US20170308707A1 - Mechanism to Calculate Probability of a Cyber Security Incident - Google Patents
Mechanism to Calculate Probability of a Cyber Security Incident Download PDFInfo
- Publication number
- US20170308707A1 US20170308707A1 US14/571,245 US201414571245A US2017308707A1 US 20170308707 A1 US20170308707 A1 US 20170308707A1 US 201414571245 A US201414571245 A US 201414571245A US 2017308707 A1 US2017308707 A1 US 2017308707A1
- Authority
- US
- United States
- Prior art keywords
- computers
- program file
- program
- computer
- analysis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Definitions
- This Invention relates to computer applications which will protect a corporate enterprise from security incidents, including unauthorized intrusions and malicious computer programs.
- the foundation of a good cyber security policy for any corporate or government enterprise is a security risk assessment: the probability of a security incident and the impact if it were to occur.
- the amount of risk that can be tolerated and how to mitigate the risk can be determined based upon the risk assessment.
- a security risk assessment is difficult to perform, due in part to the difficulty of assessing probability that a security incident could occur.
- Current methods amount to a subjective rating of known vulnerabilities for an enterprise. ISO 2700 standards even recommend that several people perform the analysis and that their opinions be averaged. Current methods are also manual, laborious and time consuming to perform, and are therefore performed infrequently.
- FIG. 1 System diagram
- FIG. 2 Database Schema of the system.
- Probability of a security breach is calculated by analysis of program files present on a collection of computers.
- the collection of computers is large enough that some of the computers have previously been involved in a security incident 10 , for example, infected by malware.
- Each computer 20 has a software agent 30 which reads program files on disk drives 40 attached to the computer.
- the agent maybe a Windows NT Service in the case of a Windows operating system, or a demon in the case of a Linux operating system.
- the agent performs a checksum calculation and sends information on the program file name, directory and checksum to a database 50 with schema 100 over the internet using, for example a TCPIP or HTTP protocol.
- a computer 60 reads the information in the database, calculates probability for each computer, and saves the information back into the database. Probability for each computer can then be read from the database in order to perform a risk assessment.
- the Invention utilizes a statistical approach when analyzing program files. It is assumed that there are enough computers analyzed that a sufficient number of the computers have previously been involved in a security incident 10 so that an accurate statistical analysis can be perform.
- Agent program 30 located on each networked computer 20 can be performed within many different operating systems: Linux, Unix, Mac OS, various Windows OS, Google Android OS, for example, but will be described here for the Windows 7 Operating system.
- the Agent program 30 calculates a unique number (GUID) which it then stores locally, for example, in the registry.
- GUID unique number
- the new GUID will be stored in the COM_GUIDIdentifier column of the COM_Computer table 110 . This GUID will be used in all communications from the Agent to the Database Publisher to identify the computer.
- the principle task of the Agent program is to insure that the information in tables 120 , 130 , and 140 accurately represents the program files which can be found in the computer's file system.
- the Agent can periodically inventory the file system.
- the Agent begins an inventory by connecting to the database and downloading a local list of program files and directories. This list contains filename, file size, and file checksum, and directory for all the program files which were present when the Agent program last ran.
- This list can be generated by joining the COM_Computer table with the COP_ComputerPathFile 120 , the FIS_File 140 and DIR_Directory 130 table and filtering, using the COM_GUIDIdentifier column as follows:
- the Agent performs an inventory of the file system, comparing the program files found with program files in the list. For program files found in the file system but which are not in the list, the Agent creates an entry in the COP_ComputerPathFile table which links the corresponding file entry in the FIS_File table, the corresponding directory in the DIR_Directory table and the corresponding computer in the COM_Computer table. If the file or directory have not yet been registered, the Agent can first create the FIS_File and DIR_Directory entries.
- the Agent can delete the corresponding COP_ComputerPathFile table.
- the COM_Incident bit can be set for that computer in the COM_Computer table.
- a security incident might include a detected break-in or malicious software which is found within the file system. Malicious software might be found by periodically scanning the FIS_File table for known malware, then identifying the computers which contain that software by linking the FIS_File table to the COM_Computer table though the COP_ComputerPathFile table and filtering by the FIS_FileID for known malware.
- Analysis begins by dividing computers into groups of one or more computers.
- the purpose of the groups is identify files with identical distribution patterns so that these files can be treated as a single program collection or bundle during the correlation analysis.
- Groups can contain more computers to speed analysis or fewer computers to increase sensitivity in identify program files with similar distribution profiles.
- a row is added to the GRP_Group table 160 with a link to the ANA_Analysis table through the GRP_ANA_AnalysisID foreign key.
- a row is entered into the GRC_GroupComputer table 170 for each computer which is part of this group, thus linking the computer to the group.
- the analysis continues by counting the number of times each file can be found in each group. For each file, a row is entered in the GRF_GroupFileValue table 180 and GRF_Value is set to the number of times the file is found on the computers within that group. Because many files can be found multiple times on a computer, it is essential to count a file no more than once-per-computer.
- the following two step SQL script can be used to set the value for GRF_Value if a row has already been inserted in the GRF_GroupFileValue table, where @GroupID and @FileID are variables for the GRP_Group and FIS_File table primary keys:
- the collection of GRF_Value values form the distribution profile.
- a Program Bundle here connotes a collection of program files with the same distribution profile.
- Equation 1 Similarity in distribution profiles is evaluated using Equation 1, where d ab is the distance between files f a and f b , N is the number of groups, G nfa and G nfb are the GRF_Value values for group n, file f a and file f b respectively.
- Equation 1 The following SQL View can be used to calculate Equation 1, and allows filtering by file and analysis.
- each Program File Bundle will contain one or more files for one or more analysis.
- a probability is calculated for each Program File Bundle, where P b,a is the probability value for bundle b, at the time of analysis a; I b,a is the number of once infected computers that have bundle b at the time of analysis a (i.e. computers where the COM_Incident bit has been set to 1 and that also contain the files which form bundle b), C b,a is the total number of computers with bundle b at the time of analysis a and I a is the total number of once infected computers at the time of analysis a (i.e. all computers where the COM_Incident bit has been set to 1), C a is the total number of computers at the time of analysis a, and C B,a is the average number of computers per bundle, across all bundles B at the time of analysis a.
- Equation 2 can be understood by replacing ratios with D, E and F (equation 3).
- Ratio D is the number of infected to total computers for bundle b
- ratio E is the ratio of once infected to all computers.
- D ⁇ E will be negative and the affect of the bundle will be to lower probability of infection for any computer where it appears.
- Ratio F which is the number of computers where bundle b appears relative to the average for a bundle, is a measure of how widely distributed a bundle is, thus giving more weight to a bundle which is more widely distributed.
- P a,b is then calculated for all bundles b for analysis a, and the BUA_Probability value is updated in table BUA_BundleAnalysis table 200 .
- the probability for a computer c is calculated by summing the probabilities of all Program File Bundles which can be found on a computer at the time of analysis a (Equation 4).
- the P c,a value can be saved in the ANC_AnalysisComputer table 220 as the ANC_Probability value, providing a way of trending probability values for any particular computer.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
An Archetype Software Invention which calculates the probability of a cyber security incident for a given computer by correlating the distribution of computer program files with the occurrences of security incidents across a large number of computers.
Description
- This Invention relates to computer applications which will protect a corporate enterprise from security incidents, including unauthorized intrusions and malicious computer programs.
- The foundation of a good cyber security policy for any corporate or government enterprise is a security risk assessment: the probability of a security incident and the impact if it were to occur. The amount of risk that can be tolerated and how to mitigate the risk can be determined based upon the risk assessment.
- A security risk assessment is difficult to perform, due in part to the difficulty of assessing probability that a security incident could occur. Current methods amount to a subjective rating of known vulnerabilities for an enterprise. ISO 2700 standards even recommend that several people perform the analysis and that their opinions be averaged. Current methods are also manual, laborious and time consuming to perform, and are therefore performed infrequently.
- Accordingly, we claim the following as our objects and advantages of our invention:
-
- 1. To objectively estimate the probability of a security incident based upon a statistical correlation of program files present on a computer with security incidents
- 2. To automatically and continuously calculate the probability of a security incident,
-
FIG. 1 , System diagram -
FIG. 2 , Database Schema of the system. -
- 10 Computers which have been previously involved in a security incident
- 20 A computer which is part of the collection of computers under analysis
- 30 The software agent which collects information about program files
- 40 File system of the computer
- 50 Common database with information about program files and computers
- 60 Computer to analyze data in common database and calculate probability
- 100 Schema for
database 50 - 110 Database table containing identification information for each computer within the collection analyzed
- 120 Database
table joining computers 110 withprogram files 140 anddirectories 130 - 130 Database table containing the names of all directories on all
computers 110 - 140 Database table containing information on all program files on all
computers 110 - 150 Database table containing primary keys and time of each analysis
- 160 Database table containing primary keys for groups used to analyze program file distributions in order to form program file bundles
- 170 Database table linking computers to groups
- 180 Database table containing the number of times each program file is found within the computers within each group, used to form program file bundles
- 190 Database table containing primary keys for program file bundles
- 200 Database table containing probability values for each program bundle at the time of an analysis
- 210 Database table linking
program files 140 to bundles 190 for anyparticular analysis 150 - 220 Database table containing the final result of probability values for each
computer 110 at the time of eachanalysis 150 - Probability of a security breach is calculated by analysis of program files present on a collection of computers. The collection of computers is large enough that some of the computers have previously been involved in a
security incident 10, for example, infected by malware. Eachcomputer 20 has asoftware agent 30 which reads program files ondisk drives 40 attached to the computer. The agent maybe a Windows NT Service in the case of a Windows operating system, or a demon in the case of a Linux operating system. The agent performs a checksum calculation and sends information on the program file name, directory and checksum to adatabase 50 withschema 100 over the internet using, for example a TCPIP or HTTP protocol. Acomputer 60 reads the information in the database, calculates probability for each computer, and saves the information back into the database. Probability for each computer can then be read from the database in order to perform a risk assessment. - The Invention utilizes a statistical approach when analyzing program files. It is assumed that there are enough computers analyzed that a sufficient number of the computers have previously been involved in a
security incident 10 so that an accurate statistical analysis can be perform. - The operations described here, which are performed by the
Agent program 30 located on each networkedcomputer 20 can be performed within many different operating systems: Linux, Unix, Mac OS, various Windows OS, Google Android OS, for example, but will be described here for the Windows 7 Operating system. - The very first time the
Agent program 30 starts, it calculates a unique number (GUID) which it then stores locally, for example, in the registry. The new GUID will be stored in the COM_GUIDIdentifier column of the COM_Computer table 110. This GUID will be used in all communications from the Agent to the Database Publisher to identify the computer. - The principle task of the Agent program is to insure that the information in tables 120, 130, and 140 accurately represents the program files which can be found in the computer's file system.
- To accomplish this, the Agent can periodically inventory the file system. The Agent begins an inventory by connecting to the database and downloading a local list of program files and directories. This list contains filename, file size, and file checksum, and directory for all the program files which were present when the Agent program last ran. This list can be generated by joining the COM_Computer table with the
COP_ComputerPathFile 120, the FIS_File 140 and DIR_Directory 130 table and filtering, using the COM_GUIDIdentifier column as follows: -
Script 1, Return a local file listSELECT COP_COM_ComputerID ,FIS_FileID ,DIR_DirectoryID ,FIS_FileName ,FIS_FileSize ,FIS_FileChecksum ,DIR_Directory FROM COP_ComputerPathFile LEFT INNER JOIN FIS_File ON FIS_FileID = COP_FIS_FileID LEFT INNER JOIN DIR_Directory ON DIR_DirectoryID=COP_DIR_DirectoryID LEFT INNER JOIN COM_Computer ON COM_ComputerID=COP_COM_ComputerID WHERE COM_GUIDIndentifier = @GUID - Next, after the local list is downloaded, the Agent performs an inventory of the file system, comparing the program files found with program files in the list. For program files found in the file system but which are not in the list, the Agent creates an entry in the COP_ComputerPathFile table which links the corresponding file entry in the FIS_File table, the corresponding directory in the DIR_Directory table and the corresponding computer in the COM_Computer table. If the file or directory have not yet been registered, the Agent can first create the FIS_File and DIR_Directory entries.
- For entries in the list that cannot be found in the file system, the Agent can delete the corresponding COP_ComputerPathFile table.
- When a computer is involved in a security incident, the COM_Incident bit can be set for that computer in the COM_Computer table. A security incident might include a detected break-in or malicious software which is found within the file system. Malicious software might be found by periodically scanning the FIS_File table for known malware, then identifying the computers which contain that software by linking the FIS_File table to the COM_Computer table though the COP_ComputerPathFile table and filtering by the FIS_FileID for known malware.
- Once the COM_Incident bit is set, it will not be unset even if the malicious file is removed from the computer.
- With program files cataloged and computers involved in security incidents identified, a statistically based analysis is performed. Each time an analysis is performed, a new row is added to the ANA_Analysis table 150 and the ANA_Date is set to the current date and time.
- Analysis begins by dividing computers into groups of one or more computers. The purpose of the groups is identify files with identical distribution patterns so that these files can be treated as a single program collection or bundle during the correlation analysis. Groups can contain more computers to speed analysis or fewer computers to increase sensitivity in identify program files with similar distribution profiles.
- When a group is formed, a row is added to the GRP_Group table 160 with a link to the ANA_Analysis table through the GRP_ANA_AnalysisID foreign key. A row is entered into the GRC_GroupComputer table 170 for each computer which is part of this group, thus linking the computer to the group.
- The analysis continues by counting the number of times each file can be found in each group. For each file, a row is entered in the GRF_GroupFileValue table 180 and GRF_Value is set to the number of times the file is found on the computers within that group. Because many files can be found multiple times on a computer, it is essential to count a file no more than once-per-computer. The following two step SQL script can be used to set the value for GRF_Value if a row has already been inserted in the GRF_GroupFileValue table, where @GroupID and @FileID are variables for the GRP_Group and FIS_File table primary keys:
-
Script 3, Calculate GRF_Value SELECT DISTINCT COP_FIS_FileID INTO #TempCountFile FROM GRC_GroupComputer INNER JOIN COP_ComputerPathFile ON COP_COM_ComputerID=GRC_COM_ComputerID WHERE GRC_GRP_GroupID=@GroupID AND COP_FIS_FileID=@FileID UPDATE GRF_GroupFileValue SET GRF_Value = ( SELECT COUNT(COP_FIS_FileID) FROM #TempCountFile) WHERE GRF_FIS_FileID=@FileID AND GRF_GRP_GroupID=@GroupID - For a given file and a given analysis, the collection of GRF_Value values form the distribution profile.
- Analysis: Organize Files into Program File Bundles
- Once GRF_Value values are calculated for each group for each file, the files are ready to be organized into Program File Bundles. A Program Bundle here connotes a collection of program files with the same distribution profile.
- Similarity in distribution profiles is evaluated using
Equation 1, where dab is the distance between files fa and fb, N is the number of groups, Gnfa and Gnfb are the GRF_Value values for group n, file fa and file fb respectively. -
- The following SQL View can be used to calculate
Equation 1, and allows filtering by file and analysis. -
Script 4, Calculate Distance between Files CREATE VIEW v_DistanceBetweenFiles AS SELECT FileOne.GRP_ANA_AnalysisID ,FileOne.GRF_FIA_FileSignatureID AS GRF_FileOne_FIA_FileSignatureID ,FileTwo.GRF_FIA_FileSignatureID AS GRF_FileTwo_FIA_FileSignatureID ,sqrt( sum( (FileTwo.GRF_Value-FileOne.GRF_Value) * (FileTwo.GRF_Value-FileOne.GRF_Value) ) ) AS Distance FROM GRF_GroupFileValue FileOne ,GRF_GroupFileValue FileTwo ,GRP_Group WHERE FileTwo.GRF_GRP_GroupID=FileOne.GRF_GRP_GroupID and GRP_GroupID=FileOne.GRF_GRP_GroupID GROUP BY FileOne.GRF_ANA_AnalysisID, FileOne.GRF_FIA_FileSignatureID, FileTwo.GRF_FIA_FileSignatureID - When a set of files is found where dab is zero between each file, either a new row is inserted in the BUN_Bundle table 190, or an existing Program File Bundle is found where at least 50% of the files are deemed in common. A new row is inserted in the BUA_BundleAnalysis table 200, and new rows are inserted into the BUF_BundleAnalysisFile table 210, with the primary key of a new or existing
Program Bundle 190, the primary keys of thefiles 140, and the primary key of thecurrent analysis 150. In this way, each Program File Bundle will contain one or more files for one or more analysis. - A probability is calculated for each Program File Bundle, where Pb,a is the probability value for bundle b, at the time of analysis a; Ib,a is the number of once infected computers that have bundle b at the time of analysis a (i.e. computers where the COM_Incident bit has been set to 1 and that also contain the files which form bundle b), Cb,a is the total number of computers with bundle b at the time of analysis a and Ia is the total number of once infected computers at the time of analysis a (i.e. all computers where the COM_Incident bit has been set to 1), Ca is the total number of computers at the time of analysis a, and
C B,a is the average number of computers per bundle, across all bundles B at the time of analysis a. -
- Equation 2 can be understood by replacing ratios with D, E and F (equation 3). Ratio D is the number of infected to total computers for bundle b, ratio E is the ratio of once infected to all computers. When a bundle has a better (smaller) ratio A than computers overall E, then D−E will be negative and the affect of the bundle will be to lower probability of infection for any computer where it appears. Ratio F, which is the number of computers where bundle b appears relative to the average for a bundle, is a measure of how widely distributed a bundle is, thus giving more weight to a bundle which is more widely distributed.
-
P b,a=(D−E)×F Equation 3, - Pa,b is then calculated for all bundles b for analysis a, and the BUA_Probability value is updated in table BUA_BundleAnalysis table 200.
- Finally, a probability can be calculated for each computer. The probability for a computer c is calculated by summing the probabilities of all Program File Bundles which can be found on a computer at the time of analysis a (Equation 4).
-
- The Pc,a value can be saved in the ANC_AnalysisComputer table 220 as the ANC_Probability value, providing a way of trending probability values for any particular computer.
Claims (4)
1. A method for calculating the probability of a cyber security incident for a computer within a collection of computers comprising:
a. providing a means for compiling program file names, checksums, and locations within the file systems on each computer within said collection of computers, where the identity of each said program file is determined by a unique combination of filename and checksum,
b. providing a means for organizing the said program files into Program File Bundles based upon similar distribution across said collection of computers,
c. providing a means for calculating a probability value for each said Program File Bundle according to the distribution of said program file bundle relative to computers previously or currently involved in a security incident and computers never involved in a security incident and which are part of said collection of computers,
d. providing a means for calculating said probability of a cyber security incident for said computer, as a sum of said probabilities values for each said Program File Bundle present on said computer.
2. The method for calculating the probability of a cyber security of claim 1 wherein the function for calculating the probability value for any said Program File Bundle is:
where Pb,a is the probability value for any said Program File Bundle b, at the time of an analysis a, where an analysis is defined as a point in time where said Program File Bundles are identified, recorded and their said probability values are calculated and recorded; Ib,a is the number of said computers previously or currently involved in a security incident and that have said Program File Bundle b at the time of said analysis a, Cb,a is the total number of computers with Program File Bundle b at the time of said analysis a and Ia is the total number of said computers previously or currently involved in a security incident at the time of analysis a, Ca is the total number of computers at the time of analysis a, and C B,a is the average number of computers per said Program File Bundle, across all said Program File Bundles B at the time of analysis ao
3. The method for calculating the probability of a cyber security incident of claim 2 wherein said means for organizing the identities of said program files into Program File Bundles based upon similar distribution across said collection of computers comprising:
a. providing a means for dividing said computers into N cells, with one or more said computers in each said cell,
b. providing a means for obtaining a collection of values {Gnf} which are the number of times each said program file f was found within said cell n, counting said program file no more than once per said computer even if it is found multiple times in the file system, and counting said program file once, even if it had been removed from said computer,
c. providing a means for calculating a distance value dab=F1({Gnf a },{Gnf b }), between every two said program files, symbolized by fa and fb, where said distance value is some function F1 of said collection of {Gnf} values for each said program file,
d. providing a means for compiling all said program files together into Program File Bundles, where each said Program File Bundle consists of said component program files for which the distance dab between any two is zero or near zero,
4. The method for calculating the probability of a cyber security incident of claim 3 wherein the function F1 is
and where N is the total number of computer cells,
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/571,245 US20170308707A1 (en) | 2012-06-08 | 2014-12-15 | Mechanism to Calculate Probability of a Cyber Security Incident |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/491,605 US8914880B2 (en) | 2012-06-08 | 2012-06-08 | Mechanism to calculate probability of a cyber security incident |
US14/571,245 US20170308707A1 (en) | 2012-06-08 | 2014-12-15 | Mechanism to Calculate Probability of a Cyber Security Incident |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/491,605 Continuation US8914880B2 (en) | 2012-06-08 | 2012-06-08 | Mechanism to calculate probability of a cyber security incident |
Publications (1)
Publication Number | Publication Date |
---|---|
US20170308707A1 true US20170308707A1 (en) | 2017-10-26 |
Family
ID=49716394
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/491,605 Expired - Fee Related US8914880B2 (en) | 2012-06-08 | 2012-06-08 | Mechanism to calculate probability of a cyber security incident |
US14/571,245 Abandoned US20170308707A1 (en) | 2012-06-08 | 2014-12-15 | Mechanism to Calculate Probability of a Cyber Security Incident |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/491,605 Expired - Fee Related US8914880B2 (en) | 2012-06-08 | 2012-06-08 | Mechanism to calculate probability of a cyber security incident |
Country Status (1)
Country | Link |
---|---|
US (2) | US8914880B2 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8914880B2 (en) * | 2012-06-08 | 2014-12-16 | VivoSecurity, Inc. | Mechanism to calculate probability of a cyber security incident |
US9801562B1 (en) | 2014-06-02 | 2017-10-31 | University Of Hawaii | Cardiac monitoring and diagnostic systems, methods, and devices |
US11355240B2 (en) * | 2017-09-26 | 2022-06-07 | Edge2020 LLC | Determination of health sciences recommendations |
US10785243B1 (en) * | 2018-09-28 | 2020-09-22 | NortonLifeLock Inc. | Identifying evidence of attacks by analyzing log text |
US11232384B1 (en) * | 2019-07-19 | 2022-01-25 | The Boston Consulting Group, Inc. | Methods and systems for determining cyber related projects to implement |
Citations (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7093132B2 (en) * | 2001-09-20 | 2006-08-15 | International Business Machines Corporation | Method and apparatus for protecting ongoing system integrity of a software product using digital signatures |
US7228565B2 (en) * | 2001-05-15 | 2007-06-05 | Mcafee, Inc. | Event reporting between a reporting computer and a receiving computer |
US7346927B2 (en) * | 2002-12-12 | 2008-03-18 | Access Business Group International Llc | System and method for storing and accessing secure data |
US7398399B2 (en) * | 2003-12-12 | 2008-07-08 | International Business Machines Corporation | Apparatus, methods and computer programs for controlling performance of operations within a data processing system or network |
US7475427B2 (en) * | 2003-12-12 | 2009-01-06 | International Business Machines Corporation | Apparatus, methods and computer programs for identifying or managing vulnerabilities within a data processing network |
US7519726B2 (en) * | 2003-12-12 | 2009-04-14 | International Business Machines Corporation | Methods, apparatus and computer programs for enhanced access to resources within a network |
US7549061B2 (en) * | 2004-04-02 | 2009-06-16 | Panasonic Corporation | Unauthorized contents detection system |
US7774451B1 (en) * | 2008-06-30 | 2010-08-10 | Symantec Corporation | Method and apparatus for classifying reputation of files on a computer network |
US20100313035A1 (en) * | 2009-06-09 | 2010-12-09 | F-Secure Oyj | Anti-virus trusted files database |
US7975305B2 (en) * | 1997-11-06 | 2011-07-05 | Finjan, Inc. | Method and system for adaptive rule-based content scanners for desktop computers |
US20110219450A1 (en) * | 2010-03-08 | 2011-09-08 | Raytheon Company | System And Method For Malware Detection |
US20110219451A1 (en) * | 2010-03-08 | 2011-09-08 | Raytheon Company | System And Method For Host-Level Malware Detection |
US20120079596A1 (en) * | 2010-08-26 | 2012-03-29 | Verisign, Inc. | Method and system for automatic detection and analysis of malware |
US8151355B2 (en) * | 2006-12-12 | 2012-04-03 | Fortinet, Inc. | Detection of undesired computer files in archives |
US8281399B1 (en) * | 2012-03-28 | 2012-10-02 | Symantec Corporation | Systems and methods for using property tables to perform non-iterative malware scans |
US8392722B2 (en) * | 2007-12-05 | 2013-03-05 | Electronics And Telecommunications Research Institute | Digital cable system and method for protection of secure micro program |
US20140082729A1 (en) * | 2012-09-19 | 2014-03-20 | Estsecurity Co., Ltd. | System and method for analyzing repackaged application through risk calculation |
US8914880B2 (en) * | 2012-06-08 | 2014-12-16 | VivoSecurity, Inc. | Mechanism to calculate probability of a cyber security incident |
-
2012
- 2012-06-08 US US13/491,605 patent/US8914880B2/en not_active Expired - Fee Related
-
2014
- 2014-12-15 US US14/571,245 patent/US20170308707A1/en not_active Abandoned
Patent Citations (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7975305B2 (en) * | 1997-11-06 | 2011-07-05 | Finjan, Inc. | Method and system for adaptive rule-based content scanners for desktop computers |
US7228565B2 (en) * | 2001-05-15 | 2007-06-05 | Mcafee, Inc. | Event reporting between a reporting computer and a receiving computer |
US7093132B2 (en) * | 2001-09-20 | 2006-08-15 | International Business Machines Corporation | Method and apparatus for protecting ongoing system integrity of a software product using digital signatures |
US7346927B2 (en) * | 2002-12-12 | 2008-03-18 | Access Business Group International Llc | System and method for storing and accessing secure data |
US7398399B2 (en) * | 2003-12-12 | 2008-07-08 | International Business Machines Corporation | Apparatus, methods and computer programs for controlling performance of operations within a data processing system or network |
US7475427B2 (en) * | 2003-12-12 | 2009-01-06 | International Business Machines Corporation | Apparatus, methods and computer programs for identifying or managing vulnerabilities within a data processing network |
US7519726B2 (en) * | 2003-12-12 | 2009-04-14 | International Business Machines Corporation | Methods, apparatus and computer programs for enhanced access to resources within a network |
US7689835B2 (en) * | 2003-12-12 | 2010-03-30 | International Business Machines Corporation | Computer program product and computer system for controlling performance of operations within a data processing system or networks |
US7752669B2 (en) * | 2003-12-12 | 2010-07-06 | International Business Machines Corporation | Method and computer program product for identifying or managing vulnerabilities within a data processing network |
US7549061B2 (en) * | 2004-04-02 | 2009-06-16 | Panasonic Corporation | Unauthorized contents detection system |
US7900062B2 (en) * | 2004-04-02 | 2011-03-01 | Panasonic Corporation | Unauthorized contents detection system |
US8261084B2 (en) * | 2004-04-02 | 2012-09-04 | Panasonic Corporation | Unauthorized contents detection system |
US20120090031A1 (en) * | 2006-12-12 | 2012-04-12 | Fortinet, Inc. A Delaware Corporation | Detection of undesired computer files in archives |
US8151355B2 (en) * | 2006-12-12 | 2012-04-03 | Fortinet, Inc. | Detection of undesired computer files in archives |
US8392722B2 (en) * | 2007-12-05 | 2013-03-05 | Electronics And Telecommunications Research Institute | Digital cable system and method for protection of secure micro program |
US7774451B1 (en) * | 2008-06-30 | 2010-08-10 | Symantec Corporation | Method and apparatus for classifying reputation of files on a computer network |
US20100313035A1 (en) * | 2009-06-09 | 2010-12-09 | F-Secure Oyj | Anti-virus trusted files database |
US20110219450A1 (en) * | 2010-03-08 | 2011-09-08 | Raytheon Company | System And Method For Malware Detection |
US20110219451A1 (en) * | 2010-03-08 | 2011-09-08 | Raytheon Company | System And Method For Host-Level Malware Detection |
US20120079596A1 (en) * | 2010-08-26 | 2012-03-29 | Verisign, Inc. | Method and system for automatic detection and analysis of malware |
US8281399B1 (en) * | 2012-03-28 | 2012-10-02 | Symantec Corporation | Systems and methods for using property tables to perform non-iterative malware scans |
US8646079B2 (en) * | 2012-03-28 | 2014-02-04 | Symantec Corporation | Systems and methods for using property tables to perform non-iterative malware scans |
US8914880B2 (en) * | 2012-06-08 | 2014-12-16 | VivoSecurity, Inc. | Mechanism to calculate probability of a cyber security incident |
US20140082729A1 (en) * | 2012-09-19 | 2014-03-20 | Estsecurity Co., Ltd. | System and method for analyzing repackaged application through risk calculation |
Also Published As
Publication number | Publication date |
---|---|
US8914880B2 (en) | 2014-12-16 |
US20130333043A1 (en) | 2013-12-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20170308707A1 (en) | Mechanism to Calculate Probability of a Cyber Security Incident | |
US20070094735A1 (en) | Method to consolidate and prioritize web application vulnerabilities | |
US9531743B2 (en) | Data trend analysis | |
Glanz et al. | CodeMatch: obfuscation won't conceal your repackaged app | |
CN103279710B (en) | Method and system for detecting malicious codes of Internet information system | |
KR101589656B1 (en) | System and method for detecting and inquiring metamorphic malignant code based on action | |
CN105117544A (en) | Android platform App risk assessment method based on mobile cloud computing and Android platform App risk assessment device based on mobile cloud computing | |
CN110535806B (en) | Method, device and equipment for monitoring abnormal website and computer storage medium | |
CN111400719A (en) | Firmware vulnerability distinguishing method and system based on open source component version identification | |
CN106815135B (en) | Vulnerability detection method and device | |
CN107508809B (en) | Method and device for identifying website type | |
Breitinger et al. | Automated evaluation of approximate matching algorithms on real data | |
CN114915479B (en) | Web attack stage analysis method and system based on Web log | |
CN112350992A (en) | Safety protection method, device, equipment and storage medium based on web white list | |
CN112307374A (en) | Jumping method, device and equipment based on backlog and storage medium | |
CN105024987A (en) | Web service log monitoring method and apparatus | |
CN112445997A (en) | Method and device for extracting CMS multi-version identification feature rule | |
CN116186716A (en) | Security analysis method and device for continuous integrated deployment | |
CN108804501B (en) | Method and device for detecting effective information | |
KR101372906B1 (en) | Method and system to prevent malware code | |
CN113591079B (en) | Method and device for acquiring abnormal application installation package and electronic equipment | |
KR101464736B1 (en) | Security Assurance Management System and Web Page Monitoring Method | |
Leckie et al. | Metadata for anomaly-based security protocol attack deduction | |
CN117240522A (en) | Vulnerability intelligent mining method based on attack event model | |
CN111413952A (en) | Robot fault detection method and device, electronic equipment and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |