Systems and methods are provided wherein document content is parsed into sentences, or other structures, and evaluated for similarity to other sentences. The similarity, such as when a consign similarity of two sentences is determined to be greater than a first threshold, is used to place similar sentences into chunks. The sentences are evaluated again based on a second threshold more restrictive than the first threshold. The threshold value is selected to produce a sufficiently flattened distribution of the sizes of the chunks. The sentences may then be re-chunked, and the chunks are then provided to an artificially intelligent language model, such as a large language model (LLM).
Systems and methods are provided for more natural human-machine interactions. Artificial intelligence (AI) fails to consider the context of one question that is provided by a previous question. By preserving metadata (e.g., entities, intents, and topics and/or the question itself) for a particular question for use in a second question, which the user may not be aware of, an AI system, can more accurately select a relevant response. If the user changes the topic, a topic detection services will detect the change and exclude the metadata, which is now irrelevant, from influencing the response to the current question.
Many documents, whether hardcopy or softcopy, require authentication for a particular use. Documents are often copied but knowing whether the contents of a document, even a copy of the document, have been altered can still be critical to the particular use. In one embodiment, a document's content is encoded with a symbolic representation, such as one or more Quick Response (QR) codes, derived from the document's content. Subsequent scanning of the document retrieves the document's content and the symbolic representation. The retrieved document's contents are then used to generate a symbolic representation of the content and compared to the content encoded in the symbolic representation. If the two match, the document has not been altered.
G06F 21/30 - Authentification, c.-à-d. détermination de l’identité ou de l’habilitation des responsables de la sécurité
G06K 19/06 - Supports d'enregistrement pour utilisation avec des machines et avec au moins une partie prévue pour supporter des marques numériques caractérisés par le genre de marque numérique, p. ex. forme, nature, code
G06V 20/00 - ScènesÉléments spécifiques à la scène
4.
SYSTEM AND METHODS FOR DETECTING ALTERED DOCUMENTS
Many documents, whether hardcopy or softcopy, require authentication for a particular use. Documents are often copied but knowing whether the contents of a document, even a copy of the document, have been altered can still be critical to the particular use. In one embodiment, a document's content is encoded with a symbolic representation, such as one or more Quick Response (QR) codes, derived from the document's content. Subsequent scanning of the document retrieves the document's content and the symbolic representation. The retrieved document's contents are then used to generate a symbolic representation of the content and compared to the content encoded in the symbolic representation. If the two match, the document has not been altered.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06K 7/14 - Méthodes ou dispositions pour la lecture de supports d'enregistrement par radiation électromagnétique, p. ex. lecture optiqueMéthodes ou dispositions pour la lecture de supports d'enregistrement par radiation corpusculaire utilisant la lumière sans sélection des longueurs d'onde, p. ex. lecture de la lumière blanche réfléchie
G06K 19/06 - Supports d'enregistrement pour utilisation avec des machines et avec au moins une partie prévue pour supporter des marques numériques caractérisés par le genre de marque numérique, p. ex. forme, nature, code
5.
SYSTEM AND METHODS FOR DETECTING ALTERED DOCUMENTS
Systems and methods are provided to validate an image. The image is segmented into a plurality of blocks and scrambled. A hash of the original image and scrambled image is then provided with a hash of the algorithms used (e.g., the segmenting algorithm, the scrambling algorithm, and/or the hashing algorithm). The foregoing hashes may be provided as a single, merged hash, and optionally as a quick response (QR) code. A recipient may then validate the image with a provided hash, which may comprise a merged hash that is separated into its constituent hashes. If the hashes match, the image is determined to be unaltered.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.
The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.
Embodiments of systems and methods for DNS leak prevention and protection are disclosed herein. In particular, certain embodiments include a local DNS protection agent installed on a system and an associated trusted external DNS protection server. The DNS protection agent prevents DNS leaks from applications on the system such that all DNS requests from the system are confined to requests from the DNS protection agent to the associated DNS protection server. As the DNS leak prevention provided by the DNS protection agent stops applications on the system from circumventing the DNS protection server, all DNS requests originating from the system remain under the control of the DNS protection server and thus desired DNS protection (e.g., as implemented on the DNS protection server) may be maintained. Certain embodiments prevent applications from using certain DNS security protocols, such as DoH and DoT, without going through the DNS protection agent.
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
H04L 67/60 - Ordonnancement ou organisation du service des demandes d'application, p. ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises
9.
METHODS AND SYSTEMS OF CONTENT INTEGRATION FOR GENERATIVE ARTIFICIAL INTELLIGENCE
Systems and methods are provided for a device to obtain a query, such as from a user. The query is vectorized to obtain a numerical representation of the query and provided to a vector database to find the nearest vectors corresponding to most relevant context, such as for a particular domain or subject matter. The query, query vector, and context vectors, and optionally past query history and past query responses, are provided to an artificial intelligence, such as a large language model (LLM), to receive a response to the query without providing the context to the LLM.
A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.
H04L 41/069 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant des journaux de notificationsPost-traitement des notifications
Methods, devices and computer program products facilitate the storage, access and management of log files that are associated with particular client devices. The log files provide a record of user or client device activities that are periodically sent to a data backup center. A dedicated log file server facilitates the processing and storage of an increasingly large number of log files that are generated by new and existing client devices. A storage server pre-processes the received log files to facilitate the processing and storage of the log files by the log file server. This Abstract is provided for the sole purpose of complying with the Abstract requirement rules. This Abstract is submitted with the explicit understanding that it will not be used to interpret or to limit the scope or the meaning of the claims.
G06F 16/10 - Systèmes de fichiersServeurs de fichiers
G06F 3/06 - Entrée numérique à partir de, ou sortie numérique vers des supports d'enregistrement
G06F 11/14 - Détection ou correction d'erreur dans les données par redondance dans les opérations, p. ex. en utilisant différentes séquences d'opérations aboutissant au même résultat
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
G06F 16/17 - Détails d’autres fonctions de systèmes de fichiers
G06F 16/174 - Élimination de redondances par le système de fichiers
G06F 17/40 - Acquisition et consignation de données
12.
SYSTEM AND METHOD FOR PREDICTING DOMAIN REPUTATION
A computer system comprising a processor and a memory storing instructions that, when executed by the processor, cause the computer system to perform a set of operations. The set of operations comprises collecting domain attribute data comprising one or more domain attribute features for a domain, collecting sampled domain profile data comprising one or more domain profile features for the domain and generating, using the domain attribute data and the sampled domain profile data, a domain reputation assignment utilizing a neural network.
Embodiments disclosed herein relate to systems and methods for providing a smart cache. In embodiments, a variable time to live (TTL) may be calculated and associated with data as it is stored in a cache. The variable TTL may be calculated based upon reputation and/or category information related to the source of the data. The reputation and/or category information may include TTL modifiers for adjusting the TTL for data from a particular data source that is stored in the cache. In further embodiments, a feedback method may be employed to update reputation and/or category information for a particular data source.
H04L 67/5682 - Politiques ou règles de mise à jour, de suppression ou de remplacement des données stockées
G06F 12/0802 - Adressage d’un niveau de mémoire dans lequel l’accès aux données ou aux blocs de données désirés nécessite des moyens d’adressage associatif, p. ex. mémoires cache
G06F 12/0864 - Adressage d’un niveau de mémoire dans lequel l’accès aux données ou aux blocs de données désirés nécessite des moyens d’adressage associatif, p. ex. mémoires cache utilisant des moyens pseudo-associatifs, p. ex. associatifs d’ensemble ou de hachage
G06F 12/0875 - Adressage d’un niveau de mémoire dans lequel l’accès aux données ou aux blocs de données désirés nécessite des moyens d’adressage associatif, p. ex. mémoires cache avec mémoire cache dédiée, p. ex. instruction ou pile
G06F 12/128 - Commande de remplacement utilisant des algorithmes de remplacement adaptée aux systèmes de mémoires cache multidimensionnelles, p. ex. associatives d’ensemble, à plusieurs mémoires cache, multi-ensembles ou multi-niveaux
G06F 16/957 - Optimisation de la navigation, p. ex. mise en cache ou distillation de contenus
Systems and methods are provided for a device to obtain a query, such as from a user. The query is vectorized to obtain a numerical representation of the query and provided to a vector database to find the nearest vectors corresponding to most relevant context, such as for a particular domain or subject matter. The query, query vector, and context vectors, and optionally past query history and past query responses, are provided to an artificial intelligence, such as a large language model (LLM), to receive a response to the query without providing the context to the LLM.
Methods and systems for determining, presenting and analyzing API usage of an application are disclosed herein. Embodiments of an API monitor as presented herein may serve to provide tightly coupled insight into API usage by an application to ascertain and provide knowledge and visibility into API usage by an application associated with the API monitor, including API calls made by both a frontend and a backend of an application.
H04L 67/025 - Protocoles basés sur la technologie du Web, p. ex. protocole de transfert hypertexte [HTTP] pour la commande à distance ou la surveillance à distance des applications
H04L 67/10 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau
A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.
Systems, methods and products for enabling parallelized verification of a forensic copy generated using a non-parallelizable hashing algorithm. Disclosed embodiments generate the forensic copy of a data source using a non-parallelizable algorithm. In addition to generating a hash of the source data, intermediate hash states are stored for successive blocks of data from the data source. During verification of the forensic copy, the intermediate hash states and identifiers of the data blocks are retrieved from a data structure that is saved with the forensic copy. The non-parallelizable algorithm is used to hash each data block using the intermediate hash state preceding the data block as a starting hash state, then the hash of the data block is compared to the intermediate hash state following the data block to verify the data block. If all data blocks are successfully verified, the forensic copy is verified, otherwise verification fails.
H04L 9/06 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité l'appareil de chiffrement utilisant des registres à décalage ou des mémoires pour le codage par blocs, p. ex. système DES
H04L 9/00 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité
18.
DEFINITION AND EXTENSION OF STORIES OF CORE ENTITIES AND CALCULATION OF RISK SCORES THEREOF
Core entities are each defined as a subset of base entities that satisfy one or more core entity connection relationships. Base stories are each defined as a subset of core entities that satisfy one or more story connection relationships. A risk score of each core entity is calculated based on previously calculated risk scores of the base entities. A risk score of each base story is calculated based on the calculated risk score of each core entity of the base story. Selected base stories are extended with external content to generate corresponding extended stories.
Core entities are each defined as a subset of base entities that satisfy one or more core entity connection relationships. Base stories are each defined as a subset of core entities that satisfy one or more story connection relationships. A risk score of each core entity is calculated based on previously calculated risk scores of the base entities. A risk score of each base story is calculated based on the calculated risk score of each core entity of the base story. Selected base stories are extended with external content to generate corresponding extended stories.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor.
Domain-specific images used for training an optical character recognition (OCR) machine learning model are generated as follows. Universal resource locator (URL) addresses of web pages associated with a particular domain are retrieved. Words in the web pages associated with the particular domain are determined. Domain-relevant n-grams of the words are identified for the particular domain. Corresponding domain-specific images of each domain-relevant n gram for the particular domain are generated.
G06V 30/19 - Reconnaissance utilisant des moyens électroniques
G06V 10/764 - Dispositions pour la reconnaissance ou la compréhension d’images ou de vidéos utilisant la reconnaissance de formes ou l’apprentissage automatique utilisant la classification, p. ex. des objets vidéo
Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read-write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion; thereby, mitigating malicious cyberattacks and/or unauthorized accesses.
Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 21/50 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation
25.
Behavioral Threat Detection Definition And Compilation
Examples of the present disclosure describe systems and methods for behavioral threat detection definition compilation. In an example, one or more sets of rule instructions may be packaged for distribution and/or use by a behavioral threat detection engine. As an example, a set of rule instructions is compiled into an intermediate language and assembled in to a compiled behavior rule binary. Event linking is performed, wherein other rules launched by the rule and/or events that launch the rule or are processed by the rule are identified, and such information may be stored accordingly. The behavior rule binary may be packaged with other rules associated with identifying a specific behavior. The packaged behavior rule is distributed to one or more computing devices for use with a behavioral threat detection engine. For example, the threat detection engine may execute the behavior rule using a rule virtual machine.
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
Peer device protection enables a first device comprising a digital security agent to remedy security issues on (or associated with) a set of devices visible to the first device. In aspects, a first device comprising a digital security agent may identify a set of devices visible to the first device. The first device may monitor the set of devices to collect data, such as types of communications and data points of interest. The digital security agent may apply threat detection to the collected data to identify anomalous network behavior. When anomalous network behavior is detected, the first device may cause an indicator of compromise (IOC) to be generated. Based on the IOC, the first device may facilitate remediation of the anomalous network behavior and/or apply security to one or more devices in the set of devices.
Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting exploits. In aspects, various “checkpoints” may be identified in software code. At each checkpoint, the current stack pointer, stack base, and stack limit for each mode of execution may be obtained. The current stack pointer for each mode of execution may be evaluated to determine whether the stack pointer falls within a stack range between the stack base and the stack limit of the respective mode of execution. When the stack pointer is determined to be outside of the expected stack range, a stack pivot exploit is detected and one or more remedial actions may be automatically performed.
G06F 21/52 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.
H04L 67/125 - Protocoles spécialement adaptés aux environnements propriétaires ou de mise en réseau pour un usage spécial, p. ex. les réseaux médicaux, les réseaux de capteurs, les réseaux dans les véhicules ou les réseaux de mesure à distance en impliquant la commande des applications des terminaux par un réseau
Systems and methods of tracking chain of custody of relevant electronic documents are provided. An example method begins with receiving an electronic document collection request. In response, a set of relevant electronic documents is retrieved, a tracking unit is generated, and the tracking unit is assigned to the set of relevant electronic documents. The tracking unit includes: a state machine having at least two stages including a specification stage for specifying the electronic document collection request and a review stage for displaying the relevant electronic documents, a plurality of Chain-Of-Custody (COC) statuses, and a plurality of number of relevant document values. The chain of custody of the set of relevant electronic documents is tracked. The set of relevant electronic documents generated by the electronic document collection request is displayed by a graphical user interface.
Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
Examples of the present disclosure describe systems and methods for sharing memory using a multi-ring shared, traversable and dynamic database. In aspects, the database may be synchronized and shared between multiple processes and/or operation mode protection rings of a system. The database may also be persisted to enable the management of information between hardware reboots and application sessions. The information stored in the database may be view independent, traversable, and resizable from various component views of the database. In some aspects, an event processor is additionally described. The event processor may use the database to allocate memory chunks of a shared heap to components/processes in one or more protection modes of the operating system.
G06F 12/06 - Adressage d'un bloc physique de transfert, p. ex. par adresse de base, adressage de modules, extension de l'espace d'adresse, spécialisation de mémoire
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
G06F 16/00 - Recherche d’informationsStructures de bases de données à cet effetStructures de systèmes de fichiers à cet effet
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
33.
DETECTING STACK PIVOTS USING STACK ARTIFACT VERIFICATION
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting using stack artifact verification. In aspects, function hooks may be added to one or more functions. When a hooked function executes, artifacts relating to the hooked function may be left on the stack memory (“stack”). The location of the artifacts on the stack may be stored in a local storage area. Each time a hook in a hooked function is subsequently executed, protection may be executed to determine whether an artifact remains in the location stored in the local storage area. If the artifact is no longer in the same location, a stack pivot may be detected and one or more remedial actions may be automatically performed.
G06F 21/54 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
36.
Systems and methods for secure file management via an aggregation of cloud storage services
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.
G06F 11/14 - Détection ou correction d'erreur dans les données par redondance dans les opérations, p. ex. en utilisant différentes séquences d'opérations aboutissant au même résultat
G06F 16/178 - Techniques de synchronisation des fichiers dans les systèmes de fichiers
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
H04L 67/1095 - Réplication ou mise en miroir des données, p. ex. l’ordonnancement ou le transport pour la synchronisation des données entre les nœuds du réseau
37.
Systems and methods for detection and mitigation of malicious encryption
The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.
Embodiments provide systems and methods for logging events. A computer-implemented method, for example, includes a syslog connector providing a subscription to a cloud source that collects events from a plurality of data sources, the subscription comprising an event selection criterion, receiving event records from the cloud source according to the subscription, the received event records formatted according to a first format, transforming the event records received from the cloud source from the first format to syslog messages and storing, by the syslog connector, the syslog messages to a syslog data sink.
Embodiments provide systems and methods for logging events. A computer-implemented method comprises receiving input for selecting one or more event types to receive from an event collector, receiving, based on the one or more event types, a plurality of security events from the event collector, transforming each of the plurality of security events to a standard format to generate a plurality of formatted security events and transmitting the plurality of formatted security events to a security information and event management (SIEM) server.
Examples of the present disclosure describe systems and methods for selective export address table filtering. In aspects, the relative virtual address (RVA) of exported function names may be modified to point to a protected memory location. An exception handler may be registered to process exceptions relating to access violations of the protected memory location. If an exception is detected that indicates an attempt to access the protected memory location, the instruction pointer of the exception may be compared to an allowed range of memory addresses. If the instruction pointer address is outside the boundaries, remedial action may occur.
G06F 21/54 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
41.
RESTRICTING ACCESS TO APPLICATION PROGRAMMING INTERFACES (APIs)
Examples of the present disclosure describe systems and methods for restricting access to application programming interfaces (APIs). For example, when a process calls an API, the API call may be intercepted by a security system for evaluation of its trustfulness before the API is allowed to run. Upon intercepting an API call, the process calling the API may be evaluated to determine if the process is known to the security system, such that known processes that are untrusted may be blocked from calling the API. Further, when the security system cannot identify the process calling the API, the security service may evaluate a call stack associated with the call operation to determine if attributes of the call operation are known to the security system. If the call operation is known to the security system as untrusted, the call operation may be blocked from calling the API.
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/52 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
Examples of the present disclosure describe systems and methods of issuing certificates. One embodiment includes a non-transitory, computer-readable medium comprising computer executable instructions stored thereon, the computer executable instructions executable for receiving a certificate request from an online identity, wherein the certificate request validates a reputation of the online identity, analyzing the certificate request, based on the analysis, determining to issue a certificate, and issuing the certificate to the online identity.
Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor.
Embodiments disclosed herein relate to systems and methods for providing a smart cache. In embodiments, a variable time to live (TTL) may be calculated and associated with data as it is stored in a cache. The variable TTL may be calculated based upon reputation and/or category information related to the source of the data. The reputation and/or category information may include TTL modifiers for adjusting the TTL for data from a particular data source that is stored in the cache. In further embodiments, a feedback method may be employed to update reputation and/or category information for a particular data source.
G06F 12/0802 - Adressage d’un niveau de mémoire dans lequel l’accès aux données ou aux blocs de données désirés nécessite des moyens d’adressage associatif, p. ex. mémoires cache
G06F 12/0864 - Adressage d’un niveau de mémoire dans lequel l’accès aux données ou aux blocs de données désirés nécessite des moyens d’adressage associatif, p. ex. mémoires cache utilisant des moyens pseudo-associatifs, p. ex. associatifs d’ensemble ou de hachage
G06F 12/0875 - Adressage d’un niveau de mémoire dans lequel l’accès aux données ou aux blocs de données désirés nécessite des moyens d’adressage associatif, p. ex. mémoires cache avec mémoire cache dédiée, p. ex. instruction ou pile
G06F 12/128 - Commande de remplacement utilisant des algorithmes de remplacement adaptée aux systèmes de mémoires cache multidimensionnelles, p. ex. associatives d’ensemble, à plusieurs mémoires cache, multi-ensembles ou multi-niveaux
G06F 16/957 - Optimisation de la navigation, p. ex. mise en cache ou distillation de contenus
Aspects of the present disclosure are operable to protect against malicious objects, such as JavaScript code, which may be encountered, downloaded, or otherwise accessed from a content source by a computing system. In an example, antivirus software implementing aspects disclosed herein may be capable of detecting malicious objects in real-time. Aspects of the present disclosure aim to reduce the amount of time used to detect malicious code while maintaining detection accuracy, as detection delays and/or a high false positive rate may result in a negative user experience. Among other benefits, the systems and methods disclosed herein are operable to identify malicious objects encountered by a computing system while maintaining a high detection rate, a low false positive rate, and a high scanning speed.
Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
Examples of the present disclosure describe systems and methods for exploit detection via induced exceptions. One embodiment of a method can include generating an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during an execution of the set of software instructions by a processor, registering an exception handler to handle the exception associated with by the inspection point; receiving, in response to the set of software instructions encountering the inspection point, an indication of an exception, accessing a context record associated with the execution of the set of software instructions, evaluating the context record to determine if an exploit is present using the first reputation information, and based on a determination that an exploit is present, performing a corrective action for the exploit.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
48.
Aggregation and management among a plurality of storage providers
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, file fragmenting may be performed in a non-standard method such that file headers and metadata are divided across separate fragments, obfuscating the original file metadata.
H04L 67/1097 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour le stockage distribué de données dans des réseaux, p. ex. dispositions de transport pour le système de fichiers réseau [NFS], réseaux de stockage [SAN] ou stockage en réseau [NAS]
G06F 16/10 - Systèmes de fichiersServeurs de fichiers
G06F 16/14 - Détails de la recherche de fichiers basée sur les métadonnées des fichiers
G06F 16/17 - Détails d’autres fonctions de systèmes de fichiers
G06F 16/27 - Réplication, distribution ou synchronisation de données entre bases de données ou dans un système de bases de données distribuéesArchitectures de systèmes de bases de données distribuées à cet effet
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
H04L 67/06 - Protocoles spécialement adaptés au transfert de fichiers, p. ex. protocole de transfert de fichier [FTP]
H04L 67/1095 - Réplication ou mise en miroir des données, p. ex. l’ordonnancement ou le transport pour la synchronisation des données entre les nœuds du réseau
Examples of the present disclosure describe systems and methods for state-based entity behavior analysis. In an example, entities of a computing environment may be represented using a hierarchical entity web. In some examples, an entity may have a state associated with it, which may be modeled using a place/transition (PT) network. Events within the computing environment may be evaluated by transitions of a PT network to determine whether an entity should change state. If an entity transitions from one state to another, one or more actions may be performed, including, but not limited to, taking a remedial action, generating a recommendation, and updating the state of one or more associated entities. Thus, aspects disclosed herein may provide a high-level overview of the state of entities of a computing environment, but may also be used to view in-depth information of entities at lower levels of the hierarchical entity web.
H04L 41/0853 - Récupération de la configuration du réseauSuivi de l’historique de configuration du réseau en recueillant activement des informations de configuration ou en sauvegardant les informations de configuration
H04L 41/0893 - Affectation de groupes logiques aux éléments de réseau
H04L 41/0816 - Réglages de configuration caractérisés par les conditions déclenchant un changement de paramètres la condition étant une adaptation, p. ex. en réponse aux événements dans le réseau
Embodiments of systems and methods for DNS smart access are disclosed herein. In particular, certain embodiments include a local cache of trusted addresses resolved by a trusted DNS resolver. A DNS smart access agent monitors outbound communications from applications or processes on a client device. The DNS smart access agent blocks access to addresses that were not resolved through the trusted DNS resolver.
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
09 - Appareils et instruments scientifiques et électriques
35 - Publicité; Affaires commerciales
38 - Services de télécommunications
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics. Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics. Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks. Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics.
09 - Appareils et instruments scientifiques et électriques
35 - Publicité; Affaires commerciales
38 - Services de télécommunications
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics; none of the aforesaid goods being in relation to gaming, gambling or casinos. Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics; none of the aforesaid services being in relation to gaming, gambling or casinos. Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks; none of the aforesaid services being in relation to gaming, gambling or casinos. Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics; none of the aforesaid services being in relation to gaming, gambling or casinos.
09 - Appareils et instruments scientifiques et électriques
35 - Publicité; Affaires commerciales
38 - Services de télécommunications
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics (1) Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics
(2) Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks
(3) Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics
09 - Appareils et instruments scientifiques et électriques
35 - Publicité; Affaires commerciales
38 - Services de télécommunications
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
(1) Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics (1) Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics
(2) Advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks
(3) Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics
09 - Appareils et instruments scientifiques et électriques
35 - Publicité; Affaires commerciales
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Telecommunication advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence software for machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis
57.
Systems and methods for secure file management via an aggregation of cloud storage services
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.
G06F 11/14 - Détection ou correction d'erreur dans les données par redondance dans les opérations, p. ex. en utilisant différentes séquences d'opérations aboutissant au même résultat
G06F 16/178 - Techniques de synchronisation des fichiers dans les systèmes de fichiers
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
H04L 67/1095 - Réplication ou mise en miroir des données, p. ex. l’ordonnancement ou le transport pour la synchronisation des données entre les nœuds du réseau
09 - Appareils et instruments scientifiques et électriques
35 - Publicité; Affaires commerciales
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Telecommunication advisory and consultancy services relating to artificial intelligence as it applies to communications between computers over telecommunications networks Downloadable computer software using artificial intelligence for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; Downloadable computer software using artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis Business consulting services for businesses and institutions relating to artificial intelligence, big data, cognitive computing and data-driven analytics Software as a service (SAAS) services featuring software for managing content, customer user experience, business networks, IT operations, software developer operations, and cybersecurity; SaaS services featuring artificial intelligence including machine learning, predictive analytics, and generative artificial intelligence for use in cybersecurity, electronic discovery, customer communications management, customer service management, functional testing, software development, enterprise content management, business process management, and forensics in the nature of data analysis
59.
Systems and methods for remote management of appliances
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.
H04L 67/125 - Protocoles spécialement adaptés aux environnements propriétaires ou de mise en réseau pour un usage spécial, p. ex. les réseaux médicaux, les réseaux de capteurs, les réseaux dans les véhicules ou les réseaux de mesure à distance en impliquant la commande des applications des terminaux par un réseau
Embodiments of systems and methods for DNS leak prevention and protection are disclosed herein. In particular, certain embodiments include a local DNS protection agent installed on a system and an associated trusted external DNS protection server. The DNS protection agent prevents DNS leaks from applications on the system such that all DNS requests from the system are confined to requests from the DNS protection agent to the associated DNS protection server. As the DNS leak prevention provided by the DNS protection agent stops applications on the system from circumventing the DNS protection server, all DNS requests originating from the system remain under the control of the DNS protection server and thus desired DNS protection (e.g., as implemented on the DNS protection server) may be maintained. Certain embodiments prevent applications from using certain DNS security protocols, such as DoH and DoT, without going through the DNS protection agent.
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
H04L 67/60 - Ordonnancement ou organisation du service des demandes d'application, p. ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises
Examples of the present disclosure describe systems and methods for selective export address table filtering. In aspects, the relative virtual address (RVA) of exported function names may be modified to point to a protected memory location. An exception handler may be registered to process exceptions relating to access violations of the protected memory location. If an exception is detected that indicates an attempt to access the protected memory location, the instruction pointer of the exception may be compared to an allowed range of memory addresses. If the instruction pointer address is outside the boundaries, remedial action may occur.
G06F 21/54 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that causes the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
63.
Behavioral threat detection definition and compilation
Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
Aspects of the present disclosure relate to systems and methods for partitioning an OS or hypervisor utilized on a computing device from the process of proxy control. For example, a proxy may be installed on a separation kernel or firmware on a computing device that routes all data traffic received via a network connection to a cloud which performs various services such as IP reputation management, URL reputation detection and validation, malicious file filtering through potential malware detection.
Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read-write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion; thereby, mitigating malicious cyberattacks and/or unauthorized accesses.
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting exploits. In aspects, various “checkpoints” may be identified in software code. At each checkpoint, the current stack pointer, stack base, and stack limit for each mode of execution may be obtained. The current stack pointer for each mode of execution may be evaluated to determine whether the stack pointer falls within a stack range between the stack base and the stack limit of the respective mode of execution. When the stack pointer is determined to be outside of the expected stack range, a stack pivot exploit is detected and one or more remedial actions may be automatically performed.
G06F 21/52 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
B01D 15/18 - Adsorption sélective, p. ex. chromatographie caractérisée par des caractéristiques de structure ou de fonctionnement relatives aux différents types d'écoulement
G01N 30/20 - Injection utilisant une valve d'échantillonnage
G01N 30/22 - Injection dans des systèmes liquides à haute pression
G01N 30/46 - Modèles d'écoulement utilisant plus d'une colonne
A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.
Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
69.
Multi-ring shared, traversable, and dynamic advanced database
Examples of the present disclosure describe systems and methods for sharing memory using a multi-ring shared, traversable and dynamic database. In aspects, the database may be synchronized and shared between multiple processes and/or operation mode protection rings of a system. The database may also be persisted to enable the management of information between hardware reboots and application sessions. The information stored in the database may be view independent, traversable, and resizable from various component views of the database. In some aspects, an event processor is additionally described. The event processor may use the database to allocate memory chunks of a shared heap to components/processes in one or more protection modes of the operating system.
G06F 12/06 - Adressage d'un bloc physique de transfert, p. ex. par adresse de base, adressage de modules, extension de l'espace d'adresse, spécialisation de mémoire
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
G06F 16/00 - Recherche d’informationsStructures de bases de données à cet effetStructures de systèmes de fichiers à cet effet
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
70.
SYSTEMS AND METHODS FOR AGGREGATION OF CLOUD STORAGE
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers. According to one aspect, a computer-implemented method includes providing an aggregated folder at a client computer, the aggregated folder aggregating the contents of a plurality of folders, each of the plurality of folders used for synchronization with a respective one of a plurality of cloud storage providers; identifying a new file for synchronization; determining a first cloud storage provider from the plurality of cloud storage providers to which to store at least a portion of the new file; storing the at least a portion of the new file in a first folder from the plurality of folders, the first folder for synchronization with the first cloud storage provider from the plurality of cloud storage providers; and adding the new file to the aggregated folder.
H04L 67/06 - Protocoles spécialement adaptés au transfert de fichiers, p. ex. protocole de transfert de fichier [FTP]
H04L 67/1097 - Protocoles dans lesquels une application est distribuée parmi les nœuds du réseau pour le stockage distribué de données dans des réseaux, p. ex. dispositions de transport pour le système de fichiers réseau [NFS], réseaux de stockage [SAN] ou stockage en réseau [NAS]
H04L 67/1095 - Réplication ou mise en miroir des données, p. ex. l’ordonnancement ou le transport pour la synchronisation des données entre les nœuds du réseau
H04L 67/1008 - Sélection du serveur pour la répartition de charge basée sur les paramètres des serveurs, p. ex. la mémoire disponible ou la charge de travail
G06F 16/10 - Systèmes de fichiersServeurs de fichiers
G06F 16/178 - Techniques de synchronisation des fichiers dans les systèmes de fichiers
The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.
Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.
A method and system for controlling access to an Internet resource is disclosed herein. When a request for an Internet resource, such as a Web site, is transmitted by an end-user of a LAN, a security appliance for the LAN analyzes a reputation index for the Internet resource before transmitting the request over the Internet. The reputation index is based on a plurality of factors for the Internet resource. A client application's access to the Internet resource can be allowed or denied based on the reputation index of the Internet resource.
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.
H04L 67/125 - Protocoles spécialement adaptés aux environnements propriétaires ou de mise en réseau pour un usage spécial, p. ex. les réseaux médicaux, les réseaux de capteurs, les réseaux dans les véhicules ou les réseaux de mesure à distance en impliquant la commande des applications des terminaux par un réseau
Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
77.
Security privilege escalation exploit detection and mitigation
Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
G06F 21/50 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation
78.
DETECTING A CHANGE TO THE CONTENT OF INFORMATION DISPLAYED TO A USER OF A WEBSITE
Methods and systems are provided for detecting a change in web content of a web page. In particular, executable instructions may be inserted into a web page such that a first fingerprint of the web page is created when viewed on a client device. The first fingerprint may then be compared to a previously created fingerprint to determine if the web page has been modified. The fingerprints may be based on one or more elements of the web page.
Aspects of the present disclosure relate to threat detection of executable files. A plurality of static data points may be extracted from an executable file without decrypting or unpacking the executable file. The executable file may then be analyzed without decrypting or unpacking the executable file. Analysis of the executable file may comprise applying a classifier to the plurality of extracted static data points. The classifier may be trained from data comprising known malicious executable files, known benign executable files and known unwanted executable files. Based upon analysis of the executable file, a determination can be made as to whether the executable file is harmful.
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting using stack artifact verification. In aspects, function hooks may be added to one or more functions. When a hooked function executes, artifacts relating to the hooked function may be left on the stack memory (“stack”). The location of the artifacts on the stack may be stored in a local storage area. Each time a hook in a hooked function is subsequently executed, protection may be executed to determine whether an artifact remains in the location stored in the local storage area. If the artifact is no longer in the same location, a stack pivot may be detected and one or more remedial actions may be automatically performed.
G06F 21/54 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données par ajout de routines ou d’objets de sécurité aux programmes
Examples of the present disclosure describe systems and methods for evaluating malicious web content for associated threats using specialized web crawling techniques. A seed resource identifier is evaluated to determine a second resource identifier associated with the seed resource identifier. A resource corresponding to the second resource identifier is scanned to identify a third resource identifier. The third resource identifier is processed with a machine learning model to classify the third resource identifier according to a classification representing a predicted level of threat. The machine learning model trained to classify resource identifiers into a plurality of classifications. A corrective action can be executed based on the classification of the third resource identifier.
Examples of the present disclosure describe systems and methods for behavioral threat detection definition compilation. In an example, one or more sets of rule instructions may be packaged for distribution and/or use by a behavioral threat detection engine. As an example, a set of rule instructions is compiled into an intermediate language and assembled in to a compiled behavior rule binary. Event linking is performed, wherein other rules launched by the rule and/or events that launch the rule or are processed by the rule are identified, and such information may be stored accordingly. The behavior rule binary may be packaged with other rules associated with identifying a specific behavior. The packaged behavior rule is distributed to one or more computing devices for use with a behavioral threat detection engine. For example, the threat detection engine may execute the behavior rule using a rule virtual machine.
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.
H04L 41/069 - Gestion des fautes, des événements, des alarmes ou des notifications en utilisant des journaux de notificationsPost-traitement des notifications
Examples of the present disclosure describe systems and methods for exploit detection via induced exceptions. One embodiment of a method can include generating an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during an execution of the set of software instructions by a processor, registering an exception handler to handle the exception associated with by the inspection point; receiving, in response to the set of software instructions encountering the inspection point, an indication of an exception, accessing a context record associated with the execution of the set of software instructions, evaluating the context record to determine if an exploit is present using the first reputation information, and based on a determination that an exploit is present, performing a corrective action for the exploit.
H04L 29/06 - Commande de la communication; Traitement de la communication caractérisés par un protocole
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
85.
Systems and methods for remote management of appliances
The present disclosure describes systems and methods for remote management of appliances. The appliance may be configured to periodically check in a predetermined online location for the presence of a trigger file identifying one or more appliances directed to contact a management server for maintenance. If the file is present at the predetermined location and the file includes the identifier of the appliance, the appliance may initiate a connection to the management server. If the file is not found, then the appliance may reset a call timer and attempt to retrieve the file at a later time. To avoid having to configure addresses on the appliance, link local IPv6 addresses may be configured for use over a virtual private network, allowing administration, regardless of the network configuration or local IP address of the appliance.
H04L 67/125 - Protocoles spécialement adaptés aux environnements propriétaires ou de mise en réseau pour un usage spécial, p. ex. les réseaux médicaux, les réseaux de capteurs, les réseaux dans les véhicules ou les réseaux de mesure à distance en impliquant la commande des applications des terminaux par un réseau
Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
Examples of the present disclosure describe systems and methods for determining exploit prevention software settings using machine learning. In aspects, exploit prevention software may be used to identify processes executing on a computing device. Metadata for the identified processes may be determined and transmitted to a machine learning system. The machine learning system may use an exploit prevention model to determine exploit prevention configuration settings for each of the processes, and may transmit the configuration setting to the computing device. The computing device may implement the configuration settings to protect the processes and monitor the stability of the protected processes as they execute. The computing device may transmit the stability data to the machine-learning system. The machine-learning system may then modify the exploit prevention model based on the stability data.
Methods, devices and computer program products facilitate the storage, access and management of log files that are associated with particular client devices. The log files provide a record of user or client device activities that are periodically sent to a data backup center. A dedicated log file server facilitates the processing and storage of an increasingly large number of log files that are generated by new and existing client devices. A storage server pre-processes the received log files to facilitate the processing and storage of the log files by the log file server. This Abstract is provided for the sole purpose of complying with the Abstract requirement rules. This Abstract is submitted with the explicit understanding that it will not be used to interpret or to limit the scope or the meaning of the claims.
G06F 16/00 - Recherche d’informationsStructures de bases de données à cet effetStructures de systèmes de fichiers à cet effet
G06F 3/06 - Entrée numérique à partir de, ou sortie numérique vers des supports d'enregistrement
G06F 11/14 - Détection ou correction d'erreur dans les données par redondance dans les opérations, p. ex. en utilisant différentes séquences d'opérations aboutissant au même résultat
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
G06F 16/10 - Systèmes de fichiersServeurs de fichiers
G06F 16/17 - Détails d’autres fonctions de systèmes de fichiers
G06F 16/174 - Élimination de redondances par le système de fichiers
G06F 17/40 - Acquisition et consignation de données
89.
System and method for leak prevention for domain name system requests
Embodiments of systems and methods for DNS leak prevention and protection are disclosed herein. In particular, certain embodiments include a local DNS protection agent installed on a system and an associated trusted external DNS protection server. The DNS protection agent prevents DNS leaks from applications on the system such that all DNS requests from the system are confined to requests from the DNS protection agent to the associated DNS protection server. As the DNS leak prevention provided by the DNS protection agent stops applications on the system from circumventing the DNS protection server, all DNS requests originating from the system remain under the control of the DNS protection server and thus desired DNS protection (e.g., as implemented on the DNS protection server) may be maintained. Certain embodiments prevent applications from using certain DNS security protocols, such as DoH and DoT, without going through the DNS protection agent.
H04L 61/4511 - Répertoires de réseauCorrespondance nom-adresse en utilisant des répertoires normalisésRépertoires de réseauCorrespondance nom-adresse en utilisant des protocoles normalisés d'accès aux répertoires en utilisant le système de noms de domaine [DNS]
H04L 67/60 - Ordonnancement ou organisation du service des demandes d'application, p. ex. demandes de transmission de données d'application en utilisant l'analyse et l'optimisation des ressources réseau requises
90.
Systems and methods for secure file management via an aggregation of cloud storage services
The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
H04L 67/1095 - Réplication ou mise en miroir des données, p. ex. l’ordonnancement ou le transport pour la synchronisation des données entre les nœuds du réseau
G06F 16/178 - Techniques de synchronisation des fichiers dans les systèmes de fichiers
G06F 11/14 - Détection ou correction d'erreur dans les données par redondance dans les opérations, p. ex. en utilisant différentes séquences d'opérations aboutissant au même résultat
91.
Behavioral threat detection definition and compilation
Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
Methods, devices and computer program products facilitate the storage, access and management of log files that are associated with particular client devices. The log files provide a record of user or client device activities that are periodically sent to a data backup center. A dedicated log file server facilitates the processing and storage of an increasingly large number of log files that are generated by new and existing client devices. A storage server pre-processes the received log files to facilitate the processing and storage of the log files by the log file server. This Abstract is provided for the sole purpose of complying with the Abstract requirement rules. This Abstract is submitted with the explicit understanding that it will not be used to interpret or to limit the scope or the meaning of the claims.
G06F 16/00 - Recherche d’informationsStructures de bases de données à cet effetStructures de systèmes de fichiers à cet effet
G06F 3/06 - Entrée numérique à partir de, ou sortie numérique vers des supports d'enregistrement
G06F 11/14 - Détection ou correction d'erreur dans les données par redondance dans les opérations, p. ex. en utilisant différentes séquences d'opérations aboutissant au même résultat
G06F 11/34 - Enregistrement ou évaluation statistique de l'activité du calculateur, p. ex. des interruptions ou des opérations d'entrée–sortie
G06F 16/10 - Systèmes de fichiersServeurs de fichiers
G06F 16/17 - Détails d’autres fonctions de systèmes de fichiers
G06F 16/174 - Élimination de redondances par le système de fichiers
G06F 17/40 - Acquisition et consignation de données
Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that causes the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 9/455 - ÉmulationInterprétationSimulation de logiciel, p. ex. virtualisation ou émulation des moteurs d’exécution d’applications ou de systèmes d’exploitation
94.
Multi-ring shared, traversable, and dynamic advanced database
Examples of the present disclosure describe systems and methods for sharing memory using a multi-ring shared, traversable and dynamic database. In aspects, the database may be synchronized and shared between multiple processes and/or operation mode protection rings of a system. The database may also be persisted to enable the management of information between hardware reboots and application sessions. The information stored in the database may be view independent, traversable, and resizable from various component views of the database. In some aspects, an event processor is additionally described. The event processor may use the database to allocate memory chunks of a shared heap to components/processes in one or more protection modes of the operating system.
G06F 12/06 - Adressage d'un bloc physique de transfert, p. ex. par adresse de base, adressage de modules, extension de l'espace d'adresse, spécialisation de mémoire
G06F 12/14 - Protection contre l'utilisation non autorisée de mémoire
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 16/00 - Recherche d’informationsStructures de bases de données à cet effetStructures de systèmes de fichiers à cet effet
Peer device protection enables a first device comprising a digital security agent to remedy security issues on (or associated with) a set of devices visible to the first device. In aspects, a first device comprising a digital security agent may identify a set of devices visible to the first device. The first device may monitor the set of devices to collect data, such as types of communications and data points of interest. The digital security agent may apply threat detection to the collected data to identify anomalous network behavior. When anomalous network behavior is detected, the first device may cause an indicator of compromise (IOC) to be generated. Based on the IOC, the first device may facilitate remediation of the anomalous network behavior and/or apply security to one or more devices in the set of devices.
Examples of the present disclosure describe systems and methods for state-based entity behavior analysis. In an example, entities of a computing environment may be represented using a hierarchical entity web. In some examples, an entity may have a state associated with it, which may be modeled using a place/transition (PT) network. Events within the computing environment may be evaluated by transitions of a PT network to determine whether an entity should change state. If an entity transitions from one state to another, one or more actions may be performed, including, but not limited to, taking a remedial action, generating a recommendation, and updating the state of one or more associated entities. Thus, aspects disclosed herein may provide a high-level overview of the state of entities of a computing environment, but may also be used to view in-depth information of entities at lower levels of the hierarchical entity web.
H04L 41/0853 - Récupération de la configuration du réseauSuivi de l’historique de configuration du réseau en recueillant activement des informations de configuration ou en sauvegardant les informations de configuration
H04L 41/0893 - Affectation de groupes logiques aux éléments de réseau
H04L 41/0816 - Réglages de configuration caractérisés par les conditions déclenchant un changement de paramètres la condition étant une adaptation, p. ex. en réponse aux événements dans le réseau
Examples of the present disclosure describe systems and methods for restricting access to application programming interfaces (APIs). For example, when a process calls an API, the API call may be intercepted by a security system for evaluation of its trustfulness before the API is allowed to run. Upon intercepting an API call, the process calling the API may be evaluated to determine if the process is known to the security system, such that known processes that are untrusted may be blocked from calling the API. Further, when the security system cannot identify the process calling the API, the security service may evaluate a call stack associated with the call operation to determine if attributes of the call operation are known to the security system. If the call operation is known to the security system as untrusted, the call operation may be blocked from calling the API.
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/62 - Protection de l’accès à des données via une plate-forme, p. ex. par clés ou règles de contrôle de l’accès
G06F 21/52 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
Examples of the present disclosure describe systems and methods for detecting and mitigating stack pivoting exploits. In aspects, various “checkpoints” may be identified in software code. At each checkpoint, the current stack pointer, stack base, and stack limit for each mode of execution may be obtained. The current stack pointer for each mode of execution may be evaluated to determine whether the stack pointer falls within a stack range between the stack base and the stack limit of the respective mode of execution. When the stack pointer is determined to be outside of the expected stack range, a stack pivot exploit is detected and one or more remedial actions may be automatically performed.
G06F 21/52 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade de l’exécution du programme, p. ex. intégrité de la pile, débordement de tampon ou prévention d'effacement involontaire de données
G06F 11/36 - Prévention d'erreurs par analyse, par débogage ou par test de logiciel
99.
Statistical analysis of network behavior using event vectors to identify behavioral anomalies using a composite score
Examples of the present disclosure describe systems and methods for identifying anomalous network behavior. In aspects, a network event may be observed network sensors. One or more characteristics may be extracted from the network event and used to construct an evidence vector. The evidence vector may be compared to a mapping of previously-identified events and/or event characteristics. The mapping may be represented as one or more clusters of expected behaviors and anomalous behaviors. The mapping may be modeled using analytic models for direction detection and magnitude detection. One or more centroids may be identified for each of the clusters. A “best fit” may be determined and scored for each of the analytic models. The scores may be fused into single binocular score and used to determine whether the evidence vector is likely to represent an anomaly.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/50 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation
The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
