Patents by Inventor Salvatore J. Stolfo

Salvatore J. Stolfo has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20190190943
    Abstract: Methods, systems and media for evaluating layered computer security products are provided. In some embodiments, the method comprises: (a) identifying portions of attack data associated with an attack; (b) linking the portions of attack data; (c) testing security products using the linked attack data, at least two of the security products using different portions of the linked attack data; (d) storing the results of the testing; (e) repeating (a)-(d) for multiple attacks; receiving information identifying a subset of the security products from a remote computing device; identifying a first set of detected attacks for each of the plurality of security product using the stored results; determining a number of attacks in a union of each of the first sets of identified attacks; determining a detection rate for the identified security products based on the union and the number of tested attacks; and causing the detection rate to be presented.
    Type: Application
    Filed: July 27, 2018
    Publication date: June 20, 2019
    Inventors: Nathaniel Gordon Boggs, Salvatore J. Stolfo
  • Publication number: 20190190937
    Abstract: A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.
    Type: Application
    Filed: July 23, 2018
    Publication date: June 20, 2019
    Inventor: Salvatore J. Stolfo
  • Publication number: 20190182279
    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
    Type: Application
    Filed: July 26, 2018
    Publication date: June 13, 2019
    Inventors: Yingbo Song, Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 10305919
    Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: May 28, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis, Ke Wang
  • Publication number: 20190020672
    Abstract: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
    Type: Application
    Filed: July 3, 2018
    Publication date: January 17, 2019
    Applicant: THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK
    Inventors: Salvatore J. Stolfo, Eleazar Eskin, Manasi Bhattacharyya, Shlomo Herskop
  • Patent number: 10181026
    Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.
    Type: Grant
    Filed: January 6, 2017
    Date of Patent: January 15, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Wei-Jen Li, Angelos D. Keromytis, Elli Androulaki
  • Patent number: 10178104
    Abstract: Methods, media, and systems for securing communications between a first node and a second node are provided. In some embodiments, methods for securing communication between a first node and a second node are provided. The methods comprising: receiving at least one model of behavior of the second node at the first node; and authorizing the first node to receive traffic from the second node based on the difference between the at least one model of behavior of the second node and at least one model of behavior of the first node.
    Type: Grant
    Filed: May 5, 2017
    Date of Patent: January 8, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Gabriela F. Ciocarlie, Vanessa Frias-Martinez, Janak Parekh, Angelos D. Keromytis, Joseph Sherrick
  • Patent number: 10178113
    Abstract: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: January 8, 2019
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Gabriela F. Ciocarlie, Angelos Stavrou, Salvatore J. Stolfo, Angelos D. Keromytis
  • Patent number: 10146939
    Abstract: Systems, methods, and media for outputting a dataset based upon anomaly detection are provided. In some embodiments, methods for outputting a dataset based upon anomaly detection: receive a training dataset having a plurality of n-grams, which plurality includes a first plurality of distinct training n-grams each being a first size; compute a first plurality of appearance frequencies, each for a corresponding one of the first plurality of distinct training n-grams; receive an input dataset including first input n-grams each being the first size; define a first window in the input dataset; identify as being first matching n-grams the first input n-grams in the first window that correspond to the first plurality of distinct training n-grams; compute a first anomaly detection score for the input dataset using the first matching n-grams and the first plurality of appearance frequencies; and output the input dataset based on the first anomaly detection score.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: December 4, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Ke Wang, Janak Parekh
  • Patent number: 10069854
    Abstract: Methods, systems and media for evaluating layered computer security products are provided. In some embodiments, the method comprises: (a) identifying portions of attack data associated with an attack; (b) linking the portions of attack data; (c) testing security products using the linked attack data, at least two of the security products using different portions of the linked attack data; (d) storing the results of the testing; (e) repeating (a)-(d) for multiple attacks; receiving information identifying a subset of the security products from a remote computing device; identifying a first set of detected attacks for each of the plurality of security product using the stored results; determining a number of attacks in a union of each of the first sets of identified attacks; determining a detection rate for the identified security products based on the union and the number of tested attacks; and causing the detection rate to be presented.
    Type: Grant
    Filed: November 18, 2013
    Date of Patent: September 4, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Nathaniel Gordon Boggs, Salvatore J Stolfo
  • Patent number: 10061753
    Abstract: Systems and methods are presented for content extraction from markup language text. The content extraction process may parse markup language text into a hierarchical data model and then apply one or more filters. Output filters may be used to make the process more versatile. The operation of the content extraction process and the one or more filters may be controlled by one or more settings set by a user, or automatically by a classifier. The classifier may automatically enter settings by classifying markup language text and entering settings based on this classification. Automatic classification may be performed by clustering unclassified markup language texts with previously classified markup language texts.
    Type: Grant
    Filed: June 20, 2016
    Date of Patent: August 28, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Suhit Gupta, Gail Kaiser, Salvatore J. Stolfo
  • Patent number: 10063576
    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: August 28, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Yingbo Song, Angelos D. Keromytis, Salvatore J. Stolfo
  • Patent number: 10063574
    Abstract: A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.
    Type: Grant
    Filed: March 4, 2015
    Date of Patent: August 28, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventor: Salvatore J. Stolfo
  • Patent number: 10055251
    Abstract: Mechanisms for injecting code into embedded devices are provided. In some embodiments, once the code is injected into the embedded device, the injected code can analyze and modify the code of the embedded device (e.g., firmware) to create the execution environment for the injected code. For example, the injected code can identify program instruction locations in the code of the embedded device into which jump instructions can be placed. The injected code can also insert at least one jump instruction at an identified program instruction location in the code of the embedded device. In response to the execution of a jump instruction, the injected code can save a context of the code of the embedded device to memory and loading a payload context into a processor of the embedded device. The payload context can then be executed by the processor of the embedded device.
    Type: Grant
    Filed: April 22, 2010
    Date of Patent: August 21, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Ang Cui, Salvatore J. Stolfo
  • Patent number: 10038704
    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
    Type: Grant
    Filed: September 4, 2015
    Date of Patent: July 31, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Tal Malkin, Angelos D. Keromytis, Vishal Misra, Michael Locasto, Janak Parekh
  • Patent number: 10002249
    Abstract: Systems, methods, and media for outputting data based on anomaly detection are provided. In some embodiments, a method for outputting data based on anomaly detection is provided, the method comprising: receiving, using a hardware processor, an input dataset; identifying grams in the input dataset that substantially include distinct byte values; creating an input subset by removing the identified grams from the input dataset; determining whether the input dataset is likely to be anomalous based on the identified grams, and determining whether the input dataset is likely to be anomalous by applying the input subset to a binary anomaly detection model to check for an n-gram in the input subset; and outputting the input dataset based on the likelihood that the input dataset is anomalous.
    Type: Grant
    Filed: February 27, 2015
    Date of Patent: June 19, 2018
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J Stolfo, Ke Wang, Janak Parekh
  • Patent number: 9971891
    Abstract: Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination.
    Type: Grant
    Filed: August 13, 2013
    Date of Patent: May 15, 2018
    Assignee: The Trustees of Columbia University in the City of the New York
    Inventors: Brian M. Bowen, Pratap V. Prabhu, Vasileios P. Kemerlis, Stylianos Sidiroglou, Salvatore J. Stolfo, Angelos D. Keromytis
  • Publication number: 20180124081
    Abstract: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
    Type: Application
    Filed: July 11, 2017
    Publication date: May 3, 2018
    Applicant: THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK
    Inventors: Salvatore J. Stolfo, Eleazar Eskin, Manasi Bhattacharyya, Shlomo Herskop
  • Publication number: 20180077165
    Abstract: Methods, media, and systems for securing communications between a first node and a second node are provided. In some embodiments, methods for securing communication between a first node and a second node are provided. The methods comprising: receiving at least one model of behavior of the second node at the first node; and authorizing the first node to receive traffic from the second node based on the difference between the at least one model of behavior of the second node and at least one model of behavior of the first node.
    Type: Application
    Filed: May 5, 2017
    Publication date: March 15, 2018
    Applicant: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Gabriela F. Ciocarlie, Vanessa Frias-Martinez, Janak Parekh, Angelos D. Keromytis, Joseph Sherrick
  • Patent number: 9870455
    Abstract: The interaction of a plurality of users with a computer system is monitored and measurements are made of different features of this interaction such as process creation, registry key changes, and file system actions. These measurements are then analyzed to identify those features that are more discriminatory. The set of features is then used to develop for each user a model of his/her interaction with the computer system that can then be used to authenticate that user when interacting with the computer system at a later time. Advantageously, these steps are performed automatically and may be performed periodically or even continuously to verify that each user of the computer system is indeed the individual he/she purports to be. Illustratively, the feature extraction is performed using Fisher's criteria; and the user model is developed using a Gaussian mixture model. A method for updating the user model is also disclosed.
    Type: Grant
    Filed: February 8, 2016
    Date of Patent: January 16, 2018
    Assignee: Allure Security Technology Inc.
    Inventors: Yingbo Song, Salvatore J. Stolfo