专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US08332944B2 System and method for detecting new malicious executables, based on discovering and monitoring characteristic system call sequences 失效
标题翻译：基于发现和监测特征系统调用序列，检测新的恶意可执行文件的系统和方法
公开(公告)号：US08332944B2
公开(公告)日：2012-12-11
申请号：US12697559
申请日：2010-02-01
申请人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
发明人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
IPC分类号： G06F12/14
CPC分类号： G06F21/552
摘要： The invention relates to a method for detecting malicious executables, which comprises: in an offline training phase, finding a collection of system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; and, in runtime, for each running executable, continuously monitoring its issued run-time system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious.
摘要翻译：本发明涉及一种用于检测恶意可执行程序的方法，包括：在离线训练阶段，当执行这种恶意文件并且将所述序列存储在数据库中时，找到仅对恶意文件特有的系统调用序列的集合; 并且在运行时，对于每个运行的可执行文件，连续地监视其发出的运行时系统调用并与存储的数据库序列中的系统调用进行比较，以确定运行时系统的一部分序列之间是否存在匹配调用和一个或多个数据库序列，并且当发现这样的匹配时，将所述可执行文件声明为恶意的。

2. 发明授权

US07941853B2 Distributed system and method for the detection of eThreats 有权
标题翻译：分布式系统和检测eThreats的方法
公开(公告)号：US07941853B2
公开(公告)日：2011-05-10
申请号：US12125263
申请日：2008-05-22
申请人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
发明人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
IPC分类号： G06F11/00
CPC分类号： H04L63/1425 , G06N5/043 , H04L63/145
摘要： The invention relates to a distributed system for detecting eThreats that propagate in a network, which comprises: (a) graphs database storing at least one propagation graph, each graph describing the typical propagation over time of one eThreat class or a legitimate executable class within the network; (b) plurality of agents that are distributed in corresponding plurality of hosts within the network, each of said agents continuously monitoring the corresponding host and reporting to a Central Decision Maker (CDM) the identity of any new suspected executable, and the time in which said suspected executable has been first detected by said agent; (c) a CDM for: (c.1) receiving all said reports from said plurality of agents; (c.2) creating from said reports for each suspected executable a corresponding propagation graph which reflects the propagation characteristics over time of said suspected executable within the network, and (c.3) comparing each of said created graphs with said stored at least one propagation graph; (c.4) upon finding a similarity above a predefined threshold between a created graph and one of the stored graphs, concluding respectively that said executable belongs to the class as defined by said stored graph; and (c.5) conveying said conclusion to said agents, for optionally taking an appropriate action.
摘要翻译：本发明涉及一种用于检测在网络中传播的威胁的分布式系统，其包括：（a）存储至少一个传播图的图形数据库，每个图形描述一个eThreat类别内的典型传播随时间流逝的内容网络; （b）分布在网络内的相应多个主机中的多个代理，每个所述代理持续监视对应的主机并向中央决策者（CDM）报告任何新的可疑可执行文件的身份，以及其中所述疑似可执行文件已被所述代理首先检测到; （c）清洁发展机制：（c.1）从所述多个代理人接收所有所述报告; （c.2）从所述报告中为每个可疑可执行文件创建反映在所述网络内的所述可疑可执行文件随时间的传播特性的相应传播图，以及（c.3）将所述创建的图形中的每一个与所存储的至少一个传播图; （c.4）在找到在所创建的图和存储的图之一之间的预定阈值之上的相似度时，分别结束所述可执行文件属于由所述存储的图形定义的类; 和（c.5）将所述结论传达给所述代理人，以选择采取适当的行动。

3. 发明申请

US20100229239A1 SYSTEM AND METHOD FOR DETECTING NEW MALICIOUS EXECUTABLES, BASED ON DISCOVERING AND MONITORING CHARACTERISTIC SYSTEM CALL SEQUENCES 失效
标题翻译：基于发现和监测特征系统呼叫序列检测新型恶意程序的系统和方法
公开(公告)号：US20100229239A1
公开(公告)日：2010-09-09
申请号：US12697559
申请日：2010-02-01
申请人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
发明人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
IPC分类号： G06F11/30 , G06F21/00
CPC分类号： G06F21/552
摘要： The invention relates to a method for detecting malicious executables, which comprises: (a) in an offline training phase, finding a collection of system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; and, in runtime, for each running executable, continuously monitoring its issued run-time system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious.
摘要翻译：本发明涉及一种用于检测恶意可执行程序的方法，包括：（a）在离线训练阶段，查找仅恶意文件特有的系统调用序列的集合，当执行这种恶意文件时，将所述序列存储在数据库并且在运行时，对于每个运行的可执行文件，连续地监视其发出的运行时系统调用并与存储的数据库序列中的系统调用进行比较，以确定运行时系统的一部分序列之间是否存在匹配调用和一个或多个数据库序列，并且当发现这样的匹配时，将所述可执行文件声明为恶意的。

4. 发明申请

US20080313734A1 DISTRIBUTED SYSTEM AND METHOD FOR THE DETECTION OF eTHREATS 有权
标题翻译：分布式系统及其检测方法
公开(公告)号：US20080313734A1
公开(公告)日：2008-12-18
申请号：US12125263
申请日：2008-05-22
申请人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
发明人： Boris Rozenberg , Ehud Gudes , Yuval Elovici
IPC分类号： G06F21/00
CPC分类号： H04L63/1425 , G06N5/043 , H04L63/145
摘要： The invention relates to a distributed system for detecting eThreats that propagate in a network, which comprises: (a) graphs database storing at least one propagation graph, each graph describing the typical propagation over time of one eThreat class or a legitimate executable class within the network; (b) plurality of agents that are distributed in corresponding plurality of hosts within the network, each of said agents continuously monitoring the corresponding host and reporting to a Central Decision Maker (CDM) the identity of any new suspected executable, and the time in which said suspected executable has been first detected by said agent; (c) a CDM for: (c.1) receiving all said reports from said plurality of agents; (c.2) creating from said reports for each suspected executable a corresponding propagation graph which reflects the propagation characteristics over time of said suspected executable within the network, and (c.3) comparing each of said created graphs with said stored at least one propagation graph; (c.4) upon finding a similarity above a predefined threshold between a created graph and one of the stored graphs, concluding respectively that said executable belongs to the class as defined by said stored graph; and (c.5) conveying said conclusion to said agents, for optionally taking an appropriate action.
摘要翻译：本发明涉及一种用于检测在网络中传播的威胁的分布式系统，其包括：（a）存储至少一个传播图的图形数据库，每个图形描述一个eThreat类别内的典型传播随时间流逝的内容网络; （b）分布在网络内的相应多个主机中的多个代理，每个所述代理持续监视对应的主机并向中央决策者（CDM）报告任何新的可疑可执行文件的身份，以及其中所述疑似可执行文件已被所述代理首先检测到; （c）清洁发展机制：（c.1）从所述多个代理人接收所有所述报告; （c.2）从所述报告中为每个可疑可执行文件创建反映在所述网络内的所述可疑可执行文件随时间的传播特性的相应传播图，以及（c.3）将所述创建的图形中的每一个与所存储的至少一个传播图; （c.4）在找到在所创建的图和存储的图之一之间的预定阈值之上的相似度时，分别结束所述可执行文件属于由所述存储的图形定义的类; 和（c.5）将所述结论传达给所述代理人，以选择采取适当的行动。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式