Classification of malware using clustering that orders events in accordance with the time of occurrence
    1.
    Invention patent (granted)
    Classification of malware using clustering that orders events in accordance with the time of occurrence (in force)

    Publication (announcement) no.: US07809670B2

    Publication (announcement) date: 2010-10-05

    Application no.: US11608625

    Filing date: 2006-12-08

    IPC classification: G06F17/00

    CPC classification: G06F21/564

    Abstract: The present invention is directed to a method and system for automatically classifying an application into an application group that was previously classified in a knowledge base. More specifically, the runtime behavior of an application is captured as a series of events that are monitored and recorded during the execution of the application. The series of events is analyzed to find the proper application group, namely the one that shares common runtime behavior patterns with the application. The knowledge base of application groups is constructed in advance from a large number of sample applications. The knowledge base is constructed in such a manner that each sample application can be classified into an application group based on a set of classification rules in the knowledge base. The same set of classification rules is then applied to a new application in order to classify it into one of the application groups.

Collecting and analyzing malware data
    2.
    Invention patent (granted)
    Collecting and analyzing malware data (in force)

    Publication (announcement) no.: US08667583B2

    Publication (announcement) date: 2014-03-04

    Application no.: US12234717

    Filing date: 2008-09-22

    CPC classification: G06F21/552 G06F21/568

    Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing it to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians, who would otherwise have to manually create environments for reproducing the threats and manually analyze the threat behavior.

COLLECTING AND ANALYZING MALWARE DATA
    3.
    Invention patent application
    COLLECTING AND ANALYZING MALWARE DATA (in force)

    Publication (announcement) no.: US20100077481A1

    Publication (announcement) date: 2010-03-25

    Application no.: US12234717

    Filing date: 2008-09-22

    IPC classification: G06F21/00

    CPC classification: G06F21/552 G06F21/568

    Abstract: A malware analysis system is described that provides information about malware execution history on a client computer and allows automated back-end analysis for faster creation of identification signatures and removal instructions. The malware analysis system collects threat information on client computers and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing it to information about known threats. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats more quickly than previous systems by reducing the burden on technicians, who would otherwise have to manually create environments for reproducing the threats and manually analyze the threat behavior.

Defining Code by its Functionality
    4.
    Invention patent application
    Defining Code by its Functionality (in force)

    Publication (announcement) no.: US20110191757A1

    Publication (announcement) date: 2011-08-04

    Application no.: US13078262

    Filing date: 2011-04-01

    IPC classification: G06F9/45

    CPC classification: G06F21/563

    Abstract: A system and method for defining code by its functionality is disclosed. The technology initially accesses a portion of code. Once the portion of code is accessed, at least one functional operation embedded in the code is determined. When the functional operation in the code has been determined, the portion of code is then defined by that functional operation. In so doing, the portion of code can be defined by its functional operation without requiring the consideration of any semantics related to the portion of code.

Whitelist and blacklist identification data
    5.
    Invention patent (granted)
    Whitelist and blacklist identification data (in force)

    Publication (announcement) no.: US08214895B2

    Publication (announcement) date: 2012-07-03

    Application no.: US11861489

    Filing date: 2007-09-26

    IPC classification: H04L29/06

    CPC classification: G06F21/564

    Abstract: Aspects of the subject matter described herein relate to identifying good files and malware based on whitelists and blacklists. In aspects, a node starts a scan of files on a data store. In conjunction with starting the scan, the node creates a data structure that indicates the directories on the data store. The node sends the data structure, together with an indication of the last successful time of communication, to a whitelist server and a blacklist server. The whitelist and blacklist servers respond to the node with information about any new files that have been added to the directories since the last successful communication. The node may subsequently use the information to identify known good files and malware.

Defining code by its functionality
    6.
    Invention patent (granted)
    Defining code by its functionality (in force)

    Publication (announcement) no.: US07945956B2

    Publication (announcement) date: 2011-05-17

    Application no.: US11436360

    Filing date: 2006-05-18

    IPC classification: G06F11/00

    CPC classification: G06F21/563

    Abstract: A system and method for defining code by its functionality is disclosed. The technology initially accesses a portion of code. Once the portion of code is accessed, at least one functional operation embedded in the code is determined. When the functional operation in the code has been determined, the portion of code is then defined by that functional operation. In so doing, the portion of code can be defined by its functional operation without requiring the consideration of any semantics related to the portion of code.

Whitelist and Blacklist Identification Data
    7.
    Invention patent application
    Whitelist and Blacklist Identification Data (in force)

    Publication (announcement) no.: US20090083852A1

    Publication (announcement) date: 2009-03-26

    Application no.: US11861489

    Filing date: 2007-09-26

    IPC classification: G06F11/00

    CPC classification: G06F21/564

    Abstract: Aspects of the subject matter described herein relate to identifying good files and malware based on whitelists and blacklists. In aspects, a node starts a scan of files on a data store. In conjunction with starting the scan, the node creates a data structure that indicates the directories on the data store. The node sends the data structure, together with an indication of the last successful time of communication, to a whitelist server and a blacklist server. The whitelist and blacklist servers respond to the node with information about any new files that have been added to the directories since the last successful communication. The node may subsequently use the information to identify known good files and malware.

Defining code by its functionality
    8.
    Invention patent (granted)
    Defining code by its functionality (in force)

    Publication (announcement) no.: US08707436B2

    Publication (announcement) date: 2014-04-22

    Application no.: US13078262

    Filing date: 2011-04-01

    IPC classification: G06F11/00 G06F9/45

    CPC classification: G06F21/563

    Abstract: A system and method for defining code by its functionality is disclosed. The technology initially accesses a portion of code. Once the portion of code is accessed, at least one functional operation embedded in the code is determined. When the functional operation in the code has been determined, the portion of code is then defined by that functional operation. In so doing, the portion of code can be defined by its functional operation without requiring the consideration of any semantics related to the portion of code.

Defining code by its functionality
    9.
    Invention patent application
    Defining code by its functionality (in force)

    Publication (announcement) no.: US20070288894A1

    Publication (announcement) date: 2007-12-13

    Application no.: US11436360

    Filing date: 2006-05-18

    IPC classification: G06F9/44

    CPC classification: G06F21/563

    Abstract: A system and method for defining code by its functionality is disclosed. The technology initially accesses a portion of code. Once the portion of code is accessed, at least one functional operation embedded in the code is determined. When the functional operation in the code has been determined, the portion of code is then defined by that functional operation. In so doing, the portion of code can be defined by its functional operation without requiring the consideration of any semantics related to the portion of code.