Real-time Malicious Code Detection in Network Traffic: The PAYL Payload Anomaly Detector

Award Information
Agency: Department of Homeland Security
Branch: N/A
Contract: NBCHC050007
Agency Tracking Number: 0421001
Amount: $98,597.00
Phase: Phase I
Program: SBIR
Solicitation Topic Code: H-SB04.2-002
Solicitation Number: N/A
Timeline
Solicitation Year: N/A
Award Year: 2004
Award Start Date (Proposal Award Date): N/A
Award End Date (Contract End Date): N/A
Small Business Information
5 West 19th Street Suite 2000
New York, NY 10011
United States
DUNS: N/A
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 Gregory Shannon
 Director of Security Services
 (212) 206-1900
 shannon@sysd.com
Business Contact
 Harvey Weiss
Phone: (212) 206-1900
Email: hlw@sysd.com
Research Institution
N/A
Abstract

This proposal, a collaboration between Columbia University and System Detection Inc., concerns research on a new payload anomaly detector, which we call PAYL, that has been demonstrated to detect malicious code in network traffic. The core concept is to statistically model normal content and detect anomalous packet content indicative of malicious exploit code. The approach is very fast to compute, is stateless, does not parse the input stream, generates a small model, and can easily be modified into an incremental online learning algorithm to deal with changing network traffic. The method provides a compact signature of newly detected exploits and preserves the privacy of content data. We believe the method will be highly competitive with other approaches that are based upon code emulation or simulation techniques. We focus on solving the false positive problem typically associated with anomaly detectors by employing other correlated models to identify true positives with high accuracy and confidence, analyzing only a subset of the network data in each packet or connection. The successful results of the research and development will be commercialized by System Detection Inc. by embedding a new plug-in detector in their Antura security product for the prevention of new attack exploits.
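
The abstract describes the approach only in outline: model the statistics of normal packet content, score each packet independently without parsing it, keep the model small, and update it incrementally. The following is an added illustration of that idea and is not the PAYL code or any code from Columbia University or System Detection Inc. It assumes a 1-gram (single byte) frequency model with a running mean and standard deviation per byte value, a simplified Mahalanobis-style distance, a smoothing constant `SMOOTHING`, and a threshold calibration factor of 3; the HTTP requests and the binary payload used as input are constructed for the example.

```python
"""Illustrative 1-gram payload anomaly detector (added example, not the project's code).

The model is just two arrays of 256 floats (per-byte mean and sum of squared
deviations), so it is small, stores no packet content (privacy-preserving),
and scores each payload on its own (stateless), without parsing the protocol.
"""
import math

SMOOTHING = 0.001  # assumed constant: keeps never-seen bytes from dividing by zero


def byte_histogram(payload: bytes) -> list[float]:
    """Relative frequency of each byte value; no protocol parsing involved."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    total = len(payload) or 1
    return [c / total for c in counts]


class ByteFrequencyModel:
    """Running per-byte mean and variance of normal traffic (Welford's online update)."""

    def __init__(self) -> None:
        self.n = 0
        self.mean = [0.0] * 256
        self.m2 = [0.0] * 256  # running sum of squared deviations, per byte value

    def update(self, payload: bytes) -> None:
        """Incremental (online) learning step: fold one normal payload into the model."""
        h = byte_histogram(payload)
        self.n += 1
        for i in range(256):
            delta = h[i] - self.mean[i]
            self.mean[i] += delta / self.n
            self.m2[i] += delta * (h[i] - self.mean[i])

    def stddev(self, i: int) -> float:
        return math.sqrt(self.m2[i] / (self.n - 1)) if self.n > 1 else 0.0

    def distance(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance: sum over byte values of |x - mean| / (std + SMOOTHING)."""
        h = byte_histogram(payload)
        return sum(abs(h[i] - self.mean[i]) / (self.stddev(i) + SMOOTHING)
                   for i in range(256))


def train(payloads) -> ByteFrequencyModel:
    model = ByteFrequencyModel()
    for p in payloads:
        model.update(p)
    return model


def calibrate_threshold(model: ByteFrequencyModel, payloads, factor: float = 3.0) -> float:
    """Assumed calibration rule: a multiple of the largest distance seen on training data."""
    return factor * max(model.distance(p) for p in payloads)


def is_anomalous(model: ByteFrequencyModel, payload: bytes, threshold: float) -> bool:
    return model.distance(payload) > threshold


def _request(path: str) -> bytes:
    """Constructed sample HTTP request (not captured traffic)."""
    return (f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n"
            f"User-Agent: curl/7.0\r\nAccept: */*\r\n\r\n").encode()


# Constructed "normal" traffic used to train the model.
TRAINING = [_request(p) for p in ("/index.html", "/about.html", "/robots.txt",
                                  "/images/logo.png", "/contact.html",
                                  "/news/2004/index.html")]
HELD_OUT_NORMAL = _request("/news/about.html")
# Constructed payload made almost entirely of non-ASCII bytes, unlike any training request.
BINARY_PAYLOAD = bytes(range(0x80, 0x100)) * 2 + b"GET /"


def demo() -> dict:
    """Train, calibrate a threshold, and score a normal and a non-text payload."""
    model = train(TRAINING)
    threshold = calibrate_threshold(model, TRAINING)
    return {
        "threshold": threshold,
        "held_out": model.distance(HELD_OUT_NORMAL),
        "binary": model.distance(BINARY_PAYLOAD),
        "binary_flagged": is_anomalous(model, BINARY_PAYLOAD, threshold),
        "held_out_flagged": is_anomalous(model, HELD_OUT_NORMAL, threshold),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Bytes that never occur in normal traffic have a mean and standard deviation of zero, so any payload dominated by them scores far above the threshold, while a request built from the same character repertoire as the training set stays close to the model. Because the model keeps only per-byte statistics, the same structure could be kept separately per destination port or payload length, or compared across sensors without exchanging any packet content.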

* Information listed above is at the time of submission. *