Client-server Payload Profiling
Comparing client-server request and response payloads to a baseline profile to identify outliers.
How it works
Request and response payloads are profiled across multiple clients talking to a single server in order to develop a baseline of their characteristics. The profile may take into account request/response sizes, payload entropy, request frequency, and rhythm (inter-request timing). Flows that fall outside the baseline are then identified as outliers, since they may indicate delivery of a malicious payload and subsequent exploitation of the server.
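As an added illustration (not code from the original page or from any referenced patent), the following Python builds such a profile from constructed flow records: per flow it derives request/response size, request entropy and the gap since the same client's previous request, takes a median/MAD baseline across all clients, and flags flows with a robust z-score above a threshold. The client addresses, URLs, the 3.5 threshold and the 10 % MAD floor are assumptions chosen for the example.

```python
import math
from collections import Counter
from statistics import median

FEATURES = ("req_size", "resp_size", "req_entropy", "gap_s")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def features(flows):
    """One row per flow (sorted by time): sizes, request entropy, and seconds since
    the same client's previous request (rhythm; None for a client's first request)."""
    last_seen, rows = {}, []
    for client, ts, req, resp in sorted(flows, key=lambda f: f[1]):
        rows.append({"client": client, "ts": ts, "req_size": len(req),
                     "resp_size": len(resp), "req_entropy": shannon_entropy(req),
                     "gap_s": ts - last_seen[client] if client in last_seen else None})
        last_seen[client] = ts
    return rows

def baseline(rows):
    """Per-feature median and MAD across all clients (robust to the few outliers
    we want to catch). A floor keeps a near-constant feature from flagging noise."""
    prof = {}
    for k in FEATURES:
        vals = [r[k] for r in rows if r[k] is not None]
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        prof[k] = (med, max(mad, 0.1 * abs(med), 1e-9))  # assumed 10 % floor
    return prof

def outliers(rows, prof, threshold=3.5):
    """Rows whose robust z-score (0.6745*|x-med|/MAD) exceeds threshold on any feature."""
    hits = []
    for r in rows:
        bad = [k for k, (med, scale) in prof.items()
               if r[k] is not None and 0.6745 * abs(r[k] - med) / scale > threshold]
        if bad:
            hits.append((r, bad))
    return hits

# Constructed sample: three clients polling one API every 60 s, plus one injected
# flow from 10.0.0.7 carrying a large, uniformly distributed body off its usual rhythm.
NAMES = {"10.0.0.5": b"alice", "10.0.0.6": b"bob", "10.0.0.7": b"carol"}
FLOWS = [(client, 60 * seq, b"GET /api/status?user=%s&seq=%d" % (name, seq),
          b'{"status":"ok","queue":%d}' % (seq % 4))
         for seq in range(10) for client, name in NAMES.items()]
FLOWS.append(("10.0.0.7", 315, bytes(range(256)) * 16, b"HTTP/1.1 500 Internal Server Error"))
```

Running `outliers(features(FLOWS), baseline(features(FLOWS)))` returns only the injected flow, flagged on request size, request entropy and rhythm; the off-by-one-digit size differences between legitimate clients stay below the threshold because of the MAD floor.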
Considerations
- Collecting metrics to establish a profile can be challenging, since user behavior can change easily.
- Employees may work different hours or inconsistent schedules, which will cause false positives.
- Collecting network activity to generate metrics is a computationally intensive process.
- Users may log into different workstations, which may cause false positives.
References
Method and system for detecting malicious payloads
Network flow data is extracted and unsupervised machine learning is used to create a standard baseline. During the monitoring phase, abnormal network metadata results in an alert.