公开(公告)号：US08074115B2

公开(公告)日：2011-12-06

申请号：US12091150

申请日：2006-10-25

申请人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Stelios Sidiroglou

发明人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Stelios Sidiroglou

IPC分类号： G06F11/00

CPC分类号： G06F11/0772 ,  G06F11/0718 ,  G06F11/0751 ,  G06F11/079 ,  G06F11/3652

摘要： Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.

摘要翻译： 提供了用于检测异常程序执行的方法，介质和系统。 在一些实施例中，提供了用于检测异常程序执行的方法，包括：在仿真器中执行程序的至少一部分; 将在仿真器中产生的函数调用与所述程序的至少一部分的函数调用模型进行比较; 并根据比较将功能调用识别为异常。 在一些实施例中，提供了用于检测异常程序执行的方法，包括：修改程序以包括程序执行期间进行的程序级函数调用的指示; 将在仿真器中进行的程序级功能调用的至少一个指标与所述程序的至少一部分的函数调用模型进行比较; 以及基于所述比较，将与所述至少一个所述指示符相对应的功能调用识别为异常。

公开(公告)号：US20100023810A1

公开(公告)日：2010-01-28

申请号：US12091150

申请日：2006-10-25

申请人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Stelios Sidiroglou

发明人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Stelios Sidiroglou

IPC分类号： G06F11/36 ,  G06F9/455

CPC分类号： G06F11/0772 ,  G06F11/0718 ,  G06F11/0751 ,  G06F11/079 ,  G06F11/3652

摘要： Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.

摘要翻译： 提供了用于检测异常程序执行的方法，介质和系统。 在一些实施例中，提供了用于检测异常程序执行的方法，包括：在仿真器中执行程序的至少一部分; 将在仿真器中产生的函数调用与所述程序的至少一部分的函数调用模型进行比较; 并根据比较将功能调用识别为异常。 在一些实施例中，提供了用于检测异常程序执行的方法，包括：修改程序以包括程序执行期间进行的程序级函数调用的指示; 将在仿真器中进行的程序级功能调用的至少一个指标与所述程序的至少一部分的函数调用模型进行比较; 以及基于所述比较，将与所述至少一个所述指示符相对应的功能调用识别为异常。

公开(公告)号：US10423788B2

公开(公告)日：2019-09-24

申请号：US15247154

申请日：2016-08-25

申请人： Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： G06F11/00 ,  G06F21/56 ,  G06F11/08 ,  G06F11/36 ,  H04L29/06 ,  G06N7/00

摘要： Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.

公开(公告)号：US20160366169A1

公开(公告)日：2016-12-15

申请号：US14982888

申请日：2015-12-29

申请人： Yingbo Song ,  Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Yingbo Song ,  Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： H04L29/06

CPC分类号： H04L63/1425 ,  H04L63/1416 ,  H04L63/1466 ,  H04L67/02 ,  H04L69/16

摘要： Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

摘要翻译： 提供了检测网络异常的系统，方法和介质。 在一些实施例中，接收具有参数串的通信协议消息的训练数据集。 确定与每个参数串相关联的内容和结构，并且使用确定的每个参数串的内容和结构来训练概率模型。 接收具有通过计算机网络从第一处理器发送到第二处理器的参数串的通信协议消息。 将接收到的通信协议消息与概率模型进行比较，然后确定通信协议消息是否是异常的。

公开(公告)号：US08819825B2

公开(公告)日：2014-08-26

申请号：US12302774

申请日：2007-05-31

申请人： Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： G06F21/00

CPC分类号： H04L63/1491 ,  H04L43/0876 ,  H04L51/22 ,  H04L63/1408 ,  H04L63/145

摘要： Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information.

摘要翻译： 提供了用于生成基于陷阱的防御的诱饵信息的系统，方法和媒体。 在一些实施例中，用于产生用于基于陷阱的防御的诱饵信息的方法包括：记录网络的历史信息; 翻译历史信息; 并通过定制翻译的历史信息产生诱饵信息。

公开(公告)号：US20140173734A1

公开(公告)日：2014-06-19

申请号：US14185175

申请日：2014-02-20

申请人： Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： H04L29/06

CPC分类号： G06F21/566 ,  G06F11/08 ,  G06F11/3688 ,  G06F2221/033 ,  G06N7/005 ,  H04L63/1425

摘要： Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.

摘要翻译： 提供了用于检测函数调用异常序列的方法，介质和系统。 该方法可以包括通过使用压缩模型来压缩由程序执行所产生的函数调用序列; 以及基于函数调用序列被压缩的程度来确定功能调用序列中函数调用的异常序列的存在。 所述方法还可以包括执行至少一个已知程序; 观察由所述至少一个已知节目的执行而进行的至少一个函数调用序列; 在由所述至少一个已知程序进行的所述至少一个功能调用序列中分配每种类型的功能调用唯一标识符; 以及通过记录至少一个唯一标识符序列来创建所述压缩模型的至少一部分。

公开(公告)号：US08667588B2

公开(公告)日：2014-03-04

申请号：US12837302

申请日：2010-07-15

申请人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Vishal Misra ,  Michael E. Locasto ,  Janak Parekh

发明人： Salvatore J. Stolfo ,  Angelos D. Keromytis ,  Vishal Misra ,  Michael E. Locasto ,  Janak Parekh

IPC分类号： H04L29/06

CPC分类号： H04L63/1408

摘要： Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.

摘要翻译： 系统和方法提供警报相关器和警报分发器，其能够检测到攻击的早期迹象并且迅速地传播到协作系统。 警报相关器利用数据结构来关联警报检测，并提供可以向其他协作系统透露威胁信息的机制。 警报分配器使用有效的技术来对协作系统进行分组，然后根据时间表在某些成员之间传递数据。 以这种方式，数据可以定期分布，而不会产生过多的流量负载。

公开(公告)号：US08528091B2

公开(公告)日：2013-09-03

申请号：US12982984

申请日：2010-12-31

申请人： Brian M. Bowen ,  Pratap V. Prabhu ,  Vasileios P. Kemerlis ,  Stylianos Sidiroglou ,  Salvatore J. Stolfo ,  Angelos D. Keromytis

发明人： Brian M. Bowen ,  Pratap V. Prabhu ,  Vasileios P. Kemerlis ,  Stylianos Sidiroglou ,  Salvatore J. Stolfo ,  Angelos D. Keromytis

IPC分类号： G06F11/00 ,  H04L9/32

CPC分类号： G06F21/56 ,  G06F21/566 ,  G06F21/577 ,  H04L63/1441 ,  H04L63/1491

摘要： Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

摘要翻译： 提供了用于检测隐蔽恶意软件的方法，系统和媒体。 根据一些实施例，提供了一种用于在计算环境中检测隐匿恶意软件的方法，所述方法包括：在所述计算环境之外生成模拟用户活动; 将所述模拟用户活动传达到所述计算环境内的应用; 以及确定是否已经被未经授权的实体访问与所述模拟用户活动相对应的诱饵。

公开(公告)号：US09419981B2

公开(公告)日：2016-08-16

申请号：US12092224

申请日：2006-10-31

申请人： Salvatore J. Stolfo ,  Gabriela F. Ciocarlie ,  Vanessa Frias-Martinez ,  Janak Parekh ,  Angelos D. Keromytis ,  Joseph Sherrick

发明人： Salvatore J. Stolfo ,  Gabriela F. Ciocarlie ,  Vanessa Frias-Martinez ,  Janak Parekh ,  Angelos D. Keromytis ,  Joseph Sherrick

IPC分类号： H04L29/06

CPC分类号： H04L63/102 ,  H04L63/145

摘要： Methods, media, and systems for securing communications between a first node and a second node are provided. In some embodiments, methods for securing communication between a first node and a second node are provided. The methods comprising: receiving at least one model of behavior of the second node at the first node; and authorizing the first node to receive traffic from the second node based on the difference between the at least one model of behavior of the second node and at least one model of behavior of the first node.

摘要翻译： 提供了用于保护第一节点和第二节点之间的通信的方法，媒体和系统。 在一些实施例中，提供了用于确保第一节点和第二节点之间的通信的方法。 所述方法包括：在所述第一节点处接收所述第二节点的至少一个行为模型; 并且基于所述第二节点的所述至少一个行为模型与所述第一节点的行为的至少一个模型之间的差异，授权所述第一节点从所述第二节点接收流量。

公开(公告)号：US09253201B2

公开(公告)日：2016-02-02

申请号：US14476142

申请日：2014-09-03

申请人： Yingbo Song ,  Angelos D. Keromytis ,  Salvatore J. Stolfo

发明人： Yingbo Song ,  Angelos D. Keromytis ,  Salvatore J. Stolfo

IPC分类号： H04L29/06 ,  H04L29/08

CPC分类号： H04L63/1425 ,  H04L63/1416 ,  H04L63/1466 ,  H04L67/02 ,  H04L69/16

摘要： Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.

摘要翻译： 提供了检测网络异常的系统，方法和介质。 在一些实施例中，接收具有参数串的通信协议消息的训练数据集。 确定与每个参数串相关联的内容和结构，并且使用确定的每个参数串的内容和结构来训练概率模型。 接收具有通过计算机网络从第一处理器发送到第二处理器的参数串的通信协议消息。 将接收到的通信协议消息与概率模型进行比较，然后确定通信协议消息是否是异常的。