专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US10242190B2 System and method for detection of malicious code by iterative emulation of microcode 有权
公开(公告)号：US10242190B2
公开(公告)日：2019-03-26
申请号：US14807330
申请日：2015-07-23
申请人： LEVIATHAN SECURITY GROUP, INC.
发明人： Mikhail Davidov , Patrick Stach
IPC分类号： G06F21/56
摘要： Examples of systems, methods and media are shown for iteratively emulating potentially malicious code involving, for each offset of a microarchitecture for the code, emulating a first ring of an operating system, executing a segment of code in the emulated first ring, checking the behavior of the executing code for suspect behavior, and identifying the executing code as malicious code if suspect behavior is detected. Some examples include emulating a second ring of the operating system having a higher level of privilege than the first ring, such that the second ring emulation returns results to the executing code segment, but does not actually perform the functionality in a host platform.

2. 发明授权

US10049210B2 System and method for detection of omnientrant code segments to identify potential malicious code 有权
公开(公告)号：US10049210B2
公开(公告)日：2018-08-14
申请号：US15147801
申请日：2016-05-05
申请人： LEVIATHAN SECURITY GROUP, INC.
发明人： Falcon Momot
IPC分类号： G06F21/56 , G06F9/30
摘要： Methods, systems and media are shown for detecting omnientrant code segments to identify potential malicious code involving, for each offset of a code segment, disassembling the code segment from the offset, determining whether the disassembled code is executable, and incrementing an offset execution value. This approach also involves checking whether the offset execution value exceeds an alert threshold value and generating a malicious code alert for the code segment if the offset execution value exceeds the alert threshold value. Some examples further involve, for each executable offset, identifying a final execution address of the offset, comparing the final execution addresses of the offsets for the code segment, and generating the malicious code alert for the code segment if a proportion of the executable offsets have a common value for the final execution address exceeds a frequency threshold.

3. 发明授权

US09977897B2 System and method for detecting stack pivot programming exploit 有权
公开(公告)号：US09977897B2
公开(公告)日：2018-05-22
申请号：US14801753
申请日：2015-07-16
申请人： Leviathan, Inc.
发明人： Falcon Momot
IPC分类号： G06F11/00 , G06F21/54 , G06F21/55
CPC分类号： G06F21/54 , G06F21/554 , G06F2221/033
摘要： Systems, methods and media are shown for detecting a stack pivot programming exploit that involve extracting return addresses from a call stack from a snapshot of a running program and, for each extracted return address, identifying a stack frame and following frame from stack pointer information, checking whether the stack is consistent with the type of stack generated by the operating system and architecture conventions, and alerting that a stack pivot is likely if an anomaly in stack layout is found. Some examples involve determining whether the stack frame and following frame follow consistently in one of ascending or descending addresses. Some examples involve, given a consistent directional polarity and metadata about the directional polarity of the stack specified by one of the microarchitecture, operating system, software, or other configuration, determining whether the observed directional polarity corresponds to the expected directional polarity.

4. 发明授权

US09165138B2 Mitigation of function pointer overwrite attacks 有权
标题翻译：减轻功能指针覆盖攻击
公开(公告)号：US09165138B2
公开(公告)日：2015-10-20
申请号：US13546905
申请日：2012-07-11
申请人： Mlkhail Davidov
发明人： Mlkhail Davidov
IPC分类号： G06F21/00 , G06F21/54
CPC分类号： G06F21/54
摘要： Methods are disclosed for improving security of computer software and preventing potential attackers from gaining control of computer software via function pointer overwrite attacks. One or more additional layers of complexity may be imposed that would have to be circumvented in order to gain execution control over portions of software. One or more function pointers can be encoded using a value that may be generated on program initialization and decoded before any dynamic function call occurs. In the event of memory corruption that affects an encoded function pointer, the value will cause the destination of the function pointer to decode to an invalid and random address and will induce an error. An application may be prevented from calling an attacker corrupted function pointer by introducing various checks around the call point at compile time that check the validity of the destination to which the function pointer points.
摘要翻译：公开了用于提高计算机软件的安全性并防止潜在攻击者通过功能指针覆盖攻击来获得对计算机软件的控制的方法。可以施加一个或多个附加的复杂层，这些层必须被绕过以获得对软件的一部分的执行控制。可以使用可以在程序初始化时生成的值来编码一个或多个函数指针，并且在任何动态函数调用发生之前进行解码。在影响编码函数指针的内存损坏的情况下，该值将导致函数指针的目的地解码为无效和随机的地址，并将引发错误。可以通过在编译时通过在调用点周围引入各种检查来检查应用程序来调用攻击者损坏的函数指针，从而检查函数指针指向的目的地的有效性。

5. 发明申请

US20140020092A1 Mitigation of function pointer overwrite attacks 有权
标题翻译：减轻功能指针覆盖攻击
公开(公告)号：US20140020092A1
公开(公告)日：2014-01-16
申请号：US13546905
申请日：2012-07-11
申请人： MIkhail Davidov
发明人： MIkhail Davidov
IPC分类号： G06F21/22
CPC分类号： G06F21/54
摘要： Methods are disclosed for improving security of computer software and preventing potential attackers from gaining control of computer software via function pointer overwrite attacks. One or more additional layers of complexity may be imposed that would have to be circumvented in order to gain execution control over portions of software. One or more function pointers can be encoded using a value that may be generated on program initialization and decoded before any dynamic function call occurs. In the event of memory corruption that affects an encoded function pointer, the value will cause the destination of the function pointer to decode to an invalid and random address and will induce an error. An application may be prevented from calling an attacker corrupted function pointer by introducing various checks around the call point at compile time that check the validity of the destination to which the function pointer points.
摘要翻译：公开了用于提高计算机软件的安全性并防止潜在攻击者通过功能指针覆盖攻击来获得对计算机软件的控制的方法。可以施加一个或多个附加的复杂层，这些层必须被绕过以获得对软件的一部分的执行控制。可以使用可以在程序初始化时生成的值来编码一个或多个函数指针，并且在任何动态函数调用发生之前进行解码。在影响编码函数指针的内存损坏的情况下，该值将导致函数指针的目的地解码为无效和随机的地址，并将引发错误。可以通过在编译时通过在调用点周围引入各种检查来检查应用程序来调用攻击者损坏的函数指针，从而检查函数指针指向的目的地的有效性。

6. 发明授权

US10180867B2 System and method for bruteforce intrusion detection 有权
公开(公告)号：US10180867B2
公开(公告)日：2019-01-15
申请号：US14737309
申请日：2015-06-11
申请人： LEVIATHAN SECURITY GROUP, INC.
发明人： Falcon Momot , Lorne Schell , Duncan Smith
IPC分类号： G06F11/07 , G06F21/55 , H04L29/06
摘要： Systems and methods are shown for detecting potential attacks on a domain, where one or more servers, in response to a failure event, obtain a lambda value from a baseline model of historical data associated with a current time interval corresponding to the failure event, determine a probability of whether a total count of failure events for the current time interval is within an expected range using a cumulative density function based on the lambda value, and identify a possible malicious attack if the probability is less than or equal to a selected alpha value.

7. 发明授权

US10606965B2 System and method for emulation of unprivileged code in a simulated environment 有权
公开(公告)号：US10606965B2
公开(公告)日：2020-03-31
申请号：US14804023
申请日：2015-07-20
申请人： Leviathan Security Group, Inc.
发明人： Falcon Momot , Mikhail Davidov , Patrick Stach , Darren Kemp
IPC分类号： G06F17/50 , H04L29/06
摘要： A system, method and media are shown for emulating potentially malicious code involving emulating a first ring of an operating system, emulating a second ring of the operating system, where the second ring has greater access to system resources than the first ring and where the first and second rings are separately emulated, executing a code payload in the emulated first ring, checking the behavior of the executing code payload for suspect behavior, and identifying the code payload as malicious code if suspect behavior is detected. Some examples emulate the second ring by operating system or microarchitecture functionality such that the second ring emulation returns results to the executing code payload, but does not actually perform the functionality in a host platform. Some examples execute the code payload in the emulated first shell at one or more offsets.

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式