Patent Grant
12034751
Organizations of all types and sizes face an ever-increasing threat from security breaches, malicious attacks, and other unauthorized activity, including those associated with electronic criminal activity (“e-crime”) and cyber-espionage. It is common to see advanced threat actors launch cyber-operations against particular entities or industries without pre-existing indicators of such attacks. However, over time, indicators of compromise (IOCs) or other digital forensic attributes can be revealed, such as those discovered during incident response engagements or by third parties. Knowing and curating such attributes, techniques, or other indicators of unauthorized cyber-activity, can aid in threat detection and/or attribution. However, some advanced threat actors, will seek to go undetected for as long as possible to achieve their objectives. After gaining access to information systems and the ability to remotely execute code, these threat actors will sometimes perform their activities by manually typing commands on their keyboard rather than using automated scripts or pre-compiled malware that can be easier to detect. This is often done as the actor transitions between gathering information, analyzing it, and leveraging the results of said analysis to gain additional accesses or take actions on their objectives.
Advanced threat actors often mimic the actions and appearance of authorized personnel by using pre-existing credentials and system administration software to avoid detection. When such covert techniques are employed to mimic routine business actions/activities, those actions are often more difficult to detect. The fidelity of potential IOCs associated with such advanced threat actors can be significantly lower than those that employ file-based malware, which can result in both delays and/or failures in the detection of such attacks. Accordingly, a need exists for the improved behavioral detection of advanced threat actors, especially when they are conducting more important stages of their operations via hands-on-keyboard activity. The present disclosure addresses the foregoing and other related and unrelated problems/issues in the art.
Briefly described, in one aspect, the present disclosure is directed to the systems and methods for the aggregation and review of evidence, including telemetry from endpoint and extended detection and response systems collected over time for the detection of unauthorized and malicious hands-on-keyboard activity. During an initial feature extraction stage or operation, a plurality of partial values and/or attributes of the received/collected telemetry, e.g. processes, network connections, domain names, URLs, files/scripts/macros and operations thereon, terminal commands, kernel objects, named pipes, event tracings, module/library loads, thread injections, system/hypervisor calls, memory analysis, scheduled tasks, shortcuts, service names, registry keys, digital certificates, authentication events, and various other software, hardware, and user attributes, are decomposed and tokenized.
In one aspect, as telemetry corresponding to hands-on-keyboard activities and other manual actions is received from an information system or systems, e.g. from various logs generated by such information handling systems, the systems and methods of the present disclosure will parse and tokenize the telemetry, taking a snapshot or view of the collected telemetry, and will extract a series of features indicative of various idiosyncrasies or detected actions. The extracted features will be tokenized and then aggregated over a finite window of time. Statistics will be extracted from the aggregated tokens to characterize temporal attributes of the tokens within the time window. Additional attributes can also be included in the feature vector, such as those associated with the information system's operating system, other software, hardware, and/or its user. The aggregated features will be provided to one or more machine learning subsystems, which can include one or more classifiers, which are trained to identify threat actors based on historical examples in order to differentiate it from authorized activities over similar time periods. The machine learning systems will generate preliminary scores and feed those to an ensemble classifier/learning system to generate an overall behavioral threat score of the likelihood that features of the telemetry over a prescribed time period resulting from unauthorized or malicious hands-on-keyboard activity.
In some embodiments, the tokenization of the telemetry can itself be based on examples of known threat actors interacting with target systems. Even if IOCs would generate too many false positives on their own, they can be useful input to a broader machine learning-based system that combines probabilistic information from a variety of sources. In embodiments, lower fidelity IOCs (used as tokens) are counter-intuitively preferred to increase the potential recall of future activity by the same actors. It can then be the responsibility of downstream machine learning subsystems to compensate for the noisy IOCs and increase the detector's overall precision when examining the totality of evidence contained in the aggregate feature vector(s).
Multiple machine learning subsystems can be run in parallel, and can be configured to use different classification/regression strategies, and/or can be optimized to detect different threat actors and/or focus on particular tactics, techniques, and/or procedures. The system further generally uses historical examples of both malicious activity conducted manually by threat actors seeking to avoid detection as well large amounts of authorized activity that is itself a mixture of some manual and more prevalent automated activity. The examples of authorized and unauthorized activities are used to train the machine learning subsystems to identify similar attacks in the future, more rapidly and with much higher fidelity.
In one aspect, a method for detecting malicious hands-on-keyboard activity in an information handling system can include receiving telemetry from one or more client systems, tokenizing a plurality of partial values/idiosyncrasies detected in the telemetry to form a plurality of tokens, aggregating the plurality of tokens or features over a selected time window to at least partially develop an aggregate feature vector, submitting the aggregate feature vector to one or more machine learning subsystems, and applying an ensemble model to one or more outputs from the one or more machine learning subsystems to generate an overall behavioral threat score of the unauthorized hands-on-keyboard activity.
In another aspect, a system for detecting manually-conducted unauthorized activity can include one or more storage media for telemetry from one or more information handling systems and at least one processor programmed to execute instructions stored in memory and operable to collect telemetry corresponding to the monitored keyboard activity from the one or more information handling systems, tokenize a plurality of partial values/idiosyncrasies detected in the telemetry to form a plurality of tokens, aggregate the plurality of tokens over a selected time window to at least partially develop an aggregate feature vector, submit the aggregate feature vector to one or more machine learning subsystems, and apply an ensemble model to one or more outputs from the one or more machine learning subsystems to generate a behavioral threat score.
Various objects, features and advantages of the present disclosure will become apparent to those skilled in the art upon a review of the following detail description, when taken in conjunction with the accompanying drawings.
It will be appreciated that for simplicity and clarity of illustration, elements illustrated in the Figures are not necessarily drawn to scale. For example, the dimensions of some elements may be exaggerated relative to other elements. Embodiments incorporating teachings of the present disclosure are shown and described with respect to the drawings herein, in which:
The use of the same reference symbols in different drawings indicates similar or identical items.
The following description in combination with the Figures is provided to assist in understanding the teachings disclosed herein. While the description discloses various implementations and embodiments of the teachings, and is provided to assist in describing the teachings, the implementation, features, and embodiments discussed herein should not be interpreted as a limitation on the scope or applicability of the teachings.
For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer (e.g., desktop or laptop), tablet computer, mobile device (e.g., personal digital assistant (PDA) or smart phone), server (e.g., blade server or rack server), a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, read only memory (ROM), and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, a touchscreen and/or a video display. The information handling system also may include one or more buses operable to transmit communications between the various hardware components.
As shown in
Such monitored activity can include logging on and off networks by the information handling systems 32, downloads and/or uploads, changes to system settings, IP addresses accessed by or attempting to access the network, etc. Additionally, network activities such as executed processes (i.e., type, number of times accessed, resulting actions, etc.), types and/or numbers of files modified, network connections, memory forensic attributes, and similar logged or other Digital Forensics and Incident Response (DFIR) investigative activities can also be monitored and collected as part of security log data/records.
The monitoring device(s) 40 communicatively coupled to the organization/client networked system 12 additionally can be configured to aggregate, ingest, or otherwise receive forensic information, such as specific security related data, security or event logs, raw data, and/or other suitable records or information, based at least in part on monitored activity of the plurality of devices 32 and/or the networked systems 12. The security data may be stored in the memory or storage of the monitoring devices 40 and can be communicated to and/or accessed by an MSSP providing security services for the organizations/clients. For example, each monitoring system 40 may automatically send the security data/information to the one or more servers at the MSSP data center, or the MSSP can otherwise directly access the information or security data from the memory or storage of the monitoring device(s) 14.
Forensic analyses/reviews of such data will be performed, e.g., to determine if the data has been threatened or corrupted by an actual attack or malicious actor, and responsive events determined and remediated. The resultant forensic information or security data further can be stored on the memory 28 or in servers or other suitable information handling systems 22 and/or data storage at the security event management center 13, such that the security data is accessible to be analyzed/processed by the MSSP. It further will be recognized that the monitoring devices 40 at the client/customer networked systems 12 are optional, and organizations/clients or technology partners thereof can independently monitor the networked systems, for example, using one or more of the information handling systems 32, and otherwise provide forensic information, security data or other suitable data/information to the MSSP.
With embodiments of the present disclosure, the processor(s) 26 can be operable to run or otherwise access one or more engines, computer program products, platforms, etc. that facilitate the discovery of threats and/or malicious acts across the networked systems 12. For example, the processor(s) 26 can tokenize values and/or attributes in system logs and other information received from one or more network systems, aggregate the tokens into an aggregate feature vector, apply the aggregate feature vector to one or more machine learning subsystems, and apply an ensemble classifier to the output from the machine learning subsystems to produce a behavioral threat score. As necessary, the processor(s) 26 can generate alerts and/or can take remediating and/or preventative action to address malicious activity in the networked system. In some embodiments, these risk scores further can be dynamically updated/changed as new security data is received and analyzed.
In embodiments, a threat actor that has achieved the ability to execute code in an information system such as a networked client system may perform actions in the client system, such as reconnaissance, privilege escalation, credential access, lateral movement, and other functions in support of a final objective. Some or all of this threat activity may be automated (e.g., with malware). Alternatively, a threat actor may perform these activities manually (e.g., hands-on-keyboard activity) to minimize observable indicators of compromise and to reduce the chances of being detected before achieving their long-term objectives. Such a threat actor may avoid using known signatures that could be detected by a threat monitoring system. However, a threat detection system that observes a confluence of such behavior over finite time windows lends itself to probabilistic detection using machine learning and, in exemplary embodiments, can have a high confidence of such detection.
As shown in
In the illustrated embodiment, potentially malicious and/or unauthorized hands-on-keyboard activity can be detected amongst the noise (e.g., authorized activities by human actors and/or automated systems) by inputting the telemetry collected over a selected temporal window or time period through a feature extraction engine (e.g., the log feature extractor 104 of
In embodiments, the historical corpus of malicious and benign activity can be associated with multiple client systems, one or more specific client systems, or a combination of both. For example, it may be abnormal for a certain term to be capitalized in a particular client system, and an instance of the term being capitalized in the system logs could be tokenized. Such a token may be indicative of a particular threat actor along with other behavioral idiosyncrasies and/or other information or may be benign. In other client systems, variations in the use of capitalization of terms in the system logs may be normal and would not be indicative of threat activity.
As indicated at 206 in
As an alternative approach to dimensionality reduction, the plurality of tokens optionally may be embedded into a finite-dimensional numeric vector representation as indicated at 207 in
Thereafter, at 208, the plurality of tokens output from the feature extraction engine and/or the hashed tokens and/or their vector representation output can be aggregated over the selected time window for each client system and/or each user encountered by the temporal aggregator and analyzer 106, for example, for developing an aggregate feature vector. The aggregate feature vector can include relevant statistics, such as raw counts of the different tokens, the number of raw events for each type of token/data in the time window, and information about the inter-arrival timings of the events (e.g., time statistics about the time intervals between events) for each client system. In an exemplary embodiment, such information can be used by one or more of the machine learning subsystems 108 to differentiate automated behavior by other systems and agents from manual hands-on-keyboard activity. For example, a human actor may take longer between commands than an automated system or a certain token that is present a large number of times in the time window may indicate that that token is associated with a script as part of normal activity in the client system.
As indicated at 210, additional attributes (such as one or more attributes 110 shown in
Subsequently, at 212, the aggregate feature vector and the optional additional attributes 110 can be submitted to a series of machine learning subsystems (e.g., the one or more machine learning classifiers 108 shown in
In some embodiments, anomaly detection subsystems can be included for additional characterization of the feature vector to determine the degree to which a particular user or client system is unusual with respect to its peers. For example, it may be normal for a manufacturing company's system to have connections with a particular country while connections with the same country would be abnormal for a banking client's system. Other machine learning subsystems can be optimized to detect suspicious hardware attributes, software attributes, user attributes, and/or other aspects of the aggregate feature vector, to detect different types of threat actors and/or different methods of attack, and/or to use different classification strategies. In some embodiments, all of the machine learning subsystems can be optimized to review different aspects of the aggregate feature vector.
Alternatively, at least a portion of the machine learning subsystems can have overlapping specialties. In exemplary embodiments, the classification subsystems can include naive Bayes classifiers, support vector machines, random forests, gradient boosted trees, deep neural networks, and/or other suitable techniques. In some embodiments, it may be desired to include more flexible subsystems that seek to predict a numeric output, such as the financial risk associated with the observed behavior. For example, such subsystems could include regression analysis, linear regression, logistic regression, generalized linear modeling, generalized additive modeling, nonlinear regression, and/or other suitable techniques. In these embodiments, the machine learning subsystems can be configured to run in parallel. In the illustrated embodiment, any suitable number of machine learning subsystems can be used.
Thereafter, at 214, the output of each of the machine learning subsystems can be fed to an ensemble classification system or regression model trained with an additional and/or different corpus of examples of malicious and/or benign activities and configured to generate an overall behavioral threat score. For example, the threat score can include a confidence value and/or a severity value. In some embodiments, the ensemble classifier can provide an indication that the actor is or is not an insider threat, a financially motivated criminal, a nation-state actor, etc. in addition or alternatively to the confidence and/or severity of such a determination. Accordingly, the machine learning subsystems can flag respective aspects of the aggregate feature vector as benign or malicious and the ensemble classifier can output the threat score based on the outputs (e.g., preliminary threat scores) from the machine learning subsystems. For example, one machine learning subsystem may flag changes in hardware attributes as being suspicious, while other machine learning subsystems indicate no malicious activity, and the ensemble classifier may develop a low threat score, accordingly.
Alternatively, the combined outputs of the machine learning subsystems may lead to a higher behavioral threat score from the ensemble classifier if a number of the machine learning subsystems flag suspicious activity. In some embodiments, the outputs from some of the machine learning subsystems can be weighted by the ensemble classifier. For example, aspects of the aggregate feature vector that are flagged as suspicious by a particular machine learning subsystem may have a high probability of indicating malicious activity in the networked system, and the ensemble classifier can give more weight to the output from this machine learning subsystem or can stop the analysis and take action (e.g., generate an alarm and/or take remedial action).
As shown in
In the case that the behavioral threat score is between the upper and lower predetermined values (at 216, 220), the threat detection system can adjust and/or expand the time window for the tokenized data reviewed by the threat detection system (at 224) so that additional telemetry and/or hashes and/or embedded notations or indications of telemetry can be analyzed for the particular user/system. For example, the adjusted and/or expanded time window can be applied to step 208 with the process continuing from 208. It is also possible that more complex or computationally expensive models can be used to evaluate feature vectors that initially score between the upper and lower predetermined values. It further will be understood that the actions indicated at 202 to 224 may be rearranged or omitted and other actions or steps may be included, without departing from the scope of the present disclosure.
In some streaming real-time embodiments, the time window can be updated for the machine learning classifiers, etc. For example, more recent events can be added to the aggregate feature vector while older events age out and are removed from the aggregate feature vector as the time window shifts forward. The continually updating aggregate feature vector can be fed through the machine learning subsystems and then the ensemble classifier to produce updated behavioral threat scores. For example, the machine learning subsystems can be operated in real-time by removing old tokens from the aggregate feature vector and incorporating new tokens into the aggregate feature vector as time passes.
As shown in
As shown, the information handling system 700 further may include a video display unit 710, such as a liquid crystal display (LCD), an organic light emitting diode (OLED), a flat panel display, a solid state display, or a cathode ray tube (CRT), or other suitable display. The video display unit 710 may also act as an input accepting touchscreen inputs. Additionally, the information handling system 700 may include an input device 712, such as a keyboard, or a cursor control device, such as a mouse or touch pad, or a selectable interface on the display unit. Information handling system may include a battery system 714. The information handling system 700 can represent a device capable of telecommunications and whose can be share resources, voice communications, and data communications among multiple devices. The information handling system 700 can also represent a server device whose resources can be shared by multiple client devices, or it can represent an individual client device, such as a laptop or tablet personal computer, and/or any other suitable device without departing from the scope of the present disclosure.
The information handling system 700 can include a set of instructions that can be executed to cause the processor to perform any one or more of the methods or computer based functions disclosed herein. The processor 702 may operate as a standalone device or may be connected such as using a network, to other computer systems or peripheral devices.
In a networked deployment, the information handling system 700 may operate in the capacity of a server or as a client information handling device in a server-client user network environment, or as a peer computer system in a peer-to-peer (or distributed) network environment. The information handling system 700 can also be implemented as or incorporated into various devices, such as a personal computer (PC), a tablet PC, a set-top box (STB), a smartphone, a PDA, a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communications device, a wireless telephone, a land-line telephone, a control system, a camera, a scanner, a facsimile machine, a printer, a pager, a personal trusted device, a web appliance, a network router, switch or bridge, or any other machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. In a particular embodiment, the computer system 700 can be implemented using electronic devices that provide voice, video or data communication. Further, while a single information handling system 700 is illustrated, the term “system” shall also be taken to include any collection of systems or subsystems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer functions.
The disk drive unit 716 or static memory 714 may include a computer-readable medium 722 in which one or more sets of instructions 724 such as software can be embedded. The disk drive unit 716 or static memory 706 also contains space for data storage. Further, the instructions 724 may embody one or more of the methods or logic as described herein. In a particular embodiment, the instructions 724 may reside completely, or at least partially, within the main memory 704, the static memory 706, and/or within the processor 702 during execution by the information handling system 700. The main memory 704 and the processor 702 also may include computer-readable media. The network interface device 720 can provide connectivity to a network 726, e.g., a wide area network (WAN), a local area network (LAN), wireless network, or other network. The network interface device 720 may also interface with macrocellular networks including wireless telecommunications networks such as those characterized as 2G, 3G, 4G, 5G, LTE or similar wireless telecommunications networks similar to those described above. The network interface 720 may be a wireless adapter having antenna systems for various wireless connectivity and radio frequency subsystems for signal reception, transmission, or related processing.
In an alternative embodiment, dedicated hardware implementations such as application specific integrated circuits, programmable logic arrays and other hardware devices can be constructed to implement one or more of the methods described herein. Applications that may include the apparatus and systems of various embodiments can broadly include a variety of electronic and computer systems. One or more embodiments described herein may implement functions using two or more specific interconnected hardware modules or devices with related control and data signals that can be communicated between and through the modules, or as portions of an application-specific integrated circuit. Accordingly, the present system encompasses software, firmware, and hardware implementations. In accordance with various embodiments of the present disclosure, the methods described herein may be implemented by software programs executable by a computer system. Further, in an exemplary, non-limited embodiment, implementations can include distributed processing, component/object distributed processing, and parallel processing. Alternatively, virtual computer system processing can be constructed to implement one or more of the methods or functionality as described herein.
The present disclosure contemplates a computer-readable medium that includes instructions 724 or receives and executes instructions 724 responsive to a propagated signal; so that a device connected to a network 726 can communicate voice, video, or data or other information data over the network 726. Further, the instructions 724 may be transmitted or received over the network 726 via the network interface device 720. In a particular embodiment, BIOS/FW code 724 reside in memory 704, and include machine-executable code that is executed by processor 702 to perform various functions of information handling system 700.
Information handling system 700 includes one or more application programs 724, and Basic Input/Output System and Firmware (BIOS/FW) code 724. BIOS/FW code 724 functions to initialize information handling system 700 on power up, to launch an operating system, and to manage input and output interactions between the operating system and the other elements of information handling system 700.
In another embodiment (not illustrated), application programs and BIOS/FW code reside in another storage medium of information handling system 700. For example, application programs and BIOS/FW code can reside in drive 716, in a ROM (not illustrated) associated with information handling system 700, in an option-ROM (not illustrated) associated with various devices of information handling system 700, in storage system 706, in a storage system (not illustrated) associated with network channel 720, in another storage medium of the information handling system 700, or a combination thereof. Application programs 724 and BIOS/FW code 724 can each be implemented as single programs, or as separate programs carrying out the various features as described herein.
While the computer-readable medium is shown to be a single medium, the term “computer-readable medium” includes a single medium or multiple media, such as a centralized or distributed database, and/or associated caches and servers that store one or more sets of instructions. The term “computer-readable medium” shall also include any medium that is capable of storing, encoding, or carrying a set of instructions for execution by a processor or that cause a computer system to perform any one or more of the methods or operations disclosed herein.
In a particular non-limiting, exemplary embodiment, the computer-readable medium can include a solid-state memory such as a memory card or other package that houses one or more non-volatile, read-only memories. Further, the computer-readable medium can be a random access memory or other volatile re-writable memory. Additionally, the computer-readable medium can include a magneto-optical or optical medium, such as a disk or tapes or other storage device to store information received via carrier wave signals such as a signal communicated over a transmission medium. Furthermore, a computer readable medium can store information received from distributed network resources such as from a cloud-based environment. A digital file attachment to an e-mail or other self-contained information archive or set of archives may be considered a distribution medium that is equivalent to a tangible storage medium. Accordingly, the disclosure is considered to include any one or more of a computer-readable medium or a distribution medium and other equivalents and successor media, in which data or instructions may be stored.
In the embodiments described herein, an information handling system includes any instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or use any form of information, intelligence, or data for business, scientific, control, entertainment, or other purposes. For example, an information handling system can be a personal computer, a consumer electronic device, a network server or storage device, a switch router, wireless router, or other network communication device, a network connected device (cellular telephone, tablet device, etc.), or any other suitable device, and can vary in size, shape, performance, price, and functionality.
The information handling system can include memory (volatile (such as random-access memory, etc.), nonvolatile (read-only memory, flash memory etc.) or any combination thereof), one or more processing resources, such as a central processing unit (CPU), a graphics processing unit (GPU), hardware or software control logic, or any combination thereof. Additional components of the information handling system can include one or more storage devices, one or more communications ports for communicating with external devices, as well as, various input and output (I/O) devices, such as a keyboard, a mouse, a video/graphic display, or any combination thereof. The information handling system can also include one or more buses operable to transmit communications between the various hardware components. Portions of an information handling system may themselves be considered information handling systems.
When referred to as a “device,” a “module,” or the like, the embodiments described herein can be configured as hardware. For example, a portion of an information handling system device may be hardware such as, for example, an integrated circuit (such as an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a structured ASIC, or a device embedded on a larger chip), a card (such as a Peripheral Component Interface (PCI) card, a PCI-express card, a Personal Computer Memory Card International Association (PCMCIA) card, or other such expansion card), or a system (such as a motherboard, a system-on-a-chip (SoC), or a stand-alone device).
The device or module can include software, including firmware embedded at a device, such as a Pentium class or PowerPC™ brand processor, or other such device, or software capable of operating a relevant environment of the information handling system. The device or module can also include a combination of the foregoing examples of hardware or software. Note that an information handling system can include an integrated circuit or a board-level product having portions thereof that can also be any combination of hardware and software.
Devices, modules, resources, or programs that are in communication with one another need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices, modules, resources, or programs that are in communication with one another can communicate directly or indirectly through one or more intermediaries.
The foregoing description generally illustrates and describes various embodiments of the present disclosure. It will, however, be understood by those skilled in the art that various changes and modifications can be made to the above-discussed construction of the present disclosure without departing from the spirit and scope of the disclosure as disclosed herein, and that it is intended that all matter contained in the above description or shown in the accompanying drawings shall be interpreted as being illustrative, and not to be taken in a limiting sense. Furthermore, the scope of the present disclosure shall be construed to cover various modifications, combinations, additions, alterations, etc., above and to the above-described embodiments, which shall be considered to be within the scope of the present disclosure. Accordingly, various features and characteristics of the present disclosure as discussed herein may be selectively interchanged and applied to other illustrated and non-illustrated embodiments of the disclosure, and numerous variations, modifications, and additions further can be made thereto without departing from the spirit and scope of the present invention as set forth in the appended claims.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5937066 | Gennaro et al. | Aug 1999 | A |
| 6357010 | Viets et al. | Mar 2002 | B1 |
| 7269578 | Sweeney | Sep 2007 | B2 |
| 7331061 | Ramsey et al. | Feb 2008 | B1 |
| 7492957 | Bonhaus | Feb 2009 | B1 |
| 7548932 | Horvitz et al. | Jun 2009 | B2 |
| 7555482 | Korkus | Jun 2009 | B2 |
| 7571474 | Ross et al. | Aug 2009 | B2 |
| 7594270 | Church et al. | Sep 2009 | B2 |
| 7606801 | Faitelson et al. | Oct 2009 | B2 |
| 7613722 | Horvitz et al. | Nov 2009 | B2 |
| 7770031 | MacKay et al. | Aug 2010 | B2 |
| 7841008 | Cole | Nov 2010 | B1 |
| 7856411 | Darr | Dec 2010 | B2 |
| 7926113 | Gula et al. | Apr 2011 | B1 |
| 8037529 | Chiueh | Oct 2011 | B1 |
| 8079081 | Lavrik et al. | Dec 2011 | B1 |
| 8082506 | McConnell | Dec 2011 | B1 |
| 8122495 | Ramsey et al. | Feb 2012 | B2 |
| 8156553 | Church et al. | Apr 2012 | B1 |
| 8327419 | Korablev et al. | Dec 2012 | B1 |
| 8407335 | Church et al. | Mar 2013 | B1 |
| 8490193 | Sarraute et al. | Jul 2013 | B2 |
| 8490196 | Lucangeli et al. | Jul 2013 | B2 |
| 8522350 | Davenport et al. | Aug 2013 | B2 |
| 8539575 | Schmitlin et al. | Sep 2013 | B2 |
| 8578393 | Fisher | Nov 2013 | B1 |
| 8595170 | Gladstone et al. | Nov 2013 | B2 |
| 8621618 | Ramsey et al. | Dec 2013 | B1 |
| 8701176 | Ramsey et al. | Apr 2014 | B2 |
| 8793786 | Bhesania et al. | Jul 2014 | B2 |
| 8805881 | Hom et al. | Aug 2014 | B2 |
| 8832048 | Lim | Sep 2014 | B2 |
| 8839414 | Mantle et al. | Sep 2014 | B2 |
| 8898777 | Oliver | Nov 2014 | B1 |
| 8909673 | Faitelson et al. | Dec 2014 | B2 |
| 8931095 | Ramsey et al. | Jan 2015 | B2 |
| 8938802 | Davenport et al. | Jan 2015 | B2 |
| 8959115 | Marathe | Feb 2015 | B2 |
| 8984644 | Oliphant et al. | Mar 2015 | B2 |
| 9009828 | Ramsey et al. | Apr 2015 | B1 |
| 9032478 | Ballesteros et al. | May 2015 | B2 |
| 8928476 | Jerhotova et al. | Jun 2015 | B2 |
| 9046886 | Chong et al. | Jun 2015 | B2 |
| 9047336 | Hom et al. | Jun 2015 | B2 |
| 9058492 | Satish | Jun 2015 | B1 |
| 9069599 | Martinez et al. | Jun 2015 | B2 |
| 9098702 | Rubin et al. | Aug 2015 | B2 |
| 9129105 | Donley et al. | Sep 2015 | B2 |
| 9130988 | Seifert et al. | Sep 2015 | B2 |
| 9137262 | Qureshi et al. | Sep 2015 | B2 |
| 9191400 | Ptasinski et al. | Nov 2015 | B1 |
| 9195809 | Kaplan | Nov 2015 | B1 |
| 9275231 | Chen | Mar 2016 | B1 |
| 9298895 | Lim | Mar 2016 | B2 |
| 9319426 | Webb et al. | Apr 2016 | B2 |
| 9338134 | Yin | May 2016 | B2 |
| 9338180 | Ramsey et al. | May 2016 | B2 |
| 9430534 | Bhattacharya et al. | Aug 2016 | B2 |
| 9438563 | Yin | Sep 2016 | B2 |
| 9438623 | Thioux | Sep 2016 | B1 |
| 9519756 | Bitran et al. | Dec 2016 | B2 |
| 9544273 | Fleury et al. | Jan 2017 | B2 |
| 9548994 | Pearcy et al. | Jan 2017 | B2 |
| 9558352 | Dennison et al. | Jan 2017 | B1 |
| 9560062 | Khatri et al. | Jan 2017 | B2 |
| 9560068 | Figlin et al. | Jan 2017 | B2 |
| 9596252 | Coates et al. | Mar 2017 | B2 |
| 9628511 | Ramsey et al. | Apr 2017 | B2 |
| 9667656 | Banerjee et al. | May 2017 | B2 |
| 9667661 | Sharma et al. | May 2017 | B2 |
| 9690938 | Saxe et al. | Jun 2017 | B1 |
| 9710672 | Braun | Jul 2017 | B2 |
| 9712549 | Almurayh | Jul 2017 | B2 |
| 9742559 | Christodorescu et al. | Aug 2017 | B2 |
| 9767302 | Lim | Sep 2017 | B2 |
| 9792443 | Sheridan | Oct 2017 | B1 |
| 9805202 | Medeiros et al. | Oct 2017 | B2 |
| 9825989 | Mehra | Nov 2017 | B1 |
| 9910986 | Saxe | Mar 2018 | B1 |
| 9934376 | Ismael | Apr 2018 | B1 |
| 9973524 | Boyer et al. | May 2018 | B2 |
| 9998480 | Gates | Jun 2018 | B1 |
| 10038706 | Mekky | Jul 2018 | B2 |
| 10050992 | Thyni et al. | Aug 2018 | B2 |
| 10063582 | Feng et al. | Aug 2018 | B1 |
| 10114954 | Bellis | Oct 2018 | B1 |
| 10116500 | Long et al. | Oct 2018 | B1 |
| 10218733 | Amidon | Feb 2019 | B1 |
| 10270790 | Jackson | Apr 2019 | B1 |
| 10277625 | Efstathopoulos | Apr 2019 | B1 |
| 10311231 | Kayyoor et al. | Jun 2019 | B1 |
| 10348747 | Yamada | Jul 2019 | B2 |
| 10356125 | Goutal et al. | Jul 2019 | B2 |
| 10382473 | Ashkenazy | Aug 2019 | B1 |
| 10382489 | Das et al. | Aug 2019 | B2 |
| 10419903 | Singh et al. | Sep 2019 | B2 |
| 10425223 | Roth et al. | Sep 2019 | B2 |
| 10454950 | Aziz | Oct 2019 | B1 |
| 10474813 | Ismael | Nov 2019 | B1 |
| 10474820 | Manadhata | Nov 2019 | B2 |
| 10491632 | Natarajan et al. | Nov 2019 | B1 |
| 10521584 | Sharifi Mehr | Dec 2019 | B1 |
| 10558809 | Joyce | Feb 2020 | B1 |
| 10567407 | Tang et al. | Feb 2020 | B2 |
| 10594713 | McLean | Mar 2020 | B2 |
| 10601865 | Mesdaq et al. | Mar 2020 | B1 |
| 10642753 | Steinberg | May 2020 | B1 |
| 10691810 | Freitag | Jun 2020 | B1 |
| 10726127 | Steinberg | Jul 2020 | B1 |
| 10728263 | Neumann | Jul 2020 | B1 |
| 10735470 | Vidas et al. | Aug 2020 | B2 |
| 10754958 | Sidagni | Aug 2020 | B1 |
| 10762206 | Titonis et al. | Sep 2020 | B2 |
| 10785238 | McLean et al. | Sep 2020 | B2 |
| 10834128 | Rajogopalan et al. | Nov 2020 | B1 |
| 10841337 | Kinder | Nov 2020 | B2 |
| 10853431 | Lin et al. | Dec 2020 | B1 |
| 10855717 | Feiman | Dec 2020 | B1 |
| 10868825 | Dominessy | Dec 2020 | B1 |
| 10915828 | Qhi | Feb 2021 | B2 |
| 10944758 | Nagargadde | Mar 2021 | B1 |
| 11003718 | McLean et al. | May 2021 | B2 |
| 11038920 | Sellers | Jun 2021 | B1 |
| 11044263 | McLean et al. | Jun 2021 | B2 |
| 11113086 | Steinberg | Sep 2021 | B1 |
| 11140193 | Patel | Oct 2021 | B2 |
| 11165862 | Austin et al. | Nov 2021 | B2 |
| 11275831 | Aouad et al. | Mar 2022 | B1 |
| 11693972 | Nunes | Jul 2023 | B2 |
| 11757907 | Berger | Sep 2023 | B1 |
| 11863577 | Miseiko | Jan 2024 | B1 |
| 20020129135 | Delany et al. | Sep 2002 | A1 |
| 20020199122 | Davis | Dec 2002 | A1 |
| 20040128543 | Blake | Jul 2004 | A1 |
| 20050060295 | Gould et al. | Mar 2005 | A1 |
| 20050138204 | Iyer et al. | Jun 2005 | A1 |
| 20050166072 | Converse | Jul 2005 | A1 |
| 20050288939 | Peled et al. | Dec 2005 | A1 |
| 20060012815 | Ebner et al. | Jan 2006 | A1 |
| 20060037076 | Roy | Feb 2006 | A1 |
| 20060195575 | Delany et al. | Aug 2006 | A1 |
| 20060253447 | Judge | Nov 2006 | A1 |
| 20070143852 | Keanini | Jun 2007 | A1 |
| 20070192867 | Miliefsky | Aug 2007 | A1 |
| 20070226248 | Darr | Sep 2007 | A1 |
| 20070226807 | Ginter et al. | Sep 2007 | A1 |
| 20070294756 | Fetik | Dec 2007 | A1 |
| 20080077593 | Abrams et al. | Mar 2008 | A1 |
| 20080219334 | Brainos et al. | Sep 2008 | A1 |
| 20080255997 | Bluhm et al. | Oct 2008 | A1 |
| 20080262991 | Kapoor | Oct 2008 | A1 |
| 20080301798 | Hao | Dec 2008 | A1 |
| 20080320000 | Gaddam | Dec 2008 | A1 |
| 20090038015 | Diamant | Feb 2009 | A1 |
| 20090198682 | Buehler et al. | Aug 2009 | A1 |
| 20100083374 | Schmitlin et al. | Apr 2010 | A1 |
| 20100125913 | Davenport et al. | May 2010 | A1 |
| 20100251329 | Wei et al. | Sep 2010 | A1 |
| 20110004771 | Matsushima et al. | Jan 2011 | A1 |
| 20110179492 | Markopoulou et al. | Jul 2011 | A1 |
| 20110197056 | Chen | Aug 2011 | A1 |
| 20110276604 | Hom et al. | Nov 2011 | A1 |
| 20110276716 | Coulson | Nov 2011 | A1 |
| 20120072983 | McCusker et al. | Mar 2012 | A1 |
| 20120117640 | Ramsey et al. | May 2012 | A1 |
| 20120185275 | Loghmani | Jul 2012 | A1 |
| 20120246730 | Raad | Sep 2012 | A1 |
| 20120254333 | Chandramouli | Oct 2012 | A1 |
| 20120260341 | Chan et al. | Oct 2012 | A1 |
| 20130104191 | Peled et al. | Apr 2013 | A1 |
| 20130138428 | Chandramouli | May 2013 | A1 |
| 20130173620 | Takenouchi | Jul 2013 | A1 |
| 20130226938 | Risher et al. | Aug 2013 | A1 |
| 20130238319 | Minegishi et al. | Sep 2013 | A1 |
| 20130282746 | Balko et al. | Oct 2013 | A1 |
| 20130291103 | Davenport et al. | Oct 2013 | A1 |
| 20130318604 | Coates et al. | Nov 2013 | A1 |
| 20140041028 | Ramsey et al. | Feb 2014 | A1 |
| 20140047544 | Jakobsson | Feb 2014 | A1 |
| 20140051432 | Gupta et al. | Feb 2014 | A1 |
| 20140143863 | Deb et al. | May 2014 | A1 |
| 20140165195 | Brdiczka et al. | Jun 2014 | A1 |
| 20140181981 | Christodorescu | Jun 2014 | A1 |
| 20140222712 | Samaha et al. | Aug 2014 | A1 |
| 20140283081 | Sheridan | Sep 2014 | A1 |
| 20140283083 | Gula | Sep 2014 | A1 |
| 20140331207 | Sridharan | Nov 2014 | A1 |
| 20140373151 | Webb et al. | Dec 2014 | A1 |
| 20150019323 | Goldberg et al. | Jan 2015 | A1 |
| 20150040225 | Coates et al. | Feb 2015 | A1 |
| 20150074390 | Stoback | Mar 2015 | A1 |
| 20150135287 | Medeiros et al. | May 2015 | A1 |
| 20150135320 | Coskun | May 2015 | A1 |
| 20150156212 | Khatri et al. | Jun 2015 | A1 |
| 20150186618 | Poorvin et al. | Jul 2015 | A1 |
| 20150222652 | Ramsey et al. | Aug 2015 | A1 |
| 20150271047 | McLean | Sep 2015 | A1 |
| 20150310211 | Mei et al. | Oct 2015 | A1 |
| 20150324457 | McLean | Nov 2015 | A1 |
| 20150332054 | Eck | Nov 2015 | A1 |
| 20150365437 | Bell, Jr. | Dec 2015 | A1 |
| 20160006749 | Cohen et al. | Jan 2016 | A1 |
| 20160014140 | Akireddy et al. | Jan 2016 | A1 |
| 20160014151 | Prakash | Jan 2016 | A1 |
| 20160078365 | Baumard | Mar 2016 | A1 |
| 20160099963 | Mahaffey et al. | Apr 2016 | A1 |
| 20160112445 | Abramowitz | Apr 2016 | A1 |
| 20160134653 | Vallone | May 2016 | A1 |
| 20160139886 | Perdriau et al. | May 2016 | A1 |
| 20160156655 | Lotem et al. | Jun 2016 | A1 |
| 20160162690 | Reith | Jun 2016 | A1 |
| 20160182546 | Coates et al. | Jun 2016 | A1 |
| 20160205127 | Roehl | Jul 2016 | A1 |
| 20160241591 | Ramsey et al. | Aug 2016 | A1 |
| 20160248789 | Nakamatsu | Aug 2016 | A1 |
| 20160253497 | Christodorescu | Sep 2016 | A1 |
| 20160277423 | Apostolescu et al. | Sep 2016 | A1 |
| 20160313709 | Biesdorf et al. | Oct 2016 | A1 |
| 20160337400 | Gupta | Nov 2016 | A1 |
| 20160342805 | Lim | Nov 2016 | A1 |
| 20160378978 | Singla et al. | Dec 2016 | A1 |
| 20170026343 | Wardman | Jan 2017 | A1 |
| 20170026391 | Abu-Nimeh | Jan 2017 | A1 |
| 20170063893 | Franc et al. | Mar 2017 | A1 |
| 20170063905 | Muddu et al. | Mar 2017 | A1 |
| 20170093902 | Roundy et al. | Mar 2017 | A1 |
| 20170098087 | Li | Apr 2017 | A1 |
| 20170111379 | Khatri et al. | Apr 2017 | A1 |
| 20170140295 | Bandara | May 2017 | A1 |
| 20170142149 | Coates et al. | May 2017 | A1 |
| 20170169154 | Lin et al. | Jun 2017 | A1 |
| 20170171228 | McLean | Jun 2017 | A1 |
| 20170180418 | Shen | Jun 2017 | A1 |
| 20170201381 | Kinder et al. | Jul 2017 | A1 |
| 20170201431 | Kinder et al. | Jul 2017 | A1 |
| 20170201490 | Kinder et al. | Jul 2017 | A1 |
| 20170201548 | Kinder et al. | Jul 2017 | A1 |
| 20170208084 | Steelman et al. | Jul 2017 | A1 |
| 20170208085 | Steelman et al. | Jul 2017 | A1 |
| 20170243004 | Kinder et al. | Aug 2017 | A1 |
| 20170243005 | Kinder et al. | Aug 2017 | A1 |
| 20170243009 | Sejpal | Aug 2017 | A1 |
| 20170244734 | Kinder et al. | Aug 2017 | A1 |
| 20170244750 | Kinder et al. | Aug 2017 | A1 |
| 20170244754 | Kinder et al. | Aug 2017 | A1 |
| 20170244762 | Kinder et al. | Aug 2017 | A1 |
| 20170318033 | Holland et al. | Nov 2017 | A1 |
| 20170318034 | Holland et al. | Nov 2017 | A1 |
| 20170346839 | Peppe | Nov 2017 | A1 |
| 20170359368 | Hodgman | Dec 2017 | A1 |
| 20180004948 | Martin | Jan 2018 | A1 |
| 20180069885 | Patterson | Mar 2018 | A1 |
| 20180077189 | Doppke et al. | Mar 2018 | A1 |
| 20180077195 | Gathala | Mar 2018 | A1 |
| 20180089574 | Goto | Mar 2018 | A1 |
| 20180091306 | Antonopoulos et al. | Mar 2018 | A1 |
| 20180096140 | Bulygin | Apr 2018 | A1 |
| 20180103010 | Diaz Cuellar et al. | Apr 2018 | A1 |
| 20180124073 | Scherman et al. | May 2018 | A1 |
| 20180124085 | Frayman et al. | May 2018 | A1 |
| 20180124094 | Hamdi | May 2018 | A1 |
| 20180129811 | Diu | May 2018 | A1 |
| 20180152480 | Kinder et al. | May 2018 | A1 |
| 20180181599 | Crabtree et al. | Jun 2018 | A1 |
| 20180219899 | Joy | Aug 2018 | A1 |
| 20180234434 | Viljoen | Aug 2018 | A1 |
| 20180288198 | Pope et al. | Oct 2018 | A1 |
| 20180324203 | Estes | Nov 2018 | A1 |
| 20180367550 | Musuvathi et al. | Dec 2018 | A1 |
| 20190014149 | Cleveland et al. | Jan 2019 | A1 |
| 20190037406 | Wash | Jan 2019 | A1 |
| 20190050554 | Fiske | Feb 2019 | A1 |
| 20190068630 | Valecha et al. | Feb 2019 | A1 |
| 20190095320 | Biswas et al. | Mar 2019 | A1 |
| 20190095801 | Saillet et al. | Mar 2019 | A1 |
| 20190102554 | Luo et al. | Apr 2019 | A1 |
| 20190102564 | Li | Apr 2019 | A1 |
| 20190102646 | Redmon | Apr 2019 | A1 |
| 20190104154 | Kumar et al. | Apr 2019 | A1 |
| 20190109717 | Reddy | Apr 2019 | A1 |
| 20190122258 | Bramberger et al. | Apr 2019 | A1 |
| 20190132344 | Lem et al. | May 2019 | A1 |
| 20190166149 | Gerrick | May 2019 | A1 |
| 20190166152 | Steele | May 2019 | A1 |
| 20190173919 | Irimie | Jun 2019 | A1 |
| 20190242718 | Siskind et al. | Aug 2019 | A1 |
| 20190258807 | DiMaggio et al. | Aug 2019 | A1 |
| 20190297096 | Ahmed et al. | Sep 2019 | A1 |
| 20190342296 | Anandam et al. | Nov 2019 | A1 |
| 20190347423 | Sanossian | Nov 2019 | A1 |
| 20190347433 | Chakravorty et al. | Nov 2019 | A1 |
| 20200012796 | Trepagnieer | Jan 2020 | A1 |
| 20200036750 | Bahnsen | Jan 2020 | A1 |
| 20200036751 | Kohavi | Jan 2020 | A1 |
| 20200057857 | Roytman | Feb 2020 | A1 |
| 20200074084 | Dorrans | Mar 2020 | A1 |
| 20200082080 | Boulton | Mar 2020 | A1 |
| 20200097662 | Hufsmith | Mar 2020 | A1 |
| 20200097663 | Sato | Mar 2020 | A1 |
| 20200110873 | Rosendahl | Apr 2020 | A1 |
| 20200120126 | Ocepek | Apr 2020 | A1 |
| 20200177618 | Hassanzadeh | Jun 2020 | A1 |
| 20200186544 | Dichiu et al. | Jun 2020 | A1 |
| 20200186569 | Milazzo | Jun 2020 | A1 |
| 20200195683 | Kuppa et al. | Jun 2020 | A1 |
| 20200210590 | Doyle | Jul 2020 | A1 |
| 20200213346 | Shafet | Jul 2020 | A1 |
| 20200257792 | Rivard | Aug 2020 | A1 |
| 20200259791 | Garcia et al. | Aug 2020 | A1 |
| 20200274894 | Argoeti et al. | Aug 2020 | A1 |
| 20200285737 | Kraus | Sep 2020 | A1 |
| 20200285952 | Liu et al. | Sep 2020 | A1 |
| 20200314122 | Jones et al. | Oct 2020 | A1 |
| 20200327237 | Shakarian | Oct 2020 | A1 |
| 20200329062 | Beauchesne | Oct 2020 | A1 |
| 20200336497 | Seul et al. | Oct 2020 | A1 |
| 20200351285 | Eisenkot et al. | Nov 2020 | A1 |
| 20200351302 | Kyle | Nov 2020 | A1 |
| 20200351307 | Vidas et al. | Nov 2020 | A1 |
| 20200356665 | Denney | Nov 2020 | A1 |
| 20200358795 | Urbanski et al. | Nov 2020 | A1 |
| 20200358819 | Bowditch et al. | Nov 2020 | A1 |
| 20200364338 | Ducau | Nov 2020 | A1 |
| 20200372129 | Gupta | Nov 2020 | A1 |
| 20200380119 | Correa Bahnsen | Dec 2020 | A1 |
| 20200394309 | Angelo et al. | Dec 2020 | A1 |
| 20210006575 | McLean et al. | Jan 2021 | A1 |
| 20210012012 | Soroush | Jan 2021 | A1 |
| 20210034752 | Canada | Feb 2021 | A1 |
| 20210034753 | Canada | Feb 2021 | A1 |
| 20210034895 | Archibald | Feb 2021 | A1 |
| 20210067562 | Kinder et al. | Mar 2021 | A1 |
| 20210103663 | Gadhe | Apr 2021 | A1 |
| 20210109797 | Zhou | Apr 2021 | A1 |
| 20210112087 | Tassoumt | Apr 2021 | A1 |
| 20210112090 | Rivera et al. | Apr 2021 | A1 |
| 20210133320 | Havenga | May 2021 | A1 |
| 20210157926 | Handurukande | May 2021 | A1 |
| 20210157945 | Cobb | May 2021 | A1 |
| 20210160273 | Choi | May 2021 | A1 |
| 20210173930 | Dahal | Jun 2021 | A1 |
| 20210185057 | McLean | Jun 2021 | A1 |
| 20210192057 | Helfman | Jun 2021 | A1 |
| 20210194853 | Xiao | Jun 2021 | A1 |
| 20210216928 | O'Toole | Jul 2021 | A1 |
| 20210226926 | Crabtree | Jul 2021 | A1 |
| 20210226970 | Ross et al. | Jul 2021 | A1 |
| 20210258327 | Felke et al. | Aug 2021 | A1 |
| 20210273957 | Boyer | Sep 2021 | A1 |
| 20210281609 | Crabtree | Sep 2021 | A1 |
| 20210306372 | Koral | Sep 2021 | A1 |
| 20210312058 | Chiarelli | Oct 2021 | A1 |
| 20210312351 | Pourmohammad | Oct 2021 | A1 |
| 20210360007 | Paquin | Nov 2021 | A1 |
| 20210390181 | McClay | Dec 2021 | A1 |
| 20220004643 | Sloane | Jan 2022 | A1 |
| 20220014542 | Janakiraman | Jan 2022 | A1 |
| 20220021691 | Bhatkar | Jan 2022 | A1 |
| 20220038424 | Liu et al. | Feb 2022 | A1 |
| 20220043911 | Pomerantsev | Feb 2022 | A1 |
| 20220070182 | Bowditch et al. | Mar 2022 | A1 |
| 20220070193 | Konda | Mar 2022 | A1 |
| 20220078203 | Shakarian | Mar 2022 | A1 |
| 20220083644 | Kulshreshtha | Mar 2022 | A1 |
| 20220100868 | Tarrant | Mar 2022 | A1 |
| 20220159033 | Mizrahi | May 2022 | A1 |
| 20220179908 | Wei | Jun 2022 | A1 |
| 20220191230 | Morgan | Jun 2022 | A1 |
| 20220206819 | Pokam | Jun 2022 | A1 |
| 20220210656 | Shaw | Jun 2022 | A1 |
| 20220237764 | Mullet | Jul 2022 | A1 |
| 20220263850 | Colyandro, Jr. | Aug 2022 | A1 |
| 20220394034 | Keith | Dec 2022 | A1 |
| 20220400135 | Gamra | Dec 2022 | A1 |
| 20220407891 | Albanese | Dec 2022 | A1 |
| 20220414206 | Hinkle | Dec 2022 | A1 |
| 20230038196 | Labreche | Feb 2023 | A1 |
| 20230370486 | Paquette et al. | Nov 2023 | A1 |
| 20230421578 | Mullins et al. | Dec 2023 | A1 |
| Number | Date | Country |
|---|---|---|
| 3599753 | Jan 2020 | EP |
| 2738344 | Dec 2020 | RU |
| 2738344 | Dec 2020 | RU |
| WO2007002749 | Jan 2007 | WO |
| WO2007090605 | Aug 2007 | WO |
| WO2010059843 | May 2010 | WO |
| WO2021067238 | Apr 2021 | WO |
| Entry |
|---|
| International Search Report and the Written Opinion of the International Search Authority for PCT/US21/54090, mailed Jan. 27, 2022. |
| Buyukkayhan, Ahmet Sali; Oprea, Alina; Li, Zhou; and Robertson, William; “Lens on the endpoint; Hunting for malicious software through endpoint data analysis”; International Symposium on Research in Attacks, Intrusions, and Defenses; RAID 2017: Research in Attacks, Intrusions, and Defenses Proceedings; pp. 73-79; Sep. 18-20, 2017; Atlanta, GA, USA. |
| SECUREWORKS-Log Management-Protect your infrastructure from known and emerging threats; www.secureworks.com/resources/ds-log-management; 2015 (available). |
| Sofya Raskhodnikova & Adam Smith; CSE 598A Algorithmic Challenges in Data Privacy; Lecture 2; Jan. 19, 2010. |
| Afroz, S. and Greenstadt, R. “PhishZoo: Detecting Phishing Websites by Looking at Them”; IEEE Fifth International Conference on Semantic Computing, 2011; pp. 368-375; doi: 10.1109/ICSC.2011.52; 2011. |
| Alkhawlani, Mohammed, Elmogy, Mohammed and Elbakry, Hazem; “Content-based image retrieval using local features descriptors and bag-of-visual words”; International Journal of Advanced Computer Science and Applications, vol. 6 No. 9 2015; pp. 212-219; 2015. |
| Buber, E., Demir, O. and Sahingoz, O.K.; “Feature selections for the machine learning based detection of phishing websites”; 2017 International Artificial Intelligence and Data Processing Symposium (IDAP), 2017; pp. 1-5; doi: 10.1109/DAP.2017.8090317; 2017. |
| Lin, Tsung-Yi, et al.; “Microsoft coco: Common objects in context”; European Conference on Computer Vision, Springer, Cham, 2014; 2014. |
| Liu, Y., Wang, Q., Zhuang, M. and Zhu, Y .; Reengineering Legacy Systems with RESTFul Web Service; 2008 32nd Annual IEEE International Computer Software and Applications Conference, 2008; pp. 785-790; doi: 10.1109/COMPSAC.2008.89; 2008. |
| White, Joshua S., Matthews, Jeanna N., and Stacy, John L.; A method for the automated detection phishing websites through both site characteristics and image analysis Cyber Sensing 2012; vol. 8408; International Society for Optics and Photonics, 2012; 2012. |
| URLVoid; URLVoid.com; retrieved from archives.org: https:web.archive.org/web/20180730215132/https.://www.urlvoid.com/); Published Jul. 30, 2018. |
| Number | Date | Country | |
|---|---|---|---|
| 20230105087 A1 | Apr 2023 | US |
