Patents by Inventor Angelos Stavrou
Angelos Stavrou has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20170302692
Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
Type: Application
Filed: March 15, 2017
Publication date: October 19, 2017
Applicant: George Mason Research Foundation, Inc.
Inventors: Anup GHOSH, Yih HUANG, Jiang WANG, Angelos STAVROU
-
Publication number: 20170201534
Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid.
Type: Application
Filed: November 22, 2016
Publication date: July 13, 2017
Applicant: George Mason Research Foundation, Inc.
Inventors: Angelos STAVROU, Sushil JAJODIA, Anup K. GHOSH, Rhandi MARTIN, Charalampos ANDRIANAKIS
-
Publication number: 20170161478
Abstract: Embodiments herein disclose a method and system for actively authenticating users of an electronic device in a continuous manner using a plurality of factors comprising of biometric modalities, power consumption, application usage, user interactions, user movement, and user location/travel.
Type: Application
Filed: August 12, 2016
Publication date: June 8, 2017
Inventors: Angelos Stavrou, Rahul Murmuria, Ryan Johnson, Daniel Barbara
-
Publication number: 20170091428
Abstract: Disclosures herein describe methods and systems for detecting unlicensed content that can be accessed by electronic devices using an automated framework for analyzing applications present on the electronic device that allow a user of the electronic device to access unlicensed content.
Type: Application
Filed: September 28, 2016
Publication date: March 30, 2017
Inventors: Ryan Johnson, Nikolaos Kiourtis, Angelos Stavrou
-
Patent number: 9602524
Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
Type: Grant
Filed: July 24, 2015
Date of Patent: March 21, 2017
Assignee: George Mason Research Foundation, Inc.
Inventors: Anup Ghosh, Yih Huang, Jiang Wang, Angelos Stavrou
-
Patent number: 9531747
Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid.
Type: Grant
Filed: September 10, 2014
Date of Patent: December 27, 2016
Assignee: George Mason Research Foundation, Inc.
Inventors: Angelos Stavrou, Sushil Jajodia, Anup K. Ghosh, Rhandi Martin, Charalampos Andrianakis
-
Publication number: 20160357657
Abstract: Embodiments herein disclose a debugging framework that employs a mode in the processor (for example, a processor using x86 architecture), to transparently study armored malware. Embodiments herein perform stealthy debugging by leveraging System Management Mode (SMM) to transparently debug software on bare-metal.
Type: Application
Filed: June 3, 2016
Publication date: December 8, 2016
Inventors: Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang
-
Publication number: 20160248808
Abstract: Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
Type: Application
Filed: May 5, 2016
Publication date: August 25, 2016
Inventors: Angelos Stavrou, Angelos D. Keromytis
-
Publication number: 20160182540
Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
Type: Application
Filed: July 24, 2015
Publication date: June 23, 2016
Applicant: GEORGE MASON RESEARCH FOUNDATION, INC.
Inventors: Anup GHOSH, Yih HUANG, Jiang WANG, Angelos STAVROU
-
Patent number: 9344418
Abstract: Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
Type: Grant
Filed: December 11, 2013
Date of Patent: May 17, 2016
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Angelos Stavrou, Angelos D. Keromytis
-
Publication number: 20160087951
Abstract: Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
Type: Application
Filed: December 11, 2013
Publication date: March 24, 2016
Applicant: The Trustees of Columbia University in the City of New York
Inventors: Angelos Stavrou, Angelos D. Keromytis
-
Patent number: 9270697
Abstract: A hardware-assisted integrity monitor may include one or more target machines and/or monitor machines. A target machine may include one or more processors, which may include one or more system management modes (SMM). A SMM may include one or more register checking modules, which may be configured to determine one or more current CPU register states. A SMM may include one or more acquiring modules, which may be configured to determine one or more current memory states. A SMM may include one or more network modules, which may be configured to direct one or more communications, for example of one or more current CPU register states and/or current memory states, to a monitor machine. A monitor machine may include one or more network modules and/or analysis modules. An analysis module may be configured to determine memory state differences and/or determine CPU register states differences.
Type: Grant
Filed: August 22, 2014
Date of Patent: February 23, 2016
Assignee: George Mason Research Foundation, Inc.
Inventors: Anup K. Ghosh, Kun Sun, Jiang Wang, Angelos Stavrou
-
Patent number: 9218254
Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
Type: Grant
Filed: December 18, 2014
Date of Patent: December 22, 2015
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
-
Publication number: 20150326597
Abstract: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model.
Type: Application
Filed: July 13, 2015
Publication date: November 12, 2015
Inventors: Gabriela F. Ciocarlie, Angelos Stavrou, Salvatore J. Stolfo, Angelos D. Keromytis
-
Publication number: 20150264059
Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid.
Type: Application
Filed: September 10, 2014
Publication date: September 17, 2015
Applicant: George Mason Research Foundation, Inc.
Inventors: Angelos STAVROU, Sushil JAJODIA, Anup K. GHOSH, Rhandi MARTIN, Charalampos Andrianakis
-
Publication number: 20150261624
Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
Type: Application
Filed: December 18, 2014
Publication date: September 17, 2015
Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
-
Patent number: 9098698
Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
Type: Grant
Filed: September 14, 2009
Date of Patent: August 4, 2015
Assignee: George Mason Research Foundation, Inc.
Inventors: Anup Ghosh, Yih Huang, Jiang Wang, Angelos Stavrou
-
Patent number: 9088596
Abstract: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model.
Type: Grant
Filed: February 26, 2013
Date of Patent: July 21, 2015
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Gabriela F. Ciocarlie, Angelos Stavrou, Salvatore J. Stolfo, Angelos D. Keromytis
-
Publication number: 20150195302
Abstract: A hardware-assisted integrity monitor may include one or more target machines and/or monitor machines. A target machine may include one or more processors, which may include one or more system management modes (SMM). A SMM may include one or more register checking modules, which may be configured to determine one or more current CPU register states. A SMM may include one or more acquiring modules, which may be configured to determine one or more current memory states. A SMM may include one or more network modules, which may be configured to direct one or more communications, for example of one or more current CPU register states and/or current memory states, to a monitor machine. A monitor machine may include one or more network modules and/or analysis modules. An analysis module may be configured to determine memory state differences and/or determine CPU register states differences.
Type: Application
Filed: August 22, 2014
Publication date: July 9, 2015
Applicant: GEORGE MASON RESEARCH FOUNDATION, INC.
Inventors: Anup K. GHOSH, Kun SUN, Jiang WANG, Angelos STAVROU
-
Patent number: 9043818
Abstract: A system or method for inferring and selective display of visual and sound media content based on a pet(s)'s level of engagement or reactions to content displayed on any number of content display devices including, but not limited to, television screens, computer monitors, tablets, and cell phones and measured by a sensor. A content selection algorithm takes as input the sensor measurements and historical or pre-computed data to infer the pet(s)'s preference for content. A content modification algorithm interposes algorithmically computed shapes and sounds overlaid on top of the existing content to attract the attention of the pet(s) observing the display.
Type: Grant
Filed: May 23, 2013
Date of Patent: May 26, 2015
Assignee: Fur Entertainment, Inc.
Inventors: Angelos Stavrou, Margaret Lee Perry-Flippin