Abstract:
Systems and methods for improving the effectiveness of decision trees are disclosed. In one example, an exemplary method for performing such a task may include: 1) receiving, from at least one computing device, a) a sample, b) a classification assigned to the sample by a decision tree employed by the computing device, and c) identification information for a branch configuration that resulted in the classification, 2) determining that the decision tree incorrectly classified the sample, and then 3) excluding the offending branch configuration from future decision trees. An exemplary method for dynamically adjusting the confidence of decision-tree classifications based on community-supplied data, along with corresponding systems and computer-readable media, are also described.
Abstract:
A host reputation score indicating whether a host connected to the client by a network is malicious is received. An entity on the client that communicates with the host is identified. Whether the entity is a malware threat is determined based at least in part on the host reputation score.
Abstract:
A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process is described. The loading activity of the trusted process is monitored. A trust level associated with the trusted process is altered when an unverified component is loaded into the trusted process. Events performed by the trusted process are monitored. An unverified component that originated the event is identified. The trusted process is terminated based on a security risk associated with the unverified component that originated the event.
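The abstract above describes a monitor that lowers a trusted process's trust level when an unverified component is loaded, attributes later events to the component that originated them, and terminates the process when that component's risk is high. The following Python is an added illustration written for this page, not code from the patent or its assignee: module names, address ranges, the rule "trust cannot exceed 100 minus the loaded component's risk score", the 0-100 risk scores and the 70 termination threshold are all assumptions. Attribution works by mapping the innermost call-stack return address to the module whose address range contains it.

```python
import bisect
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Module:
    name: str
    base: int
    size: int
    verified: bool   # assumed: passed signature/whitelist verification at load time
    risk: int        # assumed 0-100 risk score attached to an unverified component


@dataclass
class TrustedProcess:
    name: str
    trust: int = 100
    modules: List[Module] = field(default_factory=list)
    terminated: bool = False

    def on_load(self, module: Module) -> int:
        """Loading-activity monitor: record the module and lower the process's
        trust level when the component is unverified (assumed rule: the trust
        level may not exceed 100 minus the component's risk score)."""
        self.modules.append(module)
        self.modules.sort(key=lambda m: m.base)
        if not module.verified:
            self.trust = min(self.trust, 100 - module.risk)
        return self.trust

    def module_at(self, address: int) -> Optional[Module]:
        """Map a code address to the loaded module whose range contains it."""
        bases = [m.base for m in self.modules]
        i = bisect.bisect_right(bases, address) - 1
        if i >= 0 and address < self.modules[i].base + self.modules[i].size:
            return self.modules[i]
        return None

    def on_event(self, event: str, call_stack: List[int], risk_threshold: int = 70) -> str:
        """Event monitor: walk the call stack (innermost frame first) to the first
        unverified module, which is treated as the originator of the event."""
        if self.terminated:
            return "ignored: process already terminated"
        for return_address in call_stack:
            origin = self.module_at(return_address)
            if origin is not None and not origin.verified:
                if origin.risk >= risk_threshold:
                    self.terminated = True
                    return f"terminated: {event} originated by {origin.name} (risk {origin.risk})"
                return f"flagged: {event} originated by {origin.name} (risk {origin.risk})"
        return f"allowed: {event} originated by verified code"


def scenario() -> List[str]:
    """Constructed walk-through with made-up module names and address ranges."""
    proc = TrustedProcess("host.exe")
    proc.on_load(Module("host.exe", 0x400000, 0x100000, verified=True, risk=0))
    proc.on_load(Module("vendor_plugin.dll", 0x10000000, 0x40000, verified=False, risk=30))
    proc.on_load(Module("unknown_inject.dll", 0x7FF00000, 0x20000, verified=False, risk=90))
    out = [f"trust level: {proc.trust}"]
    # Event from the host's own verified code: allowed.
    out.append(proc.on_event("open network socket", [0x401234, 0x402000]))
    # Innermost frame lies in the low-risk unverified plugin: flagged only.
    out.append(proc.on_event("write registry value", [0x10001000, 0x401500]))
    # Innermost frame lies in the high-risk unverified component: terminate.
    out.append(proc.on_event("create remote thread", [0x7FF01000, 0x401500]))
    out.append(f"terminated: {proc.terminated}")
    return out


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

Walking the stack from the innermost frame outward means a verified host module that merely sits higher on the stack does not launder an event that an unverified component actually initiated.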
Abstract:
A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.
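The abstract above gives the pipeline in prose: normalize traces into behavior sequences, cluster similar sequences, extract a subsequence common to the cluster, emit it as the family signature, and re-align new traces to existing clusters. The Python below is an added example written for this page, not the patent's own implementation. It assumes regex-based normalization rules, similarity measured as longest-common-subsequence length over the longer sequence length with a 0.6 threshold, greedy clustering, and a signature computed by folding pairwise LCS across the cluster; the sandbox-style trace lines are constructed.

```python
import re
from typing import List, Optional, Sequence

# Normalization rules (assumed for this example): map a raw trace line to an
# abstract behavior token; lines matching no rule are dropped as noise.
RULES = [
    (re.compile(r"^CreateFile .*\\Temp\\", re.I), "WRITE_TEMP"),
    (re.compile(r"^CreateFile .*\\AppData\\", re.I), "WRITE_APPDATA"),
    (re.compile(r"^RegSetValue .*\\CurrentVersion\\Run\\", re.I), "SET_RUN_KEY"),
    (re.compile(r"^Connect \S+", re.I), "NET_CONNECT"),
    (re.compile(r"^CreateProcess ", re.I), "SPAWN_PROCESS"),
    (re.compile(r"^DeleteFile ", re.I), "DELETE_FILE"),
]

# Constructed behavior traces, one line per observed action (not real samples).
TRACES = {
    "a": [r"CreateFile C:\Users\bob\AppData\Roaming\svc.exe",
          r"RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
          "Connect 203.0.113.5:8080",
          r"CreateProcess C:\Users\bob\AppData\Roaming\svc.exe"],
    "b": [r"CreateFile C:\Users\bob\AppData\Roaming\upd.exe",
          "QueryPerformanceCounter",
          r"CreateFile C:\Users\bob\AppData\Local\Temp\s1.tmp",
          r"RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
          "Connect 198.51.100.7:443",
          r"CreateProcess C:\Users\bob\AppData\Roaming\upd.exe"],
    "c": [r"CreateFile C:\Users\alice\AppData\Roaming\hlp.exe",
          r"RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hlp",
          "Connect 203.0.113.9:80"],
    "d": [r"CreateFile C:\Users\bob\AppData\Local\Temp\w.bat",
          r"DeleteFile C:\Users\bob\Documents\a.docx",
          r"DeleteFile C:\Users\bob\Documents\b.docx",
          r"DeleteFile C:\Users\bob\Documents\c.xlsx"],
    "e": [r"CreateFile C:\Users\bob\AppData\Local\Temp\w2.bat",
          r"DeleteFile C:\Users\bob\Documents\x.docx",
          r"CreateProcess C:\Windows\System32\cmd.exe"],
}
NEW_TRACE = [r"CreateFile C:\Users\carol\AppData\Roaming\n.exe",
             r"RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\n",
             r"CreateProcess C:\Users\carol\AppData\Roaming\n.exe"]


def normalize(trace: Sequence[str]) -> List[str]:
    """Abstract away arguments, drop unmatched lines, collapse consecutive repeats."""
    seq: List[str] = []
    for line in trace:
        for pattern, token in RULES:
            if pattern.search(line):
                if not seq or seq[-1] != token:
                    seq.append(token)
                break
    return seq


def lcs(a: Sequence[str], b: Sequence[str]) -> List[str]:
    """Longest common subsequence by dynamic programming (one of possibly several)."""
    n, m = len(a), len(b)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            table[i][j] = table[i + 1][j + 1] + 1 if a[i] == b[j] else max(table[i + 1][j], table[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    return len(lcs(a, b)) / max(len(a), len(b), 1)


def signature_for(cluster_members: List[List[str]]) -> List[str]:
    """Behavior subsequence shared by every member: fold pairwise LCS over the
    cluster (a common subsequence of all members, not necessarily the longest)."""
    sig = list(cluster_members[0])
    for seq in cluster_members[1:]:
        sig = lcs(sig, seq)
    return sig


def align(clusters: List[List[List[str]]], seq: List[str], threshold: float) -> Optional[int]:
    """Index of the cluster whose members are on average at least `threshold`
    similar to seq, or None when the sequence fits no existing cluster."""
    best, best_score = None, threshold
    for idx, members in enumerate(clusters):
        score = sum(similarity(seq, m) for m in members) / len(members)
        if score >= best_score:
            best, best_score = idx, score
    return best


def cluster(sequences: List[List[str]], threshold: float = 0.6) -> List[List[List[str]]]:
    clusters: List[List[List[str]]] = []
    for seq in sequences:
        idx = align(clusters, seq, threshold)
        if idx is None:
            clusters.append([seq])
        else:
            clusters[idx].append(seq)
    return clusters


def add_new_sample(clusters, signatures, raw_trace, threshold: float = 0.6) -> int:
    """Normalize a new trace, align it to an existing cluster if possible and
    regenerate that cluster's signature; otherwise it seeds a new cluster."""
    seq = normalize(raw_trace)
    idx = align(clusters, seq, threshold)
    if idx is None:
        clusters.append([seq]); signatures.append(list(seq))
        return len(clusters) - 1
    clusters[idx].append(seq)
    signatures[idx] = signature_for(clusters[idx])
    return idx


def matches(signature: Sequence[str], seq: Sequence[str]) -> bool:
    """Detection step: the signature must occur as a subsequence of the sequence."""
    it = iter(seq)
    return all(any(tok == s for tok in it) for s in signature)
```

Folding the LCS across a cluster makes the signature shrink as the family's behavior varies more, which is visible when the new sample (which never connects out) joins the first cluster and the shared subsequence loses its NET_CONNECT step. A signature that becomes very short is a sign the cluster threshold is too loose.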
Abstract:
A computer-implemented method for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process is described. A component loaded by the unclassified process is identified. A determination is made as to whether a hard dependency exists between the unclassified process and the loaded component. A hard dependency exists if the unclassified process depends on the loaded component in order to execute. The unclassified process is classified as a potentially trusted process if a hard dependency exists between the unclassified process and the loaded component.
Abstract:
A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors is created for a set of training files with known classifications. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied, the node is set as a leaf node. Otherwise the node is set as a branch node, and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors is split into subsets based on their values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.
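The abstract does not say how the impurity reduction is weighted by attribute cost, what the stopping criterion is, or what the cost-based pruning rule is, so the Python below is an added example for this page rather than the patented method: it assumes Gini impurity, a score equal to impurity reduction divided by the attribute's cost, a stopping rule of "node is pure or no attribute helps", and a post-pruning rule that collapses a branch whose attribute costs more than a chosen number of cost units per unit of impurity reduction. The training set and the attribute costs are constructed. The point it makes visible is that the cheapest useful attribute wins the root split even though an expensive attribute separates the classes perfectly, and that pruning trades a little accuracy for a much lower per-file evaluation cost.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Row = Tuple[Dict[str, int], str]

# Constructed training set (not from the patent): binary attributes a file
# scanner could compute, each with a known classification.
TRAIN: List[Row] = [
    ({"packed": 1, "signed": 0, "imports_net": 1, "entropy_high": 1}, "malware"),
    ({"packed": 1, "signed": 0, "imports_net": 0, "entropy_high": 1}, "malware"),
    ({"packed": 1, "signed": 0, "imports_net": 1, "entropy_high": 1}, "malware"),
    ({"packed": 0, "signed": 0, "imports_net": 0, "entropy_high": 1}, "malware"),
    ({"packed": 0, "signed": 1, "imports_net": 1, "entropy_high": 0}, "clean"),
    ({"packed": 0, "signed": 1, "imports_net": 0, "entropy_high": 0}, "clean"),
    ({"packed": 0, "signed": 1, "imports_net": 1, "entropy_high": 0}, "clean"),
    ({"packed": 1, "signed": 0, "imports_net": 0, "entropy_high": 0}, "clean"),
]
ATTRS = ["packed", "signed", "imports_net", "entropy_high"]
# Assumed relative computational complexity of evaluating each attribute
# (a header flag is cheap; whole-file entropy is expensive).
COST = {"packed": 1.0, "signed": 4.0, "imports_net": 2.0, "entropy_high": 8.0}


def gini(labels: List[str]) -> float:
    n = len(labels)
    return 0.0 if n == 0 else 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def impurity_reduction(rows: List[Row], attr: str) -> float:
    """Gini impurity of the node minus the size-weighted impurity of its children."""
    groups: Dict[int, List[str]] = {}
    for x, y in rows:
        groups.setdefault(x[attr], []).append(y)
    children = sum(len(g) / len(rows) * gini(g) for g in groups.values())
    return gini([y for _, y in rows]) - children


def weighted_score(rows: List[Row], attr: str) -> float:
    # Assumed weighting: impurity reduction per unit of computational cost.
    return impurity_reduction(rows, attr) / COST[attr]


def unweighted_best(rows: List[Row], attrs: List[str]) -> str:
    """What a conventional tree would pick: the largest raw impurity reduction."""
    return max(attrs, key=lambda a: impurity_reduction(rows, a))


@dataclass
class Node:
    majority: str = ""                 # majority label of the rows at this node
    label: Optional[str] = None        # set on leaf nodes
    attr: Optional[str] = None         # splitting attribute on branch nodes
    reduction: float = 0.0             # raw impurity reduction of the split
    children: Dict[int, "Node"] = field(default_factory=dict)


def build(rows: List[Row], attrs: List[str]) -> Node:
    labels = [y for _, y in rows]
    node = Node(majority=Counter(labels).most_common(1)[0][0])
    scores = {a: weighted_score(rows, a) for a in attrs}
    # Stopping criterion (assumed): node is pure, or no attribute reduces impurity.
    if gini(labels) == 0.0 or not attrs or max(scores.values()) <= 0.0:
        node.label = node.majority
        return node
    best = max(attrs, key=scores.__getitem__)
    node.attr, node.reduction = best, impurity_reduction(rows, best)
    remaining = [a for a in attrs if a != best]
    for value in sorted({x[best] for x, _ in rows}):
        node.children[value] = build([r for r in rows if r[0][best] == value], remaining)
    return node


def prune(node: Node, max_cost_per_reduction: float) -> Node:
    """Bottom-up post-pruning. Assumed rule: a branch whose splitting attribute
    costs more than max_cost_per_reduction units per unit of impurity reduction
    is collapsed into a leaf carrying its majority label."""
    if node.label is None:
        for child in node.children.values():
            prune(child, max_cost_per_reduction)
        if COST[node.attr] / node.reduction > max_cost_per_reduction:
            node.label, node.attr, node.children = node.majority, None, {}
    return node


def classify(node: Node, x: Dict[str, int]) -> str:
    while node.label is None:
        node = node.children.get(x[node.attr], Node(label=node.majority))
    return node.label


def path_cost(node: Node, x: Dict[str, int]) -> float:
    """Total attribute cost spent classifying x: what the weighting is meant to keep low."""
    total = 0.0
    while node.label is None:
        total += COST[node.attr]
        node = node.children.get(x[node.attr], Node(label=node.majority))
    return total


if __name__ == "__main__":
    tree = build(TRAIN, ATTRS)
    print("root split:", tree.attr, "| unweighted choice would be:", unweighted_best(TRAIN, ATTRS))
    print("cost to classify last sample:", path_cost(tree, TRAIN[-1][0]), classify(tree, TRAIN[-1][0]))
    prune(tree, 12.0)
    print("after pruning:", path_cost(tree, TRAIN[-1][0]), classify(tree, TRAIN[-1][0]))
```

With these costs the root splits on `packed` (score 0.125) rather than on `entropy_high`, whose raw reduction is four times larger but whose cost is eight times higher; pruning at 12 cost units per unit of reduction then removes the deep `imports_net`/`entropy_high` branch, so the last training file is classified after one cheap check instead of three, at the price of one misclassification on the training set.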
Abstract:
A computer-implemented method for detecting data-stealing malware may include: 1) detecting an attempt by an untrusted application to access a storage location that is known to be used by a legitimate application when storing potentially sensitive information, 2) determining that the legitimate application is not installed on the computing device, 3) determining that the untrusted application represents a potential security risk, and then 4) performing a security operation on the untrusted application. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed.
Abstract:
A method and apparatus for host authentication in a network implementing network access control are described. In an example, a network access control (NAC) server receives network address requests from hosts on a network. If a host is compliant with an established security policy, the NAC server determines a unique indicium for the host and records the unique indicium along with a network address leased to the host by a dynamic host configuration protocol (DHCP) server. When a host requests access to a resource on the network, the host is authenticated by determining whether its asserted network address is valid. If valid, a pre-computed unique indicium for that address is obtained and compared with a unique indicium for the host. If the indicia match, the host is allowed access to the resource. Otherwise, the host is blocked from access to the resource.
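The two phases of the abstract above (record an indicium against the leased address at DHCP time, then at access time validate the asserted address and compare indicia) are shown below as an added Python example for this page, not the patent's implementation. It assumes a compliance policy of "patched and anti-malware running", an indicium built as an HMAC-SHA256 over the MAC address and a machine identifier reported by the host's agent, and a simplified lease table kept inside the NAC server; the hosts, addresses and key are constructed. The scenario covers the cases a NAC engineer would want to see blocked: a non-compliant host, a different host asserting a compliant host's address, an address that was never leased, and an expired lease.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


@dataclass
class Host:
    mac: str
    machine_id: str
    patched: bool
    av_running: bool


@dataclass
class Lease:
    mac: str
    expires_at: float


def compliant(host: Host) -> bool:
    """Assumed security policy: patched and anti-malware running."""
    return host.patched and host.av_running


def indicium(host: Host, secret: bytes) -> str:
    """Assumed construction of the unique indicium: a keyed hash over stable
    identity fields reported by the host's agent. The abstract only requires
    that the indicium be unique per host."""
    return hmac.new(secret, f"{host.mac}|{host.machine_id}".encode(), hashlib.sha256).hexdigest()


class NacServer:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.leases: Dict[str, Lease] = {}   # address -> lease handed out by DHCP
        self.indicia: Dict[str, str] = {}    # address -> indicium of the compliant host

    def on_address_request(self, host: Host, ip: str, lease_seconds: int, now: float) -> bool:
        """The host asks for an address and DHCP leases it; the indicium is recorded
        against the address only when the host passes the policy check."""
        self.leases[ip] = Lease(host.mac, now + lease_seconds)
        if compliant(host):
            self.indicia[ip] = indicium(host, self.secret)
            return True
        self.indicia.pop(ip, None)   # a stale record must not survive re-leasing
        return False

    def authorize(self, asserted_ip: str, host: Host, now: float) -> bool:
        """Resource access: validate the asserted address, then compare the
        pre-computed indicium for that address with the requesting host's."""
        lease = self.leases.get(asserted_ip)
        if lease is None or lease.expires_at <= now:
            return False                      # not a valid, current lease
        expected = self.indicia.get(asserted_ip)
        if expected is None:
            return False                      # leased to a non-compliant host
        return hmac.compare_digest(expected, indicium(host, self.secret))


def scenario() -> Dict[str, bool]:
    """Constructed walk-through; times are epoch seconds."""
    now = 1_700_000_000.0
    nac = NacServer(secret=b"constructed-example-key")
    good = Host("00:11:22:33:44:55", "machine-A", patched=True, av_running=True)
    bad = Host("66:77:88:99:AA:BB", "machine-B", patched=False, av_running=True)
    other = Host("CC:DD:EE:FF:00:11", "machine-C", patched=True, av_running=True)
    nac.on_address_request(good, "10.0.0.10", 3600, now)
    nac.on_address_request(bad, "10.0.0.11", 3600, now)
    return {
        "compliant_host": nac.authorize("10.0.0.10", good, now + 60),
        "noncompliant_host": nac.authorize("10.0.0.11", bad, now + 60),
        "address_claimed_by_other_host": nac.authorize("10.0.0.10", other, now + 60),
        "unleased_address": nac.authorize("10.0.0.99", good, now + 60),
        "expired_lease": nac.authorize("10.0.0.10", good, now + 7200),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The indicium is compared with `hmac.compare_digest` so that the check runs in constant time, and the record is explicitly cleared when an address is re-leased to a non-compliant host so that an earlier compliant tenant's indicium cannot linger on the address.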