Patents by Inventor Xiaochuan Wan

Xiaochuan Wan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11334764
    Abstract: A real-time detection method and apparatus for DGA domain name. An original domain name is translated into a multi-dimensional numeric vector, the multi-dimensional numeric vector is input into a deep learning model pre-trained based on an ImageNet data set, to generate a domain name feature, a domain name classifier is trained based on the generated domain name feature, and a DGA domain name is classified and predicted based on the domain name classifier obtained by training. The method firstly uses a deep learning model pre-trained based on an ImageNet data set, from the field of visual image classification and detection, for real-time detection of a DGA domain name, avoiding the process of high-intensity training and parameter weight adjustment for the deep learning model in DGA domain name detection. The detection rate is higher, and detection speed is faster.
    Type: Grant
    Filed: November 12, 2018
    Date of Patent: May 17, 2022
    Assignee: HAN SI AN XIN (BEIJING) SOFTWARE TECHNOLOGY CO., LTD
    Inventors: Feng Zeng, Shuo Chang, Xiaochuan Wan
  • Publication number: 20210182612
    Abstract: A real-time detection method and apparatus for DGA domain name. An original domain name is translated into a multi-dimensional numeric vector, the multi-dimensional numeric vector is input into a deep learning model pre-trained based on an ImageNet data set, to generate a domain name feature, a domain name classifier is trained based on the generated domain name feature, and a DGA domain name is classified and predicted based on the domain name classifier obtained by training. The method firstly uses a deep learning model pre-trained based on an ImageNet data set, from the field of visual image classification and detection, for real-time detection of a DGA domain name, avoiding the process of high-intensity training and parameter weight adjustment for the deep learning model in DGA domain name detection. The detection rate is higher, and detection speed is faster.
    Type: Application
    Filed: November 12, 2018
    Publication date: June 17, 2021
    Inventors: Feng ZENG, Shuo CHANG, Xiaochuan WAN
  • Patent number: 10769192
    Abstract: A method for determining a longest common subsequence in a plurality of text strings. The method comprises: separately converting a plurality of text strings into word sequences (S100); classifying the word sequences (S400); and performing longest common subsequence computation on every class (S500). The time needed by LCS computation can be saved by classifying text strings.
    Type: Grant
    Filed: September 21, 2016
    Date of Patent: September 8, 2020
    Assignee: BEIJING HANSIGHT TECH CO., LTD.
    Inventors: Xiaochuan Wan, Hanzhao Gao
  • Publication number: 20200053110
    Abstract: Provided in the present invention is a method of detecting an abnormal behavior of a user of a computer network system, the method comprising: selecting at least two data sources in the computer network system; extracting data of user behaviors respectively from the corresponding data sources using a configured tensor data structure, and aggregating the extracted data; and detecting abnormality of user behaviors on the basis of the aggregated tensor data. The method of the present invention can efficiently integrate a large volume of irrelevant security data and identify an abnormal behavior automatically.
    Type: Application
    Filed: March 26, 2018
    Publication date: February 13, 2020
    Inventors: Xiaochuan WAN, Hanzhao GAO, Rui WU
  • Patent number: 10404731
    Abstract: The present invention provides a method for detecting a website attack, comprising: selecting multiple uniform resource locators (URLs) from history access records of a website; clustering the multiple uniform resource locators; and generating a whitelist from the multiple uniform resource locators according to a clustering result. In some embodiments of the present invention, a common OWASP attack at URL level can be checked.
    Type: Grant
    Filed: March 11, 2016
    Date of Patent: September 3, 2019
    Assignee: BEIJING HANSIGHT TECH CO., LTD.
    Inventor: Xiaochuan Wan
  • Publication number: 20190057148
    Abstract: A method for determining a longest common subsequence in a plurality of text strings. The method comprises: separately converting a plurality of text strings into word sequences (S100); classifying the word sequences (S400); and performing longest common subsequence computation on every class (S500). The time needed by LCS computation can be saved by classifying text strings.
    Type: Application
    Filed: September 21, 2016
    Publication date: February 21, 2019
    Inventors: Xiaochuan WAN, Hanzhao GAO
  • Publication number: 20180139222
    Abstract: The present invention provides a method for detecting a website attack, comprising: selecting multiple uniform resource locators (URLs) from history access records of a website; clustering the multiple uniform resource locators; and generating a whitelist from the multiple uniform resource locators according to a clustering result. In some embodiments of the present invention, a common OWASP attack at URL level can be checked.
    Type: Application
    Filed: March 11, 2016
    Publication date: May 17, 2018
    Applicant: BEIJING HANSIGHT TECH CO., LTD
    Inventor: Xiaochuan Wan
  • Patent number: 9444831
    Abstract: One embodiment relates to a computer-implemented process for detecting malicious scripts at a client computer using a malicious script detector. A web page interceptor intercepts an access of web page data at a universal resource locator address. A script preprocessor determines script fragments embedded in the web page data and extracts variable and function names from the script fragments. A context analyzer determines whether the script fragments reference known-good scripts. The context analyzer may check variable and function names in the script fragment against a database of known-good contexts. Those script fragments which were determined to reference known-good scripts may be categorized as non-malicious. An emulator may perform emulation on remaining script fragments which were not determined to reference known-good scripts and not perform emulation on the script fragments which were determined to reference known-good scripts. Other embodiments, aspects and features are also disclosed.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: September 13, 2016
    Assignee: Trend Micro Incorporated
    Inventors: Charlie Lee, Xiaochuan Wan, Xuewen Zhu, Hua Ye
  • Patent number: 9398032
    Abstract: One embodiment relates to a computer-implemented method for detecting malicious scripts in web pages. A local engine and an application are executed at a client computer. The local engine intercepts an access by the application to a web page at a universal resource locator (URL) under a domain. The local engine determines scripts at the URL and scripts at other URLs under the domain. Using that information, the local engine determines if the scripts at the URL include one or more unique script(s). The local engine sends the unique script(s), if any, via a network to a script analyzer. The script analyzer may then perform emulation of the unique script(s) to detect malicious code therein. Other embodiments, aspects and features are also disclosed.
    Type: Grant
    Filed: July 9, 2009
    Date of Patent: July 19, 2016
    Assignee: Trend Micro Incorporated
    Inventors: Xiaochuan Wan, Yongtao Cao, Xuewen Zhu, Hua Ye
  • Patent number: 9355246
    Abstract: An emulator on a host computer includes a static analysis module that analyzes executable code of a suspicious sample to determine whether the code identifies that a particular packing program (packer) has packed the sample. Once identified, a custom configuration file is generated that identifies particular API hooks or instructions that should be disabled (or enabled) so that the sample file cannot use these hooks or instructions to detect that it is executing within an emulator. The emulator (such as a virtual machine or sandbox) is configured using the configuration file. The suspicious sample is then executed and its behaviors are collected. The sample is prevented from detecting that it is operating within an emulator and thus prevented from terminating prematurely. Malicious behaviors are scored and a total score indicates whether or not the suspicious sample is malicious or not. Static analysis identifies signatures, instructions or strings.
    Type: Grant
    Filed: December 5, 2013
    Date of Patent: May 31, 2016
    Assignee: Trend Micro Inc.
    Inventors: Xiaochuan Wan, Ben Huang, Xuebin Chen, Xiaodong Huang, Hailiang Fan
  • Patent number: 9305514
    Abstract: Tablet computers send relevant geographic and identification data to an application server (one of the tablets, or a local or remote server) which groups them to form a video wall. Once placed next to one another in substantially the same plane, the tablets snap photographs at more or less the same time and these images are transmitted to the application server. The server determines the relative positions of the tablets and then streams a portion of a video or digital image to each of the tablets in order that all tablets display the video or image in an integrated fashion. The tablets may operate independently or may rely upon the remote application server. Relative positions are determined by analyzing features and determining an up-down or left-right relationship between pairs of images, sorting images into vertical and horizontal rows, and placing the images into a grid.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: April 5, 2016
    Assignee: Trend Micro Inc.
    Inventors: Xiaochuan Wan, Xuewen Zhu, Xinfeng Liu, Qiang Huang
  • Patent number: 9117079
    Abstract: A single virtual machine is implemented upon a computer and an operating system executes within this virtual machine. A sample file suspected of being malware is received and any number of versions of the software application corresponding to the sample file are installed. Each version of the software application is executed within the operating system, each version opening the sample file. Behavior of each version and of the sample file is collected while each version is executing. A score indicating malicious behavior for each version with respect to the sample file is determined and reported. The versions may execute serially in the operating system, each version terminating before the next version begins executing. Or, all versions may execute concurrently within the operating system. Files and registries are hidden to facilitate installation. System information is changed to facilitate execution.
    Type: Grant
    Filed: February 19, 2013
    Date of Patent: August 25, 2015
    Assignee: Trend Micro Inc.
    Inventors: Ben Huang, Xiaochuan Wan, Xinfeng Liu, Qiang Huang
  • Patent number: 9049222
    Abstract: Cross-site scripting vulnerabilities in a Web browser that may lead to malware execution on a computing device are reduced. The specific vulnerabilities arise from HTML-based e-mails using e-mail service providers (e.g., Hotmail, Gmail, Yahoo) that have unknown or malformed HTML elements and Javascripts. These unknown elements may execute in a browser and cause harm to the computing device. To prevent this, the e-mail is parsed to create a DOM tree. The DOM tree is filtered using a normal element filter. The modified DOM tree is filtered a second time using a script analyzer filter to isolate potentially harmful HTML and Javascript elements. These elements are then emulated to determine which of them are in fact malicious. These malicious elements are then prevented from executing, for example, by preventing the e-mail recipient from opening the e-mail in the browser.
    Type: Grant
    Filed: February 2, 2012
    Date of Patent: June 2, 2015
    Assignee: Trend Micro Inc.
    Inventors: Juan He, Jialai Zhu, Xuewen Zhu, Xiaochuan Wan
  • Patent number: 8484732
    Abstract: Computers are protected against virtual machine exploits. A computer includes an exploit monitor for a virtual machine running in the computer. Loading of a virtual machine program in the virtual machine triggers the exploit monitor to modify the virtual machine program after the virtual machine program is loaded in the virtual machine but before the virtual machine program is executed in the virtual machine. The modification includes adding monitoring code, such as one or more checkpoints, in the virtual machine program. When the monitoring code is reached during execution of the virtual machine program in the virtual machine, the virtual machine program is evaluated to determine whether or not the virtual machine program is a virtual machine exploit.
    Type: Grant
    Filed: February 1, 2012
    Date of Patent: July 9, 2013
    Assignee: Trend Micro Incorporated
    Inventors: Xuebin Chen, Xiaochuan Wan, Min Zhang, Xinfeng Liu
  • Patent number: 8087080
    Abstract: A web page available for download from a web server computer may include a reference to a web widget. When the web page is received in a client computer, the reference executes and retrieves the web widget from a security server computer. The web widget may be configured to detect when a cursor in the client computer is pointed to a link displayed on the web page. The web widget may communicate with a remotely located computer to determine if the link points to a downloadable file that contains malicious code. The web widget may display a warning message to alert a user of the client computer when the downloadable file contains malicious code.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: December 27, 2011
    Assignee: Trend Micro Incorporated
    Inventors: Xiaochuan Wan, Xiaodong Huang, Zhengmao Lin
  • Patent number: 7840958
    Abstract: A computer or its user can prevent the installation of spyware on the computer by having a program that continuously observes and collects data on execution and installation behavior on the computer. This behavior can relate to execution of any application or installation of any type of software. The program uses various installation detection programs and an event collector that continuously observes and gathers data on execution and installation activities on the computer. The program then uses pre-defined rules to determine whether the behavior or activity correlates to spyware installation, which can occur through various methods and means that are often difficult to detect. However, by establishing a comprehensive set of rules that focus on the spyware installation behavior, the program of the present invention is able to detect when spyware is likely being installed and either alert the user who can prevent further installation or execution or automatically do so.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: November 23, 2010
    Assignee: Trend Micro, Inc.
    Inventor: Xiaochuan Wan