1. METHOD AND APPARATUS FOR DETECTING MALWARE
    Type: Invention application (published) | Status: In force

    Publication number: US20090044276A1

    Publication date: 2009-02-12

    Application number: US12248537

    Application date: 2008-10-09

    IPC classification: G06F21/00 G06F12/14

    CPC classification: H04L63/1425 H04L63/145

    Abstract: A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.

2. Method and apparatus for detecting malware
    Type: Granted invention patent | Status: In force

    Publication number: US08112801B2

    Publication date: 2012-02-07

    Application number: US12248537

    Application date: 2008-10-09

    IPC classification: G06F12/14 H04L9/32

    CPC classification: H04L63/1425 H04L63/145

    Abstract: A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.

3. Method and system for counting new destination addresses
    Type: Granted invention patent | Status: In force

    Publication number: US07917957B2

    Publication date: 2011-03-29

    Application number: US11802965

    Application date: 2007-05-29

    IPC classification: G06F11/00 G06F7/04 H04L9/00

    CPC classification: H04L63/1416

    Abstract: Packets of a certain type from a certain source are directed to a system that estimates the set of destinations, and the number of new destinations, to which that source has sent packets during a time window T_i. Instead of maintaining tables with the complete destination addresses for each source, the destination addresses are hashed and stored in a small bit array. The sets of destinations for a number of successive time windows are OR'ed to build cumulative tables C_i, where C_i includes all destinations that have been seen between T_0 and T_i. The new destinations are determined by counting the destinations set in T_i but not in C_{i-1}. Any change from the typical patterns can be suspected of being a slow scan.

4. Method and system for counting new destination addresses
    Type: Invention application (published) | Status: In force

    Publication number: US20080301812A1

    Publication date: 2008-12-04

    Application number: US11802965

    Application date: 2007-05-29

    IPC classification: G06F12/14

    CPC classification: H04L63/1416

    Abstract: Packets of a certain type from a certain source are directed to a system that estimates the set of destinations, and the number of new destinations, to which that source has sent packets during a time window T_i. Instead of maintaining tables with the complete destination addresses for each source, the destination addresses are hashed and stored in a small bit array. The sets of destinations for a number of successive time windows are OR'ed to build cumulative tables C_i, where C_i includes all destinations that have been seen between T_0 and T_i. The new destinations are determined by counting the destinations set in T_i but not in C_{i-1}. Any change from the typical patterns can be suspected of being a slow scan.

5. Worm detection by trending fan out
    Type: Granted invention patent | Status: In force

    Publication number: US08095981B2

    Publication date: 2012-01-10

    Application number: US11785655

    Application date: 2007-04-19

    IPC classification: G06F21/00

    Abstract: The invention detects stealth worm propagation by comparing the repeat elements in the sets of destinations of a source across multiple time windows to a fitted distribution of the same, stored as a benchmark plot. Measurements are performed over N time windows; in each time window, a representation of the set of destinations to which a respective source has sent packets is determined for each source. The counting is performed using a hash table. Once N such sets of destinations have been obtained, the number X_k of destinations that are common to N, N-1, N-2, ..., 2, 1 windows is determined. Thus X_k is the number of destinations to which a particular source sent packets in k time windows. X_k is then compared to the corresponding value on the plot; anomalies indicate an attack from the respective source.

6. Verifying authenticity of conference call invitees
    Type: Invention application (published) | Status: Pending (published)

    Publication number: US20090025062A1

    Publication date: 2009-01-22

    Application number: US11879452

    Application date: 2007-07-17

    IPC classification: G06F7/04

    Abstract: A conference call server comprises a collection of computer-executable instructions for facilitating conference call authentication functionality. Computer-executable instructions are provided for authenticating a plurality of invitees to a conference call session during the conference call session. Authenticating the plurality of conference call invitees includes cryptographically verifying the identity of each one of the conference call invitees using information associated with a respective authentication certificate. Computer-executable instructions are provided for outputting identification information contained in the authentication certificate of each one of the conference call invitees in response to successful authentication thereof. The identification information is output to at least one of the conference call invitees.

7. Method and system for identifying enterprise network hosts infected with slow and/or distributed scanning malware
    Type: Granted invention patent | Status: In force

    Publication number: US08341740B2

    Publication date: 2012-12-25

    Application number: US12124431

    Application date: 2008-05-21

    IPC classification: G06F21/00

    CPC classification: H04L63/1416

    Abstract: Malware detection systems are presented in which, for each given enterprise network host, a list is constructed of the enterprise hosts to or from which that host sends or receives packets within a current measurement period. Statistics are accumulated over two or more measurement-period lists, and a count value is derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets. One or more monitored hosts for which the count value exceeds a threshold value may be identified as suspected of being infected with slow and/or distributed scanning malware.

8. METHOD AND SYSTEM FOR IDENTIFYING ENTERPRISE NETWORK HOSTS INFECTED WITH SLOW AND/OR DISTRIBUTED SCANNING MALWARE
    Type: Invention application (published) | Status: In force

    Publication number: US20090293122A1

    Publication date: 2009-11-26

    Application number: US12124431

    Application date: 2008-05-21

    IPC classification: G06F11/00

    CPC classification: H04L63/1416

    Abstract: Malware detection systems are presented in which, for each given enterprise network host, a list is constructed of the enterprise hosts to or from which that host sends or receives packets within a current measurement period. Statistics are accumulated over two or more measurement-period lists, and a count value is derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets. One or more monitored hosts for which the count value exceeds a threshold value may be identified as suspected of being infected with slow and/or distributed scanning malware.

9. MALWARE DETECTION METHODS AND SYSTEMS FOR MULTIPLE USERS SHARING COMMON ACCESS SWITCH
    Type: Invention application (published) | Status: In force

    Publication number: US20090328220A1

    Publication date: 2009-12-31

    Application number: US12145768

    Application date: 2008-06-25

    IPC classification: G06F21/00

    CPC classification: H04L63/145 G06F21/552

    Abstract: Malware detection systems and methods are presented in which the header data of protocol data units (PDUs) is examined at a wireless access switch shared by multiple clients, and the PDU type and client are used to establish counters, with the count values being analyzed to identify clients suspected of being infected with malware.

10. System and method for exposing malicious clients in wireless access networks
    Type: Granted invention patent | Status: In force

    Publication number: US08542581B2

    Publication date: 2013-09-24

    Application number: US12212868

    Application date: 2008-09-18

    IPC classification: H04L1/00

    Abstract: Malicious clients within a wireless access network are identified using bait traffic transmitted between a collaborating wireless access point and a collaborating client. The bait traffic entices a malicious client to transmit malicious traffic towards the collaborating wireless access point. Upon receiving the malicious traffic, the collaborating wireless access point is able to identify the malicious client and report the presence of the malicious client within the wireless access network.