Inventors list

Assignees list

Classification tree browser

Top 100 Inventors

Top 100 Assignees


Vulnerability assessment

Subclass of:

726 - Information security

726022000 - MONITORING OR SCANNING OF SOFTWARE OR DATA INCLUDING ATTACK PREVENTION

Patent class list (only not empty are listed)

Deeper subclasses:

Entries
DocumentTitleDate
20110179493INFORMATION PROCESSING DEVICE, A HARDWARE SETTING METHOD FOR AN INFORMATION PROCESSING DEVICE AND A COMPUTER READABLE STORAGE MEDIUM STORED ITS PROGRAM - An information processing device includes a replacement function of a system unit in a partition and a TPM (trusted platform module) function in the system unit. The system unit sets the TPM to valid or invalid and a management unit sets a reserved system board in the partition. The TPM setting information of the system unit and the reserved setting information of the system unit by the management unit are notified each other and are exclusive controlled. It is effectively possible to execute a reserved SB function, which integrates the reserved system board and re-starts without manual operation even though using a system unit which mounts the trusted platform module.07-21-2011
20130031634SYSTEM AND METHOD FOR NETWORK-BASED ASSET OPERATIONAL DEPENDENCE SCORING - A system and method in one embodiment includes modules for identifying an asset with a vulnerability risk, identifying a service running on a port on the asset, identifying a connection to the port, calculating an operational dependence role of the asset as a function of the service and the connection, and modifying the vulnerability risk based on the operational dependence role. Other embodiments include identifying a protocol of a data packet at the port, classifying the protocol into a protocol category with a protocol importance score, calculating a connection average for the asset, classifying the connection average into a connection category with a connection score, and calculating a service dependence score. Other embodiments include calculating a host dependence score, assigning a data importance score to data communicated by the asset, and calculating the operational dependence role as a function of the host dependence score and data importance score.01-31-2013
20130031635System, Method and Computer Readable Medium for Evaluating a Security Characteristic - A method, system and computer program product for evaluating an IDP entity, the method includes evaluating an effect of at least one IDP rule applied by the IDP entity on legitimate traffic, based upon a network model; evaluating an effect of at least one IDP rule applied by the IDP entity based upon a network model and an attack model; determining an effectiveness of the IDP entity in response to the evaluated effects.01-31-2013
20120174231Assessing System Performance Impact of Security Attacks - A method for assessing an impact of a security attack on a system includes defining a system affecting metric for an observation period as a fraction of time the system satisfies a defined specification, defining a resource failure based model and a resource usage based model for the system, obtaining results for each of a plurality of states of the resource failure based model and the resource usage based model, solving the resource failure based model and the resource usage based model and obtaining a term fraction of time each model spends on each of the plurality of states, obtaining a state probability according to the term fraction, and obtaining a measure of the system affecting metric according to the state probability.07-05-2012
20100050263BROWSER BASED METHOD OF ASSESSING WEB APPLICATION VULNERABILITY - A novel and useful mechanism and method for assessing the vulnerability of web applications while browsing the application. As a user interacts with the web application, HTTP requests are sent from the browser to the web server. Each HTTP request is analyzed to determine if its associated elements need testing. Vulnerability assessment tests are sent to the server. Test results are then returned to the browser, where they are analyzed, displayed and/or stored in a log file.02-25-2010
20110191855IN-DEVELOPMENT VULNERABILITY RESPONSE MANAGEMENT - In-development vulnerability response management, in one aspect, may detect a code instance that matches a vulnerability pattern; generate one or more hints associated with the code instance in response to the detecting; retrieve an action response to the code instance that matches a vulnerability pattern; and associate the retrieved action response with the code instance.08-04-2011
20110191854METHODS AND SYSTEMS FOR TESTING AND ANALYZING VULNERABILITIES OF COMPUTING SYSTEMS BASED ON EXPLOITS OF THE VULNERABILITIES - A security tool can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities. The security tool can determine the risk level based on exploits associated with the vulnerabilities. The security tool can determine the risk level based on factors associated with the exploits such as whether an exploit exists, a rank of the exploit, a number of exploits that exist for the vulnerability, a difficulty to identify whether the exploit exists, and an effect of the exploit on the vulnerability. The security tool can a report identifying the vulnerabilities of the computing system, the exploits associated with the vulnerabilities, and the risk level of the vulnerabilities. The report can also include links to information about the exploits.08-04-2011
20130086685SECURE INTEGRATED CYBERSPACE SECURITY AND SITUATIONAL AWARENESS SYSTEM - An integrated cube security system for an organization, such as a governmental or private organization, is disclosed, as well as a method of monitoring security for such an organization against cyberspace vulnerabilities. One such method includes receiving a definition of physical and logical locations of data managed by the organization, and receiving a definition of one or more business rules representing detected circumstances under which the data may be compromised. The method also includes monitoring the data based on the business rules and definition of the physical and logical locations of data to detect a cyberspace or electronic data vulnerability. The method includes generating one or more reports based on monitoring the data and relating at least in part to access of the data, and communicating, via a secure communications module, the one or more reports to an individual included within a community of interest.04-04-2013
20130086686Automated Detection of Flaws and Incompatibility Problems in Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to a target deployment environment. Downgrader code in the application code is identified. Based on an input string, an output string that the downgrader code outputs in response to receiving the input string is identified. One or more sets of illegal string patterns are retrieved. Each of the one or more sets of illegal string patterns is associated with a corresponding deployment environment. The illegal string patterns are string patterns that a downgrader identifies in the information flow for security purposes. A determination is made as to whether the downgrader code is compatible with the target deployment environment based on the one or more sets of illegal string patterns and the output string. An output indicative of the results of the determining is generated.04-04-2013
20130086688WEB APPLICATION EXPLOIT MITIGATION IN AN INFORMATION TECHNOLOGY ENVIRONMENT - Methods, systems, and computer program products are provided herein for facilitating security in an information technology environment. Web application security vulnerabilities are discovered and addressed by means of virtual patches deployed to components of the information technology environment. An intelligent feedback loop is created to fill the void in the security of the web application when implemented in the specific information technology environment, thereby providing end-to-end security application management through dynamic, pre-emptive, and proactive security awareness and protection in the information technology environment. As new web application security vulnerabilities are discovered, the vulnerability is diagnosed and resolved to preemptively prevent exploitation of the security vulnerability.04-04-2013
20130086689SECURITY VULNERABILITY CORRECTION - Systems and methods for addressing security vulnerability in a program code are described. The method comprises detecting a security vulnerability. The method further comprises identifying a set of security solutions specified within a specification repository, wherein each security solution is associated with the detected security vulnerability. The method further comprises presenting the set of security solutions to a user for selection. The method further comprises transforming a program code portion associated with the detected security vulnerability in conformance with a security solution selected by the user from the set of security solutions.04-04-2013
20130086687CONTEXT-SENSITIVE APPLICATION SECURITY - In one implementation, a tag is associated with a tainted value of an application and an output context of the application that is associated with output from the application that includes the tainted value is determined. A taint processing is a applied to the tainted value in response to the output of the tainted value, the taint processing is compatible with the output context.04-04-2013
20080256638SYSTEM AND METHOD FOR PROVIDING NETWORK PENETRATION TESTING - A system and method for providing network penetration testing from an end-user computer is provided. The method includes the step of determining at least one of a version of a Web browser of a target computer, contact information associated with an end-user that uses the target computer, and applications running on the target computer. The method also includes the steps of determining exploits that are associated with the running applications and that can be used to compromise the target computer, and launching the exploits to compromise the target computer. Network penetration testing may also be provided by performing the steps of determining an operating system of a target computer, selecting one of a group of modules to use in detecting services of the target computer, and detecting the services of the target computer.10-16-2008
20100115621Systems and Methods for Detecting Malicious Network Content - A method for detecting malicious network content comprises inspecting one or more packets of network content, identifying a suspicious characteristic of the network content, determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic, identifying the network content as suspicious if the score satisfies a threshold value, executing a virtual machine to process the suspicious network content, and analyzing a response of the virtual machine to detect malicious network content.05-06-2010
20130086690Hygiene-Based Computer Security - A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.04-04-2013
20100043074METHOD AND APPARATUS FOR CRITICAL INFRASTRUCTURE PROTECTION - A method of risk management across a mission support network is provided, including identifying a mission of the mission support network, and identifying, by a computer processor, assets of the mission support network. The assets include a mission asset to support the mission and a support asset to provide support to the mission asset. Each of the assets is characterized by a criticality index value to measure how important the asset is to a performance of the mission, and a vulnerability index value to measure a vulnerability of the asset to a threat.02-18-2010
20120185944METHODS AND SYSTEMS FOR PROVIDING RECOMMENDATIONS TO ADDRESS SECURITY VULNERABILITIES IN A NETWORK OF COMPUTING SYSTEMS - A solution recommendation (SR) tool can receive vulnerabilities identified by a vulnerability scanner and/or penetration testing tool. The SR tool can determine various approaches for remediating or mitigating the identified vulnerabilities, and can prioritize the various approaches based on the efficiency of the various approaches in remediating or mitigating the identified vulnerabilities. The SR tool can recommend one or more of the prioritized approaches based on constraints such as cost, effectiveness, complexity, and the like. Once the one or more of the prioritized approaches are selected, the SR tool can recommend the one or more prioritized approaches to third-party experts for evaluation.07-19-2012
20090044277Non-invasive monitoring of the effectiveness of electronic security services - Systems for the non-invasive monitoring of the effectiveness of a customer's electronic security services include a test generation engine for generating and launching a denatured attack towards a customer's network. A monitoring and evaluation agent is operatively coupled to the test generation engine and is adapted to monitor and evaluate the denatured attack. A recording and analysis engine is adapted to record and analyze the results of the denatured attack. Other systems and methods are also provided.02-12-2009
20090328224Calculating Domain Registrar Reputation by Analysis of Hosted Domains - Reputations of domain registrars are calculated based on the hosting of risky domains. The more undesirable domains a registrar hosts, the lower is its reputation. The risk level of the hosted domains is also a factor in determining the reputation. When a user attempts to access a hosted domain, the calculated reputation of the hosting domain registrar is used in determining what security steps to apply to the access attempt. The worse the reputation of the hosting registrar, the more security is applied, all else being equal.12-31-2009
20090307777METHOD AND DEVICE FOR PREDICTING NETWORK ATTACK ACTION - A method for predicting a network attack action, including: monitoring a network status parameter and obtaining information of an attack action according to a change of the network status parameter; selecting a subsequent attack action which has a most possibility to happen from a plurality of subsequent attack actions of the attack action according to a correspondence between the attack action and the plurality of subsequent attack actions, the subsequent attack action which has the most possibility to happen being a subsequent attack action with a largest occurrence number among the subsequent attack actions corresponding to the attack action; and outputting the subsequent attack action which has the most possibility to happen as a predicted network attack action. A device for predicting a network attack action including an attack action management unit is also provided. The present invention describes the attack action procedure and the relation among attack actions during the attack action procedure and provides a network pre-warning method for determining which action is to be taken.12-10-2009
20120192281DETERMINING TECHNOLOGY-APPROPRIATE REMEDIATION FOR VULNERABILITY - A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between: a RID field, the contents of which denote an identification (ID) of a remediation (RID); at least one TID field, the contents of which denotes an ID of at least two technologies (TIDs), respectively; and at least one ACTID field, the contents of which denotes an ID of an action (ACTID). A method, of selecting a remediation that is appropriate to a technology present on a machine to be remediated, may include: providing such a machine-actionable memory; and indexing into the memory using a given RID value and a given TID value to determine values of the at-least-one ACTID corresponding to the given RID value and appropriate to the given TID value.07-26-2012
20120192280APPARATUS FOR ENHANCING WEB APPLICATION SECURITY AND METHOD THEREFOR - A system that incorporates teachings of the present disclosure may include, for example, constructing a symbolic representation from a portion of a web application that generates a plurality of structured query language (SQL) queries, parsing the symbolic representation into a plurality of trees, and adapting the web application with PREPARE statements according to the plurality of trees. Additional embodiments are disclosed.07-26-2012
20130074188METHODS AND SYSTEMS FOR IMPROVED RISK SCORING OF VULNERABILITIES - A security tool can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities based on base and optional CVSS vectors and additional factors that represent the evolving nature of vulnerabilities. Likewise, the security tool can determine an overall risk for vulnerabilities, an asset, and/or a collection of assets that encompasses a global view of an asset's risk and/or collection of assets' risk, business considerations of an entity that own and controls the asset and/or the collection of assets, and the entity's associations.03-21-2013
20130061328INTEGRITY CHECKING SYSTEM - An integrity checking system provides improved monitoring of an electronic device for unauthorized access and modification. The integrity checking system includes a controller with a secure memory. The secure memory stores test profile information, such as test type, test subject, test action, expected test response, test frequency, and result action. The controller reads the test profile information and executes the defined tests to monitor the integrity of the device, and either permit normal operation, or execute the result action (e.g., terminate program execution) depending on the test results.03-07-2013
20130061327System and Method for Evaluation in a Collaborative Security Assurance System - A security assurance system includes a back-end application and a computing resource. The back-end application receives a selection of a network security product that is associated with a protected network, and receives a selection of a threat from a plurality of threats stored on the security assurance system. The computing resource launches an evaluation of the security product based upon the threat, and reports to a user of the security assurance system a result of the evaluation.03-07-2013
20120117655System, Method, and Computer Program Product for Identifying Vulnerabilities Associated with Data Loaded in Memory - A system, method, and computer program product are provided for identifying vulnerabilities associated with data loaded in memory. In operation, a subset of data that is loaded in memory is identified. Additionally, the subset of data is compared to a list of known data. Furthermore, there is a reaction based on the comparison.05-10-2012
20130067583ANALYZING ACCESS CONTROL CONFIGURATIONS - A facility is described for analyzing access control configurations. In various embodiments, the facility comprises an operating system having resources and identifications of principals, the principals having access control privileges relating to the resources, the access control privileges described by access control metadata; an access control scanner component that receives the access control metadata, determines relationships between principals and resources, and emits access control relations information; and an access control inference engine that receives the emitted access control relations information and an access control policy model, analyzes the received information and model, and emits a vulnerability report. In various embodiments, the facility generates an information flow based on access control relations, an access control mechanism model, and an access control policy model; determines, based on the generated information flow, whether privilege escalation is possible; and when privilege escalation is possible, indicates in a vulnerability report that privilege escalation is possible.03-14-2013
20130067581INFORMATION SECURITY CONTROL SELF ASSESSMENT - Apparatuses, computer readable media, methods, and systems are described for identifying risk assessment queries for assessing risk of a process, providing the identified risk assessment queries to a client device for presentation, receiving response data from the client device comprising responses to the risk assessment queries, determining response values for at least some of the risk assessment queries based on the received response data, and calculating a process risk metric based on the determined response values.03-14-2013
20110023122INFORMATION PROVIDING SUPPORT DEVICE AND INFORMATION PROVIDING SUPPORT METHOD - It is an object to provide an information providing support device which is capable of encouraging a person having an intention or an obligation to provide information to provide safe and good quality information. An information providing support device of the present invention includes: an information storage unit for memorizing at least information input by a user of the information providing support device; an information providing request receiving unit for receiving the information providing request without intermediation of a user operation; an internal information retrieval unit for retrieving relevant information from the information storage unit in response to the information providing request received by the information providing request receiving unit, the relevant information being information relevant to the information providing request; and an information providing request presenting unit for presenting a predetermined information manager with the information providing request for which the relevant information has been retrieved by the internal information retrieval unit and the relevant information in association with each other, the information manager being authorized to permit the provision of the information stored in the information storage unit.01-27-2011
20130067584Content-Checking of Embedded Content in Digitally Encoded Documents - Methods and apparatus for network security content-checking, in particular simplifying the critical element of a content-checker so that it can be trusted and implemented in hardware logic. A method comprises determining whether a digitally encoded document contains any embedded documents; content-checking, by means of at least one hard-ware-implemented content-checker, at least one of the embedded documents separately from those parts of the digitally encoded document within which it was embedded; and releasing a version of the digitally encoded document responsive to the content-checking.03-14-2013
20130067582SYSTEMS, METHODS AND DEVICES FOR PROVIDING DEVICE AUTHENTICATION, MITIGATION AND RISK ANALYSIS IN THE INTERNET AND CLOUD - The present invention is a method to provide mechanisms and judgment to determine the ongoing veracity of “purported” devices (sometimes called spoofing) with such parameters as unique device ID, access history, paths taken and other environmental data (Device Authentication).03-14-2013
20090235359METHOD AND SYSTEM FOR PERFORMING SECURITY AND VULNERABILITY SCANS ON DEVICES BEHIND A NETWORK SECURITY DEVICE - A method and system of performing vulnerability and security scans on an internet connected device where the device is behind a network security device such as a firewall. The method is performed by having an agent that is local to the device to be scanned create a VPN connection with a scanning server and then performing the scanning over the VPN. The connection is terminated at the end to free up system resources.09-17-2009
20120233699K-ZERO DAY SAFETY - Systems and methods for determining a safety level of a network vulnerable to attack from at least one origin to at least one target are described. Machines, components, and vulnerabilities in a network may be associated to one another. Degrees of similarity among the vulnerabilities may be determined and subsets of vulnerabilities may be grouped based on their determined degrees of similarity to one another. This data may be used to generate an attack graph describing exploitation of vulnerabilities and grouped vulnerabilities and defining vulnerability exploit condition relationships between at least one origin and at least one target. The attack graph may be analyzed using a k-zero day metric function to determine a safety level.09-13-2012
20090013410DISTRIBUTED THREAT MANAGEMENT - A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.01-08-2009
20090007270SYSTEM AND METHOD FOR SIMULATING COMPUTER NETWORK ATTACKS - The present invention provides a system and method for providing computer network attack simulation. The method includes the steps of: receiving a network configuration and setup description; simulating the network configuration based on the received network configuration; receiving at least one confirmed vulnerability of at least one computer, machine, or network device in the simulated network; receiving a method for compromising the confirmed vulnerability of the at least one computer, machine, or network device; and virtually installing a network agent on the at least one computer, machine, or network device, wherein the network agent allows a penetration tester to execute arbitrary operating system calls on the at least one computer, machine, or network device.01-01-2009
20090007269USING IMPORTED DATA FROM SECURITY TOOLS - A device may create a new project that includes criteria, import findings from a group of different network security tools into the new project based on the criteria, normalize the imported findings, and store the normalized findings.01-01-2009
20080313739System Test and Evaluation Automation Modules - Methods are provided for providing uniform and repeatable information security (INFOSEC) assessments. In the embodiments, a security assessor interacts with a system test evaluation and automation module (S.T.E.A.M.) to perform an INFOSEC assessment on a computer system. S.T.E.A.M. generates reports and checklists to help determine whether the computer system being assessed is compliant with one or more INFOSEC requirements. Additionally, S.T.E.A.M. generates reports and checklists that assist the INFOSEC assessor in determining the most important, and most vulnerable data on the computer system.12-18-2008
20130167237DETECTION OF SECOND ORDER VULNERABILITIES IN WEB SERVICES - A system for detecting a vulnerability in a Web service can include a processor configured to initiate executable operations including determining whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service and, responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicating that the Web service has a potential vulnerability.06-27-2013
20130167238SYSTEM AND METHOD FOR SCANNING FOR COMPUTER VULNERABILITIES IN A NETWORK ENVIRONMENT - A method in one embodiment includes identifying a set of known vulnerabilities and a set of new vulnerabilities in an asset, selecting one or more scripts that include checks for vulnerabilities in a union of the set of known vulnerabilities and the set of new vulnerabilities, and using the selected scripts to scan the asset. Known vulnerabilities and new vulnerabilities may be identified by accessing results of previous scans on the asset. The method may also include identifying a plurality of assets to scan in a network, identifying a plurality of sets of known vulnerabilities and a plurality of sets of new vulnerabilities in substantially all assets in the plurality of assets, and inserting checks for vulnerabilities included in a union of the plurality of sets of known vulnerabilities and the plurality of sets of new vulnerabilities into the selected scripts.06-27-2013
20130167241Locating security vulnerabilities in source code06-27-2013
20130167240METHOD AND APPARATUS FOR DETECTING EVENTS PERTAINING TO POTENTIAL CHANGE IN VULNERABILITY STATUS - Method and apparatus for Vulnerability Assessment techniques is disclosed. A method comprises detecting an event on a target in real time or at periodic intervals, by at least one of an OS service, an OS command, a hook, and an API. The event comprises a change in status of at least one of a network interface, a server network service, a client network service, and a port. An apparatus comprises a target having at least one of a deployed server network service, and a deployed client network service; and an agent deployed on the target, to detect an event on the target in real time or at periodic intervals. At least one of the agent and the VA server detect the event comprising a change in the status of at least one of a network interface, the server network service, the client network service, and a port.06-27-2013
20130167239DETECTION OF SECOND ORDER VULNERABILITIES IN WEB SERVICES - A method of detecting a vulnerability in a Web service can include determining, using a processor, whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service. The method further can include, responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicating that the Web service has a potential vulnerability.06-27-2013
20110035803SYSTEM AND METHOD FOR EXTENDING AUTOMATED PENETRATION TESTING TO DEVELOP AN INTELLIGENT AND COST EFFICIENT SECURITY STRATEGY - A system and method for extending automated penetration testing of a target network is provided. The method comprises: computing a scenario, comprises the steps of: translating a workspace having at least one target computer in the target network, to a planning definition language, translating penetration modules available in a penetration testing framework to a planning definition language, and defining a goal in the target network and translating the goal into a planning definition language; building a knowledge database with information regarding the target network, properties of hosts in the network, parameters and running history of modules in the penetration testing framework; and running an attack plan solver module, comprising: running an attack planner using the scenario as input, to produce at least one attack plan that achieves the goal, and executing actions defined in the at least one attack plan against the target network from the penetration testing framework.02-10-2011
20120060222SECURITY STATUS AND INFORMATION DISPLAY SYSTEM - The present invention provides a system and method for reporting security information relating to a mobile device. A security component identifies security events on the mobile device that are processed on the mobile device or by a server. The security component then determines a security assessment for the mobile device based upon the detected security events. The security state assessment can be displayed in various different formats on the mobile device display or on a client computer through a user interface. The display may be persistent in the form of a desktop widget or home-screen item which enables the user or administrator to verify the functioning of security protection on the device and be alerted if the device needs attention without having to specifically seek such information.03-08-2012
20080282352Modification of Messages for Analyzing the Security of Communication Protocols and Channels - A system is used to analyze the implementation of a protocol by a device-under-analysis (DUA). The system includes a source endpoint, a destination endpoint (the DUA), and a message generator. The source endpoint generates an original message and attempts to send it to the DUA. The original message is intercepted by the message generator, which generates a replacement message. The replacement message is then sent to the DUA instead of the original message. The replacement message is deliberately improper so as to analyze the DUA's implementation of the protocol. The message generator includes a structure recognition system and a mutation system. The structure recognition system determines the underlying structure and/or semantics of a message. After the structure recognition system has determined the structure, it creates a description of the structure (a structure description). The mutation system modifies the message based on the structure description to generate a replacement message.11-13-2008
20110302657SECURITY COUNTERMEASURE FUNCTION EVALUATION PROGRAM - In a security countermeasure function evaluation apparatus, an estimator operates an input unit, whereby an evaluation point calculation unit makes an evaluation as to whether each item of countermeasure information representing a security countermeasure function in detail satisfies each item of sufficient condition table information, and the evaluation point is calculated from the evaluation result of each item, whereby the transition probability calculation unit calculates a transition probability based on the evaluation point.12-08-2011
20110302658METHOD, APPARATUS, AND SYSTEM FOR ENABLING A SECURE LOCATION-AWARE PLATFORM - A method, apparatus, and system enable a secure location-aware platform. Specifically, embodiments of the present invention may utilize a secure processing partition on the platform to determine a location of the platform and dynamically apply and/or change security controls accordingly.12-08-2011
20120159634VIRTUAL MACHINE MIGRATION - Attesting a virtual machine that is migrating from a first environment to a second environment includes in response to initiation of migration of the virtual machine from the first environment to the second environment, accessing one or more stored trust values generated during the trusted boot of the virtual machine in the first environment, determining if the accessed trust values define a security setting sufficient for the second environment, and if the accessed trust values do not define a security setting sufficient for the second environment, performing a predetermined action in relation to the migration of the virtual machine to the second environment.06-21-2012
20110296528SYSTEM AND METHOD FOR CREATING AND EXECUTING PORTABLE SOFTWARE - This invention generally relates to a process, system and computer code for creating a portable unit on a first computer to be executed on remote computers including creating an execution file having one or more tasks for deployment, said tasks having command line arguments executable as variables by the remote computer, assembled into a single execution file, validating the tasks and organizing nested tasks, said organizing step including collecting nested task information for each task and accounting for all dependencies to insure that files, tasks, and environments for running on one or more remote computers are present in the portable unit, said step of creating an execution file further including, reading the task file, scanning for event dependencies and embedding files and links needed for remote execution of the execution file, storing the dependencies in a dependency file, scanning for security, verifying the task file for proper formatting.12-01-2011
20090293128GENERATING A MULTIPLE-PREREQUISITE ATTACK GRAPH - In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge.11-26-2009
20100169974Measuring Coverage of Application Inputs for Advanced Web Application Security Testing - A computer implemented method, a data processing system, and a computer usable recordable-type medium having a computer usable program code monitor a black box web application security scan. A black box scan of a web application is initiated. The black box scan sends a test is sent to a plurality of web application inputs of the web application. A runtime analysis is performed on the black box scan of the web application. Based on the run time analysis of the black box scan, the black box scan is modified.07-01-2010
20100031362SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF MALICIOUS USE OF SERVERS - A system and method to protect web applications from malicious attacks and, in particular, a system and method for identification and blocking of malicious DNS servers. The system includes a central processing unit and first program instructions. The first program instructions identify a rogue Domain Name Service (DNS) by identifying that a DNS metric is outside a historical limit. The first program instructions are stored on the computer system for execution by the central processing unit.02-04-2010
20100100962INTERNET SECURITY DYNAMICS ASSESSMENT SYSTEM, PROGRAM PRODUCT, AND RELATED METHODS - Systems, program product, and methods related to dynamic Internet security and risk assessment and management, are provided. For example, a system, program product, and method of identifying and servicing actual customer requests to a defended or protected computer or server can include the steps/operations of receiving by the defended computer, a service request from each of a plurality of IP addresses associated with a separate one of a plurality of service requesting computers, sending an inspection code adapted to perform a virtual attack on each existing service requesting computers at each respective associated IP address, and restricting provision of services from the defended computer to a subset of the service requesting computers identified for restriction when a security feature of the respective service requesting computer is determined to have been defeated by the virtual attack.04-22-2010
20130219503SYSTEM, METHOD AND COMPUTER READABLE MEDIUM FOR EVALUATING POTENTIAL ATTACKS OF WORMS - A method for evaluating potential attacks of worms, the method includes: associating, in response to information representative of a network and of worm entities, between worm entities and potential worm sources to provide associated worm sources; determining potential worm attacks that start from the associated worm sources; and evaluating at least one potential worm attack security metric associated with the potential worm attacks.08-22-2013
20100100965SYSTEM AND METHOD FOR PROVIDING REMEDIATION MANAGEMENT - In one embodiment, software for remediation management is operable to automatically identify an asset in an enterprise network. One or more vulnerabilities of the identified asset is automatically identified based on comparing the identified asset to content associated with the one or more vulnerabilities. At least a portion of the content is collected from a plurality of third party content providers. Other example software for remediation management may be operable to identify one or more vulnerabilities of an asset based on comparing the asset to content associated with the one or more vulnerabilities and automatically generate remediations for the asset based on the content associated with the one or more vulnerabilities.04-22-2010
20100100964SECURITY STATUS AND INFORMATION DISPLAY SYSTEM - The present invention provides a system and method for reporting security information relating to a mobile device. The invention enables a security assessment to be displayed in various formats on the mobile device display or on a client computer. A security component identifies security events on the mobile device that are processed on the mobile device or by a server. The security component then determines a security assessment for the mobile device based upon the detected security events. The security assessment display may be persistent in the form of a desktop widget or dashboard on a client computer, or home-screen item on the mobile device. This allows a user or administrator to verify that security protection on the device is functioning and to be alerted if the device needs attention without having to specifically seek the information, thereby enabling immediate response to potential security problems.04-22-2010
20100100963SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as a cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device.04-22-2010
20120110674METHODS AND SYSTEMS FOR RATING PRIVACY RISK OF APPLICATIONS FOR SMART PHONES AND OTHER MOBILE PLATFORMS - Methods and systems for evaluating and rating privacy risks posed by applications intended for deployment on mobile platforms. Validating the “intent” of a mobile platform application vis-à-vis its impact on user privacy, as viewed from an end-user's perspective allows those end-users to make better-informed decisions concerning the downloading, installation and/or operation of mobile platform applications. In making such assessments user preferences can be taken into account. Privacy scores are provided through sales channels for the applications, thereby affording potential users the opportunity to assess whether they wish to incur the associated privacy risk, before purchasing a subject application.05-03-2012
20120110672SYSTEMS AND METHODS FOR CLASSIFICATION OF MESSAGING ENTITIES - Methods and systems for operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication based upon a plurality of criteria are analyzed, and a reputation score associated with the messaging entity is biased based upon the analysis of the identified plurality of biasing characteristics related to the messaging entity associated with the communication.05-03-2012
20120110671METHOD AND SYSTEM FOR ANALYZING AN ENVIRONMENT - A system for analyzing an environment to identify a security risk in a process, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and including components representing a patching process for the environment, a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters, and to use a results plan to provide data for identifying a security risk in the patching process using the multiple instances.05-03-2012
20120110670SYSTEM AND METHOD FOR ANALYZING A PROCESS - A system for analyzing a process, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and including components representing a process for provisioning and de-provisioning of access credentials for an individual in the environment and a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters, and to use a results plan to provide data for identifying the security risk using the multiple instances.05-03-2012
20120110669METHOD AND SYSTEM FOR ANALYZING AN ENVIRONMENT - A system for analyzing an environment to identify a security risk, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters.05-03-2012
20120110668Use of Popularity Information to Reduce Risk Posed by Guessing Attacks - A popularity determination module (PDM) is described which reduces the effectiveness of statistical guessing attacks. The PDM operates by receiving a password (or other secret information item) from a user. The PDM uses a model to determine whether the password is popular among a group of users. If so, the PDM may ask the user to select another password. In one implementation, the model corresponds to a probabilistic model, such a count-min sketch model. The probabilistic model provides an upper-bound assessment of a number of times that a password has been encountered. Further, the probabilistic model provides false positives (in which passwords are falsely assessed as popular) at a rate that exceeds a prescribed minimum rate. The false positives are leveraged to reduce the effectiveness of statistical guessing attacks by malicious entities.05-03-2012
20100122346METHOD AND APPARATUS FOR LIMITING DENIAL OF SERVICE ATTACK BY LIMITING TRAFFIC FOR HOSTS - A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packet is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.05-13-2010
20090077666Value-Adaptive Security Threat Modeling and Vulnerability Ranking - Among others, techniques and systems are disclosed for analyzing security threats associated with software and computer vulnerabilities. Stakeholder values relevant for a software system are identified. The identified stakeholder values are quantified using a quantitative decision making approach to prioritize vulnerabilities of the software system. A structured attack graph is generated to include the quantified stakeholder values to define a scalable framework to evaluate attack scenarios. The structured attack graph includes two or more nodes. Based on the generated structured attack graph, structured attack paths are identified with each attack path representing each attack scenario.03-19-2009
20080289043Network risk analysis - Analyzing security risk in a computer network includes receiving an event associated with a selected object in the computer network, and determining an object risk level for the selected object based at least in part on an event risk level of the event received, wherein the event risk level accounts for intrinsic risk that depends at least in part on the event that is received and source risk that depends at least in part on a source from which the event originated.11-20-2008
20080244746RUN-TIME REMEASUREMENT ON A TRUSTED PLATFORM - A method and system are disclosed. In one embodiment, the method includes invoking a run-time measurement agent (RTMA) to run on a trusted platform, the RTMA measuring a core system code block multiple times after a single boot on the trusted platform; and a trusted platform module storing these multiple measurements.10-02-2008
20080244747Network context triggers for activating virtualized computer applications - A computer system, comprising at least one controlled execution space hosting an operating system and an application program; a vulnerability monitoring agent coupled to the controlled execution space; one or more vulnerability profiles coupled to the vulnerability monitoring agent, wherein each of the vulnerability profiles comprises an application program identifier, an operating system identifier, a vulnerability specification describing a vulnerability of an application program that the application program identifier indicates when executed with an operating system that the operating system identifier indicates, and a remedial action which when executed will remediate the vulnerability; wherein the vulnerability monitoring agent is configured to monitor execution of the operating system and the application program in the controlled execution space, to detect an anomaly associated with the vulnerability, to determine the remedial action for the operating system and application program based on one of the vulnerability profiles, and to cause the remedial action.10-02-2008
20100281543Systems and Methods for Sensitive Data Remediation - Systems and methods for sensitive data remediation include calculating a Probability of Loss of data on a given computer based on measures of control, integrity, and potential avenues of exploitation of the given computer, determining an Impact of Loss of the data on the given computer based on a type, volume, and nature of the data, and correlating the Probability of Loss with the Impact of Loss to generate a risk score for the given computer that can be compared to other computers in the network. The computers with higher risk scores can then be subjected to data remediation activity.11-04-2010
20080271151Method and system for morphing honeypot with computer security incident correlation - A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. The morphing honeypot can also be integrated with intrusion detection systems and other types of computer security incident recognition systems to correlate its personality with detected nefarious activities.10-30-2008
20090094699APPARATUS AND METHOD OF DETECTING NETWORK ATTACK SITUATION - Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and a number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is a basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Equal numbers of hash engines and detection engines for processing the alarms in the network to the number of data groups classified as network attack situations are formed in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection.04-09-2009
20100095381DEVICE, METHOD, AND PROGRAM PRODUCT FOR DETERMINING AN OVERALL BUSINESS SERVICE VULNERABILITY SCORE - A device, method, and program product are disclosed which are configured to receive, at a risk analysis engine, one or more business service models from a configuration management database, wherein the one or more business service models each comprises a set of configuration items, and wherein the one or more business service models each indicate a type of configuration item and a connectivity of the configuration item; send the set of configuration items to a vulnerability assessment tool; receive, from the vulnerability assessment tool, one or more vulnerability assessment scores for each configuration item within the set of configuration items; determine an overall business service vulnerability score for each of one or more business services based on the one or more business service models and the vulnerability assessment scores received from the vulnerability assessment tool; and output electronically the overall business service vulnerability score.04-15-2010
20090172818METHODS AND SYSTEM FOR DETERMINING PERFORMANCE OF FILTERS IN A COMPUTER INTRUSION PREVENTION DETECTION SYSTEM - An intrusion prevention/detection system filter (IPS filter) performance evaluation is provided. The performance evaluation is performed at both the security center and at the customer sites to derive a base confidence score and local confidence scores. Existence of new vulnerability is disclosed and its attributes are used in the generation of new IPS filter or updates. The generated IPS filter is first tested to determine its base confidence score from test confidence attributes prior to deploying it to a customer site. A deep security manager and deep security agent, at the customer site, collect local confidence attributes that are used for determining the local confidence score. The local confidence score and the base confidence score are aggregated to form a global confidence score. The local and global confidence scores are then compared to deployment thresholds to determine whether the IPS filter should be deployed in prevention or detection mode or sent back to the security center for improvement.07-02-2009
20100125913System and Method for Run-Time Attack Prevention - Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function.05-20-2010
20090205047Method and Apparatus for Security Assessment of a Computing Platform - A system and method for automated security testing are disclosed. The disclosure provides for automated discovery of security vulnerabilities through the monitoring of activities that occur throughout the separate components of a computing platform during a testing session through a communications interface.08-13-2009
20090144828RAPID SIGNATURES FOR PROTECTING VULNERABLE BROWSER CONFIGURATIONS - Architecture for distributing rules-based, targeted vulnerability signatures to an application (e.g., a browser) in order to block exploitation of vulnerable objects (e.g., ActiveX controls) or protocols. The architecture provides a significant reduction in the window of vulnerability, thereby improving the user experience in the software products. The solution employs text in a configuration file (a realtime rule), which is fine-grained, works on both vendor-created and third-party controls, and is completely compatible except under attack conditions (and thus quick to deploy with minimal testing). Publication of the rule does not block legal uses of the vulnerable control and would not require a full testing procedure. Further, a vulnerable control with a proper vulnerability signature is as safe as running a fully-fixed control. The architecture can be extended to arbitrary binary behaviors, and shell protocols.06-04-2009
20090113551DEVICE AND METHOD FOR INSPECTING NETWORK EQUIPMENT FOR VULNERABILITIES USING SEARCH ENGINE - Provided is a device and method for inspecting network equipment for vulnerabilities using a search engine from a remote location. The device for inspecting network equipment for vulnerabilities includes: a network structure examination module for examining the structure of a system network and generating network structure information; a control module for selecting at least one subnet for vulnerability inspection according to the network structure information; a vulnerable network equipment examination module for examining at least one piece of target network equipment for vulnerability inspection in the at least one selected subnet using a search engine; a vulnerability inspection module for inspecting the target network equipment for vulnerabilities; and an inspection result display module for outputting inspection results received from the vulnerability inspection module. The time taken to perform a vulnerability inspection and the overhead of a system subject to inspection may be reduced by selecting one of the system's subnets for inspection according to network structure information, examining the selected subnet for potentially vulnerable network equipment using a search engine, and inspecting only potentially vulnerable network equipment for vulnerabilities.04-30-2009
20090113552System and Method To Analyze Software Systems Against Tampering - A system, article of manufacture and method is provided for determining the vulnerability to attack of a software system by generating a hybrid graph, the hybrid graph including an attack graph portion describing at least one potential attack goal on the software system and describing sub-attacks required to achieve the potential attack goal. The hybrid graph also includes a defense graph describing ways to defend against the potential sub-attacks. The hybrid attack-defense graph may be evaluated and a score may be calculated based on the evaluation.04-30-2009
20110173700IMAGE FORMING APPARATUS, SETTING METHOD OF IMAGE FORMING APPARATUS AND SECURITY SETTING APPARATUS - According to one embodiment, an image forming apparatus includes a database, an acquisition unit, a list creation unit and a list output unit. The database stores assets to be protected, threats to the protected assets and security protection methods to the threats. The acquisition unit acquires basic information inputted by an administrator. The list creation unit lists a threat to a protected asset estimated from the basic information acquired by the acquisition unit and a security protection method by referring to the database. The list output unit outputs information listed by the list creation unit.07-14-2011
20090282487Method of Managing and Mitigating Security Risks Through Planning - An exemplary method is provided for managing and mitigating security risks through planning. A first security-related information of a requested product is received. A second security-related information of resources that are available for producing the requested product is received. A multi-stage process with security risks managed by the first security-related information and the second security-related information is performed to produce the requested product.11-12-2009
20090119776METHOD AND SYSTEM FOR PROVIDING WIRELESS VULNERABILITY MANAGEMENT FOR LOCAL AREA COMPUTER NETWORKS - A Software-as-a-Service (SaaS) based method for providing wireless vulnerability management for local area computer networks. The method includes providing a security server being hosted by a service provider entity to provide analysis of data associated with wireless vulnerability management for a plurality of local area computer networks of a plurality of customer entities, respectively. The method includes creating a workspace for wireless vulnerability management for a customer entity on the security server and receiving configuration information associated with the workspace. The method also includes supplying one or more sniffers to the customer entity. The method includes receiving at the security server information associated with wireless activity monitored by the one or more sniffers at premises of the customer entity and processing the received information within the workspace for the customer entity using the security server. The method includes metering usage of the workspace for wireless vulnerability management for the customer entity.05-07-2009
20120144491Answering Security Queries Statically Based On Dynamically-Determined Information - A method includes analyzing execution of a software program, the software program having sources returning values, sinks that perform security-sensitive operations on those returned values or modified versions of the returned values, and flows of the returned values to the sinks, the analyzing determining a first set of methods having access to a value returned from a selected one of the sources. A static analysis is performed on the software program, the static analysis using the first set of methods to determine a second set of methods having calling relationships with the selected source, the static analysis determining whether the returned value from the selected source can flow through a flow to a sink that performs a security-sensitive operation without the flow to the sink being endorsed, and in response, indicating a security violation. Apparatus and computer program products are also disclosed.06-07-2012
20090119778METHOD AND APPARATUS FOR AUTOMATED TESTING SOFTWARE - A system for discovering, or at least providing information that might assist in discovering, compromised computers involved in a malicious distributed program. The system is based around a test computer which is deliberately infected by a component of the malicious distributed program. Traffic sent by that test computer when under control of that component is recorded. More sophisticated malicious programs alter the system files or system programs on the computer which they infect—this creates a problem in that automation of the discovery process is difficult to achieve. Embodiments described here overcome this problem by running through a list of malicious program components, and in between executing (05-07-2009
20090119777METHOD AND SYSTEM OF DETERMINING VULNERABILITY OF WEB APPLICATION - A method of determining vulnerability of web application comprises: selecting fixed parameters from parameters of URL link extracted from a website; determining whether a process of determining vulnerability for the selected fixed parameter is completed or not; inserting an attack pattern for each attack type to an input value for the selected fixed parameter, when the process of determining vulnerability for the selected fixed parameter is not completed; and determining vulnerability of the selected fixed parameter by each attack type through an analysis of response to an input of URL link with the attack pattern inserted thereinto.05-07-2009
20090049553Knowledge-Based and Collaborative System for Security Assessment of Web Applications - A standardized system for assessing the security of web based applications which has a component for collecting information regarding threat and vulnerabilities to web applications is described. The system includes a component for organizing the information regarding threat and vulnerabilities to web applications into a uniform language so that the information is integrated throughout the entirety of the system. Further, the system has a component for expressing the information in a structured and uniform format of a hierarchical relationship between threat and vulnerabilities which includes threat vulnerability trees. The system includes a component for rating the threats and vulnerabilities under a uniform rating system. The system includes a component for integrating the information into both a storage component and also a presentation component for presenting the information. The presentation component presents the information in a graphical format which visually demonstrates the relationships between the threats and the vulnerabilities.02-19-2009
20100138925METHOD AND SYSTEM SIMULATING A HACKING ATTACK ON A NETWORK - The present invention describes a method for simulating a hacking attack on a Network, wherein the Network comprises at least one of a plurality of data processing units (DPUs), a plurality of users and a plurality of communication links, to assess vulnerabilities of the Network. The method includes receiving one or more scan parameters for the Network. Further, the method includes creating at least one master agent by a system to gather information about the Network, wherein the information pertains to critical and non-critical information about the Network. The method includes creating an Information Model and then incrementally updating the Information Model during the hacking attack. The Information Model is the abstract representation of information collected by the system. Furthermore, the method includes generating a Multiple Attack Vector (MAV) graph based on one or more scan parameters and the Information Model. MAV has the ability to combine plurality of low and medium severity vulnerabilities associated with the data processing units (DPUs), users and communication links, correlate vulnerabilities in combination with Information Model and generate high severity attack paths that can lead to compromise of the Network. Moreover, the method includes launching one or more attacks based on the MAV graph to compromise the Network. The method further includes installing at least one slave agent on the compromised Network to perform the one or more attacks in a distributed manner. Moreover, the method includes performing a multi stage attack by using the at least one slave agent and the at least one master agent by repeating above steps. Finally, the method includes generating a report by the scan controller, wherein the report contains details about the compromised Network and the vulnerabilities of the Network.06-03-2010
20080235801Combining assessment models and client targeting to identify network security vulnerabilities - Described is a technology for managing network security by having network clients that are capable of self-assessment assess themselves for security risks and/or security vulnerabilities. Other clients may be remotely assessed for security risks and/or security vulnerabilities. Assessments may include antimalware scans, vulnerability assessment, and/or port scans. The results of the self-assessments and remote assessments are combined into a data set (e.g., a view) indicative of the network security state. In this manner, for example, significant network resources are conserved by allowing those clients capable of self-assessment to assess themselves and thereafter only provide their self-assessment results. Clients capable of self-assessment may also be remotely assessed, to determine whether any discrepancies exist between their remote assessments and self-assessments. Clients may be discovered, along with their self-assessment capabilities, by network communication.09-25-2008
20080271150SECURITY BASED ON NETWORK ENVIRONMENT - A method comprises assessing a network environment in which an electronic device is present and implementing a security feature based on the assessment of the network environment. Assessing the network environment comprises identifying other network entities on a network to which the electronic device is coupled.10-30-2008
20080229422Enterprise security assessment sharing - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Its tentative nature is reflected in two of its components: a fidelity field used to express the level of confidence in the assessment, and a time-to-live field for an estimated time period for which the assessment is valid. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to security threats.09-18-2008
20120198555TESTING WEB SERVICES THAT ARE ACCESSIBLE VIA SERVICE ORIENTED ARCHITECTURE (SOA) INTERCEPTORS - Systems, methods, and computer program products are disclosed for testing web service-related elements, where the instructions of a web service-related element are statically analyzed to identify a characteristic of an output of the web service-related element, and where it is determined from a received response to a web service request that the web service request was processed by the web service-related element if at least a portion of the response matches the characteristic of the output of the web service-related element.08-02-2012
20090025084FRAUD DETECTION FILTER - A fraud detection filter installed in an application server including a secure application is disclosed. In one embodiment, the filter includes a rules engine for receiving request data representing an access request for the secure application from a user. The engine applies at least one risk condition rule to the request data to generate a risk probability level, and detects at least one fraud condition when the risk probability level exceeds a threshold level, before passing the access request to the secure application.01-22-2009
20090199298ENTERPRISE SECURITY MANAGEMENT FOR NETWORK EQUIPMENT - The inventive device includes a dashboard or graphical user interface (GUI), a security access control (AUTH) and secure communications sub-system (SEC-COMM), network and asset discover and mapping system (NAADAMS), an asset management engine (AME), vulnerability assessment engine (CVE-DISCOVERY), vulnerability remediation engine (CVE-REMEDY), a reporting system (REPORTS), a subscription, updates and licensing system (SULS), a countermeasure communications system (COUNTERMEASURE-COMM), a logging system (LOGS), a database integration engine (DBIE), a scheduling and configuration engine (SCHED-CONFIG), a wireless and mobile devices/asset detection and management engine (WIRELESS-MOBILE), a notification engine (NOTIFY), a regulatory compliance reviewing and reporting system (REG-COMPLY), client-side (KVM-CLIENT) integration with KVM over IP or similar network management equipment, authentication-services (KVM-AUTH) integration with KVM over IP or similar network management equipment and server-side (KVM-SERVER) integration with KVM over IP or similar network management equipment.08-06-2009
20090064337METHOD AND APPARATUS FOR PREVENTING WEB PAGE ATTACKS - A method and apparatus for preventing web page attacks are disclosed. Specifically, one embodiment of the present invention sets forth a method, which includes the steps of examining an object property from a web page requested by a client computer in real-time before the client computer receives the web page, assessing a collective risk level associated with the web page causing harm to the client computer based on the result of examining the object property, and performing an action with regards to the web page according to the collective risk level.03-05-2009
20120079598TIERED RISK MODEL FOR EVENT CORRELATION - A method for real-time threat monitoring includes identifying two or more real time vulnerabilities, each associated with one or more objects of an enterprise, correlating the two or more real-time vulnerabilities to each other, applying a risk tiering model to the correlated real-time vulnerability, thereby classifying the correlated real-time vulnerability into risk tiers, and initiating an alert based on the correlated real-time vulnerability and the risk tiers into which the correlated real-time vulnerability is classified. According to other embodiments a method includes applying a risk methodology to log data contained in one or more object logs thereby identifying one or more security events, applying a risk tiering model to the one or more security events, thereby classifying the security events into risk tiers, and initiating an alert based on the security events and the risk tiers into which the security events are classified.03-29-2012
20080263671System and Method for Providing Application Penetration Testing - A system and method provide application penetration testing. The system contains logic configured to find at least one vulnerability in the application so as to gain access to data associated with the application, logic configured to confirm the vulnerability and determine if the application can be compromised, and logic configured to compromise and analyze the application by extracting or manipulating data from a database associated with the application. In addition, the method provides for penetration testing of a target by: receiving at least one confirmed vulnerability of the target; receiving a method for compromising the confirmed vulnerability of the target; installing a network agent on the target in accordance with the method, wherein the network agent allows a penetration tester to execute arbitrary operating system commands on the target; and executing the arbitrary operating system commands on the target to analyze risk to which the target may be exposed.10-23-2008
20110231935SYSTEM AND METHOD FOR PASSIVELY IDENTIFYING ENCRYPTED AND INTERACTIVE NETWORK SESSIONS - The system and method for passively identifying encrypted and interactive network sessions described herein may distribute a passive vulnerability scanner in a network, wherein the passive vulnerability scanner may observe traffic travelling across the network and reconstruct a network session from the observed traffic. The passive vulnerability scanner may then analyze the reconstructed network session to determine whether the session was encrypted or interactive (e.g., based on randomization, packet timing characteristics, or other qualities measured for the session). Thus, the passive vulnerability scanner may monitor the network in real-time to detect any devices in the network that run encrypted or interactive services or otherwise participate in encrypted or interactive sessions, wherein detecting encrypted and interactive sessions in the network may be used to manage changes and potential vulnerabilities in the network.09-22-2011
20110231937GENERATING A MULTIPLE-PREREQUISITE ATTACK GRAPH - In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge.09-22-2011
20110231936Detection of vulnerabilities in computer systems - Systems, methods, and apparatus, including computer program products, for detecting a presence of at least one vulnerability in an application. The method is provided that includes modifying instructions of the application to include at least one sensor that is configurable to generate an event indicator, wherein the event indicator includes at least some data associated with the event; storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application; analyzing the stored event indicators; detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and reporting the presence of at least one vulnerability.09-22-2011
20120096558Assessing Threat to at Least One Computer Network - Apparatus configured to determine predicted threat activity based on stochastic modelling of threat events capable of affecting at least one computer network in which a plurality of systems operate.04-19-2012
20080276320Byte-distribution analysis of file security - A method for scanning files for security, including receiving an unfamiliar file for scanning, if the determining indicates that the mime type is suitable for analysis, then processing a buffer of file data from the unfamiliar file, including generating a histogram of frequencies of occurrence of bytes within a buffer of file data from the unfamiliar file, excluding a designated set of bytes, and if the generated histogram of frequencies of occurrence of the non-excluded bytes deviates substantially from a reference distribution, then signaling that the unfamiliar file is potentially malicious. A system and a computer-readable storage medium are also described and claimed.11-06-2008
20120036579SYSTEM AND METHOD FOR DETECTING ABNORMAL SIP TRAFFIC ON VOIP NETWORK - Provided is a system for detecting abnormal traffic on a network. The system includes: a receiving module which receives session initiation protocol (SIP) traffic information from a network; a decoding module which receives the SIP traffic information from the receiving module and decodes the received SIP traffic information; a traffic information database (DB) which receives the decoded SIP traffic information from the decoding module and stores the received SIP traffic information; an analysis traffic information DB which collects information from the traffic information DB for a predetermined period and stores the collected information as analysis traffic information; a reference traffic information DB which stores reference traffic information; and an attack detection module which compares the analysis traffic information with the reference traffic information and detects whether analysis traffic is attack traffic.02-09-2012
20090100522WEB FIREWALL AND METHOD FOR AUTOMATICALLY CHECKING WEB SERVER FOR VULNERABILITIES - Provided is a web firewall for automatically checking for vulnerabilities, including: an administrating server scheduling part for ordering the examination of an administrating web server according to a predetermined examination schedule; a vulnerability search database calling part for calling a vulnerability search database previously stored according to the order of the administrating server scheduling part; a vulnerability searching part for searching for potential vulnerabilities of the administrating web server corresponding to data included in the called vulnerability search database; a vulnerability information deducing part for optimizing the results searched in the vulnerability searching part to deduce vulnerability information; a vulnerability checking part for checking the vulnerabilities of the administrating web server based on the results deduced from the vulnerability information deducing part; and a detailed vulnerability information reporting part for reporting detailed information on the checked vulnerabilities.04-16-2009
20090260086CONTROL FRAMEWORK GENERATION FOR IMPROVING A SECURITY RISK OF AN ENVIRONMENT - Apparatus and method for managing risk in an environment where information is received regarding a problem in an environment. A security risk is analyzed associated with the problem. Controls associated with the environment containing the problem are analyzed. A framework is generated defining one or more controls for mitigating the security risk responsive to the analyzed security risk and controls.10-15-2009
20090178142END USER RISK MANAGEMENT - A flexible, efficient and easy-to-use computer security management system effectively evaluates and responds to informational risks on a wide variety of computing platforms and in a rapidly changing network environment. An individual computer system dynamically monitors its end user, without regard to network connectivity, in order to calculate a risk score and to ensure that the end user's behavior does not put corporate information or other assets at risk. Data regarding such risks and responses are analyzed and stored in real-time.07-09-2009
20090254993SYSTEM FOR IMPLEMENTING SECURITY ON TELECOMMUNICATIONS TERMINALS - A system includes at least one telecommunications terminal having data processing capabilities, the telecommunications terminal being susceptible of having installed thereon software applications, wherein each software application has associated therewith a respective indicator adapted to indicate a level of security of the software application, the level of security being susceptible of varying in time; a software agent executed by the at least one telecommunications terminal, the software agent being adapted to conditionally allow the installation of software applications on the telecommunications terminal based on the respective level of security; a server in communications relationship with the software agent, the server being adapted to dynamically calculate the level of security of the software applications, and to communicate to the software agent the calculated level of security of the software applications to be installed on the telecommunications terminal.10-08-2009
20090265787SECURITY MATURITY ASSESSMENT METHOD - In general, the invention relates to a method for assessing an information security policy and practice of an organization. The method includes collecting information about the information security policy and practice of the organization, generating a rating for each of a plurality of information security items using a security maturity assessment matrix and the collected information, and generating a graphical assessment of the ratings. The security maturity assessment matrix includes a first dimension and a second dimension, where the first dimension corresponds to the information security items and the second dimension corresponds to maturity levels. Further, each rating is derived using the first dimension and the second dimension. 10-22-2009
20100162401RISK MODEL CORRECTING SYSTEM, RISK MODEL CORRECTING METHOD, AND RISK MODEL CORRECTING PROGRAM - A risk value is calculated to suit a state and environment of an analysis target system, by presenting data for determining whether or not a calculated risk is correct, and presenting portions for parameters to be changed such as weights related to a threat, a vulnerability and a measure contained in the risk model. A risk model correcting system includes a risk model storage section that stores as a risk model, a correspondence relationship between threats constituting a risk and a measure for each threat, and parameters including weights of them; an information collecting section that collects data of an analysis target system; an influence degree calculating section that calculates an influence degree of the existence or non-existence of the measure on a result of the calculation of the risk value; a risk analyzing section that performs a risk analysis on the analysis target system; and a reason presenting section that present a reason of the risk calculation by presenting the influence degree calculated by the risk degree calculating section.06-24-2010
20090260087EXECUTABLE CONTENT FILTERING - Malicious executable content in network messages (e.g., request and response hypertext transfer protocol message) can circumvent some security measures. In addition, conventional security measures aimed at capturing malicious executable content noticeably impact system performance. Stream based filtering of network messages allows for efficient processing to remove malicious executable content. Furthermore, an extensible framework for executable content filtering streaming message elements allows for efficient adaptation of an executable content filter to new threats disguised as executable content.10-15-2009
20100169975SYSTEMS, METHODS, AND DEVICES FOR DETECTING SECURITY VULNERABILITIES IN IP NETWORKS - This invention is a system, method, and apparatus for detecting compromise of IP devices that make up an IP-based network. One embodiment is a method for detecting and alerting on the following conditions: (1) Denial of Service Attack; (2) Unauthorized Usage Attack (for an IP camera, unauthorized person seeing a camera image); and (3) Spoofing Attack (for an IP camera, unauthorized person seeing substitute images). A survey of services running on the IP device, historical benchmark data, and traceroute information may be used to detect a possible Denial of Service Attack. A detailed log analysis and a passive DNS compromise system may be used to detect a possible unauthorized usage. Finally, a fingerprint (a hash of device configuration data) may be used as a private key to detect a possible spoofing attack. The present invention may be used to help mitigate intrusions and vulnerabilities in IP networks.07-01-2010
20120246730SYSTEM AND METHOD FOR PREDICTIVE MODELING IN A NETWORK SECURITY SERVICE - The system and method for predictive modeling in a network security service described herein may provide a scalable architecture that can model information relating to any specific threat or potential threat in a network and manage routing requests relating to the threat information among various entities participating in the security service. In particular, the scalable architecture may include various distributed databases that store serialized information describing threat instances, wherein a detection service may maintain information identifying entities associated with the databases storing the serialized information. Further, the security service may include a hierarchical subscriber name service that participating entities can traverse to locate the serialized threat information in the various databases and evaluate how the threat instances may have evolved or progressed through the network.09-27-2012
20100192228DEVICE, METHOD AND PROGRAM PRODUCT FOR PRIORITIZING SECURITY FLAW MITIGATION TASKS IN A BUSINESS SERVICE - A device, method, and program product for prioritizing security flaw mitigation tasks is provided. The device, method, and program product are configured to receive, at a risk analysis engine, one or more business service models from a configuration management database, wherein the one or more business service models each comprises a set of configuration items, and wherein the one or more business service models each indicate a type of configuration item and a connectivity of the configuration item. The set of configuration items are sent to a vulnerability assessment tool to obtain one or more vulnerability assessment scores for each configuration item within the set of configuration items. A risk score for each configuration item is then determined. In turn, a prioritized list of configuration items is output based on the risk score of each configuration item.07-29-2010
20120198558XSS DETECTION METHOD AND DEVICE - The present invention discloses a XSS detection method for detecting the XSS vulnerabilities in a web page, comprising for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which a dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content, if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device and a web site security scanning system and a web scanning system using such a device.08-02-2012
20120198557DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO PRIVILEGE-ESCALATION ATTACKS - Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the date source.08-02-2012
20080209567ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS - Security assessment and vulnerability testing of software applications is performed based at least in part on application metadata in order to determine an appropriate assurance level and associated test plan that includes multiple types of analysis. Steps from each test are combined into a “custom” or “application-specific” workflow, and the results of each test may then be correlated with other results to identify potential vulnerabilities and/or faults.08-28-2008
20120198556INSIDER THREAT PING AND SCAN - Embodiments of the present invention provide apparatuses and methods for identifying computer systems that pose a threat for potential dissemination of confidential information, and thereafter, scanning the computer systems for unauthorized activity related to potential dissemination of confidential information. Embodiments of the invention comprise compiling a list of user computer systems that are at risk of accessing, using, or disseminating confidential information; determining whether the computer systems on the list are available for scanning; and scanning the computer systems on the list to identify an incident related to potential or actual threats or breaches of confidential information.08-02-2012
20100218256SYSTEM AND METHOD OF INTEGRATING AND MANAGING INFORMATION SYSTEM ASSESSMENTS - A system and method for performing information system assessments, collecting the results, providing an analysis and evaluation of the results to provide a comprehensive and integrated assessment of the information system.08-26-2010
20080209563Runtime Security and Exception Handler Protection - In various embodiments, redirection techniques can be utilized to protect against insecure functionality, to mitigate scripting vulnerabilities, and to protect vulnerable exception handlers. In at least some embodiments, a program can be protected from a security vulnerability by using a runtime shield which changes the behavior of the program while it is running. The shield effectively provides a redirection solution that addresses the vulnerability while, at the same time, does not alter the particular program's executable code.08-28-2008
20080209564Security protection for a customer programmable platform - A method of preventing a customer programmable device from causing security threats to itself or to a communication system is provided. The method includes establishing one or more thresholds by programming or configuring of the device, detecting whether one or more of the thresholds have been exceeded using one or more detection mechanisms, and taking action in response to each threshold that has been exceeded.08-28-2008
20080209566Method and System For Network Vulnerability Assessment - The present invention relates to a simultaneous system for finding and assessing vulnerabilities in a network, which comprises: A. A mapping unit for: (a) scanning the network, and each time a new element is found, reporting its IP address to a profiling unit; (b) sequentially receiving from the profiling unit profile records of said newly found elements; (c) sequentially extracting tables from those elements which their profile record indicates that they are of the network equipment type; and (d) sequentially reporting to a modeling and simulating unit topology records which include said found IPs, and for those elements being of a network equipment type, said topology records also include said extracted tables; B. A profiling unit for sequentially receiving IP addresses of network elements from the mapping unit, investigating each of said elements, forming a profile record for each of said elements, and sequentially transferring said profile records to both the mapping unit and to a vulnerability assessment unit; C. A vulnerability assessment unit for: (a) sequentially receiving profile records from the profiling unit; (b) determining a list of those vulnerability tests that have to be performed on each element; (c) performing for each element those vulnerability tests that are included in its corresponding list, and determining for each test a passed or failed result; and (d) sequentially reporting to an modeling and simulation unit for each performed test, the IP of the element, the identity code of the element, and the passed or failed result; and D. A modeling and simulation unit for: (a) sequentially receiving topology records from the mapping unit, and each time a topology record is received, adding or subtracting respectively the corresponding element from a model of the network which is maintained at the modeling and simulation unit; (b) sequentially receiving from the vulnerability assessment unit vulnerability test (VT) results; and (c) sequentially analyzing the model currently existing at the modeling and simulation unit for the possibility of exploiting vulnerabilities of the network.08-28-2008
20120036580SELECTIVE WEBSITE VULNERABILITY AND INFECTION TESTING - In embodiments of the present invention improved capabilities are described for selective website vulnerability and infection testing and intelligently paced rigorous direct website testing. By providing robust website content integrity checking while only lightly loading the website hosting server, visitor bandwidth availability is maintained through selective testing and intelligently paced external website exercising. A modular pod-based computing architecture of interconnected severs configured with a sharded database facilitates selective website testing and intelligent direct website test pacing while providing scalability to support large numbers of website testing subscribers.02-09-2012
20090106844SYSTEM AND METHOD FOR VULNERABILITY ASSESSMENT OF NETWORK BASED ON BUSINESS MODEL - Provided are a system and a method for vulnerability assessment of a network based on a business model. In the system and method, services of each node existing in a monitoring target network are monitored, and a business model is generated on the basis of the monitored services so as to perform vulnerability assessment on the business model. Accordingly, it is possible to guarantee the safety and availability of the system and the network while the vulnerability assessment is performed.04-23-2009
20100251376METHODOLOGIES, TOOLS AND PROCESSES FOR THE ANALYSIS OF INFORMATION ASSURANCE THREATS WITHIN MATERIAL SOURCING AND PROCUREMENT - Enterprise resource planning systems and methods are described. Point sources for at-risk components and technologies in an enterprise are assembled, identified and localized by identifying factors such as geo-political affiliation of parties including employers, employees, organizations, education levels of the parties, capability and abilities to create or modify malware, and the financial level of the per-capita population model-based threat rankings. Threats to a pipeline are determined, ranked, and a targeted risk mitigation prioritization plan against identified high-level threats is created.09-30-2010
20100235917SYSTEM AND METHOD FOR DETECTING SERVER VULNERABILITY - Systems and methods for detecting vulnerability of a server are provided. One system includes: a check server for collecting response information with respect to at least one predetermined command from one or more service servers that provide service, and thus may be attacked from outside, and detecting and analyzing vulnerabilities of the service servers based on the collected response information; an administration terminal for displaying the results of detecting and analyzing the vulnerabilities of the service servers; and a database for storing and managing pattern information concerning the detected vulnerabilities. One method includes identifying a server that may be attacked by port scanning, receiving response information with respect to at least one predetermined command from the identified server, detecting and analyzing vulnerability of the server based on the response information, and reporting the result of the detection to an administration terminal.09-16-2010
20100235920METHOD AND DEVICE FOR QUESTIONING A PLURALITY OF COMPUTERIZED DEVICES - Some embodiments of the present invention may relate to a device and a method of questioning computerized devices within an organization's network. The device, in accordance with some embodiments of the present invention, may include a questioning module and an agentless module. The questioning module may be adapted to receive data specifying a plurality of computerized devices to be questioned, and to receive data indicating which one or more questioning subjects are selected to be questioned on the specified computerized devices. The agentless module may be adapted to invoke and configure at least a remote access process, to question at least a registry of a remote computerized device. In accordance with some embodiments of the present invention, the questioning module may be adapted to utilize multiple threads of the agentless module to invoke and configure a plurality of remote access processes to question in parallel and without using agents at least a registry of the specified computerized devices, in accordance with the selected questioning subjects.09-16-2010
20100235918Method and Apparatus for Phishing and Leeching Vulnerability Detection - A system and method for protection of Web based applications are described. Anomalous traffic can be identified by comparing the traffic to a profile of acceptable user traffic when interacting with the application. Phishing and leeching are one type of anomalous traffic that is detected. The anomalous traffic, or security events, identified at the individual computer networks are communicated to a central security manager. Various responsive actions may be taken in response to detection of phishing or leeching.09-16-2010
20100251375METHOD AND APPARATUS FOR MINIMIZING NETWORK VULNERABILITY - An apparatus, system, and method for controlling access to a network. A device controls communication between a computer and the network. The device includes an integrated circuit receiving signals from one or more peripheral devices and transmitting the received signals to the computer, a first data connection connecting the computer to the device, and a second data connection connecting the apparatus to a network. The device also includes a switch connecting the first and second data connections and permitting the computer to access the network when in a first state and disconnecting the first and second data connections when in a second state. The device further includes a timer determining the time period since the last transmission of signals from the one or more peripheral devices, and when the time period since the last transmission of signals exceeds a predetermined time period the integrated circuit causes the switch to change from the first state to the second state.09-30-2010
20100125912ESTIMATING AND VISUALIZING SECURITY RISK IN INFORMATION TECHNOLOGY SYSTEMS - Security risk for a single IT asset and/or a set of IT assets in a network such as an enterprise or corporate network may be estimated and represented in a visual form by categorizing risk into different discrete levels. The IT assets may include both computing devices and users. The risk categorization uses a security assessment of an IT asset that is generated to indicate the type of security problem encountered, the severity of the problem, and the fidelity of the assessment. The asset value of an IT asset to the enterprise is also assigned. Security risk is then categorized (and a numeric risk value provided) for each IT asset for different problem types by considering the IT asset value along with the severity and fidelity of the security assessment. The security risk for the enterprise is estimated using the numeric risk value and then displayed in visual form.05-20-2010
20080295178Indicating SQL injection attack vulnerability with a stored value11-27-2008
20100138926SELF-DELEGATING SECURITY ARRANGEMENT FOR PORTABLE INFORMATION DEVICES - A portable information device includes a dynamically configurable security arrangement in which operational settings are automatically and dynamically configured based on a current set of security risks to which the device is exposed, on a current computing capacity of the portable information device, or both. The operational settings can be adjusted to control which security services or functions are to be executed locally by portable information device, and which of the security services or functions are to be executed remotely on at least one computing device that is distinct from the portable information device.06-03-2010
20120144494SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target parts, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.06-07-2012
20090328222MAPPING BETWEEN USERS AND MACHINES IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM - Mapping between object types in an enterprise security assessment sharing (“ESAS”) system enables attacks on an enterprise network and security incidents to be better detected and capabilities to respond to be improved. The ESAS system is distributed among endpoints incorporating different security products in the enterprise network that share a commonly-utilized communications channel. An endpoint will generate a tentative assignment of contextual meaning called a security assessment that is published when a potential security incident is detected. The security assessment identifies the object of interest, the type of security incident and its severity. A level of confidence in the detection is also provided which is expressed by an attribute called the “fidelity”. ESAS is configured with the capabilities to map between objects, including users and machines in the enterprise network, so that security assessments applicable to one object domain can be used to generate security assessments in another object domain.12-31-2009
20090328223EVALUATING THE EFFECTIVENESS OF A THREAT MODEL - Evaluating a threat model for structural validity and descriptive completeness. A threat modeling application provides a progress factor or other overall score associated with the structural validity and descriptive completeness of the threat model being evaluated. The structural validity is evaluated based on a data flow diagram associated with the threat model. The descriptive completeness is evaluated by reviewing descriptions of threat types in the threat model. The progress factor encourages modelers to provide effective models to a model reviewer, thus saving time for the model reviewer.12-31-2009
20090320138NETWORK SECURITY SYSTEM HAVING A DEVICE PROFILER COMMUNICATIVELY COUPLED TO A TRAFFIC MONITOR - A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.12-24-2009
20090172817METHOD, APPARATUS AND SYSTEM FOR CONTAINING AND LOCALIZING MALWARE PROPAGATION - A method, apparatus and system contain and localize malware propagation. In one embodiment, a security scheme may identify worm traffic that attempts to probe an unused network location. The security scheme may then in conjunction with a routing component, reroute the worm traffic to a contained and localized location. In one embodiment, the contained and localized location is a virtual machine (VM) within a virtualized platform. In other embodiments, the contained and localized location is a computer system on a network.07-02-2009
20090320136IDENTIFYING EXPLOITATION OF VULNERABILITIES USING ERROR REPORT - A tool and method examine error report information from a computer to determine not only whether a virus or other malware may be present on the computer but also may determine what vulnerability a particular exploit was attempting to use to subvert security mechanism to install the virus. A system monitor may collect both error reports and information about the error report, such as geographic location, hardware configuration, and software/operating system version information to build a profile of the spread of an attack and to be able to issue notifications related to increased data collection for errors, including crashes related to suspected services under attack.12-24-2009
20090320137SYSTEMS AND METHODS FOR A SIMULATED NETWORK ATTACK GENERATOR - Systems and methods for generating a network attack within a simulated network environment including a module configured for creating one or more attack events against network devices within the simulated network environment wherein the attack events include exploitations of published and unpublished vulnerabilities and failures of hardware and software network systems, devices, or applications within the simulated network environment and for executing the created attack event on the simulated network environment and having an interface configured for receiving metadata regarding each attack event and adding the received attack event metadata to each associated attack event.12-24-2009
20090113549SYSTEM AND METHOD TO ANALYZE SOFTWARE SYSTEMS AGAINST TAMPERING - A system, article of manufacture and method is provided for determining the vulnerability to attack of a software system by generating a hybrid graph, the hybrid graph including an attack graph portion describing at least one potential attack goal on the software system and describing sub-attacks required to achieve the potential attack goal. The hybrid graph also includes a defense graph describing ways to defend against the potential sub-attacks. The hybrid attack-defense graph may be evaluated and a score may be calculated based on the evaluation.04-30-2009
20090113550Automatic Filter Generation and Generalization - Methods and architectures for automatic filter generation are described. In an embodiment, these filters are generated in order to block inputs which would otherwise disrupt the normal functioning of a program. An initial set of filter conditions is generated by analyzing the path of a program from a point at which a bad input is received to the point at which the malfunctioning of the program is detected and creating conditions on an input which ensure that this path is followed. Having generated the initial set of filter conditions, the set is made less specific by determining which instructions do not influence whether the point of detection of the attack is reached and removing the filter conditions which correspond to these instructions.04-30-2009
20120144493SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.06-07-2012
20120144492Predictive Malware Threat Mitigation - The subject disclosure is directed towards protecting against malware, by classifying a user's risk level, which corresponds to a likelihood of malware being activated. To make the classification, data is collected that represents a probability of encountering malware, a probability of a user activating that malware, and the impact to the machine is activated. The classification maps to a protection level, which may be dynamically adjustable, e.g., based upon current risk conditions. The protection level determines a way to mitigate possible damage, such as by running a program as a virtualized program, running a virtualized operating system, or sandboxing a process.06-07-2012
20080244749INTEGRATED CIRCUITS INCLUDING REVERSE ENGINEERING DETECTION USING DIFFERENCES IN SIGNALS - An active shield can be configured to receive a test signal, and configured to output a plurality of shield signals, derived from the test signal, via a plurality of signal paths. A compare logic can be configured to compare the test signal with each of the plurality of shield signals to provide at least two comparison signals indicating comparison results and can be configured to output the at least two comparison signals. A detection and decision logic can be configured to determine whether the active shield is subject to attack based on patterns of the at least two comparison signals.10-02-2008
20080229421Adaptive data collection for root-cause analysis and intrusion detection - Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments.09-18-2008
20090106843SECURITY RISK EVALUATION METHOD FOR EFFECTIVE THREAT MANAGEMENT - Provided is a security risk evaluation method for threat management. According to the present invention, new threats or vulnerabilities for a network which should be protected (target network) are collected, and a threat management environment is assessed by checking whether or not to apply attack-attempt detection rules and vulnerability assessment rules for assets related to the threats or vulnerabilities. Based on the assessment result, the range and level of response are previously checked and complemented, and corresponding risk evaluation is provided. Therefore, the threat management environment can be managed effectively.04-23-2009
20090106842System for Regulating Host Security Configuration - Methods and apparatus for dynamically revising host-intrusion-protection configurations according to varying host state and changing intrusion patterns are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the hosts, maintains and updates protection software containing filters and rules for deploying each filter. A local server cyclically monitors each host of its subset of hosts at time instants separated by adjustable monitoring periods to acquire host-characterizing data and determine an optimal set of filters. The local server maintains a profile for each host and determines a current monitoring period for a host according to the host's current profile. The processing effort is reduced by judicial adjustment of successive monitoring periods and selectively tailoring the host-characterizing data to the conditions of each host.04-23-2009
20100293616Web Application Vulnerability Scanner - Disclosed is a method for quickly indentifying vulnerabilities in web applications. The method determines website links of interest and evaluates sites for web application vulnerabilities. Both in the selection of links and in their evaluation the method employs various heuristics to enforce a fast evaluation while requiring minimal resources to run.11-18-2010
20090038014System and method for tracking remediation of security vulnerabilities - A method of tracking remediation of security vulnerabilities includes a step of providing a global list of network devices within a computer network, wherein each network device of the global list is identified with dynamically assigned identifying information. The method also includes a step of scanning each network device of the global list for at least one security vulnerability. The method also includes a step of creating a vulnerability list of network devices having the at least one security vulnerability, wherein the vulnerability list is a subset of the global list and contains fewer network devices than the global list. Each network device of the vulnerability list is identified with identifying information. The method also includes steps of updating the dynamically assigned identifying information associated with the network devices of the vulnerability list and rescanning each network device of the updated vulnerability list to determine if the vulnerability has been remediated.02-05-2009
20090038015Automatic detection of vulnerability exploits - An embodiment of the invention provides an apparatus and method for automatic detection of a vulnerability exploit. The apparatus and method are configured to post a security vulnerability warning indicating a vulnerability of software; provide an exploit detector; and use the exploit detector to detect an attempted exploit that targets the vulnerability.02-05-2009
20090038013WIRELESS COMMUNICATION SECURITY WHEN USING KNOWN LINK KEYS - The present system may enhance security in device having a wireless interface while it is operating in a mode that may make it more vulnerable to predatory attacks. More specifically, the advent of certain development or support operating modes supported by particular wireless communication mediums, such as debug modes that allow other wireless devices to monitor messages coming and going from a wireless device for diagnostic purposes, may leave devices overly accessible while operating in such a mode. As a result, additional security measures are required in order to determine if a vulnerable mode should be enabled on a device, and further, whether another device should be allowed to establish a communication to a device operating in this mode.02-05-2009
20100306852Apparatus and Methods for Assessing and Maintaining Security of a Computerized System under Development - A security assessment method for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method including providing an organizational computerized system development policy; classifying said assets in said system under development, thereby to generate asset classification information; and automated creation of at least one security requirement based on said asset classification information and said organization policy.12-02-2010
20090070880METHODS AND APPARATUS FOR VALIDATING NETWORK ALARMS - Methods and apparatus for validating network alarms, such as alarms from an Intrusion Detection System (IDS). The methods and apparatus validate network threats or alarms by receiving a detected network alarm indicating potentially harmful network activity where the alarm including an alarm destination and an alarm type and obtaining port information of a host targeted by the alarm based on the alarm destination and alarm type. Additionally, a determination is made whether the port at the host is vulnerable to the network alarm based on the obtained port information and the alarm type, and a priority value is assigned to the alarm based at least on the determination of whether the port is vulnerable to the particular network alarm in order to assess validity of the network threat that has triggered the alarm.03-12-2009
20130133073SYSTEM AND METHOD FOR EVALUATING MARKETER RE-IDENTIFICATION RISK - Disclosures of databases for secondary purposes is increasing rapidly and any identification of personal data may from a dataset of database can be detrimental. A re-identification risk metric is determined for the scenario where an intruder wishes to re-identify as many records as possible in a disclosed database, known as a marketer risk. The dataset can be analyzed to determine equivalence classes for variables in the dataset and one or more equivalence class sizes. The re-identification risk metric associated with the dataset can be determined using a modified log-linear model by measuring a goodness of fit measure generalized for each of the one or more equivalence class sizes.05-23-2013
20130133074System And Method For Monitoring Network Traffic - Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.05-23-2013
20100306850BEHAVIORAL ENGINE FOR IDENTIFYING PATTERNS OF CONFIDENTIAL DATA USE - A client device hosts a behavioral engine. Using the behavioral engine, the client device analyzes behavior of a client application with respect to confidential information. The client device assigns a rating indicative of risk to the client application based on the behavior of the client application. The client device performs an action to mitigate risk of data loss if the rating exceeds a threshold.12-02-2010
20100333205Methods, Computer Networks and Computer Program Products for Reducing the Vulnerability of User Devices - Methods, computer networks, and computer program products that reduce the vulnerability of network user devices to security threats include scanning a user device connected to a network to determine whether the user device contains a particular version of an application; downloading the particular version of the application via the network in response to verifying that the user device does not contain the particular version of the application; installing the downloaded application on the user device; scanning the user device for security vulnerabilities; downloading a patch via the network in response to detecting a security vulnerability, wherein the patch is configured to remedy the security vulnerability; and executing the downloaded patch on the user device to remedy the detected security vulnerability.12-30-2010
20100192229PRIVILEGE VIOLATION DETECTING PROGRAM - A privilege violation detecting program stored on a computer-readable medium causes a computer to detect a privilege violation of an test target program by receiving an authority request API from an authority request API trace log storing unit; reading out, from an object access rule storing unit, an assumed access API assumed to be output in response to the received authority request API; determining an actual access API returned in response to the received authority request API from the actual access API trace log storing unit; and storing, into a least privilege violation data storing unit, data of the received authority request API when the actual access API returned in response received authority request API does not match the read out assumed access API.07-29-2010
20090144827AUTOMATIC DATA PATCH GENERATION FOR UNKNOWN VULNERABILITIES - The claimed subject matter provides a system and/or method that generates data patches for vulnerabilities. The system can include devices and components that examine exploits received or obtained from data streams, constructs probes and determines whether the probes take advantage of vulnerabilities. Based at least in part on such determinations data patches are dynamically generated to remedy the hitherto vulnerabilities.06-04-2009
20110030059Method for testing the security posture of a system - A method is provided for assessing the susceptibility of a NIDS to evasion. In an embodiment, the method involves intercepting packets that pass through a NIDS or other defensive device, reading, from the intercepted packets, message sequences that pertain to at least one protocol or network application, and constructing at least one stochastic sequential model of usage of the protocol from the protocol sequences.02-03-2011
20110030060METHOD FOR DETECTING MALICIOUS JAVASCRIPT - A method provides Dynamic Analysis to identify URL provisioning malicious javascripts comprising tracing frequently used javascript feature used to either inject malicious javascript in html response or redirecting user to the website that is serving malicious contents. An apparatus embodiment operates in the cloud in the middle where it identifies javascript in the response traffic and then requests the other corresponding javascript and can make a determination before delivering the original content to the user.02-03-2011
20110119765SYSTEM AND METHOD FOR IDENTIFYING AND ASSESSING VULNERABILITIES ON A MOBILE COMMUNICATION DEVICE - The invention is a system and method for identifying, assessing, and responding to vulnerabilities on a mobile communication device. Information about the mobile communication device, such as its operating system, firmware version, or software configuration, is transmitted to a server for assessment. The server accesses a data storage storing information about vulnerabilities. Based on the received information, the server may identify those vulnerabilities affecting the mobile communication device, and may transmit a notification to remediate those vulnerabilities. The server may also transmit result information about the vulnerabilities affecting the mobile communication device. The server may also store the received information about the device, so that in the event the server learns of new vulnerabilities, it may continue to assess whether the device is affected, and may accordingly notify or remediate the device. The server may provide an interface for an administrator to manage the system and respond to security issues.05-19-2011
20110131659EXTENSIBLE FRAMEWORK FOR SYSTEM SECURITY STATE REPORTING AND REMEDIATION - A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class.06-02-2011
20110131658DYNAMIC RISK MANAGEMENT - A dynamic risk management system for operating systems that provides monitoring, detection, assessment, and follow-up action to reduce the risk whenever it rises. The system enables an operating system to protect itself automatically in dynamic environments. The risk management system monitors a diverse set of attributes of the system which determines the security state of the system and is indicative of the risk the system is under. Based on a specification of risk levels for the various attributes and for their combinations, the risk management system determines whether one or more actions are required to alleviate the overall risk to the system.06-02-2011
20110131657HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier.06-02-2011
20110131656IDENTIFYING SECURITY VULNERABILITY IN COMPUTER SOFTWARE - Identifying a security vulnerability in a computer software application by identifying at least one source in a computer software application, identifying at least one sink in the computer software application, identifying at least one input to any of the sinks, determining whether the input derives its value directly or indirectly from any of the sources, determining a set of possible values for the input, and identifying a security vulnerability where the set of possible values for the input does not match a predefined specification of legal values associated with the sink input.06-02-2011
20110214187System and Method for Network Security Including Detection of Attacks Through Partner Websites - A computer readable storage medium with instructions executable on a host computer. The instructions record a relationship between a partner site and the host computer, substitute a reference to the partner site with a partner site alias referencing the host computer, deliver the partner site alias to a client, replace the partner site alias for the reference to the partner site in response to receiving the partner site alias from the client and augment the address of the client with an address alias. The address alias is sent to the partner site. A partner action and the address alias are received from the partner site. The address is exchanged for the address alias. The partner action is delivered to the client utilizing the address. These operations are monitored to identify client activity that constitutes a security threat at the host computer or the partner site.09-01-2011
20100251377DYNAMIC LEARNING METHOD AND ADAPTIVE NORMAL BEHAVIOR PROFILE (NBP) ARCHITECTURE FOR PROVIDING FAST PROTECTION OF ENTERPRISE APPLICATIONS - An adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP.09-30-2010
20100251374METHOD AND APPARATUS FOR MONITORING AND ANALYZING DEGREE OF TRUST AND INFORMATION ASSURANCE ATTRIBUTES INFORMATION IN A DATA PROVIDENCE ARCHITECTURE WORKFLOW - A method and apparatus that monitors and analyzes degree of trust and information assurance attributes information in a data providence architecture workflow is disclosed. The method may include receiving a message having a data provenance wrapper, examining each data provenance record of the message and any attachments for discrepancies, identifying any discrepancies in the examination of each data provenance record of the message and any attachments; calculating a degree of trust based on any discrepancies identified in the examination of each data provenance record of the message and any attachments, and presenting the degree of trust and information assurance attributes information to the user on a display.09-30-2010
20090217381MANUAL OPERATIONS IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to received security assessments. Manual operations are supported by the specialized endpoint including manual approval of actions, security assessment cancellation, and manual injection of security assessments into the security assessment channel.08-27-2009
20100058475FEEDBACK-GUIDED FUZZ TESTING FOR LEARNING INPUTS OF COMA - Embodiments of the present invention combine static analysis, source code instrumentation and feedback-guided fuzz testing to automatically detect resource exhaustion denial of service attacks in software and generate inputs of coma for vulnerable code segments. The static analysis of the code highlights portions that are potentially vulnerable, such as loops and recursions whose exit conditions are dependent on user input. The code segments are dynamically instrumented to provide a feedback value at the end of each execution. Evolutionary techniques are then employed to search among the possible inputs to find inputs that maximize the feedback score.03-04-2010
20100242114SYSTEM AND METHOD FOR SELECTING AND APPLYING FILTERS FOR INTRUSION PROTECTION SYSTEM WITHIN A VULNERABILITY MANAGEMENT SYSTEM - A system for controlling selection of filters for protecting against vulnerabilities of a computer network includes a vulnerability management system analyzes the computer network and determines network vulnerabilities for the computer network. The vulnerability management system is configured to receive real-time data on a status of filters protecting against vulnerabilities of the computer network. A database contains a pre-generated mapping of network vulnerabilities to filters for protecting against the network vulnerabilities. The vulnerability management system enables user control of filters for protecting against vulnerabilities of the computer network based upon the determined network vulnerabilities of the computer network, the pre-generated mapping of network vulnerabilities to the filters for protecting against the network vulnerabilities and the real-time data on the status of the filters.09-23-2010
20110093954APPARATUS AND METHOD FOR REMOTELY DIAGNOSING SECURITY VULNERABILITIES - An apparatus for remotely diagnosing security vulnerabilities, includes a vulnerability analysis unit for obtaining service information by searching a target device of a specific network and a port of the target device, searching a profile DB for principal characteristic information of the acquired service information, determining a query key type based on the retrieved principal characteristic information to acquire a vulnerability diagnosis list present in the principal characteristic information from a vulnerability list management DB; and an attack agent for diagnosing a vulnerability of the principal characteristic information on the vulnerability diagnosis list based on preset characteristic information. Further, the apparatus includes a result analysis unit for reporting a result of the diagnosis of the vulnerability of the principal characteristic information; and a GUI management unit for performing interfacing of the result of the diagnosis of the vulnerability of the principal characteristic information to a vulnerability diagnosis tool.04-21-2011
20120304301CONFIDENTIALITY ANALYSIS SUPPORT SYSTEM, METHOD AND PROGRAM - Features of a confidentiality analysis support system include an attack flow model generating means that generates an attack flow model representing an attack flow which is likely to take place, as a model for analyzing confidentiality of an information system by assigning information which is defined independently from a connection state and a processing flow and which shows a function of a device, to a structure model representing the physical connection state of the device configuring the information system and a behavior model representing the processing flow executed in the device.11-29-2012
20120304300ENTERPRISE VULNERABILITY MANAGEMENT - An enterprise vulnerability management application (EVMA), enterprise vulnerability management process (EVMP) and system. In one embodiment, the EVMP may include executing computer software code on at least one computer hardware platform to receive login information from a user, inventory current information technology assets of the enterprise, conduct vulnerability scanning of the inventoried information technology assets, analyze vulnerability correlation and prioritization of the information technology assets, remediate one or more vulnerabilities of the information technology assets, and report to the user about the vulnerabilities and remediation undertaken. As part of the analysis, one or more vulnerability scores such as, for example, Common Vulnerability Scoring System (CVSS) scores, may be generated from base score metrics, temporal score metrics and environment score metrics.11-29-2012
20120304299METHOD AND APPARATUS FOR DETECTING VULNERABILITY STATUS OF A TARGET - A computer implemented method for detecting vulnerability status of a target having interfaces and ports is provided. The method comprises tracking the occurrence of an event including at least one of a network interface becoming active and/or inactive, start and/or stop of a client network service using a port on an active network interface, start and/or stop of a server network service running on a port on an active network interface, and start and/or stop of a network service that does not entail the use of any port. A notification is generated that a possible vulnerability status altering event has occurred. Tracking the occurrence of the event includes tracking using at least one of an OS service, an OS command, a hook, and an API.11-29-2012
20110078798REMOTE PROCEDURE CALL (RPC) SERVICES FUZZ ATTACKING TOOL - A system and method for testing a computer program using a computer system includes a plurality of computer systems communicating using a network. An interface parser module defines at least one program interface in a program file of a specified program. A fuzzer module reads the program file and identifies the program interfaces. An attack data generator module attacks the program interfaces and communicates with the fuzzer, and the fuzzer determines vulnerabilities in the specified program. A recorder records the attacking procedure. A verifier verifies remedies for vulnerabilities by replaying the attacking procedure of the program interface and determining vulnerabilities. A service status detective module restarts the specified program when the specified program ceases to operate or crashes.03-31-2011
20110078797Endpoint security threat mitigation with virtual machine imaging - Methods and apparatus involve the mitigation of security threats at a computing endpoint, such as a server, including dynamic virtual machine imaging. During use, a threat assessment is undertaken to determine whether a server is compromised by a security threat. If so, a countermeasure to counteract the security threat is developed and installed on a virtual representation of the server. In this manner, the compromised server can be replaced with its virtual representation, but while always maintaining the availability of the endpoint in the computing environment. Other features contemplate configuration of the virtual representation from a cloned image of the compromised server at least as of a time just before the compromise and configuration on separate or same hardware platforms. Testing of the countermeasure to determine success is another feature as is monitoring data flows to identifying compromises, including types or severity. Computer program products and systems are also taught.03-31-2011
20130160128APPLICATION MONITORING THROUGH COLLECTIVE RECORD AND REPLAY - Methods and systems for application monitoring through collective record and replay are disclosed herein. The method includes recording a number of execution traces for an application from a number of user devices at a runtime library, wherein the number of execution traces relates to non-deterministic data. The method also includes replaying the number of execution traces to determine whether a behavior of the application creates a security risk.06-20-2013
20100325731ASSESSING THREAT TO AT LEAST ONE COMPUTER NETWORK - Apparatus for assessing threat to at least one computer network in which a plurality of systems (12-23-2010
20100325730System and Method for Remotely Securing a Network from Unauthorized Access - This invention is an improved system and method of efficiently deploying a large scale roll out of secure networks, including a VPN, to clients with limited or non-existent technical staff. The invention allows for a person with minimal technical skills to install, and, if necessary, uninstall the solution. Through a series of automated and/or remotely-controlled steps provided through connections established from inside the site to a centralized system over an unprotected network, the site's network can be secured, updated, and/or reconfigured, and returned to its previous state if errors should occur. Furthermore, a virtual private network (VPN) can be established that allows multiple hosts on the VPN but on different local networks to have the same IP address. Additionally, without any additional hardware and as part of the installation process, the invention protects the site from unauthorized local network devices either by preventing them from passing traffic off the local network or by generating notification of their existence.12-23-2010
20110154498APPARATUSES, METHODS AND SYSTEMS OF AN APPLICATION SECURITY MANAGEMENT PLATFORM - This disclosure details the implementation of apparatuses, methods and systems of an application security management platform (hereinafter, “ASMP”). ASMP systems may, in one embodiment, implement a live platform on a computerized system, whereby the platform may receive security data associated with a running application from multiple security tacking systems, evaluate the security performance of the application, generate an application security summary report for review and manage review processes for security professionals.06-23-2011
20110258703Detecting Secure or Encrypted Tunneling in a Computer Network - Aspects of the present disclosure relate to a computer assisted method for detecting encrypted tunneling or proxy avoidance which may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds and attempting to negotiate a standard HTTPS session with each of the at least one destination. Further, the computer assisted method may further include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determining may be based on characteristics of an Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a TCP/IP connection.10-20-2011
20120151593DISTRIBUTED DENIAL OF SERVICE ATTACK DETECTION APPARATUS AND METHOD, AND DISTRIBUTED DENIAL OF SERVICE ATTACK DETECTION AND PREVENTION APPARATUS FOR REDUCING FALSE-POSITIVE - Provided is a DDoS attack detection apparatus including an information collecting unit to collect DDoS detection information including rate information about traffic change, variation of a first type flow and a Packet Per Second (PPS) for a second type flow, in which the rate information about traffic change is obtained using packet count of packets input per a unit time, flow count of flows input per the unit time and the byte count of bytes input per the unit time; and a testing unit to calculate a probability of occurrence of the DDoS attack by use of a first probability determined by the rate information about traffic change, a second probability determined by the variation of the first type flow and a third probability determined by the PPS for the second type flow and detect occurrence of the DDoS attack based on the probability of occurrence of the DDoS attack.06-14-2012
20080229423PROBABILISTIC MECHANISM TO DETERMINE LEVEL OF SECURITY FOR A SOFTWARE PACKAGE - A mechanism for determining a probabilistic security score for a software package is provided. The mechanism calculates a raw numerical score that is probabilistically linked to how many security vulnerabilities are present in the source code. The score may then be used to assign a security rating that can be used in either absolute form or comparative form. The mechanism uses a source code analysis tool to determine a number of critical vulnerabilities, a number of serious vulnerabilities, and a number of inconsequential vulnerabilities. The mechanism may then determine a score based on the numbers of vulnerabilities and the number of lines of code.09-18-2008
20080229420Predictive Assessment of Network Risks - In certain implementations, systems and methods for predicting technology vulnerabilities in a network of computer devices are based on software characteristics of processes executing at the computer devices. In one preferred implementation, the system identifies processes at various computing devices within an organization, identifies software characteristics associated with the processes, applies technology controls to the software characteristics, determines risk indexes based on the modified technology control, applies administrative controls to the risk indexes, aggregates the indexes to create risk model, determines alternative risk models, and presents the risk models for consideration and analysis by a user.09-18-2008
20120204267ADAPTIVE CONFIGURATION MANAGEMENT SYSTEM - An automated configuration management system (ACMS) oversees resources of a virtualized ecosystem by establishing a baseline configuration (including, e.g., security controls) for the resources; and, repeatedly, monitoring and collecting data from the resources, analyzing the data collected, making recommendations concerning configuration changes for the resources of the virtualized ecosystem based on the analysis, and either adopting and implementing the recommendations or not, wherein new states of the virtualized ecosystem and reactions to recommended changes are observed and applied in the form of new recommendations, and/or as adjustments to the baseline. The recommendations may be implemented automatically or only upon review by an administrator before being implemented or not. The various data may be analyzed according to benchmarks established for security and compliance criteria of the resources of the virtualized ecosystem, for example static/pre-defined or dynamically derived benchmarks/best practices.08-09-2012
20090241196METHOD AND SYSTEM FOR PROTECTION AGAINST INFORMATION STEALING SOFTWARE - A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine if the electronic device that transmitted the bait contains unwanted software.09-24-2009
20090222925SECURE BROWSER-BASED APPLICATIONS - Techniques are provided for execution of restricted operations by computer program code in web browsers, where the code is permitted to invoke restricted operations if implicit or explicit consent is received. Such techniques may include generating a risk rating for a computer program code component, where the component includes at least one component operation for executing at least one restricted system operation; and prompting a user for permission to execute the restricted system operation, wherein the prompt includes the risk rating and a description of the component operation. The program code may include script code associated with a web page that invokes a web browser plugin, which in turn invokes the restricted system operation. The code may invoke the restricted system operation in response to receiving an input from a user via the web browser, where the input is for causing an action associated with performing the operation, the action implicitly granting consent to perform the operation.09-03-2009
20110162073Predictive Assessment of Network Risks - In certain implementations, systems and methods for predicting technology vulnerabilities in a network of computer devices are based on software characteristics of processes executing at the computer devices. In one preferred implementation, the system identifies processes at various computing devices within an organization, identifies software characteristics associated with the processes, applies technology controls to the software characteristics, determines risk indexes based on the modified technology control, applies administrative controls to the risk indexes, aggregates the indexes to create risk model, determines alternative risk models, and presents the risk models for consideration and analysis by a user.06-30-2011
20110162072DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO ATTACKS - Determining the vulnerability of computer software applications to attacks by identifying a defense-related variable within a computer software application that is assigned results of a defense operation defending against a predefined type of attack, identifying a control-flow predicate dominating a security-sensitive operation within the application, identifying a data-flow dependent variable in the application that is data-flow dependent on the defense-related variable, determining whether the control-flow predicate uses the data-flow dependent variable to make a branching decision and whether a control-flow path leading to the security-sensitive operation is taken only if the data-flow dependent variable is compared against a value of a predefined type, determining that the security-sensitive operation is safe from the attack if both control-flow conditions are true, and determining that the application is safe from the attack if all security-sensitive operations in the application are determined to be safe from the attack.06-30-2011
20110179492PREDICTIVE BLACKLISTING USING IMPLICIT RECOMMENDATION - A method is provided for determining a rating of a likelihood of a victim system receiving malicious traffic from an attacker system at a point in time. The method comprises: generating a first forecast from a time series model based on past history of attacks by the attacker system; generating a second forecast from a victim neighborhood model based on similarity between the victim system and peer victim systems; generating a third forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system; and determining the rating of the likelihood of the victim system receiving malicious traffic from the attacker system at the point in time based on the first forecast, the second forecast, and the third forecast.07-21-2011
20090126022Method and System for Generating Data for Security Assessment - A system for creating data to be inputted to a security assessment system is provided with: a system configuration information collection unit for collecting system configuration information from an assessment object system; an attribute information input unit for receiving attribute information added to the system configuration information; an access policy generation unit for generating an access policy using the attribute information; and an assessment policy generation unit for generating an assessment policy representing an improper data migration path based on the access policy, the system configuration information and the attribute information.05-14-2009
20090126023APPARATUS AND METHOD FOR FORECASTING SECURITY THREAT LEVEL OF NETWORK - Provided are an apparatus and method for forecasting the security threat level of a network. The apparatus includes: a security data collection unit for collecting traffic data and intrusion detection data transmitted from an external network to a managed network; a malicious code data collection unit for collecting malicious code data transmitted from a security enterprise network; a time series data transformation unit for transforming the data collected by the security data collection unit into time series data; a network traffic analysis unit for analyzing traffic distribution of the managed network using the data collected by the security data collection unit; and a security forecast engine for forecasting security data of the managed network using the time series data obtained by the time data transformation unit, the data analyzed by the network traffic analysis unit, and the data collected by the malicious code data collection unit.05-14-2009
20110055925PATTERN-BASED APPLICATION CLASSIFICATION - Embodiments of present disclosure provide a method and system for remotely auditing a security posture of a client machine at a centralized server. The system receives an integrity-protected report from the client machine, or other devices related to the client machine, the report comprising entries associated with security events or security states or both related to the client machine. The report entries comprise characteristics of the security events or security states to facilitate identification of a probable security attack at the client machine. The system also detects a pattern among one or more reports. Finally, the system classifies the security posture of the client machine based on the detected pattern, which could indicate a probable security attack at the client machine.03-03-2011
20110016532Measure selecting apparatus and measure selecting method - A measure selecting apparatus includes a vulnerability handling determining unit and an optimum measure selecting unit. The determining unit determines the handling status of each vulnerability of a resource in a task used to develop a measure, based on vulnerability master data in which a resource, a vulnerability of the resource, and a recovery time associated with the vulnerability are defined in an associated manner; measure master data in which a vulnerability defined in the vulnerability master data and a measure for eliminating a vulnerability are defined in an associated manner; and measure status data in which a performance status of each measure defined in the measure master data is defined. The selecting unit selects a measure, from among measures defined in the measure master data, based on a recovery time that is defined and associated with a vulnerability determined to have not been handled by the determining unit.01-20-2011
20110016531SYSTEM AND METHOD FOR AUTOMATED MAINTENANCE BASED ON SECURITY LEVELS FOR DOCUMENT PROCESSING DEVICES - The subject application is directed to a system and method for automated maintenance of preselected security levels for document processing devices. A network data connection is established with at least one document processing device of a plurality thereof. At least one document processing device is identified and testing software is pushed to the at least one document processing device so as to commence loading and running thereof. Test result data is received from the at least one document processing device in accordance with a running of the testing software, a security level associated with the at least one document processing device is identified, and updated software is pushed to the at least one document processing device in accordance with received test result data and an identified security level.01-20-2011
20120151596SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.06-14-2012
20120311715SYSTEM AND METHOD FOR PROTECTING A WEBSITE FROM HACKING ATTACKS - A system and method for protecting at least one server, in communication with a computer network, from hacking attacks including a scanner, a report processor and a control center. The scanner may monitor activity of the server, identify at least one security vulnerability, produce an automated report. The report processor may analyze the automated report and generate fixes for identified vulnerabilities.12-06-2012
20120311714TESTING WEB APPLICATIONS FOR FILE UPLOAD VULNERABILITIES - A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit.12-06-2012
20120311713DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS - A method, including storing a test payload to a persistent state of an application and performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data. A dynamic analysis is then performed to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path.12-06-2012
20120311712TESTING WEB APPLICATIONS FOR FILE UPLOAD VULNERABILITIES - A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit.12-06-2012
20120311711DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS - A method, including storing a test payload to a persistent state of an application and performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data. A dynamic analysis is then performed to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path.12-06-2012
20110138469SYSTEM AND METHOD FOR RESOLVING VULNERABILITIES IN A COMPUTER NETWORK - In a computer network, a remedy server may be provided that controls vulnerability scans of the computer nodes. The remedy server determines a security level of a computer node and dispatches an agent to the node with a scan matching the security level. The agent executes the scan and reports the scan results to the remedy server. The remedy server collates scan results from a plurality of the network computers and determines which computers have a common vulnerability. A fix for the vulnerability, such as an executable patch file, is retrieved and multicast to those relevant computers.06-09-2011
20110138470AUTOMATED TESTING FOR SECURITY VULNERABILITIES OF DEVICES - A method includes selecting an attack signature from an attack signature database; generating a fingerprint that includes parameters indicative of the attack signature; generating configuration data for one or more test devices based on the fingerprint, wherein the configuration data is capable of configuring the one or more test devices to provide a security response to the attack signature; providing the configuration data to the one or more test devices; transmitting the attack signature to the one or more test devices; examining a security response to the attack signature from the one or more test devices; and outputting a result of the examining.06-09-2011
20110126288METHOD FOR SOFTWARE VULNERABILITY FLOW ANALYSIS, GENERATION OF VULNERABILITY-COVERING CODE, AND MULTI-GENERATION OF FUNCTIONALLY-EQUIVALENT CODE - A method for detecting, analyzing, and mitigating vulnerabilities in software is provided. The method includes determining whether one or more vulnerabilities are present in one or more target software components, determining whether any detected vulnerabilities are fixable, and fixing the detected vulnerabilities that are fixable in code or in associated models used to generate code. A vulnerability-covering code is generated when one or more of the detected vulnerabilities are not fixable. A determination is then made whether there are any remaining vulnerabilities in the vulnerability-covering code. A vulnerability-aware diverse code is generated when there are one or more remaining vulnerabilities to obfuscate the remaining vulnerabilities.05-26-2011
20100306851METHOD AND APPARATUS FOR PREVENTING A VULNERABILITY OF A WEB BROWSER FROM BEING EXPLOITED - A method and an apparatus for preventing a vulnerability of a web browser from being exploited are disclosed. The method comprises: monitoring a file downloaded by a browser process; intercepting a process creating action initiated by the browser process; determining whether the intercepted process creating action is to launch the file downloaded by the browser process; and notifying a user that a vulnerability of the browser may be exploited, if the determining result is positive.12-02-2010
20110138471SECURITY HANDLING BASED ON RISK MANAGEMENT - A security device may receive information relating to a security event in a customer network. The security device may further determine, in response to receiving the information, a likelihood score that reflects a likelihood that the security event will succeed and an impact score that provides an indication of an impact that the security event will have on the customer network. The security device may also determine a risk score based on the likelihood score and the impact score, where the risk score provides an indication of a risk that the security event will affect the customer network. The security device may provide the risk score to a customer associated with the customer network.06-09-2011
20110072517Detecting Security Vulnerabilities Relating to Cryptographically-Sensitive Information Carriers when Testing Computer Software - A system for detecting security vulnerabilities in computer software, including a cryptographic API identifier configured to identify a cryptographic API among the instructions of a computer software application, a path-to-source tracer configured to trace an information flow path among the instructions between the cryptographic API and a source that directly or indirectly provides data that are input to the cryptographic API, where a cryptographically-sensitive information carrier lies along the information flow path, a path-to-sink tracer configured to trace an information flow path among the instructions from the cryptographically-sensitive information carrier to a sink, and a security vulnerability identifier configured to provide a notification that the information flow path between the cryptographically-sensitive information carrier and the sink represents security vulnerability if the information flow path between the cryptographically-sensitive information carrier and the sink does not pass through a cryptographic API.03-24-2011
20100115622System and method for monitoring network traffic - Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.05-06-2010
20110088095Anti-Tamper System Employing Automated Analysis - A computer implemented anti-tamper system employing runtime profiling of software in order to decide where to inject integrity checks into the software, to enable verification of whether or not the software has been tampered with. Runtime profiling and analysis is used to record information about the application, in order to establish the locations and targets of runtime integrity checks in order to optimise protection security, while minimising the performance penalty and the need for hand configuration.04-14-2011
20110093956Protecting a Mobile Device Against a Denial of Service Attack - A method of protecting a mobile device against malware is described. The mobile device comprises a backup operating system, the backup operating system being stored, preferably in a ROM, in the mobile device separately from the active operating system. The method comprises the steps of: providing a signal indicative of the possible presence of malware in the mobile device; and, replacing in response to the signal the active operating system with the backup operating system.04-21-2011
20120151595SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.06-14-2012
20110154497SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR COLLECTING AND REPORTING SENSOR DATA IN A COMMUNICATION NETWORK - A system for collecting and reporting sensor data in a communication network includes a microprocessor coupled to a memory and an electronic storage device. The microprocessor receives sensor data from sensors, and stores the sensor data for each sensor in the electronic storage device. The microprocessor also receives, via the communication network, a data reporting instruction defining a data reporting technique corresponding to the sensor data associated with one or more of the sensors. The data reporting instruction is stored in the electronic storage device, and the microprocessor transmits, to a trust mediator over the communication network, at least a portion of the sensor data based on the data reporting instruction. The trust mediator maintains an acceptable level of security for data throughout the communication network by adjusting security safeguards based on the sensor data.06-23-2011
20100024035VULNERABILITY SHIELD SYSTEM - Security against computer software attacks is provided by blocking the use of known software vulnerabilities by attackers. Rather than merely discovering attacking software after it has installed itself into a computer system as in the prior art, software with a known vulnerability is monitored so that when it takes a potentially dangerous action, such as creating new attack software, that new attack software is marked and then prevented from loading. If the newly attack software cannot load, it cannot execute thus thwarting use of the newly written software to perform whatever nefarious act was intended by the attacker.01-28-2010
20120210433EXFILTRATION TESTING AND EXTRUSION ASSESSMENT - An improved technique employs an automated agent inside the network perimeter, which generates and sends data packets to a listener outside the network perimeter. Along these lines, the automated agent generates data packets over a specified range of security parameters including port number, payload format, and communications protocol. The agent attempts to send these data packets across the network boundary through a firewall at an egress or other point of the network. The listener receives the data packets and analyzes the payload content of each received data packet for each value of the security parameters (e.g., port number, file type, and protocol). The listener then sends the results of the analysis to a report generator, which summarizes the analysis for an administrator of the network.08-16-2012
20120210434Security countermeasure management platform - A management platform that allows security and compliance users to view risks and vulnerabilities in their environment with the added context of what other mitigating security countermeasures are associated with that vulnerability and that are applicable and/or available within the overall security architecture. Additionally, the platform allows users to take one or more actions from controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place.08-16-2012
20080256637Computer System and Security Reinforcing Method Thereof - The present invention provides a computer system for carrying out security reinforcing and a security reinforcing method. The computer system comprises hardware, a BIOS, and a virtual machine monitor, and has at least one servo operating system and at least one user operating system running thereon, wherein, the servo operating system comprises a security reinforcing proxy module, and the user operating system comprises a security reinforcing module. With the present invention, it is possible to prevent the security reinforcing performance from being tampered by the frangibility of the user operating system, and to avoid hacker attacks which cannot be avoided in case of regular or manual security reinforcing, and also to ensure better secure defense of the computer system and the security of the downloaded security reinforcing files own.10-16-2008
20120042384PERFORMING SECURITY ANALYSIS ON A SOFTWARE APPLICATION - A system and method for performing security analysis on a software application. In one embodiment, a method includes receiving application architecture information for a software application; and determining an application type based on the application architecture information. The method also includes performing one or more security tests on the software application based on the application type and the application architecture information; and approving the software application to be available in an online marketplace if the software application passes the one or more security tests.02-16-2012
20120042383ADAPTING A SECURITY TOOL FOR PERFORMING SECURITY ANALYSIS ON A SOFTWARE APPLICATION - A system and method for adapting a security tool for performing security analysis on a software application. In one embodiment, a method includes maintaining a registry of security tools; receiving code for a software application; and comparing component criteria for each security tool against each component of the software application, wherein the component criteria for each respective security tool indicate which components the respective security tool is designed to analyze for security vulnerabilities. The method also includes generating a tool-specific package for each component of the software application, wherein the tool-specific package comprises one or more security tools that are designed to analyze the respective component for security vulnerabilities.02-16-2012
20080201780Risk-Based Vulnerability Assessment, Remediation and Network Access Protection - A system administrator may define a vulnerability and vulnerability setting for the client machine and may associate a level of risk with the vulnerability. The client may assess the level of risk associated with the vulnerability setting on the client machine and may report data regarding the level of risk to the system administrator.08-21-2008
20110093955DESIGNING SECURITY INTO SOFTWARE DURING THE DEVELOPMENT LIFECYCLE - Systems, methods, and computer program products are provided for a comprehensive software security system. The overarching software security system described and claimed herein provides for a system that address all of the concerns and vulnerabilities present at the design level (i.e., new software applications) and the production level (i.e., pre-existing software applications) associated with software. Additionally, the system governs the individual security processes and practices. The software security system defines specific security practices and the timing for application of the practices within the overall software development lifecycle. Additionally, the disclosed software security system takes advantage of role specialization, such as security specialization, to increase effectiveness and limit conflicts of interest within the design process.04-21-2011
20120210432LABEL-BASED TAINT ANALYSIS - A computer-implemented method and apparatus, adapted to receive a computer program, and dynamically analyze the computer program to determine flow of untrusted data with respect to a computer resource associated with the computer program. Based on the flow of untrusted data, the method and apparatus determine an abstraction of the computerized resource, and performing static analysis of the computer program with respect to the abstraction, wherein the static analysis is for identifying whether the computer program is susceptible to one or more possible security vulnerabilities.08-16-2012
20120117654METHODS AND SYSTEMS FOR MANAGING A POTENTIAL SECURITY THREAT TO A NETWORK - Methods, systems and computer readable mediums storing computer executable programs for managing a potential security threat to a network are disclosed. Network data received at a network system within a network is monitored at a network management system. A determination is made at the network management system regarding whether the network data received at the network system poses a potential security threat to the network. A threat type associated with the potential security threat is identified at the network management system based on the determination. A threat assessment system operable to evaluate the identified threat type is identified at the network management system. A command is issued from the network management system to the network system to mirror network data received at the network system to the identified threat assessment system.05-10-2012
20120017281SECURITY LEVEL DETERMINATION OF WEBSITES - A site analysis system to determine a security level of a website comprises a communication transceiver and a processing system. The communication transceiver is configured to receive content information associated with the website describing a current state of the website, receive historical event information associated with the website, and receive external information associated with the website from a source external to the website. The processing system is configured to process the content information to determine a content score for the website, process the historical event information and the external information to determine a reputational score for the website, and process the content score and the reputational score to generate a final score for the website.01-19-2012
20120017280APPARATUS AND METHOD FOR DETECTING, PRIORITIZING AND FIXING SECURITY DEFECTS AND COMPLIANCE VIOLATIONS IN SAP.RTM. ABAPtm CODE - A static code analysis (SCA) tool, apparatus and method detects, prioritizes and fixes security defects and compliance violations in SAP® ABAP™ code. The code, meta information and computer system configuration settings are transformed into an interchangeable format, and parsed into an execution model. A rules engine is applied to the execution model to identify security and compliance violations. The rules engine may include information about critical database tables and critical SAP standard functions, and the step of applying the rules engine to the execution model may include the calculation of specific business risks or whether a technical defect has a business-relevant impact. In particular, an asset flow analysis may be used to determine whether critical business data is no longer protected by the computer system. Such critical business data may include credit or debit card numbers, financial data or personal data.01-19-2012
20120023586DETERMINING PRIVACY RISK FOR DATABASE QUERIES - A system and method for evaluating security exposure of a query includes evaluating a security risk for a query input to a database configured to generate a response to the query. The query has a plurality of attributes and the security risk is evaluated by determining a risk for each of the plurality of attributes and/or determining an exposure consequence based on at least the query. An overall risk is computed based upon attribute risks and consequences. The overall risk is associated and reported with the query.01-26-2012
20120072990COST FUNCTION FOR DATA TRANSMISSION - A method, system, and apparatus are disclosed for cost functions for data transmission. In one or more embodiments, the method, system, and apparatus involve assigning costs associated with the data transmission corresponding to risks. The method, system, and apparatus further involve adjusting data transmission performance parameters according to the costs and the risks. The risks are associated with potential danger, harm, and/or data loss. Data transmission operation costs are related to available radio frequency (RF) bandwidth, data transmission levels of service (LoS) and/or data transmission quality of service (QoS). In at least one embodiment, each different LoS has an associated trigger boundary, which is located at a specific distance away from a risk area and indicates where and/or when to begin data transmission. The risks are related to a number of various factors including topographical features of a terrain, weather factors, conflict factors, crime factors, terrorism factors, and/or environmental region factors.03-22-2012
20120110673Inoculator and antibody for computer security - In an embodiment of the invention, a method includes: determining, in a computer, an area where an undesired computer program will reside; and providing a data object in the area, so that the data object is an antibody that provides security to the computer and immunity against the undesired program. Another embodiment of the invention also provides an apparatus (or system) that can be configured to perform at least some of the above functionalities.05-03-2012
20120124670ANALYZING THE SECURITY OF COMMUNICATION PROTOCOLS AND CHANNELS FOR A PASS THROUGH DEVICE - A security analyzer includes a single software application that both sends test messages to a device under analysis (DUA) and receives response messages generated by the DUA in response to the test messages. In this way, synchronization of which response messages correspond to which test messages can be reduced or avoided. The software application further determines whether the DUA operated correctly by analyzing the received response messages.05-17-2012
20120124669Hindering Side-Channel Attacks in Integrated Circuits - A mechanism is provided for protecting a layer of functional units from side-channel attacks. A determination is made as to whether one or more subsets of functional units in a set of functional units in the layer of functional units is performing operations of a critical nature. Responsive to a determination that there is one or more subsets of functional units that are performing the operations of the critical nature, at least one concealing pattern is generated in a concealing layer in order to conceal the operations of the critical nature being performed by each of the subset of functional units. The concealing layer is electrically and physically coupled to the layer of functional units.05-17-2012
20120222123Detection of Vulnerabilities in Computer Systems - Systems, methods, and apparatus, including computer program products, for detecting a presence of at least one vulnerability in an application. The method is provided that includes modifying instructions of the application to include at least one sensor that is configurable to generate an event indicator, wherein the event indicator includes at least some data associated with the event; storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application; analyzing the stored event indicators; detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and reporting the presence of at least one vulnerability.08-30-2012
20120222122Mechanism for Generating Vulnerability Reports Based on Application Binary Interface/Application Programming Interface Usage - A method for generating vulnerability reports based on application binary interface/application programming interface usage may include extracting a binary file and a security report relating to a software program, the security report having a vulnerability list of pending vulnerabilities relating to the software program, and detecting, from the binary file, interface usage details associated with interfaces and shared libraries used by the software program. The interfaces include application binary interfaces (ABIs). The method may further include matching the interface usage details with the pending vulnerability of the vulnerability list, and generating a vulnerability report based on matching.08-30-2012
20120317647Automated Exploit Generation - A system and method for automatically generating exploits, such as exploits for target code, is described. In some implementations, the system received binary code and/or source code of a software applications, finds one or more exploitable bugs within the software application, and automatically generates exploits for the exploitable bugs.12-13-2012
20120272322DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO PRIVILEGE-ESCALATION ATTACKS - Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the date source.10-25-2012
20120131678SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR VIRTUAL PATCHING - A system, method, and computer program product are provided for virtual patching. Initially, information associated with at least one vulnerability of a computer application is collected. Further, at least one host interface is identified that is capable of being used to access the vulnerability. In use, data sent to the at least one host interface is analyzed to determine whether the data is unwanted, based on the information.05-24-2012
20120131677IMAGE VULNERABILITY REPAIR IN A NETWORKED COMPUTING ENVIRONMENT - Embodiments of the present invention provide an approach to repair vulnerabilities (e.g., security vulnerabilities) in images (e.g., application images) in a networked computing environment (e.g., a cloud computing environment). Specifically, an image is checked for vulnerabilities using a database of known images and/or vulnerabilities. If a vulnerability is found, a flexible/elastic firewall is established around the image so as to isolate the vulnerability. Once the firewall has been put in place, the vulnerability can be repaired by a variety of means such as upgrading the image, quarantining the image, discarding the image, and/or generating a new image. Once the image has been repaired, the firewall can be removed.05-24-2012
20100235919ATTACK CORRELATION USING MARKED INFORMATION - Techniques are described for providing security to a protected network. Techniques are described for thwarting attempted network attacks using marked information. The attack correlation system provides marked information to computing devices that probe for sensitive information, and monitors subsequent communications for use of the marked information. In one example, the attack correlation system reroutes communications containing the marked information to a dedicated vulnerable device that logs the communications to monitor the attackers' methods. The attack correlation system may also include functionality to exchange information regarding attempted attacks with other attack correlation systems to gain broader knowledge of attacks throughout one or more networks.09-16-2010
20100205673CODE PROPERTY ANALYSIS FOR SECURITY MITIGATIONS - Attempts to make code secure often are associated with performance penalties. To facilitate striking an acceptable balance between performance and security, vulnerable areas of source code are identified. The vulnerable areas are examined for areas that are actually safe and the safe areas are filtered from the universe of code that receives security mitigations. The remaining code receives security mitigations appropriate to the level of risk of the code.08-12-2010
20100205675SYSTEMS AND METHODS FOR MODIFYING NETWORK MAP ATTRIBUTES - The disclosed systems and methods provide a user interface for modifying host configuration data that has been automatically and passively determined and for adding or modifying other parameters associated with a host. A host data table can store various parameters descriptive of a host including the applicability of specific vulnerabilities. If it is determined that one or more hosts should not be identified as associated with a specific vulnerability, a graphical user interface can be used to modify the vulnerability parameter.08-12-2010
20100205674Monitoring System for Heap Spraying Attacks - A monitoring system may analyze system memory to determine a vulnerability statistic by identifying potential sleds within the memory, and creating a statistic that is a ratio of the amount of potential sleds per the total memory. In some cases, the statistic may be based on the number of instructions or bytes consumed by the sleds. The potential sleds may be determined by several different mechanisms, including abstract payload execution, polymorphic sled detection, sled surface area calculation, and other mechanisms. The monitoring system may be a multi-threaded operation that continually monitors system memory and analyzes recently changed objects in memory. When the vulnerability statistic rises above a certain level, the system may alert a user or administrator to a high vulnerability condition.08-12-2010
20100071066SYSTEM, METHOD AND PROGRAM PRODUCT FOR DYNAMICALLY PERFORMING AN AUDIT AND SECURITY COMPLIANCE VALIDATION IN AN OPERATING ENVIRONMENT - A system, method and program product for dynamically performing an audit and security compliance validation. The method includes providing a tool for performing a compliance check of installed computer applications running on a system, the tool including a first set and a second set of plug-ins. Further, the method includes scanning the system, using plug-ins selected from the first set to obtain a current inventory of applications currently installed on the system and selecting plug-ins from the second set to be run on the system in response to the current inventory of applications obtained, and automatically running the plug-ins selected from the second set for performing the compliance check on the system in response to a scheduling criteria identified for the system, where the second set of plug-ins perform the compliance check for only the applications currently installed on the system.03-18-2010
20120137369MOBILE TERMINAL WITH SECURITY FUNCTIONALITY AND METHOD OF IMPLEMENTING THE SAME - Disclosed herein is a mobile terminal with security functionality and a method of implementing the mobile terminal. The mobile terminal with security functionality includes a storage unit, a first module, a second module, and a third module. The storage unit stores a list of risky function combinations which may cause security risks. The first module monitors functions included in an application to be installed or running in the mobile terminal. The second module assesses security vulnerabilities based on whether a combination of the monitored functions corresponds to a risky function combination and/or security attributes of the mobile terminal. The third module takes countermeasures when a security vulnerability has been found based on the assessment.05-31-2012
20120137368APPARATUS, SYSTEM AND METHOD FOR PREVENTING DATA LOSS - A device and method are provided for a device that communicates security information to a user entering content into the device. In an aspect, the device may access content from a server over a connection through the network. The device displays the content on a user interface of the device. The device detects information entered into a field of the displayed content and evaluates a security state of the device. If the security state is below a security threshold and, if the entered information is identified as protected information based on stored criteria, the device displaying a visual indication on the user interface.05-31-2012
20120137367CONTINUOUS ANOMALY DETECTION BASED ON BEHAVIOR MODELING AND HETEROGENEOUS INFORMATION ANALYSIS - The present disclosure describes a continuous anomaly detection method and system based on multi-dimensional behavior modeling and heterogeneous information analysis. A method includes collecting data, processing and categorizing a plurality of events, continuously clustering the plurality of events, continuously model building for behavior and information analysis, analyzing behavior and information based on a holistic model, detecting anomalies in the data, displaying an animated and interactive visualization of a behavioral model, and displaying an animated and interactive visualization of the detected anomalies.05-31-2012
20110185433CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS - A constraint is inserted into a program to address a vulnerability of the program to attacks. The constraint includes a segment of code that determines when the program has been asked to execute a “corner case” which does not occur in normal operations. The constraint code can access a library of detector and remediator functions to detect various attacks and remediate against them. Optionally, the detector can be employed without the remediator for analysis. The context of the program can be saved and restored if necessary to continue operating after remediation is performed. The constraints can include descriptors, along with machine instructions or byte code, which indicate how the constraints are to be used.07-28-2011
20110185432Cyber Attack Analysis - In certain embodiments, analyzing cyber attacks includes receiving cyber attack parameters. A cyber attack parameter describes a performance attribute of a cyber attack scenario. The cyber attack parameters comprises at least one temporal parameter describing a temporal feature of the cyber attack scenario. The following is performed for each cyber defense of one or more cyber defenses to yield one or more sets of cyber attack metrics: simulating the cyber attack operating with a cyber defense; and determining a set of cyber attack metrics describing the cyber attack operating with the cyber defense. The cyber defenses are evaluated in accordance with the sets of cyber attack metrics.07-28-2011
20110185431SYSTEM AND METHOD FOR ENABLING REMOTE REGISTRY SERVICE SECURITY AUDITS - The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.07-28-2011
20100175135Systems and Methods for Assessing the Compliance of a Computer Across a Network - The disclosed principles describe systems and methods for assessing the security posture of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows for the scanner computer to perform a remote scan of the remote device without installing client software to the remote device. Thus, the disclosed principles reduce the need for internal IT resources to manage the deployment and updates of client software on the target device. Also, conducting a remote scan according to the disclosed principles allows for the remote scan to be performed even if the scanner computer and remote device run different operating systems.07-08-2010
20100287617METHOD FOR COMMUNICATION SECURITY AND APPARATUS THEREFOR - A FireNet security system in which trustworthy networks, called BlackNets, each comprising One (1) or more client computers, are protected by FireBreaks against attacks from untrustworthy networks, called RedNets. All incoming transactions from the RedNet are examined by the FireBreak to determine if they violate any of a plurality of protection rules stored in a local protection rules database. Any transaction found to be in violation is discarded. Valid transactions are forwarded to the BlackNet. If an otherwise valid transaction is found to be suspicious, the FireBreak will forward to a FireNet Server relevant information relating to that transaction. If the FireNet Server verifies that the transaction is indeed part of an attack, the FireNet Server will create new protection rules suitable to defend against the newly identified source or strategy of attack. Periodically, all FireBreaks in the FireNet system will transfer, directly or indirectly, all new rules.11-11-2010
20120174229Runtime Enforcement Of Security Checks - A method is disclosed that includes tracking untrusted inputs through an executing program into a sink, the tracking including maintaining context of the sink as strings based on the untrusted inputs flow into the sink. The method also includes, while tracking, in response to a string based on an untrusted input being about to flow into the sink and a determination the string could lead to an attack if the string flows into a current context of the sink, endorsing the string using an endorser selected based at least on the current context of the sink, and providing the endorsed string to the sink. Computer program products and apparatus are also disclosed.07-05-2012
20120174230System and Method for Management of Vulnerability Assessment - A system and method for an optimization of fulfillment workflow is disclosed. In accordance with embodiments of the present disclosure, a method may include: (i) receiving application data; (ii) determining that an application in scope for vulnerability assessment based at least in part on the application data; (iii) receiving assessment information from an assessor related to an assessment of the application, the assessment indentifying at least one vulnerability; (iv) communicating the information regarding the assessment to a remediator; (v) receiving one or more remediation tasks associated with the assessment, the one or more remediation tasks designed to remedy the at least one vulnerability; (vi) receiving an indication of performance of a remediation task of the one or more remediation tasks; (vii) communicating an indication that a remediation task has been completed based at least in part on the indication of performance of the remediation task; and (viii) receiving an indication of whether the remediation task remedied the at least one vulnerability.07-05-2012
20120174228METHODS AND SYSTEMS FOR INTEGRATING RECONNAISSANCE WITH SECURITY ASSESSMENTS FOR COMPUTING NETWORKS - A reconnaissance and assessment (RA) tool can receive base information about the network, such as basic network information and details about an entity and personnel associated with network. The RA tool can utilize the base information to perform reconnaissance procedures on the network to identify the attack surface of the network. The RA tool can perform reconnaissance on the network, itself, and on other external sources, such as third party databases, search engines, and partner networks. Once the attack surface is identified, the RA tool can automatically perform appropriate security assessments on the attack surface. Additionally, if additional information is determined about the network during the security assessments, the RA tool can perform additional reconnaissance and security assessments based on the additional information.07-05-2012
20120255022SYSTEMS AND METHODS FOR DETERMINING VULNERABILITY TO SESSION STEALING - Systems and methods for determining vulnerability to session stealing are disclosed. An example method includes intercepting, at a first computing device, an intercepted packet sent from a client to a second computing device different than the first computing device, the intercepted packet including a first instruction in a first portion of the intercepted packet, determining, using a template, a second portion of the intercepted packet that is a value that is changed by a calculated amount each time that the client sends a packet, changing the value by the calculated amount to determine a next value for a next packet, replacing the second portion of the intercepted packet with the next value to generate a modified packet, replacing the first portion of the modified packet with a second instruction, and transmitting the modified packet to the second computing device.10-04-2012
20110191852METHOD TO PERFORM A SECURITY ASSESSMENT ON A CLONE OF A VIRTUAL SYSTEM - A system to create a virtual clone of a production system for the purpose of executing security services without risk to the original production system. The service host makes a copy of the dedicated memory and physical storage of the virtual target, and then uses that data to initiate a clone in an isolated virtual environment within the service host. Once the target system has been cloned, security services can be performed on the clone without any risk to the target system, and provide an accurate reflection of the security state of the target system.08-04-2011
20110191853SECURITY TECHNIQUES FOR USE IN MALICIOUS ADVERTISEMENT MANAGEMENT - The present invention provides methods and systems for use in malicious advertisement management. Methods and systems are provided in which, after an advertisement is determined not to present a security threat, whether initially or after removal any such threat, then a first modification is performed to code associated with the advertisement which may introduce a security coding. Further modification, which may breach the security coding, may indicate that the advertisement is more likely to present a security threat than if the further modification had not occurred.08-04-2011
20100050264Spreadsheet risk reconnaissance network for automatically detecting risk conditions in spreadsheet files within an organization - A spreadsheet risk reconnaissance network including a research agent installed on one or more spreadsheet file servers registered on the network, and a plurality of spreadsheet file servers for supporting a plurality of user organizations registered and communicating with a data processing center. Each research agent operates transparently to users on the network so as to perform a number of functions, including (i) collecting metadata from spreadsheet files stored on said spreadsheet file servers registered on said network, and (ii) transmitting the collected metadata to the data processing center for storage and analysis. The data processing center performs a number of operations, including (i) analyzing collected metadata associated with each spreadsheet file, (ii) calculating a spreadsheet risk measure based on objective-relative analysis, for a plurality of spreadsheet files associated with at least one user organization, under management by the network, and (iii) allowing business manager users to assign business attributes to identified spreadsheet files assigned the spreadsheet risk measure.02-25-2010
20100050262METHODS AND SYSTEMS FOR AUTOMATED DETECTION AND TRACKING OF NETWORK ATTACKS - Methods for tracking attacking nodes are described and include extracting, from a database, an instance of each unique packet header associated with IP-to-IP packets transmitted over a time period. The method includes determining from extracted headers, which nodes have attempted to establish a connection with an excessive number of other nodes over a period, identifying these as potential attacking nodes, determining from the headers, which other nodes responded with a TCP SYN/ACK packet indicating a willingness to establish connections, and a potential for compromise. Nodes scanned by potential attacking nodes are disqualified from the identified nodes based on at least one of: data in the headers relating to at least one of an amount of data transferred, and scanning activities conducted by the nodes that responded to a potential attacking node with a TCP SYN/ACK packet. Any remaining potential attacking nodes and scanned nodes are presented to a user.02-25-2010
20120180133Systems, Program Product and Methods For Performing a Risk Assessment Workflow Process For Plant Networks and Systems - Systems, methods, and program product to perform a cyber security risk assessment on a plurality of process control networks and systems comprising a plurality of primary network assets at an industrial process facility, are provided. An example of a system and program product can include an industrial and process control systems scanning module configured to identify networks and systems topology and to execute system and network security, vulnerability, virus, link congestion, node congestion analysis to thereby detect susceptibility to know threats to define potential vulnerabilities; a threats to vulnerabilities likelihood and consequences data repository module configured to determine a likelihood of each of a plurality of known threats exploiting identified vulnerabilities and to identify consequences of the exploitation to individual impacted systems and to overall plant operation; and a risk level evaluator module configured to determine a risk level rating for any identified vulnerabilities and provide recommended corrective actions.07-12-2012
20130174259GEO-MAPPING SYSTEM SECURITY EVENTS - A particular security event is identified that has been detected as targeting a particular computing device included in a particular computing system. A particular grouping of assets in a plurality of asset groupings within the particular computing system is identified as including the particular computing device. A source of the particular security event is also identified and at least one of a geographic location and a grouping of assets in the plurality of asset groupings is associated with the identified source. Data is generated that is adapted to cause a presentation of a graphical representation of the particular security event on a display device, the graphical representation including a first graphical element representing the particular computing device as included in the particular grouping of assets and a second graphical element representing the source associated with the at least one of a geographic location and a grouping of assets.07-04-2013
20130174263AUTOMATED SECURITY ASSESSMENT OF BUSINESS-CRITICAL SYSTEMS AND APPLICATIONS - Systems and methods which provide a new application security assessment framework that allows auditing and testing systems to automatically perform security and compliance audits, detect technical security vulnerabilities, and illustrate the associated security risks affecting business-critical applications.07-04-2013
20090055931DEVICE AND METHOD FOR DETECTING VULNERABILITY OF WEB SERVER USING MULTIPLE SEARCH ENGINES - Provided are a web server vulnerability detecting device and method which detect vulnerability of a plurality of high-performance web servers in real-time using a plurality of search engines simultaneously and automatically provide the updated detailed information on detected vulnerability. The device includes: a web server examination module for requesting a plurality of different search engines to examine a file with a likelihood of vulnerability, in response to an input search word, and receiving from the search engines URLs of web servers on which the file with a likelihood of vulnerability is located; an optimal information collection module for optimizing the URLs of the web servers received from the search engines to obtain optimal information; a web server vulnerability detecting module for detecting vulnerability of a web server corresponding to the optimal information; and a vulnerability information collection module for collecting and providing the latest detailed information on the detected vulnerability.02-26-2009
20130174261System and Method of Securing Monitoring Devices on a Public Network - A method for determining whether or not a monitor is registered with a security service. The method includes using a device search engine to perform a search for and find a monitor. Then it is determined whether or not the found monitor is registered with the security service. When the found monitor is not currently registered with the security service, an owner of the unregistered monitor is automatically contacted.07-04-2013
20130174262TARGETED SECURITY TESTING - Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads.07-04-2013
20120185945SYSTEM AND METHOD OF MANAGING NETWORK SECURITY RISKS - A security risk management system comprises a vulnerability database, an asset database, a local threat intelligence database and a threat correlation module. The vulnerability database comprises data about security vulnerabilities of assets on a network gathered using active or passive vulnerability assessment techniques. The asset database comprises data concerning attributes of each asset. The threat correlation module receives threat intelligence alerts that identify attributes and vulnerabilities associated with security threats that affect classes of assets. The threat correlation module compares asset attributes and vulnerabilities with threat attributes and vulnerabilities and displays a list of assets that are affected by a particular threat. The list can be sorted according to a calculated risk score, allowing an administrator to prioritize preventive action and respond first to threats that affect higher risk assets. The security risk management system provides tools for performing preventive action and for tracking the success of preventive action.07-19-2012
20120185943CLASSIFICATION OF CODE CONSTRUCTS USING STRING ANALYSIS - A code construct in a computer-based software application is classified by seeding an analysis of an instruction code set of a computer-based software application with a seed for a seeding variable within the instruction code set, wherein the seed is an abstract value representation, performing the analysis to a fixed point, thereby producing a fixed point solution, selecting an invariant from the fixed point solution, wherein the invariant represents at least one value pointed to by a classification variable in a code construct within the instruction code set, and classifying the code construct with a classification that is applicable to the invariant in accordance with an application criterion.07-19-2012
20120084867METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR ASSESSING INFORMATION SECURITY - Methods and systems to assess information security based on based on a combination of user-responses to computer-selected queries and results of a testing/diagnostic application. Users may be interviewed based on areas of expertise. Information security assessment may be performed with respect to domains of an enterprise, the results of which may be rolled-up to assess information security across the enterprise. A system may include application-specific questions and vulnerabilities, industry specific questions and vulnerabilities, a repository of expert knowledge, and/or working aids. A system may include an inference engine, which may include a logic-based inference engine, a knowledge-based inference engine, and/or an artificial intelligence inference engine. A system may include an application-specific tool to configure the system to assess security of information handled by a third party application program.04-05-2012
20120084866METHODS, SYSTEMS, AND MEDIA FOR MEASURING COMPUTER SECURITY - Methods, systems, and media for measuring computer security are provided. In accordance with some embodiments, methods for measuring computer security are provided, the methods comprising: making at least one of decoys and non-threatening access violations accessible to a first user using a computer programmed to do so; maintaining statistics on security violations and non-violations of the first user using a computer programmed to do so; and presenting the statistics on a display.04-05-2012
20090019547Method and computer program product for identifying or managing vulnerabilities within a data processing network - Provided are methods, apparatus and computer programs for identifying vulnerabilities to viruses of hacking. Hash values are computed and stored for resources stored on systems within a network. If a first resource or a collection of resources (such as files comprising an operating system, Web Browser or mail server) is associated with a vulnerability, hash values for the first resource or collection of resources are compared with the stored hash values to identify systems which have the vulnerability. Messages may be sent to the people responsible for the vulnerable systems, or the vulnerability may be removed by automatic downloading of patches or service packs.01-15-2009
20120233700SYSTEM AND METHOD FOR PERFORMING REMOTE SECURITY ASSESSMENT OF FIREWALLED COMPUTER - Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated.09-13-2012
20120233698Information System Security Based on Threat Vectors - A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system.09-13-2012
20130174260TARGETED SECURITY TESTING - Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads.07-04-2013
20080301813Testing Software Applications with Schema-based Fuzzing - Systems and methods to test software applications with schema-based fuzzing are described. In one aspect, the systems and methods automatically generate valid input data for a software application according to a fuzzing data schema. The fuzzing data schema describes characteristics of data format that would be proper or well formed for input into the software application. The systems and methods mutate to the valid input data with one or more fuzzing algorithms to generate corrupted versions, or malformed data. The malformed data is for fuzz testing the software application to identify any security vulnerabilities.12-04-2008
20080301814Information processing apparatus, information processing method, and computer-readable recording medium storing information processing program - An information processing apparatus is disclosed. The information processing apparatus includes a table which describes a relationship between security strength (for example, HIGH, MIDDLE, or LOW) of a computer system of the information processing apparatus and values (for example, ON or OFF) of security function items that stipulate security functions in the information processing apparatus. When a user designates to change the security strength on a screen, the values of the security function items are changed based on the changed security strength. The changed values of the security function items are reported to the user on another screen.12-04-2008
20120266247Automatic Inference Of Whitelist-Based Validation As Part Of Static Analysis For Security - A method includes performing taint analysis of a computer program and determining an original set of paths from sources to sinks. Each path corresponds to a vulnerability. The method includes determining for each variable whose type is a collection and is accessed in one of the paths in the original set of paths whether the variable points to a concrete value whose internal state is not tainted according to the taint analysis. The method further includes, for each of the variables whose type is a collection found not to be tainted according to the taint analysis, determining all points in the computer program where a membership check against the collection is performed. The method also includes, for each of the points, determining corresponding paths and removing those paths from the original set of paths to create a reduced set of paths. Apparatus and computer readable program products are also disclosed.10-18-2012
20120266248PINPOINTING SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS - A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library.10-18-2012
20120266246PINPOINTING SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS - A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library.10-18-2012
20120240236CRAWLING MULTIPLE MARKETS AND CORRELATING - A crawler program collects and stores application programs including application binaries and associated metadata from any number of sources such as official application marketplaces and alternative application marketplaces. An analysis including comparisons and correlations are performed among the collected data in order to detect and warn users about pirated or maliciously modified applications.09-20-2012
20120240235METHODS AND SYSTEMS FOR PROVIDING A FRAMEWORK TO TEST THE SECURITY OF COMPUTING SYSTEM OVER A NETWORK - A security tool can utilize a vulnerability in a computing system or credentials for the computing system to gain access to the computing system. Once access is gained, the security tool can deliver an agent to the computing system. The agent can execute, detected or undetected, on the computing system in order to establish a network link between the computing system and the security tool. Once established, the security tool creates a virtual network interface on the computing system on which it is running and instructs the agent to relay network traffic between the virtual network interface of the computing system executing the security tool and the existing network interfaces of computing system executing the agent.09-20-2012
20110030061DETECTING AND LOCALIZING SECURITY VULNERABILITIES IN CLIENT-SERVER APPLICATION - The present invention provides a system, computer program product, and a computer implemented method for analyzing a set of two or more communicating applications. The method includes executing a first application, such as a client application, and executing a second application, such as a server application. The applications are communicating with each other. A correlation is recorded between the applications and an execution characteristic exhibited on execution. An oracle is used to determine an analysis of the first application that has been executed. The execution of the first application causes a change of state in the second application and/or a change control flow in the second application. Code fragment in the first application and/or the second application are prioritized based on an evaluation produced by the oracle, and based on the correlation between the code fragments that have been executed and the execution characteristic exhibited by the code fragments.02-03-2011
20120324581System, Method and Device for Cloud-Based Content Inspection for Mobile Devices - A content inspection system provides cloud-based content inspection for mobile devices. The content inspection system includes a content inspection server for receiving a request providing a digital fingerprint of content for evaluation for threats and a data reputation services server for maintaining a threat database. The content inspection system communicates with the mobile device using a service oriented architecture web services based on exchanges of messages between agents of the content inspection system and the mobile device. The content inspection server authenticates the received request belongs to a subscriber, and once the request is authenticated, the data reputation services server operates on the request to determine whether content identified by the digital fingerprint matches pre-existing claims in the threat database. The content inspection system generates a threat evaluation response for the mobile device based on reviewing the threat database for pre-existing claims.12-20-2012
20120324582SERVICE SYSTEM THAT DIAGNOSES THE VULNERABILITY OF A WEB SERVICE IN REAL TIME MODE AND PROVIDES THE RESULT INFORMATION THEREOF - A service system that diagnoses the vulnerability of a web service in real time mode and provides the result information thereof according to the present invention receives the input of a user web service address through the web service, automatically visits the corresponding web service to perform the real-time analysis on a web page and check if the web page has a vulnerability, and transmits the result information to a user PC. The service system can provide an intuitive service by displaying the discovery of the vulnerability, the procedure and an external URL linked to the web page are displayed on the user screen; find out the possibility of an outflow of the information contained in the URL by checking, on the basis of the web page analysis, whether a symbol or reserved word (system command) among the factors has been filtered; and display the classification of vulnerabilities of respective DBs by analyzing the result to be sent to an object system before being displayed on the web page. Further, the service system retains the data on the vulnerability of each DB in a program as a resource to compare the data with the result received from the web service and identify a problem if present; includes a script analysis section; and conducts an analysis on links according to an analyzed portion of an index page sot that the user can see the checking procedure via a taken place link in real time mode as well as the diagnosis progress that has been proceeded up to that point whenever desired and find links being connected. Moreover, when the service system analyzes the web page, the user can easily check an external link section and detect any external domain, if present, which spreads a malicious code in the web service. In addition, the service system allows the user to check over the internet the items for the service diagnosis selected by the user and the diagnosis result, and thus to personally see the problems and solutions therefor.12-20-2012
20110219454METHODS OF IDENTIFYING ACTIVEX CONTROL DISTRIBUTION SITE, DETECTING SECURITY VULNERABILITY IN ACTIVEX CONTROL AND IMMUNIZING THE SAME - Provided is a method of identifying an ActiveX control distribution site, detecting a security vulnerability in an ActiveX control and immunizing the same. A security vulnerability existing in an ActiveX control may be automatically detected, effects brought on by the corresponding security vulnerability may be measured, and abuse of the detected security vulnerability in a user PC to be protected may be immediately prevented. Therefore, since the user PC may be protected regardless of a security patch, it is anticipated that security problems in the Internet environment caused by imprudent use of the ActiveX control may be significantly enhanced.09-08-2011
20110239303THREAT MANAGEMENT SYSTEM AND METHOD - In a threat management system and method for managed systems, leveraging of identifications and/or assessments of common threats, and/or valuation of assets which may be susceptible to common threats, can be applied to facilitate monitoring of customer compliance with policies needed to guard against threats to customer assets. Threat identification and response in managed systems may be tailored for different customers, in some instances without having to parse individual customer details, such as assets at risk and types of threats to those assets.09-29-2011
20110252479METHOD FOR ANALYZING RISK - A method for analyzing risk to a system, the method being carried out by a computer having a processor and system memory, includes the steps of inputting data representing multiple threat objectives that comprise the risk, calculating a residual risk for each threat objective in view of a plurality of control mechanisms, and generating output representing an overall residual risk to the system that is a combination of the residual risks.10-13-2011
20110277035Detection of Malicious System Calls - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting malicious system calls. In one aspect, a method includes monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a first critical memory address vulnerable to the buffer overflow attack comprising: determining the first critical memory address based on a base pointer of the one or more base pointers, wherein the base pointer address is greater than an address of the destination buffer; identifying a first address based on the base pointer of the one or more base pointers; and determining that the first address is a critical memory address in response to the first memory address is greater than the address of the destination buffer.11-10-2011
20110277034SYSTEM AND METHOD FOR THREE-DIMENSIONAL VISUALIZATION OF VULNERABILITY AND ASSET DATA - The system and method for three-dimensional visualization of vulnerability and asset data described herein may provide a management console that integrates various active vulnerability scanners, various passive vulnerability scanners, and a log correlation engine distributed in a network. In particular, the management console may include a three-dimensional visualization tool that can be used to generate three-dimensional visualizations that graphically represent vulnerabilities and assets in the network from the integrated information that management console collects the active vulnerability scanners, the passive vulnerability scanners, and the log correlation engine distributed in the network. As such, the three-dimensional visualization tool may generate three-dimensional representations of the vulnerabilities and assets in the network that can be used to substantially simplify management of the network.11-10-2011
20120102570SDI-SCAM - A distributed multi-agent system and method is implemented and employed across at least one intranet for purposes of real time collection, monitoring, aggregation, analysis and modeling of system and network operations, communications, internal and external accesses, code execution functions, network and network resource conditions as well as other assessable criteria within the implemented environment. Analytical models are constructed and dynamically updated from the data sources so as to be able to rapidly identify and characterize conditions within the environment (such as behaviors, events, and functions) that are typically characteristic with that of a normal state and those that are of an abnormal or potentially suspicious state. The model may further recommend (or alternatively implement autonomously or semi-autonomously) optimal remedial repair and recovery strategies as well as the most appropriate countermeasures to isolate or neutralize the threat and its effects.04-26-2012
20120291132SYSTEM, METHOD AND PROGRAM PRODUCT FOR DYNAMICALLY PERFORMING AN AUDIT AND SECURITY COMPLIANCE VALIDATION IN AN OPERATING ENVIRONMENT - A system, method and program product for dynamically performing an audit and security compliance validation. The method includes providing a tool for performing a compliance check of installed computer applications running on a system, the tool including a first set and a second set of plug-ins. Further, the method includes scanning the system, using plug-ins selected from the first set to obtain a current inventory of applications currently installed on the system and selecting plug-ins from the second set to be run on the system in response to the current inventory of applications obtained, and automatically running the plug-ins selected from the second set for performing the compliance check on the system in response to a scheduling criteria identified for the system, where the second set of plug-ins perform the compliance check for only the applications currently installed on the system.11-15-2012
20100199353VULNERABILITY-BASED REMEDIATION SELECTION - A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between a remediation, at least one action, and at least two vulnerabilities. A method of selecting a remediation, that is appropriate to a vulnerability which is present on a machine to be remediated, may include: providing a machine-actionable memory as mentioned above; and indexing into the memory using: a given vulnerability identifier to determine (A) at least one of a remediation mapped thereto and (B) at least one action mapped to the given vulnerability identifier; and/or a given remediation to determine at least two vulnerabilities mapped thereto.08-05-2010
20120137370PLATFORM FOR ANALYZING THE SECURITY OF COMMUNICATION PROTOCOLS AND CHANNELS - A security analyzer tests the security of a device by attacking the device and observing the device's response. Attacking the device includes sending one or more messages to the device. A message can be generated by the security analyzer or generated independently of the security analyzer. The security analyzer uses various methods to identify a particular attack that causes a device to fail or otherwise alter its behavior. Monitoring includes analyzing data (other than messages) output from the device in response to an attack. Packet processing analysis includes analyzing one or more messages generated by the device in response to an attack. Instrumentation includes establishing a baseline snapshot of the device's state when it is operating normally and then attacking the device in multiple ways while obtaining snapshots periodically during the attacks.05-31-2012
20100199352CONTROL AUTOMATION TOOL - A control automation tool (“CAT”) is configured for supporting discrete management of controls and their corresponding metrics. The control automation tool includes a software application connected with, stored on, and executed by one or more relational, closed-loop data repositories and computer systems. The use and maturation of a control within an organization depends on management of operational performance and expenses, which the CAT assists through lean project management, effective implementation of action plans and financial functions. Further, people resources, organizational hierarchy and access management functions are used to support mapping of controls arranged by organizational unit and support access permissions that are consistent with appropriate data management. The CAT also provides transparency and meaning to control and metric status and relevant data regarding controls and their associated metrics and is configured for ease of control and metric management via the CAT interface.08-05-2010
20100199351METHOD AND SYSTEM FOR SECURING VIRTUAL MACHINES BY RESTRICTING ACCESS IN CONNECTION WITH A VULNERABILITY AUDIT - A method and system for securing a virtual machine is disclosed. An initiation signal from the host system that is generated upon startup of the virtual machine is intercepted, and a network connection on the host system accessible by the virtual machine is restricted in response. Then, the virtual machine is queried for preexisting vulnerabilities, and such data is received. Access by the virtual machine to the network connection is controlled based upon a comparison of a security policy, which is associated with the virtual machine, to the received preexisting vulnerabilities.08-05-2010
20130014265UNIVERSAL PATCHING MACHINE - A universal patching machine is used to provide security for a computer system. A conversion function is generated for the patching machine that modifies input data to the computer system so that the computer system has an output and state that match the output and state that would be produced by a vendor-patched version of the computer system. The universal patching machine detects security vulnerabilities in intercepted data traffic. If a vulnerability violation is detected, the universal patching machine modifies the data traffic to remove the violation. Fixing the data traffic in this way ensures that the vulnerability cannot be exploited in an attack against the data network. The universal patching machine is formed from patch processors and a packet controller. The patch processors are formed from network patches. In operation, the patch processors detect vulnerabilities and issue modification commands that direct the packet controller to fix the data traffic.01-10-2013
20130014264Systems and Methods For Implementing and Scoring Computer Network Defense Exercises - A process for facilitating a client system defense training exercise implemented over a client-server architecture includes designated modules and hardware for protocol version identification message; registration; profiling; health reporting; vulnerability status messaging; storage; access and scoring. More particularly, the server identifies a rule-based vulnerability profile to the client and scores client responses in accordance with established scoring rules for various defensive and offensive asset training scenarios.01-10-2013
20130014263SYSTEM AND METHOD FOR REMOTELY CONDUCTING A SECURITY ASSESSMENT AND ANALYSIS OF A NETWORK - A system and method for performing a security audit of a target network. The system includes a device that establishes a connection to the target network through a communication link. The device has reverse tunneling capabilities for establishing a secure tunnel over the Internet. The system also includes a receiving computer connected to the device through the secure tunnel established by the device over the Internet, and the receiving computer sends commands to the device for performing the security audit of the target network. The device is deployed onsite near the network and the receiving computer is located at a remote offsite location. Also, the device may be covertly hidden onsite near the network to simulate a malicious attack on the target network.01-10-2013
20100132043Method and Apparatus for an End User Identity Protection Suite - A method comprising an indicator showing an overall security status of a user.05-27-2010
20120151594SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing.06-14-2012
20120151592STRING OPERATIONS WITH TRANSDUCERS - There is provided a computer-implemented method for analyzing string-manipulating programs. An exemplary method comprises describing a string-manipulating program as a finite state transducer. The finite state transducer may be evaluated with a constraint solving methodology to determine whether a particular string may be provided as output by the string-manipulating program. The constraint solving methodology may involve the use of one or more satisfiability modulo theories (SMT) solvers. A determination may be made regarding whether the string-manipulating program may contain a potential security risk depending on whether the particular string may be provided as output by the string-manipulating program.06-14-2012
20130019314INTERACTIVE VIRTUAL PATCHING USING A WEB APPLICATION SERVER FIREWALLAANM Ji; PengAACI BeijingAACO CNAAGP Ji; Peng Beijing CNAANM Luo; LinAACI BeijingAACO CNAAGP Luo; Lin Beijing CNAANM Sreedhar; Vugranam C.AACI Yorktown HeightsAAST NYAACO USAAGP Sreedhar; Vugranam C. Yorktown Heights NY USAANM Yang; Shun XiangAACI BeijingAACO CNAAGP Yang; Shun Xiang Beijing CNAANM Zhang; YuAACI BeijingAACO CNAAGP Zhang; Yu Beijing CN - A plurality of templates for web application server firewall rules are generated. A vulnerability report for the web application is obtained. At least one web application server firewall rule is generated, using the vulnerability report and at least one of the plurality of templates. The at least one web application server firewall rule is tested. The at least one web application server firewall rule is deployed to run on the web application server firewall.01-17-2013
20130019315DESIGNING SECURITY INTO SOFTWARE DURING THE DEVELOPMENT LIFECYCLE - Systems, methods, and computer program products are provided for a comprehensive software security system. The overarching software security system described and claimed herein provides for a system that address all of the concerns and vulnerabilities present at the design level (i.e., new software applications) and the production level (i.e., pre-existing software applications) associated with software. Additionally, the system governs the individual security processes and practices. The software security system defines specific security practices and the timing for application of the practices within the overall software development lifecycle. Additionally, the disclosed software security system takes advantage of role specialization, such as security specialization, to increase effectiveness and limit conflicts of interest within the design process.01-17-2013
20110145924METHOD FOR DETECTION AND PREVENTION OF LOADING EXECUTABLE FILES FROM THE CURRENT WORKING DIRECTORY - The present invention detects vulnerabilities by observing (“monitoring”) the calls of system and application functions, and the arguments of such calls, which play a key role in loading executable files, and detects that a computer program or operating system either has tried, is trying or will try to load or execute an executable file from the current working directory. The present invention extends the detection procedure with an active intervention into the execution of a computer program or operating system such that loading or execution of the executable file is prevented. The present invention limits exploitability of the described vulnerability, by limiting loading or execution of executable files from the current working directory, or limiting or preventing setting of the current working directory to locations where a malicious person could place an executable file.06-16-2011
20130024942SYSTEM AND METHOD FOR DETECTING DATA EXTRUSION IN SOFTWARE APPLICATIONS - Comprehensive techniques identify data leaks in software applications using Asset Flow Analysis (AFA) to determine whether critical data leaves a system through an exit point such that the data is no longer protected by mechanisms of the system. A novel data extrusion mechanism makes use of a relevant subset of all the possible data paths detected by AFA using a knowledge base of critical business functions and critical database content. The system checks if any code performs read access to critical business data and subsequently transfers this data beyond the control limits of the target system. The knowledge base can be extended by configuring which database content is to be regarded as critical in any given organization. The approach is particularly valuable in protecting systems that manipulate, distribute, or store sensitive information associated with financial, business, or personal data, including SAP® ABAP™ software applications.01-24-2013
20080244748Detecting compromised computers by correlating reputation data with web access logs - Compromised host computers in an enterprise network environment comprising a plurality of security products called endpoints are detected in an automated manner by an arrangement in which a reputation service provides updates to identify resources including website URIs (Universal Resource Identifiers) and IP addresses (collectively “resources”) whose reputations have changed and represent potential threats or adversaries to the enterprise network. Responsively to the updates, a malware analyzer, which can be configured as a standalone endpoint, or incorporated into an endpoint having anti-virus/malware detection capability, or incorporated into the reputation service, will analyze logs maintained by another endpoint (typically a firewall, router, proxy server, or gateway) to identify, in a retroactive manner over some predetermined time window, those client computers in the environment that had any past communications with a resource that is newly categorized by the reputation service as malicious. Every client computer so identified is likely to be compromised.10-02-2008
20110265184SECURITY MONITORING METHOD, SECURITY MONITORING SYSTEM AND SECURITY MONITORING PROGRAM - A security monitoring method is disclosed for acquiring plural items of observation information representative of a security state of a device, and for judging whether or not the device is secure through a policy based on the plural items of observation information. Transmission information that is defined as information representative of relevant observation information is retained. It is determined whether or not security judgment is possible through said transmission information alone in place of the plural items observation information. When it is possible, the transmission information in place of all or part of said plurality items of observation information is transmitted.10-27-2011
20080222731Network security modeling system and method - A network security modeling system which simulates a network and analyzes security vulnerabilities of the network. The system includes a simulator which includes a network vulnerabilities database and a network configuration module having network configuration data. The simulator determines vulnerabilities of the simulated network based on the network configuration data and the vulnerabilities database.09-11-2008
20080222730Network service monitoring - Network devices, systems, and methods are described that perform network service monitoring. One method includes examining a number of packets received by a first network device to determine whether a protocol of a packet corresponds to a given network service, forwarding an event to a second network device in response to a determination that the protocol of the packet corresponds to the network service, determining whether the network service is an authorized service by comparing the network service to a list of network services, and executing a remedial action in response to a determination that the network service is an unauthorized service.09-11-2008
20130179977Assessing Social Risk Due To Exposure From Linked Contacts - An approach is provided in which a risk assessment is performed that accesses the risk to a user of an information handling system due to the user's link to a social network contact. Risky action values is received with the values corresponding to the social network contact. A risk level is calculated with the risk level corresponding to one or more of the risky action values. A preventative security action is then performed based on the calculated risk level. In another embodiment, an approach is provided in which the potential risks posed by a user are transmitted to the user's social network contacts. In this approach, potentially risky actions that are performed by the user are detected. Risky action values are identified that correspond to the detected potentially risky actions. The risky action values are then transmitted to the user's social network contacts over a computer network.07-11-2013
20110271348PORTABLE PROGRAM FOR GENERATING ATTACKS ON COMMUNICATION PROTOCOLS AND CHANNELS - A security analyzer is capable of generating attacks to test the security of a device under analysis. The security analyzer further has the capability to generate a portable, executable program to generate specified attacks. In this way, others can recreate the attacks without requiring access to the security analyzer.11-03-2011
20120255024Compiling Information Obtained By Combinatorial Searching - Some embodiments, among others, include a search for sensitive information. Once a result of the search has been obtained, a score is assigned to the obtained result in accordance with a predefined criterion.10-04-2012
20120255023METHODS AND SYSTEMS OF DETECTING AND ANALYZING CORRELATED OPERATIONS IN A COMMON STORAGE - A method of detecting correlated operations in a common storage. The method comprises providing at least one input operation, each the input operation being designated to write uniquely identifiable data on a memory unit of an application, monitoring a plurality of output operations of the application, each the output operation includes data read from the memory unit, comparing between the at least one input operation and the plurality of output operations to identify at least one matching group of input and output operations wherein each member of the at least one matching group has correlated written or read data in a common correlated target address in the memory unit, and outputting an indication of the at least one matching group.10-04-2012
20120255021SYSTEM AND METHOD FOR SECURING AN INPUT/OUTPUT PATH OF AN APPLICATION AGAINST MALWARE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, an input-output (I/O) device of the electronic device coupled to the operating system; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the I/O device. The security agent may be further configured to: (i) trap, at a level below all of the operating systems of the electronic device accessing an input/output (I/O) device, an attempted access of a facility for I/O operation with the I/O device; and (ii) using one or more security rules, analyze the attempted access to determine whether the attempted access is indicative of malware.10-04-2012
20120255020METHODS FOR ATTACK SURFACE MEASUREMENT - Methods and apparatus are provided for measuring the attack surface of a code library. In one embodiment, a method includes measuring the attack surfaces of a compiled code library, counting the number of each public item of a plurality of items of the compiled code library, and displaying a visualization of the measurement, wherein the visualization identifies each item type of the plurality of items of the compiled code library and the measurement of each item of the plurality of items of the compiled code library.10-04-2012
20130139266DETECTING VULNERABILITIES IN WEB APPLICATIONS - A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.05-30-2013
20130091579INTELLIGENT CONNECTORS INTEGRATING MAGNETIC MODULAR JACKS AND INTELLIGENT PHYSICAL LAYER DEVICES - An apparatus comprises a connector, wherein the connector comprises i) a jack, wherein the jack comprises a) a plurality of electrical terminals, and b) a magnetic component electrically coupled to the plurality of electrical terminals; and ii) a physical layer device, wherein the physical layer device comprises a) a physical layer module, wherein the physical layer module comprises an interface configured to receive packets from the jack, and an interface bus configured to inspect the packets, and b) a network interface configured to, based on the inspection of the packets by the interface bus, provide the packets to a device separate from the physical layer device.04-11-2013
20130091577METHODS AND SYSTEMS FOR AUTOMATED NETWORK SCANNING IN DYNAMIC VIRTUALIZED ENVIRONMENTS - Systems and methods for managing jobs to be scanned based on existence of processing nodes are described. One of the methods includes obtaining identification information regarding operation of a first set of the processing nodes from an inventory and creating a job for scanning the processing nodes of the first set for security vulnerability. The job includes the identification information. The method further includes verifying the inventory to determine the first identifying information of the first set of processing nodes for removal from the job and loading the job having second identifying information for a second set of processing nodes that remain after the verifying operation.04-11-2013
20130097708SYSTEM AND METHOD FOR TRANSITIONING TO A WHITELIST MODE DURING A MALWARE ATTACK IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes receiving a signal to enable a whitelist mode on a host in a network, terminating a process executing on the host if the process is not verified, and blocking execution of software objects on the host if the software objects are not represented on the whitelist. In more particular embodiments, the method also includes identifying the process on a process list that enumerates one or more processes executing on the host. Yet further embodiments include quarantining the host if a second process on the process list is a critical process and if the second process is not verified. More specific embodiments include identifying and restarting another process on the process list if process memory was modified.04-18-2013
20130097710MOBILE RISK ASSESSMENT - At least one available wireless access point is identified at a particular location and a connection is established with the available wireless access point. Communication is attempted with a trusted endpoint over the wireless access point and the attempted communication with the trusted endpoint over the wireless access point is monitored to assess risk associated with the wireless access point. Results of the assessment, in some instances, can be reported to an access point risk manager and risk associated with future attempts to use the wireless access point can be assessed based at least in part on the reported assessment results.04-18-2013
20130097709USER BEHAVIORAL RISK ASSESSMENT - A predetermined particular behavioral profile is identified associated with at least one particular user of a computing system, the particular behavioral profile identifying expected behavior of the at least one user within the computing system. Activities associated with use of the computing system by the particular user are identified and it is determined whether the identified activities correlate with the particular behavioral profile. Identifying an activity that deviates from the particular behavioral profile beyond a particular threshold triggers a risk event relating to the particular user.04-18-2013
20130179979DETECTING SECURITY VULNERABILITIES IN WEB APPLICATIONS - Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability.07-11-2013
20130097711MOBILE RISK ASSESSMENT - A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried-out at least in part by an endpoint device interfacing with and testing the particular wireless access point.04-18-2013
20130104237Managing Risk Associated With Various Transactions - Systems, methods and consumer-readable media for managing risk associated with various transactions are provided. Such methods may include identifying a consumer-based software application for analysis and classifying the consumer-based software application into a plurality of consumer-facing transactions. Each consumer-facing transaction may be rated according to at least one category or criteria. Further, each rating may be converted into a numeric value. Another aspect of the invention may relate to receiving an identification of a list of threats to each of the consumer-facing transactions. These threats may be categorized into threat categories. The impact of each of the threats may be forecasted. The overall impact of the threats as forecasted may be calculated. Yet another aspect of the invention may relate to receiving an identification of a plurality of threat controls that control at least a portion of the plurality of threats.04-25-2013
20130125239INSIDER THREAT CORRELATION TOOL - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefine rules, however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat.05-16-2013
20130133076WEB VULNERABILITY REPAIR APPARATUS, WEB SERVER, WEB VULNERABILITY REPAIR METHOD, AND PROGRAM - A Web vulnerability repair apparatus (05-23-2013
20130133075FIXING SECURITY VULNERABILITY IN A SOURCE CODE - A computer implemented method for automatically fixing a security vulnerability in a source code is disclosed. The method includes obtaining identification of code that sends tainted data to corresponding sink code in the source code; and automatically fixing the vulnerability by automatically performing code modification which is selected from the group of code modifications consisting of: code motion and code duplication. Also disclosed are computer program product and data processing system.05-23-2013
20130145472Preventing Execution of Task Scheduled Malware - A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval.06-06-2013
20130179978Automated Detection of Flaws and Incompatibility Problems in Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to a target deployment environment. Downgrader code in the application code is identified. Based on an input string, an output string that the downgrader code outputs in response to receiving the input string is identified. One or more sets of illegal string patterns are retrieved. Each of the one or more sets of illegal string patterns is associated with a corresponding deployment environment. The illegal string patterns are string patterns that a downgrader identifies in the information flow for security purposes. A determination is made as to whether the downgrader code is compatible with the target deployment environment based on the one or more sets of illegal string patterns and the output string. An output indicative of the results of the determining is generated.07-11-2013
20100275263Enterprise Information Security Management Software For Prediction Modeling With Interactive Graphs - Various baseline security measurements of assets are collected and calculated by the system. A user creates a what-if scenario by changing one or more baseline security measurements. The system generates interactive, animated graphs that compare the baseline security measurements against the what-if scenario.10-28-2010
20110225656NETWORK SECURITY SERVER SUITABLE FOR UNIFIED COMMUNICATIONS NETWORK - A network security server constituted of: a device detection functionality, the device detection functionality arranged to detect devices on a network on an ongoing basis; a state extraction functionality arranged to read the state of each of the detected devices; an abstraction functionality arranged to translate each of the read states to a common abstract format; a state analysis functionality arranged to compare each of the translated read states with a predetermined database of states; and a session control functionality arranged to control communication of each of the detected devices responsive to the comparison with the predetermined database of states.09-15-2011
20130152205INTERACTIVE ANALYSIS OF A SECURITY SPECIFICATION - Analyzing a security specification. An embodiment can include identifying a downgrader in a computer program under test. Via a processor, testing on the downgrader can be performed in a first level of analysis. Responsive to the downgrader not passing the testing performed in the first level of analysis, a counter example for the downgrader can be automatically synthesized. Further, a test unit can be created for the downgrader using the counter example as an input parameter to the downgrader. The test unit can be executed to perform testing on the downgrader in a second level of analysis. Responsive to the downgrader passing the testing performed in the second level of analysis, a user can be prompted to simplify a model of the downgrader.06-13-2013
20130152204INTERACTIVE ANALYSIS OF A SECURITY SPECIFICATION - Analyzing a security specification. An embodiment can include identifying a downgrader in a computer program under test. Testing on the downgrader can be performed in a first level of analysis. Responsive to the downgrader not passing the testing performed in the first level of analysis, a counter example for the downgrader can be automatically synthesized. Further, a test unit can be created for the downgrader using the counter example as an input parameter to the downgrader. The test unit can be executed to perform testing on the downgrader in a second level of analysis. Responsive to the downgrader passing the testing performed in the second level of analysis, a user can be prompted to simplify a model of the downgrader.06-13-2013
20120260344METHOD AND SYSTEM OF RUNTIME ANALYSIS - A method and a system for detecting one or more security vulnerabilities. The method comprises providing test instructions for an application, such as a web application or a client server application, adding test code to a code segment of the application according to the test instructions, sending at least one message to the application according to the test instructions at runtime thereof, monitoring test information pertaining to at least one reaction of the application to the at least one message during an execution of the test code, performing an analysis of the at least one reaction, and detecting a presence or an absence of at least one security vulnerability according to the analysis.10-11-2012
20100293617METHOD AND APPARATUS FOR AUTOMATIC RISK ASSESSMENT OF A FIREWALL CONFIGURATION - A method and apparatus for Automatic Risk Assessment of a Firewall Configuration facilitates the automatic generation of a risk assessment of a given firewall configuration. The method scans the firewall analyzer report, before the human user does, and flag the Configuration errors. Each found mis-configuration is called a risk item. The report is analyzed according a Knowledge Base of known risk items. The method further filters duplicate risk item which are trigger by different rules11-18-2010
20130139267DETECTING VULNERABILITIES IN WEB APPLICATIONS - A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.05-30-2013
20130205397ADAPTIVE FUZZING SYSTEM FOR WEB SERVICES - Web applications, systems and services, which are prone to cyber-attacks, can utilize an adaptive fuzzing system and methodology to intelligently employ fuzzer technology to test web site pages for vulnerabilities. A breadth first search and minimal fuzzing testing is performed on identified pages of a web site looking for either a vulnerability or the potential for a vulnerability. Heuristics are gathered and/or generated on each tested web page to determine a vulnerability score for the page that is an indication of the page's potential for hosting a vulnerability. When a page is discovered with a vulnerability score that indicates the page has the potential for a vulnerability a depth first search and expanded fuzzing testing is performed on one or more branches of the web site that begin with the page with the potential vulnerability.08-08-2013
20130160130APPLICATION SECURITY TESTING - In one implementation, an attack surface identification system defines an interface description of an application during execution of the application. The interface description is then provided to a scanner.06-20-2013
20130160131APPLICATION SECURITY TESTING - In one implementation, an application security system accesses an attack description and a data set from an application. The data set based on an attack data set. The application security system correlates the data set with the attack description, and reports a security vulnerability for the application if the data set satisfies the attack description.06-20-2013
20130160129SYSTEM SECURITY EVALUATION - A computing device may receive external activity data corresponding to a target system. The external activity data may include information corresponding to network-side information relating to the target system. The computing device may identify suspicious external activity, corresponding to the external activity data, based on an activity watchlist. The activity watchlist may include information corresponding to external activity systems associated with known sources of malicious activity. The computing device may generate a system security report based on the suspicious external activity identified.06-20-2013
20110307957Method and System for Managing and Monitoring Continuous Improvement in Detection of Compliance Violations - A computer implemented method, data processing system, and computer program product is provided for using compliance violation risk data about an entity to enable an identity management system to dynamically adjust the frequency in which the identity management system performs a reconciliation and compliance check of an identity account associated with the entity. Data associated with an identity account is collected, wherein the data comprises at least one of compliance data, prior compliance violations, or personal data about an entity associated with the identity account. One or more risk factors for the identity account based on the collected data are determined. A risk score of the identity account is calculated based on the determined risk factors. The identity account is then audited with a frequency according to the risk score assigned to the identity account.12-15-2011
20110314549METHOD AND APPARATUS FOR PERIODIC CONTEXT-AWARE AUTHENTICATION - A method for authenticating access to an electronic document. The method includes identifying a context event associated with a user seeking access to the electronic document, receiving from the user a plurality of context data, and analyzing the plurality of context data to generate a one or more derived context data. The method may also include receiving from an authentication module a context request, and in response to the context request, generating a context report, wherein the context report includes at least the one or more derived context data, and is configured to enable the authentication module to authenticate the user's access to the electronic document using a first authentication mechanism. The method may also include communicating the context report to the authentication module, monitoring the user to identify an occurrence of the context event, and upon identifying the occurrence of the context event, generating a context event flag, the context event flag configured to inform the authentication module to reauthenticate the user's access to the electronic document.12-22-2011
20110321166System and Method for Identifying Unauthorized Activities on a Computer System Using a Data Structure Model - A computer implemented method includes monitoring activity on the virtual machine. A plurality of activities being performed at the virtual machine is identified. Each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target. The activity sources, activity targets, and associations are stored in the memory. A fingerprint indicative of the activity on the virtual machine is created from the stored activities. The fingerprint is transmitted to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint.12-29-2011
20110321165System and Method for Sampling Forensic Data of Unauthorized Activities Using Executability States - A method includes receiving a list of target addresses, locating a first page table entry corresponding to the first page, and determining the first executability state. When the first executability state is non-executable, a first set of one or more target addresses that correspond to the first page, and a second set of one or more target addresses that correspond to one or more pages other than the first page are identified. One or more target addresses are stored in breakpoint registers of the computer system. The first executability state of the first page table entry is set as executable, and the executability states of page table entries that correspond to the second set of target addresses are set as non-executable. When the first address matches one of the target addresses stored in the breakpoint registers, forensic data is recorded.12-29-2011
20110321164METHOD AND SYSTEM FOR ADAPTIVE VULNERABILITY SCANNING OF AN APPLICATION - A method and system for adaptive vulnerability scanning (AVS) of an application is provided. The adaptive vulnerability scanning of an application assists in identifying new vulnerabilities dynamically. The endpoints of an application are scanned using a predefined set of rules. Subsequently, one or more possible vulnerabilities are presented. The vulnerabilities are analyzed and predefined rules are modified. The steps of scanning the application and modification of rules are iteratively repeated till the adaptive vulnerability scanning capability is achieved. A neural network is used for training the adaptive vulnerability scanner. This neural network is made to learn some rules based on predefined set of rules while undergoing the training phase. At least one weight in neural networks is altered while imparting the self learning capability.12-29-2011
20130191921SECURITY STATUS AND INFORMATION DISPLAY SYSTEM - Systems and methods disclosed herein provide a local security component on a mobile device that may acquire data concerning a current configuration of the mobile device. The local security component may receive raw or partially processed data about events on the mobile device. The received data may be processed against a database containing identification data for security threats and against the current mobile device configuration data to assess a security state of the mobile device. The processing may include assigning a severity level for each event. The local security component may output to the mobile device the security state assessment results, including a first assessed security state of the mobile device. The raw or partially processed data about events on the mobile device may be transmitted to a server for processing. A second assessed security state of the mobile device may be received at the mobile device from the server.07-25-2013
20130191919CALCULATING QUANTITATIVE ASSET RISK - A standardized vulnerability score is identified for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative other vulnerabilities. A vulnerability detection score is determined that indicates an estimated probability that a particular asset possess the particular vulnerability and a vulnerability composite score is determined for the particular asset to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score is identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability is determined from the vulnerability composite score and the countermeasure component score. In some instances, aggregate risk scores can be calculated from a plurality of calculated risk metrics.07-25-2013
20130191920DYNAMICALLY SCANNING A WEB APPLICATION THROUGH USE OF WEB TRAFFIC INFORMATION - Collecting log file data from at least one log file. From the collected log file data, at least one HTTP request can be generated to exercise a web application to perform a security analysis of the web application. The HTTP request can be communicated to the web application. At least one HTTP response to the HTTP request can be received. The HTTP response can be analyzed to perform validation of the web application. Results of the validation can be output.07-25-2013
20120011590SYSTEMS, METHODS AND DEVICES FOR PROVIDING SITUATIONAL AWARENESS, MITIGATION, RISK ANALYSIS OF ASSETS, APPLICATIONS AND INFRASTRUCTURE IN THE INTERNET AND CLOUD - The present invention determines a situational awareness for alerting, mitigating error, distortion or failures, and managing the Internet (or equally component intranets), connected networks and cloud infrastructure. Specifically, this invention focuses on determining who originates messages, from what system, and the path taken, thereby analyzing the reputation of all the nodes and links through which data passes.01-12-2012
20120030767SYSTEM AND METHOD FOR PERFORMING THREAT ASSESSMENTS USING SITUATIONAL AWARENESS - Systems, methods, and computer program products are provided for performing threat assessments. In one exemplary embodiment, the method may include generating one or more patterns of behavior corresponding to a security breach at a first company, and storing the generated one or more patterns in a pattern repository. In addition, the method may include comparing at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the behavior corresponding to the security breach. The method may also include processing at least one pattern of the one or more patterns with one or more standardized log files for a second company to identify log entries of the second company that indicate a possible security breach at the second company.02-02-2012
20130198845MONITORING A WIRELESS NETWORK FOR A DISTRIBUTED DENIAL OF SERVICE ATTACK - An integrated circuit for monitoring a wireless network. The integrated circuit comprises a hardware interface configured to receive and access data packets transmitted over the wireless network; a programmable hardware accelerator configured to extract pertinent information from the data packets, the pertinent information for use in determining whether the wireless network is under a distributed denial of service (DDOS) attack; and a multi-core processor configured to receive the pertinent information and to determine whether the wireless network is under a DDOS attack based at least in part on the pertinent information provided by the programmable hardware.08-01-2013
20130198846Software Service to Facilitate Organizational Testing of Employees to Determine Their Potential Susceptibility to Phishing Scams - A software system and service for facilitating organizational testing of employees in order to determine their potential susceptibility to phishing scams is disclosed to evaluate their susceptibility to e-mail and Internet cybercrimes such as phishing. The e-mail addresses of a client organization's employees are provided to the system, a phishing e-mail is created and customized, and a phishing e-mail campaign in which the phishing e-mail message is sent and the responses to the phishing e-mail is monitored, and the results of the e-mail campaign are provided for evaluation. The phishing e-mail may optionally contain attachments and various types of probes and “call home” mechanisms.08-01-2013
20130198847METHODS AND SYSTEMS FOR CYBER-PHYSICAL SECURITY MODELING, SIMULATION AND ARCHITECTURE FOR THE SMART GRID - A computer-implemented method for use in evaluating at least one threat to a complex system includes identifying one or more physical components of the complex system and modeling the one or more physical components with interactive software multi-agents. The multi-agents are programmed to monitor and control at least one function of the modeled physical components. One or more threats to a target of the complex system are identified. Each threat is defined as a cyber threat or physical threat and the target is defined as a cyber component or physical component. The method includes simulating an attack on the complex system by the identified threat and assessing an impact of the attack on the complex system.08-01-2013
20130198848REMEDIATION OF COMPUTER SECURITY VULNERABILITIES - A computer security vulnerability remediation system (CSVRS) is disclosed, including a CSVRS client communicatively coupled to a remediation server through a network. The CSVRS client includes software having a security vulnerability, which vulnerability may be known to malicious actors who develop an exploit. In some cases, the exploit is a “zero-day exploit,” meaning the vulnerability may not be known to the CSVRS client until the exploit is deployed. A RSP receives information about the exploit and vulnerability from a team of remediation experts. The RSP may prepare a remedial exploit, which carries a self-healing pay load. The remedial exploit may be delivered either through the vulnerability itself, or through credentials granted by the CSVRS client to the RSP. The self-healing pay-load takes appropriate action, such as closing ports or disabling scripts, to prevent the vulnerability from being further exploited.08-01-2013
20130104236PERVASIVE, DOMAIN AND SITUATIONAL-AWARE, ADAPTIVE, AUTOMATED, AND COORDINATED ANALYSIS AND CONTROL OF ENTERPRISE-WIDE COMPUTERS, NETWORKS, AND APPLICATIONS FOR MITIGATION OF BUSINESS AND OPERATIONAL RISKS AND ENHANCEMENT OF CYBER SECURITY - Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform.04-25-2013
20120060221Prioritizing Malicious Website Detection - A computer implemented method includes identifying a universal resource locator and characterizing a traffic pattern associated with the universal resource locator. The traffic pattern can include referrer information, referring information, advertising network relationship information, and any combination thereof. The method can further include classifying the universal resource locator into a risk category based on the traffic pattern.03-08-2012
20130205399AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING - Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.08-08-2013
20130205398AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING - Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.08-08-2013
20120072991METHODS AND SYSTEMS FOR RATING PRIVACY RISK OF APPLICATIONS FOR SMART PHONES AND OTHER MOBILE PLATFORMS - Methods and systems for evaluating and rating privacy risks posed by applications intended for deployment on mobile platforms. Validating the “intent” of a mobile platform application vis-à-vis its impact on user privacy, as viewed from an end-user's perspective allows those end-users to make better-informed decisions concerning the downloading, installation and/or operation of mobile platform applications. In making such assessments user preferences can be taken into account. Privacy scores are provided through sales channels for the applications, thereby affording potential users the opportunity to assess whether they wish to incur the associated privacy risk, before purchasing a subject application.03-22-2012
20130091578SYSTEM AND A METHOD FOR AUTOMATICALLY DETECTING SECURITY VULNERABILITIES IN CLIENT-SERVER APPLICATIONS - A method for automatically detecting security vulnerabilities in a client-server application where a client is connected to a server. The method is implemented by a computer having a processor and a software program stored on a non-transitory computer readable medium. The method includes automatically extracting, with the software program at the client, a description of one or more validation checks on inputs performed by the client. The method also includes analyzing the server, with the software program by using the one or more validation checks on inputs performed by the client, to determine whether the server is not performing validation checks that the server must be performing. The method further includes determining that security vulnerabilities in the client-server application exist when the server is not performing validation checks that the server must be performing. A method further proposes preventing parameter tampering attacks on a running client-server application by enforcing the one or more validation checks on inputs performed by the client on each input that is submitted to the server.04-11-2013
20120096557VARIABLE RISK ENGINE - The invention provides systems and methods for risk assessment using a variable risk engine. A method for risk assessment may comprise setting an amount of real-time risk analysis for an online transaction, performing the amount of real-time risk analysis based on the set amount, and performing an amount of time-delayed risk analysis. In some embodiments, the amount of real-time risk analysis may depend on a predetermined period of time for completion of the real-time risk analysis. In other embodiments, the amount of real-time risk analysis may depend on selected tests to be completed during the real-time risk analysis.04-19-2012
20130212682AUTOMATIC DISCOVERY OF SYSTEM INTEGRITY EXPOSURES IN SYSTEM CODE - A technique is provided for detecting vulnerabilities in system code on a computer. Supervisor call routines and program call routines of the system code are analyzed to determine which are available to a caller program that is an unauthorized program and has a PSW key 08-15-2013
20130212683Systems and Methods for Managing Data Incidents - Systems and methods for managing a data incident are provided herein. Exemplary methods may include receiving data breach data that comprises information corresponding to the data breach, automatically generating a risk assessment from a comparison of data breach data to privacy rules, the privacy rules comprising at least one federal rule and at least one state rule, each of the rules defining requirements associated with data breach notification laws, and providing the risk assessment to a display device that selectively couples with the risk assessment server.08-15-2013
20130212684Detecting Application Harmful Behavior and Grading Application Risks for Mobile Devices - In one embodiment, a method determines a permission list from an application and generates a set of potential behaviors. The potential behaviors are associated with actions that the application allows when executing on a mobile device where the potential behaviors are determined without execution of the application. The method then determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application. A required behavior list is generated including a set of required behaviors from the functional category information and the application description information. The method compares the required behaviors to the potential behaviors to determine a set of security related behaviors. The security related behaviors are behaviors found in the potential behaviors, but not in the required behaviors. A security rating is determined based on the set of security related behaviors.08-15-2013
20130212685NETWORk THREAT RISK ASSESSMENT TOOL - A method, system and computer program product is disclosed that provides timely, accurate and summarized information about possible threats to information technology environments. It is a tool that looks at multiple aspects of an IT threat, including both specific (traditional) IT threats and general (non-traditional) IT threats, and rates each threat's overall potential to do harm. A matrix is created that identifies a “threat score” to allow prioritization and reaction to the threats. The matrix takes both traditional IT threats and non-traditional IT threats and normalizes them on the same scale, giving users of the matrix the ability to understand the risks of both.08-15-2013

Patent applications in class Vulnerability assessment