公开(公告)号：US08966359B2

公开(公告)日：2015-02-24

申请号：US13345713

申请日：2012-01-26

申请人： Igor Gokhman ,  Boris Rozenberg

发明人： Igor Gokhman ,  Boris Rozenberg

IPC分类号： G06F17/30

CPC分类号： G06F17/3089

摘要： A method of mapping between visual objects and web messages. The method comprises monitoring a plurality of web messages transmitted during at least one of loading and modifying a webpage having a plurality of dynamic visual objects by a browser of a client terminal, providing a dynamic model having a plurality of model elements each indicative of another of the plurality of dynamic visual objects, monitoring changes to the dynamic model to identify a first of the plurality of web messages has an effect on a first of the plurality of dynamic visual objects, and mapping, using a processor, between the first dynamic visual object and the first web message according to a source of the first web message.

摘要翻译： 一种在可视对象和Web消息之间映射的方法。 该方法包括监视在由客户终端的浏览器加载和修改具有多个动态可视对象的网页中的至少一个期间发送的多个web消息，提供具有多个模型元素的动态模型，每个模型元素指示另一个 多个动态可视对象，监视对动态模型的改变以识别多个web消息中的第一个，对多个动态可视对象中的第一个具有影响，并且使用处理器在第一动态可视对象之间进行映射 以及根据第一web消息的源的第一web消息。

公开(公告)号：US20130198603A1

公开(公告)日：2013-08-01

申请号：US13345713

申请日：2012-01-26

申请人： Igor Gokhman ,  Boris Rozenberg

发明人： Igor Gokhman ,  Boris Rozenberg

IPC分类号： G06F17/00

CPC分类号： G06F17/3089

摘要： A method of mapping between visual objects and web messages. The method comprises monitoring a plurality of web messages transmitted during at least one of loading and modifying a webpage having a plurality of dynamic visual objects by a browser of a client terminal, providing a dynamic model having a plurality of model elements each indicative of another of the plurality of dynamic visual objects, monitoring changes to the dynamic model to identify a first of the plurality of web messages has an effect on a first of the plurality of dynamic visual objects, and mapping, using a processor, between the first dynamic visual object and the first web message according to a source of the first web message.

摘要翻译： 一种在可视对象和Web消息之间映射的方法。 该方法包括监视在由客户终端的浏览器加载和修改具有多个动态可视对象的网页中的至少一个期间发送的多个web消息，提供具有多个模型元素的动态模型，每个模型元素指示另一个 多个动态可视对象，监视对动态模型的改变以识别多个web消息中的第一个，对多个动态可视对象中的第一个具有影响，并且使用处理器在第一动态可视对象之间进行映射 以及根据第一web消息的源的第一web消息。

公开(公告)号：US08898796B2

公开(公告)日：2014-11-25

申请号：US13396271

申请日：2012-02-14

申请人： Ron Ben-Natan ,  Tamar Domany ,  Ariel Farkash ,  Igor Gokhman ,  Abigail Goldsteen ,  Yuval Hager ,  Ksenya Kveler ,  Boris Rozenberg ,  Ury Segal

发明人： Ron Ben-Natan ,  Tamar Domany ,  Ariel Farkash ,  Igor Gokhman ,  Abigail Goldsteen ,  Yuval Hager ,  Ksenya Kveler ,  Boris Rozenberg ,  Ury Segal

IPC分类号： G06F21/00 ,  G06F21/60 ,  G06F17/27 ,  G06F17/22

CPC分类号： G06F17/272 ,  G06F17/2247 ,  G06F21/606 ,  H04L63/20 ,  H04L2209/56 ,  H04L2463/102

摘要： A method, system or computer usable program product for masking communication data using context based rules including intercepting a communication between a server and a client by an intermediary, the communication having a recipient, parsing the communication by the intermediary to determine whether a context based alteration rule should be applied, responsive to an affirmative determination, applying the rule to the communication to produce an altered communication with altered data, and sending the altered communication to the recipient so that the altered data in the communication is utilized in a masked manner.

摘要翻译： 一种用于使用基于上下文的规则来掩蔽通信数据的方法，系统或计算机可用程序产品，包括通过中间人截取服务器和客户端之间的通信，所述通信具有接收者，解析所述中间人的通信以确定基于上下文的改变 应当根据肯定的决定应用规则，将该规则应用于通信以产生具有改变的数据的改变的通信，以及将改变的通信发送到接收者，以便以掩蔽的方式利用通信中的改变的数据。

公开(公告)号：US20130212689A1

公开(公告)日：2013-08-15

申请号：US13396271

申请日：2012-02-14

申请人： Ron Ben-Natan ,  Tamar Domany ,  Ariel Farkash ,  Igor Gokhman ,  Abigail Goldsteen ,  Yuval Hager ,  Ksenya Kveler ,  Boris Rozenberg ,  Ury Segal

发明人： Ron Ben-Natan ,  Tamar Domany ,  Ariel Farkash ,  Igor Gokhman ,  Abigail Goldsteen ,  Yuval Hager ,  Ksenya Kveler ,  Boris Rozenberg ,  Ury Segal

IPC分类号： G06F21/24 ,  G06F15/16

CPC分类号： G06F17/272 ,  G06F17/2247 ,  G06F21/606 ,  H04L63/20 ,  H04L2209/56 ,  H04L2463/102

摘要： A method, system or computer usable program product for masking communication data using context based rules including intercepting a communication between a server and a client by an intermediary, the communication having a recipient, parsing the communication by the intermediary to determine whether a context based alteration rule should be applied, responsive to an affirmative determination, applying the rule to the communication to produce an altered communication with altered data, and sending the altered communication to the recipient so that the altered data in the communication is utilized in a masked manner.

摘要翻译： 一种用于使用基于上下文的规则来掩蔽通信数据的方法，系统或计算机可用程序产品，包括通过中间人截取服务器和客户端之间的通信，所述通信具有接收者，解析所述中间人的通信以确定基于上下文的改变 应当根据肯定的决定应用规则，将该规则应用于通信以产生经改变的数据的改变的通信，并将改变的通信发送给接收者，使得通信中改变的数据以掩蔽的方式被利用。

公开(公告)号：US10171471B2

公开(公告)日：2019-01-01

申请号：US14991958

申请日：2016-01-10

申请人： Ofer Biller ,  Oded Sofer ,  Boris Rozenberg ,  David Rozenblat

发明人： Ofer Biller ,  Oded Sofer ,  Boris Rozenberg ,  David Rozenblat

IPC分类号： G06F21/00 ,  H04L29/06 ,  G06N99/00

摘要： Methods, computing systems and computer program products implement embodiments of the present invention that include assigning, to multiple users, respective sets of original roles for accessing data stored on a computer system, and performing, in response to requests from the users, multiple operations on the data. While performing the multiple operations on the data, a transaction log is generated that includes a plurality of entries, each of the entries storing attributes of a given operation. Based on the entries in the log file, a respective set of learned roles for respective users is identified, and the respective sets of the learned roles are assigned to the respective users.

公开(公告)号：US20100229239A1

公开(公告)日：2010-09-09

申请号：US12697559

申请日：2010-02-01

申请人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

发明人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

IPC分类号： G06F11/30 ,  G06F21/00

CPC分类号： G06F21/552

摘要： The invention relates to a method for detecting malicious executables, which comprises: (a) in an offline training phase, finding a collection of system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; and, in runtime, for each running executable, continuously monitoring its issued run-time system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious.

摘要翻译： 本发明涉及一种用于检测恶意可执行程序的方法，包括：（a）在离线训练阶段，查找仅恶意文件特有的系统调用序列的集合，当执行这种恶意文件时，将所述序列存储在 数据库 并且在运行时，对于每个运行的可执行文件，连续地监视其发出的运行时系统调用并与存储的数据库序列中的系统调用进行比较，以确定运行时系统的一部分序列之间是否存在匹配 调用和一个或多个数据库序列，并且当发现这样的匹配时，将所述可执行文件声明为恶意的。

公开(公告)号：US20080313734A1

公开(公告)日：2008-12-18

申请号：US12125263

申请日：2008-05-22

申请人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

发明人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

IPC分类号： G06F21/00

CPC分类号： H04L63/1425 ,  G06N5/043 ,  H04L63/145

摘要： The invention relates to a distributed system for detecting eThreats that propagate in a network, which comprises: (a) graphs database storing at least one propagation graph, each graph describing the typical propagation over time of one eThreat class or a legitimate executable class within the network; (b) plurality of agents that are distributed in corresponding plurality of hosts within the network, each of said agents continuously monitoring the corresponding host and reporting to a Central Decision Maker (CDM) the identity of any new suspected executable, and the time in which said suspected executable has been first detected by said agent; (c) a CDM for: (c.1) receiving all said reports from said plurality of agents; (c.2) creating from said reports for each suspected executable a corresponding propagation graph which reflects the propagation characteristics over time of said suspected executable within the network, and (c.3) comparing each of said created graphs with said stored at least one propagation graph; (c.4) upon finding a similarity above a predefined threshold between a created graph and one of the stored graphs, concluding respectively that said executable belongs to the class as defined by said stored graph; and (c.5) conveying said conclusion to said agents, for optionally taking an appropriate action.

摘要翻译： 本发明涉及一种用于检测在网络中传播的威胁的分布式系统，其包括：（a）存储至少一个传播图的图形数据库，每个图形描述一个eThreat类别内的典型传播随时间流逝的内容 网络; （b）分布在网络内的相应多个主机中的多个代理，每个所述代理持续监视对应的主机并向中央决策者（CDM）报告任何新的可疑可执行文件的身份，以及其中 所述疑似可执行文件已被所述代理首先检测到; （c）清洁发展机制：（c.1）从所述多个代理人接收所有所述报告; （c.2）从所述报告中为每个可疑可执行文件创建反映在所述网络内的所述可疑可执行文件随时间的传播特性的相应传播图，以及（c.3）将所述创建的图形中的每一个与所存储的至少一个 传播图; （c.4）在找到在所创建的图和存储的图之一之间的预定阈值之上的相似度时，分别结束所述可执行文件属于由所述存储的图形定义的类; 和（c.5）将所述结论传达给所述代理人，以选择采取适当的行动。

公开(公告)号：US20170201525A1

公开(公告)日：2017-07-13

申请号：US14991958

申请日：2016-01-10

申请人： Ofer Biller ,  Oded Sofer ,  Boris Rozenberg ,  David Rozenblat

发明人： Ofer Biller ,  Oded Sofer ,  Boris Rozenberg ,  David Rozenblat

IPC分类号： H04L29/06 ,  G06N99/00

CPC分类号： H04L63/102 ,  G06N99/005 ,  H04L63/08 ,  H04L63/104 ,  H04L63/1433

摘要： Methods, computing systems and computer program products implement embodiments of the present invention that include assigning, to multiple users, respective sets of original roles for accessing data stored on a computer system, and performing, in response to requests from the users, multiple operations on the data. While performing the multiple operations on the data, a transaction log is generated that includes a plurality of entries, each of the entries storing attributes of a given operation. Based on the entries in the log file, a respective set of learned roles for respective users is identified, and the respective sets of the learned roles are assigned to the respective users.

公开(公告)号：US07941853B2

公开(公告)日：2011-05-10

申请号：US12125263

申请日：2008-05-22

申请人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

发明人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

IPC分类号： G06F11/00

CPC分类号： H04L63/1425 ,  G06N5/043 ,  H04L63/145

摘要： The invention relates to a distributed system for detecting eThreats that propagate in a network, which comprises: (a) graphs database storing at least one propagation graph, each graph describing the typical propagation over time of one eThreat class or a legitimate executable class within the network; (b) plurality of agents that are distributed in corresponding plurality of hosts within the network, each of said agents continuously monitoring the corresponding host and reporting to a Central Decision Maker (CDM) the identity of any new suspected executable, and the time in which said suspected executable has been first detected by said agent; (c) a CDM for: (c.1) receiving all said reports from said plurality of agents; (c.2) creating from said reports for each suspected executable a corresponding propagation graph which reflects the propagation characteristics over time of said suspected executable within the network, and (c.3) comparing each of said created graphs with said stored at least one propagation graph; (c.4) upon finding a similarity above a predefined threshold between a created graph and one of the stored graphs, concluding respectively that said executable belongs to the class as defined by said stored graph; and (c.5) conveying said conclusion to said agents, for optionally taking an appropriate action.

摘要翻译： 本发明涉及一种用于检测在网络中传播的威胁的分布式系统，其包括：（a）存储至少一个传播图的图形数据库，每个图形描述一个eThreat类别内的典型传播随时间流逝的内容 网络; （b）分布在网络内的相应多个主机中的多个代理，每个所述代理持续监视对应的主机并向中央决策者（CDM）报告任何新的可疑可执行文件的身份，以及其中 所述疑似可执行文件已被所述代理首先检测到; （c）清洁发展机制：（c.1）从所述多个代理人接收所有所述报告; （c.2）从所述报告中为每个可疑可执行文件创建反映在所述网络内的所述可疑可执行文件随时间的传播特性的相应传播图，以及（c.3）将所述创建的图形中的每一个与所存储的至少一个 传播图; （c.4）在找到在所创建的图和存储的图之一之间的预定阈值之上的相似度时，分别结束所述可执行文件属于由所述存储的图形定义的类; 和（c.5）将所述结论传达给所述代理人，以选择采取适当的行动。

公开(公告)号：US08332944B2

公开(公告)日：2012-12-11

申请号：US12697559

申请日：2010-02-01

申请人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

发明人： Boris Rozenberg ,  Ehud Gudes ,  Yuval Elovici

IPC分类号： G06F12/14

CPC分类号： G06F21/552

摘要： The invention relates to a method for detecting malicious executables, which comprises: in an offline training phase, finding a collection of system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; and, in runtime, for each running executable, continuously monitoring its issued run-time system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious.

摘要翻译： 本发明涉及一种用于检测恶意可执行程序的方法，包括：在离线训练阶段，当执行这种恶意文件并且将所述序列存储在数据库中时，找到仅对恶意文件特有的系统调用序列的集合; 并且在运行时，对于每个运行的可执行文件，连续地监视其发出的运行时系统调用并与存储的数据库序列中的系统调用进行比较，以确定运行时系统的一部分序列之间是否存在匹配 调用和一个或多个数据库序列，并且当发现这样的匹配时，将所述可执行文件声明为恶意的。