Patents by Inventor Angelos D. Keromytis

Angelos D. Keromytis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11599628
    Abstract: Systems, methods, and media for detecting the presence of return-oriented programming (ROP) payloads are provided, comprising: identifying a potential gadget address space; determining if a piece of the data corresponds to an address of the potential gadget address space; and in response to determining that the piece of the data corresponds to an address of the potential gadget address space: determining whether a plurality of operations, each associated one of a plurality instructions beginning at the address, indicates that an ROP payload is present in the data, and indicating that an ROP payload is present in the data in response to making a determination that a plurality of operations indicates that an ROP payload is present in the data a given number of times.
    Type: Grant
    Filed: May 7, 2021
    Date of Patent: March 7, 2023
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michalis Polychronakis, Angelos D. Keromytis
  • Publication number: 20220058077
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Application
    Filed: March 16, 2021
    Publication date: February 24, 2022
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stylianos Sidiroglou
  • Patent number: 11106799
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: August 31, 2021
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20210264022
    Abstract: Systems, methods, and media for detecting the presence of return-oriented programming (ROP) payloads are provided, comprising: identifying a potential gadget address space; determining if a piece of the data corresponds to an address of the potential gadget address space; and in response to determining that the piece of the data corresponds to an address of the potential gadget address space: determining whether a plurality of operations, each associated one of a plurality instructions beginning at the address, indicates that an ROP payload is present in the data, and indicating that an ROP payload is present in the data in response to making a determination that a plurality of operations indicates that an ROP payload is present in the data a given number of times.
    Type: Application
    Filed: May 7, 2021
    Publication date: August 26, 2021
    Inventors: Michalis Polychronakis, Angelos D. Keromytis
  • Publication number: 20210096941
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Application
    Filed: May 13, 2020
    Publication date: April 1, 2021
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stylianos Sidiroglou
  • Patent number: 10902111
    Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: January 26, 2021
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Wei-Jen Li, Angelos D. Keromytis, Elli Androulaki
  • Patent number: 10819726
    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
    Type: Grant
    Filed: July 26, 2018
    Date of Patent: October 27, 2020
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Yingbo Song, Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20200019705
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Application
    Filed: September 23, 2019
    Publication date: January 16, 2020
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20190370460
    Abstract: Systems, methods, and media for detecting the presence of return-oriented programming (ROP) payloads are provided, comprising: identifying a potential gadget address space; determining if a piece of the data corresponds to an address of the potential gadget address space; and in response to determining that the piece of the data corresponds to an address of the potential gadget address space: determining whether a plurality of operations, each associated one of a plurality instructions beginning at the address, indicates that an ROP payload is present in the data, and indicating that an ROP payload is present in the data in response to making a determination that a plurality of operations indicates that an ROP payload is present in the data a given number of times.
    Type: Application
    Filed: January 25, 2019
    Publication date: December 5, 2019
    Inventors: Michalis Polychronakis, Angelos D. Keromytis
  • Publication number: 20190311113
    Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
    Type: Application
    Filed: December 11, 2018
    Publication date: October 10, 2019
    Inventors: Salvatore J. Stolfo, Wei-Jen Li, Angelos D. Keromytis, Elli Androulaki
  • Patent number: 10423788
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Grant
    Filed: August 25, 2016
    Date of Patent: September 24, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20190250979
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Application
    Filed: October 30, 2018
    Publication date: August 15, 2019
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stylianos Sidiroglou
  • Publication number: 20190250978
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Application
    Filed: October 30, 2018
    Publication date: August 15, 2019
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stylianos Sidiroglou
  • Patent number: 10367797
    Abstract: Methods, systems, and media for automatically authenticating a user account using multiple services are provided. In accordance with some embodiments of the disclosed subject matter, methods for authenticating a user using multiple services are provided, the methods comprising: receiving, from a client device, first credentials for a target service account; authenticating the target service account based on the first credentials; issuing a redirecting request that directs the client device to at least one vouching service in response to authenticating the target service account; receiving a vouching response indicating that the client device has authenticated a vouching service account with the at least one vouching service, wherein the vouching response includes a vouching token; and providing the client device with access to the target service account in response to determining that the vouching service account is associated with the target service account.
    Type: Grant
    Filed: August 7, 2014
    Date of Patent: July 30, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Elias Athanasopoulos, Georgios Kontaxis, Georgios Portokalidis
  • Publication number: 20190182279
    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
    Type: Application
    Filed: July 26, 2018
    Publication date: June 13, 2019
    Inventors: Yingbo Song, Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 10305919
    Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: May 28, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis, Ke Wang
  • Patent number: 10192049
    Abstract: Systems, methods, and media for detecting the presence of return-oriented programming (ROP) payloads are provided, comprising: identifying a potential gadget address space; determining if a piece of the data corresponds to an address of the potential gadget address space; and in response to determining that the piece of the data corresponds to an address of the potential gadget address space: determining whether a plurality of operations, each associated one of a plurality instructions beginning at the address, indicates that an ROP payload is present in the data, and indicating that an ROP payload is present in the data in response to making a determination that a plurality of operations indicates that an ROP payload is present in the data a given number of times.
    Type: Grant
    Filed: November 11, 2016
    Date of Patent: January 29, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michalis Polychronakis, Angelos D. Keromytis
  • Patent number: 10181026
    Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
    Type: Grant
    Filed: January 6, 2017
    Date of Patent: January 15, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Wei-Jen Li, Angelos D. Keromytis, Elli Androulaki
  • Patent number: 10178104
    Abstract: Methods, media, and systems for securing communications between a first node and a second node are provided. In some embodiments, methods for securing communication between a first node and a second node are provided. The methods comprising: receiving at least one model of behavior of the second node at the first node; and authorizing the first node to receive traffic from the second node based on the difference between the at least one model of behavior of the second node and at least one model of behavior of the first node.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: January 8, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Gabriela F. Ciocarlie, Vanessa Frias-Martinez, Janak Parekh, Angelos D. Keromytis, Joseph Sherrick
  • Patent number: 10178113
    Abstract: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: January 8, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Gabriela F. Ciocarlie, Angelos Stavrou, Salvatore J. Stolfo, Angelos D. Keromytis