Client-server Payload Profiling
Definition
Comparing client-server request and response payloads to a baseline profile to identify outliers.
How it works
Request and response payloads exchanged between multiple clients and a single server are profiled to build a baseline of their normal characteristics, which may include request/response sizes, entropy, frequency, and rhythm. Flows that fall outside that baseline are then identified as outliers, since they may indicate delivery of a malicious payload and subsequent exploitation of the server.
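The following added example (not part of the original article) implements the technique as described: it turns a constructed set of client-to-server flows into size, entropy and rhythm features, fits a per-feature baseline over a learning window, and reports flows in a monitoring window whose worst z-score exceeds a threshold. The flow record layout, the z-score threshold and the sample traffic are assumptions for the sake of illustration.

```python
import math
from statistics import mean, pstdev

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: roughly 4-5 for ASCII text, close to 8 for encrypted or packed data; 0 for empty input.
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flow_features(flows):
    # One row per flow; "gap" is seconds since the same client's previous request (its rhythm).
    last_seen, rows = {}, []
    for f in sorted(flows, key=lambda f: f["t"]):
        gap = f["t"] - last_seen[f["client"]] if f["client"] in last_seen else None
        last_seen[f["client"]] = f["t"]
        rows.append({"client": f["client"], "t": f["t"], "gap": gap, "resp_size": f["resp_size"],
                     "req_size": len(f["request"]), "req_entropy": shannon_entropy(f["request"])})
    return rows

def build_baseline(flows):
    # Mean and population std per feature over the learning window; constant or absent features are dropped.
    rows, profile = flow_features(flows), {}
    for name in ("req_size", "req_entropy", "resp_size", "gap"):
        vals = [r[name] for r in rows if r[name] is not None]
        if len(vals) >= 2 and pstdev(vals) > 0:
            profile[name] = (mean(vals), pstdev(vals))
    return profile

def score(flows, profile, history=(), threshold=3.0):
    # Alerts (client, t, worst feature, z) for monitored flows; history only seeds each client's last timestamp.
    start, alerts = min(f["t"] for f in flows), []
    for r in flow_features(list(history) + list(flows)):
        if r["t"] < start:
            continue
        zs = {n: abs(r[n] - m) / s for n, (m, s) in profile.items() if r[n] is not None}
        worst = max(zs, key=zs.get, default=None)
        if worst and zs[worst] > threshold:
            alerts.append((r["client"], r["t"], worst, round(zs[worst], 1)))
    return alerts

# Constructed sample traffic to one internal server: three workstations searching at a steady rhythm.
HEADER = b"POST /api/search HTTP/1.1\r\nHost: app.internal\r\n\r\nq="
TERMS = [b"quarterly report", b"invoice 2023-11", b"travel policy", b"pto balance",
         b"benefits enrollment", b"org chart", b"expense form", b"holiday calendar"]
BASELINE_FLOWS = [{"client": f"10.0.0.{10 + i % 3}", "t": 60.0 * i + i % 5,
                   "request": HEADER + TERMS[i], "resp_size": 980 + 17 * i} for i in range(8)]
# Monitoring window: one routine search, then a burst of large high-entropy requests from a new client.
_blob = bytes(i * 7919 % 256 for i in range(3000))  # evenly spread byte values stand in for packed/encrypted data
NEW_FLOWS = [{"client": "10.0.0.10", "t": 541.0, "request": HEADER + TERMS[2], "resp_size": 1030}] + [
    {"client": "10.0.0.99", "t": 600.0 + 2 * k, "request": HEADER + _blob, "resp_size": 120} for k in range(3)]
```

Calling `score(NEW_FLOWS, build_baseline(BASELINE_FLOWS), history=BASELINE_FLOWS)` flags only the three burst requests from 10.0.0.99, while the routine search from 10.0.0.10 stays inside the baseline on every feature.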
Considerations
- Collecting metrics to establish a profile can be challenging, since user behavior changes easily.
- Employees may work different hours or inconsistent schedules, which can cause false positives.
- Collecting network activity to generate metrics is a computationally intensive process.
- Users may log into different workstations, which can cause false positives.
References
The following references were used to develop the Client-server Payload Profiling knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method and system for detecting malicious payloads
MITRE Comments
Network flow data is extracted and unsupervised machine learning is used to create a standard baseline. During the monitoring phase, abnormal network metadata results in an alert.