Patents by Inventor Angelos D. Keromytis

Angelos D. Keromytis has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8407785
    Abstract: In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within a virtual environment: receiving at least one attachment to an electronic mail; and executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs.
    Type: Grant
    Filed: August 18, 2006
    Date of Patent: March 26, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Stylianos Sidiroglou, Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 8407160
    Abstract: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for generating sanitized data are provided. The methods including: dividing a first training dataset comprised of a plurality of training data items into a plurality of data subsets each including at least one training data item of the plurality of training data items of the first training dataset; based on the plurality of data subsets, generating a plurality of distinct anomaly detection micro-models; testing at least one data item of the plurality of data items of a second training dataset of training data items against each of the plurality of micro-models to produce a score for the at least one tested data item; and generating at least one output dataset based on the score for the at least one tested data item.
    Type: Grant
    Filed: November 15, 2007
    Date of Patent: March 26, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Gabriela Cretu, Angelos Stavrou, Salvatore J. Stolfo, Angelos D. Keromytis, Michael E. Locasto
  • Patent number: 8381295
    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Grant
    Filed: July 9, 2010
    Date of Patent: February 19, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J Stolfo, Tal Malkin, Angelos D Keromytis, Vishal Misra, Michael Locasto, Janak Parekh
  • Patent number: 8228815
    Abstract: Systems and methods for computing data transmission characteristics of a network path are disclosed. In some embodiments, the network path has a sending host, at least one intermediate host, and a receiving host, and the data transmission characteristics are computed based on single-ended measurements performed at the sending host.
    Type: Grant
    Filed: December 28, 2009
    Date of Patent: July 24, 2012
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Sambuddho Chakravarty, Angelos Stavrou
  • Publication number: 20120151270
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Application
    Filed: November 21, 2011
    Publication date: June 14, 2012
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stylianos Sidiroglou
  • Publication number: 20120144484
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Application
    Filed: February 15, 2012
    Publication date: June 7, 2012
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 8135994
    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
    Type: Grant
    Filed: October 30, 2007
    Date of Patent: March 13, 2012
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 8074115
    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
    Type: Grant
    Filed: October 25, 2006
    Date of Patent: December 6, 2011
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Stelios Sidiroglou
  • Publication number: 20110214161
    Abstract: Methods, media, and systems for securing communications between a first node and a second node are provided. In some embodiments, methods for securing communication between a first node and a second node are provided. The methods comprising: receiving at least one model of behavior of the second node at the first node; and authorizing the first node to receive traffic from the second node based on the difference between the at least one model of behavior of the second node and at least one model of behavior of the first node.
    Type: Application
    Filed: October 31, 2006
    Publication date: September 1, 2011
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Gabriela F. Ciocarlie, Vanessa Frias-Martinez, Janak Parekh, Angelos D. Keromytis, Joseph Sherrick
  • Publication number: 20110167493
    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
    Type: Application
    Filed: May 27, 2009
    Publication date: July 7, 2011
    Inventors: Yingbo Song, Angelos D. Keromytis, Salvatore J. Stolfo
  • Publication number: 20110167494
    Abstract: Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.
    Type: Application
    Filed: December 31, 2010
    Publication date: July 7, 2011
    Inventors: Brian M. Bowen, Pratap V. Prabhu, Vasileios P. Kemerlis, Stylianos Sidiroglou, Salvatore J. Stolfo, Angelos D. Keromytis
  • Patent number: 7962798
    Abstract: Methods, systems, and media for enabling a software application to recover from a fault condition, and for protecting a software application from a fault condition, are provided. In some embodiments, methods include detecting a fault condition during execution of the software application, restoring execution of the software application to a previous point of execution, the previous point of execution occurring during execution of a first subroutine in the software application, and forcing the first subroutine to forego further execution and return to a caller of the first subroutine.
    Type: Grant
    Filed: April 17, 2007
    Date of Patent: June 14, 2011
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michael E. Locasto, Angelos D. Keromytis, Salvatore J. Stolfo, Angelos Stavrou, Gabriela Cretu, Stylianos Sidiroglou, Jason Nieh, Oren Laadan
  • Patent number: 7904959
    Abstract: In accordance with some embodiments, systems and methods that protect an application from attacks are provided. In some embodiments, traffic from a communication network is received by an anomaly detection component. The anomaly detection component monitors the received traffic and routes the traffic either to the protected application or to a honeypot, where the honeypot shares all state information with the application. If the received traffic is routed to the honeypot, the honeypot monitors the traffic for an attack. If an attack occurs, the honeypot repairs the protected application (e.g., discarding any state changes incurred from the attack, reverting to previously saved state information, etc.).
    Type: Grant
    Filed: October 10, 2007
    Date of Patent: March 8, 2011
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Stylianos Sidiroglou, Angelos D. Keromytis, Kostas G. Anagnostakis
  • Publication number: 20100293407
    Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
    Type: Application
    Filed: January 28, 2008
    Publication date: November 18, 2010
    Applicant: THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF
    Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
  • Publication number: 20100281542
    Abstract: Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Application
    Filed: July 15, 2010
    Publication date: November 4, 2010
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Vishal Misra, Michael E. Locasto, Janak Parekh
  • Publication number: 20100281541
    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Application
    Filed: July 9, 2010
    Publication date: November 4, 2010
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Tal Malkin, Angelos D. Keromytis, Vishal Misra, Michael Locasto, Janak Parekh
  • Publication number: 20100235879
    Abstract: Systems, methods, and media for enforcing a security policy in a network are provided, including, for example, receiving a plurality of events describing component behavior detected by a plurality of sensors, each sensor monitoring a different component of a plurality of components; attributing a first event of the plurality of events to a first principal; attributing a second event of the plurality of events to a second principal; determining whether the first and second events are correlated; storing a data structure that attributes each of the first and second events to the first principal, if it is determined that the first and second events are correlated; comparing the second event to the security policy; and modifying network behavior to enforce the security policy against the first principal based on the comparison of the second event to the security policy and the attribution of the second event to the first principal.
    Type: Application
    Filed: December 8, 2009
    Publication date: September 16, 2010
    Inventors: Matthew Burnside, Angelos D. Keromytis
  • Patent number: 7784097
    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Grant
    Filed: November 24, 2004
    Date of Patent: August 24, 2010
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Vishal Misra, Michael E. Locasto, Janak Parekh
  • Patent number: 7779463
    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Grant
    Filed: June 9, 2004
    Date of Patent: August 17, 2010
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Tal Malkin, Angelos D. Keromytis, Vishal Misra, Michael Locasto, Janak Parekh
  • Publication number: 20100157834
    Abstract: Systems and methods for computing data transmission characteristics of a network path are disclosed. In some embodiments, the network path has a sending host, at least one intermediate host, and a receiving host, and the data transmission characteristics are computed based on single-ended measurements performed at the sending host.
    Type: Application
    Filed: December 28, 2009
    Publication date: June 24, 2010
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Angelos D. Keromytis, Sambuddho Chakravarty, Angelos Stavrou