Abstract:
A computer-implemented method for detecting man-in-the-browser attacks may include identifying a transaction fingerprint associated with a web site. The method may also include tracking a user's input to the web site. The user's input may be received through a web browser. The method may further include intercepting an outgoing submission to the web site. The method may additionally include determining whether, in light of the transaction fingerprint, the user's input generated the outgoing submission. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
An execution environment of a computer computes an initial effective permissions set for managed code based on user identity evidence, code evidence and/or a security policy and executes the code with this permissions set. If the managed code requests a data access, the execution environment considers data evidence that indicates the trustworthiness of the requested data. The data evidence can be based on the source of the data, the location of the data, the content of the data itself, or other factors. The execution environment computes a new effective permissions set for the managed code based on the data evidence and the security policy. This new effective permissions set is applied to the managed code while the code accesses the data. The execution environment restores the initial permissions set once the managed code completes the data access.
Abstract:
Method and apparatus for host authentication in a network implementing network access control is described. In an example, a network access control (NAC) server receives network address requests from hosts on a network. If a host is compliant with an established security policy, the NAC server determines a unique indicium for the host and records the unique indicium along with a network address leased to the host by a dynamic host configuration protocol (DHCP) server. When a host requests access to a resource on the network, the host is authenticated by determining whether its asserted network address is valid. If valid, a pre-computed unique indicium for that address is obtained and compared with a unique indicium for the host. If the indicia match, the host is allowed access to the resource. Otherwise, the host is blocked from access to the resource.
Abstract:
A method and apparatus for providing information associated with service providers using a social network is described. In one embodiment, a method of providing indicia of familiarity with the service providers comprises identifying one or more relationships between one or more service providers and a user using a social network associated with the user and generating information regarding the one or more relationships, wherein the information comprises a social distance between the user and each service provider of the one or more service providers where the social distance represents an indicia of familiarity between the user and each service provider of the one or more service providers.
Abstract:
A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors is created for a set of training files with known classification. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied, then the node is set as a leaf node. Otherwise, the node is set as a branch node and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors is split into subsets based on their attribute values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.
Abstract:
Computers are monitored for malware communicating directly with the NIC. The infection of computers with NIC level malware is detected. Operating system level network packet transmission statistics are monitored, as are transmission counters maintained by the NIC. The operating system level transmission statistics are compared to the NIC level transmission counters for a given period of time. If the NIC counters indicate the occurrence of a greater number of transmissions than is indicated by the operating system level statistics, it is concluded that the computer is infected with NIC level malware.
Abstract:
A computer has a hypervisor that supervises a virtual machine. The virtual machine includes a guest security module that enforces a security policy on network traffic entering and exiting the virtual machine. Malicious software (malware) uses stealth network communications to avoid the guest security module and attempts to communicate with its home base. A security module within the hypervisor has access to all network communications entering and exiting the computer. The security module communicates with the guest security module to identify communications of which the guest security module is aware. The security module analyzes the network communications for the computer to identify a stealth network communication of which the guest security module is unaware. The security module alters the stealth network communication, thereby preventing the malware from communicating with its home base.
Abstract:
A template is received, the template comprising information describing an expected file system state. A discrepancy detection module compares an expected file system state from the template with an actual or requested state of the file system of a computer. If discrepancies between the expected state and the actual or requested file system state are detected, then an action is performed to respond to the discrepancy.
Abstract:
A computer-implemented method for storing information that identifies the state of health of a computing system at the time a backup of the computing system is created may comprise: 1) identifying a backup of the computing system, 2) performing an evaluation of the computing system's health, and then 3) storing health information that identifies the state of health of the computing system when the backup was created as metadata to the backup. Similarly, a method for determining whether to restore a backup of a computing system based on health information may comprise: 1) identifying a backup of the computing system, 2) identifying health information stored as metadata to the backup that identifies the state of health of the computing system when the backup was created, and 3) determining, based on the health information, whether to restore the backup. Corresponding systems and computer-readable media are also disclosed.
Abstract:
A method and system detect buffer overflows and RLIBC attacks by determining if a critical call initiating function is a “potential threat”. In one embodiment, a critical call initiating function is considered a potential threat if the value of the return address of the critical call initiating function points to a location in memory between the location of the highest Thread Environment Block (TEB) or Process Environment Block (PEB) and the location of the lowest Thread Environment Block (TEB) or PEB. In another embodiment, a critical call initiating function making a call to a predefined critical operating system function is considered a potential threat if the value of the return address of the critical call initiating function points to the beginning of a new function with a zero offset.