Abstract:
Systems, apparatuses, methods, and computer readable mediums for modeling malicious behavior that occurs in the absence of users. A system trains an anomaly detection model using attributes associated with a first plurality of events representing system activity on one or more clean machines when users are not present. Next, the system utilizes the trained anomaly detection model to remove benign events from a second plurality of events captured from infected machines when users are not present. Then, the system utilizes malicious events, from the second plurality of events, to train a classifier. Next, the classifier identifies a first set of attributes which are able to predict if an event is caused by malware with a predictive power greater than a threshold.
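As an added illustration of the pipeline this abstract describes (not code from the patent itself), the following Python sketch implements the three stages on constructed sample data: a baseline of attribute values observed on clean, unattended machines; removal of events from infected machines whose attributes all fit that baseline; and ranking of the remaining attribute values by how strongly they predict a malicious origin. The event attributes, the "anything unseen is anomalous" baseline rule, and the minimum-support cutoff are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the patent): each event is a dict of
# attribute -> value, captured while no user was logged in.
CLEAN_EVENTS = [
    {"proc": "svchost.exe", "parent": "services.exe", "net": "no", "signed": "yes"},
    {"proc": "updater.exe", "parent": "services.exe", "net": "yes", "signed": "yes"},
    {"proc": "backup.exe", "parent": "taskeng.exe", "net": "no", "signed": "yes"},
    {"proc": "svchost.exe", "parent": "services.exe", "net": "no", "signed": "yes"},
]

INFECTED_EVENTS = [
    {"proc": "svchost.exe", "parent": "services.exe", "net": "no", "signed": "yes"},
    {"proc": "a1b2.exe", "parent": "explorer.exe", "net": "yes", "signed": "no"},
    {"proc": "updater.exe", "parent": "services.exe", "net": "yes", "signed": "yes"},
    {"proc": "x9.tmp", "parent": "rundll32.exe", "net": "yes", "signed": "no"},
    {"proc": "backup.exe", "parent": "taskeng.exe", "net": "no", "signed": "yes"},
]


def train_anomaly_model(events):
    """Stage 1: the baseline is every (attribute, value) pair seen on clean machines."""
    seen = defaultdict(set)
    for ev in events:
        for attr, val in ev.items():
            seen[attr].add(val)
    return seen


def is_anomalous(model, event):
    """An event is anomalous if any attribute value never appeared in the baseline."""
    return any(val not in model[attr] for attr, val in event.items())


def remove_benign(model, events):
    """Stage 2: drop infected-machine events that look like normal unattended activity."""
    return [ev for ev in events if is_anomalous(model, ev)]


def predictive_attributes(benign, malicious, threshold=0.5, min_support=2):
    """Stage 3: score each (attribute, value) pair by P(malicious | pair).

    Pairs seen fewer than min_support times are ignored so that one-off values
    (a unique file name) cannot score a perfect 1.0 by accident. Returns the
    pairs whose predictive power exceeds the threshold.
    """
    total = Counter()
    mal = Counter()
    for ev in benign:
        total.update(ev.items())
    for ev in malicious:
        total.update(ev.items())
        mal.update(ev.items())
    return {
        pair: mal[pair] / total[pair]
        for pair in total
        if total[pair] >= min_support and mal[pair] / total[pair] > threshold
    }


if __name__ == "__main__":
    model = train_anomaly_model(CLEAN_EVENTS)
    malicious_events = remove_benign(model, INFECTED_EVENTS)
    for pair, power in sorted(predictive_attributes(CLEAN_EVENTS, malicious_events).items()):
        print(f"{pair[0]}={pair[1]}: predictive power {power:.2f}")
```

On the sample data the baseline filter keeps only the two unsigned processes from the infected machines, and the ranking singles out `signed=no` and `net=yes` as the attribute values worth carrying into a production classifier; the per-process names are discarded by the support cutoff, which is the point of that cutoff.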
Abstract:
The disclosed computer-implemented method for deploying applications included in application containers may include (1) identifying an application container that includes an application and facilitates transferring the application to a deployment environment, (2) performing a reconnaissance analysis on the deployment environment by identifying one or more properties of the deployment environment, (3) determining, based at least in part on the reconnaissance analysis, that the deployment environment meets a predetermined threshold of requirements for securely executing the application, and then (4) transferring the application included in the application container to the deployment environment in response to determining that the deployment environment meets the predetermined threshold. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
A computer-implemented method for enforcing data-loss-prevention policies using mobile sensors may include (1) detecting an attempt by a user to access sensitive data on a mobile computing device, (2) collecting, via at least one sensor of the mobile computing device, sensor data that indicates an environment in which the user is attempting to access the sensitive data, (3) determining, based at least in part on the sensor data, a privacy level of the environment, and (4) restricting, based at least in part on the privacy level of the environment, the attempt by the user to access the sensitive data according to a DLP policy. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
Decrypting network traffic on a middlebox device using a trusted execution environment (TEE). In one embodiment, a method may include loading a kernel application inside the TEE, loading a logic application outside the TEE, intercepting, by the logic application, encrypted network traffic, forwarding, from the logic application to the kernel application, the encrypted network traffic, decrypting, at the kernel application, the encrypted network traffic, inspecting, at the kernel application, the decrypted network traffic according to a sensitivity policy to determine whether the decrypted network traffic includes sensitive data, forwarding, from the kernel application to the logic application, filtered decrypted network traffic that excludes the sensitive data, processing, at the logic application, the filtered decrypted network traffic, forwarding, from the logic application to the kernel application, the filtered decrypted network traffic after the processing by the logic application, and forwarding, from the kernel application, the encrypted network traffic.
Abstract:
The disclosed method for assuring authenticity of electronic sensor data may include (i) capturing, using a sensor within a device, electronic sensor data, and (ii) digitally signing, using a cryptoprocessor embedded within the device, the electronic sensor data to create a digital signature that verifies that the signed electronic sensor data has not been modified since the electronic sensor data was captured by the sensor. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
The disclosed computer-implemented method for establishing restricted interfaces for database applications may include analyzing, by a computing device, query behavior of an application for query requests from the application to a remote database in a computer system and identifying, based on the analysis, an expected query behavior for the application. The method may include establishing, between the application and the remote database, a restricted interface. The method may include receiving, at the restricted interface, a query request from the application to the remote database and limiting, by the restricted interface, the query request from the application to the remote database based on the expected query behavior. The method may include determining, by checking the query request against the expected query behavior, that the query request is anomalous query behavior and performing a security action with respect to the computer system. Various other methods, systems, and computer-readable media are also disclosed.
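To make the "expected query behavior" idea concrete, here is an added Python example (not the patent's implementation) that learns query templates from a constructed sample of an application's queries and then enforces them as a restricted interface: a request whose template was never observed is blocked and recorded as the security action. Normalizing literals to a placeholder is the assumed definition of "template"; the sample queries are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of queries the application issued during a learning phase.
OBSERVED_QUERIES = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE id = 7",
    "UPDATE users SET last_login = '2024-01-02' WHERE id = 42",
    "SELECT id, name FROM users WHERE id = 1001",
    "INSERT INTO audit (user_id, action) VALUES (42, 'login')",
]


def normalize(query):
    """Reduce a query to its template: literals become '?', whitespace and case are folded."""
    q = re.sub(r"'(?:[^']|'')*'", "?", query)  # single-quoted string literals
    q = re.sub(r"\b\d+\b", "?", q)             # standalone numeric literals
    q = re.sub(r"\s+", " ", q).strip()
    return q.upper()


def learn_expected_behavior(queries):
    """Expected behavior = the set of templates seen during analysis, with counts."""
    return Counter(normalize(q) for q in queries)


class RestrictedInterface:
    """Sits between the application and the remote database.

    Requests matching a learned template pass through; anything else is
    anomalous, is blocked, and is logged for the security action.
    """

    def __init__(self, expected_templates):
        self.expected = set(expected_templates)
        self.security_log = []

    def handle(self, query):
        template = normalize(query)
        if template in self.expected:
            return ("allow", template)
        self.security_log.append({"query": query, "template": template})
        return ("block", template)


if __name__ == "__main__":
    iface = RestrictedInterface(learn_expected_behavior(OBSERVED_QUERIES))
    for q in [
        "SELECT id, name FROM users WHERE id = 99",        # same shape, new value
        "SELECT id, name FROM users WHERE id = 42 OR 1=1",  # extra predicate
        "SELECT password_hash FROM users",                  # never issued by the app
    ]:
        print(iface.handle(q)[0], "|", q)
```

The first request passes because only the literal changed; the other two produce templates the application never used and are blocked. In practice the learning phase must cover every legitimate code path, or the interface will block real traffic, so the template set is best built from the application's own query log plus a review of the blocked entries.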
Abstract:
A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
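The correlation step in this abstract can be shown on a few constructed log lines. The following Python example is added here and is not the patent's code: it reads a health log and an event log in an assumed `timestamp key=value ...` format, treats a crash that follows a run of stable reports as an unexpected stability problem, and flags the events that occurred within an assumed 30-minute window before each such crash as potentially malicious, returning their names as the security action's target.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (format assumed for this example): ISO timestamp
# followed by key=value fields.
HEALTH_LOG = [
    "2024-03-01T09:00:00 status=stable",
    "2024-03-02T09:00:00 status=stable",
    "2024-03-03T14:22:10 status=crash module=explorer.exe",
    "2024-03-03T16:05:41 status=crash module=explorer.exe",
]
EVENT_LOG = [
    "2024-03-01T08:30:00 type=install name=OfficeUpdate publisher=known",
    "2024-03-03T14:10:03 type=install name=ToolbarHelper publisher=unknown",
    "2024-03-03T14:15:30 type=autorun name=ToolbarHelper",
    "2024-03-03T15:50:00 type=service name=ToolbarHelper",
]


def parse_line(line):
    """Split 'timestamp k=v k=v' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def unexpected_stability_problems(health_entries, min_stable=2):
    """Crashes that occur after the device reported stable at least min_stable times."""
    crashes, stable_run = [], 0
    for entry in health_entries:
        if entry["status"] == "stable":
            stable_run += 1
        elif entry["status"] == "crash" and stable_run >= min_stable:
            crashes.append(entry)
    return crashes


def correlate(crashes, events, window=timedelta(minutes=30)):
    """Count, per event name, how many crashes it immediately preceded."""
    suspects = Counter()
    for crash in crashes:
        for ev in events:
            if crash["ts"] - window <= ev["ts"] < crash["ts"]:
                suspects[ev["name"]] += 1
    return suspects


def detect(health_log, event_log):
    """Return the names of events deemed potentially malicious, sorted."""
    health = [parse_line(l) for l in health_log]
    events = [parse_line(l) for l in event_log]
    crashes = unexpected_stability_problems(health)
    suspects = correlate(crashes, events)
    # Security action for the caller: quarantine or review these names.
    return sorted(suspects)


if __name__ == "__main__":
    print("potentially malicious:", detect(HEALTH_LOG, EVENT_LOG))
```

Only `ToolbarHelper` lands inside a pre-crash window; `OfficeUpdate` was installed while the device was still reporting stable and is left alone. A real deployment would also weight by how many crashes an event preceded and by prevalence across the fleet, since a component that precedes crashes on one machine but runs cleanly on thousands is more likely a coincidence.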
Abstract:
The disclosed computer-implemented method for detecting malware using file clustering may include (1) identifying a file with an unknown reputation, (2) identifying at least one file with a known reputation that co-occurs with the unknown file, (3) identifying a malware classification assigned to the known file, (4) determining a probability that the unknown file is of the same classification as the known file, and (5) assigning, based on the probability that the unknown file is of the same classification as the known file, the classification of the known file to the unknown file. Various other methods, systems, and computer-readable media are also disclosed.
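For the co-occurrence step, the following added Python example (not the patent's implementation) computes the probability that an unknown file shares a classification with the known files it co-occurs with. The machine-to-files data and the labels are constructed; the scoring rule is an assumption chosen for this example: each known file contributes its lift, P(known file present | unknown present) / P(known file present), to its class, so that ubiquitous clean files that appear everywhere carry less weight than files that appear mainly alongside the unknown one.

```python
from collections import defaultdict

# Constructed co-occurrence data: machine -> set of file identifiers seen on it.
MACHINES = {
    "m1": {"unk1", "trojanA", "util"},
    "m2": {"unk1", "trojanA", "browser"},
    "m3": {"unk1", "browser", "trojanB"},
    "m4": {"unk1", "trojanB"},
    "m5": {"browser", "util"},
}
# Constructed reputations for the known files.
KNOWN = {
    "trojanA": "Trojan.Gen",
    "trojanB": "Trojan.Gen",
    "util": "clean",
    "browser": "clean",
}


def class_probabilities(machines, known, unknown):
    """Probability, per classification, that the unknown file belongs to it.

    Each known file votes for its class with weight equal to its lift against
    the unknown file; lifts are normalized into probabilities.
    """
    n = len(machines)
    with_unknown = [files for files in machines.values() if unknown in files]
    if not with_unknown:
        return {}
    scores = defaultdict(float)
    for f, label in known.items():
        base = sum(1 for files in machines.values() if f in files) / n
        cond = sum(1 for files in with_unknown if f in files) / len(with_unknown)
        if base > 0 and cond > 0:
            scores[label] += cond / base  # lift: co-occurrence above chance
    total = sum(scores.values())
    return {label: s / total for label, s in scores.items()}


def classify(machines, known, unknown, threshold=0.6):
    """Assign the most probable known classification if it clears the threshold."""
    probs = class_probabilities(machines, known, unknown)
    if not probs:
        return None
    label, p = max(probs.items(), key=lambda kv: kv[1])
    return label if p >= threshold else None


if __name__ == "__main__":
    for label, p in sorted(class_probabilities(MACHINES, KNOWN, "unk1").items()):
        print(f"{label}: {p:.3f}")
    print("assigned:", classify(MACHINES, KNOWN, "unk1"))
```

Here `unk1` inherits `Trojan.Gen` with probability about 0.63. The threshold is the lever that trades false positives against coverage: the clean files in the sample co-occur with the unknown file too, and only the lift weighting keeps their votes from tying the result.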