Apparatus method and medium for detecting payload anomaly using N-gram distribution of normal data
First Claim
Patent Images
1. A method for verifying a file type, the method comprising:
- receiving, using a hardware processor, a file identified as corresponding to a first file type from a first source;
generating a byte value statistical distribution of the data included in the file received from the first source;
selecting a model byte value statistical distribution representative of the first file type from model byte value statistical distributions representative of a plurality of file types;
determining a distance metric between the byte value statistical distribution of the data included in the file and the selected model byte value statistical distribution; and
verifying that a file type of the received file is the first file type based on a comparison of the distance metric to a distance metric threshold indicating that the file type of received file is the first file type.
0 Assignments
0 Petitions
Accused Products
Abstract
A method, apparatus and medium are provided for detecting anomalous payloads transmitted through a network. The system receives payloads within the network and determines a length for data contained in each payload. A statistical distribution is generated for data contained in each payload received within the network, and compared to a selected model distribution representative of normal payloads transmitted through the network. The model payload can be selected such that it has a predetermined length range that encompasses the length for data contained in the received payload. Anomalous payloads are then identified based on differences detected between the statistical distribution of received payloads and the model distribution. The system can also provide for automatic training and incremental updating of models.
78 Citations
19 Claims
-
1. A method for verifying a file type, the method comprising:
-
receiving, using a hardware processor, a file identified as corresponding to a first file type from a first source; generating a byte value statistical distribution of the data included in the file received from the first source; selecting a model byte value statistical distribution representative of the first file type from model byte value statistical distributions representative of a plurality of file types; determining a distance metric between the byte value statistical distribution of the data included in the file and the selected model byte value statistical distribution; and verifying that a file type of the received file is the first file type based on a comparison of the distance metric to a distance metric threshold indicating that the file type of received file is the first file type. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system for verifying a file type, the system comprising:
a hardware processor that is programmed to; receive a file identified as corresponding to a first file type from a first source; generate a byte value statistical distribution of the data included in the file received from the first source; select a model byte value statistical distribution representative of the first file type from model byte value statistical distributions representative of a plurality of file types; determine a distance metric between the byte value statistical distribution of the data included in the file and the selected model byte value statistical distribution; and verify that a file type of the received file is the first file type based on a comparison of the distance metric to a distance metric threshold indicating that the file type of received file is the first file type. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
19. A non-transitory computer-readable medium containing instructions that, when executed by a processor, cause the processor to perform a method for verifying a file type, the method comprising:
-
receiving a file identified as corresponding to a first file type from a first source; generating a byte value statistical distribution of the data included in the file received from the first source; selecting a model byte value statistical distribution representative of the first file type from model byte value statistical distributions representative of a plurality of file types; determining a distance metric between the byte value statistical distribution of the data included in the file and the selected model byte value statistical distribution; and verifying that a file type of the received file is the first file type based on a comparison of the distance metric to a distance metric threshold indicating that the file type of received file is the first file type.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeTrustees Of Columbia University In The City Of New York (Columbia University)
-
Original AssigneeTrustees Of Columbia University In The City Of New York (Columbia University)
-
InventorsStolfo, Salvatore J, Wang, Ke
-
Primary Examiner(s)PASIA, REDENTOR M
-
Application NumberUS14/146,533Publication NumberTime in Patent Office789 DaysField of Search370/392, 370/401, 370/470, 370471-474, 370/476, 726/1, 726/3, 726/11, 726/13, 726/14, 726/22, 726/23, 726/24, 726/25, 713/176, 713/189US Class Current1/1CPC Class CodesG06F 21/55 Detecting local intrusion o...G06F 21/552 involving long-term monitor...G06F 21/554 involving event detection a...G06F 21/56 Computer malware detection ...G06F 21/562 Static detectionG06F 21/563 by source code analysisG06F 21/564 by virus signature recognitionH04L 43/00 Arrangements for monitoring...H04L 43/0876 Network utilisation, e.g. v...H04L 63/0218 Distributed architectures, ...H04L 63/0245 Filtering by information in...H04L 63/0263 Rule managementH04L 63/029 Firewall traversal, e.g. tu...H04L 63/1425 Traffic logging, e.g. anoma...H04L 63/145 the attack involving the pr...
