公开(公告)号：EP3108401B1

公开(公告)日：2019-10-16

申请号：EP15752745.8

申请日：2015-02-23

申请人： Cyphort Inc.

发明人： BURT, Alexander ,  BILOGORSKIY, Mikola ,  NAVARAJ, McEnroe ,  JAS, Frank ,  HAN, Liang ,  TING, Yucheng ,  KENYAN, Manikandan ,  GONG, Fengmin ,  GOLSHAN, Ali ,  SINGH, Shishir

IPC分类号： H04L29/06 ,  G06F21/56

公开(公告)号：EP3352110A1

公开(公告)日：2018-07-25

申请号：EP18153061.9

申请日：2018-01-23

申请人： Cyphort Inc.

发明人： MOHANTA, Abhijit ,  SALDANHA, Anoop Wilbur

IPC分类号： G06F21/56 ,  G06F21/53 ,  H04L29/06

摘要： A network device may include a memory and one or more processors configured to analyze execution of suspicious data; detect one or more states of execution of the suspicious data; determine that the one or more states of execution are to be assigned a priority level; and extract at least a portion of the suspicious data from one or more locations based on determining that the one or more states of execution are to be assigned a priority level.

公开(公告)号：EP3111330A4

公开(公告)日：2018-03-14

申请号：EP15752643

申请日：2015-02-24

申请人： CYPHORT INC

发明人： VU NEAL ,  JAS FRANK ,  GONG FENGMIN ,  JAMES ANTHONY ,  GOLSHAN ALI ,  SINGH SHISHIR

IPC分类号： H04L29/06 ,  G06F11/00 ,  G06F21/56

CPC分类号： H04L63/145 ,  G06F21/561 ,  G06F21/566

摘要： A system configured to detect malware is described. The system including an infection verification pack configured to perform behavior detonation; identify a malware object based on machine-learning; and select one or more persistent artifacts of the malware on the target system based on one or more algorithms applied to behavior traces of the malware object to select one or more persistent artifacts of the malware on the target system.

公开(公告)号：EP2774038A4

公开(公告)日：2015-08-19

申请号：EP12844780

申请日：2012-11-05

申请人： CYPHORT INC

发明人： GOLSHAN ALI ,  BINDER JAMES S

IPC分类号： G06F11/00 ,  G06F9/455 ,  G06F11/36 ,  G06F21/53 ,  G06F21/56 ,  H04L29/06

CPC分类号： G06F21/566 ,  G06F9/45541 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/552 ,  G06F21/554 ,  G06F21/567 ,  G06F2009/45587 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L2463/144

摘要： Systems and methods for virtualization and emulation malware enabled detection are described. In some embodiments, a method comprises intercepting an object, instantiating and processing the object in a virtualization environment, tracing operations of the object while processing within the virtualization environment, detecting suspicious behavior associated with the object, instantiating an emulation environment in response to the detected suspicious behavior, processing, recording responses to, and tracing operations of the object within the emulation environment, detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment, re-instantiating the virtualization environment, providing the recorded response from the emulation environment to the object in the virtualization environment, monitoring the operations of the object within the re-instantiation of the virtualization environment, identifying untrusted actions from the monitored operations, and generating a report regarding the identified untrusted actions of the object.

公开(公告)号：EP2774039A1

公开(公告)日：2014-09-10

申请号：EP12845692.8

申请日：2012-11-05

申请人： Cyphort Inc.

发明人： GOLSHAN, Ali ,  BINDER, James, S.

IPC分类号： G06F11/00

CPC分类号： G06F21/566 ,  G06F9/45541 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/552 ,  G06F21/554 ,  G06F21/567 ,  G06F2009/45587 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L2463/144

摘要： Systems and methods for virtualization and emulation malware enabled detection are described. In some embodiments, a method comprises intercepting an object, instantiating and processing the object in a virtualization environment, tracing operations of the object while processing within the virtualization environment, detecting suspicious behavior associated with the object, instantiating an emulation environment in response to the detected suspicious behavior, processing, recording responses to, and tracing operations of the object within the emulation environment, detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment, re-instantiating the virtualization environment, providing the recorded response from the emulation environment to the object in the virtualization environment, monitoring the operations of the object within the re-instantiation of the virtualization environment, identifying untrusted actions from the monitored operations, and generating a report regarding the identified untrusted actions of the object.