Total found: 11049. Showing 200.
Publication date: 10-04-2016

SYSTEM AND METHOD FOR DETERMINING THE TRUST CATEGORY OF AN APPLICATION

Number: RU2580032C2

The invention relates to information security. The technical result is determining the trust category of an application that has overlaid a protected application. The system for determining an application's trust category comprises: a monitoring module of the protected application for detecting that an interface element of the protected application has been overlaid by an interface element of another application; a collection module of the protected application for gathering information about the application whose interface element overlaid the interface element of the protected application; an analysis module of the protected application for determining the trust category of the application that overlaid the interface of the protected application; and a database for storing the danger status of applications. 2 independent and 16 dependent claims, 5 figures.

Publication date: 29-07-2020

Method for blocking network connections

Number: RU2728506C2

The invention relates to computing. The technical result is blocking network connections in real time based on a comparison of digital certificates, achieved by the method for blocking network connections in real time. In the method, a certificate is intercepted at the moment a secure connection is being established; the similarity of the intercepted certificate to prohibited certificates is determined, where a certificate is deemed similar if it can be mapped onto the set of prohibited certificates, the mapping being checked by applying a rule formed from the common features of prohibited certificates obtained by clustering the set of prohibited certificates; and the connection being established is blocked if, as a result of the similarity determination, the intercepted certificate is deemed similar to the prohibited certificates. 2 independent and 4 dependent claims, 7 figures.

Publication date: 03-08-2017

CODE EXECUTION PROFILING

Number: RU2627107C2
Assignee: МАКАФИ, ИНК. (US)

The invention relates to computer security. The technical result is providing a new system and a new method for detecting malware that cannot be detected by known systems and methods, in order to protect an electronic device. The system for protecting an electronic device comprises a set of malware access rule logic, comprising: identification of a plurality of objects of the electronic device to be monitored; identification of one or more operations between the objects to be monitored; and identification of a pattern of operations to be monitored; a processor configured to generate, based on the set of malware access rule logic, a notification that one of the operations to be monitored has been performed; and an anti-malware module configured to determine, based on the notification and the pattern of observed operations, whether the operations to be ...

Publication date: 10-02-2015

SYSTEM AND METHOD FOR DETECTING MALICIOUS EXECUTABLE FILES BASED ON THE SIMILARITY OF EXECUTABLE FILE RESOURCES

Number: RU2541120C2

The invention relates to computing. The technical result is improved efficiency of detecting malicious executable files. The system for detecting malicious executable files based on the similarity of executable file resources comprises: a resource processing module for determining the kind of the executable file and at least one resource type corresponding to the determined kind, extracting at least one resource of the determined type from the executable file using the resource processing module, converting at least one extracted resource of the determined type into a comparison format and passing it to a comparison module; a comparison module for computing the degree of similarity of at least one extracted resource of the determined type to resources of that type taken from the resources of known malicious executable files in a resource database, using comparison algorithms for the respective resource types, and passing the computed degree of similarity ...

Publication date: 10-06-2015

SYSTEM AND METHOD FOR SAVING THE STATE OF AN EMULATOR AND SUBSEQUENTLY RESTORING IT

Number: RU2553056C2

The invention relates to anti-virus solutions, and more specifically to methods for saving the state of an emulator and subsequently restoring it. The technical result is reducing the time needed to emulate a file by loading the required emulator state images and bypassing anti-emulation techniques during file emulation. A file is received for emulation. It is checked whether the emulation is being performed for the first time. An emulator state image is determined, including at least an image of the emulated system, which is loaded into the emulator for subsequent emulation of the file. The file is emulated. Emulator state images are created, each including at least an image of the emulated system. The file emulation is checked for abnormal termination. The required emulator state image is selected for continuing the emulation if the file emulation terminated abnormally. The selected emulator state image is loaded to continue emulating the file. 2 independent and 12 dependent claims, 6 figures.

Publication date: 18-02-2020

DUAL MEMORY INTROSPECTION FOR PROTECTING MULTIPLE NETWORK ENDPOINTS

Number: RU2714607C2

The invention relates to computing. The technical result is protecting a hardware virtualization environment from computer security threats. The technical result is achieved by a client system configured to run a hypervisor, a real-time introspection module and an on-demand introspection module, wherein: the hypervisor is configured to expose a guest virtual machine (VM) and a security VM distinct from the guest VM; the real-time introspection module is configured, in response to detecting the occurrence of an event, to send an indicator of the event to a server computer system; the on-demand introspection module is configured, in response to receiving an analysis request, to identify a security tool according to the analysis request and, in response to identifying the security tool, to selectively retrieve the security tool ...

Publication date: 10-05-2016

METHOD FOR DEFERRED ELIMINATION OF MALICIOUS CODE

Number: RU2583711C2

The invention relates to anti-virus technologies, and more specifically to systems and methods for deferred elimination of malicious code. The technical result of the invention is disinfecting malware that resists disinfection. The technical result is achieved by a method for disinfecting detected malicious objects, in which malicious objects are detected on a computer and at least one task for disinfecting the detected malicious objects is formed, the task being written in a scripting language. The formed task for disinfecting the detected malicious objects is written to a designated registry branch before the computer is rebooted, the integrity of the task is checked, and the computer is rebooted. A driver is loaded to perform at least one task for disinfecting the detected malicious objects, together with an operating system driver that allows the disinfection task for the detected ...

Publication date: 20-03-2014

METHOD FOR DETECTING MALICIOUS SOFTWARE IN THE OPERATING SYSTEM KERNEL

Number: RU2510075C2

The invention relates to computing and to the information security of automated and information-computing systems, in particular to means of detecting malicious software. The technical result is improved efficiency of malware detection by making it possible to detect illegitimate hooks and code modifications in the OS kernel and loadable kernel modules. The method is implemented on a computer with an operating system (OS) installed and consists in setting a breakpoint, when a user application makes a system call, on the transfer of control to an address in the kernel of the loaded OS, and checking the data structures of the loaded OS by performing the following actions: determining the address of the instruction in the computer's RAM to which control will be transferred during the system call; checking whether the addresses of the instructions executed during the system call belong to the normal range ...

Publication date: 10-07-2016

SYSTEM AND METHOD FOR EVALUATING RESOURCES IN A COMPUTER NETWORK FROM THE STANDPOINT OF OBJECTS OF INTEREST

Number: RU2589863C2

The invention relates to evaluating the computer resources of a computer network by objects of interest, taking into account requirements on the computer systems that host the computer resources and requirements on the objects of interest as the content of those computer resources. The technical result of the invention is making it possible to identify computer resources within a computer network that are suitable for the purposes defined by the selected requirements. The method for identifying computer resources in a computer network comprises the steps of: a) forming, using a computer network inventory module, a list of computer resources located on computer systems that satisfy the requirements on computer systems, where the computer network consists of at least two computer systems and the requirements on computer systems are stored in the computer-system requirements database of a requirements storage module; b) collecting, using the computer network inventory ...

Publication date: 19-02-2018

System and method for blocking application interface elements

Number: RU2645265C2

The invention relates to a system and method for restricting access to applications. The technical result of the invention is restricting access to the interface of an unwanted application. This technical result is achieved by blocking an unwanted interface element of the active application by overlaying it. During the overlay, a new graphical element is drawn on top of the unwanted interface element of the active application on the mobile device. 2 independent claims, 3 figures.

Publication date: 19-02-2018

COMPLEX CLASSIFICATION FOR DETECTING MALWARE

Number: RU2645268C2

The invention relates to protecting computer systems from malware. The technical result is determining whether a software entity is malicious based on a plurality of evaluation scores for that entity, which makes it possible to build a more reliable anti-malware solution than comparable conventional solutions. Disclosed is a host system for identifying a malicious software entity, comprising a memory unit storing instructions which, when executed by at least one hardware processor of the host system, cause the host system to run an entity manager, an entity evaluator and a classification engine, wherein: the entity manager is configured to manage a collection of software entities under evaluation, where managing the collection comprises: identifying a set of descendant entities of a first entity of the collection; determining whether the first entity has terminated; in response, when the first entity has terminated, determining ...

Publication date: 24-10-2017

System and method for detecting a malicious application by intercepting access to information displayed to the user

Number: RU2634176C1

The invention relates to protecting application data, namely to systems and methods for detecting a malicious application by intercepting access to information displayed to the user. The technical result of the invention is improved security of the user's computing device, achieved by detecting the malicious application from which a process accessing the information displayed to the user of the computing device was launched. Disclosed is a method for detecting a malicious application on a user's computing device, according to which: a. an interception module intercepts a process's access to the information displayed to the user in order to determine at least: information about the process accessing the information displayed to the user, said information including at least the process identifier (PID); the area of the computing device's display on which the user is shown ...

Publication date: 26-07-2017

Method for detecting fraudulent activity on a user's device

Number: RU2626337C1

The invention relates to protection against computer threats, namely to methods for detecting fraudulent activity on a user's device. The technical result of the invention is protecting a remote banking server from fraudulent activity, achieved by blocking the interaction of the user's device with the remote banking server if fraudulent activity was detected during that interaction. The method for detecting fraudulent activity on a user's device during the interaction of the user's computing device with a remote banking server comprises the steps of: a) collecting, using a behaviour determination module, data on the user's behaviour during the user's interaction with at least one group of graphical interface elements of the application that are used to interact with the remote banking server, where the purpose of the interaction ...

Publication date: 24-10-2017

System and method for blocking access to protected applications

Number: RU2634168C1

The invention relates to protecting application data, namely to systems and methods for blocking access to information displayed to the user. The technical result is improved security of the user's computing device, achieved by blocking a process's access to the information displayed to the user. Disclosed is a method for blocking access to information displayed to the user, according to which: a. an activity monitoring module computes confidentiality coefficients for the graphical interface elements of the processes running on the computing device; b. an interception module intercepts a process's access to the information displayed to the user in order to determine at least: information about the process accessing the information displayed to the user, said information including at least the process identifier (PID); the area of the computing device's display on which the user is shown ...

Publication date: 30-12-2019

Number: RU2018123690A3

Publication date: 20-08-2018

Number: RU2017105407A3

Publication date: 30-12-2019

Number: RU2018123699A3

Publication date: 06-08-2019

Number: RU2018104432A3

Publication date: 21-08-2019

System and method for terminating a functionally limited, website-associated application that runs without installation

Number: RU2697951C2

The invention relates to a system and method for terminating a functionally limited application, associated with a website, that runs without installation. The technical result is preventing the use of applications containing malicious code that run without installation. This technical result is achieved by checking the full-featured installable application, associated with the website, that corresponds to the functionally limited application running without installation, and terminating the launch of the functionally limited application running without installation when malicious code is detected. 2 independent and 12 dependent claims, 4 figures.

Publication date: 30-06-2021

System and method for determining the trust level of a file

Number: RU2750628C2

The invention relates to computer security. The technical result is improved quality of classification of trusted software. In one embodiment, a method for determining the trust level of files is used, in which: the names of files located at specified paths on a specified share of user devices are selected; a file group is formed from two files that have stable names and are components of the same application; for each group, the developer with whose private key a file of the group is signed is determined; for each group, the trust level is determined for all files of the group based on the verdicts of third-party services assigned to the files of the group, and also based on the verdicts of third-party services assigned to a file on user devices that does not belong to the group and is signed with the private key of the dominant developer, or based on the verdicts of third-party services assigned to the files of another group ...

Publication date: 08-12-2017

System and method for detecting malicious code in a file

Number: RU2637997C1

The invention relates to systems and methods for detecting malicious code in a file. The technical result is improved detection of malicious code in a file compared with existing malicious code detection methods. The method for detecting malicious code in a file comprises: executing a process launched from the file in a sandbox; intercepting API function calls; sequentially writing records of the intercepted API function calls to a first log and saving a memory dump of the process to a dump database; repeating the preceding operations until an exit condition is met; identifying in the first log at least one signature of a first type from among the signatures of the first type; after a signature of the first type is identified, passing at least one memory dump saved in the dump database to an emulator for execution; while the process executes in the emulator, sequentially writing to a second log records containing information about API function calls; detecting malicious code in the file ...

Publication date: 27-04-2014

METHOD FOR IMPROVING THE EFFICIENCY OF HARDWARE-ACCELERATED APPLICATION EMULATION

Number: RU2514142C1

The invention relates to application emulation. The technical result is improved efficiency of hardware-accelerated application emulation. In one embodiment, a method is proposed for accelerating the emulation of a process launched from an executable file, comprising the following steps: the execution of the file is emulated instruction by instruction; when the condition for starting the emulator's hardware accelerator is met, the emulation of the file's execution is handed over to the hardware accelerator; the file is executed instruction by instruction by the hardware accelerator until an exception is raised or an API function is called; the emulation of the file's execution is handed back to the emulator; the efficiency of executing the file instruction by instruction in the hardware accelerator is evaluated; the condition for starting the emulator's hardware accelerator is changed depending on the obtained efficiency value; the above steps are repeated at least twice. 2 dependent claims, 5 figures.

Publication date: 26-02-2019

SERVER AND METHOD FOR DETECTING MALICIOUS FILES IN NETWORK TRAFFIC

Number: RU2680736C1

The invention relates to information security, namely to detecting malicious files in network traffic. The technical result is more efficient use of computing resources while providing automated protection. The server for detecting malicious files in network traffic comprises: a communication module configured to receive network traffic from a data transmission network; a filtering module configured to connect to the communication module in order to receive the captured network traffic from it, extract a plurality of files from the received network traffic, and analyse the extracted files so as to identify at least one suspicious file among the plurality of files; and a system monitoring module, connected to the filtering module, configured to run each received suspicious file on a virtual machine characterised by a specified set of state parameters, registering changes in the specified set of parameters ...

Publication date: 26-02-2019

CASCADE CLASSIFIER FOR COMPUTER SECURITY APPLICATIONS

Number: RU2680738C1

The invention relates to computer security. The technical result is fast processing of large volumes of training data with a minimal rate of false positives. The computer system for training a classifier to determine whether a target object represents a computer security threat comprises a hardware processor and a memory device, the hardware processor being configured to apply a trained cascade of classifiers to determine whether the target object represents a computer security threat, wherein the cascade of classifiers is trained on a training corpus of records, the training corpus being pre-classified into at least a first class and a second class of records, and, in response to training the classifiers, a set of records is removed from the training corpus to create a reduced training corpus. 3 independent and 18 dependent claims, 17 figures.

Publication date: 05-12-2019

Method for detecting malicious files that resist analysis in an isolated environment

Number: RU2708355C1

The invention relates to a method for classifying a file as malicious. The technical result is expanding the arsenal of means for classifying as malicious those files that use techniques to resist analysis in an isolated environment. In the method: a security module opens the file in a virtual machine serving as an environment for the safe execution of files; a hypervisor interception module forms a log in which the events occurring during the execution of at least one thread of the process created when the file was opened in said virtual machine are saved; the security module forms from the log a behaviour template consisting of the security-relevant events; the security module monitors the events occurring during the execution of at least one thread of the process created when the file is opened on the computer system; the security module classifies the file as malicious upon detecting at least one ...

Publication date: 06-02-2019

METHOD FOR BEHAVIOURAL DETECTION OF MALWARE USING AN INTERPRETER VIRTUAL MACHINE

Number: RU2679175C1

The invention relates to protecting computer systems from malicious software. The technical result is more effective protection of computer systems from malware. The client system for protecting computer systems from malware comprises a hardware processor configured to form a routine dispatcher, a bytecode translation virtual machine and a behaviour evaluation subsystem, wherein the routine dispatcher is configured, in response to detecting the occurrence of a trigger event, to select for execution an anti-malware bytecode routine from a plurality of anti-malware bytecode routines; the bytecode translation virtual machine is configured to execute the anti-malware bytecode routine to determine whether the occurrence of the trigger event is indicative of malware, wherein executing the anti-malware bytecode routine comprises translating a set of bytecode instructions of the anti-malware ...

Publication date: 27-02-2008

METHOD FOR REDUCING THE TIME AN EXECUTABLE FILE TAKES TO PASS THROUGH A CHECKPOINT

Number: RU2006128585A

... 1. A method for reducing the time an executable file takes to pass through a checkpoint at which the integrity of said executable file is checked, the method comprising the steps of: receiving and accumulating at least one part of said executable file that reaches said checkpoint; checking the integrity of said at least one part of said executable file; releasing at least one accumulated part whose integrity has been verified to the destination address in an accelerated manner; releasing and sending at least one accumulated part to the destination address in a slowed manner; and, upon an indication that said at least one part lacks integrity, performing an alerting procedure.
2. The method according to claim 1, in which said slowed sending is performed by means of operations selected from the group consisting of: splitting the packets to be sent into smaller packets, thereby increasing the transmission overhead ...

Publication date: 20-11-2016

Method for launching a browser in protected mode

Number: RU2015115352A

... 1. A method for launching a browser in protected mode, in which: a) a security application intercepts at least one browser request to a server for which the browser must be launched in protected mode; b) it is determined that the server's response is a web page; c) a script is executed that checks whether the web page is displayed to the user and that contains the intercepted request; d) whether the web page is displayed to the user is determined using at least one criterion; e) based on the result of determining whether the web page is displayed to the user, the security application launches the browser in protected mode and opens in it the web page from the request contained in the script.
2. The method according to claim 1, in which the browser must be launched in protected mode for requests to servers that perform online transactions.
3. The method according to claim 1, in which the criterion for determining whether the page is displayed to the user is the page being displayed in the active window.
4 ...

Publication date: 27-06-2014

SYSTEM AND METHOD FOR FORMING APPLICATION BEHAVIOUR MODEL SCENARIOS

Number: RU2012156446A

... 1. A method for creating behaviour model scenarios based on security rating rules, the method consisting of the steps of: a) identifying problematic rules that fire on both malicious and safe applications; b) for a problematic rule, selecting the group of applications for which this rule fires; c) finding at least one rule, different from the problematic rule, whose firing together with the firing of the problematic rule makes it possible to single out from the selected group of applications only malicious or only safe applications; d) forming a behaviour model scenario based on the problematic rule and at least one found rule, different from the problematic rule, whose firing together with the firing of the problematic rule makes it possible to single out from the selected group of applications only malicious or only safe applications.
2. The method according to claim 1, in which refining features are additionally identified for the formed scenario ...

Publication date: 11-12-2020

METHOD AND SYSTEM FOR FINDING SIMILAR MALWARE BASED ON THE RESULTS OF ITS DYNAMIC ANALYSIS

Number: RU2738344C1

The invention relates to computing. The technical result is improved accuracy in attributing malware to a known malware family. The computer-implemented method for finding similar malware based on the results of its dynamic analysis comprises a preparatory stage of: analysing a malicious program in an isolated environment; recording the actions performed by the malicious program in a behavioural report; partitioning the accumulated behavioural reports so that each group contains reports that include similar actions and belong to the same known malware family; creating a feature vector for the given known malware family from selected fields of the behavioural report; training a binary classifier on each of the resulting feature vectors; creating an ensemble of binary classifiers from the previously trained binary classifiers; and a working stage of: analysing a malicious program; recording ...

Publication date: 03-07-2018

System and method for managing computing resources for detecting malicious files

Number: RU2659737C1

The invention relates to anti-virus technologies. The technical result is managing computing resources for detecting malicious files. Disclosed is a system for managing computing resources for detecting malicious files, comprising: a) a behaviour log analysis module intended for: forming at least one behaviour template based on the commands and parameters selected from the created behaviour log of applications executing on the computing device (hereinafter, applications), the behaviour template being a set of at least one command and a parameter that describes all commands of that set; computing a convolution of the formed behaviour template; passing the computed convolution to a maliciousness degree computation module; b) a maliciousness degree computation module intended for: computing the degree of maliciousness of applications based on an analysis of the received convolution using a malware detection model ...

Publication date: 17-02-2017

CODE EXECUTION PROFILING

Number: RU2015134147A

Publication date: 10-10-2012

HEURISTIC METHOD FOR CODE ANALYSIS

Number: RU2011111535A

... 1. A method for detecting malware in a computing device, comprising the steps of: analysing, by a processor of the computing device, a program comprising a sequence of program instructions stored on a machine-readable medium operably connected to the processor; determining, by the processor, whether or not each instruction in the sequence satisfies any criterion from a group of suspiciousness criteria; assigning, by the processor, an instruction-level score to each instruction that satisfies any of the suspiciousness criteria; summing, by the processor, the instruction-level scores of each such instruction to obtain a program-level score; determining, by the processor, whether or not the program-level score exceeds a threshold; and, if the program-level score ...

27-10-2015 дата публикации

СИСТЕМА И СПОСОБ РАСПРЕДЕЛЕНИЯ ЗАДАЧ АНТИВИРУСНОЙ ПРОВЕРКИ МЕЖДУ ВИРТУАЛЬНЫМИ МАШИНАМИ В ВИРТУАЛЬНОЙ СЕТИ

Номер: RU2014115456A
Принадлежит:

... 1. A system for distributing an antivirus scanning task among components of an antivirus system located in a virtual environment, comprising:
a) at least two virtual machines deployed on one computer device that contains a virtual machine monitor;
b) an antivirus agent installed on the first virtual machine and intended for:
- detecting events occurring in the operating system of that virtual machine,
- determining the object and the type of object related to the detected event,
- determining whether an antivirus scan is needed in accordance with the determined information,
- transmitting the above information to the management means,
- performing the antivirus scanning task on objects using the assigned antivirus scanning methods according to the request received from the management means;
c) an antivirus means installed on the second virtual machine, intended for performing the antivirus scanning task and interacting with the means ...

Publication date: 20-12-2014

SYSTEM AND METHOD FOR DETECTING MALICIOUS EXECUTABLE FILES BASED ON THE SIMILARITY OF EXECUTABLE FILE RESOURCES

Number: RU2013125979A

... 1. A system for detecting malicious executable files on the basis of the similarity of executable file resources, comprising:
a) a resource processing means, intended for extracting the resources of the executable file under analysis and transmitting them to the comparison means;
b) a comparison means, intended for searching for similarity between the resources of the executable file under analysis and known resources of malicious executable files from the resource database, and for determining and transmitting the similarity search result to the verification means;
c) a resource database, intended for storing known resources of malicious executable files;
d) a verification means, intended for determining whether the executable file under analysis is malicious on the basis of the result of the similarity search between the resources of the file under analysis and known resources of malicious executable files, using determination rules stored in the rule database;
e) a rule database, intended for storing rules for determining whether ...

Publication date: 10-06-2015

SYSTEM AND METHOD FOR BLOCKING APPLICATION INTERFACE ELEMENTS

Number: RU2013153762A

... 1. A system for blocking application interface elements, comprising:
a) at least one active application that has an interface;
b) an analysis means, intended for determining that at least one interface element of an active application of a mobile device is displayed, determining that the displayed interface element of the active application of the mobile device is undesirable by comparing the displayed element of the active application with known undesirable application interface elements from the database of undesirable interface elements, and, upon detection of an undesirable application interface element on the mobile device, transmitting information about the undesirable interface element of the active application of the mobile device to the overlay means;
c) a database of undesirable interface elements, intended for storing samples and parameters of known undesirable application interface elements;
d) an overlay means, intended for blocking the undesirable ...

Publication date: 27-06-2016

System and method for restricting the operation of trusted applications in the presence of suspicious applications

Number: RU2014148962A

... 1. A system for restricting the operation of trusted applications in the presence of suspicious applications, comprising:
a) an analysis means, intended for:
- identifying, among the installed applications, a trusted application whose operation produces information to be protected,
- collecting data on the installed applications,
- transmitting the data on the trusted application and the installed applications to the determination means;
b) a determination means, intended for detecting at least one suspicious application that is capable of processing the protected information without authorisation, on the basis of the data on the trusted application and the installed applications and using rules for detecting suspicious applications, and for transmitting the detection result to the restriction means;
c) a rule database, intended for storing rules for detecting suspicious applications;
d) a blocking means, intended for restricting the operation of the trusted application whose operation ...

Publication date: 03-01-2002

Method and apparatus for detecting computer viruses

Number: DE0069427252T2
Assignee: CHAMBERS DAVID ALAN, CHAMBERS, DAVID ALAN

Publication date: 16-02-2017

DATA PROCESSING DEVICE AND METHOD FOR SECURING A DATA PROCESSING DEVICE AGAINST ATTACKS

Number: DE102015113468A1

According to one embodiment, a data processing device is described comprising an instruction memory that stores a computer program, a processing unit that executes the computer program, an encryption device configured, upon a call to a subroutine, to encrypt a return address and to place the encrypted return address on a call stack, and a decryption device that, after execution of the subroutine, reads the encrypted return address from the call stack, decrypts it and sets a program counter on the basis of the decrypted return address.

Publication date: 09-08-2007

Method and device for detecting a pirated copy

Number: DE102006004240A1

The invention relates to a method for detecting a pirated copy, in which a first piece of software comprises a copy of at least part of a second piece of software. The following steps are carried out: the first software is executed, and for each write and/or read operation of a parameter group of a procedure instance to and/or from a stack memory that takes place during a procedure change, at least one parameter characteristic of that write and/or read operation is recorded in a first document in the chronological order in which the write and/or read operations occur; the second software is executed, and for each write and/or read operation of a parameter group of a procedure instance to or from a stack memory that takes place during a procedure change, at least one parameter characteristic of that write and/or read operation is recorded in a chronological ...

Publication date: 15-07-2010

Tamper resistance of a terminal device

Number: DE102009004430A1

In a method, executed on a portable data carrier (20), for checking the tamper resistance of a terminal device (10) to which the data carrier (20) is connected as a transaction unit (23) capable of providing the terminal device (10) with a secure data communication connection (26) for transmitting transaction data (R2) to a transaction server (17), the data carrier (20) simultaneously registers with the terminal device (10) as an input unit (22) and checks whether the pseudo-transaction data (P2) received from the terminal device (10) in its role as transaction unit (23) are unmanipulated with respect to the pseudo-transaction data (P1) it handed to the terminal device (10) in its role as input unit (22).

Publication date: 01-08-2013

System for detecting malicious code executed by a virtual machine

Number: DE202013102179U1
Assignee: KASPERSKY LAB ZAO, KASPERSKY LAB, ZAO

Automated computer system for protection against a malicious set of program instructions executable by a process virtual machine, where the process virtual machine comprises program instructions executable on a computer system having a hardware platform and an operating system, characterised by: a program-error monitoring module in the process virtual machine, which is set up by augmenting the program instructions of the process virtual machine through an automated augmentation process executed on the computer system, the process virtual machine being designed to execute the set of program instructions in question; wherein the program-error monitoring module is designed to detect a program error occurring as a result of the execution of the set of program instructions in question, the program error being an occurrence of an event ...

Publication date: 06-03-2003

METHOD AND APPARATUS FOR DETECTING POLYMORPHIC VIRUSES

Number: DE0069804760T2
Assignee: SYMANTEC CORP, SYMANTEC CORP., CUPERTINO

Publication date: 03-07-2013

Protocol software component and test apparatus

Number: GB0002490006B
Assignee: BOEING CO [US], BOEING CO, THE BOEING COMPANY

Publication date: 26-03-2014

Foiling a document exploit attack

Number: GB0002490431B

Publication date: 16-05-2018

Remote malware scanning capable of static and dynamic file analysis

Number: GB0002555858A

A method of remote malware scanning comprises obtaining, at a second node (e.g. a server), metadata of an electronic file (e.g. an Android app) to be scanned for malware from a first node (e.g. a host), said metadata including at least information for identification of one or more file items contained in the electronic file, for example by a hash value. The second node then identifies whether at least one file item of the electronic file is not pre-known in a knowledge base on the basis of the obtained metadata and delivers an instruction indicating the identified file item to the first node. The electronic file is reconstructed at the second node by assembling its file items, including any file item obtained from the first node in response to the instruction, and any remaining file item which is pre-known in the knowledge base on the basis of the obtained metadata. A dynamic malware analysis on a runtime behaviour of the reconstructed electronic file can be executed at the second node.

Publication date: 17-01-2018

Software container application security

Number: GB0201720174D0

Publication date: 09-07-2008

A method and apparatus for providing network security

Number: GB0002432933B
Author: CURNYN JON, JON CURNYN

Publication date: 19-05-2010

Detecting malware by monitoring executed processes

Number: GB0002465240A

The invention provides for the detection of malware by monitoring executed processes using a dedicated monitoring device 13, the monitoring being performed without the support of an operating system 15 of hardware 11. The monitoring device 13 comprises a retrieval module 131 configured to retrieve entry point information 112 of a process 150 from a CPU 111 before the process is executed, the process comprising at least one instruction (150a,b,c), and an analysis module 133 configured to retrieve an address 110 corresponding to the process from the CPU according to the entry point information, the address corresponding to a memory block where the at least one instruction is stored. Once execution of the process commences, the monitoring device records the instructions in a memory 113 of the hardware. During or after execution, a determination module 137 of the monitoring device retrieves the executed instructions from the memory and compares them with a malicious process behaviour model ...

Publication date: 04-04-2001

Secure e-mail handling using a compartmented operating system

Number: GB0000103986D0

Publication date: 01-07-2015

Computer device and method for isolating untrusted content

Number: GB0002521722A

User process (120, fig. 2) in primary user account 121 requests operating system 202 to action a task. Agent 300, executing in cooperation with the OS comprises a task interceptor (320, fig. 2), a task policy unit (330, fig. 2), an isolation environment provisioner (340, fig. 2) and a controller (310, fig. 2). The interceptor intercepts and provides metadata relevant to the task before it is actioned by the OS. The task policy unit examines the metadata and selectively outputs a result identifying the task as untrusted, e.g. due to the nature of the task or because it accesses untrusted content. The provisioner provisions task isolation environment 350 by programmatically creating secondary user account 121b and the controller causes the untrusted task to be executed as an isolated process in the task isolation environment. The primary and secondary user accounts comprise respective first and second folders for files that are accessible under the respective user accounts. The agent maps ...

Publication date: 17-02-2016

Cyber security

Number: GB0002529150A

Input data is received S1 that is associated with an entity associated with a computer system (10, fig. 1), e.g. a user or device. Preferably the data includes data relating to the entity's activity on the computer system. Metrics, representative of the data's characteristics, are derived S2 from the data and may reflect usage of the computer system by the entity over time, e.g. metrics relating to network traffic. The metrics are analysed S3 using one or more models, perhaps arranged to detect different types of threat. A cyber-threat risk parameter is determined S4, S5 in accordance with the analysed metrics and a model of normal behaviour of the entity, e.g. by comparing the metrics with the model. The parameter is indicative of a likelihood of a cyber-threat, preferably the probability of such likelihood, and is preferably determined using recursive Bayesian estimation. The parameter may be compared with a threshold, possibly a moving threshold, to determine whether or not there is a ...

Publication date: 18-03-2020

Encryption key seed determination

Number: GB0002577066A

A method for determining a plurality of data sources that provide seed parameters for the generation of an encryption key by a ransomware algorithm: a target computer system is exposed to ransomware 702, then application programming interface (API) calls made to an operating system of the target computer system are monitored to identify a set of API calls that retrieve data about one or more hardware components of the target computer system 704. Finally, the method determines the data about the hardware components that constitute the seed parameters 706. The method may go on to determine the encryption algorithm that was used by the ransomware, then determine the seed parameters used by the encryption algorithm to generate the keys. It may then generate the keys using the seed parameters and decrypt the encrypted data in the data store. The data about the hardware component may include a reference number, an identifier, a version, a serial number or unique information about the hardware device.

Publication date: 27-11-2019

Malware barrier

Number: GB0002574093A

A network of connected devices is organised into a hierarchical tree of subnets (represented as nodes) modelled as a tree data structure 410. A dynamical system is generated for each subnet which models the rate of change of connected devices in the subnet that are susceptible to, infected by, protected against and remediated of infection by malware, the system being based on rates of transmission of malware between all subnet pairs. The infection risk for each subnet is evaluated at a predetermined point in time, the risk being associated with the node corresponding to the subnet. A first subset of nodes is identified for which the risk of infection is below a predetermined level of risk 406; a second subset of nodes is identified as a subset of the first subset, the second subset comprising nodes having a connection to a node whose risk of infection meets or exceeds the predetermined threshold risk; and protective actions are performed on devices in subnets associated with each of the first subset of nodes ...

Publication date: 11-12-2019

Detecting a remote exploitation attack

Number: GB0002574468A

The invention defines a signature for detecting remote exploitation attacks on system vulnerabilities. Network connections that are not associated with a successful authentication are identified. The amount of traffic on these connections is measured and if the data flow is in excess of a threshold a report of a suspected remote exploitation attack is generated. Actions to mitigate the real/potential remote exploit are taken in response to the report. Actions may include terminating the connection or process associated with the connection, changing firewall rules or isolating a machine from the network. Connections may be related to SMB (Server Message Block) protocol.

Publication date: 02-09-2020

Detecting obfuscated malware variants

Number: GB0002581877A

A threat management facility receives computer code 602, characterises its redundancy 604 and in response takes remedial action 610, such as permitting 608 or denying the execution of the code. The characterisation can take the form of compressing the code, or tokenised objects of the code, to reduce redundancy whilst maintaining functionality, and comparing the compressed version with the original to determine a degree of redundancy, preferably whether this is characteristic of polymorphism or obfuscation, and requiring remedial action if it is above a predetermined threshold. The characterisation may also be a pattern of redundancy, compared with known patterns of redundancy associated with malware. The code can be script code in a scripting language interpretable by an application, or can be list-based, object-oriented or aspect-oriented. The redundancy can include superfluous function calls, structures or flow control, and can be further characterised ...

Publication date: 16-05-2018

Remote malware scanning capable of static and dynamic file analysis

Number: GB0002555859A

A method of remote malware scanning comprises comparing, at a first node (e.g. a host), the file items of an electronic file (e.g. an Android app) to be scanned for malware with the file items of previously scanned electronic files that share a predetermined number of file items with the app to be scanned, and generating a recipe that includes information identifying the previously scanned app and one or more file items included in the app to be scanned, together with the result of the comparison. The recipe is used at the server to reconstruct the app and execute a dynamic malware analysis on the runtime behaviour of the reconstructed app. The server may then send the result of the analysis to the host. A malware property query may be performed for the app and its file items before the aforementioned method, and the method may be initiated if the query yields an inconclusive result. Upon receiving the recipe, the server may request any missing files, i.e. files that are not readily available ...

Publication date: 23-05-2018

Mitigation of anti-sandbox malware techniques

Number: GB0201805907D0

Publication date: 04-03-2020

Detecting obfuscated malware variants

Number: GB0202000639D0

Publication date: 04-03-2020

Cyber attack evaluation method, information processing device and program

Number: GB0202000749D0

Publication date: 02-05-2018

Threat detection system

Number: GB0201804396D0

Publication date: 23-05-2018

Detecting shared library hijacking

Number: GB0201805756D0

Publication date: 25-07-2018

Detecting a remote exploitation attack

Number: GB0201809427D0

Publication date: 28-11-2018

Detecting triggering events for distributed denial of service attacks

Number: GB0201816827D0

Publication date: 20-11-2019

Method of operating a media scanner

Number: GB0201914519D0

Publication date: 31-10-2018

Computer device and method for handling files

Number: GB0002561862A

Intercepting a file access request S1001, wherein each file has a file type. The appropriate location to insert a tag, which is used to determine the trust status of a file, is looked up in the file S1003, the location being dependent on the file type of the file. A file tag is then inserted at this location S1004. This tag can then be maintained through transfer to heterogeneous file systems. The computer may look up a tag in a file S1012 and may be configured to provide a sandbox to isolate malicious code encountered S1005. The accessed file may be opened in the sandbox if it is untrusted, which may be when it is marked with a file tag. The computer device may have an agent which hooks into an API to intercept the file request. The computer device has a first storage drive which may have a file system supporting an alternate data stream, and a second tag may be inserted in the alternate data stream of the accessed file.

Publication date: 15-09-2009

PROCEDURE AND SYSTEM FOR THE PROTECTION FROM COMPUTER VIRUSES

Number: AT0000441155T
Author: KWAN TONY, KWAN, TONY

Publication date: 05-07-2018

Automated code lockdown to reduce attack surface for software

Number: AU2018204262A1
Assignee: Davies Collison Cave Pty Ltd

A method comprising: determining a set of instructions that provide specific functionality of a computer application; and avoiding, on a computer, exploitation of any security vulnerability present in the set of instructions, by: reorganizing memory addresses for the set of instructions on the computer, where the reorganizing randomizes the memory addresses while preserving relationships among them, and rewriting the set of instructions to the reorganized memory addresses on the computer. ...

Publication date: 03-11-2011

Systems and methods for the detection of malware

Number: AU2010223925A1

A system and method for distinguishing human input events from malware-generated events includes one or more central processing units (CPUs), one or more input devices and memory. The memory includes program code that, when executed by the CPU, causes the CPU to obtain a first set of input events from a user utilizing the input device. The first input events are used to obtain or derive a feature indicative of the user, such as a multi-dimensional feature vector as provided by a support vector machine. Second input events are then obtained, and the second input events are classified against the feature to determine whether the user or malware initiated the second input events.

Publication date: 17-02-2003

Method and apparatus of detecting network activity

Number: AU2002317364A1

Publication date: 26-09-2019

Application execution control utilizing ensemble machine learning for discernment

Number: AU2015213797B2
Assignee: Phillips Ormonde Fitzpatrick

Described are techniques to enable computers to efficiently determine if they should run a program based on an immediate (i.e., real-time, etc.) analysis of the program. Such an approach leverages highly trained ensemble machine learning algorithms to create a real-time discernment on a combination of static and dynamic features collected from the program, the computer's current environment, and external factors. Related apparatus, systems, techniques and articles are also described.

Publication date: 15-03-2018

Automated code lockdown to reduce attack surface for software

Number: AU2015279922B2
Assignee: Davies Collison Cave Pty Ltd

In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime. The system may declare a security attack if the captured memory address matches a memory address for an ...

Publication date: 23-03-2017

Information processing device and program

Number: AU2015331768A1
Assignee: Davies Collison Cave Pty Ltd

Provided is: an electric file handling unit that obtains an instruction on electric file handling; a remote handling unit which establishes a communication path, enabling remote handling, with an execution environment where the electric file handling is to be executed, and which transmits, to the execution environment via the communication path enabling remote handling, an execution instruction for the execution of the electric file handling on the execution environment; and an electric file transmitting unit that transmits an electric file to the execution environment in accordance with the instruction.

Publication date: 04-01-2018

Automated runtime detection of malware

Number: AU2014318585B2
Assignee: Davies Collison Cave Pty Ltd

One example method and corresponding apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.

Publication date: 10-06-2021

IOT BASED GENERIC FRAMEWORK FOR COMPUTER SECURITY USING ARTIFICIAL IMMUNE SYSTEM

Number: AU2021102104A4

The present invention relates to a generic framework for computer security using an artificial immune system. The system is presented as an example of a system developed around the current understanding of the immune system. It explains the capability of Artificial Immune Systems to capture the basic elements of the immune system and demonstrates some of their main properties. As the natural immune system has features such as diversity, distributed computation, error tolerance, dynamic learning and adaptation, and self-monitoring, these are integrated into the invented generalised framework for Artificial Immune Systems, which is utilised for computer security. The natural human immune system has encouraged scientists, engineers and researchers to discover powerful information processing algorithms for solving multifarious engineering tasks. Artificial Immune Systems can be applied to many domains such as classification ...

Publication date: 14-08-2001

Behaviorally-based computer security system

Number: AU0004145401A

Publication date: 30-06-2020

LOG INFORMATION GENERATION APPARATUS AND RECORDING MEDIUM, AND LOG INFORMATION EXTRACTION APPARATUS AND RECORDING MEDIUM

Number: CA0003001282C
Assignee: SOLITON SYSTEMS K K, SOLITON SYSTEMS K.K.

Provided is a log information generation device comprising: a process information generation unit that, at the start of a process operation consisting of a series of process events which are the execution subject of an application program, in the space of a system having a plurality of computers, generates first identification information which uniquely identifies the process temporally and spatially, and generates process information that includes the first identification information; an event information generation unit that generates, for each of the events, event type information indicating the type of event, and generates event information that includes the event type information; and a log information generation unit that generates, for each of the events, log information which includes the process information generated by the process information generation unit and the event information generated by the event information generation unit.

Publication date: 11-07-2019

SYSTEMS AND METHODS FOR DETECTING AND MITIGATING CODE INJECTION ATTACKS

Number: CA0003088604A1
Assignee: DLA PIPER (CANADA) LLP

The present disclosure generally relates to computer security and malware protection. In particular, the present disclosure is generally directed towards systems and methods for detecting and mitigating a code injection attack. In one embodiment the systems and methods may detect a code injection attack by scanning identified sections of memory for non-operational machine instructions ("no-ops"), detecting a code injection attack based on the scan(s) and mitigating the code injection attack by taking one or more defensive actions.

Publication date: 10-03-2020

SYSTEM AND METHOD FOR ANALYZING UNAUTHORIZED INTRUSION INTO A COMPUTER NETWORK

Number: CA0003013171C
Assignee: COUNTERTACK INC, COUNTERTACK INC.

The method analyzes unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems. A network attack on the virtualized operating system is then intercepted by an introspection module running on the hypervisor operating system. The attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data. A signature-generation engine uses this forensic data to generate a signature of the attack. An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks. A web-based visualization interface facilitates configuration of the system and analysis of (and response to) forensic data generated by the introspection module and the signature generation ...

Publication date: 23-11-2021

DUAL MEMORY INTROSPECTION FOR SECURING MULTIPLE NETWORK ENDPOINTS

Number: CA3006003C

Described systems and methods enable protecting multiple client systems (e.g., a corporate network) from computer security threats such as malicious software and intrusion. In some embodiments, each protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client ...

Published 07-02-2019

SYSTEM AND METHOD FOR PREVENTING MALICIOUS CAN BUS ATTACKS

Number: CA0003071776A1
Assignee: GOWLING WLG (CANADA) LLP

A system for preventing cyber security attacks over the CAN bus of a vehicle from carrying out their plot. The system includes a teleprocessing device that is provided with the message identifier of at least one ECU to be blocked. The teleprocessing device is configured to read the message identifier of CAN messages, to thereby identify the at least one ECU to be blocked. Upon determining that the vehicle is under a cyber security attack, the ECU blocking device is activated. Upon identifying that a message was transmitted by the at least one ECU to be blocked, then during the CAN bus 'bit monitoring' process, before the at least one ECU to be blocked reads back the transmitted signal, the ECU blocking device alters one or more bits of the transmitted signal, to thereby force the message to be an erroneous CAN message.

Published 19-01-2017

COMPUTER SECURITY SYSTEMS AND METHODS USING ASYNCHRONOUS INTROSPECTION EXCEPTIONS

Number: CA0002990343A1
Assignee:

Described systems and methods enable an efficient analysis of security-relevant events, especially in hardware virtualization platforms. In some embodiments, a notification handler detects the occurrence of an event within a virtual machine, and communicates the respective event to security software. The security software then attempts to match the respective event to a collection of behavioral and exception signatures. An exception comprises a set of conditions which, when satisfied by a tuple, indicates that the respective entity is not malicious. In some embodiments, a part of exception matching is performed synchronously (i.e., while execution of the entity that triggered the respective event is suspended), while another part of exception matching is performed asynchronously (i.e., after the triggering entity is allowed to resume execution).

Published 30-04-2018

FILE-MODIFYING MALWARE DETECTION

Number: CA0002984007A1
Assignee:

A security agent implemented on a computing device is described herein. The security agent is configured to detect file-modifying malware by detecting that a process is traversing a directory of the memory of the computing device and detecting that the process is accessing files in the memory according to specified file access patterns. The security agent can also be configured to correlate actions of multiple processes that correspond to a specified file access pattern and detect that one or more of the multiple processes are malware by correlating their behavior.

Published 24-11-2016

CASCADING CLASSIFIERS FOR COMPUTER SECURITY APPLICATIONS

Number: CA0002984383A1
Assignee: GOWLING WLG (CANADA) LLP

Described systems and methods allow a computer security system to automatically classify target objects using a cascade of trained classifiers, for applications including malware, spam, and/or fraud detection. The cascade comprises several levels, each level including a set of classifiers. Classifiers are trained in the predetermined order of their respective levels. Each classifier is trained to divide a corpus of records into a plurality of record groups so that a substantial proportion (e.g., at least 95%, or all) of the records in one such group are members of the same class. Between training classifiers of consecutive levels of the cascade, a set of training records of the respective group is discarded from the training corpus. When used to classify an unknown target object, some embodiments employ the classifiers in the order of their respective levels.

Published 28-09-2021

BEHAVIORAL MALWARE DETECTION USING AN INTERPRETER VIRTUAL MACHINE

Number: CA2986321C

Described systems and methods allow protecting a computer system from computer security threats such as malware and spyware. In some embodiments, a security application executes a set of detection routines to determine whether a set of monitored entities (processes, threads, etc.) executing on the computer system comprise malicious software. The detection routines are formulated in bytecode and executed within a bytecode translation virtual machine. Execution of a detection routine comprises translating bytecode instructions of the respective routine into native processor instructions, for instance via interpretation or just-in-time compilation. Execution of the respective routines is triggered selectively, due to the occurrence of specific events within the protected client system. Detection routines may output a set of scores, which may be further used by the security application to determine whether a monitored entity is malicious.

Published 02-06-2020

AUTOMATED RUNTIME DETECTION OF MALWARE

Number: CA0002923231C
Assignee: VIRSEC SYSTEMS INC, VIRSEC SYSTEMS, INC.

One example method and corresponding apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.

Published 05-10-2021

SECURE DOCUMENT IMPORTATION VIA PORTABLE MEDIA

Number: CA2960214C
Author: JAMAN MANI, JAMAN, MANI
Assignee: HRB INNOVATIONS INC, HRB INNOVATIONS, INC.

System, method and medium for securely transferring untrusted files from a portable storage medium to a computer. The invention can filter, scan and detonate untrusted files to be transferred to a computer from a portable storage medium. First, the types of files which are eligible to be selected for transfer are limited, by file type and/or content. Second, each file selected for transfer is scanned against a collection of signatures of known malware. Thus, files containing malware which has previously been identified as such can be blocked from ever being transferred to the computer. Finally, each file to be transferred is detonated by opening it in a controlled, sterile environment to determine whether it adversely impacts the operation of that sterile environment. Malware detected in this way can then be added to the collection of malware that can be detected by the second step.

Published 10-03-2016

SYSTEM AND METHOD FOR PROTECTING A DEVICE AGAINST ATTACKS ON PROCESSING FLOW USING A CODE POINTER COMPLEMENT

Number: CA0002958986A1
Assignee:

A system, method and computer-readable storage medium with instructions for operating a processor of an electronic device to protect against unauthorized manipulation of the code pointer by maintaining and updating a code pointer complement against which the code pointer may be verified. Other systems and methods are disclosed.

Published 06-05-2010

SYSTEM, METHOD AND PROGRAM PRODUCT FOR DETECTING PRESENCE OF MALICIOUS SOFTWARE RUNNING ON A COMPUTER SYSTEM

Number: CA0002719495A1
Assignee:

A system, method and program product for detecting presence of malicious software running on a computer system. The method includes locally querying the system to generate a local inventory of tasks and network services running on the system for detecting presence of malicious software running on the system and remotely querying the system from a remote system via a network to generate a remote inventory of tasks and network services running on the system for detecting presence of malicious software running on the system, where the local inventory enumerates ports in use on the system and where the remote inventory enumerates ports in use on the system. Further, the method includes collecting the local inventory and the remote inventory and comparing the local inventory with the remote inventory to identify any discrepancies between the local and the remote inventories for detecting presence of malicious software running on the system.

Published 04-08-2020

CONTENT HANDLING FOR APPLICATIONS

Number: CA0002846877C
Assignee: MICROSOFT CORP, MICROSOFT CORPORATION

Techniques for content handling for applications are described. In one or more implementations, a first set of content handling policies is enforced for a first portion of an application that is permitted to invoke code elements of the computing device and a second set of content handling policies is enforced for a second portion of the application that is not permitted to invoke the code elements. Further, a determination is made whether to apply the first set of content handling policies or the second set of content handling policies to content based on which portion of the application is requesting the content.

Published 27-11-2018

SECURITY BOX

Number: CA0002858807C

Provided is a security box including: an input means for input of external data; an execution means for executing, in a predetermined area, external data input by the input means; and an isolation control means for isolating the execution area from other areas during execution. The security box can be further equipped with: a display means for displaying the behavior of external data executed by the execution means; a determination means for determining, on the basis of the behavior displayed by the display means, whether the external data is normal data; and a deletion means for deleting data that the determination means has determined is not normal data and/or all of the data of the execution means.

Published 14-08-1997

EMULATION REPAIR SYSTEM

Number: CA0002244892A1
Assignee:

An emulation repair system (200) restores virus-infected computer files (220) to their uninfected states without risk of infecting the rest of the computer system (202), by providing a virtual machine (216) for emulating the virus-infected computer file (220), a foundation module (240) including generic, machine language repair routines (242), and a virus-specific overlay module (262). Emulation repair system (200) receives the identity of the infected computer file (220) and the infecting virus (224) from a virus scanning module, and uses the received information to access a virus definition (232) that includes decryption information on the identified virus (224). The infected computer file (220) is emulated in the virtual machine (216) until it is determined from comparison with the decryption information that the virus (224) is fully decrypted. The foundation and overlay modules (240, 262) are then loaded into the virtual machine (216) and control of the virtual machine (216) is given ...

Published 19-01-2012

Method and apparatus for virus throttling with rate limiting

Number: US20120017279A1
Author: Shaun Kazuo Wakumoto
Assignee: Hewlett Packard Development Co LP

A method for traffic control of a network device in a network is disclosed. The network device determines potentially malicious behavior by a host device in the network. A permissible rate of traffic from the host device through a port of the network device is reduced in response to determining the potentially malicious behavior. A rate of traffic through the port of the network device is measured. The measured traffic rate is compared with a threshold rate. The permissible rate of traffic is adjusted based on the comparison.

Published 15-03-2012

System recovery method and computing apparatus having system recovery function

Number: US20120066546A1
Author: Bum-keun Kim
Assignee: SAMSUNG ELECTRONICS CO LTD

A system recovery method and a computing apparatus having a system recovery function. The computing apparatus includes a first memory unit to store a general operating system (OS) in a system partition where a primary anti-virus program operates, and to store a recovery OS in a recovery partition where a secondary anti-virus program operates; a second memory unit to store firmware determining a booting partition of the computing apparatus; and a processor to control execution of the firmware to, when the system partition is infected by a virus and thus the computing apparatus does not boot to the general OS, boot the computing apparatus to the recovery OS, and to control recovery of the system partition.

Published 05-04-2012

Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System

Number: US20120084862A1
Assignee: International Business Machines Corp

A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of the ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.

Published 19-04-2012

Wireless intrusion prevention system and method

Number: US20120096539A1
Assignee: Juniper Networks Inc

A wireless intrusion prevention system and method to prevent, detect, and stop malware attacks is presented. The wireless intrusion prevention system monitors network communications for events characteristic of a malware attack, correlates a plurality of events to detect a malware attack, and performs mitigating actions to stop the malware attack.

Published 19-04-2012

System and method for identifying malicious activities through non-logged-in host usage

Number: US20120096556A1
Author: Gunter D. OLLMANN
Assignee: International Business Machines Corp

A method for identifying malware activities, implemented within a computer infrastructure, includes receiving a data communication via a data channel and determining that a user is not interactively logged in to a host. Additionally, the method includes identifying the data communication as a potential malware communication in response to determining that the user is not interactively logged in to the host.

Published 19-07-2012

Computer system and method for scanning computer virus

Number: US20120185940A1
Author: Nobuyuki Saika
Assignee: Individual

According to the present invention, a timeout caused by executing a virus scan is avoided. A computer system has a first computer, a second computer coupled to the first computer, and a storage system coupled to the first computer and the second computer. The first computer receives a request to write data, writes the requested data in the storage system, and sends a virus scan request of the written data to the second computer. The second computer receives the virus scan request from the first computer, reads the written data out of the storage system, and partially executes a virus scan of the read data. After the partial virus scan of the read data is finished, the first computer sends a response to the received write request. After the first computer sends the response, the second computer executes the remainder of the virus scan of the read data.

Published 06-09-2012

System And Method For Packet Profiling

Number: US20120227109A1
Author: Jeffrey D. DIMURO
Assignee: JPMorgan Chase Bank NA

Systems and methods for packet profiling are disclosed. According to one embodiment, a method for profiling incoming data packets for an organization includes the steps of (1) receiving, at an interface for a transport provider, a data packet; (2) using a computer processor, analyzing the data packet; (3) using the computer processor, based on the analysis, marking the data packet; and (4) transmitting the data packet to the organization.

Published 15-11-2012

Emulating Mixed-Code Programs Using a Virtual Machine Instance

Number: US20120290848A1
Assignee: Microsoft Corp

The subject disclosure is directed towards a technology for efficiently emulating program code that is protected by one or more various code virtualization techniques to detect the presence of malware. An emulation engine emulates a program containing a mix of native code, custom (e.g., virtualized obfuscated) code, and at least one emulator and/or interpreter that understands the custom code, by building a custom emulation component that is built by detecting and analyzing the internal emulator or interpreter. The custom emulation component may access a translation table built from the analysis, and also may simplify a plurality of instructions in the program into a lesser number of instructions in an intermediate language used for emulation.

Published 06-12-2012

System and method for non-signature based detection of malicious processes

Number: US20120311708A1
Assignee: McAfee LLC

Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.

Published 10-01-2013

Mobile communication terminal having a behavior-based malicious code detection function and detection method thereof

Number: US20130014262A1
Assignee: Ahnlab Inc

A mobile communication terminal comprises: a system unit which performs application installation and removal, outputs an installation completion message upon completion of the application installation, and provides, upon receipt of a request for authority information on the application, the requested authority information; a behavior information database in which behavior information data is stored; and an inspection unit which makes a request for the authority information to the system unit and receives the authority information, upon receipt of the installation completion message from the system unit, and which compares the authority information with the behavior information data stored in the behavior information database to examine whether the application is malicious code or not.

Published 17-01-2013

Remote-Assisted Malware Detection

Number: US20130019306A1
Assignee: AT&T INTELLECTUAL PROPERTY I LP

Remote assistance is provided to a mobile device across a network to enable malware detection. The mobile device transmits potentially infected memory pages to a remote server across a network. The remote server performs analysis, and provides feedback to the mobile device. Based on the received feedback, the mobile device halts a process, or retrieves and transmits additional memory pages to the remote server for more analysis. This process is repeated until a compromised region of memory is identified and/or isolated for further repair to be performed. The feedback from the remote server reduces the processing and storage burden on the mobile device, resulting in a more reliable detection that uses fewer resources. Embodiments including hypervisors and virtual machines are disclosed.

Published 31-01-2013

System and methods for adaptive model generation for detecting intrusion in computer systems

Number: US20130031633A1
Assignee: Columbia University of New York

A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.

Published 28-02-2013

Enhanced browsing with security scanning

Number: US20130055395A1
Assignee: BT Web Solutions LLC

A method scans a second web page linked to a first web page being displayed by a browser in a browser window. The method identifies, in the first web page, a target link to the second web page. Prior to receiving a user selection of the target link, the method prefetches content from the second web page and loads it into a safe cache according to a prefetching order before receiving the user selection of the target link and before the content of the second web page is opened by an application configured to provide access to the content of the second web page. The method scans the prefetched content from the second web page for a security threat, within the safe cache, which is configured to prevent the prefetched content from altering a memory location or storage location external to the safe cache.

Published 28-03-2013

Outbound Connection Detection and Blocking at a Client Computer

Number: US20130081129A1
Author: Jarno Niemelä
Assignee: F Secure Oyj

A method of detecting and blocking a malicious SSL connection at a client computer. The method includes identifying, at a network firewall level, an outbound SSL connection being set up at the client computer; detecting an SSL certificate associated with the SSL connection; sending a request to a central server for reputation information on the SSL certificate; at the central server, determining reputation information in dependence upon the SSL certificate; providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection.

Published 18-04-2013

System and method for profile based filtering of outgoing information in a mobile environment

Number: US20130097652A1
Assignee: McAfee LLC

A system and method in one embodiment includes modules for detecting an access request by an application to access information in a mobile device, determining that the application is a potential threat according to at least one policy filter, and blocking a send request by the application to send the information from the mobile device without a user's consent. More specific embodiments include the user selecting the information through a selection menu on a graphical user interface that includes information categories pre-populated by an operating system of the mobile device, and keywords that can be input by the user. Other embodiments include queuing the send request in a queue with other requests, and presenting an outbox comprising the queue to the user to choose whether to consent to the requests. The outbox includes graphical elements configured to permit the user to selectively consent to any requests in the queue.

Published 06-06-2013

Multilayered deception for intrusion detection and prevention

Number: US20130145465A1
Assignee: AT&T INTELLECTUAL PROPERTY I LP

Concepts and technologies are disclosed herein for multilayered deception for intrusion detection. According to various embodiments of the concepts and technologies disclosed herein, a multilayer deception system includes honey servers, honey files and folders, honey databases, and/or honey computers. A multilayer deception system controller generates honey activity between the honey entities and exposes a honey profile with contact information associated with a honey user. Contact directed at the honey user and/or activity at any of the honey entities can trigger alarms and/or indicate an attack, and can be analyzed to prevent future attacks.

Published 29-08-2013

PROGRAM ANALYSIS SYSTEM AND METHOD THEREOF

Number: US20130227690A1
Assignee: HITACHI, LTD.

A program analysis system that analyzes a program while adjusting time elapse velocity in the program execution environment sets analysis conditions such as time elapse velocity in the execution environment, program execution start time and execution termination time, adjusts the time elapse velocity and the program execution start time according to the determination of an analysis manager, executes the program until the execution termination time, monitors the execution environment, acquires an action record of the program, analyzes the action record, and clarifies the behavior of the program. Further, the program analysis system resets the analysis conditions based upon a result of analysis, re-analyzes, monitors communication between a sample and an external terminal, and varies the time elapse velocity set by the analysis manager to prevent a time-out from occurring in communication.

1. A program analysis system that operates a program the operation of which is to be verified in an execution environment where time elapse velocity can be arbitrarily adjusted, comprising:
   a system management device provided with an analysis manager that manages an analysis situation of the program and determines time elapse velocity;
   at least one sample execution device provided with a sample executor that executes the program in the execution environment based upon the time elapse velocity specified by the analysis manager and an action recorder that acquires the behavior of the program in the execution environment as an action record;
   at least one action analyzer provided with an action analyzer that analyzes the action record and outputs a characteristic of the program as a result of analysis; and
   at least one communication monitoring device provided with a communication monitor that adjusts the time elapse velocity so as to prevent a time-out from occurring when the program communicates with an external device.
2. The program analysis system according to claim 1, wherein the communication ...

Published 19-09-2013

Embedded anti-virus scanner for a network adapter

Number: US20130246620A1
Assignee: McAfee LLC

A network adapter system and associated method are provided. The network adapter system includes a processor positioned on a network adapter coupled between a computer and a network. Such processor is configured for scanning network traffic transmitted between the computer and the network.

Published 19-09-2013

System, method, and computer program product for utilizing a data structure including event relationships to detect unwanted activity

Number: US20130247190A1
Author: Joel R. Spurlock
Assignee: Individual

A system, method, and computer program product are provided for utilizing a data structure including event relationships to detect unwanted activity. In use, a plurality of events is identified. Additionally, a data structure including objects associated with the plurality of events and relationships associated with the plurality of events is generated. Further, unwanted activity is detected utilizing the data structure.

Published 10-10-2013

System and method for determining and using local reputations of users and hosts to protect information in a network environment

Number: US20130268994A1
Assignee: McAfee LLC

A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node.

Published 31-10-2013

INFORMATION SECURITY TECHNIQUES INCLUDING DETECTION, INTERDICTION AND/OR MITIGATION OF MEMORY INJECTION ATTACKS

Number: US20130290662A1
Author: Teal Daniel
Assignee: Lumension Security, Inc.

Methods of detecting malicious code injected into memory of a computer system are disclosed. The memory injection detection methods may include enumerating memory regions of an address space in memory of a computer system to create memory region address information. The memory region address information may be compared to loaded module address information to facilitate detection of malicious code memory injection.

1. A method comprising:
   (a) enumerating, based on a query of an operating executive of a computer system, a plurality of memory regions of an address space in memory of the computer system, thereby creating memory region address information; and
   (b) scanning memory of the computer system for a memory injection, wherein the scanning step comprises
      (i) determining whether a first memory region of the plurality of memory regions corresponds to any of a plurality of loaded modules registered with the operating executive, wherein the determining step comprises
         (A) examining the plurality of loaded modules for loaded module address information; and
         (B) comparing the memory region address information to the loaded module address information; and
      (ii) wherein, when the first memory region does not correspond to any of the plurality of loaded modules, determining whether the first memory region contains library indicative coding; and
      (iii) wherein, when the first memory region contains library indicative coding, generating a memory injection alarm.
2. The method of claim 1, wherein, when the first memory region corresponds to one of the plurality of loaded modules, determining whether that loaded module is mapped from a file system of the computer system.
3. The method of claim 2, wherein the memory injection alarm is a first memory injection alarm, and wherein, when the loaded module is not mapped from a file system of the computer system, determining whether the first memory region contains library ...

Published 31-10-2013

System and Method for Run-Time Attack Prevention

Number: US20130291103A1
Assignee: Dell Products LP

Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function.

More
Publication date: 31-10-2013

Method and Device for Program Identification Based on Machine Learning

Number: US20130291111A1
Author: Hongyi Zhou, Hui Zhou, YI Dong
Assignee: Beijing Qihoo Technology Co Ltd

The invention discloses a method and device for program identification based on machine learning. The method comprises: analyzing an inputted unknown program, and extracting a feature of the unknown program; coarsely classifying the unknown program according to the extracted feature; judging by inputting the unknown program into a corresponding decision-making machine generated by training according to a result of the coarse classification; and outputting an identification result of the unknown program, wherein the identification result is a malicious program or a non-malicious program. The embodiments of the invention adopt the machine learning technology, achieve the decision-making machine for identifying a malicious program by analyzing a large number of program samples, and can save a lot of manpower and improve the identification efficiency for a malicious program by using the decision-making machine; and furthermore, can find an inherent law of programs based on data mining for massive programs, prevent a malicious program that has not yet appeared and make it difficult for a malicious program to evade detection and removal.

More
Publication date: 28-11-2013

System and Method for Detection and Treatment of Malware on Data Storage Devices

Number: US20130318610A1
Author: Oleg V. Zaitsev
Assignee: Kaspersky Lab AO

Disclosed are systems and methods for detection and repair of malware on data storage devices. The system includes a controller, a communication interface for connecting an external data storage device, and a memory for storing antivirus software. The antivirus software is configured to scan the data contained in the data storage device, perform repair or removal of malicious files or programs found on the data storage device, identify suspicious files or programs on the data storage device and malicious files or programs that cannot be repaired or removed from the data storage device, send information about these files or programs to the antivirus software provider, receive updates for the antivirus software from the antivirus software provider, and rescan the suspicious files or programs and malicious files or programs that cannot be repaired or removed using updated antivirus software.

More
Publication date: 19-12-2013

SECURE CLOUD HYPERVISOR MONITOR

Number: US20130340077A1
Assignee: Raytheon Company

This disclosure addresses systems and methods for the protection of hardware and software in a computing environment. A hypervisor-monitor may be nested between the hardware of a host system and a hypervisor that is capable of supporting one or more guest virtual machines. The hypervisor-monitor may intercept exceptions generated by one or more processors in the host system and inspect software instructions for the hypervisor and the guests. Inspection may include performing a hash of the software instructions and a comparison of the hash with authorized software modules or a set of known malware. In this manner the hypervisor-monitor may monitor and prevent the execution of malware by the hypervisor or the guests, or provide a record of when code of an unknown origin was executed.

1. A hypervisor monitor system comprising: one or more processors coupled to a memory, the one or more processors configured to execute instructions in the memory, and generate an exception in response to a page fault; a hypervisor configured to operate on the one or more processors and to manage execution of a plurality of virtual machines on the one or more processors; a hashing module configured to calculate a mathematical hash of at least a portion of the instructions in the memory; a database, isolated from the hypervisor, the database including a list of mathematical hashes of registered code; and a monitor providing an interface between the one or more processors and the hypervisor, the monitor being configured to respond to the exception by performing a comparison of the mathematical hash of a page of instructions loaded into the memory by the hypervisor with the list of mathematical hashes of authorized code; wherein the monitor, in response to the comparison, prevents the one or more processors from executing the page of instructions when the comparison indicates the mathematical hash of the page of instructions is not included in the list of mathematical hashes of registered code.
2. The ...

More
Publication date: 02-01-2014

PREVENTING ATTACKS ON DEVICES WITH MULTIPLE CPUs

Number: US20140007234A1
Author: Igor Muttik
Assignee: McAfee LLC

Disclosed are systems and methods to utilize two different processing units (e.g., CPUs) to monitor each other. The processing units may have limited visibility and/or read only access to each other to reduce the possibility that one affected processing unit could compromise the second processing unit. Devices containing multiple processing units of different architectures could be configured so that one type of processing unit monitors another type of processing unit. When the processing units are different architectures a single piece of malicious software (malware) is unlikely to affect both processing units. Each processing unit can be configured to detect rootkits and other types of malware on the other processor(s) of the system/device.

More
Publication date: 02-01-2014

Identification of Infected Devices in Broadband Environments

Number: US20140007235A1
Assignee: CENTURYLINK INTELLECTUAL PROPERTY LLC

Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.

More
Publication date: 09-01-2014

Social Network Protection System

Number: US20140013435A1
Assignee: F Secure Oyj

A method of inhibiting the spread of malware across a network of interconnected computer terminals. The method includes detecting malware or suspicious behaviour at a first computer terminal and inspecting the first computer terminal, before and/or after said step of detecting malware or suspicious behaviour, to identify contacts forming part of a social network. Identities of the identified contacts are sent to a backend security system, and at the backend security system, said identities are received and instructions sent to one or more second computer terminals associated with respective identities to cause those second computer terminals to implement an increased level of security.

More
Publication date: 20-02-2014

System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature

Number: US20140053263A1
Assignee: Individual

A system, method and computer program product are provided for sending information extracted from a potentially unwanted data sample to generate a signature. In use, information is extracted from a portion of a sample of potentially unwanted data. Further, the information is sent to generate a signature.

More
Publication date: 06-03-2014

Method and Apparatus of Responding to Webpage Access Request

Number: US20140068412A1
Author: Yan He
Assignee: Alibaba Group Holding Ltd

The present disclosure provides techniques to control webpage access. These techniques may receive, by a computing device, a request to visit a webpage. The computing device may then retrieve an identifier of the webpage and/or an identifier of a webpage element of the webpage. The computing device may also retrieve a corresponding resource requirement from a pre-configured resource allocation database based on the identifier of the webpage and/or the identifier of the webpage element. The computing device may then determine whether the resource requirement is larger than a current resource allocation. In response to the determination, the computing device may generate and return webpage content based on a predetermined rule.

More
Publication date: 13-03-2014

DYNAMIC ANOMALY, ASSOCIATION AND CLUSTERING DETECTION

Number: US20140074796A1

Techniques are provided for dynamic anomaly, association and clustering detection. At least one code table is built for each attribute in a set of data containing one or more attributes. One or more clusters associated with one or more of the code tables are established. One or more new data points are received. A determination is made if a given one of the new data points is an anomaly. At least one of the one or more code tables is updated responsive to the determination. When a compression cost of a given one of the new data points is greater than a threshold compression cost for each of the one or more clusters, the given one of the new data points is an anomaly.

1. A method, comprising: building one or more code tables for each attribute in a set of data containing one or more attributes; establishing one or more clusters associated with one or more of the code tables; receiving one or more new data points; determining if a given one of the new data points is an anomaly; and updating at least one of the one or more code tables responsive to the determination; wherein at least one of the building, establishing, receiving, determining and updating steps are performed by a processor device.
2. The method of claim 1, wherein the building step comprises: counting the number of appearances of each attribute value; estimating the bit length required to compress each attribute value; and calculating the usage of each attribute value.
3. The method of claim 1, wherein each code table comprises a code word column, a bit length column and a usage column.
4. The method of claim 1, further comprising a step of assigning the given one of the new data points to an existing cluster when the given one of the new data points is determined not to be an anomaly.
5. The method of claim 4, wherein the step of assigning the given one of the new data points to an existing cluster comprises: calculating a compression cost of the given one of the new data points for each of the one ...

More
Publication date: 13-03-2014

Anomaly, association and clustering detection

Number: US20140074838A1
Assignee: International Business Machines Corp

Techniques are provided for anomaly, association and clustering detection. At least one code table is built for each attribute in a set of data. A first code table corresponding to a first attribute and a second code table corresponding to a second attribute are selected. The first code table and the second code table are merged into a merged code table, and a determination is made to accept or reject the merged code table. An anomaly is detected when a total compression cost for a data point is greater than a threshold compression cost inferred from one or more code tables. An association in a data table is detected by merging attribute groups, splitting data groups, and assigning data points to data groups. A cluster is inferred from a matrix of data and code words for each of the one or more code tables.

More
Publication date: 20-03-2014

Electronic device and method for monitoring application

Number: US20140082727A1

An electronic device includes an operating system to determine the hardware modules being used when an application of the electronic device is run. The electronic device stores a table, obtained from a credible service provider, recording the hardware modules used by the running of each application. The electronic device obtains the hardware modules being used by the operating system when an application is running, determines, if the running application is recorded in the table, whether all the hardware modules being used are the hardware modules corresponding to the running application in the table, and determines that the running application is a malicious application if not all of the hardware modules being used are the hardware modules corresponding to the running application in the table. The electronic device executes a safeguard operation to protect the electronic device when the running application is a malicious application. A related method is also provided.

More
Publication date: 27-03-2014

METHOD AND APPARATUS FOR VIRUS SCANNING

Number: US20140090062A1
Author: Guo Xi

Method and apparatus for virus scanning, and a non-transitory computer-readable medium that stores instructions for performing virus scanning. The method includes detecting a status of a system; and when the status of the system is idle, if current virus scanning has begun, continuing the current virus scanning, and if the current virus scanning has not begun, acquiring a scanning progress of previous virus scanning, beginning the current virus scanning according to the acquired scanning progress, and recording a scanning progress of the current virus scanning.

1. A method for virus scanning, comprising: detecting a status of a system; and when the status of the system is idle, if current virus scanning has begun, continuing the current virus scanning, and if the current virus scanning has not begun, acquiring a scanning progress of previous virus scanning, beginning the current virus scanning according to the acquired scanning progress, and recording a scanning progress of the current virus scanning.
2. The method according to claim 1, wherein the step of detecting the status of the system comprises: detecting whether the system is in an input status or a full-screen status, and detecting a current occupancy of system resources; determining, if the system is in the input status or the full-screen status, that the detected status of the system is busy; determining, if the system is not in the input status and the full-screen status, when the detected current occupancy of the system resources is greater than a predetermined occupancy, that the detected status of the system is busy; and determining, if the system is not in the input status and the full-screen status, when the current occupancy of the system resources detected within a second predetermined time is less than or equal to the predetermined occupancy, that the detected system status is idle.
3. The method according to claim 1, before the step of detecting the status of the system, further comprising: ...

More
Publication date: 03-04-2014

Protection Against Return Oriented Programming Attacks

Number: US20140096245A1
Author: Fischer Stephen A.
Assignee:

In one embodiment, a processor includes at least one execution unit. The processor also includes a Return Oriented Programming (ROP) logic coupled to the at least one execution unit. The ROP logic may validate a return pointer stored on a call stack based on a secret ROP value. The secret ROP value may only be accessible by the operating system.

1. A processor comprising: at least one execution unit; and a Return Oriented Programming (ROP) logic coupled to the at least one execution unit, the ROP logic to validate a return pointer stored on a call stack based on a secret ROP value, wherein the secret ROP value is only accessible to an operating system.
2. The processor of claim 1, wherein the ROP logic is to generate the secret ROP value under control of an operating system.
3. The processor of claim 2, wherein the ROP logic is to generate the secret ROP value using a random number.
4. The processor of claim 1, wherein the ROP logic is to generate a check value based on the secret ROP value.
5. The processor of claim 4, wherein the ROP logic is further to store the check value on the call stack after the return pointer.
6. The processor of claim 4, wherein the ROP logic is to generate the check value by encryption of the secret ROP value with the return pointer.
7. The processor of claim 4, wherein the ROP logic is to generate the check value by encryption of the secret ROP value with a stack pointer.
8. The processor of claim 5, wherein the ROP logic is further to remove the check value and the return pointer from the call stack, and to generate a validation check value.
9. The processor of claim 8, wherein the ROP logic is to determine that the return pointer is valid when the validation check value matches the check value removed from the call stack.
10. The processor of claim 9, wherein the ROP logic is further to execute a return to a first routine via the return pointer if the return pointer is valid.
11. A processor comprising: pop a return pointer and ...

More
Publication date: 03-04-2014

SYSTEM AND METHOD FOR COUNTERING DETECTION OF EMULATION BY MALWARE

Number: US20140096250A1
Author: BELOV SERGEY Y.
Assignee: Kaspersky Lab ZAO

Instructions of an application program are emulated such that they are carried out sequentially in a first virtual execution environment that represents the user-mode data processing of the operating system. A system API call requesting execution of a user-mode system function is detected. In response, the instructions of the user-mode system function called by the API are emulated according to a second emulation mode in which the instructions of the user-mode system function are carried out sequentially in a second virtual execution environment that represents the user-mode data processing of the operating system, including tracking certain processor and memory states affected by the instructions of the user-mode system function. Results of the emulating of the application program instructions according to the first emulation mode are analyzed for any presence of malicious code.

1-24. (canceled)
25. An automated computer-implemented method for investigating a presence of malicious code in an application program stored on a subject computer system, the subject computer system including a processor, memory, and an operating system, the method comprising: providing a standard emulator module for emulating the application program wherein instructions of the application program are carried out sequentially, and wherein system functions called by instructions of the application are simulated in an abbreviated fashion wherein fictitious results representing completed execution of each called system function are returned in lieu of actual execution of that called system function; providing a second emulator module for emulating called system functions that are user-mode system functions, wherein instructions of the called system functions in response to execution of the application program instructions includes sequential execution of the called system function, including branching operations and function calls taking place within the instructions of the called system ...

More
Publication date: 06-01-2022

USING A CHARACTERISTIC OF A PROCESS INPUT/OUTPUT (I/O) ACTIVITY AND DATA SUBJECT TO THE I/O ACTIVITY TO DETERMINE WHETHER THE PROCESS IS A SUSPICIOUS PROCESS

Number: US20220004628A1
Assignee:

Provided are a computer program product, system, and method for detecting a security breach in a system managing access to a storage. Process Input/Output (I/O) activity by a process accessing data in a storage is monitored. A determination is made of a characteristic of the data subject to the I/O activity from the process. A determination is made as to whether a characteristic of the process I/O activity as compared to the characteristic of the data satisfies a condition. The process initiating the I/O activity is characterized as a suspicious process in response to determining that the condition is satisfied. A security breach is indicated in response to characterizing the process as the suspicious process.

1-25. (canceled)
26. A computer program product for detecting a security breach in a system managing access to a storage, the computer program product comprising a computer readable storage medium having computer readable program code embodied therein that when executed performs operations, the operations comprising: monitoring Input/Output (I/O) activity by a process accessing data in a storage; determining a last access time the data subject to the monitored I/O activity was last accessed prior to being accessed by the monitored I/O activity; determining whether a difference of a process access time the monitored I/O activity accessed the data and the last access time for the data satisfies a condition; characterizing the process as a suspicious process in response to determining that the condition is satisfied; and indicating a security breach in response to characterizing the process as the suspicious process.
27. The computer program product of claim 26, wherein the condition comprises determining whether the difference exceeds a threshold, wherein the process is characterized as the suspicious process if the difference exceeds the threshold.
28. The computer program product of claim 26, wherein the monitoring is performed with respect to a ...

More
Publication date: 06-01-2022

STATISTICAL DETECTION OF FIRMWARE-LEVEL COMPROMISES

Number: US20220004636A1
Assignee:

Statistical detection of firmware-level compromises can be enabled and performed on a computing system. During pre-boot, a pre-boot agent can access firmware loaded in memory and cause it to be stored in a manner that will allow the firmware to be accessed at runtime. During runtime, the firmware can be accessed and stored as files in the file system or other storage location accessible to an antivirus solution. The antivirus solution can then analyze the files using statistics-based techniques to thereby detect compromises in firmware.

1. A method for analyzing firmware, the method comprising: during pre-boot, accessing firmware stored in one or more regions of memory; storing the firmware in one or more separate regions of memory that remain accessible at runtime; during runtime, accessing the firmware that is stored in the one or more separate regions of memory; and storing the firmware as one or more files in a file system at a location accessible to an antivirus solution to thereby enable the antivirus solution to perform a statistical analysis on the one or more files to detect a compromise in the firmware.
2. The method of claim 1, wherein the one or more regions of memory comprise at least one memory region that stores dynamic firmware.
3. The method of claim 2, wherein the dynamic firmware includes firmware configuration settings.
4. The method of claim 1, wherein storing the firmware in the one or more separate regions of memory comprises storing the firmware in one or more ACPI tables.
5. The method of claim 1, wherein accessing the firmware that is stored in the one or more separate regions of memory comprises reading the firmware from the one or more ACPI tables.
6. The method of claim 1, wherein storing the firmware in the one or more separate regions of memory comprises storing the firmware in an ACPI NV region of memory.
7. The method of claim 6, wherein accessing the firmware that is stored in the one or more separate regions of memory comprises ...

More
Publication date: 05-01-2017

SYSTEM AND METHOD FOR SECRETIVE STORAGE OF APPLICATIONS IN PORTABLE COMPUTING DEVICE

Number: US20170004297A1
Assignee:

The embodiments herein provide a system and method for an authentication-driven secret installation and access to applications and data on handheld computing devices. The secret storage is installed and accessed by a directly installed application or a host application on the device. The system comprises an authentication module for authenticating a user to access data stored in the secret storage area, and a security module for detecting an intrusion of the user's privacy during an access to the secret storage area. The authentication module automatically shuts down the application when a privacy intrusion is detected continuously for a preset period of time. A secret storage application is run to create a clone of one or more applications installed outside the secret storage area, while the created clone of the one or more applications is stored in the secret storage area.

1. A secret digital data storage system for secretive installation of applications in a secretive location on a handheld computing device, the system comprising: a hardware processor; a memory module, wherein the memory module comprises a secret storage area; an external memory module, wherein the external memory module comprises a secret storage area; a secret storage application stored on the memory module or the external memory module, wherein the secret storage application is run on the hardware processor and configured to store data in the secret storage area in the memory module or in the secret storage area in the external memory module; an authentication module, wherein the authentication module is run on the hardware processor and configured to authenticate a user to access data stored in the secret storage area; and a security module, wherein the security module is run on the hardware processor and configured to continuously detect an intrusion of a user's privacy when the user accesses the secret storage area, and wherein the security module is run on the hardware processor and ...

More
Publication date: 07-01-2021

SYSTEMS AND METHODS FOR REMOTE DETECTION OF SOFTWARE THROUGH BROWSER WEBINJECTS

Number: US20210004457A1
Assignee:

Computer-implemented methods and systems are provided for the detection of software presence remotely through the web browser by detecting the presence of webinjects in a web browser that visits a detection webpage. The methods can include delivering a detection webpage to a web browser, in which the detection webpage has detection code configured to detect a presence of the webinject in the detection webpage; and inspecting, by the detection code, rendering of content of the detection webpage in the browser to detect webinject content in the detection webpage by the webinject, the webinject content including one or more Hypertext Markup Language (HTML) components. The method can further include, if webinject content is detected, generating a fingerprint for each of the one or more HTML components; transmitting the one or more fingerprints to an external server; and classifying, by the external server, the webinject based on the one or more fingerprints.

1. A computer-implemented method for detection of a webinject, the method comprising: delivering a detection webpage to a web browser, the detection webpage comprising detection code configured to detect a presence of the webinject in the detection webpage; inspecting, by the detection code, rendering of content of the detection webpage in the browser to detect webinject content in the detection webpage by the webinject, the webinject content including one or more Hypertext Markup Language (HTML) components; and determining an origin software of the webinject based on the detected webinject content.
2. The method of claim 1, further comprising: transmitting to an external server, by the detection code, the one or more HTML components of the detected webinject content, the transmission performed by a portion of executions of the detection code; identifying the origin software of the one or more HTML components by at least one of: (i) searching for the one or more HTML components in sandboxed executions of software or (ii) ...

More
Publication date: 07-01-2021

METHODS AND APPARATUS FOR ANALYZING SEQUENCES OF APPLICATION PROGRAMMING INTERFACE TRAFFIC TO IDENTIFY POTENTIAL MALICIOUS ACTIONS

Number: US20210004460A1
Assignee: Ping Identity Corporation

In some embodiments, a method includes receiving, at a processor of a server, a first application programming interface (API) call from a client device and providing an indication associated with the first API call as an input to a machine learning model such that the machine learning model identifies a set of parameters associated with a set of likely subsequent API calls. The method can further include receiving a second API call from the client device, identifying the second API call as an anomalous API call based on the second API call not meeting the set of parameters associated with the set of likely subsequent API calls, and sending a signal to perform a remedial action based on the identifying.

1-20. (canceled)
21. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to: receive, from a client device, a set of application programming interface (API) calls having a sequence; calculate a first consistency score for a pair of API calls from the set of API calls, the first consistency score being based on a first API call in the pair of API calls being within a first predetermined proximity in the sequence of a second API call in the pair of API calls; calculate a second consistency score for the pair of API calls, the second consistency score being based on the first API call in the pair of API calls being within a second predetermined proximity in the sequence of the second API call in the pair of API calls; generate a combined consistency score for the pair of API calls by combining the first consistency score and the second consistency score; and identify, in response to determining that the combined consistency score for the pair of API calls meets a criterion, that the client device is operating in a malicious manner.
22. The non-transitory processor-readable medium of claim 21, further comprising code to cause the processor to: restrict API calls ...

More
Publication date: 07-01-2021

Method and data processing system for detecting a malicious component on an integrated circuit

Number: US20210004499A1
Assignee: NXP BV

A method and data processing system are provided for detecting a malicious component in a data processing system. The malicious component may be of any type, such as a hardware trojan, malware, or ransomware. In the method, a plurality of counters is used to count events in the data processing system during operation, where each event has a counter associated therewith. A machine learning model is trained on a normal pattern of behavior of the data processing system using the event counts. After training, an operation of the data processing system is monitored using the machine learning model. Current occurrences of events in the data processing system are compared to the normal pattern of behavior. If a different pattern of behavior is detected, an indication, such as a flag, of the different pattern of behavior is provided.

More
Publication date: 04-01-2018

Anti-malware device, anti-malware system, anti-malware method, and recording medium in which anti-malware program is stored

Number: US20180004939A1
Author: Masaru Kawakita
Assignee: NEC Corp

An anti-malware device 50 includes: a risk information storage unit 51 in which risk information 510 is stored, in which there are associated a value indicating an attribution of an information processing device 60 for executing software 600, a value indicating an attribution of the software 600, and a value that indicates the degree of risk when the software 600 is executed; a subject attribution collection unit 53 for collecting the value indicating the attribution of the information processing device 60; an object attribution collection unit 54 for collecting the value indicating the attribution of the software 600; and a determination unit 55 for determining that the software 600 is malware when the value indicating the degree of risk obtained by comparing the risk information 510 and the values collected by the subject attribution collection unit 53 and object attribution collection unit 54 satisfies a criterion.

Publication date: 04-01-2018

REGULATING CONTROL TRANSFERS FOR EXECUTE-ONLY CODE EXECUTION

Number: US20180004946A1
Assignee: Intel Corporation

In one embodiment, an apparatus comprises a processor configured to: detect a first control transfer operation; determine that a destination of the first control transfer operation is within code stored in execute-only memory; generate a fault if the destination of the first control transfer operation is an invalid entry point into the code stored in execute-only memory; detect a second control transfer operation while executing the code stored in execute-only memory; and abort execution of the code stored in execute-only memory if the second control transfer operation is detected at an invalid exit point in the code. 1. At least one machine accessible storage medium having instructions stored thereon, the instructions when executed on a machine, cause the machine to: detect a first control transfer operation; determine that a destination of the first control transfer operation is within code stored in execute-only memory; generate a fault if the destination of the first control transfer operation is an invalid entry point into the code stored in execute-only memory; detect a second control transfer operation while executing the code stored in execute-only memory; and abort execution of the code stored in execute-only memory if the second control transfer operation is detected at an invalid exit point in the code. 2. The storage medium of claim 1, wherein one or more secrets are embedded in the code stored in execute-only memory as constant values in one or more processor instructions. 3. The storage medium of claim 2, wherein the instructions that cause the machine to abort execution of the code stored in execute-only memory if the second control transfer operation is detected at an invalid exit point in the code further cause the machine to clear the one or more secrets from one or more registers. 4. The storage medium of claim 1, wherein a valid entry point into the code is identified based on a location of a particular processor instruction in the code. 5. The ...

Publication date: 04-01-2018

ENHANCED CONTROL TRANSFER SECURITY

Number: US20180004947A1
Assignee: Intel Corporation

One embodiment provides a system. The system includes a processor comprising at least one processing unit; a memory; and control transfer (CT) logic. The CT logic is to determine whether a next instruction is a control transfer termination (CTT) when a prior instruction is a control transfer instruction (CTI). The CT logic is to determine whether the CTT is an external CTT, if the next instruction is the CTT; determine whether the prior instruction is an external CTI, if the CTT is the external CTT; and notify an external CTT fault, if the prior instruction is not the external CTI. 1. A control transfer security method comprising: determining, by control transfer (CT) logic, whether a next instruction is a control transfer termination (CTT), when a prior instruction is a control transfer instruction (CTI); determining, by the CT logic, whether the CTT is an external CTT, if the next instruction is the CTT; determining, by the CT logic, whether the prior instruction is an external CTI, if the CTT is the external CTT; and notifying, by the CT logic, an external CTT fault, if the prior instruction is not the external CTI. 2. The method of claim 1, further comprising notifying, by the CT logic, a general CTT fault, if the next instruction is not the CTT. 3. The method of claim 1, wherein the CTI is an internal CTI or an external CTI. 4. The method of claim 3, wherein the internal CTI is selected from the group comprising an internal call instruction (“CALL”) and an internal jump instruction (“JMP”), and the external CTI is selected from the group comprising an external call instruction (“EXCALL”) and an external jump instruction (“EXJMP”). 5. The method of claim 1, wherein the CTT is an internal CTT or an external CTT. 6. The method of claim 5, wherein the internal CTT is an ENDBRANCH and the external CTT is an EXENDBRANCH. 7. A control transfer security method comprising: determining, by control transfer (CT) logic, whether a target of a ...

Publication date: 04-01-2018

METHOD FOR PREDICTING AND CHARACTERIZING CYBER ATTACKS

Number: US20180004948A1
Assignee:

One variation of a method for predicting and characterizing cyber attacks includes: receiving, from a sensor implementing deep packet inspection to detect anomalous behaviors on the network, a first signal specifying a first anomalous behavior of a first asset on the network at a first time; representing the first signal in a first vector representing frequencies of anomalous behaviors—in a set of behavior types—of the first asset within a first time window; calculating a first malicious score representing proximity of the first vector to malicious vectors defining sets of behaviors representative of security threats; calculating a first benign score representing proximity of the first vector to a benign vector representing an innocuous set of behaviors; and in response to the first malicious score exceeding the first benign score and a malicious threshold score, issuing a first alert to investigate the network for a security threat. 1. A method for predicting and characterizing cyber attacks comprising: receiving a first signal specifying a first behavior of a first asset on a network at a first time; compiling the first signal and a first set of signals into a first data structure, each signal in the first set of signals specifying a behavior of the first asset on the network within a first time window of a preset duration up to the first time; calculating a first degree of deviation of the first data structure from a corpus of data structures, each data structure in the corpus of data structures representing a previous set of behaviors of an asset, in a set of assets, on the network within a time window of the preset duration; in response to the first degree of deviation exceeding a deviation threshold score, issuing a first alert to investigate the first asset; calculating a first malicious score proportional to proximity of the first data structure to a first malicious data structure defining a first set of behaviors representative of a first network security ...

Publication date: 04-01-2018

Method For Updating Process Objects In An Engineering System

Number: US20180004949A1
Author: Lutz Benjamin, Palmin Anna
Assignee:

A method for updating process objects of an automation project stored in an engineering system, wherein an automation device is designed and/or configured via the engineering system to control a technical process and wherein, furthermore, the technical process to be controlled can be operated and monitored via an operator system in which changes to process objects made during the run-time are not lost but secured and are automatically “updated” or “traced” in the engineering system. 1. A method for updating process objects of an automation project stored in an engineering system, wherein an automation device being at least one of (i) designed and (ii) configured via the engineering system to control a technical process, and the technical process to be controlled being operable and monitored via an operator system, in cases where a change to at least one process object of the process objects is effected during the process control via the operator system, the method comprising: generating an operating alarm via the operator system and storing the alarm in a process image of the operator system, the operating alarm comprising (a) the change and at least one of (i) user object-based values, (ii) action object-based values and (iii) process object-based values to protect against unauthorized changes at the at least one process object of the process objects and (b) an integrity feature to protect the operating alarm against manipulations; supplying the operating alarm to an archive server and storing the supplied operating alarm in the archive server; reading the operating alarm from the archive server via the engineering system; verifying the integrity feature via the engineering system and comparing at least one of (i) the user object-based values, (ii) the action object-based values and (iii) process object-based values with predefined values stored in the engineering system via the engineering system; adopting the change at the at least one process object in the ...

Publication date: 04-01-2018

Automated Code Lockdown To Reduce Attack Surface For Software

Number: US20180004950A1
Author: Gupta Satya Vrat
Assignee:

In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime. The system may declare a security attack if the captured memory address matches a memory address for an inoperative instruction. 1. A method comprising: determining a set of instructions from available instructions for a computer application, wherein the set of instructions provide specific functionality of the computer application; for each available instruction not in the set of instructions, changing the respective instruction to inoperative to prevent execution of the respective instruction; capturing a memory address of the computer application being accessed at runtime; and declaring a security attack if the captured memory address matches a memory address for an inoperative instruction. 2. The method of claim 1, wherein determining the set of instructions further comprises: performing functional testing on the specific functionality of the computer application; and capturing instructions executed during the functional testing. 3. The method of claim 2, further comprising: performing negative testing on the specific functionality, wherein the negative testing triggers exception handling ...

Publication date: 04-01-2018

SYSTEM AND METHOD TO MITIGATE MALICIOUS CALLS

Number: US20180004951A1
Author: Mathur Rachit, Szor Peter
Assignee: MCAFEE, INC.

Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to receive a function call, determine the location of a memory page that initiated the function call, determine if the memory page is associated with a trusted module, and block the function call if the memory page is not associated with the trusted module. In addition, the system can determine the return address for the function call and block the function call if the return address does not belong to the trusted module. Further, the system can determine a parameter for the function call, determine if the parameter is a known parameter used by the process that called the function, and block the function call if the parameter is not the known parameter used by the process that called the function. 1-25. (canceled) 26. At least one computer-readable medium comprising one or more instructions that, when executed by a processor, cause the processor to execute a method comprising: hooking a user mode asynchronous procedure call (APC) dispatcher function of a dynamic-link library; inspecting a parameter of the APC dispatcher function, and verifying a page that would be executed as an APC routine; ignoring an execution of the APC; and calling an application programming interface function with a parameter. 27. The at least one computer-readable medium of claim 26, wherein the ignoring and calling are performed, if the page is not part of a dynamic-link library of a predetermined program or part of an executable of the predetermined program, or the APC points to code that differs from a file image corresponding to an address in memory. 28. The at least one computer-readable medium of claim 26, wherein the APC dispatcher function is KiUserApcDispatcher. 29. The at least one computer-readable medium of claim 26, wherein the application programming interface function is NtContinue. 30. The at least one computer-readable medium of claim 26, the ...

Publication date: 02-01-2020

Monitoring Real-Time Processor Instruction Stream Execution

Number: US20200004954A1
Assignee:

In one example embodiment, a computing device has a processor that executes a processor instruction stream that causes the processor to perform one or more operations for the computing device. The computing device generates one or more trace data packets including a first instruction pointer of the processor instruction stream, a second instruction pointer of the processor instruction stream subsequent to the first instruction pointer, and a string of characters derived from instructions associated with a control flow transfer between the first instruction pointer of the processor instruction stream and the second instruction pointer of the processor instruction stream. The computing device determines whether the one or more trace data packets are consistent with a secure processor instruction stream known or determined to be secure from malicious processor instructions and, if not, generates an indication that the processor instruction stream is not secure. 1. A method comprising: at a computing device having a processor that executes a processor instruction stream that causes the processor to perform one or more ..., generating one or more trace data packets that include a first instruction pointer of the processor instruction stream, a second instruction pointer of the processor instruction stream subsequent to the first instruction pointer, and a string of characters derived from instructions associated with a control flow transfer between the first instruction pointer of the processor instruction stream and the second instruction pointer of the processor instruction stream; determining whether the one or more trace data packets are consistent with a secure processor instruction stream known or determined to be secure from malicious processor instructions; and if it is determined that the one or more trace data packets are not consistent with the secure processor instruction stream, generating an indication that the processor instruction stream is not secure.

Publication date: 02-01-2020

Dynamic analysis techniques for applications

Number: US20200004963A1
Author: Cong ZHENG, Wenjun Hu, Zhi Xu
Assignee: Palo Alto Networks Inc

A sample is analyzed to determine a set of events that should be selected for performing by a dynamic analyzer executing the sample in an instrumented, emulated environment. The set of selected events is performed. A maliciousness verdict is determined for the sample based at least in part on one or more responses taken by the sample in response to the set of selected events being performed by the dynamic analyzer.

Publication date: 02-01-2020

SYSTEMS AND METHODS FOR DETECTING MALICIOUS ACTIVITY IN A COMPUTER SYSTEM

Number: US20200004964A1
Assignee:

Systems and methods for detecting malicious activity in a computer system. One or more graphs can be generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges in the graphs. Comparison of generated graphs to existing graphs can determine a likelihood of malicious activity. 1. A system for detecting malicious activity in a computer system, the system comprising: a computing platform including computing hardware of at least one processor and memory operably coupled to the at least one processor; and instructions that, when executed on the computing platform, ... a gathering tool configured to collect a plurality of information objects about the computer system, and determine a plurality of relationships between the plurality of information objects; a graph-building tool configured to build at least a first intermediate graph and a second intermediate graph based on the plurality of information objects and the plurality of relationships, wherein the first and second intermediate graphs are formed with the plurality of information objects as vertices and the plurality of relationships as edges, and build a final graph based on the at least first and second intermediate graphs, wherein the final graph includes at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph and at least one edge connecting the at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph; a search tool configured to select, from a graphs database, at least one preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one preexisting graph assigned a malicious activity ratio; and an analysis tool configured to determine malicious activity based on the at least one preexisting graph.

Publication date: 02-01-2020

METHOD AND SYSTEM FOR GENERATING A REQUEST FOR INFORMATION ON A FILE TO PERFORM AN ANTIVIRUS SCAN

Number: US20200004965A1
Assignee:

Disclosed herein are systems and methods for generating a request for information on a file to perform an antivirus scan. In one aspect, an exemplary method comprises, intercepting the file, synchronously calculating a first hash of a portion of the file, searching in a verdict cache, when the hash is found, determining whether the hash belongs to a list of malicious files, when it belongs to the list of malicious files, synchronously calculating a second hash, searching for the second hash in the verdict cache, and pronouncing a final decision as to harmfulness of the file, when the first hash does not belong to the list of malicious files, granting access to the file, asynchronously generating a request for information about the file, calculating a second hash, searching for the information in a verdict cache, and pronouncing a decision as to harmfulness of the file. 1. A method for generating a request for information on a file, the method comprising: intercepting the file during the launching of the file; synchronously calculating a first hash of a portion of the file; synchronously searching for the first hash in a verdict cache; when the first hash is found in the verdict cache, determining whether the first hash belongs to a list of malicious files; when the first hash belongs to the list of malicious files, synchronously calculating a second hash of the file, synchronously searching for the second hash in the verdict cache and/or a remote server, and pronouncing a final decision as to a harmfulness or safety of the file based on the results of the synchronous search; and when the first hash does not belong to the list of malicious files, granting access to the file, asynchronously generating a request for the information about the file including at least an indication as to harmfulness of the file, asynchronously calculating a second hash of the file, asynchronously searching for the information about the file in a verdict cache located on a remote server ...

Publication date: 03-01-2019

MITIGATION OF CODE REUSE ATTACKS BY RESTRICTED INDIRECT BRANCH INSTRUCTION

Number: US20190005230A1
Author: Peleg Nitzan
Assignee:

A method, computer program product and/or system is disclosed. According to an aspect of this invention, one or more processors receive an indirect jump instruction comprising a target address offset and a maximal offset value. One or more processors determine whether the target address offset is valid by comparison of the target address offset and the maximal offset value and one or more processors execute a jump operation based on whether the target address offset is valid. In some embodiments of the present invention, the jump operation comprises one or more processors executing an instruction located at a target address referenced by the target address offset if the target address offset is valid. In some embodiments, the jump operation further comprises one or more processors raising an exception if the target address offset is not valid. 1. A method, comprising: receiving, by one or more processors, an indirect jump instruction comprising a target address offset and a maximal offset value; determining, by one or more processors, whether the target address offset is valid by comparison of the target address offset and the maximal offset value; and executing, by one or more processors, a jump operation based on whether the target address offset is valid; wherein the jump operation comprises executing an instruction located at a target address referenced by the target address offset if the target address offset is valid, and wherein the jump operation comprises raising an exception if the target address offset is not valid. 2. The method of claim 1, wherein receiving, by one or more processors, an indirect jump instruction comprising a target address offset and a maximal offset value comprises: receiving, by one or more processors, an indirect jump instruction comprising a target address offset and a maximal number of bits; and determining, by one or more processors, the maximal offset value by setting a set of bits corresponding to the maximal ...

Publication date: 03-01-2019

MITIGATION OF CODE REUSE ATTACKS BY RESTRICTED INDIRECT BRANCH INSTRUCTION

Number: US20190005231A1
Author: Peleg Nitzan
Assignee:

A method, computer program product and/or system is disclosed. According to an aspect of this invention, one or more processors receive an indirect jump instruction comprising a target address offset and a maximal offset value. One or more processors determine whether the target address offset is valid by comparison of the target address offset and the maximal offset value and one or more processors execute a jump operation based on whether the target address offset is valid. In some embodiments of the present invention, the jump operation comprises one or more processors executing an instruction located at a target address referenced by the target address offset if the target address offset is valid. In some embodiments, the jump operation further comprises one or more processors raising an exception if the target address offset is not valid. 1. receiving, by one or more processors, a first indirect jump instruction comprising a first target address offset and a first maximal offset value; determining, by one or more processors, whether the first target address offset is valid by comparison of the first target address offset and the first maximal offset value; determining, by one or more processors, the first target address offset is valid if the target address offset is between zero and the first maximal offset value; executing, by one or more processors, a first jump operation based on whether the first target address offset is valid, wherein the first jump operation comprises executing an instruction located at a first target address referenced by the first target address offset if the first target address offset is valid, and wherein the first jump operation comprises raising a first exception if the first target address offset is not valid; receiving, by one or more processors, a second indirect jump instruction comprising a second target address offset and a first maximal number of bits; determining, by one or more processors, a second maximal offset value by ...

Publication date: 03-01-2019

Electronic control unit

Number: US20190005232A1
Author: Motonori Ando
Assignee: Denso Corp

An electronic control unit includes: a memory saving a program that has a call/return to/from a function represented as a control flow together with the function itself and a check instruction inserted in a program code of the program for checking whether the program code is executable based on the control flow. The electronic control unit may also include an input unit receiving an input of use frequency information indicative of a use frequency of the function; a measurement unit measuring a load of the electronic control unit; an execution object determiner determining the check instruction to be executed based on the use frequency information and the load; and an arithmetic unit executing the check instruction determined by the execution object determiner at a time of execution of the program.

Publication date: 03-01-2019

Discrete Processor Feature Behavior Collection

Number: US20190005234A1
Author: Klonowski Eric
Assignee: WEBROOT INC.

Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor. 1. A system comprising: one or more processors; and memory coupled to at least one of the one or more processors, the memory comprising computer executable instructions that, when executed by the at least one processor, performs a method for discrete processor feature behavior collection and analysis, the method comprising: monitoring software content; detecting interaction between the software content and the system, wherein the interaction relates to loading into memory a set of instructions, and wherein the interaction generates performance data; evaluating the loaded set of instructions to identify a first set of calls; evaluating the performance data to identify a second set of calls; comparing the first set of calls to the second set of calls to identify a third set of calls, wherein the third set of calls represent calls of interest; and evaluating the third set of calls to categorize the software content. 2. The system of claim 1, the method further comprising initializing one or more performance monitoring feature sets to be monitored by the one or more processors ...

Publication date: 03-01-2019

Advanced File Modification Heuristics

Number: US20190005235A1
Assignee: Webroot Inc

Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read-write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion; thereby, mitigating malicious cyberattacks and/or unauthorized accesses.

Publication date: 03-01-2019

RESET ATTACK DETECTION

Number: US20190005240A1
Assignee:

An apparatus has a number of data holding elements for holding data values which are reset to a reset value in response to a transition of a signal at a reset signal input of the data holding element from a first value to a second value. A reset tree is provided to distribute a reset signal received at root node of the reset tree to the reset signal inputs of the data holding elements. At least one reset attack detection element is provided, with its reset signal input coupled to a given node of the reset tree, to assert an error signal when its reset signal input transitions from the first value to a second value. Reset error clearing circuitry triggers clearing of the error signal, when the reset signal at the root node of the reset tree transitions from the second value to the first value. 1. An apparatus comprising: a plurality of data holding elements, each to hold a data value and to reset the data value to a reset value in response to a transition of a signal at a reset signal input of the data holding element from a first value to a second value; a reset tree to distribute a reset signal received at a root node of the reset tree to reset signal inputs of the plurality of data holding elements; at least one reset attack detection element comprising a reset signal input to receive the reset signal from a corresponding node of the reset tree, and to assert an error signal in response to a transition of a signal at the reset signal input of the reset attack detection element from the first value to the second value; and reset error clearing circuitry to control each reset attack detection element to clear its error signal, in response to a transition of the reset signal received at the root node of the reset tree from the second value to the first value. 2. The apparatus according to claim 1, comprising attack handling circuitry to detect a reset tree attack when one of said at least one reset attack detection element asserts the error signal in response to a ...

Publication date: 03-01-2019

MEMORY LAYOUT BASED MONITORING

Number: US20190005241A1
Author: Boutnaru Shlomi
Assignee: PayPal, Inc.

Techniques for monitoring based on a memory layout of an application are disclosed. A memory layout may be received, obtained, and/or generated from an application executing on a computer. Based on one or more attributes of a plurality of memory regions of the memory layout a memory layout fingerprint is generated. Additionally, memory region fingerprints are generated based on the one or more attributes for respective memory regions. The memory layout fingerprint and the memory region fingerprints are compared to respective previous memory layout fingerprints and the memory region fingerprints in order to determine whether malicious code and/or application drifting has occurred. 1: A computer-implemented method for monitoring based on a memory layout of an application, the method comprising: receiving the memory layout of the application executing on a first computer, the memory layout including a plurality of memory regions of the application executing on the first computer, wherein each memory region includes one or more attributes of the memory region of the application executing on the first computer; generating a memory layout fingerprint for the application executing on the first computer based on one or more attributes of one or more of the memory regions of the plurality of memory regions; determining whether the memory layout fingerprint for the application matches a previous memory layout fingerprint for the application; and responsive to determining the memory layout fingerprint for the application does not match the previous memory layout fingerprint, flagging the application for review. 2: The method according to claim 1, further comprising: monitoring the application executing on the at least the first computer by iteratively performing each step. 3: The method according to claim 1, wherein the one or more attributes of the memory region of the application executing on the first computer include one or more of a size of a memory address of the memory ...

Publication date: 03-01-2019

Determining the Similarity of Binary Executables

Number: US20190005242A1
Assignee:

In some implementations, a computing device can determine the similarity of binary executables. For example, the computing device can receive an application, including a binary executable. The computing device can generate function signatures for the functions called within the binary executable. The computing device can generate a locality sensitive hash value for the application based on the function signatures. The computing device can group applications based on the locality sensitive hash value generated for each application. The computing device can compare the function signatures of the binary executables of the applications within a group to determine the similarity of the applications. If two applications have binary executables that are over a threshold percentage of similarity, the two applications can be identified as clones of each other.

1. A method comprising: receiving, by a computing device, an application executable; generating, by the computing device, function signatures for functions called within the application executable; generating, by the computing device, a first value for the application executable based on the function signatures; grouping, by the computing device, the received application executable with one or more other application executables into an application group based on the first value; comparing, by the computing device, the received application executable to the one or more other applications in the application group; determining, by the computing device, that the received application executable and at least one other application executable are functionally the same application.

2. The method of claim 1, wherein generating function signatures includes: determining opcodes within the application executable corresponding to a particular function; combining the opcodes to generate a string of opcodes; and generating a hash value based on the string of opcodes.

3. The method of claim 1, wherein the first value is a locality ...
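
The pipeline of claims 1 to 3 as an added example, not the patent's implementation. Disassembly is assumed to have been done already, so each function is given as its opcode mnemonic sequence (the three applications below are constructed). A function signature is the hash of the concatenated opcodes; the application's locality sensitive value is a banded MinHash over its set of signatures and is used only to bucket candidate pairs; the clone decision is the exact Jaccard similarity of the signature sets against a threshold, 80% here (the page gives no threshold value).

```python
"""Binary-clone detection from function signatures and a banded MinHash.

Added example, not the patent's implementation.  Functions are given as
opcode mnemonic sequences (constructed data), i.e. disassembly is assumed.
"""
import hashlib
from collections import defaultdict
from itertools import combinations


def function_signature(opcodes: list[str]) -> str:
    """Claim 2: concatenate a function's opcodes and hash the string."""
    return hashlib.sha1(" ".join(opcodes).encode()).hexdigest()


def app_signatures(functions: dict[str, list[str]]) -> set[str]:
    return {function_signature(ops) for ops in functions.values()}


def _seeded_hash(seed: int, value: str) -> int:
    return int.from_bytes(hashlib.sha1(f"{seed}:{value}".encode()).digest()[:8], "big")


def minhash(signatures: set[str], n: int) -> list[int]:
    return [min(_seeded_hash(i, s) for s in signatures) for i in range(n)]


def lsh_bands(signatures: set[str], bands: int = 32, rows: int = 2) -> list[tuple[int, ...]]:
    """Locality sensitive value: the MinHash split into bands; one shared band = candidate pair.
    Two sets with Jaccard similarity J share a given band with probability J**rows."""
    mh = minhash(signatures, bands * rows)
    return [(b, *mh[b * rows:(b + 1) * rows]) for b in range(bands)]


def jaccard(a: set[str], b: set[str]) -> float:
    return len(a & b) / len(a | b)


def find_clones(apps: dict[str, dict[str, list[str]]], threshold: float = 0.8) -> list[tuple[str, str, float]]:
    sigs = {name: app_signatures(fns) for name, fns in apps.items()}
    buckets = defaultdict(set)
    for name, s in sigs.items():
        for band in lsh_bands(s):
            buckets[band].add(name)
    candidates = set()
    for members in buckets.values():
        candidates.update(combinations(sorted(members), 2))
    clones = []
    for x, y in sorted(candidates):           # exact comparison only within buckets
        sim = jaccard(sigs[x], sigs[y])
        if sim >= threshold:
            clones.append((x, y, sim))
    return clones


# Constructed opcode streams; "repackaged" is "original" plus one injected function.
_COMMON = {
    "init":    ["push", "mov", "sub", "call", "add", "pop", "ret"],
    "login":   ["push", "mov", "cmp", "jne", "call", "xor", "pop", "ret"],
    "sync":    ["push", "mov", "lea", "call", "test", "jz", "call", "pop", "ret"],
    "render":  ["push", "mov", "movss", "mulss", "addss", "pop", "ret"],
    "cleanup": ["push", "mov", "call", "call", "xor", "pop", "ret"],
}
APPS = {
    "original": dict(_COMMON),
    "repackaged": {**_COMMON, "adloader": ["push", "mov", "call", "lea", "call", "pop", "ret"]},
    "unrelated": {
        "init":   _COMMON["init"],   # a stock prologue that many binaries share
        "parse":  ["push", "mov", "movzx", "cmp", "ja", "shl", "or", "pop", "ret"],
        "emit":   ["push", "mov", "rep", "stosb", "pop", "ret"],
        "lookup": ["push", "mov", "xor", "div", "mov", "pop", "ret"],
        "exit":   ["mov", "syscall"],
    },
}

if __name__ == "__main__":
    for x, y, sim in find_clones(APPS):
        print(f"{x} ~ {y}: {sim:.0%} of function signatures shared")
```

The bucketing is what keeps this sub-quadratic on a large corpus: only pairs that land in a common band are compared exactly, so a corpus-wide pass costs a hash per application rather than a comparison per pair. The banding's miss rate, (1 - J^rows)^bands, is the tuning knob; with 32 bands of 2 rows it is negligible for any pair above the 80% threshold, while the unrelated application, which shares only the stock prologue, is rejected by the exact comparison even when a band happens to collide.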

Publication date: 03-01-2019

Segregating executable files exhibiting network activity

Number: US20190005243A1
Author: Amit Malik, Neeraj Thakar
Assignee: McAfee LLC

Systems, computer readable media, apparatuses, and methods are disclosed for segregating executable files exhibiting network activity. An example apparatus includes at least one processor and memory including instructions which, when executed, cause the at least one processor to launch an executable file in a segmented portion of a computing system to load one or more dynamically linked libraries (DLLs) associated with the executable file into a process environment block (PEB) of the segmented portion, enumerate the PEB to generate an address list of the one or more DLLs, scan the one or more DLLs to determine whether the one or more DLLs are to perform network activity, and perform malware analysis on the executable file when at least one of the one or more DLLs are to perform network activity.

Publication date: 05-01-2017

Automatically preventing and remediating network abuse

Number: US20170006053A1
Assignee: Microsoft Technology Licensing LLC

Various embodiments described herein are directed to optimizing cloud computing infrastructure functionality based on an abuse prevention and remediation platform. A tenant profile may have a tenant confidence score for a tenant, the tenant confidence score being an indicator of the reputation of the tenant's usage of cloud computing resources. Based on the confidence score of the tenant, one or more policies for the tenant may be identified limiting access to cloud computing resources. If the virtual internet protocol address (VIP) of the tenant is determined to be tainted, the VIP may be quarantined in a tainted VIP pool, the quarantining excluding the VIP from being selected for use until the VIP is clean. A cleanup routine may be executed, the cleanup routine communicating remedial actions for the tainted VIP. Upon completion of the cleanup routine, the VIP may be restored to a clean VIP pool.

Publication date: 01-01-2015

System and method for detecting malicious links in electronic messages

Number: US20150007312A1
Assignee: Individual

According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

Publication date: 01-01-2015

IDENTIFYING WHETHER AN APPLICATION IS MALICIOUS

Number: US20150007322A1
Assignee:

Identifying whether a first application is malicious. The first application can be presented for installation on a processing system. The first application can be scanned, via a static analysis implemented by a processor, to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system. When the user interface layout of the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, an alert can be generated indicating that the first application is malicious.

1. A method of identifying whether a first application is malicious, the method comprising: detecting the first application being presented for installation on a processing system; scanning, via a static analysis implemented by a processor, the first application to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system; and responsive to determining that the user interface layout of the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, generating an alert indicating that the first application is malicious.

2. The method of claim 1, further comprising: during execution of the first application by the processing system, performing a runtime analysis of the first application, the runtime analysis comprising determining whether the user interface layout of the first application is suspiciously similar to the user interface layout of the second application; and responsive to the runtime analysis indicating that the user interface layout of the first application is suspiciously similar to the user interface layout of the second application, generating the alert indicating that the first application is malicious; responsive to ...

Publication date: 01-01-2015

Systems and Methods Involving Features of Hardware Virtualization Such as Separation Kernel Hypervisors, Hypervisors, Hypervisor Guest Context, Hypervisor Contest, Rootkit Detection/Prevention, and/or Other Features

Number: US20150007326A1
Assignee: LynuxWorks, Inc.

Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.

1. A method for processing information securely, the method comprising: partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; and isolating and/or securing the domains in time and/or space from each other.

2. The method of claim 1, further comprising one or more of: hosting the plurality of guest operating system virtual machine protection domains by the separation kernel hypervisor; hosting/processing at least one malicious code and/or root kit defense mechanism, each of which may be different from each other, that executes within one or more of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor; implementing at least one routine and/or component to prohibit the guest operating system virtual machine protection domains from tampering with, corrupting, and/or bypassing the malicious code and/or root kit defense mechanism(s); and/or executing the malicious code and/or root kit defense mechanism(s) while preventing interference and/or bypassing/corrupting/tampering by the plurality of guest operating system virtual machine protection ...

Publication date: 03-01-2019

SANDBOX BASED INTERNET ISOLATION IN AN UNTRUSTED NETWORK

Number: US20190007257A1
Assignee: L3 Technologies, Inc.

Methods and systems are disclosed for sandbox based internet isolation in an untrusted network. A host computer system may include a host-based firewall, an operating system, a first memory space, and a second memory space. The host-based firewall may be configured to prevent unauthorized communication between the trusted host computer system and one or more other devices on an untrusted LAN and/or the Internet. The second memory space may be configured to enable storage and/or operation of one or more applications and/or processes associated with a sandboxed computing environment. The host computer system may include a sandbox firewall that enforces separation of the first and second memory spaces.

1. A host computer system, wherein the host computer system comprises a processor and memory configured to implement at least: a first memory space that is configured to enable storage and operation of a workspace configured to execute a first set of one or more applications and processes running on an operating system of the host computer system; a second memory space that is configured to enable storage and operation of a second set of one or more applications and processes associated with a sandboxed computing environment configured to run on the operating system, wherein the second set of one or more applications and processes comprise a browser process configured to operate within the sandboxed computing environment, the browser process being configured to access the Internet and other untrusted resources, and wherein the sandboxed computing environment is enforced via a sandbox container process that segregates the workspace associated with the first memory space from the sandboxed computing environment associated with the second memory space, and wherein the sandbox container process is configured to prevent data from being communicated between the sandboxed computing environment and the workspace without an explicit user input; and a first firewall configured to ...

Publication date: 20-01-2022

Systems and methods for executable code detection, automatic feature extraction and position independent code detection

Number: US20220019659A1
Assignee: Sentinel Labs Israel Ltd

Disclosed herein are systems and methods for enabling the automatic detection of executable code from a stream of bytes. In some embodiments, the stream of bytes can be sourced from the hidden areas of files that traditional malware detection solutions ignore. In some embodiments, a machine learning model is trained to detect whether a particular stream of bytes is executable code. Other embodiments described herein disclose systems and methods for automatic feature extraction using a neural network. Given a new file, the systems and methods may preprocess the code to be inputted into a trained neural network. The neural network may be used as a “feature generator” for a malware detection model. Other embodiments herein are directed to systems and methods for identifying, flagging, and/or detecting threat actors which attempt to obtain access to library functions independently.

Publication date: 14-01-2016

MALWARE DETECTION SYSTEM AND METHOD FOR COMPRESSED DATA ON MOBILE PLATFORMS

Number: US20160012227A1
Assignee:

A system and method for detecting malware in compressed data. The system and method identify a set of search strings extracted from compressed executables, each of which is infected with malware from a family of malware. The search strings detect the presence of the family of malware in other compressed executables, fragments of compressed executables, or data streams.

1. A computing device for developing search strings for detecting malware in compressed data, the device comprising: a non-transitory memory having stored thereon a plurality of malware-infected executables infected with a family of malware, wherein each of the plurality of malware-infected executables comprises a respective compressed code portion; and a hardware-based processor configured to: extract a plurality of candidate strings from the compressed code portions of the plurality of malware-infected executables; identify at least one of the plurality of candidate strings that is present in each of the plurality of malware-infected executables as a search string common to the compressed code portions of the plurality of malware-infected executables; and store the search string common to the plurality of malware-infected executables to a mobile device to cause the mobile device to determine whether target applications including compressed code portions are infected with malware based at least in part on the search string.

2. The computing device of claim 1, wherein the hardware-based processor is configured to extract candidate strings from uncompressed header portions of the plurality of malware-infected executables.

3. The computing device of claim 1, wherein the candidate strings are extracted from non-ASCII portions of the compressed code portions of the plurality of malware-infected executables.

4. The computing device of claim 1, wherein the hardware-based processor is configured to identify a plurality of search strings common to the compressed code portions of the plurality of ...
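
An added example of the search-string derivation in claim 1, not the patent's code. The samples are constructed container files whose entries are individually zlib-compressed, as ZIP/APK entries are; both infected samples carry the same compressed dropper entry plus a legitimate library that the clean samples also carry. Candidates are fixed-length byte n-grams taken from the compressed portions; a candidate survives only if it occurs in every infected sample and in no clean sample, and adjacent survivors are merged into one search string. The entry sizes, the n-gram length and the filler content are assumptions.

```python
"""Family search strings derived from compressed code portions.

Added example, not the patent's code.  Samples are constructed container
files whose entries are zlib-compressed one by one (as ZIP/APK entries are).
"""
import hashlib
import zlib


def _blob(seed: str, size: int) -> bytes:
    """Deterministic incompressible filler standing in for real code (constructed)."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


LIB = _blob("support-library", 256)     # legitimate library, also present in clean apps
DROPPER = _blob("family-dropper", 256)  # the family's injected code


def container(*entries: bytes) -> bytes:
    """A file made of separately compressed entries, each keeping its zlib header and trailer."""
    return b"".join(zlib.compress(e, 9) for e in entries)


INFECTED = [
    container(_blob("app-1", 128), LIB, DROPPER),
    container(_blob("app-2", 128), DROPPER, LIB),   # different entry order in this sample
]
CLEAN = [
    container(_blob("app-3", 128), LIB),
    container(_blob("app-4", 128)),
]


def ngrams(data: bytes, n: int) -> set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def merge_runs(sample: bytes, grams: set[bytes], n: int) -> list[bytes]:
    """Collapse overlapping surviving n-grams of one sample into maximal byte runs."""
    runs, i = [], 0
    while i <= len(sample) - n:
        if sample[i:i + n] in grams:
            j = i
            while j <= len(sample) - n and sample[j:j + n] in grams:
                j += 1
            runs.append(sample[i:j + n - 1])
            i = j
        else:
            i += 1
    return runs


def derive_search_strings(infected: list[bytes], clean: list[bytes], n: int = 12) -> list[bytes]:
    common = set.intersection(*(ngrams(s, n) for s in infected))   # in every infected sample
    for c in clean:
        common -= ngrams(c, n)                                      # and in no clean sample
    return merge_runs(infected[0], common, n)


def scan(target: bytes, search_strings: list[bytes]) -> bool:
    return any(s in target for s in search_strings)


if __name__ == "__main__":
    strings = derive_search_strings(INFECTED, CLEAN)
    print(len(strings), "search string(s) of", [len(s) for s in strings], "bytes")
    print("new infected sample detected:", scan(container(_blob("app-9", 128), DROPPER, LIB), strings))
    print("clean sample detected:", scan(container(_blob("app-9", 128), LIB), strings))
```

The clean-corpus subtraction is what removes the bundled library, which is common to every infected sample too and would otherwise become a false-positive signature. The caveat a practitioner must keep in mind: byte strings over compressed data only work when the family's code compresses to identical bytes, as a separately compressed entry does. Code that is compressed together with varying neighbours changes its back-references and bit alignment from sample to sample, which is why claim 2 also mines the uncompressed header portions.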

Publication date: 14-01-2016

IDENTIFICATION OF BACKDOORS AND BACKDOOR TRIGGERS

Number: US20160012228A1
Assignee:

Disclosed are devices, systems, apparatus, methods, products, media, and other implementations, including a method that includes computing, for one or more inputs of a circuit, associated metrics representative of the degree of influence that values of each of the one or more inputs have on at least one output dependent on the one or more inputs, and determining, based at least in part on the computed metrics associated with the one or more inputs, whether the at least one output dependent on the one or more inputs is part of a potentially malicious implementation.

1. A method comprising: computing, for one or more inputs of a circuit, associated metrics representative of the degree of influence that values of each of the one or more inputs have on at least one output dependent on the one or more inputs; and determining, based at least in part on the computed metrics associated with the one or more inputs, whether the at least one output dependent on the one or more inputs is part of a potentially malicious implementation.

2. The method of claim 1, wherein determining, based at least in part on the computed metrics associated with the one or more inputs, whether the at least one output dependent on the one or more inputs is part of a potentially malicious implementation comprises: identifying, from the one or more inputs on which the at least one output is dependent, at least one malicious triggering input configured to trigger malicious behavior of the potentially malicious implementation.

3. The method of claim 1, wherein the potentially malicious implementation comprises a potential electronic backdoor implementation.

4. The method of claim 1, wherein computing for the one or more inputs of the circuit the associated metrics comprises: generating a truth table for the one or more inputs and the at least one output dependent on the one or more inputs, the truth table including at least some combinations of input values for the one or more ...
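
A worked version of the metric in claims 1, 2 and 4 as an added example; the circuits, the magic constant and the threshold are constructed and this is not the patent's code. Every input assignment of a small combinational circuit is enumerated, each input is flipped in turn, and an input's control value on an output is the fraction of assignments in which that flip changes the output. Inputs that the output does depend on but that almost never influence it are reported as trigger candidates: a compare against a hidden magic constant only matters when all of the other trigger bits already match.

```python
"""Input-influence (control value) metrics for locating backdoor triggers.

Added example (FANCI-style control values), not the patent's code.  The
circuits, the MAGIC constant and the threshold are constructed.
"""
from itertools import product

N_DATA, N_TRIG = 4, 4               # 4-bit data words a and b, 4 trigger bits t
MAGIC = 0b1010                      # hidden trigger constant (constructed)
N_INPUTS = 2 * N_DATA + N_TRIG
INPUT_NAMES = ([f"a{i}" for i in range(N_DATA)] + [f"b{i}" for i in range(N_DATA)]
               + [f"t{i}" for i in range(N_TRIG)])


def clean_xor(bits: tuple[int, ...]) -> tuple[int, ...]:
    a, b = bits[:N_DATA], bits[N_DATA:2 * N_DATA]
    return tuple(x ^ y for x, y in zip(a, b))


def backdoored_xor(bits: tuple[int, ...]) -> tuple[int, ...]:
    t = bits[2 * N_DATA:]
    if sum(bit << i for i, bit in enumerate(t)) == MAGIC:
        return (1,) * N_DATA        # trigger fires: output forced regardless of a and b
    return clean_xor(bits)


def control_values(circuit, n_inputs: int, n_outputs: int) -> list[list[float]]:
    """cv[o][i] = fraction of assignments in which flipping input i changes output o."""
    counts = [[0] * n_inputs for _ in range(n_outputs)]
    total = 0
    for bits in product((0, 1), repeat=n_inputs):       # full truth table (claim 4)
        total += 1
        base = circuit(bits)
        for i in range(n_inputs):
            out = circuit(bits[:i] + (bits[i] ^ 1,) + bits[i + 1:])
            for o in range(n_outputs):
                if out[o] != base[o]:
                    counts[o][i] += 1
    return [[c / total for c in row] for row in counts]


def suspicious_inputs(cv: list[list[float]], threshold: float = 0.1) -> dict[int, list[int]]:
    """Per output: inputs in its cone (cv > 0) whose control value is below threshold."""
    flagged = {}
    for o, row in enumerate(cv):
        low = [i for i, v in enumerate(row) if 0 < v < threshold]
        if low:
            flagged[o] = low
    return flagged


def analyse(circuit) -> dict[int, list[str]]:
    cv = control_values(circuit, N_INPUTS, N_DATA)
    return {o: [INPUT_NAMES[i] for i in idx] for o, idx in suspicious_inputs(cv).items()}


if __name__ == "__main__":
    print("clean unit:     ", analyse(clean_xor))
    print("backdoored unit:", analyse(backdoored_xor))
```

On the backdoored unit each trigger bit has a control value of exactly 1/16 on every output bit (it only matters in the rows where the other three bits match the constant, and only when the forced value differs from the normal one), while the data inputs keep values near 1. The full truth table is only feasible for a small cone; claim 4 speaks of "at least some combinations" because on a real design the rows are sampled, and the metric is then an estimate whose error shrinks with the sample size.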

Publication date: 14-01-2016

Protection Against Return Oriented Programming Attacks

Number: US20160012229A1
Author: Fischer Stephen A.
Assignee:

In one embodiment, a processor includes at least one execution unit. The processor also includes Return Oriented Programming (ROP) logic coupled to the at least one execution unit. The ROP logic may validate a return pointer stored on a call stack based on a secret ROP value. The secret ROP value may only be accessible by the operating system.

1. A processor comprising: a core including a fetch unit to fetch instructions, a decode unit to decode the fetched instructions, at least one execution unit to execute one or more of the decoded instructions, and a first logic comprising at least one hardware circuit coupled to the at least one execution unit, the first logic to: generate a check value based on a secret value responsive to a first instruction of an instruction set architecture (ISA); push the check value onto a call stack associated with a return pointer; pop the return pointer and the check value off the call stack responsive to a second instruction of the ISA; and determine whether the check value is valid based on a comparison to a validation check value.

2. The processor of claim 1, wherein the secret value is only accessible to an operating system, the secret value to be generated at a beginning of a session and stored in a secure location.

3. The processor of claim 2, wherein the secret value corresponds to a salt value based on a ROP security level.

4. The processor of claim 1, wherein, in response to a determination that the check value is valid, the processor is to resume execution at a location specified by the return pointer, and otherwise indicate a possible Return Oriented Programming (ROP) attack.

5. The processor of claim 1, further comprising a control register including at least one bit to indicate whether the first logic is enabled.

6. The processor of claim 1, wherein the first logic is to generate the secret value under control of an operating system, responsive to a third instruction ...
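
A software model of the check-value mechanism of claims 1 to 4, added here; it is not the patent's design or any processor's implementation, and the HMAC construction, the salt and the 64-bit check width are assumptions. On a call the return pointer is pushed together with a check value keyed by a secret that only the operating-system side holds; on return both are popped and the check value is recomputed. An overflow that rewrites the return pointer cannot supply a matching check value without the secret, so the forged return is caught before control would transfer.

```python
"""Software model of a secret-keyed stack check value (ROP defence).

Added example; not the patent's design or any processor's implementation.
The HMAC construction, 64-bit check width and salt are assumptions.
"""
import hashlib
import hmac
import secrets


class RopAttackDetected(Exception):
    pass


class CheckedCallStack:
    """Models the call stack plus the 'first logic' that guards return pointers."""

    def __init__(self, secret: bytes, salt: int = 0):
        self._secret = secret       # OS-only in the hardware design; the program never reads it
        self._salt = salt           # stands in for the security-level salt of claim 3
        self.stack: list[int] = []  # top of stack is the end of the list

    def check_value(self, ret: int) -> int:
        msg = self._salt.to_bytes(4, "little") + ret.to_bytes(8, "little")
        return int.from_bytes(hmac.new(self._secret, msg, hashlib.sha256).digest()[:8], "little")

    def call(self, ret: int) -> None:
        """First instruction: push the return pointer and its check value."""
        self.stack.append(ret)
        self.stack.append(self.check_value(ret))

    def ret(self) -> int:
        """Second instruction: pop both, recompute, and only then release the target."""
        check = self.stack.pop()
        ret = self.stack.pop()
        expected = self.check_value(ret)
        if not hmac.compare_digest(check.to_bytes(8, "little"), expected.to_bytes(8, "little")):
            raise RopAttackDetected(f"return pointer {ret:#x} failed validation")
        return ret


def overflow(cs: CheckedCallStack, payload: list[int]) -> None:
    """Constructed attacker write: a stack buffer overflow that rewrites the top slots."""
    cs.stack[-len(payload):] = payload


def run(attack: bool) -> str:
    cs = CheckedCallStack(secrets.token_bytes(32), salt=1)
    legit_ret = 0x401234
    gadget = 0x7FFFF7A1C3D2          # attacker-chosen gadget address (constructed)
    cs.call(legit_ret)
    if attack:
        # The attacker controls both slots but cannot compute a valid check value.
        overflow(cs, [gadget, 0x4141414141414141])
    try:
        return f"returned to {cs.ret():#x}"
    except RopAttackDetected:
        return "rop-detected"


if __name__ == "__main__":
    print(run(attack=False))
    print(run(attack=True))
```

Because the check value lives next to the return pointer, any overflow that reaches one reaches the other; the defence rests on the secret, not on where the check value sits, which is why claim 2 insists the secret is readable only by the operating system. The model also shows the cost the design accepts: the check is computed on every call and verified on every return, which is the reason for putting it in the ISA rather than in compiler-emitted code.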

Publication date: 11-01-2018

METHOD OF AND SYSTEM FOR ANALYSIS OF INTERACTION PATTERNS OF MALWARE WITH CONTROL CENTERS FOR DETECTION OF CYBER ATTACK

Number: US20180012021A1
Assignee:

This technical solution relates to systems and methods of cyber attack detection, and more specifically to methods and systems for analyzing the protocols of interaction between malware and its control centres (servers), for the detection of cyber attacks. The method comprises: uploading the malware application into at least one virtual environment; collecting, by the server, a plurality of malware requests transmitted by the malware application to the malware control center; analyzing the plurality of malware requests to determine, for each given malware request, at least one malware request parameter contained therein and the order of the at least one malware request parameter. The method then groups the plurality of malware requests based on shared similar malware request parameters contained therein and their order and, for each group of the at least one group containing at least two malware requests, generates a regular expression describing the malware request parameters and their order for the group, which regular expression can be used as an emulator of the malware application.

1. A method for analyzing an interaction framework between a malware application and a malware control center associated with the malware application, the method executable by a server, the malware application, the malware control center and the server being communicatively coupled via a communication network, the method comprising: uploading the malware application into at least one virtual environment, the at least one virtual environment being executable by the server; collecting, by the server, a plurality of malware requests transmitted by the malware application to the malware control center via the communication network; analyzing the plurality of malware requests to determine, for each given malware request: at least one malware request parameter contained therein; and an order thereof of the at least one malware request parameter; grouping, into at least one group ...
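
The grouping and regular-expression step of the method, as an added example; the request lines are constructed sandbox captures, the value-class inference rules are assumptions, and this is not the patent's implementation. Requests are parsed into method, path and ordered parameter list, grouped by method, path and parameter order, and each group with at least two members is turned into a regular expression: a parameter whose value never changes becomes a literal, otherwise the narrowest character class that fits every observed value, with the observed length range.

```python
"""Regular expressions for malware C2 request groups.

Added example, not the patent's implementation.  The request lines are
constructed sandbox captures and the value-class rules are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed captures: three beacons to one gate, two uploads, one unrelated fetch.
REQUESTS = [
    "GET /gate.php?id=5f4dcc3b5aa765d61d8327deb882cf99&v=2&cmd=ping HTTP/1.1",
    "GET /gate.php?id=0cc175b9c0f1b6a831c399e269772661&v=2&cmd=ping HTTP/1.1",
    "GET /gate.php?id=92eb5ffee6ae2fec3ad71c777531578f&v=2&cmd=task HTTP/1.1",
    "POST /upload.php?id=5f4dcc3b5aa765d61d8327deb882cf99&n=1&data=SGVsbG8= HTTP/1.1",
    "POST /upload.php?id=0cc175b9c0f1b6a831c399e269772661&n=12&data=d29ybGQhIQ== HTTP/1.1",
    "GET /favicon.ico HTTP/1.1",
]

# Narrowest class first; the first one that fits every observed value wins (assumption).
_CLASSES = (
    (r"\d+", r"\d"),
    (r"[0-9a-f]+", "[0-9a-f]"),
    (r"[a-z]+", "[a-z]"),
    (r"[A-Za-z0-9+/]+=*", "[A-Za-z0-9+/=]"),
)


def parse_request(line: str) -> tuple[str, str, list[tuple[str, str]]]:
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def value_class(values: list[str]) -> str:
    """Literal for a constant parameter, otherwise a character class with the observed length range."""
    if len(set(values)) == 1:
        return re.escape(values[0])
    lo, hi = min(map(len, values)), max(map(len, values))
    quant = f"{{{lo}}}" if lo == hi else f"{{{lo},{hi}}}"
    for probe, cls in _CLASSES:
        if all(re.fullmatch(probe, v) for v in values):
            return cls + quant
    return "[^&]" + quant


def group_requests(lines: list[str]) -> dict[tuple, list[list[tuple[str, str]]]]:
    """Group by method, path and the ordered parameter names (the claim's parameters and their order)."""
    groups = defaultdict(list)
    for line in lines:
        method, path, params = parse_request(line)
        groups[(method, path, tuple(name for name, _ in params))].append(params)
    return groups


def build_regexes(lines: list[str], min_group: int = 2) -> dict[tuple, str]:
    out = {}
    for (method, path, names), reqs in group_requests(lines).items():
        if len(reqs) < min_group:          # a singleton gives no evidence of a protocol
            continue
        pieces = [f"{re.escape(name)}={value_class([p[idx][1] for p in reqs])}"
                  for idx, name in enumerate(names)]
        out[(method, path, names)] = f"^{re.escape(method)} {re.escape(path)}\\?{'&'.join(pieces)}$"
    return out


def match_request(line: str, regexes: dict[tuple, str]):
    """Return the group key whose expression matches the request line, else None."""
    method, target, _version = line.split(" ", 2)
    for key, rx in regexes.items():
        if re.fullmatch(rx, f"{method} {target}"):
            return key
    return None


if __name__ == "__main__":
    for key, rx in build_regexes(REQUESTS).items():
        print(key, "->", rx)
```

The expressions are anchored and keep the parameter order, so a request with the same parameters in a different order does not match, which is the point of grouping on order in the first place. The class inference is deliberately greedy toward the narrowest class: an identifier that happened to be all digits in every capture would be learned as numeric, so the expressions should be re-derived as more captures arrive rather than treated as final after one sandbox run.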

Publication date: 10-01-2019

Malicious software identification

Number: US20190012457A1
Assignee: British Telecommunications plc

A computer implemented method to identify a derivative of one or more malicious software components in a computer system including: evaluating a measure of a correlation fractal dimension (CFD) for at least a portion of a monitored software component in the computer system, the CFD including a plurality of CFD values varying with a resolution of fractal dimension; and comparing the plurality of CFD values with a reference measure of CFD for each of the malicious software components, each reference measure of CFD including a plurality of CFD values varying with a resolution of fractal dimension, so as to identify one or more of the plurality of malicious software components from which the monitored software component is derived.

Publication date: 10-01-2019

RANSOMWARE DETECTION APPARATUS AND OPERATING METHOD THEREOF

Number: US20190012459A1

A ransomware detection apparatus and an operation method thereof are provided. The ransomware detection apparatus may include a frequency converter receiving an OP code currently being executed in a CPU and converting a value of the OP code into a frequency domain to generate a first OP code frequency waveform, a memory storing a second OP code frequency waveform, which is a value obtained by converting the OP code corresponding to a ransomware encryption algorithm into a frequency domain, and a ransomware determiner comparing the first OP code frequency waveform with the second OP code frequency waveform to determine whether ransomware operates.

1. A ransomware detection apparatus comprising: a frequency converter receiving an OP code currently being executed in a CPU and converting a value of the OP code into a frequency domain to generate a first OP code frequency waveform; a memory storing a second OP code frequency waveform, which is a value obtained by converting the OP code corresponding to a ransomware encryption algorithm into a frequency domain; and a ransomware determiner comparing the first OP code frequency waveform with the second OP code frequency waveform to determine whether ransomware operates.

2. The ransomware detection apparatus of claim 1, further comprising: an OP code decoder receiving a processor trace packet corresponding to a calculation code from the CPU and decoding the processor trace packet into the calculation code, and then outputting the decoded calculation code to the frequency converter.

3. The ransomware detection apparatus of claim 1, wherein the ransomware determiner calculates a degree of similarity between the first OP code frequency waveform and the second OP code frequency waveform and determines that ransomware operates when the degree of similarity exceeds a predetermined reference value.

4. The ransomware detection apparatus of claim 3, wherein the ransomware determiner compares main frequencies between the first OP code ...

Подробнее
10-01-2019 дата публикации

STATIC ANOMALY-BASED DETECTION OF MALWARE FILES

Номер: US20190012460A1
Принадлежит:

A protection application detects and remediates malicious files on a client. The protection application trains models using known samples of static clean files, and the models characterize features of the clean files. A model may be selected based on metadata obtained from a target file. By processing features of the clean files and features of the target file, the model may generate an anomaly score indicating a level of dissimilarity between the target file and the sample. The protection application compares the anomaly score to one or more threshold scores to classify the target file. Additionally, the target file may be provided to a security server to check against a whitelist or blacklist for classification. Responsive to a classification as malicious, the protection application remediates the target file on the client.

1. A method for detecting anomalous files, the method comprising: determining a plurality of subclasses of a plurality of files on a client; determining that a subclass of the plurality of subclasses meets a filtering criterion; selecting a model derived from a training set of clean files belonging to the subclass; and, for each file of a subset of the plurality of files belonging to the subclass: generating, by a processor, an anomaly score of the file by applying the file to the selected model, the anomaly score indicating a level of dissimilarity between features of the file and a plurality of features of the training set of clean files; classifying the file as anomalous based on the anomaly score; and remediating the file by the client responsive to the classification of the file.

2. The method of claim 1, further comprising: determining a mean feature vector of the plurality of features of the training set of clean files; wherein the anomaly score is generated by determining distances between the features of the file and the mean feature vector.

3. The method of claim 1, further comprising: receiving, at the client from a security server, ...

Publication date: 10-01-2019

Secure configuration data storage

Number: US20190012463A1
Assignee: ARM IP LTD

A machine-implemented method for controlling a configuration data item in a storage-equipped device having at least two security domains, comprising receiving, by one of the security domains, a configuration data item; storing the configuration data item; providing a security indication for the configuration data item; and when an event indicates untrustworthiness of the data item, invalidating a configuration effect of the stored configuration data item. Further provided is a machine-implemented method for controlling a storage-equipped device as a node in a network of devices, comprising receiving information that a data source or type of a configuration data item is untrusted; analysing metadata for the data source and the configuration data item; populating a knowledge base with analysed metadata; and responsive to the analysed metadata, transmitting security information to the network of devices. A corresponding device and computer program product are also described.

Publication date: 14-01-2021

ABNORMAL ACTIVITY DETECTION

Number: US20210011998A1

A method for detecting abnormal activity on a computing system is disclosed. In one embodiment, such a method includes observing, over a period of time, activity occurring on a computing system. The method establishes, for the computing system based on the observations, a normal range associated with the activity. The method further monitors the computing system for the activity and documents activity on the computing system that falls outside the normal range. In certain embodiments, when activity is detected on the computing system that falls outside the normal range, the method gathers or compiles additional information about the activity, notifies a user, and/or generates a report that describes the abnormal activity and events surrounding the abnormal activity. A corresponding system and computer program product are also disclosed.

1. A method for detecting abnormal activity occurring on a computing system, the method comprising: observing, by at least one processor over a period of time, activity occurring on a computing system; establishing, for the computing system based on the observations, a normal range associated with the activity that is observed on the computing system; monitoring, by the at least one processor, the computing system for the activity; and documenting, by the at least one processor, the activity on the computing system that falls outside the normal range.

2. The method of claim 1, further comprising notifying a user when the activity on the computing system falls outside the normal range.

3. The method of claim 1, wherein observing the activity comprises observing system logs for the activity.

4. The method of claim 1, further comprising, when activity is detected on the computing system which falls outside the normal range, gathering additional information about the activity.

5. The method of claim 1, further comprising, when activity is detected on the computing system which falls outside the normal range ...

Publication date: 14-01-2021

Method for Systematic Collection and Analysis of Forensic Data in a Unified Communications System Deployed in a Cloud Environment

Number: US20210011999A1
Assignee:

A method for systematic collection and analysis of forensic data in a unified communications system deployed in a cloud environment. Three primary forensic components, namely evidence collectors, a forensic controller and self-forensic investigators, are utilized in the method to interface with the components of the cloud environment and of the unified communications network. The method invokes a cloud evidence collection process, which collects footprint data structures continuously at runtime to enable effective real-time collection of cloud forensic evidence, and a cloud evidence analyzing process, which generates evidence data that can be consumed by standard forensics tools.

1. A method for systematic collection and analysis of forensic data in a unified communications system deployed in a cloud environment, comprising the steps of: integrating at least one evidence collection mechanism with the unified communications system, wherein said at least one evidence collection mechanism is operative to capture forensic data related to operation of the unified communications system and at least one component in the cloud environment; generating at least one model which captures the normal behavior of the unified communications system; monitoring, by at least one intrusion detection system, the unified communications system for an occurrence of an unauthorized action using captured said forensic data and the at least one model; upon the occurrence of an unauthorized action, transmitting, by said at least one intrusion detection system, an alarm to a forensic controller; upon the transmission of the alarm to said forensic controller, collecting, by said at least one evidence collection mechanism, said forensic data; building, by said forensic controller, at least one footprint data structure from the collected forensic data; and formatting said at least one footprint data structure, wherein the step of formatting enables said at least one footprint data structure to be used by ...

Подробнее
14-01-2021 дата публикации

System And Method Of Detecting File System Modifications Via Multi-layer File System State

Number: US20210012000A1
Assignee:

The technology provides for a threat detection system. In this regard, the system may be configured to output file states of a multi-layer file system. For instance, the system may determine, based on the file states for a file, one or more layers of the multi-layer file system in which one or more objects corresponding to the file can be found. Based on the one or more objects corresponding to the file, the system may detect a potential threat. The system may then take an action in response to the potential threat. 1. A method, comprising: outputting, by one or more processors, file states for a file; determining, by the one or more processors based on the file states for the file, one or more layers of a multi-layer file system in which one or more objects corresponding to the file can be found; detecting, by the one or more processors, a potential threat to the multi-layer file system based on the one or more layers in which the one or more objects corresponding to the file are found; and taking an action in response to the potential threat. 2. The method of claim 1, further comprising: determining that an object corresponding to the file found in a modifiable image in an upper layer of the multi-layer file system contains modifications to an object corresponding to the file found in a base image in a lower layer of the multi-layer file system, wherein detecting the potential threat is further based on determining that the object corresponding to the file found in the modifiable image contains modifications to the object corresponding to the file found in the base image. 3. The method of claim 1, further comprising: determining that none of the one or more objects corresponding to the file is found in a base image in a lower layer of the multi-layer file system, wherein detecting the potential threat is further based on determining that none of the one or more objects corresponding to the file is found in the base image. 4. The method of claim 3, further comprising: ...
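
As an added example (not code from the patent or its assignee), the following Python models a two-layer overlay file system in memory and applies the tests of claims 2 and 3: an upper-layer object whose content differs from the base-image object is a modification, an object with no base-image counterpart is an addition, and a whiteout marker hides a base file. The layer contents, the whiteout convention (None), the sha256 comparison and the sensitive-path policy are assumptions of the example.

```python
"""Detect modifications in a layered (overlay-style) file system.

Each layer maps a path to file bytes; None records a whiteout (deletion).
Layers are ordered base first, topmost modifiable layer last.
"""
import hashlib

# Constructed sample data: a read-only base image and a writable upper layer.
BASE = {
    "/bin/sh": b"ELF base shell",
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    "/etc/shadow": b"root:*:0:0:99999:7:::\n",
}
UPPER = {
    "/bin/sh": b"ELF patched shell",           # modifies a base object (claim 2)
    "/usr/bin/nc": b"ELF dropped tool",        # no base counterpart (claim 3)
    "/etc/shadow": None,                       # whiteout: base file hidden
    "/tmp/session.log": b"harmless scratch",   # added, but outside sensitive paths
}
LAYERS = [("base", BASE), ("upper", UPPER)]

# Assumed policy (not from the page): non-base changes under these prefixes are suspicious.
SENSITIVE_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/etc/", "/lib/")


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def file_states(layers, path):
    """Return [(layer_name, digest_or_None)] for every layer holding an object for path."""
    states = []
    for name, objects in layers:
        if path in objects:
            data = objects[path]
            states.append((name, None if data is None else _digest(data)))
    return states


def classify(layers, path):
    """Classify a path by the layers its objects are found in; None if unknown path."""
    states = file_states(layers, path)
    if not states:
        return None
    base_name = layers[0][0]
    found_in = [name for name, _ in states]
    top_digest = states[-1][1]
    if top_digest is None:
        kind = "deleted"
    elif base_name not in found_in:
        kind = "added"            # no object in the base image
    elif top_digest != states[0][1]:
        kind = "modified"         # upper object differs from the base object
    else:
        kind = "unchanged"
    return {"path": path, "layers": found_in, "kind": kind}


def detect_threats(layers, sensitive=SENSITIVE_PREFIXES):
    """Walk every path in any layer; report non-base changes under sensitive prefixes."""
    paths = sorted({p for _, objects in layers for p in objects})
    findings = []
    for path in paths:
        state = classify(layers, path)
        if state["kind"] != "unchanged" and path.startswith(sensitive):
            findings.append(state)
    return findings


if __name__ == "__main__":
    for f in detect_threats(LAYERS):
        print(f"{f['kind']:9s} {f['path']:20s} layers={f['layers']}")
```

Comparing digests rather than mtimes matters because an attacker who can write the upper layer can also set timestamps; the base-image digest is the only reference the upper layer cannot alter.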

Details
Publication date: 14-01-2021

SECURITY MANAGEMENT OF ADVERTISEMENTS AT ONLINE ADVERTISING NETWORKS AND ONLINE ADVERTISING EXCHANGES

Number: US20210012006A1
Assignee:

At an advertising server: adding tracking code to advertisements served by the advertising server, wherein the tracking code is configured to cause web browsers displaying the served advertisements to transmit their contents to a security server. At the security server: scanning the received advertisements to detect the presence of malicious code, and storing the results of the scanning in a database. At the advertising server: prior to serving a new advertisement that has won in RTB, querying the database for scan results associated with the new advertisement. When the scan results indicate a malicious advertisement, preventing the serving of the new advertisement. When the scan results indicate a safe advertisement, allowing the serving of the new advertisement. When no scan results are available for the new advertisement, adding the tracking code to the new advertisement and serving it, such that its contents are scanned by the security server. 1. A method comprising, at an advertising server that employs RTB (Real-Time Bidding): (i) prior to serving a new advertisement that has won an RTB process, querying a database for scanning results associated with the new advertisement, to determine if the new advertisement: (a) has been scanned in the past, and includes malicious code, (b) has been scanned in the past, and is devoid of malicious code, or (c) has not been scanned in the past; (ii) when the new advertisement has been determined to include malicious code, preventing the serving of the new advertisement; (iii) when the new advertisement has been determined to be devoid of malicious code, allowing the serving of the new advertisement; and (iv) when the new advertisement has been determined not to have been scanned in the past, adding tracking code to the new advertisement and serving the new advertisement with the added tracking code, such that the contents of the new advertisement are scanned. 2. The method according to claim 1, further comprising, prior to (i): adding the ...
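
As an added example (not the patent's own code), the following Python implements the three-way decision of claim 1 on the ad-server side together with the security-server side that receives what the tracker reports. The scan-result store, the tracker tag, the security-server origin and the two detection patterns are assumptions made for the example; a real scanner would run the creative in an instrumented browser rather than pattern-match it.

```python
"""Scan-result cache for RTB ad serving: block known-bad creatives, serve known-good,
and instrument never-seen creatives so the browser reports them for scanning."""
import hashlib
import re

SECURITY_SERVER = "https://security.example"          # assumed security-server origin
_TRACKER_TMPL = '<script src="{server}/tracker.js" data-ad="{ad_id}"></script>'
_TRACKER_RE = re.compile(r'<script src="[^"]*/tracker\.js" data-ad="[^"]*"></script>')

# Constructed detection patterns standing in for a real scanner.
MALICIOUS_PATTERNS = [re.compile(p, re.I) for p in (
    r"eval\(\s*unescape\(",          # obfuscated payload decoding
    r"top\.location(\.href)?\s*=",   # forced redirect out of the ad frame
)]


class ScanDB:
    """Scan results keyed by creative content hash, not by campaign ID,
    because a malvertiser can swap the payload behind a previously clean ID."""

    def __init__(self):
        self._results = {}

    @staticmethod
    def key(creative):
        return hashlib.sha256(creative.encode("utf-8")).hexdigest()

    def lookup(self, creative):
        return self._results.get(self.key(creative))   # True/False, or None if never scanned

    def store(self, creative, malicious):
        self._results[self.key(creative)] = malicious


def scan(creative):
    return any(p.search(creative) for p in MALICIOUS_PATTERNS)


def security_server_receive(db, reported_html):
    """Browser-side tracker posts the rendered ad; strip our own tag before hashing."""
    creative = _TRACKER_RE.sub("", reported_html)
    verdict = scan(creative)
    db.store(creative, verdict)
    return verdict


def ad_server_serve(db, ad_id, creative):
    """Decision for an RTB winner: (action, html_to_serve_or_None)."""
    result = db.lookup(creative)
    if result is True:
        return ("blocked", None)                          # (ii) known malicious
    if result is False:
        return ("served", creative)                       # (iii) known clean
    tracked = creative + _TRACKER_TMPL.format(server=SECURITY_SERVER, ad_id=ad_id)
    return ("served-with-tracker", tracked)               # (iv) never scanned


if __name__ == "__main__":
    db = ScanDB()
    bad = '<div id="ad"><script>top.location="https://evil.example/"</script></div>'
    first = ad_server_serve(db, "ad-42", bad)          # unknown -> instrumented
    security_server_receive(db, first[1])             # browser reports -> scanned
    second = ad_server_serve(db, "ad-42", bad)         # cached verdict -> blocked
    print(first[0], second[0])
```

Note the window this design accepts: the first impression of an unknown creative is served before any verdict exists, so the cache only protects later impressions, and keying by content hash is what stops a creative from staying "unknown" by being re-submitted under new IDs.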

Details
Publication date: 14-01-2021

CONTINUOUS DATABASE SECURITY AND COMPLIANCE

Number: US20210012007A1
Assignee: Imperva, Inc.

A method by a security system for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used. The method includes monitoring for occurrences of a first class of database operations; responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more subsets of the plurality of database assessment scans to be rerun; triggering performance of only the selected one or more of the subsets; identifying one or more non-compliant database configurations of the database based on accessing results of the selected one or more of the subsets; determining one or more security rules for detecting occurrences of database operations that make use of the identified one or more non-compliant database configurations; and applying the determined one or more security rules. 1. A method by a security system implemented by one or more electronic devices for selectively triggering different ones of a plurality of database assessment scans for a database and detecting when non-compliant database configurations of the database are being used, the method comprising: monitoring for occurrences of a first class of database operations that have been determined to require only rerunning subsets of the plurality of database assessment scans to determine whether results of the plurality of database assessment scans have changed, wherein different database operations of the first class require different subsets of the plurality of database assessment scans to be rerun to determine whether the results of the plurality of database assessment scans have changed; responsive to detecting an occurrence of one or more database operations of the first class, selecting one or more of the subsets to be rerun based on which of the database operations of the first class occurred; triggering performance of only the selected one or more of the
...
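
As an added example (not Imperva's code), the following Python carries the whole loop of the claim: a statement is matched against the first class of operations, only the scan subsets that statement can invalidate are rerun, newly non-compliant items are turned into detection rules, and the rules are applied to a stream of operations. The database snapshot, the three scans, the operation-to-subset mapping and the operation stream are constructed for the example; the statements only decide which scans rerun and are not executed.

```python
"""Operation-triggered database assessment: rerun only the scan subsets that a
configuration-changing statement can invalidate, then derive detection rules
for operations that rely on the non-compliant configuration found."""
import re

# Constructed snapshot of database configuration that the scans inspect.
DB_STATE = {
    "users":  {"root": {"password": "s3cret", "host": "localhost"},
               "app":  {"password": "",       "host": "%"}},
    "grants": {"root": {"ALL"}, "app": {"ALL"}},
    "params": {"local_infile": "ON", "require_secure_transport": "OFF"},
}


# Scan subsets; each returns identifiers of non-compliant configuration items.
def scan_auth(state):
    return {f"user:{u}:empty-password" for u, i in state["users"].items() if not i["password"]}


def scan_privs(state):
    return {f"user:{u}:all-privileges-any-host" for u, privs in state["grants"].items()
            if "ALL" in privs and state["users"][u]["host"] == "%"}


def scan_params(state):
    bad = {("local_infile", "ON"), ("require_secure_transport", "OFF")}
    return {f"param:{k}:{v}" for k, v in state["params"].items() if (k, v) in bad}


SCANS = {"auth": scan_auth, "privs": scan_privs, "params": scan_params}

# First-class operations (assumed set) and the scan subsets each one can invalidate.
OPERATION_TRIGGERS = [
    (re.compile(r"^\s*(CREATE|ALTER|DROP)\s+USER\b", re.I), {"auth", "privs"}),
    (re.compile(r"^\s*(GRANT|REVOKE)\b", re.I),             {"privs"}),
    (re.compile(r"^\s*SET\s+GLOBAL\b", re.I),               {"params"}),
]


def select_scans(statement):
    """Return the scan subsets to rerun for one observed statement (empty for plain DML)."""
    subsets = set()
    for pattern, names in OPERATION_TRIGGERS:
        if pattern.search(statement):
            subsets |= names
    return subsets


def rerun(state, subsets, previous):
    """Rerun only `subsets`; return (all results, issues that were not present before)."""
    results = dict(previous)
    for name in subsets:
        results[name] = SCANS[name](state)
    before = set().union(*previous.values())
    after = set().union(*results.values())
    return results, after - before


def build_rules(issues):
    """Map each non-compliant item to a predicate over operations that make use of it."""
    rules = []
    for issue in sorted(issues):
        kind, *rest = issue.split(":")
        if kind == "user" and rest[1] == "empty-password":
            rules.append((issue, lambda op, u=rest[0]: op["user"] == u))
        elif kind == "user" and rest[1] == "all-privileges-any-host":
            rules.append((issue, lambda op, u=rest[0]: op["user"] == u and op["host"] != "localhost"))
        elif kind == "param" and rest[0] == "local_infile":
            rules.append((issue, lambda op: re.search(r"\bLOCAL\s+INFILE\b", op["sql"], re.I) is not None))
        elif kind == "param" and rest[0] == "require_secure_transport":
            rules.append((issue, lambda op: not op["tls"]))
    return rules


def apply_rules(rules, operations):
    """Return (sql, rule id) for every operation that matches a rule."""
    return [(op["sql"], name) for op in operations for name, pred in rules if pred(op)]


# Constructed operation stream seen by the security system.
OPERATIONS = [
    {"user": "app",  "host": "10.0.0.5",  "tls": False, "sql": "SELECT * FROM cards"},
    {"user": "root", "host": "localhost", "tls": True,  "sql": "SELECT 1"},
]

if __name__ == "__main__":
    results = {}
    for stmt in ("GRANT ALL ON *.* TO 'app'@'%'", "SELECT 1", "CREATE USER 'svc'@'%' IDENTIFIED BY ''"):
        results, new = rerun(DB_STATE, select_scans(stmt), results)
        print(f"{stmt!r}: reran {sorted(select_scans(stmt))}, new issues {sorted(new)}")
    for sql, rule in apply_rules(build_rules(set().union(*results.values())), OPERATIONS):
        print("flagged:", sql, "->", rule)
```

The point of the subset mapping is cost: a full assessment on every DDL statement is what makes continuous checking impractical, while a GRANT only needs the privilege scan rerun, and a SELECT needs nothing rerun at all.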

Details
Publication date: 09-01-2020

EMBEDDED DEVICE, VIRUS SCAN PROGRAM EXECUTION METHOD, AND NON-TRANSITORY STORAGE MEDIUM

Number: US20200012529A1
Author: JIMBO Junya
Assignee: RICOH COMPANY, LTD.

An embedded device, a method for executing a virus scan program, and a non-transitory storage medium storing instructions for executing the virus scan program are provided. The embedded device on which the virus scan program for detecting computer viruses operates starts a virus scan, displays a first display component for receiving an instruction to pause the virus scan, receives the instruction to pause the virus scan, and pauses the virus scan when the instruction to pause the virus scan is received. 1. An embedded device on which a virus scan program for detecting computer viruses operates, the embedded device comprising: circuitry configured to start a virus scan; display, on a display, a first display component for receiving an instruction to pause the virus scan when starting the virus scan; receive the instruction to pause the virus scan via the first display component; and pause the virus scan when the instruction to pause the virus scan is received. 2. The embedded device of claim 1, wherein the circuitry is further configured to: display a second display component for receiving an instruction to execute the virus scan in the background with the resources allocated to the virus scan reduced when executing the virus scan; and reduce the resources allocated to the virus scan when the instruction to execute the virus scan in the background is received. 3. The embedded device of claim 2, wherein the circuitry is further configured to display a pop-up screen prompting selection of one of the first display component and the second display component when executing the virus scan. 4. The embedded device of claim 2, wherein the circuitry is further configured to display a third display component for receiving an instruction to cancel the virus scan when the virus scan is executed in the background. 5. The embedded device of claim 4, wherein the circuitry is further configured to display a pop-up screen prompting selection of one of the first display component, ...

Details
Publication date: 09-01-2020

TRACKING EVENTS OF INTEREST TO MITIGATE ATTACKS

Number: US20200012783A1
Assignee:

A computing device can include a comparator coupled to an I/O pin of the computing device; a storage unit coupled to the comparator; and a counter coupled to receive an output of the comparator, an output of the counter being coupled to a computation engine to provide a limit-exceeded signal to the computation engine, wherein the counter comprises a volatile counter and a nonvolatile storage, wherein the nonvolatile storage stores a bit for each top volatile count number of events identified by the volatile counter. The computing device can further include a backup power source coupled to the volatile counter; and readout circuitry and control logic coupled to the volatile counter and to the nonvolatile storage, the readout circuitry and control logic being configured to control operations of the volatile counter during an error event and determine a total number of events. The computing device can be a smart card. 1. A computing device comprising: a comparator coupled to an I/O pin of the computing device; a storage unit coupled to the comparator; and a counter coupled to receive an output of the comparator, an output of the counter being coupled to a computation engine to provide a limit-exceeded signal to the computation engine, wherein the counter comprises a volatile counter and a nonvolatile storage, wherein the nonvolatile storage stores a bit for each top volatile count number of events identified by the volatile counter. 2. The computing device of claim 1, wherein when an output of the volatile counter reaches or exceeds a threshold, the limit-exceeded signal is provided to the computation engine. 3. The computing device of claim 1, wherein when a total count from the volatile counter and the nonvolatile storage reaches or exceeds a threshold, the limit-exceeded signal is provided to the computation engine. 4. The computing device of claim 1, wherein the limit-exceeded signal is used by the computation engine to initiate a countermeasure ...
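
As an added example (a software model, not the patent's circuit), the following Python shows why the claims split the counter into a volatile register and write-once nonvolatile bits: the comparator turns out-of-window pin levels into events, every `top` events burn one NV bit, and a power cut (the usual way an attacker resets a glitch counter) can therefore erase at most `top - 1` events. The reference window, the bit budget, the threshold and the saturation behaviour when all NV bits are programmed are assumptions of the example.

```python
"""Tamper-event counter modelled on the claims: a comparator on an I/O pin feeds a
volatile counter, and every `top` events burn one bit into write-once nonvolatile
storage, so a power cut can erase at most top-1 events."""


class EventCounter:
    def __init__(self, top=8, nv_bits=32, threshold=64, low_ref=0.0, high_ref=3.6):
        self.top = top                 # volatile events represented by one NV bit
        self.threshold = threshold     # total count at which limit-exceeded is raised
        self.low_ref, self.high_ref = low_ref, high_ref   # reference window (storage unit)
        self.volatile = 0
        self.nv = [0] * nv_bits        # write-once bits: 0 -> 1 only, never cleared
        self.saturated = False         # NV exhausted: treat as permanently exceeded

    def observe(self, pin_level):
        """Comparator: a pin level outside the stored reference window is an event."""
        if self.low_ref <= pin_level <= self.high_ref:
            return self.limit_exceeded()
        return self.record_event()

    def record_event(self):
        """Volatile count; roll one NV bit every `top` events. Returns limit-exceeded."""
        self.volatile += 1
        if self.volatile >= self.top:
            self._commit_nv_bit()
            self.volatile = 0
        return self.limit_exceeded()

    def _commit_nv_bit(self):
        try:
            self.nv[self.nv.index(0)] = 1
        except ValueError:             # every bit already programmed
            self.saturated = True

    def total(self):
        """Readout: NV bits give the floor, the volatile register the remainder."""
        return sum(self.nv) * self.top + self.volatile

    def limit_exceeded(self):
        return self.saturated or self.total() >= self.threshold

    def power_loss(self, backup_holds):
        """Error event: the backup source may keep the volatile register; NV always survives."""
        if not backup_holds:
            self.volatile = 0
        return self.total()


if __name__ == "__main__":
    c = EventCounter(top=4, nv_bits=8, threshold=10)
    for _ in range(7):
        c.record_event()
    print("before power loss:", c.total(), "after:", c.power_loss(backup_holds=False))
```

The trade-off a designer tunes here is `top`: a small value costs more NV write cycles per event but shrinks what a power cut can erase; the backup power source in the claims pushes the erasable window towards zero without spending NV bits.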

Details
Publication date: 09-01-2020

ANALYSIS DEVICE, ANALYSIS METHOD AND COMPUTER-READABLE RECORDING MEDIUM

Number: US20200012788A1
Assignee: NEC Corporation

Provided is an analysis device with which it is possible to find information relating to the intention and purpose of an attacker. The analysis device is provided with a purpose estimating means that estimates the purpose of a behavior, based on predetermined behavior in the computer and knowledge information that includes the relation between the behavior and the purpose of executing the behavior. 1-13. (canceled) 14. An analysis method for a computer system, comprising: storing process information associated with a process in the computer system; storing result information associated with a result, the result being a harm to the computer system caused by the process; and storing relation information associated with a relation between the process information and the result information. 15. The analysis method according to claim 14, further comprising: storing function information associated with a function related to an influence of the process on the computer system, wherein the relation information includes first relation information indicating a relation between the process and the function, and second relation information indicating a relation between the function information and the result information. 16. The analysis method according to claim 15, further comprising: receiving a first input related to the result information; receiving a second input related to the function information; and receiving a third input related to the relation information. 17. The analysis method according to claim 14, further comprising: receiving an input related to the result information. 18. The analysis method according to claim 17, further comprising: receiving another input related to the relation information. 19. The analysis method according to claim 14, further comprising: outputting a signal configured to display the process information, the result information, and the relation information on a display device. 20. The analysis method according to claim 14, further comprising: ...

Details
Publication date: 09-01-2020

System and Method for An Automated Analysis of Operating System Samples

Number: US20200012793A1
Assignee: Zecops Inc

Methods and apparatuses for malware analysis, root-cause analysis and information security insights based on operating system sampled data, such as structured logs, operating system snapshots, programs and/or processes, and/or kernel crash dumps or samples containing a payload for extraction, for the purpose of detecting and evaluating threats, the infection vector, threat actors and persistence methods in the form of backdoors, Trojans or unknown exploitable vulnerabilities used.

Details
Publication date: 11-01-2018

System, Apparatus And Method For Using Malware Analysis Results To Drive Adaptive Instrumentation Of Virtual Machines To Improve Exploit Detection

Number: US20180013770A1
Author: Osman Abdoul Ismael
Assignee: FireEye Inc

According to one embodiment, a computerized method operates by configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object. In response to detecting a type of event during processing of the suspicious object within the virtual machine, the virtual machine is automatically reconfigured with a second instrumentation that is different from the first instrumentation, in an effort to achieve reduced configuration time and/or increased effectiveness in exploit detection.

Details
Publication date: 14-01-2021

MALWARE DETECTION AND PREVENTION SYSTEM

Number: US20210014244A1
Author: Bingham Skyler J.
Assignee: LEVEL 3 COMMUNICATIONS, LLC

Aspects of the present disclosure involve systems and methods for computing devices to access a public network, posing as a user of the network, to detect one or more malware programs available for download through the network. More particularly, a malware detection control system utilizes a browser executed on a computing device to access a public network, such as the Internet. Through the browser, sites or nodes of the public network are accessed by the control system, with the interactions with the sites of the public network designed to mimic or approximate a human user of the browser. More particularly, the control system may apply one or more personality profiles to the browser of the computing device to access and interact with the nodes of the public network. Further, the control system may monitor the information retrieved from the network sites to detect the presence of malware within the nodes. 1. A method for managing access to a public network, the method comprising: utilizing a control system to control a computing device to access a first node in the public network; applying a personality profile to the computing device to access a second node in the public network; detecting an indication of a malware program stored in the public network accessible through the second node; storing information of the malware program in a database based on transmission of information between the computing device and the public network during accessing of the second node of the public network; and creating malware prevention rules based on the information of the malware program. 2. The method of claim 1, wherein creating malware prevention rules based on the stored information comprises flagging a network address associated with the information of the malware program as a source of malware programs. 3. The method of claim 2, wherein creating malware prevention rules based on the stored information further comprises: preventing the malware program from spreading by sharing ...

Details
Publication date: 14-01-2021

SYSTEMS AND METHODS FOR PROTECTING DEVICES FROM MALWARE

Number: US20210014251A1
Assignee:

Disclosed herein are systems and methods for protecting an endpoint device from malware. In one aspect, an exemplary method comprises performing, by a light analysis tool of the endpoint, a light static analysis of a sample; terminating the process and notifying the user when the process is malware; performing a light dynamic analysis when the process is not malware based on the light static analysis; when the process is clean based on the light dynamic analysis, enabling the process to execute; when the process is malware, terminating the process and notifying the user; and when the process matches a suspicious pattern, suspending the process, setting a level of trust, sending the sample to a sandbox, terminating the process and notifying the user when the process is malware based on the received final verdict, and enabling the process to resume executing when the process is determined to be clean based on the final verdict. 1. A method for protecting an endpoint device from malware, comprising: performing, by a light analysis tool of the endpoint device, a light dynamic analysis of a received sample of a process being monitored; when the process is determined to match a suspicious pattern based on the light dynamic analysis, suspending the process, setting or adjusting a level of trust for the sample, sending the sample to a sandbox with a request for a final verdict, receiving the final verdict, and when the process is determined to be malware based on the received final verdict, terminating the process and notifying a user of the process, and when the process is determined to be clean based on the received final verdict, enabling the process to resume executing on the endpoint device in accordance with a policy based on the level of trust. 2. The method of claim 1, further comprising, when the process is determined to be clean based on the light dynamic analysis, enabling the process to execute on the endpoint device in accordance with the policy. 3. The ...

Details
Publication date: 14-01-2021

Managing network connections based on their endpoints

Number: US20210014281A1
Assignee: Snowflake Inc

The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A system for managing network connections includes a storage component, a decoding component, a rule manager component, and a notification component. The storage component is configured to store a list of expected connections for a plurality of networked machines, wherein each connection in the list of expected connections defines a start point and an end point for the connection. The decoding component is configured to decode messages from the plurality of networked machines indicating one or more connections for a corresponding machine. The rule manager component is configured to identify an unexpected presence or absence of a connection on at least one of the plurality of networked machines based on the list of expected connections. The notification component is configured to provide a notification or indication of the unexpected presence or absence.
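
As an added example (not Snowflake's code), the following Python implements the four components as plain functions: a stored list of expected (start point, end point) connections, a decoder for per-machine JSON reports, a rule manager that computes unexpected presence and absence per machine, and a notifier. The expected list, the message format and the two sample reports are constructed for the example; it also treats a machine that should have connections but never reported as its own finding, which the abstract does not spell out.

```python
"""Rule manager for expected-connection monitoring: decode agent messages, then
report connections that are present but unexpected, or expected but absent."""
import json

# Expected connections: (start point, end point). Constructed inventory.
EXPECTED = {
    ("web-1", "db-1:5432"),
    ("web-1", "cache-1:6379"),
    ("worker-1", "db-1:5432"),
}

# Constructed agent messages, one JSON document per reporting machine.
MESSAGES = [
    '{"machine": "web-1", "connections": [["web-1", "db-1:5432"], ["web-1", "203.0.113.9:4444"]]}',
    '{"machine": "worker-1", "connections": []}',
]


def decode(message):
    """Decoding component: one message -> (machine, set of (start, end) tuples)."""
    doc = json.loads(message)
    return doc["machine"], {tuple(c) for c in doc["connections"]}


def evaluate(expected, reports):
    """Rule manager: compare each machine's observed connections with its expected set."""
    findings = []
    reported = set()
    for machine, observed in reports:
        reported.add(machine)
        expected_here = {c for c in expected if c[0] == machine}
        for conn in sorted(observed - expected_here):
            findings.append(("unexpected-presence", machine, conn))
        for conn in sorted(expected_here - observed):
            findings.append(("unexpected-absence", machine, conn))
    # A machine that should have connections but never reported is itself a finding
    # (an assumption of this example: silence from an agent is not "no connections").
    for machine in sorted({c[0] for c in expected} - reported):
        findings.append(("no-report", machine, None))
    return findings


def notify(findings):
    """Notification component: human-readable lines."""
    return [f"{kind} on {machine}: {conn[0]} -> {conn[1]}" if conn else f"{kind}: {machine}"
            for kind, machine, conn in findings]


def run(expected=EXPECTED, messages=MESSAGES):
    return notify(evaluate(expected, [decode(m) for m in messages]))


if __name__ == "__main__":
    print("\n".join(run()))
```

Absence is the half of this that signature-based tools miss: a service that silently stops talking to its database is as much a signal (failed over, tampered with, or its traffic redirected) as an outbound connection to an address nobody provisioned.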

Details
Publication date: 09-01-2020

METHOD AND SYSTEM FOR APPLICATION SECURITY EVALUATION

Number: US20200014734A1
Author: Cetin Feride, Rühl Torben
Assignee:

Systems and methods are provided for application security evaluation. Applications may be managed in a server, where the managing may include obtaining one or more security parameters associated with an application executable on a mobile communication device; evaluating the one or more security parameters; and generating or updating, based on evaluating the one or more security parameters, a security profile for the application. The application may be selected based on application related data, which may include feedback data provided by mobile communication devices. The application may be operated within the server to obtain at least one of the one or more security parameters. The application may be operated using a script. Identification information for the application may be generated based on the security profile, with the identification information including information relating to or enabling assessing the security of the application. 1. A method for managing applications in a server, the method comprising: obtaining one or more security parameters associated with an application executable on a mobile communication device; evaluating the one or more security parameters; and generating or updating, based on evaluating the one or more security parameters, a security profile for the application. 2. The method of claim 1, further comprising selecting the application based on application related data. 3. The method of claim 2, wherein the application related data comprises feedback data provided by one or more mobile communication devices, and further comprising: receiving one or more feedback messages from the one or more mobile communication devices; and generating or updating the feedback data based on the one or more feedback messages received from the one or more mobile communication devices. 4. The method of claim 1, further comprising operating the application within the server to obtain at least one of the one or more security parameters. 5. The method of claim 4, comprising ...

Details
Publication date: 10-04-2014

Execution Environment File Inventory

Number: US20140101783A1
Assignee: Individual

A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.

Details
Publication date: 03-02-2022

MALWARE ANALYSIS THROUGH VIRTUAL MACHINE FORKING

Number: US20220035905A1
Assignee:

A set of virtual machines (VMs) with different guest operating systems installed is initially booted and prepared to facilitate rapid creation, or “forking,” of a child VM(s) for malware analysis of a software sample. Because malicious code may be packaged for a specific operating system version, subsets of the VMs may have different versions of the same guest operating system installed. Upon detection of a sample indicated for malware analysis, a child VM(s) running the appropriate guest operating system is created based on a corresponding one(s) of the set of VMs. A process in which the corresponding VM(s) has been booted is forked to create a child process. A child VM which is a copy of the VM booted in the parent process is then created in the child process. The sample is then sandboxed in the child VM for analysis to determine if the sample comprises malware. 1. A method comprising: based on indication of a first software sample for malware analysis, identifying a first virtual machine of a plurality of virtual machines having installed a first guest operating system compatible with the first software sample; forking a first process of the first virtual machine to create a first child process with a second virtual machine based, at least in part, on the first virtual machine; loading the first software sample into the second virtual machine; and based on analysis of behavior of the first software sample in the second virtual machine, indicating whether the first software sample is malware. 2. The method of further comprising: identifying a third virtual machine having installed a second guest operating system compatible with the first software sample; forking a second process of the third virtual machine to create a second child process with a fourth virtual machine based, at least in part, on the third virtual machine; and loading the first software sample into the fourth virtual machine, wherein indicating whether the first software sample is malware is also based on ...

Details
Publication date: 03-02-2022

DISTRIBUTED SECURITY INTROSPECTION

Number: US20220035907A1
Author: Cervantez Michael
Assignee: SALESFORCE.COM, INC.

Computer programming code may be executed via look-ahead execution in a virtual machine. The computer programming code may include a first instruction to retrieve data stored in an on-demand computing services environment and a second instruction to transmit the data to a recipient. The first instruction, the second instruction, and the data may be evaluated to determine whether the execution of the computer programming code constitutes acceptable use of the on-demand computing services environment. When it is determined that the execution of the computer programming code does not constitute acceptable use of the on-demand computing services environment, further execution of the computer programming code may be halted. 1-20. (canceled) 21. A method comprising: partially executing computer programming code on a computing device that includes a processor and memory, the computer programming code including first and second instructions; after executing the first instruction, evaluating the first and second instructions, via a processor, to determine whether the execution of the computer programming code constitutes malicious activity, wherein evaluating the first and second instructions comprises receiving a response message from a scoring engine implemented as a service within an on-demand computing services environment, the response message indicating whether the execution of the computer programming code constitutes malicious activity; and after determining that the execution of the computer programming code constitutes malicious activity, halting further execution of the computer programming code. 22. The method recited in claim 21, wherein evaluating the first and second instructions comprises transmitting a request message to the scoring engine via a network. 23. The method recited in claim 22, wherein the request message includes the first instruction, the second instruction, and information characterizing data retrieved by the first instruction.
...

Details
Publication date: 03-02-2022

Active signaling in response to attacks on a transformed binary

Number: US20220035911A1
Author: Brent BESSEMER, Shane FRY
Assignee: RunSafe Security Inc

An apparatus and method for responding to an invalid state occurrence encountered during execution of a third-party application program are described. The method includes registering a trap signal handler with a kernel of an operating system, intercepting calls from the third-party application program to the operating system, and processing an exception signal corresponding to the invalid state to generate a response. The response includes performing a signal reporting process.

Details
Publication date: 03-02-2022

ENCRYPTION KEY SEED DETERMINATION

Number: US20220035915A1
Assignee:

A computer implemented method for determining a plurality of data sources providing seed parameters for generation of an encryption key by a ransomware algorithm, the method including exposing a target computer system to the ransomware algorithm; and monitoring application programming interface (API) calls made to an operating system of the target computer system to identify a set of API calls for retrieving data about one or more hardware components of the target computer system, the data about the hardware components being determined to constitute the seed parameters. 1. A computer implemented method for determining a plurality of data sources providing seed parameters for generation of an encryption key by a ransomware algorithm, the method comprising: exposing a target computer system to the ransomware algorithm; and monitoring application programming interface (API) calls made to an operating system of the target computer system to identify a set of API calls for retrieving data about one or more hardware components of the target computer system, the data about the one or more hardware components being determined to constitute the seed parameters. 2. The method of claim 1, wherein each of the one or more hardware components includes one or more of: a central processing unit; a memory; a storage device; a peripheral device; a basic input/output subsystem; an output device; an input device; or a network device of the target computer system. 3. The method of wherein the data about the one or more hardware components includes one or more of: a reference number; an identifier; a version; a date; a time; an address; a serial number; or unique information about the hardware component. 4. The method of wherein the monitoring includes using a process monitor to determine which operating system API calls are made. 5. A computer system comprising: exposing a target computer system to the ransomware algorithm; and monitoring application programming interface (API) calls made to an ...

Details
Publication date: 03-02-2022

SYSTEM AND METHOD FOR IDENTIFYING COMPROMISED ELECTRONIC CONTROLLER USING INTENTIONALLY INDUCED ERROR

Number: US20220035916A1
Assignee:

A system and method for identifying a compromised controller using an intentional error are provided. The method, performed by an electronic device in a controller area network (CAN), identifies a compromised electronic control unit (ECU) that transmits an attack message on a CAN bus in a periodic transmission cycle. The method includes, in response to detecting the attack message, intentionally transitioning a first ECU among a plurality of ECUs connected to the CAN bus to a bus-off state, and determining whether the first ECU is the compromised ECU based at least in part on a time, which is predicted from recovery parameters related to the first ECU, for when the first ECU resumes transmission of a CAN message, and a time when the attack message is redetected on the CAN bus. 1. A method, performed by an electronic device in a controller area network (CAN), for identifying a compromised electronic control unit (ECU) that transmits an attack message on a CAN bus in a periodic transmission cycle, the method comprising: in response to detecting the attack message, transitioning a first ECU among a plurality of ECUs connected to the CAN bus to a bus-off state intentionally; and determining whether the first ECU is the compromised ECU based at least in part on a time, which is predicted from recovery parameters related to the first ECU, for when the first ECU resumes a transmission of a CAN message and a time when the attack message is redetected on the CAN bus. 2. The method of claim 1, wherein the transitioning to the bus-off state comprises: transmitting a diagnosis request message corresponding to the first ECU; monitoring the CAN bus to detect an initiation of transmission of a diagnosis response message by the first ECU; and in response to detecting the initiation of transmission of the diagnosis response message, causing a transmission error in the diagnosis response message by transmitting a plurality of dominant bits to the CAN bus until the first ECU ...
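
As an added example (not the patent's own code), the following Python carries out the timing inference of claim 1 on a constructed CAN timeline: the candidate ECU's resume time is predicted from its recovery parameters (the ISO 11898-1 bus-off recovery of 128 occurrences of 11 consecutive recessive bits plus a per-ECU firmware re-initialisation delay), and the verdict depends on when the attack frame is next seen. The bit rate, the recovery delay, the attack period, the tolerance and the three timelines are assumptions of the example; the bus-off forcing itself (claim 2) is not modelled.

```python
"""Identify the ECU behind a periodic attack frame by forcing a candidate ECU bus-off
and checking whether the attack frame's silence matches that ECU's predicted recovery."""

BIT_TIME_US = 2.0      # 500 kbit/s CAN, assumed for the example


def predict_resume_time(t_busoff_us, params, bit_time_us=BIT_TIME_US):
    """ISO 11898-1 bus-off recovery: 128 occurrences of 11 consecutive recessive bits,
    plus the firmware's own re-initialisation delay (a per-ECU recovery parameter)."""
    bus_recovery_us = 128 * 11 * bit_time_us
    return t_busoff_us + bus_recovery_us + params["sw_recovery_delay_us"]


def identify(attack_times_us, t_busoff_us, t_resume_pred_us, period_us, tolerance_us):
    """Compare attack-frame timestamps with the predicted resume time.

    - attack frames during the bus-off window: someone else is sending them
    - first redetection within one period after the predicted resume: this ECU
    - nothing within that window: inconclusive (attacker paused, or parameters wrong)
    """
    after = sorted(t for t in attack_times_us if t > t_busoff_us)
    if any(t < t_resume_pred_us - tolerance_us for t in after):
        return "not-compromised"
    if after and after[0] <= t_resume_pred_us + period_us + tolerance_us:
        return "compromised"
    return "inconclusive"


# Constructed timeline (microseconds): attack frame every 10 ms, bus-off forced at 100 ms.
ECU_PARAMS = {"sw_recovery_delay_us": 25_000}
T_BUSOFF = 100_000
PERIOD = 10_000
TOLERANCE = 500
SCENARIOS = {
    "ecu-is-attacker":     [90_000, 100_000, 130_000, 140_000],
    "other-ecu-attacker":  [90_000, 100_000, 110_000, 120_000, 130_000],
    "attacker-went-quiet": [90_000, 100_000, 160_000],
}


def run_scenarios(scenarios=SCENARIOS):
    t_resume = predict_resume_time(T_BUSOFF, ECU_PARAMS)
    return {name: identify(times, T_BUSOFF, t_resume, PERIOD, TOLERANCE)
            for name, times in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The inference only works when the bus-off window is longer than the attack period; with a 10 ms period and a recovery shorter than that, an innocent ECU and the attacker would be indistinguishable from one observation, which is why the recovery parameters of the specific ECU matter to the prediction.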

More
Publication date: 03-02-2022

DETECTING MALICIOUS ACTIVITY IN A COMPUTER SYSTEM USING COMPUTER SYSTEM OBJECTS

Number: US20220035917A1
Assignee:

Systems and methods for detecting malicious activity in a computer system. One or more graphs can be generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges in the graphs. Comparison of generated graphs to existing graphs can determine a likelihood of malicious activity.

1-20. (canceled)

21. A system for detecting malicious activity in a computer system, the system comprising:
a computing platform including computing hardware of at least one processor and memory operably coupled to the at least one processor; and
a gathering tool configured to collect information about the computer system for a plurality of computer system objects, and determine a plurality of relationships between the plurality of computer system objects;
a graph-building tool configured to build at least a first intermediate graph and a second intermediate graph based on the plurality of computer system objects and the plurality of relationships, wherein the first and second intermediate graphs are formed with the plurality of computer system objects as vertices and the plurality of relationships as edges, and build a final graph based on the at least first and second intermediate graphs, wherein the final graph includes at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph and at least one edge connecting the at least one vertex from the first intermediate graph and the at least one vertex from the second intermediate graph, to reduce computing platform resource usage when the plurality of computer system objects grows non-linearly;
a search tool configured to select, from a graphs database, at least one preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one preexisting graph assigned a malicious activity ratio;
an analysis ...
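The gathering, graph-building and search steps of claim 21, as an added example in Python (not the patent's or any vendor's code): two intermediate graphs built from constructed process, file and network telemetry, merged into a final graph through the vertices they share, and compared against a small constructed database of pre-existing graphs carrying malicious-activity ratios. Jaccard similarity over edge sets and the similarity-weighted aggregation are assumptions; the claim does not fix the similarity measure.

```python
"""Object-relationship graphs, merge through shared vertices, similarity search.

Added example, not the patent's code. Telemetry, the graph database and the
malicious ratios are constructed; Jaccard over edges is an assumed measure.
"""
from typing import FrozenSet, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]     # (subject object, relationship, object)
Graph = FrozenSet[Edge]


def build_graph(records: Iterable[Edge]) -> Graph:
    """Intermediate graph: computer-system objects are vertices, relationships are edges."""
    return frozenset((s, r, o) for s, r, o in records)


def vertices(g: Graph) -> Set[str]:
    return {v for s, _, o in g for v in (s, o)}


def merge_graphs(*graphs: Graph) -> Graph:
    """Final graph: union of the intermediate graphs, accepted only if every
    intermediate graph shares at least one vertex with the others, so their
    edges are connected rather than forming disjoint islands."""
    if len(graphs) > 1:
        for i, g in enumerate(graphs):
            others = set().union(*(vertices(h) for j, h in enumerate(graphs) if j != i))
            if not vertices(g) & others:
                raise ValueError("intermediate graph shares no vertex with the others")
    return frozenset().union(*graphs)


def jaccard(a: Graph, b: Graph) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def find_similar(final: Graph, database, threshold: float) -> List[Tuple[str, float, float]]:
    """Pre-existing graphs whose similarity meets the threshold, best first:
    (name, similarity, malicious_activity_ratio)."""
    hits = [(name, jaccard(final, g), ratio) for name, g, ratio in database]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: h[1], reverse=True)


def malicious_likelihood(hits: List[Tuple[str, float, float]]) -> float:
    """Similarity-weighted mean of the matched graphs' malicious ratios (assumed aggregation)."""
    total = sum(sim for _, sim, _ in hits)
    return sum(sim * ratio for _, sim, ratio in hits) / total if total else 0.0


# Constructed telemetry: one intermediate graph from file/process activity, one from network activity.
FILE_GRAPH = build_graph([
    ("proc:winword.exe", "spawned", "proc:powershell.exe"),
    ("proc:powershell.exe", "wrote", r"file:%TEMP%\update.exe"),
    ("proc:powershell.exe", "spawned", "proc:update.exe"),
])
NET_GRAPH = build_graph([
    ("proc:powershell.exe", "connected", "net:203.0.113.7:443"),
    ("proc:update.exe", "connected", "net:203.0.113.7:443"),
])
FINAL = merge_graphs(FILE_GRAPH, NET_GRAPH)   # joined through proc:powershell.exe and proc:update.exe

# Constructed graph database: (name, graph, malicious activity ratio).
DATABASE = [
    ("macro_dropper", build_graph([
        ("proc:winword.exe", "spawned", "proc:powershell.exe"),
        ("proc:powershell.exe", "wrote", r"file:%TEMP%\update.exe"),
        ("proc:powershell.exe", "spawned", "proc:update.exe"),
        ("proc:powershell.exe", "connected", "net:203.0.113.7:443"),
    ]), 0.95),
    ("benign_updater", build_graph([
        ("proc:explorer.exe", "spawned", "proc:update.exe"),
        ("proc:update.exe", "connected", "net:203.0.113.7:443"),
    ]), 0.05),
]

if __name__ == "__main__":
    matches = find_similar(FINAL, DATABASE, threshold=0.5)
    for name, sim, ratio in matches:
        print(f"{name}: similarity={sim:.2f} malicious_ratio={ratio}")
    print("likelihood of malicious activity:", round(malicious_likelihood(matches), 2))
```

The merge-through-shared-vertices rule is what keeps the final graph from growing as the product of the intermediate graphs: only edges that hang off objects already present in more than one view are joined, and a similarity threshold on the whole edge set is far cheaper than per-vertex matching as the object count grows.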

More
Publication date: 03-02-2022

System and Method for Validating In-Memory Integrity of Executable Files to Identify Malicious Activity

Number: US20220035918A1
Author: Desimone Joseph W.
Assignee:

In the embodiments described herein, a malicious code detection module identifies potentially malicious instructions in volatile memory of a computing device before the instructions are executed. The malicious code detection module identifies an executable file, such as an .exe file, in memory, validates one or more components of the executable file against the same file stored in non-volatile storage, and issues an alert if the validation fails.

1. A method of validating an executable file to identify potential malware in a computing device comprising a processor, memory, non-volatile storage, an operating system, and a malicious code detection module, the method comprising:
identifying, by the malicious code detection module, a first executable file in the memory, the first executable file including a first plurality of components that are not altered by the operating system when loaded into the memory;
identifying, by the malicious code detection module, a second executable file in the non-volatile storage, wherein the first executable file and the second executable file are associated with one another by the operating system;
determining that the second executable file has been compressed and/or encrypted using software packing;
determining if the second executable file can be unpacked;
unpacking the second executable file if the second executable file can be unpacked;
comparing, by the malicious code detection module, a size of a first component of a first plurality of components of the first executable file and a size of a first component of the first plurality of components of the second executable file, wherein comparing includes accounting for changes to the second executable file caused by the unpacking of the second executable file, and further wherein when the second executable file has not been compressed and/or encrypted using software packing, the changes need not be accounted for; and
generating an alert when the size of the first component of the ...
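The comparison of claim 1, as an added example in Python (not the patent's or any vendor's code): the section table of a PE image is one of the components the loader copies into memory unchanged, so section sizes of the mapped module can be checked against the file on disk. The parser follows the real PE layout (DOS header, e_lfanew, COFF header, 40-byte section headers); the images are constructed with a helper so the check runs offline, and the UPX-section-name packing heuristic and the unpacker callback are assumptions standing in for a real packer detector and unpacker.

```python
"""Section-table validation of an in-memory module against its on-disk file.

Added example, not the patent's code. PE structures are the real format; the
images, the packing heuristic and fake_unpacker() are constructed assumptions.
"""
import struct
from typing import Callable, Dict, List, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes
# (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
Section = Tuple[bytes, int, int, int, int, int]


def build_pe(sections: List[Section]) -> bytes:
    """Minimal PE32+ image carrying only the headers a section-table check needs."""
    e_lfanew, opt_size = 0x80, 0xF0
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    table = b"".join(struct.pack(SECTION_HEADER, n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


def parse_sections(image: bytes) -> Dict[str, Dict[str, int]]:
    """Section table of a PE image; identical bytes whether read from the file
    or from the mapped module, because the loader copies headers verbatim."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out: Dict[str, Dict[str, int]] = {}
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HEADER, image, table + 40 * i)
        name, vsize, vaddr, rawsize = fields[0].rstrip(b"\0").decode("ascii"), fields[1], fields[2], fields[3]
        out[name] = {"virtual_size": vsize, "virtual_address": vaddr,
                     "raw_size": rawsize, "characteristics": fields[9]}
    return out


def looks_packed(image: bytes) -> bool:
    """Heuristic (assumption): UPX-style section names mean the on-disk file is packed."""
    return any(name.upper().startswith("UPX") for name in parse_sections(image))


def validate(in_memory: bytes, on_disk: bytes,
             unpacker: Optional[Callable[[bytes], bytes]] = None) -> Tuple[str, List[str]]:
    """Compare section sizes of the in-memory module with its on-disk file.
    Returns ('ok' | 'alert' | 'undecidable', findings)."""
    if looks_packed(on_disk):
        if unpacker is None:
            return "undecidable", ["on-disk file is packed and cannot be unpacked here"]
        on_disk = unpacker(on_disk)         # account for the changes packing made to the file
    mem, disk = parse_sections(in_memory), parse_sections(on_disk)
    findings: List[str] = []
    if set(mem) != set(disk):
        findings.append(f"section names differ: {sorted(mem)} vs {sorted(disk)}")
    for name in sorted(set(mem) & set(disk)):
        for field in ("virtual_size", "raw_size", "virtual_address", "characteristics"):
            if mem[name][field] != disk[name][field]:
                findings.append(f"{name}.{field}: memory={mem[name][field]:#x} disk={disk[name][field]:#x}")
    return ("alert" if findings else "ok"), findings


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed images: the legitimate file, a packed build of it, and a module whose
# in-memory image was swapped (process hollowing) for one with a larger .text.
DISK_IMAGE = build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x400, CODE),
                       (b".data", 0x200, 0x2000, 0x200, 0x1400, DATA)])
PACKED_DISK_IMAGE = build_pe([(b"UPX0", 0x3000, 0x1000, 0, 0x400, CODE | IMAGE_SCN_MEM_WRITE),
                              (b"UPX1", 0x800, 0x4000, 0x800, 0x400, CODE | IMAGE_SCN_MEM_WRITE)])
HOLLOWED_IMAGE = build_pe([(b".text", 0x3000, 0x1000, 0x3000, 0x400, CODE),
                           (b".data", 0x200, 0x4000, 0x200, 0x3400, DATA)])


def fake_unpacker(packed: bytes) -> bytes:
    """Stands in for a real unpacker: returns the layout the packed file expands to."""
    return DISK_IMAGE


if __name__ == "__main__":
    print("clean module:   ", validate(DISK_IMAGE, DISK_IMAGE))
    print("hollowed module:", validate(HOLLOWED_IMAGE, DISK_IMAGE))
    print("packed, no unpacker:", validate(HOLLOWED_IMAGE, PACKED_DISK_IMAGE))
    print("packed, unpacked:   ", validate(DISK_IMAGE, PACKED_DISK_IMAGE, unpacker=fake_unpacker))
```

Only header-level sizes are compared here; hashing section contents would additionally have to exclude bytes the loader does rewrite (relocation fixups, import thunks), which is exactly why the claim restricts the comparison to components the operating system does not alter on load.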

More
Publication date: 03-02-2022

JUST IN TIME MEMORY ANALYSIS FOR MALWARE DETECTION

Number: US20220035919A1
Assignee:

Methods and apparatus consistent with the present disclosure may use instrumentation code that remains transparent to the application program into which it has been injected. In certain instances, data sets that include executable code may be received via packetized communications or by other means, such as receiving a file from a data store. The present technique allows a processor executing the instrumentation code to monitor actions performed by the program code included in a received data set. Malware may be detected by scanning suspect program code with a malware scanner, by identifying suspicious actions performed by a set of program code, or by a combination of such techniques.

1. A method for analyzing computer data, the method comprising:
allowing instructions of a set of computer data to be executed by a processor;
monitoring actions performed by the execution of the instructions of the set of computer data, the monitoring performed by the processor executing a set of instrumentation code instructions;
pausing execution of the instructions of the computer data based on an identification that the monitored actions include writing data to a memory;
comparing a signature generated from the data written to the memory to a malware signature; and
performing a corrective action based on an identification that the generated signature matches the malware signature.

2. The method of claim 1, further comprising identifying that the monitored actions correspond to an access pattern of the memory that includes allocating a portion of the memory, wherein the data written to the memory is written to the allocated memory portion.

3. The method of claim 2, further comprising identifying that the monitored actions include de-obfuscating the data written to the memory.

4. The method of claim 1, further comprising generating the signature by scanning the data written to the memory with a deep ...
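The allocate, de-obfuscate, write, pause and scan sequence of claims 1 to 3, as an added example in Python (not the patent's code). An instrumentation object stands in for code injected into the monitored program: every allocation and write passes through it, and the write hook scans the written bytes before execution resumes, so an XOR-obfuscated payload that a static scan of the file misses is caught the moment it is written to memory in clear. The payload, the XOR key, the signature database and the byte pattern are constructed.

```python
"""Write-hook instrumentation: scan memory at the moment a program writes it.

Added example, not the patent's code. InstrumentedMemory stands in for injected
instrumentation; payload, key, signatures and patterns are constructed.
"""
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

XOR_KEY = 0x5A
PAYLOAD = b"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
OBFUSCATED_PAYLOAD = bytes(b ^ XOR_KEY for b in PAYLOAD)     # what the file on disk carries
SIGNATURES: Dict[str, str] = {hashlib.sha256(PAYLOAD).hexdigest(): "known_loader_v1"}
PATTERNS: Dict[str, bytes] = {"encoded_powershell": b"-w hidden -enc "}


class MalwareDetected(Exception):
    """Raised by the write hook; unwinding the monitored program is the corrective action."""


def scan(blob: bytes) -> Optional[str]:
    """Signature check used both statically and at write time: exact hash, then patterns."""
    name = SIGNATURES.get(hashlib.sha256(blob).hexdigest())
    if name:
        return name
    for name, pattern in PATTERNS.items():
        if pattern in blob:
            return name
    return None


class InstrumentedMemory:
    """Every allocation and write of the monitored program goes through here, so a
    write can be intercepted (the "pause") and the bytes scanned before the
    program continues and gets to use or execute them."""

    def __init__(self) -> None:
        self.regions: Dict[int, bytearray] = {}
        self.log: List[Tuple] = []
        self._next = 0x10000

    def alloc(self, size: int) -> int:
        addr = self._next
        self._next += (size + 0xFFF) & ~0xFFF           # page-granular, like a real allocator
        self.regions[addr] = bytearray(size)
        self.log.append(("alloc", addr, size))
        return addr

    def write(self, addr: int, data: bytes) -> None:
        region = self.regions[addr]                     # example supports writes at region bases only
        region[:len(data)] = data
        self.log.append(("write", addr, len(data)))
        hit = scan(bytes(region))                       # paused here: scan before resuming
        if hit:
            self.log.append(("detected", addr, hit))
            raise MalwareDetected(hit)


def deobfuscate(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def sample_program(mem: InstrumentedMemory) -> int:
    """Constructed sample: allocates, decodes its payload and writes it, the step
    a static scan of the file never sees in clear."""
    buf = mem.alloc(len(OBFUSCATED_PAYLOAD))
    mem.write(buf, deobfuscate(OBFUSCATED_PAYLOAD))
    return buf


def benign_program(mem: InstrumentedMemory) -> int:
    buf = mem.alloc(64)
    mem.write(buf, b"configuration loaded\n")
    return buf


def run_monitored(program: Callable[[InstrumentedMemory], int]) -> Tuple[str, List[Tuple]]:
    """Run a program under instrumentation; returns the verdict and the action log."""
    mem = InstrumentedMemory()
    try:
        program(mem)
    except MalwareDetected as hit:
        return f"malware:{hit}", mem.log
    return "clean", mem.log


if __name__ == "__main__":
    print("static scan of on-disk bytes:", scan(OBFUSCATED_PAYLOAD))
    print("monitored run of sample:", run_monitored(sample_program))
    print("monitored run of benign program:", run_monitored(benign_program))
```

Scanning on every write is the expensive part in practice; claim 2's allocation-then-write access pattern is the usual trigger for limiting the scan to freshly allocated regions instead of every store the program makes.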

More
Publication date: 03-02-2022

SYSTEMS AND METHODS FOR AUTOMATICALLY GENERATING MALWARE COUNTERMEASURES

Number: US20220035920A1
Author: THOMAS Winny M.
Assignee:

Malware can be automatically detected and countermeasures automatically generated. A virtual machine (VM) is run with an operating system configured with a monitoring subsystem, which generates event data based on events occurring on the virtual machine. The monitoring subsystem can run within the operating system kernel. Kernel drivers can register to receive specific events; the events are sent to those drivers, which can forward them to a classifier. The classifier can detect malware based on the events. When a sample is run on the VM, the classifier can detect malware in the sample, and event data is collected while the sample runs. A countermeasure compiler can then generate a countermeasure to the malware based on the event data.

1. A method comprising:
running a virtual machine with an operating system configured with a monitoring subsystem, the monitoring subsystem configured to generate event data based on a plurality of events occurring on the virtual machine;
running a classifier configured to detect a malware based on the plurality of events;
running a sample on the virtual machine, the classifier detecting the malware in the sample; and
running a countermeasure compiler that generates a countermeasure to the malware, the countermeasure based on the event data.

2. The method of wherein the monitoring subsystem is run within a kernel of the operating system.

3. The method of wherein detecting the malware triggers generating the countermeasure.

4. The method of wherein the countermeasure compiler is configured to generate a resource data section and wherein the countermeasure includes a precompiled template populated with the resource data section.

5. The method of claim 1, the classifier configured to:
detect the malware based on the sample modifying a tripwire file monitored by the monitoring subsystem, and
detect the malware based on the sample modifying a system file monitored by the monitoring subsystem.

6 ...
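The classifier of claim 5 and the template-plus-resource-data countermeasure of claims 3 and 4, as an added example in Python (not the patent's or any vendor's code): a constructed event stream, of the kind a kernel monitoring subsystem would hand to registered drivers, is classified on tripwire and system-file writes, and detection triggers a countermeasure compiler that fills a fixed template with a resource section built from the flagged process's own events. The tripwire paths, the system-file list, the events and the template are all constructed.

```python
"""Event classifier and countermeasure compiler over VM monitoring events.

Added example, not the patent's code. Tripwire paths, the system-file list,
the event stream, the hash and the template are constructed.
"""
from collections import defaultdict
from typing import Dict, List

TRIPWIRE_FILES = {r"C:\Users\u\Documents\.tripwire.docx"}        # canaries no legitimate program touches
SYSTEM_FILES = {r"C:\Windows\System32\drivers\etc\hosts"}
# Constructed event data from the VM's monitoring subsystem (t in seconds since the sample started).
EVENTS: List[Dict] = [
    {"t": 0.10, "type": "process_start", "pid": 4242, "image": r"C:\Users\u\Downloads\invoice.exe",
     "sha256": "7f3c0c1d9a5e4b2f0c8d1e6a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c"},
    {"t": 0.32, "type": "file_write", "pid": 4242, "path": r"C:\Users\u\Documents\.tripwire.docx"},
    {"t": 0.41, "type": "file_write", "pid": 4242, "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"t": 0.55, "type": "net_connect", "pid": 4242, "dst": "198.51.100.23:8080"},
    {"t": 0.60, "type": "file_write", "pid": 880, "path": r"C:\Users\u\AppData\Local\Temp\log.txt"},
]


def classify(events: List[Dict]) -> Dict[int, List[str]]:
    """Classifier over the event stream: a process that modifies a tripwire file or a
    monitored system file is flagged, with one reason per offending event."""
    verdicts: Dict[int, List[str]] = defaultdict(list)
    for ev in events:
        if ev["type"] != "file_write":
            continue
        if ev["path"] in TRIPWIRE_FILES:
            verdicts[ev["pid"]].append(f"tripwire:{ev['path']}")
        elif ev["path"] in SYSTEM_FILES:
            verdicts[ev["pid"]].append(f"system_file:{ev['path']}")
    return dict(verdicts)


# "Precompiled template": the actions are fixed, only the resource section varies per sample.
COUNTERMEASURE_TEMPLATE = {
    "template": "block_and_restore_v1",
    "actions": ["deny_execute_by_hash", "block_outbound", "restore_files_from_snapshot"],
    "resources": {},
}


def compile_countermeasure(events: List[Dict], pid: int) -> Dict:
    """Countermeasure compiler: build the resource data section from the flagged
    process's events and populate the template with it."""
    mine = [ev for ev in events if ev["pid"] == pid]
    starts = [ev for ev in mine if ev["type"] == "process_start"]
    resources = {
        "image_sha256": starts[0]["sha256"] if starts else None,
        "block_destinations": sorted({ev["dst"] for ev in mine if ev["type"] == "net_connect"}),
        "restore_files": sorted(ev["path"] for ev in mine if ev["type"] == "file_write"
                                and ev["path"] in SYSTEM_FILES | TRIPWIRE_FILES),
        "trigger_events": len(mine),
    }
    return {key: (resources if key == "resources" else value)
            for key, value in COUNTERMEASURE_TEMPLATE.items()}


def analyze_sample(events: List[Dict]) -> Dict[int, Dict]:
    """Detection triggers generation: one countermeasure per flagged process."""
    return {pid: compile_countermeasure(events, pid) for pid in classify(events)}


if __name__ == "__main__":
    for pid, reasons in classify(EVENTS).items():
        print(f"pid {pid} flagged: {reasons}")
    for pid, cm in analyze_sample(EVENTS).items():
        print(f"countermeasure for pid {pid}: {cm}")
```

Keeping the actions in the template and only the data in the generated section is what makes the output safe to ship automatically: the compiler cannot emit a new kind of action, only new hashes, paths and destinations to feed the actions that were reviewed once.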

More