Abstract:
A computer-implemented method for decreasing RAID rebuilding time may include (1) identifying data for which there is a need for physical integrity and high availability, (2) segmenting the data sequentially into a plurality of groups of chunks, with each group of chunks including redundant data sufficient to rebuild a lost chunk within the group of chunks, and (3) storing the groups of chunks on a storage array according to a four-cycle-free bipartite storage map that, for each group of chunks, stores each chunk on a different device set within the storage array and, when a chunk within a group of chunks is lost, enables all other chunks within the group to be read in parallel from different devices within the storage array. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
A computer-implemented method for detecting suspicious attempts to access data based on organizational relationships may include (1) detecting an attempt by a computing device within an organization to access an additional computing device within the organization, (2) identifying, based on a directory service associated with the organization that classifies the computing device and the additional computing device, an organizational relationship between the computing device and the additional computing device, (3) determining, based on the organizational relationship between the computing device and the additional computing device, that the attempt by the computing device to access the additional computing device is suspicious, and (4) performing a security action in response to determining that the attempt by the computing device to access the additional computing device is suspicious. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
A system and method for managing a resource reclamation reference list at a coarse level. A storage device is configured to store a plurality of storage objects in a plurality of storage containers, each of said storage containers being configured to store a plurality of said storage objects. A storage container reference list is maintained, wherein for each of the storage containers the storage container reference list identifies which files of a plurality of files reference a storage object within a given storage container. In response to detecting deletion of a given file that references an object within a particular storage container of the storage containers, a server is configured to update the storage container reference list by removing from the storage container reference list an identification of the given file. A reference list associating segment objects with files that reference those segment objects may not be updated in response to the deletion.
Abstract:
A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
The disclosed computer-implemented method for dynamic load balancing on disks may include (1) calculating the spare throughput for each disk, (2) identifying a lightly loaded disk and a heavily loaded disk, (3) identifying a set of workloads to be transferred from the heavily loaded disk to the lightly loaded disk by: (a) beginning with the set empty, (b) identifying candidate workloads on the heavily loaded disk, (c) adding a new workload from the candidate workloads to the set when the new workload would not reduce the spare throughput on the lightly loaded disk below a threshold if both the set and the workload were transferred to the lightly loaded disk, and (d) considering each workload for transfer in order from most throughput consumed to least throughput consumed, and (4) transferring the set of workloads. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
A computer-implemented method for detecting selective malware attacks is described. A website visited by a user is identified based on a number of visits to the website satisfying a predetermined threshold. A web crawl is performed on the identified website. Results of the web crawl are analyzed to determine whether the identified website includes a malicious software attack designed to selectively attack visitors to the website.
Abstract:
A computer-implemented method for reducing false positives when using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that represents an additional suspicious event involving the first actor and the second actor, (3) comparing the event-correlation graph with at least one additional event-correlation graph that represents events on at least one additional computing system, (4) determining that a similarity of the event-correlation graph and the additional event-correlation graph exceeds a predetermined threshold, and (5) classifying the suspicious event as benign based on determining that the similarity of the event-correlation graph and the additional event-correlation graph exceeds the predetermined threshold. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed.
Abstract:
A computer-implemented method for providing increased scalability in deduplication storage systems may include (1) identifying a database that stores a plurality of reference objects, (2) determining that at least one size-related characteristic of the database has reached a predetermined threshold, (3) partitioning the database into a plurality of sub-databases capable of being updated independent of one another, (4) identifying a request to perform an update operation that updates one or more reference objects stored within at least one sub-database, and then (5) performing the update operation on less than all of the sub-databases to avoid processing costs associated with performing the update operation on all of the sub-databases. Various other systems, methods, and computer-readable media are also disclosed.
Abstract:
A computer-implemented method for protecting document files from macro threats may include (1) identifying a document file that contains an embedded macro, (2) locating an event-driven programming language module that stores the embedded macro for the document file, and (3) cleaning the event-driven programming language module by removing procedures for the embedded macro within the event-driven programming language module and retaining variable definitions within the event-driven programming language module. Various other methods, systems, and computer-readable media are also disclosed.