Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data

US 7,639,714 B2
Filed: 11/12/2004
Issued: 12/29/2009
Est. Priority Date: 11/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method, implemented on a processor, of detecting anomalous payloads transmitted through a network, comprising the steps of:

receiving at least one payload within the network;

determining, using the processor, a length for data contained in the at least one payload;

generating, using the processor, a byte value statistical distribution of data contained in the at least one payload received within the network;

selecting, using the processor, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;

comparing, using the processor, at least one portion of the generated statistical distribution to a corresponding portion of a selected model distribution; and

identifying, using the processor, whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for the at least one payload and the corresponding portion of the selected model distribution.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and medium are provided for detecting anomalous payloads transmitted through a network. The system receives payloads within the network and determines a length for data contained in each payload. A statistical distribution is generated for data contained in each payload received within the network, and compared to a selected model distribution representative of normal payloads transmitted through the network. The model payload can be selected such that it has a predetermined length range that encompasses the length for data contained in the received payload. Anomalous payloads are then identified based on differences detected between the statistical distribution of received payloads and the model distribution. The system can also provide for automatic training and incremental updating of models.

399 Citations

40 Claims

1. A method, implemented on a processor, of detecting anomalous payloads transmitted through a network, comprising the steps of:
- receiving at least one payload within the network;
  
  determining, using the processor, a length for data contained in the at least one payload;
  
  generating, using the processor, a byte value statistical distribution of data contained in the at least one payload received within the network;
  
  selecting, using the processor, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;
  
  comparing, using the processor, at least one portion of the generated statistical distribution to a corresponding portion of a selected model distribution; and
  
  identifying, using the processor, whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for the at least one payload and the corresponding portion of the selected model distribution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, wherein the predetermined length range of the selected model distribution is based on partitions selected using kernel estimates for the byte value statistical distribution of all normal payloads.
  - 3. The method of claim 1, wherein the predetermined length range of the selected model distribution is based on partitions selected by applying at least one clustering algorithm to the byte value statistical distribution of all normal payloads.
  - 4. The method of claim 1, wherein byte value the statistical distribution of the at least one payload is a byte value distribution of the average frequency and variance of data contained in the at least one payload, and the selected model distribution is a byte value distribution of the average frequency and variance representative of normal payloads.
  - 5. The method of claim 1, wherein the byte value statistical distribution of the at least one payload is a byte value distribution of data contained in the at least one payload, and the selected model distribution is a byte value distribution representative of normal payloads.
  - 6. The method of claim 5, wherein the byte value distribution of the at least one payload is a byte frequency count of data contained in the at least one payload, and the selected model distribution is a byte frequency count for normal payloads.
  - 7. The method of claim 5, wherein the byte value distribution of the at least one payload is a rank ordered byte frequency count of data contained in the at least one payload, and the selected model distribution is a rank ordered byte frequency count for normal payloads.
  - 8. The method of claim 1, wherein:
    - the step of comparing further comprises a step of measuring a distance metric between the byte value statistical distribution of data contained in the at least one payload and the selected model distribution; and
      
      the step of identifying further comprises a step of identifying anomalous payloads as payloads that, at least in part, exceed a predetermined distance metric.
  - 9. The method of claim 8, wherein the distance metric is calculated based on a Mahalanobis distance between the byte value statistical distribution of data contained in the at least one payload and the selected model distribution.
  - 10. The method of claim 8, wherein the byte value statistical distribution of data contained in the at least one payload has a decaying profile, and wherein measurement of the distance metric is initiated at the decaying end.
  - 11. The method of claim 8, further comprising the steps of:
    - setting an alert threshold corresponding to a desired number of alerts for detected anomalous payloads; and
      
      automatically adjusting the predetermined distance metric until the alert threshold is reached.
  - 12. The method of claim 1, wherein the predetermined length range is selected from at least a prefix portion of the selected model distribution.
  - 13. The method of claim 1, wherein the predetermined length range is selected from at least a suffix portion of the selected model distribution.
  - 14. The method of claim 1, wherein the predetermined length range is selected from at least a central portion of the selected model distribution.
  - 15. The method of claim 1, wherein the predetermined length range of the selected model distribution is selected from a partition group consisting of:
    - 0-50 bytes, 50-150 bytes, 150-155 bytes, 0-255 bytes, less than 1000 bytes, greater than 2000 bytes, and greater than 10,000 bytes.
  - 16. The method of claim 1, wherein the byte value statistical distribution for the at least one payload and a statistical distribution of the selected model distribution are generated using an n-gram distribution, wherein each n-gram is a variable byte grouping.
  - 17. The method of claim 16, wherein n is a mixed value of byte groupings.
  - 18. The method of claim 16, wherein n=1.
  - 19. The method of claim 16, wherein n=2.
  - 20. The method of claim 16, wherein n=3.
  - 21. The method of claim 1, further comprising a step of determining whether a detected anomalous payload is a virus or worm.
  - 22. The method of claim 21, further comprising the steps of:
    - identifying a port which has been probed by the virus or worm;
      
      comparing egress traffic to the byte value statistical distribution for the virus or worm in order to detect probes to the same port on other machines; and
      
      detecting propagation of the worm or virus based on the step of comparing.
  - 23. The method of claim 21, further comprising a step of assigning different weight factors to selected byte values.
  - 24. The method of claim 23, wherein higher weight factors are assigned to byte values corresponding to operational codes of a computer system.
  - 25. The method of claim 21, further comprising a step of generating a signature for any anomalous payload determined to be the virus or worm.
  - 26. The method of claim 25, wherein the step of generating a signature further comprises the steps of:
    - identifying the longest common string for data contained in the payload determined to be the virus or worm; and
      
      generating the signature based, at least in part, on the longest common string.
  - 27. The method of claim 25, wherein the step of generating further comprises the steps of:
    - identifying the longest common subsequence for data contained in the payload determined to be the virus or worm; and
      
      generating the signature based, at least in part, on the longest common subsequence.
  - 28. The method of claim 25, further comprising a step of exchanging virus or worm signatures with one or more servers.

29. A system for detecting anomalous payloads transmitted through a network, comprising:
- a computer coupled to the network, and receiving at least one payload through the network; and
  
  one or more model distributions representative of normal payloads received through the network;
  
  said computer being configured to;
  
  determine a length for data contained in said at least one payload,generate a byte value statistical distribution of data contained in said at least one payload received within the network,selecting, from the one or more model distributions, a model byte value statistical distribution based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included in the predetermined length range;
  
  compare at least one portion of said generated byte value statistical distribution to a corresponding portion of said selected model byte value statistical distribution of said one or more model distributions, andidentify whether said at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for said at least one payload and the corresponding portion of said selected byte value model distribution.
- View Dependent Claims (30, 31, 32)
- - 30. The system of claim 29, wherein said computer is further configured to:
    - measure a distance metric between the byte value statistical distribution of data contained in said at least one payload and said selected byte value model distribution; and
      
      identify anomalous payloads as payloads that, at least in part, exceed a predetermined distance metric.
  - 31. The system of claim 29, wherein said computer is further configured to:
    - set an alert threshold corresponding to a desired number of alerts for detected anomalous payloads; and
      
      automatically adjust said predetermined distance metric until said alert threshold is reached.
  - 32. The system of claim 29, wherein said computer comprises at least one port and is further configured to:
    - determine whether a detected anomalous payload is a virus or worm;
      
      identify one of said ports which has been probed by said virus or worm; and
      
      detect propagation of said worm or virus by comparing egress traffic to the byte value statistical distribution for said virus or worm in order to detect probes to the same port on at least one other computer.

33. A computer readable storage medium storing instructions executable by a computer for modeling payload data received in a network, the instructions causing said computer to perform the method of:
- receiving at least one payload through the network;
  
  determining a length for data contained in the at least one payload;
  
  generating a byte value statistical distribution of data contained in the at least one payload received within the network;
  
  selecting, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;
  
  comparing at least one portion of the generated statistical distribution to a corresponding portion of the selected model distribution; and
  
  identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for said the at least one payload and the corresponding portion of the selected model distribution.
- View Dependent Claims (34, 35, 36)
- - 34. The computer readable storage medium of claim 33, further comprising instructions for causing said computer to perform the acts of:
    - measuring a distance metric between the byte value statistical distribution of data contained in said at least one payload and said selected model distribution; and
      
      identifying anomalous payloads as payloads that, at least in part, exceed a predetermined distance metric.
  - 35. The computer readable storage medium of claim 33, further comprising instructions for causing said computer to perform the acts of:
    - setting an alert threshold corresponding to a desired number of alerts for detected anomalous payloads; and
      
      automatically adjusting said predetermined distance metric until said alert threshold is reached.
  - 36. The computer readable storage medium of claim 33, further comprising instructions for causing said computer to perform the acts of:
    - determining whether a detected anomalous payload is a virus or worm;
      
      identifying one of said ports which has been probed by said virus or worm; and
      
      detecting propagation of said worm or virus by comparing egress traffic to the byte value statistical distribution for said virus or worm in order to detect probes to the same port on at least one other computer.

37. A system for detecting anomalous payloads transmitted through a network, comprising:
- means for receiving at least one payload through the network;
  
  means for determining a length for data contained in said at least one payload;
  
  means for generating a byte value statistical distribution of data contained in said at least one payload received within the network;
  
  means for selecting, from a plurality of model byte value statistical distributions, a model byte value statistical distribution representative of normal payloads transmitted through the network based at least in part on the determined length, wherein the model byte value statistical distribution has a predetermined length range and is selected such that the determined length for the data contained in the at least one payload is included within the predetermined length range;
  
  means for comparing at least one portion of the generated statistical distribution to a corresponding portion of the selected model distribution; and
  
  means for identifying whether the at least one payload is an anomalous payload based, at least in part, on differences detected between the at least one portion of the byte value statistical distribution for said the at least one payload and the corresponding portion of said the selected model distribution.
- View Dependent Claims (38, 39, 40)
- - 38. The system of claim 37, further comprising:
    - means for measuring a distance metric between the byte value statistical distribution of data contained in said at least one payload and said selected model distribution; and
      
      means for identifying anomalous payloads as payloads that, at least in part, exceed a predetermined distance metric.
  - 39. The system of claim 37, further comprising:
    - means for setting an alert threshold corresponding to a desired number of alerts for detected anomalous payloads; and
      
      means for automatically adjusting said predetermined distance metric until said alert threshold is reached.
  - 40. The system of claim 37, further comprising:
    - means for determining whether a detected anomalous payload is a virus or worm;
      
      means for identifying one of said ports which has been probed by said virus or worm; and
      
      means for detecting propagation of said worm or virus by comparing egress traffic to the byte value statistical distribution for said virus or worm in order to detect probes to the same port on at least one other computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Stolfo, Salvatore J., Wang, Ke
Primary Examiner(s)
Moe, Aung S
Assistant Examiner(s)
Pasia, Redentor M

Application Number

US10/986,447
Publication Number

US 20050281291A1
Time in Patent Office

1,873 Days
Field of Search

370229-231, 370/235, 370/250, 370252-253, 370/389, 370/392, 370/401, 370/476, 370470-472, 370/474, 713/176, 713188-189, 726/1, 726/3, 726/11, 726/13, 726/14, 726 22- 25, 709223-225
US Class Current

370/474
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

H04L 43/00   Arrangements for monitoring...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

399 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

399 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links