Detecting network anomalies by probabilistic modeling of argument strings with markov chains

US 10,063,576 B2
Filed: 12/29/2015
Issued: 08/28/2018
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. A method for detecting network anomalies, the method comprising:

receiving, using a hardware processor, a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;

applying, using the hardware processor, a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string; and

performing, using the hardware processor, a predetermined action in response to determining that the communication protocol message is anomalous.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

20 Citations

21 Claims

1. A method for detecting network anomalies, the method comprising:
- receiving, using a hardware processor, a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
  
  applying, using the hardware processor, a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string; and
  
  performing, using the hardware processor, a predetermined action in response to determining that the communication protocol message is anomalous.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the one or more parameters includes gram size, and wherein the probabilistic model was trained based on the gram size.
  - 3. The method of claim 1, wherein the one or more parameters includes mixture size that specifies a number of Markov chains to use in the probabilistic model and wherein the at least one Markov chain is a mixture of Markov chains specified by the mixture size.
  - 4. The method of claim 1, further comprising:
    - receiving a plurality of packets transmitted from the first processor to the second processor across the computer network;
      
      assembling the plurality of packets to form the communication protocol message; and
      
      extracting the argument string from the communication protocol message.
  - 5. The method of claim 1, wherein the communication protocol message is a Hypertext Transfer Protocol (HTTP) request message.
  - 6. The method of claim 1, wherein the probabilistic model was trained based on content and structure of the argument string included in each of a plurality of communication protocol messages.
  - 7. The method of claim 6, wherein the content and the structure associated with each of the argument strings further comprises one or more variable names, a corresponding argument value for each of the variable names, and a layout with respect to each of the variable names.
  - 8. The method of claim 1, wherein the at least one Markov chain comprises one or more Markov models of transition probabilities in n-grams of the communication protocol message.
  - 9. The method of claim 1, wherein the predetermined action comprises issuing an alert.
  - 10. The method of claim 1, wherein applying the probabilistic model further comprises calculating a normality score for the received communication protocol message using the probabilistic model.

11. A system for detecting network anomalies, the system comprising:
- a memory; and
  
  a hardware processor that, when executing computer-executable instructions stored in the memory, is configured to;
  
  receive a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
  
  apply a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string; and
  
  perform a predetermined action in response to determining that the communication protocol message is anomalous.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the one or more parameters includes gram size, and wherein the probabilistic model was trained based on the gram size.
  - 13. The system of claim 11, wherein the one or more parameters includes mixture size that specifies a number of Markov chains to use in the probabilistic model and wherein the at least one Markov chain is a mixture of Markov chains specified by the mixture size.
  - 14. The system of claim 11, wherein the hardware processor is further configured to:
    - receive a plurality of packets transmitted from the first processor to the second processor across the computer network;
      
      assemble the plurality of packets to form the communication protocol message; and
      
      extract the argument string from the communication protocol message.
  - 15. The system of claim 11, wherein the communication protocol message is a Hypertext Transfer Protocol (HTTP) request message.
  - 16. The system of claim 11, wherein the probabilistic model was trained based on content and structure of the argument string included in each of a plurality of communication protocol messages.
  - 17. The system of claim 16, wherein the content and the structure associated with each of the argument strings further comprises one or more variable names, a corresponding argument value for each of the variable names, and a layout with respect to each of the variable names.
  - 18. The system of claim 11, wherein the at least one Markov chain comprises one or more Markov models of transition probabilities in n-grams of the communication protocol message.
  - 19. The system of claim 11, wherein the predetermined action comprises issuing an alert.
  - 20. The system of claim 11, wherein the hardware processor further configured to calculate a normality score for the received communication protocol message using the probabilistic model.

21. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform method for detecting network anomalies, the method comprising:
- receiving a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
  
  applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string; and
  
  performing a predetermined action in response to determining that the communication protocol message is anomalous.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Song, Yingbo, Keromytis, Angelos D., Stolfo, Salvatore J.
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/982,888
Publication Number

US 20160366169A1
Time in Patent Office

973 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 69/16   Implementation or adaptatio...

Detecting network anomalies by probabilistic modeling of argument strings with markov chains

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting network anomalies by probabilistic modeling of argument strings with markov chains

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links