Entries

Document | Title | Date |
--- | --- | --- |
20080201780 | Risk-Based Vulnerability Assessment, Remediation and Network Access Protection - A system administrator may define a vulnerability and vulnerability setting for the client machine and may associate a level of risk with the vulnerability. The client may assess the level of risk associated with the vulnerability setting on the client machine and may report data regarding the level of risk to the system administrator. | 08-21-2008 |
20080209563 | Runtime Security and Exception Handler Protection - In various embodiments, redirection techniques can be utilized to protect against insecure functionality, to mitigate scripting vulnerabilities, and to protect vulnerable exception handlers. In at least some embodiments, a program can be protected from a security vulnerability by using a runtime shield which changes the behavior of the program while it is running. The shield effectively provides a redirection solution that addresses the vulnerability while, at the same time, does not alter the particular program's executable code. | 08-28-2008 |
20080209564 | Security protection for a customer programmable platform - A method of preventing a customer programmable device from causing security threats to itself or to a communication system is provided. The method includes establishing one or more thresholds by programming or configuring of the device, detecting whether one or more of the thresholds have been exceeded using one or more detection mechanisms, and taking action in response to each threshold that has been exceeded. | 08-28-2008 |
20080209566 | Method and System For Network Vulnerability Assessment - The present invention relates to a simultaneous system for finding and assessing vulnerabilities in a network, which comprises: A. A mapping unit for: (a) scanning the network, and each time a new element is found, reporting its IP address to a profiling unit; (b) sequentially receiving from the profiling unit profile records of said newly found elements; (c) sequentially extracting tables from those elements whose profile record indicates that they are of the network equipment type; and (d) sequentially reporting to a modeling and simulating unit topology records which include said found IPs, and for those elements being of a network equipment type, said topology records also include said extracted tables; B. A profiling unit for sequentially receiving IP addresses of network elements from the mapping unit, investigating each of said elements, forming a profile record for each of said elements, and sequentially transferring said profile records to both the mapping unit and to a vulnerability assessment unit; C. A vulnerability assessment unit for: (a) sequentially receiving profile records from the profiling unit; (b) determining a list of those vulnerability tests that have to be performed on each element; (c) performing for each element those vulnerability tests that are included in its corresponding list, and determining for each test a passed or failed result; and (d) sequentially reporting to a modeling and simulation unit, for each performed test, the IP of the element, the identity code of the element, and the passed or failed result; and D. A modeling and simulation unit for: (a) sequentially receiving topology records from the mapping unit, and each time a topology record is received, adding or subtracting respectively the corresponding element from a model of the network which is maintained at the modeling and simulation unit; (b) sequentially receiving from the vulnerability assessment unit vulnerability test (VT) results; and (c) sequentially analyzing the model currently existing at the modeling and simulation unit for the possibility of exploiting vulnerabilities of the network. | 08-28-2008 |
20080209567 | ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS - Security assessment and vulnerability testing of software applications is performed based at least in part on application metadata in order to determine an appropriate assurance level and associated test plan that includes multiple types of analysis. Steps from each test are combined into a “custom” or “application-specific” workflow, and the results of each test may then be correlated with other results to identify potential vulnerabilities and/or faults. | 08-28-2008 |
20080222730 | Network service monitoring - Network devices, systems, and methods are described that perform network service monitoring. One method includes examining a number of packets received by a first network device to determine whether a protocol of a packet corresponds to a given network service, forwarding an event to a second network device in response to a determination that the protocol of the packet corresponds to the network service, determining whether the network service is an authorized service by comparing the network service to a list of network services, and executing a remedial action in response to a determination that the network service is an unauthorized service. | 09-11-2008 |
20080222731 | Network security modeling system and method - A network security modeling system which simulates a network and analyzes security vulnerabilities of the network. The system includes a simulator which includes a network vulnerabilities database and a network configuration module having network configuration data. The simulator determines vulnerabilities of the simulated network based on the network configuration data and the vulnerabilities database. | 09-11-2008 |
20080229420 | Predictive Assessment of Network Risks - In certain implementations, systems and methods for predicting technology vulnerabilities in a network of computer devices are based on software characteristics of processes executing at the computer devices. In one preferred implementation, the system identifies processes at various computing devices within an organization, identifies software characteristics associated with the processes, applies technology controls to the software characteristics, determines risk indexes based on the modified technology control, applies administrative controls to the risk indexes, aggregates the indexes to create a risk model, determines alternative risk models, and presents the risk models for consideration and analysis by a user. | 09-18-2008 |
20080229421 | Adaptive data collection for root-cause analysis and intrusion detection - Endpoints in an enterprise security environment are configured to adaptively switch from their normal data collection mode to a long-term, detailed data collection mode where advanced analyses are applied to the collected detailed data. Such adaptive data collection and analysis is triggered upon the receipt of a security assessment of a particular type, where a security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information (i.e., data in some context) that is collected about an object of interest. A specialized endpoint is coupled to the security assessment channel and performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to detected security incidents in the environment. The specialized endpoint is arranged to perform various analyses and processes on historical security assessments. | 09-18-2008 |
20080229422 | Enterprise security assessment sharing - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Its tentative nature is reflected in two of its components: a fidelity field used to express the level of confidence in the assessment, and a time-to-live field for an estimated time period for which the assessment is valid. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to security threats. | 09-18-2008 |
20080229423 | PROBABILISTIC MECHANISM TO DETERMINE LEVEL OF SECURITY FOR A SOFTWARE PACKAGE - A mechanism for determining a probabilistic security score for a software package is provided. The mechanism calculates a raw numerical score that is probabilistically linked to how many security vulnerabilities are present in the source code. The score may then be used to assign a security rating that can be used in either absolute form or comparative form. The mechanism uses a source code analysis tool to determine a number of critical vulnerabilities, a number of serious vulnerabilities, and a number of inconsequential vulnerabilities. The mechanism may then determine a score based on the numbers of vulnerabilities and the number of lines of code. | 09-18-2008 |
20080235801 | Combining assessment models and client targeting to identify network security vulnerabilities - Described is a technology for managing network security by having network clients that are capable of self-assessment assess themselves for security risks and/or security vulnerabilities. Other clients may be remotely assessed for security risks and/or security vulnerabilities. Assessments may include antimalware scans, vulnerability assessment, and/or port scans. The results of the self-assessments and remote assessments are combined into a data set (e.g., a view) indicative of the network security state. In this manner, for example, significant network resources are conserved by allowing those clients capable of self-assessment to assess themselves and thereafter only provide their self-assessment results. Clients capable of self-assessment may also be remotely assessed, to determine whether any discrepancies exist between their remote assessments and self-assessments. Clients may be discovered, along with their self-assessment capabilities, by network communication. | 09-25-2008 |
20080244746 | RUN-TIME REMEASUREMENT ON A TRUSTED PLATFORM - A method and system are disclosed. In one embodiment, the method includes invoking a run-time measurement agent (RTMA) to run on a trusted platform, the RTMA measuring a core system code block multiple times after a single boot on the trusted platform; and a trusted platform module storing these multiple measurements. | 10-02-2008 |
20080244747 | Network context triggers for activating virtualized computer applications - A computer system, comprising at least one controlled execution space hosting an operating system and an application program; a vulnerability monitoring agent coupled to the controlled execution space; one or more vulnerability profiles coupled to the vulnerability monitoring agent, wherein each of the vulnerability profiles comprises an application program identifier, an operating system identifier, a vulnerability specification describing a vulnerability of an application program that the application program identifier indicates when executed with an operating system that the operating system identifier indicates, and a remedial action which when executed will remediate the vulnerability; wherein the vulnerability monitoring agent is configured to monitor execution of the operating system and the application program in the controlled execution space, to detect an anomaly associated with the vulnerability, to determine the remedial action for the operating system and application program based on one of the vulnerability profiles, and to cause the remedial action. | 10-02-2008 |
20080244748 | Detecting compromised computers by correlating reputation data with web access logs - Compromised host computers in an enterprise network environment comprising a plurality of security products called endpoints are detected in an automated manner by an arrangement in which a reputation service provides updates to identify resources including website URIs (Universal Resource Identifiers) and IP addresses (collectively “resources”) whose reputations have changed and represent potential threats or adversaries to the enterprise network. Responsively to the updates, a malware analyzer, which can be configured as a standalone endpoint, or incorporated into an endpoint having anti-virus/malware detection capability, or incorporated into the reputation service, will analyze logs maintained by another endpoint (typically a firewall, router, proxy server, or gateway) to identify, in a retroactive manner over some predetermined time window, those client computers in the environment that had any past communications with a resource that is newly categorized by the reputation service as malicious. Every client computer so identified is likely to be compromised. | 10-02-2008 |
20080244749 | INTEGRATED CIRCUITS INCLUDING REVERSE ENGINEERING DETECTION USING DIFFERENCES IN SIGNALS - An active shield can be configured to receive a test signal, and configured to output a plurality of shield signals, derived from the test signal, via a plurality of signal paths. A compare logic can be configured to compare the test signal with each of the plurality of shield signals to provide at least two comparison signals indicating comparison results and can be configured to output the at least two comparison signals. A detection and decision logic can be configured to determine whether the active shield is subject to attack based on patterns of the at least two comparison signals. | 10-02-2008 |
20080256637 | Computer System and Security Reinforcing Method Thereof - The present invention provides a computer system for carrying out security reinforcing and a security reinforcing method. The computer system comprises hardware, a BIOS, and a virtual machine monitor, and has at least one servo operating system and at least one user operating system running thereon, wherein the servo operating system comprises a security reinforcing proxy module, and the user operating system comprises a security reinforcing module. With the present invention, it is possible to prevent the security reinforcing function from being tampered with through the fragility of the user operating system, to avoid hacker attacks which cannot be avoided in the case of regular or manual security reinforcing, and also to ensure better security defense of the computer system and the security of the downloaded security reinforcing files themselves. | 10-16-2008 |
20080256638 | SYSTEM AND METHOD FOR PROVIDING NETWORK PENETRATION TESTING - A system and method for providing network penetration testing from an end-user computer is provided. The method includes the step of determining at least one of a version of a Web browser of a target computer, contact information associated with an end-user that uses the target computer, and applications running on the target computer. The method also includes the steps of determining exploits that are associated with the running applications and that can be used to compromise the target computer, and launching the exploits to compromise the target computer. Network penetration testing may also be provided by performing the steps of determining an operating system of a target computer, selecting one of a group of modules to use in detecting services of the target computer, and detecting the services of the target computer. | 10-16-2008 |
20080263671 | System and Method for Providing Application Penetration Testing - A system and method provide application penetration testing. The system contains logic configured to find at least one vulnerability in the application so as to gain access to data associated with the application, logic configured to confirm the vulnerability and determine if the application can be compromised, and logic configured to compromise and analyze the application by extracting or manipulating data from a database associated with the application. In addition, the method provides for penetration testing of a target by: receiving at least one confirmed vulnerability of the target; receiving a method for compromising the confirmed vulnerability of the target; installing a network agent on the target in accordance with the method, wherein the network agent allows a penetration tester to execute arbitrary operating system commands on the target; and executing the arbitrary operating system commands on the target to analyze risk to which the target may be exposed. | 10-23-2008 |
20080271150 | SECURITY BASED ON NETWORK ENVIRONMENT - A method comprises assessing a network environment in which an electronic device is present and implementing a security feature based on the assessment of the network environment. Assessing the network environment comprises identifying other network entities on a network to which the electronic device is coupled. | 10-30-2008 |
20080271151 | Method and system for morphing honeypot with computer security incident correlation - A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. The morphing honeypot can also be integrated with intrusion detection systems and other types of computer security incident recognition systems to correlate its personality with detected nefarious activities. | 10-30-2008 |
20080276320 | Byte-distribution analysis of file security - A method for scanning files for security, including receiving an unfamiliar file for scanning and, if its MIME type is determined to be suitable for analysis, processing a buffer of file data from the unfamiliar file, including generating a histogram of frequencies of occurrence of bytes within a buffer of file data from the unfamiliar file, excluding a designated set of bytes, and if the generated histogram of frequencies of occurrence of the non-excluded bytes deviates substantially from a reference distribution, then signaling that the unfamiliar file is potentially malicious. A system and a computer-readable storage medium are also described and claimed. | 11-06-2008 |
20080282352 | Modification of Messages for Analyzing the Security of Communication Protocols and Channels - A system is used to analyze the implementation of a protocol by a device-under-analysis (DUA). The system includes a source endpoint, a destination endpoint (the DUA), and a message generator. The source endpoint generates an original message and attempts to send it to the DUA. The original message is intercepted by the message generator, which generates a replacement message. The replacement message is then sent to the DUA instead of the original message. The replacement message is deliberately improper so as to analyze the DUA's implementation of the protocol. The message generator includes a structure recognition system and a mutation system. The structure recognition system determines the underlying structure and/or semantics of a message. After the structure recognition system has determined the structure, it creates a description of the structure (a structure description). The mutation system modifies the message based on the structure description to generate a replacement message. | 11-13-2008 |
20080289043 | Network risk analysis - Analyzing security risk in a computer network includes receiving an event associated with a selected object in the computer network, and determining an object risk level for the selected object based at least in part on an event risk level of the event received, wherein the event risk level accounts for intrinsic risk that depends at least in part on the event that is received and source risk that depends at least in part on a source from which the event originated. | 11-20-2008 |
20080295178 | Indicating SQL injection attack vulnerability with a stored value | 11-27-2008 |
20080301813 | Testing Software Applications with Schema-based Fuzzing - Systems and methods to test software applications with schema-based fuzzing are described. In one aspect, the systems and methods automatically generate valid input data for a software application according to a fuzzing data schema. The fuzzing data schema describes characteristics of a data format that would be proper or well formed for input into the software application. The systems and methods mutate the valid input data with one or more fuzzing algorithms to generate corrupted versions, or malformed data. The malformed data is for fuzz testing the software application to identify any security vulnerabilities. | 12-04-2008 |
20080301814 | Information processing apparatus, information processing method, and computer-readable recording medium storing information processing program - An information processing apparatus is disclosed. The information processing apparatus includes a table which describes a relationship between security strength (for example, HIGH, MIDDLE, or LOW) of a computer system of the information processing apparatus and values (for example, ON or OFF) of security function items that stipulate security functions in the information processing apparatus. When a user designates to change the security strength on a screen, the values of the security function items are changed based on the changed security strength. The changed values of the security function items are reported to the user on another screen. | 12-04-2008 |
20080313739 | System Test and Evaluation Automation Modules - Methods are provided for providing uniform and repeatable information security (INFOSEC) assessments. In the embodiments, a security assessor interacts with a system test evaluation and automation module (S.T.E.A.M.) to perform an INFOSEC assessment on a computer system. S.T.E.A.M. generates reports and checklists to help determine whether the computer system being assessed is compliant with one or more INFOSEC requirements. Additionally, S.T.E.A.M. generates reports and checklists that assist the INFOSEC assessor in determining the most important, and most vulnerable data on the computer system. | 12-18-2008 |
20090007269 | USING IMPORTED DATA FROM SECURITY TOOLS - A device may create a new project that includes criteria, import findings from a group of different network security tools into the new project based on the criteria, normalize the imported findings, and store the normalized findings. | 01-01-2009 |
20090007270 | SYSTEM AND METHOD FOR SIMULATING COMPUTER NETWORK ATTACKS - The present invention provides a system and method for providing computer network attack simulation. The method includes the steps of: receiving a network configuration and setup description; simulating the network configuration based on the received network configuration; receiving at least one confirmed vulnerability of at least one computer, machine, or network device in the simulated network; receiving a method for compromising the confirmed vulnerability of the at least one computer, machine, or network device; and virtually installing a network agent on the at least one computer, machine, or network device, wherein the network agent allows a penetration tester to execute arbitrary operating system calls on the at least one computer, machine, or network device. | 01-01-2009 |
20090013410 | DISTRIBUTED THREAT MANAGEMENT - A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur. | 01-08-2009 |
20090019547 | Method and computer program product for identifying or managing vulnerabilities within a data processing network - Provided are methods, apparatus and computer programs for identifying vulnerabilities to viruses or hacking. Hash values are computed and stored for resources stored on systems within a network. If a first resource or a collection of resources (such as files comprising an operating system, Web browser or mail server) is associated with a vulnerability, hash values for the first resource or collection of resources are compared with the stored hash values to identify systems which have the vulnerability. Messages may be sent to the people responsible for the vulnerable systems, or the vulnerability may be removed by automatic downloading of patches or service packs. | 01-15-2009 |
20090025084 | FRAUD DETECTION FILTER - A fraud detection filter installed in an application server including a secure application is disclosed. In one embodiment, the filter includes a rules engine for receiving request data representing an access request for the secure application from a user. The engine applies at least one risk condition rule to the request data to generate a risk probability level, and detects at least one fraud condition when the risk probability level exceeds a threshold level, before passing the access request to the secure application. | 01-22-2009 |
20090038013 | WIRELESS COMMUNICATION SECURITY WHEN USING KNOWN LINK KEYS - The present system may enhance security in a device having a wireless interface while it is operating in a mode that may make it more vulnerable to predatory attacks. More specifically, the advent of certain development or support operating modes supported by particular wireless communication mediums, such as debug modes that allow other wireless devices to monitor messages coming and going from a wireless device for diagnostic purposes, may leave devices overly accessible while operating in such a mode. As a result, additional security measures are required in order to determine if a vulnerable mode should be enabled on a device, and further, whether another device should be allowed to establish a communication to a device operating in this mode. | 02-05-2009 |
20090038014 | System and method for tracking remediation of security vulnerabilities - A method of tracking remediation of security vulnerabilities includes a step of providing a global list of network devices within a computer network, wherein each network device of the global list is identified with dynamically assigned identifying information. The method also includes a step of scanning each network device of the global list for at least one security vulnerability. The method also includes a step of creating a vulnerability list of network devices having the at least one security vulnerability, wherein the vulnerability list is a subset of the global list and contains fewer network devices than the global list. Each network device of the vulnerability list is identified with identifying information. The method also includes steps of updating the dynamically assigned identifying information associated with the network devices of the vulnerability list and rescanning each network device of the updated vulnerability list to determine if the vulnerability has been remediated. | 02-05-2009 |
20090038015 | Automatic detection of vulnerability exploits - An embodiment of the invention provides an apparatus and method for automatic detection of a vulnerability exploit. The apparatus and method are configured to post a security vulnerability warning indicating a vulnerability of software; provide an exploit detector; and use the exploit detector to detect an attempted exploit that targets the vulnerability. | 02-05-2009 |
20090044277 | Non-invasive monitoring of the effectiveness of electronic security services - Systems for the non-invasive monitoring of the effectiveness of a customer's electronic security services include a test generation engine for generating and launching a denatured attack towards a customer's network. A monitoring and evaluation agent is operatively coupled to the test generation engine and is adapted to monitor and evaluate the denatured attack. A recording and analysis engine is adapted to record and analyze the results of the denatured attack. Other systems and methods are also provided. | 02-12-2009 |
20090049553 | Knowledge-Based and Collaborative System for Security Assessment of Web Applications - A standardized system for assessing the security of web based applications which has a component for collecting information regarding threats and vulnerabilities to web applications is described. The system includes a component for organizing the information regarding threats and vulnerabilities to web applications into a uniform language so that the information is integrated throughout the entirety of the system. Further, the system has a component for expressing the information in a structured and uniform format of a hierarchical relationship between threats and vulnerabilities which includes threat vulnerability trees. The system includes a component for rating the threats and vulnerabilities under a uniform rating system. The system includes a component for integrating the information into both a storage component and also a presentation component for presenting the information. The presentation component presents the information in a graphical format which visually demonstrates the relationships between the threats and the vulnerabilities. | 02-19-2009 |
20090055931 | DEVICE AND METHOD FOR DETECTING VULNERABILITY OF WEB SERVER USING MULTIPLE SEARCH ENGINES - Provided are a web server vulnerability detecting device and method which detect vulnerability of a plurality of high-performance web servers in real-time using a plurality of search engines simultaneously and automatically provide the updated detailed information on detected vulnerability. The device includes: a web server examination module for requesting a plurality of different search engines to examine a file with a likelihood of vulnerability, in response to an input search word, and receiving from the search engines URLs of web servers on which the file with a likelihood of vulnerability is located; an optimal information collection module for optimizing the URLs of the web servers received from the search engines to obtain optimal information; a web server vulnerability detecting module for detecting vulnerability of a web server corresponding to the optimal information; and a vulnerability information collection module for collecting and providing the latest detailed information on the detected vulnerability. | 02-26-2009 |
20090064337 | METHOD AND APPARATUS FOR PREVENTING WEB PAGE ATTACKS - A method and apparatus for preventing web page attacks are disclosed. Specifically, one embodiment of the present invention sets forth a method, which includes the steps of examining an object property from a web page requested by a client computer in real-time before the client computer receives the web page, assessing a collective risk level associated with the web page causing harm to the client computer based on the result of examining the object property, and performing an action with regards to the web page according to the collective risk level. | 03-05-2009 |
20090070880 | METHODS AND APPARATUS FOR VALIDATING NETWORK ALARMS - Methods and apparatus for validating network alarms, such as alarms from an Intrusion Detection System (IDS). The methods and apparatus validate network threats or alarms by receiving a detected network alarm indicating potentially harmful network activity where the alarm including an alarm destination and an alarm type and obtaining port information of a host targeted by the alarm based on the alarm destination and alarm type. Additionally, a determination is made whether the port at the host is vulnerable to the network alarm based on the obtained port information and the alarm type, and a priority value is assigned to the alarm based at least on the determination of whether the port is vulnerable to the particular network alarm in order to assess validity of the network threat that has triggered the alarm. | 03-12-2009 |
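The validation step described above (look up what is listening on the targeted host and port, decide whether that service is exposed to the alarm type, then assign a priority) as an added example in Python. This is not code from the patent: the port inventory, the alarm-type-to-service mapping, the sample alarms and the four-level priority scale are all constructed for illustration.

```python
"""IDS alarm validation against a host port inventory.

Added example, not code from the patent: the alarm type names the service it
targets, the targeted host's port inventory says what is really listening,
and the two together decide the alarm's priority. Inventory, alarm types and
alarms below are constructed sample data; the priority scale is this
example's own choice.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Alarm:
    src: str
    dst: str
    dst_port: int
    alarm_type: str


# Constructed inventory: (host, port) -> (service, version) actually listening.
PORT_INVENTORY: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("10.0.0.5", 445): ("smb", "1.0"),
    ("10.0.0.5", 22): ("ssh", "7.4"),
    ("10.0.0.9", 80): ("http", "apache-2.4.6"),
    ("10.0.0.12", 80): ("http", "nginx-1.14"),
}

# Constructed mapping: alarm type -> (service it targets, vulnerable versions).
# None for the version set means every version of that service is affected.
ALARM_VULN_MAP: Dict[str, Tuple[str, Optional[Set[str]]]] = {
    "SMB_EXPLOIT_ATTEMPT": ("smb", {"1.0"}),
    "SSH_BRUTE_FORCE": ("ssh", None),
    "HTTP_DIR_TRAVERSAL": ("http", {"apache-2.4.6"}),
}

PRIORITY_UNKNOWN = 0   # alarm type not in the map: cannot assess
PRIORITY_LOW = 1       # port closed or a different service: likely noise
PRIORITY_MEDIUM = 2    # targeted service listening, version not known vulnerable
PRIORITY_CRITICAL = 3  # targeted service listening and version is vulnerable


def assess(alarm: Alarm) -> Tuple[Optional[bool], int]:
    """Return (vulnerable, priority).

    vulnerable is None when the alarm type is unknown, otherwise whether the
    targeted port on the destination host is exposed to this alarm type.
    """
    entry = ALARM_VULN_MAP.get(alarm.alarm_type)
    if entry is None:
        return None, PRIORITY_UNKNOWN
    target_service, vulnerable_versions = entry
    listener = PORT_INVENTORY.get((alarm.dst, alarm.dst_port))
    if listener is None:
        return False, PRIORITY_LOW          # nothing listening: exploit cannot land
    service, version = listener
    if service != target_service:
        return False, PRIORITY_LOW          # e.g. SMB signature against an HTTP port
    if vulnerable_versions is None or version in vulnerable_versions:
        return True, PRIORITY_CRITICAL
    return False, PRIORITY_MEDIUM           # right service, unaffected version


def prioritize(alarm: Alarm) -> int:
    return assess(alarm)[1]


if __name__ == "__main__":
    sample = [
        Alarm("198.51.100.7", "10.0.0.5", 445, "SMB_EXPLOIT_ATTEMPT"),
        Alarm("198.51.100.7", "10.0.0.9", 445, "SMB_EXPLOIT_ATTEMPT"),
        Alarm("198.51.100.7", "10.0.0.12", 80, "HTTP_DIR_TRAVERSAL"),
        Alarm("198.51.100.7", "10.0.0.5", 445, "SOMETHING_NEW"),
    ]
    for a in sorted(sample, key=prioritize, reverse=True):
        print(prioritize(a), a.alarm_type, a.dst, a.dst_port, assess(a)[0])
```

The useful caveat for a practitioner is the freshness of the inventory: a stale port table turns a real attack into a "low" priority alarm, so the lookup should be fed by recent scans or host agents, and an unknown alarm type should be surfaced for triage rather than silently dropped.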
20090077666 | Value-Adaptive Security Threat Modeling and Vulnerability Ranking - Among others, techniques and systems are disclosed for analyzing security threats associated with software and computer vulnerabilities. Stakeholder values relevant for a software system are identified. The identified stakeholder values are quantified using a quantitative decision making approach to prioritize vulnerabilities of the software system. A structured attack graph is generated to include the quantified stakeholder values to define a scalable framework to evaluate attack scenarios. The structured attack graph includes two or more nodes. Based on the generated structured attack graph, structured attack paths are identified with each attack path representing each attack scenario. | 03-19-2009 |
20090094699 | APPARATUS AND METHOD OF DETECTING NETWORK ATTACK SITUATION - Provided is an apparatus for detecting a network attack situation. The apparatus includes an alarm receiver receiving a plurality of alarms raised in a network to which the alarm receiver is connected, converting the alarms into predetermined alarm data, and outputting the alarm data; an alarm processor analyzing an attack situation in the network based on attributes of the alarm data and the number of times that the alarm data is generated; a memory storing basic data needed to analyze the state of the network and providing the basic data to the alarm processor; and an interface transmitting the result of the analysis by the alarm processor to an external device, receiving a predetermined critical value from the external device, which is the basis for determining the occurrence of the attack situation, and outputting the critical value to the alarm processor such that the alarm processor can store the critical value in the memory. Hash engines and detection engines for processing the alarms in the network, equal in number to the number of data groups classified as network attack situations, are arranged in a line. Therefore, a network attack situation can be detected in real time based on a great number of alarms indicating intrusion detection. | 04-09-2009 |
20090100522 | WEB FIREWALL AND METHOD FOR AUTOMATICALLY CHECKING WEB SERVER FOR VULNERABILITIES - Provided is a web firewall for automatically checking for vulnerabilities, including: an administrating server scheduling part for ordering the examination of an administrating web server according to a predetermined examination schedule; a vulnerability search database calling part for calling a vulnerability search database previously stored according to the order of the administrating server scheduling part; a vulnerability searching part for searching for potential vulnerabilities of the administrating web server corresponding to data included in the called vulnerability search database; a vulnerability information deducing part for optimizing the results searched in the vulnerability searching part to deduce vulnerability information; a vulnerability checking part for checking the vulnerabilities of the administrating web server based on the results deduced from the vulnerability information deducing part; and a detailed vulnerability information reporting part for reporting detailed information on the checked vulnerabilities. | 04-16-2009 |
20090106842 | System for Regulating Host Security Configuration - Methods and apparatus for dynamically revising host-intrusion-protection configurations according to varying host state and changing intrusion patterns are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the hosts, maintains and updates protection software containing filters and rules for deploying each filter. A local server cyclically monitors each host of its subset of hosts at time instants separated by adjustable monitoring periods to acquire host-characterizing data and determine an optimal set of filters. The local server maintains a profile for each host and determines a current monitoring period for a host according to the host's current profile. The processing effort is reduced by judicious adjustment of successive monitoring periods and by selectively tailoring the host-characterizing data to the conditions of each host. | 04-23-2009 |
20090106843 | SECURITY RISK EVALUATION METHOD FOR EFFECTIVE THREAT MANAGEMENT - Provided is a security risk evaluation method for threat management. According to the present invention, new threats or vulnerabilities for a network which should be protected (target network) are collected, and a threat management environment is assessed by checking whether or not to apply attack-attempt detection rules and vulnerability assessment rules for assets related to the threats or vulnerabilities. Based on the assessment result, the range and level of response are previously checked and complemented, and corresponding risk evaluation is provided. Therefore, the threat management environment can be managed effectively. | 04-23-2009 |
20090106844 | SYSTEM AND METHOD FOR VULNERABILITY ASSESSMENT OF NETWORK BASED ON BUSINESS MODEL - Provided are a system and a method for vulnerability assessment of a network based on a business model. In the system and method, services of each node existing in a monitoring target network are monitored, and a business model is generated on the basis of the monitored services so as to perform vulnerability assessment on the business model. Accordingly, it is possible to guarantee the safety and availability of the system and the network while the vulnerability assessment is performed. | 04-23-2009 |
20090113549 | SYSTEM AND METHOD TO ANALYZE SOFTWARE SYSTEMS AGAINST TAMPERING - A system, article of manufacture and method is provided for determining the vulnerability to attack of a software system by generating a hybrid graph, the hybrid graph including an attack graph portion describing at least one potential attack goal on the software system and describing sub-attacks required to achieve the potential attack goal. The hybrid graph also includes a defense graph describing ways to defend against the potential sub-attacks. The hybrid attack-defense graph may be evaluated and a score may be calculated based on the evaluation. | 04-30-2009 |
20090113550 | Automatic Filter Generation and Generalization - Methods and architectures for automatic filter generation are described. In an embodiment, these filters are generated in order to block inputs which would otherwise disrupt the normal functioning of a program. An initial set of filter conditions is generated by analyzing the path of a program from a point at which a bad input is received to the point at which the malfunctioning of the program is detected and creating conditions on an input which ensure that this path is followed. Having generated the initial set of filter conditions, the set is made less specific by determining which instructions do not influence whether the point of detection of the attack is reached and removing the filter conditions which correspond to these instructions. | 04-30-2009 |
20090113551 | DEVICE AND METHOD FOR INSPECTING NETWORK EQUIPMENT FOR VULNERABILITIES USING SEARCH ENGINE - Provided is a device and method for inspecting network equipment for vulnerabilities using a search engine from a remote location. The device for inspecting network equipment for vulnerabilities includes: a network structure examination module for examining the structure of a system network and generating network structure information; a control module for selecting at least one subnet for vulnerability inspection according to the network structure information; a vulnerable network equipment examination module for examining at least one piece of target network equipment for vulnerability inspection in the at least one selected subnet using a search engine; a vulnerability inspection module for inspecting the target network equipment for vulnerabilities; and an inspection result display module for outputting inspection results received from the vulnerability inspection module. The time taken to perform a vulnerability inspection and the overhead of a system subject to inspection may be reduced by selecting one of the system's subnets for inspection according to network structure information, examining the selected subnet for potentially vulnerable network equipment using a search engine, and inspecting only potentially vulnerable network equipment for vulnerabilities. | 04-30-2009 |
20090113552 | System and Method To Analyze Software Systems Against Tampering - A system, article of manufacture and method is provided for determining the vulnerability to attack of a software system by generating a hybrid graph, the hybrid graph including an attack graph portion describing at least one potential attack goal on the software system and describing sub-attacks required to achieve the potential attack goal. The hybrid graph also includes a defense graph describing ways to defend against the potential sub-attacks. The hybrid attack-defense graph may be evaluated and a score may be calculated based on the evaluation. | 04-30-2009 |
20090119776 | METHOD AND SYSTEM FOR PROVIDING WIRELESS VULNERABILITY MANAGEMENT FOR LOCAL AREA COMPUTER NETWORKS - A Software-as-a-Service (SaaS) based method for providing wireless vulnerability management for local area computer networks. The method includes providing a security server being hosted by a service provider entity to provide analysis of data associated with wireless vulnerability management for a plurality of local area computer networks of a plurality of customer entities, respectively. The method includes creating a workspace for wireless vulnerability management for a customer entity on the security server and receiving configuration information associated with the workspace. The method also includes supplying one or more sniffers to the customer entity. The method includes receiving at the security server information associated with wireless activity monitored by the one or more sniffers at premises of the customer entity and processing the received information within the workspace for the customer entity using the security server. The method includes metering usage of the workspace for wireless vulnerability management for the customer entity. | 05-07-2009 |
20090119777 | METHOD AND SYSTEM OF DETERMINING VULNERABILITY OF WEB APPLICATION - A method of determining the vulnerability of a web application comprises: selecting fixed parameters from the parameters of a URL link extracted from a website; determining whether the process of determining vulnerability for the selected fixed parameter is completed or not; inserting an attack pattern for each attack type into the input value for the selected fixed parameter when the process of determining vulnerability for the selected fixed parameter is not completed; and determining the vulnerability of the selected fixed parameter for each attack type through an analysis of the response to a request for the URL link with the attack pattern inserted into it. | 05-07-2009 |
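The per-parameter loop described above (pick a parameter, skip it if already tested, insert one attack pattern per attack type, classify the response) as an added example in Python. This is not code from the patent: the attack patterns and response indicators are a small illustrative set, and the HTTP layer is a `fetch(url) -> body` callable so the example runs offline against the constructed vulnerable application in `fake_fetch`; a real scanner would plug in `urllib` or `requests` there.

```python
"""Per-parameter attack-pattern injection for a web application URL.

Added example, not code from the patent: query parameters are pulled from a
URL, one attack pattern per attack type is inserted into each parameter in
turn, and the response is checked for indicators of that attack type. The
HTTP layer is a `fetch(url) -> body` callable so the example runs offline
against the constructed fake application below; the attack patterns and
indicator strings are illustrative, not a complete signature set.
"""
import html
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# attack type -> (payload, substrings in the response that indicate success)
ATTACK_PATTERNS: Dict[str, tuple] = {
    "xss": ("<svg/onload=alert(1)>", ["<svg/onload=alert(1)>"]),
    "sqli": ("'", ["SQL syntax", "ORA-01756", "unterminated quoted string"]),
    "path_traversal": ("../../../../etc/passwd", ["root:x:0:0"]),
}


def inject(url: str, param: str, payload: str) -> str:
    """Return url with `param`'s value replaced by payload (other params kept)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    new_query = [(k, payload if k == param else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(new_query)))


def probe(url: str, fetch: Callable[[str], str],
          done: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Test each not-yet-finished parameter; return {param: [attack types hit]}.

    `done` plays the role of the completion check: parameters already tested
    (for example in an earlier run over another URL) are skipped, and the set
    is updated in place so the caller can carry it to the next URL.
    """
    done = set() if done is None else done
    params = dict.fromkeys(k for k, _ in parse_qsl(urlsplit(url).query,
                                                   keep_blank_values=True))
    findings: Dict[str, List[str]] = {}
    for param in params:
        if param in done:
            continue
        hits = []
        for attack, (payload, indicators) in ATTACK_PATTERNS.items():
            body = fetch(inject(url, param, payload))
            if any(ind in body for ind in indicators):
                hits.append(attack)
        findings[param] = hits
        done.add(param)
    return findings


def fake_fetch(url: str) -> str:
    """Constructed vulnerable application standing in for a real server.

    `q` is reflected without escaping (XSS); `id` is escaped on output but is
    concatenated into a SQL string server-side, so a quote triggers a DB error.
    """
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "'" in q.get("id", ""):
        return "500 Error: You have an error in your SQL syntax near ''''"
    return (f"<h1>Results for {q.get('q', '')}</h1>"
            f"<p>id={html.escape(q.get('id', ''))}</p>")


if __name__ == "__main__":
    print(probe("http://app.example/search?q=test&id=1", fake_fetch))
```

Indicator matching on the raw body is the weakest part of this design: an application that reflects the payload inside an attribute or escapes only some characters needs context-aware checks, and error-based SQL injection detection misses blind injection entirely, which is why production scanners add timing and boolean-difference probes on top of the pattern list.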
20090119778 | METHOD AND APPARATUS FOR AUTOMATED TESTING SOFTWARE - A system for discovering, or at least providing information that might assist in discovering, compromised computers involved in a malicious distributed program. The system is based around a test computer which is deliberately infected by a component of the malicious distributed program. Traffic sent by that test computer when under control of that component is recorded. More sophisticated malicious programs alter the system files or system programs on the computer which they infect—this creates a problem in that automation of the discovery process is difficult to achieve. Embodiments described here overcome this problem by running through a list of malicious program components, and in between executing ( | 05-07-2009 |
20090126022 | Method and System for Generating Data for Security Assessment - A system for creating data to be inputted to a security assessment system is provided with: a system configuration information collection unit for collecting system configuration information from an assessment object system; an attribute information input unit for receiving attribute information added to the system configuration information; an access policy generation unit for generating an access policy using the attribute information; and an assessment policy generation unit for generating an assessment policy representing an improper data migration path based on the access policy, the system configuration information and the attribute information. | 05-14-2009 |
20090126023 | APPARATUS AND METHOD FOR FORECASTING SECURITY THREAT LEVEL OF NETWORK - Provided are an apparatus and method for forecasting the security threat level of a network. The apparatus includes: a security data collection unit for collecting traffic data and intrusion detection data transmitted from an external network to a managed network; a malicious code data collection unit for collecting malicious code data transmitted from a security enterprise network; a time series data transformation unit for transforming the data collected by the security data collection unit into time series data; a network traffic analysis unit for analyzing the traffic distribution of the managed network using the data collected by the security data collection unit; and a security forecast engine for forecasting security data of the managed network using the time series data obtained by the time series data transformation unit, the data analyzed by the network traffic analysis unit, and the data collected by the malicious code data collection unit. | 05-14-2009 |
20090144827 | AUTOMATIC DATA PATCH GENERATION FOR UNKNOWN VULNERABILITIES - The claimed subject matter provides a system and/or method that generates data patches for vulnerabilities. The system can include devices and components that examine exploits received or obtained from data streams, construct probes, and determine whether the probes take advantage of vulnerabilities. Based at least in part on such determinations, data patches are dynamically generated to remedy the hitherto unknown vulnerabilities. | 06-04-2009 |
20090144828 | RAPID SIGNATURES FOR PROTECTING VULNERABLE BROWSER CONFIGURATIONS - Architecture for distributing rules-based, targeted vulnerability signatures to an application (e.g., a browser) in order to block exploitation of vulnerable objects (e.g., ActiveX controls) or protocols. The architecture provides a significant reduction in the window of vulnerability, thereby improving the user experience in the software products. The solution employs text in a configuration file (a realtime rule), which is fine-grained, works on both vendor-created and third-party controls, and is completely compatible except under attack conditions (and thus quick to deploy with minimal testing). Publication of the rule does not block legal uses of the vulnerable control and would not require a full testing procedure. Further, a vulnerable control with a proper vulnerability signature is as safe as running a fully-fixed control. The architecture can be extended to arbitrary binary behaviors, and shell protocols. | 06-04-2009 |
20090172817 | METHOD, APPARATUS AND SYSTEM FOR CONTAINING AND LOCALIZING MALWARE PROPAGATION - A method, apparatus and system contain and localize malware propagation. In one embodiment, a security scheme may identify worm traffic that attempts to probe an unused network location. The security scheme may then in conjunction with a routing component, reroute the worm traffic to a contained and localized location. In one embodiment, the contained and localized location is a virtual machine (VM) within a virtualized platform. In other embodiments, the contained and localized location is a computer system on a network. | 07-02-2009 |
20090172818 | METHODS AND SYSTEM FOR DETERMINING PERFORMANCE OF FILTERS IN A COMPUTER INTRUSION PREVENTION DETECTION SYSTEM - An intrusion prevention/detection system filter (IPS filter) performance evaluation is provided. The performance evaluation is performed at both the security center and at the customer sites to derive a base confidence score and local confidence scores. The existence of a new vulnerability is disclosed and its attributes are used in the generation of a new IPS filter or updates. The generated IPS filter is first tested to determine its base confidence score from test confidence attributes prior to deploying it to a customer site. A deep security manager and deep security agent, at the customer site, collect local confidence attributes that are used for determining the local confidence score. The local confidence score and the base confidence score are aggregated to form a global confidence score. The local and global confidence scores are then compared to deployment thresholds to determine whether the IPS filter should be deployed in prevention or detection mode or sent back to the security center for improvement. | 07-02-2009 |
20090178142 | END USER RISK MANAGEMENT - A flexible, efficient and easy-to-use computer security management system effectively evaluates and responds to informational risks on a wide variety of computing platforms and in a rapidly changing network environment. An individual computer system dynamically monitors its end user, without regard to network connectivity, in order to calculate a risk score and to ensure that the end user's behavior does not put corporate information or other assets at risk. Data regarding such risks and responses are analyzed and stored in real-time. | 07-09-2009 |
20090199298 | ENTERPRISE SECURITY MANAGEMENT FOR NETWORK EQUIPMENT - The inventive device includes a dashboard or graphical user interface (GUI), a security access control (AUTH) and secure communications sub-system (SEC-COMM), a network and asset discovery and mapping system (NAADAMS), an asset management engine (AME), a vulnerability assessment engine (CVE-DISCOVERY), a vulnerability remediation engine (CVE-REMEDY), a reporting system (REPORTS), a subscription, updates and licensing system (SULS), a countermeasure communications system (COUNTERMEASURE-COMM), a logging system (LOGS), a database integration engine (DBIE), a scheduling and configuration engine (SCHED-CONFIG), a wireless and mobile devices/asset detection and management engine (WIRELESS-MOBILE), a notification engine (NOTIFY), a regulatory compliance reviewing and reporting system (REG-COMPLY), client-side (KVM-CLIENT) integration with KVM over IP or similar network management equipment, authentication-services (KVM-AUTH) integration with KVM over IP or similar network management equipment, and server-side (KVM-SERVER) integration with KVM over IP or similar network management equipment. | 08-06-2009 |
20090205047 | Method and Apparatus for Security Assessment of a Computing Platform - A system and method for automated security testing are disclosed. The disclosure provides for automated discovery of security vulnerabilities through the monitoring of activities that occur throughout the separate components of a computing platform during a testing session through a communications interface. | 08-13-2009 |
20090217381 | MANUAL OPERATIONS IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between different security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints may publish security assessments onto a security assessment channel, as well as subscribe to a subset of security assessments published by other endpoints. A specialized endpoint is coupled to the channel that performs as a centralized audit point by subscribing to all security assessments, logging the security assessments, and also logging the local actions taken by endpoints in response to received security assessments. Manual operations are supported by the specialized endpoint including manual approval of actions, security assessment cancellation, and manual injection of security assessments into the security assessment channel. | 08-27-2009 |
20090222925 | SECURE BROWSER-BASED APPLICATIONS - Techniques are provided for execution of restricted operations by computer program code in web browsers, where the code is permitted to invoke restricted operations if implicit or explicit consent is received. Such techniques may include generating a risk rating for a computer program code component, where the component includes at least one component operation for executing at least one restricted system operation; and prompting a user for permission to execute the restricted system operation, wherein the prompt includes the risk rating and a description of the component operation. The program code may include script code associated with a web page that invokes a web browser plugin, which in turn invokes the restricted system operation. The code may invoke the restricted system operation in response to receiving an input from a user via the web browser, where the input is for causing an action associated with performing the operation, the action implicitly granting consent to perform the operation. | 09-03-2009 |
20090235359 | METHOD AND SYSTEM FOR PERFORMING SECURITY AND VULNERABILITY SCANS ON DEVICES BEHIND A NETWORK SECURITY DEVICE - A method and system of performing vulnerability and security scans on an internet connected device where the device is behind a network security device such as a firewall. The method is performed by having an agent that is local to the device to be scanned create a VPN connection with a scanning server and then performing the scanning over the VPN. The connection is terminated at the end to free up system resources. | 09-17-2009 |
20090241196 | METHOD AND SYSTEM FOR PROTECTION AGAINST INFORMATION STEALING SOFTWARE - A system and method for identifying infection of an electronic device by unwanted software is disclosed. A software agent configured to generate a bait is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information, or it may simply contain artificial sensitive information. Parameters may be inserted into the bait, such as the identity of the electronic device on which the bait is installed. The output of the electronic device is monitored and analyzed for attempts to transmit the bait. The output is analyzed by correlating it with the bait, which can be done by comparing information about the bait with the traffic over a computer network in order to decide on the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine whether the electronic device that transmitted the bait contains unwanted software. | 09-24-2009 |
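The bait scheme described above (mint artificial credentials that encode the device identity, keep them in a bait database, correlate outbound traffic against that database to decide whether and where stealing software is present) as an added example in Python. This is not code from the patent: the credential format, the HMAC-based tagging, the handling of URL-encoded and base64-encoded exfiltration and the sample traffic lines are all this example's own constructions.

```python
"""Bait (honeytoken) generation and exfiltration correlation.

Added example, not code from the patent: a bait credential pair is minted for
a device so that its tag encodes the device identity, stored in a bait
database, and outbound data is correlated against that database to decide
whether and where information-stealing software is present. The bait format,
the HMAC tagging scheme, the decoding of URL/base64 views and the traffic
lines are this example's own constructions.
"""
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

# A run that looks like base64; decoded views catch bait hidden in a blob.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


class BaitRegistry:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._tokens: Dict[str, str] = {}   # bait token -> device id

    def make_bait(self, device_id: str, seq: int = 0) -> Tuple[str, str]:
        """Mint a (username, password) bait bound to device_id.

        The tag is an HMAC over the device id and a sequence number, so the
        bait is unique per device and cannot be forged without the secret.
        """
        msg = f"{device_id}:{seq}".encode()
        tag = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:10]
        username = f"j.doe.{tag[:5]}"
        password = f"Winter{tag[5:8]}!{tag[8:]}"
        for token in (username, password):
            self._tokens[token] = device_id
        return username, password

    @staticmethod
    def _views(outbound: str) -> List[str]:
        """The line as sent plus URL-decoded and base64-decoded views of it."""
        views = [outbound, unquote(outbound)]
        for run in _B64_RUN.findall(outbound):
            try:
                decoded = base64.b64decode(run, validate=True)
            except ValueError:
                continue   # not valid base64 (bad length or padding)
            views.append(decoded.decode("utf-8", "replace"))
        return views

    def match(self, outbound: str) -> Optional[str]:
        """Return the device id whose bait appears in outbound data, else None."""
        views = self._views(outbound)
        for token, device in self._tokens.items():
            if any(token in view for view in views):
                return device
        return None

    def scan(self, lines: List[str]) -> List[Tuple[int, str]]:
        """Correlate each outbound line with the bait database."""
        hits = []
        for i, line in enumerate(lines):
            device = self.match(line)
            if device is not None:
                hits.append((i, device))
        return hits


def demo() -> List[Tuple[int, str]]:
    """Constructed outbound traffic from one device: two lines carry the bait."""
    reg = BaitRegistry(b"constructed-server-secret")
    user, pw = reg.make_bait("laptop-42")
    blob = base64.b64encode(f"{user}:{pw}".encode()).decode()
    traffic = [
        "POST /api/sync HTTP/1.1 body=status=ok",
        f"GET /c2/collect?u={quote(user, safe='')}&p={quote(pw, safe='')} HTTP/1.1",
        "POST /login HTTP/1.1 body=user=alice&pass=hunter2",
        "POST /upload HTTP/1.1 body=" + blob,
    ]
    return reg.scan(traffic)


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. The HMAC tag lets the server recognise its own bait without storing every token if the bait database is ever lost, and it keeps the device identity out of the credential in cleartext. Decoding base64 runs rather than base64-encoding each token avoids the alignment problem: a token embedded mid-blob is not encoded the same way as the token on its own, so token-level encoding would miss it.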
20090254993 | SYSTEM FOR IMPLEMENTING SECURITY ON TELECOMMUNICATIONS TERMINALS - A system includes at least one telecommunications terminal having data processing capabilities, the telecommunications terminal being susceptible of having installed thereon software applications, wherein each software application has associated therewith a respective indicator adapted to indicate a level of security of the software application, the level of security being susceptible of varying in time; a software agent executed by the at least one telecommunications terminal, the software agent being adapted to conditionally allow the installation of software applications on the telecommunications terminal based on the respective level of security; a server in communications relationship with the software agent, the server being adapted to dynamically calculate the level of security of the software applications, and to communicate to the software agent the calculated level of security of the software applications to be installed on the telecommunications terminal. | 10-08-2009 |
20090260086 | CONTROL FRAMEWORK GENERATION FOR IMPROVING A SECURITY RISK OF AN ENVIRONMENT - Apparatus and method for managing risk in an environment, where information is received regarding a problem in the environment. A security risk associated with the problem is analyzed. Controls associated with the environment containing the problem are analyzed. A framework is generated defining one or more controls for mitigating the security risk, responsive to the analyzed security risk and controls. | 10-15-2009 |
20090260087 | EXECUTABLE CONTENT FILTERING - Malicious executable content in network messages (e.g., request and response hypertext transfer protocol message) can circumvent some security measures. In addition, conventional security measures aimed at capturing malicious executable content noticeably impact system performance. Stream based filtering of network messages allows for efficient processing to remove malicious executable content. Furthermore, an extensible framework for executable content filtering streaming message elements allows for efficient adaptation of an executable content filter to new threats disguised as executable content. | 10-15-2009 |
20090265787 | SECURITY MATURITY ASSESSMENT METHOD - In general, the invention relates to a method for assessing an information security policy and practice of an organization. The method includes collecting information about the information security policy and practice of the organization, generating a rating for each of a plurality of information security items using a security maturity assessment matrix and the collected information, and generating a graphical assessment of the ratings. The security maturity assessment matrix includes a first dimension and a second dimension, where the first dimension corresponds to the information security items and the second dimension corresponds to maturity levels. Further, each rating is derived using the first dimension and the second dimension. | 10-22-2009 |
20090282487 | Method of Managing and Mitigating Security Risks Through Planning - An exemplary method is provided for managing and mitigating security risks through planning. A first security-related information of a requested product is received. A second security-related information of resources that are available for producing the requested product is received. A multi-stage process with security risks managed by the first security-related information and the second security-related information is performed to produce the requested product. | 11-12-2009 |
20090293128 | GENERATING A MULTIPLE-PREREQUISITE ATTACK GRAPH - In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge. | 11-26-2009 |
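The node-reuse rule described above (before creating a potential node, check whether an existing state, vulnerability instance or prerequisite node already provides the same precondition; if so add an edge to it, otherwise create the node and link it) as an added example in Python. This is not code from the patent: the three node kinds, the breadth-first expansion, the small three-host scenario and the names of the prerequisites and vulnerability instances are all constructed for illustration.

```python
"""Multiple-prerequisite attack graph construction with node reuse.

Added example, not code from the patent: three node kinds (state,
prerequisite, vulnerability instance) are added breadth-first from the
attacker's starting state. Before a node is created, the builder checks
whether an existing node already provides the same precondition; if so the
new edge goes to that node instead of duplicating it. The network, the
prerequisites each state grants and the vulnerability instances are a
constructed scenario, not data from the patent.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VulnInstance:
    name: str            # node id of the vulnerability instance
    requires: frozenset  # prerequisite ids that must all be held (AND)
    yields: str          # state id the attacker gains on success


@dataclass
class AttackGraph:
    nodes: Dict[str, str] = field(default_factory=dict)     # id -> kind
    edges: Set[Tuple[str, str]] = field(default_factory=set)

    def add_node(self, node_id: str, kind: str) -> bool:
        """Add node unless one providing the same precondition exists.

        Returns True only when a new node was created, so callers know
        whether to keep expanding from it.
        """
        if node_id in self.nodes:
            return False
        self.nodes[node_id] = kind
        return True

    def nodes_of_kind(self, kind: str) -> List[str]:
        return [n for n, k in self.nodes.items() if k == kind]


def build(start: str, grants: Dict[str, Set[str]],
          vulns: List[VulnInstance]) -> AttackGraph:
    """grants maps a state id to the prerequisites holding that state gives."""
    g = AttackGraph()
    g.add_node(start, "state")
    held: Set[str] = set()
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for prereq in grants.get(state, set()):
            g.add_node(prereq, "prerequisite")      # reused if already present
            g.edges.add((state, prereq))
            held.add(prereq)
        for v in vulns:
            if v.name in g.nodes or not v.requires <= held:
                continue                            # already placed, or AND not met
            g.add_node(v.name, "vulnerability")
            for prereq in v.requires:
                g.edges.add((prereq, v.name))
            fresh = g.add_node(v.yields, "state")   # False: link to existing state
            g.edges.add((v.name, v.yields))
            if fresh:
                queue.append(v.yields)
    return g


def build_example() -> AttackGraph:
    """Constructed scenario: web host, database host, password reuse."""
    grants = {
        "attacker@internet": {"reach:web:80", "reach:web:22"},
        "user@web": {"reach:db:3306", "cred:db"},   # DB password in a config file
        "root@db": {"cred:web"},                     # reused password found on db
    }
    vulns = [
        VulnInstance("web-rce", frozenset({"reach:web:80"}), "user@web"),
        VulnInstance("db-weak-auth", frozenset({"reach:db:3306", "cred:db"}), "root@db"),
        VulnInstance("ssh-reuse", frozenset({"reach:web:22", "cred:web"}), "user@web"),
    ]
    return build("attacker@internet", grants, vulns)


if __name__ == "__main__":
    g = build_example()
    for kind in ("state", "prerequisite", "vulnerability"):
        print(kind, sorted(g.nodes_of_kind(kind)))
    print(len(g.nodes), "nodes,", len(g.edges), "edges")
```

In the scenario the second route to `user@web` (SSH with the password recovered from the database host) does not create a second `user@web` node; it adds one edge to the existing one, which is what keeps the graph linear in the number of hosts and prerequisites instead of growing with the number of attack orderings. A vulnerability instance with a prerequisite nothing grants is never placed, so an unreachable exploit does not appear in the graph at all.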
20090307777 | METHOD AND DEVICE FOR PREDICTING NETWORK ATTACK ACTION - A method for predicting a network attack action, including: monitoring a network status parameter and obtaining information on an attack action according to a change in the network status parameter; selecting, from a plurality of subsequent attack actions of the attack action, the subsequent attack action most likely to occur according to a correspondence between the attack action and the plurality of subsequent attack actions, the most likely subsequent attack action being the one with the largest occurrence count among the subsequent attack actions corresponding to the attack action; and outputting the most likely subsequent attack action as the predicted network attack action. A device for predicting a network attack action including an attack action management unit is also provided. The present invention describes the attack action procedure and the relation among attack actions during the attack action procedure, and provides a network pre-warning method for determining which action is to be taken. | 12-10-2009 |
20090320136 | IDENTIFYING EXPLOITATION OF VULNERABILITIES USING ERROR REPORT - A tool and method examine error report information from a computer to determine not only whether a virus or other malware may be present on the computer but also which vulnerability a particular exploit was attempting to use to subvert security mechanisms and install the virus. A system monitor may collect both error reports and information about the error report, such as geographic location, hardware configuration, and software/operating system version information, to build a profile of the spread of an attack and to be able to issue notifications related to increased data collection for errors, including crashes related to suspected services under attack. | 12-24-2009 |
20090320137 | SYSTEMS AND METHODS FOR A SIMULATED NETWORK ATTACK GENERATOR - Systems and methods for generating a network attack within a simulated network environment including a module configured for creating one or more attack events against network devices within the simulated network environment wherein the attack events include exploitations of published and unpublished vulnerabilities and failures of hardware and software network systems, devices, or applications within the simulated network environment and for executing the created attack event on the simulated network environment and having an interface configured for receiving metadata regarding each attack event and adding the received attack event metadata to each associated attack event. | 12-24-2009 |
20090320138 | NETWORK SECURITY SYSTEM HAVING A DEVICE PROFILER COMMUNICATIVELY COUPLED TO A TRAFFIC MONITOR - A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities. | 12-24-2009 |
20090328222 | MAPPING BETWEEN USERS AND MACHINES IN AN ENTERPRISE SECURITY ASSESSMENT SHARING SYSTEM - Mapping between object types in an enterprise security assessment sharing (“ESAS”) system enables attacks on an enterprise network and security incidents to be better detected and capabilities to respond to be improved. The ESAS system is distributed among endpoints incorporating different security products in the enterprise network that share a commonly-utilized communications channel. An endpoint will generate a tentative assignment of contextual meaning called a security assessment that is published when a potential security incident is detected. The security assessment identifies the object of interest, the type of security incident and its severity. A level of confidence in the detection is also provided which is expressed by an attribute called the “fidelity”. ESAS is configured with the capabilities to map between objects, including users and machines in the enterprise network, so that security assessments applicable to one object domain can be used to generate security assessments in another object domain. | 12-31-2009 |
20090328223 | EVALUATING THE EFFECTIVENESS OF A THREAT MODEL - Evaluating a threat model for structural validity and descriptive completeness. A threat modeling application provides a progress factor or other overall score associated with the structural validity and descriptive completeness of the threat model being evaluated. The structural validity is evaluated based on a data flow diagram associated with the threat model. The descriptive completeness is evaluated by reviewing descriptions of threat types in the threat model. The progress factor encourages modelers to provide effective models to a model reviewer, thus saving time for the model reviewer. | 12-31-2009 |
20090328224 | Calculating Domain Registrar Reputation by Analysis of Hosted Domains - Reputations of domain registrars are calculated based on the hosting of risky domains. The more undesirable domains a registrar hosts, the lower is its reputation. The risk level of the hosted domains is also a factor in determining the reputation. When a user attempts to access a hosted domain, the calculated reputation of the hosting domain registrar is used in determining what security steps to apply to the access attempt. The worse the reputation of the hosting registrar, the more security is applied, all else being equal. | 12-31-2009 |
20100024035 | VULNERABILITY SHIELD SYSTEM - Security against computer software attacks is provided by blocking the use of known software vulnerabilities by attackers. Rather than merely discovering attacking software after it has installed itself into a computer system as in the prior art, software with a known vulnerability is monitored so that when it takes a potentially dangerous action, such as creating new attack software, that new attack software is marked and then prevented from loading. If the newly created attack software cannot load, it cannot execute, thus thwarting use of the newly written software to perform whatever nefarious act was intended by the attacker. | 01-28-2010 |
20100031362 | SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF MALICIOUS USE OF SERVERS - A system and method to protect web applications from malicious attacks and, in particular, a system and method for identification and blocking of malicious DNS servers. The system includes a central processing unit and first program instructions. The first program instructions identify a rogue Domain Name Service (DNS) by identifying that a DNS metric is outside a historical limit. The first program instructions are stored on the computer system for execution by the central processing unit. | 02-04-2010 |
20100043074 | METHOD AND APPARATUS FOR CRITICAL INFRASTRUCTURE PROTECTION - A method of risk management across a mission support network is provided, including identifying a mission of the mission support network, and identifying, by a computer processor, assets of the mission support network. The assets include a mission asset to support the mission and a support asset to provide support to the mission asset. Each of the assets is characterized by a criticality index value to measure how important the asset is to a performance of the mission, and a vulnerability index value to measure a vulnerability of the asset to a threat. | 02-18-2010 |
20100050262 | METHODS AND SYSTEMS FOR AUTOMATED DETECTION AND TRACKING OF NETWORK ATTACKS - Methods for tracking attacking nodes are described and include extracting, from a database, an instance of each unique packet header associated with IP-to-IP packets transmitted over a time period. The method includes determining from extracted headers, which nodes have attempted to establish a connection with an excessive number of other nodes over a period, identifying these as potential attacking nodes, determining from the headers, which other nodes responded with a TCP SYN/ACK packet indicating a willingness to establish connections, and a potential for compromise. Nodes scanned by potential attacking nodes are disqualified from the identified nodes based on at least one of: data in the headers relating to at least one of an amount of data transferred, and scanning activities conducted by the nodes that responded to a potential attacking node with a TCP SYN/ACK packet. Any remaining potential attacking nodes and scanned nodes are presented to a user. | 02-25-2010 |
20100050263 | BROWSER BASED METHOD OF ASSESSING WEB APPLICATION VULNERABILITY - A novel and useful mechanism and method for assessing the vulnerability of web applications while browsing the application. As a user interacts with the web application, HTTP requests are sent from the browser to the web server. Each HTTP request is analyzed to determine if its associated elements need testing. Vulnerability assessment tests are sent to the server. Test results are then returned to the browser, where they are analyzed, displayed and/or stored in a log file. | 02-25-2010 |
20100050264 | Spreadsheet risk reconnaissance network for automatically detecting risk conditions in spreadsheet files within an organization - A spreadsheet risk reconnaissance network including a research agent installed on one or more spreadsheet file servers registered on the network, and a plurality of spreadsheet file servers for supporting a plurality of user organizations registered and communicating with a data processing center. Each research agent operates transparently to users on the network so as to perform a number of functions, including (i) collecting metadata from spreadsheet files stored on said spreadsheet file servers registered on said network, and (ii) transmitting the collected metadata to the data processing center for storage and analysis. The data processing center performs a number of operations, including (i) analyzing collected metadata associated with each spreadsheet file, (ii) calculating a spreadsheet risk measure based on objective-relative analysis, for a plurality of spreadsheet files associated with at least one user organization, under management by the network, and (iii) allowing business manager users to assign business attributes to identified spreadsheet files assigned the spreadsheet risk measure. | 02-25-2010 |
20100058475 | FEEDBACK-GUIDED FUZZ TESTING FOR LEARNING INPUTS OF COMA - Embodiments of the present invention combine static analysis, source code instrumentation and feedback-guided fuzz testing to automatically detect resource exhaustion denial of service attacks in software and generate inputs of coma for vulnerable code segments. The static analysis of the code highlights portions that are potentially vulnerable, such as loops and recursions whose exit conditions are dependent on user input. The code segments are dynamically instrumented to provide a feedback value at the end of each execution. Evolutionary techniques are then employed to search among the possible inputs to find inputs that maximize the feedback score. | 03-04-2010 |
20100071066 | SYSTEM, METHOD AND PROGRAM PRODUCT FOR DYNAMICALLY PERFORMING AN AUDIT AND SECURITY COMPLIANCE VALIDATION IN AN OPERATING ENVIRONMENT - A system, method and program product for dynamically performing an audit and security compliance validation. The method includes providing a tool for performing a compliance check of installed computer applications running on a system, the tool including a first set and a second set of plug-ins. Further, the method includes scanning the system, using plug-ins selected from the first set to obtain a current inventory of applications currently installed on the system and selecting plug-ins from the second set to be run on the system in response to the current inventory of applications obtained, and automatically running the plug-ins selected from the second set for performing the compliance check on the system in response to a scheduling criteria identified for the system, where the second set of plug-ins perform the compliance check for only the applications currently installed on the system. | 03-18-2010 |
20100095381 | DEVICE, METHOD, AND PROGRAM PRODUCT FOR DETERMINING AN OVERALL BUSINESS SERVICE VULNERABILITY SCORE - A device, method, and program product are disclosed which are configured to receive, at a risk analysis engine, one or more business service models from a configuration management database, wherein the one or more business service models each comprises a set of configuration items, and wherein the one or more business service models each indicate a type of configuration item and a connectivity of the configuration item; send the set of configuration items to a vulnerability assessment tool; receive, from the vulnerability assessment tool, one or more vulnerability assessment scores for each configuration item within the set of configuration items; determine an overall business service vulnerability score for each of one or more business services based on the one or more business service models and the vulnerability assessment scores received from the vulnerability assessment tool; and output electronically the overall business service vulnerability score. | 04-15-2010 |
20100100962 | INTERNET SECURITY DYNAMICS ASSESSMENT SYSTEM, PROGRAM PRODUCT, AND RELATED METHODS - Systems, program product, and methods related to dynamic Internet security and risk assessment and management, are provided. For example, a system, program product, and method of identifying and servicing actual customer requests to a defended or protected computer or server can include the steps/operations of receiving by the defended computer, a service request from each of a plurality of IP addresses associated with a separate one of a plurality of service requesting computers, sending an inspection code adapted to perform a virtual attack on each existing service requesting computer at each respective associated IP address, and restricting provision of services from the defended computer to a subset of the service requesting computers identified for restriction when a security feature of the respective service requesting computer is determined to have been defeated by the virtual attack. | 04-22-2010 |
20100100963 | SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device. | 04-22-2010 |
20100100964 | SECURITY STATUS AND INFORMATION DISPLAY SYSTEM - The present invention provides a system and method for reporting security information relating to a mobile device. The invention enables a security assessment to be displayed in various formats on the mobile device display or on a client computer. A security component identifies security events on the mobile device that are processed on the mobile device or by a server. The security component then determines a security assessment for the mobile device based upon the detected security events. The security assessment display may be persistent in the form of a desktop widget or dashboard on a client computer, or home-screen item on the mobile device. This allows a user or administrator to verify that security protection on the device is functioning and to be alerted if the device needs attention without having to specifically seek the information, thereby enabling immediate response to potential security problems. | 04-22-2010 |
20100100965 | SYSTEM AND METHOD FOR PROVIDING REMEDIATION MANAGEMENT - In one embodiment, software for remediation management is operable to automatically identify an asset in an enterprise network. One or more vulnerabilities of the identified asset is automatically identified based on comparing the identified asset to content associated with the one or more vulnerabilities. At least a portion of the content is collected from a plurality of third party content providers. Other example software for remediation management may be operable to identify one or more vulnerabilities of an asset based on comparing the asset to content associated with the one or more vulnerabilities and automatically generate remediations for the asset based on the content associated with the one or more vulnerabilities. | 04-22-2010 |
20100115621 | Systems and Methods for Detecting Malicious Network Content - A method for detecting malicious network content comprises inspecting one or more packets of network content, identifying a suspicious characteristic of the network content, determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic, identifying the network content as suspicious if the score satisfies a threshold value, executing a virtual machine to process the suspicious network content, and analyzing a response of the virtual machine to detect malicious network content. | 05-06-2010 |
20100115622 | System and method for monitoring network traffic - Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic. | 05-06-2010 |
20100122346 | METHOD AND APPARATUS FOR LIMITING DENIAL OF SERVICE ATTACK BY LIMITING TRAFFIC FOR HOSTS - A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue. | 05-13-2010 |
20100125912 | ESTIMATING AND VISUALIZING SECURITY RISK IN INFORMATION TECHNOLOGY SYSTEMS - Security risk for a single IT asset and/or a set of IT assets in a network such as an enterprise or corporate network may be estimated and represented in a visual form by categorizing risk into different discrete levels. The IT assets may include both computing devices and users. The risk categorization uses a security assessment of an IT asset that is generated to indicate the type of security problem encountered, the severity of the problem, and the fidelity of the assessment. The asset value of an IT asset to the enterprise is also assigned. Security risk is then categorized (and a numeric risk value provided) for each IT asset for different problem types by considering the IT asset value along with the severity and fidelity of the security assessment. The security risk for the enterprise is estimated using the numeric risk value and then displayed in visual form. | 05-20-2010 |
20100125913 | System and Method for Run-Time Attack Prevention - Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function. | 05-20-2010 |
20100132043 | Method and Apparatus for an End User Identity Protection Suite - A method comprising an indicator showing an overall security status of a user. | 05-27-2010 |
20100138925 | METHOD AND SYSTEM SIMULATING A HACKING ATTACK ON A NETWORK - The present invention describes a method for simulating a hacking attack on a Network, wherein the Network comprises at least one of a plurality of data processing units (DPUs), a plurality of users and a plurality of communication links, to assess vulnerabilities of the Network. The method includes receiving one or more scan parameters for the Network. Further, the method includes creating at least one master agent by a system to gather information about the Network, wherein the information pertains to critical and non-critical information about the Network. The method includes creating an Information Model and then incrementally updating the Information Model during the hacking attack. The Information Model is the abstract representation of information collected by the system. Furthermore, the method includes generating a Multiple Attack Vector (MAV) graph based on one or more scan parameters and the Information Model. MAV has the ability to combine a plurality of low and medium severity vulnerabilities associated with the data processing units (DPUs), users and communication links, correlate vulnerabilities in combination with the Information Model and generate high severity attack paths that can lead to compromise of the Network. Moreover, the method includes launching one or more attacks based on the MAV graph to compromise the Network. The method further includes installing at least one slave agent on the compromised Network to perform the one or more attacks in a distributed manner. Moreover, the method includes performing a multi stage attack by using the at least one slave agent and the at least one master agent by repeating the above steps. Finally, the method includes generating a report by the scan controller, wherein the report contains details about the compromised Network and the vulnerabilities of the Network. | 06-03-2010 |
20100138926 | SELF-DELEGATING SECURITY ARRANGEMENT FOR PORTABLE INFORMATION DEVICES - A portable information device includes a dynamically configurable security arrangement in which operational settings are automatically and dynamically configured based on a current set of security risks to which the device is exposed, on a current computing capacity of the portable information device, or both. The operational settings can be adjusted to control which security services or functions are to be executed locally by portable information device, and which of the security services or functions are to be executed remotely on at least one computing device that is distinct from the portable information device. | 06-03-2010 |
20100162401 | RISK MODEL CORRECTING SYSTEM, RISK MODEL CORRECTING METHOD, AND RISK MODEL CORRECTING PROGRAM - A risk value is calculated to suit a state and environment of an analysis target system, by presenting data for determining whether or not a calculated risk is correct, and presenting portions for parameters to be changed such as weights related to a threat, a vulnerability and a measure contained in the risk model. A risk model correcting system includes a risk model storage section that stores as a risk model, a correspondence relationship between threats constituting a risk and a measure for each threat, and parameters including weights of them; an information collecting section that collects data of an analysis target system; an influence degree calculating section that calculates an influence degree of the existence or non-existence of the measure on a result of the calculation of the risk value; a risk analyzing section that performs a risk analysis on the analysis target system; and a reason presenting section that presents a reason of the risk calculation by presenting the influence degree calculated by the risk degree calculating section. | 06-24-2010 |
20100169974 | Measuring Coverage of Application Inputs for Advanced Web Application Security Testing - A computer implemented method, a data processing system, and a computer usable recordable-type medium having a computer usable program code monitor a black box web application security scan. A black box scan of a web application is initiated. The black box scan sends a test to a plurality of web application inputs of the web application. A runtime analysis is performed on the black box scan of the web application. Based on the run time analysis of the black box scan, the black box scan is modified. | 07-01-2010 |
20100169975 | SYSTEMS, METHODS, AND DEVICES FOR DETECTING SECURITY VULNERABILITIES IN IP NETWORKS - This invention is a system, method, and apparatus for detecting compromise of IP devices that make up an IP-based network. One embodiment is a method for detecting and alerting on the following conditions: (1) Denial of Service Attack; (2) Unauthorized Usage Attack (for an IP camera, unauthorized person seeing a camera image); and (3) Spoofing Attack (for an IP camera, unauthorized person seeing substitute images). A survey of services running on the IP device, historical benchmark data, and traceroute information may be used to detect a possible Denial of Service Attack. A detailed log analysis and a passive DNS compromise system may be used to detect a possible unauthorized usage. Finally, a fingerprint (a hash of device configuration data) may be used as a private key to detect a possible spoofing attack. The present invention may be used to help mitigate intrusions and vulnerabilities in IP networks. | 07-01-2010 |
20100175135 | Systems and Methods for Assessing the Compliance of a Computer Across a Network - The disclosed principles describe systems and methods for assessing the security posture of a target device, wherein the assessment is performed by a scanning computer in communication with the target device via a communication network. By employing a system or method in accordance with the disclosed principles, distinct advantages are achieved. Specifically, conducting such a remote scan allows for the scanner computer to perform a remote scan of the remote device without installing client software to the remote device. Thus, the disclosed principles reduce the need for internal IT resources to manage the deployment and updates of client software on the target device. Also, conducting a remote scan according to the disclosed principles allows for the remote scan to be performed even if the scanner computer and remote device run different operating systems. | 07-08-2010 |
20100192228 | DEVICE, METHOD AND PROGRAM PRODUCT FOR PRIORITIZING SECURITY FLAW MITIGATION TASKS IN A BUSINESS SERVICE - A device, method, and program product for prioritizing security flaw mitigation tasks is provided. The device, method, and program product are configured to receive, at a risk analysis engine, one or more business service models from a configuration management database, wherein the one or more business service models each comprises a set of configuration items, and wherein the one or more business service models each indicate a type of configuration item and a connectivity of the configuration item. The set of configuration items are sent to a vulnerability assessment tool to obtain one or more vulnerability assessment scores for each configuration item within the set of configuration items. A risk score for each configuration item is then determined. In turn, a prioritized list of configuration items is output based on the risk score of each configuration item. | 07-29-2010 |
20100192229 | PRIVILEGE VIOLATION DETECTING PROGRAM - A privilege violation detecting program stored on a computer-readable medium causes a computer to detect a privilege violation of a test target program by receiving an authority request API from an authority request API trace log storing unit; reading out, from an object access rule storing unit, an assumed access API assumed to be output in response to the received authority request API; determining an actual access API returned in response to the received authority request API from the actual access API trace log storing unit; and storing, into a least privilege violation data storing unit, data of the received authority request API when the actual access API returned in response to the received authority request API does not match the read out assumed access API. | 07-29-2010 |
20100199351 | METHOD AND SYSTEM FOR SECURING VIRTUAL MACHINES BY RESTRICTING ACCESS IN CONNECTION WITH A VULNERABILITY AUDIT - A method and system for securing a virtual machine is disclosed. An initiation signal from the host system that is generated upon startup of the virtual machine is intercepted, and a network connection on the host system accessible by the virtual machine is restricted in response. Then, the virtual machine is queried for preexisting vulnerabilities, and such data is received. Access by the virtual machine to the network connection is controlled based upon a comparison of a security policy, which is associated with the virtual machine, to the received preexisting vulnerabilities. | 08-05-2010 |
20100199352 | CONTROL AUTOMATION TOOL - A control automation tool (“CAT”) is configured for supporting discrete management of controls and their corresponding metrics. The control automation tool includes a software application connected with, stored on, and executed by one or more relational, closed-loop data repositories and computer systems. The use and maturation of a control within an organization depends on management of operational performance and expenses, which the CAT assists through lean project management, effective implementation of action plans and financial functions. Further, people resources, organizational hierarchy and access management functions are used to support mapping of controls arranged by organizational unit and support access permissions that are consistent with appropriate data management. The CAT also provides transparency and meaning to control and metric status and relevant data regarding controls and their associated metrics and is configured for ease of control and metric management via the CAT interface. | 08-05-2010 |
20100199353 | VULNERABILITY-BASED REMEDIATION SELECTION - A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between a remediation, at least one action, and at least two vulnerabilities. A method of selecting a remediation, that is appropriate to a vulnerability which is present on a machine to be remediated, may include: providing a machine-actionable memory as mentioned above; and indexing into the memory using: a given vulnerability identifier to determine (A) at least one of a remediation mapped thereto and (B) at least one action mapped to the given vulnerability identifier; and/or a given remediation to determine at least two vulnerabilities mapped thereto. | 08-05-2010 |
20100205673 | CODE PROPERTY ANALYSIS FOR SECURITY MITIGATIONS - Attempts to make code secure often are associated with performance penalties. To facilitate striking an acceptable balance between performance and security, vulnerable areas of source code are identified. The vulnerable areas are examined for areas that are actually safe and the safe areas are filtered from the universe of code that receives security mitigations. The remaining code receives security mitigations appropriate to the level of risk of the code. | 08-12-2010 |
20100205674 | Monitoring System for Heap Spraying Attacks - A monitoring system may analyze system memory to determine a vulnerability statistic by identifying potential sleds within the memory, and creating a statistic that is a ratio of the amount of potential sleds per the total memory. In some cases, the statistic may be based on the number of instructions or bytes consumed by the sleds. The potential sleds may be determined by several different mechanisms, including abstract payload execution, polymorphic sled detection, sled surface area calculation, and other mechanisms. The monitoring system may be a multi-threaded operation that continually monitors system memory and analyzes recently changed objects in memory. When the vulnerability statistic rises above a certain level, the system may alert a user or administrator to a high vulnerability condition. | 08-12-2010 |
20100205675 | SYSTEMS AND METHODS FOR MODIFYING NETWORK MAP ATTRIBUTES - The disclosed systems and methods provide a user interface for modifying host configuration data that has been automatically and passively determined and for adding or modifying other parameters associated with a host. A host data table can store various parameters descriptive of a host including the applicability of specific vulnerabilities. If it is determined that one or more hosts should not be identified as associated with a specific vulnerability, a graphical user interface can be used to modify the vulnerability parameter. | 08-12-2010 |
20100218256 | SYSTEM AND METHOD OF INTEGRATING AND MANAGING INFORMATION SYSTEM ASSESSMENTS - A system and method for performing information system assessments, collecting the results, providing an analysis and evaluation of the results to provide a comprehensive and integrated assessment of the information system. | 08-26-2010 |
20100235917 | SYSTEM AND METHOD FOR DETECTING SERVER VULNERABILITY - Systems and methods for detecting vulnerability of a server are provided. One system includes: a check server for collecting response information with respect to at least one predetermined command from one or more service servers that provide service, and thus may be attacked from outside, and detecting and analyzing vulnerabilities of the service servers based on the collected response information; an administration terminal for displaying the results of detecting and analyzing the vulnerabilities of the service servers; and a database for storing and managing pattern information concerning the detected vulnerabilities. One method includes identifying a server that may be attacked by port scanning, receiving response information with respect to at least one predetermined command from the identified server, detecting and analyzing vulnerability of the server based on the response information, and reporting the result of the detection to an administration terminal. | 09-16-2010 |
20100235918 | Method and Apparatus for Phishing and Leeching Vulnerability Detection - A system and method for protection of Web based applications are described. Anomalous traffic can be identified by comparing the traffic to a profile of acceptable user traffic when interacting with the application. Phishing and leeching are one type of anomalous traffic that is detected. The anomalous traffic, or security events, identified at the individual computer networks are communicated to a central security manager. Various responsive actions may be taken in response to detection of phishing or leeching. | 09-16-2010 |
20100235919 | ATTACK CORRELATION USING MARKED INFORMATION - Techniques are described for providing security to a protected network. Techniques are described for thwarting attempted network attacks using marked information. The attack correlation system provides marked information to computing devices that probe for sensitive information, and monitors subsequent communications for use of the marked information. In one example, the attack correlation system reroutes communications containing the marked information to a dedicated vulnerable device that logs the communications to monitor the attackers' methods. The attack correlation system may also include functionality to exchange information regarding attempted attacks with other attack correlation systems to gain broader knowledge of attacks throughout one or more networks. | 09-16-2010 |
20100235920 | METHOD AND DEVICE FOR QUESTIONING A PLURALITY OF COMPUTERIZED DEVICES - Some embodiments of the present invention may relate to a device and a method of questioning computerized devices within an organization's network. The device, in accordance with some embodiments of the present invention, may include a questioning module and an agentless module. The questioning module may be adapted to receive data specifying a plurality of computerized devices to be questioned, and to receive data indicating which one or more questioning subjects are selected to be questioned on the specified computerized devices. The agentless module may be adapted to invoke and configure at least a remote access process, to question at least a registry of a remote computerized device. In accordance with some embodiments of the present invention, the questioning module may be adapted to utilize multiple threads of the agentless module to invoke and configure a plurality of remote access processes to question in parallel and without using agents at least a registry of the specified computerized devices, in accordance with the selected questioning subjects. | 09-16-2010 |
20100242114 | SYSTEM AND METHOD FOR SELECTING AND APPLYING FILTERS FOR INTRUSION PROTECTION SYSTEM WITHIN A VULNERABILITY MANAGEMENT SYSTEM - A system for controlling selection of filters for protecting against vulnerabilities of a computer network includes a vulnerability management system analyzes the computer network and determines network vulnerabilities for the computer network. The vulnerability management system is configured to receive real-time data on a status of filters protecting against vulnerabilities of the computer network. A database contains a pre-generated mapping of network vulnerabilities to filters for protecting against the network vulnerabilities. The vulnerability management system enables user control of filters for protecting against vulnerabilities of the computer network based upon the determined network vulnerabilities of the computer network, the pre-generated mapping of network vulnerabilities to the filters for protecting against the network vulnerabilities and the real-time data on the status of the filters. | 09-23-2010 |
20100251374 | METHOD AND APPARATUS FOR MONITORING AND ANALYZING DEGREE OF TRUST AND INFORMATION ASSURANCE ATTRIBUTES INFORMATION IN A DATA PROVIDENCE ARCHITECTURE WORKFLOW - A method and apparatus that monitors and analyzes degree-of-trust and information assurance attribute information in a data provenance architecture workflow is disclosed. The method may include receiving a message having a data provenance wrapper, examining each data provenance record of the message and any attachments for discrepancies, identifying any discrepancies found in that examination, calculating a degree of trust based on the identified discrepancies, and presenting the degree of trust and information assurance attribute information to the user on a display. | 09-30-2010 |
20100251375 | METHOD AND APPARATUS FOR MINIMIZING NETWORK VULNERABILITY - An apparatus, system, and method for controlling access to a network. A device controls communication between a computer and the network. The device includes an integrated circuit receiving signals from one or more peripheral devices and transmitting the received signals to the computer, a first data connection connecting the computer to the device, and a second data connection connecting the apparatus to a network. The device also includes a switch connecting the first and second data connections and permitting the computer to access the network when in a first state and disconnecting the first and second data connections when in a second state. The device further includes a timer determining the time period since the last transmission of signals from the one or more peripheral devices, and when the time period since the last transmission of signals exceeds a predetermined time period the integrated circuit causes the switch to change from the first state to the second state. | 09-30-2010 |
20100251376 | METHODOLOGIES, TOOLS AND PROCESSES FOR THE ANALYSIS OF INFORMATION ASSURANCE THREATS WITHIN MATERIAL SOURCING AND PROCUREMENT - Enterprise resource planning systems and methods are described. Point sources for at-risk components and technologies in an enterprise are assembled, identified and localized by identifying factors such as geo-political affiliation of parties including employers, employees, organizations, education levels of the parties, capability and abilities to create or modify malware, and the financial level of the per-capita population model-based threat rankings. Threats to a pipeline are determined, ranked, and a targeted risk mitigation prioritization plan against identified high-level threats is created. | 09-30-2010 |
20100251377 | DYNAMIC LEARNING METHOD AND ADAPTIVE NORMAL BEHAVIOR PROFILE (NBP) ARCHITECTURE FOR PROVIDING FAST PROTECTION OF ENTERPRISE APPLICATIONS - An adaptive normal behavior profile (NBP) architecture for providing fast protection of enterprise applications are disclosed. The adaptive NBP architecture includes a plurality of profile items. Each profile item includes a plurality of profile properties holding the descriptive values of the respective item. An application-level security system can identify and prevent attacks targeted at enterprise applications by matching application events against at least a single profile item in the adaptive NBP. | 09-30-2010 |
20100275263 | Enterprise Information Security Management Software For Prediction Modeling With Interactive Graphs - Various baseline security measurements of assets are collected and calculated by the system. A user creates a what-if scenario by changing one or more baseline security measurements. The system generates interactive, animated graphs that compare the baseline security measurements against the what-if scenario. | 10-28-2010 |
20100281543 | Systems and Methods for Sensitive Data Remediation - Systems and methods for sensitive data remediation include calculating a Probability of Loss of data on a given computer based on measures of control, integrity, and potential avenues of exploitation of the given computer, determining an Impact of Loss of the data on the given computer based on a type, volume, and nature of the data, and correlating the Probability of Loss with the Impact of Loss to generate a risk score for the given computer that can be compared to other computers in the network. The computers with higher risk scores can then be subjected to data remediation activity. | 11-04-2010 |
20100287617 | METHOD FOR COMMUNICATION SECURITY AND APPARATUS THEREFOR - A FireNet security system in which trustworthy networks, called BlackNets, each comprising One (1) or more client computers, are protected by FireBreaks against attacks from untrustworthy networks, called RedNets. All incoming transactions from the RedNet are examined by the FireBreak to determine if they violate any of a plurality of protection rules stored in a local protection rules database. Any transaction found to be in violation is discarded. Valid transactions are forwarded to the BlackNet. If an otherwise valid transaction is found to be suspicious, the FireBreak will forward to a FireNet Server relevant information relating to that transaction. If the FireNet Server verifies that the transaction is indeed part of an attack, the FireNet Server will create new protection rules suitable to defend against the newly identified source or strategy of attack. Periodically, all FireBreaks in the FireNet system will transfer, directly or indirectly, all new rules. | 11-11-2010 |
20100293616 | Web Application Vulnerability Scanner - Disclosed is a method for quickly identifying vulnerabilities in web applications. The method determines website links of interest and evaluates those sites for web application vulnerabilities. Both in the selection of links and in their evaluation, the method employs various heuristics to enforce a fast evaluation while requiring minimal resources to run. | 11-18-2010 |
20100293617 | METHOD AND APPARATUS FOR AUTOMATIC RISK ASSESSMENT OF A FIREWALL CONFIGURATION - A method and apparatus for automatic risk assessment of a firewall configuration facilitates the automatic generation of a risk assessment for a given firewall configuration. The method scans the firewall analyzer report before the human user does and flags the configuration errors. Each misconfiguration found is called a risk item. The report is analyzed against a knowledge base of known risk items. The method further filters out duplicate risk items that are triggered by different rules. | 11-18-2010 |
20100306850 | BEHAVIORAL ENGINE FOR IDENTIFYING PATTERNS OF CONFIDENTIAL DATA USE - A client device hosts a behavioral engine. Using the behavioral engine, the client device analyzes behavior of a client application with respect to confidential information. The client device assigns a rating indicative of risk to the client application based on the behavior of the client application. The client device performs an action to mitigate risk of data loss if the rating exceeds a threshold. | 12-02-2010 |
20100306851 | METHOD AND APPARATUS FOR PREVENTING A VULNERABILITY OF A WEB BROWSER FROM BEING EXPLOITED - A method and an apparatus for preventing a vulnerability of a web browser from being exploited are disclosed. The method comprises: monitoring a file downloaded by a browser process; intercepting a process creating action initiated by the browser process; determining whether the intercepted process creating action is to launch the file downloaded by the browser process; and notifying a user that a vulnerability of the browser may be exploited, if the determining result is positive. | 12-02-2010 |
20100306852 | Apparatus and Methods for Assessing and Maintaining Security of a Computerized System under Development - A security assessment method for assessing security of a computerized system under development, the system including assets and being managed in accordance with an organization policy, the method including providing an organizational computerized system development policy; classifying said assets in said system under development, thereby to generate asset classification information; and automated creation of at least one security requirement based on said asset classification information and said organization policy. | 12-02-2010 |
20100325730 | System and Method for Remotely Securing a Network from Unauthorized Access - This invention is an improved system and method of efficiently deploying a large scale roll out of secure networks, including a VPN, to clients with limited or non-existent technical staff. The invention allows for a person with minimal technical skills to install, and, if necessary, uninstall the solution. Through a series of automated and/or remotely-controlled steps provided through connections established from inside the site to a centralized system over an unprotected network, the site's network can be secured, updated, and/or reconfigured, and returned to its previous state if errors should occur. Furthermore, a virtual private network (VPN) can be established that allows multiple hosts on the VPN but on different local networks to have the same IP address. Additionally, without any additional hardware and as part of the installation process, the invention protects the site from unauthorized local network devices either by preventing them from passing traffic off the local network or by generating notification of their existence. | 12-23-2010 |
20100325731 | ASSESSING THREAT TO AT LEAST ONE COMPUTER NETWORK - Apparatus for assessing threat to at least one computer network in which a plurality of systems ( | 12-23-2010 |
20100333205 | Methods, Computer Networks and Computer Program Products for Reducing the Vulnerability of User Devices - Methods, computer networks, and computer program products that reduce the vulnerability of network user devices to security threats include scanning a user device connected to a network to determine whether the user device contains a particular version of an application; downloading the particular version of the application via the network in response to verifying that the user device does not contain the particular version of the application; installing the downloaded application on the user device; scanning the user device for security vulnerabilities; downloading a patch via the network in response to detecting a security vulnerability, wherein the patch is configured to remedy the security vulnerability; and executing the downloaded patch on the user device to remedy the detected security vulnerability. | 12-30-2010 |
20110016531 | SYSTEM AND METHOD FOR AUTOMATED MAINTENANCE BASED ON SECURITY LEVELS FOR DOCUMENT PROCESSING DEVICES - The subject application is directed to a system and method for automated maintenance of preselected security levels for document processing devices. A network data connection is established with at least one document processing device of a plurality thereof. At least one document processing device is identified and testing software is pushed to the at least one document processing device so as to commence loading and running thereof. Test result data is received from the at least one document processing device in accordance with a running of the testing software, a security level associated with the at least one document processing device is identified, and updated software is pushed to the at least one document processing device in accordance with received test result data and an identified security level. | 01-20-2011 |
20110016532 | Measure selecting apparatus and measure selecting method - A measure selecting apparatus includes a vulnerability handling determining unit and an optimum measure selecting unit. The determining unit determines the handling status of each vulnerability of a resource in a task used to develop a measure, based on vulnerability master data in which a resource, a vulnerability of the resource, and a recovery time associated with the vulnerability are defined in an associated manner; measure master data in which a vulnerability defined in the vulnerability master data and a measure for eliminating a vulnerability are defined in an associated manner; and measure status data in which a performance status of each measure defined in the measure master data is defined. The selecting unit selects a measure, from among measures defined in the measure master data, based on a recovery time that is defined and associated with a vulnerability determined to have not been handled by the determining unit. | 01-20-2011 |
20110023122 | INFORMATION PROVIDING SUPPORT DEVICE AND INFORMATION PROVIDING SUPPORT METHOD - It is an object to provide an information providing support device which is capable of encouraging a person having an intention or an obligation to provide information to provide safe and good quality information. An information providing support device of the present invention includes: an information storage unit for memorizing at least information input by a user of the information providing support device; an information providing request receiving unit for receiving the information providing request without intermediation of a user operation; an internal information retrieval unit for retrieving relevant information from the information storage unit in response to the information providing request received by the information providing request receiving unit, the relevant information being information relevant to the information providing request; and an information providing request presenting unit for presenting a predetermined information manager with the information providing request for which the relevant information has been retrieved by the internal information retrieval unit and the relevant information in association with each other, the information manager being authorized to permit the provision of the information stored in the information storage unit. | 01-27-2011 |
20110030059 | Method for testing the security posture of a system - A method is provided for assessing the susceptibility of a NIDS to evasion. In an embodiment, the method involves intercepting packets that pass through a NIDS or other defensive device, reading, from the intercepted packets, message sequences that pertain to at least one protocol or network application, and constructing at least one stochastic sequential model of usage of the protocol from the protocol sequences. | 02-03-2011 |
20110030060 | METHOD FOR DETECTING MALICIOUS JAVASCRIPT - A method provides dynamic analysis to identify URLs provisioning malicious JavaScript, comprising tracing frequently used JavaScript features that are employed either to inject malicious JavaScript into an HTML response or to redirect the user to a website that serves malicious content. An apparatus embodiment operates in the cloud, in the middle of the connection, where it identifies JavaScript in the response traffic, then requests the other corresponding JavaScript and can make a determination before delivering the original content to the user. | 02-03-2011 |
20110030061 | DETECTING AND LOCALIZING SECURITY VULNERABILITIES IN CLIENT-SERVER APPLICATION - The present invention provides a system, computer program product, and computer implemented method for analyzing a set of two or more communicating applications. The method includes executing a first application, such as a client application, and executing a second application, such as a server application. The applications communicate with each other. A correlation is recorded between the applications and an execution characteristic exhibited on execution. An oracle is used to determine an analysis of the first application that has been executed. The execution of the first application causes a change of state in the second application and/or a change in control flow in the second application. Code fragments in the first application and/or the second application are prioritized based on an evaluation produced by the oracle, and based on the correlation between the code fragments that have been executed and the execution characteristic exhibited by the code fragments. | 02-03-2011 |
20110035803 | SYSTEM AND METHOD FOR EXTENDING AUTOMATED PENETRATION TESTING TO DEVELOP AN INTELLIGENT AND COST EFFICIENT SECURITY STRATEGY - A system and method for extending automated penetration testing of a target network is provided. The method comprises: computing a scenario, comprising the steps of translating a workspace having at least one target computer in the target network to a planning definition language, translating penetration modules available in a penetration testing framework to a planning definition language, and defining a goal in the target network and translating the goal into a planning definition language; building a knowledge database with information regarding the target network, properties of hosts in the network, and parameters and running history of modules in the penetration testing framework; and running an attack plan solver module, comprising running an attack planner using the scenario as input to produce at least one attack plan that achieves the goal, and executing actions defined in the at least one attack plan against the target network from the penetration testing framework. | 02-10-2011 |
20110055925 | PATTERN-BASED APPLICATION CLASSIFICATION - Embodiments of the present disclosure provide a method and system for remotely auditing a security posture of a client machine at a centralized server. The system receives an integrity-protected report from the client machine, or from other devices related to the client machine, the report comprising entries associated with security events or security states or both related to the client machine. The report entries comprise characteristics of the security events or security states to facilitate identification of a probable security attack at the client machine. The system also detects a pattern among one or more reports. Finally, the system classifies the security posture of the client machine based on the detected pattern, which could indicate a probable security attack at the client machine. | 03-03-2011 |
20110072517 | Detecting Security Vulnerabilities Relating to Cryptographically-Sensitive Information Carriers when Testing Computer Software - A system for detecting security vulnerabilities in computer software, including a cryptographic API identifier configured to identify a cryptographic API among the instructions of a computer software application, a path-to-source tracer configured to trace an information flow path among the instructions between the cryptographic API and a source that directly or indirectly provides data that are input to the cryptographic API, where a cryptographically-sensitive information carrier lies along the information flow path, a path-to-sink tracer configured to trace an information flow path among the instructions from the cryptographically-sensitive information carrier to a sink, and a security vulnerability identifier configured to provide a notification that the information flow path between the cryptographically-sensitive information carrier and the sink represents a security vulnerability if the information flow path between the cryptographically-sensitive information carrier and the sink does not pass through a cryptographic API. | 03-24-2011 |
20110078797 | Endpoint security threat mitigation with virtual machine imaging - Methods and apparatus involve the mitigation of security threats at a computing endpoint, such as a server, including dynamic virtual machine imaging. During use, a threat assessment is undertaken to determine whether a server is compromised by a security threat. If so, a countermeasure to counteract the security threat is developed and installed on a virtual representation of the server. In this manner, the compromised server can be replaced with its virtual representation while always maintaining the availability of the endpoint in the computing environment. Other features contemplate configuration of the virtual representation from a cloned image of the compromised server taken at least as of a time just before the compromise, and configuration on separate or the same hardware platforms. Testing of the countermeasure to determine success is another feature, as is monitoring data flows to identify compromises, including their types or severity. Computer program products and systems are also taught. | 03-31-2011 |
20110078798 | REMOTE PROCEDURE CALL (RPC) SERVICES FUZZ ATTACKING TOOL - A system and method for testing a computer program using a computer system includes a plurality of computer systems communicating using a network. An interface parser module defines at least one program interface in a program file of a specified program. A fuzzer module reads the program file and identifies the program interfaces. An attack data generator module attacks the program interfaces and communicates with the fuzzer, and the fuzzer determines vulnerabilities in the specified program. A recorder records the attacking procedure. A verifier verifies remedies for vulnerabilities by replaying the attacking procedure of the program interface and determining vulnerabilities. A service status detective module restarts the specified program when the specified program ceases to operate or crashes. | 03-31-2011 |
20110088095 | Anti-Tamper System Employing Automated Analysis - A computer implemented anti-tamper system employing runtime profiling of software in order to decide where to inject integrity checks into the software, to enable verification of whether or not the software has been tampered with. Runtime profiling and analysis is used to record information about the application, in order to establish the locations and targets of runtime integrity checks in order to optimise protection security, while minimising the performance penalty and the need for hand configuration. | 04-14-2011 |
20110093954 | APPARATUS AND METHOD FOR REMOTELY DIAGNOSING SECURITY VULNERABILITIES - An apparatus for remotely diagnosing security vulnerabilities, includes a vulnerability analysis unit for obtaining service information by searching a target device of a specific network and a port of the target device, searching a profile DB for principal characteristic information of the acquired service information, determining a query key type based on the retrieved principal characteristic information to acquire a vulnerability diagnosis list present in the principal characteristic information from a vulnerability list management DB; and an attack agent for diagnosing a vulnerability of the principal characteristic information on the vulnerability diagnosis list based on preset characteristic information. Further, the apparatus includes a result analysis unit for reporting a result of the diagnosis of the vulnerability of the principal characteristic information; and a GUI management unit for performing interfacing of the result of the diagnosis of the vulnerability of the principal characteristic information to a vulnerability diagnosis tool. | 04-21-2011 |
20110093955 | DESIGNING SECURITY INTO SOFTWARE DURING THE DEVELOPMENT LIFECYCLE - Systems, methods, and computer program products are provided for a comprehensive software security system. The overarching software security system described and claimed herein provides for a system that addresses all of the concerns and vulnerabilities present at the design level (i.e., new software applications) and the production level (i.e., pre-existing software applications) associated with software. Additionally, the system governs the individual security processes and practices. The software security system defines specific security practices and the timing for application of the practices within the overall software development lifecycle. Additionally, the disclosed software security system takes advantage of role specialization, such as security specialization, to increase effectiveness and limit conflicts of interest within the design process. | 04-21-2011 |
20110093956 | Protecting a Mobile Device Against a Denial of Service Attack - A method of protecting a mobile device against malware is described. The mobile device comprises a backup operating system, the backup operating system being stored, preferably in a ROM, in the mobile device separately from the active operating system. The method comprises the steps of: providing a signal indicative of the possible presence of malware in the mobile device; and, replacing in response to the signal the active operating system with the backup operating system. | 04-21-2011 |
20110119765 | SYSTEM AND METHOD FOR IDENTIFYING AND ASSESSING VULNERABILITIES ON A MOBILE COMMUNICATION DEVICE - The invention is a system and method for identifying, assessing, and responding to vulnerabilities on a mobile communication device. Information about the mobile communication device, such as its operating system, firmware version, or software configuration, is transmitted to a server for assessment. The server accesses a data storage storing information about vulnerabilities. Based on the received information, the server may identify those vulnerabilities affecting the mobile communication device, and may transmit a notification to remediate those vulnerabilities. The server may also transmit result information about the vulnerabilities affecting the mobile communication device. The server may also store the received information about the device, so that in the event the server learns of new vulnerabilities, it may continue to assess whether the device is affected, and may accordingly notify or remediate the device. The server may provide an interface for an administrator to manage the system and respond to security issues. | 05-19-2011 |
20110126288 | METHOD FOR SOFTWARE VULNERABILITY FLOW ANALYSIS, GENERATION OF VULNERABILITY-COVERING CODE, AND MULTI-GENERATION OF FUNCTIONALLY-EQUIVALENT CODE - A method for detecting, analyzing, and mitigating vulnerabilities in software is provided. The method includes determining whether one or more vulnerabilities are present in one or more target software components, determining whether any detected vulnerabilities are fixable, and fixing the detected vulnerabilities that are fixable in code or in associated models used to generate code. A vulnerability-covering code is generated when one or more of the detected vulnerabilities are not fixable. A determination is then made whether there are any remaining vulnerabilities in the vulnerability-covering code. A vulnerability-aware diverse code is generated when there are one or more remaining vulnerabilities to obfuscate the remaining vulnerabilities. | 05-26-2011 |
20110131656 | IDENTIFYING SECURITY VULNERABILITY IN COMPUTER SOFTWARE - Identifying a security vulnerability in a computer software application by identifying at least one source in a computer software application, identifying at least one sink in the computer software application, identifying at least one input to any of the sinks, determining whether the input derives its value directly or indirectly from any of the sources, determining a set of possible values for the input, and identifying a security vulnerability where the set of possible values for the input does not match a predefined specification of legal values associated with the sink input. | 06-02-2011 |
20110131657 | HOOKING NONEXPORTED FUNCTIONS BY THE OFFSET OF THE FUNCTION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for obfuscated malware. In one aspect, a method includes accessing offset data associated with a binary executable, the offset data including an offset of a nonexported function; and modifying instructions at the offset. In another aspect, a method includes analyzing a reference generated for a binary executable, identifying a unique identifier for the binary executable, determining an offset of a nonexported function in the binary executable, and generating offset data that includes the offset and the unique identifier. | 06-02-2011 |
20110131658 | DYNAMIC RISK MANAGEMENT - A dynamic risk management system for operating systems that provides monitoring, detection, assessment, and follow-up action to reduce the risk whenever it rises. The system enables an operating system to protect itself automatically in dynamic environments. The risk management system monitors a diverse set of attributes of the system which determines the security state of the system and is indicative of the risk the system is under. Based on a specification of risk levels for the various attributes and for their combinations, the risk management system determines whether one or more actions are required to alleviate the overall risk to the system. | 06-02-2011 |
20110131659 | EXTENSIBLE FRAMEWORK FOR SYSTEM SECURITY STATE REPORTING AND REMEDIATION - A security health reporting system provides an application program interface (API) for use by independent software vendors (ISVs) to extend the security health reporting capabilities of the security health reporting system. An ISV security solution can register with the security health reporting system, create a schema that describes a new security class, and use the API to publish an instance of the schema for the new security class with the security health reporting system. When an instance of a schema for a new security class is published, the security health reporting system creates the new security class, and recognizes the definition for the security class within the security health reporting system. Registered ISV security solutions can then use the published schema to report their health statuses for the new security class. | 06-02-2011 |
20110138469 | SYSTEM AND METHOD FOR RESOLVING VULNERABILITIES IN A COMPUTER NETWORK - In a computer network, a remedy server may be provided that controls vulnerability scans of the computer nodes. The remedy server determines a security level of a computer node and dispatches an agent to the node with a scan matching the security level. The agent executes the scan and reports the scan results to the remedy server. The remedy server collates scan results from a plurality of the network computers and determines which computers have a common vulnerability. A fix for the vulnerability, such as an executable patch file, is retrieved and multicast to those relevant computers. | 06-09-2011 |
20110138470 | AUTOMATED TESTING FOR SECURITY VULNERABILITIES OF DEVICES - A method includes selecting an attack signature from an attack signature database; generating a fingerprint that includes parameters indicative of the attack signature; generating configuration data for one or more test devices based on the fingerprint, wherein the configuration data is capable of configuring the one or more test devices to provide a security response to the attack signature; providing the configuration data to the one or more test devices; transmitting the attack signature to the one or more test devices; examining a security response to the attack signature from the one or more test devices; and outputting a result of the examining. | 06-09-2011 |
20110138471 | SECURITY HANDLING BASED ON RISK MANAGEMENT - A security device may receive information relating to a security event in a customer network. The security device may further determine, in response to receiving the information, a likelihood score that reflects a likelihood that the security event will succeed and an impact score that provides an indication of an impact that the security event will have on the customer network. The security device may also determine a risk score based on the likelihood score and the impact score, where the risk score provides an indication of a risk that the security event will affect the customer network. The security device may provide the risk score to a customer associated with the customer network. | 06-09-2011 |
20110145924 | METHOD FOR DETECTION AND PREVENTION OF LOADING EXECUTABLE FILES FROM THE CURRENT WORKING DIRECTORY - The present invention detects vulnerabilities by observing (“monitoring”) the calls of system and application functions, and the arguments of such calls, which play a key role in loading executable files, and detects that a computer program or operating system either has tried, is trying or will try to load or execute an executable file from the current working directory. The present invention extends the detection procedure with an active intervention into the execution of a computer program or operating system such that loading or execution of the executable file is prevented. The present invention limits exploitability of the described vulnerability, by limiting loading or execution of executable files from the current working directory, or limiting or preventing setting of the current working directory to locations where a malicious person could place an executable file. | 06-16-2011 |
20110154497 | SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR COLLECTING AND REPORTING SENSOR DATA IN A COMMUNICATION NETWORK - A system for collecting and reporting sensor data in a communication network includes a microprocessor coupled to a memory and an electronic storage device. The microprocessor receives sensor data from sensors, and stores the sensor data for each sensor in the electronic storage device. The microprocessor also receives, via the communication network, a data reporting instruction defining a data reporting technique corresponding to the sensor data associated with one or more of the sensors. The data reporting instruction is stored in the electronic storage device, and the microprocessor transmits, to a trust mediator over the communication network, at least a portion of the sensor data based on the data reporting instruction. The trust mediator maintains an acceptable level of security for data throughout the communication network by adjusting security safeguards based on the sensor data. | 06-23-2011 |
20110154498 | APPARATUSES, METHODS AND SYSTEMS OF AN APPLICATION SECURITY MANAGEMENT PLATFORM - This disclosure details the implementation of apparatuses, methods and systems of an application security management platform (hereinafter, “ASMP”). ASMP systems may, in one embodiment, implement a live platform on a computerized system, whereby the platform may receive security data associated with a running application from multiple security tracking systems, evaluate the security performance of the application, generate an application security summary report for review and manage review processes for security professionals. | 06-23-2011 |
20110162072 | DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO ATTACKS - Determining the vulnerability of computer software applications to attacks by identifying a defense-related variable within a computer software application that is assigned results of a defense operation defending against a predefined type of attack, identifying a control-flow predicate dominating a security-sensitive operation within the application, identifying a data-flow dependent variable in the application that is data-flow dependent on the defense-related variable, determining whether the control-flow predicate uses the data-flow dependent variable to make a branching decision and whether a control-flow path leading to the security-sensitive operation is taken only if the data-flow dependent variable is compared against a value of a predefined type, determining that the security-sensitive operation is safe from the attack if both control-flow conditions are true, and determining that the application is safe from the attack if all security-sensitive operations in the application are determined to be safe from the attack. | 06-30-2011 |
20110162073 | Predictive Assessment of Network Risks - In certain implementations, systems and methods for predicting technology vulnerabilities in a network of computer devices are based on software characteristics of processes executing at the computer devices. In one preferred implementation, the system identifies processes at various computing devices within an organization, identifies software characteristics associated with the processes, applies technology controls to the software characteristics, determines risk indexes based on the modified technology control, applies administrative controls to the risk indexes, aggregates the indexes to create a risk model, determines alternative risk models, and presents the risk models for consideration and analysis by a user. | 06-30-2011 |
20110173700 | IMAGE FORMING APPARATUS, SETTING METHOD OF IMAGE FORMING APPARATUS AND SECURITY SETTING APPARATUS - According to one embodiment, an image forming apparatus includes a database, an acquisition unit, a list creation unit and a list output unit. The database stores assets to be protected, threats to the protected assets and security protection methods to the threats. The acquisition unit acquires basic information inputted by an administrator. The list creation unit lists a threat to a protected asset estimated from the basic information acquired by the acquisition unit and a security protection method by referring to the database. The list output unit outputs information listed by the list creation unit. | 07-14-2011 |
20110179492 | PREDICTIVE BLACKLISTING USING IMPLICIT RECOMMENDATION - A method is provided for determining a rating of a likelihood of a victim system receiving malicious traffic from an attacker system at a point in time. The method comprises: generating a first forecast from a time series model based on past history of attacks by the attacker system; generating a second forecast from a victim neighborhood model based on similarity between the victim system and peer victim systems; generating a third forecast from a joint attacker-victim neighborhood model based on correlation between a group of attacker systems including the attacker system and a group of victim systems including the victim system; and determining the rating of the likelihood of the victim system receiving malicious traffic from the attacker system at the point in time based on the first forecast, the second forecast, and the third forecast. | 07-21-2011 |
20110179493 | INFORMATION PROCESSING DEVICE, A HARDWARE SETTING METHOD FOR AN INFORMATION PROCESSING DEVICE AND A COMPUTER READABLE STORAGE MEDIUM STORED ITS PROGRAM - An information processing device includes a replacement function of a system unit in a partition and a TPM (trusted platform module) function in the system unit. The system unit sets the TPM to valid or invalid and a management unit sets a reserved system board in the partition. The TPM setting information of the system unit and the reserved setting information of the system unit by the management unit are notified to each other and are exclusively controlled. It is effectively possible to execute a reserved SB function, which integrates the reserved system board and re-starts without manual operation, even when using a system unit which mounts the trusted platform module. | 07-21-2011 |
20110185431 | SYSTEM AND METHOD FOR ENABLING REMOTE REGISTRY SERVICE SECURITY AUDITS - The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity. | 07-28-2011 |
20110185432 | Cyber Attack Analysis - In certain embodiments, analyzing cyber attacks includes receiving cyber attack parameters. A cyber attack parameter describes a performance attribute of a cyber attack scenario. The cyber attack parameters comprise at least one temporal parameter describing a temporal feature of the cyber attack scenario. The following is performed for each cyber defense of one or more cyber defenses to yield one or more sets of cyber attack metrics: simulating the cyber attack operating with a cyber defense; and determining a set of cyber attack metrics describing the cyber attack operating with the cyber defense. The cyber defenses are evaluated in accordance with the sets of cyber attack metrics. | 07-28-2011 |
20110185433 | CONSTRAINT INJECTION SYSTEM FOR IMMUNIZING SOFTWARE PROGRAMS AGAINST VULNERABILITIES AND ATTACKS - A constraint is inserted into a program to address a vulnerability of the program to attacks. The constraint includes a segment of code that determines when the program has been asked to execute a “corner case” which does not occur in normal operations. The constraint code can access a library of detector and remediator functions to detect various attacks and remediate against them. Optionally, the detector can be employed without the remediator for analysis. The context of the program can be saved and restored if necessary to continue operating after remediation is performed. The constraints can include descriptors, along with machine instructions or byte code, which indicate how the constraints are to be used. | 07-28-2011 |
20110191852 | METHOD TO PERFORM A SECURITY ASSESSMENT ON A CLONE OF A VIRTUAL SYSTEM - A system to create a virtual clone of a production system for the purpose of executing security services without risk to the original production system. The service host makes a copy of the dedicated memory and physical storage of the virtual target, and then uses that data to initiate a clone in an isolated virtual environment within the service host. Once the target system has been cloned, security services can be performed on the clone without any risk to the target system, and provide an accurate reflection of the security state of the target system. | 08-04-2011 |
20110191853 | SECURITY TECHNIQUES FOR USE IN MALICIOUS ADVERTISEMENT MANAGEMENT - The present invention provides methods and systems for use in malicious advertisement management. Methods and systems are provided in which, after an advertisement is determined not to present a security threat, whether initially or after removal of any such threat, a first modification is performed to code associated with the advertisement which may introduce a security coding. Further modification, which may breach the security coding, may indicate that the advertisement is more likely to present a security threat than if the further modification had not occurred. | 08-04-2011 |
20110191854 | METHODS AND SYSTEMS FOR TESTING AND ANALYZING VULNERABILITIES OF COMPUTING SYSTEMS BASED ON EXPLOITS OF THE VULNERABILITIES - A security tool can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities. The security tool can determine the risk level based on exploits associated with the vulnerabilities. The security tool can determine the risk level based on factors associated with the exploits such as whether an exploit exists, a rank of the exploit, a number of exploits that exist for the vulnerability, a difficulty to identify whether the exploit exists, and an effect of the exploit on the vulnerability. The security tool can generate a report identifying the vulnerabilities of the computing system, the exploits associated with the vulnerabilities, and the risk level of the vulnerabilities. The report can also include links to information about the exploits. | 08-04-2011 |
20110191855 | IN-DEVELOPMENT VULNERABILITY RESPONSE MANAGEMENT - In-development vulnerability response management, in one aspect, may detect a code instance that matches a vulnerability pattern; generate one or more hints associated with the code instance in response to the detecting; retrieve an action response to the code instance that matches a vulnerability pattern; and associate the retrieved action response with the code instance. | 08-04-2011 |
20110214187 | System and Method for Network Security Including Detection of Attacks Through Partner Websites - A computer readable storage medium with instructions executable on a host computer. The instructions record a relationship between a partner site and the host computer, substitute a reference to the partner site with a partner site alias referencing the host computer, deliver the partner site alias to a client, replace the partner site alias for the reference to the partner site in response to receiving the partner site alias from the client and augment the address of the client with an address alias. The address alias is sent to the partner site. A partner action and the address alias are received from the partner site. The address is exchanged for the address alias. The partner action is delivered to the client utilizing the address. These operations are monitored to identify client activity that constitutes a security threat at the host computer or the partner site. | 09-01-2011 |
20110219454 | METHODS OF IDENTIFYING ACTIVEX CONTROL DISTRIBUTION SITE, DETECTING SECURITY VULNERABILITY IN ACTIVEX CONTROL AND IMMUNIZING THE SAME - Provided is a method of identifying an ActiveX control distribution site, detecting a security vulnerability in an ActiveX control and immunizing the same. A security vulnerability existing in an ActiveX control may be automatically detected, effects brought on by the corresponding security vulnerability may be measured, and abuse of the detected security vulnerability in a user PC to be protected may be immediately prevented. Therefore, since the user PC may be protected regardless of a security patch, it is anticipated that security problems in the Internet environment caused by imprudent use of the ActiveX control may be significantly alleviated. | 09-08-2011 |
20110225656 | NETWORK SECURITY SERVER SUITABLE FOR UNIFIED COMMUNICATIONS NETWORK - A network security server constituted of: a device detection functionality, the device detection functionality arranged to detect devices on a network on an ongoing basis; a state extraction functionality arranged to read the state of each of the detected devices; an abstraction functionality arranged to translate each of the read states to a common abstract format; a state analysis functionality arranged to compare each of the translated read states with a predetermined database of states; and a session control functionality arranged to control communication of each of the detected devices responsive to the comparison with the predetermined database of states. | 09-15-2011 |
20110231935 | SYSTEM AND METHOD FOR PASSIVELY IDENTIFYING ENCRYPTED AND INTERACTIVE NETWORK SESSIONS - The system and method for passively identifying encrypted and interactive network sessions described herein may distribute a passive vulnerability scanner in a network, wherein the passive vulnerability scanner may observe traffic travelling across the network and reconstruct a network session from the observed traffic. The passive vulnerability scanner may then analyze the reconstructed network session to determine whether the session was encrypted or interactive (e.g., based on randomization, packet timing characteristics, or other qualities measured for the session). Thus, the passive vulnerability scanner may monitor the network in real-time to detect any devices in the network that run encrypted or interactive services or otherwise participate in encrypted or interactive sessions, wherein detecting encrypted and interactive sessions in the network may be used to manage changes and potential vulnerabilities in the network. | 09-22-2011 |
20110231936 | Detection of vulnerabilities in computer systems - Systems, methods, and apparatus, including computer program products, for detecting a presence of at least one vulnerability in an application. A method is provided that includes modifying instructions of the application to include at least one sensor that is configurable to generate an event indicator, wherein the event indicator includes at least some data associated with the event; storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application; analyzing the stored event indicators; detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and reporting the presence of at least one vulnerability. | 09-22-2011 |
20110231937 | GENERATING A MULTIPLE-PREREQUISITE ATTACK GRAPH - In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge. | 09-22-2011 |
20110239303 | THREAT MANAGEMENT SYSTEM AND METHOD - In a threat management system and method for managed systems, leveraging of identifications and/or assessments of common threats, and/or valuation of assets which may be susceptible to common threats, can be applied to facilitate monitoring of customer compliance with policies needed to guard against threats to customer assets. Threat identification and response in managed systems may be tailored for different customers, in some instances without having to parse individual customer details, such as assets at risk and types of threats to those assets. | 09-29-2011 |
20110252479 | METHOD FOR ANALYZING RISK - A method for analyzing risk to a system, the method being carried out by a computer having a processor and system memory, includes the steps of inputting data representing multiple threat objectives that comprise the risk, calculating a residual risk for each threat objective in view of a plurality of control mechanisms, and generating output representing an overall residual risk to the system that is a combination of the residual risks. | 10-13-2011 |
20110258703 | Detecting Secure or Encrypted Tunneling in a Computer Network - Aspects of the present disclosure relate to a computer assisted method for detecting encrypted tunneling or proxy avoidance which may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds and attempting to negotiate a standard HTTPS session with each of the at least one destination. Further, the computer assisted method may further include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determining may be based on characteristics of a Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a TCP/IP connection. | 10-20-2011 |
20110265184 | SECURITY MONITORING METHOD, SECURITY MONITORING SYSTEM AND SECURITY MONITORING PROGRAM - A security monitoring method is disclosed for acquiring plural items of observation information representative of a security state of a device, and for judging whether or not the device is secure through a policy based on the plural items of observation information. Transmission information that is defined as information representative of relevant observation information is retained. It is determined whether or not security judgment is possible through said transmission information alone in place of the plural items of observation information. When it is possible, the transmission information is transmitted in place of all or part of said plural items of observation information. | 10-27-2011 |
20110271348 | PORTABLE PROGRAM FOR GENERATING ATTACKS ON COMMUNICATION PROTOCOLS AND CHANNELS - A security analyzer is capable of generating attacks to test the security of a device under analysis. The security analyzer further has the capability to generate a portable, executable program to generate specified attacks. In this way, others can recreate the attacks without requiring access to the security analyzer. | 11-03-2011 |
20110277034 | SYSTEM AND METHOD FOR THREE-DIMENSIONAL VISUALIZATION OF VULNERABILITY AND ASSET DATA - The system and method for three-dimensional visualization of vulnerability and asset data described herein may provide a management console that integrates various active vulnerability scanners, various passive vulnerability scanners, and a log correlation engine distributed in a network. In particular, the management console may include a three-dimensional visualization tool that can be used to generate three-dimensional visualizations that graphically represent vulnerabilities and assets in the network from the integrated information that the management console collects from the active vulnerability scanners, the passive vulnerability scanners, and the log correlation engine distributed in the network. As such, the three-dimensional visualization tool may generate three-dimensional representations of the vulnerabilities and assets in the network that can be used to substantially simplify management of the network. | 11-10-2011 |
20110277035 | Detection of Malicious System Calls - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting malicious system calls. In one aspect, a method includes monitoring a function vulnerable to a buffer overflow attack; receiving a call to the function, the call associated with a call stack, the call stack including one or more base pointers, and a destination buffer associated with the function; identifying a first critical memory address vulnerable to the buffer overflow attack comprising: determining the first critical memory address based on a base pointer of the one or more base pointers, wherein the base pointer address is greater than an address of the destination buffer; identifying a first address based on the base pointer of the one or more base pointers; and determining that the first address is a critical memory address in response to the first address being greater than the address of the destination buffer. | 11-10-2011 |
20110296528 | SYSTEM AND METHOD FOR CREATING AND EXECUTING PORTABLE SOFTWARE - This invention generally relates to a process, system and computer code for creating a portable unit on a first computer to be executed on remote computers including creating an execution file having one or more tasks for deployment, said tasks having command line arguments executable as variables by the remote computer, assembled into a single execution file, validating the tasks and organizing nested tasks, said organizing step including collecting nested task information for each task and accounting for all dependencies to insure that files, tasks, and environments for running on one or more remote computers are present in the portable unit, said step of creating an execution file further including, reading the task file, scanning for event dependencies and embedding files and links needed for remote execution of the execution file, storing the dependencies in a dependency file, scanning for security, verifying the task file for proper formatting. | 12-01-2011 |
20110302657 | SECURITY COUNTERMEASURE FUNCTION EVALUATION PROGRAM - In a security countermeasure function evaluation apparatus, an estimator operates an input unit, whereby an evaluation point calculation unit makes an evaluation as to whether each item of countermeasure information representing a security countermeasure function in detail satisfies each item of sufficient condition table information, and the evaluation point is calculated from the evaluation result of each item, whereby the transition probability calculation unit calculates a transition probability based on the evaluation point. | 12-08-2011 |
20110302658 | METHOD, APPARATUS, AND SYSTEM FOR ENABLING A SECURE LOCATION-AWARE PLATFORM - A method, apparatus, and system enable a secure location-aware platform. Specifically, embodiments of the present invention may utilize a secure processing partition on the platform to determine a location of the platform and dynamically apply and/or change security controls accordingly. | 12-08-2011 |
20110307957 | Method and System for Managing and Monitoring Continuous Improvement in Detection of Compliance Violations - A computer implemented method, data processing system, and computer program product are provided for using compliance violation risk data about an entity to enable an identity management system to dynamically adjust the frequency with which the identity management system performs a reconciliation and compliance check of an identity account associated with the entity. Data associated with an identity account is collected, wherein the data comprises at least one of compliance data, prior compliance violations, or personal data about an entity associated with the identity account. One or more risk factors for the identity account based on the collected data are determined. A risk score of the identity account is calculated based on the determined risk factors. The identity account is then audited with a frequency according to the risk score assigned to the identity account. | 12-15-2011 |
20110314549 | METHOD AND APPARATUS FOR PERIODIC CONTEXT-AWARE AUTHENTICATION - A method for authenticating access to an electronic document. The method includes identifying a context event associated with a user seeking access to the electronic document, receiving from the user a plurality of context data, and analyzing the plurality of context data to generate one or more derived context data. The method may also include receiving from an authentication module a context request, and in response to the context request, generating a context report, wherein the context report includes at least the one or more derived context data, and is configured to enable the authentication module to authenticate the user's access to the electronic document using a first authentication mechanism. The method may also include communicating the context report to the authentication module, monitoring the user to identify an occurrence of the context event, and upon identifying the occurrence of the context event, generating a context event flag, the context event flag configured to inform the authentication module to reauthenticate the user's access to the electronic document. | 12-22-2011 |
20110321164 | METHOD AND SYSTEM FOR ADAPTIVE VULNERABILITY SCANNING OF AN APPLICATION - A method and system for adaptive vulnerability scanning (AVS) of an application is provided. The adaptive vulnerability scanning of an application assists in identifying new vulnerabilities dynamically. The endpoints of an application are scanned using a predefined set of rules. Subsequently, one or more possible vulnerabilities are presented. The vulnerabilities are analyzed and the predefined rules are modified. The steps of scanning the application and modifying the rules are repeated iteratively until the adaptive vulnerability scanning capability is achieved. A neural network is used for training the adaptive vulnerability scanner. This neural network is made to learn some rules based on the predefined set of rules while undergoing the training phase. At least one weight in the neural network is altered while imparting the self-learning capability. | 12-29-2011 |
20110321165 | System and Method for Sampling Forensic Data of Unauthorized Activities Using Executability States - A method includes receiving a list of target addresses, locating a first page table entry corresponding to the first page, and determining the first executability state. When the first executability state is non-executable, a first set of one or more target addresses that correspond to the first page, and a second set of one or more target addresses that correspond to one or more pages other than the first page are identified. One or more target addresses are stored in breakpoint registers of the computer system. The first executability state of the first page table entry is set as executable, and the executability states of page table entries that correspond to the second set of target addresses are set as non-executable. When the first address matches one of the target addresses stored in the breakpoint registers, forensic data is recorded. | 12-29-2011 |
20110321166 | System and Method for Identifying Unauthorized Activities on a Computer System Using a Data Structure Model - A computer implemented method includes monitoring activity on the virtual machine. A plurality of activities being performed at the virtual machine is identified. Each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target. The activity sources, activity targets, and associations are stored in the memory. A fingerprint indicative of the activity on the virtual machine is created from the stored activities. The fingerprint is transmitted to prevent future attacks that comprise the same or similar activities as indicated by the fingerprint. | 12-29-2011 |
20120011590 | SYSTEMS, METHODS AND DEVICES FOR PROVIDING SITUATIONAL AWARENESS, MITIGATION, RISK ANALYSIS OF ASSETS, APPLICATIONS AND INFRASTRUCTURE IN THE INTERNET AND CLOUD - The present invention determines a situational awareness for alerting, mitigating error, distortion or failures, and managing the Internet (or equally component intranets), connected networks and cloud infrastructure. Specifically, this invention focuses on determining who originates messages, from what system, and the path taken, thereby analyzing the reputation of all the nodes and links through which data passes. | 01-12-2012 |
20120017280 | APPARATUS AND METHOD FOR DETECTING, PRIORITIZING AND FIXING SECURITY DEFECTS AND COMPLIANCE VIOLATIONS IN SAP® ABAP™ CODE - A static code analysis (SCA) tool, apparatus and method detects, prioritizes and fixes security defects and compliance violations in SAP® ABAP™ code. The code, meta information and computer system configuration settings are transformed into an interchangeable format, and parsed into an execution model. A rules engine is applied to the execution model to identify security and compliance violations. The rules engine may include information about critical database tables and critical SAP standard functions, and the step of applying the rules engine to the execution model may include the calculation of specific business risks or whether a technical defect has a business-relevant impact. In particular, an asset flow analysis may be used to determine whether critical business data is no longer protected by the computer system. Such critical business data may include credit or debit card numbers, financial data or personal data. | 01-19-2012 |
20120017281 | SECURITY LEVEL DETERMINATION OF WEBSITES - A site analysis system to determine a security level of a website comprises a communication transceiver and a processing system. The communication transceiver is configured to receive content information associated with the website describing a current state of the website, receive historical event information associated with the website, and receive external information associated with the website from a source external to the website. The processing system is configured to process the content information to determine a content score for the website, process the historical event information and the external information to determine a reputational score for the website, and process the content score and the reputational score to generate a final score for the website. | 01-19-2012 |
20120023586 | DETERMINING PRIVACY RISK FOR DATABASE QUERIES - A system and method for evaluating security exposure of a query includes evaluating a security risk for a query input to a database configured to generate a response to the query. The query has a plurality of attributes and the security risk is evaluated by determining a risk for each of the plurality of attributes and/or determining an exposure consequence based on at least the query. An overall risk is computed based upon attribute risks and consequences. The overall risk is associated and reported with the query. | 01-26-2012 |
20120030767 | SYSTEM AND METHOD FOR PERFORMING THREAT ASSESSMENTS USING SITUATIONAL AWARENESS - Systems, methods, and computer program products are provided for performing threat assessments. In one exemplary embodiment, the method may include generating one or more patterns of behavior corresponding to a security breach at a first company, and storing the generated one or more patterns in a pattern repository. In addition, the method may include comparing at least one of the one or more patterns with one or more standardized log files for the first company to identify one or more first log entries related to the behavior corresponding to the security breach. The method may also include processing at least one pattern of the one or more patterns with one or more standardized log files for a second company to identify log entries of the second company that indicate a possible security breach at the second company. | 02-02-2012 |
20120036579 | SYSTEM AND METHOD FOR DETECTING ABNORMAL SIP TRAFFIC ON VOIP NETWORK - Provided is a system for detecting abnormal traffic on a network. The system includes: a receiving module which receives session initiation protocol (SIP) traffic information from a network; a decoding module which receives the SIP traffic information from the receiving module and decodes the received SIP traffic information; a traffic information database (DB) which receives the decoded SIP traffic information from the decoding module and stores the received SIP traffic information; an analysis traffic information DB which collects information from the traffic information DB for a predetermined period and stores the collected information as analysis traffic information; a reference traffic information DB which stores reference traffic information; and an attack detection module which compares the analysis traffic information with the reference traffic information and detects whether analysis traffic is attack traffic. | 02-09-2012 |
20120036580 | SELECTIVE WEBSITE VULNERABILITY AND INFECTION TESTING - In embodiments of the present invention improved capabilities are described for selective website vulnerability and infection testing and intelligently paced rigorous direct website testing. By providing robust website content integrity checking while only lightly loading the website hosting server, visitor bandwidth availability is maintained through selective testing and intelligently paced external website exercising. A modular pod-based computing architecture of interconnected servers configured with a sharded database facilitates selective website testing and intelligent direct website test pacing while providing scalability to support large numbers of website testing subscribers. | 02-09-2012 |
20120042383 | ADAPTING A SECURITY TOOL FOR PERFORMING SECURITY ANALYSIS ON A SOFTWARE APPLICATION - A system and method for adapting a security tool for performing security analysis on a software application. In one embodiment, a method includes maintaining a registry of security tools; receiving code for a software application; and comparing component criteria for each security tool against each component of the software application, wherein the component criteria for each respective security tool indicate which components the respective security tool is designed to analyze for security vulnerabilities. The method also includes generating a tool-specific package for each component of the software application, wherein the tool-specific package comprises one or more security tools that are designed to analyze the respective component for security vulnerabilities. | 02-16-2012 |
20120042384 | PERFORMING SECURITY ANALYSIS ON A SOFTWARE APPLICATION - A system and method for performing security analysis on a software application. In one embodiment, a method includes receiving application architecture information for a software application; and determining an application type based on the application architecture information. The method also includes performing one or more security tests on the software application based on the application type and the application architecture information; and approving the software application to be available in an online marketplace if the software application passes the one or more security tests. | 02-16-2012 |
20120060221 | Prioritizing Malicious Website Detection - A computer implemented method includes identifying a universal resource locator and characterizing a traffic pattern associated with the universal resource locator. The traffic pattern can include referrer information, referring information, advertising network relationship information, and any combination thereof. The method can further include classifying the universal resource locator into a risk category based on the traffic pattern. | 03-08-2012 |
20120060222 | SECURITY STATUS AND INFORMATION DISPLAY SYSTEM - The present invention provides a system and method for reporting security information relating to a mobile device. A security component identifies security events on the mobile device that are processed on the mobile device or by a server. The security component then determines a security assessment for the mobile device based upon the detected security events. The security state assessment can be displayed in various different formats on the mobile device display or on a client computer through a user interface. The display may be persistent in the form of a desktop widget or home-screen item which enables the user or administrator to verify the functioning of security protection on the device and be alerted if the device needs attention without having to specifically seek such information. | 03-08-2012 |
20120072990 | COST FUNCTION FOR DATA TRANSMISSION - A method, system, and apparatus are disclosed for cost functions for data transmission. In one or more embodiments, the method, system, and apparatus involve assigning costs associated with the data transmission corresponding to risks. The method, system, and apparatus further involve adjusting data transmission performance parameters according to the costs and the risks. The risks are associated with potential danger, harm, and/or data loss. Data transmission operation costs are related to available radio frequency (RF) bandwidth, data transmission levels of service (LoS) and/or data transmission quality of service (QoS). In at least one embodiment, each different LoS has an associated trigger boundary, which is located at a specific distance away from a risk area and indicates where and/or when to begin data transmission. The risks are related to a number of various factors including topographical features of a terrain, weather factors, conflict factors, crime factors, terrorism factors, and/or environmental region factors. | 03-22-2012 |
20120072991 | METHODS AND SYSTEMS FOR RATING PRIVACY RISK OF APPLICATIONS FOR SMART PHONES AND OTHER MOBILE PLATFORMS - Methods and systems for evaluating and rating privacy risks posed by applications intended for deployment on mobile platforms. Validating the “intent” of a mobile platform application vis-à-vis its impact on user privacy, as viewed from an end-user's perspective allows those end-users to make better-informed decisions concerning the downloading, installation and/or operation of mobile platform applications. In making such assessments user preferences can be taken into account. Privacy scores are provided through sales channels for the applications, thereby affording potential users the opportunity to assess whether they wish to incur the associated privacy risk, before purchasing a subject application. | 03-22-2012 |
20120079598 | TIERED RISK MODEL FOR EVENT CORRELATION - A method for real-time threat monitoring includes identifying two or more real time vulnerabilities, each associated with one or more objects of an enterprise, correlating the two or more real-time vulnerabilities to each other, applying a risk tiering model to the correlated real-time vulnerability, thereby classifying the correlated real-time vulnerability into risk tiers, and initiating an alert based on the correlated real-time vulnerability and the risk tiers into which the correlated real-time vulnerability is classified. According to other embodiments a method includes applying a risk methodology to log data contained in one or more object logs thereby identifying one or more security events, applying a risk tiering model to the one or more security events, thereby classifying the security events into risk tiers, and initiating an alert based on the security events and the risk tiers into which the security events are classified. | 03-29-2012 |
20120084866 | METHODS, SYSTEMS, AND MEDIA FOR MEASURING COMPUTER SECURITY - Methods, systems, and media for measuring computer security are provided. In accordance with some embodiments, methods for measuring computer security are provided, the methods comprising: making at least one of decoys and non-threatening access violations accessible to a first user using a computer programmed to do so; maintaining statistics on security violations and non-violations of the first user using a computer programmed to do so; and presenting the statistics on a display. | 04-05-2012 |
20120084867 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR ASSESSING INFORMATION SECURITY - Methods and systems to assess information security based on a combination of user responses to computer-selected queries and results of a testing/diagnostic application. Users may be interviewed based on areas of expertise. Information security assessment may be performed with respect to domains of an enterprise, the results of which may be rolled up to assess information security across the enterprise. A system may include application-specific questions and vulnerabilities, industry-specific questions and vulnerabilities, a repository of expert knowledge, and/or working aids. A system may include an inference engine, which may include a logic-based inference engine, a knowledge-based inference engine, and/or an artificial intelligence inference engine. A system may include an application-specific tool to configure the system to assess security of information handled by a third-party application program. | 04-05-2012 |
20120096557 | VARIABLE RISK ENGINE - The invention provides systems and methods for risk assessment using a variable risk engine. A method for risk assessment may comprise setting an amount of real-time risk analysis for an online transaction, performing the amount of real-time risk analysis based on the set amount, and performing an amount of time-delayed risk analysis. In some embodiments, the amount of real-time risk analysis may depend on a predetermined period of time for completion of the real-time risk analysis. In other embodiments, the amount of real-time risk analysis may depend on selected tests to be completed during the real-time risk analysis. | 04-19-2012 |
20120096558 | Assessing Threat to at Least One Computer Network - Apparatus configured to determine predicted threat activity based on stochastic modelling of threat events capable of affecting at least one computer network in which a plurality of systems operate. | 04-19-2012 |
20120102570 | SDI-SCAM - A distributed multi-agent system and method is implemented and employed across at least one intranet for purposes of real time collection, monitoring, aggregation, analysis and modeling of system and network operations, communications, internal and external accesses, code execution functions, network and network resource conditions as well as other assessable criteria within the implemented environment. Analytical models are constructed and dynamically updated from the data sources so as to be able to rapidly identify and characterize conditions within the environment (such as behaviors, events, and functions) that are typically characteristic with that of a normal state and those that are of an abnormal or potentially suspicious state. The model may further recommend (or alternatively implement autonomously or semi-autonomously) optimal remedial repair and recovery strategies as well as the most appropriate countermeasures to isolate or neutralize the threat and its effects. | 04-26-2012 |
20120110668 | Use of Popularity Information to Reduce Risk Posed by Guessing Attacks - A popularity determination module (PDM) is described which reduces the effectiveness of statistical guessing attacks. The PDM operates by receiving a password (or other secret information item) from a user. The PDM uses a model to determine whether the password is popular among a group of users. If so, the PDM may ask the user to select another password. In one implementation, the model corresponds to a probabilistic model, such as a count-min sketch model. The probabilistic model provides an upper-bound assessment of the number of times that a password has been encountered. Further, the probabilistic model provides false positives (in which passwords are falsely assessed as popular) at a rate that exceeds a prescribed minimum rate. The false positives are leveraged to reduce the effectiveness of statistical guessing attacks by malicious entities. | 05-03-2012 |
20120110669 | METHOD AND SYSTEM FOR ANALYZING AN ENVIRONMENT - A system for analyzing an environment to identify a security risk, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters. | 05-03-2012 |
20120110670 | SYSTEM AND METHOD FOR ANALYZING A PROCESS - A system for analyzing a process, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and including components representing a process for provisioning and de-provisioning of access credentials for an individual in the environment and a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters, and to use a results plan to provide data for identifying the security risk using the multiple instances. | 05-03-2012 |
20120110671 | METHOD AND SYSTEM FOR ANALYZING AN ENVIRONMENT - A system for analyzing an environment to identify a security risk in a process, comprising a model engine to generate a model of the environment using multiple components defining adjustable elements of the model and including components representing a patching process for the environment, a risk analyzer to calculate multiple randomized instances of an outcome for the environment using multiple values for parameters of the elements of the model selected from within respective predefined ranges for the parameters, and to use a results plan to provide data for identifying a security risk in the patching process using the multiple instances. | 05-03-2012 |
20120110672 | SYSTEMS AND METHODS FOR CLASSIFICATION OF MESSAGING ENTITIES - Methods and systems for operation upon one or more data processors for biasing a reputation score. A communication having data that identifies a plurality of biasing characteristics related to a messaging entity associated with the communication is received. The identified plurality of biasing characteristics related to the messaging entity associated with the communication based upon a plurality of criteria are analyzed, and a reputation score associated with the messaging entity is biased based upon the analysis of the identified plurality of biasing characteristics related to the messaging entity associated with the communication. | 05-03-2012 |
20120110673 | Inoculator and antibody for computer security - In an embodiment of the invention, a method includes: determining, in a computer, an area where an undesired computer program will reside; and providing a data object in the area, so that the data object is an antibody that provides security to the computer and immunity against the undesired program. Another embodiment of the invention also provides an apparatus (or system) that can be configured to perform at least some of the above functionalities. | 05-03-2012 |
20120110674 | METHODS AND SYSTEMS FOR RATING PRIVACY RISK OF APPLICATIONS FOR SMART PHONES AND OTHER MOBILE PLATFORMS - Methods and systems for evaluating and rating privacy risks posed by applications intended for deployment on mobile platforms. Validating the “intent” of a mobile platform application vis-à-vis its impact on user privacy, as viewed from an end-user's perspective allows those end-users to make better-informed decisions concerning the downloading, installation and/or operation of mobile platform applications. In making such assessments user preferences can be taken into account. Privacy scores are provided through sales channels for the applications, thereby affording potential users the opportunity to assess whether they wish to incur the associated privacy risk, before purchasing a subject application. | 05-03-2012 |
20120117654 | METHODS AND SYSTEMS FOR MANAGING A POTENTIAL SECURITY THREAT TO A NETWORK - Methods, systems and computer readable mediums storing computer executable programs for managing a potential security threat to a network are disclosed. Network data received at a network system within a network is monitored at a network management system. A determination is made at the network management system regarding whether the network data received at the network system poses a potential security threat to the network. A threat type associated with the potential security threat is identified at the network management system based on the determination. A threat assessment system operable to evaluate the identified threat type is identified at the network management system. A command is issued from the network management system to the network system to mirror network data received at the network system to the identified threat assessment system. | 05-10-2012 |
20120117655 | System, Method, and Computer Program Product for Identifying Vulnerabilities Associated with Data Loaded in Memory - A system, method, and computer program product are provided for identifying vulnerabilities associated with data loaded in memory. In operation, a subset of data that is loaded in memory is identified. Additionally, the subset of data is compared to a list of known data. Furthermore, there is a reaction based on the comparison. | 05-10-2012 |
20120124669 | Hindering Side-Channel Attacks in Integrated Circuits - A mechanism is provided for protecting a layer of functional units from side-channel attacks. A determination is made as to whether one or more subsets of functional units in a set of functional units in the layer of functional units is performing operations of a critical nature. Responsive to a determination that there is one or more subsets of functional units that are performing the operations of the critical nature, at least one concealing pattern is generated in a concealing layer in order to conceal the operations of the critical nature being performed by each of the subset of functional units. The concealing layer is electrically and physically coupled to the layer of functional units. | 05-17-2012 |
20120124670 | ANALYZING THE SECURITY OF COMMUNICATION PROTOCOLS AND CHANNELS FOR A PASS THROUGH DEVICE - A security analyzer includes a single software application that both sends test messages to a device under analysis (DUA) and receives response messages generated by the DUA in response to the test messages. In this way, synchronization of which response messages correspond to which test messages can be reduced or avoided. The software application further determines whether the DUA operated correctly by analyzing the received response messages. | 05-17-2012 |
20120131677 | IMAGE VULNERABILITY REPAIR IN A NETWORKED COMPUTING ENVIRONMENT - Embodiments of the present invention provide an approach to repair vulnerabilities (e.g., security vulnerabilities) in images (e.g., application images) in a networked computing environment (e.g., a cloud computing environment). Specifically, an image is checked for vulnerabilities using a database of known images and/or vulnerabilities. If a vulnerability is found, a flexible/elastic firewall is established around the image so as to isolate the vulnerability. Once the firewall has been put in place, the vulnerability can be repaired by a variety of means such as upgrading the image, quarantining the image, discarding the image, and/or generating a new image. Once the image has been repaired, the firewall can be removed. | 05-24-2012 |
20120131678 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR VIRTUAL PATCHING - A system, method, and computer program product are provided for virtual patching. Initially, information associated with at least one vulnerability of a computer application is collected. Further, at least one host interface is identified that is capable of being used to access the vulnerability. In use, data sent to the at least one host interface is analyzed to determine whether the data is unwanted, based on the information. | 05-24-2012 |
20120137367 | CONTINUOUS ANOMALY DETECTION BASED ON BEHAVIOR MODELING AND HETEROGENEOUS INFORMATION ANALYSIS - The present disclosure describes a continuous anomaly detection method and system based on multi-dimensional behavior modeling and heterogeneous information analysis. A method includes collecting data, processing and categorizing a plurality of events, continuously clustering the plurality of events, continuously model building for behavior and information analysis, analyzing behavior and information based on a holistic model, detecting anomalies in the data, displaying an animated and interactive visualization of a behavioral model, and displaying an animated and interactive visualization of the detected anomalies. | 05-31-2012 |
20120137368 | APPARATUS, SYSTEM AND METHOD FOR PREVENTING DATA LOSS - A device and method are provided for a device that communicates security information to a user entering content into the device. In an aspect, the device may access content from a server over a connection through the network. The device displays the content on a user interface of the device. The device detects information entered into a field of the displayed content and evaluates a security state of the device. If the security state is below a security threshold and the entered information is identified as protected information based on stored criteria, the device displays a visual indication on the user interface. | 05-31-2012 |
20120137369 | MOBILE TERMINAL WITH SECURITY FUNCTIONALITY AND METHOD OF IMPLEMENTING THE SAME - Disclosed herein is a mobile terminal with security functionality and a method of implementing the mobile terminal. The mobile terminal with security functionality includes a storage unit, a first module, a second module, and a third module. The storage unit stores a list of risky function combinations which may cause security risks. The first module monitors functions included in an application to be installed or running in the mobile terminal. The second module assesses security vulnerabilities based on whether a combination of the monitored functions corresponds to a risky function combination and/or security attributes of the mobile terminal. The third module takes countermeasures when a security vulnerability has been found based on the assessment. | 05-31-2012 |
20120137370 | PLATFORM FOR ANALYZING THE SECURITY OF COMMUNICATION PROTOCOLS AND CHANNELS - A security analyzer tests the security of a device by attacking the device and observing the device's response. Attacking the device includes sending one or more messages to the device. A message can be generated by the security analyzer or generated independently of the security analyzer. The security analyzer uses various methods to identify a particular attack that causes a device to fail or otherwise alter its behavior. Monitoring includes analyzing data (other than messages) output from the device in response to an attack. Packet processing analysis includes analyzing one or more messages generated by the device in response to an attack. Instrumentation includes establishing a baseline snapshot of the device's state when it is operating normally and then attacking the device in multiple ways while obtaining snapshots periodically during the attacks. | 05-31-2012 |
20120144491 | Answering Security Queries Statically Based On Dynamically-Determined Information - A method includes analyzing execution of a software program, the software program having sources returning values, sinks that perform security-sensitive operations on those returned values or modified versions of the returned values, and flows of the returned values to the sinks, the analyzing determining a first set of methods having access to a value returned from a selected one of the sources. A static analysis is performed on the software program, the static analysis using the first set of methods to determine a second set of methods having calling relationships with the selected source, the static analysis determining whether the returned value from the selected source can flow through a flow to a sink that performs a security-sensitive operation without the flow to the sink being endorsed, and in response, indicating a security violation. Apparatus and computer program products are also disclosed. | 06-07-2012 |
20120144492 | Predictive Malware Threat Mitigation - The subject disclosure is directed towards protecting against malware, by classifying a user's risk level, which corresponds to a likelihood of malware being activated. To make the classification, data is collected that represents a probability of encountering malware, a probability of a user activating that malware, and the impact to the machine if it is activated. The classification maps to a protection level, which may be dynamically adjustable, e.g., based upon current risk conditions. The protection level determines a way to mitigate possible damage, such as by running a program as a virtualized program, running a virtualized operating system, or sandboxing a process. | 06-07-2012 |
20120144493 | SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing. | 06-07-2012 |
20120144494 | SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing. | 06-07-2012 |
20120151592 | STRING OPERATIONS WITH TRANSDUCERS - There is provided a computer-implemented method for analyzing string-manipulating programs. An exemplary method comprises describing a string-manipulating program as a finite state transducer. The finite state transducer may be evaluated with a constraint solving methodology to determine whether a particular string may be provided as output by the string-manipulating program. The constraint solving methodology may involve the use of one or more satisfiability modulo theories (SMT) solvers. A determination may be made regarding whether the string-manipulating program may contain a potential security risk depending on whether the particular string may be provided as output by the string-manipulating program. | 06-14-2012 |
20120151593 | DISTRIBUTED DENIAL OF SERVICE ATTACK DETECTION APPARATUS AND METHOD, AND DISTRIBUTED DENIAL OF SERVICE ATTACK DETECTION AND PREVENTION APPARATUS FOR REDUCING FALSE-POSITIVE - Provided is a DDoS attack detection apparatus including an information collecting unit to collect DDoS detection information including rate information about traffic change, variation of a first type flow and a Packet Per Second (PPS) for a second type flow, in which the rate information about traffic change is obtained using the packet count of packets input per unit time, the flow count of flows input per unit time and the byte count of bytes input per unit time; and a testing unit to calculate a probability of occurrence of the DDoS attack by use of a first probability determined by the rate information about traffic change, a second probability determined by the variation of the first type flow and a third probability determined by the PPS for the second type flow, and to detect occurrence of the DDoS attack based on the probability of occurrence of the DDoS attack. | 06-14-2012 |
20120151594 | SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing. | 06-14-2012 |
20120151595 | SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing. | 06-14-2012 |
20120151596 | SYSTEM AND METHOD FOR NETWORK VULNERABILITY DETECTION AND REPORTING - A system and method provide comprehensive and highly automated testing of vulnerabilities to intrusion on a target network, including identification of operating system, identification of target network topology and target computers, identification of open target ports, assessment of vulnerabilities on target ports, active assessment of vulnerabilities based on information acquired from target computers, quantitative assessment of target network security and vulnerability, and hierarchical graphical representation of the target network, target computers, and vulnerabilities in a test report. The system and method employ minimally obtrusive techniques to avoid interference with or damage to the target network during or after testing. | 06-14-2012 |
20120159634 | VIRTUAL MACHINE MIGRATION - Attesting a virtual machine that is migrating from a first environment to a second environment includes in response to initiation of migration of the virtual machine from the first environment to the second environment, accessing one or more stored trust values generated during the trusted boot of the virtual machine in the first environment, determining if the accessed trust values define a security setting sufficient for the second environment, and if the accessed trust values do not define a security setting sufficient for the second environment, performing a predetermined action in relation to the migration of the virtual machine to the second environment. | 06-21-2012 |
20120174228 | METHODS AND SYSTEMS FOR INTEGRATING RECONNAISSANCE WITH SECURITY ASSESSMENTS FOR COMPUTING NETWORKS - A reconnaissance and assessment (RA) tool can receive base information about the network, such as basic network information and details about an entity and personnel associated with network. The RA tool can utilize the base information to perform reconnaissance procedures on the network to identify the attack surface of the network. The RA tool can perform reconnaissance on the network, itself, and on other external sources, such as third party databases, search engines, and partner networks. Once the attack surface is identified, the RA tool can automatically perform appropriate security assessments on the attack surface. Additionally, if additional information is determined about the network during the security assessments, the RA tool can perform additional reconnaissance and security assessments based on the additional information. | 07-05-2012 |
20120174229 | Runtime Enforcement Of Security Checks - A method is disclosed that includes tracking untrusted inputs through an executing program into a sink, the tracking including maintaining context of the sink as strings based on the untrusted inputs flow into the sink. The method also includes, while tracking, in response to a string based on an untrusted input being about to flow into the sink and a determination the string could lead to an attack if the string flows into a current context of the sink, endorsing the string using an endorser selected based at least on the current context of the sink, and providing the endorsed string to the sink. Computer program products and apparatus are also disclosed. | 07-05-2012 |
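The context-dependent endorsement described in 20120174229 can be illustrated with a small runtime shim. The following is an added example, not code from the patent or its assignee: tainted strings carry a marker type, the sink context is inferred from the output buffer at the moment the string is about to flow into it, and the endorser (HTML text escaper, attribute escaper, or JavaScript string-literal encoder) is selected from that context. The page template, the `Tainted` marker and the simplified context classifier are assumptions made for this example.

```python
import html
import json
import re


class Tainted(str):
    """Marker for strings that derive from untrusted input (constructed example)."""


def sink_context(prefix):
    """Classify the sink context at the point where the next chunk is written,
    from the output emitted so far: inside a <script> body, inside a quoted
    attribute value, inside an unfinished tag, or ordinary element text.
    Hypothetical simplified classifier, sufficient for the templates below."""
    if re.search(r"<script[^>]*>(?:(?!</script>).)*$", prefix, re.S | re.I):
        return "js"
    tag = re.search(r"<[a-zA-Z][^<>]*$", prefix)
    if tag:
        if re.search(r'=\s*"[^"]*$', tag.group(0)):
            return "attr"
        return "tag"
    return "html"


# One endorser per context: HTML text, quoted attribute value, JavaScript string literal.
ENDORSERS = {
    "html": lambda s: html.escape(s, quote=False),
    "attr": lambda s: html.escape(s, quote=True),
    "js": lambda s: json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e"),
}


def write(out, chunk):
    """Append chunk to the output buffer, endorsing it first if it is tainted."""
    if isinstance(chunk, Tainted):
        ctx = sink_context("".join(out))
        if ctx == "tag":
            # No endorser makes untrusted data safe as a tag or attribute name.
            raise ValueError("untrusted data in tag/attribute-name position")
        chunk = ENDORSERS[ctx](chunk)
    out.append(str(chunk))
    return out


def render(name):
    """Constructed page that writes the same value into three different sink contexts."""
    out = []
    write(out, "<p>Hello, ")
    write(out, name)
    write(out, '</p><input value="')
    write(out, name)
    write(out, '"><script>var who = ')
    write(out, name)
    write(out, ";</script>")
    return "".join(out)


if __name__ == "__main__":
    print(render(Tainted("<script>alert(1)</script>")))
```

The point of keying the endorser on the current context rather than on the source is that the same input needs three different encodings here; a single global escaper would either break the JavaScript literal or leave the attribute breakable.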
20120174230 | System and Method for Management of Vulnerability Assessment - A system and method for an optimization of fulfillment workflow is disclosed. In accordance with embodiments of the present disclosure, a method may include: (i) receiving application data; (ii) determining that an application is in scope for vulnerability assessment based at least in part on the application data; (iii) receiving assessment information from an assessor related to an assessment of the application, the assessment identifying at least one vulnerability; (iv) communicating the information regarding the assessment to a remediator; (v) receiving one or more remediation tasks associated with the assessment, the one or more remediation tasks designed to remedy the at least one vulnerability; (vi) receiving an indication of performance of a remediation task of the one or more remediation tasks; (vii) communicating an indication that a remediation task has been completed based at least in part on the indication of performance of the remediation task; and (viii) receiving an indication of whether the remediation task remedied the at least one vulnerability. | 07-05-2012 |
20120174231 | Assessing System Performance Impact of Security Attacks - A method for assessing an impact of a security attack on a system includes defining a system affecting metric for an observation period as a fraction of time the system satisfies a defined specification, defining a resource failure based model and a resource usage based model for the system, obtaining results for each of a plurality of states of the resource failure based model and the resource usage based model, solving the resource failure based model and the resource usage based model and obtaining a term fraction of time each model spends on each of the plurality of states, obtaining a state probability according to the term fraction, and obtaining a measure of the system affecting metric according to the state probability. | 07-05-2012 |
20120180133 | Systems, Program Product and Methods For Performing a Risk Assessment Workflow Process For Plant Networks and Systems - Systems, methods, and program product to perform a cyber security risk assessment on a plurality of process control networks and systems comprising a plurality of primary network assets at an industrial process facility, are provided. An example of a system and program product can include an industrial and process control systems scanning module configured to identify networks and systems topology and to execute system and network security, vulnerability, virus, link congestion, node congestion analysis to thereby detect susceptibility to known threats to define potential vulnerabilities; a threats to vulnerabilities likelihood and consequences data repository module configured to determine a likelihood of each of a plurality of known threats exploiting identified vulnerabilities and to identify consequences of the exploitation to individual impacted systems and to overall plant operation; and a risk level evaluator module configured to determine a risk level rating for any identified vulnerabilities and provide recommended corrective actions. | 07-12-2012 |
20120185943 | CLASSIFICATION OF CODE CONSTRUCTS USING STRING ANALYSIS - A code construct in a computer-based software application is classified by seeding an analysis of an instruction code set of a computer-based software application with a seed for a seeding variable within the instruction code set, wherein the seed is an abstract value representation, performing the analysis to a fixed point, thereby producing a fixed point solution, selecting an invariant from the fixed point solution, wherein the invariant represents at least one value pointed to by a classification variable in a code construct within the instruction code set, and classifying the code construct with a classification that is applicable to the invariant in accordance with an application criterion. | 07-19-2012 |
20120185944 | METHODS AND SYSTEMS FOR PROVIDING RECOMMENDATIONS TO ADDRESS SECURITY VULNERABILITIES IN A NETWORK OF COMPUTING SYSTEMS - A solution recommendation (SR) tool can receive vulnerabilities identified by a vulnerability scanner and/or penetration testing tool. The SR tool can determine various approaches for remediating or mitigating the identified vulnerabilities, and can prioritize the various approaches based on the efficiency of the various approaches in remediating or mitigating the identified vulnerabilities. The SR tool can recommend one or more of the prioritized approaches based on constraints such as cost, effectiveness, complexity, and the like. Once the one or more of the prioritized approaches are selected, the SR tool can recommend the one or more prioritized approaches to third-party experts for evaluation. | 07-19-2012 |
20120185945 | SYSTEM AND METHOD OF MANAGING NETWORK SECURITY RISKS - A security risk management system comprises a vulnerability database, an asset database, a local threat intelligence database and a threat correlation module. The vulnerability database comprises data about security vulnerabilities of assets on a network gathered using active or passive vulnerability assessment techniques. The asset database comprises data concerning attributes of each asset. The threat correlation module receives threat intelligence alerts that identify attributes and vulnerabilities associated with security threats that affect classes of assets. The threat correlation module compares asset attributes and vulnerabilities with threat attributes and vulnerabilities and displays a list of assets that are affected by a particular threat. The list can be sorted according to a calculated risk score, allowing an administrator to prioritize preventive action and respond first to threats that affect higher risk assets. The security risk management system provides tools for performing preventive action and for tracking the success of preventive action. | 07-19-2012 |
20120192280 | APPARATUS FOR ENHANCING WEB APPLICATION SECURITY AND METHOD THEREFOR - A system that incorporates teachings of the present disclosure may include, for example, constructing a symbolic representation from a portion of a web application that generates a plurality of structured query language (SQL) queries, parsing the symbolic representation into a plurality of trees, and adapting the web application with PREPARE statements according to the plurality of trees. Additional embodiments are disclosed. | 07-26-2012 |
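To make the rewrite in 20120192280 concrete, the following added example (not the patent's code) shows the "before" query built by concatenation, a minimal rewriter that turns a symbolic representation of the query-building code into a prepared statement with bound parameters, and the resulting "after" lookup. The flat `("lit", text)` / `("var", name)` tree shape, the `users` table and the sample rows are assumptions made for the example; the database is an in-memory SQLite instance so it runs offline.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def lookup_concat(conn, name):
    """Before: query text assembled by concatenation; the value becomes SQL syntax."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def to_prepared(parts):
    """Rewrite a concatenation tree into a prepared statement.

    parts is the symbolic representation of the query-building code as a flat
    sequence of ("lit", text) and ("var", name) nodes (hypothetical tree shape).
    Each variable becomes a '?' placeholder; the quote characters the original
    code wrapped around a spliced value are dropped, because the driver quotes
    bound parameters itself."""
    template, params = [], []
    for i, (kind, value) in enumerate(parts):
        if kind == "var":
            template.append("?")
            params.append(value)
            continue
        if i + 1 < len(parts) and parts[i + 1][0] == "var" and value.endswith("'"):
            value = value[:-1]
        if i > 0 and parts[i - 1][0] == "var" and value.startswith("'"):
            value = value[1:]
        template.append(value)
    return "".join(template), params


# Symbolic form of the query-building code in lookup_concat (constructed).
QUERY_TREE = [
    ("lit", "SELECT name, secret FROM users WHERE name = '"),
    ("var", "name"),
    ("lit", "'"),
]


def lookup_prepared(conn, name):
    """After: the rewritten statement; the value is bound, never parsed as SQL."""
    template, params = to_prepared(QUERY_TREE)
    bound = {"name": name}
    return conn.execute(template, [bound[p] for p in params]).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"
    print("concatenated:", lookup_concat(conn, payload))   # returns every row
    print("prepared:    ", lookup_prepared(conn, payload))  # returns no row
```

A rewriter of this kind only handles variables spliced in as complete literal values; a variable that contributes a table name, a column list or an ORDER BY direction cannot be bound as a parameter and needs an allow-list instead.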
20120192281 | DETERMINING TECHNOLOGY-APPROPRIATE REMEDIATION FOR VULNERABILITY - A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between: a RID field, the contents of which denote an identification (ID) of a remediation (RID); at least one TID field, the contents of which denotes an ID of at least two technologies (TIDs), respectively; and at least one ACTID field, the contents of which denotes an ID of an action (ACTID). A method, of selecting a remediation that is appropriate to a technology present on a machine to be remediated, may include: providing such a machine-actionable memory; and indexing into the memory using a given RID value and a given TID value to determine values of the at-least-one ACTID corresponding to the given RID value and appropriate to the given TID value. | 07-26-2012 |
20120198555 | TESTING WEB SERVICES THAT ARE ACCESSIBLE VIA SERVICE ORIENTED ARCHITECTURE (SOA) INTERCEPTORS - Systems, methods, and computer program products are disclosed for testing web service-related elements, where the instructions of a web service-related element are statically analyzed to identify a characteristic of an output of the web service-related element, and where it is determined from a received response to a web service request that the web service request was processed by the web service-related element if at least a portion of the response matches the characteristic of the output of the web service-related element. | 08-02-2012 |
20120198556 | INSIDER THREAT PING AND SCAN - Embodiments of the present invention provide apparatuses and methods for identifying computer systems that pose a threat for potential dissemination of confidential information, and thereafter, scanning the computer systems for unauthorized activity related to potential dissemination of confidential information. Embodiments of the invention comprise compiling a list of user computer systems that are at risk of accessing, using, or disseminating confidential information; determining whether the computer systems on the list are available for scanning; and scanning the computer systems on the list to identify an incident related to potential or actual threats or breaches of confidential information. | 08-02-2012 |
20120198557 | DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO PRIVILEGE-ESCALATION ATTACKS - Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the data source. | 08-02-2012 |
20120198558 | XSS DETECTION METHOD AND DEVICE - The present invention discloses an XSS detection method for detecting the XSS vulnerabilities in a web page, comprising, for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which a dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content; if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device and a web site security scanning system and a web scanning system using such a device. | 08-02-2012 |
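The four steps of 20120198558 (insert a dedicated script per parameter, assemble the URL, acquire the page, simulate execution) map directly onto a small scanner. The following is an added example, not code from the patent: the target page, its accepted parameters and the `fetch` function that routes a URL to it are constructed stand-ins for a real HTTP round trip so the scanner runs offline, and "simulating execution" is reduced to parsing the returned HTML and checking whether a `<script>` element containing the per-parameter marker would be executed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

PAGE_URL = "http://example.test/search"          # constructed target
ACCEPTED_PARAMS = {"q": "shoes", "name": "guest"}  # baseline parameter-value pairs


def target_page(params):
    """Constructed page under test: 'q' is reflected raw, 'name' is escaped."""
    q = params.get("q", [""])[0]
    name = params.get("name", [""])[0]
    return ("<html><body><h1>Results for " + q + "</h1>"
            "<p>Hello, " + escape(name) + "</p></body></html>")


def fetch(url):
    """Offline stand-in for an HTTP GET of the assembled URL."""
    return target_page(parse_qs(urlsplit(url).query))


class ScriptCollector(HTMLParser):
    """Collects the bodies of <script> elements a browser would execute."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def simulate_execution(page_html, marker):
    """Return True if a script containing the marker would run in the page."""
    collector = ScriptCollector()
    collector.feed(page_html)
    return any(marker in body for body in collector.scripts)


def scan(page_url, params):
    """For each accepted parameter, inject the dedicated script and test reflection."""
    vulnerable = []
    for param in params:
        marker = "xss_probe_" + param          # unique per parameter
        probe = dict(params)
        probe[param] = "<script>" + marker + "()</script>"
        url = page_url + "?" + urlencode(probe)
        if simulate_execution(fetch(url), marker):
            vulnerable.append(param)
    return vulnerable


if __name__ == "__main__":
    print("parameters with reflected XSS:", scan(PAGE_URL, ACCEPTED_PARAMS))
```

Making the marker unique per parameter is what lets the scanner attribute a hit to the parameter whose processing is at fault when several values are reflected into the same page; in a real scanner the `fetch` step is an HTTP request and the simulation step is a headless browser or a JavaScript engine rather than an HTML parser.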
20120204267 | ADAPTIVE CONFIGURATION MANAGEMENT SYSTEM - An automated configuration management system (ACMS) oversees resources of a virtualized ecosystem by establishing a baseline configuration (including, e.g., security controls) for the resources; and, repeatedly, monitoring and collecting data from the resources, analyzing the data collected, making recommendations concerning configuration changes for the resources of the virtualized ecosystem based on the analysis, and either adopting and implementing the recommendations or not, wherein new states of the virtualized ecosystem and reactions to recommended changes are observed and applied in the form of new recommendations, and/or as adjustments to the baseline. The recommendations may be implemented automatically or only upon review by an administrator before being implemented or not. The various data may be analyzed according to benchmarks established for security and compliance criteria of the resources of the virtualized ecosystem, for example static/pre-defined or dynamically derived benchmarks/best practices. | 08-09-2012 |
20120210432 | LABEL-BASED TAINT ANALYSIS - A computer-implemented method and apparatus, adapted to receive a computer program, and dynamically analyze the computer program to determine flow of untrusted data with respect to a computer resource associated with the computer program. Based on the flow of untrusted data, the method and apparatus determine an abstraction of the computerized resource, and performing static analysis of the computer program with respect to the abstraction, wherein the static analysis is for identifying whether the computer program is susceptible to one or more possible security vulnerabilities. | 08-16-2012 |
20120210433 | EXFILTRATION TESTING AND EXTRUSION ASSESSMENT - An improved technique employs an automated agent inside the network perimeter, which generates and sends data packets to a listener outside the network perimeter. Along these lines, the automated agent generates data packets over a specified range of security parameters including port number, payload format, and communications protocol. The agent attempts to send these data packets across the network boundary through a firewall at an egress or other point of the network. The listener receives the data packets and analyzes the payload content of each received data packet for each value of the security parameters (e.g., port number, file type, and protocol). The listener then sends the results of the analysis to a report generator, which summarizes the analysis for an administrator of the network. | 08-16-2012 |
20120210434 | Security countermeasure management platform - A management platform that allows security and compliance users to view risks and vulnerabilities in their environment with the added context of what other mitigating security countermeasures are associated with that vulnerability and that are applicable and/or available within the overall security architecture. Additionally, the platform allows users to take one or more actions from controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place. | 08-16-2012 |
20120222122 | Mechanism for Generating Vulnerability Reports Based on Application Binary Interface/Application Programming Interface Usage - A method for generating vulnerability reports based on application binary interface/application programming interface usage may include extracting a binary file and a security report relating to a software program, the security report having a vulnerability list of pending vulnerabilities relating to the software program, and detecting, from the binary file, interface usage details associated with interfaces and shared libraries used by the software program. The interfaces include application binary interfaces (ABIs). The method may further include matching the interface usage details with the pending vulnerabilities of the vulnerability list, and generating a vulnerability report based on the matching. | 08-30-2012 |
20120222123 | Detection of Vulnerabilities in Computer Systems - Systems, methods, and apparatus, including computer program products, for detecting a presence of at least one vulnerability in an application. The method is provided that includes modifying instructions of the application to include at least one sensor that is configurable to generate an event indicator, wherein the event indicator includes at least some data associated with the event; storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application; analyzing the stored event indicators; detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and reporting the presence of at least one vulnerability. | 08-30-2012 |
20120233698 | Information System Security Based on Threat Vectors - A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system. | 09-13-2012 |
20120233699 | K-ZERO DAY SAFETY - Systems and methods for determining a safety level of a network vulnerable to attack from at least one origin to at least one target are described. Machines, components, and vulnerabilities in a network may be associated to one another. Degrees of similarity among the vulnerabilities may be determined and subsets of vulnerabilities may be grouped based on their determined degrees of similarity to one another. This data may be used to generate an attack graph describing exploitation of vulnerabilities and grouped vulnerabilities and defining vulnerability exploit condition relationships between at least one origin and at least one target. The attack graph may be analyzed using a k-zero day metric function to determine a safety level. | 09-13-2012 |
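The k-zero-day metric in 20120233699 counts how many distinct zero-day vulnerabilities an attacker must exploit to get from an origin to a target; grouping similar vulnerabilities matters because exploiting one member of a group is assumed to give the attacker the rest for free. The following is an added example, not the patent's code, with the attack graph reduced to host-to-host edges each labelled by the vulnerability exploited; the five-host topology, the vulnerability identifiers and the similarity grouping are constructed for the example.

```python
# Constructed attack graph: (source host, destination host, vulnerability exploited).
EDGES = [
    ("internet", "web", "v1"),
    ("web", "app", "v2"),
    ("app", "db", "v3"),
    ("internet", "vpn", "v4"),
    ("vpn", "db", "v4b"),
]

# Similarity grouping: v4 and v4b are judged the same kind of flaw (e.g. the same
# service and version on both hosts), so one zero-day covers both.  Vulnerabilities
# absent from the map form groups of their own.
GROUPS = {"v4": "remote-access-service", "v4b": "remote-access-service"}


def k_zero_day(edges, groups, origin, target):
    """Minimum number of distinct vulnerability groups an attacker must exploit
    along any path from origin to target; None if the target is unreachable.
    Enumerates simple paths, which is adequate for small graphs like this one."""
    adjacency = {}
    for src, dst, vuln in edges:
        adjacency.setdefault(src, []).append((dst, vuln))
    best = [None]

    def dfs(node, used, visited):
        if node == target:
            if best[0] is None or len(used) < best[0]:
                best[0] = len(used)
            return
        for nxt, vuln in adjacency.get(node, []):
            if nxt in visited:
                continue
            group = groups.get(vuln, vuln)
            dfs(nxt, used | {group}, visited | {nxt})

    dfs(origin, frozenset(), {origin})
    return best[0]


def is_k_zero_day_safe(k, edges, groups, origin, target):
    """True if every origin-to-target path needs more than k distinct zero-days."""
    needed = k_zero_day(edges, groups, origin, target)
    return needed is None or needed > k


if __name__ == "__main__":
    print("k with similarity grouping:   ", k_zero_day(EDGES, GROUPS, "internet", "db"))
    print("k treating each flaw as unique:", k_zero_day(EDGES, {}, "internet", "db"))
    print("1-zero-day safe:", is_k_zero_day_safe(1, EDGES, GROUPS, "internet", "db"))
```

The comparison between the two runs is the practical lesson: with the two remote-access flaws grouped, the vpn path costs a single zero-day, so the network is not even 1-zero-day safe, whereas counting every flaw separately would report 2 and overstate the safety level.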
20120233700 | SYSTEM AND METHOD FOR PERFORMING REMOTE SECURITY ASSESSMENT OF FIREWALLED COMPUTER - Methods and systems for scanning an endpoint terminal across an open computer network are disclosed. An exemplary method includes providing a scanner engine in a computer server in communication with an open computer network, and establishing a secure connection across the open computer network between the scanner engine and a scanner agent installed on the endpoint terminal in communication with the open computer network. Commands for collecting data regarding the endpoint terminal are sent from the scanner engine across the secure connection to the scanner agent. The scanner engine then receives the collected data from the scanner agent across the secure connection, analyzes the data to assess a current posture of the endpoint terminal, and determines any updates for the endpoint terminal from the analysis. Updates are sent across the secure connection to the scanner agent for installation on the endpoint terminal, and the secure connection may then be terminated. | 09-13-2012 |
20120240235 | METHODS AND SYSTEMS FOR PROVIDING A FRAMEWORK TO TEST THE SECURITY OF COMPUTING SYSTEM OVER A NETWORK - A security tool can utilize a vulnerability in a computing system or credentials for the computing system to gain access to the computing system. Once access is gained, the security tool can deliver an agent to the computing system. The agent can execute, detected or undetected, on the computing system in order to establish a network link between the computing system and the security tool. Once established, the security tool creates a virtual network interface on the computing system on which it is running and instructs the agent to relay network traffic between the virtual network interface of the computing system executing the security tool and the existing network interfaces of computing system executing the agent. | 09-20-2012 |
20120240236 | CRAWLING MULTIPLE MARKETS AND CORRELATING - A crawler program collects and stores application programs including application binaries and associated metadata from any number of sources such as official application marketplaces and alternative application marketplaces. An analysis including comparisons and correlations are performed among the collected data in order to detect and warn users about pirated or maliciously modified applications. | 09-20-2012 |
20120246730 | SYSTEM AND METHOD FOR PREDICTIVE MODELING IN A NETWORK SECURITY SERVICE - The system and method for predictive modeling in a network security service described herein may provide a scalable architecture that can model information relating to any specific threat or potential threat in a network and manage routing requests relating to the threat information among various entities participating in the security service. In particular, the scalable architecture may include various distributed databases that store serialized information describing threat instances, wherein a detection service may maintain information identifying entities associated with the databases storing the serialized information. Further, the security service may include a hierarchical subscriber name service that participating entities can traverse to locate the serialized threat information in the various databases and evaluate how the threat instances may have evolved or progressed through the network. | 09-27-2012 |
20120255020 | METHODS FOR ATTACK SURFACE MEASUREMENT - Methods and apparatus are provided for measuring the attack surface of a code library. In one embodiment, a method includes measuring the attack surfaces of a compiled code library, counting the number of each public item of a plurality of items of the compiled code library, and displaying a visualization of the measurement, wherein the visualization identifies each item type of the plurality of items of the compiled code library and the measurement of each item of the plurality of items of the compiled code library. | 10-04-2012 |
20120255021 | SYSTEM AND METHOD FOR SECURING AN INPUT/OUTPUT PATH OF AN APPLICATION AGAINST MALWARE WITH A BELOW-OPERATING SYSTEM SECURITY AGENT - A system for securing an electronic device may include a memory, a processor, one or more operating systems residing in the memory for execution by the processor, an input-output (I/O) device of the electronic device coupled to the operating system; and a security agent configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the I/O device. The security agent may be further configured to: (i) trap, at a level below all of the operating systems of the electronic device accessing an input/output (I/O) device, an attempted access of a facility for I/O operation with the I/O device; and (ii) using one or more security rules, analyze the attempted access to determine whether the attempted access is indicative of malware. | 10-04-2012 |
20120255022 | SYSTEMS AND METHODS FOR DETERMINING VULNERABILITY TO SESSION STEALING - Systems and methods for determining vulnerability to session stealing are disclosed. An example method includes intercepting, at a first computing device, an intercepted packet sent from a client to a second computing device different than the first computing device, the intercepted packet including a first instruction in a first portion of the intercepted packet, determining, using a template, a second portion of the intercepted packet that is a value that is changed by a calculated amount each time that the client sends a packet, changing the value by the calculated amount to determine a next value for a next packet, replacing the second portion of the intercepted packet with the next value to generate a modified packet, replacing the first portion of the modified packet with a second instruction, and transmitting the modified packet to the second computing device. | 10-04-2012 |
20120255023 | METHODS AND SYSTEMS OF DETECTING AND ANALYZING CORRELATED OPERATIONS IN A COMMON STORAGE - A method of detecting correlated operations in a common storage. The method comprises providing at least one input operation, each the input operation being designated to write uniquely identifiable data on a memory unit of an application, monitoring a plurality of output operations of the application, each the output operation includes data read from the memory unit, comparing between the at least one input operation and the plurality of output operations to identify at least one matching group of input and output operations wherein each member of the at least one matching group has correlated written or read data in a common correlated target address in the memory unit, and outputting an indication of the at least one matching group. | 10-04-2012 |
20120255024 | Compiling Information Obtained By Combinatorial Searching - Some embodiments, among others, include a search for sensitive information. Once a result of the search has been obtained, a score is assigned to the obtained result in accordance with a predefined criterion. | 10-04-2012 |
20120260344 | METHOD AND SYSTEM OF RUNTIME ANALYSIS - A method and a system for detecting one or more security vulnerabilities. The method comprises providing test instructions for an application, such as a web application or a client server application, adding test code to a code segment of the application according to the test instructions, sending at least one message to the application according to the test instructions at runtime thereof, monitoring test information pertaining to at least one reaction of the application to the at least one message during an execution of the test code, performing an analysis of the at least one reaction, and detecting a presence or an absence of at least one security vulnerability according to the analysis. | 10-11-2012 |
20120266246 | PINPOINTING SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS - A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library. | 10-18-2012 |
20120266247 | Automatic Inference Of Whitelist-Based Validation As Part Of Static Analysis For Security - A method includes performing taint analysis of a computer program and determining an original set of paths from sources to sinks. Each path corresponds to a vulnerability. The method includes determining for each variable whose type is a collection and is accessed in one of the paths in the original set of paths whether the variable points to a concrete value whose internal state is not tainted according to the taint analysis. The method further includes, for each of the variables whose type is a collection found not to be tainted according to the taint analysis, determining all points in the computer program where a membership check against the collection is performed. The method also includes, for each of the points, determining corresponding paths and removing those paths from the original set of paths to create a reduced set of paths. Apparatus and computer readable program products are also disclosed. | 10-18-2012 |
20120266248 | PINPOINTING SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS - A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library. | 10-18-2012 |
20120272322 | DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO PRIVILEGE-ESCALATION ATTACKS - Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the data source. | 10-25-2012 |
20120291132 | SYSTEM, METHOD AND PROGRAM PRODUCT FOR DYNAMICALLY PERFORMING AN AUDIT AND SECURITY COMPLIANCE VALIDATION IN AN OPERATING ENVIRONMENT - A system, method and program product for dynamically performing an audit and security compliance validation. The method includes providing a tool for performing a compliance check of installed computer applications running on a system, the tool including a first set and a second set of plug-ins. Further, the method includes scanning the system, using plug-ins selected from the first set to obtain a current inventory of applications currently installed on the system and selecting plug-ins from the second set to be run on the system in response to the current inventory of applications obtained, and automatically running the plug-ins selected from the second set for performing the compliance check on the system in response to a scheduling criteria identified for the system, where the second set of plug-ins perform the compliance check for only the applications currently installed on the system. | 11-15-2012 |
20120304299 | METHOD AND APPARATUS FOR DETECTING VULNERABILITY STATUS OF A TARGET - A computer implemented method for detecting vulnerability status of a target having interfaces and ports is provided. The method comprises tracking the occurrence of an event including at least one of a network interface becoming active and/or inactive, start and/or stop of a client network service using a port on an active network interface, start and/or stop of a server network service running on a port on an active network interface, and start and/or stop of a network service that does not entail the use of any port. A notification is generated that a possible vulnerability status altering event has occurred. Tracking the occurrence of the event includes tracking using at least one of an OS service, an OS command, a hook, and an API. | 11-29-2012 |
20120304300 | ENTERPRISE VULNERABILITY MANAGEMENT - An enterprise vulnerability management application (EVMA), enterprise vulnerability management process (EVMP) and system. In one embodiment, the EVMP may include executing computer software code on at least one computer hardware platform to receive login information from a user, inventory current information technology assets of the enterprise, conduct vulnerability scanning of the inventoried information technology assets, analyze vulnerability correlation and prioritization of the information technology assets, remediate one or more vulnerabilities of the information technology assets, and report to the user about the vulnerabilities and remediation undertaken. As part of the analysis, one or more vulnerability scores such as, for example, Common Vulnerability Scoring System (CVSS) scores, may be generated from base score metrics, temporal score metrics and environment score metrics. | 11-29-2012 |
20120304301 | CONFIDENTIALITY ANALYSIS SUPPORT SYSTEM, METHOD AND PROGRAM - Features of a confidentiality analysis support system include an attack flow model generating means that generates an attack flow model representing an attack flow which is likely to take place, as a model for analyzing confidentiality of an information system by assigning information which is defined independently from a connection state and a processing flow and which shows a function of a device, to a structure model representing the physical connection state of the device configuring the information system and a behavior model representing the processing flow executed in the device. | 11-29-2012 |
20120311711 | DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS - A method, including storing a test payload to a persistent state of an application and performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data. A dynamic analysis is then performed to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path. | 12-06-2012 |
20120311712 | TESTING WEB APPLICATIONS FOR FILE UPLOAD VULNERABILITIES - A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit. | 12-06-2012 |
20120311713 | DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS - A method, including storing a test payload to a persistent state of an application and performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data. A dynamic analysis is then performed to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path. | 12-06-2012 |
20120311714 | TESTING WEB APPLICATIONS FOR FILE UPLOAD VULNERABILITIES - A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit. | 12-06-2012 |
20120311715 | SYSTEM AND METHOD FOR PROTECTING A WEBSITE FROM HACKING ATTACKS - A system and method for protecting at least one server, in communication with a computer network, from hacking attacks including a scanner, a report processor and a control center. The scanner may monitor activity of the server, identify at least one security vulnerability, produce an automated report. The report processor may analyze the automated report and generate fixes for identified vulnerabilities. | 12-06-2012 |
20120317647 | Automated Exploit Generation - A system and method for automatically generating exploits, such as exploits for target code, is described. In some implementations, the system receives binary code and/or source code of a software application, finds one or more exploitable bugs within the software application, and automatically generates exploits for the exploitable bugs. | 12-13-2012 |
20120324581 | System, Method and Device for Cloud-Based Content Inspection for Mobile Devices - A content inspection system provides cloud-based content inspection for mobile devices. The content inspection system includes a content inspection server for receiving a request providing a digital fingerprint of content for evaluation for threats and a data reputation services server for maintaining a threat database. The content inspection system communicates with the mobile device using a service oriented architecture web services based on exchanges of messages between agents of the content inspection system and the mobile device. The content inspection server authenticates the received request belongs to a subscriber, and once the request is authenticated, the data reputation services server operates on the request to determine whether content identified by the digital fingerprint matches pre-existing claims in the threat database. The content inspection system generates a threat evaluation response for the mobile device based on reviewing the threat database for pre-existing claims. | 12-20-2012 |
20120324582 | SERVICE SYSTEM THAT DIAGNOSES THE VULNERABILITY OF A WEB SERVICE IN REAL TIME MODE AND PROVIDES THE RESULT INFORMATION THEREOF - A service system that diagnoses the vulnerability of a web service in real time mode and provides the result information thereof according to the present invention receives the input of a user web service address through the web service, automatically visits the corresponding web service to perform the real-time analysis on a web page and check if the web page has a vulnerability, and transmits the result information to a user PC. The service system can provide an intuitive service by displaying on the user screen the discovery of the vulnerability, the procedure and any external URL linked to the web page; find out the possibility of an outflow of the information contained in the URL by checking, on the basis of the web page analysis, whether a symbol or reserved word (system command) among the parameters has been filtered; and display the classification of vulnerabilities of the respective DBs by analyzing the result to be sent to an object system before it is displayed on the web page. Further, the service system retains the data on the vulnerability of each DB in a program as a resource to compare the data with the result received from the web service and identify a problem if present; includes a script analysis section; and conducts an analysis on links according to an analyzed portion of an index page so that the user can see the checking procedure via the followed link in real time mode, as well as the diagnosis progress up to that point whenever desired, and find the links being connected. Moreover, when the service system analyzes the web page, the user can easily check an external link section and detect any external domain, if present, which spreads a malicious code in the web service. In addition, the service system allows the user to check over the internet the items for the service diagnosis selected by the user and the diagnosis result, and thus to personally see the problems and solutions therefor. | 12-20-2012 |
20130007885 | BLACK-BOX TESTING OF WEB APPLICATIONS WITH CLIENT-SIDE CODE EVALUATION - Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions. | 01-03-2013 |
20130007886 | DETECTING SECURITY VULNERABILITIES IN WEB APPLICATIONS - Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability. | 01-03-2013 |
20130007887 | BLACK-BOX TESTING OF WEB APPLICATIONS WITH CLIENT-SIDE CODE EVALUATION - Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions. | 01-03-2013 |
20130014263 | SYSTEM AND METHOD FOR REMOTELY CONDUCTING A SECURITY ASSESSMENT AND ANALYSIS OF A NETWORK - A system and method for performing a security audit of a target network. The system includes a device that establishes a connection to the target network through a communication link. The device has reverse tunneling capabilities for establishing a secure tunnel over the Internet. The system also includes a receiving computer connected to the device through the secure tunnel established by the device over the Internet, and the receiving computer sends commands to the device for performing the security audit of the target network. The device is deployed onsite near the network and the receiving computer is located at a remote offsite location. Also, the device may be covertly hidden onsite near the network to simulate a malicious attack on the target network. | 01-10-2013 |
20130014264 | Systems and Methods For Implementing and Scoring Computer Network Defense Exercises - A process for facilitating a client system defense training exercise implemented over a client-server architecture includes designated modules and hardware for protocol version identification message; registration; profiling; health reporting; vulnerability status messaging; storage; access and scoring. More particularly, the server identifies a rule-based vulnerability profile to the client and scores client responses in accordance with established scoring rules for various defensive and offensive asset training scenarios. | 01-10-2013 |
20130014265 | UNIVERSAL PATCHING MACHINE - A universal patching machine is used to provide security for a computer system. A conversion function is generated for the patching machine that modifies input data to the computer system so that the computer system has an output and state that match the output and state that would be produced by a vendor-patched version of the computer system. The universal patching machine detects security vulnerabilities in intercepted data traffic. If a vulnerability violation is detected, the universal patching machine modifies the data traffic to remove the violation. Fixing the data traffic in this way ensures that the vulnerability cannot be exploited in an attack against the data network. The universal patching machine is formed from patch processors and a packet controller. The patch processors are formed from network patches. In operation, the patch processors detect vulnerabilities and issue modification commands that direct the packet controller to fix the data traffic. | 01-10-2013 |
20130019314 | INTERACTIVE VIRTUAL PATCHING USING A WEB APPLICATION SERVER FIREWALL - A plurality of templates for web application server firewall rules are generated. A vulnerability report for the web application is obtained. At least one web application server firewall rule is generated, using the vulnerability report and at least one of the plurality of templates. The at least one web application server firewall rule is tested. The at least one web application server firewall rule is deployed to run on the web application server firewall. | 01-17-2013 |
20130019315 | DESIGNING SECURITY INTO SOFTWARE DURING THE DEVELOPMENT LIFECYCLE - Systems, methods, and computer program products are provided for a comprehensive software security system. The overarching software security system described and claimed herein provides for a system that addresses all of the concerns and vulnerabilities present at the design level (i.e., new software applications) and the production level (i.e., pre-existing software applications) associated with software. Additionally, the system governs the individual security processes and practices. The software security system defines specific security practices and the timing for application of the practices within the overall software development lifecycle. Additionally, the disclosed software security system takes advantage of role specialization, such as security specialization, to increase effectiveness and limit conflicts of interest within the design process. | 01-17-2013 |
20130024942 | SYSTEM AND METHOD FOR DETECTING DATA EXTRUSION IN SOFTWARE APPLICATIONS - Comprehensive techniques identify data leaks in software applications using Asset Flow Analysis (AFA) to determine whether critical data leaves a system through an exit point such that the data is no longer protected by mechanisms of the system. A novel data extrusion mechanism makes use of a relevant subset of all the possible data paths detected by AFA using a knowledge base of critical business functions and critical database content. The system checks if any code performs read access to critical business data and subsequently transfers this data beyond the control limits of the target system. The knowledge base can be extended by configuring which database content is to be regarded as critical in any given organization. The approach is particularly valuable in protecting systems that manipulate, distribute, or store sensitive information associated with financial, business, or personal data, including SAP® ABAP™ software applications. | 01-24-2013 |
20130031634 | SYSTEM AND METHOD FOR NETWORK-BASED ASSET OPERATIONAL DEPENDENCE SCORING - A system and method in one embodiment includes modules for identifying an asset with a vulnerability risk, identifying a service running on a port on the asset, identifying a connection to the port, calculating an operational dependence role of the asset as a function of the service and the connection, and modifying the vulnerability risk based on the operational dependence role. Other embodiments include identifying a protocol of a data packet at the port, classifying the protocol into a protocol category with a protocol importance score, calculating a connection average for the asset, classifying the connection average into a connection category with a connection score, and calculating a service dependence score. Other embodiments include calculating a host dependence score, assigning a data importance score to data communicated by the asset, and calculating the operational dependence role as a function of the host dependence score and data importance score. | 01-31-2013 |
20130031635 | System, Method and Computer Readable Medium for Evaluating a Security Characteristic - A method, system and computer program product for evaluating an IDP entity, the method includes evaluating an effect of at least one IDP rule applied by the IDP entity on legitimate traffic, based upon a network model; evaluating an effect of at least one IDP rule applied by the IDP entity based upon a network model and an attack model; determining an effectiveness of the IDP entity in response to the evaluated effects. | 01-31-2013 |
20130055397 | DETECTING STORED CROSS-SITE SCRIPTING VULNERABILITIES IN WEB APPLICATIONS - A system for detecting security vulnerabilities in web applications, the system including, a black-box tester configured to provide a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, and an execution engine configured to detect the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determine, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction. | 02-28-2013 |
20130055398 | SYSTEMS AND METHODS FOR PERFORMING VULNERABILITY SCANS ON VIRTUAL MACHINES - Embodiments described herein relate to systems and methods for performing vulnerability scans on virtual machines. The systems and methods comprise a virtual asset tool that can instantiate a vulnerability scanner on a physical machine hosting a set of virtual machines. The vulnerability scanner can scan the virtual machines to identify any vulnerabilities, security flaws, or other risks, and can provide a result of the scan to the virtual asset tool. In embodiments, the virtual asset tool can examine the result of the scan to identify any vulnerabilities resulting from the scan. | 02-28-2013 |
20130055399 | AUTOMATIC ANALYSIS OF SECURITY RELATED INCIDENTS IN COMPUTER NETWORKS - Solutions for responding to security-related incidents in a computer network, including a security server, and a client-side arrangement. The security server includes an event collection module communicatively coupled to the computer network, an event analysis module operatively coupled to the event collection module, and a solution module operatively coupled to the event analysis module. The event collection module is configured to obtain incident-related information that includes event-level information from at least one client computer of the plurality of client computers, the incident-related information being associated with at least a first incident which was detected by that at least one client computer and provided to the event collection module in response to that detection. The event analysis module is configured to reconstruct at least one chain of events causally related to the first incident and indicative of a root cause of the first incident based on the incident-related information. The solution module is configured to formulate at least one recommendation for use by the at least one client computer, the at least one recommendation being based on the at least one chain of events, and including corrective/preventive action particularized for responding to the first incident. | 02-28-2013 |
20130055400 | METHOD FOR GENERATING CROSS-SITE SCRIPTING ATTACK - A method for generating a cross-site scripting attack is provided. An attack string sample is analyzed for obtaining a token sequence. A string word corresponding to each token is used to replace the token for generating a cross-site scripting attack string. Accordingly, a large number of cross-site scripting attacks are generated automatically, so as to execute a penetration test for a website. | 02-28-2013 |
20130055401 | TERMINAL AND METHOD FOR PROVIDING RISK OF APPLICATION USING THE SAME - A terminal includes an information collection unit to collect execution information of an application; a determination unit to select a first risk determination criterion in association with a first security item, and to determine first risk of the application with respect to the first security item based on the first risk determination criterion and the execution information; and a display unit to display the first risk of the application and the first security item. | 02-28-2013 |
20130055402 | DETECTING STORED CROSS-SITE SCRIPTING VULNERABILITIES IN WEB APPLICATIONS - A method for detecting security vulnerabilities in web applications can include providing a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, detecting the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determining, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction. | 02-28-2013 |
20130055403 | SYSTEM FOR DETECTING VULNERABILITIES IN WEB APPLICATIONS USING CLIENT-SIDE APPLICATION INTERFACES - An improved method and apparatus for client-side web application analysis is provided. Client-side web application analysis involves determining and testing, using client-side application interfaces and the like, data input points and analyzing client requests and server responses. In one embodiment, a security vulnerability analyzer is employed to analyze web page content for client-side application files, such as Flash files and Java applets, extract web addresses and data parameters embedded in the client-side application file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to a respective web server used to service the client-side application files. The security vulnerability analyzer analyzes the response from the server to ascertain if there are any security vulnerabilities associated with the interface between the client-side application file and the web server. | 02-28-2013 |
20130055404 | System And Method For Providing Impact Modeling And Prediction Of Attacks On Cyber Targets - Embodiments of a system and method are disclosed to provide impact modeling and prediction of attacks on cyber targets (IMPACT). An embodiment of the system and method creates a network model to describe the IT resources of an organization, creates a business model to describe the organization's mission, and creates a correlation model that correlates the network model and the business model to describe how the organization's mission relies on the IT resources. Proper analysis may show which cyber resources are of tactical importance in a cyber attack. Such analysis also reveals which IT resources contribute most to the organization's mission. These results may then be used to formulate IT security strategies and explore their trade-offs, which leads to better incident response. | 02-28-2013 |
20130061327 | System and Method for Evaluation in a Collaborative Security Assurance System - A security assurance system includes a back-end application and a computing resource. The back-end application receives a selection of a network security product that is associated with a protected network, and receives a selection of a threat from a plurality of threats stored on the security assurance system. The computing resource launches an evaluation of the security product based upon the threat, and reports to a user of the security assurance system a result of the evaluation. | 03-07-2013 |
20130061328 | INTEGRITY CHECKING SYSTEM - An integrity checking system provides improved monitoring of an electronic device for unauthorized access and modification. The integrity checking system includes a controller with a secure memory. The secure memory stores test profile information, such as test type, test subject, test action, expected test response, test frequency, and result action. The controller reads the test profile information and executes the defined tests to monitor the integrity of the device, and either permit normal operation, or execute the result action (e.g., terminate program execution) depending on the test results. | 03-07-2013 |
20130067581 | INFORMATION SECURITY CONTROL SELF ASSESSMENT - Apparatuses, computer readable media, methods, and systems are described for identifying risk assessment queries for assessing risk of a process, providing the identified risk assessment queries to a client device for presentation, receiving response data from the client device comprising responses to the risk assessment queries, determining response values for at least some of the risk assessment queries based on the received response data, and calculating a process risk metric based on the determined response values. | 03-14-2013 |
20130067582 | SYSTEMS, METHODS AND DEVICES FOR PROVIDING DEVICE AUTHENTICATION, MITIGATION AND RISK ANALYSIS IN THE INTERNET AND CLOUD - The present invention is a method to provide mechanisms and judgment to determine the ongoing veracity of “purported” devices (sometimes called spoofing) with such parameters as unique device ID, access history, paths taken and other environmental data (Device Authentication). | 03-14-2013 |
20130067583 | ANALYZING ACCESS CONTROL CONFIGURATIONS - A facility is described for analyzing access control configurations. In various embodiments, the facility comprises an operating system having resources and identifications of principals, the principals having access control privileges relating to the resources, the access control privileges described by access control metadata; an access control scanner component that receives the access control metadata, determines relationships between principals and resources, and emits access control relations information; and an access control inference engine that receives the emitted access control relations information and an access control policy model, analyzes the received information and model, and emits a vulnerability report. In various embodiments, the facility generates an information flow based on access control relations, an access control mechanism model, and an access control policy model; determines, based on the generated information flow, whether privilege escalation is possible; and when privilege escalation is possible, indicates in a vulnerability report that privilege escalation is possible. | 03-14-2013 |
20130067584 | Content-Checking of Embedded Content in Digitally Encoded Documents - Methods and apparatus for network security content-checking, in particular simplifying the critical element of a content-checker so that it can be trusted and implemented in hardware logic. A method comprises determining whether a digitally encoded document contains any embedded documents; content-checking, by means of at least one hard-ware-implemented content-checker, at least one of the embedded documents separately from those parts of the digitally encoded document within which it was embedded; and releasing a version of the digitally encoded document responsive to the content-checking. | 03-14-2013 |
20130074188 | METHODS AND SYSTEMS FOR IMPROVED RISK SCORING OF VULNERABILITIES - A security tool can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities based on base and optional CVSS vectors and additional factors that represent the evolving nature of vulnerabilities. Likewise, the security tool can determine an overall risk for vulnerabilities, an asset, and/or a collection of assets that encompasses a global view of an asset's risk and/or collection of assets' risk, business considerations of an entity that owns and controls the asset and/or the collection of assets, and the entity's associations. | 03-21-2013 |
20130086685 | SECURE INTEGRATED CYBERSPACE SECURITY AND SITUATIONAL AWARENESS SYSTEM - An integrated cyber security system for an organization, such as a governmental or private organization, is disclosed, as well as a method of monitoring security for such an organization against cyberspace vulnerabilities. One such method includes receiving a definition of physical and logical locations of data managed by the organization, and receiving a definition of one or more business rules representing detected circumstances under which the data may be compromised. The method also includes monitoring the data based on the business rules and definition of the physical and logical locations of data to detect a cyberspace or electronic data vulnerability. The method includes generating one or more reports based on monitoring the data and relating at least in part to access of the data, and communicating, via a secure communications module, the one or more reports to an individual included within a community of interest. | 04-04-2013 |
20130086686 | Automated Detection of Flaws and Incompatibility Problems in Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to a target deployment environment. Downgrader code in the application code is identified. Based on an input string, an output string that the downgrader code outputs in response to receiving the input string is identified. One or more sets of illegal string patterns are retrieved. Each of the one or more sets of illegal string patterns is associated with a corresponding deployment environment. The illegal string patterns are string patterns that a downgrader identifies in the information flow for security purposes. A determination is made as to whether the downgrader code is compatible with the target deployment environment based on the one or more sets of illegal string patterns and the output string. An output indicative of the results of the determining is generated. | 04-04-2013 |
20130086687 | CONTEXT-SENSITIVE APPLICATION SECURITY - In one implementation, a tag is associated with a tainted value of an application, and an output context of the application that is associated with output from the application that includes the tainted value is determined. A taint processing is applied to the tainted value in response to the output of the tainted value; the taint processing is compatible with the output context. | 04-04-2013 |
20130086688 | WEB APPLICATION EXPLOIT MITIGATION IN AN INFORMATION TECHNOLOGY ENVIRONMENT - Methods, systems, and computer program products are provided herein for facilitating security in an information technology environment. Web application security vulnerabilities are discovered and addressed by means of virtual patches deployed to components of the information technology environment. An intelligent feedback loop is created to fill the void in the security of the web application when implemented in the specific information technology environment, thereby providing end-to-end security application management through dynamic, pre-emptive, and proactive security awareness and protection in the information technology environment. As new web application security vulnerabilities are discovered, the vulnerability is diagnosed and resolved to preemptively prevent exploitation of the security vulnerability. | 04-04-2013 |
20130086689 | SECURITY VULNERABILITY CORRECTION - Systems and methods for addressing security vulnerability in a program code are described. The method comprises detecting a security vulnerability. The method further comprises identifying a set of security solutions specified within a specification repository, wherein each security solution is associated with the detected security vulnerability. The method further comprises presenting the set of security solutions to a user for selection. The method further comprises transforming a program code portion associated with the detected security vulnerability in conformance with a security solution selected by the user from the set of security solutions. | 04-04-2013 |
20130086690 | Hygiene-Based Computer Security - A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores. | 04-04-2013 |
20130091577 | METHODS AND SYSTEMS FOR AUTOMATED NETWORK SCANNING IN DYNAMIC VIRTUALIZED ENVIRONMENTS - Systems and methods for managing jobs to be scanned based on existence of processing nodes are described. One of the methods includes obtaining identification information regarding operation of a first set of the processing nodes from an inventory and creating a job for scanning the processing nodes of the first set for security vulnerability. The job includes the identification information. The method further includes verifying the inventory to determine the first identifying information of the first set of processing nodes for removal from the job and loading the job having second identifying information for a second set of processing nodes that remain after the verifying operation. | 04-11-2013 |
20130091578 | SYSTEM AND A METHOD FOR AUTOMATICALLY DETECTING SECURITY VULNERABILITIES IN CLIENT-SERVER APPLICATIONS - A method for automatically detecting security vulnerabilities in a client-server application where a client is connected to a server. The method is implemented by a computer having a processor and a software program stored on a non-transitory computer readable medium. The method includes automatically extracting, with the software program at the client, a description of one or more validation checks on inputs performed by the client. The method also includes analyzing the server, with the software program, by using the one or more validation checks on inputs performed by the client, to determine whether the server is not performing validation checks that the server must be performing. The method further includes determining that security vulnerabilities in the client-server application exist when the server is not performing validation checks that the server must be performing. A further method is proposed for preventing parameter tampering attacks on a running client-server application by enforcing the one or more validation checks on inputs performed by the client on each input that is submitted to the server. | 04-11-2013 |
20130091579 | INTELLIGENT CONNECTORS INTEGRATING MAGNETIC MODULAR JACKS AND INTELLIGENT PHYSICAL LAYER DEVICES - An apparatus comprises a connector, wherein the connector comprises i) a jack, wherein the jack comprises a) a plurality of electrical terminals, and b) a magnetic component electrically coupled to the plurality of electrical terminals; and ii) a physical layer device, wherein the physical layer device comprises a) a physical layer module, wherein the physical layer module comprises an interface configured to receive packets from the jack, and an interface bus configured to inspect the packets, and b) a network interface configured to, based on the inspection of the packets by the interface bus, provide the packets to a device separate from the physical layer device. | 04-11-2013 |
20130097708 | SYSTEM AND METHOD FOR TRANSITIONING TO A WHITELIST MODE DURING A MALWARE ATTACK IN A NETWORK ENVIRONMENT - A method is provided in one example embodiment that includes receiving a signal to enable a whitelist mode on a host in a network, terminating a process executing on the host if the process is not verified, and blocking execution of software objects on the host if the software objects are not represented on the whitelist. In more particular embodiments, the method also includes identifying the process on a process list that enumerates one or more processes executing on the host. Yet further embodiments include quarantining the host if a second process on the process list is a critical process and if the second process is not verified. More specific embodiments include identifying and restarting another process on the process list if process memory was modified. | 04-18-2013 |
20130097709 | USER BEHAVIORAL RISK ASSESSMENT - A predetermined particular behavioral profile is identified associated with at least one particular user of a computing system, the particular behavioral profile identifying expected behavior of the at least one user within the computing system. Activities associated with use of the computing system by the particular user are identified and it is determined whether the identified activities correlate with the particular behavioral profile. Identifying an activity that deviates from the particular behavioral profile beyond a particular threshold triggers a risk event relating to the particular user. | 04-18-2013 |
20130097710 | MOBILE RISK ASSESSMENT - At least one available wireless access point is identified at a particular location and a connection is established with the available wireless access point. Communication is attempted with a trusted endpoint over the wireless access point and the attempted communication with the trusted endpoint over the wireless access point is monitored to assess risk associated with the wireless access point. Results of the assessment, in some instances, can be reported to an access point risk manager and risk associated with future attempts to use the wireless access point can be assessed based at least in part on the reported assessment results. | 04-18-2013 |
20130097711 | MOBILE RISK ASSESSMENT - A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried-out at least in part by an endpoint device interfacing with and testing the particular wireless access point. | 04-18-2013 |
20130104236 | PERVASIVE, DOMAIN AND SITUATIONAL-AWARE, ADAPTIVE, AUTOMATED, AND COORDINATED ANALYSIS AND CONTROL OF ENTERPRISE-WIDE COMPUTERS, NETWORKS, AND APPLICATIONS FOR MITIGATION OF BUSINESS AND OPERATIONAL RISKS AND ENHANCEMENT OF CYBER SECURITY - Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform. | 04-25-2013 |
20130104237 | Managing Risk Associated With Various Transactions - Systems, methods and computer-readable media for managing risk associated with various transactions are provided. Such methods may include identifying a consumer-based software application for analysis and classifying the consumer-based software application into a plurality of consumer-facing transactions. Each consumer-facing transaction may be rated according to at least one category or criteria. Further, each rating may be converted into a numeric value. Another aspect of the invention may relate to receiving an identification of a list of threats to each of the consumer-facing transactions. These threats may be categorized into threat categories. The impact of each of the threats may be forecasted. The overall impact of the threats as forecasted may be calculated. Yet another aspect of the invention may relate to receiving an identification of a plurality of threat controls that control at least a portion of the plurality of threats. | 04-25-2013 |
20130111592 | MOBILE APPLICATION SECURITY AND MANAGEMENT SERVICE | 05-02-2013 |
20130111593 | TRANSFORMING UNTRUSTED APPLICATIONS INTO TRUSTED EXECUTABLES THROUGH STATIC PREVIRTUALIZATION | 05-02-2013 |
20130111594 | DETECTION OF DOM-BASED CROSS-SITE SCRIPTING VULNERABILITIES | 05-02-2013 |
20130111595 | DETECTION OF DOM-BASED CROSS-SITE SCRIPTING VULNERABILITIES | 05-02-2013 |
20130125239 | INSIDER THREAT CORRELATION TOOL - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmission may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat. | 05-16-2013 |
20130133073 | SYSTEM AND METHOD FOR EVALUATING MARKETER RE-IDENTIFICATION RISK - Disclosures of databases for secondary purposes are increasing rapidly, and any identification of personal data from a dataset or database can be detrimental. A re-identification risk metric is determined for the scenario where an intruder wishes to re-identify as many records as possible in a disclosed database, known as a marketer risk. The dataset can be analyzed to determine equivalence classes for variables in the dataset and one or more equivalence class sizes. The re-identification risk metric associated with the dataset can be determined using a modified log-linear model by measuring a goodness-of-fit measure generalized for each of the one or more equivalence class sizes. | 05-23-2013 |
20130133074 | System And Method For Monitoring Network Traffic - Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic. | 05-23-2013 |
20130133075 | FIXING SECURITY VULNERABILITY IN A SOURCE CODE - A computer implemented method for automatically fixing a security vulnerability in a source code is disclosed. The method includes obtaining identification of code that sends tainted data to corresponding sink code in the source code; and automatically fixing the vulnerability by automatically performing code modification which is selected from the group of code modifications consisting of: code motion and code duplication. Also disclosed are computer program product and data processing system. | 05-23-2013 |
20130133076 | WEB VULNERABILITY REPAIR APPARATUS, WEB SERVER, WEB VULNERABILITY REPAIR METHOD, AND PROGRAM - A Web vulnerability repair apparatus ( | 05-23-2013 |
20130139266 | DETECTING VULNERABILITIES IN WEB APPLICATIONS - A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application. | 05-30-2013 |
20130139267 | DETECTING VULNERABILITIES IN WEB APPLICATIONS - A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application. | 05-30-2013 |
20130145472 | Preventing Execution of Task Scheduled Malware - A method for preventing malware attacks includes the steps of detecting an attempt on an electronic device to access a task scheduler, determining an entity associated with the attempt to access the task scheduler, determining a malware status of the entity, and, based on the malware status of the entity, allowing or denying the attempted access to the task scheduler. The task scheduler is configured to launch one or more applications at a specified time or interval. | 06-06-2013 |
20130152204 | INTERACTIVE ANALYSIS OF A SECURITY SPECIFICATION - Analyzing a security specification. An embodiment can include identifying a downgrader in a computer program under test. Testing on the downgrader can be performed in a first level of analysis. Responsive to the downgrader not passing the testing performed in the first level of analysis, a counter example for the downgrader can be automatically synthesized. Further, a test unit can be created for the downgrader using the counter example as an input parameter to the downgrader. The test unit can be executed to perform testing on the downgrader in a second level of analysis. Responsive to the downgrader passing the testing performed in the second level of analysis, a user can be prompted to simplify a model of the downgrader. | 06-13-2013 |
20130152205 | INTERACTIVE ANALYSIS OF A SECURITY SPECIFICATION - Analyzing a security specification. An embodiment can include identifying a downgrader in a computer program under test. Via a processor, testing on the downgrader can be performed in a first level of analysis. Responsive to the downgrader not passing the testing performed in the first level of analysis, a counter example for the downgrader can be automatically synthesized. Further, a test unit can be created for the downgrader using the counter example as an input parameter to the downgrader. The test unit can be executed to perform testing on the downgrader in a second level of analysis. Responsive to the downgrader passing the testing performed in the second level of analysis, a user can be prompted to simplify a model of the downgrader. | 06-13-2013 |
20130160128 | APPLICATION MONITORING THROUGH COLLECTIVE RECORD AND REPLAY - Methods and systems for application monitoring through collective record and replay are disclosed herein. The method includes recording a number of execution traces for an application from a number of user devices at a runtime library, wherein the number of execution traces relates to non-deterministic data. The method also includes replaying the number of execution traces to determine whether a behavior of the application creates a security risk. | 06-20-2013 |
20130160129 | SYSTEM SECURITY EVALUATION - A computing device may receive external activity data corresponding to a target system. The external activity data may include information corresponding to network-side information relating to the target system. The computing device may identify suspicious external activity, corresponding to the external activity data, based on an activity watchlist. The activity watchlist may include information corresponding to external activity systems associated with known sources of malicious activity. The computing device may generate a system security report based on the suspicious external activity identified. | 06-20-2013 |
20130160130 | APPLICATION SECURITY TESTING - In one implementation, an attack surface identification system defines an interface description of an application during execution of the application. The interface description is then provided to a scanner. | 06-20-2013 |
20130160131 | APPLICATION SECURITY TESTING - In one implementation, an application security system accesses an attack description and a data set from an application. The data set is based on an attack data set. The application security system correlates the data set with the attack description, and reports a security vulnerability for the application if the data set satisfies the attack description. | 06-20-2013 |
20130167237 | DETECTION OF SECOND ORDER VULNERABILITIES IN WEB SERVICES - A system for detecting a vulnerability in a Web service can include a processor configured to initiate executable operations including determining whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service and, responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicating that the Web service has a potential vulnerability. | 06-27-2013 |
20130167238 | SYSTEM AND METHOD FOR SCANNING FOR COMPUTER VULNERABILITIES IN A NETWORK ENVIRONMENT - A method in one embodiment includes identifying a set of known vulnerabilities and a set of new vulnerabilities in an asset, selecting one or more scripts that include checks for vulnerabilities in a union of the set of known vulnerabilities and the set of new vulnerabilities, and using the selected scripts to scan the asset. Known vulnerabilities and new vulnerabilities may be identified by accessing results of previous scans on the asset. The method may also include identifying a plurality of assets to scan in a network, identifying a plurality of sets of known vulnerabilities and a plurality of sets of new vulnerabilities in substantially all assets in the plurality of assets, and inserting checks for vulnerabilities included in a union of the plurality of sets of known vulnerabilities and the plurality of sets of new vulnerabilities into the selected scripts. | 06-27-2013 |
20130167239 | DETECTION OF SECOND ORDER VULNERABILITIES IN WEB SERVICES - A method of detecting a vulnerability in a Web service can include determining, using a processor, whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service. The method further can include, responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicating that the Web service has a potential vulnerability. | 06-27-2013 |
20130167240 | METHOD AND APPARATUS FOR DETECTING EVENTS PERTAINING TO POTENTIAL CHANGE IN VULNERABILITY STATUS - A method and apparatus for Vulnerability Assessment techniques are disclosed. A method comprises detecting an event on a target in real time or at periodic intervals, by at least one of an OS service, an OS command, a hook, and an API. The event comprises a change in status of at least one of a network interface, a server network service, a client network service, and a port. An apparatus comprises a target having at least one of a deployed server network service and a deployed client network service; and an agent deployed on the target, to detect an event on the target in real time or at periodic intervals. At least one of the agent and the VA server detects the event comprising a change in the status of at least one of a network interface, the server network service, the client network service, and a port. | 06-27-2013 |
20130167241 | Locating security vulnerabilities in source code | 06-27-2013 |
20130174259 | GEO-MAPPING SYSTEM SECURITY EVENTS - A particular security event is identified that has been detected as targeting a particular computing device included in a particular computing system. A particular grouping of assets in a plurality of asset groupings within the particular computing system is identified as including the particular computing device. A source of the particular security event is also identified and at least one of a geographic location and a grouping of assets in the plurality of asset groupings is associated with the identified source. Data is generated that is adapted to cause a presentation of a graphical representation of the particular security event on a display device, the graphical representation including a first graphical element representing the particular computing device as included in the particular grouping of assets and a second graphical element representing the source associated with the at least one of a geographic location and a grouping of assets. | 07-04-2013 |
20130174260 | TARGETED SECURITY TESTING - Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads. | 07-04-2013 |
20130174261 | System and Method of Securing Monitoring Devices on a Public Network - A method for determining whether or not a monitor is registered with a security service. The method includes using a device search engine to perform a search for and find a monitor. Then it is determined whether or not the found monitor is registered with the security service. When the found monitor is not currently registered with the security service, an owner of the unregistered monitor is automatically contacted. | 07-04-2013 |
20130174262 | TARGETED SECURITY TESTING - Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads. | 07-04-2013 |
20130174263 | AUTOMATED SECURITY ASSESSMENT OF BUSINESS-CRITICAL SYSTEMS AND APPLICATIONS - Systems and methods which provide a new application security assessment framework that allows auditing and testing systems to automatically perform security and compliance audits, detect technical security vulnerabilities, and illustrate the associated security risks affecting business-critical applications. | 07-04-2013 |
20130179977 | Assessing Social Risk Due To Exposure From Linked Contacts - An approach is provided in which a risk assessment is performed that assesses the risk to a user of an information handling system due to the user's link to a social network contact. Risky action values are received with the values corresponding to the social network contact. A risk level is calculated with the risk level corresponding to one or more of the risky action values. A preventative security action is then performed based on the calculated risk level. In another embodiment, an approach is provided in which the potential risks posed by a user are transmitted to the user's social network contacts. In this approach, potentially risky actions that are performed by the user are detected. Risky action values are identified that correspond to the detected potentially risky actions. The risky action values are then transmitted to the user's social network contacts over a computer network. | 07-11-2013 |
20130179978 | Automated Detection of Flaws and Incompatibility Problems in Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to a target deployment environment. Downgrader code in the application code is identified. Based on an input string, an output string that the downgrader code outputs in response to receiving the input string is identified. One or more sets of illegal string patterns are retrieved. Each of the one or more sets of illegal string patterns is associated with a corresponding deployment environment. The illegal string patterns are string patterns that a downgrader identifies in the information flow for security purposes. A determination is made as to whether the downgrader code is compatible with the target deployment environment based on the one or more sets of illegal string patterns and the output string. An output indicative of the results of the determining is generated. | 07-11-2013 |
20130179979 | DETECTING SECURITY VULNERABILITIES IN WEB APPLICATIONS - Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability. | 07-11-2013 |
20130191919 | CALCULATING QUANTITATIVE ASSET RISK - A standardized vulnerability score is identified for a particular vulnerability in a plurality of known vulnerabilities, the standardized vulnerability score indicating a relative level of risk associated with the particular vulnerability relative to other vulnerabilities. A vulnerability detection score is determined that indicates an estimated probability that a particular asset possesses the particular vulnerability, and a vulnerability composite score is determined for the particular asset to the particular vulnerability, the vulnerability composite score derived from the standardized vulnerability score and the vulnerability detection score. A countermeasure component score is identified that indicates an estimated probability that a countermeasure will mitigate risk associated with the particular vulnerability on the particular asset. A risk metric for the particular asset and the particular vulnerability is determined from the vulnerability composite score and the countermeasure component score. In some instances, aggregate risk scores can be calculated from a plurality of calculated risk metrics. | 07-25-2013 |
20130191920 | DYNAMICALLY SCANNING A WEB APPLICATION THROUGH USE OF WEB TRAFFIC INFORMATION - Collecting log file data from at least one log file. From the collected log file data, at least one HTTP request can be generated to exercise a web application to perform a security analysis of the web application. The HTTP request can be communicated to the web application. At least one HTTP response to the HTTP request can be received. The HTTP response can be analyzed to perform validation of the web application. Results of the validation can be output. | 07-25-2013 |
20130191921 | SECURITY STATUS AND INFORMATION DISPLAY SYSTEM - Systems and methods disclosed herein provide a local security component on a mobile device that may acquire data concerning a current configuration of the mobile device. The local security component may receive raw or partially processed data about events on the mobile device. The received data may be processed against a database containing identification data for security threats and against the current mobile device configuration data to assess a security state of the mobile device. The processing may include assigning a severity level for each event. The local security component may output to the mobile device the security state assessment results, including a first assessed security state of the mobile device. The raw or partially processed data about events on the mobile device may be transmitted to a server for processing. A second assessed security state of the mobile device may be received at the mobile device from the server. | 07-25-2013 |
20130198845 | MONITORING A WIRELESS NETWORK FOR A DISTRIBUTED DENIAL OF SERVICE ATTACK - An integrated circuit for monitoring a wireless network. The integrated circuit comprises a hardware interface configured to receive and access data packets transmitted over the wireless network; a programmable hardware accelerator configured to extract pertinent information from the data packets, the pertinent information for use in determining whether the wireless network is under a distributed denial of service (DDOS) attack; and a multi-core processor configured to receive the pertinent information and to determine whether the wireless network is under a DDOS attack based at least in part on the pertinent information provided by the programmable hardware. | 08-01-2013 |
20130198846 | Software Service to Facilitate Organizational Testing of Employees to Determine Their Potential Susceptibility to Phishing Scams - A software system and service for facilitating organizational testing of employees is disclosed, in order to evaluate their potential susceptibility to e-mail and Internet cybercrimes such as phishing. The e-mail addresses of a client organization's employees are provided to the system, a phishing e-mail is created and customized, a phishing e-mail campaign is run in which the phishing e-mail message is sent and the responses to the phishing e-mail are monitored, and the results of the e-mail campaign are provided for evaluation. The phishing e-mail may optionally contain attachments and various types of probes and “call home” mechanisms. | 08-01-2013 |
20130198847 | METHODS AND SYSTEMS FOR CYBER-PHYSICAL SECURITY MODELING, SIMULATION AND ARCHITECTURE FOR THE SMART GRID - A computer-implemented method for use in evaluating at least one threat to a complex system includes identifying one or more physical components of the complex system and modeling the one or more physical components with interactive software multi-agents. The multi-agents are programmed to monitor and control at least one function of the modeled physical components. One or more threats to a target of the complex system are identified. Each threat is defined as a cyber threat or physical threat and the target is defined as a cyber component or physical component. The method includes simulating an attack on the complex system by the identified threat and assessing an impact of the attack on the complex system. | 08-01-2013 |
20130198848 | REMEDIATION OF COMPUTER SECURITY VULNERABILITIES - A computer security vulnerability remediation system (CSVRS) is disclosed, including a CSVRS client communicatively coupled to a remediation server through a network. The CSVRS client includes software having a security vulnerability, which vulnerability may be known to malicious actors who develop an exploit. In some cases, the exploit is a “zero-day exploit,” meaning the vulnerability may not be known to the CSVRS client until the exploit is deployed. An RSP receives information about the exploit and vulnerability from a team of remediation experts. The RSP may prepare a remedial exploit, which carries a self-healing payload. The remedial exploit may be delivered either through the vulnerability itself, or through credentials granted by the CSVRS client to the RSP. The self-healing payload takes appropriate action, such as closing ports or disabling scripts, to prevent the vulnerability from being further exploited. | 08-01-2013 |
20130205397 | ADAPTIVE FUZZING SYSTEM FOR WEB SERVICES - Web applications, systems and services, which are prone to cyber-attacks, can utilize an adaptive fuzzing system and methodology to intelligently employ fuzzer technology to test web site pages for vulnerabilities. A breadth first search and minimal fuzzing testing is performed on identified pages of a web site looking for either a vulnerability or the potential for a vulnerability. Heuristics are gathered and/or generated on each tested web page to determine a vulnerability score for the page that is an indication of the page's potential for hosting a vulnerability. When a page is discovered with a vulnerability score that indicates the page has the potential for a vulnerability, a depth first search and expanded fuzzing testing is performed on one or more branches of the web site that begin with the page with the potential vulnerability. | 08-08-2013 |
20130205398 | AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING - Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output. | 08-08-2013 |
20130205399 | AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING - Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output. | 08-08-2013 |
20130212682 | AUTOMATIC DISCOVERY OF SYSTEM INTEGRITY EXPOSURES IN SYSTEM CODE - A technique is provided for detecting vulnerabilities in system code on a computer. Supervisor call routines and program call routines of the system code are analyzed to determine which are available to a caller program that is an unauthorized program and has a PSW key | 08-15-2013 |
20130212683 | Systems and Methods for Managing Data Incidents - Systems and methods for managing a data incident are provided herein. Exemplary methods may include receiving data breach data that comprises information corresponding to the data breach, automatically generating a risk assessment from a comparison of data breach data to privacy rules, the privacy rules comprising at least one federal rule and at least one state rule, each of the rules defining requirements associated with data breach notification laws, and providing the risk assessment to a display device that selectively couples with the risk assessment server. | 08-15-2013 |
20130212684 | Detecting Application Harmful Behavior and Grading Application Risks for Mobile Devices - In one embodiment, a method determines a permission list from an application and generates a set of potential behaviors. The potential behaviors are associated with actions that the application allows when executing on a mobile device where the potential behaviors are determined without execution of the application. The method then determines functional category information regarding a functional category from a set of application marketplaces that contain the application and determines application description information for the application. A required behavior list is generated including a set of required behaviors from the functional category information and the application description information. The method compares the required behaviors to the potential behaviors to determine a set of security related behaviors. The security related behaviors are behaviors found in the potential behaviors, but not in the required behaviors. A security rating is determined based on the set of security related behaviors. | 08-15-2013 |
20130212685 | NETWORK THREAT RISK ASSESSMENT TOOL - A method, system and computer program product is disclosed that provides timely, accurate and summarized information about possible threats to information technology environments. It is a tool that looks at multiple aspects of an IT threat, including both specific (traditional) IT threats and general (non-traditional) IT threats, and rates each threat's overall potential to do harm. A matrix is created that identifies a “threat score” to allow prioritization and reaction to the threats. The matrix takes both traditional IT threats and non-traditional IT threats and normalizes them on the same scale, giving users of the matrix the ability to understand the risks of both. | 08-15-2013 |
20130219503 | SYSTEM, METHOD AND COMPUTER READABLE MEDIUM FOR EVALUATING POTENTIAL ATTACKS OF WORMS - A method for evaluating potential attacks of worms, the method includes: associating, in response to information representative of a network and of worm entities, between worm entities and potential worm sources to provide associated worm sources; determining potential worm attacks that start from the associated worm sources; and evaluating at least one potential worm attack security metric associated with the potential worm attacks. | 08-22-2013 |
20130227693 | SOFTWARE MODULE OBJECT ANALYSIS - In one implementation, an object analysis system identifies an object within a software module, and determines a size of the object based on at least one operation within the software module. The object analysis system identifies the object and determines the size of the object without reference to source code of the software module. | 08-29-2013 |
20130227694 | HYGIENIC CHARGING STATION FOR MOBILE DEVICE SECURITY - A mobile device charging station configured to analyze, measure and respond to/correct the state of a mobile device. The charging station can employ an embedded cryptographic subsystem that can make use of anti-tamper/tamper evident techniques to protect stored firmware images/cryptographic material. | 08-29-2013 |
20130227695 | SYSTEMS AND METHODS FOR FIXING APPLICATION VULNERABILITIES THROUGH A CORRELATED REMEDIATION APPROACH - The invention relates to a system and method for fixing application vulnerabilities through a correlated remediation approach. This invention involves identifying application vulnerabilities through dynamic and static assessment of an application. The vulnerability instances reported in the static assessment are fixed using standard code fixes. The assessment results obtained from the static and the dynamic assessment are then correlated to identify how many vulnerability instances reported in the static assessment are fixed by fixing the code based on the standard code fix. If a vulnerability instance reported in the dynamic assessment corresponds to more than one vulnerability instance reported in the static assessment, then the shortest and most cost-effective path to fix the vulnerability instance is determined. These results are stored in a graph database, and based on the graph database the application vulnerabilities are fixed. An inference engine can be used to identify the correct fix for an application vulnerability. | 08-29-2013 |
20130227696 | Automated Security Management - A computerized method and system for managing security risk, where risk associated with a breach of security is analyzed and quantified according to weighted risk variables. The analysis is accomplished by a computerized security risk management system that receives information relating to physical, informational, communication and surveillance risk, and structures the information such that it can be related to risk variables and a security risk level can be calculated according to a relevance of associated risk variables. The security risk level can be indicative of a likelihood that a breach of security may occur relating to a particular transaction or facility. Similarly, a security confidence level can be indicative of how secure a particular facility or practice is and a security maintenance level can be indicative of a level of security that should be maintained in relation to an analyzed subject. | 08-29-2013 |
20130227697 | SYSTEM AND METHOD FOR CYBER ATTACKS ANALYSIS AND DECISION SUPPORT - A method for cyber attack risk assessment, the method comprising operating at least one hardware processor for: collecting global cyber attack data from a networked resource; collecting organizational profile data from a user, wherein the organizational profile data comprises: types of computerized defensive controls employed by the organization, a maturity of each of the computerized defensive controls, and organizational assets each pertaining to a business environment and each associated with at least one of the computerized defensive controls; and computing a cyber attack risk of the organization in real time, by continuously performing said collecting of global cyber attack data and comparing the global cyber attack data to the organizational profile data, to compute a cyber attack risk score for each of the organizational assets. | 08-29-2013 |
20130227698 | VULNERABILITY-DIAGNOSIS DEVICE - To diagnose vulnerabilities such as SQL injection, even for web-server devices that change the content of responses to requests in accordance with prescribed conditions. A normal-response collection means ( | 08-29-2013 |
20130232577 | Information System Security Based on Threat Vectors - A security system is provided. The system comprises a computer system, a memory accessible to the computer system, a data store, and an application. The data store comprises a threat catalog, wherein the threat catalog comprises a plurality of threat vectors, each threat vector comprising a plurality of fields, wherein each field is constrained to carry a value selected from a predefined list of enumerated values. The application is stored in the memory and, when executed by the computer system receives a threat report, wherein the threat report comprises an identification of at least one threat vector, determines a correlation between the at least one threat vector received in the threat report with the threat vectors comprising the threat catalog, and, based on the correlation, sends a notification to a stakeholder in an organization under the protection of the security system. | 09-05-2013 |
20130239217 | System, Method and Computer Program Product for Determining a Person's Aggregate Online Risk Score - Various embodiments of a system, method and computer program product for assessing an aggregate risk score for a user of a social network's online activities are described. The system may include an interface adapted to obtain information about online activities concerning a subject via a network such as the Internet. An analyzing component may be provided to analyze the collected information in order to find one or more potential dangers to the subject. The analyzing component may then associate a severity level with each identified potential danger and then assign a weight to each identified potential danger based on its associated severity level and the current age of the identified potential danger. Next, the analyzer may aggregate the weighted identified potential dangers in order to obtain an aggregate online risk score for the subject. | 09-12-2013 |
20130239218 | SECURITY SCANNING SYSTEM AND METHOD - The present disclosure provides a computer-readable medium, method, and system for determining security vulnerabilities for a plurality of application programs used to provide television services to a customer device over a communications network. The method includes running a first scanning program against a first application program relating to a control panel for the customer device; running a second scanning program against a second application program that provides Internet content to the customer device; running a third scanning program against a third application program that relates to a component management system of customer premises equipment; and correlating security vulnerabilities identified utilizing the first, second, and third scanning programs. | 09-12-2013 |
20130239219 | MINING SOURCE CODE FOR VIOLATIONS OF PROGRAMMING RULES - A method for software code analysis includes automatically processing a body of software source code ( | 09-12-2013 |
20130247203 | Identifying Relationships Between Security Metrics - A security metrics system receives security information data for a network system of computers and metric definitions from metric sources. Each metric definition defines a heuristic for calculating a score for the network system from one or more security signal values at a time in the plurality of times, wherein the score quantifies a security metric for the network system. The system calculates each metric definition for a plurality of times and selects metric definitions that are related to the performance of and are indicative of one or more other metric definitions as candidates to be key performance indicators. | 09-19-2013 |
20130247204 | SYSTEM AND METHOD FOR APPLICATION SECURITY ASSESSMENT - A system and method in one embodiment includes modules for running a test script to generate a request to a target application, receiving a response from the target application, and running a detector script to inspect the response for a vulnerability. More specific embodiments include a target web site, populating a work in a queue, where the work corresponds to content in the response, and running a second test script or detector script to generate a follow-up request to the application if the vulnerability has been identified in the response. Other embodiments include extracting the work from the queue, and running a second test script corresponding to the extracted work. Other embodiments include storing an injection in an injection cache, de-registering the injection from the injection cache if it is identified in the response, and re-crawling the application, if the injection has not been de-registered from the injection cache. | 09-19-2013 |
20130247205 | CALCULATING QUANTITATIVE ASSET RISK - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating quantitative risk metrics for assets and threats. Risk metrics are generated for individual assets and individual threats. These individual metrics can then be analyzed to generate aggregate risk metrics for assets, groups of assets, and threats. Assets and threats can be ordered according to their aggregate risk metrics. | 09-19-2013 |
20130247206 | SYSTEM AND METHOD FOR GROUPING COMPUTER VULNERABILITIES - A system and method in one embodiment includes modules for creating a vulnerability set including one or more vulnerabilities, adding the vulnerability set to a program, and updating the program by adding a new vulnerability to the vulnerability set. More specific embodiments include a program that includes a scan, creating the vulnerability set by generating a query including one or more conditions associated with the vulnerabilities, and creating the vulnerability set by selecting one or more vulnerabilities from a plurality of vulnerabilities. Other embodiments include a program that includes a report template, adding a vulnerability set to the report template by generating a query to include a condition associated with the vulnerability set, running a scan, and generating a report including one or more results from the scan meeting the condition associated with the vulnerability set. | 09-19-2013 |
20130247207 | SYSTEM AND METHOD FOR GROUPING COMPUTER VULNERABILITIES - A system and method in one embodiment includes modules for creating an asset tag including one or more conditions of an asset on a network, adding the asset tag to an asset report template, and generating an asset report from the asset report template. More specific embodiments include creating the asset tag by generating a query for the one or more conditions. The asset tag may include a second asset tag configured to be updated automatically, and a third asset tag configured to be updated manually, and the second asset tag may be updated automatically when the asset tag is updated. Other embodiments include creating a vulnerability set including a selection of vulnerabilities from a plurality of vulnerabilities, adding the vulnerability set to the asset report template, and scanning a plurality of assets on the network. | 09-19-2013 |
20130254894 | INFORMATION PROCESSING DEVICE, NON-TRANSITORY COMPUTER READABLE MEDIUM, AND INFORMATION PROCESSING METHOD - An information processing device includes an importance generation unit that generates importance information indicating an importance of an information processing apparatus on the basis of first apparatus information regarding the information processing apparatus, collected from the information processing apparatus, a crisis degree generation unit that generates crisis degree information indicating a level of a crisis which the information processing apparatus possibly suffers on the basis of second apparatus information regarding the information processing apparatus, collected from the information processing apparatus, and an evaluation unit that calculates an evaluation value on the basis of the importance information generated by the importance generation unit and the crisis degree information generated by the crisis degree generation unit. | 09-26-2013 |
20130254895 | NON-HARMFUL INSERTION OF DATA MIMICKING COMPUTER NETWORK ATTACKS - Non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected. | 09-26-2013 |
20130263272 | AUTOMATED IDENTIFICATION OF PHISHING, PHONY AND MALICIOUS WEB SITES - A method and system for automated identification of phishing, phony, and malicious web sites are disclosed. According to one embodiment, a computer implemented method comprises receiving a first input, the first input including a universal resource locator (URL) for a webpage. A second input is received, the second input including feedback information related to the webpage, the feedback information including an indication designating the webpage as safe or unsafe. A third input is received from a database, the third input including reputation information related to the webpage. Data is extracted from the webpage. A safety status is determined for the webpage, including whether the webpage is hazardous, by using a threat score for the webpage and the second input, wherein calculating the threat score includes analyzing the extracted data from the webpage. The safety status for the webpage is reported. | 10-03-2013 |
20130263273 | DETECTING SECURE OR ENCRYPTED TUNNELING IN A COMPUTER NETWORK - Aspects of the present disclosure relate to a computer assisted method for detecting encrypted tunneling or proxy avoidance which may include electronically receiving information from a proxy server, extracting information regarding a CONNECT function of Hyper Text Transport Protocol (HTTP) from the electronically received information, determining at least one destination to which the extracted information regarding the CONNECT function of HTTP corresponds, and attempting to negotiate a standard HTTPS session with each of the at least one destination. Further, the computer assisted method may include, for each of the at least one destination, determining whether the destination is hosting an encrypted tunneling or proxy avoidance application, wherein such a determination may be based on characteristics of a Secure Socket Layer (SSL) certificate associated with the destination or a response received from the destination over a TCP/IP connection. | 10-03-2013 |
20130276124 | SYSTEMS, METHODS, APPARATUSES AND COMPUTER PROGRAM PRODUCTS FOR PROVIDING MOBILE DEVICE PROTECTION - Systems, methods, apparatuses and computer program products for providing mobile device protection. Some example embodiments provide for analyzing the current risks associated with a user's mobile device and providing solutions to improve the security of the mobile device. Further, some example embodiments provide for analysis of the hardware and software configuration of a mobile device, the applications installed on a mobile device, the accounts on a mobile device, the user data stored on or accessed from a mobile device, and/or the current location of a mobile device and then comparing this device data to known risk data to provide a user with an increased awareness of the current risks associated with a mobile device. | 10-17-2013 |
20130276125 | SYSTEMS AND METHODS FOR ASSESSING SECURITY RISK - Systems and methods for providing identification tests. In some embodiments, a system and a method are provided for generating and serving to a user an animated challenge graphic comprising a challenge character set whose appearance may change over time. In some embodiments, marketing content may be incorporated into a challenge message for use in an identification test. The marketing content may be accompanied by randomly selected content to increase a level of security of the identification test. In some embodiments, a challenge message for use in an identification test may be provided based on information regarding a transaction for which the identification test is administered. For example, the transaction information may include a user identifier such as an IP address. In some embodiments, identification test results may be tracked and analyzed to identify a pattern of behavior associated with a user identifier. A score indicative of a level of trustworthiness may be computed for the user identifier. | 10-17-2013 |
20130276126 | WEBSITE SCANNING DEVICE AND METHOD - The invention discloses a website scanning apparatus for performing a security vulnerability scanning on a target website, which apparatus comprises: a web page obtaining component obtaining current content and/or features of a web page corresponding to a link to be processed; a link processing component including a change judgment device for judging whether the web page corresponding to the link to be processed has been changed based on stored web page content and/or features corresponding to the link to be processed as well as the current web page content and/or features of the link to be processed; and a vulnerability detecting component for performing a security vulnerability detection on a web page corresponding to a link to be processed for which the web page has been changed. The invention also discloses a website scanning method corresponding thereto. | 10-17-2013 |
20130291113 | PROCESS FLOW OPTIMIZED DIRECTED GRAPH TRAVERSAL - Embodiments disclosed herein relate to a process flow optimized directed graph traversal. In one embodiment, a processor performs a depth first traversal of the optimized directed graph where a node from a first node is not traversed until the nodes before the first node are traversed. The processor may output information associated with the nodes based on the traversal. | 10-31-2013 |
20130291114 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR COMBINING IP FRAGMENTATION EVASION TECHNIQUES - Methods, systems, and computer readable media for combining IP fragmentation evasion techniques are disclosed. According to one aspect, the subject matter described herein includes a method for combining IP fragmentation evasion techniques. In a packet network test device, a plurality of IP fragmentation evasion techniques are defined. An IP packet is generated and fragmented into a first set of IP packet fragments. To the first set of IP packet fragments, each of the multiple IP fragmentation evasion techniques are applied. This produces a second set of IP packet fragments, which are transmitted to the device under test. | 10-31-2013 |
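The combination of fragmentation evasion techniques described in 20130291114 above, as an added example written for this page (not code from the patent or from any test equipment vendor): a payload is fragmented, two evasion techniques (send fragments in reverse order, precede each non-final fragment with an overlapping decoy) are applied in sequence to the same fragment stream, and the stream is serialised as IPv4 fragments with valid header checksums. The reassembler with an explicit first-wins or last-wins overlap policy is included to show why the combined stream is useful for testing: an inspection device and the host behind it can reconstruct different payloads from the same fragments. Addresses, payload and fragment size are constructed.

```python
import struct
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int   # byte offset into the original transport payload; must be a multiple of 8
    more: bool    # More-Fragments flag
    data: bytes


def fragment(payload, size=8):
    """Split a transport payload into fragments of `size` bytes (the last one may be shorter)."""
    assert size % 8 == 0, "fragment offsets are expressed in 8-byte units"
    return [Fragment(off, off + size < len(payload), payload[off:off + size])
            for off in range(0, len(payload), size)]


# --- evasion techniques; each maps a fragment list to a new fragment list -------------------

def reverse_order(frags):
    """Send the final fragment (MF=0) first, so the receiver sees the total length before the data."""
    return list(reversed(frags))


def overlap_decoy(frags, filler=b"X"):
    """Precede every non-final fragment with a decoy carrying junk at the same offset and length.

    Which copy survives depends on the receiver's reassembly policy: a first-wins reassembler
    keeps the junk, a last-wins reassembler keeps the real data, so an inspection device and the
    host it protects can end up with different payloads.
    """
    out = []
    for f in frags:
        if f.more:
            out.append(Fragment(f.offset, True, filler * len(f.data)))
        out.append(f)
    return out


def apply_evasions(frags, techniques):
    """Apply each technique in order to the same fragment stream."""
    for technique in techniques:
        frags = technique(frags)
    return frags


# --- reassembly with an explicit overlap policy --------------------------------------------

def reassemble(frags, policy="first"):
    """Rebuild the payload; 'first' keeps the first byte seen at an offset, 'last' the most recent."""
    total, buf = None, {}
    for f in frags:
        if not f.more:
            total = f.offset + len(f.data)
        for i, b in enumerate(f.data):
            if policy == "last" or (f.offset + i) not in buf:
                buf[f.offset + i] = b
    if total is None or any(i not in buf for i in range(total)):
        return None  # incomplete
    return bytes(buf[i] for i in range(total))


# --- serialisation to on-the-wire IPv4 fragments -------------------------------------------

def ipv4_checksum(header):
    """RFC 791 ones-complement checksum; evaluates to 0 over a header that already carries its checksum."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def serialize(frags, src, dst, proto, ident, ttl=64):
    """Encode each Fragment as an IPv4 packet sharing the same Identification field."""
    pkts = []
    for f in frags:
        flags_frag = ((1 if f.more else 0) << 13) | (f.offset // 8)   # MF is bit 13; offset in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(f.data), ident, flags_frag,
                          ttl, proto, 0, _ip(src), _ip(dst))
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        pkts.append(hdr + f.data)
    return pkts


def parse_header(pkt):
    """Return (total_length, ident, more_fragments, fragment_offset_bytes) from an IPv4 header."""
    total_len, ident, flags_frag = struct.unpack("!2xHHH", pkt[:8])
    return total_len, ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8


if __name__ == "__main__":
    payload = b"GET /index.html HTTP/1.0\r\n\r\n"            # constructed transport payload
    stream = apply_evasions(fragment(payload, 8), [reverse_order, overlap_decoy])
    for p in serialize(stream, "192.0.2.1", "192.0.2.2", 6, 0x1234):
        print(parse_header(p), p[20:])
    print("first-wins :", reassemble(stream, "first"))
    print("last-wins  :", reassemble(stream, "last"))
```

Because each technique is a plain function over the fragment list, a test harness can enumerate combinations (or orderings) of techniques and feed every resulting stream to the device under test, comparing what the device reports against both reassembly policies.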
20130291115 | SYSTEM AND METHOD FOR LOGGING SECURITY EVENTS FOR AN INDUSTRIAL CONTROL SYSTEM - A system includes a security server including a memory and a processor configured to receive a first set of communications from a human machine interface (HMI) device, wherein the first set of communications relates to HMI device security events. The security server is also configured to receive a second set of communications from an industrial controller, wherein the second set of communications relates to industrial controller security events. The security server is further configured to package and send the received first and second sets of communications to a remote managed security service provider (MSSP) for analysis. | 10-31-2013 |
20130298242 | SYSTEMS AND METHODS FOR PROVIDING MOBILE SECURITY BASED ON DYNAMIC ATTESTATION - Instrumented networks, machines and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects (including mobile devices) and applications on the instrumented target platform. Methods and systems are disclosed for dynamic attestation of mobile device integrity based upon subject reputation scores. In an embodiment, a method scores trustworthiness of a mobile device based on reputation scores for users associated with the device and/or a device reputation score. The method generates runtime integrity alerts regarding execution anomalies for applications executing on the device, calculates risks based on a ruleset, and determines a calculus of risk for the device. The method sends endpoint events comprising data and content of the integrity warnings to a trust orchestrator, which generates an integrity profile based on the endpoint events. | 11-07-2013 |
20130298243 | SYSTEMS AND METHODS FOR ORCHESTRATING RUNTIME OPERATIONAL INTEGRITY - Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods use a graphical user interface (GUI) console to orchestrate operational integrity of a platform. In an embodiment, a method presents a data center-level runtime operational integrity dashboard and remediation controls for infected systems in a display of a platform having a network trust agent, an endpoint trust agent, and a trust orchestrator. The method receives runtime integrity metrics for trust vectors and displays risk indicators based on the confidence level of received integrity metrics in the GUI. The method provides remediation controls for threat containment and risk mitigation and displays remediation status and progress results and malware analytics in the GUI. | 11-07-2013 |
20130298244 | SYSTEMS AND METHODS FOR THREAT IDENTIFICATION AND REMEDIATION - Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Systems and methods for threat identification and remediation for computing platforms based upon reconnaissance-based intelligence correlation and network/application monitoring are disclosed. In an embodiment, a method provides runtime operational integrity of a system by receiving: a dynamic context including endpoint events; and network endpoint assessments. The method generates temporal events based on the network endpoint assessments and correlates the endpoint events and temporal events before generating an integrity profile for the system. In another embodiment, flow level remediation is provided to isolate infected or compromised systems from a computing network fabric using a network trust agent, an endpoint trust agent, and a trust orchestrator. | 11-07-2013 |
20130298245 | GENERATING VULNERABILITY REPORTS BASED ON APPLICATION BINARY INTERFACE/APPLICATION PROGRAMMING INTERFACE USAGE - A method for generating vulnerability reports based on application binary interface/application programming interface usage may include extracting, by a processing device, a binary file and a security report relating to a software program executed by the processing device, the security report having a vulnerability list of pending vulnerabilities relating to the software program, detecting, from the binary file, interface usage details associated with interfaces used by the software program and associated with shared libraries used by the software program, wherein the interfaces comprise application programming interfaces (APIs) corresponding to rules that the software program follows to access and use services and resources provided by another software program, matching the interface usage details with the pending vulnerabilities of the vulnerability list, and generating a vulnerability report based on the matching, wherein the vulnerability report comprises a list of the pending vulnerabilities based on their associated interface usage. | 11-07-2013 |
20130305376 | SYSTEMS, METHODS AND COMPUTER READABLE MEDIA FOR CALCULATING A SECURITY INDEX OF AN APPLICATION HOSTED IN A CLOUD ENVIRONMENT - The present invention provides a method and system for calculating a security index of an application hosted in a cloud environment. The application is mapped to a cloud service provider of the cloud environment, and a set of security controls and a set of security metrics applicable for the application are identified. The set of security controls and the set of security metrics are encapsulated into a security profile object by a security control module. A set of values of the set of security metrics are retrieved from the cloud service provider, by a cloud probe module, and the security index of the application is calculated. | 11-14-2013 |
20130305377 | SDI-SCAM - A distributed multi-agent system and method is implemented and employed across at least one intranet for purposes of real time collection, monitoring, aggregation, analysis and modeling of system and network operations, communications, internal and external accesses, code execution functions, network and network resource conditions as well as other assessable criteria within the implemented environment. Analytical models are constructed and dynamically updated from the data sources so as to be able to rapidly identify and characterize conditions within the environment (such as behaviors, events, and functions) that are typically characteristic with that of a normal state and those that are of an abnormal or potentially suspicious state. The model is further able to implement statistical flagging functions, provide analytical interfaces to system administrators and estimate likely conditions that characterize the state of the system and the potential threat. The model may further recommend (or alternatively implement autonomously or semi-autonomously) optimal remedial repair and recovery strategies as well as the most appropriate countermeasures to isolate or neutralize the threat and its effects. | 11-14-2013 |
20130312101 | Method for simulation aided security event management - A method for simulation aided security event management, the method comprises: generating attack simulation information that comprises multiple simulation data items of at least one data item type out of vulnerability instances data items, attack step data items and attack simulation scope data items; wherein the generating of attack simulation information is responsive to a network model, at least one attack starting point and attack action information; identifying security events in response to a correlation between simulation data items and event data; and prioritizing identified security events. | 11-21-2013 |
20130312102 | VERIFYING APPLICATION SECURITY VULNERABILITIES - Verifying application security vulnerabilities includes receiving source code to analyze, performing a static analysis on the received source code and generating a vulnerability call trace for it. Responsive to a determination that not all static analysis results have been validated, mock objects are generated using the vulnerability call trace and a unit test is created using the generated mock objects. The unit test is executed using the generated mock objects and, responsive to a determination that an identified vulnerability was validated, the next static analysis result is selected. Responsive to a determination that all static analysis results have been validated, the results and the computed unit tests are reported. | 11-21-2013 |
20130312103 | DETECTING EXPLOITABLE BUGS IN BINARY CODE - Systems and methods for performing hybrid symbolic execution to detect exploitable bugs in binary code are described. In some example embodiments, the systems and methods determine that resources associated with an execution client performing symbolic execution of a target program are below, at, or above a threshold performance level, generate checkpoints for active executing paths of the online symbolic execution, and cause the execution client to perform symbolic execution in response to the determination that the resources are at or above the threshold performance level. | 11-21-2013 |
20130312104 | METHODS AND APPARATUS PROVIDING AUTOMATIC SIGNATURE GENERATION AND ENFORCEMENT - A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack. | 11-21-2013 |
20130318613 | MOBILE APPLICATION SECURITY SCORE CALCULATION - The security or other attributes of mobile applications may be assessed and assigned a security score. In one implementation, a device may obtain information relating to the mobile applications, and may determine, for each of the mobile applications, a number of security scores. Each of the security scores may define a level of risk for a security category relating to a mobile application. The device may further combine the security scores, for each of the mobile applications, to obtain, for each of the mobile applications, a final security score. | 11-28-2013 |
20130318614 | MOBILE APPLICATION SECURITY ASSESSMENT - The security of mobile applications may be assessed and used to enhance the security of mobile devices. In one example, a method may include determining security scores of one or more mobile applications, the security scores defining a level of security risk corresponding to the one or more mobile applications. The method may further include receiving a policy relating to mobile applications that are permitted to be used by the mobile device, the policy including a threshold security score value; and receiving the requested security scores. The method may further include restricting use of selected ones of the one or more mobile applications when a security score corresponding to the one or more mobile applications is below the threshold security score value. | 11-28-2013 |
20130318615 | PREDICTING ATTACKS BASED ON PROBABILISTIC GAME-THEORY - Methods for determining cyber-attack targets include collecting and storing network event information from sensors to extract information regarding an attacker; forming an attack scenario tree that encodes network topology and vulnerability information including paths from known compromised nodes to a set of potential targets; calculating a likelihood for each of the paths using a processor; calculating a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker; calculating a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker; determining a network graph edge to remove which minimizes a defender's expected uncertainty over the potential targets; and removing the determined network graph edge. | 11-28-2013 |
20130318616 | PREDICTING ATTACKS BASED ON PROBABILISTIC GAME-THEORY - Systems for determining cyber-attack target include a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge. | 11-28-2013 |
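The target-prediction and edge-removal steps shared by 20130318615 and 20130318616 above, as an added example written for this page (not code from the patents): an attack scenario tree is enumerated as simple paths from the compromised nodes to the targets, each path's likelihood is the product of its edge probabilities, the per-target likelihood mass is normalised into a distribution, and the defender's uncertainty is measured as the Shannon entropy of that distribution. The edge whose removal leaves the least entropy is chosen. The graph, its probabilities, the use of entropy as the uncertainty measure and the tie-breaking rule are assumptions of this example; the distribution over already-accessed nodes and vulnerability types that the abstracts also mention is not modelled.

```python
import math

# Constructed attack graph. Each edge is a step the attacker could take, weighted with the
# probability of success (e.g. derived from the exploitability of the vulnerability on the
# next node). The numbers are illustrative, not measurements.
EDGES = {("A", "B"): 0.8, ("A", "C"): 0.5, ("B", "T1"): 0.9, ("B", "T2"): 0.2, ("C", "T2"): 0.6}
COMPROMISED = {"A"}          # nodes the sensors report as already taken over
TARGETS = {"T1", "T2"}       # assets the defender cares about


def attack_paths(edges, compromised, targets):
    """Enumerate simple paths from each compromised node to a target (the attack scenario tree).

    Returns [(path, likelihood)], where likelihood is the product of the edge probabilities.
    A path stops at the first target it reaches.
    """
    adj = {}
    for (u, v), p in edges.items():
        adj.setdefault(u, []).append((v, p))
    paths = []

    def dfs(node, path, likelihood):
        if node in targets:
            paths.append((list(path), likelihood))
            return
        for nxt, p in adj.get(node, []):
            if nxt not in path:            # simple paths only; no cycles
                path.append(nxt)
                dfs(nxt, path, likelihood * p)
                path.pop()

    for start in sorted(compromised):
        dfs(start, [start], 1.0)
    return paths


def target_distribution(paths, targets):
    """Normalise per-target path likelihood into a distribution over the potential targets."""
    mass = {t: 0.0 for t in targets}
    for path, likelihood in paths:
        mass[path[-1]] += likelihood
    total = sum(mass.values())
    return {t: (m / total if total else 0.0) for t, m in mass.items()}


def entropy_bits(dist):
    """Shannon entropy of the target distribution: the defender's uncertainty about the target."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def best_edge_to_remove(edges, compromised, targets):
    """Choose the single edge whose removal leaves the least uncertainty over the targets.

    Ties are broken by the smaller remaining total path likelihood, then by edge name
    (both tie-breakers are assumptions of this example). Returns (edge, ranking) with the
    ranking sorted best-first as (entropy_bits, remaining_mass, edge).
    """
    ranking = []
    for edge in sorted(edges):
        reduced = {e: p for e, p in edges.items() if e != edge}
        paths = attack_paths(reduced, compromised, targets)
        uncertainty = entropy_bits(target_distribution(paths, targets))
        remaining = sum(likelihood for _, likelihood in paths)
        ranking.append((round(uncertainty, 9), round(remaining, 9), edge))
    if not ranking:
        return None, []
    ranking.sort()
    return ranking[0][2], ranking


if __name__ == "__main__":
    paths = attack_paths(EDGES, COMPROMISED, TARGETS)
    for path, lk in paths:
        print(" -> ".join(path), "likelihood=%.3f" % lk)
    dist = target_distribution(paths, TARGETS)
    print("P(target):", {t: round(p, 3) for t, p in sorted(dist.items())},
          "H=%.3f bits" % entropy_bits(dist))
    edge, ranking = best_edge_to_remove(EDGES, COMPROMISED, TARGETS)
    print("remove edge %s -> %s; remaining uncertainty %.3f bits" % (edge[0], edge[1], ranking[0][0]))
```

On this graph, removing A->B or B->T1 both leave a single reachable target (zero entropy); the tie-breaker prefers A->B because it also cuts more of the attacker's total path likelihood. A real deployment would additionally weigh the operational cost of removing each edge, which the abstracts do not address.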
20130318617 | MANAGING NETWORK SECURITY - Technology for network security is disclosed. In one embodiment, a method of managing network security includes receiving sampled packets. The sampled packets represent packets being sampled from network packet traffic in at least one location in a network. The sampled packets are converted into an appropriate format for analysis to form converted packets. Moreover, the converted packets are sent to a first group including at least one security device for analysis. If an event message is generated by the at least one security device as a result of analysis of the converted packets, the event message is received from the at least one security device. Network security is evaluated based on the event message and security policies and is adjusted based on that evaluation. The method may be implemented with a network manager. | 11-28-2013 |
20130326627 | APPARATUS AND METHOD FOR DETECTING VULNERABILITY - The invention discloses a vulnerability monitoring method for a system in which data execution prevention (DEP) is enabled, comprising the steps of: monitoring operations that affect DEP; and, when an operation that disables DEP is detected, treating it as an indication that an action exploiting a vulnerability has occurred in the system. The invention also discloses a corresponding vulnerability monitoring apparatus. | 12-05-2013 |
20130333043 | Mechanism to Calculate Probability of a Cyber Security Incident - An Archetype Software Invention which calculates the probability of a cyber security incident for a given computer by correlating the distribution of computer program files with the occurrences of security incidents across a large number of computers. | 12-12-2013 |
20130333044 | VULNERABILITY-BASED REMEDIATION SELECTION - A machine-actionable memory comprises one or more machine-actionable records arranged according to a data structure. Such a data structure may include links that respectively map between a remediation, at least one action, and at least two vulnerabilities. A method of selecting a remediation, that is appropriate to a vulnerability which is present on a machine to be remediated, may include: providing a machine-actionable memory as mentioned above; and indexing into the memory using: a given vulnerability identifier to determine (A) at least one of a remediation mapped thereto and (B) at least one action mapped to the given vulnerability identifier; and/or a given remediation to determine at least two vulnerabilities mapped thereto. | 12-12-2013 |
20130333045 | SECURITY LEVEL VISUALIZATION DEVICE - A security level of each service is calculated and visualized. The device includes a security level calculation unit and a security level visualization unit. The security level calculation unit receives information regarding security of the service from a plurality of sensors as observation information, and calculates a security level of each service based on the received observation information and a security level calculation policy. The security level visualization unit outputs the security level of each service, based on the security level calculated by the security level calculation unit and configuration information of the service. Further, the security level calculation policy has a service, a user using the service, and an observation item to be observed in the service. The security level calculation unit calculates the security level in association with the user of the service and the service, based on the security level calculation policy. | 12-12-2013 |
20130340082 | OPEN SOURCE SECURITY MONITORING - Systems, methods, and devices for open source security monitoring are described herein. For example, one or more embodiments include searching open source data for data posing a security vulnerability to an entity, associating a risk level with the data posing the security vulnerability to the entity, and determining whether to perform a remedial action based on the risk level. | 12-19-2013 |
20130340083 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR AUTOMATICALLY GENERATING A FUZZER THAT IMPLEMENTS FUNCTIONAL AND FUZZ TESTING AND TESTING A NETWORK DEVICE USING THE FUZZER - Methods, systems, and computer readable media for automatically generating a fuzzer and testing a network device using the fuzzer are disclosed. According to one method, a functional description of a network communications protocol finite state machine is received as input. Operation of the protocol is simulated using the functional description of the finite state machine to generate a set of valid conversations in the protocol. A fuzzer is generated from the set of valid conversations. The fuzzer is used to send messages to a device under test. Responses of the device under test to the messages generated by the fuzzer are analyzed. | 12-19-2013 |
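The generation side of 20130340083 above, as an added example written for this page (not code from the patent): a protocol finite state machine is simulated to enumerate valid conversations, which serve as the functional tests, and fuzz cases are derived from them by replaying a valid prefix and then sending one mutated message, so that each malformed message reaches the device while it is in the correct protocol state. The cut-down SMTP-like state machine, the message bytes and the three mutators are constructed for the example; sending the cases to a device and analysing its responses needs a live target and is not shown.

```python
from dataclasses import dataclass

# Constructed functional description of a cut-down SMTP-like protocol: state -> [(message label, next state)].
# Labels are abstract; MESSAGES holds the concrete text a client would send for each label.
SMTP_FSM = {
    "INIT":    [("HELO", "GREETED")],
    "GREETED": [("MAIL", "MAIL"), ("QUIT", "CLOSED")],
    "MAIL":    [("RCPT", "RCPT")],
    "RCPT":    [("RCPT", "RCPT"), ("DATA", "DATA")],   # several recipients are allowed
    "DATA":    [("BODY", "GREETED")],                   # after the body the session may start another mail
    "CLOSED":  [],
}
MESSAGES = {
    "HELO": "HELO fuzz.example\r\n",
    "MAIL": "MAIL FROM:<a@example.test>\r\n",
    "RCPT": "RCPT TO:<b@example.test>\r\n",
    "DATA": "DATA\r\n",
    "BODY": "Subject: t\r\n\r\nhello\r\n.\r\n",
    "QUIT": "QUIT\r\n",
}


def valid_conversations(fsm, start, accepting, max_len):
    """Simulate the FSM to enumerate every label sequence of length <= max_len ending in an accepting state.

    Loops in the FSM make the full set infinite, so max_len bounds the simulation.
    The sequences double as the functional (positive) test cases.
    """
    found = []

    def walk(state, seq):
        if state in accepting and seq:
            found.append(list(seq))
        if len(seq) == max_len:
            return
        for label, nxt in fsm.get(state, []):
            seq.append(label)
            walk(nxt, seq)
            seq.pop()

    walk(start, [])
    return sorted(found, key=lambda s: (len(s), s))


def run_fsm(fsm, start, labels):
    """Drive the FSM with a label sequence; return the final state, or None if a step is invalid."""
    state = start
    for label in labels:
        moves = dict(fsm.get(state, []))
        if label not in moves:
            return None
        state = moves[label]
    return state


# Mutators turn one valid message into a malformed one; the name is recorded in the case.
MUTATORS = {
    "oversize":  lambda m: m.rstrip("\r\n") + "A" * 4096 + "\r\n",   # long field
    "no_crlf":   lambda m: m.replace("\r\n", ""),                     # missing terminator
    "fmtstring": lambda m: m.replace("\r\n", "%n%s%x\r\n", 1),        # format-string tokens
}


@dataclass(frozen=True)
class FuzzCase:
    prefix: tuple      # valid labels that put the device into the right state first
    label: str         # which message is being fuzzed
    mutator: str
    payload: str       # the malformed message to send after the prefix


def generate_fuzz_cases(conversations, messages, mutators):
    """For every position of every valid conversation: send the valid prefix, then one mutated message.

    Identical (prefix, message) pairs reached through different conversations are emitted once,
    and a mutator that leaves a message unchanged produces no case.
    """
    seen, cases = set(), []
    for conv in conversations:
        for i, label in enumerate(conv):
            for name, mutate in mutators.items():
                payload = mutate(messages[label])
                if payload == messages[label]:
                    continue
                key = (tuple(conv[:i]), payload)
                if key in seen:
                    continue
                seen.add(key)
                cases.append(FuzzCase(tuple(conv[:i]), label, name, payload))
    return cases


if __name__ == "__main__":
    convs = valid_conversations(SMTP_FSM, "INIT", {"CLOSED"}, max_len=8)
    for c in convs:
        print("functional:", " ".join(c))
    cases = generate_fuzz_cases(convs, MESSAGES, MUTATORS)
    print(len(cases), "fuzz cases; e.g.", cases[3])
```

With `max_len=8` the simulation yields four valid conversations (the RCPT self-loop is what makes the bound necessary) and the fifteen distinct prefix positions in them give forty-five fuzz cases. A response analyser would then replay each case and classify the device's reply, a closed connection or a timeout per case.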
20130340084 | ASSET RISK ANALYSIS - Methods, systems, and apparatus, including computer programs encoded on computer storage media, for asset risk analysis. One method includes receiving threat definition data for threats, vulnerability detection data for assets, and countermeasure detection data for assets. The method further includes determining a respective risk metric for each of the assets for each of the threats. This includes analyzing the vulnerability detection data for an asset to determine whether the asset is vulnerable to a threat, determining from the threat definition data and the countermeasure detection data whether the asset is protected by one of the countermeasures identified for the threat, and determining the risk metric for the asset for the threat according to whether the asset is vulnerable to the threat and whether the asset is protected by one of the countermeasures identified for the threat. | 12-19-2013 |
20130347116 | THREAT EVALUATION SYSTEM AND METHOD - Systems and methods for evaluating threats to elements of a client computer application, using a cyber reference library, an opponent catalog and a network model. The systems and methods produce a set of analyst reports evaluating the threats to the client computer application. One embodiment of the system for evaluating at least one threat to a client computer application has a threat evaluation engine which performs a plurality of algorithms, where each algorithm has implementation-specific input requirements, a threat evaluation results data store, a statistical analysis engine, and an analysis results data store. | 12-26-2013 |
20140007240 | STATIC ANALYSIS FOR DISCOVERY OF TIMING ATTACK VULNERABILITIES IN A COMPUTER SOFTWARE APPLICATION | 01-02-2014 |
20140007241 | SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK | 01-02-2014 |
20140007242 | Notification of Security Question Compromise Level based on Social Network Interactions | 01-02-2014 |
20140007243 | STATIC ANALYSIS FOR DISCOVERY OF TIMING ATTACK VULNERABILITIES IN A COMPUTER SOFTWARE APPLICATION | 01-02-2014 |
20140007244 | SYSTEMS AND METHODS FOR GENERATING RISK ASSESSMENTS | 01-02-2014 |
20140013436 | SYSTEM AND METHOD FOR ENABLING REMOTE REGISTRY SERVICE SECURITY AUDITS - The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity. | 01-09-2014 |
20140041036 | ASSESSING THE RESISTANCE OF A SECURITY MODULE AGAINST ATTACKS BY COMMUNICATION PIPE DIVERSION - A method for assessing the resistance of a security module against an attempt to divert a communication pipe between a gate of this security module and a gate of a near-field communication router present in a telecommunication device to which the security module is intended to be connected, including the steps of: connecting the security module to a near-field communication router emulator; having the emulator send at least one command to the security module, this command simulating the fact that the pipe used is not connected to a near-field communication gate; and determining whether the security module accepts the commands. | 02-06-2014 |
20140047545 | EXPERT SYSTEM FOR DETECTING SOFTWARE SECURITY THREATS - An instance of a vulnerability risk management (VRM) module and a vulnerability management expert decision system (VMEDS) module are instantiated in a cloud. The VMEDS module imports scan results from a VRM vulnerability database and saves them as vulnerabilities to be reviewed in a VMEDS database. The VMEDS module converts vulnerabilities into facts. The VMEDS module builds a rule set in the knowledge base to verify whether certain vulnerabilities are false positives. Rules related to a vulnerability are received in plain English from a web-based front-end application. The VMEDS module tests each rule against all of the facts using the Rete algorithm. The VMEDS module executes the action associated with the rule derived from the Rete algorithm. The VMEDS module stores the results associated with the executing of the action in the VMEDS database and forwards the results to the VRM module. | 02-13-2014 |
20140047546 | Method and System for Managing Computer System Vulnerabilities - A vulnerability risk management (VRM) module receives an indication of a VRM service to be provided from the end user. The VRM module extracts from the indication either external IP addresses or the web application URL and a list of assets of the enterprise computer system to be tested. The VRM module discovers the assets of the enterprise computer system. The VRM module receives a request for a vulnerability scan using a predefined scan configuration based on preferences of the end user and a specified date and time to conduct the scan. The VRM module reports and stores a preliminary list of potential vulnerabilities in the VRM vulnerability database. The preliminary list is fed to an expert system, which applies specific rule sets using an inference engine and a knowledge base to refine results stored in the VRM vulnerability database by removing extraneous information and false positives. | 02-13-2014 |
20140047547 | STEALTH NETWORK ATTACK MONITORING - A particular failed connection attempt initiated by a particular source asset in a network is identified and subsequent failed connection attempts initiated by the particular source asset in the network during a time period are tracked. A low frequency sequence of failed connection attempts involving the particular source asset is detected during the time period and the source asset is designated as a potential security risk based on the detected low frequency sequence of failed connection attempts. | 02-13-2014 |
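The low-frequency failed-connection tracking in 20140047547 above, as an added example written for this page (not code from the patent): failed attempts are parsed from constructed firewall log lines, grouped per source asset, and a source is flagged when, within a tracking window, it accumulates enough failures to enough distinct destinations while never exceeding a per-minute rate that a conventional scan detector would key on. The log format, the addresses and all thresholds are assumptions; a "noisy" verdict is reported alongside so the low-and-slow case can be contrasted with the one a rate-based detector already catches.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall log lines (hypothetical addresses). Only DROP/REJECT lines are failed attempts.
FIREWALL_LOG = """\
2013-08-13T09:00:05Z ACCEPT src=10.1.1.3 dst=10.2.0.10 proto=tcp dport=443
2013-08-13T09:00:09Z DROP src=10.1.1.3 dst=10.2.0.11 proto=tcp dport=445
2013-08-13T09:01:40Z DROP src=10.1.1.3 dst=10.2.0.11 proto=tcp dport=445
2013-08-13T09:05:12Z DROP src=10.1.1.7 dst=10.2.0.15 proto=tcp dport=22
2013-08-13T09:10:00Z DROP src=10.1.1.9 dst=10.2.0.20 proto=tcp dport=21
2013-08-13T09:10:01Z DROP src=10.1.1.9 dst=10.2.0.20 proto=tcp dport=22
2013-08-13T09:10:03Z DROP src=10.1.1.9 dst=10.2.0.20 proto=tcp dport=23
2013-08-13T09:10:04Z DROP src=10.1.1.9 dst=10.2.0.20 proto=tcp dport=25
2013-08-13T09:10:06Z DROP src=10.1.1.9 dst=10.2.0.20 proto=tcp dport=80
2013-08-13T09:10:08Z DROP src=10.1.1.9 dst=10.2.0.20 proto=tcp dport=443
2013-08-13T09:27:48Z DROP src=10.1.1.7 dst=10.2.0.16 proto=tcp dport=22
2013-08-13T09:51:03Z DROP src=10.1.1.7 dst=10.2.0.17 proto=tcp dport=3389
2013-08-13T10:14:30Z DROP src=10.1.1.7 dst=10.2.0.18 proto=tcp dport=445
2013-08-13T10:38:55Z DROP src=10.1.1.7 dst=10.2.0.19 proto=tcp dport=22
2013-08-13T11:02:17Z REJECT src=10.1.1.7 dst=10.2.0.21 proto=tcp dport=1433
2013-08-13T11:26:41Z DROP src=10.1.1.7 dst=10.2.0.22 proto=tcp dport=3306
2013-08-13T11:49:09Z DROP src=10.1.1.7 dst=10.2.0.23 proto=tcp dport=22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP|REJECT)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
                     r"\s+proto=\S+\s+dport=(?P<dport>\d+)")


def parse_failed_attempts(log_text):
    """Return failed connection attempts as (timestamp, src, dst, dport), oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") != "ACCEPT":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("src"), m.group("dst"), int(m.group("dport"))))
    return sorted(events)


def detect_stealth_scanners(events, window=timedelta(hours=24), min_attempts=6,
                            min_distinct=3, max_per_minute=2):
    """Flag sources whose failed attempts within `window` form a low-frequency sequence.

    A source is 'stealth' when it accumulates >= min_attempts failures to >= min_distinct
    distinct (dst, dport) pairs while never exceeding max_per_minute attempts in any 60-second
    span, i.e. the pattern a rate-based scan detector does not trigger on. Sources that do
    exceed the per-minute rate are reported as 'noisy'. Thresholds are assumptions of this example.
    """
    by_src = {}
    for ts, src, dst, dport in events:
        by_src.setdefault(src, []).append((ts, dst, dport))
    verdicts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i in range(len(attempts)):            # slide the window start over each attempt
            start = attempts[i][0]
            span = [a for a in attempts[i:] if a[0] - start <= window]
            if len(span) < min_attempts:
                continue
            peak = max(sum(1 for b in span if 0 <= (b[0] - a[0]).total_seconds() < 60) for a in span)
            distinct = len({(dst, dport) for _, dst, dport in span})
            verdict = "noisy" if peak > max_per_minute else ("stealth" if distinct >= min_distinct else None)
            if verdict:
                verdicts[src] = {"verdict": verdict, "attempts": len(span), "distinct_targets": distinct,
                                 "peak_per_minute": peak, "first": span[0][0], "last": span[-1][0]}
                break
    return verdicts


if __name__ == "__main__":
    for src, info in sorted(detect_stealth_scanners(parse_failed_attempts(FIREWALL_LOG)).items()):
        print(src, info["verdict"], "attempts=%d distinct=%d peak/min=%d %s..%s" % (
            info["attempts"], info["distinct_targets"], info["peak_per_minute"],
            info["first"].time(), info["last"].time()))
```

The host probing one port every twenty-odd minutes never shows more than one failure per minute, so only the accumulated count and target diversity over the long window expose it; the host with two failures to the same service stays below the attempt threshold and is not reported.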
20140053273 | SYSTEM AND METHOD FOR LIMITING EXPLOITABLE OR POTENTIALLY EXPLOITABLE SUB-COMPONENTS IN SOFTWARE COMPONENTS - Approaches for limiting exploitable or potentially exploitable sub-components in software components are disclosed. In certain implementations, a first software component in the component creation environment may be identified. The first software component may include a first sub-component that provides a function that is exploitable or potentially exploitable to compromise the first software component. The first sub-component may be disabled such that the function provided by the first sub-component is not available via the first software component when the first software component is executed. The first software component may be placed in the component repository after the first sub-component is disabled such that the first software component is placed in the component repository without availability of the function provided by the first sub-component. In some implementations, disabling the first sub-component may comprise removing the first sub-component from the first software component. | 02-20-2014 |
20140053274 | SYSTEM AND METHOD FOR REPLACING SOFTWARE COMPONENTS WITH CORRESPONDING KNOWN-GOOD SOFTWARE COMPONENTS WITHOUT REGARD TO WHETHER THE SOFTWARE COMPONENTS HAVE BEEN COMPROMISED OR POTENTIALLY COMPROMISED - Approaches for replacing software components executing in a runtime environment with corresponding known-good software components are disclosed. In some implementations, at least a first event indicating that at least a first software component executing in the runtime environment should be replaced may be determined. The first event may be determined without respect to whether the first software component has been compromised or potentially compromised. At least a second software component corresponding to the first software component may be obtained from a component repository that is separate from the runtime environment. The first software component may be replaced with the second software component based on the first event such that the second software component is available for use in the runtime environment after the first event and the first software component is no longer available for use in the runtime environment after the first event. | 02-20-2014 |
20140059690 | Method for Scalable Analysis of Android Applications for Security Vulnerability - A method for scalable analysis of Android applications for security includes applying Android application analytics to an Android application, which in turn includes applying an application taint tracking to the Android application and applying application repacking detection to the Android application, and determining security vulnerabilities in the Android application responsive to the analytics. | 02-27-2014 |
20140059691 | METHOD AND DEVICE FOR PROMPTING PROGRAM UNINSTALLATION - The present disclosure discloses a method and device for prompting program uninstallation and belongs to the field of the Internet. The method comprises: performing a security assessment of an application program installed on a mobile terminal, thereby obtaining a security assessment result; obtaining security identification information corresponding to the security assessment result based on pre-stored correlations between security assessment results and security identification information; establishing a correlation between the obtained security identification information and the application program, and displaying the correlation to a user. By performing a security assessment of an application program installed on a mobile terminal, obtaining security identification information, and establishing a correlation between the security identification information and the application program, a user can quickly uninstall and clean up malware with hidden security issues based on the security identification information, thereby safeguarding the secure operation of the mobile terminal. | 02-27-2014 |
20140075560 | AUTOMATIC CLASSIFICATION OF SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS - Automatically classifying security vulnerabilities in computer software applications by identifying candidate security vulnerabilities in a learning set including at least a first computer software application, classifying each of the candidate security vulnerabilities using predefined classifications, determining, for each of the candidate security vulnerabilities, values for predefined properties, creating a set of correlations between the property values and the classifications of the candidate security vulnerabilities, identifying a candidate security vulnerability in a second computer software application, determining, for the candidate security vulnerability in the second computer software application, values for the predefined properties, and using the set of correlations to classify the candidate security vulnerability in the second computer software application with a classification from the predefined classifications that best correlates with the property values of the candidate security vulnerability in the second computer software application. | 03-13-2014 |
20140075561 | STATIC SECURITY ANALYSIS USING A HYBRID REPRESENTATION OF STRING VALUES - Methods for creating a hybrid string representations include receiving string information as input; parsing the string information to produce one or more string components; determining string components that may be represented concretely by comparing the one or more components to a set of known concretizations; abstracting all string components that could not be represented concretely; and creating a hybrid string representation that includes at least one concrete string component and at least one abstracted string component. | 03-13-2014 |
20140075562 | STATIC SECURITY ANALYSIS USING A HYBRID REPRESENTATION OF STRING VALUES - Systems for constructing hybrid string representations include a string parser configured to parse received string information to produce one or more string components, a database configured to store a set of known concretizations, and a processor configured to compare the one or more string components to the set of known concretizations to determine string components that may be represented concretely, to abstract all string components that could not be represented concretely, and to create a hybrid string representation that includes at least one concrete string component and at least one abstracted string component. | 03-13-2014 |
20140075563 | AUTOMATED SECURITY TESTING - A method of automated security testing includes recording a macro. The recorded macro is played and a web request is intercepted while playing the macro. The web request may be attacked and sent to a web server. A response from the web server based on the web request is received, and the response of the web server is processed to determine any vulnerabilities. | 03-13-2014 |
20140075564 | NETWORK ASSET INFORMATION MANAGEMENT - A network asset information management system ( | 03-13-2014 |
20140082733 | METHODS AND SYSTEMS FOR EVALUATING SOFTWARE FOR KNOWN VULNERABILITIES - A vulnerability identification and resolution (VIR) computer device for identifying security vulnerabilities in a computer system is provided. The VIR computer device includes a memory device for storing data including data representing computing assets installed in the computer system and a processor in communication with the memory device. The VIR computer device is programmed to receive an asset identifier identifying a computing asset selected for evaluation and execute a query on at least one database storing security vulnerabilities, the query searching for security vulnerability data associated with the selected computing asset. The VIR computer device is further programmed to receive the security vulnerability data at the VIR computer device in response to the query. | 03-20-2014 |
20140082734 | CERTIFYING SERVER SIDE WEB APPLICATIONS AGAINST SECURITY VULNERABILITIES - Methods for server security verification include acquiring a public key associated with a received report that includes an indication regarding the presence of a vulnerability for each vulnerability, the report having been generated at a server; decrypting the received report using the public key; determining a level of server-side security based on the decrypted report using a processor; and reconfiguring a browser at the client responsive to the determined level of server-side security. | 03-20-2014 |
20140082735 | MINING ATTACK VECTORS FOR BLACK-BOX SECURITY TESTING - Black-box security testing for a Web application includes identifying infrastructure supporting the Web application, obtaining vulnerability data for the Web application from an external data source according to the infrastructure, deriving a test payload from the vulnerability data using a processor, and determining a type of vulnerability exploited by the test payload. An existing validation operation of a testing system is selected for validating a response from the Web application to the test payload according to the type of vulnerability. | 03-20-2014 |
20140082736 | CERTIFYING SERVER SIDE WEB APPLICATIONS AGAINST SECURITY VULNERABILITIES - Systems for server security verification include a report validation module configured to acquire a public key associated with a received report, where the received report was generated at a server, to decrypt the received report using the public key, and to determine a level of server-side security based on the decrypted report; and a processor configured to reconfigure a browser responsive to the determined level of server-side security. | 03-20-2014 |
20140082737 | MINING ATTACK VECTORS FOR BLACK-BOX SECURITY TESTING - Black-box security testing for a Web application includes identifying infrastructure supporting the Web application, obtaining vulnerability data for the Web application from an external data source according to the infrastructure, deriving a test payload from the vulnerability data using a processor, and determining a type of vulnerability exploited by the test payload. An existing validation operation of a testing system is selected for validating a response from the Web application to the test payload according to the type of vulnerability. | 03-20-2014 |
20140082738 | DYNAMIC RISK MANAGEMENT - A dynamic risk management system for operating systems that provides monitoring, detection, assessment, and follow-up action to reduce the risk whenever it rises. The system enables an operating system to protect itself automatically in dynamic environments. The risk management system monitors a diverse set of attributes of the system which determines the security state of the system and is indicative of the risk the system is under. Based on a specification of risk levels for the various attributes and for their combinations, the risk management system determines whether one or more actions are required to alleviate the overall risk to the system. | 03-20-2014 |
20140082739 | APPLICATION SECURITY TESTING - The present disclosure provides a system that includes a server hosting an application under test (AUT), an observer configured to monitor instructions executed by the AUT, and a computing device communicatively coupled to the AUT and the observer through a common communication channel. The computing device may be configured to send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT. The computing device may receive an application response from the AUT in accordance with the AUT's programming. The computing device may send a service request to the observer, and receive a service response from the observer that contains information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT. | 03-20-2014 |
20140090063 | SYSTEM AND METHOD FOR INHIBITING THE PROCESSING OF NEW CODE MODULES BY AN OUTDATED RUNTIME ENVIRONMENT - A system and method for inhibiting some code modules from being processed by an outdated runtime environment are disclosed. The system and method may operate to detect that a runtime environment installed on a computer system is outdated. New code modules that have not been previously processed by the runtime environment may be inhibited from being processed by the outdated runtime environment, while known code modules that have been previously processed may be allowed to continue being processed uninhibitedly by the outdated runtime environment. | 03-27-2014 |
20140090064 | TRAINING CLASSIFIERS FOR PROGRAM ANALYSIS - Methods for training a static security analysis classifier include running an initial security analysis on a training codebase to generate a set of vulnerabilities associated with the training codebase; analyzing the program with a feature set that limits a number of detected vulnerabilities to generate a limited set of vulnerabilities associated with the feature set; comparing the limited set of vulnerabilities to a known vulnerability distribution to generate an accuracy score; and iterating the steps of analyzing and comparing using different feature sets to find a feature set having a highest accuracy score. | 03-27-2014 |
20140090065 | Method and Apparatus for Paralleling and Distributing Static Source Code Security Analysis Using Loose Synchronization - A method of static source code analysis is provided. A forward search of source code is performed from each of a plurality of source nodes. A backward search of source code is performed from each of a plurality of sink nodes, wherein the forward search and the backward search are performed in parallel simultaneously. The progress of the forward search and the backward search are monitored to determine if the searches intersect at a common node. A vulnerability alert is generated when the monitoring determines that a forward search and a backward search reach a common node. | 03-27-2014 |
20140090066 | SECURITY DATA AGGREGATION AND BUSINESS INTELLIGENCE FOR WEB APPLICATIONS - Systems and methods may provide for detecting a browser request for web content. Additionally, interaction information associated with a plurality of sources may be determined in response to the browser request, and a risk profile may be generated based on the interaction. The risk profile may include at least a portion of the interaction information as well as recommended control actions to mitigate the identified risk. In one example, the risk profile is presented to a user associated with the browser request as well as to a security control module associated with the platform. | 03-27-2014 |
20140090067 | CUSTOMIZING A SECURITY REPORT USING STATIC ANALYSIS - Respective edge weights are assigned to edges of a plurality of paths in a control flow graph representing a model of data flow of a computer program. Edge weights assigned to each edge are processed to determine a total edge weight for the respective paths, the total edge weight for a respective path being a sum of the edge weights assigned to the respective edges of the path. At least one path in the control flow graph whose total edge weight satisfies a particular total edge weight criteria can be identified, and the control flow graph can be updated to indicate to the user the at least one path in the control flow graph whose total edge weight satisfies the particular total edge weight criteria. The updated control flow graph can be presented to the user. | 03-27-2014 |
20140090068 | METHOD AND APPARATUS FOR PARALLELING AND DISTRIBUTING STATIC SOURCE CODE SECURITY ANALYSIS USING LOOSE SYNCHRONIZATION - A method of static source code analysis is provided. A forward search of source code is performed from each of a plurality of source nodes. A backward search of source code is performed from each of a plurality of sink nodes, wherein the forward search and the backward search are performed in parallel simultaneously. The progress of the forward search and the backward search are monitored to determine if the searches intersect at a common node. A vulnerability alert is generated when the monitoring determines that a forward search and a backward search reach a common node. | 03-27-2014 |
20140090069 | TRAINING CLASSIFIERS FOR PROGRAM ANALYSIS - Classifier training modules and systems are shown that include a memory configured to store a known vulnerability distribution and an initial feature set; and a processor configured to run an initial security analysis on a training codebase to generate a set of vulnerabilities associated with the training codebase, to analyze the program with the feature set to limit a number of detected vulnerabilities to generate a limited set of vulnerabilities associated with the feature set, to compare the limited set of vulnerabilities to the known vulnerability distribution to generate an accuracy score, and to iteratively refine the analysis by updating the feature set to find a feature set having a highest accuracy score. | 03-27-2014 |
20140090070 | CUSTOMIZING A SECURITY REPORT USING STATIC ANALYSIS - Respective edge weights are assigned to edges of a plurality of paths in a control flow graph representing a model of data flow of a computer program. Edge weights assigned to each edge are processed to determine a total edge weight for the respective paths, the total edge weight for a respective path being a sum of the edge weights assigned to the respective edges of the path. At least one path in the control flow graph whose total edge weight satisfies a particular total edge weight criteria can be identified, and the control flow graph can be updated to indicate to the user the at least one path in the control flow graph whose total edge weight satisfies the particular total edge weight criteria. The updated control flow graph can be presented to the user. | 03-27-2014 |
20140090071 | Systems and Methods for Runtime Adaptive Security to Protect Variable Assets - A method of adapting a security configuration of a data processing application at runtime, and a system, together with its computing architecture, are disclosed. The system stores a causal network comprising a plurality of nodes and a plurality of incoming and outgoing causal links associated therewith, wherein each node of the causal network is associated with a security concern or a requirement that can be affected by any configuration of the security controls. The current values of the asset nodes, as well as those of the security concerns that can be affected by monitored contextual factors, are updated. The control nodes corresponding to the security controls are updated according to the security configuration whose utility is evaluated by the causal network. The node corresponding to the at least one variable is updated with the determined current value, which is propagated through the causal network through the causal links associated with the updated node. The security configuration with the highest utility is selected and replaces the actual configuration by activating and/or deactivating the security functions corresponding to security control nodes enabled/disabled in the selected security configuration. | 03-27-2014 |
20140096255 | CORRECTING WORKFLOW SECURITY VULNERABILITIES VIA STATIC ANALYSIS AND VIRTUAL PATCHING - A computer program can be statically analyzed to determine an order in which client side workflows are intended to be implemented by the computer program. A virtual patch can be generated. When executed by a processor, the virtual patch can track web service calls from a client to the computer program, and determine whether the order of the web service calls from the client to the computer program correlates to the order in which client side workflows are intended to be implemented by the computer program. If the order of the web service calls from the client to the computer program does not correlate to the order in which client side workflows are intended to be implemented by the computer program, an alert can be generated. | 04-03-2014 |
20140096256 | JOINT PERFORMANCE-VULNERABILITY METRIC FRAMEWORK FOR DESIGNING AD HOC ROUTING PROTOCOLS - A system for routing data along a path that is both efficient and secure is provided. A performance and vulnerability routing system selects a path for routing using a joint metric for a link in a network of nodes. The system calculates the joint metric based on a combination of a performance metric and a vulnerability metric of a link. The performance metric for a link indicates the cost of transmitting data over the link, and the vulnerability metric for the link indicates the security of data that is transmitted over the link. The system combines the performance metric and the vulnerability metric to generate the joint metric, which indicates a joint cost of transmitting data. The system then selects paths for transmitting data that tend to minimize the sum of the joint costs of the links along the paths. | 04-03-2014 |
20140096257 | SECURITY REMEDIATION - A method is provided to remediate defects in first computer program code that can be used to configure a computer to produce code for use by the same or a different computer configured using second computer program code to use the produced code to produce output information, the method comprising: configuring a computer to perform static analysis of the first program code to produce an information structure in a non-transitory computer readable storage device that associates a respective code statement of the first program code with a respective context, wherein the context associates a parser state with a potential defect in the produced code; identifying a defect in the first computer program code that is associated with the respective code statement; and determining a remediation for the identified defect. | 04-03-2014 |
20140096258 | CORRECTING WORKFLOW SECURITY VULNERABILITIES VIA STATIC ANALYSIS AND VIRTUAL PATCHING - A computer program can be statically analyzed to determine an order in which client side workflows are intended to be implemented by the computer program. A virtual patch can be generated. When executed by a processor, the virtual patch can track web service calls from a client to the computer program, and determine whether the order of the web service calls from the client to the computer program correlates to the order in which client side workflows are intended to be implemented by the computer program. If the order of the web service calls from the client to the computer program does not correlate to the order in which client side workflows are intended to be implemented by the computer program, an alert can be generated. | 04-03-2014 |
20140101767 | SYSTEMS AND METHODS FOR TESTING AND MANAGING DEFENSIVE NETWORK DEVICES - The field of the invention relates to systems and methods for securing networked computing devices, and more particularly to systems and methods for testing and managing defensive network systems. In a preferred embodiment, a defensive network management subsystem is included. The subsystem is operatively coupled to a defensive network system and a networked computing system. The defensive network management subsystem is configured to generate test data for the networked computing system, transmit the generated test data to the networked computing system, and record the networked computing system's response to the generated test data. The subsystem is further configured to correlate its recorded data with the defensive network system's response to said generated test data to assess the defensive network system's efficacy. | 04-10-2014 |
20140101768 | Limiting the Functionality of a Software Program Based on a Security Model - Systems, methods, routines and/or techniques for limiting the functionality of a software program based on a security model are described. One or more embodiments may include limiting the functionality of a software program (e.g., a widget) based on one or more operations that the widget intends to take. One or more embodiments may include limiting the functionality of a widget that is located on and/or accessible via a lock screen of a mobile device. One or more embodiments may include preventing a widget from causing an application to perform sensitive actions when a system is in an un-authenticated state. One or more embodiments may include preventing a widget from installing and/or displaying on a particular screen of a mobile device (e.g., a lock screen) if the widget includes a function that indicates that a sensitive operation will be taken. | 04-10-2014 |
20140101769 | REMEDIATION OF SECURITY VULNERABILITIES IN COMPUTER SOFTWARE - Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations. | 04-10-2014 |
20140101770 | Systems and Methods for Security Detection - Systems and methods are provided for security detection. For example, an initiation module in a process that initiates a sensitive operation is determined; identification information of the initiation module is collected; and security of the sensitive operation is detected based on at least information associated with the collected identification information and a predetermined database. | 04-10-2014 |
20140109227 | TRANSFORMING UNIT TESTS FOR SECURITY TESTING - A method, computer program product, and system for transforming unit tests is described. A unit test associated with one or more software units is identified. A first input parameter of the unit test is identified. A substitute parameter value is determined, wherein the substitute parameter value is associated with a security test for the one or more software units. A value of the first input parameter in the unit test is replaced with the substitute parameter value. The unit test including the substitute parameter value is implemented for the one or more software units. A first security issue associated with the one or more software units is identified, based upon, at least in part, replacing the first input parameter of the unit test with the substitute parameter value and implementing the unit test including the substitute parameter value. | 04-17-2014 |
20140109228 | TRANSFORMING UNIT TESTS FOR SECURITY TESTING - A method, computer program product, and system for transforming unit tests is described. A unit test associated with one or more software units is identified. A first input parameter of the unit test is identified. A substitute parameter value is determined, wherein the substitute parameter value is associated with a security test for the one or more software units. A value of the first input parameter in the unit test is replaced with the substitute parameter value. The unit test including the substitute parameter value is implemented for the one or more software units. A first security issue associated with the one or more software units is identified, based upon, at least in part, replacing the first input parameter of the unit test with the substitute parameter value and implementing the unit test including the substitute parameter value. | 04-17-2014 |
20140109229 | SECURITY SCANNING SYSTEM AND METHOD - The present disclosure provides a computer-readable medium, method and system for determining security vulnerabilities for a plurality of application programs used to provide television services to a customer device over a communications network. The method includes running a first scanning program against a first application program relating to a control panel for the customer device; running a second scanning program against a second application program that provides Internet content to the customer device; running a third scanning program against a third application program that relates to a component management system of customer premises equipment; and correlating security vulnerabilities identified utilizing the first, second, and third scanning programs. | 04-17-2014 |
20140109230 | REAL-TIME VULNERABILITY MONITORING - A security information management system is described, wherein client-side devices preferably collect and monitor information describing the operating system, software, and patches installed on the device(s), as well as the configuration thereof. A database of this information is maintained, along with data describing vulnerabilities of available software and associated remediation techniques available for it. The system exposes an API to support security-related decisions by other applications. For example, an intrusion detection system (IDS) accesses the database to determine whether an actual threat exists and should be (or has been) blocked. | 04-17-2014 |
20140115707 | SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR COLLECTING AND REPORTING SENSOR DATA IN A COMMUNICATION NETWORK - A system for collecting and reporting sensor data in a communication network includes a microprocessor coupled to a memory and an electronic storage device. The microprocessor receives sensor data from sensors, and stores the sensor data for each sensor in the electronic storage device. The microprocessor also receives, via the communication network, a data reporting instruction defining a data reporting technique corresponding to the sensor data associated with one or more of the sensors. The data reporting instruction is stored in the electronic storage device, and the microprocessor transmits, to a trust mediator over the communication network, at least a portion of the sensor data based on the data reporting instruction. The trust mediator maintains an acceptable level of security for data throughout the communication network by adjusting security safeguards based on the sensor data. | 04-24-2014 |
20140123291 | WEIGHTED SECURITY ANALYSIS - A method, computer program product, and system for transforming unit tests is described. A unit test associated with one or more software units is identified. A graphical representation of a portion of a computer program is built, wherein the graphical representation includes a control flow edge. A potentially vulnerable data flow associated with the control flow edge is identified. A control flow weight is assigned to the control flow edge, based upon, at least in part, identifying the potentially vulnerable data flow. A security analysis is applied to the portion of the computer program based upon, at least in part, the control flow weight. | 05-01-2014 |
20140123292 | TRANSIT CONTROL FOR DATA - A method for an apparatus which operates in a data cloud includes requesting trust information from a service cloud, receiving the trust information from the service cloud, performing a trust assessment of the service cloud based on the trust information, and controlling transmission of data to the service cloud according to a result of the trust assessment. | 05-01-2014 |
20140123293 | WEIGHTED SECURITY ANALYSIS - A method, computer program product, and system for transforming unit tests is described. A unit test associated with one or more software units is identified. A graphical representation of a portion of a computer program is built, wherein the graphical representation includes a control flow edge. A potentially vulnerable data flow associated with the control flow edge is identified. A control flow weight is assigned to the control flow edge, based upon, at least in part, identifying the potentially vulnerable data flow. A security analysis is applied to the portion of the computer program based upon, at least in part, the control flow weight. | 05-01-2014 |
20140123294 | INFORMATION PROCESSING APPARATUS, METHOD, AND MEDIUM - An inspection server is provided with a related-information acquisition unit which acquires program-related information related to a program installed in a node connected to a network segment, a condition determination unit which determines whether or not the program-related information satisfies a security condition, and a measure information acquisition unit which acquires, when it is determined that the program-related information does not satisfy the security condition, measure information for allowing the node to satisfy the security condition in accordance with an attribute of the program. | 05-01-2014 |
20140123295 | SYSTEMS AND METHODS FOR ADVANCED DYNAMIC ANALYSIS SCANNING - The field of the invention relates to systems and methods for advanced dynamic analysis scanning for vulnerabilities using a universal translator. In an embodiment, the system includes a dynamic analysis scanner subsystem communicatively coupled to a networked computing system; the scanner subsystem is configured to crawl one or more dynamic web pages of the networked computing system, generate test data for the networked computing system, transmit the generated test data to the networked computing system, and record the networked computing system's response to the generated test data. The scanner may further comprise a universal translator configured to detect vulnerabilities and generate test data for the dynamic web pages of the networked computing system. The scanner subsystem may further comprise a smart scheduler. | 05-01-2014 |
20140130170 | INFORMATION SECURITY AUDIT METHOD, SYSTEM AND COMPUTER READABLE STORAGE MEDIUM FOR STORING THEREOF - An information security audit method used in an information security audit system is provided. The information security audit method comprises the steps outlined below. A normalized weighting of each of a plurality of members of an organization is computed according to a level and at least one feature of each of the members. A plurality of risk evaluation values corresponding to a plurality of audit items are computed, and a normalized risk evaluation value of each of the members is further computed according to the risk evaluation values and the normalized weighting. A relation between the normalized risk evaluation value and a plurality of threshold value intervals is determined, and the audit period and/or the number of audit items is dynamically adjusted according to that relation. | 05-08-2014 |
20140130171 | METHOD AND SYSTEM OF PROCESSING APPLICATION SECURITY - A method of processing application security for use in a platform-as-a-service layer (PaaS layer) includes the following steps. First, an application program is scanned to find a vulnerable code segment. Then, when the vulnerable code segment is not fixed through a security process, a secure code segment is weaved into this unfixed vulnerable code segment, so as to ensure the security of the application program. Moreover, a system of processing application security is also disclosed in the specification. | 05-08-2014 |
20140130172 | SYSTEMS AND METHODS FOR AUTOMATING BLIND DETECTION OF COMPUTATIONAL VULNERABILITIES - Methods for blind detection of computational vulnerabilities include the submission by a detecting system of potentially interpretable information to a target system; measurement of the timing characteristics of the output from the target system by the detecting system; and diagnosis of the vulnerabilities of the target system by the detecting system as based on the timing characteristics, optionally in conjunction with auxiliary data. Invented systems provide reference implementations of these methods. | 05-08-2014 |
20140137256 | SECURITY ANALYSIS USING RELATIONAL ABSTRACTION OF DATA STRUCTURES - Analyzing program code can include detecting an instance of a container within the program code using a processor, selecting a model container correlated with the container using the processor, and creating an instance of the model container within memory using the processor. A data-flow of the program code can be tracked through the instance of the model container instead of the instance of the container. | 05-15-2014 |
20140137257 | System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure - A system, method and apparatus assesses a risk of one or more assets within an operational technology infrastructure by providing a database containing data relating to the one or more assets, calculating a threat score for the one or more assets using one or more processors communicably coupled to the database, calculating a vulnerability score for the one or more assets using the one or more processors, calculating an impact score for the one or more assets using the one or more processors, and determining the risk of the one or more assets based on the threat score, the vulnerability score and the impact score using the one or more processors. | 05-15-2014 |
20140137258 | IMAGE VULNERABILITY REPAIR IN A NETWORKED COMPUTING ENVIRONMENT - Embodiments of the present invention provide an approach to repair vulnerabilities (e.g., security vulnerabilities) in images (e.g., application images) in a networked computing environment (e.g., a cloud computing environment). Specifically, an image is checked for vulnerabilities using a database of known images and/or vulnerabilities. If a vulnerability is found, a flexible/elastic firewall is established around the image so as to isolate the vulnerability. Once the firewall has been put in place, the vulnerability can be repaired by a variety of means such as upgrading the image, quarantining the image, discarding the image, and/or generating a new image. Once the image has been repaired, the firewall can be removed. | 05-15-2014 |
20140143878 | Security Capability Reference Model for Goal-based Gap Analysis - Gap analysis is performed on the security capabilities of a computer system, compared to a desired or targeted security model according to one or more security requirements, by providing a data structure of security capabilities of a computer system under analysis, wherein each capability is classified in a formal security capability reference model with a means having a set of attributes and a goal; determining the security capabilities of the deployed system-under-analysis; matching the security capabilities of the deployed system-under-analysis with the security capabilities defined in the data structure; determining one or more gaps in security capabilities between the deployed system and a security reference model goal; and displaying the gaps to a user in a report. | 05-22-2014 |
20140143879 | Security Capability Reference Model for Goal-based Gap Analysis - Gap analysis is performed on the security capabilities of a computer system, compared to a desired or targeted security model according to one or more security requirements, by providing a data structure of security capabilities of a computer system under analysis, wherein each capability is classified in a formal security capability reference model with a means having a set of attributes and a goal; determining the security capabilities of the deployed system-under-analysis; matching the security capabilities of the deployed system-under-analysis with the security capabilities defined in the data structure; determining one or more gaps in security capabilities between the deployed system and a security reference model goal; and displaying the gaps to a user in a report. | 05-22-2014 |
20140143880 | Global Variable Security Analysis - A method includes determining selected global variables in a program for which the flow of the selected global variables through the program is to be tracked. The selected global variables are fewer than all the global variables in the program. The method includes tracking the flow of the selected global variables through the program using a static analysis performed on the program. In response to one or more of the selected global variables being used in security-sensitive operations in the flow, the use of each of the selected global variables in the corresponding security-sensitive operation is analyzed. In response to a determination that the use may be a potential security violation, the potential security violation is reported. Apparatus and computer program products are also disclosed. | 05-22-2014 |
20140150107 | METHOD AND SYSTEM FOR INTERFACE DATA UTILIZATION - Methods and system for interface data utilization are described. In one embodiment, source interface data may be provided from a provider. The source interface data may be capable of being used to provide a source user interface for a networked resource associated with the provider. A user request may be received through the source user interface. A service call may be provided over a network to an application based on the receiving of the user request. The application may be associated with an application manager. Response data may be received over the network from the application based on the service call. Target interface data may be rendered based on the response data. The target interface data may be provided from the provider. | 05-29-2014 |
20140157417 | METHODS AND SYSTEMS FOR ARCHITECTURE-CENTRIC THREAT MODELING, ANALYSIS AND VISUALIZATION - Methods and systems for use in architecture-centric threat modeling are described. One example system includes a display device, a memory device for storing a plurality of attributes for each of a plurality of network objects, and a processor communicatively coupled to the memory device. The processor is programmed to receive a user selection of at least a first network object and a second network object from the plurality of network objects; create a network architecture including the first network object and the second network object; associate the stored plurality of attributes with the selected network objects in the network architecture; display, on the display device, a graphical representation of the created network architecture; receive, from the user, at least one dataflow attribute associated with at least one of the first and second network objects; and store the at least one dataflow attribute to said memory device as an attribute of at least one of the plurality of network objects. | 06-05-2014 |
20140157418 | DETECTING SECURITY VULNERABILITIES ON COMPUTING DEVICES - Identifying security vulnerabilities on computing devices by detecting an inter-process communication on a computing device, determining whether the inter-process communication is consistent with a predefined specification of a security vulnerability, and causing a predefined action to be performed on the computing device responsive to determining that the inter-process communication is consistent with a predefined specification of a security vulnerability. | 06-05-2014 |
20140157419 | DISCOVERY OF APPLICATION VULNERABILITIES INVOLVING MULTIPLE EXECUTION FLOWS - Methods and systems for security analysis of an application are disclosed. In accordance with one method, a flow-insensitive analysis is conducted on the application to obtain a set of potential vulnerabilities in the application. For each of the potential vulnerabilities, a relevant set of control flows that include the respective vulnerability is determined. Further, for each relevant set of control flows, a flow-sensitive analysis of at least one of the control flows in the corresponding relevant set is performed by a hardware processor to assess the validity of the respective vulnerability. | 06-05-2014 |
20140157420 | DISCOVERY OF APPLICATION VULNERABILITIES INVOLVING MULTIPLE EXECUTION FLOWS - Methods and systems for security analysis of an application are disclosed. One system includes a flow-insensitive analyzer, a control flow assessment module and a flow-sensitive analyzer. The flow-insensitive analyzer is configured to conduct a flow-insensitive analysis on the application to obtain a set of potential vulnerabilities in the application. In addition, the control flow assessment module is configured to determine, for each of the potential vulnerabilities, a relevant set of control flows that include the respective vulnerability. Further, the flow-sensitive analyzer is configured to perform, by a hardware processor, for each relevant set of control flows, a flow-sensitive analysis of at least one of the control flows in the corresponding relevant set to assess the validity of the respective vulnerability. | 06-05-2014 |
20140157421 | DETECTING SECURITY VULNERABILITIES ON COMPUTING DEVICES - Identifying security vulnerabilities on computing devices by detecting an inter-process communication on a computing device, determining whether the inter-process communication is consistent with a predefined specification of a security vulnerability, and causing a predefined action to be performed on the computing device responsive to determining that the inter-process communication is consistent with a predefined specification of a security vulnerability. | 06-05-2014 |
20140165204 | DETECTION OF VULNERABILITIES IN COMPUTER SYSTEMS - Systems, methods, and apparatus, including computer program products, for detecting a presence of at least one vulnerability in an application. A method is provided that includes modifying instructions of the application to include at least one sensor that is configurable to generate an event indicator, wherein the event indicator includes at least some data associated with the event; storing the event indicator with other stored event indicators generated by the at least one sensor during the execution of the application; analyzing the stored event indicators; detecting a presence of at least one vulnerability in the application based on the analysis of the stored event indicators; and reporting the presence of the at least one vulnerability. | 06-12-2014 |
20140165205 | EQUIPMENT-INFORMATION TRANSMITTING APPARATUS, SERVICE CONTROL APPARATUS, EQUIPMENT-INFORMATION TRANSMITTING METHOD, AND COMPUTER PRODUCTS - An information generating unit generates identification information for equipment based on environment information of the equipment. When an information output request for equipment information generated based on the identification information is received, a search-result transmitting unit searches a database for the equipment information corresponding to the identification information, and transmits the search result as information indicating whether the equipment is allowed to receive a service. | 06-12-2014 |
20140165206 | SECURITY PARAMETER ZEROIZATION - Example embodiments disclosed herein relate to security parameter zeroization. Example embodiments include security parameter zeroization based on a remote security monitor. | 06-12-2014 |
20140165207 | METHOD FOR DETECTING ANOMALY ACTION WITHIN A COMPUTER NETWORK - A method and system for detecting anomalous action within a computer network is provided herein. The method starts with collecting raw data from at least one probe sensor that is associated with at least one router, switch or server which is part of the computer network. Next, the raw data is parsed and analyzed, and meta-data is created from the raw data. Computer network actions are identified based on existing knowledge about network protocols. The meta-data is associated with entities by analyzing the identified network actions and correlating between different computer network actions. Finally, at least one statistical model of the respective computer network is created, the model including the behavior patterns of network actions, and anomalous network actions associated with entities are detected online or in batch based on the statistical models. | 06-12-2014 |
20140173737 | DEVICE AND METHOD FOR REMEDIATING VULNERABILITIES - Exemplary methods, apparatuses, and systems receive data describing a first software component used by a software product and vulnerability data describing a vulnerability in the first software component. A vulnerability score is calculated for the software product based upon the vulnerability data for the first software component. The vulnerability score is recalculated for the software product based upon receiving an updated status of the vulnerability in the first software component from bug tracking software, a waiver of the vulnerability of a software component, the addition of another software component, or another update to the software product or component(s). The task of remediation of the vulnerability in the first software component can be assigned to a user and tracked. A user interface is provided to enable users to monitor the vulnerabilities of software products or components. | 06-19-2014 |
20140173738 | USER DEVICE SECURITY PROFILE - Attribute data of an endpoint computing device is collected that describes attributes of the endpoint computing device. The attribute data is communicated to a security score generator and security score data is received for the endpoint computing device. A graphical dashboard interface is caused to be presented on a display device, the dashboard interface presenting a plurality of security ratings based on the security score data, each security rating representing an amount of risk determined to be associated with a corresponding user activity on the endpoint device in a plurality of user activities. | 06-19-2014 |
20140173739 | AUTOMATED ASSET CRITICALITY ASSESSMENT - A set of attributes of a particular asset of a computing environment is identified that are determined from data collected by one or more utilities in the computing environment. A criticality rating is automatically determined for the particular asset based at least in part on the set of attributes. A security activity is caused to be performed relating to the particular asset based on the automatically determined criticality rating of the particular asset. | 06-19-2014 |
20140173740 | METHODS AND SYSTEMS FOR DETERMINING HARDENING STRATEGIES - A system and method for determining at least one hardening strategy to prevent at least one attack, comprising: performing processing associated with obtaining at least one attack graph, the at least one attack graph comprising at least one goal condition, at least one initial condition, and at least one exploit; performing processing associated with obtaining at least one allowable action that disables the at least one initial condition; performing processing associated with obtaining costs associated with the at least one allowable action; and performing processing associated with utilizing the at least one allowable action to determine at least one recommended strategy from the at least one allowable action taking into account the costs. | 06-19-2014 |
20140173741 | SYSTEM AND METHOD FOR DYNAMIC ANALYSIS TRACKING OBJECTS FOR APPLICATION DATAFLOW - Systems and methods are provided for dynamic analysis tracking objects for application dataflow. A system receives a data object from a data source, creates a source tracking object for the data object, and records information associated with the data source into the source tracking object. The system creates a copy of the data object for a tracking event in the application program, creates a flow tracking object for the tracking event, and records information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the data object. The system outputs the copy of the data object to a data sink, creates a sink tracking object for the data sink, and records information associated with the data sink into the sink tracking object. The system outputs the source tracking object, the flow tracking object, and the sink tracking object as dynamic analysis of dataflow in the application program. | 06-19-2014 |
20140173742 | SYSTEM AND METHOD FOR DYNAMIC ANALYSIS WRAPPER OBJECTS FOR APPLICATION DATAFLOW - Systems and methods are provided for dynamic analysis wrapper objects for application dataflow. A system creates a wrapper object that points to a data object received from a data source, creates a source tracking object for the wrapper object, and records information associated with the data source into the source tracking object. The system creates a copy of the wrapper object for a tracking event in an application program, creates a flow tracking object for the tracking event, and records information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the wrapper object. The system outputs the copy of the wrapper object to a data sink for the application program, creates a sink tracking object for the data sink, and records information associated with the data sink into the sink tracking object. The system outputs the source tracking object, the flow tracking object, and the sink tracking object as dynamic analysis of dataflow in the application program. | 06-19-2014 |
20140173743 | SYSTEM AND METHOD FOR DYNAMIC ANALYSIS TRACKING OBJECT ASSOCIATIONS FOR APPLICATION DATAFLOW - Data source information is recorded into a source tracking object embedded in a wrapper object pointing to a data object from the data source. Tracking event information is recorded into a flow tracking object embedded in a wrapper object copy as the tracking event processes the wrapper object copy. Other tracking event information is recorded into another flow tracking object embedded in another wrapper object as the other tracking event processes the other wrapper object. The flow tracking object is associated with the other flow tracking object in response to a field retrieval of the wrapper object copy from the other wrapper object. The wrapper object copy is output to a data sink. Data sink information is recorded into a sink tracking object embedded in the wrapper object copy. The tracking objects are output as dynamic analysis of dataflow in the application program. | 06-19-2014 |
20140173744 | SYSTEM AND METHODS FOR SCALABLY IDENTIFYING AND CHARACTERIZING STRUCTURAL DIFFERENCES BETWEEN DOCUMENT OBJECT MODELS - A security auditing computer system efficiently evaluates and reports security exposures in a target Web site hosted on a remote Web server system. The auditing system includes a crawler subsystem that constructs a first list of Web page identifiers representing the target Web site. An auditing subsystem selectively retrieves and audits Web pages based on a second list, based on the first. Retrieval is sub-selected dependent on a determined uniqueness of Web page identifiers relative to the second list. Auditing is further sub-selected dependent on a determined uniqueness of structural identifiers computed for each retrieved Web page, including structural identifiers of Web page components contained within a Web page. The computed structural identifiers are stored in correspondence with Web page identifiers and Web page component identifiers in the second list. A reporting system produces reports of security exposures identified through the auditing of Web pages and Web page components. | 06-19-2014 |
20140181980 | SYSTEM AND METHOD FOR PROTECTION FROM BUFFER OVERFLOW VULNERABILITY DUE TO PLACEMENT NEW CONSTRUCTS IN C++ - Systems and methods for protection from buffer overflow vulnerability due to placement new constructs in C++ are provided. A system for protecting from buffer overflow vulnerability due to placement new constructs comprises a compiler which is capable of receiving a program including a placement new instruction, and a runtime which is capable of receiving binary code from the compiler and determining whether the program includes the placement new instruction and whether the placement new instruction would lead to buffer overflow, wherein the runtime is linked to a library including methods for preventing the buffer overflow, and selects a method for preventing the buffer overflow if the runtime determines that the placement new instruction would lead to the buffer overflow. | 06-26-2014 |
20140181981 | SYSTEM AND METHOD FOR PROTECTION FROM BUFFER OVERFLOW VULNERABILITY DUE TO PLACEMENT NEW CONSTRUCTS IN C++ - Systems and methods for protection from buffer overflow vulnerability due to placement new constructs in C++ are provided. A system for protecting from buffer overflow vulnerability due to placement new constructs comprises a compiler which is capable of receiving a program including a placement new instruction, and a runtime which is capable of receiving binary code from the compiler and determining whether the program includes the placement new instruction and whether the placement new instruction would lead to buffer overflow, wherein the runtime is linked to a library including methods for preventing the buffer overflow, and selects a method for preventing the buffer overflow if the runtime determines that the placement new instruction would lead to the buffer overflow. | 06-26-2014 |
20140181982 | METHOD AND SYSTEM FOR DATA PROTECTION - Embodiments of the present invention relate to a method and system for data protection. A data protection method comprises: receiving at least one event prediction message from at least one message source, the at least one event prediction message being associated with an event that is predicted to occur in a future period of time; analyzing information relevant to the event that is included in the at least one event prediction message, so as to determine a risk level of the event with respect to the data to be protected; and determining a data protection operation at least based on the risk level and a predetermined event handling policy. A corresponding data protection system is further disclosed. According to the embodiments of the present invention, high-risk events that could damage data can be handled proactively, dynamically, and flexibly, thereby better guaranteeing data security. | 06-26-2014 |
20140189873 | SYSTEM AND METHOD FOR VULNERABILITY RISK ANALYSIS - Embodiments of the present invention are directed to a method and system for automated risk analysis. The method includes accessing host configuration information of a host and querying a vulnerability database based on the host configuration information. The method further includes receiving a list of vulnerabilities and accessing a plurality of vulnerability scores. The list of vulnerabilities corresponds to vulnerabilities of the host. Vulnerabilities can be removed from the list based on checking for installed fixes corresponding to each vulnerability. A composite risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. An aggregate risk score can then be determined for the host and each software product of the host based on the plurality of vulnerability scores. | 07-03-2014 |
20140189874 | HYBRID ANALYSIS OF VULNERABLE INFORMATION FLOWS - Arrangements described herein relate to analyzing vulnerable information flows in an application. A black-box scan of the application can be performed to record a call-tree representation of call stacks arising in the application due to test inputs provided during the black-box scan. For each path in the call-tree representation that does not constitute a vulnerable information flow during the black-box scan, a static analysis can be performed to determine at least one parameter value that, when abstracted, drives execution of the application, via the path, to flow to the at least one security sink. A security report can be generated identifying at least one of the paths in the call-tree representation that does not constitute the vulnerable information flow during the black-box scan, but flows to the at least one security sink when the at least one parameter value is abstracted. | 07-03-2014 |
20140189875 | HYBRID ANALYSIS OF VULNERABLE INFORMATION FLOWS - Arrangements described herein relate to analyzing vulnerable information flows in an application. A black-box scan of the application can be performed to record a call-tree representation of call stacks arising in the application due to test inputs provided during the black-box scan. For each path in the call-tree representation that does not constitute a vulnerable information flow during the black-box scan, a static analysis can be performed to determine at least one parameter value that, when abstracted, drives execution of the application, via the path, to flow to the at least one security sink. A security report can be generated identifying at least one of the paths in the call-tree representation that does not constitute the vulnerable information flow during the black-box scan, but flows to the at least one security sink when the at least one parameter value is abstracted. | 07-03-2014 |
20140196150 | QUANTIFYING THE RISKS OF APPLICATIONS FOR MOBILE DEVICES - Quantifying the risks of applications (“apps”) for mobile devices is disclosed. In some embodiments, quantifying the risks of apps for mobile devices includes receiving an application for a mobile device; performing an automated analysis of the application based on a risk profile; and generating a risk score based on the automated analysis of the application based on the risk profile. | 07-10-2014 |
20140201840 | IDENTIFYING STORED SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS - Identifying stored security vulnerabilities in computer software applications by providing via a first interface of a computer software application during execution of the computer software application, test data having a characteristic of a malicious payload, where an interaction performed with the first interface resulted in data being written to a location within a persistent data store, and where an interaction performed with a second interface of the computer software application resulted in data being read from the location within the persistent data store, and identifying a stored security vulnerability associated with the computer software application if the test data are written to the persistent data store at the location. | 07-17-2014 |
20140201841 | Client Security Scoring - Methods, apparatuses and techniques for security evaluation. A security profile of a client device is evaluated. The security profile is based on hardware and software security mechanism utilization of the client device. A security score is generated based on the security profile. The security score is provided to a service provider. | 07-17-2014 |
20140201842 | IDENTIFYING STORED SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS - Identifying stored security vulnerabilities in computer software applications by providing via a first interface of a computer software application during execution of the computer software application, test data having a characteristic of a malicious payload, where an interaction performed with the first interface resulted in data being written to a location within a persistent data store, and where an interaction performed with a second interface of the computer software application resulted in data being read from the location within the persistent data store, and identifying a stored security vulnerability associated with the computer software application if the test data are written to the persistent data store at the location. | 07-17-2014 |
20140201843 | SYSTEMS AND METHODS FOR IDENTIFYING AND REPORTING APPLICATION AND FILE VULNERABILITIES - In various embodiments, a method comprises receiving a plurality of records from a first digital device, each of the plurality of records generated during execution or termination of a different executable and containing information related to execution or termination of the different executable, retrieving at least one segment from at least one of the plurality of records, the at least one segment being less than all of the at least one of the plurality of records, the segment including an application or file attribute related to the different executable, comparing the application or file attribute to a vulnerability database, identifying a risk based on the comparison, and generating a report identifying the risk. | 07-17-2014 |
20140208428 | MITIGATING SECURITY RISKS VIA CODE MOVEMENT - A method includes performing on a computing system a source-to-sink reachability analysis of code of an application. The reachability analysis is performed using a static analysis of the code and determines flows from sources of information to sinks that use the information. The method includes determining scopes for corresponding security sensitive operations using the determined flows, each of the security sensitive operations corresponding to statements in the code and one or more flows. A scope for a security sensitive operation includes a block of statements in the code that correspond to a set of one or more flows ending at a sink. The method includes, for each of one or more selected scopes, moving statements in a corresponding block of statements that are independent of a security sensitive operation in the block to code before or after the block. Apparatus and program products are also disclosed. | 07-24-2014 |
20140208429 | Method for Evaluating System Risk - A method for evaluating the vulnerability of a system having at least one portal is provided, wherein at least a portion of the method is implemented via a controller. The method includes examining the at least one portal to identify at least one accessible portal, performing a qualitative analysis responsive to the at least one accessible portal, generating a risk profile responsive to the qualitative analysis, and operating the controller to at least one of log the risk profile in a storage device and display the risk profile via a display device. | 07-24-2014 |
20140208430 | Mitigating Security Risks Via Code Movement - A method includes performing on a computing system a source-to-sink reachability analysis of code of an application. The reachability analysis is performed using a static analysis of the code and determines flows from sources of information to sinks that use the information. The method includes determining scopes for corresponding security sensitive operations using the determined flows, each of the security sensitive operations corresponding to statements in the code and one or more flows. A scope for a security sensitive operation includes a block of statements in the code that correspond to a set of one or more flows ending at a sink. The method includes, for each of one or more selected scopes, moving statements in a corresponding block of statements that are independent of a security sensitive operation in the block to code before or after the block. Apparatus and program products are also disclosed. | 07-24-2014 |
20140208431 | AUTOMATED TOOLS FOR BUILDING SECURE SOFTWARE PROGRAMS - A computer implemented tool is described that includes an assertion generator module that can automatically generate assertions, which are usable to verify application-specific security properties, for a computer software program. An assertion checker module can automatically analyze the computer software program to ensure that it satisfies the application-specific security properties. A graphical user interface module can display feedback to diagnose security flaws detected in the computer software program based on the analysis by the assertion checker module. In support of these modules are a code preprocessor module that can translate source code of the computer software program into an intermediate abstract representation, and a database module that can store the generated assertions and associated data in a database. Each of the modules can provide functionality at any time during code construction of the computer software program. | 07-24-2014 |
20140208432 | TRACING DATA BLOCK OPERATIONS - An apparatus and related method to track data block operations in a cloud system are provided. Attributes associated with the data block operation may be attached to each individual data block targeted by the data block operation. | 07-24-2014 |
20140215628 | Domain Classification Based On Client Request Behavior - Systems and methods for domain classification using the network request behavior of clients are provided. The network requests of a plurality of clients are analyzed to determine a domain corresponding to each request. This information can be used to associate a set of domains with each individual client. Because of the reciprocal nature of a network request, the information is also used to associate a set of clients with each individual domain. Within the plurality of domains associated with the plurality of clients, there may exist known domains having a classification and unknown domains having no classification. Based on the correlation of clients and domains from their respective associations, the system generates domain classification information for at least one of the unknown domains. | 07-31-2014 |
20140215629 | CVSS Information Update by Analyzing Vulnerability Information - An automated system for automatic update of a Common Vulnerability Scoring System (CVSS) score, the system including vulnerability information analyzing functionality to analyze preexisting vulnerability information, the preexisting vulnerability information relating to at least one of at least one vulnerability and at least one attack vector thereof, the at least one vulnerability having a preexisting CVSS score, the preexisting CVSS score being based at least partially on the preexisting vulnerability information, vulnerability information extraction functionality, responsive to the analyzing preexisting vulnerability information, to extract new vulnerability information, the new vulnerability information relating to the at least one of the at least one vulnerability and the at least one attack vector thereof, and CVSS score updating functionality to employ the new vulnerability information to update the preexisting CVSS score. | 07-31-2014 |
20140215630 | Performing an Automated Compliance Audit by Vulnerabilities - An automated enterprise compliance auditing by vulnerabilities system including an enterprise asset database, a compliance regulation including compliance controls, a known asset vulnerabilities database including details of publicly known asset vulnerabilities, compliance control associating functionality to associate each of a set of audited assets with at least a subset of compliance controls of the compliance regulation, the audited assets being a subset of the enterprise assets, vulnerability mapping functionality to map each compliance control to a subset of the known asset vulnerabilities which may impact compliance of at least one of the audited assets therewith, asset scanning functionality to scan each audited asset to ascertain to which publicly known asset vulnerabilities the audited asset is vulnerable, and numeric compliance score calculating functionality to, responsive to the associating, mapping and scanning, calculate for each audited asset, a numeric compliance score for each compliance control associated therewith. | 07-31-2014 |
20140215631 | METHOD AND SYSTEM FOR MONITORING WEBPAGE MALICIOUS ATTRIBUTES - A method for monitoring a malicious attribute of a webpage is disclosed. The method includes the following steps: acquiring webpage query requests submitted by a plurality of clients; crawling a webpage based on the webpage query requests and acquiring crawled webpage contents; counting up a referenced value of a URL based on the webpage contents; calling a predetermined detection program to detect a malicious attribute of the URL based on the referenced value of the URL. The accuracy of detection can be improved by using the method for monitoring a malicious attribute of a webpage provided in the present disclosure. Furthermore, a system for monitoring a malicious attribute of a webpage is further disclosed. | 07-31-2014 |
20140223567 | INCIDENT TRIAGE ENGINE - An incident triage engine performs incident triage in a system by prioritizing responses to incidents within the system. One prioritization method may include receiving attributes of incidents and assets in the system, generating cumulative loss forecasts for the incidents, and prioritizing the responses to the incidents based on the cumulative loss forecasts for the incidents. Another prioritization method may include determining different arrangements of incidents within a response queue, calculating cumulative queue loss forecasts for the different arrangements of incidents within the response queue, and arranging the incidents in the response queue based on the arrangement of incidents that minimizes the total loss to the system over the resolution of all of the incidents present in the response queue. | 08-07-2014 |
20140237602 | AUTOMATIC CORRECTION OF SECURITY DOWNGRADERS - Methods and systems for automatic correction of security downgraders include performing a security analysis that disregards existing user-provided downgraders to detect flows that are vulnerable; locating candidate downgraders on the flows; determining whether each of the candidate downgraders protects against all vulnerabilities associated with each downgrader's respective flow; and transforming candidate downgraders that do not protect against all of the associated vulnerabilities, such that the transformed downgraders do protect against all of the associated vulnerabilities. | 08-21-2014 |
20140237603 | RULE MATCHING IN THE PRESENCE OF LANGUAGES WITH NO TYPES OR AS AN ADJUNCT TO CURRENT ANALYSES FOR SECURITY VULNERABILITY ANALYSIS - A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed. | 08-21-2014 |
20140237604 | Rule Matching In The Presence Of Languages With No Types Or As An Adjunct To Current Analyses For Security Vulnerability Analysis - A method includes reading by a computing system a rule file including one or more rules having specified paths to methods, each method corresponding to one of a sink, source, or sanitizer. The method includes matching by the computing system the methods to corresponding ones of sinks, sources, or sanitizers determined through a static analysis of an application. The static analysis determines at least flows from sources of information to sinks that use the information. The method includes performing by the computing system, using the sinks, sources, and sanitizers found by the matching, a taint analysis to determine at least tainted flows from sources to sinks, wherein the tainted flows are flows passing information to sinks without the information being endorsed by a sanitizer. Apparatus and program products are also disclosed. | 08-21-2014 |
20140237605 | AUTOMATIC CORRECTION OF SECURITY DOWNGRADERS - Systems for automatic correction of security downgraders include a security analysis module configured to perform a security analysis that disregards existing user-provided downgraders to detect flows that are vulnerable; and an enhancer module configured to locate candidate downgraders on the flows, to determine whether each of the candidate downgraders protects against all vulnerabilities associated with each downgrader's respective flow, and to transform candidate downgraders that do not protect against all of the associated vulnerabilities such that the transformed downgraders do protect against all of the associated vulnerabilities. | 08-21-2014 |
20140237606 | SYSTEM AND METHOD FOR PROVIDING AUTOMATED COMPUTER SECURITY COMPROMISE AS A SERVICE - A system for providing automated computer security compromise as a service contains a web server having a web front end running on the web server. The web server has stored therein pentest definitions. A command and control component processes the pentest definitions, builds pentest task tickets and reporting task tickets, and monitors at least one penetration tester component and/or at least one report generator component. The command and control component interacts with a cloud computing environment to scale up or down the number of penetration tester components and the number of report generator components, and assigns task tickets to the penetration tester and report generator components. At least one penetration tester component runs penetration testing modules available inside the penetration testing framework as instructed by the pentest task tickets. At least one report generator component generates reports based on the reporting task tickets generated by the command and control service. | 08-21-2014 |
20140237607 | IDENTIFYING EXPLOITATION OF VULNERABILITIES USING ERROR REPORTS - A tool and method examine error report information from a computer to determine not only whether a virus or other malware may be present on the computer but also may determine what vulnerability a particular exploit was attempting to use to subvert security mechanisms to install the virus. A system monitor may collect both error reports and information about the error report, such as geographic location, hardware configuration, and software/operating system version information, to build a profile of the spread of an attack and to be able to issue notifications related to increased data collection for errors, including crashes related to suspected services under attack. | 08-21-2014 |
20140245448 | APPARATUS AND METHOD FOR ANALYZING PERMISSION OF APPLICATION FOR MOBILE DEVICES AND DETECTING RISK - An apparatus for analyzing a permission of an application for a mobile device, the apparatus comprising: an executable file acquisition unit; a file extraction module; and an execution permission analyzing module configured to detect a security risk which can be caused by the permission on the basis of the permission described in the extracted file, wherein the information related to the permission of the application comprises: information on permission that is declared in the application, permission that the application uses and a function that uses the permission of the application. | 08-28-2014 |
20140245449 | SYSTEM, METHOD, AND SOFTWARE FOR CYBER THREAT ANALYSIS - According to certain embodiments, a cyber threat analysis system generates a network model of a network infrastructure that is used by an organization, assigns a weighting value to each of a plurality of network elements of the network infrastructure according to a relative importance of the each network element to the organization, and generates an attack vector according to a determined vulnerability of the network infrastructure. The attack vector represents one or more illicit actions that may be performed to compromise the network infrastructure. The system may simulate, using a network modeling tool, the attack vector on the network model to determine one or more resulting ramifications of one or more of the plurality of network elements due to the attack vector, and determine a criticality level of the attack vector according to the weighting value of the one or more network elements. | 08-28-2014 |
20140245450 | SYSTEM AND METHOD FOR PATCHING A DEVICE THROUGH EXPLOITATION - A system and method that includes identifying a vulnerability in a computing device; accessing a vulnerability exploitation mapped to the identified vulnerability; at the computing device, executing the vulnerability exploitation and entering an operating mode of escalated privileges; and while in the operating mode of escalated privileges, updating the system with a vulnerability resolution. | 08-28-2014 |
20140245451 | SYSTEM AND METHOD FOR MANAGING INDUSTRIAL PROCESSES - At least some aspects and embodiments disclosed herein provide for a highly configurable dashboard interface through which a PCL or other automatic control device provides information regarding industrial processes managed by the automatic control device or information regarding the automatic control device, itself. In at least one embodiment, the dashboard interface is the first interface displayed when a user logs into an automatic control device. | 08-28-2014 |
20140250533 | MOBILE RISK ASSESSMENT - A query is received from a particular endpoint device identifying a particular wireless access point encountered by the particular endpoint device. Pre-existing risk assessment data is identified for the identified particular wireless access point and query result data is sent to the particular endpoint device characterizing pre-assessed risk associated with the particular wireless access point. In some instances, the query result data is generated based on the pre-existing risk assessment data. In some instances, pre-existing risk assessment data can be the result of an earlier risk assessment carried-out at least in part by an endpoint device interfacing with and testing the particular wireless access point. | 09-04-2014 |
20140259173 | System and Method For Managed Security Assessment and Mitigation - In an embodiment of the invention, a system for assessing vulnerabilities includes: a security management system (SMS); a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that are known by the network device. | 09-11-2014 |
20140259174 | Scalable And Precise String Analysis Using Index-Sensitive Static String Abstractions - A disclosed method includes accessing one or more seeding specifications and a program including computer-readable code and applying the one or more seeding specifications to the program to identify for analysis seeds including strings for corresponding identified string variables. The method includes tracking flows emanating from the identified seeds. The tracking includes computing an integral offset into a tracked string variable for any statements causing such a computation. The tracking also includes providing a string representation based on the computed integral offset, wherein the provided string representation comprises a value of the integral offset and an indication of the corresponding tracked string variable. The tracking further includes modeling string manipulations of the tracked string variables using the string representations. Apparatus and program products are also disclosed. | 09-11-2014 |
20140283080 | IDENTIFYING STORED VULNERABILITIES IN A WEB SERVICE - A computer identifies each web method, of a web service, declared in a web services description language (WSDL) file. The computer adds a node within a directed graph for each web method identified. The computer identifies pairs of web methods declared in the WSDL file in which a match exists between an output parameter of one of the web methods and an input parameter of another one of the web methods. The computer adds an edge within the directed graph for each of the pairs of web methods identified. The computer generates one or more sequences of web methods based on nodes connected by edges within the directed graph, wherein each of the one or more sequences includes at least one of the pairs of web methods identified. The computer tests each of the one or more sequences of web methods to identify stored vulnerabilities in the web service. | 09-18-2014 |
20140283081 | TECHNIQUES FOR CORRELATING VULNERABILITIES ACROSS AN EVOLVING CODEBASE - Methods, apparatus, and systems for characterizing vulnerabilities of an application source code are disclosed. Steps for characterizing vulnerabilities include traversing a representation of the application source code, generating a signature of a potential vulnerability of the application source code, and determining characteristics of the potential vulnerability based on a correlation between the generated signature of the potential vulnerability and previously stored signatures of potential vulnerabilities. | 09-18-2014 |
20140283082 | SYSTEMS AND METHODS FOR DETERMINING POTENTIAL IMPACTS OF APPLICATIONS ON THE SECURITY OF COMPUTING SYSTEMS - A computer-implemented method for determining potential impacts of applications on the security of computing systems may include (1) identifying an application subject to a security vulnerability assessment, (2) requesting information that identifies a potential impact of the application on a vulnerability of at least one computing system to at least one exploit associated with the application, (3) receiving the information that identifies the potential impact of the application on the vulnerability of the computing system, wherein the information may be derived at least in part from data from at least one additional computing system on which the application has previously been installed and (4) directing a determination about an installation of the application on the computing system based at least in part on the information that identifies the potential impact of the application on the vulnerability of the computing system. Various other methods, systems, and computer-readable media are also disclosed. | 09-18-2014 |
20140283083 | SYSTEM AND METHOD FOR CORRELATING LOG DATA TO DISCOVER NETWORK VULNERABILITIES AND ASSETS - The system and method described herein relates to a log correlation engine that may cross-reference or otherwise leverage existing vulnerability data in an extensible manner to support network vulnerability and asset discovery. In particular, the log correlation engine may receive various logs that contain events describing observed network activity and discover a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability. The log correlation engine may then obtain information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generate a report that the indicated vulnerability was discovered in the network, wherein the report may include the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule. | 09-18-2014 |
20140283084 | AUTOMATIC MALIGNANT CODE COLLECTING SYSTEM - An automatic malignant code collecting system comprises a first database configured to store detection target website information, a virtual machine controller configured to read the website information from the first database and transmit the website information, a first virtual machine configured to periodically gain access to a website using the website information and to collect a malignant code and evidence thereof if an abnormal event occurs when the first virtual machine gains access to the website, a second virtual machine configured to periodically gain access to the same website as accessed by the first virtual machine using the website information received from the virtual machine controller and to collect a malignant code and evidence thereof if an abnormal event occurs when the second virtual machine gains access to the website, and a second database configured to store the malignant code and the evidence thereof collected by the first virtual machine and the second virtual machine. | 09-18-2014 |
20140283085 | INTERNET PROTOCOL THREAT PREVENTION - Blocking high-risk IP connections in real-time while allowing tailoring of an acceptable risk profile to match the security requirements of network resources. By acquiring IP threat information about IP addresses, including risk confidence levels, assigning weighting factor values corresponding to various characteristics of the IP addresses, and mathematically transforming the risk confidence levels using the weighting factor values, traffic from IP addresses posing unacceptable levels of risk is blocked. Further, mathematically transforming risk confidence level to a user-defined acceptable risk level permits allowing traffic from the IP addresses having an acceptable level of risk. | 09-18-2014 |
20140289859 | MOBILE APPLICATION SECURITY SCORE CALCULATION - The security or other attributes of mobile applications may be assessed and assigned a security score. In one implementation, a device may obtain information relating to the mobile applications, and may determine, for each of the mobile applications, a number of security scores. Each of the security scores may define a level of risk for a security category relating to a mobile application. The device may further combine the security scores, for each of the mobile applications, to obtain, for each of the mobile applications, a final security score. | 09-25-2014 |
20140298471 | Evaluating Security of Data Access Statements - Techniques are provided for evaluating the security of data access statements. Specifically, in one embodiment of the claimed subject matter there is provided a technique for evaluating the security of data access statements, comprising: evaluating the criticality of multiple SQL statements contained in multiple sessions accessing a database; generating a critical item set from the multiple sessions, each element in the critical item set indicating one or more SQL statements contained in a session; extracting at least one association rule from the critical item set, each of the at least one association rule indicating a sequence of SQL statements contained in a session; and calculating the criticality of each of the at least one association rule. | 10-02-2014 |
20140298472 | Method and Apparatus for Automated Vulnerability Detection - A method executable via operation of configured processing circuitry to identify vulnerabilities in program code may include receiving a program and employing a disassembler to disassemble the program, generating a function call tree for the program based on disassembly of the program, receiving an indication of a post condition for which analysis of the program is desired, transforming program statements into logical equations, simplifying the logical equations, propagating post conditions backwards via Dijkstra's weakest precondition variant, analyzing aliases and processing loops to generate a precondition, and using an automated solver to determine whether the precondition is realizable and, if so, providing program inputs required to realize the precondition. | 10-02-2014 |
20140298473 | Methods and Systems for Automated Network Scanning in Dynamic Virtualized Environments - Systems and methods for managing jobs to be scanned based on existence of processing nodes are described. One of the methods includes obtaining identification information regarding operation of a first set of the processing nodes from an inventory and creating a job for scanning the processing nodes of the first set for security vulnerability. The job includes the identification information. The method further includes verifying the inventory to determine the first identifying information of the first set of processing nodes for removal from the job and loading the job having second identifying information for a second set of processing nodes that remain after the verifying operation. | 10-02-2014 |
20140298474 | AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING - Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output. | 10-02-2014 |
20140304821 | ESTIMATING ASSET SENSITIVITY USING INFORMATION ASSOCIATED WITH USERS - Automatically estimating a sensitivity level of an information technology (IT) asset in one aspect may obtain information about an asset. Characteristics of the asset assigned based on the information may be compared with stored characteristics of known sensitive assets. A sensitivity level of the asset may be determined based on the comparing. | 10-09-2014 |
20140304822 | Systems and Methods for Managing Data Incidents - Systems and methods for managing a data incident are provided herein. Exemplary methods may include receiving data breach data that comprises information corresponding to the data breach, automatically generating a risk assessment from a comparison of data breach data to privacy rules, the privacy rules comprising at least one federal rule and at least one state rule, each of the rules defining requirements associated with data breach notification laws, and providing the risk assessment to a display device that selectively couples with the risk assessment server. | 10-09-2014 |
20140310812 | IDENTIFYING SECURITY VULNERABILITIES RELATED TO INTER-PROCESS COMMUNICATIONS - Identifying security vulnerabilities related to inter-process communications by identifying within the instructions of a computer software application an object creation location configured to create an inter-process communications object, identifying within the instructions of the computer software application a location of an inter-process communications method, determining whether a path exists for an inter-process communications object created at the object creation location to propagate to the inter-process communications method, classifying with a classification selected from a plurality of predefined classifications, any of the inter-process communications object, the object creation location, and the location of the inter-process communications method, and reporting as a security vulnerability the classified inter-process communications object, object creation location, or location of the inter-process communications method if the path exists and if the classification is predefined to indicate that reporting is warranted. | 10-16-2014 |
20140310813 | DETERMINING SOFTWARE METRICS - A method of determining a metric of software code may include generating a flow graph for software code that includes multiple flow graph nodes, including an entry point node, a termination point node, and a metric node. The method may also include generating a contracted flow graph based on the flow graph that includes multiple contracted flow graph nodes. The method may further include determining a through path count within the contracted flow graph based on the contracted flow graph nodes between a first contracted flow graph node that includes the entry point node and a second contracted flow graph node that includes the termination point node. The method may also include determining a metric entry path count within the contracted flow graph based on the contracted flow graph nodes between the first contracted flow graph node and a third contracted flow graph node that includes the metric node. | 10-16-2014 |
20140310814 | IDENTIFYING SECURITY VULNERABILITIES RELATED TO INTER-PROCESS COMMUNICATIONS - Identifying security vulnerabilities related to inter-process communications by identifying within the instructions of a computer software application an object creation location configured to create an inter-process communications object, identifying within the instructions of the computer software application a location of an inter-process communications method, determining whether a path exists for an inter-process communications object created at the object creation location to propagate to the inter-process communications method, classifying with a classification selected from a plurality of predefined classifications, any of the inter-process communications object, the object creation location, and the location of the inter-process communications method, and reporting as a security vulnerability the classified inter-process communications object, object creation location, or location of the inter-process communications method if the path exists and if the classification is predefined to indicate that reporting is warranted. | 10-16-2014 |
20140310815 | SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR ADAPTING THE SECURITY MEASURES OF A COMMUNICATION NETWORK BASED ON FEEDBACK - An adaptable network security system includes trust mediator agents that are coupled to each network component. Trust mediator agents continuously detect changes in the security characteristics of the network and communicate the detected security characteristics to a trust mediator. Based on the security characteristics received from the trust mediator agents, the trust mediator adjusts security safeguards to maintain an acceptable level of security. Trust mediator also uses predetermined rules in determining whether to adjust security safeguards. Despite inevitable changes in security characteristics, an acceptable level of security and efficient network operation are achieved without subjecting users of the network to over burdensome security safeguards. | 10-16-2014 |
20140317747 | Partitioning of Program Analyses into Sub-Analyses Using Dynamic Hints - An exemplary method includes performing a first static analysis to locate elements within a program and instrumenting the program to enable a subsequent dynamic analysis based on the located elements. The method includes executing the instrumented program and performing during execution analysis to determine individual sets of statements in the program affected by a corresponding element. The method includes partitioning the sets of statements into partitions based on one or more considerations, each partition including one or more of the elements. The method includes performing a second static analysis on the partitions of the program to produce results and outputting the results. The method may be performed for, e.g., security (e.g., taint) analysis, buffer overflow analysis, and typestate analysis. Apparatus and program products are also disclosed. | 10-23-2014 |
20140317748 | Partitioning of Program Analyses into Sub-Analyses Using Dynamic Hints - An exemplary apparatus and computer program product are disclosed which employ a method that includes performing a first static analysis to locate elements within a program and instrumenting the program to enable a subsequent dynamic analysis based on the located elements. The method includes executing the instrumented program and performing during execution analysis to determine individual sets of statements in the program affected by a corresponding element. The method includes partitioning the sets of statements into partitions based on one or more considerations, each partition including one or more of the elements. The method includes performing a second static analysis on the partitions of the program to produce results and outputting the results. The method may be performed for, e.g., security (e.g., taint) analysis, buffer overflow analysis, and typestate analysis. | 10-23-2014 |
20140317749 | SYSTEMS AND METHODS FOR AUTOMATING BLIND DETECTION OF COMPUTATIONAL VULNERABILITIES - Methods for blind detection of computational vulnerabilities include the submission by a detecting system of potentially interpretable information to a target system; measurement of the timing characteristics of the output from the target system by the detecting system; and diagnosis of the vulnerabilities of the target system by the detecting system as based on the timing characteristics, optionally in conjunction with auxiliary data. Invented systems provide reference implementations of these methods. | 10-23-2014 |
20140317750 | SYSTEMS AND METHODS FOR ASSESSING SECURITY RISK - Systems and methods for providing identification tests. In some embodiments, a system and a method are provided for generating and serving to a user an animated challenge graphic comprising a challenge character set whose appearance may change over time. In some embodiments, marketing content may be incorporated into a challenge message for use in an identification test. The marketing content may be accompanied by randomly selected content to increase a level of security of the identification test. In some embodiments, a challenge message for use in an identification test may be provided based on information regarding a transaction for which the identification test is administered. For example, the transaction information may include a user identifier such as an IP address. In some embodiments, identification test results may be tracked and analyzed to identify a pattern of behavior associated with a user identifier. A score indicative of a level of trustworthiness may be computed for the user identifier. | 10-23-2014 |
20140317751 | SYSTEMS AND METHODS FOR ASSESSING SECURITY RISK - Systems and methods for providing identification tests. In some embodiments, a system and a method are provided for generating and serving to a user an animated challenge graphic comprising a challenge character set whose appearance may change over time. In some embodiments, marketing content may be incorporated into a challenge message for use in an identification test. The marketing content may be accompanied by randomly selected content to increase a level of security of the identification test, hi some embodiments, a challenge message for use in an identification test may be provided based on information regarding a transaction for which the identification test is administered. For example, the transaction information may include a user identifier such as an IP address. In some embodiments, identification test results may be tracked and analyzed to identify a pattern of behavior associated with a user identifier. A score indicative of a level of trustworthiness may be computed for the user identifier. | 10-23-2014 |
20140317752 | COMPUTER NETWORK SECURITY PLATFORM - A computer system for managing security information for an organization includes a scanner execution module configured to automatically execute at least two scanners at a predetermined interval to analyze potential vulnerabilities of a computer environment. A vulnerability is acquired from the at least two scanners and stored in a data store. A user associated with the analyzed computer environment is determined based on the vulnerability stored in the data store, and the user is notified of the vulnerability. | 10-23-2014 |
20140325657 | SYSTEMS AND METHODS FOR ASSESSING SECURITY RISK - Systems and methods for providing identification tests. In some embodiments, a system and a method are provided for generating and serving to a user an animated challenge graphic comprising a challenge character set whose appearance may change over time. In some embodiments, marketing content may be incorporated into a challenge message for use in an identification test. The marketing content may be accompanied by randomly selected content to increase a level of security of the identification test. In some embodiments, a challenge message for use in an identification test may be provided based on information regarding a transaction for which the identification test is administered. For example, the transaction information may include a user identifier such as an IP address. In some embodiments, identification test results may be tracked and analyzed to identify a pattern of behavior associated with a user identifier. A score indicative of a level of trustworthiness may be computed for the user identifier. | 10-30-2014 |
20140325658 | Method and System for Simulating the Effects of an Attack on a Computer Code - Methods and systems of simulating the effects of an attack seeking fraudulently to modify target code that is interpretable by a processor are disclosed. Various implementations may include means and operations for searching for a set of sensitive instructions in the target code; generating an interpretable “simulation” code having instructions representing the result of said attack on the set of instructions; selecting memory registers that might be accessed during the interpretation of the simulation code; interpreting at least a portion of the simulation code; and storing at least one value of the registers during the interpretation in order to enable the effects of the attack to be analyzed. | 10-30-2014 |
20140325659 | MALWARE RISK SCANNER - A technique for improving the installation of anti-malware software performs an analysis of a computer on which anti-malware software is to be installed prior to complete installation of the anti-malware software. If the analysis determines that the computer may already contain malware, then an attempt may be made to scan and clean the computer prior to the installation of a portion of the anti-malware software. Otherwise, the pre-installation scan and clean may be bypassed, allowing the installation of that portion of the anti-malware software. | 10-30-2014 |
20140325660 | K-ZERO DAY SAFETY - Systems and methods for determining a safety level of a network vulnerable to attack from at least one origin to at least one target are described. Machines, components, and vulnerabilities in a network may be associated to one another. Degrees of similarity among the vulnerabilities may be determined and subsets of vulnerabilities may be grouped based on their determined degrees of similarity to one another. This data may be used to generate an attack graph describing exploitation of vulnerabilities and grouped vulnerabilities and defining vulnerability exploit condition relationships between at least one origin and at least one target. The attack graph may be analyzed using a k-zero day metric function to determine a safety level. | 10-30-2014 |
20140325661 | SYSTEMS, METHODS, APPARATUSES, AND COMPUTER PROGRAM PRODUCTS FOR FORENSIC MONITORING - Systems, methods, apparatuses, and computer program products are provided for forensic monitoring. A system may include a forensic analysis apparatus and one or more monitored apparatuses. A monitored apparatus may monitor activity on the monitored apparatus and extract forensic data based at least in part on monitored activity. The forensic data may be transferred from the monitored apparatus to the forensic analysis apparatus for processing and analysis. | 10-30-2014 |
20140325662 | PROTECTING AGAINST SUSPECT SOCIAL ENTITIES - A method includes identifying data on a social network that is associated with a suspect social entity, and determining one or more characteristics of the identified data. A reference to the identified data is generated for each of the one or more characteristics. One or more of the generated references are compared to one or more stored references, where the one or more stored references are associated with a protected social entity. A profile score for the suspect social entity is determined based on the comparison. Determining the profile score includes identifying a match between one or more of the generated references and one or more of the stored references. | 10-30-2014 |
20140331326 | IT Vulnerability Management System - A system for automatically managing vulnerabilities may determine vulnerability data describing vulnerabilities in an information technology environment and then assign each vulnerability to a stakeholder for remediation. The system may receive a remediation proposal from the stakeholder, obtain approval for the remediation proposal, and facilitate remediation of the vulnerability based on the proposal. | 11-06-2014 |
20140331327 | METHOD AND SYSTEM OF RUNTIME ANALYSIS - A method and a system for detecting one or more security vulnerabilities. The method comprises providing test instructions for an application, such as a web application or a client server application, adding test code to a code segment of the application according to the test instructions, sending at least one message to the application according to the test instructions at runtime thereof, monitoring test information pertaining to at least one reaction of the application to the at least one message during an execution of the test code, performing an analysis of the at least one reaction, and detecting a presence or an absence of at least one security vulnerability according to the analysis. | 11-06-2014 |
20140331328 | Honey Monkey Network Exploration - A network can be explored to investigate exploitive behavior. For example, network sites may be actively explored by a honey monkey system to detect if they are capable of accomplishing exploits, including browser-based exploits, on a machine. Also, the accomplishment of exploits may be detected by tracing events occurring on a machine after visiting a network site and analyzing the traced events for illicit behavior. Alternatively, site redirections between and among uniform resource locators (URLs) may be explored to discover relationships between sites that are visited. | 11-06-2014 |
20140337982 | Risk Prioritization and Management - Methods for managing and prioritizing risk include receiving a data set and analyzing the data set for duplicates, false positives, false negatives, and tool errors. Said duplicates, false positives, false negatives and results of tool errors are removed from the data set, creating an input file. The input file is compared against compliance standards to identify any weaknesses, defects, bugs, flaws, vulnerabilities, and/or failures in the input file. The compared input file is mapped to Common Weakness Enumeration standards. A risk prioritization can be generated based on the mapped results. At least one report can be generated based on the risk prioritization. | 11-13-2014 |
20140344936 | SOFTWARE VULNERABILITY NOTIFICATION VIA ICON DECORATIONS - A computer identifies computer software applications installed on a computer. The computer sends an electronic request to a program on a server computer that extracts information about the identified computer software applications having a vulnerability. The computer receives the extracted information. The computer generates an icon decoration for the vulnerability, wherein the icon decoration readily displays the level of risk associated with the vulnerability and information about a security update for the vulnerability. The computer adds the icon decoration onto each icon of the identified computer software application and onto each icon of electronic documents associated with that application. | 11-20-2014 |
20140344937 | Method and System of Attack Surface Detection - The invention comprises a method of using sensor agents to collect information in a central location to determine the entire attack surface of all certificate-based resources, which includes vulnerable, insecure, or unknown resources but also includes where all the secure resources are located and the attack surface for each certificate resource. If a vulnerable resource is detected, the system may initiate additional sensor agents to determine the threat caused by the vulnerability. The system can also assign a rating to the overall security of the network based on vulnerabilities and display the attack surface in a topographic format for easy review by administrators. | 11-20-2014 |
20140344938 | Progressive Static Security Analysis - A disclosed method includes determining modifications have been made to a program and deriving data flow seeds that are affected by the modifications. The method includes selecting one of the data flow seeds that are affected by the modifications or data flow seeds that are not affected by the modifications but that are part of flows that are affected by the modifications and performing a security analysis on the program. The security analysis includes tracking flows emanating from the selected data flow seeds to sinks terminating the flows. The method includes outputting results of the security analysis. The results comprise one or more indications of security status for one or more of the flows emanating from the selected data flow seeds. At least the deriving, selecting, and performing are performed using a static analysis of the program. Apparatus and program products are also disclosed. | 11-20-2014 |
20140344939 | Progressive Static Security Analysis - A disclosed method includes determining modifications have been made to a program and deriving data flow seeds that are affected by the modifications. The method includes selecting one of the data flow seeds that are affected by the modifications or data flow seeds that are not affected by the modifications but that are part of flows that are affected by the modifications and performing a security analysis on the program. The security analysis includes tracking flows emanating from the selected data flow seeds to sinks terminating the flows. The method includes outputting results of the security analysis. The results comprise one or more indications of security status for one or more of the flows emanating from the selected data flow seeds. At least the deriving, selecting, and performing are performed using a static analysis of the program. Apparatus and program products are also disclosed. | 11-20-2014 |
20140344940 | Security countermeasure management platform - A management platform that allows security and compliance users to view risks and vulnerabilities in their environment with the added context of what other mitigating security countermeasures are associated with that vulnerability and that are applicable and/or available within the overall security architecture. Additionally, the platform allows users to take one or more actions from controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place. | 11-20-2014 |
20140351939 | SYSTEMS AND METHODS FOR DETERMINING AN OBJECTIVE SECURITY ASSESSMENT FOR A NETWORK OF ASSETS - A security assessment tool can determine computer assets in a network and provide an overall security score for the network. The overall security score can represent an objective measure of the security of the network that considers potential security threats to the computer assets, counter measures deployed in the network to address the potential security threats, and the effectiveness of the counter measures. Based on the overall security assessment, the security assessment tool can provide recommendations for improving the security of the network. | 11-27-2014 |
20140351940 | SYSTEMS AND METHODS FOR ASSESSING SECURITY FOR A NETWORK OF ASSETS AND PROVIDING RECOMMENDATIONS - A security assessment tool can determine computer assets in a network and provide an overall security score for the network. The overall security score can represent an objective measure of the security of the network that considers potential security threats to the computer assets, counter measures deployed in the network to address the potential security threats, and the effectiveness of the counter measures. Based on the overall security assessment, the security assessment tool can provide recommendations for improving the security of the network. | 11-27-2014 |
20140351941 | METHOD OF DEFENDING A COMPUTER FROM MALWARE - To defend a computer against malware, first executable code, of the computer, that includes a signature that identifies an address, in the computer's memory, of a respective data structure that is potentially vulnerable to tampering, is identified. The first executable code is copied to provide second executable code that emulates the first executable code using its own respective data structure. The first executable code is modified to jump to the second executable code before accessing the data structure, and also so that the signature identifies the address of a guard page. | 11-27-2014 |
20140351942 | METHODS AND APPARATUS PROVIDING AUTOMATIC SIGNATURE GENERATION AND ENFORCEMENT - A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack. | 11-27-2014 |
20140359776 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR AUTOMATICALLY MITIGATING VULNERABILITIES IN SOURCE CODE - A method for automatically mitigating vulnerabilities in the source code of an application is provided in the present invention. The method includes the following steps. First, the source code is compiled, and a path graph is built according to the compiled source code. The path graph includes a plurality of paths traversing from sources to sinks, and each of the paths includes a plurality of nodes. Then, at least one tainted path is identified by enabling a plurality of vulnerability rules. Each of the at least one tainted path corresponds to a vulnerability, and each of the at least one vulnerability corresponds to a sanitization method. It is then determined whether the at least one vulnerability is mitigable. If the at least one vulnerability is mitigable, the at least one vulnerability is mitigated automatically. Furthermore, the method may be implemented as a system and a computer program product. | 12-04-2014 |
20140359777 | CONTEXT-AWARE RISK MEASUREMENT MOBILE DEVICE MANAGEMENT SYSTEM - A mobile device management server and method are provided for determining the security risk of deployed mobile devices. The mobile device management server receives risk measurements from mobile devices that are used to calculate a risk score based on rules. The risk score can also be adjusted by correlating the received risk measurements with past security breaches or typical usage measurements. The calculated risk score is compared to one or more thresholds to determine whether to take a protective action that is associated with exceeding a threshold. | 12-04-2014 |
20140359778 | FUNCTION-TARGETED VIRTUAL MACHINE SWITCHING - Technologies are provided for function-targeted virtual machine switching. In some examples, function usage times on a virtual machine (VM) may be profiled by a virtual machine manager (VMM) and used to manage VM switching in order to preferentially switch VMs during specific targeted functions. The targeted functions and/or VM switching preferences may be adjusted over time in order to provide switching unpredictability, for example to frustrate side-channel attackers by forcing the attackers to gather data for much longer periods of time (e.g., weeks or months) if they want to detect or attack. | 12-04-2014 |
20140359779 | OPTIMIZING TEST DATA PAYLOAD SELECTION FOR TESTING COMPUTER SOFTWARE APPLICATIONS VIA COMPUTER NETWORKS - Testing a computer software application by configuring a first computer to execute a copy of data-checking software used by a computer software application at a second computer, processing a first copy of a test data payload using the data-checking software at the first computer, where the test data payload is configured to test for an associated security vulnerability, determining that the first copy of the test data payload is endorsed by the data-checking software at the first computer for further processing, and sending a second copy of the test data payload via a computer network to the computer software application at the second computer for processing at the second computer. | 12-04-2014 |
20140359780 | ANTI-CYBER ATTACKS CONTROL VECTORS - A method for calculating an effectiveness of anti-cyber attack controls, the method comprising using at least one hardware processor for: providing a matrix of attack method and technology layer pairs; providing anti-attack effectiveness values for a plurality of controls against the attack method and technology layer pairs; composing control groups each comprising multiple ones of said plurality of controls having the highest anti-attack effectiveness values; deriving control vectors from said control groups, said deriving being based on a regression analysis of all possible orders of controls in each one of said control groups; and displaying an effectiveness measure of at least some of the plurality of controls, based on the control vectors. | 12-04-2014 |
20140366140 | ESTIMATING A QUANTITY OF EXPLOITABLE SECURITY VULNERABILITIES IN A RELEASE OF AN APPLICATION - Examples disclosed herein relate to estimating a quantity of exploitable security vulnerabilities in a release of an application. Examples include acquiring a source code analysis result representing a number of source code issues identified by source code analysis in a target release of an application. Examples further include estimating a quantity of exploitable security vulnerabilities contained in the target release of the application based on the source code analysis result and metrics for a plurality of historic releases of the application. | 12-11-2014 |
20140366141 | Apparatus, System, and Method for Reconciling Network Discovered Hosts Across Time - Apparatus, systems, and methods for matching network assets that were previously discovered by a network vulnerability assessment to a not yet reconciled network vulnerability assessment, and allowing for the association of network assets with their corresponding assessed hosts that were discovered as part of different point-in-time network vulnerability assessments. | 12-11-2014 |
20140366142 | APPARATUS AND METHOD FOR ANALYZING VULNERABILITY OF ZIGBEE NETWORK - The present invention relates to an apparatus and method for analyzing vulnerability of a Zigbee network. For this, the apparatus of the present invention for analyzing vulnerability of a Zigbee network includes an allocation supporting unit for analyzing an environment of a Zigbee network and allocating a plurality of analyzers to multiple channels of the Zigbee network. A public vulnerability inspection unit inspects the Zigbee network for predefined public vulnerabilities via the plurality of analyzers. A new vulnerability analysis unit analyzes new vulnerabilities of the Zigbee network via the plurality of analyzers. | 12-11-2014 |
20140366143 | METHOD FOR RISK ASSESSMENT OF APPLICATIONS BASED ON REQUESTED PERMISSIONS - A system and method for risk assessment of installing and executing of an application executable on a platform, the method comprising: categorizing the application to one of a list of application categories, comparing permissions requested by the application to a predetermined list of permissions related to the category of the application and representing a permissible level of risk, and providing information indicative of a level of correlation between the permissions requested by the application and the predetermined list of permissions. | 12-11-2014 |
20140366144 | MULTI-DIMENSIONAL REPUTATION SCORING - Methods and systems for assigning reputation to communications entities include collecting communications data from distributed agents, aggregating the communications data, analyzing the communications data and identifying relationships between communications entities based upon the communications data. | 12-11-2014 |
20140366145 | METHODS AND SYSTEMS FOR EVALUATING SOFTWARE FOR KNOWN VULNERABILITIES - A vulnerability identification and resolution (VIR) computer device for identifying security vulnerabilities in a computer system is provided. The VIR computer device includes a memory device for storing data including data representing computing assets installed in the computer system and a processor in communication with the memory device. The VIR computer device is programmed to receive an asset identifier identifying a computing asset selected for evaluation and execute a query on at least one database storing security vulnerabilities, the query searching for security vulnerability data associated with the selected computing asset. The VIR computer device is further programmed to receive the security vulnerability data at the VIR computer device in response to the query. | 12-11-2014 |
20140366146 | INTERACTIVE ANALYSIS OF A SECURITY SPECIFICATION - Analyzing a security specification. An embodiment can include identifying a downgrader in a computer program under test. Testing on the downgrader can be performed in a first level of analysis. Responsive to the downgrader not passing the testing performed in the first level of analysis, a counter example for the downgrader can be automatically synthesized. Further, a test unit can be created for the downgrader using the counter example as an input parameter to the downgrader. The test unit can be executed to perform testing on the downgrader in a second level of analysis. Responsive to the downgrader passing the testing performed in the second level of analysis, a user can be prompted to simplify a model of the downgrader. | 12-11-2014 |
20140373157 | After-the-Fact Configuration of Static Analysis Tools Able to Reduce User Burden - A method includes mapping, based on a first mapping from possible security findings to possible configuration-related sources of imprecision, actual security findings from a static analysis of a program to corresponding configuration-related sources of imprecision, the mapping of the actual security findings creating a second mapping. A user is requested to configure selected ones of the configuration-related sources of imprecision from the second mapping. Responsive to a user updating configuration corresponding to the selected ones of the configuration-related sources of imprecision, security analysis results are updated for the static analysis of the program at least by determining whether one or more security findings from the security analysis results are no longer considered to be vulnerable based on the updated configuration by the user. The updated security analysis results are output. Apparatus and program products are also disclosed. | 12-18-2014 |
20140373158 | DETECTING SECURITY VULNERABILITIES ON COMPUTING DEVICES - Identifying security vulnerabilities on computing devices by gathering information about a first software application with which a computing device is configured, selecting, using any of the information, an attack specification from a set of predefined attack specifications, attacking the first software application on the computing device with an attack that is in accordance with the selected attack specification, identifying a post-attack condition associated with the first software application, determining whether the post-attack condition is consistent with a predefined security vulnerability, and performing a predefined action associated with the predefined security vulnerability responsive to determining that the post-attack condition is consistent with the predefined security vulnerability, where the gathering, selecting, attacking, identifying, determining, and performing are performed by a second software application during execution of the second software application on the computing device. | 12-18-2014 |
20140373159 | After-The-Fact Configuration Of Static Analysis Tools Able To Reduce User Burden - A method includes mapping, based on a first mapping from possible security findings to possible configuration-related sources of imprecision, actual security findings from a static analysis of a program to corresponding configuration-related sources of imprecision, the mapping of the actual security findings creating a second mapping. A user is requested to configure selected ones of the configuration-related sources of imprecision from the second mapping. Responsive to a user updating configuration corresponding to the selected ones of the configuration-related sources of imprecision, security analysis results are updated for the static analysis of the program at least by determining whether one or more security findings from the security analysis results are no longer considered to be vulnerable based on the updated configuration by the user. The updated security analysis results are output. Apparatus and program products are also disclosed. | 12-18-2014 |
20140373160 | VULNERABILITY COUNTERMEASURE DEVICE AND VULNERABILITY COUNTERMEASURE METHOD - A vulnerability countermeasure device stores configuration information associating multiple computers connected via a network with the software possessed by each computer, vulnerability information associating the software with information related to the vulnerability of the software, and countermeasure policy information associating the software with a countermeasure policy to be executed if there is a vulnerability in the software; calculates the computer that data will reach based on route information included in the data received from a user terminal; acquires the software existing on the calculated computer based on the configuration information; assesses whether or not there is a vulnerability in the acquired software based on the acquired software and the vulnerability information; and is provided with a countermeasure unit for executing a countermeasure to a vulnerability in accordance with a countermeasure policy with respect to the software assessed to have the vulnerability. | 12-18-2014 |
20140373161 | METHODS AND SYSTEMS FOR COMPLYING WITH NETWORK SECURITY REQUIREMENTS - The present invention provides for methods and systems for complying with network security requirements, particularly those defined by NERC CIP. In particular, the invention provides for methods and systems for identifying a set of network security risks on a computing device, refining the set of network security risks requiring documentation as defined by the requirements, creating documentation on the necessity of the network security risks, and creating a report comprising a listing of the refined set of network security risks and documentation for auditing and compliance purposes. | 12-18-2014 |
20140373162 | SECURITY STATUS AND INFORMATION DISPLAY SYSTEM - Systems and methods disclosed herein provide a security component on a server that may be in communication with a database containing mobile device security information. The server security component may receive event information regarding a mobile device from a local security component on the mobile device. The event information may be processed by the server to assess the security state of the mobile device by comparing the event information to the mobile device security information. Based on the processing, an assessment of the security state of the mobile device may be output by the server for display. | 12-18-2014 |
20140380484 | Intelligent Risk Level Grouping for Resource Access Recertification - A computing device receives requests for approval of a plurality of access entitlements, which includes respective identity accounts, each associated with security intelligence information. The computing device determines risk factors for each respective identity account and associated security intelligence information, and determines a risk level for each of the plurality of access entitlements based at least in part on the risk factors. The computing device groups the plurality of access entitlements based on the risk level determined for each of the plurality of access entitlements. The computing device determines if the risk level of a group is low-risk based on the risk level of the plurality of access entitlements of the group, and in response to determining the risk level of the group is low risk, the computing device enables approval of the plurality of access entitlements of the group. | 12-25-2014 |
20140380485 | METHODS AND SYSTEMS FOR USE IN ANALYZING CYBER-SECURITY THREATS IN AN AVIATION PLATFORM - Methods and systems for use in analyzing cyber-security threats for an aircraft are described herein. One example method includes generating an interconnection graph for a plurality of interconnected aircraft systems. The interconnection graph includes a plurality of nodes and a plurality of links. The method also includes defining a cost function for a cyber-security threat to traverse each link and defining a requirements function for a cyber-security threat to exploit each node. The method further includes generating a set of threat traversal graphs for each cyber-security threat of a plurality of cyber-security threats. | 12-25-2014 |
20140380486 | Automated Detection and Validation of Sanitizers - Methods, systems, and computer-readable storage media for analyzing security of dataflows in programs. In some implementations, actions include processing source code using static analysis to: identify one or more dataflows and one or more candidate sanitizers, each candidate sanitizer being associated with a respective dataflow, and provide an executable sub-program for each candidate sanitizer to provide one or more executable sub-programs, processing the one or more executable sub-programs using dynamic analysis to: execute the one or more executable sub-programs, and provide dynamic analysis results, providing combined results based on the static analysis and the dynamic analysis, the combined results including the dynamic analysis results, and assigning a priority to each result in the combined results. | 12-25-2014 |
20140380487 | SYSTEM AND METHOD FOR LIMITING EXPLOITABLE OR POTENTIALLY EXPLOITABLE SUB-COMPONENTS IN SOFTWARE COMPONENTS - Approaches for limiting exploitable or potentially exploitable sub-components in software components are disclosed. In certain implementations, a first software component in the component creation environment may be identified. The first software component may include a first sub-component that provides a function that is exploitable or potentially exploitable to compromise the first software component. The first sub-component may be disabled such that the function provided by the first sub-component is not available via the first software component when the first software component is executed. The first software component may be placed in the component repository after the first sub-component is disabled such that the first software component is placed in the component repository without availability of the function provided by the first sub-component. In some implementations, disabling the first sub-component may comprise removing the first sub-component from the first software component. | 12-25-2014 |
20140380488 | PERVASIVE, DOMAIN AND SITUATIONAL-AWARE, ADAPTIVE, AUTOMATED, AND COORDINATED ANALYSIS AND CONTROL OF ENTERPRISE-WIDE COMPUTERS, NETWORKS, AND APPLICATIONS FOR MITIGATION OF BUSINESS AND OPERATIONAL RISKS AND ENHANCEMENT OF CYBER SECURITY - Real time security, integrity, and reliability postures of operational (OT), information (IT), and security (ST) systems, as well as slower changing security and operational blueprint, policies, processes, and rules governing the enterprise security and business risk management process, dynamically evolve and adapt to domain, context, and situational awareness, as well as the controls implemented across the operational and information systems that are controlled. Embodiments of the invention are systematized and pervasively applied across interconnected, interdependent, and diverse operational, information, and security systems to mitigate system-wide business risk, to improve efficiency and effectiveness of business processes and to enhance security control which conventional perimeter, network, or host based control and protection schemes cannot successfully perform. | 12-25-2014 |
20150020204 | METHOD, SYSTEM AND SERVER FOR MONITORING AND PROTECTING A BROWSER FROM MALICIOUS WEBSITES - A method and apparatus for protecting a browser from malicious web sites are disclosed. The method includes: sending a request for accessing a web page to a server, and receiving the web page sent by the server; analyzing content of the received web page and displaying on the browser the subsequently analyzed content of the web page. The displaying of the subsequent content includes: generating monitoring data corresponding to monitoring an operation which is initiated and executed by an execution module, and sending the monitoring data to the server for analysis, where the server determines whether the browser would be at risk in executing the corresponding operation by the execution module; if so, sending one or more notices to the browser such that the risk is avoided when the execution module in the browser executes the operation corresponding to the received notice. | 01-15-2015 |
20150020205 | METHOD AND APPARATUS FOR DETECTING SECURITY VULNERABILITY FOR ANIMATION SOURCE FILE - A method for detecting a security vulnerability for an animation source file is provided. The method may include: decompiling the animation source file and acquiring a program structure and a syntactic model of the animation source file; converting the program structure and the syntactic model into an abstract syntax tree (AST); constructing symbol tables and function summaries based on the AST; and performing a taint backtracking on the symbol tables and the function summaries and detecting whether the animation source file has the security vulnerability according to a vulnerability rule. | 01-15-2015 |
20150026813 | METHOD AND SYSTEM FOR DETECTING NETWORK LINK - A method and system for detecting a network link are disclosed. The method includes: receiving copy content by capturing a copy behavior; performing malware detection on a network link in the copy content to obtain a detection result; and generating a risk warning message according to the detection result. The system includes: a receiving module, configured to receive copy content by capturing a copy behavior; a detecting module, configured to perform malware detection on a network link in the copy content to obtain a detection result; and a message generating module, configured to generate a risk warning message according to the detection result. The method and system can reduce the attack risk of a malicious network link. | 01-22-2015 |
20150033346 | SECURITY TESTING FOR SOFTWARE APPLICATIONS - A mapping engine may be used to determine an attack model enumerating software attacks, the software attacks being represented by linked attack components, and may be used to determine a software architecture to be tested, the software architecture being represented by linked architectural components in an architecture diagram. The mapping engine may then associate each attack component and each architectural component with at least one attack tag characterizing attack requirements. A global test plan generator may be used to determine an attack test model, including associating attack components with corresponding architectural components, based on associated attack tags, and may thus generate attack test workflows from the attack test model, to thereby test the software architecture. | 01-29-2015 |
20150033347 | APPARATUS AND METHOD FOR CLIENT IDENTIFICATION IN ANONYMOUS COMMUNICATION NETWORKS - Apparatus and methods for client identification in anonymous communication networks are provided to identify an anonymous client by guiding a network path selection algorithm to select from a small set of relays. A large percentage of the relays in the set are controlled, thus probabilistically forming a pathway connection in which the traffic is routed through the set of relays which are configured to identify client traffic. From the set of controlled relays, if both an entry node and an exit node are selected by the anonymous client, then client identification is possible. Path vulnerabilities are analyzed and results of the analysis determine a probability of selection of unpopular ports. A hidden program modifies the anonymous client machine and traffic from the anonymous client machine is routed through at least one unpopular port in the new path to determine the identity of the anonymous client machine. | 01-29-2015 |
20150033348 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PROVIDING MULTIPLE REMEDIATION TECHNIQUES - A system, method, and computer program product are provided for a database associating a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities. Each of the device vulnerabilities is associated with at least one remediation technique. Each remediation technique associated with a particular device vulnerability remediates that particular vulnerability. Further, each remediation technique has a remediation type selected from the type group consisting of patch, policy setting, and configuration option. Still yet, a first one of the device vulnerabilities is associated with at least two alternative remediation techniques. | 01-29-2015 |
20150033349 | ANTI-VULNERABILITY SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided for receiving actual vulnerability information from at least one first data storage that is generated utilizing potential vulnerability information from at least one second data storage. The actual vulnerability information is generated utilizing the potential vulnerability information. Further, the actual vulnerability information from the at least one first data storage is capable of identifying the plurality of actual vulnerabilities to which the plurality of networked computers are actually vulnerable. In use, an action may be caused to be automatically completed in connection with at least one of the networked devices. | 01-29-2015 |
20150033350 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT WITH VULNERABILITY AND INTRUSION DETECTION COMPONENTS - A system, method, and computer program product are provided including at least one server including at least one first data storage that stores potential vulnerability information describing a plurality of potential vulnerabilities. Also included is a vulnerability component including at least one second data storage for storing actual vulnerability information, and an intrusion prevention component operable for a variety of functionality. | 01-29-2015 |
20150033351 | ANTI-VULNERABILITY SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided including client and server code configured to cooperate, resulting in display, via at least one user interface, of a plurality of user options for causing different actions of different types in connection with at least one of the networked devices that is actually vulnerable to at least one of a plurality of actual vulnerabilities for at least mitigating an occurrence. The user options include a first user option for causing a first action for dropping packets in connection with the at least one networked device for mitigating the occurrence and a second user option for causing a second action for installation of a patch on the at least one networked device for removing the at least one vulnerability from the at least one networked device. Based on receipt of first user input selecting the first option via the at least one user interface, the first action is caused for dropping packets in connection with the at least one networked device for mitigating the occurrence. Based on receipt of second user input selecting the second option via the at least one user interface, the second action is caused for installation of the patch on the at least one networked device, utilizing the client code, for removing the at least one vulnerability from the at least one networked device. | 01-29-2015 |
20150033352 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REPORTING AN OCCURRENCE IN DIFFERENT MANNERS - A system, method, and computer program product are provided for identifying operating system information associated with at least one of a plurality of networked devices, and an occurrence in connection with the at least one of the networked devices. It is also determined whether at least one vulnerability capable of being exploited by the occurrence is relevant to the at least one networked device based on the operating system information. To this end, the occurrence is reported in a first manner if it is determined that the at least one vulnerability capable of being exploited by the occurrence is relevant to the at least one networked device based on the operating system information. Further, the occurrence is reported in a second manner different from the first manner if it is determined that the at least one vulnerability capable of being exploited by the occurrence is not relevant to the at least one networked device based on the operating system information. | 01-29-2015 |
20150033353 | OPERATING SYSTEM ANTI-VULNERABILITY SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided for determining whether an operating system of at least one networked device is actually vulnerable to at least one actual operating system vulnerability based on operating system configuration information. In response to determining that the operating system of the at least one networked device is actually vulnerable to the at least one actual operating system vulnerability, automatic completion of installation of an operating system patch on the operating system of the at least one networked device is caused, utilizing the client code, for removing the at least one actual operating system vulnerability from the operating system of the at least one networked device. | 01-29-2015 |
20150040228 | SELECTION OF A COUNTERMEASURE - Examples disclose a method, executable by a processor, to assign a metric of vulnerability to a virtual machine. Based on the metric of vulnerability, the method places the virtual machine into a detection phase. Additionally, the examples disclose that the method is to receive an alert corresponding to the virtual machine and, based on this received alert, the method implements a countermeasure. | 02-05-2015 |
20150040229 | DYNAMIC SECURITY TESTING - A method and system for discovering and testing security assets is provided. Based on source definition data describing sources to monitor on the one or more computer networks, an example system scans the sources to identify security assets. The system analyses the security assets to identify characteristics of the server-based applications. The system stores database records describing the security assets and the identified characteristics. The system queries the database records to select, based at least on the identified characteristics, one or more target assets, from the security assets, on which to conduct one or more security tests. Responsive to selecting the one or more target assets, the system conducts the one or more security tests on the one or more target assets. The system identifies one or more security vulnerabilities at the one or more target assets based on the conducted one or more security tests. | 02-05-2015 |
20150040230 | MULTI-PATH REMEDIATION - A system, method, and computer program product are provided for a database associating a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities. Each of the device vulnerabilities is associated with at least one remediation technique. Each remediation technique associated with a particular device vulnerability remediates that particular vulnerability. Further, each remediation technique has a remediation type selected from the type group consisting of patch, policy setting, and configuration option. Still yet, a first one of the device vulnerabilities is associated with at least two alternative remediation techniques. | 02-05-2015 |
20150040231 | COMPUTER PROGRAM PRODUCT AND APPARATUS FOR MULTI-PATH REMEDIATION - A system, method, and computer program product are provided for a database associating a plurality of device vulnerabilities to which computing devices can be subject with a plurality of remediation techniques that collectively remediate the plurality of device vulnerabilities. Each of the device vulnerabilities is associated with at least one remediation technique. Each remediation technique associated with a particular device vulnerability remediates that particular vulnerability. Further, each remediation technique has a remediation type selected from the type group consisting of patch, policy setting, and configuration option. Still yet, a first one of the device vulnerabilities is associated with at least two alternative remediation techniques. | 02-05-2015 |
20150040232 | ANTI-VULNERABILITY SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided for identifying a first and second occurrence in connection with at least one of the networked devices. In use, it is possible that it is determined that the at least one actual vulnerability of the at least one networked device is capable of being taken advantage of by the first occurrence identified in connection with the at least one networked device. Further, it is also possible that it is determined that the at least one actual vulnerability of the at least one networked device is not capable of being taken advantage of by the second occurrence identified in connection with the at least one networked device. To this end, the first occurrence and the second occurrence are reported differently. | 02-05-2015 |
20150040233 | SDK-EQUIPPED ANTI-VULNERABILITY SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided including a vulnerability component and a software developer kit (SDK) for allowing access to the vulnerability component via an application program interface (API) for causing an action to be automatically completed in connection with at least one networked device that is actually vulnerable to at least one actual vulnerability. | 02-05-2015 |
20150047045 | AUTOMATIC ALGORITHM DISCOVERY USING REVERSE DATAFLOW ANALYSIS - A system and method for finding vulnerabilities and tracing an end result associated with a vulnerability to its origins in user data. A user data source containing an ordered sequence of user data items may be a data file. In one embodiment the method for identifying, in the user data source, the origins of the end result includes: associating with each user data item a location identifier identifying the location of the user data item in the sequence of user data items; executing instructions with a virtual machine; and associating with each result the location identifier of the data item when one argument is a user data item, and a tag when more than one argument is a user data item. This process may be continued until the end result is obtained. Subsequently, the method may include stepping through the instructions with the virtual machine in reverse order, to trace the origins of the end result to each of the user data items contributing to the result. | 02-12-2015 |
20150047046 | System and Method for Protecting Computers from Software Vulnerabilities - Disclosed herein are systems, methods and computer program products for protecting computer systems from software vulnerabilities. In one aspect, a system is configured to detect execution of a software application and determine whether the detected application has vulnerabilities. When the application has vulnerabilities, the system may analyze the application to identify typical actions performed by the application. The system may then create one or more restriction rules based on the identified typical actions of the application. The restriction rules allow the application to perform typical actions and block atypical actions. The system then controls execution of the application using the created restriction rules. | 02-12-2015 |
20150047047 | System And Method For Monitoring Network Traffic - Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic. | 02-12-2015 |
20150052614 | VIRTUAL MACHINE TRUST ISOLATION IN A CLOUD ENVIRONMENT - Techniques are disclosed for virtual machine trust isolation in an Infrastructure-as-a-Service (IaaS) cloud environment. More specifically, embodiments of the invention monitor levels of suspicious activity on a particular virtual machine using node agents embedded in each physical node. The node agents transmit activity data to a security and relocation engine. If a virtual machine's suspicious activity levels exceed defined suspicious activity thresholds, the security and relocation engine assigns that virtual machine to a different zone. The zones may have reduced connectivity and/or service levels. This enables administrators to more efficiently respond to security threats in the cloud environment. | 02-19-2015 |
20150058993 | SYSTEM AND METHOD FOR DISCOVERING OPTIMAL NETWORK ATTACK PATHS - A computer-implemented method for discovering network attack paths is provided. The method includes a computer generating scoring system results based on analysis of vulnerabilities of nodes in a network configuration. The method also includes the computer applying Bayesian probability to the scoring system results and selected qualitative risk attributes wherein output accounts for dependencies between vulnerabilities of the nodes. The method also includes the computer applying a weighted-average algorithm to the output yielding at least one ranking of nodes in order of likelihood of targeting by an external attacker. | 02-26-2015 |
20150058994 | SYSTEM AND METHODS FOR ADAPTIVE MODEL GENERATION FOR DETECTING INTRUSION IN COMPUTER SYSTEMS - A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records. | 02-26-2015 |
20150067865 | Threat Condition Management - Methods, products, apparatuses, and systems may manage a threat condition. A plurality of triggers may be identified over a period of time. Each of the triggers may be associated with a threat risk value. An accumulation value may be determined based on an aggregation of each threat risk value over the period of time. A set of progressive threshold values associated with a set of progressive threat conditions may be defined. A threat condition from the set of threat conditions may be established for the device based on the accumulation value. The threat condition may be managed, for example by defining an operational mode for the device, in response to the threat condition. | 03-05-2015 |
20150067866 | IDENTIFYING MALICIOUS DEVICES WITHIN A COMPUTER NETWORK - This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device. | 03-05-2015 |
20150067867 | Risk Identification - Systems, methods and apparatuses for analyzing a string of terms (e.g., a search query, text of an email, and the like) are provided. In some examples, a determination is made as to whether one or more terms in the string matches a keyword. If so, various parts of speech of one or more terms in the string of terms may be determined. In some examples, a category of risk of the terms for which the part of speech is identified may also be determined. A risk rating may then be determined for the string of terms based on the relationship between the terms (e.g., the parts of speech) and the category or categories identified. In some examples, one or more additional actions may be implemented based on the risk rating. | 03-05-2015 |
20150067868 | APPARATUS AND METHOD FOR MANIFESTING EVENT TO VERIFY SECURITY OF MOBILE APPLICATION - An apparatus and method for manifesting an event to verify the security of a mobile application are provided. The apparatus for manifesting an event to verify the security of a mobile application includes a tester application production unit, a tester application execution unit, and a tester application daemon execution unit. The tester application production unit produces a tester application for testing an application to be tested based on application information which is extracted from the application to be tested. The tester application execution unit executes the application to be tested by manifesting an event included in the extracted application information, and extracts a user view object output to a screen of a smart device when the application to be tested is executed. The tester application daemon execution unit generates a touch event based on the extracted user view object, and performs a screen change. | 03-05-2015 |
20150082441 | Exploiting Hot Application Programming Interfaces (APIs) and Action Patterns for Efficient Storage of API logs on Mobile Devices for Behavioral Analysis - Methods and devices for detecting suspicious or performance-degrading mobile device behaviors may include performing behavior monitoring and analysis operations to intelligently, dynamically, and/or adaptively determine the mobile device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the behaviors are to be observed. Such behavior monitoring and analysis operations may be performed continuously (or near continuously) in a mobile device without consuming an excessive amount of processing, memory, or energy resources of the mobile device by identifying hot application programming interfaces (APIs) and hot action patterns that are invoked or used most frequently by software applications of the mobile device and storing information regarding these hot APIs and hot action patterns separately and more efficiently. | 03-19-2015 |
20150082442 | System and method to perform secure web application testing based on a hybrid pipelined approach - A processor implemented method of performing secure web application testing based on a hybrid pipelined approach, which includes (a) receiving a scan profile selected from a group that includes (i) a uniform resource locator associated with an application, (ii) one or more scan attack templates, (iii) one or more attack rules, and (iv) one or more automation scan results, (b) generating one or more possible tasks based on the scan profile, (c) selecting at least a sub-set of tasks from the one or more possible tasks, (d) assigning the sub-set of tasks to an automated task performing tool and a user for execution, (e) obtaining one or more task results associated with the sub-set of tasks executed by the automated task performing tool and the user, and (f) updating a database based on the one or more task results. | 03-19-2015 |
20150089656 | SYSTEM AND METHOD FOR AUTOMATED REMEDYING OF SECURITY VULNERABILITIES - In a binary patching system for alleviating security vulnerabilities in a binary representation of a software application, a binary code portion determined to be associated with a security vulnerability is replaced with a replacement binary code that can avoid such vulnerability without substantially changing the functionality of the code portion that was replaced. The replacement binary code can be selected based on properties and/or context of the code portion to be replaced. | 03-26-2015 |
20150096032 | DETECTING VULNERABILITY TO RESOURCE EXHAUSTION - In an aspect of managing resource exhaustion, a method includes receiving a program code that is configured for generating a random number. The generating is identified as vulnerable to a resource exhaustion. The method also includes identifying a statement in the program code at which a value of a variable associated with the generating of the random number is affected, inserting a hooking code in the statement for monitoring the variable at the statement, and running the program code in a plurality of iterations. A consumption level of the resource is varied in the plurality of iterations. The method further includes monitoring a plurality of values of the variable in the plurality of iterations. The method also includes executing a regression analysis on the plurality of values and returning a root cause of the vulnerability. | 04-02-2015 |
20150096033 | Security Testing Using Semantic Modeling - Optimized testing of vulnerabilities in an application implemented by a method includes generating a first probe directed to determine whether an application is vulnerable to a first type of attack; analyzing one or more responses from the application based on the application responding to the first probe; in response to determining that the one or more responses from the application validate a first hypothesis about one or more vulnerabilities associated with the application, and generating at least a second probe to further verify the first hypothesis. The second probe focuses on discovering additional details about the application's vulnerabilities to the first type of attack or a second type of attack. | 04-02-2015 |
20150096034 | Determine Anomalies in Web Application Code Based on Authorization Checks - Example embodiments disclosed herein relate to determining an anomaly of a missing authorization or inconsistent authorization in web application code. The web application code is analyzed to identify methods that have authorization checks associated with them and to label the identified methods as related to authorization checks. Unidentified methods are associated as non-authorization check methods. The methods are compared to determine the anomaly. | 04-02-2015 |
20150096035 | POLLUTING RESULTS OF VULNERABILITY SCANS - A security device may receive, from a server device, a response to a request. The request may be provided by an attacker device and may include a plurality of input values. The security device may determine the plurality of input values, included in the request, based on receiving the response. The security device may modify the response to form a modified response. The response may be modified to include information associated with the plurality of input values. The response may be modified in an attempt to prevent the attacker device from identifying a vulnerability, associated with the server device, based on the plurality of input values being included in the response. The security device may provide the modified response to the attacker device. | 04-02-2015 |
20150096036 | Security Testing Using Semantic Modeling - Optimized testing of vulnerabilities in an application implemented by a method includes generating a first probe directed to determine whether an application is vulnerable to a first type of attack; analyzing one or more responses from the application based on the application responding to the first probe; and, in response to determining that the one or more responses from the application validate a first hypothesis about one or more vulnerabilities associated with the application, generating at least a second probe to further verify the first hypothesis. The second probe focuses on discovering additional details about the application's vulnerabilities to the first type of attack or a second type of attack. | 04-02-2015 |
20150101056 | Risk Assessment of Changing Computer System Within a Landscape - Embodiments assess risk posed by changing a computer system present within a landscape of other computer systems. Agents provide a central assessment engine with data relevant to considerations such as system criticality, correlation between related systems, and dependence between different systems. The criticality parameter reflects an importance of a system and a corresponding change risk impact. System correlation is measured to allow comparison between systems, and a risk of failure of a change to the systems. Dependencies between systems are measured to define a set of systems to be changed in a coordinated manner. Change statistics collected in a database, may allow correlating systems across various customers, improving accuracy of risk prediction. Embodiments may facilitate iterative planning, where a different dependency permits the definition of smaller sets of systems offering lower risk of failure upon change implementation. Embodiments may allow correlation measurement between systems and a copy created for testing. | 04-09-2015 |
20150101057 | NETWORK SERVICE INTERFACE ANALYSIS - In one implementation, a service interface analysis system identifies a parameter at a portion of a service request for a network service and within a service response provided by the network service in response to the service request. The service interface analysis system then defines a request template including a placeholder at a portion of the request template associated with the portion of the service request. | 04-09-2015 |
20150106939 | METHOD AND SYSTEM FOR DYNAMIC AND COMPREHENSIVE VULNERABILITY MANAGEMENT - One or more relevant scanners used to identify asset vulnerabilities are identified, obtained, and logically arranged for deployment on an asset in accordance with a vulnerability management policy and a scanner deployment policy such that the relevant scanners are deployed at, or before, a determined ideal time to minimize the resources necessary to correct the vulnerabilities, if found. The relevant scanners are then automatically deployed in accordance with the scanner deployment policy and, if a vulnerability is identified, one or more associated remedies or remedy procedures are applied to the asset. At least one of the one or more relevant scanners are then re-deployed on the asset to determine if the identified vulnerability has been corrected and, if the vulnerability is not corrected at, or before, a defined time, protective measures are automatically taken. | 04-16-2015 |
20150106940 | MOBILE DEVICE APPLICATION INTERACTION REPUTATION RISK ASSESSMENT - A computer processor receives rules associated with applications installed on a mobile device, and collects declared intents of the applications prior to execution of the applications. The computer processor generates possible combinations of declared intents of the applications and collects, by an intent proxy during execution, information associated with intercepted intents. The computer processor compares the information associated with each of the intercepted intents to the rules, wherein a match results in a first violation. The computer processor compares the intercepted intents to the possible combinations of the declared intents, wherein the intercepted intents other than the possible combinations of the declared intents results in a second violation. The computer processor displays a risk alert for the applications associated with either or both of the first violation and the second violation. | 04-16-2015 |
20150106941 | Computer-Implemented Security Evaluation Methods, Security Evaluation Systems, and Articles of Manufacture - Computer-implemented security evaluation methods, security evaluation systems, and articles of manufacture are described. According to one aspect, a computer-implemented security evaluation method includes accessing information regarding a physical architecture and a cyber architecture of a facility, building a model of the facility comprising a plurality of physical areas of the physical architecture, a plurality of cyber areas of the cyber architecture, and a plurality of pathways between the physical areas and the cyber areas, identifying a target within the facility, executing the model a plurality of times to simulate a plurality of attacks against the target by an adversary traversing at least one of the areas in the physical domain and at least one of the areas in the cyber domain, and using results of the executing, providing information regarding a security risk of the facility with respect to the target. | 04-16-2015 |
20150106942 | MOBILE DEVICE APPLICATION INTERACTION REPUTATION RISK ASSESSMENT - A computer processor receives rules associated with applications installed on a mobile device, and collects declared intents of the applications prior to execution of the applications. The computer processor generates possible combinations of declared intents of the applications and collects, by an intent proxy during execution, information associated with intercepted intents. The computer processor compares the information associated with each of the intercepted intents to the rules, wherein a match results in a first violation. The computer processor compares the intercepted intents to the possible combinations of the declared intents, wherein the intercepted intents other than the possible combinations of the declared intents results in a second violation. The computer processor displays a risk alert for the applications associated with either or both of the first violation and the second violation. | 04-16-2015 |
20150106943 | SECURITY TESTING OF WEB APPLICATIONS WITH SPECIALIZED PAYLOADS - In one embodiment, a computer-implemented method for security testing of web applications with specialized payloads includes submitting a test to a web application, where the test includes a payload with a set of constraints. A response is received from the web application. One or more constraints are derived from the response. The set of constraints of the payload are updated with the derived one or more constraints. The payload is synthesized, by a computer processor, for the updated set of constraints. The test having the synthesized payload is iterated with the updated set of constraints. | 04-16-2015 |
20150106944 | METHOD AND DEVICE FOR RISK EVALUATION - A risk evaluation method and a risk evaluation device for evaluating an anonymous dataset generated according to an original dataset are provided. The risk evaluation method comprises the following steps. Acquiring a plurality of appearing times respectively corresponding to a plurality of original values of the original dataset. Generating a partition set and a weight table according to a sample parameter, an anonymous parameter and the appearing times. Dividing the original dataset into a plurality of data partitions according to the partition set, and generating a penetration dataset according to the weight table and the data partitions, wherein the penetration dataset comprises a plurality of sample data. Comparing each sample data with a plurality of anonymous data of the anonymous dataset to obtain a plurality of matching quantities respectively corresponding to the sample data. And calculating and outputting a risk evaluation result according to the matching quantities. | 04-16-2015 |
20150106945 | METHOD, DEVICE AND APPARATUS FOR ACQUIRING SECURITY STATE OF MOBILE TERMINAL - Disclosed are a method, device and apparatus for acquiring the security state of a mobile terminal, which belong to the field of computers. The method includes: acquiring state information about key indicators preset by a mobile terminal; conducting a security level assessment on each key indicator through assessment policies corresponding to each of the preset key indicators, according to the state information about the key indicators, to obtain a first assessment result; and endowing each key indicator with a specific weight value, conducting an overall level assessment on the overall security state of the mobile terminal, and according to the weight value of each of the key indicators and the first assessment result of each of the key indicators, to obtain a second assessment result expressing the overall security state of the mobile terminal. The device includes: an acquiring module, a first assessment module and a second assessment module. | 04-16-2015 |
20150113655 | System, Method and Computer Program Product for Using Opinions Relating to Trustworthiness to Block or Allow Access - A system, method and computer program product are provided. After identifying a computer readable item, at least one opinion relating to the trustworthiness of the identified computer readable item is received, utilizing a network. Access to the computer readable item is then blocked or allowed, based on at least one opinion. | 04-23-2015 |
20150121532 | SYSTEMS AND METHODS FOR DEFENDING AGAINST CYBER ATTACKS AT THE SOFTWARE LEVEL - A method for a customized, scalable and cost-efficient solution to enable source code level solutions to provide zero percentage false positives as well as a controlled false negative ratio to detect software security vulnerabilities accurately and in time. The method includes secure uploading of the source code, initial analysis and customizing according to accuracy and depth defined to enable control of the false negative ratio. The method also includes application processing, advanced analyzing, performing report development and delivering a secure report. The initial analysis provides for a human analyst “built-in” as part of the process that performs the analysis on initial results and the filtering of the results to contain ONLY relevant security vulnerabilities. | 04-30-2015 |
20150121533 | DYNAMIC ANALYSIS INTERPRETER MODIFICATION FOR APPLICATION DATAFLOW - An interpreter is modified to create a source tracking object for a data object received from a data source and to record information associated with the data source into the source tracking object. The interpreter is modified to create a copy of the data object for a tracking event in an application program, to create a flow tracking object for the tracking event, and to record information associated with the tracking event into the flow tracking object as the tracking event processes the copy of the data object. The interpreter is modified to create a sink tracking object for outputting the copy of the data object to a data sink and to record information associated with the data sink into the sink tracking object. The source tracking object, the flow tracking object, and the sink tracking object are output as dynamic analysis of dataflow in the application program. | 04-30-2015 |
20150128279 | APPLICATION SECURITY TESTING SYSTEM - Embodiments of the invention are directed to an apparatus, method, and computer program product for an exposure based application security testing system. In some embodiments, the apparatus is configured to: access an application, wherein the application comprises an assessment parameter, wherein the assessment parameter comprises one or more assessment sub-parameters, wherein the one or more assessment sub-parameters comprise one or more assessment indicators; process the application, wherein processing the application comprises calculating a total exposure score for the application based on at least an application exposure score and a protective control score; determine whether the application qualifies for security testing based on at least the calculated total exposure score; and initiating the presentation of the qualified application to the user to implement security testing. | 05-07-2015 |
20150128280 | NETWORK SERVICE INTERFACE ANALYSIS - In one implementation, a service interface analysis system defines a plurality of service templates based on a plurality of Uniform Resource Identifiers associated with a network service, and generates at least one utility measure of each service template from the plurality of service templates. | 05-07-2015 |
20150128281 | DETERMINING APPLICATION VULNERABILITIES - Disclosed herein are techniques for determining vulnerabilities in applications under testing. It is determined whether a first database instruction of an application enters information into a database and whether a second database instruction thereof obtains said information from the database. If the first database instruction enters the information in the database and the second database instruction obtains the information therefrom, it is determined whether the application is vulnerable to entry of malicious code via the database. | 05-07-2015 |
20150135324 | HYPERLINK DATA PRESENTATION - A method of presenting hyperlink data. The method comprises identifying when a web browser running on a web browser client retrieves, in response to a web document data request submitted to a target server, first web document data for displaying a first web document containing a hyperlink having a label for display and a target destination defining an address of a second web document, evaluating a risk from content of the second web document, generating by the web browser a reference evaluation indication of the risk, and processing the web document data and the reference evaluation indication by the web browser for generating a presentation on the client terminal which combines the first web document data and the reference evaluation indication such that the reference evaluation indication is presented when the label is presented by the web browser. | 05-14-2015 |
20150135325 | PACKET CAPTURE AND NETWORK TRAFFIC REPLAY - Implementations disclosed herein provide a network agent embodied in firmware and/or software that replays network traffic of an enterprise network to an entity outside of the enterprise network. The network agent selects and processes the network traffic according to certain policies set by the enterprise network or a third party security management system. These policies allow for a capture and replay of high-integrity data that enables threat analysis. | 05-14-2015 |
20150135326 | SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR COLLECTING AND REPORTING SENSOR DATA IN A COMMUNICATION NETWORK - A system, method, and computer-readable medium for reporting sensor data over a communication network are provided. A data reporting instruction that identifies at least one of a sensor or a data reporting technique is received from a trust mediator over a communication network. The data reporting instruction is based at least in part on an identified risk. Sensor data is obtained from the sensor, and the sensor data is transmitted to the trust mediator over the communication network based on the data reporting technique. | 05-14-2015 |
20150143524 | SYSTEM AND METHOD FOR IMPLEMENTING APPLICATION POLICIES AMONG DEVELOPMENT ENVIRONMENTS - In a system for facilitating distributed security and vulnerability testing of a software application, each development sandbox in a set of sandboxes receives a portion of the entire application, and the received portion may be tested based on an application-level security policy to obtain a pass/fail result. The portion of the application corresponding to a certain sandbox may be modified and rescanned (i.e., retested) until the modifications, i.e., development achieves functional and quality requirements, and a pass result is obtained. Thereafter, the scan results are promoted to a policy sandbox, where a compliance result for the entire software application can be obtained based on, at least in part, the promoted results. Other sandboxes may also perform their respective pass/fail testing using the promoted results, thus minimizing the need for synchronizing the code changes in different sandboxes before testing for security policy in any sandbox and/or during application-level scanning. | 05-21-2015 |
20150143525 | ANALYZING ACCESS CONTROL CONFIGURATIONS - A facility is described for analyzing access control configurations. In various embodiments, the facility comprises an operating system having resources and identifications of principals, the principals having access control privileges relating to the resources, the access control privileges described by access control metadata; an access control scanner component that receives the access control metadata, determines relationships between the principals and the resources, and emits access control relations information; and an access control inference engine that receives the emitted access control relations information and an access control policy model, analyzes the received information and model, and emits a vulnerability report. In various embodiments, the facility generates an information flow based on access control relations, an access control mechanism model, and an access control policy model; determines, based on the generated information flow, whether privilege escalation is possible; and when privilege escalation is possible, indicates in a vulnerability report that the privilege escalation is possible. | 05-21-2015 |
20150143526 | ACCESS POINT CONTROLLER AND CONTROL METHOD THEREOF - Provided is a control method of an access point controller (APC), the method including: (a) if occurrence of a predetermined security vulnerability checking event on particular terminal equipment is sensed, controlling the plurality of APs so that port scanning is capable of being performed on the particular terminal equipment; and (b) determining that security vulnerability has occurred in the particular terminal equipment in at least one of a case where the predetermined port is opened, a case where the predetermined port is closed, and a case where the number of opened ports exceeds a predetermined number, as a result of performing port scanning on the particular terminal equipment. | 05-21-2015 |
20150143527 | MANAGING VIRTUAL COMPUTING TESTING - Systems, methods, and interfaces for the management of virtual machine instances and other programmatically controlled networks are provided. The hosted virtual networks are configured in a manner such that a virtual machine manager of the virtual network may monitor activity such as user requests, network traffic, and the status and execution of various virtual machine instances to determine possible security assessments. Aspects of the virtual network may be assessed for vulnerabilities at varying levels of granularity and sophistication when a suspicious event or triggering activity is detected. Illustrative embodiments of the systems and methods may be implemented on a virtual network overlaid on one or more intermediate physical networks that are used as a substrate network. | 05-21-2015 |
20150143528 | Risk Assessment for Software Applications - Disclosed are various embodiments for assessing risk associated with a software application on a user computing device in an enterprise networked environment. An application rating is generated for the software application based at least in part on application characteristics. A risk analysis for the installation of the application is generated based at least in part on the application rating, the user computing device, and user information. | 05-21-2015 |
20150150137 | QUANTIFYING THE RISKS OF APPLICATIONS FOR MOBILE DEVICES - Quantifying the risks of applications (“apps”) for mobile devices is disclosed. In some embodiments, quantifying the risks of apps for mobile devices includes receiving an application for a mobile device; performing an automated analysis of the application based on a risk profile; and generating a risk score based on the automated analysis of the application based on the risk profile. | 05-28-2015 |
20150150138 | APPLICATION MONITORING THROUGH COLLECTIVE RECORD AND REPLAY - Methods and systems for application monitoring through collective record and replay are disclosed herein. The method includes recording a number of execution traces for an application from a number of user devices at a runtime library, wherein the number of execution traces relates to non-deterministic data. The method also includes replaying the number of execution traces to determine whether a behavior of the application creates a security risk. | 05-28-2015 |
20150294110 | PROCESS FOR REPORTING AND REMEDIATING APPLICATION DEVELOPMENT STANDARDS - Embodiments disclosed herein relate to systems, methods, and computer program products for a system for monitoring application development standards. The system, method, and computer program product are configured to access application code on a server associated with a network, wherein the application code is installed on the server; scan the application code to identify applications that are integrated into the application code; identify products in the application code based on the scan, wherein the products are identified based on a textual analysis of the application code; compare the products identified in the application code to a list of non-allowed products; identify non-allowed products in the application code based on the comparison of the products to the list; determine an allowed product as an alternative to the non-allowed product; and provide a report to a user comprising the non-allowed product and the alternative allowed product. | 10-15-2015 |
20150294113 | METHOD AND SYSTEM FOR PERFORMING A MEMORY SAFETY CHECK OF A PROGRAM WRITTEN IN AN UNMANAGED PROGRAMMING LANGUAGE - A method for performing a memory safety check of a program coded in an unmanaged programming language includes receiving an intermediate representation (IR) of the program and performing a static analysis pass of the IR to generate annotations including a safe pointer and an unsafe pointer. The method further includes removing, during a static analysis pass of the IR, the safe pointer from the annotations, inserting, into the IR using the annotations, a sandbox function call at the unsafe pointer to generate a modified IR, compiling the modified IR to generate an executable version of the program, executing, inside a sandbox framework, the executable version of the program, generating, during runtime and upon reaching the sandbox function call, a metadata entry and an enhanced pointer for atomicity, and comparing, during runtime and upon reaching a use of the unsafe pointer, the metadata entry with the enhanced pointer. | 10-15-2015 |
20150295948 | METHOD AND DEVICE FOR SIMULATING NETWORK RESILIANCE AGAINST ATTACKS - Embodiments of a system and method for a cyber modeling and simulation framework are generally described herein. In some embodiments, an interface ( | 10-15-2015 |
20150302202 | PROGRAM VERIFICATION APPARATUS, PROGRAM VERIFICATION METHOD, AND PROGRAM VERIFICATION PROGRAM - A necessary information extraction unit extracts, from variables used in a target program, an output variable to which output information to be output by an output function defined in an output function list is set. The necessary information extraction unit extracts, from the variables used in the target program, an encryption variable to which encrypted information encrypted by an encrypting function defined in an encryption function list is set. A protected state analysis unit refers to an assignment statement included in the target program, and extracts an encrypted state variable to which the encrypted information is assigned. A vulnerability determination unit determines whether or not the encrypted state variable and the output variable are the same variable, and outputs a program verification result based on a result of determination. | 10-22-2015 |
20150302204 | METHOD AND APPARATUS FOR DISPLAYING TEST RESULT OF TERMINAL - The present disclosure provides a method and an apparatus for displaying a test result of a terminal. The method includes: obtaining a last test value and a last test time of the terminal, the test value reflecting a system health condition of the terminal; determining a time span between a current time and the last test time; updating the last test value according to the time span to obtain a current test value; and displaying the current test value. By means of the present disclosure, the test value of the terminal can be updated over time; in this way, the test value can reflect the health condition of the system more accurately, and therefore the performance and security coefficients of the computer system can be improved by performing system optimization according to the test value. | 10-22-2015 |
20150304351 | SYSTEM AND METHOD FOR ASSESSING VULNERABILITY OF A MOBILE DEVICE - A system and method for assessing vulnerability of a mobile device including at a remote analysis cloud service, receiving at least one vulnerability assessment request that includes an object identifier for an operative object of a mobile computing device, wherein the vulnerability assessment request originates from the mobile computing device; identifying a vulnerability assessment associated with the identifier of the operative object; and communicating the identified vulnerability assessment to the mobile computing device. | 10-22-2015 |
20150310098 | CATEGORISATION SYSTEM - A system for the categorisation of interlinked information items, the system comprising: a trust flow module which is configured to receive a seed trust list of one or more first information items, the seed trust list associating the one or more first information items with one or more categories; and a trust flow module configured to: associate a respective trust value with each of the one or more categories for the one or more first information items; and iteratively pass at least part of the or each trust value to one or more further information items to generate, for each of the one or more further information items, at least one accumulated trust value associated with a category of the one or more categories, such that the one or more further information items can be categorised based on the at least one accumulated trust value and associated category. | 10-29-2015 |
20150310204 | Evaluating Customer Security Preferences - Methods and systems for evaluating customer security preferences are presented. In some embodiments, a computer system may receive, from a security dashboard computing platform, a request for a security score associated with a customer. In response to receiving the request for the security score associated with the customer, the computer system may request, from a customer portal computing platform, one or more security preferences associated with the customer. Subsequently, the computer system may receive, from the customer portal computing platform, the one or more security preferences associated with the customer. The computer system then may determine, based on at least one security score definition file and based on the one or more security preferences associated with the customer, a security score for the customer. Thereafter, the computer system may provide, to the security dashboard computing platform, the determined security score for the customer. | 10-29-2015 |
20150310205 | Evaluating Customer Security Preferences - Methods and systems for evaluating customer security preferences are presented. In some embodiments, a computer system may receive, from a customer portal computing platform, a request for a security dashboard user interface for a customer. In response to receiving the request for the security dashboard user interface, the computer system may request, from a security score computing platform, a security score for the customer. Subsequently, the computer system may receive, from the security score computing platform, the security score for the customer. The computer system then may generate, based on the security score for the customer, the security dashboard user interface for the customer. Thereafter, the computer system may provide, to the customer portal computing platform, the generated security dashboard user interface for the customer. | 10-29-2015 |
20150310215 | DISCOVERY AND CLASSIFICATION OF ENTERPRISE ASSETS VIA HOST CHARACTERISTICS - Techniques are presented herein for classifying a variety of enterprise computing resources based on asset characteristics. In particular, a computing asset, e.g., a server, may be classified based on any digital certificates provisioned on that server. That is, the properties of a digital certificate may be used to determine a measure of business value or importance of a server (or data hosted on that server). Once classified, a monitoring system may use the assigned classifications to prioritize security incidents for review. | 10-29-2015 |
20150310217 | THREAT AND DEFENSE EVASION MODELING SYSTEM AND METHOD - A system and method for modeling viable threats and for evading deployed defenses on a network are described. As a defensive tool used for threat modeling, the system and method allows those responsible for the safety of their critical infrastructure and intellectual property to have a clear view of all failures in the security countermeasure products they have deployed. As an offensive tool used for defense evasion modeling, the system and method can be used to quickly ascertain a viable attack vector, select exploitation code, and cross-reference those exploits that will bypass every layer of countermeasure technologies to commercially- and publicly-accessible crimeware and security testing tools. | 10-29-2015 |
20150312270 | SECURITY CONTROLS - A network of computers has a network management system which stores metadata comprising at least the identities of software present on computers of the network. A computer of the network runs a monitoring program which accesses the metadata stored in the network management system to provide a measure of the extent to which one or more of a plurality of security controls are implemented in the network. The security controls are the application of Operating System patches, the application of third party software patches, allowing only applications on a list of approved software to run, and limiting administrator privileges. The measure comprises risk ratings dependent on the extents to which the controls are implemented. | 10-29-2015 |
20150317237 | PARTITIONING OF PROGRAM ANALYSES INTO SUB-ANALYSES USING DYNAMIC HINTS - An exemplary method includes performing a first static analysis to locate elements within a program and instrumenting the program to enable a subsequent dynamic analysis based on the located elements. The method includes executing the instrumented program and performing during execution analysis to determine individual sets of statements in the program affected by a corresponding element. The method includes partitioning the sets of statements into partitions based on one or more considerations, each partition including one or more of the elements. The method includes performing a second static analysis on the partitions of the program to produce results and outputting the results. The method may be performed for, e.g., security (e.g., taint) analysis, buffer overflow analysis, and typestate analysis. Apparatus and program products are also disclosed. | 11-05-2015 |
20150317238 | Partitioning of Program Analyses into Sub-Analyses Using Dynamic Hints - An exemplary apparatus and computer program product are disclosed which employ a method that includes performing a first static analysis to locate elements within a program and instrumenting the program to enable a subsequent dynamic analysis based on the located elements. The method includes executing the instrumented program and performing during execution analysis to determine individual sets of statements in the program affected by a corresponding element. The method includes partitioning the sets of statements into partitions based on one or more considerations, each partition including one or more of the elements. The method includes performing a second static analysis on the partitions of the program to produce results and outputting the results. The method may be performed for, e.g., security (e.g., taint) analysis, buffer overflow analysis, and typestate analysis. | 11-05-2015 |
20150319186 | METHOD AND SYSTEM FOR DETECTING IRREGULARITIES AND VULNERABILITIES IN DEDICATED HOSTING ENVIRONMENTS - A dedicated hosting environment is provided and a requirement is imposed that each virtual asset deployed in the dedicated hosting environment include one or more required virtual asset characteristics. Each virtual asset deployed in the dedicated hosting environment is then provided virtual asset characteristic certification data indicating that the virtual asset includes the one or more required virtual asset characteristics. A virtual asset monitoring system then monitors each virtual asset deployed in the dedicated hosting environment to ensure that each virtual asset in the dedicated hosting environment includes the required virtual asset characteristic certification data. If a virtual asset is identified in the dedicated hosting environment that does not include the required virtual asset characteristic certification data, an alert is provided to one or more entities of the non-compliant virtual asset. | 11-05-2015 |
20150319187 | METHOD, ELECTRONIC DEVICE, AND USER INTERFACE FOR ON-DEMAND DETECTING MALWARE - A method, an electronic device, and a user interface for on-demand malware detection are provided, adapted to estimate whether an application has vulnerabilities or malicious behaviors. The method includes the following steps. First, a risk level and a test time are evaluated for the application that has vulnerabilities or malicious behaviors. Next, the application is scanned at the user's selection to estimate its risk level, and a detection result is generated accordingly. The method, the electronic device, and the user interface can therefore assess the risk level of an application with vulnerabilities or malicious behaviors before a virus pattern for the variant or new malware is available. | 11-05-2015 |
20150324616 | SECURITY AND PROTECTION DEVICE AND METHODOLOGY - A mobile device includes a security device. The security device determines whether the mobile device is inside or outside security zones defined around a device carried by a user and an access point disposed at or near a place the user regularly visits, by detecting the presence or absence of a wireless connection with them. The device further determines whether there is an ongoing scheduled event and whether the mobile device is at or near the event location. The device then assesses the risk level of the environment in which the mobile device is currently located based on these determinations, and executes one of a set of preset security action controls in response to the determined risk level so that the mobile device performs a security action to alert the user. | 11-12-2015 |
20150326598 | PREDICTED ATTACK DETECTION RATES ALONG A NETWORK PATH - In one embodiment, attack detectability metrics are received from nodes along a path in a network. The attack detectability metrics from the nodes along the path are used to compute a path attack detectability value. A determination is made as to whether the path attack detectability value satisfies a network policy and one or more routing paths in the network are adjusted based on the path attack detectability value not satisfying the network policy. | 11-12-2015 |
20150326600 | FLOW-BASED SYSTEM AND METHOD FOR DETECTING CYBER-ATTACKS UTILIZING CONTEXTUAL INFORMATION - A flow-based detection system and method for detection of cyber-attacks is provided that utilizes contextual information to provide improved detection accuracy over existing flow-based systems. Contextual information is utilized to semantically reveal cyber-attacks from IP flows. Time, location, and other contextual information mined from network flow data is utilized to create semantic links among alerts raised in response to suspicious IP flows. The semantic links are identified through an inference process on probabilistic semantic link networks. The resulting links are used at run-time to retrieve relevant suspicious activities that represent a possible attack or possible steps in multi-step attacks. | 11-12-2015 |
20150326601 | ASSESSMENT TYPE-VARIABLE ENTERPRISE SECURITY IMPACT ANALYSIS - A data management service identifies sensitive data stored on enterprise databases according to record classification rules that classify a data record as having a sensitive data type if the data record includes fields matching at least one of the record classification rules. Methods and systems rely on a set of impact factors, each having a set of value bands representing a range for the impact factor and a corresponding value (between 0 and 1). The factors, ranges, and values are all customizable for an organization. Impact scoring calculations take into account each of the impact factors, and each is weighted to represent a specific risk perception or assessment type. A similar impact scoring is applied to data quality, using volume of data as a key attribute of the quality. | 11-12-2015 |
20150332053 | SYSTEMS AND METHODS FOR EVALUATING A SOURCE CODE SCANNER - Apparatuses, methods, and non-transitory computer readable medium that evaluate a source code scanner are described. In one implementation, the method comprises obtaining source code. One or more good code snippets and one or more bad code snippets are inserted into the source code to obtain a modified source code. An issue list generated by the source code scanner upon scanning the modified source code is obtained. The issue list comprises code segments having security defects identified by the source code scanner, reasons for the security defects, and locations of the security defects in the modified source code. The code segments present in the issue list are compared with the one or more good code snippets and the one or more bad code snippets. A plurality of metrics, indicating quality of the source code scanner, are generated based on the comparison. | 11-19-2015 |
20150332054 | PROBABILISTIC CYBER THREAT RECOGNITION AND PREDICTION - Generally discussed herein are systems, apparatuses, or processes to recognize that a cyber threat exists or predict a future track of a cyber threat in a network. According to an example, a process for recognizing a cyber threat can include (1) determining a network layout of a network based on received network layout data, (2) receiving cyber sensor data indicating actions performed on the network, (3) calculating a first score associated with the cyber sensor data indicating that a cyber threat is present in the network by comparing a cyber threat profile of the cyber threat that details actions performed by the cyber threat to actions indicated by the cyber sensor data, (4) determining whether the calculated first score is greater than a specified threshold, or (5) determining that the cyber threat is present in response to determining the calculated first score is greater than the specified threshold. | 11-19-2015 |
20150332055 | Locating security vulnerabilities in source code | 11-19-2015 |
20150347759 | METHOD AND APPARATUS FOR AUTOMATING THE BUILDING OF THREAT MODELS FOR THE PUBLIC CLOUD - A method and system for automating threat model generation for an application includes identifying components of an application, receiving security information that identifies whether security measures were implemented within the application to secure the application against security threats, determining whether the security measures sufficiently address security risks associated with the security threats, and providing a threat model that includes a report that identifies components of the application that have been sufficiently (or insufficiently) secured from the security threats, according to one embodiment. In one embodiment, determining whether the security measures sufficiently address the security risks can include transmitting first queries, receiving responses to the first queries, and transmitting subsequent queries based at least in part on the responses to the first queries. | 12-03-2015 |
20150347760 | PERTURBATION OF FIELD PROGRAMMABLE GATE ARRAY CODE TO PREVENT SIDE CHANNEL ATTACK - Technologies are provided to automatically vary a structure of a netlist computation arranged to configure a field programmable gate array (FPGA). In an example scenario, an FPGA netlist may be received from a client to configure the FPGA. A perturbation generator may be activated in response to a detection of one or more security risk factors associated with the netlist. The netlist may be altered through schemes designed to repair one or more FPGAs. The repair schemes may be used to repair the FPGAs to work around failed cells and failed sub-cells. The perturbation generator may produce a false map of failed cells. The false map may be used to generate different timings and different intermediate values associated with the netlist to generate an alternate netlist. The alternate netlist may be used to configure the FPGA to prevent side channel attacks. | 12-03-2015 |
20150347761 | AUTOMATIC CORRECTION OF SECURITY DOWNGRADERS - Systems for automatic correction of security downgraders include a security analysis module configured to perform a security analysis that disregards existing user-provided downgraders to detect flows that are vulnerable; and an enhancer module configured to locate candidate downgraders on the flows, to determine whether each of the candidate downgraders protects against all vulnerabilities associated with each downgrader's respective flow, and to transform candidate downgraders that do not protect against all of the associated vulnerabilities such that the transformed downgraders do protect against all of the associated vulnerabilities. | 12-03-2015 |
20150350234 | MANIPULATING API REQUESTS TO INDICATE SOURCE COMPUTER APPLICATION TRUSTWORTHINESS - Methods of operating an application programming interface (API) request risk assessment system include receiving an API request from a source computer application that is directed to a destination computer application. A risk assessment score is generated based on a characteristic of the API request. The risk assessment score indicates a level of trustworthiness of the source computer application. Deliverability of the API request to the destination computer application is controlled based on the risk assessment score. Related methods of operating a source computer and related operations by API request risk assessment systems and source computers are disclosed. | 12-03-2015 |
20150350235 | SYSTEM AND METHOD FOR FUZZING NETWORK APPLICATION PROGRAM - A system and method for fuzzing a network application program, which use a captured packet upon fuzzing a network application program, and thus neither a protocol analysis procedure nor the production of a fuzzer program is required. The system for fuzzing a network application program includes a fuzzing performance client program unit for generating a packet to be transmitted from a captured packet, applying a fuzzing rule to the packet to be transmitted, and outputting a resulting packet. A fuzzing supervisor program unit provides the packet from the fuzzing performance client program unit to a target program to be fuzzed, monitors an event and abnormal termination of the target program to be fuzzed, and analyzes a situation of termination to verify security vulnerabilities if abnormal termination has occurred. | 12-03-2015 |
20150350238 | CORRELATION BASED SECURITY RISK IDENTIFICATION - Methods and systems are disclosed for identifying security risks, arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credentials indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network. | 12-03-2015 |
20150356302 | PRESENTATION OF USER INTERFACE ELEMENTS BASED ON RULES - Example embodiments disclosed herein relate to presenting part of a web application with one or more user interface elements of that part highlighted based on updated rules. A web application is loaded in a browser layout engine. User actions are simulated on user interface elements of the web application to update the rules. The part of the web application is then presented with one or more user interface elements highlighted. | 12-10-2015 |
20150358345 | ACTIVE ATTACK DETECTION SYSTEM - A method and system of detecting security attacks on a wireless networked computer system includes a remote sensor having a wireless adapter, processor, storage and memory, the remote sensor configured and arranged to emulate a client workstation that is activated and instructed to connect to a wireless computer network having an unknown security status. A secure communications tunnel is established via wired or wireless means between the remote sensor and a server. The server is configured to issue commands to the remote sensor and receive alert information from the remote sensor which detects security events on the wireless computer network. The server determines the threat level the security event poses to a user of the wireless computer network and issues a threat assessment to the user. | 12-10-2015 |
20150371044 | TARGETED SECURITY ALERTS - Providing a targeted security alert can include collecting participant data from a plurality of participants within a threat exchange community, calculating, using a threat exchange server, a threat relevancy score of a participant among the plurality of participants within the threat exchange community using the collected participant data, and providing, from the threat exchange server to the participant, the targeted security alert based on the calculated threat relevancy score via a communication link within the threat exchange community. | 12-24-2015 |
20150371047 | DETERMINING COVERAGE OF DYNAMIC SECURITY SCANS USING RUNTIME AND STATIC CODE ANALYSES - Example embodiments relate to assessing dynamic security scans using runtime analysis and static code analysis. In example embodiments, a system performs static code analysis of a web application to identify reachable code and/or data entry points, where the data entry points are used to determine an attack surface size for the web application. At this stage, the system may initiate runtime monitoring for a dynamic security scan of the web application, where the runtime monitoring detects invocation of a statement at one of the data entry points. The invocation is logged as an invocation entry that comprises invocation parameters and/or code units that were executed in response to the invocation. The system may then determine an attack surface coverage of the dynamic security scan using the invocation entry and the attack surface size and/or a reachable code coverage using the invocation entry and the reachable code. | 12-24-2015 |
20150379271 | COMBINING TYPE-ANALYSIS WITH POINTS-TO ANALYSIS FOR ANALYZING LIBRARY SOURCE-CODE - In general, in one aspect, the invention relates to a method for statically analyzing a library that includes obtaining native method annotations associated with native methods invoked by the library and extracting facts corresponding to the library from the library to obtain library facts. The library is written in a first programming language. The method also includes constructing a type-object lattice, modeling an abstracted heap using the type-object lattice, expressing abstracted heap update operations as heap update rules, and constructing, based on the library, a most general application (MGA) for the library. The method additionally includes analyzing the library using the native method annotations, the library facts, the MGA, the abstracted heap, and the heap update rules to obtain results, storing the results of the analysis, and performing an action based on the results. | 12-31-2015 |
20150379272 | METHOD, SYSTEM, AND COMPUTER PROGRAM PRODUCT FOR AUTOMATICALLY MITIGATING VULNERABILITIES IN SOURCE CODE - A method for automatically mitigating vulnerabilities in the source code of an application is provided in the present invention. The method includes the following steps. First, the source code is compiled, and a path graph is built from the compiled source code. The path graph includes a plurality of paths traversing from sources to sinks, and each of the paths includes a plurality of nodes. Then, at least one tainted path is identified by enabling a plurality of vulnerability rules. Each of the at least one tainted path corresponds to a vulnerability, and each of the at least one vulnerability corresponds to a sanitization method. It is then determined whether the at least one vulnerability is mitigable. If so, the at least one vulnerability is mitigated automatically. Furthermore, the method may be implemented as a system and a computer program product. | 12-31-2015 |
20150379273 | APPLICATION SECURITY TESTING - The present disclosure provides a system that includes a server hosting an application under test (AUT), an observer configured to monitor instructions executed by the AUT, and a computing device communicatively coupled to the AUT and the observer through a common communication channel. The computing device may be configured to send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT. The computing device may receive an application response from the AUT in accordance with the AUT's programming. The computing device may send a service request to the observer, and receive a service response from the observer that contains information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT. | 12-31-2015 |
20150381376 | ACCURATELY CLASSIFYING A COMPUTER PROGRAM INTERACTING WITH A COMPUTER SYSTEM USING QUESTIONING AND FINGERPRINTING - Methods, systems, and computer program products for online content referral are provided. A computer-implemented method may include issuing a challenge to an application interacting with a computer system to determine whether activity performed by the application is scripted, analyzing data associated with a result of the challenge to determine whether the result is at least partially correct, and computing a reputation score for the application based on the result of the challenge. A computer-implemented method also may include comparing the reputation score for the application to a threshold for identifying non-scripted activity, and determining that the activity performed by the application is scripted when the reputation score for the application does not meet the threshold for identifying non-scripted activity. | 12-31-2015 |
20150381649 | Probabilistic Model For Cyber Risk Forecasting - A system and method are presented for forecasting the risk of cyber-attacks on targeted networks. The described technology quantifies linear and non-linear damages to network-dependent assets by propagating probabilistic distributions of events in sequence and time in order to forecast damages over specified periods. Damage-forecasts are used to estimate probabilistically time-varying financial losses for cyber-attacks. The described technology incorporates quantities and dependencies for pricing insurance, re-insurance, and self-insurance, assessing cost-benefit tradeoffs for sequenced implementation of security control measures, and detecting attacks in the targeted network. | 12-31-2015 |
20160004862 | DEVICE AND METHOD FOR PROVIDING INTENT-BASED ACCESS CONTROL - Embodiments relate generally to access control, and more particularly to systems and methods for providing access control based on user intent. An intent-based access control method is provided comprising: receiving, from a user, a request to gain access to a protected resource; presenting stimuli to the user to evoke a physiological or behavioral response at one or more time points or time periods; receiving a signal of the physiological or behavioral response, the one or more physiological signals associated with one or more time codes that correspond to the one or more time points or time periods for the presenting of the stimuli; processing the received signal to assess an intention of the user; and in response to the processing, selectively granting the user access to the protected resource. Various systems, methods, and non-transitory computer-readable media are also described. | 01-07-2016 |
20160004868 | Visual display of risk-identifying metadata for identity management access requests - An identity management system is augmented to enable a manager to associate “risk” metadata with different types of access requests representing computer system accounts that can be requested by authorized users. When an authorized user then requests access to a particular account, any “risk” associated with that access is shown to the user, typically in the form of a visual “badge” or other such indicator. The badge includes an appropriate informational display (e.g., “High Risk” or “Regulated”) that provides an appropriate risk warning. The risk metadata badge information preferably also is displayed for risk-based access request approval routing; in such context, the risk metadata may also determine the risk approval workflow itself. Thus, for example, if the risk metadata is present when the authorized user requests access, an approval workflow may be modified so that the request approval is routed appropriately. | 01-07-2016 |
20160012235 | ANALYSIS AND DISPLAY OF CYBERSECURITY RISKS FOR ENTERPRISE DATA | 01-14-2016 |
20160012236 | METHODS AND SYSTEMS FOR IMPROVED RISK SCORING OF VULNERABILITIES | 01-14-2016 |
20160021133 | SYSTEMS AND METHODS FOR MANAGING DATA INCIDENTS - Systems and methods for managing a data incident are provided herein. Exemplary methods may include providing an external entity interface that receives external entity information including a contract between a first party and at least one additional party, notification obligations that specify when the first party or the at least one additional party notifies entities that a data incident has occurred, and properties that trigger an assessment of the notification obligations. When an incident occurs, an assessment is completed and the results thereof are displayed on a risk assessment guidance interface. | 01-21-2016 |
20160026791 | SYSTEMS AND/OR METHODS FOR AUTOMATICALLY PROTECTING AGAINST MEMORY CORRUPTION VULNERABILITIES - Certain example embodiments described herein relate to techniques for automatically protecting, or hardening, software against exploits of memory-corruption vulnerabilities. The techniques include arranging a plurality of guard regions in the memory in relation to data objects formed by the application program, identifying an access by the application program to a guard region arranged in the memory as a disallowed access, and modifying the execution of the application program in response to the identifying, the modifying being in order to prevent exploitation of the memory and/or to correctly execute the application program. | 01-28-2016 |
20160028758 | System and Method for Predicting Impending Cyber Security Events Using Multi Channel Behavioral Analysis in a Distributed Computing Environment - A multi channel distributed behavioral analysis architecture provides a software solution to the major operational challenges faced in providing an early warning system for impending cyber security events. Most cyber security events are premeditated. However, many current cyber security defense technologies only address the real-time detection of a software vulnerability, the presence of malware (known or unknown “zero day”), anomalies from pre-established data points, or the signature of an active security event. The system and method of the multi channel distributed behavioral analysis architecture introduces a technique that provides data collection, assessment, and alerting prior to the occurrence of an event, based on threat actor behavior. | 01-28-2016 |
20160034690 | Unused Parameters of Application Under Test - Example embodiments disclosed herein relate to unused parameters. A request to a web page of an application under test is made. It is determined whether the web page includes one or more unused parameter fields. Another request to the web page of the application under test is made using one or more parameters corresponding to the unused parameter fields. | 02-04-2016 |
20160034691 | GLOBAL PLATFORM HEALTH MANAGEMENT - The use of one or more device health values to indicate the health status of a computing device may enable operating system developers to directly manage the security configuration of the computing device. The generation of a device health value involves initializing hardware components of a computing device and loading the operating system according to configuration settings during boot up of the computing device. The device health value is then generated based on a state of the hardware component and/or a state of a software stack that includes the operating system at boot up. The device health value may be compared to a reference health value to determine whether the computing device is in a secured state. | 02-04-2016 |
20160036847 | METHODS AND SYSTEMS FOR AUTOMATED NETWORK SCANNING IN DYNAMIC VIRTUALIZED ENVIRONMENTS - Systems and methods for managing jobs to be scanned based on existence of processing nodes are described. One of the methods includes obtaining identification information regarding operation of a first set of the processing nodes from an inventory and creating a job for scanning the processing nodes of the first set for security vulnerability. The job includes the identification information. The method further includes verifying the inventory to determine the first identifying information of the first set of processing nodes for removal from the job and loading the job having second identifying information for a second set of processing nodes that remain after the verifying operation. | 02-04-2016 |
20160044058 | MANAGING SECURITY OF ENDPOINTS OF A NETWORK - Disclosed are various embodiments for analyzing endpoints of a network, including determining security statuses for clients on the network. A recommendation may be made for the clients from the determined security statuses. A user interface may be generated to provide a user with the recommendation. The user interface may include a summary of the security statuses for the clients. | 02-11-2016 |
20160048686 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MONITORING AN EXECUTION FLOW OF A FUNCTION - A system, method, and computer program product are provided for monitoring an execution flow of a function. In use, data associated with a function is identified within a call stack. Additionally, a call stack frame is determined from freed memory in the call stack. Further, an execution flow of the function is monitored, utilizing the call stack frame from the freed memory. | 02-18-2016 |
20160050225 | ANALYZING CYBER-SECURITY RISKS IN AN INDUSTRIAL CONTROL ENVIRONMENT - A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station. | 02-18-2016 |
20160057164 | DEVICE FOR QUANTIFYING VULNERABILITY OF SYSTEM AND METHOD THEREFOR - A method and apparatus for quantifying the vulnerability of a system. The apparatus includes a vulnerability calculation unit, a target organization security level calculation unit, a network separation status calculation unit, an interim calculation unit, and a final score calculation unit. The vulnerability calculation unit converts each of the vulnerability identification results of the system into a vulnerability score. The target organization security level calculation unit calculates a target organization security level score based on a technology-field security level score and a management-field security level score. The network separation status calculation unit converts the status of the separation of the local network of the system into a network separation score. The interim calculation unit calculates an interim score. The final score calculation unit quantifies the vulnerability of the system by finally calculating a composite score using the interim score and a simulated intrusion success level. | 02-25-2016 |
20160063257 | DATA DRIVEN SYSTEM FOR RESPONDING TO SECURITY VULNERABILITY - A data-driven system for fast response to security vulnerabilities, in one example embodiment, comprises a request detector, a content type evaluator, and a presentation module. The request detector may be configured to detect a request to display content. The content type evaluator may be configured to determine a type of the requested content. The presentation module may be configured to selectively display the requested content based on the determined type of the requested content. The content type evaluator and the presentation module may utilize a data file that stores information related to potential vulnerabilities associated with a content viewing application. An example data file may be an XML file. | 03-03-2016 |
20160065607 | System and Method For Managed Security Assessment and Mitigation - In an embodiment of the invention, a system for assessing vulnerabilities includes: a security management system (SMS); a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that are known by the network device. | 03-03-2016 |
20160065608 | MONITORING SECURITY RISKS TO ENTERPRISE CORRESPONDING TO ACCESS RIGHTS AND ACCESS RISK CALCULATION - A system comprising an interface and a memory communicatively coupled to a processor retrieves access information corresponding to an asset. The system stores one or more risk categories and one or more risk factors. The system determines the one or more risk categories corresponding to the access information and determines the one or more risk factors corresponding to the one or more risk categories. Based at least in part upon the one or more risk factors, the system calculates an access risk score for the asset. The system generates data visualization corresponding to the access risk score and the asset. | 03-03-2016 |
20160065609 | Domain Classification Based On Client Request Behavior - Systems and methods for domain classification using the network request behavior of clients are provided. The network requests of a plurality of clients are analyzed to determine a domain corresponding to each request. This information can be used to associate a set of domains with each individual client. Because of the reciprocal nature of a network request, the information is also used to associate a set of clients with each individual domain. Within the plurality of domains associated with the plurality of clients, there may exist known domains having a classification and unknown domains having no classification. Based on the correlation of clients and domains from their respective associations, the system generates domain classification information for at least one of the unknown domains. | 03-03-2016 |
20160070915 | DYNAMIC QUANTIFICATION OF CYBER-SECURITY RISKS IN A CONTROL SYSTEM - A system and method for analyzing cyber-security risk inter-dependencies in a control system having networked devices. The system includes a central server that has a processor and a memory device in communication with the processor. The memory device stores inter-device dependencies and quantified individual risks for each of the networked devices. The memory device also stores a dynamic quantification of risk (DQR) program. The central server is programmed to implement the DQR program. Responsive to observed cyber behavior, the central server changes one or more of the quantified individual risks to generate at least one modified quantified individual risk. The inter-device dependencies for a first of the networked devices and the quantified individual risk for at least one other of the networked devices reflecting the modified quantified individual risk are used to dynamically modify the quantified individual risk for the first device to generate an inter-device modified quantified individual risk. | 03-10-2016 |
20160072835 | ORDERED COMPUTER VULNERABILITY REMEDIATION REPORTING - Techniques for ranking a set of vulnerabilities of a computing asset and a set of remediations for a computing asset, and for determining a risk score for one or more computing assets, are provided. In one technique, vulnerabilities of computing assets in a customer network are received at a vulnerability intelligence platform. Breach data indicating a set of breaches that occurred outside the customer network is also received. A subset of the set of vulnerabilities that are most vulnerable to a breach is identified based on the breach data. In another technique, multiple vulnerabilities of a computing asset are determined. A risk score is generated for the computing asset based on the vulnerabilities. In another technique, multiple remediations associated with a risk score and multiple vulnerabilities are identified. The remediations are ordered based on which remediations would reduce the risk score the most if applied to remove the corresponding vulnerabilities. | 03-10-2016 |
20160072846 | SYSTEM AND METHOD FOR A SECURITY ASSET MANAGER - Implementations of the present disclosure involve a system and/or method of performing security asset management. The system and/or method may schedule vulnerability scanners to scan the various portions of one or more networks and obtain the results of the vulnerability scans. IP addresses may be assigned to each of the vulnerability scanners to scan. The system obtains the results of the vulnerability scans and may adjust the results of the scans according to the configuration of the one or more networks that an IP address is associated with. The system and/or method may also assign and reassign IP addresses amongst the scanners to optimize scanning speed. | 03-10-2016 |
20160078221 | AUTOMATED VULNERABILITY AND ERROR SCANNER FOR MOBILE APPLICATIONS - In an embodiment, a method comprises downloading an application program to a first storage coupled to a first device, wherein the application program comprises an encrypted portion based on a set of personally identifying data stored on the first storage; configuring the application program to load and execute a pre-compiled library when the application program is launched and which when executed by the first device, causes storing an unencrypted version of the application program on the first storage; launching the application program. | 03-17-2016 |
20160078231 | CLOUD-BASED SECURITY PROFILING, THREAT ANALYSIS AND INTELLIGENCE - An automated software vulnerability scanning and notification system and method provide an automated detection and notification regarding a software vulnerability. The operation of the system and the method includes obtaining software vulnerability information, periodically scanning a web application and a corresponding web server associated with an operator, and evaluating the periodic scans relative to the software vulnerability information to detect software vulnerabilities. Upon detection of a software vulnerability, a notification message is provided automatically to the operator regarding the software vulnerability. | 03-17-2016 |
20160078234 | SYSTEM AND METHOD FOR AUTOMATED SECURITY TESTING - According to some embodiments, a list of files comprising each file in a data repository that is associated with the website is determined. A list of user roles comprising each user role in the data repository that is associated with the website is determined. An attempt is made to access each file in the list of files under each user role in the list of user roles, and a report indicating the success or failure of each such access attempt is created. | 03-17-2016 |
20160080407 | MANAGING OPERATIONS IN A CLOUD MANAGEMENT SYSTEM - Embodiments of the present invention provide methods, systems, and computer program products for managing operations in a cloud management system. In one embodiment, after a user submits a request to perform a cloud operation, a contextual security assessment of the requesting user and/or cloud resources on which the requested operation will be performed can be determined. An administrative user can review the contextual security assessments before approving or rejecting the cloud operation, which can help increase safety within the cloud computing environment. | 03-17-2016 |
20160080409 | SECURITY SCANNING SYSTEM AND METHOD - The present disclosure provides a computer-readable medium, method and system for determining security vulnerabilities for a plurality of application programs used to provide television services to a customer device over a communications network. The method includes running a first scanning program against a first application program relating to a control panel for the customer device; running a second scanning program against a second application program that provides Internet content to the customer device; running a third scanning program against a third application program that relates to a component management system of customer premises equipment; and correlating security vulnerabilities identified utilizing the first, second, and third scanning programs. | 03-17-2016 |
20160080410 | SELECTIVE WEBSITE VULNERABILITY AND INFECTION TESTING - In embodiments of the present invention improved capabilities are described for selective website vulnerability and infection testing and intelligently paced rigorous direct website testing. By providing robust website content integrity checking while only lightly loading the website hosting server, visitor bandwidth availability is maintained through selective testing and intelligently paced external website exercising. A modular pod-based computing architecture of interconnected servers configured with a sharded database facilitates selective website testing and intelligent direct website test pacing while providing scalability to support large numbers of website testing subscribers. | 03-17-2016 |
20160085970 | PRE-LAUNCH PROCESS VULNERABILITY ASSESSMENT - In an example, a vulnerability assessment engine is disclosed. The vulnerability assessment engine may include a shim application and a shim agent. The shim application sits at a relatively low level in an operational stack, such as just above the operating system itself. It may intercept system calls through operating system hooks or other means, so as to determine whether an action taken by an executable object should be allowed. The vulnerability assessment engine sends an identifier, such as a common platform enumeration (CPE)-like string to a server, which queries a database to determine a response code for the action. The response code may indicate that the action should be allowed, blocked, allowed with a warning, or other useful action. A shim agent may also be installed to receive notifications from the server or to query the server for available updates or patches for the executable object. | 03-24-2016 |
20160088013 | FILTERING LEGITIMATE TRAFFIC ELEMENTS FROM A DOS ALERT - A method for monitoring traffic flow in a network is provided. A network monitoring probe monitors one or more network traffic flow parameters to detect a denial of service attack. In response to detecting the denial of service attack, a first set of data representing the denial of service attack alert is displayed. Filtering criteria are received from a user. The filtering criteria include at least one of the network flow parameters identified as legitimate network traffic. A second set of data is generated and displayed based on the filtering criteria. | 03-24-2016 |
20160092679 | INSPECTION AND RECOVERY METHOD AND APPARATUS FOR HANDLING VIRTUAL MACHINE VULNERABILITY - An inspection and recovery method and apparatus for handling virtual machine vulnerability, which inspect the security status of a virtual machine in a hypervisor domain, and recover a main system file or limit the use of a virtual machine suspected of being damaged due to hacking depending on the results of inspection, thus providing a secure virtual machine use environment for cloud computing. In the presented method, collection target information and inspection criteria including vulnerability inspection criteria, recovery criteria, and hacking damage criteria are updated. Then, the collection target information is collected from the virtual disk and virtual memory of each virtual machine. Vulnerability is inspected in conformity with the inspection criteria, based on the collected information. A damaged main system file depending on inspection results is recovered based on recovery criteria. | 03-31-2016 |
20160094575 | AUTOMATED HARDENING OF WEB PAGE CONTENT - Methods and apparatus are described for automatically modifying web page source code to address a variety of security vulnerabilities such as, for example, vulnerabilities that are exploited by mixed content attacks. | 03-31-2016 |
20160094576 | ANTI-VULNERABILITY SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT - A system, method, and computer program product are provided for accessing at least one data storage identifying a plurality of mitigation techniques that mitigate effects of attacks that take advantage of vulnerabilities, such that: each mitigation technique is capable of mitigating an effect of an attack that takes advantage of a corresponding vulnerability, and each mitigation technique has a mitigation type including at least one of a patch, a policy setting, or a configuration option. Further, the system, method, and computer program product are provided for displaying at least one mitigation technique in connection with at least one vulnerability to be applied as an attack response, and receiving user input for selecting the at least one mitigation technique in connection with the at least one vulnerability. | 03-31-2016 |
20160094577 | PRIVILEGED SESSION ANALYTICS - A privileged account manager is provided for monitoring privileged sessions on target systems of an enterprise. In an embodiment, the privileged account manager is configured to capture metadata related to a privileged session and generate a first activity pattern for the privileged session based on the captured metadata. The first activity pattern may include a sequence of one or more activities performed by a first user during the privileged session. The privileged account manager may be configured to identify a second activity pattern that comprises at least a subset of the one or more activities performed by the first user during the privileged session and determine an appropriate action to be performed for the first activity pattern based on the identification of the second activity pattern. In some embodiments, the privileged account manager may be configured to transmit the action to a second user on a client device. | 03-31-2016 |
20160098563 | SIGNATURES FOR SOFTWARE COMPONENTS - A facility for analyzing a pair of code files is described. From each of the code files, the facility extracts a hierarchy of textual names. The facility then determines a score reflecting the level of similarity between the extracted hierarchies of textual names, for attribution to the pair of code files. | 04-07-2016 |
20160098564 | ASSESSMENT AND ANALYSIS OF SOFTWARE SECURITY FLAWS - Security analysis and vulnerability testing results are "packaged" or "bound to" the actual software they describe. By linking the results to the software itself, downstream users of the software can access information about the software, make informed decisions about implementation of the software, and analyze the security risk across an entire system by accessing all (or most) of the reports associated with the executables running on the system and summarizing the risks identified in the reports. | 04-07-2016 |
20160099962 | SITE SECURITY MONITOR - Techniques for monitoring site security are disclosed herein. Sites are scanned for security metric values associated with one or more security metrics. Normalized values for those scanned security metric values are calculated based on previously obtained values associated with one or more other security metrics associated with other scanned sites. Site security metrics are then calculated for the sites based on a subset of the normalized values and based at least in part on a comparison to other scanned sites. | 04-07-2016 |
20160099963 | METHODS AND SYSTEMS FOR SHARING RISK RESPONSES BETWEEN COLLECTIONS OF MOBILE COMMUNICATIONS DEVICES - Methods are provided for determining an enterprise risk level, for sharing security risk information between enterprises by identifying a security response by a first enterprise and then sharing the security response to a second enterprise when a relationship database profile for the first collection indicates the security response may be shared. Methods are also provided for determining whether to allow a request from an originating device where the request may have been initiated by a remote device. | 04-07-2016 |
20160103996 | Methods and Systems for Behavioral Analysis of Mobile Device Behaviors Based on User Persona Information - A computing device processor may be configured with processor-executable instructions to implement methods of using behavioral analysis and machine learning techniques to identify, prevent, correct, or otherwise respond to malicious or performance-degrading behaviors of the computing device. As part of these operations, the processor may generate user-persona information that characterizes the user based on that user's activities, preferences, age, occupation, habits, moods, emotional states, personality, device usage patterns, etc. The processor may use the user-persona information to dynamically determine the number of device features that are monitored or evaluated in the computing device, to identify the device features that are most relevant to determining whether the device behavior is not consistent with a pattern of ordinary usage of the computing device by the user, and to better identify or respond to non-benign behaviors of the computing device. | 04-14-2016 |
20160105455 | EXPOSURE OF AN APPARATUS TO A TECHNICAL HAZARD - Embodiments of the invention are directed to systems, methods and computer program products for determining exposure of an apparatus to a technical hazard and prioritizing technical hazards. An exemplary system is configured to: determine an impact associated with a technical hazard on the apparatus, the impact being initiated by a second apparatus; determine a probability of occurrence of the technical hazard; and determine the exposure of the apparatus based on the impact and the probability. | 04-14-2016 |
20160105457 | Risk Identification - Systems, methods and apparatuses for analyzing a string of terms (e.g., a search query, text of an email, and the like) are provided. In some examples, a determination is made as to whether one or more terms in the string matches a keyword. If so, various parts of speech of one or more terms in the string of terms may be determined. In some examples, a category of risk of the terms for which the part of speech is identified may also be determined. A risk rating may then be determined for the string of terms based on the relationship between the terms (e.g., the parts of speech) and the category or categories identified. In some examples, one or more additional actions may be implemented based on the risk rating. | 04-14-2016 |
20160110547 | SYSTEMS AND METHODS FOR ANALYSIS OF CROSS-SITE SCRIPTING VULNERABILITIES - A system for detecting XSS vulnerabilities includes determining the context in which a probe supplied as an input to a webpage or an application exists in a script associated with the webpage or application. A payload is generated based on, at least in part, the context such that during execution of the script, an executable code fragment in the payload can escape out of the context in which the probe exists and into the global context of the script. The payload may include additional characters that prevent the payload from causing errors in the execution of the script. | 04-21-2016 |
20160110548 | DETERMINING AN ATTACK SURFACE OF SOFTWARE - A method of determining an attack surface of software may include generating a platform for testing at least one deployment of software code, identifying protocols that are used by the at least one deployment, mapping the protocols to at least one port in the at least one deployment, and computing a metric comprising parameters for the at least one deployment. | 04-21-2016 |
20160110549 | ANALYZING TARGET SOFTWARE FOR SECURITY VULNERABILITIES - A method of analyzing target software for security vulnerabilities comprises, with a processor, scanning a codebase of a target software using a static analysis scan to identify a number of security flaws, and calculating a number of code metrics of the codebase of the target software for a number of iterations over a period of time to obtain a number of historical scans. | 04-21-2016 |
20160110551 | Computer System Anomaly Detection Using Human Responses to Ambient Representations of Hidden Computing System and Process Metadata - A system and method involve measuring one or more hidden states internal to a computing system related only to a user's active task with the computing system, using one or more deterministic mapping functions to directly map, without interpretation of the hidden states as being benign or malicious, the measurements to a representational output, presenting the representational output in real-time and peripheral to the user's active task with the computing system without label information pertaining to the hidden states, determining the user's behavioral responses and/or physiological responses to the presented representational output, altering one or more display characteristics of the presented representational output based upon one or more behavioral responses and physiological responses, and/or inputting the user's response into a machine learning algorithm configured to detect an anomaly within the computing system using the user's behavioral and physiological responses and/or computing system measurements. | 04-21-2016 |
20160112451 | SYSTEMS AND METHODS FOR APPLICATION SECURITY ANALYSIS - Systems and methods for analyzing applications for risk are provided. In the example method, the applications reside on a mobile device that is configurable to access an enterprise system. The example method includes evaluating each of a plurality of applications variously for privacy, data leakage, and malicious behavior. The example method also includes calculating a risk score for each of the plurality of applications based on the evaluating; and automatically remediating (e.g., quarantining) the applications, of the plurality of applications, for which the risk score meets or exceeds a risk score threshold. The method may evaluate all of the applications residing on a mobile device. The method may include grouping application behaviors, for each of the applications, that indicate an increased risk into groups comprising various combinations of a privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk. | 04-21-2016 |
20160117507 | Evaluating Customer Security Preferences - Methods and systems for evaluating customer security preferences are presented. In some embodiments, a computer system may receive, from a customer portal computing platform, a request for a security dashboard user interface for a customer. In response to receiving the request for the security dashboard user interface, the computer system may request, from a security score computing platform, a security score for the customer. Subsequently, the computer system may receive, from the security score computing platform, the security score for the customer. The computer system then may generate, based on the security score for the customer, the security dashboard user interface for the customer. Thereafter, the computer system may provide, to the customer portal computing platform, the generated security dashboard user interface for the customer. | 04-28-2016 |
20160119372 | INTERACTING WITH A REMOTE SERVER OVER A NETWORK TO DETERMINE WHETHER TO ALLOW DATA EXCHANGE WITH A RESOURCE AT THE REMOTE SERVER - Provided are a computer program product, system, and method for interacting with a remote server over a network to determine whether to allow data exchange with a resource at the remote server. Detection is made of an attempt to exchange data with the remote resource over the network. At least one computer instruction is executed to perform at least one interaction with the server over the network to request requested server information for each of the at least one interaction. At least one instance of received server information is received. A determination is made whether the at least one instance of the received server information satisfies at least one security requirement. A determination is made of whether to prevent the exchanging of data with the remote resource based on whether the at least one instance of the received server information satisfies the at least one security requirement. | 04-28-2016 |
20160119373 | SYSTEM AND METHOD FOR AUTOMATIC CALCULATION OF CYBER-RISK IN BUSINESS-CRITICAL APPLICATIONS - A system for calculating cyber-risk in a software application includes a cyber-risk calculator. The cyber-risk calculator receives a security assessment result sample having a list of security modules, each security module listing including a respective result of a security assessment of the application identifying a vulnerability and/or misconfiguration capable of being exploited and/or abused. When run in a risk calculation mode, the cyber-risk calculator determines a world partition that the application in the security assessment result sample belongs to, references a set of parameters from a parametrization database according to the world partition corresponding to the application, determines a cyber-risk exposure level for the application based upon the security assessment result sample and the set of parameters, and reports results of the cyber-risk calculation. | 04-28-2016 |
20160127408 | DETERMINING VULNERABILITY OF A WEBSITE TO SECURITY THREATS - Provided are methods and systems for determining a vulnerability of a website to at least one security threat. An example method can comprise providing a user interface; receiving, via the user interface, website data associated with the website; based on the website data, probing the website with at least one request, with the at least one request including at least one security threat signature; receiving at least one response from the website; comparing the at least one response to at least one expected response for the at least one request; based on the comparison, determining the at least one security threat; and reporting results of the determination for review. | 05-05-2016 |
20160127409 | WEB SERVICE TESTING - Disclosed is a computer-implemented method and system of inferring a web service infrastructure from a web service hosted on a web server. The method includes: downloading a web service description language (WSDL) file describing the web service from a location on the web server identified by a uniform resource locator (URL); identifying at least one of a web service design technology and a web service design technology provider from character strings indicative of the technology and implementation, respectively, in at least one of the URL and WSDL file; and inferring the web service infrastructure from the identified web service design technology and web service design technology provider. A computer program product having aspects of the method as program code is also disclosed. | 05-05-2016 |
20160134653 | Synthetic Cyber-Risk Model For Vulnerability Determination - A system, method, and device are presented for assessing a target network's vulnerability to a real cyberthreat based on determining policy-based synthetic tests configured to model the behavior of the cyberthreat. Real-time feedback from the target network (e.g., servers, desktops, and network/monitoring hardware and/or software equipment) is received, analyzed, and used to determine whether modifications to the same synthesized test, or a new synthesized test, are preferred. The technology includes self-healing processes that, using the feedback mechanisms, can attempt to find patches for known vulnerabilities, test for unknown vulnerabilities, and configure the target network's resources in accordance with predefined service-level agreements. | 05-12-2016 |
20160134654 | THIRD PARTY CENTRALIZED DATA HUB SYSTEM PROVIDING SHARED ACCESS TO THIRD PARTY QUESTIONNAIRES, THIRD PARTY RESPONSES, AND OTHER THIRD PARTY DATA - A system for providing a third party centralized data hub. The system includes a server storing a database of sets of third party data, and the system includes a third party risk management module on the server maintaining the third party data. The system includes a first set of client devices communicatively linked with the server over a digital communications network and operable by data providers to provide and modify one of the sets of third party data. The system includes a second set of client devices linked with the server and operable by data consumers to access a subset of the sets of third party data. During operations, the risk management module monitors the third party data, identifies a modification, by one of the data providers, of one of the sets of third party data, and automatically generates and transmits an alert to the second set of client devices. | 05-12-2016 |
20160140341 | SYSTEMS AND METHODS FOR INCREASING SECURITY SENSITIVITY BASED ON SOCIAL INFLUENCE - Systems, methods, and non-transitory computer-readable media can provide a set of security features capable of being enabled by a user associated with an online service. In some implementations, it can be determined that at least one security feature in the set has yet to be enabled by the user. A communication can be provided to the user. In some instances, the communication can indicate that a quantity of social connections associated with the user has already enabled the at least one security feature. One or more options to enable the at least one security feature can be provided to the user. | 05-19-2016 |
20160140345 | INFORMATION PROCESSING DEVICE, FILTERING SYSTEM, AND FILTERING METHOD - An information processing device includes a processor configured to generate one or more sets of data corresponding to information about a testing method set in advance, to input the sets of generated data into a test device, to identify sets of data making the test device exhibit predetermined behavior, among the sets of generated data, and to refer to information common among the sets of identified data, to aggregate the sets of generated data. | 05-19-2016 |
20160142432 | RESOURCE CLASSIFICATION USING RESOURCE REQUESTS - In one implementation, a resource classification system identifies a plurality of resource requests and generates a plurality of resource access measures based on the plurality of resource requests. Each resource request from the plurality of resource requests is associated with a resource from a plurality of resources by a resource identifier of that resource. Each resource access measure from the plurality of resource access measures is associated with a resource from the plurality of resources. The resource classification system applies a classifier to each resource access measure from the plurality of resource access measures to generate a classification result for the resource from the plurality of resources associated with that resource access measure, and assigns a security classification to each resource from the plurality of resources based on the classification result for that resource. | 05-19-2016 |
20160142433 | INFORMATION ASSESSMENT SYSTEM, INFORMATION ASSESSMENT APPARATUS, AND INFORMATION ASSESSMENT METHOD - An information assessment system includes: an information management apparatus; and an information assessment apparatus connected to an information device via a first network and connected to the information management apparatus via a second network. The information assessment apparatus includes: an acquisition unit configured to acquire information about a setting state of the information device, an assessment processing unit configured to assess setting contents of the information device based on the acquired information and generate assessment result information, and a transmitting unit configured to transmit the assessment result information to the information management apparatus. The information management apparatus includes: a receiving unit configured to receive the assessment result information from the information assessment apparatus; and an output unit configured to output assessment-result output information containing findings on setting contents in a management area, in which the information device is arranged, based on the received assessment result information. | 05-19-2016 |
20160147998 | STATISTICAL ANALYTIC METHOD FOR THE DETERMINATION OF THE RISK POSED BY FILE BASED CONTENT - A system and method for calculating a risk assessment for an electronic file is described. A database of checks, organized into categories, can be used to scan electronic files. The categories of checks can include weights assigned to them. An analyser can analyse electronic files using the checks. Issues identified by the analyser can be weighted using the weights to determine a risk assessment for the electronic file. | 05-26-2016 |
20160149945 | DIGITAL DYE PACKS - Embodiments relate to systems and methods for providing digital dye packs in connection with a transaction via a device user interface. In an embodiment, a system includes a communication module of a remote server that interacts with a device that receives, from a user of the device, specific identifier information in connection with conducting a transaction with a recipient server; wherein the specific identifier information is associated with an alert of potential risk of the transaction. The system also includes a non-transitory memory comprising a database storing specific identifier information with corresponding actions that are executed based on the specific identifier information. The system further includes at least one hardware processor for executing an action in response to receiving corresponding identifier information associated with the alert of potential risk from the device in connection with the transaction. | 05-26-2016 |
20160149946 | PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY DETECTION - A system and program product are described herein for various techniques for detecting a persistent cross-site scripting vulnerability. In one example, the techniques include detecting, via the processor, a read operation executed on a resource using an instrumentation mechanism and returning, via the processor, a malicious script in response to the read operation. The techniques also include detecting, via the processor, a write operation executed on the resource using the instrumentation mechanism and detecting, via the processor, a script operation executed by the malicious script that results in resource data being sent to an external computing device from a client device. Furthermore, the techniques include receiving, via the processor, metadata indicating the execution of the read operation, the write operation, and the script operation. | 05-26-2016 |
20160149947 | PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY DETECTION - Various techniques for detecting a persistent cross-site scripting vulnerability are described herein. In one example, a method includes detecting, via the processor, a read operation executed on a resource using an instrumentation mechanism and returning, via the processor, a malicious script in response to the read operation. The method also includes detecting, via the processor, a write operation executed on the resource using the instrumentation mechanism and detecting, via the processor, a script operation executed by the malicious script that results in resource data being sent to an external computing device from a client device. Furthermore, the method includes receiving, via the processor, metadata indicating the execution of the read operation, the write operation, and the script operation. | 05-26-2016 |
20160154960 | SYSTEMS AND METHODS FOR RISK RATING FRAMEWORK FOR MOBILE APPLICATIONS | 06-02-2016 |
20160154961 | Evaluating Customer Security Preferences | 06-02-2016 |
20160154962 | AUTOMATED SECURITY ASSESSMENT OF BUSINESS-CRITICAL SYSTEMS AND APPLICATIONS | 06-02-2016 |
20160156656 | Methods, Systems and Media for Evaluating Layered Computer Security Products | 06-02-2016 |
20160156657 | SIMULATING A BOT-NET SPANNING A PLURALITY OF GEOGRAPHIC REGIONS | 06-02-2016 |
20160162269 | SECURITY EVALUATION AND USER INTERFACE FOR APPLICATION INSTALLATION - Generally, this disclosure provides systems, devices, methods and computer readable media for application installation security and privacy evaluation and indication. The system may include an application installation module configured to receive an application package for installation on a device, wherein the package comprises a list of device resources to be accessed by the application. The system may also include memory configured to store an impact score table comprising one or more security impact scores, each security impact score associated with access to one of the device resources. The system may further include a security/privacy evaluation module configured to calculate a security impact indicator (SII) based on a sum of the security impact scores selected by the accessed device resources listed in the package. | 06-09-2016 |
20160162690 | RECOMBINANT THREAT MODELING - Dynamically developing and maintaining threat models, threat landscapes and threat matrices are described. Specifically described are techniques on how to relate: (1) attack surfaces, (2) attack histories, (3) threats and (4) historical responses, by loading these four types of data, as well as other data, into a data store. One example data store disclosed includes some variations of a graph data structure. Upon loading the data, the populated data store may be used to develop Threat Models that will represent a Threat Landscape and a Threat Matrix. These may then be queried for recommended reactive and proactive responses with respect to an installation, in order to improve security. | 06-09-2016 |
20160164902 | SYSTEM AND METHOD FOR NETWORK INSTRUCTION DETECTION ANOMALY RISK SCORING - Systems, methods, and computer-readable storage media for scoring network anomaly risk. A system identifies a baseline usage for a facet of a server and determines, for the facet, a normal range of use based on the baseline usage. The system also determines an abnormal range of use based on the baseline usage. When actual usage data is available, the system determines whether the usage data corresponds to the normal range of use or the abnormal range of use, and calculates a facet score based on the abnormality value. | 06-09-2016 |
20160164903 | RESOLVING CUSTOMER COMMUNICATION SECURITY VULNERABILITIES - Customer communication security vulnerabilities are resolved. A usage history is obtained for a user device including communications involving the user device. Pattern recognition is applied to the usage history. The user device is assigned with a risk classification from a predetermined set of possible risk classifications, based on the pattern recognition. A vulnerability on the user device is remedied when the risk classification exceeds a predetermined threshold. | 06-09-2016 |
20160164904 | DETECTION OF PRIVILEGE ESCALATION VULNERABILITIES USING BAG OF WORDS - A method for detecting a privilege escalation vulnerability comprises selecting an address identifier of a web address with secure content. A first response to the address identifier being submitted as a first user having a first security clearance that is not sufficient to access the content is received. If not, then a second response to the address identifier submitted as a second user having a second security clearance that is sufficient to access the content is received. If a comparison of the first response to the second response satisfies a second vulnerability condition, then a privilege escalation vulnerability is reported. If not, then a first term frequency for the first response and a second term frequency for the second response are determined and compared. If the comparison of the first term frequency and the second term frequency satisfies a third vulnerability condition, then a privilege escalation is reported. | 06-09-2016 |
20160164905 | CYBER THREAT MONITOR AND CONTROL APPARATUSES, METHODS AND SYSTEMS - The cyber threat monitor and control apparatuses, methods and systems (hereinafter “CTMC”) determine risk across a global Internet network graph model for various virtual or physical network elements. In one embodiment, the CTMC defines a factor mechanism representing interactions among the set of network elements, the factor mechanism including a factor indicative of a correlation between a pair of network elements from the set of network elements, and dynamically calculates the probabilistic network security measure for each network element in the global Internet graph model based at least in part on the factor mechanism and any observed threat indicators related to the global Internet graph model. | 06-09-2016 |
20160164906 | CYBER THREAT MONITOR AND CONTROL APPARATUSES, METHODS AND SYSTEMS - The cyber threat monitor and control apparatuses, methods and systems (hereinafter “CTMC”) determine risk across a global Internet network graph model for various virtual or physical network elements. In one embodiment, the CTMC defines a factor mechanism representing interactions among the set of network elements, the factor mechanism including a factor indicative of a correlation between a pair of network elements from the set of network elements, and dynamically calculates the probabilistic network security measure for each network element in the global Internet graph model based at least in part on the factor mechanism and any observed threat indicators related to the global Internet graph model. | 06-09-2016 |
20160164907 | SECURITY ACTIONS FOR COMPUTING ASSETS BASED ON ENRICHMENT INFORMATION - Systems, methods, and software described herein provide enhancements for implementing security actions in a computing environment. In one example, a method of operating an advisement system to provide actions in a computing environment includes identifying a security incident in the computing environment, identifying a criticality rating for the asset, and obtaining enrichment information for the security incident from one or more internal or external sources. The method also provides identifying a severity rating for the security incident based on the enrichment information, and determining one or more security actions based on the enrichment information. The method further includes identifying effects of the one or more security actions on operations of the computing environment based on the criticality rating and the severity rating, and identifying a subset of the one or more security actions to respond to the security incident based on the effects. | 06-09-2016 |
20160173520 | SOCIAL NETWORK SECURITY MONITORING | 06-16-2016 |
20160173521 | CALCULATING AND BENCHMARKING AN ENTITY'S CYBERSECURITY RISK SCORE | 06-16-2016 |
20160173522 | ENTITY IP MAPPING | 06-16-2016 |
20160173523 | ENHANCED BROWSING WITH SECURITY SCANNING | 06-16-2016 |
20160173524 | METHOD AND SYSTEM FOR PROVIDING AN EFFICIENT ASSET MANAGEMENT AND VERIFICATION SERVICE | 06-16-2016 |
20160180096 | Static analysis based on abstract program representations | 06-23-2016 |
20160182553 | Auto-tuning program analysis tools based on user feedback | 06-23-2016 |
20160182554 | METHODS, SYSTEMS, AND DEVICES FOR DETECTING AND ISOLATING DEVICE POSING SECURITY THREAT | 06-23-2016 |
20160182555 | MULTI-DIMENSIONAL GEOMETRY FOR ENHANCEMENT OF SIMULATIONS OF NETWORK DEVICES | 06-23-2016 |
20160182556 | SECURITY RISK SCORE DETERMINATION FOR FRAUD DETECTION AND REPUTATION IMPROVEMENT | 06-23-2016 |
20160182558 | Auto-tuning program analysis tools using machine learning | 06-23-2016 |
20160188882 | SOFTWARE NOMENCLATURE SYSTEM FOR SECURITY VULNERABILITY MANAGEMENT - Systems and methods for securing a computer system are described herein. The systems and methods, which are computer-implemented, involve receiving, by a computing device, a name of a software vulnerability. The computing device measures a lexical similarity distance between the vulnerability name and each name in a list of names of software systems and components of the computer system. The computing device further identifies the software system and component names that are within a predetermined similarity distance of the vulnerability name as corresponding to software systems and components having the software vulnerability. Once the vulnerabilities are detected and mapped to corresponding software systems and components, the systems and methods can generate derivative works (e.g., reports, charts, and other derivative data) for further data processing, storage or analysis by different stakeholders and/or other computing devices. | 06-30-2016 |
20160188883 | ELECTRONIC SYSTEM WITH RISK PRESENTATION MECHANISM AND METHOD OF OPERATION THEREOF - An electronic system includes: a control unit configured to: calculate a risk score based on a permission requested by an application, generate a summary presentation based on the risk score for presenting a risk visualization of a privacy risk posed by an application, and generate a subcategory presentation based on the risk score for presenting the risk visualization of the privacy risk posed to a device feature by the application; and a user interface, coupled to the control unit, configured to present a risk presentation including the summary presentation, the subcategory presentation, or a combination thereof for displaying on a device. | 06-30-2016 |
20160188884 | Application Decomposition Using Data Obtained From External Tools For Use In Threat Modeling - An illustrative embodiment of automated application decomposition generates a set of information specific to an application by one or more external tools. Predefined heuristics and corresponding predefined conclusions, categorized corresponding to one or more external tool domains, are applied to the set of information to produce an intermediate result. The intermediate result is converted into a set of conclusions about factors, representative of the application, used in application decomposition. The set of conclusions is exported and used to generate a model of the application. The model is a starting point for identification of threats and weaknesses specific to the application. | 06-30-2016 |
20160188885 | SOFTWARE VULNERABILITY ANALYSIS METHOD AND DEVICE - The present disclosure includes: searching for a code clone corresponding to a used source code in any analysis target source code; detecting a security sink and sensitive data of the security sink on the basis of patch information in the searched code clone; acquiring a source code path from the user input point to the security sink by backwardly tracing the sensitive data detected in the analysis target source code; and verifying whether the searched code clone is a vulnerability in the analysis target source code by performing concolic testing on the basis of the path from the input point to the security sink. | 06-30-2016 |
20160191563 | SYSTEM FOR DETECTING THREATS USING SCENARIO-BASED TRACKING OF INTERNAL AND EXTERNAL NETWORK TRAFFIC - Disclosed is an improved approach to implement a system and method for detecting insider threats, where models are constructed that are capable of defining what constitutes the normal behavior for any given host and quickly finding anomalous behaviors that could constitute a potential threat to an organization. The disclosed approach provides a way to identify abnormal data transfers within and external to an organization without the need for individual monitoring software on each host, by leveraging metadata that describe the data exchange patterns observed in the network. | 06-30-2016 |
20160196429 | REMEDIATION OF SECURITY VULNERABILITIES IN COMPUTER SOFTWARE | 07-07-2016 |
20160196433 | DETECTING EXPLOITABLE BUGS IN BINARY CODE | 07-07-2016 |
20160196434 | REMEDIATION OF SECURITY VULNERABILITIES IN COMPUTER SOFTWARE | 07-07-2016 |
20160197953 | Apparatus and method for assessing financial loss from cyber threats capable of affecting at least one computer network | 07-07-2016 |
20160203319 | System and Method For Providing Technology-Driven End-to-End Managed Security Service Products Through a Security Marketplace | 07-14-2016 |
20160203320 | Privacy Protection for Mobile Devices | 07-14-2016 |
20160205116 | METHOD AND SYSTEM FOR VIRTUAL SECURITY ISOLATION | 07-14-2016 |
20160205126 | INFORMATION TECHNOLOGY SECURITY ASSESSMENT SYSTEM | 07-14-2016 |
20160205127 | DETERMINING A RISK LEVEL FOR SERVER HEALTH CHECK PROCESSING | 07-14-2016 |
20160253503 | VISUALIZATION OF SECURITY RISKS | 09-01-2016 |
20160255154 | VEHICLE SECURITY NETWORK DEVICE AND DESIGN METHOD THEREFOR | 09-01-2016 |
20160378993 | SYSTEMS FOR DIAGNOSING AND TRACKING PRODUCT VULNERABILITIES - Systems and methods for tracking telecom computing device vulnerabilities. The system includes a database storing a plurality of entries that describe security vulnerabilities, and a controller that receives input from a user selecting a class of telecommunication devices, e.g. a product line, and searches the database to identify pertinent entries describing a relevant security vulnerability for the class. The controller also identifies an authoritative entry that describes the relevant security vulnerability, validates pertinent entries within the database that conform with the authoritative entry, generates a report indicating a severity of the security vulnerability within the class based on valid entries within the database, and assesses a severity of the relevant security vulnerability for the class based on the conforming entries. | 12-29-2016 |
20160378995 | STATIC SECURITY ANALYSIS USING A HYBRID REPRESENTATION OF STRING VALUES - A hybrid string constructor includes a database configured to store a set of known concretizations. A processor is configured to compare the one or more string components to the set of known concretizations to determine string components from input string information that may be represented concretely, to abstract all string components that could not be represented concretely, and to create a hybrid string representation that includes at least one concrete string component and at least one abstracted string component. The set of known concretizations includes string configurations that cannot be interfered with by an attacker. | 12-29-2016 |
20160381060 | SYSTEMS AND METHODS FOR AGGREGATING ASSET VULNERABILITIES - In a system for determining vulnerabilities associated with a web property, a network accessible server associated with the property is identified. One or more software components/subsystems associated with that server and, optionally, one or more versions of that component/subsystem are identified. For the identified components and versions thereof, vulnerability information is obtained from a database and compiled to determine vulnerability of the web property, without requiring access to any code of the software components/subsystems. | 12-29-2016 |
20160381061 | PROXY FOR MITIGATION OF ATTACKS EXPLOITING MISCONFIGURED OR COMPROMISED WEB SERVERS - Methods and systems for preventing cyber-attacks on web sessions are disclosed. These methods and systems comprise elements of hardware and software for intercepting a Hyper Text Transfer Protocol (HTTP) transaction; analyzing the HTTP headers of the intercepted HTTP transaction for web session vulnerabilities; and, based on the result of analyzing the HTTP headers of the intercepted HTTP transaction for web session vulnerabilities, inserting at least one HTTP protocol element into the series of HTTP headers of the HTTP transaction. | 12-29-2016 |
20160381062 | RISK ASSESSMENT OF OPEN WI-FI NETWORKS - For assessing a risk associated with a Wi-Fi network, an analysis to evaluate a risk element associated with the Wi-Fi network is performed at a mobile device. From a result of the analysis, a risk value is determined. An overall risk value of the Wi-Fi network is to the risk value. Whether the overall risk value exceeds a risk tolerance threshold is evaluated. An activity on the device is prevented from using the Wi-Fi network at least when the overall risk value exceeds the threshold, and permitted when the overall risk value does not exceed the threshold. A visual attribute is assigned to the risk value according to a scale on which the risk value is measured. The visual attribute is presented on the device as a reason for preventing the use. The Wi-Fi network, the risk element, and the overall risk value are reported to a repository. | 12-29-2016 |
20160381063 | SYSTEM AND METHOD FOR ASSESSING VULNERABILITY OF A MOBILE DEVICE - A system and method for assessing vulnerability of a mobile device including at a remote analysis cloud service, receiving at least one vulnerability assessment request that includes an object identifier for an operative object of a mobile computing device, wherein the vulnerability assessment request originates from the mobile computing device; identifying a vulnerability assessment associated with the identifier of the operative object; and communicating the identified vulnerability assessment to the mobile computing device. | 12-29-2016 |
20160381064 | MANAGING DATA PRIVACY AND INFORMATION SAFETY - Automatically screen data associated with a user that may have already been shared on a social network or about to be shared on the social network for a potential security risk and assign a risk score to the data. If the assigned risk score is above a threshold risk score, a risk mitigation measure is generated and executed. | 12-29-2016 |
20170235960 | INTELLIGENT SYSTEM FOR FORECASTING THREATS IN A VIRTUAL ATTACK DOMAIN | 08-17-2017 |
20170237752 | PREDICTION OF POTENTIAL CYBER SECURITY THREATS AND RISKS IN AN INDUSTRIAL CONTROL SYSTEM USING PREDICTIVE CYBER ANALYTICS | 08-17-2017 |
20170237763 | NETWORK SECURITY FOR INTERNET OF THINGS | 08-17-2017 |
20170237764 | NON-INTRUSIVE TECHNIQUES FOR DISCOVERING AND USING ORGANIZATIONAL RELATIONSHIPS | 08-17-2017 |
20180025154 | Method of Correlating Static and Dynamic Application Security Testing Results for a Web and Mobile Application | 01-25-2018 |
20180025160 | GENERATING CONTAINERS FOR APPLICATIONS UTILIZING REDUCED SETS OF LIBRARIES BASED ON RISK ANALYSIS | 01-25-2018 |
20180025161 | STATIC DETECTION OF CONTEXT-SENSITIVE CROSS-SITE SCRIPTING VULNERABILITIES | 01-25-2018 |
20180025162 | APPLICATION PROGRAM ANALYSIS APPARATUS AND METHOD | 01-25-2018 |
20180025163 | DYNAMIC RISK MANAGEMENT | 01-25-2018 |
20180027009 | AUTOMATED CONTAINER SECURITY | 01-25-2018 |
20190147167 | APPARATUS FOR COLLECTING VULNERABILITY INFORMATION AND METHOD THEREOF | 05-16-2019 |
20190147168 | METHOD AND APPARATUS FOR IDENTIFYING SECURITY VULNERABILITY IN BINARY AND LOCATION OF CAUSE OF SECURITY VULNERABILITY | 05-16-2019 |
20190147378 | REDUCING CYBERSECURITY RISK LEVEL OF A PORTFOLIO OF COMPANIES USING A CYBERSECURITY RISK MULTIPLIER | 05-16-2019 |
20190149571 | METHOD AND DEVICE FOR REPAIRING PAGE VULNERABILITY | 05-16-2019 |
20190149572 | Selectively Choosing Between Actual-Attack and Simulation/Evaluation for Validating a Vulnerability of a Network Node During Execution of a Penetration Testing Campaign | 05-16-2019 |
20220138269 | IDENTIFICATION OF POTENTIALLY SENSITIVE INFORMATION IN DATA STRINGS - Methods for identifying potentially sensitive information and protecting such potentially sensitive information include scanning systems that collect and/or disseminate such information. Without limitation, systems collect and/or disseminate personal identification numbers (e.g., personal identification numbers, tax identification numbers, etc.), such as merchant systems, bank systems, healthcare systems, and the like, that collect, use, or disseminate sensitive information may be scanned to identify sequences of data that are likely to be sensitive, and may take actions to protect such sequences of data. Scanning and protection systems are also disclosed. | 05-05-2022 |
20220138326 | Human Factors Framework - A system, method, and computer-readable medium are disclosed for performing a human factors risk operation. The human factors risk operation includes: monitoring an entity, the monitoring observing an electronically-observable data source; deriving an observable based upon the monitoring of the electronically-observable data source; identifying a security related activity, the security related activity being based upon the observable from the electronic data source; analyzing the security related activity, the analyzing the security related activity using a human factors framework; and, performing a human factors risk operation in response to the analyzing the security related activity. | 05-05-2022 |
20220138327 | SYSTEM AND METHOD FOR MANAGING SECURITY RISK OF INFORMATION TECHNOLOGY SYSTEMS IN AN ENTERPRISE - The disclosure relates to system and method for managing security risk of information technology (IT) systems in an enterprise. The method includes determining valid trustware components that need to be evaluated for security risk of an IT system within the enterprise; correlating information associated with each of the valid trustware components in a set of data repositories; generating a mapping list comprising the valid trustware components, test cases corresponding to each of the valid trustware components, and test environments corresponding to each of the valid trustware components based on the correlation; triggering trustware security units for testing the valid trustware components based on the mapping list; and identifying security issues associated with the valid trustware components based on the testing. The trustware security units are arranged in a sequential manner or a parallel manner to align with execution of the test cases corresponding to each of the valid trustware components. | 05-05-2022 |
20220141186 | FILTERING DATA LOGS FROM DISPARATE DATA SOURCES FOR PROCESSING BY A SECURITY ENGINE - A security system obtains data logs from a set of security applications that each output data of different data types and in different formats. A filtering module obtains the data from the security applications as an input message stream and processes the input message stream into an output message stream with messages in a standardized format for processing by a security engine. The filtering module includes a set of filters each tailored to process data from a different data source. The filtering module detects the data source from analysis of the data and applies the corresponding filter to generate the output message stream. The security engine then detects patterns in the output data stream and provides alerts to an administrative interface when it detects a pattern indicative of malicious activity. | 05-05-2022 |
20220141244 | Using Indicators of Behavior When Performing a Security Operation - A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring an entity to identify a behavior enacted by the entity, the monitoring observing at least one electronically-observable data source; deriving an observable based upon the behavior enacted by the entity; identifying an event of analytic utility, the event of analytic utility being derived from the observable from the electronic data source, the event of analytic utility comprising a behavior enacted by the entity; identifying an indicator of behavior related to the event of analytic utility, the indicator of behavior providing an abstracted description of an inferred intent associated with the behavior enacted by the entity; analyzing the event of analytic utility, the analyzing the event of analytic utility being based upon the indicator of behavior related to the event of analytic utility; and, performing a security operation based upon the inferred intent associated with the behavior enacted by the entity. | 05-05-2022 |
20220141247 | SYSTEMS AND METHODS FOR IDENTIFYING, REPORTING, AND ANALYZING THREATS AND VULNERABILITIES ASSOCIATED WITH REMOTE NETWORK DEVICES - Embodiments of a computer-implemented system and methods for identifying and analyzing cyber threats and associated vulnerabilities associated with implementation of remote network devices are disclosed. | 05-05-2022 |
20220141248 | SYSTEM AND METHOD FOR SECURING A NETWORK - A system for generating a cyber-attack to penetrate a network. The system includes an identification module configured to identify at least one vulnerability of the network by examining at least one of a node of the network, data transmission within the network, or data received from a cyber defense mechanism; a generation module configured to generate a cyber-attack based on the at least one vulnerability of the network, and a goal to be achieved by the cyber-attack. The system includes a penetration module configured to penetrate the network with the cyber-attack and determine an effectiveness rating of the penetration; and a feedback module configured to provide a feedback to the identification module based on at least the effectiveness rating of the penetration. | 05-05-2022 |
20220141249 | REMEDIAL ACTIONS BASED ON USER RISK ASSESSMENTS - In some implementations, a method includes receiving, for each of multiple users, user activity data describing actions taken by the user by use of a user device over a period of time, determining, for each user and based on the actions taken by the user over the period of time and user responsibility data that describe responsibilities of the user, a risk assessment representative of a security risk resulting from the actions taken by the user by use of the user device, and determining, by the data processing apparatus, for each user and based on the risk assessment determined for the user, whether to implement a user-specific remedial action directed to risk mitigation. | 05-05-2022 |