VIRTUAL MACHINE INTROSPECTION
    81.
    Invention application
    VIRTUAL MACHINE INTROSPECTION (status: under examination, published)

    Publication number: US20160224794A1

    Publication date: 2016-08-04

    Application number: US15021032

    Application date: 2013-10-29

    Abstract: Virtual machine introspection can include performing an offline analysis of a virtual machine hard disk image. Core operating system files associated with the operating system can be located during the offline analysis. Operating system structure symbols can be accessed from a symbol server based on the core operating system files. Introspection of the virtual machine can be performed using the accessed operating system structure symbols.

    SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR PROTECTING SOFTWARE VIA CONTINUOUS ANTI-TAMPERING AND OBFUSCATION TRANSFORMS
    82.
    Invention application
    SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR PROTECTING SOFTWARE VIA CONTINUOUS ANTI-TAMPERING AND OBFUSCATION TRANSFORMS (status: under examination, published)

    Publication number: US20160217287A1

    Publication date: 2016-07-28

    Application number: US15078675

    Application date: 2016-03-23

    Abstract: Method, system and computer program product for applying existing anti-tampering and obfuscation techniques to virtual machine technology and offers several distinct advantages. The anti-tampering and obfuscation transforms can be applied continuously to prevent adversaries from gaining information about the program through emulation or dynamic analysis. In addition, the encryption can be used to prevent hackers from gaining information using static attacks. The use of a virtual machine also allows for low overhead execution of the obfuscated binaries as well as finer adjustment of the amount of overhead that can be tolerated. In addition, more protection can be applied to specific portions of the application that can tolerate slowdown. The incorporation of a virtual machine also makes it easy to extend the technology to integrate new developments and resistance mechanisms, leading to less development time, increased savings, and quicker deployment.

    Method and device for prompting program uninstallation
    84.
    Invention grant
    Method and device for prompting program uninstallation (status: in force)

    Publication number: US09378374B2

    Publication date: 2016-06-28

    Application number: US14066625

    Application date: 2013-10-29

    CPC classification number: G06F21/577 G06F8/62 G06F21/562

    Abstract: The present disclosure discloses method and device for prompting program uninstallation and belongs to the field of the Internet. The method comprises: performing a security assessment of an application program installed on a mobile terminal, thereby obtaining a security assessment result; obtaining security identification information corresponding to the security assessment result based on pre-stored correlations between security assessment results and security identification information; establishing a correlation between the obtained security identification information and the application program, and displaying the correlation to a user. By performing a security assessment of an application program installed on a mobile terminal, obtaining security identification information, and establishing a correlation between the security identification information and the application program, a user can quickly uninstall and clean up malware with hidden security issues based on the security identification information, thereby safeguarding safe running of the mobile terminal.

    Malicious Program Finding And Killing Device, Method And Server Based On Cloud Security
    85.
    Invention application
    Malicious Program Finding And Killing Device, Method And Server Based On Cloud Security (status: in force)

    Publication number: US20160164887A1

    Publication date: 2016-06-09

    Application number: US14905938

    Application date: 2014-07-17

    Inventor: Qingdong KONG

    Abstract: Disclosed are a malicious program finding and killing device, method and server. The device comprises: one or more non-transitory computer readable medium configured to store computer-executable instructions; at least one processor to execute the computer-executable instructions to perform operations comprising: sending information to a server, and receiving information returned by the server; starting a scan task to scan an object to be scanned, calculating an index tag of a file scanned, sending the index tag to the server, and receiving a script returned by the server, the script being found according to the index tag and corresponding to the file scanned; and executing the received script to find and kill the malicious program in the file scanned.

    Electronic Message Analysis For Malware Detection
    86.
    Invention application
    Electronic Message Analysis For Malware Detection (status: in force)

    Publication number: US20160127393A1

    Publication date: 2016-05-05

    Application number: US14745903

    Application date: 2015-06-22

    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.

    Systems and methods for detecting malicious documents based on component-object reuse
    88.
    Invention grant
    Systems and methods for detecting malicious documents based on component-object reuse (status: in force)

    Publication number: US09317679B1

    Publication date: 2016-04-19

    Application number: US14073815

    Application date: 2013-11-06

    CPC classification number: H04L63/1441 G06F21/562 G06F21/563 G06F21/57

    Abstract: A computer-implemented method for detecting malicious documents based on component-object reuse may include (1) identifying a plurality of malicious documents, (2) identifying a plurality of component objects that are contained within at least one malicious document from the plurality of malicious documents, (3) receiving an unknown document, (4) determining that at least one component object from the plurality of component objects was used to create the unknown document, and (5) performing a security action on the unknown document in response to determining that the component object was used to create the unknown document. Various other methods, systems, and computer-readable media are also disclosed.

    METHOD AND APPARATUS FOR RETROACTIVELY DETECTING MALICIOUS OR OTHERWISE UNDESIRABLE SOFTWARE AS WELL AS CLEAN SOFTWARE THROUGH INTELLIGENT RESCANNING
    89.
    Invention application
    METHOD AND APPARATUS FOR RETROACTIVELY DETECTING MALICIOUS OR OTHERWISE UNDESIRABLE SOFTWARE AS WELL AS CLEAN SOFTWARE THROUGH INTELLIGENT RESCANNING (status: under examination, published)

    Publication number: US20160098560A1

    Publication date: 2016-04-07

    Application number: US14971168

    Application date: 2015-12-16

    Abstract: Techniques are provided for the detection of malicious software (malware) on a general purpose computing device. A challenge in detecting malicious software is that files are typically scanned for the presence of malicious intent only once (and subsequent rescanning is typically performed in a simplistic manner). Existing methods in the art do not address how to most effectively rescan collections of files in a way that tries to optimize performance and efficacy. These methods may also be useful if additional information is now available regarding a file that might be useful to an end-user or an administrator, even though the file's core disposition might not have changed. More specifically, we describe methods, components, and systems that perform data analytics to intelligently rescan file collections for the purpose of retroactively identifying malware and retroactively identifying clean files.

    DETERMINING THE REPUTATION OF DATA
    90.
    Invention application
    DETERMINING THE REPUTATION OF DATA (status: under examination, published)

    Publication number: US20160087999A1

    Publication date: 2016-03-24

    Application number: US14494723

    Application date: 2014-09-24

    CPC classification number: H04L63/1408 G06F21/562

    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive data in a data flow, extract a data visa from the data flow, wherein the data visa is related to the data, and determine a reputation of the data from the data visa. The data visa can include reputation determination information obtained by previous network elements in the data flow. In addition, the electronic device can update the data visa, and communicate the updated data visa and data to a next network element in the data flow.
