摘要:
A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process is described. The loading activity of the trusted process is monitored. A trust level associated with the trusted process is altered when an unverified component is loaded into the trusted process. Events performed by the trusted process are monitored. An unverified component that originated the event is identified. The trusted process is terminated based on a security risk associated with the unverified component that originated the event.
摘要:
A computer-implemented method for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process is described. A component loaded by the unclassified process is identified. A determination is made as to whether a hard dependency exists between the unclassified process and the loaded component. A hard dependency exists if the unclassified process depends on the loaded component in order to execute. The unclassified process is classified as a potentially trusted process if a hard dependency exists between the unclassified process and the loaded component.
摘要:
A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors are created for a set of training files with known classification. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied then the node is set as a leaf node. Otherwise the node is set as a branch node and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors are split into subsets based on their attribute values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.
摘要:
A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.
摘要:
A computer-implemented method for detecting data-stealing malware may include: 1) detecting an attempt by an untrusted application to access a storage location that is known to be used by a legitimate application when storing potentially sensitive information, 2) determining that the legitimate application is not installed on the computing device, 3) determining that the untrusted application represents a potential security risk, and then 4) performing a security operation on the untrusted application. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed.
摘要:
Method and apparatus for host authentication in a network implementing network access control is described. In an example, a network access control (NAC) server receives network address requests from hosts on a network. If a host is compliant with an established security policy, the NAC server determines a unique indicium for the host and records the unique indicium along with a network address leased to the host by a dynamic host configuration protocol (DHCP) server. When a host requests access to a resource on the network, the host is authenticated by determining whether its asserted network address is valid. If valid, a pre-computed unique indicium for that address is obtained and compared with a unique indicium for the host. If the indicia match, the host is allowed access to the resource. Otherwise, the host is blocked from access to the resource.
摘要:
A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors are created for a set of training files with known classification. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied then the node is set as a leaf node. Otherwise the node is set as a branch node and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors are split into subsets based on their attribute values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.
摘要:
The instant disclosure describes various exemplary systems and methods for exonerating an untrusted software component based solely on a trusted software component's non-optional or “hard” dependency on the untrusted software component. In one example, a method for exonerating untrusted software components in this manner may include: 1) identifying a dependent software component, 2) determining that the dependent software component is a non-optional dependent component of at least one trusted software component, and then 3) classifying the dependent software component as a trusted software component. As detailed herein, such a method may enable security software to quickly and efficiently exonerate untrusted components by association without having to scan or perform other intrusive and/or resource-intensive security operations on such untrusted software components.
摘要:
A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.
摘要:
A host reputation score indicating whether a host connected to the client by a network is malicious is received. An entity on the client that communicates with the host is identified. Whether the entity is a malware threat is determined based at least in part on the host reputation score.