Methods and systems for detecting obfuscated executables
    1.
    发明授权
    Methods and systems for detecting obfuscated executables 有权
    检测模糊可执行文件的方法和系统

    公开(公告)号:US09135442B1

    公开(公告)日:2015-09-15

    申请号:US12130827

    申请日:2008-05-30

    申请人: Mark Kennedy

    发明人: Mark Kennedy

    IPC分类号: G06F9/44 G06F21/56 G06F9/445

    CPC分类号: G06F21/563 G06F9/44589

    摘要: A computer-implemented method for detecting an obfuscated executable may include identifying an executable file programmed to execute on a target architecture. The method may also include disassembling a first section of the executable file and determining whether the first section of the executable file comprises a valid instruction. The method may further include determining, based on whether the first section of the executable file comprises a valid instruction, whether the executable file poses a security risk. Various other methods, computer-readable media, and systems are also disclosed.

    摘要翻译: 用于检测混淆的可执行程序的计算机实现的方法可以包括识别被编程为在目标架构上执行的可执行文件。 该方法还可以包括拆卸可执行文件的第一部分并确定可执行文件的第一部分是否包括有效指令。 该方法还可以包括基于可执行文件的第一部分是否包括有效指令来确定可执行文件是否构成安全风险。 还公开了各种其它方法,计算机可读介质和系统。

    Systems and methods for reducing false positives produced by heuristics
    2.
    发明授权
    Systems and methods for reducing false positives produced by heuristics 有权
    用于减少启发式产生的假阳性的系统和方法

    公开(公告)号:US08635171B1

    公开(公告)日:2014-01-21

    申请号:US12542099

    申请日:2009-08-17

    申请人: Mark Kennedy

    发明人: Mark Kennedy

    IPC分类号: G06F15/18

    摘要: An exemplary method for reducing false positives produced by heuristics may include: 1) training a heuristic using a set of training data, 2) deploying the heuristic, 3) identifying false positives produced by the heuristic during deployment, and then 4) tuning the heuristic by: a) duplicating at least a portion of the false positives, b) modifying the training data to include the duplicate false positives, and c) re-training the heuristic using the modified training data. Corresponding systems and computer-readable media are also disclosed.

    摘要翻译: 用于减少启发式产生的假阳性的示例性方法可以包括:1)使用一组训练数据训练启发式,2)部署启发式,3)识别在部署期间由启发式产生的误报,然后4)调整启发式 通过:a)复制至少一部分假阳性,b)修改训练数据以包括重复的假阳性,以及c)使用修改的训练数据重新训练启发式。 还公开了相应的系统和计算机可读介质。

    Malware detection efficacy by identifying installation and uninstallation scenarios
    3.
    发明授权
    Malware detection efficacy by identifying installation and uninstallation scenarios 有权
    通过识别安装和卸载方案来检测恶意软件的功能

    公开(公告)号:US08578345B1

    公开(公告)日:2013-11-05

    申请号:US12761364

    申请日:2010-04-15

    IPC分类号: G06F9/44 G06F9/445 G06F11/00

    CPC分类号: G06F21/566 G06F21/57

    摘要: The launch of an installer or uninstaller is detected. A process lineage tree is created representing the detected launched installer/uninstaller process, and all processes launched directly and indirectly thereby. The detected installer/uninstaller process is represented by the root node in the process lineage tree. Launches of child processes by the installer/uninstaller process and by any subsequently launched child processes are detected. The launched child processes are represented by child nodes in the tree. As long as the installer/uninstaller process represented by the root node in the tree is running, the processes represented by nodes in tree are exempted from anti-malware analysis. The termination of the installer/uninstaller process is detected, after which the processes represented by nodes in the process lineage tree are no longer exempted from anti-malware analysis.

    摘要翻译: 检测到启动安装程序或卸载程序。 创建一个进程谱系树,表示检测到的启动的安装程序/卸载程序进程,以及由此直接和间接启动的所有进程。 检测到的安装程序/卸载程序进程由进程谱系树中的根节点表示。 检测到安装程序/卸载程序进程和任何后续启动的子进程启动子进程。 启动的子进程由树中的子节点表示。 只要树中的根节点所表示的安装程序/卸载程序进程正在运行,树中节点所代表的进程将被免除防恶意软件分析。 检测到安装程序/卸载程序进程的终止,之后,进程谱系树中由节点表示的进程不再被免除防恶意软件分析。

    Systems and methods for identifying an executable file obfuscated by an unknown obfuscator program
    4.
    发明授权
    Systems and methods for identifying an executable file obfuscated by an unknown obfuscator program 有权
    用于识别由未知混淆器程序模糊的可执行文件的系统和方法

    公开(公告)号:US08205263B1

    公开(公告)日:2012-06-19

    申请号:US12335890

    申请日:2008-12-16

    申请人: Mark Kennedy

    发明人: Mark Kennedy

    CPC分类号: G06F21/564

    摘要: A method for analyzing an unverified executable file within an antivirus engine in order to identify the executable file as being obfuscated by an unknown obfuscator program is described. An unverified executable file comprising obfuscated library strings is received. A list of pre-verified library strings is accessed. A determination is made as to whether the unverified executable file comprises one or more of the pre-verified library strings. The unverified executable file is identified as being obfuscated by an unknown obfuscator program if the file does not comprise one or more of the pre-verified library strings.

    摘要翻译: 描述了用于分析防病毒引擎内的未验证可执行文件以便将可执行文件识别为由未知混淆器程序模糊化的方法。 收到包含模糊化库字符串的未验证的可执行文件。 访问预验证的库字符串的列表。 确定未验证的可执行文件是否包括一个或多个预验证的库字符串。 未验证的可执行文件被识别为由未知的混淆器程序模糊,如果该文件不包括一个或多个预验证的库字符串。

    Stealth threat detection
    5.
    发明授权
    Stealth threat detection 有权
    隐身威胁检测

    公开(公告)号:US07934259B1

    公开(公告)日:2011-04-26

    申请号:US11290235

    申请日:2005-11-29

    申请人: Mark Kennedy

    发明人: Mark Kennedy

    CPC分类号: G06F21/554

    摘要: A stealth threat detection manager detects stealth threats. The stealth threat detection manager monitors system activities that are vulnerable to being used by stealth threats. Dynamic link libraries are often used by stealth threats, so in some embodiments the stealth threat detection manager monitors for the loading thereof. The stealth threat detection manager detects when a system activity being monitored occurs, and after the occurrence of the activity, determines whether a specific component associated with the activity (e.g., the dynamic link library being loaded) is accessible on the computer. If the component is accessible, the stealth threat detection manager concludes that the component is non-stealthed. On the other hand, if the component is not accessible, the stealth threat detection manager concludes that the component is a stealth threat, and takes appropriate action in response.

    摘要翻译: 隐身威胁检测管理员可以侦测隐身威胁。 隐身威胁检测管理员监视易受隐身威胁使用的系统活动。 动态链接库通常由隐身威胁使用,因此在一些实施例中,隐身威胁检测管理器监视其加载。 隐身威胁检测管理器检测何时发生被监视的系统活动,并且在活动发生之后,确定与活动相关联的特定组件(例如,正在加载的动态链接库)是否可在计算机上访问。 如果该组件可访问,隐身威胁检测管理员认为该组件是非窃取的。 另一方面,如果组件无法访问,隐身威胁检测管理员认为该组件是隐身威胁,并采取适当的措施作出响应。

    Method and apparatus for detecting hidden rootkits
    6.
    发明授权
    Method and apparatus for detecting hidden rootkits 有权
    用于检测隐藏的Rootkit的方法和装置

    公开(公告)号:US07665123B1

    公开(公告)日:2010-02-16

    申请号:US11292687

    申请日:2005-12-01

    IPC分类号: G06F12/14 G06F11/00

    摘要: In one embodiment an IO request packet (IRP) attempting to access a computer disk is evaluated to determine if the request identifies an area of a computer disk to be accessed that is marked as bad in a file system. When the request identifies an area of the computer disk to be accessed that is marked as bad in a file system, the request is assumed to be indicative of a rootkit. In another embodiment an IO request packet is evaluated to determine if the request identifies an area of the computer disk to be accessed that was not identified in requests detected in the file system level of the kernel. When the stalled request identifies an area of the computer disk to be accessed not detected in requests detected in the file system level of the kernel, the request is assumed to be indicative of a rootkit.

    摘要翻译: 在一个实施例中,评估尝试访问计算机磁盘的IO请求分组(IRP),以确定该请求是否识别在文件系统中标记为不良的要访问的计算机磁盘的区域。 当请求标识要在文件系统中被标记为坏的要访问的计算机磁盘的区域时,该请求被假定为指示rootkit。 在另一个实施例中,评估IO请求分组以确定该请求是否识别在内核的文件系统级别中检测到的请求中未识别的要访问的计算机磁盘的区域。 当停止的请求标识在内核的文件系统级别中检测到的请求中未被检测到的要访问的计算机磁盘的区域时,该请求被假定为指示rootkit。

    Blocking e-mail propagation of suspected malicious computer code
    7.
    发明授权
    Blocking e-mail propagation of suspected malicious computer code 有权
    阻止可疑恶意计算机代码的电子邮件传播

    公开(公告)号:US07490244B1

    公开(公告)日:2009-02-10

    申请号:US10941527

    申请日:2004-09-14

    IPC分类号: H04L9/00

    摘要: Methods, apparatuses, and computer-readable media for preventing the spread of malicious computer code. An embodiment of the inventive method comprises the steps of: identifying (110) a computer application that is data mining an e-mail address; determining (130) whether the computer application associates at least one executable application and the data mined e-mail address with an e-mail message (120); and blocking (140) the transmission of the e-mail message when the e-mail message is associated with the at least one executable application and the data mined e-mail address.

    摘要翻译: 用于防止恶意计算机代码扩散的方法,装置和计算机可读介质。 本发明方法的实施例包括以下步骤:识别(110)数据挖掘电子邮件地址的计算机应用程序; 确定(130)计算机应用程序是否将至少一个可执行应用程序和数据挖掘的电子邮件地址与电子邮件消息(120)相关联; 以及当所述电子邮件消息与所述至少一个可执行应用程序和所述数据挖掘的电子邮件地址相关联时,阻止(140)所述电子邮件消息的发送。

    PENETRABLE CAP
    8.
    发明申请
    PENETRABLE CAP 有权
    透明帽

    公开(公告)号:US20080072690A1

    公开(公告)日:2008-03-27

    申请号:US11869233

    申请日:2007-10-09

    摘要: A cap which can form an essentially leak-proof seal with an open-ended vessel capable of receiving and holding fluid specimens or other materials for analysis. To minimize potentially contaminating contact between a fluid sample present in the vessel and humans or the environment, the present invention features a cap having a frangible seal which is penetrable by a plastic pipette tip or other fluid transfer device. The cap further includes a filter for limiting dissemination of an aerosol or bubbles once the frangible seal has been pierced. The filter is positioned between the frangible seal and a retaining structure. The retaining structure is positioned on the cap above the filter and may be used to contain the filter within the cap. The material of the retaining structure may be penetrable by a fluid transfer device.

    摘要翻译: 可以与能够接收和保持流体样本或其他材料进行分析的开放式容器形成基本上防漏密封的盖。 为了最小化容器中存在的流体样品与人类或环境之间的潜在的污染接触,本发明的特征在于具有可由塑料吸头或其他流体传送装置穿透的易碎密封件的盖。 一旦破裂密封件被刺穿,盖子还包括用于限制气溶胶或气泡的传播的过滤器。 过滤器位于易碎密封件和保持结构之间。 保持结构定位在过滤器上方的帽上,并且可以用于将过滤器容纳在盖内。 保持结构的材料可以被流体转移装置穿透。

    Clamp and method of making same
    9.
    发明申请
    Clamp and method of making same 审中-公开
    夹具和制作方法

    公开(公告)号:US20050048640A1

    公开(公告)日:2005-03-03

    申请号:US10921824

    申请日:2004-08-20

    摘要: A clamp includes a hoop section and actuating elements. The hoop section forms a cavity for holding a tubular object. The hoop section has first and second ends. First and second actuating elements are respectively coupled with the first and second ends of the hoop section. Squeezing the ends of the actuating members together causes the hoop section to expand to facilitate installation of the clamp onto an object to be clamped and removal of the clamp from the object. Thus, the clamping force generated by the clamp is limited by the restoring forces inherent in the shape, sized, and material of the hoop section when the actuating members are released. The actuating members include expansion limiting extensions which contact each other after a prescribed amount of expansion of the hoop section to thereby prevent further expansion, and possible yielding, of the hoop section. The clamp can be employed as an anti-rotation device secured to a syringe of a syringe pump.

    摘要翻译: 夹具包括箍部和致动元件。 环形部分形成用于保持管状物体的空腔。 箍部分具有第一和第二端。 第一和第二致动元件分别与箍部分的第一和第二端连接。 将致动构件的端部挤压在一起使得环箍部分膨胀以便于将夹具安装到待夹紧的物体上并且将夹具从物体上移除。 因此,当释放致动构件时,由夹具产生的夹持力受到固定在形状,尺寸和箍部分的材料上的恢复力的限制。 致动构件包括在箍部的规定量的膨胀之后彼此接触从而防止箍部的进一步膨胀和可能屈服的膨胀限制延伸部。 夹具可用作固定到注射器泵的注射器的防旋转装置。

    Systems and methods for using multiple in-line heuristics to reduce false positives
    10.
    发明授权
    Systems and methods for using multiple in-line heuristics to reduce false positives 有权
    使用多个在线启发式方法来减少误报的系统和方法

    公开(公告)号:US08280830B2

    公开(公告)日:2012-10-02

    申请号:US12550880

    申请日:2009-08-31

    申请人: Mark Kennedy

    发明人: Mark Kennedy

    IPC分类号: G06N5/00

    CPC分类号: G06N99/005

    摘要: An exemplary method for using multiple in-line heuristics to reduce false positives may include: 1) training a first heuristic using a set of training data, 2) deploying the first heuristic, 3) identifying false positives produced by the first heuristic during deployment, 4) modifying the training data to include the false positives produced by the first heuristic, 5) creating a second heuristic using the modified training data, 6) deploying both the first heuristic and the second heuristic, and then 7) applying both the first heuristic and the second heuristic, in sequence, to a set of field data.

    摘要翻译: 使用多个在线启发式来减少误报的示例性方法可以包括:1)使用一组训练数据训练第一启发式,2)部署第一启发式,3)识别在部署期间由第一启发式产生的假阳性, 4)修改训练数据以包括由第一启发式产生的假阳性,5)使用修改的训练数据创建第二启发式,6)部署第一启发式和第二启发式,然后7)应用第一启发式 而第二个启发式依次是一组现场数据。