Patents by Inventor Michael E. Locasto
Michael E. Locasto has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11934538
Abstract: In general, this disclosure describes techniques for replacing target cryptographic primitives in executable binary files with other, potentially more secure, cryptographic primitives. In some examples, a computing system for augmenting cryptographic executables includes a locator to determine if an executable program in an executable binary file includes a target cryptographic primitive. The computing system can include a patch generator to generate patch instructions in response to a determination by the locator that the executable program includes the target cryptographic primitive. The patch instructions cause the executable program to execute a replacement cryptographic primitive instead of the target cryptographic primitive. A rewriter engine of the computing system can modify, based on the patch instructions, the executable program to generate a modified executable binary file.
Type: Grant
Filed: July 24, 2020
Date of Patent: March 19, 2024
Assignee: SRI INTERNATIONAL
Inventors: Karim Eldefrawy, Hassen Saidi, Michael E. Locasto, Norrathep Rattanavipanon
-
Patent number: 11689544
Abstract: Intrusion detection systems and methods monitor legal control messages in an operational control system to detect subtly malicious sequences of control messages with undesirable emergent effects on devices in the operational control system. A message provenance component may investigate system-level correlations between messages rather than detecting if individual messages are anomalous. A semantic fuzzing component may search, based on the operational effect of candidate message sequences, the space of legal messages for sequences that cause actual harm. Behavior oracles may be used to test message sequences to identify sequences that induce drift towards a failure state. The intrusion detection system is able to prevent harm and disruption arising from control messages that individually appear legitimate and benign but that, in combination with other messages, can cause undesirable outcomes.
Type: Grant
Filed: March 15, 2017
Date of Patent: June 27, 2023
Assignee: SRI INTERNATIONAL
Inventors: Gabriela Ciocarlie, Michael E. Locasto, Cherita Corbett, Dejan Jovanovic
-
Patent number: 11575688
Abstract: A method, apparatus and system for malware characterization includes receiving data identifying a presence of at least one anomaly of a respective portion of a processing function captured by at least one of each of at least two different sensor payloads and one sensor payload at two different times, determining a correlation between the at least two anomalies identified by the data captured by the at least one sensor payloads, and determining a presence of malware in the processing function based on the determined correlation. The method, apparatus and system can further include predicting an occurrence of at least one anomaly in the network based on at least one of current sensor payload data or previously observed and stored sensor payload data, recommending and/or initiating a remediation action and reporting a result of the malware characterization to a user.
Type: Grant
Filed: May 2, 2019
Date of Patent: February 7, 2023
Assignee: SRI International
Inventors: Sek Chai, Michael E. Locasto, Scott Oberg, Nicholas Vitovitch
-
Publication number: 20210232695
Abstract: In general, this disclosure describes techniques for replacing target cryptographic primitives in executable binary files with other, potentially more secure, cryptographic primitives. In some examples, a computing system for augmenting cryptographic executables includes a locator to determine if an executable program in an executable binary file includes a target cryptographic primitive. The computing system can include a patch generator to generate patch instructions in response to a determination by the locator that the executable program includes the target cryptographic primitive. The patch instructions cause the executable program to execute a replacement cryptographic primitive instead of the target cryptographic primitive. A rewriter engine of the computing system can modify, based on the patch instructions, the executable program to generate a modified executable binary file.
Type: Application
Filed: July 24, 2020
Publication date: July 29, 2021
Inventors: Karim Eldefrawy, Hassen Saidi, Michael E. Locasto, Norrathep Rattanavipanon
-
Publication number: 20190342308
Abstract: A method, apparatus and system for malware characterization includes receiving data identifying a presence of at least one anomaly of a respective portion of a processing function captured by at least one of each of at least two different sensor payloads and one sensor payload at two different times, determining a correlation between the at least two anomalies identified by the data captured by the at least one sensor payloads, and determining a presence of malware in the processing function based on the determined correlation. The method, apparatus and system can further include predicting an occurrence of at least one anomaly in the network based on at least one of current sensor payload data or previously observed and stored sensor payload data, recommending and/or initiating a remediation action and reporting a result of the malware characterization to a user.
Type: Application
Filed: May 2, 2019
Publication date: November 7, 2019
Inventors: Sek Chai, Michael E. Locasto, Scott Oberg, Nicholas Vitovitch
-
Patent number: 10305919
Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
Type: Grant
Filed: May 9, 2016
Date of Patent: May 28, 2019
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis, Ke Wang
-
Publication number: 20190089722
Abstract: Intrusion detection systems and methods monitor legal control messages in an operational control system to detect subtly malicious sequences of control messages with undesirable emergent effects on devices in the operational control system. A message provenance component may investigate system-level correlations between messages rather than detecting if individual messages are anomalous. A semantic fuzzing component may search, based on the operational effect of candidate message sequences, the space of legal messages for sequences that cause actual harm. Behavior oracles may be used to test message sequences to identify sequences that induce drift towards a failure state. The intrusion detection system is able to prevent harm and disruption arising from control messages that individually appear legitimate and benign but that, in combination with other messages, can cause undesirable outcomes.
Type: Application
Filed: March 15, 2017
Publication date: March 21, 2019
Inventors: Gabriela Ciocarlie, Michael E. Locasto, Cherita Corbett, Dejan Jovanovic
-
Publication number: 20170070514
Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
Type: Application
Filed: May 9, 2016
Publication date: March 9, 2017
Inventors: Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis, Ke Wang
-
Patent number: 9338174
Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
Type: Grant
Filed: May 7, 2014
Date of Patent: May 10, 2016
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Michael E Locasto, Salvatore J Stolfo, Angelos D Keromytis, Ke Wang
-
Patent number: 9218254
Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
Type: Grant
Filed: December 18, 2014
Date of Patent: December 22, 2015
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
-
Publication number: 20150261624
Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
Type: Application
Filed: December 18, 2014
Publication date: September 17, 2015
Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
-
Publication number: 20150264058
Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
Type: Application
Filed: May 7, 2014
Publication date: September 17, 2015
Inventors: Michael E Locasto, Salvatore J Stolfo, Angelos D Keromytis, Ke Wang
-
Patent number: 8924782
Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
Type: Grant
Filed: January 28, 2008
Date of Patent: December 30, 2014
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
-
Patent number: 8763103
Abstract: In accordance with some embodiments of the present invention, systems and methods that protect an application from attacks are provided. In some embodiments of the present invention, input from an input source, such as traffic from a communication network, can be routed through a filtering proxy that includes one or more filters, classifiers, and/or detectors. In response to the input passing through the filtering proxy to the application, a supervision framework monitors the input for attacks (e.g., code injection attacks). The supervision framework can provide feedback to tune the components of the filtering proxy.
Type: Grant
Filed: April 21, 2006
Date of Patent: June 24, 2014
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis, Ke Wang
-
Patent number: 8667588
Abstract: Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
Type: Grant
Filed: July 15, 2010
Date of Patent: March 4, 2014
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Vishal Misra, Michael E. Locasto, Janak Parekh
-
Patent number: 8613096
Abstract: The claimed subject matter provides a system and/or method that generates data patches for vulnerabilities. The system can include devices and components that examine exploits received or obtained from data streams, constructs probes and determines whether the probes take advantage of vulnerabilities. Based at least in part on such determinations data patches are dynamically generated to remedy the hitherto vulnerabilities.
Type: Grant
Filed: November 30, 2007
Date of Patent: December 17, 2013
Assignee: Microsoft Corporation
Inventors: Marcus Peinado, Weidong Cui, Jiahe Helen Wang, Michael E. Locasto
-
Patent number: 8407160
Abstract: Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for generating sanitized data are provided. The methods including: dividing a first training dataset comprised of a plurality of training data items into a plurality of data subsets each including at least one training data item of the plurality of training data items of the first training dataset; based on the plurality of data subsets, generating a plurality of distinct anomaly detection micro-models; testing at least one data item of the plurality of data items of a second training dataset of training data items against each of the plurality of micro-models to produce a score for the at least one tested data item; and generating at least one output dataset based on the score for the at least one tested data item.
Type: Grant
Filed: November 15, 2007
Date of Patent: March 26, 2013
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Gabriela Cretu, Angelos Stavrou, Salvatore J. Stolfo, Angelos D. Keromytis, Michael E. Locasto
-
Patent number: 7962798
Abstract: Methods, systems, and media for enabling a software application to recover from a fault condition, and for protecting a software application from a fault condition, are provided. In some embodiments, methods include detecting a fault condition during execution of the software application, restoring execution of the software application to a previous point of execution, the previous point of execution occurring during execution of a first subroutine in the software application, and forcing the first subroutine to forego further execution and return to a caller of the first subroutine.
Type: Grant
Filed: April 17, 2007
Date of Patent: June 14, 2011
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Michael E. Locasto, Angelos D. Keromytis, Salvatore J. Stolfo, Angelos Stavrou, Gabriela Cretu, Stylianos Sidiroglou, Jason Nieh, Oren Laadan
-
Publication number: 20100293407
Abstract: Systems, methods, and media for recovering an application from a fault or an attack are disclosed herein. In some embodiments, a method is provided for enabling a software application to recover from a fault condition. The method includes specifying constrained data items and assigning a set of repair procedures to the constrained data items. The method further includes detecting a fault condition on the constrained data items during execution of the software application, which triggers at least one repair procedure. The triggered repair procedures are executed and the execution of the software application is restored. In some embodiments, the restoring comprises providing memory rollback to a point of execution of the software application before the fault condition was detected.
Type: Application
Filed: January 28, 2008
Publication date: November 18, 2010
Applicant: THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF
Inventors: Michael E. Locasto, Angelos D. Keromytis, Angelos Stavrou, Gabriela F. Ciocarlie
-
Publication number: 20100281542
Abstract: Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.
Type: Application
Filed: July 15, 2010
Publication date: November 4, 2010
Applicant: The Trustees of Columbia University in the City of New York
Inventors: Salvatore J. Stolfo, Angelos D. Keromytis, Vishal Misra, Michael E. Locasto, Janak Parekh