Monitoring Or Scanning Of Software Or Data Including Attack Prevention Patents (Class 726/22)
  • Patent number: 10152597
    Abstract: Detecting duplicate malware samples is disclosed. A first guest clock is set to a first value in a first virtual machine instance. A first malware sample is executed in the first virtual machine instance. A second guest clock value is set to the first value in a second virtual machine instance. A second malware sample is executed in the second virtual machine instance. A determination is made as to whether the first malware sample and the second malware sample are the same, based at least in part on performing a comparison of attempted external contacts generated by executing each of the respective first and second malware samples.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: December 11, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventors: Ryan C. Salsamendi, Wei Xu
  • Patent number: 10152609
    Abstract: Systems, methods, and apparatus of tracking user information dissemination are disclosed herein. In one or more embodiments, the disclosed method involves matching, by a processor(s), a first service provider(s) to an address(es) (e.g., an email address and/or a postal address) related to a user(s) and/or personal identifiable information (PII) related to the user(s). The method further involves aggregating, by a processor(s), the number of times a second service provider(s) utilizes the address(es) to mail the user(s) and/or sends at least a portion of the PII to the user(s) and/or to another user(s). Further, the method involves generating, by the processor(s), a ranking of trustworthiness for the first service provider(s) based on the number of times all of the second service provider(s) utilizes the address(es) to mail the user(s) and/or sends at least a portion of the PII to the user(s) and/or to another user(s).
    Type: Grant
    Filed: July 23, 2015
    Date of Patent: December 11, 2018
    Assignee: THE BOEING COMPANY
    Inventors: Brian C. Grubel, Brian P. Treich
  • Patent number: 10146594
    Abstract: Embodiments pertain to facilitation of live migration of a virtual machine in a network system. The network system includes a first host, a second host, a first appliance for providing service to the first host, a second appliance for providing service to the second host, and a third appliance. At least one virtual machine is disposed on the first host and has an ongoing first network flow. The first appliance has generated state information about the first network flow. During the migration of the at least one virtual machine to the second host, the third appliance obtains a copy of the state information about the first network flow, and the third appliance takes over from the first appliance to serve the first network flow during the migration of the at least one virtual machine, until the first network flow is terminated.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: December 4, 2018
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu, Lun Pin Yuan
  • Patent number: 10148684
    Abstract: Systems, methods, and other embodiments associated with placing a workload on one of a plurality of hosts are described. In one embodiment, a method includes analyzing hosts to identify a first host and a second host determined to meet resource requirements of the workload. The example method may also include analyzing the first host to calculate a first threat score, and analyzing the second host to calculate a second threat score. The example method may also include selecting a host with a lowest threat score and placing the workload on the selected host. The example method may also include reanalyzing the selected host to calculate an updated threat score. The example method may also include in response to determining that the updated threat score exceeds a threshold threat score, moving the workload to a third host.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: December 4, 2018
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Ajai Joy, Sarat C. Aramandla
  • Patent number: 10148694
    Abstract: Techniques are disclosed for performing data loss prevention (DLP) by monitoring file system activity of an application having a network connection. A DLP agent tracks file system activity (e.g., file open and read operations) being initiated by the application. The DLP agent intercepts the file system activity and evaluates a file specified by the file system operation to determine whether the file includes sensitive data. If so determined, the DLP agent prevents the sensitive data from being transmitted (e.g., by blocking the file system activity, redacting the sensitive data from the file, etc.).
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: December 4, 2018
    Assignee: SYMANTEC CORPORATION
    Inventors: Sumit Manmohan Sarin, Sumesh Jaiswal, Bishnu Chaturvedi, Arnaud Scomparin
  • Patent number: 10142357
    Abstract: The disclosed computer-implemented method may include (i) monitoring computing activity, (ii) detecting, during a specific time period, at least one malicious network connection that involves a computing device within a network, (iii) determining that no malicious network connections involving the computing device were detected during another time period, (iv) identifying a feature of the computing activity that (a) occurred during the specific time period and (b) did not occur during the other time period, (v) determining that the feature is likely indicative of malicious network activity due at least in part to the feature having occurred during the specific time period and not having occurred during the other time period, and in response to detecting the feature at a subsequent point in time, (vi) performing a security action on a subsequent network connection attempted around the subsequent point in time. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: November 27, 2018
    Assignee: Symantec Corporation
    Inventors: Acar Tamersoy, Kevin Roundy
  • Patent number: 10142359
    Abstract: System and method to identify a security entity in a computing environment is disclosed. Communication between a user computer and at least one destination computer by a security appliance is monitored by a security appliance. Selective information from the communication is extracted by the security appliance. At least one security entity is identified based on a subset of the selective information. One or more selective information is associated to at least one security entity. A knowledge graph is generated based on the associated selective information.
    Type: Grant
    Filed: April 22, 2016
    Date of Patent: November 27, 2018
    Assignee: AWAKE SECURITY, INC.
    Inventors: Eric Karasuda, Ram Keralapura, Chunsheng Victor Fang, Gary Golomb
  • Patent number: 10140493
    Abstract: In general, embodiments of the invention include methods and apparatuses for taking predetermined actions based on coded graphical objects in video content for display by a computer device. According to some aspects, the coded graphical object can include a barcode or QR code. According to additional aspects, the predetermined actions can include performing a monitoring function or automatically providing credentials to a web service.
    Type: Grant
    Filed: April 21, 2017
    Date of Patent: November 27, 2018
    Assignee: JANUS TECHNOLOGIES, INC.
    Inventor: Sofin Raskin
  • Patent number: 10135786
    Abstract: Techniques for discovering and selecting candidates for sinkholing of network domains are provided. In some embodiments, a process for discovering and selecting candidates for sinkholing of network domains includes collecting passive DNS data from a plurality of security devices to discover candidates for sinkholing of domain names; selecting one or more domain names that are most commonly queried by distinct client devices based on the passive DNS data, wherein each of the one or more domain names is not yet registered; and automatically registering each of the one or more domain names with a domain registry to a sinkholed IP address in order to sinkhole each of the one or more domain names.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: November 20, 2018
    Assignee: Palo Alto Networks, Inc.
    Inventor: Wei Xu
  • Patent number: 10135852
    Abstract: A system automatically detects bots and/or botnets.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: November 20, 2018
    Assignee: CA, Inc.
    Inventors: Zheng Chen, Chi Zhang, Jin Zhang
  • Patent number: 10135849
    Abstract: A medical device monitor (MedMon), method and computer readable medium are disclosed. The MedMon is configured to operate in a system having communications between a first medical device associated with a patient and a second device. The MedMon includes a receiver configured to snoop on communications between the first medical device and second device. An anomaly detector having a set of security policies is configured to detect an anomaly by analyzing the communications between the first medical device and second device for compliance with the security policies. A response generator is configured to generate a response on a condition that an anomaly is detected. The response may be a warning message configured to warn the patient. The MedMon may include a transmitter configured to transmit the response. The response may be a jamming signal configured to disrupt communications between the first medical device and second device.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: November 20, 2018
    Assignees: PURDUE RESEARCH FOUNDATION, THE TRUSTEES OF PRINCETON UNIVERSITY
    Inventors: Niraj K. Jha, Anand Raghunathan, Meng Zhang
  • Patent number: 10133754
    Abstract: The disclosure is directed to content sharing. An aspect defines a filter having at least one parameter for receiving content and detects a content device. The content device is a peer device with sharable content. The aspect further queries the content device for desired content from the sharable content and receives the desired content from the content device. The desired content matches the at least one parameter.
    Type: Grant
    Filed: February 10, 2013
    Date of Patent: November 20, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: Krishnan Ramachandran, Paul G. Phillips, Enrico Ros, Babak Forutanpour
  • Patent number: 10135784
    Abstract: Verifying source addresses associated with a terminal is disclosed, including: receiving a packet from a terminal, wherein the packet comprises a source Internet Protocol (IP) address and a source Media Access Control (MAC) address associated with the terminal; determining whether a matching entry associated with the terminal is found in a local verification table storing valid source IP addresses and valid source MAC addresses; determining that the matching entry associated with the terminal is not found in the local verification table; generating a request based on the source IP address and the source MAC address; transmitting the request to a dynamic host configuration protocol (DHCP) server; and determining whether the source IP address and the source MAC address associated with the terminal are valid based at least in part on a response from the DHCP server.
    Type: Grant
    Filed: August 22, 2016
    Date of Patent: November 20, 2018
    Assignee: Alibaba Group Holding Limited
    Inventor: Gaoliang Deng
  • Patent number: 10135788
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting suspicious user activities. One of the methods includes generating hypergraphs, wherein the hypergraphs include nodes corresponding to feature profiles and edges between particular nodes representing a measure of similarity between nodes; using the generated hypergraphs to detect suspicious graph nodes; and using the suspicious graph nodes to detect malicious user communities.
    Type: Grant
    Filed: October 5, 2017
    Date of Patent: November 20, 2018
    Assignee: Data Visor Inc.
    Inventors: Yinglian Xie, Fang Yu
  • Patent number: 10136283
    Abstract: A communication method includes receiving a first message of a Short Message Service containing a first command that requests execution of a proactive command. The first message is decrypted according to protocol SCP80 to extract the first command. The execution of the proactive command is requested in order to obtain a response to the proactive command. A second message of the Short Message Service is transmitted to the remote server and indicates that the response to the proactive command has been obtained. A third message of the Short Message Service is received and contains a second command from the remote server. The third message is decrypted according to the protocol SCP80. A response message is generated as a function of the response and encrypted according to the protocol SCP80 to generate a fourth message of the Short Message Service transmitted to the remote server.
    Type: Grant
    Filed: November 9, 2015
    Date of Patent: November 20, 2018
    Assignee: STMICROELECTRONICS S.R.L.
    Inventor: Francesco Caserta
  • Patent number: 10127397
    Abstract: The present invention provides a method of integrating existing strong encryption methods into the processing of a .ZIP file to provide a highly secure data container which provides flexibility in the use of symmetric and asymmetric encryption technology. The present invention adapts the well-established .ZIP file format to support higher levels of security and multiple methods of data encryption and key management, thereby producing a highly secure and flexible digital container for electronically storing and transferring confidential data.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: November 13, 2018
    Assignee: PKWARE, INC.
    Inventor: James C. Peterson
  • Patent number: 10129215
    Abstract: A method and systems for information security threat identification, management, and analysis, including identifying and managing threats posed by senders of unsolicited e-mail, pirates, hackers, and virus-spreaders. Methods are provided for identifying and facilitating legal action against a sender of unsolicited e-mail. A secure evidence repository can be used for storing copies of and information regarding unsolicited e-mails in a forensically sound manner. A relational knowledge database can be used for storing copies of and information regarding unsolicited e-mails such that the information can be queried, manipulated, or analyzed.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: November 13, 2018
    Assignee: Internet Crimes Group Inc.
    Inventors: Joshua I. Halpern, Kevin E. Leininger, Randall Dey Toth, Osbourne A. Shaw
  • Patent number: 10129270
    Abstract: Implementations of the present disclosure involve a system and/or method for identifying and mitigating malicious network threats. Associated network data is retrieved from various sources across a network and analyzed to identify a malicious network threat. When a threat is found, the system performs a mitigating action to neutralize the malicious network threat.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: November 13, 2018
    Assignee: Level 3 Communications, LLC
    Inventors: Brad Bernay Doctor, Skyler Jameson Bingham, Keshava Berg, John Sherwood Reynolds, II, Justin George Mohr
  • Patent number: 10129292
    Abstract: The present invention provides for protecting against denial of service attacks. A request is sent by a client, the request comprising client indicia. The request is received at a server. A request count is incremented by the server. A sequence number is assigned as a function of the client indicia. A problem is selected by the server. The problem is sent by the server to the client. A solution to the problem is sent to the server. It is determined whether the solution sent by the client is correct. If the solution is correct, a session is performed. If the solution is not correct, the request is discarded. This can substantially decrease the amount of attacks performed by a rogue client, as the session set-up time can be substantial.
    Type: Grant
    Filed: June 13, 2012
    Date of Patent: November 13, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Clark Debs Jeffries, Mohammad Peyravian
  • Patent number: 10124750
    Abstract: A vehicle security system having controller area network buses, electronic control units connected to the controller area network buses, a vehicle security module connected to the controller area network buses, and an on board diagnostics connector connected to the vehicle security module. The vehicle security module may, according to a policy, discriminate between authorized and unauthorized signals that are input to the on board diagnostics connector. Authorized signals may be forwarded by the vehicle security module to the controller area network buses. Authorized signals may affect operation of one or more of the components of the vehicle via the electronic control units. Authorized signals may change the policy used by the vehicle security module. Unauthorized signals may be refused entry to the controller area network buses. The on board diagnostics connector may receive the signals from diagnostic instrumentation, control instrumentation, tracking instrumentation, a dongle, and so forth.
    Type: Grant
    Filed: April 26, 2016
    Date of Patent: November 13, 2018
    Assignee: Honeywell International Inc.
    Inventor: Thomas R. Markham
  • Patent number: 10129291
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor activities of objects in a system, compare the monitored activities to metadata for the system, and identify low prevalence outliers to detect potentially malicious activity. The monitored activities can include an analysis of metadata of the objects in the system to identify polymorphic threats, an object reuse analysis of the system to detect an object reusing metadata from another object, and a filename analysis of the system.
    Type: Grant
    Filed: June 27, 2015
    Date of Patent: November 13, 2018
    Assignee: McAfee, LLC
    Inventors: James Bean, Joel R. Spurlock
  • Patent number: 10122687
    Abstract: Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth.
    Type: Grant
    Filed: September 14, 2014
    Date of Patent: November 6, 2018
    Assignee: Sophos Limited
    Inventors: Andrew J. Thomas, Neil Robert Tyndale Watkiss, Daniel Salvatore Schiappa, Kenneth D. Ray
  • Patent number: 10122677
    Abstract: Provided is a method for delegation of local content delivery service. The method includes receiving a Domain Name System (DNS) query from a client to resolve a domain name to a network address associated with content provided by a content provider, determining that distribution of the content has been delegated by the content provider to a local content server associated with an Internet Service Provider (ISP), and, based on predetermined criteria, resolving the domain name to the local content server. The resolution can include responding to the DNS query with an answer from a caching server, and returning, to the client, the answer pointing to the local content server, wherein upon receiving the answer, the client can establish a data communication channel with the local content server. The content can be downloaded to the local content server upon a request received by a provisioning system associated with the ISP.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: November 6, 2018
    Assignee: Nominum, Inc.
    Inventors: Robert Thomas Halley, Brian Wellington, Robert S. Wilbourn, Srinivas Avirneni
  • Patent number: 10121009
    Abstract: A testing system for testing computer system security includes control logic interposed between tester computers and a computer system under test. Tester computers are used by testers to test for security vulnerabilities of the computer system under test. A test results database contains records of tester interactions with the computer system under test and responses of the computer system under test to the tester interactions. A test mark database, coupled to the control logic, contains records related to granular elements of the computer system under test that are amenable to being tested for security vulnerabilities. Records of the test mark database indicate whether a corresponding granular element has been tested for security vulnerabilities. A coverage application, coupled to the test mark database, inputs data from the test mark database and outputs data indicating which granular elements of the computer system under test are to be tested.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: November 6, 2018
    Assignee: Synack, Inc.
    Inventors: Mark Kuhr, Jay Kaplan
  • Patent number: 10122807
    Abstract: A computer implemented method and network device for tracking OPT-OUT user preferences in a global communication network, and computer programs thereof. The method comprises performing, by at least one user, at least one operation request for a service of an online system (500); tracking, by a network device (300), said operation request and detecting whether it is linked to a tracking mechanism, wherein: a) if it is not linked to a tracking mechanism, said network device (300) bypasses the operation request to said online system (500) without performing any action; or b) if it is linked to a tracking mechanism, the network device (300) identifies whether an OPT-OUT or an Opt-In status related to the user is included in the operation request and sends or does not send the operation request to a tracking server (600) depending on the result of said identification.
    Type: Grant
    Filed: January 12, 2016
    Date of Patent: November 6, 2018
    Assignee: TELEFONICA DIGITAL ESPAÑA, S.L.U.
    Inventors: Xiaoyuan Yang, David Guijarro Guillem, Arcadio Pando Cao, Martin I. Levi
  • Patent number: 10122694
    Abstract: In a wireless communication system, a secure communication link is provided by selecting a decoy data signal vector for transmission, generating a MIMO precoding matrix from a message to be sent; and multiplying the decoy data signal vector by the MIMO precoding matrix to construct a precoded signal vector. The MIMO precoding matrix produces information-bearing synthesized channel distortions in the transmitted signal. An undistorted version of the decoy data may be transmitted to an intended receiver. The receiver distinguishes between the synthesized information-bearing channel distortions and natural channel distortions to decrypt the information, while an eavesdropper would find it difficult to distinguish between natural and synthesized channel distortions in the signals it receives.
    Type: Grant
    Filed: April 2, 2018
    Date of Patent: November 6, 2018
    Assignee: Department 13, Inc.
    Inventors: Steve J Shattil, Robi Sen
  • Patent number: 10122750
    Abstract: Methods and systems for penetration testing of a networked system by a penetration testing system (e.g. that is controlled by a user interface of a computing device) are disclosed herein. In one example, a penetration testing campaign is executed according to a manual and explicit selecting of one or more network nodes of the networked system. Alternatively or additionally, a penetration testing campaign is executed according to a manually and explicitly selected node-selection condition. Alternatively or additionally, a penetration testing campaign is executed according to an automatic selecting of one or more network nodes of the networked system.
    Type: Grant
    Filed: August 21, 2017
    Date of Patent: November 6, 2018
    Assignee: XM Cyber Ltd
    Inventors: Boaz Gorodissky, Adi Ashkenazy, Ronen Segal
  • Patent number: 10120998
    Abstract: An embodiment for providing a secure virtual browsing environment includes creating a virtual browsing environment with a virtualized operating system sharing an operating system kernel of a supporting operating system and executing the browser application within the virtual browsing environment. Another embodiment includes receiving a website selection within a browser application, determining if the website selection corresponds to a secure bookmark, and creating a second virtual browsing environment and executing the browser application within the second virtual browsing environment to access the website selection when the website selection corresponds to a website specified as a secure bookmark.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: November 6, 2018
    Assignee: George Mason Research Foundation, Inc.
    Inventors: Anup K. Ghosh, Sushil Jajodia, Yih Huang, Jiang Wang
  • Patent number: 10116676
    Abstract: Methods and apparatus for evaluating collected data relating to online activity, and modification of services within a service provider network. In one embodiment, a service provider collects data relating to the online activity of users of third-party services and correlates the data with subscribers of the service provider to generate useful products and analytics (e.g., classifications, behavioral models, etc.) containing information relating to the subscribers' online activity. The generated products may be used to determine whether and how to modify services provided to individual subscribers, exported for use by third parties, or for other purposes.
    Type: Grant
    Filed: February 16, 2016
    Date of Patent: October 30, 2018
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: Chris Roosenraad, Richard Harman, John W. Watson, Christopher Turner, Phil Arnhold, Brian Durham, Barbara Stovall
  • Patent number: 10116678
    Abstract: A system for detecting fraudulent emails from entities impersonating legitimate senders that are intended to cause the recipients to unknowingly conduct unauthorized transactions, for example, transferring funds or divulging sensitive information. The system monitors emails being sent from and received at the protected domain to detect suspected fraudulent emails. The emails are monitored for, among other aspects, linguistic variations, changes in normal patterns of email communications, and new or unfamiliar source domains. Suspicious emails can be held and flagged for later review, discarded, or passed through with an alert raised indicating that a review is needed.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: October 30, 2018
    Assignee: Verrafid LLC
    Inventors: Vincent Jay LaRosa, Christopher H. York, Sr.
  • Patent number: 10114735
    Abstract: A method, a device and a medium for managing an application program are provided. The method includes: type information of a first application program running on a foreground of a terminal is acquired; and the first application program is prevented from being debugged by other application programs if the type information of the first application program is preset type information.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: October 30, 2018
    Assignee: BEIJING XIAOMI MOBILE SOFTWARE CO., LTD.
    Inventors: Yufei Wang, Chenxi Wang, Ming Liu
  • Patent number: 10108918
    Abstract: A method and system for assessing the data leakage threat associated with third-party tags on a particular website, such as a content publisher site, in which the threat is assessed by mimicking a standard web browser. Each third-party tag on the site is identified and investigated in a hierarchical manner, and a data leakage threat score is assigned to each third-party tag based on certain attributes associated with the tag and the resource linked by the third-party tag. A cumulative data leakage threat score is then calculated to determine if the site is a data leakage threat, such as a threat for misuse of a consumer's data.
    Type: Grant
    Filed: September 5, 2014
    Date of Patent: October 23, 2018
    Assignee: Acxiom Corporation
    Inventors: Vivek Palan, Paul Owen, Frank Ledo, Ben Jolitz
  • Patent number: 10110633
    Abstract: The method comprises: capturing and removing a public unique identifier set by a Website (300) in a computing device (100D) of a user (100); monitoring, during a first time-period, web-requests the user (100) makes to obtain a web-behavioral profile of the user (300), and storing the obtained web-behavioral profile as a first vector; tracking, during a second time-period, the web-requests to examine the effect each web-request has on assisting the de-anonymization of the user (100), obtaining a second vector; classifying the obtained second vector taking into account a computed similarity score parameter; creating and mapping a corresponding private unique identifier for said captured public identifier; and executing, based on said mapping between the private and the public unique identifiers, an intervention algorithm for said web-tracker that considers a configured intervention policy.
    Type: Grant
    Filed: November 16, 2015
    Date of Patent: October 23, 2018
    Assignee: Telefonica, S.A.
    Inventors: Nikolaos Laoutaris, Jeremy Blackburn
  • Patent number: 10108802
    Abstract: A method for using static program analysis for detecting security bugs in application source code including receiving and determining a plurality of variables based on the application source code. The method further includes determining a plurality of information flow relations comprising a source variable and a target variable, determining a confidentiality requirement and a capability for each of the source variables, and determining an integrity requirement and a capability for each of the target variables. The method further includes generating an error report log entry when the capability of the target variable is not greater than and not equal to the confidentiality requirement of the source variable or the capability of the source variable is not greater than and not equal to the integrity requirement of the target variable. The method further includes generating an error report log.
    Type: Grant
    Filed: January 30, 2015
    Date of Patent: October 23, 2018
    Assignee: Oracle International Corporation
    Inventors: Yi Lu, Raghavendra Kagalavadi Ramesh
  • Patent number: 10102372
    Abstract: Provided herein are systems and methods for behavior profiling of targets to determine malware presence. The method includes, in various embodiments, applying a domain specific language to a target; observing a set of temporal sequences and events of the target; determining the presence of markers within the set of temporal sequences and events indicative of malware; and identifying the target as being associated with malware based on the markers. In some embodiments, a malware detection system is provided for creating a behavioral sandbox environment where a target is inspected for malware. The behavioral sandbox environment can include forensic collectors. Each of the collectors may be configured to apply a domain specific language to a target; observe a set of temporal sequences and events of the target; determine the presence of markers within the set of temporal sequences and events indicative of malware; and detect malware presence based on the markers.
    Type: Grant
    Filed: June 14, 2017
    Date of Patent: October 16, 2018
    Assignee: Proofpoint, Inc.
    Inventors: Wayne Huang, M. James Idle
  • Patent number: 10102367
    Abstract: Among other things, embodiments of the present disclosure help provide entities with the ability to remotely detect behavior associated with malware and identify compromised user-sessions, regardless of the malware variant or family, and independently of the page structure.
    Type: Grant
    Filed: September 6, 2017
    Date of Patent: October 16, 2018
    Assignee: EASY SOLUTIONS ENTERPRISES CORP.
    Inventors: Ivan Dario Fajardo Verano, Claudio Deiro, Javier Fernando Vargas Gonzalez
  • Patent number: 10095871
    Abstract: The present disclosure is directed to a system, method, and computer program for detecting and assessing security risks in an enterprise's computer network. A behavior model is built for a user in the network based on the user's interactions with the network, wherein a behavior model for a user indicates client device(s), server(s), and resources used by the user. The user's behavior during a period of time is compared to the user's behavior model. A risk assessment is calculated for the period of time based at least in part on the comparison between the user's behavior and the user's behavior model, wherein any one of certain anomalies between the user's behavior and the user's behavior model increases the risk assessment.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: October 9, 2018
    Assignee: Exabeam, Inc.
    Inventors: Sylvain Gil, Domingo Mihovilovic, Nir Polak, Magnus Stensmo, Sing Yip
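A minimal version of the model-then-compare scheme the abstract above describes: build a per-user profile of the clients, servers and resources seen in a baseline window, then score a later period by the never-before-seen items it contains. This is an added example for this page, not Exabeam's code. The access records, the user names and the anomaly weights are all constructed and assumed.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set, Tuple

# Constructed access records: "<timestamp> <user> <client> <server> <resource>"
BASELINE_LOG = """\
2018-09-01T08:02 alice LAPTOP-A1 fileserver01 /finance/q3
2018-09-01T09:15 alice LAPTOP-A1 mail01 inbox
2018-09-02T08:10 alice LAPTOP-A1 fileserver01 /finance/q3
2018-09-02T13:40 alice LAPTOP-A1 vpn01 session
2018-09-03T08:05 alice LAPTOP-A1 mail01 inbox
2018-09-03T11:00 bob   LAPTOP-B7 dc01 ntds.dit
"""

NORMAL_PERIOD = """\
2018-09-04T08:11 alice LAPTOP-A1 fileserver01 /finance/q3
2018-09-04T10:02 alice LAPTOP-A1 mail01 inbox
"""

SUSPICIOUS_PERIOD = """\
2018-09-05T02:14 alice WS-UNKNOWN dc01 ntds.dit
2018-09-05T02:20 alice WS-UNKNOWN dc01 ntds.dit
2018-09-05T02:31 alice WS-UNKNOWN fileserver01 /hr/salaries
"""


@dataclass
class BehaviorModel:
    """What one user normally touches: the client devices, servers and resources."""
    user: str
    clients: Set[str] = field(default_factory=set)
    servers: Set[str] = field(default_factory=set)
    resources: Set[str] = field(default_factory=set)

    def known(self, kind: str) -> Set[str]:
        return getattr(self, kind + "s")


def parse(log: str) -> Iterator[Tuple[str, str, str, str, str]]:
    for line in log.splitlines():
        if line.strip():
            ts, user, client, server, resource = line.split()
            yield ts, user, client, server, resource


def build_model(log: str, user: str) -> BehaviorModel:
    model = BehaviorModel(user)
    for _, u, client, server, resource in parse(log):
        if u == user:  # other users' activity must not leak into this profile
            model.clients.add(client)
            model.servers.add(server)
            model.resources.add(resource)
    return model


# Assumed weights: a new device is a stronger signal than a new file.
WEIGHTS = {"client": 40, "server": 25, "resource": 10}


def assess(model: BehaviorModel, period_log: str) -> Tuple[int, List[str]]:
    """Compare one period against the model; each unseen item raises the score once."""
    observed: Dict[str, Set[str]] = {kind: set() for kind in WEIGHTS}
    for _, u, client, server, resource in parse(period_log):
        if u != model.user:
            continue
        observed["client"].add(client)
        observed["server"].add(server)
        observed["resource"].add(resource)
    score, anomalies = 0, []
    for kind, weight in WEIGHTS.items():
        for item in sorted(observed[kind] - model.known(kind)):
            anomalies.append(f"never-before-seen {kind}: {item}")
            score += weight
    return min(score, 100), anomalies


if __name__ == "__main__":
    model = build_model(BASELINE_LOG, "alice")
    print(assess(model, NORMAL_PERIOD))
    print(assess(model, SUSPICIOUS_PERIOD))
```

The repeated `dc01`/`ntds.dit` accesses in the suspicious period count once each; what drives the score is the combination of an unknown workstation, a domain controller the user never touched, and two unfamiliar resources, which is the kind of joint anomaly a per-event rule would miss.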
  • Patent number: 10096001
    Abstract: A system comprises content caching circuitry of a first email subsystem, and privacy enforcement circuitry of the first email subsystem. The privacy enforcement circuitry is configured to, after the reception of the email message by the connection handler circuitry and before relaying of the email message to a second email subsystem, detect tracking code in the email message; and replace the detected tracking code with replacement content. The tracking code comprises a first uniform resource locator (URL), and the replacement content comprises a second URL. The content caching circuitry is configured to: determine whether content stored at the first URL is wanted or needed; and not fetch the content from the first URL if the content stored at the first URL is not wanted and not needed.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: October 9, 2018
    Inventors: Paul R Everton, Chad M Gilles, Tian Wang
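The rewrite step of the abstract above, as an added example for this page (not the inventors' code): detect tracking images in an inbound message, swap each first URL for a proxy-controlled second URL, and let the caching side fetch the origin only when the content is actually wanted. The tracker heuristics (1x1 or hidden images, "open"/"pixel"-style paths), the replacement URL prefix `https://mail-proxy.example/img/` and the sample message are all constructed assumptions.

```python
import re
from typing import Dict, Optional

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')
TRACKER_HINTS = ("track", "pixel", "/open", "beacon")   # assumed path keywords
REPLACEMENT_BASE = "https://mail-proxy.example/img/"    # assumed second-URL prefix


def is_tracking_pixel(attrs: Dict[str, str]) -> bool:
    """Heuristic: a tiny or hidden image, or a URL that looks like an open tracker."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    if w in ("0", "1") and h in ("0", "1"):
        return True
    if "display:none" in attrs.get("style", "").replace(" ", "").lower():
        return True
    src = attrs.get("src", "").lower()
    return any(hint in src for hint in TRACKER_HINTS)


class PrivacyEnforcer:
    """Privacy enforcement + content caching roles from the abstract, in one object."""

    def __init__(self) -> None:
        self.mapping: Dict[str, str] = {}  # second (proxy) URL -> first (origin) URL

    def rewrite(self, html: str) -> str:
        """Runs between reception and relay: replace tracking URLs before delivery."""
        def sub(m: "re.Match") -> str:
            tag = m.group(0)
            attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
            if "src" not in attrs or not is_tracking_pixel(attrs):
                return tag  # ordinary image: leave untouched
            second = f"{REPLACEMENT_BASE}{len(self.mapping) + 1}"
            self.mapping[second] = attrs["src"]
            return tag.replace(attrs["src"], second, 1)
        return IMG_TAG.sub(sub, html)

    def fetch_decision(self, second_url: str, wanted: bool) -> Optional[str]:
        """Caching side: return the origin URL to fetch only if the content is wanted.
        Returning None means 'do not contact the tracker at all'."""
        first = self.mapping.get(second_url)
        if first is None or not wanted:
            return None
        return first


# Constructed sample message.
SAMPLE_EMAIL = """\
<html><body>
<p>Hello Alice,</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://t.example-marketing.net/open?u=alice&c=42" width="1" height="1">
<img src="https://imgs.example.org/banner.jpg" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    enforcer = PrivacyEnforcer()
    print(enforcer.rewrite(SAMPLE_EMAIL))
    print(enforcer.mapping)
```

The important property is that the recipient's client never sees the first URL, so merely rendering the message cannot fire the tracker; the decision to ever fetch it is moved to the proxy, which defaults to not fetching.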
  • Patent number: 10095538
    Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a detection mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or notification of, and action by a monitoring guest upon access by a monitored guest to predetermined physical memory locations.
    Type: Grant
    Filed: July 11, 2016
    Date of Patent: October 9, 2018
    Assignee: Lynx Software Technologies, Inc.
    Inventors: Edward T. Mooring, Phillip Yankovsky
  • Patent number: 10095844
    Abstract: A method includes: receiving a blacklist identifying piracy threatening items that pose a piracy threat such that, if installed and active with playback of the digital media content on the client, the piracy threatening items facilitate unauthorized use of the digital media content, the piracy threatening items on the blacklist having associated priority values; identifying first and second subsets of piracy threatening items in the blacklist responsive to the associated priority values; determining whether one or more piracy threatening items associated with the first subset are present on the client; performing a DRM transaction provisioning the digital media content for playback responsive to determining that no piracy threatening items associated with the first subset are present on the client; and determining whether to play back the digital media content responsive to determining whether one or more piracy threatening items associated with the second subset are present on the client.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: October 9, 2018
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventors: Anton Valerievich Koukine, Owen Michael Means, Sean Joseph Higgins, Paul Osborne
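The two-gate flow in the abstract above, as an added example for this page rather than Google's implementation: the blacklist is split by priority, the high-priority subset is checked before any DRM transaction is attempted, and the low-priority subset is checked only afterwards to decide whether playback proceeds. The item names, the priority cut-off of 80 and the simulated license transaction are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

@dataclass(frozen=True)
class BlacklistItem:
    name: str       # constructed process / driver name
    priority: int   # higher = greater piracy threat

PROVISION_PRIORITY = 80  # assumed cut-off between the first and second subsets

# Constructed blacklist as a client might receive it from the service.
BLACKLIST = [
    BlacklistItem("screen-grabber.exe", 95),
    BlacklistItem("hdmi-splitter.sys", 90),
    BlacklistItem("debugger.exe", 60),
    BlacklistItem("virtual-display.sys", 50),
]


def split_blacklist(items: Iterable[BlacklistItem]) -> Tuple[Set[str], Set[str]]:
    items = list(items)
    first = {i.name for i in items if i.priority >= PROVISION_PRIORITY}
    second = {i.name for i in items if i.priority < PROVISION_PRIORITY}
    return first, second


def drm_transaction() -> bool:
    """Stand-in for the real license acquisition; always succeeds here."""
    return True


def decide(blacklist: Iterable[BlacklistItem], client_inventory: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (outcome, offending items).

    refuse_license        first-subset item present: no DRM transaction happens at all
    license_failed        transaction attempted but not granted
    licensed_no_playback  license provisioned, but a second-subset item blocks playback
    play                  nothing on the client matched
    """
    first, second = split_blacklist(blacklist)
    present = set(client_inventory)      # installed-and-active items on the client
    hits = sorted(first & present)
    if hits:
        return "refuse_license", hits
    if not drm_transaction():
        return "license_failed", []
    hits = sorted(second & present)
    if hits:
        return "licensed_no_playback", hits
    return "play", []


if __name__ == "__main__":
    for inventory in (["explorer.exe"], ["debugger.exe"], ["screen-grabber.exe", "debugger.exe"]):
        print(inventory, "->", decide(BLACKLIST, inventory))
```

Note that the first-subset check fires before the license server is ever contacted, so a client running a top-priority item gets no license material at all, while a second-subset hit still costs a license but withholds playback.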
  • Patent number: 10089474
    Abstract: Virtual machine introspection can include performing an offline analysis of a virtual machine hard disk image. Core operating system files associated with the operating system can be located during the offline analysis. Operating system structure symbols can be accessed from a symbol server based on the core operating system files. Introspection of the virtual machine can be performed using the accessed operating system structure symbols.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: October 2, 2018
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Tony Roberts, Mike Wray, Nigel Edwards
  • Patent number: 10091187
    Abstract: A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.
    Type: Grant
    Filed: September 26, 2017
    Date of Patent: October 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Emanuel Bronshtein, Roee Hay, Sagi Kedmi
  • Patent number: 10091232
    Abstract: A new paradigm for security analysis is provided by transitioning code analysis reporting from the problem space (the warnings themselves), to a solution space (potential solutions to the identified problems). Thus, instead of reporting raw findings to the user, the automated system as described here outputs proposed solutions to eliminate the defects identified in the security analysis. A consequence of this approach is that the report generated by the analysis tool is much more consumable, and thus much more actionable. Preferably, the report provides the user with one or more candidate location(s) at which to apply a fix to an identified security problem. These locations preferably are identified by processing overlapping nodes to identify one or more solution groupings that represent an API for a sanitization fix. The report also includes one or more recommendations for the fix, and preferably the report is generated on a per-vulnerability type basis.
    Type: Grant
    Filed: August 7, 2017
    Date of Patent: October 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Stephen Darwin Teilhet, Kristofer Alyn Duer, John Thomas Peyton, Jr., Omer Tripp
  • Patent number: 10091231
    Abstract: The disclosed computer-implemented method for detecting security blind spots may include (i) detecting, via an endpoint security program, a threat incident at a set of client machines associated with a security vendor server, (ii) obtaining an indication of how the set of client machines will respond to the detecting of the threat incident, (iii) predicting how a model set of client machines would respond to the threat incident, (iv) determining that a delta exceeds a security threshold, and (v) performing a security action by the security vendor server, in response to determining that the delta exceeds the security threshold, to protect the set of client machines at least in part by electronically notifying the set of client machines of information about the prediction of how the model set of client machines would respond to the threat incident. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: October 2, 2018
    Assignee: Symantec Corporation
    Inventors: Chris Gates, Stanislav Miskovic, Michael Hart, Kevin Roundy
  • Patent number: 10089461
    Abstract: Techniques for malicious content detection using code injection are described herein. In one embodiment, a first code section of a target program is loaded into a first memory page of a virtual machine (VM) hosted by a virtual machine monitor (VMM); the target program is the program that is to receive the code injection. The VMM injects a second code section into the target program by replacing the first code section with a second code section loaded in a second memory page. A behavior of a content specimen is determined using the injected second code section instead of the first code section, and the second code section is injected after the target program.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: October 2, 2018
    Assignee: FireEye, Inc.
    Inventors: Phung-Te Ha, Seva Tonkonoh, Osman Abdoul Ismael
  • Patent number: 10089223
    Abstract: Separating data of trusted and untrusted data types in a memory of a computer during execution of a software program. Assigning mutually separated memory regions in the memory, namely, for each of the data types, a memory region for storing any data of the respective data type, and an additional memory region for storing any data which cannot be uniquely assigned to one of the data types. For each allocation instruction, performing a memory allocation including linking the allocation instruction to at least one data source, generating instruction-specific context information, evaluating the data source to determine the data type, associating the data type with the context information, based on the context information, assigning the allocation instruction to the memory region assigned to the evaluated data type, and allocating memory for storing data from the data source in the assigned memory region.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: October 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Anil Kurmus, Matthias Neugschwandtner, Alessandro Sorniotti
  • Patent number: 10091166
    Abstract: Systems and methods for an SDN switch that provides service group chaining for sequentially serving multiple network security devices are provided. According to one embodiment, a packet received by the switch is processed by a first FPU based on a first set of rules and forwarded conditionally to a first security device. The packet is security processed, including dropping it or forwarding it to an egress port or forwarding it to a second FPU. When forwarded to the second FPU, the packet is processed based on a second set of rules by forwarding it to a second security device or dropping it or forwarding it to the egress port. When forwarded to the second security device, the packet is security processed, including dropping it or forwarding it to the egress port or conditionally forwarding it to a third FPU to be sequentially forwarded to a third security device.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: October 2, 2018
    Assignee: Fortinet, Inc.
    Inventors: Son Pham, Donald Krall, Venkateswara Adusumilli, Edward Lopez, Neil Huynh
  • Patent number: 10084702
    Abstract: The application discloses a packet processing method that includes: receiving, by a service distribution node, service routing information sent by a controller, where the service routing information includes a flow identifier, a service identifier, and a next-hop address, the flow identifier is used to identify a packet flow, the service identifier is used to identify a sequence of a service node instance that processes the packet flow, and the next-hop address is used to identify the service node instance that processes the packet flow; receiving a first packet; acquiring a first flow identifier according to the first packet, and searching the service routing information according to the first flow identifier to acquire a matched service identifier and a matched next-hop address; and sending a second packet to a first service node instance that has the matched next-hop address, which implements service processing on a packet flow.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: September 25, 2018
    Assignee: Huawei Technologies Co., Ltd
    Inventor: Changjiang Yan
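The Fortinet abstract (service group chaining through successive flow-processing units and security devices) and the Huawei abstract (controller-installed routing of flow identifier to service identifier and next hop) describe the same data path from two sides, so one simulation serves both. This is an added example for this page, not code from either patent. The flow table, the chain definitions, the `fpu-N` naming and the three toy security devices with their constructed signatures are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

Verdict = str  # "drop" | "forward" (straight to egress) | "next" (hand to the next FPU/device)

# Controller-installed service routing: flow identifier -> (service identifier, next hop).
FLOW_TABLE: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("tcp", 80): ("web-chain", "ips-1"),
    ("tcp", 25): ("mail-chain", "av-1"),
}
# Service identifier -> ordered sequence of service node instances.
CHAINS: Dict[str, List[str]] = {
    "web-chain": ["ips-1", "waf-1"],
    "mail-chain": ["av-1"],
}


# Toy security devices with constructed signatures (not real detection logic).
def ips(pkt: Packet) -> Verdict:
    return "drop" if b"../" in pkt.payload else "next"

def waf(pkt: Packet) -> Verdict:
    return "drop" if b"<script" in pkt.payload.lower() else "forward"

def av(pkt: Packet) -> Verdict:
    return "drop" if b"CONSTRUCTED-MALWARE-MARKER" in pkt.payload else "forward"

DEVICES: Dict[str, Callable[[Packet], Verdict]] = {"ips-1": ips, "waf-1": waf, "av-1": av}


def flow_id(pkt: Packet) -> Tuple[str, int]:
    return (pkt.proto, pkt.dport)


def process(pkt: Packet) -> Tuple[str, List[str]]:
    """Run one packet through the switch; return (final action, path of hops visited)."""
    path = ["fpu-1"]                      # first FPU applies the first rule set
    entry = FLOW_TABLE.get(flow_id(pkt))
    if entry is None:                     # no service route: plain switching to egress
        path.append("egress")
        return "forward", path
    service_id, next_hop = entry
    chain = CHAINS[service_id]
    if chain[0] != next_hop:              # controller state must be self-consistent
        raise ValueError(f"next hop {next_hop} is not the head of {service_id}")
    for stage, device in enumerate(chain, 1):
        if stage > 1:
            path.append(f"fpu-{stage}")   # the FPU whose rule set hands off to this device
        path.append(device)
        verdict = DEVICES[device](pkt)
        if verdict == "drop":
            return "drop", path
        if verdict == "forward":          # device sends the packet straight to egress
            break
    path.append("egress")
    return "forward", path


if __name__ == "__main__":
    print(process(Packet("10.0.0.5", "192.0.2.1", "tcp", 80, b"GET /index.html")))
    print(process(Packet("10.0.0.5", "192.0.2.1", "tcp", 80, b"GET /?q=<script>alert(1)</script>")))
    print(process(Packet("10.0.0.5", "192.0.2.1", "tcp", 22, b"SSH-2.0")))
```

The path returned for a clean HTTP packet, `fpu-1 -> ips-1 -> fpu-2 -> waf-1 -> egress`, is the sequential service group of the Fortinet abstract; the lookup that chose it, flow identifier to service identifier to next hop, is the service routing of the Huawei abstract. Flows with no route bypass inspection entirely, which is worth checking in a real deployment.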
  • Patent number: 10084817
    Abstract: A malware and exploit campaign detection system and method are provided that cannot be detected by the malware or exploit campaign. The system may provide threat feed data to the vendors that produce in-line network security and end point protection (anti-virus) technologies. The system may also be used as a testing platform for third-party products. Due to the massive footprint of the system's cloud infrastructure and disparate network connections and geo-location obfuscation techniques, NSS can locate and monitor malware across the globe and provide detailed threat analysis for each specific region, as they often support and host different malware/cybercrime campaigns.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: September 25, 2018
    Assignee: NSS Labs, Inc.
    Inventors: Mohamed Saher, Jayendra Pathak
  • Patent number: 10084815
    Abstract: A computer-implemented method, comprising: detecting network messages that are emitted by a compromised computer, wherein the compromised computer comprises at least one malware item that is configured to direct unauthorized network activity toward one or more enterprise networks or enterprise computers; queuing copies of the network messages in a queue; forwarding the network messages to original destinations; determining whether the number of network messages exceeds a specified threshold associated with an attack vector; filtering, by the processor, the copies that do not include one of a set of port values associated with known computer attacks; analyzing, by the processor, timing of the copies with respect to a predetermined schedule including active hours and inactive hours; detecting one or more security threats caused by the compromised computer based on the determining, filtering, and analyzing; and sending a result of the detecting to a security control computer over a communication network.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: September 25, 2018
    Assignee: Area 1 Security, Inc.
    Inventors: Oren Falkowitz, Philip Syme, Blake Darche
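The queue-forward-filter-count-time pipeline of the abstract above, run over constructed egress records from a host that is already known to be compromised. This is an added example for this page, not Area 1's code. The port-to-attack-vector map, the per-vector thresholds, the 08:00-18:59 active-hours schedule and the log lines are all assumptions; in particular the abstract says "exceeds", so a vector with a threshold of 0 triggers on a single message.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List

# Constructed egress records: "<ISO time> <src_ip> <dst_ip> <dst_port>"
SAMPLE_MESSAGES = """\
2018-03-02T02:11:05 10.0.0.7 10.0.1.20 445
2018-03-02T02:11:06 10.0.0.7 10.0.1.21 445
2018-03-02T02:11:07 10.0.0.7 10.0.1.22 445
2018-03-02T02:11:08 10.0.0.7 10.0.1.23 445
2018-03-02T02:11:09 10.0.0.7 10.0.1.24 445
2018-03-02T02:11:10 10.0.0.7 10.0.1.25 445
2018-03-02T02:15:00 10.0.0.7 10.0.1.30 3389
2018-03-02T02:15:30 10.0.0.7 10.0.1.31 3389
2018-03-02T02:20:00 10.0.0.7 198.51.100.9 4444
2018-03-02T09:05:00 10.0.0.7 93.184.216.34 443
2018-03-02T09:06:00 10.0.0.7 93.184.216.34 80
"""

# Assumed: destination ports tied to known attack vectors, and per-vector thresholds.
ATTACK_PORTS: Dict[int, str] = {445: "smb-lateral", 3389: "rdp-bruteforce", 22: "ssh-bruteforce", 4444: "reverse-shell"}
THRESHOLDS: Dict[str, int] = {"smb-lateral": 5, "rdp-bruteforce": 3, "ssh-bruteforce": 3, "reverse-shell": 0}
ACTIVE_HOURS = range(8, 19)   # assumed business schedule; everything else is inactive time


@dataclass(frozen=True)
class Message:
    ts: datetime
    src: str
    dst: str
    port: int


def parse_messages(text: str) -> List[Message]:
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            out.append(Message(datetime.fromisoformat(ts), src, dst, int(port)))
    return out


class ThreatDetector:
    def __init__(self) -> None:
        self.queue: Deque[Message] = deque()   # copies held for analysis
        self.forwarded: List[Message] = []     # originals passed on to their destinations

    def observe(self, msg: Message) -> None:
        """Queue a copy and forward the original; analysis never delays delivery."""
        self.queue.append(msg)
        self.forwarded.append(msg)

    def analyze(self) -> List[dict]:
        # Filter: drop copies whose port is not associated with a known attack.
        relevant = [m for m in self.queue if m.port in ATTACK_PORTS]
        counts: Dict[str, int] = defaultdict(int)
        off_hours: Dict[str, int] = defaultdict(int)
        for m in relevant:
            vector = ATTACK_PORTS[m.port]
            counts[vector] += 1
            if m.ts.hour not in ACTIVE_HOURS:   # timing against the schedule
                off_hours[vector] += 1
        threats = []
        for vector, n in sorted(counts.items()):
            if n > THRESHOLDS[vector]:          # threshold is per attack vector
                threats.append({"vector": vector, "count": n, "off_hours": off_hours[vector],
                                "targets": sorted({m.dst for m in relevant if ATTACK_PORTS[m.port] == vector})})
        return threats                          # what gets sent to the security control computer


def run(text: str) -> List[dict]:
    detector = ThreatDetector()
    for msg in parse_messages(text):
        detector.observe(msg)
    return detector.analyze()


if __name__ == "__main__":
    for threat in run(SAMPLE_MESSAGES):
        print(threat)
```

On the sample, the six SMB connections at 02:11 exceed the `smb-lateral` threshold and are all outside active hours, and the single outbound connection to port 4444 is reported because its threshold is 0; the two RDP attempts stay below their threshold, and the web traffic is filtered out before counting.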