Method and apparatus to detect malicious software
    1.
    发明申请
    Method and apparatus to detect malicious software 有权
    检测恶意软件的方法和装置

    公开(公告)号:US20050028002A1

    公开(公告)日:2005-02-03

    申请号:US10629292

    申请日:2003-07-29

    IPC分类号: G06F11/30 G06F21/00

    CPC分类号: G06F21/562

    摘要: A technique for finding malicious code such as viruses in an executable binary file converts the executable binary to a function unique form to which function unique forms of virus code may be compared. By avoiding direct comparison of the expression of the viral code but looking instead at its function, obfuscation techniques intended to hide the virus code are substantially reduced in effectiveness.

    摘要翻译: 在可执行二进制文件中查找恶意代码(如病毒)的技术将可执行二进制文件转换为可以比较功能唯一形式的病毒代码的功能唯一形式。 通过避免病毒代码的表达的直接比较,而不是看其功能,旨在隐藏病毒代码的混淆技术的有效性大大降低。

    Method and apparatus to detect malicious software
    3.
    发明授权
    Method and apparatus to detect malicious software 有权
    检测恶意软件的方法和装置

    公开(公告)号:US07739737B2

    公开(公告)日:2010-06-15

    申请号:US10629292

    申请日:2003-07-29

    CPC分类号: G06F21/562

    摘要: A technique for finding malicious code such as viruses in an executable binary file converts the executable binary to a function unique form to which function unique forms of virus code may be compared. By avoiding direct comparison of the expression of the viral code but looking instead at its function, obfuscation techniques intended to hide the virus code are substantially reduced in effectiveness.

    摘要翻译: 在可执行二进制文件中查找恶意代码(如病毒)的技术将可执行二进制文件转换为可以比较功能唯一形式的病毒代码的功能唯一形式。 通过避免病毒代码的表达的直接比较,而不是看其功能,旨在隐藏病毒代码的混淆技术的有效性大大降低。

    User identification using multifaceted footprints
    4.
    发明授权
    User identification using multifaceted footprints 有权
    用户识别使用多面脚印

    公开(公告)号:US09003025B2

    公开(公告)日:2015-04-07

    申请号:US13542422

    申请日:2012-07-05

    IPC分类号: G06F15/173 G06F21/32

    摘要: A method for identifying an unknown user according to a plurality of facets of user activity in a plurality of contexts includes receiving a plurality of priors for the facets with respect to the contexts, receiving a plurality of footprints of known users, aggregating the footprints of the users to determine an ensemble prior, receiving a plurality of network traces relevant to an unknown user in a computer environment, matching the network traces against each of the footprints to determine a plurality of matches, aggregating the matches using the ensemble prior according to the facets and the contexts, and outputting a probable user identity for the unknown user.

    摘要翻译: 根据多个上下文中的用户活动的多个方面来识别未知用户的方法包括:针对所述上下文接收所述方面的多个先验,接收已知用户的多个覆盖区, 用户在先前确定集合,在计算机环境中接收与未知用户相关的多个网络迹线,将网络跟踪与每个足迹匹配以确定多个匹配,以根据小平面先前使用集合聚合匹配 和上下文,并为未知用户输出可能的用户身份。

    Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network
    5.
    发明授权
    Method and apparatus for detecting unauthorized bulk forwarding of sensitive data over a network 有权
    用于检测通过网络的敏感数据的未经批准转发的方法和装置

    公开(公告)号:US08938511B2

    公开(公告)日:2015-01-20

    申请号:US13494101

    申请日:2012-06-12

    IPC分类号: G06F15/16 H04L12/58

    摘要: Methods and apparatus are provided for detecting unauthorized bulk forwarding of sensitive data over a network. A bulk forwarding of email from a first network environment is automatically detected by determining an arrival rate for internal emails received from within the first network environment into one or more user accounts; determining a sending rate for external emails sent from the one or more user accounts to a second network environment; and detecting the bulk forwarding of email from a given user account by comparing the arrival rate for internal emails and the sending rate for external emails. The bulk forwarding of email from a given user account can be detected by determining whether statistical models of the arrival rate for internal emails and of the sending rate for external emails are correlated in time.

    摘要翻译: 提供了用于检测通过网络的敏感数据的未授权批量转发的方法和装置。 通过确定从第一网络环境中接收的内部电子邮件的到达率到一个或多个用户帐户,自动检测来自第一网络环境的电子邮件的批量转发; 确定从所述一个或多个用户帐户发送到第二网络环境的外部电子邮件的发送速率; 并通过比较内部电子邮件的到达率和外部电子邮件的发送速率来检测来自给定用户帐户的电子邮件的批量转发。 通过确定内部电子邮件到达率的统计模型和外部电子邮件的发送速率是否及时相关,可以检测到来自给定用户帐户的电子邮件的批量转发。

    HIGH-THROUGHPUT DATA INTEGRITY VIA TRUSTED COMPUTING

    公开(公告)号:US20190268308A1

    公开(公告)日:2019-08-29

    申请号:US16189818

    申请日:2018-11-13

    IPC分类号: H04L29/06 H04L29/08 G06F17/30

    摘要: Verification system and methods are provided for allowing database server responses to be verified. A proxy device may maintain a data structure (e.g., a Merkle B+-tree) within a secure memory space (e.g., an Intel SGX enclave) associated with a protected application. In some embodiments, the data structure may comprise hashed values representing hashed versions of the data managed by the database server. The proxy may intercept client requests submitted from a client device and forward such requests to the database server. Responses from the database server may be verified using the data structure (e.g., the hashes contained in the Merkle B+-tree). If the data is verified by the proxy device, the response may be transmitted to the client device.

    OPTIMIZING PERFORMANCE OF INTEGRITY MONITORING
    8.
    发明申请
    OPTIMIZING PERFORMANCE OF INTEGRITY MONITORING 有权
    优化性能监测

    公开(公告)号:US20110258610A1

    公开(公告)日:2011-10-20

    申请号:US12761952

    申请日:2010-04-16

    IPC分类号: G06F11/30 G06F9/44

    摘要: A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application programs processing space that impact proper execution impact program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. The run-time monitoring detects when a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system. This agent requests the values of the data elements, and determines if invariants that have been previously computed hold true or not under the set of retrieved data values.

    摘要翻译: 一种用于验证计算设备上正在运行的应用程序的完整性的系统,方法和计算机程序产品。 该方法包括:将入口点确定为影响适当执行影响程序完整性的应用程序处理空间; 将从所确定的入口点到达的数据元素映射到要验证的应用正在运行的主机系统的存储器空间中; 在存储器空间中的运行时监视,以潜在地破坏程序完整性的方式潜在地修改数据元素; 并启动对潜在修改的响应。 运行时监视检测数据事务(例如写入事件)何时到达恶意代理的入口点,触发对应的存储器钩子,并将控制传递到在被监视系统外部运行的安全代理。 该代理请求数据元素的值,并确定先前计算的不变量是否在检索的数据值集合下保持为真。

    Optimizing performance of integrity monitoring
    9.
    发明授权
    Optimizing performance of integrity monitoring 有权
    优化完整性监控的性能

    公开(公告)号:US08949797B2

    公开(公告)日:2015-02-03

    申请号:US12761952

    申请日:2010-04-16

    摘要: A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application programs processing space that impact proper execution impact program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. The run-time monitoring detects when a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system. This agent requests the values of the data elements, and determines if invariants that have been previously computed hold true or not under the set of retrieved data values.

    摘要翻译: 一种用于验证计算设备上正在运行的应用程序的完整性的系统,方法和计算机程序产品。 该方法包括:将入口点确定为影响适当执行影响程序完整性的应用程序处理空间; 将从所确定的入口点到达的数据元素映射到要验证的应用正在运行的主机系统的存储器空间中; 在存储器空间中的运行时监视,以潜在地破坏程序完整性的方式潜在地修改数据元素; 并启动对潜在修改的响应。 运行时监视检测数据事务(例如写入事件)何时到达恶意代理的入口点,触发对应的存储器钩子,并将控制传递到在被监视系统外部运行的安全代理。 该代理请求数据元素的值,并确定先前计算的不变量是否在检索的数据值集合之前成立。

    Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion
    10.
    发明申请
    Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion 审中-公开
    计算机入侵后影响网络资源自动识别的方法与装置

    公开(公告)号:US20130333041A1

    公开(公告)日:2013-12-12

    申请号:US13494108

    申请日:2012-06-12

    IPC分类号: G06F21/00

    CPC分类号: G06F21/55 G06F21/568

    摘要: Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines.

    摘要翻译: 提供了方法和装置,用于在计算机入侵之后自动识别受影响的网络资源。 可以通过从外部源收集有关外部系统的信息来识别受计算机入侵影响的网络资源; 通过将信息与与外部系统交互的内部系统的内部信息相关联,得出内部网络上的一个或多个受影响的内部系统的列表; 以及识别与所述一个或多个受影响的内部系统相关联的一个或多个用户帐户。 还可以可选地识别驻留在由一个或多个用户帐户访问的系统上的数据。 可以选择性地呈现可能受到计算机入侵影响的网络资源的列表。 受影响的网络资源可以是例如服务器,服务和/或客户端机器。