    1.
    Zero day malware scanner
    Granted invention patent (status: in force)

    Publication number: US08375450B1

    Publication date: 2013-02-12

    Application number: US12573300

    Application date: 2009-10-05

    CPC classification number: H04L63/1416 G06F21/564 G06F21/565 G06F21/567

    Abstract: A training model for malware detection is developed using common substrings extracted from known malware samples. The probability of each substring occurring within a malware family is determined and a decision tree is constructed using the substrings. An enterprise server receives indications from client machines that a particular file is suspected of being malware. The suspect file is retrieved and the decision tree is walked using the suspect file. A leaf node is reached that identifies a particular common substring, a byte offset within the suspect file at which it is likely that the common substring begins, and a probability distribution that the common substring appears in a number of malware families. A hash value of the common substring is compared (exact or approximate) against the corresponding substring in the suspect file. If positive, a result is returned to the enterprise server indicating the probability that the suspect file is a member of a particular malware family.

    2.
    Techniques for defending an email system against malicious sources
    Granted invention patent (status: in force)

    Publication number: US08601064B1

    Publication date: 2013-12-03

    Application number: US11414120

    Application date: 2006-04-28

    CPC classification number: H04L51/12 H04L63/1425

    Abstract: In one embodiment, a server computer determines whether an email entering a private computer network is malicious (e.g., part of a directory harvest attack or bounce-source attack) by determining the recipient email address of the email and the Internet Protocol (IP) address of the source of the email. When the server computer determines that the email is malicious, the server computer may reject the email by sending a non-deterministic response to the source of the email. The non-deterministic response may include an error message that is different from the actual reason why the email is being rejected. The rejection may be sent as an immediate reply or postponed, for example.

    3.
    Systems and methods for implementing source transparent email gateways
    Granted invention patent (status: in force)

    Publication number: US07814540B1

    Publication date: 2010-10-12

    Application number: US11318361

    Application date: 2005-12-23

    CPC classification number: H04L51/066

    Abstract: Methods and arrangements for implementing new email handling policies in gateway logic that is inserted upstream of the existing email system (which may or may not have an existing email gateway). By inserting the gateway logic upstream of the existing email system, it is unnecessary to reconfigure existing email handling logic since the remainder of the email system downstream of the newly inserted gateway logic is substantially undisturbed. Techniques and arrangements are proposed to ensure the remainder of the email system continues to function correctly after the insertion of the new gateway logic.

    4.
    Determination of valid email addresses in a private computer network
    Granted invention patent (status: in force)

    Publication number: US08458261B1

    Publication date: 2013-06-04

    Application number: US11401498

    Application date: 2006-04-07

    CPC classification number: H04L51/28 H04L51/30

    Abstract: In one embodiment, a method of generating a listing of valid email addresses in a private computer network includes monitoring of inbound emails and outbound delivery failure notification emails. Recipient email addresses of inbound emails may be indicated in the listing as valid email addresses. The delivery failure notification emails may be indicative of receipt in the private computer network of an undeliverable email. The recipient email address of the undeliverable email may be identified in the listing as an invalid email address. Comparing the recipient email addresses of undeliverable emails and inbound emails advantageously allows generation of the listing of valid email addresses in the private computer network without having to ask an email server for such a listing.
