System and methods for detecting intrusions in a computer system by monitoring operating system registry accesses
    92.
    Granted patent, in force

    Publication no.: US07913306B2

    Publication date: 2011-03-22

    Application no.: US12154405

    Filing date: 2008-05-21

    IPC classes: G06F21/22 G06F11/30

    CPC classes: G06F21/552 H04L63/1416

    Abstract: A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the file system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.
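
    The following is an added illustration of the abstract's idea, not code from the patent or its authors: a per-feature probabilistic model of normal registry accesses, scored by summed negative log-probability, with the threshold taken from the worst training score plus a margin. The record schema (process, key, operation, result), the training records, the smoothing rule and the joint (process, key) feature are all assumptions made for the example.

```python
import math
from collections import Counter

# Feature fields extracted from each registry-access record (assumed schema,
# not the patent's own record format).
FEATURES = ("process", "key", "operation", "result")

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES_KEY = r"HKLM\System\CurrentControlSet\Services"
CLASSES_KEY = r"HKCU\Software\Classes"

def rec(process, key, operation, result="success"):
    return {"process": process, "key": key, "operation": operation, "result": result}

# Constructed training records standing in for audit output from a quiet host.
NORMAL_RECORDS = (
    [rec("explorer.exe", RUN_KEY, "QueryValue")] * 3
    + [rec("winlogon.exe", WINLOGON_KEY, "QueryValue")] * 2
    + [rec("svchost.exe", SERVICES_KEY, "QueryValue")] * 3
    + [rec("svchost.exe", SERVICES_KEY, "QueryValue", "notfound")]
    + [rec("explorer.exe", CLASSES_KEY, "OpenKey")] * 2
)

class RegistryAccessModel:
    """Probabilistic model of normal registry usage built from per-feature counts."""

    def __init__(self):
        self.n = 0
        self.counts = {f: Counter() for f in FEATURES}
        self.pair_counts = Counter()      # joint (process, key) feature

    def train(self, records):
        for r in records:
            self.n += 1
            for f in FEATURES:
                self.counts[f][r[f]] += 1
            self.pair_counts[(r["process"], r["key"])] += 1

    def _prob(self, counter, value):
        # Smoothed estimate: a value seen c times gets c/(n+k+1); every value never
        # observed gets 1/(n+k+1), so unseen values are rare but not impossible.
        k = len(counter)
        return max(counter.get(value, 0), 1) / (self.n + k + 1)

    def score(self, record):
        """Anomaly score: sum of -log P over each feature; higher is more anomalous."""
        s = 0.0
        for f in FEATURES:
            s -= math.log(self._prob(self.counts[f], record[f]))
        s -= math.log(self._prob(self.pair_counts, (record["process"], record["key"])))
        return s

    def threshold(self, records, margin=1.0):
        """Threshold = worst score observed on the training data plus a fixed margin."""
        return max(self.score(r) for r in records) + margin

def is_anomaly(model, threshold, record):
    return model.score(record) > threshold

def demo():
    model = RegistryAccessModel()
    model.train(NORMAL_RECORDS)
    thr = model.threshold(NORMAL_RECORDS)
    normal = rec("explorer.exe", RUN_KEY, "QueryValue")
    persist = rec("evil.exe", RUN_KEY, "SetValue")     # unknown binary adding a Run entry
    hijack = rec("svchost.exe", RUN_KEY, "SetValue")   # known binary, never seen writing Run
    return {
        "threshold": thr,
        "normal": is_anomaly(model, thr, normal),
        "persist": is_anomaly(model, thr, persist),
        "hijack": is_anomaly(model, thr, hijack),
    }

if __name__ == "__main__":
    print(demo())
```

    The joint (process, key) feature is what catches the second case: every single feature of the svchost.exe write has been seen before, but the combination has not, and that alone pushes the score past the threshold. In practice the margin and the feature set are the tuning knobs; a margin of zero flags anything rarer than the rarest training record.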

    Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems
    93.
    Patent application, in force

    Publication no.: US20100281541A1

    Publication date: 2010-11-04

    Application no.: US12833743

    Filing date: 2010-07-09

    IPC classes: G06F11/00

    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
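
    An added example of the two components, written for this page and not taken from the patent: the abstract only says the correlator "utilizes data structures", so the choice of a Bloom filter as the structure each site shares (it reveals whether a source was seen without publishing the alert log) is an assumption, as are the site names, the alert sources and the round-robin "circle method" used for the distributor's schedule.

```python
import hashlib

class BloomFilter:
    """Fixed-size membership sketch: a site can share which sources it has
    alerted on without handing peers its raw alert log."""

    def __init__(self, m=4096, k=3):
        self.m, self.k, self.bits = m, k, 0

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits |= 1 << p

    def __contains__(self, item):
        return all(self.bits >> p & 1 for p in self._positions(item))

def correlate(local_site, local_sources, peer_filters, min_sites=2):
    """Return {source: [sites]} for alert sources that at least `min_sites`
    collaborators (local site included) have reported.  A Bloom hit can be a
    false positive, so a hit is a lead to verify, not a verdict."""
    hits = {}
    for src in set(local_sources):
        sites = [local_site] + [site for site, bf in peer_filters.items() if src in bf]
        if len(sites) >= min_sites:
            hits[src] = sites
    return hits

def exchange_schedule(sites, group_size):
    """Partition sites into groups and pair the members of each group round-robin
    (circle method): every pair exchanges exactly once per cycle, so traffic is
    bounded by group size rather than by the number of collaborators."""
    per_group = []
    for start in range(0, len(sites), group_size):
        group = list(sites[start:start + group_size])
        if len(group) % 2:
            group.append(None)                    # odd-sized group: one site idles per round
        n = len(group)
        rounds = []
        for r in range(n - 1):
            rest = group[1:]
            order = [group[0]] + rest[r:] + rest[:r]
            pairs = [(order[i], order[n - 1 - i]) for i in range(n // 2)]
            rounds.append([p for p in pairs if None not in p])
        per_group.append(rounds)
    n_rounds = max((len(g) for g in per_group), default=0)
    return [[p for g in per_group for p in (g[r] if r < len(g) else [])]
            for r in range(n_rounds)]

def demo():
    # Constructed alerts: four collaborating sites; 203.0.113.9 probes three of them.
    site_alerts = {
        "siteA": ["203.0.113.9", "198.51.100.4"],
        "siteB": ["203.0.113.9"],
        "siteC": ["203.0.113.9", "192.0.2.33"],
        "siteD": ["192.0.2.77"],
    }
    filters = {}
    for site, sources in site_alerts.items():
        bf = BloomFilter()
        for s in sources:
            bf.add(s)
        filters[site] = bf
    peers = {s: bf for s, bf in filters.items() if s != "siteA"}
    hits = correlate("siteA", site_alerts["siteA"], peers)
    schedule = exchange_schedule(list(site_alerts), group_size=4)
    return hits, schedule

if __name__ == "__main__":
    print(demo())
```

    With four sites in one group the schedule has three rounds of two exchanges each, and siteA learns that 203.0.113.9 has also hit siteB and siteC while its own one-off 198.51.100.4 stays local.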

    METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR
    94.
    Patent application, in force

    Publication no.: US20100269175A1

    Publication date: 2010-10-21

    Application no.: US12628587

    Filing date: 2009-12-01

    IPC classes: G06F11/00

    Abstract: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.
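
    An added worked example of the method's two-part condition, not code from the patent: an intent model is a distribution over action categories, deviation is measured as total-variation distance, and an alert fires only when the deviation exceeds a threshold and a decoy was touched in the same window. The command-to-category mapping, the decoy paths, the threshold and the sample sessions are assumptions constructed for the example.

```python
from collections import Counter

# Assumed mapping from observed commands to intent categories.
ACTION_CATEGORY = {
    "ls": "browse", "cd": "browse", "cat": "browse",
    "find": "search", "grep": "search", "locate": "search",
    "vim": "edit", "git": "edit", "make": "edit",
    "tar": "archive", "zip": "archive",
    "scp": "transfer", "curl": "transfer",
}
# Constructed decoy files planted in the user's home directory.
DECOY_PATHS = {"/home/alice/passwords.txt", "/home/alice/finance/tax-return-2009.pdf"}

def build_intent_model(actions):
    """Fraction of the user's actions falling in each intent category."""
    cats = Counter(ACTION_CATEGORY.get(cmd, "other") for cmd, _ in actions)
    total = sum(cats.values())
    return {c: n / total for c, n in cats.items()}

def deviation(model, actions):
    """Total-variation distance between model and window: 0 = same mix, 1 = disjoint."""
    window = build_intent_model(actions)
    return sum(abs(model.get(c, 0.0) - window.get(c, 0.0))
               for c in set(model) | set(window)) / 2

def detect(model, actions, threshold=0.5):
    dev = deviation(model, actions)
    decoy_touched = sorted({path for _, path in actions if path in DECOY_PATHS})
    masquerade = dev > threshold
    return {
        "deviation": round(dev, 3),
        "masquerade": masquerade,
        "decoy_access": decoy_touched,
        "alert": masquerade and bool(decoy_touched),   # both conditions must hold
    }

# Constructed sessions: (command, path) pairs for the legitimate user "alice".
TRAINING = (
    [("ls", "/home/alice/src")] * 3 + [("cd", "/home/alice/src/app")] * 3
    + [("vim", "/home/alice/src/app/main.c")] * 2 + [("git", "/home/alice/src/app")] * 2
    + [("grep", "/home/alice/src/app/main.c")] * 2
)
SAME_USER = (
    [("ls", "/home/alice/src")] * 2 + [("cd", "/home/alice/src/app")]
    + [("vim", "/home/alice/src/app/util.c")] + [("git", "/home/alice/src/app")]
    + [("grep", "/home/alice/src/app/util.c")]
)
INTRUDER = (
    [("find", "/home/alice")] * 3 + [("grep", "/home/alice/passwords.txt")]
    + [("tar", "/home/alice/finance/tax-return-2009.pdf")] * 2 + [("scp", "/tmp/out.tgz")] * 2
)
# Same unusual mix of commands, but no decoy touched: deviant, yet no alert.
DEVIANT_NO_DECOY = [(cmd, "/home/alice/src") for cmd, _ in INTRUDER]

def demo():
    model = build_intent_model(TRAINING)
    return {
        "same_user": detect(model, SAME_USER),
        "intruder": detect(model, INTRUDER),
        "deviant_no_decoy": detect(model, DEVIANT_NO_DECOY),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

    The third session shows why the conjunction matters: a legitimate user who starts a one-off cleanup job looks just as deviant as the intruder, but only the intruder reads the decoys, so only the intruder's window produces an alert.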

    Detecting probes and scans over high-bandwidth, long-term, incomplete network traffic information using limited memory
    96.
    Granted patent, in force

    Publication no.: US07752665B1

    Publication date: 2010-07-06

    Application no.: US10620156

    Filing date: 2003-07-14

    IPC classes: G06F11/30 G08B23/00 G06F12/14

    CPC classes: H04L63/1458

    Abstract: A method for detecting surveillance activity in a computer communication network comprising automatic detection of malicious probes and scans and adaptive learning. Automatic scan/probe detection in turn comprises modeling network connections, detecting connections that are likely probes originating from malicious sources, and detecting scanning activity by grouping source addresses that are logically close to one another and by recognizing certain combinations of probes. The method is implemented in a scan/probe detector, preferably in combination with a commercial or open-source intrusion detection system and an anomaly detector. Once generated, the model monitors online activity to detect malicious behavior without any requirement for a priori knowledge of system behavior. This is referred to as “behavior-based” or “mining-based detection.” The three main components may be used separately or in combination with each other. The alerts produced by each may be presented to an analyst, used for generating reports (such as trend analysis), or correlated with alerts from other detectors. Through correlation, the invention prioritizes alerts, reduces the number of alerts presented to an analyst, and determines the most important alerts.
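
    The following added example, written for this page rather than taken from the patent, shows one way to meet the abstract's "limited memory" constraint: a probe is a connection that fails or targets a service absent from the learned model, sources are grouped by /24 prefix as the notion of "logically close", and each group's distinct probe targets are counted with a fixed-size linear-counting bitmap instead of an unbounded set. The service model, the /24 grouping, the bitmap size, the threshold and the sample traffic are assumptions.

```python
import hashlib
import ipaddress
import math
from collections import defaultdict

class LinearCounter:
    """Fixed-size bitmap that estimates how many distinct items were added,
    so per-group state stays bounded however long a scan runs."""

    def __init__(self, m=256):
        self.m, self.bits = m, 0

    def add(self, item):
        h = hashlib.sha256(item.encode()).digest()
        self.bits |= 1 << (int.from_bytes(h[:4], "big") % self.m)

    def estimate(self):
        zeros = self.m - bin(self.bits).count("1")
        return float("inf") if zeros == 0 else self.m * math.log(self.m / zeros)

class ScanDetector:
    def __init__(self, normal_services, prefix=24, scan_threshold=10, bitmap_bits=256):
        self.normal_services = set(normal_services)   # (dst_ip, dst_port) learned as normal
        self.prefix = prefix
        self.scan_threshold = scan_threshold
        self.groups = defaultdict(lambda: LinearCounter(bitmap_bits))
        self.flagged = set()

    def group_key(self, src):
        # "Logically close" sources: addresses in the same /24 share one counter.
        return str(ipaddress.ip_network(f"{src}/{self.prefix}", strict=False))

    def is_probe(self, conn):
        # A probe is a connection that did not complete or targets a service the
        # model never saw; failed legitimate connections are accepted as noise.
        target = (conn["dst"], conn["dport"])
        return conn["state"] != "established" or target not in self.normal_services

    def observe(self, conn):
        """Return 'scan' when the group first crosses the threshold, 'probe' for
        any other probing connection, None for normal traffic."""
        if not self.is_probe(conn):
            return None
        key = self.group_key(conn["src"])
        self.groups[key].add(f"{conn['dst']}:{conn['dport']}")
        if key not in self.flagged and self.groups[key].estimate() >= self.scan_threshold:
            self.flagged.add(key)
            return "scan"
        return "probe"

# Constructed service model and traffic sample.
NORMAL_SERVICES = {("10.0.0.10", 80), ("10.0.0.10", 443), ("10.0.0.20", 22)}

def conn(src, dst, dport, state="established"):
    return {"src": src, "dst": dst, "dport": dport, "state": state}

TRAFFIC = (
    [conn("192.0.2.1", "10.0.0.10", 443)] * 3
    + [conn("192.0.2.2", "10.0.0.20", 22)]
    # three hosts in one /24 sweep twenty ports on a single target
    + [conn(f"203.0.113.{5 + i % 3}", "10.0.0.10", 1 + i, "rejected") for i in range(20)]
)

def run(traffic):
    det = ScanDetector(NORMAL_SERVICES)
    verdicts = [det.observe(c) for c in traffic]
    return {
        "probes": verdicts.count("probe") + verdicts.count("scan"),
        "scans": sorted(det.flagged),
        "estimate": round(det.groups["203.0.113.0/24"].estimate(), 1),
    }

if __name__ == "__main__":
    print(run(TRAFFIC))
```

    Spreading the sweep over three source addresses does not help the scanner here, because the group key is the prefix, not the host; and the bitmap makes the per-group cost 32 bytes regardless of how many targets are probed, at the price of an estimate rather than an exact count.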

    METHODS, SYSTEMS, AND MEDIA FOR BAITING INSIDE ATTACKERS
    97.
    Patent application, in force

    Publication no.: US20100077483A1

    Publication date: 2010-03-25

    Application no.: US12565394

    Filing date: 2009-09-23

    IPC classes: G06F11/00

    Abstract: Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.
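
    An added example of the two roles the abstract gives the beacon, written for this page and not the patent's own code: the decoy keeps the real document's header fields and layout (the "document properties"), swaps the sensitive values for fabricated ones, and carries a token that (1) is fetched from a collector when the file is opened and (2) is HMAC-authenticated, so the defender can tell a decoy from an actual document while an attacker cannot forge the tag onto a real file. The beacon host, the HTML image as the phone-home mechanism, the document format, the key and the sample document are all assumptions.

```python
import hashlib
import hmac
import re

BEACON_HOST = "beacon.example.invalid"     # assumed collector, not a real endpoint
BEACON_RE = re.compile(r"X-Doc-Ref: ([0-9a-f]{8})-([0-9a-f]{16})")

def _tag(key, decoy_id):
    """Truncated HMAC over the decoy id: the defender's proof that a token is genuine."""
    return hmac.new(key, decoy_id.encode(), hashlib.sha256).hexdigest()[:16]

def make_decoy(actual_doc, key, decoy_id, fake_fields):
    """Derive a decoy from a real document: keep its layout and header fields,
    replace the sensitive values, and append a beacon that both phones home and
    authenticates the decoy."""
    text = actual_doc
    for real_value, fake_value in fake_fields.items():
        text = text.replace(real_value, fake_value)
    token = f"{decoy_id}-{_tag(key, decoy_id)}"
    beacon = (f"\n<!-- X-Doc-Ref: {token} -->"
              f"\n<img src=\"https://{BEACON_HOST}/r/{token}\" width=\"1\" height=\"1\">\n")
    return text + beacon

def classify(document, key):
    """('decoy', id) when the document carries a valid beacon, else ('actual', None)."""
    m = BEACON_RE.search(document)
    if not m:
        return ("actual", None)
    decoy_id, tag = m.groups()
    if hmac.compare_digest(tag, _tag(key, decoy_id)):
        return ("decoy", decoy_id)
    return ("actual", None)        # tag present but not ours: treat as a real document

def beacon_hit(path, key):
    """Resolve a collector request path such as /r/<id>-<tag> to the decoy that was opened."""
    m = re.fullmatch(r"/r/([0-9a-f]{8})-([0-9a-f]{16})", path)
    if m and hmac.compare_digest(m.group(2), _tag(key, m.group(1))):
        return m.group(1)
    return None

# Constructed sample document and key.
ACTUAL_DOC = (
    "Title: Vendor payment accounts\nOwner: finance@example.com\nClassification: Internal\n\n"
    "Bank: First Example Bank\nAccount: 1122334455\nContact: +1 555 0100\n"
)
KEY = b"constructed-demo-key"

def demo():
    decoy = make_decoy(ACTUAL_DOC, KEY, "a1b2c3d4", {"1122334455": "9988776655"})
    forged = ACTUAL_DOC + "\n<!-- X-Doc-Ref: a1b2c3d4-0000000000000000 -->\n"
    return {
        "decoy": classify(decoy, KEY),
        "actual": classify(ACTUAL_DOC, KEY),
        "forged": classify(forged, KEY),
        "hit": beacon_hit("/r/a1b2c3d4-" + _tag(KEY, "a1b2c3d4"), KEY),
        "headers_kept": decoy.startswith("Title: Vendor payment accounts\nOwner:"),
        "real_value_gone": "1122334455" not in decoy,
    }

if __name__ == "__main__":
    print(demo())
```

    The second indication is the part that is easy to get wrong in practice: a beacon that is merely a marker string lets anyone who finds one decoy relabel real files, or strip the marker from the decoy, without the defender noticing. Keying the tag means only the holder of the key can mint or recognise a valid decoy.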

    System and methods for detecting malicious email transmission
    98.
    Granted patent, in force

    Publication no.: US07657935B2

    Publication date: 2010-02-02

    Application no.: US10222632

    Filing date: 2002-08-16

    IPC classes: G06F11/00 G06F12/14

    Abstract: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
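
    The clique rule in the last two sentences, as an added worked example that is not the patent's own code: recipients are nodes, two addresses are joined when they were co-recipients of some prior message, maximal cliques are enumerated with Bron-Kerbosch, and a new message violates the policy when its recipient list does not fit inside a single clique. The mail history, the addresses and the choice of Bron-Kerbosch are assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed prior outbound mail for one account: (sender, [recipients]).
PRIOR_EMAILS = [
    ("alice@example.com", ["bob@example.com", "carol@example.com", "dave@example.com"]),
    ("alice@example.com", ["bob@example.com", "carol@example.com"]),
    ("alice@example.com", ["bob@example.com", "dave@example.com"]),
    ("alice@example.com", ["erin@example.com", "frank@example.com"]),
    ("alice@example.com", ["erin@example.com", "frank@example.com"]),
    ("alice@example.com", ["grace@example.com"]),
]

def build_recipient_graph(emails):
    """Nodes are recipients; an edge joins two addresses that were co-recipients of a mail."""
    graph = defaultdict(set)
    for _, recipients in emails:
        for r in recipients:
            graph.setdefault(r, set())           # keep lone recipients as nodes
        for a, b in combinations(set(recipients), 2):
            graph[a].add(b)
            graph[b].add(a)
    return dict(graph)

def maximal_cliques(graph):
    """Bron-Kerbosch enumeration of maximal cliques; isolated nodes become singleton cliques."""
    found = []

    def expand(r, p, x):
        if not p and not x:
            found.append(frozenset(r))
            return
        for v in list(p):
            expand(r | {v}, p & graph[v], x & graph[v])
            p.remove(v)
            x.add(v)

    expand(set(), set(graph), set())
    return found

class CliqueModel:
    def __init__(self, emails):
        self.cliques = maximal_cliques(build_recipient_graph(emails))

    def cliques_touched(self, recipients):
        return [c for c in self.cliques if c & set(recipients)]

    def violates(self, recipients):
        """True when the recipients are not all members of one clique: they span
        several cliques, or include an address this account never mailed before."""
        rs = set(recipients)
        return not any(rs <= c for c in self.cliques)

def demo():
    model = CliqueModel(PRIOR_EMAILS)
    return {
        "cliques": sorted(sorted(c) for c in model.cliques),
        "team_mail": model.violates(["bob@example.com", "carol@example.com"]),
        "cross_clique": model.violates(["bob@example.com", "erin@example.com"]),
        "single": model.violates(["grace@example.com"]),
        "unknown": model.violates(["heidi@example.com"]),
    }

if __name__ == "__main__":
    print(demo())
```

    A mass-mailing worm that sends itself to everyone in the address book trips this rule on its first message, since the combined recipient list spans every clique; the cost is that a genuinely new cross-team thread also trips it, which is why the abstract frames this as one of several statistics feeding the policy decision rather than a verdict by itself.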