Abstract:
A method and system detect buffer overflows and RLIBC (return-into-libc) attacks by determining whether a critical call initiating function is a "potential threat". In one embodiment, a critical call initiating function is considered a potential threat if the value of its return address points to a location in memory between the location of the highest Thread Environment Block (TEB) or Process Environment Block (PEB) and the location of the lowest TEB or PEB. In another embodiment, a critical call initiating function making a call to a predefined critical operating system function is considered a potential threat if the value of its return address points to the beginning of a new function with a zero offset.
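The two checks described above, as an added example written for this page rather than code from the patent: the span of the environment blocks is derived from a constructed set of TEB addresses plus the PEB, and a return address is flagged if it lands inside that span or exactly on a function entry. All addresses, the function-entry table and the name `hooked_critical_function` are hypothetical; reading the return address with `__builtin_return_address` assumes GCC or Clang.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed, hypothetical addresses for a 32-bit Windows process:
 * one PEB and the TEBs of three threads. A real hook would read these
 * from the running process (FS:[0x18] for the current TEB, FS:[0x30]
 * for the PEB) and refresh the list as threads are created. */
static const uintptr_t g_peb    = 0x7FFDF000u;
static const uintptr_t g_tebs[] = { 0x7FFDE000u, 0x7FFDD000u, 0x7FFDC000u };
#define N_TEBS (sizeof g_tebs / sizeof g_tebs[0])

/* Constructed table of function entry points (what an export or import
 * table would provide), used by the zero-offset embodiment. Hypothetical. */
static const uintptr_t g_function_entries[] = { 0x7C801D7Bu, 0x7C80AC28u, 0x7C80AE40u };
#define N_ENTRIES (sizeof g_function_entries / sizeof g_function_entries[0])

struct env_block_range { uintptr_t lowest, highest; };

/* Derive the [lowest, highest] span of the environment blocks. */
struct env_block_range env_block_span(void)
{
    struct env_block_range r = { g_peb, g_peb };
    for (size_t i = 0; i < N_TEBS; i++) {
        if (g_tebs[i] < r.lowest)  r.lowest  = g_tebs[i];
        if (g_tebs[i] > r.highest) r.highest = g_tebs[i];
    }
    return r;
}

/* Embodiment 1: the return address lies between the lowest and highest
 * TEB/PEB. Legitimate code never returns into the environment blocks. */
bool retaddr_in_env_block_span(uintptr_t ret_addr)
{
    struct env_block_range r = env_block_span();
    return ret_addr >= r.lowest && ret_addr <= r.highest;
}

/* Embodiment 2: the return address is exactly a function entry (offset 0).
 * A genuine return lands just after a call instruction, i.e. inside a
 * function body, never on its first byte; a return-into-libc chain does. */
bool retaddr_is_function_entry(uintptr_t ret_addr)
{
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (g_function_entries[i] == ret_addr) return true;
    return false;
}

bool critical_call_is_potential_threat(uintptr_t ret_addr)
{
    return retaddr_in_env_block_span(ret_addr) || retaddr_is_function_entry(ret_addr);
}

/* Stand-in for a hooked critical OS function (hypothetical). The hook
 * stalls the call, takes the return address of the function that
 * initiated it, and decides whether the call may proceed. */
bool hooked_critical_function(void)
{
    uintptr_t ret_addr = (uintptr_t)__builtin_return_address(0);
    return !critical_call_is_potential_threat(ret_addr);
}
```

`hooked_critical_function` sees the return address of whatever called it, so it must be installed as the first instruction of the hooked function (or as a trampoline that preserves the original stack), otherwise the address it inspects belongs to the hook machinery rather than to the call initiating function.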
Abstract:
Described herein are systems, methods, and software to enhance the management of responses to incidents. In one example, a method of improving incident response comprises identifying an incident in an information technology (IT) environment associated with a first entity of a plurality of entities, and identifying action implementation information related to the incident. The method further anonymizes the action implementation information for the incident, and determines action suggestions based at least on the anonymized action implementation information.
Abstract:
An unlabeled sample is classified using clustering. A set of samples containing labeled and unlabeled samples is established. Values of features are gathered from the samples contained in the set and a subset of features is selected. The labeled and unlabeled samples are clustered together based on similarity of the gathered values for the selected subset of features to produce a set of clusters, each cluster having a subset of samples from the set of samples. The selecting and clustering steps are recursively iterated on the subset of samples in each cluster in the set of clusters until at least one stopping condition is reached. The iterations produce a cluster having a labeled sample and an unlabeled sample. A label is propagated from the labeled sample in the cluster to the unlabeled sample in the cluster to classify the unlabeled sample.
Abstract:
Embodiments in accordance with the invention install a primary security browser extension first in the browser event notification order list and a secondary security browser extension last in the event notification order list. On receipt of a user data event including user confidential data at the primary security browser extension, the user confidential data is obfuscated by the primary security browser extension and the user data event including the obfuscated data is released to a next browser extension in the browser event notification order list. Upon receipt of the user data event at the secondary security browser extension, the obfuscated data is restored with the original user confidential data and the user data event is released for further processing.
Abstract:
A method makes use of the fact that call modules, such as APIs, making calls to a critical operating system (OS) function are typically called by a call instruction while, in contrast, a RLIBC attack typically uses call modules that are jumped to, returned to, or invoked by some means other than a call instruction. The method includes stalling a call to a critical OS function and checking to ensure that the call module making the call to the critical OS function was called by a call instruction. If it is determined that the call module making the call to the critical OS function was not called by a call instruction, the method further includes taking protective action to protect a computer system.
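The "was it reached by a call instruction" check, as an added example that is not the patent's own code: when the call to the critical OS function is stalled, the bytes immediately before the call module's return address are decoded to see whether they form an x86 `call`. The decoder below is deliberately limited to `E8 rel32` and the `FF /2` (`call r/m32`) forms with ModRM, SIB and 8- or 32-bit displacements; it ignores prefixes and far calls. The code buffer `g_code` is constructed for the example and is not taken from any binary.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Length of the x86 call instruction that starts at p, or 0 if p does not
 * start one (simplified: E8 rel32 and FF /2 only, no prefixes). */
size_t call_insn_length(const uint8_t *p, size_t avail)
{
    if (avail >= 5 && p[0] == 0xE8) return 5;             /* call rel32 */
    if (avail < 2 || p[0] != 0xFF) return 0;
    uint8_t modrm = p[1], mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (reg != 2) return 0;                               /* FF /2 is call; /4 would be jmp */
    size_t len = 2;
    if (mod == 3) return len;                             /* call reg */
    if (rm == 4) {                                        /* SIB byte follows */
        if (avail < 3) return 0;
        len += 1;
        if (mod == 0 && (p[2] & 7) == 5) len += 4;        /* [index*s + disp32] */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                         /* call [disp32] */
    }
    if (mod == 1) len += 1;                               /* disp8 */
    else if (mod == 2) len += 4;                          /* disp32 */
    return len <= avail ? len : 0;
}

/* True if some call encoding ends exactly at ret_off, i.e. the code that
 * returns to ret_off was entered by a call instruction. `code` is the
 * image of the caller's code section, `len` its size. */
bool preceded_by_call(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len) return false;
    for (size_t l = 2; l <= 7; l++) {           /* every length a call can have */
        if (ret_off < l) break;
        if (call_insn_length(code + ret_off - l, l) == l) return true;
    }
    return false;
}

/* Decision taken while the critical call is stalled: allow it only when
 * the call module was reached by a call instruction. */
bool allow_critical_call(const uint8_t *code, size_t len, size_t ret_off)
{
    return preceded_by_call(code, len, ret_off);
}

/* Constructed 32-bit code fragment (hypothetical, not from any binary):
 *   0: 55                 push ebp
 *   1: 8B EC              mov  ebp, esp
 *   3: E8 10 00 00 00     call +0x10          ; returns to offset 8
 *   8: FF 15 00 20 40 00  call [0x402000]     ; import thunk form, returns to 14
 *  14: 5D                 pop  ebp
 *  15: C3                 ret
 *  16: 90                 nop
 */
const uint8_t g_code[] = {
    0x55, 0x8B, 0xEC, 0xE8, 0x10, 0x00, 0x00, 0x00,
    0xFF, 0x15, 0x00, 0x20, 0x40, 0x00, 0x5D, 0xC3, 0x90
};
const size_t g_code_len = sizeof g_code;
```

The known weakness of this heuristic is that an attacker can return to any address that happens to be preceded by bytes decoding as a call, so in practice it is combined with the other checks on this page (return address not at a function entry, frame pointer inside the stack) rather than used alone.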
Abstract:
A process page table entry (PTE) associated with a process is located, and a determination is made whether the process PTE is a prototype PTE. If the process PTE is a prototype PTE, the location of the actual PTE is determined. A copy-on-write functionality associated with the PTE is disabled and the location of the shared page of memory associated with the PTE is determined. The shared page is modified, for example with hooking code, and the copy-on-write functionality is re-enabled.
Abstract:
A method makes use of positional relationships in a memory stack between the frame pointer, such as the Extended Base Pointer (EBP) in Windows®-based systems, of a critical call initiating function making a call to a critical operating system (OS) function, the top of stack position, such as the Process Environment Block (PEB) in Windows®-based systems, and the bottom of stack position, such as the Extended Stack Pointer (ESP) in Windows®-based systems, to detect and block buffer overflows.
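One way to turn those positional relationships into a check, as an added example that is not the patent's own code: the frame pointer of the critical call initiating function must lie between ESP and the top of stack, and the example goes one step beyond the abstract by walking the chain of saved frame pointers from there, requiring every hop to move toward the top of stack and to stay inside it. A 32-bit stack image is constructed in an array; `STACK_LOW`, `STACK_TOP`, and every address in `build_stack` are hypothetical, and `STACK_TOP` simply stands in for whatever the top of stack position is taken from on the target system.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed 32-bit stack image (hypothetical addresses). Element i of
 * the array models the dword at address STACK_LOW + 4*i. */
#define STACK_LOW   0x0012FF00u
#define STACK_WORDS 16
#define STACK_TOP   (STACK_LOW + 4u * STACK_WORDS)   /* top of stack position */

static uint32_t read_dword(const uint32_t *stack, uint32_t addr)
{
    return stack[(addr - STACK_LOW) / 4];
}

static bool in_stack(uint32_t addr)   /* dword-aligned and inside the stack */
{
    return addr >= STACK_LOW && addr + 4 <= STACK_TOP && (addr & 3) == 0;
}

/* Positional check. esp is the bottom of stack position at the time of the
 * critical call, ebp the frame pointer of the call initiating function.
 * The frame pointer must sit between ESP and the top of stack, and the
 * saved-EBP chain starting from it must climb monotonically until it ends
 * (saved EBP of 0 at the thread's first frame). A frame pointer below ESP,
 * outside the stack, or on a chain that loops or descends means the saved
 * frame pointer was overwritten, i.e. a buffer overflow. */
bool frame_chain_is_sane(const uint32_t *stack, uint32_t esp, uint32_t ebp)
{
    if (!in_stack(esp) || ebp < esp) return false;
    uint32_t cur = ebp;
    for (int hops = 0; hops < STACK_WORDS; hops++) {
        if (!in_stack(cur)) return false;
        uint32_t saved = read_dword(stack, cur);
        if (saved == 0) return true;        /* oldest frame: chain terminates */
        if (saved <= cur) return false;     /* must move toward the top */
        cur = saved;
    }
    return false;                           /* more hops than the stack holds: loop */
}

/* Two frames: B (ebp 0x0012FF10) was called by A (ebp 0x0012FF28), and A
 * is the thread's first frame, so its saved EBP is 0. */
static void build_stack(uint32_t *stack)
{
    for (int i = 0; i < STACK_WORDS; i++) stack[i] = 0xCCCCCCCCu;
    stack[(0x0012FF10u - STACK_LOW) / 4] = 0x0012FF28u; /* B's saved EBP   */
    stack[(0x0012FF14u - STACK_LOW) / 4] = 0x00401050u; /* B's return addr */
    stack[(0x0012FF28u - STACK_LOW) / 4] = 0;           /* A's saved EBP   */
    stack[(0x0012FF2Cu - STACK_LOW) / 4] = 0x7C817077u; /* A's return addr */
}

/* Run the check on the constructed stack after replacing B's saved EBP
 * with `saved_ebp`, which is what an overflow of a local buffer in B would
 * overwrite. The unmodified value 0x0012FF28 reproduces the intact stack. */
bool check_with_saved_ebp(uint32_t saved_ebp)
{
    uint32_t stack[STACK_WORDS];
    build_stack(stack);
    stack[(0x0012FF10u - STACK_LOW) / 4] = saved_ebp;
    return frame_chain_is_sane(stack, 0x0012FF00u, 0x0012FF10u);
}
```

Frame-pointer omission (`/Oy`, `-fomit-frame-pointer`) breaks the chain walk for the affected modules, so a deployment has to know which modules keep EBP as a frame pointer, or fall back to the single-frame range check for the rest.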
Abstract:
A legacy application program contains unmanaged code. Application definitions for common unmanaged applications are established. An application definition includes a manifest that describes the unmanaged code and an execution wrapper that projects the unmanaged code as a managed assembly to the execution environment. An application definition can also specify other modifications to the unmanaged code, such as modifications to cause the unmanaged code to call managed application programming interfaces (APIs). The application definition is utilized to transform the unmanaged code into a managed assembly. The manifest and wrapper are added to the managed assembly and the unmanaged code is maintained as a resource. The managed execution environment uses the manifest to compute a permissions set for the unmanaged code, and the wrapper invokes the unmanaged code. The unmanaged code uses the managed APIs, and the managed execution environment can therefore manage execution of the code.
Abstract:
On start-up of a process, a critical imported functions table, including resolved addresses of critical imported functions that an application, such as a host intrusion detection system application, depends upon to have data integrity, is dynamically allocated and marked read-only to impede modification by malicious code. The critical imported functions are hooked so that execution of a call to a critical imported function is made using the corresponding entry in the critical imported functions table rather than an entry in the current process IAT, which may have been modified by malicious code. The current process IAT is evaluated to determine whether it has changed from its initial start-up state in a way that is indicative of an evasion attempt by malicious code. If an evasion attempt is detected, a notification is provided to a user and/or system administrator. Optionally, protective action is taken, such as saving a copy of the current process IAT to permit later analysis of the change.
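The start-up snapshot, the read-only dispatch table and the evasion check, as an added example that is not the patent's own code and is written for a POSIX host so it runs outside Windows: the process IAT is modelled as a writable array of function pointers, the protected table is placed on its own page and locked with `mprotect` (the role `VirtualProtect` plays on Windows), and calls are dispatched through the locked table. The import names, the `real_*`/`evil_*` stand-ins and `simulate_iat_hook` are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Stand-ins for the resolved critical OS functions; each returns a
 * distinctive value so a hijacked call is easy to tell apart. */
static int real_open_process(void) { return 1; }
static int real_write_memory(void) { return 2; }
static int evil_open_process(void) { return 0xBAD; }   /* attacker's replacement */

typedef int (*import_fn)(void);
enum { IMP_OPEN_PROCESS, IMP_WRITE_MEMORY, N_CRITICAL };

/* The process IAT as the loader filled it: writable, hence patchable.
 * Constructed here; a real IAT lives inside the loaded PE image. */
static import_fn g_process_iat[N_CRITICAL] = { real_open_process, real_write_memory };

static import_fn *g_critical_table;              /* read-only copy on its own page */
static import_fn  g_initial_iat[N_CRITICAL];     /* start-up snapshot for comparison */
static import_fn  g_iat_evidence[N_CRITICAL];    /* copy saved on detection */

/* Start-up: allocate a page, copy the resolved addresses into it, snapshot
 * the IAT, then make the table read-only. */
bool critical_table_init(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *mem = NULL;
    if (page <= 0 || posix_memalign(&mem, (size_t)page, (size_t)page) != 0) return false;
    memcpy(mem, g_process_iat, sizeof g_process_iat);
    memcpy(g_initial_iat, g_process_iat, sizeof g_process_iat);
    if (mprotect(mem, (size_t)page, PROT_READ) != 0) { free(mem); return false; }
    g_critical_table = mem;
    return true;
}

/* Hooked call path: dispatch through the read-only table, never the IAT. */
int call_critical(int which)
{
    return g_critical_table[which]();
}

/* Evasion check: compare the live IAT with the start-up snapshot.
 * Returns the index of the first changed entry, or -1 if unchanged. */
int iat_changed_entry(void)
{
    for (int i = 0; i < N_CRITICAL; i++)
        if (g_process_iat[i] != g_initial_iat[i]) return i;
    return -1;
}

/* Protective action: keep a copy of the modified IAT for later analysis. */
const import_fn *save_iat_copy(void)
{
    memcpy(g_iat_evidence, g_process_iat, sizeof g_iat_evidence);
    return g_iat_evidence;
}

/* Malicious code patching the IAT after start-up (simulation). */
void simulate_iat_hook(void)
{
    g_process_iat[IMP_OPEN_PROCESS] = evil_open_process;
}
```

The read-only page only impedes modification: code that already runs in the process can call `mprotect`/`VirtualProtect` itself and flip it back, so the table is a hardening measure that raises the bar for an in-process attacker and, combined with the snapshot comparison, turns a silent IAT patch into a detectable event rather than an undetectable one.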
Abstract:
A prologue and an epilogue of a function are hooked. Completion of the prologue is stalled in a first state of a stack frame, and a copy of the first state of the stack frame is saved. Completion of the prologue is initiated, permitting execution of the function. Completion of the epilogue is stalled in a second state of the stack frame. The saved copy of the first state of the stack frame is located and compared with the second state of the stack frame. A determination is made whether the stack frame is corrupted based on the comparison. Upon a determination that the stack frame is corrupted, the second state of the stack frame is replaced with the copy of the first state of the stack frame, and completion of the epilogue is initiated, allowing the function to complete.
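The save, compare and restore sequence above, as an added example that is not the patent's own code: a frame is modelled as a byte array holding a 16-byte local buffer followed by the saved EBP and the return address, exactly the layout an overflow of the buffer runs into. The prologue hook copies the two control words, the epilogue hook compares them with the current frame and writes the saved copy back on a mismatch. The hooked function, its frame layout, the initial control values and the all-`A` input are all constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + 8)     /* locals, saved EBP, return address */

/* The part of the frame the hooks protect. */
struct frame_state { uint32_t saved_ebp, ret_addr; };

static struct frame_state read_ctrl(const uint8_t *frame)
{
    struct frame_state s;
    memcpy(&s.saved_ebp, frame + BUF_SIZE, 4);
    memcpy(&s.ret_addr,  frame + BUF_SIZE + 4, 4);
    return s;
}

static void write_ctrl(uint8_t *frame, struct frame_state s)
{
    memcpy(frame + BUF_SIZE,     &s.saved_ebp, 4);
    memcpy(frame + BUF_SIZE + 4, &s.ret_addr,  4);
}

/* Prologue hook: completion of the prologue is stalled and the first state
 * of the frame is copied out. */
void on_prologue(const uint8_t *frame, struct frame_state *saved)
{
    *saved = read_ctrl(frame);
}

/* Epilogue hook: completion of the epilogue is stalled, the second state is
 * compared with the saved first state, and on mismatch the first state is
 * written back so the function returns to its real caller. Returns true if
 * the frame was found corrupted (and repaired). */
bool on_epilogue(uint8_t *frame, const struct frame_state *saved)
{
    struct frame_state now = read_ctrl(frame);
    bool corrupted = now.saved_ebp != saved->saved_ebp || now.ret_addr != saved->ret_addr;
    if (corrupted) write_ctrl(frame, *saved);
    return corrupted;
}

/* Hypothetical hooked function: copies untrusted input into its local
 * buffer with no bound, the defect the hooks are there to contain. */
bool hooked_function(uint8_t *frame, const char *input, size_t n)
{
    struct frame_state first;
    on_prologue(frame, &first);
    memcpy(frame, input, n);                 /* overflows when n > BUF_SIZE */
    return on_epilogue(frame, &first);
}

/* Drive one frame with input_len bytes of constructed attacker input.
 * Sets *detected to the epilogue hook's verdict; returns true if the
 * control words are intact once the function has completed. */
bool run_case(size_t input_len, bool *detected)
{
    const struct frame_state initial = { 0x0012FF78u, 0x0040102Fu };
    uint8_t frame[FRAME_SIZE];
    char input[FRAME_SIZE];
    if (input_len > sizeof input) return false;
    memset(frame, 0, sizeof frame);
    write_ctrl(frame, initial);
    memset(input, 'A', sizeof input);        /* constructed overflow payload */
    *detected = hooked_function(frame, input, input_len);
    struct frame_state after = read_ctrl(frame);
    return after.saved_ebp == initial.saved_ebp && after.ret_addr == initial.ret_addr;
}
```

In this example the saved copy (`first`) is an ordinary local of the hooked function, which in a real process would itself live on the stack within reach of a larger overflow; a deployment keeps the copies in a separate region (a shadow stack or heap-allocated, read-only once written) keyed by the frame's address. Restoring the frame also only repairs the control words: any locals the overflow clobbered remain corrupted, so the patent's "allowing the function to complete" assumes the function's remaining code can tolerate that.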