SYSTEMS, METHODS, AND MEDIA FOR DETECTING NETWORK ANOMALIES
First Claim
1. A method for detecting network anomalies, the method comprising:
- receiving a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
- applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and
- performing a predetermined action in response to determining that the communication protocol message is anomalous.
Abstract
Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
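As an added illustration, not taken from the patent or its specification: a minimal version of the approach the abstract and claims describe, a character n-gram Markov chain trained on benign argument strings that scores a new argument string by its n-gram probabilities and flags it when the score falls below a threshold. The training strings, the smoothing, the threshold rule (lowest benign score minus a fixed slack) and the class and method names are all constructed assumptions for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: benign query-argument strings, used only as training data here.
BENIGN_ARGS = [
    "id=1042&page=3", "id=77&page=1", "user=alice&lang=en", "user=bob&lang=fr",
    "q=network+anomaly&page=2", "id=5&sort=asc", "q=markov+chain&sort=desc",
]


class NgramMarkovModel:
    """Order-(n-1) character Markov chain: P(next char | previous n-1 chars)."""

    def __init__(self, n=3, alpha=0.1):
        self.n, self.alpha = n, alpha           # n-gram size, smoothing parameter
        self.counts = defaultdict(Counter)      # context -> Counter of next chars
        self.alphabet = set()
        self.threshold = None

    def _grams(self, s):
        # Pad so the first characters and the end of the string are modelled too.
        s = "^" * (self.n - 1) + s + "$"
        k = self.n - 1
        return [(s[i:i + k], s[i + k]) for i in range(len(s) - k)]

    def fit(self, strings):
        for s in strings:
            for ctx, nxt in self._grams(s):
                self.counts[ctx][nxt] += 1
                self.alphabet.add(nxt)
        # Decision threshold (assumed rule): lowest benign per-character score, minus slack.
        self.threshold = min(self.score(s) for s in strings) - 1.0
        return self

    def gram_logprob(self, ctx, nxt):
        c = self.counts.get(ctx, Counter())
        v = len(self.alphabet) + 1              # +1 leaves probability mass for unseen symbols
        return math.log((c[nxt] + self.alpha) / (sum(c.values()) + self.alpha * v))

    def score(self, s):
        # Mean log-probability per n-gram, so long and short strings are comparable.
        grams = self._grams(s)
        return sum(self.gram_logprob(c, x) for c, x in grams) / len(grams)

    def worst_ngrams(self, s, k=3):
        # The least probable n-grams explain why a string was flagged.
        scored = [(c, x, self.gram_logprob(c, x)) for c, x in self._grams(s)]
        return sorted(scored, key=lambda t: t[2])[:k]

    def is_anomalous(self, s):
        return self.score(s) < self.threshold
```

The "predetermined action" of the claims (logging, blocking, alerting) is left to the caller, which would act on `is_anomalous` and report `worst_ngrams` as the evidence.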
30 Claims
1. A method for detecting network anomalies, the method comprising:
- receiving a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
- applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and
- performing a predetermined action in response to determining that the communication protocol message is anomalous.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 30
11. A system for detecting network anomalies, the system comprising:
a processor that is configured to:
- receive a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
- apply a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and
- perform a predetermined action in response to determining that the communication protocol message is anomalous.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20
21. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting network anomalies, the method comprising:
- receiving a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
- applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and
- performing a predetermined action in response to determining that the communication protocol message is anomalous.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29