公开(公告)号：US07266844B2

公开(公告)日：2007-09-04

申请号：US09963659

申请日：2001-09-27

申请人： Ivan Teblyashkin ,  Igor Muttik ,  Viatcheslav Peternev

发明人： Ivan Teblyashkin ,  Igor Muttik ,  Viatcheslav Peternev

IPC分类号： G06F11/00

CPC分类号： G06F21/563

摘要： Computer programs are analysed for the occurrence of redundant program instructions of program instruction using uninitialised variables. If the number of such instructions exceeds a threshold level, then the computer program is treated as containing a computer virus. This technique is useful in identifying new and polymorphic viruses.

摘要翻译： 对使用未初始化变量的程序指令的冗余程序指令的发生情况分析计算机程序。 如果这些指令的数量超过阈值水平，那么计算机程序被视为包含计算机病毒。 这种技术在鉴定新型和多态性病毒方面是有用的。

公开(公告)号：US07210041B1

公开(公告)日：2007-04-24

申请号：US09846103

申请日：2001-04-30

申请人： Dmitry O. Gryaznov ,  Viatcheslav Peternev ,  Igor Muttik

发明人： Dmitry O. Gryaznov ,  Viatcheslav Peternev ,  Igor Muttik

IPC分类号： G06F11/00 ,  G06F17/30

CPC分类号： G06F21/56

摘要： A macro virus definitions database is maintained and includes a set of indices and associated macro virus definition data files. One or more of the macro virus definition data files are referenced by the associated index. Each macro virus definition data file defines macro virus attributes for known macro viruses. The sets of the indices and the macro virus definition data files are organized according to macro virus families. One or more strings stored in a suspect file are compared to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database. The macro virus family to which the suspect file belongs is determined from the indices for each of the macro virus definition data files at least partially containing the suspect file.

摘要翻译： 维护宏病毒定义数据库，并包括一组索引和关联的宏病毒定义数据文件。 一个或多个宏病毒定义数据文件由关联的索引引用。 每个宏病毒定义数据文件定义已知宏病毒的宏病毒属性。 索引集和宏病毒定义数据文件根据宏病毒系列进行组织。 将存储在可疑文件中的一个或多个字符串与宏病毒定义数据库中的每个宏病毒系列的一个或多个宏病毒定义数据文件中定义的宏病毒属性进行比较。 可疑文件所属的宏病毒系列由至少部分包含可疑文件的每个宏病毒定义数据文件的索引确定。

公开(公告)号：US20170180399A1

公开(公告)日：2017-06-22

申请号：US14978539

申请日：2015-12-22

申请人： Vadim Sukhomlinov ,  Kshitij A. Doshi ,  Alex Nayshtut ,  Igor Muttik

发明人： Vadim Sukhomlinov ,  Kshitij A. Doshi ,  Alex Nayshtut ,  Igor Muttik

IPC分类号： H04L29/06 ,  G06F9/455

CPC分类号： H04L63/1416 ,  G06F9/45558 ,  G06F21/552 ,  G06F21/566 ,  G06F2009/45591 ,  H04L63/1425

摘要： Providing detection of computing application malfunctions by performing at least the following: collecting a plurality of computing events that correspond to a computing application and a plurality of addresses associated with the plurality of computing events, generating an event trace that comprises the plurality of computing events and the plurality of addresses, constructing at least one sample fingerprint that represents a current behavior of the computing application using at least the event trace, comparing the at least one sample fingerprint with a behavior model that represents an expected operation of the computing application; and determining whether the computing application is malfunctioning based upon the comparison of the at least one sample fingerprint and the behavioral model.

公开(公告)号：US20150365427A1

公开(公告)日：2015-12-17

申请号：US14369587

申请日：2013-12-18

申请人： Omer Ben-Shalom ,  Igor Muttik ,  Alex Nayshtut ,  Yaniv Avidan

发明人： Omer Ben-Shalom ,  Igor Muttik ,  Alex Nayshtut ,  Yaniv Avidan

IPC分类号： H04L29/06 ,  G06F21/56

CPC分类号： H04L63/145 ,  G06F21/55 ,  G06F21/56 ,  G06F21/567 ,  H04L63/107 ,  H04L63/1416 ,  H04L63/1441

摘要： Various embodiments are generally directed to techniques to detect and eradicate malware attacks by employing information indicative of malware activity received from both endpoint devices and network devices proving network services to endpoint devices. An apparatus to detect malware includes a processor component, an analysis component for execution by the processor component to employ a trust level assigned to a device in a network as a factor in an analysis of an indication received from the device of a malware attack, and an eradication component for execution by the processor component to determine an action to take through the network to eradicate the malware attack based on the analysis. Other embodiments are described and claimed.

摘要翻译： 各种实施例通常涉及通过采用指示从端点设备和网络设备接收的恶意软件活动的信息来检测和消除恶意软件攻击的技术，以证明网络服务到端点设备。 用于检测恶意软件的装置包括处理器组件，用于由处理器组件执行的分析组件，以采用分配给网络中的设备的信任级别作为对从恶意软件攻击的设备接收的指示的分析的因素;以及 用于由处理器组件执行以根据分析来确定通过网络以消除恶意软件攻击的动作的根除组件。 描述和要求保护其他实施例。

公开(公告)号：US20150088967A1

公开(公告)日：2015-03-26

申请号：US14128438

申请日：2013-09-24

申请人： Igor Muttik

发明人： Igor Muttik

IPC分类号： H04L29/08 ,  H04L29/06

CPC分类号： H04L67/10 ,  G06F21/55 ,  G06F21/564 ,  H04L9/3239 ,  H04L63/0263 ,  H04L63/1416 ,  H04L63/145

摘要： Disclosed are systems, apparatuses, computer readable media, and methods of using an adaptive (i.e., learning) client-server system to enhance the efficiency of sample submissions, e.g., the submission of samples of malware programs to a server dictionary. The server in such a system may accumulate a dictionary of known programs and/or portions of programs that have been submitted by many different client devices over time, representing all the various programs that they have encountered. If a portion of a particular file submission is already “available” to the server (i.e., it is a portion that the server has already analyzed and stored), it will be excluded from all future sample transmissions. The server will gradually accumulate a rich dictionary of common program portions, thus requesting transmission only of previously unseen portions. Such systems, apparatuses, computer readable media, and methods may therefore be used to reduce transmission times needed for future sample submissions.

摘要翻译： 公开了系统，装置，计算机可读介质和使用自适应（即学习）客户端 - 服务器系统来提高样本提交的效率的方法，例如将恶意软件程序的样本提交到服务器字典。 这种系统中的服务器可以累积已经被许多不同客户端设备随时间提交的已知程序和/或程序部分的字典，代表他们遇到的所有各种程序。 如果特定文件提交的一部分已经对服务器“可用”（即，它是服务器已经被分析和存储的部分），则将从所有将来的样本传输中排除。 服务器将逐渐累积一个丰富的共同程序部分的字典，从而要求只传送以前看不见的部分。 因此，这样的系统，装置，计算机可读介质和方法可以用于减少未来样品提交所需的传输时间。

公开(公告)号：US20130074186A1

公开(公告)日：2013-03-21

申请号：US13234985

申请日：2011-09-16

申请人： Igor Muttik

发明人： Igor Muttik

IPC分类号： G06F21/24

CPC分类号： G06F21/51 ,  G06F21/10 ,  G06F21/445 ,  G06F21/57

摘要： A particular set of attributes of a particular computing device is identified. A first plurality of whitelisted objects is identified in a global whitelist corresponding to the particular set of attributes. A particular whitelist is generated to include the identified set of whitelisted objects, the particular whitelist tailored to the particular computing device. In some aspects, device-tailored updates to the particular whitelist are also generated.

摘要翻译： 识别特定计算设备的特定的一组属性。 在对应于特定的一组属性的全局白名单中标识出第一组多个白名单对象。 生成特定白名单以包括所标识的白名单对象集合，该特定白名单针对特定计算设备而定制的特定白名单。 在某些方面，还会生成针对特定白名单的设备定制更新。

公开(公告)号：US06907396B1

公开(公告)日：2005-06-14

申请号：US09586671

申请日：2000-06-01

申请人： Igor Muttik ,  Duncan V. Long

发明人： Igor Muttik ,  Duncan V. Long

IPC分类号： G06F9/44 ,  G06F9/455 ,  G06F21/00

CPC分类号： G06F21/56 ,  G06F21/566

摘要： One embodiment of the present invention provides a system for emulating computer viruses and/or malicious software that operates by patching additional program instructions into an emulator in order to aid in detecting a computer virus and/or malicious software within suspect code. During operation, the system loads a first emulator extension into the emulator. This first emulator extension includes program instructions that aid in the process of emulating the suspect code in order to detect a computer virus and/or malicious software. The system also loads the suspect code into an emulator buffer. Next, the system performs an emulation using the first emulator extension and the suspect code. This emulation is performed within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the suspect code. During this emulation, the system determines whether the suspect code is likely to exhibit malicious behavior. In one embodiment of the present invention, loading the first emulator extension into the emulator involves loading the first emulator extension into the emulator buffer within the emulator. In this embodiment, performing the emulation involves emulating the program instructions that comprise the first emulator extension.

摘要翻译： 本发明的一个实施例提供了一种用于模拟计算机病毒和/或恶意软件的系统，其通过将附加程序指令修补到仿真器中来操作，以便有助于在可疑代码内检测计算机病毒和/或恶意软件。 在操作期间，系统将第一个仿真器扩展加载到仿真器中。 该第一个仿真器扩展包括程序指令，有助于仿真可疑代码的过程，以便检测计算机病毒和/或恶意软件。 系统还将可疑代码加载到仿真器缓冲区中。 接下来，系统使用第一个仿真器扩展和可疑代码执行仿真。 这种仿真在计算机系统的绝缘环境中执行，使得计算机系统与可疑代码的恶意动作隔离。 在此仿真期间，系统确定可疑代码是否可能表现出恶意行为。 在本发明的一个实施例中，将第一仿真器扩展加载到仿真器中涉及将第一仿真器扩展加载到仿真器内的仿真器缓冲器中。 在该实施例中，执行仿真涉及模拟包括第一仿真器扩展的程序指令。

公开(公告)号：US20160092697A1

公开(公告)日：2016-03-31

申请号：US14495959

申请日：2014-09-25

申请人： Alex Nayshtut ,  Ned Smith ,  Avishay Sharaga ,  Oleg Pogorelik ,  Abhilasha Bhargav-Spantzel ,  Michael Raziel ,  Avi Priev ,  Adi Shaliv ,  Igor Muttik

发明人： Alex Nayshtut ,  Ned Smith ,  Avishay Sharaga ,  Oleg Pogorelik ,  Abhilasha Bhargav-Spantzel ,  Michael Raziel ,  Avi Priev ,  Adi Shaliv ,  Igor Muttik

IPC分类号： G06F21/62 ,  G06Q30/02 ,  H04W8/06

CPC分类号： G06F21/6254 ,  G06Q30/0261 ,  H04L63/04 ,  H04L63/0414 ,  H04W4/021 ,  H04W4/21 ,  H04W8/06 ,  H04W12/00 ,  H04W12/02

摘要： In an example, a client-server platform identity architecture is disclosed. The platform identity architecture may be used to enable a venue operator to provide online services and to collect telemetry data and metrics while giving end users greater control over privacy. When entering a compatible venue, the user's device generates a signed temporary pseudonymous identity (TPI) in secure hardware or software. Any telemetry uploaded to the venue server includes the signature so that the server can verify that the data are valid. The TPI may have a built-in expiry. The venue server may thus receive useful tracking data during the term of the TPI, while the user is assured that the data are not kept permanently or correlated to personally-identifying information.

摘要翻译： 在一个示例中，公开了客户机 - 服务器平台身份架构。 平台身份架构可用于使场地运营商能够提供在线服务并收集遥测数据和指标，同时为终端用户提供更多的隐私控制。 当进入兼容的场所时，用户的设备在安全硬件或软件中生成签名的临时假名身份（TPI）。 上传到场地服务器的任何遥测包括签名，使得服务器可以验证数据是否有效。 TPI可能有内置的到期。 因此，场地服务器可以在TPI期间接收有用的跟踪数据，同时确保用户永久地保持数据或与个人识别信息相关联。

公开(公告)号：US09197654B2

公开(公告)日：2015-11-24

申请号：US13931705

申请日：2013-06-28

申请人： Omer Ben-Shalom ,  Alex Nayshtut ,  Igor Muttik

发明人： Omer Ben-Shalom ,  Alex Nayshtut ,  Igor Muttik

IPC分类号： H04L29/00 ,  H04L29/06 ,  G06F21/55 ,  G06F21/50

CPC分类号： H04L63/1416 ,  G06F21/50 ,  G06F21/55 ,  G06F21/552 ,  G06F21/554 ,  G06F21/556 ,  H04L63/0227 ,  H04L63/12 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/16

摘要： A technique allows detection of covert malware that attempts to hide network traffic. By monitoring network traffic both in a secure trusted environment and in an operating system environment, then comparing the monitor data, attempts to hide network traffic can be detected, allowing the possibility of performing rehabilitative actions on the computer system to locate and remove the malware hiding the network traffic.

摘要翻译： 一种技术允许检测隐藏恶意软件，试图隐藏网络流量。 通过监视安全受信任环境和操作系统环境中的网络流量，可以对监视数据进行比较，可以检测到隐藏网络流量的尝试，从而允许在计算机系统上执行恢复操作，以定位和删除恶意软件隐藏 网络流量。

公开(公告)号：US20150278123A1

公开(公告)日：2015-10-01

申请号：US14228842

申请日：2014-03-28

申请人： Alex Nayshtut ,  Igor Muttik ,  Roman Dementiev

发明人： Alex Nayshtut ,  Igor Muttik ,  Roman Dementiev

IPC分类号： G06F12/14

CPC分类号： G06F21/00 ,  G06F9/467 ,  G06F9/48 ,  G06F12/1441 ,  G06F21/52 ,  G06F21/554 ,  G06F21/56 ,  G06F21/566 ,  G06F2212/1016 ,  G06F2212/1052

摘要： Technologies for detecting unauthorized memory accesses include a computing device having transactional memory support. The computing device executes a transactional memory execution envelope within a security thread. Within the transactional envelope, the security thread reads one or more memory locations. The computing device detects a transactional abort originating from the transactional envelope, and determines whether a security event has occurred. A security event may include an unauthorized write to the monitored memory locations from outside the transactional envelope, including from non-transactional code. The computing device reports any security events that are detected. The computing device may execute several security threads that each monitor a different, non-overlapping memory location. The computing device may spawn a new security thread to monitor a memory location while a previous security thread is handling a transactional abort. Other embodiments are described and claimed.

摘要翻译： 用于检测未经授权的存储器访问的技术包括具有事务存储器支持的计算设备。 计算设备在安全线程内执行事务性存储器执行包络。 在事务包络内，安全线程读取一个或多个内存位置。 计算设备检测源自事务包络的事务中止，并确定是否发生了安全事件。 安全事件可能包括从事务信封之外的非监督存储器位置的非授权写入，包括非事务性代码。 计算设备报告检测到的任何安全事件。 计算设备可以执行几个安全线程，每个安全线程监视不同的，不重叠的存储器位置。 计算设备可以产生新的安全线程来监视存储器位置，同时先前的安全线程正在处理事务中止。 描述和要求保护其他实施例。