Methodology, system and computer readable medium for detecting file encryption
Abstract
A method, computer readable medium and system for determining whether a data stream is in cyphertext format statistically analyzes the data stream to compute a resultant value indicative of a level of uniformity for a frequency distribution of the data stream's byte values. When applied to one or more files an average byte value may be computed for the data stream and a chi-square statistical analysis of the data bytes performed, with the resultant value computed based on the chi-square value. The resultant is then compared to a pre-determined threshold value to determine whether the file has been encrypted. The computer-readable medium has executable instructions for reading the data stream portions of files to compute a resultant value for each file and control an output device to display appropriate output. The encryption detection system comprises a storage device, an output device and a processor programmed in accordance with the foregoing.
27 Claims
1. A computerized method for determining whether a data stream is in a cyphertext format, wherein said data stream is characterized by a plurality of data bytes, each having an associated byte value, said method comprising:
performing a statistical analysis of the associated data stream's byte values to compute a statistical result having a resultant value indicative of a level of uniformity for a frequency distribution of the byte values in the data stream;
controlling an output device to display output corresponding to an existence of cyphertext if the resultant value indicates uniformity of the frequency distribution.
Dependent claims: 2, 3, 4, 5, 6, 7, 8 (not reproduced on this page).

9. A computer-readable medium having executable instructions for performing a method comprising:
reading a data stream portion associated with each of a plurality of files, each said data stream portion characterized by a plurality of data bytes, each having an associated byte value;
computing a resultant value that is indicative of a level of uniformity for a frequency distribution of associated byte values throughout the data stream portion; and
controlling an output device to display output corresponding to an existence of data encryption if the resultant value indicates uniformity of the frequency distribution.
Dependent claims: 10, 11, 12, 13, 14, 15 (not reproduced on this page).

16. A computerized method for determining whether a selected file contains cyphertext, wherein the selected file includes a header portion corresponding to a file type and a data portion that includes a data stream characterized by a plurality of data bytes, each having an associated byte value, said computerized method comprising:
computing an average byte value for the data stream;
performing a chi-square statistical analysis of the data bytes to compute a total chi-square value corresponding to a statistical difference of each byte's value from the average byte value;
computing a resultant value based upon the chi-square value, whereby said resultant value indicates a level of uniformity for a frequency distribution of the associated byte values throughout the data stream;
comparing said resultant value to a predetermined threshold value; and
generating output indicative of data encryption upon a determination that the threshold value exceeds the resultant value.
Dependent claims: 17, 18, 19 (not reproduced on this page).

20. A computerized method for searching a target set of directories within a hierarchical file system of a computational device to determine whether any files within each of said directories is in a cyphertext format, wherein each of said data files includes a header portion and a data portion that includes a data stream characterized by a plurality of data bytes, each having an associated byte value, said computerized methodology comprising, sequentially with respect to each of said files in each of said directories:
computing an average byte value for the data stream;
performing a statistical analysis of the data bytes to compute a statistical value corresponding to a statistical difference of each byte's value from the average byte value;
computing a resultant value based upon the statistical value, whereby said resultant value indicates a level of uniformity for a frequency distribution of the associated byte values throughout the data stream;
comparing said resultant value to a predetermined threshold value and generating one of;
first output indicative of data non-encryption if said resultant value is less than the threshold value; and
second output indicative of data encryption if said threshold value exceeds the resultant value and said header portion is uncorrelated to a known file type.
Dependent claims: 21, 22, 23 (not reproduced on this page).

24. An encryption detection system for identifying an existence of cyphertext in a data stream that is characterized by a plurality of data bytes each having an associated byte value, said system comprising:
a storage device;
an output device; and
a processor programmed to;
perform a statistical analysis of the data stream's associated byte values to compute a statistical result having a resultant value indicative of a level of uniformity for a frequency distribution of the associated byte values throughout the data stream; and
control an output device to display output corresponding to an existence of cyphertext if the resultant value indicates uniformity of the frequency distribution.
Dependent claims: 25, 27 (not reproduced on this page).

26. An encryption detection system for identifying an existence of cyphertext in respective data streams, wherein each of said data streams is characterized by a plurality of data bytes each having an associated byte value, said system comprising:
storage means;
output means; and
processing means for;
performing a statistical analysis of each data stream's associated byte values to compute a statistical result having a resultant value indicative of a level of uniformity for a frequency distribution of the associated byte values throughout the data stream; and
controlling an output device to display output corresponding to an existence of cyphertext if the resultant value indicates uniformity of the frequency distribution.
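The procedure of claims 16 and 20 (average byte value, chi-square statistic, comparison against a threshold, and the header check that keeps recognised file types from being reported as encrypted), written out as an added Python example. This is not the patent's own code: the statistic is the standard chi-square goodness-of-fit test of the observed byte counts against a uniform distribution, and the threshold value (CHI_THRESHOLD), the header length (HEADER_LEN), the sample size (SAMPLE_LEN), the signature table (KNOWN_MAGIC) and the sample inputs are all assumptions made here, since the page does not give the patent's values.

```python
"""Chi-square byte-frequency test for detecting cyphertext in files.

Added illustration of claims 16 and 20, not the patent's own code. The
statistic is the standard chi-square goodness-of-fit test of observed byte
counts against a uniform distribution; CHI_THRESHOLD, HEADER_LEN, SAMPLE_LEN
and KNOWN_MAGIC are assumed values, not taken from the patent.
"""
import hashlib
import os
from collections import Counter

HEADER_LEN = 8       # bytes treated as the file's "header portion" (assumed)
SAMPLE_LEN = 4096    # bytes of the data portion examined per file (assumed)
# Reduced chi-square (chi-square / 255 degrees of freedom) below which the byte
# distribution is treated as uniform. Uniform data scores about 1.0 and almost
# never exceeds 1.5; text and most structured data score far higher. Assumed.
CHI_THRESHOLD = 1.5

# Constructed signature table for the header check of claim 20 (assumed).
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x7fELF": "elf",
}


def average_byte_value(data: bytes) -> float:
    """Mean byte value (claim 16); close to 127.5 for uniform data."""
    return sum(data) / len(data)


def chi_square_uniform(data: bytes) -> float:
    """Chi-square of the 256 observed byte counts against the expected
    count n/256 of a uniform distribution."""
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def resultant(data: bytes) -> float:
    """Resultant value: chi-square scaled by its 255 degrees of freedom so
    streams of different length are comparable against one threshold."""
    return chi_square_uniform(data) / 255.0


def known_file_type(header: bytes):
    """Name of the signature the header matches, or None if uncorrelated."""
    for magic, name in KNOWN_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def classify(content: bytes) -> str:
    """Decision of claim 20 for one file's bytes.

    'not-encrypted'     : distribution is non-uniform (first output)
    'encrypted'         : uniform and header matches no known type (second output)
    'known-type:<name>' : uniform but header is a recognised type, so not
                          flagged (compressed or media files also look uniform)
    """
    header = content[:HEADER_LEN]
    body = content[HEADER_LEN:HEADER_LEN + SAMPLE_LEN]
    if len(body) < 256:
        return "too-short"
    if resultant(body) >= CHI_THRESHOLD:
        return "not-encrypted"
    kind = known_file_type(header)
    return "encrypted" if kind is None else "known-type:" + kind


def scan_directory(root: str) -> dict:
    """Walk a directory tree and classify every file in it (claim 20)."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify(fh.read(HEADER_LEN + SAMPLE_LEN))
    return results


def constructed_cyphertext(n: int) -> bytes:
    """Constructed stand-in for cyphertext: a SHA-256 counter keystream.
    Deterministic sample data, not the output of any real cipher."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(b"sample-key" + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def constructed_text(n: int) -> bytes:
    """Constructed plaintext sample: a repeated English sentence."""
    s = b"The quick brown fox jumps over the lazy dog; byte values cluster. "
    return (s * (n // len(s) + 1))[:n]


if __name__ == "__main__":
    samples = [("text", constructed_text(4200)),
               ("cyphertext", constructed_cyphertext(4200)),
               ("png+random body", b"\x89PNG\r\n\x1a\n" + constructed_cyphertext(4200))]
    for label, blob in samples:
        body = blob[HEADER_LEN:]
        print(f"{label:16s} avg={average_byte_value(body):6.1f} "
              f"resultant={resultant(body):8.2f} -> {classify(blob)}")
```

Run as a script it prints the average byte value, the resultant and the verdict for the three constructed samples; `scan_directory` applies the same decision to every file under a directory, reading only the header plus the first SAMPLE_LEN bytes of each. Note that the header check is what keeps compressed archives, which also have near-uniform bytes, from being reported as encrypted; a file whose header has been stripped or altered will still be flagged, which is the behaviour claim 20 specifies.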