1. Method and system for processing packet flows, and computer program product therefor
    Patent application, status: pending (published)

    Publication number: US20090217369A1

    Publication date: 2009-08-27

    Application number: US11919906

    Filing date: 2005-05-04

    IPC classification: G06F21/00 H04L12/26

    Abstract: Packet flows are processed, e.g. to perform an intrusion detection function in a communication network, by means of a multiprocessor system including a plurality of processing units. The packets are distributed for processing among the processing units via a distribution function. Such a distribution function is selectively allotted to one of the processing units of the plurality. A preferred embodiment of the arrangement involves using a single Symmetric Multi-Processor machine with a single network port on a Gigabit/sec link. The corresponding system architecture does not require any intermediate device, or any external load balancing mechanism. All the processing work is performed on a single system, which is able to dynamically balance the traffic load among the several independent CPUs. By resorting to a specific scheduling arrangement, such a system is able to effectively distribute the computations required to perform both the load-balancing and the detection operations.
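A worked model of the distribution function described in the abstract, added here as an illustration; it is not code from the patent. It assumes a direction-independent 5-tuple as the flow key, a least-loaded-worker policy for new flows and a single constructed signature, and the packet trace is constructed too. The point it makes is the one an IDS engineer cares about: the distributor is ordinary code on one of the CPUs, and it must pin every packet of a flow (both directions) to one worker, otherwise a signature split across two segments is missed, as the round-robin variant shows.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto length payload")

# Constructed signature; a real IDS carries thousands.
SIGNATURES = [b"/etc/passwd"]
MAX_SIG = max(len(s) for s in SIGNATURES)


def flow_key(pkt):
    """Direction-independent 5-tuple: A->B and B->A map to the same key,
    so one worker sees the whole conversation."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo, hi)


class Worker:
    """One detection CPU. Keeps a per-flow tail so a signature that is
    split across two packets is still matched."""
    def __init__(self):
        self.streams = {}
        self.alerts = []

    def process(self, pkt):
        key = flow_key(pkt)
        buf = self.streams.get(key, b"") + pkt.payload
        hits = [s for s in SIGNATURES if s in buf]
        for s in hits:
            self.alerts.append((key, s))
        # after a hit drop the buffer so the same bytes are not reported twice
        self.streams[key] = b"" if hits else buf[-(MAX_SIG - 1):]


class FlowDistributor:
    """The distribution function, run as ordinary code on one of the CPUs:
    no intermediate device and no external load balancer."""
    def __init__(self, workers):
        self.workers = workers
        self.flow_to_worker = {}
        self.load = [0] * len(workers)      # bytes handed to each worker

    def dispatch(self, pkt):
        key = flow_key(pkt)
        w = self.flow_to_worker.get(key)
        if w is None:
            # new flow: pin it to the currently least-loaded worker
            w = min(range(len(self.workers)), key=self.load.__getitem__)
            self.flow_to_worker[key] = w
        self.load[w] += pkt.length
        self.workers[w].process(pkt)
        return w


def run_flow_affine(packets, n_workers):
    workers = [Worker() for _ in range(n_workers)]
    dist = FlowDistributor(workers)
    placement = {flow_key(p): dist.dispatch(p) for p in packets}
    alerts = [a for w in workers for a in w.alerts]
    return alerts, placement, dist.load


def run_round_robin(packets, n_workers):
    """Per-packet spraying, for contrast: no flow affinity."""
    workers = [Worker() for _ in range(n_workers)]
    for i, p in enumerate(packets):
        workers[i % n_workers].process(p)
    return [a for w in workers for a in w.alerts]


def client(payload, sport=40000):
    return Packet("10.0.0.5", sport, "10.0.0.9", 80, "tcp", len(payload), payload)


def server(payload, dport=40000):
    return Packet("10.0.0.9", 80, "10.0.0.5", dport, "tcp", len(payload), payload)


# Constructed trace: the attack string is split across two segments.
TRACE = [
    client(b"GET /../../etc/pa"),
    client(b"sswd HTTP/1.0\r\n\r\n"),
    server(b"HTTP/1.0 403 Forbidden\r\n\r\n"),
    client(b"GET /index.html HTTP/1.0\r\n\r\n", sport=40001),
    server(b"HTTP/1.0 200 OK\r\n\r\n", dport=40001),
    client(b"GET /logo.png HTTP/1.0\r\n\r\n", sport=40002),
]

if __name__ == "__main__":
    alerts, placement, load = run_flow_affine(TRACE, 2)
    print("flow-affine alerts:", alerts, "per-worker load:", load)
    print("round-robin alerts:", run_round_robin(TRACE, 2))
```

With two workers the flow-affine run raises one alert and spreads the three flows over both CPUs; the round-robin run sees the two halves of the attack string on different CPUs and raises none.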

3. Method And System For Network Intrusion Detection, Related Network And Computer Program Product
    Patent application, status: in force

    Publication number: US20070214504A1

    Publication date: 2007-09-13

    Application number: US10594306

    Filing date: 2004-03-30

    IPC classification: G08B23/00

    CPC classification: H04L63/1408

    Abstract: A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols. The system includes a monitoring module configured for monitoring data flows in the network, a protocol identification engine configured for detecting information on the application layer protocols involved in the monitored data flows, and an intrusion detection module configured for operating based on the information on application layer protocols detected. Intrusion detection is thus provided independently of any predefined association between the network ports and the application layer protocols.

4. Method and system for network intrusion detection, related network and computer program product
    Granted patent, status: in force

    Publication number: US08042182B2

    Publication date: 2011-10-18

    Application number: US10594306

    Filing date: 2004-03-30

    CPC classification: H04L63/1408

    Abstract: A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols. The system includes a monitoring module configured for monitoring data flows in the network, a protocol identification engine configured for detecting information on the application layer protocols involved in the monitored data flows, and an intrusion detection module configured for operating based on the information on application layer protocols detected. Intrusion detection is thus provided independently of any predefined association between the network ports and the application layer protocols.
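An added example for entries 3 and 4 (the application and the granted patent share this abstract), written here as an illustration and not taken from the patent: a small protocol identification engine that classifies a flow from the first bytes the client sends, and an inspection step that selects the rule set by the identified protocol rather than by destination port. The heuristics (SSH banner, TLS ClientHello record header, HTTP request line, SMTP greeting), the rule sets and the sample flows are all constructed; a port-based variant is included for contrast.

```python
import re

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_HELLO = re.compile(rb"^(EHLO|HELO) \S+\r\n", re.I)


def identify_protocol(client_bytes):
    """Classify a flow from the first bytes the client sends, ignoring the port."""
    if client_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS: record type 22 (handshake), version 3.x, first handshake message
    # type 1 (ClientHello) right after the 5-byte record header
    if (len(client_bytes) >= 6 and client_bytes[0] == 0x16
            and client_bytes[1] == 0x03 and client_bytes[5] == 0x01):
        return "tls"
    if HTTP_REQ.match(client_bytes):
        return "http"
    if SMTP_HELLO.match(client_bytes):
        return "smtp"
    return "unknown"


# Constructed per-protocol rule sets: (pattern, rule name).
RULES = {
    "http": [(rb"\.\./\.\./", "http-directory-traversal"),
             (rb"(?i)<script>", "http-xss-probe")],
    "smtp": [(rb"(?im)^VRFY ", "smtp-user-enumeration")],
    "ssh": [(rb"^SSH-1\.", "ssh-v1-client")],
}

# What a conventional port-based IDS would assume.
PORT_MAP = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}


def inspect_flow(dport, client_bytes, port_based=False):
    """Pick the rule set by identified protocol (default) or, for contrast,
    by destination port. Returns (protocol, list of rule names that fired)."""
    if port_based:
        proto = PORT_MAP.get(dport, "unknown")
    else:
        proto = identify_protocol(client_bytes)
    hits = [name for pat, name in RULES.get(proto, ())
            if re.search(pat, client_bytes)]
    return proto, hits


# Constructed flows: the interesting ones run on non-standard ports.
HTTP_ON_8080 = b"GET /../../etc/passwd HTTP/1.0\r\nHost: 10.0.0.9\r\n\r\n"
SSH_ON_80 = b"SSH-2.0-OpenSSH_9.0\r\n"
TLS_ON_8443 = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
SMTP_ON_2525 = b"EHLO mail.example\r\nVRFY root\r\n"

if __name__ == "__main__":
    for port, data in ((8080, HTTP_ON_8080), (80, SSH_ON_80),
                       (8443, TLS_ON_8443), (2525, SMTP_ON_2525)):
        print(port, "content:", inspect_flow(port, data),
              "port-based:", inspect_flow(port, data, port_based=True))
```

The traversal attempt on port 8080 and the VRFY enumeration on port 2525 fire only when the rule set is chosen by identified protocol; the port-based variant applies no rules to them (port unknown) and applies HTTP rules to the SSH banner on port 80.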

5. Method and system for mobile network security, related network and computer program product
    Granted patent, status: in force

    Publication number: US08443439B2

    Publication date: 2013-05-14

    Application number: US12225686

    Filing date: 2006-10-31

    IPC classification: G06F12/14

    Abstract: A honeypot system for protecting a mobile communication network against malware includes one or more user-less mobile devices including a monitoring module for monitoring the events conveying software applications in the associated mobile device as well as a controller client module that emulates human-like interaction with the user-less devices as a function of the events monitored. The system controllably performs, for the applications conveyed by the events monitored, one or more of the following steps: i) installing the application on the device; ii) executing the application installed on the device; and iii) de-installing the application from the device. After any of these steps, the state of the device is checked in order to detect if any anomalous variation has occurred in the state of the device indicative of the device being exposed to the risk of malware. If any anomalous variation is detected, the system issues a malware alert message.

6. Method and System for Mobile Network Security, Related Network and Computer Program Product
    Patent application, status: in force

    Publication number: US20090144823A1

    Publication date: 2009-06-04

    Application number: US12225686

    Filing date: 2006-10-31

    IPC classification: H04L9/00

    Abstract: A honeypot system for protecting a mobile communication network against malware includes one or more user-less mobile devices including a monitoring module for monitoring the events conveying software applications in the associated mobile device as well as a controller client module that emulates human-like interaction with the user-less devices as a function of the events monitored. The system controllably performs, for the applications conveyed by the events monitored, one or more of the following steps: i) installing the application on the device; ii) executing the application installed on the device; and iii) de-installing the application from the device. After any of these steps, the state of the device is checked in order to detect if any anomalous variation has occurred in the state of the device indicative of the device being exposed to the risk of malware. If any anomalous variation is detected, the system issues a malware alert message.
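An added example for entries 5 and 6, an illustration and not the patent's code: the install / execute / de-install loop of the honeypot controller with a state check after every step. The device is a constructed stand-in (a few sets standing for the file system, process list, outbound connections and sent SMS), the emulated "human" interaction is simply calling each step, and the anomaly policy is the one that follows from a user-less device: nobody asked for an SMS, an install or removal should not touch the network, a sample may only write under its own directory, and after de-installation the device must be back at the pre-install baseline. Both sample applications are constructed.

```python
import copy


class Device:
    """Constructed stand-in for a user-less handset. The fields are the
    state the monitoring module reads back from the device after a step."""
    def __init__(self):
        self.files = {"/system/bin/sh", "/system/app/Phone.apk"}
        self.processes = set()
        self.connections = set()   # outbound (host, port) pairs
        self.sms_out = []          # (number, text) sent from the device
        self.installed = set()

    def snapshot(self):
        return copy.deepcopy(vars(self))


class App:
    """A sample conveyed by a monitored event (MMS, Bluetooth push, ...),
    with the three controllable steps of the abstract as callables."""
    def __init__(self, name, install, execute, uninstall):
        self.name, self.dir = name, f"/data/app/{name}/"
        self.install, self.execute, self.uninstall = install, execute, uninstall


def check(step, app, baseline, before, after):
    """Anomalous variations between the device state before and after a step;
    for de-installation the reference is the pre-install baseline."""
    found = []
    stray = sorted(f for f in after["files"] - before["files"]
                   if not f.startswith(app.dir))
    if stray:
        found.append(f"{step}: wrote outside {app.dir}: {stray}")
    if len(after["sms_out"]) > len(before["sms_out"]):
        found.append(f"{step}: unsolicited SMS {after['sms_out'][len(before['sms_out']):]}")
    new_conn = after["connections"] - before["connections"]
    if step != "execute" and new_conn:
        found.append(f"{step}: network activity outside execution: {sorted(new_conn)}")
    if step == "uninstall":
        for field in ("files", "processes", "installed"):
            residue = after[field] - baseline[field]
            if residue:
                found.append(f"uninstall: residual {field}: {sorted(residue)}")
    return found


def run_sample(app):
    """Controller loop: emulate the user accepting the install prompt,
    launching the app and removing it, checking the state after each step.
    Returns the malware alert messages (empty means the sample looked clean)."""
    dev = Device()
    baseline = dev.snapshot()
    alerts = []
    for step, action in (("install", app.install), ("execute", app.execute),
                         ("uninstall", app.uninstall)):
        before = dev.snapshot()
        action(dev)
        alerts += check(step, app, baseline, before, dev.snapshot())
    return alerts


# Constructed samples: a well-behaved app and one with trojan behaviour.
def weather_install(d):
    d.installed.add("weather")
    d.files.add("/data/app/weather/base.apk")

def weather_execute(d):
    d.processes.add("weather")
    d.connections.add(("weather.example", 443))

def weather_uninstall(d):
    d.installed.discard("weather")
    d.files.discard("/data/app/weather/base.apk")
    d.processes.discard("weather")

WEATHER = App("weather", weather_install, weather_execute, weather_uninstall)


def trojan_install(d):
    d.installed.add("freegame")
    d.files.update({"/data/app/freegame/base.apk", "/system/etc/init.d/99svc"})

def trojan_execute(d):
    d.processes.update({"freegame", "svc"})
    d.sms_out.append(("+4479000000", "REG"))      # made-up premium-rate number
    d.connections.add(("203.0.113.7", 6667))

def trojan_uninstall(d):
    d.installed.discard("freegame")
    d.files.discard("/data/app/freegame/base.apk")
    d.processes.discard("freegame")               # "svc" and the init script stay

TROJAN = App("freegame", trojan_install, trojan_execute, trojan_uninstall)

if __name__ == "__main__":
    for app in (WEATHER, TROJAN):
        print(app.name, run_sample(app) or "clean")
```

The benign sample produces no alerts; the trojan is flagged four times: a file written outside its directory at install, an unsolicited SMS at execution, and a leftover process and init script after de-installation.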

7. Anomaly detection for packet-based networks
    Granted patent, status: in force

    Publication number: US09094444B2

    Publication date: 2015-07-28

    Application number: US13143062

    Filing date: 2008-12-31

    IPC classification: H04L12/26 H04L29/06

    CPC classification: H04L63/1425 H04L43/00

    Abstract: Disclosed herein is an anomaly detection method for a packet-based network which includes several network resources, also called network-related software objects. The method includes monitoring the network resources of the packet-based network, ordering the monitored network resources according to a given ordering criterion, and detecting an anomaly in the packet-based network based on the ordered network resources. In particular, detecting an anomaly includes forming a detection feature vector based on the ordered network resources, and feeding the detection feature vector to a machine learning system configured to detect an anomaly in the packet-based network based on the detection feature vector. The detection feature vector includes detection feature items related to corresponding monitored network resources, and arranged in the detection feature vector depending on the ordering of the corresponding monitored network resources. Conveniently, the machine learning system is a one-class classifier, preferably a one-class Support Vector Machine (OC-SVM).

8. Method and system for detecting unauthorized use of a communication network
    Granted patent, status: in force

    Publication number: US08006302B2

    Publication date: 2011-08-23

    Application number: US10567752

    Filing date: 2003-08-11

    Applicant: Paolo Abeni

    Inventor: Paolo Abeni

    CPC classification: H04L63/1408

    Abstract: A system for detecting unauthorised use of a network is provided with a pattern matching engine for searching for attack signatures in data packets, and with a response analysis engine for detecting response signatures in data packets sent back from an attacked network/computer. When a suspect signature has been detected in a packet, the system enters an alarm status, starting a monitoring process on the packets sent back from the potentially attacked network/computer. An alarm is generated only in case the analysis of the response packets also produces a positive result. Such an intrusion detection system is much less prone to false positives and misdiagnosis than a conventional pattern matching intrusion detection system.

9. Method and system for detecting unauthorized use of a communication network
    Patent application, status: in force

    Publication number: US20060242703A1

    Publication date: 2006-10-26

    Application number: US10567752

    Filing date: 2003-08-11

    Applicant: Paolo Abeni

    Inventor: Paolo Abeni

    IPC classification: G06F12/14

    CPC classification: H04L63/1408

    Abstract: A system for detecting unauthorised use of a network is provided with a pattern matching engine for searching for attack signatures in data packets, and with a response analysis engine for detecting response signatures in data packets sent back from an attacked network/computer. When a suspect signature has been detected in a packet, the system enters an alarm status, starting a monitoring process on the packets sent back from the potentially attacked network/computer. An alarm is generated only in case the analysis of the response packets also produces a positive result. Such an intrusion detection system is much less prone to false positives and misdiagnosis than a conventional pattern matching intrusion detection system.
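An added example for entries 8 and 9, an illustration and not the patent's code: the two-stage detector from the abstract, with a pattern matching stage on requests and a response analysis stage that is armed only after a request matched. Each signature is a constructed pair (what the attack looks like on the wire, what a successful attack looks like in the victim's reply); the watch window is a constructed count of reply packets after which an unconfirmed match is dismissed rather than raised, and the packet trace is constructed, with one vulnerable and one patched target.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst payload")

# Constructed signature pairs: (name, attack pattern in the request,
# pattern that a *successful* attack leaves in the reply).
SIGNATURES = [
    ("path-traversal",
     re.compile(rb"\.\./\.\./.*?/etc/passwd"),
     re.compile(rb"^root:x:0:0:", re.M)),
    ("sql-injection",
     re.compile(rb"'\s*OR\s*'1'\s*=\s*'1|UNION\s+SELECT", re.I),
     re.compile(rb"SQL syntax|ORA-\d{5}|mysql_fetch", re.I)),
]


class TwoStageIDS:
    def __init__(self, window):
        self.window = window      # reply packets to watch before giving up
        self.pending = {}         # (victim, attacker) -> [name, reply_re, left]
        self.alarms = []          # attack matched AND reply confirmed it
        self.dismissed = []       # attack matched, reply never confirmed it

    def feed(self, pkt):
        # Stage 2: is this packet a reply from a host under watch?
        key = (pkt.src, pkt.dst)
        watch = self.pending.get(key)
        if watch is not None:
            name, reply_re, left = watch
            if reply_re.search(pkt.payload):
                self.alarms.append((name, pkt.dst, pkt.src))   # attacker, victim
                del self.pending[key]
            elif left <= 1:
                self.dismissed.append((name, pkt.dst, pkt.src))
                del self.pending[key]
            else:
                watch[2] = left - 1
        # Stage 1: attack signature in this packet? Enter alarm status for
        # the target and start watching what it sends back.
        for name, attack_re, reply_re in SIGNATURES:
            if attack_re.search(pkt.payload):
                self.pending[(pkt.dst, pkt.src)] = [name, reply_re, self.window]
                break


def analyse(packets, window=2):
    """Run the trace through the detector; returns (alarms, dismissed)."""
    ids = TwoStageIDS(window)
    for p in packets:
        ids.feed(p)
    return ids.alarms, ids.dismissed


# Constructed trace: the same traversal against a vulnerable and a patched
# host, then an injection attempt against the patched one.
ATTACKER, VULN, PATCHED = "198.51.100.7", "203.0.113.10", "203.0.113.11"
TRAVERSAL = b"GET /cgi-bin/view?f=../../../../etc/passwd HTTP/1.0\r\n\r\n"
TRACE = [
    Packet(ATTACKER, VULN, TRAVERSAL),
    Packet(VULN, ATTACKER, b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                           b"root:x:0:0:root:/root:/bin/sh\n"),
    Packet(ATTACKER, PATCHED, TRAVERSAL),
    Packet(PATCHED, ATTACKER, b"HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n"),
    Packet(PATCHED, ATTACKER, b"<html><body>Not Found</body></html>\n"),
    Packet(ATTACKER, PATCHED, b"POST /login HTTP/1.0\r\n\r\nuser=admin' OR '1'='1&pass=x"),
    Packet(PATCHED, ATTACKER, b"HTTP/1.0 200 OK\r\n\r\n"),
    Packet(PATCHED, ATTACKER, b"Invalid credentials\n"),
]

if __name__ == "__main__":
    alarms, dismissed = analyse(TRACE)
    print("alarms:", alarms)
    print("dismissed (request matched, reply did not):", dismissed)
```

A plain pattern matcher would raise three alarms on this trace; the two-stage detector raises one, for the host that actually returned the password file, and dismisses the two attempts whose replies showed no effect. A reply containing `root:x:0:0:` from a host that was never sent an attack signature is ignored, since only hosts in alarm status are watched.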

10. ANOMALY DETECTION FOR PACKET-BASED NETWORKS
    Patent application, status: in force

    Publication number: US20110267964A1

    Publication date: 2011-11-03

    Application number: US13143062

    Filing date: 2008-12-31

    IPC classification: H04L12/26

    CPC classification: H04L63/1425 H04L43/00

    Abstract: Disclosed herein is an anomaly detection method for a packet-based network which includes several network resources, also called network-related software objects. The method includes monitoring the network resources of the packet-based network, ordering the monitored network resources according to a given ordering criterion, and detecting an anomaly in the packet-based network based on the ordered network resources. In particular, detecting an anomaly includes forming a detection feature vector based on the ordered network resources, and feeding the detection feature vector to a machine learning system configured to detect an anomaly in the packet-based network based on the detection feature vector. The detection feature vector includes detection feature items related to corresponding monitored network resources, and arranged in the detection feature vector depending on the ordering of the corresponding monitored network resources. Conveniently, the machine learning system is a one-class classifier, preferably a one-class Support Vector Machine (OC-SVM).
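An added example for entries 7 and 10, an illustration and not the patent's code: building the ordered detection feature vector and feeding it to a one-class model trained on normal windows only. The monitored resources are assumed to be socket-owning processes with three counters each, the ordering criterion is assumed to be bytes sent (descending), and the training and test windows are constructed. The one-class classifier here is a nearest-neighbour novelty detector, used as a stand-in for the OC-SVM the abstract prefers so the block runs without a machine-learning library. The property worth noticing is that slot i of the vector always holds the i-th busiest resource, whatever its name, so a newcomer that becomes the top talker displaces every expected value rather than adding a column the model never saw.

```python
import math


def resource(name, bytes_out, bytes_in, connections):
    """One monitored network resource (a socket-owning process) in a window."""
    return {"name": name, "bytes_out": bytes_out, "bytes_in": bytes_in,
            "connections": connections}


def feature_vector(resources, k=4):
    """Order resources by the criterion (bytes sent, descending) and lay out
    their counters by rank; pad with zeros when fewer than k are present."""
    ordered = sorted(resources, key=lambda r: r["bytes_out"], reverse=True)[:k]
    vec = []
    for r in ordered:
        vec += [r["bytes_out"], r["bytes_in"], r["connections"]]
    return vec + [0.0] * (3 * k - len(vec))


class NearestNeighbourOneClass:
    """One-class model trained on normal windows only. A window is anomalous
    if its distance to the nearest training vector exceeds the largest
    leave-one-out neighbour distance seen in training, times a slack factor.
    Stand-in for the OC-SVM named in the abstract."""
    def __init__(self, vectors, slack=1.5):
        dims = len(vectors[0])
        # per-feature scaling so byte counters do not swamp connection counts
        self.scale = [max(1.0, max(v[i] for v in vectors)) for i in range(dims)]
        self.train = [self._norm(v) for v in vectors]
        loo = [min(self._dist(a, b) for j, b in enumerate(self.train) if j != i)
               for i, a in enumerate(self.train)]
        self.threshold = slack * max(loo)

    def _norm(self, v):
        return [x / s for x, s in zip(v, self.scale)]

    @staticmethod
    def _dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def score(self, v):
        return min(self._dist(self._norm(v), t) for t in self.train)

    def is_anomaly(self, v):
        return self.score(v) > self.threshold


# Constructed training windows from a quiet web host (httpd, sshd, ntpd).
NORMAL_WINDOWS = [
    [resource("httpd", 48000, 8200, 120), resource("sshd", 2100, 1500, 2), resource("ntpd", 120, 120, 1)],
    [resource("httpd", 51000, 8600, 128), resource("sshd", 1900, 1400, 3), resource("ntpd", 110, 110, 1)],
    [resource("httpd", 49500, 8400, 124), resource("sshd", 2300, 1700, 2), resource("ntpd", 130, 130, 1)],
    [resource("httpd", 52500, 8900, 133), resource("sshd", 2000, 1450, 2), resource("ntpd", 100, 100, 1)],
    [resource("httpd", 47000, 8000, 118), resource("sshd", 2200, 1600, 3), resource("ntpd", 125, 125, 1)],
    [resource("httpd", 50000, 8500, 126), resource("sshd", 1800, 1300, 2), resource("ntpd", 115, 115, 1)],
]


def train():
    return NearestNeighbourOneClass([feature_vector(w) for w in NORMAL_WINDOWS])


def detect(model, window):
    """True if the window's ordered feature vector is flagged as anomalous."""
    return model.is_anomaly(feature_vector(window))


# Constructed test windows: one normal, one with a new top talker
# (exfiltration), one where sshd's connection count explodes (scan).
NORMAL = [resource("httpd", 49000, 8300, 122), resource("sshd", 2100, 1500, 2), resource("ntpd", 120, 120, 1)]
EXFIL = NORMAL + [resource("python3", 400000, 2000, 1)]
SCAN = [resource("httpd", 49000, 8300, 122), resource("sshd", 2100, 1500, 900), resource("ntpd", 120, 120, 1)]

if __name__ == "__main__":
    model = train()
    for label, window in (("normal", NORMAL), ("exfil", EXFIL), ("scan", SCAN)):
        print(label, round(model.score(feature_vector(window)), 3), detect(model, window))
```

In the exfiltration window the unknown process takes slot 0 and pushes httpd into the slot the model expects sshd to occupy, so the distance is large without the model knowing anything about `python3`; the scan window keeps the same ordering but moves one counter far outside its training range.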