Patents by Inventor Xinran Wang
Xinran Wang has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9542556
Abstract: A potential malware sample is received from a security device at a server associated with a security cloud service. The sample is executed in a sandbox environment on the server, including by monitoring interaction of the sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log. It is determined whether the sample is associated with a known malware family including by determining, based at least in part on the API log, if the sample created an executable file and if the sample registered the executable file in a run key. If it is determined that the sample is associated with a known malware family, then an alert is generated.
Type: Grant
Filed: September 15, 2015
Date of Patent: January 10, 2017
Assignee: Palo Alto Networks, Inc.
Inventors: Kyle Sanders, Xinran Wang
-
Patent number: 9529994
Abstract: Computer systems and methods in various embodiments are configured for improving the security and efficiency of client computers interacting with server computers through supervising instructions defined in a web page and/or web browser. In an embodiment, a computer system comprising one or more processors, coupled to a remote client computer, and configured to send, to the remote client computer, one or more instructions, which when executed by the remote client computer, cause a run-time environment on the remote client computer to: intercept, within the run-time environment, a first call to execute a particular function defined in the run-time environment by a first caller function in the run-time environment; determine a first caller identifier, which corresponds to the first caller function identified in a run-time stack maintained by the run-time environment; determine whether the first caller function is authorized to call the particular function based on the first caller identifier.
Type: Grant
Filed: November 24, 2014
Date of Patent: December 27, 2016
Assignee: Shape Security, Inc.
Inventors: Yao Zhao, Xinran Wang
-
Patent number: 9491142
Abstract: In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.
Type: Grant
Filed: April 21, 2015
Date of Patent: November 8, 2016
Assignee: Palo Alto Networks, Inc.
Inventors: Huagang Xie, Xinran Wang, Jiangxia Liu
-
Publication number: 20160269443
Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray in memory while executing the program in the virtual environment. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray related malware in response to a modification of an execution environment in the virtual environment.
Type: Application
Filed: March 10, 2016
Publication date: September 15, 2016
Inventors: Bo Qu, Kyle Sanders, Xinran Wang
-
Patent number: 9411958
Abstract: A computer-implemented method includes identifying, in web code to be served to a client, presence of code for generating a form; generating additional, executable code to be run on the client device, the additional, executable code being arranged to identify user input on the client device and modify the form so that data from the user input is received into one or more alternative fields of the form other than a first field to which a user performing the input directed the input; receiving a request from the client device based on completion of input into the form; and converting data from the received request so that data for the one or more alternative fields of the form is directed to the first field of the form for processing by a web server system that initially generated the web code.
Type: Grant
Filed: May 23, 2014
Date of Patent: August 9, 2016
Assignee: Shape Security, Inc.
Inventors: Xinran Wang, Yao Zhao
-
Publication number: 20160156644
Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
Type: Application
Filed: August 14, 2015
Publication date: June 2, 2016
Inventors: Xinran Wang, Huagang Xie
-
Publication number: 20160147992
Abstract: Computer systems and methods in various embodiments are configured for improving the security and efficiency of client computers interacting with server computers through supervising instructions defined in a web page and/or web browser. In an embodiment, a computer system comprising one or more processors, coupled to a remote client computer, and configured to send, to the remote client computer, one or more instructions, which when executed by the remote client computer, cause a run-time environment on the remote client computer to: intercept, within the run-time environment, a first call to execute a particular function defined in the run-time environment by a first caller function in the run-time environment; determine a first caller identifier, which corresponds to the first caller function identified in a run-time stack maintained by the run-time environment; determine whether the first caller function is authorized to call the particular function based on the first caller identifier.
Type: Application
Filed: November 24, 2014
Publication date: May 26, 2016
Inventors: YAO ZHAO, XINRAN WANG
-
Patent number: 9336386
Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray in memory while executing the program in the virtual environment. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment; and detecting heap spray related malware in response to a modification of an execution environment in the virtual environment.
Type: Grant
Filed: July 25, 2013
Date of Patent: May 10, 2016
Assignee: Palo Alto Networks, Inc.
Inventors: Bo Qu, Kyle Sanders, Xinran Wang
-
Publication number: 20160048683
Abstract: A potential malware sample is received from a security device at a server associated with a security cloud service. The sample is executed in a sandbox environment on the server, including by monitoring interaction of the sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log. It is determined whether the sample is associated with a known malware family including by determining, based at least in part on the API log, if the sample created an executable file and if the sample registered the executable file in a run key. If it is determined that the sample is associated with a known malware family, then an alert is generated.
Type: Application
Filed: September 15, 2015
Publication date: February 18, 2016
Inventors: Kyle Sanders, Xinran Wang
-
Patent number: 9215239
Abstract: Detecting malware is disclosed. A candidate malware application is caused to be executed using a virtual machine. Traffic analysis is performed on network traffic associated with the execution of the candidate malware application. A determination is made as to whether the candidate malware application is malicious or not, based at least in part on the traffic analysis and an application type associated with the candidate malware application.
Type: Grant
Filed: September 28, 2012
Date of Patent: December 15, 2015
Assignee: Palo Alto Networks, Inc.
Inventors: Xinran Wang, Huagang Xie, Kyle Sanders
-
Publication number: 20150339479
Abstract: A computer-implemented method includes identifying, in web code to be served to a client, presence of code for generating a form; generating additional, executable code to be run on the client device, the additional, executable code being arranged to identify user input on the client device and modify the form so that data from the user input is received into one or more alternative fields of the form other than a first field to which a user performing the input directed the input; receiving a request from the client device based on completion of input into the form; and converting data from the received request so that data for the one or more alternative fields of the form is directed to the first field of the form for processing by a web server system that initially generated the web code.
Type: Application
Filed: May 23, 2014
Publication date: November 26, 2015
Applicant: Shape Security Inc.
Inventors: Xinran Wang, Yao Zhao
-
Publication number: 20150319136
Abstract: In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.
Type: Application
Filed: April 21, 2015
Publication date: November 5, 2015
Inventors: Huagang Xie, Xinran Wang, Jiangxia Liu
-
Patent number: 9165142
Abstract: Techniques for malware family identification using profile signatures are disclosed. In some embodiments, malware identification using profile signatures includes executing a potential malware sample in a virtual machine environment (e.g., a sandbox); and determining whether the potential malware sample is associated with a known malware family based on a profile signature. In some embodiments, the virtual machine environment is an instrumented virtual machine environment for monitoring potential malware samples during execution.
Type: Grant
Filed: January 30, 2013
Date of Patent: October 20, 2015
Assignee: Palo Alto Networks, Inc.
Inventors: Kyle Sanders, Xinran Wang
-
Patent number: 9143522
Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
Type: Grant
Filed: September 4, 2013
Date of Patent: September 22, 2015
Assignee: Palo Alto Networks, Inc.
Inventors: Xinran Wang, Huagang Xie
-
Patent number: 9104870
Abstract: An example of candidate malware is data that potentially includes one or more malicious elements. Candidate malware is received. The received candidate malware is analyzed using a virtual machine. A determination is made that the candidate malware has attempted to perform an anti-virtual machine action. Output that indicates that the candidate malware is malicious is generated.
Type: Grant
Filed: September 28, 2012
Date of Patent: August 11, 2015
Assignee: Palo Alto Networks, Inc.
Inventors: Bo Qu, Xinran Wang, Kyle Sanders
-
Patent number: 9047441
Abstract: In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.
Type: Grant
Filed: May 24, 2011
Date of Patent: June 2, 2015
Assignee: Palo Alto Networks, Inc.
Inventors: Huagang Xie, Xinran Wang, Jiangxia Liu
-
Patent number: 9027142
Abstract: A computer-implemented method involves identifying an initial element for serving by a web server system to a client device and recoding the element by creating a plurality of different elements that each represent a portion of the initial element. The different elements are then served in place of the initial element. A response is received from the client device and has portions that correspond to the different elements, and a combined response is created by combining the received portions in a manner that corresponds to a manner in which the initial element was recoded to create the plurality of different elements.
Type: Grant
Filed: January 21, 2014
Date of Patent: May 5, 2015
Assignee: Shape Security, Inc.
Inventors: Justin D. Call, Marc R. Hansen, Xinran Wang, Sumit Agarwal, Bryan D. Hanks
-
Patent number: 8997226
Abstract: A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.
Type: Grant
Filed: April 17, 2014
Date of Patent: March 31, 2015
Assignee: Shape Security, Inc.
Inventors: Justin D. Call, Xinran Wang, Yao Zhao, Timothy Dylan Peacock
-
Publication number: 20140090059
Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
Type: Application
Filed: September 4, 2013
Publication date: March 27, 2014
Applicant: Palo Alto Networks, Inc.
Inventors: Xinran Wang, Huagang Xie
-
Patent number: 8555388
Abstract: In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score.
Type: Grant
Filed: May 24, 2011
Date of Patent: October 8, 2013
Assignee: Palo Alto Networks, Inc.
Inventors: Xinran Wang, Huagang Xie