DETECTING NETWORK ANOMALIES BY PROBABILISTIC MODELING OF ARGUMENT STRINGS WITH MARKOV CHAINS

    Publication number: US20190182279A1

    Publication date: 2019-06-13

    Application number: US16046528

    Filing date: 2018-07-26

    IPC classification: H04L29/06 H04L29/08

    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

    63. SYSTEMS, METHODS, AND MEDIA FOR OUTPUTTING DATA BASED UPON ANOMALY DETECTION
    Published application; status: pending (published)

    Publication number: US20150058981A1

    Publication date: 2015-02-26

    Application number: US13891031

    Filing date: 2013-05-09

    IPC classification: H04L29/06

    Abstract: Systems, methods, and media for outputting data based on anomaly detection are provided. In some embodiments, a method for outputting data based on anomaly detection is provided, the method comprising: receiving, using a hardware processor, an input dataset; identifying grams in the input dataset that substantially include distinct byte values; creating an input subset by removing the identified grams from the input dataset; determining whether the input dataset is likely to be anomalous based on the identified grams, and determining whether the input dataset is likely to be anomalous by applying the input subset to a binary anomaly detection model to check for an n-gram in the input subset; and outputting the input dataset based on the likelihood that the input dataset is anomalous.

    64. SYSTEMS, METHODS, AND MEDIA FOR DETECTING NETWORK ANOMALIES
    Published application; status: pending (published)

    Publication number: US20140373150A1

    Publication date: 2014-12-18

    Application number: US14476142

    Filing date: 2014-09-03

    IPC classification: H04L29/06 H04L29/08

    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

    65. Methods, media, and systems for detecting attack on a digital processing device
    Granted patent; status: in force

    Publication number: US08789172B2

    Publication date: 2014-07-22

    Application number: US12406814

    Filing date: 2009-03-18

    IPC classification: G06F11/00

    Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.

    66. System and methods for adaptive model generation for detecting intrusion in computer systems
    Published application; status: in force

    Publication number: US20130031633A1

    Publication date: 2013-01-31

    Application number: US13573314

    Filing date: 2012-09-10

    IPC classification: G06F21/00

    Abstract: A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.

    67. METHODS, MEDIA, AND SYSTEMS FOR DETECTING AN ANOMALOUS SEQUENCE OF FUNCTION CALLS
    Published application; status: in force

    Publication number: US20120144484A1

    Publication date: 2012-06-07

    Application number: US13397670

    Filing date: 2012-02-15

    IPC classification: G06F21/00

    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.

    68. Methods, media, and systems for detecting an anomalous sequence of function calls
    Granted patent; status: in force

    Publication number: US08135994B2

    Publication date: 2012-03-13

    Application number: US12447946

    Filing date: 2007-10-30

    IPC classification: G06F11/00

    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.

    70. Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems
    Published application; status: in force

    Publication number: US20100281542A1

    Publication date: 2010-11-04

    Application number: US12837302

    Filing date: 2010-07-15

    IPC classification: G06F11/00 G06F15/16

    CPC classification: H04L63/1408

    Abstract: Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
