-
Publication number: US08370931B1
Publication date: 2013-02-05
Application number: US12212250
Filing date: 2008-09-17
Applicants: Hao-Liang Chien, Ming-Chang Shih, Chun-Da Wu
Inventors: Hao-Liang Chien, Ming-Chang Shih, Chun-Da Wu
IPC classification: G06F11/00
CPC classification: G06F11/3072, G06F21/566
Abstract: Multi-behavior matching in a computer system is performed in order to identify suspicious sequences of activities. System behavior is captured using driver hooks. A behavior monitoring system determines the process to which the system behavior belongs by processing a table. This includes using the process ID and thread ID of the system behavior as lookups into the table. A multi-behavior matching algorithm is applied to determine whether there is any matching suspicious behavior by matching sets of rules (a policy) to system events caused by a particular process. A state machine is used to keep track of matching policies. Options to the rules and policies (such as "offset," "depth," "distance," "within," "ordered" and "occurrence/interval") are used to refine when a rule or policy is allowed to produce a positive match, reducing false positives.
-
Publication number: US09117078B1
Publication date: 2015-08-25
Application number: US12212378
Filing date: 2008-09-17
Applicants: Hao-Liang Chien, Ming-Chang Shih, Ya-Hsuan Tsai
Inventors: Hao-Liang Chien, Ming-Chang Shih, Ya-Hsuan Tsai
IPC classification: G06F21/56
CPC classification: G06F21/566
Abstract: Creating a policy to be used by a malware prevention system uses multiple events triggered by malware. A sample of malicious computer code, or malware, is executed in a computer system having a kernel space and a user space. Event data relating to multiple events caused by the malicious code executing on the computer system are captured and stored. The event data is configured using a specific property that facilitates malware behavior analysis. A behavior list is then created utilizing the multiple events and associated event data. The behavior list, together with data in a malware behavior database, is used to derive a policy for use in a malware prevention system. The computer system is free of any malicious code, including viruses, Trojan horses, or any other unwanted software code. The malicious computer code executes without any constraints so that the execution behavior of the malicious code may be observed and captured. Critical events are selected based on the user's expertise and experience in dealing with malware, and a sequential stream including the events in the order in which they occur is created.
-
Publication number: US08799824B1
Publication date: 2014-08-05
Application number: US11862141
Filing date: 2007-09-26
Applicant: Hao-Liang Chien
Inventor: Hao-Liang Chien
CPC classification: G06F3/017, G06F3/0481, G06F3/0488, G06F3/04883, G06F11/34
Abstract: The invention relates, in an embodiment, to a system for handling one or more pop-up messages activated by one or more applications and displayed on an output device associated with an electronic device, where the electronic device is associated with an input device. The system for handling pop-up messages includes an identification module to identify an active pop-up message activated by an application of the one or more applications. The system for handling pop-up messages also includes a recording control module to record a movement path associated with the input device. The system for handling pop-up messages also includes a translation module configured to translate recorded data pertaining to the movement path into a command pertaining to the active pop-up message.
-