1. Classification of malware using clustering that orders events in accordance with the time of occurrence
    Granted patent; status: in force

    Publication number: US07809670B2

    Publication date: 2010-10-05

    Application number: US11608625

    Filing date: 2006-12-08

    IPC classification: G06F17/00

    CPC classification: G06F21/564

    Abstract: The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events is analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules is applied to a new application in order to classify the new application into one of the application groups.

2. System and method for efficiently scanning a file for malware
    Granted patent; status: in force

    Publication number: US07861296B2

    Publication date: 2010-12-28

    Application number: US11154267

    Filing date: 2005-06-16

    IPC classification: G06F11/00

    CPC classification: G06F21/51 G06F21/566

    Abstract: The present invention is directed toward a system, method, and a computer-readable medium for efficiently loading data into memory in order to scan the data for malware. The logic provided in the present invention improves the experience of a user when operating a computer protected with antivirus software. One aspect of the present invention is a method that identifies a pattern in which data in a file is loaded into memory from a computer-readable medium. Then the method identifies a pattern in which data in the file may be loaded into memory in a way that minimizes the time required to read data in the file. When a subsequent scan of the file is scheduled to occur, the method causes data in the file to be loaded into memory using the pattern that minimizes the time required to read data in the file.

3. System and method for detecting malware in executable scripts according to its functionality
    Granted patent; status: in force

    Publication number: US07707634B2

    Publication date: 2010-04-27

    Application number: US10769104

    Filing date: 2004-01-30

    IPC classification: G06F11/00

    Abstract: A malware detection system and method for determining whether an executable script is malware is presented. The malware detection system determines whether the executable script is malware by comparing the functional contents of the executable script to the functional contents of known malware. In practice, the executable script is obtained. The executable script is normalized, thereby generating a script signature corresponding to the functionality of the executable script. The script signature is compared to known malware script signatures in a malware signature store to determine whether the executable script is malware. If a complete match is made, the executable script is considered to be malware. If a partial match is made, the executable script is considered to likely be malware. The malware detection system may perform two normalizations, each normalization generating a script signature which is compared to similarly normalized known malware script signatures in the malware signature store.

4. System and method for unpacking packed executables for malware evaluation
    Granted patent; status: in force

    Publication number: US07620990B2

    Publication date: 2009-11-17

    Application number: US10769103

    Filing date: 2004-01-30

    IPC classification: G06F11/00 G06F11/30

    CPC classification: G06F21/51 G06F21/56

    Abstract: A system and method for determining whether a packed executable is malware is presented. In operation, a malware evaluator intercepts incoming data directed to a computer. The malware evaluator evaluates the incoming data to determine whether the incoming data is a packed executable. If the incoming data is a packed executable, the malware evaluator passes the packed executable to an unpacking module. The unpacking module includes a set of unpacker modules for unpacking a packed executable of a particular type. The unpacking module selects an unpacker module according to the type of the packed executable, and executes the selected unpacker module. Executing the unpacker module generates an unpacked executable corresponding to the packed executable. The unpacked executable is returned to the malware evaluator, where it is evaluated to determine whether the packed executable is malware.

5. THREAD SCANNING AND PATCHING TO DISABLE INJECTED MALWARE THREATS
    Published patent application; status: in force

    Publication number: US20090199297A1

    Publication date: 2009-08-06

    Application number: US12025142

    Filing date: 2008-02-04

    IPC classification: G06F21/24

    CPC classification: G06F21/566

    Abstract: An arrangement for scanning and patching injected malware code that is executing in otherwise legitimate processes running on a computer system is provided, in which malware code is located in the memory of processes by extracting the start addresses of processes' threads and then searching near these addresses. Additional blocks of code in memory that are invoked by the code identified by each start address are also identified, and the blocks are then matched against scanning signatures associated with known malware threads. If the entire signature can be matched against a subset of the blocks, then the thread is determined to be infected. The infected thread is suspended and in-memory modifications are performed to patch the injected code to render it harmless. The thread can be resumed or terminated to disable the protection mechanisms of the malware without causing any harm to the process in which the thread is injected.

6. System and method for proactive computer virus protection
    Granted patent; status: in force

    Publication number: US07877802B2

    Publication date: 2011-01-25

    Application number: US12019479

    Filing date: 2008-01-24

    IPC classification: G06F11/00

    CPC classification: G06F21/566

    Abstract: A system, method, and computer-readable medium for the proactive detection of malware in operating systems that receive application programming interface (API) calls is provided. A virtual operating environment for simulating the execution of programs and determining if the programs are malware is created. The virtual operating environment confines potential malware so that the systems of the host operating environment will not be adversely affected. During simulation, a behavior signature is generated based on the API calls issued by potential malware. The behavior signature is suitable for analysis to determine whether the simulated executable is malware.

7. System and method for gathering exhibited behaviors on a .NET executable module in a secure manner
    Granted patent; status: expired

    Publication number: US07730530B2

    Publication date: 2010-06-01

    Application number: US10769097

    Filing date: 2004-01-30

    IPC classification: G06F11/00

    Abstract: A system and method for gathering exhibited behaviors of a .NET executable module in a secure manner is presented. In operation, a .NET behavior evaluation module presents a virtual .NET environment to a Microsoft Corporation .NET code module. The .NET behavior evaluation module implements a sufficient number of aspects of an actual Microsoft Corporation .NET environment that a .NET code module can execute. As the .NET code module executes, the .NET behavior evaluation module records some of the exhibited behaviors, i.e., .NET system-supplied libraries/subroutines, that are associated with known malware. The recorded behaviors are placed in a behavior signature for an external determination as to whether the .NET code module is malware, i.e., an unwanted computer attack.

10. Applying antimalware logic without revealing the antimalware logic to adversaries
    Granted patent; status: in force

    Publication number: US08955133B2

    Publication date: 2015-02-10

    Application number: US13156726

    Filing date: 2011-06-09

    IPC classification: G06F21/00 G06F21/55 G06F21/56

    CPC classification: G06F21/552 G06F21/566

    Abstract: The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to malware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.