-
Publication number: US10726125B2
Publication date: 2020-07-28
Application number: US16181247
Application date: 2018-11-05
Inventors: Yanxin Zhang, Xinran Wang, Huagang Xie, Wei Xu
Abstract: Techniques for malware detection using clustering with malware source information are disclosed. In some embodiments, malware detection using clustering with malware source information includes generating a first cluster of source information associated with a first malware sample, in which the first malware sample was determined to be malware, and the first malware sample was determined to be downloaded from a first source; and determining that a second source is associated with malware based on the first cluster.
-
Publication number: US20180041521A1
Publication date: 2018-02-08
Application number: US15653381
Application date: 2017-07-18
Inventors: Yanxin Zhang, Xinran Wang, Huagang Xie, Wei Xu
CPC classification: H04L63/14, G06F17/30958, H04L29/12066, H04L61/1511, H04L61/6009, H04L63/0236, H04L63/1416, H04L63/1441
Abstract: Techniques for malware domain detection using passive Domain Name Service (DNS) are disclosed. In some embodiments, malware domain detection using passive DNS includes generating a malware association graph that associates a plurality of malware samples with malware source information, in which the malware source information includes a first domain; generating a reputation score for the first domain using the malware association graph and passive DNS information; and determining whether the first domain is a malware domain based on the reputation score for the first domain.
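The two abstracts above (US10726125B2, clustering of malware source information, and US20180041521A1, a malware association graph scored with passive DNS) describe the same idea from two angles: a domain that has never been seen serving a sample can still be associated with malware through the infrastructure it shares with domains that have. The following is an added example, not code from the patents or their assignee. Everything in it is constructed for illustration: the sample-to-domain links, the passive DNS history (reserved `.test` names and TEST-NET addresses), the shared-IP clustering rule, the direct/indirect weights and the threshold are all assumptions.

```python
"""Malware association graph + passive DNS reputation scoring (added example).

All data and weights below are constructed assumptions, not the patents' own
graph, passive DNS feed, scoring function or threshold.
"""
from collections import defaultdict, deque

# Constructed: malware samples (by hash) and the domains each was downloaded from.
SAMPLE_SOURCES = {
    "sha256:aaa": ["dl.evil-example.test"],
    "sha256:bbb": ["dl.evil-example.test", "cdn.mirror-example.test"],
    "sha256:ccc": ["cdn.mirror-example.test"],
}

# Constructed passive DNS history: domain -> IPs it has resolved to.
PASSIVE_DNS = {
    "dl.evil-example.test": {"203.0.113.10", "203.0.113.11"},
    "cdn.mirror-example.test": {"203.0.113.11"},
    "new.unknown-example.test": {"203.0.113.10"},  # never seen serving a sample
    "blog.benign-example.test": {"198.51.100.5"},
}


def build_association_graph(sample_sources):
    """Bipartite malware association graph kept as two adjacency maps."""
    sample_to_domains = defaultdict(set)
    domain_to_samples = defaultdict(set)
    for sample, domains in sample_sources.items():
        for domain in domains:
            sample_to_domains[sample].add(domain)
            domain_to_samples[domain].add(sample)
    return sample_to_domains, domain_to_samples


def shared_ip_neighbors(domain, passive_dns):
    """Domains that share at least one historical resolution IP with `domain`."""
    ips = passive_dns.get(domain, set())
    return {other for other, other_ips in passive_dns.items()
            if other != domain and ips & other_ips}


def source_cluster(domain, passive_dns):
    """Cluster of source domains reachable from `domain` over shared-IP edges (BFS)."""
    seen, queue = {domain}, deque([domain])
    while queue:
        current = queue.popleft()
        for neighbor in shared_ip_neighbors(current, passive_dns):
            if neighbor not in seen:
                seen.add(neighbor)
                queue.append(neighbor)
    return seen


def reputation_score(domain, domain_to_samples, passive_dns,
                     direct_weight=1.0, indirect_weight=0.5):
    """Hypothetical score: samples served directly count at full weight, samples
    served by domains that share an IP with `domain` count at a discount."""
    direct = len(domain_to_samples.get(domain, ()))
    indirect = sum(len(domain_to_samples.get(n, ()))
                   for n in shared_ip_neighbors(domain, passive_dns))
    return direct * direct_weight + indirect * indirect_weight


def score_domains(sample_sources=SAMPLE_SOURCES, passive_dns=PASSIVE_DNS, threshold=1.0):
    """Return {domain: (score, flagged_as_malware_domain)} for every passive DNS domain."""
    _, domain_to_samples = build_association_graph(sample_sources)
    result = {}
    for domain in passive_dns:
        score = reputation_score(domain, domain_to_samples, passive_dns)
        result[domain] = (score, score >= threshold)
    return result


if __name__ == "__main__":
    for domain, (score, flagged) in sorted(score_domains().items()):
        print(f"{domain:28s} score={score:4.1f} malware_domain={flagged}")
    print("cluster of dl.evil-example.test:",
          sorted(source_cluster("dl.evil-example.test", PASSIVE_DNS)))
```

With this data `new.unknown-example.test` is flagged purely through the cluster it shares with `dl.evil-example.test`, which is the point of the technique; it is also the failure mode to watch, since a shared CDN or bulk-hosting IP would pull benign domains into the same cluster. A production scorer would discount an IP edge by the number of domains resolving to that IP and by how recently the overlap was observed.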
-
Publication number: US09542556B2
Publication date: 2017-01-10
Application number: US14855296
Application date: 2015-09-15
Inventors: Kyle Sanders, Xinran Wang
CPC classification: G06F21/566, G06F21/53, G06F21/567, G06F2221/033, H04L63/02, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441, H04L63/145
Abstract: A potential malware sample is received from a security device at a server associated with a security cloud service. The sample is executed in a sandbox environment on the server, including by monitoring interaction of the sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log. It is determined whether the sample is associated with a known malware family including by determining, based at least in part on the API log, if the sample created an executable file and if the sample registered the executable file in a run key. If it is determined that the sample is associated with a known malware family, then an alert is generated.
-
Publication number: US20160269443A1
Publication date: 2016-09-15
Application number: US15067048
Application date: 2016-03-10
Inventors: Bo Qu, Kyle Sanders, Xinran Wang
IPC classification: H04L29/06
CPC classification: H04L63/20, G06F21/52, G06F21/55, G06F21/56, H04L63/0245, H04L63/10, H04L63/1416, H04L63/1425
Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray in memory while executing the program in the virtual environment. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray related malware in response to a modification of an execution environment in the virtual environment.
-
Publication number: US20160048683A1
Publication date: 2016-02-18
Application number: US14855296
Application date: 2015-09-15
Inventors: Kyle Sanders, Xinran Wang
CPC classification: G06F21/566, G06F21/53, G06F21/567, G06F2221/033, H04L63/02, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441, H04L63/145
Abstract: A potential malware sample is received from a security device at a server associated with a security cloud service. The sample is executed in a sandbox environment on the server, including by monitoring interaction of the sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log. It is determined whether the sample is associated with a known malware family including by determining, based at least in part on the API log, if the sample created an executable file and if the sample registered the executable file in a run key. If it is determined that the sample is associated with a known malware family, then an alert is generated.
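The abstract shared by US09542556B2 and its application publication US20160048683A1 reduces a family match to two events that must both appear in the sandbox API log: the sample wrote an executable, and it then registered that same file under a Run key. Below is an added example of that check, not code from the patents or from the sandbox they describe. The log format (one call per line as `ApiName key=value ...`), the two sample logs, the API names treated as "file create" and "registry set", and the family label `hypothetical-family-A` are all constructed for this example.

```python
"""Profile-signature check over a sandbox API log (added example).

Log format, sample lines, API name sets and the family label are assumptions
made for illustration, not the patents' sandbox format or signature data.
"""
import re

# Constructed log: the sample drops an executable and persists through the Run key.
API_LOG = r"""
NtCreateFile path=C:\Users\victim\AppData\Roaming\updater.exe access=GENERIC_WRITE
NtWriteFile path=C:\Users\victim\AppData\Roaming\updater.exe bytes=184320
RegOpenKeyExW key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RegSetValueExW key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run name=Updater data=C:\Users\victim\AppData\Roaming\updater.exe
NtCreateFile path=C:\Users\victim\Documents\notes.txt access=GENERIC_WRITE
"""

# Constructed log: an executable is written but nothing is registered for autorun.
NO_PERSISTENCE_LOG = r"""
NtCreateFile path=C:\Users\victim\AppData\Local\Temp\setup.exe access=GENERIC_WRITE
RegSetValueExW key=HKCU\Software\Example\Settings name=Theme data=dark
"""

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")
RUN_KEY_MARKER = r"\currentversion\run"          # also matches ...\RunOnce
FILE_CREATE_APIS = {"ntcreatefile", "createfilew", "createfilea"}
REG_SET_APIS = {"regsetvalueexw", "regsetvalueexa", "ntsetvaluekey"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_api_log(text):
    """Yield (api_name_lowercase, {key: value}) for each non-empty log line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        api, _, rest = line.partition(" ")
        yield api.lower(), dict(_KV.findall(rest))


def match_profile(text):
    """Profile signature: the sample created an executable AND registered that
    same file under a Run/RunOnce key. Returns the evidence and the verdict."""
    created = []
    for api, args in parse_api_log(text):
        path = args.get("path", "")
        if api in FILE_CREATE_APIS and path.lower().endswith(EXECUTABLE_SUFFIXES):
            if path not in created:
                created.append(path)

    registered = []
    for api, args in parse_api_log(text):
        key = args.get("key", "").lower()
        data = args.get("data", "").strip('"').lower()
        if api in REG_SET_APIS and RUN_KEY_MARKER in key:
            # Only count it if the value points at an executable this sample wrote.
            if any(c.lower() in data for c in created):
                registered.append((args.get("name", ""), data))

    return {"created_executables": created,
            "run_key_registrations": registered,
            "matched": bool(created) and bool(registered)}


def alert_for(sample_id, text, family="hypothetical-family-A"):
    """Return an alert line when the profile signature matches, else None."""
    result = match_profile(text)
    if not result["matched"]:
        return None
    dropped = ", ".join(result["created_executables"])
    return f"ALERT sample={sample_id} family={family} dropped={dropped} persisted_via_run_key=True"


if __name__ == "__main__":
    print(alert_for("sample-1", API_LOG))
    print(alert_for("sample-2", NO_PERSISTENCE_LOG))
```

The link between the two events matters: a sample that writes an installer and separately sets an unrelated Run value would satisfy each condition on its own, so the check requires the Run value's data to name an executable the same sample created. Real sandboxes see the executable path through several APIs (object-manager prefixes, 8.3 short names, quoted paths with arguments), so path normalisation is where a production version of this signature does most of its work.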
-
Publication number: US09165142B1
Publication date: 2015-10-20
Application number: US13754789
Application date: 2013-01-30
Inventors: Kyle Sanders, Xinran Wang
CPC classification: G06F21/566, G06F21/53, G06F21/567, G06F2221/033, H04L63/02, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441, H04L63/145
Abstract: Techniques for malware family identification using profile signatures are disclosed. In some embodiments, malware identification using profile signatures includes executing a potential malware sample in a virtual machine environment (e.g., a sandbox); and determining whether the potential malware sample is associated with a known malware family based on a profile signature. In some embodiments, the virtual machine environment is an instrumented virtual machine environment for monitoring potential malware samples during execution.
-
Publication number: US10019575B1
Publication date: 2018-07-10
Application number: US13954860
Application date: 2013-07-30
Inventors: Xinran Wang, Huagang Xie
CPC classification: G06F21/565, G06F9/45558, G06F21/566, G06F2009/45587
Abstract: Evaluating a potentially malicious sample using a copy-on-write overlay is disclosed. A first virtual machine instance is initialized as a copy-on-write overlay associated with an original virtual machine image. The first virtual machine image is started and a first sample is executed. A second virtual machine instance is initialized as a copy-on-write overlay associated with a second original virtual machine image. The second virtual machine image is started and a second sample is executed. The first and second samples are executed at an overlapping time.
-
Publication number: US09143522B2
Publication date: 2015-09-22
Application number: US14018323
Application date: 2013-09-04
Inventors: Xinran Wang, Huagang Xie
CPC classification: H04L63/1416, G06F21/552, H04L63/0236, H04L63/1425, H04L63/1433, H04L67/02, H04L69/22, H04L2463/144
Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
-
Publication number: US20140090059A1
Publication date: 2014-03-27
Application number: US14018323
Application date: 2013-09-04
Inventors: Xinran Wang, Huagang Xie
IPC classification: H04L29/06
CPC classification: H04L63/1416, G06F21/552, H04L63/0236, H04L63/1425, H04L63/1433, H04L67/02, H04L69/22, H04L2463/144
Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
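The abstract shared by US09143522B2 and its application publication US20140090059A1 describes a three-step scoring loop: give monitored traffic a score from one heuristic, raise it when additional suspicious behaviours correlate on the same traffic, and decide against a threshold. The following is an added example of that loop over flow records, not the patents' detector. The flow records, the two heuristics (near-constant-interval beaconing to one destination, and fan-out to many hosts on one port), the point values, the correlation bonus and the threshold are all assumptions made for this example.

```python
"""Heuristic botnet scoring over flow records (added example).

Flows, heuristics, point values, correlation bonus and threshold are all
constructed assumptions, not the patents' heuristics or parameters.
"""
import statistics
from collections import defaultdict

# Flow record: (timestamp_seconds, src_ip, dst_ip, dst_port). Constructed data:
# 10.0.0.5 checks in with one host about every 60 s, then sweeps 30 hosts on 445;
# 10.0.0.9 makes a few irregular HTTPS connections.
BEACON_FLOWS = [(t, "10.0.0.5", "203.0.113.7", 8080) for t in (0, 60, 119, 181, 240, 301)]
FANOUT_FLOWS = [(400 + i, "10.0.0.5", f"192.0.2.{i}", 445) for i in range(1, 31)]
BROWSING_FLOWS = [(5, "10.0.0.9", "198.51.100.20", 443), (97, "10.0.0.9", "198.51.100.21", 443),
                  (110, "10.0.0.9", "198.51.100.22", 443), (530, "10.0.0.9", "198.51.100.20", 443)]
FLOWS = BEACON_FLOWS + FANOUT_FLOWS + BROWSING_FLOWS

BEACON_POINTS, FANOUT_POINTS, CORRELATION_BONUS, BOTNET_THRESHOLD = 3, 3, 2, 6


def beaconing(flows, min_flows=5, max_cv=0.15, min_interval=10):
    """Per source: a (dst, port) contacted at near-constant intervals, the shape
    of a C2 check-in. Regularity is measured as stdev/mean of the gaps."""
    by_conn = defaultdict(list)
    for ts, src, dst, port in flows:
        by_conn[(src, dst, port)].append(ts)
    hits = defaultdict(list)
    for (src, dst, port), stamps in by_conn.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean >= min_interval and statistics.pstdev(gaps) / mean <= max_cv:
            hits[src].append(f"beaconing to {dst}:{port} every ~{mean:.0f}s")
    return hits


def fan_out(flows, min_hosts=20):
    """Per source: many distinct destinations on one port (scanning / spreading)."""
    hosts = defaultdict(set)
    for _, src, dst, port in flows:
        hosts[(src, port)].add(dst)
    hits = defaultdict(list)
    for (src, port), dsts in hosts.items():
        if len(dsts) >= min_hosts:
            hits[src].append(f"fan-out to {len(dsts)} hosts on port {port}")
    return hits


def score_hosts(flows=FLOWS):
    """Assign each source a score, raise it when independent heuristics correlate
    on the same host, and decide botnet membership against a threshold."""
    evidence = defaultdict(list)
    scores = defaultdict(int)
    for src, findings in beaconing(flows).items():
        scores[src] += BEACON_POINTS
        evidence[src] += findings
    for src, findings in fan_out(flows).items():
        scores[src] += FANOUT_POINTS
        evidence[src] += findings
    report = {}
    for src in {src for _, src, _, _ in flows}:
        kinds = {e.split(" ")[0] for e in evidence[src]}   # distinct heuristic families
        if len(kinds) >= 2:
            scores[src] += CORRELATION_BONUS
            evidence[src].append("correlated: multiple independent heuristics fired")
        report[src] = {"score": scores[src], "evidence": evidence[src],
                       "botnet": scores[src] >= BOTNET_THRESHOLD}
    return report


if __name__ == "__main__":
    for src, entry in sorted(score_hosts().items()):
        print(src, entry["score"], entry["botnet"], entry["evidence"])
```

Neither heuristic alone reaches the threshold here (3 < 6), which is deliberate: periodic traffic on its own also describes software update checks and monitoring agents, and a burst of connections on one port also describes a legitimate inventory scan. The score crosses the line only when the two behaviours correlate on the same host, which is the property the abstract describes and the reason a single-heuristic alert would be noisier.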
-
Publication number: US09811665B1
Publication date: 2017-11-07
Application number: US13954815
Application date: 2013-07-30
Inventors: Zhi Xu, Xinran Wang, Huagang Xie
IPC classification: G06F21/56
CPC classification: G06F21/566, G06F21/562
Abstract: Techniques for performing static and dynamic analysis on a mobile device application are disclosed. Static analysis is performed on a mobile device application using a static analysis engine. A static analysis report is generated. Dynamic analysis of the application is performed using a dynamic analysis engine. The dynamic analysis performed is customized based on results of the static analysis. A determination of whether the application is malicious is made based at least on the dynamic analysis.