公开(公告)号：US08489931B2

公开(公告)日：2013-07-16

申请号：US13397670

申请日：2012-02-15

申请人： Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： G06F11/00

CPC分类号： G06F21/566 ,  G06F11/08 ,  G06F11/3688 ,  G06F2221/033 ,  G06N7/005 ,  H04L63/1425

摘要： Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.

摘要翻译： 提供了用于检测函数调用异常序列的方法，介质和系统。 该方法可以包括通过使用压缩模型来压缩由程序执行所产生的函数调用序列; 以及基于函数调用序列被压缩的程度来确定功能调用序列中函数调用的异常序列的存在。 所述方法还可以包括执行至少一个已知程序; 观察由所述至少一个已知节目的执行而进行的至少一个函数调用序列; 在由所述至少一个已知程序进行的所述至少一个功能调用序列中分配每种类型的功能调用唯一标识符; 以及通过记录至少一个唯一标识符序列来创建所述压缩模型的至少一部分。

公开(公告)号：US20110167493A1

公开(公告)日：2011-07-07

申请号：US12994550

申请日：2009-05-27

申请人： Yingbo Song ,  Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Yingbo Song ,  Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： G06F21/00

CPC分类号： H04L63/1425 ,  H04L63/1416 ,  H04L63/1466 ,  H04L67/02 ,  H04L69/16

摘要： Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

摘要翻译： 提供了检测网络异常的系统，方法和介质。 在一些实施例中，接收具有参数串的通信协议消息的训练数据集。 确定与每个参数串相关联的内容和结构，并且使用确定的每个参数串的内容和结构来训练概率模型。 接收具有通过计算机网络从第一处理器发送到第二处理器的参数串的通信协议消息。 将接收到的通信协议消息与概率模型进行比较，然后确定通信协议消息是否是异常的。

公开(公告)号：US20100011243A1

公开(公告)日：2010-01-14

申请号：US11785317

申请日：2007-04-17

申请人： Michael E. Locasto ,  Angelos D. Keromytis ,  Salvatore J. Stolfo ,  Angelos Stavrou ,  Gabriela Cretu ,  Stylianos Sidiroglou ,  Jason Nieh ,  Oren Laadan

发明人： Michael E. Locasto ,  Angelos D. Keromytis ,  Salvatore J. Stolfo ,  Angelos Stavrou ,  Gabriela Cretu ,  Stylianos Sidiroglou ,  Jason Nieh ,  Oren Laadan

IPC分类号： G06F11/14

CPC分类号： G06F11/1438

摘要： Methods, systems, and media for enabling a software application to recover from a fault condition, and for protecting a software application from a fault condition, are provided. In some embodiments, methods include detecting a fault condition during execution of the software application, restoring execution of the software application to a previous point of execution, the previous point of execution occurring during execution of a first subroutine in the software application, and forcing the first subroutine to forego further execution and return to a caller of the first subroutine.

摘要翻译： 提供了用于使软件应用程序从故障状态恢复并用于保护软件应用程序免受故障状况的方法，系统和媒体。 在一些实施例中，方法包括在执行软件应用期间检测故障状况，将软件应用程序的执行恢复到先前的执行点，在执行软件应用程序中的第一子程序期间发生的先前执行点，并强制执行 第一个子程序放弃进一步执行并返回第一个子程序的调用者。

公开(公告)号：US20090083855A1

公开(公告)日：2009-03-26

申请号：US12154405

申请日：2008-05-21

申请人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

发明人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

IPC分类号： G06F21/22 ,  G06F11/30

CPC分类号： G06F21/552 ,  H04L63/1416

摘要： A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.

摘要翻译： 公开了一种用于检测计算机系统操作中的入侵的方法，其包括从访问诸如Windows注册表的计算机的文件系统的正常进程的记录中收集特征，并且基于以下方式生成基于计算机系统的正常计算机系统使用的概率模型： 出现所述特征。 分析访问Windows注册表的进程记录的功能，以确定对Windows注册表的访问是否为异常。 公开了一种系统，其包括注册表审核模块，其被配置为收集关于访问所述Windows注册表的进程的记录; 模型生成器，其被配置为基于访问Windows注册表并且指示正常的计算机系统使用的多个进程的记录来生成正常计算机系统使用的概率模型; 以及配置为确定Windows注册表的访问是否是异常的模型比较器。

公开(公告)号：US07448084B1

公开(公告)日：2008-11-04

申请号：US10352343

申请日：2003-01-27

申请人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

发明人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

IPC分类号： G06F21/22 ,  G06F11/30

CPC分类号： G06F21/552 ,  H04L63/1416

摘要： A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.

摘要翻译： 公开了一种用于检测计算机系统操作中的入侵的方法，其包括从访问诸如Windows注册表的计算机的文件系统的正常进程的记录中收集特征，并且基于以下方式生成基于计算机系统的正常计算机系统使用的概率模型： 出现所述特征。 分析访问Windows注册表的进程记录的功能，以确定对Windows注册表的访问是否为异常。 公开了一种系统，其包括注册表审核模块，其被配置为收集关于访问所述Windows注册表的进程的记录; 模型生成器，其被配置为基于访问Windows注册表并且指示正常的计算机系统使用的多个进程的记录来生成正常计算机系统使用的概率模型; 以及配置为确定Windows注册表的访问是否是异常的模型比较器。

公开(公告)号：US07424619B1

公开(公告)日：2008-09-09

申请号：US10269694

申请日：2002-10-11

申请人： Wei Fan ,  Salvatore J. Stolfo

发明人： Wei Fan ,  Salvatore J. Stolfo

IPC分类号： G06F11/30 ,  G06F11/00 ,  G06F17/30 ,  H04L9/32 ,  H04L12/56 ,  H04L12/26 ,  H04L12/24 ,  G05B13/02

CPC分类号： H04L63/1425 ,  G06F21/552 ,  H04L41/16 ,  H04L43/00

摘要： In a method of generating an anomaly detection model for classifying activities of a computer system, using a training set of data corresponding to activity on the computer system, the training set comprising a plurality of instances of data having features, and wherein each feature in said plurality of features has a plurality of values. For a selected feature and a selected value of the selected feature, a quantity is determined which corresponds to the relative sparsity of such value. The quantity may correspond to the difference between the number occurrences of the selected value and the number of occurrences of the most frequently occurring value. These instances are classified as anomaly and added to the training set of normal data to generate a rule set or other detection model.

摘要翻译： 在产生用于对计算机系统的活动进行分类的异常检测模型的方法中，使用与计算机系统上的活动相对应的数据的训练集合，所述训练集合包括具有特征的多个数据实例，并且其中所述 多个特征具有多个值。 对于所选特征和所选特征的选定值，确定与该值相对稀疏度对应的数量。 数量可以对应于所选值的出现次数与最常发生值的出现次数之间的差异。 这些实例被分类为异常，并添加到正常数据的训练集中以生成规则集或其他检测模型。

公开(公告)号：US5920848A

公开(公告)日：1999-07-06

申请号：US10677

申请日：1998-01-22

申请人： Daniel Schutzer ,  William Hull Forster, Jr. ,  Huanrui Hu ,  Wenke Lee ,  Salvatore J. Stolfo ,  Wei Fan

发明人： Daniel Schutzer ,  William Hull Forster, Jr. ,  Huanrui Hu ,  Wenke Lee ,  Salvatore J. Stolfo ,  Wei Fan

IPC分类号： G06Q20/00 ,  G06Q20/10 ,  G06Q20/18 ,  G06Q40/00 ,  G06F17/60

CPC分类号： G06Q40/02 ,  G06Q20/10 ,  G06Q20/108 ,  G06Q20/18 ,  G06Q40/128

摘要： The present invention relates to the use of computerized intelligent agents to facilitate the integration of networked performance of financial transactions with computerized methods of financial accounting. Incorporated into this combined financial transaction/financial accounting system are intelligent agents that automatically analyze the system information to provide users with financial advice. This invention permits the automated performance on-line of a wide variety of financial transactions and integrates these transactions with computerized financial accounting. All of this information is collated and analyzed automatically by intelligent agents, which generate user-specific financial reports, profiles, and advice, and under appropriate conditions take action.

摘要翻译： 本发明涉及使用计算机智能代理来促进金融交易的联网绩效与计算机化的财务会计方法的整合。 并入该组合的金融交易/财务会计系统是智能代理，可自动分析系统信息，为用户提供财务咨询。 本发明允许在线进行各种金融交易的自动化表现，并将这些交易与计算机化的财务会计相结合。 所有这些信息都由智能代理自动整理和分析，这些代理生成用户特定的财务报告，配置文件和建议，并在适当的条件下采取行动。

公开(公告)号：US5717915A

公开(公告)日：1998-02-10

申请号：US610639

申请日：1996-03-04

申请人： Salvatore J. Stolfo ,  Mauricio A. Hernandez

发明人： Salvatore J. Stolfo ,  Mauricio A. Hernandez

IPC分类号： G06F7/14 ,  G06F7/32 ,  G06F17/30 ,  G06F7/06 ,  G06F7/20

CPC分类号： G06F7/14 ,  G06F17/30256 ,  G06F17/30489 ,  G06F7/32 ,  Y10S707/99935 ,  Y10S707/99937

摘要： The semantic integration problem for merging multiple databases of very large size, the merge/purge problem, can be solved by multiple runs of the sorted neighborhood method or the clustering method with small windows followed by the computation of the transitive closure over the results of each run. The sorted neighborhood method works well under this scheme but is computationally expensive due to the sorting phase. An alternative method based on data clustering that reduces the complexity to linear time making multiple runs followed by transitive closure feasible and efficient. A method is provided for identifying duplicate records in a database, each record having at least one field and a plurality of keys, including the steps of sorting the records according to a criteria applied to a first key; comparing a number of consecutive sorted records to each other, wherein the number is less than a number of records in said database and identifying a first group of duplicate records; storing the identity of the first group; sorting the records according to a criteria applied to a second key; comparing a number of consecutive sorted records to each other, wherein the number is less than a number of records in said database and identifying a second group of duplicate records; storing the identity of the second group; and subjecting the union of the first and second groups to transitive closure.

公开(公告)号：US5668897A

公开(公告)日：1997-09-16

申请号：US488333

申请日：1995-06-07

申请人： Salvatore J. Stolfo

发明人： Salvatore J. Stolfo

IPC分类号： G06F17/30 ,  G06K9/00 ,  G06K9/36

CPC分类号： G06F17/30595 ,  G06F17/30247 ,  G06F17/30256 ,  G06K9/00 ,  G06K2209/015

摘要： A method for processing an image, consisting of a foreground and a background, to produce a highly compressed and accurate representation of the image, including the steps of scanning the image to create a digital image of the image, comparing the digital image against a codebook of stored digital images; matching the digital image with one of the stored digital images of the codebook; producing an index code identifying the background of the stored digital image as having matched the digital image; subtracting the stored digital image from the digital image to produce a second digital image representing the foreground of the stored digital image; and storing the second digital image with the index code. Techniques are also provided to enable merge/purge of the database(s) thereby created.

摘要翻译： 一种用于处理由前景和背景组成的图像以产生图像的高度压缩和精确表示的方法，包括扫描图像以创建图像的数字图像的步骤，将数字图像与码本进行比较 存储的数字图像; 将数字图像与码本的所存储的数字图像之一进行匹配; 产生将所存储的数字图像的背景识别为与数字图像相匹配的索引码; 从数字图像中减去所存储的数字图像，以产生表示所存储的数字图像的前景的第二数字图像; 并存储具有索引码的第二数字图像。 还提供了技术来使得能够合并/清除由此创建的数据库。

公开(公告)号：US10476908B2

公开(公告)日：2019-11-12

申请号：US15233563

申请日：2016-08-10

申请人： Salvatore J. Stolfo ,  Carl Sable

发明人： Salvatore J. Stolfo ,  Carl Sable

IPC分类号： H04L29/06 ,  G06F17/27 ,  G06N20/00 ,  G06F17/22 ,  G06N7/00

摘要： A system that generates decoy emails and documents by automatically detecting concepts such as dates, times, people, and locations in e-mails and documents, and shifting those concepts. The system may also generate an email or document reciting a URL associated with a fake website and purported login credentials for the fake website. The system may send an alert to a user of the system when someone seeks to access the fake website.