Virus Detection Patents (Class 726/24)
  • Patent number: 10331882
    Abstract: Methods, systems, and computer-readable media for tracking and managing virtual desktops using signed tokens are presented. In some embodiments, a server computing device may receive a first registration message from a first virtual machine. The server computing device may determine a state of the first virtual machine based on token information associated with the first registration message received from the first virtual machine. Subsequently, the server computing device may update virtual machine state information records maintained by the server computing device based on the state of the first virtual machine determined by the server computing device. The virtual machine state information records maintained by the server computing device may identify one or more tainted virtual machines and one or more untainted virtual machines.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: June 25, 2019
    Assignee: Citrix Systems, Inc.
    Inventors: Leo C. Singleton, William T. G. Charnell, Sebastian Tomasz Amrogowicz, Andrew John Ogle, Sheldon Ferdinand Lachambre
  • Patent number: 10333951
    Abstract: A method and a system for implementing golden container storage. Specifically, the disclosed method and system entail the creation of a container registry to securely store golden containers (or templates) for containers of specific application types that execute within a service platform. Given short retention spans, the containers are constantly being cycled out. Each recreated container is modeled after one of the golden containers, and assigned new Internet Protocol (IP) and/or media access control (MAC) addresses rather than assuming the existing addresses of the containers the recreated containers replace. Substantively, embodiments of the invention employ these tactics towards implementing a moving target defense (MTD) strategy.
    Type: Grant
    Filed: July 31, 2017
    Date of Patent: June 25, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Assaf Natanzon, Amit Lieberman, Oron Golan, Yuri Manusov, Raul Shnier
  • Patent number: 10333949
    Abstract: The present disclosure relates to systems and methods for blocking an infection vector. In some embodiments, a method may include detecting, at a first device, a synchronization event with a second device, the first device and the second device operating with a proprietary mobile operating system. In some examples, the method may include recognizing, by the first device, that the first device is attempting to send a data package to the second device, and identifying the data package as malware. The method may further include blocking the data package from being received at the second device based at least in part on the identifying.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: June 25, 2019
    Assignee: Symantec Corporation
    Inventors: Rui Jing, Joseph Chen, Yuan Liu
  • Patent number: 10326781
    Abstract: Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: June 18, 2019
    Assignee: SONICWALL INC.
    Inventors: Aleksandr Dubrovsky, Senthilkumar G. Cheetancheri, Boris Yanovsky
  • Patent number: 10325092
    Abstract: Examples relate to dynamically adjusting a model for a security operations center (“SOC”). As such, the examples disclosed herein enable constructing a customer storage model over a set of time periods for a customer based on a set of resources of the SOC, a storage distribution model received from the customer related to expected usage of the set of resources, and a threat landscape for the customer. The customer storage model may be revised for a second time period based on actual storage use of the customer during a first time period, and a projection of an amount of data to be consumed in the second time period based on the threat landscape. Allocation of the resources in the SOC may be revised for the second time period based on the revision to the customer storage model.
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: June 18, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Marco Casassa Mont, Simon Ian Arnell, Mihaela Gittler
  • Patent number: 10318731
    Abstract: A detection method comprising: (A) transmitting a to-be-tested file to a first testing machine by the processing device, wherein the first testing machine is used for executing the to-be-tested file; (B) monitoring, by the processing device, whether a component usage of the first testing machine is higher than a default threshold during a period of executing the to-be-tested file; and (C) when the component usage of the first testing machine is higher than the default threshold, analyzing, by the memory forensics module, the memory space of the first testing machine to determine whether the to-be-tested file comprises a malware program and generate an analyzing result.
    Type: Grant
    Filed: December 5, 2016
    Date of Patent: June 11, 2019
    Assignee: INSTITUTE FOR INFORMATION INDUSTRY
    Inventors: Jian-Wei Liao, Chin-Wei Tien, Shun-Chieh Chang
  • Patent number: 10320821
    Abstract: Methods, computer-readable media, software, and apparatuses may assist a consumer in keeping track of a consumer's accounts in order to prevent unauthorized access or use of the consumer's identified accounts. To discover the various accounts, the methods, computer-readable media, software, and apparatuses can monitor at least a consumer's email accounts, web browser history, and web cache. The discovered accounts may be displayed to the consumer along with recommendations and assistance for closing unused or unwanted accounts to prevent unauthorized access or use.
    Type: Grant
    Filed: September 22, 2017
    Date of Patent: June 11, 2019
    Assignee: Allstate Insurance Company
    Inventors: Jason D. Park, John S. Parkinson
  • Patent number: 10313370
    Abstract: Techniques for generating malware signatures based on developer fingerprints in debug information are disclosed. In some embodiments, a system, process, and/or computer program product for generating malware signatures based on developer fingerprints in debug information includes receiving a sample, in which the sample includes a binary executable file; matching one or more paths in content of the binary executable file based on a plurality of patterns; extracting meta information from the one or more matched paths; and automatically generating a signature based on the extracted meta information.
    Type: Grant
    Filed: May 2, 2018
    Date of Patent: June 4, 2019
    Assignee: Palo Alto Networks, Inc.
    Inventor: Zihang Xiao
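The abstract above describes matching paths in a binary, pulling meta information out of them and emitting a signature. The following is an added illustration of that pipeline, not code from the patent or from Palo Alto Networks: it scans a constructed byte string for an embedded Windows PDB path, takes the user-profile prefix and the project folder as the developer fingerprint, and emits a YARA rule. The sample bytes, the build-folder list and the rule layout are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: PE-like junk surrounding an embedded PDB path of the kind
# the linker writes into the CodeView (RSDS) debug record. Not a real binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"RSDS" + b"\x11" * 20
    + b"C:\\Users\\j.doe\\source\\repos\\dropper\\Release\\dropper.pdb\x00"
    + b"\x00" * 8
)

# Windows absolute path ending in .pdb; the class excludes bytes that cannot
# occur inside a path component (NUL, backslash, CR/LF, double quote).
PDB_PATH_RE = re.compile(
    rb'[A-Za-z]:\\(?:[^\x00\\\r\n"]+\\)*[^\x00\\\r\n"]+\.pdb', re.IGNORECASE
)
# Build-configuration folders that say nothing about the project itself (assumed list).
BUILD_DIRS = {"release", "debug", "x64", "x86", "win32", "bin", "obj"}


@dataclass(frozen=True)
class PdbMeta:
    path: str
    developer_prefix: Optional[str]  # e.g. C:\Users\<name>\ when present
    project: str                     # nearest directory that is not a build folder
    filename: str


def extract_pdb_paths(data: bytes) -> List[str]:
    return [m.decode("latin-1") for m in PDB_PATH_RE.findall(data)]


def parse_meta(path: str) -> PdbMeta:
    parts = path.split("\\")
    dirs, filename = parts[:-1], parts[-1]
    lowered = [d.lower() for d in dirs]
    developer_prefix = None
    if "users" in lowered:
        i = lowered.index("users")
        if i + 1 < len(dirs):
            developer_prefix = "\\".join(dirs[: i + 2]) + "\\"
    project = next((d for d in reversed(dirs) if d.lower() not in BUILD_DIRS), "")
    return PdbMeta(path, developer_prefix, project, filename)


def _yara_text(s: str) -> str:
    # YARA text strings escape backslash and double quote.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def generate_rule(meta: PdbMeta) -> str:
    rule_id = hashlib.sha256(meta.path.lower().encode("latin-1")).hexdigest()[:12]
    strings = [f'        $pdb_path = "{_yara_text(meta.path)}" ascii nocase']
    condition = "$pdb_path"
    if meta.developer_prefix:
        # The user-profile prefix is the developer fingerprint: it survives a
        # rename of the project and is shared by that developer's other builds.
        strings.append(
            f'        $dev_prefix = "{_yara_text(meta.developer_prefix)}" ascii nocase'
        )
        condition = "$pdb_path or $dev_prefix"
    lines = [
        f"rule pdb_fingerprint_{rule_id}",
        "{",
        "    meta:",
        f'        project = "{meta.project}"',
        f'        pdb = "{meta.filename}"',
        "    strings:",
        *strings,
        "    condition:",
        f"        {condition}",
        "}",
    ]
    return "\n".join(lines) + "\n"


def signatures_for_sample(data: bytes) -> List[str]:
    return [generate_rule(parse_meta(p)) for p in extract_pdb_paths(data)]


if __name__ == "__main__":
    for rule in signatures_for_sample(SAMPLE_BINARY):
        print(rule)
```

The developer-prefix string is the part worth keeping: a full PDB path is a one-off indicator, while `C:\Users\<name>\` ties together every build that developer ships. Before deploying such a rule, check the prefix against a clean corpus; common user names such as `admin` or `user` will match legitimate software.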
  • Patent number: 10313373
    Abstract: There is provided a network appliance, methods and systems which intercept web and email traffic, extract executables, compare the executables with a policy and wrap the executables. Then, the wrapped executables are delivered to a client system in a manner to protect the network and end point devices, where the wrapped executables are run in a sandbox with all file system, registry accesses, communication and traffic isolated.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: June 4, 2019
    Inventors: Melih Abdulhayoglu, Egemen Tas, Haibo Zhang
  • Patent number: 10313366
    Abstract: Techniques are provided for retroactively identifying malware programs when new signatures become available that later match network traffic previously obtained from the sandbox environment. An exemplary method comprises obtaining a plurality of packet capture files comprising previously captured network communications of malware programs that previously executed in a sandbox environment, wherein each of the packet capture files are associated with a corresponding malware program that generated the network communications; obtaining signatures indicative of at least one malware program; comparing the signatures to the packet capture files; and retroactively identifying a given malware program as malware if a signature matches a given packet capture file associated with the given malware program.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: June 4, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: Erik M. Heuser
  • Patent number: 10313387
    Abstract: Systems and methods are described for using a template for simulated phishing campaigns based on a predetermined date from a date associated with a user. The predetermined date may be an event, an anniversary or a milestone associated with employment of the user with a company. The campaign controller may identify a date associated with the user and, based on the identification of the date associated with the user, the campaign controller may select one or more templates for one or more simulated phishing campaigns to be triggered by a predetermined date related to the date associated with the user.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: June 4, 2019
    Assignee: KNOWBE4, INC.
    Inventor: Greg Kras
  • Patent number: 10303878
    Abstract: A method detects, locates, and masks a hardware Trojan (HT) in an arithmetic circuit to improve circuit security. The method provides a first netlist and a second netlist of the arithmetic circuit, uses reverse engineering to extract 2-input XOR sub circuits, XOR trees, 1-bit adders, 1-bit adder graphs and arithmetic macros from the first netlist and the second netlist to obtain a first plurality of arithmetic macros and a second plurality of arithmetic macros, detects the HT by comparing the first plurality of arithmetic macros with the second plurality of arithmetic macros with functional ECO engine, locates the HT in the second netlist, and improves security of the arithmetic circuit by masking the HT with addition of a patch in the second netlist to obtain a patched netlist.
    Type: Grant
    Filed: January 13, 2017
    Date of Patent: May 28, 2019
    Inventor: Yu-Liang Wu
  • Patent number: 10303705
    Abstract: An organization categorization system and method is disclosed. The organization categorization system and method relies on server data to discover which business organizations are consuming the finite resources of the server and in what proportions. Organizations are categorized according to their consumption of resources. The categorization system and method further ascribes a relative business value to each organization to facilitate the allocation of resources among the various organizations in a business. In an example embodiment, users of the server resources use the SAS programming language and the server resources execute SAS applications that support the SAS programming language. The organization categorization system and method connects an executed computer program to a business-defined classification of applicability to purpose.
    Type: Grant
    Filed: November 21, 2016
    Date of Patent: May 28, 2019
    Assignee: Humana Inc.
    Inventors: Andrew B. Hollister, Elizabeth Barth-Thacker
  • Patent number: 10296743
    Abstract: A method and device for constructing an apk virus signature database and an apk virus detection system. The method comprises: obtaining a given sample set, the sample set being composed of N normal apk file samples and N virus-infected apk file samples; for any sample in the given sample set, separately obtaining M signature values of the sample according to M preset signatures; for any sample subset i (i=1, . . .
    Type: Grant
    Filed: March 3, 2015
    Date of Patent: May 21, 2019
    Assignee: Conew Network Technology (Beijing) Co., Ltd.
    Inventors: Guoqing Yuan, Haifeng Su, Xin Shu
  • Patent number: 10291700
    Abstract: As disclosed herein, a computer-implemented method includes receiving a delta scan from an endpoint system comprising changes to a baseline inventory, and determining if the delta scan can be processed. The method further includes, responsive to determining that the delta scan can be processed, processing the delta scan to produce a synchronized baseline inventory, and, responsive to determining that the delta scan cannot be processed, indicating that the delta scan is unable to be processed. The method further includes, responsive to indicating that the delta scan is unable to be processed, receiving a most recent full system scan from the endpoint system to provide a new synchronized baseline inventory. A computer program product and a computer system corresponding to the above method are also disclosed herein.
    Type: Grant
    Filed: February 8, 2016
    Date of Patent: May 14, 2019
    Assignee: International Business Machines Corporation
    Inventors: Piotr P. Godowski, Artur Obrzut, Luigi Pichetti, Jacek J. Stezowski
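The abstract above turns on one decision: whether a delta can be applied to the baseline the server holds, and falling back to a full scan when it cannot. The following is an added illustration of that state machine, not code from the patent or from IBM. It assumes a version counter as the processability check (a delta is only applied when it was computed against the exact baseline version the server holds) and simple path-to-hash inventories; the endpoint names and file hashes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Baseline:
    endpoint: str
    version: int
    files: Dict[str, str]  # path -> content hash


@dataclass
class DeltaScan:
    endpoint: str
    base_version: int  # the baseline version the endpoint diffed against
    changed: Dict[str, str] = field(default_factory=dict)  # added or modified
    removed: List[str] = field(default_factory=list)


@dataclass
class FullScan:
    endpoint: str
    files: Dict[str, str]


class InventoryServer:
    def __init__(self) -> None:
        self.baselines: Dict[str, Baseline] = {}
        self.needs_full_scan: Set[str] = set()

    def can_process(self, delta: DeltaScan) -> bool:
        # A delta is only meaningful against the exact baseline it was computed
        # from; an unknown endpoint or a stale/ahead version cannot be merged.
        base = self.baselines.get(delta.endpoint)
        if base is None or base.version != delta.base_version:
            return False
        # Removing a path the server never saw means the two sides diverged.
        return all(path in base.files for path in delta.removed)

    def apply_delta(self, delta: DeltaScan) -> Optional[int]:
        """Returns the new baseline version, or None when the delta was rejected
        and the endpoint has been asked for a full scan."""
        if not self.can_process(delta):
            self.needs_full_scan.add(delta.endpoint)
            return None
        base = self.baselines[delta.endpoint]
        for path in delta.removed:
            del base.files[path]
        base.files.update(delta.changed)
        base.version += 1
        return base.version

    def apply_full_scan(self, full: FullScan) -> Baseline:
        # A full scan replaces whatever the server held and clears the fallback flag.
        old = self.baselines.get(full.endpoint)
        version = old.version + 1 if old else 1
        base = Baseline(full.endpoint, version, dict(full.files))
        self.baselines[full.endpoint] = base
        self.needs_full_scan.discard(full.endpoint)
        return base


if __name__ == "__main__":
    srv = InventoryServer()
    srv.apply_full_scan(FullScan("host-a", {"/bin/ls": "h1", "/bin/cat": "h2"}))
    print(srv.apply_delta(DeltaScan("host-a", 1, changed={"/bin/ls": "h1b"}, removed=["/bin/cat"])))
    print(srv.apply_delta(DeltaScan("host-a", 1, changed={"/tmp/x": "h3"})), srv.needs_full_scan)
```

The version check is what prevents silent drift: an endpoint that lost the server's acknowledgement of its last delta would otherwise re-send changes relative to an inventory the server no longer holds, and the merged result would neither match the endpoint nor raise an error.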
  • Patent number: 10284598
    Abstract: In general, in one aspect, a system for providing honeypot network services may monitor network activity, and detect network activity indicative of network service discovery by a first device, for example, port scanning. The system may present a temporarily available network service to the first device in response to detecting the activity indicative of port scanning, for example, by redirecting traffic at an unassigned network address to a honeypot network service. The system may monitor communication between the first device and the presented honeypot network service to determine whether the monitored communication is indicative of a threat, and determine that the first device is compromised based on the monitored communication between the first device and the presented honeypot network service. The system may initiate measures to protect the network from the compromised first device.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: May 7, 2019
    Assignee: Sophos Limited
    Inventor: Daniel Stutz
  • Patent number: 10284577
    Abstract: The present application discloses a method and an apparatus for file identification. The method for file identification comprises: determining a virus family of each malicious file sample in a plurality of the file samples resulting in a plurality of virus families; dividing the plurality of the virus families into at least one sample group based on a number of the malicious files belonging to each of the plurality of virus families; training the malicious file samples in each of the at least one sample group with a different training rule to obtain at least one file identification model; and determining, using the at least one identification model whether a file is a malicious file. The method for file identification of the present application may provide different identification models for various types of malicious files and thus improves the accuracy of the file identification.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: May 7, 2019
    Assignee: IYUNTIAN CO., LTD.
    Inventors: Zhentan Feng, Deqiang Cao, Shuguang Xiong, Xiaobo Zhou, Xin Wang
  • Patent number: 10282092
    Abstract: Methods and systems for creating and maintaining a virtual library of virtual hard disks involve one or more processors partitioning resources on a physical host computer into at least one virtual machine having at least one virtual hard disk attached to the virtual machine and loading pre-selected custom content on the virtual hard disk. Thereafter, the virtual hard disk may be detached from the virtual machine and cataloged in a database together with control parameters limiting cloning of the detached virtual hard disk. At a later time, the cataloged virtual hard disk loaded with the pre-selected custom content may be attached from the database to the virtual machine on the physical host computer.
    Type: Grant
    Filed: September 9, 2015
    Date of Patent: May 7, 2019
    Assignee: CITIGROUP TECHNOLOGY, INC.
    Inventor: Parul K. Jain
  • Patent number: 10277631
    Abstract: Systems and methods herein discuss a policy engine stored on a mobile device that intercepts content requests to a content provider. The policy engine is self-preserving and may, subsequent to intercepting the content requests and based upon a determination that the requesting entity is associated with a whitelist, block the content requests. The policy engine may in some cases transmit at least some of the requested content in response to a determination that the requesting application is associated with a blacklist, or may transmit an HTTP 200 response to the requesting entity based on a determination that the requesting application anticipates a response.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: April 30, 2019
    Assignee: Sprint Communications Company L.P.
    Inventor: Glen S. Gemeniano
  • Patent number: 10277617
    Abstract: Provided are a method and device for feature extraction. The method comprises: acquiring a batch of black sample files and white sample files from an application layer of a smart terminal operating system; parsing each file, acquiring the information structure of all functions contained in each file, and computing a checksum for each function; determining whether or not the files contain the functions corresponding to the checksums, thus compiling statistics on the number of occurrences of each function in the black sample files and the white sample files; and extracting a black sample feature on the basis of functions occurring only in the black sample files and not occurring in the white sample files, or extracting a white sample feature on a similar basis.
    Type: Grant
    Filed: October 31, 2014
    Date of Patent: April 30, 2019
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Kang Yang, Zhuo Chen, Hai Tang
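The abstract above is a set-difference over per-function checksums counted across a black and a white corpus. The following is an added illustration of that extraction, not code from the patent or from Qihoo. It assumes each parsed file is a mapping from function name to the function's code bytes (what a DEX/APK parser would hand back), takes the checksum over those raw bytes, and goes one step beyond the abstract by adding a minimum black-sample count so that a function seen in a single black sample can be excluded as too weak a feature. All samples are constructed, not real apps or malware.

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

Sample = Dict[str, bytes]  # function name -> bytes of its code

# Constructed samples standing in for what an APK/DEX parser would return for
# each file's functions. Not real malware or real apps.
BLACK_SAMPLES = [
    {"onCreate": b"\x01\x02", "sendSms": b"\xaa\xbb\xcc", "getImei": b"\xde\xad"},
    {"onCreate": b"\x01\x02", "sendSms": b"\xaa\xbb\xcc", "hideIcon": b"\x10\x20"},
    {"onStart": b"\x05", "getImei": b"\xde\xad", "hideIcon": b"\x10\x20",
     "dropPayload": b"\x77\x88\x99"},
]
WHITE_SAMPLES = [
    {"onCreate": b"\x01\x02", "drawFrame": b"\x33\x44"},
    {"onCreate": b"\x01\x02", "onStart": b"\x05", "loadLevel": b"\x55"},
]


def function_checksum(code: bytes) -> str:
    # Assumption for this example: the checksum is taken over the raw code bytes.
    return hashlib.sha256(code).hexdigest()[:16]


def checksum_set(sample: Sample) -> Set[str]:
    return {function_checksum(code) for code in sample.values()}


def occurrence_counts(samples: Iterable[Sample]) -> Counter:
    # Number of samples in which each checksum occurs (counted once per sample,
    # so a file that contains the same function twice does not double-count).
    counts: Counter = Counter()
    for s in samples:
        counts.update(checksum_set(s))
    return counts


def extract_features(black: Iterable[Sample], white: Iterable[Sample],
                     min_black: int = 1) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Black feature: checksum seen in >= min_black black samples and in no white sample.
    White feature: checksum seen in white samples and never in a black sample.
    Each value is the number of samples the checksum was seen in."""
    black_counts = occurrence_counts(black)
    white_counts = occurrence_counts(white)
    black_features = {h: n for h, n in black_counts.items()
                      if n >= min_black and h not in white_counts}
    white_features = {h: n for h, n in white_counts.items() if h not in black_counts}
    return black_features, white_features


def score(sample: Sample, black_features: Dict[str, int],
          white_features: Dict[str, int]) -> Tuple[int, int]:
    """(black hits, white hits) for an unknown file, for a downstream classifier."""
    hashes = checksum_set(sample)
    return len(hashes & set(black_features)), len(hashes & set(white_features))


if __name__ == "__main__":
    bf, wf = extract_features(BLACK_SAMPLES, WHITE_SAMPLES)
    print(len(bf), "black features,", len(wf), "white features")
```

A checksum over raw bytes is exact and therefore brittle: recompiling with a different toolchain or renaming a register changes every checksum. In practice the bytes are normalised first (for example by masking operands and keeping only opcodes), which is a choice the abstract leaves open.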
  • Patent number: 10268825
    Abstract: Mechanisms are provided for correlating security vulnerability detection across multiple applications. The mechanisms perform a security vulnerability analysis of first source code of a first application, and identify, based on results of the security vulnerability analysis, a security vulnerability in a first portion of the first source code. The mechanisms associate characteristics of the security vulnerability with the first portion, and correlate the characteristics of the security vulnerability with second source code of a second application based on the association of the characteristics of the security vulnerability with the first portion. In addition, the mechanisms generate an output to a computing device of a consumer or contributor associated with the second source code identifying a presence of the security vulnerability in the second source code based on the correlation.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: April 23, 2019
    Assignee: International Business Machines Corporation
    Inventors: Elizabeth A. Holz, Iosif V. Onut, Joni E. Saylor, Hyun Kyu Seo, Ronald B. Williams
  • Patent number: 10262136
    Abstract: Systems, methods and apparatus for malware detection detect and stop the distribution of malware and other undesirable content before such content reaches computing systems. A malware detection service external to network edges of a system receives a request from a computer within the system, the request identifying a signature associated with content. The service determines a status indicator of the content using the signature, and transmits the status indicator to the computer.
    Type: Grant
    Filed: August 4, 2008
    Date of Patent: April 16, 2019
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Robert L. Voit, Jose Raphel
  • Patent number: 10264007
    Abstract: A method for detecting malware beaconing in a network, the method includes capturing network traffic over a network connection at a network connected device, representing the network traffic over the network connection as a set of tuples wherein each of the tuples includes at least a source Internet Protocol address, a destination Internet Protocol address, and a destination port, associating timestamps with each of the set of tuples, and analyzing the tuples using the timestamps based on frequency of connections to determine malware beaconing on the network, wherein the analyzing is performed by a computing device.
    Type: Grant
    Filed: April 19, 2018
    Date of Patent: April 16, 2019
    Assignee: NETSEC CONCEPTS, LLC
    Inventor: Brian Fehrman
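The abstract above reduces traffic to (source, destination, destination port) tuples with timestamps and looks for connection frequency that betrays a beacon. The following is an added illustration of that analysis, not code from the patent or from NETSEC CONCEPTS: it parses a constructed connection log into those tuples, computes the inter-connection gaps per tuple, and flags tuples whose gaps are both numerous and regular (low coefficient of variation). The log format, the 5-connection minimum and the 0.2 variation threshold are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]  # (source IP, destination IP, destination port)

# Constructed connection log, one connection per line: "epoch_seconds src dst dport".
# Flow 1 connects roughly every 60 s (a beacon); flow 2 is bursty, human-like
# browsing; flow 3 has too few connections to judge. Not real traffic.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7 443
1700000061 10.0.0.5 203.0.113.7 443
1700000119 10.0.0.5 203.0.113.7 443
1700000180 10.0.0.5 203.0.113.7 443
1700000240 10.0.0.5 203.0.113.7 443
1700000299 10.0.0.5 203.0.113.7 443
1700000002 10.0.0.5 198.51.100.20 443
1700000003 10.0.0.5 198.51.100.20 443
1700000004 10.0.0.5 198.51.100.20 443
1700000250 10.0.0.5 198.51.100.20 443
1700000251 10.0.0.5 198.51.100.20 443
1700000900 10.0.0.5 198.51.100.20 443
1700000010 10.0.0.9 192.0.2.33 80
1700000400 10.0.0.9 192.0.2.33 80
"""


def parse_log(text: str) -> Dict[FlowKey, List[float]]:
    """Group connection timestamps by (src, dst, dport) tuple."""
    flows: Dict[FlowKey, List[float]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def periodicity(timestamps: List[float]) -> Tuple[float, float]:
    """Mean gap between consecutive connections and its coefficient of variation
    (population std dev / mean). A CV near 0 means the gaps are nearly identical."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(flows: Dict[FlowKey, List[float]], min_connections: int = 5,
                 max_cv: float = 0.2) -> List[Tuple[FlowKey, float, float]]:
    """Tuples with enough connections whose timing is regular enough to look automated."""
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call the timing regular
        mean, cv = periodicity(stamps)
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for key, mean, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{key[0]} -> {key[1]}:{key[2]}  every {mean}s  cv={cv}")
```

Real implants add jitter to their sleep interval, which raises the CV; the threshold therefore has to be tuned against the environment rather than fixed, and a second pass over the per-flow byte counts (a beacon's check-ins are also nearly the same size) is the usual companion check.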
  • Patent number: 10262309
    Abstract: Approaches for augmenting a BIOS with a new program. A BIOS provides an interface through which a user may select one or more programs from a plurality of offered programs. When the BIOS receives input from the user that selects a particular program, the BIOS retrieves, over a network, the particular program. Received applications may be stored in the BIOS or in a hidden file that the BIOS can also access without booting the operating system. An online application store can offer applications that are signed by the BIOS issuer as being approved for plug-in applications for use in a pre-boot or post-boot environment.
    Type: Grant
    Filed: February 11, 2013
    Date of Patent: April 16, 2019
    Assignee: Phoenix Technologies Ltd.
    Inventors: Steven Chan, Dan Kikinis
  • Patent number: 10256978
    Abstract: Techniques and mechanisms described herein facilitate the encryption of content using content-based encryption keys. According to various embodiments, data stream may include one or more data chunks. A client machine may apply a hash function to a data chunk to determine a fingerprint value. A cryptographic protocol shared with a remote server may be applied to the fingerprint value to determine a data chunk encryption key. The data chunk encryption key may be used to encrypt the data chunk, and the encrypted data chunk may be sent to the remote server for storage.
    Type: Grant
    Filed: November 7, 2017
    Date of Patent: April 9, 2019
    Assignee: QUEST SOFTWARE INC.
    Inventors: Murali Bashyam, Tarun K. Tripathy
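The abstract above describes deriving each chunk's encryption key from the chunk's own fingerprint so that the server can store one copy of identical chunks without seeing plaintext. The following is an added illustration of that flow on both sides, not code from the patent or from Quest Software. It makes two assumptions the abstract does not settle: the key-derivation "protocol shared with a remote server" is stood in for by a keyed HMAC over the fingerprint with a client-held secret, and the cipher is an HMAC-SHA256 counter-mode keystream (the standard library has no AES). The data stream and secret are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

CHUNK_SIZE = 16  # deliberately tiny so the constructed sample yields several chunks

# Constructed client-side secret. A keyed HMAC over the fingerprint stands in
# for the client-server key-derivation protocol the abstract refers to.
KEY_SECRET = bytes.fromhex("7b9c1e2d4f60a3b5c7d9e1f203142536475869708192a3b4c5d6e7f8091a2b3c")

# Constructed data stream: three identical chunks followed by a short tail.
SAMPLE_DATA = b"0123456789abcdef" * 3 + b"tail-of-file"


def chunk_stream(data: bytes) -> List[bytes]:
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def fingerprint(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()


def derive_chunk_key(fp: bytes) -> bytes:
    # Same fingerprint -> same key, which is what makes deduplication possible.
    return hmac.new(KEY_SECRET, fp, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher; XOR with it is
    # its own inverse, so one function encrypts and decrypts.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_chunk(chunk: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(chunk, _keystream(key, len(chunk))))


decrypt_chunk = encrypt_chunk


def encrypt_stream(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Client side: the (fingerprint, ciphertext) pair per chunk is what is uploaded."""
    records = []
    for c in chunk_stream(data):
        fp = fingerprint(c)
        records.append((fp, encrypt_chunk(c, derive_chunk_key(fp))))
    return records


def decrypt_stream(records: List[Tuple[bytes, bytes]]) -> bytes:
    return b"".join(decrypt_chunk(ct, derive_chunk_key(fp)) for fp, ct in records)


class ServerStore:
    """Server side: ciphertext indexed by fingerprint. Identical chunks from any
    client collapse to one stored copy; the server never needs the key."""

    def __init__(self) -> None:
        self.blobs: Dict[bytes, bytes] = {}

    def put(self, fp: bytes, ciphertext: bytes) -> bool:
        """True if the chunk was new, False if it was deduplicated."""
        if fp in self.blobs:
            return False
        self.blobs[fp] = ciphertext
        return True

    def get(self, fp: bytes) -> bytes:
        return self.blobs[fp]


if __name__ == "__main__":
    store = ServerStore()
    recs = encrypt_stream(SAMPLE_DATA)
    print([store.put(fp, ct) for fp, ct in recs], len(store.blobs), "chunks stored")
```

The same determinism that enables deduplication is the well-known limitation of content-derived keys: any party able to run the key derivation can encrypt a guessed chunk and compare it with what is stored, so low-entropy content (a standard form with one field filled in) is confirmable by guessing. Which parties can derive keys is exactly what the unspecified client-server protocol decides, and it is the property to check first in any concrete implementation.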
  • Patent number: 10250603
    Abstract: The launching of new software code, virtual machines, and other such instances can undergo one or more scans before being fully available in an electronic environment. One or more policies may apply to such a launch, which can cause the launch to first be performed under a first network configuration, wherein the instance may not be granted access to resources other than scanning infrastructure. After one or more scans are performed, the results can be compared against the policies and, if the results pass, the instance can be caused to operate in a second network configuration, whether launching a new instance in a production environment, altering the configuration of the network, or other such tasks. The policies can be set by a provider of the relevant resources, an administrator of one or more affected resources, an administrator of the instance, or another appropriate party.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: April 2, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Gregory Branchek Roth, Andrew Paul Mikulski
  • Patent number: 10243981
    Abstract: A system automatically detects bots and/or botnets.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: March 26, 2019
    Assignee: CA, Inc.
    Inventors: Jin Zhang, Chi Zhang, Zheng Chen
  • Patent number: 10242188
    Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: March 26, 2019
    Assignee: OPEN INVENTION NETWORK LLC
    Inventor: William Charles Easttom
  • Patent number: 10235524
    Abstract: A system, method, and apparatus for identifying and removing malicious applications are disclosed. An example apparatus includes an executable application configured to collect data regarding processes operating on a client device during a time period. The executable application is also configured to purposefully access, during the time period, an application server using a web browser on the client device in an attempt to trigger a malicious application potentially located on the client device. The executable application is configured to transmit, after the time period, the collected data to an analysis server to determine whether the malicious application is located on the client device.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: March 19, 2019
    Assignee: SUNSTONE INFORMATION DEFENSE, INC.
    Inventor: David K. Ford
  • Patent number: 10237284
    Abstract: A method for implementing an Internet of Things security appliance is presented. The method may include intercepting a data packet sent from a server to a client computing device. The method may include performing a security check on the data packet using security modules. The method may include determining the data packet is not malicious based on the security check. The method may include determining a shadow tester to test the data packet based on a type associated with the client computing device. The method may include creating a virtualization environment of the client computing device using the shadow tester. The method may include analyzing behaviors associated with the data packet within the virtualization environment using detection modules. The method may include determining the behaviors do not violate a behavior policy associated with the client computing device. The method may include transmitting the data packet to the client computing device.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: March 19, 2019
    Assignee: International Business Machines Corporation
    Inventors: KuoChun Chen, Sheng-Tung Hsu, Jia-Sian Jhang, Chun-Shuo Lin
  • Patent number: 10237303
    Abstract: In an example, there is disclosed a method and system for calculating an object's trust level for security purposes based on prevalence in a context-aware network. In an embodiment, as objects are accessed, a client queries a domain master such as a reputation server to evaluate the object's reputation. The domain master may maintain a prevalence-based reputation database, which may be updated as new clients report object prevalences.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: March 19, 2019
    Assignee: McAfee, LLC
    Inventors: Kenneth D. Simone, Jr., Paul A. Whitehurst, Mark Joseph Boudreaux
  • Patent number: 10229161
    Abstract: Approaches, techniques, and mechanisms are disclosed for improved caching in database systems that deal with multiple data access patterns, such as in database systems that interface with both OLTP and Data Warehouse clients. A cache is deployed between a database server and a storage system that stores data units. Some of the data units accessed by the database server are buffered within the cache. The data units may be associated with data access patterns, such as a random data access pattern or a scan data access pattern, in accordance with which the database server is or appears to be accessing the data units. A processor selects when to cache data units accessed by the database server, based at least on the associated data access patterns. Recent access counts may also be stored for the data units, and may further be utilized to select when to cache data units.
    Type: Grant
    Filed: September 17, 2014
    Date of Patent: March 12, 2019
    Assignee: Oracle International Corporation
    Inventors: Sarat B. Kakarla, Jia Shi, Selcuk Aya, Kothanda Umamageswaran, Juan R. Loaiza
  • Patent number: 10218726
    Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
    Type: Grant
    Filed: June 13, 2016
    Date of Patent: February 26, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, Andrea Di Pietro, Sukrit Dasgupta
  • Patent number: 10216718
    Abstract: A method for maintaining conversational cadence may include determining, by a processor, a conversational cadence associated with a user in a social network. The conversational cadence may be determined based on a plurality of messages previously transmitted by the user. The method may also include detecting, by the processor, a reduction in the conversational cadence of the user. The method may further include providing, by the processor, a set of fill-in messages that create an appearance to another user in the social network that there is no reduction in the conversational cadence.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: February 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Paul R. Bastide, Matthew E. Broomhall, Robert E. Loredo
  • Patent number: 10218731
    Abstract: Detecting cyber threat and malware, particularly zero-day malware, is a major challenge for the security community. Signature-based methods of cyber threat and malware detection are unable to detect zero-day malware. In order to detect zero-day malware and cyber threat which may have more severe impacts, a system called Compromised Detection System (CDS) and a method thereof is disclosed. The CDS uses a sophisticated approach and method based on Machine Learning to detect anomalies in the network behavior. By such approach, CDS is able to detect unknown cyber threat and malware (aka zero day) since they will present a deviation from the normal behavior in the network.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: February 26, 2019
    Assignee: EFFICIENT PROTECTION INC.
    Inventors: Karim Ganame, Ahmed Techini
  • Patent number: 10218741
    Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the cyber-vaccination technique includes using a network device that is infected by a malware program to determine a marker generated by the malware program. The marker may indicate to the malware program that the network device has been infected by the malware program. Determining the marker can include identifying a placement of the marker on the network device. The technique further includes identifying one or more other network devices that have not previously been infected by the malware program. The technique further includes automatically distributing copies of the marker. When a copy of the marker is received at one of the previously identified, uninfected network devices, the identified network device can place the marker on the identified network device according to the identified placement.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: February 26, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventor: Rajendra A. Gopalakrishna
  • Patent number: 10210332
    Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: February 19, 2019
    Assignee: Juniper Networks, Inc.
    Inventors: Kyle Adams, Daniel J. Quinlan
  • Patent number: 10212186
    Abstract: The disclosure is directed towards systems and methods for improving security in a computer network. The system can include a planner and a plurality of controllers. The controllers can be deployed within each zone of the production network. Each controller can be configured to assume the role of an attacker or a target for malicious network traffic. Simulations of malicious behavior can be performed by the controllers within the production network, and can therefore account for the complexities of the production network, such as stateful connections through switches, routers, and other intermediary devices. In some implementations, the planner can analyze data received from the controllers to provide a holistic analysis of the overall security posture of the production network.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: February 19, 2019
    Assignee: VERODIN, INC.
    Inventors: Christopher B. Key, Paul E. Holzberger, Jr.
  • Patent number: 10204226
    Abstract: According to some embodiments, a threat detection model creation computer may receive a series of normal monitoring node values (representing normal operation of the industrial asset control system) and generate a set of normal feature vectors. The threat detection model creation computer may also receive a series of threatened monitoring node values (representing a threatened operation of the industrial asset control system) and generate a set of threatened feature vectors. At least one potential decision boundary for a threat detection model may be calculated based on the set of normal feature vectors, the set of threatened feature vectors, and an initial algorithm parameter. A performance of the at least one potential decision boundary may be evaluated based on a performance metric. The initial algorithm parameter may then be tuned based on a result of the evaluation, and the at least one potential decision boundary may be re-calculated.
    Type: Grant
    Filed: December 7, 2016
    Date of Patent: February 12, 2019
    Assignee: GENERAL ELECTRIC COMPANY
    Inventors: Cody Joe Bushey, Lalit Keshav Mestha, Justin Varkey John, Daniel Francis Holzhauer
  • Patent number: 10200383
    Abstract: Methods and systems for neutralizing malicious locators. Threat actors may shut down their web pages or applications (i.e., resources) that serve malicious content upon receiving request(s) configured to be perceived by the resource as non-browser requests. Therefore, initiating (large-scale) non-browser requests, or requests that are at least perceived as non-browser requests, may effectively act to inhibit, or even nullify, intended attack vectors.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: February 5, 2019
    Assignee: Rapid7, Inc.
    Inventors: Roy Hodgman, Aditya Kuppa, Suchin Gururangan, Andrew Reece
  • Patent number: 10198734
    Abstract: A computer-implemented method includes generating an emulated view of an advertisement; determining, based on the emulated view, one or more elements associated with the advertisement; comparing the one or more elements to one or more criteria associated with an advertisement marketplace; and determining, based on comparing, whether the advertisement complies with the one or more criteria.
    Type: Grant
    Filed: September 1, 2010
    Date of Patent: February 5, 2019
    Assignee: Google LLC
    Inventors: Eyal Manor, Ola Abiri
  • Patent number: 10198576
    Abstract: Systems and methods identify potentially mislabeled file samples. A graph is created from a plurality of sample files. The graph includes nodes associated with the sample files and behavior nodes associated with behavior signatures. Phantom nodes are created in the graph for those sample files having a known label. During a label propagation operation, a node receives data indicating a label distribution of a neighbor node in the graph. In response to determining that the current label for the node is known, a neighborhood opinion is determined for the associated phantom node, based at least in part on the label distribution of the neighboring nodes. After the label propagation operation has completed, differences between the neighborhood opinion and the current label distribution for nodes are determined. If the difference exceeds a threshold, then the current label may be incorrect.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: February 5, 2019
    Assignees: AVAST SOFTWARE S.R.O., USTAV INFORMATIKY AV CR, V.V.I.
    Inventor: Martin Vejmelka
  • Patent number: 10193918
    Abstract: An anti-malware application analyzes behavior of an executing process to identify ransomware. The anti-malware application detects an untrusted process requesting enumeration of a directory of user files and causes the untrusted process to initially operate on a decoy file that mimics the user files. If the behavior of the untrusted process with respect to the decoy file is indicative of ransomware, the process can be terminated without loss of the user files. The decoy file may be deployed in a way that is undetectable to the user.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: January 29, 2019
    Assignee: Malwarebytes Inc.
    Inventors: Mark William Patton, Nathan Scott, Ramon Royo Gutierrez, Sherab Giovannini
  • Patent number: 10193915
    Abstract: Disclosed are systems and methods for improving interactions with and between computers in content searching, generating, hosting and/or providing systems supported by or configured with personal computing devices, servers and/or platforms. The systems interact to identify and retrieve data within or across platforms, which can be used to improve the quality of data used in processing interactions between or among processors in such systems. The disclosed systems and methods provide a novel clustering framework applied on datasets of network interactions to automatically identify IP clusters carrying out a specific task(s) based on an IP blacklist. The disclosed systems and methods can analyze network activity of devices associated with the IP addresses, and/or the IP addresses themselves, and perform an automatic, on-the-spot analysis that results in a determination whether the activity is permitted on or over a network.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: January 29, 2019
    Assignee: OATH INC.
    Inventor: Baris Coskun
  • Patent number: 10193921
    Abstract: Aspects of the present disclosure involve systems and methods for computing devices to access a public network, posing as a user of the network, to detect one or more malware programs available for downloading through the network. More particularly, a malware detection control system utilizes a browser executed on a computing device to access a public network, such as the Internet. Through the browser, sites or nodes of the public network are accessed by the control system, with the interactions with the sites of the public network designed to mimic or approximate a human user of the browser. More particularly, the control system may apply one or more personality profiles to the browser of the computing device to access and interact with the nodes of the public network. Further, the control system may monitor the information retrieved from the network sites to detect the presence of malware within the nodes.
    Type: Grant
    Filed: February 9, 2017
    Date of Patent: January 29, 2019
    Assignee: Level 3 Communications, LLC
    Inventor: Skyler J. Bingham
  • Patent number: 10192052
    Abstract: According to one embodiment, a computerized method comprises conducting a first static scan on content within a file. Thereafter, if the first static scan did not result in the file being classified as malicious, the file is deconstructed to gain access to one or more objects within the file. A second static scan associated with the one or more objects is performed to determine whether the one or more objects are suspected of including malware. The file may then be classified as malicious based on results of the second static scan.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: January 29, 2019
    Assignee: FireEye, Inc.
    Inventors: Abhishek Singh, Yichong Lin, Angshuman Mukherjee, Zheng Bu
  • Patent number: 10185826
    Abstract: Client devices detect malware based on a ruleset received from a security server. To evaluate a current ruleset, an administrative client device initiates a ruleset evaluation of the malware detection ruleset. A security server partitions stored malware samples into a group of evaluation lists based on an evaluation policy. The security server then creates scanning nodes on an evaluation server according to the evaluation policy. The scanning nodes scan the malware samples of the evaluation lists using the rulesets and associate each malware sample with a rule of the ruleset based on the detections, if any. The security server analyzes the associations and optimizes the ruleset and stored malware samples. The security server sends the optimized ruleset to client devices such that they more efficiently detect malware samples.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: January 22, 2019
    Assignee: MALWAREBYTES INC.
    Inventors: Sunil Mathew Thomas, Michael Graham Malone
  • Patent number: 10187401
    Abstract: In one embodiment, a method includes receiving packet flow data at a feature extraction hierarchy comprising a plurality of levels, each of the levels comprising a set of feature extraction functions, computing a first set of feature vectors for the packet flow data at a first level of the feature extraction hierarchy, inputting the first set of feature vectors from the first level of the feature extraction hierarchy into a second level of the feature extraction hierarchy to compute a second set of feature vectors, and transmitting a final feature vector to a classifier to identify malicious traffic. An apparatus and logic are also disclosed herein.
    Type: Grant
    Filed: November 6, 2015
    Date of Patent: January 22, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Lukas Machlica, Michal Sofka
  • Patent number: 10187417
    Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operating under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OS VM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: January 22, 2019
    Assignee: George Mason Research Foundation, Inc.
    Inventors: Anup Ghosh, Yih Huang, Jiang Wang, Angelos Stavrou
  • Patent number: RE47364
    Abstract: In accordance with an embodiment of the present invention, a client device is protected against the execution of unauthorized software. The client includes a code authentication process that verifies the integrity of executable code, by generating and comparing a first hash value of the executable code with a known hash value of the original code. Furthermore, during boot-up, the client initializes a CPU exception vector table with one or more vector table entries. One or more, or all, of the vector table entries direct the CPU to execute the code authentication process prior to executing an event handler when an exception event occurs. Consequently, the code authentication process is virtually guaranteed to execute, thereby protecting against the execution of unauthorized code.
    Type: Grant
    Filed: March 16, 2016
    Date of Patent: April 23, 2019
    Assignee: VUDU, INC.
    Inventors: Edin Hodzic, Andrew M. Goodman, Prasanna Ganesan