公开(公告)号：US07571482B2

公开(公告)日：2009-08-04

申请号：US11170792

申请日：2005-06-28

申请人： Alexey A. Polyakov ,  Gretchen L. Loihle ,  Mihai Costea ,  Robert J. Hensing, Jr. ,  Scott A. Field ,  Vincent R. Orgovan ,  Yi-Min Wang ,  Yun Lin

发明人： Alexey A. Polyakov ,  Gretchen L. Loihle ,  Mihai Costea ,  Robert J. Hensing, Jr. ,  Scott A. Field ,  Vincent R. Orgovan ,  Yi-Min Wang ,  Yun Lin

IPC分类号： G06F12/14 ,  G06F11/00

CPC分类号： G06F21/566

摘要： Embodiments of a RootKit detector are directed to identifying a RootKit on a computer that is designed to conceal malware. Aspects of the RootKit detector leverage services provided by kernel debugger facilities to automatically obtain data in specified data structures that are maintained by an operating system. Then the data obtained from the kernel debugger facilities is processed with an integrity checker that determines whether the data contains properties sufficient to declare that a RootKit is resident on the computer.

摘要翻译： RootKit检测器的实施例旨在识别被设计为隐藏恶意软件的计算机上的RootKit。 RootKit检测器的各个方面利用内核调试工具提供的服务来自动获取由操作系统维护的指定数据结构中的数据。 然后，使用完整性检查器处理从内核调试器设备获取的数据，该检查器确定数据是否包含足以声明RootKit驻留在计算机上的属性。

公开(公告)号：US08453027B2

公开(公告)日：2013-05-28

申请号：US12561608

申请日：2009-09-17

申请人： Kevin Bartz ,  Jack Wilson Stokes, III ,  Ryan S. Kivett ,  David G. Grant ,  Gretchen L. Loihle ,  Silviu C. Calinoiu

发明人： Kevin Bartz ,  Jack Wilson Stokes, III ,  Ryan S. Kivett ,  David G. Grant ,  Gretchen L. Loihle ,  Silviu C. Calinoiu

IPC分类号： G06F11/07 ,  G06F11/20

CPC分类号： G06F11/079 ,  G06F11/0709 ,  H04L41/0631

摘要： Techniques for determining similarity between error reports received by an error reporting service. An error report may be compared to other previously-received error reports to determine similarity and facilitate diagnosing and resolving an error that generated the error report. In some implementations, the similarity may be determined by comparing frames included in a callstack of an error report to frames included in callstacks in other error reports to determine an edit distance between the callstacks, which may be based on the number and type of frame differences between callstacks. Each type of change may be weighted differently when determining the edit distance. Additionally or alternatively, the comparison may be performed by comparing a type of error, process names, and/or exception codes for the errors contained in the error reports. The similarity may be expressed as a probability that two error reports were generated as a result of a same error.

摘要翻译： 确定错误报告服务接收的错误报告之间的相似性的技术。 可以将错误报告与其他先前接收到的错误报告进行比较，以确定相似性，并便于诊断和解决生成错误报告的错误。 在一些实现中，可以通过将包括在错误报告的调用堆栈中的帧与包括在其他错误报告中的调用堆栈中的帧进行比较来确定呼叫栈之间的编辑距离来确定相似性，这可以基于帧差异的数量和类型 在电话堆栈之间。 当确定编辑距离时，每种类型的变化可以被不同地加权。 另外或替代地，可以通过比较错误报告中包含的错误，过程名称和/或异常代码的类型来执行比较。 相似性可以表示为由于相同错误而产生两个错误报告的概率。

公开(公告)号：US20110066908A1

公开(公告)日：2011-03-17

申请号：US12561608

申请日：2009-09-17

申请人： Kevin Bartz ,  Jack Wilson Stokes, III ,  Ryan S. Kivett ,  David G. Grant ,  Gretchen L. Loihle ,  Silviu C. Calinoiu

发明人： Kevin Bartz ,  Jack Wilson Stokes, III ,  Ryan S. Kivett ,  David G. Grant ,  Gretchen L. Loihle ,  Silviu C. Calinoiu

IPC分类号： G06F11/00

CPC分类号： G06F11/079 ,  G06F11/0709 ,  H04L41/0631

摘要： Techniques for determining similarity between error reports received by an error reporting service. An error report may be compared to other previously-received error reports to determine similarity and facilitate diagnosing and resolving an error that generated the error report. In some implementations, the similarity may be determined by comparing frames included in a callstack of an error report to frames included in callstacks in other error reports to determine an edit distance between the callstacks, which may be based on the number and type of frame differences between callstacks. Each type of change may be weighted differently when determining the edit distance. Additionally or alternatively, the comparison may be performed by comparing a type of error, process names, and/or exception codes for the errors contained in the error reports. The similarity may be expressed as a probability that two error reports were generated as a result of a same error.

摘要翻译： 确定错误报告服务接收的错误报告之间的相似性的技术。 可以将错误报告与其他先前接收到的错误报告进行比较，以确定相似性，并便于诊断和解决生成错误报告的错误。 在一些实现中，可以通过将包括在错误报告的调用堆栈中的帧与包括在其他错误报告中的调用堆栈中的帧相比较来确定相似性，以确定调用堆栈之间的编辑距离，其可以基于帧差异的数量和类型 在电话堆栈之间。 当确定编辑距离时，每种类型的变化可以被不同地加权。 另外或替代地，可以通过比较错误报告中包含的错误，过程名称和/或异常代码的类型来执行比较。 相似性可以表示为由于相同错误而产生两个错误报告的概率。