Total found: 20996. Displayed: 100.
Publication date: 19-01-2012

Method and apparatus for virus throttling with rate limiting

Number: US20120017279A1
Author: Shaun Kazuo Wakumoto
Assignee: Hewlett Packard Development Co LP

A method for traffic control of a network device in a network is disclosed. The network device determines potentially malicious behavior by a host device in the network. A permissible rate of traffic from the host device through a port of the network device is reduced in response to determining the potentially malicious behavior. A rate of traffic through the port of the network device is measured. The measured traffic rate is compared with a threshold rate. The permissible rate of traffic is adjusted based on the comparison.

Publication date: 02-02-2012

Functional patching/hooking detection and prevention

Number: US20120030762A1
Assignee: Trusteer Ltd

A method for preventing malicious attacks on software that use the patching method includes providing a database of known malicious patches (malware). The database contains characteristic signatures of the malware. The method also includes detecting whether a patch is malicious by comparing it with a signature in the database and performing one or more activities needed to prevent the malicious patch from performing undesired activities.

Publication date: 09-02-2012

Smart card, anti-virus system and scanning method using the same

Number: US20120036571A1
Author: InSeon YOO
Assignee: Samsung SDS Co Ltd

A smart card installed in a device receives from the device data to be scanned and determines whether a virus exists in the data. Accordingly, security of the device may be enhanced without using substantial resources of the device.

Publication date: 15-03-2012

System recovery method and computing apparatus having system recovery function

Number: US20120066546A1
Author: Bum-keun Kim
Assignee: SAMSUNG ELECTRONICS CO LTD

A system recovery method and a computing apparatus having a system recovery function. The computing apparatus includes a first memory unit to store a general operating system (OS) in a system partition where a primary anti-virus program operates, and to store a recovery OS in a recovery partition where a secondary anti-virus program operates; a second memory unit to store firmware determining a booting partition of the computing apparatus; and a processor to control execution of the firmware to, when the system partition is infected by a virus and thus the computing apparatus does not boot to the general OS, boot the computing apparatus to the recovery OS, and to control recovery of the system partition.

Publication date: 29-03-2012

Mobile communication system and mobile terminal having function of inactivating mobile communication viruses, and method thereof

Number: US20120079597A1
Author: Ki Chul An
Assignee: PANTECH CO LTD

A mobile communication system for inactivating a virus includes: a database associated with the mobile communication system, for storing at least one virus vaccine program; and a virus monitoring unit associated with the mobile communication system, for checking virus infection of received data, analyzing virus information, choosing one of virus vaccine programs that are stored in the database and inactivating the virus. Virus vaccine programs are timely updated over the air (OTA) whenever a new version of vaccine program is available.

Publication date: 05-04-2012

Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System

Number: US20120084862A1
Assignee: International Business Machines Corp

A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of the ports currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.

Publication date: 19-04-2012

System and method for identifying malicious activities through non-logged-in host usage

Number: US20120096556A1
Author: Gunter D. OLLMANN
Assignee: International Business Machines Corp

A method for identifying malware activities, implemented within a computer infrastructure, includes receiving a data communication via a data channel and determining a user is not interactively logged in to a host. Additionally, the method includes identifying the data communication as a potential malware communication in response to the determining the user is not interactively logged in to the host.

Publication date: 03-05-2012

System and method for a scanning api

Number: US20120110174A1
Assignee: LookOut Inc

Application programs for mobile communication devices are stored in a data store. The applications may be collected from any number of different sources such as through an application programming interface (API), from web crawling, from users, or combinations of these. The applications are analyzed and the analysis results reported. The applications may be “continuously” analyzed so that any changes in assessments can be reported. If an application for which an analysis is sought is not in the data store, information about a different, but related application may be provided.

Publication date: 10-05-2012

Computer Worm Curing System and Method and Computer Readable Storage Medium for Storing Computer Worm Curing Method

Number: US20120117647A1
Assignee: INSTITUTE FOR INFORMATION INDUSTRY

A computer worm curing system includes a string receiving module, a string generating module and a string replying module. The string receiving module receives an infected string, which is generated by a computer worm, from an infected host, which is infected by the computer worm, through a network. The infected string includes a shellcode, and the shellcode is executed utilizing a vulnerable process. The string generating module generates a curing code for curing the computer worm, and replaces the shellcode in the infected string with the curing code to generate a curing string, such that the curing string can be executed utilizing the vulnerable process. The string replying module sends the curing string back to the infected host, such that the curing code of the curing string can be executed utilizing the vulnerable process of the infected host to cure the infected host of the computer worm.

Publication date: 31-05-2012

Anti-malware scanning system and method thereof

Number: US20120137365A1
Author: KangKyu Lee
Assignee: Samsung SDS Co Ltd

Provided are an anti-malware scanning system and a method thereof. The system includes: a host; and a chip which is removably connected to the host, receives a file to be scanned from the host, and scans whether malware exists in the file, wherein the host adjusts a size of the file to be scanned to correspond to a storage capacity of a storage unit of the chip and transmits the adjusted file to the chip. Accordingly, scanning is performed effectively even in an environment in which resources of the anti-malware scanning system are limited.

Publication date: 14-06-2012

Computing system

Number: US20120151580A1
Assignee: SAMSUNG ELECTRONICS CO LTD

Disclosed is a computing system which comprises a data processing device exchanging communication data with external devices and processing the communication data; and a security integrated circuit (IC) monitoring the communication data.

Publication date: 19-07-2012

Computer system and method for scanning computer virus

Number: US20120185940A1
Author: Nobuyuki Saika
Assignee: Individual

According to the present invention, a timeout caused by executing a virus scan is avoided. A computer system has a first computer, a second computer coupled to the first computer, and a storage system coupled to the first computer and the second computer. The first computer receives a request to write data, writes the requested data in the storage system, and sends a virus scan request of the written data to the second computer. The second computer receives the virus scan request from the first computer, reads the written data out of the storage system, and partially executes a virus scan of the read data. After the partial virus scan of the read data is finished, the first computer sends a response to the received write request. After the first computer sends the response, the second computer executes the remainder of the virus scan of the read data.

Publication date: 02-08-2012

Secure auditing system and secure auditing method

Number: US20120198553A1
Assignee: Individual

Disclosed is a technique that audits the security of a terminal connected to a network and executes a given program, wherein a computer-virus-free file is permitted to execute a program in a manner such that a computer virus is not activated. As a result, the terminal is maintained in a secure state.

Publication date: 16-08-2012

Method for identifying infected electronic files

Number: US20120206482A1
Assignee: Individual

The invention relates to electronic engineering and in particular to a method for identifying infected electronic files on a display (monitor) of an electronic device, said infected electronic files being located in the electronic device or on the Internet. The aim of the proposed invention is to provide a novel method of identifying infected electronic files. As a result of the use of the proposed invention, the user of the electronic device or the Internet is provided with the possibility of discovering infected electronic files with the aid of different identification methods which distinguish infected electronic files from uninfected electronic files.

Publication date: 06-09-2012

System And Method For Packet Profiling

Number: US20120227109A1
Author: Jeffrey D. DIMURO
Assignee: JPMorgan Chase Bank NA

Systems and methods for packet profiling are disclosed. According to one embodiment, a method for profiling incoming data packets for an organization includes the steps of (1) receiving, at an interface for a transport provider, a data packet; (2) using a computer processor, analyzing the data packet; (3) using the computer processor, based on the analysis, marking the data packet; and (4) transmitting the data packet to the organization.

Publication date: 13-09-2012

System and method for server-coupled application re-analysis to obtain trust, distribution and ratings assessment

Number: US20120233695A1
Assignee: LookOut Inc

A system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces a characterization assessment and can also provide a characterization re-assessment for the application, or data object, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The servers transmit notifications to devices that have installed applications that are discovered to be undesirable. The server can accumulate this data and then perform a characterization re-assessment of a data object it has previously assessed to provide an assessment based upon one of trust, distribution and ratings information.

Publication date: 20-09-2012

Memory storage device and memory controller and virus scanning method thereof

Number: US20120240230A1
Author: Chien-Fu Lee
Assignee: Phison Electronics Corp

A memory storage device, a memory controller, and a virus scanning method are provided. In the method, a virus signature database recording a predetermined file segment and a corresponding virus signature is provided. A plurality of logical addresses is mapped to a part of a plurality of physical addresses in a rewritable non-volatile memory chip of the memory storage device, and a host system accesses the logical addresses by using a file system including a file allocation table (FAT). At least one binary code is received. The FAT is analyzed to identify the file segment containing the at least one binary code. If the file segment matches the predetermined file segment and the at least one binary code matches the virus signature corresponding to the predetermined file segment, the at least one binary code is neither written into the memory storage device nor transmitted back to the host system.

Publication date: 20-09-2012

Crawling multiple markets and correlating

Number: US20120240236A1
Assignee: LookOut Inc

A crawler program collects and stores application programs, including application binaries and associated metadata, from any number of sources such as official application marketplaces and alternative application marketplaces. An analysis including comparisons and correlations is performed among the collected data in order to detect and warn users about pirated or maliciously modified applications.

Publication date: 27-09-2012

Method and apparatus for determining software trustworthiness

Number: US20120246721A1
Author: Pieter Viljoen
Assignee: Symantec Corp

Aspects of the invention relate to a method, apparatus, and computer readable medium for determining software trustworthiness. In some examples, a software package identified as including at least one file of unknown trustworthiness is installed on a clean machine. A report package including a catalog of files that have been installed or modified on the clean machine by the software package is generated. Identification attributes for each of the files in the catalog are determined. Each of the files in the catalog is processed to assign a level of trustworthiness thereto. The report package is provided as output.

Publication date: 27-09-2012

Data storage devices including integrated anti-virus circuits and method of operating the same

Number: US20120246729A1
Assignee: SAMSUNG ELECTRONICS CO LTD

A data storage device includes a storage medium and a controller circuit configured to be coupled to an external host to provide an interface between the external host and the storage medium, the controller circuit configured to detect a virus carried by a data file transferred to and/or stored in the storage medium. The controller circuit may be further configured to cure the detected virus.

Publication date: 18-10-2012

Multi-Nodal Malware Analysis

Number: US20120266245A1
Assignee: Raytheon Co

A computer-implemented method includes accessing, by an analysis console, information related to a first file received at a first host of a plurality of hosts. Each host is capable of running a corresponding set of malware detection processes. The information includes: an identifier of the first file; and data indicating a first result of the first host applying the set of malware detection processes to the first file. The identifier is generated by the first host and is usable by each of the hosts to determine whether a second file comprises content substantially equivalent to content of the first file. The analysis console generates a first output including: the identifier of the first file; and a second result indicating whether the first file comprises malware. The second result is usable by each of the hosts to determine whether the second file comprises malware. The first output is propagated to the hosts.

Publication date: 15-11-2012

System and method for server-coupled application re-analysis

Number: US20120290640A1
Assignee: LookOut Inc

To prevent malware, spyware and other undesirable applications from affecting mobile communication devices (e.g., smartphones, netbooks, and tablets), a device uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces a categorization assessment and can provide a categorization re-assessment, and transmits the assessment to the device. By performing analysis on a server, a device can reduce its battery and performance cost of protecting against undesirable applications. The server transmits notifications to devices that have installed applications that are discovered to be undesirable. The server receives data about applications from many devices, using the combined data to minimize false positives and provide comprehensive protection against known and unknown threats. The server can accumulate this data and perform a categorization re-assessment of a data object previously assessed.

Publication date: 15-11-2012

Emulating Mixed-Code Programs Using a Virtual Machine Instance

Number: US20120290848A1
Assignee: Microsoft Corp

The subject disclosure is directed towards a technology for efficiently emulating program code that is protected by one or more various code virtualization techniques to detect the presence of malware. An emulation engine emulates a program containing a mix of native code, custom (e.g., virtualized obfuscated) code, and at least one emulator and/or interpreter that understands the custom code, by building a custom emulation component that is built by detecting and analyzing the internal emulator or interpreter. The custom emulation component may access a translation table built from the analysis, and also may simplify a plurality of instructions in the program into a lesser number of instructions in an intermediate language used for emulation.

Publication date: 29-11-2012

Automatic detection of search results poisoning attacks

Number: US20120304287A1
Assignee: Microsoft Corp

Search result poisoning attacks may be automatically detected by identifying groups of suspicious uniform resource locators (URLs) containing multiple keywords and exhibiting patterns that deviate from other URLs in the same domain without crawling and evaluating the actual contents of each web page. Suspicious websites are identified and lexical features are extracted for each such website. The websites are clustered based on their lexical features, and group analysis is performed on each group to identify at least one suspicious group. Other implementations are directed to detecting a search engine optimization (SEO) attack by processing a large population of URLs to identify suspicious URLs based on the presence of a subset of keywords in each URL and the relative newness of each URL.

Publication date: 06-12-2012

System and method for non-signature based detection of malicious processes

Number: US20120311708A1
Assignee: McAfee LLC

Systems and methods for detecting malicious processes in a non-signature based manner are disclosed. The system and method may include gathering features of processes running on an electronic device, applying a set of rules to the features, and applying a statistical analysis to the results of the rules application to determine whether a process should be classified into one or more of a plurality of process categories.

Publication date: 20-12-2012

Systems and methods providing wear leveling using dynamic randomization for non-volatile memory

Number: US20120324141A1
Assignee: Georgia Tech Research Corp

Systems and methods for dynamically remapping elements of a set to another set based on random keys. Applying these systems and methods to dynamically mapping regions of the memory space of non-volatile memory, e.g., phase-change memory (PCM), can provide a wear-leveling technique. The wear-leveling technique can be effective under normal execution of typical applications and in worst-case scenarios, including the presence of malicious exploits and/or compromised operating systems: constantly migrating the physical location of data inside the PCM avoids information leakage and increases security; the random relocation of data distributes memory requests across the physical memory space and increases durability; and such wear-leveling schemes can be implemented to provide fine-grained wear leveling without overly burdensome hardware overhead such as a look-up table.

Publication date: 03-01-2013

Portable Security Device and Methods for Detection and Treatment of Malware

Number: US20130007883A1
Author: Oleg V. Zaitsev
Assignee: Kaspersky Lab AO

Disclosed is a portable security device and method for detection and treatment of computer malware. The security device includes a communication interface for connecting to a computer, a memory for storing a set of data for use in malware detection experiments, and an antivirus engine configured to perform one or more malware detection experiments on the computer. A malware detection experiment includes simulating a connection to the computer of a data storage device containing a predefined set of data. The antivirus engine is further configured to identify modifications in the set of data contained in the data storage device after termination of one or more malware detection experiments, analyze the modified set of data for the presence of computer malware, determine a treatment mechanism for the detected malware, perform treatment of the detected malware on the computer, and generate user reports.

Publication date: 17-01-2013

Remote-Assisted Malware Detection

Number: US20130019306A1
Assignee: AT&T INTELLECTUAL PROPERTY I LP

Remote assistance is provided to a mobile device across a network to enable malware detection. The mobile device transmits potentially infected memory pages to a remote server across a network. The remote server performs analysis, and provides feedback to the mobile device. Based on the received feedback, the mobile device halts a process, or retrieves and transmits additional memory pages to the remote server for more analysis. This process is repeated until a compromised region of memory is identified and/or isolated for further repair to be performed. The feedback from the remote server reduces the processing and storage burden on the mobile device, resulting in a more reliable detection that uses fewer resources. Embodiments including hypervisors and virtual machines are disclosed.

Publication date: 24-01-2013

Auditing a device

Number: US20130024936A1
Assignee: Fatskunk Inc

The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration are received. Initialization information is also received. The physical memory is selectively written in accordance with a function. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier.

Publication date: 31-01-2013

System and methods for adaptive model generation for detecting intrusion in computer systems

Number: US20130031633A1
Assignee: Columbia University of New York

A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.

Publication date: 14-02-2013

Server based malware screening

Number: US20130042324A1
Author: James D. Bennett
Assignee: ENPULZ LLC

An Internet infrastructure is provided to transfer a packet of data between a client device and a source device. The infrastructure consists of a support server that screens the packet for malware codes on behalf of a registered client. In order to scan for malware, the support server contains hardware and/or software modules to perform malware detection and quarantine functions. The modules identify malware bit sequences in the packet(s); the malware bit sequences or the entire contaminated code are quarantined or repaired as appropriate. After identification of malware code (if any), the support server sends warning messages to affected parties, providing information regarding the malware codes that were detected.

Publication date: 28-02-2013

Enhanced browsing with security scanning

Number: US20130055395A1
Assignee: BT Web Solutions LLC

A method scans a second web page linked to a first web page being displayed by a browser in a browser window. The method identifies, in the first web page, a target link to the second web page. Prior to receiving a user selection of the target link, the method prefetches content from the second web page and loads it into a safe cache according to a prefetching order before receiving the user selection of the target link and before the content of the second web page is opened by an application configured to provide access to the content of the second web page. The method scans the prefetched content from the second web page for a security threat, within the safe cache, which is configured to prevent the prefetched content from altering a memory location or storage location external to the safe cache.

Publication date: 21-03-2013

Providing a Network-Accessible Malware Analysis

Number: US20130074185A1
Assignee: Raytheon Co

In certain embodiments, a computer-implemented method comprises receiving, via a computer network and from a first computer system, a first malware analysis request. The first malware analysis request comprises a file to be analyzed for malware by a malware analysis system. The method includes initiating a malware analysis of the first file by the malware analysis system. The method includes communicating to the first computer system a response for the first file determined by the malware analysis system. The response comprises an indication of whether the first file comprises malware.

Publication date: 28-03-2013

Outbound Connection Detection and Blocking at a Client Computer

Number: US20130081129A1
Author: Jarno Niemelä
Assignee: F Secure Oyj

A method of detecting and blocking a malicious SSL connection at a client computer. The method includes identifying, at a network firewall level, an outbound SSL connection being set up at the client computer; detecting an SSL certificate associated with the SSL connection; sending a request to a central server for reputation information on the SSL certificate; at the central server, determining reputation information in dependence upon the SSL certificate; providing said reputation information from the central server to the client computer; and using the reputation information at the client computer to determine whether or not to block the connection.

Publication date: 04-04-2013

SYSTEM AND METHOD FOR PREVENTING MALWARE ON A MOBILE COMMUNICATION DEVICE

Number: US20130086682A1
Assignee: Lookout, Inc., a California Corporation

A server receives from a mobile communication device information about a data object (e.g., application) on the device when the device cannot assess the data object. The server uses the information along with other information stored at the server to assess the data object. Based on the assessment, the device may be permitted to access the data object or the device may not be permitted to access the data object. The other information stored at the server can include data objects known to be bad, data objects known to be good, or both.

1. A non-transitory computer-readable storage medium having stored thereon a plurality of instructions which, when executed by a processor, cause the processor to perform the steps of a method for assessing a data object present on a mobile communication device, the assessment provided by a server computer, the method comprising: before receiving data identifying at least a portion of the data object present on the mobile communication device at the server computer, determining if previously stored definition information stored in a local store at the mobile communication device corresponds to the data identifying at least a portion of the data object present on the mobile communication device, the local store storing a corresponding assessment for the previously stored definition information; and, if the previously stored definition information in the local store at the mobile communication device does not correspond to the data identifying at least a portion of the data object present on the mobile communication device, then at the server computer, receiving data identifying at least a portion of the data object present on the mobile communication device; at the server, determining if previously stored definition information for a data object corresponds to the received data, the definition information stored in a data store accessible by the server, the data store storing a corresponding assessment for the definition information; if ...

Publication date: 11-04-2013

Login initiated scanning of computing devices

Number: US20130091569A1
Assignee: Bank of America Corp

Embodiments of the invention relate to systems, methods, and computer program products for login initiated remote scanning of computer devices. The present invention detects login to the network via access management systems. The login data provides information that identifies the device so that the device can be checked against a scan database to determine if and when a previous scan occurred. Based on the findings in the scan database determinations are made as to whether to perform a scan. Additionally, the level of scanning can be determined based on previous scan dates and previous scan results, which may dictate customized scanning. In addition, the priority of the impending scan may be dictated by previous scan dates and results. Further embodiments provide for assessing risk, such as risk scoring or the like, concurrently or in near-real-time with the completion of the scan so that alerts may be communicated.

Publication date: 18-04-2013

System and method for profile based filtering of outgoing information in a mobile environment

Number: US20130097652A1
Assignee: McAfee LLC

A system and method in one embodiment include modules for detecting an access request by an application to access information on a mobile device, determining that the application is a potential threat according to at least one policy filter, and blocking a send request by the application to send the information from the mobile device without the user's consent. More specific embodiments include the user selecting the information through a selection menu on a graphical user interface that includes information categories pre-populated by the operating system of the mobile device, and keywords that can be entered by the user. Other embodiments include queuing the send request with other requests and presenting an outbox comprising the queue to the user, who chooses whether to consent to the requests. The outbox includes graphical elements that permit the user to selectively consent to any request in the queue.

Publication date: 18-04-2013

SYSTEM AND METHOD TO LOCATE A PREFIX HIJACKER WITHIN A ONE-HOP NEIGHBORHOOD

Number: US20130097703A1
Assignee: AT&T Intellectual Property I, L.P.

Method, system and computer-readable device to locate a prefix hijacker of a destination prefix within a one-hop neighborhood. The method includes generating one-hop neighborhoods from the autonomous system-level paths of a plurality of monitors to a destination prefix. The method also includes determining a suspect set of autonomous system identifiers resulting from a union of the one-hop neighborhoods. The method further includes calculating a count and a distance associated with each autonomous system identifier in the suspect set. The count represents how often an autonomous system identifier appears in the one-hop neighborhoods. The distance represents the total number of autonomous system identifiers from the autonomous system identifier to the autonomous system identifiers associated with the plurality of monitors. Yet further, the method includes generating a one-hop suspect set including the autonomous system identifiers in the suspect set that have the greatest sum of the count and the distance.

1. A method of locating a prefix hijacker within a one-hop neighborhood, the method comprising: generating, using a computing system, one-hop neighborhoods from autonomous system-level paths to a destination prefix, the autonomous system-level paths associated with a plurality of monitors, each of the one-hop neighborhoods including autonomous system identifiers that are in an autonomous system-level path and autonomous system identifiers that are within one hop of the autonomous system identifiers in the autonomous system-level path; determining, using the computing system, a suspect set of autonomous system identifiers resulting from a union of the one-hop neighborhoods; calculating, using the computing system, a count and a distance associated with each autonomous system identifier in the suspect set of autonomous system identifiers, the count representing how often an autonomous system identifier appears in the one-hop ...

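Worked example of the count-and-distance scoring described in the abstract above. This is an added illustration, not code from the patent or from AT&T: the monitor paths and the AS adjacency map are constructed, and the rule that an off-path neighbor inherits the distance of the on-path AS it hangs off is this example's own assumption, since the abstract does not say how distance is assigned to ASes the observed route never traverses.

```python
from collections import defaultdict

# Constructed data, not from the patent: three monitors, each with the
# AS-level path it observed to the victim prefix after a hijack. Index 0 is
# the monitor's own AS, the last element is the origin announcing the prefix
# (AS 666 plays the hijacker).
MONITOR_PATHS = [
    [100, 200, 300, 666],
    [110, 210, 300, 666],
    [120, 220, 310, 666],
]

# Constructed AS adjacency used to expand a path into its one-hop
# neighborhood. In practice this comes from collected BGP tables.
ADJACENCY = {
    100: {101, 200}, 101: {100}, 200: {100, 300},
    110: {210}, 210: {110, 300},
    120: {220}, 220: {120, 310},
    300: {200, 210, 400, 666}, 400: {300},
    310: {220, 410, 666}, 410: {310},
    666: {300, 310, 777}, 777: {666},
}


def one_hop_neighborhood(path, adjacency):
    """Map every AS on `path` or one hop off it to its distance from the
    monitor, measured as the number of path hops from index 0.
    Assumption (the abstract does not fix this): an off-path neighbor takes
    the distance of the nearest on-path AS it is attached to, because the
    observed route never actually traverses it."""
    hood = {}
    for hops, asn in enumerate(path):
        hood.setdefault(asn, hops)
    for hops, asn in enumerate(path):
        for neighbor in adjacency.get(asn, ()):
            hood.setdefault(neighbor, hops)
    return hood


def score_suspects(monitor_paths, adjacency):
    """The union of all neighborhoods is the suspect set. For each AS in it,
    count = number of neighborhoods it appears in, distance = sum of its
    per-monitor distances. Returns {asn: (count, distance)}."""
    count = defaultdict(int)
    distance = defaultdict(int)
    for path in monitor_paths:
        for asn, hops in one_hop_neighborhood(path, adjacency).items():
            count[asn] += 1
            distance[asn] += hops
    return {asn: (count[asn], distance[asn]) for asn in count}


def one_hop_suspect_set(monitor_paths, adjacency):
    """ASes with the greatest count + distance: seen by (nearly) every
    monitor and far from all of them, which is where a hijacking origin and
    its immediate neighbors sit. Returned sorted for determinism."""
    scores = score_suspects(monitor_paths, adjacency)
    best = max(c + d for c, d in scores.values())
    return sorted(asn for asn, (c, d) in scores.items() if c + d == best)


if __name__ == "__main__":
    for asn, (c, d) in sorted(score_suspects(MONITOR_PATHS, ADJACENCY).items()):
        print(f"AS{asn}: count={c} distance={d} score={c + d}")
    print("one-hop suspect set:", one_hop_suspect_set(MONITOR_PATHS, ADJACENCY))
```

With the constructed data the top score is shared by AS 666 (the true origin of the bogus announcement) and its stub neighbor AS 777: the method narrows the search to a one-hop set around the hijacker rather than pinpointing a single AS, which is exactly the granularity the title promises.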
Publication date: 18-04-2013

Handling Noise in Training Data for Malware Detection

Number: US20130097704A1
Assignee: Bitdefender IPR Management Ltd

Described systems and methods reduce the noise found in a corpus used for training automatic classifiers for anti-malware applications. Some embodiments target pairs of records that carry opposing labels, e.g., one record labeled clean/benign and the other labeled malware. When two such records are found to be similar, they are identified as noise and are either discarded from the corpus or relabeled. Two records may be deemed similar when, in a simple case, they share a majority of features or, in a more sophisticated case, they are sufficiently close in a feature space according to some distance measure.

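An added example of the simple similarity case in the abstract above (shared features, measured here as Jaccard similarity over feature sets); it is not Bitdefender's code. The corpus is constructed, the 0.8 threshold is arbitrary, and the relabeling rule (majority label among a record and its near-duplicates, ties left alone) is this example's choice, since the abstract only says conflicting pairs are discarded or relabeled.

```python
# Constructed corpus, not from the patent: each record is a labeled sample
# with a set of features (here, names of imported API functions).
SAMPLE_CORPUS = [
    {"id": "a1", "label": "malware",
     "features": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "OpenProcess"}},
    {"id": "a2", "label": "malware",
     "features": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "GetProcAddress"}},
    {"id": "a3", "label": "malware",
     "features": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "OpenProcess", "ReadFile"}},
    # b1 has exactly a3's features but carries the opposite label: label noise.
    {"id": "b1", "label": "clean",
     "features": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "OpenProcess", "ReadFile"}},
    {"id": "c1", "label": "clean",
     "features": {"MessageBoxW", "GetWindowTextW", "ReadFile"}},
]


def jaccard(a, b):
    """Share of features two records have in common, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_conflicting_pairs(records, threshold=0.8):
    """Pairs of records with opposing labels whose feature sets are at least
    `threshold` similar; these are the noise candidates. Order follows the
    corpus position of the first member."""
    pairs = []
    for i, ri in enumerate(records):
        for rj in records[i + 1:]:
            if ri["label"] != rj["label"] and jaccard(ri["features"], rj["features"]) >= threshold:
                pairs.append((ri["id"], rj["id"]))
    return pairs


def clean_corpus(records, threshold=0.8, mode="discard"):
    """mode='discard' removes every record that takes part in a conflicting
    pair. mode='relabel' keeps them and gives each the majority label among
    itself and its near-duplicates (a tie keeps the original label). The
    voting rule is this example's assumption, not the patent's."""
    conflicted = {rid for pair in find_conflicting_pairs(records, threshold) for rid in pair}
    if mode == "discard":
        return [r for r in records if r["id"] not in conflicted]
    if mode != "relabel":
        raise ValueError(f"unknown mode {mode!r}")
    cleaned = []
    for r in records:
        if r["id"] not in conflicted:
            cleaned.append(dict(r))
            continue
        votes = {}
        for other in records:  # the record votes for itself as well
            if other is r or jaccard(r["features"], other["features"]) >= threshold:
                votes[other["label"]] = votes.get(other["label"], 0) + 1
        ranked = sorted(votes.items(), key=lambda kv: kv[1], reverse=True)
        label = r["label"]
        if len(ranked) == 1 or ranked[0][1] != ranked[1][1]:
            label = ranked[0][0]
        cleaned.append({**r, "label": label})
    return cleaned


if __name__ == "__main__":
    print("conflicts:", find_conflicting_pairs(SAMPLE_CORPUS))
    print("discard  :", [r["id"] for r in clean_corpus(SAMPLE_CORPUS)])
    print("relabel  :", [(r["id"], r["label"]) for r in clean_corpus(SAMPLE_CORPUS, mode="relabel")])
```

Discarding throws away the genuinely malicious a1 and a3 along with the mislabeled b1; relabeling keeps all three and flips b1 to malware because two of its near-duplicates outvote it. Which is preferable depends on whether the corpus can afford to lose samples, which is why the abstract leaves both options open.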
Publication date: 18-04-2013

AUTOMATED BEHAVIORAL AND STATIC ANALYSIS USING AN INSTRUMENTED SANDBOX AND MACHINE LEARNING CLASSIFICATION FOR MOBILE SECURITY

Number: US20130097706A1
Assignee: Veracode, Inc.

The present system includes a computer-networked system that allows mobile subscribers, and others, to submit mobile applications to be analyzed for anomalous and malicious behavior using data acquired during execution of the application within a highly instrumented and controlled environment; the analysis relies on per-execution data as well as comparative aggregate data across many such executions from one or more subscribers.

1. A method for assessing the quality of mobile applications, the method comprising: providing a computer networked environment comprising a cloud-based service for mobile devices that, when operated: performs a static analysis risk assessment of binary code associated with a plurality of mobile applications, each being submitted by a submission source; examines execution behaviors of the mobile applications within an instrumented sandbox environment; and aggregates analyses of the execution behaviors and static analysis into predictor statistics describing quality and vulnerability characteristics of mobile applications. 2. The method of claim 1, wherein the cloud-based service generates an analysis vector comprised of one or more feature sets derived from analysis of application-related data selected from the group comprising execution characteristics of the application and analysis of static characteristics of the application. 3. The method of claim 1, wherein the cloud service generates an analysis report comprised of at least one of: a risk assessment identifying suspicious behavioral characteristics of the mobile application; a malware confidence rating indicating a confidence of the risk assessment; a malware risk rating indicating dangerousness of the associated risks; and a malware label indicating details about the nature of the risks associated with the mobile application. 4. The method of further comprising accumulating analysis results from a selected set of previously generated analysis vectors. 5. The method of ...

Publication date: 25-04-2013

Private Domain Name Registration

Number: US20130104229A1
Assignee: Network Solutions, LLC

A service for protecting the privacy of domain name registrants while preserving the registrant's ability to directly change the registration information or transfer the registration. A whois record is created that reflects the registrant's actual identity but contains contact information that is entirely associated with a privacy service.

1. A method for protecting the privacy of a registrant of a domain name, comprising configuring a whois record such that the registrant name displayed in the whois record is the actual registrant name and the contact information displayed in the whois record is entirely alternate contact information. 2. The method of claim 1, wherein correspondence received at an alternate contact is forwarded to a registrant contact in accordance with a predetermined rule. 3. The method of claim 2, wherein postal correspondence received at an alternate contact is scanned and forwarded to a registrant e-mail address. 4. The method of claim 1, wherein an e-mail message received at an alternate e-mail address is scanned and forwarded to a registrant e-mail address if it is determined not to be spam and not to contain malicious code. 5. An apparatus for protecting the privacy of a registrant of a domain name, comprising: a processor; a memory coupled to said processor, said memory storing a whois record for a domain name registration wherein the registrant name of the whois record is the actual registrant name and the contact information of the whois record is entirely alternate contact information. 6. The apparatus of claim 5, wherein said instructions are further adapted to be executed by said processor to perform steps including: receiving an e-mail message addressed to an alternate e-mail address listed in a whois record; scanning the e-mail message for spam; and forwarding the e-mail message to an e-mail address specified by the registrant if the message is determined not to be spam. 7. The apparatus of claim 5, wherein ...

Publication date: 25-04-2013

Detection of undesired computer files in archives

Number: US20130104235A1
Assignee: Fortinet Inc

Systems and methods for content filtering are provided. According to one embodiment, the type and structure of an archive file are determined. The archive file includes identification bytes that identify the type of archive file and header information, both in unencrypted and uncompressed form, and a file data portion containing the contents of files in encrypted form, compressed form, or both. The determination is based solely on the identification bytes and/or the header information. Based thereon, descriptive information describing characteristics of the files is extracted from the header information for each file. The descriptive information includes a checksum of the file in uncompressed form, a size of the file in uncompressed form, and/or a size of the file in compressed form. A file is identified as potentially malicious or undesired when a comparison of the descriptive information to detection signatures of known malicious or undesired files results in a match.

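An added example, not Fortinet's code, of the header-only matching the abstract describes, applied to the ZIP format: the local file header is always stored in the clear and carries the CRC-32 and uncompressed size of the plaintext, so an entry can be matched against a (checksum, size) signature without decrypting or decompressing it. The archive bytes, the "malicious" payload and the signature table are constructed here; the encrypted entry uses a stand-in XOR rather than real ZipCrypto, which does not matter because the scanner never reads the file data at all.

```python
import struct
import zlib

LOCAL_HEADER = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"   # 30-byte little-endian local file header
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008


def build_entry(name, data, encrypted=False):
    """Constructed test data: one ZIP local file header followed by stored
    (uncompressed) file data. The CRC-32 and sizes in the header describe
    the plaintext whether or not the payload is encrypted. The 'ciphertext'
    is a stand-in XOR, not real ZipCrypto or AES."""
    payload = bytes(b ^ 0x5A for b in data) if encrypted else data
    name_b = name.encode("utf-8")
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER, 20,
                         FLAG_ENCRYPTED if encrypted else 0,
                         0, 0, 0, zlib.crc32(data) & 0xFFFFFFFF,
                         len(payload), len(data), len(name_b), 0)
    return header + name_b + payload


def iter_local_headers(blob):
    """Walk the local file headers without decompressing or decrypting.
    Stops at the first signature that is not a local header (the central
    directory). Only the identification bytes and header fields are read."""
    off = 0
    while blob[off:off + 4] == LOCAL_HEADER:
        fields = struct.unpack_from(LOCAL_HEADER_FMT, blob, off)
        _, _, flags, method, _, _, crc, csize, usize, nlen, xlen = fields
        off += struct.calcsize(LOCAL_HEADER_FMT)
        name = blob[off:off + nlen].decode("utf-8", errors="replace")
        off += nlen + xlen
        if flags & FLAG_DATA_DESCRIPTOR:
            # Streamed entries defer CRC and sizes to a trailing descriptor;
            # a full scanner reads the central directory instead.
            raise ValueError(f"{name}: sizes deferred to data descriptor")
        yield {"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
               "method": method, "crc": crc, "csize": csize, "usize": usize}
        off += csize   # skip the (possibly encrypted) file data


def scan_archive(blob, signatures):
    """Match each entry's (crc32, uncompressed size) against known-bad
    descriptors. Returns [(entry name, signature label), ...]."""
    hits = []
    for entry in iter_local_headers(blob):
        label = signatures.get((entry["crc"], entry["usize"]))
        if label:
            hits.append((entry["name"], label))
    return hits


# Constructed sample: a benign note plus a 'malicious' payload whose
# descriptor is in the signature table, stored with the encryption flag set.
BAD_PAYLOAD = b"constructed-malicious-payload-0001"
SIGNATURES = {(zlib.crc32(BAD_PAYLOAD) & 0xFFFFFFFF, len(BAD_PAYLOAD)): "Constructed.Sample"}
SAMPLE_ARCHIVE = (build_entry("readme.txt", b"nothing to see here")
                  + build_entry("invoice.exe", BAD_PAYLOAD, encrypted=True))

if __name__ == "__main__":
    for e in iter_local_headers(SAMPLE_ARCHIVE):
        print(f"{e['name']:12s} encrypted={e['encrypted']} crc={e['crc']:08x} usize={e['usize']}")
    print("hits:", scan_archive(SAMPLE_ARCHIVE, SIGNATURES))
```

The caveat a practitioner should keep in mind: a (CRC-32, size) pair is a weak signature, so an attacker who controls the payload can pad it to a different length or append bytes to a chosen CRC; the technique buys coverage of archives that cannot be opened, not resistance to a targeted evasion.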
Publication date: 09-05-2013

System and Method for Bidirectional Trust Between Downloaded Applications and Mobile Devices Including a Secure Charger and Malware Scanner

Number: US20130117854A1
Assignee: Andrew M. Wesie, Brian S. Pak, Douglas Britton

A system and method are described that enable mobile smart devices, such as cellular phones, PDAs, iPads, smartphones, mobile payment systems, mobile healthcare systems, handheld law enforcement systems, and other types of tablet devices, to trust downloaded applications, and that enable the downloaded applications to trust the mobile smart devices onto which they are downloaded. The system and method charge a mobile smart device and, while charging it, scan for malware and other viruses in the applications and the operating system on the mobile smart device.

Publication date: 16-05-2013

OFFLINE EXTRACTION OF CONFIGURATION DATA

Number: US20130125237A1
Assignee: MICROSOFT CORPORATION

A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on those operations, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests from antimalware programs using cached information without impacting other programs that use the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access it.

1. A computer-readable storage medium having instructions stored therein for using cached system configuration data by performing actions comprising: receiving a request to access the cached system configuration data, wherein the cached system configuration data relates to the computing device, and wherein the request includes a first logical path for a resource; determining that the cached system configuration data is valid; searching the cached system configuration data for a record entry that is associated with the first logical path; retrieving a value of the record entry that is associated with the first logical path, wherein the value includes a second logical path usable to access the resource when a user associated with the cached system configuration data is logged on to the computing device; and providing a response to the received request, wherein the response includes the retrieved value. 2. The computer-readable storage medium of claim 1, wherein the actions further comprise: employing the second logical path during an anti-malware operation. 3. The ...

Publication date: 16-05-2013

CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS

Number: US20130125238A1
Assignee: Fortinet, Inc.

Methods and systems for content filtering of remote file-system access protocols are provided. According to one embodiment, a first set of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests, originated by a first process running on a client and relating to a file associated with a share of a server, and a second set of SMB/CIFS protocol requests, originated by a second process running on the client and relating to the same file, are transparently proxied by a gateway device. The gateway device determines whether malicious, dangerous or unauthorized content is contained within the file by (i) buffering the data being read from or written to the file as a result of the first and second sets of SMB/CIFS protocol requests into a shared file buffer, and (ii) performing content filtering on the shared file buffer when a scanning condition is satisfied.

1. A method comprising: transparently proxying, by a gateway device, (i) a first plurality of Server Message Block/Common Internet File System (SMB/CIFS) protocol requests originated by a first process running on a client and relating to a file associated with a share of a server and (ii) a second plurality of SMB/CIFS protocol requests originated by a second process running on the client and relating to the file; and determining, by the gateway device, the existence or non-existence of malicious, dangerous or unauthorized content contained within the file by: buffering data being read from or written to the file as a result of the first plurality of SMB/CIFS protocol requests and the second plurality of SMB/CIFS protocol requests into a shared file buffer within a memory of the gateway device; and, when one or more of a plurality of scanning conditions are satisfied, performing content filtering on the shared file buffer. 2. The method of claim 1, further comprising tracking, by the gateway device, references to the shared file buffer by maintaining a ...

Publication date: 23-05-2013

PATTERN MATCHING ENGINE, TERMINAL APPARATUS USING THE SAME, AND METHOD THEREOF

Number: US20130133067A1
Author: YOO InSeon
Assignee: SAMSUNG SDS CO., LTD.

Provided is a pattern matching engine. The pattern matching engine calculates an error detection sign of target data and compares it with the error detection sign of a malware pattern in the malware pattern DB. Only when the two error detection signs are identical does the engine compare the target data with the malware pattern itself.

1. A pattern matching engine, comprising: an error detection sign comparison unit which calculates an error detection sign of sub-data, which is a part of target data, and compares the calculated error detection sign with an error detection sign of a malware pattern; and a matcher which, when the error detection sign of the sub-data and the error detection sign of the malware pattern are identical to each other, compares the sub-data with the malware pattern. 2. The pattern matching engine as claimed in claim 1, further comprising a hash loader which compares a hash value of the sub-data with a hash value of the malware pattern; wherein, when the hash value of the sub-data and the hash value of the malware pattern are identical to each other, the matcher compares the sub-data with the malware pattern. 3. The pattern matching engine as claimed in claim 2, further comprising a hash value comparison unit which: calculates a hash value of the target data by applying a hash algorithm, and compares the calculated hash value with a hash value of the malware pattern; wherein the error detection sign comparison unit, the matcher, and the hash loader are operated only after an indication that the hash value of the target data and the hash value of the malware pattern are not identical to each other. 4. The pattern matching engine as claimed in claim 3, further comprising a text loader which provides the sub-data to the hash loader and the error detection sign comparison unit. 5. The pattern matching engine as claimed in claim 2, further ...

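An added example of the staged matching in claims 1 to 3 above; it is not Samsung's engine. A whole-target hash check runs first, then a cheap error detection sign (CRC-32 here, the patent does not name the algorithm) is compared per sub-data window, a hash is compared only for windows whose sign matched, and a byte-for-byte comparison runs only after both. The patterns, labels and target bytes are constructed; the stats counters are this example's addition so the reader can see how little work reaches the expensive stage.

```python
import hashlib
import zlib

# Constructed patterns, not from any real malware DB. Labels and bytes are made up.
PATTERNS = {
    "Constructed.A": b"EXEC_PATTERN_ALPHA",
    "Constructed.B": b"drop-and-run-beta",
}
# Constructed target: filler bytes with both patterns embedded at offsets 13 and 42.
TARGET = (b"header bytes " + PATTERNS["Constructed.A"]
          + b" more data " + PATTERNS["Constructed.B"] + b" tail")


def error_detection_sign(chunk):
    """The engine's cheap per-chunk sign. CRC-32 is this example's choice."""
    return zlib.crc32(chunk)


def build_pattern_db(patterns):
    """Precompute the error detection sign and hash of every pattern once."""
    return {
        label: {"bytes": pat,
                "crc": error_detection_sign(pat),
                "sha256": hashlib.sha256(pat).digest()}
        for label, pat in patterns.items()
    }


def match_target(target, db):
    """Stage 1 (hash value comparison unit): hash of the whole target
    against every pattern hash; a hit ends the scan.
    Stage 2 (text loader + error detection sign comparison unit): slide a
    window of each pattern length over the target and compare signs.
    Stage 3 (hash loader, then matcher): only windows whose sign matched are
    hashed, and only hash matches are compared byte for byte.
    Returns (hits, stats): hits is [(label, offset)], stats counts the work
    done by each stage."""
    stats = {"crc_checks": 0, "hash_checks": 0, "byte_compares": 0}
    whole = hashlib.sha256(target).digest()
    for label, pat in db.items():
        stats["hash_checks"] += 1
        if whole == pat["sha256"]:
            return [(label, 0)], stats
    by_length = {}
    for label, pat in db.items():
        by_length.setdefault(len(pat["bytes"]), []).append((label, pat))
    hits = []
    for offset in range(len(target)):
        for n, group in sorted(by_length.items()):
            window = target[offset:offset + n]
            if len(window) < n:
                break
            crc = error_detection_sign(window)
            for label, pat in group:
                stats["crc_checks"] += 1
                if pat["crc"] != crc:
                    continue
                stats["hash_checks"] += 1
                if hashlib.sha256(window).digest() != pat["sha256"]:
                    continue
                stats["byte_compares"] += 1
                if window == pat["bytes"]:
                    hits.append((label, offset))
    return hits, stats


if __name__ == "__main__":
    hits, stats = match_target(TARGET, build_pattern_db(PATTERNS))
    print("hits :", hits)
    print("stats:", stats)
```

On the constructed target the sign comparison runs for every window but the hash and byte stages run only twice, once per real hit. The design trades a one-off cost per pattern (precomputed sign and hash) for a scan loop in which the dominant operation is a 32-bit compare; the weakness to remember is that CRC-32 is not collision resistant, which is exactly why the claims keep the hash and the byte comparison behind it rather than trusting the sign alone.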
Publication date: 30-05-2013

Taint injection and tracking

Number: US20130139262A1
Assignee: Individual

An electronic device can comprise an input interface and a hardware component coupled to the input interface. The input interface is operable to receive a plurality of taint indicators, each corresponding to at least one of a plurality of taints indicative of potential security risk, injected from at least one of a plurality of resources. The hardware component is operable to track the plurality of taints.

Publication date: 06-06-2013

METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT

Number: US20130145463A1
Assignee: Invincea, Inc.

A non-transitory processor-readable medium stores code representing instructions that cause a processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of the actual behavior of the instance of the application in response to initiating it within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to: receive a set of indications of allowed behavior associated with an application; initiate an instance of the application within a sandbox environment; receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment; and send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior. 2. The non-transitory processor-readable medium of claim 1, wherein the code to cause the processor to send includes code to cause the processor to send the indication associated with the anomalous behavior such that the sandbox environment is terminated. 3. The non-transitory processor-readable medium of claim 1, wherein the code to cause the processor to ...

Publication date: 06-06-2013

Multilayered deception for intrusion detection and prevention

Number: US20130145465A1
Assignee: AT&T INTELLECTUAL PROPERTY I LP

Concepts and technologies are disclosed herein for multilayered deception for intrusion detection. According to various embodiments, a multilayer deception system includes honey servers, honey files and folders, honey databases, and/or honey computers. A multilayer deception system controller generates honey activity between the honey entities and exposes a honey profile with contact information associated with a honey user. Contact directed at the honey user and/or activity at any of the honey entities can trigger alarms and/or indicate an attack, and can be analyzed to prevent future attacks.

Publication date: 13-06-2013

APPARATUS AND METHOD FOR ANALYZING MALWARE IN DATA ANALYSIS SYSTEM

Number: US20130152202A1
Assignee: SAMSUNG ELECTRONICS CO. LTD.

An apparatus and method for analyzing malware in a data analysis system are provided. The apparatus includes a data analysis unit and a controller. The data analysis unit sorts data into primary harmful data and primary harmless data using screening data information consisting of malicious code information and virus information. The controller screens or deletes the primary harmful data and sends a request for precision analysis of the primary harmless data to a server. The data analysis unit then sorts secondary harmful data out of the primary harmless data using the precision analysis result received from the server.

1. An apparatus for analyzing malware in a portable terminal, the apparatus comprising: a data analysis unit for sorting data into primary harmful data and primary harmless data based on screening data information of malicious code information and virus information; and a controller for screening or deleting the primary harmful data, and for sending a request for analysis of the primary harmless data to a server, wherein the data analysis unit sorts secondary harmful data from the primary harmless data based on the analysis result received from the server. 2. The apparatus of claim 1, wherein the screening data information is provided and updated by a security enterprise, and wherein the controller includes information about the secondary harmful data in the screening data information. 3. The apparatus of claim 1, wherein the controller screens access to the sorted secondary harmful data or deletes the secondary harmful data. 4. The apparatus of claim 1, wherein the controller transmits holding data information, that is, information about the data stored in the portable terminal, to the server, receives harmful data information included in the holding data information from the server, and deletes harmful data based on the received harmful data information. 5. An apparatus for analyzing malware in a server, the apparatus comprising: a ...

Publication date: 13-06-2013

Interactive analysis of a security specification

Number: US20130152205A1
Assignee: International Business Machines Corp

Analyzing a security specification. An embodiment can include identifying a downgrader in a computer program under test. Via a processor, testing of the downgrader can be performed in a first level of analysis. Responsive to the downgrader not passing the testing performed in the first level of analysis, a counterexample for the downgrader can be automatically synthesized. Further, a test unit can be created for the downgrader using the counterexample as an input parameter to the downgrader. The test unit can be executed to perform testing of the downgrader in a second level of analysis. Responsive to the downgrader passing the testing performed in the second level of analysis, a user can be prompted to simplify a model of the downgrader.

Publication date: 20-06-2013

Method and system for rapid signature search over encrypted content

Number: US20130160125A1
Assignee: Individual

A method for detecting malware includes dividing data to be scanned for malware into at least a first data segment and a second data segment, dividing a signature corresponding to an indication of malware into at least a first signature segment and a second signature segment, performing a relationship function on the first signature segment and the second signature segment to yield a first result, performing the relationship function on the first data segment and the second data segment to yield a second result, comparing the first result and the second result, and, based on the comparison, determining that the data includes information corresponding to the signature. The relationship function characterizes the relationship between at least two information sets.

Publication date: 27-06-2013

METHOD AND SYSTEM FOR AUTOMATICALLY GENERATING VIRUS DESCRIPTIONS

Number: US20130167236A1
Author: SICK THORSTEN
Assignee: Avira Holding GmbH

Systems and methods for automatically generating information describing malware are disclosed. In accordance with certain embodiments, a client computer may be provided with an antivirus program capable of finding malware, and a server receives malware information sent from the antivirus program via a network. In accordance with one embodiment, the antivirus program may check the client computer for malware and, in the event that malware is found, may acquire information about the malware such as the type of malware, the form of identification of the malware, whether the malware has already been executed, and/or whether it has been possible to remove the malware. This malware information may be transmitted from the client computer to the server in an automatic, structured manner. When received by the server, the malware information may be fed into a database on the server and subsequently displayed, for example, in an automatic, structured manner on a web page or via an interface of the antivirus program.

1. A method, comprising: receiving via a network a message containing information describing one or more aspects of a malware detected on a remote computer by an antivirus program; storing the received information about the malware in an entry in a database that is associated with the malware; retrieving information about the malware from the database; generating a description page describing the malware using the retrieved information and a template; and sending the description page via the network to the remote computer for display at the remote computer. 2. The method of claim 1, wherein the antivirus program runs on the remote computer. 3. The method of claim 1, wherein the antivirus program is located at a location remote from the remote computer and analyzes the malware on the remote computer via the network. 4. The method of claim 1, wherein the malware is detected at the remote computer by the antivirus program through an analysis of ...

Publication date: 04-07-2013

Active Defense Method on the Basis of Cloud Security

Number: US20130174257A1

The present invention relates to an active defense method based on cloud security comprising: a client collecting a program behavior launched by a program on it and/or a program feature of the program launching the behavior, and sending them to a server; the server analyzing and comparing the program feature and/or program behavior sent by the client against its database, making a determination on the program based on the comparison result, and feeding the determination back to the client; and the client, based on the fed-back determination, deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture and employs behavior-feature-based active defense to find and kill malicious programs, thereby ensuring network security.

1. An active defense method based on cloud security, comprising: collecting a program behavior launched by a program and/or a program feature of the program launching the behavior; with respect to the program feature and/or the program behavior, performing an analysis and comparison in a database and making a determination on the program based on the comparison result; based on the fed-back determination result, deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. 2. A method as claimed in claim 1, wherein the program behavior comprises the program behavior itself and the attributes of the object of the program behavior; the attributes of the object of the program behavior further comprise the black and white level to which the behavioral object itself belongs, the position in the system and type of the behavioral object, the behavior itself made by the behavioral object, and the black and white level to which that behavior belongs. 3. A method as claimed in claim 1, ...

Publication date: 18-07-2013

WHITELIST-BASED INSPECTION METHOD FOR MALICIOUS PROCESS

Number: US20130185797A1
Author: Qi Xiangdong, Zhou Hongyi

A method of detecting malware based on a white list comprises: receiving, on a server side, a program feature and/or a program behavior of a program to be detected, sent from a client side; comparing the program feature and/or program behavior of the detected program with legitimate program features and/or legitimate program behaviors stored in a white list; and obtaining legitimacy information for the unknown program based on the comparison result and feeding it back to the client side. In the invention, a legitimate program is determined using a white list, so that an illegitimate program excluded from the white list is determined to be malware; this performs determination, detection and removal of malware from another perspective.

1. A method of detecting malware based on a white list, comprising: receiving on a server side a program feature and/or a program behavior of a program to be detected sent from a client side; comparing the program feature and/or the program behavior of the detected program with legitimate program features and/or legitimate program behaviors stored in a white list; obtaining legitimacy information of the unknown program based on the comparison result and feeding the legitimacy information back to the client side. 2. The method as claimed in claim 1, wherein the obtaining of the legitimacy information of the unknown program based on the comparison result and the feeding of the legitimacy information back to the client side comprise: if the program feature and/or the program behavior of the detected program hits a legitimate program feature and/or a legitimate program behavior stored in the white list, then determining the detected program as a legitimate program and feeding this back to the client side; if missed, then determining the detected program as malware and feeding this back to the client side. 3. The method as claimed in claim 1, wherein the obtaining of the legitimacy ...

Publication date: 08-08-2013

Pre-boot firmware based virus scanner

Number: US20130205395A1
Assignee: Individual

The present disclosure relates to allowing the use of a virus scanner and cleaner that operates primarily in the pre-boot phase of computer operation and, more particularly, to allowing the use of a virus scanner and cleaner that operates primarily during the loading of an operating system.

Publication date: 08-08-2013

Detecting Malicious Software

Number: US20130205396A1
Author: Franklin Douglas N.

A computer-implemented method, apparatus, and program code for detecting malicious software components. A series of calls made by a software component is monitored to identify the respective series of call types to the components named in those calls. A determination is made as to whether that series of call types is indicative of malicious behavior.

1. A method for detecting a malicious software component, the method comprising: a computer receiving a request to write a potentially malicious software component to storage in the computer; responsive to receiving the request, the computer initiating execution of the potentially malicious software component in an emulated data processing system, the emulated data processing system isolating the potentially malicious software component from one or more other software components that are called by the potentially malicious software component such that, if the potentially malicious software component is malicious, it will not damage the other software components; while executing the potentially malicious software component in the emulated data processing system, the potentially malicious software component making a series of calls specified by the potentially malicious software component to the emulated data processing system; the computer monitoring the series of calls made by the potentially malicious software component to the emulated data processing system to determine a respective series of call types to the other software components named in the series of calls; the emulated data processing system executing the series of calls; the computer determining whether the respective series of call types is indicative of a malicious behavior based on a comparison of the respective series of call types to a set of pre-determined call patterns indicative of malicious behavior for the potentially malicious software component; and allowing the request in response to determining the ...

Publication date: 15-08-2013

System, Method and Computer Program Product for Performing a Security or Maintenance Operation in Association with Virtual Disk Data

Number: US20130212581A1
Assignee: McAfee LLC

A system, method and computer program product are provided for performing a security or maintenance operation in association with virtual disk data accessed independent of a virtual machine. In use, data stored on a virtual disk is accessed at least in part independent of a virtual machine. Further, a security or maintenance operation is performed in association with the accessed data.

Publication date: 29-08-2013

PROGRAM ANALYSIS SYSTEM AND METHOD THEREOF

Number: US20130227690A1
Assignee: HITACHI, LTD.

A program analysis system that analyzes a program while adjusting time elapse velocity in program execution environment sets analysis conditions such as time elapse velocity in the execution environment, program execution start time and execution termination time, adjusts the time elapse velocity and the program execution start time according to the determination of an analysis manager, executes the program till the execution termination time, monitors the execution environment, acquires an action record of the program, analyzes the action record, and clarifies the behavior of the program. Further, the program analysis system resets the analysis conditions based upon a result of analysis, re-analyzes, monitors communication between a sample and an external terminal, and varies the time elapse velocity set by the analysis manager to prevent time-out from occurring in communication.

1. A program analysis system that operates a program the operation of which is to be verified in execution environment where time elapse velocity can be arbitrarily adjusted, comprising: a system management device provided with an analysis manager that manages an analysis situation of the program and determines time elapse velocity; at least one sample execution device provided with a sample executor that executes the program in the execution environment based upon the time elapse velocity specified by the analysis manager and an action recorder that acquires the behavior of the program in the execution environment as an action record; at least one action analyzer provided with an action analyzer that analyzes the action record and outputs a characteristic of the program as a result of analysis; and at least one communication monitoring device provided with a communication monitor that adjusts the time elapse velocity so as to prevent time-out from occurring when the program communicates with an external device.
2. The program analysis system according to claim 1, wherein the communication ...

Publication date: 05-09-2013

SYSTEMS AND METHODS FOR CYBER-THREAT DETECTION

Number: US20130232576A1
Assignee: VINSULA, INC.

Disclosed herein are systems and methods relating generally to computer system security and more specifically to scalable cyber-threat detection systems and methods that systematically and automatically execute and monitor code within a secure isolated environment to automatically identify and filter out malicious code so that it is not executed on a live system.

1. A computer-implemented method of executing content within a secure isolated environment, monitoring and recording the execution of the content, and processing the recorded results of the execution to detect and filter out cyber-based threats, the method comprising the steps of: locating and identifying content for execution and monitoring within a unique secure isolated environment, the unique secure isolated environment comprising a computer including a processor configured to execute computer readable instructions; preparing the located and identified content for execution and monitoring by separating the content into individual components; processing each individual component by executing each individual component within the unique secure isolated environment; monitoring and recording system activity resulting from the execution of each individual component within the unique secure isolated environment; processing the recorded system activity from each of the components to identify whether the located and identified content is a threat; and reporting the processing results.
2. The computer-implemented method according to wherein one or more client components are configured to locate and identify the content for execution and monitoring within the unique secure isolated environment.
3. The computer-implemented method according to claim 2, wherein at least one client component is configured to systematically scan a network to locate and identify resident files for execution and monitoring within the unique secure isolated environment.
4. The computer-implemented method according to claim 2, wherein one or ...

Publication date: 19-09-2013

Embedded anti-virus scanner for a network adapter

Number: US20130246620A1
Assignee: McAfee LLC

A network adapter system and associated method are provided. The network adapter system includes a processor positioned on a network adapter coupled between a computer and a network. Such processor is configured for scanning network traffic transmitted between the computer and the network.

Publication date: 19-09-2013

System, method, and computer program product for preventing a modification to a domain name system setting

Number: US20130247183A1
Assignee: McAfee LLC

A system, method, and computer program product are provided for preventing a modification to a domain name system setting. In use, an attempt to modify a domain name system setting is detected. Additionally, a source of the attempt and an attribute of the modification are verified. Further, the modification to the domain name system setting is prevented, based on the verification.

Publication date: 19-09-2013

System, method, and computer program product for utilizing a data structure including event relationships to detect unwanted activity

Number: US20130247190A1
Author: Joel R. Spurlock
Assignee: Individual

A system, method, and computer program product are provided for utilizing a data structure including event relationships to detect unwanted activity. In use, a plurality of events is identified. Additionally, a data structure including objects associated with the plurality of events and relationships associated with the plurality of events is generated. Further, unwanted activity is detected utilizing the data structure.

Publication date: 19-09-2013

Output control apparatus, computer-readable medium for storing program for output control apparatus, output control method, and output control system

Number: US20130247195A1
Assignee: Digital Arts Inc

Provided is an output section that outputs data to outside; a condition storage section that stores an abnormal condition showing at least one of a characteristic of data to be outputted from the output section by means of malicious software and a characteristic of an operational pattern of the output section that results when the malicious software outputs data; and an output control section that prohibits output of data when at least one of a characteristic of data to be outputted from the output section and a characteristic of an operational pattern of the output section satisfies the abnormal condition.

Publication date: 19-09-2013

SYSTEM AND METHOD FOR DETECTION OF NON-COMPLIANT SOFTWARE INSTALLATION

Number: US20130247196A1
Assignee: FEDERAL RESERVE BANK OF NEW YORK

A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.

1. A computer-implemented security method for detecting non-compliant software installation, the method comprising: performing, on a periodic basis and using at least one computer processor, the following: determining a status of a flag; where the flag is determined to be set to a first state, generating and storing a baseline representation of modules stored on a first device; and where the flag is determined to be set to a second state, generating an active representation of the modules stored on the first device, comparing the active representation of the modules to the baseline representation of the modules, determining if there is a difference between the baseline and the active representations of the modules, and outputting an alert if there is a difference between the baseline and the active representations of the modules.
2. The method of claim 1, wherein: a period of the periodic performance is controlled by a timer, the timer is automatically reset subsequent to the generation of the baseline representation of the modules where the flag is determined to be set to the first state, and the ...

Publication date: 19-09-2013

Emulator updating system and method

Number: US20130247198A1

One embodiment includes a method and computer program product for distributing and/or receiving a first emulator extension with respect to an emulator capable of performing an emulation using emulation code. The first emulator extension includes program instructions that aid in the process of emulating in order to detect potentially unwanted computer software. Such program instructions of the first emulator extension are additional beyond that associated with the emulator code, for assisting the emulator code in the emulation by patching the additional program instructions into the emulator in order to aid in detecting the potentially unwanted computer software within the suspect code. In use, an emulation is performed using the first emulator extension and the suspect code. The emulation is performed within an insulated environment in a computer system so that the computer system is insulated from potentially unwanted actions of the suspect code.

1. A method to be performed in conjunction with a processor and a memory, the method comprising: receiving a first emulator extension from among a plurality of different emulator extensions at an emulator for performing an emulation using emulation code, each of the plurality of different emulator extensions including program instructions that read suspect code of a computer system during the process of emulating in order to detect that the suspect code includes potentially unwanted computer software; performing a first emulation using the first emulator extension and the suspect code to detect whether the suspect code contains potentially unwanted computer software, the first emulation being performed within an insulated environment in the computer system, wherein each of the plurality of different emulator extensions is configured for loading, from a database containing the plurality of different emulator extensions, into an emulator buffer as a patch to the suspect code such that at least some of the suspect code is ...

Publication date: 19-09-2013

System, method and computer program product for removing null values during scanning

Number: US20130247199A1

A system, method, and computer program product are provided for scanning data values. Initially, a set of data values are received. Null values between the data values are then removed such that the data values are contiguous. Further, the data values with the null values removed are scanned for the purpose of identifying unwanted data.

1. A method, comprising: receiving a set of data values at a computer, which includes a processor; determining if a threshold is met before removing null values; removing the null values between the data values such that the data values are made contiguous and shorter; evaluating a size of the data values after the null values have been removed; scanning the set of data values with the null values removed to identify unwanted data in the computer; and collapsing at least a portion of whitespace within text-based files corresponding to the set of data values such that certain sequences of whitespace characters are replaced by a single whitespace character.
2. (canceled)
3. (canceled)
4. The method of claim 1, wherein the threshold includes a size of the set of data values.
5. The method of claim 1, wherein only a portion of the set of data values is received if the set of data values is larger than the threshold.
6. The method of claim 5, wherein the portion of the set of data values only includes the data values that are necessary for the scanning.
7. The method of claim 5, wherein the portion of the set of data values is identified utilizing a key position.
8. The method of claim 7, wherein the key position is based on a virus signature associated with the scanning.
9. The method of claim 6, wherein, after the null values are removed in a first portion of the set of data values, the first portion of the set of data values is stored with the null values removed, and it is determined whether a second portion of the set of data values is to be received.
10. The method of claim 9, wherein, after the portions ...

Publication date: 26-09-2013

System and method for detecting potential threats by monitoring user and system behavior associated with computer and network activity

Number: US20130254885A1
Author: Matthew G. DEVOST
Assignee: WINTERMUTE LLC

A system and method is provided to monitor user and system behavior associated with computer and network activity to determine deviations from normal behavior that represent a potential cyber threat or cyber malicious activity. The system and method uses a multi-factor behavioral and activity analysis approach to determine when a trusted insider might be exhibiting threatening behavior or when a user's computer or network credentials have been compromised and are in use by a third-party. As a result, changes in insider behavior that could be indicative of malicious intent can be detected, or an external entity masquerading as a legitimate user can be detected.

Publication date: 26-09-2013

Method, System and Program Product for Optimizing Emulation of a Suspected Malware

Number: US20130254890A1
Author: Wu Ji Yan

A method, system and program product for optimizing emulation of a suspected malware. The method includes identifying, using an emulation optimizer tool, whether an instruction in a suspected malware being emulated by an emulation engine in a virtual environment signifies a long loop and, if so, generating a first hash for the loop. Further, the method includes ascertaining whether the first hash generated matches any long loop entries in a storage and, if so, calculating a second hash for the long loop. Furthermore, the method includes inspecting any long loop entries ascertained to find an entry having a respective second hash matching the second hash calculated. If an entry matching the second hash calculated is found, the method further includes updating one or more states of the emulation engine such that execution of the long loop of the suspected malware is skipped, which optimizes emulation of the suspected malware.

1. A method for optimizing emulation of a suspected malware program, the method comprising the steps of: a computer identifying a first instruction in the suspected malware program that initiates a loop, and in response, the computer determining a length of the loop based at least in part on a number of times that the loop will be repeated, and if the length exceeds a predetermined threshold, generating a first hash value based at least in part on a hash of instructions in the loop; the computer identifying a second, subsequent instruction in the suspected malware program that initiates a loop, and in response, the computer determining a length of the loop initiated by the second instruction, based at least in part on a number of times that the loop initiated by the second instruction will be repeated, and if the length exceeds a predetermined threshold, generating a second hash value based at least in part on a hash of instructions within the loop initiated by the second instruction; and if the second hash value matches the first hash value, the ...

Publication date: 26-09-2013

APPARATUS AND METHOD FOR REMOVING MALICIOUS CODE

Number: US20130254893A1
Author: Kim Kyung Hee
Assignee: AHNLAB, INC.

Disclosed are an apparatus and a method for removing a malicious code. Accordingly, the present invention provides a technology of mixing a cloud computing based network detecting scheme and a conventional malicious code detecting scheme for providing a detection engine to a client terminal according to a situation based on characteristics of the client terminal, helping efficiently cope with a malicious code.

1. A malicious code removing apparatus comprising: a determiner for determining whether a detection engine associated with detection and removal of a malicious code will be provided to a client terminal, or the malicious code will be detected and removed based on cloud computing, based on characteristics of the client terminal; a detection engine transmitter for, when the determiner determines that the detection engine will be provided to the client terminal, transmitting the detection engine to the client terminal; and an execution unit for, when the determiner determines that the malicious code will be detected and removed based on cloud computing, detecting and removing the malicious code based on cloud computing.
2. The malicious code removing apparatus as claimed in claim 1, further comprising a database where characteristic information associated with characteristics of the client terminal is stored, wherein the determiner determines whether the detection engine will be provided to the client terminal, or the malicious code will be detected and removed based on cloud computing, with reference to the characteristic information from the database.
3. The malicious code removing apparatus as claimed in claim 1, wherein when the detection engine is received from the malicious code removing apparatus, the client terminal detects and removes the malicious code using the detection engine.
4. The malicious code removing apparatus as claimed in claim 1, wherein the determiner determines whether the detection engine will be provided ...

Publication date: 03-10-2013

Controlling Anti-Virus Software Updates

Number: US20130263269A1
Assignee: F Secure Oyj

The present invention relates to a method of controlling the download of anti-virus software updates to a device. The device is configured to transmit an update query to a network device requesting information on whether any updates are available for the anti-virus software. When the device receives the response it stores the response in the cache. The cache can then be queried following a trigger and, if the cache indicates an update to the anti-virus software is available the device downloads an update to the anti-virus software. In an alternative embodiment the device may download and install an update upon receiving the response to the query if the response to the query indicates that an update is available. The query may be transmitted during a scan or upon determining a change in a connection at a device.

Publication date: 10-10-2013

System and method for determining and using local reputations of users and hosts to protect information in a network environment

Number: US20130268994A1
Assignee: McAfee LLC

A method in an example embodiment includes correlating a first set of event data from a private network and determining a local reputation score of a host in the private network based on correlating the first set of event data. The method further includes providing the local reputation score of the host to a security node, which applies a policy, based on the local reputation score of the host, to a network communication associated with the host. In specific embodiments, the local reputation score of the host is mapped to a network address of the host. In further embodiments, the first set of event data includes one or more event indicators representing one or more events, respectively, in the private network. In more specific embodiments, the method includes determining a local reputation score of a user and providing the local reputation score of the user to the security node.

Publication date: 17-10-2013

System, method and computer program product for detecting activity in association with program resources that has at least a potential of an unwanted effect on the program

Number: US20130276109A1
Author: Prakash Ranjan

A system, method and computer program product are provided. In use, at least one resource utilized by a program is monitored. In addition, activity in association with the at least one resource that has at least a potential of an unwanted effect on the program is detected. Further, a reaction is performed in response to detecting the activity to prevent the unwanted effect.

1. A method, comprising: selecting a first function and a second function of a plurality of functions of a computer program; monitoring at least one resource associated with the first function and the second function, utilizing a processor; detecting activity by the first function in association with the at least one resource that has at least a potential of an unwanted effect on the second function; and reacting in response to detecting the activity to prevent the unwanted effect, comprising: determining that the second function has a higher priority than the first function; and temporarily disabling the first function until the second function has finished utilizing the at least one resource.
2. The method of claim 1, further comprising identifying the first function and the second function.
3. The method of claim 2, wherein the first function and second function are identified by receiving a selection of the first function and the second function from a user.
4. The method of claim 1, wherein the first function and the second function are selected by a user utilizing a graphical user interface.
5. (canceled)
6. The method of claim 1, wherein the at least one resource that is monitored is identified based on the first function and the second function.
7. (canceled)
8. The method of claim 6, wherein the at least one resource that is monitored is identified based on a mapping between a plurality of functions and a plurality of resources.
9. The method of claim 1, wherein the at least one resource includes at least one of a network resource, a processing resource, a storage ...

Publication date: 17-10-2013

METHOD AND APPARATUS FOR RETROACTIVELY DETECTING MALICIOUS OR OTHERWISE UNDESIRABLE SOFTWARE

Number: US20130276114A1

A system for retroactively detecting malicious software on an end user system without performing expensive cross-referencing directly on the endpoint device. A client provides a server with information about files that are on it together with what it knows about these files. The server tracks this information and cross-references it against new intelligence it gathers on clean or malicious files. If a discrepancy is found (i.e., a file that had been called malicious, but that is actually benign or vice versa), the server informs the client, which in turn takes an appropriate action based on this information.

1. A method for the retroactive detection and removal of undesirable software, comprising: periodically receiving, at a server in communication with a network, information relating to files on a client computing device, including information relating to whether one or more files have previously been classified as posing a threat or not; storing on said server said information relating to files on said client computing device, including said information relating to whether one or more files have previously been classified as posing a threat or not; periodically receiving at a server in communication with a network information useful in classifying files as posing a threat or not; cross-referencing said information relating to files on said client computing device with said information useful in classifying files as posing a threat or not to determine whether a previous classification of a file is inconsistent with a classification based on current information; if an inconsistent classification is found, communicating information concerning an updated classification to said client computing device or to an administrator responsible for said client computing device.
2. A method according to claim 1, wherein said information relating to whether one or more files have been classified as posing a threat or not comprises information relating to whether one or more files ...

Publication date: 17-10-2013

ENVIRONMENTAL IMAGING

Number: US20130276116A1
Author: McRAE Scott M.

A method and system for detecting whether a computer program, sent to a first computer having an operating environment including a plurality of files, includes malware is provided. A second computer lists in a file a plurality of environment details of the operating environment of the first computer. The second computer simulates in the second computer the presence of the plurality of files in the operating environment by exhibiting the plurality of environment details without installing the plurality of files in the second computer. The second computer executes the computer program in the second computer with the simulation and determines whether the computer program attempts to access or utilize the plurality of files in a manner indicative of malware. If not, the second computer records and generates a notification that the computer program is not malware.

1. A method for determining whether a computer program, addressed to a first computer having a plurality of files different than the computer program, includes malware, the method comprising the steps of: a second computer receiving the computer program via a network; listing in a file in the second computer, without installing the plurality of files in the second computer, identities of the plurality of files in the first computer and respective creation dates or respective last edit dates for the respective plurality of files in the first computer; creating, for the computer program, a simulated operating environment in the second computer using the file having the listing of identities of the plurality of files in the first computer and the respective creation dates or respective last edit dates; executing the computer program in the second computer; and the second computer determining whether the computer program attempts to access or utilize the plurality of files in a manner indicative of malware, and if so, the second computer generating a first record that the computer program exhibits a characteristic of ...

Publication date: 17-10-2013

METHOD AND APPARATUS FOR DETECTING A MALWARE IN FILES

Number: US20130276117A1
Author: Hwang Kyu Beom
Assignee: AHNLAB, INC.

An apparatus for detecting a malware in files includes an acquisition unit configured to obtain from a file system information about a first time point when an interested folder is created by the file system, and information about a second time point when an interested file is created in the interested folder by the file system, a candidate determination unit configured to determine whether the interested file is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point, and an inspection unit configured to perform the malware inspection on the interested file determined to be the candidate file for the malware inspection.

1. An apparatus for detecting a malware in files, comprising: an acquisition unit configured to obtain from a file system information about a first time point when an interested folder is created by the file system, and information about a second time point when an interested file is created in the interested folder by the file system; a candidate determination unit configured to determine whether the interested file is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point; and an inspection unit configured to perform the malware inspection on the interested file determined to be the candidate file for the malware inspection.
2. The apparatus of claim 1, wherein the candidate determination unit is configured to determine the interested file as the candidate file to be inspected in case that the second time point is behind a predetermined term from the first time point.
3. The apparatus of claim 1, wherein the interested folder is associated with an operating system employing the file system.
4. The apparatus of claim 3, wherein the interested folder has a folder name that is prohibited from being renamed by the operating system.
5. The apparatus of claim 1, wherein the interested folder has a parent folder, and ...

Publication date: 17-10-2013

MECHANISM FOR PROVIDING A SECURE ENVIRONMENT FOR ACCELERATION OF SOFTWARE APPLICATIONS AT COMPUTING DEVICES

Number: US20130276123A1

A mechanism is described for facilitating a secure environment and acceleration of software applications according to one embodiment of the invention. A method of embodiments of the invention includes initiating a software application session at a computing device. The software application session includes an anti-virus/anti-malware software-based scanning session, and the scanning session includes scanning of a plurality of locations of a storage subsystem of the computing device. The method may further include accelerating the initiated session by performing session tasks relating to the initiated session without having to rely on an operating system of the computing device.

1. A computer-implemented method comprising: initiating a software application session at a computing device, wherein the software application session comprises an anti-virus/anti-malware software-based scanning session, wherein the scanning session comprises scanning of a plurality of locations of a storage subsystem of the computing device; and accelerating the initiated session by performing session tasks relating to the initiated session without having to rely on an operating system of the computing device.
2. The computer-implemented method of claim 1, further comprising detecting a change at at least one of the plurality of locations of the storage subsystem, the change representing an attempted access of the computing device by an attacker.
3. The computer-implemented method of claim 2, further comprising skipping scanning of one or more locations of the plurality of locations, wherein the one or more locations are not detected as having a change.
4. The computer-implemented method of claim 1, wherein the operating system comprises an open-environment operating system.
5. The computer-implemented method of claim 1, wherein acceleration is performed via an accelerator, wherein the accelerator comprises a hardware accelerator embedded in the storage subsystem of ...

Publication date: 24-10-2013

USER CONTROLLABLE PLATFORM-LEVEL TRIGGER TO SET POLICY FOR PROTECTING PLATFORM FROM MALWARE

Number: US20130283380A1

Embodiments of systems, apparatuses, and methods to protect data stored in a storage system of a device from malware alteration are described. In some embodiments, a system receives an indication that the data is to be protected. In addition, the system further triggers an interrupt of the device and secures the data from the malware alteration.

1. A method to protect data stored in a storage system of a device from malware alteration, comprising: receiving an indication that the data is to be protected; triggering an interrupt of the device; securing the data from the malware alteration.
2. The method of claim 1, wherein the securing the data comprises: sending a first message to the storage system, the first message specifying that the data is to be protected from the malware alteration; and receiving a second message from the storage system indicating that the data is protected from malware alteration.
3. The method of claim 2, wherein the first and second message are transported over a tunnel between the device and the storage system.
4. The method of claim 1, wherein, in response to the sending of the first message, the data is made read-only.
5. The method of claim 1, further comprising: receiving a configuration that indicates that the data is to be protected.
6. The method of claim 1, further comprising: receiving the data; and storing the data in the storage system.
7. The method of claim 1, wherein the receiving of an indication is in response to a hardware switch being activated.
8. The method of claim 7, wherein the hardware switch is a dedicated switch.
9. The method of claim 7, wherein the hardware switch is a keyboard combination.
10. The method of claim 1, wherein the data is anti-virus definition data.
11. A method to protect data stored in a storage system of a device from malware alteration, comprising: initiating a boot sequence of the device, the data stored in a plurality of sectors in the storage system; during the boot sequence, ...

Publication date: 24-10-2013

SYSTEMS AND METHODS FOR PROVIDING ANTI-MALWARE PROTECTION ON STORAGE DEVICES

Number: US20130283381A1

Systems and methods for providing anti-malware protection on storage devices are described. In one embodiment, a storage device includes a controller, firmware, and memory. The firmware communicates with an authorized entity (e.g., external entity, operating system) to establish a secure communication channel. The system includes secure storage to securely store data.

1. A system, comprising: an operating system for performing operations on the system; a storage device to communicate with the operating system, the storage device comprising firmware to establish at least one trusted communication channel with an endpoint having software; and memory having secure storage.
2. The system of claim 1, wherein the firmware is to redirect sector requests from the endpoint to secretly and securely access one or more sectors of memory which malware is attempting to hide.
3. The system of claim 2, wherein the endpoint is part of the operating system or comprises a host anti-virus/anti-malware software application.
4. The system of claim 2, wherein the storage device is to receive messages from the endpoint, the messages including read/write messages and special communications including negative logical block addressing (LBA) commands.
5. The system of claim 1, wherein the trusted communication channel is established by setting up a shared key between the endpoint and the firmware.
6. The system of claim 1, wherein the firmware to establish at least one trusted communication channel with the endpoint comprises selectively establishing one of a first communication channel and a second communication channel or both of the first and second communication channels.
7. The system of claim 6, wherein the first communication channel is established using a Trusted Send/Receive protocol.
8. A storage device comprising: a controller to manage input/output operations for the storage device; firmware communicatively coupled to the controller, the firmware to establish a secure ...

Publication date: 24-10-2013

SYSTEM AND METHOD FOR DETECTING MALWARE IN FILE BASED ON GENETIC MAP OF FILE

Number: US20130283382A1
Assignee: AHNLAB, INC.

A method for detecting whether a file includes malware is performed on a device. The method includes extracting information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map; and determining that the file is malware when the similarity is higher than a reference value.

1. A method performed on a device for detecting whether a file includes malware, the method comprising: extracting static information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map; and determining that the file includes malware when the similarity is higher than a reference value.
2. The method of claim 1, wherein the created genetic map includes information representing non-existence of one item among the predetermined items when said one item does not exist in the file.
3. The method of claim 1, wherein the information of said at least two predetermined items is extracted from a part of the file.
4. The method of claim 1, wherein the predetermined items include a branch distance which is included in a branch instruction within the file.
5. The method of claim 1, wherein the predetermined items are selected regardless of a kind of the file.
6. The method of claim 1, the method further comprising: storing the created genetic map in a database, via a network, as a new malware genetic map when the file is determined to include malware, wherein the previously stored malware genetic map has been stored in the database.
7. The method of ...

Publication date: 31-10-2013

INFORMATION SECURITY TECHNIQUES INCLUDING DETECTION, INTERDICTION AND/OR MITIGATION OF MEMORY INJECTION ATTACKS

Number: US20130290662A1
Author: Teal Daniel
Assignee: Lumension Security, Inc.

Methods of detecting malicious code injected into memory of a computer system are disclosed. The memory injection detection methods may include enumerating memory regions of an address space in memory of a computer system to create memory region address information. The memory region address information may be compared to loaded module address information to facilitate detection of malicious code memory injection.

1. A method comprising: (a) enumerating, based on a query of an operating executive of a computer system, a plurality of memory regions of an address space in memory of the computer system, thereby creating memory region address information; and (b) scanning memory of the computer system for a memory injection, wherein the scanning step comprises (i) determining whether a first memory region of the plurality of memory regions corresponds to any of a plurality of loaded modules registered with the operating executive, wherein the determining step comprises (A) examining the plurality of loaded modules for loaded module address information; and (B) comparing the memory region address information to the loaded module address information; and (ii) wherein, when the first memory region does not correspond to any of the plurality of loaded modules, determining whether the first memory region contains library indicative coding; and (iii) wherein, when the first memory region contains library indicative coding, generating a memory injection alarm.
2. The method of claim 1, wherein, when the first memory region corresponds to one of the plurality of loaded modules, determining whether that loaded module is mapped from a file system of the computer system.
3. The method of claim 2, wherein the memory injection alarm is a first memory injection alarm, and wherein, when the loaded module is not mapped from a file system of the computer system, determining whether the first memory region contains library ...

Publication date: 31-10-2013

System and Method for Run-Time Attack Prevention

Number: US20130291103A1
Assignee: Dell Products LP

Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function.

Publication date: 31-10-2013

SYSTEMS AND METHODS FOR PROVIDING ANTI-MALWARE PROTECTION AND MALWARE FORENSICS ON STORAGE DEVICES

Number: US20130291110A1

Systems and methods for providing features that enable anti-malware protection on storage devices are described. In one embodiment, a storage device includes a controller, firmware, and memory. The controller manages input/output operations for the storage device. The firmware provides features for protection against malware. The memory includes secure storage that is configured to provide a set of storage operations.

1. A system, comprising: an operating system for performing operations on the system; a storage device to communicate with the operating system, the storage device comprising firmware to provide features for protection against malware; and memory having configurable secure storage that is configured to monitor activity or restrict activity in the secure storage.
2. The system of claim 1, wherein the memory comprises a secure log to record activity of the system.
3. The system of claim 2, wherein the secure log enables storing a unique sequence of commands that are given to the storage device along with configurable parameters.
4. The system of claim 2, wherein the secure log is accessed by an authenticated external entity to determine if the activity recorded in the log is suspicious.
5. The system of claim 4, wherein the authenticated external entity, using the firmware, configures a region of the secure storage to monitor activity or restrict activity in the secure storage based on a determination of suspicious activity.
6. The system of claim 5, wherein the authenticated external entity, using the firmware, configures unused space in an end region near an end of the memory to redirect access to the secure storage.
7. The system of claim 6, wherein a read request or a write request that is intended for the unused space near the end region is redirected to the secure storage.
8. A storage device comprising: a controller to manage input/output operations for the storage device; firmware being implemented with the controller, the firmware to provide ...

Publication date: 31-10-2013

Method and Device for Program Identification Based on Machine Learning

Number: US20130291111A1
Author: Hongyi Zhou, Hui Zhou, YI Dong
Assignee: Beijing Qihoo Technology Co Ltd

The invention discloses a method and device for program identification based on machine learning. The method comprises: analyzing an inputted unknown program and extracting a feature of the unknown program; coarsely classifying the unknown program according to the extracted feature; judging the unknown program by inputting it into a corresponding decision-making machine generated by training according to a result of the coarse classification; and outputting an identification result of the unknown program, wherein the identification result is a malicious program or a non-malicious program. The embodiments of the invention adopt machine learning technology, obtain the decision-making machine for identifying a malicious program by analyzing a large number of program samples, and, by using the decision-making machine, can save a lot of manpower and improve the efficiency of identifying a malicious program; furthermore, they can find inherent laws of programs based on data mining over massive numbers of programs, prevent a malicious program that has not yet appeared, and make it difficult for a malicious program to evade detection and removal.

Publication date: 07-11-2013

METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE

Number: US20130298234A1
Author: Dotan Eyal

A method that protects computer data from untrusted programs. Each of the computer's objects and processes is assigned trust attributes, which define the way it can interact with other objects within the system. When an object is classified as untrusted, it can interact with other objects within the system only on a limited basis. A virtualized system is provided on the computer so that when the untrusted object attempts to perform an operation that is outside its scope of authorization, the virtualized system intercepts the operation but presents the untrusted program with an indication that the requested operation has been performed. The method further includes processes to securely move a program from an untrusted group to a trusted group.

2. A computerized method of managing a computer's operation in a computer having a real directory, comprising: causing the computer to create a virtual directory; monitoring operation of a program; when it is determined that the program should not be run in an unlimited trusted mode, causing the computer to: when the program attempts to rename a named file, perform the operations: if the named file exists in the real directory only, copying the named file into the virtual directory, renaming the named file in the virtual directory, and generating a deleted indicator for the named file; if the named file exists in the virtual directory only, renaming the named file; and if the named file exists in both the real and virtual directories, renaming the named file in the virtual directory, generating a delete indicator for the named file, and returning a success indication.
3. A computerized method of managing a computer's operation in a computer having a real directory, comprising: causing the computer to create a virtual directory; monitoring operation of a program; when it is determined that a program should not be run in an unlimited trusted mode, causing the computer to: when the program issues a file inquiry, returning a true indication if: the file ...

Publication date: 07-11-2013

Method and system for automatic detection of eavesdropping of an account based on identifiers and conditions

Number: US20130298238A1
Assignee: Yahoo Inc until 2017

A system and method for detecting whether a user account has been compromised. A server computer determines, for a client device, a first identifier associated with the client device. The server computer analyzes an activity log associated with an account of a user to determine if an eavesdropping condition has been met during a given duration. The analysis includes: 1) determining that an eavesdropping activity has occurred during the given duration and determining that no normal activity has occurred during the given duration for the first identifier; 2) determining a second identifier associated with a second device used to access the user account; and 3) determining that a normal activity associated with the second identifier has occurred during the given duration.

Publication date: 07-11-2013

SYSTEM FOR MECHANICAL AND ELECTRONIC PROTECTION OF SAFE EQUIPMENT

Number: US20130298252A1
Author: Ribeiro-Pereira Jorge

The present invention provides the mechanical positioning of electronic circuits, mounted on rigid printed circuit boards or flexible circuits, creating a protected region within a Safe Equipment, so that any attempt to invade or violate this area of the equipment triggers an alarm that blocks use of the equipment and instantly erases the safety keys of the safe equipment; to guard against such intrusion, the invention provides a region completely surrounded by protection circuits and sensors, surrounding the sensitive part of the device, together with alarm devices.

1. "SYSTEM FOR MECHANICAL AND ELECTRONIC PROTECTION OF SAFE EQUIPMENT", characterized by two or more printed circuit boards, so that on at least one of the boards an internal indention is made and on the surface of at least one of the boards the sensitive components to be protected are mounted, so that when all boards are united the sensitive components are embedded within the indention of the indented boards, obtaining a safe cavity.
2. "SYSTEM FOR MECHANICAL AND ELECTRONIC PROTECTION OF SAFE EQUIPMENT", according to claim 1, characterized by introducing a cover for one or more printed circuit strips, whether flexible or rigid, in the open area of the safe cavity, where there may or may not be components between the cavity and the flexible circuit strip.
3. "SYSTEM FOR MECHANICAL AND ELECTRONIC PROTECTION OF SAFE EQUIPMENT", according to claim 1, characterized by the fact that the printed circuit boards have conductive circuits in the form of a protection mesh that serves as a sensor against drilling of the board.
4. "SYSTEM FOR MECHANICAL AND ELECTRONIC PROTECTION OF SAFE EQUIPMENT", according to claim 3, characterized by the fact that the flexible circuit strips have conductive circuits in the form of a protective mesh serving as a sensor against drilling of the strip.
5. "SYSTEM FOR MECHANICAL AND ELECTRONIC PROTECTION OF SAFE EQUIPMENT", according to claim 4 ...

Publication date: 14-11-2013

APPARATUS AND METHOD FOR DETECTING MALICIOUS FILES

Number: US20130305366A1
Author: LEE Ju Seok, LIM Cha Sung
Assignee: AHNLAB, INC.

An apparatus for detecting a malicious file includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program.

1. An apparatus for detecting a malicious file, comprising: a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; an address storage unit configured to store normal address range information in accordance with the driving of the program; and a maliciousness determination unit configured to determine whether the non-executable file is malicious depending on whether the execution address is not within the normal address range information.
2. The apparatus of claim 1, wherein the program driving unit determines a file format of the non-executable file, and selects and drives a program for executing the non-executable file based on the determined file format.
3. The apparatus of claim 1, wherein the maliciousness determination unit determines, when the execution address is not within the normal address range information, whether or not a memory region indicated by the execution address has execution properties, and determines whether the non-executable file is malicious based on the determination result.
4. The apparatus of claim 3, wherein the maliciousness determination unit determines: when the memory region indicated by the execution address does not have execution properties, whether the non-executable file is malicious by checking whether an abnormal event occurs due to an execution of a code stored in the memory region indicated by the execution address; when the abnormal event does not occur, whether the non-executable file is malicious by checking whether an execution address from the next of the execution address to ...

Publication date: 14-11-2013

METHOD AND APPARATUS FOR INSPECTING NON-PORTABLE EXECUTABLE FILES

Number: US20130305373A1
Author: LEE Ju Seok, LIM Cha Sung
Assignee: AHNLAB, INC.

An apparatus for inspecting a non-PE file includes a data loading unit configured to load candidate malicious address information related to a malicious code of the non-PE file; and a program link unit configured to acquire normal address range information of a module being loaded on a memory when an application program adapted for the non-PE file is executed, and to set up a candidate malicious address corresponding to the candidate malicious address information as a breakpoint of the application program. Further, the apparatus includes a malicious code determination unit configured to determine whether a next execution address is within the normal address range information when there occurs an event derived from the breakpoint.

1. An apparatus for inspecting a non-PE file, the apparatus comprising: a data loading unit configured to load candidate malicious address information related to a malicious code of the non-PE file; a program link unit configured to acquire normal address range information of a module being loaded on a memory when an application program adapted for the non-PE file is executed and to set up a candidate malicious address corresponding to the candidate malicious address information as a breakpoint of the application program; and a malicious code determination unit configured to determine whether a next execution address is within the normal address range information when there occurs an event derived from the breakpoint.
2. The apparatus of claim 1, wherein, when it is determined that the execution address is not within the normal address range information, the malicious code determination unit is configured to determine that the non-PE file is malicious.
3. The apparatus of claim 1, wherein, when it is determined that the execution address is not within the normal address range information, the malicious code determination unit is configured to check whether a memory area pointed to by the execution address has an execution ...

Publication date: 14-11-2013

CONTROLLING MALICIOUS ACTIVITY DETECTION USING BEHAVIORAL MODELS

Number: US20130305374A1

Systems, methods, and computer program products are described for controlling malicious activity detection with respect to information technology assets based on behavioral models associated with the respective information technology assets. Protection rules and corresponding sensitivities associated with the behavioral models are applied by protection services to detect malicious activity with respect to the information technology assets.

1. A method of controlling malicious activity detection, comprising: displaying a first graphical interface element at a presentation device that enables a user to select a behavioral model to be associated with an information technology asset; and causing distribution of a behavioral model indicator indicating the selected behavioral model to a plurality of protection services deployed on one or more processing modules to cause the plurality of protection services to utilize a plurality of respective protection rule configurations corresponding to the behavioral model to generate respective malicious activity assessments with respect to the information technology asset.
2. The method of claim 1, wherein displaying the first graphical interface element comprises: displaying the first graphical interface element that enables the user to select a behavioral model to be associated with a computer.
3. The method of claim 1, wherein displaying the first graphical interface element comprises: displaying the first graphical interface element that enables the user to select a behavioral model to be associated with a user account.
4. The method of claim 1, wherein displaying the first graphical interface element includes displaying the first graphical interface element that enables the user to select a plurality of behavioral models to be associated with the information technology asset; and wherein causing distribution of the behavioral model indicator includes causing distribution of the behavioral model indicator indicating the selected ...

Publication date: 21-11-2013

ELECTRONIC DEVICE WITH VIRUS PREVENTION FUNCTION AND VIRUS PREVENTION METHOD THEREOF

Number: US20130312100A1
Author: WANG Peng

In a virus prevention method of an electronic device, executable files that are being installed in the electronic device are compared with the virus characteristics in a virus database of the electronic device. The electronic device communicates with a server through a network, and a virus database and a suspected virus database of the server are accessed when one or more suspected files are determined. The one or more suspected files are compared with virus characteristics of virus samples in the virus database and non-viral characteristics of non-virus samples in the suspected virus database of the server, so as to determine whether the one or more suspected files are virus files. The one or more virus files determined to have intruded into the executable files are deleted.

1. A virus prevention method of an electronic device, the electronic device comprising a register, a virus database, and a suspected virus database, the virus database comprising virus characteristics of a plurality of virus samples, the suspected virus database comprising encoding characteristics which resemble those of a virus but are non-viral, the method comprising: scanning executable files that are being installed in the electronic device, comparing the executable files with the virus characteristics in the virus database, and determining whether the executable files comprise one or more virus files and/or one or more suspected files; establishing an electronic communication between the electronic device and a server via a network, and accessing a virus database and a suspected virus database of the server when one or more suspected files are determined; comparing the determined one or more suspected files with virus characteristics of virus samples in the virus database and non-viral characteristics of non-virus samples in the suspected virus database of the server, and determining whether the one or more suspected files are virus files according to the comparison; and deleting the determined one or ...

Publication date: 28-11-2013

Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems

Number: US20130318606A1

Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.

1. A method of detecting a threat to a computer system in a plurality of collaborating computer systems, the method comprising: receiving, at a first computer system, a first one-way data structure from a collaborating second computer system, the first one-way data structure representing first data relating to a first intrusion attempt detected by an intrusion detection system of the collaborating second computer system such that the first data is hidden in the first one-way data structure; detecting, using an intrusion detection system of the first computer system, a second intrusion attempt; storing second data relating to the second intrusion attempt in a second one-way data structure of the first computer system such that the second data is hidden in the second one-way data structure; determining whether the second intrusion attempt correlates with the first intrusion attempt by comparing the first data structure and the second data structure; and indicating that a threat is present if the second intrusion attempt is determined to correlate with the data received from the collaborating second computer system relating to the first intrusion attempt.

This application is a continuation under 35 U.S.C. §120 of U.S. patent application ...

Publication date: 28-11-2013

System and Method for Detection and Treatment of Malware on Data Storage Devices

Number: US20130318610A1
Author: Oleg V. Zaitsev
Assignee: Kaspersky Lab AO

Disclosed are systems and methods for detection and repair of malware on data storage devices. The system includes a controller, a communication interface for connecting an external data storage device, and a memory for storing antivirus software. The antivirus software is configured to scan the data contained in the data storage device, perform repair or removal of malicious files or programs found on the data storage device, identify suspicious files or programs on the data storage device and malicious files or programs that cannot be repaired or removed from the data storage device, send information about these files or programs to the antivirus software provider, receive updates for the antivirus software from the antivirus software provider, and rescan the suspicious files or programs and malicious files or programs that cannot be repaired or removed using updated antivirus software.

Publication date: 28-11-2013

ROOTKIT MONITORING AGENT BUILT INTO AN OPERATING SYSTEM KERNEL

Number: US20130318612A1

An approach for detecting a kernel-level rootkit is presented. A changed entry in a System Service Descriptor Table (SSDT) or an Interrupt Descriptor Table (IDT) is detected. The changed entry results from an installation of suspect software. The changed entry is determined to be not referenced by a white list. A black list is updated to reference the changed entry to indicate the changed entry results from an installation of the kernel-level rootkit. The suspect software is determined to be the kernel-level rootkit based on the changed entry not being referenced by the white list. The changed entry is restored to an entry included in a first state of an operating system kernel. The first state is based on the SSDT and IDT referencing hooks indicated in the white list, where the hooks are not the result of an installation of any kernel-level rootkit.

1. A method of detecting a kernel-level rootkit, said method comprising: a computer system detecting a changed entry in a System Service Descriptor Table (SSDT) or an Interrupt Descriptor Table (IDT), wherein said changed entry results from an installation of suspect software in said computer system; said computer system determining a value of said changed entry is not referenced by a white list; said computer system updating a black list to include a reference to said value of said changed entry to indicate that said value of said changed entry results from an installation of said kernel-level rootkit on said computer system; said computer system determining said suspect software is said kernel-level rootkit based on said value of said changed entry not being referenced by said white list; and said computer system restoring said changed entry to an entry of said SSDT or said IDT, said entry included in a first state of data structures of a kernel of an operating system of said computer system, said first state based on said SSDT and said IDT referencing hooks indicated in said white list which are not the result of any ...

Publication date: 05-12-2013

INTEGRATING MULTIPLE DATA SOURCES FOR MALWARE CLASSIFICATION

Number: US20130326625A1
Assignee: Los Alamos National Security, LLC

Disclosed herein are representative embodiments of tools and techniques for classifying programs. According to one exemplary technique, at least one graph representation of at least one dynamic data source of at least one program is generated. Also, at least one graph representation of at least one static data source of the at least one program is generated. Additionally, at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, the at least one program is classified.

1. A method, implemented at least in part by one or more computing devices, the method comprising:
generating at least one graph representation of at least one dynamic data source of at least one program;
generating at least one graph representation of at least one static data source of the at least one program; and
at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, classifying the at least one program.
2. One or more computer readable storage media storing computer-executable instructions which when executed cause a computing device to perform a method, the method comprising:
generating at least one graph representation of at least one dynamic data source of at least one program;
generating at least one graph representation of at least one static data source of the at least one program; and
at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, classifying the at least one program.
3. The method of claim 1, wherein the classifying the program comprises classifying the program as malware or non-malware.
4. The method of claim 1, wherein the at least one graph representation of the at least one dynamic data source or the at least one graph ...

Publication date: 05-12-2013

ASYNCHRONOUS FILTERING AND PROCESSING OF EVENTS FOR MALWARE DETECTION

Number: US20130326626A1
Assignee: KASPERSKY LAB, ZAO

A method for asynchronous processing of system calls, including detecting a system call on a computer system; filtering the system call to determine when the system call matches a filter parameter; making a copy of the system call and asynchronously processing the system call copy, if the system call does not pass through at least one filter, and the filter parameter does not match the system call; placing the system call into a queue; releasing the system call after an anti-virus (AV) check of the system call copy and terminating an object that caused the system call when the AV check reveals that the system call is malicious; and for an object associated with the system call that has behavior differences compared to a previous known non-malicious version of the object but also similarities to the previous known non-malicious object, classifying the object as non-malicious.

1. A method for asynchronous processing of system calls, the method comprising:
(a) detecting a system call on a computer system;
(b) filtering the system call to determine when the system call matches a filter parameter;
(c) making a copy of the system call and asynchronously processing the system call copy, if the system call does not pass through at least one filter, and the filter parameter does not match the system call;
(d) placing the system call into a queue;
(e) releasing the system call after an anti-virus (AV) check of the system call copy and terminating an object that caused the system call when the AV check reveals that the system call is malicious; and
(f) for an object associated with the system call that has behavior differences compared to a previous known non-malicious version of the object but also similarities to the previous known non-malicious object, classifying the object as non-malicious,
wherein steps (b)-(f) are performed sequentially without interrupting execution of the system call.
2. The method of claim 1, ...

Publication date: 12-12-2013

Aggregating The Knowledge Base Of Computer Systems To Proactively Protect A Computer From Malware

Number: US20130332988A1
Assignee:

Techniques for aggregating a knowledge base of a plurality of security services or other event collection systems to protect a computer from malware are provided. In embodiments, a computer is protected from malware by using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware. A determination is made as to whether a combination of the suspicious events is indicative of malware. If the combination of suspicious events is indicative of malware, a restrictive security policy designed to prevent the spread of malware is implemented.

1. A computer system, comprising:
a memory and a processor configured to execute instructions in the memory to cause the computer system to implement an aggregation routine, the aggregation routine configured to:
identify a first suspicious event by analyzing metrics that are generated based on performance characteristics of the computer system;
receive a report of a second suspicious event from at least one of multiple anti-malware services executing on the computer system;
determine whether a combination of suspicious events is indicative of malware, the combination of suspicious events including at least the first suspicious event and the second suspicious event; and
responsive to a determination that the combination of suspicious events is indicative of malware, apply a restrictive security policy configured to restrict an entity associated with the combination of suspicious events from performing actions on the computer system.
2. A computer system as described in claim 1, wherein the first suspicious event is a potential indicator of the malware infection.
3. A computer system as described in claim 1, wherein the processor is further configured to execute instructions in the memory to cause the computer system to implement an event detection service, the event detection service configured to identify the performance characteristics of the computer system.
4 ...

Publication date: 12-12-2013

SYSTEM, METHOD AND PROGRAM FOR IDENTIFYING AND PREVENTING MALICIOUS INTRUSIONS

Number: US20130333036A1

Computer system, method and program product for identifying a malicious intrusion. A first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, are identified from a source IP address during a predetermined period. A determination is made that in one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures. Based on the determination that in the one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures, a determination is made that the messages are characteristic of a malicious intrusion.

1. A method for identifying a pattern of messages which is characteristic of a malicious intrusion, the method comprising the steps of:
a server receiving information identifying a destination IP address, a destination port and a signature of each of a multiplicity of messages having an indicia of a malicious intrusion, and in response, determining a total number of different destination IP addresses, a total number of different destination ports and a total number of different signatures of messages of the multiplicity of messages sent from each of a plurality of source IP addresses during each of a plurality of intervals of substantially the same duration; and
the server determining that there are (a) a first total number of different destination IP addresses, a second total number of different destination ports and a third total number of different signatures for the messages sent from one of the source IP addresses during one of the intervals and (b) approximately the first total number of different destination IP addresses, ...

Publication date: 12-12-2013

METHODS, SYSTEMS, AND MEDIA FOR DETECTING COVERT MALWARE

Number: US20130333037A1
Assignee:

Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination.

1. A method for detecting covert malware in a computing environment, the method comprising:
receiving a first set of user actions;
generating a second set of user actions based on the first set of user actions and a model of user activity;
conveying the second set of user actions to an application inside the computing environment;
determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and
determining whether covert malware is present in the computing environment based at least in part on the determination.
2. The method of claim 1, wherein the second set of user actions is generated outside of the computing environment.
3. The method of claim 1, further comprising:
determining whether a decoy corresponding to the second set of user actions has been accessed by an unauthorized entity; and
in response to determining that the decoy has been accessed by the unauthorized entity, determining that covert malware is present in the computing environment.
4. The method of claim 1, wherein the first set of user actions comprises mouse and keyboard events.
5. The method of claim 4, further comprising replaying at least a portion of the first set of user actions along with ...

Publication date: 19-12-2013

SECURE CLOUD HYPERVISOR MONITOR

Number: US20130340077A1
Assignee: Raytheon Company

This disclosure addresses systems and methods for the protection of hardware and software in a computing environment. A hypervisor-monitor may be nested between the hardware of a host system and a hypervisor that is capable of supporting one or more guest virtual machines. The hypervisor-monitor may intercept exceptions generated by one or more processors in the host system and inspect software instructions for the hypervisor and the guests. Inspection may include performing a hash of the software instructions and a comparison of the hash with authorized software modules or a set of known malware. In this manner the hypervisor-monitor may monitor and prevent the execution of malware by the hypervisor or the guests, or provide a record of when code of an unknown origin was executed.

1. A hypervisor monitor system comprising:
one or more processors coupled to a memory, the one or more processors configured to execute instructions in the memory, and generate an exception in response to a page fault;
a hypervisor configured to operate on the one or more processors and to manage execution of a plurality of virtual machines on the one or more processors;
a hashing module configured to calculate a mathematical hash of at least a portion of the instructions in the memory;
a database, isolated from the hypervisor, the database including a list of mathematical hashes of registered code; and
a monitor providing an interface between the one or more processors and the hypervisor, the monitor being configured to respond to the exception by performing a comparison of the mathematical hash of a page of instructions loaded into the memory by the hypervisor with the list of mathematical hashes of authorized code;
wherein the monitor, in response to the comparison, prevents the one or more processors from executing the page of instructions when the comparison indicates the mathematical hash of the page of instructions is not included in the list of mathematical hashes of registered code.
2. The ...
