Inventors list

Assignees list

Classification tree browser

Top 100 Inventors

Top 100 Assignees


Intrusion detection

Subclass of:

726 - Information security

726022000 - MONITORING OR SCANNING OF SOFTWARE OR DATA INCLUDING ATTACK PREVENTION

Patent class list (only not empty are listed)

Deeper subclasses:

Class / Patent application numberDescriptionNumber of patent applications / Date published
726024000 Virus detection 465
Entries
DocumentTitleDate
20130031633System and methods for adaptive model generation for detecting intrusion in computer systems - A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records.01-31-2013
20090222920MALWARE DETECTION SYSTEM AND METHOD - Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.09-03-2009
20130031632System and Method for Detecting Malicious Content - An intrusion prevention system receives a file, determines that the file does not correspond to an entry of a database, sends a request associated with the file to an intrusion prevention server responsive to determining that the file does not correspond to the entry, receives a reply from the intrusion prevention server, and provides an indication to a client system that the file includes the exploit responsive to the reply.01-31-2013
20130031631DETECTION OF UNAUTHORIZED DEVICE ACCESS OR MODIFICATIONS - Devices, methods and products are described that provide for recording an unauthorized event, such as rooting, on an information handling device. One aspect provides a method comprising determining whether at least one unauthorized event has occurred on an information handling device; setting at least one unauthorized event flag stored on the information handling device responsive to an unauthorized event; and allowing external access to the at least one unauthorized event flag. Other embodiments and aspects are also described herein.01-31-2013
20120204262METHOD FOR TRACKING MACHINES ON A NETWORK USING MULTIVARIABLE FINGERPRINTING OF PASSIVELY AVAILABLE INFORMATION - A method for tracking machines on a network of computers includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware finger print to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware finger print with the unknown host, and determining if the unknown host is the malicious host.08-09-2012
20090205045Bootstrap OS protection and recovery - A method, system, and computer program product for protecting a computer system provides bootstrap operating system detection and recovery and provides the capability to detect malware, such as rootkits, before the operating system has been loaded and provides the capability to patch malfunctions that block the ability of the computer system to access the Internet. A method for protecting a computer system includes reading stored status information indicating whether network connectivity was available the last time an operating system of the computer system was operational, when the stored status information indicates that network connectivity was not available, obtaining a software patch, and executing and applying the software patch.08-13-2009
20090199296DETECTING UNAUTHORIZED USE OF COMPUTING DEVICES BASED ON BEHAVIORAL PATTERNS - Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.08-06-2009
20100088766METHOD AND SYSTEM FOR DETECTING, BLOCKING AND CIRCUMVENTING MAN-IN-THE-MIDDLE ATTACKS EXECUTED VIA PROXY SERVERS - A method for detecting and blocking a Man-in-the-Middle phishing attack carried out on a client connection which has been fraudulently routed through an anonymous proxy server. An agent downloaded to the client device opens a client direct connection to the security host protecting against the attack and sends a client direct connection ID to the security host for validation. By comparing IP addresses correlated via the validated client direct connection ID, the security host determines whether the original connection is direct (secure) or indirect (attack via phishing proxy). The detection and blocking can be performed by the service provider's server or by a third-party validation server handling all security without additional requirements on the service provider server. In addition to detecting and blocking such attacks, methods for client direct connection ID, as well as automatic transparent and seamless attack circumvention and preemptive circumvention are disclosed.04-08-2010
20110191849SYSTEM AND METHOD FOR RISK RATING AND DETECTING REDIRECTION ACTIVITIES - A method in one example implementation includes sending a first request to a first network address on a first server and determining whether the first network address has been redirected on the server to a second network address. The method further includes searching a memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address. The method also includes providing a risk response to a client if a predetermined risk rating is found. In more specific embodiments, the risk response includes sending an alert to the client or blocking the client from accessing the second network address if the predetermined risk rating indicates the second network address is malicious. In other more specific embodiments, the first network address is redirected to one or more other network addresses before being redirected to the second network address.08-04-2011
20130086680SYSTEM AND METHOD FOR COMMUNICATION IN A NETWORK - A method for providing secure communication in an electrical power distribution network includes detecting an enhanced threat level in the electrical power distribution network. A threshold number of different configuration command shadows are received and processed to generate a configuration command data. A verified configuration command data is generated by comparing the configuration command data with a stored configuration commands and a verified configuration command related to the verified configuration command data is executed.04-04-2013
20130086682SYSTEM AND METHOD FOR PREVENTING MALWARE ON A MOBILE COMMUNICATION DEVICE - A server receives from a mobile communication device information about a data object (e.g., application) on the device when the device cannot assess the data object. The server uses the information along with other information stored at the server to assess the data object. Based on the assessment, the device may be permitted to access the data object or the device may not be permitted to access the data object. The other information stored at the server can include data objects known to be bad, data objects known to be good, or both.04-04-2013
20130086681PROACTIVE BROWSER CONTENT ANALYSIS - A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. And then the protection module analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it was speaking to an actual web server, when in fact, browser engine is speaking to an analysis engine of the protection module.04-04-2013
20130081137Simultaneous Determination of a Computer Location and User Identification - An apparatus including an intrusion detection arrangement and a location identification arrangement which ties digital information (i.e. transaction events such as parameters of information, database queries, transaction ranges, etc.) submitted to a computer system with the physical characteristics of the event such as the picture of the person(s) originating the information.03-28-2013
20130081141SECURITY THREAT DETECTION ASSOCIATED WITH SECURITY EVENTS AND AN ACTOR CATEGORY MODEL - Security events associated with network devices and an actor category model are stored (03-28-2013
20130081140METHODS AND SYSTEM FOR DETERMINING PERFORMANCE OF FILTERS IN A COMPUTER INTRUSION PREVENTION DETECTION SYSTEM - An intrusion prevention/detection system filter (IPS filter) performance evaluation is provided. The performance evaluation is performed at both the security center and at the customer sites to derive a base confidence score and local confidence scores. Existence of new vulnerability is disclosed and its attributes are used in the generation of new IPS filter or updates. The generated IPS filter is first tested to determine its base confidence score from test confidence attributes prior to deploying it to a customer site. A deep security manager and deep security agent, at the customer site, collect local confidence attributes that are used for determining the local confidence score. The local confidence score and the base confidence score are aggregated to form a global confidence score. The local and global confidence scores are then compared to deployment thresholds to determine whether the IPS filter should be deployed in prevention or detection mode or sent back to the security center for improvement.03-28-2013
20130081138RESPONDING TO IMPERMISSIBLE BEHAVIOR OF USER DEVICES - A device detects an impermissible behavior by a user device. The device further identifies a rule associated with the impermissible behavior and executes a response to the impermissible behavior based on the rule. The response restricts access of the user device to a service provided by or via a network device. The device also transmits, to the user device, a message that specifies the response. The device also verifies a termination of a cause of the impermissible behavior and restores the access of the user device to the service.03-28-2013
20130036470CROSS-VM NETWORK FILTERING - A security virtual machine inspects all data traffic between other virtual machines on a virtualization platform in order to prevent an inter-VM attack. Data traffic between the machines is intercepted at the privileged domain and directed to the security virtual machine via a hook mechanism and a shared memory location. The traffic is read by the security machine and analyzed for malicious software. After analysis, the security machine sends back a verdict for each data packet to the privileged machine which then drops each data packet or passes each data packet on to its intended destination. The privileged domain keeps a copy of each packet or relies upon the security machine to send back each packet. The security machine also substitutes legitimate or warning data packets into a malicious data package instead of blocking data packets. The shared memory location is a circular buffer for greater performance. Traffic is intercepted on a single host computer or between host computers.02-07-2013
20130036469DETECTING SUSPICIOUS NETWORK ACTIVITY USING FLOW SAMPLING - Methods, media, and computing devices for network security can include receiving flow sampled network traffic from multiple network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Alternatively, a suspicious network activity list can be maintained for flow sampled network traffic having source and destination ports exceptional to the list of approved ports. Alternatively, a network administrator can be alerted when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.02-07-2013
20130036468ANTI-PHISHING DOMAIN ADVISOR AND METHOD THEREOF - A method of anti-phishing and domain name protection. The method comprises capturing a system call sent to an operating system of a client by an application requesting an access to an Internet resource; extracting a URL included in the captured system call; capturing a response to the system call sent from operating system to the application; determining if the system call's response includes any one of a domain name system (DNS) error code and fake internet protocol (IP) address; checking the extracted URL against an anti-phishing blacklist to determine if the Internet resource is a malicious website; performing a DNS error correction action if any one of the DNS error code and the fake IP address was detected; and performing an anti-phishing protection action if the internet resource is determined to be a malicious website.02-07-2013
20130081139QUARANTINE NETWORK SYSTEM, SERVER APPARATUS, AND PROGRAM - A quarantine network system 03-28-2013
20130042322SYSTEM AND METHOD FOR DETERMINING APPLICATION LAYER-BASED SLOW DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK - A technology for defending a Distributed Denial-of-Service (DDoS) attack is provided. A system for determining an application layer-based slow DDoS attack may include a packet collecting unit to collect a packet in a network, a packet parsing unit to extract at least one header field from the collected packet, and a DDoS attack determining unit to determine whether a DDoS attack against the packet is detected, using a session table and a flow table.02-14-2013
20130042324SERVER BASED MALWARE SCREENING - An Internet infrastructure is provided to transfer a packet of data between a client device and source device. The infrastructure consists of a support server that screens the packet for malware codes on behalf of a registered client. In order to scan for malware, the support server contains hardware and/or software modules to perform malware detection and quarantine functions. The modules identify malware bit sequence in the packet(s), malware bit sequences or entire contaminated code is quarantined or repaired as appropriate. After identification of malware code (if any), the support server sends warning messages to affected parties, providing information regarding the malware codes that were detected.02-14-2013
20130042323HIGH AVAILABILITY FOR NETWORK SECURITY DEVICES - In one example, a backup intrusion detection and prevention (IDP) device includes one or more network interfaces to receive a state update message from a primary IDP device, wherein the state update message indicates a network session being inspected by the primary IDP device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data, a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets, and a control unit to statefully process only the application-layer data of the network session that include and follow the beginning of the new transaction.02-14-2013
20130036471System and Method for Rule Matching in a Processor - In one embodiment, a system includes a format block configured to receive a key, at least one rule, and rule formatting information. The rule can have one or more dimensions. The format block can be further configured to extract each of the dimensions from the at least one rule. The system can further include a plurality of dimension matching engines (DME). Each DME can be configured to receive the key and a corresponding formatted dimension, and process the key and the corresponding dimension for returning a match or nomatch. The system can further include a post processing block configured to analyze the matches or no matches returned from the DMEs and return a response based on the returned matches or nomatches.02-07-2013
20090158430Method, system and computer program product for detecting at least one of security threats and undesirable computer files - Method, system and computer program product for detecting at least one of security threats and undesirable computer files are provided. A first method includes receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process. The computer processes are implemented on one or more computers. The method further includes monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata. The whitelist describes legitimate application layer messages based on a set of heuristics. The method still further includes generating a signal if a security threat is detected. A second method includes comparing a set of computer files with a whitelist which characterizes all legitimate computer files. The whitelist contains one or more entries. Each of the entries describe a plurality of legitimate computer files.06-18-2009
20100107255Intrusion Detection Using MDL Compression - An intrusion masquerade detection system and method that includes a grammar inference engine. A grammar-based Minimum Description Length (MDL) compression algorithm is used to determine a masquerade based on a distance from a threshold in a model of an estimated algorithmic minimum sufficient statistic.04-29-2010
20100107254NETWORK INTRUSION DETECTION USING MDL COMPRESS FOR DEEP PACKET INSPECTION - A network intrusion detection system and method that includes a grammar inference engine. A grammar-based Minimum Description Length (MDL) compression algorithm is used to determine an attack based on closeness of fit to one or more compression models. The network intrusion detection system and method can determine zero day attacks.04-29-2010
20100107253MDL COMPRESS SYSTEM AND METHOD FOR SIGNATURE INFERENCE AND MASQUERADE INTRUSION DETECTION - An intrusion masquerade detection system and method that includes a grammar inference engine. A grammar-based Minimum Description Length (MDL) compression algorithm is used to determine a masquerade based on a distance from a threshold in a model of an estimated algorithmic minimum sufficient statistic.04-29-2010
20100107252COGNIZANT ENGINES: SYSTEMS AND METHODS FOR ENABLING PROGRAM OBSERVABILITY AND CONTROLABILITY AT INSTRUCTION LEVEL GRANULARITY - The present invention is directed to system for and methods of real time observing, monitoring, and detecting anomalies in programs' behavior at instruction level. The hardware assist design in this invention provides fine grained observability, and controllability. Fine grained observability provides unprecedented opportunity for detecting anomaly. Controllability provides a powerful tool for stopping anomaly, repairing the kernel and restoring the state of processing. The performance improvement over pure software approach is estimated to be many orders of magnitudes. This invention is also effective and efficient in detecting mutating computer viruses, where normal, signature based, virus detection is under performing.04-29-2010
20080301809SYSTEM AND METHOD FOR DETECTNG MALICIOUS MAIL FROM SPAM ZOMBIES - In recent years, the use of spam zombies has become a preferred method of sending spam. In fact, it is estimated that over 90% of all spam comes from spam zombies. Although existing spam zombie detection mechanisms such as the Spamhaus XBL blacklist exist, these techniques are limited in that they cannot block spam from newly created spam zombies. The present invention relates to a system and method for detecting malicious e-mails from spam zombies, the system comprising a processor operable to process a server identification value of a sending source by separating the value into one or more domain level terms to allow each unique term to be tokenized with an index value and to apply the one or more tokenized values as a learning feature in a learning algorithm trained to identify spam zombies.12-04-2008
20100095379METHOD AND APPARATUS FOR DETECTING MALICIOUS CODE IN AN INFORMATION HANDLING SYSTEM - A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.04-15-2010
20120167216METHOD AND APPARATUS HAVING RESISTANCE TO FORCED TERMINATION ATTACK ON MONITORING PROGRAM FOR MONITORING A PREDETERMINED RESOURCE - Exemplary embodiments include a method and system having resistance to a forced termination attack on a monitoring program for monitoring a predetermined resource. Aspects of the exemplary embodiment include a device that executes a predetermined process including a monitoring program that monitors a predetermined resource, wherein the predetermined process is a process for which the predetermined resource becomes unavailable in response to termination of the predetermined process; a program starting unit for starting the monitoring program in response to an execution of the predetermined process; and a terminator for terminating the predetermined process in the case where the monitoring program is forcibly terminated from the outside.06-28-2012
20120167214METHOD AND SYSTEM FOR CLOAKED OBSERVATION AND REMEDIATION OF SOFTWARE ATTACKS - A method and system provide security for a communication network and for one or more nodes within the network. Software can be distributed throughout the network from a centralized location or administrative console. The software can be made resident in the kernel of the operating system of a receiving node. The software can provide an observation functionality, an analysis functionality, a reporting functionality and a remediation functionality or some subset of those functionalities.06-28-2012
20130047255SYSTEM AND METHOD FOR INDIRECT INTERFACE MONITORING AND PLUMB-LINING - A method is provided in one example embodiment that includes monitoring a first interface, monitoring a second interface, and taking a policy action if the second interface is not executed before the first interface. In more particular embodiments, monitoring the second interface may include walking a call stack associated with the first interface. Moreover, a program context for calling code associated with the second interface may be identified and acted upon.02-21-2013
20090019545COMPUTER SECURITY METHOD AND SYSTEM WITH INPUT PARAMETER VALIDATION - A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.01-15-2009
20090307775IDENTIFYING FRAUDULENT ACTIVITIES AND THE PERPETRATORS THEREOF - A system for identifying perpetrators of fraudulent activity includes location logic for locating, extracting, or capturing identifying information from a client communication received from a client device. For example, the location logic may locate, or extract, a variety of message headers from an HTTP client request. The system may also include analyzer logic to analyze the identifying information, for example, by comparing the identifying information with previously captured identifying information from a previously received client communication. Finally, the system may include account identifier logic to identify user accounts associated with the previous client communication in which the same identifying information was extracted.12-10-2009
20090307774COMPUTER PERIPHERAL APPARATUS AND METHOD OF CONTROLLING THE SAME - A computer peripheral apparatus of this invention has a check step of checking whether received data is infected with a computer virus. If the received data satisfies a predetermined condition, the apparatus executes the check step before predetermined data processing. If the received data does not satisfy the predetermined condition, the apparatus executes the check step before the predetermined data processing.12-10-2009
20090307773SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.12-10-2009
20120192274System, Method, and Device for Storing and Delivering Data - A system and device includes a data storage that stores a use record and data readable by a platform processor at a platform. An executable controller executed from the data storage directs the relationship between the data storage and the platform processor. The platform processor reads the data and, optionally, generates and writes a use record to the data storage.07-26-2012
20120192273Malware detection - First data relating to a selected file is obtained. Based upon the first data it is determined if malware detection processing can be selected. Malware detection processing of the file is selected based upon said first data if it is determined that malware detection processing can be selected based upon the first data. If it is determined that, based upon the first data, malware detection processing cannot be selected based upon the first data, second data relating to the selected file is obtained and malware detection processing of the file is selected based upon said first and second obtained data. The selected malware detection processing is applied to said selected file. In an exemplary embodiment the first data is metadata and represents a faster scan of the file, and the second data is content of the file's header and represents a more in-depth scan of the file.07-26-2012
20120192272Mitigating multi-AET attacks - Aspects of the invention relate to a method of identifying a potential attack in network traffic that includes payload data transmitted to a host entity in the network. The method includes: performing a first data-check on one or more data bytes of the payload data at the host entity; performing a second data-check, equivalent to the first data-check, on data of the network equivalent to the one or more bytes of payload data; and comparing the results of the first and second data-checks to determine if there is a mismatch, the mismatch being an indication of a potential attack.07-26-2012
20130167231PREDICTIVE SCORING MANAGEMENT SYSTEM FOR APPLICATION BEHAVIOR - A system may be provided that comprises one or more servers to: receive information regarding known epitypes of malness, where the information includes malness scores and behaviors for the known epitypes of malness; store the information regarding the known epitypes of malness; generate rules for a model based on the information regarding the known epitypes of malness; input application data from an application on a device into the model; output a malness score from the model based on the application data; and allow the application and/or the device access to a network when the malness scores for the application is below a first threshold level, or block the application and/or the device access to the network when the malness score the application is above a second threshold level, where the first threshold level is less than the second threshold level.06-27-2013
20130167232EVENT DETECTION/ANOMALY CORRELATION HEURISTICS - A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.06-27-2013
20130167234Method for Processing Messages in a Communication Network Comprising a Plurality of Network Nodes - A method for processing messages in a communication network, wherein messages are transmitted between network nodes of the communication network, which are each combined with test information that is verifiable to determine whether a corresponding message is admissible, where an admissible message leads to a positive test result and an inadmissible message leads to a negative test result. For at least one message that is provided for a respective network node, an action coupled to the message is performed from the respective network node in time a message is received in the respective network node without checking the test information combined with the message, wherein, upon execution of the action, the test information is verified by the respective network node and, when the test result is negative, at least one predefined measure is performed.06-27-2013
20130061324SIGNATURE CHECKING USING DETERMINISTIC FINITE STATE MACHINES - The occurrence of false positives and the post-processing of digital streams subjected to examination by a deterministic finite state machine for character strings are reduced by combining location-based pattern matching, e.g. on packet headers, and content-based pattern matching, e.g. on payloads of packets. One scheme allows automatic transition from a header match state into an initial state of a content matching machine. Another scheme is based on a rules graph defining strings of match states and the examination of a list of match states (rather than characters) which have been previously determined, for example by means of header matching and content matching. The latter is also capable of comparing offset and depth values associated with the match states with offset and depth criteria.03-07-2013
20130061323SYSTEM AND METHOD FOR PROTECTING AGAINST MALWARE UTILIZING KEY LOGGERS - A software, system and methodology for protecting against malware key logger attacks that utilize, for example, form-grabbing techniques. The application protects the browser from key logging malware attacks, and the loss of critical user confidential information often entered into internet forms for the purpose of buying items or logging into financial institutions. An embodiment of a method for blocking form-grabbing attacks includes the following steps. Upon detecting a form submission event from the browser, and immediately after allowing the data to be properly submitted, the form input fields are cleared of data. The method prevents hook-based key loggers or form-grabbing key loggers from capturing form input data, thereby protecting the user from theft of passwords or credentials.03-07-2013
20130061322Systems and Methods for Detecting Design-Level Attacks Against a Digital Circuit - Systems and methods for detecting design-level attacks against a digital circuit which includes various functional units. A target unit is selected from among the functional units for monitoring and a predictor unit is arranged to receive events before they reach the target unit. A reactor unit is selected from among the functional units of the digital circuit which are arranged to receive events after they pass through the target unit. A monitor unit is arranged to receive predicted event messages from the predictor unit and actual event messages from the reactor unit. The monitor unit is configured to indicate an alarm based on a comparison of the predicted event messages received from the predictor unit and the actual event messages received from the reactor unit.03-07-2013
20110067105Operating System Sandbox - An operating system sandbox may include an operating system isolation module configured to restrict an operating system from transmitting machine-readable data and/or machine-readable instructions to an application, based on at least one predefined rule corresponding to abnormal operating system behavior.03-17-2011
20090300762Methods And Systems For Managing A Potential Security Threat To A Network - Methods, systems and computer readable mediums storing computer executable programs for managing a potential security threat to a network are disclosed. Network data received at a network system within a network is monitored at a network management system. A determination is made at the network management system regarding whether the network data received at the network system poses a potential security threat to the network. A threat type associated with the potential security threat is identified at the network management system based on the determination. A threat assessment system operable to evaluate the identified threat type is identified at the network management system. A command is issued from the network management system to the network system to mirror network data received at the network system to the identified threat assessment system.12-03-2009
20090293124Intrinsically Safe Remote Data Monitoring System and Monitoring Method Thereof - This invention refers to an intrinsically safe remote data monitoring system and a monitoring method for remote data monitoring by using such system. The monitoring system comprises a process control computer that monitors or controls the controlled process, a remote monitoring computer that remotely monitors the process control computer, a signal collecting device physically connected, without through network, with the process control computer, for acquiring data from the process control computer, a local monitoring computer (11-26-2009
20090293122METHOD AND SYSTEM FOR IDENTIFYING ENTERPRISE NETWORK HOSTS INFECTED WITH SLOW AND/OR DISTRIBUTED SCANNING MALWARE - Malware detection systems are presented in which a list is constructed of enterprise hosts to or from which each given enterprise network host sends or receives packets within a current measurement period and statistics are accumulated based on two or more measurement period lists, with a count value being derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets, and one or more monitored hosts may be identified as suspected of being infected with slow and/or distributed scanning malware for which the count value exceeds a threshold value.11-26-2009
20090271866System and Method for Protecting Against Malware Utilizing Key Loggers - A software, system and methodology for protecting against malware key logger attacks that utilize, for example, form-grabbing techniques. The application protects the browser from key logging malware attacks, and the loss of critical user confidential information often entered into internet forms for the purpose of buying items or logging into financial institutions. An embodiment of a method for blocking form-grabbing attacks includines the following steps. Upon detecting a form submission event from the browser, and immediately after allowing the data to be properly submitted, the form input fields are cleared of data. The method prevents hook-based key loggers or form-grabbing key loggers from capturing form input data, thereby protecting the user from theft of passwords or credentials.10-29-2009
20090271865METHOD AND DEVICE FOR DETECTING FLOOD ATTACKS - Disclosed is a flood attack detection method, wherein the total number of keywords of a source packet is acquired, and the number of feature parameters corresponding to the source packet is acquired. A ratio of the number of feature parameters to the total number of keywords is compared with a preset threshold, and if the ratio is greater than or equal to the preset threshold, it is determined that a flood attack occurs.10-29-2009
20090271864Containment of Rogue Systems in Wireless Network Environments - Methods, apparatuses and systems facilitating containment of the effects of rogue or unauthorized access points on wireless computer network environments. Embodiments of the present invention support one to a plurality of rogue containment methodologies. A first rogue containment type involves identification of the physical connection of the rogue access point to the wired network infrastructure and, thus, allows for disabling of that physical connection to contain the rogue access point. Other rogue containment methods involve wireless techniques for containing the effect of rogue access points. As discussed below, the rogue containment functionality described herein can be applied to a wide variety of wireless network system architectures.10-29-2009
20090271863Identifying unauthorized privilege escalations - Disclosed herein is a method and system of determining and/or managing potential privilege escalation attacks in a system or network comprising one or more potentially heterogeneous hosts. The step of configuration scanning optionally includes making a list of operating system specific protection mechanism on each host. Vulnerability scanning optionally includes the step of identifying the vulnerability position of each identified program. Transitive closure of all security attacks on the network and potential privilege escalations can be determined. A user interface optionally renders the potential privilege escalations as an appropriate representation. The method may include none or one or more of several pre-emptive mechanisms and reactive mechanisms. Further, the method may optionally include a mechanism for a periodic safety check on the system ensuring continued security on the network.10-29-2009
20130167233SYSTEMS, METHODS, AND MEDIA PROTECTING A DIGITAL DATA PROCESSING DEVICE FROM ATTACK - In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within virtual environment: receiving at least one attachment to an electronic mail; and executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs.06-27-2013
20120117647Computer Worm Curing System and Method and Computer Readable Storage Medium for Storing Computer Worm Curing Method - A computer worm curing system includes a string receiving module, a string generating module and a string replying module. The string receiving module receives an infected string, which is generated by a computer worm, from an infected host, which is infected by the computer worm, through a network. The infected string includes a shellcode, and the shellcode is executed utilizing a vulnerable process. The string generating module generates a curing code for curing the computer worm, and replaces the shellcode in the infected string with the curing code to generate a curing string, such that the curing string can be executed utilizing the vulnerable process. The string replying module replies the curing string to the infected host, such that the curing code of the curing string can be executed utilizing the vulnerable process of the infected host to cure the infected host of the computer worm.05-10-2012
20130067575DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS - Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.03-14-2013
20130067574FIGHT-THROUGH NODES FOR SURVIVABLE COMPUTER NETWORK - A survivable network is described in which one or more network device includes enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, and a hypervisor executing on each one of the processing units; and a plurality of virtual machines executing on each of the hypervisor. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication session with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines.03-14-2013
20110023120METHOD AND SYSTEM FOR CLEANING MALICIOUS SOFTWARE AND COMPUTER PROGRAM PRODUCT AND STORAGE MEDIUM - A method and a system for cleaning malicious software (malware), a computer program product, and a storage medium are provided. A relation graph is established to associate processes in an operating system and related elements. A node marking action is performed on the relation graph when a predetermined condition is satisfied. The node corresponding to a malicious process and its related nodes are marked with a first label. The nodes of other normal processes and their related nodes are marked with a second label. Then, those nodes marked with both the first label and the second label are screened, so that each of the nodes is marked with only the first label or the second label. Finally, the processes and elements corresponding to the nodes marked with the first label are removed.01-27-2011
20110023119TOPOLOGY-AWARE ATTACK MITIGATION - Techniques are disclosed for preventing malicious attacks or other exploits on a computer server. A network manager may be configured to determine a topology of a plurality of network devices and deploy an intrusion prevention system in one or more of the network devices to mitigate attacks against the vulnerable servers. The one or more network devices may be identified based on the topology and one or more constraints for optimizing the deployment of the intrusion prevention systems.01-27-2011
20110023118BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM - In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed.01-27-2011
20090241192VIRTUAL MACHINE CONFIGURATION SHARING BETWEEN HOST AND VIRTUAL MACHINES AND BETWEEN VIRTUAL MACHINES - In embodiments of the present invention improved capabilities are described for conserving computer resources by processing data through the use of a first virtual machine, causing the first virtual machine to share information about the processing of the data with a second virtual machine, and causing the second virtual machine to alter an activity as a result of the shared information, causing the host to share the information with a second virtual machine to alter an activity of the second virtual machine, causing the first virtual machine to share information about the action with a second virtual machine to alter a process of the second virtual machine, and the like.09-24-2009
20090013407INTRUSION DETECTION SYSTEM/INTRUSION PREVENTION SYSTEM WITH ENHANCED PERFORMANCE - A traffic inspection and filtering system (01-08-2009
20080295174Method and System for Preventing Unauthorized Access and Distribution of Digital Data11-27-2008
20080295173PATTERN-BASED NETWORK DEFENSE MECHANISM11-27-2008
20080295172Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks11-27-2008
20080295171Intrusion Detection System For Wireless Networks11-27-2008
20110041182 INTRUSION DETECTION AND NOTIFICATION - A device for use in a cellular communications system, the device being provided with means for inspecting traffic packets to and from users in the system and for a first classification of said packets according to predetermined rules. The device also comprises means for initiating a process for a user who is the destination or source of a packet which is classified in said first classification as belonging to a specific kind of traffic which has as one of its characteristics that the device cannot redirect the packet from its intended destination to another destination. The process is such that at a later point in time, when the user attempts to access a webpage, the user is redirected to a predefined webpage.02-17-2011
20100162398Method and apparatus for detecting shellcode insertion - A method of detecting malware present on a computer system where the computer system is running an application. The method comprises redirecting a function call, made by the application to a decoding function that performs decoding of an argument provided to it by an application, to a scanning function. The scanning function is then employed to scan an argument of the function call for suspect code or data. In the event that suspect code or data is detected, the function call is inhibited, otherwise program control is returned to the called decoding function.06-24-2010
20100235912Integrity Verification Using a Peripheral Device - A peripheral device includes an interface configured to communicate with a computer, the peripheral device; logic configured to perform an integrity verification of an operating system of the computer; and a display configured to display a result of the integrity verification. A method for integrity verification of a computer using a peripheral device includes connecting the peripheral device to the computer; sending a challenge from the device to the computer; computing attestation data using the challenge and information stored in the computer, retrieving the attestation data from the computer by a client program running on the computer; sending the attestation data to the peripheral device; and verifying the attestation data by the peripheral device.09-16-2010
20080209560Active intrusion resistant environment of layered object and compartment key (airelock) - A secure infrastructure system and method with user transparent signaling for communicating detection of signals at a network node having characteristics of a potential attack and for controlling communications at a node from another node in response to the user transparent signals. A processor is connected to routers and the network through an encryption engine and includes a manager object to issue control commands to nodes of a locally lower hierarchical tier and managed objects to detect potential attacks and exercise control over the routers responsive to signals from a node of a locally higher hierarchical tier. Faults or potential attacks are compartmentalized to a node or sector of the network and isolated while normal communications are continued over redundant network links.08-28-2008
20110283359Validating Visitor Internet-Based Security Threats - A validating server receives from a client device a first request that does not include a cookie for a validating domain that resolves to the validating sever. The first request is received at the validating server as a result of a proxy server redirecting the client device to the validating domain upon a determination that a visitor belonging to the client device is a potential threat based on an IP (Internet Protocol) address assigned to the client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain. The validating server sets a cookie for the client device, determines a set of characteristics associated with the first client device, and transmits the cookie and a block page to the client device that has been customized based on the set of characteristics, the block page indicating that the second request has been blocked.11-17-2011
20110283358METHOD AND SYSTEM TO DETECT MALWARE THAT REMOVES ANTI-VIRUS FILE SYSTEM FILTER DRIVER FROM A DEVICE STACK - A method for detecting removal of a filter driver includes performing an operation on an element of a kernel mode of an operating system, the operation initiated by a user mode entity, obtaining the result of performing the operation, and comparing the result of performing the operation against an expected result of the operation. If the result of performing the operation matches the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system is working correctly. If the result of performing the operation does not match the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system has been compromised by malware.11-17-2011
20090031421METHOD OF INTRUSION DETECTION IN TERMINAL DEVICE AND INTRUSION DETECTING APPARATUS - A method of intrusion detection in a terminal device that supports driving of a plurality of operating systems, is provided. The method includes collecting at a first operating system of the plurality of operating systems intrusion detection data for analyzing whether there is an intrusion in at least a second operating system of the plurality of operating systems; and performing at the first operating system an intrusion detection with respect to the at least a second operating system using the collected intrusion detection data.01-29-2009
20090094697INTRUSIVE SOFTWARE MANAGEMENT - Landing pages associated with advertisements are partitioned into training landing pages and testing landing pages. Iterative training and testing of a classification mode on intrusion features of the partitioned landing pages is conducted until the occurrence of a cessation event. Feature weights are derived from the iterative training and testing, and are associated with the intrusion features. The associated feature weights and intrusion features can be used to classify other landing pages.04-09-2009
20090106838Blocking Intrusion Attacks at an Offending Host - A method, apparatus, and program product are provided for protecting a network from intrusions. An offending packet communicated by an offending host coupled to a protected network is detected. In response to the detection, a blocking instruction is returned to the offending host to initiate an intrusion protection operation on the offending host, where the blocking instruction inhibits further transmission of offending packets by the offending host. At the offending host, a blocking instruction is received with a portion of an offending packet. The offending host verifies that the offending packet originated from the host. In response to the verification of the offending packet originating from the host, an intrusion protection operation is initiated on the host thereby inhibiting transmission of a subsequent outbound offending packet by the host.04-23-2009
20110302654METHOD AND APPARATUS FOR ANALYZING AND DETECTING MALICIOUS SOFTWARE - A method for providing analysis and detection of malicious software may include directing a comparison of patterns within sample code to a predetermined set of malicious software patterns, determining whether the sample code is likely to be malicious software based on the comparison, and, in response to a determination that the sample code is likely to be malicious software, determining a malicious software cluster with which the sample code is associated based on the patterns within the sample code. A corresponding computer program product and apparatus are also provided.12-08-2011
20080276316Intrusion detection strategies for hypertext transport protocol - A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.11-06-2008
20110173698MITIGATING FALSE POSITIVES IN MALWARE DETECTION - An anti-malware system that reduces the likelihood of detecting a false positive. The system is applied in an enterprise network in which a server receives reports of suspected malware from multiple hosts. Files on hosts suspected of containing malware are compared to control versions of those files. A match between a suspected file and a control version is used as an indication that the malware report is a false positive. Such an indication may be used in conjunction with other information, such as whether other hosts similarly report suspect files that match control versions or whether the malware report is generated by a recently changed component of the anti-malware system.07-14-2011
20090282481METHODS, HARDWARE PRODUCTS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING INTROSPECTION DATA COMPARISON UTILIZING HYPERVISOR GUEST INTROSPECTION DATA - Introspection data comparison is implemented utilizing hypervisor guest introspection data. A hypervisor shim on a hypervisor is used to construct one or more workload management components that are independent from a participating pool member of a pool comprising a guest having a guest memory and a guest operating system. The hypervisor collects a first set of data. The guest sends a second set of data comprising guest memory data from the guest memory. The first set of data is compared with the second set of data to detect at least one of a potential security intrusion or an anomalous deviation between the first set of data and the second set of data. A policy manager takes action based upon a result of the comparison of the first and second sets of data.11-12-2009
20110296525Malware scanning - According to a first aspect of the present invention there is provided a method of scanning a computer system for malware. The method includes determining when an application being executed on the computer system is attempting to open a file, adding data written to the open file by the application into a malware scanner queue, and ensuring that the application has been notified that the file has been closed before scanning the queued file data to determine if it relates to potential malware.12-01-2011
20100169973System and Method For Detecting Unknown Malicious Code By Analyzing Kernel Based System Actions - There is provided a system and method for detecting unknown malicious code by analyzing kernel based system actions. More particularly, the system and method provides an advantage of actively countering unknown malicious code or viruses by monitoring kernel based system events in real time, organizing action data based on the collected event data, determining whether the action data corresponds to predetermined malicious actions, backtracking a subject of a malicious action when the action data is determined to correspond to the malicious action, and processing the malicious action.07-01-2010
20100169972SHARED REPOSITORY OF MALWARE DATA - Various principles for maintaining a shared repository of authorization scanning results, which may be populated with results of authorization scans of particular files (and other content units) as well as a signature for those particular files. When a particular file is to be scanned by a client computing device to determine whether it contains unauthorized software, a signature for the file may be calculated and provided to the shared repository. If the repository has a result for that file—as indicated by a signature for the file being present in the repository—the result in the repository may be provided to the client computing device that issued the query, and the client computing device may accept the answer in the shared repository. If the result is not in the repository (i.e., the file has not been scanned), then the file may be scanned, and a result may be placed in the repository.07-01-2010
20100169971METHODS FOR USER PROFILING FOR DETECTING INSIDER THREATS BASED ON INTERNET SEARCH PATTERNS AND FORENSICS OF SEARCH KEYWORDS - Disclosed are methods for user profiling for detecting insider threats including the steps of: upon a client application sending a request for a link, extracting at least one search keyword from a search session associated with the request; classifying the link into at least one classification; determining whether at least one classification is a monitored classification; capturing search elements of search sessions associated with the monitored classification; acquiring usage data from the search elements to create a user profile associated with a user's search behavior; and performing a statistical analysis, on a search frequency for the monitored classification, on user profiles associated with many users. Preferably, the method includes: designating a profile as suspicious based on the statistical analysis exceeding a pre-determined threshold value, wherein the pre-determined threshold value is based on an expected search frequency for the profile and each respective grade for at least one risk-assessment dimension.07-01-2010
20100269178Detecting Surreptitious Spyware - Tools and techniques are provided for detecting a particular type of spyware. Network activities and user update activities are monitored automatically, and the results are analyzed to identify related processes which perform network transmissions without performing substantive user updates. These processes are identified to a user and/or an administrator as potential spyware, and are then quarantined or otherwise handled based on instructions received from the user or administrator. In some cases, the monitoring and analysis begins with selection of a group of processes to monitor, while in other cases it begins with monitoring of network and/or user update activities in order to narrow the group of suspect processes. Devices, configured media, and method products are also described.10-21-2010
20130219500NETWORK INTRUSION DETECTION IN A NETWORK THAT INCLUDES A DISTRIBUTED VIRTUAL SWITCH FABRIC - A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.08-22-2013
20110219452Method and Apparatus for Network Intrusion Detection - The current invention discloses a method and apparatus to detect and mitigate network intrusion by collecting a first log of wireless network traffic in the vicinity of an area and a second log of network traffic from a switch port connected to the area; pre-processing the logs; and then detecting the presence of unauthorized access points (APs) by attempting to identify matching patterns in the pre-processed first and second logs.09-08-2011
20110219451System And Method For Host-Level Malware Detection - According to one embodiment, a computer-implemented method includes: accessing a set of configuration parameters, accessing a set of identifiers of files known not to be malware, and accessing a set of identifiers of files known to be malware. Further, the method includes: comparing a first file to the set of configuration parameters, determining that a first hash of the first file is not in the set of identifiers of files known not to be malware and that the first hash is not in the set of identifiers of files known to be malware, and sending the at least one file and information related to the at least one file to be analyzed for malware. The method includes deleting the set of configuration parameters, the set of identifiers of files known not to be malware, and the set of identifiers of files known to be malware after sending the first file.09-08-2011
20110219450System And Method For Malware Detection - According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.09-08-2011
20110219448SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS - Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display.09-08-2011
20110271343APPARATUS, SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE - Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code.11-03-2011
20110271341BEHAVIORAL SIGNATURE GENERATION USING CLUSTERING - A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.11-03-2011
20130219499APPARATUS AND METHOD FOR PROVIDING SECURITY FOR VIRTUALIZATION - Provided is a security providing method based on a security breach in a security providing apparatus in which a physical device is virtualized so that a virtual machine monitor operates and is capable of working in a main domain and one or more sub domains. The method includes repairing sub domains experiencing security breaches; and updating security modules of the sub domains.08-22-2013
20130219501MALICIOUS CODE REAL-TIME INSPECTING DEVICE IN A DRM ENVIRONMENT AND RECORDING MEDIUM FOR RECORDING A PROGRAM TO EXECUTE A METHOD THEREOF - Disclosed are a malicious code real-time inspecting device in a DRM environment and a recording medium for recording a program to execute a method thereof. A DRM module performs decryption and encryption during file reading/writing operations through a handle after confirming user rights relating to a file on the basis of a handle of a file having DRM applied when an execute command is inputted, outputs an inspection request message including a handle and a path of a file, and determines whether to perform an open operation of a file according to a malicious code inspection result on a file. A malicious code inspecting module inspects whether an original file, which is to be decrypted and read by the DRM module, is infected by malicious code or not on the basis of a handle and a path of a file in an inspection request message delivered from an interface module. According to the present invention, whether a document encrypted with DRM applied is infected by malicious code is inspected and treated in real-time.08-22-2013
20090320131Method and System for Preventing Malicious Communication - A method and a system for preventing malicious communication are disclosed. The system comprises a safe module set with a specific Internet Protocol address and a Time to Live threshold value of the specific IP address to determine whether a malicious communication exists. If the malicious communication exists, the safe module can re-direct the malicious communication to a recording module of the system for recording the content of the malicious communication.12-24-2009
20090126018PASSWORD EXPIRATION BASED ON VULNERABILITY DETECTION - Illustrative embodiments provide a computer implemented method, a data processing system and a computer program product for password expiration based on vulnerability detection. The computer implemented method comprises receiving a request for a password after re-activating a user account and requesting a password generator, to create a hashed password. The method further comprises comparing the hashed password to a previously created password of a user, to determine a match entry. Responsive to determining a match entry, expiring an account of the user with respect to the match entry.05-14-2009
20090126019NETWORK-BASED INFECTION DETECTION USING HOST SLOWDOWN - Host malware (or change) may be detected by (1) receiving baseline set of response time information for each of one or more transactions involving (A) the host and (B) at least one peer of the host, (2) determining or receiving a later set of response time information for each of the one or more transactions involving the host and the at least one peer of the host, and (3) determining whether or not host slowdown has occurred using the baseline set of response time information and the later set of response time information. The execution of a host malware (or change) protection policy may be controlled using at least the determination of whether or not host slowdown has occurred.05-14-2009
20100132039SYSTEM AND METHOD TO SELECT MONITORS THAT DETECT PREFIX HIJACKING EVENTS - Method, system and computer-readable medium to select monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix are disclosed. The method includes assigning each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters. Each of the candidate prefix hijack monitors is associated with an autonomous system (AS) that indicates an AS path of autonomous systems (ASes) from the AS to a destination prefix associated with a destination AS. The method further includes iteratively merging a pair of clusters with a highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters. The method also includes ranking each candidate prefix hijack monitor of each of the processed number of clusters according to a route type from an AS associated with the candidate prefix hijack monitor and an AS distance from the AS associated with the candidate prefix hijack monitor to the destination AS. Yet further, the method includes determining a highest ranked candidate prefix hijack monitor of each of the processed number of clusters.05-27-2010
20120110666DETECTING SURREPTITIOUS SPYWARE - Tools and techniques are provided for detecting a particular type of spyware. Network activities and user update activities are monitored automatically, and the results are analyzed to identify related processes which perform network transmissions without performing substantive user updates. These processes are identified to a user and/or an administrator as potential spyware, and are then quarantined or otherwise handled based on instructions received from the user or administrator. In some cases, the monitoring and analysis begins with selection of a group of processes to monitor, while in other cases it begins with monitoring of network and/or user update activities in order to narrow the group of suspect processes. Devices, configured media, and method products are also described.05-03-2012
20120110665Intrusion Detection Within a Distributed Processing System - A computer implemented method monitors activity within a device driver layer of a computer. An arrival rate is identified within a device driver for the node. The arrival rate is a rate at which packets arrive at a network adapter of the node from all other nodes within a network. If the arrival rate exceeds at least one threshold, the node undergoes a state change. The at least one threshold delineates between a plurality of states for the node.05-03-2012
20100122344SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.05-13-2010
20110197277SYSTEM AND METHOD FOR PRIORITIZING COMPUTERS BASED ON ANTI-MALWARE EVENTS - Tracking malware state information assigned to computers in an enterprise network is described. A computer may transition from a current malware state to a new malware state in accordance with a plurality of stored rules and detection of an anti-malware event on the computer. Examples of anti-malware events include, but are not limited to, detection of new malware on the computer or cleaning of the computer. The malware state information for computers on the network may be mapped to a risk level representing an amount of risk that infected computers present to other computers on the network. The results of a risk level assessment for the computers on the network may be output via a user interface to enable an administrator of the network to prioritize servicing of computers with detected malware.08-11-2011
20090144825Chipset based cheat detection platform for online applications - In general, in one aspect, an interface chipset includes at least one interface to receive user commands from input devices, filters to monitor the received user commands and to copy the user commands associated with at least a subset of the input devices, and an isolated execution environment. The isolated execution environment is to provide a secure communication link between an on-line application and a remote service provider. The isolated execution environment is also to detect at least some subset of user command modifications, on-line application code modifications, and on-line application process flow modifications. The isolated execution environment is further to notify the remote service provider when a modification is detected via the secure communication link.06-04-2009
20100281539DETECTING MALICIOUS NETWORK SOFTWARE AGENTS - This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.11-04-2010
20100325728SYSTEM FOR POLICING JUNK E-MAIL MESSAGES - A system for policying an unsolicited e-mail communication. The system has a plurality of clients, each coupled together using a wide area network of computers, such as the Internet or an interne. Each of the clients is adapted to send an indication of an unsolicited e-mail message through an e-mail device for a display. The system also has a policying server coupled to each of the plurality of clients through the wide area network of computers. The policying server is adapted to receive the indication from at least one of the clients. The e-mail device comprises an SPAM icon on the display. The SPAM icon is adapted to send the indication from the client to the policying server.12-23-2010
20100122343Distributed Sensor for Detecting Malicious Software - Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s)operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OSVM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.05-13-2010
20120036578TRACING TRAITOR COALITIONS AND PREVENTING PIRACY OF DIGITAL CONTENT IN A BROADCAST ENCRYPTION SYSTEM - Embodiments of the invention relate to finding coalitions of receivers who collude to produce pirated protected content, then evaluates the confidence that particular members of each identified coalition are traitors versus innocent receivers incriminated by chance. Typically, each file in a group of original files is modified to include variations of critical file segments. The group of files is then broadcast with individualized codes that enable particular authorized receivers to properly process the modified files. The modifications in a pirated version of a file can identify which traitorous receivers contributed to its piracy. Candidate coalitions of differing size are first evaluated to determine if they cover observed file variations with greater than a predetermined likelihood that an innocent coalition is falsely incriminated by chance. Individual members of satisfactory coalitions are then evaluated. Traitors may be cryptographically revoked.02-09-2012
20120036576APPARATUS AND METHOD FOR DEFENDING AGAINST INTERNET-BASED ATTACKS - A system for defending against internet-based attacks is disclosed. The system may include an electronic data processor which may be configured to receive information associated with a device when a web request is transmitted by the device to access a web page monitored by the electronic data processor. The processor may also determine whether traffic associated with the web request from the device is suspected of being used for malicious activity and, if not, enable the device to access the web page. If the traffic is suspected of being used for malicious activity, then the processor may transmit a challenge to the device if the traffic is determined to be suspected. Furthermore, the processor may receive information associated with the web request, which may be provided by a uniform resource locator invoked in response to the traffic being determined to be suspected. The processor may also deny the device access to the web page based on a variety of factors.02-09-2012
20100088767TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM - A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.04-08-2010
20110173699NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION - A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.07-14-2011
20100083379INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE RECORDING MEDIUM - An example of a device comprises a storage which stores data which is input from outside and to which tracking information is added, a section which detects a first reading event of first data from the storage to which the tracking information is added, a section which detects, after the first reading event, a first writing event to part of character string data to the storage, a section which detects, after the first writing event, a second reading event of second data from the storage to which the tracking information is added, a section which detects, after the second reading event, a second writing event to part of the character string data to the storage, and a section which adds, when the first reading/writing event, second reading/writing event are detected, the tracking information to data to be written to the storage by the first and second writing event.04-01-2010
20100083378Contextual Alert Of An Invasion Of A Computer System - Methods, systems, and computer-readable media for providing contextual feedback to a user of a computer system upon detection of an invasion of the computer system are provided herein. An invasion of the computer system is detected and a contextually appropriate alert is selected from a set of alerts. The alert is played immediately upon detection of the invasion so that the user is alerted to the invasion within close temporal proximity to the user's action that resulted in the invasion of the computer system. In addition, details of the invasion are logged to a diagnostic log file for later use by support personnel in repairing the computer system.04-01-2010
20090276851DETECTING MALICIOUS BEHAVIOR IN A SERIES OF DATA TRANSMISSION DE-DUPLICATION REQUESTS OF A DE-DUPLICATED COMPUTER SYSTEM - The present invention provides a method and system of detecting malicious behavior in a series of data transmission de-duplication requests of a de-duplicated computer system. In an exemplary embodiment, the method and system include, (1) if the series includes at least one particular de-duplication request for particular data and a reply to the particular request that the system does not have the particular data, processing at least one subsequent response and (2) determining the existence of the behavior from the at least one subsequent response.11-05-2009
20090138971Detecting Intrusion by Rerouting of Data Packets in a Telecommunications Network - The invention proposes detection of man-in-the-middle intrusion between an entity (CL) and an access point (AP) of a network, in particular a network according to the IEEE-802.11 standard. To this end it proposes the following steps: a) reading frame bodies (FRA-i, . . . , FRA-i+3) transmitted between the entity and the access point, b) detecting frames (FRA-i, FRA-i+2) transmitted at respective different times but having identical frame bodies (fb), and c) triggering an alarm in the event of positive detection in the step b).05-28-2009
20090064332METHOD AND APPARATUS FOR GENERATING HIGHLY PREDICTIVE BLACKLISTS - In one embodiment, the present invention is a method and apparatus for generating highly predictive blacklists. One embodiment of a method for generating a blacklist of network addresses for a user of a network includes collecting security log data from users of the network, the security log data identifying observed attacks by attack sources, assigning the attack sources to the blacklist based on a combination of the relevance each attack source to the user and the maliciousness of the attack source, and outputting the blacklist.03-05-2009
20100281541Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems - Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.11-04-2010
20100125911Risk Scoring Based On Endpoint User Activities - Disclosed herein is a computer implemented method and system for ranking a user in an organization based on the user's information technology related activities and arriving at an end risk score used for determining the risk involved in activities performed by the user and for other purposes. Group risk ranking profiles and security policies for usage of the organization's resources are created. The user is associated with one or more group risk ranking profiles. A security client application tracks the user's activities. Points are assigned to the user's tracked activities based on each of the associated group risk ranking profiles. The assigned points are aggregated to generate a first risk score. The assigned points of the user's tracked activities are modified at different levels based on predefined rules. The modified points are aggregated to generate the end risk score which is used for compliance and governance purposes, optimizing resources, etc.05-20-2010
20090187989System and method for controlling abnormal traffic based on fuzzy logic - A system for controlling abnormal traffic based on a fuzzy logic includes: an intrusion detection module for analyzing packets incoming from a network interface by means of a membership function defined based on a specific period of time, and outputting a fuzzy value representing a degree of a port scan attack; a fuzzy control module for recognizing the degree of the port scan attack based on the fuzzy value and outputting a control signal for traffic control according to the recognized degree of the port scan attack; and an intrusion blocking module for receiving the control signal and controlling the traffic with the network interface.07-23-2009
20120291130Contextual Alert of an Invasion of a Computer System - Methods, systems, and computer-readable media for providing contextual feedback to a user of a computer system upon detection of an invasion of the computer system are provided herein. An invasion of the computer system is detected and a contextually appropriate alert is selected from a set of alerts. The alert is played immediately upon detection of the invasion so that the user is alerted to the invasion within close temporal proximity to the user's action that resulted in the invasion of the computer system. In addition, details of the invasion are logged to a diagnostic log file for later use by support personnel in repairing the computer system.11-15-2012
20120291129DETECTING WEB BROWSER BASED ATTACKS USING BROWSER DIGEST COMPUTE TESTS LAUNCHED FROM A REMOTE SOURCE - The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.11-15-2012
20100281540DETECTION OF CODE EXECUTION EXPLOITS - Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode.11-04-2010
20080320592METHOD AND SYSTEM FOR CLOAKED OBSERVATION AND REMEDIATION OF SOFTWARE ATTACKS - A method and system provide security for a communication network and for one or more nodes within the network. Software can be distributed throughout the network from a centralized location or administrative console. The software can be made resident in the kernel of the operating system of a receiving node. The software can provide an observation functionality, an analysis functionality, a reporting functionality and a remediation functionality or some subset of those functionalities.12-25-2008
20090288165METHODS AND APPARATUS FOR INTRUSION PROTECTION IN SYSTEMS THAT MONITOR FOR IMPROPER NETWORK USAGE - Methods and apparatus for intrusion protection in systems that monitor for improper network usage are disclosed. An example method to protect a service platform comprises detecting responses from the service platform indicative of questionable signaling protocol transactions. The example method further comprises storing transaction records corresponding to questionable signaling protocol transaction records with at least one of the transaction records identifying a signaling protocol message including an associated originating device address corresponding to a respective questionable transaction record. Additionally, the method comprises determining whether the originating device address is associated with an improper intrusion of the service platform based on at least one on the transaction records corresponding to the originating device address.11-19-2009
20080295175PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS11-27-2008
20090276853FILTERING INTRUSION DETECTION SYSTEM EVENTS ON A SINGLE HOST - Embodiments disclosed herein describe a method to determine consequences of a privilege escalation alert from an intrusion detection system, the method comprising the steps of obtaining privilege escalation alert from the intrusion detection system and analyzing said privilege escalation alert information. The analysis further comprises of identifying the program affected by said privilege escalation alert and determining if it can be circumvented. The users affected by said privilege escalation alert and the transitive effects of said privilege escalation alert are identified.11-05-2009
20090282482Active Computer System Defense Technology - Active computer system defense techniques can include sending disruptive communications to attackers, where the disruptive communications include random data elements which could potentially interfere with the operation of an attacking system. Such computer system defense techniques can also be augmented to automatically optimize the disruptive communications sent to the attackers.11-12-2009
20090288166SECURE APPLICATION STREAMING - A server includes a scanning module for determining whether an application is free of malware, a module for packaging the application into blocks for delivery via application streaming, a module for providing the blocks to a client on request, and a module for adding to each block an indication of whether the associated application has already been determined to be free of malware. A client includes a module for requesting blocks of a streamed application from the server. When the client receives a block, it employs a module for verifying that the associated applications have been determined to be free of malware by examining the indication provided by the server. If verification is successful, then the block's code is executed without first receiving and scanning any additional blocks from the server.11-19-2009
20090288167SECURE VIRTUALIZATION SYSTEM SOFTWARE - Systems and methods for protecting a virtualization environment against malware. The methods involve intercepting an event in a kernel mode of the virtualization environment, suspending execution of the event, and transmitting the event to a user mode security module that determines whether the event should be blocked, allowed, or redirected. Events may be intercepted from any level of the virtualization environment, including an interrupt request table, device driver, OS object manager, OS service dispatch table, Portable Execution (P/E) import/export table, or binary code, among others. In one embodiment, an event may trigger a chain of related events, such that interception of an event without first intercepting an expected antecedent event is one indication of malware. The method also involves securing a virtual storage device against unauthorized access and providing for secure communication between guest OS and virtualization environment security modules.11-19-2009
20120297481SYSTEMS, METHODS, AND APPARATUS FOR NETWORK INTRUSION DETECTION - Systems, methods, and apparatus for network intrusion detection are provided. A device configured to facilitate intrusion detection may include at least one memory and at least one processor. The at least one memory may be configured to store an application that facilitates inspection of communications received by or transmitted by the device. The at least one processor may be configured to access the at least one memory and execute the application to (i) identify a device type associated with the device; (ii) determine, based at least in part upon the identified device type, a list of acceptable content; (iii) analyze, based at least in part upon the determined list, the content of a communication associated with the device; and (iv) determine, based at least in part upon the analysis, whether the content is acceptable content.11-22-2012
20100138922Methods, Systems, and Products for Secure Access to File System Structures - Methods, systems, and products are disclosed for securing access to a file system. A directory is established in a hierarchical file structure having access permission defined by a first owner. A subdirectory is established in the directory. A sub-level subdirectory is established in the subdirectory having access permissions defined by a second owner. The subdirectory is publically accessible to anyone satisfying the access permission defined by the first owner, such that a change directory system call is executed for a user in the subdirectory, even though the user has not authenticated the access permission defined by the second owner.06-03-2010
20090119775SYSTEM FOR REAL-TIME DETECTION OF COMPUTER SYSTEM FILES INTRUSION - A system for detecting real-time system file intrusions in a user computer that is coupled to an administrator computer and includes an operating system and system files. At a boot time of the user computer, an application program interface (API) of the operating system receives a list of vital system files that consists of at least two directory files. At the boot time, one of more daemons are launched, after which the API detects one or more system calls made to one or more vital system files. The API raises an automatic interrupt ‘I’ command that awakens a daemon from a sleep mode. The awakened daemon catches the interrupt ‘I’ command and sends an alert message to the administrator computer to alert the administrator computer of the detecting of the system call made to the one or more vital system files.05-07-2009
20090119774NETWORK IMPLEMENTED CONTENT PROCESSING SYSTEM - In the present invention, a data processing device for processing streams of network borne data includes content inspection logic configurable to perform pattern matching functions on a received content stream and output match data, and a microengine for executing computer coded instructions, the microengine being coupled to the content inspection logic for configuring the pattern matching function of the content inspection unit in respect of a particular processing job for the received content stream and for processing the content stream independence on the match data. The microengine is adapted to reconfigure dynamically the content inspection logic in dependence on the match data thereby to modify the pattern matching function performed by the content inspection logic on the content stream during the course of a processing job. The present invention provides a novel architecture and method for processing content as it flows through a network. The processing of content includes parsing, analysing, modifying and controlling the delivery of a content stream using a number of pattern matching techniques. Importantly, the present invention makes it possible to adjust the parameters of the pattern matching search as the search progresses through the content stream.05-07-2009
20120297484DETECTING A COMPROMISED ONLINE USER ACCOUNT - One or more techniques and/or systems are disclosed for detecting and/or mitigating a potentially compromised online user account. One or more baselines can be established for a user's online account to determine a normal usage pattern for the account by the user (e.g., frequency of incoming/outgoing emails, text messages, etc.). The online user account can be periodically or continually monitored for use of the same resources used to determine the baseline(s). If a deviation from the baseline is detected, the deviation may be compared against a threshold to determine whether the deviation indicates that the account may be compromised. When an indication of a potentially compromised account is detected, the user can be notified of the indication, so that one or more actions can be taken to mitigate the potentially compromised account.11-22-2012
20120297485INFORMATION PROCESSING DEVICE AND INFORMATION PROCESSING METHOD - To improve the responsiveness of a system call process without compromising safety, an information processing device according to the present invention includes: an application identification unit configured to identify a program being executed in the information processing device, by acquiring the application identifier; a caller identification unit configured to identify a caller indicating a portion of the program from which a program code is called when the identified program calls the program code; a checked-application management unit configured to manage a check result which is information including a result of previous check for safety of executing the identified program; and an attack check determination unit configured to determine, based on the identified caller and the check result, whether a check if the identified program is under attack is to be made.11-22-2012
20120297483SYSTEMS, METHODS, AND APPARATUS FOR NETWORK INTRUSION DETECTION BASED ON MONITORING NETWORK TRAFFIC - Systems, methods, and apparatus for network intrusion detection are provided. A device may include at least one memory and at least one processor. The at least one memory may be configured to store computer-executable instructions that facilitate traffic inspection of communications received by the device. The at least one processor may be configured to access the at least one memory and execute the computer-executable instructions to (i) identify a communications interface associated with at least one received communication; (ii) determine one or more network traffic parameters associated with a network traffic profile for the communications interface; (iii) evaluate, based at least in part upon the one or more network traffic parameters, the at least one communication received by the device; and (iv) determine, based at least in part upon the evaluation, whether the at least one communication satisfies the traffic profile.11-22-2012
20080276319Real-time user awareness for a computer network - A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in.11-06-2008
20080276318Spam detection system based on the method of delayed-verification on the purported responsible address of a message - A spam detection system employs a “Delayed-Verification on Purported Responsible Address” (DVPRA) module which verifies the validity of the return address of a received e-mail message in mail server in a time delay interval specifiable by the user. An implementation of the module as a Spam Mail Filter in a stand-alone spam detection system. An implementation of the module as a supplementary to the existing anti-spam systems.11-06-2008
20080276317Detection of Multi-Step Computer Processes Such as Network Intrusions - Multi-step processes such as intrusions into computer networks are detected from individual activities or events such as communications by identifying anchor points (FIG. 11-06-2008
20110209218ENVIRONMENTAL IMAGING - A method and system for detecting whether a computer program, sent to a first computer having an operating environment including a plurality of files, includes malware is provided. A second computer obtains a plurality of environment details of the operating environment of the first computer. The second computer simulates in the second computer the presence of the plurality of files in the operating environment by exhibiting the plurality of environment details without installing the plurality of files in the second computer. The second computer executes the computer program in the second computer with the simulation and determines whether the computer program attempts to access or utilize the plurality of files in a manner indicative of malware. If not, the second computer records and generates a notification that the computer program is not malware.08-25-2011
20120144485COMPUTER SECURITY METHOD AND SYSTEM WITH INPUT PARAMETER VALIDATION - A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed.06-07-2012
20120297480Application revocation - In accordance with an example embodiment of the present invention, there is provided apparatus, including: at least one processor; and at least one memory including executable instructions, the at least one memory and the executable instructions being configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: receiving an application revocation request; confirming whether initiating an application revocation process is allowed; generating application revocation data once initiating the application revocation process has been allowed; storing the generated application revocation data to a reputation service network; and provide one or more revocation clients the generated application revocation data from the reputation service network in order to enable the one or more revocation clients revoking the application.11-22-2012
20100146623METHOD AND APPARATUS FOR PATTERN MATCHING FOR INTRUSION DETECTION/PREVENTION SYSTEMS - A packet is compared to a pattern defined by a regular expression with back-references (backref-regex) in a single pass of a non-deterministic finite automaton corresponding to the backref-regex (backref-NFA) that includes representations for all backref-regex's back-references. The packet's characters are sequentially selected and analyzed against the backref-NFA until a match or no-match between the packet and pattern is determined. Upon selecting a character, a corresponding configurations-set is updated, where the set includes configurations associated with respective NFA-states of the backref-NFA and indicating whether the selected character is being matched against a back-reference. With the configurations-set being updated the comparison process proceeds along backref-NFA's NFA-states. The updated configurations-set includes configurations associated with NFA-states reachable from the configurations in the pre-updated set. When the configurations-set includes a final state, a match is determined. When the configurations-set becomes empty, or upon selection of all characters lacks the final state, a no-match is determined.06-10-2010
20100146624Method and apparatus for protection of a program against monitoring flow manipulation and against incorrect program running - Protection program commands are inserted into at least one program command sequence of program commands in a program, to produce and check a monitoring flow marking sequence.06-10-2010
20100146622SECURITY SYSTEM AND METHOD FOR DETECTING INTRUSION IN A COMPUTERIZED SYSTEM - In detecting the identity of a person currently using a computer (06-10-2010
20110209219Protecting User Mode Processes From Improper Tampering or Termination - In one embodiment, a malware protection system may protect a computing system from a malware event. A data storage device 08-25-2011
20080244742Detecting adversaries by correlating detected malware with web access logs - An automated arrangement for detecting adversaries is provided by examining a log that contains records of communications into and out of the enterprise network upon the detection of a security incident by which a host computer on an enterprise network becomes compromised. The log is analyzed over a window of time starting before the occurrence of the detected security incident to identify the web site URIs (Uniform Resource Identifiers) and IP (Internet Protocol) addresses (collectively “resources”) that were respectively accessed by the compromised host and/or from which traffic was received by the compromised host. When other host computers in the enterprise are detected as being compromised, a similar analysis is performed and the results of all the analyses are correlated to identify one or more resources that are common to the logged communications of all the compromised machines.10-02-2008
20080250503METHOD AND SYSTEM FOR FILTERING COMMUNICATION - An e-mail relay provides message filtering services to an e-mail network. The e-mail relay monitors incoming communication and intercepts e-mail messages. The e-mail relay compares attributes of the messages to data derived from SPAM messages, which are stored in a SPAM database. The e-mail relay restricts the delivery of messages based on the comparison such as by restricting the delivery of messages having attributes close to those of SPAM messages from the SPAM database. The SPAM database is constructed by responding to user or administrator indications as to whether received messages are SPAM messages.10-09-2008
20080250500Man-In-The-Middle Attack Detection in Wireless Networks - Detection of a man-in-the-middle attack. In particular implementations, a method includes detecting a first event comprising notification of an invalid wireless management frame operable to cause a termination of a connection between a wireless client and a wireless access point, wherein the notification is based on a failed verification of a management integrity code (MIC) appended to the wireless management frame. The method also includes detecting a second event involving notification of either an authentication failure associated with the wireless client or a connection between the wireless client and a rogue access point. The method also includes performing one or more actions upon detection of the first event and the second event within a threshold period of time of each other.10-09-2008
20080250499Method and Apparatus for Reducing Buffer Overflow Exploits by Computer Viruses - Buffer overflow exploits in a computer are reduced by encoding linkage information associated with a subroutine, following a call to the subroutine from an application executing on the computer. The encoded linkage information is stored at a first address in a run-time stack in a memory of the computer. Upon exit from the subroutine, the value stored at the first address in the run-time stack is retrieved and decoded to obtain decoded linkage information. Execution of the application continues in accordance with the decoded linkage information. Subroutine data written to the stack is not encoded.10-09-2008
20080250498Method, Device a Program for Detecting an Unauthorised Connection to Access Points - This method of detecting address spoofing in a wireless network, comprising the steps of obtaining frames comprising an address of a device having sent the frame and a timestamp representative of the time of sending of the frame by said device; of analyzing the timestamps included in the frames having one and the same sending device address; and of detecting a spoofing of said address according to the analysis of said timestamps.10-09-2008
20090265785SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.10-22-2009
20090265784NETWORK FAILURE DETECTION METHOD AND NETWORK FAILURE DETECTION SYSTEM - A system provides definitions of network states, and identifies a cause for the anomaly upon detection. A traffic measuring portion (characteristic quantity generating portion) counts the number of packets/time slot classified by traffic type with respect to network traffic, generating a characteristic quantity; a memory portion stores information about the characteristic quantity; a portion calculates correlation coefficients between each pair of characteristic quantities classified by traffic type; a portion generates a histogram from correlation coefficients; a portion for determining the severity of an anomaly based on the histogram; a portion evaluates the similarity of an anomaly of interest to a reference anomaly using the occurrence probabilities of correlation coefficients; and a portion assigns a color to each pixel according to its occurrence probability value, generating an n×n picture. Visualization of network state is achieved using probability distribution vectors derived from correlation coefficients obtained from each characteristic quantities pair.10-22-2009
20080235798METHOD FOR FILTERING JUNK MESSAGES - A method of filtering junk messages has the steps of generating an implicit code, adding the implicit code to an message to be sent to an addressee, sending the message with the implicit code and a sender's address to the addressee from a sender, and determining whether the implicit code in the message matches a local reference code corresponding to a sender being recorded in an addressee's contact list. The message is correctly received in a normal message box if the implicit code matches the local reference code, otherwise the message is blocked.09-25-2008
20090328215SEMANTIC NETWORKS FOR INTRUSION DETECTION - Semantic networks are generated to model the operational behavior of an enterprise network to provide contextual interpretation of an event or a sequence of events that are observed in that specific enterprise network. In various illustrative examples, different semantic networks may be generated to model different behavior scenarios in the enterprise network. Without the context provided by these semantic networks malicious events may inherently be interpreted as benign events as there is typically always a scenario where such events could be part of normal operations of an enterprise network. Instead, the present semantic networks enable interpretation of events for a specific enterprise network. Such interpretation enables the conclusion that a sequence of events that could possibly be part of normal operations in a theoretical enterprise network is, in fact, abnormal for this specific enterprise network.12-31-2009
20090328214Secure channel reservation - A beacon method for use in a wireless communication network involves populating a beacon frame's channel identification data with accurate data associated with use of a particular channel for wireless communication; populating the beacon frame's network identification data with data including at least one false data element wherein it can be determined if an intruder has attempted to connect to the network by detecting the false data element in the intruder's attempt to connect to the network, where the beacon network identification data are intended to identify the network using the particular channel; storing the beacon frame in a computer readable storage medium; and transmitting the beacon frame over a channel to be reserved. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract.12-31-2009
20090328213Method and system for morphing honeypot - A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis.12-31-2009
20100275262Autonomous Diagnosis And Mitigation Of Network Anomalies - Autonomous diagnosis and mitigation of network anomalies may include creating a plurality of sketch matrices wherein each sketch matrix corresponds to an individual hashing function and each row in each sketch matrix corresponds to an array of hashed parameters of interest from multiple network devices for a given period of time, the parameters of interest being configurable by an administrator. A principal components analysis (PCA) input matrix is created for each of the sketch matrices by computing an entropy value for each element in the sketch matrices, and principal components analysis (PCA) is performed on each of the PCA input matrices to heuristically detect a network anomaly in real time.10-28-2010
20080209561METHOD, COMPUTER SOFTWARE, AND SYSTEM FOR PROVIDING END TO END SECURITY PROTECTION OF AN ONLINE TRANSACTION - A method for implementing an online transaction security product includes downloading an online transaction security product program from a web site to an information handling system. The security product program includes an anti-malicious code program configured to detect malicious code on the information handling system. Lastly, the security product program is executed, wherein the anti-malicious code program of the security product program operates to detect malicious code on the information handling system.08-28-2008
20080271145Tamper indication system and method for a computing system - A tamper indication system for a computing system comprises a sensor reader configured to determine a state of a tamper sensor of the computing system, and firmware disposed in the computing system and configured to cause a report to evidence whether the report has been tampered with, the report indicating the state of the tamper sensor.10-30-2008
20080271146Identifying a distributed denial of service (DDoS) attack within a network and defending against such an attack - The invention provides methods, apparatus and systems for detecting distributed denial of service (DDoS) attacks within the Internet by sampling packets at a point or points in Internet backbone connections to determine a packet metric parameter. The packet metric parameter which might comprise the volume of packets received is analysed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located. The expected behaviour can be employed to identify traffic distortions revealing a DDoS attack. In a complementary aspect, the invention provides a method of authenticating packets at routers in order to elevate the QoS of authenticated packets. This method can be used to block or filter packets and can be used in conjunction with the DDoS attack detection system to defend against DDoS attacks within the Internet in a distributed manner.10-30-2008
20130219498MOBILE TERMINAL HAVING SECURITY DIAGNOSIS FUNCTIONALITY AND METHOD OF MAKING DIAGNOSIS ON SECURITY OF MOBILE TERMINAL - A mobile terminal having security diagnosis functionality and a method of making a diagnosis on the security of the mobile terminal are provided. The mobile terminal includes a system check unit, an interface unit, a blacklist check unit, and a security diagnosis unit. The system check unit collects the basic information of the mobile terminal by performing a system check on the mobile terminal. The interface unit provides the basic information of the mobile terminal to a user and receives a control command from the user. The blacklist check unit checks whether at least one application installed in the mobile terminal is present in a blacklist registered on a server. The security diagnosis unit checks whether an abnormality has occurred in the corresponding application based on results of the comparison between the basic information of the mobile terminal with preset abnormality detection reference information and the control command.08-22-2013
20130219497NETWORK INTRUSION DETECTION IN A NETWORK THAT INCLUDES A DISTRIBUTED VIRTUAL SWITCH FABRIC - A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security.08-22-2013
20110271342DEFENSE METHOD AND DEVICE AGAINST INTELLIGENT BOTS USING MASQUERADED VIRTUAL MACHINE INFORMATION - A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process, determining, on the basis of pre-stored malicious process information, whether or not, the process transmitting the virtual machine detection request corresponds to a malicious process, and when the process is found to correspond to the malicious process as a result of the determination, determining that the process is generated by the intelligent bot, and returning the masqueraded virtual machine information to the process.11-03-2011
20090064333Pattern Discovery in a Network System - Patterns can be discovered in events collected by a network system. In one embodiment, the present invention includes collecting and storing events from a variety of monitor devices. In one embodiment, a subset of the stored events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.03-05-2009
20090126017Methods and systems for preventing security breaches - A security payload is attached to a received binary executable file. The security payload is adapted to intercept application programming interface (API) calls to system resources from the binary executable file via export address redirection back to the security payload. Upon execution of the binary executable file, the security payload replaces system library export addresses within a process address space for the binary executable file with security monitoring stub addresses to the security payload. Upon the binary executable computer file issuing a call to a given API, the process address space directs the call to the given API back to the security payload via one of the security monitoring stub addresses that is associated with the given API. The security payload then can assess whether the call to the given API is a security breach.05-14-2009
20090126016SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE - Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.05-14-2009
20110219449MALWARE DETECTION METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT - A method, electronic device and computer program product for real-time detection of malicious software (“malware”) are provided. In particular, execution of a suspicious software application attempting to execute on a user's device may be emulated in a virtual operating system environment in order to observe the behavior characteristics of the suspicious application. If after observing the behavior of the suspicious application in the virtual environment, it is determined that the application is malicious, the application may not be permitted to execute on the user's actual device. The suspicious application may be identified as malicious if an isolated data string of the application matches a “blacklisted” data string, a certain behavior of the application matches a behavior that is known to be malicious, and/or the overall behavior of the application is substantially the same or similar to a known family of malware.09-08-2011
20090187990METHOD AND SYSTEM TO VERIFY DATA RECEIVED, AT A SERVER SYSTEM, FOR ACCESS AND/OR PUBLICATION VIA THE SERVER SYSTEM - A method and system to verify active content included within a markup language document store multiple instances of publication information (e.g., an e-commerce listing or e-mail message) in a database associated with a server system. The stored publication information includes active content (e.g., web pages that include an executable script or point to an executable script). Selected active content is retrieved from the database, and subject to a verification process. The verification process is to verify that the selected active content is not malicious. The selected active content is selectively published based on an outcome of the verification process.07-23-2009
20080256634TARGET DATA DETECTION IN A STREAMING ENVIRONMENT - In embodiments of the present invention improved capabilities are described for a data stream scanner. The present invention may provide for a data portion received in association with a data stream, and the data portion may be analyzed to make an assessment. An identity pool may then be selected from a universe of identities based on the assessment, and identities from the identity pool may be selected in a scanning process to analyze the data stream. Further, an unmatched identity may remove the identity from the pool upon finding that the unmatched identity does not match data in the data stream.10-16-2008
20090178140NETWORK INTRUSION DETECTION SYSTEM - A network intrusion detection system (IDS) is built at an important network node and used to detect and monitor network packets. The network intrusion detection system includes a network card and a system core processor. When receiving a network packet, a micro-processor of the network card performs a packet decode procedure and a packet preprocess procedure, thereby verifying a type and a source address of the packet in advance and converting the packet into an IDS format packet. Afterwards, the system core processor determines whether the packet is an intrusion packet. Since the computation of the packet decode procedure and the packet pre-process procedure is handled by the network card, the network intrusion detection system will not lose packets due to too heavy computation burden, thereby greatly improving the accuracy of the network intrusion detection system.07-09-2009
20090025083METHOD AND APPARATUS FOR DETECTING EXECUTABLE CODE - There are provided an apparatus and method for detecting an executable code, capable of verifying reliability of an extracted signature by determining whether there is present an executable code in network data by using instruction pattern information related calling mechanism of function for distinguishing the executable code from a non-executable code, the method including: forming instructions by reverse assembling network data suspicious as an attack; comparing the respective formed instructions with instruction patterns according to calling mechanism of function; and determining whether there is present an executable code in the network data according to a result of the comparing01-22-2009
20090025082Method and apparatus for detecting computer-related attacks - Disclosed is a method and apparatus for detecting prefix hijacking attacks. A source node is separated from a destination network at a first time via an original path. The destination network is associated with a prefix. At a second time, a packet is transmitted from the source node to the destination network to determine a current path between the source node and the destination network. A packet is also transmitted from the source node to a reference node to determine a reference node path. The reference node is located along the original path and is associated with a prefix different than the prefix associated with the destination network. The current path and the reference node path are then compared, and a prefix hijacking attack is detected when the reference node path is not a sub-path of the current path.01-22-2009
20090044272RESOURCE-REORDERED REMEDIATION OF MALWARE THREATS - Systems and methods that mitigate affects of malware and facilitate remediation processes. An analysis engine generates a list of actions for resources associated with the malware, and prioritizes/sorts the actions for execution. Such list of actions can be generated automatically via an action list generation component associated with the analysis engine. Likewise, a sorting component as part of the analysis engine can prioritize operations between detected malware to typically ensure a smooth operation during remediation processes (e.g., avoid conflicts).02-12-2009
20120079593System and Method For Hindering a Cold Boot Attack - A method for hindering a cold boot attack on a user equipment (UE) is provided. The method includes, in response to detection of the cold boot attack, executing prioritized security procedures. A user equipment (UE) is also provided that includes a processor configured to execute prioritized security procedures responsive to detection of a cold boot attack.03-29-2012
20120079594MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM - In a malware auto-analysis method using a kernel callback mechanism, a function, present in a kernel driver within a PsSetCreateProcessNotifyRoutine function, is registered by a process monitor driver as a callback function when a computer boot. A function present in a registry monitor driver is registered by the registry monitor driver as a callback function in a CmRegisterCallback function when the driver is loaded. A kernel driver is registered by a file monitor driver as a mini-filter driver in a Filter Manager present in a Windows system. At least one of a process event, a registry event, or an Input/Output (I/O) event is received by a behavior event collector from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively.03-29-2012
20090241190System and method for securing a network from zero-day vulnerability exploits - A method of securing a network from vulnerability exploits, including the steps of a traffic analysis engine receiving a plurality of packets destined for an internal operating system; the traffic analysis engine selectively forwarding the packets to at least one virtual machine emulating the internal operating system; the virtual machine processing each forwarded packet; a rapid analysis engine identifying a malicious packet from the processed packets; and the rapid analysis engine creating a new signature to identify the malicious packet.09-24-2009
20090070872System and method for filtering spam messages utilizing URL filtering module - Systems and methods for filtering spam messages utilizing a URL filtering module are described. In one embodiment, the method includes detecting, in an incoming message, data indicative of a URL and comparing the URL from the incoming message with URLs characterizing spam. The method further includes determining whether the incoming message is spam based on the comparison of the URL from the incoming message with the URLs characterizing spam.03-12-2009
20090083854Syntax-Based Security Analysis Using Dynamically Generated Test Cases - A security analysis methodology is used to analyze the security of a device-under-analysis (DUA) with respect to a particular protocol message exchange. First, the mutation points that exist in the message exchange are determined. Then, the message exchange is executed multiple times—once for each mutation point. Each execution applies the mutation associated with that particular mutation point (e.g., a particular message during the exchange is modified in a particular way) to create a mutated message exchange. In other words, each message exchange with an applied mutation point corresponds to a test case.03-26-2009
20080263664METHOD OF INTEGRATING A SECURITY OPERATIONS POLICY INTO A THREAT MANAGEMENT VECTOR - The invention relates to the integration of a security operations policy into a threat management vector. In one embodiment, a method according to the invention includes receiving at least one threat management vector (TMV) from a TMV generator, the TMV including a root vulnerability vector, at least one system vector, at least one system level vector, and a countermeasures payload including intrusion detection countermeasures (IDC), intrusion response countermeasures (IRC), and vulnerability remediation countermeasures (VRC); forwarding to the TMDC a TMV including only the root vulnerability vector, the at least one system vector, and the at least one system level vector; propagating the TMV through a hierarchy of policy mediation regions (PMRs), each PMR being operable to refine at least one of the IDC, the IRC, and the VRC; refining at least one of the IDC, the IRC, and the VRC to conform to a security operations policy of the PMR; forwarding the refined TMV to a threat management domain controller (TMDC); recording refinements made by each PMR to each of the IDC, the IRC, and the VRC; transferring the recorded refinements to a threat management control book (TMCB); and marking the refined TMV as having been refined by each PMR making a refinement.10-23-2008
20080263668Automatic Client Responses To Worm Or Hacker Attacks - A system in which a networked device automatically evaluates hacker attack notification information and, based thereon, selects and executes responses to the attack. The notification may include information such as the address of the infected system, identification of the specific worm, and a list of vulnerable applications and operating systems. The evaluation is based on factors including criticality and vulnerability of applications running on the system and connectivity of the device. A variety of automatic responses can be selected, including notification of network administration, shutdown of the device or services running on the device, updating and activation of anti-virus software, and selective handling of data sent from the address of the suspect network device. The selection of responses can occur automatically based on rules input during setup or by intervention of network administration.10-23-2008
20080263667COMMUNICATION APPARATUS, COMMUNICATION METHOD, AND RECORDING MEDIUM USED THEREWITH - Encoded data that is obtained by embedding subdata in advertisement information and embedding the subdata-embedded advertisement information in main data is provided to a user. At the user side, the encoded data is decoded to reproduce the main data and the subdata-embedded advertisement information, and the subdata-embedded advertisement information is decoded to reproduce the advertisement information and the subdata embedded therein.10-23-2008
20080263665NETWORK ATTACK DETECTION USING PARTIAL DETERMINISTIC FINITE AUTOMATON PATTERN MATCHING - This disclosure describes techniques for determining whether network traffic contains one or more computer security threats. In order to determine whether a symbol stream conforms to the symbol pattern, a security device stores a full deterministic finite automaton (fDFA) that accepts streams of symbols that conform to the symbol pattern. The security device also creates a partial deterministic finite automaton (pDFA) that includes nodes that correspond to the nodes in the fDFA that have the highest visitation levels. The security device processes each symbol in the symbol stream using the pDFA until a symbol causes the pDFA to transition to a failure node or to an accepting node. If the symbol causes the pDFA to transition to the failure node, the security device processes the symbol and subsequent symbols in the symbol stream using the fDFA.10-23-2008
20090100520Detection and dynamic alteration of execution of potential software threats - An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled though application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier.04-16-2009
20110231933LOADBALANCING NETWORK TRAFFIC ACROSS MULTIPLE REMOTE INSPECTION DEVICES - An apparatus includes a checking functionality (CF) for processing data packets in a computer network that comprises a plurality of CFs. The CF includes an interface for communication with one or more source switches that route data packets to the CF for processing, a packet processing capability for processing the data packets, and logic for communicating data regarding the packet processing capability to the source switch through the interface.09-22-2011
20110231932SECURITY INTRUSION DETECTION AND RESPONSE - A system comprises an enclosure, host logic contained in the enclosure, and intrusion security logic also contained in the enclosure. The intrusion security logic is coupled to the host logic and configured to detect a security intrusion to the system and to respond to a security intrusion with a user-configurable trigger event. The intrusion security logic implements at least two tamper blocks, each tamper block configured to monitor one more input signals and initiate a trigger event when a security breach of the enclosure is detected. At least one of the tamper blocks comprises a state machine whose operation is controlled by way of user-programmable registers.09-22-2011
20100154059NETWORK BASED MALWARE DETECTION AND REPORTING - An apparatus, system and method are described for use in detecting the presence of malware on subscribers computers. The apparatus, system and method are network based and may be deployed within an Internet Service Provider (ISP) network. The system may include a plurality of network sensors for receiving and analyzing network traffic to determine the presence of malware. An aggregating apparatus receives alerts of the presence of malware and translates a network identifier of the alert to a subscriber identifier. The aggregating apparatus aggregates alert information and forwards it to a reporting infrastructure that can generate notifications in order to notify a subscriber that malware has been detected on a computer associated with the subscriber.06-17-2010
20090205046METHOD AND APPARATUS FOR COMPENSATING FOR AND REDUCING SECURITY ATTACKS ON NETWORK ENTITIES - Security attacks on network entities can be compensated for and reduced through insurance that modifies incentives. In one example, a virtual slice provider includes a secure and non-secure slice having resources to provide network access to users through a service provider. The secure slice is assigned a first security level and a non-secure slice is assigned a second lower security level. In one embodiment, the second slice is isolated from the first slice. The virtual slice provider also has a risk policy between the slice provider and the service provider to establish different rates charged to the service provider for access to the secure and non-secure slices and to provide different levels of payment to the service provider for losses resulting from a lack of security in each slice.08-13-2009
20090070877METHOD FOR SECURING STREAMING MULTIMEDIA NETWORK TRANSMISSIONS - A method of and apparatus for securing against an unauthorized transmission within an authorized transmission from a sending data processor to a receiving data processor. The transmission is stimulated to elicit a predictable response from the receiving data processor. Upon the observance or absence of the predictable response, the transmission is determined as being potentially unauthorized. The method of this invention can be implemented in network administrator middleboxes such as firewalls.03-12-2009
20090172815METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION - In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network, includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings includes at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host.07-02-2009
20090106839METHOD FOR DETECTING NETWORK ATTACK BASED ON TIME SERIES MODEL USING THE TREND FILTERING - Method for detecting network attack based on time series model using the trend filtering. The method has the steps of: a) removing a trend component from the time series data to extract a residual component; and b) detecting an anomaly by applying a time series model to the residual component.04-23-2009
20090241191SYSTEMS, METHODS, AND MEDIA FOR GENERATING BAIT INFORMATION FOR TRAP-BASED DEFENSES - Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information.09-24-2009
20090222922SYSTEMS, METHODS, AND MEDIA PROTECTING A DIGITAL DATA PROCESSING DEVICE FROM ATTACK - In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within a virtual environment: receiving at least one attachment to an electronic mail; and executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs.09-03-2009
20080320593Method, System and Computer Readable Medium For Intrusion Control - An intrusion control system, method and computer readable medium. The system includes an input interface adapted to receive traffic over a session opened between a user and a computerized system; and a processor, adapted to control the session while determining whether the traffic is a part of an attack. The method includes determining an occurrence of an attack; and mitigating the attack by providing false information representative of a defense capability of a computerized system.12-25-2008
20090241189EFFICIENT HANDLING OF INTERRUPTS IN A COMPUTING ENVIRONMENT - A method for efficiently handling interrupts in a virtual technology environment with integrity services is provided. The method comprises assigning an interrupt to a virtual machine that is running a software agent; suspending the software agent; invoking a protected interrupt handler; copying the interrupt's memory content to a protected location, in response to successfully verifying the integrity of the content; replacing the interrupt's return address with a return address for a protected function; switching from the software agent's protected context to its active context; executing the original interrupt handler; returning control to the protected function to ensure that execution of the software agent resumes safely; switching back to the software agent's protected context, in response to successfully verifying the integrity of the content; and passing control back to the software agent to resume execution.09-24-2009
20090254991INTRUSION DETECTION USING A NETWORK PROCESSOR AND A PARALLEL PATTERN DETECTION ENGINE - An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.10-08-2009
20080313736DATA NETWORK AND METHOD FOR CHECKING NODES OF A DATA NETWORK - The invention provides a data network, systems and methods for checking nodes of a data network that are used for detecting whether a privacy policy concerning an information is maintained. The information comprises a mark corresponding to the privacy policy. The mark defines the storage place or the accessing paths or the transferring paths of the information. The mark is automatically searchable. The mark is searched, analyzed and checked as to whether the privacy policy is maintained. The advantage of the system is that vulnerabilities of systems for protecting confidential information may be detected a long time before an attack on the confidential information occurs.12-18-2008
20080313735NULLIFICATION OF MALICIOUS CODE BY DATA FILE TRANSFORMATION - To nullify any malicious code potentially contained within a data file. a transformation engine randomly selects a transformation from a number of available file transformations each arranged to alter the bit pattern of a file to which it is applied while still enabling manifestation of at least some of the file's semantic content to a user. The selected transformation is then applied to the data file to produce a transformed file. Preferably, the transformation engine runs in a dedicated virtual machine of a computing platform.12-18-2008
20100162394METHOD AND APPARATUS FOR PROVIDING SECURITY FOR AN INTERNET PROTOCOL SERVICE - A method and apparatus for providing security to an endpoint device are disclosed. For example, the method receives a signaling message by the endpoint device. The method processes the signaling message, if the signaling message is received from a device associated with one of one or more Internet Protocol (IP) addresses in an Access Control List (ACL), and discards the signaling message, if the signaling message is received from a device not associated with one of the one or more IP addresses in the ACL.06-24-2010
20100162395Methods and Systems for Detecting Malware - A method for detecting malware is disclosed. The method may include examining a plurality of metadata fields of a plurality of known-clean-executable files. The method may also include examining a plurality of metadata fields of a plurality of known-malicious-executable files. The method may further include deducing, based on information obtained from examining the plurality of metadata fields of the plurality of known-clean- and known-malicious-executable files, metadata-field attributes indicative of malware. Corresponding systems and computer-readable media are also disclosed.06-24-2010
20120246725VISUAL STYLES FOR TRUST CATEGORIES OF MESSAGES - A message queue (e.g., an email mailbox) may comprise messages received from various sources and including various types of content. For respective messages, a trust category may be identified, e.g., a trusted message category comprising messages received from a known source, an untrusted message category comprising messages received from an unverified source, and a suspicious message category comprising messages containing potentially malicious attachments or potentially unwanted content. The message queue may be presented to the user with the messages of each trust category having a visual style that visually distinguishes the trust categories; e.g., trusted messages may be visually emphasized, and suspicious messages may be visually de-emphasized. This manner of distinguishing messages may enable the user to triage the messages of the message queue, and may mitigate the disadvantages of a false positive in the trust level identification (as compared with moving the suspicious message to a different folder).09-27-2012
20120246726DETERMINING HEAVY DISTINCT HITTERS IN A DATA STREAM - A data traffic monitor for determining a heavy distinct hitter (HDH) in a data stream, the data stream comprising a plurality of element-value (e,v) pairs, includes a HDH module, the HDH module configured to receive the plurality of (e,v) pairs from the data stream; and a counter block in communication with the HDH module, the counter block comprising a plurality of hash functions, and further comprising a respective pair of distinct counting primitives associated with each hash function of the plurality of hash functions, wherein each of the plurality of (e,v) pairs is added to one of the distinct counting primitives of the respective pair of distinct counting primitives for each of the plurality of hash functions in each of the plurality of counter blocks.09-27-2012
20120246727System that provides early detection, alert, and response to electronic threats - The invention is a computer system that provides early detection alert and response to electronic threats (eThreats) in large wide area networks. The system harnesses the processing power of dedicated hardware, software residing in specialized servers, distributed personal computers connected to the network, and the human brain to provide multi-layered early detection, alarm and response. The layers comprise a Protection Layer, a Detection Layer, an Expert Analysis Layer, and a Collaborative Detection & Protection Layer. A Dynamic Sandbox Protection Layer associated with the distributed personal computers connected to the network can optionally be part of the system of the invention.09-27-2012
20120246728TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INSTRUSION PREVENTION SYSTEM - A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.09-27-2012
20100162397APPARATUS AND METHOD FOR PROTECTING ASSET IN COMPUTER SYSTEM - Provided are an apparatus and method using spatial and temporal quarantine expansion to prevent important information from being leaked due to attacks such as viruses, hacking, and the like. The apparatus includes a state change unit for changing a state of at least one of a memory, a register, and a port in the computer system; a state calculation unit for calculating information on the changed state of the computer system; a security-threat-element elimination unit for eliminating security threat elements from the computer system; a communication unit for transmitting the state information calculated by the state calculation unit to the quarantine station, or receiving control information for controlling the computer system based on the state information, from the quarantine station; and a security execution unit for receiving security information from the quarantine station to execute a specific program when the computer system is faultless, wherein the state information and the control information are transmitted or received until the computer system is faultless repeatedly.06-24-2010
20100186088AUTOMATED IDENTIFICATION OF PHISHING, PHONY AND MALICIOUS WEB SITES - A method and system for automated identification of phishing, phony, and malicious web sites are disclosed. According to one embodiment, a computer implemented method, comprises receiving a first input, the first input including a universal resource locator (URL) for a webpage. A second input is received, the second input including feedback information related to the webpage, the feedback information including an indication designating the webpage as safe or unsafe. A third input is received from a database, the third input including reputation information related to the webpage. Data is extracted from the webpage. A safety status is determined for the webpage, including whether the webpage is hazardous by using a threat score for the webpage and the second input, wherein calculating the threat score includes analyzing the extracted data from the webpage. The safety status for the webpage is reported.07-22-2010
20120198552METHOD, COMPUTER SOFTWARE, AND SYSTEM FOR PROVIDING END TO END SECURITY PROTECTION OF AN ONLINE TRANSACTION - Techniques for categorizing programs running on an information handling system. One method includes, while a program is running on an information handling system in a manner that permits the program to infect the information handling system, calculating a first score and a second score. The first score is indicative of the likelihood that the program is malicious; the second score is indicative of the likelihood that the program is valid. This method further includes categorizing the program with respect to the likelihood of the program infecting the information handling system, including by categorizing the program as valid code based on the second score being above a threshold value, regardless of the first score.08-02-2012
20120198551METHOD, SYSTEM AND DEVICE FOR DETECTING AN ATTEMPTED INTRUSION INTO A NETWORK - Described herein are embodiments of methods, systems and devices for detecting an attempted intrusion into a network. In one aspect, the network is an advanced metering infrastructure (AMI) network. In another aspect, the network is an home area network (HAN). In accordance with one aspect, a method of detecting an attempted intrusion into a network is described. This embodiment of a method comprises configuring an entrapment meter such that it receives data packets from a network, but does not transmit data packets to the network. The entrapment meter is also configures such that the entrapment meter appears vulnerable to unauthorized intrusion to the network. The configured entrapment meter is used to detect an attempted unauthorized intrusion into the network. The attempted unauthorized intrusion is monitored.08-02-2012
20100263049VULNERABILITY DETECTION BASED ON AGGREGATED PRIMITIVES - Methods, systems, and computer-readable media are disclosed for detecting vulnerabilities based on aggregated primitives. A particular method includes receiving a plurality of data transmissions. At least one of the data transmissions includes a protocol anomaly that is not indicative of a security threat. The method includes identifying a plurality of primitives associated with the data transmissions. The primitives are aggregated, and an attack condition is identified based on the aggregated primitives. A security alert is generated based on the identified attack condition.10-14-2010
20100263048MALWARE PREVENTION METHOD AND SYSTEM IN A PEER-TO-PEER ENVIRONMENT - A computer-implemented method and system for malware prevention in a peer-to-peer (P2P) environment are disclosed. Specifically, one implementation of the embodiment sets forth a method, which includes the operations of obtaining a meta information of a data, prior to initiating downloading of the data, sending the meta information to a server, and initiating downloading of the data after having received confirmation from the server that the meta information is free from being associated with any known malware.10-14-2010
20100192226Intrusion Event Correlation System - Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates event. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.07-29-2010
20100192225EFFICIENT APPLICATION IDENTIFICATION WITH NETWORK DEVICES - In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automata (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identifies the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA. The network device includes an interface that receives a packet and the control unit traverses first the group DFA and then, in some instances, the individual DFAs to more efficiently identify network applications to which packets correspond.07-29-2010
20100154058METHOD AND SYSTEMS FOR COLLECTING ADDRESSES FOR REMOTELY ACCESSIBLE INFORMATION SOURCES - A method and system are described for collecting addresses for remotely accessible information sources. Messages, such as emails, carried by a messaging network (N1) are intercepted before reaching a destined terminal. Addresses for remotely accessible information sources (i.e. URLs) are identified from the intercepted email messages. The messages are analysed to be classified as either a first type of message (e.g. spam or virus messages) or a second, different, type of message. If the intercepted message is classified as the first spam/virus type then data indicative of the identified address (URL) is transmitted to a filtering system (06-17-2010
20100212014Method for Detecting a Service Prevention Attack and Communication Terminal - A method for detecting a service prevention attack on a first communication terminal, wherein the detection of the service prevention attack is performed by the first communication terminal. The first and at least one second communication terminal comprise communication subscribers in a communication network. The communication connection is provided between the first and the second communication terminals. If the first communication terminal does not receive a status inquiry message of the second communication terminal in a timely manner, receipt of at least one further message indicating that the sender is the second communication terminal is interpreted as a service prevention attack on the first communication terminal and an action is taken, such as all or a plurality of packets are deleted from the input buffer memory or the connection between the two communication terminals is terminated.08-19-2010
20080209559Method for detecting that a protected software program is cracked - A method for determining if a software program having a protective envelope has been cracked, and signaling an indication thereof. A direct determination is made of whether the protective envelope is intact or has been compromised by an attack, without requiring a license violation to occur. Executable code in the protective envelope generates an envelope confirmation which is validated by executable code in the program itself. Any disabling or separation of the envelope from the program will be detectable by the program at validation time. Provisions are made for a secure envelope confirmation, the use of arguments as input to the confirmation generation, and for incorporating information related to the computer and user to facilitate identifying the attacker. Signaled indications can include network messaging to alert the licensor that the program has been cracked.08-28-2008
20080209558Self-defensive protected software with suspended latent license enforcement - A method and system of computer program modules for extending the cover time of protection for a licensed software product, by increasing the difficulty and time required for an attacker to produce a workable cracked version of the program. When an attack is detected, critical information about the effectiveness of the attack are withheld from the attacker by simulating the behavior of a cracked program, thereby inducing the attacker to prematurely consider the attack successful. Latent license enforcement features are provided, whose activation is suspended until predefined environmental conditions are met.08-28-2008
20090077663Score-based intrusion prevention system - A score-based method of preventing intrusion, and related apparatus and systems, including one or more of the following: receiving traffic including new packets; decoding a protocol for same; determining that no session exists to which the packets are associated; creating a session entry for a session corresponding to the packets; setting a total score for the session to zero; performing an anomaly analysis on the packets identifying an anomaly; adding an anomaly score for the anomaly to the total score for the session; determining that the total score for the session does not exceed a threshold; determining that the anomaly analysis is finished; determining that the signature of the received new packets matches a threat signatures; adding a score assigned to the threat signature to the total score for the session; determining that the total score for the session exceeds the threshold; and triggering a threat response action.03-19-2009
20090077662APPARATUS AND METHODS FOR INTRUSION PROTECTION IN SAFETY INSTRUMENTED PROCESS CONTROL SYSTEMS - Apparatus and methods for intrusion protection in safety instrumented process control systems are disclosed. An example method of protecting a safety instrumented system includes receiving legitimate information from a component of a process control system wherein the legitimate information is intended for delivery to a safety instrumented system, determining if a signature at least substantially matches the legitimate information, and preventing the legitimate information from reaching the safety instrumented system when it is determined that the signature at least substantially matches the legitimate information.03-19-2009
20100162393Methods and Systems for Detecting Man-in-the-Browser Attacks - A computer-implemented method for detecting man-in-the-browser attacks may include identifying a transaction fingerprint associated with a web site. The method may also include tracking a user's input to the web site. The user's input may be received through a web browser. The method may further include intercepting an outgoing submission to the web site. The method may additionally include determining whether, in light of the transaction fingerprint, the user's input generated the outgoing submission. Various other methods, systems, and computer-readable media are also disclosed.06-24-2010
20100218253WEB SECURITY VIA RESPONSE INJECTION - System and methods for injecting content into a response for improving client-side security. The system includes a content injection service external to network edges of at least one system. The content injection service receives a request from a client within the at least one system and identifies or anticipates a potential threat associated with the response. The content injection service is configured to determine an appropriate counter for the identified or anticipated potential threat and in response injects content into the response according to the potential or anticipated threat identified.08-26-2010
20100235915USING HOST SYMPTOMS, HOST ROLES, AND/OR HOST REPUTATION FOR DETECTION OF HOST INFECTION - Detecting and mitigating threats to a computer network is important to the health of the network. Currently firewalls, intrusion detection systems, and intrusion prevention systems are used to detect and mitigate attacks. As the attackers get smarter and attack sophistication increases, it becomes difficult to detect attacks in real-time at the perimeter. Failure of perimeter defenses leaves networks with infected hosts. At least two of symptoms, roles, and reputations of hosts in (and even outside) a network are used to identify infected hosts. Virus or malware signatures are not required.09-16-2010
20100212013LOG-BASED TRACEBACK SYSTEM AND METHOD USING CENTROID DECOMPOSITION TECHNIQUE - There are provided a system and method for tracing back an attacker by using centroid decomposition technique, the system including: a log data input module collecting log data of an intrusion alarm from an intrusion detection system; a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique removing a leaf-node to the shortest path tree, and generating a centroid tree whose node of each level is the detected centroid node; and a traceback processing module requesting log data of a router matched with the node of each level of the centroid tree, and tracing back a router identical to the log data of the collected intrusion alarm as a router connected to a source of an attacker by comparing the log data of the router with the log data of the collected intrusion alarm. According to the system and method, an attacker causing a security intrusion event may be quickly detected, a load on the system is reduced, and a passage host exposed to a danger or having weaknesses may be easily recognized, thereby easily coping with an attack.08-19-2010
20100242113DETECTION OF ROUTING LOOPS BASED ON TIME-TO-LIVE EXPIRIES - A method and system for detecting routing loops and time-to-live (TTL) expiry attacks in a telecommunications network are disclosed. The detection of routing loops and TTL expiry attacks can be achieved based on the comparison of TTL expiries occurring on two or more routers in the network. A quantity of TTL expiries associated with a router can be summed. Additionally, a quantity of TTL expiries associated with other routers that are operatively coupled to the router can be summed. A difference between the sums can be calculated and a determination of whether a routing loop exists can be made in response to the difference.09-23-2010
20100235914INTRUSION DETECTION FOR VIRTUAL LAYER-2 SERVICES - The invention is directed to detecting an attempt of an intruder system to participate in a virtual Layer-2 service provided over a packet switching network. Embodiments of the invention monitor operational status of an interface port of a PE router to which a CE router is communicatively coupled for providing the virtual Layer-2 service, determine, consequent to a change in said status, whether information that should relate to the CE router has changed; and thereby, in the affirmative, interpret said change to indicate that an intruder system has attempted to participate in the virtual Layer-2 service. Advantageously, this capability is complementary to other security measures such as MAC filters and Anti-spoofing filters that depend on the content of data packets exchanged between the CE and PE routers and not on the operational status of communicative connections between them.09-16-2010
20100235913Proactive Exploit Detection - Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions. In a further embodiment, the sequence of possible instructions may begin with a possible instruction that comprises at least one candidate operation code (opcode) that has been determined to occur frequently in executable code.09-16-2010
201001389233-PRONG SECURITY/RELIABILITY/REAL-TIME DISTRIBUTED ARCHITECTURE OF INFORMATION HANDLING SYSTEM - The present invention is directed to a distributed architecture of an information handling system, including a buried nucleus inaccessible for inspection without heroic means while the buried nucleus is in operation, and a trusted authority for generating a secure protocol. The secure protocol controls the operation of the buried nucleus.06-03-2010
20100251371REAL-TIME MALICIOUS CODE INHIBITOR - A method and system for real-time blocking of malicious requests to a compute system and real-time removal of malicious code from such requests, by comparing the request information to a database of known and recorded malicious requests. If it is determined that the request is from an IP address that is restricted or has previously attacked another system, the request may be denied, the request information will be logged, the incident will be reported to the user and also SecurePlus if the user has subscribed to SecurePlus. If the request is not denied, it will be parsed and searched for inclusion of remote files, database code, programming code, known hacking terms, and user-supplied terms. If the presence of any of these items is detected, the request may be denied, the request information will be logged, the incident will be reported to the user and also SecurePlus if the user has subscribed to SecurePlus. If the request in question has been denied, a cookie will be inserted onto the requesting system to assist in detection of known attackers.09-30-2010
20100251370NETWORK INTRUSION DETECTION SYSTEM - A network intrusion detection system applied to detect and monitor network packets. The network intrusion detection system decides to load and operate detection rules according to a current load. The network intrusion detection system includes a network connection unit, a storage unit, and a processing unit. The processing unit operates an alert correlation program, a plurality of detection rules, and a plurality of operation policies according to the received network packets. The alert correlation program applied to detect whether contents of the network packets conform to the detection rules, assign a resource consumption level to each detection rule, and categorize the detection rules to the operation policies according to the resource consumption levels. A loading level of the processing unit is decided according to a device load and an access load. The operation policies and the alert correlation program that the processing unit operates are decided according to the loading-level.09-30-2010
20130219502MANAGING A DDOS ATTACK - A method, system, and/or computer program product manages a distributed denial of service attack in a multiprocessor environment. A determination is made of (a) a first upper threshold for a normal number of packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the packets from the multiprocessor environment to a single destination address compared to the packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of packets from the multiprocessor environment to a single port at a single destination address compared to packets from the multiprocessor environment to the multiple destination addresses. In response to the first and second thresholds being exceeded, a specific port is monitored to determine if the third upper threshold is being exceeded at that port, thus indicating an apparent distributed denial of service attack.08-22-2013
20120144487ROUTING APPARATUS AND METHOD FOR DETECTING SERVER ATTACK AND NETWORK USING THE SAME - Routing apparatus and method for detecting a server attack are disclosed. The routing apparatus includes: a reception unit configured to receive a packet transmitted in a network; a transmission unit configured to transmit the packet along a transmission path; a memory unit configured to store data and/or information required for an operation; and a controller configured to set the transmission path of the packet in the network and perform packet switching along the set transmission path, wherein the reception unit receives server state information from servers at every certain time, the memory unit stores the received server state information, and the controller calculates a change in the state of the servers based on the received server state information, and determines that a server is attacked when a change in the state of the server is greater than a certain threshold value.06-07-2012
20090276852STATISTICAL WORM DISCOVERY WITHIN A SECURITY INFORMATION MANAGEMENT ARCHITECTURE - A method, system, and computer program product for identifying a worm attack on a computer network. The method includes setting a predetermined time period for monitoring non-packet event(s). A log entry associated with the packet event(s) is received and stored. The one or more received log entries identify a first source of a worm infection threat, first destination(s) of the worm infection threat, first timestamp(s) of the worm infection threat, and a non-packet event type of the worm infection threat. A counter is configured for recording, within the predetermined time period, a number of infection attempts of the same event type by the first destination(s) of the worm infection threat to a second destination(s) of the worm infection threat. In response to determining that the number of infection attempts satisfies a defined infection attempt threshold value, an alert confirming the worm attack on the computer network is communicated.11-05-2009
20100037318Network Intrusion Detection - A method of detecting network communications includes monitoring network devices for communication data; generating an output file including the communication data correlated with a communication type; computing network metrics based on the correlated data; comparing the network metrics with a policy threshold; and determining a network violation event based on the comparing.02-11-2010
20090260084METHOD FOR VERIFYING CONFORMITY OF THE LOGICAL CONTENT OF A COMPUTER APPLIANCE WITH A REFERENCE CONTENT - A computer appliance and method are provided. The computer appliance includes a processor, a memory in which the processor can read and write, and an input/output device for interfacing the appliance processor with the outside world. In order to verify conformity of the logical content of the appliance with the reference content, the method includes sending to the appliance a request for loading into the memory and executing a verification program. The verification program is capable or writing data into the memory of the appliance and of reading data in the memory to send them to the input/output device. Then, the method includes sending to the appliance a request for executing the program to saturate the memory available not taken up by the program. Finally, it includes exchanging messages with the appliance by executing the program. Based on the exchanged messages, the conformity of the logical content of the appliance is verified.10-15-2009
20090282483SERVER BASED MALWARE SCREENING - An Internet infrastructure is provided to transfer a packet of data between a client device and source device. The infrastructure consists of a support server that screens the packet for malware codes on behalf of a registered client. In order to scan for malware, the support server contains hardware and/or software modules to perform malware detection and quarantine functions. The modules identify malware bit sequence in the packet(s), malware bit sequences or entire contaminated code is quarantined or repaired as appropriate. After identification of malware code (if any), the support server sends warning messages to affected parties, providing information regarding the malware codes that were detected.11-12-2009
20090328219DYNAMIC POLICY PROVISIONING WITHIN NETWORK SECURITY DEVICES - The invention is directed to techniques for dynamic policy provisioning. A network security device may comprise a memory that stores a first policy that identifies a first set of patterns that correspond to a first set of network attacks and a second policy, and a control unit that applies the first policy to the network traffic to detect the first set of network attacks. The control unit, while applying the first policy, monitors parameters corresponding to one or more resources and dynamically determines whether to apply a second policy to the network traffic based on the parameters. The control unit, based on the dynamic determination, applies the second policy to the network traffic to detect a second set of network attacks and forwards the network traffic based on the application of the second policy. In this manner, the network security device may implement the dynamic policy provisioning techniques.12-31-2009
20090328218DATA PROCESSING SYSTEM, DATA PROCESSING METHOD, AND PROGRAM - A log output device and a program are provided, which append a signature to a log, prevent an undetectable tampering (alteration, insertion, deletion, etc.), and are able to narrow tampered position if tampered. The log output device forms a log record including a data part and a hash part, and outputs to a disk; the hash part is formed by combining a hash of the data part (data hash) and a hash of the hash part of the previous record (link hash); a signature is appended to only a part of records of a hash chain; when outputting the record to the disk, a copy of the hash part of the record is maintained on a process memory; when outputting next record, the hash part of the latest record on the disk and the hash part maintained on the process memory are compared; if they are matched, the record on the disk is determined as not being tampered, and if mismatched, the record is determined as tampered.12-31-2009
20110067107INTEGRATED INTRUSION DEFLECTION, DETECTION AND INTROSPECTION - Methods and apparatus are provided for integrated deflection, detection and intrusion. Within a single computer system configured for operating system virtualization (e.g., Solaris, OpenSolaris), multiple security functions execute in logically independent zones or containers, under the control and administration of a global zone. Such functions may illustratively include a demilitarized zone (DMZ) and a honeypot. Management is facilitated because all functions work within a single operating system, which promotes the ability to configure, monitor and control each function. Any given zone can be configured with limited resources, a virtual network interface circuit and/or other features.03-17-2011
20110067106NETWORK INTRUSION DETECTION VISUALIZATION - A network activity visualization system can include a minimum description length (MDL) based network intrusion detection system having an MDL grammar database adapted to store a plurality of MDL grammars, and a pattern matching module adapted to match a received network activity data set against the MDL grammars by calculating a distance of the network activity data set from each MDL grammar. The system can also include an intelligent icon module coupled to the MDL-based intrusion detection system and adapted to receive the MDL grammars and distances of a network data set from each respective MDL grammar, and adapted to generate intelligent icons based on the MDL grammars and distances. The system can further include a display system adapted to display the intelligent icons so as to provide a visual indication of network security.03-17-2011
20100263050METHOD OF DETECTING PROGRAM ATTACKS - A program data attack is detected during execution of an algorithm performed by an embedded system. The algorithm uses program data stored in the embedded system. The detection is performed by asserting a detection command signal, initializing a calculation register with a calculation result in response to assertion of the detection command signal, wherein the calculation result is produced by execution of the algorithm using the program data, and comparing the calculation result stored in the calculation register with a reference value included in the program data, wherein the reference value is a value of the calculation result expected to be obtained when the program data is not attacked from outside.10-14-2010
20100192224SANDBOX WEB NAVIGATION - Browsing the World Wide Web may expose a user's system to malicious attacks that can lead to data loss and/or system failure. Sometimes a user desires to access information on a web page that may contain malicious content. For example, a college student researching computer hacking may need information provided on a hacking website even though the site is potentially dangerous. Although techniques are employed to install potentially harmful executable files into a sandbox (e.g., virtual machine), these techniques do not address navigation of harmful sites. Functionality can be implemented to instantiate a web browser within a controlled virtual environment (“sandbox”) that simulates the host system while restricting the virtual environment to designated space(s) and/or resources of the host system to prevent harmful effects. Instantiating the web browser in the sandbox allows web navigation of risky web sites without deleterious effects on the host system.07-29-2010
20090172814DYNAMIC GENERATION OF INTEGRITY MANIFEST FOR RUN-TIME VERIFICATION OF SOFTWARE PROGRAM - A measurement engine generates an integrity manifest for a software program and uses it to perform active platform observation. The integrity manifest indicates an integrity check value for a section of the program's code. The measurement engine computes a comparison value on the program's image in memory and determines if the comparison value matches the expected integrity check value. If the values do not match, the program's image is determined to be modified, and appropriate remedial action may be triggered.07-02-2009
20090320132SYSTEMS AND METHODS FOR DISTRIBUTED NETWORK PROTECTION - By distributing various information and monitoring centers that monitor distributed networks and unauthorized access attempts, it is possible to, for example, more quickly defend against an unauthorized access attempts. For example, a Level 1 monitoring center could monitor a predetermined geographical area serving, for example, a wide variety of commercial and public sites, an organizational structure, or the like, for alarms. Upon analyzing an alarm for various characteristics, the Level 1 monitoring center can refer the unauthorized access attempt to an appropriate Level 2 center for, for example, possible retaliatory and/or legal action. Then, a Level 3 monitoring center can record and maintain an overall picture of the security of one or more networks, the plurality of monitoring centers and information about one or more hacking attempts.12-24-2009
20090113547MALWARE DETECTING APPARATUS, MONITORING APPARATUS, MALWARE DETECTING PROGRAM, AND MALWARE DETECTING METHOD - A malware detecting apparatus, monitoring apparatus, malware detecting program, and malware detecting method are provided. The method detects a plurality of nodes that have sent connection request information commonly to one of first destinations among a set of monitoring target nodes, detects, for each node in the set of monitoring target nodes, the number of second destinations to which the node has sent connection request information, identifies a node infected with malware based on the plurality of nodes detected and the number of second destinations detected, and outputs a result of the identification.04-30-2009
20090126015SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE - Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.05-14-2009
20080289040Source/destination operating system type-based IDS virtualization - Systems and methods for virtualizing network intrusion detection system (IDS) functions based on each packet's source and/or destination host computer operating system (OS) type and characteristics are described. Virtualization is accomplished by fingerprinting each packet to determine the packet's target OS and then vetting each packet in a virtual IDS against a reduced set of threat signatures specific to the target OS. Each virtual IDS, whether operating on a separate computer or operating as a logically distinct process or separate thread running on a single computer processor, may also operate in parallel with other virtual IDS processes. IDS processing efficiency and speed are greatly increased by the fact that a much smaller subset of threat signature universe is used for each OS-specific packet threat vetting operation.11-20-2008
20100223669Automated Containment Of Network Intruder - The invention in the preferred embodiment features a system (09-02-2010
20120144486METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETECTING A HEAP SPRAY ATTACK ON AN ELECTRONIC DEVICE - A method and system for protecting against unknown malicious activities by detecting a heap spray attack on a electronic device are disclosed. A script is received at an electronic device from a remote device via a network and a loop operation is detected in the script that contains a write operation operable to write data to a memory of the electronic device. The amount of the data operable to be written to the memory by the write operation is determined and the data is prevented from being written to the memory if the amount of the data is greater than or equal to a threshold.06-07-2012
20080209557SPYWARE DETECTION MECHANISM - A system and method that facilitates and effectuates detection of malware secreted and/or hidden in plain sight on a machine. The system and method in order to achieve its aims generates a list of all loaded modules, identifies from the list a set of modules common to more than a threshold number of processes, and eliminates from the list those modules included in an authentication list. The resultant list is prioritized based, in one instance, on the number of occurrences a particular module makes in the resultant list, and thereafter the list is distributed analyst workstations.08-28-2008
20080229418System and Method to Customize a Security Log Analyzer - Systems and methods adapted to customize a security log analyzer to recognize a security log, the system including at least one network security device for processing data traffic on a data network, the network security device associated with at least one computing device, and adapted to generate a security log, the system further including rule builder software adapted to generate a rule for recognizing at least one item in a security log and a log analyzer adapted to apply the rule in analyzing a security log.09-18-2008
20090106840Certification Of E-Mails With Embedded Code - Certification of embedded content in e-mail is provided. A sender wishing to have code certified for inclusion in e-mail sends the code to a token authority. A code verification engine acting automatically or in conjunction with an analyst examines the code to determine whether it poses a risk of harm to e-mail recipients. If not, the token authority issues a certificate for the embedded content. The mail sender sends e-mail to recipients including the embedded content, and the certification is sent in conjunction with the content itself. A mailbox provider inspects the received e-mail to determine whether it includes embedded content and, if so, whether a certification is attached that the embedded content is not harmful. If not, or if the message includes uncertified content in addition to certified content, then the message is rejected, or delivered with a warning that certification is not present.04-23-2009
20090106841TRAFFIC MANAGER FOR DISTRIBUTED COMPUTING ENVIRONMENTS - Techniques suitable for facilitating communications between various computer programs operating on various nodes in a distributed computing environment are disclosed. The techniques can be used by a traffic manager operating in such environments. The traffic manager is capable of monitoring traffic exchanged between client and server programs operating in the distributed computing environment. Moreover, the traffic manager can be used to implement a variety of desirable features across different computing environments. These computing environments are typically separated by one or more distinguishing characteristics. As will be appreciated, the traffic manager provides an integral and cost effective solution which can bridge these distinguishing characteristics as well as define and enforce policies across disparate computing environments. This is achieved by centralizing the generation of interfaces which allow interaction between any of the nodes in a distributed computing system. This avoids the redundancy and inefficiency inherent in building these capabilities in each node, particularly in complex systems.04-23-2009
20090070876APPARATUS AND METHOD FOR DETECTING MALICIOUS PROCESS - Provided are an apparatus and method for detecting a malicious process. The apparatus includes: a process monitoring unit for monitoring a process generated in a computing environment; a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit; a process generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a generation time; a generation time change preventing unit for preventing a change in the generation time of the target process when the target process requests to change the generation time; and a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process is generated within a predetermined reference time.03-12-2009
20090070875Distributed Stateful Intrusion Detection for Voice Over IP - An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems without an attack signature database. The illustrative embodiment is based on two observations: (1) various VoIP-related protocols are simple enough to be represented by a finite-state machine (FSM) of compact size, thereby avoiding the disadvantages inherent in signature-based intrusion-detection systems.; and (2) there exist intrusions that might not be detectable locally by the individual finite-state machines (FSMs) but that can be detected with a global (or distributed) view of all the FSMs. The illustrative embodiment maintains a FSM for each session/node/protocol combination representing the allowed (or “legal”) states and state transitions for the protocol at that node in that session, as well as a “global” FSM for the entire session that enforces constraints on the individual FSMs and is capable of detecting intrusions that elude the individual FSMs.03-12-2009
20090070874Signature-Free Intrusion Detection - An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems, without the use of an attack signature database. In particular, the illustrative embodiment is based on the observation that some VoIP-related protocols (e.g., the Session Initiation Protocol [SIP], etc.) are simple enough to be represented by a finite-state machine (FSM) of compact size. A finite-state machine is maintained for each session/node/protocol combination, and any illegal state or state transition—which might be the result of a malicious attack—is flagged as a potential intrusion.03-12-2009
20090070873SAFE WEB BASED INTERACTIONS - A system is described for providing safe web based interactions. The system may include a memory, an interface, and a processor. The memory may store a request and a web page. The interface may be operative to communicate with a user and a third party server. The processor may be operatively connected to the memory and the interface and may receive a request from the user for a web page provided by the third party server. The processor may retrieve the web page and determine if malicious data is associated with the web page. If malicious data is determined to be associated with the web page the processor may disable the malicious data. The processor may modify the web page so that subsequent interactions with the web page are redirected to the processor, through the interface. The processor may provide the web page to the user, via the interface.03-12-2009
20130133066TRANSACTION-BASED INTRUSION DETECTION - Systems and methods are provided for intrusion detection. The systems and methods may include receiving transaction information related to one or more current transactions between a client entity and a resource server, accessing a database storing a plurality of transaction groups, analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups, and based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server. The transaction groups may be formed based on a plurality of past transactions between a plurality of client entities and the resource server. Identity information of a user associated with the one or more current transactions may also be received along with the transaction information. The user may be associated with at least one of the plurality of transaction groups.05-23-2013
20130133067PATTERN MATCHING ENGINE, TERMINAL APPARATUS USING THE SAME, AND METHOD THEREOF - Provided is a pattern matching engine. The pattern matching engine calculates an error detection sign of target data and compares the calculated error detection sign with an error detection sign of a malware pattern DB. When the error detection sign of the target data and the error detection sign of the malware pattern DB are identical to each other, the pattern matching engine compares the target data with the malware pattern.05-23-2013
20130133069SILENT-MODE SIGNATURE TESTING IN ANTI-MALWARE PROCESSING - Method and computer program product for signature testing used in anti-malware processing. Silent signatures, after being tested, are not updated into a white list and are sent directly to users instead. If the silent signature coincides with malware signature, a user is not informed. A checksum (e.g., hash value) of a suspected file is sent to a server, where statistics are kept and analyzed. Based on collected false positive statistics of the silent-signature, the silent-signature is either valid or invalid. Use of the silent signatures provides for effective signature testing and reduces response time to new malware-related threats. The silent signature method is used for turning off a signature upon first false positive occurrence. Use of silent signatures allows improving heuristic algorithms for detection of unknown malware.05-23-2013
20130133070SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as a cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device.05-23-2013
20130133071SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as a cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device.05-23-2013
20100306846REPUTATION BASED LOAD BALANCING - Methods and systems for operation upon one or more data processors for efficiently processing communications based upon reputation of an entity associated with the communication.12-02-2010
20100306845MANAGING POTENTIALLY PHISHING MESSAGES IN A NON-WEB MAIL CLIENT CONTEXT - Computer-readable media and computerized methods for governing treatment of digital communications (e.g., emails and instant messages) upon identifying the communications as potentially phishing emails are provided. A service provider is employed to control behavior of an account that is assigned to an intended recipient of the communications. Controlling the behavior of the account is described in the context of a non-web mail server that renders a UI display, which is not dynamically configurable by the service provider. In one solution, controlling behavior alerts a user to the presence of communications identified as potentially phishing by aggregating these communications in a separate folder. In another solution, controlling behavior facilitates protecting the user by replacing the content of the potentially phishing communications with a warning message. This warning message optionally includes a URL link to a web browser where the user can view the original content of the potentially phishing communications.12-02-2010
20110016526METHOD AND APPARATUS FOR PROTECTING APPLICATION LAYER IN COMPUTER NETWORK SYSTEM - A method and apparatus for protecting an application layer in a computer network system. The method includes creating a session between a client and a data provider in response to a session connection request from the client, and determining the client as an application layer attacking client when the client generates a session termination request before the data provider transmits to the client a response packet to a data request from the client under the created session.01-20-2011
20110016528Method and Device for Intrusion Detection - A method and device for intrusion detection are provided. The method comprises: allocating one or more detection units for each type of network attack event to detect and configuring the type of object to detect of this type of network attack event, a detection operator and a detection knowledge base; in intrusion detection, acquiring network data packets in real time and acquiring the objects to detect included therein; then corresponding detection units performing intrusion detection according to the detection operators and detection knowledge bases configured, so as to generate network attack alarm events. The intrusion detection device comprises sequentially connected data pre-processing unit, data distribution unit and detection grid including one or more detection units, and a configuration management unit connected with them. The present invention supports accurate detection of various complex network attack events and considers the execution efficiency of the entire intrusion detection device.01-20-2011
20120174220DETECTING AND MITIGATING DENIAL OF SERVICE ATTACKS - Embodiments of this invention provide methods for detecting a denial of service attack (DoS) and isolating traffic that relates to the attack. The method may begin by collecting network traffic data by observing individual packets carried over the network. The data may then be compiled into a time series comprising network traffic data relating successive time-intervals. A difference value based upon the entry in the time series for a large time-window and for a small time-window. A deviation score may then be determined by calculating the ratio of the difference values. The deviation score may indicate whether an attack occurred. In an embodiment of the invention, an attack is deemed to occur if the deviation score is between 0.6 and 1.4.07-05-2012
20130145465MULTILAYERED DECEPTION FOR INTRUSION DETECTION AND PREVENTION - Concepts and technologies are disclosed herein for multilayered deception for intrusion detection. According to various embodiments of the concepts and technologies disclosed herein, a multilayer deception system includes honey servers, honey files and folders, honey databases, and/or honey computers. A multilayer deception system controller generates honey activity between the honey entities and exposes a honey profile with contact information associated with a honey user. Contact directed at the honey user and/or activity at any of the honey entities can trigger alarms and/or indicate an attack, and can be analyzed to prevent future attacks.06-06-2013
20100205670METHOD AND APPARATUS FOR TRACING PACKETS - A system and method for performing source path isolation in a network. The system comprises an intrusion detection system (IDS), a source path isolation server (SS08-12-2010
20110010773HARDWARE COMMAND FILTER MATRIX INTEGRATED CIRCUIT WITH RESTRICED COMMAND ENFORCEMENT CAPABILITY - A semiconductor integrated circuit includes a hardware mechanism arranged to ensure that associations between instructions and data are enforced so that a processor cannot execute an instruction that is not authorized. A Command Filter Matrix stores entries comprising instructions and associated data memory ranges. A hardware arrangement denies command execution if the CPU attempts to make a data fetch from an instruction that is outside the range associated with data in the Command Filter Matrix. The Command Filter Matrix may be implemented in a Field Programmable Gate Array such that the memory cell content is pre-programmed with entrusted code by a separate trusted hardware source. In this way, an operating system may function normally but only execute trusted instructions, commands and memory operations. The Command Filter Matrix also contains external write-only capability to enable external monitoring of performance.01-13-2011
20110041180AUDITING A DEVICE - Auditing a device is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. A sequence of modifications to the physical memory is performed. Results are provided to a verifier. Optionally, once it is determined that no evasive software is active in the physical memory, a scan is performed.02-17-2011
20110030057MATCHING WITH A LARGE VULNERABILITY SIGNATURE RULESET FOR HIGH PERFORMANCE NETWORK DEFENSE - Systems, methods, and apparatus are provided for vulnerability signature based Network Intrusion Detection and/or Prevention which achieves high throughput comparable to that of the state-of-the-art regex-based systems while offering improved accuracy. A candidate selection algorithm efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory. A parsing transition state machine achieves fast protocol parsing. Certain examples provide a computer-implemented method for network intrusion detection. The method includes capturing a data message and invoking a protocol parser to parse the data message. The method also includes matching the parsed data message against a plurality of vulnerability signatures in parallel using a candidate selection algorithm and detecting an unwanted network intrusion based on an outcome of the matching.02-03-2011
20100180343SOFTWARE UPDATING APPARATUS, SOFTWARE UPDATING SYSTEM, ALTERATION VERIFICATION METHOD AND ALTERATION VERIFICATION PROGRAM - To aim provide a software update apparatus including an install module group (07-15-2010
20110035802REPRESENTING VIRTUAL OBJECT PRIORITY BASED ON RELATIONSHIPS - Methods, systems, and computer-readable media are disclosed for representing virtual object priority based on relationships. A particular method determines relationships between a plurality of virtual objects. An abnormal condition is detected at a first virtual object. A second virtual object and a third virtual object are identified based on respective relationships with the first virtual object. The method includes generating an output that identifies the first, second, and third virtual object. The output indicates a priority level for each of the virtual objects, and the priority level for the second virtual object is greater than the priority level for the third virtual object.02-10-2011
20110041179Malware detection - According to a first aspect of the present invention there is provided a method of detecting potential malware. The method comprises, at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code, and sending the rule(s) to one or more client computers. At the or each client computer, for a given target code, executing the target code in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of the target code, and applying the rule(s) received from the server to the extracted bytestrings to determine if the target code is potential malware.02-17-2011
20090049551METHOD OF AND APPARATUS FOR MONITORING CODE TO DETECT INTRUSION CODE - A method and apparatus for monitoring a code to detect intrusion code is used to monitor target code to determine whether the target code is a resident code in a system or an intrusion code into the system. A first code pattern is extracted from the target code and a second code pattern is loaded from a storage unit, and a distance between the first code pattern and the second code pattern is calculated. The calculated distance is compared to a threshold to determine whether the target code is an intrusion code.02-19-2009
20090049550METHOD OF DETECTING AND BLOCKING MALICIOUS ACTIVITY - A method of detecting and blocking malicious activity of processes in computer memory during unpacking of a file after the code and data contained in the file are unpacked is described. The method includes inserting a hook function into one or more un-assessed processes running in the computer memory. A hook Is then placed on one or more system calls carried out by the one or more un-assessed processes; the one or more system calls determining an optimal time period in which to detect malicious activity in the un-assessed processes. During the optimal time period the one or more system calls carried out by the one or more un-assessed processes are suspended and attributes of the one or more un-assessed processes are detected and the likely maliciousness of the one or more un-assessed processes is determined from the attributes.02-19-2009
20110119762METHOD AND APPARATUS FOR DETECTION OF A FAULT ATTACK - The invention concerns a method of detecting a fault attack including providing a plurality of blinding values; generating a first set of data elements including a first group of data elements and at least one additional data element generated by performing the exclusive OR between at least one data element in the first group and at least one of the blinding values; generating a second set of data elements corresponding to the exclusive OR between each data element of the first set and a selected one of the plurality of blinding values; generating a first signature by performing a commutative operation between each of the data elements of the first set; generating a second signature by performing the commutative operation between each of the data elements of the second set; and comparing the first and second signatures to detect a fault attack.05-19-2011
20110131654SYSTEMS AND METHODS FOR AGGRESSIVE WINDOW PROBING - The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attach via improper or unusual window size settings. Responsive to the detection, the solution described herein will setup probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender.06-02-2011
20090328216PERSONALIZED HONEYPOT FOR DETECTING INFORMATION LEAKS AND SECURITY BREACHES - A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks.12-31-2009
20110214182METHODS FOR PROACTIVELY SECURING A WEB APPLICATION AND APPARATUSES THEREOF - A method, non-transitory computer readable medium, and apparatus that proactively secures a web application includes injecting one or more decoys into an executing web application. An attempt to exploit one of the one more injected decoys in the executing application is identified. At least one action to secure the executing application from the attempted exploitation is performed.09-01-2011
20110214183SYSTEMS AND METHODS FOR PERFORMING RISK ANALYSIS - A method for analyzing a network element may include assigning values to each of a plurality of vulnerabilities. The method may also include identifying a vulnerability associated with the network element and generating a risk indicator for the network element based on the assigned value associated with the identified vulnerability.09-01-2011
20110214181DUAL BYPASS MODULE AND METHODS THEREOF - A dual bypass module for managing an integrated secured network environment is provided. The module includes network ports that receive and transmit data traffic flowing through the network. The module also includes a set of monitoring ports that is configured for transmitting the data traffic between the dual bypass module and a set of monitoring systems. The module further includes a set of relays configured for controlling the flow of data through the dual bypass module. The module yet also includes a configurable integrated circuit. The configurable integrated circuit includes at least one of a first logic arrangement for determining conditions of the set of monitoring systems, a second logic arrangement for redirecting the data traffic through a secured alternate path when a monitoring system is unavailable, and a third logic arrangement for redirecting the data traffic through a secured alternate path when a communication path becomes unavailable.09-01-2011
20090100519Installer detection and warning system and method - A user of a computer system is provided with warning of unexpected or covert installation attempts using a malware or anti-virus detection engine. Even though the files that are unexpectedly attempted to be installed may be legitimate, rather than malware, the malware detection software is modified or configured to detect the unexpected installation and provide the user with an opportunity to abort the installation. A method of controlling installation of software in a computer system comprises detecting an attempt to install software on the computer system, identifying the software that was attempted to be installed, taking an action in response to identifying the software that was attempted to be installed.04-16-2009
20100218254NETWORK SECURITY SYSTEM - A method and system for preventing an unacceptable data packet directed at a computing device on a first network and sent from a client device. The method includes a step of providing a network security system remotely from the first network and the client device, the network security system having a public address and including a load balancer and at least one network security subsystem having a private address, the network security subsystem further including an intrusion detection module, the load balancer of the network security subsystem receiving the data packet destined for the computing device. The load balancer translates the destination address of the packet from the public address of the network security system to the private address of the network security subsystem and forwards the packet to the intrusion detection module of the network security subsystem. The intrusion detection module then determines whether the packet is an intrusion attempt. If the packet is not the intrusion attempt, the destination address for the packet is translated to the address of the computing device, the packet source address is translated to the public address of the network security system and the packet is forwarded to the computing device. Finally, if the packet is the intrusion attempt, a network intrusion prevention technique is performed.08-26-2010
20100132040Automated method and system for monitoring local area computer networks for unauthorized wireless access - According to an embodiment of the present invention, the wireless activity in a geographic area containing LAN connection ports is monitored using one or more sensor devices, called sniffers. By analyzing said wireless activity, one or more APs that are operating in said geographic area are identified. The active APs so identified are classified into three categories, namely “authorized” APs (those that are allowed by network administrator), “unauthorized” APs (those that are not allowed by the network administrator, but are still connected to the LAN of interest) and “external” APs (those that are not allowed by network administrator but are not connected to the LAN of interest, for example APs connected to the neighbor's LAN) by conducting one or more tests. The sniffers continue to monitor the selected geographic area to detect any wireless station attempting to connect to or communicating with the one or more identified unauthorized APs. Upon identifying unauthorized AP and/or intruding wireless station an indication is transferred to the prevention process.05-27-2010
20090328217Database context-based intrusion detection - A method for detecting an unauthorized action in a database, the method comprising estimating correlation between a predicted result of an intercepted database statement and at least one context parameter associated with the database statement, wherein lack of correlation indicates the database statement being associated with an unauthorized action.12-31-2009
20090031422METHODS AND SYSTEMS THAT SELECTIVELY RESURRECT BLOCKED COMMUNICATIONS BETWEEN DEVICES - Data communications between devices are selectively blocked and resurrected based on error notifications. Data communications from one or more source devices to one or more intended destination devices are selectively blocked based on content of the data communications. The blocked data communications are stored in a database. A blocked data communication is retrieved from the database in response to an error notification from one of the source devices and/or from one of the destination devices. The retrieved data communication is then sent to the intended destination device.01-29-2009
20090241193Enhanced Computer Intrusion Detection Methods And Systems - Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.09-24-2009
20090313699APPARATUS AND METHOD FOR PREVENTING ANOMALY OF APPLICATION PROGRAM - An apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided. The apparatus includes a behavior monitor that detects behavior of an application program in operation, an anomaly detector that determines whether the detected behavior of the application program is an anomaly on the basis of a behavior profile of the application program in operation, and an anomaly stopper that stops the behavior of the application program determined as an anomaly by the anomaly detector. Possible application program behavior is stored according to its purpose in a behavior profile and an anomaly is detected and stopped on the basis of the behavior profile, thereby decreasing a false-positive rate of anomaly detection and simultaneously solving a problem of a conventional security programs being incapable of defending against attacks using the authority of a program trusted by a user.12-17-2009
20090217378Boot Time Remediation of Malware - Aspects of the subject matter described herein relate to removing malware from a computer system. In aspects, an anti-malware engine detects malware and writes a tool onto a storage device. The anti-malware engine disguises the tool to make it more difficult for malware to detect that the tool is on the storage device. In addition, the anti-malware engine encrypts and writes remediation actions to be taken by the tool to the storage device and requests that the computer reboot. After rebooting, the computer executes the tool which takes the remediation actions including removing the malware.08-27-2009
20090217377Method and system for monitoring system memory integrity - A host system integrity monitor for monitoring memory, operating systems, applications, domain manager, and other host system's structures of interest is isolated and independent of the CPU and operating system of commodity systems. The system requires no modifications to the protected (monitored) host's software, and operates correctly even when the host system is compromised. Either arranged as a stand-alone computer on the add-in card which communicates with the monitored host system through the PCI bus, or as the co-processor based monitor located on the motherboard of the host system, or residing on one of the virtual CPU while the monitored system resides on another virtual CPU, or residing within the domain manager of the host system, the monitor of the present invention monitors the integrity of the examined structure by calculating hash values of the structure, comparing them with expected hash values, and sending error reports once the discrepancy between these values is detected.08-27-2009
20100037319TWO STAGE ACCESS CONTROL FOR INTELLIGENT STORAGE DEVICE - Systems and methods that resist malicious attacks on an intelligent storage device via an access control component that supplies security at a dual layer of defense. Such dual layer defense encompasses both resistance to brute force (e.g., unauthorized users), and resistance to a replay attack (e.g., a malicious code residing on a machine that hosts the intelligent storage device.) Accordingly, an access control component includes an anti malicious user component and an anti malicious code component, which can resist malicious attacks from both a person and a host unit with a malicious code residing thereon.02-11-2010
20100058473HEURISTIC METHOD OF CODE ANALYSIS - A method of detecting malware at a computing device. The method includes examining a software program comprising a sequence of program instructions, determining whether each instruction in the sequence meets any of a group of suspicion criteria, assigning a instruction-level score to each instruction that meets any of the suspicion criteria, summing the instruction-level scores for each instruction to yield a program-level score, determining whether the program-level score exceeds a threshold, and, if the program-level score exceeds a threshold, developing a report indicating a malware detection result.03-04-2010
20100071062MECHANISM FOR IDENTIFYING MALICIOUS CONTENT, DoS ATTACKS, AND ILLEGAL IPTV SERVICES - Mechanism for identifying malicious content, DoS attacks, and illegal IPTV services. By monitoring the characteristics of various control messages being transmitted within a network that services Internet protocol television (IPTV) content to identify suspicious behavior (e.g., such as that associated with malicious content, denial of service (DoS) attacks, IPTV service stealing, etc.). In addition to monitoring control messages within such a network, deep packet inspection (DPI) may be performed for individual packets within an IPTV stream to identify malicious content therein (e.g., worms, viruses, etc. actually within the IPTV stream itself). By monitoring control messages and/or actual IPTV content within a network (e.g., vs. at the perimeter of a network only), protection against both outside and inside attacks can be effectuated. This network level basis of operation effectively guards against promulgation of malicious content to other devices within the network.03-18-2010
20100071061Method and Apparatus for Whole-Network Anomaly Diagnosis and Method to Detect and Classify Network Anomalies Using Traffic Feature Distributions - To improve network reliability and management in today's high-speed communication networks, we propose an intelligent system using adaptive statistical approaches. The system learns the normal behavior of the network. Deviations from the norm are detected and the information is combined in the probabilistic framework of a Bayesian network. The proposed system is thereby able to detect unknown or unseen faults. As demonstrated on real network data, this method can detect abnormal behavior before a fault actually occurs, giving the network management system (human or automated) the ability to avoid a potentially serious problem.03-18-2010
20100064367INTRUSION DETECTION FOR COMPUTER PROGRAMS - A method of detecting intrusion in a computer program which has number of defined libraries and includes cross border instructions which cause execution to branch from a source library to a target library. The method comprises the step of determining whether execution of the program is in an area consistent with normal execution of the program, by checking whether the source library of a cross border instruction is the expected current execution library of the program. Each cross border instruction has a code stub identifying the source library, and when a legal cross border instruction is executed the target library becomes the current execution library. The method also checks that the target address of a cross border instruction is a legal address. In another arrangement, areas of the program are set so that a cross border instruction will generate page protection fault which is intercepted by the intrusion detection system so that the cross border instruction can be checked.03-11-2010
20100071063SYSTEM FOR AUTOMATIC DETECTION OF SPYWARE - An automatic system for spyware detection and signature generation compares packets of output from a computer in response to standard user inputs, to packets of a standard output set derived from a known clean machine. Differences between these two packet sets are analyzed with respect to whether they relate to unknown web servers and whether they incorporate user-derived information. This analysis is used to provide an automatic detection of and signature generation for spyware infecting the machine.03-18-2010
20110252475Complementary Character Encoding for Preventing Input Injection in Web Applications - Method to prevent the effect of web application injection attacks, such as SQL injection and cross-site scripting (XSS), which are major threats to the security of the Internet. Method using complementary character coding, a new approach to character level dynamic tainting, which allows efficient and precise taint propagation across the boundaries of server components, and also between servers and clients over HTTP. In this approach, each character has two encodings, which can be used to distinguish trusted and untrusted data. Small modifications to the lexical analyzers in components such as the application code interpreter, the database management system, and (optionally) the web browser allow them to become complement aware components, capable of using this alternative character coding scheme to enforce security policies aimed at preventing injection attacks, while continuing to function normally in other respects. This approach overcomes some weaknesses of previous dynamic tainting approaches by offering a precise protection against persistent cross-site scripting attacks, as taint information is maintained when data is passed to a database and later retrieved by the application program. The technique is effective on a group of vulnerable benchmarks and has low overhead.10-13-2011
20120304297DETECTING MALICIOUS DEVICE - A wireless access point and a method may be provided for detecting a malicious device in a network. The wireless access point may include a controller, a search unit, a message generation unit, and a determination unit. The controller may be configured to initiate a malicious device detection mode regularly at predefined intervals. The search unit may be configured to detect candidate devices broadcasting a signal with the first SSID from neighbor devices in an associated network. The message generation unit may be configured to generate a test message in the malicious device detection mode and transmit the test message to the candidate devices. The determination unit may be configured to determine a corresponding device in the candidate device as a malicious device when a test response message is not received from the corresponding device in response to the test message.11-29-2012
20120304296DETECTING WEB BROWSER BASED ATTACKS USING BROWSER RESPONSE COMPARISON TESTS LAUNCHED FROM A REMOTE SOURCE - The detection of web browser-based attacks using browser test launched from a remote source is described. In one example, it is determined that a test should be performed responsive to receiving an HTTP message sent by a client device and a policy. The test is performed with the client device to determine only whether content intended to be communicated between the HTTP client and the web application server using an HTTP message has been modified by malware on the HTTP client. The test includes the sending of an HTTP response to the HTTP client. The results of the test are analyzed and defensive measures are taken.11-29-2012
20110179489HOST INTRUSION PREVENTION SERVER - An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.07-21-2011
20110083182PHISHING SOLUTION METHOD - A method for preventing phishing attacks is provided. The method in one aspect includes identifying a source image file that was used fraudulently, replacing the content of the source image file with a warning, and allowing the source image file having the warning to be accessed.04-07-2011
20110083181COMPREHENSIVE PASSWORD MANAGEMENT ARRANGMENT FACILITATING SECURITY - Computer-implemented process and apparatus for screening data for malware. Received data stored in at least one data store includes at least: (i) a first protected item of data containing contents that are generally inaccessible without specific access credential information, and (ii) specific access credential information corresponding to the first protected item of data. The received data is analyzed to detect any protected items of data therein based on predetermined protected data item identification criteria and to detect any access credential information contained therein based on predetermined access credential identification criteria. In response to a detection of the specific access credential information in the at least one data store, the specific access credential information is stored in the at least one data store in a grouping arrangement with other access credential information. In response to a detection of the first protected item of data, use the specific access credential information is stored in the grouping arrangement to facilitate access to the first protected item of data by a malware screening process to extract its content. The malware screening process is executed to scan the content extracted from the first protected data item to detect a presence of malware.04-07-2011
20110083180METHOD AND SYSTEM FOR DETECTION OF PREVIOUSLY UNKNOWN MALWARE - A system, method and computer program product for detection of the previously unknown malware, the method comprising: (a) receiving event information and file metadata from a remote computer; (b) identifying whether the event information or the file metadata are indicative of the already known malware presence, indicative of the unknown malware presence, or indicative of malware absence; (c) if the event information or the file metadata are indicative of the known malware or indicative of malware absence, filtering out the event information and the file metadata; (d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata to determine if the event and the file metadata are indicative of the previously unknown malware presence; and (e) where performing a risk analysis and risk assessment includes a “parent-child” hierarchy of the files, and the risk assessed to the parent is based on the risk associated with the child.04-07-2011
20110078795THREAT PROTECTION NETWORK - Threat protection networks are described. Embodiments of threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server, the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer.03-31-2011
20110078793EXTENSIBLE AUTHENTICATION PROTOCOL ATTACK DETECTION SYSTEMS AND METHODS - The present disclosure provides systems and methods for detecting attacks against authentication mechanisms that generate Transport Layer Security (TLS) tunnels using a server public key. Such attacks can include misconfigured wireless local area network (WLAN) clients that fail to authenticate the server public key prior to creating the TLS tunnels and exchanging credentials. In an exemplary embodiment, an intrusion detection system (IDS) or intrusion prevention system (IPS) is aware of the server public key and monitors for authentication handshakes to detect invalid keys.03-31-2011
20110078794Network-Based Binary File Extraction and Analysis for Malware Detection - A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.03-31-2011
20110252474SYSTEM AND METHOD FOR ENSURING SCANNING OF FILES WITHOUT CACHING THE FILES TO NETWORK DEVICE - A method and system for ensuring scanning of suspicious computer files without unnecessary caching of the files on a network device is provided. A network device receives a suspicious computer file and determines whether a target computer is protected by a malware protection program. If the network device determines that the target computer is protected by the malware protection program, the network device modifies the suspicious computer file to make the suspicious computer file unusable by the target computer and sends the modified suspicious computer file to the target computer.10-13-2011
20120137365ANTI-MALWARE SCANNING SYSTEM AND METHOD THEREOF - Provided are an anti-malware scanning system and a method thereof. The system includes: a host; and a chip which is removably connected to the host, receives a file to be scanned from the host, and scans whether malware exists in the file, wherein the host adjusts a size of the file to be scanned to correspond to a storage capacity of a storage unit of the chip and transmits the adjusted file to the chip. Accordingly, scanning is performed effectively even in an environment in which resources of the anti-malware scanning system are limited.05-31-2012
20110041181METHOD FOR DETECTING ATTACKS TO MULTIMEDIA SYSTEMS AND MULTIMEDIA SYSTEM WITH ATTACK DETECTION FUNCTIONALITY - A method for detecting attacks to multimedia systems, wherein a communication path (02-17-2011
20110061104SYSTEM AND METHOD FOR PROBABILISTIC ATTACK PLANNING - A system and method for automated probabilistic planning of network attacks against infrastructures of computer networks and applications is provided. The embodiments automate the analysis and probabilistic planning of multi-step attacks to computer and application networks (in particular in the context of automating penetration tests), optimizing with respect to one of the following metrics: the probability of success of the actions, a numerical parameter that must be minimized (e.g., running time), or the number of logs generated by the control devices in the target network.03-10-2011
20100313267SYSTEMS AND METHODS FOR EFFICIENT KEYWORD SPOTTING IN COMMUNICATION TRAFFIC - Methods and systems related to keyword searching processes. A list of keywords may be first represented by a set of short substrings. The substrings are selected such that an occurrence of a substring indicates a possible occurrence of one or more of the keywords. Input data may be initially pre-processed, so as to identify locations in the input data in which the substrings occur. Then, the identified locations are searched for occurrences of the actual keywords. The pre-processing scheme enables the keyword search process to search only in the identified locations of the substrings instead of over the entire input data.12-09-2010
20110030056INFORMATION PROCESSING APPARATUS - Provided is an information processing apparatus capable of protecting against an unauthorized access from outside without increasing load of packet analysis and also capable of performing protection from a device inside a network. The information processing apparatus has a first network interface (illustrated using an NIC as an example) and is communicable with other information processing apparatus via the NIC. The information processing apparatus further has a second network interface (illustrated using an energy saving NIC as an example) for performing communication with other information processing apparatus in place of the NIC. The information processing apparatus executes switching processing for switching a network interface to be operated from the NIC to the energy saving NIC when an unauthorized access from outside is detected. At the time of the switching processing, internal information of the information processing apparatus is saved in the energy saving NIC.02-03-2011
20110154494Methods and Systems for Network Attack Detection and Prevention Through Redirection - Methods and systems for detection and/or prevention of network attacks can include the use of multiple and/or time-dependent addresses coupled with filtering by the directory or naming service. The directory service can respond to requests for the address of a resource by returning an address that can be relocated over time by coordinating the directory service entry with the host and network address configuration data and/or by returning an address specific to the requestor. Thus, the directory service can track and build profiles of matches between requestors and accesses. The methods and systems can use the time dependent addresses and profiles to distinguish legitimate accesses from unauthorized or malicious ones. Requests for non-valid addresses can be misdirected to “empty” addresses or to detection devices.06-23-2011
20110154493METHODS FOR INSPECTING DATA AND DEVICES THEREOF - A method, computer readable medium, and apparatus that inspects data includes isolating retrieved target data within a protected construct with the data inspection processing apparatus. The security software is isolated such that the security software is able to access the target data within the protected construct with the data inspection processing apparatus. The data inspection processing apparatus scans the isolated target data with the isolated security software. The data inspection processing apparatus reports whether one or more security threats have been identified from the scan of the isolated retrieved target data.06-23-2011
20110154492MALICIOUS TRAFFIC ISOLATION SYSTEM AND METHOD USING BOTNET INFORMATION - The present invention relates to a malicious traffic isolation system and method using botnet information, and more particularly, to a malicious traffic isolation system and method using botnet information, in which traffics for a set of clients having the same destination are routed to the isolation system based on a destination IP/Port, and botnet traffics are isolated using botnet information based on similarity among groups of the routed and flowed in traffics. The present invention may provide a malicious traffic isolation method using botnet information, which can accommodate traffics received from a PC or a C&C server infected with a bot into a quarantine area, isolate traffics generated by normal users from traffics transmitted from malicious bots, and block the malicious traffics. In addition, the present invention may provide a malicious traffic isolation method using botnet information, which can provide a function of mitigating DDoS attacks of a botnet.06-23-2011
20110154491REMOVING AN ACTIVE APPLICATION FROM A REMOTE DEVICE - A system and a method are disclosed for managing applications on a mobile computing device. A command message is received at the mobile computing device specifying a command and a target application. The command message may have been sent by a application provider server. The command may be a removal command, an enable command, or a disable command. A removal or disable command may be used to remove or disable a problematic target application. The specified command is performed on the target application.06-23-2011
20110154490Malicious Software Prevention Using Shared Information - A method and apparatus for managing executable files. Responsive to detecting a request to run an executable file on a computer, a processor unit determines whether the executable file was downloaded to the computer within a period of time associated with a recent download. Responsive to a determination that the executable file was downloaded to the computer within the period of time, the processor unit determines whether feedback for the executable file from a number of users of the executable file is present in a repository. The feedback identified for the executable file in the repository is presented using a presentation system. User input as to whether the executable file should be run is prompted for by the processor unit after presenting the feedback.06-23-2011
20110258701Protecting A Virtualization System Against Computer Attacks - In certain embodiments, protecting a virtualization system against computer attacks comprises facilitating operation of hypervisors comprising operation zone hypervisors and one or more forensic hypervisors. Each hypervisor operates on a corresponding physical machine, and each operation zone hypervisor manages one or more virtual machines. An assurance procedure is initiated for the hypervisors. At least one virtual machine of a first operation zone hypervisor is moved to a forensic hypervisor to analyze the potential attack. The first operation zone hypervisor is cleaned.10-20-2011
20120204263METHOD AND APPARATUS FOR PREVENTING DOS ATTACKS ON TRUNK INTERFACES - A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.08-09-2012
20100037317MEHTOD AND SYSTEM FOR SECURITY MONITORING OF THE INTERFACE BETWEEN A BROWSER AND AN EXTERNAL BROWSER MODULE - A method for detecting attacks that exploit vulnerabilities in an external module of a primary application is disclosed. The method begins with receiving from the primary application an external module method call that includes a module identifier and a module parameter. Thereafter, the external module method call is intercepted prior to the instantiation of the external module. The external module method call, which may include various data, is compared to the signature rules that are correlated to an attack attempt. If there is a match, then a resulting action part defined in the signature rule is evaluated. Otherwise, the external module is invoked.02-11-2010
20090222921Technique and Architecture for Cognitive Coordination of Resources in a Distributed Network - A system and method are disclosed for utilizing resources of a network. A constructive proof that a subset of resources is sufficient to satisfy the objective of a system can be generated. The constructive proof can comprise instructions for using the subset of resources. A set of computer-executable instructions can be created from the constructive proof and executed on a host device. The computer-executable instructions can control a data output device according to the instructions of the constructive proof.09-03-2009
20090138970Method and System for Detecting Intrusions - A method of automatically detecting intrusions among events under surveillance. The method comprises comparing an event under surveillance to a set of patterns, each pattern being associated with a predetermined intrusion signature from a set of intrusion signatures, determining among said set of intrusion signatures a subset of intrusion signatures revealing a particular intrusion in said event under surveillance, and dynamically generating a new signature corresponding to said subset of intrusion signatures, said new signature being dedicated to recognizing said particular intrusion.05-28-2009
20110179487METHOD AND SYSTEM FOR USING SPAM E-MAIL HONEYPOTS TO IDENTIFY POTENTIAL MALWARE CONTAINING E-MAILS - A method and apparatus for employing honeypot systems to identify potential malware containing messages whereby a decoy system to receive illegitimate e-mails is established. E-mails sent to the spam e-mail honeypot decoy are initially scanned/filtered and e-mails that are not considered possible malware containing e-mails are filtered out while the remaining e-mails sent to the spam e-mail honeypot decoy are identified as potential malware containing e-mails. One or more features, and/or feature values, of the identified e-mails are then identified, extracted and ranked. Once a given feature, and/or feature value, occurs more than a burst threshold number of times, the status of the given feature, and/or feature value, is transformed to that of suspicious e-mail parameter.07-21-2011
20110162070MALWARE DETECTION VIA REPUTATION SYSTEM - A computer network device receives a digital file and extracts a plurality of high level features from the file. The plurality of high level features are evaluated using a classifier to determine whether the file is benign or malicious. The file is forwarded to a requesting computer if the file is determined to be benign, and blocked if the file is determined to be malicious.06-30-2011
20090126021SECURE INITIALIZATION OF INTRUSION DETECTION SYSTEM - Secure initialization for detecting intrusions is disclosed. The secure initialization includes storing a behavior profile associated with an application, and reading the stored behavior profile that is cryptographically protected. The method further includes monitoring execution of the application during a bootstrapping phase of an intrusion detection system, according to the stored behavior profile. If the behavior of the application does not conform to the behavior profile, a message is issued indicating that the application is not conforming to the behavior profile. The behavior profile can be generated by a developer of the intrusion detection system, a developer of the application, and/or a third party developer. Additionally, the behavior profile is generated by executing the system on a reference computer system or by heuristic determination.05-14-2009
20090126020ENGINE FOR RULE BASED CONTENT FILTERING - An engine for editing contents of data containers has a set of processors which hosts a set of controllers, each controller coupled to a respective set of transcoders. A memory device stores an array of Boolean variables characterizing the contents of a container, and an array of encoded rules for determining needed content editing, if any. The Boolean variables are determined according to content descriptors and respective criteria. A graphical user interface enables a user to provide the descriptors, the criteria, and the encoded rules. Each transcoder applies the encoded rules to specific containers. A transcoder also performs container adaptation functions which may modify contents of a container to be compatible with a respective receiver. The engine receives containers from clients through a network and directs each container to a respective controller.05-14-2009
20080313737Stateful and Cross-Protocol Intrusion Detection for Voice Over IP - A method for detecting intrusions that employ messages of two or more protocols is disclosed. Such intrusions might occur in Voice over Internet Protocol (VoIP) systems, as well as in systems in which two or more protocols support some service other than VoIP. In the illustrative embodiment of the present invention, a stateful intrusion-detection system is capable of employing rules that have cross-protocol pre-conditions. The illustrative embodiment can use such rules to recognize a variety of VoIP-based intrusion attempts, such as call hijacking, BYE attacks, etc. In addition, the illustrative embodiment is capable of using such rules to recognize other kinds of intrusion attempts in which two or more protocols support a service other than VoIP. The illustrative embodiment also comprises a stateful firewall that is capable of employing rules with cross-protocol pre-conditions.12-18-2008
20110055924GRAPH STRUCTURES FOR EVENT MATCHING - A system for matching a system event to a rule is disclosed. The system includes a computer-readable data structure comprising a plurality of system event rules organizable as a partially ordered set. The system also includes a processor configured to analyze the computer-readable data structure to determine whether an event matches a description set of at least one rule from the plurality of system event rules. Methods and machine-readable mediums are also disclosed.03-03-2011
20110055923HIERARCHICAL STATISTICAL MODEL OF INTERNET REPUTATION - In embodiments of the present invention improved capabilities are described for predicting the reputation of a communication identifier, such as a web address, a domain name, an IP address, host name, email address, IM address, telephone number, VoIP telephony address, and the like. In embodiments, the present invention may receive a communication from a first communication identifier, parse the first communication identifier into its components, and assign the components to a hierarchical tree structure, where the hierarchical tree structure maintains the hierarchical relationship between the components of the communication identifier. The present invention may monitor and keep count of a number of communications from the first communication identifier, wherein the number of communications may be kept for both malicious and/or unwanted communications and non-malicious and/or unwanted communications. Attributes may then be provided to the number of communications for each appropriate component of the hierarchical tree, and a statistical measure may be calculated as related to the number of communications for each component of the hierarchical tree. The present invention may then receive a communication from a second communication identifier, where the second communication identifier may be previously unknown and have a common component with the hierarchical tree. The statistical measure of the common component may then be assigned to the second communication identifier, and utilizing the statistical measure assigned to the second communication identifier, may provide a prediction of reputation of the second communication identifier.03-03-2011
20120204264METHOD, APPARATUS AND SYSTEM FOR DETECTING BOTNET - A method, an apparatus, and a system for detecting Botnet are disclosed. The method for detecting Botnet includes: obtaining an address information about a control host in a Bot sample by using an auto breakout environment; sending a query request message to a traffic analysis device to obtain an address information of a Bot host connected with the control host, in which the query request message carries the address information about the control host; and receiving a query response message returned by the traffic analysis device, in which the query response message carries the address information of the Bot host connected with the control host. The method for detecting Botnet can obtain the Botnet information in real time and construct a topology of the Botnet.08-09-2012
20100281542Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems - Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.11-04-2010
20110016525APPARATUS AND METHOD FOR DETECTING NETWORK ATTACK BASED ON VISUAL DATA ANALYSIS - An apparatus for detecting a network attack includes a traffic image generator for generating a traffic image using traffic information and additional IP information extracted from the traffic information; a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack; and a network attack analyzer for analyzing the traffic image at a time when the network attack is detected to detect network attack information and pattern information of the network attack. A representation unit for visualizing the network attack information and the pattern information of the network attack.01-20-2011
20110016527Real-time network updates for malicious content - A global response network collects, analyzes, and distributes “cross-vector” threat-related information between security systems to allow for an intelligent, collaborative, and comprehensive real-time response.01-20-2011
20110119761Mitigating Low-Rate Denial-of-Service Attacks in Packet-Switched Networks - A method includes determining, at a network routing device, an average packet drop rate for a plurality of aggregations of packet flows. The method also determines a threshold packet drop rate based on the average packet drop rate, a current packet drop rate for a select aggregation of the plurality of aggregations, and whether at least one packet flow of the select aggregation is potentially subject to a denial-of-service attack based on a comparison of the current packet drop rate to the threshold packet drop rate.05-19-2011
20120311707INTRUSIVE SOFTWARE MANAGEMENT - Intrusion features of a landing page associated with sponsored content are identified. A feature score for the landing page based on the identified intrusion features is generated, and if the feature score for the landing page exceeds a feature threshold, the landing page is classified as a candidate landing page. A sponsor account associated with the candidate landing page can be suspended, or sponsored content associated with the candidate landing page can be suspended.12-06-2012
20120278890INTRUSION DETECTION IN COMMUNICATION NETWORKS - An intrusion detection arrangement (11-01-2012
20120151584METHOD FOR BLOCKING DENIAL-OF-SERVICE ATTACK - Disclosed herein is a method for blocking a Denial-of-Service (DoS) attack. A server extracts a plurality of suspicious packets including data, length of which is equal to or greater than a preset length, from a plurality of received packets. The server determines a packet, which includes data composed of characters or character strings identical to each other, among the plurality of suspicious packets, to be an attack packet. The server blocks a packet corresponding to the attack packet. Accordingly, the present invention can block a DoS attack based on UDP flooding.06-14-2012
20100186089METHOD AND SYSTEM FOR PROTECTING CROSS-DOMAIN INTERACTION OF A WEB APPLICATION ON AN UNMODIFIED BROWSER - A system and method for protecting cross-domain interaction of a web application on an unmodified browser. The system includes: a security framework, which is created by a browser. The security framework further includes: a component creator for creating components from a plurality of sources; and supervision module for supervising and controlling scripts/codes executed during the creation of components and invocation and interaction operations performed by various components after the creation of components.07-22-2010
20110138465MITIGATING MALICIOUS FILE PROPAGATION WITH PROGRESSIVE IDENTIFIERS - A method and system for mitigating a propagation of a file that includes malicious code. Segments of the file are determined by a series of sizes determined by a function ƒ. Signatures identifying segments of the file are determined by applying a hash function to each segment. A complete match between the file and a malicious file is determined by determining a first match between signature(s) identifying a first set of segment(s) of the file and signature(s) identifying corresponding segment(s) of the malicious file and by determining a second match between a signature identifying a final segment of the file and a signature identifying a last segment of the malicious file. Responsive to determining the complete match, the file is identified as the malicious file and a transfer of the final segment of the file is interdicted.06-09-2011
20110138466METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR PROTECTING AGAINST IP PREFIX HIJACKING - A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each of the at least one potential hijack AS.06-09-2011
20100180344Systems and Methods For Malware Classification - Disclosed are systems, methods and computer program products for detection, classification and reporting of malicious software. A method comprises loading software code into a computer system memory and emulating the software code. The software code and its activity log are then analyzed for presence of a malware. If a malware is detected, an execution flow graph is created from the activity log. The execution flow graph is then parsed using heuristic analysis to identify one or more malicious behavior patterns therein. Then, similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware are computed. The emulated software code is then classified into one or more classes of malware based on the computed similarity indexes. Finally, a comprehensive malware report of the emulated software code is generated based on the execution flow graph and malware classification information.07-15-2010
20100115618METHOD AND DEVICE FOR DETECTING UNKNOWN NETWORK WORMS - A method and device for detecting a network worm on the network allows early detection of an unknown network worm with less computational quantity based on a change of randomness occurring to network traffic without using a pattern-matching-based worm detecting method or a behavior-based worm detecting method.05-06-2010
20100115617Event Detection/Anomaly Correlation Heuristics - A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.05-06-2010
20110099631Distributed Packet Flow Inspection and Processing - Distribution of network processing load among a set of packet processing devices is improved by employing means for eliminating, controlling, or otherwise affecting redundant packet processing operations. In one embodiment, at least two packet processing devices are present, both capable of processing data packets flowing therethrough, such as, inspecting, detecting, and filtering data packets pursuant to one or more filters from a filter set. Redundancy is controlled by providing or enabling either or both of the packet processing devices with capability for detecting during its said inspection of said data packets that, for example, one or more filters had been previously executed on said data packets by the other packet processing device, and then not executing the previously-executed filters on said data packets.04-28-2011
20100077479METHOD AND APPARATUS FOR DETERMINING SOFTWARE TRUSTWORTHINESS - Aspects of the invention relate to a method, apparatus, and computer readable medium for determining software trustworthiness. In some examples, a software package identified as including at least one file of unknown trustworthiness is installed on a clean machine. A report package including a catalog of files that have been installed or modified on the clean machine by the software package is generated. Identification attributes for each of the files in the catalog is determined. Each of the files in the catalog is processed to assign a level of trustworthiness thereto. The report package is provided as output.03-25-2010
20110179488KERNAL-BASED INTRUSION DETECTION USING BLOOM FILTERS - Kernel-based intrusion detection using Bloom filters is disclosed. In one of many possible embodiments for detecting an intrusion attack, a Bloom filter is provided and used to generate a Bloom filter data object. The Bloom filter data object contains data representative of expected system-call behavior associated with a computer program. The Bloom filter data object is embedded in an operating system (“OS”) kernel upon an invocation of the computer program. Actual system-call behavior is compared with the data in the Bloom filter data object.07-21-2011
20110145921OBFUSCATED MALWARE DETECTION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instruction subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instructions and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable.06-16-2011
20110185423METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION - A method for detecting malware includes the steps of identifying a one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects includes the executable objects that are associated with the open network connections that are connected to the first network destination.07-28-2011
20110185422Method and system for adaptive anomaly-based intrusion detection - The input characteristics of a real-time IDS change continuously with time therefore setting a rigid (time and behavior invariant) classification threshold limits the accuracy that the IDS can potentially achieve. A generic threshold tuning method and system is proposed which can adaptively tune the detection threshold of a real-time IDS in accordance with varying host and network behavior. The method and system perform statistical and information-theoretic analyses of network and host-based IDSs' anomaly based intrusions to reveal a consistent time correlation structure between benign activity periods which is used to predict future anomaly scores and to adapt an IDS' detection threshold accordingly.07-28-2011
20090300763METHOD AND SYSTEM FOR DETECTING CHARACTERISTICS OF A WIRELESS NETWORK - Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point.12-03-2009
20090300761Intelligent Hashes for Centralized Malware Detection - A suspicious entity is identified. An intelligent hash for the suspicious entity is generated, wherein the intelligent hash includes a set of metadata that is specific to the suspicious entity and at least some of the metadata is invariant over changes to the suspicious entity. The intelligent hash is transmitted to a server for evaluation of whether the suspicious entity corresponds to the malware entity. The server is adapted to determine whether the suspicious entity corresponds to the malware entity based on the intelligent hash. A result is received from the server specifying whether the suspicious entity corresponds to the malware entity.12-03-2009
20090293123METHODS AND APPARATUS TO MITIGATE A DENIAL-OF-SERVICE ATTACK IN A VOICE OVER INTERNET PROTOCOL NETWORK - Methods and apparatus to mitigate a Denial-of-Service (DoS) attack in a voice over Internet protocol (VoIP) network are disclosed. An example method comprises receiving a communication session initiation message from a communication session endpoint, determining whether the communication session endpoint is associated with a probable DoS attack, and sending to the communication session endpoint a communication session initiation response message comprising a DoS header when the communication session endpoint is associated with the probable DoS attack.11-26-2009
20100024033APPARATUS AND METHOD FOR DETECTING OBFUSCATED MALICIOUS WEB PAGE - An apparatus and method for detecting an obfuscated malicious web page are provided to find a malicious web page by deobfuscating an obfuscated malicious code. The apparatus includes an obfuscated code detector that detects whether an obfuscated code is included in a source code of a web page, a deobfuscation function inserter that reconfigures the source code by inserting a function for deobfuscating the obfuscated code into the source code, a deobfuscator that is called by the function inserted into the reconfigured source code and deobfuscates the obfuscated code, and a malicious code detector that detects a malicious code using the deobfuscated code.01-28-2010
20100017879Method and System for Intrusion Detection - Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key, wherein the license container provides licenses and cryptographic keys for the protected software to protect its usage and its integrity, and wherein the protected computer software is at least partly encrypted and uses the associated cryptographic keys to decrypt said protected software for executing comprises the following steps: during execution of the protected software, analyzing the behavior of the protected software and/or the execution environment of the protected software on the computer system, and searching for patterns of an intrusion or an intruding program, detecting an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access, and creating a signal on detection of an attack.01-21-2010
20110307955SYSTEM AND METHOD FOR DETECTING MALICIOUS CONTENT - A system and method for detecting malicious code in web content is described. A controller receives information, routes the information to the appropriate module and determines whether a user receives the web content or a report of a detection of malicious code. A vulnerability definition generator generates vulnerability definitions. A parser parses web content into static language constructions. A translation engine translates the static language constructions into trap rules, translates the web content into application programming interface (API) calls and determines whether the API calls trigger any of the trap rules. A sandbox engine generates an environment that mimics a browser and executes dynamic parts of the web content and determines whether a dynamic part triggers a trap rule.12-15-2011
20090158431METHOD OF DETECTING POLYMORPHIC SHELL CODE - There is provided a method of detecting a polymorphic shell code. The decoding routine of the polymorphic shell code is detected from received data. In order for the decoding routine to access the address of an encoded code, the address of a currently executed code is stored in a stack, the value is moved in a register table, and it is determined whether the value is actually used for operating a memory. Emulation is finally performed and the degree of correctness of detection is improved. Therefore, time spent on detecting the polymorphic shell code and an overhead are reduced and the correctness of detection is increased.06-18-2009
20110314542TREATMENT OF MALICIOUS DEVICES IN A MOBILE-COMMUNICATIONS NETWORK - A method of remotely treating malicious mobile terminals connected to a mobile communications network. In one embodiment, when a malicious mobile terminal is detected by the intrusion-detection services of the network, the network changes the subscriber profile associated with the mobile terminal to operate the latter in a quarantine mode. The packet-switched subsystem of the network then links the quarantined mobile terminal to a remediation manager. The remediation manager remotely treats the mobile terminal, e.g., to repair or reinstall any corrupted software, terminate any active malicious processes, delete or quarantine any malware, and restore the operating system, configuration, and/or memory of the mobile terminal to a clean operational state. After the treatment, the network reverts the subscriber profile back to the initial state and removes the mobile terminal from the quarantine.12-22-2011
20100212012Systems and Methods for Providing Real Time Access Monitoring of a Removable Media Device - In various embodiments, a method comprises detecting a removable media device coupled to a digital device, authenticating a password to access the removable media device, injecting redirection code into the digital device, intercepting, with the redirection code, a request for data, determining to allow the request for data based on a security policy, and providing the data based on the determination. The method may further comprise selecting the security policy from a plurality of security policies based, at least in part, on the password and/or filtering the content of the requested data. Filtering the content may comprise scanning the data for malware. Filtering the content may also comprise scanning the data for confidential information.08-19-2010
20120060218SYSTEM AND METHOD FOR BLOCKING SIP-BASED ABNORMAL TRAFFIC - Provided is a system for blocking session initiation protocol (SIP)-based abnormal traffic. The system includes: a policy database (DB) in which allowed traffic is stored according to transmission priority; an abnormal traffic response module which receives traffic from a first network and transmits only portions of the received traffic, which match the allowed traffic stored in the policy DB, to a second network in order of transmission priority; and an abnormal traffic detection module which analyzes the traffic received from the first network and provides an activation signal to the abnormal traffic response module when detecting that the received traffic is abnormal traffic, wherein the abnormal traffic response module transmits the portions of the received traffic, which match the allowed traffic stored in the policy DB, to the second network such that the sum of the portions transmitted to the second network does not exceed a maximum allowed traffic limit.03-08-2012
20120060217ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY - A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications.03-08-2012
20120210427CONFIGURABLE INVESTIGATIVE TOOL - This disclosure provides example techniques to invoke one or more tools, with an investigative tool. The investigative tool provides a common framework that allows investigators to invoke their own trusted tools or third-party generated tools. The investigative tool described herein seamlessly and transparently invokes the tools in accordance with an investigative profile created by the investigator.08-16-2012
20120047579INFORMATION DEVICE, PROGRAM, METHOD FOR PREVENTING EXECUTION OF UNAUTHORIZED PROGRAM CODE, AND COMPUTER READABLE RECORDING MEDIUM - An unauthorized access relating to buffer overflow is prevented reliably and easily, without dependence on the function that a CPU processes. An information device (02-23-2012
20120210428FLOW DATA FOR SECURITY INTRUSION DETECTION - Disclosed herein are techniques for detecting possible security intrusions in a computer network. The security intrusion detection may be based on analyzing patterns of how transactions flow through one or more software applications. For example, patterns of transaction flows are determined for an initial time period to establish a baseline of normal flow patterns. These normal flow patterns may be compared with patterns for transaction flows for a later time period. Deviations in the patterns of transaction flow may indicate a possible security intrusion.08-16-2012
20120005752Method and system for detecting and removing hidden pestware files - A method and system for detecting and removing a hidden pestware file is described. One illustrative embodiment detects, using direct drive access, a file on a computer storage device; determines whether the file is also detectable by the operating system by attempting to access the file using a standard file Application-Program-Interface (API) function call of the operating system; identifies the file as a potential hidden pestware file, when the file is undetectable by the operating system; confirms through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and removes automatically, using direct drive access, the hidden pestware file from the storage device.01-05-2012
20120005751Systems and Methods for Creating Customized Confidence Bands for Use in Malware Detection - A computer-implemented method for creating customized confidence bands for use in malware detection may include 1) identifying a portal for receiving executable content, 2) identifying metadata relating to the portal, 3) analyzing the metadata to determine what risk executable content received via the portal poses, and then 4) creating, based on the analysis, a confidence band to apply during at least one disposition of executable content received via the portal. Various other methods, systems, and computer-readable media are also disclosed.01-05-2012
20120005753INTRUSIVE SOFTWARE MANAGEMENT - Intrusion features of a landing page associated with sponsored content are identified. A feature score for the landing page based on the identified intrusion features is generated, and if the feature score for the landing page exceeds a feature threshold, the landing page is classified as a candidate landing page. A sponsor account associated with the candidate landing page can be suspended, or sponsored content associated with the candidate landing page can be suspended.01-05-2012
20120005750Systems and Methods for Alternating Malware Classifiers in an Attempt to Frustrate Brute-Force Malware Testing - A computer-implemented method for alternating malware classifiers in an attempt to frustrate brute-force malware testing may include (1) providing a group of heuristic-based classifiers for detecting malware, wherein each classifier within the group differs from all other classifiers within the group but has an accuracy rate that is substantially similar to all other classifiers within the group, (2) including the group of classifiers within a security-software product, and (3) alternating the security-software product's use of the classifiers within the group in an attempt to frustrate brute-force malware testing by (a) randomly selecting and activating an initial classifier from within the group and then, upon completion of a select interval, (b) replacing the initial classifier with an additional classifier randomly selected from within the group. Various other methods, systems, and computer-readable media are also disclosed.01-05-2012
20110167492Virtual Browsing Environment - An embodiment for providing a secure virtual browsing environment includes creating a virtual browsing environment with a virtualized operating system sharing an operating system kernel of a supporting operating system and executing the browser application within the virtual browsing environment. Another embodiment includes receiving a website selection within a browser application, determining if the website selection corresponds to a secure bookmark, and creating a second virtual browsing environment and executing the browser application within the second virtual browsing environment to access the website selection when the website selection corresponds to a website specified as a secure bookmark. Yet another embodiment includes monitoring operation of the operating system within the at least one virtual browsing environment, determining when the operation of the operating system includes potential malicious activity, and terminating the virtual browsing environment when the operation includes potential malicious activity.07-07-2011
20110167493SYSTEMS, METHODS, ANE MEDIA FOR DETECTING NETWORK ANOMALIES - Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous.07-07-2011
20110167491Computer Security Process Monitor - A computer security process monitor detects security intrusions of a networked computing platform by monitoring execution statistics associated with one or more computer processes executed by the platform in relation to expected (or “valid”) execution parameters. The execution statistics in one example include system process statistics (e.g., process name, peak memory usage, maximum number of threads, peak CPU utilization) and network interface statistics (e.g., IP ports, protocols) associated with the one or more computer processes; and the valid execution parameters define acceptable values or states corresponding to the execution statistics.07-07-2011
20120117648Malware Determination - A method and apparatus for a determining whether an electronic file stored at a client device is malware. A server receives from the client device a request message that signature information of the electronic file. The server queries a database of signature information of a multiplicity of electronic files. If the signature information of the electronic file corresponds to signature information stored on the database, a determination is made as to whether the electronic file is malware. If the signature information of the electronic file does not correspond to signature information stored on the database, a determination is made as to whether a predetermined number of further request messages for the electronic file are received from further client devices within a predetermined time period. If fewer request messages are received within the time period, it is likely that the electronic file is malware.05-10-2012
20120210429Adaptive Behavioral Intrusion Detection Systems and Methods - Systems and methods for analyzing historical network traffic and determining which traffic does not belong in a network are disclosed. Intrusion detection is performed over a period of time, looking for behavioral patterns within networks or information systems and generating alerts when these patterns change. The intrusion detection system intelligently forms correlations between disparate sources to find traffic anomalies. Over time, behaviors are predictive, and the intrusion detection system attempts to predict outcomes, becoming proactive instead of just reactive. Intrusions occur throughout whole information systems, including both network infrastructure and application servers. By treating the information system as a whole and performing intrusion detection across it, the chances of detection are increased significantly.08-16-2012
20120210430INTRUSION DETECTION USING A NETWORK PROCESSOR AND A PARALLEL PATTERN DETECTION ENGINE - An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.08-16-2012
20130185797WHITELIST-BASED INSPECTION METHOD FOR MALICIOUS PROCESS - A method of detecting a malware based on a white list comprises: receiving on a server side a program feature and/or a program behavior of a program to be detected sent from a client side; comparing the program feature and/or the program behavior of the detected program with legitimate program features and/or legitimate program behaviors stored in a white list; obtaining a legitimacy information of the unknown program based on the comparison result and feeding this back to the client side. In the invention, a legitimate program is determined by using a white list, thereby determining an illegitimate program excluded from the white list as a malware, which performs a determination and detecting and removing of a malware from another perspective.07-18-2013
20120023582SYSTEMS, METHODS, AND APPARATUS FOR OTOACOUSTIC PROTECTION OF AUTONOMIC SYSTEMS - Systems, methods and apparatus are provided through which in some embodiments an autonomic unit transmits an otoacoustic signal to counteract a potentially harmful incoming signal.01-26-2012
20120023581SYSTEMS, METHODS, AND APPARATUS FOR OTOACOUSTIC PROTECTION OF AUTONOMIC SYSTEMS - Systems, methods and apparatus are provided through which in some embodiments an autonomic unit transmits an otoacoustic signal to counteract a potentially harmful incoming signal.01-26-2012
20120023579PROTECTION AGAINST MALWARE ON WEB RESOURCES - A method and system for identification of malware threats on web resources. The system employs a scheduled antivirus (AV) scanning of web resources. The scheduled scanning of web resources allows to create malware check lists and to configure access to web resources. Frequency and depth of inspection (i.e., scan) are determined for each web resource. The user identifiers are used for scheduled AV scanning of web resources. The system allows for scanning a web resource based on selected configurations without using additional client applications.01-26-2012
20120174223SYSTEMS AND METHODS FOR DETECTION OF SESSION TAMPERING AND FRAUD PREVENTION - The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the middle attacks.07-05-2012
20120159626GEOGRAPHICAL INTRUSION RESPONSE PRIORITIZATION MAPPING SYSTEM - Systems and methods for geographically mapping an intrusion into a network having one or more network points include receiving intrusion information identifying a intrusion into a point of the network, correlating the intrusion information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the intrusion.06-21-2012
20120159625MALICIOUS CODE DETECTION AND CLASSIFICATION SYSTEM USING STRING COMPARISON AND METHOD THEREOF - The present invention provides a malicious code detection and classification system using a string comparison technique, including a string extracting unit configured to extract all expressed strings existing in a binary file from the malicious code binary file; a string refining unit configured to refine elements obstructing malicious code detection and classification in the strings extracted from the string extracting unit; and a string comparison unit configured to determine how similar one binary is to another binary by comparing strings refined from the string refining unit.06-21-2012
20120159627SUSPICIOUS NODE DETECTION AND RECOVERY IN MAPREDUCE COMPUTING - Embodiments of the present invention address deficiencies of the art in respect to distributed computing for large data sets on clusters of computers and provide a novel and non-obvious method, system and computer program product for detecting and correcting malicious nodes in a cloud computing environment (e.g., MapReduce computing). In one embodiment of the invention, a computer-implemented method for detecting and correcting malicious nodes in a cloud computing environment can include selecting a task to dispatch to a first worker node, setting a suspicion index threshold for the selected task, determining a suspicion index for the selected task, comparing the suspicion index to the suspicion index threshold and receiving a result from a first worker node. The method further can include applying a recovery action when the suspicion index exceeds the selected suspicion index threshold.06-21-2012
20120159624COMPUTER SECURITY METHOD, SYSTEM AND MODEL - A computer security method includes receiving a security alert associated with an electronic attack to at least one computer system of a data network, identifying a first set of business services which may be affected by the electronic attack, estimating, based on an identified first set of potentially affected business services, a first potential cost to a business when the electronic attack is successful, identifying at least one counteraction which may be employed to prevent or mitigate the electronic attack, identifying a second set of business services which may be affected by the at least one counteraction, estimating, based on the identified second set of potentially affected business services, a second potential cost to the business when the counteraction is employed, and comparing the first potential cost and the second potential cost.06-21-2012
20120072987METHOD FOR EVOLVING DETECTORS TO DETECT MALIGN BEHAVIOR IN AN ARTIFICIAL IMMUNE SYSTEM - A system, apparatus, and method are directed to evolving detectors in an Artificial Immune System for use in detecting unauthorized computing activities. In one embodiment, a population of detectors is generated with a matching value and expectation value of zero. The detectors are then compared to logged fragments of system calls within a computing device to modify the matching value. When the matching value for a given detector is equal to or greater than an expectation value, the detector's expectation value may be set to the matching value. The detectors may then evolve and/or generate other detectors using mutation, and/or recombination, or the like. Detectors continue to generate and/or to evolve until a detector's matching value reaches a determined value, in which case, the detector may be evaluated to determine if an unauthorized activity is detected. If an unauthorized activity is detected, a detection response may be performed.03-22-2012
20080307526METHOD TO PERFORM BOTNET DETECTION - A method and a system for monitoring network activities associated with a computer connected to a network are provided. The method may include detecting a bot activity associated with the computer; attributing a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps. The method may also include updating the bot status attributed to the computer, based upon detection of subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and one or more other criteria. In one example embodiment, the network activities may include network transmissions and behavioral patterns. According to example embodiments, the system may include a network monitor, a bot activity detection module, a bot status module, and a bot status update module.12-11-2008
20120124666METHOD FOR DETECTING AND PREVENTING A DDOS ATTACK USING CLOUD COMPUTING, AND SERVER - A method for detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server, the method includes collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed by each of the clients and traffic information about network traffic caused by the file, from each client by using an agent that is installed in the client and that monitors the file currently being executed by the client. Further, the method includes analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information. Furthermore, the method includes sending a command related to whether to block the file to the client according to the analyzed risk level.05-17-2012
20110107422EMAIL WORM DETECTION METHODS AND DEVICES - Embodiments of the invention provide a network device for detecting email worms having a port for receiving packets and a processing engine configured to inspect packets received on the port, wherein if a predetermined number of packets sent from a client represent DNS queries, the client is identified as being infected.05-05-2011
20110099632DETECTING USER-MODE ROOTKITS - A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.04-28-2011
20090133122METHOD AND SYSTEM FOR DETECTING SUSPICIOUS FRAME IN WIRELESS SENSOR NETWORK - A method and system for detecting a suspicious frame in a wireless sensor network that includes: a plurality of sensor nodes, for sending sensed data and data regarding an upper-level node and cluster head node. A data collecting node receives data from the sensor nodes, sends information, and extracts data received from the sensor nodes. A first probability of occurrence of the routing path is computed with respect to training frames, and a second probability of occurrence of a source routing path is computed using the first probability. The second probability is compared with a reference value, and displays an indication notifying an abnormality of the source node according to when the second probability and the reference value.05-21-2009
20120233693METHODS AND SYSTEMS FOR FULL PATTERN MATCHING IN HARDWARE - Methods and systems are provided for hardware-based pattern matching. In an embodiment, an intrusion-prevention system (IPS) identifies a full match between a subject data word comprising subject-data blocks and a signature data pattern comprising signature-data blocks. The IPS receives the subject data word via a network interface, and thereafter makes a partial-match determination that two or more but less than all of the subject-data blocks respectively match the same number of the signature-data blocks stored in partial-match hardware with respect to both value and position. Thereafter, the IPS makes a full-match determination that all of the subject-data blocks respectively match all of the signature-data blocks stored in the IPS's full-match hardware with respect to both value and position. The IPS then stores an indicator that the full-match determination has been made, and may carry out one or more additional intrusion-prevention responses as well.09-13-2012
20120222118TIERED OBJECT-RELATED TRUST DECISIONS - Adware and viruses are examples of objects that may be embedded in a web page or linked to a web page. When such an object is detected to be associated with a web page loading on a browser, an analysis may be performed to determine a trust level for the object. The object is suppressed based on the trust level. A prompt is displayed to advise a user that the object has been suppressed, and to provide an opportunity to interactively accept or decline activation of an action for the object.08-30-2012
20120222119ACTIVE COMPUTER SYSTEM DEFENSE TECHNOLOGY - Active computer system defense techniques can include sending disruptive communications to attackers, where the disruptive communications include random data elements which could potentially interfere with the operation of an attacking system. Such computer system defense techniques can also be augmented to automatically optimize the disruptive communications sent to the attackers.08-30-2012
20120222117METHOD AND SYSTEM FOR PREVENTING TRANSMISSION OF MALICIOUS CONTENTS - A method and a system for preventing transmission of malicious contents are provided. The method includes intercepting at a network gateway device of a server network a digital communication being sent from the server network to an external network; searching the digital communication for a malicious transmission schema that can be used to cause a malicious transmission on a recipient of the digital communication; and taking an action to hinder the transmission of malicious contents if a malicious transmission schema is found.08-30-2012
20120222116SYSTEM AND METHOD FOR DETECTING WEB BROWSER ATTACKS - A method and system for detecting a heap corruption exploit of a web browser is described. The method comprises installing or injecting a detection module into the web browser. Next, the detection module patches or hooks all calls to the detection module in order to identify calls indicating a heap corruption exploit. The identified calls are then analyzed to determine whether a heap corruption exploit is occurring.08-30-2012
20120222115USING A DECLARATION OF SECURITY REQUIREMENTS TO DETERMINE WHETHER TO PERMIT APPLICATION OPERATIONS - Provided are a computer program product, system, and method for using a declaration of security requirements to determine whether to permit application operations. A declaration of security requirements indicates actions the application designates to perform with respect to resources in a computer system, wherein a plurality of the indicated actions are indicated for at least two operation modes of the application. A detection is made of whether the application is requesting to perform a requested action with respect to a requested resource in the computer system. A determination is made of a current operation mode of the application comprising one of the at least two operation modes in response to detecting that the application is requesting the requested action. A determination is made as to whether the declaration of security requirements indicates the requested action with the current operation mode. The requested action with respect to the requested resource is allowed to proceed in response to determining that the declaration of security requirements indicates the requested action with respect to the requested resource as indicated with the current operation mode.08-30-2012
20120131674Vector-Based Anomaly Detection - Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur.05-24-2012
20120131673APPARATUS AND METHOD FOR PROTECTION OF CIRCUIT BOARDS FROM TAMPERING - A method and system for protecting a printed circuit board (PCB) from tampering positions a physical sensor proximal to the PCB. An initialization period is established and an output signal from the sensor is continuously monitored to establish threshold parameter data. Periodically, the sensor is polled and an output signal received which is compared to the threshold parameter data. A detected intrusion signal is generated if the received signal exceeds the threshold by a predetermined level. A detected intrusion is validated using a sent of validation rules which analyze the detected intrusion based on historical sensor output values and factors such as duration or frequency of intrusion detections. If the detected intrusion is validated, a validated signal is generated which triggers a reset processor to output a reset signal that causes erasure of at least a portion of onboard memory.05-24-2012
20120131672Secure Notification on Networked Devices - A system, device and method to securely notify a user of a compromise of a device are provided. The system, device and method may include a detection device adapted for determining a compromise of the device communicatively coupled to the first path, a user database including at least information regarding the device and other devices associated with the user, and the secure signal path to at least one of the other devices.05-24-2012
20120167215SYSTEM AND METHOD OF FACILITATING THE IDENTIFICATION OF A COMPUTER ON A NETWORK - A system and method for facilitating identification of an attacking computer in a network is provided. A user attempting to login to a network application may be presented with a screen prior to the login which lists preconditions of gaining access to the application. If a user concurs with the preconditions, a security module is downloaded to the user's computer and executed which gathers various configuration settings and transmits the gathered information to a predetermined destination. The security module may also attempt to place a call to a predetermined destination over a modem in the computer to cause registration of caller-ID data when answered at the predetermined destination. Once the security check is completed, login may proceed with the network application. Any data gathered by the security module may be stored for later recall and use to identify the computer in the event of an attack.06-28-2012
20120255009METHOD AND APPARATUS FOR COMBATING MALICIOUS CODE - A method and apparatus are provided for combating malicious code. In one embodiment, a method for combating malicious code in a network includes implementing a leap-ahead technique to defend against the malicious code reaching a full saturation potential in the network, by sending alert messages to a group of peers, and reselecting the membership of that group from time to time.10-04-2012
20120255008Method of Handling Malicious Application in Telco's Application Store System and Related Communication Device - A method of handling a malicious application for a client of a service system is disclosed. The method comprises transmitting a malicious application report message to a storefront of the service system when detecting a malicious application, for reporting the malicious application to the storefront; and receiving a malicious application response message in response to the malicious application report message, wherein the malicious application response message is transmitted by the storefront.10-04-2012
20120216281Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel - A method and apparatus for resisting malicious code in a computing device. A software component corresponding to an operating system kernel is analyzed prior to executing the software component to detect the presence of one or more specific instructions such as malicious code, a change in mode permissions or instructions to modify or turn off security monitoring software, and taking a graduated action in response to the detection of one or more specific instructions. The graduated action taken is specified by a security policy (or policies) stored on the computing device. The analyzing may include off-line scanning of a particular code or portion of code for certain instructions, op codes, or patterns, and includes scanning in real-time as the kernel or kernel module is loading while the code being scanned is not yet executing (i.e., it is not yet “on-line”). Analysis of other code proceeds according to policies.08-23-2012
20120216282METHODS AND SYSTEMS FOR DETECTING AND MITIGATING A HIGH-RATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK - Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities.08-23-2012
20120255006TWO-TIER DEEP ANALYSIS OF HTML TRAFFIC - A computer-implemented process for two-tier deep analysis of hypertext transport protocol data, monitors Web traffic, receives a packet of Web traffic from a network to form a received packet, wherein the received packet represents Web traffic, and stores the Web traffic temporarily to form stored Web traffic. The computer-implemented process further determines whether the Web traffic is suspicious using a first tier analysis and responsive to a determination that the Web traffic is suspicious, consumes the stored Web traffic using a deep analysis module. The computer-implemented process further determines whether the stored Web traffic is a case of misuse using a second tier analysis and responsive to a determination that the stored Web traffic is a case of misuse, feeding back data about a malicious connection to an intrusion protection system before returning to monitor the Web traffic.10-04-2012
20100205671HASH-BASED SYSTEMS AND METHODS FOR DETECTING AND PREVENTING TRANSMISSION OF POLYMORPHIC NETWORK WORMS AND VIRUSES08-12-2010
20120255002SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER LOADING AND UNLOADING - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of one or more resources of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, operate at a level below all of the operating systems of the electronic device accessing the one or more resources. The attempted access includes an attempted loading or unloading of a driver in the operating system.10-04-2012
20120137366TECHNIQUES FOR NETWORK PROTECTION BASED ON SUBSCRIBER-AWARE APPLICATION PROXIES - Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data.05-31-2012
20110185424SYSTEM AND METHOD FOR PROACTIVE DETECTION AND REPAIR OF MALWARE MEMORY INFECTION VIA A REMOTE MEMORY REPUTATION SYSTEM - A method for detecting malware memory infections includes the steps of scanning a memory on an electronic device, determining a suspicious entry present in the memory, accessing information about the suspicious entry in a reputation system, and evaluating whether the suspicious entry indicates a malware memory infection. The memory includes memory known to be modified by malware. The suspicious entry is not recognized as a safe entry. The reputation system is configured to store information on suspicious entries. The evaluation is based upon historical data regarding the suspicious entry.07-28-2011
20110185426DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS - Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches.07-28-2011
20110185425NETWORK ATTACK DETECTION DEVICES AND METHODS - A network attack detection device is provided, including a spatial coordinate database for storing spatial coordinate data; a standard time zone database for storing standard time zone data; a domain name system packet collector for collecting a domain name system packet; a spatial snapshot feature extractor for extracting internet protocol address corresponding to the domain name system packet according to the domain name system packet, and generating spatial feature data corresponding to the internet protocol address according to the internet protocol address, the spatial coordinate data and the standard time zone data; and an attack detector for determining whether the domain name system packet is an attack according to the spatial feature data and a spatial snapshot detection model, and when determining that the domain name system packet is an attack, sending a warning to indicate the attack.07-28-2011
20100175133REORDERING DOCUMENT CONTENT TO AVOID EXPLOITS - Structured document files, such as those utilized by standard productivity applications or for portable documents can have malicious computer executable instructions embedded within them. Modifications to such files can prevent the execution of such malware. Modifications can operate at a file sector level, such as either fragmenting or defragmenting the file, or they can operate at a file record level, such as removing records, adding records, or rearranging the order of records. Other modifications include writing random data into records deemed likely to have malware, removing unaccounted for space, or removing records that are not known to be good and are inordinately large. A scan of the structured document file can identify relevant information and inform the selection of the modifications to be applied.07-08-2010
20100175132ATTACK-RESISTANT VERIFICATION OF AUTO-GENERATED ANTI-MALWARE SIGNATURES - Techniques are disclosed for verifying whether payload signatures correspond to a vulnerability or exploit. Generally a security system may be configured to detect an attack on a server while the server is processing a payload. The security system generates (or obtains) a provisional signature corresponding to the vulnerability. For example, a provisional signature may be generated for a vulnerability from a group of payloads determined to correspond to that vulnerability. The effects of subsequent payloads which match the provisional signature may be monitored. If the effects of a payload duplicate the attack symptoms, a confidence metric for provisional signature may be increased. Once the confidence metric exceeds a predetermined threshold, then the provisional signature may be made active and used to block traffic from reaching an intended destination.07-08-2010
20100287615INTRUSION DETECTION METHOD AND SYSTEM - Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps: creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploit one or several vulnerabilities; creating assurance references corresponding to said defined preconditions and considering the targeted perimeter capturing data related to the targeted system; comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match; capturing assurance data from monitoring of the targeted perimeter comparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match retrieving the preconditions of the generated security alert checking if assurance information corresponding to said preconditions has been retrieved generating a verified security alarm when generated security alert and its retrieved precondition match with at least one corresponding assurance information filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information; emitting a non verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined.11-11-2010
20120174221Apparatus and method for blocking zombie behavior process - Provided are an apparatus and method for blocking a zombie behavior process. The apparatus includes a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies, a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value, a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage, and a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type. Also, the apparatus according to another aspect includes a system process monitor and handler configured to detect whether or not a file associated with a system process is modified and block the system process.07-05-2012
20120174222METHOD FOR THE SAFETY OF NETWORK TERMINAL DEVICES - The present invention provides a method for the safety of network terminal devices that utilizes the basic operations in network terminal devices (NTDs) and a network security center (NSC), as well as the analyzing and processing ability provided by the NSC to solve network security issues based on hierarchical network security structure of client request-server response. In the NSC, the solution is broken into a plurality of basic operations with their respective corresponding parameters. Each basic operation is encoded according to an operation code table (OCT) and encapsulated in a network security suspicion information packet (NSSIP). The NSC sends the NSSIP to the NTD. The NTD receives and splits the network security solution packet (NSSP) to get the plurality of operation codes and their respective corresponding parameters. The NTD retrieves a plurality of call interfaces from the OCT according to the plurality of operation codes. The plurality of call interfaces and their respective corresponding parameters is combined together to form a completely local solution to replace traditional patch and anti-virus module. Using this invention, the requirements on hardware are released so to fit well for various small-sized NTDs.07-05-2012
20120216280DETECTION OF CODE-BASED MALWARE - This document describes techniques for detection of code-based malware. According to some embodiments, the techniques utilize a collection of known malicious code and know benign code and determine which features of each type of code can be used to determine whether unclassified code is malicious or benign. The features can then be used to train a classifier (e.g., a Bayesian classifier) to characterize unclassified code as malicious or benign. In at least some embodiments, the techniques can be used as part of and/or in cooperation with a web browser to inspect web content (e.g., a web page) to determine if the content includes code-based malware.08-23-2012
20100050260Attack node set determination apparatus and method, information processing device, attack dealing method, and program - An attack node set determination apparatus obtains an event log basic parameter extracted from collected event logs and attribute information based on the event log basic parameter. The attack node set determination apparatus performs a clustering on a space having dimensions of part or all of the obtained attribute information and event log basic parameter, computes a cluster, and transmits information on the cluster and a countermeasure against the cluster to a firewall. Upon detecting an attack packet from an attack node set, the firewall identifies a cluster including the attack packet and conducts a countermeasure against the whole identified cluster.02-25-2010
20100050259SYSTEM AND METHOD FOR RADIO FREQUENCY INTRUSION DETECTION - A system to detect and analyze RF signals utilizes a data structure storing RF signatures indicating characteristics of known authorized and/or unauthorized RF transmissions. When an RF signal is detected, certain analysis characteristics are extracted from the RF signal and analyzed with respect to the stored RF signatures to determine whether the RF transmission is authorized or unauthorized. In the event of an unauthorized RF transmission, the system generates an alarm condition to alert the user to an RF intrusion and may further log data related to the intruder transmission. Known techniques may be used to determine the location of the RF intrusion within a defined area of operations.02-25-2010
20100275261SIGNATURE SEARCHING METHOD AND APPARATUS USING SIGNATURE LOCATION IN PACKET - A method of and apparatus for searching for a signature in a packet according to a signature location. The method may include extracting a sub-payload to be compared with a signature from a payload of a packet, generating an offset that is location information about a location of the sub-payload in the payload, generating a search key that includes the extracted sub-payload and the generated offset, and performing ternary content addressable memory (TCAM) matching to check if the generated search key matches a TCAM entry.10-28-2010
20120180130METHOD FOR DEFENDING AGAINST DENIAL-OF-SERVICE ATTACK ON THE IPV6 NEIGHBOR CACHE - A method of defending against a denial-of-service (DoS) attack on an IPv6 neighbor cache includes steps of determining a number of neighbor cache entries currently stored in the neighbor cache and then determining whether the number of entries exceeds a neighbor cache threshold that is less than a neighbor cache limit defining a maximum capacity of the neighbor cache. When the number of entries in the neighbor cache exceeds the neighbor cache threshold, stateless neighbor resolution is triggered. Stateless neighbor resolution entails sending a neighbor solicitation to resolve an address for an incoming packet without logging a corresponding entry in the neighbor cache. Additional techniques that complement the above method involve purging of neighbor cache entries designated as incomplete, prioritization of the entries based on trustworthiness, shortening the incomplete-status timer to less than 3 seconds, and curtailing the number of retransmissions of the neighbor solicitations.07-12-2012
20130174257Active Defense Method on The Basis of Cloud Security - The present invention relates to an active defense method based on cloud security comprising: a client collecting and sending a program behavior launched by a program thereon and/or a program feature of the program launching the program behavior to a server; with respect to the program feature and/or the program behavior sent by the client, the server performing an analysis and comparison in its database, making a determination on the program based on the comparison result, and feeding back to the client; based on the feedback determination result, the client deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture, and employs a behavior feature based on active defense to search and kill a malicious program, thereby ensuring network security.07-04-2013
20100011440Computer Security Intrusion Detection System For Remote, On-Demand Users - An intrusion detection system, and a related method and computer program product, for implementing intrusion detection in a remote, on-demand computing service environment in which one or more data processing hosts are made available to a remote on-demand user that does not have physical custody and control over the host(s). Intrusion detection entails monitoring resources defined by the on-demand user (or a third party security provider) for intrusion events that are also defined by the on-demand user (or security provider), and implementing responses according to event-action rules that are further defined by the on-demand user (or security provider). An intrusion detection system agent is associated with each of the data processing hosts, and is adapted to monitor the intrusion events and report intrusion activity. If there are plural intrusion detection system agents, they can be individually programmed to monitor and report on agent-specific sets of the intrusion events. An intrusion detection system controller is associated with one of the data processing hosts. It is adapted to manage and monitor the intrusion detection system agent(s), process agent reports of intrusion activity, and communicate intrusion-related information to the on-demand user (or security provider). The responses to intrusion events can be implemented by the intrusion detection system controller in combination with the intrusion detection system agents, or by any such entity alone.01-14-2010
20090055930Content Security by Network Switch - A security switch detects whether requested content is either trusted content or non-trusted content. In case of network content being trusted content, network traffic bypasses the inspection gateway and goes directly to the user. If network content is non-trusted content, network traffic passes through to the inspection gateways for inspection. Additionally, when the security switch receives a reply for “trusted” content requests, it parses the reply information to verify that the content-type of the file is indeed “trusted”. If the file doesn't prove to be “trusted”, the security switch drops the connection and stops the suspected content from reaching the client.02-26-2009
20090055929Local Domain Name Service System and Method for Providing Service Using Domain Name Service System - Provided is a local domain name system for querying an external server for a client-requested domain name and providing desired data to a user. A determination is made as to whether a special policy is to be applied to a client-input query through a test task. When a special policy is to be applied to the query, the special policy is performed to provide additional service to the client.02-26-2009
20090038010Monitoring and controlling an automation process - Embodiments are provided to monitor aspects of a process, such as an automation process. In an embodiment, a system includes a number of components configured to monitor and validate operational aspects of a test automation process. In one embodiment, a monitoring application can be used to detect test automation issues, such as file related issues, registry related issues, network related issues, and other operational issues for example. The monitoring application can include a number of rule sets which may be tailored to identify and detect new types of exceptions and other conditions associated with an automation process or some other process. Other embodiments are available.02-05-2009
20120185938DETECTING AND DEFENDING AGAINST MAN-IN-THE-MIDDLE ATTACKS - A system, method and program product for defending against man in the middle (MITM) attacks directed at a target server. A system is provided that includes an activity recording system that records an incoming IP address, userid, and time of each session occurring with the target server; an activity analysis system that identifies suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and a countermeasure system for taking action against suspect IP addresses.07-19-2012
20120084863METHOD AND SYSTEM FOR IDENTIFYING COMPROMISED NODES - The invention relates to a method for identifying compromised nodes in a ZigBee network comprising a general trust center, divided in at least two security domains, each security domain corresponding to a spatial or temporal area, and being associated with a different root keying material, and each node being identified by an identifier, the method comprising: upon detection of a node (U04-05-2012
20120084862Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System - A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.04-05-2012
20120084861METHODS AND SYSTEMS THAT SELECTIVELY RESURRECT BLOCKED COMMUNICATIONS BETWEEN DEVICES - Data communications between devices are selectively blocked and resurrected based on error notifications. Data communications from one or more source devices to one or more intended destination devices are selectively blocked based on content of the data communications. The blocked data communications are stored in a database. A blocked data communication is retrieved from the database in response to an error notification from one of the source devices and/or from one of the destination devices. The retrieved data communication is then sent to the intended destination device.04-05-2012
20120084860SYSTEM AND METHOD FOR DETECTION OF DOMAIN-FLUX BOTNETS AND THE LIKE - In one embodiment, a method for detecting malicious software agents, such as domain-flux botnets. The method applies a co-clustering algorithm on a domain-name query failure graph, to generate a hierarchical grouping of hosts based on similarities between domain names queried by those hosts, and divides that hierarchical structure into candidate clusters based on percentages of failed queries having at least first- and second-level domain names in common, thereby identifying hosts having correlated queries as possibly being infected with malicious software agents. A linking algorithm is used to correlate the co-clustering results generated at different time periods to differentiate actual domain-flux bots from other domain-name failure anomalies by identifying candidate clusters that persist for relatively long periods of time. Persistent candidate clusters are analyzed to identify which clusters have malicious software agents, based on a freshness metric that characterizes whether the candidate clusters continually generate failed queries having new domain names.04-05-2012
20120084859REALTIME MULTIPLE ENGINE SELECTION AND COMBINING - Architecture that selects a classification engine based on the expertise of the engine to process a given entity (e.g., a file). Selection of an engine is based on a probability that the engine will detect an unknown entity classification using properties of the entity. One or more of the highest ranked engines are activated in order to achieve the desired performance. A statistical, performance-light module is employed to skip or select several performance-demanding processes. Methods and algorithms are utilized for learning based on matching the best classification engine(s) to detect the entity class based on the entity properties. A user selection option is provided for specifying a maximum number of ranked, classification engines to consider for each state of the machine. A user can also select the minimum probability of detection for a specific entity (e.g., unknown file). The best classifications are re-evaluated over time as the classification engines are updated.04-05-2012
20090328212Determination of malicious entities - A method/system of determining if one or more entities in a data storage medium of a processing system are malicious, wherein the method comprises recording entity properties of the one or more entities when at least part of the processing system is in a range of operating usage; and determining, using the entity properties, if the one or more entities are malicious.12-31-2009
20120227108Intrusion Event Correlation System - Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates event. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.09-06-2012
20120227107CUSTOMER PREMISES EQUIPMENT AND METHOD FOR AVOIDING ATTACKS - A customer premises equipment (CPE) receives data packets from a network service device via a primary service flow. When the CPE detects flood of packets in the data packets received via the primary service flow, the CPE determines a source Internet protocol (IP) address of the flood of packets. The CPE establishes a new service flow with the network service device. A source IP address of the new service flow is set to the source IP address of the flood of packets, and a transfer speed of the new service flow is less than that of the primary service flow. The CPE transfers the flood of packets from the primary service flow to the new service flow.09-06-2012
20120260341FIREWALLS FOR SECURING CUSTOMER DATA IN A MULTI-TENANT ENVIRONMENT - Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response.10-11-2012
20120260340METHODS AND APPARATUS FOR DEALING WITH MALWARE - Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote computers and apply rules or heuristics against the data in real time to determine whether or not the object is malware and to communicate the determination to the remote computers. The base computer includes at least one central server in communication with the threat servers and arranged to receive the data about objects from the threat servers to maintain a master database of data received about objects from all threat servers.10-11-2012
20120260339Imposter Prediction Using Historical Interaction Patterns - An approach is provided in which an electronic message is received from a source at a network interface that is accessible from the information handling system. A source address corresponding to the electronic message is identified, wherein the source address also corresponds to a legitimate source. Current usage patterns are extracted from the received electronic message and historical usage patterns are retrieved that correspond to the identified source address. The historical usage patterns being previously gathered from previous messages received from the legitimate source. The extracted current usage patterns and the retrieved historical usage patterns are compared. A user of the system is notified in response to the comparison revealing that the source is an imposter.10-11-2012
20120233695SYSTEM AND METHOD FOR SERVER-COUPLED APPLICATION RE-ANALYSIS TO OBTAIN TRUST, DISTRIBUTION AND RATINGS ASSESSMENT - A system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces a characterization assessment and can also provide a characterization re-assessment for the application, or data object, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The servers transmit notifications to devices that have installed applications that are discovered to be undesirable. The server can accumulate this data and then perform a characterization re-assessment of a data object it has previously assessed to provide an assessment based upon one of trust, distribution and ratings information.09-13-2012
20120233694MOBILE MALICIOUS SOFTWARE MITIGATION - Mitigation of malicious software in wireless networks and/or on mobile devices is provided. A mobile malicious software mitigation component is provided that obtains an internet protocol address that is exhibiting malicious software behavior, a profile of the malicious software behavior, and a time of the malicious software behavior. The malicious software mitigation component can determine an identity of a mobile device that was assigned the internet protocol address during the time it was exhibiting malicious software behavior, and transmit the profile to the mobile device. In addition, the malicious software mitigation component determine if the duration of the assignment of the internet protocol address to the mobile device is sufficient for positive identification.09-13-2012
20130174256NETWORK DEFENSE SYSTEM AND FRAMEWORK FOR DETECTING AND GEOLOCATING BOTNET CYBER ATTACKS - A network defense system is described that provides network sensor infrastructure and a framework for managing and executing advanced cyber security algorithms specialized for detecting highly-distributed, stealth network attacks. In one example, a system includes a data collection and storage subsystem that provides a central repository to store network traffic data received from sensors positioned within geographically separate networks. Cyber defense algorithms analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“botnet attacks”) from devices within the geographically separate networks. A visualization and decision-making subsystem generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks. The data collection and storage subsystem stores a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms.07-04-2013
20100333203METHODS FOR DETECTING MALICIOUS PROGRAMS USING A MULTILAYERED HEURISTICS APPROACH - Three heuristic layers are used to determine whether suspicious code received at a port of a data processing device is malware. First, static analysis is applied to the suspicious code. If the suspicious code passes the static analysis, dissembling analysis is applied to the suspicious code. Preferably, if the suspicious code passes the dissembling analysis, dynamic analysis is applied to the suspicious code.12-30-2010
20080301811System For Stabilizing of Web Service and Method Thereof - An object of the present invention is to provide a system and method for stabilizing a web service. The system of the present invention includes a reception module unit (12-04-2008
20080301810MONITORING APPARATUS AND METHOD THEREFOR - A monitoring apparatus for detection of a malicious attack in a communications network comprises a pattern matching engine (12-04-2008
20080301808INTERNET ROBOT DETECTION FOR NETWORK DISTRIBUTABLE MARKUP - Embodiments of the present invention provide a method, system and computer program product for bot detection for network distributable markup. In accordance with an embodiment of the present invention, a page request for distributed markup can be processed to incorporate embedded fragment within the requested page. For instance, the fragment can include a script enabled to detect human activity within the requested page such as a mouse movement. Alternatively, the fragment can include an extraneous markup artifact. The requested page subsequently can be returned to the requestor and the embedded fragment can be monitored to detect the presence of a bot depending upon the activation of the artifact. For example, where human activity can be detected within the page or where the extraneous markup artifact becomes activated despite the extraneous nature of the artifact, a human requestor can be concluded. However, where no human activity is detected in the requested page, or where the extraneous markup artifact remains unactivated, a bot requestor can be determined.12-04-2008
20110004935VMM-BASED INTRUSION DETECTION SYSTEM - An intrusion detection system collects architectural level events from a Virtual Machine Monitor where the collected events represent operation of a corresponding Virtual Machine. The events are consolidated into features that are compared with features from a known normal operating system. If an amount of any differences between the collected features and the normal features exceeds a threshold value, a compromised Virtual Machine may be indicated. The comparison thresholds are determined by training on normal and abnormal systems and analyzing the collected events with machine learning algorithms to arrive at a model of normal operation.01-06-2011
20120266242APPARATUS AND METHOD FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACK FROM MOBILE TERMINAL - An apparatus for defending a Distributed Denial of Service (DDoS) attack from a mobile terminal is provided. The apparatus includes a monitoring unit, a transmission/non-transmission inquiry unit, and a critical file management unit. The monitoring unit monitors all network data transmitted from a mobile terminal to the outside based on the current mode of the mobile terminal. The transmission/non-transmission inquiry unit asks a user whether to transmit corresponding network data to the outside based on the results of monitoring. The critical file management unit manages a critical file which includes information about at least one protocol used by the mobile terminal and at least one service provided using the protocol.10-18-2012
20110047620SYSTEM AND METHOD FOR SERVER-COUPLED MALWARE PREVENTION - This disclosure is directed to a system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices (e.g., smartphones, netbooks, and tablets). A mobile communication device uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces an assessment for the application, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The servers transmits notifications to devices that have installed applications that are discovered to be undesirable. The server receives data about applications from many devices, using the combined data to minimize false positives and provide comprehensive protection against known and unknown threats.02-24-2011
20110047619NON-SENSITIVE-PASSAGE DATABASE FOR CUT-AND-PASTE ATTACK DETECTION SYSTEMS - One embodiment provides a system that detects sensitive passages. During operation, the system receives a document and disassembles the document into a plurality of passages. For a respective passage, the system performs a search through a non-sensitive-passage database to determine whether the passage is a known non-sensitive passage. If so, the system marks the passage as non-sensitive, and if not, the system determines whether the passage triggers a cut-and-paste attack detection. If so, the system forwards the passage to an administrator and allows the administrator to determine whether the passage is non-sensitive and, further, to add the passage to the non-sensitive-passage database responsive to the administrator determining the passage to be non-sensitive.02-24-2011
20110047618Method, System, and Computer Program Product for Malware Detection, Analysis, and Response - A method, system, and computer program product for detecting malware from outside the host operating system using a disk, virtual machine, or combination of the two. The method, system, and computer program product detects malware at the disk level while computer files in the host operating system are in actual program execution by identifying characteristic malware properties and behaviors associated with the disk requests made. The malware properties and behaviors are identified by using rules that can reliably detect file-infecting viruses. The method, system, and computer program product also uses the disk processor to provide accelerated scanning of virus signatures, which substantially decreases overhead incurred on the host operating system by existing malware detection techniques. In the event that malware is detected, the method, system, and computer program product can respond by limiting the negative effects caused by the malware and help the system recover to its normal state. 02-24-2011
20120324575System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program - A system, method and program for detecting and blocking unwanted programs in real time based on process behavior analysis and a recording medium for storing the program. In particular, the invention relates to a system, method and program for detecting and blocking unwanted programs in real time based on process behavior analysis and a recording medium for storing the program, in which a security server defines lists of unwanted abnormal actions of a process in advance, detects the number of abnormal actions that have occurred, collects the abnormal actions, and detects and blocks an unwanted process by matching a program executed on a user terminal with the lists of abnormal actions.12-20-2012
20120324576BLOCKING INTRUSION ATTACKS AT AN OFFENDING HOST - A method, apparatus, and program product are provided for protecting a network from intrusions. An offending packet communicated by an offending host coupled to a protected network is detected. In response to the detection, a blocking instruction is returned to the offending host to initiate an intrusion protection operation on the offending host, where the blocking instruction inhibits further transmission of offending packets by the offending host. At the offending host, a blocking instruction is received with a portion of an offending packet. The offending host verifies that the offending packet originated from the host. In response to the verification of the offending packet originating from the host, an intrusion protection operation is initiated on the host thereby inhibiting transmission of a subsequent outbound offending packet by the host.12-20-2012
20120272317SYSTEM AND METHOD FOR DETECTING INFECTIOUS WEB CONTENT - Systems and methods are disclosed herein for detecting a threat to a computing device. The system includes a server and a computing device in communication with the server and configured to browse the Internet. The server receives data indicating a configuration parameter of the computing device and executes an emulation of the computing device that replicates the configuration parameter. The server also receives data relating to the computing device's browsing behavior and replicates the browsing behavior on the emulation. Upon detecting an undesired modification to the emulation of the computing device caused by the replicated browsing behavior, the server automatically generates and outputs an alert related to the undesired modification and related browsing behavior.10-25-2012
20110239301TECHNIQUE OF DETECTING DENIAL OF SERVICE ATTACKS - The invention detects a denial of service attack at a node by monitoring the number of discarded packets in relationship to the number of inbound packets. When an attack is detected, relevant inbound packet information is collected during the attack to help characterize the attack and at least to pinpoint the source of the last hop to the attacked node.09-29-2011
20110239300WEB BASED REMOTE MALWARE DETECTION - A method for detecting HTML-modifying malware present in a computer includes providing a server which serves a web page (HTML) to a browser. A determination is made whether a modified string exists in the page received by said browser and if a modifying element is found, determining the malware is present in the computer.09-29-2011
20110239299ADAPTIVE DISTINCT COUNTING FOR NETWORK-TRAFFIC MONITORING AND OTHER APPLICATIONS - In one embodiment, a counting method of the invention uses an adaptive sketching-update process to compress an unknown cardinality into a counter value that counts the number of binary ones in a hashed bitmap vector. The sketching-update process is probabilistic in nature and uses bit-flip probabilities that are adaptively decreased as the counter value increases. Parameters of the sketching-update process are selected so that the relative error of cardinality estimates obtained based on the counter values is relatively small and substantially constant over a relatively wide range of cardinalities, e.g., from one to about one million. Due to the latter property, the counting method can advantageously be implemented in the form of embedded software that relies on a relatively small, fixed amount of memory.09-29-2011
20110239298CONCURRENT AND DELAYED PROCESSING OF MALWARE WITH REDUCED I/O INTERFERENCE - Systems, methods and non-transitory, tangible computer readable storage mediums encoded with processor readable instructions to scan files for malware are disclosed. An exemplary method includes writing, via a communication pathway, a first file to a storage medium that is utilized by the computer, requesting access to the first file so as to enable the first file to be scanned for malware, and delaying, when the first file resides on the storage medium, access to the first file while there is at least one I/O operation relative to the storage medium that has a higher priority level than a priority level of the request to access the first file. In addition, except to enable the first file to be scanned for malware, access to the first file is prevented until the first file has been scanned for malware.09-29-2011
20100251369METHOD AND SYSTEM FOR PREVENTING DATA LEAKAGE FROM A COMPUTER FACILTY - In embodiments of the present invention improved capabilities are described for the steps of identifying, through a monitoring module of a security software component, a data extraction behavior of a software application attempting to extract data from an endpoint computing facility; and in response to a finding that the data extraction behavior is related to extracting sensitive information and that the behavior is a suspicious behavior, causing the endpoint to perform a remedial action. The security software component may be a computer security software program, a sensitive information compliance software program, and the like.09-30-2010
20120331554Regex Compiler - A method and corresponding apparatus relate to converting a nondeterministic finite automata (NFA) graph for a given set of patterns to a deterministic finite automata (DFA) graph having a number of states. Each of the DFA states is mapped to one or more states of the NFA graph. A hash value of the one or more states of the NFA graph mapped to each DFA state is computed. A DFA states table correlates each of the number of DFA states to the hash value of the one or more states of the NFA graph for the given pattern.12-27-2012
20120278887REPORTING COMPROMISED EMAIL ACCOUNTS - The claimed subject matter provides a method for detecting compromised accounts. The method includes receiving a communication from a sender's account to a recipient. The sender's account is associated with a sender. The method also includes presenting a compromised account reporting interface to the recipient based on specific conditions. Further, the method includes receiving a selection by the recipient indicating the sender's account is compromised. The method also includes determining that the sender's account is compromised based on the selection. Additionally, the method includes generating, in response to a selection by the recipient, a report indicating that the account is compromised.11-01-2012
20120278888GATEWAY AND METHOD FOR AVOIDING ATTACKS - A gateway assigns an IP address included in an address list to a client in a local area network (LAN). The gateway inquires whether the assigned IP address is used by other clients in the LAN. The gateway records a media access control (MAC) address of the client and the assigned IP address in a mapping table when the assigned IP address is not used by the other clients in the LAN. The gateway transmits an address resolution protocol (ARP) request packet to the client, and determines whether an ARP response packet is received from the client. The gateway can determine that the client is an attacker if no ARP response packet is received from the client.11-01-2012
20120278891METHODS AND APPARATUS FOR DEALING WITH MALWARE - In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object;11-01-2012
20120090030IDENTIFYING BOTS - A method of identifying if a web client has browser capabilities. An originating machine receives a web page request from the web client. The originating machine generates a page request id (PRID) and a script which, when executed by a web client with a browser, regenerates a PRID, and embeds the script in a response. The originating machine sends the response to the web client for the web client to process and, if the web client is capable, to execute the embedded script, thereby to regenerate a PRID, and to return the regenerated PRID to the originating machine. The originating machine compares the returned regenerated PRID with the generated PRID, a match indicating that the web client has browser capabilities.04-12-2012
20110271345DETECTION OF ROGUE WIRELESS DEVICES FROM DYNAMIC HOST CONTROL PROTOCOL REQUESTS - A method to determine if a rogue device is connected to a specific wired network from dynamic host control protocol (DHCP) requests on the wired network. These DHCP requests are analyzed to determine the type of device issuing the request. Once the type of device has been determined, it can be checked against a list of authorized device types. If the device issuing the DHCP request is not an authorized device type, then it can be determined that the suspect device is a rogue that is connected to the specific wired network. Additionally, even if the system of the present invention determines that it is an authorized device type, if the device is not one of the few authorized devices of this type, e.g. because its MAC address is not recognized as that of one of the authorized devices, the system can flag the suspect as a rogue.11-03-2011
20120331553DYNAMIC SIGNATURE CREATION AND ENFORCEMENT - A dynamic signature creation and enforcement system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, simulate transmission of the network data to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.12-27-2012
20110277032Time-Key Hopping - In certain embodiments, a first network device stores a security key associated with a second network device. The first network device computes access information according to the security key and a time value. The access information may be a network address or a port/socket. The first network device sends a packet to the second network device using the access information. The first network device then computes next access information according to the security key and a next time value and sends a packet to the second network device using the next access information.11-10-2011
20110277031Token Processing - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for mapping security processing rules into a data structure that facilitates a more efficient processing of the security processing rules. In one aspect, a method includes receiving security processing rules, each of the security processing rules defining one or more security checks and security operations corresponding to the security checks and that are to be performed when the security checks occur; and generating from the security processing rules a mapping of security checks to security operations, the mapping including a security check entry for each security check that is defined in one or more of the security processing rules, and each security check entry being mapped to one or more security operations that the security processing rules define as corresponding to the security check.11-10-2011
20120331555Performing A Defensive Procedure In Response To Certain Path Advertisements - In certain embodiments, performing a defensive procedure involves receiving at a first speaker of a first autonomous system a path advertisement from a second speaker of a second autonomous system. The path advertisement advertises a path from the second speaker of the second autonomous system. It is determined whether the second autonomous system is a stub autonomous system and whether a path length of the path is greater than one. If the second autonomous system is a stub and the path length is greater than one, a defensive measure is performed for the path. Otherwise, a default procedure is performed for the path.12-27-2012
20120331556SYSTEM AND METHOD FOR PROTOCOL FINGERPRINTING AND REPUTATION CORRELATION - A method is provided in one example embodiment that includes generating a fingerprint based on properties extracted from data packets received over a network connection and requesting a reputation value based on the fingerprint. A policy action may be taken on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. The method may additionally include displaying information about protocols based on protocol fingerprints, and more particularly, based on fingerprints of unrecognized protocols. In yet other embodiments, the reputation value may also be based on network addresses associated with the network connection.12-27-2012
20100229238 HYBRID REPRESENTATION FOR DETERMINISTIC FINITE AUTOMATA - A method includes receiving a data unit, determining whether a current state, associated with a deterministic finite automata (DFA) that includes a portion of states in a bitmap and a remaining portion of states in a DFA table, is a bitmap state or not, and determining whether a value corresponding to the data unit is greater than a threshold value, when it is determined that the current state is not a bitmap state. The method further includes determining whether the current state is insensitive, when it is determined that the value corresponding to the data unit is greater than the threshold value, where insensitive means that each next state is a same state for the current state, and selecting a default state, as a next state for the current, when it is determined that the current state is insensitive.09-09-2010
20120102568SYSTEM AND METHOD FOR MALWARE ALERTING BASED ON ANALYSIS OF HISTORICAL NETWORK AND PROCESS ACTIVITY - A method for malware protection includes receiving detection information for detecting malware on an electronic device, accessing historical information of an electronic device, comparing the detection information to the historical information, and based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information. Comparing detection information to historical information includes determining that information from a first category of historical information is associated with a source of malware, cross-referencing information from a second category of historical information to the information from the first category, and associating the information from the second category with the malware.04-26-2012
20100199348EFFICIENT INTRUSION DETECTION - A method to compress an unoptimized Aho-Corasick automaton is provided that can be used in network intrusion detection systems. Embodiments of the subject method use bitmaps with multiple levels of summaries as well as aggressive path compaction. By using multiple levels of summaries, a popcount can be determined with as few as 1 addition.08-05-2010
20130014257LIMITING EXECUTION OF SOFTWARE PROGRAMS - Techniques are disclosed for limiting execution of software programs. For example, a method comprises the following steps. A first set of program code is extracted from a second set of program code. The extracted first set of program code is parsed to generate a parsed structure. The parsed structure generated from the first set of program code is examined for one or more expressions predetermined to be unsafe for execution. The one or more expressions predetermined to be unsafe for execution that are contained in the first set of program code are detected. In one example, the first set of program code may be a script generated with the JavaScript™ scripting language and the second set of program code may be a business process.01-10-2013
20130014256JCVM BYTECODE EXECUTION PROTECTION AGAINST FAULT ATTACKS - The invention relates to a computing device comprising means to store and execute bytecodes, the computing device storing bytecodes which comprise a bytecode for calling a method. An attack detection bytecode is present after the bytecode for calling the method, and when executing bytecode, the computing device is set, upon return from the method, to continue bytecode execution after the attack detection bytecode. The invention also relates to a procedure for generating secure bytecode and to an applet development tool.01-10-2013
20100162396System and Method for Detecting Remotely Controlled E-mail Spam Hosts - A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.06-24-2010
20100154057SIP INTRUSION DETECTION AND RESPONSE ARCHITECTURE FOR PROTECTING SIP-BASED SERVICES - The present invention relates to a Session Initiation Protocol (SIP) intrusion detection and response architecture for protecting SIP-based services, and more specifically, to an SIP intrusion detection and response architecture for protecting SIP-based services, in which SIP-based attacks of a new type can be coped with by detecting the SIP-based attacks and SIP traffic anomalies and managing an SIP-aware security device without degrading quality of multimedia, and signal and media channels can be examined through an SIP-aware intrusion prevention system (IPS) for the purpose of preventing an attacker from hindering a call through manipulation of an SIP message and session-hijacking among legitimate users and attempting a toll fraud by detouring authentication.06-17-2010
20120151583DDOS ATTACK DETECTION AND DEFENSE APPARATUS AND METHOD - A Distributed Denial of Service (DDoS) attack detection and defense apparatus and method are provided. The Distributed Denial of Service (DDoS) attack detection and defense apparatus includes: a flow information collection unit to collect, from one or more input packets with an IP address of an attack target system as a destination IP address, flow information including source IP addresses of the input packets and packet counts of one or more flows that are classified for each of the source IP addresses and each of different protocol types; an inspection unit to calculate packets per second (PPS) values of the flows based on the packet counts; and a response unit to determine a DDoS attack response method for each of the flows based on the PPS value and the protocol type of a corresponding flow and to process the corresponding flow using the determined DDoS attack response method06-14-2012
20120151582Offline Scan, Clean and Telemetry Using Installed Antimalware Protection Components - The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online.06-14-2012
20130019309SYSTEMS AND METHODS FOR DETECTING MALICIOUS INSIDERS USING EVENT MODELSAANM Strayer; William TimothyAACI West NewtonAAST MAAACO USAAGP Strayer; William Timothy West Newton MA USAANM Partridge; CraigAACI East LansingAAST MIAACO USAAGP Partridge; Craig East Lansing MI USAANM Jackson; Alden WarrenAACI BrooklineAAST MAAACO USAAGP Jackson; Alden Warren Brookline MA USAANM Polit; Stephen HenryAACI BelmontAAST MAAACO USAAGP Polit; Stephen Henry Belmont MA US - Systems and methods are disclosed for determining whether a mission has occurred. The disclosed systems and methods utilize event models that represent a sequence of tasks that an entity could or must take in order to successfully complete the mission. As a specific example, an event model may represent the sequence of tasks a malicious insider may complete in order to exfiltrate sensitive information. Most event models include certain tasks that must be accomplished in order for the insider to successfully exfiltrate an organization's sensitive information. Many of the observable tasks in the attack models can be monitored using relatively little information, such as the source, time, and type of the communication. The monitored information is utilized in a traceback search through the event model for occurrences of the tasks of the event model to determine whether the mission that the event model represents occurred.01-17-2013
20130019312Computer Network Defense - Training defense of a computer network. The system includes an enterprise asset subsystem to be defended. The enterprise asset subsystem runs operating system, support services, and application programs. The system also includes a neutral subsystem that is in communication with the enterprise asset subsystem and is used to set up and run at least one exercise scenario, and score performance of enterprise asset defenders in defending the system against exploits. Exploits are launched by an exploitation subsystem communication with the enterprise asset subsystem.01-17-2013
20130019310DETECTION OF ROGUE SOFTWARE APPLICATIONSAANM Ben-Itzhak; YuvalAACI BrnoAACO CZAAGP Ben-Itzhak; Yuval Brno CZAANM Osis; KasparsAACI RigaAACO LVAAGP Osis; Kaspars Riga LVAANM Boz; MikeAACI Foster CityAAST CAAACO USAAGP Boz; Mike Foster City CA US - Software applications are analyzed to determine if they are legitimate applications and warnings are provided to users to avoid installation and/or purchases of unnecessary and/or potentially harmful software based on comparisons of user-interface characteristics of the software applications to visual characteristics of authentic applications to determine to what extent they match (or do not match) or are attempting to mirror the legitimate application.01-17-2013
20130019311Method and system for handling computer network attacks - A method and apparatus for serving content requests using global and local load balancing techniques is provided. Web site content is cached using two or more point of presences (POPs), wherein each POP has at least one DNS server. Each DNS server is associated with the same anycast IP address. A domain name resolution request is transmitted to the POP in closest network proximity for resolution based on the anycast IP address. Once the domain name resolution request is received at a particular POP, local load balancing techniques are performed to dynamically select the appropriate Web server at the POP for use in resolving the domain name resolution request. Approaches are described for handling bursts of traffic at a particular POP, security, and recovering from the failure of various components of the system.01-17-2013
20110162071ANIT-WORM-MEASURE PARAMETER DETERMINING APPARATUS, NUMBER-OF-NODES DETERMINING APPARATUS, NUMBER-OF-NODES LIMITING SYSTEM, AND COMPUTER PRODUCT - An anti-worm-measure parameter determining apparatus determines parameters for controlling timing for an anti-worm-measure means to start blocking of a communication by a worm in a network, for preventing a spread of the worm. An infectivity calculating unit calculates infectivity of the worm based on number of nodes connected to the network. A number-of-infected-nodes estimating unit calculates an expected value of number of infected nodes at a time when the worm transmits a predetermined number of packets, based on the infectivity calculated by the infectivity calculating unit.06-30-2011
20130024938SYSTEM AND METHOD FOR SECURING DATA TO BE PROTECTED OF A PIECE OF EQUIPMENT - A system and method for securing data to be protected of a piece of equipment are provided. The equipment comprises: a space; at least one device for processing the data; a safety module comprising at least one controller connected to at least one memory for sensitive data, the sensitive data giving access to the data; and at least one supervision sensor. The method comprises: transmitting at least one signature through the sensor(s), to the safety module, the signature being based on a signal received by the respective sensor and giving information on the physical condition of the space; comparing in the safety module at least one of the signatures and/or a value inferred from at least one of the signatures with at least one reference value and/or at least one reference signature; limiting access to the data being based on the comparison of at least one of the signatures.01-24-2013
20130024937Intrusion detection using taint accumulation - A method operable in a computing device adapted for handling security risk can use taint accumulation to detect intrusion. The method can comprise receiving a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times, and accumulating the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions. Security risk can be assessed according to a risk assessment function that is cumulative of the plurality of taint indicators.01-24-2013
20130024936AUDITING A DEVICE - The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. Initialization information is also received. The physical memory is selectively written in accordance with a function. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier.01-24-2013
20080250502Software Checking - A method of checking the integrity of a software component comprises: selecting a checking algorithm 10-09-2008
20080250501Method for Monitoring Managed Device - A method for monitoring the managed devices comprises that the manage center preserves the integrality list in advance, which includes the system integrality values of the managed devices and the corresponding relations of the managed devices and the system integrality values of themselves, and the managed device gathers the current system integrality value of itself and saves it when it starts; the managed device sends the information including the current system integrality value to the manage center after receiving the monitor command from the manage center; the manage center determines whether the received current system integrality value of the managed device coincides with the integrality value of the managed device saved by itself according to the received information and said integrality list, and implements the alert process when they do not coincide with each other. The manage center can know whether the managed device is believable currently so that the manage center can determine whether the unknown attack to the managed device exists or not according to the present invention.10-09-2008
20080244745METHOD AND APPARATUS FOR VERIFYING THE INTEGRITY AND SECURITY OF COMPUTER NETWORKS AND IMPLEMENTING COUNTER MEASURES - A system securing a computer network having various devices connected thereto. The system includes a security subsystem connected to the devices in the network, a master security system, and a first communication medium connected between the security subsystem and the master security system. The network devices generate event messages when under attack. The security subsystem generates multiple views, each view including a subset of the event messages generated by the devices. The security subsystem includes an event analyzer, which analyzes the event messages across multiple views to determine if any of the associated events exceeds a predetermined threshold. The master security system receives the associated events, which exceed the predetermined threshold, from the security subsystem through the first communication medium.10-02-2008
20080244744METHOD FOR TRACKING MACHINES ON A NETWORK USING MULTIVARIABLE FINGERPRINTING OF PASSIVELY AVAILABLE INFORMATION - A method for tracking machines on a network of computers. The method includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware finger print to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware finger print with the unknown host, and determining if the unknown host is the malicious host.10-02-2008
20080244743Computer System Architecture And Method Providing Operating-System Independent Virus-, Hacker-, and Cyber-Terror Immune Processing Environments - Information appliance, computing device, or other processor or microprocessor based device or system provides security and anti-viral, anti-hacker, and anti-cyber terror features, and can automatically create multiple sequentially or concurrently and intermittently isolated and/or restricted computing environments to prevent viruses, malicious or other computer hacking, computer or device corruption and failure by using these computing environments in conjunction with restricted and controlled methods of moving and copying data, combined with a process that destroys malicious code located in computing environments and data stores.10-02-2008
20080244741Intrusion event correlation with network discovery information - A policy component comprises policy configuration information. The policy configuration information contains one or more rules. Each rule and group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusions events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria is satisfied based on the correlation, a policy violation event may be issued by the system resulting in alerts or remediations.10-02-2008
20080235799Network Attack Signature Generation - Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.09-25-2008
20080222727SYSTEMS AND METHODS FOR PREVENTING INTRUSION AT A WEB HOST - A web host intrusion prevention system includes a filter engine [09-11-2008
20080222726NEIGHBORHOOD CLUSTERING FOR WEB SPAM DETECTION - A SPAM detection system is provided. The system includes a graph clustering component to analyze web data. A link analysis component can be associated with the graph clustering component to facilitate SPAM detection in accordance with the web data.09-11-2008
20080222725GRAPH STRUCTURES AND WEB SPAM DETECTION - A SPAM detection system is provided. The system includes a graph clustering component to analyze web data. A link analysis component can be associated with the graph clustering component to facilitate SPAM detection in accordance with the web data.09-11-2008
20080222724PREVENTION OF DENIAL OF SERVICE (DoS) ATTACKS ON SESSION INITIATION PROTOCOL (SIP)-BASED SYSTEMS USING RETURN ROUTABILITY CHECK FILTERING - A device receives an attack on a Session Initiation Protocol (SIP)-based device, determines a type of the attack, and applies, based on the determined type of the attack, a return routability check filter to the attack.09-11-2008
20130179969Apparatus and Method for Domain Name Resolution - An apparatus and method for enhancing the infrastructure of a network such as the Internet is disclosed. Multiple edge servers and edge caches are provided at the edge of the network so as to cover and monitor all points of presence. The edge servers selectively intercept domain name translation requests generated by downstream clients, coupled to the monitored points of presence, to subscribing Web servers and provide translations which either enhance content delivery services or redirect the requesting client to the edge cache to make its content requests. Further, network traffic monitoring is provided in order to detect malicious or otherwise unauthorized data transmissions.07-11-2013
20130179970Receiving Security Risk Feedback From Linked Contacts Due to a User's System Actions and Behaviors - An approach is provided in receiving risk feedback from a social network. Feedback transmissions are received by a user's system with each of the feedback transmissions being received over a computer network from a social network contact. The received feedback transmissions are analyzed and, based on the analysis, a risky action that was performed by the user is identified. The user performs a risk avoidance measure to counteract the identified risky action. In one embodiment, the risk avoidance measure is reported back to the user's contacts.07-11-2013
20130179971Virtual Machines - A computerized method for detecting a threat by observing multiple behaviors of a computer system in program execution from outside of a host virtual machine, including mapping a portion of physical memory of the system to a forensic virtual machine to determine the presence of a first signature of the threat; and, on the basis of the determination deploying multiple further forensic virtual machines to determine the presence of multiple other signatures of the threat.07-11-2013
20130145466System And Method For Detecting Malware In Documents - In one embodiment, a method includes identifying, using one or more processors, a plurality of characteristics of a Portable Document Format (PDF) file. The method also includes determining, using the one or more processors, for each of the plurality of characteristics, a score corresponding to the characteristic. In addition, the method includes comparing, using the one or more processors, the determined scores to a first threshold. Based at least on the comparison of the determined scores to the first threshold, the method includes determining, using the one or more processors, that the PDF file is potential malware.06-06-2013
20110271344ILLEGAL MODULE IDENTIFYING DEVICE, INFORMATION PROCESSING DEVICE, ILLEGAL MODULE IDENTIFYING METHOD, ILLEGAL MODULE IDENTIFYING PROGRAM, INTEGRATED CIRCUIT, ILLEGAL MODULE DISABLING SYSTEM, AND ILLEGAL MODULE DISABLING METHOD - A malicious-module identification device (11-03-2011
20120255007SYSTEMS AND METHODS FOR MANAGING APPLICATIONS - A system for managing applications. The system includes a first device, a second device, a first interface and a second interface. The first device is responsible for exhibiting and providing the applications to one or more user(s). The second device is responsible for managing the applications which are uploaded by one or more developer(s) who have developed the applications. The first interface is provided for the second device to submit the applications to the first device. The second interface is provided for the first device to transmit at least a report message to the second device.10-04-2012
20120255005INFORMATION PROCESSING APPARATUS AND METHOD, AND PROGRAM - An information processing apparatus including: an attack detection unit that detects an attack; and a strength adjustment unit that incrementally raises the strength of a security measure every time that an attack is detected by the attack detection unit.10-04-2012
20120255004SYSTEM AND METHOD FOR SECURING ACCESS TO SYSTEM CALLS - In one embodiment, a system for securing access to system calls includes a memory, an operating system configured to execute on an electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources associated with a system call for which attempted accesses will be trapped, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is authorized, and operate at a level below all of the operating systems of the electronic device accessing the one or more resources associated with a system call.10-04-2012
20120255003SYSTEM AND METHOD FOR SECURING ACCESS TO THE OBJECTS OF AN OPERATING SYSTEM - In one embodiment, a system for protecting an electronic device against malware includes an object-oriented operating system configured to execute on the electronic device and a below-operating-system security agent. The below-operating-system security agent may be configured to trap an attempted access of an object manager of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device. In some embodiments, the below-operating-system security agent may determine whether the attempted access is indicative of malware by comparing the attempted access to a behavioral state map to determine if the attempted access represents behavior associated with malware.10-04-2012
20120255001SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER FILTER ATTACHMENT - A system for protecting an electronic system against malware includes an operating system configured to execute on the electronic device, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic system accessing the one or more resources for changing filters of the driver.10-04-2012
20120255000SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING OF INTERDRIVER COMMUNICATION - In one embodiment, a system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access by a first driver of the operating system of a second driver of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the second driver.10-04-2012
20120254999SYSTEMS AND METHOD FOR REGULATING SOFTWARE ACCESS TO SECURITY-SENSITIVE PROCESSOR RESOURCES - A method for protecting an electronic device against malware includes consulting one or more security rules to determine a processor resource to protect, in a module below the level of all operating systems of the electronic device, intercepting an attempted access of the processor resource, accessing a processor resource control structure to determine a criteria by which the attempted access will be trapped, trapping the attempted access if the criteria is met, and consulting the one or more security rules to determine whether the attempted access is indicative of malware. The attempted access originates from the operational level of one of one or more operating systems of the electronic device10-04-2012
20130133072NETWORK PROTECTION SYSTEM AND METHOD - Systems and methods for protecting at least one client from becoming part of at least one botnet. The system may comprise virtual machines deliberately infected with malicious content and operable to record botnet communications to and from criminal servers. The virtual machines are in communication with a processing unit configured to index data collected. Data related to the prevalence of cyber threats may be presented to users in response to queries.05-23-2013
20130139263SYSTEMS AND METHODS FOR FINGERPRINTING PHYSICAL DEVICES AND DEVICE TYPES BASED ON NETWORK TRAFFIC - Systems and methods for providing device and/or device type fingerprinting based on properties of network traffic originating from a device to be identified. In one implementation, the method includes capturing packets routed through a network at an intermediate node between the originating device to be identified and destination, measuring properties of the captured traffic, including packet inter-arrival time, and generating a signature based on the measured properties that includes identifying information about the hardware and/or software architecture of the device. Various implementations do not require deep packet inspection, do not require a managed device-side client, are protocol and packet payload agnostic, and effective for MAC or IP-level encrypted streams. Also, various implementations can provide wired-side detection of wireless devices and device types and can detect both previously detected and unknown devices.05-30-2013
20130139261METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE THROUGH CONTEXTUAL CONVICTIONS - Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, we describe methods, components, and systems that leverage important contextual information from a client system (such as recent history of events on that system) to detect malicious software that might have otherwise gone ignored. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.05-30-2013
20130091570SHORT-RANGE MOBILE HONEYPOT FOR SAMPLING AND TRACKING THREATS - Files received by a mobile device are sampled for malware tracking. The method includes configuring file transfer mechanisms that use short-range communication technology on the mobile device to appear, to other devices, to be open for accepting all attempts to transfer files. The method further comprises intercepting files transferred via the short-range communication technology to the mobile device from another device. The method also comprises quarantining the files transferred to the mobile device and logging identifying information about each of the files quarantined and about the other devices from which each of the files originated. The method further includes providing the logged identifying information for the files received to a security server. The method can also include, responsive to a request from the security server for more information about one of the files, providing a copy of that file to the security server for malware analysis and for updating a reputation system tracking mobile device malware.04-11-2013
20130091573SYSTEM AND METHOD FOR A DISTRIBUTED APPLICATION OF A NETWORK SECURITY SYSTEM (SDI-SCAM) - A widely distributed security system (SDI-SCAM) that protects computers at individual client locations, but which constantly pools and analyzes information gathered from machines across a network in order to quickly detect patterns consistent with intrusion or attack, singular or coordinated. When a novel method of attack has been detected, the system distributes warnings and potential countermeasures to each individual machine on the network. Such a warning may potentially consist of a probability distribution of the likelihood of an intrusion or attack as well as the relative probabilistic likelihood that such potential intrusion possesses certain characteristics or typologies or even strategic objectives in order to best recommend and/or distribute to each machine the most befitting countermeasure(s) given all presently known particular data and associated predicted probabilistic information regarding the prospective intrusion or attack. If any systems are adversely affected, methods for repairing the damage are shared and redistributed throughout the network.04-11-2013
20130091572Systems, methods, and devices for defending a network - Certain exemplary embodiments comprise a method comprising: within a backbone network: for backbone network traffic addressed to a particular target and comprising attack traffic and non-attack traffic, the attack traffic simultaneously carried by the backbone network with the non-attack traffic: redirecting at least a portion of the attack traffic to a scrubbing complex; and allowing at least a portion of the non-attack traffic to continue to the particular target without redirection to the scrubbing complex.04-11-2013
20130091571SYSTEMS AND METHODS OF PROCESSING DATA ASSOCIATED WITH DETECTION AND/OR HANDLING OF MALWARE - The present disclosure relates to malware and, more particularly, towards systems and methods of processing information associated with detecting and handling malware. According to certain illustrative implementations, methods of processing malware are disclosed. Moreover, such methods may include one or more of unpacking and/or decrypting malware samples, dynamically analyzing the samples, disassembling and/or reverse engineering the samples, performing static analysis of the samples, determining latent logic execution path information regarding the samples, classifying the samples, and/or providing intelligent report information regarding the samples.04-11-2013
20130097704Handling Noise in Training Data for Malware Detection - Described systems and methods allow the reduction of noise found in a corpus used for training automatic classifiers for anti-malware applications. Some embodiments target pairs of records, which have opposing labels, e.g. one record labeled as clean/benign, while the other labeled as malware. When two such records are found to be similar, they are identified as noise and are either discarded from the corpus, or relabeled. Two records may be deemed similar when, in a simple case, they share a majority of features, or, in a more sophisticated case, they are sufficiently close in a feature space according to some distance measure.04-18-2013
20130104230System and Method for Detection of Denial of Service Attacks - Systems and methods for detecting a denial of service attack are disclosed. These may include receiving a plurality of web log traces from one of a plurality of web servers; extracting a first set of features from the plurality of web log traces; applying a first machine learning technique to the first set of features; producing a first plurality of user classifications for communication to the web server; extracting a second set of features from the plurality of web log traces; applying a second machine learning technique to the second set of features; producing a second plurality of user classification for communication to the web server; communicating the first plurality of user classifications to the web server based at least on the plurality of web log traces; and communicating the second plurality of user classifications to the web server based at least on the plurality of web log traces.04-25-2013
20130104233NETWORK DATA CONTROL DEVICE AND NETWORK DATA CONTROL METHOD FOR CONTROLING NETWORK DATA THAT GENERATES MALICIOUS CODE IN MOBILE EQUIPMENT - Provided are a device and a method of controlling network data induced by a malicious code of a mobile apparatus. Information input by a user through an input unit of a mobile apparatus is analyzed to determine whether or not the network data generated in the mobile apparatus are network data which are generated in accordance with user's intention, the network data generated in accordance with user's intention are transmitted to an external communication network, the network data which are generated irrespective of user's intention is consider to be network data which causes extrusion of personal information of the user which is induced by the malicious code residing in the mobile apparatus or an external attacker or network data which attack the external communication network, so that transmission of the network data to the external communication network is blocked.04-25-2013
20130104232APPLIQUE PROVIDING A SECURE DEPLOYMENT ENVIRONMENT (SDE) FOR A WIRELESS COMMUNICATIONS DEVICE - A security appliqué provides a secure deployment environment (SDE) for a wireless communications device. The Security appliqué isolates the security features, requirements, and information security boundaries such that no hardware modifications are required to a wireless communications device. Rather, a security module thin client is provided to the wireless communications device to provide the Secure Deployment Environment (SDE). The wireless communications device is coupled to the security appliqué via the standard connection interface. Through the standard connection interface, the security appliqué provides the SDE for the wireless communications device without implementing modifications to the wireless communications device.04-25-2013
20130104231CYBER SECURITY IN AN AUTOMOTIVE NETWORK - Preventing spoofing in an automotive network includes monitoring, by electronic control unit, data packets on a bus in the automotive network. Upon determining, in response to the monitoring, that a data packet is from a source other than the electronic control unit, the preventing spoofing in the automotive network includes generating and transmitting a diagnostic message to at least one module in the automotive network over the bus, the diagnostic message instructing the at least one module to take no action on the data packet.04-25-2013
20130125237OFFLINE EXTRACTION OF CONFIGURATION DATA - A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on other operations that access the configuration database, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests antimalware programs using cached information without impacting other programs using the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access the configuration database.05-16-2013
20130133068METHOD, APPARATUS AND SYSTEM FOR PREVENTING DDOS ATTACKS IN CLOUD SYSTEM - A method, an apparatus and a system for preventing DDoS (Distributed Denial of Service) attacks in a cloud system. The method for preventing DDoS attacks in a cloud system includes: monitoring, by a protection node in a cloud system, data traffic input into virtual machines, where the cloud system includes the protection node and multiple virtual machines, and data streams communicated between the virtual machines pass through the protection node; extracting data streams to be input into virtual machines if it is detected that the data traffic input into the virtual machines is abnormal; sending the extracted data streams to a traffic cleaning apparatus for cleaning; receiving the data streams cleaned by the traffic cleaning apparatus; and inputting the cleaned data streams into the virtual machines. The technical solutions provided in the embodiments of the present disclosure can effectively prevent DDoS attacks between virtual machines in the cloud system.05-23-2013
20130145468SECURITY SYSTEM BASED ON INPUT SHORTCUTS FOR A COMPUTER DEVICE - A method of activating security functions on a computer device, for example a mobile communications device. The computer device includes a device state that may be realized by way of a first user input or a second user input. The method includes designating the first user input to realize the device state as a security rule having an associated security function, detecting realization of the device state, and activating the associated security function if the device state was realized by way of the second user input rather than the first user input. For example, the first user input may be a shortcut input, and the second user input may be a conventional or normal input.06-06-2013
20080201779AUTOMATIC EXTRACTION OF SIGNATURES FOR MALWARE - Method for the automatic generation of malware signatures from computer files. A common function library (CFL) created, wherein the CFL contains any functions identified as a part of the standard computer language used to write computer files which are known as not containing malware. The functions of a computer file which does contain a malware are extracted and the CFL is updated with any new common functions if necessary, such that the remaining functions are all considered as candidates for generating the malware signature. The remaining functions are divided into clusters according to their location in the file and the optimal cluster for generating the malware signature is determined. One or more of the functions in the optimal cluster is selected randomly, as the malware signature.08-21-2008
20080201778INTRUSION DETECTION USING SYSTEM CALL MONITORS ON A BAYESIAN NETWORK - Selected system calls are monitored to generate frequency data that is input to a probabilistic intrusion detection analyzer which generates a likelihood score indicative of whether the system calls being monitored were produced by a computer system whose security has been compromised. A first Bayesian network is trained on data from a compromised system and a second Bayesian network is trained on data from a normal system. The probabilistic intrusion detection analyzer considers likelihood data from both Bayesian networks to generate the intrusion detection measure.08-21-2008
20130145467SYSTEMS AND METHODS FOR DETECTING A SECURITY BREACH IN A COMPUTER SYSTEM - The present invention provides systems and methods for applying hard-real-time capabilities in software to software security. For example, the systems and methods of the present invention allow a programmer to attach, a periodic integrity check to an application so that an attack on the application would need to succeed completely within a narrow and unpredictable time window in order to remain undetected.06-06-2013
20120278889DETECTING MALICIOUS BEHAVIOUR ON A NETWORK - An intrusion detection device (11-01-2012
20130152199Decoy Network Technology With Automatic Signature Generation for Intrusion Detection and Intrusion Prevention Systems - Improved methods and systems for decoy networks with automatic signature generation for intrusion detection and intrusion prevention systems. A modular decoy network with front-end monitor/intercept module(s) with a processing back-end that is separate from the protected network. The front-end presents a standard fully functional operating system that is a decoy so that the instigator of an attack is lead to believe a connection has been made to the protected network. The front-end includes a hidden sentinel kernal driver that monitors connections to the system and captures attack-identifying information. The captured information is sent to the processing module for report generation, data analysis and generation of an attack signature. The generated attack signature can then be applied to the library of signatures of the intrusion detection system or intrusion prevention system of the protected network to defend against network based attacks including zero-day attacks.06-13-2013
20130139260Providing a Malware Analysis Using a Secure Malware Detection Process - In certain embodiments, a computer-implemented system comprises a boundary controller and a first malware detection agent. The boundary controller is operable to implement a security boundary between a first computer network environment and a second computer network environment. The second computer network environment has a security classification level that is more restrictive than a security classification level of the first computer network environment. The boundary controller is operable to receive from the first computer network environment a file. The first malware detection agent is positioned in the second computer network environment and is operable to receive via the boundary controller the file and apply a first malware detection process on the file. The first malware detection process is subject to the security classification level of the second computer network environment.05-30-2013
20130139262Taint injection and tracking - An embodiment or embodiments of an electronic device can comprise an input interface and a hardware component coupled to the input interface. The input interface can be operable to receive a plurality of taint indicators corresponding to at least one of a plurality of taints indicative of potential security risk which are injected from at least one of a plurality of resources. The hardware component can be operable to track the plurality of taints.05-30-2013
20130205392METHOD AND SYSTEM FOR CONTENT DISTRIBUTION NETWORK SECURITY - A content delivery system includes an upload module, a content delivery module, and a monitoring module. The upload module is configured to receive content from a content provider, detect content containing malicious software or proprietary information, and provide information about the content to a monitoring module. The content delivery module is configured to detect content containing malicious software or unauthorized changes, detect operational changes to the content delivery module, provide information about the content and the operational changes to the monitoring module, receive a request for the content from a client system, and provide the content to the client system. The monitoring module is configured to monitor a network for potentially malicious traffic, receive information from the content delivery module and the upload module, correlate the information and the potentially malicious traffic to identify a security event, and trigger a response to the security event.08-08-2013
20100319070Transformative rendering of internet resources - Apparatus and method for transforming internet resources into safely rendered versions of the same. The invention provides transformative rendering of internet resources to remove malicious code before displaying in a browser or its associated application. Malicious code blockage is accomplished by re-writing all code that is to be transferred to the client browser. Since malicious code is often disguised (or obfuscated), the invention will not attempt to rewrite the entire code set on the page but will still make available the functionality of that code through frequent interaction between the invention's rendering processor and the client browser.12-16-2010
20120284795METHOD AND SYSTEM FOR REGULATING HOST SECURITY CONFIGURATION - A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.11-08-2012
20120284794PEER INTEGRITY CHECKING SYSTEM - A distributed file integrity checking system is described. The described peer integrity checking system (PICS) may negate an attack by storing a properties database amongst nodes of a peer-to-peer network of hosts, some or all of which co-operate to protect and watch over each other.11-08-2012
20120284793INTRUSION DETECTION USING MDL CLUSTERING - An intrusion detection method, system and computer-readable media are disclosed. The system can include a processor programmed to perform computer network intrusion detection. The intrusion detection can include an identification module and a detection module. The identification module can be adapted to perform semi-supervised machine learning to identify key components of a network attack and develop MDL models representing those attack components. The detection module can cluster the MDL models and use the clustered MDL models to classify network activity and detect polymorphic or zero-day attacks.11-08-2012
20130160119SYSTEM SECURITY MONITORING - A computing device may receive netflow data that includes information corresponding to network-side activity associated with a target device. The computing device may evaluate the netflow data based on a netflow signature to identify potentially malicious activity. The netflow signature may include information corresponding to two or more network events occurring in a particular order. The computing device may report, to another computing device, that potentially malicious activity, corresponding to the network data, has been detected based on the evaluation of the netflow data.06-20-2013
20080263666METHOD AND APPARATUS FOR DETECTING PORT SCANS WITH FAKE SOURCE ADDRESS - A computer implemented method, apparatus, and computer program product for port scan protection. A reply data packet having a modified transmission control protocol header is generated to form a modified reply data packet, in response to detecting a port scan. The modified reply data packet will illicit a response from a recipient of the modified data packet. The reply data packet is sent to a first Internet protocol address associated with the port scan. A second Internet protocol address is identified from a header of the response to the modified reply data packet. The second Internet protocol address is an actual Internet protocol address of a source of the port scan. All network traffic from the second Internet protocol address may be blocked to prevent an attack on any open ports from the source of the port scan.10-23-2008
20130160120PROTECTING END USERS FROM MALWARE USING ADVERTISING VIRTUAL MACHINE - Techniques are disclosed for an AdVM (Advertising Virtual Machine) system, modules, components and methods that provide multiple layers of ad security for end-users. AdVM browsers isolate, monitor and restrict ads in sandboxes. AdVM browsers are configurable to monitor, report abuse and restrict ad performance based on configurable parameters such as system usage, security, privacy, inadvertent clicks, required ad ratings, permissions (whitelisting) and denials (blacklisting). AdVM browser abuse reports are used to generate profiles, whitelists and blacklists for ads, advertisers and other ad participants, which AdVM browsers use to allow or deny ad performances. Publishers assist AdVM browsers with ad detection by declaring ads in content. Ad security is improved by participation of advertisers, ad networks and an ad quality authority in creating trusted or rated ads that can be selected and verified over untrusted or unrated ads. Improving end-user trust in online advertising protects both end-users and legitimate online advertising.06-20-2013
20130160121METHOD AND APPARATUS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM - The present invention provides a method and apparatus for detecting intrusions in a processor-based system. One embodiment of the method includes calculating a first checksum from first bits representative of instructions in a block of a program concurrently with executing the instructions. This embodiment of the method also includes issuing a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using second bits representative of instructions in the block when the second checksum is calculated.06-20-2013
20130160122TWO-STAGE INTRUSION DETECTION SYSTEM FOR HIGH-SPEED PACKET PROCESSING USING NETWORK PROCESSOR AND METHOD THEREOF - A system and method for detecting network intrusion by using a network processor are provided. The intrusion detection system includes: a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field among information included in a packet header of a packet transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector. Thereby, intrusion detection for high-speed packets can be performed in a network environment.06-20-2013
20130160123Methods, Systems, and Computer Program Products for Mitigating Email Address Harvest Attacks by Positively Acknowledging Email to Invalid Email Addresses - A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.06-20-2013
20130185795METHODS AND SYSTEMS FOR PROVIDING NETWORK PROTECTION BY PROGRESSIVE DEGRADATION OF SERVICE - Systems and methods are provided for protecting a defense with a self defending intrusion system. Data packets may be monitored to detect a pattern of activity indicating a potential attack. Upon detection of a threat, a countermeasure or progressive degradation of network services may be initiated on a selected basis so controllable reduce performance of data communication of the device.07-18-2013
20130185796METHOD AND APPARATUS FOR SECURE AND RELIABLE COMPUTING - In one embodiment, the invention is a method and apparatus for secure and reliable computing. One embodiment of an end-to-end security system for protecting a computing system includes a processor interface coupled to at least one of an application processor and an accelerator of the computing system, for receiving requests from the at least one of the application processor and the accelerator, a security processor integrating at least one embedded storage unit and connected to the processor interface with a tightly coupled memory unit for performing at least one of: authenticating, managing, monitoring, and processing the requests, and a data interface for communicating with a display, a network, and at least one embedded storage unit for securely holding at least one of data and programs used by the at least one of the application processor and the accelerator.07-18-2013
20110314545METHOD AND SYSTEM FOR AUTOMATIC INVARIANT BYTE SEQUENCE DISCOVERY FOR GENERIC DETECTION - A method for creating a set of genericized signatures for detection of byte sequences in computer code includes accessing a first set of sample signatures, determining a maximum number of wildcards that a wildcarded signature may comprise, determining a first wildcarded signature corresponding to the first set of sample signatures, evaluating the first wildcarded signature, and repeating the steps of evaluating for any second wildcarded signatures. Each of the signatures corresponds to an instance of malware. The evaluation further includes if the number of wildcards in the first wildcarded signature exceeds the maximum number of wildcards, determining a plurality of second wildcarded signatures corresponding to a plurality of subsets of the set of sample signatures. The evaluation further includes if the number of wildcards in the first wildcarded signature is less than or equal to the maximum number of wildcards, adding the first wildcarded signature to a set of genericized signatures.12-22-2011
20110314544EVALUATING SHELL CODE FINDINGS - Concepts and technologies are described herein for evaluating shellcode findings. In accordance with the concepts and technologies disclosed herein, shellcode findings can be evaluated to determine if the shellcode findings are legitimate, or if the shellcode findings are false positive shellcode findings. Legitimate shellcode findings can be determined based not simply upon patterns associated with the suspected shellcode itself, but also based upon a pattern of bit-level entropy in the memory around the suspected shellcode. Mathematical models of the memory can be generated and analyzed to determine if the shellcode finding is legitimate.12-22-2011
20110314543SYSTEM STATE BASED DIAGNOSTIC SCAN - In some embodiments, a local agent on a target system may evaluate current and/or historical system state information from a store (either local or remote) and dynamically adjust the level of diagnosis performed during the scan based on the evaluated state information. Individual diagnostic scans may, for example, be enabled and disabled based on the context in the store, and each scan may update the context for further evaluation. By employing such an approach, systems with a low risk profile and lacking symptoms of a problem may be scanned quickly while systems that show signs of a problem or have a high risk profile may receive a more thorough evaluation.12-22-2011
20130191917PATTERN DETECTION - Data is moved through a pipeline as processing of the data unrelated to detection of pattern is performed. The detector detects the pattern within the data at a predetermined location or based on a predetermined reference as the data is moved through the pipeline, in parallel with the processing of the data as the data is moved through the pipeline. The detector detects the pattern within the data as the data is moved through the pipeline without delaying movement of the data into, through, and out of the pipeline.07-25-2013
20130191915METHOD AND SYSTEM FOR DETECTING DGA-BASED MALWARE - System and method for detecting a domain generation algorithm (DGA), comprising: performing processing associated with clustering, utilizing a name-based features clustering module accessing information from an electronic database of NX domain information, the randomly generated domain names based on the similarity in the make-up of the randomly generated domain names; performing processing associated with clustering, utilizing a graph clustering module, the randomly generated domain names based on the groups of assets that queried the randomly generated domain names; performing processing associated with determining, utilizing a daily clustering correlation module and a temporal clustering correlation module, which clustered randomly generated domain names are highly con-elated in daily use and in time; and performing processing associated with determining the DGA that generated the clustered randomly generated domain names.07-25-2013
20130191916DEVICE AND METHOD FOR DATA MATCHING AND DEVICE AND METHOD FOR NETWORK INTRUSION DETECTION - The present invention discloses a device and method for data matching and a device and method for network intrusion detection. The method for data matching includes: searching in a regular expression set one or more complex regular expressions causing a sharp increase in number of states generated based on a regular expression during interaction; constructing a corresponding simplified expression for each complex regular expression; compiling a simplified state machine; compiling one or more substate machines, wherein each of the one or more substate machines is compiled based on a corresponding one of the one or more complex regular expressions; and matching data based on the simplified state machine and the one or more substate machines. The present invention further discloses a device for data matching employing the method for data matching and a device and method for intrusion detection employing the device and method for data matching.07-25-2013
20120023580METHOD FOR DETECTING AN ATTACK BY FAULT INJECTION INTO A MEMORY DEVICE, AND CORRESPONDING DETECTION SYSTEM - The method for detecting an attack by fault injection into memory positions includes a generation of an initial value of a reference indication including an application of a reversible mathematical operator to the values of the information stored in the memory positions. An updating of the value of this reference indication is performed on each write in at least one memory position by using the operator, the reverse operator and the values of the stored information before and after each write in the at least one memory position. And, in the presence of a request, a check is performed as to whether a criterion involving the values of the information stored in the memory positions at the time of the request and the operator or its reverse is or is not satisfied by the value of the reference indication at the time of the request.01-26-2012
20120030764SYSTEM FOR TRACKING MEDIA CONTENT TRANSACTIONS - A system that incorporates teachings of the present disclosure may include, for example, a web server having a controller adapted to manage an archive of media content for a subscriber, and record a transaction description and a corresponding tracking identifier for a transaction that manipulates the archive. Other embodiments are disclosed.02-02-2012
20120030763COUNTER-INVASIVE SOFTWARE SYSTEM AND METHOD - A method and apparatus for detecting, curing and remedying invasive software installation inadvertently, negligently, or intentionally marketed by a vendor. A party may procure a product that sends back invasive data to a source. A testing regimen may identify and defeat sources of any invasive executables found. Accordingly, a party may identify those software packages deemed invasive, and may optionally provide a solution to either defeat or monitor them, where practicable. An independent developer may obtain intellectual property rights in the testing, solution or both of the counter-invasive software system or product. An independent developer may become a supplier of testing or solution systems, motivating a supplier by one of several mechanisms. The developer or damaged party may obtain a legal status with respect to the vendor or of a host of software as a customer, user, clients, shareholder, etc., in order to exercise rights and remedies or provide motivation to a vendor who does not take responsibility for its actions as executed by its marketed products.02-02-2012
20120030762FUNCTIONAL PATCHING/HOOKING DETECTION AND PREVENTION - A method for preventing malicious attacks on software, using the patching method, includes providing a database of malicious known patches (malware). The database contains characteristic signatures of the malware. The method also includes detecting whether a patch is malicious by comparing it with a signature in the database and performing one or more activities needed to prevent the malicious patch from performing undesired activities.02-02-2012
20120030761IMPROPER COMMUNICATION DETECTION SYSTEM - An improper communication detection system that acquires packets that are circulated through a plant network by mirroring and detects improper communication includes a storage unit configured to prestore a session whitelist, which is a list of sessions that can be generated in the plant network; a session determination/separation unit configured to make a determination as to a success or failure of session approval on the basis of the acquired packet and configured to generate session information indicating an approved session; and a first improper communication detection unit configured to compare the session information generated by the session determination/separation unit with the session whitelist, and configured to detect communication related to the relevant session as improper communication when the session information does not match any session in the session whitelist.02-02-2012
20120030760METHOD AND APPARATUS FOR COMBATING WEB-BASED SURREPTITIOUS BINARY INSTALLATIONS - The present invention relates to a method and apparatus for combating web-based surreptitious binary installations. One embodiment of a method combating web-based surreptitious binary installations on a computing device includes intercepting a download of a file to a local file system of the computing device, storing the file in the local file system when the file is correlated with a user consent, and storing the file in a secure zone of the computing device when the file is not correlated with a user consent, wherein files stored in the secure zone cannot be executed or propagated.02-02-2012
20120030759SECURITY PROTOCOL FOR DETECTION OF FRAUDULENT ACTIVITY EXECUTED VIA MALWARE-INFECTED COMPUTER SYSTEM - A security protocol is disclosed for detecting occurrences of intruder activity, including hidden or concealed activity that may occur in a computer system including a host platform operably connected to an application platform. The protocol relies on parameters defining a tag sequence and syntax commonly known to the application platform and host platform (and hence the user) to detect occurrences of intruder activity during the session.02-02-2012
20130198841Malware Classification for Unknown Executable Files - Devices, methods and instructions encoded on computer readable medium are provided herein for implementation of classification techniques in order to determine if an unknown executable file is malware. In accordance with one example method, an unknown executable file comprising a sequence of operation codes (opcodes) is received. Based on the operation codes of the unknown executable, a subset of executable files in a training set is identified in which each of the files in the subset have the same beginning sequence of operation codes as the unknown executable. After the subset is identified, a feature set extracted from the unknown executable file is compared to one or more feature sets extracted from each of executable files in the identified subset. A determination is made, based on the feature set comparison, whether the unknown executable file is malware.08-01-2013
20130198842METHOD FOR DETECTING A MALWARE - System and method for determining, by a security application, whether an examined software code is a malware, according to which the system detects whenever the examined process code performs system calls and further detects a call site. Pieces of code in the surrounding area of the site and/or in branches related to the site are analyzed and the properties of the analyzed pieces of code are compared with a predefined software code patterns, for determining whether the examined process code corresponds to one of the predefined software code patterns. Then the examined process code is classified according to the comparison results.08-01-2013
20120036577METHOD AND SYSTEM FOR ALERT CLASSIFICATION IN A COMPUTER NETWORK - A method and a system for classification of intrusion alerts in computer network is provided. The method comprises the steps of monitoring traffic data in a computer network, detecting an intrusion, providing an intrusion alert and data in relation to the intrusion alert, generating a statistical analysis of the data in relation to the intrusion alert and classifying the intrusion alert based on said statistical analysis. The intrusion alerts and the data in relation to an intrusion alert may be generated by anomaly-based intrusion detection system. The generating a statistical analysis may comprise generating information about a statistical distribution of n-grams in the data. The classification may comprise comparing the statistical analysis with a model analysis of intrusion alerts with predefined alert classes. This model may be generated by providing a training set of data in relation to alerts, generating a model statistical analysis of said data, predefining at least two alert classes, and assigning predefined alert classes to the statistical analysis, based on information provided by a signature-based intrusion detection system, or by a human operator.02-09-2012
20120297482SYSTEMS, METHODS, AND APPARATUS FOR NETWORK INTRUSION DETECTION - Systems, methods, and apparatus for network intrusion detection are provided. A device configured to facilitate network intrusion detection may include at least one memory and at least one processor. The at least one memory may be configured to store computer-executable instructions. The at least one processor may be configured to access the at least one memory and execute the computer-executable instructions to (i) identify a communication, the communication comprising one of (a) a communication received by the device or (b) a communication generated by the device; (ii) identify a type associated with the communication; (iii) determine, based at least in part upon the identified type, a list of acceptable content for the communication; (iv) analyze, based at least in part upon the determined list, the content of the communication; and (v) determine, based at least in part upon the analysis, whether the content is acceptable content.11-22-2012
20120060219Deviating Behaviour of a User Terminal - The invention relates to a method, device (03-08-2012
20120066766SYSTEMS AND METHODS FOR DETECTING A SECURITY BREACH IN A COMPUTER SYSTEM - The present invention provides systems and methods for applying hard-real-time capabilities in software to software security. For example, the systems and methods of the present invention allow a programmer to attach a periodic integrity check to an application so that an attack on the application would need to succeed completely within a narrow and unpredictable time window in order to remain undetected.03-15-2012
20120066765System and method for improving security using intelligent base storage - The present invention presents a system and method for providing improved security within a computer system by using an intelligent based storage system operating with the host unit whereby, the intelligent based storage system independently provides monitoring of files that should not be accessed, monitoring of files that should be accesses with strict regularity, and analysis of access patterns.03-15-2012
20130205394Threat Detection in a Data Processing System - A mechanism is provided for resolving a detected threat. A request is received from a requester to form a received request, statistics associated with the received request are extracted to form extracted statistics, rules validation is performed for the received request using the extracted statistics, and a determination is made as to whether the request is a threat. Responsive to a determination that the request is a threat, the requester is escalated using escalation increments, where the using escalation increments further comprises increasing user identity and validation requirements through one of percolate to a next user level or direct entry to a user level.08-08-2013
20130205393Increasing Availability of an Industrial Control System - A mechanism is provided to improve the availability of an ICS and an external system that uses data from the ICS by ensuring operation of the ICS and opera on of the system even if an anomaly has occurred in a device in the ICS. The mechanism receives measured data from the plurality of devices, calculates prediction data by using the measured data and correlation information used for deriving prediction data for correlated devices, and provides the measured data and the prediction data.08-08-2013
20120079595Snoop Echo Response Extractor - A mechanism is provided for identifying a snooping device in a network environment. A snoop echo response extractor generates an echo request packet with a bogus MAC address that will only be received by a snooping device. The snoop echo response extractor also uses an IP address that will cause the snooping device to respond to the echo request.03-29-2012
20120096552SYSTEM FOR AN ENGINE FOR FORECASTING CYBER THREATS AND METHOD FOR FORECASTING CYBER THREATS USING THE SYSTEM - A system for an engine for forecasting cyber threats and a method enabling the forecast of a low-level cyber threat and the forecast of a high-level cyber threat using the low-level cyber threat in a hierarchical structure of cyber threats are provided. The system includes a forecast information database which stores forecast information including cyber threat forecast items, a forecast schedule related to the items, forecast simulation information, forecast item hierarchical structure information, time series data on cyber threats, and sample data on cyber threats; a forecast engine core subsystem which forecasts the levels of threats for the cyber threat forecast items having a hierarchical structure using the forecast information stored in the forecast information database; and a forecast engine control interface which receives control commands for the forecast engine core subsystem from a user or external system, and delivers the received control commands to the forecast engine core subsystem.04-19-2012
20120096551INTRUSION DETECTING SYSTEM AND METHOD FOR ESTABLISHING CLASSIFYING RULES THEREOF - A method for establishing classifying rules of an intrusion detecting system is provided with the following steps. First, at least one decision tree is provided. Internal nodes of the decision tree respectively represent an attribute judgment condition, and leaf nodes respectively represent an attack event or non-attack event. Next, a plurality of attribute data of at least one new attack event is received. Then, a tree structure of the decision tree is adjusted according to the attribute data. Afterwards, at least one attack rule or at least one non-attack rule is outputted according to the adjusted decision tree. Further, the intrusion detection system is also provided.04-19-2012
20120096550PROVIDING SECURITY FOR A VIRTUAL MACHINE BY SELECTIVELY TRIGGERING A HOST SECURITY SCAN - The disclosed embodiments provide a system that protects an application from malware on a host system. During operation, the system receives a command to commence execution of the application on the host system. In response to the command, the system causes a security scan to be performed on the host system to detect malware, wherein the malware can compromise the security of the application. The system also restricts one or more operations associated with the application until the security scan successfully completes.04-19-2012
20120096549ADAPTIVE CYBER-SECURITY ANALYTICS - Performing adaptive cyber-security analytics including a computer implemented method that includes receiving a report on a network activity. A score responsive to the network activity and to a scoring model is computed at a computer. The score indicates a likelihood of a security violation. The score is validated and the scoring model is automatically updated responsive to results of the validating. The network activity is reported as suspicious in response to the score being within a threshold of a security violation value.04-19-2012
20120096548NETWORK ATTACK DETECTION - A method and apparatus are provided for detecting attacks on a data communication network. The apparatus includes a router with a mechanism for monitoring return messages addressed to an originating user system local to the router. The mechanism includes a message checker for identifying a return message of a specified nature and a rerouter for temporarily routing subsequent messages from the originating user system to the intrusion detection sensor.04-19-2012
20130212680METHODS AND SYSTEMS FOR PROTECTING NETWORK DEVICES FROM INTRUSION - Methods and systems for protecting a computing device to ensure network security are provided. In particular, one or more blacklists may be maintained by an Intrusion Protection System (IPS) for a computing device. Such blacklists may include information such as network addresses of suspected or confirmed rogue entities that pose threat to the security of the computing device. In an embodiment, the blacklists are dynamically updated (e.g., purged) when a network-related change is detected indicating, for example, that the computing device is moving from one network location to another. In some embodiments, one or more blacklists may each correspond to a communication channel, application, process or the like. In some embodiments, only selected blacklists are updated, such as those that are rendered stale or inapplicable by the detected network changes.08-15-2013
20130212681Security Monitoring System and Security Monitoring Method - The objective of the present invention is to provide a security monitoring system and a security monitoring method which is capable of a quick operation when an unauthorized access, a malicious program, and the like are detected, while the normal operation of the control system is not interrupted by an erroneous detection. The security monitoring system 08-15-2013