METHODS, MEDIA AND SYSTEMS FOR DETECTING ANOMALOUS PROGRAM EXECUTIONS

    Publication number: US20210096941A1

    Publication date: 2021-04-01

    Application number: US15930951

    Filing date: 2020-05-13

    IPC classification: G06F11/07 G06F11/36

    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.

    METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE

    Publication number: US20190311113A1

    Publication date: 2019-10-10

    Application number: US16215976

    Filing date: 2018-12-11

    IPC classification: G06F21/50 G06F21/56

    Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: arbitrarily selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program.

    METHODS, MEDIA AND SYSTEMS FOR DETECTING ANOMALOUS PROGRAM EXECUTIONS

    Publication number: US20190250979A1

    Publication date: 2019-08-15

    Application number: US16175429

    Filing date: 2018-10-30

    IPC classification: G06F11/07 G06F11/36

    Abstract: Methods, media, and systems for detecting anomalous program executions are provided. In some embodiments, methods for detecting anomalous program executions are provided, comprising: executing at least a part of a program in an emulator; comparing a function call made in the emulator to a model of function calls for the at least a part of the program; and identifying the function call as anomalous based on the comparison. In some embodiments, methods for detecting anomalous program executions are provided, comprising: modifying a program to include indicators of program-level function calls being made during execution of the program; comparing at least one of the indicators of program-level function calls made in the emulator to a model of function calls for the at least a part of the program; and identifying a function call corresponding to the at least one of the indicators as anomalous based on the comparison.
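
    The two anomalous-execution abstracts above (US20210096941A1 and US20190250979A1) describe the same mechanism: record the function calls a program makes while it runs under instrumentation, compare them to a model of calls learned from known-good runs, and flag what the model has not seen. The following is an added example illustrating that idea; it is not code from either patent. The toy program, the benign runs, the n-gram form of the model and the use of sys.setprofile as the "call indicator" mechanism are all assumptions made for illustration.

```python
"""Added example (not code from the patents listed above): learn a model of
function-call n-grams from benign runs of an instrumented program, then flag
calls in a new run that the model never saw. The traced program, the benign runs,
the n-gram model and the use of sys.setprofile as the call-indicator mechanism
are all assumptions made for illustration."""
import sys

N = 3  # n-gram length (assumption; the abstracts do not fix a model type)


# --- the program under test (constructed) --------------------------------------
def parse(record):
    return record.split(",")


def store(fields):
    return {"user": fields[0], "amount": int(fields[1])}


def spawn_shell(cmd):
    # Never reached in benign runs; stands in for a call an exploit would make.
    return "would run " + cmd


def handle(record, injected=False):
    fields = parse(record)
    if injected:
        return spawn_shell(fields[0])
    return store(fields)


# --- call indicators: record program-level function calls while fn runs ---------
def trace_calls(fn, *args):
    """sys.setprofile plays the role of the emulator / inserted indicators: every
    Python-level call made while fn runs is appended to the trace."""
    trace = []

    def hook(frame, event, arg):
        if event == "call":
            trace.append(frame.f_code.co_name)

    sys.setprofile(hook)
    try:
        fn(*args)
    finally:
        sys.setprofile(None)
    return trace


# --- model of function calls ----------------------------------------------------
def ngrams(trace, n=N):
    """Yield (index, n-gram ending at that call); the start is padded so the
    first calls of a run are modelled too."""
    padded = ["<start>"] * (n - 1) + trace
    for i in range(len(trace)):
        yield i, tuple(padded[i:i + n])


def build_model(benign_traces, n=N):
    """The set of every call n-gram observed in known-good runs."""
    return {gram for trace in benign_traces for _, gram in ngrams(trace, n)}


def find_anomalies(trace, model, n=N):
    """Return [(position, function_name)] for calls whose n-gram is not in the model."""
    return [(i, trace[i]) for i, gram in ngrams(trace, n) if gram not in model]


if __name__ == "__main__":
    model = build_model([trace_calls(handle, r) for r in ("alice,5", "bob,12")])
    print(find_anomalies(trace_calls(handle, "carol,3"), model))        # []
    print(find_anomalies(trace_calls(handle, "evil,1", True), model))   # [(2, 'spawn_shell')]
```

    The model is deliberately whitelist-shaped: a call is anomalous when its context of preceding calls was never observed, so the injected path that reaches spawn_shell is flagged even though parse and handle are themselves legitimate functions. In practice the benign training runs must cover the program's real paths, or rare but legitimate paths will be reported as anomalies.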

    METHODS, MEDIA, AND SYSTEMS FOR SECURING COMMUNICATIONS BETWEEN A FIRST NODE AND A SECOND NODE
    Patent application (in force)

    Publication number: US20170054732A1

    Publication date: 2017-02-23

    Application number: US15221384

    Filing date: 2016-07-27

    IPC classification: H04L29/06

    CPC classification: H04L63/102 H04L63/145

    Abstract: Methods, media, and systems for securing communications between a first node and a second node are provided. In some embodiments, methods for securing communication between a first node and a second node are provided. The methods comprise: receiving at least one model of behavior of the second node at the first node; and authorizing the first node to receive traffic from the second node based on the difference between the at least one model of behavior of the second node and at least one model of behavior of the first node.
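
    The abstract above leaves open what a "model of behavior" is and how two models are compared. As an added example (not code from the patent), the block below takes one concrete choice: the model is a normalised byte-frequency profile of the traffic a node emits, the difference is the L1 distance between two profiles, and the first node authorises traffic only when the peer's profile is within a threshold of its own. The payloads, the profile form and the threshold are constructed assumptions.

```python
"""Added example (not code from the patent listed above): one concrete form of a
"model of behavior" (a normalised byte-frequency profile of the traffic a node
emits, an assumption) and an authorisation decision based on the distance between
the peer's model and the local one. Payloads and threshold are constructed."""


def byte_model(payloads):
    """Normalised 256-bin histogram of all bytes in the node's payloads."""
    counts = [0] * 256
    total = 0
    for payload in payloads:
        for b in payload:
            counts[b] += 1
        total += len(payload)
    return [c / total for c in counts] if total else counts


def model_distance(m1, m2):
    """Manhattan (L1) distance between two models: 0 = identical, 2 = disjoint support."""
    return sum(abs(a - b) for a, b in zip(m1, m2))


def authorize(local_model, peer_model, threshold=0.6):
    """The first node accepts traffic from the second only if the second's
    behaviour is close to its own. The threshold is an assumption; it must be
    tuned on real traffic of the nodes that are meant to talk to each other."""
    return model_distance(local_model, peer_model) <= threshold


# Constructed traffic: two web front-ends emit similar HTTP; a third node emits opaque binary.
NODE_A = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
          b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]
NODE_B = [b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
          b"POST /login HTTP/1.1\r\nHost: www.example.org\r\n\r\n"]
NODE_C = [bytes(range(256)) * 2]

if __name__ == "__main__":
    a, b, c = byte_model(NODE_A), byte_model(NODE_B), byte_model(NODE_C)
    print("A vs B: distance %.3f, authorized %s" % (model_distance(a, b), authorize(a, b)))
    print("A vs C: distance %.3f, authorized %s" % (model_distance(a, c), authorize(a, c)))
```

    Because the models are only 256 floats, a node can ship its profile to a peer cheaply and the peer can make the decision locally; the weakness of this particular model is that an attacker who knows the expected profile can pad traffic to mimic it, which is why the threshold and the feature set are the parts that matter.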

    Methods, systems, and media for inhibiting attacks on embedded devices
    Granted patent (in force)

    Publication number: US09392017B2

    Publication date: 2016-07-12

    Application number: US14379166

    Filing date: 2013-02-15

    IPC classification: H04L29/06 G06F21/64

    Abstract: Methods, systems, and media for inhibiting attacks on embedded devices are provided. In some embodiments, a system for inhibiting attacks on embedded devices is provided; the system comprises a processor that is configured to: identify an embedded device that is configured to provide one or more services to one or more digital processing devices within a communications network; receive a first firmware associated with the embedded device; generate a second firmware that is functionally equivalent to the first firmware by: determining unused code within the first firmware; removing the unused code from the second firmware; and restructuring remaining code portions of the first firmware into memory positions within the second firmware; and inject the second firmware into the embedded device.
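
    The "determine unused code, remove it, restructure what remains" step is shown below on a constructed call graph, as an added example that is not the patent's code. The firmware is modelled as named functions with sizes and direct-call edges and a single entry point at the reset vector; real firmware needs disassembly, resolution of indirect calls and relocation fix-ups that this example does not attempt.

```python
"""Added example (not code from the patent listed above): a toy version of the
"find unused code, remove it, restructure the rest" step on a constructed call
graph. Real firmware needs disassembly, indirect-call resolution and relocation
fix-ups that this example does not do; the image below is an assumption."""
import random

# Constructed firmware image: function -> (size in bytes, original address, callees)
FIRMWARE = {
    "reset":         (0x040, 0x0000, ["init", "main"]),
    "init":          (0x080, 0x0040, ["uart_init"]),
    "uart_init":     (0x030, 0x00C0, []),
    "main":          (0x0C0, 0x00F0, ["uart_read", "handle_cmd"]),
    "uart_read":     (0x050, 0x01B0, []),
    "handle_cmd":    (0x090, 0x0200, ["uart_write"]),
    "uart_write":    (0x050, 0x0290, []),
    "debug_shell":   (0x120, 0x02E0, ["uart_read", "uart_write", "flash_write"]),
    "flash_write":   (0x070, 0x0400, []),
    "legacy_update": (0x100, 0x0470, ["flash_write"]),
}
ENTRY_POINTS = ["reset"]  # assumption: the reset vector is the only root


def reachable(firmware, entries):
    """Functions reachable from the entry points over direct call edges."""
    seen, stack = set(), list(entries)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(firmware[name][2])
    return seen


def unused_code(firmware, entries):
    """Code that no path from an entry point ever calls."""
    return sorted(set(firmware) - reachable(firmware, entries))


def rebuild(firmware, entries, base=0x0000, seed=None):
    """Second firmware: only reachable functions, placed at new (shuffled)
    positions so the layout differs from the first image and between devices.
    Returns (name -> new address, total size)."""
    keep = sorted(reachable(firmware, entries))
    random.Random(seed).shuffle(keep)
    layout, addr = {}, base
    for name in keep:
        layout[name] = addr
        addr += firmware[name][0]
    return layout, addr - base


def verify(firmware, layout):
    """Checks worth running before injecting the image: every callee of a kept
    function is still present, and no two functions overlap."""
    for name in layout:
        for callee in firmware[name][2]:
            if callee not in layout:
                return False
    spans = sorted((layout[n], layout[n] + firmware[n][0]) for n in layout)
    return all(a_end <= b_start for (_, a_end), (b_start, _) in zip(spans, spans[1:]))


if __name__ == "__main__":
    print("unused:", unused_code(FIRMWARE, ENTRY_POINTS))
    layout, size = rebuild(FIRMWARE, ENTRY_POINTS, seed=1)
    print("new size %#x (was %#x), valid: %s"
          % (size, sum(f[0] for f in FIRMWARE.values()), verify(FIRMWARE, layout)))
    for name, addr in sorted(layout.items(), key=lambda kv: kv[1]):
        print("  %#06x %s" % (addr, name))
```

    Note that removing the unreachable debug_shell also removes flash_write, which only it and the equally dead legacy_update path reached: the attack surface that shrinks is not just the dead function but everything only it could call. The verify step is the practitioner's safeguard; if the firmware contains an indirect call the call-graph walk did not see, the function it targets is silently dropped here, so any real tool must treat unresolved indirect targets as reachable.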

    SYSTEMS AND METHODS FOR CORRELATING AND DISTRIBUTING INTRUSION ALERT INFORMATION AMONG COLLABORATING COMPUTER SYSTEMS
    Patent application (under examination, published)

    Publication number: US20150381639A1

    Publication date: 2015-12-31

    Application number: US14846188

    Filing date: 2015-09-04

    IPC classification: H04L29/06

    Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
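
    The abstract names two components, a correlator built on "data structures" that let a site reveal threat information to collaborators, and a distributor that groups sites and passes data on a schedule. The block below is an added example of both, not the patent's code; the choice of a Bloom filter as the data structure, the round-robin schedule inside fixed-size groups, and the sample alert sources are all assumptions made for illustration.

```python
"""Added example (not code from the patent listed above): a Bloom filter as the
data structure through which a site reveals its alert sources to collaborators
without sending the raw list, a correlator that checks its own alerts against a
peer's filter, and a round-robin distribution schedule within fixed-size groups.
The Bloom filter, the group scheme and the sample alerts are assumptions."""
import hashlib


class BloomFilter:
    """m-bit filter with k salted SHA-256 hashes; false positives possible, no false negatives."""

    def __init__(self, m=1024, k=4):
        self.m, self.k, self.bits = m, k, 0

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits |= 1 << pos

    def __contains__(self, item):
        return all(self.bits >> pos & 1 for pos in self._positions(item))

    def to_bytes(self):
        """What actually crosses the wire: m/8 bytes, never the list of sources."""
        return self.bits.to_bytes(self.m // 8, "big")

    @classmethod
    def from_bytes(cls, data, k=4):
        bf = cls(m=len(data) * 8, k=k)
        bf.bits = int.from_bytes(data, "big")
        return bf


def alert_filter(alert_sources):
    """A site's contribution: the sources it has raised alerts on, as a filter."""
    bf = BloomFilter()
    for src in alert_sources:
        bf.add(src)
    return bf


def correlate(local_alerts, peer_filter):
    """Sources this site has alerted on that a collaborator has (probably) also seen:
    the early sign of a scan or worm hitting more than one site."""
    return sorted(src for src in local_alerts if src in peer_filter)


def distribution_schedule(sites, group_size, rounds):
    """Round r: each site sends its filter to the member r positions ahead in its
    group, so every site sends exactly one message per round and traffic is bounded
    by the number of sites rather than growing with the number of alerts."""
    groups = [sites[i:i + group_size] for i in range(0, len(sites), group_size)]
    schedule = []
    for r in range(1, rounds + 1):
        pairs = []
        for group in groups:
            for i, sender in enumerate(group):
                receiver = group[(i + r) % len(group)]
                if receiver != sender:
                    pairs.append((sender, receiver))
        schedule.append(pairs)
    return schedule


# Constructed alerts (RFC 5737 documentation addresses, not real observations)
SITE_A_ALERTS = ["203.0.113.5", "198.51.100.7", "192.0.2.9"]
SITE_B_ALERTS = ["203.0.113.5", "192.0.2.44"]

if __name__ == "__main__":
    wire = alert_filter(SITE_B_ALERTS).to_bytes()   # 128 bytes from site B to site A
    print("correlated:", correlate(SITE_A_ALERTS, BloomFilter.from_bytes(wire)))
    for r, pairs in enumerate(distribution_schedule(list("ABCDEF"), 3, 2), start=1):
        print("round", r, pairs)
```

    The privacy property is that site A can only test sources it already has; it cannot enumerate B's alerts from the 128 bytes it received. The cost is the filter's false-positive rate, so a correlated source should raise the priority of an alert rather than block traffic on its own, and the filter size m should be chosen from the expected number of alerts per exchange.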

    METHODS, SYSTEMS, AND MEDIA FOR DETECTING COVERT MALWARE
    Patent application (in force)

    Publication number: US20130333037A1

    Publication date: 2013-12-12

    Application number: US13965619

    Filing date: 2013-08-13

    IPC classification: G06F21/56

    Abstract: Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination.

    Methods, systems, and media for testing insider threat detection systems

    Publication number: US12079345B2

    Publication date: 2024-09-03

    Application number: US17511253

    Filing date: 2021-10-26

    Abstract: Methods, systems, and media for testing insider threat detection systems are provided. In some embodiments, the method comprises: receiving, using a hardware processor, a first plurality of actions in a computing environment that are associated with one of a plurality of user accounts; generating a plurality of models of user behavior based at least in part on the first plurality of actions, wherein each of the plurality of models of user behavior is associated with each of the plurality of user accounts; selecting a model of user behavior from the plurality of models of user behavior, wherein the model of user behavior is associated with a malicious user type; generating a simulated user bot based on the selected model of user behavior; executing the simulated user bot in the computing environment, wherein the simulated user bot injects a second plurality of actions in the computing environment; determining whether an insider threat detection system executing within the computing environment identifies the simulated user bot as a malicious user; and transmitting a notification indicating an efficacy of the insider threat detection system based on the determination.
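
    The procedure in the abstract above, from per-account behaviour models through a simulated user bot to the efficacy notification, is illustrated below as an added example; it is not the patent's code. The action logs, the "malicious" labels, the first-order Markov form of the models and the stand-in detector being tested are all constructed assumptions.

```python
"""Added example (not code from the patent listed above): build per-account models
of user behaviour from action logs, pick the model labelled with the malicious user
type, drive a simulated user bot from it, and check whether a stand-in insider
threat detector flags the bot. The logs, labels, model form and detector are all
constructed assumptions for illustration."""
import random
from collections import Counter, defaultdict

# Constructed action logs (the "first plurality of actions"), one list per account.
LOGS = {
    "alice": ["login", "read_doc", "edit_doc", "read_doc", "logout"] * 4,
    "bob": ["login", "read_doc", "edit_doc", "copy_external", "logout"]
    + ["login", "read_doc", "edit_doc", "read_doc", "logout"] * 3,
    "mallory": ["login", "read_doc", "copy_external", "read_doc", "copy_external",
                "read_doc", "copy_external", "logout"] * 2,
}
# Assumed labels: which accounts exemplify the malicious user type.
USER_TYPES = {"alice": "normal", "bob": "normal", "mallory": "malicious"}
EXFIL_ACTION = "copy_external"


def build_model(actions):
    """First-order Markov model of one account: action -> Counter of next actions."""
    model = defaultdict(Counter)
    for cur, nxt in zip(actions, actions[1:]):
        model[cur][nxt] += 1
    return model


def simulated_user_bot(model, start, steps, seed):
    """Walk the model, sampling each next action in proportion to how often it
    followed the current one in the log; the result is the injected second plurality."""
    rng = random.Random(seed)
    actions, cur = [start], start
    while len(actions) < steps and model.get(cur):
        options = model[cur]
        cur = rng.choices(list(options), weights=list(options.values()))[0]
        actions.append(cur)
    return actions


def exfil_rate_detector(actions, baseline_rate, factor=3.0):
    """Stand-in for the insider threat detection system under test: flags a
    session whose rate of EXFIL_ACTION exceeds factor x the normal baseline."""
    rate = actions.count(EXFIL_ACTION) / max(len(actions), 1)
    return rate > factor * baseline_rate


def run_detector_test(logs, user_types, detector, steps=40, seed=7):
    """One bot per account model; returns ({account: flagged}, baseline_rate)."""
    models = {acct: build_model(acts) for acct, acts in logs.items()}
    normal = [a for acct, acts in logs.items() if user_types[acct] == "normal" for a in acts]
    baseline = normal.count(EXFIL_ACTION) / len(normal)
    flagged = {}
    for i, (acct, model) in enumerate(models.items()):
        bot_actions = simulated_user_bot(model, "login", steps, seed + i)
        flagged[acct] = detector(bot_actions, baseline)
    return flagged, baseline


def efficacy_notification(flagged, user_types):
    """The notification the abstract ends with: were malicious-type bots caught,
    and did normal-type bots stay unflagged?"""
    caught = [a for a, t in user_types.items() if t == "malicious" and flagged[a]]
    missed = [a for a, t in user_types.items() if t == "malicious" and not flagged[a]]
    false_pos = [a for a, t in user_types.items() if t == "normal" and flagged[a]]
    return "caught=%s missed=%s false_positives=%s" % (caught, missed, false_pos)


if __name__ == "__main__":
    flagged, baseline = run_detector_test(LOGS, USER_TYPES, exfil_rate_detector)
    print("baseline exfil rate %.3f" % baseline, flagged)
    print(efficacy_notification(flagged, USER_TYPES))
```

    Running bots from the normal accounts alongside the malicious one is what makes the result an efficacy measurement rather than a single pass/fail: a detector that flags mallory's bot but also bob's tells you its threshold is too tight. The bot only reproduces transitions present in the training log, so a model built from a short log will replay it almost verbatim; real tests need logs long enough that the sampled sessions differ from the originals.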