ANOMALY DETECTION THROUGH HEADER FIELD ENTROPY
First Claim
1. A computer-implemented method comprising:
- detecting, using a sensor installed on an endpoint, a plurality of flows associated with the endpoint;
- determining an entropy associated with a header field for the plurality of flows;
- determining that the entropy is greater than a predetermined amount; and
- determining that the plurality of flows is anomalous.
Abstract
An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.
20 Claims
1. A computer-implemented method comprising:
- detecting, using a sensor installed on an endpoint, a plurality of flows associated with the endpoint;
- determining an entropy associated with a header field for the plurality of flows;
- determining that the entropy is greater than a predetermined amount; and
- determining that the plurality of flows is anomalous.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A non-transitory computer-readable medium having computer readable instructions that, when executed by a processor of a computer, cause the computer to:
- detect, using a sensor installed on an endpoint, a plurality of flows associated with the endpoint;
- determine an entropy associated with a header field for the plurality of flows;
- determine that the entropy is greater than a predetermined amount; and
- determine that the plurality of flows is anomalous.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A system comprising:
- a processor;
- memory including instructions that, when executed by the processor, cause the system to:
  - detect, using a sensor installed on an endpoint, a plurality of flows associated with the endpoint;
  - determine an entropy associated with a header field for the plurality of flows;
  - determine that the entropy is greater than a predetermined amount; and
  - determine that the plurality of flows is anomalous.
Dependent claims: 16, 17, 18, 19, 20.
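The abstract and the independent claims above describe one mechanism: an endpoint sensor collects flow records, the Shannon entropy of one header field is computed across those flows, and the set of flows is flagged as anomalous when that entropy exceeds a predetermined threshold. The following is an added worked example of that mechanism in Python; it is not code from the patent or its assignee. The flow records, the field names (`urg_ptr`, `tos`, `dport`), and the per-field thresholds are all constructed assumptions for illustration. The covert-channel flows carry data in the TCP urgent pointer, a field that is normally zero, which is the kind of underutilized header field the abstract refers to.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List, Mapping

# Constructed sample flow records (not real captures). Each dict is what an
# endpoint sensor might export for one flow. Field names are assumptions.
LEGIT_FLOWS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 443, "urg_ptr": 0, "tos": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 443, "urg_ptr": 0, "tos": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.12", "dport": 443, "urg_ptr": 0, "tos": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.12", "dport": 443, "urg_ptr": 0, "tos": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 443, "urg_ptr": 0, "tos": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 443, "urg_ptr": 0, "tos": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.30", "dport": 80, "urg_ptr": 0, "tos": 0},
    {"src": "10.0.0.5", "dst": "10.0.0.30", "dport": 80, "urg_ptr": 0, "tos": 0},
]

# Constructed flows from an endpoint smuggling bytes "A".."D" in the urgent pointer.
COVERT_FLOWS: List[Dict] = [
    {"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 443, "urg_ptr": v, "tos": 0}
    for v in (0x41, 0x42, 0x43, 0x44, 0x41, 0x42, 0x43, 0x44)
]

# Assumed per-field thresholds in bits. A field that is legitimately diverse
# (destination port) needs a much higher threshold than one that is normally constant.
THRESHOLDS: Mapping[str, float] = {"urg_ptr": 0.5, "tos": 0.5, "dport": 3.0}


def shannon_entropy(values: Iterable) -> float:
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def field_entropy(flows: List[Dict], field: str) -> float:
    """Entropy of one header field taken across a set of flows (claim step 2)."""
    return shannon_entropy(f[field] for f in flows)


def is_anomalous(flows: List[Dict], field: str, threshold: float) -> bool:
    """Claim steps 3 and 4: the flow set is anomalous if entropy exceeds the threshold."""
    return field_entropy(flows, field) > threshold


def score_endpoint(flows: List[Dict], thresholds: Mapping[str, float]) -> Dict[str, Dict]:
    """Evaluate every thresholded header field for one endpoint's flows."""
    report = {}
    for field, thr in thresholds.items():
        h = field_entropy(flows, field)
        report[field] = {"entropy": h, "threshold": thr, "anomalous": h > thr}
    return report


if __name__ == "__main__":
    for name, flows in (("legit", LEGIT_FLOWS), ("covert", COVERT_FLOWS)):
        for field, r in score_endpoint(flows, THRESHOLDS).items():
            flag = "ANOMALOUS" if r["anomalous"] else "ok"
            print(f"{name:6s} {field:8s} H={r['entropy']:.3f} bits  {flag}")
```

The threshold is the part that has to be engineered per field: the urgent pointer and TOS byte are close to zero entropy in ordinary traffic, so even a small value is suspicious, while destination port, source port and IP ID have non-trivial entropy in legitimate traffic and would produce constant false positives under the same threshold. A practical deployment would also fix the window size, since entropy over eight flows and entropy over eight thousand are not comparable without normalising by log2 of the flow count.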