Systems and methods for preventing threats originating from a non-process based component hosted by a trusted process
    1.
    发明授权
    Systems and methods for preventing threats originating from a non-process based component hosted by a trusted process 有权
    用于防止由可信过程托管的基于非进程的组件引发的威胁的系统和方法

    公开(公告)号:US08205257B1

    公开(公告)日:2012-06-19

    申请号:US12510828

    申请日:2009-07-28

    IPC分类号: H04K1/00

    摘要: A computer-implemented method for preventing threats originating from a non-process based component hosted by a trusted process is described. The loading activity of the trusted process is monitored. A trust level associated with the trusted process is altered when an unverified component is loaded into the trusted process. Events performed by the trusted process are monitored. An unverified component that originated the event is identified. The trusted process is terminated based on a security risk associated with the unverified component that originated the event.

    摘要翻译: 描述了用于防止由可信过程托管的基于非基于过程的组件引起的威胁的计算机实现的方法。 监视可信过程的加载活动。 当将未验证的组件加载到可信过程中时,与受信任进程相关联的信任级别会被更改。 监视受信任进程执行的事件。 确定发起事件的未验证组件。 可信过程基于与发生事件的未验证组件相关联的安全风险而终止。

    Systems and methods for classifying an unclassified process as a potential trusted process based on dependencies of the unclassified process
    2.
    发明授权
    Systems and methods for classifying an unclassified process as a potential trusted process based on dependencies of the unclassified process 有权
    基于未分类过程的依赖关系将未分类过程分类为潜在可信过程的系统和方法

    公开(公告)号:US08914888B1

    公开(公告)日:2014-12-16

    申请号:US12603429

    申请日:2009-10-21

    IPC分类号: G06F11/00

    摘要: A computer-implemented method for classifying an unclassified process as a potentially trusted process based on dependencies of the unclassified process is described. A component loaded by the unclassified process is identified. A determination is made as to whether a hard dependency exists between the unclassified process and the loaded component. A hard dependency exists if the unclassified process depends on the loaded component in order to execute. The unclassified process is classified as a potentially trusted process if a hard dependency exists between the unclassified process and the loaded component.

    摘要翻译: 描述了一种用于将未分类过程分类为基于未分类过程的依赖性的潜在受信任过程的计算机实现的方法。 识别由未分类过程加载的组件。 确定在未分类的进程和加载的组件之间是否存在硬依赖关系。 如果未分类的进程依赖于加载的组件来执行,则存在硬依赖性。 如果未分类的进程和加载的组件之间存在硬依赖关系,则未分类进程被分类为潜在的可信任进程。

    Decision tree induction that is sensitive to attribute computational complexity
    3.
    发明授权
    Decision tree induction that is sensitive to attribute computational complexity 有权
    对属性计算复杂度敏感的决策树归纳

    公开(公告)号:US08495096B1

    公开(公告)日:2013-07-23

    申请号:US13450390

    申请日:2012-04-18

    IPC分类号: G06F17/30

    CPC分类号: G06F21/566 G06F21/562

    摘要: A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors are created for a set of training files with known classification. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied then the node is set as a leaf node. Otherwise the node is set as a branch node and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors are split into subsets based on their attribute values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.

    摘要翻译: 构建了用于分类计算机文件的决策树。 确定一组候选属性的计算复杂度。 为一组具有已知分类的训练文件创建一组属性向量。 创建一个节点来表示集合。 基于属性的计算复杂度,为每个候选属性计算加权杂质减少分数。 如果满足停止条件,则将节点设置为叶节点。 否则将节点设置为分支节点,并将具有最高加权杂质减少分数的属性选为分支节点的分割属性。 基于分割属性的属性值,将属性向量集分为子集。 对于每个子集重复上述过程。 然后根据分割属性的计算复杂度修剪树。

    Behavioral signature generation using clustering
    4.
    发明授权
    Behavioral signature generation using clustering 有权
    使用聚类的行为签名生成

    公开(公告)号:US08464345B2

    公开(公告)日:2013-06-11

    申请号:US12769262

    申请日:2010-04-28

    IPC分类号: G06F11/00

    摘要: A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.

    摘要翻译: 生成用于检测恶意软件的行为签名。 计算机用于收集恶意软件数据集中恶意软件的行为痕迹。 行为痕迹描述恶意软件执行的顺序行为。 行为轨迹被归一化以产生恶意软件行为序列。 类似的恶意软件行为序列聚集在一起。 集群中的恶意软件行为序列描述恶意软件系列的行为。 分析集群以识别集群恶意软件系列通用的行为子序列。 使用行为子序列生成恶意软件系列的行为签名。 如果可能,新的恶意软件的跟踪将被归一化并与现有集群对齐。 基于新的恶意软件和群集中的其他序列的行为序列生成该群集的行为签名。

    Systems and methods for detecting data-stealing malware
    5.
    发明授权
    Systems and methods for detecting data-stealing malware 有权
    检测数据窃取恶意软件的系统和方法

    公开(公告)号:US08321940B1

    公开(公告)日:2012-11-27

    申请号:US12771433

    申请日:2010-04-30

    IPC分类号: G06F11/00

    摘要: A computer-implemented method for detecting data-stealing malware may include: 1) detecting an attempt by an untrusted application to access a storage location that is known to be used by a legitimate application when storing potentially sensitive information, 2) determining that the legitimate application is not installed on the computing device, 3) determining that the untrusted application represents a potential security risk, and then 4) performing a security operation on the untrusted application. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed.

    摘要翻译: 用于检测数据窃取恶意软件的计算机实现的方法可以包括:1)当存储潜在敏感信息时,检测不可信应用尝试访问已知由合法应用使用的存储位置,2)确定合法 应用程序未安装在计算设备上,3)确定不可信应用程序表示潜在的安全风险,然后4)对不受信任的应用程序执行安全操作。 还公开了包含在计算机可读介质上的相应系统和计算机可读指令。

    Method and apparatus for host authentication in a network implementing network access control
    6.
    发明授权
    Method and apparatus for host authentication in a network implementing network access control 有权
    实现网络访问控制的网络中主机认证的方法和装置

    公开(公告)号:US08190755B1

    公开(公告)日:2012-05-29

    申请号:US11645958

    申请日:2006-12-27

    IPC分类号: G06F15/16

    CPC分类号: H04L63/102 H04L61/2015

    摘要: Method and apparatus for host authentication in a network implementing network access control is described. In an example, a network access control (NAC) server receives network address requests from hosts on a network. If a host is compliant with an established security policy, the NAC server determines a unique indicium for the host and records the unique indicium along with a network address leased to the host by a dynamic host configuration protocol (DHCP) server. When a host requests access to a resource on the network, the host is authenticated by determining whether its asserted network address is valid. If valid, a pre-computed unique indicium for that address is obtained and compared with a unique indicium for the host. If the indicia match, the host is allowed access to the resource. Otherwise, the host is blocked from access to the resource.

    摘要翻译: 描述了实现网络访问控制的网络中的主机认证的方法和装置。 在一个示例中,网络访问控制(NAC)服务器从网络上的主机接收网络地址请求。 如果主机符合已建立的安全策略,则NAC服务器为主机确定唯一的标记,并通过动态主机配置协议(DHCP)服务器将唯一标记与租用的主机的网络地址一起记录。 当主机请求访问网络上的资源时,通过确定其断言的网络地址是否有效来验证主机。 如果有效,则获得该地址的预先计算的唯一标记,并与主机的唯一标记进行比较。 如果标记匹配,则允许主机访问资源。 否则,主机被阻止访问资源。

    Decision tree induction that is sensitive to attribute computational complexity
    7.
    发明授权
    Decision tree induction that is sensitive to attribute computational complexity 有权
    对属性计算复杂度敏感的决策树归纳

    公开(公告)号:US08190647B1

    公开(公告)日:2012-05-29

    申请号:US12560298

    申请日:2009-09-15

    IPC分类号: G06F17/30

    CPC分类号: G06F21/566 G06F21/562

    摘要: A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors are created for a set of training files with known classification. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied then the node is set as a leaf node. Otherwise the node is set as a branch node and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors are split into subsets based on their attribute values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.

    摘要翻译: 构建了用于分类计算机文件的决策树。 确定一组候选属性的计算复杂度。 为一组具有已知分类的训练文件创建一组属性向量。 创建一个节点来表示集合。 基于属性的计算复杂度,为每个候选属性计算加权杂质减少分数。 如果满足停止条件,则将节点设置为叶节点。 否则将节点设置为分支节点,并将具有最高加权杂质减少分数的属性选为分支节点的分割属性。 基于分割属性的属性值,将属性向量集分为子集。 对于每个子集重复上述过程。 然后根据分割属性的计算复杂度修剪树。

    Systems and methods for exonerating untrusted software components
    8.
    发明授权
    Systems and methods for exonerating untrusted software components 有权
    免除不可信软件组件的系统和方法

    公开(公告)号:US08918873B1

    公开(公告)日:2014-12-23

    申请号:US12550198

    申请日:2009-08-28

    IPC分类号: G06F12/14

    CPC分类号: G06F21/57 G06F2221/2145

    摘要: The instant disclosure describes various exemplary systems and methods for exonerating an untrusted software component based solely on a trusted software component's non-optional or “hard” dependency on the untrusted software component. In one example, a method for exonerating untrusted software components in this manner may include: 1) identifying a dependent software component, 2) determining that the dependent software component is a non-optional dependent component of at least one trusted software component, and then 3) classifying the dependent software component as a trusted software component. As detailed herein, such a method may enable security software to quickly and efficiently exonerate untrusted components by association without having to scan or perform other intrusive and/or resource-intensive security operations on such untrusted software components.

    摘要翻译: 本公开描述了仅基于可信软件组件对不可信软件组件的非可选或“硬”依赖性来排除不可信软件组件的各种示例性系统和方法。 在一个示例中,以这种方式排除不信任软件组件的方法可以包括:1)识别从属软件组件,2)确定依赖软件组件是至少一个可信软件组件的非可选依赖组件,然后 3)将依赖软件组件分类为可信软件组件。 如这里所详细描述的,这种方法可以使得安全软件能够通过关联来快速有效地排除不信任的组件,而不必扫描或执行对这种不受信任的软件组件的其他侵入和/或资源密集型安全操作。

    BEHAVIORAL SIGNATURE GENERATION USING CLUSTERING
    9.
    发明申请
    BEHAVIORAL SIGNATURE GENERATION USING CLUSTERING 有权
    使用聚类的行为签名生成

    公开(公告)号:US20110271341A1

    公开(公告)日:2011-11-03

    申请号:US12769262

    申请日:2010-04-28

    IPC分类号: G06F21/00

    摘要: A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.

    摘要翻译: 生成用于检测恶意软件的行为签名。 计算机用于收集恶意软件数据集中恶意软件的行为痕迹。 行为痕迹描述恶意软件执行的顺序行为。 行为轨迹被归一化以产生恶意软件行为序列。 类似的恶意软件行为序列聚集在一起。 集群中的恶意软件行为序列描述恶意软件系列的行为。 分析集群以识别集群恶意软件系列通用的行为子序列。 使用行为子序列生成恶意软件系列的行为签名。 如果可能,新的恶意软件的跟踪将被归一化并与现有集群对齐。 基于新的恶意软件和群集中的其他序列的行为序列生成该群集的行为签名。

    Communication-based host reputation system
    10.
    发明授权
    Communication-based host reputation system 有权
    基于通信的主机信誉系统

    公开(公告)号:US08381289B1

    公开(公告)日:2013-02-19

    申请号:US12416020

    申请日:2009-03-31

    IPC分类号: H04L29/06

    CPC分类号: H04L63/1408 H04L63/145

    摘要: A host reputation score indicating whether a host connected to the client by a network is malicious is received. An entity on the client that communicates with the host is identified. Whether the entity is a malware threat is determined based at least in part on the host reputation score.

    摘要翻译: 接收到主机信誉得分,表示网络连接到客户端的主机是否是恶意的。 识别与主机通信的客户端上的实体。 至少部分地基于主机信誉评分来确定实体是否是恶意软件威胁。