Methods, systems, and media for injecting code into embedded devices

    Publication number: US11288090B1

    Publication date: 2022-03-29

    Application number: US16105557

    Filing date: 2018-08-20

    Abstract: Methods, systems, and media for injecting code into embedded devices are provided. In accordance with some embodiments, methods for injecting code into embedded devices are provided, the methods comprising: embedding payload execution code into an embedded device; identifying program instructions in code of the embedded device into which jump instructions can be placed; inserting at least one jump instruction at an identified program instruction; allocating memory for storing an execution context of an injected payload; saving a context of the code of the embedded device to memory; loading and executing a payload context into a processor of the embedded device; determining when execution of the payload context is to be interrupted; and in response to determining that the execution of the payload context is to be interrupted, saving the payload context, restoring the context of the code of the embedded device, and continuing execution of the code of the embedded device.

    Method and Apparatus for Evaluating Phishing Sites to Determine Their Level of Danger and Profile Phisher Behavior

    Publication number: US20220070215A1

    Publication date: 2022-03-03

    Application number: US17462585

    Filing date: 2021-08-31

    IPC classification: H04L29/06

    Abstract: Enhanced attribution of phishers and assessment of the danger level posed by phishing campaigns by applying machine learning techniques to analyze the contents of phishing websites. The danger level may be determined as a function of the amount and kind of sensitive personal information the site attempts to steal. Profiling phisher behavior may be used as advanced threat intelligence to help predict which websites will be targeted by spoofing and/or phishing campaigns. Profiling phisher behavior may be accomplished by a focused analysis of the displayed items or words generated by the code with which the phisher labels webform input fields across different websites. The model of phisher behavior may reveal a phisher's motive and intent and may be used to investigate organized phishing teams. Rating phishing sites may inform response strategies and provide more informed critical browser messaging to the user.
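The abstract above rates a phishing site by the kind of personal data its web form tries to collect, using the labels the phisher attached to the input fields. The following is an added example of that idea in Python; it is not the patent's model or code. The sensitivity categories, their regexes and weights, and the sample form are all assumptions made for illustration.

```python
"""Rate a phishing page by the kinds of personal data its web form asks for.

Added example (not the patent's model): the categories, weights, regexes and
the sample page are illustrative assumptions.
"""
import re
from html.parser import HTMLParser

# Assumed sensitivity categories: (weight, regex over the label text the
# phisher attached to the field). Weights are illustrative.
CATEGORIES = {
    "credential": (3, r"pass(word|wd)|\bpin\b|\botp\b|one.?time|security code"),
    "financial":  (4, r"card|cvv|cvc|expir|account number|routing|iban"),
    "identity":   (4, r"ssn|social security|passport|driver'?s? lic|date of birth|\bdob\b"),
    "contact":    (1, r"e-?mail|phone|mobile|address|zip|postal"),
    "username":   (1, r"user(name)?|login"),
}


class FormFieldCollector(HTMLParser):
    """Collects one label string per form input: the visible <label> text,
    or the placeholder/name/id the phisher wrote into the input tag."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._label = None  # buffer while inside a <label> element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "label":
            self._label = ""
        elif tag == "input" and a.get("type", "text") not in ("submit", "hidden", "button", "reset"):
            label = a.get("placeholder") or a.get("name") or a.get("id") or ""
            if a.get("type") == "password":
                label += " password"  # the input type itself reveals what is sought
            self.fields.append(label.lower())

    def handle_data(self, data):
        if self._label is not None:
            self._label += data

    def handle_endtag(self, tag):
        if tag == "label" and self._label is not None:
            self.fields.append(self._label.strip().lower())
            self._label = None


def classify_field(label):
    """First matching category, or None for fields that seek nothing sensitive."""
    for cat, (_, pattern) in CATEGORIES.items():
        if re.search(pattern, label):
            return cat
    return None


def rate_phishing_page(html):
    """Return (danger_score, {category: field_count}). Each category counts
    once towards the score: breadth of data sought matters, not repeats."""
    collector = FormFieldCollector()
    collector.feed(html)
    seen = {}
    for label in collector.fields:
        cat = classify_field(label)
        if cat:
            seen[cat] = seen.get(cat, 0) + 1
    return sum(CATEGORIES[c][0] for c in seen), seen


# Constructed sample: a fake "account verification" form.
SAMPLE_PAGE = """<form action="/verify">
<label for="u">Email address</label><input id="u" name="user">
<label for="p">Password</label><input id="p" type="password">
<input name="card" placeholder="Card number">
<input name="cvv" placeholder="CVV">
<input name="ssn" placeholder="Social Security Number">
<input type="submit" value="Verify">
</form>"""

if __name__ == "__main__":
    print(rate_phishing_page(SAMPLE_PAGE))
```

The score rises with the breadth of data the form asks for, so a page that wants a password, a card number and a social security number outranks one that only asks for a login. The per-category field labels are also the raw material for profiling a phisher across sites, as the abstract describes.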

    94. SYSTEMS AND METHODS FOR CONTENT EXTRACTION FROM A MARK-UP LANGUAGE TEXT ACCESSIBLE AT AN INTERNET DOMAIN
    Patent application, pending (published)

    Publication number: US20170031883A1

    Publication date: 2017-02-02

    Application number: US15187577

    Filing date: 2016-06-20

    IPC classification: G06F17/22 G06F17/30

    Abstract: Systems and methods are presented for content extraction from markup language text. The content extraction process may parse markup language text into a hierarchical data model and then apply one or more filters. Output filters may be used to make the process more versatile. The operation of the content extraction process and the one or more filters may be controlled by one or more settings set by a user, or automatically by a classifier. The classifier may automatically enter settings by classifying markup language text and entering settings based on this classification. Automatic classification may be performed by clustering unclassified markup language texts with previously classified markup language texts.
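The pipeline in the abstract (parse markup into a hierarchical model, then prune it with settings-driven filters) is shown below as an added Python example; it is not the patent's implementation. The tree model, the three filters, the settings keys and the sample page are assumptions, and the classifier that would choose the settings automatically is left out: the settings profile is passed in by hand.

```python
"""Extract the main text of a markup page: parse to a tree, then drop
subtrees that filters reject according to a settings profile.

Added example, not the patent's implementation; the tree model, filters,
settings keys and sample page are assumptions.
"""
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


class Node:
    """One element or text node of the hierarchical model."""

    def __init__(self, tag, attrs=None, parent=None, text=""):
        self.tag, self.attrs, self.parent = tag, dict(attrs or {}), parent
        self.children, self.text = [], text

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

    def text_length(self):
        return sum(len(n.text) for n in self.walk() if n.tag == "#text")


class TreeBuilder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.root = Node("#root")
        self.cur = self.root

    def handle_starttag(self, tag, attrs):
        node = Node(tag, attrs, self.cur)
        self.cur.children.append(node)
        if tag not in VOID_TAGS:
            self.cur = node

    def handle_endtag(self, tag):
        # Climb to the nearest open ancestor with this tag; tolerates the
        # unclosed elements that real pages are full of.
        node = self.cur
        while node is not self.root and node.tag != tag:
            node = node.parent
        if node is not self.root:
            self.cur = node.parent

    def handle_data(self, data):
        if data.strip():
            self.cur.children.append(Node("#text", parent=self.cur, text=data.strip()))


# Filters: each returns True when the whole subtree should be dropped.
def drop_tags(node, settings):
    return node.tag in settings["drop_tags"]


def drop_by_class(node, settings):
    return any(c in settings["drop_classes"] for c in node.attrs.get("class", "").split())


def drop_link_lists(node, settings):
    """Navigation menus: lists whose text is almost entirely inside <a>."""
    if node.tag not in ("ul", "ol"):
        return False
    total = node.text_length()
    linked = sum(a.text_length() for a in node.walk() if a.tag == "a")
    return total > 0 and linked / total >= settings["link_ratio"]


FILTERS = [drop_tags, drop_by_class, drop_link_lists]


def extract(html, settings):
    """Return the surviving text nodes, one per line, in document order."""
    builder = TreeBuilder()
    builder.feed(html)
    out = []

    def visit(node):
        if any(f(node, settings) for f in FILTERS):
            return
        if node.tag == "#text":
            out.append(node.text)
        for child in node.children:
            visit(child)

    visit(builder.root)
    return "\n".join(out)


# Constructed sample page and a hand-chosen settings profile.
SAMPLE_HTML = """<html><head><title>Article</title><script>var x=1;</script></head>
<body>
<ul class="menu"><li><a href="/">Home</a></li><li><a href="/news">News</a></li></ul>
<div class="ad">Buy now!</div>
<h1>Patch released</h1>
<p>The vendor shipped a fix on Tuesday.</p>
<p>Users should update immediately.</p>
<ul><li>Install the update</li><li>Reboot the device, see <a href="/doc">docs</a></li></ul>
</body></html>"""
SETTINGS = {"drop_tags": {"script", "style", "head"}, "drop_classes": {"ad", "menu"}, "link_ratio": 0.9}

if __name__ == "__main__":
    print(extract(SAMPLE_HTML, SETTINGS))
```

Because every filter reads its thresholds and tag lists from the settings dictionary, swapping in a different profile (for a forum layout, say) changes the extraction without touching the parser, which is the separation the abstract describes between the process and the settings that control it.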

    95. Methods of unsupervised anomaly detection using a geometric framework
    Granted patent, in force

    Publication number: US08544087B1

    Publication date: 2013-09-24

    Application number: US12022425

    Filing date: 2008-01-30

    IPC classification: G06F12/14 G06F12/16

    Abstract: A method for unsupervised anomaly detection, that is, for algorithms designed to process unlabeled data. Data elements are mapped to a feature space, which is typically a vector space. Anomalies are detected by determining which points lie in sparse regions of the feature space. Two feature maps are used for mapping data elements to a feature space. A first map is a data-dependent normalization feature map, which we apply to network connections. A second feature map is a spectrum kernel, which we apply to system call traces.
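The abstract names two feature maps and one detection rule (points in sparse regions are anomalies). The Python below is an added example of both maps feeding one sparse-region detector; it is not the patent's code. The k-th-nearest-neighbour distance as the sparsity measure, the sample connection records and the sample system-call traces are assumptions.

```python
"""Unsupervised anomaly detection in a feature space: two feature maps and
one sparse-region detector (distance to the k-th nearest neighbour).

Added example, not the patent's code. The k-NN scoring rule, the sample
connection records and the sample system-call traces are assumptions.
"""
import math
from collections import Counter


def normalization_map(records):
    """Data-dependent normalization: scale each numeric column by the mean and
    standard deviation of the unlabeled dataset itself."""
    stats = []
    for col in zip(*records):
        mean = sum(col) / len(col)
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        stats.append((mean, std))
    return [tuple((v - m) / s for v, (m, s) in zip(r, stats)) for r in records]


def spectrum_map(traces, k=2):
    """Spectrum kernel feature map: a trace becomes its vector of k-gram counts
    over the vocabulary of k-grams seen in the whole dataset."""
    grams = [Counter(tuple(t[i:i + k]) for i in range(len(t) - k + 1)) for t in traces]
    vocab = sorted({g for c in grams for g in c})
    return [tuple(c[g] for g in vocab) for c in grams]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def sparse_region_scores(points, k):
    """Distance to the k-th nearest other point; large means a sparse region."""
    scores = []
    for i, p in enumerate(points):
        dists = sorted(euclid(p, q) for j, q in enumerate(points) if j != i)
        scores.append(dists[k - 1] if len(dists) >= k else math.inf)
    return scores


def detect(points, k, top_fraction):
    """Indices of the top_fraction of points lying in the sparsest regions."""
    scores = sparse_region_scores(points, k)
    n_flag = max(1, round(len(points) * top_fraction))
    cutoff = sorted(scores, reverse=True)[n_flag - 1]
    return [i for i, s in enumerate(scores) if s >= cutoff]


# Constructed data. Connections: (duration_s, src_bytes, dst_bytes, conns_to_host).
CONNECTIONS = [(1 + i % 3, 200 + 10 * i, 300 + 5 * i, 1 + i % 2) for i in range(20)]
CONNECTIONS += [(0, 0, 0, 500),          # many zero-byte connections: scan-like
                (0, 5_000_000, 60, 1)]   # huge upload, tiny reply: exfil-like
TRACES = [
    ("open", "read", "read", "write", "close"),
    ("open", "read", "write", "close"),
    ("open", "read", "read", "read", "close"),
    ("open", "read", "write", "write", "close"),
    ("open", "read", "close"),
    ("open", "write", "close"),
    ("open", "read", "write", "close"),
    ("socket", "connect", "dup2", "dup2", "execve"),  # reverse-shell shape
]


def anomalous_connections():
    return detect(normalization_map(CONNECTIONS), k=3, top_fraction=0.1)


def anomalous_traces():
    return detect(spectrum_map(TRACES, k=2), k=2, top_fraction=0.1)


if __name__ == "__main__":
    print("connections:", anomalous_connections(), "traces:", anomalous_traces())
```

Normalization matters for the connection records: without it the byte-count column would dominate every distance and the high-connection-count record would sit in a dense region. The spectrum map needs no normalization because every coordinate is already a k-gram count, and a trace built from syscalls that never co-occur in normal traces has no close neighbours at all.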

    96. System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses
    Granted patent, in force

    Publication number: US07913306B2

    Publication date: 2011-03-22

    Application number: US12154405

    Filing date: 2008-05-21

    IPC classification: G06F21/22 G06F11/30

    CPC classification: G06F21/552 H04L63/1416

    Abstract: A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the file system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.
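The model generator and model comparator in the abstract can be illustrated with a small probabilistic model over features of registry access records. The Python below is an added example, not the patent's implementation: the feature set (process, query type, key, and the process-key conjunction), the estimator that reserves probability for never-seen values, the threshold rule and the constructed audit records are assumptions.

```python
"""Probabilistic model of normal registry usage, scored per access record.

Added example, not the patent's implementation. The feature set, the
unseen-value estimator and the constructed records are assumptions.
"""
import math
from collections import Counter

FEATURES = ("process", "query", "key", "process+key")


def featurize(rec):
    """Single features plus one conjunction: which process touches which key."""
    return {
        "process": rec["process"],
        "query": rec["query"],
        "key": rec["key"],
        "process+key": (rec["process"], rec["key"]),
    }


class RegistryModel:
    def __init__(self):
        self.counts = {f: Counter() for f in FEATURES}
        self.total = 0

    def train(self, records):
        for rec in records:
            for f, v in featurize(rec).items():
                self.counts[f][v] += 1
            self.total += 1

    def prob(self, f, v):
        """Estimated probability of value v for feature f. Mass is reserved for
        never-seen values in proportion to how many distinct values training
        produced (an assumed estimator, not the patent's exact model)."""
        counts = self.counts[f]
        distinct = len(counts)
        p_new = distinct / (self.total + distinct)
        if v in counts:
            return (1 - p_new) * counts[v] / self.total
        return p_new

    def score(self, rec):
        """Summed surprise, -log p, over features: larger means rarer."""
        return sum(-math.log(self.prob(f, v)) for f, v in featurize(rec).items())

    def threshold_from(self, records):
        """Highest score any training record gets; new records above it are anomalies."""
        return max(self.score(r) for r in records)

    def is_anomaly(self, rec, threshold):
        return self.score(rec) > threshold


# Constructed audit records (process, query type, key), mimicking a registry
# auditing module's output on a quiet workstation.
def _recs(n, process, query, key):
    return [{"process": process, "query": query, "key": key}] * n


NORMAL = (
    _recs(30, "explorer.exe", "QueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced")
    + _recs(20, "chrome.exe", "QueryValue", r"HKCU\Software\Google\Chrome\BLBeacon")
    + _recs(5, "chrome.exe", "SetValue", r"HKCU\Software\Google\Chrome\BLBeacon")
    + _recs(15, "winword.exe", "QueryValue", r"HKCU\Software\Microsoft\Office\16.0\Word\Options")
)
# Constructed suspect: an unknown process writing a persistence entry.
SUSPECT = {"process": "updater_helper.exe", "query": "SetValue",
           "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"}


def demo():
    model = RegistryModel()
    model.train(NORMAL)
    thr = model.threshold_from(NORMAL)
    return model.score(SUSPECT), thr, model.is_anomaly(SUSPECT, thr)


if __name__ == "__main__":
    print(demo())
```

The conjunction feature is what catches a known-good process touching a key it never touched before; the single features alone would score such a record as ordinary. Taking the threshold from the training set's own worst score is the simplest rule; in practice one would hold out a validation slice and accept some false-positive rate.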

    97. METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR
    Patent application, in force (granted)

    Publication number: US20100269175A1

    Publication date: 2010-10-21

    Application number: US12628587

    Filing date: 2009-12-01

    IPC classification: G06F11/00

    Abstract: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.
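The method above combines two signals: deviation of a window of actions from a per-category user intent model, and access to planted decoy information, with an alert only when both hold. The Python below is an added example of that combination, not the patent's code. The mapping from actions to intent categories, the decoy paths, the Hellinger distance as the deviation measure and the event windows are assumptions.

```python
"""Masquerade detection: compare a window of user actions against the user's
intent model, and alert only when the deviation is large AND decoy data was
touched.

Added example, not the patent's code. The action-to-category map, the decoy
paths, the deviation measure and the event windows are assumptions.
"""
import math
from collections import Counter

CATEGORY_OF = {  # assumed mapping from audited actions to intent categories
    "open_doc": "document_work", "save_doc": "document_work", "print": "document_work",
    "browse": "web",
    "mail_read": "communication", "mail_send": "communication",
    "find": "search", "grep": "search", "dir_list": "search",
    "copy_file": "data_movement", "usb_write": "data_movement", "upload": "data_movement",
}
DECOY_PATHS = {  # decoy files planted for this user; the real user has no reason to open them
    "/home/alice/Documents/passwords_backup.xlsx",
    "/home/alice/.ssh/id_rsa_old",
}


def category_distribution(events):
    cats = Counter(CATEGORY_OF.get(e["action"], "other") for e in events)
    n = sum(cats.values())
    return {c: k / n for c, k in cats.items()} if n else {}


class UserIntentModel:
    """Baseline distribution of one user's actions over intent categories."""

    def __init__(self, baseline_events):
        self.dist = category_distribution(baseline_events)

    def deviation(self, events):
        """Hellinger distance in [0, 1] between the baseline and a new window."""
        new = category_distribution(events)
        keys = set(self.dist) | set(new)
        s = sum((math.sqrt(self.dist.get(c, 0.0)) - math.sqrt(new.get(c, 0.0))) ** 2 for c in keys)
        return math.sqrt(s / 2)


def decoy_touched(events):
    return any(e.get("path") in DECOY_PATHS for e in events)


def detect_masquerade(model, window, threshold=0.5):
    """Alert requires both signals: a user's unusual day does not fire on its
    own, while an intruder hunting through files still trips the decoys."""
    dev = model.deviation(window)
    decoy = decoy_touched(window)
    return {"deviation": round(dev, 3), "decoy": decoy, "alert": dev > threshold and decoy}


# Constructed event streams.
def ev(action, path=None):
    return {"action": action, "path": path}


BASELINE = ([ev("open_doc")] * 20 + [ev("save_doc")] * 15 + [ev("print")] * 5
            + [ev("browse")] * 20 + [ev("mail_read")] * 10 + [ev("mail_send")] * 5
            + [ev("find")] * 5)
NORMAL_WINDOW = ([ev("open_doc")] * 8 + [ev("save_doc")] * 4 + [ev("browse")] * 4
                 + [ev("mail_read")] * 3 + [ev("find")])
MASQUERADER_WINDOW = ([ev("find", "/home/alice")] * 4 + [ev("grep")] * 4 + [ev("dir_list")] * 2
                      + [ev("copy_file", "/home/alice/Documents/passwords_backup.xlsx")]
                      + [ev("copy_file")] * 3 + [ev("upload")] * 4)
NO_DECOY_WINDOW = [e for e in MASQUERADER_WINDOW if e["path"] not in DECOY_PATHS]

if __name__ == "__main__":
    model = UserIntentModel(BASELINE)
    for name, w in (("normal", NORMAL_WINDOW), ("masquerader", MASQUERADER_WINDOW), ("no decoy", NO_DECOY_WINDOW)):
        print(name, detect_masquerade(model, w))
```

The third window shows why the abstract gates the alert on decoy access: the same search-and-copy burst without a decoy touch scores as a large deviation but raises no alert, which is the behaviour wanted for a legitimate user on an atypical task.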

    98. Detecting probes and scans over high-bandwidth, long-term, incomplete network traffic information using limited memory
    Granted patent, in force

    Publication number: US07752665B1

    Publication date: 2010-07-06

    Application number: US10620156

    Filing date: 2003-07-14

    IPC classification: G06F11/30 G08B23/00 G06F12/14

    CPC classification: H04L63/1458

    Abstract: A method for detecting surveillance activity in a computer communication network comprising automatic detection of malicious probes and scans and adaptive learning. Automatic scan/probe detection in turn comprises modeling network connections, detecting connections that are likely probes originating from malicious sources, and detecting scanning activity by grouping source addresses that are logically close to one another and by recognizing certain combinations of probes. The method is implemented in a scan/probe detector, preferably in combination with a commercial or open-source intrusion detection system and an anomaly detector. Once generated, the model monitors online activity to detect malicious behavior without any requirement for a priori knowledge of system behavior. This is referred to as "behavior-based" or "mining-based" detection. The three main components may be used separately or in combination with each other. The alerts produced by each may be presented to an analyst, used for generating reports (such as trend analysis), or correlated with alerts from other detectors. Through correlation, the invention prioritizes alerts, reduces the number of alerts presented to an analyst, and determines the most important alerts.
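The abstract's scan/probe detector has three ideas worth seeing together: bounded state so the detector survives long, high-volume captures; a probe rule that tolerates incomplete flow records; and scan detection that groups logically close source addresses and recognizes combinations of probes. The Python below is an added example of those ideas, not the patent's detector. The LRU-bounded tables, the "unanswered connection to a service nobody has used" probe rule, the /24 grouping, the probe-combination signatures and the constructed flow records are assumptions.

```python
"""Scan and probe detection over incomplete flow records with bounded state.

Added example, not the patent's detector. The LRU-bounded tables, the probe
rule, the /24 grouping, the combination signatures and the sample records
are assumptions.
"""
import ipaddress
from collections import OrderedDict

PROBE_COMBOS = {  # assumed signatures: these port sets probed together by one source
    "remote-admin sweep": {22, 23, 3389},
    "smb-and-rpc": {135, 139, 445},
}


class BoundedTable:
    """Fixed-capacity map with least-recently-used eviction: state stays
    bounded no matter how long or how fast the traffic runs."""

    def __init__(self, capacity):
        self.capacity, self.d = capacity, OrderedDict()

    def get(self, key):
        if key not in self.d:
            return None
        self.d.move_to_end(key)
        return self.d[key]

    def set(self, key, value):
        self.d[key] = value
        self.d.move_to_end(key)
        if len(self.d) > self.capacity:
            self.d.popitem(last=False)


class ScanProbeDetector:
    def __init__(self, capacity=4096, scan_threshold=8, prefix=24):
        self.live = BoundedTable(capacity)          # (dst, port) -> True once a handshake completed
        self.targets = BoundedTable(capacity)       # src or /prefix -> distinct (dst, port) set
        self.probed_ports = BoundedTable(capacity)  # src -> ports it probed
        self.scan_threshold, self.prefix = scan_threshold, prefix
        self.reported, self.alerts = set(), []

    def _alert(self, alert):
        if alert not in self.reported:  # each alert once, so a long scan cannot flood the analyst
            self.reported.add(alert)
            self.alerts.append(alert)

    def _count_target(self, key, target):
        seen = self.targets.get(key)
        if seen is None:
            seen = set()
            self.targets.set(key, seen)
        if len(seen) < self.scan_threshold:  # per-key state is capped too
            seen.add(target)
        return len(seen)

    def observe(self, src, dst, port, completed):
        """One flow record. completed=False means no full handshake was seen,
        which is only a hint: the capture may simply have missed packets."""
        target = (dst, port)
        group = str(ipaddress.ip_network(f"{src}/{self.prefix}", strict=False))
        n_src = self._count_target(src, target)
        n_group = self._count_target(group, target)
        if n_src >= self.scan_threshold:
            self._alert(("scan", src))
        elif n_group >= self.scan_threshold:
            # logically close sources sharing the work, none loud on its own
            self._alert(("distributed scan", group))
        if completed:
            self.live.set(target, True)
        elif self.live.get(target) is None:
            # unanswered connection to a service nobody has ever used: likely probe
            self._alert(("probe", src, dst, port))
            ports = self.probed_ports.get(src) or set()
            ports.add(port)
            self.probed_ports.set(src, ports)
            for name, combo in PROBE_COMBOS.items():
                if combo <= ports:
                    self._alert(("probe combo", src, name))


def run_demo():
    """Constructed records: normal clients, one loud scanner, one quiet /24."""
    records = []
    for _ in range(50):  # normal clients completing handshakes to real services
        records += [("203.0.113.10", "192.0.2.5", 443, True), ("203.0.113.10", "192.0.2.5", 80, True),
                    ("203.0.113.11", "192.0.2.6", 25, True)]
    for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389):  # single-source sweep, SYNs only
        records.append(("198.51.100.7", "192.0.2.5", p, False))
    for i in range(8):  # eight neighbours each touching one port of one host
        records.append((f"198.18.0.{20 + i}", "192.0.2.7", 1000 + i, False))
    det = ScanProbeDetector()
    for src, dst, port, completed in records:
        det.observe(src, dst, port, completed)
    return det.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Note what the probe rule does with incomplete data: the scanner's unanswered SYNs to ports 80 and 443 are not reported as probes because those services are known to be live, so a missed reply in the capture does not by itself produce an alert. The eight neighbouring sources never individually reach the scan threshold; only the /24 grouping reveals them.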

    99. System and methods for detecting malicious email transmission
    Granted patent, in force

    Publication number: US07657935B2

    Publication date: 2010-02-02

    Application number: US10222632

    Filing date: 2002-08-16

    IPC classification: G06F11/00 G06F12/14

    Abstract: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
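The clique rule at the end of the abstract is shown below as an added Python example, not the patent's implementation. Building the graph from everyone who appeared together on a prior email (sender plus recipients), enumerating maximal cliques with Bron-Kerbosch, treating an email whose participants fit inside no single clique as the violation, and the constructed mailbox history are all assumptions.

```python
"""Email-policy violation detection with recipient cliques.

Added example, not the patent's implementation. The graph construction, the
Bron-Kerbosch clique enumeration, the violation rule and the sample mailbox
are assumptions.
"""
from collections import defaultdict


class CliqueModel:
    def __init__(self, prior_emails):
        # Two people are linked if they ever appeared on the same email.
        self.adj = defaultdict(set)
        for sender, recipients in prior_emails:
            people = {sender, *recipients}
            for p in people:
                self.adj[p] |= people - {p}
        self.cliques = self._maximal_cliques()

    def _maximal_cliques(self):
        """Bron-Kerbosch: every maximal set of mutually linked people."""
        out = []

        def bk(r, p, x):
            if not p and not x:
                out.append(frozenset(r))
                return
            for v in list(p):
                bk(r | {v}, p & self.adj[v], x & self.adj[v])
                p = p - {v}
                x = x | {v}

        bk(set(), set(self.adj), set())
        return out

    def check(self, sender, recipients):
        """A violation when two or more recipients are addressed together but
        no clique of past correspondents contains the sender and all of them,
        the pattern a worm or mass-mailer produces while sweeping an address book."""
        people = {sender, *recipients}
        covering = [c for c in self.cliques if people <= c]
        return {"violation": len(recipients) >= 2 and not covering, "cliques": covering}


# Constructed mailbox history: (sender, recipients). Alice works with two
# separate groups that never appear on the same thread.
PRIOR = [
    ("alice", ["bob", "carol"]),
    ("alice", ["bob", "carol", "dave"]),
    ("bob", ["alice", "dave"]),
    ("alice", ["erin", "frank"]),
    ("erin", ["alice", "frank", "grace"]),
]

if __name__ == "__main__":
    model = CliqueModel(PRIOR)
    print(sorted(sorted(c) for c in model.cliques))
    print(model.check("alice", ["bob", "erin"]))   # crosses both cliques
    print(model.check("alice", ["bob", "dave"]))   # inside one clique
```

Maximal cliques rather than connected components are the right grouping here: alice links both groups, so a component-based model would merge them into one and never notice a message that spans them. Bron-Kerbosch is exponential in the worst case, so on a large organization's mail graph it would be run per user on their own neighbourhood, which is the scale that matters for this check.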
