Method and apparatus for the automatic determination of potentially worm-like behavior of a program
    3.
    Granted invention patent
    Method and apparatus for the automatic determination of potentially worm-like behavior of a program (status: in force)

    Publication number: US07996905B2

    Publication date: 2011-08-09

    Application number: US12062152

    Filing date: 2008-04-03

    IPC classification: G06F12/14 H04L29/06 G06F11/30

    CPC classification: G06F21/51

    Abstract: A method and system for the automatic determination of the behavioral profile of a program suspected of having worm-like characteristics includes analyzing data processing system resources required by the program and, if the required resources are not indicative of the program having worm-like characteristics, running the program in a controlled non-network environment while monitoring and logging accesses to system resources to determine the behavior of the program in the non-network environment. A logged record of the observed behavior is analyzed to determine if the behavior is indicative of the program having worm-like characteristics. The non-network environment may simulate the appearance of a network to the program, without emulating the operation of the network.


    Method and Apparatus for Determination of the Non-Replicative Behavior of a Malicious Program
    4.
    Invention patent application
    Method and Apparatus for Determination of the Non-Replicative Behavior of a Malicious Program (status: in force)

    Publication number: US20080256633A1

    Publication date: 2008-10-16

    Application number: US12141165

    Filing date: 2008-06-18

    IPC classification: G06F12/14

    CPC classification: G06F21/566

    Abstract: Disclosed is a method, a computer system and a computer readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for determining a non-replicative behavior of a program that is suspected of containing an undesirable software entity. The process causes execution of the program in at least one known environment and automatically examines the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program. If a change is detected, the process automatically analyzes the detected change (i.e., the process performs a side effects analysis) to determine if the change resulted from execution of the program or from execution of the undesirable software entity. The process then uses the result of the analysis at least for undoing a detected change that results from execution of the undesirable software entity. The result of the analysis can also be used for informing a user of an anti-virus system of the non-replicative changes made to the environment.


    Method and Apparatus for the Automatic Determination of Potentially Worm-Like Behavior of a Program
    5.
    Invention patent application
    Method and Apparatus for the Automatic Determination of Potentially Worm-Like Behavior of a Program (status: in force)

    Publication number: US20080189787A1

    Publication date: 2008-08-07

    Application number: US12062152

    Filing date: 2008-04-03

    IPC classification: G06F21/00

    CPC classification: G06F21/51

    Abstract: A method and system for the automatic determination of the behavioral profile of a program suspected of having worm-like characteristics includes analyzing data processing system resources required by the program and, if the required resources are not indicative of the program having worm-like characteristics, running the program in a controlled non-network environment while monitoring and logging accesses to system resources to determine the behavior of the program in the non-network environment. A logged record of the observed behavior is analyzed to determine if the behavior is indicative of the program having worm-like characteristics. The non-network environment may simulate the appearance of a network to the program, without emulating the operation of the network.


    Method and apparatus for determination of the non-replicative behavior of a malicious program
    6.
    Granted invention patent
    Method and apparatus for determination of the non-replicative behavior of a malicious program (status: in force)

    Publication number: US07861300B2

    Publication date: 2010-12-28

    Application number: US12141165

    Filing date: 2008-06-18

    IPC classification: G06F11/00

    CPC classification: G06F21/566

    Abstract: Disclosed is a method, a computer system and a computer readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for determining a non-replicative behavior of a program that is suspected of containing an undesirable software entity. The process causes execution of the program in at least one known environment and automatically examines the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program. If a change is detected, the process automatically analyzes the detected change (i.e., the process performs a side effects analysis) to determine if the change resulted from execution of the program or from execution of the undesirable software entity. The process then uses the result of the analysis at least for undoing a detected change that results from execution of the undesirable software entity. The result of the analysis can also be used for informing a user of an anti-virus system of the non-replicative changes made to the environment.


    Method and apparatus for the automatic determination of potentially worm-like behavior of a program
    7.
    Granted invention patent
    Method and apparatus for the automatic determination of potentially worm-like behavior of a program (status: in force)

    Publication number: US07487543B2

    Publication date: 2009-02-03

    Application number: US10202517

    Filing date: 2002-07-23

    CPC classification: G06F21/51

    Abstract: A method and system for the automatic determination of the behavioral profile of a program suspected of having worm-like characteristics includes analyzing data processing system resources required by the program and, if the required resources are not indicative of the program having worm-like characteristics, running the program in a controlled non-network environment while monitoring and logging accesses to system resources to determine the behavior of the program in the non-network environment. A logged record of the observed behavior is analyzed to determine if the behavior is indicative of the program having worm-like characteristics. The non-network environment may simulate the appearance of a network to the program, without emulating the operation of the network.


    Automatic immune system for computers and computer networks
    8.
    Granted invention patent
    Automatic immune system for computers and computer networks (status: expired)

    Publication number: US5440723A

    Publication date: 1995-08-08

    Application number: US4872

    Filing date: 1993-01-19

    Abstract: A method includes the following component steps, or some functional subset of these steps: (A) periodic monitoring of a data processing system (10) for anomalous behavior that may indicate the presence of an undesirable software entity such as a computer virus, worm, or Trojan Horse; (B) automatic scanning for occurrences of known types of undesirable software entities and taking remedial action if they are discovered; (C) deploying decoy programs to capture samples of unknown types of computer viruses; (D) identifying machine code portions of the captured samples which are unlikely to vary from one instance of the virus to another; (E) extracting an identifying signature from the executable code portion and adding the signature to a signature database; (F) informing neighboring data processing systems on a network of an occurrence of the undesirable software entity; and (G) generating a distress signal, if appropriate, so as to call upon an expert to resolve difficult cases. A feature of this invention is the automatic execution of the foregoing steps in response to a detection of an undesired software entity, such as a virus or a worm, within a data processing system. The automatic extraction of the identifying signature, the addition of the signature to a signature data base, and the immediate use of the signature by a scanner provides protection from subsequent infections of the system, and also a network of systems, by the same or an altered form of the undesirable software entity.


    Searching for patterns in encrypted data
    9.
    Granted invention patent
    Searching for patterns in encrypted data (status: expired)

    Publication number: US5442699A

    Publication date: 1995-08-15

    Application number: US342519

    Filing date: 1994-11-21

    IPC classification: G06F1/00 G06F21/00 G11B23/28

    CPC classification: G11B23/284 G06F21/564

    Abstract: A searching method determines, given a specified encryption method (or set of encryption methods) and a specified pattern (or set of patterns), whether a given text contains an encryption, with any key, of anything fitting the pattern or patterns. The procedure detects and locates patterns that are present within data that has been encrypted, provided that the encryption method is one of a variety of simple methods that are often employed by computer programs such as computer viruses. The method includes: 1. applying an invariance transformation to the chosen pattern (or set of patterns) to be matched, to obtain a "reduced pattern"; 2. applying the same reduction to the encrypted data to obtain "reduced data"; 3. using standard string searching techniques to detect the existence of a match between the reduced pattern and the reduced data, thereby signalling the likely existence of the pattern in encrypted form within the encrypted data; 4. corroborating any such likely matches by using techniques specialized to the particular form of encryption; and 5. providing information about the match. Depending on the nature of the encryption method and the desired degree of certainty about the match, item 4 may not be necessary. In one embodiment, the patterns and an indication of the encryption method(s) for which they are appropriate are incorporated into the database of a computer virus searcher. The searcher applies each of several different invariant transformations to the searched data (one for each encryption method of interest), and uses search techniques, such as parallel search techniques currently employed by virus searchers, to detect any patterns that may be encrypted within the searched data.


    Method for policy-based, autonomically allocated storage
    10.
    Granted invention patent
    Method for policy-based, autonomically allocated storage (status: expired)

    Publication number: US07480912B2

    Publication date: 2009-01-20

    Application number: US10449269

    Filing date: 2003-05-29

    Abstract: Methods for allocation of storage resources, performance monitoring, and reallocation of resources to eliminate hot spots, by specifying high-level goals, rather than by means of low-level manual steps. Policies are specified as administrator specified constraints under which the resources are managed. Goals are specified in terms of performance, availability, and security requirements of the desired storage. As a part of the automation, this invention provides a method for analyzing capabilities of the computer storage system and forming analysis results, which are later used for determining an allocation of resources that will meet the high-level goals specified. This invention also provides methods for automatic monitoring of performance, availability, and security goals for allocated resources. If goals are not met, resources are reallocated so that the goals can be met with the allocation. The invention reduces human involvement, allows policy control, minimizes error, and provides efficient service delivery specified by policies.
