Bitdefender IPR Management Ltd.

Cyprus

1-53 of 53 for Bitdefender IPR Management Ltd.
Query
Patent
World - WIPO
Date
2024 (YTD) 1
2023 3
2022 3
2021 1
2020 9
IPC Class
H04L 29/06 - Communication control; Communication processing characterised by a protocol 20
G06F 21/55 - Detecting local intrusion or implementing counter-measures 16
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements 15
G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine 12
G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines 7

1.

AGGREGATE EVENT PROFILES FOR DETECTING MALICIOUS MOBILE APPLICATIONS

      
Application Number EP2023072883
Publication Number 2024/042011
Status In Force
Filing Date 2023-08-21
Publication Date 2024-02-29
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Tivadar, Marius M.
  • Bocereg, Alexandra S.
  • Gosa, Razvan G.

Abstract

Described systems and methods protect client devices such as personal computers and IoT devices against malicious software. In some embodiments, a plurality of client devices report the occurrence of various events to a security server, each such event caused by a local instance of a target application (e.g., mobile app) executing on a respective device. The security server then collates the behavior of the respective target application across the plurality of client devices. Some embodiments compute an aggregate event set and/or sequence combining events detected on one device with events detected on other devices, and determine whether the target application is malicious according to the aggregate event set/sequence.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

2.

PRIVACY-PRESERVING FILTERING OF ENCRYPTED TRAFFIC

      
Application Number EP2023061924
Publication Number 2023/227350
Status In Force
Filing Date 2023-05-05
Publication Date 2023-11-30
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Craciun, Ovidiu M.
  • Firuti, Bogdan C.
  • Fetti, Daniel I. A.
  • Cernat, Constantin D.

Abstract

Described systems and methods protect client devices such as personal computers and IoT devices against harmful or inappropriate Internet content. When a client uses an encrypted handshake to hide the identity of the end server, e.g., in applications implementing an encrypted client hello (ECH), some embodiments employ a modified DNS server to provide a surrogate key to the client instead of the genuine handshake key. A traffic filter executing for instance on a network gateway may then intercept and decrypt the handshake and apply an access policy to selectively allow or deny access to the respective end server. When access is allowed, the traffic filter may re-encrypt the server identifier using the genuine handshake key before forwarding the handshake to its destination. Communication privacy is maintained since the illustrated methods only decrypt the handshake, and not the actual payload.

3.

SYSTEMS AND METHODS OF CONTROLLING INTERNET ACCESS USING ENCRYPTED DNS

      
Application Number EP2022085576
Publication Number 2023/110844
Status In Force
Filing Date 2022-12-13
Publication Date 2023-06-22
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Boca, Paul Daniel
  • Craciun, Marius
  • Cernat, Constantin Daniel
  • Buda, Adrian

Abstract

Described systems and methods enable protecting client devices (e.g., personal computers and IoT devices) implementing encrypted DNS protocols against harmful or inappropriate Internet content. A DNS proxy intercepts an attempt to establish an encrypted communication session between a client device and a DNS server. Without decrypting any communications, some embodiments of the DNS proxy determine an identifier of the respective session and an identifier of the client device, and send a query tracer connecting the session identifier with the client identifier to a security server. In some embodiments, the security server obtains the domain name included in an encrypted DNS query from the DNS server and instructs the DNS server to allow or block access of the client device to the respective Internet domain according to a device- and/or user-specific access policy.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 61/59 - Network arrangements, protocols or services for addressing or naming using proxies for addressing

4.

PRIVACY-PRESERVING DOMAIN NAME SERVICE (DNS)

      
Application Number EP2021080380
Publication Number 2023/078529
Status In Force
Filing Date 2021-11-02
Publication Date 2023-05-11
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Burceanu, Elena
  • Bolboceanu, Mădălina
  • Haller, Emanuela
  • Roşca, Georgiana Miruna
  • Titiu, Radu

Abstract

Described systems and methods allow carrying out privacy-preserving DNS exchanges. In some embodiments, a client machine engages in a private information retrieval (PIR) exchange with a nameserver. In response to receiving an encrypted query from the client, the query formulated according to a domain name, the nameserver may extract a record (e.g., an IP address) from a domain name database without decrypting the respective query. Some embodiments achieve such information retrieval by the use of homomorphic encryption.

IPC Classes

  • H04L 9/40 - Network security protocols
  • H04L 61/4511 - Network directories; Name-to-address mapping using standardised directory access protocols using domain name system [DNS]
  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

5.

ANOMALY DETECTION SYSTEMS AND METHODS

      
Application Number EP2022058130
Publication Number 2022/214348
Status In Force
Filing Date 2022-03-28
Publication Date 2022-10-13
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Andrei M., Manolache
  • Florin M., Brad
  • Alexandru, Novac
  • Elena, Burceanu

Abstract

Some embodiments employ a novel procedure of training an artificial intelligence system (e.g., set of deep neural networks) for anomaly detection in applications such as natural language processing and computer security. Token sequences selected from a training corpus are distorted according to at least one of a plurality of pre-determined sequence transformations, before being fed to a sequence analyzer. In turn, the sequence analyzer is trained to correctly guess which transformation was used to generate the respective input token sequence.

6.

PRIVACY-PRESERVING IMAGE DISTRIBUTION

      
Application Number EP2021068655
Publication Number 2022/008507
Status In Force
Filing Date 2021-07-06
Publication Date 2022-01-13
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Burceanu, Elena
  • Bolboceanu, Mădălina
  • Haller, Emanuela
  • Rosca, Georgiana M.
  • Cebere, Bogdan
  • Titiu, Radu

Abstract

Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

7.

IMAGE DISTRIBUTION USING COMPOSITE RE-ENCRYPTED IMAGES

      
Application Number EP2021068657
Publication Number 2022/008509
Status In Force
Filing Date 2021-07-06
Publication Date 2022-01-13
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Burceanu, Elena
  • Bolboceanu, Mădălina
  • Haller, Emanuela
  • Rosca, Georgiana M.
  • Cebere, Bogdan
  • Titiu, Radu

Abstract

Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.

IPC Classes

  • H04L 9/00 - Arrangements for secret or secure communications; Network security protocols
  • G09C 5/00 - Ciphering or deciphering apparatus or methods not provided for in other groups of this subclass, e.g. involving the concealment or deformation of graphic data such as designs, written or printed messages
  • H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

8.

MACHINE LEARNING SYSTEMS AND METHODS FOR REDUCING THE FALSE POSITIVE MALWARE DETECTION RATE

      
Application Number EP2021060293
Publication Number 2021/214092
Status In Force
Filing Date 2021-04-21
Publication Date 2021-10-28
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Dichiu, Daniel
  • Dincu, Andreea
  • Botarleanu, Robert-Mihail
  • Zamfir, Sorina N.
  • Bosinceanu, Elena A.
  • Prejbeanu, Razvan

Abstract

In some embodiments, a behavior classifier comprises a set of neural networks trained to determine whether a monitored software entity is malicious according to a sequence of computing events caused by the execution of the respective entity. When the behavior classifier indicates that the entity is malicious, some embodiments execute a memory classifier comprising another set of neural networks trained to determine whether the monitored entity is malicious according to a memory snapshot of the monitored entity. Applying the classifiers in sequence may substantially reduce the false positive detection rate, while reducing computational costs.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

9.

SYSTEMS AND METHODS FOR USING DNS MESSAGES TO SELECTIVELY COLLECT COMPUTER FORENSIC DATA

      
Application Number EP2020068644
Publication Number 2020/229707
Status In Force
Filing Date 2020-07-02
Publication Date 2020-11-19
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Mircescu, Daniel-Alexandru

Abstract

Described systems and methods allow a selective collection of computer security data from client devices such as personal computers, smartphones, and Internet of Things (IoT) devices. A security application executing on each client device comprises a domain name service (DNS) proxy that tags outgoing DNS messages with a client ID. The DNS server selects a client for data collection by returning a DNS reply comprising a service activation flag. Some embodiments thus enable a per-DNS-message selectivity of data collection. In some embodiments, subsequent network access requests by the selected clients are re-routed to a security server for analysis.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  • H04L 12/58 - Message switching systems

10.

PARENTAL CONTROL SYSTEMS AND METHODS FOR DETECTING AN EXPOSURE OF CONFIDENTIAL INFORMATION

      
Application Number EP2020062440
Publication Number 2020/225258
Status In Force
Filing Date 2020-05-05
Publication Date 2020-11-12
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Mircescu, Daniel-Alexandru

Abstract

Some embodiments use text and/or image processing methods to determine whether a child is transmitting confidential information to a conversation partner via an electronic messaging service. Some embodiments detect whether an image transmitted as part of an electronic message shows a bank card, a social security card, or an identity document, among others. When detecting such a situation, some embodiments automatically send a notification to a third party (e.g., parent, teacher, etc.).

IPC Classes

  • H04W 12/00 - Security arrangements; Authentication; Protecting privacy or anonymity
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  • H04L 12/58 - Message switching systems

11.

ANTI-CYBERBULLYING SYSTEMS AND METHODS

      
Application Number EP2020051290
Publication Number 2020/152106
Status In Force
Filing Date 2020-01-20
Publication Date 2020-07-30
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Miron, Adrian
  • Zavoiu, Viorel
  • Afloarei, Andrei M.
  • Patru, Elena M.
  • Botezatu, Loredana
  • Bugoiu, Bogdan
  • Holban, Liviu A.

Abstract

Some embodiments use text and/or image processing methods to determine whether a user of an electronic messaging platform is subject to an online threat such as cyberbullying, sexual grooming, and identity theft, among others. In some embodiments, a text content of electronic messages is automatically harvested and aggregated into conversations. Conversation data are then analyzed to extract various threat indicators. A result of a text analysis may be combined with a result of an analysis of an image transmitted as part of the respective conversation. When a threat is detected, some embodiments automatically send a notification to a third party (e.g., parent, teacher, etc.).

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

12.

PARENTAL CONTROL SYSTEMS AND METHODS FOR DETECTING AN EXPOSURE OF CONFIDENTIAL INFORMATION

      
Application Number EP2020051292
Publication Number 2020/152108
Status In Force
Filing Date 2020-01-20
Publication Date 2020-07-30
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Minea, Cristian
  • Ion, Cristian
  • Miron, Adrian
  • Zavoiu, Viorel
  • Holban, Liviu A.
  • Bugoiu, Bogdan

Abstract

Some embodiments use text and/or image processing methods to determine whether a child is transmitting confidential information to a conversation partner via an electronic messaging service. Some embodiments detect whether an image transmitted as part of an electronic message shows a bank card, a social security card, or an identity document, among others. When detecting such a situation, some embodiments automatically send a notification to a third party (e.g., parent, teacher, etc.).

IPC Classes

  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules
  • H04W 12/02 - Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/08 - Transmission control procedure, e.g. data link level control procedure

13.

SYSTEMS AND METHODS FOR BEHAVIORAL THREAT DETECTION

      
Application Number EP2019084310
Publication Number 2020/120427
Status In Force
Filing Date 2019-12-10
Publication Date 2020-06-18
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Dichiu, Daniel
  • Niculae, Stefan
  • Bosinceanu, Elena A.
  • Zamfir, Sorina N.
  • Dincu, Andreea
  • Apostoae, Andrei A.

Abstract

In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the respective client profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

14.

SYSTEMS AND METHODS FOR BEHAVIORAL THREAT DETECTION

      
Application Number EP2019084311
Publication Number 2020/120428
Status In Force
Filing Date 2019-12-10
Publication Date 2020-06-18
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Dichiu, Daniel
  • Niculae, Stefan
  • Bosinceanu, Elena A.
  • Zamfir, Sorina N.
  • Dincu, Andreea
  • Apostoae, Andrei A.

Abstract

In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the respective client profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

15.

SYSTEMS AND METHODS FOR BEHAVIORAL THREAT DETECTION

      
Application Number EP2019084312
Publication Number 2020/120429
Status In Force
Filing Date 2019-12-10
Publication Date 2020-06-18
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Dichiu, Daniel
  • Niculae, Stefan
  • Bosinceanu, Elena A.
  • Zamfir, Sorina N.
  • Dincu, Andreea
  • Apostoae, Andrei A.

Abstract

In some embodiments, a behavioral computer security system protects clients and networks against threats such as malicious software and intrusion. A set of client profiles is constructed according to a training corpus of events occurring on clients, wherein each client profile represents a subset of protected machines, and each client profile is indicative of a normal or baseline pattern of using the machines assigned to the respective client profile. A client profile may group together machines having a similar event statistic. Following training, events detected on a client are selectively analyzed against a client profile associated with the respective client, to detect anomalous behavior. In some embodiments, individual events are analyzed in the context of other events, using a multi-dimensional event embedding space.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

16.

SYSTEMS AND METHODS FOR REPORTING COMPUTER SECURITY INCIDENTS

      
Application Number IB2019056172
Publication Number 2020/016834
Status In Force
Filing Date 2019-07-18
Publication Date 2020-01-23
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Warmenhoven, Adrianus
  • Hofstede, Richard J.

Abstract

inter alia, to the analysis of high-volume network flows in corporate networks. In some embodiments, flows are pre-tagged with extra metadata to facilitate detection of malware and/or intrusion.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/26 - Monitoring arrangements; Testing arrangements
  • H04L 12/24 - Arrangements for maintenance or administration
  • G05B 23/02 - Electric testing or monitoring

17.

SYSTEMS AND METHODS FOR TRANSLATING NATURAL LANGUAGE SENTENCES INTO DATABASE QUERIES

      
Application Number EP2019066794
Publication Number 2020/002309
Status In Force
Filing Date 2019-06-25
Publication Date 2020-01-02
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Traian, Rebedea
  • Elena, Burceanu
  • Florin, Brad

Abstract

Described systems and methods allow an automatic translation from a natural language (e.g., English) into an artificial language such as a structured query language (SQL). In some embodiments, a translator module includes an encoder component and a decoder component, both components comprising recurrent neural networks. Training the translator module comprises two stages. A first stage trains the translator module to produce artificial language (AL) output when presented with an AL input. For instance, the translator is first trained to reproduce an AL input. A second stage of training comprises training the translator to produce AL output when presented with a natural language (NL) input.

18.

SECURE STORAGE DEVICE

      
Application Number EP2018070692
Publication Number 2019/025423
Status In Force
Filing Date 2018-07-31
Publication Date 2019-02-07
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Turicu, Dan-Cristian

Abstract

Described systems and methods allow protecting a host system against computer security threats, and in particular against ransomware and unauthorized access to private data. In some embodiments, a conventional non-volatile storage unit (e.g., magnetic, optical, or solid state drive) is paired with a dedicated security processor, forming a secure storage device which may connect to the primary processor of the host system via a conventional storage interface, such as a SATA, PCI, or USB connector. The primary processor and the security processor exchange messages and data via the storage interface. The security processor controls access of the primary processor to the storage unit, and may execute security and data encryption operations.

IPC Classes

  • G06F 21/60 - Protecting data
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 3/06 - Digital input from, or digital output to, record carriers
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 17/30 - Information retrieval; Database structures therefor

19.

EVENT FILTERING FOR VIRTUAL MACHINE SECURITY APPLICATIONS

      
Application Number EP2017083579
Publication Number 2018/114970
Status In Force
Filing Date 2017-12-19
Publication Date 2018-06-28
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Lutas, Andrei-Vlad

Abstract

Described systems and methods allow protecting a hardware virtualization system from malicious software. Some embodiments use a hybrid event notification/analysis system, wherein a first component executing within a protected virtual machine (VM) registers as a handler for processor exceptions triggered by violations of memory access permissions, and wherein a second component executing outside the respective VM registers as a handler for VM exit events. The first component filters permission violation events according to a set of rules and only notifies the second component about events which are deemed relevant to security. The second component analyzes notified events to detect malicious software.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

20.

DYNAMIC REPUTATION INDICATOR FOR OPTIMIZING COMPUTER SECURITY OPERATIONS

      
Application Number EP2017077390
Publication Number 2018/077996
Status In Force
Filing Date 2017-10-26
Publication Date 2018-05-03
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Hajmasan, Gheorghe-Florin
  • Mondoc, Alexandra
  • Portase, Radu-Marian

Abstract

Described systems and methods allow protecting a computer system from malware such as viruses, worms, and spyware. A reputation manager executes on the computer system concurrently with an anti-malware engine. The reputation manager associates a dynamic reputation indicator to each executable entity seen as a unique combination of individual components (e.g., a main executable and a set of loaded libraries). The reputation indicator indicates a probability that the respective entity is malicious. The reputation of benign entities may increase in time. When an entity performs certain actions which may be indicative of malicious activity, the reputation of the respective entity may drop. The anti-malware engine uses an entity-specific protocol to scan and/or monitor each target entity for malice, the protocol varying according to the entity's reputation. Entities trusted to be non-malicious may be analyzed using a more relaxed protocol than unknown or untrusted entities.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

21.

SYSTEM AND METHODS FOR DETECTING ONLINE FRAUD

      
Application Number EP2017067192
Publication Number 2018/011104
Status In Force
Filing Date 2017-07-10
Publication Date 2018-01-18
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Damian, Alin-Octavian

Abstract

Described systems and methods enable a swift and efficient detection of fraudulent Internet domains, i.e., domains used to host or distribute fraudulent electronic documents such as fraudulent webpages and electronic messages. Some embodiments use a reverse IP analysis to select a set of fraud candidates from among a set of domains hosted at the same IP address as a known fraudulent domain. The candidate set is further filtered according to domain registration data. Online content hosted at each filtered candidate domain is further analyzed to identify truly fraudulent domains. A security module may then prevent users from accessing a content of such domains.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

22.

SYSTEM AND METHODS FOR DECRYPTING NETWORK TRAFFIC IN A VIRTUALIZED ENVIRONMENT

      
Application Number EP2017057422
Publication Number 2017/174418
Status In Force
Filing Date 2017-03-29
Publication Date 2017-10-12
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Caragea, Radu

Abstract

Described systems and methods enable a decryption of encrypted communication between a client system and a remote party, for applications such as detection and analysis of malicious software, intrusion detection, and surveillance, among others. The client system executes a virtual machine and an introspection engine outside the virtual machine. The introspection engine is configured to identify memory pages whose contents have changed between a first session event (e.g., a ServerHello message) and a second session event (e.g., a ClientFinished message). The respective memory pages are likely to contain encryption key material for the respective communication session. A decryption engine may then attempt to decrypt an encrypted payload of the respective communication session using information derived from the content of the identified memory pages.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

23.

SYSTEM AND METHODS FOR AUTOMATIC DEVICE DETECTION

      
Application Number EP2017057471
Publication Number 2017/167836
Status In Force
Filing Date 2017-03-29
Publication Date 2017-10-05
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Cebere, Bogdan-Constantin

Abstract

Described systems and methods enable an automatic device detection/discovery, particularly of 'Internet of Things' client devices such as wearables, mobile communication devices, and smart home appliances, among others. Device detection comprises assigning a target device to a device category, such as "tablet computer from an unknown manufacturer, running Android®". Some embodiments determine multiple preliminary category assignments according to distinct inputs such as HTTP user agent data, DHCP data, mDNS data, and MAC data. Each preliminary category assignment may come with an associated score. A definitive category assignment may be made according to an aggregate score. Applications include computer security, software provisioning, and remote device management, among others.

IPC Classes

  • H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

24.

SYSTEM AND METHODS FOR AUDITING A VIRTUAL MACHINE

      
Application Number EP2017050112
Publication Number 2017/118648
Status In Force
Filing Date 2017-01-04
Publication Date 2017-07-13
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Lutas, Andrei-Vlad
  • Anichitei, Ionel C.

Abstract

Described systems and methods enable performing software audits remotely and automatically, on a relatively large number of client systems (e.g., a corporate network, a virtual desktop infrastructure system, etc.) An audit engine executes on each client system, in a hardware virtualization configuration wherein the audit engine executes outside an audited virtual machine. When receiving an audit request from an audit server, some embodiments of the audit engine drop an audit agent into the audited virtual machine, and remove the audit agent upon completion of the audit.

IPC Classes

  • G06F 9/50 - Allocation of resources, e.g. of the central processing unit [CPU]
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

25.

DUAL MEMORY INTROSPECTION FOR SECURING MULTIPLE NETWORK ENDPOINTS

      
Application Number EP2016081697
Publication Number 2017/103254
Status In Force
Filing Date 2016-12-19
Publication Date 2017-06-22
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lutas, Dan-Horea
  • Lukacs, Sandor
  • Ticle, Daniel-Ioan
  • Ciocas, Radu-Ioan
  • Anichitei, Ionel-Cristinel

Abstract

Described systems and methods enable protecting multiple client systems (e.g., a corporate network) from computer security threats such as malicious software and intrusion. In some embodiments, each protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client is under attack by malicious software or an intruder.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

26.

SYSTEM AND METHODS FOR DETECTING DOMAIN GENERATION ALGORITHM (DGA) MALWARE

      
Application Number EP2016076343
Publication Number 2017/076859
Status In Force
Filing Date 2016-11-02
Publication Date 2017-05-11
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Minea, Octavian Mihai
  • Vatamanu, Cristina
  • Benchea, Mihai-Razvan
  • Gavrilut, Dragos-Teodor

Abstract

Domain generation algorithm (DGA) malware is detected by intercepting an external time request sent by a potential DGA malware host, and replacing the received real time with an accelerated (future) real time designed to trigger time-dependent DGA activity. The interception and replacement are performed outside the physical or virtual DGA host, on a different physical or virtual system such as a distinct external physical server or router, or distinct hypervisor or virtual machine running on the same physical system, in order to reduce the risk that the DGA malware identifies the time substitution. Failed DGA malware external access requests triggered only at future times are then used to identify domain names generated by the DGA malware, allowing proactive countermeasures.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

27.

SYSTEMS AND METHODS FOR TRACKING MALICIOUS BEHAVIOR ACROSS MULTIPLE SOFTWARE ENTITIES

      
Application Number EP2016065737
Publication Number 2017/016814
Status In Force
Filing Date 2016-07-04
Publication Date 2017-02-02
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Hajmasan, Gheorghe-Florin
  • Portase, Radu-Marian

Abstract

Described systems and methods allow protecting a computer system from malicious software. In some embodiments, a security application divides a set of monitored executable entities (e.g., processes) into a plurality of groups, wherein all members of a group are related by filiation or code injection. The security application may further associate a set of scores with each entity group. Such group scores may be incremented when a member of the respective group performs certain actions. Thus, even though actions performed by individual members may not be malware-indicative per se, the group score may capture collective malicious behavior and trigger malware detection. In some embodiments, group membership rules vary according to whether an entity is part of a selected subset of entities including certain OS processes, browsers and file managers. When an entity is determined to be malicious, anti-malware measures may be taken against a whole group of related entities.

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

28.

COMPUTER SECURITY SYSTEMS AND METHODS USING ASYNCHRONOUS INTROSPECTION EXCEPTIONS

      
Application Number EP2016066745
Publication Number 2017/009415
Status In Force
Filing Date 2016-07-14
Publication Date 2017-01-19
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Sirb, Cristian-Bogdan
  • Lutas, Andrei-Vlad

Abstract

Described systems and methods enable an efficient analysis of security-relevant events, especially in hardware virtualization platforms. In some embodiments, a notification handler detects the occurrence of an event within a virtual machine, and communicates the respective event to security software. The security software then attempts to match the respective event to a collection of behavioral and exception signatures. An exception comprises a set of conditions which, when satisfied by an tuple, indicates that the respective entity is not malicious. In some embodiments, a part of exception matching is performed synchronously (i.e., while execution of the entity that triggered the respective event is suspended), while another part of exception matching is performed asynchronously (i.e., after the triggering entity is allowed to resume execution).

IPC Classes

  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/54 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by adding security routines or objects to programs

29.

BEHAVIORAL MALWARE DETECTION USING AN INTERPRETER VIRTUAL MACHINE

      
Application Number EP2016062882
Publication Number 2016/198392
Status In Force
Filing Date 2016-06-07
Publication Date 2016-12-15
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Hajmasan, Gheorghe-Florin
  • Lukacs, Sandor
  • Fulop, Botond

Abstract

Described systems and methods allow protecting a computer system from computer security threats such as malware and spyware. In some embodiments, a security application executes a set of detection routines to determine whether a set of monitored entities (processes, threads, etc.) executing on the computer system comprise malicious software. The detection routines are formulated in bytecode and executed within a bytecode translation virtual machine. Execution of a detection routine comprises translating bytecode instructions of the respective routine into native processor instructions, for instance via interpretation or just-in-time compilation. Execution of the respective routines is triggered selectively, due to the occurrence of specific events within the protected client system. Detection routines may output a set of scores, which may be further used by the security application to determine whether a monitored entity is malicious.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

30.

CASCADING CLASSIFIERS FOR COMPUTER SECURITY APPLICATIONS

      
Application Number EP2016060244
Publication Number 2016/184702
Status In Force
Filing Date 2016-05-07
Publication Date 2016-11-24
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Gavrilut, Dragos-Teodor
  • Vatamanu, Cristina
  • Cosovan, Doina
  • Luchian, Henri

Abstract

Described systems and methods allow a computer security system to automatically classify target objects using a cascade of trained classifiers, for applications including malware, spam, and/or fraud detection. The cascade comprises several levels, each level including a set of classifiers. Classifiers are trained in the predetermined order of their respective levels. Each classifier is trained to divide a corpus of records into a plurality of record groups so that a substantial proportion (e.g., at least 95%, or all) of the records in one such group are members of the same class. Between training classifiers of consecutive levels of the cascade, a set of training records of the respective group is discarded from the training corpus. When used to classify an unknown target object, some embodiments employ the classifiers in the order of their respective levels.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

31.

COMPUTER SECURITY SYSTEMS AND METHODS USING HARDWARE-ACCELERATED ACCESS TO GUEST MEMORY FROM BELOW THE OPERATING SYSTEM

      
Application Number RO2015050007
Publication Number 2016/118031
Status In Force
Filing Date 2015-08-11
Publication Date 2016-07-28
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Lutas, Andrei-Vlad

Abstract

Described systems and methods allow computer security software to access a memory of a host system with improved efficiency. A processor and a memory management unit (MMU) of the host system may be configured to perform memory access operations (read/write) in a target memory context, which may differ from the implicit memory context of the currently executing process. In some embodiments, the instruction set of the processor is extended to include new categories of instructions, which, when called from outside a guest virtual machine (VM) exposed by the host system, instruct the processor of the host system to perform memory access directly in a guest context, e.g., in a memory context of a process executing within the guest VM.

IPC Classes

  • G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
  • G06F 12/1027 - Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB]
  • G06F 12/109 - Address translation for multiple virtual address spaces, e.g. segmentation
  • G06F 12/1009 - Address translation using page tables, e.g. page table structures
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity

32.

SYSTEMS AND METHODS FOR EXPOSING A CURRENT PROCESSOR INSTRUCTION UPON EXITING A VIRTUAL MACHINE

      
Application Number RO2015050008
Publication Number 2016/118032
Status In Force
Filing Date 2015-08-11
Publication Date 2016-07-28
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Lutas, Andrei-Vlad

Abstract

Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A processor is configured to generate a VM suspend event (e.g., a VM exit or a virtualization exception) when software executing within a guest VM performs a memory access violation. In some embodiments, the processor is further configured to save disassembly data determined for the processor instruction which triggered the VM suspend event to a special location (e.g., a specific processor register) before generating the event. Saved disassembly data may include the contents of individual instruction encoding fields, such as Prefix, Opcode, Mod R/M, SIB, Displacement, and Immediate fields on Intel® platforms.

IPC Classes

  • G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
  • G06F 12/1027 - Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB]
  • G06F 12/109 - Address translation for multiple virtual address spaces, e.g. segmentation
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

33.

SYSTEMS AND METHODS FOR EXPOSING A RESULT OF A CURRENT PROCESSOR INSTRUCTION UPON EXITING A VIRTUAL MACHINE

      
Application Number RO2015050009
Publication Number 2016/118033
Status In Force
Filing Date 2015-08-11
Publication Date 2016-07-28
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Lutas, Andrei-Vlad

Abstract

Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A processor is configured to generate a VM suspend event (e.g., a VM exit or a virtualization exception) when a guest instruction executing within a guest VM performs a memory access violation. In some embodiments, the processor is further configured to delay generating the VM suspend event until the execution stage of the pipeline for the guest instruction is complete, and to save results of the execution stage to a specific location (e.g., a specific processor register readable by security software) before generating the event.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 12/109 - Address translation for multiple virtual address spaces, e.g. segmentation
  • G06F 12/1027 - Address translation using associative or pseudo-associative address translation means, e.g. translation look-aside buffer [TLB]
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

34.

USER INTERFACE FOR SECURITY PROTECTION AND REMOTE MANAGEMENT OF NETWORK ENDPOINTS

      
Application Number RO2015050010
Publication Number 2016/093721
Status In Force
Filing Date 2015-12-11
Publication Date 2016-06-16
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Cebere, Bogdan-Constantin
  • Achim, Ioan-Alexandru
  • Padina, Mirela-Luiza
  • Miron, Monica-Maria
  • Stan, Cosmin-Claudiu
  • Albisteanu, Catalina
  • Berte, Dan-Radu
  • Dumitrache, Bogdan-Teodor
  • Mircescu, Daniel-Alexandru
  • Novac, Alexandru

Abstract

In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. Various aspects of the operation of the network regulator may be managed remotely via a graphical user interface (GUI) executing on an administration device, such as a mobile phone. The GUI is further configured to display a security notification to a user of the administration device, the security notification indicating the occurrence of a security event caused by an action of a protected client system.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
  • H04W 4/00 - Services specially adapted for wireless communication networks; Facilities therefor
  • H04W 8/00 - Network data management
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal

35.

SYSTEMS AND METHODS FOR AUTOMATIC DEVICE DETECTION, DEVICE MANAGEMENT, AND REMOTE ASSISTANCE

      
Application Number RO2015050012
Publication Number 2016/093723
Status In Force
Filing Date 2015-12-11
Publication Date 2016-06-16
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Cebere, Bogdan-Constantin
  • Achim, Ioan-Alexandru
  • Stan, Cosmin-Claudiu
  • Rusu, Andrei

Abstract

In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of the network regulator take over some network services from a router, and automatically install the network regulator as gateway to the local network. The network regulator then carries out an automatic device discovery procedure and distributes device-specific utility agents to the protected client systems. An exemplary utility agent detects when its host device has left the local network, and in response, sets up a virtual private network (VPN) tunnel with a security server to maintain protection of the respective device.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
  • H04W 4/00 - Services specially adapted for wireless communication networks; Facilities therefor
  • H04W 8/00 - Network data management
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal

36.

SYSTEMS AND METHODS FOR AUTOMATIC DEVICE DETECTION, DEVICE MANAGEMENT, AND REMOTE ASSISTANCE

      
Application Number RO2015050013
Publication Number 2016/093724
Status In Force
Filing Date 2015-12-11
Publication Date 2016-06-16
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Cebere, Bogdan-Constantin
  • Mircescu, Daniel-Alexandru

Abstract

In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of the network regulator set up a secure tunnel connecting the network regulator with a remote configuration server. The tunnel may be configured to redirect communications received via the tunnel to a router providing network services to client systems on the local network. In some embodiments, the tunnel is used by the configuration server to transmit a communication to the router, the communication configured to disrupt the operation of the router. In response to the disruption, the network regulator may take over the network services from the router, and automatically install the network regulator as gateway to the local network.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal
  • H04W 4/00 - Services specially adapted for wireless communication networks; Facilities therefor
  • H04W 8/00 - Network data management
  • H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

37.

SYSTEMS AND METHODS FOR SECURING NETWORK ENDPOINTS

      
Application Number RO2015050011
Publication Number 2016/093722
Status In Force
Filing Date 2015-12-11
Publication Date 2016-06-16
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Cebere, Bogdan-Constantin
  • Achim, Ioan-Alexandru
  • Stan, Cosmin-Claudiu
  • Rusu, Andrei

Abstract

In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. When introduced to the local network, some embodiments of the network regulator automatically take over network services from an existing router, and install the network regulator as gateway to the local network. In response to taking over the network services, some embodiments redirect a request by a protected client system to access a remote resource to a security server configured to determine whether granting access to the resource constitutes a computer security threat to the client system.

IPC Classes

  • H04L 29/06 - Communication control; Communication processing characterised by a protocol
  • H04L 12/24 - Arrangements for maintenance or administration
  • H04L 12/28 - Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
  • H04W 4/00 - Services specially adapted for wireless communication networks; Facilities therefor
  • H04W 8/00 - Network data management
  • H04L 29/12 - Arrangements, apparatus, circuits or systems, not covered by a single one of groups characterised by the data terminal

38.

SYSTEMS AND METHODS FOR DYNAMICALLY PROTECTING A STACK FROM BELOW THE OPERATING SYSTEM

      
Application Number RO2015050005
Publication Number 2015/199568
Status In Force
Filing Date 2015-06-23
Publication Date 2015-12-30
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Lutas, Andrei-Vlad

Abstract

Described systems and methods allow protecting a host system against malware, using hardware virtualization technology. A memory introspection engine executes at the level of a hypervisor, protecting a virtual machine (VM) from exploits targeting the call stack of a thread executing within the respective VM. The introspection engine identifies a virtual memory page reserved for the stack, but not committed to the stack, and intercepts an attempt to write to the respective page. In response to intercepting the write attempt, the memory introspection engine marks the respective page as non-executable, thus protecting the stack against exploits.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

39.

SYSTEM AND METHODS FOR MUTUAL INTEGRITY ATTESTATION BETWEEN A NETWORK ENDPOINT AND A NETWORK APPLIANCE

      
Application Number RO2015050003
Publication Number 2015/183118
Status In Force
Filing Date 2015-04-02
Publication Date 2015-12-03
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Colesa, Adrian-Viorel
  • Lutas, Dan-Horea

Abstract

Described systems and methods allow malware-protecting a client system (e.g., computer system, smartphone, etc.) connected to a network. In some embodiments, a network appliance transmits a boot image over the network, on demand, to the client system. The boot image may install a hypervisor, which may further load a local OS and applications into a virtual machine. The client system performs a mutual integrity attestation transaction with the network appliance over the network, wherein each side of the transaction verifies the integrity of software objects executing on the other side. When the network appliance determines that the client system is not in a trusted state, the network appliance may block access of the client system to the network. When the client system determines that the network appliance is not in a trusted state, the client system may block communications between the client system and the network appliance.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine

40.

COMPUTER SECURITY SYSTEMS AND METHODS USING VIRTUALIZATION EXCEPTIONS

      
Application Number RO2015050001
Publication Number 2015/183116
Status In Force
Filing Date 2015-01-07
Publication Date 2015-12-03
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Tosa, Raul-Vasile
  • Lutas, Dan-Horea
  • Ticle, Daniel-Ioan
  • Lukacs, Sandor

Abstract

Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.

IPC Classes

  • G06F 21/74 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures

41.

BELOW-OS SECURITY SOLUTION FOR DISTRIBUTED NETWORK ENDPOINTS

      
Application Number RO2015050002
Publication Number 2015/183117
Status In Force
Filing Date 2015-03-18
Publication Date 2015-12-03
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Colesa, Adrian-Viorel

Abstract

Described systems and methods allow protecting a client system, such as a computer system or smartphone, from malware. In some embodiments, a network regulator device is used to distribute a bootable image of a hypervisor, on demand, to each of a set of client systems connected to a network. After booting on a client system, the hypervisor loads the local OS and applications into a virtual machine. Integrity measurements of the hypervisor and/or OS are sent to the network regulator for verification. When the network regulator determines that software executing on a client system, such as the hypervisor and/or the OS, is not in a trusted state, the network regulator may block access of the respective client system to the network.

IPC Classes

  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 9/44 - Arrangements for executing specific programs
  • H04L 29/06 - Communication control; Communication processing characterised by a protocol

42.

STRONGLY ISOLATED MALWARE SCANNING USING SECURE VIRTUAL CONTAINERS

      
Application Number RO2014050003
Publication Number 2015/174874
Status In Force
Filing Date 2014-12-15
Publication Date 2015-11-19
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Sirb, Cristian-Bogdan
  • Lutas, Dan-Horea
  • Colesa, Adrian-Viorel

Abstract

Described systems and methods allow protecting a host system, such as a computer or smartphone, from malware. In some embodiments, an anti-malware application installs a hypervisor, which displaces an operating system executing on the host system to a guest virtual machine (VM). The hypervisor further creates a set of virtual containers (VC), by setting up a memory domain for each VC, isolated from the memory domain of the guest VM. The hypervisor then maps a memory image of a malware scanner to each VC. When a target object is selected for scanning, the anti-malware application launches the malware scanner. Upon intercepting the launch, the hypervisor switches the memory context of the malware scanner to the memory domain of a selected VC, for the duration of the scan. Thus, malware scanning is performed within an isolated environment.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 21/55 - Detecting local intrusion or implementing counter-measures
  • G06F 9/46 - Multiprogramming arrangements

43.

SYSTEMS AND METHODS FOR USING A REPUTATION INDICATOR TO FACILITATE MALWARE SCANNING

      
Application Number RO2014000028
Publication Number 2015/171007
Status In Force
Filing Date 2014-09-25
Publication Date 2015-11-12
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Mircescu, Daniel-Alexandru

Abstract

Described systems and methods allow protecting a computer system from malware, such as viruses, Trojans, and spyware. A reputation manager executes in conjunction with an anti-malware engine. The reputation manager determines a reputation of a target process executing on the computer system according to a reputation of a set of executable modules, such as shared libraries, loaded by the target process. The anti-malware engine may be configured to employ a process-specific protocol to scan the target process for malware, the protocol selected according to process reputation. Processes trusted to be non-malicious may thus be scanned using a more relaxed protocol than unknown or untrusted processes. The reputation of executable modules may be static; an indicator of module reputation may be stored and/or retrieved by a remote reputation server. Process reputation may be dynamically changeable, i.e. re-computed repeatedly by the reputation manager in response to process life-cycle and/or security events.

IPC Classes

  • G06F 21/51 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
  • G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

44.

PAGE FAULT INJECTION IN VIRTUAL MACHINES TO CAUSE MAPPING OF SWAPPED-OUT MEMORY PAGES INTO VM VIRTUALIZED MEMORY

      
Application Number RO2014000018
Publication Number 2015/152747
Status In Force
Filing Date 2014-07-02
Publication Date 2015-10-08
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Luţas, Andrei-Vlad

Abstract

Described systems and methods allow protecting a host system from malware using virtualization technology. In some embodiments, a memory introspection engine operates below a virtual machine (VM) executing on the host system. The engine is configured to analyze the content of a virtual memory page used by software executing within the VM, and/or to protect the respective content from unauthorized modification, for instance by malware. When the respective content is swapped out of memory, the memory introspection engine injects a page fault into the respective VM, to force a swap-in of the respective content.

IPC Classes

  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 12/08 - Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems

45.

PROCESS EVALUATION FOR MALWARE DETECTION IN VIRTUAL MACHINES

      
Application Number RO2014000019
Publication Number 2015/152748
Status In Force
Filing Date 2014-07-02
Publication Date 2015-10-08
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Toşa, Raul-Vasile
  • Boca, Paul-Daniel
  • Hajmaşan, Gheorghe-Florin
  • Luţas, Andrei-Vlad

Abstract

Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. An anti-malware component executes within a virtual machine (VM) exposed by a hypervisor executing on the computer system. A memory introspection engine executes outside the virtual machine, at the processor privilege level of the hypervisor, and protects a process executing within the virtual machine by write-protecting a memory page of the respective process. By combining anti-malware components executing inside and outside the respective VM, some embodiments of the present invention may use the abundance of behavioral data that inside-VM components have access to, while protecting the integrity of such components from outside the respective VM.

IPC Classes

  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

46.

SYSTEMS AND METHODS FOR DETECTING RETURN-ORIENTED PROGRAMMING (ROP) EXPLOITS

      
Application Number RO2014050002
Publication Number 2015/119522
Status In Force
Filing Date 2014-11-03
Publication Date 2015-08-13
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor Tosa, Raul-Vasile

Abstract

Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references are identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module.

IPC Classes

  • G06F 21/52 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure

47.

COMPLEX SCORING FOR MALWARE DETECTION

      
Application Number RO2014000027
Publication Number 2015/050469
Status In Force
Filing Date 2014-09-25
Publication Date 2015-04-09
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Lukacs, Sandor
  • Toşa, Raul-Vasile
  • Boca, Paul-Daniel
  • Hajmaşan, Gheorghe-Florin
  • Lutas, Andrei-Vlad

Abstract

Described systems and methods allow protecting a computer system from malware such as viruses, Trojans, and spyware. For each of a plurality of executable entities (such as processes and threads executing on the computer system), a scoring engine records a plurality of evaluation scores, each score determined according to a distinct evaluation criterion. Every time an entity satisfies an evaluation criterion (e.g., performs an action), the respective score of the entity is updated. Updating a score of an entity may trigger score updates of entities related to the respective entity, even when the related entities are terminated, i.e., no longer active. Related entities include, among others, a parent of the respective entity, and/or an entity injecting code into the respective entity. The scoring engine determines whether an entity is malicious according to the plurality of evaluation scores of the respective entity.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

48.

DOCUMENT CLASSIFICATION USING MULTISCALE TEXT FINGERPRINTS

      
Application Number RO2014000007
Publication Number 2014/137233
Status In Force
Filing Date 2014-02-04
Publication Date 2014-09-12
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Toma, Adrian
  • Tibeică, Marius, Nicolae

Abstract

Described systems and methods allow a classification of electronic documents such as email messages and HTML documents, according to a document-specific text fingerprint. The text fingerprint is calculated for a text block of each target document, and comprises a sequence of characters determined according to a plurality of text tokens of the respective text block. In some embodiments, the length of the text fingerprint is forced within a pre-determined range of lengths (e.g. between 129 and 256 characters) irrespective of the length of the text block, by zooming in for short text blocks, and zooming out for long ones. Classification may include, for instance, determining whether an electronic document represents unsolicited communication (spam) or online fraud such as phishing.

49.

MEMORY INTROSPECTION ENGINE FOR INTEGRITY PROTECTION OF VIRTUAL MACHINES

      
Application Number RO2014000006
Publication Number 2014/129918
Status In Force
Filing Date 2014-02-04
Publication Date 2014-08-28
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Luţas, Andrei-Vlad
  • Lukacs, Sandor
  • Luţaş, Dan-Horea

Abstract

Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses a protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.

IPC Classes

  • G06F 12/10 - Address translation
  • G06F 9/455 - Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
  • G06F 12/14 - Protection against unauthorised use of memory
  • G06F 21/53 - Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity, buffer overflow or preventing unwanted data erasure by executing in a restricted environment, e.g. sandbox or secure virtual machine
  • G06F 21/62 - Protecting access to data via a platform, e.g. using keys or access control rules

50.

SYSTEM AND METHODS FOR SPAM DETECTION USING FREQUENCY SPECTRA OF CHARACTER STRINGS

      
Application Number RO2012000022
Publication Number 2013/112061
Status In Force
Filing Date 2012-09-05
Publication Date 2013-08-01
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Dichiu, Daniel
  • Lupsescu, Z. Lucian

Abstract

Described spam detection techniques including string identification, pre-filtering, and frequency spectrum and timestamp comparison steps facilitate accurate, computationally-efficient detection of rapidly-changing spam arriving in short-lasting waves. In some embodiments, a computer system extracts a target character string from an electronic communication such as a blog comment, transmits it to an anti-spam server, and receives an indicator of whether the respective electronic communication is spam or non-spam from the anti-spam server. The anti-spam server determines whether the electronic communication is spam or non-spam according to features of the frequency spectrum of the target string. Some embodiments also perform an unsupervised clustering of incoming target strings into clusters, wherein all members of a cluster have similar spectra.

51.

SYSTEMS AND METHODS FOR SPAM DETECTION USING CHARACTER HISTOGRAMS

      
Application Number RO2012000023
Publication Number 2013/112062
Status In Force
Filing Date 2012-09-05
Publication Date 2013-08-01
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Dichiu, Daniel
  • Lupsescu Z. Lucian

Abstract

Described spam detection techniques including string identification, pre-filtering, and character histogram and timestamp comparison steps facilitate accurate, computationally-efficient detection of rapidly-changing spam arriving in short-lasting waves. In some embodiments, a computer system extracts a target character string from an electronic communication such as a blog comment, transmits it to an anti-spam server, and receives an indicator of whether the respective electronic communication is spam or non-spam from the anti-spam server. The anti-spam server determines whether the electronic communication is spam or non-spam according to certain features of the character histogram of the target string. Some embodiments also perform an unsupervised clustering of incoming target strings into clusters, wherein all members of a cluster have similar character histograms.

52.

ONLINE FRAUD DETECTION DYNAMIC SCORING AGGREGATION SYSTEMS AND METHODS

      
Application Number RO2012000021
Publication Number 2013/109156
Status In Force
Filing Date 2012-09-05
Publication Date 2013-07-25
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Tibeica, N. Marius
  • Damian, O. Alin
  • Visan, L. Razvan

Abstract

In some embodiments, an online fraud prevention system combines the output of several distinct fraud filters, to produce an aggregate score indicative of the likelihood that a surveyed target document (e.g. webpage, email) is fraudulent. Newly implemented fraud filters can be incorporated and ageing fraud filters can be phased out without the need to recalculate individual scores or to renormalize the aggregate fraud score. Every time the output of an individual filter is calculated, the aggregate score is updated in a manner which ensures the aggregate score remains within predetermined bounds defined by a minimum allowable score and a maximum allowable score (e.g., 0 to 100).

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements

53.

FUZZY WHITELISTING ANTI-MALWARE SYSTEMS AND METHODS

      
Application Number RO2012000020
Publication Number 2013/089576
Status In Force
Filing Date 2012-09-05
Publication Date 2013-06-20
Owner BITDEFENDER IPR MANAGEMENT LTD (Cyprus)
Inventor
  • Tofan, I. Vlad
  • Dudea, V. Sorin
  • Canja, D. Viroel

Abstract

In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.

IPC Classes

  • G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements