Abstract:
A software module at an e-mail gateway server scans incoming e-mail messages suspected of being phishing messages and inserts a script program into the head or body of the message in HTML form. The message is converted into an HTML document if necessary. The script program is written in a language such as VBScript, JScript, ECMAScript or JavaScript and can be run in a browser. The modified message is delivered to the recipient. When the e-mail client software on the user's desktop encounters the HTML content, a browser starts up and the script program is executed by the browser. The script program can then take any action necessary to counter any hostile content of the message, such as providing a warning message, comparing hyperlinks, intercepting a redirect request, warning about suspect attachments, etc.
Abstract:
The present application describes an anti-virus network system and method that guarantees a maximum scan delay for streaming data. The maximum scan period can be predetermined or dynamically calculated. The time to scan an incoming data stream is estimated and compared against the maximum scan time. If the estimated scan time does not exceed the maximum scan time, the incoming data stream is scanned for computer viruses; otherwise the data stream is transmitted without the virus scan.
Abstract:
An agent on an endpoint computer computes a locality-sensitive hash value for an API call sequence of an executing process. This value is sent to a cloud computer which includes an API call sequence blacklist database of locality-sensitive hash values. A search of the database's balanced tree structure is performed using the received hash value, and a match is determined based upon whether a metric distance is under or above a distance threshold. The received value may also be compared to a white list of locality-sensitive hash values. Attribute values of the executing process are also received from the endpoint computer and may be used to inform whether or not the executing process is deemed to be malicious. An indication of malicious or not is returned to the endpoint computer and, if malicious, the process may be terminated and its subject file deleted.
Abstract:
A user is provisioned for a Web service by supplying a user name and password. A digital certificate and VPN identifier are generated and downloaded to the user's computer. The VPN identifier and user identifier are stored into a database. The user accesses the Web service and establishes a VPN using the certificate and VPN identifier. A user identifier, user name or user password is not required. A gateway computer uses the VPN identifier to access the database previously established during the provisioning session to retrieve the user identifier. Retrieval of the user identifier validates that the computing device is authorized to use the Web service. The gateway computer stores the client IP address and a mapping to the user identifier into a database. A proxy server retrieves the user identifier from the database using the IP address and includes the user identifier in Web traffic for a remote computer.
Abstract:
A virtual machine is used to perform a raw scan for evasive malware on a host computer without requiring an interrupt or restart of a host operating system. An antivirus program installs a raw scanner virtual machine. The raw scanner virtual machine is triggered to scan files and memory for malware. The raw scan results are collected by the antivirus program for analysis, such as for use in generating a report or for removal of malware. The memory and files of the host are mapped to a guest space of the virtual machine.
Abstract:
Known malicious Android applications are collected and their functions are extracted. Similarity values are calculated between pairs of functions and those functions with a low similarity value are grouped together and assigned a unique similarity identifier. A common set of functions or common set of similarity identifiers are identified within the applications. If at least one function in the common set is determined to be malicious then the common set is added to a blacklist database either by adding functions or by adding similarity identifiers. To classify an unknown Android application, first the functions in the application are extracted. These functions are then compared to the set of functions identified in the blacklist database. If each function in the set of functions is present (either by matching or by similarity) in the group of extracted functions from the unknown application then the unknown application is classified as malicious.
Abstract:
Operating system events are monitored and a file change request of a process is detected. If the process is suspicious, then the file to be changed is backed up and then the process is allowed to change the file as requested. If it is later determined that the process is ransomware, the process is blocked and further file backups are halted. The original file is recovered and the encrypted file is discarded. If it is later determined that the process is not malicious, then further file backups are halted. Any backup files are discarded. Ransomware may be detected by comparing a file extension of the process with file extensions of any files requested to be changed, by comparing file extensions of any files requested to be changed, or by an analysis of behavior of the process itself.
Abstract:
A central computer of a telecommunications company handles an incoming call from a caller. The telephone number of the caller is checked against a white list or blacklist and handled accordingly. If the caller is unknown, a question is played to the caller (optionally selected randomly) along with a number of possible answers. The answers are presented randomly, associated with random identifiers, etc. If the caller selects the correct answer, the call is routed to the receiver's telephone. If not, the call is terminated or another action is taken as specified. The incoming call may also be handled by a mobile telephone or computing device at the user's home or business. The mobile telephone may alert the user when answering the incoming call or wait until the question is answered correctly before ringing the telephone.
Abstract:
A binary application suitable for the .Net framework is disassembled into human readable code. Alternatively, CIL or MSIL code is obtained. The methods are put into a representation indicating which methods of the code call other methods. A source method call chain having a source API and a sink method call chain having a sink API are discerned from the representation. APIs are put into the same format as the methods to allow matching. A method in common between the two call chains indicates that a privacy leak exists. The application is downloaded from a remote server to a computing device where the analysis occurs.