公开(公告)号：US20130305098A1

公开(公告)日：2013-11-14

申请号：US13942632

申请日：2013-07-15

申请人： Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： G06F11/36

CPC分类号： G06F21/566 ,  G06F11/08 ,  G06F11/3688 ,  G06F2221/033 ,  G06N7/005 ,  H04L63/1425

摘要： Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.

摘要翻译： 提供了用于检测函数调用异常序列的方法，介质和系统。 该方法可以包括通过使用压缩模型来压缩由程序执行所产生的函数调用序列; 以及基于函数调用序列被压缩的程度来确定功能调用序列中函数调用的异常序列的存在。 所述方法还可以包括执行至少一个已知程序; 观察由所述至少一个已知节目的执行而进行的至少一个函数调用序列; 在由所述至少一个已知程序进行的所述至少一个功能调用序列中分配每种类型的功能调用唯一标识符; 以及通过记录至少一个唯一标识符序列来创建所述压缩模型的至少一部分。

公开(公告)号：US20120151270A1

公开(公告)日：2012-06-14

申请号：US13301741

申请日：2011-11-21

申请人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Stylianos Sidiroglou

发明人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Stylianos Sidiroglou

IPC分类号： G06F11/00

CPC分类号： G06F11/0772 ,  G06F11/0718 ,  G06F11/0751 ,  G06F11/079 ,  G06F11/3652

摘要： Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.

摘要翻译： 提供了用于检测异常程序执行的方法，介质和系统。 在一些实施例中，提供了用于检测异常程序执行的方法，包括：在仿真器中执行程序的至少一部分; 将在仿真器中产生的函数调用与所述程序的至少一部分的函数调用模型进行比较; 并根据比较将功能调用识别为异常。 在一些实施例中，提供了用于检测异常程序执行的方法，包括：修改程序以包括程序执行期间进行的程序级函数调用的指示; 将在仿真器中进行的程序级功能调用的至少一个指标与所述程序的至少一部分的函数调用模型进行比较; 以及基于所述比较，将与所述至少一个所述指示符相对应的功能调用识别为异常。

公开(公告)号：US20110167494A1

公开(公告)日：2011-07-07

申请号：US12982984

申请日：2010-12-31

申请人： Brian M. Bowen ,  Pratap V. Prabhu ,  Vasileios P. Kemerlis ,  Stylianos Sidiroglou ,  Salvatore J. Stolfo ,  Angelos D. Keromytis

发明人： Brian M. Bowen ,  Pratap V. Prabhu ,  Vasileios P. Kemerlis ,  Stylianos Sidiroglou ,  Salvatore J. Stolfo ,  Angelos D. Keromytis

IPC分类号： G06F21/00

CPC分类号： G06F21/56 ,  G06F21/566 ,  G06F21/577 ,  H04L63/1441 ,  H04L63/1491

摘要： Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

摘要翻译： 提供了用于检测隐蔽恶意软件的方法，系统和媒体。 根据一些实施例，提供了一种用于在计算环境中检测隐匿恶意软件的方法，所述方法包括：在所述计算环境之外生成模拟用户活动; 将所述模拟用户活动传达到所述计算环境内的应用; 以及确定是否已经被未经授权的实体访问与所述模拟用户活动相对应的诱饵。

公开(公告)号：US20100077483A1

公开(公告)日：2010-03-25

申请号：US12565394

申请日：2009-09-23

申请人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Brian M. Bowen ,  Shlomo Hershkop ,  Vasileios P. Kemerlis ,  Pratap V. Prabhu ,  Malek Ben Salem

发明人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Brian M. Bowen ,  Shlomo Hershkop ,  Vasileios P. Kemerlis ,  Pratap V. Prabhu ,  Malek Ben Salem

IPC分类号： G06F11/00

CPC分类号： G06F21/554 ,  G06F21/552 ,  G06F21/566 ,  G06F2221/034 ,  G06F2221/2123 ,  H04L63/1466

摘要： Methods, systems, and media for providing trap-based defenses are provided. In accordance with some embodiments, a method for providing trap-based defenses is provided, the method comprising: generating decoy information based at least in part on actual information in a computing environment, wherein the decoy information is generated to comply with one or more document properties; embedding a beacon into the decoy information; and inserting the decoy information with the embedded beacon into the computing environment, wherein the embedded beacon provides a first indication that the decoy information has been accessed by an attacker and wherein the embedded beacon provides a second indication that differentiates between the decoy information and the actual information.

摘要翻译： 提供了用于提供基于陷阱的防御的方法，系统和媒体。 根据一些实施例，提供了一种用于提供基于陷阱的防御的方法，所述方法包括：至少部分地基于计算环境中的实际信息生成诱饵信息，其中所述诱饵信息被生成以符合一个或多个文档 属性; 将信标嵌入诱饵信息中; 以及将具有所嵌入的信标的诱饵信息插入所述计算环境中，其中所述嵌入式信标提供所述诱饵信息已被攻击者访问的第一指示，并且其中所述嵌入信标提供区分所述诱饵信息和所述实际信息之间的第二指示 信息。

公开(公告)号：US20090241191A1

公开(公告)日：2009-09-24

申请号：US12302774

申请日：2007-05-31

申请人： Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： G06F15/173 ,  G06F21/00

CPC分类号： H04L63/1491 ,  H04L43/0876 ,  H04L51/22 ,  H04L63/1408 ,  H04L63/145

摘要： Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information.

摘要翻译： 提供了用于生成基于陷阱的防御的诱饵信息的系统，方法和媒体。 在一些实施例中，用于产生用于基于陷阱的防御的诱饵信息的方法包括：记录网络的历史信息; 翻译历史信息; 并通过定制翻译的历史信息产生诱饵信息。

公开(公告)号：US20150186647A1

公开(公告)日：2015-07-02

申请号：US14634101

申请日：2015-02-27

申请人： Salvatore J. Stolfo ,  Ke Wang ,  Janak Parekh

发明人： Salvatore J. Stolfo ,  Ke Wang ,  Janak Parekh

IPC分类号： G06F21/56

CPC分类号： G06F21/56 ,  G06F21/564 ,  G06F2221/034 ,  H04L63/1416 ,  H04L63/1425

摘要： Systems, methods, and media for outputting data based on anomaly detection are provided. In some embodiments, a method for outputting data based on anomaly detection is provided, the method comprising: receiving, using a hardware processor, an input dataset; identifying grams in the input dataset that substantially include distinct byte values; creating an input subset by removing the identified grams from the input dataset; determining whether the input dataset is likely to be anomalous based on the identified grams, and determining whether the input dataset is likely to be anomalous by applying the input subset to a binary anomaly detection model to check for an n-gram in the input subset; and outputting the input dataset based on the likelihood that the input dataset is anomalous.

摘要翻译： 提供了基于异常检测输出数据的系统，方法和媒体。 在一些实施例中，提供了一种用于基于异常检测输出数据的方法，所述方法包括：使用硬件处理器接收输入数据集; 识别基本上包含不同字节值的输入数据集中的克数; 通过从输入数据集中移除所识别的克来创建输入子集; 基于所识别的克确定输入数据集是否可能是异常的，并且通过将输入子集应用于二进制异常检测模型来确定输入数据集是否可能是异常的，以检查输入子集中的n-gram; 并且基于输入数据集是异常的可能性来输出输入数据集。

公开(公告)号：US20090193293A1

公开(公告)日：2009-07-30

申请号：US12280970

申请日：2007-02-28

申请人： Salvatore J. Stolfo ,  Ke Wang ,  Janak Parekh

发明人： Salvatore J. Stolfo ,  Ke Wang ,  Janak Parekh

IPC分类号： G06F11/00

CPC分类号： G06F21/56 ,  G06F21/564 ,  G06F2221/034 ,  H04L63/1416 ,  H04L63/1425

摘要： Systems, methods, and media for outputting data based on anomaly detection are provided. In some embodiments, methods for outputting data based on anomaly detection include: receiving a known-good dataset; storing distinct n-grams from the known-good dataset to form a binary anomaly detection model; receiving known-good new n-grams; computing a rate of receipt of distinct n-grams in the new n-grams; determining whether further training of the anomaly detection model is necessary based on the rate of receipt on distinct n-grams; using the binary anomaly detection model to determine whether an input dataset contains an anomaly; and outputting the input dataset based on whether the input dataset contains an anomaly.

摘要翻译： 提供了基于异常检测输出数据的系统，方法和媒体。 在一些实施例中，用于基于异常检测输出数据的方法包括：接收已知的数据集; 从已知的数据集中存储不同的n-gram，形成二进制异常检测模型; 接收已知好的新n克; 计算在新的n克中收到不同n克的比率; 根据不同n-gram的收货率确定是否需要进一步训练异常检测模型; 使用二进制异常检测模型来确定输入数据集是否包含异常; 以及基于输入数据集是否包含异常来输出输入数据集。

公开(公告)号：US20150058981A1

公开(公告)日：2015-02-26

申请号：US13891031

申请日：2013-05-09

申请人： Salvatore J. Stolfo ,  Ke Wang ,  Janak Parekh

发明人： Salvatore J. Stolfo ,  Ke Wang ,  Janak Parekh

IPC分类号： H04L29/06

CPC分类号： G06F21/56 ,  G06F21/564 ,  G06F2221/034 ,  H04L63/1416 ,  H04L63/1425

摘要： Systems, methods, and media for outputting data based on anomaly detection are provided. In some embodiments, a method for outputting data based on anomaly detection is provided, the method comprising: receiving, using a hardware processor, an input dataset; identifying grams in the input dataset that substantially include distinct byte values; creating an input subset by removing the identified grams from the input dataset; determining whether the input dataset is likely to be anomalous based on the identified grams, and determining whether the input dataset is likely to be anomalous by applying the input subset to a binary anomaly detection model to check for an n-gram in the input subset; and outputting the input dataset based on the likelihood that the input dataset is anomalous.

摘要翻译： 提供了基于异常检测输出数据的系统，方法和媒体。 在一些实施例中，提供了一种用于基于异常检测输出数据的方法，所述方法包括：使用硬件处理器接收输入数据集; 识别基本上包含不同字节值的输入数据集中的克数; 通过从输入数据集中移除所识别的克来创建输入子集; 基于所识别的克确定输入数据集是否可能是异常的，并且通过将输入子集应用于二进制异常检测模型来确定输入数据集是否可能是异常的，以检查输入子集中的n-gram; 并且基于输入数据集是异常的可能性来输出输入数据集。

公开(公告)号：US20150058982A1

公开(公告)日：2015-02-26

申请号：US13987690

申请日：2013-08-20

申请人： Eleazar Eskin ,  Andrew Arnold ,  Michael Prerau ,  Leonid Portnoy ,  Salvatore J. Stolfo

发明人： Eleazar Eskin ,  Andrew Arnold ,  Michael Prerau ,  Leonid Portnoy ,  Salvatore J. Stolfo

IPC分类号： H04L29/06

CPC分类号： H04L63/1425 ,  G06F17/30914

摘要： A method for unsupervised anomaly detection, which are algorithms that are designed to process unlabeled data. Data elements are mapped to a feature space which is typically a vector space d. Anomalies are detected by determining which points lies in sparse regions of the feature space. Two feature maps are used for mapping data elements to a feature apace. A first map is a data-dependent normalization feature map which we apply to network connections. A second feature map is a spectrum kernel which we apply to system call traces.

摘要翻译： 一种用于无监督异常检测的方法，它们是用于处理未标记数据的算法。 数据元素被映射到通常是向量空间d的特征空间。 通过确定哪些点位于特征空间的稀疏区域来检测异常。 两个特征图用于将数据元素映射到特征空间。 第一张地图是我们适用于网络连接的依赖于数据的规范化特征图。 第二个特征图是我们应用于系统调用轨迹的频谱内核。

公开(公告)号：US08769684B2

公开(公告)日：2014-07-01

申请号：US12628587

申请日：2009-12-01

申请人： Salvatore J. Stolfo ,  Malek Ben Salem ,  Shlomo Hershkop

发明人： Salvatore J. Stolfo ,  Malek Ben Salem ,  Shlomo Hershkop

IPC分类号： G06F21/00 ,  G06F21/55 ,  G06F21/50 ,  H04L29/06 ,  G06F21/56

CPC分类号： H04L63/1416 ,  G06F21/50 ,  G06F21/55 ,  G06F21/552 ,  G06F21/554 ,  G06F21/566 ,  H04L29/06884 ,  H04L29/06897 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/1491

摘要： Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.

摘要翻译： 提供了通过监控计算机用户行为进行伪装攻击检测的方法，系统和媒体。 根据一些实施例，提供了一种用于检测伪装攻击的方法，所述方法包括：在计算环境中监视第一多个用户动作和诱捕信息的访问; 为包括所述第一多个用户动作中的至少一个的类别生成用户意图模型; 监视第二多个用户动作; 通过确定与所生成的用户意图模型的偏差来比较第二多个用户动作与用户意图模型; 至少部分地基于所述比较来识别所述第二多个用户动作是否是伪装攻击; 以及响应于识别所述第二多个用户动作是所述伪装攻击而响应于响应于确定所述第二多个用户动作包括访问所述计算环境中的诱饵信息而产生警报。