    1. SYSTEM AND METHOD FOR PASSIVE THREAT DETECTION USING VIRTUAL MEMORY INSPECTION
    Patent application (in force)

    Publication number: US20130246685A1

    Publication date: 2013-09-19

    Application number: US13229502

    Filing date: 2011-09-09

    IPC classification: G06F12/10 G06F12/00

    Abstract: A method in one example implementation includes synchronizing a first memory page set with a second memory page set of a virtual guest machine, inspecting the first memory page set off-line, and detecting a threat in the first memory page set. The method further includes taking an action based on the threat. In more specific embodiments, the method includes updating the first memory page set with a subset of the second memory page set at the expiration of a synchronization interval, where the subset of the second memory page set was modified during the synchronization interval. In other more specific embodiments, the second memory page set of the virtual guest machine represents non-persistent memory of the virtual guest machine. In yet other specific embodiments, the action includes at least one of shutting down the virtual guest machine and alerting an administrator.


    2. System and Method for Network Level Protection Against Malicious Software
    Patent application (in force)

    Publication number: US20120030750A1

    Publication date: 2012-02-02

    Application number: US12844964

    Filing date: 2010-07-28

    IPC classification: G06F21/20

    Abstract: A method in one example implementation includes receiving information related to a network access attempt on a first computing device, with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted, and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.


    3. SYSTEM AND METHOD FOR CLUSTERING HOST INVENTORIES
    Patent application (in force)

    Publication number: US20140006405A1

    Publication date: 2014-01-02

    Application number: US14016497

    Filing date: 2013-09-03

    IPC classification: G06F17/30

    Abstract: A method in one example implementation includes obtaining a plurality of host file inventories corresponding respectively to a plurality of hosts, calculating input data using the plurality of host file inventories, and then providing the input data to a clustering procedure to group the plurality of hosts into one or more clusters of hosts. The method further includes each cluster of hosts being grouped using predetermined similarity criteria. In more specific embodiments, each of the host file inventories includes a set of one or more file identifiers, with each file identifier representing a different executable software file on a corresponding one of the plurality of hosts. In other more specific embodiments, calculating the input data includes transforming the host file inventories into a matrix of keyword vectors in Euclidean space. In further embodiments, calculating the input data includes transforming the host file inventories into a similarity matrix.


    4. System and method for clustering host inventories
    Granted patent (in force)

    Publication number: US08549003B1

    Publication date: 2013-10-01

    Application number: US12880125

    Filing date: 2010-09-12

    IPC classification: G06F17/30

    Abstract: A method in one example implementation includes obtaining a plurality of host file inventories corresponding respectively to a plurality of hosts, calculating input data using the plurality of host file inventories, and then providing the input data to a clustering procedure to group the plurality of hosts into one or more clusters of hosts. The method further includes each cluster of hosts being grouped using predetermined similarity criteria. In more specific embodiments, each of the host file inventories includes a set of one or more file identifiers, with each file identifier representing a different executable software file on a corresponding one of the plurality of hosts. In other more specific embodiments, calculating the input data includes transforming the host file inventories into a matrix of keyword vectors in Euclidean space. In further embodiments, calculating the input data includes transforming the host file inventories into a similarity matrix.


    Method of and system for computer system state checks

    Publication number: US09424154B2

    Publication date: 2016-08-23

    Application number: US12291232

    Filing date: 2008-11-07

    IPC classification: G06F7/04 G06F11/30 G06F9/455

    Abstract: A system for and method of system state analysis of a computational system. The method comprises capturing selective state information of a computational system configured to operate with one or more guest machines running on a virtual machine layer and configured to output state information. The state information is then analyzed for compliance checking. The system for system state analysis comprises a storage system, computation hardware configured to run the guest machines and the virtual machine layer, guest machines, a virtual machine layer configured to output guest machine state information, and a system state snapshot server configured to control the virtual machine layer for the capture of state information.

    6. Method of and system for computer system state checks
    Patent application (in force)

    Publication number: US20130247032A1

    Publication date: 2013-09-19

    Application number: US12291232

    Filing date: 2008-11-07

    IPC classification: G06F9/46

    Abstract: A system for and method of system state analysis of a computational system. The method comprises capturing selective state information of a computational system configured to operate with one or more guest machines running on a virtual machine layer and configured to output state information. The state information is then analyzed for compliance checking. The system for system state analysis comprises a storage system, computation hardware configured to run the guest machines and the virtual machine layer, guest machines, a virtual machine layer configured to output guest machine state information, and a system state snapshot server configured to control the virtual machine layer for the capture of state information.


    7. SYSTEM AND METHOD FOR CLUSTERING HOST INVENTORIES
    Patent application (in force)

    Publication number: US20130246422A1

    Publication date: 2013-09-19

    Application number: US12880125

    Filing date: 2010-09-12

    IPC classification: G06F17/30

    Abstract: A method in one example implementation includes obtaining a plurality of host file inventories corresponding respectively to a plurality of hosts, calculating input data using the plurality of host file inventories, and then providing the input data to a clustering procedure to group the plurality of hosts into one or more clusters of hosts. The method further includes each cluster of hosts being grouped using predetermined similarity criteria. In more specific embodiments, each of the host file inventories includes a set of one or more file identifiers, with each file identifier representing a different executable software file on a corresponding one of the plurality of hosts. In other more specific embodiments, calculating the input data includes transforming the host file inventories into a matrix of keyword vectors in Euclidean space. In further embodiments, calculating the input data includes transforming the host file inventories into a similarity matrix.


    8. System and method for selectively grouping and managing program files
    Granted patent (in force)

    Publication number: US09075993B2

    Publication date: 2015-07-07

    Application number: US13012138

    Filing date: 2011-01-24

    IPC classification: G06F21/56 G06F17/30 H04L29/06

    Abstract: A method in one embodiment includes determining a frequency range corresponding to a subset of a plurality of program files on a plurality of hosts in a network environment. The method also includes generating a first set of counts including a first count that represents an aggregate amount of program files in a first grouping of one or more program files of the subset, where each of the one or more program files of the first grouping includes a first value of a primary attribute. In specific embodiments, each program file is unknown. In further embodiments, the primary attribute is one of a plurality of file attributes provided in file metadata. Other specific embodiments include either blocking or allowing execution of each of the program files of the first grouping. More specific embodiments include determining a unique identifier corresponding to at least one program file of the first grouping.


    9. System and method for network level protection against malicious software
    Granted patent (in force)

    Publication number: US08938800B2

    Publication date: 2015-01-20

    Application number: US12844964

    Filing date: 2010-07-28

    IPC classification: G06F21/00 H04L29/06

    Abstract: A method in one example implementation includes receiving information related to a network access attempt on a first computing device, with the information identifying a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether network traffic associated with the software program file is permitted, and then creating a restriction rule to block the network traffic if the network traffic is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the method includes pushing the restriction rule to a network protection device that intercepts the network traffic associated with the software program file and applies the restriction rule to the network traffic. In more specific embodiments, the method includes searching a whitelist identifying trustworthy software program files to determine the trust status of the software program file.


    10. System and Method for Local Protection Against Malicious Software
    Patent application (in force)

    Publication number: US20120030731A1

    Publication date: 2012-02-02

    Application number: US12844892

    Filing date: 2010-07-28

    IPC classification: G06F21/20

    Abstract: A method in one example implementation includes intercepting a network access attempt on a computing device and determining a software program file associated with the network access attempt. The method also includes evaluating a first criterion to determine whether the network access attempt is permitted, and blocking the network access attempt if it is not permitted. The first criterion includes a trust status of the software program file. In specific embodiments, the trust status is defined as trusted if the software program file is included in a whitelist of trustworthy program files, and untrusted if the software program file is not included in a whitelist. In more specific embodiments, the method includes blocking the network access attempt if the software program file has an untrusted status. In further embodiments, an event is logged if the software program file associated with the network access attempt has an untrusted status.
