Apparatus method and medium for tracing the origin of network transmissions using n-gram distribution of data
First Claim
1. A method of identifying an origin computer system transmitting anomalous data across a computer network to an end target computer system, the method comprising:
- retrieving, using a hardware processor, a connection record that contains transmission information with a first computer system across the computer network;
- generating, using the hardware processor, a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
- determining, using the hardware processor, a first distance between the byte value statistical distribution of data contained in the data payload and a model distribution of data contained in normal payloads transmitted across the computer network;
- identifying, using the hardware processor, the data payload as a suspect data payload based on the first distance; and
- designating, using the hardware processor, the first computer system as a suspect computer system in response to identifying the suspect data payload.
Abstract
A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at a computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of the data corresponding to the data payload being transmitted. The statistical distribution of a received payload can be compared to those stored in the connection records in order to identify the sender. The location of the sender can then be determined from the source address stored in the matching connection record. The process can be repeated across multiple hops until the location of the original sender has been traced.
118 Citations
21 Claims
1. A method of identifying an origin computer system transmitting anomalous data across a computer network to an end target computer system, the method comprising:
- retrieving, using a hardware processor, a connection record that contains transmission information with a first computer system across the computer network;
- generating, using the hardware processor, a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
- determining, using the hardware processor, a first distance between the byte value statistical distribution of data contained in the data payload and a model distribution of data contained in normal payloads transmitted across the computer network;
- identifying, using the hardware processor, the data payload as a suspect data payload based on the first distance; and
- designating, using the hardware processor, the first computer system as a suspect computer system in response to identifying the suspect data payload.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. A system for identifying an origin computer system transmitting anomalous data across a computer network to an end target computer system, the system comprising:
- a memory; and
- a hardware processor that, when executing computer executable instructions stored in the memory, is configured to:
  - retrieve a connection record that contains transmission information with a first computer system across the computer network;
  - generate a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
  - determine a first distance between the byte value statistical distribution of data contained in the data payload and a model distribution of data contained in normal payloads transmitted across the computer network;
  - identify the data payload as a suspect data payload based on the first distance; and
  - designate the first computer system as a suspect computer system in response to identifying the suspect data payload.

Dependent claims: 9, 10, 11, 12, 13, 14.

15. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for identifying an origin computer system transmitting anomalous data across a computer network to an end target computer system, the method comprising:
- retrieving, using a hardware processor, a connection record that contains transmission information with a first computer system across the computer network;
- generating, using the hardware processor, a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
- determining, using the hardware processor, a first distance between the byte value statistical distribution of data contained in the data payload and a model distribution of data contained in normal payloads transmitted across the computer network;
- identifying, using the hardware processor, the data payload as a suspect data payload based on the first distance; and
- designating, using the hardware processor, the first computer system as a suspect computer system in response to identifying the suspect data payload.

Dependent claims: 16, 17, 18, 19, 20, 21.
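The claimed procedure as an added worked example, not the patent's own code: a byte-value distribution of a payload (generalised to n-grams, as in the title), a distance from that distribution to a model of normal payloads, and a hop-by-hop walk backwards over stored connection records from the end target to the origin. The hosts, payloads and connection records are constructed, and the simplified Mahalanobis-style distance, the training-calibrated threshold and the L1 matching tolerance are assumptions for illustration rather than anything the claims specify.

```python
# Added example, not the patent's code; all hosts, payloads and records below are constructed.
import math
from collections import Counter
def ngram_distribution(payload: bytes, n: int = 1) -> dict:
    """Relative frequency of each n-byte sequence in the payload (n=1 gives byte values)."""
    grams = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(grams.values()) or 1
    return {g: c / total for g, c in grams.items()}

def build_model(normal_payloads, n: int = 1):
    """Per-n-gram mean and standard deviation over a training set of normal payloads."""
    dists = [ngram_distribution(p, n) for p in normal_payloads]
    keys, k = set().union(*dists), len(dists)
    mean = {g: sum(d.get(g, 0.0) for d in dists) / k for g in keys}
    std = {g: math.sqrt(sum((d.get(g, 0.0) - mean[g]) ** 2 for d in dists) / k) for g in keys}
    return mean, std

def distance(dist: dict, model, alpha: float = 0.001) -> float:
    """Simplified Mahalanobis distance (assumed here); alpha avoids division by zero for rare n-grams."""
    mean, std = model
    return sum(abs(dist.get(g, 0.0) - mean.get(g, 0.0)) / (std.get(g, 0.0) + alpha)
               for g in set(dist) | set(mean))

def l1(a: dict, b: dict) -> float:
    return sum(abs(a.get(g, 0.0) - b.get(g, 0.0)) for g in set(a) | set(b))
def trace_origin(records, target, suspect_dist, tol=0.05, max_hops=16):
    """Walk records backwards from the target, following the inbound record that matches the suspect payload."""
    host, path = target, [target]
    for _ in range(max_hops):  # bounded so a cycle of forged records cannot loop forever
        inbound = [(l1(r["dist"], suspect_dist), r) for r in records if r["dst"] == host]
        if not inbound:
            break
        d, rec = min(inbound, key=lambda c: c[0])
        if d > tol:  # no record at this host carried the suspect data; the trail ends here
            break
        host = rec["src"]
        path.append(host)
    return path

NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # constructed normal traffic
          b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
          b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 10\r\n\r\nuser=alice"]
SUSPECT = bytes(range(256)) * 2  # constructed: near-uniform byte values, far from text
MODEL = build_model(NORMAL)
THRESHOLD = 2 * max(distance(ngram_distribution(p), MODEL) for p in NORMAL)  # calibrated on training
RECORDS = [  # constructed: 10.0.0.1 -> 10.0.0.2 -> 10.0.0.3 (target); 10.0.0.4 -> 10.0.0.2 is unrelated
    {"src": "10.0.0.2", "dst": "10.0.0.3", "dist": ngram_distribution(SUSPECT)},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "dist": ngram_distribution(SUSPECT)},
    {"src": "10.0.0.4", "dst": "10.0.0.2", "dist": ngram_distribution(NORMAL[0])},
]
```

`trace_origin(RECORDS, "10.0.0.3", ngram_distribution(SUSPECT))` follows the matching records back to `10.0.0.1`, while a normal payload's distribution matches no stored record at the target and the walk stops there.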
Specification