Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data
First Claim
1. A method of detecting anomalous payloads transmitted through a network, comprising the steps of:
- receiving at least one payload within the network;
determining a length for data contained in the at least one payload;
generating a statistical distribution of data contained in the at least one payload received within the network;
comparing at least one portion of the generated statistical distribution to a corresponding portion of a selected model distribution representative of normal payloads transmitted through the network;
wherein the selected model distribution has a predetermined length range that encompasses the length for data contained in the at least one payload; and
identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the statistical distribution for the at least one payload and the corresponding portion of the model distribution.
1 Assignment
0 Petitions
Accused Products
Abstract
A method, apparatus and medium are provided for detecting anomalous payloads transmitted through a network. The system receives payloads within the network and determines a length for data contained in each payload. A statistical distribution is generated for data contained in each payload received within the network, and compared to a selected model distribution representative of normal payloads transmitted through the network. The model payload can be selected such that it has a predetermined length range that encompasses the length for data contained in the received payload. Anomalous payloads are then identified based on differences detected between the statistical distribution of received payloads and the model distribution. The system can also provide for automatic training and incremental updating of models.
108 Citations
67 Claims
-
1. A method of detecting anomalous payloads transmitted through a network, comprising the steps of:
-
receiving at least one payload within the network;
determining a length for data contained in the at least one payload;
generating a statistical distribution of data contained in the at least one payload received within the network;
comparing at least one portion of the generated statistical distribution to a corresponding portion of a selected model distribution representative of normal payloads transmitted through the network;
wherein the selected model distribution has a predetermined length range that encompasses the length for data contained in the at least one payload; and
identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the statistical distribution for the at least one payload and the corresponding portion of the model distribution. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
-
29. A method of modeling payload data received in a network, comprising the steps of:
-
receiving a plurality of payload data in the network;
creating a payload length distribution for all payload data received;
partitioning the payload length distribution into a plurality of payload ranges;
generating a statistical distribution for each received payload data; and
constructing a model payload for each payload range based on the statistical distributions of all received payload data encompassed by the payload range. - View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
-
-
47. A system for detecting anomalous payloads transmitted through a network, comprising:
-
a computer coupled to the network, and receiving at least one payload through the network; and
at least one model distributions representative of normal payloads received through the network;
said computer being configured to;
determine a length for data contained in said at least one payload, generate a statistical distribution of data contained in said at least one payload received within the network, compare at least one portion of said generated statistical distribution to a corresponding portion of a selected one of said model distributions having a predetermined length range that encompasses the length for data contained in said at least one, and identify whether said at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the statistical distribution for said at least one payload and the corresponding portion of said selected model distribution. - View Dependent Claims (48, 49, 50)
-
-
51. A system for modeling payload data received in a network, comprising:
-
a computer coupled to the network, and receiving a plurality of payload data through the network;
said computer being configure to;
create a payload length distribution for all payload data received, partition said payload length distribution into a plurality of payload ranges, generate a statistical distribution for each received payload data, and construct a model payload for each payload range based on the statistical distributions of all received payload data encompassed by said payload range. - View Dependent Claims (52, 53)
-
-
54. A computer readable medium carrying instructions executable by a computer for modeling payload data received in a network, said instructions causing said computer to perform the acts of:
-
receiving at least one payload through the network;
determining a length for data contained in the at least one payload;
generating a statistical distribution of data contained in the at least one payload received within the network;
comparing at least one portion of the generated statistical distribution to a corresponding portion of a selected one of said model distributions having a predetermined length range that encompasses the length for data contained in said received payload; and
identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the statistical distribution for said at least one payload and the corresponding portion of said selected model distribution. - View Dependent Claims (55, 56, 57)
-
-
58. A computer readable medium carrying instructions executable by a computer for modeling payload data received in a network, said instructions causing said computer to perform the acts of:
-
receiving a plurality of payload data through the network;
creating a payload length distribution for all payload data received;
partitioning said payload length distribution into a plurality of payload ranges;
generating a statistical distribution for each received payload data; and
constructing a model payload for each payload range based on the statistical distributions of all received payload data encompassed by the payload range. - View Dependent Claims (59, 60)
-
-
61. A system for detecting anomalous payloads transmitted through a network, comprising:
-
means for receiving at least one payload through the network;
means for determining a length for data contained in said at least one payload;
means for generating a statistical distribution of data contained in said at least one payload received within the network;
means for comparing at least one portion of the generated statistical distribution to a corresponding portion of a selected one of said model distributions having a predetermined length range that encompasses the length for data contained in said received payload; and
means for identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the statistical distribution for said at least one payload and the corresponding portion of said selected model distribution. - View Dependent Claims (62, 63, 64)
-
-
65. A system for modeling payload data received in a network, comprising:
-
means for receiving a plurality of payload data through the network;
means for creating a payload length distribution for all payload data received;
means for partitioning said payload length distribution into a plurality of payload ranges;
means for generating a statistical distribution for each received payload data; and
means for constructing a model payload for each payload range based on the statistical distributions of all received payload data encompassed by the payload range. - View Dependent Claims (66, 67)
-
Specification