Detecting network anomalies by probabilistic modeling of argument strings with Markov chains
First Claim
1. A method for detecting network anomalies, the method comprising:
receiving, by a hardware processor, a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network;
applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and
performing a predetermined action in response to determining that the communication protocol message is anomalous.
Abstract
Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
16 Citations
30 Claims
1. A method for detecting network anomalies, the method comprising:
receiving, by a hardware processor, a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network; applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and performing a predetermined action in response to determining that the communication protocol message is anomalous.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system for detecting network anomalies, the system comprising:
a processor that is configured to: receive a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network; apply a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and perform a predetermined action in response to determining that the communication protocol message is anomalous.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.

21. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting network anomalies, the method comprising:
receiving a communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network; applying a probabilistic model to the received communication protocol message to determine whether the communication protocol message is anomalous based on determining that at least one n-gram in the communication protocol message is anomalous, wherein the probabilistic model uses at least one Markov chain specified by one or more parameters to determine a probability that the argument string is anomalous based on n-grams in the argument string, and wherein the probabilistic model was trained based on content and structure of an argument string included in each of a plurality of communication protocol messages included in a training dataset; and performing a predetermined action in response to determining that the communication protocol message is anomalous.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
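The abstract and the three independent claims describe the same pipeline in words: train a Markov chain on the n-grams of benign argument strings, score the argument string of each incoming message, flag the message when at least one n-gram is improbable, and take a predetermined action. The Python below is an added example written for this page to make that pipeline concrete; it is not code from the patent or its assignee. The benign training strings, the choice of character bigrams as the chain state, the 0.1 smoothing constant, the 1.0-nat calibration margin and the "allow"/"alert" action names are all constructed assumptions.

```python
"""Added example: a character n-gram Markov-chain detector for argument strings."""
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"  # padding symbols that mark string boundaries

# Constructed benign training set (hypothetical query strings, not patent data):
# ids 100-139 with pages 1-4, plus a few user/lang pairs.
TRAINING = (
    [f"id={i}&page={p}" for i in range(100, 140) for p in range(1, 5)]
    + [f"user={u}&lang={l}" for u in ("alice", "bob", "carol", "dave")
       for l in ("en", "fr", "de")]
)


class NgramMarkovModel:
    """Markov chain whose state is the previous n characters (an n-gram)."""

    def __init__(self, n=2, alpha=0.1):
        self.n = n
        self.alpha = alpha  # additive smoothing so unseen transitions stay finite
        self.transitions = defaultdict(Counter)  # n-gram state -> next-char counts
        self.alphabet = set()

    def _transitions(self, s):
        """Yield (state, next_char) pairs over the padded string."""
        padded = START * self.n + s + END
        for i in range(self.n, len(padded)):
            yield padded[i - self.n:i], padded[i]

    def train(self, strings):
        """Learn transition counts (the chain's parameters) from benign strings."""
        for s in strings:
            self.alphabet.update(s)
            self.alphabet.add(END)
            for state, nxt in self._transitions(s):
                self.transitions[state][nxt] += 1

    def transition_log_prob(self, state, nxt):
        v = len(self.alphabet) + 1  # +1 reserves mass for never-seen symbols
        counts = self.transitions.get(state, Counter())
        denom = sum(counts.values()) + self.alpha * v
        return math.log((counts[nxt] + self.alpha) / denom)

    def score(self, s):
        """Mean per-character log probability; lower means more surprising."""
        lps = [self.transition_log_prob(st, nx) for st, nx in self._transitions(s)]
        return sum(lps) / len(lps)

    def surprising_ngrams(self, s, k=3):
        """The k least likely (n+1)-grams: the n-grams that drive an anomaly verdict."""
        scored = [(st.replace(START, "^") + nx.replace(END, "$"),
                   self.transition_log_prob(st, nx))
                  for st, nx in self._transitions(s)]
        return sorted(scored, key=lambda t: t[1])[:k]


def build_detector(training, margin=1.0):
    """Train on benign traffic; the threshold sits `margin` nats below the worst benign score."""
    model = NgramMarkovModel(n=2, alpha=0.1)
    model.train(training)
    threshold = min(model.score(s) for s in training) - margin
    return model, threshold


MODEL, THRESHOLD = build_detector(TRAINING)


def inspect(arg_string):
    """Return the 'predetermined action' for a message's argument string,
    plus the n-grams that triggered it when the verdict is an alert."""
    if MODEL.score(arg_string) < THRESHOLD:
        return "alert", MODEL.surprising_ngrams(arg_string)
    return "allow", []


if __name__ == "__main__":
    # Constructed inputs: one in-distribution request, one with characters
    # and structure the benign traffic never contained.
    for msg in ("id=121&page=3", "id=1' OR '1'='1"):
        print(repr(msg), round(MODEL.score(msg), 2), inspect(msg))
```

Two design points carry over to a real deployment. Averaging the log probability per character keeps long and short argument strings comparable, so the threshold is not simply a length filter. Reporting the least likely n-grams alongside the verdict is what makes the alert actionable for an analyst: it shows which part of the string the chain found improbable, which is also the natural place to look when a false positive reveals that the training data missed a legitimate parameter format and the model needs retraining.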
Specification