Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data
First Claim
1. A method, implemented on a processor, of detecting anomalous payloads transmitted through a network, comprising the steps of:
- receiving at least one payload within the network;
- determining, using the processor, a length for data contained in the at least one payload;
- generating, using the processor, a byte value statistical distribution of data contained in the at least one payload received within the network;
- selecting, using the processor, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;
- comparing, using the processor, at least one portion of the generated statistical distribution to a corresponding portion of a selected model distribution; and
- identifying, using the processor, whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for the at least one payload and the corresponding portion of the selected model distribution.
Abstract
A method, apparatus and medium are provided for detecting anomalous payloads transmitted through a network. The system receives payloads within the network and determines a length for data contained in each payload. A statistical distribution is generated for data contained in each payload received within the network, and compared to a selected model distribution representative of normal payloads transmitted through the network. The model payload can be selected such that it has a predetermined length range that encompasses the length for data contained in the received payload. Anomalous payloads are then identified based on differences detected between the statistical distribution of received payloads and the model distribution. The system can also provide for automatic training and incremental updating of models.
40 Claims
1. A method, implemented on a processor, of detecting anomalous payloads transmitted through a network, comprising the steps of:
- receiving at least one payload within the network;
- determining, using the processor, a length for data contained in the at least one payload;
- generating, using the processor, a byte value statistical distribution of data contained in the at least one payload received within the network;
- selecting, using the processor, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;
- comparing, using the processor, at least one portion of the generated statistical distribution to a corresponding portion of a selected model distribution; and
- identifying, using the processor, whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for the at least one payload and the corresponding portion of the selected model distribution.

Dependent claims: 2 to 28.
29. A system for detecting anomalous payloads transmitted through a network, comprising:
- a computer coupled to the network, and receiving at least one payload through the network; and
- one or more model distributions representative of normal payloads received through the network;

said computer being configured to:
- determine a length for data contained in said at least one payload;
- generate a byte value statistical distribution of data contained in said at least one payload received within the network;
- select, from the one or more model distributions, a model byte value statistical distribution based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included in the predetermined length range;
- compare at least one portion of said generated byte value statistical distribution to a corresponding portion of said selected model byte value statistical distribution of said one or more model distributions; and
- identify whether said at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for said at least one payload and the corresponding portion of said selected byte value model distribution.

Dependent claims: 30 to 32.
33. A computer readable storage medium storing instructions executable by a computer for modeling payload data received in a network, the instructions causing said computer to perform the method of:
- receiving at least one payload through the network;
- determining a length for data contained in the at least one payload;
- generating a byte value statistical distribution of data contained in the at least one payload received within the network;
- selecting, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;
- comparing at least one portion of the generated statistical distribution to a corresponding portion of the selected model distribution; and
- identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for the at least one payload and the corresponding portion of the selected model distribution.

Dependent claims: 34 to 36.
37. A system for detecting anomalous payloads transmitted through a network, comprising:
- means for receiving at least one payload through the network;
- means for determining a length for data contained in said at least one payload;
- means for generating a byte value statistical distribution of data contained in said at least one payload received within the network;
- means for selecting, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;
- means for comparing at least one portion of the generated statistical distribution to a corresponding portion of the selected model distribution; and
- means for identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for said at least one payload and the corresponding portion of the selected model distribution.

Dependent claims: 38 to 40.
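The procedure the independent claims describe (byte-value distribution per payload, model selection by length range, comparison against the model) as an added Python example; it is not code from the patent or its assignee. The length ranges, the smoothing constant, the simplified Mahalanobis-style distance and the sample HTTP-like payloads are all assumptions constructed for illustration, since the claims only speak of "differences detected" without fixing a metric.

```python
"""Length-binned byte-value distribution models (added example, not the patent's code)."""
from collections import defaultdict

# Assumption: inclusive (lo, hi) length ranges, one model per range.
LENGTH_RANGES = [(0, 63), (64, 255), (256, 1023), (1024, 1 << 16)]
SMOOTHING = 0.001  # assumption: keeps a zero std-dev from dividing by zero

# Constructed sample of "normal" traffic (not from the patent); all are 64-255 bytes long.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\nAccept: */*\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\nAccept: */*\r\n\r\n",
    b"GET /news.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Wget/1.21\r\nAccept: */*\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n\r\nuser=anna",
]

def byte_distribution(payload: bytes):
    """Relative frequency of each of the 256 byte values (the 1-gram distribution)."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]

def length_range(length: int):
    """Return the model length range whose bounds contain this payload length, else None."""
    for lo, hi in LENGTH_RANGES:
        if lo <= length <= hi:
            return (lo, hi)
    return None

def train(normal_payloads):
    """Per length range, the mean and std-dev of every byte value's relative frequency."""
    groups = defaultdict(list)
    for p in normal_payloads:
        rng = length_range(len(p))
        if rng is not None:
            groups[rng].append(byte_distribution(p))
    models = {}
    for rng, dists in groups.items():
        k = len(dists)
        mean = [sum(d[i] for d in dists) / k for i in range(256)]
        std = [(sum((d[i] - mean[i]) ** 2 for d in dists) / k) ** 0.5 for i in range(256)]
        models[rng] = (mean, std)
    return models

def distance(payload: bytes, models):
    """Assumed metric: simplified Mahalanobis distance to the model selected by length.
    Returns None when no trained model covers the payload's length range."""
    rng = length_range(len(payload))
    if rng not in models:
        return None
    mean, std = models[rng]
    dist = byte_distribution(payload)
    return sum(abs(dist[i] - mean[i]) / (std[i] + SMOOTHING) for i in range(256))

def is_anomalous(payload: bytes, models, threshold: float) -> bool:
    d = distance(payload, models)
    return d is not None and d > threshold
```

A payload whose length falls in a range with no trained model yields no verdict rather than a false alarm; in practice the threshold is calibrated per length range from the distances of held-out normal traffic.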