Anomaly detection through header field entropy
Abstract
An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.
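As an added illustration, not code from the patent, the following Python computes the per-field and combined Shannon entropy of a set of flows, derives the cutoff from a second (baseline) set of flows, and flags the first set as anomalous when its combined entropy exceeds that cutoff. The flow records, the choice of header fields, the summing of per-field entropies as the "combined entropy", and the two-bit margin are all assumptions of this example.

```python
import math
from collections import Counter

# Header fields examined; which fields to watch is a deployment choice (assumed here).
FIELDS = ("ttl", "ip_id", "urg_ptr", "dst_port")

# Constructed sample flows (not from the patent). The baseline set plays the role of the
# "second plurality of flows" used to derive the cutoff; the suspect set varies fields that
# normally stay constant, as a flow carrying data in underused header fields would.
BASELINE_FLOWS = [{"ttl": 64, "ip_id": i, "urg_ptr": 0, "dst_port": 443} for i in range(32)]
SUSPECT_FLOWS = [{"ttl": 64 + i % 8, "ip_id": i, "urg_ptr": (i * 7) % 256, "dst_port": 443}
                 for i in range(32)]


def field_entropy(flows, field):
    """Shannon entropy in bits of one header field's values across a set of flows."""
    counts = Counter(flow[field] for flow in flows)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def combined_entropy(flows, fields):
    """Combined entropy of several header fields. The patent leaves the combination
    method open; summing the per-field entropies is this example's assumption."""
    return sum(field_entropy(flows, f) for f in fields)


def cutoff_from_baseline(baseline_flows, fields, margin_bits=2.0):
    """The 'predetermined amount': baseline combined entropy plus an assumed margin."""
    return combined_entropy(baseline_flows, fields) + margin_bits


def classify(flows, baseline_flows, fields=FIELDS, margin_bits=2.0):
    """Return (combined entropy, cutoff, anomalous?) for a flow set against a baseline."""
    cutoff = cutoff_from_baseline(baseline_flows, fields, margin_bits)
    entropy = combined_entropy(flows, fields)
    return entropy, cutoff, entropy > cutoff


if __name__ == "__main__":
    for name, flows in (("baseline", BASELINE_FLOWS), ("suspect", SUSPECT_FLOWS)):
        entropy, cutoff, anomalous = classify(flows, BASELINE_FLOWS)
        per_field = {f: round(field_entropy(flows, f), 2) for f in FIELDS}
        verdict = "anomalous (cut off)" if anomalous else "normal"
        print(f"{name}: per-field={per_field} combined={entropy:.2f} "
              f"cutoff={cutoff:.2f} -> {verdict}")
```

Fields whose values legitimately vary (here `ip_id`) raise the baseline entropy and therefore the cutoff, so the margin and the field selection decide how sensitive the detector is.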
18 Claims
1. A computer-implemented method comprising:
- detecting, using a sensor installed on an endpoint, a first plurality of flows associated with the endpoint;
- determining a first entropy associated with at least one of a plurality of header fields for the first plurality of flows, the plurality of header fields having various entropy values and determined to indicate malicious flows;
- determining whether the first entropy is greater than a predetermined amount, the predetermined amount being a cutoff level indicative of a malicious flow and based on a second entropy associated with a second plurality of flows;
- determining the first plurality of flows is anomalous when the first entropy is determined to be greater than the predetermined amount; and
- cutting off the first plurality of flows when the first plurality of flows is determined to be anomalous, wherein the at least one of the plurality of header fields includes multiple ones of the plurality of header fields, and the first entropy is determined based on a combined entropy of the multiple ones of the plurality of header fields.

Dependent claims: 2, 3, 4, 5, 6
7. A non-transitory computer-readable medium having computer readable instructions that, when executed by a processor of a computer, cause the computer to:
- detect, using a sensor installed on an endpoint, a first plurality of flows associated with the endpoint;
- determine a first entropy associated with at least one of a plurality of header fields for the first plurality of flows, the plurality of header fields having various entropy values and determined to indicate malicious flows;
- determine whether the first entropy is greater than a predetermined amount, the predetermined amount being a cutoff level indicative of a malicious flow and based on a second entropy associated with a second plurality of flows;
- determine the first plurality of flows is anomalous when the first entropy is determined to be greater than the predetermined amount; and
- cut off the first plurality of flows when the first plurality of flows is determined to be anomalous, wherein the at least one of the plurality of header fields includes multiple ones of the plurality of header fields, and the first entropy is determined based on a combined entropy of the multiple ones of the plurality of header fields.

Dependent claims: 8, 9, 10, 11, 12
13. A system comprising:
- a processor;
- a memory including instructions that, when executed by the processor, cause the system to:
  - detect, using a sensor installed on an endpoint, a first plurality of flows associated with the endpoint;
  - determine a first entropy associated with at least one of a plurality of header fields for the first plurality of flows, the plurality of header fields having various entropy values and determined to indicate malicious flows;
  - determine whether the first entropy is greater than a predetermined amount, the predetermined amount being a cutoff level indicative of a malicious flow and based on a second entropy associated with a second plurality of flows;
  - determine the first plurality of flows is anomalous when the first entropy is determined to be greater than the predetermined amount; and
  - cut off the first plurality of flows when the first plurality of flows is determined to be anomalous, wherein the at least one of the plurality of header fields includes multiple ones of the plurality of header fields, and the first entropy is determined based on a combined entropy of the multiple ones of the plurality of header fields.

Dependent claims: 14, 15, 16, 17, 18