METHOD AND SYSTEM FOR DETECTING AND PREVENTING APPLICATION PRIVILEGE ESCALATION ATTACKS

    Publication number: US20230019015A1

    Publication date: 2023-01-19

    Application number: US17375341

    Application date: 2021-07-14

    Inventor: Urfan Ahmed

    Abstract: Privilege escalation monitoring may include initiating a learning mode, recording application attributes of one or more applications on a host system to an application repository, recording process attributes of one or more running processes on the host system to an access repository, recording API calls of the one or more running processes on the host system to an API repository, terminating the learning mode, initializing a protecting mode, identifying running processes on the host system based on records in the application repository, determining whether the identified running processes have system access violations based on the application repository, determining whether the identified running processes have file permission escalations based on the access repository, determining whether the identified running processes have failed privileged API calls based on the API repository, generating an alert and terminating an offending process corresponding to the determinations.

    Method and system for detecting and remediating malicious code in a computer network

    Publication number: US11489849B2

    Publication date: 2022-11-01

    Application number: US16742406

    Application date: 2020-01-14

    Inventor: Urfan Ahmed

    Abstract: A cybersecurity solution that includes a system, method, or computer program for detecting and remediating malicious code in a communicating device on a computer network that connects to the Internet through a proxy server. The solution includes an operating system arranged to monitor all computing resource (CR) processes on an operating system kernel on the communicating device, determine process parameters for each CR process, determine whether each CR process is a connecting CR process by determining whether it is connecting to the proxy server, compare at least one of the process parameters for each connecting CR process with a whitelist, generate an event notification when at least one process parameter for a connecting CR process does not match the whitelist, and remediate the connecting CR process that has the at least one process parameter.

    Method and system for detecting and preventing application privilege escalation attacks

    Publication number: US11983272B2

    Publication date: 2024-05-14

    Application number: US17375341

    Application date: 2021-07-14

    Inventor: Urfan Ahmed

    CPC classification number: G06F21/566 G06F9/54 G06N20/00 G06F2221/034

    Abstract: Privilege escalation monitoring may include initiating a learning mode, recording application attributes of one or more applications on a host system to an application repository, recording process attributes of one or more running processes on the host system to an access repository, recording API calls of the one or more running processes on the host system to an API repository, terminating the learning mode, initializing a protecting mode, identifying running processes on the host system based on records in the application repository, determining whether the identified running processes have system access violations based on the application repository, determining whether the identified running processes have file permission escalations based on the access repository, determining whether the identified running processes have failed privileged API calls based on the API repository, generating an alert and terminating an offending process corresponding to the determinations.

    Systems and methods for automating detection and mitigation of an operating system rootkit

    Publication number: US11593482B2

    Publication date: 2023-02-28

    Application number: US17192042

    Application date: 2021-03-04

    Inventor: Urfan Ahmed

    Abstract: Systems and methods to detect malicious software include an application software repository including a stored header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash including a driver copy, an executable copy, or both, (ii) verify the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.

    SYSTEMS AND METHODS FOR AUTOMATING DETECTION AND MITIGATION OF AN OPERATING SYSTEM ROOTKIT

    Publication number: US20220284095A1

    Publication date: 2022-09-08

    Application number: US17192042

    Application date: 2021-03-04

    Inventor: Urfan Ahmed

    Abstract: Systems and methods to detect malicious software include an application software repository including a stored header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash including a driver copy, an executable copy, or both, (ii) verify the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.

    System and method of secure analysis for encrypted electronic mail attachments

    Publication number: US11057324B1

    Publication date: 2021-07-06

    Application number: US16919751

    Application date: 2020-07-02

    Inventor: Urfan Ahmed

    Abstract: A method for analyzing an attachment of an electronic mail (e-mail) transmitted from an external network may include intercepting the e-mail comprising the attachment intended for a recipient. The method may include analyzing the attachment for encryption to identify an encrypted attachment. The method may include determining whether the encrypted attachment has been received previously by the recipient by comparing a hash corresponding to the encrypted attachment against a plurality of hashes stored in an attachment repository. The method may include attempting to open the encrypted attachment using a password from a password repository comprising a plurality of known passwords. The method may include extracting the encrypted attachment from the e-mail upon failing to open the encrypted attachment using the plurality of known passwords. The method may include redirecting the recipient to an interface configured to prompt the recipient for a new password that is associated with the encrypted attachment.

    System and method for detecting and preventing extraction of plaintext passwords using memory attacks

    Publication number: US11768935B2

    Publication date: 2023-09-26

    Application number: US17036757

    Application date: 2020-09-29

    Inventor: Urfan Ahmed

    Abstract: A system and methodology for preventing extraction of an authentication credential from a memory in a computer. The system and methodology include identifying a memory area used by a native process, monitoring the memory area for any access of the memory area by a process, detecting when data is being read from the memory area, detecting an amount of data being read from the memory area, comparing the amount of data being read from the memory area to a data amount threshold value, and blocking access to the memory area or terminating said process when the amount of data being read from the memory area reaches or exceeds the data amount threshold. The native process can include a Windows® operating system lsass.exe process.

    System and method for protecting against ransomware without the use of signatures or updates

    Publication number: US11768933B2

    Publication date: 2023-09-26

    Application number: US16990393

    Application date: 2020-08-11

    Inventor: Urfan Ahmed

    Abstract: A cybersecurity solution for preventing malware from infecting a computing device or a computer resource on the computing device. The solution can include detecting a computer resource process running or attempting to run on an operating system and comparing details of the computer resource process against an authorized processes database containing details of previously run computer resources processes to determine if the computer resource process is running or attempting to run for a first time on the operating system. The solution can include adding, during a learning mode, the details of the computer resource process to the authorized processes database when it is determined that the computer resource process is running or attempting to run for the first time on the operating system, and suspending, during a protect mode, the computer resource process from running on the operating system when it is determined that the computer resource process is running or attempting to run for the first time on the operating system. The details of the computer resource process can include at least one of semaphore data, mutex data or atom data for the computer resource process.

    METHOD AND SYSTEM FOR DETECTING AND PREVENTING UNAUTHORIZED ACCESS TO A COMPUTER

    Publication number: US20230214479A1

    Publication date: 2023-07-06

    Application number: US17646940

    Application date: 2022-01-04

    Inventor: Urfan Ahmed

    Abstract: A system and method for detecting and preventing unauthorized access to a computer. The method is configured to control access to the computer. The computer operates in a learning mode, including listing, in a whitelist in a memory of the computer, an executable application in the computer, and then operates in a protected mode. During operation of the computer in the protected mode, the method detects a first application in the computer, wherein the first application is transferred from a first external resource operatively connected to the computer, suspends execution of the first application, determines whether the first application is in the whitelist, and, if the first application is in the whitelist, allows the first application to be executed, thereby controlling the access of the first application to the computer. The system implements the method using a monitoring sub-system in the computer.

    SYSTEM AND METHOD FOR DETECTING AND PREVENTING EXTRACTION OF PLAINTEXT PASSWORDS USING MEMORY ATTACKS

    Publication number: US20220100854A1

    Publication date: 2022-03-31

    Application number: US17036757

    Application date: 2020-09-29

    Inventor: Urfan Ahmed

    Abstract: A system and methodology for preventing extraction of an authentication credential from a memory in a computer. The system and methodology include identifying a memory area used by a native process, monitoring the memory area for any access of the memory area by a process, detecting when data is being read from the memory area, detecting an amount of data being read from the memory area, comparing the amount of data being read from the memory area to a data amount threshold value, and blocking access to the memory area or terminating said process when the amount of data being read from the memory area reaches or exceeds the data amount threshold. The native process can include a Windows® operating system lsass.exe process.
