Apparatus method and medium for tracing the origin of network transmissions using N-gram distribution of data
First Claim
1. A method of tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the method comprising:
creating, using a hardware processor, a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;
generating, using the hardware processor, a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
calculating, using the hardware processor, a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;
identifying, using the hardware processor, the data payload as a suspect data payload based on the calculated distance;
setting, using the hardware processor, the first computer system as a suspect computer system;
upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determining, using the hardware processor, address information associated with the at least one byte value statistical distribution; and
setting, using the hardware processor, a second computer system associated with the address information as the suspect computer system.
Abstract
A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at a computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of the data in the payload being transmitted. That statistical distribution can be compared against the distributions stored in the connection records in order to identify the sender. The location of the sender can then be determined from the source address stored in the matching connection record. The process can be repeated multiple times until the location of the original sender has been traced.
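As an added example that is not part of the patent text, the following Python sketch carries the claimed steps through on constructed traffic: each connection record stores a 1-gram byte-value profile of its payload, each payload is scored against a per-byte mean and standard deviation model of normal payloads, a deviating payload into the target marks its sender as suspect, and records with a similar profile are then followed back hop by hop to the earlier source address. The model form, the two distance measures, the thresholds, and all addresses and payloads are assumptions; the patent does not specify them.

```python
import math
from collections import Counter

def byte_distribution(payload: bytes) -> list:
    """Relative frequency of each of the 256 byte values: the payload's 1-gram profile."""
    counts, n = Counter(payload), max(len(payload), 1)
    return [counts.get(b, 0) / n for b in range(256)]

def train_model(normal_payloads):
    """Model of normal traffic as per-byte-value mean and standard deviation (assumed form)."""
    dists = [byte_distribution(p) for p in normal_payloads]
    mean = [sum(d[b] for d in dists) / len(dists) for b in range(256)]
    std = [math.sqrt(sum((d[b] - mean[b]) ** 2 for d in dists) / len(dists)) for b in range(256)]
    return mean, std

def model_distance(dist, model, smoothing=0.001):
    """Simplified Mahalanobis-style distance of a profile from the normal model (assumption)."""
    return sum(abs(dist[b] - model[0][b]) / (model[1][b] + smoothing) for b in range(256))

def profile_distance(d1, d2):  # Manhattan distance between two profiles; 0 means identical
    return sum(abs(a - b) for a, b in zip(d1, d2))

def trace_origin(records, target, model, threshold, similarity=0.05):
    """Walk a suspect payload back hop by hop; returns suspect hosts nearest the target first."""
    chain, suspect_profile = [], None
    for rec in records:  # a record into the target whose payload deviates from the model
        if rec["dst"] == target and model_distance(rec["profile"], model) > threshold:
            chain.append(rec["src"])
            suspect_profile = rec["profile"]
            break
    while suspect_profile is not None:  # repeat with the latest suspect host as the new target
        match = next((r for r in records if r["dst"] == chain[-1]
                      and profile_distance(r["profile"], suspect_profile) < similarity), None)
        if match is None or match["src"] in chain:  # no earlier hop found, or a loop
            break
        chain.append(match["src"])
    return chain

# Constructed sample: benign HTTP requests train the model; a binary-looking payload spreads
# 10.0.0.5 -> 10.0.0.9 -> 10.0.0.14 (all addresses and payloads are made up).
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: a.test\r\n\r\n", b"GET /about.html HTTP/1.1\r\nHost: a.test\r\n\r\n",
          b"POST /login HTTP/1.1\r\nHost: a.test\r\n\r\nuser=alice", b"GET /logo.png HTTP/1.1\r\nHost: a.test\r\n\r\n"]
MODEL = train_model(NORMAL)
WORM = bytes(range(0x80, 0x100)) * 2 + b"\x90" * 32
HOPS = [("10.0.0.5", "10.0.0.9", WORM + b"\x00" * 4),  # first hop, slightly altered payload
        ("10.0.0.7", "10.0.0.9", NORMAL[0]),           # benign traffic into the same host
        ("10.0.0.9", "10.0.0.14", WORM),               # second hop, into the end target
        ("10.0.0.14", "10.0.0.2", NORMAL[1])]          # unrelated benign record
RECORDS = [{"src": s, "dst": d, "profile": byte_distribution(p)} for s, d, p in HOPS]
TRACE = trace_origin(RECORDS, "10.0.0.14", MODEL, threshold=300)  # ['10.0.0.9', '10.0.0.5']
```

The benign record into 10.0.0.9 is ignored because its profile is far from the suspect profile, and the walk stops at 10.0.0.5 because no record into that host carries a similar payload.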
24 Claims
1. A method of tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the method comprising:
creating, using a hardware processor, a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;
generating, using the hardware processor, a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
calculating, using the hardware processor, a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;
identifying, using the hardware processor, the data payload as a suspect data payload based on the calculated distance;
setting, using the hardware processor, the first computer system as a suspect computer system;
upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determining, using the hardware processor, address information associated with the at least one byte value statistical distribution; and
setting, using the hardware processor, a second computer system associated with the address information as the suspect computer system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A system for tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the system comprising:
a processor that:
creates a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;
generates a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
identifies the data payload as a suspect data payload based on differences detected between the byte value statistical distribution of data contained in the suspect data payload and a model statistical distribution representative of normal payloads transmitted through the computer network;
calculates a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;
identifies the data payload as a suspect data payload based on the calculated distance;
sets the first computer system as a suspect computer system;
upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determines address information associated with the at least one byte value statistical distribution; and
sets a second computer system associated with the address information as the suspect computer system.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for tracing the location of an origin computer system that initially transmits a suspect data payload across a computer network to an end target computer system, the method comprising:
creating a connection record for a transmission to a first computer system through the computer network of a plurality of computer systems;
generating a byte value statistical distribution of data contained in a data payload corresponding to the connection record;
calculating a distance between the byte value statistical distribution of data contained in the data payload and a model distribution representative of normal payloads transmitted through the computer network;
identifying the data payload as a suspect data payload based on the calculated distance;
setting the first computer system as a suspect computer system;
upon determining at least one byte value statistical distribution that is similar to the byte value statistical distribution of the data contained in the suspect data payload, determining address information associated with the at least one byte value statistical distribution; and
setting a second computer system associated with the address information as the suspect computer system.
Dependent claims: 18, 19, 20, 21, 22, 23, 24