公开(公告)号：US20080229419A1

公开(公告)日：2008-09-18

申请号：US11724705

申请日：2007-03-16

申请人： Vladimir Holostov ,  John Neystadt

发明人： Vladimir Holostov ,  John Neystadt

IPC分类号： G06F12/14

CPC分类号： H04L63/145 ,  G06F21/564 ,  G06F2221/2101 ,  G06F2221/2151 ,  H04L63/0263 ,  H04L63/1425

摘要： Automated identification of deficiencies in a malware scanner contained in a firewall is provided by correlating incident reports that are generated by desktop protection clients running on hosts in an enterprise that is protected by the firewall. A desktop protection client scans a host for malware incidents, and when detected, analyzes the host's file access log to extract one or more pieces of information about the incident (e.g., identification of a process that placed the infected file on disk, an associated timestamp, file or content type, malware type, hash of such information, or hash of the infected file). The firewall correlates this file access log information with data in its own log to enable the firewall to download the content again and inspect it. If malware is detected, then it is assumed that it was missed when the file first entered the enterprise because the firewall did not have an updated signature. However, if the malware is not detected, then there is a potential deficiency.

摘要翻译： 通过关联由受防火墙保护的企业中的主机上运行的桌面防护客户端生成的事件报告，可以自动识别防火墙中包含的恶意软件扫描程序中的缺陷。 桌面保护客户端扫描主机以查找恶意软件事件，并在被检测到时分析主机的文件访问日志，以提取有关事件的一条或多条信息（例如，将受感染文件放在磁盘上的进程的标识，相关联的时间戳 ，文件或内容类型，恶意软件类型，此类信息的散列或受感染文件的散列）。 防火墙将该文件访问日志信息与其自己的日志中的数据相关联，以使防火墙能够再次下载内容并进行检查。 如果检测到恶意软件，则假设当文件首次进入企业时，因为防火墙没有更新的签名，所以它被遗漏。 但是，如果没有检测到恶意软件，那么存在潜在的缺陷。

公开(公告)号：US20090328210A1

公开(公告)日：2009-12-31

申请号：US12165608

申请日：2008-06-30

申请人： Vassilii Khachaturov ,  Vladimir Holostov ,  John Neystadt

发明人： Vassilii Khachaturov ,  Vladimir Holostov ,  John Neystadt

IPC分类号： G06F21/00

CPC分类号： G06F21/552

摘要： An automated security feedback arrangement is provided by which a specialized audit record called a tainting record is linked to data crossing the perimeter of a corpnet that comes from potentially untrusted sources. The linked tainting record operates to taint such data which may be received from external sources such as e-mail and websites or which may comprise data that is imported into the corpnet from mobile computing devices. Data that is derived from the original data is also tainted using a linked tainting record which includes a pointer back to the previous tainting record. The linking and pointing back are repeated for all subsequent derivations of data to thus create an audit trail that may be used to reconstruct the chain of events between the original data crossing the perimeter and any security compromise that may later be detected in the corpnet.

摘要翻译： 提供了一种自动安全反馈安排，通过该安排，称为污染记录的专门审核记录与跨越可能不受信任的来源的公司的边界的数据相关联。 链接的污染记录用于污染可从诸如电子邮件和网站的外部来源接收的这些数据，或者可以包括从移动计算设备导入到该公司的数据。 从原始数据导出的数据也使用链接的污点记录来污染，该记录包括指向前一个污点记录的指针。 为了所有后续的数据导出重复链接和指向，从而创建可用于重建跨越周界的原始数据之间的事件链以及可能在公司网络中稍后被检测到的任何安全损害的审计跟踪。

公开(公告)号：US08607305B2

公开(公告)日：2013-12-10

申请号：US12202352

申请日：2008-09-01

申请人： John Neystadt ,  Arie Friedman ,  Gregory Aaron Kohanim ,  Adam Shostack

发明人： John Neystadt ,  Arie Friedman ,  Gregory Aaron Kohanim ,  Adam Shostack

IPC分类号： G06F17/00 ,  A61N1/00 ,  H04M11/04 ,  H04M11/00

CPC分类号： G06F21/64 ,  G06F21/44 ,  G06F21/645 ,  G06F2221/2135 ,  H04L9/3268 ,  H04L63/0428 ,  H04L2209/42

摘要： Aspects of the subject matter described herein relate to collecting anonymous and traceable telemetry. In aspects, a telemetry source may obtain a certificate or other data from an escrow certificate issuer. The certificate includes information usable by a certificate collector to verify that the certificate is valid, but does not include information usable to identify the telemetry source to the telemetry collector.

摘要翻译： 本文描述的主题的方面涉及收集匿名和可溯源的遥测。 在方面，遥测源可以从托管证书颁发者获得证书或其他数据。 证书包括证书收集器可用以验证证书是否有效的信息，但不包括可用于识别遥测收集器的遥测源的信息。

公开(公告)号：US08136095B2

公开(公告)日：2012-03-13

申请号：US11959469

申请日：2007-12-19

申请人： Nissim Natanov ,  John Neystadt

发明人： Nissim Natanov ,  John Neystadt

IPC分类号： G06F9/44 ,  G06F9/445

CPC分类号： G06F11/3684

摘要： A test tool is provided for testing a software component. The tool receives data structured and formatted for processing by the software component. The structured data might conform to a schema defining valid inputs that the software component is able to parse/process. The test tool selects a discrete part of the structured data and fuzzes the selected discrete part. The test tool determines whether there are any parts of the structured data whose validity can be affected by fuzzing of the discrete part of the structured data. The fuzzed discrete part of the structured data is analyzed and a related part of the structured data is updated to be consistent with the fuzzed discrete part. The fuzzing tool passes the structured data with the fuzzed part and the updated part to the software component being tested. The software component is tested by having it process the data.

摘要翻译： 提供测试工具用于测试软件组件。 该工具接收由软件组件处理的结构化和格式化的数据。 结构化数据可能符合定义有效输入的模式，软件组件能够解析/处理。 测试工具选择结构化数据的离散部分并对所选择的离散部分进行模糊。 测试工具确定是否存在结构化数据的任何部分，其有效性可能受结构化数据的离散部分的模糊影响。 分析结构化数据的模糊离散部分，并将结构化数据的相关部分更新为与模糊离散部分一致。 模糊工具将具有模糊部分和更新部分的结构化数据传递到正在测试的软件组件。 软件组件通过处理数据进行测试。

公开(公告)号：US20110138442A1

公开(公告)日：2011-06-09

申请号：US12727267

申请日：2010-03-19

申请人： Anders B. Vinberg ,  John Neystadt ,  Yair Tor ,  Oleg Ananiev

发明人： Anders B. Vinberg ,  John Neystadt ,  Yair Tor ,  Oleg Ananiev

IPC分类号： G06F21/00

CPC分类号： G06F21/53 ,  H04L63/20

摘要： Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.

摘要翻译： 提供可在安全模型中获取和使用的附加数据的架构，以便在服务生命周期中为服务提供安全性。 该架构在服务的整个生命周期中自动传播安全性分类，其可以包括初始部署，扩展，移动服务器，监视和报告，并且进一步包括来自工作负载（计算机）的分类传播，模型中的分类传播， 根据存储位置（例如，虚拟硬盘驱动器）的沿袭分类传播，模型中的状态传播和基于存储在机器中的数据的分类。

公开(公告)号：US20110138441A1

公开(公告)日：2011-06-09

申请号：US12633805

申请日：2009-12-09

申请人： John Neystadt ,  Yigal Edery ,  Yan Belinky ,  Anders B. Vinberg ,  Dennis Scott Batchelder ,  Shimon Yannay

发明人： John Neystadt ,  Yigal Edery ,  Yan Belinky ,  Anders B. Vinberg ,  Dennis Scott Batchelder ,  Shimon Yannay

IPC分类号： G06Q10/00 ,  G06F21/00 ,  G06F15/177 ,  G06F9/455

CPC分类号： H04L63/20 ,  G06F9/5077 ,  G06F21/53 ,  H04L63/10

摘要： Architecture that provides model-based systems management in virtualized and non-virtualized environments. A security component provides security models which define security requirements for services. A management component applies one or more of the security models during the lifecycle of virtual machines and services. The lifecycle can include initial deployment, expansion, moving servers, monitoring, and reporting. The architecture creates a formal description model of how a virtual machine or a service (composition of multiple virtual machines) is secured. The security requirements information can also be fed back to the general management system which uses this information in its own activities such as to guide the placement of workloads on servers can be security related.

摘要翻译： 在虚拟化和非虚拟化环境中提供基于模型的系统管理的架构。 安全组件提供了定义服务安全性要求的安全模型。 管理组件在虚拟机和服务的生命周期中应用一个或多个安全模型。 生命周期可以包括初始部署，扩展，移动服务器，监控和报告。 该架构创建了如何保护虚拟机或服务（多个虚拟机的组合）的正式描述模型。 安全要求信息也可以反馈给在其自身活动中使用该信息的通用管理系统，以指导服务器上的工作负载的布置可以与安全相关。

公开(公告)号：US07882542B2

公开(公告)日：2011-02-01

申请号：US11824649

申请日：2007-06-30

申请人： John Neystadt ,  Efim Hudis ,  Yair Helman ,  Alexandra Faynburd

发明人： John Neystadt ,  Efim Hudis ,  Yair Helman ,  Alexandra Faynburd

IPC分类号： G06F15/16

CPC分类号： H04L63/1425 ,  H04L63/308

摘要： Compromised host computers in an enterprise network environment comprising a plurality of security products called endpoints are detected in an automated manner by an arrangement in which a reputation service provides updates to identify resources including website URIs (Universal Resource Identifiers) and IP addresses (collectively “resources”) whose reputations have changed and represent potential threats or adversaries to the enterprise network. Responsively to the updates, a malware analyzer, which can be configured as a standalone endpoint, or incorporated into an endpoint having anti-virus/malware detection capability, or incorporated into the reputation service, will analyze logs maintained by another endpoint (typically a firewall, router, proxy server, or gateway) to identify, in a retroactive manner over some predetermined time window, those client computers in the environment that had any past communications with a resource that is newly categorized by the reputation service as malicious. Every client computer so identified is likely to be compromised.

摘要翻译： 在企业网络环境中包含被称为端点的多个安全产品的被破坏的主计算机以自动方式被检测，其中信誉服务提供更新以识别包括网站URI（通用资源标识符）和IP地址（统称为“资源”）的资源 “），其声誉已经改变，代表企业网络的潜在威胁或对手。 响应于更新，可以配置为独立端点或并入具有防病毒/恶意软件检测功能或并入信誉服务的端点的恶意软件分析器将分析由另一个端点（通常为防火墙）维护的日志 ，路由器，代理服务器或网关）以某种预定时间窗口的追溯方式，将与信誉服务新分类的资源的任何过去通信的环境中的那些客户端计算机识别为恶意的。 如此确定的每台客户端计算机都可能受到威胁。

公开(公告)号：US20090164478A1

公开(公告)日：2009-06-25

申请号：US11959469

申请日：2007-12-19

申请人： Nissim Natanov ,  John Neystadt

发明人： Nissim Natanov ,  John Neystadt

IPC分类号： G06F7/00

CPC分类号： G06F11/3684

摘要： A test tool is provided for testing a software component. The tool receives data structured and formatted for processing by the software component. The structured data might conform to a schema defining valid inputs that the software component is able to parse/process. The test tool selects a discrete part of the structured data and fuzzes the selected discrete part. The test tool determines whether there are any parts of the structured data whose validity can be affected by fuzzing of the discrete part of the structured data. The fuzzed discrete part of the structured data is analyzed and a related part of the structured data is updated to be consistent with the fuzzed discrete part. The fuzzing tool passes the structured data with the fuzzed part and the updated part to the software component being tested. The software component is tested by having it process the data.

摘要翻译： 提供测试工具用于测试软件组件。 该工具接收由软件组件处理的结构化和格式化的数据。 结构化数据可能符合定义有效输入的模式，软件组件能够解析/处理。 测试工具选择结构化数据的离散部分并对所选择的离散部分进行模糊。 测试工具确定是否存在结构化数据的任何部分，其有效性可能受结构化数据的离散部分的模糊影响。 分析结构化数据的模糊离散部分，并将结构化数据的相关部分更新为与模糊离散部分一致。 模糊工具将具有模糊部分和更新部分的结构化数据传递到正在测试的软件组件。 软件组件通过处理数据进行测试。

公开(公告)号：US09055107B2

公开(公告)日：2015-06-09

申请号：US11607720

申请日：2006-12-01

申请人： Gennady Medvinsky ,  Nir Nice ,  Tomer Shiran ,  Alexander Teplitsky ,  Paul Leach ,  John Neystadt

发明人： Gennady Medvinsky ,  Nir Nice ,  Tomer Shiran ,  Alexander Teplitsky ,  Paul Leach ,  John Neystadt

IPC分类号： H04L29/06 ,  G06F21/33 ,  H04L9/32

CPC分类号： H04L63/166 ,  G06F21/33 ,  G06F2221/2115 ,  H04L9/3213 ,  H04L9/3263 ,  H04L9/3271 ,  H04L29/06965 ,  H04L63/0823 ,  H04L2209/38

摘要： The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.

摘要翻译： 在实体链中委托认证的方法依赖于在网关设备和用户之间记录TLS握手的至少一部分，其中用户需要访问期望的服务器。 然后，该方法依赖于在TLS握手的记录部分中重新验证加密证据，TLS握手被转发到（1）到需要访问的服务器，在这种情况下，服务器重新验证记录部分以确认认证 ，或者（2）到第三方实体，在这种情况下，第三方实体确认认证，并向网关服务器提供凭证，然后网关服务器使用凭证作为用户对服务器进行认证。

公开(公告)号：US08955108B2

公开(公告)日：2015-02-10

申请号：US12485930

申请日：2009-06-17

申请人： John Neystadt ,  R. Eric Fitzgerald ,  Leonid Verny

发明人： John Neystadt ,  R. Eric Fitzgerald ,  Leonid Verny

IPC分类号： G06F21/53 ,  G06F11/34

CPC分类号： G06F21/53 ,  G06F11/3476 ,  G06F2201/815

摘要： A security system collects an audit trail on a computer outside of a boundary created by one or more virtual machines. The security system uses a privileged virtual machine to collect audit logs for each protected virtual machine. As the protected virtual machines run, they send auditing information to the privileged virtual machine. The privileged virtual machine can collect auditing information from protected virtual machines much more quickly than a network server, as well as collecting auditing events from multiple protected virtual machines. Because the auditing destination is located on the same computer as the virtual machine monitored by the audit trail, no network dependency is present. Thus, the security system allows for monitoring the activity of administrators and other users while preventing tampering with the audit trail of each user's actions.

摘要翻译： 安全系统在由一个或多个虚拟机创建的边界之外的计算机上收集审计跟踪。 安全系统使用特权虚拟机来收集每个受保护的虚拟机的审核日志。 当受保护的虚拟机运行时，它们将审计信息发送到特权虚拟机。 特权虚拟机可以比受网络服务器更快地从受保护的虚拟机收集审核信息，以及从多个受保护的虚拟机收集审核事件。 由于审计目标位于与由审计跟踪监视的虚拟机相同的计算机上，因此不存在网络依赖关系。 因此，安全系统允许监视管理员和其他用户的活动，同时防止篡改每个用户的行为的审计跟踪。