threshold value; and
(v) an n-gram analysis of character frequency distributions observed within the domain name;
maintaining a log of requests to one or more DNS servers to resolve unresolvable domains, each request made by a requestor;
identifying, after the defining, from among the requests a set of unresolvable domains requested within a given time period;
classifying, after the defining, the domains within the set of unresolvable domains into the plurality of taxonomical sets;
maintaining a count of a number of requests for each unresolvable domain made by each requestor within each of the taxonomical
sets; and

identifying requestors exhibiting a threshold level of machine generated traffic directed to at least one unresolvable domain
based at least in part on at least one count of the number of requests for each unresolvable domain made by each requestor
within each of the taxonomical sets.
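The claim above lists five syntax criteria for sorting unresolvable names into taxonomical sets and then counts, per requestor, how many requests land in each set. The following is an added worked example, not Verisign's code and not from the patent: it implements the five criteria (length threshold, Soundex match, keyboard-adjacent substitution, edit distance, unseen character bigrams), classifies NXDOMAIN log lines, and flags requestors whose count in a machine-generated set reaches a threshold. The registered-name list, the QWERTY adjacency model (same-row neighbours only), the thresholds, and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed list of registered second-level labels (stands in for the zone).
REGISTERED = ["example", "verisign", "google", "amazon", "wikipedia"]
KNOWN_BIGRAMS = {n[i:i + 2] for n in REGISTERED for i in range(len(n) - 1)}

# Same-row QWERTY neighbours: a simplified keyboard model (assumption).
ADJACENT = {}
for row in ("qwertyuiop", "asdfghjkl", "zxcvbnm"):
    for i, ch in enumerate(row):
        ADJACENT[ch] = set(row[max(0, i - 1):i + 2]) - {ch}

SOUNDEX_CODES = {ch: code for letters, code in
                 (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"),
                  ("l", "4"), ("mn", "5"), ("r", "6")) for ch in letters}

def soundex(word):
    """Classic 4-character Soundex; vowels reset the run, h and w do not."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return ""
    out, last = word[0].upper(), SOUNDEX_CODES.get(word[0], "")
    for ch in word[1:]:
        code = SOUNDEX_CODES.get(ch, "")
        if code and code != last:
            out += code
        if ch not in "hw":
            last = code
    return (out + "000")[:4]

def edit_distance(a, b):
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def keyboard_equivalent(a, b):
    """True when a and b differ in exactly one adjacent-key substitution."""
    if len(a) != len(b):
        return False
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    return len(diffs) == 1 and diffs[0][1] in ADJACENT.get(diffs[0][0], set())

def unseen_bigram_ratio(label):
    """Share of the label's character bigrams never seen in registered names."""
    grams = [label[i:i + 2] for i in range(len(label) - 1)]
    return sum(g not in KNOWN_BIGRAMS for g in grams) / len(grams) if grams else 0.0

def classify(label):
    """Assign an unresolvable label to one taxonomical set using the five criteria."""
    if len(label) < 4:
        return "short"                       # (i) short string: typed, non-machine
    for reg in REGISTERED:
        if keyboard_equivalent(label, reg):
            return "keyboard_typo"           # (iii) keyboard-equivalent entry
        if edit_distance(label, reg) < 3:
            return "near_registered"         # (iv) edit distance below threshold
        if soundex(label) == soundex(reg):
            return "soundex_match"           # (ii) soundex equivalent
    if unseen_bigram_ratio(label) > 0.6:
        return "random_looking"              # (v) n-gram profile: DGA-like
    return "other"

MACHINE_SETS = {"random_looking"}             # sets treated as machine-generated

# Constructed resolver log: "unix_time requestor qname rcode".
LOG = """\
1700000000 198.51.100.5 verisgin.com NXDOMAIN
1700000001 198.51.100.5 googel.com NXDOMAIN
1700000002 203.0.113.9 xk3qzp7t.com NXDOMAIN
1700000003 203.0.113.9 q9wz1lmv.net NXDOMAIN
1700000004 203.0.113.9 zzq8kxpw.org NXDOMAIN
1700000005 203.0.113.9 jwq7xkzp.com NXDOMAIN
1700000006 203.0.113.9 pzk9xqwj.com NXDOMAIN
1700000007 198.51.100.5 example.com NOERROR
1700000008 203.0.113.9 vqz2kxpw.com NXDOMAIN
"""

def identify_requestors(log_text, window, threshold):
    """Count NXDOMAIN requests per (requestor, set) inside window and flag the
    requestors whose count in any machine-generated set reaches threshold."""
    start, end = window
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, requestor, qname, rcode = line.split()
        if rcode != "NXDOMAIN" or not start <= int(ts) < end:
            continue
        label = qname.lower().rstrip(".").split(".")[0]
        counts[requestor][classify(label)] += 1
    flagged = sorted(r for r, sets in counts.items()
                     if any(sets[s] >= threshold for s in MACHINE_SETS))
    return {r: dict(s) for r, s in counts.items()}, flagged
```

Two human typos of real names land in the registered-like set and do not trip the threshold; six random-looking labels from one address do. The criteria are ordered so that a near-miss of a registered name is claimed by a typo set before the n-gram test runs, which is what keeps typo traffic out of the machine-generated count.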

US Pat. No. 9,473,455

DATA PLANE PACKET PROCESSING TOOL CHAIN

VERISIGN, INC., Reston, ...

1. A method of processing in a data plane, comprising:
creating, via an application operating in userland mode, a plurality of Domain Name System (DNS) packets, wherein each packet
comprises a DNS lookup instance;

acquiring, via a userland poll mode driver, the plurality of DNS packets;
processing, via the userland poll mode driver, the plurality of DNS packets in the data plane, wherein processing the plurality
of DNS packets comprises querying one or more databases storing DNS information;

generating response packets that comprise responses to the plurality of DNS packets; and
sending the response packets from the data plane via the userland poll mode driver, wherein an operating system monitors a
performance of the application and the userland poll mode driver,

wherein the processing comprises processing without using a hypervisor by:
causing the userland poll mode driver to acquire the plurality of DNS packets from the operating system; and
sending the plurality of DNS packets to the data plane; and
wherein the operating system accesses memory shared with one or more applications causing the userland poll mode driver to
acquire the plurality of DNS packets from the operating system.

US Pat. No. 9,473,530

CLIENT-SIDE ACTIVE VALIDATION FOR MITIGATING DDOS ATTACKS

VERISIGN, INC., Reston, ...

6. A computer-implemented method of mitigating denial-of-service (DoS) attacks, comprising:
intercepting, by a first server system, network requests directed to a second server system, wherein the network requests
originate from clients;

providing, by the first server system to the clients, responses to the network requests, wherein the responses include embedded
client-side scripts that subject the clients to one or more challenge mechanisms, wherein providing further includes:

receiving a first hypertext transfer protocol (HTTP) request from a first client directed to the second server system;
sending, by the first server system to the first client, a response to the first HTTP request, wherein the response includes
a plurality of set-cookie directives to set a challenge cookie on the first client, wherein at least one of the plurality
of set-cookie directives is valid and configured to set the challenge cookie to a correct value, and wherein at least one
of the plurality of set-cookie directives is invalid and configured to set the challenge cookie to an incorrect value;

determining that the first client has set the challenge cookie to the correct value; and
categorizing the first client as non-suspect in response to a determination that the first client has set the challenge cookie
to the correct value;

identifying one or more non-suspect clients, the one or more non-suspect clients corresponding to requesting clients that
successfully complete the one or more challenge mechanisms;

identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully
complete the one or more challenge mechanisms; and

forwarding, by the first server system to the second server system, network requests corresponding to the one or more non-suspect
clients.
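The challenge in claim 6 relies on the client applying several set-cookie directives correctly: a real browser keeps only the valid one, while a crude bot that copies whatever it sees ends up with a decoy. The block below is an added example written for this page, not Verisign's implementation: the intercepting ("first") server derives the correct value with a keyed HMAC over the client address and a time bucket so it can verify statelessly, the invalid directives carry a Domain attribute that does not domain-match the request host (which RFC 6265 says a compliant cookie store must ignore entirely), and a minimal compliant jar is contrasted with a naive bot. The key, cookie name, bucket size and addresses are assumptions.

```python
import hmac
import hashlib
import secrets

SECRET_KEY = b"rotate-this-key-regularly"   # assumption: the first server's secret
COOKIE = "challenge"
BUCKET_SECONDS = 300

def expected_value(client_ip, bucket):
    """Correct challenge value, keyed so the edge can verify it without state."""
    msg = f"{client_ip}|{bucket}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:32]

def challenge_headers(client_ip, now):
    """Set-Cookie directives for the first response: one valid, two invalid.
    The invalid ones name a Domain that cannot match the request host, so a
    compliant cookie store ignores them; a scraper that copies the first (or
    last) Set-Cookie value keeps a decoy instead."""
    good = expected_value(client_ip, int(now // BUCKET_SECONDS))
    decoy_a, decoy_b = secrets.token_hex(16), secrets.token_hex(16)
    return [
        f"{COOKIE}={decoy_a}; Path=/; Domain=decoy-a.invalid",
        f"{COOKIE}={good}; Path=/; Max-Age={BUCKET_SECONDS}",
        f"{COOKIE}={decoy_b}; Path=/; Domain=decoy-b.invalid",
    ]

def _domain_matches(request_host, domain_attr):
    d, h = domain_attr.lstrip(".").lower(), request_host.lower()
    return h == d or h.endswith("." + d)

def compliant_jar(request_host, set_cookie_headers):
    """Minimal RFC 6265 section 5.3 behaviour: a cookie whose Domain attribute
    does not domain-match the request host is dropped; later directives
    overwrite earlier ones with the same name."""
    jar = {}
    for header in set_cookie_headers:
        pair, *attr_parts = [p.strip() for p in header.split(";")]
        name, _, value = pair.partition("=")
        attrs = {k.lower(): v for k, _, v in (a.partition("=") for a in attr_parts)}
        if "domain" in attrs and not _domain_matches(request_host, attrs["domain"]):
            continue
        jar[name] = value
    return jar

def naive_bot_jar(set_cookie_headers):
    """A bot that copies the first Set-Cookie value it sees, attributes ignored."""
    name, _, value = set_cookie_headers[0].split(";")[0].partition("=")
    return {name: value}

def categorize(client_ip, now, presented):
    """Non-suspect if the presented cookie equals the correct value for the
    current or previous bucket (tolerates a boundary crossing); else suspect."""
    bucket = int(now // BUCKET_SECONDS)
    for b in (bucket, bucket - 1):
        if hmac.compare_digest(presented or "", expected_value(client_ip, b)):
            return "non-suspect"
    return "suspect"
```

Binding the value to the client address means a cookie harvested from one host is useless from another. The filter is deliberately cheap: a bot that implements a full cookie store passes it, which is why the claim pairs it with other challenge mechanisms rather than using it alone.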

US Pat. No. 9,245,114

METHOD AND SYSTEM FOR AUTOMATIC DETECTION AND ANALYSIS OF MALWARE

VERISIGN, INC., Reston, ...

1. A method of detecting malicious software, the method comprising:
storing, by an analysis system, a memory baseline for a first system, the memory baseline including information stored in
volatile memory of the first system and non-volatile memory of the first system;

providing, by the analysis system, a file to the first system;
executing, by the analysis system, the file on the first system using an operating system of the first system after the storing
the memory baseline;

terminating, by the analysis system, operation of the operating system of the first system after executing the file;
storing, by the analysis system, a post-execution memory map of the first system while operation of the operating system of
the first system is terminated, the post-execution memory map including information stored in the volatile memory of the first
system and the non-volatile memory of the first system after the executing the file;

analyzing, by the analysis system, the memory baseline and the post-execution memory map, wherein analyzing comprises:
determining the presence of one or more processes that changed from the memory baseline to the post-execution memory map,
determining timestamps associated with the one or more processes, and
identifying behaviors that indicate attempts to conceal a rootkit during the operation of the operating system;
determining that the file comprises malicious software based on the analyzing;
determining a timeline of activities performed by the malicious software based on the timestamps; and
providing a report of the malicious software including a list of the one or more processes that changed and the timeline.

US Pat. No. 9,184,919

SYSTEMS AND METHODS FOR GENERATING AND USING MULTIPLE PRE-SIGNED CRYPTOGRAPHIC RESPONSES

VERISIGN, INC., Reston, ...

1. A computer-implemented method, comprising:
generating multiple cryptographic datasets corresponding to a single encryption key, each cryptographic dataset having a different
validity period;

upon a user request, identifying one or more cryptographic datasets that are still valid among the multiple cryptographic
datasets;

identifying a cryptographic dataset having a shortest validity period among the one or more cryptographic datasets that are
still valid; and

providing the identified cryptographic dataset to the user in response to identifying the cryptographic dataset having the
shortest validity period.
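Claim 1 pre-computes several signed datasets over the same data with one key but staggered validity windows, then serves the still-valid one with the shortest window. The following added example (written for this page, not Verisign's code) shows that selection; an HMAC stands in for the real signature, and the payload, key and windows are constructed. Binding the window into the signed message is the check a practitioner would want, since otherwise a dataset could be presented with a window it was never signed for.

```python
import hmac
import hashlib
from dataclasses import dataclass

SIGNING_KEY = b"stand-in-for-the-zone-signing-key"  # assumption: HMAC replaces a real signature

@dataclass(frozen=True)
class PreSignedResponse:
    inception: int      # Unix time the dataset becomes valid
    expiration: int     # Unix time it stops being valid
    signature: str

    @property
    def validity_period(self):
        return self.expiration - self.inception

    def valid_at(self, now):
        return self.inception <= now < self.expiration

def presign(payload, windows):
    """One dataset per (inception, expiration) window over the same payload and
    key; the window is part of what is signed."""
    datasets = []
    for inception, expiration in windows:
        msg = payload + inception.to_bytes(8, "big") + expiration.to_bytes(8, "big")
        sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
        datasets.append(PreSignedResponse(inception, expiration, sig))
    return datasets

def select_response(datasets, now):
    """Among datasets still valid at now, return the one with the shortest
    validity period; None when nothing is valid (re-signing has fallen behind)."""
    valid = [d for d in datasets if d.valid_at(now)]
    return min(valid, key=lambda d: d.validity_period) if valid else None

def staggered_windows(t0, day=86_400):
    """Constructed schedule: 1-, 3- and 7-day windows all starting at t0."""
    return [(t0, t0 + day), (t0, t0 + 3 * day), (t0, t0 + 7 * day)]
```

Serving the shortest still-valid dataset keeps the replay exposure of what actually leaves the server small, while the longer windows are the fallback if a signing run is missed; that reading of the design is mine, the claim itself only states the selection rule.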

US Pat. No. 9,124,592

METHOD AND SYSTEM FOR APPLICATION LEVEL LOAD BALANCING IN A PUBLISH/SUBSCRIBE MESSAGE ARCHITECTURE

VERISIGN, INC., Reston, ...

1. A method of publishing a message, the method comprising:
receiving a subscription request at a first remote relay from a first client, wherein the subscription request includes a
target;

transmitting a subscription message from the remote relay to each of a first set of central relays, wherein the subscription
message includes the target;

receiving a publication request at a second remote relay from a second client, wherein the publication request includes a
message string characterized by a pattern;

transmitting a publication message from the second remote relay to a first central relay of the first set of central relays
and a second central relay of a second set of central relays, wherein the publication message includes the message string;

determining, at the first central relay, that the target matches at least a portion of the pattern;
transmitting the message string from the first central relay to the first remote relay;
determining, at the first remote relay, that the target matches at least a portion of the pattern; and
transmitting the message string to the first client.

US Pat. No. 9,448,897

PROCESS FOR SELECTING AN AUTHORITATIVE NAME SERVER

VERISIGN, INC., Reston, ...

9. A non-transitory computer-readable medium having stored thereon executable instructions that, when executed by at least
one processor, cause the at least one processor to perform a method to:
determine that a server is non-responsive;
identify a set of servers associated with a same service provider as the service provider of the non-responsive server; and
update a memory to associate an indicator with each of the servers in the set of servers, the indicator indicating the set
of servers should not be tried.

US Pat. No. 9,563,672

NXD QUERY MONITOR

VERISIGN, INC., Reston, ...

1. A computer-implemented method, comprising:
monitoring, using a computing apparatus, non-existent domain (NXD) queries including a brand domain;
determining, using the computing apparatus, whether a predetermined number of the NXD queries include a lower-level domain
that matches a predetermined keyword;

calculating a variance from a normal volume range of NXD queries in a time period;
adjusting the normal volume range of NXD queries based on a calendar event;
determining that the variance from the normal volume range of NXD queries in the time period is greater than a predetermined
threshold; and

initiating an action related to registration of a domain name including the predetermined keyword when it is determined that
the predetermined number of NXD queries include the lower-level domain that matches the predetermined keyword and wherein
the action is initiated when it is determined that the variance from the normal volume range of NXD queries in the time period
is greater than the predetermined threshold.
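The claim combines two tests before acting: enough NXD queries under the brand domain carry the keyword as a lower-level label, and the period's NXD volume sits outside a normal range that has been adjusted for a calendar event. The block below is an added example written for this page, not Verisign's monitor. The normal range is taken as mean plus or minus two standard deviations of past periods, a calendar event is modelled as a multiplier on that range, and the history and query names are constructed.

```python
import statistics

def keyword_hits(nxd_queries, brand_domain, keyword):
    """Count NXD names under brand_domain whose lower-level labels include keyword."""
    brand, keyword = brand_domain.lower(), keyword.lower()
    hits = 0
    for qname in nxd_queries:
        qname = qname.lower().rstrip(".")
        if qname.endswith("." + brand):
            lower_labels = qname[: -len(brand) - 1].split(".")
            hits += keyword in lower_labels
    return hits

def normal_range(history, k=2.0):
    """Normal volume range from past periods: mean +/- k population std devs."""
    mean, sd = statistics.fmean(history), statistics.pstdev(history)
    return mean - k * sd, mean + k * sd

def adjust_for_calendar(rng, multiplier):
    """Scale the range for a calendar event (assumption: a launch or holiday is
    modelled as a multiplier on expected volume)."""
    lo, hi = rng
    return lo * multiplier, hi * multiplier

def variance_from_range(volume, rng):
    """How far the period's volume falls outside the range (0 when inside)."""
    lo, hi = rng
    return max(volume - hi, lo - volume, 0.0)

def should_act(nxd_queries, brand_domain, keyword, history,
               calendar_multiplier=1.0, min_keyword_hits=25, variance_threshold=20.0):
    """Both conditions must hold: enough keyword-bearing NXD queries and a
    volume variance beyond threshold against the calendar-adjusted range."""
    hits = keyword_hits(nxd_queries, brand_domain, keyword)
    rng = adjust_for_calendar(normal_range(history), calendar_multiplier)
    variance = variance_from_range(len(nxd_queries), rng)
    return hits >= min_keyword_hits and variance > variance_threshold, hits, variance

# Constructed data: five past periods of NXD volume, then the current period.
HISTORY = [100, 120, 110, 105, 115]
CURRENT = ["login.brand.example"] * 30 + [f"h{i}.brand.example" for i in range(130)]
```

With the plain range the 160-query period is about 36 above the upper bound and the 30 "login" hits trigger the action; declaring a calendar event with a 1.5x multiplier moves the range up and the same data no longer acts, which is the point of the adjustment step.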

US Pat. No. 9,473,520

SYSTEMS AND METHODS FOR INCUBATING MALWARE IN A VIRTUAL ORGANIZATION

VERISIGN, INC., Reston, ...

1. A system for tracking malware operator behavior patterns in a network environment simulated for an extended period of time,
comprising:
a non-transitory memory storing instructions; and
a processor device executing the instructions to cause the system to perform a method comprising:
receiving organizational data that describes a virtual organization, wherein the organizational data comprises a plurality
of simulated users that are logged into a plurality of simulated machines;

creating user profiles for the plurality of simulated users using career detail information obtained from searching a website
so that the user profiles are compatible with the virtual organization;

providing, using the processor device, a simulated computer network of the virtual organization based at least partially on
the organizational data and the user profiles, wherein after the simulated computer network is provided, at least one malware
is installed on the simulated computer network to create an incubator;

monitoring one or more interactions between the simulated computer network and an operator of the malware, wherein the one
or more interactions comprise the operator of the malware illicitly gathering information related to the user profiles; and

building a malware operator profile that characterizes the operator of the malware based on the one or more interactions.

US Pat. No. 9,363,288

PRIVACY PRESERVING REGISTRY BROWSING

Verisign, Inc., Reston, ...

1. A method for preserving privacy of a domain name related request, comprising:
receiving, at a computer, a client computer request for information related to a domain name, wherein the request comprises
at least one tokenized string representing the domain name, wherein the tokenized string was tokenized by a first tokenizing
authority computer different from the client computer and operatively coupled to the client computer through a network, wherein
the tokenized string was tokenized by a tokenizing authority computer at least in part by application of a cryptographic function,
wherein the request comprises a request to determine domain name registration availability;

comparing, via the computer, the at least one tokenized string to the store of tokenized strings, wherein the tokenized terms
have been tokenized by a second tokenizing authority based on a tokenizing function equivalent to a tokenizing function of
the first tokenizing authority, wherein the second tokenizing authority computer is different from the client computer and
from the store of tokenized strings;

determining if the at least one tokenized string is contained in the store of tokenized strings; and
returning an indication whether the at least one tokenized string is contained in the store of tokenized strings.
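The claim has a client ask about a domain by sending only a token produced by one tokenizing authority, and the registry comparing it against a store that a second, equivalent authority filled. The added example below (written for this page, not Verisign's implementation) uses HMAC-SHA256 with a key shared only by the two authorities as the cryptographic function; the key, the registered names and the canonicalisation rule are assumptions. The practitioner's point it makes: a keyed function is what stops the registry, or anyone holding the token store, from running candidate names through a plain hash to recover what was asked, and both authorities must canonicalise names identically or tokens will never match.

```python
import hmac
import hashlib
import unicodedata

def canonical(domain):
    """Both authorities must canonicalise identically or tokens will not match."""
    return unicodedata.normalize("NFC", domain.strip().rstrip(".").lower()).encode("utf-8")

class TokenizingAuthority:
    """Keyed tokenization (assumption: HMAC-SHA256 as the cryptographic function).
    The key never reaches the registry, so the registry cannot dictionary-attack
    tokens to learn which names clients asked about."""
    def __init__(self, key):
        self._key = key

    def tokenize(self, domain):
        return hmac.new(self._key, canonical(domain), hashlib.sha256).hexdigest()

class Registry:
    """Holds tokens only and answers membership without seeing plaintext names."""
    def __init__(self, tokens):
        self._store = frozenset(tokens)

    def is_registered(self, token):
        return token in self._store

SHARED_KEY = b"key-shared-by-the-two-authorities-only"         # constructed
FIRST_AUTHORITY = TokenizingAuthority(SHARED_KEY)              # serves the client
SECOND_AUTHORITY = TokenizingAuthority(SHARED_KEY)             # fills the store
REGISTERED_NAMES = ["example.com", "verisign.com", "xn--bcher-kva.example"]  # constructed

def build_registry():
    return Registry(SECOND_AUTHORITY.tokenize(n) for n in REGISTERED_NAMES)

def check_availability(registry, domain):
    """Client path: tokenise through the first authority, send only the token."""
    return not registry.is_registered(FIRST_AUTHORITY.tokenize(domain))
```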

US Pat. No. 9,535,971

METHOD AND SYSTEM FOR AUDITING TRANSACTION DATA FROM DATABASE OPERATIONS

VERISIGN, INC., Reston, ...

1. A method, implemented by at least one processor, for validating domain name system (DNS) registry transaction data, the
method comprising:
receiving, by the at least one processor, transaction data associated with a DNS registry database, wherein the transaction
data is associated with DNS registry operations comprising at least one of: adding an Internet domain name, deleting an Internet
domain name, renewing an Internet domain name, modifying an Internet domain name, restoring an Internet domain name, transferring
an Internet domain name, adding an Internet domain name server, deleting an Internet domain name server, or modifying an Internet
domain name server;

obtaining one or more profiles from a profile database communicatively coupled with the DNS registry, wherein the one or more
profiles comprise metadata describing one or more DNS registry operations comprising at least: adding an Internet domain name,
deleting an Internet domain name, renewing an Internet domain name, modifying an Internet domain name, restoring an Internet
domain name, transferring an Internet domain name, adding an Internet domain name server, deleting an Internet domain name
server, and modifying an Internet domain name server;

comparing, by the processor, the transaction data to the one or more profiles, wherein an alert is generated for transactions
that do not match at least one of the one or more profiles; and

determining, based on the one or more profiles, whether the transaction data is supposed to correlate with log data, wherein,
for transaction data that is not supposed to correlate with log data, providing an indication that the transaction data is
valid, and wherein, for transaction data that is supposed to correlate with log data:

receiving, by the processor, log data associated with the transaction data; and
correlating the transaction data with the log data associated with the transaction data, wherein a chain of custody is established
for transaction data that correlates with the log data associated with the transaction data, and wherein an alert is generated
for transaction data that is supposed to correlate with log data but does not correlate with the log data associated with
the transaction data, indicating that at least one transaction represented by the transaction data is potentially invalid.
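The claim describes a two-stage audit: each registry transaction must match a profile for its operation, and for operations whose profile says so it must also correlate with an independent log entry to establish chain of custody. The block below is an added example written for this page, not Verisign's auditing system: the profiles (required fields and whether a log is expected), the transaction feed and the log feed are constructed, and correlation is by transaction id plus a consistency check on operation and domain.

```python
# Profiles (assumption): required fields per registry operation and whether a
# matching log entry is expected for chain of custody.
PROFILES = {
    "add_domain":      {"fields": {"domain", "registrar", "period"}, "log_required": True},
    "delete_domain":   {"fields": {"domain", "registrar"}, "log_required": True},
    "renew_domain":    {"fields": {"domain", "registrar", "period"}, "log_required": False},
    "transfer_domain": {"fields": {"domain", "registrar", "gaining_registrar"}, "log_required": True},
    "add_nameserver":  {"fields": {"host", "registrar"}, "log_required": False},
}

def audit(transactions, log_entries):
    """Return (txn_id, verdict, reason) per transaction: ALERT on profile
    mismatch or on missing/inconsistent log correlation, VALID otherwise."""
    logs_by_txn = {entry["txn_id"]: entry for entry in log_entries}
    results = []
    for txn in transactions:
        profile = PROFILES.get(txn.get("op"))
        if profile is None or not profile["fields"] <= set(txn):
            results.append((txn["txn_id"], "ALERT", "no matching profile"))
            continue
        if not profile["log_required"]:
            results.append((txn["txn_id"], "VALID", "no log correlation expected"))
            continue
        entry = logs_by_txn.get(txn["txn_id"])
        if entry and entry["op"] == txn["op"] and entry.get("domain") == txn.get("domain"):
            results.append((txn["txn_id"], "VALID", "chain of custody established"))
        else:
            results.append((txn["txn_id"], "ALERT", "log entry missing or inconsistent"))
    return results

# Constructed transaction feed and log feed.
TRANSACTIONS = [
    {"txn_id": "T1", "op": "add_domain", "domain": "example.com", "registrar": "R-1", "period": 1},
    {"txn_id": "T2", "op": "delete_domain", "domain": "old.example", "registrar": "R-2"},
    {"txn_id": "T3", "op": "renew_domain", "domain": "example.net", "registrar": "R-1", "period": 2},
    {"txn_id": "T4", "op": "transfer_domain", "domain": "example.org", "registrar": "R-1"},
    {"txn_id": "T5", "op": "add_domain", "domain": "example.info", "registrar": "R-3", "period": 1},
]
LOGS = [
    {"txn_id": "T1", "op": "add_domain", "domain": "example.com"},
    {"txn_id": "T5", "op": "add_domain", "domain": "other.info"},   # domain disagrees with T5
]
```

T2 is the case that matters operationally: a deletion with no log trail is exactly the transaction an insider or a bug would produce, and it is reported as an alert rather than silently passing because its profile says a log is expected. T4 fails before correlation because the transfer lacks the gaining registrar its profile requires.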

US Pat. No. 9,455,880

METHOD AND SYSTEM FOR INTELLIGENT ROUTING OF REQUESTS OVER EPP

VERISIGN, INC., Reston, ...

1. A computer-implemented method for routing requests received using an Extensible Provisioning Protocol (EPP), the method
comprising:
receiving, from a requestor, a request to connect to a domain name system (DNS)-related service via the EPP, the request including
extensible markup language (XML), wherein the XML includes information about the DNS-related service to which the request
is directed;

analyzing the XML to determine XML namespace information;
determining the DNS-related service to which the request is directed based at least in part on the XML namespace information;
and

routing the request to the DNS-related service thereby providing the requestor access to the DNS-related service.
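Routing an EPP request by XML namespace means looking past the generic `<epp>`/`<command>`/verb wrapper to the namespace of the object element. The added example below (written for this page, not Verisign's router) does that with the standard library parser; the namespace URIs are the real RFC 5730 to 5733 ones, while the service names and the sample document are constructed. Two checks a practitioner would insist on are included: only explicitly listed namespaces are routable (an unknown namespace is rejected, never defaulted), and the parser should be hardened for untrusted XML (defusedxml in production).

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
# Assumption: namespace URI -> backend service. Only listed namespaces are routable.
ROUTES = {
    "urn:ietf:params:xml:ns:domain-1.0": "domain-service",
    "urn:ietf:params:xml:ns:host-1.0": "host-service",
    "urn:ietf:params:xml:ns:contact-1.0": "contact-service",
}
NON_OBJECT = {f"{{{EPP_NS}}}clTRID", f"{{{EPP_NS}}}extension"}

def _namespace(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""

def object_namespace(xml_bytes):
    """Namespace of the object element under <command>/<verb>.
    Raises ValueError for anything that is not a well-formed EPP command."""
    root = ET.fromstring(xml_bytes)   # production: parse with defusedxml instead
    if root.tag != f"{{{EPP_NS}}}epp":
        raise ValueError("not an EPP document")
    command = root.find(f"{{{EPP_NS}}}command")
    if command is None:
        raise ValueError("no <command> element")
    for verb in command:
        if verb.tag in NON_OBJECT or _namespace(verb.tag) != EPP_NS:
            continue
        objects = list(verb)
        if not objects:
            raise ValueError(f"verb {verb.tag} carries no object element")
        return _namespace(objects[0].tag)
    raise ValueError("no verb element in <command>")

def route(xml_bytes):
    """Map the request to a service; unknown namespaces are refused, not defaulted."""
    ns = object_namespace(xml_bytes)
    try:
        return ROUTES[ns]
    except KeyError:
        raise ValueError(f"unroutable namespace {ns!r}") from None

# Constructed request: a domain <check> command.
DOMAIN_CHECK = b"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <command>
    <check>
      <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.com</domain:name>
      </domain:check>
    </check>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>"""
```

Session commands such as `<login>` have no object namespace (their children are in the EPP namespace itself) and are refused by `route`; they belong to the session layer in front of the router rather than to any DNS-related service.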

US Pat. No. 9,202,513

SYSTEMS AND METHODS FOR PROVIDING ACCESS TO RESOURCES THROUGH ENHANCED SIGNALS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for providing access to a resource via an enhanced signal, the method comprising:
receiving, by a computing device from a registration server, a resource identifier for encoding within a signal, the resource
identifier including a set of pre-defined policies for file management on a user device within a secure zone, wherein the
set of pre-defined policies for file management include disallowing email forwarding;

encoding, by the computing device, the received resource identifier to create an encoded resource identifier;
embedding, by the computing device, the encoded resource identifier within the signal to create the enhanced signal; and
broadcasting the enhanced signal to one or more user devices within the secure zone.

US Pat. No. 9,219,769

EFFICIENT MULTIPLE FILTER PACKET STATISTICS GENERATION

VERISIGN, INC., Reston, ...

1. A method for managing data streams, comprising:
receiving a data stream on at least one network interface card;
performing operations on the data stream using a first process running a plurality of first threads for the at least one network
interface card, the operations comprising:

distributing at least some portions of the data stream among a plurality of buffers for processing by the plurality of first
threads,

reading the at least some portions of the data stream from the plurality of buffers using separate multiple dedicated first
process threads;

filtering the at least some portions of the data stream read from the plurality of buffers using the separate multiple dedicated
first process threads;

processing the at least some portions of the data stream with the separate multiple dedicated first process threads; and
storing the at least some portions of the data stream that are processed in one of a plurality of dedicated shared memories;
performing operations on the at least some portions of the data stream that are processed using at least one group of second
multiple processes with at least one group of second threads,

wherein the first process and the at least one group of second multiple processes are independent and communicate via the
shared memory;

wherein the plurality of first threads for the network interface cards are different than the at least one group of second
threads; and

wherein the performing operations on the at least some portions of the data stream that are processed using at least one group
of second multiple processes with at least one group of second threads includes analyzing the at least some portions of the
data stream and generating statistical information based on the analyzing.

US Pat. No. 9,779,238

CLASSIFYING MALWARE BY ORDER OF NETWORK BEHAVIOR ARTIFACTS

VERISIGN, INC., Reston, ...

1. A computer-implemented method of determining whether an executable file is malware by using network behavioral artifacts,
the method comprising:
generating network behavioral artifacts for each executable file included in a training corpus comprising one or more executable
files classified as benign and one or more executable files classified as malware;

assigning, by an electronic hardware processor, for each executable file included in the training corpus, a respective string
of character sets to represent the network behavioral artifacts generated for the executable file;

forming, for each executable file included in the training corpus, a respective feature vector based on the respective string
of character sets, wherein the respective feature vector indicates, for each contiguous character substring included in a
plurality of contiguous character substrings, how many instances of the contiguous character substring appear in the respective
string of character sets;

training a machine learning system based on the respective feature vectors;
generating a feature vector for an unknown executable file;
classifying, by the machine learning system, the unknown executable file as one of likely benign and likely malware based
on the feature vector for the unknown executable file; and

outputting the classification of the unknown executable file.

US Pat. No. 9,569,753

HIERARCHICAL PUBLISH/SUBSCRIBE SYSTEM PERFORMED BY MULTIPLE CENTRAL RELAYS

VERISIGN, INC., Reston, ...

1. A method for transmitting messages in a publish/subscribe message system, the method comprising:
receiving, at a central relay of a first group of more than one co-located central relays, a subscription request from a first
remote relay on behalf of a first client;

recording, at the central relay of the first group, subscription information of the first client based on the subscription
request;

receiving, at the central relay of the first group of more than one co-located central relays, a publication request from
a second remote relay on behalf of a second client, wherein the publication request includes a message;

recording, at the central relay, publication information from the message;
transmitting, by the central relay, the publication information to other members of the first group of co-located central
relays and to each member of a second group of more than one co-located central relays in a different geographic location than
the first group; and

transmitting the message to the first client.

US Pat. No. 9,489,514

CLASSIFYING MALWARE BY ORDER OF NETWORK BEHAVIOR ARTIFACTS

VERISIGN, INC., Reston, ...

1. A method of determining whether an executable file is malware by using network behavioral artifacts, the method comprising:
identifying a training corpus comprising a plurality of benign executable files and a plurality of malware executable files;
associating, by an electronic hardware processor, each of a plurality of network behavioral artifacts with a respective character
set;

assigning, by an electronic hardware processor, each executable file from the training corpus a respective string of character
sets, wherein each string of character sets represents temporally ordered network behavior artifacts of a respective executable
file from the training corpus, whereby a plurality of strings of character sets is obtained;

obtaining, by an electronic hardware processor, for each of the plurality of strings of character sets and for a fixed n>1,
a respective set of contiguous substrings of length n;

ordering, by an electronic hardware processor, a union of the respective sets of contiguous substrings of length n, whereby
an ordered universe of contiguous substrings of length n is obtained;

forming, for each executable file from the training corpus and by an electronic hardware processor, a respective feature vector,
wherein each respective feature vector comprises a tally list comprising counts of contiguous substrings of length n in the
respective set of contiguous n-grams for the respective executable file from the training corpus, whereby a plurality of feature
vectors is obtained;

classifying, by an electronic hardware processor, each respective feature vector of the plurality of feature vectors as associated
with either a benign executable file or a malware executable file from the training corpus, whereby a set of classified feature
vectors is obtained;

training a machine learning system with the set of classified feature vectors, wherein the machine learning system comprises
an electronic hardware processor;

identifying an unknown executable file;
generating, by an electronic hardware processor, a feature vector for the unknown executable file;
submitting the feature vector for the unknown executable file to the machine learning system;
obtaining, by an electronic hardware processor, a classification of the unknown executable file as one of likely benign and
likely malware; and

outputting, by an electronic hardware processor, the classification of the unknown executable file.
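Both of the "classifying malware by order of network behavior artifacts" claims above (US 9,779,238 and US 9,489,514) turn a temporally ordered sequence of network artifacts into a string, count length-n substrings over an ordered universe, and train a classifier on those count vectors. The block below is an added example for this page, not Verisign's system: the artifact-to-character map, the training traces and the choice of a small multinomial naive Bayes (the claims leave the learning system unspecified) are all assumptions. It keeps order in the features, which is the point of using n-grams rather than a bag of artifacts.

```python
import math
from collections import Counter

# Artifact -> character (assumption: one character per artifact kind).
ARTIFACT_CHARS = {"dns_query": "d", "dns_nxdomain": "n", "tcp_connect": "t",
                  "tls_handshake": "s", "http_get": "g", "http_post": "p",
                  "irc_join": "i", "smtp_send": "m"}

def artifacts_to_string(trace):
    """Temporally ordered artifacts -> string, so order survives into the n-grams."""
    return "".join(ARTIFACT_CHARS[a] for a in trace)

def ngrams(s, n):
    return [s[i:i + n] for i in range(len(s) - n + 1)]

def build_universe(strings, n):
    """Ordered union of all length-n substrings: the feature index."""
    return sorted({g for s in strings for g in ngrams(s, n)})

def feature_vector(s, universe, n):
    """Tally of each universe n-gram in s; n-grams unseen in training are dropped."""
    counts = Counter(ngrams(s, n))
    return [counts[g] for g in universe]

class MultinomialNB:
    """Small multinomial naive Bayes with add-alpha smoothing (assumption: stands
    in for the claims' unspecified machine learning system)."""
    def __init__(self, alpha=1.0):
        self.alpha, self.log_prior, self.log_lik = alpha, {}, {}

    def fit(self, vectors, labels):
        by_label = {}
        for v, y in zip(vectors, labels):
            by_label.setdefault(y, []).append(v)
        n_features = len(vectors[0])
        for y, vs in by_label.items():
            self.log_prior[y] = math.log(len(vs) / len(vectors))
            sums = [sum(col) for col in zip(*vs)]
            total = sum(sums) + self.alpha * n_features
            self.log_lik[y] = [math.log((c + self.alpha) / total) for c in sums]
        return self

    def predict(self, vector):
        scores = {y: self.log_prior[y] + sum(x * ll for x, ll in zip(vector, self.log_lik[y]))
                  for y in self.log_prior}
        return max(scores, key=scores.get)

# Constructed training corpus: ordered network artifacts per executable, labelled.
TRAINING = [
    (["dns_query", "tcp_connect", "tls_handshake", "http_get", "http_get"], "benign"),
    (["dns_query", "tcp_connect", "http_get", "dns_query", "tcp_connect",
      "tls_handshake", "http_get"], "benign"),
    (["dns_nxdomain", "dns_nxdomain", "dns_nxdomain", "dns_query", "tcp_connect",
      "http_post", "irc_join"], "malware"),
    (["dns_nxdomain", "dns_nxdomain", "dns_query", "tcp_connect", "irc_join", "smtp_send"], "malware"),
    (["dns_nxdomain", "dns_query", "tcp_connect", "http_post", "http_post", "irc_join"], "malware"),
]

def train(n=2):
    strings = [artifacts_to_string(t) for t, _ in TRAINING]
    universe = build_universe(strings, n)
    vectors = [feature_vector(s, universe, n) for s in strings]
    model = MultinomialNB().fit(vectors, [y for _, y in TRAINING])
    return model, universe

def classify_unknown(trace, model, universe, n=2):
    return "likely " + model.predict(feature_vector(artifacts_to_string(trace), universe, n))
```

A corpus this small only illustrates the pipeline; in practice the universe should be built from training data alone and evaluated on held-out samples, and the string alphabet should be large enough that distinct artifact kinds do not collide.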

US Pat. No. 9,299,386

SYSTEMS AND METHODS FOR PROVIDING ACCESS TO RESOURCES THROUGH ENHANCED AUDIO SIGNALS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for providing access to a resource, the method comprising:
concurrently receiving, by a microphone associated with a user device, a primary broadcast audio signal, the primary audio
signal including audio content for user consumption, and an enhanced broadcast audio signal, the enhanced broadcast audio
signal including a resource identifier that is encoded in the enhanced broadcast audio signal, wherein the resource identifier
is associated with the resource and wherein the enhanced broadcast audio signal further includes authentication information
to authenticate the resource;

detecting, by the user device, the resource identifier within the enhanced broadcast audio signal;
extracting, via a processor, the resource identifier from the enhanced broadcast audio signal;
transmitting, to a resolution server, a request for access information, wherein the request includes the resource identifier
that was extracted from the enhanced broadcast audio signal and location information;

receiving, from the resolution server, the requested access information for accessing the resource via the network;
authenticating the resource with the resolution server based on the authentication information; and
retrieving, by the user device, the resource using the received access information.

US Pat. No. 9,083,695

CONTROL AND MANAGEMENT OF ELECTRONIC MESSAGING

VERISIGN, INC., Reston, ...

1. A computer-implemented method comprising:
creating, by a processor, a velocity record for a message that indicates a rate at which digital signatures are created at
a time when the velocity record is created; and

sending the velocity record to a recipient.

US Pat. No. 9,323,859

DYNAMIC CLIENT SIDE NAME SUGGESTION SERVICE

VERISIGN, INC., Reston, ...

1. A method, performed by a processor, for providing Internet domain name suggestions, comprising:
opening a web page on a browser in response to a user selection of a link, wherein the web page includes visible content;
automatically parsing the web page;
obtaining at least one keyword from the parsing;
generating a first query from the at least one keyword;
generating a plurality of domain name suggestions based at least on the first query;
determining a plurality of domain traffic scores for the plurality of domain name suggestions;
providing ranked domain name suggestions that includes one or more of the plurality of domain name suggestions ranked based
on the plurality of domain traffic scores associated with the plurality of domain name suggestions;

displaying one or more of the ranked domain name suggestions;
receiving a user-highlighted portion of the visible content of the web page displayed during the parsing;
refining the first query with one or more keywords derived from the user-highlighted portion of the visible content to generate
a second query, wherein the user-highlighted portion of the visible content comprises at least one of a title of the web page,
text in the web page, an image in the web page, or an advertisement in the web page;

generating one or more domain name suggestions based on the second query; and
providing the one or more domain name suggestions.

US Pat. No. 9,405,905

SYSTEMS AND METHODS FOR IDENTIFYING ASSOCIATIONS BETWEEN MALWARE SAMPLES

VERISIGN, INC., Reston, ...

1. A method, performed by a processor, for identifying associations between binary samples, comprising:
receiving a plurality of binary samples;
determining one or more file types associated with the plurality of binary samples;
extracting type-specific metadata from the plurality of binary samples, the type-specific metadata for a binary sample from
the plurality of binary samples including a set of attributes of the binary sample that are unique for a file type associated
with the binary sample;

identifying a set of associations between the plurality of binary samples based on the extracted metadata, each association
characterized by at least one attribute in the set of attributes that the associated binary samples have in common;

receiving a reference sample corresponding to a known malware sample;
identifying that the reference sample is associated with at least one binary sample among the plurality of binary samples;
generating data corresponding to a malware alert in response to identifying that the reference sample is associated with the
at least one binary sample;

communicating the data to a front-end system; and
generating, at the front-end system, a display corresponding to the malware alert using the data.

US Pat. No. 9,811,599

METHODS AND SYSTEMS FOR PROVIDING CONTENT PROVIDER-SPECIFIED URL KEYWORD NAVIGATION

VERISIGN, INC., Reston, ...

1. An apparatus for retrieving a webpage associated with a domain-specific keyword, comprising:
a memory; and
a processor communicatively coupled to the memory, the processor being configured to:
receive an instruction from a client to request a first resource defined by a first URL, wherein the first URL includes a
keyword in the form of a fragment identifier, wherein the keyword is specified by the client;

send a first HTTP request to a first web server associated with a domain specified by the first URL;
receive a first HTTP response from the first web server, wherein the first HTTP response communicates a client-executable
program; and

execute the client-executable program upon receipt without further client input, wherein executing the client-executable program
comprises:

determining a second URL associated with the first URL, the second URL being associated with a target page and being established
by a third party not associated with the domain.

US Pat. No. 9,552,281

UTILIZING A TEST AUTOMATION TOOL IN A TEST AUTOMATION ENVIRONMENT

VERISIGN, INC., Reston, ...

1. A method of providing a test environment, comprising:
accessing, via the test environment, a plurality of script files, in a plurality of scripting languages, coded to perform
a set of test operations, wherein the plurality of script files are accessed concurrently;

invoking a set of object-oriented handlers based on the set of test operations contained in the plurality of script files,
wherein invoking the set of object-oriented handlers comprises:

loading each scripting language of the plurality of scripting languages;
interfacing an object-oriented handler of the set of object-oriented handlers into each scripting language of the plurality
of scripting languages, wherein interfacing the object-oriented handler of the set of object-oriented handlers into each scripting
language of the plurality of scripting languages comprises creating a variable in the scripting language and loading a class
from the object-oriented handler;

bringing each object-oriented handler of the set of object-oriented handlers in scope;
establishing a handler object context for each object-oriented handler of the set of object-oriented handlers; and
loading classes required by one or more of the set of object-oriented handlers;
initiating the set of test operations using the set of object-oriented handlers;
determining that the set of test operations are complete; and
bringing each object-oriented handler of the set of object-oriented handlers out of scope by suspending each object-oriented
handler in response to determining that the set of test operations are complete.

US Pat. No. 9,577,910

SYSTEMS AND METHODS FOR CONFIGURING A PROBE SERVER NETWORK USING A RELIABILITY MODEL

VERISIGN, INC., Reston, ...

1. A method of managing a network, comprising:
accessing a network topology map for a network comprising a plurality of network components, wherein the plurality of network
components include a plurality of probe servers, a plurality of name servers, and a plurality of connections between the plurality
of probe servers and the plurality of name servers;

accessing a set of reliability data for the network;
providing a network model based on the network topology map and the set of reliability data, wherein the network model includes
the plurality of network components arranged according to a plurality of pyramids each containing (1) one name server of the
plurality of name servers at an apex of the pyramid, (2) two or more probe servers of the plurality of probe servers at a
base of the pyramid, and (3) two or more connections of the plurality of connections that connect the name server, without
any other of the plurality of name servers intervening, to the two or more probe servers;

generating network model results for the network based on the network model;
identifying, based on the network model results, a minimum number of probe servers for use in the plurality of probe servers
required to support a target service level to monitor the plurality of name servers; and

updating the network model to include the minimum number of probe servers required to support the target service level for
the network.

US Pat. No. 9,342,698

PROVIDING PRIVACY ENHANCED RESOLUTION SYSTEM IN THE DOMAIN NAME SYSTEM

VERISIGN, INC., Reston, ...

1. A non-transitory computer-readable medium encoded with instructions that, when executed on a processor, perform a method
of minimizing the disclosure of a domain name contained in a domain name system (DNS) query, the method comprising:
determining a first label and a second label associated with a domain name included in a domain name system (DNS) query;
querying a first nameserver for a first resource record type associated with the first label without revealing information
related to the second label by removing information related to the second label from the DNS query;

receiving a first response from the first nameserver, the first response including the first resource record type which directs
a resolver to a second nameserver;

querying the second nameserver for a second resource record type associated with the first label and the second label;
receiving a second response from the second nameserver, the second response including the second resource record type; and
transmitting at least the second resource record type in response to the DNS query.
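Added example, not from the patent and not Verisign code: the label-by-label resolution the claim describes, run against a constructed in-memory root / TLD / zone hierarchy so that the question each server actually receives can be inspected. A classic resolver that sends the full name to every server is shown beside it for contrast. Server names, zone data and the query log are all constructed; the same idea was later standardised as QNAME minimisation in RFC 7816.

```python
"""Query-name minimisation against a constructed root / TLD / zone hierarchy.

Added example, not Verisign code. Every server, record and address below is
constructed (RFC 5737 documentation addresses) so the example runs offline.
"""
from typing import Dict, List, Tuple

# Each constructed server holds authoritative records and, for names it has
# delegated, the NS names of the child server.
SERVERS: Dict[str, Dict] = {
    ".": {"auth": {}, "delegations": {"com.": ["a.gtld"]}},
    "a.gtld": {"auth": {}, "delegations": {"example.com.": ["ns1.example"]}},
    "ns1.example": {
        "auth": {
            ("example.com.", "NS"): ["ns1.example"],
            ("www.example.com.", "A"): ["192.0.2.10"],
            # lab.example.com. exists only as an empty non-terminal.
            ("host.lab.example.com.", "A"): ["192.0.2.20"],
        },
        "delegations": {},
    },
}

# Every (server, qname, qtype) sent, so a test can see what each server learned.
QUERY_LOG: List[Tuple[str, str, str]] = []


def ancestors(name: str) -> List[str]:
    """'www.example.com.' -> ['com.', 'example.com.', 'www.example.com.']"""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def send_query(server: str, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Constructed stand-in for one DNS exchange with one nameserver.

    Returns ('answer', rdata) for authoritative data, ('referral', ns_names)
    for the closest enclosing delegation, or ('nodata', []).
    """
    QUERY_LOG.append((server, qname, qtype))
    srv = SERVERS[server]
    if (qname, qtype) in srv["auth"]:
        return "answer", srv["auth"][(qname, qtype)]
    for enclosing in reversed(ancestors(qname)):  # longest match first
        if enclosing in srv["delegations"]:
            return "referral", srv["delegations"][enclosing]
    return "nodata", []


def resolve_naive(name: str, qtype: str) -> List[str]:
    """Classic behaviour: the full question reaches every server on the path."""
    server = "."
    for _ in ancestors(name):  # bounds the referral chase
        kind, data = send_query(server, name, qtype)
        if kind != "referral":
            return data
        server = data[0]
    return []


def resolve_minimised(name: str, qtype: str) -> List[str]:
    """Reveal one more label per hop: ask each server only for the NS of the
    shortest name it has not yet been asked about, then send the full
    question to the last server referred to."""
    server = "."
    for partial in ancestors(name)[:-1]:
        kind, data = send_query(server, partial, "NS")
        if kind == "referral":
            server = data[0]
        # 'answer' (zone apex) or 'nodata' (empty non-terminal): the partial
        # name lives in the current zone, so stay here and add the next label.
    kind, data = send_query(server, name, qtype)
    return data if kind == "answer" else []


def names_seen_by(server: str) -> List[str]:
    """Which query names a given server received (the privacy measurement)."""
    return [qname for s, qname, _ in QUERY_LOG if s == server]
```

With the naive resolver the root and the TLD server both see `www.example.com.`; with the minimised walk the root sees only `com.` and the TLD server only `example.com.`. The empty-non-terminal case (`lab.example.com.`) is the one that trips real deployments: the authoritative server answers NODATA rather than a referral, and the resolver must stay on that server and keep adding labels rather than treat the answer as a failure.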

US Pat. No. 9,235,829

HIERARCHICAL PUBLISH/SUBSCRIBE SYSTEM

VERISIGN, INC., Reston, ...

1. A method for publishing a message, the method comprising:
receiving, at a first relay, a subscription request from a first client, wherein the subscription request includes a target;
recording, at the first relay, subscription information of the first client based on the subscription request;
receiving, at the first relay, a publication request from a second client, wherein the publication request includes a message
string characterized by a pattern;

determining, by the first relay, that the second client is not on a black list of clients stored at the first relay;
determining, by the first relay, that the target matches at least a portion of the pattern;
determining, by the first relay, that the publication request is a local publication request based on a predetermined policy
rule, wherein the local publication request is a publication request for one or more clients connected to the first relay,
wherein the predetermined policy rule comprises one or more of: designating publication requests from a particular set of
one or more clients as local publication requests, or designating publication messages having a specific pattern as local
publication requests; and

transmitting the message string to the first client based on the determining that the publication request is a local publication
request.

US Pat. No. 9,197,487

HIGH PERFORMANCE DNS TRAFFIC MANAGEMENT

VERISIGN, INC., Reston, ...

1. A method, implemented using a computing system, for managing network traffic, the method comprising:
receiving a request from a requestor, the request including a domain name and resource record type;
looking up, using the computing system, an initial traffic management rule in at least one table, using the domain name and
resource record type as a search key, wherein the initial traffic management rule specifies a first variable that affects
the initial traffic management rule;

iterating, based on the initial traffic management rule, until an answer to the request is found, wherein the iterating comprises:
determining, using the computing system, a value for another variable specified in a successive traffic management rule obtained
from the at least one table; and looking up, using the computing system, in the at least one table the answer or another successive
traffic management rule using the domain name and the value for the another variable of the successive traffic management
rule as a search key, wherein the at least one table includes a plurality of indicators relating the initial traffic management
rule, the successive traffic management rule, and the another successive traffic management rule, wherein the initial traffic
management rule, the successive traffic management rule, and the another successive traffic management rule correspond to
different traffic management scenarios; and providing the answer to the requestor.

US Pat. No. 9,047,589

HIERARCHICAL PUBLISH AND SUBSCRIBE SYSTEM

VERISIGN, INC., Reston, ...

1. A computer-implemented method of subscribing and publishing a publication message, the method comprising
receiving a first subscription request at a remote relay from a first client, wherein the first subscription request includes
a target;

transmitting a subscription message from the remote relay to a single one of a plurality of central relays based on the first
subscription request, wherein the transmitting includes the remote relay subscribing to the single one of a plurality of central
relays on behalf of the first client and wherein the subscription message includes the target;

entering a subscription, at the single one of a plurality of central relays, based on the received subscription message and
not forwarding the received subscription message;

receiving a publication message at the remote relay from a second client, wherein the publication message includes a pattern;
transmitting the publication message to each of the central relays of the plurality of central relays;
determining, by the remote relay, that the target from the subscription request matches at least a portion of the pattern
in the publication message; and

transmitting at least a portion of the publication message from the remote relay to the first client.

US Pat. No. 9,531,603

RECONCILING INTERNET DNS ZONE FILE CHANGES WITH ORIGIN CHANGE REQUESTS

VERISIGN, INC., Reston, ...

1. A method for monitoring Domain Name System (DNS) zone file changes, the method comprising:
obtaining at least one zone change request;
parsing the at least one zone change request to obtain at least one change request unit, wherein each change request unit
constitutes a single executable instruction;

obtaining a last published zone file;
obtaining an unpublished new zone file;
comparing the last published zone file to the new zone file to obtain at least one difference object, wherein the at least
one difference object identifies a DNS record type, a DNS record, and a difference type;

matching the at least one difference object to the at least one change request unit to identify at least one unmatched difference
object;

providing a human readable report comprising an indication of the at least one unmatched difference object.
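Added example, not from the patent and not Verisign code: the reconciliation the claim describes, carried out on two constructed zone snapshots and a constructed one-line change-request format (`ADD|DEL owner TYPE RDATA`). Every difference between the published and the unpublished zone becomes a difference object (record type, record, added/removed); each is matched against a change request unit, and whatever no request explains goes into the report. The SOA serial is skipped because it legitimately changes on every publish; that exclusion, like the request format, is an assumption of this example.

```python
"""Reconcile DNS zone file changes with the change requests that should explain them.

Added example, not Verisign code. The zone snapshots, the one-line change
request format ('ADD|DEL owner TYPE RDATA') and the report layout are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

Record = Tuple[str, str, str]  # (owner, rrtype, rdata); TTL is not compared

# The SOA serial changes on every publish, so SOA differences are expected
# and would otherwise appear in every report.
IGNORED_TYPES = {"SOA"}


@dataclass(frozen=True)
class DifferenceObject:
    rrtype: str
    record: Record
    diff_type: str  # 'added' or 'removed'


def parse_zone(text: str) -> Set[Record]:
    """Minimal parser for one-record-per-line 'owner TTL IN TYPE RDATA' text."""
    records: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
        records.add((owner, rrtype, " ".join(rdata.split())))
    return records


def diff_zones(published: Set[Record], new: Set[Record]) -> List[DifferenceObject]:
    """One difference object per record present in only one of the two files."""
    diffs = [DifferenceObject(r[1], r, "removed") for r in sorted(published - new)]
    diffs += [DifferenceObject(r[1], r, "added") for r in sorted(new - published)]
    return [d for d in diffs if d.rrtype not in IGNORED_TYPES]


def parse_change_requests(text: str) -> Set[Tuple[str, Record]]:
    """Each line is one change request unit, i.e. a single executable instruction."""
    units: Set[Tuple[str, Record]] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        op, owner, rrtype, rdata = line.split(None, 3)
        diff_type = {"ADD": "added", "DEL": "removed"}[op]
        units.add((diff_type, (owner, rrtype, " ".join(rdata.split()))))
    return units


def reconcile(diffs: List[DifferenceObject],
              units: Set[Tuple[str, Record]]) -> Tuple[List[DifferenceObject], list]:
    """Return (differences no request explains, requests that took no effect)."""
    unmatched = [d for d in diffs if (d.diff_type, d.record) not in units]
    applied = {(d.diff_type, d.record) for d in diffs}
    unfulfilled = sorted(units - applied)
    return unmatched, unfulfilled


def report(unmatched: List[DifferenceObject]) -> str:
    """Human readable summary of the unexplained zone changes."""
    if not unmatched:
        return "All zone differences are explained by change requests."
    lines = [f"{len(unmatched)} zone change(s) with no matching change request:"]
    for d in unmatched:
        owner, rrtype, rdata = d.record
        lines.append(f"  {d.diff_type.upper():<7} {rrtype:<5} {owner} {rdata}")
    return "\n".join(lines)


def find_unmatched(published_text: str, new_text: str, requests_text: str):
    diffs = diff_zones(parse_zone(published_text), parse_zone(new_text))
    return reconcile(diffs, parse_change_requests(requests_text))


# Constructed sample: the mail host move was requested; the new MX was not.
PUBLISHED_ZONE = """
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
www.example.com.  300  IN A   192.0.2.10
mail.example.com. 300  IN A   192.0.2.25
"""
NEW_ZONE = """
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010102 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
www.example.com.  300  IN A   192.0.2.10
mail.example.com. 300  IN A   198.51.100.25
example.com.      300  IN MX  10 mail.example.com.   ; nobody asked for this
"""
CHANGE_REQUESTS = """
DEL mail.example.com. A 192.0.2.25
ADD mail.example.com. A 198.51.100.25
ADD ftp.example.com. A 192.0.2.30
"""

if __name__ == "__main__":
    unmatched, unfulfilled = find_unmatched(PUBLISHED_ZONE, NEW_ZONE, CHANGE_REQUESTS)
    print(report(unmatched))
    for diff_type, rec in unfulfilled:
        print(f"requested but not applied: {diff_type} {rec}")
```

The report here flags the MX record that appeared without a request, which is the case this kind of monitoring exists for (a change that bypassed the provisioning path). The second list, requests that produced no difference, is not in the claim but is the other half of the same control: a requested change that silently failed to publish is also worth a line in the report.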

US Pat. No. 9,769,189

SYSTEMS AND METHODS FOR BEHAVIOR-BASED AUTOMATED MALWARE ANALYSIS AND CLASSIFICATION

VERISIGN, INC., Reston, ...

1. A method of identifying malware, comprising:
accessing a set of samples, the set of samples comprising samples of different types of malware;
running the set of samples on one or more computer systems;
extracting, based on running the set of samples, a set of artifacts from the set of samples, wherein the set of artifacts
includes information associated with a registry or a memory;

determining a set of features from the set of artifacts for at least one sample in the set of samples;
selecting one of a set of algorithms based on one or more selection features or parameters;
analyzing the set of features using the one of the set of algorithms; and
identifying, based at least partially on analyzing the set of features, malware in the set of samples by at least one of classifying
or clustering samples in the set of samples into the different types of malware.

US Pat. No. 9,646,100

METHODS AND SYSTEMS FOR PROVIDING CONTENT PROVIDER-SPECIFIED URL KEYWORD NAVIGATION

VERISIGN, INC., Reston, ...

1. An apparatus for retrieving a webpage associated with a domain-specific keyword, comprising:
a memory; and
a processor communicatively coupled to the memory, the processor being configured to:
receive an instruction from a client to request a first resource defined by a first URL, wherein the first URL includes a
keyword in the form of a fragment identifier, wherein the keyword is specified by the client;

send a first HTTP request to a first web server associated with a domain specified by the first URL;
receive a first HTTP response from the first web server, wherein the first HTTP response includes a client-executable program;
and

execute the client-executable program upon receipt to, without user input:
determine, without user input, a second URL associated with the first URL by the client-executable program retrieving the
second URL from a keyword registry database based on matching the keyword and the domain to the second URL, the keyword registry
database comprising data mapping the keyword and the domain to the second URL, the second URL being associated with a target
page; and

provide, without user input, the second URL to the client.

US Pat. No. 9,578,125

SYSTEMS, DEVICES, AND METHODS FOR PROTECTING ACCESS PRIVACY OF CACHED CONTENT

Verisign, Inc., Reston, ...

1. A computer-implemented method, comprising:
receiving, at a device, a request for content from a first user device, wherein a cached version of the content is locally
stored at the device;

initiating, by a processor, a time delay based on a determination that the first user device has not previously requested
the content; and

transmitting the cached version of the content to the first user device after the time delay.
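Added example, not from the patent and not Verisign code: the timing side channel the claim addresses and the delay that closes it. A cache hit normally returns much faster than an origin fetch, so a requester who times the response for content they never asked for learns whether some other user did. The cache below remembers which requesters it has served each item to, and on a requester's first request for an already-cached item holds the response back for as long as the origin fetch took. The origin latency, requester names and the injectable clock are constructed so the behaviour can be checked without real sleeping.

```python
"""Shared cache that hides whether someone else already fetched an item.

Added example, not Verisign code. Origin latency, requester names and the
injectable clock are constructed so the behaviour can be checked offline.
"""
import time
from typing import Callable, Dict, List, Set, Tuple


class PrivacyPreservingCache:
    """On a requester's first request for an item that is already cached, the
    response is delayed by the time the origin fetch took, so a first-time hit
    is indistinguishable (by timing) from a miss. Repeat requests by the same
    requester are served immediately: they already know the item exists."""

    def __init__(self, origin_fetch: Callable[[str], bytes],
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self._origin_fetch = origin_fetch
        self._clock, self._sleep = clock, sleep
        self._cache: Dict[str, Tuple[bytes, float]] = {}  # key -> (content, fetch seconds)
        self._seen: Dict[str, Set[str]] = {}              # key -> requesters already served

    def get(self, requester: str, key: str) -> Tuple[bytes, float]:
        """Return (content, seconds this requester observed)."""
        start = self._clock()
        served_before = self._seen.setdefault(key, set())
        if key not in self._cache:
            content = self._origin_fetch(key)               # genuine miss
            self._cache[key] = (content, self._clock() - start)
        else:
            content, fetch_seconds = self._cache[key]
            if requester not in served_before:              # first request by this device
                self._sleep(fetch_seconds)                  # hit disguised as a miss
        served_before.add(requester)
        return content, self._clock() - start


class FakeClock:
    """Deterministic clock for the demo and tests: sleeping advances time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[float]:
    """Four requests in order; returns the latency each requester observed."""
    clock = FakeClock()

    def slow_origin(key: str) -> bytes:  # constructed origin taking 250 ms
        clock.sleep(0.25)
        return f"<html>{key}</html>".encode()

    cache = PrivacyPreservingCache(slow_origin, clock=clock, sleep=clock.sleep)
    sequence = [("alice", "/report.pdf"),  # miss: alice pays the origin latency
                ("bob", "/report.pdf"),    # hit, but bob's first request: delayed
                ("bob", "/report.pdf"),    # bob already knows: served at once
                ("alice", "/report.pdf")]  # alice already knows: served at once
    return [round(cache.get(who, what)[1], 3) for who, what in sequence]
```

Two caveats a practitioner would add. Replaying the single measured fetch time is the simplest choice; real origin latency jitters, so an attacker averaging many probes may still separate "replayed constant" from "live fetch", and adding jitter drawn from the observed fetch distribution is the usual refinement. And the per-item set of requesters the cache keeps is itself a record of who asked for what, so it needs the same retention and access controls as the access log it is protecting.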

US Pat. No. 9,344,446

SYSTEMS AND METHODS FOR MALWARE DETECTION AND SCANNING

VERISIGN, INC., Reston, ...

17. A non-transitory computer-readable medium containing instructions that, when executed by a computing device, cause the
computing device to perform a method to:
receive, at a virtual machine controller in the computing device, a malware scan request comprising a type and version of
an internet browser and one or more parameters, the one or more parameters comprising target uniform resource identifiers
(URIs), uniform resource locators (URLs), and/or uniform resource names (URNs) used to identify web pages upon which malware
scanning is to be performed, wherein at least two of the plurality of virtual machines are within a same domain or a same
netblock;

launch, by the virtual machine controller, a plurality of virtual machines in the computing device, in response to the received
malware scan request;

instruct, by the virtual machine controller, each of the plurality of virtual machines of the computing device to:
launch an internet browser of the type and version,
request data from a webserver hosting a web page over a network via the internet browser, wherein at least one of the plurality
of virtual machines that are within the same domain or the same netblock is rate-limited; and

perform, in the virtual machine of the computing device, analysis on the web page using one or more analysis tools;
receive, from each of the plurality of virtual machines, results of the performed analysis; and
store, in a storage, the results of the performed analysis for malware analysis.

US Pat. No. 9,300,684

METHODS AND SYSTEMS FOR STATISTICAL ABERRANT BEHAVIOR DETECTION OF TIME-SERIES DATA

VERISIGN, INC., Reston, ...

1. A computer-implemented method for detecting aberrant behavior in time-series data, comprising:
obtaining, via one or more processors, from a database associated with a Domain Name System (DNS) server, first time-series
observation data;

storing, via the one or more processors, in a round robin database and as an entry in a first layer of the round robin database,
a first value corresponding to a number of queries that occurred during a first time interval of a first length, wherein each
entry in the first layer of the round robin database corresponds to a time interval of the first length;

storing, via the one or more processors, in the round robin database and as an entry in the first layer of the round robin
database, a second value corresponding to a number of queries that occurred during a second time interval of the first length;

storing, via the one or more processors, in the round robin database and as an entry in a second layer of the round robin
database, a third value corresponding to a number of queries that occurred during a third time interval of a second length
larger than the first length, wherein:

each entry in the second layer of the round robin database corresponds to a time interval of the second length;
the third value comprises an aggregation of the first value and the second value; and
the third time interval comprises the first time interval and the second time interval;
determining, via the one or more processors and using entries in the second layer of the round robin database, time-series
prediction data representative of a predicted trend of the first time-series observation data;

determining, via the one or more processors, a standard deviation value representative of a deviation between the first time-series
observation data and the time-series prediction data;

determining, via the one or more processors, a threshold based, at least in part, on the standard deviation value; and
detecting, via the one or more processors, aberrant behavior corresponding to malicious software in second time-series observation
data by:

determining second time-series prediction data representative of a predicted trend of the second time-series observation data;
determining second time-series deviation data between the second time-series observation data and the second time-series prediction
data; and

comparing one or more values of the second time-series deviation data with a threshold;
replacing the threshold with an updated threshold based, at least in part, on the second time-series observation data; and
providing, via one or more input/output (I/O) devices, an indication that botnet activity exists based on detecting the aberrant
behavior corresponding to malicious software.
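Added example, not from the patent and not Verisign code: a two-layer round-robin store of DNS query counts and the threshold rule the claim describes, run on constructed counts. Layer one keeps per-interval counts; layer two keeps the sum of four consecutive layer-one entries. A trend fitted over the coarse layer predicts the next interval, the spread of the fine-layer observations around that prediction gives a standard deviation, and k times that is the threshold. The least-squares trend and the k-sigma rule are this example's choices, not the patent's; the claim's wording allows others.

```python
"""Layered round-robin store with a standard-deviation threshold for DNS query counts.

Added example, not Verisign code. The query counts are constructed; the
prediction (least-squares trend over the coarse layer) and the k-sigma rule are
one simple choice among several the claim language allows.
"""
from collections import deque
from math import sqrt
from statistics import mean
from typing import Deque, List, Optional


class RoundRobinDB:
    """Layer 1 holds per-interval counts; layer 2 holds the sum of AGG
    consecutive layer-1 entries, i.e. counts over intervals AGG times as long.
    Both layers are fixed-size rings, so storage never grows."""

    def __init__(self, agg: int, fine_capacity: int, coarse_capacity: int) -> None:
        self.agg = agg
        self.fine: Deque[int] = deque(maxlen=fine_capacity)
        self.coarse: Deque[int] = deque(maxlen=coarse_capacity)
        self._pending: List[int] = []

    def add(self, query_count: int) -> None:
        self.fine.append(query_count)
        self._pending.append(query_count)
        if len(self._pending) == self.agg:
            self.coarse.append(sum(self._pending))  # aggregated coarse entry
            self._pending = []


def next_trend_value(values: List[int]) -> float:
    """Least-squares line through the series, evaluated one step ahead."""
    n = len(values)
    if n == 1:
        return float(values[0])
    xm, ym = (n - 1) / 2, mean(values)
    sxx = sum((x - xm) ** 2 for x in range(n))
    sxy = sum((x - xm) * (y - ym) for x, y in zip(range(n), values))
    return ym + (sxy / sxx) * (n - xm)


class AberrantDetector:
    def __init__(self, rrd: RoundRobinDB, k: float = 3.0,
                 learn_from_aberrant: bool = False) -> None:
        self.rrd, self.k, self.learn_from_aberrant = rrd, k, learn_from_aberrant
        self.predicted: Optional[float] = None
        self.threshold: Optional[float] = None
        self.refit()

    def refit(self) -> None:
        """Predict the next fine interval from the coarse layer, measure how far
        the fine-layer observations sit from that prediction, and set
        threshold = k * (root-mean-square deviation)."""
        if not self.rrd.coarse:
            return
        self.predicted = next_trend_value(list(self.rrd.coarse)) / self.rrd.agg
        deviations = [v - self.predicted for v in self.rrd.fine]
        sigma = sqrt(mean([d * d for d in deviations]))
        self.threshold = self.k * sigma

    def observe(self, query_count: int) -> bool:
        """True if the new interval is aberrant; then update the baseline."""
        aberrant = (self.threshold is not None
                    and query_count - self.predicted > self.threshold)
        if not aberrant or self.learn_from_aberrant:
            # Feeding confirmed spikes back into the baseline lets an attacker
            # ramp up slowly and raise the threshold ahead of the real flood,
            # so by default only non-aberrant intervals update the model.
            self.rrd.add(query_count)
            self.refit()
        return aberrant


# Constructed baseline: 24 five-minute intervals of roughly 1000 queries each.
BASELINE_COUNTS = [980, 1010, 1000, 990, 1020, 995, 1005, 985, 1015, 1000, 990, 1010,
                   1000, 1005, 995, 1010, 990, 1000, 1020, 980, 1000, 1010, 995, 1005]


def build_detector() -> AberrantDetector:
    rrd = RoundRobinDB(agg=4, fine_capacity=48, coarse_capacity=12)
    for count in BASELINE_COUNTS:
        rrd.add(count)
    return AberrantDetector(rrd, k=3.0)
```

On the constructed baseline the threshold lands near 34 queries, so a 5000-query interval is flagged and a 1010-query interval is not. The claim's "replacing the threshold with an updated threshold" is the `refit()` after each observation; whether flagged intervals feed that update is the design decision that decides how the detector behaves against a slow ramp, which is why it is an explicit flag here.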

US Pat. No. 9,288,227

SYSTEMS AND METHODS FOR TRANSPARENTLY MONITORING NETWORK TRAFFIC FOR DENIAL OF SERVICE ATTACKS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for monitoring network connections by a mitigation service, the mitigation service monitoring
network traffic in one direction between a client computer and a server computer, the method comprising:
receiving, from the client computer, a connection request that is configured to establish a network connection between the
client computer and the server computer, wherein the connection request comprises at least one parameter corresponding to
the network connection;

sending, to the client computer in response to the connection request, a single response that is configured to cause a reply
by the client computer, wherein the single response comprises a single packet with an acknowledgement sequence number that
is the same as a sequence number received in the connection request and wherein the acknowledgement sequence number does not
interrupt the establishment of the network connection between the client computer and the server computer and does not complete
the establishment of the network connection between the client computer and the server computer;

determining whether the reply is received from the client computer; and
in response to determining that the reply is received from the client computer:
sending the connection request to the server computer without altering an identification of the client computer in the request.

US Pat. No. 9,218,334

PRONOUNCEABLE DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A computer-implemented method of generating pronounceable domain names, comprising:
providing a list of character strings;
determining a first probability that a character string in the list of character strings is pronounceable based on a phonetic
model;

determining a second probability that a character string in the list of character strings is pronounceable based on a character
order model;

filtering the list of character strings through a first filter based on the first probability to produce a first filtered
list of character strings;

filtering the list of character strings through a second filter based on the second probability to produce a second filtered
list of character strings; and

generating, by a processor, a list of pronounceable domain names based on the first filtered list of character strings and
the second filtered list of character strings.

US Pat. No. 9,961,110

SYSTEMS AND METHODS FOR PRE-SIGNING OF DNSSEC ENABLED ZONES INTO RECORD SETS

VERISIGN, INC., Reston, ...

1. A method of conducting domain name system (DNS) operations, comprising:
accessing, by a processor of a DNS device, a set of policies for operation of a DNS, wherein the DNS uses domain name system with security extensions (DNSSEC), and the DNS device supports a zone of a DNS network;
generating, by the processor, a set of answers to a plurality of questions associated with a set of domain names of the zone, wherein, based on the set of policies, a first question of the plurality of questions corresponds to a plurality of answers in the set of answers;
generating a set of signed answers from the set of answers and a set of key data;
storing the set of signed answers as records in a zone file;
receiving via the DNS network, a question from a resolver;
retrieving a signed answer from the stored set of signed answers based on the question received from the resolver and the set of policies, and
transmitting via the DNS network, the signed answer to the resolver,
wherein the records in the zone file comprise a plurality of records storing the plurality of answers corresponding to the first question, each of the plurality of records storing a respective one of the plurality of answers.

US Pat. No. 9,762,556

REGISTERING, MANAGING, AND COMMUNICATING WITH IOT DEVICES USING DOMAIN NAME SYSTEM PROCESSES

VERISIGN, INC., Reston, ...

1. A method for registering an internet of things (“IoT”) device with a domain name system (“DNS”) registry, the method comprising:
obtaining, at a DNS server, an identifier, IP address, and a public key of an asymmetric key pair associated with the IoT
device from a network gateway device that is in communication with the IoT device, wherein the asymmetric key pair is provisioned
onto the IoT device and an associated private key stored within a memory of the IoT device at a time that IoT device is manufactured
or during a predetermined time window after manufacturing;

creating at least one DNS record for the IoT device;
assigning a domain name associated with the internet protocol (“IP”) address to the IoT device;
storing the identifier, IP address, the domain name, and the public key in the at least one DNS record; and
providing confirmation of the registration to the IoT device.

US Pat. No. 9,749,307

DNSSEC SIGNING SERVER

VERISIGN, INC., Reston, ...

1. A Domain Name System Security Extensions (DNSSEC) signing server configured to interact with at least one DNSSEC client
application executing on a DNSSEC client device and a plurality of digital signature logic modules, the DNSSEC signing server
comprising:
a hardware processor; and
a storage device including computer readable code that, when executed by the processor, causes the signing server to:
receive a signing request from the at least one DNSSEC client application executing on the DNSSEC client device to sign first
data, wherein the first data comprises domain name system (DNS) data included in the signing request;

determine at least one of an active Key Signing Key (KSK) and an active Zone Signing Key (ZSK) to be used to sign the first
data based on a top-level domain (TLD) identifier in the DNS data included in the signing request;

transmit the first data to one of the plurality of digital signature logic modules;
receive a digitally signed version of the first data from the one of the digital signature logic modules; and
provide the digitally signed version of the first data to the at least one DNSSEC client application.

US Pat. No. 9,721,099

SYSTEMS AND METHODS FOR IDENTIFYING ASSOCIATIONS BETWEEN MALWARE SAMPLES

Verisign, Inc., Reston, ...

1. A method, performed by a processor, for identifying associations between binary samples, comprising:
accessing, via the processor, a set of associations between a plurality of binary samples, wherein a first association included
in the set of associations is characterized by at least one attribute that is unique for a file type associated with the plurality
of binary samples; and

providing a user interface, on a display device, that enables navigation of at least one of the set of associations and type-specific
metadata associated with the plurality of binary samples.

US Pat. No. 9,705,851

EXTENDING DNSSEC TRUST CHAINS TO OBJECTS OUTSIDE THE DNS

VERISIGN, INC., Reston, ...

1. A method of providing data, the method comprising:
receiving at a first Domain Name System (DNS) server, over an electronic computer network, a first DNS resource record request
from a client computer, wherein the first DNS resource record request comprises a first domain name;

providing, by the first DNS server to the client computer and in response to the first DNS resource record request, a first
DNS resource record comprising a URI for a first non-DNS service;

whereby the client computer derives a target URI from the URI for the first non-DNS service, contacts a second non-DNS service
at the target URI for requested data, and receives the requested data from the second non-DNS service;

receiving, at a second DNS server, over the electronic computer network, a second DNS resource record request from the client
computer, the second DNS resource record request comprising a second domain name;

providing, by the second DNS server to the client computer and in response to the second DNS resource record request, a second
DNS resource record comprising cryptographic authentication information corresponding to the second domain name;

whereby the client computer cryptographically validates the requested data using the cryptographic authentication information;
receiving at a third DNS server, prior to the receiving at the first DNS server, over the electronic computer network, a third
DNS resource record request from the client computer, the third DNS resource record request comprising a third domain name;
and

replying to the client computer that the third DNS resource record request corresponds to a non-existent record,
whereby resolution logic consequently directs the client computer to send the first DNS resource record request.

US Pat. No. 9,996,628

PROVIDING AUDIO-ACTIVATED RESOURCE ACCESS FOR USER DEVICES BASED ON SPEAKER VOICEPRINT

VERISIGN, INC., Reston, ...

1. A computer system for providing audio-activated resource access for user devices, the computer system comprising:
a processor; and
a memory coupled to the processor, the memory storing instructions to cause the processor to perform operations comprising:
capturing audio at a user device;
determining a geographic location of the user device;
loading a speaker recognition program from a non-volatile computer-readable medium on the user device;
analyzing the audio that is captured by the speaker recognition program;
determining an identity of a speaker that produced the audio based on a speaker voiceprint;
transmitting, over a network, an identifier of the speaker of the captured audio identified by the speaker recognition program and the geographic location of the user device to a resource provider server system that is separate from the speaker recognition program to determine a corresponding geographic specific resource based on the geographic location of the user device and a pre-registered speaker identity to resource pairing identifier stored at the resource provider server system;
receiving the corresponding geographic specific resource from the resource provider server system, wherein the corresponding geographic specific resource comprises at least one of a Uniform Resource Locator (URL), a Uniform Resource Identifier (URI), a Uniform Resource Number (URN), a domain name, or an Internet Protocol (IP) address, a hostname, Media Access Control (MAC) addresses, Ethernet Hardware Address (EHA) addresses, Bluetooth addresses, an International Mobile Subscriber Identity (IMSI), a subscriber identity module, subscriber identification module (SIM), a Removable User Identity Module (R-UIM), an Internet eXchange (IPX), or X.25, BLNA; and
activating, by the processor, an application to cause a web browser to navigate to a web page based on the corresponding geographic specific resource that is based on the pre-registered speaker identity to resource pairing identifier.

US Pat. No. 9,935,771

METHODS AND SYSTEMS FOR BOOTSTRAPPING

VERISIGN, INC., Reston, ...

1. A method for bootstrapping a relying entity comprising:
receiving, based on an identifier provisioned at the relying entity, a plurality of instances of a security credential of an information system, the plurality of instances of the security credential being associated, respectively, with a plurality of certifying entities, wherein the information system is the Domain Name System (DNS) and the security credential is a Domain Name System Security Extensions root key;
verifying, by a processor, authenticity of the plurality of instances of the security credential using information of the plurality of certifying entities provisioned at the relying entity;
determining, by the processor, matches between the plurality of instances of the security credential;
determining, by the processor, based on the matches, that a first instance of the security credential in the plurality of instances of the security credential satisfies a policy provisioned at the relying entity; and
verifying, by the processor, authenticity of information requested from the information system using the first instance of the security credential.
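Added example, not from the patent and not Verisign code: the k-of-n agreement step of the bootstrapping method above. A relying entity receives several instances of the DNSSEC root key, each vouched for by a different certifying entity, checks each instance against the certifier information it was provisioned with, counts how many distinct certifiers agree on the same key, and accepts only a key that meets its provisioned policy. Entity names, verification secrets, DNSKEY strings and the policy are constructed; a keyed HMAC stands in for each certifier's signature so the example runs on the standard library alone, where a real deployment would verify a public-key signature (for example over a root-anchors file) with provisioned public keys. The claim's final step, validating RRSIGs with the chosen key, is not shown.

```python
"""Bootstrapping a DNSSEC trust anchor from several certifying entities.

Added example, not Verisign code. Entity names, per-entity verification
secrets, DNSKEY strings and the policy are constructed. An HMAC stands in for
each certifying entity's signature so this runs on the standard library alone.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

KeyId = Tuple[int, str]  # (key tag, DNSKEY rdata)


@dataclass(frozen=True)
class CredentialInstance:
    entity: str          # certifying entity this instance claims to come from
    key_tag: int
    dnskey_rdata: str    # 'flags protocol algorithm base64-public-key'
    authenticator: bytes  # the certifier's signature (HMAC stand-in here)


# Provisioned at the relying entity (shipped with the software or device).
PROVISIONED_ENTITY_SECRETS: Dict[str, bytes] = {
    "ca-alpha": b"constructed-verification-secret-alpha",
    "ca-beta": b"constructed-verification-secret-beta",
    "ca-gamma": b"constructed-verification-secret-gamma",
}
POLICY = {"min_matching_entities": 2}  # k-of-n agreement required


def authenticate(secret: bytes, key_tag: int, rdata: str) -> bytes:
    """Stand-in for the certifying entity's signature over the credential."""
    return hmac.new(secret, f"{key_tag}|{rdata}".encode(), hashlib.sha256).digest()


def verify_instance(inst: CredentialInstance) -> bool:
    """Authentic only if a provisioned certifier's authenticator checks out."""
    secret = PROVISIONED_ENTITY_SECRETS.get(inst.entity)
    if secret is None:  # unknown certifier: ignore, never count its vote
        return False
    expected = authenticate(secret, inst.key_tag, inst.dnskey_rdata)
    return hmac.compare_digest(expected, inst.authenticator)


def select_trust_anchor(instances: List[CredentialInstance],
                        policy: dict) -> Optional[KeyId]:
    """Keep only authentic instances, count how many distinct entities vouch
    for each (key tag, rdata), and return the key that meets the policy."""
    voters: Dict[KeyId, Set[str]] = {}
    for inst in instances:
        if verify_instance(inst):
            voters.setdefault((inst.key_tag, inst.dnskey_rdata), set()).add(inst.entity)
    agreed = [(k, len(v)) for k, v in voters.items()
              if len(v) >= policy["min_matching_entities"]]
    if not agreed:
        return None
    agreed.sort(key=lambda kv: kv[1], reverse=True)
    if len(agreed) > 1 and agreed[0][1] == agreed[1][1]:
        return None  # two different keys with equal support: refuse to guess
    return agreed[0][0]


# Constructed scenario: alpha and beta publish the genuine key; gamma's channel
# is compromised and publishes a different key; a fourth instance forges alpha.
GENUINE: KeyId = (4242, "257 3 8 AwEAAaGenuineRootKeyPlaceholder")
ROGUE: KeyId = (1111, "257 3 8 AwEAAaRogueKeyPlaceholder")


def sample_instances() -> List[CredentialInstance]:
    def issued_by(entity: str, key: KeyId) -> CredentialInstance:
        tag = authenticate(PROVISIONED_ENTITY_SECRETS[entity], *key)
        return CredentialInstance(entity, key[0], key[1], tag)

    forged = CredentialInstance("ca-alpha", ROGUE[0], ROGUE[1], b"\x00" * 32)
    return [issued_by("ca-alpha", GENUINE), issued_by("ca-beta", GENUINE),
            issued_by("ca-gamma", ROGUE), forged]
```

With a two-of-three policy the genuine key wins even though one certifier was compromised and a forged instance impersonated another; raising the policy to three-of-three makes the relying entity refuse to bootstrap rather than pick a key. The tie rule matters for the same reason: if two distinct keys each reach the threshold, something is wrong upstream and the safe output is "no anchor", not the first key in iteration order.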

US Pat. No. 9,800,544

SYSTEMS AND METHODS FOR MULTI-TENANT GENERIC TOP LEVEL DOMAIN DEPLOYMENT

VERISIGN, INC., Reston, ...

1. A computer implemented method of providing registry services, the method comprising:
identifying one or more top level domains (“TLD”) to be serviced;
creating, by a processor, a modified version of a TLD group from an existing TLD group for the one or more top level domains;
provisioning the one or more top level domains; and
registering the one or more top level domains with the modified version of the TLD group,
wherein the one or more top level domains in the modified version of the TLD group share at least one characteristic, the
at least one characteristic comprising volume of traffic expected, a particular feature set that is based on a data service
provided by the one or more top level domains, or specific business requirements.

US Pat. No. 9,742,723

INTERNET PROFILE SERVICE

VERISIGN, INC., Reston, ...

1. A computer-implemented method, comprising:
receiving a first webpage associated with a domain;
determining a plurality of additional webpages associated with the domain based on hyperlinks in the first webpage;
extracting content from the first webpage and the plurality of additional webpages;
determining technical data associated with the first webpage and the plurality of additional webpages;
processing the content and the technical data through a signature marker set to determine a contextual match;
determining a purpose of the domain based on the contextual match;
determining, based on the content, a category associated with the domain, wherein the category is distinct from the purpose
and defines a commercial sector of the domain;

generating a domain profile for the domain, wherein the domain profile comprises an indication of the purpose of the domain
and an indication of the category associated with the domain;

storing, in a memory, the domain profile;
receiving a query comprising at least one of a purpose and a category;
adding the domain to a list of identified domains based on a determination that the at least one of a purpose and a category
corresponds to at least one of the purpose and the category associated with the domain profile; and

outputting the list of identified domains for display in response to the query.

US Pat. No. 9,769,035

DOMAIN POPULARITY SCORING

VERISIGN, INC., Reston, ...

1. A method for scoring a domain, comprising:
receiving requests to resolve the domain at a domain resolution server, wherein each request to resolve the domain comprises
one of a plurality of domain name strings that map to the domain;

determining a specified domain name string format for the domain, wherein the specified domain name string format comprises
a domain name string format that does not include a “www” string;

determining that one or more of the plurality of domain name strings match the specified domain name string format of a plurality
of domain name string formats for the domain;

maintaining separate counters for each of the plurality of domain name string formats for the domain;
automatically incrementing a first counter for each of the one or more of the plurality of domain name strings that match
the specified domain name string format, wherein a second counter associated with a second domain name string format is a
counter associated with domain name strings that include a “www” string;

obtaining information from a web page associated with the domain; and
automatically calculating a score for the domain by a computer processor based upon the first counter and the information
from the web page associated with the domain.

US Pat. No. 9,727,657

MULTI-MODE BARCODE RESOLUTION SYSTEM

VeriSign, Inc., Reston, ...

1. A computer-implemented method for selectively translating and presenting data content specified in scanned multi-mode barcodes,
the method comprising:
inputting, by an optical scanning component of a scanning device, graphical data representing a barcode pattern, wherein the
scanning device includes one or more processors coupled to the optical scanning component;

translating, by the scanning device, the graphical data into barcode information;
detecting, by the scanning device, that a plurality of distinct data items is present in the barcode information, wherein
each data item of the plurality of distinct data items specifies human-understandable content and an action to be taken by
the scanning device to provide the human-understandable content;

transmitting, to a remote server, a request for a preference order for execution of a plurality of actions specified by the
plurality of distinct data items, wherein the remote server includes at least one processor programmed to receive and answer,
via at least one network connection, requests for preference orders for execution of actions specified by distinct data items
in multi-mode barcodes;

receiving, in response to the request, the preference order indicating a ranking of the plurality of distinct data items;
determining an order in which the plurality of actions specified by the plurality of distinct data items are to be taken by
the scanning device based on the ranking;

selecting a preferred data item in the plurality of distinct data items for which the scanning device is capable of taking
the action specified by the preferred data item, wherein the action specified by the preferred data item has a higher ranking
in the preference order than other actions specified by all other data items in the plurality of distinct data items that
the scanning device is capable of taking; and

providing, by the scanning device, the human-understandable content via the action specified by the preferred data item.

US Pat. No. 10,019,526

SYSTEMS AND METHODS FOR CREATING AND USING KEYWORD NAVIGATION ON THE INTERNET

VERISIGN, INC., Reston, ...

1. A system, comprising:
a processor; and
a memory coupled to the processor, the memory storing instructions to direct the processor to perform operations comprising:
determining that a domain name controller is authorized for keyword navigation;
receiving, via keyword registration user interface, from the domain name controller of a plurality of webpages of a web site hosted by a web server, a keyword and information identifying a webpage of the plurality of webpages;
storing, in a database, the keyword in association with the information identifying the webpage;
receiving a search string from the web server, wherein the search string is entered via a search user interface at the website by a website visitor;
locating in the database the keyword associated with the website and matching the search string based on authorization of the domain name controller for keyword navigation;
determining a domain name of the webpage associated with the matching keyword, the matching keyword being generated by a domain name controller that has been authenticated as being authorized by a registrant of the domain name to set up the matching keyword for the domain name;
determining a web page address of one of the plurality of web pages hosted at the website associated with the matching keyword,
retrieving a description for the web page address associated with the matching keyword, and
generating data used to display the domain name, the web page address, the description, and the matching keyword to the user, wherein the description is displayed as a hyperlink that causes a browser to be directed to the determined web page address of the one of the plurality of web pages hosted at the website.

US Pat. No. 9,912,543

DNS PACKAGE IN A PARTITIONED NETWORK

VERISIGN, INC., Reston, ...

1. A method for domain name resolution, the method comprising:
obtaining, at a recursive domain name server, a domain name resolution request for a domain name;
providing the domain name resolution request over a local communication channel to a co-located root domain name server based
on a local policy, wherein the co-located root domain name server is operable to provide a network address corresponding to
a co-located top-level domain (“TLD”) name server based on a TLD in the domain name resolution request, wherein the co-located
TLD name server provides a network address corresponding to a co-located second-level domain (“SLD”) name server based on
a SLD in the domain name resolution request, wherein the recursive domain name server, the co-located root name server, the
co-located TLD name server, and the co-located SLD name server are co-located and integrated within a single deployable hardware
device package;

validating a response received by the recursive name server based on a Domain Name System Security Extensions (“DNSSEC”) certificate,
wherein the recursive name server is configured to perform domain name resolution even when the DNSSEC certificate expires;
and

providing an internet protocol address for the domain name in the domain name resolution request based on a record stored
in the SLD name server.

US Pat. No. 9,794,221

RECOVERY OF A FAILED REGISTRY

VERISIGN, INC., Reston, ...

1. A system for recovering a registry comprising:
a non-transitory memory storing instructions; and
a processor configured to execute the instructions to cause the system to perform a method comprising:
receiving zone data and ownership information associated with the registry;
archiving the zone data and the ownership information;
publishing the zone data into a Domain Name System (DNS) service; and
enabling DNS Security (DNSSEC) extensions on a zone associated with the zone data.

US Pat. No. 9,613,146

SEARCHABLE WEB WHOIS

VERISIGN, INC., Reston, ...

1. A computer-implemented search method comprising:
storing domain names and owner information associated with the domain names in one or more networked databases;
indexing suffixes of the domain names and suffixes of text-searchable portions of the owner information, wherein the suffixes
of the domain names and the suffixes of the text-searchable portions of the owner information each has a minimum length of
characters;

storing, in one or more text indexes, the suffixes of the domain names and the suffixes of the text-searchable portions of
the owner information;

searching, in response to a search request, the one or more text indexes for at least one of a matching domain name or matching
owner information that satisfies the search request;

querying the one or more networked databases for at least one of corresponding owner information associated with the matching
domain name or one or more corresponding domain names associated with the matching owner information; and

providing search results based on the querying, wherein the search results include at least one of (1) the matching domain
name and the corresponding owner information or (2) the matching owner information and the one or more corresponding domain
names.

US Pat. No. 10,050,831

QUERY LATENCY OF A DNS SERVICE

VERISIGN, INC., Reston, ...

1. A computer-implemented method, comprising:
accessing a set of data related to a plurality of domain name system (DNS) requests transmitted via transport control protocol (TCP) for a plurality of subnets in a network;
selecting a subset of the set of data that is a representative sample of the set of data;
estimating latency of the subset of the data for the set of all data; and
modifying a portion of the network based on the estimated latency of the subset of the data.

US Pat. No. 10,033,535

MULTIFACETED ASSERTION DIRECTORY SYSTEM

VERISIGN, INC., Reston, ...

1. A method of providing one or more assertions about a subject, comprising:
obtaining, at a first assertion directory access server and over a network, a first assertion about a first attribute of the subject from a first assertion provider;
obtaining, at a second assertion directory access server and over the network, a second assertion about a second attribute of the subject from a second assertion provider;
providing, from the first assertion directory access server and the second assertion directory access server, the first assertion and the second assertion, respectively, to an assertion directory authority server over the network;
obtaining, at a third assertion directory access server and over the network, a first request for the first assertion, the second assertion, or both the first assertion and the second assertion from a relying party;
providing, by the third assertion directory access server and over the network, a second request for the first assertion, the second assertion, or both the first assertion and the second assertion to the assertion directory authority server;
obtaining, by the third assertion directory access server and over the network, the first assertion, the second assertion, or both the first assertion and the second assertion from the assertion directory authority server based on one or more access control policies that are associated with the first assertion or the second assertion and are maintained by the assertion directory authority server; and
providing, by the third assertion directory access server and over the network, the first assertion, the second assertion, or both the first assertion and the second assertion to the relying party.

US Pat. No. 9,910,836

CONSTRUCTION OF PHONETIC REPRESENTATION OF A STRING OF CHARACTERS

VERISIGN, INC., Reston, ...

1. A method, comprising:
accessing a string of characters;
parsing the string of characters into a first string of graphemes;
adding one or more characters to the first string of graphemes to represent missing characters in the string of characters
to create a second string of graphemes;

grouping the second string of graphemes into a plurality of pseudo-graphemes based on a probability determined by a trained
discrete estimator, wherein two or more graphemes in the string of graphemes that are phonetized together are grouped to a
single pseudo-grapheme;

accessing a first data structure that maps each pseudo-grapheme in the string of pseudo-graphemes to one or more universal
phonetic representations based on an international phonetic alphabet, wherein the first data structure comprises a plurality
of first nodes with each first node of the plurality of first nodes having a respective weight assigned that corresponds to
a pronunciation of a grapheme;

determining one or more phonetic representations for each pseudo-grapheme in the string of pseudo-graphemes based on the first
data structure;

accessing a second data structure that maps the one or more universal phonetic representations to one or more graphemes, wherein
the second data structure comprises a plurality of second nodes with each second node of the plurality of second nodes having
a respective weight assigned that corresponds to a likely representation of a grapheme;

determining at least one grapheme representation for one or more of the one or more phonetic representations based on the
second data structure; and

constructing a phonetic representation of the string of characters based on the at least one grapheme representation that
was determined.

US Pat. No. 9,785,629

AUTOMATED LANGUAGE DETECTION FOR DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A method for automatically detecting a language of an Internationalized Domain Name (IDN), the method comprising:
receiving, via an I/O interface, a string of characters for the IDN;
determining, using one or more processors, a plurality of candidate languages based on analyzing the string of characters
for the IDN, wherein the determining comprises: extracting a set of multi-grams from the string of characters, comparing the
set of multi-grams against stored multi-grams which were previously extracted from samples of loaded training data for each
language of a set of candidate languages, and calculating a probability score for each language of the set of candidate languages,
and wherein each language in the plurality of candidate languages shares some or all characters with the other languages in
the plurality of candidate languages or belongs to the same language family as the other languages in the plurality of candidate
languages;

presenting, via an I/O interface, the plurality of candidate languages to a user;
receiving, via an I/O interface, a user selected language of the plurality of candidate languages corresponding to the IDN;
and

using the IDN to automatically generate a domain name in response to receiving the user selected language.

US Pat. No. 9,781,091

PROVISIONING FOR SMART NAVIGATION SERVICES

VERISIGN, INC., Reston, ...

1. A method of provisioning a navigation service, the method comprising:
receiving, at the navigation service, over a computer network, and from a name owner or a keyword service, an electronic authorization
to resolve command data comprising a keyword, an entity name associated with the name owner, and other data to at least one
network locator using the keyword service, whereby the keyword service stores in keyword service persistent memory at least
one rule correlating at least the entity name and the other data to the at least one network locator;

obtaining a network locator for the keyword service;
receiving, over the computer network and from a client computer, command data comprising the entity name and the other data;
providing, over the computer network and to the keyword service, at least the entity name and the other data, whereby the
keyword service correlates the entity name and the other data to the at least one network locator;

obtaining, over the computer network and from the keyword service, the at least one network locator;
providing, over the computer network and to the client computer, the at least one network locator.

US Pat. No. 9,742,730

SYSTEMS AND METHODS FOR AUTOMATICALLY PROVIDING WHOIS SERVICE TO TOP LEVEL DOMAINS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for establishing top level domains, comprising:
receiving, at a first computer system, a first domain data associated with a first top level domain and a second domain data
associated with a second top level domain;

associating a first network address corresponding to a second computer system to the first top level domain and a second network
address corresponding to the second computer system to the second top level domain;

provisioning the first top level domain, wherein provisioning the first top level domain comprises transmitting the first
domain data to the second computer system with an indication that personal information is public, whereby the second computer
system initiates a public registration data lookup service for the first top level domain using the first domain data;

provisioning the second top level domain, wherein provisioning the second top level domain comprises transmitting the second
domain data to the second computer system with an indication that personal information is private, whereby the second computer
system initiates a private registration data lookup service for the second top level domain using the second domain data;
and

initiating assignment of the first network address as an authoritative network address for the public registration data lookup
service and the second network address as an authoritative network address for the private registration data lookup service.

US Pat. No. 10,148,441

SYSTEMS, DEVICES, AND METHODS FOR DETECTING DOUBLE SIGNING IN A ONE-TIME USE SIGNATURE SCHEME

VERISIGN, INC., Reston, ...

1. A system comprising:
a processing system of a device comprising one or more processors; and
a memory system comprising one or more computer-readable media, wherein the one or more computer-readable media contain instructions that, when executed by the processing system, cause the processing system to perform operations comprising:
receiving a message, wherein the message comprises a signature generated using a one-time use private key of a hash-based one-time use public/private key pair;
determining a one-time use public key of the hash-based one-time public/private key pair based on the message;
determining that the hash-based one-time use public/private key pair was used more than once by comparing the one-time use public key to a list of public keys associated with previously received messages, wherein the list of public keys is included in a first transaction database that maintains a first log of transactions;
generating an alert based on determining that the hash-based one-time use public/private key pair was used more than once; and
performing, based on the signature, one or more punitive operations in relation to a sender of the message, wherein the one or more punitive operations comprises forging a signature associated with the one-time use private key based on the message and a previous message of the previously received messages, wherein the previous message is signed using the one-time use private key.

US Pat. No. 10,075,467

SYSTEMS, DEVICES, AND METHODS FOR IMPROVED NETWORK SECURITY

VERISIGN, INC., Reston, ...

1. A system comprising:
one or more processors; and
a memory that is coupled to the one or more processors and includes instructions, wherein, when the one or more processors execute the instructions, the one or more processors are configured to perform operations comprising:
obtaining network flow data comprising one or more network flows comprising network packets received from a set of source IP addresses over a network;
analyzing the network flow data based on a pre-determined format of the network flow data to generate one or more unique flow combinations, wherein each unique flow combination is associated with a different source internet protocol (IP) address and represents at least one of the one or more network flows;
creating a daily flow count of a plurality of flow counts for each unique flow combination in the network flow data;
for each unique flow combination, incrementing by one the daily flow count associated with the unique flow combination and corresponding to a given date when at least one network flow of the one or more network flows represented by the unique flow combination is associated with a network interaction that occurred on the given date;
generating a candidate list of persistent clients that includes source IP addresses associated with unique flow combinations that have daily flow counts that meet a threshold;
filtering the candidate list of persistent clients based on a filtering criteria to generate a filtered candidate list of persistent clients;
ranking the filtered candidate list of persistent clients using a ranking metric; and
determining a list of persistent clients based on the ranking of the filtered candidate list of persistent clients.

US Pat. No. 10,061,785

BULK MANAGEMENT OF REGISTRY OBJECTS

VERISIGN, INC., Reston, ...

1. A method of managing a domain name system, comprising:
receiving a request for bulk modification of a set of records, wherein the set of records corresponds to registry objects managed by different registrars;
designating a use case for the request for bulk modification, wherein the use case indicates that each modification of a plurality of modifications in the request for bulk modification is associated with a same type of action, and wherein the use case is associated with a set of parameters;
accessing a set of registry policies; and
executing, using a processor, the bulk modification of the set of records by:
performing a first operation of the bulk modification associated with a first record of the set of records that satisfies the set of registry policies and the set of parameters;
denying a performance of a second operation of the bulk modification associated with a second record of the set of records based on identifying that the second operation would result in a violation of a parameter of the set of parameters; and
denying a performance of a third operation of the bulk modification associated with a third record of the set of records based on identifying that the third operation would result in a violation of a registry policy of the set of registry policies.

US Pat. No. 10,057,207

SMART NAVIGATION FOR SHORTENED URLS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for resolving an identifier over the internet without using a domain name system (DNS) by obtaining, from electronically stored data representing a first identifier in a first name space, electronically stored data representing a second identifier in a second name space, the method comprising:
obtaining, at a first electronic navigation service comprising an electronic server computer, from an executing browser configured with an internet protocol address of the first electronic navigation service, and over the internet without using the DNS, electronically stored data representing the first identifier in the first name space;
obtaining, from an electronic directory communicatively coupled to the first navigation service, electronically stored data representing a rule mapping the first identifier in the first name space to the second identifier in the second name space;
applying the rule to the first identifier in the first name space, whereby the second identifier in the second name space is obtained; and
providing electronically stored data representing the second identifier to the executing browser over the internet, wherein the second identifier is resolvable to a network locator by a second navigation service;
whereby the second identifier is obtained without resolving the first identifier using the DNS.

US Pat. No. 10,015,134

METHODS AND SYSTEMS FOR CREATING NEW DOMAINS

VERISIGN, INC., Reston, ...

1. A computer-implemented method of registering a new top level domain, comprising:
receiving, at a first system via a user interface, a client request to register an unregistered top level domain as a new top level domain in a registry in a domain name system (DNS), the client request including domain data, the domain data comprising a domain name for the new top level domain and a data definition selected from one of choices, the choices comprising:
data defining one or more services to be supported by the new top level domain,
data defining one or more features to be supported by the new top level domain, wherein the one or more features include DNS security extensions (DNSSEC) or domain name levels, and
data defining one or more policies to be enforced by the new top level domain, wherein the one or more policies include domain labels or name server requirements;
creating a data structure comprising the domain data including the data definition selected from one of the choices; and
transmitting a create domain request including the data structure to the registry in the DNS, wherein the registry creates, in response to the create domain request, the new top level domain in the registry based on the data structure.

US Pat. No. 9,947,311

SYSTEMS AND METHODS FOR AUTOMATIC PHONETIZATION OF DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A method, comprising:
receiving, from a user, a string of characters;
determining components of the string of characters, wherein the components of the string of characters comprise one or more graphemes that are related in the string of characters;
determining universal phonetic representations for the components of the string of characters;
determining pronunciations for the universal phonetic representations;
constructing a pronunciation of the string of characters based at least partially on the pronunciations of the universal phonetic representations;
sending, to the user, a sound file representing the pronunciation of the string of characters;
receiving a user sound file created by the user using a microphone, the user sound file representing a custom pronunciation associated with a subset of the universal phonetic representations corresponding to a portion of the pronunciation of the string of characters;
constructing a new pronunciation of the string of characters based at least partially on the pronunciations for the universal phonetic representations and the custom pronunciation associated with the subset of the universal phonetic representations; and
sending, to the user, a new sound file representing the new pronunciation of the string of characters, wherein the new sound file comprises a combination of a portion of the sound file representing the pronunciation of the string of characters and the user sound file.

US Pat. No. 9,912,678

TECHNIQUES FOR AUTOMATICALLY MITIGATING DENIAL OF SERVICE ATTACKS VIA ATTACK PATTERN MATCHING

VERISIGN, INC., Reston, ...

1. A method for mitigating a denial of service attack, the method comprising:
determining that a number of requests transmitted by a first client to a server during a first time period is greater than
a first threshold;

in response, classifying the first client as a top talker;
generating one or more first attack patterns based on the requests transmitted by the first client to the server;
determining, at least partially in parallel with generating the one or more first attack patterns, that a number of requests
transmitted by a second client to a server during a second time period is greater than the first threshold;

identifying additional requests being transmitted by at least one of the first client and the second client to the server;
determining that a number of the additional requests transmitted by the at least one of the first client and the second client
to the server matches the one or more first attack patterns; and

preventing one or more of the additional requests from being transmitted to the server if the number of additional requests
is greater than a second threshold.

US Pat. No. 9,742,799

CLIENT-SIDE ACTIVE VALIDATION FOR MITIGATING DDOS ATTACKS

VERISIGN, INC., Reston, ...

13. A computer-implemented method of mitigating denial-of-service (DoS) attacks, comprising:
intercepting, by a first server system, network requests originating from one or more clients, wherein the network requests
comprise hypertext transfer protocol (HTTP) requests;

for each of the one or more clients, subjecting the client to one or more challenge mechanisms by:
sending, by the first server system, a response to an HTTP request received from the client, wherein the response includes
an embedded client-side script and a plurality of set-cookie directives to set a challenge cookie on the client, wherein at
least one of the plurality of set-cookie directives is valid and sets the challenge cookie to a correct value, and wherein
at least one of the plurality of set-cookie directives is invalid and sets the challenge cookie to an incorrect value;

determining that the client has set the challenge cookie to the correct value; and
categorizing the client as non-suspect in response to a determination that the first client has set the challenge cookie to
the correct value;

identifying one or more non-suspect clients corresponding to one or more of the one or more clients that successfully complete
the one or more challenge mechanisms; and

processing the network requests corresponding to the one or more non-suspect clients.

US Pat. No. 9,769,117

DOMAIN NAME VARIANT GENERATION

VERISIGN, INC., Reston, ...

1. A computer-implemented method, comprising:
accessing, via a processor implemented at least in part in hardware, historical domain name information, the historical domain
name information including a plurality of historical domain names;

identifying a pair of graphemes including a first grapheme and a second grapheme by comparing the plurality of historical
domain names, wherein the second grapheme is a variant of the first grapheme;

calculating a degree of similarity of the pair of graphemes based at least partially on a frequency in which the first grapheme
is substituted by the second grapheme in the plurality of historical domain names;

receiving a domain name, wherein at least one grapheme in the domain name includes the first grapheme;
generating a domain name variant based on the pair of graphemes and the at least one grapheme in the domain name;
calculating a likelihood of confusion of the domain name variant with the domain name based on the degree of similarity of
the pair of graphemes; and

providing the domain name variant and the likelihood of confusion of the domain name variant with the domain name.

US Pat. No. 9,720,980

EVALUATING TYPEABILITY OF DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A method for assessing an identifier, the method comprising:
receiving a string of characters making up the identifier;
determining a keyboard type for a keyboard;
calculating, by a calculator module, a typeability score for the identifier based on the string of characters and the keyboard
type, wherein the typeability score signifies a difficulty of typing the identifier on the keyboard type, and wherein the
typeability score is a raw typeability score; and

calculating a normalized typeability score via dividing the raw typeability score by a maximal typeability score or by a number
of characters in the string of characters.

US Pat. No. 9,715,512

BULK MANAGEMENT OF REGISTRY OBJECTS

VERISIGN, INC., Reston, ...

1. A method of managing a domain name system, comprising:
receiving, at a domain name registry, a request for bulk modification of a set of records in the domain name registry, wherein
the set of records comprises one or more records for a bulk set of domain names managed by different registrars;

designating a use case for the request for bulk modification, wherein the use case indicates that each modification of a plurality
of modifications in the request for bulk modification is associated with a same type of action, and wherein the use case is
associated with a set of parameters;

accessing a set of registry policies governing data stored in the domain name registry;
verifying the request for bulk modification of the set of records against the set of registry policies;
removing one or more domain names from the bulk set of domain names in response to identifying that a first requested action
associated with the one or more domain names would result in a violation of a parameter of the set of parameters;

removing, based at least partially on the verification, at least one domain name from the bulk set of domain names in response
to identifying that a second requested action associated with the at least one domain name would result in a violation of
a registry policy of the set of registry policies; and

scheduling the programmatic execution of the bulk modification to the set of records which satisfy the set of registry policies
and the set of parameters.

US Pat. No. 9,967,290

SYSTEMS AND METHODS FOR AUTOMATING CLIENT-SIDE DISCOVERY OF PUBLIC KEYS OF EXTERNAL CONTACTS THAT ARE SECURED BY DANE USING DNSSEC

VERISIGN, INC., Reston, ...

1. A method of digitally securing a digital object from a first user in a first domain to a second user in a second domain using a domain name system (“DNS”) provider, the method comprising:
accessing, at a client device of the first user, a client-side local policy, wherein the local policy comprises one or more zones managed by one or more DNS providers and secured by DNS-based authentication of named entities (“DANE”) using DNS security extensions (“DNSSEC”);
constructing, by at least one hardware processor of the client device, a DNS query for a cryptographic credential for the second user based, at least in part, on a zone of the one or more zones in the local policy;
providing, to a DNS provider of the one or more DNS providers through a DNS resolver over a network, a request for the cryptographic credential for the second user;
obtaining, over a network, the cryptographic credential for the second user from a DNS provider of the one or more DNS providers;
digitally securing, by at least one hardware processor of the client device, the digital object using the cryptographic credential; and
providing, by the client device over a network, the digital object that is secured using the cryptographic credential to the second user.
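
Added illustration of the client-side steps in the claim above (example code written for this page, not Verisign's implementation): a local policy listing DANE-secured zones, construction of the DNS owner name for the recipient's credential, and a refusal to use any credential that is outside the policy or not DNSSEC-validated. The owner-name construction follows RFC 8162 (SMIMEA); the policy zones, the simulated resolver answers and the certificate bytes are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Client-side local policy (constructed): zones the client treats as DANE-secured
# under DNSSEC. Credentials for addresses outside these zones are not trusted.
LOCAL_POLICY_ZONES: List[str] = ["example.com", "mail.example.net"]


def smimea_owner_name(email: str) -> str:
    """Owner name for an SMIMEA lookup as specified in RFC 8162:
    hex(SHA2-256(local-part)) truncated to 28 octets (56 hex chars),
    then the label "_smimecert", then the lower-cased domain.
    The local-part is hashed as given; RFC 8162 does not case-fold it."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).hexdigest()
    return f"{digest[:56]}._smimecert.{domain.lower()}"


def zone_for(domain: str, zones: List[str]) -> Optional[str]:
    """Longest policy zone that contains `domain`, or None if none does."""
    d = domain.lower()
    matches = [z for z in zones if d == z or d.endswith("." + z)]
    return max(matches, key=len) if matches else None


# Simulated validating-resolver answers (constructed), keyed by (owner name, rrtype).
# The value is (rdata, authenticated); `authenticated` stands for the AD bit a
# DNSSEC-validating resolver sets. SMIMEA rdata begins with usage/selector/matching
# octets; 3/0/0 below means DANE-EE, full certificate, exact match.
FAKE_ANSWERS: Dict[Tuple[str, str], Tuple[bytes, bool]] = {
    (smimea_owner_name("hugh@example.com"), "SMIMEA"): (b"\x03\x00\x00" + b"CERT-HUGH", True),
    (smimea_owner_name("bob@example.com"), "SMIMEA"): (b"\x03\x00\x00" + b"CERT-BOB", False),
    (smimea_owner_name("eve@attacker.test"), "SMIMEA"): (b"\x03\x00\x00" + b"CERT-EVE", True),
}


def fetch_credential(email: str,
                     zones: List[str] = LOCAL_POLICY_ZONES,
                     answers=FAKE_ANSWERS) -> Optional[bytes]:
    """Return the recipient's SMIMEA rdata only if the address is inside a policy
    zone and the answer was DNSSEC-validated; otherwise None."""
    domain = email.rpartition("@")[2]
    if zone_for(domain, zones) is None:
        return None  # outside local policy: no DANE assurance, do not use
    rdata, authenticated = answers.get((smimea_owner_name(email), "SMIMEA"), (None, False))
    if rdata is None or not authenticated:
        return None  # missing record or unvalidated (AD clear): refuse to use it
    return rdata
```

The check that matters in practice is the last one: a record that resolves but was not validated (AD bit clear, or a resolver the client does not trust to validate) gives no more assurance than an unauthenticated key server, so the client should fail closed rather than encrypt to it.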

US Pat. No. 9,900,281

COMPUTER-IMPLEMENTED METHOD, APPARATUS, AND COMPUTER-READABLE MEDIUM FOR PROCESSING NAMED ENTITY QUERIES USING A CACHED FUNCTIONALITY IN A DOMAIN NAME SYSTEM

VERISIGN, INC., Reston, ...

1. A computer-implemented method for responding to a domain name system (“DNS”) query request from a requestor using information
supplied by an authoritative name server, the computer-implemented method comprising:
obtaining, by a DNS resolution server over a network, a DNS query for a named resource from a requestor, wherein the DNS query
comprises information comprising a requestor-based contextual information related to the requestor, wherein the requestor-based
contextual information comprises geo-location data of the requestor;

providing, by the DNS resolution server, authentication information to the authoritative name server to authenticate the DNS
resolution server;

obtaining at least a portion of a zone file of a domain name space using the DNS query and information on how to access information
about the named resource that is not local to the DNS resolution server from the authoritative name server based on the DNS
query obtained from the requestor for the DNS resolution server that is authenticated by the authoritative name server, wherein
the information about the named resource that is not local comprises a plurality of attributes associated with the named resource,
the plurality of attributes comprising an availability indicator that indicates an availability of a server instance on which
the named resource is hosted and a security indicator that indicates a security level related to a potential requestor that
may request access to the named resource;

applying one or more rules to the portion of the zone file, the requestor-based contextual information, a named resource-based
contextual information, and the information about the named resource that is not local to the DNS resolution server;

determining, by a hardware processor of the DNS resolution server, an answer to the DNS query based on the one or more rules
that are applied; and

providing, to the requestor, the answer to the DNS query, wherein the answer is a DNS record associated with the named resource.

US Pat. No. 9,705,682

EXTENDING DNSSEC TRUST CHAINS TO OBJECTS OUTSIDE THE DNS

VERISIGN, INC., Reston, ...

1. A method of providing data, the method comprising:
receiving at a first Domain Name System (DNS) server, over an electronic computer network, a first DNS resource record request
from a client computer, wherein the first DNS resource record request comprises a first domain name;

providing, by the first DNS server to the client computer and in response to the first DNS resource record request, a first
DNS resource record comprising a URI for a first non-DNS service;

whereby the client computer derives a target URI from the URI for the first non-DNS service, contacts a second non-DNS service
at the target URI for requested data, and receives the requested data from the second non-DNS service;

receiving, at a second DNS server, over the electronic computer network, a second DNS resource record request from the client
computer, the second DNS resource record request comprising a second domain name;

providing, by the second DNS server to the client computer and in response to the second DNS resource record request, a second
DNS resource record comprising cryptographic authentication information corresponding to the second domain name;

whereby the client computer cryptographically validates the requested data using the cryptographic authentication information;
receiving at a third DNS server, prior to the receiving at the first DNS server, over the electronic computer network, a third
DNS resource record request from the client computer, the third DNS resource record request comprising a third domain name;
and

replying to the client computer that the third DNS resource record request corresponds to a non-existent record,
whereby resolution logic consequently directs the client computer to send the first DNS resource record request,
wherein the receiving the first DNS resource record request and the providing the first DNS resource record occur after the
receiving the second DNS resource record request and the providing the second DNS resource record.

US Pat. No. 9,633,197

SYSTEMS AND METHODS FOR DEVICE DETECTION AND AUTHORIZATION IN A IOT FRAMEWORK

Verisign, Inc., Reston, ...

1. A method implemented by a computer for automatically admitting a device to a computer network, the method comprising:
receiving, from one or more authorized devices in the computer network, first data that is associated with one or more
sensing modalities, wherein the one or more sensing modalities are detected by one or more of the authorized
devices during a defined time window;

identifying, via a processor, a new device to be admitted to the computer network;
constructing a time sequence of proximity events of the new device, within the defined time window, based on the first data,
wherein each proximity event is associated with a physical proximity between the new device and at least one of the one or
more sensing modalities;

determining that the time sequence of the proximity events matches an expected time sequence of expected proximity events;
and

admitting the new device to the computer network based on the determining.

US Pat. No. 10,038,706

SYSTEMS, DEVICES, AND METHODS FOR SEPARATING MALWARE AND BACKGROUND EVENTS

VERISIGN, INC., Reston, ...

1. A system comprising:
a processing system of a device comprising one or more processors; and
a memory system comprising one or more computer-readable media, wherein the one or more computer-readable media contain instructions that, when executed by the processing system, cause the processing system to perform operations comprising:
receiving traffic data comprising malware events and background noise;
converting the traffic data into a feature vector;
performing a signal processing algorithm on the feature vector to determine an unmixing matrix that separates the feature vector into a first subcomponent including the malware events and a second subcomponent including the background noise, wherein the signal processing algorithm is associated with a malware family and is trained on a first set of sample feature vectors corresponding to malware traffic generated by a device affected by the malware family and a second set of sample feature vectors corresponding to sample background noise generated by a second device unaffected by the malware family;
determining a score for the malware events using a malware classification algorithm associated with the malware family; and
applying a label associated with the malware family to the traffic data based on the score.

US Pat. No. 9,935,950

SYSTEMS AND METHODS FOR ESTABLISHING OWNERSHIP AND DELEGATION OWNERSHIP OF IOT DEVICES USING DOMAIN NAME SYSTEM SERVICES

VERISIGN, INC., Reston, ...

1. A method for establishing ownership of a component of an internet of things (“IoT”) device, the method comprising:
receiving, at a registration service, a request to register the component of the IoT device, the request comprising a public key of the component of the IoT device, an identifier of the component of the IoT device, and a public key of an owner of the component of the IoT device;
generating, via the registration service, an authorization file that includes rights information associated with the component of the IoT device;
determining a qualified name for the component of the IoT device based on a name associated with the owner of the component of the IoT device;
generating one or more domain name system (“DNS”) records for the component of the IoT device, the one or more DNS records comprising the authorization file and an authentication file that identifies a chain of ownership of the component of the IoT device; and
storing the one or more DNS records in a registry.

US Pat. No. 9,866,536

PRIVACY PRESERVING REGISTRY BROWSING

VERISIGN, INC., Reston, ...

1. A method for preserving privacy of a domain name related request, comprising:
receiving, from a client computer, a request for information related to a domain name and comprising at least one tokenized
string representing the domain name, wherein the tokenized string was tokenized by a first tokenizing authority computer based
on a first tokenizing function, and the first tokenizing authority computer is different than the client computer;

comparing the at least one tokenized string to a store of tokenized strings, wherein the tokenized strings in the store have
been tokenized by a second tokenizing authority computer based on the first tokenizing function or a tokenizing function equivalent
to the first tokenizing function, and the second tokenizing authority computer is different than the client computer and a
computer that holds the store of tokenized strings; and

determining whether the at least one tokenized string is contained in the store of tokenized strings to generate a result.
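
Added illustration of the tokenized lookup in the claim above (example code written for this page, not Verisign's implementation). The tokenizing function is assumed to be a keyed HMAC-SHA256 over a normalized domain name; the key, the two authority instances and the registered names are constructed for the example.

```python
import hashlib
import hmac
import unicodedata
from typing import Iterable, Set


def normalize(domain: str) -> str:
    """Canonical form so equivalent spellings tokenize identically (assumed rule)."""
    return unicodedata.normalize("NFC", domain.strip().rstrip(".")).lower()


class TokenizingAuthority:
    """Holds the tokenizing secret. Neither the client nor the computer holding
    the token store sees the key, only tokens."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def tokenize(self, domain: str) -> str:
        return hmac.new(self._key, normalize(domain).encode("utf-8"), hashlib.sha256).hexdigest()


def build_token_store(authority: TokenizingAuthority, registered: Iterable[str]) -> Set[str]:
    """Registry side: tokenize the registered names once; store no plaintext."""
    return {authority.tokenize(d) for d in registered}


def registry_lookup(token_store: Set[str], token: str) -> bool:
    """The store holder only ever compares tokens."""
    return token in token_store


# Constructed data: two authority computers sharing one tokenizing function/key.
KEY = b"constructed-demo-key-not-for-production"
first_authority = TokenizingAuthority(KEY)     # tokenizes the client's request
second_authority = TokenizingAuthority(KEY)    # tokenized the registry's store
TOKEN_STORE = build_token_store(second_authority, ["example.com", "shop.example.net"])


def is_registered(domain: str) -> bool:
    """Client flow: obtain a token from the first authority, query the store."""
    return registry_lookup(TOKEN_STORE, first_authority.tokenize(domain))
```

Two caveats for anyone building this: a plain unkeyed hash would let whoever holds the store reverse tokens by dictionary attack over likely names, which is why the tokenizing function needs a secret held by a separate authority; and deterministic tokens still let the store holder link repeated queries for the same name even without learning it.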

US Pat. No. 9,762,405

HIERARCHICAL PUBLISH/SUBSCRIBE SYSTEM

VERISIGN, INC., Reston, ...

1. A method for publishing a publication message, the method comprising:
receiving, at one of a plurality of first relays, a subscription request from a first client;
transmitting the subscription request from the one of the plurality of first relays to each member of a first set of geographically
dispersed central relays;

receiving, at the one of the plurality of first relays, a publication request from a second client, the publication request
including the publication message;

transmitting the publication message from the one of the plurality of first relays to a member of the first set of geographically
dispersed central relays and to a member of a second set of geographically dispersed central relays, whereby the member of
the geographically dispersed central relays in the first set of geographically dispersed central relays is operable to publish
the publication message to remaining geographically dispersed central relays in the first set of geographically dispersed
central relays on behalf of the one of the plurality of first relays and whereby the member of the geographically dispersed
central relays in the second set of geographically dispersed central relays is operable to publish the publication message
to remaining geographically dispersed central relays in the second set of geographically dispersed central relays on behalf
of the one of the plurality of first relays;

determining, at the one of the plurality of first relays, that information in the subscription request matches information
in the publication request; and

transmitting the publication message from the one of the plurality of first relays to the first client.

US Pat. No. 10,110,614

STRENGTHENING INTEGRITY ASSURANCES FOR DNS DATA

VERISIGN, INC., Reston, ...

1. A method of resolving Domain Name System (DNS) queries, the method comprising:
obtaining, at a first DNS recursive resolver, a first DNS query for a domain name record from a requestor;
determining, by at least one hardware processor of the first DNS recursive resolver, that the first DNS recursive resolver does not contain an answer to the first DNS query stored in a memory;
providing, by the first DNS recursive resolver, one or more queries to a respective one or more witnesses;
obtaining, by the first DNS recursive resolver, one or more answers from the one or more witnesses;
accessing, from a memory of the first DNS recursive resolver, a policy, wherein the policy specifies a type of associated evidence of correctness the requestor is willing to accept;
determining, by at least one hardware processor of the first DNS recursive resolver, an answer to the first DNS query based on the policy, the one or more answers from the one or more witnesses, and evidence of correctness associated with at least one of: the one or more witnesses and the one or more answers; and
providing, by the first DNS recursive resolver, the answer to the requestor.
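
Added illustration of the policy-driven decision in the claim above (example code written for this page, not Verisign's implementation). Witness evidence is simulated with per-witness HMAC keys held by the resolver; a real deployment would verify DNSSEC signatures or witness public keys. The witness names, keys, answers and policy format are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional

# Constructed trust anchors: one key per witness, known to the resolver.
WITNESS_KEYS: Dict[str, bytes] = {"w1": b"key-w1", "w2": b"key-w2", "w3": b"key-w3"}


def _sign(key: bytes, name: str, rrtype: str, rdata: str) -> str:
    return hmac.new(key, f"{name}|{rrtype}|{rdata}".encode(), hashlib.sha256).hexdigest()


def witness_answer(wid: str, name: str, rrtype: str, rdata: str, signed: bool = True) -> Dict:
    """What a witness returns for a query. `signed=False` models a witness that
    attaches no evidence of correctness."""
    ans = {"witness": wid, "name": name, "type": rrtype, "rdata": rdata}
    if signed:
        ans["sig"] = _sign(WITNESS_KEYS[wid], name, rrtype, rdata)
    return ans


def evidence_ok(ans: Dict) -> bool:
    """Verify the evidence attached to one answer against that witness's anchor."""
    key = WITNESS_KEYS.get(ans["witness"])
    sig = ans.get("sig")
    if key is None or sig is None:
        return False
    return hmac.compare_digest(sig, _sign(key, ans["name"], ans["type"], ans["rdata"]))


def decide(answers: List[Dict], policy: Dict) -> Optional[str]:
    """Apply the requestor's policy to the witness answers.
    policy["evidence"] == "signed": only answers with valid evidence are counted.
    policy["evidence"] == "quorum": every answer is counted; agreement is the evidence.
    policy["min_agree"]: how many counted answers must agree on the rdata.
    Returns the winning rdata, or None (resolver should answer SERVFAIL)."""
    if policy["evidence"] == "signed":
        votes = Counter(a["rdata"] for a in answers if evidence_ok(a))
    elif policy["evidence"] == "quorum":
        votes = Counter(a["rdata"] for a in answers)
    else:
        raise ValueError(f"unknown evidence type {policy['evidence']!r}")
    if not votes:
        return None
    rdata, count = votes.most_common(1)[0]
    return rdata if count >= policy["min_agree"] else None


def sample_answers() -> List[Dict]:
    """Constructed: two honest witnesses agree and sign; a third disagrees, unsigned."""
    return [witness_answer("w1", "www.example.com", "A", "192.0.2.1"),
            witness_answer("w2", "www.example.com", "A", "192.0.2.1"),
            witness_answer("w3", "www.example.com", "A", "198.51.100.9", signed=False)]


def forged_answer() -> Dict:
    """Constructed: an answer claiming to be from w1 with a bogus signature."""
    ans = witness_answer("w1", "www.example.com", "A", "198.51.100.9", signed=False)
    ans["sig"] = "00" * 32
    return ans
```

The two policies fail differently: a quorum policy is defeated by an attacker who can inject enough agreeing (unsigned) answers, while a signature policy is only as strong as the anchors the resolver holds, which is why the claim lets the requestor choose the evidence type it will accept.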

US Pat. No. 10,021,129

SYSTEMS AND METHODS FOR MALWARE DETECTION AND SCANNING

VERISIGN, INC., Reston, ...

1. A computer-implemented method operating in a computing system for malware scanning and detection, the method comprising:
launching, in a computing device of the computing system, a controller virtual machine;
launching, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser;
selecting, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages;
transmitting, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages;
requesting, by the subset of the plurality of HPVMs, data from the one or more web pages; and
performing analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes:
performing monitoring and recording of system application programming interface (API) calls,
creating software objects associated with the one or more web pages,
performing antivirus scanning of the software objects,
de-obfuscating JavaScript associated with the software objects, and
correlating data associated with the performed analysis to determine if the one or more web pages includes a malicious web page.

US Pat. No. 10,009,181

EXTENDING DNSSEC TRUST CHAINS TO OBJECTS OUTSIDE THE DNS

VERISIGN, INC., Reston, ...

1. A method of providing data, the method comprising:
receiving at a first Domain Name System (DNS) server, over an electronic computer network, a first DNS resource record request from a client computer, wherein the first DNS resource record request comprises a first domain name;
providing, by the first DNS server to the client computer and in response to the first DNS resource record request, a first DNS resource record comprising information sufficient to derive a target URI;
whereby the client computer derives a target URI from the information sufficient to derive a target URI, contacts a non-DNS service at the target URI for requested data, and receives the requested data from the non-DNS service;
receiving, at a second DNS server, over the electronic computer network, a second DNS resource record request from the client computer, the second DNS resource record request comprising a second domain name;
providing, by the second DNS server to the client computer and in response to the second DNS resource record request, a second DNS resource record comprising cryptographic authentication information corresponding to the second domain name;
whereby the client computer cryptographically validates the requested data using the cryptographic authentication information;
receiving at a third DNS server, prior to the receiving at the first DNS server, over the electronic computer network, a third DNS resource record request from the client computer, the third DNS resource record request comprising a third domain name; and
providing, by the third DNS server to the client computer and in response to the third DNS resource record request, an insufficient response;
whereby resolution logic consequently directs the client computer to send the first DNS resource record request, and wherein the requested data is associated with the third domain name.
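
Added illustration of the client-side resolution logic shared by US 9,705,682 and US 10,009,181 above (example code written for this page, not Verisign's implementation): an object-specific URI lookup that returns NXDOMAIN, a DNSSEC-protected digest record, fallback to a zone-level URI template, retrieval from a non-DNS service, and rejection of the object when its hash does not match. The record names (`_uri.`, `_digest.`), the SHA-256 digest encoding, the zone contents and the object store are constructed for the example; the `validated` flag stands in for DNSSEC validation.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed zone data: (owner name, rrtype) -> (rdata, dnssec_validated).
# A missing key models an NXDOMAIN/NODATA response for that request.
DOC = b"allow: *.example.com"
ZONE: Dict[Tuple[str, str], Tuple[str, bool]] = {
    # zone-level default URI template (answer to the claim's "first" request)
    ("_uri.example.com", "URI"): ("https://store.example.net/objects/{name}", True),
    # object-specific URI for one object (here the "third" request does not NXDOMAIN)
    ("_uri.special.example.com", "URI"): ("https://cdn.example.org/{name}", True),
    # per-object digests (answer to the "second" request)
    ("_digest.policy.example.com", "TXT"): ("sha256=" + hashlib.sha256(DOC).hexdigest(), True),
    ("_digest.special.example.com", "TXT"): ("sha256=" + hashlib.sha256(b"special").hexdigest(), True),
    ("_digest.tampered.example.com", "TXT"): ("sha256=" + hashlib.sha256(DOC).hexdigest(), True),
    ("_digest.unsigned.example.com", "TXT"): ("sha256=" + hashlib.sha256(b"x").hexdigest(), False),
}

# Constructed non-DNS service (an HTTPS object store), keyed by target URI.
STORE: Dict[str, bytes] = {
    "https://store.example.net/objects/policy.example.com": DOC,
    "https://cdn.example.org/special.example.com": b"special",
    "https://store.example.net/objects/tampered.example.com": b"allow: *",  # altered copy
    "https://store.example.net/objects/unsigned.example.com": b"x",
}


def dns_lookup(zone, name: str, rrtype: str) -> Optional[Tuple[str, bool]]:
    return zone.get((name, rrtype))


def parent(name: str) -> str:
    return name.split(".", 1)[1]


def fetch_validated_object(name: str, zone=ZONE, store=STORE) -> Tuple[Optional[bytes], str]:
    """Returns (data, status); data is None unless every step succeeded,
    including the digest comparison."""
    # Third request: object-specific URI record. NXDOMAIN here is what sends the
    # client to the zone-level default further down.
    uri_rr = dns_lookup(zone, f"_uri.{name}", "URI")
    # Second request: DNSSEC-protected digest for this object.
    digest_rr = dns_lookup(zone, f"_digest.{name}", "TXT")
    if digest_rr is None or not digest_rr[1]:
        return None, "no validated digest record"
    # First request (reached after the NXDOMAIN above): zone-level URI template.
    if uri_rr is None:
        uri_rr = dns_lookup(zone, f"_uri.{parent(name)}", "URI")
    if uri_rr is None or not uri_rr[1]:
        return None, "no validated URI record"
    target = uri_rr[0].format(name=name)   # derive the target URI from the record
    data = store.get(target)               # contact the non-DNS service
    if data is None:
        return None, f"object not found at {target}"
    algo, _, expected = digest_rr[0].partition("=")
    if algo != "sha256" or hashlib.sha256(data).hexdigest() != expected:
        return None, "digest mismatch: object rejected"
    return data, "ok"
```

The URI record only locates the object; nothing about the transport is trusted. Integrity comes solely from the digest record, so the digest lookup must itself be validated (the `unsigned.example.com` case is refused for exactly that reason).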

US Pat. No. 10,102,189

CONSTRUCTION OF A PHONETIC REPRESENTATION OF A GENERATED STRING OF CHARACTERS

VERISIGN, INC., Reston, ...

1. A method, comprising:
generating a string of characters based on a set of rules;
parsing the string of characters into a first string of graphemes;
adding one or more characters to the first string of graphemes to represent missing characters in the string of characters to create a second string of graphemes;
grouping the second string of graphemes into a plurality of pseudo-graphemes, wherein two or more graphemes in the second string of graphemes that are phonetized together are grouped to a single pseudo-grapheme;
accessing a first data structure that maps each pseudo-grapheme in the plurality of pseudo-graphemes to one or more universal phonetic representations based on an international phonetic alphabet, wherein the first data structure comprises a plurality of first nodes with each first node of the plurality of first nodes having a respective weight assigned that corresponds to a pronunciation of a first grapheme;
determining one or more phonetic representations for each pseudo-grapheme in the plurality of pseudo-graphemes based on the first data structure;
accessing a second data structure that maps the one or more universal phonetic representations to one or more graphemes in a third string of graphemes, wherein the second data structure comprises a plurality of second nodes with each second node of the plurality of second nodes having a respective weight assigned that corresponds to a likely representation of a second grapheme;
determining at least one grapheme representation for one or more of the one or more phonetic representations based on the second data structure;
constructing a second phonetic representation of the string of characters based on the at least one grapheme representation that was determined;
providing the second phonetic representation to a domain name verifier to determine that the phonetic representation is available to be registered as a domain name; and
providing an offer to a user to register the second phonetic representation with a domain name system.

US Pat. No. 10,083,291

AUTOMATING INTERNET OF THINGS SECURITY PROVISIONING

VERISIGN, INC., Reston, ...

1. A computer-implemented method for establishing trust in an internet of things (“IoT”) device when provisioning the IoT device, the method comprising:
receiving, at a registration service executing on a hardware processor, a provisioning request from the IoT device for provisioning the IoT device within a network, wherein the provisioning request is signed with a private key stored within a memory of the IoT device and associated with a public key having a many-to-one relationship with a plurality of private keys, wherein the private key is included in the plurality of private keys;
determining, via the hardware processor, a verification item associated with the private key based on which the provisioning request is signed;
performing, via the hardware processor, one or more cryptographic operations on the verification item to determine that one or more provisioning operations are authorized; and
performing, via the hardware processor, the one or more provisioning operations to establish a verifiable identification for the IoT device within the network.

US Pat. No. 9,613,128

SYSTEMS AND METHODS FOR A CACHE-SENSITIVE INDEX USING PARTIAL KEYS

VERISIGN, INC., Reston, ...

1. A computer-implemented method of loading records into a search tree, comprising:
generating a sorted list of groups, by:
reading a record from a database;
populating a first full key, wherein a pointer to the first full key is in a first node of a group and the pointer to the
first full key points to the record;

pushing the group onto a stack;
popping a top two stack entries in the stack based on a determination that a number of records in the top two stack entries
is a power of two;

combining the top two stack entries into a sorted list;
pushing the sorted list onto the stack;
based on a determination that the number of records in the top two stack entries is not a power of two, reading a current
record from the database and populating a current full key, wherein a pointer to the current full key is a first node of a
current group and the pointer to the current full key points to the current record;

pushing the current group onto the stack; and
based on a determination that there are no additional records to read in the database, combining all stack entries in the
stack to generate the sorted list of groups, wherein:

each group of the sorted list of groups comprises at least one node; and
each node of the sorted list of groups comprises at least one pointer to a full key;
generating a search tree, wherein the sorted list of groups corresponds to leaf nodes of the search tree;
generating a root node and non-leaf nodes of the search tree; and
generating partial keys for each full key with a pointer in the leaf nodes, each full key with a pointer in the non-leaf nodes,
and each full key with a pointer in the root node of the search tree, wherein each partial key is a fixed size and comprises:

a byte offset indicating a position the partial key differs from the corresponding full key; and
a subset of the corresponding full key.
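
Added illustration of the stack-based load and the partial keys in the claim above (example code written for this page, not Verisign's implementation). The merge condition is implemented as "top two entries hold the same number of records", which is the case in which their union is a power of two for a binary merge; the fragment width of 4 bytes and the sample records are constructed for the example.

```python
from typing import List, Tuple

PartialKey = Tuple[int, bytes]   # (byte offset, fixed-width fragment)


def merge(a: List[bytes], b: List[bytes]) -> List[bytes]:
    out, i, j = [], 0, 0
    while i < len(a) and j < len(b):
        if a[i] <= b[j]:
            out.append(a[i]); i += 1
        else:
            out.append(b[j]); j += 1
    return out + a[i:] + b[j:]


def sorted_groups(records: List[bytes]) -> List[bytes]:
    """Push each record as a one-key group; whenever the top two stack entries
    hold the same number of records (their union is a power of two) pop both,
    merge, and push the merged list. Remaining entries are merged at end of input."""
    stack: List[List[bytes]] = []
    for rec in records:
        stack.append([rec])
        while len(stack) >= 2 and len(stack[-1]) == len(stack[-2]):
            top, below = stack.pop(), stack.pop()
            stack.append(merge(below, top))
    while len(stack) >= 2:
        top, below = stack.pop(), stack.pop()
        stack.append(merge(below, top))
    return stack[0] if stack else []


def partial_key(prev: bytes, full: bytes, width: int = 4) -> PartialKey:
    """Fixed-size partial key: offset of the first byte where `full` differs
    from its predecessor, plus the next `width` bytes (zero-padded)."""
    n = min(len(prev), len(full))
    off = next((i for i in range(n) if prev[i] != full[i]), n)
    return off, full[off:off + width].ljust(width, b"\0")


def build_partial_keys(sorted_keys: List[bytes], width: int = 4) -> List[PartialKey]:
    out, prev = [], b""
    for k in sorted_keys:
        out.append(partial_key(prev, k, width))
        prev = k
    return out


def may_equal(pk: PartialKey, target: bytes, width: int = 4) -> bool:
    """Cheap filter: if the target's bytes at the partial key's offset differ
    from the fragment, the full key cannot equal the target, so the pointer to
    the full key need not be followed (no cache miss on the full key)."""
    off, frag = pk
    return target[off:off + width].ljust(width, b"\0") == frag


# Constructed sample records (unsorted on purpose).
SAMPLE_RECORDS = [b"mail.example", b"api.example", b"www.example", b"app.example", b"a.example"]
```

A partial key can only reject a candidate; when `may_equal` returns True the full key still has to be compared, so the saving is in the common case of mismatches during a search, not in the final equality check.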

US Pat. No. 10,084,746

HIGH PERFORMANCE DNS TRAFFIC MANAGEMENT

VERISIGN, INC., Reston, ...

1. A method, implemented via a computing system, for managing network traffic, the method comprising:
receiving, by a resolution server via a network, a set of traffic management rules;
translating, by the resolution server, each traffic management rule of the set of traffic management rules into corresponding entries in one or more traffic management tables, wherein each traffic management rule of the set of traffic management rules corresponds to one or more rows in the one or more traffic management tables;
receiving, by the resolution server, a Domain Name System (DNS) query from a client computer via the network, wherein the DNS query includes a domain name and resource record type;
upon receiving the DNS query, searching, by the resolution server, an initial traffic management rule in one of the one or more traffic management tables without executing a traffic management script, based on the domain name and resource record type as a search key, wherein the initial traffic management rule specifies a first variable that affects a DNS answer;
iterating, based on the initial traffic management rule, until the DNS answer to the DNS query is found, wherein the iterating comprises:
fetching, via the computing system, a value for another variable specified in a successive traffic management rule obtained from one of the one or more traffic management tables; and
searching, via the computing system, in one of the one or more traffic management tables the DNS answer or another successive traffic management rule based on the domain name, and the value for the another variable of the successive traffic management rule as a search key; and
transmitting, by the resolution server, the DNS answer to the client computer.
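
Added illustration of the table-driven resolution in the claim above (example code written for this page, not Verisign's implementation): rules are compiled once into an initial table keyed by (name, type) and a step table keyed by (name, variable, value), and each query is answered by bounded table lookups with no script evaluation. The rule format, the variable sources (client geolocation, pool health) and all addresses are constructed for the example.

```python
from typing import Dict, Optional, Tuple, Union

# Table row kinds (constructed representation):
#   ("var", <variable>)  -> fetch that variable's value and look up again
#   ("answer", <rdata>)  -> the DNS answer
Row = Tuple[str, str]
Node = Union[str, Dict]   # rule tree: an rdata string, or {"var": ..., "cases": {value: Node}}

# Constructed traffic-management rules as an operator might write them.
RULES: Dict[Tuple[str, str], Node] = {
    ("www.example.com", "A"): {
        "var": "geo",
        "cases": {
            "EU": {"var": "health:eu-pool",
                   "cases": {"up": "192.0.2.10", "down": "198.51.100.10"}},
            "*": "198.51.100.10",
        },
    },
    ("static.example.com", "A"): "203.0.113.5",
}


def compile_rules(rules: Dict[Tuple[str, str], Node]):
    """Translate each rule into table rows: one initial row per (name, type)
    and one step row per (name, variable, value). No code is generated."""
    rule_table: Dict[Tuple[str, str], Row] = {}
    step_table: Dict[Tuple[str, str, str], Row] = {}

    def emit(name: str, node: Node) -> Row:
        if isinstance(node, str):
            return ("answer", node)
        for value, child in node["cases"].items():
            step_table[(name, node["var"], value)] = emit(name, child)
        return ("var", node["var"])

    for (name, rrtype), node in rules.items():
        rule_table[(name, rrtype)] = emit(name, node)
    return rule_table, step_table


RULE_TABLE, STEP_TABLE = compile_rules(RULES)

# Constructed variable sources.
GEO_BY_IP = {"203.0.113.7": "EU", "198.51.100.20": "US"}
POOL_HEALTH = {"eu-pool": "up"}


def fetch_variable(var: str, client_ip: str, pool_health: Dict[str, str]) -> str:
    if var == "geo":
        return GEO_BY_IP.get(client_ip, "*")
    if var.startswith("health:"):
        return pool_health.get(var.split(":", 1)[1], "down")
    return "*"


def resolve(name: str, rrtype: str, client_ip: str,
            pool_health: Dict[str, str] = POOL_HEALTH, max_steps: int = 8) -> Optional[str]:
    """Answer a query by iterating table lookups; the step bound guards
    against a cyclic or runaway rule chain."""
    row = RULE_TABLE.get((name, rrtype))
    steps = 0
    while row is not None and row[0] == "var":
        steps += 1
        if steps > max_steps:
            raise RuntimeError("rule chain too long or cyclic")
        value = fetch_variable(row[1], client_ip, pool_health)
        row = STEP_TABLE.get((name, row[1], value)) or STEP_TABLE.get((name, row[1], "*"))
    return row[1] if row else None
```

Compiling to tables also removes a class of risk that per-query scripts carry: the query path never interprets operator-supplied code, and the work per query is bounded by `max_steps` lookups regardless of rule complexity.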

US Pat. No. 10,102,203

METHOD FOR WRITING A FOREIGN LANGUAGE IN A PSEUDO LANGUAGE PHONETICALLY RESEMBLING NATIVE LANGUAGE OF THE SPEAKER

VERISIGN, INC., Reston, ...

1. A method of converting a string of characters in a first language into a phonetic representation of a second language, the method comprising:
receiving the string of characters in the first language;
parsing the string of characters in the first language into a first string of graphemes in the first language;
adding one or more characters to the first string of graphemes to represent missing characters in the string of characters to create a second string of graphemes;
grouping the second string of graphemes into a plurality of pseudo-graphemes based on a probability determined by a trained discrete estimator, wherein two or more graphemes in the string of graphemes that are phonetized together are grouped to a single pseudo-grapheme;
accessing a first data structure that maps each pseudo-grapheme in the string of pseudo-graphemes in the first language to one or more universal phonetic representations based on an international phonetic alphabet, wherein the first data structure comprises a plurality of first nodes with each first node of the plurality of first nodes having a respective weight assigned that corresponds to a likely pronunciation of a grapheme;
determining one or more phonetic representations for each pseudo-grapheme in the string of pseudo-graphemes in the first language based on the first data structure;
accessing a second data structure that maps the one or more universal phonetic representations to one or more graphemes in the second language, wherein the second data structure comprises a plurality of second nodes with each second node of the plurality of second nodes having a respective weight assigned that corresponds to a likely representation of a grapheme in the second language;
determining at least one grapheme representation in the second language for one or more of the one or more phonetic representations based on the second data structure; and
constructing the phonetic representation of the string of characters in the second language based on the grapheme representation in the second language that was determined.

US Pat. No. 10,075,423

PROVISIONING FOR SMART NAVIGATION SERVICES

VERISIGN, INC., Reston, ...

1. A computer-implemented method of provisioning a navigation service, the method comprising:
receiving, over a computer network, and by the navigation service, an electronic authorization to resolve command data comprising a keyword and an entity name associated with a name owner to at least one network locator using a keyword service;
receiving, from the keyword service, and by the navigation service, at least one rule correlating at least the keyword and the entity name to the at least one network locator;
receiving, over a computer network, by the navigation service, and from a client computer, the command data;
applying the at least one rule to at least the keyword and the entity name to obtain the at least one network locator; and
providing, over a computer network, by the navigation service, and to the client computer, a response to the command data comprising the at least one network locator.

US Pat. No. 10,333,968

TECHNIQUES FOR DETECTING ATTACKS IN A PUBLISH-SUBSCRIBE NETWORK

VERISIGN, INC., Reston, ...

1. A computer-implemented method for detecting a network attack in a publish-subscribe network, the method comprising:
generating a current system model that represents a current state of the publish-subscribe network, the current system model including:
a set of state-related indicators representing an operational state of the publish-subscribe network, wherein the set of state-related indicators includes at least one of a topic fan-in or a topic fan-out, and
a set of flow-related indicators representing an overall traffic flow through the publish-subscribe network;
generating a first probability that the publish-subscribe network is subject to attack, based on a first indicator included in the set of state-related indicators;
generating a second probability that the publish-subscribe network is subject to attack, based on a second indicator in the set of flow-related indicators;
combining the first probability with the second probability to generate a third probability;
determining that the third probability exceeds a first threshold value; and
in response, dispatching a first handler configured to address the network attack.
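
Added illustration of the probability combination in the claim above (example code written for this page, not Verisign's implementation). The per-indicator model (a logistic curve over the indicator's z-score against a baseline window), the noisy-OR combination, the threshold, the baselines and the handlers are all assumptions made for the example; the claim itself does not fix them.

```python
import math
import statistics
from typing import Callable, Dict, List, Optional

# Constructed baselines: recent windows of each indicator under normal operation.
BASELINE: Dict[str, List[float]] = {
    "topic_fan_in": [10, 11, 9, 10, 12, 10, 11, 9, 10, 11],          # publishers per topic
    "msgs_per_s":   [100, 120, 110, 105, 115, 95, 125, 110, 100, 120],  # overall flow
}


def indicator_probability(value: float, baseline: List[float],
                          steepness: float = 1.0, z_mid: float = 3.0) -> float:
    """P(attack | one indicator): logistic curve over the z-score of the current
    value against its baseline, centred at z_mid standard deviations (assumed model)."""
    mu = statistics.fmean(baseline)
    sd = statistics.pstdev(baseline) or 1e-9
    z = (value - mu) / sd
    x = max(-50.0, min(50.0, steepness * (z - z_mid)))   # clamp before exp()
    return 1.0 / (1.0 + math.exp(-x))


def combine(p_state: float, p_flow: float) -> float:
    """Noisy-OR: either evidence source alone can raise the combined probability."""
    return 1.0 - (1.0 - p_state) * (1.0 - p_flow)


# Constructed handlers, chosen by the indicator that contributed most.
HANDLERS: Dict[str, Callable[[Dict], str]] = {
    "topic_fan_in": lambda m: f"rate-limit publishers on topic {m['topic']}",
    "msgs_per_s":   lambda m: f"shed load: cap flow at {m['flow']['msgs_per_s'] // 2} msg/s",
}


def detect(model: Dict, baseline: Dict[str, List[float]] = BASELINE, threshold: float = 0.9) -> Dict:
    """Current system model in, decision out: probabilities and the dispatched action."""
    p_state = indicator_probability(model["state"]["topic_fan_in"], baseline["topic_fan_in"])
    p_flow = indicator_probability(model["flow"]["msgs_per_s"], baseline["msgs_per_s"])
    p = combine(p_state, p_flow)
    action: Optional[str] = None
    if p > threshold:
        key = "topic_fan_in" if p_state >= p_flow else "msgs_per_s"
        action = HANDLERS[key](model)
    return {"p_state": p_state, "p_flow": p_flow, "p": p, "action": action}


# Constructed system models.
NORMAL_MODEL = {"topic": "orders", "state": {"topic_fan_in": 11, "topic_fan_out": 40},
                "flow": {"msgs_per_s": 118}}
FLOOD_MODEL = {"topic": "orders", "state": {"topic_fan_in": 40, "topic_fan_out": 40},
               "flow": {"msgs_per_s": 5000}}
FAN_IN_ONLY_MODEL = {"topic": "orders", "state": {"topic_fan_in": 40, "topic_fan_out": 40},
                     "flow": {"msgs_per_s": 118}}
```

Noisy-OR treats the two indicators as independent evidence, which is appropriate when a publisher-flooding attack can show up in the topic structure before it shows up in aggregate flow; with correlated indicators it over-counts, and a product-of-likelihoods or learned combiner would be the better choice.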

US Pat. No. 10,348,760

INTEGRATED USER CHALLENGE PRESENTATION FOR DDOS MITIGATION SERVICE

VERISIGN, INC., Reston, ...

1. A system for providing distributed denial-of-service (DDoS) mitigation service, the system comprising:
a memory storing instructions;
a processor, operably connected to the memory, that executes the instructions to perform operations comprising:
receiving, from a web server, an image of a web page of the web server;
intercepting, from a user device, a request to access the web server;
generating an integrated user challenge page comprising a user challenge test and the image of the web page, wherein the image of the web page comprises an image of at least a portion of the web page;
transmitting, prior to establishing any connection between the user device and the web server, the integrated user challenge page to the user device;
processing an answer to the user challenge test received from the user device; and
determining whether the answer is correct.

US Pat. No. 10,185,741

SMART NAVIGATION SERVICES

VERISIGN, INC., Reston, ...

1. A method of providing a navigation service, implemented using a computer system, comprising:
receiving, at a navigation service and via the internet, a request for a network resource provided by a navigation client, the request derived from a formatted command string provided to the navigation client, the formatted command string consisting of an entity name portion and a keyword portion, wherein the entity name portion comprises an entity name and a name space identifier abutting the entity name, wherein the name space identifier is selected from the group consisting of: @, fb, in, and “.”, wherein the keyword portion comprises a keyword and a keyword delimiter abutting the keyword, wherein the request comprises the entity name and the keyword, and wherein the navigation service is not a domain name system navigation service;
obtaining, from at least one database of the navigation service, a network locator corresponding to the entity name portion and the keyword portion, wherein the at least one database comprises data associating the entity name and the keyword with the network locator, the data provided to the navigation service by an entity corresponding to the entity name; and
providing, in response to the receiving, to the navigation client, and via the internet, the network locator.

US Pat. No. 10,063,519

AUTOMATICALLY OPTIMIZING WEB APPLICATION FIREWALL RULE SETS

VERISIGN, INC., Reston, ...

1. A computer-implemented method for configuring a rule set to protect web applications from on-line attacks, the method comprising:
identifying a first completed filtering operation associated with applying a first rule included in the rule set to a first request to access a web application received from a first client;
computing a first quality score associated with the first rule based on the first completed filtering operation and a first reputation value indicating a likelihood that the first client is legitimate;
determining that the first quality score indicates that the first rule does not satisfy a quality criterion; and
disabling the first rule in the rule set to generate a second rule set.
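
Added illustration of the quality scoring in the claim above (example code written for this page, not Verisign's implementation). The score used here, the mean of 1 minus the client's legitimacy likelihood over the rule's completed blocks, the quality criterion and the sample log and reputation feed are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed reputation feed: likelihood that a client is legitimate, 0..1.
REPUTATION: Dict[str, float] = {
    "198.51.100.7": 0.95, "192.0.2.44": 0.90,     # long-lived, well-behaved clients
    "203.0.113.9": 0.05, "203.0.113.77": 0.10,    # known scanners
}

# Constructed filtering log: one (rule_id, client_ip) per completed block.
FILTER_LOG: List[Tuple[str, str]] = [
    ("sqli-001", "203.0.113.9"), ("sqli-001", "203.0.113.77"), ("sqli-001", "198.51.100.7"),
    ("xss-017", "198.51.100.7"), ("xss-017", "192.0.2.44"), ("xss-017", "198.51.100.7"),
    ("rfi-003", "203.0.113.9"),
]


def rule_quality(log: Iterable[Tuple[str, str]], reputation: Dict[str, float],
                 default_reputation: float = 0.5) -> Dict[str, Tuple[float, int]]:
    """Per rule: (quality score, number of completed blocks). Each block is
    credited with 1 - P(client legitimate), so a rule that mostly blocks
    reputable clients (probable false positives) scores low."""
    credit: Dict[str, List[float]] = defaultdict(list)
    for rule_id, ip in log:
        credit[rule_id].append(1.0 - reputation.get(ip, default_reputation))
    return {r: (sum(c) / len(c), len(c)) for r, c in credit.items()}


def optimize_rule_set(rule_set: List[str], log: Iterable[Tuple[str, str]],
                      reputation: Dict[str, float], min_score: float = 0.5,
                      min_samples: int = 3) -> Tuple[List[str], Set[str]]:
    """Disable rules that fail the quality criterion. Rules with fewer than
    min_samples observations are left alone: not enough evidence either way."""
    scores = rule_quality(log, reputation)
    disabled = {r for r, (score, n) in scores.items() if n >= min_samples and score < min_score}
    return [r for r in rule_set if r not in disabled], disabled
```

Two operational caveats: disabling a rule removes protection, so an "audit only" mode is usually safer than removal, and because the score depends on the reputation feed, an attacker who sends attacks from high-reputation addresses (or who can poison the feed) can push a good rule below the threshold; the minimum sample size limits, but does not eliminate, that lever.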

US Pat. No. 10,257,046

EVALUATION OF DNS PRE-REGISTRATION DATA TO PREDICT FUTURE DNS TRAFFIC

VERISIGN, INC., Reston, ...

1. A method for predicting future network traffic, comprising:
receiving non-existent domain (NXD) requests from a plurality of name servers for one or more candidate domains over a first period of time;
determining a total number of NXD requests sent by each of the plurality of name servers over the first period of time;
determining the size of each of the plurality of name servers based on the determined total number of NXD requests sent by each name server over the first period of time; and
based on at least the determined size of each of the plurality of name servers, predicting at least one of an expected name-in-use response level for the one or more candidate domains, an expected click traffic for the one or more candidate domains, or a combination thereof.

US Pat. No. 10,182,032

SYSTEMS AND METHODS FOR SETTING REGISTRY SERVICE STATUS

VERISIGN, INC., Reston, ...

1. A computer-implemented method of managing status codes of provisioned objects, comprising:receiving, by a Domain Name System (DNS) registry server, an Extensible Provisioning Protocol (EPP) command comprising a provisioned object and a request to change a first status set related to the provisioned object from a DNS registrar, the first status set corresponding to a group of more than one status codes, wherein the provisioned object comprises a domain name, a host name, or a contact information that is provisioned using the EPP;
receiving, by the DNS registry server, a reason to change the first status set from the DNS registrar using the EPP, wherein the reason comprises a service reason number and a descriptor of the reason;
determining, by at least one hardware processor of the DNS registry server, that the reason to change the first status set is valid;
determining, by at least one hardware processor of the DNS registry server, that one or more status codes in a previously assigned second status set implemented by the DNS registry server or the DNS registrar is not altered by the request;
changing, by at least one hardware processor of the DNS registry server, one or more of the status codes associated with the provisioned object in a record of a database, according to the request to change the first status set; and
maintaining the one or more status codes in the second status set for the provisioned object that are active with the first status set, wherein one or more status codes of the second status set are not removed,
wherein the status codes are related to a court order, a transfer dispute lock, or combinations thereof, wherein the first status set or the second status set comprise a self-expiration time after which the first status set or the second status set is automatically removed, automatically changed from active or inactive, or automatically changed from inactive to active.

US Pat. No. 10,171,415

CHARACTERIZATION OF DOMAIN NAMES BASED ON CHANGES OF AUTHORITATIVE NAME SERVERS

VERISIGN, INC., Reston, ...

1. A computer-implemented method, comprising:
receiving a data set corresponding to name server operations for a plurality of domain names, wherein each name server operation of the name server operations is associated with a time unit;
determining, using one or more processors, an identifier for each domain name in the plurality of domain names based on the name server operations, wherein:
the identifier comprises a Name Server Switching Footprint (NSSF), textual data, and indicates name server switching operations associated with the domain name; and
the NSSF comprises a string with a first value that represents a number of add operations associated with a number of name servers added to an authoritative list of name servers for the domain name and a second value that represents a number of delete operations associated with a number of name server deletions from the authoritative list of name servers for the domain name;
determining the identifier comprising determining the NSSF by building a string for each time unit and concatenating the strings together;
determining that an NSSF of a first domain name of the plurality of domain names is associated with a malicious domain name use by matching the first value and the second value to corresponding first and second values in an NSSF associated with the malicious domain name use; and
in response to determining that the NSSF of the first domain name is associated with a malicious domain name use, adding the first domain name to a blacklist to prevent a malicious use of the first domain name.

US Pat. No. 10,153,905

HASH-BASED ELECTRONIC SIGNATURES FOR DATA SETS SUCH AS DNSSEC

VERISIGN, INC., Reston, ...

1. A method of electronically signing domain name system (DNS) records stored in a zone file for an internet DNS zone, the method comprising:
electronically accessing a plurality of DNS resource records of a DNS zone stored on one or more DNS servers of a distributed DNS database;
generating a plurality of leaf nodes from the plurality of DNS resource records by applying a hash function to the DNS resource records;
constructing a recursive hash tree from the plurality of leaf nodes, wherein the recursive hash tree comprises a plurality of nodes, the plurality of nodes comprising a root node and the plurality of leaf nodes, wherein each node of the plurality of nodes comprises either a leaf node or a hash of data comprising one or more child nodes;
storing the root node in a DNS key (DNSKEY) resource record for a zone signing key (ZSK) for the zone;
publishing, in a DNS resource record signature (RRSIG) resource record, validation data comprising path data from the recursive hash tree, whereby a DNS client validates at least one of the DNS resource records using at least the validation data and the root node;
obtaining a hash-based signature on data comprising the ZSK for the zone using a second recursive hash tree, wherein the hash-based signature is not algebraically based; and
storing the hash-based signature in an RRSIG resource record associated with the DNSKEY resource record for the ZSK;
whereby a DNS client validates the ZSK using at least the hash-based signature from the RRSIG resource record associated with the DNSKEY resource record for the ZSK.

US Pat. No. 10,367,825

METHOD AND SYSTEM FOR PARALLEL VALIDATION OF DOMAIN NAME SYSTEM SECURITY EXTENSION RECORDS

VERISIGN, INC., Reston, ...

1. A parallelized method for authenticating a domain name system (DNS) query using domain name system security extensions (DNSSEC), the method comprising:
obtaining, at a validating DNSSEC-aware DNS client, a DNS query for a resource record for a fully qualified domain name (FQDN);
segmenting the FQDN into more than one specific sub-FQDN;
providing, in parallel, a DNS query for a DNSSEC-related resource record for each of the more than one specific sub-FQDN to a respective authoritative name server or recursive resolver;
obtaining, in parallel, the DNSSEC-related resource record for each of the more than one specific sub-FQDN;
validating, in parallel, the DNSSEC-related resource record for each of the more than one specific sub-FQDN;
combining each of the DNSSEC-related resource records for each of the more than one specific sub-FQDN; and
verifying a chain of trust of the DNSSEC-related resource records.

US Pat. No. 10,346,627

PRIVACY PRESERVING DATA QUERYING

VERISIGN, INC., Reston, ...

1. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor, cause the at least one processor to respond to a query for information while preserving privacy of the query by performing the steps of:
obtaining a plurality of tokenized data terms that are associated with a database, wherein the plurality of tokenized data terms are derived from a plurality of blinded data terms corresponding to a plurality of data terms using at least a first tokenizing authority and a first tokenizing function;
receiving, via a network and from a client computer different from a source of the plurality of data terms, a query for information that includes a tokenized query term derived using at least blinding, and the first tokenizing function or a related second tokenizing function; and
determining whether the tokenized query term is included in the plurality of tokenized data terms to generate a result without revealing any of the plurality of data terms.

US Pat. No. 10,250,618

ACTIVE VALIDATION FOR DDOS AND SSL DDOS ATTACKS

VERISIGN, INC., Reston, ...

1. A computer-implemented method of mitigating against a denial of service (DoS) attack, comprising:
detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers;
in response to detecting the DoS attack or potential DoS attack, receiving, at a second server system comprising one or more servers, network traffic directed to the first server system;
subjecting requesting clients to at least one challenge mechanism by directing clients to complete the at least one challenge mechanism until a portion of network traffic originating from non-suspect clients reaches a threshold, the at least one challenge mechanism comprising challenging requesting clients to request Secure Sockets Layer (SSL) session resumption;
identifying one or more non-suspect clients, the one or more non-suspect clients corresponding to requesting clients that successfully complete the at least one challenge mechanism;
identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the at least one challenge mechanism; and
forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system.

US Pat. No. 10,237,231

MULTIPLE PROVISIONING OBJECT OPERATION

VERISIGN, INC., Reston, ...

1. A computer-implemented method for managing multiple provisioned domain name system (“DNS”) registry objects, the method comprising:
receiving, at a DNS registry, a first multiple domain extensible provisioning protocol (“EPP”) command from a registrar on behalf of a registrant to group multiple provisioned DNS registry objects to be managed together;
receiving, at the DNS registry, a second multiple domain EPP command from the registrar to perform an action for each provisioned DNS registry object of the multiple provisioned DNS registry objects, wherein the second multiple domain EPP command comprises one or more of: a multiple domain renew operation to extend a validity period of each DNS registry object, or a multiple domain delete operation to delete an instance of each DNS registry object;
comparing the action with one or more allowable actions in a policy maintained by the registry;
determining, by a processor, that the action is allowable based on the comparing; and
performing, based on the determining, the action on each of the multiple provisioned DNS registry objects in one transaction.

US Pat. No. 10,230,760

REAL-TIME CLOUD-BASED DETECTION AND MITIGATION OF DNS DATA EXFILTRATION AND DNS TUNNELING

VERISIGN, INC., Reston, ...

1. A computer-implemented method for managing a domain name system (DNS) based attack, the method comprising:
receiving a first DNS request directed to a first domain name;
determining that a first characteristic associated with a first fully qualified domain name (FQDN) included in the first DNS request exceeds a first threshold value;
in response, computing a distance between the first FQDN and a second FQDN included in a second DNS request also directed to the first domain name; and
incrementing a first count value associated with the first domain name based on the distance.

US Pat. No. 10,193,911

TECHNIQUES FOR AUTOMATICALLY MITIGATING DENIAL OF SERVICE ATTACKS VIA ATTACK PATTERN MATCHING

VERISIGN, INC., Reston, ...

1. A method for mitigating a denial of service attack, the method comprising:
determining that a number of requests transmitted by a first client to a server during a first time period is greater than a first threshold;
in response, classifying the first client as a top talker;
generating one or more first attack patterns based on the requests transmitted by the first client to the server;
determining, at least partially in parallel with generating the one or more first attack patterns, that a number of requests transmitted by a second client to a server during a second time period is greater than the first threshold;
identifying additional requests being transmitted by at least one of the first client and the second client to the server;
determining that a number of the additional requests transmitted by the at least one of the first client and the second client to the server matches the one or more first attack patterns; and
in response, performing one or more operations to address the additional requests being transmitted to the server.

US Pat. No. 10,178,055

HIERARCHICAL PUBLISH AND SUBSCRIBE SYSTEM

VERISIGN, INC., Reston, ...

1. A method of publishing a publication message including a pattern, the method comprising:
receiving, at a first central relay of a plurality of central relays, a subscription request from a first client, wherein the subscription request includes a condition associated with a target, and wherein the plurality of central relays are located at a first data center;
receiving, at a second relay, a publication request from a second client, wherein the publication request includes the publication message, wherein the second client comprises a domain name system (DNS) service and the publication message comprises a predetermined character or a predetermined character string that is indicative of a statistic of a functioning of the DNS service;
transmitting the publication message from the second relay to all of the plurality of central relays if the second relay is not one of the plurality of central relays;
transmitting the publication message to all of the plurality of central relays except for the second relay if the second relay is one of the plurality of central relays;
determining that a pattern based on the predetermined character or the predetermined character string in the publication message satisfies the condition associated with the target; and
transmitting the publication message from the first central relay to the first client.

US Pat. No. 10,140,282

INPUT STRING MATCHING FOR DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A computer-implemented method, comprising:
accessing a first input string that includes a keyword to be compared;
generating a Universal character set transformation format (UTF)-encoded input string from the first input string;
parsing the UTF-encoded input string via an n-gram parser to generate a plurality of input string n-grams;
accessing a second input string that includes a domain to be compared;
determining that the second input string includes a top-level domain suffix;
stripping the top-level domain suffix from the second input string to create a modified second input string;
generating a UTF-encoded domain string from the modified second input string that includes the domain;
parsing the UTF-encoded domain string to generate a plurality of domain string n-grams from the UTF-encoded domain string;
comparing the plurality of input string n-grams to the plurality of domain string n-grams;
identifying a match between the first input string that includes the keyword and the second input string that includes the domain based on the comparison of the plurality of input string n-grams to the plurality of domain string n-grams;
generating a relevance score for the identified match, wherein the relevance score is based on a first input string n-gram from the plurality of input string n-grams that matches the plurality of domain string n-grams; and
returning the second input string that includes a domain based on determining that the relevance score meets a threshold value and one or more variants of the domain that include one or more graphemes that are different from one or more graphemes in the domain.

US Pat. No. 10,404,650

DOMAIN NAME REGISTRATION RESERVATION THROUGH THE USE OF ENCODING DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A method of facilitating registration of a target domain name with the domain name system (DNS), the method comprising:
receiving a request to register an encoding domain name with the DNS, the encoding domain name comprising an indication of a temporal event and of a target domain name;
registering the encoding domain name to a registrant, wherein the registering the encoding domain name confers to the registrant a right to register the target domain name upon a specified condition, wherein the specified condition comprises an occurrence of the temporal event;
receiving a request initiated by the registrant to register the target domain name; and
registering the target domain name to the registrant after satisfaction of the specified condition.

US Pat. No. 10,395,031

SYSTEMS AND METHODS FOR MALWARE DETECTION AND SCANNING

VERISIGN, INC., Reston, ...

1. A computer-implemented method, operating in a hub computing device, for malware scanning and detection, the method comprising:
receiving, by the hub computing device from a separate controller computing device, a malware scan request having:
a first portion that includes an identification of a target website, and
a second portion that includes instructions to scan the target website;
identifying, by the hub computing device, a plurality of first spoke honeypot computing devices for performing the malware scan request on the target website, wherein:
at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices is separate from the hub computing device,
at least one first spoke honeypot computing device is configured to use a second spoke honeypot computing device as a proxy, and
the second spoke honeypot computing device appears to originate from a different address than the plurality of first spoke honeypot computing devices;
sending, by the hub computing device to the plurality of first spoke honeypot computing devices, the malware scan request received from the controller computing device, wherein at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices is configured to route the malware scan request to the second spoke honeypot computing device;
receiving, by the hub computing device from at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices, a first set of results associated with performing the malware scan request, wherein performing the malware scan request includes visiting the target website by at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices or by the second spoke honeypot computing device; and
sending, to the controller computing device, the first set of results associated with performing the malware scan request.

US Pat. No. 10,375,017

DETECTING AND MITIGATING REGISTRAR COLLUSION IN DROP-ADD ACQUISITIONS OF DOMAIN NAMES

VERISIGN, INC., Reston, ...

1. A system for detecting domain name system (DNS) registrar collusion, comprising:
a collusion detector at a DNS registry; and
a non-transitory memory storing instructions that, when executed by at least one processor of the collusion detector, cause the collusion detector to perform a method comprising:
obtaining information related to a plurality of name acquisition requests, wherein a plurality of DNS registrars submit the plurality of name acquisition requests attempting to acquire one or more targeted domain names in a drop pool of expired domain names, wherein the drop pool of expired domain names comprises one or more domain names that are scheduled to be dropped from the DNS registry after a registration period of each of the one or more domain names has expired;
providing, for the plurality of DNS registrars, a plurality of attempt sets containing the one or more targeted domain names, wherein the plurality of attempt sets each contains at least one targeted domain name that a respective DNS registrar of the plurality of DNS registrars attempted to acquire via at least one of the plurality of name acquisition requests;
determining a similarity of overlap between two or more attempt sets of the plurality of attempt sets corresponding to a pair of DNS registrars of the plurality of DNS registrars;
estimating a likelihood of collusion between the pair of DNS registrars based on the similarity; and
performing mitigation actions in response to the likelihood of collusion.

US Pat. No. 10,298,543

REAL-TIME ASSOCIATION OF A POLICY-BASED FIREWALL WITH A DYNAMIC DNS HOSTNAME

VERISIGN, INC., Reston, ...

1. A computer-implemented method for associating a firewall policy with a dynamic domain name system (DNS) hostname, the method comprising:
associating, by a policy configuration portal in an external network, a first hostname with a first network address associated with a device in an internal network;
setting, by the policy configuration portal, a first firewall policy configuration associated with the first hostname to include the first network address;
receiving, by the policy configuration portal, a first address update message that associates the first hostname with a second network address, wherein the second network address is associated with the device in the internal network;
in response to receiving the first address update message, associating, by the policy configuration portal, the second network address with the first hostname; and
modifying the first firewall policy configuration to include the second network address instead of the first network address.

US Pat. No. 10,270,755

AUTHENTICATED NAME RESOLUTION

VERISIGN, INC., Reston, ...

1. A method for authenticating a DNS request, comprising:
receiving at an authenticating server comprising an electronic processor a DNS resolution request including a domain name and authentication information, wherein the authentication information is not in the domain name, and wherein the authentication information comprises at least one of a username/password combination, or a security certificate;
validating, on the authenticating server comprising an electronic processor, the authentication information;
determining, by the authenticating server comprising an electronic processor, a DNS action based on the validation of the authentication information, wherein the DNS action comprises at least one of: sending a response message with an IP address, network layer identifier, or service location identifier; delaying sending a response message; sending a response message with an IP address corresponding to a website address containing authentication instructions; or responding with an alternative IP address corresponding to a special version of a resource configured to look just like the resource; and
executing, on the authenticating server comprising an electronic processor, the DNS action.

US Pat. No. 10,230,691

SYSTEMS, DEVICES, AND METHODS FOR IMPROVED DOMAIN NAME SYSTEM FIREWALL PROTECTION

VERISIGN, INC., Reston, ...

11. A computer-implemented method, comprising:
receiving, from a client device in a local network, a first Domain Name System (DNS) request, the first DNS request comprising a domain name associated with a local service device within the local network;
determining that the first DNS request is associated with a customer of a DNS firewall service;
determining that a record associated with the domain name cannot be found at the DNS firewall server;
sending, to the client device in the local network, a first response comprising a first status indicating that:
a server failure error has occurred in response to determining that the record could not be found at the DNS firewall server, and
the first DNS request is associated with the customer,
wherein the client device:
sends, in response to the first status, a second DNS request to an internal DNS server;
receives, from the internal DNS server, a DNS response comprising an Internet Protocol (IP) address associated with the local service device; and
sends, to the local service device, a communication using the IP address.

US Pat. No. 10,412,045

DOMAIN NAME REGISTRATION RESERVATION THROUGH THE USE OF ENCODING DOMAIN NAMES FOR POOLS

VERISIGN, INC., Reston, ...

1. A method of facilitating registration of a target domain name with the domain name system (DNS), the method comprising:
receiving a request to register an encoding domain name with the DNS, the encoding domain name comprising an indication of a temporal event and of a pool of domain names;
registering the encoding domain name to a registrant, wherein the registering the encoding domain name confers to the registrant a right to register a target domain name of the registrant's selection from the pool of domain names upon a specified condition, wherein the specified condition comprises an occurrence of the temporal event;
receiving a request initiated by the registrant to register the target domain name; and
registering the target domain name to the registrant after satisfaction of the specified condition.

US Pat. No. 10,326,794

ANYCAST-BASED SPOOFED TRAFFIC DETECTION AND MITIGATION

VERISIGN, INC., Reston, ...

1. A system comprising:
a processing system comprising one or more processors; and
a memory system comprising one or more computer-readable media, wherein the one or more computer-readable media contain instructions that, when executed by the processing system, cause the processing system to perform operations comprising:
determining a first hop-count of a first data query from a first transmitting device to a first server;
building a first hop-count profile for the first transmitting device based on the first hop-count that is determined;
determining a second hop-count of a second data query from the first transmitting device to a second server;
building a second hop-count profile for the first transmitting device based on the second hop-count that is determined;
determining a third hop-count of a third data query appearing to be from the first transmitting device to the first server;
determining a fourth hop-count of a fourth data query appearing to be from the first transmitting device to the second server;
comparing the third hop-count and the fourth hop-count to the first hop-count profile and the second hop-count profile, respectively; and
determining whether the third hop-count differs from the first hop-count profile by more than a predetermined amount.

US Pat. No. 10,320,744

SYSTEMS, DEVICES, AND METHODS FOR DYNAMIC ALLOCATION OF DOMAIN NAME ACQUISITION RESOURCES

VERISIGN, INC., Reston, ...

1. A system for dynamically allocating domain name acquisition resources, comprising:
a processing system of a device comprising one or more processors; and
a memory system comprising one or more computer-readable media, wherein the one or more computer-readable media contain instructions that, when executed by the processing system, cause the processing system to perform operations comprising:
receiving an indication of an available domain name acquisition resource and an available time window from a registrar;
receiving, from a device, a request for available domain name acquisition resources during a requested time window, wherein the available time window is within the requested time window;
determining a list of domain name acquisition resources available during the requested time window, wherein the list comprises the available domain name acquisition resource indicated by the registrar;
transmitting, to the device, the list of available domain name acquisition resources;
receiving, from the device, a selection of the available domain name acquisition resource from the list, a specified time window within the available time window, and an indication of a domain name to request during the specified time window;
generating a communication comprising an indication of the domain name to request during the specified time window; and
transmitting the communication to the registrar, wherein the communication results in the registrar sending a plurality of requests for the domain name to a domain name registry during the specified time window.

US Pat. No. 10,282,484

SYSTEMS AND METHODS FOR ONTOLOGICAL SEARCHING IN AN IOT ENVIRONMENT

VERISIGN, INC., Reston, ...

1. A method for creating a searchable registry for Internet of Things (“IoT”) devices and associated data feeds, the method comprising:
registering a first IoT device and a first data feed associated with the first IoT device in a first record with the searchable registry;
creating a first set of relationships between the first record and existing records of other IoT devices and associated data feeds;
associating the first record with one or more ontology terms of a hierarchical ontology describing at least one of the first IoT device, the first data feed, and the first set of relationships, wherein the hierarchical ontology is generated based on an imported ontology specified in web ontology language (OWL);
applying search criteria of a request to the ontology terms of the hierarchical ontology; and
providing a response to the request, the response including the first record having one or more associated ontology terms that match the search criteria.

US Pat. No. 9,473,455

DATA PLANE PACKET PROCESSING TOOL CHAIN

VERISIGN, INC., Reston, ...

1. A method of processing in a data plane, comprising:
creating, via an application operating in userland mode, a plurality of Domain Name System (DNS) packets, wherein each packet
comprises a DNS lookup instance;

acquiring, via a userland poll mode driver, the plurality of DNS packets;
processing, via the userland poll mode driver, the plurality of DNS packets in the data plane, wherein processing the plurality
of DNS packets comprises querying one or more databases storing DNS information;

generating response packets that comprise responses to the plurality of DNS packets; and
sending the response packets from the data plane via the userland poll mode driver, wherein an operating system monitors a
performance of the application and the userland poll mode driver,

wherein the processing comprises processing without using a hypervisor by:
causing the userland poll mode driver to acquire the plurality of DNS packets from the operating system; and
sending the plurality of DNS packets to the data plane; and
wherein the operating system accesses memory shared with one or more applications causing the userland poll mode driver to
acquire the plurality of DNS packets from the operating system.

US Pat. No. 9,473,530

CLIENT-SIDE ACTIVE VALIDATION FOR MITIGATING DDOS ATTACKS

VERISIGN, INC., Reston, ...

6. A computer-implemented method of mitigating denial-of-service (DoS) attacks, comprising:
intercepting, by a first server system, network requests directed to a second server system, wherein the network requests
originate from clients;

providing, by the first server system to the clients, responses to the network requests, wherein the responses include embedded
client-side scripts that subject the clients to one or more challenge mechanisms, wherein providing further includes:

receiving a first hypertext transfer protocol (HTTP) request from a first client directed to the second server system;
sending, by the first server system to the first client, a response to the first HTTP request, wherein the response includes
a plurality of set-cookie directives to set a challenge cookie on the first client, wherein at least one of the plurality
of set-cookie directives is valid and configured to set the challenge cookie to a correct value, and wherein at least one
of the plurality of set-cookie directives is invalid and configured to set the challenge cookie to an incorrect value;

determining that the first client has set the challenge cookie to the correct value; and
categorizing the first client as non-suspect in response to a determination that the first client has set the challenge cookie
to the correct value;

identifying one or more non-suspect clients, the one or more non-suspect clients corresponding to requesting clients that
successfully complete the one or more challenge mechanisms;

identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully
complete the one or more challenge mechanisms; and

forwarding, by the first server system to the second server system, network requests corresponding to the one or more non-suspect
clients.