Apparatus method and medium for tracing the origin of network transmissions using N-gram distribution of data

US 9,003,528 B2
Filed: 07/17/2012
Issued: 04/07/2015
Est. Priority Date: 11/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method of tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the method comprising:

creating, using a hardware processor, a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;

generating, using the hardware processor, a byte value statistical distribution of data contained in a data payload corresponding to the connection record;

calculating, using the hardware processor, a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;

identifying, using the hardware processor, the data payload as a suspect data payload based on the calculated distance;

setting, using the hardware processor, the first computer system as a suspect computer system;

upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determining, using the hardware processor, address information associated with the at least one byte value statistical distribution; and

setting, using the hardware processor, a second computer system associated with the address information as the suspect computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.

Citations

24 Claims

1. A method of tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the method comprising:
- creating, using a hardware processor, a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;
  
  generating, using the hardware processor, a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
  
  calculating, using the hardware processor, a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;
  
  identifying, using the hardware processor, the data payload as a suspect data payload based on the calculated distance;
  
  setting, using the hardware processor, the first computer system as a suspect computer system;
  
  upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determining, using the hardware processor, address information associated with the at least one byte value statistical distribution; and
  
  setting, using the hardware processor, a second computer system associated with the address information as the suspect computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising selecting the model statistical distribution from a plurality of model byte frequency statistical distributions based at least in part on a length of the data contained in the data payload.
  - 3. The method of claim 1, wherein the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload are byte frequency count.
  - 4. The method of claim 1, wherein the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload are rank ordered byte frequency count.
  - 5. The method of claim 1, wherein determining at least one byte value distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload further comprises:
    - measuring a distance metric between the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload; and
      
      determining that the at least one byte value statistical distribution is similar to the byte value statistical distribution of the data contained in the suspect data payload based at least in part on comparing the distance metric to a predetermined distance.
  - 6. The method of claim 5, wherein the distance metric is calculated based on a Mahalanobis distance between the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload.
  - 7. The method of claim 1, further comprising assigning different weight factors to selected byte values of the byte value statistical distribution of the data contained in the suspect data payload.
  - 8. The method of claim 7, wherein higher weight factors are assigned to byte values corresponding to operational codes of a computer system.

9. A system for tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the system comprising:
- a processor that;
  
  creates a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;
  
  generates a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
  
  identifies the data payload as a suspect data payload based on differences detected between the byte value statistical distribution of data contained in the suspect data payload and a model statistical distribution representative of normal payloads transmitted through the computer network;
  
  calculates a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;
  
  identifies the data payload as a suspect data payload based on the calculated distance;
  
  sets the first computer system as a suspect computer system;
  
  upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determines address information associated with the at least one byte value statistical distribution; and
  
  sets a second computer system associated with the address information as the suspect computer system.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the processor is further configured to select the model statistical distribution from a plurality of model byte frequency statistical distributions based at least in part on a length of the data contained in the data payload.
  - 11. The system of claim 9, wherein the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload are byte frequency count.
  - 12. The system of claim 9, wherein the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload are rank ordered byte frequency count.
  - 13. The system of claim 9, wherein the processor is further configured to:
    - measure a distance metric between the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload; and
      
      determine that the at least one byte value statistical distribution is similar to the byte value statistical distribution of the data contained in the suspect data payload based at least in part on comparing the distance metric to a predetermined distance.
  - 14. The system of claim 13, wherein the distance metric is calculated based on a Mahalanobis distance between the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload.
  - 15. The system of claim 9, wherein the processor is further configured to assign different weight factors to selected byte values of the byte value statistical distribution of the data contained in the suspect data payload.
  - 16. The system of claim 15, wherein higher weight factors are assigned to byte values corresponding to operational codes of a computer system.

17. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the method comprising:
- creating a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;
  
  generating a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
  
  calculating a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;
  
  identifying the data payload as a suspect data payload based on the calculated distance;
  
  setting the first computer system as a suspect computer system;
  
  upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determining address information associated with the at least one byte value statistical distribution; and
  
  setting a second computer system associated with the address information as the suspect computer system.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the method further comprises selecting the model statistical distribution from a plurality of model byte frequency statistical distributions based at least in part on a length of the data contained in the data payload.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload are byte frequency count.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload are rank ordered byte frequency count.
  - 21. The non-transitory computer-readable medium of claim 17, wherein determining at least one byte value distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload further comprises:
    - measuring a distance metric between the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload; and
      
      determining that the at least one byte value statistical distribution is similar to the byte value statistical distribution of the data contained in the suspect data payload based at least in part on comparing the distance metric to a predetermined distance.
  - 22. The non-transitory computer-readable medium of claim 21, wherein the distance metric is calculated based on a Mahalanobis distance between the at least one byte value statistical distribution and the byte value statistical distribution of the data contained in the suspect data payload.
  - 23. The non-transitory computer-readable medium of claim 17, wherein the method further comprises assigning different weight factors to selected byte values of the byte value statistical distribution of the data contained in the suspect data payload.
  - 24. The non-transitory computer-readable medium of claim 23, wherein higher weight factors are assigned to byte values corresponding to operational codes of a computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Stolfo, Salvatore J.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/550,711
Publication Number

US 20130174255A1
Time in Patent Office

994 Days
Field of Search

726 11- 15, 726 22- 24
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

H04L 43/00   Arrangements for monitoring...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0218   Distributed architectures, ...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Apparatus method and medium for tracing the origin of network transmissions using N-gram distribution of data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus method and medium for tracing the origin of network transmissions using N-gram distribution of data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links