-
Publication (announcement) number: US07487544B2
Publication (announcement) date: 2009-02-03
Application number: US10208432
Filing date: 2002-07-30
IPC classification: G06F21/00
CPC classification: H04L63/145 , G06F21/562
Abstract: A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
-
Publication (announcement) number: US07979907B2
Publication (announcement) date: 2011-07-12
Application number: US12338479
Filing date: 2008-12-18
CPC classification: H04L63/145 , G06F21/562
Abstract: A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
-
Publication (announcement) number: US20090254992A1
Publication (announcement) date: 2009-10-08
Application number: US12338479
Filing date: 2008-12-18
IPC classification: G06F21/00
CPC classification: H04L63/145 , G06F21/562
Abstract: A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
-
Publication (announcement) number: US09355109B2
Publication (announcement) date: 2016-05-31
Application number: US13159039
Filing date: 2011-06-13
Applicants: Shrikar Archak , Sagar Dixit , Richard P. Spillane , Erez Zadok
Inventors: Shrikar Archak , Sagar Dixit , Richard P. Spillane , Erez Zadok
CPC classification: G06F17/30094 , C12Q1/6886 , C12Q2600/158 , G06F12/0802 , G06F17/30132 , G06F2212/225
Abstract: A method for maintaining an index in a multi-tier data structure includes providing a plurality of storage devices forming the multi-tier data structure, caching an index of key-value pairs across the multi-tier data structure, wherein each of the key-value pairs includes a key, and one of a data value and a data pointer, the key-value pairs stored in the multi-tier data structure, providing a journal for interfacing with the multi-tier data structure, providing a plurality of zone allocators recording which zones of the multi-tier data structure are in use, and providing a plurality of zone managers for controlling access to cache lines of the multi-tier data structure through the journal and zone allocators, wherein each zone manager maintains a header object pointing to data to be stored in an allocated zone.
-
Publication (announcement) number: US20050273858A1
Publication (announcement) date: 2005-12-08
Application number: US10862212
Filing date: 2004-06-07
Applicants: Erez Zadok , Charles Wright , Akshat Aranya , Abhijith Das , Yevgeniy Miretskiy , Kiran-Kumar Muniswamy-Reddy , Andrew Himmer
Inventors: Erez Zadok , Charles Wright , Akshat Aranya , Abhijith Das , Yevgeniy Miretskiy , Kiran-Kumar Muniswamy-Reddy , Andrew Himmer
CPC classification: G06F21/56 , G06F21/50 , G06F21/6218 , G06F21/78 , H04L67/06 , H04L67/1097
Abstract: An operating system kernel, including a protocol stack, includes a network layer for receiving a message from a data network, a stackable file system layer coupled to the network layer for inspecting the message, wherein the stackable file system layer is coupled to a storage device, the stackable file system determining and storing file system level information determined from the message, and a wrapped file system comprising a file targeted by the message, coupled to the stackable file system layer for receiving the message inspected by the stackable file system.
-
Publication (announcement) number: US20120072656A1
Publication (announcement) date: 2012-03-22
Application number: US13159039
Filing date: 2011-06-13
Applicants: Shrikar Archak , Sagar Dixit , Richard P. Spillane , Erez Zadok
Inventors: Shrikar Archak , Sagar Dixit , Richard P. Spillane , Erez Zadok
IPC classification: G06F12/08
CPC classification: G06F17/30094 , C12Q1/6886 , C12Q2600/158 , G06F12/0802 , G06F17/30132 , G06F2212/225
Abstract: A method for maintaining an index in a multi-tier data structure includes providing a plurality of storage devices forming the multi-tier data structure, caching an index of key-value pairs across the multi-tier data structure, wherein each of the key-value pairs includes a key, and one of a data value and a data pointer, the key-value pairs stored in the multi-tier data structure, providing a journal for interfacing with the multi-tier data structure, providing a plurality of zone allocators recording which zones of the multi-tier data structure are in use, and providing a plurality of zone managers for controlling access to cache lines of the multi-tier data structure through the journal and zone allocators, wherein each zone manager maintains a header object pointing to data to be stored in an allocated zone.
-