Described systems and methods protect client devices such as personal computers and IoT devices against malicious software. In some embodiments, a plurality of client devices report the occurrence of various events to a security server, each such event caused by a local instance of a target application (e.g., mobile app) executing on a respective device. The security server then collates the behavior of the respective target application across the plurality of client devices. Some embodiments compute an aggregate event set and/or sequence combining events detected on one device with events detected on other devices, and determine whether the target application is malicious according to the aggregate event set/sequence.
Described systems and methods protect client devices such as personal computers and IoT devices against harmful or inappropriate Internet content. When a client uses an encrypted handshake to hide the identity of the end server, e.g., in applications implementing an encrypted client hello (ECH), some embodiments employ a modified DNS server to provide a surrogate key to the client instead of the genuine handshake key. A traffic filter executing for instance on a network gateway may then intercept and decrypt the handshake and apply an access policy to selectively allow or deny access to the respective end server. When access is allowed, the traffic filter may re-encrypt the server identifier using the genuine handshake key before forwarding the handshake to its destination. Communication privacy is maintained since the illustrated methods only decrypt the handshake, and not the actual payload.
Described systems and methods allow carrying out privacy-preserving DNS exchanges. In some embodiments, a client machine engages in a private information retrieval (PIR) exchange with a nameserver. In response to receiving an encrypted query from the client, the query formulated according to a domain name, the nameserver may extract a record (e.g., an IP address) from a domain name database without decrypting the respective query. Some embodiments achieve such information retrieval by the use of homomorphic encryption.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
4.
Computer Security Systems and Methods Using Self-Supervised Consensus-Building Machine Learning
Some embodiments employ a consensus-building procedure to train a multitask graph comprising a plurality of nodes interconnected by a plurality of edges, wherein each node is associated with a task of determining a set of node-specific attributes of a set of input data, and each edge comprises an AI module (e.g., neural network) configured to determine attributes of an end node according to attributes of a start node of the respective edge. Training fosters consensus between all edges converging to a node. The trained multitask graph may then be deployed in a threat detector configured to determine whether an input set of data is indicative of malice (e.g., malware, intrusion, online threat, etc.).
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06K 9/62 - Methods or arrangements for recognition using electronic means
G06N 3/04 - Architecture, e.g. interconnection topology
5.
Security Appliance for Protecting Power-Saving Wireless Devices Against Attack
Described systems and methods allow protecting multiple wireless Internet-of-things (IoT) devices against impersonation attacks. In some embodiments, a security appliance detects an availability notification (e.g., a Bluetooth® Low Energy advertisement) emitted as part of a protocol of establishing a wireless connection between two devices. The security appliance may then determine whether the detected notification fits a baseline notification pattern of the apparent sender. When no, the security appliance may attack the sender device by replying to the respective availability notification and initiating a handshake.
H04W 12/48 - Security arrangements using identity modules using secure binding, e.g. securely binding identity modules to devices, services or applications
H04W 12/122 - Counter-measures against attacks; Protection against rogue devices
Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.
Described systems and methods enable protecting client devices (e.g., personal computers and IoT devices) implementing encrypted DNS protocols against harmful or inappropriate Internet content. A DNS proxy intercepts an attempt to establish an encrypted communication session between a client device and a DNS server. Without decrypting any communications, some embodiments of the DNS proxy determine an identifier of the respective session and an identifier of the client device, and send a query tracer connecting the session identifier with the client identifier to a security server. In some embodiments, the security server obtains the domain name included in an encrypted DNS query from the DNS server and instructs the DNS server to allow or block access of the client device to the respective Internet domain according to a device- and/or user-specific access policy.
Described systems and methods enable protecting client devices (e.g., personal computers and IoT devices) implementing encrypted DNS protocols against harmful or inappropriate Internet content. A DNS proxy intercepts an attempt to establish an encrypted communication session between a client device and a DNS server. Without decrypting any communications, some embodiments of the DNS proxy determine an identifier of the respective session and an identifier of the client device, and send a query tracer connecting the session identifier with the client identifier to a security server. In some embodiments, the security server obtains the domain name included in an encrypted DNS query from the DNS server and instructs the DNS server to allow or block access of the client device to the respective Internet domain according to a device- and/or user-specific access policy.
Some embodiments employ a novel procedure of training an artificial intelligence system (e.g., set of deep neural networks) for anomaly detection in applications such as natural language processing and computer security. Token sequences selected from a training corpus are distorted according to at least one of a plurality of pre-determined sequence transformations, before being fed to a sequence analyzer. In turn, the sequence analyzer is trained to correctly guess which transformation was used to generate the respective input token sequence.
Described systems and methods allow carrying out privacy-preserving DNS exchanges. In some embodiments, a client machine engages in a private information retrieval (PIR) exchange with a nameserver. In response to receiving an encrypted query from the client, the query formulated according to a domain name, the nameserver may extract a record (e.g., an IP address) from a domain name database without decrypting the respective query. Some embodiments achieve such information retrieval by the use of homomorphic encryption.
H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
G06F 16/22 - Indexing; Data structures therefor; Storage structures
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.
Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.
Some embodiments use text and/or image processing methods to determine whether a user of an electronic messaging platform is subject to an online threat such as cyberbullying, sexual grooming, and identity theft, among others. In some embodiments, a text content of electronic messages is automatically harvested and aggregated into conversations. Conversation data are then analyzed to extract various threat indicators. A result of a text analysis may be combined with a result of an analysis of an image transmitted as part of the respective conversation. When a threat is detected, some embodiments automatically send a notification to a third party (e.g., parent, teacher, etc.)
Described systems and methods allow protecting multiple wireless Internet-of-things (IoT) devices against impersonation attacks. In some embodiments, a security appliance detects an availability notification (e.g., a Bluetooth® Low Energy advertisement) emitted as part of a protocol of establishing a wireless connection between two devices. The security appliance may then determine whether the detected notification fits a baseline notification pattern of the apparent sender. When no, the security appliance may attack the sender device by replying to the respective availability notification and initiating a handshake.
H04W 12/122 - Counter-measures against attacks; Protection against rogue devices
H04L 67/1087 - Peer-to-peer [P2P] networks using cross-functional networking aspects
H04W 12/48 - Security arrangements using identity modules using secure binding, e.g. securely binding identity modules to devices, services or applications
In some embodiments, a behavior classifier comprises a set of neural networks trained to determine whether a monitored software entity is malicious according to a sequence of computing events caused by the execution of the respective entity. When the behavior classifier indicates that the entity is malicious, some embodiments execute a memory classifier comprising another set of neural networks trained to determine whether the monitored entity is malicious according to a memory snapshot of the monitored entity. Applying the classifiers in sequence may substantially reduce the false positive detection rate, while reducing computational costs.
Described systems and methods allow a selective collection of computer security data from client devices such as personal computers, smartphones, and Internet of Things (IoT) devices. A security application executing on each client device comprises a domain name service (DNS) proxy that tags outgoing DNS messages with a client ID. The DNS server selects a client for to data collection by returning a DNS reply comprising a service activation flag. Some embodiments thus enable a per-DNS-message selectivity of data collection. In some embodiments, subsequent network access requests by the selected clients are re-routed to a security server for analysis.
Described systems and methods allow an automatic translation from a natural language (e.g., English) into an artificial language such as a structured query language (SQL). In some embodiments, a translator module includes an encoder component and a decoder component, both components comprising recurrent neural networks. Training the translator module comprises two stages. A first stage trains the translator module to produce artificial language (AL) output when presented with an AL input. For instance, the translator is first trained to reproduce an AL input. A second stage of training comprises training the translator to produce AL output when presented with a natural language (NL) input.
Some embodiments use text and/or image processing methods to determine whether a user of an electronic messaging platform is subject to an online threat such as cyberbullying, sexual grooming, and identity theft, among others. In some embodiments, a text content of electronic messages is automatically harvested and aggregated into conversations. Conversation data are then analyzed to extract various threat indicators. A result of a text analysis may be combined with a result of an analysis of an image transmitted as part of the respective conversation. When a threat is detected, some embodiments automatically send a notification to a third party (e.g., parent, teacher, etc.).
Some embodiments use text and/or image processing methods to determine whether a child is transmitting confidential information to a conversation partner via an electronic messaging service. Some embodiments detect whether an image transmitted as part of an electronic message shows a bank card, a social security card, or an identity document, among others. When detecting such a situation, some embodiments automatically send a notification to a third party (e.g., parent, teacher, etc.)
In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the client respective profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.
In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the client respective profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.
In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the client respective profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.
Described systems and methods enable performing software audits remotely and automatically, on a relatively large number of client systems (e.g., a corporate network, a virtual desktop infrastructure system, etc.) An audit engine executes on each client system, in a hardware virtualization configuration wherein the audit engine executes outside an audited virtual machine. When receiving an audit request from an audit server, some embodiments of the audit engine drop an audit agent into the audited virtual machine, and remove the audit agent upon completion of the audit.
Alert manager software dynamically assembles a security alert as various security scenarios are tested to reach a verdict. Each executed scenario may contribute a scenario-specific message, so the resulting compound security alert indicates an actual line of reasoning used in reaching the respective verdict. The described systems and methods apply, inter alia, to the analysis of high-volume network flows in corporate networks. In some embodiments, flows are pre-tagged with extra metadata to facilitate detection of malware and/or intrusion.
Described systems and methods allow an automatic translation from a natural language (e.g., English) into an artificial language such as a structured query language (SQL). In some embodiments, a translator module includes an encoder component and a decoder component, both components comprising recurrent neural networks. Training the translator module comprises two stages. A first stage trains the translator module to produce artificial language (AL) output when presented with an AL input. For instance, the translator is first trained to reproduce an AL input. A second stage of training comprises training the translator to produce AL output when presented with a natural language (NL) input.
Described systems and methods enable a swift and efficient detection of fraudulent Internet domains, i.e., domains used to host or distribute fraudulent electronic documents such as fraudulent webpages and electronic messages. Some embodiments use a reverse IP analysis to select a set of fraud candidates from among a set of domains hosted at the same IP address as a known fraudulent domain. The candidate set is further filtered according to domain registration data. Online content hosted at each filtered candidate domain is further analyzed to identify truly fraudulent domains. A security module may then prevent users from accessing a content of such domains.
Described systems and methods enable a decryption of encrypted communication between a client system and a remote party, for applications such as detection and analysis of malicious software, intrusion detection, and surveillance, among others. The client system executes a virtual machine and an introspection engine outside the virtual machine. The introspection engine is configured to identify memory pages whose contents have changed between a first session event (e.g., a ServerHello message) and a second session event (e.g., a ClientFinished message). The respective memory pages are likely to contain encryption key material for the respective communication session. A decryption engine may then attempt to decrypt an encrypted payload of the respective communication session using information derived from the content of the identified memory pages.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
G06F 12/1009 - Address translation using page tables, e.g. page table structures
H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
29.
Systems and methods for tracking malicious behavior across multiple software entities
Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application organizes a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein members of a group are related by filiation and/or code injection. The security application may further associate a malice-indicative entity score with each monitored entity, and a malice-indicative group score with each entity group. Group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the respective group score may capture collective malicious behavior and trigger malware detection.
In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distribute device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
H04L 41/22 - Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
H04L 67/12 - Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
H04L 41/0816 - Configuration setting characterised by the conditions triggering a change of settings the condition being an adaptation, e.g. in response to network events
H04L 43/0876 - Network utilisation, e.g. volume of load or congestion level
H04L 67/02 - Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
H04W 4/70 - Services for machine-to-machine communication [M2M] or machine type communication [MTC]
H04L 41/0806 - Configuration setting for initial configuration or provisioning, e.g. plug-and-play
H04L 61/5014 - Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Described systems and methods enable enforcing application control remotely and automatically, on a relatively large number of client systems (e.g., a corporate network, a virtual desktop infrastructure system, etc.). An application control engine executes outside a virtual machine exposed on a client system, the application control engine configured to enforce application control within the virtual machine according to a set of control policies. When a policy indicates that a specific process is not allowable on the respective client system, the app control engine may prevent execution of the respective process. To assist in data gathering and/or other activities associated with application control, some embodiments temporarily drop a control agent into the controlled virtual machine.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
32.
Systems and methods for auditing a virtual machine
Described systems and methods enable performing software audits remotely and automatically, on a relatively large number of client systems (e.g., a corporate network, a virtual desktop infrastructure system, etc.) An audit engine executes on each client system, in a hardware virtualization configuration wherein the audit engine executes outside an audited virtual machine. When receiving an audit request from an audit server, some embodiments of the audit engine drop an audit agent into the audited virtual machine, and remove the audit agent upon completion of the audit.
Described systems and methods allow protecting a host computer system from malicious software, such as return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. In some embodiments, a processor of the host system is endowed with two counters storing a count of branch instructions and a count of inter-branch instructions, respectively, occurring within a sequence of instructions. Exemplary counted branch instructions include indirect JMP, indirect CALL, and RET on x86 platforms, while inter-branch instructions consist of instructions executed between two consecutive counted branch instructions. The processor may be further configured to generate a processor event, such as an exception, when a value stored in a counter exceeds a predetermined threshold, and/or when a branch instruction redirects execution to a critical OS function. Such events may be used as triggers for launching a malware analysis to determine whether the host system is subject to a code reuse attack.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/55 - Detecting local intrusion or implementing counter-measures
34.
Systems and methods for automatic device detection, device management, and remote assistance
In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distribute device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
Described systems and methods allow protecting a hardware virtualization system from malicious software. Some embodiments use a hybrid event notification/analysis system, wherein a first component executing within a protected virtual machine (VM) registers as a handler for processor exceptions triggered by violations of memory access permissions, and wherein a second component executing outside the respective VM registers as a handler for VM exit events. The first component filters permission violation events according to a set of rules and only notifies the second component about events which are deemed relevant to security. The second component analyzes notified events to detect malicious software.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/55 - Detecting local intrusion or implementing counter-measures
36.
Dynamic reputation indicator for optimizing computer security operations
Described systems and methods allow protecting a computer system from malware such as viruses, worms, and spyware. A reputation manager executes on the computer system concurrently with an anti-malware engine. The reputation manager associates a dynamic reputation indicator to each executable entity seen as a unique combination of individual components (e.g., a main executable and a set of loaded libraries). The reputation indicator indicates a probability that the respective entity is malicious. The reputation of benign entities may increase in time. When an entity performs certain actions which may be indicative of malicious activity, the reputation of the respective entity may drop. The anti-malware engine uses an entity-specific protocol to scan and/or monitor each target entity for malice, the protocol varying according to the entity's reputation. Entities trusted to be non-malicious may be analyzed using a more relaxed protocol than unknown or untrusted entities.
Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. Such hardware components include, among others, a memory shadower configured to detect changes to a memory connected to the first processor, and a storage shadower configured to detect an attempt to write to a non-volatile storage device of the computer system. The memory shadower and storage shadower may be used to inject a security agent into the computer system.
Described systems and methods enable a swift and efficient detection of fraudulent Internet domains, i.e., domains used to host or distribute fraudulent electronic documents such as fraudulent webpages and electronic messages. Some embodiments use a reverse IP analysis to select a set of fraud candidates from among a set of domains hosted at the same IP address as a known fraudulent domain. The candidate set is further filtered according to domain registration data. Online content hosted at each filtered candidate domain is further analyzed to identify truly fraudulent domains. A security module may then prevent users from accessing a content of such domains.
Described systems and methods enable an efficient detection and analysis of software events, especially in hardware virtualization configurations. In some embodiments, certain types of events are analyzed asynchronously, in the sense that the triggering entity is allowed to continue execution while the respective event is added to a queue for later processing. Some embodiments modify the instruction set architecture of the processor by adding a processor instruction dedicated to delivering event notifications. Such notification instructions allow for complex and flexible event detection without some of the disadvantages of conventional methods such as hooking.
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/55 - Detecting local intrusion or implementing counter-measures
Described systems and methods allow protecting a host system against malware, using hardware virtualization technology. A memory introspection engine executes at the level of a hypervisor, protecting a virtual machine (VM) from exploits targeting the call stack of a thread executing within the respective VM. The introspection engine identifies a virtual memory page reserved for the stack, but not committed to the stack, and intercepts an attempt to write to the respective page. In response to intercepting the write attempt, the memory introspection engine marks the respective page as non-executable, thus protecting the stack against exploits.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 12/14 - Protection against unauthorised use of memory
G06F 12/1009 - Address translation using page tables, e.g. page table structures
G06F 21/55 - Detecting local intrusion or implementing counter-measures
41.
Systems and methods for application control in virtualized environments
Described systems and methods enable enforcing application control remotely and automatically, on a relatively large number of client systems (e.g., a corporate network, a virtual desktop infrastructure system, etc.). An application control engine executes outside a virtual machine exposed on a client system, the application control engine configured to enforce application control within the virtual machine according to a set of control policies. When a policy indicates that a specific process is not allowable on the respective client system, the app control engine may prevent execution of the respective process. To assist in data gathering and/or other activities associated with application control, some embodiments temporarily drop a control agent into the controlled virtual machine.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
42.
Systems and methods for decrypting network traffic in a virtualized environment
Described systems and methods enable a decryption of encrypted communication between a client system and a remote party, for applications such as detection and analysis of malicious software, intrusion detection, and surveillance, among others. The client system executes a virtual machine and an introspection engine outside the virtual machine. The introspection engine is configured to identify memory pages whose contents have changed between a first session event (e.g., a ServerHello message) and a second session event (e.g., a ClientFinished message). The respective memory pages are likely to contain encryption key material for the respective communication session. A decryption engine may then attempt to decrypt an encrypted payload of the respective communication session using information derived from the content of the identified memory pages.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 12/1009 - Address translation using page tables, e.g. page table structures
H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
H04L 9/30 - Public key, i.e. encryption algorithm being computationally infeasible to invert and users' encryption keys not requiring secrecy
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
43.
Systems and methods for automatic device detection
Described systems and methods enable an automatic device detection/discovery, particularly of ‘Internet of Things’ client devices such as wearables, mobile communication devices, and smart home appliances, among others. Device detection comprises assigning a target device to a device category, such as “tablet computer from an unknown manufacturer, running Android®”. Some embodiments determine multiple preliminary category assignments according to distinct inputs such as HTTP user agent data, DHCP data, mDNS data, and MAC data. Each preliminary category assignment may come with an associated score. A definitive category assignment may be made according to an aggregate score. Applications include computer security, software provisioning, and remote device management, among others.
Described systems and methods enable performing software audits remotely and automatically, on a relatively large number of client systems (e.g., a corporate network, a virtual desktop infrastructure system, etc.) An audit engine executes on each client system, in a hardware virtualization configuration wherein the audit engine executes outside an audited virtual machine. When receiving an audit request from an audit server, some embodiments of the audit engine drop an audit agent into the audited virtual machine, and remove the audit agent upon completion of the audit.
In some embodiments, a protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client is under attack by malicious software or an intruder.
Domain generation algorithm (DGA) malware is detected by intercepting an external time request sent by a potential DGA malware host, and replacing the received real time with an accelerated (future) real time designed to trigger time-dependent DGA activity. The interception and replacement are performed outside the physical or virtual DGA host, on a different physical or virtual system such as a distinct external physical server or router, or distinct hypervisor or virtual machine running on the same physical system, in order to reduce the risk that the DGA malware identifies the time substitution. Failed DGA malware external access requests triggered only at future times are then used to identify domain names generated by the DGA malware, allowing proactive countermeasures.
Described systems and methods enable a computer security module to protect a set of guest virtual machines against computer security threats. In some embodiments, the computer security module receives introspection notifications from the protected VM, each such notification indicating that a particular trigger event (e.g., a system call) has occurred during execution of guest software within the respective VM. In some embodiments, delivering a notification comprises suspending execution of guest software and switching the processor to executing a notification handler forming part of the computer security module. Some embodiments enable a context-specific delivery of notifications, wherein the set of events triggering notifications may vary from one guest process to another.
Described systems and methods enable an efficient analysis of security-relevant events, especially in hardware virtualization platforms. In some embodiments, a notification handler detects the occurrence of an event within a virtual machine, and communicates the respective event to security software. The security software then attempts to match the respective event to a collection of behavioral and exception signatures. An exception comprises a set of conditions which, when satisfied by an tuple, indicates that the respective entity is not malicious. In some embodiments, a part of exception matching is performed synchronously (i.e., while execution of the entity that triggered the respective event is suspended), while another part of exception matching is performed asynchronously (i.e., after the triggering entity is allowed to resume execution).
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 3/06 - Digital input from, or digital output to, record carriers
49.
Systems and methods for tracking malicious behavior across multiple software entities
Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application divides a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein all members of a group are related by filiation or code injection. The security application may further associate a set of scores with each entity group. Such group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the group score may capture collective malicious behavior and trigger malware detection. In some embodiments, group membership rules vary according to whether an entity is part of a selected subset of entities including certain OS processes, browsers and file managers. When an entity is determined to be malicious, anti-malware measures may be taken against a whole group of related entities.
Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references are identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
G06F 21/55 - Detecting local intrusion or implementing counter-measures
51.
Systems and methods for delivering event-filtered introspection notifications
Described systems and methods enable a computer security module to protect a set of guest virtual machines against computer security threats. In some embodiments, the computer security module receives introspection notifications from the protected VM, each such notification indicating that a particular trigger event (e.g., a system call) has occurred during execution of guest software within the respective VM. In some embodiments, delivering a notification comprises suspending execution of guest software and switching the processor to executing a notification handler forming part of the computer security module. In some embodiments, the computer security module may indicate to the processor a selected subset of events which trigger introspection notifications.
Described systems and methods enable a computer security module to protect a set of guest virtual machines against computer security threats. In some embodiments, the computer security module receives introspection notifications from the protected VM, each such notification indicating that a particular trigger event (e.g., a system call) has occurred during execution of guest software within the respective VM. In some embodiments, delivering a notification comprises suspending execution of guest software and switching the processor to executing a notification handler forming part of the computer security module. Some embodiments of the present invention introduce a dedicated instruction for delivering introspection notifications. The instruction may be encoded such that it is interpreted as a no-operation instruction (NOP) by legacy processors and/or by processors that do not support hardware virtualization or do not currently execute in hardware virtualization mode.
Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. The described computer systems may be used in conjunction with a conventional anti-malware filter to increase throughput and/or the efficacy of malware scanning.
Described systems and methods allow protecting a computer system from computer security threats such as malware and spyware. In some embodiments, a security application executes a set of detection routines to determine whether a set of monitored entities (processes, threads, etc.) executing on the computer system comprise malicious software. The detection routines are formulated in bytecode and executed within a bytecode translation virtual machine. Execution of a detection routine comprises translating bytecode instructions of the respective routine into native processor instructions, for instance via interpretation or just-in-time compilation. Execution of the respective routines is triggered selectively, due to the occurrence of specific events within the protected client system. Detection routines may output a set of scores, which may be further used by the security application to determine whether a monitored entity is malicious.
According to one aspect, a dynamic binary instrumentation (DBI) framework is used to identify rootkits and disable their malicious functionality. A user-mode or kernel-mode anti-rootkit (ARK) engine monitors the execution of a program running on a host machine in user more or kernel mode. Upon encountering calls to certain functions that may be used by rootkits to subvert system functionality (e.g. system calls used to manage the system registry, storage/disk, processes/threads, and/or network communications), the anti-rootkit engine executes translated versions of the functions in an isolated environment and continues execution of the program under analysis using the results of the translated code execution. The translated code execution replaces the execution of original code which may or may not have been subverted by a rootkit. Isolating the stack and registers of the isolated environment impedes detection of the monitoring process by rootkits.
In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of network regulator automatically take over network services from an existing router, and install the network regulator as gateway to the local network. In response to taking over the network services, some embodiments redirect a request by a protected client system to access a remote resource to a security server configured to determine whether granting access to the resource constitutes a computer security threat to the client system.
H04L 9/06 - Arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for blockwise coding, e.g. D.E.S. systems
In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distribute device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.
Described systems and methods allow a mobile device, such as a smartphone or a tablet computer, to protect a user of the respective device from fraud and/or loss of privacy. In some embodiments, the mobile device receives from a server a risk indicator indicative of whether executing a target application causes a privacy risk. Determining the risk indicator includes automatically supplying a test input to a data field used by the target application, the data field configured to hold a private item such as a password or a geolocation indicator. Determining the risk indicator further comprises determining whether a test device executing an instance of the target application transmits an indicator of the test input, such as the test input itself or a hash of the test input, to another party on the network.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. Such hardware components include, among others, a memory shadower configured to detect changes to a memory connected to the first processor, and a storage shadower configured to detect an attempt to write to a non-volatile storage device of the computer system.
In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. Various aspects of the operation of the network regulator may be managed remotely via a graphical user interface (GUI) executing on an administration device, such as a mobile phone. The GUI is further configured to display a security notification to a user of the administration device, the security notification indicating the occurrence of a security event caused by an action of a protected client system.
Described systems and methods allow a mobile device, such as a smartphone or a tablet computer, to protect a user of the respective device from fraud and/or loss of privacy. In some embodiments, the mobile device receives from a server a risk indicator indicative of whether executing a target application causes a privacy risk. Determining the risk indicator includes automatically supplying a test input to a data field used by the target application, the data field configured to hold a private item such as a password or a geolocation indicator. Determining the risk indicator further comprises determining whether a test device executing an instance of the target application transmits an indicator of the test input, such as the test input itself or a hash of the test input, to another party on the network.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A processor is configured to generate a VM suspend event (e.g., a VM exit or a virtualization exception) when a guest instruction executing within a guest VM performs a memory access violation. In some embodiments, the processor is further configured to delay generating the VM suspend event until the execution stage of the pipeline for the guest instruction is complete, and to save results of the execution stage to a specific location (e.g. a specific processor register readable by security software) before generating the event.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
G06F 12/1027 - Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB]
G06F 12/109 - Address translation for multiple virtual address spaces, e.g. segmentation
G06F 12/14 - Protection against unauthorised use of memory
64.
Systems and methods for spam detection using frequency spectra of character strings
Described spam detection techniques including string identification, pre-filtering, and frequency spectrum and timestamp comparison steps facilitate accurate, computationally-efficient detection of rapidly-changing spam arriving in short-lasting waves. In some embodiments, a computer system extracts a target character string from an electronic communication such as a blog comment, transmits it to an anti-spam server, and receives an indicator of whether the respective electronic communication is spam or non-spam from the anti-spam server. The anti-spam server determines whether the electronic communication is spam or non-spam according to features of the frequency spectrum of the target string. Some embodiments also perform an unsupervised clustering of incoming target strings into clusters, wherein all members of a cluster have similar spectra.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
Described systems and methods allow protecting a host system against malware, using hardware virtualization technology. A memory introspection engine executes at the level of a hypervisor, protecting a virtual machine (VM) from exploits targeting the call stack of a thread executing within the respective VM. The introspection engine identifies a virtual memory page reserved for the stack, but not committed to the stack, and intercepts an attempt to write to the respective page. In response to intercepting the write attempt, the memory introspection engine marks the respective page as non-executable, thus protecting the stack against exploits.
G06F 12/00 - Accessing, addressing or allocating within memory systems or architectures
G06F 12/14 - Protection against unauthorised use of memory
G06F 12/1009 - Address translation using page tables, e.g. page table structures
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/55 - Detecting local intrusion or implementing counter-measures
Described systems and methods allow protecting a host computer system from malware, such as return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. In some embodiments, a processor of the host system is endowed with two counters configured to store a count of branch instructions and a count of inter-branch instructions, respectively, occurring within a stream of instructions fetched by the processor for execution. Exemplary counted branch instructions include indirect JMP, indirect CALL, and RET on x86 platforms, while inter-branch instructions consist of instructions executed between two consecutive counted branch instructions. The processor may be further configured to generate a processor event, such as an exception, when a value stored in a counter exceeds a predetermined threshold. Such events may be used as triggers for launching a malware analysis to determine whether the host system is subject to a code reuse attack.
In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.
Described systems and methods allow protecting a client system, such as a computer system or smartphone, from malware. In some embodiments, a network regulator device is used to distribute a bootable image of a hypervisor, on demand, to each of a set of client systems connected to a network. After booting on a client system, the hypervisor loads the local OS and applications into a virtual machine. Integrity measurements of the hypervisor and/or OS are sent to the network regulator for verification. When the network regulator determines that software executing on a client system, such as the hypervisor and/or the OS, are not in a trusted state, the network regulator may block access of the respective client system to the network.
H04L 29/06 - Communication control; Communication processing characterised by a protocol
G06F 9/44 - Arrangements for executing specific programs
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
70.
Systems and methods for executing arbitrary applications in secure environments
Described systems and methods allow protecting a host system, such as a computer system or smartphone, from malware such as viruses, exploits, and rootkits. In some embodiments, a hypervisor executes at the highest processor privilege level and displaces other software to a guest virtual machine (VM). A security application detects the launch of a target process within the guest VM. In response to the launch, the hypervisor instantiates a process VM isolated from the guest VM, and relocates the target process to the process VM. In some embodiments, when the relocated target process attempts to access a resource, such as a file or registry key, an instance of the respective resource is fetched on-demand, from the guest VM to the respective process VM. Executing the target process within an isolated environment helps to contain malware to the respective environment.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
71.
Computer security systems and methods using virtualization exceptions
Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/74 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
72.
Strongly isolated malware scanning using secure virtual containers
Described systems and methods allow protecting a host system, such as a computer or smartphone, from malware. In some embodiments, an anti-malware application installs a hypervisor, which displaces an operating system executing on the host system to a guest virtual machine (VM). The hypervisor further creates a set of virtual containers (VC), by setting up a memory domain for each VC, isolated from the memory domain of the guest VM. The hypervisor then maps a memory image of a malware scanner to each VC. When a target object is selected for scanning, the anti-malware application launches the malware scanner. Upon intercepting the launch, the hypervisor switches the memory context of the malware scanner to the memory domain of a selected VC, for the duration of the scan. Thus, malware scanning is performed within an isolated environment.
Described systems and methods allow a host system, such as a computer or a smartphone, to enable a secure environment, which can be used to carry out secure communications with a remote service provider, for applications such as online banking, e-commerce, private messaging, and online gaming, among others. A hypervisor oversees a switch between an insecure environment and the secure environment, in response to a user input, or in response to an event such as receiving a telephone call. Switching from the insecure to the secure environment comprises transitioning the insecure environment to a sleeping state and loading the secure environment from a memory image (snapshot) saved to disk, after checking the integrity of the snapshot. Switching from the secure to the insecure environment comprises transitioning the secure environment into a sleeping state and waking up the insecure environment.
Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references are identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module.
G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
G06F 21/55 - Detecting local intrusion or implementing counter-measures
G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure
Described systems and methods allow protecting a computer system from malware such as viruses, Trojans, and spyware. For each of a plurality of executable entities (such as processes and threads executing on the computer system), a scoring engine records a plurality of evaluation scores, each score determined according to a distinct evaluation criterion. Every time an entity satisfies an evaluation criterion (e.g, performs an action), the respective score of the entity is updated. Updating a score of an entity may trigger score updates of entities related to the respective entity, even when the related entities are terminated, i.e., no longer active. Related entities include, among others, a parent of the respective entity, and/or an entity injecting code into the respective entity. The scoring engine determines whether an entity is malicious according to the plurality of evaluation scores of the respective entity.
Described systems and methods allow protecting a computer system from malware, such as viruses, Trojans, and spyware. A reputation manager executes in conjunction with an anti-malware engine. The reputation manager determines a reputation of a target process executing on the computer system according to a reputation of a set of executable modules, such as shared libraries, loaded by the target process. The anti-malware engine may be configured to employ a process-specific protocol to scan the target process for malware, the protocol selected according to process reputation. Processes trusted to be non-malicious may thus be scanned using a more relaxed protocol than unknown or untrusted processes. The reputation of executable modules may be static; an indicator of module reputation may be stored and/or retrieved by a remote reputation server. Process reputation may be dynamically changeable, i.e. re-computed repeatedly by the reputation manager in response to process life-cycle and/or security events.
Described systems and methods allow a classification of electronic documents such as email messages and HTML documents, according to a document-specific text fingerprint. The text fingerprint is calculated for a text block of each target document, and comprises a sequence of characters determined according to a plurality of text tokens of the respective text block. In some embodiments, the length of the text fingerprint is forced within a pre-determined range of lengths (e.g. between 129 and 256 characters) irrespective of the length of the text block, by zooming in for short text blocks, and zooming out for long ones. Classification may include, for instance, determining whether an electronic document represents unsolicited communication (spam) or online fraud such as phishing.
Described systems and methods allow protecting a host system from malware using virtualization technology. In some embodiments, a memory introspection engine operates below a virtual machine (VM) executing on the host system. The engine is configured to analyze the content of a virtual memory page used by software executing within the VM, and/or to protect the respective content from unauthorized modification, for instance by malware. When the respective content is swapped out of memory, the memory introspection engine injects a page fault into the respective VM, to force a swap-in of the respective content.
G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs
G06F 21/79 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
79.
Process evaluation for malware detection in virtual machines
Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. An anti-malware component executes within a virtual machine (VM) exposed by a hypervisor executing on the computer system. A memory introspection engine executes outside the virtual machine, at the processor privilege level of the hypervisor, and protects a process executing within the virtual machine by write-protecting a memory page of the respective process. By combining anti-malware components executing inside and outside the respective VM, some embodiments of the present invention may use the abundance of behavioral data that inside-VM components have access to, while protecting the integrity of such components from outside the respective VM.
G06F 12/14 - Protection against unauthorised use of memory
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Described systems and methods allow a classification of electronic documents such as email messages and HTML documents, according to a document-specific text fingerprint. The text fingerprint is calculated for a text block of each target document, and comprises a sequence of characters determined according to a plurality of text tokens of the respective text block. In some embodiments, the length of the text fingerprint is forced within a pre-determined range of lengths (e.g. between 129 and 256 characters) irrespective of the length of the text block, by zooming in for short text blocks, and zooming out for long ones. Classification may include, for instance, determining whether an electronic document represents unsolicited communication (spam) or online fraud such as phishing.
Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses an protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
In some embodiments, a malware detecting system is configured to conduct an iterative, collaborative scan of a target object (computer file or process), comprising a server-side scan and a client-side scan, and to assess the malware status of the target object according to the results of the client-side and server-side scans. The client-side scan comprises computationally-intensive operations such as virtual-environment emulation, decryption and data compression methods, while the server-side scan comprises database-intensive operations such as hash lookups. The information exchanged between client and server systems may be limited to relatively-compact data, such as hashes, which may amount to a few bytes per target object. Exemplary methods and systems described herein allow storing malware signature databases on the server side, thus reducing the burden of frequently delivering data-heavy signature updates to large numbers of customers, without requiring the server side to perform computationally-intensive scanning tasks for large numbers of customers.
A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
H04L 29/06 - Communication control; Communication processing characterised by a protocol
Described systems and methods allow the detection and prevention of malware and/or malicious activity within a network comprising multiple client computer systems, such as an enterprise network with multiple endpoints. Each endpoint operates a hardware virtualization platform, including a hypervisor exposing a client virtual machine (VM) and a security VM. The security VM is configured to have exclusive use of the network adapter(s) of the respective endpoint, and to detect whether data traffic to/from the client VM comprises malware or is indicative of malicious behavior. Upon detecting malware/malicious behavior, the security VM may block access of the client VM to the network, thus preventing the spread of malware to other endpoints. The client system may further comprise a memory introspection engine configured to perform malware scanning of the client VM from the level of the hypervisor.
In some embodiments, a phishing detection method includes computing a first phishing indicator of a target webpage; when the target webpage is considered suspicious of phishing according to the first phishing indicator, computing a second phishing indicator of the target webpage, and deciding whether the webpage is a phishing site according to the first and second phishing indicators. Computing the second phishing indicator comprises comparing a word content (semantic content) of the target webpage to a word content of each of a plurality of reference webpages. Comparing the word contents may include counting the number of visible words which are common to the target and reference webpages, and/or computing a ratio of a number of words which are common to the target and reference webpages to the total number of words in both the target and reference webpages.
In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.
A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.
In some embodiments, a graphical user interface (GUI) of a computer security application is automatically configured according to a user profile of the user. Upon installation of the computer security application, a desired GUI complexity questionnaire is displayed to the user. The application then matches the user to a user profile out of a set of predefined user profiles, according to the user's answers to the questionnaire. User profiles reflect a user's desired complexity of display and control (e.g. Novice/Intermediate/Expert, Basic/Intermediate/Advanced). The information displayed and application controls provided by the GUI window vary in detail according to the user profile. Selecting a user profile propagates multiple individually-user-configurable display and control settings of the GUI, as well as under-the-hood (non-GUI) settings of the anti-malware application.
G06F 3/0484 - Interaction techniques based on graphical user interfaces [GUI] for the control of specific functions or operations, e.g. selecting or manipulating an object, an image or a displayed text element, setting a parameter value or selecting a range
90.
Systems and methods for dynamically integrating heterogeneous anti-spam filters
In some embodiments, a spam filtering method includes computing the relevance of each of a plurality of anti-spam filters according to a relevance parameter set, and deciding whether an electronic message is spam or non-spam according to the relevancies and individual classification scores generated by the anti-spam filters. The relevance of an anti-spam filter indicates the degree to which a classification score produced by that particular filter determines the final classification of a given message. The relevance parameter set of each anti-spam filter may include, among others, a training maturity indicative of the degree of training of the filter, a filter update age indicative of the time elapsed since the latest update of the filter, a false-positive classification indicator, and a false-negative classification indicator of the anti-spam filter.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
G06F 15/173 - Interprocessor communication using an interconnection network, e.g. matrix, shuffle, pyramid, star or snowflake
91.
Systems and methods for spam detection using frequency spectra of character strings
Described spam detection techniques including string identification, pre-filtering, and frequency spectrum and timestamp comparison steps facilitate accurate, computationally-efficient detection of rapidly-changing spam arriving in short-lasting waves. In some embodiments, a computer system extracts a target character string from an electronic communication such as a blog comment, transmits it to an anti-spam server, and receives an indicator of whether the respective electronic communication is spam or non-spam from the anti-spam server. The anti-spam server determines whether the electronic communication is spam or non-spam according to features of the frequency spectrum of the target string. Some embodiments also perform an unsupervised clustering of incoming target strings into clusters, wherein all members of a cluster have similar spectra.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
Described spam detection techniques including string identification, pre-filtering, and character histogram and timestamp comparison steps facilitate accurate, computationally-efficient detection of rapidly-changing spam arriving in short-lasting waves. In some embodiments, a computer system extracts a target character string from an electronic communication such as a blog comment, transmits it to an anti-spam server, and receives an indicator of whether the respective electronic communication is spam or non-spam from the anti-spam server. The anti-spam server determines whether the electronic communication is spam or non-spam according to certain features of the character histogram of the target string. Some embodiments also perform an unsupervised clustering of incoming target strings into clusters, wherein all members of a cluster have similar character histograms.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
H04L 29/06 - Communication control; Communication processing characterised by a protocol
93.
Online fraud detection dynamic scoring aggregation systems and methods
In some embodiments, an online fraud prevention system combines the output of several distinct fraud filters, to produce an aggregate score indicative of the likelihood that a surveyed target document (e.g. webpage, email) is fraudulent. Newly implemented fraud filters can be incorporated and ageing fraud filters can be phased out without the need to recalculate individual scores or to renormalize the aggregate fraud score. Every time the output of an individual filter is calculated, the aggregate score is updated in a manner which ensures the aggregate score remains within predetermined bounds defined by a minimum allowable score and a maximum allowable score (e.g., 0 to 100).
In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.
In some embodiments, antivirus/malware behavior-based scanning (emulation) is accelerated by identifying known code sequences and executing pre-stored native-code routines (e.g. decompression, decryption, checksum routines) implementing the functionality of the known code sequences before returning to the emulation. During emulation, target machine code instructions are compared to a set of known signatures. If a known code sequence is identified, the emulator calls a native code routine and caches the current instruction address. If the emulator subsequently reaches a cached address, a native code routine may be called without scanning the data at the address for known signatures. Signature scanning may be performed selectively for instructions following code flow changes (e.g. after jump, call or interrupt instructions). The emulator may also call native-code routines implementing virtual operating system calls, and native-code unpacked file reconstruction routines that reconstruct unpacked files from the contents of virtual memory for scanning by a content-based malware scanner.
In some embodiments, image spam is identified by comparing color histograms of suspected spam images with color histograms of reference (known) images. The histogram comparison includes comparing a first color content in a query image with a range of similar color contents in the reference image. For example, a pixel count for a given color in the query image may be compared to pixel counts for a range of similar colors in the reference image. A histogram distance between two images may be determined according to a computed pixel count difference between the given query histogram color and a selected color in the range of similar reference histogram colors.
In some embodiments, a streaming message classification method dynamically allocates a stream of messages to a variable number of clusters (e.g. message categories), each containing messages which share a set of similar features. Incoming messages are compared to a collection of known spam clusters. New spam types are identified, and new clusters are created automatically and dynamically in order to accommodate the new spam types. Message clustering is performed in a hyperspace of message feature vectors using a modified k-means algorithm. Triangle inequality distance comparisons may be used to accelerate hyperspace distance calculations.
G06E 1/00 - Devices for processing exclusively digital data
G06E 3/00 - Devices not provided for in group , e.g. for processing analogue or hybrid data
G06F 15/18 - in which a program is changed according to experience gained by the computer itself during a complete run; Learning machines (adaptive control systems G05B 13/00;artificial intelligence G06N)
G06G 7/00 - Devices in which the computing operation is performed by varying electric or magnetic quantities
In some embodiments, antivirus/malware behavior-based scanning (emulation) is accelerated by identifying known code sequences and executing pre-stored native-code routines (e.g. decompression, decryption, checksum routines) implementing the functionality of the known code sequences before returning to the emulation. During emulation, target machine code instructions are compared to a set of known signatures. If a known code sequence is identified, the emulator calls a native code routine and caches the current instruction address. If the emulator subsequently reaches a cached address, a native code routine may be called without scanning the data at the address for known signatures. Signature scanning may be performed selectively for instructions following code flow changes (e.g. after jump, call or interrupt instructions). The emulator may also call native-code routines implementing virtual operating system calls, and native-code unpacked file reconstruction routines that reconstruct unpacked files from the contents of virtual memory for scanning by a content-based malware scanner.
In some embodiments, a spam filtering method includes computing a pattern relevance for each of a set of message feature patterns, and using a neural network filter to classify incoming messages as spam or ham according to the pattern relevancies. Each message feature pattern is characterized by the simultaneous presence within a message of a specific set of message features (e.g., the presence of certain keywords within the message body, various message header heuristics, various message layout features, etc.). Each message feature may be spam- or ham-identifying, and may receive a tunable feature relevance weight from an external source (e.g. data file and/or human operator). The external feature relevance weights modulate the set of neuronal weights calculated through a training process of the neural network.
G06F 15/18 - in which a program is changed according to experience gained by the computer itself during a complete run; Learning machines (adaptive control systems G05B 13/00;artificial intelligence G06N)
100.
Line-structure-based electronic communication filtering systems and methods
In some embodiments, a layout-based electronic communication classification (e.g. spam filtering) method includes generating a layout vector characterizing a layout of a message, assigning the message to a selected cluster according to a hyperspace distance between the layout vector and a central vector of the selected cluster, and classifying the message (e.g. labeling as spam or non-spam) according to the selected cluster. The layout vector is a message representation characterizing a set of relative positions of metaword substructures of the message, as well as metaword substructure counts. Examples of metaword substructures include MIME parts and text lines. For example, a layout vector may have a first component having scalar axes defined by numerical layout feature counts (e.g. numbers of lines, blank lines, links, email addresses), and a second vector component including a line-structure list and a formatting part (e.g. MIME part) list.
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs