-
Publication No.: US12254089B1
Publication Date: 2025-03-18
Application No.: US18535386
Filing Date: 2023-12-11
Applicant: Trend Micro Inc.
Inventor: Yin-Ming Chang , Hsing-Yun Chen , Hsin-Wen Kung , Li-Chun Sung , Si-Wei Wang
IPC: G06F21/56 , G06F9/54 , G06F18/23213
Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors are created based upon a q-gram for each sample. Prototype extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold, and a malware family name is then assigned to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and a fixed distance. In the case that no such prototype is close enough, the behavior report of the sample is rejected and tagged as an unknown sample or as belonging to an emerging malware family.
-
Publication No.: US11886586B1
Publication Date: 2024-01-30
Application No.: US16811651
Filing Date: 2020-03-06
Applicant: Trend Micro Inc.
Inventor: Yin-Ming Chang , Hsing-Yun Chen , Hsin-Wen Kung , Li-Chun Sung , Si-Wei Wang
IPC: G06F21/56 , G06F9/54 , G06F18/23213
CPC classification number: G06F21/566 , G06F9/54 , G06F18/23213 , G06F21/568
Abstract: Behavior report generation monitors the behavior of unknown sample files executing in a sandbox. Behaviors are encoded and feature vectors are created based upon a q-gram for each sample. Prototype extraction includes extracting prototypes from the training set of feature vectors using a clustering algorithm. Once prototypes are identified in this training process, the prototypes with unknown labels are reviewed by domain experts who add a label to each prototype. A K-Nearest Neighbor Graph is used to merge prototypes into fewer prototypes without using a fixed distance threshold, and a malware family name is then assigned to each remaining prototype. An input unknown sample can be classified using the remaining prototypes and a fixed distance. In the case that no such prototype is close enough, the behavior report of the sample is rejected and tagged as an unknown sample or as belonging to an emerging malware family.
-
Publication No.: US11558375B1
Publication Date: 2023-01-17
Application No.: US16716156
Filing Date: 2019-12-16
Applicant: Trend Micro Inc.
IPC: H04L9/40 , G06F21/31 , H04L67/306 , G06F3/04886 , H04L9/32 , G06K7/14 , G06F21/42 , G06F21/34
Abstract: A virtual keyboard rendered on a separate computing device is independent of the user's computer. A virtual keyboard displayed on the user's computer screen is blank without any alphanumeric characters. Another virtual keyboard displayed on the user's independent computing device has a randomly generated layout of alphanumeric characters on a keypad. The user enters a password by pressing the blank keys of the blank keyboard on his computer screen with reference to the other virtual keyboard. The position sequence of these entered keys is sent to an application on a remote server computer. The remote server computer shares a virtual keyboard having the randomly generated layout of characters with the independent computing device via an online or off-line technique. When online, an encoded image of the encrypted layout is sent to the client computer and displayed for scanning by the device. When off-line, both the application and the device generate the same random key sequence by using the same pseudo random number generator and the same seed value.
-
Publication No.: US11487876B1
Publication Date: 2022-11-01
Application No.: US16841025
Filing Date: 2020-04-06
Applicant: Trend Micro Inc.
Inventor: Jayson Pryde
Abstract: A locality-sensitive hash value is calculated for a suspect file in an endpoint computer. A similarity score is calculated for the suspect hash value by comparing it to similarly-calculated hash values in a cluster of known benign files. A suspiciousness score is calculated for the suspect hash value based upon similar matches in a cluster of benign files and a cluster of known malicious files. The similarity score and the suspiciousness score are combined in order to determine whether the suspect file is malicious or not. Feature extraction and a set of features for the suspect file may be used instead of the hash value; the clusters would then contain sets of features rather than hash values. The clusters may reside in a cloud service database. The suspiciousness score is a modified Tarantula technique. Matching of locality-sensitive hashes may be performed by traversing tree structures of hash values.
-
Publication No.: US11461465B1
Publication Date: 2022-10-04
Application No.: US17207197
Filing Date: 2021-03-19
Applicant: TREND MICRO INC.
Inventor: Chuan Jiang , Xilin Li , Yafei Zhang
Abstract: A method protects a daemon in an operating system of a host computer. The operating system detects that a process in the computer is accessing a plist file of a daemon. If so, it executes a callback function registered for the plist file. The callback function sends a notification of the attempted access to a kernel extension. The kernel extension returns a value to the operating system indicating that the access should be denied. The operating system then denies the process access to the plist file of the daemon. The extension may also notify an application that prompts the user for instruction. The kernel extension also protects itself by executing its exit function when a command is given to unload the extension; the exit function determines whether or not the command is invoked by an authorized application, such as by checking a flag.
-
Publication No.: US11323476B1
Publication Date: 2022-05-03
Application No.: US16692680
Filing Date: 2019-11-22
Applicant: Trend Micro Inc.
IPC: G06F15/16 , H04L29/06 , G06F16/954 , G06F11/32
Abstract: A system is implemented in browser plug-in software or in endpoint agent software on a user computer. The user accesses a Web site, fills in a login request form and submits it to the Web site. The system triggers a “forgot password” feature and detects a phishing Web site by determining that it does not send a reset link to a valid user e-mail address, or by determining that it does send a reset link to an invalid e-mail address. Alternatively, the system detects a phishing Web site by determining that it sends a reset link to a user e-mail address from a domain different from the domain of the login request form. Alternatively, the system fills in an incorrect account name or password in the login request form and detects a phishing Web site by determining that the Web site does not indicate that the user name or password is incorrect. Alternatively, the system submits incorrect credentials and detects a phishing Web site by determining that the Web site does not implement any way to reset the account name or password.
-
Publication No.: US12063244B1
Publication Date: 2024-08-13
Application No.: US17867019
Filing Date: 2022-07-18
Applicant: Trend Micro Inc.
Inventor: Yilu Ou , Changxi Cao , Liangzhi Zhang
IPC: H04L29/06 , H04L9/40 , G06F40/143 , H04N21/8543
CPC classification number: H04L63/1441 , G06F40/143 , H04N21/8543
Abstract: An endpoint computer is protected from malicious distributed configuration profiles. The endpoint computer receives a distributed configuration profile over a computer network. Before installation of the distributed configuration profile in the endpoint computer, features of the distributed configuration profile are used to traverse a supervised decision tree. A rating score is generated based on weights of nodes of the supervised decision tree that are traversed using the features of the distributed configuration profile. The distributed configuration profile is detected to be malicious based at least on the rating score.
-
Publication No.: US11354409B1
Publication Date: 2022-06-07
Application No.: US16787204
Filing Date: 2020-02-11
Applicant: Trend Micro Inc.
Inventor: Ian Kenefick
Abstract: An agent on an endpoint computer computes a locality-sensitive hash value for the API call sequence of an executing process. This value is sent to a cloud computer that includes an API call sequence blacklist database of locality-sensitive hash values. A search of the database is performed using a balanced tree structure and the received hash value, and a match is determined based upon whether a metric distance is below or above a distance threshold. The received value may also be compared to a white list of locality-sensitive hash values. Attribute values of the executing process are also received from the endpoint computer and may be used to inform whether or not the executing process is deemed malicious. An indication of malicious or not is returned to the endpoint computer, and if malicious, the process may be terminated and its subject file deleted.
-
Publication No.: US11329936B1
Publication Date: 2022-05-10
Application No.: US16852015
Filing Date: 2020-04-17
Applicant: Trend Micro Inc.
IPC: H04L51/10 , H04L51/234 , H04L9/40 , H04L29/06
Abstract: The system executes online on corporate premises or in a cloud service, or offline. An e-mail message is received at a server within a corporate network or cloud service. A header of the e-mail message is parsed to determine the locations of the server computers through which the e-mail message has traveled. The geographic locations are placed into a routing map. A banner that includes the routing map, or a link to the routing map, is inserted into the e-mail message. The routing map is stored by the e-mail gateway server at a storage location identified by the link. The modified e-mail message is delivered, or downloaded from the e-mail server, to a user computer in real time. The sender Web site is parsed to identify sender domain information to be inserted into the banner. If offline, a product fetches and modifies the e-mail message using an API of the e-mail server.
-
Publication No.: US11516249B1
Publication Date: 2022-11-29
Application No.: US17234676
Filing Date: 2021-04-19
Applicant: TREND MICRO INC.
Abstract: An attachment to an e-mail message received at an e-mail gateway is scanned by a scan server and then converted into an HTML file. The HTML file includes preview data of the attachment (minus any macro scripts), the entire original data of the attachment, scan functionality enabling a user to send the attachment back to a scan server for a second scan, or extract functionality enabling a user to extract the original attachment data for saving or opening in an application. The recipient is able to open or save the attachment directly if he or she believes it comes from a trusted sender. If the attachment seems suspicious, the recipient previews the attachment first before performing a scan, opening the attachment or deleting it. The recipient performs a scan of the attachment by clicking a “scan” button that sends the attachment to a backend server for a second scan, where an updated virus pattern file may be available to detect any zero-day malware.