Patents by Inventor Angelos D. Keromytis

Angelos D. Keromytis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20140337978
    Abstract: Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information.
    Type: Application
    Filed: July 23, 2014
    Publication date: November 13, 2014
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20140331324
    Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
    Type: Application
    Filed: July 21, 2014
    Publication date: November 6, 2014
    Inventors: Salvatore J. Stolfo, Wei-Jen Li, Angelos D. Keromytis, Elli Androulaki
  • Patent number: 8844033
    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
    Type: Grant
    Filed: May 27, 2009
    Date of Patent: September 23, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Yingbo Song, Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 8819825
    Abstract: Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: August 26, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20140215276
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Application
    Filed: August 30, 2013
    Publication date: July 31, 2014
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stylianos Sidiroglou
  • Publication number: 20140189654
    Abstract: Systems, methods, and media for testing software patches are provided. The methods include: injecting a software patch into a program; determining a portion of the program modified by the software patch; concurrently executing a first instance of the portion of the program prior to modification by the software patch and a second instance of the portion of the program that has been modified by the software patch; obtaining a first outcome of the first instance and a second outcome of the second instance; comparing the first outcome and the second outcome with a policy associated with the program; and determining whether the software patch has executed correctly based at least in part on the comparison.
    Type: Application
    Filed: March 7, 2014
    Publication date: July 3, 2014
    Inventors: Angelos D. Keromytis, Stylianos Sidiroglou
  • Patent number: 8763103
    Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
    Type: Grant
    Filed: April 21, 2006
    Date of Patent: June 24, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis, Ke Wang
  • Publication number: 20140173734
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Application
    Filed: February 20, 2014
    Publication date: June 19, 2014
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20140101746
    Abstract: Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
    Type: Application
    Filed: December 11, 2013
    Publication date: April 10, 2014
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Angelos Stavrou, Angelos D. Keromytis
  • Patent number: 8694833
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Grant
    Filed: July 15, 2013
    Date of Patent: April 8, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 8683450
    Abstract: Systems, methods, and media for testing software patches are provided (200). The methods include: injecting a software patch into a program (202); running multiple instances of a part of the program containing the software patch (204); obtaining outcomes of the multiple instances (208); and determining, using the outcomes, whether the software patch is executed properly (210).
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: March 25, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Stylianos Sidiroglou
  • Patent number: 8667588
    Abstract: Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Grant
    Filed: July 15, 2010
    Date of Patent: March 4, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Vishal Misra, Michael E. Locasto, Janak Parekh
  • Patent number: 8631484
    Abstract: Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
    Type: Grant
    Filed: March 14, 2008
    Date of Patent: January 14, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos Stavrou, Angelos D. Keromytis
  • Publication number: 20130333037
    Abstract: Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination.
    Type: Application
    Filed: August 13, 2013
    Publication date: December 12, 2013
    Inventors: Brian M. Bowen, Pratap V. Prabhu, Vasileios P. Kemerlis, Stylianos Sidiroglou, Salvatore J. Stolfo, Angelos D. Keromytis
  • Patent number: 8601322
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Grant
    Filed: November 21, 2011
    Date of Patent: December 3, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stylianos Sidiroglou
  • Publication number: 20130305098
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Application
    Filed: July 15, 2013
    Publication date: November 14, 2013
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 8549646
    Abstract: Methods, media and systems for responding to a Denial of Service (DoS) attack are provided. In some embodiments, a method includes detecting a DoS attack; migrating one or more processes that provide a service to an unaffected system; authenticating users that are authorized to use the service; and routing traffic generated by authenticated users to the unaffected system.
    Type: Grant
    Filed: October 20, 2006
    Date of Patent: October 1, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos Stavrou, Angelos D. Keromytis, Jason Nieh, Vishal Misra, Daniel Rubenstein
  • Patent number: 8528091
    Abstract: Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.
    Type: Grant
    Filed: December 31, 2010
    Date of Patent: September 3, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Brian M. Bowen, Pratap V. Prabhu, Vasileios P. Kemerlis, Stylianos Sidiroglou, Salvatore J. Stolfo, Angelos D. Keromytis
  • Patent number: 8516575
    Abstract: Systems, methods, and media for enforcing a security policy in a network are provided, including, for example, receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of a plurality of components; attributing a first event of the plurality of events to a first principal; attributing a second event of the plurality of events to a second principal; determining whether the first and second events are correlated; storing a data structure that attributes each of the first and second events to the first principal, if it is determined that the first and second events are correlated; comparing the second event to the security policy; and modifying network behavior to enforce the security policy against the first principal based on the comparison of the second event to the security policy and the attribution of the second event to the first principal.
    Type: Grant
    Filed: December 8, 2009
    Date of Patent: August 20, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Matthew Burnside, Angelos D. Keromytis
  • Patent number: 8489931
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Grant
    Filed: February 15, 2012
    Date of Patent: July 16, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo