公开(公告)号：US08341740B2

公开(公告)日：2012-12-25

申请号：US12124431

申请日：2008-05-21

申请人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

发明人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

IPC分类号： G06F21/00

CPC分类号： H04L63/1416

摘要： Malware detection systems are presented in which a list is constructed of enterprise hosts to or from which each given enterprise network host sends or receives packets within a current measurement period and statistics are accumulated based on two or more measurement period lists, with a count value being derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets, and one or more monitored hosts may be identified as suspected of being infected with slow and/or distributed scanning malware for which the count value exceeds a threshold value.

摘要翻译： 提供了恶意软件检测系统，其中列表是由企业主机构成的，每个企业主机在每个给定的企业网络主机在当前测量周期内发送或接收分组，并且基于两个或更多个测量周期列表累积统计信息，计数值为 从统计信息中导出，以指示每个受监视主机发送或接收的数据包的其他主机的数量，以及一个或多个受监视主机可能被识别为怀疑被慢扫描和/或分布式扫描恶意软件感染，计数值 超过阈值。

公开(公告)号：US20090293122A1

公开(公告)日：2009-11-26

申请号：US12124431

申请日：2008-05-21

申请人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

发明人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

IPC分类号： G06F11/00

CPC分类号： H04L63/1416

摘要： Malware detection systems are presented in which a list is constructed of enterprise hosts to or from which each given enterprise network host sends or receives packets within a current measurement period and statistics are accumulated based on two or more measurement period lists, with a count value being derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets, and one or more monitored hosts may be identified as suspected of being infected with slow and/or distributed scanning malware for which the count value exceeds a threshold value.

摘要翻译： 提供了恶意软件检测系统，其中列表是由企业主机构成的，每个企业主机在每个给定的企业网络主机在当前测量周期内发送或接收分组，并且基于两个或更多个测量周期列表累积统计信息，计数值为 从统计信息中导出，以指示每个受监视主机发送或接收的数据包的其他主机的数量，以及一个或多个受监控主机可能被识别为怀疑被慢扫描和/或分布式扫描恶意软件感染，计数值 超过阈值。

公开(公告)号：US20090328220A1

公开(公告)日：2009-12-31

申请号：US12145768

申请日：2008-06-25

申请人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

发明人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

IPC分类号： G06F21/00

CPC分类号： H04L63/145 ,  G06F21/552

摘要： Malware detection systems and methods are presented in which header data of protocol data units (PDUs) are examined at a wireless access switch shared by multiple clients, and the PDU type and client are used to establish counters, with the count values being analyzed to identify clients suspected of being infected with malware.

摘要翻译： 介绍了恶意软件检测系统和方法，其中在多个客户端共享的无线接入交换机上检查协议数据单元（PDU）的报头数据，并且使用PDU类型和客户端建立计数器，计数值被分析以识别 怀疑被恶意软件感染的客户。

公开(公告)号：US08250645B2

公开(公告)日：2012-08-21

申请号：US12145768

申请日：2008-06-25

申请人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

发明人： Bassem Abdel-Aziz ,  Stanley Chow ,  Shu-Lin Chen

IPC分类号： H04L29/06

CPC分类号： H04L63/145 ,  G06F21/552

摘要： Malware detection systems and methods are presented in which header data of protocol data units (PDUs) are examined at a wireless access switch shared by multiple clients, and the PDU type and client are used to establish counters, with the count values being analyzed to identify clients suspected of being infected with malware.

摘要翻译： 介绍了恶意软件检测系统和方法，其中在多个客户端共享的无线接入交换机上检查协议数据单元（PDU）的报头数据，并且使用PDU类型和客户端建立计数器，计数值被分析以识别 怀疑被恶意软件感染的客户。

公开(公告)号：US20090044276A1

公开(公告)日：2009-02-12

申请号：US12248537

申请日：2008-10-09

申请人： Bassem Abdel-Aziz ,  Stanley Taihai Chow ,  Shu-Lin Chen

发明人： Bassem Abdel-Aziz ,  Stanley Taihai Chow ,  Shu-Lin Chen

IPC分类号： G06F21/00 ,  G06F12/14

CPC分类号： H04L63/1425 ,  H04L63/145

摘要： A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.

摘要翻译： 检测恶意软件的方法可以包括：a）检查由接入交换机的端口传送的每个PDU中的标题数据，以识别从本地网络设备传送的PDU; b）至少部分地提取用于PDU的远端设备地址 在检查对应的标题数据的地址部分时，c）保持指示在连续时间窗口期间从PDU提取的唯一的远端设备地址的数量的扇出信息，d）基于扇区数据确定当前趋势， 输出当前时间窗口的信息，e）将当前趋势与预期趋势进行比较，以及f）当当前趋势以趋势阈值超过预期趋势时，识别本地网络设备中的疑似恶意软件感染。 可以实现该方法的网络元件可以包括头部数据处理单元，数据存储逻辑，数据处理逻辑和恶意软件识别逻辑。

公开(公告)号：US08112801B2

公开(公告)日：2012-02-07

申请号：US12248537

申请日：2008-10-09

申请人： Bassem Abdel-Aziz ,  Stanley Taihai Chow ,  Shu-Lin Chen

发明人： Bassem Abdel-Aziz ,  Stanley Taihai Chow ,  Shu-Lin Chen

IPC分类号： G06F12/14 ,  H04L9/32

CPC分类号： H04L63/1425 ,  H04L63/145

摘要： A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.

摘要翻译： 检测恶意软件的方法可以包括：a）检查由接入交换机的端口传送的每个PDU中的标题数据，以识别从本地网络设备传送的PDU; b）至少部分地提取用于PDU的远端设备地址 在检查对应的标题数据的地址部分时，c）保持指示在连续时间窗口期间从PDU提取的唯一的远端设备地址的数量的扇出信息，d）基于扇区数据确定当前趋势， 输出当前时间窗口的信息，e）将当前趋势与预期趋势进行比较，以及f）当当前趋势以趋势阈值超过预期趋势时，识别本地网络设备中的疑似恶意软件感染。 可以实现该方法的网络元件可以包括头部数据处理单元，数据存储逻辑，数据处理逻辑和恶意软件识别逻辑。

公开(公告)号：US08542581B2

公开(公告)日：2013-09-24

申请号：US12212868

申请日：2008-09-18

申请人： Shu-Lin Chen ,  Vinod Choyi ,  Bassem Abdel-Aziz

发明人： Shu-Lin Chen ,  Vinod Choyi ,  Bassem Abdel-Aziz

IPC分类号： H04L1/00

CPC分类号： H04W12/12 ,  H04L63/1408 ,  H04L63/1491

摘要： Malicious clients within a wireless access network are identified using bait traffic transmitted between a collaborating wireless access point and a collaborating client. The bait traffic entices a malicious client to transmit malicious traffic towards the collaborating wireless access point. Upon receiving the malicious traffic, the collaborating wireless access point is able to identify the malicious client and report the presence of the malicious client within the wireless access network.

摘要翻译： 使用在协作无线接入点和协作客户端之间传输的诱饵流量来识别无线接入网络内的恶意客户端。 诱饵流量引起恶意客户端向合作无线接入点传输恶意流量。 在接收到恶意流量时，协作无线接入点能够识别恶意客户端，并在无线接入网络内报告恶意客户端的存在。

公开(公告)号：US20100067504A1

公开(公告)日：2010-03-18

申请号：US12212868

申请日：2008-09-18

申请人： Shu-Lin Chen ,  Vinod Choyi ,  Bassem Abdel-Aziz

发明人： Shu-Lin Chen ,  Vinod Choyi ,  Bassem Abdel-Aziz

IPC分类号： H04Q7/24

CPC分类号： H04W12/12 ,  H04L63/1408 ,  H04L63/1491

摘要： Malicious clients within a wireless access network are identified using bait traffic transmitted between a collaborating wireless access point and a collaborating client. The bait traffic entices a malicious client to transmit malicious traffic towards the collaborating wireless access point. Upon receiving the malicious traffic, the collaborating wireless access point is able to identify the malicious client and report the presence of the malicious client within the wireless access network.

摘要翻译： 使用在协作无线接入点和协作客户端之间传输的诱饵流量来识别无线接入网络内的恶意客户端。 诱饵流量引起恶意客户端向合作无线接入点传输恶意流量。 在接收到恶意流量时，协作无线接入点能够识别恶意客户端，并在无线接入网络内报告恶意客户端的存在。

公开(公告)号：US08181249B2

公开(公告)日：2012-05-15

申请号：US12039817

申请日：2008-02-29

申请人： Stanley Chow ,  Bassem Abdel-Aziz ,  Faud Khan

发明人： Stanley Chow ,  Bassem Abdel-Aziz ,  Faud Khan

IPC分类号： G06F12/14

CPC分类号： H04L63/145 ,  G06F21/566 ,  H04L63/1491

摘要： Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.

摘要翻译： 提出了用于检测蠕虫的方法和系统，其中网络交换机通过将一个或多个端口分配为诱饵地址，发送传出诱饵分组以及将发送意外的传入分组的受损主机识别到 诱饵地址

公开(公告)号：US20120117653A1

公开(公告)日：2012-05-10

申请号：US13352451

申请日：2012-01-18

申请人： Stanley Chow ,  Bassem Abdel-Aziz ,  Faud Khan

发明人： Stanley Chow ,  Bassem Abdel-Aziz ,  Faud Khan

IPC分类号： G06F12/14

CPC分类号： H04L63/145 ,  G06F21/566 ,  H04L63/1491

摘要： Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.

摘要翻译： 提出了用于检测蠕虫的方法和系统，其中网络交换机通过将一个或多个端口分配为诱饵地址，发送传出诱饵分组以及将发送意外的传入分组的受损主机识别到 诱饵地址