Real-time Malicious Code Detection in Network Traffic: The PAYL Payload Anomaly Detector
Title: Director of Security Services
Phone: (212) 206-1900
Email: shannon@sysd.com
Phone: (212) 206-1900
Email: hlw@sysd.com
This proposal, a collaboration between Columbia University and System Detection Inc., concerns research on a new payload anomaly detector, which we call PAYL, that has been demonstrated to detect malicious code in network traffic. The core idea is to build a statistical model of normal packet content and to flag packet content that deviates from that model as indicative of malicious exploit code. The approach is very fast to compute, is stateless, does not parse the input stream, produces a small model, and can easily be turned into an incremental online learning algorithm that adapts to changing network traffic. The method yields a compact signature for each newly detected exploit and preserves the privacy of content data, since the model captures statistics of the traffic rather than the traffic itself. We believe it will be highly competitive with approaches based on code emulation or simulation. We focus on the false positive problem typically associated with anomaly detectors: by employing other correlated models, and by analyzing only a subset of the data in each packet or connection, we aim to identify true positives with high accuracy and confidence. System Detection Inc. will commercialize the results of the research and development by embedding the detector as a new plug-in for its Antura security product, for the prevention of new attack exploits.
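The following is an added worked example, not code from this proposal, from Columbia, or from System Detection Inc. It illustrates the kind of content model the abstract describes: a 1-gram byte-frequency profile of normal payloads, learned incrementally so no training payloads are retained, with a distance score that flags packets whose byte distribution departs from the profile. The per-byte mean/standard-deviation model, the diagonal (simplified) Mahalanobis distance, the smoothing constant, the threshold factor, and all of the sample traffic are my own assumptions and constructions for illustration; none of them are taken from this page.

```python
# Added example (not the proposal's or PAYL's own code): a toy 1-gram payload
# anomaly detector. Model form, distance, smoothing, threshold factor and the
# sample traffic below are assumptions made for illustration.
import math
from typing import List, Sequence

N_SYMBOLS = 256
SMOOTHING = 0.001  # added to each std dev so never-seen byte values do not divide by zero (assumption)


def byte_frequencies(payload: bytes) -> List[float]:
    """Normalised 1-gram histogram: fraction of the payload made up of each byte value."""
    counts = [0] * N_SYMBOLS
    for b in payload:
        counts[b] += 1
    total = max(len(payload), 1)
    return [c / total for c in counts]


class PayloadModel:
    """Per-byte-value mean and variance of payload frequencies, learned incrementally.

    Welford's online update is used, so the model is updated one packet at a time
    and never needs to store the training payloads themselves (only 2*256 floats).
    """

    def __init__(self) -> None:
        self.n = 0
        self.mean = [0.0] * N_SYMBOLS
        self._m2 = [0.0] * N_SYMBOLS  # running sum of squared deviations from the mean

    def update(self, payload: bytes) -> None:
        freq = byte_frequencies(payload)
        self.n += 1
        for i in range(N_SYMBOLS):
            delta = freq[i] - self.mean[i]
            self.mean[i] += delta / self.n
            self._m2[i] += delta * (freq[i] - self.mean[i])

    def stddev(self, i: int) -> float:
        return math.sqrt(self._m2[i] / self.n) if self.n > 0 else 0.0

    def distance(self, payload: bytes) -> float:
        """Simplified Mahalanobis distance: sum over byte values of |f - mean| / (sd + alpha).

        A byte value never seen in training has sd == 0, so any occurrence of it is
        penalised by f / alpha; that is what makes a run of 0x90 or raw binary stand
        out against text-only traffic.
        """
        freq = byte_frequencies(payload)
        return sum(
            abs(freq[i] - self.mean[i]) / (self.stddev(i) + SMOOTHING)
            for i in range(N_SYMBOLS)
        )


def train(payloads: Sequence[bytes]) -> PayloadModel:
    model = PayloadModel()
    for p in payloads:
        model.update(p)  # one pass, incremental; could continue online in deployment
    return model


def calibrate_threshold(model: PayloadModel, payloads: Sequence[bytes], factor: float = 2.0) -> float:
    """Threshold = factor x the largest distance any training payload has from the model (assumption)."""
    return factor * max(model.distance(p) for p in payloads)


def is_anomalous(model: PayloadModel, threshold: float, payload: bytes) -> bool:
    return model.distance(payload) > threshold


# Constructed sample traffic (not captured data): plain HTTP/1.1 requests to one host.
NORMAL_TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /news/2004/story.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n",
    b"GET /style.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.0\r\n\r\n",
]
NORMAL_TEST = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
# Constructed anomaly: a request line followed by a long run of 0x90 and some high
# byte values, mimicking the shape of a NOP sled. It carries no real exploit code.
ANOMALOUS = b"GET /" + b"\x90" * 300 + bytes(range(0xA0, 0xC0)) + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    model = train(NORMAL_TRAINING)
    threshold = calibrate_threshold(model, NORMAL_TRAINING)
    for label, p in (("normal", NORMAL_TEST), ("anomalous", ANOMALOUS)):
        d = model.distance(p)
        print(f"{label:9s} distance={d:8.1f} flagged={is_anomalous(model, threshold, p)}")
```

In a real deployment one such model would be kept per destination port and payload-length range rather than one global model, since normal content for port 80 and port 25 differs; the threshold factor and smoothing constant are tuning parameters, and the correlation with other models that the abstract mentions as its answer to false positives is not shown here.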
* Information listed above is at the time of submission. *