专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US10341373B2 Automatically detecting insider threats using user collaboration patterns 有权
公开(公告)号：US10341373B2
公开(公告)日：2019-07-02
申请号：US15629421
申请日：2017-06-21
申请人： SYMANTEC CORPORATION
发明人： Sandeep Bhatkar , Saurabh Shintre , Ashwin Kayyoor
IPC分类号： H04L29/06
摘要： Automatically detecting insider threats using user collaboration patterns. In one embodiment, a method may include identifying collaborative access of one or more network resources in a network between a target user using a target network device and other users using other network devices in the network during multiple prior time periods and during a current time period, generating prior collaboration graphs for the prior time periods, generating an average collaboration graph by combining the prior collaboration graphs, generating a current collaboration graph for the current time period, generating an anomaly score by comparing the current collaboration graph to the average collaboration graph, determining that the collaborative access of the one or more network resources during the current time period is anomalous by determining that the anomaly score exceeds a threshold, and, in response to the anomaly score exceeding the threshold, performing a security action on the target network device.

2. 发明授权

US09225736B1 Techniques for detecting anomalous network traffic 有权
标题翻译：检测异常网络流量的技术
公开(公告)号：US09225736B1
公开(公告)日：2015-12-29
申请号：US13929123
申请日：2013-06-27
申请人： Symantec Corporation
发明人： Kevin Alejandro Roundy , Jie Fu , Tao Cheng , Zhi Kai Li , Fanglu Guo , Sandeep Bhatkar
IPC分类号： G06F11/00 , H04L29/06
CPC分类号： H04L63/1425 , H04L63/101 , H04L63/1416
摘要： Techniques for detecting anomalous network traffic are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting anomalous network traffic comprising the steps of receiving a list including a plurality of processes and, for each process, a list of approved types of network traffic; monitoring network traffic of each process on the list of processes; upon detecting network traffic for a process on the list of processes, determining that the type of network traffic detected is not on the list of approved types for that process; and identifying the process as infected based on determining that the type of network traffic detected is not on the list of approved types for that process.
摘要翻译：公开了用于检测异常网络流量的技术。在一个具体实施例中，这些技术可以被实现为用于检测异常网络流量的方法，包括以下步骤：接收包括多个进程的列表，并且对于每个进程，列出经批准的网络流量类型; 监控流程列表中每个进程的网络流量; 在检测到处理列表上的进程的网络流量时，确定检测到的网络流量的类型不在该进程的批准类型的列表上; 并且基于确定检测到的网络流量的类型不在该进程的经批准的类型的列表上来识别被感染的进程。

3. 发明授权

US10007786B1 Systems and methods for detecting malware 有权
公开(公告)号：US10007786B1
公开(公告)日：2018-06-26
申请号：US14953305
申请日：2015-11-28
申请人： Symantec Corporation
发明人： Sandeep Bhatkar , Jugal Parikh , Carey Nachenberg
IPC分类号： G06F21/56 , G06N99/00
CPC分类号： G06F21/566 , G06F21/561 , G06N20/00
摘要： A computer-implemented method for detecting malware may include (1) identifying a behavioral trace of a program, the behavioral trace including a sequence of runtime behaviors exhibited by the program, (2) dividing the behavioral trace to identify a plurality of n-grams within the behavioral trace, each runtime behavior within the sequence of runtime behaviors corresponding to an n-gram token, (3) analyzing the plurality of n-grams to generate a feature vector of the behavioral trace, and (4) classifying the program based at least in part on the feature vector of the behavioral trace to determine whether the program is malicious. Various other methods, systems, and computer-readable media are also disclosed.

4. 发明授权

US09230111B1 Systems and methods for protecting document files from macro threats 有权
标题翻译：用于保护文档文件免受宏威胁的系统和方法
公开(公告)号：US09230111B1
公开(公告)日：2016-01-05
申请号：US14073507
申请日：2013-11-06
申请人： Symantec Corporation
发明人： Susanta Nanda , Sandeep Bhatkar , Fanglu Guo
IPC分类号： G06F21/56 , G06F12/14 , G06F21/57
CPC分类号： H04L63/1441 , G06F21/562 , G06F21/563 , G06F21/57
摘要： A computer-implemented method for protecting document files from macro threats may include (1) identifying a document file that contains an embedded macro, (2) locating an event-driven programming language module that stores the embedded macro for the document file, and (3) cleaning the event-driven programming language module by removing procedures for the embedded macro within the event-driven programming language module and retaining variable definitions within the event-driven programming language module. Various other methods, systems, and computer-readable media are also disclosed.
摘要翻译：用于保护文档文件免受宏威胁的计算机实现的方法可以包括（1）识别包含嵌入式宏的文档文件，（2）定位存储用于文档文件的嵌入式宏的事件驱动编程语言模块，以及（ 3）通过删除事件驱动编程语言模块中的嵌入式宏的过程，并在事件驱动的编程语言模块中保留变量定义来清除事件驱动的编程语言模块。还公开了各种其它方法，系统和计算机可读介质。

5. 发明申请

US20150074806A1 SYSTEMS AND METHODS FOR USING EVENT-CORRELATION GRAPHS TO DETECT ATTACKS ON COMPUTING SYSTEMS 有权
标题翻译：使用事件相关图来检测计算机系统的攻击的系统和方法
公开(公告)号：US20150074806A1
公开(公告)日：2015-03-12
申请号：US14041762
申请日：2013-09-30
申请人： Symantec Corporation
发明人： Kevin Roundy , Fanglu Guo , Sandeep Bhatkar , Tao Cheng , Jie Fu , Zhi Kai Li , Darren Shou , Sanjay Sawhney , Acar Tamersoy , Elias Khalil
IPC分类号： G06F21/55
CPC分类号： G06F21/55 , G06F21/577 , H04L63/1425 , H04L63/1433
摘要： A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.
摘要翻译：用于使用事件相关图来检测对计算系统的攻击的计算机实现的方法可以包括（1）检测涉及计算系统内的第一actor的可疑事件，（2）构建事件相关图，其包括第一节点，代表第一演员，表示第二演员的第二节点和互连第一节点和第二节点并且表示涉及第一演员和第二演员的可疑事件的边缘，（3）至少部分地计算关于附加的可疑事件，事件相关图的攻击得分，（4）确定攻击得分大于预定阈值，以及（5）至少部分地基于攻击得分大于预定阈值，可疑事件可能是对计算系统的攻击的一部分。还公开了各种其它方法，系统和计算机可读介质。

6. 发明授权

US09665715B1 Systems and methods for detecting malware-induced crashes 有权
公开(公告)号：US09665715B1
公开(公告)日：2017-05-30
申请号：US14138130
申请日：2013-12-23
申请人： Symantec Corporation
发明人： Kevin Roundy , Sandeep Bhatkar , Fanglu Guo , Daniel Marino
IPC分类号： G06F21/62 , G06F21/56
CPC分类号： G06F21/562 , G06F11/0766 , G06F21/552 , G06F21/561
摘要： A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.

7. 发明申请

US20160103992A1 SYSTEMS AND METHODS FOR CLASSIFYING SECURITY EVENTS AS TARGETED ATTACKS 有权
标题翻译：将安全事件分类为有针对性的攻击的系统和方法
公开(公告)号：US20160103992A1
公开(公告)日：2016-04-14
申请号：US14513804
申请日：2014-10-14
申请人： Symantec Corporation
发明人： Kevin Alejandro Roundy , Sandeep Bhatkar
IPC分类号： G06F21/55 , H04L29/06
CPC分类号： G06F21/554 , G06F21/55 , H04L63/1416
摘要： The disclosed computer-implemented method for classifying security events as targeted attacks may include (1) detecting a security event in connection with at least one organization, (2) comparing the security event against a targeted-attack taxonomy that identifies a plurality of characteristics of targeted attacks, (3) determining that the security event is likely targeting the organization based at least in part on comparing the security event against the targeted-attack taxonomy, and then in response to determining that the security event is likely targeting the organization, (4) classifying the security event as a targeted attack. Various other methods, systems, and computer-readable media are also disclosed.
摘要翻译：用于将安全事件分类为目标攻击的公开的计算机实现的方法可以包括（1）检测与至少一个组织有关的安全事件，（2）将安全事件与标识多个特征的目标攻击分类法进行比较（3）至少部分地基于将安全事件与目标攻击分类法进行比较来确定安全事件可能针对组织，然后响应于确定安全事件可能针对组织（（ 4）将安全事件分类为有针对性的攻击。还公开了各种其它方法，系统和计算机可读介质。

8. 发明授权

US09275226B1 Systems and methods for detecting selective malware attacks 有权
标题翻译：用于检测选择性恶意软件攻击的系统和方法
公开(公告)号：US09275226B1
公开(公告)日：2016-03-01
申请号：US14029451
申请日：2013-09-17
申请人： Symantec Corporation
发明人： Kevin Roundy , Sandeep Bhatkar , Fanglu Guo
IPC分类号： G06F11/00 , G06F12/14 , G06F12/16 , G06F21/56
CPC分类号： G06F21/56
摘要： A computer-implemented method for detecting selective malware attacks is described. A website visited by a user is identified based on a number of visits to the website satisfying a predetermined threshold. A web crawl is performed on the identified website. Results of the web crawl are analyzed to determine whether the identified website includes a malicious software attack designed to selectively attack visitors to the website.
摘要翻译：描述了用于检测选择性恶意软件攻击的计算机实现的方法。基于满足预定阈值的对网站的访问次数来识别用户访问的网站。在所识别的网站上执行网络爬网。分析Web抓取的结果，以确定所识别的网站是否包含旨在选择性地攻击网站访问者的恶意软件攻击。

9. 发明授权

US09256739B1 Systems and methods for using event-correlation graphs to generate remediation procedures 有权
标题翻译：使用事件关联图生成修复程序的系统和方法
公开(公告)号：US09256739B1
公开(公告)日：2016-02-09
申请号：US14221703
申请日：2014-03-21
申请人： Symantec Corporation
发明人： Kevin Alejandro Roundy , Sandeep Bhatkar
IPC分类号： G06F21/55 , H04L29/06 , G06F21/56 , H04L12/24 , G06F21/54
CPC分类号： G06F21/554 , G06F21/54 , G06F21/552 , G06F21/566 , H04L41/0631 , H04L63/1425
摘要： A computer-implemented method for using event-correlation graphs to generate remediation procedures may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing, in response to detecting the suspicious event involving the first actor, an event-correlation graph that includes (i) a first node that represents the first actor, (ii) a second node that represents a second actor, and (iii) an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor, and (3) using the event-correlation graph to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. Various other methods, systems, and computer-readable media are also disclosed.
摘要翻译：一种用于使用事件相关图来产生修复过程的计算机实现的方法可以包括：（1）检测涉及计算系统内的第一actor的可疑事件，（2）响应于检测到涉及第一actor的可疑事件，事件相关图，其包括（i）表示第一演员的第一节点，（ii）表示第二演员的第二节点，以及（iii）将第一节点和第二节点互连并表示附加的边缘涉及第一演员和第二演员的可疑事件，以及（3）使用事件相关图来生成反映在事件相关图中的针对计算系统的攻击的影响的过程。还公开了各种其它方法，系统和计算机可读介质。

10. 发明授权

US09166997B1 Systems and methods for reducing false positives when using event-correlation graphs to detect attacks on computing systems 有权
标题翻译：使用事件相关图来检测对计算系统的攻击时减少误报的系统和方法
公开(公告)号：US09166997B1
公开(公告)日：2015-10-20
申请号：US14031044
申请日：2013-09-19
申请人： Symantec Corporation
发明人： Fanglu Guo , Sandeep Bhatkar , Kevin Roundy
IPC分类号： H04L29/00 , H04L29/06 , G06F21/57
CPC分类号： H04L63/1433 , G06F21/554 , G06F21/577 , H04L63/1416
摘要： A computer-implemented method for reducing false positives when using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that represents an additional suspicious event involving the first actor and the second actor, (3) comparing the event-correlation graph with at least one additional event-correlation graph that represents events on at least one additional computing system, (4) determining that a similarity of the event-correlation graph and the additional event-correlation graph exceeds a predetermined threshold, and (5) classifying the suspicious event as benign based on determining that the similarity of the event-correlation graph and the additional event-correlation graph exceeds the predetermined threshold. Various other methods, systems, and computer-readable media are also disclosed.
摘要翻译：一种用于在使用事件相关图来检测对计算系统的攻击时减少误报的计算机实现的方法可以包括（1）检测涉及计算系统内的第一执行者的可疑事件，（2）构建事件相关图，其包括表示第一演员的第一节点，表示第二演员的第二节点和表示涉及第一演员和第二演员的附加可疑事件的边缘，（3）将事件相关图与至少一个附加的比较表示至少一个附加计算系统上的事件的事件相关图，（4）确定事件相关图和附加事件相关图的相似度超过预定阈值，以及（5）将可疑事件分类为良性基于确定事件相关图和附加事件相关图的相似度超过预定阈值。还公开了各种其它方法，系统和计算机可读介质。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式