Abstract:
A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
Abstract:
An application development platform enables applications to be created easily for, e.g., mobile devices that have short-range wireless communication capability. The development platform exposes a carefully chosen core set of services through an API. Each of the applications can broadcast its services to local and remote devices. Message delivery between devices is guaranteed even for messages that cannot be delivered directly by local short-range wireless transmission. Message delivery through other channels, including the Internet, can occur transparently to the user. Each device can be associated with an “owner”, which can be a person or an entity. Services can be customized to the owner based on stored information that maps owners to devices. Information associated with each of the owners of devices can be stored centrally and used in connection with providing the services at each of the mobile devices. Virtual GPS capabilities can be provided for mobile devices that do not have GPS chips.
Abstract:
A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
Abstract:
A system and methods of monitoring sequences of operations in a process running on a computer system. A probabilistic detection model is defined which is configured to determine a predictive probability of an occurrence of a final operation in the sequence of operations that is conditional on a calculated number of previous operations in the sequence of operations. The probabilistic detection model is trained from a plurality of predetermined sequences of operations to calculate the number of previous operations evaluated in the probabilistic detection model. The predictive probability for the final operation in the sequence of operations is determined by using the probabilistic detection model. If the predictive probability is below a predetermined threshold, the sequence of operations is identified as an intrusion. The probabilistic detection model may use sparse distribution trees to generate a model which determines the optimal number of previous operations to be evaluated (i.e., the window size) and position of wildcards. The system and methods may be used to monitor sequences of system calls, application function calls, and machine code instructions, for example.
Abstract:
A method for unsupervised anomaly detection, i.e., algorithms designed to process unlabeled data. Data elements are mapped to a feature space, which is typically a vector space ℝ^d. Anomalies are detected by determining which points lie in sparse regions of the feature space. Two feature maps are used for mapping data elements to a feature space. A first map is a data-dependent normalization feature map which we apply to network connections. A second feature map is a spectrum kernel which we apply to system call traces.
Abstract:
A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the file system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.