公开(公告)号：US20090083855A1

公开(公告)日：2009-03-26

申请号：US12154405

申请日：2008-05-21

申请人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

发明人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

IPC分类号： G06F21/22 ,  G06F11/30

CPC分类号： G06F21/552 ,  H04L63/1416

摘要： A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.

摘要翻译： 公开了一种用于检测计算机系统操作中的入侵的方法，其包括从访问诸如Windows注册表的计算机的文件系统的正常进程的记录中收集特征，并且基于以下方式生成基于计算机系统的正常计算机系统使用的概率模型： 出现所述特征。 分析访问Windows注册表的进程记录的功能，以确定对Windows注册表的访问是否为异常。 公开了一种系统，其包括注册表审核模块，其被配置为收集关于访问所述Windows注册表的进程的记录; 模型生成器，其被配置为基于访问Windows注册表并且指示正常的计算机系统使用的多个进程的记录来生成正常计算机系统使用的概率模型; 以及配置为确定Windows注册表的访问是否是异常的模型比较器。

公开(公告)号：US07448084B1

公开(公告)日：2008-11-04

申请号：US10352343

申请日：2003-01-27

申请人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

发明人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

IPC分类号： G06F21/22 ,  G06F11/30

CPC分类号： G06F21/552 ,  H04L63/1416

摘要： A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.

摘要翻译： 公开了一种用于检测计算机系统操作中的入侵的方法，其包括从访问诸如Windows注册表的计算机的文件系统的正常进程的记录中收集特征，并且基于以下方式生成基于计算机系统的正常计算机系统使用的概率模型： 出现所述特征。 分析访问Windows注册表的进程记录的功能，以确定对Windows注册表的访问是否为异常。 公开了一种系统，其包括注册表审核模块，其被配置为收集关于访问所述Windows注册表的进程的记录; 模型生成器，其被配置为基于访问Windows注册表并且指示正常的计算机系统使用的多个进程的记录来生成正常计算机系统使用的概率模型; 以及配置为确定Windows注册表的访问是否是异常的模型比较器。

公开(公告)号：US07913306B2

公开(公告)日：2011-03-22

申请号：US12154405

申请日：2008-05-21

申请人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

发明人： Frank Apap ,  Andrew Honig ,  Hershkop Shlomo ,  Eleazar Eskin ,  Salvatore J. Stolfo

IPC分类号： G06F21/22 ,  G06F11/30

CPC分类号： G06F21/552 ,  H04L63/1416

摘要： A method for detecting intrusions in the operation of a computer system is disclosed which comprises gathering features from records of normal processes that access the files system of the computer, such as the Windows registry, and generating a probabilistic model of normal computer system usage based on occurrences of said features. The features of a record of a process that accesses the Windows registry are analyzed to determine whether said access to the Windows registry is an anomaly. A system is disclosed, comprising a registry auditing module configured to gather records regarding processes that access the Windows registry; a model generator configured to generate a probabilistic model of normal computer system usage based on records of a plurality of processes that access the Windows registry and that are indicative of normal computer system usage; and a model comparator configured to determine whether the access of the Windows registry is an anomaly.

摘要翻译： 公开了一种用于检测计算机系统操作中的入侵的方法，其包括从访问诸如Windows注册表的计算机的文件系统的正常进程的记录中收集特征，并且基于以下方式生成基于计算机系统的正常计算机系统使用的概率模型： 出现所述特征。 分析访问Windows注册表的进程记录的功能，以确定对Windows注册表的访问是否为异常。 公开了一种系统，其包括注册表审核模块，其被配置为收集关于访问所述Windows注册表的进程的记录; 模型生成器，其被配置为基于访问Windows注册表并且指示正常的计算机系统使用的多个进程的记录来生成正常计算机系统使用的概率模型; 以及配置为确定Windows注册表的访问是否是异常的模型比较器。