ML-based encrypted file classification for identifying encrypted data movement

Bibliographic Details
Title: ML-based encrypted file classification for identifying encrypted data movement
Patent Number: 11,947,682
Publication Date: April 02, 2024
Appl. No: 17/860037
Application Filed: July 07, 2022
Abstract: The disclosed technology facilitates User and Entity Behavior Analytics (UEBA) by classifying a file being transferred as encrypted or not. The technology involves monitoring movement of files by a user over a wide area network, detecting file encryption for the files using a trained classifier, wherein the detecting includes processing by the classifier some or all of the following features extracted from each of the files: a chi-square randomness test; an arithmetic mean test; a serial correlation coefficient test; a Monte Carlo-Pi test; and a Shannon entropy test, counting a number of the encrypted files moved by the user in a predetermined period, comparing a predetermined maximum number of encrypted files allowed in the predetermined period to the count of the encrypted files moved by the user and detecting that the user has moved more encrypted files than the predetermined maximum number, and generating an alert.
Inventors: Netskope, Inc. (Santa Clara, CA, US)
Assignees: Netskope, Inc. (Santa Clara, CA, US)
Claim: 1. A computer-implemented method of detecting exfiltration designed to defeat data loss protection (DLP) by encryption before evaluation, including: intercepting, by a network security system server interposed on a network between a cloud-based application and a user endpoint, movement of a plurality of files by a user over the network to the cloud-based application, wherein the network security system server monitors traffic on the network associated with the user endpoint of the user; detecting, by the network security system server, file encryption for each file of the plurality of files using a trained machine learning (ML) classifier, wherein the detecting comprises: for each file of the plurality of files: determining a file type of the respective file, calculating two or more metrics for the respective file, the two or more metrics selected from: a chi-square metric based on a chi-square randomness test that measures a degree to which a distribution of sampled bytes varies from an expected distribution of bytes from the respective file; an arithmetic mean metric based on an arithmetic mean test that compares an arithmetic mean of the sampled bytes to an expected mean of the bytes from the respective file; a serial correlation coefficient metric based on a serial correlation coefficient test that calculates a serial correlation coefficient between pairs of successive sampled bytes from the respective file; a Monte Carlo-Pi metric based on a Monte Carlo-Pi test that maps concatenated bytes as coordinates of a square and calculates a degree to which a proportion of the mapped concatenated bytes that fall within a circle circumscribed by the square varies from an expected proportion that corresponds to mapping from the respective file; and an entropy metric based on a Shannon entropy test of randomness of the respective file, providing the two or more metrics and the file type as input to the trained ML classifier trained to classify the respective file as encrypted or unencrypted based on the two or more metrics and the file type, and receiving a classification of the respective file from the trained ML classifier based on the input; counting, by the network security system server, a number of the plurality of files classified as encrypted and moved by the user during a predetermined period of time; determining, by the network security system server, a predetermined maximum number of encrypted files the user is allowed to move during the predetermined period of time; comparing, by the network security system server, the predetermined maximum number for the user to the number counted; detecting, by the network security system server, based on the comparing, that the user has moved more encrypted files than the predetermined maximum number; and generating, by the network security system server, an alert that the user has moved more than the predetermined maximum number of encrypted files allowed to be moved.
Claim: 2. The computer-implemented method of claim 1, wherein the predetermined maximum number of encrypted files allowed to be moved is based on a determined typical movement pattern.
Claim: 3. The computer-implemented method of claim 2, wherein the determined typical movement pattern is based on what is typical for the user, determined by monitoring the user for at least 15 days.
Claim: 4. The computer-implemented method of claim 2, wherein the determined typical movement pattern is based on what is typical for an organization, determined based on collecting at least 1000 user-days of data for users within the organization.
Claim: 5. The computer-implemented method of claim 2, wherein determining normal movement patterns requires a minimum number of user-day data points.
Claim: 6. The computer-implemented method of claim 5, wherein the minimum number of user-day data points includes both workday and non-workday data points.
Claim: 7. The computer-implemented method of claim 1, wherein the network security system server monitors the traffic using API connections to cloud-based applications to capture the traffic originating from the cloud-based applications to the user endpoint and monitors inline traffic originating from the user endpoint.
Claim: 8. The computer-implemented method of claim 1, wherein the calculating the two or more metrics for the respective file comprises sampling the respective file, and wherein the sampling is between 10 KB and 250 KB in size.
Claim: 9. A non-transitory computer readable storage medium impressed with computer program instructions to detect exfiltration designed to defeat data loss protection (DLP) by encryption before evaluation, the instructions, when executed on a processor, implement a method comprising: intercepting traffic over a network between a cloud-based application and a user endpoint by a network security system interposed on the network between the cloud-based application and the user endpoint; detecting, based on the traffic, movement of a plurality of files by a user of the user endpoint over the network to the cloud-based application; detecting file encryption for each file of the plurality of files using a trained machine learning (ML) classifier, wherein the detecting comprises: for each file of the plurality of files: determining a file type of the respective file, calculating two or more metrics for the respective file, the two or more metrics selected from: a chi-square metric based on a chi-square randomness test that measures a degree to which a distribution of sampled bytes varies from an expected distribution of bytes from the respective file; an arithmetic mean metric based on an arithmetic mean test that compares an arithmetic mean of the sampled bytes to an expected mean of the bytes from the respective file; a serial correlation coefficient metric based on a serial correlation coefficient test that calculates a serial correlation coefficient between pairs of successive sampled bytes from the respective file; a Monte Carlo-Pi metric based on a Monte Carlo-Pi test that maps concatenated bytes as coordinates of a square and calculates a degree to which a proportion of the mapped concatenated bytes that fall within a circle circumscribed by the square varies from an expected proportion that corresponds to mapping from the respective file; and an entropy metric based on a Shannon entropy test of randomness of the respective file, providing the two or more metrics and the file type as input to the trained ML classifier trained to classify the respective file as encrypted or unencrypted based on the two or more metrics and the file type, and receiving a classification of the respective file from the trained ML classifier based on the input; counting a number of the plurality of files classified as encrypted and moved by the user during a predetermined period of time; determining a predetermined maximum number of encrypted files the user is allowed to move during the predetermined period of time; comparing the predetermined maximum number for the user to the number counted; detecting that the user has moved more encrypted files than the predetermined maximum number; and generating an alert that the user has moved more than the predetermined maximum number of encrypted files allowed to be moved.
Claim: 10. The non-transitory computer readable storage medium of claim 9, wherein the predetermined maximum number of encrypted files allowed to be moved is based on a determined typical movement pattern.
Claim: 11. The non-transitory computer readable storage medium of claim 10, wherein the typical movement pattern is based on one of what is typical for the user, determined by monitoring the user for at least 15 days and what is typical for an organization, determined based on collecting at least 700 user-days of data for users within the organization.
Claim: 12. The non-transitory computer readable storage medium of claim 10, wherein determining normal movement patterns requires a minimum number of user-day data points.
Claim: 13. The non-transitory computer readable storage medium of claim 12, wherein the minimum number of user-day data points includes both workday and non-workday data points.
Claim: 14. The non-transitory computer readable storage medium of claim 9, wherein the intercepting the traffic comprises using API connections to the cloud-based application to capture the traffic originating from the cloud-based application to the user endpoint and capturing inline traffic originating from the user endpoint.
Claim: 15. A system including one or more processors coupled to memory, the memory loaded with computer instructions to detect exfiltration designed to defeat data loss protection (DLP) by encryption before evaluation, the instructions, when executed on the processors, implement actions comprising: intercepting traffic over a network between a cloud-based application and a user endpoint by the system interposed on the network between the cloud-based application and the user endpoint; detecting, based on the traffic, movement of a plurality of files by a user of the user endpoint over the network to the cloud-based application; detecting file encryption for each file of the plurality of files using a trained machine learning (ML) classifier, wherein the detecting comprises: for each file of the plurality of files: determining a file type of the respective file, calculating two or more metrics for the respective file, the two or more metrics selected from: a chi-square metric based on a chi-square randomness test that measures a degree to which a distribution of sampled bytes varies from an expected distribution of bytes from the respective file; an arithmetic mean metric based on an arithmetic mean test that compares an arithmetic mean of the sampled bytes to an expected mean of the bytes from the respective file; a serial correlation coefficient metric based on a serial correlation coefficient test that calculates a serial correlation coefficient between pairs of successive sampled bytes from the respective file; a Monte Carlo-Pi metric based on a Monte Carlo-Pi test that maps concatenated bytes as coordinates of a square and calculates a degree to which a proportion of the mapped concatenated bytes that fall within a circle circumscribed by the square varies from an expected proportion that corresponds to mapping from the respective file; and an entropy metric based on a Shannon entropy test of randomness of the respective file, providing the two or more metrics and the file type as input to the trained ML classifier trained to classify the respective file as encrypted or unencrypted based on the two or more metrics and the file type, and receiving a classification of the respective file from the trained ML classifier based on the input; counting a number of the plurality of files classified as encrypted and moved by the user during a predetermined period of time; determining a predetermined maximum number of encrypted files the user is allowed to move during the predetermined period of time; comparing the predetermined maximum number for the user to the number counted; detecting that the user has moved more encrypted files than the predetermined maximum number; and generating an alert that the user has moved more than the predetermined maximum number of encrypted files allowed to be moved.
Claim: 16. The system of claim 15, wherein the predetermined maximum number of encrypted files allowed to be moved is based on a determined typical movement pattern.
Claim: 17. The system of claim 16, wherein determining normal movement patterns requires a minimum number of user-day data points.
Claim: 18. The system of claim 17, wherein the minimum number of user-day data points includes both workday and non-workday data points.
Claim: 19. The system of claim 15, wherein the intercepting the traffic comprises using API connections to the cloud-based application and capturing inline traffic originating from the user endpoint.
Claim: 20. The system of claim 15, wherein the calculating the two or more metrics for the respective file comprises sampling the respective file, and wherein the sampling is between 10 KB and 250 KB in size.
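The five randomness metrics and the per-user count described in the abstract and claim 1, worked through in Python as an added example; this is not code from the patent or from Netskope. The `looks_encrypted` threshold rule is a hypothetical stand-in for the trained ML classifier, and the sample files, user names, timestamps and limits are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

SAMPLE_BYTES = 64 * 1024  # inside the 10 KB to 250 KB sampling range of claims 8 and 20


def randomness_features(data: bytes) -> dict:
    """Compute the five metrics named in the abstract over a sample of the file."""
    s = data[:SAMPLE_BYTES]
    n = len(s)
    if n < 12:
        raise ValueError("sample too small to score")
    counts = Counter(s)
    # Shannon entropy in bits per byte (8.0 for uniformly random bytes).
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Chi-square statistic against a uniform distribution over the 256 byte values.
    expected = n / 256
    chi_square = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    # Arithmetic mean of the byte values (127.5 expected for random bytes).
    sum_x = sum(s)
    mean = sum_x / n
    # Serial correlation between each byte and its successor, wrapping at the end.
    sum_x2 = sum(b * b for b in s)
    sum_xy = sum(s[i] * s[(i + 1) % n] for i in range(n))
    denom = n * sum_x2 - sum_x ** 2
    serial_corr = (n * sum_xy - sum_x ** 2) / denom if denom else 1.0
    # Monte Carlo Pi: each 6 bytes become a 24-bit (x, y) point in a square; the
    # share of points inside the quarter circle estimates pi / 4.
    limit = (2 ** 24 - 1) ** 2
    inside = total = 0
    for i in range(0, n - 5, 6):
        x = int.from_bytes(s[i:i + 3], "big")
        y = int.from_bytes(s[i + 3:i + 6], "big")
        inside += x * x + y * y <= limit
        total += 1
    pi_error = abs(4 * inside / total - math.pi) / math.pi
    return {"entropy": entropy, "chi_square": chi_square, "mean": mean,
            "serial_corr": serial_corr, "pi_error": pi_error}


def looks_encrypted(features: dict, file_type: str) -> bool:
    """Hypothetical stand-in for the trained classifier (assumption, not the patent's
    model). A trained model would also weigh file_type; this rule uses metrics only."""
    return (features["entropy"] >= 7.9 and features["chi_square"] < 400
            and abs(features["serial_corr"]) < 0.05 and features["pi_error"] < 0.05)


def users_over_limit(events, classify, max_allowed, default_max, period_seconds, now):
    """events: (timestamp, user, file_type, data). Returns {user: count} for users whose
    count of encrypted files inside the period exceeds their allowed maximum."""
    counts = defaultdict(int)
    for ts, user, file_type, data in events:
        if now - period_seconds <= ts <= now and classify(randomness_features(data), file_type):
            counts[user] += 1
    return {u: c for u, c in counts.items() if c > max_allowed.get(u, default_max)}


def constructed_ciphertext(seed: bytes, size: int) -> bytes:
    """Constructed high-entropy sample: a SHA-256 counter stream standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])


# Constructed plaintext sample, about 24 KB.
CONSTRUCTED_TEXT = b"Quarterly revenue report: totals by region and product line.\n" * 400


def demo() -> dict:
    now, day = 1_000_000, 86_400
    events = [(now - 100 * i, "alice", "bin", constructed_ciphertext(b"a%d" % i, 32_768))
              for i in range(4)]
    events.append((now - 50, "alice", "txt", CONSTRUCTED_TEXT))
    events.append((now - 60, "bob", "bin", constructed_ciphertext(b"b0", 32_768)))
    events.append((now - 70, "bob", "txt", CONSTRUCTED_TEXT))
    # Outside the one-day period, so it is not counted.
    events.append((now - 200_000, "bob", "bin", constructed_ciphertext(b"b1", 32_768)))
    return users_over_limit(events, looks_encrypted, {"bob": 5}, 3, day, now)


if __name__ == "__main__":
    print(demo())
```

Compressed formats also score near-random on these five tests, so a fixed threshold like this stand-in cannot separate them from ciphertext; the claims feed the file type to the trained classifier alongside the metrics.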
Assistant Examiner: Park, Sangseok
Primary Examiner: Chea, Philip J
Accession Number: edspgr.11947682
Database: USPTO Patent Grants