Abstract:
The invention is a method and apparatus for detecting shellcode such that a set of computer instructions is scanned for the presence of a null operation instruction. The computer instructions are also examined for the presence of a system call instruction, and reviewed for the presence of a decoder instruction set. A null operation weight value is then determined corresponding to the null operation instruction. Also assessed is a system call weight value corresponding to the system call instruction. In addition, a decoder weight value is calculated corresponding to the decoder instruction set. The null operation weight value, the system call weight value, and the decoder weight value are then analyzed to identify a shellcode.
Abstract:
A method is provided in one example embodiment that includes generating a fingerprint based on properties extracted from data packets received over a network connection and requesting a reputation value based on the fingerprint. A policy action may be taken on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. The method may additionally include displaying information about protocols based on protocol fingerprints, and more particularly, based on fingerprints of unrecognized protocols. In yet other embodiments, the reputation value may also be based on network addresses associated with the network connection.
Abstract:
A system, method, and computer program product are provided for flagging a network flow as at least potentially unwanted. In use, a network flow is identified as utilizing an unknown protocol. Further, the network flow is flagged as at least potentially unwanted.
Abstract:
A system, method, and computer program product are provided for preventing communication of unwanted network traffic by holding only a last portion of the network traffic. In use, network traffic associated with a file transfer is received. Additionally, only a last portion of the network traffic associated with the file transfer is held for determining whether the file is unwanted. Further, the last portion of the network traffic associated with the file transfer is conditionally forwarded to a destination device, based on the determination.
Abstract:
A method is provided in one example embodiment and includes initiating an execution of a compiled script, evaluating a function called in the compiled script, detecting an execution event based on at least a first criterion, and storing information associated with the execution event in an execution event queue. The method also includes verifying a correlation signature based on information associated with at least one execution event in the execution event queue. In specific embodiments, the method includes evaluating an assignment statement of a script during compilation of the script by a compiler, detecting a compilation event based on at least a second criterion, and storing information associated with the compilation event in a compilation event queue. In yet additional embodiments, the verification of the correlation signature is based in part on information associated with one or more compilation events in the compilation event queue.
Abstract:
An apparatus, method, and computer readable storage medium are provided in one or more examples and comprise accessing an application, identifying an access token of the application, determining whether the access token is a system token, and, responsive to the access token failing to be a system token, enabling a runtime module.