Abstract:
Methods and apparatus are disclosed for detecting whether a source of initial content is serving exploits to a target device exposed to that content. The method includes selecting at least two target devices, dividing them into at least two groups, and causing the groups to appear to the initial content as having different software profiles. Information is obtained regarding the connections and/or content transmitted or received by the groups as a result of exposure to the initial content, and the information obtained for the groups is compared. If the comparison indicates that the target devices in one group transmit or receive additional connections and/or additional content as a result of the exposure, it is decided that the source of the initial content serves exploits.
Abstract:
A method and apparatus for detecting a Return-Oriented Programming exploitation. At a computer device, a mechanism to detect a control transfer to a code location in memory is established, for example by hooking the control transfer. The code location relates to an electronic file. When a control transfer to the code location is detected, the destination code location address is compared with the values remaining in the freed stack. If the destination address matches any of the values in the freed stack, it is determined that the control transfer relates to a Return-Oriented Programming exploitation.
Abstract:
Aspects of the invention relate to a method for preventing communication through covert channels in a Local Area Network (LAN). The method includes suspending an inbound or outbound network connection related to a network element for a predetermined period of time, and determining whether any respective outbound or inbound network connection related to the same or any other network element ceases to transmit for the duration of that period. If such a connection is detected to cease transmission, it is concluded that the suspended connection and the respective connection are connected. It is then determined whether the connected network connections use different transmission protocols; if they do, the connected network connections are determined to be related to a malicious covert channel, and action is taken to prevent the covert channel from working.
Abstract:
A method and apparatus for scanning for or removing malware from a computer device. Under normal circumstances, the computer device is controlled by a first operating system installed in a memory of the device. In order to scan for or remove the malware from the computer device, control of the computer device is passed from the first operating system to a second operating system and, under the control of the second operating system, the device is either scanned for malware or the malware is removed. This allows malware to be detected or removed, even if it has affected the first operating system in some way in order to evade detection or removal.
Abstract:
The invention relates to computer security and to systems and methods for detecting and protecting against malicious content such as computer viruses. Gateway (200) and security (400) computers protect a client computer (300) against dynamically generated malicious content. The gateway computer includes a receiver configured to receive original content, the original content including a call to an original function with an associated input. The gateway computer further includes a content modifier unit configured to modify the original content to produce modified content, wherein the modified content includes at least a portion of the original content and a call to a shielding function, the shielding function being operable to cause the client computer to transmit an instruction to the security computer (400) to inspect the input associated with the call to the original function. The gateway computer further includes a transmitter configured to transmit the original content to the security computer and the modified content to the client computer, thereby allowing detection of dynamically generated malicious content based on the original content.
Abstract:
Measures are provided for enabling an integrity check of a DNS server setting, thereby enabling detection of DNS hacking or hijacking. Such measures may include, for example, triggering a DNS resolution operation by a service device configured to provide a service using the DNS server setting, wherein the DNS server setting is used for DNS resolution or DNS forwarding in service provisioning; acquiring the IP address of the DNS server device configured to perform DNS resolution in service provisioning, by reading the IP address of the DNS server device included in a DNS message that is part of the triggered DNS resolution operation; and processing the acquired IP address of the DNS server device in order to evaluate the integrity of the DNS server setting used in service provisioning.