XIN YAN HU
Nursing in Ann Arbor, MI

2009001, Jan 15, 2009

Apr 18, 2008

12/106144

Taejoon Park - Seoul, KR
Kang Guen SHIN - Ann Arbor MI, US
Xin Hu - Ann Arbor MI, US
Abhijit Bose - Ann Arbor MI, US

SAMSUNG ELECTRONICS CO., LTD. - Suwon-si
THE REGENTS OF THE UNIVERSITY OF MICHIGAN - Ann Arbor MI

G06F 21/00

726 24, 726 22

A method and apparatus for modeling a behavior of a computer program that is executed in a computer system is described. The method and apparatus for modeling a behavior of a computer program may be used to detect a malicious program based on the behavior of the computer program. A method includes collecting system use information about resources of the computer system the computer program uses; extracting a behavior signature of the computer program from the collected system use information; and encoding the extracted behavior signature to generate a behavior vector. As a result, behaviors of a particular computer program may be modeled to enable a malicious program detection program and to determine whether the computer program is either normal or malicious.

8245295, Aug 14, 2012

Apr 8, 2008

12/099649

Taejoon Park - Seoul, KR
Kang Geun Shin - Ann Arbor MI, US
Xin Hu - Ann Arbor MI, US
Abhijit Bose - Ann Arbor MI, US

Samsung Electronics Co., Ltd. - Suwon-si
The Regents of the University of Michigan - Ann Arbor MI

H04L 29/06, G06F 11/00, G06F 12/14, G06F 12/16, G06F 21/00, G08B 23/00, H04L 9/32

726 22, 726 23, 726 26, 713176, 713186

An apparatus and method of diagnosing whether a computer program executed in a computer system is a malicious program and more particularly, an apparatus and method of diagnosing whether a computer program is a malicious program using a behavior of a computer program, and an apparatus and method of generating malicious code diagnostic data is provided. The apparatus for diagnosing a malicious code may include a behavior vector generation unit which generates a first behavior vector based on a behavior signature extracted from a diagnostic target program; a diagnostic data storage unit which stores a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious or normal; and a code diagnostic unit which diagnoses whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors.

8448248, May 21, 2013

Mar 26, 2008

12/056236

Abhijit Bose - Ann Arbor MI, US
Taejoon Park - Seoul, KR
Kang Geun Shin - Ann Arbor MI, US
Xin Hu - Ann Arbor MI, US

Samsung Electronics Co., Ltd. - Suwon-si
The Regents of the University of Michigan - Ann Arbor

G06F 11/00

726 24, 726 22, 726 23, 726 25, 713188

An apparatus and method of diagnosing whether a program executed in a computer system is malware and repairing the computer system infected by malware. The apparatus includes a receiving unit which receives a first behavior vector for the malware from a malware control server; a determination unit which determines whether a diagnostic target program corresponds to malware based on the received first behavior vector and a second behavior vector for the diagnostic target program; and a repair unit which repairs the computer system based on a result of the determination. A behavior of a computer program executed in the computer system may be modeled in real time.

8321942, Nov 27, 2012

Mar 12, 2009

12/403335

Kent E. Griffin - Santa Monica CA, US
Scott Schneider - Santa Monica CA, US
Xin Hu - Ann Arbor MI, US

Symantec Corporation - Mountain View CA

G06F 21/56

726 24, 726 22, 726 23

A candidate signature for a known malware entity is selected for analysis. A set of malware entities that contain the candidate signature is identified. A diversity measurement for the candidate signature is determined. The diversity measurement describes the diversity of the set of malware entities that contain the candidate signature. A determination is made whether to use the candidate signature to identify the known malware entity based at least in part on the diversity measurement. Responsive to the determination, the candidate malware signature is stored as a signature for the known malware entity.

8239948, Aug 7, 2012

Dec 19, 2008

12/340420

Kent E. Griffin - Santa Monica CA, US
Scott Schneider - Santa Monica CA, US
Xin Hu - Ann Arbor MI, US

Symantec Corporation - Mountain View CA

G06F 11/00

726 24, 726 22, 707200

A set of candidate signatures for a malicious software (malware) is generated. The candidate signatures in the set are scored based on features that indicate the signatures are more unique and thus less likely to generically occur non-malicious programs. A malware signature for the malware entity is selected from among the candidate malware signatures based on the scores. The selected malware signature is stored.