公开(公告)号：WO2017147441A1

公开(公告)日：2017-08-31

申请号：PCT/US2017/019379

申请日：2017-02-24

Applicant: CYLANCE INC.

Inventor： PERMEH, Ryan ,  WOLFF, Matthew ,  ZHAO, Xuan ,  SOEDER, Derek ,  JIN, Ming

IPC: G06F21/44 ,  G06F21/50 ,  G06F21/53 ,  G06F21/56

CPC classification number: G06F21/54 ,  G06F21/44 ,  G06F21/50 ,  G06F21/53 ,  G06F21/566 ,  G06F2221/033 ,  G06N99/005

Abstract: In one aspect there is provided a method. The method may include: determining that an executable implements a sub-execution environment, the sub-execution environment being configured to receive an input, and the input triggering at least one event at the sub-execution environment; intercepting the event at the sub-execution environment; and applying a security policy to the intercepted event, the applying of the policy comprises blocking the event, when the event is determined to be a prohibited event. Systems and articles of manufacture, including computer program products, are also provided.

Abstract translation: 在一个方面，提供了一种方法。 所述方法可以包括：确定可执行程序实现子执行环境，所述子执行环境被配置为接收输入，并且所述输入在所述子执行环境下触发至少一个事件; 在子执行环境中拦截事件; 并且将所述安全策略应用于所截取的事件，则当所述事件被确定为禁止事件时，所述策略的应用包括阻止所述事件。 还提供系统和制造产品，包括计算机程序产品。

公开(公告)号：WO2018200458A1

公开(公告)日：2018-11-01

申请号：PCT/US2018/029051

申请日：2018-04-24

Applicant: CYLANCE INC.

Inventor： STRONG, Homer, Valentine ,  PERMEH, Ryan ,  OSWALD, Samuel, John

IPC: G06F21/55

Abstract: An endpoint computer system monitors data relating to a plurality of events occurring within an operating environment of the endpoint computer system. The monitoring can include receiving and/or inferring the data using one or more sensors executing on the endpoint computer system. The endpoint computer system can store artifacts used in connection with the plurality of events in a vault maintained on such endpoint computer system. The endpoint computer system, in response to a trigger, identifies and retrieves metadata characterizing artifacts associated with the trigger from the vault. Such identified and retrieved metadata is then provided by the endpoint computer system to a remote server.

公开(公告)号：WO2018200451A1

公开(公告)日：2018-11-01

申请号：PCT/US2018/029041

申请日：2018-04-24

Applicant: CYLANCE INC.

Inventor： STRONG, Homer, Valentine ,  PERMEH, Ryan ,  OSWALD, Samuel, John

IPC: G06F21/55

Abstract: Each of a plurality of endpoint computer systems monitors data relating to a plurality of events occurring within an operating environment of the corresponding endpoint computer system. The monitoring can include receiving and/or inferring the data using one or more sensors executing on the endpoint computer systems Thereafter, for each endpoint computer system, artifacts used in connection with the events are stored in a vault maintained on such endpoint computer system. A query is later received by at least a subset of the plurality of endpoint computer systems from a server. Such endpoint computer systems, in response, identify and retrieve artifacts within the corresponding vaults response to the query. Results responsive to the query including or characterizing the identified artifacts is then provided by the endpoint computer systems receiving the query to the server.

公开(公告)号：WO2017147300A1

公开(公告)日：2017-08-31

申请号：PCT/US2017/019142

申请日：2017-02-23

Applicant: CYLANCE INC.

Inventor： PERMEH, Ryan ,  WOLFF, Matthew ,  OSWALD, Samuel, John ,  ZHAO, Xuan ,  CULLEY, Mark ,  POLSON, Steve

IPC: G06F21/55 ,  G06F21/64

CPC classification number: G06F21/56 ,  G06F21/552 ,  G06F21/554 ,  G06F21/64 ,  G06F2221/2101 ,  G06N5/04 ,  G06N99/005 ,  H04L9/30

Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.

Abstract translation: 端点计算机系统可以收集与在端点计算机系统的操作环境内发生的多个事件有关的数据，并且可以将收获的数据添加到保持在端点计算机系统上的本地数据存储。 查询响应可以生成，例如通过识别和检索来自本地数据存储的响应数据。 响应数据与端点计算机系统上的人工产物和/或多个事件中的事件有关。 在一些示例中，本地数据存储可以是审计日志和/或可以包括一个或多个防篡改特征。 描述系统，方法和计算机程序产品。

公开(公告)号：WO2016168690A1

公开(公告)日：2016-10-20

申请号：PCT/US2016/027885

申请日：2016-04-15

Applicant: CYLANCE INC.

Inventor： DAVIS, Andrew ,  WOLFF, Matthew ,  SOEDER, Derek, A. ,  CHISHOLM, Glenn ,  PERMEH, Ryan

IPC: G06N3/10 ,  G06F21/56 ,  G06N3/02

CPC classification number: G06F21/566 ,  G06F21/564 ,  G06N3/04 ,  G06N3/0445 ,  G06N3/08 ,  G06N3/084

Abstract: Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN, and then extracting a final hidden state hh where i is the number of instructions of the sample. This resulting feature vector may then be concatenated with the other hand-engineered features, and a larger classifier may then be trained on hand- engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.

Abstract translation: 使用经过训练达到令人满意的性能水平的循环神经网络（RNN），可以通过运行样本通过RNN提取高度辨别特征，然后提取最终隐藏状态hh，其中i是指令的指令数 样品。 然后可以将所得到的特征向量与其他手工设计特征相连接，然后可以对手工设计的以及自动确定的特征来训练较大的分类器。 还描述了相关设备，系统，技术和物品。

公开(公告)号：WO2017147072A1

公开(公告)日：2017-08-31

申请号：PCT/US2017/018723

申请日：2017-02-21

Applicant: CYLANCE INC.

Inventor： PERMEH, Ryan ,  SOEDER, Derek A. ,  WOLFF, Matthew ,  JIN, Ming ,  ZHAO, Xuan

IPC: G06F21/56 ,  G06F21/53 ,  H04L29/06

CPC classification number: G06F21/51 ,  G06F21/53 ,  G06F21/56 ,  G06F21/562 ,  G06F21/566 ,  G06F2221/033 ,  G06N99/005 ,  H04L63/0227 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/145

Abstract: Determining, by a machine learning model in an isolated operating environment, whether a file is safe for processing by a primary operating environment. The file is provided, when the determining indicates the file is safe for processing, to the primary operating environment for processing by the primary operating environment. When the determining indicates the file is unsafe for processing, the file is prevented from being processed by the primary operating environment. The isolated operating environment can be maintained on an isolated computing system remote from a primary computing system maintaining the primary operating system. The isolating computing system and the primary operating system can communicate over a cloud network.

Abstract translation: 通过隔离的操作环境中的机器学习模型来确定文件是否对主操作环境的处理是安全的。 当确定指示文件对于处理是安全的时，文件被提供给主操作环境以供主操作环境处理。 当确定指示文件不安全处理时，阻止文件由主操作环境处理。 隔离的操作环境可以维护在远离维护主操作系统的主计算系统的隔离计算系统上。 隔离计算系统和主操作系统可以通过云网络进行通信。

公开(公告)号：WO2015120243A1

公开(公告)日：2015-08-13

申请号：PCT/US2015/014769

申请日：2015-02-06

Applicant: CYLANCE INC.

Inventor： PERMEH, Ryan ,  SOEDER, Derek, A. ,  CHISHOLM, Glenn ,  RUSSELL, Braden ,  GOLOMB, Gary ,  WOLFF, Matthew ,  KUKKONEN, Carl A.

IPC: G06N99/00 ,  G06F21/12 ,  G06F21/51

CPC classification number: G06F21/51 ,  G06F21/52 ,  G06F21/566 ,  G06F2221/033 ,  G06F2221/2115 ,  G06F2221/2125 ,  G06N99/005 ,  H04L63/12 ,  H04L63/1441

Abstract: Described are techniques to enable computers to efficiently determine if they should run a program based on an immediate (i.e., real-time, etc.) analysis of the program. Such an approach leverages highly trained ensemble machine learning algorithms to create a real-time discernment on a combination of static and dynamic features collected from the program, the computer's current environment, and external factors. Related apparatus, systems, techniques and articles are also described.

Abstract translation: 描述的是使计算机有效地确定它们是否应该基于程序的即时（即实时等）分析来运行程序的技术。 这种方法利用高度训练有素的综合机器学习算法来创建从程序，计算机当前环境和外部因素收集的静态和动态特征的组合的实时辨别。 还描述了相关设备，系统，技术和物品。

公开(公告)号：WO2017193036A1

公开(公告)日：2017-11-09

申请号：PCT/US2017/031362

申请日：2017-05-05

Applicant: CYLANCE INC.

Inventor： ZHAO, Xuan ,  KAPOOR, Aditya ,  WOLFF, Matthew ,  DAVIS, Andrew ,  SOEDER, Derek ,  PERMEH, Ryan

IPC: G06F21/56 ,  G06F21/55 ,  H04L29/06 ,  G06N3/08

CPC classification number: G06F21/562 ,  G06F21/554 ,  G06F2221/034 ,  G06N3/0454 ,  G06N3/084 ,  G06N5/025 ,  G06N7/005 ,  H04L63/1416 ,  H04L63/145

Abstract: In some implementations there may be provided a system. The system may include a processor and a memory. The memory may include program code which causes operations when executed by the processor. The operations may include analyzing a series of events contained in received data. The series of events may include events that occur during the execution of a data object. The series of events may be analyzed to at least extract, from the series of events, subsequences of events. A machine learning model may determine a classification for the received data. The machine learning model may classify the received data based at least on whether the subsequences of events are malicious. The classification indicative of whether the received data is malicious may be provided. Related methods and articles of manufacture, including computer program products, are also disclosed.

Abstract translation: 在一些实现中，可以提供一种系统。 该系统可以包括处理器和存储器。 存储器可以包括当由处理器执行时引起操作的程序代码。 操作可以包括分析包含在接收到的数据中的一系列事件。 这一系列事件可能包括执行数据对象期间发生的事件。 可以分析一系列事件以至少从一系列事件中提取事件的子序列。 机器学习模型可以确定接收到的数据的分类。 机器学习模型可以至少基于事件的子序列是否是恶意的来对接收到的数据进行分类。 可以提供指示接收到的数据是否恶意的分类。 还公开了相关方法和制造产品，包括计算机程序产品。

公开(公告)号：WO2015117012A1

公开(公告)日：2015-08-06

申请号：PCT/US2015/013933

申请日：2015-01-30

Applicant: CYLANCE INC.

Inventor： SOEDER, Derek, A. ,  PERMEH, Ryan ,  GOLOMB, Gary ,  WOLFF, Matthew

IPC: G06F21/50

CPC classification number: G06F17/30076 ,  G06F11/36 ,  G06F11/3604 ,  G06F17/2705 ,  G06F17/30233 ,  G06F21/562

Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.

Abstract translation: 收到或访问的数据包括封装执行环境所需的数据的结构化文件，以管理包含在结构化文件中的可执行代码。 此后，在结构化文件中迭代地识别代码和数据区域。 分析这样的识别，使得可以从结构化文件中提取至少一个特征。 还描述了相关设备，系统，技术和物品。

公开(公告)号：WO2014210050A1

公开(公告)日：2014-12-31

申请号：PCT/US2014/043934

申请日：2014-06-24

Applicant: CYLANCE INC.

Inventor： PERMEH, Ryan ,  MCCLURE, Stuart ,  WOLFF, Matthew ,  GOLOMB, Gary ,  SOEDER, Derek, A. ,  LEVITES, Seagen ,  O'DEA, Michael ,  ACEVEDO, Gabriel ,  CHISHOLM, Glenn

IPC: G06F9/50

CPC classification number: G06N99/005 ,  G06F9/5038 ,  G06F2209/5011 ,  G06N5/02

Abstract: A sample of data is placed within a directed graph that comprises a plurality of hierarchical nodes that form a queue of work items for a particular worker class that are used to process the sample of data. Subsequently, work items are scheduled within the queue for each of a plurality of workers by traversing the nodes of the directed graph. The work items are then served to the workers according to the queue. Results can later be received from the workers for the work items (the nodes of the directed graph are traversed based on the received results). In addition, in some variations, the results can be classified so that one or models can be generated. Related systems, methods, and computer program products are also described.

Abstract translation: 数据样本被放置在有向图中，该有向图包括形成用于处理数据样本的特定工人类的工作项队列的多个分层节点。 随后，通过遍历有向图的节点，在多个工作者中的每一个的队列内调度工作项。 然后将工作项目按照队列送达工作人员。 以后可以从工作人员收到工作项目的结果（有向图的节点根据收到的结果进行遍历）。 另外，在一些变型中，可以对结果进行分类，以便生成一个或多个模型。 还描述了相关系统，方法和计算机程序产品。