Systems and methods for identifying repackaged files

    Publication number: US09646157B1

    Publication date: 2017-05-09

    Application number: US14644732

    Filing date: 2015-03-11

    IPC classification: G06F11/00 G06F21/56

    CPC classification: G06F21/565 G06F2221/033

    Abstract: A computer-implemented method for identifying repackaged files may include (1) identifying an application package that packages files for a mobile device application that is to be executed through a mobile device operating system, (2) identifying, within the application package, a resource file that identifies resources for the application package defined in a programming language for the mobile device operating system, (3) parsing the resource file to identify a flag for a resource that specifies whether the resource is public, (4) determining that the flag for the resource has been set as public, and (5) classifying the application package as repackaged based at least in part on the determination that the flag for the resource has been set as public. Various other methods, systems, and computer-readable media are also disclosed.

    APPLICATION IDENTIFICATION AND CONTROL IN A NETWORK DEVICE

    Publication number: US20190132288A1

    Publication date: 2019-05-02

    Application number: US15799032

    Filing date: 2017-10-31

    IPC classification: H04L29/06 H04L12/46

    Abstract: Application identification and control in a network device. In one embodiment, a method may include establishing, at a network device, a Virtual Private Network (VPN) tunnel through which all Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic sent from or received at the network device is routed. The method may also include monitoring, at the network device, all TCP and UDP traffic sent from or received at the network device through the VPN tunnel. The method may further include extracting, at the network device, payload data from the monitored TCP and UDP traffic. The method may also include analyzing the extracted payload data to identify applications executing on the network device that sent or received the monitored TCP and UDP traffic. The method may further include taking, at the network device, a security action on the network device based on the identified applications.

    Systems and methods for identifying malware

    Status: Granted invention (in force)

    Publication number: US09519780B1

    Publication date: 2016-12-13

    Application number: US14570393

    Filing date: 2014-12-15

    Inventor: Jiang Dong

    IPC classification: G06F21/56 H04L29/06

    Abstract: A computer-implemented method for identifying malware may include (1) determining, for multiple commands within bytecode associated with a malware program, whether each command constitutes an invocation command, (2) filtering, based on the determination, invocation commands from the bytecode, (3) adding, for each invocation command filtered from the bytecode, an opcode, a format code, and a function prototype to a collection of opcodes, format codes, and function prototypes, (4) generating a digital fingerprint of the collection including the opcode, the format code, and the function prototype for each invocation command filtered from the bytecode, and (5) performing, by a computer security system, a remedial action to protect a user in response to detecting the presence of a variant of the malware program by determining that the digital fingerprint matches a candidate instance of bytecode under evaluation. Various other methods, systems, and computer-readable media are also disclosed.

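Steps (1) to (5) of the fingerprinting method above, as an added example; this is not the inventor's or assignee's code. The abstract defines none of its three terms concretely, so the example assumes Dalvik bytecode in smali-style disassembly (the listings below are constructed), reads "format code" as the Dalvik instruction format (35c for invoke-kind, 3rc for invoke-kind/range) and "function prototype" as the DEX prototype, i.e. parameter and return types without the class or method name. The SHA-256 over the collection is this example's choice of fingerprint.

```python
import hashlib
import re
from typing import NamedTuple

# Dalvik instruction formats for the invoke family: invoke-kind is format 35c,
# invoke-kind/range is format 3rc (assumed meaning of the abstract's "format code").
_KINDS = ("virtual", "super", "direct", "static", "interface")
FORMAT_CODES = {
    **{f"invoke-{k}": "35c" for k in _KINDS},
    **{f"invoke-{k}/range": "3rc" for k in _KINDS},
}

# opcode, register list, class, method name, prototype "(params)return"
INVOKE_RE = re.compile(
    r"^\s*(?P<op>invoke-[a-z]+(?:/range)?)\s+\{[^}]*\},\s*"
    r"(?P<cls>L[^;]+;)->(?P<name>[^(]+)(?P<proto>\([^)]*\)\S+)\s*$"
)


class Invocation(NamedTuple):
    opcode: str
    format_code: str
    prototype: str


def filter_invocations(disassembly: str) -> list[Invocation]:
    """Steps (1)-(3): keep only invocation commands, recording the triple for each."""
    collection = []
    for line in disassembly.splitlines():
        m = INVOKE_RE.match(line)
        if not m:
            continue  # not an invocation command: dropped
        op = m.group("op")
        collection.append(Invocation(op, FORMAT_CODES.get(op, "unknown"), m.group("proto")))
    return collection


def fingerprint(disassembly: str) -> str:
    """Step (4): digest of the ordered collection of (opcode, format, prototype)."""
    h = hashlib.sha256()
    for inv in filter_invocations(disassembly):
        h.update(f"{inv.opcode}|{inv.format_code}|{inv.prototype}\n".encode())
    return h.hexdigest()


def is_variant(known_fingerprint: str, candidate_disassembly: str) -> bool:
    """Step (5): a candidate matches when its fingerprint equals the known one."""
    return fingerprint(candidate_disassembly) == known_fingerprint


# Constructed sample: the known program's method.
ORIGINAL_SMALI = """\
.method private send(Ljava/lang/String;)V
    const/4 v0, 0x0
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v1
    const-string v2, "5555"
    move-object v3, p1
    invoke-virtual/range {v1 .. v6}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-direct {p0}, Lcom/example/a/b;->c()V
    return-void
.end method
"""

# Constructed variant: renamed class, renamed registers, changed constant, inserted nops.
VARIANT_SMALI = """\
.method private x(Ljava/lang/String;)V
    nop
    const/4 v8, 0x1
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v2
    nop
    const-string v3, "7777"
    move-object v4, p1
    invoke-virtual/range {v2 .. v7}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-direct {p0}, Lcom/q/w/e;->r()V
    return-void
.end method
"""

# Constructed unrelated method: different invocation set.
OTHER_SMALI = """\
.method private fetch(Ljava/lang/String;)V
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    return-void
.end method
"""

if __name__ == "__main__":
    known = fingerprint(ORIGINAL_SMALI)
    print("variant matches:", is_variant(known, VARIANT_SMALI))
    print("unrelated matches:", is_variant(known, OTHER_SMALI))
```

Two design consequences worth noting. Because only the prototype is hashed, renaming classes and methods does not break a match, but two programs that call the same sequence of API signatures collide, so the match drives the remedial action only when the whole fingerprint agrees. Because the collection keeps invocation order, reordering calls defeats the match; hashing a sorted collection would trade that weakness for lower specificity.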