-
公开(公告)号:US10423788B2
公开(公告)日:2019-09-24
申请号:US15247154
申请日:2016-08-25
摘要: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
-
公开(公告)号:US20160366169A1
公开(公告)日:2016-12-15
申请号:US14982888
申请日:2015-12-29
IPC分类号: H04L29/06
CPC分类号: H04L63/1425 , H04L63/1416 , H04L63/1466 , H04L67/02 , H04L69/16
摘要: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.
摘要翻译: 提供了检测网络异常的系统,方法和介质。 在一些实施例中,接收具有参数串的通信协议消息的训练数据集。 确定与每个参数串相关联的内容和结构,并且使用确定的每个参数串的内容和结构来训练概率模型。 接收具有通过计算机网络从第一处理器发送到第二处理器的参数串的通信协议消息。 将接收到的通信协议消息与概率模型进行比较,然后确定通信协议消息是否是异常的。
-
3.发明授权Systems, methods, and media for generating bait information for trap-based defenses 有权用于产生基于陷阱的防御的诱饵信息的系统,方法和媒体公开(公告)号:US08819825B2
公开(公告)日:2014-08-26
申请号:US12302774
申请日:2007-05-31
IPC分类号: G06F21/00
CPC分类号: H04L63/1491 , H04L43/0876 , H04L51/22 , H04L63/1408 , H04L63/145
摘要: Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information.
摘要翻译: 提供了用于生成基于陷阱的防御的诱饵信息的系统,方法和媒体。 在一些实施例中,用于产生用于基于陷阱的防御的诱饵信息的方法包括:记录网络的历史信息; 翻译历史信息; 并通过定制翻译的历史信息产生诱饵信息。
-
4.发明申请METHODS, MEDIA, AND SYSTEMS FOR DETECTING AN ANOMALOUS SEQUENCE OF FUNCTION CALLS 审中-公开用于检测功能调用异常序列的方法,媒体和系统公开(公告)号:US20140173734A1
公开(公告)日:2014-06-19
申请号:US14185175
申请日:2014-02-20
IPC分类号: H04L29/06
CPC分类号: G06F21/566 , G06F11/08 , G06F11/3688 , G06F2221/033 , G06N7/005 , H04L63/1425
摘要: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
摘要翻译: 提供了用于检测函数调用异常序列的方法,介质和系统。 该方法可以包括通过使用压缩模型来压缩由程序执行所产生的函数调用序列; 以及基于函数调用序列被压缩的程度来确定功能调用序列中函数调用的异常序列的存在。 所述方法还可以包括执行至少一个已知程序; 观察由所述至少一个已知节目的执行而进行的至少一个函数调用序列; 在由所述至少一个已知程序进行的所述至少一个功能调用序列中分配每种类型的功能调用唯一标识符; 以及通过记录至少一个唯一标识符序列来创建所述压缩模型的至少一部分。
-
5.发明授权Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems 有权在协作计算机系统之间关联和分发入侵警报信息的系统和方法公开(公告)号:US08667588B2
公开(公告)日:2014-03-04
申请号:US12837302
申请日:2010-07-15
IPC分类号: H04L29/06
CPC分类号: H04L63/1408
摘要: Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
摘要翻译: 系统和方法提供警报相关器和警报分发器,其能够检测到攻击的早期迹象并且迅速地传播到协作系统。 警报相关器利用数据结构来关联警报检测,并提供可以向其他协作系统透露威胁信息的机制。 警报分配器使用有效的技术来对协作系统进行分组,然后根据时间表在某些成员之间传递数据。 以这种方式,数据可以定期分布,而不会产生过多的流量负载。
-
公开(公告)号:US08631484B2
公开(公告)日:2014-01-14
申请号:US12048533
申请日:2008-03-14
CPC分类号: H04L63/1458 , H04L63/08 , H04L63/0823 , H04L63/12 , H04L63/123 , H04L63/1416 , H04L2463/141
摘要: Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
摘要翻译: 提供了用于抑制网络攻击的系统和方法。 在一些实施例中,提供了当从源节点发送到目的地节点时通过将多个中间节点转发分组来抑制攻击的方法,所述方法包括:在所述多个中间节点之一处接收分组; 在所选择的中间节点处,确定所述分组是否已经基于伪随机函数发送到所述多个中间节点中的正确的一个; 以及基于所述确定将所述分组转发到所述目的地节点。 在一些实施例中,基于伪随机函数来选择中间节点。 在一些实施例中,提供了用于建立对多路径网络的访问的系统和方法。
-
公开(公告)号:US08528091B2
公开(公告)日:2013-09-03
申请号:US12982984
申请日:2010-12-31
申请人: Brian M. Bowen , Pratap V. Prabhu , Vasileios P. Kemerlis , Stylianos Sidiroglou , Salvatore J. Stolfo , Angelos D. Keromytis
发明人: Brian M. Bowen , Pratap V. Prabhu , Vasileios P. Kemerlis , Stylianos Sidiroglou , Salvatore J. Stolfo , Angelos D. Keromytis
CPC分类号: G06F21/56 , G06F21/566 , G06F21/577 , H04L63/1441 , H04L63/1491
摘要: Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.
摘要翻译: 提供了用于检测隐蔽恶意软件的方法,系统和媒体。 根据一些实施例,提供了一种用于在计算环境中检测隐匿恶意软件的方法,所述方法包括:在所述计算环境之外生成模拟用户活动; 将所述模拟用户活动传达到所述计算环境内的应用; 以及确定是否已经被未经授权的实体访问与所述模拟用户活动相对应的诱饵。
-
公开(公告)号:US08381295B2
公开(公告)日:2013-02-19
申请号:US12833743
申请日:2010-07-09
申请人: Salvatore J Stolfo , Tal Malkin , Angelos D Keromytis , Vishal Misra , Michael Locasto , Janak Parekh
发明人: Salvatore J Stolfo , Tal Malkin , Angelos D Keromytis , Vishal Misra , Michael Locasto , Janak Parekh
IPC分类号: H04L29/06
CPC分类号: H04L63/1416 , G06F21/552 , G06F21/554 , H04L63/145 , H04L63/1475 , H04L63/1491
摘要: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
-
9.发明授权公开(公告)号:US08074115B2
公开(公告)日:2011-12-06
申请号:US12091150
申请日:2006-10-25
IPC分类号: G06F11/00
CPC分类号: G06F11/0772 , G06F11/0718 , G06F11/0751 , G06F11/079 , G06F11/3652
摘要: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
摘要翻译: 提供了用于检测异常程序执行的方法,介质和系统。 在一些实施例中,提供了用于检测异常程序执行的方法,包括:在仿真器中执行程序的至少一部分; 将在仿真器中产生的函数调用与所述程序的至少一部分的函数调用模型进行比较; 并根据比较将功能调用识别为异常。 在一些实施例中,提供了用于检测异常程序执行的方法,包括:修改程序以包括程序执行期间进行的程序级函数调用的指示; 将在仿真器中进行的程序级功能调用的至少一个指标与所述程序的至少一部分的函数调用模型进行比较; 以及基于所述比较,将与所述至少一个所述指示符相对应的功能调用识别为异常。
-
10.发明申请公开(公告)号:US20080141374A1
公开(公告)日:2008-06-12
申请号:US11870043
申请日:2007-10-10
IPC分类号: G06F21/06
CPC分类号: G06F21/554
摘要: In accordance with some embodiments, systems and methods that protect an application from attacks are provided. In some embodiments, traffic from a communication network is received by an anomaly detection component. The anomaly detection component monitors the received traffic and routes the traffic either to the protected application or to a honeypot, where the honeypot shares all state information with the application. If the received traffic is routed to the honeypot, the honeypot monitors the traffic for an attack. If an attack occurs, the honeypot repairs the protected application (e.g., discarding any state changes incurred from the attack, reverting to previously saved state information, etc.).
摘要翻译: 根据一些实施例,提供了保护应用免受攻击的系统和方法。 在一些实施例中,来自通信网络的业务由异常检测组件接收。 异常检测组件监视接收的流量,并将流量路由到受保护的应用程序或蜜罐,蜜罐与应用程序共享所有状态信息。 如果接收到的流量被路由到蜜罐,那么蜜罐会监视流量的攻击。 如果发生攻击,蜜罐将修复受保护的应用程序(例如,丢弃从攻击中导致的任何状态更改,恢复到以前保存的状态信息等)。
-
-
-
-
-
-
-
-
-
搜索结果
71 条记录 (耗时 0.177 秒)
