Abstract:
Methods, systems and media for evaluating layered computer security products are provided. In some embodiments, the method comprises: (a) identifying portions of attack data associated with an attack; (b) linking the portions of attack data; (c) testing security products using the linked attack data, at least two of the security products using different portions of the linked attack data; (d) storing the results of the testing; (e) repeating (a)-(d) for multiple attacks; receiving information identifying a subset of the security products from a remote computing device; identifying a first set of detected attacks for each of the plurality of security products using the stored results; determining a number of attacks in a union of each of the first sets of identified attacks; determining a detection rate for the identified security products based on the union and the number of tested attacks; and causing the detection rate to be presented.
Abstract:
A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at a computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.
Abstract:
Methods, media, and systems for detecting attacks are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: arbitrarily selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.
Abstract:
A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
Abstract:
A method, apparatus and medium are provided for detecting anomalous payloads transmitted through a network. The system receives payloads within the network and determines a length for data contained in each payload. A statistical distribution is generated for data contained in each payload received within the network, and compared to a selected model distribution representative of normal payloads transmitted through the network. The model payload can be selected such that it has a predetermined length range that encompasses the length for data contained in the received payload. Anomalous payloads are then identified based on differences detected between the statistical distribution of received payloads and the model distribution. The system can also provide for automatic training and incremental updating of models.
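The payload-anomaly scheme just described (a byte-value distribution per payload-length range, compared against a model of normal traffic, with incremental updating) can be shown concretely. The following is an added example written for this page, not code from the patent or its assignee: it assumes payloads are raw `bytes`, buckets the model by payload length with a hypothetical `bucket_size` parameter, and uses a simplified Mahalanobis-style distance with a small smoothing constant so that bytes never seen in training are penalised rather than dividing by zero. The training requests and the binary test payload are constructed for the example.

```python
"""PAYL-style payload anomaly detection (added example, not the patent's code).

Assumptions: payloads are bytes; models are kept per length bucket
(length // bucket_size); the anomaly score is the sum over all 256 byte
values of |freq - mean| / (std + SMOOTHING), a simplified Mahalanobis distance.
"""
import math
from collections import defaultdict

SMOOTHING = 0.001  # constructed constant: keeps unseen bytes from dividing by zero


def byte_frequency(payload: bytes) -> list:
    """Relative frequency of each of the 256 possible byte values."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class PayloadModel:
    """Per-length-bucket running mean/variance of byte frequencies.

    Sums and sums of squares are kept so the model can be updated
    incrementally as new normal payloads arrive.
    """

    def __init__(self, bucket_size: int = 256):
        self.bucket_size = bucket_size
        self.n = defaultdict(int)
        self.sum = defaultdict(lambda: [0.0] * 256)
        self.sumsq = defaultdict(lambda: [0.0] * 256)

    def _bucket(self, payload: bytes) -> int:
        return len(payload) // self.bucket_size

    def train(self, payload: bytes) -> None:
        """Incrementally fold one normal payload into its length bucket."""
        k = self._bucket(payload)
        f = byte_frequency(payload)
        self.n[k] += 1
        for i in range(256):
            self.sum[k][i] += f[i]
            self.sumsq[k][i] += f[i] * f[i]

    def distance(self, payload: bytes):
        """Distance from the model of this payload's length bucket; None if untrained."""
        k = self._bucket(payload)
        n = self.n[k]
        if n == 0:
            return None
        f = byte_frequency(payload)
        d = 0.0
        for i in range(256):
            mean = self.sum[k][i] / n
            var = max(self.sumsq[k][i] / n - mean * mean, 0.0)
            d += abs(f[i] - mean) / (math.sqrt(var) + SMOOTHING)
        return d

    def is_anomalous(self, payload: bytes, threshold: float) -> bool:
        d = self.distance(payload)
        return d is not None and d > threshold


TRAINING = [  # constructed benign HTTP requests (all under 256 bytes, so one bucket)
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 9\r\n\r\nuser=anna",
    b"GET /news/2024/01 HTTP/1.1\r\nHost: www.example.test\r\nAccept: text/html\r\n\r\n",
]


def demo() -> dict:
    """Train on the constructed requests and score a benign and a binary payload."""
    model = PayloadModel(bucket_size=256)
    for p in TRAINING:
        model.train(p)
    benign = b"GET /contact.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    # Constructed non-text payload: 80 bytes spread across the whole byte range.
    attack = bytes((i * 37 + 11) % 256 for i in range(80))
    # Threshold derived from the training data itself (twice the worst self-score).
    threshold = 2 * max(model.distance(p) for p in TRAINING)
    return {
        "benign": model.distance(benign),
        "attack": model.distance(attack),
        "threshold": threshold,
        "attack_flagged": model.is_anomalous(attack, threshold),
    }


if __name__ == "__main__":
    print(demo())
```

The threshold here is set from the training set's own worst score; in practice it is tuned per length bucket against a validation set, and the per-bucket sums make the "incremental updating" in the abstract a matter of calling `train` on newly confirmed normal traffic.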
Abstract:
A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.
Abstract:
A system and methods are provided for monitoring sequences of operations in a process running on a computer system. A probabilistic detection model is defined which is configured to determine a predictive probability of an occurrence of a final operation in the sequence of operations that is conditional on a calculated number of previous operations in the sequence of operations. The probabilistic detection model is trained from a plurality of predetermined sequences of operations to calculate the number of previous operations evaluated in the probabilistic detection model. The predictive probability for the final operation in the sequence of operations is determined by using the probabilistic detection model. If the predictive probability is below a predetermined threshold, the sequence of operations is identified as an intrusion. The probabilistic detection model may use sparse distribution trees to generate a model which determines the optimal number of previous operations to be evaluated (i.e., the window size) and position of wildcards. The system and methods may be used to monitor sequences of system calls, application function calls, and machine code instructions, for example.
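The conditional-probability idea above (P(final operation | previous operations), flag the sequence when it drops below a threshold) reduces, for a fixed window, to a smoothed n-gram model over operation names. The code below is an added illustration, not the patent's implementation: it assumes a fixed window of two previous operations and additive smoothing (`alpha`) instead of the sparse distribution trees that the abstract uses to choose the window size and wildcard positions. The training traces and the test sequences are constructed system-call names.

```python
"""Fixed-window predictive-probability model over operation sequences.

Added example (not the patent's code). Assumes: a fixed context window,
additive smoothing with parameter alpha, and a single probability
threshold below which a sequence is reported as an intrusion.
"""
from collections import defaultdict


class ContextModel:
    def __init__(self, window: int = 2, alpha: float = 0.01):
        self.window = window
        self.alpha = alpha
        self.context_counts = defaultdict(int)  # how often each context was seen
        self.next_counts = defaultdict(int)     # how often (context, next op) was seen
        self.vocab = set()

    def train(self, seq) -> None:
        """Count every (window-length context -> next operation) pair in a trace."""
        for i in range(self.window, len(seq)):
            ctx = tuple(seq[i - self.window:i])
            self.context_counts[ctx] += 1
            self.next_counts[(ctx, seq[i])] += 1
            self.vocab.update(seq[i - self.window:i + 1])

    def predictive_probability(self, context, op) -> float:
        """Smoothed P(op | last `window` operations of context)."""
        ctx = tuple(context[-self.window:])
        v = len(self.vocab) + 1  # +1 reserves mass for operations never seen in training
        return (self.next_counts[(ctx, op)] + self.alpha) / (
            self.context_counts[ctx] + self.alpha * v
        )

    def score(self, seq):
        """(position, operation, probability) for every operation after the first window."""
        return [
            (i, seq[i], self.predictive_probability(seq[:i], seq[i]))
            for i in range(self.window, len(seq))
        ]

    def is_intrusion(self, seq, threshold: float):
        """Return (flagged, lowest probability, position of that operation)."""
        scored = self.score(seq)
        if not scored:
            return (False, None, None)
        pos, _, prob = min(scored, key=lambda t: t[2])
        return (prob < threshold, prob, pos)


TRAINING_TRACES = [  # constructed normal system-call traces
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "write", "close"],
    ["open", "stat", "read", "write", "close"],
]


def build_model() -> ContextModel:
    model = ContextModel(window=2, alpha=0.01)
    for trace in TRAINING_TRACES:
        model.train(trace)
    return model


if __name__ == "__main__":
    m = build_model()
    print(m.is_intrusion(["open", "read", "write", "close"], 0.05))
    print(m.is_intrusion(["open", "read", "write", "execve"], 0.05))
```

With the constructed traces, `("read", "write")` was followed by `close` three times and `write` once, so an `execve` in that position receives only the smoothing mass and the second sequence is flagged at position 3, while the first sequence's lowest conditional probability stays well above the threshold.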
Abstract:
A method for processing an image, consisting of a foreground and a background, to produce a highly compressed and accurate representation of the image, including the steps of scanning the image to create a digital image of the image, comparing the digital image against a codebook of stored digital images; matching the digital image with one of the stored digital images of the codebook; producing an index code identifying the background of the stored digital image as having matched the digital image; subtracting the stored digital image from the digital image to produce a second digital image representing the foreground of the stored digital image; and storing the second digital image with the index code. An apparatus is also provided for compressing images having a foreground and a background, consisting of an image scanner, a template image storage device for storing background templates, a processor system for matching a scanned image of the image with one of the background templates, resulting in a template identifier, a processor system for compensating the scanned image for the matched template to produce a foreground image, and a data compression system for compressing the foreground image.
Abstract:
The semantic integration problem for merging multiple databases of very large size, the merge/purge problem, can be solved by multiple runs of the sorted neighborhood method or the clustering method with small windows followed by the computation of the transitive closure over the results of each run. The sorted neighborhood method works well under this scheme but is computationally expensive due to the sorting phase. An alternative method based on data clustering reduces the complexity to linear time, making multiple runs followed by transitive closure feasible and efficient. A method is provided for identifying duplicate records in a database, each record having at least one field and a plurality of keys, including the steps of sorting the records according to a criteria applied to a first key; comparing a number of consecutive sorted records to each other, wherein the number is less than a number of records in said database, and identifying a first group of duplicate records; storing the identity of the first group; sorting the records according to a criteria applied to a second key; comparing a number of consecutive sorted records to each other, wherein the number is less than a number of records in said database, and identifying a second group of duplicate records; storing the identity of the second group; and subjecting the union of the first and second groups to transitive closure.
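The multi-pass sorted neighborhood procedure in the abstract (sort on key 1, compare within a small window, sort on key 2, compare again, then take the transitive closure of the union) is shown end to end below. This is an added example for this page, not the patent's code: the six records, the two key functions (longest name token and street number plus street prefix) and the rule-based `is_duplicate` comparison are all constructed, and a union-find structure stands in for the transitive closure step. The data is arranged so that the name-key pass misses one duplicate that the address-key pass catches, and so that a window of two still recovers the full group through closure.

```python
"""Multi-pass sorted neighborhood merge/purge with transitive closure.

Added example (not the patent's code). Assumes: records are dicts with
"id", "name" and "address"; two constructed key functions; a constructed
rule-based duplicate test; closure computed with union-find.
"""
import re
from collections import defaultdict

RECORDS = [  # constructed sample records; 1-3 and 4-5 are the true duplicate groups
    {"id": 1, "name": "Sal Stolfo", "address": "450 Computer Science Bldg"},
    {"id": 2, "name": "Salvatore Stolfo", "address": "450 Computer Sci Building"},
    {"id": 3, "name": "Stolfo, Sal", "address": "450 Computer Science Bldg"},
    {"id": 4, "name": "Mary Smith", "address": "12 Elm St"},
    {"id": 5, "name": "Mary A. Smith", "address": "12 Elm Street"},
    {"id": 6, "name": "John Doe", "address": "99 Oak Ave"},
]


def name_tokens(name: str) -> list:
    """Lower-cased alphabetic tokens, dropping single-letter initials."""
    return [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 1]


def key_by_name(record) -> str:
    """First key: three-letter prefix of the longest name token."""
    return max(name_tokens(record["name"]), key=len)[:3].upper()


def key_by_address(record) -> str:
    """Second key: street number plus three-letter prefix of the street name."""
    m = re.match(r"(\d+)\s+([A-Za-z]+)", record["address"])
    return (m.group(1) + m.group(2)[:3]).upper()


def _prefix_compatible(tokens_a, tokens_b) -> bool:
    """Every token of a matches some token of b as a prefix (either direction)."""
    return all(any(x.startswith(y) or y.startswith(x) for y in tokens_b) for x in tokens_a)


def is_duplicate(a, b) -> bool:
    """Constructed comparison rule: compatible names and the same address key."""
    ta, tb = name_tokens(a["name"]), name_tokens(b["name"])
    names_ok = _prefix_compatible(ta, tb) and _prefix_compatible(tb, ta)
    return names_ok and key_by_address(a) == key_by_address(b)


def sorted_neighborhood(records, key_fn, window: int) -> set:
    """One pass: sort on key_fn, compare each record with the next window-1 records."""
    ordered = sorted(records, key=key_fn)  # stable sort keeps input order within a key
    pairs = set()
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:i + window]:
            if is_duplicate(a, b):
                pairs.add(frozenset((a["id"], b["id"])))
    return pairs


def transitive_closure(ids, pairs) -> set:
    """Union-find over the duplicate pairs; returns the set of duplicate groups."""
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for pair in pairs:
        a, b = tuple(pair)
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for i in ids:
        groups[find(i)].add(i)
    return {frozenset(g) for g in groups.values()}


def merge_purge(records, window: int = 3):
    """Two sorted-neighborhood passes, then closure over the union of their results."""
    ids = [r["id"] for r in records]
    run1 = sorted_neighborhood(records, key_by_name, window)
    run2 = sorted_neighborhood(records, key_by_address, window)
    return run1, run2, transitive_closure(ids, run1 | run2)


if __name__ == "__main__":
    r1, r2, groups = merge_purge(RECORDS)
    print("name pass:", sorted(map(sorted, r1)))
    print("address pass:", sorted(map(sorted, r2)))
    print("groups:", sorted(map(sorted, groups)))
```

Sorted on the name key the order is 6, 2, 4, 5, 1, 3, so records 1 and 2 are never inside the same window of three and the pass finds only {1,3} and {4,5}; sorted on the address key they are adjacent and {1,2} is found, and closure over the union yields {1,2,3}, {4,5}, {6}. Shrinking the window to two drops the direct {1,3} comparison from the address pass, but the chain {1,2}, {2,3} still closes to the same group, which is the reason the abstract pairs small windows with transitive closure.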
Abstract:
A parallel data processing system is formed as a binary tree of data processing elements. Each of the elements includes an interface unit having registers coupled to registers in the interface unit of adjacent higher and lower order elements in the binary tree. Signals comprising instructions and data for processing in the elements are broadcast to the elements via the coupled registers for simultaneous processing in the elements. Processing results are compared and reported via the registers in a resolve/report operation.