COLLECTING AND ANALYZING MALWARE DATA
    1.
    Invention patent application
    COLLECTING AND ANALYZING MALWARE DATA (status: in force)

    Publication No.: US20100077481A1

    Publication date: 2010-03-25

    Application No.: US12234717

    Filing date: 2008-09-22

    IPC classification: G06F21/00

    CPC classification: G06F21/552 G06F21/568

    Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

    Efficient collection of data
    2.
    Invention patent application
    Efficient collection of data (status: pending, published)

    Publication No.: US20070162975A1

    Publication date: 2007-07-12

    Application No.: US11326890

    Filing date: 2006-01-06

    IPC classification: G06F12/14

    CPC classification: H04L63/1416 G06F21/561

    Abstract: Generally described, a method, software system, and computer-readable medium are provided for efficiently collecting data that is useful in developing software systems to identify and protect against malware. In accordance with one embodiment, a method for collecting data to determine whether a malware is propagating in a networking environment is provided. More specifically, the method includes receiving, at a server computer, preliminary data sets from a plurality of client computers that describe attributes of a potential malware. Then a determination is made regarding whether secondary data is needed to implement systems for protecting against the potential malware. If secondary data is needed, the method causes the secondary data to be collected when an additional preliminary data set is received from a client computer.

    Malicious software detection via memory analysis
    3.
    Invention patent application
    Malicious software detection via memory analysis (status: pending, published)

    Publication No.: US20080016572A1

    Publication date: 2008-01-17

    Application No.: US11485066

    Filing date: 2006-07-12

    IPC classification: G06F12/14

    CPC classification: G06F21/57

    Abstract: To detect the presence of malicious software in a system, selected data in memory of the system is stored in a designated storage location and analyzed by a known safe operating system. In an example configuration, a snapshot of system memory is downloaded to a dedicated device coupled to the motherboard of the system. A clean, uncorrupted operating system is loaded into the dedicated device, and the snapshot is analyzed utilizing the clean operating system. If malicious software is detected, the system is repaired using the clean operating system. In an example embodiment, this process is initiated when the system goes into a hibernation state, and/or during a system restoration operation.

    Generic rootkit detector
    4.
    Invention patent application
    Generic rootkit detector (status: in force)

    Publication No.: US20070055711A1

    Publication date: 2007-03-08

    Application No.: US11210565

    Filing date: 2005-08-24

    IPC classification: G06F17/30

    CPC classification: G06F21/566

    Abstract: A generic RootKit detector is disclosed that identifies when a malware, commonly known as a RootKit, is resident on a computer. In one embodiment, the generic RootKit detector performs a method that compares the properties of different versions of a library used by the operating system to provide services to an application program. In this regard, when a library is loaded into memory, an aspect of the generic RootKit detector compares two versions of the library: a potentially infected version in memory and a second version stored in a protected state on a storage device. If certain properties of the first version of the library are different from the second version, a determination is made that a RootKit is infecting the computer.

    Collecting and analyzing malware data
    5.
    Invention patent grant
    Collecting and analyzing malware data (status: in force)

    Publication No.: US08667583B2

    Publication date: 2014-03-04

    Application No.: US12234717

    Filing date: 2008-09-22

    CPC classification: G06F21/552 G06F21/568

    Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing the threat information to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians to manually create environments for reproducing the threats and manually analyze the threat behavior.

    Unwanted file modification and transactions
    7.
    Invention patent application
    Unwanted file modification and transactions (status: in force)

    Publication No.: US20070180530A1

    Publication date: 2007-08-02

    Application No.: US11377713

    Filing date: 2006-03-15

    IPC classification: G06F12/14

    Abstract: Aspects of the subject matter described herein relate to antivirus protection and transactions. In aspects, a filter detects that a file is participating in a transaction and then may cause the file to be scanned together with any changes that have been made to the file during the transaction. After a file is scanned, a cache entry may be updated to indicate that the file is clean. The cache entry may be used subsequently for like-type states. For example, if the file was scanned inside a transaction, the cache entry may be used later in the transaction. If the file was scanned outside a transaction, the cache entry may be used later for requests pertaining to files not in a transaction. Cache entries may be discarded when they are invalid or no longer useful.

    APPLICATION BEHAVIORAL CLASSIFICATION
    8.
    Invention patent application
    APPLICATION BEHAVIORAL CLASSIFICATION (status: in force)

    Publication No.: US20070136455A1

    Publication date: 2007-06-14

    Application No.: US11608625

    Filing date: 2006-12-08

    IPC classification: G06F15/173

    CPC classification: G06F21/564

    Abstract: The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, the runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events is analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules is applied to a new application in order to classify the new application into one of the application groups.
