Abstract:
A communication between an entity and a host is identified. Reputation information associated with a set of other entities that communicate with the host is identified. A reputation score associated with the host is generated based on the reputation information associated with a set of other entities. A reputation score associated with the entity is generated based on the reputation score associated with the host.
Abstract:
A computer generates a reputation score for a file based at least in part on the lineage of the file. A security module on a client monitors file creations on the client and identifies a parent file creating a child file. The security module provides a lineage report describing the lineage relationship to a security server. The security server uses lineage reports from the client to generate one or more lineage scores for the files identified by the reports. The security server aggregates the lineage scores for files reported by multiple clients. The aggregated lineage scores are used by the security server to generate reputation scores for files. The reputation score for a file indicates a likelihood that the file is malicious. The security server reports the reputation scores to the clients, and the clients use the reputation scores to determine whether files detected at the clients are malicious.
Abstract:
Techniques for classifying unknown files that take into account the temporal proximity between unknown files and files with known classifications are disclosed. In response to a classification request for a target file, client systems that host (or have hosted) instances of the target file are identified. For each system, files created around the time the target file was created on that system are identified. Within the identified files, files with known classifications are identified, and a score is determined for each such file to measure the temporal proximity between the creation of that file and the creation of the target file. Local temporal proximity scores aggregate the scores for the client system. Global temporal proximity scores measure an aspect of the local temporal proximity scores across all identified client systems. The global temporal proximity scores are fed into a classifier to determine a classification, which is returned in response to the classification request.
Abstract:
An enterprise network can have sanctioned and unsanctioned servers on it. Sanctioned servers are approved by an administrator and perform tasks such as web page serving and mail routing. Unsanctioned servers are not approved by the administrator and represent possible security risks. A service monitor accesses one or more metadata sources having information describing the enterprise network, such as domain name system (DNS) records on the Internet. The service monitor analyzes the metadata and creates a security profile for the enterprise network. The security profile identifies the sanctioned servers. The service monitor monitors network traffic for compliance with the security profile, and detects unsanctioned servers on the network. The service monitor reports violations of the profile and informs the administrator of the unsanctioned servers.
Abstract:
A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on the detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and the operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.
Abstract:
An access control system (200) enables a computer network (1) to prevent execution of computer code that may contain computer viruses. An access control console (201) generates an access control message (260) including control parameters such as a time limit (255). Said time limit (255) is disseminated to computers (2, 3) on the network (1). Said computers (2, 3) use the time limit (255) to determine the executability of computer code. Access control system (200) also enables blocking data communications with suspicious or susceptible programs in network (1) during virus outbreaks.
Abstract:
Methods, systems, and computer readable media for managing transmission of a requested computer file (140) from a remote host computer (125) to a client computer (120). A proxy server computer (110) receives a first chunk (315) of the requested computer file (140). The proxy server (120) generates a hash of the chunk (315) and compares the hash to a hash of a chunk of a previously downloaded file. If the two hashes are identical, the chunk (315) of the requested computer file (140) is passed to the client computer (120).
Abstract:
A computer readable file of a first state (3.0) is updated to a second state (3.2) through the use of an incremental update (112) which provides the information necessary to construct the file of the second version (3.2) from a file of the first version (3.2). In order to allow for future access to the first version (3.0), without maintaining a copy of the file of the first version (3.0), a back-update file (206) is created. The back-update file (206) provides the information necessary to construct a file of the first state (3.0) from a file of the second state (3.2).
Abstract:
A computer-implemented method for executing a computer file in a CPU emulator (154) to detect a computer virus. The method includes simulating (302) the execution of a predetermined number of instructions of the computer file in the CPU emulator (154), suspending (303) the execution, constructing (304) a state record, temporarily storing (305) the state record in memory, comparing (306) the constructed state record to state records stored in a state cache (158), and indicating (308) that the file is virus free when the constructed state record matches one of the stored state records.
Abstract:
An emulation module (110) includes a pre-fetch queue (116) having an adjustable size (126) to eliminate any dependence of virus decryption routines on the size of the pre-fetch queue (116) when emulating executable files to test for the presence of virus infections. An executable file is tested by setting (210, 258) the size of the emulator's pre-fetch queue (116) and emulating (220) the file under the guidance of an emulation control module (130). Emulated instructions are monitored and a flag is set (230) when any instructions are modified (224) after being copied to the pre-fetch queue and subsequently executed (228). Emulation continues until the emulation control module (130) indicates (230) that the file should be scanned for virus signatures. If no virus signatures are detected (234) and the flag is set (244), the size of the pre-fetch queue is reduced (258) and the process is repeated. An executable file is declared virus-free (250) if the file is emulated (220) without setting the flag (230) and no virus signatures are detected (234). The executable file is declared virus-infected (240) when virus signatures are detected (234), independent of whether the flag is set (230). For Intel processors, pre-fetch queue sizes of 32, 16, 8, and zero bytes may be emulated.