Method and apparatus to detect malicious software
    1.
    Published application
    Method and apparatus to detect malicious software (In force)

    Publication number: US20050028002A1

    Publication date: 2005-02-03

    Application number: US10629292

    Filing date: 2003-07-29

    IPC classification: G06F11/30 G06F21/00

    CPC classification: G06F21/562

    Abstract: A technique for finding malicious code such as viruses in an executable binary file converts the executable binary to a function-unique form, to which function-unique forms of virus code may be compared. By avoiding direct comparison of the expression of the viral code and looking instead at its function, obfuscation techniques intended to hide the virus code are substantially reduced in effectiveness.


    User identification using multifaceted footprints
    2.
    Granted patent
    User identification using multifaceted footprints (In force)

    Publication number: US09003025B2

    Publication date: 2015-04-07

    Application number: US13542422

    Filing date: 2012-07-05

    IPC classification: G06F15/173 G06F21/32

    Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.


    Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network
    3.
    Granted patent
    Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network (In force)

    Publication number: US08938511B2

    Publication date: 2015-01-20

    Application number: US13494101

    Filing date: 2012-06-12

    IPC classification: G06F15/16 H04L12/58

    Abstract: Methods and apparatus are provided for detecting unauthorized bulk forwarding of sensitive data over a network. Bulk forwarding of email from a first network environment is automatically detected by determining an arrival rate for internal emails received from within the first network environment into one or more user accounts; determining a sending rate for external emails sent from the one or more user accounts to a second network environment; and detecting the bulk forwarding of email from a given user account by comparing the arrival rate for internal emails with the sending rate for external emails. The bulk forwarding of email from a given user account can be detected by determining whether statistical models of the arrival rate for internal emails and of the sending rate for external emails are correlated in time.

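    The comparison the abstract describes, as an added example that is not the patent's own code: internal arrivals and external sends are binned per account over time and the two series are tested for correlation. The domain name, the 10-minute bin size, the thresholds and the mail-gateway log lines are all constructed for illustration.

```python
# Added example (not the patent's code): detect bulk forwarding by testing
# whether an account's outbound external-mail rate tracks its inbound
# internal-mail rate over time, as the abstract above describes.
# Domain names, bin size, thresholds and log lines are constructed.
from collections import defaultdict
from datetime import datetime
from math import sqrt

INTERNAL_DOMAIN = "corp.example"   # assumed "first network environment"
BIN_SECONDS = 600                  # assumed 10-minute rate bins

# Constructed mail-gateway log: "<ISO timestamp> <sender> <recipient>"
MAIL_LOG = """\
2024-03-01T09:00:05+00:00 hr@corp.example alice@corp.example
2024-03-01T09:00:40+00:00 alice@corp.example alice.home@mail.example
2024-03-01T09:03:10+00:00 finance@corp.example alice@corp.example
2024-03-01T09:03:33+00:00 alice@corp.example alice.home@mail.example
2024-03-01T09:04:00+00:00 hr@corp.example bob@corp.example
2024-03-01T09:06:00+00:00 bob@corp.example vendor@partner.example
2024-03-01T09:12:00+00:00 hr@corp.example bob@corp.example
2024-03-01T09:13:00+00:00 it@corp.example bob@corp.example
2024-03-01T09:14:00+00:00 legal@corp.example bob@corp.example
2024-03-01T09:16:00+00:00 bob@corp.example vendor@partner.example
2024-03-01T09:20:10+00:00 hr@corp.example alice@corp.example
2024-03-01T09:20:40+00:00 alice@corp.example alice.home@mail.example
2024-03-01T09:21:10+00:00 it@corp.example alice@corp.example
2024-03-01T09:21:40+00:00 alice@corp.example alice.home@mail.example
2024-03-01T09:22:10+00:00 legal@corp.example alice@corp.example
2024-03-01T09:22:40+00:00 alice@corp.example alice.home@mail.example
2024-03-01T09:26:00+00:00 bob@corp.example vendor@partner.example
2024-03-01T09:31:00+00:00 hr@corp.example alice@corp.example
2024-03-01T09:31:30+00:00 alice@corp.example alice.home@mail.example
2024-03-01T09:33:00+00:00 hr@corp.example bob@corp.example
2024-03-01T09:34:00+00:00 it@corp.example bob@corp.example
"""

def _domain(addr):
    return addr.rsplit("@", 1)[1]

def rate_series(log, internal_domain=INTERNAL_DOMAIN, bin_seconds=BIN_SECONDS):
    """Per account: (internal arrival counts, external sending counts) per time bin."""
    arrivals = defaultdict(lambda: defaultdict(int))
    sends = defaultdict(lambda: defaultdict(int))
    bins = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = line.split()
        b = int(datetime.fromisoformat(ts).timestamp()) // bin_seconds
        bins.add(b)
        internal_sender = _domain(sender) == internal_domain
        if internal_sender and _domain(rcpt) == internal_domain:
            arrivals[rcpt][b] += 1          # internal mail arriving in a mailbox
        elif internal_sender:
            sends[sender][b] += 1           # mail leaving to the second environment
    order = sorted(bins)
    accounts = set(arrivals) | set(sends)
    return {a: ([arrivals[a][b] for b in order], [sends[a][b] for b in order])
            for a in accounts}

def pearson(x, y):
    """Pearson correlation of two equal-length series (0.0 if either is constant)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)

def detect_bulk_forwarding(log, threshold=0.8, min_external=3):
    """Accounts whose external sending rate is correlated in time with their
    internal arrival rate. min_external skips accounts that barely send out."""
    flagged = {}
    for acct, (arr, snd) in rate_series(log).items():
        if sum(snd) < min_external:
            continue
        r = pearson(arr, snd)
        if r >= threshold:
            flagged[acct] = round(r, 3)
    return flagged

if __name__ == "__main__":
    print(detect_bulk_forwarding(MAIL_LOG))
```

    In the constructed log alice forwards every internal message to an outside mailbox within a minute, so her two series are identical and score 1.0; bob mails a vendor at a steady rate unrelated to what he receives and is not flagged. A production version would use longer windows, lag-tolerant correlation (forwarding rules fire instantly, humans do not), and a minimum volume well above three messages.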

    Optimizing performance of integrity monitoring
    4.
    Granted patent
    Optimizing performance of integrity monitoring (In force)

    Publication number: US08949797B2

    Publication date: 2015-02-03

    Application number: US12761952

    Filing date: 2010-04-16

    Abstract: A system, method and computer program product for verifying the integrity of a running application program on a computing device. The method comprises: determining entry points into an application program's processing space that impact proper execution and program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to be verified is running; monitoring, at run time and in that memory space, potential modification of the data elements in a manner that could breach program integrity; and initiating a response to the potential modification. When the run-time monitoring detects that a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system. This agent requests the values of the data elements and determines whether previously computed invariants still hold under the set of retrieved data values.


    Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion
    5.
    Published application
    Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion (Pending, published)

    Publication number: US20130333041A1

    Publication date: 2013-12-12

    Application number: US13494108

    Filing date: 2012-06-12

    IPC classification: G06F21/00

    CPC classification: G06F21/55 G06F21/568

    Abstract: Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines.


    Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion
    6.
    Published application
    Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion (Pending, published)

    Publication number: US20130333034A1

    Publication date: 2013-12-12

    Application number: US13604031

    Filing date: 2012-09-05

    IPC classification: G06F21/00

    CPC classification: G06F21/55 G06F21/568

    Abstract: Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines.

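    The correlation chain described in entries 5 and 6 above (external indicator, then internal systems that interacted with it, then the accounts on those systems, then the data those accounts can reach), as one added example that is not the patent's own code. The indicator, the flow and authentication records, the host types and the access lists are constructed; limiting the match to the indicator's activity window plus a slack is this example's assumption, not something the abstracts specify.

```python
# Added example (not the patent's code): derive the internal systems, user
# accounts and data stores affected by an intrusion by correlating an
# externally supplied indicator with internal flow and authentication records.
# All records, host types and access lists are constructed; the time window
# with slack is an assumption.
from datetime import datetime, timedelta

# Information about the external (attacker) system, e.g. from a threat-intel
# feed. 203.0.113.0/24 is a documentation address range.
EXTERNAL_INDICATOR = {
    "ip": "203.0.113.7",
    "first_seen": "2024-03-01T08:00:00+00:00",
    "last_seen": "2024-03-01T12:00:00+00:00",
}

# Constructed flow records: "<ISO timestamp> <internal host> <remote ip> <bytes out>"
FLOWS = """\
2024-03-01T08:15:00+00:00 ws-017 203.0.113.7 40960
2024-03-01T08:20:00+00:00 ws-017 198.51.100.20 1200
2024-03-01T09:05:00+00:00 srv-db01 203.0.113.7 5242880
2024-03-01T09:40:00+00:00 srv-db01 203.0.113.7 1048576
2024-02-27T22:00:00+00:00 ws-042 203.0.113.7 300
2024-03-01T13:30:00+00:00 ws-042 203.0.113.7 300
"""

# Constructed authentication records: "<ISO timestamp> <host> <account>"
AUTH = """\
2024-03-01T08:10:00+00:00 ws-017 carol
2024-03-01T09:00:00+00:00 srv-db01 svc_backup
2024-03-01T09:30:00+00:00 srv-db01 carol
2024-03-01T09:40:00+00:00 ws-042 dave
"""

HOST_KIND = {"ws-017": "client", "ws-042": "client", "srv-db01": "server"}

# Constructed access lists: data stores each account can read
ACCESS = {
    "carol": ["share://hr/payroll", "share://finance/q1"],
    "svc_backup": ["share://backup/db01"],
    "dave": ["share://eng/design"],
}

def affected_systems(indicator, flows, slack_hours=1.0):
    """Internal hosts that talked to the indicator inside its activity window
    (widened by slack_hours). Returns host -> bytes sent to the indicator."""
    slack = timedelta(hours=slack_hours)
    start = datetime.fromisoformat(indicator["first_seen"]) - slack
    end = datetime.fromisoformat(indicator["last_seen"]) + slack
    hosts = {}
    for line in flows.splitlines():
        if not line.strip():
            continue
        ts, host, remote, nbytes = line.split()
        if remote == indicator["ip"] and start <= datetime.fromisoformat(ts) <= end:
            hosts[host] = hosts.get(host, 0) + int(nbytes)
    return hosts

def associated_accounts(hosts, auth):
    """Accounts that authenticated to any affected host: account -> {hosts}."""
    accounts = {}
    for line in auth.splitlines():
        if not line.strip():
            continue
        _ts, host, user = line.split()
        if host in hosts:
            accounts.setdefault(user, set()).add(host)
    return accounts

def accessible_data(accounts, access):
    """Data stores reachable through the affected accounts."""
    return {user: sorted(access.get(user, [])) for user in accounts}

def triage(indicator=EXTERNAL_INDICATOR, flows=FLOWS, auth=AUTH,
           access=ACCESS, kinds=HOST_KIND):
    """Full pipeline: systems -> accounts -> data, as a report dict."""
    hosts = affected_systems(indicator, flows)
    accounts = associated_accounts(hosts, auth)
    return {
        "systems": {h: {"kind": kinds.get(h, "unknown"), "bytes_to_indicator": b}
                    for h, b in sorted(hosts.items())},
        "accounts": {u: sorted(hs) for u, hs in sorted(accounts.items())},
        "data_at_risk": accessible_data(accounts, access),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

    Note that carol appears twice: she was logged in on the workstation that first reached the indicator and later on the database server, which is exactly the lateral-movement trail an analyst wants surfaced. The byte counts are kept so that a responder can see which host moved the most data, and widening slack_hours brings ws-042's late contact into scope.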

    PREDICTING ATTACKS BASED ON PROBABILISTIC GAME-THEORY
    7.
    Published application
    PREDICTING ATTACKS BASED ON PROBABILISTIC GAME-THEORY (Pending, published)

    Publication number: US20130318616A1

    Publication date: 2013-11-28

    Application number: US13487774

    Filing date: 2012-06-04

    IPC classification: G06F21/00

    Abstract: Systems for determining a cyber-attack target include a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes the defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge.

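    The pipeline in the abstract (paths from compromised nodes to targets, a likelihood per path, a distribution over targets, a belief over the attacker's current position, and the edge whose removal minimizes the defender's expected uncertainty), as an added example that is not the patent's own code. The attack graph with per-edge traversal probabilities stands in for the scenario tree's vulnerability information, Shannon entropy over targets is used as the uncertainty measure, and the graph, the probabilities and the attacker-position belief are constructed.

```python
# Added example (not the patent's code): attack scenario graph with per-edge
# traversal probabilities, induced distribution over targets, and the edge
# whose removal most reduces the defender's expected uncertainty (Shannon
# entropy over targets). Graph, probabilities and position belief are constructed.
import math

# Directed edges (u, v) -> probability the attacker can move from u to v
EDGES = {
    ("web", "app"): 0.8,
    ("web", "dmz-jump"): 0.4,
    ("app", "db"): 0.6,
    ("app", "fileserver"): 0.5,
    ("dmz-jump", "fileserver"): 0.7,
    ("dmz-jump", "ad"): 0.3,
    ("fileserver", "ad"): 0.5,
}
TARGETS = ("db", "fileserver", "ad")
# Belief over nodes the attacker already accessed (stands in for the abstract's
# distribution over accessed nodes and vulnerability types)
POSITIONS = {"web": 0.7, "dmz-jump": 0.3}

def paths(edges, source, target, visited=()):
    """All simple paths source -> target, each as a list of edges."""
    if source == target:
        yield []
        return
    for (u, v) in edges:
        if u == source and v != source and v not in visited:
            for rest in paths(edges, v, target, visited + (source,)):
                yield [(u, v)] + rest

def path_likelihood(edges, path):
    """Probability the attacker traverses every edge on the path."""
    return math.prod(edges[e] for e in path)

def target_distribution(edges, position, targets):
    """P(target | attacker at position), proportional to total path likelihood."""
    score = {t: sum(path_likelihood(edges, p) for p in paths(edges, position, t))
             for t in targets}
    total = sum(score.values())
    return {t: (s / total if total else 0.0) for t, s in score.items()}

def entropy(dist):
    """Shannon entropy in bits; the defender's uncertainty over targets."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def expected_uncertainty(edges, positions, targets):
    """Entropy over targets, averaged over the belief about the attacker's position."""
    return sum(w * entropy(target_distribution(edges, pos, targets))
               for pos, w in positions.items())

def best_edge_to_remove(edges, positions, targets):
    """Edge whose removal minimises expected uncertainty, with the resulting value."""
    best = None
    for e in edges:
        reduced = {k: v for k, v in edges.items() if k != e}
        u = expected_uncertainty(reduced, positions, targets)
        if best is None or u < best[1]:
            best = (e, u)
    return best

if __name__ == "__main__":
    print(target_distribution(EDGES, "web", TARGETS))
    print(expected_uncertainty(EDGES, POSITIONS, TARGETS))
    print(best_edge_to_remove(EDGES, POSITIONS, TARGETS))
```

    On the constructed graph the chosen edge is app to db: cutting it leaves only two reachable targets, which makes the attacker's goal easiest to predict. That is what an entropy objective optimizes; it is not the same as protecting the most valuable asset, so a deployment would weight the targets by their value (or constrain which edges may be cut) before acting on the result.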

    HIGH-THROUGHPUT DATA INTEGRITY VIA TRUSTED COMPUTING

    Publication number: US20190268308A1

    Publication date: 2019-08-29

    Application number: US16189818

    Filing date: 2018-11-13

    IPC classification: H04L29/06 H04L29/08 G06F17/30

    Abstract: A verification system and methods are provided that allow database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the response is verified by the proxy device, it may be transmitted to the client device.
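    The verification step described above, as an added example that is not the patent's own code: the proxy holds a Merkle root, the server returns each record together with an inclusion proof, and the proxy recomputes the root before releasing the response. A plain binary Merkle tree over sorted keys stands in for the Merkle B+-tree, the enclave is not simulated, and the records are constructed.

```python
# Added example (not the patent's code): a verifying proxy that keeps only a
# Merkle root and checks every database response against it. A binary Merkle
# tree over sorted keys stands in for the Merkle B+-tree; the enclave is not
# simulated; the records are constructed.
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(key: str, value: str) -> bytes:
    # Domain-separated and length-delimited so (key, value) pairs cannot collide
    k, v = key.encode(), value.encode()
    return _h(b"\x00" + len(k).to_bytes(4, "big") + k + v)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

class MerkleIndex:
    """Hash tree over the server's records (leaves in key order)."""
    def __init__(self, records):
        self.keys = sorted(records)
        self.levels = [[leaf_hash(k, records[k]) for k in self.keys]]
        while len(self.levels[-1]) > 1:
            cur = self.levels[-1]
            if len(cur) % 2:                 # duplicate last node on odd levels
                cur = cur + [cur[-1]]
            self.levels.append([node_hash(cur[i], cur[i + 1])
                                for i in range(0, len(cur), 2)])
        self.root = self.levels[-1][0]

    def proof(self, key):
        """Sibling hashes from leaf to root: list of (sibling, sibling_is_right)."""
        idx = self.keys.index(key)
        path = []
        for level in self.levels[:-1]:
            lvl = level + [level[-1]] if len(level) % 2 else level
            path.append((lvl[idx ^ 1], idx % 2 == 0))
            idx //= 2
        return path

def verify(root, key, value, proof):
    """Recompute the root from (key, value) and the proof; True iff it matches."""
    cur = leaf_hash(key, value)
    for sibling, sibling_is_right in proof:
        cur = node_hash(cur, sibling) if sibling_is_right else node_hash(sibling, cur)
    return cur == root

class IntegrityError(Exception):
    pass

class UntrustedServer:
    """Database server plus the (untrusted) tree it serves proofs from."""
    def __init__(self, records):
        self.records = dict(records)
        self.index = MerkleIndex(self.records)
    def get(self, key):
        return self.records[key], self.index.proof(key)
    def tamper(self, key, value):
        # A compromised server rewrites a record and rebuilds its tree so the
        # proof is internally consistent; the root still will not match.
        self.records[key] = value
        self.index = MerkleIndex(self.records)

class VerifyingProxy:
    """Holds only the root (in the patent, inside the SGX enclave)."""
    def __init__(self, root):
        self.root = root
    def read(self, server, key):
        value, proof = server.get(key)
        if not verify(self.root, key, value, proof):
            raise IntegrityError(f"response for {key!r} failed verification")
        return value

# Constructed records; the proxy's root is captured when the data is loaded.
RECORDS = {"acct:1001": "balance=250", "acct:1002": "balance=40",
           "acct:1003": "balance=1200"}

def demo():
    """Returns (a verified value, whether tampering was detected)."""
    server = UntrustedServer(RECORDS)
    proxy = VerifyingProxy(server.index.root)
    good = proxy.read(server, "acct:1003")
    server.tamper("acct:1001", "balance=999999")
    try:
        proxy.read(server, "acct:1001")
        detected = False
    except IntegrityError:
        detected = True
    return good, detected

if __name__ == "__main__":
    print(demo())
```

    The point of holding only the root is that the proxy's trusted state stays constant-size while the hash tree itself can live in untrusted memory; every read then costs one proof of logarithmic length. Writes are the part this example omits: the proxy must verify the old leaf, compute the new root itself and only then accept the server's new tree, otherwise a server could slip in a rewritten record under a root the proxy did not compute.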

    USER IDENTIFICATION USING MULTIFACETED FOOTPRINTS
    10.
    Published application
    USER IDENTIFICATION USING MULTIFACETED FOOTPRINTS (In force)

    Publication number: US20140012973A1

    Publication date: 2014-01-09

    Application number: US13542422

    Filing date: 2012-07-05

    IPC classification: G06F15/173

    Abstract: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.

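    The matching and aggregation described in entries 2 and 10 above, as one added example that is not the patent's own code: per-facet footprints of known users, context-dependent priors on the facets, an ensemble prior built by pooling all footprints, and a score for the unknown user's traces against each footprint. The facets, priors, footprints and traces are constructed, and scoring each trace as a prior-weighted log-likelihood ratio against the ensemble is this example's choice of aggregation, not a detail the abstract gives.

```python
# Added example (not the patent's code): identify an unknown user from network
# traces by matching them against known users' per-facet footprints, weighting
# each facet by a context-dependent prior, and scoring against an ensemble
# prior built by pooling all footprints. Facets, priors, footprints and traces
# are constructed; the log-likelihood-ratio scoring is this example's choice.
import math
from collections import Counter

FACETS = ("dst_host", "hour", "user_agent")

# Priors: how much each facet is trusted in each context (assumed weights)
PRIORS = {
    "office": {"dst_host": 1.0, "hour": 0.5, "user_agent": 0.8},
    "vpn":    {"dst_host": 1.0, "hour": 1.0, "user_agent": 0.3},
}

# Known users' footprints: per facet, counts of observed values (constructed)
FOOTPRINTS = {
    "alice": {"dst_host": Counter({"git.corp": 40, "jira.corp": 30, "mail.corp": 30}),
              "hour": Counter({9: 20, 10: 30, 11: 25, 14: 25}),
              "user_agent": Counter({"Firefox/122": 90, "curl/8.4": 10})},
    "bob":   {"dst_host": Counter({"mail.corp": 50, "crm.corp": 40, "jira.corp": 10}),
              "hour": Counter({8: 30, 9: 30, 16: 20, 17: 20}),
              "user_agent": Counter({"Chrome/121": 100})},
    "carol": {"dst_host": Counter({"git.corp": 60, "ci.corp": 40}),
              "hour": Counter({22: 40, 23: 40, 0: 20}),
              "user_agent": Counter({"curl/8.4": 70, "Firefox/122": 30})},
}

def ensemble_prior(footprints):
    """Pool every known user's counts per facet: the population baseline."""
    ens = {f: Counter() for f in FACETS}
    for fp in footprints.values():
        for f in FACETS:
            ens[f].update(fp[f])
    return ens

def smoothed_prob(counter, value, vocab, alpha=1.0):
    """Laplace-smoothed P(value | facet); vocab includes one slot for unseen values."""
    return (counter.get(value, 0) + alpha) / (sum(counter.values()) + alpha * vocab)

def match(traces, footprint, ensemble, context, priors=PRIORS):
    """Prior-weighted log-likelihood ratio of the traces under one user's
    footprint versus the ensemble; higher means a better match."""
    score = 0.0
    for facet, value in traces:
        vocab = len(ensemble[facet]) + 1
        p_user = smoothed_prob(footprint[facet], value, vocab)
        p_pop = smoothed_prob(ensemble[facet], value, vocab)
        score += priors[context][facet] * math.log(p_user / p_pop)
    return score

def identify(traces, context, footprints=FOOTPRINTS):
    """Most probable identity plus a softmax confidence over all known users."""
    ens = ensemble_prior(footprints)
    scores = {u: match(traces, fp, ens, context) for u, fp in footprints.items()}
    z = sum(math.exp(s) for s in scores.values())
    confidence = {u: math.exp(s) / z for u, s in scores.items()}
    return max(scores, key=scores.get), confidence

# Constructed traces of an unknown user seen over the VPN
TRACES = [("dst_host", "git.corp"), ("dst_host", "ci.corp"),
          ("hour", 23), ("user_agent", "curl/8.4")]

if __name__ == "__main__":
    who, conf = identify(TRACES, "vpn")
    print(who, {u: round(c, 3) for u, c in conf.items()})
```

    Dividing by the ensemble probability is what keeps a value everyone exhibits (mail.corp in the constructed data) from counting as evidence for anyone, while a value only one user exhibits (late-night hours, ci.corp) is weighted heavily. The context prior changes the verdict only when facets disagree, which is the situation the patent's per-context priors are meant to arbitrate; a deployment should also treat the confidence as a ranking signal rather than an attribution, since the softmax assumes the unknown user is one of the known ones.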