CN102160048B - Collecting and analyzing malware data - Google Patents
Collecting and analyzing malware data
- Publication number: CN102160048B (application CN200980138004.3A)
- Authority: CN (China)
- Prior art keywords: threat, information, client computers, malware, signature
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
Abstract
A malware analysis system is described that provides information about the execution history of malware on a client computer and permits automated back-end analysis for faster creation of identifying signatures and removal instructions. The malware analysis system collects threat information on the client computer and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing it with information about known threats. The system builds a signature for identifying a threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats faster than previous systems by reducing the burden on technicians of manually creating an environment to reproduce the threat and manually analyzing the threat's behavior.
Description
Background
Anti-virus, anti-spyware, and other anti-malware applications attempt to protect client computers by identifying harmful applications or other executable code and removing or at least neutralizing the harmful code. Current anti-malware applications (e.g., Microsoft Windows Defender, Microsoft Forefront Client Security, Microsoft OneCare, Forefront Server for Microsoft Exchange Server, and so on) use signature-based methods to detect viruses, worms, and spyware. Signature-based methods rely on one or more distinguishing characteristics of the malware to provide a positive identification so that the anti-malware application can remove it. For example, a particular malware application may have a particular file name, write particular values to an operating system configuration database (e.g., the Microsoft Windows Registry), or contain executable code with particular bytes (e.g., identified using a CRC, cryptographic hash, or other signature algorithm).
Signature-based methods depend heavily on the analysis of existing malware by those skilled in the art and on the quality of that analysis. Typically, a technician receives a sample of a new threat, or a variant of a known threat. For example, a user may e-mail the threat, in the form of one or more files, to an e-mail address for reporting malware. The technician then begins an investigation. During the investigation, the technician may execute the malware in a virtual environment, such as a sandbox computer system, in which the malware affects that computer system but cannot cause harm to other computer systems. If the malware sample runs successfully in the virtual environment and produces enough information, the technician analyzes the execution history, the contents of files created or deleted, registry keys, network activity, and other activity of the malware, and creates a signature and removal instructions. For example, if the malware creates a file virus.exe in a particular directory, the signature may identify that file, and the removal script may specify deleting that file at its typical location.
This type of analysis is problematic for several reasons. First, the process involves human analysis and is therefore slow and creates a bottleneck, because the available technicians must review each new threat. The rate of new threats keeps increasing, and there are often fewer available technicians than malware authors creating new malware. Second, the technician may not be able to run the malware successfully in the virtual environment, and may therefore not obtain a complete model of how the malware behaves. This can lead, for example, to a failure to detect malware in some of its variant forms, or to incomplete removal of the malware. Examples of reasons the malware may fail to run in the virtual environment are the malware detecting the technician's domain name as that of an anti-malware vendor, the malware failing to run when the operating system version or installed applications are not what the malware author expected, and so on. Sometimes the sample received from a customer computer may contain insufficient information about the threat. For example, the report may include only a driver and a few other files, without enough information for the technician to understand how to run the malware. This situation usually ends in incomplete detection/removal that affects the customer experience.
Client computers are often infected when a user visits a website and allows the installation of "unknown software" (typically, the user believes they are installing good software). The original URL the user visited often does not contain the binary code but redirects to another "short-lived" uniform resource locator (URL). By the time the technician receives the original URL and begins the investigation, the "short-lived" URL may no longer contain the malware. The technician may never receive enough information to catch the real culprit, or to detect the malware in its earliest form. In addition, some samples may temporarily evade analysis because the technician or an early threat analysis assigned them a low priority. For example, a threat may receive a limited number of reports simply because the anti-malware software does not yet inherently detect the threat (i.e., a false negative).
Another problem is the misidentification of new variants of previously identified malware, where the removal script produced by the technician does not clean up the new variant. This can result from slowness in updating the anti-malware application with the latest information about current changes in a malware family. The technician may also not receive the complete picture of the malware being analyzed, because the malware expects a special environment, or a combination of user actions that is not apparent or not present in the technician's environment. For example, the malware may expect the user to visit a particular website before the malware executes. After the user visits that website, the malware may replace the user's security certificate with a certificate belonging to the malware that redirects the user's web browser communications through a spyware website and monitors the user's browsing habits. If the technician never visits that website, the malware will not produce enough information for the technician to understand the malware's harmful behavior.
Summary
A malware analysis system is described that provides information about the execution history of malware on a client computer and permits automated back-end analysis for faster creation of identifying signatures and removal commands. The malware analysis system collects threat information on the client computer and sends the threat information to a back-end analysis component for automated analysis. The back-end analysis component analyzes the threat information by comparing it with information about known threats. The system builds a signature for identifying a threat family and a mitigation script for neutralizing the threat. The system sends the signature and mitigation data to client computers, which use the information to mitigate the threat. Thus, the malware analysis system detects and mitigates threats faster than previous systems by reducing the burden on technicians of manually creating an environment to reproduce the threat and manually analyzing the threat's behavior.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
Brief Description of the Drawings
Figure 1 is a block diagram that illustrates the components of the malware analysis system, in one embodiment.
Figure 2 is a block diagram that illustrates a typical operating environment of the malware analysis system, in one embodiment.
Figure 3 is a flow diagram that illustrates the processing of the malware analysis system on a client computer, in one embodiment.
Figure 4 is a flow diagram that illustrates the processing of the back-end service of the malware analysis system to analyze and mitigate a potential threat, in one embodiment.
Detailed Description
Overview
A malware analysis system is described that provides information about the execution history of malware on a client computer and permits automated back-end analysis for faster creation of identifying signatures and removal instructions. The malware analysis system collects threat information on the client computer and sends the threat information to a back-end analysis component for automated analysis. For example, the system may collect URLs visited, user actions performed, files accessed, and other information about the potential threat posed by the malware. The system may trigger the collection of threat information when particular events occur, such as when an application attempts to access a website. The back-end analysis component analyzes the threat information by comparing it with information about known threats. For example, the back-end analysis component may identify similar previous threats based on the threat information and classify the new threat into a threat family. The system builds a signature for identifying the threat family and a mitigation script for neutralizing the threat. For example, the signature may identify files common to the threat family, and the mitigation script may delete the files installed by the malware. The system sends the signature and mitigation data to client computers, which mitigate the threat. Thus, the malware analysis system detects and mitigates threats faster than previous systems by reducing the burden on technicians of manually creating an environment to reproduce the threat and manually analyzing the threat's behavior. The anti-malware vendor can then direct its limited technician resources at the most relevant and hardest-to-mitigate threats.
Figure 1 is a block diagram that illustrates the components of the malware analysis system, in one embodiment. The malware analysis system 100 includes a threat detection component 110, an information collection component 120, a communication component 130, a threat data store 140, a threat analysis component 150, a signature builder component 160, a mitigation component 170, a feedback component 180, and a user interface component 190. These components may be divided between one or more client computers and a back-end service running on one or more servers. Each of these components is discussed in further detail herein.
The threat detection component 110 detects events on the client computer that indicate a potential threat, and signals the information collection component 120 to track information about the threat. The events may be predefined by the system, or updated dynamically as the client computer receives new threat signatures from the back-end service. The threat detection component 110 may include a kernel-mode driver that executes at a low level of the operating system to detect various types of threats.
The information collection component 120 collects information about potential threats at the client computer. For example, the information collection component 120 may store information about files, directories, registry keys, URLs, and other resources accessed by an application. The component 120 may also store historical and hierarchical data indicating how a potentially malicious piece of code initiated each action. For example, if a user visited a website, downloaded a malicious application, and that application contacted another website, the data may indicate the order of these events and the relationships between them.
The communication component 130 transfers information between client computers and the back-end service. For example, a client computer uses the communication component 130 to send threat information to the back-end service. The back-end service sends updated signatures and mitigation instructions to client computers through the communication component 130. The communication component 130 may operate over the Internet, a local area network (LAN), or another communication medium.
The threat data store 140 stores information about encountered threats reported by client devices, a queue of threats awaiting analysis, families of known threats and their characteristics, signatures for detecting threats, and mitigation instructions for removing detected threats. The threat data store 140 acts as a repository of threat information, and the system can mine the threat data store 140 to identify commonalities between threats, statistics such as the rate of occurrence of a particular threat, and so forth.
The threat analysis component 150 configures an execution environment for a received threat report, executes the threat, and attempts to classify the threat based on previously encountered threat families. For example, the threat analysis component 150 may inspect the threat report to determine the operating system and configuration of the client computer that submitted the report, configure a similar computer in a virtual or sandbox environment, and carry out the user or other actions indicated in the threat report to observe the behavior of the malware associated with the threat.
The signature builder component 160 inspects the execution environment configured by the threat analysis component 150 to determine the characteristics that identify the threat. For example, the threat may download a particular file, access a particular URL, or store information in a particular registry key, indicating behavior that distinguishes the threat from other, safe operations. The signature builder component 160 creates a signature for detecting instances of the threat based on the distinguishing behavior.
The mitigation component 170 applies signatures and mitigation instructions to identify known threats, and performs actions in response to identified threat instances. For example, the mitigation component 170 may receive signature updates from the back-end service and scan the client computer for each signature received from the service to determine whether any threat instances exist on the client computer. If a threat instance exists on the client computer, the mitigation component 170 performs the actions associated with the signature and received from the back-end service. For example, the actions may specify files to delete, additional information to gather and send to the back-end service, and so on. The mitigation component 170 removes threat malware from the client computer and gathers additional information about threats for which the back-end service's information is insufficient to eliminate them (as described further herein).
The feedback component 180 analyzes threat detection ratings and prioritizes threat reports based on particular criteria. For example, the feedback component 180 may give threats that match a particular known threat family a higher priority than other threats. The component 180 also monitors new signature updates that the back-end service deploys to client computers to determine whether the detection rate of a threat increases. An increased detection rate may indicate a previous false positive and lead the system to raise the priority of a previously lower-priority threat. The feedback component 180 improves threat detection on an ongoing basis by focusing threat analysis resources on the most difficult threats.
The user interface component 190 provides an interface for technicians and system administrators to direct and tune the system. For example, a technician may identify threat families, request additional information from client computers that reported a particular threat, and so on. The user interface 190 provides technicians with a way to view threat information and analyze it in order to handle threats that the system 100 cannot mitigate without technician intervention.
The computing device on which the system is implemented may include a central processing unit, memory, input devices (e.g., keyboard and pointing devices), output devices (e.g., display devices), and storage devices (e.g., disk drives). The memory and storage devices are computer-readable media that may be encoded with computer-executable instructions that implement the system, which means a computer-readable medium that contains the instructions. In addition, data structures and message structures may be stored or transmitted via a data transmission medium, such as a signal on a communication link. Various communication links may be used, such as the Internet, a local area network, a wide area network, a point-to-point dial-up connection, a cellular telephone network, and so on.
Embodiments of the system may be implemented in various operating environments that include personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, digital cameras, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and so on. The computer systems may be cellular phones, personal digital assistants, smart phones, personal computers, programmable consumer electronics, digital cameras, and so on.
The system may be described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in various embodiments.
Figure 2 is a block diagram that illustrates a typical operating environment of the malware analysis system, in one embodiment. One or more client computers 210 are connected through a network 240 to a back-end service 260. Each client computer 210 includes client-side components 230 of the malware analysis system, which detect and analyze information about threats on the client computer 210. The client-side components 230 provide information about the execution history of potential threats to the back-end service 260 for further analysis. The back-end service 260 includes server-side components 270 of the malware analysis system. The client-side components 230 and server-side components 270 may include, for example, one or more of the components described in Figure 1. Those of ordinary skill in the art will recognize that many configurations of the operating components on the client and server are possible that provide the advantages described herein, based on requirements such as scalability, reliability, and security. Thus, based on these and other considerations, the components may operate on the client computer 210 or the back-end service 260.
The back-end service may include an execution environment 280 for reproducing the execution and behavior of a detected threat. During execution of the malware, both the client computer 210 and the execution environment 280 connect to a malware provider 250. For example, the malware may cause the client computer 210 to connect to and provide data to the malware provider 250. The back-end service 260 observes the execution of the malware in the execution environment 280 and provides signature and mitigation information as described further herein.
Client Data Collection
The malware analysis system improves the threat information available to technicians and automated remediation tools by starting the collection of information early in the life of a threat, preserving additional information about the threat beyond what was previously available, and providing the back end with a more complete model of the threat.
Previously, a user submitted an infected sample for analysis, which typically contained a single file and limited metadata that might be insufficient for successful back-end analysis. To improve the quality and success rate of back-end threat analysis, the malware analysis system collects more metadata from the infected computer. This data may describe, for example, the malware's execution history, user actions related to the malware's execution, browsing history, the installation trace of the malware bundle, and other details.
In some embodiments, the malware analysis system performs an initial threat analysis on the client side, rather than creating various execution environment configurations (e.g., multiple operating systems) on the back end and providing expensive manual analysis. For example, the malware analysis system may install on the client computer a configurable kernel-mode component that does the following. First, the component is configurable and can be enabled and disabled through configuration. When the component is disabled, it remains in memory but uses only a small amount of client resources. It may perform only periodic self-audits to prevent code injection that would compromise the component.
Second, the component monitors the creation, modification, deletion, and other changes of registry keys. When the component detects these changes, it identifies the process responsible for the change and stores this information in a threat log. The component may perform similar monitoring and logging for files, directories, and other client elements. Third, the component monitors changes in kernel memory (e.g., the Service Description Table, EPROCESS structures) and detects changes after a file that makes such modifications has executed. If the component detects a change, it correlates the event with the process responsible for it and adds this information to the threat log. Fourth, the component monitors the creation of TCP/UDP connections and logs the relevant information. The component may also analyze the frequency of use of open ports and correlate processes with that usage activity.
In some embodiments, the malware analysis system intercepts and logs user-driven events. For example, the system may track the user's browsing history, such as the web addresses the user visits in a web browser. The system may store URLs in a normalized form that removes sensitive user information to protect the user's privacy. The system may also track software installed by the user. For example, if the user installs software from the Internet, the system records the target URL and the other URLs opened during the installation. It is likely that the malware is not located on the same website from which the user started installing the software, so the system gathers more information about the malware's network configuration for a successful analysis. The system may also track and log the history of applications executed on the client computer. This history may include relationships between applications, such as an executable that launched other executables. If the system later identifies an executable as malware, the system can determine whether the application responsible for launching that executable is also malware, and mark them as potentially malicious for further investigation by a technician.
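The client-side threat log described above, as an added Python illustration that is not the patent's own code: it records each action together with the event that initiated it, stores URLs in a normalized form, and walks the launch chain back when an executable is later flagged so that the applications that launched it are marked as well. The event kinds, the normalization rule and the sample scenario are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Event:
    event_id: int
    kind: str                 # "url", "download", "exec", "registry", "connect"
    subject: str              # process that performed the action
    target: str               # resource acted on: URL, path, key, or address
    parent: Optional[int]     # event that initiated this one (None for a root)
    flagged: bool = False


def normalize_url(url: str) -> str:
    """Keep scheme, host, port and path; drop userinfo, query and fragment,
    the parts most likely to carry session tokens or personal data (assumed rule)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


class ThreatLog:
    """In-memory threat log keeping the order of events and their initiators."""

    def __init__(self) -> None:
        self.events: dict[int, Event] = {}
        self._next_id = 1

    def record(self, kind: str, subject: str, target: str,
               parent: Optional[int] = None) -> int:
        if kind == "url":
            target = normalize_url(target)
        eid = self._next_id
        self._next_id += 1
        self.events[eid] = Event(eid, kind, subject, target, parent)
        return eid

    def lineage(self, event_id: int) -> list[Event]:
        """Walk from an event back to the root event that started the chain."""
        chain = []
        cur = self.events.get(event_id)
        while cur is not None:
            chain.append(cur)
            cur = self.events.get(cur.parent) if cur.parent is not None else None
        return chain

    def flag_malware(self, subject: str) -> list[str]:
        """Mark every action by `subject` and everything that led to it as
        potentially malicious; return the distinct subjects involved, nearest first."""
        suspects: list[str] = []
        for ev in list(self.events.values()):
            if ev.subject == subject:
                for ancestor in self.lineage(ev.event_id):
                    ancestor.flagged = True
                    if ancestor.subject not in suspects:
                        suspects.append(ancestor.subject)
        return suspects

    def submission(self) -> dict:
        """What the client submits to the back end: flagged events in order,
        each with its initiator, plus the normalized URLs involved."""
        flagged = [e for e in self.events.values() if e.flagged]
        return {
            "events": [{"id": e.event_id, "kind": e.kind, "subject": e.subject,
                        "target": e.target, "parent": e.parent} for e in flagged],
            "urls": sorted({e.target for e in flagged if e.kind == "url"}),
        }


def build_sample_log() -> ThreatLog:
    """Constructed scenario: the browser visits a site, is redirected to a
    short-lived URL that serves an installer, the installer drops and runs a
    binary, and that binary contacts another host and writes a run key."""
    log = ThreatLog()
    e1 = log.record("url", "browser.exe", "http://example.test/free?sid=abc123#top")
    e2 = log.record("url", "browser.exe", "http://short-lived.test/dl", parent=e1)
    e3 = log.record("download", "browser.exe", "C:\\Users\\u\\setup.exe", parent=e2)
    e4 = log.record("exec", "setup.exe", "C:\\ProgramData\\svc\\virus.exe", parent=e3)
    log.record("connect", "virus.exe", "198.51.100.7:8080", parent=e4)
    log.record("registry", "virus.exe", "HKCU\\Software\\Run\\svc", parent=e4)
    log.record("exec", "explorer.exe", "C:\\Windows\\notepad.exe")  # unrelated
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.flag_malware("virus.exe"))   # nearest initiator first
    print(log.submission())
```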
In some embodiments, the malware analysis system automatically submits threat information from the threat log to the back-end service or another analysis authority (e.g., the server component of an anti-malware application). For example, if the system receives evidence that an infected file is stored on the client computer, the system may automatically submit the threat log information. An infected file may be detected by an anti-malware application, an operating system alert, a third-party detection alert, an on-demand user action (e.g., marking a file as malicious), and so on. As another example, a mini-filter driver of the system may detect a FILE_OPEN request for a file object that is generally hidden from user-mode applications.
The following is an example scenario. A user suspects that malware has infected his client computer because the computer is running too slowly. The user runs an anti-malware application, but the program reports no malware. The user requests that the malware analysis system investigate further. The user's action may cause the malware analysis system to select data from the threat log that will aid the investigation (e.g., recent installation data, kernel-mode modification history, network frequency and usage, and so on) and send that data to the back-end service for further analysis. If the back-end service identifies malware, the service may send updated remediation information to the client computer and automatically remove the malware.
Figure 3 is a flow diagram that illustrates the processing of the malware analysis system on a client computer, in one embodiment. In block 310, the system detects a potential threat or malware application. For example, a user may attempt to access a known malicious URL, or an application may request access to an unusual file. In block 320, the system collects information about the potential threat. For example, the system may collect a description of each of the resources accessed by the potential malware application, including files, registry keys, and so on. As another example, the system may collect the network traffic initiated by the potential malware application, such as URLs accessed, ports opened, and so on. In block 330, the system submits the threat information to the back-end service for further analysis.
In block 340, the system receives from the back-end service a threat signature and mitigation information that detect a threat confirmed by the back-end service. For example, the signature may identify a particular file that contains malicious executable code. In block 350, for the detected threat, the system applies the mitigation actions specified by the received mitigation information. For example, the mitigation information may specify particular files to delete or registry keys to modify in order to neutralize the threat from the identified malware application. In block 360, the system optionally provides the back-end service with information about the threats detected on the client computer via the signature, so that the back end can collect statistics about the occurrence of particular threats in order to improve the threat mitigation process. After block 360, these steps conclude.
Back-End Analysis
Client computers submit samples to the back end for analysis. For example, when an event indicating a potential threat occurs, or a user suspects that a file is malicious, the client computer submits the file together with data describing the user's actions and the system changes related to the sample (e.g., files created, registry keys, Internet connections opened, URLs, and so on). The back-end service receives the submitted sample and performs an automated analysis on it. For example, the back-end service may use the information about the original process stored in the received threat information to automatically configure a processing environment for reproducing the threat. When the suspicious code executes, the malware analysis system records the threat's behavior (e.g., files, registry keys, and other items the threat accesses or modifies) and verifies that the behavior recorded on the back end matches the data reported from the client computer. The environment may download the malware from the URLs described in the threat information, mimic user actions similar to how they are described in the threat information, and so on. The system may also monitor the URLs in the threat information over time (e.g., for the following 6-12 months) in order to track the threat and potential variants.
When the system has verified the behavior, the system invokes a sample grouping process. The grouping process compares the behavior of the threat the system is currently analyzing with the behavior of previously analyzed threats (e.g., stored in the data store) in order to identify related threats and the family to which the current threat may belong. For example, several variants of the same malware may modify the same files and registry keys on the client computer. After the system identifies the family, the signature builder creates a generic detection signature for the whole family, or a variant-specific detection. Finally, the system releases the signature to client computers, such as through a regular update process. The mitigation component on the client computer uses the signature to remove the threat from the client computer, such as by deleting files, uninstalling applications, and so on.
In some embodiments, the malware analysis system sorts received threats by priority. For example, the system may assign a high priority to threats that produce a large number of samples from many client computers. However, this is not always desirable, because low reporting does not necessarily correlate with a low threat level. Low reporting may simply mean that, in many cases, a widespread threat is evading detection. Such a threat may be a new threat to which the system should give increased priority. Therefore, as the system analyzes threats and deploys mitigation signatures and instructions, the system measures execution in a feedback-loop type of cycle. For example, if after the system releases a new signature for a threat (e.g., in the first few days), a previously rarely reported threat leads to a large number of removal or mitigation actions, the system re-evaluates the priority assigned to that family so that similar threats in the future are given a higher priority.
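An added Python sketch of the back-end steps described in the three paragraphs above (sample grouping into families by shared behavior, a generic family signature with its mitigation actions, and the feedback-loop re-prioritization), written for this page rather than taken from the patent. The containment similarity measure, the 0.5 threshold, the 10x feedback factor and the constructed reports are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ThreatReport:
    report_id: str
    client_os: str           # used on the back end to configure the sandbox
    files: set[str]          # files the sample created or modified
    registry: set[str]       # registry keys the sample wrote
    urls: set[str]           # URLs the sample contacted


@dataclass
class Family:
    name: str
    members: list[ThreatReport] = field(default_factory=list)
    report_count: int = 0
    priority: int = 1        # 1 = low; raised by volume or by the feedback loop


def behaviour(r: ThreatReport) -> set[str]:
    """Flatten a report into one set of typed behaviour tokens."""
    return ({"file:" + f for f in r.files} | {"reg:" + k for k in r.registry}
            | {"url:" + u for u in r.urls})


def common_behaviour(fam: Family) -> set[str]:
    """Artifacts shared by every analysed member of the family."""
    sets = [behaviour(m) for m in fam.members]
    return set.intersection(*sets) if sets else set()


def containment(report_tokens: set[str], core: set[str]) -> float:
    """Fraction of the family's core artifacts the new report exhibits
    (assumed measure; tolerant of variant-specific extra files and URLs)."""
    return len(report_tokens & core) / len(core) if core else 0.0


def group(report: ThreatReport, families: list[Family], threshold: float = 0.5) -> Family:
    """Sample grouping: join the most similar known family, else start a new one."""
    best, best_score = None, 0.0
    for fam in families:
        score = containment(behaviour(report), common_behaviour(fam))
        if score > best_score:
            best, best_score = fam, score
    if best is None or best_score < threshold:
        best = Family(name=f"family-{len(families) + 1}")
        families.append(best)
    best.members.append(report)
    best.report_count += 1
    return best


def build_signature(fam: Family) -> dict:
    """Generic family signature from the shared artifacts, plus the mitigation
    actions that neutralise them (delete the dropped files, remove the keys)."""
    common = common_behaviour(fam)
    files = sorted(t[len("file:"):] for t in common if t.startswith("file:"))
    keys = sorted(t[len("reg:"):] for t in common if t.startswith("reg:"))
    return {
        "family": fam.name,
        "detect": {"files": files, "registry": keys},
        "mitigate": [("delete_file", f) for f in files]
                    + [("delete_key", k) for k in keys],
    }


def feedback(fam: Family, detections_after_release: int, factor: int = 10) -> int:
    """Feedback loop: a family that was rarely reported but fires many times
    once its signature ships was evading detection, so its priority rises."""
    if detections_after_release > factor * max(fam.report_count, 1):
        fam.priority = 3
    elif detections_after_release > fam.report_count:
        fam.priority = max(fam.priority, 2)
    return fam.priority


def run_pipeline() -> tuple[list[Family], dict, int]:
    """Constructed reports: two variants of one dropper and one unrelated sample."""
    reports = [
        ThreatReport("r1", "WinXP", {"C:\\svc\\virus.exe", "C:\\svc\\a.dll"},
                     {"HKCU\\Run\\svc"}, {"http://short-lived.test/dl"}),
        ThreatReport("r2", "Vista", {"C:\\svc\\virus.exe", "C:\\svc\\b.dll"},
                     {"HKCU\\Run\\svc"}, {"http://mirror.test/dl"}),
        ThreatReport("r3", "WinXP", {"C:\\tmp\\spy.exe"},
                     {"HKLM\\Services\\spy"}, {"http://spy.test/c2"}),
    ]
    families: list[Family] = []
    for r in reports:
        group(r, families)
    signature = build_signature(families[0])
    # 40 removals in the first days after release against only 2 reports
    priority = feedback(families[0], detections_after_release=40)
    return families, signature, priority


if __name__ == "__main__":
    fams, sig, prio = run_pipeline()
    print([(f.name, len(f.members)) for f in fams], sig, prio)
```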
Priority weighting promotes a more timely inspection by technicians or automated analysis, thereby making more effective use of limited analysis resources. The malware analysis system provides an end-to-end loop between clients and servers that continually refines the process of learning about and effectively mitigating threats. Thus, even as the backlog of threats awaiting analysis continues to grow while malware authors create more malware, the system remains more effective than existing systems at prioritizing which malware to analyze and at iteratively tuning the detection and mitigation process.
As described herein, the malware detection system creates a feedback loop in which client computers feed threat information to the back-end service for a more context-aware analysis, and the back-end service in turn provides more timely and complete signature updates, so that updated clients using those signatures can detect malware more accurately (minimizing partial detection and false negatives). Thus, when false positives or misclassifications occur, the system can consume these "anomalies" and self-correct in order to prevent similar errors in the future.
In some embodiments, the malware detection system also allows a technician to intervene in the process and request more information from client computers. For example, if the technician cannot fully analyze a threat, the technician may still be able to provide an updated signature for the threat and create a script that gathers additional information for further analysis when the system detects an instance of the threat. The system obtains the additional requested information from the original client that reported the threat as well as from other clients that encounter the same threat. The next time the threat is encountered, the client computer submits any requested files, registry keys, and other telemetry requested by the technician working to complete the full picture of the threat. Although anti-malware vendors have previously provided service components, including signature updates, the iterative capability described here provides a new level of threat analysis and mitigation that was not previously available, allowing the technician or the back-end service to dig deeper into a threat detected on a client computer the next time the threat is encountered.
Figure 4 is a flow diagram that illustrates the processing of the back-end service of the malware analysis system to analyze and mitigate a potential threat, in one embodiment. In block 410, the system receives a threat report from a client computer. For example, the client computer may detect malware or suspicious behavior that matches a signature previously provided by the back-end service. The report includes detailed information about the execution history of the threat. In block 420, the system attempts to identify and group the threat based on previously analyzed threats. For example, the threat information may distinguish the threat and relate it to previously detected threats with similar behavior. The system may also configure an execution environment to reproduce the threat and execute the threat there in order to gather additional information for identifying the threat.
In block 430, the system builds a signature for detecting the threat. For example, the signature may detect a threat in the family, or a particular threat variant, early, when the threat is executed or installed on a client system. In block 440, the system determines how to mitigate the threat and produces a mitigation script or actions. For example, the system may determine that deleting the files installed by the threat will neutralize the threat. In block 450, the system provides the signature and mitigation script to client computers. For example, client computers may periodically query the back-end service for new mitigation information. In block 460, the system receives from client computers feedback information indicating the threats detected by the client computers based on the signatures received from the back-end service. For example, based on the signature that detected the threat on the client computer, the feedback information may contain an identifier that identifies a particular threat family or variant. The feedback information is used to prioritize threats and improve threat detection. After block 460, these steps conclude.
From the foregoing, it will be appreciated that although specific embodiments of the malware analysis system have been described herein for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention. For example, although malware applications have been described, the system may also be used to detect malicious documents, e-mails, phishing scams, and so on, using similar techniques. Accordingly, the invention is limited only by the appended claims.
Claims (19)
1. A computer-implemented method for tracking the execution of malware on a client computer, the method comprising:
detecting (310) a potential malware application at the client computer;
collecting (320) threat information about the potential malware application, wherein the threat information includes the operating system and configuration of the client computer, and wherein the threat information further includes historical data from the client computer indicating how the potential malware application initiated each action;
submitting (330) the threat information to a back-end service for further analysis, wherein the analysis is performed by configuring a similar computer in a virtual or sandbox environment based on the operating system and configuration of the client computer and carrying out the actions indicated in the threat information;
receiving (340) a threat signature and mitigation information from the back-end service, wherein the signature includes data for detecting a threat confirmed by the back-end service; and
applying (350) one or more mitigation actions to the detected potential malware application based on the signature received from the back-end service.
2. The method of claim 1, wherein detecting a potential malware application includes detecting a request to connect to a known malicious URL.
3. The method of claim 1, wherein detecting a potential malware application includes detecting an attempt to access an operating system file.
4. The method of claim 1, wherein collecting threat information includes collecting information about at least one of: files, directories, registry keys, and network ports accessed by the potential malware application.
5. The method of claim 1, wherein the threat signature identifies a particular file associated with the malware application.
6. The method of claim 1, wherein the mitigation action includes deleting from the client computer a file associated with the potential malware application.
7. The method of claim 1, further comprising providing the back-end service with information about threats detected based on the received signature, so that the back end can collect statistics about the occurrence of particular threats in order to improve the threat mitigation process.
8. A computer system for detecting and removing malicious applications, the system comprising:
a threat detection component (110) configured to detect events on a client computer that indicate a potentially malicious application;
an information collection component (120) configured to collect, at the client computer, information about the potentially malicious application, wherein the collected information includes the operating system and configuration of the client computer, and wherein the collected information further includes historical data from the client computer indicating how the potentially malicious application initiated each action;
a communication component (130) configured to transfer threat reports from the client computer to a back-end service, and to transfer signatures for detecting malicious applications from the back-end service to the client computer;
a threat data store (140) configured to store information about potentially malicious applications reported by client computers, a queue of potentially malicious applications awaiting analysis, signatures for detecting malicious applications, and mitigation instructions for removing malicious applications from client computers;
a threat analysis component (150) configured to analyze a received report by configuring a similar computer in a virtual or sandbox environment based on the operating system and configuration of the client computer and carrying out the user or other actions indicated in the collected information;
a signature builder component (160) configured to receive information about the analyzed threat from the threat analysis component and to create a signature for detecting instances of the threat; and
a mitigation component (170) configured to apply signatures and mitigation instructions to identify known threats, and to perform mitigation actions in response to identified threat instances.
9. The system of claim 8, wherein the threat detection component includes a kernel-mode driver that collects information about the execution of the potentially malicious application.
10. The system of claim 8, wherein the information collection component stores the browsing history of the user of the client computer.
11. The system of claim 8, wherein the threat analysis component is further configured to reproduce the execution environment of the received threat report, execute the received potentially malicious application, and classify the potentially malicious application.
12. The system of claim 8, wherein the mitigation component is further configured to receive signature updates from the back-end service, scan the client computer for each received signature, and perform mitigation actions for any detected threat.
13. The system of claim 8, wherein the mitigation component is further configured to gather additional information about the potentially malicious application based on a request received from the back-end service.
14. The system of claim 8, further comprising a feedback component configured to provide threat detection information from the client computer to the back-end service and to prioritize the analysis of threat reports on the back-end service.
15. The system of claim 8, further comprising a user interface component configured to provide an interface for a technician to direct threat analysis.
16. A method for controlling a computer system that provides a back-end service to collect and analyze malware threats reported by client computers, the method comprising:
receiving (410) from a client computer a threat report identifying a malware threat, wherein the threat report includes the operating system and configuration of the client computer, and wherein the threat report further includes historical data from the client computer indicating how the malware threat initiated each action;
classifying (420) the malware threat based on previously analyzed threats;
configuring an execution environment based on the operating system and configuration of the client computer to reproduce the malware threat, and executing the malware threat to gather additional information about the malware threat;
building (430) a signature for detecting the malware threat;
determining (440) a mitigation action for neutralizing the malware threat, and producing a mitigation script based on the mitigation action; and
providing (450) the signature and mitigation script to the client computer.
17. The method of claim 16, wherein the received threat report includes historical execution information related to the malware threat.
18. The method of claim 16, wherein classifying the malware threat includes identifying a malware family containing malware having characteristics that match the malware threat.
19. The method of claim 16, wherein providing the signature and mitigation script to the client computer includes responding to a periodic request from the client computer for updated signature information.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/234,717 | 2008-09-22 | | |
US12/234,717 US8667583B2 (en) | 2008-09-22 | 2008-09-22 | Collecting and analyzing malware data |
PCT/US2009/053774 WO2010033326A2 (en) | 2008-09-22 | 2009-08-13 | Collecting and analyzing malware data |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102160048A CN102160048A (zh) | 2011-08-17 |
CN102160048B true CN102160048B (zh) | 2014-04-09 |
Family
ID=42038973
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200980138004.3A Active CN102160048B (zh) | 2008-09-22 | 2009-08-13 | Collecting and analyzing malware data |
Country Status (3)
Country | Link |
---|---|
US (1) | US8667583B2 (zh) |
CN (1) | CN102160048B (zh) |
WO (1) | WO2010033326A2 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10305929B2 (en) | 2013-09-27 | 2019-05-28 | Mcafee, Llc | Managed software remediation |
Families Citing this family (405)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8539582B1 (en) | 2004-04-01 | 2013-09-17 | Fireeye, Inc. | Malware containment and security analysis on connection |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US9106694B2 (en) * | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US8375444B2 (en) | 2006-04-20 | 2013-02-12 | Fireeye, Inc. | Dynamic signature creation and enforcement |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8566928B2 (en) | 2005-10-27 | 2013-10-22 | Georgia Tech Research Corporation | Method and system for detecting and responding to attacking networks |
US8009566B2 (en) | 2006-06-26 | 2011-08-30 | Palo Alto Networks, Inc. | Packet classification in a network security device |
US8515912B2 (en) | 2010-07-15 | 2013-08-20 | Palantir Technologies, Inc. | Sharing and deconflicting data changes in a multimaster database system |
US10027688B2 (en) | 2008-08-11 | 2018-07-17 | Damballa, Inc. | Method and system for detecting malicious and/or botnet-related domain names |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8850571B2 (en) | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US8065567B1 (en) * | 2009-03-03 | 2011-11-22 | Symantec Corporation | Systems and methods for recording behavioral information of an unverified component |
US8266698B1 (en) * | 2009-03-09 | 2012-09-11 | Symantec Corporation | Using machine infection characteristics for behavior-based detection of malware |
US8370942B1 (en) * | 2009-03-12 | 2013-02-05 | Symantec Corporation | Proactively analyzing binary files from suspicious sources |
US8549401B1 (en) * | 2009-03-30 | 2013-10-01 | Symantec Corporation | Systems and methods for automatically generating computer-assistance videos |
GB2469323B (en) * | 2009-04-09 | 2014-01-01 | F Secure Oyj | Providing information to a security application |
US9607148B1 (en) * | 2009-06-30 | 2017-03-28 | Symantec Corporation | Method and apparatus for detecting malware on a computer system |
US8832829B2 (en) * | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US8578497B2 (en) | 2010-01-06 | 2013-11-05 | Damballa, Inc. | Method and system for detecting malware |
US8826438B2 (en) | 2010-01-19 | 2014-09-02 | Damballa, Inc. | Method and system for network-based detecting of malware from behavioral clustering |
US8677491B2 (en) * | 2010-02-04 | 2014-03-18 | F-Secure Oyj | Malware detection |
US9213838B2 (en) * | 2011-05-13 | 2015-12-15 | Mcafee Ireland Holdings Limited | Systems and methods of processing data associated with detection and/or handling of malware |
WO2011127488A2 (en) | 2010-04-08 | 2011-10-13 | Lynux Works, Inc. | Systems and methods of processing data associated with detection and/or handling of malware |
US9392005B2 (en) | 2010-05-27 | 2016-07-12 | Samsung Sds Co., Ltd. | System and method for matching pattern |
US9015843B2 (en) | 2010-12-03 | 2015-04-21 | Microsoft Corporation | Predictive malware threat mitigation |
US9767282B2 (en) | 2010-12-14 | 2017-09-19 | Microsoft Technology Licensing, Llc | Offline scan, clean and telemetry using installed antimalware protection components |
US8521667B2 (en) | 2010-12-15 | 2013-08-27 | Microsoft Corporation | Detection and categorization of malicious URLs |
US8631489B2 (en) | 2011-02-01 | 2014-01-14 | Damballa, Inc. | Method and system for detecting malicious domain names at an upper DNS hierarchy |
US8839434B2 (en) | 2011-04-15 | 2014-09-16 | Raytheon Company | Multi-nodal malware analysis |
US9436826B2 (en) * | 2011-05-16 | 2016-09-06 | Microsoft Technology Licensing, Llc | Discovering malicious input files and performing automatic and distributed remediation |
US8966625B1 (en) | 2011-05-24 | 2015-02-24 | Palo Alto Networks, Inc. | Identification of malware sites using unknown URL sites and newly registered DNS addresses |
US8555388B1 (en) | 2011-05-24 | 2013-10-08 | Palo Alto Networks, Inc. | Heuristic botnet detection |
US9047441B2 (en) * | 2011-05-24 | 2015-06-02 | Palo Alto Networks, Inc. | Malware analysis system |
US8695096B1 (en) | 2011-05-24 | 2014-04-08 | Palo Alto Networks, Inc. | Automatic signature generation for malicious PDF files |
US8955133B2 (en) | 2011-06-09 | 2015-02-10 | Microsoft Corporation | Applying antimalware logic without revealing the antimalware logic to adversaries |
US9129123B2 (en) | 2011-06-13 | 2015-09-08 | Lynx Software Technologies, Inc. | Systems and methods of secure domain isolation involving separation kernel features |
US9547693B1 (en) | 2011-06-23 | 2017-01-17 | Palantir Technologies Inc. | Periodic database search manager for multiple data sources |
US8640246B2 (en) | 2011-06-27 | 2014-01-28 | Raytheon Company | Distributed malware detection |
US8635079B2 (en) | 2011-06-27 | 2014-01-21 | Raytheon Company | System and method for sharing malware analysis results |
CN102708309A (zh) * | 2011-07-20 | 2012-10-03 | 北京邮电大学 | 恶意代码自动分析方法及系统 |
US8874579B2 (en) | 2011-08-18 | 2014-10-28 | Verisign, Inc. | Systems and methods for identifying associations between malware samples |
US8677493B2 (en) * | 2011-09-07 | 2014-03-18 | Mcafee, Inc. | Dynamic cleaning for malware using cloud technology |
US9686293B2 (en) * | 2011-11-03 | 2017-06-20 | Cyphort Inc. | Systems and methods for malware detection and mitigation |
SG11201402078XA (en) * | 2011-11-10 | 2014-09-26 | Securebrain Corp | Unauthorized application detection system and method |
US8863288B1 (en) | 2011-12-30 | 2014-10-14 | Mantech Advanced Systems International, Inc. | Detecting malicious software |
US8776235B2 (en) * | 2012-01-10 | 2014-07-08 | International Business Machines Corporation | Storage device with internalized anti-virus protection |
US9922190B2 (en) | 2012-01-25 | 2018-03-20 | Damballa, Inc. | Method and system for detecting DGA-based malware |
US9519782B2 (en) | 2012-02-24 | 2016-12-13 | Fireeye, Inc. | Detecting malicious network content |
US8904538B1 (en) * | 2012-03-13 | 2014-12-02 | Symantec Corporation | Systems and methods for user-directed malware remediation |
US10185822B2 (en) * | 2012-03-14 | 2019-01-22 | Carbon Black, Inc. | Systems and methods for tracking and recording events in a network of computing systems |
RU2486588C1 (ru) | 2012-03-14 | 2013-06-27 | Закрытое акционерное общество "Лаборатория Касперского" | Система и способ эффективного лечения компьютера от вредоносных программ и последствий их работы |
CN103369520B (zh) * | 2012-03-27 | 2016-12-14 | 百度在线网络技术(北京)有限公司 | 移动终端的应用程序可疑行为的意图预判系统及方法 |
CN103368987B (zh) * | 2012-03-27 | 2017-02-08 | 百度在线网络技术(北京)有限公司 | 云服务器、应用程序的审核认证及管理系统和方法 |
CN103366116B (zh) * | 2012-03-27 | 2016-12-14 | 百度在线网络技术(北京)有限公司 | 移动终端的应用程序潜在威胁的预判系统、方法及装置 |
CN103368904B (zh) * | 2012-03-27 | 2016-12-28 | 百度在线网络技术(北京)有限公司 | 移动终端、可疑行为检测及判定系统和方法 |
US9256733B2 (en) * | 2012-04-27 | 2016-02-09 | Microsoft Technology Licensing, Llc | Retrieving content from website through sandbox |
US20130303118A1 (en) * | 2012-05-11 | 2013-11-14 | T-Mobile Usa, Inc. | Mobile device security |
WO2014004747A2 (en) | 2012-06-26 | 2014-01-03 | Lynuxworks, Inc. | Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features |
CN104254845B (zh) * | 2012-07-24 | 2017-09-05 | 惠普发展公司,有限责任合伙企业 | 通过访问网络站点接收更新模块 |
US9043914B2 (en) | 2012-08-22 | 2015-05-26 | International Business Machines Corporation | File scanning |
US10547674B2 (en) | 2012-08-27 | 2020-01-28 | Help/Systems, Llc | Methods and systems for network flow analysis |
US9894088B2 (en) | 2012-08-31 | 2018-02-13 | Damballa, Inc. | Data mining to identify malicious activity |
US10084806B2 (en) | 2012-08-31 | 2018-09-25 | Damballa, Inc. | Traffic simulation to identify malicious activity |
US9680861B2 (en) | 2012-08-31 | 2017-06-13 | Damballa, Inc. | Historical analysis to identify malicious activity |
US9104870B1 (en) | 2012-09-28 | 2015-08-11 | Palo Alto Networks, Inc. | Detecting malware |
RU2510530C1 (ru) * | 2012-09-28 | 2014-03-27 | Закрытое акционерное общество "Лаборатория Касперского" | Способ автоматического формирования эвристических алгоритмов поиска вредоносных объектов |
US9215239B1 (en) * | 2012-09-28 | 2015-12-15 | Palo Alto Networks, Inc. | Malware detection based on traffic analysis |
US9460283B2 (en) * | 2012-10-09 | 2016-10-04 | Dell Products L.P. | Adaptive integrity validation for portable information handling systems |
US9081975B2 (en) | 2012-10-22 | 2015-07-14 | Palantir Technologies, Inc. | Sharing information between nexuses that use different classification schemes for information access control |
US9501761B2 (en) | 2012-11-05 | 2016-11-22 | Palantir Technologies, Inc. | System and method for sharing investigation results |
US8925085B2 (en) * | 2012-11-15 | 2014-12-30 | Microsoft Corporation | Dynamic selection and loading of anti-malware signatures |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9165142B1 (en) * | 2013-01-30 | 2015-10-20 | Palo Alto Networks, Inc. | Malware family identification using profile signatures |
US20150373040A1 (en) * | 2013-01-31 | 2015-12-24 | Hewlett-Packard Development Company, L.P. | Sharing information |
JP6176868B2 (ja) * | 2013-02-10 | 2017-08-09 | ペイパル・インク | 予測的なセキュリティ製品を提供し、既存のセキュリティ製品を評価する方法と製品 |
US10152591B2 (en) | 2013-02-10 | 2018-12-11 | Paypal, Inc. | Protecting against malware variants using reconstructed code of malware |
CN103164649B (zh) * | 2013-02-18 | 2016-08-17 | 北京神州绿盟信息安全科技股份有限公司 | 进程行为分析方法及系统 |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9009822B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9159035B1 (en) | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9824209B1 (en) | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9412066B1 (en) | 2013-03-11 | 2016-08-09 | Symantec Corporation | Systems and methods for predicting optimum run times for software samples |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9565202B1 (en) | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9251343B1 (en) | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
EP2973176A4 (en) * | 2013-03-15 | 2016-11-23 | Mandiant Llc | SYSTEM AND METHOD WITH STRUCTURED INTELLIGENCE FOR VERIFYING AND COMBATING THREATS AT FINAL POINTS |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9965937B2 (en) | 2013-03-15 | 2018-05-08 | Palantir Technologies Inc. | External malware data item clustering and analysis |
US9413781B2 (en) | 2013-03-15 | 2016-08-09 | Fireeye, Inc. | System and method employing structured intelligence to verify and contain threats at endpoints |
US8818892B1 (en) | 2013-03-15 | 2014-08-26 | Palantir Technologies, Inc. | Prioritizing data clusters with customizable scoring strategies |
US9178901B2 (en) | 2013-03-26 | 2015-11-03 | Microsoft Technology Licensing, Llc | Malicious uniform resource locator detection |
CN103269341B (zh) * | 2013-05-08 | 2016-02-17 | 腾讯科技(深圳)有限公司 | Method and computer system for analyzing a spyware program |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9571511B2 (en) | 2013-06-14 | 2017-02-14 | Damballa, Inc. | Systems and methods for traffic classification |
US9378370B2 (en) | 2013-06-17 | 2016-06-28 | Microsoft Technology Licensing, Llc | Scanning files for inappropriate content during synchronization |
US9850568B2 (en) | 2013-06-20 | 2017-12-26 | Applied Materials, Inc. | Plasma erosion resistant rare-earth oxide based thin film coatings |
US9536091B2 (en) | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US20140379637A1 (en) | 2013-06-25 | 2014-12-25 | Microsoft Corporation | Reverse replication to rollback corrupted files |
US9888016B1 (en) | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US10019575B1 (en) | 2013-07-30 | 2018-07-10 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US9811665B1 (en) | 2013-07-30 | 2017-11-07 | Palo Alto Networks, Inc. | Static and dynamic security analysis of apps for mobile devices |
US9613210B1 (en) | 2013-07-30 | 2017-04-04 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using dynamic patching |
US9335897B2 (en) | 2013-08-08 | 2016-05-10 | Palantir Technologies Inc. | Long click display of a context menu |
US10192052B1 (en) | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US10089461B1 (en) | 2013-09-30 | 2018-10-02 | Fireeye, Inc. | Page replacement code injection |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9213831B2 (en) | 2013-10-03 | 2015-12-15 | Qualcomm Incorporated | Malware detection and prevention by monitoring and modifying a hardware pipeline |
US9519775B2 (en) | 2013-10-03 | 2016-12-13 | Qualcomm Incorporated | Pre-identifying probable malicious behavior based on configuration pathways |
US9116975B2 (en) | 2013-10-18 | 2015-08-25 | Palantir Technologies Inc. | Systems and user interfaces for dynamic and interactive simultaneous querying of multiple data stores |
EP3072077B1 (en) | 2013-11-19 | 2019-05-08 | Intel Corporation | Context-aware proactive threat management system |
US9189627B1 (en) | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
CN103593614B (zh) * | 2013-11-29 | 2017-01-11 | 成都科来软件有限公司 | Method for retrieving unknown viruses |
US10579647B1 (en) | 2013-12-16 | 2020-03-03 | Palantir Technologies Inc. | Methods and systems for analyzing entity performance |
US9154515B1 (en) * | 2013-12-19 | 2015-10-06 | Amazon Technologies, Inc. | Systems and methods identifying and reacting to potentially malicious activity |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US10356032B2 (en) | 2013-12-26 | 2019-07-16 | Palantir Technologies Inc. | System and method for detecting confidential information emails |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9338013B2 (en) | 2013-12-30 | 2016-05-10 | Palantir Technologies Inc. | Verifiable redactable audit log |
US8832832B1 (en) | 2014-01-03 | 2014-09-09 | Palantir Technologies Inc. | IP reputation |
US9740857B2 (en) | 2014-01-16 | 2017-08-22 | Fireeye, Inc. | Threat-aware microvisor |
KR102000133B1 (ko) * | 2014-02-03 | 2019-07-16 | 한국전자통신연구원 | Apparatus and method for detecting malware based on collected event information |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9009827B1 (en) * | 2014-02-20 | 2015-04-14 | Palantir Technologies Inc. | Security sharing system |
US10326778B2 (en) | 2014-02-24 | 2019-06-18 | Cyphort Inc. | System and method for detecting lateral movement and data exfiltration |
US10095866B2 (en) | 2014-02-24 | 2018-10-09 | Cyphort Inc. | System and method for threat risk scoring of security threats |
US11405410B2 (en) | 2014-02-24 | 2022-08-02 | Cyphort Inc. | System and method for detecting lateral movement and data exfiltration |
US9569617B1 (en) | 2014-03-05 | 2017-02-14 | Symantec Corporation | Systems and methods for preventing false positive malware identification |
US9684705B1 (en) | 2014-03-14 | 2017-06-20 | Symantec Corporation | Systems and methods for clustering data |
CN103905436A (zh) * | 2014-03-14 | 2014-07-02 | 汉柏科技有限公司 | Method and device for protecting against collection of personal private data by apps |
US9241010B1 (en) * | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US8997226B1 (en) * | 2014-04-17 | 2015-03-31 | Shape Security, Inc. | Detection of client-side malware activity |
WO2015160357A1 (en) * | 2014-04-18 | 2015-10-22 | Hewlett-Packard Development Company, L.P. | Rating threat submitter |
CA2946695C (en) * | 2014-04-25 | 2021-05-04 | Securebrain Corporation | Fraud detection network system and fraud detection method |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US10212176B2 (en) | 2014-06-23 | 2019-02-19 | Hewlett Packard Enterprise Development Lp | Entity group behavior profiling |
US10469514B2 (en) * | 2014-06-23 | 2019-11-05 | Hewlett Packard Enterprise Development Lp | Collaborative and adaptive threat intelligence for computer security |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communications between remotely hosted virtual machines and malicious web servers |
US9619557B2 (en) | 2014-06-30 | 2017-04-11 | Palantir Technologies, Inc. | Systems and methods for key phrase characterization of documents |
US9535974B1 (en) | 2014-06-30 | 2017-01-03 | Palantir Technologies Inc. | Systems and methods for identifying key phrase clusters within documents |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9202249B1 (en) | 2014-07-03 | 2015-12-01 | Palantir Technologies Inc. | Data item clustering and analysis |
US9785773B2 (en) | 2014-07-03 | 2017-10-10 | Palantir Technologies Inc. | Malware data item analysis |
US10572496B1 (en) | 2014-07-03 | 2020-02-25 | Palantir Technologies Inc. | Distributed workflow system and database with access controls for city resiliency |
US9021260B1 (en) | 2014-07-03 | 2015-04-28 | Palantir Technologies Inc. | Malware data item analysis |
US9256664B2 (en) | 2014-07-03 | 2016-02-09 | Palantir Technologies Inc. | System and method for news events detection and visualization |
US9489516B1 (en) | 2014-07-14 | 2016-11-08 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US9659176B1 (en) * | 2014-07-17 | 2017-05-23 | Symantec Corporation | Systems and methods for generating repair scripts that facilitate remediation of malware side-effects |
US9009836B1 (en) | 2014-07-17 | 2015-04-14 | Kaspersky Lab Zao | Security architecture for virtual machines |
WO2016014029A1 (en) * | 2014-07-22 | 2016-01-28 | Hewlett-Packard Development Company, L.P. | Conditional security indicator sharing |
WO2016014030A1 (en) * | 2014-07-22 | 2016-01-28 | Hewlett-Packard Development Company, L.P. | Security indicator access determination |
US9419992B2 (en) | 2014-08-13 | 2016-08-16 | Palantir Technologies Inc. | Unwanted tunneling alert system |
US9965627B2 (en) * | 2014-09-14 | 2018-05-08 | Sophos Limited | Labeling objects on an endpoint for encryption management |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
CN104318153B (zh) * | 2014-09-30 | 2017-06-23 | 北京金和软件股份有限公司 | System for online monitoring of mobile application downloads by mobile devices |
US9043894B1 (en) | 2014-11-06 | 2015-05-26 | Palantir Technologies Inc. | Malicious software detection in a computing system |
WO2016093836A1 (en) | 2014-12-11 | 2016-06-16 | Hewlett Packard Enterprise Development Lp | Interactive detection of system anomalies |
US9542554B1 (en) | 2014-12-18 | 2017-01-10 | Palo Alto Networks, Inc. | Deduplicating malware |
US9805193B1 (en) | 2014-12-18 | 2017-10-31 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US9367872B1 (en) | 2014-12-22 | 2016-06-14 | Palantir Technologies Inc. | Systems and user interfaces for dynamic and interactive investigation of bad actor behavior based on automatic clustering of related data in various data structures |
US10552994B2 (en) | 2014-12-22 | 2020-02-04 | Palantir Technologies Inc. | Systems and interactive user interfaces for dynamic retrieval, analysis, and triage of data items |
US9348920B1 (en) | 2014-12-22 | 2016-05-24 | Palantir Technologies Inc. | Concept indexing among database of documents using machine learning techniques |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US20160180078A1 (en) * | 2014-12-23 | 2016-06-23 | Jasmeet Chhabra | Technologies for enhanced user authentication using advanced sensor monitoring |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9467455B2 (en) | 2014-12-29 | 2016-10-11 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9817563B1 (en) | 2014-12-29 | 2017-11-14 | Palantir Technologies Inc. | System and method of generating data points from one or more data stores of data items for chart creation and manipulation |
US9648036B2 (en) | 2014-12-29 | 2017-05-09 | Palantir Technologies Inc. | Systems for network risk assessment including processing of user access rights associated with a network of devices |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10372879B2 (en) | 2014-12-31 | 2019-08-06 | Palantir Technologies Inc. | Medical claims lead summary report generation |
US10110622B2 (en) * | 2015-02-13 | 2018-10-23 | Microsoft Technology Licensing, Llc | Security scanner |
US9483643B1 (en) | 2015-03-13 | 2016-11-01 | Symantec Corporation | Systems and methods for creating behavioral signatures used to detect malware |
US9619649B1 (en) | 2015-03-13 | 2017-04-11 | Symantec Corporation | Systems and methods for detecting potentially malicious applications |
US10116688B1 (en) | 2015-03-24 | 2018-10-30 | Symantec Corporation | Systems and methods for detecting potentially malicious files |
US9930065B2 (en) | 2015-03-25 | 2018-03-27 | University Of Georgia Research Foundation, Inc. | Measuring, categorizing, and/or mitigating malware distribution paths |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US9798878B1 (en) | 2015-03-31 | 2017-10-24 | Symantec Corporation | Systems and methods for detecting text display manipulation attacks |
US9680845B2 (en) | 2015-03-31 | 2017-06-13 | Juniper Networks, Inc. | Detecting a malicious file infection via sandboxing |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US10075453B2 (en) * | 2015-03-31 | 2018-09-11 | Juniper Networks, Inc. | Detecting suspicious files resident on a network |
US9654496B1 (en) * | 2015-03-31 | 2017-05-16 | Juniper Networks, Inc. | Obtaining suspect objects based on detecting suspicious activity |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US9407652B1 (en) | 2015-06-26 | 2016-08-02 | Palantir Technologies Inc. | Network anomaly detection |
WO2017003580A1 (en) * | 2015-06-27 | 2017-01-05 | Mcafee, Inc. | Mitigation of malware |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US9454785B1 (en) | 2015-07-30 | 2016-09-27 | Palantir Technologies Inc. | Systems and user interfaces for holistic, data-driven investigation of bad actor behavior based on clustering and scoring of related data |
US9456000B1 (en) * | 2015-08-06 | 2016-09-27 | Palantir Technologies Inc. | Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications |
US10803074B2 (en) | 2015-08-10 | 2020-10-13 | Hewlett Packard Enterprise Development LP | Evaluating system behaviour |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10489391B1 (en) | 2015-08-17 | 2019-11-26 | Palantir Technologies Inc. | Systems and methods for grouping and enriching data items accessed from one or more databases for presentation in a user interface |
US9537880B1 (en) | 2015-08-19 | 2017-01-03 | Palantir Technologies Inc. | Anomalous network monitoring, user behavior detection and database system |
US10102369B2 (en) | 2015-08-19 | 2018-10-16 | Palantir Technologies Inc. | Checkout system executable code monitoring, and user account compromise determination system |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10764329B2 (en) | 2015-09-25 | 2020-09-01 | Micro Focus Llc | Associations among data records in a security information sharing platform |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
WO2017062038A1 (en) | 2015-10-09 | 2017-04-13 | Hewlett Packard Enterprise Development Lp | Privacy preservation |
WO2017062037A1 (en) | 2015-10-09 | 2017-04-13 | Hewlett Packard Enterprise Development Lp | Performance tracking in a security information sharing platform |
US10044745B1 (en) | 2015-10-12 | 2018-08-07 | Palantir Technologies, Inc. | Systems for computer network security risk assessment including user compromise analysis associated with a network of devices |
WO2017083435A1 (en) * | 2015-11-09 | 2017-05-18 | Cyphort, Inc. | System and method for threat risk scoring of security threats |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US9888039B2 (en) | 2015-12-28 | 2018-02-06 | Palantir Technologies Inc. | Network-based permissioning system |
US9916465B1 (en) | 2015-12-29 | 2018-03-13 | Palantir Technologies Inc. | Systems and methods for automatic and customizable data minimization of electronic data stores |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
WO2017160765A1 (en) | 2016-03-15 | 2017-09-21 | Carbon Black, Inc. | System and method for process hollowing detection |
CA3017918A1 (en) | 2016-03-15 | 2017-09-21 | Carbon Black, Inc. | Using private threat intelligence in public cloud |
CA3017936A1 (en) | 2016-03-15 | 2017-09-21 | Carbon Black, Inc. | System and method for reverse command shell detection |
CA3017942A1 (en) | 2016-03-15 | 2017-09-21 | Carbon Black, Inc. | Multi-host threat tracking |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10826933B1 (en) | 2016-03-31 | 2020-11-03 | Fireeye, Inc. | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10498711B1 (en) | 2016-05-20 | 2019-12-03 | Palantir Technologies Inc. | Providing a booting key to a remote system |
US10084802B1 (en) | 2016-06-21 | 2018-09-25 | Palantir Technologies Inc. | Supervisory control and data acquisition |
US10169585B1 (en) | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
WO2017221088A1 (en) * | 2016-06-23 | 2017-12-28 | Logdog Information Security Ltd. | Distributed user-centric cyber security for online-services |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10291637B1 (en) | 2016-07-05 | 2019-05-14 | Palantir Technologies Inc. | Network anomaly detection and profiling |
US10698927B1 (en) | 2016-08-30 | 2020-06-30 | Palantir Technologies Inc. | Multiple sensor session and log information compression and correlation system |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10318630B1 (en) | 2016-11-21 | 2019-06-11 | Palantir Technologies Inc. | Analysis of large bodies of textual data |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10620618B2 (en) | 2016-12-20 | 2020-04-14 | Palantir Technologies Inc. | Systems and methods for determining relationships between defects |
US10728262B1 (en) | 2016-12-21 | 2020-07-28 | Palantir Technologies Inc. | Context-aware network-based malicious activity warning systems |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10754872B2 (en) | 2016-12-28 | 2020-08-25 | Palantir Technologies Inc. | Automatically executing tasks and configuring access control lists in a data transformation system |
US10721262B2 (en) | 2016-12-28 | 2020-07-21 | Palantir Technologies Inc. | Resource-centric network cyber attack warning system |
US10469509B2 (en) * | 2016-12-29 | 2019-11-05 | Chronicle Llc | Gathering indicators of compromise for security threat detection |
US10839703B2 (en) * | 2016-12-30 | 2020-11-17 | Fortinet, Inc. | Proactive network security assessment based on benign variants of known threats |
US10645107B2 (en) * | 2017-01-23 | 2020-05-05 | Cyphort Inc. | System and method for detecting and classifying malware |
EP3352110B1 (en) | 2017-01-23 | 2020-04-01 | Cyphort Inc. | System and method for detecting and classifying malware |
US10320818B2 (en) * | 2017-02-14 | 2019-06-11 | Symantec Corporation | Systems and methods for detecting malicious computing events |
US10419269B2 (en) | 2017-02-21 | 2019-09-17 | Entit Software Llc | Anomaly detection |
US10325224B1 (en) | 2017-03-23 | 2019-06-18 | Palantir Technologies Inc. | Systems and methods for selecting machine learning training data |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10606866B1 (en) | 2017-03-30 | 2020-03-31 | Palantir Technologies Inc. | Framework for exposing network activities |
US10554507B1 (en) | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10855713B2 (en) | 2017-04-27 | 2020-12-01 | Microsoft Technology Licensing, Llc | Personalized threat protection |
US10104101B1 (en) * | 2017-04-28 | 2018-10-16 | Qualys, Inc. | Method and apparatus for intelligent aggregation of threat behavior for the detection of malware |
US10235461B2 (en) | 2017-05-02 | 2019-03-19 | Palantir Technologies Inc. | Automated assistance for generating relevant and valuable search results for an entity of interest |
US10482382B2 (en) | 2017-05-09 | 2019-11-19 | Palantir Technologies Inc. | Systems and methods for reducing manufacturing failure rates |
US10885189B2 (en) * | 2017-05-22 | 2021-01-05 | Microsoft Technology Licensing, Llc | Isolated container event monitoring |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10027551B1 (en) | 2017-06-29 | 2018-07-17 | Palantir Technologies, Inc. | Access controls through node-based effective policy identifiers |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10243989B1 (en) * | 2017-07-27 | 2019-03-26 | Trend Micro Incorporated | Systems and methods for inspecting emails for malicious content |
US10963465B1 (en) | 2017-08-25 | 2021-03-30 | Palantir Technologies Inc. | Rapid importation of data including temporally tracked object recognition |
US10432648B1 (en) * | 2017-08-28 | 2019-10-01 | Palo Alto Networks, Inc. | Automated malware family signature generation |
US10521607B2 (en) * | 2017-09-06 | 2019-12-31 | Motorola Mobility Llc | Contextual content sharing in a video conference |
US10984427B1 (en) | 2017-09-13 | 2021-04-20 | Palantir Technologies Inc. | Approaches for analyzing entity relationships |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US10079832B1 (en) | 2017-10-18 | 2018-09-18 | Palantir Technologies Inc. | Controlling user creation of data resources on a data processing platform |
GB201716170D0 (en) | 2017-10-04 | 2017-11-15 | Palantir Technologies Inc | Controlling user creation of data resources on a data processing platform |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US10250401B1 (en) | 2017-11-29 | 2019-04-02 | Palantir Technologies Inc. | Systems and methods for providing category-sensitive chat channels |
US20190174319A1 (en) * | 2017-12-01 | 2019-06-06 | Seven Networks, Llc | Detection and identification of potentially harmful applications based on detection and analysis of malware/spyware indicators |
US11133925B2 (en) | 2017-12-07 | 2021-09-28 | Palantir Technologies Inc. | Selective access to encrypted logs |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US10142349B1 (en) | 2018-02-22 | 2018-11-27 | Palantir Technologies Inc. | Verifying network-based permissioning rights |
US10970395B1 (en) | 2018-01-18 | 2021-04-06 | Pure Storage, Inc | Security threat monitoring for a storage system |
US11010233B1 (en) | 2018-01-18 | 2021-05-18 | Pure Storage, Inc | Hardware-based system monitoring |
US11159538B2 (en) | 2018-01-31 | 2021-10-26 | Palo Alto Networks, Inc. | Context for malware forensics and detection |
US10764309B2 (en) | 2018-01-31 | 2020-09-01 | Palo Alto Networks, Inc. | Context profiling for malware detection |
US10671725B2 (en) * | 2018-03-20 | 2020-06-02 | Didi Research America, Llc | Malicious process tracking |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US11308207B2 (en) | 2018-03-30 | 2022-04-19 | Microsoft Technology Licensing, Llc | User verification of malware impacted files |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US10917416B2 (en) * | 2018-03-30 | 2021-02-09 | Microsoft Technology Licensing, Llc | Service identification of ransomware impacted files |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US10878051B1 (en) | 2018-03-30 | 2020-12-29 | Palantir Technologies Inc. | Mapping device identifiers |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
US11200320B2 (en) | 2018-03-30 | 2021-12-14 | Microsoft Technology Licensing, Llc | Coordinating service ransomware detection with client-side ransomware detection |
US10769278B2 (en) | 2018-03-30 | 2020-09-08 | Microsoft Technology Licensing, Llc | Service identification of ransomware impact at account level |
EP3550791B1 (en) | 2018-04-03 | 2023-12-06 | Palantir Technologies Inc. | Controlling access to computer resources |
US10949400B2 (en) | 2018-05-09 | 2021-03-16 | Palantir Technologies Inc. | Systems and methods for tamper-resistant activity logging |
CN110545251A (zh) * | 2018-05-29 | 2019-12-06 | 国际关系学院 | Method for constructing an evidence chain for a Trojan attack scenario |
US11244063B2 (en) | 2018-06-11 | 2022-02-08 | Palantir Technologies Inc. | Row-level and column-level policy service |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US10956573B2 (en) | 2018-06-29 | 2021-03-23 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11010474B2 (en) | 2018-06-29 | 2021-05-18 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11063967B2 (en) * | 2018-07-03 | 2021-07-13 | The Boeing Company | Network threat indicator extraction and response |
US10911479B2 (en) * | 2018-08-06 | 2021-02-02 | Microsoft Technology Licensing, Llc | Real-time mitigations for unfamiliar threat scenarios |
US10826756B2 (en) | 2018-08-06 | 2020-11-03 | Microsoft Technology Licensing, Llc | Automatic generation of threat remediation steps by crowd sourcing security solutions |
CN109190376B (zh) * | 2018-08-30 | 2021-04-30 | 郑州云海信息技术有限公司 | Web page Trojan detection method and system, electronic device and storage medium |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11743290B2 (en) | 2018-12-21 | 2023-08-29 | Fireeye Security Holdings Us Llc | System and method for detecting cyberattacks impersonating legitimate sources |
US11176251B1 (en) | 2018-12-21 | 2021-11-16 | Fireeye, Inc. | Determining malware via symbolic function hash analysis |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US12074887B1 (en) | 2018-12-21 | 2024-08-27 | Musarubra Us Llc | System and method for selectively processing content after identification and removal of malicious content |
US11640460B2 (en) * | 2018-12-26 | 2023-05-02 | Acronis International Gmbh | Self-protection of anti-malware tool and critical system resources protection |
US11601444B1 (en) | 2018-12-31 | 2023-03-07 | Fireeye Security Holdings Us Llc | Automated system for triage of customer issues |
US11233804B2 (en) * | 2019-01-28 | 2022-01-25 | Microsoft Technology Licensing, Llc | Methods and systems for scalable privacy-preserving compromise detection in the cloud |
EP3694173B1 (en) | 2019-02-08 | 2022-09-21 | Palantir Technologies Inc. | Isolating applications associated with multiple tenants within a computing platform |
US11310238B1 (en) | 2019-03-26 | 2022-04-19 | FireEye Security Holdings, Inc. | System and method for retrieval and analysis of operational data from customer, cloud-hosted virtual resources |
US11677786B1 (en) | 2019-03-29 | 2023-06-13 | Fireeye Security Holdings Us Llc | System and method for detecting and protecting against cybersecurity attacks on servers |
US11636198B1 (en) | 2019-03-30 | 2023-04-25 | Fireeye Security Holdings Us Llc | System and method for cybersecurity analyzer update and concurrent management system |
US10862854B2 (en) * | 2019-05-07 | 2020-12-08 | Bitdefender IPR Management Ltd. | Systems and methods for using DNS messages to selectively collect computer forensic data |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11704441B2 (en) | 2019-09-03 | 2023-07-18 | Palantir Technologies Inc. | Charter-based access controls for managing computer resources |
US11196765B2 (en) | 2019-09-13 | 2021-12-07 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
EP3796165A1 (en) | 2019-09-18 | 2021-03-24 | Palantir Technologies Inc. | Systems and methods for autoscaling instance groups of computing platforms |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
US11687418B2 (en) | 2019-11-22 | 2023-06-27 | Pure Storage, Inc. | Automatic generation of recovery plans specific to individual storage elements |
US11500788B2 (en) | 2019-11-22 | 2022-11-15 | Pure Storage, Inc. | Logical address based authorization of operations with respect to a storage system |
US12079333B2 (en) | 2019-11-22 | 2024-09-03 | Pure Storage, Inc. | Independent security threat detection and remediation by storage systems in a synchronous replication arrangement |
US11657155B2 (en) | 2019-11-22 | 2023-05-23 | Pure Storage, Inc | Snapshot delta metric based determination of a possible ransomware attack against data maintained by a storage system |
US12079502B2 (en) | 2019-11-22 | 2024-09-03 | Pure Storage, Inc. | Storage element attribute-based determination of a data protection policy for use within a storage system |
US12079356B2 (en) | 2019-11-22 | 2024-09-03 | Pure Storage, Inc. | Measurement interval anomaly detection-based generation of snapshots |
US11651075B2 (en) | 2019-11-22 | 2023-05-16 | Pure Storage, Inc. | Extensible attack monitoring by a storage system |
US11755751B2 (en) | 2019-11-22 | 2023-09-12 | Pure Storage, Inc. | Modify access restrictions in response to a possible attack against data stored by a storage system |
US11720692B2 (en) | 2019-11-22 | 2023-08-08 | Pure Storage, Inc. | Hardware token based management of recovery datasets for a storage system |
US11615185B2 (en) | 2019-11-22 | 2023-03-28 | Pure Storage, Inc. | Multi-layer security threat detection for a storage system |
US12050683B2 (en) * | 2019-11-22 | 2024-07-30 | Pure Storage, Inc. | Selective control of a data synchronization setting of a storage system based on a possible ransomware attack against the storage system |
US11941116B2 (en) | 2019-11-22 | 2024-03-26 | Pure Storage, Inc. | Ransomware-based data protection parameter modification |
US11625481B2 (en) | 2019-11-22 | 2023-04-11 | Pure Storage, Inc. | Selective throttling of operations potentially related to a security threat to a storage system |
US11520907B1 (en) | 2019-11-22 | 2022-12-06 | Pure Storage, Inc. | Storage system snapshot retention based on encrypted data |
US11720714B2 (en) | 2019-11-22 | 2023-08-08 | Pure Storage, Inc. | Inter-I/O relationship based detection of a security threat to a storage system |
US11675898B2 (en) | 2019-11-22 | 2023-06-13 | Pure Storage, Inc. | Recovery dataset management for security threat monitoring |
US12067118B2 (en) | 2019-11-22 | 2024-08-20 | Pure Storage, Inc. | Detection of writing to a non-header portion of a file as an indicator of a possible ransomware attack against a storage system |
US12050689B2 (en) | 2019-11-22 | 2024-07-30 | Pure Storage, Inc. | Host anomaly-based generation of snapshots |
US11645162B2 (en) | 2019-11-22 | 2023-05-09 | Pure Storage, Inc. | Recovery point determination for data restoration in a storage system |
US11341236B2 (en) | 2019-11-22 | 2022-05-24 | Pure Storage, Inc. | Traffic-based detection of a security threat to a storage system |
US11838300B1 (en) | 2019-12-24 | 2023-12-05 | Musarubra Us Llc | Run-time configurable cybersecurity system |
US11436327B1 (en) | 2019-12-24 | 2022-09-06 | Fireeye Security Holdings Us Llc | System and method for circumventing evasive code for cyberthreat detection |
US11522884B1 (en) | 2019-12-24 | 2022-12-06 | Fireeye Security Holdings Us Llc | Subscription and key management system |
US11238041B2 (en) * | 2020-03-25 | 2022-02-01 | Ocient Holdings LLC | Facilitating query executions via dynamic data block routing |
US11277375B1 (en) | 2021-01-04 | 2022-03-15 | Saudi Arabian Oil Company | Sender policy framework (SPF) configuration validator and security examinator |
US11956212B2 (en) | 2021-03-31 | 2024-04-09 | Palo Alto Networks, Inc. | IoT device application workload capture |
CN113794727B (zh) * | 2021-09-16 | 2023-09-08 | 山石网科通信技术股份有限公司 | Method and apparatus for generating a threat intelligence signature library, storage medium and processor |
CN114020366A (zh) * | 2022-01-06 | 2022-02-08 | 北京微步在线科技有限公司 | Method and apparatus for uninstalling remote-control Trojans based on threat intelligence |
CN117201208B (zh) * | 2023-11-08 | 2024-02-23 | 新华三网络信息安全软件有限公司 | Malicious email identification method and apparatus, electronic device and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6205551B1 (en) * | 1998-01-29 | 2001-03-20 | Lucent Technologies Inc. | Computer security using virus probing |
US6611925B1 (en) * | 2000-06-13 | 2003-08-26 | Networks Associates Technology, Inc. | Single point of entry/origination item scanning within an enterprise or workgroup |
CN1550950A (zh) * | 2003-05-09 | 2004-12-01 | | Method and system for protecting a computer system from damage by malicious software |
US7356736B2 (en) * | 2001-09-25 | 2008-04-08 | Norman Asa | Simulated computer system for monitoring of software performance |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6035423A (en) | 1997-12-31 | 2000-03-07 | Network Associates, Inc. | Method and system for providing automated updating and upgrading of antivirus applications using a computer network |
US7096368B2 (en) | 2001-08-01 | 2006-08-22 | Mcafee, Inc. | Platform abstraction layer for a wireless malware scanning engine |
US7210168B2 (en) | 2001-10-15 | 2007-04-24 | Mcafee, Inc. | Updating malware definition data for mobile data processing devices |
US6742128B1 (en) * | 2002-08-28 | 2004-05-25 | Networks Associates Technology | Threat assessment orchestrator system and method |
US7392543B2 (en) | 2003-06-30 | 2008-06-24 | Symantec Corporation | Signature extraction system and method |
US7913305B2 (en) | 2004-01-30 | 2011-03-22 | Microsoft Corporation | System and method for detecting malware in an executable code module according to the code module's exhibited behavior |
JP4371905B2 (ja) | 2004-05-27 | 2009-11-25 | 富士通株式会社 | Unauthorized access detection device, unauthorized access detection method, unauthorized access detection program, and distributed denial-of-service attack detection device |
US7543146B1 (en) * | 2004-06-18 | 2009-06-02 | Blue Coat Systems, Inc. | Using digital certificates to request client consent prior to decrypting SSL communications |
US7434261B2 (en) | 2004-09-27 | 2008-10-07 | Microsoft Corporation | System and method of identifying the source of an attack on a computer network |
US8516583B2 (en) | 2005-03-31 | 2013-08-20 | Microsoft Corporation | Aggregating the knowledge base of computer systems to proactively protect a computer from malware |
US7730040B2 (en) | 2005-07-27 | 2010-06-01 | Microsoft Corporation | Feedback-driven malware detector |
CA2701689C (en) * | 2006-10-06 | 2016-09-06 | Smobile Systems, Inc. | System and method of malware sample collection on mobile networks |
WO2008048665A2 (en) | 2006-10-18 | 2008-04-24 | University Of Virginia Patent Foundation | Method, system, and computer program product for malware detection analysis, and response |
CA2706721C (en) | 2006-11-27 | 2016-05-31 | Smobile Systems, Inc. | Wireless intrusion prevention system and method |
US8091127B2 (en) | 2006-12-11 | 2012-01-03 | International Business Machines Corporation | Heuristic malware detection |
US7797746B2 (en) | 2006-12-12 | 2010-09-14 | Fortinet, Inc. | Detection of undesired computer files in archives |
US8661008B2 (en) * | 2008-05-15 | 2014-02-25 | Enpulz, L.L.C. | Network browser supporting historical content viewing |
2008
- 2008-09-22 US US12/234,717 patent/US8667583B2/en active Active
2009
- 2009-08-13 CN CN200980138004.3A patent/CN102160048B/zh active Active
- 2009-08-13 WO PCT/US2009/053774 patent/WO2010033326A2/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6205551B1 (en) * | 1998-01-29 | 2001-03-20 | Lucent Technologies Inc. | Computer security using virus probing |
US6611925B1 (en) * | 2000-06-13 | 2003-08-26 | Networks Associates Technology, Inc. | Single point of entry/origination item scanning within an enterprise or workgroup |
US7356736B2 (en) * | 2001-09-25 | 2008-04-08 | Norman Asa | Simulated computer system for monitoring of software performance |
CN1550950A (zh) * | 2003-05-09 | 2004-12-01 | | Method and system for protecting a computer system from damage by malicious software |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10305929B2 (en) | 2013-09-27 | 2019-05-28 | Mcafee, Llc | Managed software remediation |
Also Published As
Publication number | Publication date |
---|---|
WO2010033326A3 (en) | 2010-05-20 |
WO2010033326A2 (en) | 2010-03-25 |
CN102160048A (zh) | 2011-08-17 |
US8667583B2 (en) | 2014-03-04 |
US20100077481A1 (en) | 2010-03-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102160048B (zh) | | Collecting and analyzing malware data |
US11727333B2 (en) | | Endpoint with remotely programmable data recorder |
US11636206B2 (en) | | Deferred malware scanning |
JP7544738B2 (ja) | | Detection of sensitive data exposure through logging |
US20190207966A1 (en) | | Platform and Method for Enhanced Cyber-Attack Detection and Response Employing a Global Data Store |
US20190207967A1 (en) | | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US8413235B1 (en) | | Malware detection using file heritage data |
US8266698B1 (en) | | Using machine infection characteristics for behavior-based detection of malware |
RU2444056C1 (ru) | | System and method for accelerating problem resolution by accumulating statistical information |
US11240275B1 (en) | | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US20130167236A1 (en) | | Method and system for automatically generating virus descriptions |
US8959624B2 (en) | | Executable download tracking system |
IL182013A (en) | | Method and device for querying a number of computerized devices |
WO2020046575A1 (en) | | Enterprise network threat detection |
RU2481633C2 (ru) | | System and method for automatic investigation of security incidents |
CN115086081B (zh) | | Honeypot anti-escape method and system |
Kono et al. | | An unknown malware detection using execution registry access |
US11763004B1 (en) | | System and method for bootkit detection |
CN113824678A (zh) | | System and method for processing information security events to detect network attacks |
Anand et al. | | Malware Exposed: An In-Depth Analysis of its Behavior and Threats |
CN114154160B (zh) | | Container cluster monitoring method and apparatus, electronic device and storage medium |
Wu | | A Study on Observation, Analysis, and Countermeasure of Cyber Attacks in IoT |
CN118233278A (zh) | | System and method for filtering events for transmission to a remote device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | C14 | Grant of patent or utility model | |
 | GR01 | Patent grant | |
 | ASS | Succession or assignment of patent right | Owner name: MICROSOFT TECHNOLOGY LICENSING LLC; Free format text: FORMER OWNER: MICROSOFT CORP.; Effective date: 20150421 |
 | C41 | Transfer of patent application or patent right or utility model | |
 | TR01 | Transfer of patent right | Effective date of registration: 20150421; Address after: Washington State; Patentee after: Micro soft technique license Co., Ltd; Address before: Washington State; Patentee before: Microsoft Corp. |