-
Publication (Announcement) No.: US12149623B2
Publication (Announcement) Date: 2024-11-19
Application No.: US17836714
Application Date: 2022-06-09
Applicant: Open Text Inc.
Inventor: Andrew Sandoval, Eric Klonowski
Abstract: Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information are detected and recorded. At subsequent "checkpoints," the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
-
Publication (Announcement) No.: US12039038B2
Publication (Announcement) Date: 2024-07-16
Application No.: US18302885
Application Date: 2023-04-19
Applicant: Open Text Inc.
Inventor: Eric Klonowski, Fred Krenson
IPC: G06F21/55
CPC classification number: G06F21/552, G06F21/554, G06F2221/034
Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition. In an example, a behavior rule comprising a set of rule instructions is used to define one or more events indicative of a behavior. For example, a set of events from which one event must be matched may be defined, or a set of events from which all events must be matched may be defined. In some examples, events are matched based on an event name or type, or may be matched based on one or more parameters. Exact and/or inexact matching may be used. The set of rule instructions ultimately specifies one or more halt instructions, thereby indicating that a determination as to the presence of the behavior has been made. Example determinations include, but are not limited to, a match determination, a non-match determination, or an indication that additional monitoring should be performed.
-
Publication (Announcement) No.: US12032691B2
Publication (Announcement) Date: 2024-07-09
Application No.: US18353491
Application Date: 2023-07-17
Applicant: Open Text Inc.
Inventor: Eric Klonowski, Fred Krenson
CPC classification number: G06F21/554, G06F9/45558, G06F2009/45562, G06F21/56, G06F2221/033, G06F2221/034
Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus, a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
-
Publication (Announcement) No.: US20250015999A1
Publication (Announcement) Date: 2025-01-09
Application No.: US18892382
Application Date: 2024-09-21
Applicant: Open Text Inc.
Inventor: Andrew Sandoval, Eric Klonowski
Abstract: Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information are detected and recorded. At subsequent "checkpoints," the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
-
Publication (Announcement) No.: US12093380B2
Publication (Announcement) Date: 2024-09-17
Application No.: US18301832
Application Date: 2023-04-17
Applicant: Open Text Inc.
Inventor: Eric Klonowski, Fred Krenson
CPC classification number: G06F21/554, G06F9/45558, G06F2009/45587
Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection virtual machine. In examples, the virtual machine executes a rule comprising rule instructions. A rule may comprise one or more wait rule instructions that cause the virtual machine to pause execution. As events are added to an event queue for the rule virtual machine, the behavioral threat detection virtual machine evaluates such events in order to identify a positive or, in some instances, a negative match. When a matching event is identified, rule execution resumes. Eventually, a determination is made as a result of processing events and wait packets, thereby indicating the presence or absence of a malicious or potentially malicious behavior, among other examples. Thus, among other things, the behavioral threat detection virtual machine maintains a state associated with rule execution and processes events to identify behaviors accordingly.
-
Publication (Announcement) No.: US12235960B2
Publication (Announcement) Date: 2025-02-25
Application No.: US17698200
Application Date: 2022-03-18
Applicant: Open Text Inc.
Inventor: Eric Klonowski, Fred Krenson
Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition compilation. In an example, one or more sets of rule instructions may be packaged for distribution and/or use by a behavioral threat detection engine. As an example, a set of rule instructions is compiled into an intermediate language and assembled into a compiled behavior rule binary. Event linking is performed, wherein other rules launched by the rule and/or events that launch the rule or are processed by the rule are identified, and such information may be stored accordingly. The behavior rule binary may be packaged with other rules associated with identifying a specific behavior. The packaged behavior rule is distributed to one or more computing devices for use with a behavioral threat detection engine. For example, the threat detection engine may execute the behavior rule using a rule virtual machine.
-
Publication (Announcement) No.: US20240184888A1
Publication (Announcement) Date: 2024-06-06
Application No.: US18441638
Application Date: 2024-02-14
Applicant: OPEN TEXT INC.
Inventor: Andrew L. Sandoval, David Alan Myers, John R. Shaw, Eric Klonowski
CPC classification number: G06F21/566, G06F21/554, G06F2221/033
Abstract: Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.
-
Publication (Announcement) No.: US11947670B2
Publication (Announcement) Date: 2024-04-02
Application No.: US18092355
Application Date: 2023-01-02
Applicant: Open Text Inc.
Inventor: Andrew L. Sandoval, David Alan Myers, John R. Shaw, II, Eric Klonowski
CPC classification number: G06F21/566, G06F21/554, G06F2221/033
Abstract: Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.
-
Publication (Announcement) No.: US20230359734A1
Publication (Announcement) Date: 2023-11-09
Application No.: US18353491
Application Date: 2023-07-17
Applicant: Open Text Inc.
Inventor: Eric Klonowski, Fred Krenson
CPC classification number: G06F21/554, G06F9/45558, G06F2221/033, G06F2221/034, G06F21/56
Abstract: Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus, a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.
-
Publication (Announcement) No.: US20240427892A1
Publication (Announcement) Date: 2024-12-26
Application No.: US18826906
Application Date: 2024-09-06
Applicant: OPEN TEXT INC.
Inventor: Eric Klonowski, Fred Krenson
Abstract: Examples of the present disclosure describe systems and methods for behavioral threat detection definition compilation. In an example, one or more sets of rule instructions may be packaged for distribution and/or use by a behavioral threat detection engine. As an example, a set of rule instructions is compiled into an intermediate language and assembled into a compiled behavior rule binary. Event linking is performed, wherein other rules launched by the rule and/or events that launch the rule or are processed by the rule are identified, and such information may be stored accordingly. The behavior rule binary may be packaged with other rules associated with identifying a specific behavior. The packaged behavior rule is distributed to one or more computing devices for use with a behavioral threat detection engine. For example, the threat detection engine may execute the behavior rule using a rule virtual machine.