40 results about "Zero-day attack" patented technology

A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is associated with zero-day exploit when the exploit, upon execution of the content on the at least one virtual machine, performs an undesired behavior.

Improved methods and systems for decoy networks with automatic signature generation for intrusion detection and intrusion prevention systems. A modular decoy network with front-end monitor/intercept module(s) with a processing back-end that is separate from the protected network. The front-end presents a standard fully functional operating system that is a decoy so that the instigator of an attack is lead to believe a connection has been made to the protected network. The front-end includes a hidden sentinel kernal driver that monitors connections to the system and captures attack-identifying information. The captured information is sent to the processing module for report generation, data analysis and generation of an attack signature. The generated attack signature can then be applied to the library of signatures of the intrusion detection system or intrusion prevention system of the protected network to defend against network based attacks including zero-day attacks.

A method for detection and blocking of zero day worm attacks is disclosed. A zero day worm attack is the initial appearance of a new or revised Web worm. The method compares a hypertext transfer protocol (HTTP) request sent from an attacking computer (or server) to a predefined behavior profile of a protected Web application in order to detect a worm attack. A zero day worm attack based on the first data packet of an HTTP request can be detected.

The invention discloses an open flow table security enhancement method which can enable a security control function to be separated from a security executive function. The method includes the steps of obtaining security application corresponding to each security service, extracting security strategies, security protocols and feature libraries corresponding to the various security services from the security application, analyzing the security strategies of the security services to generate a security flow table, and creating a matching rule in the security flow table, and carrying out access control to messages and inspection for a state firewall, a security virtual private network (VPN) and deep messages according to the matching rule in the security flow table. The invention simultaneously discloses an open flow table security enhancement device. The open flow table security enhancement method and the open flow table security enhancement device can enable the security execution and the security application to be independently evolved and upgraded, and bring convenience to development of new security services, and can intensively carry out security management, resist zero-day attack, and relieve distributed denial of service attack according to the security strategies, and also support a virtualization multi-tenant security mode.

The invention discloses a white list based realization method for active defense of a cloud host. The method involves a centralized management platform of a server and a client, and the client is mounted on each cloud host needed to be protected. The specific realization process is as follows: all binary files in the protected cloud host are scanned through server software; a cloud security center identifies out trust ratings of the scanned files and adds a graded file list library into a white list library, a black list library and a gray list library separately; and at the client, only trusted application programs in a white list are allowed to run for preventing loading of a dynamic-link library file in a kernel. Compared with the prior art, the white list based realization method for active defense of the cloud host can completely prevent potential unwanted application programs and codes and prevent advanced threats, is free of feature code update, and can consistently enable known good software, prevent known or unknown bad software, correctly manage new software and effectively prevent unknown malicious software and zero-day attacks.

The invention discloses an application layer dynamic intrusion detection system and detection method based on artificial intelligence, wherein the detection system comprises an application layer gateway, a detection module, a judgment and operation module, a sample database and an updating module, the detection module comprises a detection model mixed with a convolutional neural network and a bidirectional long and short term memory neural network. The detection module after initialization is used for making an attack judgment on an application layer data packet, filtering the data packet above the threshold value and putting the data packet into a malicious sample database, and meanwhile, the data packet under the threshold value is not processed. The updating module is used for traininga new model by using the malicious samples and normal samples with a certain proportion in the sample database and updating the detection model in the detection module in real time. According to the invention, a universal detection method is used for the attack method of the application layer, the method has the advantages of high detection rate and low misjudgment rate. Meanwhile, the intrusion detection system has the advantage of dynamic updating model, and has good filtering effect on unknown zero-day attack.

Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert.

The present invention relates to data encryption and more particularly to data encryption for prevention of malware attacks designed to access user data. The present invention protects user data against regular malware and advance malware like rootkit attacks, zero day attacks and anti-malware disabler attacks. In one embodiment, the present invention uses encryption, application whitelisting, and application binding to prevent malware from accessing a victim's data files. In another embodiment, the present invention uses application path binding to further contain the malware from accessing the victim's data.

A security solution can be implemented using a layering system. By using a layering system, any changes that are made to a computing system can be isolated within a separate write layer. Due to this isolation, the changes, which may even be malicious, can be evaluated without fear that the resources in other layers will be negatively affected. In this way, even security threats that are still unknown to antivirus solutions (so-called zero-day attacks) can be prevented from harming the system.

Zero-day attacks with unknown attack signatures are detected by correlating behavior differences of a plurality of entities. An entity baseline behavior for each entity of the plurality of entities is determined 310, the entity baseline behavior includes multiple variables. An entity behavior difference for each entity is determined at a series of points in time 320. Correlations between the entity behavior differences for the plurality of entities are determined at the series of points in time 330. Based on these correlations, it is determined whether the plurality of entities is exhibiting coordinated behavior differences 340. An attack signature is determined based on the entity behavior differences and the correlations 350. A database of attack signatures is generated 360.

The invention discloses a network vulnerability assessment method based on zero-day attack graph. First it is assumed that all services on a host in a network contain a zero-day vulnerability, a zero-day attack graph is generated through logical reasoning of a given pattern, and then the attack cost for utilizing the zero-day vulnerability to attack is quantified based on a vulnerability scanningtechnology and CVSS vulnerability scoring system, and finally, a network centrality theory is utilized to make an analysis to obtain the key vulnerabilities in the network. All possible unknown vulnerabilities in the network are fully considered while known vulnerabilities are dealt with, so that the assessment method has the capability of dealing with unknown vulnerabilities, can discover potential network vulnerabilities through logical reasoning, and assess the security of the current network, thereby providing a reference basis for further network security protection, and improving the security, reliability and availability of the network.

The invention provides a router threat perception method and system. The method comprises the following steps that: the threat perception system is consistent with the input of a monitored router; theoutput data of the monitored router is sent to the threat perception system at the same time; wherein the configuration information of the monitored router needs to be synchronously configured to thethreat perception system; and the state information of the monitored router needs to be timely collected to the threat perception system. The output data and state of the monitored router are compared with the output data and state of the threat sensing system, if the output data or state of the monitored router is inconsistent with the output data or state of the threat sensing system, the monitored router may have a threat, and alarm information is sent to a management system. The threat perception system comprises an input processing unit, a function equivalent actuator unit, a state comparison unit, an output comparison unit and an analysis alarm unit. According to the method, the problem of high difficulty in judging router threats caused by various vulnerability and attack technicalmeans can be solved, and unknown vulnerabilities and zero-day attacks can be perceived.

The invention discloses a safety protection system of a cloud operation system. The safety protection system of the cloud operation system comprises a non-proxy mode anti-virus module for scanning each application server virtual machine in the cloud operation system in the time-sharing mode, and managing the safety protection of each virtual machine under the virtualization environment; a logic firewall module for executing the network security protection to each application server virtual machine; a patch module for detecting or preventing the known attack or zero-day attack of the cloud operation system loophole; an application program protection module for detecting or preventing the known attack or zero-day attack based on the application program loophole; an application program control module for monitoring each application server virtual machine in the cloud operation system; an integrity monitoring module for detecting or preventing the unauthorized or malevolent modification in allusion to a catalogue, a file and a key value; and a log audit module for executing the audit to an safety event of each application server virtual machine. The system is capable of executing the multi-dimensional safety protection to the cloud operation system through the above-mentioned modules, and guaranteeing the safety of the cloud operation system.

The invention discloses a virtual host program security control method and device, equipment and a medium. The method comprises the following steps: obtaining resources required by a to-be-controlledprogram to access a virtual host; setting the authority of the to-be-controlled program to access the virtual host according to the obtained required resources; and establishing a behavior control description library for the virtual host according to the set authority. The embodiment of the invention provides a virtual host program security control method. An authority is set and a behavior control description library is established; according to the method and the device, the monitoring of the to-be-controlled program of the virtual host does not depend on the existing characteristic-based strategy, and further, the to-be-controlled program can be read regularly through the preset time so as to prevent the unknown program from accessing the virtual host and actively protect the virtual host, so that the zero-day attack is effectively resisted, and the virtual host is protected from other attacks.

A system and method that detects and mitigates zero-day exploits and other vulnerabilities by analyzing event logs and external databases, forcing reauthentication of at-risk and comprised systems and accounts during an identified threat or potential security risk.

The embodiment of the invention discloses a program defense method and system based on a digital certificate, belonging to the field of operating system security design. The embodiment of the invention can detect whether a program digital signature is legal or not. If the program's digital signature is valid, it is allowed to execute and monitor the program in real time. If it is detected that the modified program has been authenticated by the user's signature, a report is made to the user. Embodiments of the present invention do not need to run antivirus software that must be constantly updated, and anything that is not on the list will be blocked from running; The system is protected from zero-day attacks. Users cannot run unauthorized programs that are not on the list, so don't worry about installing executable pests, etc., intentionally or unintentionally. The embodiment of the invention can very effectively prevent malware and spam.