Abstract:
Computer implemented methods, apparatuses, and computer readable media for determining whether an electronic message (30) is likely to contain spam. A method embodiment of the present invention comprises the steps of comparing (11) addresses associated with the electronic message (30) with addresses in an address book (21) of a recipient (20) of the electronic message (30); counting (12) instances for which an address associated with the electronic message (30) matches an address in the address book (21); and determining (13) whether spam is likely present in the electronic message (30) by calculating whether a pre-selected condition (70) is satisfied, said pre-selected condition (70) being based upon a count of said matches and at least one predetermined threshold (80).
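The three steps of that abstract (compare, count, test a threshold condition) as an added example in Python; this is not the patent's code. The recipient address book and the two sample messages are constructed, the headers whose addresses are compared (From, Reply-To, To, Cc) are an assumption, and the pre-selected condition is taken to be "fewer than the threshold number of matches means spam is likely", which the abstract leaves open.

```python
"""Address-book match counting as a spam signal (added example, not the
patent's own code). Header names compared and the "fewer than threshold
matches means spam is likely" condition are assumptions."""
from email import message_from_string
from email.utils import getaddresses

# Constructed recipient address book (not taken from the page).
ADDRESS_BOOK = {"alice@example.com", "bob@example.org", "carol@example.net"}

# Assumed: addresses are taken from these headers of the incoming message.
ADDRESS_HEADERS = ("From", "Reply-To", "To", "Cc")

# Constructed sample messages.
KNOWN_SENDER_MSG = (
    "From: Alice <alice@example.com>\n"
    "To: me@example.com\n"
    "Cc: Bob <bob@example.org>, stranger@elsewhere.example\n"
    "Subject: lunch\n\n"
    "Still on for noon?\n"
)
UNKNOWN_SENDER_MSG = (
    "From: deals@bulk-mailer.example\n"
    "To: me@example.com\n"
    "Subject: You won\n\n"
    "Click here.\n"
)


def message_addresses(raw_message):
    """Collect the distinct, lower-cased addresses in the address headers."""
    msg = message_from_string(raw_message)
    pairs = []
    for header in ADDRESS_HEADERS:
        pairs.extend(getaddresses(msg.get_all(header, [])))
    return {addr.lower() for _name, addr in pairs if addr}


def count_matches(raw_message, address_book=ADDRESS_BOOK):
    """Step 12 of the abstract: count message addresses found in the book."""
    book = {a.lower() for a in address_book}
    return len(message_addresses(raw_message) & book)


def spam_likely(raw_message, threshold=1, address_book=ADDRESS_BOOK):
    """Step 13: the assumed pre-selected condition is 'matches < threshold'."""
    return count_matches(raw_message, address_book) < threshold


if __name__ == "__main__":
    for label, msg in (("known", KNOWN_SENDER_MSG), ("unknown", UNKNOWN_SENDER_MSG)):
        print(label, count_matches(msg), spam_likely(msg))
```

Counting distinct addresses rather than header occurrences keeps a sender from inflating the count by repeating one known address; a forged From header still scores one match, so a threshold above one or an additional condition on the Reply-To header is the usual hardening.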
Abstract:
A computer-implemented method for determining the health impact of an application based on information obtained from like-profiled computing systems may comprise: 1) obtaining a plurality of computing-system profiles, 2) obtaining system-health-evaluation results for each of the plurality of computing-system profiles, 3) identifying, by analyzing the plurality of computing-system profiles, a first set of like-profiled computing systems, 4) identifying, by analyzing the plurality of computing-system profiles, a second set of like-profiled computing systems that is substantially identical to the first set of like-profiled computing systems but for a first application installed on the second set of like-profiled computing systems, and 5) determining the health impact of the first application by comparing system-health-evaluation results from the first set of like-profiled computing systems with system-health-evaluation results from the second set of like-profiled computing systems. Corresponding systems and computer-readable media are also disclosed.
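The five-step comparison above as an added Python example (not the patent's code): systems are grouped by a profile key with the application of interest removed, so that within one group the "first set" (without the application) and the "second set" (with it) are identical but for that application. The profile attributes, the health scores and the "higher is healthier" reading of the score are all constructed assumptions.

```python
"""Health impact of an application from like-profiled systems (added example,
not the patent's own code). The attributes that define a profile and the
higher-is-healthier score are assumptions."""
from collections import defaultdict
from statistics import mean

# Constructed profiles with a system-health-evaluation result per system.
SYSTEMS = [
    {"id": "s1", "os": "win10", "hw": "laptop", "apps": {"office", "browser"}, "health": 0.92},
    {"id": "s2", "os": "win10", "hw": "laptop", "apps": {"office", "browser", "toolbarx"}, "health": 0.70},
    {"id": "s3", "os": "win10", "hw": "laptop", "apps": {"office", "browser", "toolbarx"}, "health": 0.74},
    {"id": "s4", "os": "win10", "hw": "desktop", "apps": {"browser"}, "health": 0.95},
    {"id": "s5", "os": "win10", "hw": "desktop", "apps": {"browser", "toolbarx"}, "health": 0.80},
    {"id": "s6", "os": "linux", "hw": "server", "apps": {"browser"}, "health": 0.99},
]


def like_profile_key(system, app):
    """Profile with `app` removed: systems sharing this key are identical but for `app`."""
    return (system["os"], system["hw"], frozenset(system["apps"] - {app}))


def matched_groups(systems, app):
    """Pair each 'without app' set (first set) with its 'with app' set (second set)."""
    groups = defaultdict(lambda: {"without": [], "with": []})
    for s in systems:
        bucket = "with" if app in s["apps"] else "without"
        groups[like_profile_key(s, app)][bucket].append(s["health"])
    # keep only profiles that actually have both sets
    return {k: g for k, g in groups.items() if g["with"] and g["without"]}


def health_impact(systems, app):
    """Mean over matched profiles of (mean health with app) - (mean health without).
    Returns None when no profile offers both sets, so no conclusion is possible."""
    groups = matched_groups(systems, app)
    if not groups:
        return None
    deltas = [mean(g["with"]) - mean(g["without"]) for g in groups.values()]
    return round(mean(deltas), 4)
```

With the constructed data, "toolbarx" is matched in two profiles and lowers the health score in both, while "office" has no matched pair at all and the function declines to report an impact rather than comparing dissimilar systems.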
Abstract:
Method and apparatus for searching a storage system for confidential data is described. One aspect of the invention relates to searching a computer for confidential data related to a user. User information comprising the confidential data is obtained from a digital identity for the user. A rule that provides a secure representation of the user information is generated. A storage system in the computer is searched using the rule to detect one or more instances of the user information within at least one file.
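An added Python example of the search described above (not the patent's code). The abstract only says the rule is a "secure representation" of the user information; here that is realised as keyed SHA-256 digests of normalised tokens, so the scanner carries no plaintext identity data and a copy of the rule alone does not reveal the values. The digital identity, the scan key and the file contents are constructed.

```python
"""Searching files for a user's confidential data via a secure rule (added
example, not the patent's own code). Representing the rule as keyed SHA-256
hashes of normalized tokens is an assumption; the page only says the rule is
a 'secure representation' of the user information."""
import hashlib
import hmac
import re

# Constructed digital identity of the user.
IDENTITY = {
    "ssn": "123-45-6789",
    "card": "4111 1111 1111 1111",
    "phone": "+1 (555) 010-2345",
}

# Assumed per-scan secret: without it, short numeric values could be
# recovered from plain hashes by enumeration.
RULE_KEY = b"constructed-per-scan-secret"

# Constructed stand-in for the storage system: path -> file text.
FILES = {
    "notes.txt": "Call me at +1 555 010 2345 tomorrow.",
    "tax.txt": "SSN: 123456789 on file; card 4111-1111-1111-1111.",
    "readme.txt": "No secrets here, just version 2.0.",
}

# Candidate tokens: digit runs that may contain separators. Two numbers
# separated only by spaces would merge; acceptable for this illustration.
TOKEN_RE = re.compile(r"[0-9][0-9 ()+\-]{5,}[0-9]")


def normalize(token):
    """Canonical form so '123-45-6789' and '123456789' hash identically."""
    return re.sub(r"[^0-9a-z]", "", token.lower())


def digest(token, key=RULE_KEY):
    return hmac.new(key, normalize(token).encode(), hashlib.sha256).hexdigest()


def build_rule(identity, key=RULE_KEY):
    """The rule carries only digests, mapped back to the identity field name."""
    return {digest(value, key): field for field, value in identity.items()}


def scan_text(text, rule, key=RULE_KEY):
    """Return (field, offset) for each token whose digest is in the rule."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        field = rule.get(digest(m.group(), key))
        if field:
            hits.append((field, m.start()))
    return hits


def scan_storage(files, rule, key=RULE_KEY):
    """Map each path with at least one hit to its hits."""
    results = {}
    for path, text in files.items():
        hits = scan_text(text, rule, key)
        if hits:
            results[path] = hits
    return results
```

Normalisation is what makes the hashed rule usable in practice: the same SSN written with or without dashes, or a phone number with or without the country code formatting, collapses to one digest before comparison.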
Abstract:
A method includes determining if an attempt to recreate a requested resource is made, and, if so, if the requested resource is a suspicious resource. If the requested resource is a suspicious resource, identification of an originating process is made. A determination is made if the originating process is a non-trusted originating process or a trusted originating process. If the originating process is the non-trusted originating process, a protective action is taken. In this manner, self-repairing and persistent malicious code is identified and removed with minimal adverse impact on system functionality.
Abstract:
An anti-spyware manager uses domain name service resolution queries to combat spyware. The anti-spyware manager maintains a list of domain names associated with spyware, monitors domain name service queries, and detects queries on domain names on the list. Responsive to detecting a domain name service query on a domain name associated with spyware, the anti-spyware manager forces the domain name service query to resolve to an address not associated with the domain name. Because attempts by spyware to communicate with its home server are now routed to the forced address, the spyware is unable to communicate with its home server, and thus can neither steal information nor download updates of itself. Additionally, the anti-spyware manager can identify computers that are infected with spyware and clean or quarantine them.
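The resolver behaviour above as an added Python example (not the patent's code): listed names are forced to a sinkhole address and the querying client is recorded as infected. The domain list, the upstream answers and the query log are constructed; 192.0.2.1 is used as the forced address because it is a documentation-range address not associated with any real host, and treating subdomains of a listed domain as listed is an assumption the abstract does not make.

```python
"""DNS-based spyware blocking and infected-host identification (added example,
not the patent's own code). The domain list, sinkhole address and query log
are constructed; suffix matching of subdomains is an assumption."""
from collections import defaultdict

# Constructed list of domains associated with spyware.
SPYWARE_DOMAINS = {"updates.badspy.example", "c2.trackware.example"}

# Assumed forced address: 192.0.2.1 is from the TEST-NET-1 documentation range
# and is not associated with any of the listed domains.
SINKHOLE_IP = "192.0.2.1"

# Constructed stand-in for upstream resolution.
UPSTREAM = {"www.vendor.example": "198.51.100.10", "mail.vendor.example": "198.51.100.25"}

# Constructed query log: (client ip, queried name).
QUERY_LOG = [
    ("10.0.0.5", "www.vendor.example"),
    ("10.0.0.5", "c2.trackware.example"),
    ("10.0.0.7", "cdn.updates.badspy.example."),
    ("10.0.0.9", "notbadspy.example"),
]


def canonical(name):
    """Lower-case and drop a trailing dot so lookups are case/FQDN insensitive."""
    return name.lower().rstrip(".")


class AntiSpywareResolver:
    def __init__(self, blocklist, sinkhole_ip, upstream):
        self.blocklist = {canonical(d) for d in blocklist}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream
        self.infected = defaultdict(set)  # client ip -> spyware names queried

    def is_spyware_domain(self, name):
        """True for a listed domain or any subdomain of one (label-wise suffix)."""
        labels = canonical(name).split(".")
        return any(".".join(labels[i:]) in self.blocklist for i in range(len(labels)))

    def resolve(self, client_ip, name):
        """Answer a query; listed names are forced to the sinkhole and the client recorded."""
        name = canonical(name)
        if self.is_spyware_domain(name):
            self.infected[client_ip].add(name)
            return self.sinkhole_ip
        return self.upstream.get(name)  # None models NXDOMAIN here

    def infected_hosts(self):
        """Clients that asked for spyware domains, for cleaning or quarantine."""
        return {client: sorted(names) for client, names in self.infected.items()}


def run_log(log, resolver):
    return [(client, name, resolver.resolve(client, name)) for client, name in log]
```

Matching is done label by label so that "notbadspy.example" is not caught by a substring comparison against "badspy.example", while "cdn.updates.badspy.example" is caught as a subdomain of a listed name.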
Abstract:
A computer-implemented method for detecting man-in-the-browser attacks may include identifying a transaction fingerprint associated with a web site. The method may also include tracking a user's input to the web site. The user's input may be received through a web browser. The method may further include intercepting an outgoing submission to the web site. The method may additionally include determining whether, in light of the transaction fingerprint, the user's input generated the outgoing submission. Various other methods, systems, and computer-readable media are also disclosed.
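The check described above as an added Python example (not the patent's code): a transaction fingerprint says which fields a user supplies and which the page supplies, a tracker records what the user actually entered, and the intercepted submission is compared against both. The fingerprint layout, the form field names and the two sample submissions are constructed; a browser implementation would feed the tracker from input events and the checker from the outgoing request.

```python
"""Detecting a man-in-the-browser modification of an outgoing submission
(added example, not the patent's own code). The fingerprint layout and the
tracked-input model are assumptions."""

# Constructed transaction fingerprint for a funds-transfer form: which fields
# the user fills in and which the page supplies itself.
FINGERPRINT = {
    "action": "/transfer",
    "user_fields": {"to_account", "amount", "memo"},
    "auto_fields": {"csrf_token"},
}


class InputTracker:
    """Records what the user actually typed or chose, keyed by field name."""

    def __init__(self):
        self.values = {}

    def on_input(self, field, value):
        self.values[field] = value


def check_submission(fingerprint, tracked, submission):
    """Return a list of discrepancies; an empty list means the user's input
    explains the outgoing submission."""
    problems = []
    if submission.get("action") != fingerprint["action"]:
        problems.append("action %r does not match fingerprint" % submission.get("action"))
    fields = submission.get("fields", {})
    for name in sorted(fingerprint["user_fields"]):
        if name not in fields:
            continue  # an optional field left blank is not suspicious
        if name not in tracked:
            problems.append("%s: value present but user never entered it" % name)
        elif fields[name] != tracked[name]:
            problems.append("%s: user entered %r, submission carries %r"
                            % (name, tracked[name], fields[name]))
    unexpected = set(fields) - fingerprint["user_fields"] - fingerprint["auto_fields"]
    for name in sorted(unexpected):
        problems.append("%s: field not in transaction fingerprint" % name)
    return problems


def demo():
    """Constructed scenario: one clean and one trojan-modified submission."""
    tracker = InputTracker()
    tracker.on_input("to_account", "1234567")
    tracker.on_input("amount", "50.00")
    clean = {"action": "/transfer",
             "fields": {"to_account": "1234567", "amount": "50.00", "csrf_token": "t0k"}}
    # A MitB trojan rewrites destination and amount after the user clicks submit
    # and adds a field of its own.
    tampered = {"action": "/transfer",
                "fields": {"to_account": "9999999", "amount": "5000.00",
                           "csrf_token": "t0k", "mule_ref": "x"}}
    return (check_submission(FINGERPRINT, tracker.values, clean),
            check_submission(FINGERPRINT, tracker.values, tampered))
```

The comparison is against what the user entered, not against what the page displays; a trojan that rewrites the DOM after submission can fool the user's eyes but not a record of keystrokes taken before the rewrite.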
Abstract:
Providing security comprises accessing a database configured to store operational information associated with a process, determining a first behavior using the operational information wherein the first behavior is associated with the process, monitoring the process, and comparing a second behavior with the first behavior wherein the second behavior is attempted by the process.
Abstract:
Certain events, such as data input operating system calls, are likely to initiate a buffer overflow attack. A timing module generates timestamps that indicate when such possible initiating events occur. The timestamp is associated with a particular process and/or thread executing on the computer. If subsequent evidence of a buffer overflow attack is detected on the computer, the timestamps are consulted to determine if a possible initiating event occurred recently. If there is a recent initiating event, a buffer overflow attack is declared. Evidence of a buffer overflow attack can include receiving a signal from the processor indicating that the processor was asked to execute an instruction residing in non-executable memory. Evidence of a buffer overflow attack can also include detecting an action on the computer that malicious software is likely to perform, such as opening a file or network connection, being performed by an instruction residing in non-executable memory.
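The timestamp correlation above as an added Python example (not the patent's code). The detector stamps each possible initiating event per process and thread and, when overflow evidence arrives for that process and thread, declares an attack only if the stamp is recent. The set of initiating calls, the two-second window and the event log are constructed; the real mechanism consumes syscall hooks and a processor fault signal rather than a list.

```python
"""Correlating a possible initiating event with later overflow evidence
(added example, not the patent's own code). The time window and the event
log are constructed; the detector runs over a list of events rather than
live syscall and processor signals."""

INITIATING_EVENTS = {"read", "recv", "recvfrom"}  # assumed data-input calls
# Evidence kinds named by the abstract: execution from non-executable memory,
# and a malware-like action (file or socket open) from non-executable memory.
EVIDENCE_KINDS = {"nx_exec_fault", "nx_suspicious_action"}


class OverflowDetector:
    def __init__(self, window_seconds=2.0):
        self.window = window_seconds
        self.last_initiating = {}  # (pid, tid) -> timestamp of last initiating event

    def on_event(self, ts, kind, pid, tid):
        """Returns True when an attack is declared for this event."""
        if kind in INITIATING_EVENTS:
            self.last_initiating[(pid, tid)] = ts  # the timing module's stamp
            return False
        if kind in EVIDENCE_KINDS:
            stamp = self.last_initiating.get((pid, tid))
            return stamp is not None and 0 <= ts - stamp <= self.window
        return False


# Constructed event log: (timestamp, kind, pid, tid).
EVENT_LOG = [
    (0.0, "recv", 42, 1),
    (0.4, "nx_exec_fault", 42, 1),          # recent recv on this thread -> declare
    (1.0, "read", 7, 3),
    (3.0, "nx_suspicious_action", 9, 1),    # no initiating event at all -> ignore
    (5.0, "recv", 42, 2),
    (5.1, "nx_suspicious_action", 42, 2),   # same thread within window -> declare
    (5.2, "nx_exec_fault", 42, 1),          # other thread's recv does not count
    (9.5, "nx_exec_fault", 7, 3),           # stale input (8.5 s ago) -> ignore
]


def run_detector(log, window_seconds=2.0):
    """Replay the log and return the events on which an attack was declared."""
    det = OverflowDetector(window_seconds)
    return [(ts, kind, pid, tid) for ts, kind, pid, tid in log
            if det.on_event(ts, kind, pid, tid)]
```

Keying the stamp on both process and thread is what keeps a fault in one thread from being blamed on input read by another; widening the window trades fewer misses for more false declarations, as the second assertion below shows.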
Abstract:
On start up of a process, a critical imported functions table including resolved addresses of critical imported functions that an application, such as a host intrusion detection system application depends upon to have data integrity, is dynamically allocated and marked read only to impede modification by malicious code. The critical imported functions are hooked so that execution of a call to a critical imported function is made using a corresponding entry in the critical imported functions table rather than an entry in a current process IAT, which may have been modified by malicious code. The current process IAT is evaluated to determine whether it has changed from an initial start up state, in a way that is indicative of an evasion attempt by malicious code. If an evasion attempt is detected, a notification is provided to a user and/or system administrator. Optionally, protective action is taken, such as saving a copy of the current process IAT to permit later analysis of the change.
Abstract:
Computer-implemented methods and systems for creating or updating approved-file and trusted-domain databases and verifying the legitimacy of files are disclosed. A method for creating or updating an approved-file database may comprise intercepting a first file, identifying a source domain associated with the first file, identifying a trusted-domain database, determining whether a database record for the source domain associated with the first file exists within the trusted-domain database, creating a hash value for the first file if a database record for the source domain associated with the first file exists within the trusted-domain database, and storing the hash value for the first file in an approved-file database. Methods and systems for verifying the legitimacy of a file and for creating or updating a trusted-domain database are also disclosed.
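An added Python example of the two databases described above (not the patent's code): an intercepted file is hashed and recorded in the approved-file database only when its source domain has a record in the trusted-domain database, and legitimacy is later verified by content hash alone. The domains, file bytes and in-memory tables are constructed.

```python
"""Approved-file and trusted-domain databases (added example, not the patent's
own code). Domains, file bytes and the in-memory tables are constructed."""
import hashlib


class ReputationStore:
    def __init__(self, trusted_domains=()):
        self.trusted_domains = {d.lower() for d in trusted_domains}
        self.approved_files = {}  # sha256 hex -> {"name": ..., "domain": ...}

    @staticmethod
    def file_hash(data):
        return hashlib.sha256(data).hexdigest()

    def add_trusted_domain(self, domain):
        """Create or update a trusted-domain record."""
        self.trusted_domains.add(domain.lower())

    def on_file_intercepted(self, name, data, source_domain):
        """Hash and approve the file only if its source domain is trusted.
        Returns the hash when approved, otherwise None."""
        domain = source_domain.lower()
        if domain not in self.trusted_domains:
            return None
        digest = self.file_hash(data)
        self.approved_files[digest] = {"name": name, "domain": domain}
        return digest

    def is_legitimate(self, data):
        """Verify a file later by content hash alone, independent of its name."""
        return self.file_hash(data) in self.approved_files


# Constructed file contents and domains.
INSTALLER = b"MZ\x90\x00constructed-installer-bytes-v1"
TAMPERED = INSTALLER + b"\x00injected"
TRUSTED = {"downloads.vendor.example"}
```

Because the approved-file record is keyed on the content hash, a renamed copy of an approved file still verifies and a single appended byte does not; the source domain is consulted only at the moment of interception, so the trust decision is made once, when provenance is still known.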