Methods, media and systems for detecting anomalous program executions
    1.
    Granted patent; status: in force

    Publication number: US08074115B2

    Publication date: 2011-12-06

    Application number: US12091150

    Filing date: 2006-10-25

    IPC classification: G06F11/00

    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.


    METHODS, MEDIA AND SYSTEMS FOR DETECTING ANOMALOUS PROGRAM EXECUTIONS
    2.
    Patent application; status: in force (same application as entry 1, granted as US08074115B2)

    Publication number: US20100023810A1

    Publication date: 2010-01-28

    Application number: US12091150

    Filing date: 2006-10-25

    IPC classification: G06F11/36 G06F9/455

    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.

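Entries 1 and 2 share the abstract above. As an added illustration (not code from the patents, their assignee, or any product), the following Python script shows both halves of the idea on a constructed toy program: a decorator that emits an indicator for every program-level call, and a sliding-window model of call sequences that is trained from known-good runs and then used to flag a call appearing in a context never seen in training. The request handler, its call names, the window length of 3 and the "hijacked" path that ends in `system()` are all assumptions of the example; the listing does not describe the patents' emulator or model format.

```python
"""Added example (not code from the patents): instrument a toy program so it
emits an indicator for each program-level call, train a sliding-window model
of call sequences from known-good runs, and flag calls seen in a new context."""
from functools import wraps

START = "<start>"  # padding symbol so the first calls of a trace are scored too


class CallTracer:
    """Records the name of every wrapped function as it is called.  The decorator
    stands in for 'modifying a program to include indicators' of its calls."""

    def __init__(self):
        self.trace = []

    def traced(self, fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            self.trace.append(fn.__name__)  # the indicator: one entry per call
            return fn(*args, **kwargs)
        return wrapper


class CallSequenceModel:
    """Set of length-n call windows seen in training (an assumed model shape)."""

    def __init__(self, n=3):
        self.n = n
        self.known = set()

    def _windows(self, trace):
        padded = [START] * (self.n - 1) + list(trace)
        for end in range(self.n - 1, len(padded)):
            yield end - (self.n - 1), tuple(padded[end - self.n + 1:end + 1])

    def train(self, trace):
        for _, window in self._windows(trace):
            self.known.add(window)

    def anomalous_calls(self, trace):
        """[(index, call)] for each call that ends a window absent from training."""
        return [(i, w[-1]) for i, w in self._windows(trace) if w not in self.known]

    def mismatch_rate(self, trace):
        windows = list(self._windows(trace))
        return sum(w not in self.known for _, w in windows) / len(windows) if windows else 0.0


tracer = CallTracer()  # constructed toy program follows: a request handler

@tracer.traced
def recv(req):
    return req

@tracer.traced
def parse_request(req):
    return req.split(" ")

@tracer.traced
def lookup_route(parts):
    return parts[1]

@tracer.traced
def db_query(path):
    return "row for " + path

@tracer.traced
def send(body):
    return len(body)

@tracer.traced
def system(cmd):
    return "ran " + cmd  # a call the handler is never supposed to reach


def handle(req):
    path = lookup_route(parse_request(recv(req)))
    body = db_query(path) if path.startswith("/db") else path
    return send(body)


def handle_hijacked(req):
    """Models control flow after exploitation: the handler ends up in system()."""
    lookup_route(parse_request(recv(req)))
    return send(system("/bin/sh"))


def run_traced(fn, *args):
    """Execute fn under the tracer and return the call trace it produced."""
    tracer.trace = []
    fn(*args)
    return list(tracer.trace)


def build_model():
    """Train the window model from three known-good runs of handle()."""
    model = CallSequenceModel(n=3)
    for req in ("GET / HTTP/1.1", "GET /db/users HTTP/1.1", "GET /about HTTP/1.1"):
        model.train(run_traced(handle, req))
    return model
```

A call that is new, or arrives in a new order, is flagged at the point where the window first leaves the trained set; the calls that follow it are flagged as well until the window slides past it, so a deployment would threshold on `mismatch_rate` or a locality-frame count rather than on a single flagged call. The model encodes one build's control flow: it has to be rebuilt for the binary that is actually deployed.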

    Detecting network anomalies by probabilistic modeling of argument strings with markov chains
    4.
    Granted patent; status: in force

    Publication number: US09253201B2

    Publication date: 2016-02-02

    Application number: US14476142

    Filing date: 2014-09-03

    IPC classification: H04L29/06 H04L29/08

    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.


    Systems and methods for inhibiting attacks on applications
    5.
    Granted patent; status: in force

    Publication number: US08763103B2

    Publication date: 2014-06-24

    Application number: US12297730

    Filing date: 2006-04-21

    IPC classification: H04L29/06 G06F21/41

    Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.


    Systems, methods, and media protecting a digital data processing device from attack
    6.
    Granted patent; status: in force

    Publication number: US08407785B2

    Publication date: 2013-03-26

    Application number: US12063733

    Filing date: 2006-08-18

    IPC classification: G06F11/00

    Abstract: In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within a virtual environment: receiving at least one attachment to an electronic mail; and executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs.


    Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and/or generating sanitized anomaly detection models
    7.
    Granted patent; status: in force

    Publication number: US08407160B2

    Publication date: 2013-03-26

    Application number: US11940790

    Filing date: 2007-11-15

    IPC classification: G06F15/18

    Abstract: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for generating sanitized data are provided. The methods including: dividing a first training dataset comprised of a plurality of training data items into a plurality of data subsets each including at least one training data item of the plurality of training data items of the first training dataset; based on the plurality of data subsets, generating a plurality of distinct anomaly detection micro-models; testing at least one data item of the plurality of data items of a second training dataset of training data items against each of the plurality of micro-models to produce a score for the at least one tested data item; and generating at least one output dataset based on the score for the at least one tested data item.

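As an added example (not code from the patent or its assignee) of the sanitization step in this abstract: a time-ordered training set is cut into epochs, one micro-model is trained per epoch, every item of a second dataset is voted on by all micro-models, and the vote score decides which output dataset the item lands in. The micro-model here is a character-trigram set over HTTP request lines; the request lines, the epoch size, the tolerance and the vote threshold are all assumptions made for the illustration.

```python
"""Added example (not from the patent): epoch micro-models vote on a second
dataset to split it into sanitized and abnormal output sets."""


def trigrams(s):
    return {s[i:i + 3] for i in range(len(s) - 2)}


class MicroModel:
    """Anomaly detector trained on one epoch: the set of character trigrams it
    saw.  An item is abnormal when more than `tol` of its trigrams are unseen."""

    def __init__(self, items):
        self.seen = set().union(*(trigrams(x) for x in items))

    def is_abnormal(self, item, tol):
        grams = trigrams(item)
        if not grams:
            return False
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams) > tol


class Sanitizer:
    def __init__(self, training, epoch_size, tol):
        self.tol = tol
        epochs = [training[i:i + epoch_size] for i in range(0, len(training), epoch_size)]
        self.micro_models = [MicroModel(e) for e in epochs]

    def score(self, item):
        """Fraction of micro-models that call the item abnormal (uniform weights)."""
        votes = sum(m.is_abnormal(item, self.tol) for m in self.micro_models)
        return votes / len(self.micro_models)

    def sanitize(self, dataset, vote_threshold):
        """Split a second dataset into the (sanitized, abnormal) output datasets."""
        sanitized, abnormal = [], []
        for item in dataset:
            (abnormal if self.score(item) > vote_threshold else sanitized).append(item)
        return sanitized, abnormal


# Constructed, time-ordered request lines; the attack sits in the second epoch.
B1 = "GET /index.html HTTP/1.1"
B2 = "GET /about.html HTTP/1.1"
B3 = "GET /images/logo.png HTTP/1.1"
B4 = "GET /contact.html HTTP/1.1"
B5 = "POST /login HTTP/1.1"
ATTACK = "GET /cgi-bin/../../../../etc/passwd HTTP/1.1"
NEW_BENIGN = "GET /images/icon.png HTTP/1.1"

TRAINING = [B1, B2, B3, B4, B5,          # epoch 1
            B1, ATTACK, B3, B4, B5,      # epoch 2: poisoned by the attack
            B2, B1, B5, B3, B4,          # epoch 3
            B3, B4, B1, B2, B5]          # epoch 4
SECOND = [B1, B2, ATTACK, B5, NEW_BENIGN]


def run():
    """Returns (sanitized, abnormal, model trained on the sanitized set)."""
    sanitizer = Sanitizer(TRAINING, epoch_size=5, tol=0.35)
    sanitized, abnormal = sanitizer.sanitize(SECOND, vote_threshold=0.5)
    return sanitized, abnormal, MicroModel(sanitized)
```

The micro-model trained on the epoch that contains the traversal request accepts it, but the three clean epochs outvote that one, so the attack is moved to the abnormal set and a model trained on the sanitized set rejects it. The tolerance is what keeps the previously unseen but benign `icon.png` request in the sanitized set: with a strict micro-model (no unseen trigrams allowed) every epoch would vote it abnormal, which is the false-positive side of the trade-off the scoring is meant to manage.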

    Systems and Methods for Inhibiting Attacks on Applications
    8.
    Patent application; status: in force (same application as entry 5, granted as US08763103B2)

    Publication number: US20100146615A1

    Publication date: 2010-06-10

    Application number: US12297730

    Filing date: 2006-04-21

    IPC classification: H04L9/00 H04K1/00

    Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.

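Entries 5 and 8 share this abstract. The Python script below is an added example (not code from the patents, their assignee, or any product) of the architecture it describes: a filtering proxy with a signature stage and a classifier stage in front of an application, a supervision hook that reports attacks the proxy let through, and a feedback path that turns each detection into a new signature and a tighter classifier threshold. The application is a toy that emulates an unchecked buffer copy guarded by a canary; the classifier (share of non-printable bytes), the thresholds and the request bodies are assumptions of the example.

```python
"""Added example (not from the patents): filtering proxy + supervised application
with feedback from detections back into the proxy's filters and classifier."""

BUFFER_LEN = 16
CANARY = b"\xde\xad\xbe\xef"


class InjectionDetected(Exception):
    """Raised by the supervision framework when the application is attacked."""


class SupervisedApp:
    """Toy application: copies the request body into a fixed buffer followed by
    a canary, the way a stack frame holds a local array and a stack protector.
    A clobbered canary is the supervisor's signal that the input overflowed the
    buffer, the usual precursor of a code-injection attack."""

    def handle(self, body: bytes) -> str:
        frame = bytearray(BUFFER_LEN) + bytearray(CANARY)
        for i, b in enumerate(body):          # unchecked copy, like strcpy()
            if i < len(frame):
                frame[i] = b
        if bytes(frame[BUFFER_LEN:]) != CANARY:
            raise InjectionDetected(body)
        return "ok: " + bytes(frame[:BUFFER_LEN]).rstrip(b"\0").decode("latin-1")


def nonprintable_ratio(body: bytes) -> float:
    """Classifier: share of bytes outside printable ASCII (assumed score)."""
    if not body:
        return 0.0
    return sum(1 for b in body if b < 0x20 or b > 0x7E) / len(body)


class FilteringProxy:
    def __init__(self, app, classifier, threshold, benign_floor=0.0, sig_len=8):
        self.app = app
        self.classifier = classifier
        self.threshold = threshold          # classifier score above which we block
        self.benign_floor = benign_floor    # never tune the threshold below this
        self.sig_len = sig_len
        self.signatures = set()             # payload prefixes learned from feedback
        self.events = []

    def forward(self, body: bytes):
        """Returns (verdict, detail); verdict is 'blocked', 'ok' or 'attack'."""
        # stage 1: cheap signature filters learned from earlier detections
        if any(body.startswith(sig) for sig in self.signatures):
            return "blocked", "signature"
        # stage 2: classifier / anomaly score
        score = self.classifier(body)
        if score > self.threshold:
            return "blocked", "classifier score %.2f" % score
        # stage 3: the application runs under supervision
        try:
            return "ok", self.app.handle(body)
        except InjectionDetected:
            self.tune(body, score)
            return "attack", "detected at the application; proxy tuned"

    def tune(self, body: bytes, score: float):
        """Feedback from the supervision framework into the proxy components."""
        self.signatures.add(body[:self.sig_len])
        if score > self.benign_floor:
            # admit nothing that scores like this attack, but stay above the floor
            self.threshold = min(self.threshold, max(self.benign_floor, score - 1e-9))
        self.events.append((body, score, self.threshold))


def run_scenario():
    """Replays a constructed request sequence; returns (verdicts, proxy)."""
    proxy = FilteringProxy(SupervisedApp(), nonprintable_ratio, threshold=0.5)
    requests = [
        b"name=alice",                      # benign
        b"A" * 20 + b"\x90\x90\xcc",        # overflow; low score, passes the classifier
        b"A" * 20 + b"\x90\x90\xcc",        # replay of the same attack
        b"B" * 20 + b"\x90\x90\x90\x90",    # variant with a different prefix
        b"name=bob",                        # benign after tuning
    ]
    return [proxy.forward(r)[0] for r in requests], proxy
```

Two things the feedback has to get right are visible in `tune()`: the threshold is only lowered when the missed attack scored above a benign floor, otherwise one low-scoring attack would make the classifier block everything; and the learned signature is a prefix of the payload, so the trivially mutated variant is caught by the tightened classifier stage, not by the signature stage.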

    Methods, media, and systems for detecting an anomalous sequence of function calls

    Publication number: US10423788B2

    Publication date: 2019-09-24

    Application number: US15247154

    Filing date: 2016-08-25

    Abstract: Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.
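As an added example (not code from the patent or its assignee) of the abstract above: each function-call type gets a unique identifier, an LZ78-style phrase dictionary grown from the call sequences of known programs serves as the compression model, and a new sequence is scored by how many dictionary phrases (or literals, for calls that have no identifier) are needed to encode it. The call names, the choice of LZ78 phrases as the model, the number of training passes and the margin are assumptions of the example; the listing does not say which compressor the patent uses.

```python
"""Added example (not from the patent): LZ78-style compression model over
function-call identifiers; poorly compressing sequences are anomalous."""


class CallCompressionModel:
    def __init__(self):
        self.ids = {}        # call name -> unique identifier
        self.phrases = {}    # tuple of identifiers -> phrase index
        self.longest = 0

    def _id(self, call):
        return self.ids.setdefault(call, len(self.ids))

    def train(self, traces, passes=6):
        """LZ78 dictionary growth over the training traces.  One pass extends a
        phrase by at most one symbol, so several passes let whole traces become
        single phrases (the pass count is an assumption of this example)."""
        id_traces = [[self._id(c) for c in t] for t in traces]
        for _ in range(passes):
            for trace in id_traces:
                phrase = ()
                for sym in trace:
                    cand = phrase + (sym,)
                    if cand in self.phrases:
                        phrase = cand
                    else:
                        self.phrases[cand] = len(self.phrases)
                        self.longest = max(self.longest, len(cand))
                        phrase = ()

    def compress(self, calls):
        """Greedy longest-match encoding with the frozen dictionary.  Returns
        tokens of the form ('phrase', index) or ('literal', call)."""
        syms = [self.ids.get(c) for c in calls]   # None for never-seen calls
        tokens, i = [], 0
        while i < len(syms):
            for length in range(min(self.longest, len(syms) - i), 0, -1):
                seg = tuple(syms[i:i + length])
                if None not in seg and seg in self.phrases:
                    tokens.append(("phrase", self.phrases[seg]))
                    i += length
                    break
            else:
                tokens.append(("literal", calls[i]))
                i += 1
        return tokens

    def ratio(self, calls):
        """Tokens per call: lower means the sequence compressed better."""
        return len(self.compress(calls)) / len(calls) if calls else 0.0


class CompressionDetector:
    def __init__(self, model, training_traces, margin=0.15):
        self.model = model
        # threshold: worst compression seen on the training traces plus a margin
        self.threshold = max(model.ratio(t) for t in training_traces) + margin

    def is_anomalous(self, calls):
        return self.model.ratio(calls) > self.threshold


# Constructed call sequences from a toy request handler (not from the patent).
KNOWN_TRACES = [
    ["recv", "parse", "route", "render", "send"],
    ["recv", "parse", "route", "query", "render", "send"],
    ["recv", "parse", "reject", "send"],
]


def build_detector():
    model = CallCompressionModel()
    model.train(KNOWN_TRACES)
    return CompressionDetector(model, KNOWN_TRACES)
```

Sequences the model has seen collapse into one or two long phrases; a reordered sequence, or one containing a call that has no identifier, needs many short phrases or literals and its tokens-per-call ratio rises above the threshold. The dictionary is frozen before scoring, which is the difference between this and simply running a compressor over the trace: an adaptive compressor would learn the anomalous sequence as it went.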

    SYSTEMS, METHODS, AND MEDIA FOR DETECTING NETWORK ANOMALIES
    10.
    Patent application; status: under examination, published

    Publication number: US20160366169A1

    Publication date: 2016-12-15

    Application number: US14982888

    Filing date: 2015-12-29

    IPC classification: H04L29/06

    Abstract: Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

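Entries 4 and 10 share this abstract. The added example below (not code from the patents or their assignee) trains one first-order character Markov chain per query-string parameter on the argument strings of known-good HTTP request lines, calibrates a per-parameter threshold from the training scores, and classifies a new request's arguments as normal, improbable in content, or structurally unknown. The request lines, the smoothing constant `alpha` and the margin of 1.5 nats are assumptions; a single first-order chain is the simplest form of the probabilistic model the abstract names, and the patents' own model is not detailed in this listing.

```python
"""Added example (not from the patents): per-parameter character Markov chains
over argument strings, with a structure check on parameter names."""
import math
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

START, END = "\x02", "\x03"   # sentinels so string boundaries are modelled too


class MarkovStringModel:
    def __init__(self, alpha=0.001):
        self.alpha = alpha                       # additive smoothing (assumed)
        self.counts = defaultdict(lambda: defaultdict(int))
        self.alphabet = set()

    def train(self, s):
        prev = START
        for ch in s + END:
            self.counts[prev][ch] += 1
            self.alphabet.add(ch)
            prev = ch

    def _logp(self, prev, ch):
        row = self.counts.get(prev, {})
        total = sum(row.values())
        size = len(self.alphabet) + 1            # +1 reserves mass for unseen symbols
        return math.log((row.get(ch, 0) + self.alpha) / (total + self.alpha * size))

    def score(self, s):
        """Mean negative log-likelihood per transition (nats); higher = less likely."""
        prev, nll, n = START, 0.0, 0
        for ch in s + END:
            nll -= self._logp(prev, ch)
            prev, n = ch, n + 1
        return nll / n


def extract_arguments(request_line):
    """(name, value) pairs from the query string of an HTTP request line."""
    target = request_line.split(" ")[1]
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


class ArgumentAnomalyDetector:
    def __init__(self, margin=1.5):
        self.margin = margin        # nats above the worst training score (assumed)
        self.models = {}
        self.thresholds = {}

    def train(self, request_lines):
        samples = defaultdict(list)
        for line in request_lines:
            for name, value in extract_arguments(line):
                samples[name].append(value)
        for name, values in samples.items():
            model = MarkovStringModel()
            for v in values:
                model.train(v)
            self.models[name] = model
            self.thresholds[name] = max(model.score(v) for v in values) + self.margin

    def classify(self, request_line):
        """List of (parameter, reason, score) findings; empty means normal."""
        findings = []
        for name, value in extract_arguments(request_line):
            if name not in self.models:                 # structure: unknown parameter
                findings.append((name, "unknown parameter", None))
                continue
            s = self.models[name].score(value)          # content: improbable string
            if s > self.thresholds[name]:
                findings.append((name, "improbable content", round(s, 2)))
        return findings


TRAINING = [   # constructed known-good traffic
    "GET /search?q=firewall+rules&page=2 HTTP/1.1",
    "GET /search?q=firewall+logs&page=1 HTTP/1.1",
    "GET /search?q=rules+engine&page=1 HTTP/1.1",
    "GET /search?q=anomaly+detection&page=3 HTTP/1.1",
    "GET /search?q=detection+rules&page=10 HTTP/1.1",
]


def build_detector():
    det = ArgumentAnomalyDetector()
    det.train(TRAINING)
    return det
```

Per-parameter models give the structure check for free (an unknown parameter such as `cmd` has no model), and the content check rejects the SQL-injection-shaped value because its character transitions were never seen for `q`. Five training strings are far too few for anything but illustration: with a real corpus the threshold should come from held-out benign traffic, and `alpha` controls how harshly unseen transitions are penalised.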