Jiang Wang

US Patent:

20120297177, Nov 22, 2012

Filed:

Nov 15, 2011

Appl. No.:

13/296303

Inventors:

Anup K. Ghosh - Centerville VA, US
Kun Sun - Fairfax VA, US
Jiang Wang - Fairfax VA, US
Angelos Stavrou - Springfield VA, US

International Classification:

G06F 15/177

US Classification:

713 2

Abstract:

An interoperable firmware memory containing a Basic Input Output System (BIOS) and a trusted platform module (TPSM). The BIOS includes CPU System Management Mode (SMM) firmware configured as read-only at boot. The SMM firmware configured to control switching subsequent to boot between at least: a first memory and second isolated memory; and a first and second isolated non-volatile storage device. The first memory including a first operating system and the second memory including a second operating system. The first non-volatile storage device configured to be used by the first operating system and the second non-volatile storage device configured to be used by the second operating system. The trusted platform module (TPSM) configured to check the integrity of the CPU system Management Mode (SMM) during the boot process.

US Patent:

20200267173, Aug 20, 2020

Filed:

Feb 13, 2020

Appl. No.:

16/789973

Inventors:

- Fairfax VA, US
Yih HUANG - Fairfax VA, US
Jiang WANG - Fairfax VA, US
Angelos STAVROU - Springfield VA, US

Assignee:

George Mason Research Foundation, Inc. - Fairfax VA

International Classification:

H04L 29/06
G06F 21/55
G06F 9/455
G06F 21/53

Abstract:

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

US Patent:

20190158523, May 23, 2019

Filed:

Jan 17, 2019

Appl. No.:

16/250006

Inventors:

- Fairfax VA, US
Yih HUANG - Fairfax VA, US
Jiang WANG - Fairfax VA, US
Angelos STAVROU - Springfield VA, US

Assignee:

George Mason Research Foundation, Inc. - Fairfax VA

International Classification:

H04L 29/06
G06F 9/455
G06F 21/53
G06F 21/55

Abstract:

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

US Patent:

20180103053, Apr 12, 2018

Filed:

Dec 14, 2017

Appl. No.:

15/841913

Inventors:

- Fairfax VA, US
Yih HUANG - Fairfax VA, US
Jiang WANG - Fairfax VA, US
Angelos STAVROU - Springfield VA, US

Assignee:

George Mason Research Foundation, Inc. - Fairfax VA

International Classification:

H04L 29/06
G06F 21/55
G06F 21/53
G06F 9/455

Abstract:

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OSVM. A detection module operates under the guest OSVM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

US Patent:

20170302692, Oct 19, 2017

Filed:

Mar 15, 2017

Appl. No.:

15/459563

Inventors:

- Fairfax VA, US
Yih HUANG - Fairfax VA, US
Jiang WANG - Fairfax VA, US
Angelos STAVROU - Springfield VA, US

Assignee:

George Mason Research Foundation, Inc. - Fairfax VA

International Classification:

H04L 29/06
G06F 9/455
G06F 21/55
G06F 21/53
G06F 9/455

Abstract:

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

US Patent:

20160182540, Jun 23, 2016

Filed:

Jul 24, 2015

Appl. No.:

14/808681

Inventors:

- Fairfax VA, US
Yih HUANG - Fairfax VA, US
Jiang WANG - Fairfax VA, US
Angelos STAVROU - Springfield VA, US

Assignee:

GEORGE MASON RESEARCH FOUNDATION, INC. - Fairfax VA

International Classification:

H04L 29/06

Abstract:

Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.

US Patent:

20150195302, Jul 9, 2015

Filed:

Aug 22, 2014

Appl. No.:

14/466237

Inventors:

- Fairfax VA, US
Kun SUN - Fairfax VA, US
Jiang WANG - Fairfax VA, US
Angelos STAVROU - Springfield VA, US

Assignee:

GEORGE MASON RESEARCH FOUNDATION, INC. - Fairfax VA

International Classification:

H04L 29/06

Abstract:

A hardware-assisted integrity monitor may include one or more target machines and/or monitor machines. A target machine may include one or more processors, which may include one or more system management modes (SMM). A SMM may include one or more register checking modules, which may be configured to determine one or more current CPU register states. A SMM may include one or more acquiring modules, which may be configured to determine one or more current memory states. A SMM may include one or more network modules, which may be configured to direct one or more communications, for example of one or more current CPU register states and/or current memory states, to a monitor machine. A monitor machine may include one or more network modules and/or analysis modules. An analysis module may be configured to determine memory state differences and/or determine CPU register states differences.