Entries

Document | Title | Date |
--- | --- | --- |
20080201776 | Method And Computing System For Avoiding Denial Of Service Attacks - A computing system configured to receive service requests, comprising a memory for storing service request data and a service request handler. The computing system is configured to respond to a service request by registering a call back routine configured to pass details of the service request to the memory if executed by a panic process upon a system crash, the memory is configured to store the details of the service request passed to it, and the service request handler is configured to compare the service request to the service request data in the memory and to deny the service request if the service request matches a predefined portion of the service request data. | 08-21-2008 |
20080201777 | Method and Agent for the Protection Against the Unauthorized Use of Computer Resources - Method and agent for preventing a hostile use of computer resources by an application running on a workstation. A list of services that are not allowed for access by unspecified applications is provided, and when such unspecified application runs on the workstation, the application is prevented from accessing any resource directly. Any direct or indirect request for access to specific services is analyzed, to determine whether such request is allowable according to the list. The workstation processes the request if it is allowable. The unspecified application is prevented from accessing the requested resource if the request is not allowable. The resource may be any local or remote resource, such as, memory allocation, files, directories, operations with files and directories, such as copy, delete or compress, or any other operation leading to a permanent change in the workstation or its periphery. | 08-21-2008 |
20080209550 | Method For Detecting and Reacting Against Possible Attack to Security Enforcing Operation Performed by a Cryptographic Token or Card - The approach defines a protection mechanism against attacks on a security enforcing operation performed by a cryptographic token or smart card. It is based on an attack detector which signals the main elaboration or processing system regarding a potential attack situation. The approach addresses SIM cloning problems of telecommunications operators who use old and breakable cryptographic algorithms such as COMP-128 and do not want to invest in updating the network authentication systems with more resistant authentication cryptographic algorithms. The approach may be applicable to the typical telecommunications operator in an emerging market that does not use state of the art technology. | 08-28-2008 |
20080209551 | File Conversion in Restricted Process - Embodiments are described for removing malicious code from a file in a first file format by converting the file into a converted file of a second file format. In embodiments, converting the file eliminates malicious code embedded within the file from being stored in the converted file. The conversion is performed within a restricted computer process that has restricted privileges limiting its access to an operating system and an underlying computer system. As a result, even if malicious code embedded within the file executes while the file is being converted into the converted file, the damage to a computer system is mitigated because of the limited privileges provided to the restricted process. | 08-28-2008 |
20080209552 | IDENTIFYING POTENTIALLY OFFENDING CONTENT USING ASSOCIATIONS - Methods for identifying potentially harmful, malicious, or unwanted content based upon associations with known offenders are provided. Executable content associated with a domain is identified. The executable content URL and the domain are compared to URLs/domains known to be associated with malicious content. If the URL and/or the domain has been identified as associated with offending code, the remaining domain contents and any available associated information are examined to identify any referencing domains, referenced domains, linking domains, affiliated entities, etc. Each identified domain, affiliate, etc. is subsequently examined in a similar manner to identify any domain, entity, etc. having an association with malicious content. Each identified domain, entity, etc. is assigned a suspicion level based upon proximity to the source of the offending code. If desired, relationships among the domains, entities, and the like may be relationally mapped to render associations easier to identify. | 08-28-2008 |
20080209553 | Method for protecting data in a hard disk - The present invention discloses a method for protecting data in a hard disk, such that when a computer executes a power-on self test (POST) of a basic input/output system (BIOS), completes initialization of memories and calls an interrupt routine of the BIOS to read a hard disk area after initialization program codes of interface devices of all hard disk are executed, the computer will determine whether or not the hard disk has added a protection description data with a portion that matches with a computer identification code of the computer before accessing data in the hard disk. | 08-28-2008 |
20080209554 | Spam honeypot domain identification - Identification of spam honeypot domains is performed automatically by a system | 08-28-2008 |
20080209555 | Approach for proactive notification of contract changes in a software service - An approach is provided for proactive notification of contract changes in a software service. According to the approach, when the executable code of a composite application operable to access the service is generated, an initial copy of a contract that describes the service is retrieved. A baseline representation of the contract is generated based on the initial copy of the contract. When the composite application is being executed, a determination is made based on the baseline representation whether the contract has experienced any changes. In response to determining that the contract has experienced a change, a notification is sent indicating that the contract has experienced the change. | 08-28-2008 |
20080209556 | METHOD AND DEVICE FOR VERIFICATION OF CODE MODULE IN VIRTUAL MACHINE - A method for pre-verification of a code module when the code module is installed or updated in a virtual machine, comprising: loading codes in the installed or updated code module; performing code verification on the codes in the code module; if the code verification is passed, generating a certificate of the code module; and storing the code module passing the code verification and its certificate. The present invention also discloses a method for verification of a code module at runtime of the code module in a virtual machine, comprising loading codes in the code module; generating a certificate of the code module based on the loaded codes; if the generated certificate of the code module and a pre-stored certificate of the code module are identical, verifying the code module to be valid; otherwise performing a pre-verification on the code module. | 08-28-2008 |
20080216173 | Method and Apparatus for Auditing Network Security - In an apparatus for auditing the security of a computer system, at least one secure application server is in communication with a global computer network. The secure application server is programmed to selectively receive security audit instruction data from a remote computer system via the global computer network. A plurality of scanning machines are each in communication with the global computer network and are programmed to selectively execute a security audit scan of the remote computer system via the global computer network. A central computer, having a memory, is configured as a database server and as a scheduler. The central computer is in communication with the secure application server and the scanning machines. The central computer is programmed to perform the following operations: evaluate a database to determine if a security audit scan is currently scheduled to be run for a user; determine which of the plurality of scanning machines is available to perform a security audit scan; copy scan-related information into a scanning machine determined to be available and instruct the scanning machine to begin the scan; and record the results of the scan in the memory. | 09-04-2008 |
20080216174 | Sensitive Data Scanner - A method and system of scanning a client for sensitive data. A server may receive, from the client, a request to scan the data stored in the data storage of the client for sensitive data. In response to receiving the request, the server may provide the client with a scanner, which causes the client to carry out functions including: (a) scanning the data stored in data storage to identify sensitive data; (b) collecting data based on the identified sensitive data; and (c) reporting the collected data. The server may then receive the collected data from the client and responsively analyze the data. The server may also provide feedback about the identified sensitive data to the client or another server. | 09-04-2008 |
20080216175 | COMPUTATIONAL SYSTEM INCLUDING MECHANISMS FOR TRACKING TAINT - Mechanisms have been developed for securing computational systems against certain forms of attack. Taint status for data accessible by processes is selectively maintained and propagated in correspondence with information flows of instructions executed by a computing system, so that a security (or other appropriate) response can be provided if and when a control transfer (or other restricted use) is attempted based on tainted data. One response that may be triggered is a change in the privilege level (root and guest) that is used to process code executing in a virtual environment, so as to allow remediation to be performed. The triggering events may be specified in a control block. | 09-04-2008 |
20080222723 | MONITORING AND CONTROLLING APPLICATIONS EXECUTING IN A COMPUTING NODE - A method and system for monitoring and controlling applications executing on computing nodes of a computing system. A status request process, one or more control processes, an untrusted application and one other application are executed on a computing node. The status request process receives and processes requests for the statuses of the untrusted and the other application. A first control process controls the execution of the untrusted application. A second control process controls the execution of the other application. The execution of the untrusted application terminates based on a failure of the untrusted application. A capability of the status request process to receive and process the requests for statuses, and a capability of the second control process to control the execution of the other application are preserved in response to the termination of the untrusted application. | 09-11-2008 |
20080229414 | Endpoint enabled for enterprise security assessment sharing - An enterprise-wide sharing arrangement uses a semantic abstraction, called a security assessment, to share security-related information between security products, called endpoints. A security assessment is defined as a tentative assignment by an endpoint of broader contextual meaning to information that is collected about an object of interest. Endpoints utilize an architecture that comprises a common assessment sharing agent and a common assessment generating agent. The common assessment sharing agent is arranged for subscribing to security assessments, publishing security assessments onto a channel, maintaining an awareness of configuration changes on the channel (e.g., when a new endpoint is added or removed), and implementing security features like authorization, authentication and encryption. A common assessment generating engine handles endpoint behavior associated with a security assessment including assessment generation, cancellation, tracking, and rolling-back actions based on assessments that have expired. The common assessment generating engine generates and transmits messages that indicate which local actions are taken. | 09-18-2008 |
20080229415 | SYSTEMS AND METHODS FOR PROCESSING DATA FLOWS - A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks. | 09-18-2008 |
20080229416 | Computer Network Virus Protection System and Method - A network is protected from viruses through the use of a sacrificial server, which may be physical or virtual. Any executable programs or other suspicious parts of incoming e-mail messages are forwarded to a sacrificial server, where they are converted to non-executable format such as Adobe Acrobat PDF and sent to the recipient. The sacrificial server is then checked for virus activity. After the execution is completed, the sacrificial server is rebooted. | 09-18-2008 |
20080229417 | METHOD FOR CONTROLLING RISK IN A COMPUTER SECURITY ARTIFICIAL NEURAL NETWORK EXPERT SYSTEM - A computer implemented method, data processing system, and computer program product for monitoring system events and providing real-time response to security threats. System data is collected by monitors in the computing system. The expert system of the present invention compares the data against information in a knowledge base to identify a security threat to a system resource in a form of a system event and an action for mitigating effects of the system event. A determination is made as to whether a threat risk value of the system event is greater than an action risk value of the action for mitigating the system event. If the threat risk value is greater, a determination is made as to whether a trust value set by a user is greater than the action risk value. If the trust value is greater, the expert system executes the action against the security threat. | 09-18-2008 |
20080235792 | Prefix matching algorithm - A prefix matching algorithm and method thereof are disclosed. The prefix matching engine for matching a prefix of an input stream against prefixes of predefined signatures includes prefix logic, a prefix look-up table storing prefix information of the predefined signatures, and a table entry buffer. According to a portion of the input stream, the prefix logic accesses a predetermined number of table entries in the prefix look-up table and stores the table entry values of those entries in the table entry buffer. By examining the temporary table entry values in the table entry buffer, the prefix logic determines whether a prefix match is found. | 09-25-2008 |
20080235793 | INTEGRITY PROTECTION IN DATA PROCESSING SYSTEMS - A method for protecting the integrity of a set of memory pages to be accessed by an operating system of a data processing system, includes running the operating system in a virtual machine (VM) of the data processing system; verifying the integrity of the set of memory pages on loading of pages in the set to a memory of the data processing system for access by the operating system; in response to verification of the integrity, designating the set of memory pages as trusted pages and, in a page table to be used by the operating system during the access, marking non-trusted pages as paged; and in response to a subsequent page fault interrupt for a non-trusted page, remapping the set of pages to a region of the data processing system memory which is inaccessible to the virtual machine. | 09-25-2008 |
20080235794 | PROTECTION AGAINST IMPERSONATION ATTACKS - A computing method includes running on a user computer a first operating environment for performing general-purpose operations and a second operating environment, which is configured expressly for interacting with a server in a protected communication session and is isolated from the first operating environment. A program running in the second operating environment detects an attempt to imitate the protected communication session made by an illegitimate communication session that interacts with the first operating environment. The detected attempt is inhibited automatically. | 09-25-2008 |
20080235795 | System and Method for Confirming Digital Content - A system for confirming digital content and methods for making and using same. The system and methods comprise determining how to search for a file. The system and methods comprise searching for a file and selectively obtaining a file. Further, they comprise verifying a file, and subsequently categorizing the file. A file that is verified can be known as such, thereby preventing the file to be re-verified. The file can be stored along with information about the file. The file and its information can be sent to a data reporting system or interface. An advantageous aspect of the present invention is the ability to perform semi-autonomously. | 09-25-2008 |
20080235796 | Circuit Arrangement with Non-Volatile Memory Module and Method for Registering Attacks on Said Non-Volatile Memory Switch - In order to further develop a circuit arrangement ( | 09-25-2008 |
20080235797 | Method, Apparatus, and Program to Forward and Verify Multiple Digital Signatures in Electronic Mail - A mechanism is provided for augmenting the mail header of a message with a list of digital signatures representing the chain of contributors to the message. The augmented header may also encode the actual contributions corresponding to each digital signature. The list is appended every time a message is forwarded. If a message has a portion with no corresponding digital signature or if one or more of the digital signatures is not trusted, the user may handle the message accordingly. Furthermore, a mail server or client may discard a message if the number of digital signatures exceeds a threshold to filter out unwanted messages, such as e-mail chain letters. | 09-25-2008 |
20080244739 | METHOD AND SYSTEM FOR RESILIENT PACKET TRACEBACK IN WIRELESS MESH AND SENSOR NETWORKS - A system and method for packet traceback in a network includes maintaining an identity number (ID) for each node in a network and generating a signature (e.g., a message authentication code (MAC)) using a secret key shared between each node on a forwarding path and a sink. Each forwarding node leaves a mark by appending its ID and a signature in the packet, either in a deterministic manner or with a probability. Upon receiving a packet at the sink, correctness of the signatures included in each packet is verified in the reverse order by which these signatures were appended. A last valid MAC is determined in the forwarding path to determine the locations of compromised nodes that collude in false data injection attacks. | 10-02-2008 |
20080244740 | BROWSER-INDEPENDENT EDITING OF CONTENT - A system for editing a web page includes receiving the web page in a normalized form, where the normalized form is independent of any browser form. The page may be displayed to a user, where the web page has been translated from the normalized form to a browser-dependent form, and is editable by the user. The web page may be a Wiki or collaborative web page. Overall, a unified editing system for editing a collaborative web page is described, the collaborative web page having a normalized form that is independent of any browser form. The system displays to a user the collaborative web page translated from the normalized form to a browser-dependent form, wherein the browser-dependent form of the collaborative web page is editable by the user. The unified editing system receives from the user the edited collaborative web page in the browser-dependent form. Other features and aspects of the invention are also disclosed. | 10-02-2008 |
20080250496 | Frame Relay Device - A frame relay device includes a table where an entry containing a combination of a MAC address and an IP address is registered to be used in the frame relay processing of a local device. Moreover, the frame relay device includes judgment means for searching the table by the transmission origin MAC address and the transmission origin IP address contained in the received frame and judging whether the combination of the transmission origin addresses is registered as a relay object in the layer | 10-09-2008 |
20080250497 | STATISTICAL METHOD AND SYSTEM FOR NETWORK ANOMALY DETECTION - An anomaly detection method and system determine network status by monitoring network activity. A statistics based profile for said network over a period is generated to analyze potentially anomalous network activity to determine if said network activity is anomalous by comparing current activity against the profile. Using the profile as a reference, the anomaly detection system and process estimate and prioritize potentially anomalous network activity based on the probability that the behavior is anomalous. The level of severity that the anomaly detection process uses to determine if an alarm is needed is based on comparing user-adjustable thresholds to the current probability. If the threshold has been breached, the user is alerted, subject to other quality checks. After a reporting cycle concludes, the anomaly detection system and process recompiles the statistics based profile to take into account the information observed in the previous reporting cycle. | 10-09-2008 |
20080256631 | RENEWABLE INTEGRITY ROOTED SYSTEM - A method of validating software is disclosed. The method may include receiving, at a first function, a first hash and a first version. The first function may validate a second function according to the first hash and first version. The second function may receive a second hash and a second version, and the second function may validate a third function according to the second hash and second version. The first version and first hash may be stored within the first function, for example. The first version and first hash may be stored within a manifest, for example. | 10-16-2008 |
20080256632 | APPARATUS AND METHOD FOR DETECTION OF A DENIAL OF SERVICE ATTACK ON AN INTERNET SERVER - An apparatus and method to detect a denial of service attack on an internet server by a hacker or malevolent software while effectively distinguishing an attack from a spike in demand by legitimate users of the server. In preferred embodiments, the kernel's TCP implementation is modified to hold back sending a reset (RST) to terminate the connection and to make an entry into a dead connection list when a connection attempt is dropped off of an overflowing accept queue. The entries are removed from the dead connection list when they become stale or an ACK is received corresponding to the entry. Additional TCP kernel parameters include a monitor enable to turn on or off the DoS monitor, a monitor threshold to determine when to send an alarm, and a stale time that is a timeout value to determine when to remove entries from the dead connection list. | 10-16-2008 |
20080256633 | Method and Apparatus for Determination of the Non-Replicative Behavior of a Malicious Program - Disclosed is a method, a computer system and a computer readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for determining a non-replicative behavior of a program that is suspected of containing an undesirable software entity. The process causes execution of the program in at least one known environment and automatically examines the at least one known environment to detect if a change has occurred in the environment as a result of the execution of the program. If a change is detected, the process automatically analyzes the detected change (i.e., the process performs a side effects analysis) to determine if the change resulted from execution of the program or from execution of the undesirable software entity. The process then uses the result of the analysis at least for undoing a detected change that results from execution of the undesirable software entity. The result of the analysis can also be used for informing a user of an anti-virus system of the non-replicative changes made to the environment. | 10-16-2008 |
20080263658 | USING ANTIMALWARE TECHNOLOGIES TO PERFORM OFFLINE SCANNING OF VIRTUAL MACHINE IMAGES - Methods and systems for scanning a virtual machine image. The virtual machine image may be stored as a collection of one or more virtual hard disk files. The virtual machine image may be stored by taking the virtual machine off-line or may be stored by taking a checkpoint of the virtual machine while the virtual machine is on-line. The virtual machine image is rendered to file-system data. Rendering the virtual machine image to file-system data may comprise mounting the virtual machine image's virtual hard disk drives. An anti-malware engine is invoked to scan the exposed file-system data, and data indicative of the scanning may be stored. | 10-23-2008 |
20080263659 | SYSTEM AND METHOD FOR DETECTING MALICIOUS MOBILE PROGRAM CODE - A system and method of detecting malware. A program file is received and analysis performed to identify URLs embedded in the program file. The URLs are categorized as a function of a URL filter database and a malware probability is assigned to each URL identified. A decision is made on how to dispose of the program file as a function of the malware probability of one or more of the URLs identified. In one example approach, a malware type is also assigned to the program file as a function of one or more of the URLs identified. | 10-23-2008 |
20080263660 | Method, Device and Program for Detection of Address Spoofing in a Wireless Network - The invention relates to a method, device and program for detection of address spoofing in a wireless network. According to the invention, a sensor is installed in order to capture frames transmitted over the wireless network which have an address field comprising an address of a network access point. The captured frames are analyzed in order to establish a list of stations that are associated with the access point. Another list of stations associated with the access point is obtained from the latter. The two station lists are compared in order to detect possible access point address spoofing. | 10-23-2008 |
20080263661 | DETECTING ANOMALIES IN SIGNALING FLOWS - The present invention relates to a method of detecting anomalies in signaling flows in a communication device connected to a database. In accordance with the method, a communication device receives ( | 10-23-2008 |
20080263662 | SYSTEM AND METHOD FOR FUZZY MULTI-LEVEL SECURITY - An access control system and method includes a risk index module which computes a risk index for each dimension contributing to risk. A boundary range is defined for a parameter representing each risk index such that a parameter above the range is unacceptable, below the range is acceptable, and within the range is acceptable with mitigation measures. A mitigation module determines the mitigation measures which bring the parameter within the range. | 10-23-2008 |
20080263663 | ANOMALY DETECTION BASED ON DIRECTIONAL DATA - Properly detects an anomaly on the basis of directional data that are obtained in sequence from a monitored object. An anomaly detecting method includes: sequentially generating directional data indicating a feature of each piece of monitored data correspondingly to the monitored data which are input in sequence; calculating the dissimilarity of the directional data to a reference vector; updating a moment of the distribution of the dissimilarity appearing when the directional data is modeled with a multi-dimensional probability distribution, based on the moment already corresponding to the monitored data; calculating a parameter determining the variance of the multi-dimensional probability distribution, on the basis of the moment; calculating a threshold of the dissimilarity on the basis of the multi-dimensional probability distribution the variance of which is determined by the parameter; and detecting an anomaly in the monitored data that corresponds to the dissimilarity if the dissimilarity exceeds the threshold. | 10-23-2008 |
20080271141 | PARALLELIZED PATTERN MATCHING USING NON-DETERMINISTIC FINITE AUTOMATA - This disclosure describes techniques of determining whether a symbol stream includes a pattern defined by a regular expression. As described herein, the regular expression may be represented using a non-deterministic finite automaton (NFA). A plurality of states in the NFA may be evaluated in parallel. These states may be associated with a plurality of symbol positions in a symbol stream. Evaluating a plurality of states and symbols in parallel may allow for faster determinations of whether the symbol stream includes the pattern defined by the regular expression. | 10-30-2008 |
20080271142 | PROTECTION AGAINST BUFFER OVERFLOW ATTACKS - A system including storage comprising software code and a plurality of data structures. The system also includes processing logic coupled to the storage and adapted to execute the software code. If the processing logic executes a function call instruction, the processing logic stores copies of software code return information to a first data structure location and to a second data structure location. If, after executing a function associated with the function call instruction, the processing logic determines that data from the first and second data structure locations do not match, the processing logic initiates a security measure. The data is associated with the copies. | 10-30-2008 |
20080271143 | Insider threat detection - Methods, systems, and computer program products for insider threat detection are provided. Embodiments detect insiders who act on documents and/or files to which they have access but whose activity is inappropriate or uncharacteristic of them based on their identity, past activity, and/or organizational context. Embodiments work by monitoring the network to detect network activity associated with a set of network protocols; processing the detected activity to generate information-use events; generating contextual information associated with users of the network; and processing the information-use events based on the generated contextual information to generate alerts and threat scores for users of the network. Embodiments provide several information-misuse detectors that are used to examine generated information-use events in view of collected contextual information to detect volumetric anomalies, suspicious and/or evasive behavior. Embodiments provide a user threat ranking system and a user interface to examine user threat scores and analyze user activity. | 10-30-2008 |
20080271144 | METHOD FOR THE AUTHENTICATED TRANSMISSION OF A PERSONALIZED DATA SET OR PROGRAM TO A HARDWARE SECURITY MODULE IN PARTICULAR OF A FRANKING MACHINE - In a method and arrangement for authenticated transmission of a personalized data set or program to a hardware security module in a device such as a franking machine, a system manufacturer buys security modules from a security module manufacturer, incorporates the security modules into the device at a production site, and loads a data set and/or an application program into the security module, making the device operable. Authentication occurs using a first security module-specific fixed code, a second security module-specific fixed code that is calculated from the first code according to a given algorithm, and a third security module-specific fixed code that is calculated from the second code and the data in the data set and/or in the program. | 10-30-2008 |
20080276313 | Applianced Domain Name Server - A software installation package for a domain name server (DNS) comprises a hardened operating system, a domain name server software, a management interface. To detect and block attack attempts ( | 11-06-2008 |
20080276314 | SOFTWARE PROTECTION INJECTION AT LOAD TIME - A method to apply a protection mechanism to a binary object includes using operating system resources to load a binary object from a storage medium along with a manifest and a digital signature. Authentication of the binary object is performed using the digital signature and the manifest is read to determine a category of protection for the binary object. The operating system selects a protection mechanism corresponding to the protection category and injects protection mechanism code, along with the binary object into a binary image on computer RAM. When the binary image is accessed, the protection mechanism executes and either allows full access and functionality to the binary object or prevents proper access and operation of the binary object. The protection mechanisms may be updated independently from the information on the storage medium. | 11-06-2008 |
20080276315 | ANTI-PHISHING FILTER - A method operates to detect personal identifying or account information exchanged in a real-time electronic communication occurring between computer network users, such as electronic chat. A detected personal identifier may be recognized as an attempt on the part of one user to engage in a phishing attack upon another user or to otherwise steal the other user's sensitive personal information. Upon recognizing the communication as an unwarranted attempt to collect such information, the electronic communication may be monitored, and communication of the personal information may be prevented. | 11-06-2008 |
20080282346 | Data Type Management Unit - A data type management unit. The data type management unit is configured to include a rules module which includes at least one identification standard paired with an associated code type, an interface module configured to receive a code signal, and an analysis module coupled to the interface module and to the rules module. Each identification standard includes a comparison rule paired with an associated rejection criteria; the comparison rule of each identification standard includes at least one code pattern representative of the associated code type; and the rejection criteria of each identification standard includes at least one rejection rule. The analysis module is configured to compare the received code signal to each code pattern in each identification standard and to recognize if one or more of the comparison results violates one or more of the rejection rules. | 11-13-2008 |
20080282347 | Real-time network malware protection - A Network State Database (NSD) can comprise information regarding the network-centric state of one or more computing devices connected to a network. The information contained in the NSD can be passively received by the NSD, or it can be actively obtained by the NSD. Additionally the NSD can comprise either a centralized collection of information, or a distributed collection of information independently maintained and conceptualized as a single entity. The information of the NSD can be used by a Network Risk Management Service (NRMS) to appropriately respond and protect the network. The NRMS can provide relevant information from the NSD to subscribers, which can independently act to protect the network. The NRMS can likewise itself instruct computing devices regarding an appropriate action, or it can itself instruct the performance of such action. | 11-13-2008 |
20080282348 | Methods, Devices and Data Structures for Trusted Data - A data structure has within it the following elements: an identification of a data structure type; and a proof that two or more instances of the data structure type are as trustworthy as each other. Methods and devices using such data structures are described. | 11-13-2008 |
20080289037 | SYSTEMS AND METHODS TO SECURE RESTRICTED INFORMATION IN ELECTRONIC MAIL MESSAGES - Systems and methods are provided to secure restricted information in electronic mail messages. According to some embodiments, it is determined at a client device that an email message is being generated by a user. A security classification may be associated with the email message, and the email message may be sent toward a destination along with an indication of the security classification, wherein the email message is routed based, at least in part, on the security classification. | 11-20-2008 |
20080289038 | METHOD AND APPARATUS FOR CHECKING INTEGRITY OF FIRMWARE - Provided are a method and apparatus for checking the integrity of firmware. The method includes storing a first hash function value of unhacked firmware for determining whether actual firmware of an external processor has been hacked; reading the actual firmware via a bus; calculating a second hash function value of the actual firmware; comparing the first hash function value with the second hash function value; and sharing a bus key with the external processor, based on the comparison result. | 11-20-2008 |
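The check above hashes firmware read over a bus, compares it with a stored reference value, and only then shares a bus key. The Python below is an added illustration of that gate, not the application's code. It assumes SHA-256 as the hash, a reference digest held in memory the external processor cannot rewrite, HMAC-SHA256 for deriving the bus key, and a constructed firmware image.

```python
"""Firmware integrity check that gates bus-key sharing.

Added illustration of the flow summarized above; not the application's
code. Assumptions: SHA-256 is the hash function, the reference digest
lives in memory the external processor cannot rewrite, and the bus key is
derived with HMAC-SHA256 from a device secret. The firmware image is a
constructed byte string.
"""
import hashlib
import hmac
from typing import Optional

# Constructed "golden" image; its digest is what manufacturing would burn
# into the checker's one-time-programmable memory (assumption).
GOLDEN_FIRMWARE = b"constructed-firmware-image-v1\x00" * 64
REFERENCE_DIGEST = hashlib.sha256(GOLDEN_FIRMWARE).digest()

# Long-term secret known only to the checking device (assumption).
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def hash_firmware_over_bus(image: bytes, chunk: int = 256) -> bytes:
    """Stand-in for reading the external processor's code memory over the
    bus: the image is consumed chunk by chunk and hashed incrementally, so
    the checker never needs RAM for the whole image."""
    h = hashlib.sha256()
    for off in range(0, len(image), chunk):
        h.update(image[off:off + chunk])
    return h.digest()


def firmware_is_genuine(image: bytes) -> bool:
    actual = hash_firmware_over_bus(image)
    # Constant-time compare: an early-exit byte compare would let the
    # external processor learn how many leading digest bytes it got right.
    return hmac.compare_digest(REFERENCE_DIGEST, actual)


def derive_bus_key(image: bytes, session_nonce: bytes) -> Optional[bytes]:
    """Return a per-session bus key only when the firmware matches.

    The derivation mixes in the reference digest, so a key is bound to the
    measured image; a modified image gets no key at all (None).
    """
    if not firmware_is_genuine(image):
        return None
    info = b"bus-key|" + REFERENCE_DIGEST + b"|" + session_nonce
    return hmac.new(DEVICE_SECRET, info, hashlib.sha256).digest()


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`; used to show that any change is caught."""
    out = bytearray(image)
    out[offset] ^= 0x01
    return bytes(out)
```

The digest covers only what was read over the bus. If the external processor can serve the checker different memory than it executes, or can be re-flashed after the check, the measurement has to be repeated (or tied to a reset) before the key is used.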
20080289039 | METHOD AND SYSTEM FOR PROTECTING A MESSAGE FROM AN XML ATTACK WHEN BEING EXCHANGED IN A DISTRIBUTED AND DECENTRALIZED NETWORK SYSTEM - A system may include an attack preventing creator module that is configured to create at least one attack preventing head block for a message having message elements in a tree structure with one or more of the message elements being signed, wherein the attack preventing header block includes structure specific information that comprises at least a digest value of a pre-order traversal list of the tree structure and for each signed message element a unique ID attribute, a depth, a parent's name and a parent's ID attribute. The system may include an attack preventing verifier module that is configured to verify the at least one attack preventing header block by comparing the structure specific information which can be derived from the message with the structure specific information carried by the first attack preventing header block. | 11-20-2008 |
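The header block described above carries a digest of the tree's pre-order traversal and, for every signed element, its Id, depth, parent name and parent Id. The Python below is an added example in that spirit; it is not the application's code and does not implement XML-DSig: the signature over the element referenced by `URI="#body"` is assumed to still verify after the rewrite, which is exactly what makes signature wrapping work. The SOAP-like message, the attacker's rewrite and the `Id` attribute name are constructed assumptions.

```python
"""Structure-aware header block against XML signature wrapping.

Added example in the spirit of the header block described above; it is not
the application's code and does not implement XML-DSig itself: the
signature over the element referenced by URI="#body" is assumed to verify
before and after the rewrite, which is exactly what makes wrapping work.
The message, the attacker's rewrite and the Id attribute name are
constructed assumptions.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SIGNED_MESSAGE = """<Envelope>
  <Header>
    <Security>
      <Signature><Reference URI="#body"/></Signature>
    </Security>
  </Header>
  <Body Id="body"><Transfer><To>alice</To><Amount>10</Amount></Transfer></Body>
</Envelope>"""

SignedInfo = Dict[str, Tuple[int, Optional[str], Optional[str]]]  # Id -> (depth, parent tag, parent Id)


def referenced_ids(root: ET.Element) -> List[str]:
    """Ids named by <Reference URI="#id"/> elements, i.e. the signed parts."""
    return [r.get("URI")[1:] for r in root.iter("Reference")
            if r.get("URI", "").startswith("#")]


def build_structure_block(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    traversal = "|".join(el.tag for el in root.iter())  # iter() is pre-order
    signed: SignedInfo = {}
    wanted = set(referenced_ids(root))
    for el in root.iter():
        eid = el.get("Id")
        if eid not in wanted:
            continue
        if eid in signed:
            raise ValueError(f"duplicate Id {eid!r}")  # classic wrapping trick
        depth, anc = 0, el
        while anc in parent:
            anc, depth = parent[anc], depth + 1
        p: Optional[ET.Element] = parent.get(el)
        signed[eid] = (depth,
                       p.tag if p is not None else None,
                       p.get("Id") if p is not None else None)
    return {"traversal_digest": hashlib.sha256(traversal.encode()).hexdigest(),
            "signed": signed}


def verify_structure(xml_text: str, carried: Dict[str, object]) -> bool:
    """Recompute the block from the received message and compare it with the
    carried one: relocating a signed element changes both the pre-order
    digest and its depth/parent entry."""
    try:
        return build_structure_block(xml_text) == carried
    except ValueError:
        return False


def wrapping_attack(xml_text: str) -> str:
    """Constructed attacker rewrite: move the signed Body under a wrapper
    (its Id still resolves, so the signature still verifies) and put an
    unsigned Body where the application expects to read it."""
    root = ET.fromstring(xml_text)
    header, body = root.find("Header"), root.find("Body")
    root.remove(body)
    ET.SubElement(header, "Wrapper").append(body)
    evil = ET.SubElement(root, "Body")
    transfer = ET.SubElement(evil, "Transfer")
    ET.SubElement(transfer, "To").text = "mallory"
    ET.SubElement(transfer, "Amount").text = "10000"
    return ET.tostring(root, encoding="unicode")
```

The carried block only helps if it is itself covered by the signature (or otherwise integrity-protected); an unsigned header block would simply be recomputed by the attacker after the rewrite.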
20080295169 | DETECTING AND DEFENDING AGAINST MAN-IN-THE-MIDDLE ATTACKS | 11-27-2008 |
20080295170 | PEER-TO-PEER NAME RESOLUTION PROTOCOL (PNRP) SECURITY INFRASTRUCTURE AND METHOD | 11-27-2008 |
20080301806 | DISTRIBUTED COMPUTATION IN UNTRUSTED COMPUTING ENVIRONMENTS USING DISTRACTIVE COMPUTATIONAL UNITS - An apparatus, program product and method initiate the execution of distractive computational units along with the execution of other computational units on an untrusted computer to inhibit the reconstitution of a computation by an untrusted party. In particular, along with partitioning a particular computation into a plurality of computational units, one or more distractive computational units are generated and supplied to one or more resource providers for execution along with those of the partitioned computation. | 12-04-2008 |
20080301807 | System and Method for Controlling On-Demand Security - An on-demand security service ensures isolation of the service provider's customers where the customers share resources at the system, subsystem, and storage level. The security service is provided in a pre-production phase and in a post production phase. The pre-production phase takes place prior to boarding the customer. In the pre-production phase the resources to be protected are defined in a security guide, and using the security guide, physical segregation at the facility, network, and technical and delivery support levels is planned and then implemented. In the post production phase, ongoing activities are proactive and reactive. Proactive activities include maintaining physical segregation by reviewing and updating the security guide, and testing physical segregation by performing security audits and penetration tests. Observations and findings of the audits and penetration tests are resolved. Reactive activities include identifying isolation failures, coordinating appropriate actions, and resolving the isolation failure. The service may be embodied in a system and in a computer implemented process comprising a security guide file (SGF), a security guide application (SGA), a security implementation application (SIA), a security validation application (SVA), and an event coordination application (ECA). | 12-04-2008 |
20080307524 | Detecting Public Network Attacks Using Signatures and Fast Content Analysis - Network worms or viruses are a growing threat to the security of public and private networks and the individual computers that make up those networks. A content sifting method is provided that automatically generates a precise signature for a worm or virus that can then be used to significantly reduce the propagation of the worm elsewhere in the network or eradicate the worm altogether. The content sifting method is complemented by a value sampling method that increases the throughput of network traffic that can be monitored. Together, the methods track the number of times invariant strings appear in packets and the network address dispersion of those packets including variant strings. When an invariant string reaches a particular threshold of appearances and address dispersion, the string is reported as a signature for a suspected worm. | 12-11-2008 |
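The two signals the abstract above combines are content prevalence (how often an invariant substring appears) and address dispersion (how many distinct sources and destinations carry it); a string is reported only when both cross a threshold. The Python below is an added example of that logic, not the application's code. It assumes fixed 8-byte substrings (shingles) in place of Rabin fingerprints, does no value sampling, and uses thresholds sized for the small constructed packet trace it builds.

```python
"""Content sifting: invariant-substring prevalence and address dispersion.

Added example of the signature-generation logic summarized above; it is
not the application's code. Assumptions: fixed 8-byte substrings
(shingles) stand in for Rabin fingerprints, no value sampling is done, and
the thresholds fit the tiny constructed packet trace below.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SHINGLE = 8
Packet = Tuple[str, str, bytes]  # (src, dst, payload)


class ContentSifter:
    def __init__(self, prevalence: int, dispersion: int) -> None:
        self.prevalence, self.dispersion = prevalence, dispersion
        self.count: Dict[bytes, int] = defaultdict(int)
        self.srcs: Dict[bytes, Set[str]] = defaultdict(set)
        self.dsts: Dict[bytes, Set[str]] = defaultdict(set)
        self.reported: Set[bytes] = set()

    def observe(self, src: str, dst: str, payload: bytes) -> List[bytes]:
        """Count every distinct shingle once per packet; report a shingle the
        first time it is both prevalent and spread over enough addresses."""
        fresh: List[bytes] = []
        for s in {payload[i:i + SHINGLE] for i in range(len(payload) - SHINGLE + 1)}:
            self.count[s] += 1
            self.srcs[s].add(src)
            self.dsts[s].add(dst)
            if (s not in self.reported and self.count[s] >= self.prevalence
                    and len(self.srcs[s]) >= self.dispersion
                    and len(self.dsts[s]) >= self.dispersion):
                self.reported.add(s)
                fresh.append(s)
        return fresh


def merge_shingles(shingles: Set[bytes]) -> List[bytes]:
    """Chain reported shingles that overlap by SHINGLE-1 bytes into the
    longest invariant strings; those are the usable signatures."""
    by_prefix = {s[:-1]: s for s in shingles}
    suffixes = {s[1:] for s in shingles}
    out: List[bytes] = []
    for start in sorted(s for s in shingles if s[:-1] not in suffixes):
        cur = start
        while cur[-(SHINGLE - 1):] in by_prefix and len(cur) < 4096:
            cur += by_prefix[cur[-(SHINGLE - 1):]][-1:]
        out.append(cur)
    return out


# Well-known x86 shellcode prologue bytes used as the worm's invariant part.
WORM_INVARIANT = b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"


def constructed_trace() -> List[Packet]:
    trace: List[Packet] = []
    # Worm: 8 infected hosts each hit a different victim; the bytes around
    # the invariant vary per instance (polymorphic padding).
    for i in range(8):
        pad = bytes([0x41 + i]) * 3
        tail = bytes((i * 37 + k) & 0xFF for k in range(16))
        trace.append((f"10.1.0.{i}", f"10.2.0.{i}", pad + WORM_INVARIANT + tail))
    # Legitimate: one web server answers 12 clients with an identical banner.
    # Prevalent, but the source set has size 1, so it must not be reported.
    for i in range(12):
        trace.append(("10.0.0.1", f"10.3.0.{i}", b"HTTP/1.1 200 OK\r\nServer: web\r\n"))
    return trace


def sift(trace: List[Packet], prevalence: int = 5, dispersion: int = 5) -> List[bytes]:
    sifter = ContentSifter(prevalence, dispersion)
    for src, dst, payload in trace:
        sifter.observe(src, dst, payload)
    return merge_shingles(sifter.reported)
```

The banner traffic shows why dispersion matters: its shingles are the most prevalent in the trace, but one source talking to many clients is what a busy server looks like, not a worm. Thresholds are the main tuning knob; set too low, popular protocol headers get reported as signatures.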
20080307525 | SYSTEM AND METHOD FOR EVALUATING SECURITY EVENTS IN THE CONTEXT OF AN ORGANIZATIONAL STRUCTURE - A system and method is provided for evaluating security threats to an enterprise network. The relative severities of security threats are determined, based in part, on the context of each threat within the enterprise network and in relation to the operation of a business. As a result, it is possible to prioritize security threats having the greatest magnitude and also threats that are directed against the most valuable business network devices. The invention comprises a plurality of network agents operating on a plurality of network devices for generating event messages. The event messages contain security data and are forwarded to an event manager for analysis. The event manager comprises an event correlator and an asset context manager. The event correlator detects security threats from the interrelationships between the security data contained in the event messages. In addition, the asset context manager utilizes business context knowledge specific to a particular business or business unit to determine a threat priority based on the importance of the threatened network device to the operation of the business. | 12-11-2008 |
20080313732 | Preventing the theft of protected items of user data in computer controlled communication networks by intruders posing as trusted network sites - Theft of protected items of user data by intruders, e.g. phishing, is prevented by maintaining a first listing, associated with a user display terminal, of protected user data items, and a second listing, associated with the display terminal, of the addresses of trusted network sites to which each of said protected user data items may be transmitted. When a transmission of a protected item from said user display terminal to a non-trusted network site is initiated, as determined by comparison of the two lists, the user is alerted to the proposed transmission to a non-trusted site. The transmission is prohibited until the user decides to either cancel or proceed with it. | 12-18-2008 |
20080313733 | Optimization of Distributed Anti-Virus Scanning - Techniques for optimizing distributed anti-virus (AV) scanning are described. In one implementation, a message is received into a multi-node network that includes a plurality of distributed scanning tools. An acceptable scanning policy threshold is determined that is representative of a plurality of individual scanning policy configurations of the plurality of scanning tools. A determination is made whether the message has previously been scanned to the acceptable scanning policy threshold based on a single valued element. If the message has been previously scanned, the message is allowed to be communicated. Otherwise, the message is scanned at the acceptable scanning policy threshold. If the scanning is successful, then the message is marked as having been scanned, and is allowed to be communicated. If the scanning is unsuccessful, the message is prevented from being communicated. | 12-18-2008 |
20080313734 | DISTRIBUTED SYSTEM AND METHOD FOR THE DETECTION OF eTHREATS - The invention relates to a distributed system for detecting eThreats that propagate in a network, which comprises: (a) a graphs database storing at least one propagation graph, each graph describing the typical propagation over time of one eThreat class or a legitimate executable class within the network; (b) a plurality of agents that are distributed in a corresponding plurality of hosts within the network, each of said agents continuously monitoring the corresponding host and reporting to a Central Decision Maker (CDM) the identity of any new suspected executable, and the time at which said suspected executable was first detected by said agent; (c) a CDM for: (c.1) receiving all said reports from said plurality of agents; (c.2) creating from said reports, for each suspected executable, a corresponding propagation graph which reflects the propagation characteristics over time of said suspected executable within the network; (c.3) comparing each of said created graphs with said stored at least one propagation graph; (c.4) upon finding a similarity above a predefined threshold between a created graph and one of the stored graphs, concluding that said executable belongs to the class defined by said stored graph; and (c.5) conveying said conclusion to said agents, for optionally taking an appropriate action. | 12-18-2008 |
20080320591 | METHOD AND SYSTEM FOR VERIFYING IDENTIFICATION OF AN ELECTRONIC MAIL MESSAGE - A method and system for verifying identification of an electronic mail message. An electronic mail message including a signature and a key is received, the signature identifying a domain from which the electronic mail message originated and the key for verifying the signature. A key registration server of the domain is accessed to verify the key. The key registration server provides for verifying that a key used to sign an electronic mail message is valid and that the sender is authorized by the domain to send the electronic mail message from the return address. | 12-25-2008 |
20090007263 | Method and Apparatus for Combining Traffic Analysis and Monitoring Center in Lawful Interception - A method and apparatus for integrating intercepted information with information obtained from at least one data retention source, the method comprising receiving intercepted information from an interception source, receiving information from a data retention source, and analyzing the information received from the data retention source in association with the intercepted information. The intercepted information can comprise metadata related to the intercepted communications and/or the contents of the communications themselves. This enables a user such as a law enforcement agency to reveal possibly indirect connections between target entities, wherein the connections involve non-target entities. The method and apparatus combine interception and content analysis methodologies with traffic analysis techniques. | 01-01-2009 |
20090007264 | SECURITY SYSTEM WITH COMPLIANCE CHECKING AND REMEDIATION - A security system is provided for use with computer systems. In various embodiments, the security system can analyze the state of security of one or more computer systems to determine whether the computer systems comply with expressed security policies and to remediate the computer systems so that they conform with the expressed security policies. In various embodiments, the security system can receive compliance documents, determine whether one or more computer systems comply with portions of security policies specified in the compliance documents, and take actions specified in the compliance documents to cause the computer systems to comply with the specified security policies. The security system may provide a common, unified programming interface that applications or tools can employ to verify or enforce security policies. | 01-01-2009 |
20090007265 | Defending Against Denial Of Service Attacks - In various embodiments, a server may be provided. The server may respond to a request for a service, from a processing device, with a challenge. The challenge may include a partial key for a memory-intensive operation, a number of iterations of the memory-intensive operation to perform, and a result of performing the number of iterations of the memory-intensive operation. Upon receiving the challenge, the processing device may choose a complete key consistent with the partial key and may produce a proposed result by performing the memory-intensive operation for the number of iterations. When the proposed result matches the result included in the challenge, the processing device may send a challenge answer, including the chosen complete key, to the server. Upon receiving a correct challenge answer from the processing device, the server may access the requested service and may return a result of the access to the processing device. | 01-01-2009 |
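The exchange above is a client puzzle: the server publishes a partial key, an iteration count and the result of a memory-intensive operation; the client searches the missing key bits until it reproduces the result; the server checks the answer with a single run of the operation. The Python below is an added example of that three-step exchange, not the application's code. The memory-intensive operation is modelled as a data-dependent walk over a lookup table (kept small so the search finishes in well under a second; a deployment would size it beyond the CPU caches); the 16-byte key and the 12 withheld bits are assumptions.

```python
"""Memory-bound client puzzle exchange (server challenge, client search,
server verification).

Added example of the protocol summarized above; not the application's
code. Assumptions: the memory-intensive operation is a data-dependent walk
over a lookup table (kept small here so the search finishes quickly; a
deployment would size it beyond the CPU caches), the key is 16 bytes, and
the server withholds the low 12 bits of it.
"""
import hashlib
import os
from typing import NamedTuple, Optional, Tuple

TABLE_SIZE = 1 << 12
# Pseudo-random table both sides can regenerate; the cost of the walk comes
# from the unpredictable, serialised table accesses, not from arithmetic.
TABLE = [int.from_bytes(hashlib.sha256(i.to_bytes(4, "big")).digest()[:4], "big")
         for i in range(TABLE_SIZE)]
HIDDEN_BITS = 12


def memory_walk(key: bytes, iterations: int) -> int:
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % TABLE_SIZE
    acc = 0
    for _ in range(iterations):
        v = TABLE[idx]
        acc = (acc * 0x9E3779B1 + v) & 0xFFFFFFFF
        idx = (v ^ acc) % TABLE_SIZE  # next address depends on this lookup
    return acc


class Challenge(NamedTuple):
    partial_key: bytes   # all but the low HIDDEN_BITS bits of the key
    iterations: int
    result: int          # memory_walk(full_key, iterations)


def server_issue(iterations: int = 200) -> Tuple[Challenge, bytes]:
    """Server side of the first message: pick a key, publish the part the
    client must complete, the iteration count and the expected result.
    Returns the full key too, only so the example can check itself."""
    hidden = int.from_bytes(os.urandom(2), "big") & ((1 << HIDDEN_BITS) - 1)
    full = os.urandom(14) + hidden.to_bytes(2, "big")
    return Challenge(full[:14], iterations, memory_walk(full, iterations)), full


def client_solve(ch: Challenge) -> Optional[bytes]:
    """Client side: try every completion consistent with the partial key
    until the walk reproduces the published result."""
    for guess in range(1 << HIDDEN_BITS):
        key = ch.partial_key + guess.to_bytes(2, "big")
        if memory_walk(key, ch.iterations) == ch.result:
            return key
    return None


def server_verify(ch: Challenge, answer: bytes) -> bool:
    """One walk on the server against up to 2**HIDDEN_BITS on the client:
    that asymmetry is what makes flooding the service expensive."""
    if len(answer) != 16 or answer[:14] != ch.partial_key:
        return False
    if int.from_bytes(answer[14:], "big") >> HIDDEN_BITS:
        return False  # the withheld part must fit in HIDDEN_BITS bits
    return memory_walk(answer, ch.iterations) == ch.result
```

Two operational points the abstract leaves implicit: the server has to remember (or MAC and time-limit) each issued challenge so a solved answer cannot be replayed, and the iteration count is the knob that scales the client's cost without changing the server's single verification walk.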
20090007266 | Adaptive Defense System Against Network Attacks - A system and method according to the invention provide an efficient resource allocation when receiving connection requests from different servers for data transfer and the efficient resource allocation is achieved by identifying and assigning a quality factor to each originating server. When an originating server presents an abusive behavior, it may be assigned to a state that has a low quality factor, thus receiving little resource from the system. | 01-01-2009 |
20090007267 | METHOD AND SYSTEM FOR TRACKING AUTHORSHIP OF CONTENT IN DATA - According to one aspect of the invention, iterative local alignment is employed to process two versions of a text and to identify novel contributions and their positions in the newer text version. In one embodiment, the new or target version of the text is aligned to the old or reference version of the text in an iterative process. The iterative process produces a local alignment of both text versions, which is optimal according to the selected parameters. In another embodiment, aligned substrings are removed from the texts and the iterative process is continued until no more aligned substrings can be obtained. In one example, authorship may be transferred from every aligned substring of the reference text version to the corresponding substring of the target text version. In another example, authorship for unaligned substrings of the target text version may be assigned to the author of the target text version. In one embodiment, unaligned substrings of the reference text version can be identified as deleted by the author of the target text version. In another embodiment, deleted substrings can be stored latently and can be considered in subsequent alignments. In another aspect of the invention, the method and system for tracking authorship of content in data may be employed in collaborative text editing systems or in word processing applications to identify and track the contributions of individual authors. | 01-01-2009 |
20090013404 | Distributed defence against DDoS attacks - When the processing resources of a host system are occupied beyond a trigger point by incoming requests, that host system issues a cool-it message that is broadcast throughout the network, eventually reaching edge routers that, in response to the message, throttle the traffic that they pass into the network. The throttling is applied in increasing amounts with increasing traffic volumes received at the edge routers. The cool-it messages are authenticated to ensure that they are not being used as instruments of a DoS attack. This mechanism also works to control legitimate network congestion, and it does not block users from a host system that is under attack. | 01-08-2009 |
20090013405 | Heuristic detection of malicious code - Scanning of computer files for malware uses a classifying technique to classify an input file as a clean file or a dirty file. The parameters of the classifying technique are derived to train the classification on a corpus of reference files including clean files known to be free of malware and dirty files known to contain malware. The classification is performed using a representation of the files in a feature space defined by a set of predetermined features for respective file formats, the features being a predetermined value or range of values for one or more data fields of given meanings. The representation of a file is derived by determining the file format, parsing the file on the basis of the structure of data fields in the determined file format to identify the data fields and their meaning, and determining, on the basis of the identified data fields, which of the set of predetermined features are present. | 01-08-2009 |
20090013406 | DYNAMIC TRUST MANAGEMENT - A method and apparatus are provided for tracking the state of a software component in use on a computing platform. Upon a change of a first type in the software component (such as a change to an integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded in cumulative combination with any previous integrity metric values recorded for changes of the first type to the software component. Upon a change of a second type in the software component (such as a change to a non integrity-critical part of the component), an appropriate integrity metric of the software component is reliably measured and recorded as a replacement for any previous integrity metric value recorded for changes of the second type to the software component. The two resultant values provide an indication of the integrity state of the software component. | 01-08-2009 |
20090019544 | Ensuring Security of Connection Between Thin Client and Client Blade - A method and system for ensuring security and preventing intrusion in a connection between a thin client and a client blade. An encrypted keep-alive protocol is conducted between the client blade and the thin client. The client blade issues keep-alive protocol messages and monitors for keep-alive protocol acknowledgments from the thin client. If a failure in receiving a keep-alive protocol acknowledgment from the thin client is detected and the failure is not due to a momentary glitch in the keep-alive protocol, then a command is generated to enter the client blade in a particular state (e.g., a hard power off state). The command is based on a “privilege mask” which includes code that specifies an action to be performed (i.e., enter a particular state) by the client blade. Based on the action performed by the client blade, the client blade provides different levels of security or protection against intrusion. | 01-15-2009 |
20090031420 | Methods and systems for network traffic security - The present invention is directed to methods of and systems for adaptive networking that monitors a network resource of a network. The method monitors an application performance. The method categorizes a first subset of traffic of the network. The categories for the first subset include trusted, known to be bad, and suspect. The method determines an action for a second subset of traffic based on the category for the first subset of traffic. Some embodiments provide a system for adaptive networking that includes a first device and traffic that has a first subset and a second subset. The system also includes a first resource and a second resource for the transmission of the traffic. The first device receives the traffic and categorizes the traffic into the first and second subsets. The first device assigns the first subset to the first resource. Some embodiments provide a network device that includes an input for receiving incoming traffic, an output for sending outgoing traffic, a categorization module that categorizes incoming traffic, and a resource assignment module that assigns the categorized traffic for a particular resource. A traffic category for the device includes suspect traffic. | 01-29-2009 |
20090038008 | MALICIOUS CODE DETECTION - In a system where an indirect control flow instruction requires a CPU to consult a first memory address, in addition to what is encoded in the instruction itself, for program execution, a method is provided to determine if the first memory address contains a valid or plausible value. The first memory address is compared to an expected or predicted memory address. A difference between the expected or predicted memory address and the first memory address causes an evaluation of any program code about to be executed. The evaluation of code determines whether or not a malicious attack is occurring, or being attempted, that might affect proper operation of the system or program. | 02-05-2009 |
20090038009 | Information Processing Device That Verifies A Computer Program, And Gaming Machine - An apparatus for processing information includes a memory device and a controller. The controller is configured to: access a memory area in the memory device in which information related to a location of data including a computer program is stored; store contents of the memory area as a first inspection code into a first memory area of the memory device; at a predetermined timing, access a memory area in the memory device in which the latest information is stored; store contents of the memory area as a second inspection code into a second memory area; compare the first and the second inspection codes; if the second inspection code does not agree with the first inspection code, output an error signal indicating inconsistency between the first and the second inspection codes; and if the second inspection code agrees with the first inspection code, perform verification of the computer program. | 02-05-2009 |
20090044270 | NETWORK ELEMENT AND AN INFRASTRUCTURE FOR A NETWORK RISK MANAGEMENT SYSTEM - A system for a communication infrastructure in a network including at least one connected system (CS) and at least one network risk management network element (SW), wherein the network acts as a virtual network comprising at least one virtual network element, and wherein the at least one virtual network element takes over the roles of existing network elements comprising at least one of a switch, a router, a firewall and an intrusion prevention system (IPS), and wherein the virtual network is comprised of physical elements that work together to form the network's infrastructure. | 02-12-2009 |
20090044271 | INPUT AND OUTPUT VALIDATION - The present description refers in particular to a computer-implemented method, a computer system, and a computer program product for input validation and output validation to prevent SQL injections. In one aspect, an embodiment of the invention involves a service (e.g., a web service operating on a server) receiving a request message from a client over a network. The server includes a handler for checking the request message according to a first method, prior to sending the request message to the service. In addition, the handler checks a response message (from the service) according to the first method, prior to sending the response message to the client. | 02-12-2009 |
20090049545 | TOLERATING AND DETECTING ASYMMETRIC RACES - Detecting and/or tolerating races. Races occur due to malicious threads not respecting software locks. A method of detecting and/or correcting races includes making local copies and reference copies of shared data. Any read and write operations performed by a safe thread are caused to be performed on the local copies during a critical section. The critical section defines a time frame during which a variable lock is placed on shared data. Any read and write operations performed by malicious threads are allowed to be performed on the shared data during the critical section. The shared data, the local copies, and the reference copies are compared to determine that a race has been detected. An indication can be output that a race has occurred or the race can be corrected. | 02-19-2009 |
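The three-way comparison above (shared data against the reference copy tells whether a lock-ignoring thread wrote; local copy against the reference tells whether the safe thread wrote) is what classifies each field at the end of the critical section. The Python below is an added example of that comparison, not the application's code. The two threads are simulated sequentially so the outcome is deterministic; the field names and the "commit local values for fields we wrote" policy are assumptions.

```python
"""Local/reference copy race detection for a critical section.

Added example of the three-copy comparison described above; not the
application's code. Threads are simulated sequentially so the outcome is
deterministic: the 'malicious' writer ignores the lock and writes to the
shared data while the safe thread's critical section is open.
"""
from typing import Dict, Tuple

Shared = Dict[str, int]


class RaceGuard:
    """The safe thread works on `local`; `reference` freezes what `shared`
    looked like at entry; at exit the three are compared field by field."""

    def __init__(self, shared: Shared) -> None:
        self.shared = shared
        self.reference: Shared = {}
        self.local: Shared = {}

    def enter(self) -> Shared:
        self.reference = dict(self.shared)
        self.local = dict(self.shared)
        return self.local

    def exit(self) -> Dict[str, str]:
        verdicts: Dict[str, str] = {}
        for key, ref in self.reference.items():
            other_wrote = self.shared[key] != ref   # someone bypassed the lock
            we_wrote = self.local[key] != ref       # the safe thread updated it
            if other_wrote and we_wrote:
                verdicts[key] = "conflict"    # both sides wrote: a real race
            elif other_wrote:
                verdicts[key] = "tolerated"   # foreign write; we only read it
            else:
                verdicts[key] = "clean"
            if we_wrote:
                # Commit as if our section had run atomically (assumed
                # policy); a conflicting foreign write is overridden and
                # reported rather than silently merged.
                self.shared[key] = self.local[key]
        return verdicts


def scenario() -> Tuple[Dict[str, str], Shared]:
    """Constructed interleaving: the safe thread debits `balance` under the
    lock while a lock-ignoring thread scribbles on both fields."""
    shared: Shared = {"balance": 100, "log_len": 0}
    guard = RaceGuard(shared)
    local = guard.enter()
    local["balance"] -= 30       # safe thread, inside the critical section
    shared["balance"] = 999      # malicious thread, no lock held
    shared["log_len"] = 1        # malicious write to a field we never touch
    verdicts = guard.exit()
    return verdicts, shared
```

The scheme only covers data the safe thread can snapshot at entry; for large structures the copies are taken per field or per object the section actually touches, otherwise the copy cost dominates the critical section.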
20090049546 | Method and Apparatus for Detection of Malicious Behavior in Mobile Ad-Hoc Networks - Systems and methods are provided for detecting malicious behavior in mobile ad-hoc wireless networks. The mobile ad-hoc network contains a plurality of actual nodes and a plurality of decoys that are derived from the actual nodes using duplicate instances of the operational software of the actual nodes in combination with a virtual interconnection topology created to make the decoys appear as actual nodes within the mobile ad-hoc network. The interconnection topology includes routing characteristics indicating that the most efficient path of communication to any given decoy is through at least one actual node in the network. The decoys are used to identify malicious behavior in the network and in particular to identify attempts to communicate directly with decoys in contradiction of the created interconnection topology. When the malicious behavior is associated with an identifiable node, corrective action is taken that includes quarantining that node from the other nodes in the network. | 02-19-2009 |
20090049547 | System for real-time intrusion detection of SQL injection web attacks - A real-time anomaly SQL Injection detection system is provided to detect anomalies specific to the backend Database layer and the Web application layer of a Website. To reduce false alarms, the system correlates abnormal scores for the Database layer and Web application layer to detect and catch different forms of SQL injection attacks. The attacks are detected based on anomalies and not signatures or patterns. | 02-19-2009 |
20090049548 | Semiconductor Device and Method For Preventing Attacks on the Semiconductor Device - The invention relates to a method and to a semiconductor device, comprising means for detecting an unauthorized access to the semiconductor device, wherein the semiconductor device carries out an initialization of the semiconductor device following detection of an unauthorized access, wherein an information item relating to the unauthorized access can be stored by the semiconductor device prior to the initialization, and wherein the stored information item relating to the unauthorized access remains intact following the initialization of the semiconductor device. It is advantageously provided that the stored information item remains intact for a predetermined period of time following disconnection of the semiconductor device from a power supply. | 02-19-2009 |
20090049549 | APPARATUS AND METHOD FOR DETECTION OF MALICIOUS PROGRAM USING PROGRAM BEHAVIOR - An apparatus and method of diagnosing whether a computer program executed in a computer system is a malicious program and, more particularly, an apparatus and method of diagnosing whether a computer program is a malicious program using the behavior of the computer program, and an apparatus and method of generating malicious code diagnostic data, are provided. The apparatus for diagnosing a malicious code may include a behavior vector generation unit which generates a first behavior vector based on a behavior signature extracted from a diagnostic target program; a diagnostic data storage unit which stores a plurality of second behavior vectors for a plurality of sample programs predetermined to be malicious or normal; and a code diagnostic unit which diagnoses whether the diagnostic target program is a malicious code by comparing the first behavior vector with the plurality of second behavior vectors. | 02-19-2009 |
20090055927 | Networked Computer System with Reduced Vulnerability to Directed Attacks - An attacker is prevented from obtaining information about the configuration of a computer system. Each of one or more revealing content elements that may be found in outgoing data transmitted by the computer system and that are capable of being used by the attacker to obtain the information about the configuration of the computer system is associated with one or more respective replacement content elements. Outgoing data to be transmitted by the computer system are then scanned for these one or more revealing content elements. A revealing content element found in the outgoing data is replaced by a replacement content element from the one or more replacement content elements associated with that revealing content element. This is done before the outgoing data is transmitted. | 02-26-2009 |
20090055928 | METHOD AND APPARATUS FOR PROVIDING PHISHING AND PHARMING ALERTS - Provided is an Internet information security technique, and more particularly, a method for alerting a user that a connected web site is a phishing site by comparing connected web site information with normal site information. | 02-26-2009 |
20090064323 | USE OF GLOBAL INTELLIGENCE TO MAKE LOCAL INFORMATION CLASSIFICATION DECISIONS - Methods and systems are provided for delaying local information classification until global intelligence has an opportunity to be gathered. According to one embodiment, an initial information identification process, e.g., an initial spam detection, is performed on received electronic information, e.g., an e-mail message. Based on the initial information identification process, classification of the received electronic information is attempted. If the received electronic information cannot be unambiguously classified as being within one of a set of predetermined categories (e.g., spam or clean), then an opportunity is provided for global intelligence to be gathered regarding the received electronic information by queuing the received electronic information for re-evaluation. The electronic information is subsequently classified by performing a re-evaluation information identification process, e.g., re-evaluation spam detection, which provides a more accurate categorization result than the initial information identification process. The electronic information is then handled in accordance with a policy associated with the categorization result. | 03-05-2009 |
20090064324 | NON-INTRUSIVE MONITORING OF SERVICES IN A SERVICE-ORIENTED ARCHITECTURE - A method for monitoring a service provided in a service-oriented architecture may include submitting a subscription request to a plurality of intermediaries in the service-oriented architecture from which to receive monitored data related to the service and determining which ones of the plurality of intermediaries to rely upon for monitoring the service. The method may also include receiving the monitored data from the determined ones of the plurality of intermediaries and presenting the monitored data for monitoring the service. | 03-05-2009 |
20090064325 | PHISHING NOTIFICATION SERVICE - A method includes determining whether new phishing site identifiers (URLs and/or IP addresses) have been created. Upon a determination that the new phishing site identifiers have been created, the new phishing site identifiers are compared to site identifiers of sites to which critical values have been provided in the past. Upon a determination that at least one of the new phishing site identifiers matches at least one of the site identifiers, a phishing notification is provided that the user was successfully phished in the past. | 03-05-2009 |
20090064326 | METHOD AND A SYSTEM FOR ADVANCED CONTENT SECURITY IN COMPUTER NETWORKS - The present invention relates to a method and a system for protecting data in a computer network. A device is placed on a network edge in such a way, that all outgoing data has to pass through it. Separately, a set of data that is not allowed to leave the network is defined and stored in a secure form (typically, one way hash). The device determines the network protocol, file type, transforms and normalizes the passing data, and seeks the presence of the data from the defined set. If a threshold amount of the protected data is present, the device takes one of the following actions: block, alert, log, redact, store, redirect, encrypt, notify sender. | 03-05-2009 |
20090064327 | Low cost high efficiency anti-phishing method and system called 'safety gates' - A low-cost, secure, reliable, convenient, and efficient method and system for reducing the effectiveness of phishing attacks, which consists in placing, before the login page, one or several complementary login pages, called 'safety gates', which lead to web pages with content known only to the legitimate user, who created the online account and pre-loaded the digital content displayed after login into the 'safety gate'. | 03-05-2009 |
20090064328 | SYSTEM, APPARATUS AND METHOD OF MALWARE DIAGNOSIS MECHANISM BASED ON IMMUNIZATION DATABASE - An immunization system is provided, including: an immunization client apparatus which determines whether a target code is a malicious code by performing an immunization operation with respect to a first immunization signature and a code signature that is extracted from the target code, and reports the result of the determination to an immunization server; and the immunization server, which diagnoses whether the target code is the malicious code, updates a second immunization signature based on the reported result of the determination, and transmits to the immunization client apparatus an update message about the updated second immunization signature, wherein the immunization client apparatus updates the first immunization signature based on the received update message. | 03-05-2009 |
20090064329 | Zero-hour quarantine of suspect electronic messages - The zero-hour quarantine comprises a tool for flagging potentially harmful messages/files prior to having an anti-virus signature published for a particular virus. The suspect file is sent to the zero-hour quarantine and periodically scanned, giving time for creation of a signature file that would then detect the virus. An example method may include receiving and examining a message for attributes indicative of its undesirability, and assigning a threat score to the message. The method may comprise disposing of the message by comparing the threat score to first and second thresholds, with the message sent to a permanent quarantine if the threat score passes the first threshold. The message is sent to the zero-hour quarantine if the assigned threat score does not pass the first threshold but passes the second threshold, or is delivered to the recipient if the assigned threat score does not pass the first or second threshold. | 03-05-2009 |
20090064330 | METHODS AND SYSTEMS FOR ANALYZING DATA RELATED TO POSSIBLE ONLINE FRAUD - Various embodiments of the invention provide methods, systems and software for analyzing data. In particular embodiments, for example, a set of data about a web site may be analyzed to determine whether the web site is likely to be illegitimate (e.g., to be involved in a fraudulent scheme, such as a phishing scheme, the sale of gray market goods, etc.). In an exemplary embodiment, a set of data may be divided into a plurality of components (each of which, in some cases, may be considered a separate data set). Merely by way of example, a set of data may comprise data gathered from a plurality of data sources, and/or each component may comprise data gathered from one of the plurality of data sources. As another example, a set of data may comprise a document with a plurality of sections, and each component may comprise one of the plurality of sections. Those skilled in the art will appreciate that the analysis of a particular component may comprise certain tests and/or evaluations, and that the analysis of another component may comprise different tests and/or evaluations. In other cases, the analysis of each component may comprise similar tests and/or evaluations. The variety of tests and/or evaluations generally will be implementation specific. | 03-05-2009 |
20090064331 | System and method for preventing detection of a selected process running on a computer - A system and method are disclosed for preventing detection of a monitoring process running on a computer. A request to access a process file concerning a process running on the computer is received from a user. It is determined whether the process file requested by the user relates to the selected process. If the requested process file does not relate to the selected process, the user is provided with access to the file. | 03-05-2009 |
20090070869 | PROXY ENGINE FOR CUSTOM HANDLING OF WEB CONTENT - Processes and techniques for protecting web users from malicious executable code are described. A proxy engine is implemented that intercepts communications between a web browser and a script engine. The proxy engine can invoke a variety of custom event handlers that are configured to handle specific types of events (e.g., script events) that occur in the processing of web content. A script shield event handler detects the presence of script in pre-defined script-free zones and prevents the script from being executed on a user's device. | 03-12-2009 |
20090070870 | Detecting network attacks - Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated. | 03-12-2009 |
20090070871 | COMMUNICATION SYSTEM AND METHOD - A method and system for communicating packetized audio or audio-visual communications over a data communications network is disclosed. Packets meeting a predetermined criterion are identified and bypass integrity protection. Integrity protection is applied to all other packets. | 03-12-2009 |
20090077660 | Security Module and Method for Controlling and Monitoring the Data Traffic of a Personal Computer - The invention disclosed herein relates to a security module ( | 03-19-2009 |
20090077661 | Method and Apparatus for the Reliability of Host Data Stored on Fibre Channel Attached Storage Subsystems - A method for improving the reliability of host data stored on Fibre Channel attached storage subsystems by performing end-to-end data integrity checks. When a read or write operation is initiated, an initial checksum for data in the read/write operation is generated and associated with the data, wherein the association exists through a plurality of layers of software and attached storage subsystems. The initial checksum is passed with the data in the read/write path. When a layer of software in the read/write path receives the initial checksum and data, the layer performs an integrity check of the data, which includes generating another checksum and comparing it to the initial checksum. If the checksums do not match, the read/write operation fails and the error is logged. If the checksums match, the integrity check is repeated through each layer in the read/write path to enable detecting data corruption at the point of source. | 03-19-2009 |
20090083852 | Whitelist and Blacklist Identification Data - Aspects of the subject matter described herein relate to identifying good files and malware based on whitelists and blacklists. In aspects, a node starts a scan of files on a data store. In conjunction with starting the scan, the node creates a data structure that indicates the directories on the data store. The node sends the data structure to a whitelist server and a blacklist server and an indication of a last successful time of communication. The whitelist and blacklist servers respond to the node with information about any new files that have been added to the directories since the last successful communication. The node may subsequently use the information to identify known good files and malware. | 03-26-2009 |
20090083853 | METHOD AND SYSTEM PROVIDING EXTENDED AND END-TO-END DATA INTEGRITY THROUGH DATABASE AND OTHER SYSTEM LAYERS - Providing extended or end-to-end data integrity through layers of a system. In one aspect, information is to be transmitted between an application end of the system and a physical storage medium that stores the information for a database of the system, the information to be transmitted via a database server in a database server layer of the system. At least a portion of data protection is provided for the information, the data protection causing the information to be protected from corruption between a system layer and the physical storage medium, where the system layer is a separate layer provided closer to the application end of the system than the database server layer. | 03-26-2009 |
20090089877 | DYNAMIC EMAIL DIRECTORY HARVEST ATTACK DETECTION AND MITIGATION - A dynamic directory harvest attack detection and mitigation system is accomplished by altering the logic surrounding how a receiving email server enforces its email delivery rules. The email server's assumed response to received emails is changed when it is determined that the server is under attack, thereby foiling the unauthorized acquisition of valid email addresses and other information retained by the email server. | 04-02-2009 |
20090089878 | System and Method for Detecting Multi-Component Malware - Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior. | 04-02-2009 |
20090094696 | SCANNING CIRCUIT AND METHOD FOR DATA CONTENT - The present invention relates to a data scanning circuit and method. According to the present invention, a memory circuit stores a plurality of codes. Each of the codes corresponds to a sub-rule. The memory circuit outputs at least a first bit and at least a second bit of each code, respectively, according to a first and a second data item. An operational circuit performs logic operations on the first and second bits, and produces an operated result. A decision circuit decides whether the input data satisfies the scanning rule according to the operated result. | 04-09-2009 |
20090100517 | APPARATUS AND METHOD FOR MONITORING AND PROTECTING SYSTEM RESOURCES FROM WEB BROWSER - An apparatus and method for preventing an attempt to perform malicious activities using web browser weaknesses are provided. A file protection module monitors attempts to access at least one file resource when the web browser executes a program, and allows or denies access. A registry protection module monitors attempts to access at least one registry resource when the web browser executes a program, and allows or denies access. A process protection module monitors attempts to execute or terminate at least one process when the web browser executes a program, and allows or denies the execution or termination. | 04-16-2009 |
20090100518 | SYSTEM AND METHOD FOR DETECTING SECURITY DEFECTS IN APPLICATIONS - A system and method for detecting vulnerabilities in a deployed web application includes developing a profile of acceptable behavior for inbound communication and outbound communication of a web application. The method also includes receiving a current inbound communication and a current outbound communication from the web application. The current inbound communication includes an inbound user request and the current outbound communication is in response to the current inbound communication. The current inbound communication and the current outbound communication are validated with the profile of acceptable behavior to identify an anomaly. The identified anomaly includes an occurrence of an acceptable behavior for the current inbound communication in combination with an occurrence of an unacceptable behavior for the current outbound communication. | 04-16-2009 |
20090106836 | Equipment Monitoring Device - An equipment monitoring server is provided to prevent wrong acts in a local area network. An equipment monitoring server | 04-23-2009 |
20090106837 | Module for Controlling Integrity Properties of a Data Stream - A module for controlling integrity properties of a data stream input into a device, such as a machine for manufacturing or a management system related to such machines. A plurality of control items are registered in a database. At least one activable control means executes a control of one integrity property according to one of several registered control items. A list is attached to the database with selectable links for activating at least one of the control means. Configuration means perform on at least one of the links a chronological selection according to a predefined management profile on integrity properties of the data stream in order to introduce a selectable relative time delay between activations of control items. Due to that configuration, the integrity control thus obtained is provided with high reliability as well as in a very flexible manner. | 04-23-2009 |
20090113545 | Method and System for Tracking and Filtering Multimedia Data on a Network - The method for identifying and filtering multimedia data consists of monitoring off-line, on a data transmission network, multimedia data with reference to reference multimedia data and using an on-line intervention module to intercept, query or listen to the multimedia data recognized on-line using formal data stored in a formal activation database generated during off-line monitoring using suspicious data obtained during a search for multimedia data on the network. | 04-30-2009 |
20090113546 | MEMORY SYSTEM FOR SENSING ATTACK - A memory system includes a main memory, a sub-memory, a controller, first and second data readers and a comparator. The main memory stores data and the sub-memory stores data extracted from the data stored in the main memory for detection of an attack. The controller controls operations of the memory system through interfacing with a host. The first data reader is configured to read first data from the main memory based on address information from the controller. The second data reader is configured to store information relating to second data stored in the sub-memory and to read the second data from the sub-memory based on address information from the controller which is the same as the address information received by the first data reader. The comparator compares the first data read by the first data reader with the second data read by the second data reader to detect the attack. | 04-30-2009 |
20090126012 | Risk Scoring System For The Prevention of Malware - A method suitable for detecting malicious files includes several steps. A file that is received into a computer system is analyzed to determine a presence or absence of each of a plurality of predefined properties in the file. A score is calculated based on the presence or absence of the plurality of properties in the file. This score is reflective of the risk that the file is malicious. Once the score is calculated, the file can be further processed based on the score. | 05-14-2009 |
20090126013 | SYSTEMS AND METHODS FOR DETECTING CHILD IDENTITY THEFT - Embodiments of the present invention provide systems and methods for detecting an indication of a suspicious event associated with personal information of a child. Personal information representing a social security number of the child and a name of the child is received. Parent personal information representing contact information for a parent of the child is received. A child file for the child is created and stored on a computer-readable medium. The child file for the child includes the personal information representing the social security number of the child and the name of the child. The child file for the child is locked by associating an electronic notice with the child file for the child to prevent access to a database using at least part of the personal information of the child. The database includes credit data. The child file and the credit data are monitored for the indication of the suspicious event using the personal information representing the social security number of the child. A notification is transmitted to the parent using the parent personal information representing contact information for the parent. The notification is transmitted after detecting the indication of the suspicious event. The notification includes information associated with the indication of the suspicious event. | 05-14-2009 |
20090126014 | METHODS AND SYSTEMS FOR ANALYZING SECURITY EVENTS - In one aspect, the technology relates to a method for analyzing a security event in a distributed fashion. The method includes the steps of detecting an occurrence of a security event within a customer network and querying a first component of the customer network for data in response to the detected occurrence of the security event. The method also includes the steps of receiving, by a data monitor located within the customer network, first data from the component in response to the query and determining, based on the received first data, whether to query for additional data. The method additionally includes querying at least one of the first component and another component of the customer network to obtain the additional data in response to the determining step, and analyzing the security event using at least one of the first data and the additional data. | 05-14-2009 |
20090133121 | Method for processing messages and message processing device - A message processing device for processing messages has at least one reception buffer; a message includes at least one authentication element and one message content. The message is received and stored in the reception buffer. A characteristic variable of a priority for security checking of the message is determined as a function of the message content. A processing sequence for further message processing for the security checking, taking into account the at least one authentication element of the messages in the reception buffer, is defined and carried out as a function of the characteristic variable. | 05-21-2009 |
20090138967 | Windows registry modification verification - A method and system is provided by which unauthorized changes to the registry may be detected and that provides the capability to verify whether registry, or other system configuration data, changes that occur on a computer system are undesirable or related to possible malware attack before the changes become effective or are saved on the system. A method for verifying changes to system configuration data in a computer system comprises generating an identifier representing an entry in the system configuration data, packaging the identifier, and sending the packaged identifier to a client for verification. The identifier may be generated by hashing the first portion of the entry and the second portion of the entry to generate the identifier, or by filtering the first portion of the entry and hashing the filtered first portion of the entry and the second portion of the entry to generate the identifier. | 05-28-2009 |
20090138968 | DISTRIBUTED NETWORK PROTECTION - A method for processing frames transmitted in a network including nodes and network segments connecting the nodes. Frames transmitted over network segments are detected. Frame information from each detected frame is stored in a frame information repository. A stored hierarchical data structure includes vectors specifying frame information defining frames permitted in the network, classes including vectors with constraints on the vectors, and patterns including classes with constraints on the classes. The frame information in the detected frames may not match the frame information specified in the vectors. The vectors, if matched by the frame information in the detected frames, may not satisfy the constraints in the classes. The vectors, if matched by the frame information in the detected frames, may satisfy the constraints in the classes, and the classes whose constraints are satisfied by the matched vectors may not satisfy the constraints in the patterns. | 05-28-2009 |
20090138969 | DEVICE AND METHOD FOR BLOCKING AUTORUN OF MALICIOUS CODE - A device and method for blocking autorun of a malicious code through an autorun file stored in a removable storage device are provided. A device manager monitors a connection of a removable storage device, acquires a global unique identifier of the removable storage device, and deletes an autorun file for running the malicious code from the removable storage. A registry manager determines whether a registry key for storing content of the autorun file is generated using the global unique identifier of the removable storage device and deletes the registry key. The present invention can block autorun of a malicious code stored in the removable storage device by retrieving and deleting a registry key for performing the autorun technique when a removable storage device is connected to a system. | 05-28-2009 |
20090144820 | System, Method and Apparatus for Protecting a Network or Device Against High Volume Attacks - The present invention provides a system, method and apparatus for protecting against high volume attacks. The present invention receives a packet, determines a source of the received packet, and updates a tree-based data structure based on the source of the received packet. The received packet is accepted or passed on whenever one or more statistics stored within the tree-based data structure do not exceed a threshold. The received packet is dropped whenever the one or more statistics exceed the threshold. The present invention can be implemented in hardware, software or a combination thereof. The software will implement the steps as one or more code segments of a computer program embodied on a computer readable medium. | 06-04-2009 |
20090144821 | AUXILIARY METHOD FOR INVESTIGATING LURKING PROGRAM INCIDENTS - An auxiliary method for investigating lurking program incidents is disclosed. The method keeps monitoring a plurality of processes run by a computer system and saves process-invoking relationship data of each monitored process when the process is created and terminated. Simultaneously, the system registry database of the computer system is also monitored and autostart-registered data of the programs is saved. The process-invoking relationship data is then correlated with the autostart-registered data to generate and save a process-invoking relationship log, so as to extract and save high-level crucial clues of suspicious lurking programs. By the present method, only a small amount of high-level crucial clues and process-invoking relationship log data is collected and few system resources are consumed to provide clear evidence that is helpful to the investigation of lurking program incidents. Thus the cost in time and labor of collecting and analyzing large amounts of low-level logs is saved. | 06-04-2009 |
20090144822 | WITHHOLDING LAST PACKET OF UNDESIRABLE FILE TRANSFER - A system and method for disrupting the download of undesirable files. A data store traps the final block or blocks of a file transfer which is held for detection of viruses, trojan horses, spyware, worms, dishonest ads, scripts, plugins, and other files considered computer contaminants. Innocuous file transfers are completed with minimum disruption as perceived by the user. | 06-04-2009 |
20090144823 | Method and System for Mobile Network Security, Related Network and Computer Program Product - A honeypot system for protecting a mobile communication network against malware includes one or more user-less mobile devices including a monitoring module for monitoring the events conveying software applications in the associated mobile device as well as a controller client module that emulates human-like interaction with the user-less devices as a function of the events monitored. The system controllably performs, for the applications conveyed by the events monitored, one or more of the following steps: i) installing the application on the device; ii) executing the application installed on the device; and iii) de-installing the application from the device. After any of these steps, the state of the device is checked in order to detect if any anomalous variation has occurred in the state of the device indicative of the device being exposed to the risk of malware. If any anomalous variation is detected, the system issues a malware alert message. | 06-04-2009 |
20090144824 | Integrated Protection Service Configured to Protect Minors - An integrated system configured to provide a safe environment for a minor is described. The system includes a training segment, a set-up segment, and a consulting segment. The training segment is configured to train parents and/or guardians of minors about dangers including those involving the internet. The set-up segment is configured to help the parents or guardians establish tracking of the minor's internet activity. The consulting segment is configured to provide initial and ongoing consulting regarding particular threats or concerns associated with the safety of the minor. | 06-04-2009 |
20090150996 | APPLICATION PROTECTION FROM MALICIOUS NETWORK TRAFFIC - A program, method and system for embedding a programmable packet filter into an application to protect the application against malicious network packets are disclosed. Traditional packet filtering techniques to protect against malicious packets designed to exploit defects in applications, based on external packet filtering devices, create a bottleneck in network traffic and present a large overhead cost. In addition, when security vulnerabilities in applications are discovered, traditional application updating methods lack a fast enough turn-around time to protect the application and users' data from attack. These problems can be overcome by embedding a programmable packet filter into the application itself. The application can use the filter to discard malicious network packets. Furthermore, the filter can be updated via configuration files downloaded from the application vendor to update the application's embedded programmable packet filter without having to update the entire program code of the application. | 06-11-2009 |
20090150997 | APPARATUS AND METHOD FOR DETECTING MALICIOUS FILE IN MOBILE TERMINAL - Provided is an apparatus and method for detecting a malicious file that attempts to initiate communication in a mobile terminal without a user's approval. The method of detecting a malicious file in a mobile terminal includes: determining whether a file to be examined is an executable file; when the file is an executable file, examining whether the file is a malicious file that can cause unapproved communication based on at least one predetermined examination condition; and outputting the result of examining whether the file is the malicious file. Accordingly, an attack caused by a new type of malicious code can be coped with. | 06-11-2009 |
20090150998 | REMOTE COLLECTION OF COMPUTER FORENSIC EVIDENCE - The invention is directed to techniques for allowing a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. A forensic device receives input from a remote user that identifies computer evidence to acquire from the target computing device. The forensic device acquires the computer evidence from the target computing device and presents a user interface for the forensic device through which the remote user views the computer evidence acquired from the target computing device. In this manner, forensic device allows the user to interrogate the target computing device to acquire the computer evidence without seizing or otherwise “shutting down” the target device. | 06-11-2009 |
20090158426 | TRACEBACK METHOD AND SIGNAL RECEIVING APPARATUS - The present invention provides a traceback method including: receiving data including router information according to a path of an attacker; filtering the data to hash the data, and storing the resultant hashed information; determining whether the data is normally received on the basis of the hashed information; and predicting a path loss on the basis of the determination result. Therefore, it is possible to perform an accurate IP traceback using a probabilistic packet marking method and a hash-based traceback method. | 06-18-2009 |
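The probabilistic packet marking (PPM) component of the abstract above is easiest to understand by running it. The following is an added example written for this listing, not code from the patent: it simulates the edge-sampling form of PPM (the scheme of Savage et al.), in which each router on the attack path overwrites the packet's mark with probability p and otherwise completes and extends the edge already in the packet, and then performs the victim-side path reconstruction. The router names, topology, marking probability and flood size are all assumptions; the hash-based traceback and path-loss prediction parts of the abstract are not modelled. The second run shows the known weakness of the scheme: an attacker who pre-loads a mark into every packet can prepend a fake hop beyond the real first router, because the victim has no way to authenticate an edge whose distance exceeds the true path length.

```python
import random
from collections import defaultdict

# Constructed topology (hypothetical router names): attacker -> R1 -> R2 -> R3 -> R4 -> victim
ATTACK_PATH = ["R1", "R2", "R3", "R4"]
VICTIM = "victim"
MARK_PROB = 0.2  # per-router marking probability p; an assumed value

def forward_packet(path, p, rng, forged=None):
    """Edge-sampling PPM for one packet traversing `path` towards the victim.
    A router overwrites the mark with probability p (start=itself, end unset,
    distance=0); otherwise, if the packet carries a mark, it completes an edge
    whose distance is still 0 and increments the distance. `forged` is a mark the
    attacker pre-loads into the packet before it enters the network."""
    start, end, dist = forged if forged is not None else (None, None, None)
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        elif start is not None:
            if dist == 0:
                end = router
            dist += 1
    return (start, end, dist)

def collect_marks(path, n_packets, p, rng, forged=None):
    """Marks observed at the victim over a flood of n_packets; unmarked packets carry nothing."""
    marks = []
    for _ in range(n_packets):
        mark = forward_packet(path, p, rng, forged)
        if mark[0] is not None:
            marks.append(mark)
    return marks

def reconstruct_path(marks, victim=VICTIM):
    """Victim-side reconstruction. The distance-0 edge ends at the victim and the
    distance-d edge must end at the router recovered at distance d-1, so the
    victim walks outward one hop at a time and stops at the first missing or
    ambiguous edge. The result is reversed to read attacker-side first."""
    edges_by_dist = defaultdict(set)
    for start, end, dist in marks:
        edges_by_dist[dist].add((start, end if end is not None else victim))
    path, current, d = [], victim, 0
    while d in edges_by_dist:
        candidates = [s for s, e in edges_by_dist[d] if e == current]
        if len(candidates) != 1:
            break
        current = candidates[0]
        path.append(current)
        d += 1
    return list(reversed(path))

def traceback_demo(forged=None, seed=7, n_packets=500):
    """Run a deterministic flood and return the path the victim reconstructs."""
    rng = random.Random(seed)
    return reconstruct_path(collect_marks(ATTACK_PATH, n_packets, MARK_PROB, rng, forged))

if __name__ == "__main__":
    print("honest flood :", traceback_demo())
    print("forged marks :", traceback_demo(forged=("X", "Y", 0)))
```

With an honest flood the victim recovers R1 through R4; with forged marks it recovers a fictitious hop X in front of R1. Edges nearer the victim are trustworthy because every real router on the path increments the distance of anything the attacker inserted, which is why the abstract pairs PPM with a hash-based check on what was actually received.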
20090158427 | SIGNATURE STRING STORAGE MEMORY OPTIMIZING METHOD, SIGNATURE STRING PATTERN MATCHING METHOD, AND SIGNATURE STRING MATCHING ENGINE - Disclosed are a signature string storage memory optimizing method, a signature string pattern matching method, and a signature matching engine. Signature is tokenized in units of substrings and the tokenized substrings are stored in an internal memory block and an external memory block to optimize a memory storage pattern. Therefore, matching of introduction data to signature patterns is effectively performed. | 06-18-2009 |
20090158428 | Method and Device for Integrating Multiple Threat Security Services - A method and device for integrating multiple threat security services are disclosed. The method may comprise parsing an incoming packet at a current layer and analyzing the packet with respect to multiple threat security services and so that one or more threat security services needed by the packet may be determined. According to an exemplary embodiment, the current layer may be a layer in a protocol stack constructed based on the multiple threat security services. With this method, integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity, and thus the efficacy of filtering application data may be improved while computation overhead may be reduced. | 06-18-2009 |
20090158429 | METHODS AND SYSTEMS FOR ENABLING ANALYSIS OF COMMUNICATION CONTENT WHILE PRESERVING CONFIDENTIALITY - Disclosed are methods and systems for enabling analysis of communication content while preserving confidentiality. In one embodiment, communication content is processed to increase the similarity of superficially dissimilar instances of communication content and/or to increase the distinctiveness of superficially similar instances of communications content. In this embodiment at least part of the processed communication content is hashed to obscure the actual communication content. In one embodiment, social network analysis is performed on the communication content after hashing, and visualization of the social network analysis includes thread graphs and/or circular graphs. | 06-18-2009 |
20090165131 | DETECTION AND PREVENTION OF MALICIOUS CODE EXECUTION USING RISK SCORING - A system and method for preventing malicious code execution, includes detecting a request for execution of a file. The file is scanned for risk before processing the request. A score is assigned to the risk. Execution of the file is either allowed or prohibited responsive to the risk score. | 06-25-2009 |
20090165132 | SYSTEM AND METHOD FOR SECURITY AGENT MONITORING AND PROTECTION - A security agent monitoring and protection system is provided. A security agent on an end point computing device can be accompanied by or can load into the device's memory at startup one or more independent software processes whose primary function is to directly protect the security agent itself and take protective actions against the end point computing device should a security agent protecting the device become disabled. Protection of the security agent can be achieved in several ways, including installing the security agent with restricted permissions, making it difficult to shutdown, restarting the security agent automatically if it is halted without authorization, disabling network connectivity of the end point device if the security agent does not successfully start or restart, protecting executable and dynamic link library (DLL) files of the security agent, and controlling access to the security agent's Common Object Model (COM) interfaces. These protective aspects can also be used by the monitoring agent itself to protect it from unauthorized access or disabling, further providing protection to the device. | 06-25-2009 |
20090165133 | SYSTEM FOR EXECUTING PROGRAM USING VIRTUAL MACHINE MONITOR AND METHOD OF CONTROLLING THE SYSTEM - A system for executing a program using a virtual machine monitor and a method of controlling the system are provided. The system includes a virtual machine monitor which divides an operating system (OS) into at least one root domain and a plurality of domains having different trust levels, and a trust-management module which is included in the root domain and periodically measures the trust level of an application program currently being executed in the OS. The virtual machine monitor executes the application program in one of the domains in consideration of the trust level of the application program. The method includes dividing an OS into at least a root domain and a plurality of domains having different trust levels by using a virtual machine monitor, enabling the root domain to periodically measure the trust level of an application program currently being executed in the OS, and executing the application program in one of the domains according to the trust level of the application program. | 06-25-2009 |
20090165134 | Look ahead of links/alter links - A computationally-implemented method comprising retrieving at least a portion of data from a data source, determining an effect of the data, determining an acceptability of the effect of the data at least in part via a virtual machine representation of at least a part of a real machine having one or more end-user specified preferences and providing at least one data display option based on the determining acceptability of the effect of the data. | 06-25-2009 |
20090165135 | SYSTEM AND METHODS FOR DETECTING SOFTWARE VULNERABILITIES AND MALICIOUS CODE - A system and method determines whether software includes malicious code. A validation machine is instrumented with tools and monitors that capture the static and dynamic behavior of software. Software under examination is executed on the validation machine, and the tools and monitors are used to log data representative of the behavior of the software to detect vulnerable or malicious code. If possible, one or more operations are automatically performed on the software to enhance the security of the software by neutralizing the vulnerable or malicious code. Activities that cannot be neutralized automatically are flagged for human inspection. The software executed on the validation machine may be source code or non-source code, with different operations being disclosed and described in each case. | 06-25-2009 |
20090172813 | Non-Invasive Monitoring of the Effectiveness of Electronic Security Services - Systems for the non-invasive monitoring of the effectiveness of a customer's electronic security services include a test generation engine for generating and launching a denatured attack towards a customer's network. A monitoring and evaluation agent is operatively coupled to the test generation engine and is adapted to monitor and evaluate the denatured attack. A recording and analysis engine is adapted to record and analyze the results of the denatured attack. Other systems and methods are also provided. | 07-02-2009 |
20090178137 | SYSTEMS AND METHODS FOR SECURELY PROCESSING SENSITIVE STREAMS IN A MIXED INFRASTRUCTURE - A system and method for securely processing sensitive streams in a mixed infrastructure includes analyzing a stream to determine data sensitivity. A likelihood that processing elements employed to process the stream would result in a risk to sensitive information is determined. At least a portion of the data stream having sensitive information is transferred to a secure processing environment to ensure security of the data stream during processing. | 07-09-2009 |
20090178138 | Stateless attestation system - A method includes assessing a trustworthiness level of a user computer by communication between the user computer and a first server. A record indicating the trustworthiness level is sent from the first server to the user computer, for storage by the user computer. A request is sent from the user computer to a second server, different from the first server, for a service to be provided to the user computer by the second server. The record is provided from the user computer to the second server by communicating between the user computer and the second server. At the second server, the trustworthiness level is extracted from the record, and the requested service is conditionally allowed to be provided to the user computer depending on the extracted trustworthiness level. | 07-09-2009 |
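The flow in the abstract above (first server assesses and issues a record, client stores it, second server extracts the level and gates the service) is worth seeing end to end, because the security of the scheme rests entirely on what the record binds. The following is an added example for this listing, not the patent's own design: the record is authenticated with an HMAC under a key assumed to be shared by the two servers (a public-key signature would remove that assumption), and it binds the trust level to a client identifier and an expiry so that a copied or stale record is rejected. The scoring rule in assess_trust and all identifiers are constructed for the example.

```python
import base64, binascii, hashlib, hmac, json, time

# Assumption: the attestation server and the service server share this key. A real
# deployment would use a public-key signature so the second server needs no secret.
SHARED_KEY = b"example-shared-key-not-for-production"
RECORD_TTL = 3600  # assumed record lifetime in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def assess_trust(device_facts: dict) -> int:
    """First server: score the facts the client reported. The scheme is constructed
    for the example; any per-site posture policy could replace it."""
    level = 0
    if device_facts.get("av_running"):
        level += 1
    if device_facts.get("disk_encrypted"):
        level += 1
    if device_facts.get("patch_age_days", 999) <= 30:
        level += 1
    return level

def issue_record(client_id: str, device_facts: dict, key: bytes = SHARED_KEY, now=None) -> str:
    """First server: produce the self-contained record the client stores and later presents.
    It binds the level to the client identity and an expiry so a stolen or stale
    record cannot be replayed indefinitely or by another host."""
    now = int(time.time()) if now is None else now
    payload = {"sub": client_id, "trust": assess_trust(device_facts), "iat": now, "exp": now + RECORD_TTL}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_record(record: str, client_id: str, key: bytes = SHARED_KEY, now=None):
    """Second server: check the tag before parsing anything, then subject and expiry.
    Returns the trust level, or None when the record must not be relied on."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = record.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    if payload.get("sub") != client_id or payload.get("exp", 0) < now:
        return None
    return payload["trust"]

def authorize(record: str, client_id: str, required_level: int, now=None) -> bool:
    """Second server's policy gate: serve the request only if the attested level suffices."""
    level = verify_record(record, client_id, now=now)
    return level is not None and level >= required_level
```

The second server never contacts the first: everything it needs is in the record, which is what makes the scheme stateless. Note that the tag is verified before the body is parsed, and that the client identifier the second server checks against must come from its own authenticated session with the client, not from the record.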
20090178139 | Systems and Methods of Network Security and Threat Management - The present disclosure generally provides systems and methods of network security and threat management. An exemplary system includes detection and prevention modules (DPM) designed specifically to collect and transmit suspicious binary network packet data. The collected network packets are sent to a behavioral correlation module to perform automatic behavioral correlation: (1) within each DPM, (2) across all DPMs installed on a network, and (3) across all DPMs installed on all networks. The results of the behavioral correlation are sent to a security dashboard module (SDM), which generally acts as a fully integrated Security Event Management system and collects, correlates, and prioritizes global network alerts, local network alerts, posted vendor alerts, and detected network vulnerabilities with enterprise assets. The SDM could display the results in a user-friendly graphical user interface and has the ability to perform geographic mapping of externally generated threats. | 07-09-2009 |
20090187987 | Learning framework for online applications - Learning to, and detecting spam messages using a multi-stage combination of probability calculations based on individual and aggregate training sets of previously identified messages. During a preliminary phase, classifiers are trained, lower and upper limit probabilities, and a combined probability threshold are iteratively determined using a multi-stage combination of probability calculations based on minor and major subsets of messages previously categorized as valid or spam. During a live phase, a first stage classifier uses only a particular subset, and a second stage classifier uses a master set of previously categorized messages. If a newly received message cannot be categorized with certainty by the first stage classifier, and a computed first stage probability is within the previously determined lower and upper limits, first and second stage probabilities are combined. If the combined probability is greater than the previously determined combined probability threshold, the received message is marked as spam. | 07-23-2009 |
20090187988 | CROSS-NETWORK REPUTATION FOR ONLINE SERVICES - A reputation server associates feedback from previous network transactions with an account of a user in a network. A reputation score for the user is calculated based on the feedback to indicate the probability the user will abuse the network. When an online service receives a request to perform a transaction from the user, the online service performs the transaction based on the user's reputation score. Additionally, a server generates a reputation packet including the reputation score for a user for use by an online service when the user requests the online service to perform a transaction. The online service may authenticate the reputation packet with the server and, if the reputation packet is authenticated, the online service performs the transaction based on the user's reputation score. | 07-23-2009 |
20090193521 | ELECTRONIC DEVICE, UPDATE SERVER DEVICE, KEY UPDATE DEVICE - The present invention offers an electronic device that reduces the amount of data for communication required when files pertaining to software are to be updated, as compared to the conventional devices, and performs tamper detection. The present invention is an electronic device having an application file pertaining to an operation of application software and updating the application file via a network. The electronic device (i) stores therein the application file including one or more data pieces, (ii) receives, from an external apparatus via the network, update data and location information indicating a location, within the application file, which is for rewrite with the update data, (iii) rewrites only part of the application file by writing over a data piece present at the indicated location with the update data, to update the application file, and (iv) examines whether the updated application file has been tampered with. | 07-30-2009 |
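The device in the abstract above receives only update data plus a location and rewrites that piece in place, then checks the result for tampering. The ordering and the bounds check matter more than the rewrite itself, so here is an added example for this listing (not the patent's own code) of both sides: the vendor builds the delta together with an authenticated digest of what the whole file must look like afterwards, and the device authenticates that digest before touching the file, rejects out-of-range locations, and verifies the patched file against the digest. The HMAC key stands in for the vendor's signing key and, like every name here, is an assumption.

```python
import hashlib
import hmac

VENDOR_KEY = b"assumed-vendor-key-not-for-production"  # stand-in for the vendor's signing key

def make_update(old_file: bytes, location: int, new_piece: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: emit the delta (location + update data) and an authenticated
    SHA-256 of the file as it must look after the rewrite."""
    expected = bytearray(old_file)
    expected[location:location + len(new_piece)] = new_piece
    digest = hashlib.sha256(expected).digest()
    tag = hmac.new(key, digest, hashlib.sha256).digest()
    return {"location": location, "data": new_piece, "digest": digest, "tag": tag}

def apply_update(file_bytes: bytes, update: dict, key: bytes = VENDOR_KEY) -> bytes:
    """Device side: authenticate the expected digest first, refuse locations outside
    the file, rewrite only the indicated piece, and verify the result before
    returning it. Raises ValueError on any mismatch so the caller keeps the old file."""
    expected_tag = hmac.new(key, update["digest"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, update["tag"]):
        raise ValueError("update digest failed authentication")
    loc, data = update["location"], update["data"]
    if loc < 0 or loc + len(data) > len(file_bytes):
        raise ValueError("update location out of range")
    patched = bytearray(file_bytes)
    patched[loc:loc + len(data)] = data
    if not hmac.compare_digest(hashlib.sha256(patched).digest(), update["digest"]):
        raise ValueError("patched file does not match the expected digest")
    return bytes(patched)

def is_valid_update(file_bytes: bytes, update: dict, key: bytes = VENDOR_KEY) -> bool:
    """Convenience check: True if the update would apply cleanly to this file."""
    try:
        apply_update(file_bytes, update, key)
        return True
    except ValueError:
        return False
```

Because the digest covers the whole patched file rather than just the delta, a modified data piece, a shifted location, or a device whose file was already altered all fail the same check, and the device only ever commits a file it has verified.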
20090193522 | COMPUTER RESOURCE VERIFYING METHOD AND COMPUTER RESOURCE VERIFYING PROGRAM - A computer resource verifying method verifies computer resources introduced into a client device. The computer resource verifying method includes performing, by the client device, client side processing including verification of individual computer resources introduced into the client device and information collection for a dependence relation between computer resources; performing, by a server device, a server side processing by receiving information on a result of the client side processing performed in the performing of the client side processing to perform verification of the dependence relation between computer resources; and determining, by the server device, whether the client device is normal based on a verification result of the computer resources and a verification result of the dependence relation between computer resources. | 07-30-2009 |
20090205044 | APPARATUS, SYSTEM, AND METHOD FOR SECURE HARD DRIVE SIGNED AUDIT - An apparatus, system, and method are disclosed for secure hard disk signed audit. The apparatus is provided with a plurality of modules configured to functionally execute the necessary steps of monitoring interactions with an audited system, detecting an interrupt event corresponding to an auditable interaction, and logging an audit record for the auditable interaction in response to the interrupt event, wherein the audit record is logged in an access-restricted portion of a portion-securable hard disk. These modules in the described embodiments include a gate module, a detection module, and a logging module. | 08-13-2009 |
20090217376 | HOME-USE INFORMATION PRODUCT AND MOBILE TERMINAL - A mobile terminal and a home-use information product capable of retaining the security even under a network attack, while achieving P2P connection. When detecting a network attack, a home-use information product ( | 08-27-2009 |
20090222917 | DETECTING SPAM FROM METAFEATURES OF AN EMAIL MESSAGE - Detecting spam from metafeatures of an email message. As a part of detecting spam, the email message is accessed and a distribution of numerical values is accorded to a set of features of the email message. It is determined whether the distribution of numerical values accorded the set of features of the email message is consistent with that of spam. Access is provided to the determination of whether the email message has a distribution of numerical values accorded the set of features that is consistent with that of spam. | 09-03-2009 |
20090222918 | Systems and methods for protecting a server computer - A server computer protection apparatus protects a server computer against DoS attacks, but allows access to the server. The server computer protection apparatus comprises a unit configured to calculate the load state of the server computer on the basis of the number of data requests made upon the server computer, and the number of data responses of the server responsive to the data requests, and for changing the rate of data requests to be transferred to the server, in accordance with the load state. | 09-03-2009 |
20090222919 | METHOD AND SYSTEM FOR CONTENT CATEGORIZATION - The invention discloses a method and system for content categorization, which aims at reducing the processing burden of the content categorization as well as the network transmission traffic. The method comprises: transmitting, by a content categorization requester, a content digest of a content to be categorized to a content categorization provider; and performing, by the content categorization provider, content categorization according to the content digest. The device for requesting content categorization comprises: a digest operation determination component, adapted to determine whether it is necessary to obtain a content digest of a content to be categorized; a digest obtaining component, adapted to obtain the content digest of the content to be categorized when the digest operation determination component determines it necessary to obtain the content digest of the content to be categorized; and a first transmit component, adapted to transmit the content digest obtained by the digest obtaining component. | 09-03-2009 |
20090241187 | METHOD AND SYSTEM FOR PROTECTION AGAINST INFORMATION STEALING SOFTWARE - A system and method for identifying infection of unwanted software on an electronic device is disclosed. A software agent configured to generate a bait and is installed on the electronic device. The bait can simulate a situation in which the user performs a login session and submits personal information or it may just contain artificial sensitive information. Parameters may be inserted into the bait such as the identity of the electronic device that the bait is installed upon. The output of the electronic device is monitored and analyzed for attempts of transmitting the bait. The output is analyzed by correlating the output with the bait and can be done by comparing information about the bait with the traffic over a computer network in order to decide about the existence and the location of unwanted software. Furthermore, it is possible to store information about the bait in a database and then compare information about a user with the information in the database in order to determine if the electronic device that transmitted the bait contains unwanted software. | 09-24-2009 |
20090241188 | COMMUNICATION MONITORING APPARATUS AND COMMUNICATION MONITORING METHOD - A communication monitoring apparatus includes a session extracting unit which extracts a packet in a session established between a pair of a transmitting device and a receiving device from a plurality of packets, a lead-packet extracting unit which extracts a lead packet including control information on communication between the transmitting device and the receiving device from the packet, a storage unit in which an unauthorized signature is stored, a verification unit which performs verification between the lead packet and the unauthorized signature, and an output unit which supplies a monitoring result indicating that the session extracted by the session extracting unit is an unauthorized communication when the lead packet includes a portion matched with the unauthorized signature. | 09-24-2009 |
20090249480 | MINING USER BEHAVIOR DATA FOR IP ADDRESS SPACE INTELLIGENCE - The claimed subject matter is directed to mining user behavior data for increasing Internet Protocol (“IP”) space intelligence. Specifically, the claimed subject matter provides a method and system of mining user behavior within an IP address space and the application of the IP address space intelligence derived from the mined user behavior. | 10-01-2009 |
20090249481 | BOTNET SPAM DETECTION AND FILTRATION ON THE SOURCE MACHINE - A method and device are disclosed. In one embodiment the method includes determining that a packet attempting to be sent from a first computer system has at least a portion of a human communication message that may contain spam. The method then increments a spam counter when the difference in time between a first time value in a time stamp within the packet and a second time value of a most recent activity from a human input device coupled to the first computer system is greater than a threshold difference in time value. The method also disallows the packet to be sent to a remote location if the spam counter exceeds a spam outbound threshold value. | 10-01-2009 |
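The rule in the abstract above is a simple one to state and to get subtly wrong, so here it is as an added example for this listing rather than the patent's code: outgoing packets that carry human-communication content are compared against the time of the last keyboard or mouse event, a counter is incremented when the gap exceeds a threshold, and sends are blocked once the counter passes the outbound threshold. One deliberate departure from the abstract's wording is labelled in the code: the timestamp is taken from the host's own clock at send time, not from a field inside the packet, since a bot on the same host could write whatever timestamp it liked. The content classifier, thresholds and the event trace are constructed.

```python
from dataclasses import dataclass, field

def looks_like_human_message(payload: bytes) -> bool:
    """Crude stand-in for the packet classifier: treat SMTP envelope or header
    fragments as human-communication content. A real filter would parse the protocol."""
    return payload.startswith(b"MAIL FROM:") or b"Subject:" in payload

@dataclass
class OutboundSpamFilter:
    """Host-side filter. Human-communication packets are expected to follow recent
    input-device activity; each one sent long after the last input bumps a counter,
    and once the counter passes the outbound threshold such packets are blocked.
    Thresholds are assumed values. Timestamps come from the host clock at send
    time, not from the packet, which a bot could forge."""
    idle_threshold_s: float = 120.0
    spam_outbound_threshold: int = 5
    last_hid_activity: float = 0.0
    spam_counter: int = 0
    dropped: list = field(default_factory=list)

    def on_human_input(self, ts: float) -> None:
        self.last_hid_activity = ts

    def on_packet(self, ts: float, payload: bytes) -> bool:
        """Return True if the packet may leave the host."""
        if not looks_like_human_message(payload):
            return True
        if ts - self.last_hid_activity > self.idle_threshold_s:
            self.spam_counter += 1
        if self.spam_counter > self.spam_outbound_threshold:
            self.dropped.append(ts)
            return False
        return True

def replay(events, flt=None):
    """Feed a constructed event trace of ("input", ts) and ("send", ts, payload)
    tuples. Returns (allowed, dropped) counts of human-message sends."""
    flt = flt or OutboundSpamFilter()
    allowed = dropped = 0
    for ev in events:
        if ev[0] == "input":
            flt.on_human_input(ev[1])
            continue
        _, ts, payload = ev
        if flt.on_packet(ts, payload):
            if looks_like_human_message(payload):
                allowed += 1
        else:
            dropped += 1
    return allowed, dropped

# Constructed trace: a user typing and sending three mails, then a bot blasting ten
# mails roughly forty minutes after the last keystroke.
SAMPLE_TRACE = (
    [("input", 0.0), ("send", 10.0, b"MAIL FROM:<alice@example.test>"),
     ("input", 25.0), ("send", 30.0, b"Subject: lunch?"),
     ("input", 50.0), ("send", 55.0, b"Subject: re: lunch?"),
     ("send", 60.0, b"GET / HTTP/1.1")]
    + [("send", 2400.0 + i, b"Subject: cheap meds") for i in range(10)]
)

if __name__ == "__main__":
    print("allowed, dropped =", replay(SAMPLE_TRACE))
```

On the sample trace the three user mails and the HTTP request pass, the first five bot mails pass while the counter climbs, and the remaining five are dropped. The abstract describes no reset, so as written the counter is monotonic; a deployment would want it to decay or to raise an alert rather than silently block forever.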
20090249482 | METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT - In embodiments of the present invention improved capabilities are described for contextual information caused to be attached to data as it passes through a series of computing devices, the contextual information relating to the series of computing devices. The data and the contextual information may then be scanned to determine if the data is a target data. In response to the identification of a target data, the contextual information may be communicated to a central repository. The contextual information may then be analyzed in relation to other information stored in the central repository to determine a target source. | 10-01-2009 |
20090249483 | Command and Control Systems for Cyber Warfare - According to one embodiment, a method includes receiving data regarding a plurality of first parameters of a network. Each first parameter is mapped to a respective second parameter of a computer-readable cyber battle management language. The computer-readable cyber battle management language is operable to express an operational order in the form of a text-based instruction having a computational grammatical structure. The operational order is to be executed at least partially within the network and is related to cyber warfare. The computer-readable battle management language is also operable to express a situation report related to cyber warfare. The situation report is expressed in terms of one or more of the second parameters. The situation report may describe a change in one or more of the first parameters. | 10-01-2009 |
20090254988 | EVALUATION APPARATUS, EVALUATION METHOD, EVALUATION PROGRAM AND INTEGRATED CIRCUIT - In a system for transmitting/receiving information, each of users of terminals subjectively determines a direct evaluation value of a party that the user knows personally and so on. Since the direct evaluation value determined in this way changes depending on the subjective evaluation criterion, the direct evaluation value is not generated based on the single evaluation criterion. In view of this, a terminal device | 10-08-2009 |
20090254989 | CLUSTERING BOTNET BEHAVIOR USING PARAMETERIZED MODELS - Identification and prevention of email spam that originates from botnets may be performed by finding similarity in their host property and behavior patterns using a set of labeled data. Clustering models of host properties pertaining to previously identified and appropriately tagged botnet hosts may be learned. Given labeled data, each botnet may be examined individually and a clustering model learned to reflect upon a set of selected host properties. Once a model has been learned for every botnet, clustering behavior may be used to look for host properties that fit into a profile. Such traffic can be either discarded or tagged for subsequent analysis and can also be used to profile botnets preventing them from launching other attacks. In addition, models of individual botnets can be further clustered to form superclusters, which can help understand botnet behavior and detect future attacks. | 10-08-2009 |
20090254990 | SYSTEM AND METHOD FOR INTELLIGENT COORDINATION OF HOST AND GUEST INTRUSION PREVENTION IN VIRTUALIZED ENVIRONMENT - A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a “fast path” firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a “slow-path” for intrusion detection and prevention. | 10-08-2009 |
20090260079 | INFORMATION PROCESSING DEVICE, AND METHOD THEREFOR - To provide an information processing device that can perform highly accurate tampering detection of distinguishing between an alteration by an administrator and significant tampering. The information processing device acquires content from a web server in accordance with an acquisition request for the content by a browser terminal. The information processing device includes: a conversion unit ( | 10-15-2009 |
20090260080 | SYSTEM AND METHOD FOR VERIFICATION OF DOCUMENT PROCESSING DEVICE SECURITY BY MONITORING STATE TRANSITIONS - The subject application is directed to a system and method for verification of document processing device security by monitoring of state transitions. State data is first acquired corresponding to a monitored sequence of states entered by a document processing device during operations and stored in an associated data storage. Authenticity data is thereafter generated representing the authenticity of the stored state data. State template data is then stored in the associated data storage corresponding to at least one acceptable sequence of states. Destination data is also stored in the associated data storage representing at least one preselected notification destination. A comparison is then performed of the acquired state data and the template state data. Notification data is then output based upon the result of the comparison of the state data and the state template data. | 10-15-2009 |
20090260081 | System and Method for Monitoring and Securing a Baseboard Management Controller - In certain embodiments, a method for monitoring and securing a baseboard management processor is provided. The method includes coupling to a baseboard management controller of a computer system via a console port, maintaining a persistent connection to the baseboard management controller, monitoring data from the console port, determining from the data whether an unauthorized access has occurred, and sending an alert if the unauthorized access has occurred. | 10-15-2009 |
20090260082 | Signature based authentication of the configuration of a configurable logic component - A configurable logic component is shown with a signature generator, responsive to a commanded configuration information signal from a processor, for providing a signed commanded configuration information signal, and with a memory device, responsive to the signed commanded configuration information signal from the signature generator, for storing the signed commanded configuration information signal in the configurable logic component for use by the processor in checking a current configuration of the configurable logic component against a trusted signed configuration file to ensure the current configuration matches the commanded configuration and allowing use of the configurable logic component in case of a match. | 10-15-2009 |
20090260083 | SYSTEM AND METHOD FOR SOURCE IP ANTI-SPOOFING SECURITY - A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode. | 10-15-2009 |
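The port-level logic in the abstract above (learn a source IP per port and MAC, validate it, drop frames whose source IP does not match, and move the port into an attack mode after too many failed validations) is shown below as an added example for this listing, not the patent's implementation. The validation step, which on a real switch would be an ARP or DHCP-snooping lookup or an active probe on the port, is replaced by a constructed table; port names, MAC addresses, IPs and the failure threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    port: str      # ingress switch port
    src_mac: str
    src_ip: str

# Constructed ground truth standing in for the validation step (on a real switch an
# ARP/DHCP-snooping lookup or an active probe on the port). Hypothetical values.
LEGIT_BINDINGS = {
    ("Gi1/0/1", "aa:bb:cc:00:00:01"): {"10.0.0.5"},
    ("Gi1/0/2", "aa:bb:cc:00:00:02"): {"10.0.0.6", "10.0.0.7"},
}

def table_validator(port: str, mac: str, ip: str) -> bool:
    return ip in LEGIT_BINDINGS.get((port, mac), set())

class AntiSpoofSwitch:
    """Layer-2 source-IP guard: a (port, MAC) pair may only send from source IPs that
    were validated when first learned. Repeated failed validations on a port flip it
    into attack mode, after which every frame on that port is blocked."""

    def __init__(self, validator=table_validator, fail_threshold: int = 3):
        self.validator = validator
        self.bindings = defaultdict(set)   # (port, mac) -> validated source IPs
        self.failures = defaultdict(int)   # port -> failed validations
        self.attack_mode = set()           # ports in possible-attack mode
        self.fail_threshold = fail_threshold

    def handle(self, frame: Frame) -> str:
        if frame.port in self.attack_mode:
            return "blocked-port"
        key = (frame.port, frame.src_mac)
        if frame.src_ip in self.bindings[key]:
            return "forward"
        if self.validator(frame.port, frame.src_mac, frame.src_ip):
            self.bindings[key].add(frame.src_ip)
            return "forward-learned"
        self.failures[frame.port] += 1
        if self.failures[frame.port] > self.fail_threshold:
            self.attack_mode.add(frame.port)
            return "blocked-port"
        return "drop-spoofed"

def run_trace(frames, switch=None):
    """Apply a sequence of frames and return the per-frame verdicts."""
    switch = switch or AntiSpoofSwitch()
    return [switch.handle(f) for f in frames]

# Constructed trace: a legitimate host on port 1 (with one stray spoof), then an
# attacker on port 3 cycling through spoofed source addresses.
SAMPLE_FRAMES = [
    Frame("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.5"),
    Frame("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.5"),
    Frame("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.99"),
    Frame("Gi1/0/3", "aa:bb:cc:00:00:03", "10.0.0.5"),
    Frame("Gi1/0/3", "aa:bb:cc:00:00:03", "10.0.0.6"),
    Frame("Gi1/0/3", "aa:bb:cc:00:00:03", "10.0.0.7"),
    Frame("Gi1/0/3", "aa:bb:cc:00:00:03", "10.0.0.8"),
    Frame("Gi1/0/3", "aa:bb:cc:00:00:03", "10.0.0.9"),
]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLE_FRAMES, run_trace(SAMPLE_FRAMES)):
        print(frame.port, frame.src_ip, "->", verdict)
```

The binding is keyed on both port and MAC, so an attacker on port 3 gains nothing by copying a legitimate host's IP: the pair (port 3, its own MAC) has never been validated for that address. The failure count is per port rather than per MAC so that an attacker rotating MAC addresses still trips the attack-mode threshold.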
20090265780 | ACCESS EVENT COLLECTION - On-line and computationally efficient methods and systems are provided for back resolving path names of files from inode numbers during data access request processing. As a result, a near real-time recording of data access events is achieved, including identification of the user who performed the access, and the full path name of the data object that was accessed. In a typical application, access events are collected for use in access control of storage elements in complex organizational file systems. | 10-22-2009 |
20090265781 | Location information verification - Location information is provided with an authenticator in order to enable future providing of an authentication to a service or application making use of the location information. The authenticator is based on a cryptographic method known by a provider and recipient of and also optionally based on position data provided by the location information. The authenticator is carried as a watermark in the location information so that the location information can be used by prior existing systems and enables the authentication of the location information in compatible authentication enabled systems. On receiving the location information, an authentication enabled recipient obtains the authenticator from the location information and checks using the authenticator whether use of the location information may be allowed. | 10-22-2009 |
20090265782 | MOBILE STATION AND METHOD FOR AVOIDING ATTACKS - A mobile station wirelessly communicates with an access point during an awake mode of the mobile station through a wireless network and avoids attacks from an attacking station. The mobile station includes a detecting module, an attack-proof module, and a data transmission module. The detecting module is configured for detecting a fake null frame from the wireless network during the awake mode. The fake null frame is for interrupting communication between the mobile station and the access point in order for the mobile station to enter a power saving mode. The attack-proof module is configured for transmitting an attack-proof frame to the access point so as to notify the access point that the mobile station has not entered into the power saving mode. The data transmission module is for transmitting data to the access point and receiving data from the access point. A method for avoiding attacks is also provided. | 10-22-2009 |
20090265783 | Method to Enhance Platform Firmware Security for Logical Partition Data Processing Systems by Dynamic Restriction of Available External Interfaces - A system and method to reduce external access to hypervisor interfaces in a computer system, thereby reducing the possibility of attacks. In a preferred embodiment, addresses for calls are used to fill a table, where the addresses are specifically selected for a requesting computer. For example, in one embodiment, a routine searches for the adapter type of a requesting computer and populates the table with calls specific to that type of adapter. Other types of calls are not put in the table. Instead, those calls are replaced by routines that will return an error. In other embodiments, the operating system type is used to determine what addresses are used to populate the table. These and other embodiments are explained more fully below. | 10-22-2009 |
20090271862 | DETERMINING THE DEGREE OF RELEVANCE OF DUPLICATE ALERTS IN AN ENTITY RESOLUTION SYSTEM - An entity resolution system and alert analysis system configured to process inbound identity records and to generate alerts based on relevant identities, entities, conditions, activities, or events is disclosed. One process of resolving identity records and detecting relationships between entities may be performed using a pre-determined or configurable entity resolution rules. Further, the entity resolution system may include an alert analysis system configured to allow analysts to review and analyze alerts, entities, and identities, as well as provide comments or assign a disposition to alerts generated by the entity resolution system. Furthermore, the entity resolution system may be configured to handle duplicate alerts, i.e., one or more identical or near-identical alerts generated using the same entities and/or identities as well as assign a relevance score to the particular entities and identities included in the alert. | 10-29-2009 |
20090276850 | CONTENT SCREENING METHOD, APPARATUS AND SYSTEM - A content screening method, apparatus and system are provided for a content screening component to verify the trust relationship and the categorization standard used by a categorization component. A method includes the following steps: the content screening component receives a categorized content; and when determining that a first categorization component that categorizes the content is trustworthy according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content. Another method includes the following step: when determining that the categorization component that categorizes the content uses the same categorization standard as the content screening component according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content. | 11-05-2009 |
20090282476 | Hygiene-Based Computer Security - A reputation server is coupled to multiple clients via a network. Each client has a security module that detects malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores. | 11-12-2009 |
20090282477 | METHOD FOR VALIDATING AN UNTRUSTED NATIVE CODE MODULE - A system that validates a native code module. During operation, the system receives a native code module comprised of untrusted native program code. The system validates the native code module by: (1) determining that code in the native code module does not include any restricted instructions and/or does not access restricted features of a computing device; and (2) determining that the instructions in the native code module are aligned along byte boundaries such that a specified set of byte boundaries always contain a valid instruction and control flow instructions have valid targets. The system allows successfully-validated native code modules to execute, and rejects native code modules that fail validation. By validating the native code module, the system facilitates safely executing the native code module in the secure runtime environment on the computing device, thereby achieving native code performance for untrusted program binaries without significant risk of unwanted side effects. | 11-12-2009 |
20090282478 | METHOD AND APPARATUS FOR PROCESSING NETWORK ATTACK - A network attack processing method and a processing apparatus are disclosed herein. The method may include: after determining an attacked object, searching for a recorded attack event related to the attacked object to determine a controlled host in an attack network; searching for a recorded control event related to the controlled host to determine a controlling host in the attack network; and determining a detected host which performs similar communication with the multiple controlling hosts as an attack manipulator. Accordingly, embodiments of a processing apparatus adapted to perform the methods are disclosed herein. | 11-12-2009 |
20090282479 | METHOD AND SYSTEM FOR MISUSE DETECTION - A method and system for discovering inappropriate and/or illegitimate use of Web page content, comprising: monitoring access to a first Web page by a user; comparing information from the first Web page to information from a second known legitimate Web page; and determining whether the first Web page is legitimate based on the compared information. | 11-12-2009 |
20090282480 | Apparatus and Method for Monitoring Program Invariants to Identify Security Anomalies - A computer readable storage medium includes executable instructions to insert monitors at selected locations within a computer program. Training output from the monitors is recorded during a training phase of the computer program. Program invariants are derived from the training output. During a deployment phase of the computer program, deployment output from the monitors is compared to the program invariants to identify security anomalies. | 11-12-2009 |
20090288161 | METHOD FOR ESTABLISHING A TRUSTED RUNNING ENVIRONMENT IN THE COMPUTER - The present invention discloses a method for establishing a trusted running environment in a computer. A trusted file authentication module and a trusted process memory code authentication module are preset in the operating system (OS) of the computer, and a secured OS is loaded and run. The trusted file authentication module intercepts all file operation behaviors, checks whether the current file to be operated on is a trusted file or not, and processes the file according to its operation type if it is trusted; otherwise it processes the file only after its eligibility is verified. The trusted process memory code authentication module periodically authenticates whether the running state and the integrity of all process code are normal or not; if any process is abnormal, an alarm is given, the process's run-time field data is saved and the process is shut down; otherwise it continues to run normally. With this invention, the security of the running environment in the computer can be ensured whether or not an attack from a known or unknown virus exists, which facilitates application and reduces implementation cost. | 11-19-2009 |
20090288162 | SYSTEM AND METHOD FOR DEFENDING AGAINST DENIAL OF SERVICE ATTACKS ON VIRTUAL TALK GROUPS - In one embodiment, a method includes establishing a first virtual talk group (VTG) that includes a plurality of endpoints and has a first multicast address. The plurality of endpoints includes a first endpoint and a second endpoint. The method also includes monitoring traffic associated with the first VTG, determining when a denial of service (DOS) attack is indicated by the traffic, and identifying at least one rogue endpoint responsible for the DOS attack when it is determined that the DOS attack is indicated. The first endpoint and the second endpoint are notified that they are to participate in a dynamic switchover to a second VTG when a DOS attack is indicated. The second VTG is established using a second multicast address, and includes the first endpoint and the second endpoint, but not the rogue endpoint. | 11-19-2009 |
20090288163 | CONTROLLING THE SPREAD OF INTERESTS AND CONTENT IN A CONTENT CENTRIC NETWORK - One embodiment of the present invention provides a system for controlling the spread of interests and content in a content centric network (CCN). During operation, the system maintains a routing policy for content data. The system also receives a packet associated with a piece of content or an interest for the content. Next, the system determines that the structured name included in the packet is within the namespace specified in the routing policy. The system further determines that the packet satisfies the condition in the routing policy. Subsequently, the system routes the packet based in part on the action corresponding to the condition as specified in the routing policy. | 11-19-2009 |
20090288164 | DIGITAL FORENSIC ANALYSIS USING EMPIRICAL PRIVILEGE PROFILING (EPP) FOR FILTERING COLLECTED DATA - A forensic device allows a user to remotely interrogate a target computing device in order to collect and analyze computer evidence that may be stored on the target computing device. The forensic device acquires the computer evidence from the target computing device and filters the computer evidence using an application-specific system-level privilege profile that describes the aggregate exercise of system-level privileges by a plurality of software application instances executing throughout an enterprise. The forensic device presents a user interface through which the remote user views the filtered computer evidence acquired from the target computing device. In this manner, the forensic device allows the user to filter the collected computer evidence down to data that is likely to have forensic relevance. | 11-19-2009 |
20090293121 | DEVIATION DETECTION OF USAGE PATTERNS OF COMPUTER RESOURCES - Embodiments of the invention provide a method for detecting changes in behavior of authorized users of computer resources and reporting the detected changes to the relevant individuals. The method includes evaluating actions performed by each user against user behavioral models and business rules. As a result of the analysis, a subset of users may be identified and reported as having unusual or suspicious behavior. In response, the management may provide feedback indicating that the user behavior is due to the normal expected business needs or that the behavior warrants further review. The management feedback is available for use by machine learning algorithms to improve the analysis of user actions over time. Consequently, investigation of user actions regarding computer resources is facilitated and data loss is prevented more efficiently relative to the prior art approaches with only minimal disruption to the ongoing business processes. | 11-26-2009 |
20090300759 | ATTACK PREVENTION TECHNIQUES - Techniques for detecting and responding to attacks on computer and network systems including denial-of-service (DoS) attacks. A packet is classified as potentially being an attack packet if it matches an access control list (ACL) specifying one or more conditions. One or more actions may be performed responsive to packets identified as potential attack packets. These actions may include dropping packets identified as potential attack packets for a period of time, rate limiting a port over which the potential attack packets are received for a period of time, and other actions. | 12-03-2009 |
20090300760 | Grid Security Intrusion Detection Configuration Mechanism - A method, apparatus, and article of manufacture are provided to support security in a distributed grid computer cluster. Each non-root node in the cluster is configured with a local security agent, and the root node is configured with a security controller to manage the security agents of each non-root node. The security agent of each non-root node is in communication with an associated configuration file that contains data private to the respective non-root node, to allow the security agent to manage security local to the node. The security controller of the root node is in communication with a controller configuration file that contains data that applies to all security agents in the grid cluster, to allow the controller to manage the security agents. | 12-03-2009 |
20090307769 | METHOD AND APPARATUS FOR PROVIDING NETWORK SECURITY - The invention relates to the provision of virus scanning capabilities in a network environment. Optimum use is made of a plurality of virus scanners by inspecting content passed over the network to identify which of the scanners is most suitable for that content. The content is then passed to the appropriate scanners in dependence on the results of the inspection. | 12-10-2009 |
20090307770 | APPARATUS AND METHOD FOR PERFORMING INTEGRITY CHECKS ON SOFTWARE - An apparatus and method are provided for performing integrity checking of software code executing on a processing unit of the apparatus. The apparatus further includes debug logic used when debugging program code executed by the processing unit, and trusted logic for performing trusted integrity checking operations on less-trusted program code executed by the processing unit. The debug logic has an interface via which the trusted logic can program one or more control registers, that interface not being accessible by the less-trusted program code. The trusted logic programs the control registers so as to cause the debug logic to be re-used to detect one or more activities of the processing unit during execution of the less-trusted program code, and the trusted integrity checking operations performed by the trusted logic are influenced by the activities detected by the debug logic. Such an approach has been found to provide an efficient and secure technique for performing run-time integrity checking of program code. | 12-10-2009 |
20090307771 | DETECTING SPAM EMAIL USING MULTIPLE SPAM CLASSIFIERS - A method for detecting undesirable emails combines input from two or more spam classifiers to provide improved classification effectiveness and robustness. The method includes obtaining a score from each of a plurality of constituent spam classifiers by applying them to a given input email. The method further includes obtaining a combined spam score from a combined spam classifier that takes as input the plurality of constituent spam classifier scores, the combined spam classifier being computed automatically in accordance with a specified false-positive vs. false-negative tradeoff. The method further includes identifying the given input email as an undesirable email if the combined spam score indicates that the input e-mail is undesirable. | 12-10-2009 |
20090307772 | FRAMEWORK FOR SCALABLE STATE ESTIMATION USING MULTI NETWORK OBSERVATIONS - A framework for state estimation using multi-network observation. Highly scalable qualitative probabilistic algorithms may be used to combine noisy, uncertain outputs having multi-modal event data from numerous networks into a relatively accurate and coherent estimate of the system state. Models of disparate networks may be pulled together to result in unified multi-modal event data. Information from multiple networks may be graphed and analyzed. | 12-10-2009 |
20090313696 | CALCULATING A PASSWORD STRENGTH SCORE BASED UPON CHARACTER PROXIMITY AND RELATIVE POSITION UPON AN INPUT DEVICE - A solution for computing password strength based upon the layout positions of the input mechanisms of the input device that entered a password. A password including an ordered sequence of at least two characters can be identified. A position of each of the characters of the sequence can be determined relative to a layout of an input device used for password entry. Each position can correspond to an input region (key) of the input device (keyboard). A proximity algorithm can generate a proximity score for the determined positions based upon a pattern produced by the positions given the layout of the input device. A password strength score can be computed based at least in part upon the proximity score. | 12-17-2009 |
20090313697 | System and method for pathological pattern protection - In a frame synchronous scrambled communications network, communications are protected from pathological bit patterns that may lead to loss of receiver lock by detecting a pathological bit pattern in an incoming traffic stream using a pathological pattern detector. When a pathological bit pattern, such as a transition-less bit pattern, is detected, a corrective bit pattern is generated and inserted or substituted into the incoming traffic stream before transmission to the receiver. The receiver can be configured to revert the modified traffic stream back to the original traffic stream. | 12-17-2009 |
20090313698 | Method for protecting a packet-based network from attacks, and security border node - The invention relates to a security border node ( | 12-17-2009 |
20090320128 | SYSTEM MANAGEMENT INTERRUPT (SMI) SECURITY - A system management interrupt (SMI) security system includes one or more subsystems to define a first variable using advanced configuration and power interface (ACPI) source language (ASL) code, define a second variable using system management mode (SMM) code, generate a first soft SMI to generate a random value, update the first and second variables with the generated value, generate a second SMI to perform an operation, compare the values of the first and second variables and perform the operation in response to the first and second variables having a value substantially the same as one another. | 12-24-2009 |
20090320129 | SECURE CONTROL FLOWS BY MONITORING CONTROL TRANSFERS - A cross-module detection system and method for detecting and monitoring control flow transfers between software modules in a computer system. The system and method detect and monitor control flows entering and exiting the software modules. For a particular module, a checking model is extracted from the binary file of that module. In addition, a relaxed shadow stack is generated. If the module is an original module, meaning that the control flow originated from that module, then the checking model is used to check the validity of the control flow transfer. Otherwise, the relaxed shadow stack is used. An interception module is used to intercept and terminate invalid control flow transfers. If an invalid control flow transfer is detected, then the transfer is terminated. Otherwise, the control flow transfer is allowed to continue. | 12-24-2009 |
20090320130 | TRAITOR DETECTION FOR MULTILEVEL ASSIGNMENT - One embodiment of the present invention includes a method for traitor tracing that includes performing an inner code traitor tracing on a recovered pirated digital file, the recovered digital file incorporating an inner code for assigning segments of the digital file and an outer code for assigning inner codes to individual digital files. The method also includes extracting partial information regarding the outer code from the inner code tracing. An outer code tracing procedure may then be performed using the partial information. | 12-24-2009 |
20090328204 | INFORMATION SECURITY APPARATUS, SECURITY SYSTEM, AND METHOD FOR PREVENTING LEAKAGE OF INPUT INFORMATION - Provided are an information security apparatus and a security system which prevent eavesdropping on input information input by an input device and identify eavesdroppers. In information security apparatus | 12-31-2009 |
20090328205 | USER ESTABLISHED GROUP-BASED SECURITY FOR USER CREATED RESTFUL RESOURCES - A system for securing user created Web resources that includes a data store and a URI security engine. The data store can store digitally encoded content comprising a set of user created, URI identified resources. The URI security engine can provide declarative instance based URI access control to the user created URI identified resources. The URI security engine can apply semantics of user/group control for accessing the URI identified resource. These controls can be group controlled based upon deployer (creator) established privileges rather than being based upon explicit developer established privileges, which may not be possible since the resources can be deployer (end-user) created resources not existing at development time. | 12-31-2009 |
20090328206 | Method for Administration of Computer Security Threat Countermeasures to a Computer System - A countermeasure for a computer security threat to a computer system is administered by establishing a baseline identification of an operating or application system type and an operating or application system release level for the computer system that is compatible with a Threat Management Vector (TMV). A TMV is then received, including therein a first field that provides identification of at least one operating system type that is affected by a computer security threat, a second field that provides identification of an operating system release level for the operating system type, and a third field that provides identification of a set of possible countermeasures for an operating system type and an operating system release level. Countermeasures that are identified in the TMV are processed if the TMV identifies the operating system type and operating system release level for the computer system as being affected by the computer security threat. The received TMV may be mutated to a format for processing of the countermeasure. | 12-31-2009 |
20090328207 | VERIFICATION OF SOFTWARE APPLICATION AUTHENTICITY - Various techniques are provided for verifying the authenticity of software applications. Such techniques are particularly useful for verifying the authenticity of software applications used in online transactions involving users, payment service providers, and/or merchants. In one example, a set of application identifiers associated with a plurality of authenticated software applications are maintained and a verification request is received comprising an application identifier associated with an unverified software application. A token is generated in response to the verification request if the application identifier is in the set of application identifiers. The generated token is passed to the unverified software application. A user token is received and processed to determine whether the unverified software application is one of the authenticated software applications. A verification request is sent based on the processing. Additional methods and systems are also provided. | 12-31-2009 |
20090328208 | METHOD AND APPARATUS FOR PREVENTING PHISHING ATTACKS - The disclosure generally relates to a method for preventing phishing attacks on a computer browser. The method includes the steps of: providing a web browser having a bookmark group; directing the browser to a first Uniform Resource Locator (“URL”) having a first URL address, the first URL address having a plurality of alpha-numeric characters pointing to a first IP address; saving the first URL address in the bookmark group as a first bookmark; receiving an email communication containing a second URL address, the second URL address having a plurality of alpha-numeric characters similar to the first URL address and purporting to point to the first IP address; comparing the first URL address with the second URL address; and determining whether the first URL address and the second URL address share an identical IP address. | 12-31-2009 |
20090328209 | Simplified Communication of a Reputation Score for an Entity - A reputation server is coupled to multiple clients via a network. A security module in each client monitors client encounters with entities such as files, programs, and websites, and then computes a hygiene score based on the monitoring. The hygiene scores are then provided to the reputation server, which computes reputation scores for the entities based on the clients' hygiene scores and the interactions between the clients and the entity. When a particular client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The reputation score may comprise a statistical measure based on a number of other trustworthy or “good hygiene” clients that have a hygiene score above a threshold. The client communicates this reputation score to a user with a message indicating that the reputation score is based on other clients deemed trustworthy. | 12-31-2009 |
20090328210 | CHAIN OF EVENTS TRACKING WITH DATA TAINTING FOR AUTOMATED SECURITY FEEDBACK - An automated security feedback arrangement is provided by which a specialized audit record called a tainting record is linked to data crossing the perimeter of a corpnet that comes from potentially untrusted sources. The linked tainting record operates to taint such data which may be received from external sources such as e-mail and websites or which may comprise data that is imported into the corpnet from mobile computing devices. Data that is derived from the original data is also tainted using a linked tainting record which includes a pointer back to the previous tainting record. The linking and pointing back are repeated for all subsequent derivations of data to thus create an audit trail that may be used to reconstruct the chain of events between the original data crossing the perimeter and any security compromise that may later be detected in the corpnet. | 12-31-2009 |
20090328211 | CONTROL FLOW DEVIATION DETECTION FOR SOFTWARE SECURITY - Provided are methods and systems for control flow deviation detection. Provided are methods for software security, comprising executing a software program, generating a run-time signature variable, updating the run-time signature variable as the software program executes, comparing the run-time signature variable with a pre-computed signature, and detecting a deviation in control flow of the software program based on the comparison between the run-time signature variable and the pre-computed signature. | 12-31-2009 |
20100005527 | SYSTEM AND METHOD FOR PROVIDING AND HANDLING EXECUTABLE WEB CONTENT - The present invention relates to a system for providing executable web content to a terminal. The present invention provides a system comprising a server, which provides an executable web content comprising a declarative language part in declarative language and a non-declarative part, and a gateway, which receives the executable web content from the server, converts it into a format executable in a web browser of the terminal, and transmits the converted content to the terminal. | 01-07-2010 |
20100005528 | METHODS FOR HOOKING APPLICATIONS TO MONITOR AND PREVENT EXECUTION OF SECURITY-SENSITIVE OPERATIONS - The present invention discloses methods and media for hooking applications to monitor and prevent execution of security-sensitive operations, the method including the steps of: reading at least one configuration parameter list from a configuration module; hooking, by a hooking engine, a hooking point in an application, wherein the hooking point is defined in the configuration module; calling, by the application, the hooking point during operation of the application; matching at least one hooking parameter in the hooking point to at least one configuration parameter in at least one configuration parameter list; and upon detecting a match between the hooking parameter and at least one configuration parameter, performing at least one configuration-defined action. Preferably, the method further includes the step of: updating a state of the hooking engine. Preferably, the hooking engine is operative to prevent malicious operations by obfuscated code. | 01-07-2010 |
20100005529 | PLATFORM VERIFICATION PORTAL - Described are computer-based methods and apparatuses, including computer program products, for a platform verification portal. A plurality of configuration items are stored with each comprising a plurality of verification commands capable of being executed by a verification scanning engine executing a verification scan on a target server to compare a set of actual software or configuration settings of the software against a desired software stack. A plurality of configuration item rules is stored. Execution of one or more verification scanning engines across a selected set of target servers is remotely initiated. A request for configuration items is received from each of the target servers. For each of the target servers a set of configuration items applicable to the target server is dynamically selected. For each of the target servers, a list identifying the set of configuration items is transmitted to the target server for execution by the verification scanning engine. | 01-07-2010 |
20100005530 | SYSTEM AND METHOD FOR SCANNING MEMORY FOR PESTWARE OFFSET SIGNATURES - Systems and methods for managing pestware processes on a protected computer are described. In one implementation, a reference point in the executable memory that is associated with a process running in the executable memory is located. First and second sets of information from corresponding first and second portions of the executable memory are then retrieved. The first and second portions of the executable memory are separated by a defined offset, and each of the first and second portions of the executable memory is offset from the reference point. The process is identifiable as a particular type of pestware when the first and second sets of information each include information previously found to be separated by the defined offset in other processes that are of the particular type of pestware. In some variations, the reference point is a starting address and/or an API implementation in the process. | 01-07-2010 |
20100017877 | METHODS AND SYSTEMS FOR DETERMINING FILE CLASSIFICATIONS - A computer-implemented method for determining file classifications. The method may include determining identification information of a first file stored on a first computing system. The method may also include querying a second computing system for classification information by sending the identification information of the first file to the second computing system. The first computing system may receive, in response to the query, identification information of a second file. The first computing system may also receive the classification information. The classification information may indicate that the first file and second file are trusted. The first computing system may use the identification information of the second file to determine that the second file is stored on the first computing system. The first computing system may also apply the classification information to the first and second files by excluding the first and second files from a security scan. | 01-21-2010 |
20100017878 | PRECISE WEB SECURITY ALERT - A method for providing an alert when a potentially or likely malicious web site is browsed to by a user. The method maintains web site identification details. If a web site purporting to be a known, previously identified, encountered and utilized web site is browsed to and requests information, the user is alerted to the precise differences between the stored web site historical identity and the identity of the present requester. | 01-21-2010 |
20100024032 | METHOD AND APPARATUS FOR EFFECTING AN INTERNET USER'S PRIVACY DIRECTIVE - Disclosed is a method for effecting an internet user's privacy directive. In the method, copied packets, that are based on original packets sent from a user client, are monitored for a web content request including state information that is not in compliance with a user's privacy directive. Upon detection of a copied packet having a web content request including noncompliant state information, the state information is modified to comply with the user's privacy directive. A replacement packet is forwarded to the user client such that the user client receives the replacement packet before receiving a response packet from a target server of the corresponding original packet. The replacement packet has a redirection with a renewed web content request including the modified state information. | 01-28-2010 |
20100031353 | Malware Detection Using Code Analysis and Behavior Monitoring - Aspects of the subject matter described herein relate to malware detection using code analysis and behavior monitoring. In aspects, an anti-malware engine performs static analysis on program code and monitors behavior of the program code that is exhibited when the program code executes in a virtual and/or non-virtual environment. The anti-malware engine combines the results of both types of malware detection to determine whether the program code includes malware. The anti-malware engine may use feedback from one or more of the malware detection mechanisms to direct additional malware detection (e.g., static and/or behavior detection) for the program code. | 02-04-2010 |
20100031354 | Distributive Security Investigation - A security investigation system uses a central server to distribute requests for security information regarding an asset, receive responses, and manage the information in the responses in a case object. Requests may be distributed to various servers, each of which may have an agent that may receive the request, search various databases, logs, and other locations, and generate a response. A case object may be continually updated in some embodiments. The case object may be viewed, analyzed, and other requests generated using automated or manual tools. A case object may be sanitized for analysis without compromising sensitive information. | 02-04-2010 |
20100031355 | UNVALIDATED PRIVILEGE CAP - A method for securely accessing an executable file object includes a step in which a request from the target process to access the executable file object is received by an operating system component, and the object is examined for validity before access is allowed. For objects that cannot be validated, the process is run with privileges bounded by the privilege cap, if the privilege cap permits execution of the object. | 02-04-2010 |
20100031356 | BINDING UPDATE METHOD IN MIPv6 - A binding update method in MIPv6 is provided which includes: a first step of allowing a mobile node to generate a HoTI (Home Test Init) message including a HoA (Home Address) encoded with a product of a first prime number and a second prime number and to transmit the HoTI message to a corresponding node through a home agent along with a first index; a second step of allowing the mobile node to generate a CoTI (Care of Test Init) message including a CoA (Care-of Address) encoded with a product of the first prime number and a third prime number and to transmit the CoTI message directly to the corresponding node along with a second index; a third step of allowing the corresponding node to generate a HoT (Home of Test) message including a first nonce and to transmit the HoT message to the mobile node through the home agent; a fourth step of allowing the corresponding node to generate a CoT (Care-of Test) message including a second nonce and to transmit the CoT message to the mobile node; a fifth step of allowing the mobile node to generate a BU (Binding Update) message by adding the first prime number to the first nonce and the second nonce included in the HoT message and the CoT message and to transmit the BU message to the corresponding node; and a sixth step of allowing the corresponding node to verify the BU message using an exclusive OR operation and a factorization operation in prime numbers with the first prime number and to transmit a BA (Binding Ack) message to the mobile node. | 02-04-2010 |
20100031357 | Defending Smart Cards Against Attacks by Redundant Processing - A method is provided which defends a computer program against attacks independently of the complexity of the program. A request to invoke the application is received. A process execution state is set to indicate a first execution. The application is executed in response to the request, and application data and control information calculated by the application is stored while the application is executed. The process execution state is set to indicate a subsequent execution. At least part of the application is executed for at least one subsequent time. Application data and control information calculated by the application during subsequent executions is compared with the data/information stored during the first execution. The comparison is done by operating system services which are responsive to the process execution state. When the comparison shows a discrepancy in the compared application data and control information, appropriate error handling takes place. | 02-04-2010 |
20100037314 | METHOD AND SYSTEM FOR DETECTING MALICIOUS AND/OR BOTNET-RELATED DOMAIN NAMES - A method and system of detecting a malicious and/or botnet-related domain name, comprising: reviewing a domain name used in Domain Name System (DNS) traffic in a network; searching for information about the domain name, the information related to: information about the domain name in a domain name white list and/or a domain name suspicious list; and information about the domain name using an Internet search engine, wherein the Internet search engine determines if there are no search results or search results with a link to at least one malware analysis site; and designating the domain name as malicious and/or botnet-related based on the information. | 02-11-2010 |
20100037315 | TAMPER-AWARE VIRTUAL TPM - Methods, software/firmware and apparatus for implementing a tamper-aware virtual trusted platform module (TPM). Under the method, respective threads comprising a virtual TPM thread and a security-patrol thread are executed on a host processor. In one embodiment, the host processor is a multi-threaded processor having multiple logical processors, and the respective threads are executed on different logical processors. While the virtual TPM thread is used to perform various TPM functions, the security-patrol thread monitors for physical attacks on the processor by implementing various numerical calculation loops, wherein an erroneous calculation is indicative of a physical attack. In response to detection of such an attack, various actions can be taken in view of one or more predefined security policies, such as logging the event, shutting down the platform and/or informing a remote management entity. | 02-11-2010 |
20100037316 | MANAGING A SOFTWARE ITEM ON A MANAGED COMPUTER SYSTEM - A method and system is provided of managing a current software item on a managed computer system connectable to a management computer system via a computer network. The method includes identifying, using an agent application, the current software item on the managed computer system, identifying if the current software item is an unauthorized software item; and selectively disabling the unauthorized software item. | 02-11-2010 |
20100043071 | SYSTEM AND METHOD FOR COMBATING PHISHING - In one embodiment, the present invention relates to a method and system for combating phishing. A computer receives an email comprising a sender email address and a link. The computer determines a sender domain name from the sender email address and ascertains a Uniform Resource Locator (URL) corresponding to the link. The computer then determines a link domain name from the URL. The computer then determines whether the sender domain name is different from the link domain name, so as to classify the URL as a potential phishing URL. | 02-18-2010 |
20100050255 | DETECTION AND SUPPRESSION OF SHORT MESSAGE SERVICE DENIAL OF SERVICE ATTACKS - A method, system, and medium are provided for suppressing a Short Message Service (SMS) induced Denial of Service (DoS) attack on a telecommunications network. A register is updated to include information relevant to SMS messages that are requested to be communicated by way of a wireless telecommunications network. The register includes information of the location where the target devices of SMS messages are located. The register is utilized to detect an SMS induced DoS attack. A trigger is communicated to an SMS router to enable a DoS mode that restricts the communication of SMS messages. In an exemplary embodiment, only those SMS messages identified as part of the DoS attack are restricted. | 02-25-2010 |
20100050256 | METHODS AND SYSTEMS FOR INTERNET PROTOCOL (IP) PACKET HEADER COLLECTION AND STORAGE - A computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is described. The method includes capturing IP packets from a computer network, stripping packet header data from the captured IP packets, reviewing the stripped packet header data for multiple occurrences of matching packet header data, and storing, in a database, only a single instance of packet header data for any reviewed packet header data that is determined to have occurred multiple times. | 02-25-2010 |
20100050257 | CONFIRMATION METHOD OF API BY THE INFORMATION AT CALL-STACK - The present invention relates to a method of verifying an API using information recorded in the call stack. In the API verification method, whether at least one application is executed is determined in a system in which the application is installed. An API function requested when the application is executed is hooked. Details of a call stack for the API function are output. A stack Database (DB), in which call stack details for various types of API functions required for operation of the application are stored, is searched for the output call stack details, and the output call stack details are checked. | 02-25-2010 |
20100050258 | LIGHTWEIGHT PACKET-DROP DETECTION FOR AD HOC NETWORKS - In packet-drop attacks in ad hoc networks, a malicious network node chooses to selectively drop packets that are supposed to be forwarded, which results in adverse impact on application good-put and network stability. A method and system for detection of packet-drop attacks in ad hoc networks requires network nodes to report statistics on IP flow packets originated, received, or forwarded to neighbors. These statistics are analyzed and correlated to determine nodes suspected of dropping packets. | 02-25-2010 |
20100058467 | EFFICIENCY OF ACTIVE CONTENT FILTERING USING CACHED RULESET METADATA - A start offset and an end offset can be identified within unfiltered content that is to be filtered. This unfiltered content can include HTML content. A corresponding start offset and an end offset of the unfiltered content can be matched against a set of content objects contained in a content cache. Each of the content objects can be associated with rule metadata. At least one filter rule can be extracted from metadata of a matching cache object. A programmatic action can be performed based upon the extracted filter rule. Computer readable output can result from the programmatic action. The output can include content that has been filtered in accordance with the extracted filter rule. | 03-04-2010 |
20100058468 | IDENTIFYING REPUTATION AND TRUST INFORMATION FOR SOFTWARE - Methods, systems, and computer program products identify trust and reputation information for an application. Status information including installation information and/or rating information corresponding to a software application is stored in a service or in a local computer cache. A software application is identified as corresponding to the status information, and the installation information and/or rating information is presented to a user prior to installation, launch, and/or update of the software application. Using the status information the user can make an informed decision on whether the user will trust the software application to permit the installation, launch, and/or update to occur. | 03-04-2010 |
20100058469 | ANOMALY INFORMATION DISTRIBUTION WITH THRESHOLD - Embodiments of the present disclosure provide techniques for distributing information about possible anomalies in a network. A sensor in a network may detect packets with payloads that match an anomaly signature. Address dispersion information, for example, in the form of source and address bitmaps, may be gathered at the sensor. The address dispersion information may be distributed to one or more peer sensors if the information indicates that the number of different addresses of the detected matching packets exceeds a threshold. | 03-04-2010 |
20100058470 | MOBILE TERMINAL TO PREVENT VIRUS INFECTION AND METHOD OF CONTROLLING OPERATION OF THE MOBILE TERMINAL - A mobile terminal and a method of controlling operation of the mobile terminal may be provided that include outputting a sensing signal corresponding to a detected attempt to make a call, connecting the call when user input indicates that it is allowed to connect the call, and if the user input indicates that it is not allowed to connect the call, shutting down the detected attempt. Accordingly, suspicious operation that may have been caused by a virus may be shut down to prevent damage to a mobile terminal caused by a virus. | 03-04-2010 |
20100058471 | METHOD AND SYSTEM FOR DEFENDING DDOS ATTACK - In a method of defending against a Distributed Denial of Service (DDoS) attack, an attack target server determines whether it suffers a DDoS attack from a plurality of terminals and, according to a result of the determination, informs a control server that it suffers the DDoS attack by transmitting its own information to the control server. The control server which has received the information of the attack target server confirms the plurality of terminals which transmit data to the attack target server and transmits an attack prevention message to the plurality of confirmed terminals. Each of the plurality of terminals which has received the attack prevention message determines whether the terminal launches the DDoS attack and, according to a result of the determination, blocks the DDoS attack. | 03-04-2010 |
20100058472 | METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE - A method that protects computer data from untrusted programs. Each of the computer's objects and processes is assigned trust attributes, which define the way it can interact with other objects within the system. When an object is classified as untrusted, it can interact with other objects within the system only on a limited basis. A virtualized system is provided on the computer so that when the untrusted object attempts to perform an operation that is outside its scope of authorization, the virtualized system intercepts the operation but presents the untrusted program with an indication that the requested operation has been performed. The method further includes processes to securely move a program from an untrusted group to a trusted group. | 03-04-2010 |
20100064366 | Request processing in a distributed environment - A method for request processing in a distributed system includes obtaining event request information at a plurality of application servers, at least some of the event request information pertaining to a resource access request that is sent from a client terminal and that corresponds to a Uniform Resource Locator (URL) resource, transferring the event request information to an anti-attack server, determining, based at least in part on the at least some of the event request information, a total number of access requests to the URL resource made by the client terminal in a specified period of time, and determining, based at least on the total number of access request determined and a predefined access rule, whether an abnormal access request has been made by the client terminal. | 03-11-2010 |
20100077476 | METHOD AND APPARATUS FOR DETECTING MALWARE IN NETWORK TRAFFIC - A method and apparatus for detecting malware in network traffic is described. One embodiment executes, in an emulation environment, an executable file as it is being received serially over a network, execution beginning once a block of data including an entry point of the executable file has been received, execution halting whenever an instruction in the executable file references data not yet received and resuming once the data not yet received has been received, execution ceasing upon satisfaction of a termination condition; examining the emulation environment for indications that the executable file includes malware; and taking corrective action responsive to the results of examining the emulation environment for indications that the executable file includes malware. | 03-25-2010 |
20100077477 | AUTOMATIC MANAGING SYSTEM AND METHOD FOR INTEGRITY REFERENCE MANIFEST - The present invention relates to a system for automatically managing integrity reference information and a method of managing the same. The system includes one or more systems, a system management server, and an integrity management server. The systems are connected over a network and communicate with each other. Each of the systems has an integrity measurement program to generate integrity information. The system management server has registration information about each of the systems connected over the network and registration information about a program distributed to each of the systems. Further, the system management server controls network access by each of the systems. If integrity reference information matching integrity information provided from a specific system does not exist in the pieces of integrity reference information for verifying integrity of each of the systems, the integrity management server determines whether to register the integrity information as integrity reference information of the specific system depending on whether the specific system has been registered with the system management server. | 03-25-2010 |
20100077478 | Method and Apparatus for Publishing Documents Over a Network - An apparatus and method for publishing an electronic document on a network is described. In one embodiment, an apparatus for publishing an electronic document on a wide area network comprises at least one server and a client, the client having memory for storing an electronic document and means for sending the electronic document to the server, wherein a URL is associated with the electronic document, a security key is associated with the URL, and means are provided for sending the URL to a user. | 03-25-2010 |
20100083375 | DETECTION ACCURACY TUNING FOR SECURITY - Aspects of the subject matter described herein relate to tuning detection components of a security system. In aspects, a history of alerts is collected. This history is then used together with knowledge about tunable objects of the system to determine parameters of the tunable objects that can be changed to improve detection of the system. Parameters of tunable objects are adjusted in a simulator that determines an effect on alerts in the history based on the adjusted parameters. A recommendation of one or more tuning actions may be provided together with information regarding the effect of each tuning action. | 04-01-2010 |
20100083376 | METHOD AND APPARATUS FOR REDUCING FALSE POSITIVE DETECTION OF MALWARE - Method and apparatus for detecting malware are described. In some examples, files of unknown trustworthiness are identified as potential threats on the computer. A trustworthiness level for each of the files is received from a backend. The trustworthiness level of each of the files is compared to a threshold level. Each of the files where the trustworthiness level thereof satisfies the threshold level is designated as a false positive threat. Each of the files where the trustworthiness level thereof does not satisfy the threshold level is designated as a true positive threat. | 04-01-2010 |
20100083377 | METHOD AND APPARATUS TO DEFINE THE SCOPE OF A SEARCH FOR INFORMATION FROM A TABULAR DATA SOURCE - A method and apparatus for defining the scope of a search is described. In one embodiment, user input is received, and the scope is defined, based on the user input, for a search of free-form text for information from any random rows within a tabular structure of source data. In one embodiment, the search is intended for finding, in the free-form text, a sub-set of data fragments that matches information from any single row within the tabular structure of the source data. | 04-01-2010 |
20100088761 | CROSS-DOMAIN ACCESS PREVENTION - A method, system, and computer program product for cross-domain access prevention are provided. The method includes detecting a request from a first domain to access a second domain, and applying cross-domain access heuristics to determine whether to allow the request. The cross-domain access heuristics define common ownership characteristics between the first domain and the second domain. The method further includes performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics, and blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics. | 04-08-2010 |
20100088762 | APPARATUS AND METHOD FOR MONITORING NETWORK EQUIPMENT - A system that incorporates teachings of the present disclosure may include, for example, a server having a controller to receive a monitoring signal from a network plug-in device where the monitoring signal includes location and identification information associated with the network plug-in device and where the server is remote from the network plug-in device, and determine whether the network plug-in device is in an unauthorized location based at least in part on the monitoring signal. Other embodiments are disclosed. | 04-08-2010 |
20100088763 | Method for Preventing Denial of Service Attacks Using Transmission Control Protocol State Transition - Disclosed is a method of preventing a denial of service (DoS) attack using transmission control protocol (TCP) state transition. The flow of packets transmitted between a client and a server using TCP is monitored to prevent the DoS attack, e.g., SYN flooding, and to efficiently reduce the load on the server and provide more secure service. By applying the method to a firewall, a proxy server, an intrusion detection system, etc., of a server, it is possible to make up for vulnerabilities regarding a DoS attack without disturbing a conventional TCP state transition operation and to detect, verify and block DoS attacks abusing the vulnerabilities, thereby providing more secure service. | 04-08-2010 |
20100088764 | RELAY DEVICE AND RELAY METHOD - An apparatus relays packets transferred over a network and discards an attack packet detected among the packets. The apparatus includes: an inspection-packet outputting unit that outputs, when detecting the attack packet, an inspection packet in which a transmission-source address contained in the attack packet is set as a destination address and a destination address contained in the attack packet is set as a transmission-source address; a filter table storing unit that stores, when acquiring a response packet for the inspection packet, a transmission-source address, a destination address, and identification information of an interface, which has received the response packet, that are contained in the response packet, in a filter table in an associated manner; and a transfer control unit that determines whether to transfer a packet as a transfer object based on the filter table. | 04-08-2010 |
20100088765 | SYSTEM AND METHOD FOR FILTERING ELECTRONIC MESSAGES USING BUSINESS HEURISTICS - Disclosed are systems and methods for use in filtering electronic messages using business heuristics. In one aspect, a method includes determining whether the electronic message is associated with a desirable business, and adjusting the likelihood of delivering the electronic message to an intended recipient of the message if the electronic message is determined to be associated with the desirable business. In a more specific embodiment, the method further includes assigning a spam-score to the electronic message based on a likelihood that the electronic message is not unwanted by the intended recipient, blocking delivery of the electronic message to the intended recipient when the spam-score does not cross an overall threshold, and delivering the electronic message to the intended recipient based on the adjusted likelihood when the electronic message is determined to be associated with the desirable business. | 04-08-2010 |
20100095374 | GRAPH BASED BOT-USER DETECTION - Computer implemented methods are disclosed for detecting bot-user groups that send spam email over a web-based email service. Embodiments of the present system employ a two-prong approach to detecting bot-user groups. The first prong employs a historical-based approach for detecting anomalous changes in user account information, such as aggressive bot-user signups. The second prong of the present system entails constructing a large user-user relationship graph, which identifies bot-user sub-graphs through finding tightly connected subgraph components. | 04-15-2010 |
20100095375 | Method for locating fraudulent replicas of web sites - A method for detecting Web sites used for phishing, including preselecting one or more Web sites to be examined for duplication, selecting at least one or more elements that are present in the preselected Web site and that relate to characteristic identifying features of the preselected Web site, forming at least one search query using the one or more elements, and submitting the at least one search query to an indexed public search engine. The elements illustratively may be URL substrings, content identification substrings, or tree structure-related substrings. A report of Web sites using the selected one or more search terms is received from the public search engine in response to the query, and the preselected Web site is eliminated from the Web sites found in the search. The remaining Web sites retrieved in the search are further analyzed, by additional focused searching of the retrieved pages, by comparing header or tree structure information, or other techniques to compare them with the preselected Web site to identify unauthorized near-replicas of the known legitimate Web site for responsive action. | 04-15-2010 |
20100095376 | SOFTWARE WATERMARKING - Various techniques for uniquely marking software, such as by reference to hidden information or other telltale features, are detailed. Some marks are evident in static code. Others are observable when the code is executed. Some do not manifest themselves until the code is exercised with a specific stimulus. Different ones of the techniques are applicable to source code, object code, and firmware. A great number of other features and arrangements are also disclosed. | 04-15-2010 |
20100095377 | DETECTION OF SUSPICIOUS TRAFFIC PATTERNS IN ELECTRONIC COMMUNICATIONS - Methods and systems for detecting suspicious traffic patterns in electronic communications are provided. According to one embodiment, an electronic mail (email) message is received by a mail filter (milter), which evaluates a traffic pattern represented by the email message by scanning information associated with the email message and comparing it to information associated with one or more traffic analysis profiles. If the email message is identified by the milter as being inconsistent with normal email traffic patterns as represented by the one or more traffic analysis profiles, then the milter causes the email message to be handled in accordance with an email security policy associated with suspicious traffic patterns. For example, in the context of an outbound message, the originator may be alerted to a factor contributing to the identification and the originator may be provided with an opportunity to address the factor. | 04-15-2010 |
20100095378 | Classifying a Message Based on Fraud Indicators - Systems, methods, and media for classifying messages are disclosed. A plurality of fraud indicators are identified in the message. A signature of the message is generated. The generated signature of the message is compared to a stored signature. The stored signature is based on a statistical analysis of fraud indicators in a second message associated with the stored signature. A determination as to whether the message is fraudulent is made based on the comparison. The message is processed based on the determination that the message is a fraudulent message. | 04-15-2010 |
20100100957 | Method And Apparatus For Controlling Unsolicited Messages In A Messaging Network Using An Authoritative Domain Name Server - Methods for controlling unsolicited messages in a messaging network using an authoritative domain name (DNS) server, in which a requester intending to send an e-mail message to a recipient queries the DNS server associated with the recipient's domain. The response sent from the DNS server is dependent upon a security policy associated with the requester, which results from interrogations to determine the probability that the requester is sending unsolicited messages or spam. A validity factor is set to a first indicator if the request passes or to a second indicator if the request fails. The response from the DNS server provides the network address if the validity factor is set to the first indicator. A suitable not-the-network-address response is sent if the validity factor is set to the second indicator. The authoritative DNS server thereby controls, blocks, or reroutes the message and lightens the load on the recipient's mail server and ISP(s). | 04-22-2010 |
20100100958 | VISUAL DISPLAY OF WEBSITE TRUSTWORTHINESS TO A USER - Website trustworthiness is automatically displayed to a user by pre-establishing a user-defined good list identifying one or more known good website addresses. Each known good website address in the user-defined good list has associated therewith at least one user-defined visual characteristics for display. Subsequently, responsive to the user selecting to visit a website address identified in the user-defined good list, the website is displayed for the user and the user-defined visual characteristics associated therewith from the user-defined good list are also concurrently displayed with the website. The user-defined visual characteristics provide the user with a visual indication of website trustworthiness concurrently with display of the website. | 04-22-2010 |
20100100959 | SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS - The present invention is a system and method for providing security for a mobile device by analyzing data being transmitted or received by multiple types of networks. The invention can provide security for many types of network interfaces on a mobile device, including: Bluetooth, WiFi, cellular networks, USB, SMS, infrared, and near-field communication. Data is gathered at multiple points in a given processing pathway and linked by a protocol tracking component in order to analyze each protocol present in the data after an appropriate amount of processing by the mobile device. Protocol analysis components are utilized dynamically to analyze data and are re-used between multiple data pathways so as to be able to support an arbitrary number of network data pathways on a mobile device without requiring substantial overhead. | 04-22-2010 |
20100107244 | Trust Event Notification and Actions Based on Thresholds and Associated Trust Metadata Scores - An approach is provided for selecting one or more trust factors from trust factors included in a trust index repository. Thresholds are identified corresponding to one or more of the selected trust factors. Actions are identified to perform when the selected trust factors reach the corresponding threshold values. The identified thresholds, identified actions, and selected trust factors are stored in a data store. The selected trust factors are monitored by comparing one or more trust metadata scores with the stored identified thresholds. The stored identified actions that correspond to the selected trust factors are performed when one or more of the trust metadata scores reach the identified thresholds. At least one of the actions includes an event notification that is provided to a trust data consumer. | 04-29-2010 |
20100107245 | TAMPER-TOLERANT PROGRAMS - Tamper-tolerant programs enable correct and continued execution despite attacks. Programs can be transformed into tamper-tolerant versions that correct effects of tampering in response to detection thereof. Tamper-tolerant programs can execute alone or in conjunction with tamper resistance/prevention mechanisms such as obfuscation and encryption/decryption, among other things. In fact, the same and/or similar mechanisms can be employed to protect tamper tolerance functionality. | 04-29-2010 |
20100107246 | TERMINAL DEVICE AND METHOD FOR CHECKING A SOFTWARE PROGRAM - A terminal device according to the present invention includes: a first domain configured to execute multiple software programs; and a second domain configured to operate independently of the first domain and to check whether or not the software programs are safe. The second domain includes: an execution sequence storage unit configured to store execution priority of the multiple software programs to be executed by the first domain; a software program checking unit configured to check whether or not the multiple software programs are safe, according to the execution sequence storage unit; and an execution restricting unit configured to restrict the first domain from executing a software program included in the multiple software programs and having a check result indicating that the software program is unsafe, before checking of all the multiple software programs is completed. | 04-29-2010 |
20100107247 | SYSTEM AND METHOD FOR IDENTIFICATION, PREVENTION AND MANAGEMENT OF WEB-SITES DEFACEMENT ATTACKS - A system and method for identifying websites' defacement attacks by identifying of unauthorized network content pages or parts of pages that are defined as defaced-pages. The application may enable identifying defacing parts of a network content page by comparing the source code of the network content page with the source code of reference defaced-pages, which may be network content pages that were already identified as unauthorized defaced-pages and their source codes have already been stored in at least one database. Once a defacing-page is identified, the system may enable removing of the defacing-page and replacing it with the last corresponding network content page that has preceded the defacing one. | 04-29-2010 |
20100107248 | REAL-TIME DATA PROTECTION METHOD AND DATA PROTECTION DEVICE FOR IMPLEMENTING THE SAME - A real-time data protection method includes: receiving input data from an input device; storing the input data; sending the input data to a computing device, thereby permitting the computing device to generate result data based on the input data; receiving the result data from the computing device; generating test data that correspond to the result data; comparing the test data to the input data; and when it is determined that the test data are not identical to the input data, indicating that the result data have been modified. A data protection device that implements the real-time data protection method is also disclosed. | 04-29-2010 |
20100107249 | Method, Apparatus, and Device for Protecting Against Programming Attacks and/or Data Corruption - The method and accompanying apparatus and device protects against programming attacks and/or data corruption by computer viruses, malicious code, or other types of corruption. In one example, signature verification policy information that identifies a plurality of policies associated with a plurality of target memory segments is programmed during a secure boot process. The programmed signature verification policy information associated with each of the plurality of target memory segments is then evaluated during run-time. Signature verification is then repeatedly performed, during run-time, on each of the plurality of target memory segments based on the programmed signature verification policy information associated with each target memory segment. | 04-29-2010 |
20100107250 | METHOD AND APPARATUS FOR DEFENDING AGAINST ARP SPOOFING ATTACKS - A method and an apparatus for defending against Address Resolution Protocol (ARP) spoofing attacks are disclosed. The method includes: when an ARP entry is updatable, judging whether the MAC address of a received ARP message is the same as the MAC address in the ARP entry, where the ARP message has the same Internet Protocol (IP) address as the ARP entry; if the MAC addresses are different, determining the received ARP message to be an ambiguous ARP message and starting an ARP verification process, or else starting no ARP verification. In this way, when no address spoofing attacks occur, no verification messages are generated, thus reducing signaling interactions and saving network resources; besides, spoofing attacks that may happen at any time are avoided, which effectively prevents address spoofing attacks via random scanning and protects the normal application of the real host. | 04-29-2010 |
20100107251 | MIME Handling Security Enforcement - A model restricts un-trusted data/objects from running on a user's machine without permission. The data is received by a protocol layer that reports a MIME type associated with the DATA, and caches the data and related cache file name (CFN). A MIME sniffer is arranged to identify a sniffed MIME type based on the cached data, the CFN, and the reported MIME type. Reconciliation logic evaluates the sniffed MIME type and the CFN to determine a reconciled MIME type, and to update the CFN. A class ID sniffer evaluates the updated CFN, the cached data, and the reconciled MIME type to determine an appropriate class ID. Security logic evaluates the updated CFN, the reported class ID, and other related system parameters to build a security matrix. Parameters from the security matrix are used to intercept data/objects before an un-trusted data/object can create a security breach on the machine. | 04-29-2010 |
20100115612 | Context-Based User Authentication, Workflow Processing, and Data Management in a Centralized Application in Communication with a Plurality of Third-Party Applications - Described are computer-based methods and apparatuses, including computer program products, for providing context-based user authentication, workflow processing and data management in a centralized application in communication with a plurality of third-party applications. Changed data from a first third-party application is received by a centralized application. The changed data is processed by the centralized application. The processing comprises determining an urgency type, a second third-party application to which at least a portion of the data is applicable, mapping the data to a second third-party application data structure, and generating a request including the data structure and based on the urgency type and the second third-party application. The request is sent to the second third-party application. Data in a database associated with the centralized application is updated based on the changed data. | 05-06-2010 |
20100115613 | Cacheable Mesh Browsers - Methods and systems for improving the end-user experience by reducing the latency of data access across networks by accessing peer browser caches are disclosed. In one embodiment, a method of accessing a web data element includes: transmitting a first request for the web data element from a first browser to a home location of the web data element; transmitting a second request for the web data element from the first browser to one or more hosts including a second browser accessible by the first browser; receiving a cached copy of the web data element by the first browser from the second browser; and displaying the cached copy of the web data element. In another embodiment, a method of improving access to a web data element includes: receiving a copy of the web data element at a first browser in response to a first request initiated from the first browser; storing the copy of the web data element in a cache controlled by the first browser as a cached web data element; receiving a request for the web data element from a second browser; and providing a copy of the cached web data element to the second browser. | 05-06-2010 |
20100115614 | DATA LOSS PROTECTION THROUGH APPLICATION DATA ACCESS CLASSIFICATION - A method and apparatus for classifying behavior of an application based on its data access pattern is described. In one embodiment, the method includes monitoring file access events associated with an application, and determining whether at least one of the file access events indicates the application's attempt to manipulate data of a file. If at least one file access event indicates the application's attempt to manipulate the data within the file, then at least one action is caused to be performed. | 05-06-2010 |
20100115615 | SYSTEM AND METHOD FOR DYNAMIC AND REAL-TIME CATEGORIZATION OF WEBPAGES - A system and method for categorizing content on a webpage is disclosed. The method comprises receiving a request for a webpage from a user's computer. Next, the system determines whether there is dynamic content on the webpage by analyzing the address, links, reputation, type, style and other indicators of being able to easily change the webpage. If the webpage contains content that can be changed, then the webpage is analyzed to determine a current categorization thereof. If the webpage does not have dynamic content then the categorization of the webpage will remain the same thereby freeing system resources by only analyzing dynamic webpages. | 05-06-2010 |
20100115616 | Storage Device and Method for Dynamic Content Tracing - A storage device and method for dynamic content tracing are provided. In one embodiment, a storage device stores content having a plurality of sequences of data, each sequence of data having original data and at least one variation of the original data. The storage device receives an identifier of a host device and, for each sequence of data, selects either the original data or one of the at least one variation of the original data based on the identifier of the host device. The storage device then assembles a version of the content from the selections and provides the assembled version of the content to the host device. The assembled version of the content is unique to the host device and therefore can be used to trace the assembled version of the content back to the host device. | 05-06-2010 |
20100122342 | IDENTIFYING ABNORMAL NETWORK TRAFFIC - A method of identifying traffic within a network representative of an abnormal network condition, including: monitoring a communications link for a high traffic volume level; identifying a domain being the source of the high traffic volume level; identifying within the domain a sending entity transmitting traffic from the domain; using a detector located at or proximate to the domain to invoke a response from the sending entity; wherein a failure by the sending entity to provide an expected response to the message in accordance with a network protocol indicates that the traffic transmitted by the sending entity is traffic representative of an abnormal network condition. | 05-13-2010 |
20100125909 | MONITOR DEVICE, MONITORING METHOD AND COMPUTER PROGRAM PRODUCT THEREOF FOR HARDWARE - A monitor device, a monitor method and a computer program product thereof for hardware are disclosed. The hardware comprises a central processing unit (CPU) and a storage module. The monitor device comprises a retrieval module and an analysis module. The retrieval module is configured to retrieve the entry point information of a process before the process is executed, wherein the process comprises at least one instruction from the hardware. The analysis module is configured to retrieve an address corresponding to the process according to the entry point information. When the CPU executes the at least one instruction, the storage module records the at least one instruction according to the address. | 05-20-2010 |
20100125910 | Systems and methods for media authentication - A method and system for authenticating a digital optical medium, such as a CD-ROM, determine whether the medium is an unauthorized copy, or the original. The original media is created, or altered, so as to contain anomalous locations from which the transfer of data is accomplished at different rates than a standard digital copy would exhibit. One implementation of the process involves timing analysis of the differences in data transfer rates, and does not necessarily require the retrying of data reads, nor does the process require the media to exhibit fatal errors, as in conventional approaches. The process can be employed in systems that control access to unauthorized copies, or may be used for other informative purposes. Theft, distribution, and piracy of digital content on optical media, such as computer software (also games, video, audio, e-book content), is often accomplished by copying it directly to another disc using commonly available copy tools and recordable optical media, or the replication of media to another mass manufactured disc. The present invention, which helps to irrefutably identify a unit of optical media as the original, and can correspondingly identify any copy made by any currently available means as such a copy, may prevent an unauthorized individual from making use of any unauthorized copies. This offers significant advantages to content creators who wish to protect their products. | 05-20-2010 |
20100132036 | VERIFICATION OF OUTSOURCED DATA STREAMS - Embodiments disclosed herein are directed to verifying query results of an untrusted server. A data owner outsources a data stream to the untrusted server, which is configured to respond to a query from a client with the query result, which is returned to the client. The data owner can maintain a vector associated with query results returned by the server and can generate a verification synopsis using the vector and a seed. The verification synopsis includes a polynomial, where coefficients of the polynomial are determined based on the seed. The data owner outputs the verification synopsis and the seed to a client for verification of the query results. | 05-27-2010 |
20100132037 | SYSTEM AND METHOD TO LOCATE A PREFIX HIJACKER WITHIN A ONE-HOP NEIGHBORHOOD - Method, system and computer-readable medium to locate a prefix hijacker of a destination prefix within a one-hop neighborhood on a network. The method includes generating one-hop neighborhoods from autonomous system (AS)-level paths of plural monitors to a destination prefix. The method also includes determining a suspect set of AS identifiers resulting from a union of the one-hop neighborhoods. The method further includes calculating a count and a distance associated with each AS identifier of the suspect set. The count indicates how often the AS identifier appeared in the one-hop neighborhoods. The distance indicates a total distance from the AS identifier to AS identifiers associated with the plural monitors. Yet further, the method includes generating a one-hop suspect set of AS identifiers from the suspect set that have highest counts and highest distances. | 05-27-2010 |
20100132038 | System and Method for Computer Malware Detection - Disclosed are systems and methods for computer malware detection. The system is configured to emulate execution of a program code, monitor events of program execution, classify the monitored events as malicious or non-malicious, and collect information about unclassifiable events. The system further includes one or more analyst workstations configured to isolate a program analyst from external audiovisual stimuli. The workstation includes a video output device operable to display a list of unclassifiable events and event-related information to the program analyst and a user input device operable to receive analyst's physiological response indicative of whether the displayed list of unclassifiable events exhibits malicious behavior. | 05-27-2010 |
20100138917 | REFRESH MECHANISM FOR RATE-BASED STATISTICS - Rate-based statistics are aperiodically refreshed. For example, for each Internet Protocol address being monitored, a time stamp of the last (most recent) statistics object (e.g., packet) and corresponding rate-based statistics are stored. The time stamp of a new statistics object is compared with the stored time stamp. The stored time stamp may be updated, and the stored statistics may be updated or refreshed, depending on the result of the comparison. | 06-03-2010 |
20100138918 | Keyboard Security Status Check Module and Method - A keyboard security status check module and method are provided. The module is provided to enable a user to easily check the operating status of a keyboard security program installed in a user terminal. The module includes a keyboard security monitor linked to the keyboard security program and configured to monitor a reception status of key input data protected by keyboard security, and a controller configured to display a dynamic keyboard security check representation on a screen of the user terminal according to the reception status of the key input data monitored by the keyboard security monitor. | 06-03-2010 |
20100138919 | SYSTEM AND PROCESS FOR DETECTING ANOMALOUS NETWORK TRAFFIC - A process for detecting anomalous network traffic in a communications network, the process including: generating reference address distribution data representing a statistical distribution of source addresses of packets received over a first time period, the received packets being considered to represent normal network traffic; generating second address distribution data representing a statistical distribution of source addresses of packets received over a second time period; and determining whether the packets received over the second time period represent normal network traffic on the basis of a comparison of the second address distribution data and the reference address distribution data. | 06-03-2010 |
20100138920 | METHOD AND SYSTEM FOR DETECTING AND RESPONDING TO HARMFUL TRAFFIC - There is provided a method and system for detecting and responding to harmful traffic. The system includes a router determining whether or not received data is harmful traffic, by using a dynamic flow identification (DFI) function and a deep packet inspection (DPI) function, sending Cflowd information of the received data, and then encapsulating the received data when the received data is determined to be harmful traffic, a policy & resource control entity receiving the Cflowd information from the router, determining whether or not the received data is harmful traffic by using the received Cflowd information, and then sending a result of the determination to the router, and a security management server receiving the encapsulated data from the router, reconfirming whether or not the encapsulated data is harmful traffic, and then processing the encapsulated data. | 06-03-2010 |
20100138921 | Countering Against Distributed Denial-Of-Service (DDOS) Attack Using Content Delivery Network - Method and apparatus for blocking a distributed denial-of-service (DDoS) attack are provided. It is first determined whether a traffic status of an origin server is based on the DDoS attack. When it is determined that the traffic status of the origin server is based on the DDoS attack, a DNS is requested to change an Internet protocol (IP) address of the origin server to the IP address of at least one of plural servers. Accordingly, it is possible to accept a normal service providing request and also to determine and block the DDoS attack. In addition, since a device for determining and blocking the DDoS attack need not be installed in each site or server, it is possible to efficiently determine and block the DDoS attack at reduced cost. | 06-03-2010 |
20100146621 | METHOD OF EXTRACTING WINDOWS EXECUTABLE FILE USING HARDWARE BASED ON SESSION MATCHING AND PATTERN MATCHING AND APPARATUS USING THE SAME - A method and apparatus for extracting a windows executable file that can search for a pattern related to windows executable files among a large quantity of network packets using a hardware-based session tracking and pattern matching technology and that can extract all packets included in the corresponding session are provided. The method of extracting a windows executable file includes: collecting incoming packets having a payload according to a session of a reference packet having an MZ pattern; performing a portable executable (PE) pattern matching for the collected incoming packets; and forming a PE file based on at least one incoming packet satisfying the PE pattern matching. | 06-10-2010 |
20100154055 | Prefix Domain Matching for Anti-Phishing Pattern Matching - Phishing uniform resource locators are detected and/or filtered. After a uniform resource locator is received, it is determined if at least a portion of a prefix of the uniform resource locator matches at least a portion of a blacklist entry and the uniform resource locator is filtered if at least a portion of the prefix of the uniform resource locator matches at least a portion of the blacklist entry. The prefix of the uniform resource locator is constrained to be a predetermined number of the highest level domain labels of the domain name in the received uniform resource locator. | 06-17-2010 |
20100154056 | Context-Aware Real-Time Computer-Protection Systems and Methods - A computer-implemented method for determining, in response to an event of interest, whether to perform a real-time file scan by examining the full context of the event of interest may comprise: 1) detecting an event of interest, 2) identifying at least one file associated with the event of interest, 3) accessing contextual metadata associated with the event of interest, 4) accessing at least one rule that comprises criteria for determining, based on the event of interest and the contextual metadata, whether to perform a security scan on the file, and then 5) determining, by applying the rule, whether to perform the security scan on the file. Corresponding systems and computer-readable media are also disclosed. | 06-17-2010 |
20100162390 | Automatic proactive means and methods for substantially defeating a password attack - Automatic proactive means and methods for substantially defeating a password attack against a computer having a password-protected program installed in it. These means and methods range from not responding at all, to responding with instructions to disrupt the ability of the computer having the attack program in it to continue the attack. | 06-24-2010 |
20100162391 | Online Risk Mitigation - Online risk mitigation techniques are described. In an implementation, a service is queried for a reputation associated with an object from an online source in response to selection of the object. A backup of a client that is to receive the object is stored prior to obtaining the object when the reputation does not meet a threshold reputation level. | 06-24-2010 |
20100162392 | APPARATUS AND METHOD FOR MONITORING SECURITY STATUS OF WIRELESS NETWORK - An apparatus for monitoring the security status of a wireless network is provided. The apparatus includes a radio frequency (RF) signal collection unit which collects at least one piece of RF signal information; a security event information collection unit which collects security event information including at least one of traffic information and alert information; a security event information mapping unit which maps the RF signal information and the security event information based on the correlation between the RF signal information and the security event information; and a security event information display unit which displays the result of the mapping performed by the security event information mapping unit. Therefore, it is possible to allow a network administrator to intuitively recognize the security status of a wireless network by collecting RF signal information and security event information from the wireless network, mapping the RF signal information and the security event information based on the correlation therebetween and displaying the result of the mapping. | 06-24-2010 |
20100169967 | Apparatus and method for runtime integrity verification - In some embodiments, a processor-based system may include at least one processor, at least one memory coupled to the at least one processor, a code block, and code which is executable by the processor-based system to cause the processor-based system to generate integrity information for the code block upon a restart of the processor-based system, securely store the integrity information, and validate the integrity of the code block during a runtime of the processor-based system using the securely stored integrity information. Other embodiments are disclosed and claimed. | 07-01-2010 |
20100169968 | PROCESSOR EXTENSIONS FOR EXECUTION OF SECURE EMBEDDED CONTAINERS - Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed. | 07-01-2010 |
20100169969 | FUNCTIONAL PATCHING/HOOKING DETECTION AND PREVENTION - A method for preventing malicious attacks on software, using the patching method, includes providing a database of legitimate and known patches, the database contains characteristic code paths of said legitimate patches. The method also includes detecting whether a patch is malicious by inspecting one or more characteristic paths of the patch and matching one or more code paths against the database of legitimate and known patches. An activity needed to prevent the malicious patch from performing undesired activities is then performed. | 07-01-2010 |
20100169970 | SYSTEM AND METHODS FOR DETECTING MALICIOUS EMAIL TRANSMISSION - A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique. | 07-01-2010 |
20100175129 | METHOD FOR NOTIFICATION UPON EXPOSURE TO OFFENSIVE BEHAVIOURAL PATTERNS IN COLLABORATION - A system and method for protecting a user from offensive behavior in communications and notifying the user and/or an enforcement entity of the offensive behavior. The offensive content analysis system monitors communications between users for offensive behavior. The offensive content analysis system may measure the level of current offense in the communication and determine a historical offensive behavior pattern for the user. The offensive content analysis system may then determine if the offensive behavior, both current and historical, rises to a threshold behavior level. The offensive content analysis system may take notification action if the offensive behavior meets the threshold level. | 07-08-2010 |
20100175130 | Pattern-Recognition Processor with Matching-Data Reporting Module - Disclosed are methods and devices, among which is a device that includes a pattern-recognition processor. The pattern-recognition processor may include a matching-data reporting module, which may have a buffer and a match event table. The buffer may be coupled to a data stream and configured to store at least part of the data stream, and the match event table may be configured to store data indicative of a buffer location corresponding with a start of a search criterion being satisfied. | 07-08-2010 |
20100175131 | METHOD AND SYSTEM FOR NETWORK PROTECTION AGAINST CYBER ATTACKS - A method, system, and device for protecting networking computers or devices from cyber attacks, including periodically changing cyber coordinates of a communications network or system; communicating the changed cyber coordinates to corresponding or reciprocal networks and/or devices so they can maintain communications; detecting a cyber attack or receiving notification from the corresponding or reciprocal networks and/or devices of a cyber attack; and changing the cyber coordinates of the network or system upon such detection or notification and communicating the changed cyber coordinates to the corresponding or reciprocal networks and/or devices. | 07-08-2010 |
20100180340 | Method and System for Filing and Monitoring Electronic Claim Submissions in Multi-Claimant Lawsuits - The invention relates to systems and methods for filing and monitoring electronic claim submissions in proceedings involving a large number of claimants, such as securities class action lawsuits, estate dissolutions, arbitrations, and bankruptcies. The systems and methods create an easy-to-use and convenient way for institutions and individual claimants to register their claim relief upon judgment or settlement. | 07-15-2010 |
20100180341 | METHOD FOR PROTECTION A NETWORK THROUGH PORT BLOCKING - A method for protecting a network against a security attack from a user, and in particular, for a layer 2 switch, against a MAC flooding attack. Here, the MAC flooding attack floods the layer 2 switch with at least one packet, a database is provided which saves a MAC address and its allocation, and the database has a maximum quantity. According to the method, an interface between the user of the network and a network access functions as a line of demarcation. When the limit of the maximum quantity for a port is reached, the port is blocked during a blocking time. This not only protects the first access node, but also the following network nodes and users respectively, against a security attack. | 07-15-2010 |
20100180342 | Method for Using Extended Security System, Extended Security System and Devices - Embodiments of the present invention disclose a method for using an extended security system, including: configuring one of security processing devices in the extended security system as a primary security processing device and configuring other security processing devices as at least one secondary security processing device connected with the primary security processing device; the method further includes: when the extended security system receives an external packet, selecting, by the primary security processing device, a security processing device to process the received external packet, the selected security processing device being the primary security processing device or the secondary security processing device. The embodiments of the present invention also disclose an extended security system and a primary security processing device and secondary security processing devices. By data interaction between the security processing devices, resource sharing between the security processing devices can be implemented, thereby improving the performance of the extended security system. | 07-15-2010 |
20100186086 | METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of: sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates. | 07-22-2010 |
20100186087 | PROCESSING PACKET STREAMS - Systems and methods are disclosed that includes a data-bus, system memory, a first processor arranged to receive an input stream, and a second processor programmed to apply one or more security algorithms to secure packets of the input stream to generate at least partially security-processed packets. | 07-22-2010 |
20100192222 | MALWARE DETECTION USING MULTIPLE CLASSIFIERS - A method of identifying a malware file using multiple classifiers is disclosed. The method includes receiving a file at a client computer. The file includes static metadata. A set of metadata classifier weights are applied to the static metadata to generate a first classifier output. A dynamic classifier is initiated to evaluate the file and to generate a second classifier output. The method includes automatically identifying the file as potential malware based on at least the first classifier output and the second classifier output. | 07-29-2010 |
20100192223 | Detecting Malicious Network Content Using Virtual Environment Components - Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed. | 07-29-2010 |
20100205668 | APPARATUS AND METHOD FOR SPAM CONFIGURATION - An apparatus and a method for spam registration in a portable terminal are provided. The method includes determining whether there is a spam registration request for a number, determining, when there is the spam registration request for the number, whether a spam registration prohibit condition (a condition under which the number is not to be registered as spam) is satisfied, and not registering the number as spam when the spam registration prohibit condition is satisfied. | 08-12-2010 |
20100205669 | 0-TOUCH AND 1-TOUCH TECHNIQUES FOR IMPROVING THE AVAILABILITY OF COMPUTER PROGRAMS UNDER PROTECTION WITHOUT COMPROMISING SECURITY - Protected software, such as an application and/or DLL, is monitored by protective software to guard against attacks, while distinguishing spurious, benign events from attacks. In a 1-touch approach, the protected software is monitored in a testing environment to detect spurious, benign events caused by, e.g., incompatibility or interoperability problems. The spurious events can be remediated in different ways, such as by applying a relaxed security policy. In a production mode, or 0-touch mode, when the protected software is subject to attacks, the corresponding remediation can be applied when the spurious events are again detected. Security events which occur in production mode can also be treated as benign when they occur within a specified time window. The applications and/or DLLs can further be classified according to whether they are known to have bad properties, known to be well-behaved, or unknown. Appropriate treatment is provided based on the classification. | 08-12-2010 |
20100212010 | SYSTEMS AND METHODS THAT DETECT SENSITIVE DATA LEAKAGES FROM APPLICATIONS - In embodiments, the present invention may be a computer program product embodied in a computer readable medium that, when executing on one or more computers, may select a software application for monitoring, where the selection may be based at least in part on the basis that the software application controls confidential information, and where the software application may be an end-point application, a web application, a cloud application, and the like. The present invention may monitor the software application by determining an output data quantity that may be written from the software application. The output data may then be compared with a predetermined quantity, where the predetermined quantity may be indicative of confidential information being written from the software application. | 08-19-2010 |
20100212011 | METHOD AND SYSTEM FOR SPAM REPORTING BY REFERENCE - Methods and systems for spam reporting by reference are described. In one embodiment, an electronic message may be received by a mobile electronic device. A spam report may be transmitted from the mobile electronic device to a report server. The spam report may notify the report server that the electronic message is spam and include a reference to the electronic message without including the electronic message itself. The reference may be usable to identify the received message. | 08-19-2010 |
20100218250 | NETWORK MONITORING APPARATUS, NETWORK MONITORING METHOD, AND NETWORK MONITORING PROGRAM - A traffic monitoring system ( | 08-26-2010 |
20100218251 | Detection of Artificially Generated System Load - A system and method are provided for detecting artificially generated load on a search system. The system may include a load monitoring component for monitoring a current load for comparison with an expected load. The system may additionally include an abnormality detection component for detecting an abnormality when the monitored load exceeds an expected amount by a predetermined threshold. The system may further include an analysis component for determining if the monitored load is an artificial load. | 08-26-2010 |
20100218252 | NETWORK PROTECTION VIA EMBEDDED CONTROLS - The present disclosure provides a method for providing network protection. A method according to one embodiment may include detecting an infected data packet at an in-line device. The method may further include receiving a first instruction from the in-line device at a central management server, the instruction identifying the origin of the infected data packet. The method may also include receiving a marking instruction from the central management server at an infected endpoint device and marking outgoing data packets at the infected endpoint device to create marked data packets. Of course, many alternatives, variations and modifications are possible without departing from this embodiment. | 08-26-2010 |
20100223668 | APPARATUS AND METHOD FOR MANAGING TERMINAL USERS - The present invention relates to an apparatus and method of managing terminal users that is capable of securely managing personal information and data of a user in a mobile terminal. An embodiment of the present invention provides an apparatus and method of managing terminal users that monitors whether a terminal of a user is abnormally used, including whether the terminal is not used over a predetermined period of time, to collect and check data, and, when it is determined that the terminal is abnormally used as a checked result, forces the user to log out. Therefore, a login situation of the user can be accurately recognized, and the internal operation of the terminal can be secured from external users to securely manage user data and improve security. | 09-02-2010 |
20100229235 | REGION ACCESS AUTHORIZATION IN A VIRTUAL ENVIRONMENT - The passage of avatars into and out of regions in a virtual universe is regulated through the use of secure communications between and among the avatar, an authority managing of the region and a trusted third party who maintains a database of avatar characteristics. Permission to move from one virtual region to another is determined based upon the avatar characteristics. | 09-09-2010 |
20100229236 | METHOD AND SYSTEM FOR SPAM REPORTING WITH A MESSAGE PORTION - Methods and systems for spam reporting with a message portion are described. In one embodiment, an electronic message is received on a mobile electronic device. A spam report policy is used on the mobile electronic device to identify a portion of the electronic message to include with a spam report. The spam report is transmitted from the mobile electronic device to a server, the spam report notifying the server that the electronic message is spam and including the portion of the electronic message without including a copy of the entire electronic message. | 09-09-2010 |
20100229237 | Dual Use Counters for Routing Loops and Spam Detection - A method for detecting an undesirable condition within a messaging network. A message is received and a source of the message is identified. If an entry in a database for the source has not been created, an entry is created. A source counter for the source is then set to one and a timestamp is created for the source. If an entry in the database for the source has been previously created, the source counter is incremented by one and the timestamp is updated. The source counter is then compared to a source threshold, and if the source counter exceeds the source threshold over the course of a predetermined amount of time, a source alarm is triggered. A sliding window with respect to the predetermined amount of time may also be implemented to account for total counts that may fall across or be split by set periods of time. The invention is particularly useful for detecting “spam” events and undesirable routing loops. | 09-09-2010 |
20100235908 | System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Analysis - A system and method for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of parameters or fields that identify the actions performed on a website, including parameters or fields related to previous actions by that user or other users of the website. The parameters or fields are represented in a vector format where each vector represents a different session of activity on the website, page of the website, user of the website, or other attribute of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions. | 09-16-2010 |
20100235909 | System and Method for Detection of a Change in Behavior in the Use of a Website Through Vector Velocity Analysis - A system and software for identifying the change of user behavior on a website includes analyzing the actions of users on a website comprising a plurality of fields or input parameters that identify the actions performed on a website including fields related to previous actions by that user or other users of the website. The fields or input parameters are represented in a vector format where vectors represent different sessions of activity on the website, pages of the website, users of the website, or other attributes of the use of a website. Analysis is performed to determine if new sessions are similar or dissimilar to previously known sessions and if a session is converging or diverging from known sessions based on the velocity and direction of the velocity of the vectors in the vector space. | 09-16-2010 |
20100235910 | SYSTEMS AND METHODS FOR DETECTING FALSE CODE - Systems and methods for detecting false code in web pages linked to a web site are provided. One system includes a web server for administering the web site and a surveillance server for collecting generated or updated web pages from among the web pages linked to the web site, selecting tags of a given tag type included in the collected web pages, determining whether the selected tags comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result. One method includes collecting web pages that were generated or updated within a set time period from among the web pages linked to the web site, determining whether tags included in the collected web pages comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result. | 09-16-2010 |
20100235911 | SYSTEMS, METHODS, AND COMPUTER READABLE MEDIA FOR DETECTING AND MITIGATING ADDRESS SPOOFING IN MESSAGING SERVICE TRANSACTIONS - Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. A messaging service firewall (MSF) separate from a short message service center (SMSC) receives a mobility management reply message (MMR) that is sent by a mobile location register element in response to an associated mobility management query (MMQ) and that includes a serving switch identifier. The MSF allocates a global title address (GTA) from a pool of GTAs and stores a correlation between the allocated GTA and the originating SMSC. The MSF replaces the serving switch identifier in the MMR with the allocated GTA and routes the modified MMR. The MSF then receives a messaging service message (MSM) that is addressed to the allocated GTA and that includes the purported originating SMSC. If the purported originating SMSC does not match the SMSC to which the GTA is correlated, the MSM is discarded. | 09-16-2010 |
20100242109 | METHOD AND SYSTEM FOR PREEMPTIVE SCANNING OF COMPUTER FILES - In embodiments of the present invention improved capabilities are described for reducing computer file access time associated with on-access scanning through predictive preemptive scanning, where the prediction may be enabled through the development and use of a file access performance cost mapping of a computing facility's file system. In a first step, file access information describing a pattern of each of a plurality of computer files that have been accessed in a computer file system may be collected. In a second step, the file access information may be processed to generate a file access performance cost statistic for each of the plurality of computer files, where the file access performance cost statistic may be a measure of the time aggregate effect on the computing facility's system performance associated with the access of the file. In a third step, the file access performance cost statistic may be maintained for each of the plurality of files accessed by the computing facility. In a fourth step, the file access performance cost mapping of the computing facility's file system relating to the plurality of computer files may be generated, where the file access performance cost mapping may provide an indication of which of the plurality of files in the file system produce the greatest time aggregate file access effect based on the computing facility's system performance. Finally, in a fifth step, files from the computer file system may be pre-scanned based on the file access performance cost mapping. In embodiments, pre-scanning may access at least one of the plurality of files for scanning prior to the file being called for a use, such as by an operating system, an application, a utility program, and the like. The step of pre-scanning may be performed during periods of low computing facility processing activity, and may result in a reduced need to scan the computer file when the computer file is accessed for use. | 09-23-2010 |
20100242110 | Widget Security - A widget security system, method and computer-readable medium detects a security event associated with a widget, assesses the risk associated with the security event, and initiates a security action based on the assessed risk. | 09-23-2010 |
20100242111 | Methods and apparatus providing computer and network security utilizing probabilistic policy reposturing - A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model. | 09-23-2010 |
20100242112 | SYSTEM AND METHOD FOR PROTECTING NETWORK RESOURCES FROM DENIAL OF SERVICE ATTACKS - The present disclosure generally pertains to systems and methods for protecting network resources from denial of service attacks. In one exemplary embodiment, a responder stores an access filter value used to determine whether an incoming message frame has been transmitted from an authorized user. In this regard, a user communication device includes logic for determining the access filter value stored at the responder and includes the access filter value in a message frame transmitted from the computer to the responder. The responder compares the received access filter value to the stored access filter value. If such values match or otherwise correspond, the responder authenticates the message frame. However, if such values do not match or otherwise correspond, the responder discards the message frame. Thus, the responder processes authenticated message frames and discards unauthenticated message frames thereby preventing denial of service attacks from malicious users. | 09-23-2010 |
20100251362 | DYNAMIC SPAM VIEW SETTINGS - A method of displaying email messages to a user is provided. Spam classification information and metadata are associated with email messages received for a user. Email message summary information is displayed in a user interface based on whether the metadata associated with the message meets or exceeds a threshold display level for the summary information. The user provides input via the user interface which is an indication to change the threshold display level, and the change is dynamically displayed. | 09-30-2010 |
20100251363 | MODIFIED FILE TRACKING ON VIRTUAL MACHINES - In embodiments of the present invention improved capabilities are described for tracking modified files on a virtual machine including the steps of identifying an altered disk sector, associating the altered disk sector with code that is operated in a virtual machine, and causing a malicious code scan to be performed on the code. | 09-30-2010 |
20100251364 | METHOD AND APPARATUS FOR CLASSIFYING HARMFUL PACKET - A network apparatus and method of classifying received packets based on a predetermined standard are disclosed. The method of classifying received packets in a security system comprises parsing a received packet and extracting a payload from the parsed packet; scanning the payload to check whether or not a predetermined signature code is included in the payload; if it is determined from the result of the scanning that the predetermined signature code is included in the payload, generating a presumptive signature based on information included in the predetermined signature code; and determining whether or not the generated presumptive signature is identical with a signature corresponding to the predetermined signature code, and allocating a classification identifier (ID) to the received packet according to the result of the determination, thereby classifying the received packet according to the classification ID, wherein the predetermined signature code is formed by a part of the signature corresponding to the signature code. Accordingly, possible harmful packets such as attack packets can be classified at high speed and thereby blocked immediately. | 09-30-2010 |
20100251365 | DYNAMIC SCANNING BASED ON COMPLIANCE METADATA - In embodiments of the present invention improved capabilities are described for systems, methods, and devices that assess a metadata factor associated with metadata of code to determine a compliance state of said code; assign or adjust a security sensitivity factor based at least in part on said compliance state of said code; and provide a security facility with an indicator of how aggressively to monitor the code for malicious code infection. | 09-30-2010 |
20100251366 | DISCOVERY OF THE USE OF ANONYMIZING PROXIES BY ANALYSIS OF HTTP COOKIES - In embodiments of the present invention improved capabilities are described for systems, methods, and devices that determine whether a website request is from a proxy website or an anonymizer. Embodiments intercept a website request from an end point; identify at least one cookie present in said website request; analyze a predetermined characteristic of said website request, where the predetermined characteristic is associated with the cookie; and apply a rule corresponding to said predetermined characteristic to make the determination as to whether the request is from a proxy website or anonymizer. | 09-30-2010 |
20100251367 | METHOD AND APPARATUS FOR PROVIDING INFORMATION ASSURANCE ATTRIBUTES THROUGH A DATA PROVIDENCE ARCHITECTURE - A method and apparatus that provides information assurance attributes through a data providence architecture is disclosed. The method may include receiving a message having a data provenance wrapper, examining each data provenance record of the message and any attachments for discrepancies, identifying any discrepancies in the examination of each data provenance record of the message and any attachments, calculating a degree of trust based on any discrepancies identified in the examination of each data provenance record of the message and any attachments, and outputting the degree of trust to the user. | 09-30-2010 |
20100251368 | SYSTEM AND METHOD FOR HANDLING AN EVENT IN A COMPUTER SYSTEM - Systems for handling an event in a computer system which has a kernel-mode and a user-mode. The systems comprise at least one computing device. The computing device is configured to suspend an occurrence of the event in the kernel-mode of an operating system running thereon. The computing device is also configured to cause the event to occur in the user-mode of the operating system. The computing device is further configured to determine if an occurrence of the event in the kernel-mode will compromise the computer system by analyzing the occurrence of the event in the user-mode. If it is determined that the occurrence of the event in the kernel-mode will compromise the computer system, then the computing device executes at least one security measure. | 09-30-2010 |
20100263045 | SYSTEM FOR RECLASSIFICATION OF ELECTRONIC MESSAGES IN A SPAM FILTERING SYSTEM - A method for indicating probability of spam for email comprises tracking network traffic characteristics for the email, and comparing the tracked characteristics for the email to characteristics for email from trusted or known spam sources. | 10-14-2010 |
20100263046 | SECURITY WRAPPER METHODS AND SYSTEMS - In one example, a web content security system embedded in a computer-usable storage medium that identifies potential threats when executed by one or more processors is provided. The web content security system includes a communications monitor module that monitors at least one of data communications between web objects on a web page and data communications between web objects on a web page and a server, and that identifies a potential threat based on the data communications. A logger module generates report data based on the identified potential threat. | 10-14-2010 |
20100263047 | GROUP INTERCOM, DELAYED PLAYBACK, AND AD-HOC BASED COMMUNICATIONS SYSTEMS AND METHODS - Methods and apparatuses for escalating a problem with a personal communications device in a wireless communications network, each personal communications device having at least one communications session associated therewith, at least one process associated therewith, at least one IP address associated therewith and at least one personal communications device identification associated therewith. A problem is identified with a particular communications session associated with a particular personal communications device. The particular communications session is excluded from the wireless communications network. The device determines if the problem associated with the particular communications session has exceeded a problem threshold. If the problem associated with the particular communications session has exceeded a problem threshold, the exclusion of the particular communications session. | 10-14-2010 |
20100269174 | SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK - The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers. | 10-21-2010 |
20100269175 | METHODS, SYSTEMS, AND MEDIA FOR MASQUERADE ATTACK DETECTION BY MONITORING COMPUTER USER BEHAVIOR - Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment. | 10-21-2010 |
20100269176 | Content Playback Apparatus and Content Playback Method - According to one embodiment, a content playback apparatus which acquires desired content from a specific site accessed via a network and plays back the acquired content, comprises a determination module configured to determine, when a data input request is received from a currently accessed site, whether or not the site is at least a site included in the specific site, and a controller configured to generate, when the determination module determines that the currently accessed site is not included in the specific site, a warning that advises accordingly. | 10-21-2010 |
20100269177 | SWITCHING NETWORK EMPLOYING A USER CHALLENGE MECHANISM TO COUNTER DENIAL OF SERVICE ATTACKS - A communication infrastructure includes an intermediate routing node that routes a plurality of packets between a source device and a plurality of destination devices, a plurality of templates stored on the intermediate routing node and a service function. The intermediate routing node, e.g., a switch, router, access point, bridge, or gateway, identifies packets containing requests for a webpage, the requests being a service attack attempt, by comparing the packet with the plurality of templates. Then, the intermediate routing node denies the service attack by interacting with the server and client devices. That is, the intermediate routing node sends messages with a challenge mechanism to the server and, based on the response or otherwise, sends messages and anti-service-attack downloads to the client devices and receives their responses. | 10-21-2010 |
20100281535 | Electronic message delivery with estimation approaches - Interfaces for message delivery approaches are disclosed. The interface may include pages for administering accounts for senders, pages for administering message processing systems, and pages for viewing information about senders or message processing systems. In another aspect, automatic alert mechanisms are disclosed. The alert mechanisms send a message to one or more users or machines that have been registered to receive alerts. Alerts may be triggered by any event related to a sender, a message, or a message processing system or may be triggered by any other condition or event. In another aspect, techniques for automatically disabling senders are disclosed. The automatic disabling of a sender may be triggered by any event related to a sender, a message, or a message processing system or may be triggered by any other condition or event. | 11-04-2010 |
20100281536 | PHISH PROBABILITY SCORING MODEL - In general, embodiments of the invention relate to systems, methods, and computer program products for determining the probability that a given website is conducting or is related to fraudulent activity, including phishing activity. More particularly, embodiments of the invention relate to automatically monitoring and scoring URLs for fraudulent activity by parsing keywords, combinations of keywords, and other relevant data from an input communication, such as an email, and analyzing the data obtained against a database containing a plurality of grading factors. | 11-04-2010 |
20100281537 | SECURE MULTI-PRINCIPAL WEB BROWSER - A web browser operating system using a browser kernel places principals having different origins in separate principal instances, where each separate principal instance executes in a separate protection domain. Principal origin may be determined using the combination of protocol, domain name, and port. The browser kernel mediates communications between principal instances, and between the principal instances and the operating system. Within each principal instance, a browser runtime executes as a restricted operating system process (ROSP), while any plugins are executed as a separate ROSP. Renderings from each browser runtime are combined by the browser kernel for presentation to a user. | 11-04-2010 |
20100281538 | Identification of Content by Metadata - Systems and methods for identifying content in electronic messages are provided. An electronic message may include certain content. The content is detected and analyzed to identify any metadata. The metadata may include a numerical signature characterizing the content. A thumbprint is generated based on the numerical signature. The thumbprint may then be compared to thumbprints of previously received messages. The comparison allows for classification of the electronic message as spam or not spam. | 11-04-2010 |
20100287613 | SANITIZATION OF PACKETS - Methods, systems, and computer-readable media are disclosed for packet sanitization. A particular method intercepts a packet of a packet stream, where the packet stream is transmitted in accordance with a particular protocol. The packet is analyzed based on a specification associated with the particular protocol. Based on the analysis, a data value of a field of the packet is replaced with a sanitized data value to create a sanitized packet. The sanitized packet may be injected into the packet stream or may optionally be forwarded to a signature module that checks the sanitized packet for malicious content. When malicious content is found, the sanitized packet may be dropped, the sanitized packet may be logged, the sanitized packet may be redirected, or a notification regarding the sanitized packet may be sent to an administrator. | 11-11-2010 |
20100287614 | Decoding method for a probabilistic anti-collusion code comprising the selection of the collusion strategy - The invention relates to a decoding method for a probabilistic anti-collusion code aiming to identify at least one sequence of the code present in a multimedia content having served in the creation of an illegal copy of the multimedia content, this method comprising a step of selection of the collusion strategy used to constitute the illegal copy from among a set of collusion strategy models. In addition, the invention relates to a method for filtering sequences of a probabilistic anti-collusion code for the decoding of this code aiming to identify at least one sequence of the code present in a multimedia content having served in the creation of an illegal copy of the multimedia content comprising a step of selection of a sub-group of the smallest possible sequences of code containing at least one sequence present in a multimedia content having served in the creation of the illegal copy by comparing for each sequence of the code and for a selected given symbol index, the symbol of the sequence of the code with the symbol of the sequence contained in the illegal copy. | 11-11-2010 |
20100293614 | Method, Apparatus, and Computer Program for Providing Application Security - In response to an initialization of the apparatus, a validation value is calculated for each of a plurality of application executable files and the validation values are stored in a protected memory portion of random access memory. An attempt to launch an application on the apparatus is determined, and a current validation value for an executable file associated with the application is calculated. The current validation value is compared with a corresponding one of the stored validation values, and launching of the application is regulated based on results of the comparison. | 11-18-2010 |
20100293615 | METHOD AND APPARATUS FOR DETECTING THE MALICIOUS BEHAVIOR OF COMPUTER PROGRAM - A method and an apparatus for detecting malicious behavior of a computer program are disclosed. The method and apparatus analyze behavior characteristics of a malicious program using the concept of a monitored process set. The method comprises: monitoring an action executed by the computer program; searching for a process set associated with the monitored action within a library of monitored process sets, the process set including information of suspicious processes correlated with each other in creating relationships; and if the process set associated with the monitored action is found, judging whether the monitored action belongs to malicious behavior by correlation analysis based on information recorded in the process set found. | 11-18-2010 |
20100299752 | Identification of Content - Systems and methods for identifying content in electronic messages are provided. An electronic message may include certain content. The content is detected and analyzed to identify any metadata. The metadata may include a numerical signature characterizing the content. A thumbprint is generated based on the numerical signature. The thumbprint may then be compared to thumbprints of previously received messages. The comparison allows for classification of the electronic message as spam or not spam. | 11-25-2010 |
20100299753 | Method of Preventing TCP-Based Denial-of-Service Attacks on Mobile Devices - Provided is a method of preventing a Transmission Control Protocol (TCP)-based Denial of Service (DoS) attack on a mobile device. The method efficiently prevents a DoS attack on a mobile device, an attack which wirelessly and constantly transmits TCP packets to the mobile device using the TCP protocol and thereby exhausts resources of the wireless network and also the battery power of a battery-dependent mobile device. An attack conventionally made in a wired network by abusing TCP-based three-way handshaking is more severe in the wireless network of mobile devices. To prevent such an attack on a mobile device, the method, which is capable of checking three-way handshaking and each transition operation, makes the mobile device check whether or not a received TCP packet is valid. Therefore, it is possible to efficiently prevent a DoS attack from exhausting wireless resources and battery power of the mobile device. | 11-25-2010 |
20100306844 | APPLICATION INFORMATION TAMPERING MONITORING APPARATUS AND METHOD - A tampering monitoring apparatus ( | 12-02-2010 |
20100319069 | INTEGRATED CYBER NETWORK SECURITY SYSTEM AND METHOD - A computer system for providing security in a computer network includes: a global sensor device configured to determine potential threats to the computer network; a global threat manager device configured to determine identification information associated with the potential threats; and a local security device configured to detect the existence of the potential threats based on the identification information and to take remedial action in response to the potential threats. The system also provides for responding to network attacks in a sufficiently granular method that is optimized according to the current state of the network by maintaining a virtual model of the network; detecting a network attack; generating a plurality of alternative candidate remedial responses to the network attack; and determining a potential network impact of each candidate remedial response using the virtual model of the network. | 12-16-2010 |
20100325726 | UNAUTHORIZED OPERATION MONITORING PROGRAM, UNAUTHORIZED OPERATION MONITORING METHOD, AND UNAUTHORIZED OPERATION MONITORING SYSTEM - It is possible to provide an unauthorized operation monitoring program for calculating a modified score by reflecting a suspicious value determined from a series of operations by a user who operates a computer, in order to monitor an unauthorized operation on the computer. When a modified score that indicates the probability of an unauthorized operation is calculated for an object event, a suspicious value (PSV) corresponding to the level of the calculated modified score is set. When a new event occurs next, for the score (direct score) calculated for the new event, a modified score is calculated that reflects the PSV set for the previous event and the time difference between the previous event and the new event. When operations for which the probability of an unauthorized operation is high are performed continuously, or when operations with a high suspicious value are repeated, a higher level of modified score is calculated. | 12-23-2010 |
20100325727 | SECURITY VIRTUAL MACHINE FOR ADVANCED AUDITING - A security system collects an audit trail on a computer outside of a boundary created by one or more virtual machines. The security system uses a privileged virtual machine to collect audit logs for each protected virtual machine. As the protected virtual machines run, they send auditing information to the privileged virtual machine. The privileged virtual machine can collect auditing information from protected virtual machines much more quickly than a network server, as well as collecting auditing events from multiple protected virtual machines. Because the auditing destination is located on the same computer as the virtual machine monitored by the audit trail, no network dependency is present. Thus, the security system allows for monitoring the activity of administrators and other users while preventing tampering with the audit trail of each user's actions. | 12-23-2010 |
20100333199 | Method and system for scanning a computer system for sensitive content - A computer-implemented method for scanning a computer system for sensitive data. A scan manager manages a scan of files of a second computer. The scan manager receives a request to scan and identify files stored on the second computer based on at least one category of sensitive data. The scan manager receives scan report recipient information and generates a user profile based on the at least one category and the recipient information. The scan manager makes the user profile available to a category server for use in creating a scan profile defining the scan criteria and deploys a scan agent to a computer to conduct the scan based on the scan profile. When the scan is complete and upon creation of the scan report, the scan manager makes the scan report available to the intended recipients. | 12-30-2010 |
20100333200 | METHOD AND APPARATUS FOR SPAM MESSAGE DETECTION - A method, apparatus and computer program product for spam message detection. The method includes collecting time domain transmission characteristic of a message source; computing frequency domain transmission characteristic of the message source with the time domain transmission characteristic of the message source; and identifying the message source to be a spammer in response to the frequency domain transmission characteristic of the message source satisfying predefined criteria; wherein the steps of the method are carried out using a computer device. An apparatus and computer program product for carrying out the above method is also provided. | 12-30-2010 |
20100333201 | SYSTEM, METHOD, AND PROGRAM FOR DETERMINING VALIDITY OF STRING - A computer-implemented method, program product, and system for determining the validity of a string generated by a computer programming language program. The method includes: abstracting a constraint between variables extracted from a source code for a programming language, describing the constraint in M2L, and storing the constraint; and evaluating the validity of the string on an M2L solver on the basis of the constraint and a M2L specification to determine whether the string is safe or unsafe. | 12-30-2010 |
20100333202 | METHOD AND DEVICE FOR DEFENDING AGAINST ATTACKS TO SYSTEMS COMPRISING A PLUG & PLAY FUNCTION - Method for recognizing attacks to at least one interface of a computer system, in particular an automated self-service machine, comprising: monitoring the interface in order to determine changes at the interface; if changes occur, the change is used to determine the probability that an unallowed attack is occurring at the interface; if the probability is beyond a defined threshold, defensive maneuvers are introduced. | 12-30-2010 |
20110010771 | DETECTING A DENIAL OF SERVICE ATTACK - A plurality of ranging processes are performed to monitor a status of a wireless link associated with a device identifier. A ranging request that includes the device identifier and a message skip indicator is received. It is determined that the device identifier is already associated with the wireless link. A duration since a previously completed ranging process is determined. Based on the duration, and the message skip indicator, it is determined whether to respond to the ranging request. | 01-13-2011 |
20110010772 | File System Event Tracking - Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a previously captured file system event are also intercepted and recorded. Predefined patterns of file system events may be aggregated and reported as a single event. | 01-13-2011 |
20110016522 | INTRUSION DETECTION SYSTEMS AND METHODS - Systems and methods for intrusion and virus detection in computer networks. Data from a file, network byte stream, or other source is segmented and resulting data items are subjected to multiple processing techniques to obtain respective result values, or thumbprints. The multiple thumbprints for respective data items are then aggregated to obtain a single result value, or aggregate thumbprint. The components of the aggregate thumbprint may be “fuzzified” to allow for less preciseness in the single result value. The aggregate thumbprint is compared to other similarly generated aggregate thumbprints stored in a library. Alerts may be generated when the same aggregate thumbprint is detected multiple times. | 01-20-2011 |
20110016523 | APPARATUS AND METHOD FOR DETECTING DISTRIBUTED DENIAL OF SERVICE ATTACK - An apparatus for detecting a distributed denial of service (DDoS) attack includes: a monitoring unit for monitoring multiple GET requests and responses transmitted and received depending on a session establishment between a client and a server; and an attack detection unit for analyzing the monitored multiple GET requests and responses between the client and the server to detect a traffic of the DDoS attack against the server. | 01-20-2011 |
20110016524 | BLIND VERIFICATION OF COMPUTER FIRMWARE - The means for using zero-knowledge protocols to provide assurance that the executable program instructions in a particular computing device are identical to a given set of executable program instructions, without revealing the executable program instructions themselves, are disclosed. | 01-20-2011 |
20110023114 | Method and System For Traffic Management Via Virtual Machine Migration - Aspects of a method and system for traffic management via virtual machine migration include detecting an abnormal traffic pattern in traffic communicated by a first virtual machine that utilizes a first set of network resources. Responsive to the detection of the abnormal pattern, a second virtual machine that utilizes a second set of network resources may be initialized. The second virtual machine may take over functions performed by the first virtual machine, and initialization of the second virtual machine is based on an analysis of the traffic. The second virtual machine may be initialized utilizing stored virtual machine state information in instances where the abnormal traffic is a result of a malicious attack. The second virtual machine may be initialized utilizing current virtual machine state information in instances where the abnormal traffic is not a result of a malicious attack. | 01-27-2011 |
20110023115 | HOST INTRUSION PREVENTION SYSTEM USING SOFTWARE AND USER BEHAVIOR ANALYSIS - In embodiments of the present invention improved capabilities are described for threat detection using a behavioral-based host-intrusion prevention method and system for monitoring a user interaction with a computer, software application, operating system, graphic user interface, or some other component or client of a computer network, and performing an action to protect the computer network based at least in part on the user interaction and a computer code process executing during or in association with a computer usage session. | 01-27-2011 |
20110023116 | METHOD AND APPARATUS FOR SPAM SHORT MESSAGE DETECTION - A method and apparatus for spam short message detection. The method includes obtaining sending characteristics of at least two suspected short message sources, judging whether the two suspected short message sources have similar sending characteristics, and determining the two suspected short message sources as spammer if they have similar sending characteristics. A spammer that makes multiple short message sources send short messages alternately can be detected through similar sending characteristics of the short message sources. | 01-27-2011 |
20110023117 | Method and System for Restricting Access to User Resources - A user's set top box (STB), or other client, executes a shell and has an application program interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS), which controls access to a walled garden. The walled garden contains links to one or more servers providing network-based services. The client sends a request to the WGPS to access a service provided by a site in the garden. To provide the service, the site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The ACL is a bit-map that specifies which functions of the client's API can be invoked by code from the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. The shell uses the ACL to determine whether the code has permission to execute any called functions in the API. If the code lacks permission, the shell stops execution and sends a message to the site indicating that the site lacks permission. Otherwise, the shell allows the code to call the function. | 01-27-2011 |
20110030054 | Progressive wiretap - Disclosed is a method and system for identifying a controller of a first computer transmitting a network attack to an attacked computer. To identify an attacker implementing the attack on the attacked computer, the present invention traces the attack back to the controller one hop at a time. The invention examines traces of the attacked computer to identify the first computer. Traffic transmitted to the first computer is redirected through a monitoring complex before being transmitted to the first computer. The controller is then detected from traffic monitoring by the monitoring complex. | 02-03-2011 |
20110030055 | Detecting Spoofing in Wireless Digital Networks - Detecting spoofing in a digital network. Packets of information in a digital network using a shared medium contain a unique identifier for the device originating the packet. An individual device may be transmitting, or receiving, but not both. If a device receives a packet containing its unique identifier as the origin address, that packet must have been transmitted by another device, and a spoofing alert is raised. | 02-03-2011 |
20110035800 | MALICIOUS ADVERTISEMENT MANAGEMENT - Methods and systems are provided for managing malicious advertisements, including threats or risks posed by malicious advertisements or potentially malicious or risky advertisements. Methods are provided in which an advertisement is tested to determine behavioral characteristics at a non-active time and at an active time, and the two sets of characteristics are compared. If a difference is determined to exist, an action is taken that reflects a higher chance of the advertisement being malicious than if no difference was detected. Furthermore, the characteristics at a non-active time may be used in determining a degree of risk associated with an advertisement. | 02-10-2011 |
20110035801 | METHOD, NETWORK DEVICE, AND NETWORK SYSTEM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACK - A method for defending a distributed denial of service (“DDoS”) attack includes analyzing at least one of a running status of a server or a network data stream flowing to the server at the server side to detect whether a DDoS attack occurs on the server and notifying a data stream cleaner that the data stream cleaner needs to clean the network data stream flowing to the server, if the DDoS attack occurs on the server. | 02-10-2011 |
20110041178 | AUDITING A DEVICE - The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. Initialization information is also received. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier. | 02-17-2011 |
20110047617 | PROTECTING AGAINST NETWORK RESOURCES ASSOCIATED WITH UNDESIRABLE ACTIVITIES - Various embodiments provide protection against web resources associated with one or more undesirable activities. In at least some embodiments, a method detects and responds to a user-initiated activity on a computing device. Responding can include, by way of example and not limitation, checking locally, on the computing device, whether a web resource that is associated with the user-initiated activity has been identified as being associated with a safe site. Furthermore, in at least some embodiments, the method checks remotely, away from the computing device, whether the web resource is identified as being at least possibly associated with one or more undesirable activities. | 02-24-2011 |
20110055920 | METHOD AND SYSTEM FOR AUTONOMOUS CONTROL AND PROTECTION OF COMPUTER SYSTEMS - A management system includes a plurality of components within a computer system. A plurality of component resource managers is provided, and each of the components is controlled by at least one of the plurality of component resource managers. A plurality of component management interfaces is also provided. Each of the components communicates with at least one of the controlling component resource managers via one of the component management interfaces. At least one runtime manager autonomously controls operation of the components and the component resource managers. | 03-03-2011 |
20110055921 | PROTECTING AGAINST DISTRIBUTED NETWORK FLOOD ATTACKS - A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device; during a second stage, to monitor a plurality of types of transactions for a plurality of network sessions when a parameter for the connections exceeds a connection threshold; and during a third stage, to monitor communications associated with network addresses from which transactions of at least one of the types of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceed a client-transaction threshold. | 03-03-2011 |
20110055922 | Method for Detecting and Blocking Phishing Attacks - A method for detecting a suspected phishing attack characterized by monitoring strings of characters in a questionnaire presented by a non-approved address to a user terminal for similarity to a substring of a string of sensitive data, such that the substring has a length of one or more characters less than the length of the string of sensitive data, such that on detecting a substring of critical length, an alert is triggered. | 03-03-2011 |
20110067101 | Individualized Time-to-Live for Reputation Scores of Computer Files - An individualized time-to-live (TTL) is determined for a reputation score of a computer file. The TTL is determined based on the reputation score and the confidence in the reputation score. The confidence can be determined based on attributes such as the reputation score, an age of the file, and a prevalence of the file. The reputation score is used to determine whether the file is malicious during a validity period defined by the TTL, and discarded thereafter. | 03-17-2011 |
20110067102 | Outgoing email check system, check data providing apparatus, check data inspecting apparatus, and outgoing email check method - To allow inspecting whether a security check of a planned outgoing email is finished in an outgoing email check system, a check data providing apparatus | 03-17-2011 |
20110067103 | ROUTER FOR PREVENTING PORT SCANS AND METHOD UTILIZING THE SAME - A router and method for preventing port scans using a router include receiving a datagram from a remote computer, transferring the datagram to a local computer, and receiving a response datagram from the local computer. The router and method further include dropping the response datagram if the response datagram is an Internet Control Message Protocol (ICMP) port unreachable datagram and the ICMP port unreachable datagram is abnormal, and recording a port scan event of the remote computer into the log system. | 03-17-2011 |
20110067104 | METHOD OF SECURING EXECUTION OF A PROGRAM - A method of securing execution of a main program that implements nested functions, the method comprising the steps of executing a security management program arranged to update a list of current functions, informing the security management program of the beginning of execution of each function of the main program and updating the list of current functions, informing the security management program of the end of execution of each function, and, after being informed of each end of execution of a function, verifying that the function is indeed the function that was begun the most recently. | 03-17-2011 |
20110072514 | Scan Engine Manager with Updates - A scan management system may configure various workloads and data streams within those workloads to be directed to various scan engines. The scan management system may be updatable and configurable by receiving a catalog of available scan engines and configuring the workloads and scan engines according to a policy that may be locally created and managed. The scan management system may be capable of reconfiguring the scan engines, including upgrading, adding, deprecating, and changing scan engines while being fully operational. In some cases, a single data stream may be scanned by two or more different scan engines, and a single scan engine may be used to scan two or more different data streams. | 03-24-2011 |
20110072515 | METHOD AND APPARATUS FOR COLLABORATIVELY PROTECTING AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACK - A method and apparatus for collaboratively protecting against a Distributed Denial of Service (DDoS) attack are provided. The method performed by a network apparatus includes detecting data suspected as being used in the DDoS attack by monitoring traffic forwarded to a service server, notifying a security apparatus that the detected data is suspected as being used in the DDoS attack, and performing at least one of a first operation and a second operation, the first operation being receiving an analysis result for the detected data from the security apparatus and controlling the traffic based on the analysis result, and the second operation being controlling, prior to the first operation, the traffic based on a rule set in advance. | 03-24-2011 |
20110072516 | PREVENTION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS - A method of automating the ability of a network to distinguish between traffic generated by automated means and traffic generated by human beings, for blocking automated traffic during a distributed denial of service attack, is disclosed. The method includes placing at least one validated traffic manager (VTM) computer on a computer network by a user. The method further includes monitoring a plurality of network requests by storing a plurality of user traffic source (UTS) lists, such as a white list, a grey list and a black list, on the at least one VTM computer. The method utilizes a reverse Turing test (RTT) that includes a human verification process (HVP) to distinguish between the traffic generated by human beings and the automated traffic. | 03-24-2011 |
20110078790 | API Signature Verification for High-Security Platforms - A system and method is disclosed for verifying whether a test API of a high-security software platform implements a reference API when a verification tool has insufficient permissions to detect one or more members of the test API. A signature is determined for a reference API implementation, which includes multiple API members. Determining the signature involves identifying a proper subset of the API members, where the subset excludes one or more API members that are not programmatically detectable by a given verification tool executing on a high-security platform that implements the reference API. The member may not be detectable by the verification tool because the tool has insufficient permission to programmatically detect the member on the high-security platform. The signature is then configured to indicate the members of the subset and not the excluded members. The signature is then stored. | 03-31-2011 |
20110078791 | Using chipset-based protected firmware for host software tamper detection and protection - A method, system, and computer program product for a host software tamper detection and protection service. A secure partition that is isolated from a host operating system of the host system, which may be implemented by firmware of a chipset of the host system, obtains file metadata from the host system and uses the file metadata to identify a first file for examination for tampering. The secure partition obtains data blocks for the first file, communicates with a service via an out-of-band communication channel, and uses information obtained from the service and the data blocks to determine whether the first file has been corrupted. The secure partition obtains the file metadata and the data blocks for the first file without invoking an operating system or file system of the host system. | 03-31-2011 |
20110078792 | SYSTEM AND METHOD FOR PROVIDING NETWORK SECURITY - A method includes receiving an indication of at least one detected security issue at a network device. The indication is received from a security agent at a security manager processor. The method includes polling, via the security manager processor, at least one other network device in response to the indication in order to retrieve additional information when the security manager processor determines that the additional information is needed. The method includes selecting, via the security manager processor, at least one executable security object responsive to the indication and the additional information. The method also includes initiating communication of the at least one executable security object to the network device via the security manager processor. | 03-31-2011 |
20110083179 | SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK USING CLOUD COMPUTING - A system and method for mitigating a denial of service attack that includes distributing network communication messages directed at a resource within a resource cloud, directing the distributed network communication messages, filtering the network communication messages according to filter parameters that relate to the legitimacy of the communication message, and sending the communication message to the resource if the communication message is filtered as legitimate or performing a request limiting response to the communication message if the communication message is filtered as illegitimate. | 04-07-2011 |
20110088092 | DETECTION OF NETWORK ADDRESS SPOOFING AND FALSE POSITIVE AVOIDANCE - A method for detection of network address spoofing and false positive avoidance in a network is described herein. The network may include one or more hosts and a network management system. The network management system may identify a suspicious host in the network. A condition indicative of network address spoofing by the suspicious host may be detected. It may be determined whether the spoofing condition is expected in normal traffic of the network. In response to a determination that the spoofing condition is expected, it is determined that the suspicious host generated normal traffic. | 04-14-2011 |
20110088093 | USB CONNECTOR AND INTRUSION PREVENTION SYSTEM USING THE SAME - A security USB connector implements an intrusion prevention function preventing the propagation of malicious codes to a host terminal from a USB device while minimizing host terminal resource consumption, and an intrusion prevention system using the same are disclosed. A security USB connector is positioned between the host terminal supporting a USB host and a USB device, and a security inspection is performed on data transferred from the USB device to the host terminal through the security USB connector. Also, a host terminal without an intrusion prevention function can prevent an intrusion by using the portable security USB connector. | 04-14-2011 |
20110088094 | System for efficiently handling cryptographic messages containing nonce values in a wireless connectionless environment without compromising security - A system for determining the validity of a received cryptographic message while allowing for out-of-order messages is utilized to provide for secure communications among peers in a network. In particular, a secure communication module may be configured to accept the cryptographic message when the received nonce value of the received message is greater than the largest nonce value yet seen. Otherwise, when the received nonce value is not the largest nonce value yet seen, the secure communication module may be configured to compare the received nonce value with a nonce acceptance window. If the received nonce value falls outside the nonce acceptance window, the secure communication module may be further configured to reject the received message and assume that a replay attack has been detected. If the received nonce value falls within the nonce acceptance window, the secure communication module may be further configured to determine if the received nonce value has been seen before by comparing the received nonce value with a replay window mask. If the received nonce has been seen before, the secure communication module may be further configured to reject the received message and assume a replay attack. Otherwise, the secure communication module may be further configured to accept the message and add the received nonce value to the replay window mask. | 04-14-2011 |
20110099628 | METHOD AND SYSTEM FOR WEIGHTING TRANSACTIONS IN A FRAUD DETECTION SYSTEM - A method of computing a similarity between a first transaction having a set of properties and a second transaction having the set of properties includes computing an initial weight for each of the properties of the set of properties and computing a similarity between each of the properties of the first transaction and the properties of the second transaction. The method also includes adjusting the initial weight for each of the properties based on a measure of the commonness of each of the properties of the set of properties, normalizing the adjusted weights, and computing the similarity by summing the products of the normalized adjusted weights and the computed similarities. | 04-28-2011 |
20110099629 | AUTHENTICATING A WEB PAGE WITH EMBEDDED JAVASCRIPT - A method for detecting if a digital document (e.g. an HTML document) is changed by others than authenticated script code (e.g. JavaScript code) is presented. The method comprises loading the authenticated script code into a trusted computer application and storing a snapshot of the digital document in the trusted computer application. Before the authenticated script code is executed, the snapshot of the digital document is compared with the document to verify if the digital document is still authentic. After executing the authenticated script code, the snapshot of the digital document is replaced with an up-to-date copy reflecting eventual changes made to the digital document by the executed script code. The digital document can then at any time be compared with the most recent snapshot to verify if it is authentic. | 04-28-2011 |
20110099630 | SYSTEM AND METHOD FOR PROTECTING COMMUNICATION DEVICES FROM DENIAL OF SERVICE ATTACKS - A system for preventing successful denial of service attacks comprises a first communication device, a second communication device, and a network. The first and second communication devices establish a communication session via the network. Based on various information, such as a pre-shared secret, one of the communication devices determines a network access filter value and compares this value to at least one data frame in order to authenticate such data frame without committing significant computing resources or memory space. By updating the network access filter over time, an unauthorized user who discovers the outdated network access filter values is prevented from successfully launching a denial of service attack. | 04-28-2011 |
20110107417 | Detecting AP MAC Spoofing - Detecting access point MAC spoofing in a wireless digital network. A sensor in a wireless digital network learns the MAC address and operating channel for at least one access point. If the sensor detects frames being sent to a MAC address on a channel other than the channel associated with that MAC address, then the access point associated with the MAC address is being spoofed. These frames may be association frames, or data frames. If the sensor is running as part of an access point the sensor also knows what clients are associated with the access point. If the sensor detects frames indicating association, such as data frames, sent to its MAC address, but the client is not associated with the access point, then the access point is being spoofed. Similarly, if the sensor receives frames on a channel other than that associated with the access point and receives traffic for the access point's MAC address, the access point is being spoofed. The sensor may be a separate device on the wireless network, or may be functionality included in one or more access points on the network. | 05-05-2011 |
20110107418 | DETECTING ANOMALIES IN ACCESS CONTROL LISTS - An access control anomaly detection system and method to detect potential anomalies in access control permissions and report those potential anomalies in real time to an administrator for possible action. Embodiments of the system and method input access control lists and semantic groups (or any dataset having binary matrices) to perform automated anomaly detection. This input is processed in three broad phases. First, policy statements are extracted from the access control lists. Next, object-level anomaly detection is performed using thresholds by categorizing outliers in the policies discovered in the first phase as potential anomalies. This object-level anomaly detection can yield object-level security anomalies and object-level accessibility anomalies. Group-level anomaly detection is performed in the third phase by using semantic groups and user sets extracted in first phase to find maximal overlaps using group mapping. This group-level anomaly detection can yield group-level security anomalies and group-level accessibility anomalies. | 05-05-2011 |
20110107419 | SYSTEMS AND METHODS FOR IMPROVED IDENTIFICATION AND ANALYSIS OF THREATS TO A COMPUTING SYSTEM - A security tool can access a tagging tool and the history generated by the tagging tool in order to identify potential threats and analyze the identified threats. When a potential threat is detected or an actual threat is identified, the security tool can request the history of actions from the tagging tool corresponding to the threat. The security tool can compare the potential or actual threat with the history of any action recorded by the tagging tool in order to classify a potential threat as an actual threat or determine the source or cause of an actual threat. | 05-05-2011 |
20110107420 | LOCATOR CODING IN A COMMUNICATIONS NETWORKS - A method for use in interconnected communications networks, comprising negotiating a locally unique interface identifier between a network entity and a network such that the locally unique interface identifier differs from any interface identifier used by either of the network entity and the network; and using the locally unique interface identifier to identify an egress interface from the network entity to the network, and using the locally unique interface identifier to identify an egress interface from the network to the network entity. By using a common locally unique interface identifier between networks and network entities on a path between a source or destination network entity and a core network, a globally unique locator for the source or destination network entity can be constructed by concatenating elements derived from a plurality of negotiated common local interface identifiers between networks and network entities on the path. | 05-05-2011 |
20110107421 | METHOD AND APPARATUS FOR PROVIDING FRAUD DETECTION USING CONNECTION FREQUENCY THRESHOLDS - An approach provides detection of unauthorized use of data services. A determination is made as to whether connections supporting remote access to a data network are completed. The number of completed connections associated with a selected attribute is tracked over a time period. It is then determined whether the number of completed connections satisfies a connection frequency threshold. A fraud alert is generated if the connection frequency threshold is satisfied. | 05-05-2011 |
20110113489 | SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK IN A SUBSCRIBER NETWORK - A system and method for mitigating a denial of service attack in a subscriber network. A traffic monitor monitors bandwidth usage of a subscriber network that is directed to a particular port. The traffic monitor detects excessive traffic based on preset thresholds or algorithms. When excessive traffic is detected, the traffic monitor may obtain the source IP address from headers in the packet stream and identify the device or devices from which the packets were delivered to the network. Using the IP addresses of affected devices, a policy may be implemented to throttle packets originating from those devices that are directed to the particular port. | 05-12-2011 |
20110113490 | TECHNIQUES FOR PREVENTING ATTACKS ON COMPUTER SYSTEMS AND NETWORKS - Techniques for detecting and responding to attacks on computer and network systems including denial-of-service (DoS) attacks. A packet is classified as potentially being an attack packet if it matches an access control list (ACL) specifying one or more conditions. One or more actions may be performed responsive to packets identified as potential attack packets. These actions may include dropping packets identified as potential attack packets for a period of time, rate limiting a port over which the potential attack packets are received for a period of time, and other actions. | 05-12-2011 |
20110119760 | CLASSIFICATION OF SOFTWARE ON NETWORKED SYSTEMS - A method and system for the classification of software in networked systems, includes: determining a software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute, and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) updates its responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software. | 05-19-2011 |
20110126283 | System for Tracking Digital Information Over a Communications Network - A method for tracking digital files transmitted over the Internet by placing certain identifying indicia within a file, and monitoring selected sites through which Internet traffic is transmitted, to determine the source and destination of a transmission containing a file with particular identifying indicia. Identifying indicia (“ID”) is placed in the header of each digital file whose transmission over the Internet is to be monitored. A data communications monitoring device is installed at an Internet service provider's (ISP's) facility. The monitoring device intercepts packets received by the ISP. These intercepted packets are then examined to determine whether they contain an ID of interest. If a sought ID is found within the packet, the source and destination fields in the Internet Protocol (IP) header are logged, along with the ID and other information, in a database. The pertinent contents of the database are then periodically sent to the proprietors whose IDs were discovered in packets in transit across the Internet. A proprietor may then take appropriate steps to secure compensation for the unauthorized copies, or to prevent further dissemination thereof. | 05-26-2011 |
20110126284 | CONTENT REPRODUCTION DEVICE, CONTENT REPRODUCTION DEVICE CONTROL METHOD, CONTENT REPRODUCTION PROGRAM, RECORDING MEDIUM, AND INTEGRATED CIRCUIT - A content playback device of the present invention includes a playback unit | 05-26-2011 |
20110126285 | INTERNET SITE SECURITY SYSTEM AND METHOD THERETO - The present invention discloses an internet site security system and method thereof. That is, the present invention comprises a browser execution module which executes the browser for providing a work-performing environment on the internet site according to the selection of a user; a memory protection module which, according to the execution of the browser, prevents an external module from accessing a memory area allocated to the browser and detects whether the memory area is tampered or not and whether the executing code is tampered or not; and a browser protection module which prevents another process or module from debugging the browser execution module according to the execution of the browser, and distinguishing several modules loaded to the memory area into acceptable modules and unacceptable modules, and thereby is able to provide a secure electronic transaction based environment against a malicious attack. | 05-26-2011 |
20110131650 | METHODS, DEVICES, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR EDGE DRIVEN COMMUNICATIONS NETWORK SECURITY MONITORING - An edge monitoring approach can be utilized to detect an attack which includes a plurality of relatively low bandwidth attacks, which are aggregated at a victim sub-network. The aggregated low bandwidth attacks can generate a relatively high bandwidth attack including unsolicited data traffic directed to the victim, so that the aggregated attack becomes more detectable at an edge monitor circuit located proximate to the victim. Related systems, devices, and computer program products are also disclosed. | 06-02-2011 |
20110131651 | METHOD AND DEVICE FOR DETECTING A SPOOFING ATTACK IN A WIRELESS COMMUNICATION NETWORK - A method and device enables detecting a spoofing attack in a wireless communication network ( | 06-02-2011 |
20110131652 | TRAINED PREDICTIVE SERVICES TO INTERDICT UNDESIRED WEBSITE ACCESSES - Webcrawlers and scraper bots are detrimental because they place a significant processing burden on web servers, corrupt traffic metrics, use excessive bandwidth, excessively load web servers, create spam, cause ad click fraud, encourage unauthorized linking, deprive the original collector/poster of the information of exclusive rights to analyze and summarize information posted on their own site, and enable anyone to create low-cost Internet advertising network products for ultimate sellers. A scalable predictive service distributed in the cloud can be used to detect scraper activity in real time and take appropriate interdictive action up to and including denial of service based on the likelihood that non-human agents are responsible for accesses. Information gathered from a number of servers can be aggregated to provide real time interdiction protecting a number of disparate servers in a network. | 06-02-2011 |
20110131653 | SYSTEMS AND METHODS FOR MANAGING MESSAGES IN AN ENTERPRISE NETWORK - A protocol management system is capable of detecting certain message protocols and applying policy rules to the detected message protocols that prevent intrusion, or abuse, of a network's resources. In one aspect, a protocol message gateway is configured to apply policy rules to high level message protocols, such as those that reside at layer 7 of the ISO protocol stack. | 06-02-2011 |
20110138462 | SYSTEM AND METHOD FOR DETECTING VOIP TOLL FRAUD ATTACK FOR INTERNET TELEPHONE - Provided is a system for detecting a voice over Internet protocol (VoIP) toll fraud attack. The system includes: a database (DB) storing registration information of normal users; a packet reception module receiving a call set-up packet from a network; and a VoIP signaling message forgery/falsification detection module receiving the call set-up packet from the packet reception module and comparing sender address information or header information of the call set-up packet with the registration information stored in the DB to detect whether the call set-up packet is a packet received from one of the normal users. | 06-09-2011 |
20110138463 | METHOD AND SYSTEM FOR DDOS TRAFFIC DETECTION AND TRAFFIC MITIGATION USING FLOW STATISTICS - Disclosed are a method and system for distributed denial of service (DDoS) attack detection and traffic mitigation using flow statistics. The method for DDoS attack detection and traffic mitigation using flow statistics includes: collecting first statistics for each flow based on flow information generated by traffic flow of a network connection device; and grouping the first statistics for each flow on a per-flow basis and processing the same into second statistics containing at least one of the number of bytes, the number of packets, and the number of flows per unit time. | 06-09-2011 |
20110138464 | STATE NOTIFICATION APPARATUS, STATE NOTIFICATION METHOD, AND COMPUTER-READABLE STORAGE MEDIUM - A state notification apparatus comprises: a holding unit that, when one or more secure runtime environments and one or more non-secure runtime environments are selectively executed in a foreground, holds an identifier of a runtime environment that is being executed in the foreground; a determination unit that determines a state of the runtime environment executed in the foreground based on the identifier held by the holding unit; and a notification unit that causes a hardware device that cannot be accessed from the one or more non-secure runtime environments to notify the state determined by the determination unit. | 06-09-2011 |
20110145918 | SENSITIVE DATA TRACKING USING DYNAMIC TAINT ANALYSIS - A system and method for tracking sensitive data uses dynamic taint analysis to track sensitive data as the data flows through a target application running on a computer system. In general, the system and method for tracking sensitive data marks data as tainted when the data input to the target application is indicated as sensitive. The system and method may then track the propagation of the tainted data as the data is read from and written to memory by the target application to detect if the tainted data is output from the application (e.g., leaked). Dynamic binary translation may be used to provide binary instrumentation of the target application for dynamic taint analysis to track propagation of the tainted data at the instruction level and/or the function level. Of course, many alternatives, variations, and modifications are possible without departing from this embodiment. | 06-16-2011 |
20110145919 | METHOD AND APPARATUS FOR ENSURING CONSISTENT SYSTEM CONFIGURATION IN SECURE APPLICATIONS - In exemplary embodiments, methods and apparatuses for securing electronic devices against tampering or unauthorized modifications are presented herein. One or more system locks may be installed in the system at a location between two or more subsystems along a communications path. Each system lock may be associated with a particular subsystem. The system locks may monitor the state of the system, including transactions targeting associated subsystems, and the transactions and/or state of the system may be compared to known valid transactions and states. If the requested transaction or enacted system state differs from a known acceptable transaction or state, a notification may be generated and countermeasures may be enacted. In some embodiments, the system locks may be located in a system bus on an electronic device to ensure that software executed on the electronic device remains free of tampering. | 06-16-2011 |
20110145920 | SYSTEM AND METHOD FOR ADVERSE MOBILE APPLICATION IDENTIFICATION - A system and method identifies mobile applications that can have an adverse effect on a mobile device or mobile network. In an implementation, a server monitors behavioral data relating to a mobile application and applies a model to determine if the application has an adverse effect or has the potential to cause an adverse effect on a mobile device or a network the mobile device may connect to. A mobile device may monitor behavioral data, apply a model to the data, and transmit a disposition to the server. The server may aggregate behavioral data or disposition information from multiple devices. The server may transmit or make available the disposition information to a subscriber through a web interface, API, email, or other mechanism. After identifying that an application may have an adverse effect, the server may enact corrective actions, such as generating device or network configuration data. | 06-16-2011 |
20110154487 | SOFTWARE BEHAVIOR MODELING DEVICE, SOFTWARE BEHAVIOR MODELING METHOD, SOFTWARE BEHAVIOR VERIFICATION DEVICE, AND SOFTWARE BEHAVIOR VERIFICATION METHOD - A software behavior modeling device which forms a model of a behavior of software includes: an event information acquisition unit configured to acquire event information indicating a specific event which occurs during execution of the software; a stack information acquisition unit configured to acquire stack information stored in a call stack at a time of occurrence of the specific event; a score setting unit configured to set a score in accordance with a storage location in which each element included in the stack information is stored in the call stack; and a model generating unit configured to form a model of a relationship between the specific event and the element by using the score, and to generate a behavior model of the software. | 06-23-2011 |
20110154488 | SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN MULTI-CORE SYSTEM - The present application is directed towards systems and methods for generating and maintaining cookie consistency for security protection across a plurality of cores in a multi-core system. A packet processing engine executing on one core designated as a primary packet processing engine generates and maintains a global random seed. The global random seed may be used as an initial seed for creation of cookie signatures by each of a plurality of packet processing engines executing on a plurality of cores of the multi-core system using a deterministic pseudo-random number generation function such that each core creates an identical set of cookie signatures. | 06-23-2011 |
20110154489 | SYSTEM FOR ANALYZING MALICIOUS BOTNET ACTIVITY IN REAL TIME - A system for analyzing malicious botnet activity in real time is disclosed. This system may include: a control server configured to generate botnet activity information relating to a type of malicious botnet activity, and transmit the botnet activity information to the outside, after receiving bot occurrence information from the outside; | 06-23-2011 |
20110162069 | SUSPICIOUS NODE DETECTION AND RECOVERY IN MAPREDUCE COMPUTING - Embodiments of the present invention address deficiencies of the art in respect to distributed computing for large data sets on clusters of computers and provide a novel and non-obvious method, system and computer program product for detecting and correcting malicious nodes in a cloud computing environment (e.g., MapReduce computing). In one embodiment of the invention, a computer-implemented method for detecting and correcting malicious nodes in a cloud computing environment can include selecting a task to dispatch to a first worker node, setting a suspicion index threshold for the selected task, determining a suspicion index for the selected task, comparing the suspicion index to the suspicion index threshold and receiving a result from a first worker node. The method further can include applying a recovery action when the suspicion index exceeds the selected suspicion index threshold. | 06-30-2011 |
20110167490 | SYSTEM AND METHOD FOR SECURE DISTRIBUTED EXECUTION - This invention discloses a method and system for processing logic modules, each having a separate functionality, into a unique functionality that is to be executed in an interlocked mode as a unique functionality. The method is based on taking logic modules (programs and data) with known functionality and transforming them into a hidden program by integrating modules to execute together into a logic which is partially obfuscated and/or encrypted and/or physically hidden. The hidden program is updated dynamically to strengthen it against reverse engineering efforts. The program includes the functionality for generating security signals, which are unpredictable by observers, such as a pseudo random sequence of security signals. Only elements that share the means for producing the security signals can check their validity. The modules include operational tasks and performance parameters for this operation. The operation can be transmission of data packets with given parameters of performance that the hidden program contains. The generated security signals thus assure that the correct operation has taken place and can be used to signal various cryptographic parameters as well. | 07-07-2011 |
20110173696 | QUANTUM COMMUNICATION SYSTEM AND METHOD - A quantum communication system, said system comprising: | 07-14-2011 |
20110173697 | SYSTEM AND METHOD FOR DETECTING AND PREVENTING DENIAL OF SERVICE ATTACKS IN A COMMUNICATIONS SYSTEM - A method and system are provided for use in detecting and preventing attacks in a communications network. In one example, the method includes calculating first and second traffic volumes based on messages received at a first time and a second time, respectively. An average acceleration is calculated based on the first and second traffic volumes, and the method identifies whether the average acceleration has crossed a threshold. The messages are serviced only if the average acceleration has not crossed the threshold. | 07-14-2011 |
20110179483 | METHODS FOR HANDLING A FILE ASSOCIATED WITH A PROGRAM IN A RESTRICTED PROGRAM ENVIRONMENT - Techniques for handling a file associated with a program are described herein. According to an aspect of the invention, in response to a request for accessing a file received through a first program, the file is stored in a first sandboxed storage area, where the file is to be accessed by a second program. An atomic move operation is then performed on the file that atomically moves the file from the first sandboxed storage area to a second sandboxed storage area, where the first sandboxed storage area is not accessible to the first program and second program. The second program is launched to access the file stored in the second sandboxed storage area, where the second sandboxed storage area is a part of a sandbox associated with the second program. | 07-21-2011 |
20110179484 | MALWARE DETECTION SYSTEM AND METHOD FOR MOBILE PLATFORMS - In one example, a management server is configured to provide malware protection for one or more client mobile platforms in communication with the management server via a mobile network. In the example, the management server includes a processor configured to detect malware in the mobile network, select a client mobile platform having a malware scanning agent, and, manage the malware scanning agent of the client mobile platform using a device independent secure management protocol based at least in part on the malware detected in the mobile network. | 07-21-2011 |
20110179485 | METHOD AND DEVICE FOR RECOGNIZING ATTACKS ON A SELF-SERVICE MACHINE - The invention relates to a method for recognizing attacks on at least one interface of a computer system, particularly a self-service machine, comprising: monitoring the interface in order to detect changes to the interface; if changes occur, the probability of an impermissible attack on the interface is determined based on the nature of the change; if the probability is above a defined threshold value, defensive measures are taken. | 07-21-2011 |
20110179486 | METHOD FOR NEUTRALIZING THE ARP SPOOFING ATTACK BY USING COUNTERFEIT MAC ADDRESSES - The present invention is related to a method for neutralizing a malicious ARP spoofing attack generated in a local network and in particular, the present invention provides a method for neutralizing an ARP spoofing attack comprising a step for detecting an ARP spoofing attack based on an ARP request packet generated for an ARP spoofing attack; a step for generating a plurality of counterfeit MAC addresses and dynamically changing MAC addresses of network devices or servers which are to be protected whenever an ARP spoofing attack is generated; and a step for neutralizing an ARP spoofing attack by using a counterfeit MAC address which is capable of neutralizing an ARP spoofing attack adequately. | 07-21-2011 |
20110185417 | Memory Whitelisting - An enhanced whitelisting module associated within a system whitelists unknown files for execution on the system. The whitelisting module may oversee the computation of a hash of a file loaded into the memory and comparison of the hash to hashes within a hash table generated from clean files located on a clean system. The whitelisting module may communicate to a device internal and/or external to the system to retrieve the hash table of clean files. In certain embodiments, a rolling hash (or other piecewise hash) may be used to determine the location and/or extent of the differences between a modified file and a clean file. | 07-28-2011 |
20110185418 | DIGITAL FILTER CORRELATION ENGINE - A digital filter correlation engine, wherein the correlation engine combines N arbitrary digital filter states based on weights and, along with a threshold, generates a network incident. This network incident in turn can be fed back to another digital filter. This multi-layering capability allows the creation of higher level event detections that are time-based for a cyber security analyst to analyze, thereby reducing the amount of manual work the analyst has to do in inspecting behaviors within the network. | 07-28-2011 |
20110185419 | METHOD AND APPARATUS FOR DETECTING SSH LOGIN ATTACKS - A digital filter correlation engine, wherein the correlation engine combines N arbitrary digital filter states based on weights and, along with a threshold, generates a network incident. This network incident in turn can be fed back to another digital filter. This multi-layering capability allows the creation of higher level event detections that are time-based for a cyber security analyst to analyze, thereby reducing the amount of manual work the analyst has to do in inspecting behaviors within the network. | 07-28-2011 |
20110185420 | DETECTION METHODS AND DEVICES OF WEB MIMICRY ATTACKS - A web mimicry attack detection device is provided, including: a first token sequence collector receiving a hypertext transfer protocol request and extracting string content of the hypertext transfer protocol request according to a token collection method to generate a token sequence corresponding to the hypertext transfer protocol request, wherein the token sequence comprises a plurality of the tokens; and a mimicry attack detector generating a label and a confidence score corresponding individually to the tokens according to the tokens and a conditional random field probability model, summing the confidence score individually corresponding to the tokens in the token sequence by a summary rule to generate a summary confidence score, and determining whether the hypertext transfer protocol request is an attack according to the summary confidence score and the label individually corresponding to the tokens. | 07-28-2011 |
20110185421 | SYSTEM AND METHOD FOR NETWORK SECURITY INCLUDING DETECTION OF MAN-IN-THE-BROWSER ATTACKS - A method is performed in a network security system implemented in a computer or electronic device that is coupled to secured online resources for detecting unauthorized accesses of those secured online resources. The method includes monitoring a user activity session. It is determined whether the user activity session is indicative of a hidden session by an attacker, where the determination includes comparing the user activity session to an average user activity session. | 07-28-2011 |
20110191847 | ACTIVITY FILTERING BASED ON TRUST RATINGS OF NETWORK ENTITIES - The filtering of activities generated by nodes of a network while interacting with a device may be performed by evaluating the desirability of the activities (e.g., a spam or not-spam determination of email messages sent by the node) and assigning a trust rating to the node. However, nodes are often identified by network address, and an operator of a node sending undesirable activities may reassign the network address of the node in order to avoid heavy filtering. Instead, nodes may be identified as being controlled by a network entity (e.g., an autonomous system identified in a border gateway protocol routing table.) The network entity is assigned a network entity trust rating based on the trust ratings of the nodes controlled thereby, and an appropriate level of activity filtering based on the network entity trust rating may be selected for subsequent activities received from all nodes controlled by the network entity. | 08-04-2011 |
20110191848 | PREVENTING MALICIOUS JUST-IN-TIME SPRAYING ATTACKS - A method disclosed herein includes acts of receiving code at a Just-in-Time compiler executing in an application on a computing device and compiling the code to generate machine code and causing the machine code to be placed on at least one page that is accessible by at least one processor on the computing device, wherein the Just-in-Time compiler compiles the code utilizing at least one technique for preventing a Just-in-Time spraying attack. | 08-04-2011 |
20110197274 | RATE LIMITING DATA TRAFFIC IN A NETWORK - A network device coordinates with other devices in a network to create a distributed filtering system. The device detects an attack in the network, such as a distributed denial of service attack, and forwards attack information to the other devices. The devices may categorize data into one or more groups and rate limit the amount of data being forwarded based on rate limits for the particular categories. The rate limits may also be updated based on the network conditions. The rate limits may further be used to guarantee bandwidth for certain categories of data. | 08-11-2011 |
20110197275 | STOPPING AND REMEDIATING OUTBOUND MESSAGING ABUSE - Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection. | 08-11-2011 |
20110197276 | SYSTEM AND METHOD FOR VALIDATING AND CONTROLLING APPLICATIONS - A system and method for validating an application and for controlling execution of an application. A plurality of parameters may be computed for an authenticated object and for a tested object. A plurality of comparison and other metrics may be computed based on the computed plurality of parameters. Control of an execution of programs may be based on said metrics. Other embodiments are described and claimed. | 08-11-2011 |
20110202995 | Single hardware platform multiple software redundancy - A process detects an attack on a software system, eradicates the attack, automatically loads software into the software system in response to the attack, and executes one or more of a reboot of the software system or a boot of the loaded software. The loaded software comprises a substantially similar functionality of at least a portion of the software system and a different implementation of the functionality of the portion of the software system. | 08-18-2011 |
20110202996 | Method and apparatus for verifying the integrity of software code during execution and apparatus for generating such software code - Self-modifying software code comprising a number of modules that each may be modified to be in a plurality of states during execution. In order to verify the integrity of such code, the different states of the code are calculated. For each state a checksum, e.g. a hash value, is generated for at least part of the code. During execution the state of the code is changed, modifying a module, and an integrity check is performed using the checksum for the state of the code. The checksum may be stored in a look-up table or it may be embedded in the integrity verification function. A state variable indicating the state of the modules may be used to look up the checksum in the table. Possible states of a module are encrypted and decrypted. Also provided is an apparatus for generating protected software code. | 08-18-2011 |
20110202997 | METHOD AND SYSTEM FOR DETECTING AND REDUCING BOTNET ACTIVITY - A method and system for detecting and reducing botnet activity includes tracking the number of connections to a destination address over predetermined periods of time. A persistence value is assigned to the destination address based on the number of time periods during which the destination address was connected. The persistence value is compared to a threshold value and an alert is generated if the persistence value is greater than the threshold value. Known safe destinations may be entered into a whitelist. | 08-18-2011 |
20110209215 | Intelligent Network Security Resource Deployment System - An electronic communication network includes a connectivity subsystem and security scanning resources. The connectivity subsystem checks the present trust level of the source of received traffic to determine if security scanning resources are to be used and how to use the security scanning resources. | 08-25-2011 |
20110209216 | METHOD AND SYSTEM FOR WEBSITE DATA ACCESS MONITORING - In a network comprising a number of web sites and at least one simulator, web page calls are simulated or monitored and the responses to the calls, including content, re-directed calls and cookies, are examined in order to identify whether the content of cookies has been written or modified illegally. Illegal modification of content of cookies is referred to as writing of data by a Buyer in cookies of a User that was directed to the Buyer by a Data Publisher, without the consent of the Data Publisher. In some embodiments when illegal cookies are identified an alert may be issued to a user. | 08-25-2011 |
20110209217 | INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND PROGRAM - There is provided a PC including a guest OS group which manages a group including an OS executed in an office, an information-management section which manages communication capability information which is set to communication-capable information or communication-incapable information, a being-inside-office determination processing section which determines whether or not the PC is used in the office, which sets the communication capability information to the communication-capable information when the being-inside-office determination processing section determines that the PC is used in the office, and which sets the communication capability information to the communication-incapable information when the being-inside-office determination processing section determines that the PC is not used in the office, and a communication control section which controls communication with another device performed by an OS execution section which executes the OS included in the group based on the communication capability information. | 08-25-2011 |
20110214177 | System and Method for Avoiding and Mitigating a DDoS Attack - Described is a system and method for receiving a data packet including a destination address and a source address, the data packet corresponding to a port number, assigning an address risk value for the data packet based on the source address and a port risk value for the data packet based on the port number. The data packet is categorized into a community based on the source address, wherein the community is predefined by a user corresponding to the destination address, the community includes a utility value. The address risk value and the port risk value are compared to the utility value to yield a benefit coefficient and the data packet is treated based on the benefit coefficient. | 09-01-2011 |
20110214178 | System and Method for Detecting and Evicting Malicious Vehicles in a Vehicle Communications Network - In a vehicle communication network, some vehicles may be used by attackers to send false information to other vehicles which may jeopardize the safety of other vehicles. Vehicles should be able to detect malicious communications activities and to mitigate the impact of malicious vehicles by evicting (eliminating) suspected malicious vehicles from the system. Evicting a vehicle is to ignore the messages sent from the vehicle for a specified time period. Voting and sacrifice principles are combined using a mathematical model based on the “Mafia Game”. The Mafia Game model focuses on the relative size of the group of attackers within a neighborhood necessary to dominate the entire network in the neighborhood (i.e., to eventually evict all the innocent vehicles). | 09-01-2011 |
20110214179 | SECURE METHOD AND SYSTEM FOR COMPUTER PROTECTION - Attacks by computer viruses, worm programs, and other hostile software (‘malware’), have become very serious problems for computer systems connected to large communication networks such as the Internet. One potential defence against such attacks is to employ diversity—that is, making each copy of the attacked software different. However, existing diversity techniques do not offer sufficient levels of protection. The invention provides an effective diversity solution by applying tamper resistant software (TRS) encoding techniques, to the communications that take place between software components, with corresponding changes to the code handling those communications. These communications may include, for example, data passed between software routines via parameters or mutually accessible variables, light-weight messages, signals and semaphores passed between threads, and messages passed between software processes. Effective TRS encoding techniques include data-flow encoding and mass-data encoding techniques. | 09-01-2011 |
20110214180 | Network Amplification Attack Mitigation - An improved network protocol for mitigating network amplification attacks is provided. The absolute network load that any transient distributed attack can cause is bounded based on a resource crediting scheme. The protocol accumulates “credit” upon reception and detection of candidate attack request packets, and draws against that credit when transmitting responsive packets. In some implementations, the time frame of such an attack is also bounded using time limits applied to a resource crediting scheme. Other resources may also be bounded by the resource crediting scheme, including without limitation CPU utilization, storage capacity, power, etc. | 09-01-2011 |
20110219445 | Methods, Systems and Computer Program Products for Identifying Traffic on the Internet Using Communities of Interest - Methods for identifying wanted traffic on the Internet are provided. The methods include determining a traffic history for a user of the Internet; identifying wanted traffic in a stream of Internet traffic based on the determined traffic history; and prioritizing the identified wanted traffic such that unwanted traffic is assigned a lower priority than the wanted traffic. Related systems and computer program products are also provided. | 09-08-2011 |
20110219446 | INPUT PARAMETER FILTERING FOR WEB APPLICATION SECURITY - Techniques are disclosed for enhancing the security of a web application by using input filtering. An input filter may be configured to process untrusted input data, character by character, and to replace certain characters in text-based input with visually similar characters. This approach may be used to block a specified list of “triggering” characters as they come in and replace them with characters similar in appearance but without the syntactic meaning that triggers an attack or otherwise exploits a vulnerability in a web-application. | 09-08-2011 |
20110219447 | Identification of Unauthorized Code Running in an Operating System's Kernel - Computer implemented methods, system and apparatus for managing execution of a running-page in a virtual machine include associating an execution trace code with the running page by a security virtual machine. The execution trace code generates a notification upon initiation of the execution of the running page by the virtual machine. The notification is received by the security virtual machine running independent of the virtual machine executing the running-page. The running page associated with the execution trace code is validated by the security virtual machine as authorized for execution. An exception is generated if the running-page is not authorized for execution. The generated exception is to prevent the execution of the running page in the virtual machine. | 09-08-2011 |
20110225649 | Protecting Computer Systems From Malicious Software - A method, computer program product, and apparatus for determining whether newly installed software is malicious software are presented. In one illustrative embodiment, software is installed on a computer system to produce newly installed software running in a secured part of the computer system. The newly installed software is only permitted to access a subset of resources in the computer system when running in the secured part. The newly installed software is run on the computer system until a selected event occurs. The newly installed software running on the computer system is monitored until the selected event occurs. The monitoring creates information used to evaluate the software for malicious behavior. The information is presented on a display to a user after the selected event has occurred, wherein the presented information comprises a recommendation of whether to provide the software access to the resources in the computer system outside the subset of resources. | 09-15-2011 |
20110225650 | SYSTEMS AND METHODS FOR DETECTING AND INVESTIGATING INSIDER FRAUD - Systems, methods, and apparatus, including computer programs encoded on computer storage media, for detecting insider fraud. One method includes identifying one or more insider threat detection rules for an enterprise and obtaining behavioral data for an enterprise insider from multiple behavioral data sources. The enterprise is associated with a plurality of enterprise insiders, and the behavioral data describes at least one action of the first enterprise insider. The method further includes determining a threat score for the first enterprise insider based on the behavioral data for the first enterprise insider and one or more of the insider threat detection rules and initiating, when the threat score satisfies a threat threshold, one or more protective actions. | 09-15-2011 |
20110225651 | Trojan-Resistant Bus Architecture and Methods - A method of securing bus architecture from a Trojan attack. A restricted address access detector generates an unauthorized access detection signal when a master ID signal is within a restricted range. The unauthorized access detection signal disables the requested slave select signal, and the address decoder instead outputs a default slave select signal. A counter determines the duration of a lock signal from a master, and a comparator activates a malicious bus lock signal if the lock signal duration exceeds a threshold. The master mask register forcibly gates the lock signal upon receipt of the malicious bus lock signal. If the duration of a wait request from a slave exceeds a maximum duration register value, a comparator activates a malicious wait detection signal to disable the wait request signal. The method might include storing identifying information about the malicious master and storing a slave ID corresponding to the malicious slave. | 09-15-2011 |
20110225652 | IDENTITY THEFT COUNTERMEASURES - In some embodiments, techniques for computer security comprise preventing and/or mitigating identity theft such as phishing. | 09-15-2011 |
20110225653 | MONITORING SYSTEM, PROGRAM-EXECUTING DEVICE, MONITORING PROGRAM, RECORDING MEDIUM AND INTEGRATED CIRCUIT - To aim to provide a monitoring system and a program execution apparatus that are capable of maintaining the security intensity even in the case where an unauthentic install module is invalidated. Install modules | 09-15-2011 |
20110231931 | METHOD AND DEVICE FOR PREVENTING DOMAIN NAME SYSTEM SPOOFING - A method for preventing Domain Name System (DNS) spoofing includes: performing uppercase/lowercase conversion for letters of a DNS question field in a DNS request packet according to a preset rule; sending the DNS request packet; receiving a DNS response packet; obtaining uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet; and forwarding the DNS response packet to a target DNS client if the uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet complies with the preset rule. Corresponding to the method, a device for preventing DNS spoofing is disclosed. The method and device reduce occupation of storage resources of the device. | 09-22-2011 |
20110239294 | SYSTEM AND METHOD FOR DETECTING MALICIOUS SCRIPT - Provided are a system and method for detecting a malicious script. The system includes a script decomposition module for decomposing a web page into scripts, a static analysis module for statically analyzing the decomposed scripts in the form of a document file, a dynamic analysis module for dynamically executing and analyzing the decomposed scripts, and a comparison module for comparing an analysis result of the static analysis module and an analysis result of the dynamic analysis module to determine whether the decomposed scripts are malicious scripts. The system and method can recognize a hidden dangerous hypertext markup language (HTML) tag irrespective of an obfuscation technique for hiding a malicious script in a web page and thus can cope with an unknown obfuscation technique. | 09-29-2011 |
20110239295 | METHOD FOR SUPPORTING ATTACK DETECTION IN A DISTRIBUTED SYSTEM - A method for supporting attack detection in a distributed system, wherein a message being sent within the distributed system from a source entity to one or more target entities is transmitted via one or more intermediate entities, and wherein at least one of the one or more intermediate entities—tagging entity—appends an attack information tag to the message indicating whether the message constitutes or is part of an attack, is characterized in that a reputation system is provided, the reputation system being configured to receive the attack information tag generated by the tagging entity, and to generate a rating of the attack information tag. | 09-29-2011 |
20110239296 | TRACING UNAUTHORIZED USE OF SECURE MODULES - At least methods and systems for generating tracing data for tracing rogue secure modules in a population of secure modules are described wherein said rogue secure modules are configured for unauthorized provisioning of control words to a control word sharing network. One method comprises: executing a predetermined number of tracing experiments on said population, wherein each of said tracing experiments comprises: sending at least one tracing event message to each secure module in said selected population, wherein event information in said tracing event message is used to select at least part of said secure modules in said population to generate a tracing event; in response to the reception of said at least one tracing event message, a tracing event detector monitoring for a predetermined time the presence of at least one tracing event in said control word sharing network; and, storing tracing data in an event database, said tracing data comprising said event information and event detection information indicating whether or not a tracing event is detected. | 09-29-2011 |
20110239297 | TAMPERING MONITORING SYSTEM, CONTROL DEVICE, AND TAMPERING CONTROL METHOD - A management device detects whether any normal monitoring module that has not been tampered with exists by referring to monitoring results received from an information security device and selects, when existence is detected, one of the monitoring modules and assumes that the selected monitoring module has been tampered with. The monitoring device then successively applies a procedure to monitoring modules other than the selected monitoring module by referring to the monitoring results, starting from the selected monitoring module, the procedure being to assume that any monitoring module determining that a monitoring module assumed to have been tampered with is normal has also been tampered with. As a result of the procedure, when all of the monitoring modules are assumed to have been tampered with, the management device determines the selected monitoring module to be a normal monitoring module that has not been tampered with. | 09-29-2011 |
20110247068 | Method And Apparatus For Enhanced Security In A Data Communications Network - A method and apparatus for enhancing the security of a data communications network. When a packet or other data unit enters the network, an associated geolocation is ascertained and a value representing that geolocation, that is, geolocation information, is inserted into the packet. When a packet is about to leave the network, the previously inserted geolocation information is analyzed, and in most cases removed, and a decision is made according to the analysis as to whether to forward the packet or discard it due to a suspect character. In some cases, suspect packets are instead flagged and forwarded, sometimes in connection with sending a warning to the intended recipient. | 10-06-2011 |
20110247069 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR DETERMINING A RISK SCORE FOR AN ENTITY - In accordance with embodiments, there are provided mechanisms and methods for determining a risk score for an entity. These mechanisms and methods for determining a risk score for an entity can enable more effective monitoring of a system, can create more relevant data associated with the entity, etc. | 10-06-2011 |
20110247070 | ANTI-PHISHING PROTECTION - Anti-Phishing protection assists in protecting against phishing attacks. Any links that are contained within a message that has been identified as a phishing message are disabled. A warning message is shown when the phishing message is accessed. The first time a disabled link within the phishing message is selected a dismissible dialog box is displayed containing information about how to enable links in the message. After the user dismisses the dialog, clicking on a disabled link causes the warning message to flash drawing the user's attention to the potential severity of the problem. The links may be enabled by the user by selecting the warning message and choosing the appropriate option. Once the user enables the links, future displays of the message show the links as enabled. | 10-06-2011 |
20110252472 | Bot-Network Detection Based on Simple Mail Transfer Protocol (SMTP) Characteristics of E-Mail Senders Within IP Address Aggregates - A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers. Bot likelihood scores are determined for the resulting IP-address-aggregate-categories based on historically known bot IP addresses. | 10-13-2011 |
20110252473 | Protection of Computer System - Protection of a computer system ( | 10-13-2011 |
20110258699 | METHOD AND APPARATUS FOR THE PREVENTION OF A SERVICE DEGRADATION ATTACK - In a wireless communication system where the data transmission is optimized with respect to the channel state information fed back by the users, a service degradation attack can be made by feeding back faked channel state information. A method for preventing a service degradation attack on a first wireless communication device by a second wireless communication device in a wireless communication system, said method comprising: verifying by a base station whether the channel state information sent to the base station by the second wireless communication device corresponds to its real channel. | 10-20-2011 |
20110258700 | VERIFYING AUTHENTICITY OF INSTANT MESSAGING MESSAGES - A method comprises performing verification of an IM message sent using a specified Instant Messaging (IM) screen name and received by an information recipient after successful verification of authenticity of an authentication certificate received by the information recipient from the specified IM screen name. Verifying the IM message includes successfully verifying authenticity of the IM message using authentication information contained in the received authentication certificate. The IM message includes an encoded checksum for designated parts of the IM message. Performing verification of the IM message includes verifying authenticity of the encoded checksum. | 10-20-2011 |
20110265179 | RESTRICTING USER ACCESS ON SHARED COMPUTER - A method for restricting, based on predefined user profile information, access to software executing on a computing device of a user. The method comprises the following steps. Input data is intercepted from a user input device. The input data is compared with a list of restrictions in the user profile information to determine if an action associated with the input data is prohibited. The input data is passed to the software for execution only if the action associated with the input data is not prohibited. A method for restricting, based on predefined user profile information, access to notifications generated for a user is also provided. | 10-27-2011 |
20110265180 | TAMPERING MONITORING SYSTEM, MANAGEMENT APPARATUS, AND MANAGEMENT METHOD - An information security apparatus ( | 10-27-2011 |
20110265181 | METHOD, SYSTEM AND GATEWAY FOR PROTECTION AGAINST NETWORK ATTACKS - A method, a system and a gateway for protection against network attacks are provided. The method includes: receiving source request information and destination request information that are sent by a client, where the destination request information is notified by a Domain Name System (DNS) to the client sending the source request information; checking the source request information and the destination request information; and discarding the source request information and the destination request information when the checking result is undesirable. Through the technical solution, the DNS selects the destination request information according to the source request information sent by the client, and establishes a corresponding relation between the client and a server according to a matching relation between the source request information and the destination request information, so as to prevent DDOS attacks. | 10-27-2011 |
20110271340 | METHOD AND APPARATUS FOR DETECTING SPOOFED NETWORK TRAFFIC - A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network. | 11-03-2011 |
20110283355 | EDGE COMPUTING PLATFORM FOR DELIVERY OF RICH INTERNET APPLICATIONS - An edge computing platform that provides on-demand delivery of Rich Internet Applications and other applications is disclosed. One embodiment includes an optional manager node and content distribution network (CDN) that include one or more compute nodes. The CDN collects information pertaining to execution of a software application. The CDN aggregates the information and transfers the aggregated information to the manager node. The manager node analyzes the information from the CDN and transfers results of the analysis to the CDN. The CDN receives a software application that is designed to be dynamically updated when executed at the clients. The CDN modifies the software application based on the information from the manager node. The CDN receives a request that pertains to the software application from a client device. The CDN transfers at least a portion of the modified software application to the client. | 11-17-2011 |
20110283356 | Security Monitoring - Disclosed are systems, apparatus, methods, and computer readable media for determining a combined trust level for a website. In one embodiment, a user account associated with the creation or maintenance of the website may be analyzed. The analysis of the user account may be capable of identifying the presence or absence of a first risk factor affecting a likelihood that the user account is engaged in a malicious activity. A source code file capable of being used to create a message for sending to a remote computing device may be analyzed. The analysis of the source code file may be capable of identifying the presence or absence of a second risk factor affecting a likelihood that the source code file is facilitating a malicious activity. Based on the analysis, a combined trust level for the website may be determined. | 11-17-2011 |
20110283357 | SYSTEMS AND METHODS FOR IDENTIFYING MALICIOUS DOMAINS USING INTERNET-WIDE DNS LOOKUP PATTERNS - Systems and methods are disclosed for identifying domains as malicious based on Internet-wide DNS lookup patterns. Disclosed embodiments look for variance in the servers that look up a domain and also look at the popularity growth (quantity of queries from unique addresses) of a domain after registration to identify malicious domains. Other disclosed embodiments measure the similarity of servers that query a domain and cluster domains based on the similarity of those servers. Disclosed embodiments may use such temporal and spatial lookup patterns as input to a blacklist process to more effectively and quickly blacklist domains based on their Internet-wide lookup patterns. | 11-17-2011 |
20110289582 | METHOD FOR DETECTING MALICIOUS JAVASCRIPT - An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of an enhanced browser emulator as controlled by javascript provided by the webpage. The enhanced browser emulator tracks behaviors which when aggregated imply malicious intent. | 11-24-2011 |
20110289583 | CORRELATION ENGINE FOR DETECTING NETWORK ATTACKS AND DETECTION METHOD - A method for detecting network attacks is provided. In one implementation, the method receives a plurality of attack indications based on data transmitted on the network and applies rules to the plurality of attack indications. Also, the method generates an alert if an application of at least a subset of the rules on the plurality of attack indications indicates a potential attack. In addition, a network device that performs the method and a computer program corresponding to the method are provided. | 11-24-2011 |
20110296524 | Campaign Detection - Campaign detection techniques are described. In implementations, a signature is computed for each of a plurality of emails to be communicated by a service provider to respective intended recipients. A determination is made that two or more of the plurality of emails are similar based on the respective signatures. Responsive to a finding that a number of similar emails exceeds a threshold, an indication is output that the similar emails have a likelihood of being involved in a spam campaign. | 12-01-2011 |
20110302651 | VERIFICATION OF A SEGMENTED PROGRAM ON A PARALLEL PROCESSING COMPUTING SYSTEM - Embodiments of the invention provide a method, apparatus, and program product to verify a program that includes a plurality of sections with a computing system that is configured to process a plurality of threads of execution. The method comprises verifying and executing a first section of the program utilizing a first thread of execution in response to activation of the program and determining a second section of the program to execute subsequent to the first section. The method further comprises verifying the second section utilizing a second thread of execution in parallel with the execution of the first section. Another embodiment of the invention provides a method of compiling a program that includes program code by grouping the program code into sections based upon the execution time of the program code and based upon which program code is most commonly executed. | 12-08-2011 |
20110302652 | SYSTEM AND METHOD FOR DETECTING REAL-TIME SECURITY THREATS IN A NETWORK DATACENTER - The system and method described herein may include a configuration management database that describes every known service endpoint in a network datacenter to represent a steady state for the datacenter. One or more listeners may then observe traffic in the datacenter in real-time to detect network conversations initiating new activity in the datacenter, which may be correlated, in real-time, with the information in the configuration management database representing the steady state for the datacenter. Thus, in response to the new activity failing to correlate with the known service endpoints, a real-time security alert may be generated to indicate that any network conversations initiating such activity fall out-of-scope from the steady state for the information technology datacenter. | 12-08-2011 |
20110302653 | System and Method for Network Security Including Detection of Attacks Through Partner Websites - A computer readable storage medium has instructions for execution on a computer. The instructions monitor transactions between a server and a set of clients. An evaluation of session indicators associated with the transactions is performed. Individual sessions between the server and individual clients of the set of clients are isolated in response to the evaluation. | 12-08-2011 |
20110307953 | Radio Channel Metrics for Secure Wireless Network Pairing - Technologies are generally described for using metrics of radio path characteristics within a wireless network to establish signal signature vectors. These signal signature vectors may be used as a shared secret between network nodes to establish affirmative identification. For example, a signal signature vector may be established when a new node sends a fixed number of packets to the existing nodes and the existing nodes send a fixed number of other packets back to the new node. The number of properly received packets can be counted to establish a success probability between the new node and each existing node. These probabilities can be normalized and quantized to generate signal signature vectors at each node. Without ever transmitting any of the vectors, the vector at the new node should be highly correlated to the vectors at existing nodes since the pair-wise channels between each of the nodes should be reasonably symmetrical. | 12-15-2011 |
20110307954 | SYSTEM AND METHOD FOR IMPROVING COVERAGE FOR WEB CODE - A system and method for improving code coverage for web code that is analyzed for security purposes by dynamic code execution are described. A controller receives information, routes the information to the appropriate engine, analyzer or module and provides the functionality for improving code coverage for code analyzed for security purposes. A code rewrite engine rewrites code in such a way that all branches and stray functions will be executed. A dynamic analyzer performs dynamic analysis on web content to detect malicious code. Additionally, a static analyzer performs static analysis on web content. The static analyzer scans web content and detects a style of coding, a style of obfuscation of the code or patterns in the code. | 12-15-2011 |
20110321160 | SYSTEMS AND METHODS TO DETECT MALICIOUS MEDIA FILES - Systems and methods to detect malicious media files are described. In one example, an apparatus including a network connection, a memory, and a programmable processor communicatively coupled to the memory is discussed. The memory can include instructions, which when executed by the programmable processor cause the apparatus to receive a data stream from the network connection and detect at least a portion of a media file within the data stream. The instructions can also cause the apparatus to determine a file type of the media file and extract the media file from the data stream. Further, the instructions cause the apparatus to parse the media file to locate a suspicious tag, extract an embedded URL from the suspicious tag, determine whether the embedded URL is malicious, and block the media file if the embedded URL is malicious. | 12-29-2011 |
20110321161 | MITIGATING EXCESSIVE OPERATIONS ATTACKS IN A WIRELESS COMMUNICATION NETWORK - A technique for mitigating excessive operations attacks in a wireless communication network includes receiving message requests from stations, detecting an excessive operation attack, checking if a received request is a first request or a retry request, and ignoring any first requests. The method can also include saving information about the first request, and wherein if checking reveals that the received request is a retry request, the method further confirms that the retry request and the saved information about the first request meet matching conditions, whereupon the retry request is further processed as normal. Since attacks rarely utilize retry requests, this technique effectively ignores attack messages. | 12-29-2011 |
20110321162 | Methods And Systems For Providing Security For Page Framing - Techniques for analyzing a page to be presented by a browser running on a computing platform. The page is disabled. The page is tested to determine if the page is framed by a second page. The page is enabled if the testing indicates that the page is not framed by a second page. Each level of a hierarchy of framed pages is inspected to determine whether each level is authorized. The page is enabled if the inspecting indicates that each level of the hierarchy of framed pages is authorized. | 12-29-2011 |
20120005749 | Generic Fraud Detection Model - A method for dynamically updating a model is described. The method includes accessing a model that specifies expected characteristics for a transaction. The model includes variables associated with fraud. The method also includes receiving at least one value for each of the variables while monitoring transactions, and updating a distribution of values for each variable based on the received value. The received value is compared with the updated distribution to determine a deviation from a threshold value associated with a percentile of the updated distribution that is indicative of fraud. | 01-05-2012 |
20120017274 | WEB SCANNING SITE MAP ANNOTATION - A computerized website vulnerability scanner includes a scanning module operable to navigate through a website and scan the website for vulnerabilities, and an annotation module operable to present a map of web pages comprising a part of the website. The annotation module is also operable to receive annotations from a user that are associated with the web pages, and the scanning module is further operable to use the user-provided annotations in subsequently scanning the website. | 01-19-2012 |
20120023576 | INSIDER THREAT CORRELATION TOOL - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a threat score representing a first time period may be calculated. The first threat score may be calculated from a quantification of a plurality of activity violations across a plurality of control groups. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further embodiments may be configured to consider additional indicators. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating. | 01-26-2012 |
20120023577 | VERIFYING WORK PERFORMED BY UNTRUSTED COMPUTING NODES - Techniques for verifying work performed by untrusted computing nodes are provided. A central computing system determines a first computation that is to be performed, at least in part, by a first untrusted computing node. The central computing system also determines a transformation function that is applied to the first computation to produce an equivalent second computation that is to be performed, at least in part, by a second untrusted computing node. The central computing system assigns the first computation to the first untrusted computing node and the second computation to the second untrusted computing node while keeping the transformation function secret. The central computing system receives a first result for the first computation and a second result for the second computation. The central computing system analyzes the first and second results to verify the work performed by the first and second untrusted computing nodes. | 01-26-2012 |
20120023578 | MALICIOUS CODE DETECTION - A device includes a pipeline and a detector that are both implemented at least in hardware. Data is moved through the pipeline to perform processing of the data unrelated to detection of malicious code. The detector detects the malicious code within the data as the data is moved through the pipeline, in parallel with the processing of the data as the data is moved through the pipeline. The detector detects the malicious code within the data as the data is moved through the pipeline without delaying movement of the data into, through, and out of the pipeline. | 01-26-2012 |
20120030757 | LOGIN INITIATED SCANNING OF COMPUTING DEVICES - Embodiments of the invention relate to systems, methods, and computer program products for login initiated remote scanning of computer devices. The present invention detects login to the network via access management systems. The login data provides information that identifies the device so that the device can be checked against a scan database to determine if and when a previous scan occurred. Based on the findings in the scan database, determinations are made as to whether to perform a scan. Additionally, the level of scanning can be determined based on previous scan dates and previous scan results, which may dictate customized scanning. In addition, the priority of the impending scan may be dictated by previous scan dates and results. Further embodiments provide for assessing risk, such as risk scoring or the like, concurrently or in near-real-time with the completion of the scan so that alerts may be communicated. | 02-02-2012 |
20120030758 | Automated Diversity Using Return Oriented Programming - A method of automatically creating functionally and structurally diverse equivalent copies of software executables using return oriented programming for the purpose of passing through a filter and other purposes includes starting with a program and a target runtime environment, creating a return oriented instruction library having a plurality of code fragments which end in a ‘return’ instruction from the program and chaining fragments together to automatically form diverse equivalent copies of software executables using return oriented programming. | 02-02-2012 |
20120042380 | SECURE MODULE AND INFORMATION PROCESSING APPARATUS - A secure module includes a generating unit that executes generation processing of generating a scanning program that causes scan processing, which generates unique code for a program under test, to be executed at a connected device and further executes update processing of randomly updating contents of the scanning program; a storage device storing therein the unique code for the program under test; and an authenticating unit that if the scanning program is executed by the connected device and executed with respect to the program under test stored at a designated storage area in the connected device, authenticates validity of the program under test stored at the designated storage area, based on the unique code stored in the storage device and execution results of the scanning program executed at the connected device. | 02-16-2012 |
20120042381 | METHOD AND SYSTEM FOR DETERMINING WHETHER DOMAIN NAMES ARE LEGITIMATE OR MALICIOUS - A system and method for determining whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for at least one new domain, where the reputation indicates whether the at least one new domain is likely to be for malicious or legitimate uses. | 02-16-2012 |
20120042382 | SYSTEM AND METHOD FOR MONITORING AND ANALYZING MULTIPLE INTERFACES AND MULTIPLE PROTOCOLS - The present invention is a system and method for providing security for a mobile device by analyzing data being transmitted or received by multiple types of networks. The invention can provide security for many types of network interfaces on a mobile device, including: Bluetooth, WiFi, cellular networks, USB, SMS, infrared, and near-field communication. Data is gathered at multiple points in a given processing pathway and linked by a protocol tracking component in order to analyze each protocol present in the data after an appropriate amount of processing by the mobile device. Protocol analysis components are utilized dynamically to analyze data and are re-used between multiple data pathways so as to be able to support an arbitrary number of network data pathways on a mobile device without requiring substantial overhead. | 02-16-2012 |
20120047576 | Hardware-Implemented Hypervisor for Root-of-Trust Monitoring and Control of Computer System - A system and method for modifying a processor system with hypervisor hardware to provide protection against malware. The processor system is assumed to be of a type having at least a CPU and a high-speed bus for providing data links between the CPU, other bus masters, and peripherals (including a debug interface unit). The hypervisor hardware elements are (1) a co-processor programmed to perform one or more security tasks; (2) a communications interface between the co-processor and the debug interface unit; (3) a behavioral interface on the high-speed bus, configured to monitor control signals from the CPU, and (4) an access controller on the high-speed bus, configured to store access control data, to intercept requests on the high-speed bus, to evaluate the requests against the access control data, and to grant or deny the requests. | 02-23-2012 |
20120047577 | SAFE URL SHORTENING - A safe URL shortening service creates a short URL from any valid long URL. At resolution time, the service determines if the resulting URL points to a known bad, known good, or unknown site. Depending on the determination results, the service may redirect a user to the target site, block redirection, or present a warning page that allows the user to manually activate the target link. | 02-23-2012 |
20120047578 | Method and System for Device Integrity Authentication - Device integrity authentication is performed by receiving, at a second device, data from a first device. A determination is made at the second device as to whether at least a portion of the data is associated with a protected datatype. A measured integrity value of the first device is determined in response to the portion of the data being associated with the protected datatype. The measured integrity value of the first device is compared to an embedded integrity value associated with the second device. Application of at least one of a plurality of policies associated with processing the data is facilitated at the second device based on the comparison and the protected datatype. | 02-23-2012 |
20120066762 | SYSTEM AND METHOD OF WHITELISTING PARENT VIRTUAL IMAGES - In embodiments of the present invention improved capabilities are described for virtual machine scan optimization. In response to a change in the primary virtual machine, the virtual machine scan optimization may involve comparing the primary virtual machine to the related virtual machine and tracking changes of the primary virtual machine with respect to the related virtual machine wherein the changes are identified by location within the primary virtual machine; forming a tracked changes log; generating a relevant file map of the primary virtual machine wherein the relevant file map includes a plurality of relevant files and each of the plurality of relevant files' locations in the primary virtual machine; comparing the changed locations identified in the tracked changes log with the locations of the plurality of relevant files to determine if any one of the plurality of relevant files has been changed; and in the event that a relevant file has been changed, as indicated by the comparison of the relevant file map to the tracked changes log, causing the changed relevant file to be security scanned. | 03-15-2012 |
20120066763 | Insider Threat Correlation Tool - Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a first threat score representing a first time period may be calculated. The first threat score may be compared with aspects of the same user accounts for a second time period. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmissions may be considered when constructing a threat rating. Blocked transmissions enforced upon a user account may also be received. Certain activity, such as accessing the internet, may be monitored for the presence of a security threat and/or an ethics threat. | 03-15-2012 |
20120066764 | METHOD AND APPARATUS FOR ENHANCING SECURITY IN A ZIGBEE WIRELESS COMMUNICATION PROTOCOL - The present invention relates to a technique for solving security vulnerability of a ZigBee wireless communication protocol frequently used as a low-power wireless communication protocol in a home network, a sensor network, or the like, and an apparatus therefor. An ACL security hardware block having diverse security functions is proposed, and a safe and reliable ZigBee wireless communication protocol is provided by applying a method of effectively detecting a replay attack, a method of efficiently managing a group key, and a method of detecting transmission of the same nonce value in advance. | 03-15-2012 |
20120072982 | DETECTING POTENTIAL FRAUDULENT ONLINE USER ACTIVITY - One or more techniques and/or systems are disclosed herein for identifying potentially fraudulent use of user generated content (UGC) for an online activity by a user. Server-based information and browser-based information associated with the user is identified and used to create a user signature. The user signature is associated with the UGC for the online activity in a cache-key. The cache-key is compared to a desired threshold for identifying potentially fraudulent use of the UGC for the online activity, where potential fraud may be detected if the cache-key meets the desired threshold. | 03-22-2012 |
20120072983 | SYSTEM AND METHOD FOR PRIVACY-ENHANCED CYBER DATA FUSION USING TEMPORAL-BEHAVIORAL AGGREGATION AND ANALYSIS - A method of determining, within a deployed environment over a data communication network, network threats and their associated behaviors. The method includes the steps of acquiring sensor data that identifies a specific contact, normalizing the acquired sensor data to generate transformed sensor data, deriving, for the specific contact from the transformed sensor data, a contact behavior feature vector for each of a plurality of time periods, determining, for the specific contact, scores associated with each of a plurality of classification modules to form a contact score vector, the contact score vector being independent of an identity of the specific contact, identifying a type of the specific contact based on the contact score vector, and determining a threat type, based on the contact behavioral profile and the contact score vector, when the specific contact is determined to be a threat in the identifying step. | 03-22-2012 |
20120072984 | REGULATING ATOMIC MEMORY OPERATIONS TO PREVENT DENIAL OF SERVICE ATTACK - In one embodiment, the present invention includes a method for identifying a termination sequence for an atomic memory operation executed by a first thread, associating a timer with the first thread, and preventing the first thread from execution of a memory cluster operation after completion of the atomic memory operation until a prevention window has passed. This method may be executed by regulation logic associated with a memory execution unit of a processor, in some embodiments. Other embodiments are described and claimed. | 03-22-2012 |
20120072985 | MANAGING SERVICES IN A CLOUD COMPUTING ENVIRONMENT - What is provided are a system and method which enable an organization or user to manage computational services in a cloud computing network for security, compliance and governance. The management includes creating a trusted virtual network including encrypted data storage, encrypted data transport, and trusted instances of servers all communicatively coupled together, forming a trusted cloud computing environment that is associated with the organization. A web portal running on a web server provides a point of access to the cloud computing environment. A workflow is accessed to implement one or more policies in the trusted computing environment to manage the trusted cloud computing environment, the workflow customized to the organization. Access control to the trusted cloud computing environment is used to ensure access by users authorized by the organization and to ensure compliance with adopted standards. | 03-22-2012 |
20120072986 | METHODS FOR DETECTING AND CLASSIFYING SIGNALS TRANSMITTED OVER A RADIO FREQUENCY SPECTRUM - A method for classifying a signal is disclosed. The method can be used by a station or stations within a network to classify the signal as non-cooperative (NC) or a target signal. The method performs classification over channels within a frequency spectrum. The percentage of power above a first threshold is computed for a channel. Based on the percentage, a signal is classified as a narrowband signal. If the percentage indicates the absence of a narrowband signal, then a lower second threshold is applied to confirm the absence according to the percentage of power above the second threshold. The signal is classified as a narrowband signal or pre-classified as a wideband signal based on the percentage. Pre-classified wideband signals are classified as a wideband NC signal or target signal using spectrum masks. | 03-22-2012 |
20120079591 | Data Filtering for Communication Devices - Technologies are generally described for data filtering for communication devices. In one example, a method of receiving data from a data source on a communication device is disclosed. The method includes determining, at the communication device, a domain name of the data source. The method also includes determining, at the communication device, one or more communication networks the communication device is connected to. The method further includes processing, at the communication device, the domain name for acceptance based on the one or more connected communication networks. The method also includes receiving the data from the data source, at the communication device, if the domain name is accepted. | 03-29-2012 |
20120079592 | IP PRIORITIZATION AND SCORING SYSTEM FOR DDOS DETECTION AND MITIGATION - A method and system to mitigate an attack over the Internet includes collecting information related to a plurality of client IP addresses from a plurality of sources and analyzing the collected information to determine confidence scores for the plurality of client IP addresses. The method and system also include receiving network traffic from the Internet and limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold. The method and system further include determining a level of the network traffic and limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold. | 03-29-2012 |
20120084857 | DEVICE SECURITY SYSTEM - A computer-implemented method may include identifying a security event condition associated with a device. One or more security rules may be identified for execution based on the device and the identified security event condition, wherein the one or more security rules define security related actions to be performed upon occurrence of the security event condition. The security related actions may be initiated by at least one processor on the device to secure the device from unauthorized use. | 04-05-2012 |
20120084858 | SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY - Embodiments of systems and methods for detecting aberrant network behavior are disclosed. One embodiment comprises a network interface over which network communications are received from a client. These network communications can then be analyzed to determine if aberrant network behavior is occurring with respect to the client. | 04-05-2012 |
20120090025 | SYSTEMS AND METHODS FOR DETECTION OF MALICIOUS SOFTWARE PACKAGES - A software repository offering a software package or a computing system downloading a software package can utilize a security tool to verify the security of the software package. The security tool can check and verify that the software package is secure utilizing a black list of components. To check the security, the security tool can compare the components (archival files) of the software package to the black list. A black list can include a list of components that are known to be insecure. | 04-12-2012 |
20120090026 | CROSS-SITE SCRIPTING PREVENTION IN DYNAMIC CONTENT - Embodiments relate to systems, methods, and computer storage media for suppressing cross-site scripting in a content delivery system. A request is received for content that includes a scripted item or scripted items. The scripted item is identified within the content. An identifier is associated with the scripted item when the scripted item is an intended scripted item to be associated with the content. The identifier may be a hash value based on a hash function and the scripted item. Prior to communicating the content to a user, the scripted item is identified again to determine if an identifier is associated with the scripted item. If an identifier is associated with the scripted item, the identifier is evaluated to determine if the identifier is appropriate. When the identifier is determined to not be appropriate, the scripted item is prevented from being communicated to a user. | 04-12-2012 |
20120090027 | APPARATUS AND METHOD FOR DETECTING ABNORMAL HOST BASED ON SESSION MONITORING - An apparatus for detecting an abnormal host based on session monitoring includes: a host information collection unit for collecting information of processes being executed in hosts and information of sessions connected by the hosts; a network traffic monitoring unit for collecting network traffic information; an analysis unit for calculating an entropy of each host based on the collected session information to analyze correlation between hosts based on the calculated entropy and the network traffic information; and a detection unit for detecting an abnormal host and a process causing harmful traffic in the abnormal host based on the correlation and updating a black list based on the detected host and process. | 04-12-2012 |
20120090028 | REAL-TIME NETWORK ATTACK DETECTION AND MITIGATION INFRASTRUCTURE - The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway. | 04-12-2012 |
20120090029 | METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE - A method that protects computer data from untrusted programs. Each of the computer's objects and processes is assigned trust attributes, which define the way it can interact with other objects within the system. When an object is classified as untrusted, it can interact with other objects within the system only on a limited basis. A virtualized system is provided on the computer so that when the untrusted object attempts to perform an operation that is outside its scope of authorization, the virtualized system intercepts the operation but presents the untrusted program with an indication that the requested operation has been performed. The method further includes processes to securely move a program from an untrusted group to a trusted group. | 04-12-2012 |
20120096546 | Edge server HTTP POST message processing - A CDN edge server process receives an HTTP message, takes a given action with respect to that message, and then forwards a modified version of the message to a target server, typically a server associated with a CDN customer. The process may include an associated intermediate processing agent (IPA) or a sub-processing thread to facilitate the given action. In one embodiment, the message is an HTTP POST, and the given action comprises the following: (i) recognizing the POST, (ii) removing given data from the POST, (iii) issuing an intermediate (or subordinate) request to another process (e.g., a third party server), passing the given data removed from the POST to the process, (iv) receiving a response to the intermediate request, (v) incorporating data received from or associated with the response into a new HTTP message, and (vi) forwarding the new HTTP message onto the target server. In this manner, the given data in the POST may be protected as the HTTP message “passes through” the edge server on its way from the client to the target (merchant) server. In an alternative embodiment, data extracted from the POST message is enhanced by passing the data to an externalized process and adding a derived value (such as a fraud risk score based on the data) back into the message. | 04-19-2012 |
20120096547 | METHOD FOR DETECTING AN ATTEMPTED ATTACK, RECORDING MEDIUM, AND SECURITY PROCESSOR FOR SAID METHOD - This method in which an attempt to attack a security processor is detected by the security processor itself comprises: | 04-19-2012 |
20120110664 | METHOD AND APPARATUS FOR AVOIDING DENIAL OF SERVICE IN WEB-SERVICE BASED SYSTEMS - The disclosure relates to a method for identifying and preventing propagation of a DOS attack on a WS-Notification NotificationBroker by inspecting the subscription request. If the address of the NotificationConsumer identified by the subscription request is equivalent to that of the NotificationBroker then the subscription request is rejected. | 05-03-2012 |
20120117644 | System and Method for Internet Security - A computer implemented method for preventing SQL injection attacks comprises intercepting a web request associated with a web service at a first software hook in a first web service execution context, persisting at least a portion of the intercepted web request in a storage location associated with the first software hook and accessible to at least one additional execution context, intercepting a database query generated by at least one web service processing operation at a second software hook associated with the execution of the query, wherein the query is generated in response to the intercepted web request and the second hook retrieves the persisted portion of the intercepted web request, comparing a portion of the persisted portion of the intercepted web request with at least a portion of the intercepted database query, and determining, prior to the query being executed, whether the query corresponds to a potential SQL injection attack. | 05-10-2012 |
20120117645 | DETECTION CIRCUIT, DETECTION METHOD THEREOF, AND MEMORY SYSTEM INCLUDING THE DETECTION CIRCUIT - A detection circuit, including a sensing circuit configured to sense whether there is an external attack and generate second data from first data, a data conversion circuit configured to convert the first data to third data, and a comparator configured to compare the second data with the third data. | 05-10-2012 |
20120117646 | TRANSMISSION CONTROL PROTOCOL FLOODING ATTACK PREVENTION METHOD AND APPARATUS - Disclosed herein is a Transmission Control Protocol (TCP) flooding attack prevention method. The TCP flooding attack prevention method includes identifying the type of a packet received at an intermediate stage between a client and a server; determining the direction of the packet; defining a plurality of session states based on the type and the direction of the packet; detecting a TCP flooding attack by tracking the session states for each flow; and responding to the TCP flooding attack based on the type of the TCP flooding attack. | 05-10-2012 |
20120124664 | DIFFERENTIATING BETWEEN GOOD AND BAD CONTENT IN A USER-PROVIDED CONTENT SYSTEM - A system differentiates good content from bad content in a user-provided content system. Messages are analyzed for features that characterize messages. A feature may occur in one or more messages. A feature that has more than a threshold number of occurrences in messages in a time interval is identified for further analysis. Enhanced authentication is requested from senders of the messages with occurrences of the identified feature. Based on the rate at which senders of the messages pass authentication, the content associated with the message is determined to be good content or bad content. Subsequent messages are blocked or successfully delivered based on whether features occurring in the messages are indicative of good content or bad content. | 05-17-2012 |
20120124665 | METHOD AND APPARATUS FOR DETECTING A ROGUE ACCESS POINT IN A COMMUNICATION NETWORK - A method and apparatus for detecting a rogue access point in a communication network is described herein. The method includes a probing unit sending a pre-detection message to an associated access point in the communication network. The pre-detection message indicates the start of a rogue access point detection mode and informs the associated access point not to respond to probe requests following the pre-detection message. The method further includes the probing unit broadcasting probe requests in the communication network. The probing unit detects that one or more of the plurality of access points is the rogue access point based on receiving a probe response in reply to the broadcast probe request from the rogue access point. A method for detecting a rogue access point includes broadcasting a probe request with a proprietary information bit and detecting the rogue access point based on receiving a probe response for the broadcast probe request. | 05-17-2012 |
20120131668 | Policy-Driven Detection And Verification Of Methods Such As Sanitizers And Validators - A method includes performing a static analysis on a program having sources and sinks to track string flow from the sources to the sinks. The static analysis includes, for string variables in the program that begin at sources, computing grammar of all possible string values for each of the string variables and, for methods in the program operating on any of the string variables, computing grammar of string variables returned by the methods. The static analysis also includes, in response to one of the string variables reaching a sink that performs a security-sensitive operation, comparing current grammar of the one string variable with a policy corresponding to the security-sensitive operation, and performing a reporting operation based on the comparing. Apparatus and computer program products are also disclosed. | 05-24-2012 |
20120131669 | Determining whether method of computer program is a validator - An illegal pattern and a computer program having a method are received. The method has one or more return statements, and a number of basic blocks. The method is normalized so that each return statement of the target method relating to the illegal pattern returns a constant Boolean value. A first path condition and a second path condition for one or more corresponding paths is determined such that one or more corresponding basic blocks return a constant Boolean value of true for the first path condition and a constant Boolean value of false for the second path condition. An unsatisfiability of each path condition is determined using a monadic second-order logic (M2L) technique. Where the unsatisfiability of either path condition is false, the method is reported as not being a validator. Where the unsatisfiability of either path condition is true, the method is reported as being a validator. | 05-24-2012 |
20120131670 | Global Variable Security Analysis - A method includes determining selected global variables in a program for which flow of the selected global variables through the program is to be tracked. The selected global variables are less than all the global variables in the program. The method includes using a static analysis performed on the program, tracking flow through the program for the selected global variables. In response to one or more of the selected global variables being used in security-sensitive operations in the flow, use is analyzed of each one of the selected global variables in a corresponding security-sensitive operation. In response to a determination the use may be a potential security violation, the potential security violation is reported. Apparatus and computer program products are also disclosed. | 05-24-2012 |
20120131671 | Securing An Access Provider - To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider. | 05-24-2012 |
20120137361 | NETWORK SECURITY CONTROL SYSTEM AND METHOD, AND SECURITY EVENT PROCESSING APPARATUS AND VISUALIZATION PROCESSING APPARATUS FOR NETWORK SECURITY CONTROL - A network security control system includes: a network event generator for generating network events; a security event processing apparatus for collecting the network events from the network event generator via a network and processing the collected network events as target data for visualization; and a visualization processing apparatus for visualizing the target data to display a security status as three-dimensional (3D) visualization information on an organization basis. | 05-31-2012 |
20120137362 | COLLABORATIVE SECURITY SYSTEM FOR RESIDENTIAL USERS - The invention relates to a collaborative system for security information exchange between users, based on the fact that a determined function (whether storing or processing) is spread out at different points of a network to achieve more scalable processing and storing factors than if they were all done at one and the same point. | 05-31-2012 |
20120137363 | Method and Device for Preventing CSRF Attack - The disclosure provides a device and method for preventing CSRF attacks, in which the method comprises: intercepting a request sent from a client browser to a server; generating a token; generating a response to the request; inserting the token into the response to the request; and sending the response to the request, with the token inserted into it, to the client browser. With the method and device of the disclosure, it is assured that a token is inserted into all the requests made by a user through a client browser for accessing a resource. It can then be assured that a request was issued by the user himself by verifying whether the token in the request is valid, thereby preventing a CSRF attack. | 05-31-2012 |
20120137364 | REMOTE ATTESTATION OF A MOBILE DEVICE - Secure services and hardware on a mobile device are disabled if it is detected that software in the untrusted domain, such as the operating system, has been hacked or tampered with. Mobile devices often have rich, unprotected operating systems which are vulnerable to hacking, especially from execution of one or more apps. These apps are separated from secure services on the device, such as e-wallet services, NFC functionality, camera, enterprise access, and the like, and the present invention ensures that tampering with code in the untrusted domain or operating system does not affect these and other secure services. If tampering in the untrusted space is detected, the secure services and possible hardware on the device are shutdown or disabled. The extent of this disablement may depend on various factors, such as use of the device, type of device, context in which device is used (e.g., military, enterprise). | 05-31-2012 |
20120144480 | Using Virtual Table Protections to Prevent the Exploitation of Object Corruption Vulnerabilities - The subject disclosure is directed towards preventing the exploitation by malicious code of object state corruption vulnerabilities, such as use-after-free vulnerabilities. An object class is configured with a secret cookie in a virtual function table of the object, e.g., inserted at compile time. An instrumentation check inserted in the program code evaluates the secret cookie to determine whether the object state has been corrupted before object access (e.g., a call to one of the object's methods) is allowed. If corrupted, access to the object is prevented by the instrumentation check. Another instrumentation check may be used to determine whether the object's virtual table pointer points to a location outside of the module that contains the legitimate virtual function table; if so, object access is prevented. | 06-07-2012 |
20120144481 | HOST IP REPUTATION - Various embodiments described above are directed to identifying abuse-hosting services at their source, rather than using such intermediaries as URLs and associated domains. In one or more embodiments, threats can be blocked by using the Internet protocol (IP) address of an identified attacker that is hosting content associated with abuse. | 06-07-2012 |
20120144482 | Method and System for Whitelisting Software Components - A method and system for whitelisting software components is disclosed. In a first operating environment, runtime information may be collected about a first loaded and executing software component. The collected information may be communicated to a second software component operating in a second operating environment that is isolated from the first operating environment. The collected runtime information may be compared with a validated set of information about the first software component. Other embodiments are described and claimed. | 06-07-2012 |
20120144483 | METHOD AND APPARATUS FOR PREVENTING NETWORK ATTACK - The present disclosure relates to the communication field, and discloses a method for preventing a network attack. The method includes: receiving a packet; when the received packet is a first packet, determining whether the source IP address and source MAC address information carried in the first packet exist in a first record table; if so, obtaining a second packet, the source addresses of which are the same as the source addresses of the first packet, and sending the second packet to a CPU for processing. Through this method, a network attack can be prevented effectively, and a packet can be sent to the CPU for processing once the validity of the packet has been determined. Therefore, applications that require sending packets to the CPU for processing are supported. The present disclosure further discloses an apparatus for preventing a network attack. | 06-07-2012 |
20120144484 | METHODS, MEDIA, AND SYSTEMS FOR DETECTING AN ANOMALOUS SEQUENCE OF FUNCTION CALLS - Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers. | 06-07-2012 |
20120151578 | Detecting a suspicious entity in a communication network - A method and apparatus for detecting a suspicious entity in a communication network. A receiving device receives a message from a sender. A processor obtains domain information or a user identity, and further contact information from data contained in the message. A reputation query message is sent to a Network Reputation Server (NRS), the reputation query message including the domain information or user identity. A reply is received from the NRS that indicates that the domain information or user identity is related to a suspicious entity. The receiving device then associates the contact information with the suspicious entity. In this way, if a user of the receiving device attempts to use the contact information, they can be prevented from doing this or informed that it relates to a suspicious entity. | 06-14-2012 |
20120151579 | Network Device, Network Packet Processing Method and Computer Readable Storage Medium for Storing Thereof - A network device builds connection with a network through a Network Interface Card (NIC). The network device includes a processor and a storage unit. The processor includes at least one transmission processing core, at least one security core, and a main core. The storage unit stores a packet receiving module and a packet output module. The main core loads the packet receiving module to receive several packets from the network, makes the at least one transmission processing core process the packets for a network transmission and makes the at least one security core check the packets for security. The main core loads the packet output module to output the packets after the at least one transmission processing core processes the packets for network transmission and the at least one security core checks the packets for security. | 06-14-2012 |
20120151580 | COMPUTING SYSTEM - Disclosed is a computing system which comprises a data processing device that exchanges communication data externally and processes the communication data; and a security integrated circuit (IC) that monitors the communication data. | 06-14-2012 |
20120151581 | METHOD AND SYSTEM FOR INFORMATION PROPERTY MANAGEMENT - A system for managing sensitive information property, includes a monitoring agent installed in a host system needed for sensitive information property management and configured to monitor the sensitive information property; an information property storage configured to store a list of the sensitive information property for the host system; and an information property manager configured to determine whether or not the sensitive property has leaked. | 06-14-2012 |
20120159619 | Formal Analysis of the Quality and Conformance of Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to one or more security guidelines are provided. Downgrader code in application code is identified, where the downgrader code is a portion of code in the application code that operates on an information flow of the application code to ensure confidentiality of information input to the downgrader code, in the output of the downgrader code. Processes of the downgrader code are evaluated against security guidelines to determine if the processes violate the security guidelines. A notification is generated in response to the evaluation indicating that the processes of the downgrader code violate the security guidelines. The notification is output to a computing device for consideration. | 06-21-2012 |
20120159620 | Scareware Detection - A machine-implemented method for detecting scareware includes the steps of accessing one or more landing pages to be evaluated, extracting one or more features from the landing pages, and providing a classifier to compare the features extracted from the landing pages with features of known scareware and non-scareware pages. The classifier determines a likelihood that the landing page is scareware. If determined to be scareware, the landing page is removed from search results generated by a search engine. The features can be URLs, text, image interest points, image descriptors, a number of pop-ups generated, IP addresses, hostnames, domain names, text derived from images, images, metadata, identifiers of executables, and combinations thereof. | 06-21-2012 |
20120159621 | DETECTION SYSTEM AND METHOD OF SUSPICIOUS MALICIOUS WEBSITE USING ANALYSIS OF JAVASCRIPT OBFUSCATION STRENGTH - The present invention provides a detection system of a suspicious malicious website using the analysis of a JavaScript obfuscation strength, which includes: an entropy measuring block of measuring an entropy of an obfuscated JavaScript present in the website, a special character entropy, and a variable/function name entropy; a frequency measuring block of measuring a specific function frequency, an encoding mark frequency and a % symbol frequency of the JavaScript; a density measuring block of measuring the maximum length of a single character string of the JavaScript; and a malicious website confirming block of determining whether the relevant website is malicious by comparing an obfuscation strength value, measured by the entropy measuring block, the frequency measuring block and the density measuring block, with a threshold value. | 06-21-2012 |
20120159622 | METHOD AND APPARATUS FOR GENERATING ADAPTIVE SECURITY MODEL - A method for generating an adaptive security model includes: generating an initial security model with respect to data input via the Internet during a learning process; and continuously updating the initial security model by applying characteristics of the input data during an online process. Said generating an initial security model includes: matching the input data with a unit having a weight vector whose distance is closest to the input data using a first unsupervised algorithm; generating a map composed of the weight vectors of the units; and performing a second unsupervised algorithm using the weight vectors forming the map as input values to partition an attack cluster. | 06-21-2012 |
20120159623 | METHOD AND APPARATUS FOR MONITORING AND PROCESSING DNS QUERY TRAFFIC - A method for monitoring and processing domain name system (DNS) query traffic includes: monitoring DNS query traffic in each time slot during a monitoring period comprised of n number of time slots; extracting traffic information during the monitoring period by using the DNS query traffic monitored in said each time slot; and analyzing the extracted traffic information to detect a DNS traffic flooding attack. | 06-21-2012 |
20120167204 | ISOLATION TOOL FOR USER ASSISTANCE IN SOLVING A CAPTCHA TEST - A method includes displaying a CAPTCHA test comprising an image with distorted alphanumeric characters. The method also includes associating a mask with the image that maps the alphanumeric characters to coordinates. Further, the method includes enhancing a portion of the image corresponding to one of the alphanumeric characters, responsive to a user positioning an assistance tool proximate to that alphanumeric character, to reduce distortion. | 06-28-2012 |
20120167205 | RUNTIME PLATFORM FIRMWARE VERIFICATION - Embodiments of the invention are directed towards logic and/or modules stored in processor secure storage to determine whether a first platform firmware image (e.g., basic input/output system (BIOS), device read-only memory (ROM), manageability engine firmware) loaded onto a processor cache is valid. The processor executes the first platform firmware image if it is determined to be valid. If the first platform image is determined to be invalid, a second platform firmware image is located. If this platform firmware image is determined to be valid, the processor will execute said second platform image. | 06-28-2012 |
20120167206 | SYSTEM AND METHOD FOR ENABLING SECURE DISPLAY OF EXTERNAL IMAGES - A system and method for securely displaying to a user images retrieved from an external image source. Upon the request for a product catalog by the user via a user interface a backend retrieves images for the product catalog from external image sources and converts the retrieved images to render inoperable potentially malicious code embedded in the images. The converted images may then be used in the product catalog displayed to the user via the user interface. In an embodiment, the frontend compiles the product catalog and requests images from the backend. Product catalog information may be stored in a database implemented at the backend. | 06-28-2012 |
20120167207 | Unauthorized Location Detection and Countermeasures - A location sentry system is provided for use within a mobile device. The sentry system can be configured to detect unauthorized attempts to locate mobile devices by monitoring messages passed between the mobile device and the wireless network and/or messages passed between components of the mobile device, and determining that one or more of the messages is/are indicative of an attempt to locate the mobile device. In response to a determination that an unauthorized attempt has been detected, the location sentry can be configured to take one or more actions. For example, the location sentry system could prevent location information from being sent back to the wireless network and/or the location sentry system could cause incorrect information to be sent to the wireless network. | 06-28-2012 |
20120167208 | SYSTEM AND METHOD FOR VOIP HONEYPOT FOR CONVERGED VOIP SERVICES - Disclosed herein are systems, methods, and computer-readable storage media for a honeypot addressing cyber threats enabled by the convergence of data and communication services in an enterprise network. Suspicious incoming VoIP calls from the Internet to the enterprise network are intercepted and directed to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VoIP calls while tracing the suspicious incoming VoIP calls. Suspicious outgoing VoIP calls from the enterprise network to the Internet are also intercepted and directed to the VoIP honeypot. Moreover, an unsolicited VoIP call is redirected to the VoIP honeypot when the unsolicited VoIP call has been received by a user agent in the enterprise network and a human user of the user agent confirms that the unsolicited VoIP call was unsolicited. | 06-28-2012 |
20120167209 | AUTOMATIC CONTEXT-SENSITIVE SANITIZATION - An automatic context-sensitive sanitization technique detects errors due to the mismatch of a sanitizer sequence with a browser parsing context. A pre-deployment analyzer automatically detects violating paths that contain a sanitizer sequence that is inconsistent with a browsing context associated with outputting an untrusted input. The pre-deployment analyzer determines a correct sanitizer sequence which is stored in a sanitization cache. During the runtime execution of the web application, a path detector tracks execution of the web application in relation to the violating paths. The correct sanitizer sequence can be applied when the runtime execution follows a violating path. | 06-28-2012 |
20120167210 | METHOD AND SYSTEM FOR ESTIMATING THE RELIABILITY OF BLACKLISTS OF BOTNET-INFECTED COMPUTERS - A system and a method for determining the reliability of blacklists is disclosed. Each blacklist comprises IP addresses of supposedly infected computers. The reliability is computed by analyzing whether the blacklist reports or not controlled infections from sandboxed environments and by measuring the elapsed time between reported infections and disinfections. The obtained information is then used in combination with several metrics for determining the trustworthiness of the IP address of a given Internet host that requests an online transaction with the purpose of granting or denying access to a service. | 06-28-2012 |
20120167211 | Method and Apparatus to Harden a Software Execution in Random Access Memory - Example embodiments of the present invention relate to a system, apparatus and methods for preserving the integrity of code to prevent it from being modified, maliciously or inadvertently, while it is in execution in the RAM of a computer platform. This method also may be referred to as code hardening. Code to be hardened in example embodiments of the present invention may be referred to as protected code. Example embodiments of the present invention are able to externally detect unauthorized stoppage of the hypervisor by employing (1) a launch-time metric of the protected code; (2) a run-time metric of the protected code; and (3) a liveliness indicator of the protected code. | 06-28-2012 |
20120167212 | METHODS FOR INSPECTING SECURITY CERTIFICATES BY NETWORK SECURITY DEVICES TO DETECT AND PREVENT THE USE OF INVALID CERTIFICATES - Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting a use of an invalid cryptographic algorithm for the certificates. | 06-28-2012 |
20120167213 | SAFE FILE TRANSMISSION AND REPUTATION LOOKUP - A method of safe file transmission and reputation lookup is provided. As a part of the safe file transmission and reputation lookup methodology, a data file that is to be made available to a data file receiver is accessed and it is determined whether the data file needs to be provided a protective file. The data file is wrapped in a protective file to create a non-executing package file. Access is provided to the non-executing package file where the associated data file is prevented from being executed until data file reputation information is received. | 06-28-2012 |
20120174216 | SECURITY PROTOCOL PROCESSING FOR ANTI-REPLAY PROTECTION - Described embodiments provide a network processor that includes a security protocol processor to prevent replay attacks on the network processor. A memory stores security associations for anti-replay operations. A pre-fetch module retrieves an anti-replay window corresponding to a data stream of the network processor. The anti-replay window has a range of sequence numbers. When the network processor receives a data packet, the security hardware accelerator determines a value of the received sequence number with respect to minimum and maximum values of a sequence number range of the anti-replay window. Depending on the value, the data packet is either received or accepted. The anti-replay window might be updated to reflect the receipt of the most recent data packet. | 07-05-2012 |
20120174217 | NETWORK SECURITY MANAGEMENT - A method may include receiving session control messages and counting the session control messages of a same type having a same transaction identifier (ID). The method may further include blocking the session control messages of the same type having the same transaction ID when the count exceeds a threshold number. The method may further include determining whether the blocked session control messages are associated with an anomalous event and, when the blocked session control messages are not associated with the anomalous event, increasing the threshold number. | 07-05-2012 |
20120174218 | Network Communication System With Improved Security - A computer network communication method and system wherein software rendering software is interposed in the data communication path between a browser running on a user computer and the internet data sources (for example, internet-accessible server computers) that the user browser wants to receive information from. The software rendering application gets data from internet data sources, but this data may contain malware. To provide enhanced security, the software rendering application renders this data to form a new browser readable code set (for example, an xml page with CSS layers), and this new and safe browser readable code set is sent along to the browser on the user computer for appropriate presentation to the user. As part of the rendering process, dedicated and distinct virtual machines may be used to render certain portions of the data, such as executable code. These virtual machines may be watched, and quickly destroyed if it is detected that they have encountered some type of malware. | 07-05-2012 |
20120174219 | IDENTIFYING MOBILE DEVICE REPUTATIONS - Methods and systems for operation upon one or more data processors for assigning a reputation to a messaging entity by analyzing the attributes of the entity, correlating the attributes with known attributes to define relationships between entities sharing attributes, and attributing a portion of the reputation of one related entity to the reputation of the other related entity. | 07-05-2012 |
20120180124 | AUTHENTICATION RISK EVALUATION - A computer is configured to receive an authentication request that identifies one or more authentication form factors, and for each form factor identified, further identifies at least one parameter. The computer is further configured to generate a risk score for the authentication request using the parameter, the risk score being based at least in part on a complexity associated with each of the one or more authentication form factors. The computer is further configured to provide the risk score to a requester. | 07-12-2012 |
20120180125 | METHOD AND SYSTEM FOR PREVENTING DOMAIN NAME SYSTEM CACHE POISONING ATTACKS - A method for preventing domain name system cache poisoning attacks comprises steps of inputting a domain name by an internet application program of an Internet communication device, determining in which area the Internet communication device is located, randomly selecting at least two domain name system resolvers of the area, retrieving at least one Internet protocol address from the domain name system resolvers and evaluating the Internet protocol addresses to generate at least one security score, selecting a trustworthy Internet protocol address based on the security scores, comparing the security score of the selected Internet protocol address with a predetermined security score threshold, and sending the trustworthy Internet protocol address to the Internet application program of the Internet communication device when the security score is greater than the security score threshold. A system for preventing domain name system cache poisoning attacks comprises an Internet communication device and an optional proxy server. | 07-12-2012 |
20120180126 | Probable Computing Attack Detector - A probable computing attack detector monitors electrical power consumption of a computing device. Task data may be acquired for at least one task operating on the computing device. A predicted electrical power consumption may be calculated for the computing device employing a user-centric power model and the task data. A probable attack may be detected when the electrical power consumption disagrees with the predicted electrical power consumption by a determined margin. | 07-12-2012 |
20120180127 | SYSTEM AND METHOD FOR IMPLEMENTING A HIDDEN SERVER - A technology for preventing network attacks. A service request is intercepted at an unaddressed port of a hidden device from a second device. The service request intended for a visible device is processed by the hidden device. A response may be provided based on the processing and sent to the second device. | 07-12-2012 |
20120180128 | Preventing Cross-Site Request Forgery Attacks on a Server - Preventing Cross-Site Request Forgery security attacks on a server in a client-server environment. In one aspect, this comprises embedding a nonce and a script in all responses from the server to the client wherein, when executed, the script adds the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce sent by the server to the client. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value differs from the value previously sent. Server-side aspects might be embodied in the server or a proxy. | 07-12-2012 |
20120180129 | SYSTEM AND METHOD FOR PREVENTING WEB FRAUDS COMMITTED USING CLIENT-SCRIPTING ATTACKS - A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code. | 07-12-2012 |
20120185935 | IMPLEMENTING AUTOMATIC ACCESS CONTROL LIST VALIDATION USING AUTOMATIC CATEGORIZATION OF UNSTRUCTURED TEXT - A method, system and computer program product are provided for implementing automatic access control list validation using automatic categorization of unstructured text. Automatic categorization of unstructured text is performed on a plurality of documents of an access control list for determining an average term vector. Each of the documents is scored against the average term vector to identify a dissimilar document, flagged as a possible security risk. Automatic categorization of unstructured text is performed on user information of a plurality of members of a candidate access control list for determining a typical term vector. A similarity score is determined from the user information and the typical term vector, and members of an access control list that are dissimilar from other members of the access control list are identified. | 07-19-2012 |
20120185936 | Systems and Methods for Detecting Fraud Associated with Systems Application Processing - Systems and methods for detecting fraud associated with systems application processing are provided. An example method may include: for each of at least a subset of multiple application services, receiving an audit log message indicating a respective point in an execution path associated with execution of the application services; and prior to executing an application service endpoint of the application services, analyzing the received audit log messages to determine whether the execution path satisfies at least one predefined expected execution path. | 07-19-2012 |
20120185937 | SYSTEM AND METHOD FOR SELECTIVELY STORING WEB OBJECTS IN A CACHE MEMORY BASED ON POLICY DECISIONS - A system and method for selectively storing one or more web objects in a memory is disclosed. A server response is received at a network traffic management device, wherein the server response is associated with a client request sent from a client device and includes at least one web object. The server response is analyzed using a security module of the network traffic management device which determines if the at least a portion of the server response contains suspicious content in relation to one or more defined policy parameters handled by the security module. An instruction is sent from the security module to a cache module of the network traffic management device upon determining that the at least a portion of the server response contains suspicious information, wherein the cache module does not store the at least one web object upon receiving the instruction. | 07-19-2012 |
20120192271 | Apparatus and Method for Enhancing Security of Data on a Host Computing Device and a Peripheral Device - A method is provided of enhancing security of at least one of a host computing device and a peripheral device. In the method, the host computing device is coupled to the peripheral device through a communication interface. The method includes transparently receiving data from one of the peripheral device and the host computing device, and storing the received data. The method further includes analyzing the stored data to identify a circumstance posing a security risk. If analyzing does not identify such a circumstance, then the method includes transparently echoing the data to the other of the peripheral device and the host. If analyzing does identify such a circumstance, then the method includes performing a security process defined by a rule. Related apparatus is provided, as well as other methods and apparatus. | 07-26-2012 |
20120198549 | METHOD AND SYSTEM FOR DETECTING MALICIOUS DOMAIN NAMES AT AN UPPER DNS HIERARCHY - A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign. | 08-02-2012 |
20120198550 | ELECTRONIC TRANSACTION RISK MANAGEMENT - A method of detecting unauthorized activity in an electronic message transfer system comprising a plurality of devices, each device being configured to generate and receive cryptographically secured transfer messages for exchanging content with other devices in the system. In each device, audit information is accumulated in a memory of the device. The device periodically forwards at least part of its accumulated audit information to a secure server. | 08-02-2012 |
20120204260 | Controlling access to sensitive data based on changes in information classification - A Data Loss Prevention (DLP) system includes an automated method for tracking changes to a security classification (e.g., content category) associated with an artifact to determine whether an attempt is being made to subvert a DLP policy. The method exploits the basic principle that, depending on context, the classification of a particular artifact, or a change to an existing classification, may indicate an attempt to subvert the policy. According to the method, an artifact classification state machine is implemented within a DLP system. For each policy-defined content category on each artifact, the machine identifies a content category change that may be of interest, as defined by policy. When a change in a classification has occurred, an artifact notification event (or, more generally, a notification of the change in classification) is issued. | 08-09-2012 |
20120204261 | SYSTEM AND METHOD FOR UNIFIED COMMUNICATIONS THREAT MANAGEMENT (UCTM) FOR CONVERGED VOICE, VIDEO AND MULTI-MEDIA OVER IP FLOWS - A method and system for unified communications threat management (UCTM) for converged voice and video over IP is disclosed. A computer-implemented method for threat management receives an incoming packet. The incoming packet is broken into sub-packets and fed to a plurality of packet processing engines. Each packet processing engine inspects the sub-packets and annotates the sub-packets with meta-data. The annotated sub-packets are combined and processed by a plurality of application engines to generate a processed packet. The processed packet is classified and stored in a database. | 08-09-2012 |
20120210420 | Systems and Methods of Probing Data Transmissions for Detecting Spam Bots - A computer-implemented system and method for detecting, by a mail server module, spam bot activity by a client device. An email session is conducted between the mail server module and the client device according to a predetermined protocol that includes exchange of messages between the mail server module and the client device. The mail server module probes compliance with the predetermined protocol including: purposefully introducing at least one irregularity into a first message from the mail server module; monitoring a subsequent message transmission from the client device; comparing the subsequent message against reference criteria; and producing a reputability determination for the client device based on an extent to which the subsequent message was a proper response to the at least one irregularity according to the predetermined protocol, the reputability determination being indicative of a likelihood that the client device conducts spam bot activity. | 08-16-2012 |
20120210421 | MALICIOUS USER AGENT DETECTION AND DENIAL OF SERVICE (DOS) DETECTION AND PREVENTION USING FINGERPRINTING - A method may include receiving a session control protocol request message and fingerprinting the received session control protocol message. The method may further include comparing the fingerprint of the received request message to a list of fingerprints associated with known malicious user agents and rejecting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known malicious user agents. The method may include comparing the fingerprint of the received request message to the list of fingerprints associated with known non-malicious user agents and accepting the request message when the fingerprint of the received message matches any fingerprint in the list of fingerprints associated with known non-malicious user agents. | 08-16-2012 |
20120210422 | METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE USING GENERIC SIGNATURES - Novel methods, components, and systems for automatically detecting malicious software are presented. More specifically, we describe methods, components, and systems for the automated deployment of generic signatures to detect malicious software. (Typically, generic signature creation and deployment require more extensive manual processes.) The disclosed invention provides a significant improvement with regard to automation compared to previous approaches. | 08-16-2012 |
20120210423 | METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE THROUGH CONTEXTUAL CONVICTIONS, GENERIC SIGNATURES AND MACHINE LEARNING TECHNIQUES - Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, methods, components, and systems that use important contextual information from a client system (such as recent history of events on that system), machine learning techniques, the automated deployment of generic signatures, and combinations thereof, to detect malicious software. The disclosed invention provides a significant improvement with regard to automation compared to previous approaches. | 08-16-2012 |
20120210424 | System for Efficiently Handling Cryptographic Messages Containing Nonce Values in a Wireless Connectionless Environment Without Compromising Security - A secure communication module that accepts a cryptographic message if a nonce value for the received message is greater than the largest nonce value yet seen. If the received nonce value is not the largest nonce value yet seen, the secure communication module compares the received nonce value with a nonce acceptance window. If the nonce value falls outside the nonce acceptance window, the secure communication module rejects the received message and assumes a replay attack. Alternatively, if the nonce value falls within the nonce acceptance window, the secure communication module compares the received nonce value with a replay window mask. If comparison with the replay window mask indicates that the received nonce value has been seen before, the secure communication module rejects the received message and assumes a replay attack. Otherwise, the secure communication module accepts the message and adds the received nonce value to the replay window mask. | 08-16-2012 |
20120210425 | Network Surveillance - A method of network surveillance includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity. | 08-16-2012 |
20120210426 | ANALYSIS SYSTEM FOR UNKNOWN APPLICATION LAYER PROTOCOLS - An analysis system for unknown application layer protocols, which could automatically discover unknown applications existing in a network, and then obtain keywords, attribute values, status codes or type codes representing the semantic meaning of each field in each type of unknown application, as well as message formats, dialogue rules and status transfer relations of application layer protocols, by using cluster analysis and an optimal partitioning method based on a hidden semi-Markov model. Unknown application analysis results could be used for flow management and safety protection of a network. The system has the following advantages: it avoids difficulties arising from manual discovery and analysis of unknown applications, and improves network management efficiency and response speed against new types of network attacks. | 08-16-2012 |
20120216278 | METHOD AND SYSTEM FOR REAL TIME CLASSIFICATION OF EVENTS IN COMPUTER INTEGRITY SYSTEM - Method and system using a designated known secure computer for real time classification of change events in a computer integrity system are disclosed. In the embodiment of the invention, the known secure computer, having only inbound connection, is dedicated for providing permissible change events, which are compared with change events generated on client operational computers. An alert is generated when the change event at the client operational computer and the respective permissible change event provided by the known secure computer mismatch. | 08-23-2012 |
20120216279 | Backward researching time stamped events to find an origin of pestware - A system and method for identifying an origin of suspected pestware activity on a computer is described. One embodiment includes establishing a time of interest relating to a suspicion of pestware on the computer; issuing a timestamp in response to the establishing the time of interest; identifying, in response to the issuing the timestamp, indicia of pestware; and accessing at least a portion of a recorded history of sources that the computer received files from so as to identify, based at least in part upon the identified indicia of pestware, a reference to an identity of a source that is suspected of originating pestware. | 08-23-2012 |
20120222110 | DATA LEAKAGE PROTECTION IN CLOUD APPLICATIONS - A computer-implemented method for data leakage protection is disclosed. A monitoring template corresponding to the cloud application is selected based upon communication between a user and a cloud application and from a plurality of monitoring templates. A monitor is generated using the selected monitoring template. Identifying information of content shared between the user and the cloud application is obtained using the generated monitor. Data about the shared content for security analysis is obtained according to the identifying information of the shared content. | 08-30-2012 |
20120222111 | CLASSIFYING A MESSAGE BASED ON FRAUD INDICATORS - Systems, methods, and media for classifying messages are disclosed. A plurality of fraud indicators are identified in the message. A signature of the message is generated. The generated signature of the message is compared to a stored signature. The stored signature is based on a statistical analysis of fraud indicators in a second message associated with the stored signature. A determination as to whether the message is fraudulent is made based on the comparison. The message is processed based on the determination that the message is a fraudulent message. | 08-30-2012 |
20120222112 | INFORMATION TECHNOLOGY GOVERNANCE AND CONTROLS METHODS AND APPARATUSES - Embodiments of the present invention provide methods and systems for automated change audit of an enterprise's IT infrastructure, including independent detection of changes, reconciliation of detected changes and independent reporting, to effectuate a triad of controls on managing changes within the IT infrastructure, preventive controls, detective controls and corrective controls. | 08-30-2012 |
20120222113 | Logical Partition Media Access Control Impostor Detector - Provided are techniques to enable a virtual input/output server (VIOS) to establish cryptographically secure signals with target LPARs to detect an impostor or spoofing LPAR. The secure signal, or “heartbeat,” may be configured as an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) connection or tunnel. Within the tunnel, the VIOS pings each target LPAR and, if a heartbeat is interrupted, the VIOS makes a determination as to whether the tunnel is broken, the corresponding LPAR is down or a media access control (MAC) spoofing attack is occurring. The determination is made by sending a heartbeat that is designed to fail unless the heartbeat is received by a spoofing device. | 08-30-2012 |
20120222114 | METHOD AND APPARATUS FOR NETWORK FILTERING AND FIREWALL PROTECTION ON A SECURE PARTITION - A management virtual machine on a virtualization technology enabled platform includes a means for providing a firewall and deep packet inspection. An isolated secure partition is provided to host the management application and network packet filtering and firewall functions to provide a secure and trusted platform for manageability applications. A protected component in the operating system in a user partition moves network traffic to the secure partition for inspection and filtering. | 08-30-2012 |
20120227104 | SYSTEMS AND METHODS FOR DETECTING EMAIL SPAM AND VARIANTS THEREOF - The present disclosure provides systems and methods for detecting email spam and variants thereof. The systems and methods are configured to detect spam messages and variations thereof for different senders and with slight differences within the message body. In an exemplary embodiment, an incoming message body (m) is converted to a sequence of successive word lengths (S | 09-06-2012 |
20120227105 | METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE USING MACHINE LEARNING TECHNIQUES - Novel methods, components, and systems for detecting malicious software in a proactive manner are presented. More specifically, we describe methods, components, and systems that leverage machine learning techniques to detect malicious software. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches. | 09-06-2012 |
20120227106 | SYSTEM AND METHOD FOR PREVENTING WEB FRAUDS COMMITTED USING CLIENT-SCRIPTING ATTACKS - A method for detecting and blocking Javascript hijacking attacks, comprising checking if an incoming request belongs to a valid session established between a client and a trusted server. When said incoming request does belong to a valid session, it is checked if a Referer header of said incoming request includes a valid domain name. The incoming request is marked as suspicious, when said incoming request does not include a valid domain name. It is checked if a respective response of said suspicious incoming request includes a script code. A preventive action responsive to a user input is taken when said respective response includes a script code. | 09-06-2012 |
20120233691 | METHOD, DEVICE AND SYSTEM FOR ALERTING AGAINST UNKNOWN MALICIOUS CODES - A method, a device, and a system for alerting against unknown malicious codes are disclosed. The method includes: detecting characteristics of a packet; judging whether any suspicious code exists in the packet according to a result of the detection; recording a source address of the suspicious code if the suspicious code exists in the packet; and sending alert information that carries the source address to a monitoring device. The embodiments of the present invention can report source addresses of numerous suspicious codes proactively at the earliest possible time, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the client. | 09-13-2012 |
20120233692 | APPARATUS AND METHOD FOR DETECTING MALICIOUS SITES - The invention relates to an apparatus for detecting malicious sites, comprising: a monitoring unit for monitoring all processes being executed in a computing apparatus; a hook code insertion unit for inserting a hook code in a process executed in a browser when the execution of the browser is detected by the monitoring unit; a danger level determining unit that, upon the detection of a website movement, uses the hook code to inspect a stack structure of a process implemented according to the website movement and determine whether or not to perform the stack structure inspection, and determines whether or not the website to which the movement has been made is a malicious site; and a database for storing a list of sites determined to be malicious. | 09-13-2012 |
20120240225 | VERIFICATION APPARATUS AND VERIFICATION METHOD - A verification apparatus for verifying a verified apparatus corresponding to a first apparatus included in a plurality of information processing apparatuses includes a storage and a processor. The storage stores captured data acquired by capturing data transmitted and received among the plurality of information processing apparatuses. The processor receives first data transmitted from the verified apparatus. The first data is destined for a second apparatus included in the plurality of information processing apparatuses. The processor extracts, from the storage, second data transmitted from the second apparatus in response to third data transmitted from the first apparatus to the second apparatus. The third data corresponds to the first data. The processor transmits the extracted second data to the verified apparatus. | 09-20-2012 |
20120240226 | NETWORK ROUTERS AND NETWORK TRAFFIC ROUTING METHODS - A network router comprising a first communication interface for receiving traffic from a first traffic source and a second communication interface for receiving traffic from a second traffic source, a processor and memory. The processor of the router is to execute instructions stored in the memory to forward data traffic received at the first communication interface according to a first routing policy and to forward data traffic received at the second communication interface according to a second routing policy. | 09-20-2012 |
20120240227 | METHODS AND APPARATUS FOR CONDUCTING ELECTRONIC TRANSACTIONS - A system and method for conducting electronic commerce are disclosed. In various embodiments, the electronic transaction is a purchase transaction. A user is provided with an intelligent token, such as a smartcard containing a digital certificate. The intelligent token suitably authenticates with a server on a network that conducts all or portions of the transaction on behalf of the user. In various embodiments a wallet server interacts with a security server to provide enhanced reliability and confidence in the transaction. In various embodiments, the wallet server includes a toolbar. In various embodiments, the digital wallet pre-fills forms. Forms may be pre-filled using an auto-remember component. | 09-20-2012 |
20120240228 | MULTI-DIMENSIONAL REPUTATION SCORING - Methods and systems for assigning reputation to communications entities include collecting communications data from distributed agents, aggregating the communications data, analyzing the communications data and identifying relationships between communications entities based upon the communications data. | 09-20-2012 |
20120246719 | SYSTEMS AND METHODS FOR AUTOMATIC DETECTION OF NON-COMPLIANT CONTENT IN USER ACTIONS - Described herein are methods, systems, apparatuses and products for automatic detection of non-compliant content in user actions. An aspect provides a method including, responsive to receiving a user selection to share data via an electronic device, analyzing the data to be shared; and automatically identifying non-compliant content within the data prior to sharing the data. Other embodiments are disclosed. | 09-27-2012 |
20120246720 | USING SOCIAL GRAPHS TO COMBAT MALICIOUS ATTACKS - Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified. | 09-27-2012 |
20120246721 | METHOD AND APPARATUS FOR DETERMINING SOFTWARE TRUSTWORTHINESS - Aspects of the invention relate to a method, apparatus, and computer readable medium for determining software trustworthiness. In some examples, a software package identified as including at least one file of unknown trustworthiness is installed on a clean machine. A report package including a catalog of files that have been installed or modified on the clean machine by the software package is generated. Identification attributes for each of the files in the catalog are determined. Each of the files in the catalog is processed to assign a level of trustworthiness thereto. The report package is provided as output. | 09-27-2012 |
20120246722 | BACKWARDS RESEARCHING ACTIVITY INDICATIVE OF PESTWARE - A system and method for researching an identity of a source of activity that is indicative of pestware is described. In one embodiment the method comprises monitoring, using a kernel-mode driver, API call activity on the computer; storing information related to the API call activity in a log; analyzing, heuristically, the API call activity to determine whether one or more weighted factors associated with the API call activity exceeds a threshold; identifying, based upon the API call activity, a suspected pestware object on the computer; identifying, in response to the identifying the suspected pestware object, a reference to an identity of an externally networked source of the suspected pestware object; and reporting the identity of the externally networked source to an externally networked pestware research entity. | 09-27-2012 |
20120246723 | WINDOWS KERNEL ALTERATION SEARCHING METHOD - The present invention relates to a method of detecting the alteration of the driver of a Windows kernel and a system using system module information that is the unalterable information of the Windows kernel. | 09-27-2012 |
20120246724 | SYSTEM AND METHOD FOR DETECTING AND DISPLAYING CYBER ATTACKS - A method, system, and computer program product for displaying detected cyber attacks over communications networks, including a radar type display section including one or more icons representing detected cyber attacks; an activity tracking display section including information regarding the detected cyber attacks represented by the icons; and an application information display section including at least one of system user information, session information, and statistics information regarding the cyber attacks. | 09-27-2012 |
20120254993 | SYSTEM AND METHOD FOR VIRTUAL MACHINE MONITOR BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a memory, a processor, one or more operating systems residing in the memory for execution by the processor, a resource of the electronic device communicatively coupled to the operating system, a virtual machine monitor configured to execute on the electronic device at a level below all of the operating systems of the electronic device accessing the resource, and a security agent configured to execute on the electronic device at a level below all operating systems of the electronic device accessing the resource. The virtual machine monitor is configured to intercept a request of the resource made from a level above the virtual machine monitor and inform the security agent of the request. The security agent is configured to determine whether the request is indicative of malware. | 10-04-2012 |
20120254994 | SYSTEM AND METHOD FOR MICROCODE BASED ANTI-MALWARE SECURITY - A system for securing an electronic device includes a processor comprising microcode, a resource coupled to the processor, and a microcode security agent embodied in the microcode. The microcode security agent is configured to intercept a communication and determine whether the communication is indicative of malware. The communication includes a request made of the resource or information generated from the resource. | 10-04-2012 |
20120254995 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING LOADING OF CODE INTO MEMORY - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of a resource of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the memory. The attempted access includes attempting to write instructions to the memory and attempting to execute the instructions. | 10-04-2012 |
20120254996 | DNS RESOLUTION, POLICIES, AND VIEWS FOR LARGE VOLUME SYSTEMS - Systems and methods for resolving domain name system (DNS) queries are provided herein. Methods may include receiving a DNS query from a DNS client via a DNS server, responsive to the DNS query, generating the DNS response utilizing the at least one policy associated with the view, providing the DNS response to the DNS client from which the DNS query was received, and storing the DNS response in a shared cache, the shared cache including previously generated DNS responses that are available to the DNS server, wherein previously generated DNS responses may be provided to DNS clients upon receiving a DNS query corresponding to at least one of the previously generated DNS responses. | 10-04-2012 |
20120254997 | METHODS AND APPARATUSES FOR AVOIDING DAMAGE IN NETWORK ATTACKS - Methods and apparatuses in a client terminal ( | 10-04-2012 |
20120254998 | METHOD FOR BLOCKING THE EXECUTION OF A HACKING PROCESS - The present invention discloses a method of blocking the execution of a hacking process. In the method, a security process selects a process to be tested. The security process extracts the pattern of the process to be tested and compares it with hack diagnosis references. If the pattern of the process to be tested is included in the hack diagnosis references, the security process determines that the process to be tested is a hacking process. The security process calculates the unique hash value of the hacking process and compares it with hack blocking references. If the unique hash value of the hacking process is included in the hack blocking references, the security process blocks the execution of the hacking process, and, if the unique hash value of the hacking process is not included in the hack blocking references, the security process does not block the execution of the hacking process. | 10-04-2012 |
20120260335 | FRONT-END PROTOCOL FOR SERVER PROTECTION - The present invention provides for protecting against denial of service attacks. A request is sent by a client, the request comprises client indicia. The request is received at a server. A request count is incremented by the server. A sequence number is assigned as a function of the client indicia. A problem is selected by the server. The problem is sent by the server to the client. A solution to the problem is sent to the server. It is determined if the solution by client is correct. If the solution is correct, a session is performed. If the solution is not correct, the request is discarded. This can substantially decrease the amount of attacks performed by a rogue client, as the session set-up time can be substantial. | 10-11-2012 |
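The exchange in the abstract is a client puzzle: the server counts requests, ties a sequence number to the client's indicia, hands out a problem, and only spends session set-up effort on clients that return a correct solution. The block below is an added example, not the patent's code; it implements both sides of that exchange with a hash-preimage puzzle (the abstract does not say what kind of problem is used, so that choice, the difficulty parameter and the way the nonce is derived from a server secret are assumptions).

```python
# Added example (not the patent's code): a client-puzzle front end.
# Server: count requests, assign per-client sequence numbers, issue a puzzle,
# verify the solution.  Client: brute-force the puzzle before getting a session.
import hashlib
import itertools
import os
import struct

DIFFICULTY_BITS = 16   # assumed work factor: leading zero bits required in the solution hash


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(puzzle: dict) -> int:
    """Client side: find a counter such that SHA-256(nonce || counter) has enough leading zeros."""
    nonce = bytes.fromhex(puzzle["nonce"])
    for counter in itertools.count():
        digest = hashlib.sha256(nonce + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) >= puzzle["bits"]:
            return counter


class PuzzleServer:
    """Server side of the front-end protocol."""

    def __init__(self, secret: bytes = None, difficulty: int = DIFFICULTY_BITS):
        self.secret = secret or os.urandom(32)   # assumed server-only key
        self.difficulty = difficulty
        self.request_count = 0
        self.sequence = {}                       # client indicia -> latest sequence number

    def _nonce(self, client: str, seq: int) -> str:
        # Derived from the secret, so the server keeps no per-puzzle state and a
        # client cannot mint puzzles of its own.
        msg = self.secret + client.encode() + struct.pack(">Q", seq)
        return hashlib.sha256(msg).digest()[:16].hex()

    def issue_puzzle(self, client: str) -> dict:
        self.request_count += 1
        seq = self.sequence.get(client, 0) + 1
        self.sequence[client] = seq
        return {"client": client, "seq": seq, "nonce": self._nonce(client, seq), "bits": self.difficulty}

    def verify(self, puzzle: dict, solution: int) -> bool:
        # Reject forged nonces and stale (replayed) sequence numbers before checking the work.
        if puzzle["nonce"] != self._nonce(puzzle["client"], puzzle["seq"]):
            return False
        if puzzle["seq"] != self.sequence.get(puzzle["client"]):
            return False
        digest = hashlib.sha256(bytes.fromhex(puzzle["nonce"]) + struct.pack(">Q", solution)).digest()
        return leading_zero_bits(digest) >= puzzle["bits"]


def handle_request(server: PuzzleServer, client: str, solver=solve_puzzle) -> str:
    """One round trip: request -> puzzle -> solution -> session or discard."""
    puzzle = server.issue_puzzle(client)
    solution = solver(puzzle)
    return "session" if server.verify(puzzle, solution) else "discarded"


if __name__ == "__main__":
    srv = PuzzleServer()
    print(handle_request(srv, "198.51.100.7"))               # honest client does the work
    print(handle_request(srv, "198.51.100.9", lambda p: 0))  # lazy client is (almost surely) discarded
```

The practical caveat: a puzzle shifts cost onto the client but does not make the server free. Verification must stay cheap (one hash and one comparison here), the puzzle must be bound to the client and sequence number so that one solution cannot be replayed, and difficulty should be raised only while the request counter indicates load, or legitimate clients on slow hardware pay the price.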
20120260336 | NETWORK ACCOUNTABILITY AMONG AUTONOMOUS SYSTEMS - In one kind of DoS attack, malicious customers may try to send a large number of filter requests against an innocent customer. In one implementation, a Filter Request Server (FRS) may allow a customer against whom a filter request is made to dispute the implicit accusation of the filter request or stop sending malicious traffic. If the customer claims innocence, the FRS may log destination addresses of data packets sent by the customer and identify and ignore false filter requests if these filter requests come from customers who do not correspond to one or more of the destination addresses that have previously been logged by the FRS. | 10-11-2012 |
20120260337 | System and Method for Avoiding and Mitigating a DDoS Attack - Described is a system and method for receiving a data packet including a destination address and a source address, categorizing the data packet into a community based on the source address, wherein the community is predefined by a user corresponding to the destination address and selecting a treatment for the data packet based on the community. The method may be implemented on a router to avoid and/or mitigate the harmful effects of a Distributed Denial of Service (“DDoS”) attack on a computer system or network. | 10-11-2012 |
20120260338 | ANALYSIS OF SCRIPTS - A method and system for analyzing scripts. A script is analyzed to determine whether the script includes malicious content. A computer executes at least two text blocks of code derived from a script of a web page. The execution of a text block of the at least two text blocks generates an additional text block of code. The computer determines whether the additional text block includes new code that is malicious. If so, the computer prevents transmission of the web page to a client computer. If not, the computer transmits the web page to the client computer. | 10-11-2012 |
20120266240 | Method and apparatus for filtering malicious call completion indicator and calling-side network device - A method for filtering a malicious call completion indicator in a CCBS service is provided, in which a calling-side network device rejects the current call request or removes the call completion indicator information from the call request and then forwards the call request, when determining the call request carries the information. The disclosure also provides a corresponding apparatus, which includes a reception unit configured to receive a call request, a detection unit configured to detect the call request and to trigger the rejection unit when determining that the call request carries call completion indicator information and a rejection unit configured to reject the current call request. A calling-side network device is also provided. According to the disclosure, the sequence for accessing the calls from calling subscribers to a called subscriber is well kept, thus assuring fairness of the call access and avoiding preferential call access of malicious subscribers. | 10-18-2012 |
20120266241 | Communications system having security apparatus, security apparatus and method therefor - The present invention relates to a communications system having at least one communications means by means of which the communications system can be connected to at least one further processing unit and/or to a further communications system, having at least one first memory means, having at least one second memory means and having at least one security apparatus, wherein identical information is stored on the first and second memory means and wherein damage to the communications system can be determined with reference to a comparison of this information by means of the security apparatus. The present invention furthermore relates to a security apparatus and to a method of determining damage to a communications system. | 10-18-2012 |
20120272314 | DATA COLLECTION SYSTEM - A data collection system for generating alerts is disclosed. In some embodiments, information is gathered from a plurality of internet facilities that are used for malicious purposes. In response to detecting in the gathered information data that satisfies an alert condition associated with malicious activity, an alert to warn a potential target of the malicious activity is generated. | 10-25-2012 |
20120272315 | QUARANTINING PACKETS RECEIVED AT DEVICE IN NETWORK COMMUNICATIONS UTILIZING VIRTUAL NETWORK CONNECTION - A method of engaging in network communications by a device includes spawning a first virtual machine for a network connection that virtualizes network capabilities of a device; receiving a packet communicated from a transmitting device at the first virtual machine of the device; determining that the packet is corrupted, said determination being based on information from an application running on the device; in response to said step of determining that the packet is corrupted, quarantining the packet; spawning a second virtual machine for a network connection that virtualizes network capabilities of the device; and communicating, using the second virtual machine, a message to the transmitting device. | 10-25-2012 |
20120272316 | METHOD FOR DETECTING THE HIJACKING OF COMPUTER RESOURCES - The present invention provides a method for detecting the hijacking of computer resources, located on an internal network implementing security and confidentiality criteria specific to this internal network, connected to an external network with no such security and confidentiality criteria, through a connection managed by a service provider, comprising: | 10-25-2012 |
20120278884 | METHOD AND SYSTEM FOR PROCESSING A FILE TO IDENTIFY UNEXPECTED FILE TYPES - A method and system for testing a file (or packet) formed from a sequential series of information units, each information unit within a predetermined set of information units, e.g., each information unit may correspond to a character within the ASCII character set. An information unit-pair entropy density measurement is calculated for the received file using a probability matrix. The probability matrix tabulates the probabilities of occurrence for each possible sequential pair of information units of the predetermined set of information units. The computed information unit-pair entropy density measurement is compared with a threshold associated with an expected file type to determine whether the received file is of the expected file type or of an unexpected file type. The probability matrix may optionally be generated from the received file prior to calculating the density thereof. The probability matrix may optionally be predetermined based on the expected file type. | 11-01-2012 |
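To make the abstract concrete: build the pair probability matrix from files of the expected type, then score a received file by the average number of bits its sequential pairs cost under that matrix and compare to a threshold. The block below is an added example, not the patent's code. The information units are bytes, the "entropy density" is taken to be the per-pair cross-entropy under the matrix, unseen pairs are handled by additive smoothing, and the training corpus, samples and threshold are all constructed for the illustration; the abstract fixes none of these details.

```python
# Added example (not the patent's code): byte-pair entropy density against a type threshold.
import math
import zlib
from collections import Counter

ALPHABET = 256    # information units are bytes here (the abstract mentions ASCII characters)
SMOOTHING = 0.1   # assumption: additive smoothing so unseen pairs get a small nonzero probability

# Constructed corpus standing in for "known files of the expected type" (plain text).
TEXT_CORPUS = (
    b"Detection of malware in network traffic depends on careful inspection of the packets "
    b"that traverse the network. A sensor collects flow records and an analyst reviews the "
    b"alerts. The system compares each file against a threshold and reports any file whose "
    b"type does not match the expected type. Security engineers tune the threshold on a "
    b"corpus of known documents before the detector is deployed on the network."
)
# Constructed test inputs: a text file and a compressed blob that claims to be text.
TEXT_SAMPLE = b"The analyst reviews the network flow records and reports each file that does not match the expected type."
BINARY_SAMPLE = zlib.compress(TEXT_CORPUS)


def pair_probability_matrix(data: bytes):
    """P(next | current) for sequential byte pairs, returned as a closure over smoothed counts."""
    pair_counts = Counter(zip(data, data[1:]))
    row_totals = Counter()
    for (first, _), count in pair_counts.items():
        row_totals[first] += count

    def prob(first: int, second: int) -> float:
        return (pair_counts[(first, second)] + SMOOTHING) / (row_totals[first] + SMOOTHING * ALPHABET)

    return prob


def pair_entropy_density(data: bytes, prob) -> float:
    """Average bits per sequential pair under the matrix (cross-entropy per pair)."""
    pairs = list(zip(data, data[1:]))
    if not pairs:
        return 0.0
    return -sum(math.log2(prob(a, b)) for a, b in pairs) / len(pairs)


def is_expected_type(data: bytes, prob, threshold_bits: float = 6.0) -> bool:
    """True when the file scores like the type the matrix was trained on (threshold is an assumption)."""
    return pair_entropy_density(data, prob) <= threshold_bits


if __name__ == "__main__":
    text_model = pair_probability_matrix(TEXT_CORPUS)
    for name, blob in (("text", TEXT_SAMPLE), ("binary", BINARY_SAMPLE)):
        density = pair_entropy_density(blob, text_model)
        print(f"{name}: {density:.2f} bits/pair, expected type = {is_expected_type(blob, text_model)}")
```

Text built from the same kind of pairs as the corpus lands around a few bits per pair; a compressed or encrypted payload that has been given a text extension lands near eight, because almost none of its pairs appear in the matrix. The threshold therefore depends on the corpus the matrix was built from, which is why the abstract allows the matrix to be either predetermined per expected type or derived from the received file itself.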
20120278885 | MAINTAINING DATA INTEGRITY - Aspects of the present invention maintain data integrity of a monitored data object in a monitored storage repository. A first security value for the monitored data object is determined. The first security value is stored along with an authentic copy of the monitored data object in the secure repository. The second security value for the monitored data object is determined after a predetermined time interval. The first security value is compared with the second security value. An alert is generated in response to determining a difference between the second security value and the first security value. | 11-01-2012 |
20120278886 | DETECTION AND FILTERING OF MALWARE BASED ON TRAFFIC OBSERVATIONS MADE IN A DISTRIBUTED MOBILE TRAFFIC MANAGEMENT SYSTEM - Systems and methods for detection and filtering of malware based on traffic observations made in a distributed mobile traffic management system are disclosed. One embodiment of a method which can be implemented on a system includes collecting information about a request or information about a response to the request initiated at the mobile device and using the information collected about the request or the response to identify or to detect malicious traffic. The information that is collected about the request or response received for the request initiated at the mobile device can be further used to determine cacheability of the response. | 11-01-2012 |
20120284790 | LIVE SERVICE ANOMALY DETECTION SYSTEM FOR PROVIDING CYBER PROTECTION FOR THE ELECTRIC GRID - Provided is a method of improving security in an electrical grid network. The method includes configuring a lifecycle map associated with an operation in the electrical grid network, the lifecycle map including at least a start configuration, a final configuration, and a plurality of valid events arranged to link the start configuration and the final configuration, the start configuration and the final configuration corresponding to particular states of the electrical grid network. The method also includes monitoring at least one of messages and device configurations in the electrical grid network to detect one or more live events associated with the operation and comparing the plurality of live events to the lifecycle map to identify an anomaly in the live events. | 11-08-2012 |
20120284791 | ROBUST ANOMALY DETECTION AND REGULARIZED DOMAIN ADAPTATION OF CLASSIFIERS WITH APPLICATION TO INTERNET PACKET-FLOWS - Sound, robust methods identify the most suitable, parsimonious set of tests to use with respect to prioritized, sequential anomaly detection in a collected batch of sample data. While the focus is on detecting anomalies in network traffic flows and classifying network traffic flows into application types, the methods are also applicable to other anomaly detection and classification application settings, including detecting email spam, (e.g. credit card) fraud detection, detecting imposters, unusual event detection (for example, in images and video), host-based computer intrusion detection, detection of equipment or complex system failures, as well as of anomalous measurements in scientific experiments. | 11-08-2012 |
20120284792 | System and Method for Aggressive Self-Modification in Dynamic Function Call Systems - Provided are a system and method for software obfuscation for transforming a program from a first form to more secure form that is resistant to static and dynamic attacks. The method utilizes a sophisticated pre-analysis step to comprehend the function-call structure, the function-call layout, and the entire function call graph of the program, in order to determine strategic points in the program for changing the program. This provides resistance to static attacks by transforming the original function-call layout to a new layout. Changing the layout may include changing the function boundaries. The method also provides resistance to static attacks by transforming the original function-call structure to a new structure to be able to self modify as the transformed program executes in memory. Changing the function-call structure may include modifying when and how functions are called, and/or choosing random paths of execution that lead to the same result. | 11-08-2012 |
20120291124 | CARRIER NETWORK SECURITY INTERFACE FOR FIELDED DEVICES - The disclosed subject matter provides carrier-side security services for fielded devices. In contrast to conventional authentication systems for fielded devices, wherein an end-to-end communications pathway is typically established for authentication of a fielded device by a back-end service provider, authentication and security services can be moved into the carrier network. A security service monitor component can be at the carrier network and can authenticate field components without establishing a communications pathway to the back-end service provider. Further, the security service monitor component can provide security services for communications with an authenticated field component. In an aspect, this can allow for centralization of security elements from the periphery of back-end service providers into the carrier network. In a further aspect, the security service monitor component can host a security services platform for back-end service providers. | 11-15-2012 |
20120291125 | DYNAMIC AND SELECTIVE RESPONSE TO CYBER ATTACK FOR TELECOMMUNICATIONS CARRIER NETWORKS - The disclosed subject matter provides a response to a cyber attack on a carrier network. The response can be based on inspection of traffic flowing through a carrier network. The response can automatically adapt the traffic flow in response to a perceived threat. Traffic can be adapted by dynamically updating permission variables related to allowing access for user equipment (UE) to a carrier network, withdrawing or denying access to the carrier network for selected UEs. In other embodiments, signaling can be initiated at the carrier network to cause selected UEs to disable transmission of traffic contributing to the traffic flow. Determining a cyber attack condition can be based on predetermined rules associated with the traffic flow. Further, the determination can be performed at a front end of the carrier network to limit exposure of the carrier network to a detected cyber attack. | 11-15-2012 |
20120291126 | Balancing Malware Rootkit Detection with Power Consumption on Mobile Devices - The subject disclosure presents a novel technique for balancing the tradeoff between security monitoring and energy consumption on mobile devices. Security/energy tradeoffs for host-based detectors focusing on rootkits are analyzed along two axes: a scanning frequency, and a surface of attack. Experimental results are applied to a hypervisor-based framework, and a sweet spot is identified to minimize both energy consumption and a window of vulnerability for critical operating system objects such as code pages and kernel data. | 11-15-2012 |
20120291127 | DISTINGUISHING BETWEEN BLUETOOTH VOICE AND DATA LINKS - Techniques are provided for receiving a transmitted first packet that was formatted using a known scrambling algorithm with an unknown scrambling seed. An encoded packet payload is extracted from the first packet header. The encoded packet payload header is decoded to obtain a first scrambled packet payload header. For each potential value of the unknown seed, the first scrambled packet payload header is descrambled to produce a first set of descrambled packet payload headers and for each potential value of initial register values associated with a cyclic redundancy check, the cyclic redundancy check is executed comprising polynomial division on each of the descrambled packet payload headers such that when the polynomial division results in a zero remainder, a potential unscrambled payload header for the first packet is obtained. Information about the first packet is obtained from the potential unscrambled payload header. | 11-15-2012 |
20120291128 | System and Method for Location, Time-of-Day, and Quality-of-Service Based Prioritized Access Control - A priority server for a provider network includes a traffic volume detection module, a traffic analyzer module, and a rules module. The traffic volume detection module receives operational information from the provider network and determines that a host is experiencing a flash event based upon the operational information. The traffic analyzer module determines that the flash event is not a distributed denial of service attack on the host. When it is determined that the flash event is not a distributed denial of service attack, the rules module provides a priority rule to an access router that is coupled to the host. | 11-15-2012 |
20120297476 | Verifying Transactions Using Out-of-Band Devices - The present disclosure relates to verifying transactions using user devices. A client device is used to complete a transaction with a server computer. The client device communicates with a user device such as a smart phone, laptop computer, or other computing device. The user device communicates with the client device and a verification server via the out-of-band communication channel. The verification server receives two or more copies of session data associated with the transaction occurring between the client device and the server computer. One copy of the session data is received from the server computer and another copy of the session data is provided by the user device. The two copies of the session data are compared by the verification server or by the user device, and mismatches are reported as suspected malicious software attacks. | 11-22-2012 |
20120297477 | DETECTION OF ACCOUNT HIJACKING IN A SOCIAL NETWORK - To protect a user of a social network, the user's activity is monitored during a baseline monitoring period to determine a baseline activity record. If subsequently monitored activity of the user deviates sufficiently from the baseline activity record to indicate abuse (hijacking) of the user's account, the abuse is mitigated, for example by notifying the user of the abuse. Monitored activity includes posting links, updating statuses, sending messages, and changing a profile. Monitoring also includes logging times of the user activity. Monitoring anomalous profile changes does not need a baseline. | 11-22-2012 |
20120297478 | METHOD AND SYSTEM FOR PREVENTING DNS CACHE POISONING - A method for preventing the poisoning of at least one DNS cache ( | 11-22-2012 |
20120297479 | METHOD FOR EXECUTING AN APPLICATION - A method for executing an application (A) which includes executable native or interpretable code and calls functions of an operating system (BS), whereby the operating system (BS) transmits a result of the respective function call (f | 11-22-2012 |
20120304286 | METHODS AND APPARATUS FOR BLOCKING USAGE TRACKING - Methods and apparatuses that maintain one or more data stores capable of storing local data in a device for loading a resource of a domain are described. The resource may be loaded to cause one or more data access operations on the data stores. Access to usage tracking data of the device from the domain may depend on at least one of the data access operations. The data access operations may be configured to block the usage tracking data of the device from the domain. The data access operations may be performed on the data stores for the loading of the resource. A web page may be presented to a user when the resource is successfully loaded. | 11-29-2012 |
20120304287 | AUTOMATIC DETECTION OF SEARCH RESULTS POISONING ATTACKS - Search result poisoning attacks may be automatically detected by identifying groups of suspicious uniform resource locators (URLs) containing multiple keywords and exhibiting patterns that deviate from other URLs in the same domain without crawling and evaluating the actual contents of each web page. Suspicious websites are identified and lexical features are extracted for each such website. The websites are clustered based on their lexical features, and group analysis is performed on each group to identify at least one suspicious group. Other implementations are directed to detecting a search engine optimization (SEO) attack by processing a large population of URLs to identify suspicious URLs based on the presence of a subset of keywords in each URL and the relative newness of each URL. | 11-29-2012 |
20120304288 | Modeling and Outlier Detection in Threat Management System Data - Methods, systems, and computer-readable media for identifying potential threats on a network based on anomalous behavior in communication between endpoints are provided. Traffic data for a network is accumulated over some period of time. The traffic data is grouped by one or more keys, such as source IP address, and sets of metric values are calculated for the keys. A mixture distribution, such as a negative binomial mixture distribution, is fitted to each set of metric values, and outlying metric values are determined based on the mixture distribution(s). A list of outliers is then generated comprising key values having outlying metric values in one or more of the sets of metric values. | 11-29-2012 |
20120304289 | ROTATION OF WEB SITE CONTENT TO PREVENT E-MAIL SPAM/PHISHING ATTACKS - Embodiments of the invention provide a method, system and computer program product for phishing attack management through Web site content rotation. In an embodiment of the invention, a method for phishing attack management through Web site content rotation is provided. The method includes receiving a request for a variation of a component to be incorporated into a Web page from a requesting Web page rendering engine from over a computer communications network. The method also includes comparing the requested variation of the component to a currently configured variation of the component. Finally, the method includes returning both the requested variation of the component and an alert indicating a possible phishing attack in response to the request if the requested variation of the component differs from the currently configured variation of the component. | 11-29-2012 |
20120304290 | CYBER ISOLATION, DEFENSE, AND MANAGEMENT OF A INTER-/INTRA- ENTERPRISE NETWORK - Methodologies, tools and processes for the cyber isolation, defense, and management of an inter-/intra-enterprise network utilizing NSA-approved Type-1 encryptors to first completely isolate all HardNet fixed and mobile participants from the logical internet. Secondly, to enable inter-corporation traffic exchange while maintaining the established security barrier. Next, to create a network demarcation point through which all traffic shall enter or exit HardNet, and through which all traffic shall be inspected with DoD grade cyber security and information assurance (IA) capabilities. Effective net end result is a weapons-grade cyber security shield and cyber management capability for the business, educational, non-profit, governmental and all other enterprises. | 11-29-2012 |
20120304291 | ROTATION OF WEB SITE CONTENT TO PREVENT E-MAIL SPAM/PHISHING ATTACKS - Embodiments of the invention provide a method, system and computer program product for phishing attack management through Web site content rotation. In an embodiment of the invention, a method for phishing attack management through Web site content rotation is provided. The method includes receiving a request for a variation of a component to be incorporated into a Web page from a requesting Web page rendering engine from over a computer communications network. The method also includes comparing the requested variation of the component to a currently configured variation of the component. Finally, the method includes returning both the requested variation of the component and an alert indicating a possible phishing attack in response to the request if the requested variation of the component differs from the currently configured variation of the component. | 11-29-2012 |
20120304292 | EXTERNAL LINK PROCESSING - A system and method of external link processing is disclosed. The system includes an interface configured to receive a user request to access an encoded external link in networked content. The encoded external link comprises a domain name of an external link server and an encoded portion which is an encoded result of an original external link encoded with an encoding function, wherein the original external link is an address to an external destination. One or more processors determine a safety level of the encoded external link using a criterion. In the event that the determined safety level of the encoded external link is determined unsafe, a warning message is generated indicating that the original external link is unsafe and the user is prevented from directly navigating to the original external link. | 11-29-2012 |
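The abstract's link format has two parts, the link server's domain and an encoded copy of the original destination, and the safety decision is made at click time against a criterion. The block below is an added example, not the patent's code; it encodes outbound links that way, authenticates the encoded portion with an HMAC so a tampered link is rejected rather than decoded, and uses a constructed domain blocklist as the criterion. The link-server domain, the key and the blocklist are assumptions; the abstract does not specify the encoding function, any signature, or the criterion.

```python
# Added example (not the patent's code): encoded external links with a click-time safety check.
import base64
import hashlib
import hmac
from urllib.parse import urlparse, urlencode, parse_qs

LINK_SERVER = "links.example.net"                     # assumed domain of the external link server
SECRET = b"rotate-me-in-production"                   # assumed server-side key authenticating encoded links
UNSAFE_DOMAINS = {"evil.example", "phish.example"}    # constructed blocklist used as the criterion


def _sign(encoded: str) -> str:
    return hmac.new(SECRET, encoded.encode(), hashlib.sha256).hexdigest()[:32]


def encode_external_link(original: str) -> str:
    """Rewrite an outbound URL so every click passes through the link server first."""
    encoded = base64.urlsafe_b64encode(original.encode()).decode().rstrip("=")
    query = urlencode({"e": encoded, "s": _sign(encoded)})
    return f"https://{LINK_SERVER}/r?{query}"


def decode_external_link(encoded_link: str) -> str:
    """Recover the original URL; raises ValueError if the link is not ours or was tampered with."""
    parts = urlparse(encoded_link)
    if parts.netloc != LINK_SERVER:
        raise ValueError("not an encoded link from our link server")
    params = parse_qs(parts.query)
    encoded, sig = params.get("e", [""])[0], params.get("s", [""])[0]
    if not hmac.compare_digest(sig, _sign(encoded)):
        raise ValueError("signature mismatch")
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded).decode()


def safety_level(encoded_link: str) -> str:
    """'safe', 'unsafe' or 'invalid' under the criterion (here: destination host on a blocklist)."""
    try:
        original = decode_external_link(encoded_link)
    except ValueError:
        return "invalid"
    host = urlparse(original).hostname or ""
    return "unsafe" if host in UNSAFE_DOMAINS else "safe"


def handle_click(encoded_link: str):
    """Return (navigate_to, warning); navigation is withheld unless the destination is safe."""
    level = safety_level(encoded_link)
    if level == "safe":
        return decode_external_link(encoded_link), None
    if level == "unsafe":
        return None, f"Warning: {decode_external_link(encoded_link)} is unsafe; navigation blocked"
    return None, "Warning: malformed or tampered link"


if __name__ == "__main__":
    for url in ("https://docs.example.org/guide", "http://evil.example/login"):
        link = encode_external_link(url)
        print(link)
        print(handle_click(link))
```

Evaluating the criterion at click time rather than at send time is the point of the indirection: a destination that was clean when the message was written can be blocked later without touching the stored content. The signature matters because the encoded portion is attacker-visible; without it anyone could craft a link through the trusted link-server domain to an arbitrary destination.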
20120304293 | SYSTEM AND METHOD FOR DOWNLOADING USER INTERFACE COMPONENTS TO WIRELESS DEVICES - A method of processing a user interface component is provided and includes receiving one or more user interface components that can be communicated to a wireless device. A component risk level for each of the one or more user interface components is determined and assigned to each of the one or more user interface components. Each of the one or more user interface components can be digitally signed using an embedded risk code that indicates the assigned risk level. Further, the component risk level can be selected from a plurality of component risk levels. In a particular embodiment, the component risk level can be determined based on the type of the user interface component. Further, the component risk level can be determined based on a developer of the user interface component. | 11-29-2012 |
20120304294 | Network Monitoring Apparatus and Network Monitoring Method - According to one embodiment, a network monitoring apparatus includes an unauthorized node determination module, a spoofed address resolution protocol request transmission module, and a spoofed address resolution protocol reply transmission module. The unauthorized node determination module determines whether a sender node which transmits an address resolution protocol request packet is an unauthorized node. The spoofed address resolution protocol request transmission module transmits a spoofed address resolution protocol request packet to a target node corresponding to a target network address in the address resolution protocol request packet if the sender node is an unauthorized node. The spoofed address resolution protocol reply transmission module transmits to the unauthorized node a spoofed address resolution protocol reply packet which includes a predetermined physical address other than the physical address of the target node as a sender physical address and a network address of the target node as a sender network address. | 11-29-2012 |
20120304295 | Method and Apparatus for Detecting Computer Fraud - Techniques are provided for detecting computer fraud. The techniques include obtaining a text version of a candidate destination and a graphical rendering of the candidate destination, comparing the text version of the candidate destination and the graphical rendering of the candidate destination with a corresponding text version of a stored destination and a corresponding graphical rendering of the stored destination, and generating a fraud warning if the graphical rendering of the candidate destination is substantially similar to the graphical rendering of the stored destination while the text version of the candidate destination differs substantially from the corresponding text version of the stored destination. | 11-29-2012 |
20120311702 | SYSTEM AND METHOD FOR PRESERVING REFERENCES IN SANDBOXES - Disclosed herein are systems, methods, and non-transitory computer-readable storage media for preserving references in sandboxes. A system implementing the method receives a document for use in a sandbox environment and passes the document to a parser, via a coordinator. The parser finds references in the document to other resources and outputs a list of references. The system passes the list of references to a verifier that verifies each reference and outputs a list of verified references. The system passes the list of verified references to the sandboxed application, which extends the sandbox to include the resources on the list of verified references. In one embodiment, the system preserves references in sandboxes without the use of a coordinator. | 12-06-2012 |
20120311703 | REPUTATION-BASED THREAT PROTECTION - Information concerning a plurality of identified threats provided by a plurality of preselected sources is stored in memory. An e-mail message may be received over a communication network. The received e-mail message is separated into a plurality of components. The stored information is searched to identify a reputation score associated with each of the plurality of components. It is then determined whether the e-mail is a threat based on the identified reputation score of each of the plurality of components. The determination is sent to a designated recipient. | 12-06-2012 |
20120311704 | Method and Apparatus for Efficient Netflow Data Analysis - A flow based detection system for detecting networks attacks on data networks. Flow records are collected in a novel data structure that facilitates efficient sorting. The sorted data structure can be subsequently analyzed in an efficient manner to find out if the network is under attack. An attack is identified if the numbers of unique corresponding addresses or conversations are too large. | 12-06-2012 |
20120311705 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PRESENTING AN INDICIA OF RISK REFLECTING AN ANALYSIS ASSOCIATED WITH SEARCH RESULTS WITHIN A GRAPHICAL USER INTERFACE - A system, method, and computer program product comprise presenting a plurality of search results within a graphical user interface. Further, an indicia of risk is presented that reflects an analysis in association with at least one of the plurality of search results within the graphical user interface. | 12-06-2012 |
20120311706 | PAYMENT CARD INDUSTRY (PCI) COMPLIANT ARCHITECTURE AND ASSOCIATED METHODOLOGY OF MANAGING A SERVICE INFRASTRUCTURE - A system to ensure compliance with data security standards includes a security appliance to perform multiple security functions, with the security appliance including an initial configuration. The system further includes a display unit to provide information of compliance performance of the system on a secure basis. The system also includes a control unit to monitor compliance performance in real-time and to implement additional procedures required based on the monitored compliance to ensure compliance with data security standards. | 12-06-2012 |
20120317641 | PEER-TO-PEER (P2P) BOTNET TRACKING AT BACKBONE LEVEL - A method, computer-readable medium, and system for analyzing backbone traffic to determine compromised hosts from among hosts on a network are provided. The backbone traffic includes data flows. Each of the data flows is analyzed to determine peer-to-peer data flows from among the data flows. Each of the peer-to-peer data flows is one of the data flows having a source address and a destination address that are each unassociated with a domain name. The peer-to-peer data flows are analyzed to determine the compromised hosts from among the hosts. Each of the compromised hosts is interconnected with another of the compromised hosts via at least one of the peer-to-peer data flows. | 12-13-2012 |
20120317642 | Parallel Tracing Apparatus For Malicious Websites - An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of a commercial browser operating within a commercial operating system over a multi-core processor having hardware containing virtualization extensions. The apparatus records and stores objects and packets captured while the browser is controlled by software received from a server accessed via the URI. | 12-13-2012 |
20120317643 | APPARATUS AND METHOD PREVENTING OVERFLOW OF PENDING INTEREST TABLE IN NAME BASED NETWORK SYSTEM - A node apparatus and method are described to prevent overflow of a pending interest table (PIT) in a name based network system. The node apparatus and method increase the number of PITs to correspond to the number of interface units so that each PIT matches one interface unit, and store the request messages flowing in through each interface unit in its matching PIT. In addition, when the capacity used at any of the PITs exceeds a threshold, the node apparatus and method transmit a traffic control message through the matching interface unit to prevent overflow of the PITs. | 12-13-2012 |
20120324572 | SYSTEMS AND METHODS THAT PERFORM APPLICATION REQUEST THROTTLING IN A DISTRIBUTED COMPUTING ENVIRONMENT - Methods of managing network traffic in a distributed computing environment include segmenting a plurality of virtual hosts into sub-groups. A first security agent monitors first communications of virtual hosts within a first sub-group of virtual hosts, and a second security agent monitors second communications of virtual hosts within a second sub-group of virtual hosts. Information regarding the first communications and the second communications is collected from the security agents and analyzed to detect a denial of service attack. A defense mechanism is initiated in response to detecting the denial of service attack. | 12-20-2012 |
20120324573 | METHOD FOR DETERMINING WHETHER OR NOT SPECIFIC NETWORK SESSION IS UNDER DENIAL-OF-SERVICE ATTACK AND METHOD FOR THE SAME - Provided is an apparatus and method for determining whether or not a specific network session is under a denial-of-service (DoS) attack. The method includes detecting a packet transmitted in the session, initializing the number of attack-suspicion continuation packets, increasing the number of attack-suspicion continuation packets by a predetermined number, and determining that the session is under the DoS attack. | 12-20-2012 |
20120324574 | ENGINE, SYSTEM AND METHOD OF PROVIDING A DOMAIN SOCIAL NETWORK HAVING BUSINESS INTELLIGENCE LOGIC - An engine, system and method for a domain social network that interconnects Internet users with at least domains owned by or of interest to those Internet users, and that may obtain and/or forward obtained dynamic data regarding those domains automatically, such as by web service or email service. The dynamic data may be used to filter and protect content and data of the respective domains, to protect users by identifying low quality web pages or malicious software or pages, to isolate or improve search results regarding the domain, and/or to improve Internet-based transaction flow, such as the creation of advertising. | 12-20-2012 |
20120331550 | TRUSTED LANGUAGE RUNTIME ON A MOBILE PLATFORM - Disclosed is a trusted language runtime (TLR) architecture that provides abstractions for developing a runtime for executing trusted applications or portions thereof securely on a mobile device (e.g., a smartphone). TLR offers at least two abstractions to mobile developers: a trustbox and a trustlet. The trustbox is a runtime environment that offers code and data integrity, and confidentiality. Code and data running inside a trustbox cannot be read or modified by any code running outside the trustbox. A trustlet is the code portion of an application that runs inside a trustbox. With TLR, programmers can write applications in .NET and specify which parts of the application handle sensitive data, and thus, run inside the trustbox. With the TLR, the developer places these parts in a trustlet class, and the TLR provides all support needed to run the parts in the trustbox. | 12-27-2012 |
20120331551 | Detecting Phishing Attempt from Packets Marked by Network Nodes - A service is provided to an end-user of a first data communication device when receiving via a data network a plurality of data packets from a second data communication device. At least a particular data packet has been marked with node attribute data by one or more network nodes. The attribute data is indicative of a path of the data packet across the data network. An identifier, as declared by the second device is determined and correlated with one or more reference identifiers registered in advance. If there is a correlation, the node attribute data is correlated with reference attribute data registered in advance as associated with the reference identifier. If there is a discrepancy between the node attribute data and the reference attribute data, an alert is issued. | 12-27-2012 |
20120331552 | MALWARE AUTOMATED REMOVAL SYSTEM AND METHOD - The present invention automates the operation of multiple malware removal software products using a computerized system that systematically operates the multiple selected software products. These products are operated in a customized “Safe Mode” using a shell that is different from the computer's other shell environments. Unlike the ordinary Safe Mode shells, the Custom Safe Mode prevents malware that ties itself to the normal shell, such as the Windows Explorer shell, from functioning. In addition, the Custom Safe Mode allows the automation of tasks beyond that which is available under the standard command line shell. | 12-27-2012 |
20130007879 | Method of and Apparatus for Monitoring for Security Threats in Computer Network Traffic - A method of and apparatus for monitoring for security threats in computer network traffic is disclosed. The method comprises operating computer processing means ( | 01-03-2013 |
20130007880 | DATA PLANE PACKET PROCESSING TOOL CHAIN - This present disclosure relates to systems and methods for providing a data plane processing tool chain for processing packets that can use OSI layers | 01-03-2013 |
20130007881 | System and Method for Dynamic, Variably-Timed Operation Paths as a Resistance to Side Channel and Repeated Invocation Attacks - A system and method for constructing variably-timed operation paths and applying those paths to any algorithm. In particular, the system and method may be applied to cryptography algorithms as a means to resist side-channel, repeated invocation, and any similar attacks based on the physical characteristics of a system for a given software implementation. The method has the benefit of being generally applicable to any algorithm and has the ability to constrain performance to known timing windows. | 01-03-2013 |
20130014253 | Network Protection Service - A network protection method is provided. The network protection method may include receiving a Domain Name System (DNS) request, logging the DNS request, classifying the DNS request based on an analysis of a DNS name associated with the DNS request, taking a security action based on the classification, analyzing network traffic after taking the security action, and providing substantially real-time feedback associated with the network traffic to improve future DNS request classifications. The method may further include receiving a DNS response and logging the DNS response. The analysis of the DNS name may include receiving DNS data related to the DNS name from a plurality of sources, receiving reputation data related to the plurality of sources, scoring each of the plurality of sources based on the reputation data, and aggregating the DNS data related to the DNS name based on the scoring. | 01-10-2013 |
20130014254 | RESPONDING TO A MAINTENANCE FREE STORAGE CONTAINER SECURITY THREAT - A method for responding to a security threat for a maintenance free storage container begins by a dispersed storage (DS) processing module identifying a security threat for the maintenance free storage container, wherein the maintenance free storage container allows for multiple storage servers of a plurality of storage servers to be in a failure mode without replacement. The method continues with the DS processing module determining a failure mode level that is indicative of whether one or more of the multiple storage servers are in the failure mode. The method continues with the DS processing module selecting a security threat countermeasure based on the security threat and the failure mode level. The method continues with the DS processing module implementing the security threat countermeasure. | 01-10-2013 |
20130014255 | System and Method for Providing Network Security - A method includes receiving an indication of at least one detected security issue at a network device. The indication is received at a security manager processor from a security agent. The method includes selecting, via the security manager processor, at least one executable security object responsive to the indication. The security manager processor verifies compatibility between the at least one executable security object, the network device, and communication media. The method also includes sending the at least one executable security object to the network device via the security manager processor to provide a protective security measure to the network device against the at least one detected security issue upon execution of the at least one executable security object. | 01-10-2013 |
20130019306 | Remote-Assisted Malware Detection (Inventors: Horacio Andres Lagar-Cavilla, Morris Plains, NJ, US; Alexander Varshavsky, East Hanover, NJ, US) - Remote assistance is provided to a mobile device across a network to enable malware detection. The mobile device transmits potentially infected memory pages to a remote server across a network. The remote server performs analysis, and provides feedback to the mobile device. Based on the received feedback, the mobile device halts a process, or retrieves and transmits additional memory pages to the remote server for more analysis. This process is repeated until a compromised region of memory is identified and/or isolated for further repair to be performed. The feedback from the remote server reduces the processing and storage burden on the mobile device, resulting in a more reliable detection that uses fewer resources. Embodiments including hypervisors and virtual machines are disclosed. | 01-17-2013 |
20130019307 | Secure Computer Architecture - A secure computer architecture is provided. With this architecture, data is received, in a component of an integrated circuit chip implementing the secure computer architecture, for transmission across a data communication link. The data is converted, by the component, to one or more first fixed length frames. The one or more first fixed length frames are then transmitted, by the component, on the data communication link in a continuous stream of frames. The continuous stream of frames includes one or more second fixed length frames generated when no data is available for inclusion in the frames of the continuous stream. | 01-17-2013 |
20130019308 | Method and Device for Preventing CSRF Attack - The disclosure provides a method for preventing CSRF attacks, in which the method provides: intercepting a request sent from a client browser to a server; generating a token; generating a response to the request; inserting the token into the response to the request; and sending the response to the request to the client browser with the token inserted into the response. With the method of the disclosure, it is assured that a token is inserted into all the requests made by a user through a client browser for accessing a resource. And it can be assured that the request is issued by the user himself by verifying whether the token in the request is valid, thereby preventing a CSRF attack. | 01-17-2013 |
20130024933 | AUDITING A DEVICE - The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. Initialization information is also received. The physical memory is selectively written in accordance with a function. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier. | 01-24-2013 |
20130024934 | CLASSIFICATION OF SOFTWARE ON NETWORKED SYSTEMS - A method and system for the classification of software in networked systems, includes: determining that software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute; and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) update their responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software. | 01-24-2013 |
20130024935 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR CONDITIONALLY PERFORMING A SCAN ON DATA BASED ON AN ASSOCIATED DATA STRUCTURE - A system, method, and computer program product are provided for conditionally performing a scan of data based on an associated data structure. In use, at least one aspect is identified for each of a first plurality of scanners utilized to perform a scan on data at a first network device. Additionally, at least one data structure is associated with the data, where the at least one data structure reflects the at least one aspect of each of the first plurality of scanners. Furthermore, a subsequent scan on the data is conditionally performed utilizing each of a second plurality of scanners at a second network device, based on the at least one data structure. | 01-24-2013 |
20130031625 | CYBER THREAT PRIOR PREDICTION APPARATUS AND METHOD - Disclosed are a cyber threat prior prediction apparatus, including a DNS based C&C server detecting unit configured to analyze DNS traffic to extract a domain address which is suspected as a C&C server; a network based abnormality detecting unit configured to analyze the network traffic to detect IP addresses of zombie PCs which access the C&C server and information of the zombie PCs; and a cyber threat predicting unit configured to predict a cyber threat situation based on the information of the zombie PCs. | 01-31-2013 |
20130031626 | METHODS OF DETECTING DNS FLOODING ATTACK ACCORDING TO CHARACTERISTICS OF TYPE OF ATTACK TRAFFIC - Disclosed are methods of detecting a domain name server (DNS) flooding attack according to characteristics of a type of attack traffic. A method of detecting an attack by checking a DNS packet transmitted over a network in a computer device connected to the network, includes determining whether the number of DNS packets previously generated within a threshold time with the same type of message, the same specific address and the same field value as in the transmitted packet is greater than or equal to a given number, and determining the transmitted DNS packet as a packet related to the attack if the number of DNS packets previously generated within the threshold time is greater than or equal to the given number. | 01-31-2013 |
20130031627 | Method and System for Preventing Phishing Attacks - A method, system and program product for preventing phishing attacks, wherein the method comprises: acquiring links in a Web page; classifying the acquired links according to link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page. By carrying out the method or system according to the above one or more embodiments of the present disclosure, since it is first detected whether a Web page is a fake website of a phishing attack before displaying the reproduced Web page to the user and the user is warned upon detecting a fake website, unnecessary losses due to phishing attacks can be prevented. | 01-31-2013 |
20130031628 | Preventing Phishing Attacks - A method, system and program product for preventing phishing attacks, wherein the method comprises: acquiring links in a Web page; classifying the acquired links according to link types; and determining whether a phishing attack exists according to the classified links, wherein the links are classified into two types: internal links belonging to the same domain as the address of the Web page, and external links belonging to a different domain from the address of the Web page. By carrying out the method or system according to the above one or more embodiments of the present disclosure, since it is first detected whether a Web page is a fake website of a phishing attack before displaying the reproduced Web page to the user and the user is warned upon detecting a fake website, unnecessary losses due to phishing attacks can be prevented. | 01-31-2013 |
20130031629 | Apparatus and Method for Enhancing Security of Data on a Host Computing Device and a Peripheral Device - A method of enhancing security of at least one of a host computing device and a peripheral device coupled to the host computing device through a communication interface. Data is transparently received from the peripheral device or the host computing device, and the received data is stored. The stored data is analyzed to detect a circumstance associated with a security risk. If such a circumstance is not detected, then the data is transparently forwarded to the other of the peripheral device or the host. However, if a circumstance associated with a security risk is detected, then a security process, defined by a rule, is performed. Related apparatus are provided, as well as other methods and apparatus. | 01-31-2013 |
20130031630 | Method and Apparatus for Identifying Phishing Websites in Network Traffic Using Generated Regular Expressions - According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation. | 01-31-2013 |
20130036464 | Processor operable to ensure code integrity - A processor can be used to ensure that program code can only be used for a designed purpose and not exploited by malware. Embodiments of an illustrative processor can comprise logic operable to execute a program instruction and to distinguish whether the program instruction is a legitimate branch instruction or a non-legitimate branch instruction. | 02-07-2013 |
20130036465 | Security controller - A security controller has first and second read request paths for performing security checking of read requests received from a master device and for controlling issuing of the read request to a safe device. If the first read request path is selected for an incoming read request then the first read request path controls issuing of the read request in dependence on result of the security checking. If the second read request path is selected, then the incoming read request is issued without waiting for a result of the security checking, and tracking data is stored indicating the result of the security checking. When receiving a response to a read request issued using the second read request path, a response path modifies the response to mask read data if the tracking data stored for the corresponding read request indicates that a security violation occurred. | 02-07-2013 |
20130036466 | INTERNET INFRASTRUCTURE REPUTATION - One or more techniques and/or systems are provided for internet connectivity protection. In particular, reputational information assigned to infrastructure components (e.g., IP addresses, name servers, domains, etc.) may be leveraged to determine whether an infrastructure component associated with a user navigating to content of a URL is malicious or safe. For example, infrastructure component data associated with a web browser navigating to a website of a URL may be collected and sent to a reputation server. The reputation server may return reputation information associated with the infrastructure component data (e.g., an IP address may be known as malicious even though the URL may not yet have a reputation). In this way, the user may be provided with notifications, such as warnings, when various unsafe conditions arise, such as interacting with an infrastructure component with a bad reputation, a resolved IP address not matching the URL, etc. | 02-07-2013 |
20130036467 | METHOD AND PROCESS FOR PIN ENTRY IN A CONSISTENT SOFTWARE STACK IN CASH MACHINES - Method for checking the consistency of control software of a controller of a self-service automat having a trustworthy domain ( | 02-07-2013 |
20130042319 | METHOD AND APPARATUS FOR DETECTING AND DEFENDING AGAINST CC ATTACK - A method for detecting and defending against a CC attack is disclosed, which comprises the following steps of: recording the number of times m of requests for a webpage and the number of times n of related requests for the webpage within a preset time interval if a user's request of accessing the webpage is a dynamic webpage request; and determining that the webpage is subjected to a CC attack if a value (m−n)/m is greater than or equal to a preset threshold. A corresponding apparatus is further disclosed. The method and the apparatus for detecting and defending against a CC attack of the present disclosure can accurately detect and defend against the CC attack. | 02-14-2013 |
20130042320 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR SCANNING PORTIONS OF DATA - A scanning system, method and computer program product are provided. In use, portions of data are scanned. Further, access to a scanned portion of the data is allowed during scanning of another portion of the data. | 02-14-2013 |
20130042321 | SECURITY SYSTEMS AND METHODS - Security methods are provided. The method can include comparing a first device identifier ( | 02-14-2013 |
20130047253 | METHOD AND APPARATUS FOR TOKEN-BASED REAL-TIME RISK UPDATING - According to one embodiment, an apparatus may store a plurality of tokens indicating a user is accessing a resource over a network. The plurality of tokens may include a risk token indicating a risk associated with access by the user to the resource. The apparatus may detect a token indicating a change associated with accessing the resource, and determine that the change triggers a risk update. The apparatus may then generate a dataset token that represents the risk token and the token indicating the change, and communicate the dataset token to a token provider to perform the risk update. The apparatus may then receive a recomputed risk token representing an updated risk. The updated risk may indicate the risk associated with continuing access to the resource with the change. | 02-21-2013 |
20130047254 | METHOD AND APPARATUS FOR TOKEN-BASED TRANSACTION TAGGING - According to one embodiment, an apparatus may monitor a session that facilitates the processing of a transaction. The transaction may represent an action taken against a resource during the session. The apparatus may determine that the transaction qualifies for additional monitoring, and in response, generate a tag. The tag may be unique to the transaction. The apparatus may then associate the tag with the transaction to facilitate tracing of the transaction. The apparatus may then trace the transaction during the processing of the transaction by following the tag, and communicate a message to transfer the transaction to an isolated processing unit. The isolated processing unit processes the transaction in isolation. | 02-21-2013 |
20130055383 | COORDINATED DETECTION OF A GREY-HOLE ATTACK IN A COMMUNICATION NETWORK - In one embodiment, a security device receives one or more first unique identifications of packets sent by a first device to a second device for which a corresponding acknowledgment was purportedly returned by the second device to the first device. The security device also receives one or more second unique identifications of packets received by the second device from the first device and acknowledged by the second device to the first device. By comparing the first and second unique identifications, the security device may then determine whether acknowledgments received by the first device were truly returned from the second device based on whether the first and second unique identifications exactly match. | 02-28-2013 |
20130055384 | DEALING WITH WEB ATTACKS USING CRYPTOGRAPHICALLY SIGNED HTTP COOKIES - According to one embodiment, a security gateway (SG) is coupled between a hypertext transport protocol (HTTP) client and a web application server. Responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, the SG generates security gateway session security state information (SGI) based on a policy. The SG also generates a digital signature (SGS) from the SGI, creates an SG signed session security state information cookie (SGC), and sends the SGC to the HTTP client for storage instead of storing the SGI in the SG. Responsive to a second HTTP message of the HTTP session, the SG attempts to validate a claim made in the second HTTP request using at least the policy and the SGC that is supposed to be returned with the second HTTP message. | 02-28-2013 |
20130055385 | SECURITY EVENT MANAGEMENT APPARATUS, SYSTEMS, AND METHODS - Apparatus, systems, and methods may operate to receive multiple security event data streams from a plurality of hardware processing nodes, the multiple security event data streams comprising multiple security events. Additional operations may include extracting multiple security events from multiple security event data streams, and classifying the extracted multiple security events to form domain-specific, categorized data streams. A hierarchy of statistical data streams may then be generated from the domain-specific, categorized data streams. Additional apparatus, systems, and methods are disclosed. | 02-28-2013 |
20130055386 | APPARATUS AND METHOD FOR PREVENTING FALSIFICATION OF CLIENT SCREEN - An apparatus and method for preventing falsification of a client screen is provided, in which a web server dynamically generates URIs and provides them to clients, thus preventing the falsification of client screens due to a web injection attack or a memory hacking attack. The apparatus includes a random web generation unit for converting an identical web page into random URIs that are randomly generated, at a request of a plurality of clients, generating different random web sources, and providing the different random web sources to the respective clients. A web falsification determination unit compares display web source eigenvalues respectively generated by the clients with respect to any one of the random web sources with a generative web source eigenvalue for the one of the random web sources, thus determining whether screens corresponding to the random web sources displayed on the respective clients have been falsified. | 02-28-2013 |
20130055387 | APPARATUS AND METHOD FOR PROVIDING SECURITY INFORMATION ON BACKGROUND PROCESS - An apparatus and method for providing security information on a background process are provided. The method includes executing an application, detecting an event associated with the execution of the application, identifying a security related permission associated with the application, determining whether the security related permission matches a registered security related permission, determining an application identifier in response to the security related permission matching the registered security related permission, determining whether the event is associated with the background process, and displaying a security risk alert icon based on the detected event. The apparatus includes an application execution unit to execute an application; a security risk detection unit to detect an event associated with a background process of the application; and a screen configuration unit to configure a security risk alert icon to be displayed based on the detected event. | 02-28-2013 |
20130055388 | METHOD AND SYSTEM FOR TRACKING MACHINES ON A NETWORK USING FUZZY GUID TECHNOLOGY - A method for querying a knowledgebase of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a world wide network of computers, e.g., Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process. | 02-28-2013 |
20130055389 | SECURITY EVENT LOGGING IN PROCESS CONTROL - A method and gateway are provided for extracting 61850 security events from general IEC 61850 events and merging them together with standard IT or other security events at station level or even higher system levels. Thus, the coexistence of two different protocols on the substation bus is allowed, providing greater flexibility in the design of a Substation Automation (SA) system, for example in SA systems with a mix of IEC 61850-compliant Intelligent Electronic Devices (IEDs) and SA devices that do not adhere to IEC 61850 communication protocols. | 02-28-2013 |
20130055390 | SEARCH INFRASTRUCTURE SUPPORTING TRADEMARK RIGHTS - A system and method monitors and weeds out illegitimate/illegal websites during search engine indexing and domain name registration. The whois database generated during domain name registration is used as a reference database for correlation with a database generated by the search crawler on a search engine server. A whois analyzer from the search engine server extracts a set of URLs into a database called the uncorrelated URL database. The uncorrelated URL database contains those URLs from both the aggregate whois database and reverse index database after removing common URLs. The uncorrelated URLs are contacted and advised by the whois administrator to take necessary action to be listed in the whois database and properly be indexed during search engine crawling. This process ensures that URLs are properly registered and identified on the Internet thus eliminating the success of illegal/unwanted websites. Trademark information may also be used in the site validation process. | 02-28-2013 |
20130055391 | METHOD AND APPARATUS FOR ADAPTIVE INTEGRITY MEASUREMENT OF COMPUTER SOFTWARE - Systems and methods are described herein that discuss how a computing platform executing a virtualized environment, in one example, can be integrity verified adaptively and on demand. This may occur at initial runtime, as well as during continued operations, and allows the platform user to install software from various vendors without sacrificing the integrity measurement and therefore the trustworthiness of the platform. | 02-28-2013 |
20130055392 | File System Event Tracking - Automated file system event tracking and reporting techniques are described in which file system events requested by a user application are intercepted and recorded prior to the request being permitted to pass to the file system for execution. Similarly, file system responses to a prior captured file system event are also intercepted and recorded. Predefined patterns of file system events may be aggregated and reported as a single event. | 02-28-2013 |
20130061321 | Using Aggregated DNS Information Originating from Multiple Sources to Detect Anomalous DNS Name Resolutions - A DNS security system collects and uses aggregated DNS information originating from a plurality of client computers to detect anomalous DNS name resolutions. A server DNS security component receives multiple transmissions of DNS information from a plurality of client computers, each transmission of DNS information concerning a specific instance of a resolution of a specific DNS name. The server component aggregates the DNS information from the multiple client computers. The server component compares DNS information received from a specific client computer concerning a specific DNS name to aggregated DNS information received from multiple client computers concerning the same DNS name to identify anomalous DNS name resolutions. Where an anomaly concerning received DNS information is identified, a warning can be transmitted to the specific client computer from which the anomalous DNS information was received. | 03-07-2013 |
20130067570 | Content Inspection - Content inspection techniques are described. In one or more implementations, it is detected that an application executing on a computing device is calling a particular code element of a group of code elements to be used to process content. For example, the group of code elements can include a pre-specified group of code elements (e.g., functions and/or properties) that may enable access to particular functionalities of a computing device and thus are associated with a known security risk. It is then ascertained that the content is untrusted and, in response to ascertaining that the content is untrusted, the content is inspected to determine if the content is safe to be passed to the code element. | 03-14-2013 |
20130067571 | METHOD AND SYSTEM FOR MANAGING SUSPICIOUS DEVICES ON NETWORK - A method and system for managing suspicious devices on a network. The method includes: setting, based on a manager's input or selection via a user interface, a suspicious group corresponding to each of at least one suspicious management item for managing a plurality of devices on a network; accessing the devices and reading information corresponding to the suspicious management item; determining whether each device is a suspicious device based on the information corresponding to the suspicious management item, and registering the device in the suspicious group if the device is determined to be a suspicious device; checking whether an error of a device included in the suspicious group is resolved; and removing the device from the suspicious group if the error of the device is resolved. | 03-14-2013 |
20130067572 | SECURITY EVENT MONITORING DEVICE, METHOD, AND PROGRAM - The security event monitoring device includes: a storage module which stores in advance a correlation rule; a log collection unit which receives each log from each monitoring target device; a correlation analysis unit which generates scenario candidates by associating each of the logs; a scenario candidate evaluation unit which calculates the importance degrees of each scenario candidate; and a result display unit which displays/outputs the scenario candidate of a high importance degree. The scenario candidate evaluation unit includes: a user association degree evaluation function which calculates user association degrees; an operation association degree evaluation function which calculates the operation association degrees; and a scenario candidate importance reevaluation function which recalculates the importance degrees of each of the scenario candidates by each user according to the user association degrees and the operation association degrees. | 03-14-2013 |
20130067573 | SYSTEM AND METHOD FOR HUMAN IDENTIFICATION PROOF FOR USE IN VIRTUAL ENVIRONMENTS - System, method and computer program product for verifying an avatar owner as a human user of an avatar in a virtual world environment in which humans interact through avatars via client devices in network communication with a server device. A request for challenging an avatar in the virtual world environment is received to determine whether that avatar is controlled by an application program user (bot). A user client device associated with a challenged avatar is identified and a Human Identification Proof (HIP) message for detecting a human user versus a bot controlling the challenged avatar is generated and communicated, for receipt at the identified user client device. It is determined from the response, whether the user is a bot or a human user. If a challenged avatar is determined to be a bot, then the server device prevents the challenged avatar from further interaction in the virtual world environment. | 03-14-2013 |
20130074181 | Auto Migration of Services Within a Virtual Data Center - Techniques are provided herein for detecting that virtual data center services provided to one of at least two customers are being subjected to an attack, wherein the virtual data center services are provided to the at least two customers using a same first set of physical servers via a first network element such as a physical access switch, and responsive to detecting that virtual data center services provided to the one of the at least two customers are being subjected to an attack (e.g., a virus or denial of service attack), the technique causes the virtual data center services provided to the one of the at least two customers to be migrated to, e.g., instantiated on, a second set of physical servers that is not accessible via the first network element. | 03-21-2013 |
20130074182 | INFORMATION PROCESSING APPARATUS AND CONTROL METHOD OF THE SAME - A device function to be used by an application is specified, a risk level of the specified device function is acquired, and a risk level of the application is calculated based on the acquired risk level of the device function. | 03-21-2013 |
20130074183 | METHOD AND APPARATUS FOR DEFENDING DISTRIBUTED DENIAL-OF-SERVICE (DDOS) ATTACK THROUGH ABNORMALLY TERMINATED SESSION - There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack. | 03-21-2013 |
20130074184 | PACKET PROCESSING IN A MULTIPLE PROCESSOR SYSTEM - Packet processing is provided in a multiple processor system including a first processor to process a packet and to create a tag associated with the packet. The tag includes information about the processing of the packet. A second processor receives the packet subsequent to the first processor and processes the packet using the tag information. | 03-21-2013 |
20130081134 | Instruction set adapted for security risk monitoring - A processor is adapted to manage security risk by updating and monitoring a taint storage element in response to receipt of taint indicators, and responding to predetermined taint conditions detected by the monitoring. The processor can be operable to execute instructions of a defined instruction set architecture and comprises an instruction of the instruction set architecture operable to access data from a source and operable to receive a taint indicator indicative of potential security risk associated with the data. The processor can further comprise a taint storage element operable for updating in response to receipt of the taint indicator, and logic. The logic can be operable to update the taint storage element, process the taint storage element, determine a security risk condition based on the processing of the taint storage element, and respond to the security risk condition. | 03-28-2013 |
20130081135 | INJECTION ATTACK MITIGATION USING CONTEXT SENSITIVE ENCODING OF INJECTED INPUT - A method for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser ( | 03-28-2013 |
20130081136 | METHOD AND DEVICE FOR DETECTING FLOOD ATTACKS - Disclosed is a flood attack detection method, wherein the total number of keywords of a source packet is acquired, and the number of feature parameters corresponding to the source packet is acquired. A ratio of the number of feature parameters to the total number of keywords is compared with a preset threshold, and if the ratio is greater than or equal to the preset threshold, it is determined that a flood attack occurs. | 03-28-2013 |
20130086676 | CONTEXT-SENSITIVE TAINT ANALYSIS - In one implementation, a taint processing applied to a tainted value of an application is identified and an output context of the application associated with output of the tainted value is determined. A notification is generated if the taint processing is incompatible with the output context. | 04-04-2013 |
20130086677 | METHOD AND DEVICE FOR DETECTING PHISHING WEB PAGE - The embodiments of the present invention provide a method and a device for detecting a phishing web page. The method includes: judging whether a unique domain name corresponding to a to-be-detected web page exists in a trusted domain name database; if the unique domain name does not exist in the trusted domain name database, determining a similarity between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database; and determining that the to-be-detected web page is a phishing web page if the similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold. In the embodiments of the present invention, accuracy of a result of detecting a phishing web page is improved. | 04-04-2013 |
20130086678 | INTEGRATING SECURITY PROTECTION TOOLS WITH COMPUTER DEVICE INTEGRITY AND PRIVACY POLICY - At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access. | 04-04-2013 |
20130086679 | Responses To Server Challenges Included In A Hypertext Transfer Protocol Header - Example embodiments relate to verification of client requests based on a response to a challenge ( | 04-04-2013 |
20130091566 | INTERNET PROTOCOL ADDRESS SPACE MANAGEMENT TO MITIGATE AND DETECT CLOAKING AND OTHER ABUSE - In one embodiment, an intelligent detection system | 04-11-2013 |
20130091567 | DEVICE AND METHOD FOR ENERGY MANAGEMENT IN A HOUSEHOLD - An energy management system comprises one or more appliances, a remote device, and a communication device. In one embodiment, the communication device forms a physical connection with the remote device and thereafter a physical connection with an associated appliance. The first physical connection binds the communication device to the remote device, thereby forming a secure connection over which inputs and outputs can be exchanged between the remote device and the associated appliance when the communication device is connected to the appliance. | 04-11-2013 |
20130091568 | SYSTEMS AND METHODS FOR SECURE IN-VM MONITORING - Security systems can provide secure and efficient in-VM monitoring. An exemplary security system can be built upon hardware virtualization features and can comprise a virtual machine having a plurality of standard virtual address spaces, as well as a hidden virtual address space. While the standard virtual address spaces can be directly accessible by a kernel in the virtual machine, the hidden virtual address space can be hidden from the kernel, which can be absent a virtual page table corresponding to the hidden virtual address space. A security monitor can reside in the hidden address space, monitoring the kernel without being modifiable by the kernel. A processor can transfer focus from the standard virtual address spaces to the hidden virtual address space only through predetermined entry gates, and the processor can transfer focus from the hidden virtual address space to the standard virtual address spaces only through predetermined exit gates. | 04-11-2013 |
20130091569 | LOGIN INITIATED SCANNING OF COMPUTING DEVICES - Embodiments of the invention relate to systems, methods, and computer program products for login initiated remote scanning of computer devices. The present invention detects login to the network via access management systems. The login data provides information that identifies the device so that the device can be checked against a scan database to determine if and when a previous scan occurred. Based on the findings in the scan database determinations are made as to whether to perform a scan. Additionally, the level of scanning can be determined based on previous scan dates and previous scan results, which may dictate customized scanning. In addition, the priority of the impending scan may be dictated by previous scan dates and results. Further embodiments provide for assessing risk, such as risk scoring or the like, concurrently or in near-real-time with the completion of the scan so that alerts may be communicated. | 04-11-2013 |
20130097699 | SYSTEM AND METHOD FOR DETECTING A MALICIOUS COMMAND AND CONTROL CHANNEL - A method is provided in one example embodiment that includes detecting repetitive connections from a source node to a destination node, calculating a score for the source node based on the connections, and taking a policy action if the score exceeds a threshold score. In more particular embodiments, the repetitive connections use a hypertext transfer protocol and may include connections to a small number of unique domains, connections to a small number of unique resources associated with the destination node, and/or a large number of connections to a resource in a domain. Moreover, heuristics may be used to score the source node and identify behavior indicative of a threat, such as a bot or other malware. | 04-18-2013 |
20130097700 | Phishing Detecting Method and Network Apparatus and Computer Readable Storage Medium Applying the Method - A phishing detecting method includes: a web-page accessing request for accessing a target web page at a target address is received; the target web page from the target address is obtained; the target web page is snapshotted to obtain a present page snapshot; the present page snapshot is compared with several pre-stored page snapshots stored in a database, wherein each of the pre-stored page snapshots corresponds to a pre-stored address; if the present page snapshot matches one of the pre-stored page snapshots, the target address is compared with the pre-stored address, corresponding pre-stored page snapshot of which matches the present page snapshot; if the target address does not match the pre-stored address, the corresponding pre-stored page snapshot of which matches the present page snapshot, it is determined that the target web page is a phishing web page. | 04-18-2013 |
20130097701 | USER BEHAVIORAL RISK ASSESSMENT - A particular activity performed by a particular user of a computing device is identified, for instance, by an agent installed on the computing device. It is determined that the particular activity qualifies as a particular use violation in a plurality of pre-defined use violations. A behavioral risk score for the particular user is determined based at least in part on the determination that the particular activity of the particular user qualifies as a particular use violation. Determining that the particular activity qualifies as a particular use violation can include determining that the particular activity violates a particular rule or event trigger corresponding to a particular pre-defined use violation. | 04-18-2013 |
20130097702 | WEBSITE DEFACEMENT INCIDENT HANDLING SYSTEM, METHOD, AND COMPUTER PROGRAM STORAGE DEVICE - A website defacement incident handling system and associated methodology and non-transitory computer program storage device for detecting a defacement of a website and taking appropriate corrective action upon detection of the defacement. The website defacement incident handling system receives web page information and snapshot images corresponding to websites and performs comparisons against corresponding information and snapshot images of a reference website. Probability scores indicating the likelihood that a website has been defaced are calculated based on the comparisons and corrective actions are taken as appropriate to protect the affected website. | 04-18-2013 |
20130097703 | SYSTEM AND METHOD TO LOCATE A PREFIX HIJACKER WITHIN A ONE-HOP NEIGHBORHOOD - Method, system and computer-readable device to locate a prefix hijacker of a destination prefix within a one-hop neighborhood. The method includes generating one-hop neighborhoods from autonomous system-level paths associated with a plurality of monitors to a destination prefix. The method also includes determining a suspect set of autonomous system identifiers resulting from a union of the one-hop neighborhoods. The method further includes calculating a count and a distance associated with each autonomous system identifier in the suspect set of autonomous system identifiers. The count represents how often an autonomous system identifier appears in the one-hop neighborhoods. The distance represents a total number of autonomous system identifiers from the autonomous system identifier to autonomous system identifiers associated with the plurality of monitors. Yet further, the method includes generating a one-hop suspect set including autonomous system identifiers in the suspect set that have a greatest sum of the count and the distance. | 04-18-2013 |
20130104228 | STEALTH NETWORK NODE - A method, a network node, and a set of instructions are disclosed. A network interface | 04-25-2013 |
20130104229 | Private Domain Name Registration - A service for protecting the privacy of domain name registrants while preserving the registrant's ability to directly change the registration information or transfer the registration. A whois record is created that reflects the registrant's actual identity but contains contact information that is entirely associated with a privacy service. | 04-25-2013 |
20130111584 | METHOD AND APPARATUS FOR PREVENTING UNWANTED CODE EXECUTION | 05-02-2013 |
20130111585 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR RENDERING DATA OF AN ON-DEMAND DATABASE SERVICE SAFE | 05-02-2013 |
20130117842 | OPTIMIZING PERFORMANCE INFORMATION COLLECTION - A network management system may detect a network condition corresponding to a network and evaluate the network condition to identify types of network performance information corresponding to the network condition. The network management system may prioritize the types of network performance information and communicate priority information to a network device. The priority information may include the types of network performance information identified by the network management system and/or the priority associated with each type of network performance information. The network device may receive the priority information, evaluate the availability of device resources, collect network performance information based on the priority information and the availability of device resources, and communicate the network performance information to the network management system. | 05-09-2013 |
20130117843 | Methods, Devices, And Systems For Detecting Return-Oriented Programming Exploits - Methods, devices, and systems for detecting return-oriented programming (ROP) exploits are disclosed. A system includes a processor, a main memory, and a cache memory. A cache monitor develops an instruction loading profile by monitoring accesses to cached instructions found in the cache memory and misses to instructions not currently in the cache memory. A remedial action unit terminates execution of one or more of the valid code sequences if the instruction loading profile is indicative of execution of an ROP exploit involving one or more valid code sequences. The instruction loading profile may be a hit/miss ratio derived from monitoring cache hits relative to cache misses. The ROP exploits may include code snippets that each include an executable instruction and a return instruction from valid code sequences. | 05-09-2013 |
20130117844 | MICROCIRCUIT CARD PROTECTED BY A FUSE - A microcircuit card ( | 05-09-2013 |
20130117845 | ENCODING LABELS IN VALUES TO CAPTURE INFORMATION FLOWS - Methods, servers, and systems for encoding security labels in a dynamic language value to allow cross-script communications within a client application while limiting the types of information that are allowed to be communicated back to a host server. Static analysis is performed during compilation, and the results are used to generate and insert additional code that updates, modifies and propagates labels (e.g., JavaScript labels) attached to values (e.g., JavaScript values) during execution of a program. To support popular language features that allow for strong integration with other web-based systems, malicious code is allowed to perform operations locally (e.g., on the client), and a detection and prevention mechanism identifies and stops malicious code from sending requests or gathered information over the network, neutralizing attacks and improving the security of applications that embed dynamic language code. | 05-09-2013 |
20130117846 | SYSTEM AND METHOD FOR SERVER-COUPLED APPLICATION RE-ANALYSIS TO OBTAIN CHARACTERIZATION ASSESSMENT - This disclosure is directed to a system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices (e.g., smartphones, netbooks, and tablets). A mobile communication device uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces a characterization assessment and can also provide a characterization re-assessment for the application, or data object, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The server transmits notifications to devices that have installed applications that are discovered to be undesirable. The server receives data about applications from many devices, using the combined data to minimize false positives and provide comprehensive protection against known and unknown threats. The server can accumulate this data and then perform a characterization re-assessment of a data object it has previously assessed. | 05-09-2013 |
20130117847 | Streaming Method and System for Processing Network Metadata - A method and system for processing network metadata is described. Network metadata may be processed by dynamically instantiated executable software modules which make policy-based decisions about the character of the network metadata and about presentation of the network metadata to consumers of the information carried by the network metadata. The network metadata may be type classified and each subclass within a type may be mapped to a definition by a unique fingerprint value. The fingerprint value may be used for matching the network metadata subclasses against relevant policies and transformation rules. For template-based network metadata such as NetFlow v9, an embodiment of the invention can constantly monitor network traffic for unknown templates, capture template definitions, and inform administrators about templates for which custom policies and conversion rules do not exist. Conversion modules can efficiently convert selected types and/or subclasses of network metadata into alternative metadata formats. | 05-09-2013 |
20130125235 | Method, Apparatus and Program for Detecting Spoofed Network Traffic - A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) are provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address; acquiring the corresponding source and destination IP address prefixes; converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number; determining whether the incoming packet arrived from an unexpected source, based upon the corresponding destination IP address prefix and the converted source and destination AS numbers, using an unexpected pair tuple table generated from network routing information; and generating an alert indicating that the incoming packet is not allowed to enter the network. | 05-16-2013 |
20130125236 | RENDER ENGINE, AND METHOD OF USING THE SAME, TO VERIFY DATA FOR ACCESS AND/OR PUBLICATION VIA A COMPUTER SYSTEM - A method and system to verify active content at a server system include receiving, at the server system, a communication (e.g., an e-mail message or e-commerce listing) that includes active content that is to be made accessible via the server system. At the server system, the active content is rendered to generate rendered active content. The rendered active content presents a representation of the information and processes to which an end user will be subject. At the server system, the rendered active content is verified as not being malicious. | 05-16-2013 |
20130133063 | TUNNELING-BASED METHOD OF BYPASSING INTERNET ACCESS DENIAL - The tunneling-based method of bypassing Internet access denial allows for the re-routing of communication between a local system and a destination system when the local system's Internet Protocol (IP) address has been blocked by a malicious higher-tier Internet service provider (ISP). If it is determined that the local system is blocked from communicating with the destination system, then it is determined if a malicious higher-tier ISP is responsible for the blockage of service. If the local system is blocked by the ISP, then the ISP is identified and communication is established between the local system and a neighboring system that is not blocked by the ISP. Finally, communications are then transmitted from the local system to the destination system, through the established tunnel, by first transmitting from the local system to the neighboring system, and then transmitting from the neighboring system through the ISP to the destination system. | 05-23-2013 |
20130133064 | REVERSE NFA GENERATION AND PROCESSING - In a processor of a security appliance, an input of a sequence of characters is walked through a finite automata graph generated for at least one given pattern. At a marked node of the finite automata graph, if a specific type of the at least one given pattern is matched at the marked node, the input sequence of characters is processed through a reverse non-deterministic finite automata (rNFA) graph generated for the specific type of the at least one given pattern by walking the input sequence of characters backwards through the rNFA beginning from an offset of the input sequence of characters associated with the marked node. Generating the rNFA for a given pattern includes inserting processing nodes for processing an input sequence of patterns to determine a match for the given pattern. In addition, the rNFA is generated from the given type of pattern. | 05-23-2013 |
20130133065 | SYSTEM AND METHOD OF INDICATING THE STRENGTH OF ENCRYPTION - A method and system are provided for secure messaging on mobile computing devices. The method and system provide for an indication of a security trust level associated with a security method used with an electronic message. | 05-23-2013 |
20130139252 | SECURING NETWORK COMMUNICATIONS FROM BLIND ATTACKS WITH CHECKSUM COMPARISONS - Blind attacks on a protocol connection, such as a TCP connection, are prevented by inserting checksums computed during protocol connection establishment handshake into data sent through the connection and invalidating data sent through the connection that lacks the protocol setup information checksums. Reset attacks are prevented by invalidating reset requests unless a master checksum computed from the protocol setup information checksums is included with the reset request. Checksums computed from protocol setup information have improved robustness by including a random number with the protocol setup information. | 05-30-2013 |
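The mechanism in 20130139252 in miniature, as an added example rather than code from the patent: both endpoints derive a per-direction checksum from the connection's setup information (4-tuple and initial sequence number) plus a random number exchanged during the handshake, every data segment carries its direction's checksum, and a reset is honored only if it carries the master checksum computed from both. The choice of truncated SHA-256 as the checksum function, the 8-byte width and the dictionary "segment" format are assumptions; the patent fixes none of them.

```python
import hashlib
import hmac
import secrets


def setup_checksum(src, sport, dst, dport, isn, nonce):
    """Checksum over one direction's setup information plus the random
    number from the handshake (truncated SHA-256 is an assumed choice)."""
    data = f"{src}:{sport}>{dst}:{dport}:{isn}".encode() + nonce
    return hashlib.sha256(data).digest()[:8]


class Connection:
    """Per-connection state both endpoints hold after the three-way handshake."""

    def __init__(self, a, b, isn_a, isn_b, nonce=None):
        self.a, self.b = a, b
        self.nonce = nonce if nonce is not None else secrets.token_bytes(16)
        # one tag per direction: 4-tuple, that side's ISN and the shared nonce
        self.tag_a = setup_checksum(*a, *b, isn_a, self.nonce)
        self.tag_b = setup_checksum(*b, *a, isn_b, self.nonce)
        # master checksum that any reset request must carry
        self.master = hashlib.sha256(self.tag_a + self.tag_b).digest()[:8]

    def data_segment(self, sender, payload):
        tag = self.tag_a if sender == "a" else self.tag_b
        return {"type": "DATA", "from": sender, "tag": tag, "payload": payload}

    def reset_segment(self, sender):
        return {"type": "RST", "from": sender, "master": self.master}

    def accept(self, segment):
        """Receiver-side check: DATA needs the sender's direction tag, RST
        needs the master checksum; anything else is invalidated (dropped)."""
        if segment["type"] == "DATA":
            expected = self.tag_a if segment["from"] == "a" else self.tag_b
            return hmac.compare_digest(segment.get("tag", b""), expected)
        if segment["type"] == "RST":
            return hmac.compare_digest(segment.get("master", b""), self.master)
        return False


def blind_attack_demo(nonce=b"\x11" * 16):
    """A blind attacker knows the 4-tuple and can guess sequence numbers but
    never saw the handshake nonce, so forged data and bare resets are rejected."""
    conn = Connection(("192.0.2.1", 40000), ("198.51.100.7", 443), 1000, 2000, nonce)
    return {
        "legit_data": conn.accept(conn.data_segment("a", b"GET / HTTP/1.1")),
        "legit_rst": conn.accept(conn.reset_segment("b")),
        "forged_data": conn.accept({"type": "DATA", "from": "a",
                                    "tag": b"\x00" * 8, "payload": b"evil"}),
        "bare_rst": conn.accept({"type": "RST", "from": "b"}),
    }
```

The random number is what makes the scheme hold up: without it, every input to the checksum is either visible on the wire or guessable by the blind attacker, and the tag would be as forgeable as a sequence number.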
20130139253 | Deceptive indicia notification in a communications interaction - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for monitoring deceptive indicia in communications content may implement operations including, but not limited to: receiving one or more signals associated with communication content provided by a first participant in a communications interaction; detecting one or more indicia of deception associated with the one or more signals associated with the communication content; and providing a notification associated with the one or more indicia of deception associated with the communication content to a second participant in the communications interaction receiving the communication content. | 05-30-2013 |
20130139254 | Deceptive indicia notification in a communications interaction - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for monitoring deceptive indicia in communications content may implement operations including, but not limited to: receiving one or more signals associated with communication content provided by a participant in a communications interaction; detecting one or more indicia of deception associated with the one or more signals associated with the communication content; and providing a notification associated with the one or more indicia of deception associated with the communication content to the participant providing the communication content. | 05-30-2013 |
20130139255 | Detection of deceptive indicia masking in a communications interaction - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for detecting masking of deceptive indicia in communications content may implement operations including, but not limited to: receiving one or more signals associated with communications content provided by a first participant in a communications interaction; and detecting at least one indicia of a modification of the communications content associated with at least one indicia of deception by the first participant. | 05-30-2013 |
20130139256 | Deceptive indicia profile generation from communications interactions - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for generating deceptive indicia profiles may implement operations including, but not limited to: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with the one or more signals associated with communications content provided by the participant in a second communications interaction; and generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction. | 05-30-2013 |
20130139257 | Deceptive indicia profile generation from communications interactions - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for generating deceptive indicia profiles may implement operations including, but not limited to: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a second communications interaction; generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction; and providing a notification associated with the deceptive indicia profile for the participant to the participant. | 05-30-2013 |
20130139258 | DECEPTIVE INDICIA PROFILE GENERATION FROM COMMUNICATIONS INTERACTIONS - Systems, methods, computer-readable storage mediums including computer-readable instructions and/or circuitry for generating deceptive indicia profiles may implement operations including, but not limited to: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a second communications interaction; generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction; and providing a notification associated with the deceptive indicia profile for the participant to a second participant in a communications interaction with the participant. | 05-30-2013 |
20130139259 | DECEPTIVE INDICIA PROFILE GENERATION FROM COMMUNICATIONS INTERACTIONS - Systems, methods, computer-readable storage mediums and/or circuitry for generating deceptive indicia profiles may implement: detecting one or more indicia of deception associated with one or more signals associated with communication content provided by a participant in a first communications interaction; detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a second communications interaction; generating a deceptive indicia profile for the participant according to indicia of deception detected in the communications content provided by the participant in the first communications interaction and indicia of deception detected in the communications content provided by the participant in the second communications interaction; and detecting one or more indicia of deception associated with one or more signals associated with communications content provided by the participant in a third communications interaction according to the deceptive indicia profile for the participant. | 05-30-2013 |
20130145461 | Security Method for Mobile Ad Hoc Networks with Efficient Flooding Mechanism Using Layer Independent Passive Clustering (LIPC) - A security method and system for Layer Independent Passive Clustering (LIPC) is presented. The inventive method and system maintains the states in the LIPC cluster formation protocol while adding a ‘Trustworthy’ event to each state and provides a methodology that depends on the state of the transmitting node to quantify Trustworthy and derive a Trust Confidence Value (TCV) to represent the level of confidence in quantifying ‘Trustworthy’. The invention dynamically computes a degree of trustworthiness for each participating network node and eliminates nodes from participating in the PC cluster formation protocol and packet forwarding if they do not meet established trust metrics. The security solution can also apply to PC-based Mobile Ad hoc Networks (MANETs). The novel system and method applies a multidimensional set of security algorithms to protect the LIPC cluster formation protocol from malicious attacks that compromise cluster formation and secure routing. | 06-06-2013 |
20130145462 | Phishing Processing Method and System and Computer Readable Storage Medium Applying the Method - A phishing processing method includes: an information input web page comprising an information input interface, through which information is transmitted to an information receiving address, is received. It is determined whether the information input web page is a phishing web page. If it is determined that the information input web page is a phishing web page, fake input information is transmitted to the information receiving address. When information for verification is later received from an information transmitting address, it is determined whether the received information for verification is the fake input information. If the received information for verification is the fake input information, it is determined that the information transmitting address is a malicious address. | 06-06-2013 |
20130145463 | METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT - A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior. | 06-06-2013 |
20130145464 | Network Overload Detection and Mitigation System and Method - Systems and methods are provided for detecting and mitigating overload conditions affecting one or more computers attached to a network, such as overloads resulting from distributed denial of service (DDoS) attacks, for example. According to some described embodiments, an attempted overload condition is detected, e.g., by a system, through following a method, or both, within a data cleaning center. Detection may be achieved, e.g., by analyzing data packets traveling over the network to identify packets that bear characteristics that may be associated with DDoS attacks, and this analysis may include examination of the packets' data payloads. Mitigation, in turn, may include discarding some data packets, redirecting network traffic, or some combination thereof. | 06-06-2013 |
20130152195 | Replay Attack Protection With Small State For Use In Secure Group Communication - A replay detection technique with “small state” (e.g., with relatively few bits of state information). A sending node generates a random number r | 06-13-2013 |
20130152196 | THROTTLING OF ROGUE ENTITIES TO PUSH NOTIFICATION SERVERS - Techniques for throttling of rogue entities to push notification servers are described. An apparatus may comprise a processor and a memory communicatively coupled to the processor. The memory may store an application, the application maintaining a monitored domain table, the application maintaining an offending domain table, the application operative to receive an incoming request from a client in a domain, to detect harmful activity based on the request, and to respond to the harmful activity based on one or both of the monitored domain table and the offending domain table. Other embodiments are described and claimed. | 06-13-2013 |
20130152197 | EVENT DETECTION METHOD AND APPARATUS IN A DISTRIBUTED ENVIRONMENT - An event detection method in a distributed environment includes, when a non-parsable event occurs during grammar parsing, executing the following process until the first grammar parser module obtains a detection result: including the event that the current grammar parser module cannot parse in a scheduling request as the next event to be detected and sending it to the grammar control module; scheduling, by the grammar control module, another grammar parser module as the target grammar parser module for further parsing based on the scheduling strategy table; performing grammar parsing based on the local parsing table in the scheduled target grammar parser module; returning parsing results to the grammar control module for further parsing when no non-parsable event is found; or repeating the above process with the target grammar parser module as the new current grammar parser module when a non-parsable event is found. | 06-13-2013 |
20130152198 | Anomaly Detection To Implement Security Protection of a Control System - An anomaly detection mechanism is provided that detects an anomaly in a control network, and includes an identifying unit to receive event information on an event that occurs, and to identify a group including a resource related to the event information by referring to a configuration management database for retaining dependence relationships between processes and resources including a control system; a policy storing unit to store one or more policies each of which associates one or more actions with a condition defining a situation suspected to have an anomaly; an adding unit to acquire group-related information needed for application to the one or more policies, and to add the acquired information to the event information; and a determining unit to apply the event information to the one or more policies and to determine the one or more actions associated with the matched condition as one or more actions to be taken. | 06-13-2013 |
20130160115 | SANDBOXING FOR MULTI-TENANCY - Systems and methods according to various embodiments disclose a worker process manager adapted to spawn one or more worker processes on a server and to load an application on each of the worker processes. The worker process manager is adapted to isolate the one or more worker processes from each other and to control resource usage by the worker processes. A resource manager is adapted to detect applications that overuse system resources. The worker process manager is adapted to isolate worker processes and to control resource usage using one or more of the following techniques: least-privilege execution, messaging isolation, credentials isolation, data isolation, network isolation, fair share resource usage, and managed runtime security. Heuristic algorithms are used to detect applications that frequently overuse system resources that are unchargeable and that cause system unresponsiveness. | 06-20-2013 |
20130160116 | DATA SECURITY SEEDING SYSTEM - In one aspect of the invention there is provided a system for tracking seed data that has been inserted into a secured private information database listing. The system includes a network, computer, and database. Incoming communications to the network are monitored and are matched to a phone number, credit card number, address, email, or fax number that corresponds to the seed data. Depending on the incoming communication, software is configured to track and store third party identification information. The information is sent to a user to determine if the incoming phone call was conducted by breaching the secured private information database listing. | 06-20-2013 |
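20130145462 and 20130160116 both rest on the same honeytoken idea: plant a unique decoy record (fake credentials submitted to a suspected phishing page, or a seeded contact in a private listing) and treat any later use of it as proof that the planting site was malicious or breached. The registry below is an added example, not code from either patent; the record formats, the `example.com` address and the deterministic `rng` hook for testing are assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Seed:
    kind: str      # "credential" (phishing decoy) or "contact" (database seed)
    target: str    # where it was planted: a phishing URL or a listing identifier
    record: dict


class SeedRegistry:
    """Mints unique decoy records, remembers where each was planted, and maps
    later use of a decoy back to the planting site and the party using it."""

    def __init__(self, rng=secrets.token_hex):
        self.rng = rng            # injectable for tests; hex string of 2*n chars
        self.by_value = {}        # decoy value -> Seed
        self.hits = []            # (Seed, origin) pairs observed

    def mint_credential(self, phishing_url):
        """Fake username/password to submit to a page judged to be phishing."""
        user, pw = f"u{self.rng(4)}", self.rng(8)
        seed = Seed("credential", phishing_url, {"username": user, "password": pw})
        self.by_value[(user, pw)] = seed
        return seed.record

    def mint_contact(self, listing_id):
        """Fake phone number and e-mail to seed into a private listing."""
        phone = f"+1555{int(self.rng(4), 16) % 10**7:07d}"
        email = f"{self.rng(4)}@example.com"
        seed = Seed("contact", listing_id, {"phone": phone, "email": email})
        self.by_value[phone] = seed
        self.by_value[email] = seed
        return seed.record

    def observe(self, value, origin):
        """Check an inbound login attempt ((user, pw) tuple) or an inbound
        call/e-mail (the dialed number or addressed mailbox) against the
        registry. Returns the Seed that was used, or None for real traffic."""
        seed = self.by_value.get(value)
        if seed is not None:
            self.hits.append((seed, origin))
        return seed

    def flagged_origins(self):
        """origin -> set of planting sites whose decoys that origin has used."""
        out = {}
        for seed, origin in self.hits:
            out.setdefault(origin, set()).add(seed.target)
        return out
```

Because every decoy is unique to its planting site, a single hit both identifies the origin as malicious (the login source in the phishing case, the caller in the seeding case) and names the page or listing that leaked it; decoys reused across sites would lose the second property.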
20130160117 | IDENTIFYING REQUESTS THAT INVALIDATE USER SESSIONS - An illustrative embodiment of a computer-implemented process for identifying a request invalidating a session excludes all marked logout requests of a Web application, crawls an identified next portion of the Web application and responsive to a determination, in one instance, that the state of the crawl is out of session, logs in to the Web application. The computer-implemented process further selects all crawl requests sent since a last time the crawl was in-session, excluding all marked logout requests and responsive to a determination that requests remain, crawls a selected next unprocessed request. Responsive to a determination, in the next instance, that state of the crawl is out of session and the selected request meets logout request criteria, the computer-implemented process marks the selected request as a logout request. | 06-20-2013 |
20130160118 | Methods, Communication Networks, and Computer Program Products for Monitoring, Examining, and/or Blocking Traffic Associated with a Network Element Based on Whether the Network Element Can be Trusted - A communication network is operated by determining whether a network element can be trusted and monitoring traffic associated with the network element based on whether the network element can be trusted. At least some of the monitored traffic may be selected for examination based on the degree of trust for the network element. At least some of the monitored and/or examined traffic is selected to be blocked based on the degree of trust for the network element. | 06-20-2013 |
20130167229 | TRAFFIC MANAGING DEVICE AND METHOD THEREOF - Disclosed is a traffic managing device which includes an information collector collecting primary information associated with a flow; a controller judging a traffic state, collecting secondary information associated with the traffic based on the judged traffic state and the primary information, and judging whether the flow is abnormal, based on the secondary information; and a traffic correspondence unit dropping the flow based on the judged traffic state and whether the flow is abnormal. The primary information includes the source and destination internet protocol addresses of the flow, and the secondary information includes the number of flows per source internet protocol address. | 06-27-2013 |
20130167230 | DEVICE REPUTATION MANAGEMENT - A device reputation server recognizes malicious devices used in prior attacks and prevents further attacks by the malicious devices. Server computers require a digital fingerprint of any client devices prior to providing any service to such client devices. Logging of network activity include the digital fingerprint of the device perpetrating the attack. When an attack is detected or discovered, the attacked server reports the attack and the digital fingerprint of the perpetrating device to a device reputation server. The device reputation server uses the report to improve future assessments of the reputation of the device associated with the reported digital fingerprint. | 06-27-2013 |
20130174253 | SYSTEMS AND METHODS FOR DETECTING SIMILARITIES IN NETWORK TRAFFIC - A system, computer-readable medium, and method for identifying similarities in network traffic are provided. Hash values are calculated from Internet Protocol (IP) addresses in a group of IP addresses that request a domain name, a hash signature is generated from the hash values and paired with the domain name, and the domain name is then clustered with another domain name having a paired hash of the same value. The clustered domain names are then extracted and used in a similarity calculation. | 07-04-2013 |
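The clustering step of 20130174253, worked through on a constructed DNS query log (an added example, not code from the patent): each domain's set of requesting IPs is hashed, a signature is formed from the hash values, domains with identical signatures fall into one cluster, and Jaccard similarity is computed within each cluster. The signature here is the k smallest IP hashes (a min-k sketch), which generalizes the single paired hash value in the patent: k=1 reproduces it, and larger k makes equal signatures a stronger indication of shared requesters. The hash function, k and the sample log are assumptions.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

# Constructed DNS query log: (client IP, queried domain). Sample data only.
QUERY_LOG = [
    ("192.0.2.10", "a1-cdn.example"), ("192.0.2.11", "a1-cdn.example"),
    ("192.0.2.12", "a1-cdn.example"), ("192.0.2.13", "a1-cdn.example"),
    ("192.0.2.10", "b2-upd.example"), ("192.0.2.11", "b2-upd.example"),
    ("192.0.2.12", "b2-upd.example"), ("192.0.2.13", "b2-upd.example"),
    ("198.51.100.5", "news.example"), ("198.51.100.6", "news.example"),
    ("198.51.100.7", "news.example"),
    ("192.0.2.10", "c3-dl.example"), ("192.0.2.11", "c3-dl.example"),
    ("192.0.2.12", "c3-dl.example"), ("203.0.113.1", "c3-dl.example"),
]


def ip_hash(ip):
    """64-bit hash of one IP address (SHA-256 truncated; assumed choice)."""
    return int.from_bytes(hashlib.sha256(ip.encode()).digest()[:8], "big")


def requesters(log):
    """domain -> set of IPs that requested it."""
    groups = defaultdict(set)
    for ip, domain in log:
        groups[domain].add(ip)
    return groups


def signature(ips, k=2):
    """Hash signature of an IP group: the k smallest IP hashes, in order."""
    return tuple(sorted(ip_hash(ip) for ip in ips)[:k])


def cluster(groups, k=2):
    """Group domains whose requester signatures are identical."""
    buckets = defaultdict(list)
    for domain, ips in groups.items():
        buckets[signature(ips, k)].append(domain)
    return [sorted(ds) for ds in buckets.values() if len(ds) > 1]


def jaccard(a, b):
    return len(a & b) / len(a | b)


def similar_domains(log, k=2):
    """(domain, domain) -> Jaccard similarity, computed only within clusters."""
    groups = requesters(log)
    out = {}
    for members in cluster(groups, k):
        for d1, d2 in combinations(members, 2):
            out[(d1, d2)] = jaccard(groups[d1], groups[d2])
    return out
```

The two domains queried by exactly the same four clients land in one cluster with similarity 1.0, a pattern typical of a botnet rotating through command-and-control names, while news.example, with a disjoint client set, is never compared. Bucketing by signature before comparing is what keeps this tractable: the pairwise Jaccard step runs only inside clusters instead of across every pair of domains seen.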
20130174254 | METHOD FOR ADMINISTERING A TOP-LEVEL DOMAIN - A method for administering a top-level domain by analyzing domain name registrations for requests for suspicious or malicious domain names. A request to register a domain name is received. The requested domain name's information may be stored in a registry database. The requested domain name may also be conditionally stored in the domain name system (DNS) zone. The requested domain name is compared to a list of botnet domain names stored in a watch list database. If the requested domain name corresponds to one of the botnet domain names, the requested domain name is prevented from being added to the DNS zone or is removed from the DNS zone, if it has already been stored there. The information regarding the requested domain name is stored in the registry database, even if the domain name does not ultimately stay in the DNS zone. | 07-04-2013 |
20130174255 | APPARATUS METHOD AND MEDIUM FOR TRACING THE ORIGIN OF NETWORK TRANSMISSIONS USING N-GRAM DISTRIBUTION OF DATA - A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced. | 07-04-2013 |
20130179967 | Method to deter software tampering using interlinked sub-processes - A method is disclosed for deterring the reverse engineering of computer software code. The method involves the recognition of an unauthorized access attempt by one of a plurality of linked sub-processes embedded in the computer software code. In response to the unauthorized attempt, each of the sub-processes begins a recursive execution, resulting in computer system resources being increasingly diverted to the linked sub-processes, making it difficult to continue unauthorized attempts to access the computer software code. | 07-11-2013 |
20130179968 | SYSTEMS, METHODS, AND MEDIA FOR GENERATING SANITIZED DATA, SANITIZING ANOMALY DETECTION MODELS, AND/OR GENERATING SANITIZED ANOMALY DETECTION MODELS - Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods including: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a common set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model. | 07-11-2013 |
20130185791 | VOUCHING FOR USER ACCOUNT USING SOCIAL NETWORKING RELATIONSHIP - Trusted user accounts of an application provider are determined. Graphs, such as trees, are created with each node corresponding to a trusted account. Each of the nodes is associated with a vouching quota, or the nodes may share a vouching quota. Untrusted user accounts are determined. For each of these untrusted accounts, a trusted user account that has a social networking relationship is determined. If the node corresponding to the trusted user account has enough vouching quota to vouch for the untrusted user account, then the quota is debited, a node is added for the untrusted user account to the graph, and the untrusted user account is vouched for. If not, available vouching quota may be borrowed from other nodes in the graph. | 07-18-2013 |
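The vouching graph of 20130185791 as an added example (not code from the patent): trusted accounts are tree roots with a vouching quota, an untrusted account is vouched for by a trusted node it has a social relationship with, the voucher's quota is debited and the new node is attached beneath it, and when the voucher has no quota left one unit is borrowed from another node in the same tree. The per-node quota model, the rule that newly vouched accounts start with zero quota of their own, and the account names are assumptions.

```python
from collections import deque


class VouchGraph:
    """Trusted accounts are roots with a vouching quota; vouched accounts hang
    below the account that vouched for them. Quota can be borrowed from any
    other node in the same tree when the direct voucher has none left."""

    def __init__(self):
        self.quota = {}      # account -> remaining vouches it may make
        self.parent = {}     # vouched account -> vouching account
        self.children = {}   # account -> accounts it vouched for
        self.social = {}     # account -> accounts it has a relationship with

    def add_trusted(self, account, quota):
        self.quota[account] = quota
        self.children[account] = []

    def relate(self, a, b):
        self.social.setdefault(a, set()).add(b)
        self.social.setdefault(b, set()).add(a)

    def _root(self, account):
        while account in self.parent:
            account = self.parent[account]
        return account

    def _tree(self, root):
        """All nodes of the tree under root, breadth first."""
        seen, queue = [], deque([root])
        while queue:
            n = queue.popleft()
            seen.append(n)
            queue.extend(self.children.get(n, []))
        return seen

    def _borrow(self, account):
        """Take one unit of quota from another node in account's tree."""
        for other in self._tree(self._root(account)):
            if other != account and self.quota.get(other, 0) > 0:
                self.quota[other] -= 1
                return True
        return False

    def vouch_for(self, untrusted):
        """Find a graph node with a social relationship to the untrusted
        account, debit quota (borrowing if needed) and attach the new node.
        Returns the vouching account, or None if nobody can vouch."""
        if untrusted in self.quota:
            return None                       # already in the graph
        candidates = [t for t in self.social.get(untrusted, ()) if t in self.quota]
        for trusted in candidates:
            if self.quota[trusted] > 0:
                self.quota[trusted] -= 1
            elif not self._borrow(trusted):
                continue                      # this tree is exhausted; try next
            self.parent[untrusted] = trusted
            self.children[trusted].append(untrusted)
            self.quota[untrusted] = 0         # assumed: vouched accounts get no quota
            self.children[untrusted] = []
            return trusted
        return None
```

The quota is the abuse control: a trusted account (or a whole tree, once borrowing is allowed) can only admit a bounded number of new accounts, so a compromised trusted user cannot vouch an unlimited number of sock puppets into the application.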
20130185792 | DYNAMIC EXECUTION PREVENTION TO INHIBIT RETURN-ORIENTED PROGRAMMING - A method, apparatus, and/or system for execution prevention is provided. A state indicator for a first subset of a plurality of memory pages of executable code in a memory device is set to a non-executable state. A state indicator for a second subset of the plurality of memory pages is set to an executable state, where the second subset of the plurality of memory pages includes indirection stubs to functions in the first subset of the plurality of memory pages. Upon execution of an application, a function call is directed to a corresponding indirection stub in the second subset of the plurality of memory pages which modifies the state indicator for a corresponding function in the first subset of the plurality of memory pages prior to directing execution of the called function from the first subset of the plurality of memory pages. | 07-18-2013 |
20130185793 | Apparatus and Method for Tracking Network Path - An apparatus and method for effectively tracking a network path by using packet information generated when visiting a Web page are provided. | 07-18-2013 |
20130185794 | BASE STATION FOR DETECTING DENIAL-OF-SERVICE ATTACKS IN COMMUNICATION SYSTEM AND METHOD FOR CONTROLLING THE SAME - Provided is a base station for detecting Denial-of-Service (DoS) attacks in a communication system and a method for controlling the same. The base station includes a first estimator for estimating, for a predetermined time, a reception rate of data that is received at the base station from a communication network to be transmitted to at least one wireless terminal; a second estimator for estimating, for a predetermined time, a bandwidth allocated for transmission of data to the at least one wireless terminal, based on at least one of feedback information transmitted from the at least one wireless terminal and channel capacity of the base station; and a controller for calculating a ratio of the bandwidth to the reception rate for the at least one wireless terminal, and determining whether there is a DoS attack, using the calculated ratio. | 07-18-2013 |
20130191912 | SECURE NETWORK TOPOLOGY ON A VIRTUALIZED SERVER - Generally, this disclosure describes a secure network topology on a virtualized server (and methods thereof). A virtualization management module is deployed as part of a software layer of a virtualized server system. The virtualization management module generates an internal network among the virtual machines and controls access to the network. The virtualization management module translates incoming and outgoing traffic between the virtual machines and an external internet IP address, thus keeping the virtual machines indirectly coupled to the external network. The virtualization management module also provides remote administration and control over each virtual machine (or collection of virtual machines). | 07-25-2013 |
20130191913 | DYNAMICALLY SCANNING A WEB APPLICATION THROUGH USE OF WEB TRAFFIC INFORMATION - Collecting log file data from at least one log file. From the collected log file data, at least one HTTP request can be generated to exercise a web application to perform a security analysis of the web application. The HTTP request can be communicated to the web application. At least one HTTP response to the HTTP request can be received. The HTTP response can be analyzed to perform validation of the web application. Results of the validation can be output. | 07-25-2013 |
20130191914 | CLOUD-BASED GATEWAY SECURITY SCANNING - Some embodiments of cloud-based gateway security scanning have been presented. In one embodiment, some data packets are received sequentially at a gateway device. The data packets constitute at least a part of a file being addressed to a client machine coupled to the gateway device. The gateway device forwards an identification of the file to a remote datacenter in parallel with forwarding the data packets to the client machine. The datacenter performs signature matching on the identification and returns a result of the signature matching to the gateway device. The gateway device determines whether to block the file from the client machine based on the result of the signature matching from the datacenter. | 07-25-2013 |
20130198838 | METHOD AND APPARATUS FOR PROVIDING SECURITY TO DEVICES - Systems, methods, and apparatus are provided for generating verification data that may be used for validation of a wireless transmit-receive unit (WTRU). The verification data may be generated using a tree structure having protected registers, represented as root nodes, and component measurements, represented as leaf nodes. The verification data may be used to validate the WTRU. The validation may be performed using split-validation, which is a form of validation described that distributes validation tasks between two or more network entities. Subtree certification is also described, wherein a subtree of the tree structure may be certified by a third party. | 08-01-2013 |
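The tree-structured verification data of 20130198838, as an added example (not code from the patent): component measurements are the leaves, each group of components forms a subtree, the subtree roots combine into a single root that would be extended into a protected register, and validation is split so that a subtree with a valid third-party certificate is accepted on the certificate alone while uncertified subtrees are checked leaf by leaf. Binary hash-tree layout, SHA-256, the HMAC stand-in for a certificate and the component names are assumptions.

```python
import hashlib
import hmac


def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(measurement):
    return h(b"\x00", measurement)         # domain separation for leaves


def node(left, right):
    return h(b"\x01", left, right)         # and for internal nodes


def merkle_root(digests):
    """Root of a binary hash tree over an ordered list of digests; an odd
    level duplicates its last node."""
    level = list(digests)
    if not level:
        raise ValueError("empty tree")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def build(components):
    """components: {subtree_name: [measurement bytes, ...]}. Returns
    (subtree_roots, root). The root is what gets extended into the protected
    register; the subtree roots are what a third party may certify."""
    names = sorted(components)
    subtree_roots = {n: merkle_root([leaf(m) for m in components[n]]) for n in names}
    return subtree_roots, merkle_root([subtree_roots[n] for n in names])


def certify(key, name, subtree_root):
    """Stand-in for a third-party subtree certificate (assumed: HMAC over the
    subtree name and root; a real certifier would sign)."""
    return hmac.new(key, name.encode() + subtree_root, "sha256").digest()


def validate(components, register_value, certs, cert_key, reference):
    """Split validation. Subtrees with a valid certificate are accepted on
    the certificate; the rest are checked leaf by leaf against `reference`;
    finally the recomputed root must match the protected register. Returns
    the list of failing subtree names, plus "root" if the register mismatches."""
    subtree_roots, root = build(components)
    failed = []
    for name, sr in subtree_roots.items():
        cert = certs.get(name)
        if cert is not None and hmac.compare_digest(cert, certify(cert_key, name, sr)):
            continue
        if components[name] != reference.get(name):
            failed.append(name)
    if not hmac.compare_digest(root, register_value):
        failed.append("root")
    return failed
```

The point of the split is that the entity holding the full reference list and the entity holding the certificates need not be the same: a certified radio subtree can be accepted by one validator from the certificate alone, while another validator with the component inventory checks the remaining subtrees, and both compare the final root to the register value reported by the device.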
20130198839 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit. | 08-01-2013 |
20130198840 | SYSTEMS, METHODS AND COMPUTER PROGRAMS PROVIDING IMPACT MITIGATION OF CYBER-SECURITY FAILURES - Disclosed is a method and system to operate a governed data processing system in concert with a governing data processing system. The method includes operating a secure governing data processing system to monitor operation of at least one governed data processing system to detect a deviation from modeled user and governed data processing system behavior. The method further includes, upon detecting a deviation from the modeled behavior, taking proactive action to mitigate an occurrence of a potential adverse result of an occurrence of a cyber-security threat. | 08-01-2013 |
20130205388 | SELECTIVE RANDOMIZATION FOR NON-DETERMINISTICALLY COMPILED CODE - A method and an apparatus for runtime compilation that generates non-deterministic and unpredictable code to protect against un-trusted code attacks are described. The runtime compilation may be based on heuristic rules without requiring deterministic behavior reduction operations for all the code generated. The heuristic rules may include estimations on, for example, runtime overhead or cost incurred for code protection, amount of code protection required and/or other applicable factors and their relationships. | 08-08-2013 |
20130205389 | DATA PROCESSING APPARATUS AND METHOD FOR PROTECTING SECURE DATA AND PROGRAM CODE FROM NON-SECURE ACCESS WHEN SWITCHING BETWEEN SECURE AND LESS SECURE DOMAINS - A data processing apparatus includes processing circuitry and a data store including a plurality of regions including a secure region and a less secure region. The secure region is configured to store sensitive data accessible by the circuitry when operating in a secure domain and not accessible by the circuitry when operating in a less secure domain. The data store includes a plurality of stacks with a secure stack in the secure region. Stack access circuitry is configured to store predetermined processing state to the secure stack. The processing circuitry further comprises fault checking circuitry configured to identify a first fault condition if the data stored in the predetermined relative location is the first value. This provides protection against attacks from the less secure domain, for example performing a function call return from an exception, or an exception return from a function call. | 08-08-2013 |
20130205390 | NETWORK ASSISTED FRAUD DETECTION APPARATUS AND METHODS - Methods and apparatus for detecting fraudulent device operation. In one exemplary embodiment of the present disclosure, a device is issued a user access control client that is uniquely associated with a shared secret that is securely stored within the network and the access control client. Subsequent efforts to activate or deactivate the access control client require verification of the shared secret. Each change in state includes a change to the shared secret. Consequently, requests for a change to state which do not have the proper shared secret will be disregarded, and/or flagged as fraudulent. | 08-08-2013 |
20130205391 | Formal Analysis of the Quality and Conformance of Information Flow Downgraders - Mechanisms for evaluating downgrader code in application code with regard to one or more security guidelines are provided. Downgrader code in application code is identified, where the downgrader code is a portion of code in the application code that operates on an information flow of the application code to ensure confidentiality of information input to the downgrader code, in the output of the downgrader code. Processes of the downgrader code are evaluated against security guidelines to determine if the processes violate the security guidelines. A notification is generated in response to the evaluation indicating that the processes of the downgrader code violate the security guidelines. The notification is output to a computing device for consideration. | 08-08-2013 |
20130212675 | DYNAMIC COMPUTER NETWORK WITH VARIABLE IDENTITY PARAMETERS - Method for communicating data in a computer network involves dynamically modifying at a first location in the computer network a plurality of true values. The true values correctly represent the plurality of identity parameters. These true values are transformed to false values, which incorrectly represent the identity parameters. Subsequently, the identity parameters are modified at a second location to transform the false values back to the true values. The position of the first and/or second locations varies dynamically as part of this process. A bridge transforms identity parameter values when communicating outside the network. Dynamic modification of the identity parameters occurs in accordance with a mission plan that can be modified without interrupting communication of data in the network. | 08-15-2013 |
20130212676 | MISSION MANAGEMENT FOR DYNAMIC COMPUTER NETWORKS - Method for communicating data in a computer network involves dynamically modifying at a first location in the computer network a plurality of true values. The true values correctly represent the plurality of identity parameters. These true values are transformed to false values, which incorrectly represent the identity parameters. Subsequently, the identity parameters are modified at a second location to transform the false values back to the true values. The position of the first and/or second locations varies dynamically as part of this process. A bridge transforms identity parameter values when communicating outside the network. Dynamic modification of the identity parameters occurs in accordance with a mission plan that can be modified without interrupting communication of data in the network. | 08-15-2013 |
20130212677 | Thwarting Attacks that involve Analyzing Hardware Sensor Output - A hardware sensor and a hardware user-input component are integrated in a portable electronic device. The hardware sensor is operable to produce hardware sensor output indicative of orientation or motion or both of the device within its environment. The hardware user-input component has multiple elements operable to accept user input through touch. A user-input driver and the device's operating system are jointly operable to detect touch events involving the elements. A software application stored in the device's memory is executable by the device's processor as a process. A sensor driver or the operating system or both are configured to control what hardware sensor output, if any, is receivable by the process. This control may thwart an attack based on analysis of the hardware sensor output, the attack designed to deduce what user input has been made via multiple elements of the hardware user-input component. | 08-15-2013 |
20130212678 | Altering Sampling Rate to Thwart Attacks that involve Analyzing Hardware Sensor Output - A hardware sensor and a hardware user-input component are integrated in a portable electronic device. The hardware sensor is operable to produce hardware sensor output indicative of orientation or motion or both of the device within its environment. The hardware user-input component has multiple elements operable to accept user input through touch. A user-input driver and the device's operating system are jointly operable to detect touch events involving the elements. A software application stored in the device's memory is executable by the device's processor as a process. A sensor driver or the operating system or both are configured to control what hardware sensor output, if any, is receivable by the process. This control may thwart an attack based on analysis of the hardware sensor output, the attack designed to deduce what user input has been made via multiple elements of the hardware user-input component. | 08-15-2013 |
20130212679 | PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS - A low rate DoS attack detection algorithm is used, which relies on a characteristic of the low rate DoS attack in introducing high rate traffic for short periods, and then uses a proactive test based differentiation technique to filter the attack packets. The proactive test defends against DDoS attacks and low rate DoS attacks which tend to ignore the normal operation of network protocols, but it also differentiates legitimate traffic from low rate DoS attack traffic instigated by botnets. It leverages on the conformity of legitimate flows, which obey the network protocols. It also differentiates legitimate connections by checking their responses to the proactive tests which include puzzles for distinguishing botnets from human users. | 08-15-2013 |
20130219491 | SYSTEM AND METHOD FOR INTEGRITY RECONSTITUTION - A method of communicating data in a network comprises receiving a copy of a message on a first channel via at least one of a first port and a second port, the first port coupled to a first neighbor node and the second port coupled to a first neighbor's neighbor node; and selecting either the copy of the message received via the first port or the copy of the message received via the second port if a copy of the message is received via both the first port and the second port. If a copy of the message is only received via one of the first port or the second port, the received copy of the message is selected. The selected copy of the message is forwarded on the first channel to a second neighbor node via a third port and to a second neighbor's neighbor node via a fourth port; and the integrity of the selected copy of the message is determined based on supplemental integrity data received from another node, wherein the supplemental integrity data is exclusive of a copy of the message communicated on a second channel. | 08-22-2013 |
20130219492 | SYSTEM FOR FINDING CODE IN A DATA FLOW - A code finder system deployed as a software module, a web service or as part of a larger security system, identifies and processes well-formed code sequences. For a data flow that is expected to be free of executable or interpreted code, or free of one or more known styles of executable or interpreted code, the code finder system can protect participants in the communications network. Examples of payload carried by data flows that can be monitored include, but are not limited to, user input data provided as part of interacting with a web application, data files or entities, such as images or videos, and user input data provided as part of interacting with a desktop application. | 08-22-2013 |
20130219493 | Remote Security Self-Assessment Framework - A system for security self-assessment for a computer platform. The system comprises a memory, a processor, and an application stored in the memory. When executed by the processor, the application in association with a call to action transmits security self-assessment logic and at least one security self-assessment policy to a computer platform, wherein the security self-assessment policy defines at least one scan tool to be used by the security self-assessment logic when executed on the computer platform to perform a security self-assessment of the computer platform. The system further comprises a plurality of scan tools stored in the memory and accessible for downloading by the computer platform. The security self-assessment logic is configured to cause a processor of the computer platform to download at least one scan tool defined by the security self-assessment policy and to perform a security self-assessment. | 08-22-2013 |
20130219494 | METHOD OF ANALYZING THE BEHAVIOR OF A SECURE ELECTRONIC TOKEN - The invention is a method of analyzing the behavior of a secure electronic token which comprises an interface for exchanging data with an external entity. The token has a lifecycle wherein the token is intended to be created then issued. The method comprises the steps of: | 08-22-2013 |
20130219495 | SYSTEM AND METHOD FOR OPTIMIZATION OF SECURITY TASKS BY CONFIGURING SECURITY MODULES - A system and method for dynamic configuration of the security modules for optimization of execution of security tasks are provided. The system includes: a mechanism for identifying the clients connected to the network; a client data collection unit that determines hardware/software configurations of each detected client; a security module selection and installation unit that selects required modules for each client; a statistics collection unit that collects the security tasks execution statistics from user modules and from client modules; and a configuration unit that configures the client and server modules based on the collected statistics in order to optimize execution of the security tasks. | 08-22-2013 |
20130219496 | SECURITY CONFIGURATION VERIFICATION DEVICE AND METHOD AND NETWORK SYSTEM EMPLOYING THE SAME - The invention discloses a security configuration verification device for performing a security configuration verification on a network device, which comprises: one or more preconfigured scanning policies; a scanning policy generator, which selects a scanning policy from the one or more preconfigured scanning policies to generate a new scanning policy corresponding to the network device; and a scanner, which performs the security scanning on the network device with the generated new scanning policy and thereby performs the security configuration verification. The invention also discloses a corresponding security configuration verification method and a network system employing the verification device. | 08-22-2013 |
20130227681 | SYSTEM, APPARATUS, AND METHOD FOR VERIFYING AUGMENTED REALITY SERVICE - A system for verifying the security of information provided to an augmented reality service includes a terminal and a server. The terminal collects information about an object and transmits the object information to the server. The server transmits tag information related to the object information to the terminal. The terminal determines if the tag information includes harmful information. If the tag information includes harmful information, the terminal may process the harmful information with a vaccine or transmit the tag information to the server for processing. The terminal displays the object information and tag information according to user settings related to the display of tag information including harmful information. | 08-29-2013 |
20130227682 | Apparatus for E-Learning and method therefor - A method or apparatus for assisting a user to access a plurality of eBooks is provided. When a user accesses an eBook, the method or apparatus can assist the user to seek assistance from the Internet, or prepare homework, while at the same time preventing plagiarism of homework. | 08-29-2013 |
20130227683 | QUANTIFYING THE RISKS OF APPLICATIONS FOR MOBILE DEVICES - Quantifying the risks of applications (“apps”) for mobile devices is disclosed. In some embodiments, quantifying the risks of apps for mobile devices includes receiving an application for a mobile device; performing an automated analysis of the application based on a risk profile; and generating a risk score based on the automated analysis of the application based on the risk profile. | 08-29-2013 |
20130227684 | METHOD AND SYSTEM FOR PROTECTION AGAINST INFORMATION STEALING SOFTWARE - Methods and systems reduce exposure to a dictionary attack while verifying whether data transmitted over a computer network is a password. In one aspect, a method includes performing a search of network traffic based, at least in part, on a weak validation using a Bloom filter based on an organizational password file, determining the existence of a password in the network traffic based only on the weak validation, and determining whether to block, alert, or quarantine the network traffic based at least in part on the existence of the password in the network traffic. | 08-29-2013 |
20130227685 | SYSTEM AND METHOD FOR INTELLIGENT COORDINATION OF HOST AND GUEST INTRUSION PREVENTION IN VIRTUALIZED ENVIRONMENT - A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a “fast path” firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a “slow-path” for intrusion detection and prevention. | 08-29-2013 |
20130227686 | METHOD AND APPARATUS FOR BLOCKING MALICIOUS ACCESS TO PROCESS - An apparatus for blocking an external access to a browser includes an access monitor for monitoring whether a program is accessing the browser; a document object acquisition detector for detecting whether the program detected by the access monitor to be accessing the browser acquires a document object of the browser; and an injection blocker for blocking the access of the program to the browser when the document object acquisition detector detects the document object acquisition by the corresponding program. | 08-29-2013 |
20130232573 | METHOD AND SYSTEM FOR APPLICATION-BASED POLICY MONITORING AND ENFORCEMENT ON A MOBILE DEVICE - A method and system for application-based monitoring and enforcement of security, privacy, performance and/or other policies on a mobile device includes incorporating monitoring and policy enforcement code into a previously un-monitored software application package that is installable on a mobile device, and executing the monitoring and policy enforcement code during normal use of the software application by a user of the mobile device. | 09-05-2013 |
20130232574 | Systems and Methods of DNS Grey Listing - To circumvent being blacklisted by an ISP, some viruses use a domain name generator algorithm or a domain generator algorithm (DGA). In an example, the DGA may use the current date and time to generate a random domain name based on the date. So for a given date, the botnet registers a particular domain in order to control the Trojan horse virus. The domain name that the botnet uses typically changes every day, which helps circumvent blacklisting. To counteract that, the disclosed systems and methods of DNS greylisting place a domain name in a grey list for a time period, for example a day, before the ISP resolves the domain. The first time the ISP experiences a customer trying to contact a particular domain, the ISP prevents the domain from resolving. After the time period (for example, 24 hours) expires, the domain is allowed to resolve normally. | 09-05-2013 |
20130232575 | CONTROLLING IPSEC OFFLOAD ENABLEMENT DURING HARDWARE FAILURES - Provided are techniques for receiving a packet transmitted in conjunction with a security association associated with Internet Protocol Security (IPSec); determining, based upon the security association, that the packet is faulty; incrementing a count corresponding to previous faulty packets received; determining that the count exceeds a threshold; and disabling IPSec accelerator hardware in response to the determining that the count exceeds the threshold. | 09-05-2013 |
20130239209 | MANAGING DOMAIN NAME ABUSE - A method for providing an abuse sentry service for responding to domain name abuse is described. The method comprises the following steps. A plurality of disparate abuse feeds is received, each comprising data relating to a subset of potential domain name abuse. Filters are applied to the data to create a custom abuse feed. Data from the custom abuse feed is grouped based on priority levels. For each of the groups, one or more corresponding workflows are executed as a response to the potential domain name abuse. A computer readable medium including instructions for implementing the method is also described. | 09-12-2013 |
20130239210 | SYSTEM AND METHODS FOR DETECTING MALICIOUS EMAIL TRANSMISSION - A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique. | 09-12-2013 |
20130239211 | SYSTEM FOR TRACKING MEDIA CONTENT TRANSACTIONS - A system that incorporates teachings of the present disclosure may include, for example, a web server having a controller adapted to manage an archive of media content for a subscriber, and record a transaction description and a corresponding tracking identifier for a transaction that manipulates the archive. Other embodiments are disclosed. | 09-12-2013 |
20130239212 | SEARCH ENGINE WITH WEBPAGE RATING FEEDBACK BASED INTERNET SEARCH OPERATION - Feedback of a web page quality/legitimacy factor, various user interaction parameters, a contact address correlation factor, and an explicit web page rating on the reverse path from the client to the servers for Internet search operations improves the quality of websites/web pages and enhances the efficiency of the Internet search operation. This reverse communication also allows for the automatic blockage of any illegitimate websites due to a poor “contact address correlation factor” and a poor “web page quality factor.” The rating of the websites is based on a computed number called the “web page quality factor.” The “web page quality factor” is communicated in the reverse path of the Internet search operation back to various Whois servers, domain registrars, and web servers on the Internet to further improve quality. This facilitates the filtering of scammers, squatters, illegal/unwanted sites, etc., which have a low “web page quality factor” rating, resulting in high efficiency of search operations. | 09-12-2013 |
20130247178 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MAKING A SCAN DECISION DURING COMMUNICATION OF DATA OVER A NETWORK - A system, method, and computer program product are provided for scanning data during communication of the data over a network. In use, a process is initiated for determining whether to scan data, during communication of the data over the network. Further, the data is conditionally scanned based on the determination. | 09-19-2013 |
20130247179 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR SENDING DATA ASSOCIATED WITH CONTENT TO A SERVER FOR ANALYSIS - A system, method, and computer program product are provided for sending data associated with content to a server for analysis. In use, tracking information associated with content stored on a client is identified. Further, data associated with the content is sent from the client to a server for analysis. | 09-19-2013 |
20130247180 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR COMPARING AN OBJECT WITH OBJECT ENUMERATION RESULTS TO IDENTIFY AN ANOMALY THAT AT LEAST POTENTIALLY INDICATES UNWANTED ACTIVITY - A system, method, and computer program product are provided for comparing an object with object enumeration results to identify at least potentially unwanted activity. In use, a change in a state of an object is identified. Additionally, the object is compared with results of an object enumeration. Further, at least potentially unwanted activity is identified based on the comparison. | 09-19-2013 |
20130247181 | Method of and system for computer system denial-of-service protection - A method of and system for protecting a computer system against denial-of-service attacks or other exploitation. The method comprises collecting network data and analyzing the network data using statistical and heuristic techniques to identify the source of the exploitation upon receiving an indication of exploitation. Upon identifying the network source, the network data associated with the network source is blocked, redirected, or flow controlled. Preferably, the method also includes identifying when the system is being exploited. | 09-19-2013 |
20130247182 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR IDENTIFYING HIDDEN OR MODIFIED DATA OBJECTS - A system, method, and computer program product are provided for detecting hidden or modified data objects. In use, a first set of data objects stored in a device is enumerated, where the enumeration of the first set of data objects is performed within an operating system of the device. Additionally, a second set of data objects stored in the device is enumerated, where the enumeration of the second set of data objects is performed outside of the operating system of the device. Further, the first set of data objects and the second set of data objects are compared for identifying hidden or modified data objects. | 09-19-2013 |
20130247183 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PREVENTING A MODIFICATION TO A DOMAIN NAME SYSTEM SETTING - A system, method, and computer program product are provided for preventing a modification to a domain name system setting. In use, an attempt to modify a domain name system setting is detected. Additionally, a source of the attempt and an attribute of the modification are verified. Further, the modification to the domain name system setting is prevented, based on the verification. | 09-19-2013 |
20130247184 | Stealth Network Attack Monitoring - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for stealth attack monitoring. In one aspect, a method includes monitoring a network for failed connection attempts in the network, wherein each failed internal connection attempt is initiated by a source asset and is an attempt to connect to a destination asset; and only in response to detecting a failed connection attempt initiated by a source asset, instantiating a source asset tracking instance in a computer memory, and for each source asset tracking instance in the computer memory: monitoring the corresponding source asset for a threshold number of failed connection attempts to destination assets during a time period; and in response to detecting the threshold number of failed connection attempts from the source asset during the time period for the source asset tracking instance, designating the source asset as a security risk. | 09-19-2013 |
20130247185 | SYSTEMS AND METHODS FOR TRACKING AND RECORDING EVENTS IN A NETWORK OF COMPUTING SYSTEMS - A security client can be configured to operate on one or more computing systems and record all events occurring on the one or more computing systems. The security client can operate as a “security camera” for the computing systems by identifying and retaining data and information that describes and details different events that occur on the computing systems. The security client can be configured to generate event records for the events that are uniquely associated with the process that requested or performed the event. Likewise, the security client can be configured to uniquely associate the event records with the specific computing system associated with the event. | 09-19-2013 |
20130247186 | System to Bypass a Compromised Mass Storage Device Driver Stack and Method Thereof - A method to circumvent malicious software via a system configured to bypass a device driver stack and, consequently, also bypass the malicious software that may be adversely affecting the device driver stack by using an alternative stack such as a crash dump I/O stack. The crash dump I/O stack is poorly documented relative to the device driver stack and functions independently from the device driver stack. | 09-19-2013 |
20130247187 | Computing device to detect malware - Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware. | 09-19-2013 |
20130247188 | Mobile Point-Of-Presence for On Demand Network Client Services and Security - Devices, systems and methods are disclosed which relate to implementing a point-of-presence system on a mobile service network. Such a point-of-presence system includes a mobile device communications network; a mobile device; a point-of-presence logic installed on a mobile device; and an application server in communication with the point-of-presence logic via the communications network. Communications between the point-of-presence logic and the network and application server include network data, configuration, and/or installation of connection and device management applications. This point-of-presence system constitutes a mechanism for the service provider to best optimize network resources, even at the device level, while providing optimum network service to mobile users—even for mobile devices that have not been pre-configured for the mobile service network. | 09-19-2013 |
20130254878 | METHOD AND APPARATUS FOR DATA TRANSFER RECONCILIATION - A method and system for monitoring data transfers over a one-way data link from a send node to a receive node. A send log file monitoring and transmitting module associated with the send node on a first server outputs a send log file containing information about data sent by the send node. A receive log file monitoring and transmitting module associated with the receive node on a second server outputs a receive log file containing information about data received by the receive node. A reconciliation module on a third server receives the send log file and the receive log file and identifies any data transfer errors by comparing the send log file with the receive log file. A web server is coupled to the reconciliation module to provide user access to the identified data transfer errors. | 09-26-2013 |
20130254879 | METHOD AND SYSTEM FOR DETECTING AND MITIGATING ATTACKS PERFORMED USING CRYPTOGRAPHIC PROTOCOLS - A method and security system for detecting and mitigating encrypted denial-of-service (DoS) attacks. The system includes a DoS defense (DoSD) module configured to detect an encrypted DoS attack in an inbound traffic by analyzing attributes only in the inbound traffic that relate to at least one of a network layer and an application layer, wherein the DoSD module is further configured to mitigate a detected encrypted attack, the inbound traffic originates at a client and is addressed to a protected server; and a cryptographic protocol engine (CPE) configured to establish a new encrypted session between the client and the security system, decrypt requests included in the inbound traffic, and send encrypted responses to the client over the new encrypted session between the client and the security system. | 09-26-2013 |
20130254880 | SYSTEM AND METHOD FOR CROWDSOURCING OF MOBILE APPLICATION REPUTATIONS - A system and method in one embodiment includes modules for obtaining a collection of attributes of a mobile application, comparing one or more of the attributes with crowdsourced data associated with other mobile applications to determine one or more trustworthiness indicators, and calculating a reputation score based on the one or more trustworthiness indicators. More specific embodiments include a collection of attributes comprising a manifest, and an application behavior. Other embodiments include determining a suitable action based on the reputation score, such as changing a configuration of the mobile application, deleting the mobile application from a mobile device, generating a security alert on a display of the mobile device, etc. | 09-26-2013 |
20130254881 | Method to Detect Tampering of Data - A method to detect tampering of data includes constant acquiring of raw measurement data in a sensor unit. The raw measurement data of a defined time interval is processed in a metrology unit to obtain first measurement results. The first measurement results are transmitted to an authority at defined time instances via a communication channel. A defined fraction of raw measurement data is transmitted to the authority in a random manner via the communication channel. The raw measurement data of the defined time interval is processed at the authority to obtain second measurement results. The first and second measurement results of a time interval are compared. | 09-26-2013 |
20130254882 | MULTI-DOMAIN IDENTITY INTEROPERABILITY AND COMPLIANCE VERIFICATION - An identity management deployment, interoperability, and compliance verification is discussed. In one embodiment, the system also provides on-demand services including automated certification, monitoring, alerting, routing, and translation of tokens for federated identity related interactions between multi-domain identity management systems is provided. | 09-26-2013 |
20130254883 | METHOD AND SYSTEM FOR INFORMATION LEAK PREVENTION - A method for mitigating false positive type errors while applying an information leak prevention policy to identify important information and to prevent outward leakage. A positive criterion is defined for a positive set, and a negative criterion for a negative set of benign traffic. An ambiguity set contains items showing indications for both positive and negative sets. An ambiguity resolution criterion allows ambiguous items to be placed in/removed from the positive set or negative set. Each information item is searched for matches with the positive set. Each item in the positive set is checked for membership in the ambiguity set. The ambiguity resolution criteria are used for each member of the ambiguity set and to remove items from the positive set accordingly. The leak prevention policy is applied for all items remaining in the positive set thus protecting the important information. | 09-26-2013 |
20130254884 | SYSTEMS AND METHODS FOR BEHAVIORAL SANDBOXING - Methods and systems for behavioral sandboxing are described. In one example embodiment, a system for behavioral sandboxing can include a network and a computer. The network is communicatively coupled to a source of an executable application. The computer is communicatively coupled to the network and includes a behavioral analysis module and a plurality of execution environments. The behavioral analysis module is configured to perform behavioral analysis on the executable application downloaded over the network. The plurality of execution environments includes a standard execution environment and a protected execution environment. The behavioral analysis module is configured to evaluate a plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment prior to execution of the executable application. The behavioral analysis module also monitors execution of the executable application to determine whether the execution environment can be changed. | 09-26-2013 |
20130263256 | TECHNIQUES FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS NEAR THE SOURCE - Systems and methods protect against denial of service attacks. Remotely originated network traffic addressed to one or more network destinations is routed through one or more locations. One or more of the locations may be geographically proximate to a source of a denial of service attack. One or more denial of service attack mitigation strategies is applied to portions of the network traffic received at the one or more locations. Network traffic not blocked pursuant to the one or more denial of service attack mitigation strategies is dispatched to its intended recipient. Dispatching the unblocked network traffic to its intended recipient may include the use of one or more private channels and/or one or more additional denial of service attack mitigation strategies. | 10-03-2013 |
20130263257 | SYSTEM AND METHOD FOR PROVIDING SERVICES - Systems and methods for providing services are disclosed. One aspect comprises detecting a compromised state of a user device, determining a device identifier associated with the user device, locating a service identifier associated with the device identifier, and transmitting the service identifier to the user device. | 10-03-2013 |
20130263258 | Information Security Management - A system and method for information security management. An anomaly in data traffic directed to a data processing environment is identified. The anomaly indicates a threat to the data processing environment. The data processing environment comprises a number of data processing systems. A threatened data processing system is identified. The threatened data processing system is one of the number of data processing systems to which the threat is directed. The threatened data processing system is isolated. The threatened data processing system is monitored after the threatened data processing system is isolated. The threatened data processing system is replicated to form a replicated data processing system. | 10-03-2013 |
20130263259 | ANALYZING RESPONSE TRAFFIC TO DETECT A MALICIOUS SOURCE - A system and method are provided to receive mirrored versions of transmissions sent by a node in response to initiating transmissions received by the node over a network. At least one mirrored response transmission sent from the node in response to at least one corresponding initiating transmission is analyzed to determine whether or not the corresponding at least one initiating transmission is malicious. | 10-03-2013 |
20130263260 | SYSTEM AND METHOD FOR ASSESSING AN APPLICATION TO BE INSTALLED ON A MOBILE COMMUNICATION DEVICE - A system and method checks for harmful behavior of an application to be installed on a mobile communication device. A server computer receives from the mobile communication device data pertaining to the application to be installed and information pertaining to the mobile communication device. The server processes the data and information to determine an assessment for the application to be installed. The assessment is provided to the mobile communication device and the assessment is displayed on the device if the assessment is one of dangerous and potentially dangerous. | 10-03-2013 |
20130263261 | CENTRALIZED SECURITY MANAGEMENT SYSTEM - A centralized security management system (CSMS) is provided to monitor a network to detect and mitigate attacks in or to the network. The CSMS includes a variety of devices located throughout the network to collect and synthesize data collected or obtained from devices operating in the network. The collected data is analyzed using behavioral engines or other software algorithms to develop trends for a normal and abnormal operating condition. The abnormal operating conditions are analyzed further to determine attacks to the devices or the network. Based on the attacks, a mitigation scheme is implemented to remove or reduce the attacks. | 10-03-2013 |
20130263262 | VERIFYING FIRMWARE INTEGRITY OF A DEVICE - In one embodiment, the present invention includes a method for receiving an integrity request in a device of a computer system from a software entity external to the device, performing a measurement of firmware of the device using an integrity measurement logic of the device, analyzing a plurality of pointer structures of the device to determine whether a potential security violation exists, and sending the measurement and a status report regarding the analysis to the software entity. Other embodiments are described and claimed. | 10-03-2013 |
20130263263 | WEB ELEMENT SPOOFING PREVENTION SYSTEM AND METHOD - A method of inspecting Web elements for real-time classification and detection of Web element spoofing attempts, according to which trustworthy Web locations are identified for generating a database of safe zones. For each inspected element, it is checked whether or not its top frame URL is included in the database, and if it is included, the element is classified as a suspected Web element location spoofing attempt. | 10-03-2013 |
20130269028 | UNIFIED SCAN MANAGEMENT - A particular scan set to be performed on at least a portion of a computing environment is identified. A particular scan engine, in a plurality of scan engines, is identified that is adapted to perform at least one scan in the particular scan set, each scan engine in the plurality of scan engines adapted to perform one or more scans on one or more host devices in the computing environment. A request is sent to the particular scan engine to perform the at least one scan in the particular scan set and scan result data is received from the particular scan engine corresponding to the at least one scan in the particular scan set. | 10-10-2013 |
20130269029 | UNIFIED SCAN ENGINE - A scan engine receives a request to perform a particular scan on at least a portion of a computing environment. The scan engine identifies a particular language interpreter in a set of available language interpreters for use in performing the particular scan and performs the particular scan using the particular language interpreter. The scan engine returns results of the particular scan. In some implementations, the scan engine is implemented on an agent enabling communication between the scan engine and an asset management system. | 10-10-2013 |
20130269030 | DETECTION OF UNEXPECTED SERVER OPERATION THROUGH PHYSICAL ATTRIBUTE MONITORING - Technologies are generally presented for identifying inconsistent usage of computing devices in a multiple computing device environment. When software or hardware are compromised or faulty, the results of self-monitoring may be unreliable for determining inconsistent usage arising from a security breach, a hardware fault, or a software error. Computing devices may be independently monitored for physical attributes, such as temperature, vibration, emitted noise, etc., and such attributes may be compared to expected values based on computing load, network load, or the like. When the monitored and expected physical attribute values differ or conflict, possible inconsistent usage may be identified so that appropriate measures may be taken to rectify the situation. | 10-10-2013 |
20130269031 | NETWORK SYSTEM, NETWORK RELAY METHOD, AND NETWORK RELAY DEVICE - A history management unit within a discard determination unit manages transmission and reception packets related to a resource to be protected for each of users, and records communication history information for users high in use frequency through stateful measurement. A priority determination unit determines the priority of a communication on a per received packet basis on the basis of communication history information. A load determination unit determines a load level of the resource to be protected, and combines the load level with the priority of the communication determined on the per received packet basis. A discard rate determination unit and a packet discard unit implement forwarding processing, determine the priority of the communication on the per user basis, and discard communications low in the priority at a high ratio. | 10-10-2013 |
20130276104 | System, method and computer program product for displaying security actions for undo purposes - A security system, method and computer program product are provided. In use, a plurality of security actions is conducted. The plurality of security actions is further displayed to a user. In addition, a selection of one or more of the security actions is received from the user. Further, the selected one or more security actions are undone. | 10-17-2013 |
20130276105 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETECTING UNWANTED DATA BASED ON AN ANALYSIS OF AN ICON - A system, method, and computer program product are provided for detecting unwanted data based on an analysis of an icon. In use, an icon is analyzed. Furthermore, unwanted data is detected based on the analysis. | 10-17-2013 |
20130276106 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR VERIFYING AN IDENTIFICATION OF PROGRAM INFORMATION AS UNWANTED - A system, method, and computer program product are provided for verifying an identification of program information as unwanted. In use, program information is identified as unwanted at a client. Furthermore, the identification of the program information as unwanted is verified, utilizing a communication between the client and a server. | 10-17-2013 |
20130276107 | BEHAVIORAL TRACKING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UNDOING EVENTS BASED ON USER INPUT - A behavioral tracking system, method, and computer program product are provided for undoing events based on user input. In use, a plurality of unclassified events is identified on a system utilizing behavioral tracking. Additionally, input associated with at least one of the unclassified events is received from a user of the system for classifying the at least one of the unclassified events as an unwanted event. Further, the at least one unwanted event is undone in response to the receipt of the input. | 10-17-2013 |
20130276108 | FLOW DATA FOR SECURITY DATA LOSS PREVENTION - There are techniques for detecting and preventing possible security violations in a computer network. The security violation detection may be based on data attached to transactions as they flow through one or more software applications. A transaction that is processed by a sequence of software components that execute on one or more electronic devices may be traced. Data that is associated with the transaction as the transaction flows through the sequence of software components may be accessed. The accessed data may be analyzed to detect a possible security violation. The accessed data may be compared to one or more pre-defined patterns. The transaction may be intercepted upon detection of a possible security violation. | 10-17-2013 |
20130283373 | TECHNIQUES FOR SEPARATING THE PROCESSING OF CLIENTS' TRAFFIC TO DIFFERENT ZONES - A system and method for separation of traffic processing in a computing farm. The method comprises allocating a first group of computing resources of the computing farm to a trusted zone and a second group of computing resources to an un-trusted zone, wherein the computing resources in the first group are allocated to ensure at least service-level agreements (SLA) guaranteed to a group of trusted clients; determining, based on a plurality of security risk indication parameters, if a client associated with an incoming traffic is a trusted client or an un-trusted client; forwarding the incoming traffic to the second group of computing resources when the client is determined to be an un-trusted client; and diverting the incoming traffic to the first group of computing resources when the client is determined to be a trusted client, thereby ensuring at least the SLA guaranteed to the trusted client. | 10-24-2013 |
20130283374 | TECHNIQUES FOR SEPARATING THE PROCESSING OF CLIENTS' TRAFFIC TO DIFFERENT ZONES IN SOFTWARE DEFINED NETWORKS - A method and system for separation of traffic processing in a software defined network (SDN). The method comprises allocating a first group of computing resources of a computing farm to a trusted zone and a second group of computing resources to an un-trusted zone; assigning the computing resources in the first group to a first ADC and the computing resources in the second group to a second ADC; triggering a zoning mode in the computing farm to mitigate a potential cyber-attack; and causing at least one network element in the SDN to divert traffic from a trusted client to the first group of computing resources and traffic from an un-trusted client to the second group of computing resources based on a plurality of zoning rules implemented by the at least one network element. | 10-24-2013 |
20130283375 | Browser System and Method for Warning Users of Potentially Fraudulent Websites - A user is warned of a potentially fraudulent document, such as a webpage, by a warning message that is overlaid on top of the document and of the browser chrome. The warning message is associated with a warning icon displayed in the browser chrome. The potentially fraudulent document is rendered in the browser such that the links within are not accessible to the user. The rendering may include superimposing an image over the document or rendering a snapshot of the document instead of the document itself. | 10-24-2013 |
20130283376 | SYSTEM AND METHOD FOR SECURITY ANALYSIS BASED ON MULTIPLE PROTOCOLS - A security analysis of data received on a mobile communications device includes gathering information about the data through at least two of multiple network interfaces, each of the at least two network interfaces having different protocols. Based upon the gathering, a first protocol is assigned to the data received from a first of the at least two network interfaces. A second protocol is assigned to the data received from a second of the at least two network interfaces. A common security analysis is performed on at least a part of the data received from each of the first and second network interfaces to determine whether the data received by the mobile communications device is safe or malicious. | 10-24-2013 |
20130291099 | NOTIFICATION SERVICES WITH ANOMALY DETECTION - A system is configured to monitor financial and/or identification inquiries for anomalous behavior; identify anomalous behavior by comparing the financial and/or identification inquiries to historical financial transactions and/or identification information; send a notification to a mobile device when anomalous behavior is identified for a user of the mobile device; and receive a signal from the mobile device approving, denying, or requesting more information about the anomalous behavior. | 10-31-2013 |
20130291100 | Detection And Prevention Of Machine-To-Machine Hijacking Attacks - An example method includes receiving at a network node a packet destined for an intended destination. The network node determines whether the packet is associated with a machine-to-machine communication. The network node determines whether forwarding of the packet to the intended destination is prohibited, wherein forwarding of the packet is prohibited when the packet is originated from a first machine-to-machine device and is destined to a first host other than a machine-to-machine server associated with machine-to-machine communications. The network node forwards the packet to the intended destination when forwarding the packet is not prohibited. | 10-31-2013 |
20130291101 | DETECTING AND BLOCKING DOMAIN NAME SYSTEM CACHE POISONING ATTACKS - Concepts and technologies for detecting and blocking Domain Name System (“DNS”) cache poisoning attacks are provided. An inline detector and blocker apparatus implements a detection algorithm to monitor DNS response packets and detects a DNS cache poisoning attack utilizing the detection algorithm. The inline detector and blocker apparatus detects the DNS cache poisoning attack by receiving a DNS response packet and determining that the response packet includes poison data. The poison data may be included within an additional section of the response packet and/or an answer section of the response packet. As appropriate, the inline detector and blocker apparatus removes the additional section and/or the answer section of the response packet to effectively block the poison data from being cached by a DNS caching resolver. | 10-31-2013 |
20130291102 | Rendered Image Collection of Potentially Malicious Web Pages - Techniques are described which may provide a rendered image of a website from a potentially malicious party. In an implementation, a rendered image is collected of a web page that is identified as potentially malicious from a frame buffer. A communication is then formed to be communicated over a network that includes the collected image. | 10-31-2013 |
20130291103 | System and Method for Run-Time Attack Prevention - Preventing attacks on a computer at run-time. Content that is configured to access at least one function of a computer is received by the computer. Protections corresponding to the function are added to the content, wherein the protections override the function. The content and the protections are then transmitted to the computer. The function may expose a vulnerability of the computer, and arguments passed to the function may exploit that vulnerability. The protections are executed when the content is executed, and determine whether the arguments the content passed into the function represent a threat. In response to determining that the arguments represent a threat, execution of the content is terminated without executing the function. | 10-31-2013 |
20130291104 | File Transfer Method and Device - Embodiments of the present invention provide a file transfer method. A file is received and cached from a sending device. At least one data packet is sent to a receiving device at a preset interval to maintain a data connection between the sending device and the receiving device. The file is detected after the file is cached to determine whether the file has a security risk. The cached file is sent to the receiving device if the file has no security risk. | 10-31-2013 |
20130291105 | METHOD, APPARATUS, AND COMPUTER PROGRAM PRODUCT FOR MANAGING UNWANTED TRAFFIC IN A WIRELESS NETWORK - Various methods for unwanted traffic control in a wireless network are provided. One example method may include detecting an occurrence of unwanted content as indicated by receipt of a complaint about a content item provided by a source device, wherein the complaint may be received from a remote mobile device or generated locally based on a local detection. The example method may further include determining a trust value for the source device based at least on the complaint, determining that the source device is a distrusted device based at least on a comparison between the trust value and a trust threshold value, and causing traffic from the source device to be controlled as unwanted traffic. Similar and related example methods, example apparatuses, and example computer program products are also provided. | 10-31-2013 |
20130298227 | SYSTEMS AND METHODS FOR IMPLEMENTING MOVING TARGET TECHNOLOGY IN LEGACY HARDWARE | 11-07-2013 |
20130298228 | ROUTER FOR COMMUNICATING DATA IN A DYNAMIC COMPUTER NETWORK - A router and methods for its use are disclosed. The router includes input and output circuitry for receiving and routing data packets to computing devices connected to the network. The router also includes a memory configured to store a number of tables relating the destinations of particular packets with routes for the packets to follow. The router is capable of correctly routing data packets which specify false identity parameters. The router is also capable of dynamically varying routing protocols used to route data packets. The router is also capable of routing data packets to one of a number of output ports based on a comparison of at least one of the identity parameters that specifies false information to a table stored in the router's memory. | 11-07-2013 |
20130298229 | ENTERPRISE SECURITY MANAGER REMEDIATOR - Methods, computer readable media, and apparatuses for remediating violations associated with files on one or more servers are disclosed. A violation list including one or more violations associated with one or more files on one or more servers may be received. A type of violation for each of the one or more violations may be determined. A severity may be associated with each of the violations. A fix may be identified for each of the one or more violations and each of the one or more violations may be fixed using the identified fix. The violations may be fixed in order of the associated severity. | 11-07-2013 |
20130298230 | SYSTEMS AND METHODS FOR NETWORK FLOW REMEDIATION BASED ON RISK CORRELATION - Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Methods and systems are disclosed for network flow and device/platform remediation in response to reconnaissance-based intelligence correlation based on network monitoring, to accomplish network flow remediation and device/platform remediation. In an embodiment, a system receives system warnings and endpoint threat intelligence. The system correlates risk based on inputs from sensory inputs that monitor network activity, system configuration, resource utilization, and device integrity. The system then performs a calculus of risk on a global security context including endpoint assessment reports and sends system warnings based upon the endpoint threat intelligence. The system includes a remediation engine for receiving real time directives to control the device. | 11-07-2013 |
20130298231 | METHOD AND DEVICE FOR DATA TRANSMISSION - Embodiments of the present disclosure provide a method and a device for data transmission. In the method, a network layer communication entity of a receiving device receives an IP packet from a sending device, where a header of the IP packet carries a random value corresponding to the sending device. The receiving device decapsulates the IP packet and obtains the random value carried in the header of the IP packet. The receiving device sends the random value to a transport layer communication entity of the receiving device so that the transport layer communication entity of the receiving device verifies the random value. The receiving device in embodiments of the present disclosure includes a receiving module, an obtaining module, and a verifying module. | 11-07-2013 |
20130298232 | MESSAGING SECURITY DEVICE - In one embodiment, a system can comprise an interface that receives data related to a communication session and a messaging security device component that evaluates the data and enables a security measure for preventative monitoring of a threat based on the evaluation, the security measure can be universally applied to two or more messaging formats. | 11-07-2013 |
20130298233 | WEB PAGE FALSIFICATION DETECTION APPARATUS AND STORAGE MEDIUM - In a Web page falsification detection apparatus according to one embodiment, a dynamic information falsification determination module determines whether extracted dynamic information corresponds to dynamic characteristic information, and extracts a plurality of static information items. A second generation module couples the extracted static information items and generates second static characteristic information. A static information falsification determination module determines whether first static characteristic information matches the generated second static characteristic information, and transmits the Web page information to a user terminal. | 11-07-2013 |
20130298234 | METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE - A method that protects computer data from untrusted programs. Each of the computer's objects and processes is assigned trust attributes, which define the way it can interact with other objects within the system. When an object is classified as untrusted, it can interact with other objects within the system only on a limited basis. A virtualized system is provided on the computer so that when the untrusted object attempts to perform an operation that is outside its scope of authorization, the virtualized system intercepts the operation but presents the untrusted program with an indication that the requested operation has been performed. The method further includes processes to securely move a program from an untrusted group to a trusted group. | 11-07-2013 |
20130305356 | SYSTEM AND METHOD FOR DETERMINING A RISK ROOT CAUSE - A system and method for determining a risk root cause are provided. First and second fraud-related risk scores, respectively associated with first and second nodes, may be determined. A relation strength value related to at least one relation between the first and second nodes may be determined. The relation strength value and the first and second node risk scores may be used to calculate a cluster risk score for a cluster including the first and second nodes. Other embodiments are described and claimed. | 11-14-2013 |
20130305357 | Context Aware Network Security Monitoring for Threat Detection - The disclosed method involves monitoring behavior of at least one node, associated with at least one user, in a network to generate a behavior profile for the user(s). The method further involves comparing the behavior profile for at least one user with a baseline behavior profile for the user(s). Also, the method involves determining when there is a difference between the behavior profile for at least one user and the baseline behavior profile for the user(s). Further, the method involves flagging an event associated with the difference: when the difference exceeds a baseline threshold level, does not exceed a baseline threshold level, meets at least one criterion, and/or does not meet at least one criterion. Additionally, the method involves classifying the event to an event classification. Further, the method involves transmitting the event to at least one other node in the network and/or a network operations center. | 11-14-2013 |
20130305358 | Minimizing Latency of Behavioral Analysis Using Signature Caches - The various aspects include methods, systems, and devices configured to make use of caching techniques and behavior signature caches to improve processor performance and/or reduce the amount of power consumed by the computing device by reducing analyzer latency. The signature caching system may be configured to adapt to rapid and frequent changes in behavioral specifications and models and provide a multi-fold improvement in the scalability of behavioral analysis operations performed on the mobile device. | 11-14-2013 |
20130305359 | Adaptive Observation of Behavioral Features on a Heterogeneous Platform - Methods, devices and systems for monitoring behaviors of a mobile computing device include observing in a non-master processing core a portion of a mobile device behavior that is relevant to the non-master processing core, generating a behavior signature that describes the observed portion of the mobile device behavior, and sending the generated behavior signature to a master processing core. The master processing core combines two or more behavior signatures received from the non-master processing cores to generate a global behavior vector, which may be used by an analyzer module to determine whether a distributed software application is benign or not benign. | 11-14-2013 |
20130305360 | DETECTING METHOD AND DEVICE - A detecting method includes: receiving a text information mail including text information, first verification information on the text information, first verification information of attached information which is attached to the text information, and an attached information mail including the attached information, first verification information of the text information, and first verification information of the attached information from a transmission source; generating second verification information of the text information, and second verification information of the attached information, based on shared information which is shared with the transmission source, and an algorithm; and detecting a spoof, based on a comparison result of the first verification information of the text information and the second verification information of the text information, and a comparison result of the first verification information of the attached information and the second verification information of the attached information. | 11-14-2013 |
20130305361 | PROTECTION OF A PRIME NUMBER GENERATION AGAINST SIDE-CHANNEL ATTACKS - A method for protecting the generation, by an electronic circuit, of at least one prime number by testing the primality of successive candidate numbers, including for each candidate number tests of primality with respect to prime numbers of at least one set of consecutive prime numbers, wherein the order of application of the tests is modified at least from one prime number generation to another. | 11-14-2013 |
20130305362 | Mitigating Threats in a Network - Mitigating threats in a network includes receiving a message at a network device. The message includes device-independent parameters generated in response to a threat. The network device converts the parameters into one or more device-specific operations and then performs the operations to mitigate the threat. | 11-14-2013 |
20130305363 | METHOD, SYSTEM, AND STORAGE MEDIUM FOR ADAPTIVE MONITORING AND FILTERING TRAFFIC TO AND FROM SOCIAL NETWORKING SITES - Embodiments disclosed herein provide a system, method, and computer readable storage medium storing computer instructions for implementing a Socialware architecture encompassing a suite of applications for continuously and adaptively monitoring and filtering traffic to and from social networking sites, particularly useful in an enterprise computing environment. In some embodiments, an appliance may be coupled to a proxy server for providing a plurality of Socialware services, including analyzing, logging, and reporting on traffic to and from social networking sites. Some embodiments may allow a user to report, identify, and prevent malicious and potentially malicious content and/or activity by another user. Some embodiments may encrypt outgoing traffic to and decrypt incoming traffic from social networking sites. Some embodiments may allow an enterprise user to define and restrict certain social networking activities outside of the enterprise computing environment. | 11-14-2013 |
20130305364 | Techniques for Attesting Data Processing Systems - A technique for attesting a plurality of data processing systems includes generating a logical grouping for a data processing system. The logical grouping is associated with a rule that describes a condition that must be met in order for the data processing system to be considered trusted. A list of one or more children associated with the logical grouping is retrieved. The one or more children are attested to determine whether each of the one or more children is trusted. In response to the attesting, the rule is applied to determine whether the condition has been met in order for the data processing system to be considered trusted. A plurality of logical groupings is associated to determine whether an associated plurality of data processing systems can be considered trusted. | 11-14-2013 |
20130312092 | SYSTEM AND METHOD FOR FORENSIC CYBER ADVERSARY PROFILING, ATTRIBUTION AND ATTACK IDENTIFICATION - A system and method are provided for identifying and analyzing cyber-attacks and profiling adversaries responsible for such attacks. The system and method allow for the quantitative measurement of adversary attack behavior. The system and method are able to extract quantitative data from raw attack data and compare the quantitative data to a database of quantifiable metrics associated with known adversaries. This allows for the possible linking of a cyber-attack to a known adversary or known adversary behavior. | 11-21-2013 |
20130312093 | Foiling a Document Exploit Attack - A method of foiling a document exploit type attack on a computer, where the attack attempts to extract malware code from within a document stored on the computer. The method includes monitoring the computer in order to detect repeated function calls made by a given process in respect of the same function but different file descriptors; and in the event that such repeated function calls are detected or the number of such repeated function calls exceeds some threshold, terminating the process that initiated the function calls. | 11-21-2013 |
20130318600 | Reporting and Management of Computer Systems and Data Sources - A system and method are provided for managing data, such as for example security or other business data. For the example of security data, security data is received from a plurality of assets that may or may not be remotely located. A plurality of security metrics are computed and normalized according to thresholds. Security metrics are aggregated to generate an aggregate score; this may include weighting the metrics according to metric priorities. A change effort corresponding to each metric is also received and a corresponding change effort for the aggregate score is calculated. Aggregate scores and aggregate change efforts are analyzed to generate risk reduction recommendations. Upon instruction, metrics corresponding to an aggregate score may be displayed, including recommendations of metrics for risk reduction. The recommended metrics may be selected according to analysis of change-to-effort ratios for the metrics. | 11-28-2013 |
20130318601 | METHOD AND SYSTEM FOR REAL TIME CLASSIFICATION OF EVENTS IN COMPUTER INTEGRITY SYSTEM - A method and system using a designated known secure computer for real time classification of change events in a computer integrity system are disclosed. In the embodiment of the invention, the known secure computer, having only an inbound connection, is dedicated to providing permissible change events, which are compared with change events generated on client operational computers. An alert is generated when the change event at the client operational computer and the respective permissible change event provided by the known secure computer mismatch. | 11-28-2013 |
20130318602 | DOMAIN NAME SYSTEM SECURITY EXTENSIONS (DNSSEC) FOR GLOBAL SERVER LOAD BALANCING - Techniques are provided to enable a network device, such as a switch, to perform global server load balancing (GSLB) while operating as a proxy to a domain name system security extensions (DNSSEC)-capable authoritative DNS server. The network device preserves an original signature generated by the DNSSEC-capable authoritative DNS server for a resource record set contained in a DNSSEC reply. | 11-28-2013 |
20130318603 | SECURITY THREAT DETECTION BASED ON INDICATIONS IN BIG DATA OF ACCESS TO NEWLY REGISTERED DOMAINS - Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain name. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name. | 11-28-2013 |
20130318604 | BLACKLISTING AND WHITELISTING OF SECURITY-RELATED EVENTS - A disclosed computer-implemented method includes receiving and indexing raw data. Indexing includes dividing the raw data into time-stamped searchable events that include information relating to computer or network security. The indexed data is stored in an indexed data store, and values are extracted from a field in the indexed data using a schema. The extracted field values are searched for the security information, and a group of security events is determined using the security information. Each security event includes a field value specified by a criterion. A graphical interface (GI) is presented that includes a summary of the group of security events, other summaries of security events, and a remove element associated with the summary. Input corresponding to an interaction with the remove element is received; interacting with the remove element causes the summary to be removed from the GI, and the GI is updated to remove the summary. | 11-28-2013 |
20130326616 | Internet Monitoring and Alerting System - A monitoring and alerting system for detecting a disruptive event on the Internet includes a data collection and wrapping module configured to process input data that includes messages produced by a network routing protocol, including a live stream of messages on the network, historical dumps of the messages to a computer's file system, or both. An automated analysis engine includes analysis modules configured to analyze routing information and selected Internet behaviors from the input data. User output includes automated alerts to the user and an interactive analysis module. The analysis modules include a probabilistic origin hijack analysis module; a probabilistic route hijack analysis module; a Hidden Markov Model analysis module; a tensor decomposition and analysis module and a static topology analysis module; and a dynamic topology analysis module. | 12-05-2013 |
20130326617 | CLICKJACKING PROTECTION - A clickjacking protector in an electronic system helps prevent unwanted clickjacking. The elements clicked on by the click position are evaluated to determine whether any of the elements clicked on by the click position is obscured (including being transparent or partially transparent). A protective action is generated in response to a determination that an element clicked on by the click position is obscured. | 12-05-2013 |
20130326618 | SYSTEMS, METHODS AND MEDIA FOR MANAGING PROCESS IMAGE HIJACKS - Disclosed is a method of checking the authenticity of an executable process including at least one section. The method includes, when an initial thread of the executable process is created in a suspended state, mapping from storage a copy of the executable process into a spare memory area, where it will not be executed. The method also includes comparing a header of a first section of the executable process with a header of a first section of the copy. The method further includes terminating the executable process when the header of the first section of the executable process and the header of the first section of the copy are not identical. | 12-05-2013 |
20130326619 | MANAGING PROCESS IMAGE HIJACKS - In some embodiments, a method includes storing, at a first time, a copy of an executable process at a memory area if an initial thread of the executable process is defined in a suspended state such that the copy of the executable process is not executed at the memory area. The executable process can be maintained at a storage different from the memory area. The method also includes comparing, at a second time after the first time, a header of a section of the executable process with a header of a section of the copy of the executable process. The method further includes determining not to execute the executable process if the header of the section of the executable process is different from the header of the section of the copy of the executable process. | 12-05-2013 |
20130326620 | INVESTIGATIVE AND DYNAMIC DETECTION OF POTENTIAL SECURITY-THREAT INDICATORS FROM EVENTS IN BIG DATA - A metric value is determined for each event in a set of events that characterizes a computational communication or object. For example, a metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population's center (e.g., within a distribution tail). Application of the criterion to metric values produces a subset. A representation of the subset is presented in an interactive dashboard. The representation can include unique values in the subset and counts of corresponding event occurrences. Clients can select particular elements in the representation to cause more detail to be presented with respect to individual events corresponding to specific values in the subset. Thus, clients can use their knowledge of system operations and their observation of value frequencies and underlying events to identify anomalous metric values and potential security threats. | 12-05-2013 |
20130326621 | METHOD AND SYSTEM FOR DYNAMIC PROTOCOL DECODING AND ANALYSIS - A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data. | 12-05-2013 |
20130333026 | MALICIOUS MESSAGE DETECTION AND PROCESSING - Malicious message detection and processing systems and methods are provided herein. According to some embodiments, the messages are emails and the method for processing emails may be facilitated by way of an intermediary node which may be cloud-based. The intermediary node may be communicatively couplable with an email client and an email server. The intermediary node may execute a method that includes analyzing a link included in an email to determine if the link is associated with a potentially malicious resource, and replacing the link with an alternate link to a trusted resource if the link is associated with a potentially malicious resource. | 12-12-2013 |
20130333027 | DYNAMIC RIGHTS ASSIGNMENT - In a first embodiment of the present invention, a method for blocking malicious software in an operating system, comprising: receiving a command to open a file; determining a file association for the file, wherein the file association points to a dynamic rights assignment module; evaluating what process issued the command to open the file; determining if the process that issued the command to open the file is known to be safe; when it is determined that the process that issued the command to open the file is not known to be safe, prompting a user whether to run in protected mode; when the user indicates that protected mode should be run, creating a temporary user of the operating system; and running a program associated with the file association for the file, as the temporary user. | 12-12-2013 |
20130333028 | Dashboards for Displaying Threat Insight Information - Dashboards for displaying threat insight information are provided herein, as well as systems and methods for generating the same. According to some embodiments, methods for providing a threat dashboard may include locating metrics regarding a malicious attack against a targeted resource, where the metrics indicate instances where users were exposed to the malicious attack or instances where a cloud-based threat detection system prevented the user from being exposed to the malicious attack. The method may also include rendering a threat dashboard for a web browser application of a client device, where the threat dashboard includes the located metrics. | 12-12-2013 |
20130333029 | TECHNIQUES FOR TRAFFIC DIVERSION IN SOFTWARE DEFINED NETWORKS FOR MITIGATING DENIAL OF SERVICE ATTACKS - A method for mitigating denial of service (DoS) attacks in a software defined network (SDN). The method comprises receiving a DoS attack indication performed against at least one destination server; programming each network element in the SDN to forward a packet based on a diversion value designated in a packet diversion field, upon reception of the DoS attack indication; instructing at least one peer network element in the SDN to mark a diversion field in each packet in the incoming traffic addressed to the destination server to allow diversion of the packet to a security server; and instructing edge network elements in the SDN to unmark the diversion field of each packet output by the security server, wherein each network element in the SDN is programmed to forward the unmarked packets processed by the security server to the at least one destination server. | 12-12-2013 |
20130333030 | VERIFYING SOURCE OF EMAIL - A system is configured to generate an email with a main hyperlink and a verification hyperlink; transmit the email to an email account of a user; receive an indication of a selection of the verification hyperlink; and transmit a confirmation message to a recipient device of the user when the verification hyperlink is selected. | 12-12-2013 |
20130333031 | DYNAMIC CODE INSERTION AND REMOVAL FOR STATIC ANALYSIS BASED SANDBOXES - Methods and apparatus for dynamically adding new code to, and deleting it from, a previously validated application executing in a secured runtime. New code is written to a portion of secured memory not executable by the application. The new code is validated to ensure it cannot directly call the operating system, address memory outside of the secured memory, or modify the secured memory state. Indirect branch instructions may only target addresses aligned on fixed-size boundaries within the secured memory. Validated code is copied to a portion of secured memory executable by the application in a two-stage process that ensures partially copied segments cannot be executed. Validated new code can be deleted once all threads reach a safe execution point, provided the code was previously inserted as a unit or contains no internal targets that can be called by code not also being deleted. | 12-12-2013 |
20130340074 | MANAGING SOFTWARE PATCH INSTALLATIONS - A computer hardware-implemented method, system, and/or computer program product manages software patches. A computer monitoring hardware system receives a notification of a new release of a software patch. The computer monitoring hardware system scores a security posture of a monitored computer system to generate a security posture value based on a set of computer system parameters for the monitored computer system. In response to patch control logic within the computer monitoring hardware system determining that the monitored computer system is authorized to install the software patch and that the security posture value exceeds a predetermined value, the computer monitoring hardware system retrieves and installs the software patch in the monitored computer system. | 12-19-2013 |
20130340075 | ENHANCED DATA PROTECTION FOR MESSAGE VOLUMES - In a message replication environment, instances of a message volume are hosted by message systems. Each message system exchanges condition information with the other message systems indicative of the health of the volume instance hosted by the message system. Each message system then determines independently from the other message systems whether or not the message volume is sufficiently protected. In the event that the message volume is insufficiently protected, a protection action can be initiated. | 12-19-2013 |
20130347103 | PACKET CAPTURE FOR ERROR TRACKING - A method of tracking network traffic anomalies in a computing system, comprises receiving an ingress network packet at a configurable logic device (CLD), associating a timestamp with the packet, identifying at least one anomaly based on the contents of the packet, and storing the anomalous packet and the timestamp in a persistent memory. | 12-26-2013 |
20130347104 | ANALYZING EXECUTABLE BINARY CODE WITHOUT DETECTION - Analysis of executable binary code is performed without detection by defensive elements embedded within the executable binary code or within a system in which the executable binary code is executing. An identified suspect executable file is disassembled. Static and dynamic analysis is performed on the binary code of the disassembled executable file. An anti-anti-debugging function is implemented by executing program call functions in a manner which avoids detection of a debugging program by the defensive elements embedded within the executable binary code of the anti-debugging function of the executable binary code, thereby avoiding detection by the source of the suspect executable file. | 12-26-2013 |
20130347105 | METHOD AND DEVICE FOR COUNTERING FINGERPRINT FORGERY ATTACKS IN A COMMUNICATION SYSTEM - A method and a fingerprinting device for countering fingerprint forgery in a communication system. The fingerprinting device obtains and stores a reference fingerprint for a client device, generates and transmits decoy traffic that appears to originate from the client device, the decoy traffic having different fingerprinting properties than real traffic from the client device, generates a fingerprint for non-decoy traffic purportedly from the client device, and compares the generated fingerprint with a reference fingerprint. A forged fingerprint is detected if there is a mismatch. The decoy traffic preferably comprises frames to which no response is needed. The invention is particularly suited for 802.11 using fingerprints based on duration fields of received frames and the decoy traffic is then preferably probe request frames and null data frames. | 12-26-2013 |
20130347106 | SYSTEM AND METHOD OF FRAUD AND MISUSE DETECTION USING EVENT LOGS - A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A hit is stored if the event has occurred and a notification can be provided if the event has occurred. A compilation of hits related to the rule can be provided. | 12-26-2013 |
20130347107 | SYSTEM AND METHOD FOR AUTOMATED POLICY AUDIT AND REMEDIATION MANAGEMENT - A prevention-based network auditing system includes a central compliance server providing a user interface allowing a user to schedule and configure a network audit. The configured audit is stored in an audit repository until its scheduled time. At such a time, the compliance server automatically invokes one or more audit servers to gather information about the network. The compliance server receives the gathered information and electronically applies a network policy to the information for determining compliance with the policy. A remediation task may be generated if the policy has been violated, and the task monitored until its completion. | 12-26-2013 |
20130347108 | REPUTATION-BASED METHOD AND SYSTEM FOR DETERMINING A LIKELIHOOD THAT A MESSAGE IS UNDESIRED - A system and method for providing a reputation service for use in messaging environments employs a reputation of compiled statistics, representing whether SPAM messages have previously been received from each of a selected set of identifiers for the origin of the message, in a decision making process for newly received messages. In a preferred embodiment, the set of identifiers includes the IP address, a tuple of the domain and IP address, and a tuple of the user and IP address; the set of identifiers allows for a relatively fine grained set of reputation metrics to be compiled and used when making a determination of the likelihood that a received message is undesired in accordance with the invention. | 12-26-2013 |
20140007228 | SYSTEM AND METHOD FOR PREVENTION OF MALWARE ATTACKS ON DATA | 01-02-2014 |
20140007229 | SYSTEM AND METHOD FOR IDENTIFYING INSTALLED SOFTWARE PRODUCTS | 01-02-2014 |
20140007230 | METHOD, SYSTEM, AND DEVICE FOR SECURELY HANDLING VIRTUAL FUNCTION DRIVER COMMUNICATIONS WITH A PHYSICAL FUNCTION DRIVER | 01-02-2014 |
20140007231 | SWITCH ROUTE EXPLORING METHOD, SYSTEM AND DEVICE | 01-02-2014 |
20140007232 | METHOD AND APPARATUS TO DETECT AND BLOCK UNAUTHORIZED MAC ADDRESS BY VIRTUAL MACHINE AWARE NETWORK SWITCHES | 01-02-2014 |
20140007233 | SYSTEM AND METHOD FOR REAL TIME DATA AWARENESS | 01-02-2014 |
20140013425 | METHOD AND APPARATUS FOR DIFFERENTIAL POWER ANALYSIS PROTECTION - This disclosure provides techniques for processing an input signal while providing protection from differential power analysis. In one example, random delay units may receive the input signal, a random delay generator may generate random delay values, and the random delay units may add the random delay values to the input signal to generate delayed signals, such that each delayed signal is substantially desynchronized relative to one or more other delayed signals. Subsequently, processing units may process the delayed signals to generate delayed output signals, and random delay removal units may add additional delay values to the delayed output signals, such that each delayed output signal is substantially synchronized relative to other delayed output signals, to produce output signals. Finally, a combination unit may combine the output signals to generate a common output signal that corresponds to the input signal that is processed by any one of the processing units. | 01-09-2014 |
20140013426 | PROVIDING CONSISTENT SECURITY INFORMATION - A method for providing consistent security information between multiple applications is described herein. The method includes detecting potentially deceptive content from a communication application in a browser application. The method also includes generating consistent security information for the potentially deceptive content with the browser application. Additionally, the method includes sending the consistent security information for the potentially deceptive content to the communication application. Furthermore, the method includes providing a warning based on the consistent security information to the communication application. | 01-09-2014 |
20140013427 | System And Method Providing Dependency Networks Throughout Applications For Attack Resistance - A method and system is provided to automatically propagate dependencies from one part of a software application to another previously unrelated part. Propagation of essential code functionality and data to other parts of the program serves to augment common arithmetic functions with Mixed Boolean Arithmetic (MBA) formulae that are bound to pre-existing parts of the program. A software application is first analyzed on a compiler level to determine the program properties which hold in the program. Thereafter, conditions are constructed based on these properties and encoded in formulae that encode the condition in data and operations. Real dependencies throughout the application are therefore created such that if a dependency is broken the program will no longer function correctly. | 01-09-2014 |
20140013428 | APPARATUS AND METHOD FOR MANAGING OPERATION OF A MOBILE DEVICE - A power charger includes a first storage area to store control software, a charging circuit to send power through an interface, and a processor to generate at least one control signal based on the control software. The power to be sent through the interface is to charge a battery of a device coupled to the interface, and the at least one control signal includes information to cause a monitoring operation to be performed to determine a status of the device. | 01-09-2014 |
20140013429 | METHOD FOR PROCESSING AN OPERATING APPLICATION PROGRAM AND DEVICE FOR THE SAME - A method for processing an operating application program and a device for the same are disclosed in the embodiment of the present disclosure. The method includes the following steps: a step of determining a target system call of a target application program when the target application program is initiated, a step of suspending the target system call when receiving a parameter of the target application program, and a step of stopping or continuing the target system call in accordance with the parameter. The device includes a determining module, a suspending module and a processing module. The embodiment of the present disclosure can stop the action before the suspected action is executed without terminating the execution of the application program. Such a method provides instantaneous monitoring and wide-ranging applicability, so that it can be widely used in monitoring suspected application programs and protecting sensitive application programs. | 01-09-2014 |
20140013430 | Native Code Module Security for Arm Instruction Set Architectures - Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction. | 01-09-2014 |
20140020092 | Mitigation of function pointer overwrite attacks - Methods are disclosed for improving security of computer software and preventing potential attackers from gaining control of computer software via function pointer overwrite attacks. One or more additional layers of complexity may be imposed that would have to be circumvented in order to gain execution control over portions of software. One or more function pointers can be encoded using a value that may be generated on program initialization and decoded before any dynamic function call occurs. In the event of memory corruption that affects an encoded function pointer, the value will cause the destination of the function pointer to decode to an invalid and random address and will induce an error. An application may be prevented from calling an attacker-corrupted function pointer by introducing various checks around the call point at compile time that check the validity of the destination to which the function pointer points. | 01-16-2014 |
20140020093 | PRESERVING WEB DOCUMENT INTEGRITY THROUGH WEB TEMPLATE LEARNING - The embodiments provide a runtime validation apparatus including a runtime interceptor configured to intercept a server request for a requested web resource and a response including response data, and an output validation policy identifier configured to identify an output validation policy from a database storing a plurality of output validation policies based on the requested web resource. The identified output validation policy may represent a template that encompasses allowed responses for the requested web resource. The runtime validation apparatus may further include a validation evaluator configured to compare the response data with the template, and a validation controller configured to permit the response to be transmitted if the response data complies with the template and block the response if at least a portion of the response data does not comply with the template. | 01-16-2014 |
20140020094 | COMPUTING ENVIRONMENT SECURITY METHOD AND ELECTRONIC COMPUTING SYSTEM - A computing environment security method is provided. The method includes: a) dissolving an application package to be tested to obtain at least one data set, wherein each data set corresponds to contents with respect to one of a plurality of aspects of the application package; and b) evaluating whether the application package is a repackaged application according to the at least one data set. Step (b) includes: c) for each data set, analyzing a characteristic relationship of the contents with respect to the aspect corresponding to the data set to accordingly generate characteristic data for the data set; and d) determining whether the application package to be tested is a repackaged application package according to the characteristic data of the at least one data set and a search result obtained from a database, wherein the search result corresponds to the characteristic data within a corresponding distance. | 01-16-2014 |
20140020095 | DATA PROCESSING DEVICE AND A SECURE MEMORY DEVICE INCLUDING THE SAME - A data processing device includes a first register unit, a second register unit and a data handling unit. The first register unit generates an address signal based on a first control signal. The address signal points to a region in an external storage device where first data is stored. The second register unit receives the first data output from the external storage device, generates second data based on the first data and a second control signal, and selectively generates a detectable error in the second data according to an operating mode when a fault is injected into the first data. A bit number of the detectable error in the second data is larger than a bit number of the fault injected into the first data. The data handling unit selectively processes the second data depending on whether the detectable error is generated. | 01-16-2014 |
20140020096 | SYSTEM TO PROFILE APPLICATION SOFTWARE - In an example, a system is provided, the system including a mobile device having an instance of an operating system installed thereon and a remote device coupled to the mobile device via a network, the remote device having an instrumented instance of the same operating system installed thereon. The remote device may be configured to install an instance of a new application on the remote device responsive to receiving a signal that originates from the mobile device and is indicative of the new application on the mobile device. The remote device may be configured to run the installed instance and determine whether the remote device performed any operations included in a preset list of operations. | 01-16-2014 |
20140020097 | METHOD OF DETECTING FAULT ATTACK - In a method of detecting a fault attack in a secure memory device, payload data is initialized by determining whether the payload data is consistent. The payload data is stored in a plurality of ephemeral registers included in the secure memory device. A count value included in the payload data is increased by detecting whether a fault is injected in the secure memory device from outside, during a processing operation of secure data, stored in the secure memory device. It is determined whether the fault injected in the secure memory device from the outside is caused by the fault attack based on the count value and a threshold value. | 01-16-2014 |
20140020098 | Method and Vehicle-to-X Communication System for Selectively Checking Data Security Sequences of Received Vehicle-to-X Messages - A method for selectively checking data security sequences of received vehicle-to-X messages, in which a number of the vehicle-to-X messages are received and/or sent in an operating cycle of a vehicle-to-X communication system. In an operating cycle, a reliability assessment of a received vehicle-to-X message is performed by checking the data security sequence; the information content of the received messages is read without prior checking of the data security sequence. In the operating cycle, a subset of the number of received vehicle-to-X messages is selected on the basis of the information contents, and solely the data security sequences of the selected vehicle-to-X messages are checked. This results in the advantage that a reliability assessment is no longer carried out on all the received vehicle-to-X messages before they are processed, thereby enabling a reduction in the checking capacity that must be reserved for checking the data security sequence. | 01-16-2014 |
20140026214 | Method of Securing Non-Native Code - A method to secure a non-native application. The non-native application is processed to obtain an application stub to be triggered within a virtual machine. The processing of the non-native application also provides a native code function upon which the application stub depends. The native code function is part of a trusted module that extends security services from the trusted module to the virtual machine. The trusted module is a native code application that creates a trusted zone as a root of trust extending to the virtual machine by an execution-enabling mechanism between the application stub and the native code function. | 01-23-2014 |
20140026215 | SYSTEM AND METHOD FOR DETECTION OF ABERRANT NETWORK BEHAVIOR BY CLIENTS OF A NETWORK ACCESS GATEWAY - A first network interface coupled to one or more clients. The first network interface analyzes received network communications to determine if a first rule of any of one or more rules corresponds to the received network communications associated with a first client. The network interface updates a first set of statistical information accumulated over a time period associated with the first client responsive to a determination that the first rule corresponds to the network communications. The network interface analyzes the first set of statistical information to determine if aberrant network behavior is occurring with respect to the first client by applying a set of conditions to the first set of statistical information. Each of the set of conditions corresponds to aberrant network behavior and comprises a threshold to be applied to at least a portion of the statistical information. | 01-23-2014 |
20140033304 | METHOD AND APPARATUS FOR PREVENTING AN IDT-BASED SECURITY SANDBOX FROM CAUSING A KERNEL PANIC WHEN USING A CALL GATE - A method and apparatus for preventing an IDT-based security sandbox from causing a kernel panic when using a call gate is disclosed. The method comprises receiving a request from an application to create a secure sandbox, wherein epilog code is mapped into the application upon receiving the request; enabling a call gate, wherein the call gate defines a location of call gate target code for enabling the secure sandbox; executing the epilog code to facilitate an interrupt disable instruction; jumping through the call gate; and enabling the secure sandbox. | 01-30-2014 |
20140033305 | CODE VALIDATION - Methods and apparatus for validating a system include reading protected record data for a section of the system from a secure storage element, and verifying integrity of the section of the system using the record data. The secure storage element independently verifies that all record data and data to be written to the system is valid. | 01-30-2014 |
20140033306 | Method and Apparatus of Identifying User Risk - The present disclosure provides techniques to identify suspicious user logins. These techniques may include acquiring, by a computing device, a routing path associated with a user login based on login information. The computing device may extract current routing characteristic information from the routing path, and identify whether the current user login is suspicious based on the current routing characteristic information. These techniques reduce the influence of IP address changes on user identification as well as errors associated with user identification, and identify geographic positions more accurately. | 01-30-2014 |
20140033307 | SYSTEM AND METHOD TO PROVIDE AUTOMATIC CLASSIFICATION OF PHISHING SITES - A phishing classification model that detects a phishing website based on one or more feature vectors for the website is provided. The phishing classification model may operate on a server and may further select a website, generate a feature vector for a landing page of the website, create a feature vector for every iframe that is a descendant of the landing page, and derive a final feature vector from the feature vectors of the landing page and the descendant iframe pages. Further, machine learning techniques may be applied to generate, or train, a classification model based upon one or more known phishing websites. Based on the feature vector, the classification modeler may classify a website as either a phishing website or as a non-phishing website. Feedback in the form of human verification may further be incorporated. | 01-30-2014 |
20140041022 | METHOD AND APPARATUS FOR PROVIDING NOTIFICATION OF DETECTED ERROR CONDITIONS IN A NETWORK - Methods for managing a communication session in a communication network are disclosed. For example, a method includes detecting, by a first endpoint comprising at least one processor, an error condition associated with the communication session, sending, by the first endpoint, a notification of the error condition to a second endpoint that is using a transport layer session and receiving, by the first endpoint, a communication from the second endpoint, proposing a response to the error condition. Another method includes receiving, by a first endpoint comprising at least one processor, a notification of an error condition associated with the communication session, selecting, by the first endpoint, a response to the error condition, and sending, by the first endpoint, a communication to a second endpoint that is using a transport layer session, proposing a response to the error condition. | 02-06-2014 |
20140041023 | FLEXIBLE AND SECURE CLICKJACKING PROTECTION MECHANISM - Methods, systems, and computer-readable storage media for preventing a clickjacking attack on a web page. Implementations include inhibiting rendering of content of the web page, receiving a message from an embedding web page, the embedding web page having called the web page, the message including metadata, and determining whether the embedding web page is trusted based on the metadata, wherein rendering of content of the web page remains inhibited if the embedding web page is untrusted, and rendering of content of the web page is executed if the embedding web page is trusted. | 02-06-2014 |
20140041024 | Method and Apparatus for Baiting Phishing Websites - A cyber fraud phish baiting system for baiting a phishing website is disclosed. The cyber fraud phish baiting system is configured to store a plurality of URLs in a database and enter each of the URLs into a browser to view internet resources linked to the URLs. It is configured to scan the internet resources for information requests, obtain information responsive to the information requests from a database, enter responsive information into the information requests, and store the information requests and the responsive information entered into the information requests for each of the URLs. The internet resource may be a phishing website, and fake information is entered into the information requests. | 02-06-2014 |
20140041025 | DEFENDING AGAINST BROWSER ATTACKS - In one example the opening of a primary browser to a URL may be detected, a reference browser may then be opened to the same URL, data input to respective data fields on the primary browser may be copied to respectively corresponding data fields on the reference browser, and security on the primary browser may be evaluated based on, at least, the data copied to the reference browser. | 02-06-2014 |
20140041026 | Hybrid Virtual Machine - A method and system are disclosed for a hybrid virtual machine that allows untrusted software programs to be run securely and with high performance on computers having processors that lack hardware-assisted memory management. Contemporary computer platforms built to enable application developers to deploy software (“apps”) typically employ (a) hardware assisted memory-management and an operating system that “sandboxes” applications' access to hardware peripherals or (b) an interpreted code execution environment that acts as an insulating layer between running application code and the underlying computer hardware, with the environment configured to prevent inappropriate actions. Both contemporary approaches require a processor with a certain base level of performance and/or built-in features, which increases hardware costs. The present invention satisfies the goals of more expensive platforms but is operable on hardware with lesser performance capabilities and/or fewer features. | 02-06-2014 |
20140041027 | SAFE COMMAND EXECUTION AND ERROR RECOVERY FOR STORAGE DEVICES - Techniques for execution of commands securely within a storage device are disclosed. Integrity of a command interpreter is verified before allowing it to execute commands within the storage device. The integrity of the commands can also be checked to safeguard against various threats including, for example, malicious attacks, unintentional errors and defects that can adversely affect stored content and execution. Error recovery techniques can be used to reconstruct the command interpreter and/or commands that are found to be defective. In addition, secure techniques can be used to obtain trusted versions of the command interpreter and/or commands from an authenticated external source. | 02-06-2014 |
20140041028 | System and Method for Assessing Whether a Communication Contains an Attack - Communications can be processed with multiple countermeasures to identify attacks. Each countermeasure can compute a probability of a communication containing an attack and an accompanying confidence score indicating confidence in the probability. Combining the probabilities can produce a composite probability and associated confidence of the communication containing an attack. The composite probability and confidence scores can be produced from a weighted combination of the individual countermeasure probabilities and confidence scores. Weighting factors can be generated or obtained from a database that stores profiles of confirmed attacks. | 02-06-2014 |
20140041029 | METHOD AND SYSTEM FOR PROCESSING WEBSITE ADDRESS RISK DETECTION - Disclosed are a method and a device for processing URL risk detection, which belong to the field of computer technologies. The method comprises: querying a risk type of a URL for detection; querying a configuration file according to the risk type of the URL for detection, to obtain a corresponding risk level and processing policy, the configuration file including a correspondence relation between a risk type, a risk level and the processing policy; and processing the URL for detection according to the risk level and the processing policy. In the present disclosure, the risk level is determined according to the risk type of the URL for detection, and the corresponding processing policy is obtained; different types of URLs are processed according to different risk levels and processing policies, so that URLs having a risk can be intercepted using diversified methods. Moreover, when the risk type is determined by matching data in a pre-created risk database, the risk type of the URL for detection is obtained without the need of binding a URL risk monitoring component; the code is concise and the robustness is strong. | 02-06-2014 |
20140041030 | SYSTEM FOR FINDING CODE IN A DATA FLOW - A code finder system deployed as a software module, a web service or as part of a larger security system, identifies and processes well-formed code sequences. For a data flow that is expected to be free of executable or interpreted code, or free of one or more known styles of executable or interpreted code, the code finder system can protect participants in the communications network. Examples of payload carried by data flows that can be monitored include, but are not limited to, user input data provided as part of interacting with a web application, data files or entities, such as images or videos, and user input data provided as part of interacting with a desktop application. | 02-06-2014 |
20140047538 | STATIC TAINTING ANALYSIS; SYSTEM AND METHOD FOR TAINT ANALYSIS OF COMPUTER PROGRAM CODE - A method is provided to infer taintedness in code expressions encoded in a computer readable device comprising: configuring a computer system to store a representation of a computer program that is to be evaluated in non-transitory storage media; identify within the representation a pointer cast operation; determine whether an identified cast operation involves a cast from a pointer to a raw memory data type to a pointer to a structured data type; determine whether the structured data type cast to is associated with indicia of externalness; designate data addressed by that pointer as tainted; and determine whether data designated as tainted is consumed by an operation in the computer program that acts as a taintedness sink. | 02-13-2014 |
20140047539 | DETERMINING THE LIKELIHOOD OF TRAFFIC BEING LEGITIMATELY RECEIVED AT A PROXY SERVER IN A CLOUD-BASED PROXY SERVICE - Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as a result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server. | 02-13-2014 |
20140047540 | SENTINEL SYSTEM FOR AN ONLINE DEVICE - A Sentinel System For an Online Device (“SOD”) is disclosed that is capable of protecting a computing device from mining and tracking. | 02-13-2014 |
20140047541 | METHOD AND SYSTEM FOR PROTECTING A COMPUTER SYSTEM DURING BOOT OPERATION - A method for protecting a computer system from malicious network traffic is provided using a driver which inspects network packets. A security profile comprising packet inspection rules is compiled and stored on the computer system. During the startup or boot operation of an operating system, the driver loads the compiled security profile and inspects network packets using the inspection rules. | 02-13-2014 |
20140053259 | Security Central Processing Unit Monitoring of On-Chip Conditions - A system includes a security processing unit to monitor inputs from process, voltage and temperature sensors to maintain a security of the system. The security processing unit can operate at a determined clock frequency. A timing path detector can connect with the security processing unit. The timing path detector can monitor a condition near the security processing unit. The timing path detector can switch the clock frequency to a lower frequency before the security processing unit fails from the condition. | 02-20-2014 |
20140053260 | Adaptive Observation of Behavioral Features on a Mobile Device - Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources. | 02-20-2014 |
20140053261 | On-Line Behavioral Analysis Engine in Mobile Device with Multiple Analyzer Model Providers - Methods, systems and devices for generating data models in a client-cloud communication system may include applying machine learning techniques to generate a first family of classifier models that describe a cloud corpus of behavior vectors. Such vectors may be analyzed to identify factors in the first family of classifier models that have the highest probability of enabling a mobile device to better determine whether a mobile device behavior is malicious or benign. Based on this analysis, a second family of classifier models may be generated that identify significantly fewer factors and data points as being relevant for enabling the mobile device to better determine whether the mobile device behavior is malicious or benign based on the determined factors. A mobile device classifier module based on the second family of classifier models may be generated and made available for download by mobile devices, including devices contributing behavior vectors. | 02-20-2014 |
20140053262 | Secure Display for Secure Transactions - A platform may use a central processing unit to run an operating system. Independently of the operating system, in the central processing unit, a hardware controller, such as a manageability engine, may be used to control which window is on the top of the Z-order and thereby control which window is displayed to the user. As a result, in some embodiments, the hardware controller can prevent an interloper or malware from interjecting an illegitimate window over a legitimate window that the user actually desired to access. In addition, a hardware indicator may be provided to assure the user when an accessed website is legitimate. | 02-20-2014 |
20140053263 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR SENDING INFORMATION EXTRACTED FROM A POTENTIALLY UNWANTED DATA SAMPLE TO GENERATE A SIGNATURE - A system, method and computer program product are provided for sending information extracted from a potentially unwanted data sample to generate a signature. In use, information is extracted from a portion of a sample of potentially unwanted data. Further, the information is sent to generate a signature. | 02-20-2014 |
20140053264 | METHOD AND APPARATUS TO PERFORM MULTIPLE PACKET PAYLOADS ANALYSIS - A method and apparatus for identifying data patterns of a file are described herein. In one embodiment, an exemplary process includes, but is not limited to, receiving a data packet of a data stream containing a file segment of a file originated from an external host and destined to a protected host of a local area network (LAN), the file being transmitted via multiple file segments contained in multiple data packets of the data stream, and performing a data pattern analysis on the received data packet to determine whether the received data packet contains a predetermined data pattern, without waiting for a remainder of the data stream to arrive. Other methods and apparatuses are also described. | 02-20-2014 |
20140053265 | SYSTEM AND METHOD FOR CONTINUOUS DEVICE PROFILING - A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network. | 02-20-2014 |
20140053266 | Method and server for discriminating malicious attribute of program - The present disclosure provides a method and a server for discriminating a malicious attribute of a program. The method includes: acquiring action data of a program at a client ( | 02-20-2014 |
20140059678 | ANALYSIS OF NETWORK OPERATION - A network device is configured to receive information from a number of different types of data collection devices. The information may relate to operation of devices in a network and communications in the network. The network device is configured to further analyze the information and determine that an issue exists relating to operation of the network. The network device is configured further to send a message to a policy device based on determining that the issue exists relating to the operation of the network. The policy device may generate or change a rule or policy associated with the operation of the network, based on the message, to instruct one or more other network devices to change the operation of the network. | 02-27-2014 |
20140059679 | SOFTWARE UPDATING APPARATUS, SOFTWARE UPDATING SYSTEM, INVALIDATION METHOD, AND INVALIDATION PROGRAM - The aim is to provide a software update apparatus including an install module group composed of a plurality of install modules. Each of the install modules has a function of receiving, from an external server, a replacement protection control module to be used for updating a protection control module having a function of verifying whether a predetermined application has been tampered with. Each of the install modules simultaneously running is verified by at least another one of the install modules simultaneously running, as to whether the install module has a possibility of performing malicious operations. If any of the install modules is verified as having the possibility of performing the malicious operations, any other one of the install modules that is verified as not having the possibility revokes the install module verified as having the possibility. | 02-27-2014 |
20140059680 | LOCAL SECURE SERVICE PARTITIONS FOR OPERATING SYSTEM SECURITY - Systems and methods provide multiple partitions hosted on an isolation technology such as a hypervisor where at least one of the partitions, a local secure service partition (LSSP), provides security services to other partitions. The service partitions (LSSPs) host those high assurance services that require strict security isolation, where the service can be shared across partitions and accessed even when the user is not connected to a network. The LSSP also can certify the results of any computation using a key signed by a TPM attestation identity key (AIK), or other key held securely by the hypervisor or a service partition. The LSSPs may be configured to provide trusted audit logs, trusted security scans, trusted cryptographic services, trusted compilation and testing, trusted logon services, and the like. | 02-27-2014 |
20140059681 | METHOD AND AN APPARATUS TO PERFORM MULTIPLE PACKET PAYLOADS ANALYSIS - A method and an apparatus to perform multiple packet payload analysis have been disclosed. In one embodiment, the method includes receiving a plurality of data packets, each of the plurality of data packets containing a portion of a data pattern, determining whether each of the plurality of data packets is out of order, and making and storing a local copy of the corresponding data packet if the corresponding data packet is out of order. Other embodiments have been claimed and described. | 02-27-2014 |
20140059682 | Determination of Adaptive Idle Timeout - In various embodiments, a method may be provided comprising: determining an adaptive idle timeout value based on the relationship between the number of established TCP connections to a server and the upper threshold value. | 02-27-2014 |
20140068761 | ABUSE IDENTIFICATION OF FRONT-END BASED SERVICES - Systems and techniques for monitoring, detecting and handling abusive client behavior in data communication to and from a server system are presented. In one embodiment, a method for detecting and handling an abusive client comprises: monitoring communications traffic between said server and said client; testing said traffic for abusive activity substantially in real-time; and if abusive activity has been detected, taking action against said abusive activity within a desired time period. In another embodiment, a server system comprises: a capture module that captures data between said server and a client; a package module that packages said captured data; an analyze data module that detects abusive activity within said captured data; and a recommendations and/or actions module to perform actions in response to said abusive activity. | 03-06-2014 |
20140068762 | DETECTION ARRANGEMENT - There is provided a detection arrangement for detecting an attack on internal signals in a semiconductor device. The detection arrangement comprises a first input terminal, a second input terminal, and a comparison unit. The first input terminal is adapted to receive a first signal indicative of a signal at a first stage of a driver of the semiconductor device, the driver being capable of driving signals internally to the semiconductor device. The second input terminal is adapted to receive a second signal indicative of a signal at a second stage of the driver of the semiconductor device. The comparison unit is adapted to compare the first signal and the second signal and to determine a time period during which the signals are equal, wherein the determined time period is indicative of a potential attack if the determined time period is above a predefined threshold. | 03-06-2014 |
20140068763 | DATA MINING TO IDENTIFY MALICIOUS ACTIVITY - Systems and methods may determine suspicious network traffic. A monitoring system comprising a processor in communication with a network may monitor network traffic to or from an asset associated with the network. The monitoring system may assess the network traffic to determine a source and/or destination for the network traffic and/or content of the network traffic. The monitoring system may determine whether the network traffic is suspicious network traffic based on the assessed source and/or destination and/or content. When the network traffic is determined to be suspicious network traffic, the monitoring system may capture metadata associated with the suspicious network traffic and store the metadata in a database in communication with the processor. When the network traffic is not determined to be suspicious network traffic, the monitoring system may disregard metadata associated with the network traffic. | 03-06-2014 |
20140068764 | METHOD AND SYSTEM FOR PERFORMING SECURITY MONITORING ON FILE DOWNLOADING - The present invention discloses method and system for performing security monitoring on file downloading, and a non-transitory computer-readable medium that stores instructions for performing security monitoring on file downloading. The method includes upon detecting a file downloading operation, performing security detection on a downloaded file to determine whether the downloaded file is secure; if the downloaded file is secure, determining whether a downloading tool adopted when the file is downloaded is instant messenger (IM) software; and if the adopted downloading tool is IM software, modifying a filename extension of the downloaded file to ensure that the downloaded file is capable of being directly opened or run. | 03-06-2014 |
20140075553 | DOMAIN NAME SYSTEM REBINDING ATTACK PROTECTION - A network-enabled electronic system is arranged to determine whether a subsequent DNS request uses a selected domain name of a previous DNS request. A protective action is taken in response to an indication that the subsequent DNS request uses the selected domain name of a previous DNS request. The protective action can include flushing state information that could be used to generate a request using an address that is (maliciously, for example) rebound to the selected domain name. | 03-13-2014 |
20140075554 | SYSTEMS AND METHODS FOR PERFORMING SELECTIVE DEEP PACKET INSPECTION - A computer-implemented method for performing selective deep packet inspection may include 1) identifying a traffic flow that includes a stream of data packets, 2) sampling at least one packet from the stream of data packets, 3) analyzing the sampled packet using a computing resource to determine whether the traffic flow is trustworthy, 4) determining that the traffic flow is trustworthy based on analyzing the sampled packet, and 5) diverting the traffic flow to a hardware accelerator in response to determining that the traffic flow is trustworthy. Various other methods, systems, and computer-readable media are also disclosed. | 03-13-2014 |
20140082724 | METHODS AND APPARATUS TO PROTECT MEMORY REGIONS DURING LOW-POWER STATES - A disclosed example method involves, when transitioning a processor system to a low-power mode, generating at least a first signature based on a data structure storing memory addresses of memory regions to be protected during the low-power mode. During a resume process of the processor system from the low-power mode, at least a second signature is generated based on the data structure storing the memory addresses of the memory regions to be protected during the low-power mode. When the first signature matches the second signature, the processor system resumes from the low-power mode. When the first signature does not match the second signature, an error is generated. | 03-20-2014 |
20140090053 | Internet Protocol Address Distribution Summary - Examples disclosed herein relate to an Internet Protocol address distribution summary. A processor may determine a statistical distribution between at least one portion of bits of Internet Protocol addresses accessing a website and determine a summary value representative of the degree of change within the statistical distribution. The processor may output the summary value. | 03-27-2014 |
20140090054 | System and Method for Detecting Anomalies in Electronic Documents - A system and method are described herein for detecting an anomaly in an electronic document. In a computer system, a detection engine is attached to an application program which processes the electronic document. Function calls to a service provided through an application program interface (API) are intercepted by the detection engine as the application program processes the electronic document. If an entry for the intercepted function call is not present in the detection model, or an entry is present but the argument value does not match the argument value in the detection model, an alert is raised. The detection model is populated by processing a plurality of known good documents, populating the detection model with entries on intercepted good function calls and their argument values. A threshold may be applied to the detection model, removing from the detection model function calls which were observed less than the threshold amount. | 03-27-2014 |
20140090055 | Automated Detection of Harmful Content - This document discloses a solution for automatically detecting malicious content by a computer security routine executed in a processing device. A user input to a social media application is detected by the computer security routine. The user input indicates that a user wants to share content with at least one other user through the social media application. In response, the computer security routine suspends said sharing and performs, before determining whether or not to allow the sharing, a security check for suspiciousness of the contents the user intends to share. | 03-27-2014 |
20140096240 | IDENTIFYING WHETHER AN APPLICATION IS MALICIOUS - Identifying whether a first application is malicious. The first application can be presented for installation on a processing system. The first application can be scanned, via a static analysis implemented by a processor, to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system. When the user interface layout of the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, an alert can be generated indicating that the first application is malicious. | 04-03-2014 |
20140096241 | CLOUD-ASSISTED METHOD AND SERVICE FOR APPLICATION SECURITY VERIFICATION - A method, device, and system for browser-based application security verification is disclosed. A client device requests a browser-based application from a web server. An application security module of the client device intervenes and transmits an application verification request to a cloud service system. The cloud service system retrieves data regarding the security of the application and source from cloud resources and a local database of the cloud server. The cloud service system then uses the data to authenticate the source and verify the security of the browser-based application. The cloud service system provides the client device with a recommendation regarding the security of the browser-based application and updates its local database. The client device may then consider the recommendation in determining whether to download or execute the browser-based application and provide feedback to the cloud service system. The client device may also perform a local security analysis after receiving the cloud service system's recommendation. | 04-03-2014 |
20140096242 | METHOD, SYSTEM AND CLIENT TERMINAL FOR DETECTION OF PHISHING WEBSITES - One aspect of the present invention relates to a method for detecting a phishing website. The method includes acquiring information related to a microblog post containing a uniform resource locator (URL) of a website; analyzing the information related to the microblog post to extract features of the microblog post; calculating credibility of the URL of the website contained in the microblog post according to the extracted features of the microblog post; and determining according to the credibility of the URL of the website whether the URL of the website is a URL of a phishing website. | 04-03-2014 |
20140096243 | ELECTRONIC MESSAGE MANAGER SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR SCANNING AN ELECTRONIC MESSAGE FOR UNWANTED CONTENT AND ASSOCIATED UNWANTED SITES - A system, method, and computer program product are provided for scanning an electronic message for unwanted content and associated unwanted sites in response to a request. In use, a request is received via a network to scan an electronic message prior to opening the electronic message, utilizing an electronic message manager. In addition, the electronic message is scanned for unwanted content and associated unwanted sites, in response to the request. Further, a response to the request is sent via the network. | 04-03-2014 |
20140096244 | USING A DECLARATION OF SECURITY REQUIREMENTS TO DETERMINE WHETHER TO PERMIT APPLICATION OPERATIONS - Provided are a computer program product, system, and method for using a declaration of security requirements to determine whether to permit application operations. A declaration of security requirements indicates actions the application designates to perform with respect to resources in a computer system, wherein a plurality of the indicated actions are indicated for at least two operation modes of the application. A detection is made of whether the application is requesting to perform a requested action with respect to a requested resource in the computer system. A determination is made of a current operation mode of the application comprising one of the at least two operation modes in response to detecting that the application is requesting the requested action. A determination is made as to whether the declaration of security requirements indicates the requested action with the current operation mode. The requested action with respect to the requested resource is allowed to proceed in response to determining that the declaration of security requirements indicates the requested action with respect to the requested resource as indicated with the current operation mode. | 04-03-2014 |
20140101756 | REMEDIATION OF SECURITY VULNERABILITIES IN COMPUTER SOFTWARE - Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations. | 04-10-2014 |
20140101757 | ADAPTIVE INTEGRITY VALIDATION FOR PORTABLE INFORMATION HANDLING SYSTEMS - Portable information handling systems dynamically allocate resources to anti-malware functions based upon available resources and threat status. Dynamic allocation of resources to anti-malware functions provides a timely and targeted response to specific threats with resources dedicated based upon availability and the impact on other information handling system functions. An adaptive mobile integrity validation system interfaces with plural portable information handling systems to selectively update anti-malware settings as threats emerge. | 04-10-2014 |
20140101758 | SERVER WITH MECHANISM FOR REDUCING INTERNAL RESOURCES ASSOCIATED WITH A SELECTED CLIENT CONNECTION - According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use, and the server is able to free resources such as memory and processing cycles previously allocated to the connection. In some cases, the server maintains the connection for at least some time and uses it to keep the client occupied so that it cannot launch—or has fewer resources to launch—further attacks, and possibly to gather information about the attacking client. | 04-10-2014 |
20140101759 | METHOD AND SYSTEM FOR DETECTING MALWARE - A system and method of analysis. NX domain names are collected from an asset in a real network. The NX domain names are domain names that are not registered. The real network NX domain names are utilized to create testing vectors. The testing vectors are classified as benign vectors or malicious vectors based on training vectors. The asset is then classified as infected if the NX testing vector created from the real network NX domain names is classified as a malicious vector. | 04-10-2014 |
20140101760 | DAD-NS TRIGGERED ADDRESS RESOLUTION FOR DOS ATTACK PROTECTION - A first network element that receives an appropriation message from a second network element that indicates a target address which the second network element intends to appropriate for its use. In response to the appropriation message, the first network element broadcasts a discovery message to a plurality of network elements on the network to request a link-layer address in association with the first target address. The first network element receives a discovery response from the second network element with the first target address and the link-layer address of the second network element. Then the first network element updates a neighbor cache to include a pre-cached neighbor cache entry associating the link-layer address to the first target address. This prevents one or more future neighbor cache misses associated with the first target address. | 04-10-2014 |
20140109222 | Method and System for Performing Scanning and Killing on Browser Bookmarks - The present invention discloses a method and a system for performing scanning and killing on browser bookmarks, the method comprising: receiving, by a browser background server, a synchronization request that includes a user account and bookmark web addresses from a browser client; storing, by the browser background server, the bookmark web addresses correspondingly to the user account; and receiving a cloud scanning and killing instruction that includes the user account from the browser client, performing risk scanning and killing on the bookmark web addresses which the user account corresponds to, determining a risky web address, and feeding back a scanning and killing result that includes the risky web address to the browser client, by the browser background server. The solutions of the present invention can improve the security of the browser bookmarks, and save storage space on the terminal device where the browser client resides. | 04-17-2014 |
20140115699 | SYSTEM AND METHOD FOR ANALYZING WEB CONTENT - A system and computer based method are provided for identifying active content in websites on a network. One embodiment includes a computer based method of classifying web content. The method receives content of a web page, and determines a first property associated with the content, the first property including static content. The method executes active content associated with the webpage, and determines a second property associated with the content based at least in part on the executing, the second property including the active content. The method also evaluates a logical expression relating the first property and the second property, and associates the web page with a category based on a result of the evaluation. The evaluation of the logical expression at least in part evaluates whether a constant value matches at least a portion of the content of the web page. | 04-24-2014 |
20140115700 | METHOD AND SYSTEM FOR DETECTING WEBSITE VISIT ATTEMPTS BY BROWSERS - A method and system of detecting website visit attempts by browsers includes monitoring networking operations generated by a client and intercepting a network address associated with the networking operations, detecting a type of website from the intercepted network address, and determining that a browser on the client has attempted to visit a website of the detected type based on the browser being in a running state and a website identified as historically visited by the browser matching the detected type of website. This can allow for the accurate detection of a browser's attempt to visit a restricted website, thereby accomplishing accurate monitoring of networking activities of the browser and enhancing the accuracy of subsequent prompting or intercepting of the networking activities of the browser. | 04-24-2014 |
20140130149 | REFINEMENT-BASED SECURITY ANALYSIS - A method, computer program product, and computer system for assigning, by a computing device, a value to a first data-flow of a first summary associated with a control flow graph and assigning the value to a second data-flow of a second summary associated with the control flow graph. The first data-flow with the value is identified to flow into a type of sink. The second data-flow with the value is identified not to flow into the type of sink. The first summary of a behavior of the first data-flow is refined in response to identifying that the first data-flow does flow into the type of sink. Refinement of the second summary of a behavior of the second data-flow is skipped in response to identifying that the second data-flow does not flow into the type of sink. | 05-08-2014 |
20140130150 | CONTENT-BASED ISOLATION FOR COMPUTING DEVICE SECURITY - The subject disclosure is directed towards securing a computing device using content-based isolation. When the computing device requests content data having different ownership, a monitor component identifies and groups trusted portions of the content data into one or more isolation containers such that only trusted programs are permitted access. Other programs are, therefore, untrusted and can be denied access in order to prevent malicious activity, unless access is approved by the content owner. | 05-08-2014 |
20140130151 | METHODS FOR PROVIDING ANTI-ROLLBACK PROTECTION OF A FIRMWARE VERSION IN A DEVICE WHICH HAS NO INTERNAL NON-VOLATILE MEMORY - Methods, systems, computer-readable media, and apparatuses for providing anti-rollback protection in a device which has no internal non-volatile memory are presented. One embodiment comprises a device for providing anti-rollback protection. The device may obtain a firmware version number associated with a first firmware installation for the device, wherein the device is implemented on a substrate that includes no non-volatile memory. The device may obtain a lowest acceptable firmware version number, wherein the lowest acceptable firmware version number is stored in a secure element environment, wherein the secure element environment utilizes memory separated from the substrate. The device may compare the firmware version number and the lowest acceptable firmware version number, wherein if the firmware version number is less than the lowest acceptable firmware version number, then the first firmware installation is disallowed. In at least one arrangement, the device comprises a near field communication (NFC) controller. | 05-08-2014 |
20140130152 | DEFENSE AGAINST DNS DOS ATTACK - A method for defending a computer system comprising a DNS server against a DoS or a DDoS attack directed at said DNS server comprises replacing the address of said system provided by a user to a client software with an alternative address, wherein said address is replaced by a software agent associated with said user, such that said client software is capable of connecting with said system. | 05-08-2014 |
20140130153 | SOUND AND EFFECTIVE DATA-FLOW ANALYSIS IN THE PRESENCE OF ALIASING - A method is disclosed that includes, using a data flow model of a program suitable for taint analysis of the program, tracking information from sources of taint to entities in a heap using a model of the heap based on the program. The tracking is performed so that the information is relevant for taint propagation and is performed in a manner that is field-sensitive for the entities in the heap. The method includes, based on output of the tracking, performing data-flow analysis to determine taint flow from the sources of the taint through data flow paths to sinks using the taint. | 05-08-2014 |
20140130154 | SOUND AND EFFECTIVE DATA-FLOW ANALYSIS IN THE PRESENCE OF ALIASING - An apparatus is disclosed including one or more memories including computer-readable program code and one or more processors. The one or more processors, in response to execution of the computer-readable program code, cause the apparatus to track, using a data flow model of a program suitable for taint analysis of the program, information from sources of taint to entities in a heap using a model of the heap based on the program. The tracking is performed so that the information is relevant for taint propagation and is performed in a manner that is field-sensitive for the entities in the heap. The one or more processors in response to execution of the computer-readable program code cause the apparatus to perform, based on output of the tracking, the operation of performing data-flow analysis to determine taint flow from the sources of the taint through data flow paths to sinks using the taint. | 05-08-2014 |
20140130155 | METHOD FOR TRACKING OUT ATTACK DEVICE DRIVING SOFT ROGUE ACCESS POINT AND APPARATUS PERFORMING THE METHOD - A method including: detecting an unauthorized soft rogue AP; collecting information about the detected soft rogue AP, information about one or more access terminals connected to the detected soft rogue AP, and information about one or more candidate attack terminals that are not connected to the detected soft rogue AP, and storing the collected information; | 05-08-2014 |
20140130156 | REFINEMENT-BASED SECURITY ANALYSIS - A method, computer program product, and computer system for assigning, by a computing device, a value to a first data-flow of a first summary associated with a control flow graph and assigning the value to a second data-flow of a second summary associated with the control flow graph. The first data-flow with the value is identified to flow into a type of sink. The second data-flow with the value is identified not to flow into the type of sink. The first summary of a behavior of the first data-flow is refined in response to identifying that the first data-flow does flow into the type of sink. Refinement of the second summary of a behavior of the second data-flow is skipped in response to identifying that the second data-flow does not flow into the type of sink. | 05-08-2014 |
20140137238 | METHOD AND SYSTEM FOR TRACING INFORMATION LEAKS IN ORGANIZATIONS THROUGH SYNTACTIC AND LINGUISTIC SIGNATURES - One embodiment of the present invention provides a system for tracing information leaks. The system introduces linguistic and syntactic changes to a document, and associates these changes with a user identifier, which facilitates identification of a user that may have leaked the document. During operation, the system receives a document. The system then determines a most similar original document based on the received document. The system determines difference between the most similar original document and the received document, and determines a user identifier based on the determined difference. | 05-15-2014 |
20140137239 | Application-Level Anomaly Detection - An example includes intercepting one or more activities performed by an application on a computing device. The intercepting uses an instrumentation layer separating the application from an operating system on the computing device. The one or more activities are compared with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies. In response to the comparison detecting presence of one or more anomalies, indication(s) of the one or more anomalies are stored. Another example includes receiving indication(s) of anomaly(ies) experienced by an application on computing device(s) and analyzing the indication(s) of the anomaly(ies) to determine whether corrective action(s) should be issued. Responsive to a determination corrective action(s) should be issued based on the analyzing, the corrective action(s) are issued to the computing device(s). Methods, program products, and apparatus are disclosed. | 05-15-2014 |
20140137240 | AUTOMATED SECURITY ANALYTICS PLATFORM - A network security platform stores network telemetry information in an active memory, such as DRAM, and analyzes the network telemetry information to detect and respond to network security threats. Using a common active memory to store sensed network telemetry information and analyze that information provides a real-time dataflow engine for detecting security threats and neutralizing detected threats. | 05-15-2014 |
20140137241 | AUTOMATED SECURITY ANALYTICS PLATFORM WITH PLUGGABLE DATA COLLECTION AND ANALYSIS MODULES - Pluggable network security modules provide a collaborative response across plural networks by allowing modules associated with detection and neutralization of a network security threat to plug into a network security platform of other networks. Plugging the security modules in provides an automated insertion of detection and neutralization tools into the network security platform to respond to potential threats based upon proven successful responses at other networks. | 05-15-2014 |
20140137242 | AUTOMATED SECURITY ANALYTICS PLATFORM WITH MULTI-LEVEL REPRESENTATION CONVERSION FOR SPACE EFFICIENCY AND INCREMENTAL PERSISTENCE - Active memory for managing network telemetry information, or other types of information stored as objects, has objects partially serialized to allow greater amounts of information to be stored in a memory of a given size with slightly increased retrieval times. Storing additional information in an active memory provides an overall increase in network security platform responsiveness by allowing a greater amount of information to be accessible from the active memory instead of an archive. | 05-15-2014 |
20140137243 | AUTOMATED SECURITY ANALYTICS PLATFORM WITH VISUALIZATION AGNOSTIC SELECTION LINKED PORTLETS - Visualization agnostic selection linked portlets provide a tree from a parent to one or more children that present each portlet with its own visualization and data synchronized with a root portlet based upon related filters. Each portlet uses its visualization to display a data set derived by applying its filter in conjunction with the filters of its ancestors. Each portlet then presents data that is at most the same size as its root in a visualization adapted to the child's type and quantity of data. | 05-15-2014 |
20140137244 | Runtime Based Application Security and Regulatory Compliance in Cloud Environment - A mechanism is provided in a data processing system for runtime based application security. The application runtime environment executing within a virtual machine on the data processing system receives notification of a change in execution environment for the virtual machine. Responsive to determining the virtual machine is being migrated to a virtualized environment based on the notification of a change in execution environment, the application runtime environment dynamically modifies execution of an application in the application runtime environment, wherein the application comprises a set of application modules. | 05-15-2014 |
20140137245 | INFORMATION PROCESSING APPARATUS AND CONTROL METHOD - According to one embodiment, a controller detects generation of an event and transmits a content of the event to a management module. The management module transmits to the controller a determination result which represents permission or inhibition of execution of the processing. The determination result is decided based on a first policy or a second policy different from the first policy that are selectively employed in accordance with a use situation of the apparatus. The management module decides whether to notify a server of the content of the event, in accordance with which of a period in which the first policy is employed and a period in which the second policy is employed is a period in which the event has occurred. | 05-15-2014 |
20140137246 | Application-Level Anomaly Detection - An example includes intercepting one or more activities performed by an application on a computing device. The intercepting uses an instrumentation layer separating the application from an operating system on the computing device. The one or more activities are compared with one or more anomaly detection policies in a policy configuration file to detect or not detect presence of one or more anomalies. In response to the comparison detecting presence of one or more anomalies, indication(s) of the one or more anomalies are stored. Another example includes receiving indication(s) of anomaly(ies) experienced by an application on computing device(s) and analyzing the indication(s) of the anomaly(ies) to determine whether corrective action(s) should be issued. Responsive to a determination corrective action(s) should be issued based on the analyzing, the corrective action(s) are issued to the computing device(s). Methods, program products, and apparatus are disclosed. | 05-15-2014 |
20140143863 | ENHANCED NETWORK SECURITY - According to one embodiment, a system may receive a plurality of security threats and categorize each security threat in the plurality of security threats into security threat categories. The system may then determine, based at least in part upon an instance of a security threat category, a future occurrence of the security threat category and determine, based at least in part upon the future occurrence of the security threat category, that the security threat category is an emerging threat. | 05-22-2014 |
20140143864 | SYSTEM AND METHOD FOR DETECTING, ALERTING AND BLOCKING DATA LEAKAGE, EAVESDROPPING AND SPYWARE - A computer implemented method for detecting, alerting and blocking data leakage, eavesdropping and spyware in one or more networked computing devices includes providing a graphical user interface (GUI) and displaying all available hardware device interfaces in each networked computing device. Next, providing a turn-on switch and a turn-off switch for each displayed hardware device interface in each networked computing device. Next, providing a turn-all-on switch and a turn-all-off switch for all displayed hardware device interfaces in each networked computing device. Next, monitoring status of each available hardware device interface and data traffic across each available hardware device interface. Upon detecting an unauthorized change of status of a specific hardware device interface or unauthorized data traffic across a specific hardware device interface providing a warning signal, turning off the specific hardware device interface by activating the turn-off switch for the specific hardware device interface or the turn-all-off switch. | 05-22-2014 |
20140143865 | SOFTWARE IDENTIFICATION - A method of generating identification data for identifying software is disclosed. The method includes executing said software so as to alter one or more addresses of a memory stack reserved in memory for execution of the software. Identification data is then generated for identifying the software based on the one or more altered addresses of the memory stack. | 05-22-2014 |
20140143866 | METHOD OF INSPECTING MASS WEBSITES AT HIGH SPEED - Disclosed is a method of inspecting mass websites at a high speed, which visits and inspects the mass websites at a high speed and, at the same time, correctly detects unknown attacks, detection avoidance attacks and the like and extracts URLs related to vulnerability attacks. The method of inspecting mass websites at a high speed includes the steps of: simultaneously visiting, if a list of inspection target websites is received, a plurality of inspection target websites using multiple browsers; inspecting whether or not malicious code infection is attempted at the plurality of inspection target websites visited through the multiple browsers; extracting a malicious website where the attempt of malicious code infection is generated among the plurality of inspection target websites; and visiting the malicious website and tracing a malicious URL distributing a malicious code. | 05-22-2014 |
20140143867 | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, AND COMPUTER PROGRAM PRODUCT - According to an embodiment, a communication device is connected to a plurality of external devices which share key information with each other. The communication device includes a detector and an instructing unit. The detector is configured to, from among the external devices, detect an external device that has been subject to attack. The instructing unit is configured to issue an instruction to stop using key information which is shared with the detected external device. | 05-22-2014 |
20140150094 | SYSTEMS AND METHODS FOR TRANSPARENTLY MONITORING NETWORK TRAFFIC FOR DENIAL OF SERVICE ATTACKS - A mitigation service can monitor network traffic in one direction between a client computer and a server computer. The mitigation service can receive a request from a client computer to establish a network connection with a server computer. The mitigation service can reply to the client computer with an acknowledgment that is configured to cause the client computer to issue a request to reset the connection. The acknowledgement is configured not to affect the establishment of the network connection with the server computer. The mitigation service can compare the details of the reset request with the request to establish the network connection. If the details match, the mitigation service can forward the request to establish the network connection to the server computer. | 05-29-2014 |
20140150095 | SYSTEMS AND METHODS TO DETECT AND RESPOND TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS - Embodiments relate to systems, devices, and computer-implemented methods for mitigating Distributed Denial of Service (“DDoS”) attacks. The method can include receiving, by a server, a response message from an application server. The method can further include determining a source internet protocol (IP) address associated with the source client based on a request message received from a source client. The request message received from the source client corresponds to the response message received from the application server. In addition, the method can include identifying, by the server, a plurality of counters associated with the source IP address, and identifying, by the server, a response type of the response message. Further, the method can include causing a value of at least one of the plurality of counters to change based on the response message and the response type. | 05-29-2014 |
20140150096 | METHOD FOR ASSURING INTEGRITY OF MOBILE APPLICATIONS AND APPARATUS USING THE METHOD - An apparatus for assuring integrity of a mobile application or application software (app) includes a developer registration management unit configured to authenticate a mobile app developer based on an authentication means in response to a subscription and registration request of the mobile app developer, and an integrity verification unit configured to verify whether the mobile app has the integrity by unpackaging the mobile app uploaded to an app store server in a packaged state and determine whether to write a code signature of the app store server to the mobile app based on an integrity verification result. Thus, a secure mobile ecosystem can be constructed. | 05-29-2014 |
20140150097 | SYSTEM AND METHOD FOR EMAIL FRAUD RISK ASSESSMENT - Email address Fraud Risk Assessment using a system of data element collection and computation. Data elements for each portion of an email address's local and domain parts are acquired from internal and external data sources, captured, evaluated, and then assigned a value. Data acquisition may include use of domain information, databases, Email Service Providers, Simple Mail Transfer Protocol, corporate and social media services, and search engine services. Using the assigned values, a Fraud Risk Score is computed and then displayed to a user along with additional information, explanations and recommendations. | 05-29-2014 |
20140150098 | SYSTEM AND METHOD FOR PREVENTING OPERATION OF UNDETECTED MALWARE LOADED ONTO A COMPUTING DEVICE - Methods and devices for protecting computing devices against the effects of surreptitiously loaded machine language programs from a malware source. The user defines a pattern of disruption of the sequence of bytes. The user then installs legitimate programs to be run on a particular computing device by loading the original program onto the local hard drive and replacing the program by one to which the pattern of disruption has been applied. Using the user-defined disruption pattern, the computing device can define the transforms necessary to reverse the application of the disruptive pattern. As part of the process the operating system for the computing device is modified to apply transforms that reverse the disruption pattern when executing a program file loaded into RAM. | 05-29-2014 |
20140150099 | METHOD AND DEVICE FOR DETECTING MALICIOUS CODE ON WEB PAGES - A method for detecting malicious code on web pages includes: obtaining a function list by executing a specified code and a predefined object code; parsing the specified code and obtaining variable values according to a parsing result and the function list; and determining whether a malicious code exists on web pages according to variable values. A device for detecting malicious code on web pages is also provided. | 05-29-2014 |
20140150100 | Adaptive Observation of Driver and Hardware Level Behavioral Features on a Mobile Device - Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources. | 05-29-2014 |
20140150101 | METHOD FOR RECOGNIZING MALICIOUS FILE - A method for recognizing a malicious file has the steps of: receiving a static file through a network or an input/output interface to be stored in the memory; defining suspicious positions where components of a malware are possibly encrypted in the static file; decrypting the suspicious positions to identify a PE header and a shellcode; extracting the PE header and the shellcode terms in segments; and determining whether the PE header and the shellcode terms can be assembled into an executable binary, which indicates a recognition of the malicious file. | 05-29-2014 |
20140157404 | VIRTUALIZING A HARDWARE MONOTONIC COUNTER - Embodiments of an invention for virtualizing a hardware monotonic counter are disclosed. In one embodiment, an apparatus includes a hardware monotonic counter, virtualization logic, a first non-volatile storage location, and a second non-volatile storage location. The virtualization logic is to create a virtual monotonic counter from the hardware monotonic counter. The first non-volatile storage location is to store an indicator that the count of the hardware monotonic counter has changed. The second non-volatile storage location is to store an indicator that the count of the virtual monotonic counter has changed. | 06-05-2014 |
20140157405 | Cyber Behavior Analysis and Detection Method, System and Architecture - A scalable cyber-security system, method and architecture for the identification of malware and malicious behavior in a computer network. Host flow, host port usage, host information and network data at the application, transport and network layers are aggregated from within the network and correlated to identify a network behavior such as the presence of malicious code. | 06-05-2014 |
20140157406 | APPLICATION TESTING SYSTEM AND METHOD - A method, computer program product, and computer system for sending, by a first computing device, a payload from a plurality of payloads to a second computing device. A response from the second computing device responding to the payload is received at the first computing device. It is determined whether the payload has successfully attacked an application executing at the second computing device based upon, at least in part, the response. If not, at least a portion of the plurality of payloads that shares a structural overlap with the first payload is identified. At least a second payload of the portion is prevented from being sent to the second computing device in response to identifying that the second payload shares the structural overlap with the first payload. | 06-05-2014 |
20140157407 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR EFFICIENT COMPUTER FORENSIC ANALYSIS AND DATA ACCESS CONTROL - According to one aspect, the subject matter described herein includes a method for efficient computer forensic analysis and data access control. The method includes steps occurring from within a virtualization layer separate from a guest operating system. The steps include monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory. The steps also include tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network. The steps further include linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accessed. | 06-05-2014 |
20140157408 | METHOD FOR SCANNING FILE, CLIENT AND SERVER THEREOF - A method for scanning files includes enumerating unscanned files; obtaining attributions of the unscanned files from the enumerated files one by one, and transmitting to a server the attributions; comparing the attributions with features that are stored in the server; obtaining the features that are consistent with the attributions and types that the features belong to; and generating a mapping relationship between the unscanned files, the attributions and the types according to the features that are consistent with the attributions and the types of the features, and recording the mapping relationship in a first scanning result. The above method uploads the attributions of the files to the server; and makes the safety and risky recognition of the file through comparing with the features and the corresponding types. | 06-05-2014 |
20140157409 | CLASSIFYING A MESSAGE BASED ON FRAUD INDICATORS - Systems, methods, and media for classifying messages are disclosed. A plurality of fraud indicators are identified in the message. A signature of the message is generated. The generated signature of the message is compared to a stored signature. The stored signature is based on a statistical analysis of fraud indicators in a second message associated with the stored signature. A determination as to whether the message is fraudulent is made based on the comparison. The message is processed based on the determination that the message is a fraudulent message. | 06-05-2014 |
20140165189 | Directing Audited Data Traffic to Specific Repositories - Data traffic is monitored on a network and data access elements thereof are collected. The collected data access elements are compared to security rules providing sets of predefined data access elements for identifying predefined data accesses. First audit data collections for data accesses are sent to a first repository. For a data access that matches one of the rules, a second audit data collection defined by the matching rule is sent to at least a second repository designated by the matching rule. | 06-12-2014 |
20140165190 | METHOD AND APPARATUS FOR ENHANCED FILE SYSTEM MONITORING ON MOBILE COMMUNICATIONS DEVICES - A system and method for using file system events to trigger a security scan. A file system watches all writable directory paths for defined file system events on files in the watched paths. Upon occurrence of a watched event, the file is scanned using known security methods. A data structure stores events and can be used to update and track events. Cookies can be used to correlate MOVE events. A timer can be used to avoid repetitive scanning after discrete WRITE events. | 06-12-2014 |
20140165191 | APPARATUS AND METHOD FOR DETECTING IN-VEHICLE NETWORK ATTACK - An apparatus for detecting an in-vehicle network attack, is configured to cumulatively count packets for each device that has a respective ID and is connected to an in-vehicle network bus. The apparatus is configured to cumulate a check value every time the packets are cumulatively counted to calculate a cumulated value, and determine that an attack is conducted when an average cumulated value obtained by dividing the cumulated value by a cumulative counted value does not exceed a first threshold value. | 06-12-2014 |
20140165192 | System and Method of Monitoring Attacks of Cross Site Script - The present disclosure provides techniques for monitoring a cross site scripting attack. These techniques may receive and reply to, by a computing device, a service request from a client terminal. The computing device may then redefine a scripting internal function applied by the cross site scripting attack, and return redefined information for the scripting internal function to the client terminal. The computing device may monitor calling information of the client terminal in relation to the redefined scripting internal function, and analyze the security of the calling information. The computing device may monitor an attacking source, an attacking time period, leakage information in the attack, and/or a vulnerability point in the attack that are associated with the cross site scripting attack. | 06-12-2014 |
20140165193 | Detecting Anomalous Process Behavior - A method for learning a process behavior model based on a process past instances and on one or more process attributes, and a method for detecting an anomalous process using the corresponding process behavior model. | 06-12-2014 |
20140173722 | Methods and Systems for Mitigating Attack Traffic Directed at a Network Element - An exemplary method includes an attack traffic mitigation system 1) identifying a range of ports left open by a firewall for a network element to receive network traffic provided by a computing device, 2) designating a subset of one or more ports included in the range of open ports as being included in a legitimate port range configured to receive legitimate network traffic provided by the computing device, and 3) directing the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range. Corresponding methods and systems are also disclosed. | 06-19-2014 |
20140173723 | REPUTATION OF NETWORK ADDRESS - Example embodiments disclosed herein relate to determining a reputation of a network address. A long-term reputation of the network address is determined. A short-term reputation of the network address is determined based on the long-term reputation and trend information associated with the long-term reputation. | 06-19-2014 |
20140173724 | Tuning of Data Loss Prevention Signature Effectiveness - In at least one embodiment, a method and a system include capability to fine-tune a data loss prevention system. An example method includes gaining access to or creating an alert database and a signature set by an analytics module and an adjustment module, where the alert database includes an alert validity attribute for each alert; quantifying for each signature contained in the signature set an effect on the change in the number of alerts from its removal; determining with an analytics module whether any signature has a ratio of valid to false positive alerts less than a threshold; and when at least one signature has the ratio less than the first threshold identifying and removing with an adjustment module at least one signature from the signature database having a ratio less than the threshold where the signature is removed from the signature set, and repeating quantifying and determining. | 06-19-2014 |
20140173725 | TRAFFIC SEGMENTATION IN PREVENTION OF DDOS ATTACKS - Systems, methods, and computer storage media for traffic segmentation in prevention of DDoS attacks are provided. Data associated with one or more users of a particular service or network is collected. Legitimate properties associated with the data are identified. In embodiments, the legitimate properties are shared with one or more related services. One or more requests are received for the service or related services and request properties are identified. The legitimacy of the one or more requests is predicted based on a comparison of the legitimate and request properties. | 06-19-2014 |
20140173726 | METHODS AND SYSTEMS FOR PREVENTING UNAUTHORIZED ACQUISITION OF USER INFORMATION - The embodiments provide methods and systems for detecting and preventing phishing of a user's information, such as their username and password. In one embodiment, a website detects as a threshold matter whether the user has arrived at the site due to an automatic redirection from a prior visited site or by the user having clicked on a link to the website from the previous site. If this threshold is met, then the prior website is evaluated based on various criteria to determine if it appears to be a phishing site. If phishing is suspected, then the user may be notified and various other protective actions may be performed. | 06-19-2014 |
20140173727 | Tuning of Data Loss Prevention Signature Effectiveness - In at least one embodiment, a method and a system include capability to fine-tune a data loss prevention system. An example system includes a computer readable storage medium for storing at least one alert database and at least one associated signature set to each alert database; an analytics module in communication to the computer readable storage medium, the analytics module analyzes at least one alert database present on the computer storage medium to determine whether any signatures from the signature set associated with the alert database being analyzed are ineffective based at least on a ratio of valid alerts to false positive alerts for individual signatures selected from a group including a plurality of signatures present in the signature set; and an adjustment module in communication to the computer readable storage medium and the analytics module, the adjustment module removes at least one ineffective signature from the signature set. | 06-19-2014 |
20140173728 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MOUNTING AN IMAGE OF A COMPUTER SYSTEM IN A PRE-BOOT ENVIRONMENT FOR VALIDATING THE COMPUTER SYSTEM - A system, method, and computer program product are provided for mounting an image of a computer system in a pre-boot environment for validating the computer system. In use, an image of a computer system is mounted in a pre-boot environment of the computer system, where the image includes a file system structure and initialization data of the computer system. Furthermore, at least one task is performed on the mounted image for validating the computer system. | 06-19-2014 |
20140173729 | PROVIDING A FAST, REMOTE SECURITY SERVICE USING HASHLISTS OF APPROVED WEB OBJECTS - A security system and service, which improves the performance of SECaaS services, is described. A security server system tracks the content that has successfully passed through its security modules and distributes this information to the end user client devices as hashlist information. The remote client devices can then safely bypass the cloud for a significant fraction of Web object requests by using information on a locally stored hashlist to validate Web objects. | 06-19-2014 |
20140173730 | Security Method and Apparatus - In accordance with an example embodiment of the present invention, there is provided a method comprising: maintaining a local database of trusted uniform resource locators (URL) where an URL is qualified to said database based on fulfilling predetermined criteria; detecting a request to access a uniform resource locator (URL); obtaining reputation data for the URL from a reputation server or from a local reputation scanner; comparing the obtained reputation data of the requested URL with the reputation data of the requested URL that is stored in the local database of trusted URLs if any; if there is a conflict between the reputation data obtained and the reputation data stored in the local database of trusted URLs, using the reputation data stored in the local database of trusted URLs to determine whether access to the URL is allowed. | 06-19-2014 |
20140173731 | System and Method for Unified Communications Threat Management (UCTM) for Converged Voice, Video and Multi-Media Over IP Flows - A method and system for unified communications threat management (UCTM) for converged voice and video over IP is disclosed. A computer-implemented method for threat management receives an incoming packet. The incoming packet is broken into sub-packets and fed to a plurality of packet processing engines. Each packet processing engine inspects the sub-packets and annotates the sub-packets with meta-data. The annotated sub-packets are combined and processed by a plurality of application engines to generate a processed packet. The processed packet is classified and stored in a database. | 06-19-2014 |
20140173732 | Advocate for Facilitating Verification for the Online Presence of an Entity - Some embodiments provide an advocate system to facilitate automated online presence verification for different entities on behalf of the entities. The advocate system places service providers on notice that profiles and information hosted by them and that form the online presence for a particular entity should first be verified with that particular entity. The advocate system further facilitates online presence verification by 1) directly or indirectly connecting the service providers that are placed on notice with the appropriate authoritative entities to facilitate the verification of the profiles and information, 2) selectively targeting service providers hosting profiles and information that are unverified, 3) automatedly verifying hosted profiles and information based on a verified profile lists and verified information that authoritative entities provide to a central repository. In so doing, the advocate system prevents potential damage to the authoritative entity's credibility while also mitigating potential for fraud, identity theft, etc. | 06-19-2014 |
20140181966 | CLOUD-BASED DISTRIBUTED DENIAL OF SERVICE MITIGATION - A method, performed by a computer device, may include receiving an indication of a distributed denial of service event at a front end system associated with a customer; generating one or more virtual front end systems for the customer, in response to receiving the indication of the distributed denial of service event; and redirecting traffic intended for the customer's front end system to the generated one or more virtual front end systems. The method may further include determining whether resource capacity of the generated one or more virtual front end systems has been reached; and generating an additional one or more virtual front end systems for the customer, in response to determining that the resource capacity of the generated one or more virtual front end systems has been reached. | 06-26-2014 |
20140181967 | PROVIDING-REPLAY PROTECTION IN SYSTEMS USING GROUP SECURITY ASSOCIATIONS - A method and apparatus is disclosed which enables detection of undesired packets received at a device in a network, where the device is a member of a group of devices in the network. A registration table stores transform identifiers for each member of a group and controls the forwarding of the transform identifiers to the members of the group as members are added and deleted. A transform identifier indicates a format or transformation of a packet transmitted by an associated member. The transform identifier can therefore be used at a receiving device to distinguish between transmissions by different members of the group, thereby enabling the receiving device to extract sequence information associated with the member from the packet. The sequence information can be compared against an expected sequence number for the member to determine whether the packet is an undesirable or rogue packet. | 06-26-2014 |
20140189858 | Generation Method and Device for generating anonymous dataset, and method and device for risk evaluation - An anonymous dataset generation method comprises the following steps. A critical attribute set and a quasi-identifier (QID) set are acquired, and one of the critical attribute and the quasi-identifier is set as an anchor attribute. An attribute sequence and an equivalence table are generated according to the quasi-identifier set and the critical attribute set. A data cluster and a cluster table are generated according to the equivalence table. The content of the cluster table is generalized to generate and output an anonymous dataset corresponding to an original dataset. A risk evaluation method for an anonymous dataset calculates data weight to extract distinctive data and to attack defects of the anonymous dataset according to the distinctive data, thereby enhancing the risk evaluation efficiency of the anonymous dataset. | 07-03-2014 |
20140189859 | HERD BASED SCAN AVOIDANCE SYSTEM IN A NETWORK ENVIRONMENT - A method in one example embodiment includes generating a signature for an object in a compute node in a network, searching a memory element for the signature, and responsive to determining the memory element does not contain the signature, scanning the object. The method also includes updating the memory element with a scan result, and synchronizing the memory element of the compute node with one or more memory elements of one or more other compute nodes in the network. In specific embodiments, the scan result includes the signature of the object and a threat level of the object. In further embodiments, the synchronizing includes sending the scan result to one or more other compute nodes in the network. In more specific embodiments, the scan result is sent with one or more other scan results after a predetermined interval of time from a previous synchronization. | 07-03-2014 |
20140189860 | CONTROL SYSTEM CYBER SECURITY - Devices, methods, and systems for control system cybersecurity are described herein. One method includes receiving a plurality of measurements from each of a number of sensing and actuating devices of a control system, determining a suspected portion of the received measurements, monitoring the suspected portion of the received measurements over a particular time period, and determining whether the suspected portion of the received measurements is associated with a cyber attack. | 07-03-2014 |
20140189861 | SYSTEM AND METHOD FOR CORRELATING NETWORK INFORMATION WITH SUBSCRIBER INFORMATION IN A MOBILE NETWORK ENVIRONMENT - A method is provided in one example embodiment and includes receiving information for network traffic in a wireless network; correlating the information with a subscriber of a plurality of subscribers; and generating a behavior profile for the subscriber based on the information over a period of time. | 07-03-2014 |
20140189862 | VIRTUAL MACHINE MONITOR (VMM) EXTENSION FOR TIME SHARED ACCELERATOR MANAGEMENT AND SIDE-CHANNEL VULNERABILITY PREVENTION - Technologies are presented for automatically generating accelerator code for datacenter users, detecting multiple hardware tenants with overlapping accelerator needs, and managing the accelerator needs of the tenants so that they can share use of programmable accelerator hardware. In some examples, the accelerator code may also be customer supplied. In other examples, a delay that simulates accelerator programming for a user first accessing an accelerator that was virtualized from a pre-existing one may be applied. By simulating the delay, co-location detection (a form of side channel attack) may be prevented. | 07-03-2014 |
20140189863 | Distributed Client Side User Monitoring and Attack System - An embodiment of the invention provides a new way of creating a distributed client side user monitoring and attack system for use within the security market. In one embodiment of the invention, a distributed client side user monitoring and attack system includes: a security application server; a target application server; a target application; and a first code in the target application to permit backchannel communications with the security application server. | 07-03-2014 |
20140196144 | Method and Apparatus for Detecting Malicious Websites - A method and apparatus for detecting malicious websites is disclosed. | 07-10-2014 |
20140196145 | PREVENTION OF USER INPUT CAPTURE - Systems and methods may provide to prevent user input capture. In one example, the method may include measuring an attribute based on a user's interaction with a user input component of a user input device, generating a user input signature based on the measured attribute, generating an obscuring signature based on the user input signature, and transmitting a control signal, based on the obscuring signature, to obscure a user's input activity and prevent user input capture. | 07-10-2014 |
20140208420 | SYSTEM FOR REMOTELY MONITORING STATUS INFORMATION OF DEVICES CONNECTED TO A NETWORK - A system for monitoring the status of one or more networks and/or of devices coupled to each of the one or more networks. Status monitoring applications are associated with the networks and/or devices. The status monitoring applications output a respective status log file containing information about the system status of the associated network or device. In one embodiment, the system status is derived from the Windows Event Log. The status monitoring applications are coupled to a remote receive module via a one-way data link or a firewall. The remote receive module receives the log files and processes the log files to either identify any unauthorized status conditions identified therein or to generate a cumulative log file consisting of events occurring over a predetermined time interval. | 07-24-2014 |
20140208421 | SECURE AND SCALABLE DETECTION OF PRESELECTED DATA EMBEDDED IN ELECTRONICALLY TRANSMITTED MESSAGES - A method and apparatus for detecting preselected data embedded in electronically transmitted messages is described. In one embodiment, the method comprises monitoring messages electronically transmitted over a network for embedded preselected data and performing content searches on the messages to detect the presence of the embedded preselected data using an abstract data structure derived from the preselected data. | 07-24-2014 |
20140208422 | Passing Hidden Information Using Attack Detectors - An electronic device ( | 07-24-2014 |
20140208423 | METHOD AND DEVICE FOR PREVENTING DOMAIN NAME SYSTEM SPOOFING - A method for preventing Domain Name System (DNS) spoofing includes: performing uppercase/lowercase conversion for letters of a DNS question field in a DNS request packet according to a preset rule; sending the DNS request packet; receiving a DNS response packet; obtaining uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet; and forwarding the DNS response packet to a target DNS client if the uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet complies with the preset rule. Corresponding to the method, a device for preventing DNS spoofing is disclosed. The method and device reduce occupation of storage resources of the device. | 07-24-2014 |
20140215605 | MONITORING AND MITIGATING CLIENT-SIDE EXPLOITATION OF APPLICATION FLAWS - A system for monitoring and mitigating client-side exploitation of application flaws, the system comprising a client device operating an application, a server communicatively coupled to the client device, and an application flaw service module communicatively coupled to the client device and server, in which the application flaw service module receives a request from the client device comprising transactional metadata and inspects the transactional metadata for malicious content within the request. A method of monitoring and mitigating client-side exploitation of application flaws by adding computer usable program code to the response to a first request from a client, receiving a second request from the client, determining that transactional metadata within the response contains an attack vector, and returning a response to the browser including attack vector countermeasures embedded in the response. | 07-31-2014 |
20140215606 | SYSTEM AND METHOD FOR DETECTING A COMPROMISED COMPUTING SYSTEM - A digital security threat management system is disclosed. The system detects the presence of a computing system, on a network, that has been compromised by an undetected and/or unknown digital security threat. The digital security threat management system recognizes characteristic emanations from a computer system that has been compromised. Because the characteristic emanations that result from a known threat can be the same as the characteristic emanations that result from an undetected and/or unknown threat, the digital security threat management system can learn to detect a computing system that has been compromised by an unknown threat if the security threat management system recognizes characteristic emanations from a previous attack, based on a known threat, of the computing system. In this way, the system can detect the presence of a compromised computing system, even if the cause of the compromise remains undetected and/or unknown. Appropriate remedial action may be taken upon detection. | 07-31-2014 |
20140215607 | THREAT EXCHANGE INFORMATION PROTECTION - Threat exchange information protection can include receiving security information from a number of participants of a threat exchange community, wherein a portion of the received security information is encoded with pseudonyms by each of the number of participants, analyzing the security information collectively from the number of participants, wherein the portion of the received security information remains encoded, and sending analysis results to each of the number of participants, wherein the analysis results include information relating to the portion. | 07-31-2014 |
20140215608 | SECURITY THREAT ANALYSIS - An example of security threat analysis can include generating a security threat hypothesis based on security data in a threat exchange server. A request for analysis based on the security data can be sent via communication links to at least one security monitored participant to analyze the security data. A response can be received from the at least one security monitored participant with information related to the completed security related task. | 07-31-2014 |
20140215609 | MONITORING CONTROL SYSTEM - In order to deal with a security threat in a monitoring control system having a plurality of networks differing in security level, the monitoring control system performs unidirectional physical communication between a monitoring control device connected to a network with a higher security level and a monitoring device connected to a network with a lower security level via a sender and a receiver, thereby securing the safety of the network with the higher security level. | 07-31-2014 |
20140215610 | ENCRYPTED NETWORK TRAFFIC INTERCEPTION AND INSPECTION - A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network. | 07-31-2014 |
20140215611 | APPARATUS AND METHOD FOR DETECTING ATTACK OF NETWORK SYSTEM - An attack detection apparatus includes a window size change unit configured to change a size of a window to be applied to traffic, and an abnormal state detection unit configured to detect an abnormal state of the traffic to which the changed window is applied. | 07-31-2014 |
20140215612 | METHOD AND SYSTEM FOR DETECTING ANOMALY OF USER BEHAVIOR IN A NETWORK - A method and system for detecting anomaly of user behavior in a network with a hierarchical topology, including a plurality of users, at least two bridges to each of which at least one user is connected and wherein the bridges are configured to be operable to connect the corresponding users to the network, and at least one predetermined profiling network entity, the method includes the steps of: | 07-31-2014 |
20140223553 | Location based process-monitoring - Disclosed are systems, apparatus, devices, methods, computer program products, and other implementations, including a method that includes determining location of a device, and controlling monitoring of behavior of one or more processes executing on the device based on the determined location of the device to identify potential one or more security-risky processes from the monitored one or more executing processes. In some embodiments, controlling the monitoring of the behavior of the one or more processes may include one or more of, for example, adjusting frequency of the monitoring of the one or more processes based on the determined location of the device, adjusting level of detail obtained for the monitored behavior of the one or more processes based on the determined location of the device, and/or adjusting features being observed for the monitored one or more processes based on the determined location of the device. | 08-07-2014 |
20140223554 | DYNAMIC OPERATIONAL WATERMARKING FOR SOFTWARE AND HARDWARE ASSURANCE - This disclosure addresses systems and methods for the protection of proprietary information by monitoring operational watermarks of an apparatus. A monitoring device may receive logical or physical watermark data from a defended apparatus. Watermark data may include any operational or environmental variable related to the defended apparatus. The monitoring device may maintain a baseline profile for the defended apparatus that includes watermark data. During monitoring of the defended apparatus by the monitor device, changes in the watermark data may be analyzed to determine if the baseline should be dynamically updated, or if the change indicates an anomaly. Anomalies may indicate an attempt to tamper with the defended apparatus. In response to the change that indicates an anomaly, the monitoring device may scrub the contents of the defended apparatus. In an embodiment, the monitoring device may also scrub its own memory in response to an anomaly. | 08-07-2014 |
20140223555 | METHOD AND SYSTEM FOR IMPROVING SECURITY THREATS DETECTION IN COMMUNICATION NETWORKS - Method and system for improving the detection of security threats in a communication network, including security devices which generate security events. The present invention assigns a dynamic tag to each event according to the description of the event, and the tags related to the same security threat are clustered, forming a data model pattern. An artificial intelligence algorithm, learning from known real information, analyzes said patterns and decides whether an alarm should be generated or not. | 08-07-2014 |
20140223556 | Method for Detecting Attacks and for Protection - A method is provided for attack detection and protection of a set of virtual machines in a system, which includes at least one first host server hosting said set of virtual machines. The method includes: receiving an attack detection message regarding a virtual machine, triggering a first migration of the virtual machine from the first host server toward a security system, and receiving an attack treatment message regarding the migrated virtual machine. | 08-07-2014 |
20140223557 | PERMANENT LOCKOUT ATTACK DETECTION - This document discusses, among other things, an attack detection module configured to permanently shut down a slave device after a number of consecutive attacks. | 08-07-2014 |
20140223558 | METHOD AND DEVICE FOR INTEGRATING MULTIPLE THREAT SECURITY SERVICES - A method and device for integrating multiple threat security services are disclosed. The method may comprise parsing an incoming packet at a current layer and analyzing the packet with respect to multiple threat security services, so that one or more threat security services needed by the packet may be determined. According to an exemplary embodiment, the current layer may be a layer in a protocol stack constructed based on the multiple threat security services. With this method, integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity, and thus the efficacy of filtering application data may be improved while computation overhead may be reduced. | 08-07-2014 |
20140223559 | Systems, methods, and devices for defending a network - Certain exemplary embodiments comprise a method comprising: within a backbone network: for backbone network traffic addressed to a particular target and comprising attack traffic and non-attack traffic, the attack traffic simultaneously carried by the backbone network with the non-attack traffic: redirecting at least a portion of the attack traffic to a scrubbing complex; and allowing at least a portion of the non-attack traffic to continue to the particular target without redirection to the scrubbing complex. | 08-07-2014 |
20140237590 | SIMULTANEOUS SCREENING OF UNTRUSTED DIGITAL FILES - A plurality of untrusted digital files are run simultaneously in fewer sandboxes than there are files, while monitoring for malicious activity. Preferably, only one sandbox is used. If the monitoring detects malicious activity, either the files are run again in individual sandboxes, or the files are divided among subsets whose files are run simultaneously in one or more sandboxes, while monitoring for malicious activity. | 08-21-2014 |
20140237591 | PROTECTING MULTI-FACTOR AUTHENTICATION - Methods are detailed for online fraud prevention. In one approach state information of a first and a second device is monitored, both of which are associated with one user. During a multi-factor authentication procedure which utilizes at least one of the first and the second devices for authorizing a transaction by an Internet domain, a security server participates in a supplemental security procedure which is conditional on the monitored state information. In another approach the second device receives a message that is ostensibly related to multi-factor authorization by an Internet domain, and in response sends a query about state information of the first device. Based on the response to the query that indicates the state information, the second device performs a supplemental security procedure. | 08-21-2014 |
20140237592 | METHOD AND SYSTEM FOR DETECTING DATA MODIFICATION WITHIN COMPUTING DEVICE - A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system. | 08-21-2014 |
20140237593 | METHOD, DEVICE AND SYSTEM FOR DETECTING SECURITY OF DOWNLOAD LINK - A method, a device and a system for detecting security of a download link are provided. The method comprises: pre-acquiring an information set of download link security (S | 08-21-2014 |
20140245435 | OUT-OF-BAND IP TRACEBACK USING IP PACKETS - A method and system for tracing Internet protocol packets is disclosed. One aspect of the method involves generating traceback packets containing information relating to their origin, destination, and encountered devices. The generated traceback packets can differ depending on the network configuration and Internet traffic scenarios. Another aspect involves analyzing incoming Internet traffic and generating traceback packets based on the performed analysis. Another aspect involves discovering a denial-of-service attack. Another aspect involves modifying operational parameters in response to the attack. One aspect of the system involves traceback servers, which can collect and provide traceback information to the public or on a private network. Another aspect involves the dissemination of traceback information to interested and/or authorized parties. | 08-28-2014 |
20140245436 | METHOD AND SYSTEM FOR DETECTING AND RESPONDING TO ATTACKING NETWORKS - A system and method for detecting a first network of compromised computers in a second network of computers, comprising: collecting Domain Name System (DNS) data for the second network; examining the collected data relative to DNS data from known compromised and/or uncompromised computers in the second network; and determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination. | 08-28-2014 |
20140245437 | SANDBOXED EXECUTION OF PLUG-INS - A sandbox architecture that isolates and identifies misbehaving plug-ins (intentional or unintentional) to prevent system interruptions and failure. Based on plug-in errors, the architecture automatically disables and blocks registration of the bad plug-in via a penalty point system. Publishers of bad plug-ins are controlled by disabling the bad plug-ins and registering the publisher in an unsafe list. Isolation can be provided in multiple levels, such as machine isolation, process isolation, secure accounts with limited access rights, and application domain isolation within processes using local security mechanisms. A combination of the multiple levels of isolation achieves a high level of security. Isolation provides separation from other plug-in executions and restriction to system resources such as file system and network IP. Moreover, the architecture is a highly scalable, stateless, low-administration architecture for the execution of the plug-ins, which can be scaled by adding/removing additional sandbox servers on-the-fly without prior configuration. | 08-28-2014 |
20140245438 | DOWNLOAD RESOURCE PROVIDING METHOD AND DEVICE - Disclosed are a download resource providing method and device, wherein the method comprises: detecting the security of an original resource to be downloaded by a user; if the original resource is detected to be insecure, querying a secure download resource matching the user's download requirement; and providing the user with link information of the secure download resource. The technical solution of the present invention ensures that the provided alternative resource is secure, while avoiding the consumption of system resources and network bandwidth due to repeated searching and downloading operations by the user. | 08-28-2014 |
20140250524 | Deception-Based Responses to Security Attacks - Deception-based techniques for responding to security attacks are described herein. The techniques include transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domain names associated with malicious activity and, in response to a change, respond with an alert or a configuration update. | 09-04-2014 |
20140250525 | SYSTEMS AND METHODS FOR PREVENTING DATA REMANENCE IN MEMORY - A system for preventing data remanence in memory is provided. The system includes a computing device, a memory chip coupled to the computing device and including memory, and a heater, the heater configured to prevent data remanence in a memory by providing heat to at least a portion of the memory. The memory includes a plurality of bits configured to electronically store data. | 09-04-2014 |
20140250526 | DETECTING FRAUDULENT ACTIVITY BY ANALYSIS OF INFORMATION REQUESTS - Techniques are described for use in inhibiting attempts to fraudulently obtain access to confidential information about users. In some situations, the techniques involve automatically analyzing at least some requests for information that are received by a Web site or other electronic information service, such as to determine whether they likely reflect fraudulent activities by the request senders or other parties that initiate the requests. For example, if a request is being made to a Web site based on a user's interaction with a third-party information source (e.g., another unaffiliated Web site) that is not authorized to initiate the request, the third-party information source may be a fraudulent phishing site or engaging in other types of fraudulent activity. If fraudulent activity is suspected based on analysis of one or more information requests, one or more actions may be taken to inhibit the fraudulent activity. | 09-04-2014 |
20140259156 | DETECTION OF LOCKSTEP BEHAVIOR - Disclosed here are methods, systems, paradigms and structures for determining fraudulent content in a social network. The methods include identifying a plurality of users of the social network who perform a plurality of tasks within the social network in a lockstep manner. In the method, the plurality of users are determined to be performing a given task in the lockstep manner when the plurality of users each perform the given task within a predefined duration of time, where the predefined duration of time is associated with the given task. The method further includes identifying content data generated by the performance of the plurality of tasks by each of the plurality of users. The method further includes determining at least a portion of the content data generated by the performance of the plurality of tasks as fraudulent content. | 09-11-2014 |
20140259157 | Document Classification Using Multiscale Text Fingerprints - Described systems and methods allow a classification of electronic documents such as email messages and HTML documents, according to a document-specific text fingerprint. The text fingerprint is calculated for a text block of each target document, and comprises a sequence of characters determined according to a plurality of text tokens of the respective text block. In some embodiments, the length of the text fingerprint is forced within a pre-determined range of lengths (e.g. between 129 and 256 characters) irrespective of the length of the text block, by zooming in for short text blocks, and zooming out for long ones. Classification may include, for instance, determining whether an electronic document represents unsolicited communication (spam) or online fraud such as phishing. | 09-11-2014 |
20140259158 | Risk Ranking Referential Links in Electronic Messages - A computer system enables a business to reduce risks from phishing electronic messages. One or more original web links embedded in the electronic message may be replaced with a replacement web link. If the determined risk score for the original webpage is large enough and the user clicks on the embedded web link, the user is directed to an intermediate webpage rather than to the original webpage. The intermediate webpage may provide details about the original webpage so that the user can make an informed choice whether to proceed to the original website. For example, the intermediate webpage may provide pertinent information to a user such as the actual domain of the remote site, the country the site is hosted in, how long the site has been online, a rendered screen capture of the remote website, and/or a confidence score. | 09-11-2014 |
20140259159 | Securing File Trust with File Format Conversions - Approaches for ensuring a digital file does not contain malicious code. A digital file in an original format may or may not contain malicious code. An intermediate copy of the digital file in an intermediate format is created from the digital file in the original format. The intermediate format preserves a visual or audio presentation of the digital file without supporting metadata or file format data structures of the original format. A sterilized copy of the digital file is created from the intermediate copy. The sterilized copy is in the original format. The sterilized copy comprises a digital signature indicating that the sterilized copy has been converted from the intermediate format to the original format. Advantageously, the sterilized copy is guaranteed to not possess any malicious code. | 09-11-2014 |
20140259160 | DETECTION OF A THREAT IN A COMMUNICATIONS NETWORK - Disclosed is a method for detecting a threat against a host computer coupled to a front-end computer. A communication connection is established between the host computer and a source computer with a handshake procedure through the front-end computer. Application data is received in the front-end computer from the source computer. The received application data is returned from the front-end computer to the source computer. It is monitored in the front-end computer whether a predetermined message is received from the source computer in response to the return of the application data. If the predetermined message is received in the front-end computer, it is determined that the source computer is a trusted communication party, but if the predetermined message is not received, the source computer is determined to be a threat. The invention also relates to a computing device implementing the method and a computer program product. | 09-11-2014 |
20140259161 | METHOD AND SYSTEMS FOR DETECTING AND ISOLATING HARDWARE TIMING CHANNELS - A method for detecting a timing channel in a hardware design includes synthesizing the hardware design to gate level. Gate level information flow tracing is applied to the gate level of the hardware design via a simulation to search for tainted flows. If a tainted flow is found, a limited number of traces are selected. An input on the limited number of traces is simulated to determine whether the traces are value preserving with respect to taint inputs, and to determine that a timing flow exists if the traces are value preserving with respect to the taint inputs. | 09-11-2014 |
20140259162 | Mobile Devices with Inhibited Application Debugging and Methods of Operation - Applications that have the ability to be debugged also provide an avenue to violate the security of the application. The present invention provides a means to ensure that the debugging aspects of an application can be defeated after development and other test procedures, to keep persons or other applications from starting a debugging procedure that can lead to the discovery of secured or sensitive information and data. The application of the present invention is greatly automated such that anyone beginning a debugging program against the application in a device will be stymied by the application shutting down the debugging before data or other sensitive information can be released. | 09-11-2014 |
20140259163 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet or a session of the packet is associated with a flooding attack. Some embodiments are implemented on network switching devices. | 09-11-2014 |
20140259164 | SECURITY MONITORING - Disclosed are systems, apparatus, methods, and computer readable media for determining a confidentiality for a site record. In one embodiment, a site record for analysis is identified at a computing device. The computing device may identify a source for the site record and determine, based on the source, a source-based confidentiality for the site record. The computing device may identify, based on the site record, a designated confidentiality for the site record, and determine that the designated confidentiality is different from the source-based confidentiality. Responsive to the determination that the designated confidentiality is different from the source-based confidentiality, the computing device may store the source-based confidentiality for the site record on a storage medium. | 09-11-2014 |
20140259165 | METHOD AND DEVICE FOR MANAGING AN ARRAY OF KEYS, WITH PROTECTION AGAINST AN ACTIVE SPY DEVICE, COMPUTER PROGRAM PRODUCT AND STORAGE MEANS CORRESPONDING THERETO - There is proposed a method of managing an array of keys by a device, each key pressed short-circuiting a row and a column of the array. During at least part of a time slot lying between two successive iterations of a sweep phase, the device performs a first protection mechanism, including reading a logic value on at least one row or column, and detecting an attempted illicit sweep as a function of the logic value read, and/or a second protection mechanism, including writing an arbitrary logic value, equal to or different from the predetermined logic value, on at least one row or column, so as to prevent an attempted illicit sweep. | 09-11-2014 |
20140283024 | Method for efficient behavioral analysis on a mobile station - Disclosed is a method for efficient behavioral analysis on a mobile station. In the method, one or more first behavioral characteristics associated with a first state of a finite state machine are observed. The one or more first behavioral characteristics may comprise a first subset of observable behavioral characteristics. The mobile station transitions from the first state to a second state. One or more second behavioral characteristics associated with the second state of the finite state machine are observed. The one or more second behavioral characteristics may comprise a second subset of the observable behavioral characteristics. | 09-18-2014 |
20140283025 | SYSTEMS AND METHODS FOR MONITORING ACTIVITY WITHIN RETAIL ENVIRONMENTS USING NETWORK AUDIT TOKENS - Systems and methods for monitoring activity within retail environments using network audit tokens are disclosed herein. According to an aspect, a method may include using a processor and memory of a first computing device for determining information associated with an activity of the first computing device within a network environment. The method also includes receiving a network audit token from a second computing device within the retail environment. Further, the method includes communicating the information associated with the activity to a third computing device in response to receipt of the network audit token. | 09-18-2014 |
20140283026 | METHOD AND APPARATUS FOR CLASSIFYING AND COMBINING COMPUTER ATTACK INFORMATION - A method and apparatus for classifying and combining computer attack information identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other, the method comprising identifying as malicious events, events in a network that cause organizationally or functionally distant entities to become closer to each other. | 09-18-2014 |
20140283027 | Auditing User Actions in Treatment Related Files - The subject matter disclosed herein provides methods for monitoring treatment related files for the occurrence of audit events and logging these occurrences. In one aspect, there is provided a method that can include associating one or more audit events with one or more files stored in a database. The files can be related to providing a treatment to a patient, and the audit events can include the viewing of the one or more files. The method can further include monitoring the one or more files for an occurrence of the one or more associated audit events, and adding a log entry to a log when an associated audit event occurs in the files. The log entry can identify the files in which the associated audit event occurs and an entity that initiated the audit event. Related apparatus, computer program products, systems, techniques and articles are also described. | 09-18-2014 |
20140283028 | MALICIOUS REQUEST ATTRIBUTION - Methods, apparatuses, and computer readable media for malicious request attribution are presented. For example, according to one aspect, requests for one or more records may be received from a requesting computing device. A determination may be made that the requests are of a malicious nature. Responsive to determining that the requests are of a malicious nature, one or more requests for obtaining information about the requesting computing device may be generated, and communicated to the requesting computing device. In some embodiments, at least one of the one or more requests for obtaining information about the requesting computing device may be configured to cause the requesting computing device to fail to properly render at least a portion of a web page comprising at least one of the one or more records. | 09-18-2014 |
20140283029 | SYSTEM AND METHOD FOR DETECTION OF ROGUE ROUTERS IN A COMPUTING NETWORK - A method and apparatus for detecting the presence of a rogue router in a computer network is described. The method may include transmitting a router solicitation message. The method may also include receiving a plurality of response messages to the router solicitation message from a first plurality of router devices, wherein the response messages are used to perform an operation other than assigning an internet protocol (IP) address to the device. | 09-18-2014 |
20140283030 | PROTECTING NETWORKS FROM CYBER ATTACKS AND OVERLOADING - Packets may be received by a packet security gateway. Responsive to a determination that an overload condition has occurred in one or more networks associated with the packet security gateway, a first group of packet filtering rules may be applied to at least some of the packets. Applying the first group of packet filtering rules may include allowing at least a first portion of the packets to continue toward their respective destinations. Responsive to a determination that the overload condition has been mitigated, a second group of packet filtering rules may be applied to at least some of the packets. Applying the second group of packet filtering rules may include allowing at least a second portion of the packets to continue toward their respective destinations. | 09-18-2014 |
20140283031 | SYSTEMS AND METHODS FOR DETERMINING TRUST LEVELS FOR COMPUTING COMPONENTS - Systems and methods for determining trust levels for components of a computing application including a development framework, a trust matrix, a trust level calculation module, a visual design subsystem, and a deployment subsystem, where trust levels are associated with components, combinations of components, graphs, and blueprints, where trust levels relate to categories of use. | 09-18-2014 |
20140283032 | INTER-PROCESSOR ATTESTATION HARDWARE - Embodiments of an invention for inter-processor attestation hardware are disclosed. In one embodiment, an apparatus includes first attestation hardware associated with a first portion of a system. The first attestation hardware is to attest to a second portion of the system that the first portion of the system is secure. | 09-18-2014 |
20140283033 | SYSTEMS AND METHODS FOR TOKENIZING USER-GENERATED CONTENT TO ENABLE THE PREVENTION OF ATTACKS - The present invention relates to systems and methods for the tokenization of user-generated content in order to prevent attacks on the user-generated content. The systems and methods initially pre-process the user-generated content string utilizing a secondary input of target language. Pre-processing may also include initialization of finite state machines, token markers and string buffers (text, HTML tag name, HTML attribute name, HTML attribute value, CSS selector, CSS property name, and CSS property value). The user-generated content string is scanned by rune, and the system sends each rune to a specific buffer based upon signaling by individual finite state machine states. Buffers are then converted to token stream nodes to be inserted into the token stream. The tokens represent a string of characters and are symbolically categorized according to activated finite state machine states. | 09-18-2014 |
20140283034 | SECURE DEVICE PROFILING COUNTERMEASURES - Systems and method are disclosed for performing profiling on a secure device. In embodiments, a plurality of counters are established. Each counter may be related to a different type of message. When the secure device receives and/or processes a message, it determines the type of message and adjusts a counter related to the determined message type. A ratio may be computed between the different counters. When the ratio deviates from a threshold, the secure device may be performing illegitimate operations, and one or more countermeasures are deployed against the illegitimate secure device. | 09-18-2014 |
20140283035 | TECHNIQUES FOR PREDICTING AND PROTECTING SPEARPHISHING TARGETS - Techniques for predicting and protecting spearphishing targets are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for predicting and protecting spearphishing targets. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify one or more potential spearphishing targets based on information from an organization, receive additional information associated with the one or more potential spearphishing targets and the organization from publicly available sources, determine a threat level of a spearphishing attack on the one or more potential spearphishing targets based on the information from the organization and the additional information, and generate a report of the one or more potential spearphishing targets and the threat level associated with the one or more potential spearphishing targets. | 09-18-2014 |
20140283036 | MITIGATING JUST-IN-TIME SPRAYING ATTACKS IN A NETWORK ENVIRONMENT - An example method for mitigating JIT spraying attacks in a network environment is provided and includes protecting an output of a just-in-time (JIT) compiler against attacks during application execution at least by intervening from outside the application into a JIT page generated by the JIT compiler in a memory element of a host. In a specific embodiment, the intervening can include rewriting the JIT page. In specific embodiments, the method can further include generating a shadow page corresponding to the JIT page in the memory element. The method can further include randomly choosing at least one block of instructions in the JIT page, moving the at least one block of instructions to the shadow page, and replacing the at least one block of instructions in the JIT page with at least one of invalid opcodes and halt instructions. | 09-18-2014 |
20140283037 | System and Method to Extract and Utilize Disassembly Features to Classify Software Intent - A system and method operable to identify malicious software by extracting one or more features disassembled from software suspected to be malicious software and employing one or more of those features in a machine-learning algorithm to classify such software. | 09-18-2014 |
20140283038 | Safe Intelligent Content Modification - A computer-implemented method for deflecting abnormal computer interactions includes receiving, at a computer server system and from a client computer device that is remote from the computer server system, a request for web content; identifying, by computer analysis of mark-up code content that is responsive to the request, executable code that is separate from, but programmatically related to, the mark-up code content; generating groups of elements in the mark-up code content and the related executable code by determining that the elements within particular groups are programmatically related to each other; modifying elements within particular ones of the groups consistently so as to prevent third-party code written to interoperate with the elements from interoperating with the modified elements, while maintaining an ability of the modified elements within each group to interoperate with each other; and recoding the mark-up code content and the executable code to include the modified elements. | 09-18-2014 |
20140283039 | ENHANCED SECURITY FOR HARDWARE DECODER ACCELERATOR - A software security layer may be used to protect a system against exploitation of a hardware encoder accelerator by malicious data embedded in the one or more frames of encoded digital streaming data. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. | 09-18-2014 |
20140283040 | Hard Object: Lightweight Hardware Enforcement of Encapsulation, Unforgeability, and Transactionality - A hardware-implemented method to support three desirable software properties: encapsulation, referential integrity/capabilities, and transactions. These properties in turn may be used to support software correctness, specifically the enforcement of invariants, and computer security, specifically protecting parts of programs from each other within a single process. | 09-18-2014 |
20140283041 | MALICIOUS CODE DETECTION TECHNOLOGIES - An embodiment of the present application provides technologies for detecting malicious content embedded in content downloaded from an external source. The downloaded content is converted into an opcode sequence by a web browser in a computing device. The opcode sequence is compared with a pre-stored opcode signature. The opcode signature comprises multiple sentences, and each sentence has multiple clauses. Each clause may include a matching opcode, a condition, an instruction, and an identifier. When a matching opcode in a clause matches an opcode of the opcode sequence, and the condition specified in the clause is determined to be true, the instruction in the clause is taken and the next sentence identified by the identifier is matched against the opcode sequence. Eventually, the last taken clause in the opcode signature may indicate whether the opcode sequence contains malicious code. | 09-18-2014 |
20140283042 | DETECTION OF NON-VOLATILE CHANGES TO A RESOURCE - Policies are communicated to a kernel service of an Operating System (OS) that define resource identifiers and events. When an event is received (from the kernel service) for a resource, the event is noted. Subsequent events received (from the kernel service) are: tracked, evaluated, and a determination is made whether a near real-time or real-time notification is to be sent. | 09-18-2014 |
20140283043 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit. | 09-18-2014 |
20140283044 | Method and Device For Preventing Application in an Operating System From Being Uninstalled - Provided are a method and device for preventing an application in an operating system from being uninstalled. The method includes monitoring the operation executed for the application; determining whether the operation executed for the application is to uninstall the application; and, if the operation executed for the application is to uninstall the application, displaying at the client a prompt asking whether the user agrees to uninstall the application. The prompt may be displayed at the client after the operation executed for the application is determined to be an uninstall. Therefore, the method may prevent malicious software from uninstalling applications maliciously, enhancing the security of the intelligent terminal. | 09-18-2014 |
20140283045 | MANAGING VIRTUAL COMPUTING TESTING - Systems, methods, and interfaces for the management of virtual machine networks and other programmatically controlled networks are provided. Hosted virtual networks are configured in a manner such that a virtual machine manager of the virtual network may monitor activity such as user requests, network traffic, and the status and execution of various virtual machine instances to determine possible security assessments. A security assessment may be performed before, after, or simultaneous to the execution of the activity associated with the security assessment event. The execution of an activity may further be synchronous with the results of the security assessment. The timing of the assessment may correspond to the type of assessment or type of activity that is requested or detected. | 09-18-2014 |
20140289847 | SYSTEMS AND METHODS FOR SCALABLE NETWORK MONITORING - A network security device may gather a large amount of metadata pertaining to the connections being managed thereby. A refinement module may filter and/or aggregate the connection metadata. The metadata may be refined on the network security device. The refined metadata may be provided for display on a terminal. The refined metadata may include a subset of the larger connection metadata, which may reduce the overhead required to display and/or transmit monitoring information to the terminal device. The refined metadata may comprise connection groups, which may be formed based on aggregation criteria, such as connection source, destination, application, security policy, protocol, port, and/or the like. The connection groups may be ranked in accordance with ranking criteria. | 09-25-2014 |
20140289848 | METHOD FOR CLASSIFYING PACKING ALGORITHMS USING ENTROPY ANALYSIS - A method for classifying packed executables is provided. The method includes unpacking an input packed executable by using a decompression module included in the packed executable; calculating an entropy value of the memory space onto which decompressed code is loaded during the unpacking step; converting the entropy value into symbolic representations; and classifying the packing algorithms of the packed executables based on the entropy value converted into symbolic representations. The step of classifying includes inputting the entropy value converted into symbolic representations to a packing classifier which classifies the packing algorithms of the packed executables based on similarity between a pattern of the packing classifier and the data converted into the symbolic representations. | 09-25-2014 |
20140289849 | APPLICATION SELECTION USING CURRENT DETECTION INTELLIGENCE - Selecting one or more applications from the plurality of similar or near redundant applications to activate. A method includes retrieving information about current characteristics of one or more applications. The method further includes retrieving information about a current computing operational landscape. Based on the information about current characteristics of one or more applications and the information about a current computing operational landscape, the method further includes creating a ranking of applications. The rankings are made available to a system with a plurality of applications with similar or near redundant functionality. At the system, one or more of the applications in the plurality of applications are selected to activate based on the ranking of applications. | 09-25-2014 |
20140289850 | AUTOMATIC APPROACH FOR THE PERSONALIZED PRIVACY RECOMMENDATION RELATED TO THE LOCATION - A method for personalized location privacy recommendation comprises: obtaining information of one or more locations for a user; collecting features of the one or more locations; and recommending respective privacy levels of the one or more locations automatically based at least in part on the information and the features. | 09-25-2014 |
20140298452 | SECURE COMPUTING DEVICE USING NEW SOFTWARE VERSIONS - A computing device includes a central processing resource, memory, a network interface, and a security control module. The security control module is operable to determine to change at least a portion of a program of the computing device. When the program, or portion thereof, is to be changed, the security control module sends a request to a software generation module for a new version of the program, or portion thereof. The security control module then receives the new version of the program, or portion thereof, and replaces, within the memory, the program, or portion thereof, with the new version of the program, or portion thereof. When the program is evoked, the central processing resource uses the new version of the program, or portion thereof, such that execution of the program is changed, which changes internal operation of the computing device thereby reducing adverse impact of malicious software. | 10-02-2014 |
20140298453 | SECURE COMPUTING DEVICE USING A LIBRARY OF PROGRAMS - A computing device includes a central processing resource, memory, a network interface, and a security control module. The security control module determines when to change a program of the computing device. When the program is to be changed, the security control module accesses a library of programs that includes a plurality of versions of the program and selects one of the plurality of versions of the program. The security control module then updates an active program list to include the selected version of the program. When the program is evoked, the central processing resource uses the selected version of the program such that execution of the program is changed, which changes internal operation of the computing device thereby reducing adverse impact of the malicious software. | 10-02-2014 |
20140298454 | SECURE COMPUTING DEVICE USING DIFFERENT CENTRAL PROCESSING RESOURCES - A computing device includes central processing resources, memory, a network interface, and a security control module. The security control module determines when to change operation of a program of the computing device. When the operation of the program is to be changed, the security control module identifies a first processing resource of the central processing resources that is currently assigned to execute the program and selects a second processing resource of the central processing resources for subsequent execution of the program. The security control module then ascertains first execution settings of the program as used by the first processing resource and facilitates conversion of the first execution settings into second execution settings for the second processing resource. The security control module then de-assigns the first processing resource from executing the program and assigns the second processing resource to execute the program. | 10-02-2014 |
20140298455 | CRYPTOGRAPHIC MECHANISMS TO PROVIDE INFORMATION PRIVACY AND INTEGRITY - A security engine may be selected from a plurality of security engines to apply one or more security mechanisms to a section of source code of an application. In some cases, the section of source code may be identified by one or more security mechanism identifiers included in the source code. The security engine may generate machine-readable code that corresponds to the section of source code for which the one or more security mechanisms are to be applied. The machine-readable code may be executed on a plurality of computing devices. In one implementation, applying the security mechanisms to the section of source code may include producing zero-knowledge proofs of knowledge for the section of source code. | 10-02-2014 |
20140298456 | SECURING APPLICATIONS FOR COMPUTING DEVICES - Systems and methods for securing hybrid applications for computing devices are described. According to the present subject matter, the system(s) implement the described method(s) for building and execution of secure hybrid applications. During build of the hybrid application, the disclosed method may incorporate identifying of at least one non-native file of the hybrid application, generating a primary Unique Identifier (UI) associated with the at least one non-native file, and storing the generated primary UI as a part of the hybrid application to form a secure hybrid application. During execution of the secure hybrid application the disclosed method may incorporate identifying of at least one non-native file of the secure hybrid application, generating a secondary UI associated with the at least one non-native file, extracting primary UI stored in the secure hybrid application. The system/method may further implement determining whether the generated secondary UI is different from the extracted primary UI. | 10-02-2014 |
20140298457 | METHOD AND APPARATUS FOR COLLECTING HARMFUL INFORMATION USING BIG DATA ANALYSIS - Disclosed are a method and apparatus for collecting harmful information that analyze a plurality of packets collected in real time from a network and collect information on harmful sites. The harmful information collecting method includes receiving a plurality of packets collected by at least one packet collecting unit, analyzing whether the received packets include harmful information, extracting information on harmful sites from which corresponding packets are transmitted if the analyzed packets include harmful information, and storing the extracted information on harmful sites in a database. | 10-02-2014 |
20140298458 | DEVICE AND METHOD FOR PROCESSING DATA - An electronic device for processing data includes: an input interface for receiving input data; a processing module for processing data; and an encoding unit configured to encode data words received at the input interface as input data, in order to obtain encoded data words. The encoding unit is configured to encode the data words in such a manner that a specified proportion of all encoded data words have a specified Hamming distance and/or a specified Hamming weight. The processing module is configured to process the encoded data words. | 10-02-2014 |
20140298459 | Device and method for processing data - A device for processing data, the device having an input interface for receiving input data and a processing module for processing data, characterized in that an encoding unit is provided, which is configured to encode data words received at the input interface as input data, in order to obtain encoded data words; measured values characterizing the encoded data words and/or their processing by the device being ascertainable for encoded data words as a function of at least one physical variable of the device; the encoding unit being configured to encode the data words in such a manner, that a specifiable proportion of all measured values, which may be at least approximately 50% of all measured values, exhibit a difference from the setpoint value, which is less than or equal to a specifiable threshold value; and the processing module is configured to process the encoded data words. | 10-02-2014 |
20140304810 | SYSTEMS AND METHODS FOR PROTECTING CLUSTER SYSTEMS FROM TCP SYN ATTACK - The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generate a secret key value that is embedded in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped. | 10-09-2014 |
20140304811 | MECHANISM FOR MONITORING DATA USING WATCHLIST ITEMS - Embodiments of the present invention provide a mechanism for monitoring data using a watchlist item and a watchlist item definition that includes a set of parameters for identifying a set of data items for user action and criteria for recommending or requiring user action for the set of data items to be identified. | 10-09-2014 |
20140304812 | FILE SCANNING METHOD AND SYSTEM, CLIENT AND SERVER - A file scanning method and a file scanning system, a client and a server are disclosed. The server may determine a property indicator of a file, that represents probability of the file being a malicious program. The server may make this determination based on a comprehensive consideration of attribute information of the file. The attribute information may be reported by a plurality of clients. The server may send the property indicator to the clients. The clients may determine, according to the property indicator, a scanning strategy on whether to scan the file. Alternatively, the server may determine, according to the property indicator, a scanning strategy on whether to scan the file, and may send the scanning strategy to the clients. The clients may scan the file in accordance with the scanning strategy. Accordingly, only the file with higher probability of being a malicious program may be selectively scanned. | 10-09-2014 |
20140304813 | DISTRIBUTED NETWORK ANOMALY DETECTION - A network device may include multiple interfaces, each including a local database to store, in a first group of local records, information associated with a first group of data units sent from or received by a first one of the group of interfaces; a global database to store, in a group of global records, information associated with the first group of data units and information associated with a second group of data units sent from or received by a second one of said group of interfaces. The device may include a processor, to manage the local database and the global database; broadcast at least one of the local records to the second one of the group of interfaces; and analyze each of the local records to identify potential anomalies in the first group of data units. | 10-09-2014 |
20140304814 | SYSTEM AND METHODS FOR AUTOMATICALLY DETECTING DECEPTIVE CONTENT - Systems and methods for detecting deceptive opinion spam. Certain embodiments include a classifier with improved accuracy for detecting deceptive opinion entries. A feature analysis of learned models reveals a relationship between deceptive opinions and imaginative writing. By modeling deception in a generative framework, the prevalence of deception in two popular online review communities may be determined. Deceptive opinion spam is a rapidly growing and widespread problem, especially in review communities with minimal posting requirements. | 10-09-2014 |
20140304815 | PROGRAM ANALYSIS/VERIFICATION SERVICE PROVISION SYSTEM, CONTROL METHOD FOR SAME, CONTROL PROGRAM, CONTROL PROGRAM FOR DIRECTING COMPUTER TO FUNCTION, PROGRAM ANALYSIS/VERIFICATION DEVICE, PROGRAM ANALYSIS/VERIFICATION TOOL MANAGEMENT DEVICE - A program analysis/verification service provision system ( | 10-09-2014 |
20140310807 | Cloud-based secure download method - The invention provides a cloud-based secure download method. A download terminal carries out an information interaction with a cloud security server via the Internet, comprising the following steps of: acquiring, by the download terminal, a URL address of a file to be downloaded by a user; comparing the URL address of the file to be downloaded with a malicious URL list in the cloud security server; and prompting a comparison result to the user by the download terminal. | 10-16-2014 |
20140310808 | Detection of Stealthy Malware Activities with Traffic Causality and Scalable Triggering Relation Discovery - A computer system for distinguishing user-initiated network traffic from malware-initiated network traffic comprising at least one central processing unit (CPU) and a memory communicatively coupled to the CPU. The memory includes a program code executable by the CPU to monitor individual network events to determine for an individual network event whether the event has a legitimate root-trigger. Malware-initiated traffic is identified as an individual network event that does not have a legitimate root-trigger. | 10-16-2014 |
20140317730 | Providing a Domain to IP Address Reputation Service - An approach is provided to verify a network address. In the approach, a network address is received from a domain name service (DNS) based on a requested uniform resource locator (URL) that corresponds to a requested domain. A set of one or more network addresses previously established as corresponding to the requested domain is retrieved from a data store accessible from the information handling system. The information handling system is automatically connected to the network address in response to the received network address matching one of the set of one or more retrieved network addresses. | 10-23-2014 |
20140317731 | Executable Component Injection Utilizing Hotpatch Mechanisms - Techniques for causing a component loader associated with a hotpatch mechanism to execute a user-mode component which, when executed, creates a user-mode process, thread, or held reference are described herein. The component may further indicate to the component loader that it lacks hotpatch data, causing the component loader to unload the component. In some implementations, a kernel-mode module may initially provide the component to the hotpatch mechanism with an entrypoint of the component set to zero and with hotpatch data for the component loader. The hotpatch mechanism may apply the hotpatch data, modifying the component loader such that the component loader requests execute rights for a section object for the component. The kernel-mode module may then set the entrypoint such that the component becomes executable, and provides the section object and component to the hotpatch mechanism to cause the component loader to execute the component. | 10-23-2014 |
20140317732 | CATEGORIZING SOCIAL NETWORKING SYSTEM USERS BASED ON USER CONNECTIONS TO OBJECTS - When a social networking system receives a report of malicious activity, the social networking system calculates disabled connectivity score for a user reporting the activity or identified by the report. The disabled connectivity score indicates how strongly the user is associated with other objects that have been disabled by the social networking system. Hence, the disabled connectivity score provides a measure of the user's trustworthiness that is used to determine a type of action to be taken in response to the report. Examples of actions that may be taken when a report is received include ignoring the report, further reviewing the report, or taking remedial action by disabling or deleting an object maintained by the social networking system that is the subject of the report. | 10-23-2014 |
20140317733 | METHOD AND CLIENT FOR ENSURING USER NETWORK SECURITY - A method and client for ensuring user network security, the method comprising: detecting whether a user opens a login operation mode or payment operation mode via a client; and when detecting that the user opens the login operation mode or payment operation mode, performing security monitoring for the login procedure or payment procedure of the user according to a preset security strategy. By applying the embodiment of the present invention, when a client user is in a login procedure or online payment procedure, security protection can be implemented for the login procedure or payment procedure via multiple security strategies specially used for ensuring the login procedure or payment procedure, and network security is ensured for the user during the login procedure or payment procedure via risky process interception, executable file prompt and browser invoke monitoring. | 10-23-2014 |
20140317734 | Adaptive Observation of Behavioral Features on a Mobile Device - Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources. | 10-23-2014 |
20140325643 | DETECTING ANOMALIES IN WORK PRACTICE DATA BY COMBINING MULTIPLE DOMAINS OF INFORMATION - One embodiment of the present invention provides a system for multi-domain clustering. During operation, the system collects domain data for at least two domains associated with users, wherein a domain is a source of data describing observable activities of a user. Next, the system estimates a probability distribution for a domain associated with the user. The system also estimates a probability distribution for a second domain associated with the user. Then, the system analyzes the domain data with a multi-domain probability model that includes variables for two or more domains to determine a probability distribution of each domain associated with the probability model and to assign users to clusters associated with user roles. | 10-30-2014 |
20140325644 | OPERATING SYSTEM-INDEPENDENT INTEGRITY VERIFICATION - An integrity verification subsystem can verify the integrity of software and firmware modules on a computing device at load time and/or at run time, independently of any operating systems that may be installed on the computing device. Some versions of the integrity verification subsystem can operate in physical and/or virtualized system environments, including virtualized mobile device architectures. | 10-30-2014 |
20140325645 | DEVICE, SYSTEM, AND METHOD OF DETECTING HARDWARE COMPONENTS - Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account. | 10-30-2014 |
20140325646 | DEVICE, SYSTEM, AND METHOD OF DETECTING MULTIPLE USERS ACCESSING THE SAME ACCOUNT - Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account. | 10-30-2014 |
20140325647 | METHODS AND SYSTEMS FOR INTERNET PROTOCOL (IP) PACKET HEADER COLLECTION AND STORAGE - A computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is described. The method includes capturing IP packets from a network, stripping packet header data from the captured IP packets, calculating a cyclic redundancy code (CRC) from one or more fields of the packet header data, determining whether any packet header data has occurred multiple times by comparing the calculated CRC to stored CRCs in each of successive entries in a cache, and storing, in a database, only a single instance of packet header data for any packet header data that is determined to have occurred multiple times. | 10-30-2014 |
20140325648 | Attack Defense Method and Device - An attack defense method and device. The method includes counting the number of renegotiations in a transmission control protocol (TCP) connection, where the number of the renegotiations is the number of repeated negotiations between a client and a server in the TCP connection. When the number of the renegotiations in the TCP connection is greater than a preset threshold of the number of renegotiations, determining that the TCP connection is an abnormal connection and disconnecting the TCP connection. Embodiments of the present invention also provide an attack defense device, implementing effective defense against a secure socket layer (SSL) denial of service (DOS) attack behavior. | 10-30-2014 |
20140331317 | CONTEXT-AWARE PERMISSION CONTROL OF HYBRID MOBILE APPLICATIONS - Controlling access to secure resources of a data processing system is provided. An input-to-output mapping of an application installed on the data processing system is generated that determines whether a secure resource in the data processing system is shared with an external entity associated with the application and under what specified conditions. It is determined whether the specified conditions exist during runtime of the application. In response to determining that the specified conditions do not exist during runtime of the application, sharing of the secure resource of the data processing system with the external entity associated with the application is prevented. In response to determining that the specified conditions do exist during runtime of the application, sharing of the secure resource of the data processing system with the external entity associated with the application is allowed. | 11-06-2014 |
20140331318 | SECURING EMAIL COMMUNICATIONS - Methods and systems are provided for securing email communications. According to one embodiment, a network device evaluates whether a domain name of a target recipient of an outbound email is present in a local white list or a local black list. If it is found in the local white list, the email is transmitted to the target recipient. If it is found in the local black list, transmission of the email to the target recipient is prevented. When the domain name is present in neither the local black list nor the local white list, a global doppelganger database is checked. If it is found in the global doppelganger database, the email is handled according to a corresponding acceptability flag; otherwise, the validity of the domain name is dynamically verified and the email is handled according to the verification result. | 11-06-2014 |
20140331319 | Method and Apparatus for Detecting Malicious Websites - A method and apparatus for detecting malicious websites is disclosed. | 11-06-2014 |
20140337971 | COMPUTER INFRASTRUCTURE SECURITY MANAGEMENT - A mapping system is provided that makes use of security data collected from various data sources. Following appropriate pre-processing, the mapping system analyses the security data to provide estimated values for parameters in a security model, the security model in turn being based on one or more mathematical representations. | 11-13-2014 |
20140337972 | Social Threat Scoring - A method includes identifying data on a social network that is associated with a social entity, and determining one or more characteristics of the identified data. A reference to the identified data is generated for each of the one or more characteristics. Each generated reference is compared to one or more known references, and a risk score for a social entity is determined based on each of the comparisons. A confidence score for the risk score is determined. | 11-13-2014 |
20140337973 | SOCIAL RISK MANAGEMENT - A method includes determining a protected social entity based on one or more user inputs, and monitoring data on one or more social networks that is related to the protected social entity. A risk to the protected social entity is determined based on the monitored data, and risk management data describing that risk is provided to a user. | 11-13-2014 |
20140344924 | PREVENTING UNAUTHORIZED CALLS TO A PROTECTED FUNCTION - An obfuscated program can be configured to resist attacks in which an attacker directly calls a non-entry function by verifying that an execution path to the function is an authorized execution path. To detect an unauthorized execution order, a secret value is embedded in each function along an authorized execution path. At runtime, the secrets are combined to generate a runtime representation of the execution path, and the runtime representation is verified against an expected value. To perform the verification, a verification polynomial is evaluated using the runtime representation as input. A verification value result of zero means the execution path is an authorized execution path. | 11-20-2014 |
20140344925 | SYSTEMS AND METHODS FOR REDUCING DENIAL OF SERVICE ATTACKS AGAINST DYNAMICALLY GENERATED NEXT SECURE RECORDS - In one aspect, the present disclosure is directed to a method for reducing denial of service (DoS) attacks against dynamically generated next secure (NSEC) records. A domain name system (DNS) proxy may prevent spoofed IP addresses by forcing clients to transmit DNS queries via transmission control protocol (TCP): it replies to a user datagram protocol (UDP) DNS request with a blank or predetermined resource record with the truncation bit set, indicating that the record is too large to fit within a single UDP packet payload. Under the DNS specification, the client must then re-transmit the DNS request via TCP. Upon receipt of the retransmitted request via TCP, the DNS proxy may generate fictitious neighbor addresses and a signed NSEC record and transmit the record to the client. Accordingly, the DNS proxy need not waste time and processor cycles generating and signing records for requests from spoofed IP addresses via UDP. | 11-20-2014 |
20140344926 | SYSTEM AND METHOD EMPLOYING STRUCTURED INTELLIGENCE TO VERIFY AND CONTAIN THREATS AT ENDPOINTS - A system and method to detect and contain threatening executable code by employing a threat monitor, verifier, endpoint agent, and a security information and event management module. | 11-20-2014 |
20140344927 | DEVICE, SYSTEM, AND METHOD OF DETECTING MALICIOUS AUTOMATIC SCRIPT AND CODE INJECTION - Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account. | 11-20-2014 |
20140344928 | SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS - Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display. | 11-20-2014 |
20140344929 | SYSTEM AND METHOD FOR IDENTIFYING ABUSIVE ACCOUNT REGISTRATION - Disclosed is a system and method for processing account registration by identifying account candidates attempting to open an account as abusive. That is, the present disclosure discusses identifying, challenging and marking abusive account registration. The present disclosure takes into account users' behaviors on a network and the impact to the cost and/or revenue of the network. The present disclosure is proactive, as it allows for actions to be taken at the earliest possible time in the registration process, before an account is created. This prevents abusive activity from taking place within the network and affecting services and privileges available to legitimate users. Additionally, the disclosed systems and methods minimize the negative impacts of abusive activity on normal user accounts. | 11-20-2014 |
20140351929 | METHOD AND SYSTEM FOR MITIGATING INTEREST FLOODING ATTACKS IN CONTENT-CENTRIC NETWORKS - One embodiment of the present invention provides a system for mitigating interest flooding attacks in content-centric networks (CCNs). During operation, the system receives, at a physical interface of a router, an interest packet; obtains current interest satisfaction statistics associated with the physical interface; and determines whether to forward or drop the interest packet based on the current interest satisfaction statistics. | 11-27-2014 |
20140351930 | GENERIC PRIVILEGE ESCALATION PREVENTION - An apparatus, method, and computer readable storage medium are provided in one or more examples and comprise accessing an application, identifying an access token of the application, determining if the access token is a system token, and, responsive to the access token failing to be a system token, enabling a runtime module. | 11-27-2014 |
20140351931 | METHODS, SYSTEMS AND MEDIA FOR DETECTING NON-INTENDED TRAFFIC USING CO-VISITATION INFORMATION - A non-transitory processor-readable medium is provided that stores code representing instructions to be executed by a processor to receive data associated with access by a first plurality of entities to a first website location and to receive data associated with access by a second plurality of entities to a second website location. The processor is also caused to define a co-visitation factor for each of the first website location and the second website location based on the received data. The processor is also caused to, if the co-visitation factor of the first website location and/or the co-visitation factor of the second website location is over a predefined threshold, select the first website location and/or the second website location as target website locations. The processor is caused to send a signal to set a flag associated with each target website location indicating the target website location as a suspicious website location. | 11-27-2014 |
20140351932 | SYSTEMS AND METHODS FOR BROADCAST WLAN MESSAGES WITH MESSAGE AUTHENTICATION - Systems, methods, and devices for multicast wireless local area network messages with message authentication are described herein. The method includes determining a message integrity check value for each of a plurality of wireless devices. The method further includes transmitting a multicast packet to each of the plurality of devices on a wireless local area network, the multicast packet including an indication of each of the plurality of devices and the message integrity check value for each of the plurality of devices. | 11-27-2014 |
20140359759 | FRAUDULENT DATA DETECTOR - An apparatus identifies suspicious data records having two or more numerical fields. A first hardware selector identifies a set of records for analysis. A second hardware selector identifies fields within the identified records that are appropriate for a Benford analysis. A Benford analysis engine calculates a Benford distribution for each identified field. A hardware aggregator sums a total score for each record from the set of records, where each total score comprises a summation of deviant values for each appropriate field value within the record, and where a deviant value represents a difference between the calculated Benford distribution for a field and the theoretical Benford distribution for that field. A third hardware selector selects the record from the set of records with the highest total score. | 12-04-2014 |
20140359760 | SYSTEM AND METHOD FOR DETECTING PHISHING WEBPAGES - A processor controlled hybrid method, an apparatus and a computer readable storage medium for identifying a phishing webpage are provided. The method comprises capturing overall visual information and overall structural information about a webpage being browsed by a user, comparing that information with the overall visual information and overall structural information of a legitimate webpage or a phishing webpage stored in a webpage database, calculating a measure of similarity, assessing the measure against a pre-determined threshold, and, when the measure of similarity is above the pre-determined threshold, identifying the webpage as a phishing webpage. The method may also provide for collecting and comparing visual information and, optionally, structural information. | 12-04-2014 |
20140359761 | SYSTEM AND METHOD FOR MALWARE DETECTION LEARNING - Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples: the malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy. | 12-04-2014 |
20140359762 | BEHAVIORAL TRACKING SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UNDOING EVENTS BASED ON USER INPUT - A behavioral tracking system, method, and computer program product are provided for undoing events based on user input. In use, a plurality of unclassified events is identified on a system utilizing behavioral tracking. Additionally, input associated with at least one of the unclassified events is received from a user of the system for classifying the at least one of the unclassified events as an unwanted event. Further, the at least one unwanted event is undone in response to the receipt of the input. | 12-04-2014 |
20140359763 | Determination of Spoofing of a Unique Machine Identifier - In one embodiment, an edge network device may monitor a network service that is provided at a network service device. Information related to the monitored network service may be temporarily stored at the edge network device and transmitted to a remote network device. In one embodiment, an administrative device may compare current extracted information with stored historical information to determine if a unique machine identifier of an end user device has been spoofed. | 12-04-2014 |
20140359764 | REASSEMBLY-FREE DEEP PACKET INSPECTION ON MULTI-CORE HARDWARE - Some embodiments of reassembly-free deep packet inspection (DPI) on multi-core hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently. | 12-04-2014 |
20140359765 | Method for Validating an Untrusted Native Code Module - A system that validates a native code module. During operation, the system receives a native code module comprised of untrusted native program code. The system validates the native code module by: (1) determining that code in the native code module does not include any restricted instructions and/or does not access restricted features of a computing device; and (2) determining that the instructions in the native code module are aligned along byte boundaries such that a specified set of byte boundaries always contain a valid instruction and control flow instructions have valid targets. The system allows successfully-validated native code modules to execute, and rejects native code modules that fail validation. By validating the native code module, the system facilitates safely executing the native code module in the secure runtime environment on the computing device, thereby achieving native code performance for untrusted program binaries without significant risk of unwanted side effects. | 12-04-2014 |
20140366132 | Systems and Methods for Dynamic Protection from Electronic Attacks - Systems and methods for gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats. | 12-11-2014 |
20140373136 | PROACTIVE SECURITY SYSTEM FOR DISTRIBUTED COMPUTER NETWORKS - According to some embodiments, a method and apparatus are provided to receive, at a central security manager located on a computer network, first network information from a first network resource associated with a first network perspective and receive, at the central security manager, second network information from a second network resource associated with a second network perspective. The first network information and the second network information are aggregated. A potential attack on the network is determined and a defensive measure is implemented in response to the potential attack on the network. | 12-18-2014 |
20140373137 | MODIFICATION OF APPLICATION STORE OUTPUT - Technologies for electronic communication may include receiving a group of indications. Each indication of an element of digital content may be configured to be downloaded to a client from a digital distribution framework. The technologies may also include evaluating each of the elements of digital content and, based on the evaluations, suppressing a display of one or more of the indications on the client. | 12-18-2014 |
20140373138 | METHOD AND APPARATUS FOR PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACK - An apparatus for preventing a distributed denial of service (DDoS) attack transmits, in place of the web server, a redirect message containing a redirect URL (Uniform Resource Locator) to a client terminal that has transmitted a request for accessing the web server. The apparatus authenticates the client terminal that re-sends the request for accessing the web server as a normal client terminal, and permits the client terminal to access the web server. | 12-18-2014 |
20140373139 | METHOD AND SYSTEM OF DISTINGUISHING BETWEEN HUMAN AND MACHINE - A method and a system of distinguishing between a human and a machine are disclosed. The method includes: when a request for accessing a designated network service is received, recording information of the request, including the time of receiving the request and information about the access object that sent the request; computing a statistical value of the requests sent by the access object in real time based on the record; and determining the access object to be abnormal when the statistical value of the requests sent by the access object falls outside a predetermined normal range. The disclosed system of distinguishing between a human and a machine includes a recording module, a computation module and a determination module. Human-machine identification using the disclosed scheme is difficult to defeat and improves the accuracy rate of human-machine identification. | 12-18-2014 |
20140373140 | DATA CENTER REDUNDANCY IN A NETWORK - Aspects of the present disclosure involve systems, methods, computer program products, and the like, for data center redundancy in relation to a computer network. In particular, the present disclosure provides for one or more available redundant data centers, or bunkers, associated with a computer network. In one embodiment, the bunker data centers are configured to absorb traffic intended for an application operating on a data center when the traffic threatens to overwhelm the application. For example, during a distributed denial of service (DDoS) attack, the bunker data centers are configured to absorb some of the traffic from the DDoS attack to prevent the application that is the target of the attack from being overwhelmed. | 12-18-2014 |
20140373141 | REPUTATION-BASED THREAT PROTECTION - Information concerning a plurality of identified threats provided by a plurality of preselected sources is stored in memory. An e-mail message may be received over a communication network. The received e-mail message is separated into a plurality of components. The stored information is searched to identify a reputation score associated with each of the plurality of components. It is then determined whether the e-mail is a threat based on the identified reputation score of each of the plurality of components. The determination is sent to a designated recipient. | 12-18-2014 |
20140373142 | SYSTEMS AND METHODS FOR REPORTER-BASED FILTERING OF ELECTRONIC COMMUNICATIONS AND MESSAGES - Methods and apparatuses for filtering electronic communications in a communication system. The method includes receiving a message report from a user in response to an electronic message received by the user, and identifying a confidence value associated with the user from whom the message report is received. The method also includes adding, if the confidence value exceeds a predetermined confidence value threshold, the confidence value to a signature value associated with the electronic message, and determining if the signature value exceeds a signature value threshold. The method further includes filtering the electronic message if the signature value exceeds the signature value threshold. | 12-18-2014 |
20140373143 | METHOD AND SYSTEM FOR DETECTING AND MITIGATING ATTACKS PERFORMED USING CRYPTOGRAPHIC PROTOCOLS - A method and system for detecting and mitigating attacks performed using a cryptographic protocol are provided. The method comprises establishing an encrypted connection with a client using the cryptographic protocol upon receiving an indication of a potential attack; receiving inbound traffic from the client, wherein the inbound traffic is originally directed to a protected entity; analyzing application layer attributes of only the inbound traffic received on the encrypted connection to detect at least one encrypted attack; and causing a new encrypted connection to be established between the client and the protected entity if no encrypted attack at the application layer has been detected. | 12-18-2014 |
20140380466 | METHOD AND APPARATUS FOR PROVIDING HIERARCHICAL PATTERN RECOGNITION OF COMMUNICATION NETWORK DATA - An approach for providing hierarchical pattern recognition of communication network data is described. A network security brain platform may process communication network data associated with one or more levels of communication network hierarchies. The network security brain platform may further determine a network information pattern of the communication network data based on one or more network information pattern models. The network security brain platform may also identify a network service issue based on the determined network information pattern. The network information pattern may include a network security pattern. | 12-25-2014 |
20140380467 | FORCED ALERT THRESHOLDS FOR PROFILED DETECTION - A node in a communication network determines a data rate capacity of one or more nodes of the communication network and creates a single managed object grouping for the nodes that share the same data rate capacity. The node establishes one or more static thresholds for the single managed object grouping based on the data rate capacity. The static thresholds are independent of a baseline condition of detected data rates at each node of the single managed object grouping. The node further detects a current rate of received data at each node of the single managed object grouping and triggers at least one alert for a node when the current rate of received data at that node exceeds the one or more static thresholds. | 12-25-2014 |
20140380468 | SYSTEMS AND METHODS FOR PROCEDURE RETURN ADDRESS VERIFICATION - An example processing system may comprise: a stack pointer configured to reference a first return address stored on a stack; a return address buffer pointer configured to reference a second return address stored in a return address buffer; and a return address verification logic configured, responsive to receiving a return instruction, to compare the first return address to the second return address. | 12-25-2014 |
20140380469 | METHOD AND DEVICE FOR DETECTING SOFTWARE-TAMPERING - A method and system for detecting software tampering includes: at a device having one or more processors and memory: receiving a software verification instruction from a server, the software verification instruction comprising a verification parameter dynamically selected by the server for verifying whether particular software stored at the device contains unauthorized modifications; executing a respective verification procedure corresponding to the verification parameter to obtain a first verification data value; and returning the first verification data value to the server, wherein the server compares the first verification data value to a second verification data value to determine whether the particular software stored at the device contains unauthorized modifications. | 12-25-2014 |
20140380470 | SECURE AND SEAMLESS WAN-LAN ROAMING - Systems and methods are described for secure and seamless roaming between internal and external networks. Double and triple tunnels may be used to connect a mobile node to a correspondent host. A mobile node may include the ability to connect to two networks simultaneously to enable seamless roaming between networks. | 12-25-2014 |
20150020193 | Automatic Isolation and Detection of Outbound Spam - Embodiments provide IP address partitioning features that can be used to source outbound email communications, but the embodiments are not so limited. In an embodiment, a computer-based method operates to identify and/or isolate one or more customers that may be misusing one or more IP addresses of a partition. A system of an embodiment is configured in part to divide a partition that includes one or more potentially misused IP addresses into one or more levels of sub-partitions as part of identifying offending or potentially offending customers. Other embodiments are included. | 01-15-2015 |
20150020194 | SYSTEM AND METHOD FOR IMPROVING THE RESILIENCY OF WEBSITES AND WEB SERVICES - A system is disclosed for monitoring the status of a website operating on a host and for remedying any identified problems. A first platform is coupled to the host for monitoring the website and periodically transmits status information about the website. A second platform is coupled to the first platform for periodically receiving the status information about the website. The second platform is configured to compare the received status information with a copy of the website and, based thereon, determine if the website has been compromised. The second platform is further configured to output an alert signal after determining that the website has been compromised. A third platform is coupled to the second platform and separately coupled to the host. The third platform is configured to receive the alert signal from the second platform and to forward the alert signal to the host. | 01-15-2015 |
20150020195 | ENSURING DATA QUALITY BY FILTERING NETWORK ADDRESS OBSERVATIONS - In one embodiment, a filtering technique is provided for ensuring data quality of network address observations. A network address observation is obtained of a network address associated with a source device, the network address observation associating the network address with one or more directly observed attributes. The network address observation is filtered based on a comparison of a selected one of the directly observed attributes to a predetermined criterion, with the result of the comparison indicating whether the network address observation should be used to associate the network address with one or more directly observed attributes. The filtering either associates one or more indicators with the network address observation, or removes the network address observation. A network address to attribute association system executed on one or more electronic devices stores a record that maintains any network address observation that has not been removed and any indicator. | 01-15-2015 |
20150020196 | MESSAGE FLOODING PREVENTION IN MESSAGING NETWORKS - A message flooding prevention system ( | 01-15-2015 |
20150026800 | SCALABLE INLINE BEHAVIORAL DDOS ATTACK MITIGATION - Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components to provide protection against large scale DDoS attacks by distributing load across these stacked components. | 01-22-2015 |
20150026801 | Process of Reliability for the Generation of Warning Messages on a Network of Synchronized Data - The method for improving the reliability of network supervision comprises: acquisition of a set of events, each event carrying a time stamp corresponding to its emission time; storage of the received events; storage of at least one scenario (SC) comprising a first sequence (S1) of events to be received within a time interval threshold (ΔTs) and a first condition (CD1) to be satisfied; detection of at least a part (pS2) of a received second sequence of events (S2) similar to the first sequence (S1); determination of a second emission time interval (ΔT3) of the second sequence (S2); verification that the first condition (CD1) of the scenario (SC) is satisfied as a function of the determined emission time interval (ΔT3), the time interval threshold (ΔTs) of the scenario (SC), and the first sequence (S1) and second sequence (S2) received; and generation of a second status message (M2ET). | 01-22-2015 |
20150026802 | FAKE WEB ADDRESSES AND HYPERLINKS - A destination address is processed to determine if the destination address is a fake web address or hyperlink. The destination address may be compared with a database of known domain names to see if the domain name is legitimate or illegitimate. The destination address may also be compared to other domain names to see if it is an honest or dishonest transformation of the other domain names. Appropriate action may be taken if the destination address is a dishonest transformation of another domain name. | 01-22-2015 |
20150026803 | Native Code Module Security for Arm Instruction Set Architectures - Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction. | 01-22-2015 |
20150026804 | Method and Apparatus for Reclassifying E-mail or Modifying a Spam Filter Based on Users' Input - A method is disclosed including passing a plurality of e-mails through a spam filter and classifying at least one of the plurality of e-mails as not spam. Thereafter, the plurality of e-mails are received at each of a plurality of user computers. The method may further include receiving a plurality of reports, the plurality of reports including one report from each of the plurality of user computers that one or more of the plurality of e-mails are spam that was not classified as spam by the spam filter. Based on the plurality of reports, one or more of the plurality of e-mails is reclassified as spam and/or the spam filter is modified. | 01-22-2015 |
20150026805 | DEVICE REPUTATION MANAGEMENT - A device reputation server recognizes malicious devices used in prior attacks and prevents further attacks by the malicious devices. Server computers require a digital fingerprint of any client devices prior to providing any service to such client devices. Logging of network activity includes the digital fingerprint of the device perpetrating the attack. When an attack is detected or discovered, the attacked server reports the attack and the digital fingerprint of the perpetrating device to a device reputation server. The device reputation server uses the report to improve future assessments of the reputation of the device associated with the reported digital fingerprint. | 01-22-2015 |
20150033331 | SYSTEM AND METHOD FOR WEBPAGE ANALYSIS - A system and method for classifying a webpage may include generating, by an analysis server, a first representation of a webpage. A system and method may include generating, by a unit installed in a user web browser, a second representation of the webpage and the method may comprise producing a classification of the webpage by relating the first representation to the second representation. | 01-29-2015 |
20150033332 | GRAPHIC DISPLAY OF SECURITY THREATS BASED ON INDICATIONS OF ACCESS TO NEWLY REGISTERED DOMAINS - Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain name. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name. | 01-29-2015 |
20150033333 | SECURITY THREAT DETECTION OF NEWLY REGISTERED DOMAINS - Domain names are determined for each computational event in a set, each event detailing requests or posts of webpages. A number of events or accesses associated with each domain name within a time period is determined. A registrar is further queried to determine when the domain name was registered. An object is generated that includes a representation of the access count and an age since registration for each domain name. A client can interact with the object to explore representations of domain names associated with high access counts and recent registrations. Upon determining that a given domain name is suspicious, a rule can be generated to block access to the domain name. | 01-29-2015 |
20150033334 | METHOD, APPARATUS, AND SYSTEM OF DETECTING DATA SECURITY - Methods, apparatus and system of detecting data security are provided herein. Data for detection are acquired. Whether the data for detection are to be updated for a first time is determined. When the data for detection are to be updated for the first time, the data for detection can be updated, encrypted, and stored as first encrypted data. When the data for detection are not to be updated for the first time, the data for detection can be acquired and encrypted to provide second encrypted data. The second encrypted data are compared with the stored first encrypted data to determine whether the second encrypted data have been modified without authorization. The present disclosure is simple to implement and does not rely on the specific logic of a particular application. Development costs, maintenance costs and occupancy of server resources can be reduced. System performance and user experience can be improved. | 01-29-2015 |
20150033335 | SYSTEMS AND METHODS TO DETECT AND RESPOND TO DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS - Embodiments relate to systems, devices, and computer-implemented methods for mitigating Distributed Denial of Service (“DDoS”) attacks. The method may include receiving, by a server, a response message from an application server. A client identifier corresponding to a source client may be determined based on a request message received from the source client. The request message received from the source client corresponds to the response message received from the application server. The server may identify one or more counters corresponding to the source client. The one or more counters include a discrete bad request counter (DBRC), a consecutive bad request counter (CBRC), or both. The server may identify a response type of the response message and cause a value of at least one of the one or more counters to change based on the response message and the response type. | 01-29-2015 |
20150040215 | REMOTE CUSTOMER RELATIONSHIP MANAGEMENT ACTIVITY WORKSPACE - A secure activity workspace including a monitoring device connected to a power source and a managed router, and a monitoring router connected to a communication channel, the managed router and a power source, wherein the monitoring device controls the managed router. | 02-05-2015 |
20150040216 | Systems and Methods for Restricting Application Binary Interfaces - Systems and methods for restricting application binary interfaces. An example method may comprise: initializing, by a process spawned by a kernel of an operating system running on a computer system, a system call filter inhibiting at least one type of application binary interface (ABI) calls; receiving a system call issued by a user space program executed by the computer system; intercepting the system call by the system call filter; determining that the system call is disabled by the system call filter; and performing a pre-determined action with respect to the system call. | 02-05-2015 |
20150040217 | DATA PROTECTION IN A NETWORKED COMPUTING ENVIRONMENT - An approach for monitoring and protecting electronic data in a networked computing environment (e.g., a cloud computing environment) is provided. In a typical embodiment, an activity monitor gathers characteristics of data traffic of one or more virtual machines. The data traffic is analyzed to determine whether any of the data traffic is indicative of a malicious activity (e.g., unauthorized data transfers). If it appears a VM is engaging in malicious activity, then a counter for the VM is incremented by a predefined value that is associated with the malicious activity. When the counter for the VM exceeds a point threshold, a remediation action is taken with respect to the VM. | 02-05-2015 |
20150040218 | DETECTING IMAGE SPAM - Methods and systems for operation upon one or more data processors for detecting image spam by detecting an image and analyzing the content of the image to determine whether the incoming communication comprises an unwanted communication. | 02-05-2015 |
20150040219 | USER EVALUATION - Improving the integrity of a computer system including a plurality of user accounts by, for each user account, monitoring events on the computer system that are related to the user account, assigning an importance score to the monitored user account that is indicative of the importance of the monitored user account to the integrity of the computer system, the importance score being calculated from the monitored events, and providing the importance score to a system administrator upon the administrator attempting to alter the monitored user account. | 02-05-2015 |
20150040220 | System and Method for Unified Communications Threat Management (UCTM) for Converged Voice, Video and Multi-Media Over IP Flows - A method and system for unified communications threat management (UCTM) for converged voice and video over IP is disclosed. A computer-implemented method for threat management receives an incoming packet. The incoming packet is broken into sub-packets and fed to a plurality of packet processing engines. Each packet processing engine inspects the sub-packets and annotates the sub-packets with meta-data. The annotated sub-packets are combined and processed by a plurality of application engines to generate a processed packet. The processed packet is classified and stored in a database. | 02-05-2015 |
20150040221 | SERVER WITH MECHANISM FOR CHANGING TREATMENT OF CLIENT CONNECTIONS DETERMINED TO BE RELATED TO ATTACKS - According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use. According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended by enabling the server to determine that any of a client and a connection exhibits one or more attack characteristics (e.g., based on at least one of client attributes, connection attributes, and client behavior during the connection, or otherwise). As a result of the determination, the server changes its treatment of the connection. | 02-05-2015 |
20150047026 | ANOMALY DETECTION TO IDENTIFY COORDINATED GROUP ATTACKS IN COMPUTER NETWORKS - Systems, apparatuses, methods, and computer programs for detecting anomalies to identify coordinated group attacks on computer networks are provided. An anomaly graph of a network including nodes, edges, and an indegree of the nodes in the anomaly graph may be determined. Nodes with an indegree of at least two may be designated as potential targets. Nodes with no incoming connections may be designated as potentially compromised nodes. The designated potentially compromised nodes may be outputted as potentially associated with a coordinated attack on the network when the potentially compromised nodes connect to one or more of the same potential target nodes. | 02-12-2015 |
20150047027 | APPARATUS AND METHOD FOR TRANSMITTING AND RECEIVING MESSAGES - A message reception apparatus includes a reception module configured to receive a message transmitted from a message transmission apparatus, a determination module configured to compare a serial number of the received message with a serial number stored in a serial number management buffer, and to classify the received message as a normal message or an abnormal message based on a result of the comparison, and a processing module configured to process the normal message. | 02-12-2015 |
20150047028 | METHOD, APPARATUS AND SYSTEM FOR DETECTING UNWANTED DIGITAL CONTENT DELIVERED TO A MAIL BOX - Email messages stored on a mail server are filtered to identify the email messages that contain unwanted content. The mail server receives incoming email messages over a network. A content filter performs an initial scan to identify the incoming email messages that contain unwanted content by determining whether signatures associated with the email messages are included on a list of signatures that identify email messages that are known to include unwanted content. The email messages that are not identified as containing unwanted content are forwarded to appropriate mail boxes on the mail server. Multiple scanning threads perform a subsequent scan of the email messages in the mail boxes to identify those email messages containing unwanted content that were not identified by the initial scan. The subsequent scan determines whether signatures associated with the email messages in the mail boxes are included in an updated list of the signatures. | 02-12-2015 |
20150047029 | AUDITOR SYSTEM - An auditing system and method for analyzing email, including capturing email transferred over a network and transferring the email to a data analyzer. The email can be encrypted for safe transfer to the analysis location. Once the email is delivered to the analysis location, it is decrypted and the analysis process begins. The analysis of the email includes scanning the email for specific search terms found in a lexicon and then identifying trends based on scanning results. | 02-12-2015 |
20150047030 | Methods and Systems for Implementing a Secure Application Execution Environment Using Derived User Accounts for Internet Content - Methods and systems are disclosed for implementing a secure application execution environment using Derived User Accounts (SAE DUA) for Internet content. Content is received and a determination is made as to whether the received content is trusted or untrusted content. The content is accessed in a protected derived user account (DUA), such as a SAE DUA, if the content is untrusted; otherwise, the content is accessed in a regular DUA if the content is trusted. | 02-12-2015 |
20150047031 | SECURING EXECUTION OF CUSTOMER-SUPPLIED NETWORK PAGE GENERATION CODE - Disclosed are various embodiments for securing execution of page generation code supplied by customers. The page generation code may be instrumented with code that facilitates monitoring of one or more resources consumed by the page generation code. Various compile-time checks relating, for example, to code size and whether exception-handling code is present may be performed. The page generation code is executed to generate a network page in response to a request obtained from a client. One or more resource consumption limits are enforced upon the page generation code. | 02-12-2015 |
20150052603 | ANTI-TAMPER SYSTEM WITH SELF-ADJUSTING GUARDS - An anti-tamper system is disclosed that includes self-adjusting guards inserted in software. Self-adjusting guards include invocation criteria and a guard function. During run-time, each time the self-adjusting guard is invoked, the invocation criteria are evaluated and the guard function is only executed if the invocation criteria are satisfied. The invocation criteria can be static or dynamic, satisfied randomly with fixed or varying probability, a monotonically or exponentially decreasing function, or almost any other type of function. The invocation criteria can be satisfied based on elapsed inter-guard invocation time (time since last guard function execution), target inter-guard invocation time, and/or guard execution time. A method is disclosed of inserting self-adjusting guards into software, and executing the software. Evaluating the invocation criteria can include adjusting the invocation criteria when satisfied. The self-adjusting guards can be inserted into the software at a source or object code level. | 02-19-2015 |
20150052604 | METHOD AND DEVICE FOR PROTECTING USER PRIVATE DATA OF APPLICATION PROGRAM - The disclosure provides a device for protecting user private data of an application program, including: a space managing module configured to create a normal space and one or more private spaces and to set one or more protected application programs; a monitoring module configured to monitor a switching instruction for switching from a current space to a target space, and to inform a space switching module after receiving the switching instruction; the space switching module configured to back up user data of the protected application programs into a memory area corresponding to the current space, and, after receiving the switching instruction, to replace current user data of the corresponding protected application programs with the user data of the protected application programs backed up in a memory area of the target space. By using the present disclosure, security of the user private data in the application programs can be enhanced. | 02-19-2015 |
20150058975 | METHOD AND APPARATUS FOR SELECTIVELY SNOOPING AND CAPTURING DATA FOR SECURE COMPUTER INTERFACES - The present invention relates to methods and apparatuses for securing otherwise unsecured computer communications that address the above shortcomings among others. According to certain aspects, the invention relates to methods and apparatuses for implementing device snooping, in which some or all traffic passing between a host and a connected device is captured into memory and analyzed in real time by system software. According to other aspects, the invention relates to real time capture of certain types of traffic and communication of the captured traffic to a remote management system. According to still further aspects, the invention relates to detecting security threats in real time. Upon threat detection, possible actions include blocking individual devices or alerting a system administrator. According to certain additional aspects, the security functions performed by methods and apparatuses according to the invention can be logically transparent to the upstream host and to the downstream device. | 02-26-2015 |
20150058976 | METHOD AND APPARATUS FOR MITIGATING DISTRIBUTED DENIAL OF SERVICE ATTACKS - An approach for mitigating distributed denial of service (DDoS) attacks includes assigning a set of temporary network addresses to a hostname for a finite period and assigning one or more other sets of temporary network addresses to the hostname in one or more following finite periods, responding to a hostname lookup request based on the set of temporary network addresses, the one or more other sets of temporary network addresses, or a combination thereof that are active, responding to a network address lookup request based on at least one of the set of temporary network addresses and the one or more other sets of temporary network addresses that is associated with a current one of the finite period or the one or more following finite periods, and retiring the set of temporary network addresses, the one or more sets of temporary network addresses, or a combination thereof after a configurable number of finite periods, wherein no further network address or hostname lookup request is served based on the retired set of temporary network addresses, the retired one or more sets of temporary network addresses, or a combination thereof. | 02-26-2015 |
20150058977 | HEALTH MONITOR BASED DISTRIBUTED DENIAL OF SERVICE ATTACK MITIGATION - Provided are methods and systems for mitigating a DDoS event. The method may comprise receiving an indication of a collapse of a collapsible virtual data circuit associated with network data traffic. In response to the received indication of the collapse, the collapse may be attributed to the DDoS event. Furthermore, the method may comprise redirecting the network data traffic to one or more DDoS mitigation services. The method may further comprise mitigating the DDoS event by the one or more DDoS mitigation services. | 02-26-2015 |
20150058978 | METHOD AND DEVICE FOR PROMPTING INFORMATION ABOUT E-MAIL - The present invention discloses a method and a device for prompting information about an e-mail. The method comprises: extracting information from a currently opened e-mail; according to the extracted information, determining whether an unsafe webpage link is contained in content of the currently opened e-mail; and if yes, providing security prompting information to a user. By means of the present invention, security is ensured when a person uses an e-mail box. | 02-26-2015 |
20150058979 | PROCESSING SYSTEM - A processing system is disclosed along with a concept for controlling access of a processing unit of the processing system to firmware code. It is proposed to identify a valid key stored in a first region of memory based on validation data of a second region of the memory, the validation data indicating whether a key is valid or not. The firmware code is processed in accordance with a predetermined verification algorithm to compute a verification value for the firmware code. The verification value and the valid key are analysed to determine if the firmware code is trusted. Access of the processing unit to the firmware code is controlled based on whether the firmware code is determined to be trusted or not. | 02-26-2015 |
20150058980 | Methods and Apparatuses for Avoiding Damage in Network Attacks - Methods and apparatuses in a client terminal and a web server for enabling safe communication between said terminal and server. When the terminal obtains a web page from the server in a session, the terminal creates a context-specific key, Ks_NAF′, based on one or more context parameters, P1, ..., Pn, pertaining to said session and/or web page. The terminal then indicates the context-specific key in a login request to the server, and the server determines a context-specific key, Ks_NAF′, in the same manner to verify the client if the context-specific key determined in the web server matches the context-specific key received from the client terminal. The context-specific key is thus bound to and valid for the present context or session only and cannot be used in other contexts or sessions. | 02-26-2015 |
20150067830 | DYNAMIC APPLICATION SECURITY VERIFICATION - Disclosed are various embodiments for performing security verifications for dynamic applications. An instance of an application is executed. During runtime, it is determined whether the application is accessing dynamically loaded code from a network site. In one embodiment, the access may be detected via the use of a particular application programming interface (API). In another embodiment, the access may be detected via the loading of downloaded data into an executable portion of memory. A security evaluation is performed on the dynamically loaded code, and an action is initiated responsive to the security evaluation. | 03-05-2015 |
20150067831 | SYSTEMS AND METHODS FOR IDENTIFYING PRIVATE KEYS THAT HAVE BEEN COMPROMISED - A computer-implemented method for identifying private keys that have been compromised may include (1) identifying a private key that enables a signatory to digitally sign applications, (2) collecting information about the private key from at least one public source, (3) determining, based on the information collected from the public source, that the private key has been compromised and is accessible to unauthorized signatories, and (4) performing a security action in response to determining that the private key has been compromised and is accessible to the unauthorized signatories. Various other methods, systems, and computer-readable media are also disclosed. | 03-05-2015 |
20150067832 | Client Side Phishing Avoidance - In one implementation, a phishing scam involves a communication sent to a user by an impersonator. Rather than detect the communication and verify the identity of the sender, the data entry of the user is monitored. For example, an example embodiment scans data entry from a user for a security word and queries a list of authorized terms for the security word. In response to the security word being included in the list of authorized terms, a destination address associated with the security word is identified. A list of authorized destination addresses is queried with the destination address associated with the security word. | 03-05-2015 |
20150067833 | AUTOMATIC PHISHING EMAIL DETECTION BASED ON NATURAL LANGUAGE PROCESSING TECHNIQUES - A comprehensive scheme to detect phishing emails using features that are invariant and fundamentally characterize phishing. Multiple embodiments are described herein based on combinations of text analysis, header analysis, and link analysis, and these embodiments operate between a user's mail transfer agent (MTA) and mail user agent (MUA). The inventive embodiment, PhishNet-NLP™, utilizes natural language techniques along with all information present in an email, namely the header, links, and text in the body. The inventive embodiment, PhishSnag™, uses information extracted from the embedded links in the email and the email headers to detect phishing. The inventive embodiment, Phish-Sem™, uses natural language processing and statistical analysis on the body of labeled phishing and non-phishing emails to design four variants of an email-body-text-only classifier. The inventive scheme is designed to detect phishing at the email level. | 03-05-2015 |
20150067834 | Building Reusable Function Summaries for Frequently Visited Methods to Optimize Data-Flow Analysis - A method includes inspecting function summaries generated during a static analysis of a program and identifying a set of function summaries for a same method that have structural similarities. The method includes replacing the set of structurally similar summaries with a coarse summary. The method further includes using the coarse summary in subsequent static analysis operations. Apparatus and program products are also disclosed. | 03-05-2015 |
20150067835 | Detecting Anomalous User Behavior Using Generative Models of User Actions - An apparatus for detecting abnormal behavior of users is disclosed. The apparatus identifies from a log of user activity, a first number of actions performed by a user over a first time period that match a pattern of user activity for a task associated with one or more roles of the users. The apparatus also identifies from the log of user activity, a second number of actions performed by the user over a second time period that match the pattern of user activity. The apparatus calculates an amount of deviation between the first number of actions and the second number of actions. The deviation identifies a difference between amounts of time spent in the one or more roles. The apparatus then determines whether the amount of deviation between the first number of actions and the second number of actions exceeds a threshold for abnormal behavior. | 03-05-2015 |
20150067836 | System and Method to Traverse a Non-Deterministic Finite Automata (NFA) Graph Generated for Regular Expression Patterns with Advanced Features - In one embodiment, a method of walking a non-deterministic finite automata (NFA) graph representing a pattern includes extracting a node type and an element from a node of the NFA graph. The method further includes matching a segment of a payload for the element by matching the payload for the element at least zero times, the number of times based on the node type. | 03-05-2015 |
20150067837 | SOFTWARE SELF-CHECKING SYSTEMS AND METHODS - Software self-checking mechanisms are described for improving software tamper resistance and/or reliability. Redundant tests are performed to detect modifications to a program while it is running. Modifications are recorded or reported. Embodiments of the software self-checking mechanisms can be implemented such that they are relatively stealthy and robust, and so that they are compatible with copy-specific static watermarking and other tamper-resistance techniques. | 03-05-2015 |
20150067838 | TRUSTED EXECUTION OF BINARIES AND MODULES - A computer system mechanism is provided that restricts execution of binaries, such as applications, kernel modules, and shared libraries, on the computing system to only those that have been installed by an approved mechanism. The approved mechanism acts as a single entry point on the computing system for installing new binaries. Any change in file content or metadata taints an executable file and prevents execution by the kernel. Files copied over and not installed via the approved mechanism will not be executed. | 03-05-2015 |
20150067839 | Syntactical Fingerprinting - A method for identifying phishing websites and illustrating the provenance of each website through the structural components that compose the websites. The method includes identifying newly observed phishing websites and using the method as a distance metric for clustering phishing websites. Varying the threshold value within the method demonstrates the potential capability for phishing investigators to identify the source of many phishing websites as well as individual phishers. | 03-05-2015 |
20150067840 | METHOD FOR PACKET PROCESSING, ELECTRONIC DEVICE AND STORAGE MEDIUM - A method for processing packets, an electronic device and a storage medium are proposed. The present invention presets a defense module preventing DoS in the mobile terminal. A connection requesting side establishes a connection with the defense module according to the three-way handshake principle of TCP, and the defense module then sends a SYN packet to the mobile terminal on behalf of the connection requesting side. When the defense module successfully completes the handshake with the mobile terminal, the connection between the connection requesting side and the mobile terminal is created, so that DoS attacks, especially SYN attacks, can be effectively prevented. When mobile terminals, especially mobile phones, act as network hotspots, attacks on internal mobile terminals from the external network can be effectively prevented. | 03-05-2015 |
20150067841 | METHOD FOR HIDING SOURCE OF WIRELESS SENSOR NETWORK AND NODE - A method for hiding a source of a wireless sensor network and a node are provided. The method comprises: determining a first node having a shortest distance from the source; sending a real data packet via a shortest path between the first node and a base station, wherein the real data packet is generated by the first node according to the source; selecting a second node satisfying a preset condition on the shortest path as an initial false source node; establishing a false path with the initial false source node as a terminal node of the false path; and sending a false data packet to the initial false source node via the false path, such that the real data packet is hidden by the false data packet. | 03-05-2015 |
20150067842 | Intelligent Communication Screening to Restrict Spam - A system is provided to restrict the ability of a spammer to freely contact an entity over a communication channel. To do so, the system reconfigures a communication channel used to contact the target entity such that the system can intercept a communication from a source contacting entity en route to the target entity. The system extracts an identifier (e.g., contacting entity's telephone number) from the communication and uses the identifier to query a database storing information about the contacting entity. The information reveals the contacting entity's industry, occupation, credibility, etc. From this information, the system automatically identifies the contacting entity as a spammer, potential spammer, or non-spammer. The system performs a default screening of the communication based on the classification. Alternatively, the target contacted entity can specify a configuration for different actions the system takes to screen the communication based on the source contacting entity classification. | 03-05-2015 |
20150067843 | Method and System for Scanning a Computer System for Sensitive Content - A computer-implemented method for scanning a computer system for sensitive data. A scan manager manages a scan of files of a second computer. The scan manager receives a request to scan and identify files stored on the second computer based on at least one category of sensitive data. The scan manager receives scan report recipient information and generates a user profile based on the at least one category and the recipient information. The scan manager makes the user profile available to a category server for use in creating a scan profile defining the scan criteria and deploys a scan agent to a computer to conduct the scan based on the scan profile. When the scan is complete and upon creation of the scan report, the scan manager makes the scan report available to the intended recipients. | 03-05-2015 |
20150067844 | SYSTEM AND METHODOLOGY PROVIDING AUTOMATION SECURITY ANALYSIS, VALIDATION, AND LEARNING IN AN INDUSTRIAL CONTROLLER ENVIRONMENT - The present invention relates to a system and methodology facilitating automation security in a networked-based industrial controller environment. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions for input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine if security components are in place and/or in suitable working order. The security learning system monitors/learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur. | 03-05-2015 |
20150074801 | SECURITY VERIFICATION DEVICE AND A SECURITY VERIFICATION METHOD - The present invention provides a security verification device and a security verification method which are capable of verifying that elements for implementing security measures necessary for a system can be prepared without omission. The security verification device and the security verification method select a verification item on the basis of security requirement information, generate security requirement information of parts specified by the verification item on the basis of a security target model, generate information which indicates a possessed function of security of the parts included in the security target model on the basis of a function item which is extracted on the basis of an implementation method included in the verification item and output a comparison and verification result of the security requirement information of the parts and the information which indicates the possessed function. | 03-12-2015 |
20150074802 | SPAM NOTIFICATION DEVICE - A device is configured to receive triggering information including a set of conditions associated with spam. The device is configured to receive a message from a sending device, and to determine that the message is spam based on determining that the message satisfies a threshold quantity of conditions of the set of conditions. The device is configured to provide a notification indicating that the message may be spam, and receive response information, based on the notification, indicating that the sending device is to be blacklisted. The device is configured to cause, based on the response information, a future message from the sending device to be blocked prior to being presented to a user. | 03-12-2015 |
20150074803 | SYSTEM AND METHOD OF INTERLOCKING TO PROTECT SOFTWARE-MEDIATED PROGRAM AND DEVICE BEHAVIOURS - Methods and devices for thwarting code and control flow based attacks on software. The source code of a subject piece of software is automatically divided into basic blocks of logic. Selected basic blocks are amended so that their outputs are extended. Similarly, other basic blocks are amended such that their inputs are correspondingly extended. The amendments increase or create dependencies between basic blocks such that tampering with one basic block's code causes other basic blocks to malfunction when executed. | 03-12-2015 |
20150074804 | METHOD AND SYSTEM FOR TRACKING MACHINES ON A NETWORK USING FUZZY GUID TECHNOLOGY - A method for querying a knowledgebase of malicious hosts numbered from 1 through N. The method includes providing a network of computers, which has a plurality of unknown malicious host machines. In a specific embodiment, the malicious host machines are disposed throughout the network of computers, which includes a worldwide network of computers, e.g., Internet. The method includes querying a knowledge base including a plurality of known malicious hosts, which are numbered from 1 through N, where N is an integer greater than 1. In a preferred embodiment, the knowledge base is coupled to the network of computers. The method includes receiving first information associated with an unknown host from the network; identifying an unknown host and querying the knowledge base to determine if the unknown host is one of the known malicious hosts in the knowledge base. The method also includes outputting second information associated with the unknown host based upon the querying process. | 03-12-2015 |
20150074805 | METHOD FOR PREVENTING RELAY-ATTACK ON SMART KEY SYSTEM - The present invention relates to a method for preventing a relay-attack on a smart key system, and in particular, provides an advantage of preventing a vehicle and equipment stored inside the vehicle from being stolen by using predetermined information transmitted and received when the SMK UNIT of the vehicle and a FOB Key wirelessly communicate with each other and enabling a holder of the FOB Key to make the relay-attack once the holder secures visibility from the vehicle. | 03-12-2015 |
20150082424 | Active Web Content Whitelisting - The disclosed invention is a new method and apparatus for using a white-list to authenticate active content in web pages and removing all unauthorized active content received in the web pages. A computer system receives a plurality of web pages from a web server. The web pages are scanned for active content. A database holds the attributes of the active content that is permitted on each web page. A web page filtering component compares the active content in the web pages with the entries in the database, and any unauthorized active content in the page is removed. The modified web page is sent to the intended destination. | 03-19-2015 |
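The filtering step above, shown as an added example rather than the patent's own code: the page is re-emitted while `<script>` elements that are not on the whitelist are dropped and inline event handlers and `javascript:` URLs are stripped. The whitelist format (an allowed external script URL plus the SHA-256 of one permitted inline script body), the sample page and the audit-trail format are assumptions constructed here.

```python
"""Whitelist-based removal of active web content (added example)."""
import hashlib
import html
from html.parser import HTMLParser

# Assumed whitelist database: permitted external script URLs and the
# SHA-256 of permitted inline script bodies.
ALLOWED_SCRIPT_SRCS = {"https://cdn.example.com/app.js"}
ALLOWED_INLINE_SHA256 = {hashlib.sha256(b"console.log('ok');").hexdigest()}


class ActiveContentFilter(HTMLParser):
    """Rebuilds the page, keeping only whitelisted <script> elements and
    removing on* handlers / javascript: URLs from every other element."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.removed = []        # audit trail of what was stripped
        self._script = None      # (attrs, body chunks) while inside <script>

    def _emit(self, text):
        (self.out if self._script is None else self._script[1]).append(text)

    @staticmethod
    def _attr_text(attrs):
        return "".join(f' {k}="{html.escape(v, quote=True)}"' if v is not None else f" {k}"
                       for k, v in attrs)

    def _start(self, tag, attrs, self_closing):
        if tag == "script":
            self._script = (attrs, [])       # decide when the body is complete
            return
        kept = []
        for name, value in attrs:
            v = (value or "").strip().lower()
            if name.startswith("on") or (name in ("href", "src", "action")
                                         and v.startswith("javascript:")):
                self.removed.append(f"{tag}@{name}")
                continue
            kept.append((name, value))
        self.out.append(f"<{tag}{self._attr_text(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            attrs, chunks = self._script
            self._script = None
            body = "".join(chunks)
            src = dict(attrs).get("src")
            if src is not None:
                allowed = src in ALLOWED_SCRIPT_SRCS
            else:
                allowed = hashlib.sha256(body.encode()).hexdigest() in ALLOWED_INLINE_SHA256
            if allowed:
                self.out.append(f"<script{self._attr_text(attrs)}>{body}</script>")
            else:
                self.removed.append(f"script:{src or 'inline'}")
            return
        self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def filter_page(page):
    """Return (filtered_html, removed_items)."""
    f = ActiveContentFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page: two whitelisted scripts, two that are not, and
# an anchor carrying a javascript: URL and an inline handler.
SAMPLE_PAGE = (
    "<html><body>"
    '<script src="https://cdn.example.com/app.js"></script>'
    "<script>console.log('ok');</script>"
    '<script src="https://evil.example.net/x.js"></script>'
    "<script>document.cookie</script>"
    '<a href="javascript:alert(1)" onclick="steal()">Hi &amp; bye</a>'
    "<p>text</p></body></html>"
)

if __name__ == "__main__":
    cleaned, removed = filter_page(SAMPLE_PAGE)
    print(cleaned)
    print("removed:", removed)
```

Matching an external script by URL only trusts whatever the CDN serves under that name; a stricter database stores the hash of the fetched body (the same check browsers perform for Subresource Integrity) so a changed file on the CDN is treated as unauthorized.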
20150082425 | SECURING ACCESSIBLE SYSTEMS USING BASE FUNCTION ENCODING - Systems and techniques for securing accessible computer-executable program code and systems are provided. One or more base functions may be generated and blended with existing program code, such that it may be difficult or impossible for a potential attacker to distinguish the base functions from the existing code. The systems and code also may be protected using a variety of other blending and protection techniques, such as fractures, variable dependent coding, dynamic data mangling, and cross-linking, which may be used individually or in combination, and/or may be blended with the base functions. | 03-19-2015 |
20150082426 | Method and System for Inferring Risk of Data Leakage from Third-Party Tags - A method and system assess the data leakage threat associated with third-party tags on a particular website, such as a content publisher site, by mimicking a standard web browser. Each third-party tag on the site is identified and investigated in a hierarchical manner, and a data leakage threat score is assigned to each third-party tag based on certain attributes associated with the tag and the resource linked by the third-party tag. A cumulative data leakage threat score is then calculated to determine whether the site is a data leakage threat, such as a threat for misuse of a consumer's data. | 03-19-2015 |
20150082427 | Systems, Methods and Apparatuses for Prevention of Relay Attacks - The systems, methods and apparatuses described herein provide an apparatus configured for preventing relay attacks on a communication link between the apparatus and a communication partner. The apparatus may comprise a communication port, a timer and a processor. The processor may be configured to generate a request, transmit the request through the communication link using the communication port and start counting time using the timer, receive a response via the communication port and stop the timer, receive authentication data via the communication port, authenticate the authentication data, compare the counted time with a predefined threshold, compare a first field within the request with a second field within the response and determine whether there is a relay attack. | 03-19-2015 |
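The exchange described in the two relay-attack entries above (the smart key system and the timer-based apparatus), as an added example that is not either patent's code: the verifier starts a timer, sends a request with a nonce field, stops the timer on the reply, authenticates the reply, compares the request field with the response field, and rejects the exchange if the round trip exceeded the bound. The message layout (nonce + sequence field + HMAC tag), the injected simulated clock and the 100 microsecond bound are assumptions chosen for illustration.

```python
"""Distance-bounded challenge/response against relay attacks (added example)."""
import hashlib
import hmac
import os

RTT_THRESHOLD_US = 100.0   # assumed bound: a relay adds more delay than this
KEY = b"\x11" * 32         # assumed long-term key shared by verifier and fob


def make_request():
    """Verifier's challenge: a fresh nonce plus a sequence field."""
    return {"nonce": os.urandom(16), "seq": os.urandom(2)}


def fob_response(request, key):
    """Honest communication partner: echoes the request fields and
    authenticates them with a keyed MAC over nonce || seq."""
    msg = request["nonce"] + request["seq"]
    return {"nonce": request["nonce"], "seq": request["seq"],
            "tag": hmac.new(key, msg, hashlib.sha256).digest()}


class RelayGuard:
    """One exchange: start timer, send, stop timer on reply, then
    authenticate, compare request/response fields and check the bound."""

    def __init__(self, key, clock, threshold_us=RTT_THRESHOLD_US):
        self.key = key
        self.clock = clock              # callable returning microseconds
        self.threshold_us = threshold_us

    def run(self, request, channel):
        t0 = self.clock()
        response = channel(request)     # channel: request -> response
        elapsed = self.clock() - t0
        expected = hmac.new(self.key, response["nonce"] + response["seq"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["tag"]):
            return False, "bad tag"
        if (response["nonce"] != request["nonce"]
                or response["seq"] != request["seq"]):
            return False, "field mismatch"      # replayed or substituted reply
        if elapsed > self.threshold_us:
            return False, f"rtt {elapsed:.0f}us over bound"
        return True, "ok"


class SimClock:
    """Deterministic clock so the example runs offline (constructed)."""

    def __init__(self):
        self.now_us = 0.0

    def __call__(self):
        return self.now_us

    def advance(self, us):
        self.now_us += us


def simulate(delay_us, fob_key=KEY, tamper=None):
    """Run an exchange over a channel adding `delay_us` of latency; `tamper`
    optionally rewrites the fob's reply (models a replaying attacker)."""
    clock = SimClock()
    guard = RelayGuard(KEY, clock)

    def channel(req):
        clock.advance(delay_us)
        resp = fob_response(req, fob_key)
        return tamper(resp) if tamper else resp

    return guard.run(make_request(), channel)


if __name__ == "__main__":
    print("direct:", simulate(40))
    print("relayed:", simulate(900))
```

The timer check is only as good as its resolution: a signal covers about 30 cm per nanosecond, so a bound tight enough to rule out a relay across a parking lot has to be measured by the radio hardware (time-of-flight ranging), not by a software timer around a packet exchange.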
20150082428 | DETECTING ANOMALOUS BEHAVIOR PATTERNS IN AN ELECTRONIC ENVIRONMENT - The behavior of a group of resources, such as a fleet of servers, can be monitored to attempt to determine a baseline of acceptable behaviors. When a behavior is observed, the baseline can be consulted to determine whether the behavior is indicated to be acceptable. If not, the rate or extent at which the newly observed behavior is observed on groupings of similar resources can be monitored. This information can be used to determine whether the behavior is acceptable in which case information for the observed behavior can be used to automatically update the baseline such that the baseline is representative of current acceptable behavior within the group of resources. | 03-19-2015 |
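The baseline-update loop above, as an added example (not the patent's implementation): a behaviour absent from a group's baseline is counted per host; once enough of the group shows it, it is learned, unless it spread so fast that it looks like an outbreak rather than a legitimate change. The grouping key, the prevalence fraction, the spread-rate window, the minimum group size and the sample observations are constructed assumptions.

```python
"""Baseline learning from fleet-wide prevalence and spread rate (added example)."""
from collections import defaultdict


class FleetBaseline:
    def __init__(self, accept_fraction=0.5, min_group=3, min_spread_s=600.0):
        self.accept_fraction = accept_fraction   # share of the group that must show it
        self.min_group = min_group               # small groups never self-learn
        self.min_spread_s = min_spread_s         # faster spread than this = outbreak
        self.members = defaultdict(set)          # group -> hosts
        self.accepted = defaultdict(set)         # group -> accepted behaviours
        self.seen = defaultdict(lambda: defaultdict(set))  # group -> behaviour -> hosts
        self.first_seen = {}                     # (group, behaviour) -> timestamp

    def register(self, host, group):
        self.members[group].add(host)

    def observe(self, host, group, behaviour, ts):
        """Return 'accepted', 'anomalous', 'learned' or 'outbreak'."""
        if behaviour in self.accepted[group]:
            return "accepted"
        key = (group, behaviour)
        self.first_seen.setdefault(key, ts)
        self.seen[group][behaviour].add(host)
        n = len(self.members[group])
        if n < self.min_group:
            return "anomalous"
        fraction = len(self.seen[group][behaviour]) / n
        if fraction < self.accept_fraction:
            return "anomalous"
        if ts - self.first_seen[key] < self.min_spread_s:
            return "outbreak"        # widespread *and* sudden: do not learn it
        self.accepted[group].add(behaviour)
        return "learned"


def scenario():
    """Constructed observations for a four-node web group and a lone db host."""
    fb = FleetBaseline()
    for h in ("web1", "web2", "web3", "web4"):
        fb.register(h, "web")
    fb.register("db1", "db")
    return [
        fb.observe("web1", "web", "exec:/usr/sbin/logrotate", 0.0),      # anomalous
        fb.observe("web2", "web", "exec:/usr/sbin/logrotate", 3600.0),   # learned: 2/4, spread slowly
        fb.observe("web3", "web", "exec:/usr/sbin/logrotate", 7200.0),   # accepted
        fb.observe("web1", "web", "conn:198.51.100.7:4444", 10.0),       # anomalous
        fb.observe("web2", "web", "conn:198.51.100.7:4444", 15.0),       # outbreak: 2/4 within 5 s
        fb.observe("db1", "db", "exec:/bin/sh", 20.0),                   # anomalous: group too small
    ]


if __name__ == "__main__":
    print(scenario())
```

Prevalence-based learning has an inherent trade-off: a worm that reaches half the fleet becomes "acceptable" by definition, which is why the spread-rate check exists, and why behaviours flagged as an outbreak should stay quarantined for review rather than being learned automatically once the window has passed.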
20150089638 | SMART METER SECURITY SYSTEM AND METHOD - A system, method and computer program product for protecting utility usage information from utility company users, e.g., power company endpoints. Smart meters monitor endpoint service usage to identify the start of a critical usage period. During critical usage periods the smart meters select and modulate a generic usage pattern by the difference between the pattern and actual usage. Instead of sending actual usage data, the smart meter sends the modulated generic usage pattern to the service provider. The service provider extracts the deltas and determines endpoint service usage from the extracted deltas. | 03-26-2015 |
20150089639 | SMART METER SECURITY SYSTEM AND METHOD - A system, method and computer program product for protecting utility usage information from utility company users, e.g., power company endpoints. Smart meters monitor endpoint service usage to identify the start of a critical usage period. During critical usage periods the smart meters select and modulate a generic usage pattern by the difference between the pattern and actual usage. Instead of sending actual usage data, the smart meter sends the modulated generic usage pattern to the service provider. The service provider extracts the deltas and determines endpoint service usage from the extracted deltas. | 03-26-2015 |
20150089640 | ENDPOINT LOAD REBALANCING CONTROLLER - An endpoint load rebalancing controller, a method of controlling endpoint activity to suppress side channel variation, and a computer program product for controlling endpoint activity to suppress side channel variation in information from utility company users, e.g., from power company endpoints. The load rebalancing controller monitors period-to-period endpoint service usage and predicts next-period endpoint service usage. Whenever the controller determines that the endpoint usage will exhibit a change that may be sufficient to convey activity information through the side channel, the controller rebalances activity for the next period. Rebalancing may include shifting off-line execution from one period to another and capping or increasing on-line execution activity. | 03-26-2015 |
20150089641 | COMPUTER SYSTEM AND SIGNATURE VERIFICATION SERVER - Disclosed are a computer system, a signature verification server, a method of supporting signature verification by a computer system, and a method of verifying a signature. Embodiments of the present disclosure relate to verifying whether a signature used for malicious code diagnosis produces misdiagnoses (false positives), and more particularly to running a malicious code diagnosis simulation on the signature in a multi-user computer environment using actual client antivirus software. This overcomes the physical, spatial and temporal limitations of conventional misdiagnosis verification: a preliminary application signature whose misdiagnosis verification has not yet been completed is pre-distributed to a plurality of user computers and applied to the malicious code diagnosis of files stored on those computers, and misdiagnosis verification of the preliminary signature is then performed on the information collected from the results of that diagnosis. | 03-26-2015 |
20150089642 | Detecting Phishing of a Matrix Barcode - A method and a system for detecting phishing of a matrix barcode are provided. The matrix barcode comprises colored and white squares in rows and columns. The method comprises scanning the matrix barcode row by row and column by column, resulting in received squares, storing a corresponding white color level for each received white square, and comparing the white color levels of the received white squares pairwise. | 03-26-2015 |
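The pairwise white-level comparison above, as an added example and not the patent's own method: a sticker pasted over part of a printed code is printed on different stock, so its white modules reflect a different level than the original's. The grid of grey values, the white threshold, the tolerance and the way a module is declared an outlier (it differs from more than half of the other white modules) are constructed assumptions; a real scanner would sample module centres from a camera frame.

```python
"""Overlay detection on a matrix barcode from white-module brightness (added example)."""


def white_modules(grid, threshold=128):
    """(row, col, level) for every module classified as white."""
    return [(r, c, v) for r, row in enumerate(grid)
            for c, v in enumerate(row) if v >= threshold]


def suspicious_modules(grid, tolerance=8):
    """Compare every pair of white modules. A module whose white level differs
    from more than half of the others by more than `tolerance` is treated as
    printed on different stock, i.e. part of a pasted-over sticker."""
    whites = white_modules(grid)
    n = len(whites)
    outliers = [0] * n
    for i in range(n):
        for j in range(i + 1, n):
            if abs(whites[i][2] - whites[j][2]) > tolerance:
                outliers[i] += 1
                outliers[j] += 1
    return {(r, c) for (r, c, _), k in zip(whites, outliers) if k > n // 2}


def is_phished(grid, tolerance=8):
    return bool(suspicious_modules(grid, tolerance))


def _make_grid(size=8, overlay=None, level=252):
    """Constructed checkerboard-style code with 8-bit grey values;
    `overlay` is (row0, col0, height, width, white_level) of a sticker."""
    grid = [[level if (r + c) % 2 == 0 else 0 for c in range(size)] for r in range(size)]
    grid[1][1], grid[3][5] = 249, 254          # harmless print/lighting noise
    if overlay:
        r0, c0, h, w, lvl = overlay
        for r in range(r0, r0 + h):
            for c in range(c0, c0 + w):
                if grid[r][c] >= 128:
                    grid[r][c] = lvl
    return grid


CLEAN = _make_grid()
STICKERED = _make_grid(overlay=(6, 4, 2, 4, 236))   # sticker over the lower right

if __name__ == "__main__":
    print("clean:", suspicious_modules(CLEAN))
    print("stickered:", sorted(suspicious_modules(STICKERED)))
```

Uneven lighting produces a smooth brightness gradient across a genuine code, which a fixed tolerance can mistake for an overlay; comparing each module against its neighbours, or normalising against the white modules inside the three finder patterns, keeps the check robust to that.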
20150089643 | MALICIOUS REQUEST ATTRIBUTION - Methods, apparatuses, and computer readable media for malicious request attribution are presented. For example, according to one aspect, requests for one or more records may be received from a requesting computing device. A determination may be made that the requests are of a malicious nature. Responsive to determining that the requests are of a malicious nature, one or more requests for obtaining information about the requesting computing device may be generated, and communicated to the requesting computing device. In some embodiments, at least one of the one or more requests for obtaining information about the requesting computing device may be configured to cause the requesting computing device to fail to properly render at least a portion of a web page comprising at least one of the one or more records. | 03-26-2015 |
20150089644 | Document Classification Using Multiscale Text Fingerprints - Described systems and methods allow a classification of electronic documents such as email messages and HTML documents, according to a document-specific text fingerprint. The text fingerprint is calculated for a text block of each target document, and comprises a sequence of characters determined according to a plurality of text tokens of the respective text block. In some embodiments, the length of the text fingerprint is forced within a pre-determined range of lengths (e.g. between 129 and 256 characters) irrespective of the length of the text block, by zooming in for short text blocks, and zooming out for long ones. Classification may include, for instance, determining whether an electronic document represents unsolicited communication (spam) or online fraud such as phishing. | 03-26-2015 |
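An added example of a fingerprint whose length is forced into the 129 to 256 character range named above, not the method from the patent: each text unit is hashed to one character; short texts are zoomed in (tokens split into character bigrams) and long ones zoomed out (consecutive tokens merged into windows). The token-to-character hash, the zoom rules, the tiling of very short texts, the similarity measure and the sample texts are assumptions constructed here.

```python
"""Multiscale text fingerprint with a bounded length (added example)."""
import difflib
import hashlib
import math
import re

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
MIN_LEN, MAX_LEN = 129, 256      # target range taken from the abstract


def _symbol(unit):
    """One character per text unit, derived from a one-byte hash of the unit."""
    h = hashlib.blake2b(unit.encode("utf-8"), digest_size=1).digest()[0]
    return ALPHABET[h % len(ALPHABET)]


def fingerprint(text):
    toks = re.findall(r"\w+", text.lower())
    if not toks:
        return ""
    units = toks
    if len(units) < MIN_LEN:                       # zoom in: character bigrams
        units = [t[i:i + 2] for t in toks for i in range(max(1, len(t) - 1))]
    if len(units) > MAX_LEN:                       # zoom out: merge windows of w tokens
        w = math.ceil(len(units) / MAX_LEN)
        units = ["".join(units[i:i + w]) for i in range(0, len(units), w)]
    fp = "".join(_symbol(u) for u in units)
    if len(fp) < MIN_LEN:                          # very short text: tile up to the minimum
        fp = (fp * math.ceil(MIN_LEN / len(fp)))[:MIN_LEN]
    return fp


def similarity(a, b):
    """Ratcliff/Obershelp ratio between the two fingerprints (0..1)."""
    return difflib.SequenceMatcher(None, fingerprint(a), fingerprint(b)).ratio()


# Constructed sample texts: a 300-token message, a near copy with one
# token replaced, and an unrelated message of the same length.
LONG_A = " ".join(f"word{i}" for i in range(300))
LONG_B = LONG_A.replace("word7 ", "spam7 ")
LONG_C = " ".join(f"item{i}" for i in range(300))

if __name__ == "__main__":
    print(len(fingerprint(LONG_A)), len(fingerprint("hello world")))
    print(f"A~B {similarity(LONG_A, LONG_B):.3f}  A~C {similarity(LONG_A, LONG_C):.3f}")
```

Fixed-size windows are alignment sensitive: inserting a single token shifts every later window and changes most of the fingerprint, which is why production near-duplicate detectors zoom out with content-defined boundaries (winnowing or rolling hashes) rather than fixed token counts.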
20150096017 | MANAGING DOMAIN NAME ABUSE - A method for providing an abuse sentry service for responding to domain name abuse is described. The method comprises the following steps. A plurality of disparate abuse feeds is received, each comprising data relating to a subset of potential domain name abuse. Filters are applied to the data to create a custom abuse feed. Data from the custom abuse feed is grouped based on priority levels. For each of the groups, one or more corresponding workflows are executed as a response to the potential domain name abuse. A computer readable medium including instructions for implementing the method is also described. | 04-02-2015 |
20150101043 | Application Identification And Dynamic Signature Generation For Managing Network Communications - Systems and methods are disclosed for application identification and dynamic signature generation for managing network communication systems. Communication sessions and related packet flows are monitored within a network communication system. Application level information is extracted from session packets by unpacking one or more communication protocols associated with the network packets to obtain application level information encapsulated within the network packets. The extracted application level information is compared to a database of known application signatures in order to identify known applications. For unknown applications, the application level information is used to generate new dynamic application signatures. The application level information can also be used to identify and access external network-accessible resources to obtain additional identification information for the unknown application. Identification information for the newly detected application can then be provided to a user along with flow control options for the newly detected application. | 04-09-2015 |
20150101044 | Event Model for Correlating System Component States - A computing device described herein is configured to receive a notification of an event associated with a plurality of system components. In response, the computing device determines a state for the system components based on a state for one of those system components specified in an event model. That specified state in the event model reflects a previous occurrence of another event. | 04-09-2015 |
20150101045 | CREATING A RELATIVELY UNIQUE ENVIRONMENT FOR COMPUTING PLATFORMS - Systems and methods for significantly disrupting both the execution and distribution capabilities of computer viruses across computer networks and devices are provided. According to one embodiment, an attempt to execute a computer program is detected by a monitoring process running on a computer system. Responsive thereto, the computer program is transformed from a locally unique form into an executable form using a diversity mechanism. In the locally unique form, semantics of the computer program are in an altered state based on the diversity mechanism. Execution of the locally unique form will fail to perform as intended unless the locally unique form is first or concurrently transformed, using the diversity mechanism, into the executable form having correct semantics. Use of the diversity mechanism differentiates an execution or loading environment of the computer system from other computer systems by affecting operational behavior of computer programs attempting to execute on the computer system. | 04-09-2015 |
20150101046 | SYSTEMS AND METHODS FOR CATEGORIZING NETWORK TRAFFIC CONTENT - A method for categorizing network traffic content includes determining a first characterization of the network traffic content, determining a first probability of accuracy associated with the first characterization, and categorizing the network traffic content based at least in part on the first characterization and the first probability of accuracy. A method for use in a process to categorize network traffic content includes obtaining a plurality of data, each of the plurality of data representing a probability of accuracy of a characterization of network traffic content, and associating each of the plurality of data with a technique for characterizing network traffic content. A method for categorizing network traffic content includes determining a characterization of the network traffic content, determining a weight value associated with the characterization, and categorizing the network traffic content based at least in part on the characterization of the network traffic content and the weight value. | 04-09-2015 |
20150106921 | MOBILE COMMUNICATOR NETWORK ROUTING DECISION SYSTEM AND METHOD - A mobile communicator network routing decision system communicating with each mobile communicator device of a plurality of mobile communicator devices, the plurality of mobile communicator devices communicating with a network via at least one computerized network gateway server, the system including security risk calculation functionality operable for calculating a calculated malware-associated risk associated with each mobile communicator device, and security risk responsive decision functionality, operating in response to the calculated malware-associated risk, for ascertaining whether to allow the communicating of each mobile communicator device with the network via the computerized network gateway server. | 04-16-2015 |
20150106922 | PARAMETER ADJUSTMENT FOR PATTERN DISCOVERY - Pattern discovery performed on event data may include selecting an initial set of parameters for the pattern discovery. The parameters may specify conditions for identifying a pattern in the event data. A pattern discovery run is executed on the event data based on the initial set of parameters, and a parameter may be adjusted based on the output of the pattern discovery run. | 04-16-2015 |
20150106923 | SECURITY METHODS AND SYSTEMS - A system/method for preventing a computer virus from accessing message addresses is described. The system comprises an interception component or client plug-in that communicates with a messaging client and a messaging server. The interception component alters messages from the server destined for the client, replacing message addresses in incoming messages with a unique identifier. The interception component also alters messages from the client destined for the server, replacing the unique identifier with the corresponding message address. A system/method for preventing keyboard sniffer programs from intercepting input, a system for preventing a computer virus from activating the send confirmation of a messaging client, a method for altering displayed objects to show encrypted data in decrypted form, and a system/method for reducing the impact of keyboard sniffer programs by altering keyboard input are also described and claimed. | 04-16-2015 |
20150106924 | ENTERPRISE-WIDE SECURITY SYSTEM FOR COMPUTER DEVICES - A system and method for securing data in mobile devices ( | 04-16-2015 |
20150106925 | SECURITY SYSTEM AND METHOD - A security system and method for the application at a self-service or financial terminal is disclosed. This system comprises at least: a peripheral device ( | 04-16-2015 |
20150106926 | USER BEHAVIORAL RISK ASSESSMENT - A predetermined particular behavioral profile is identified associated with at least one particular user of a computing system, the particular behavioral profile identifying expected behavior of the at least one user within the computing system. Activities associated with use of the computing system by the particular user are identified and it is determined whether the identified activities correlate with the particular behavioral profile. Identifying an activity that deviates from the particular behavioral profile beyond a particular threshold triggers a risk event relating to the particular user. | 04-16-2015 |
20150113637 | DATA PROCESSING ARRANGEMENT AND METHOD FOR ENSURING THE INTEGRITY OF THE EXECUTION OF A COMPUTER PROGRAM - According to one embodiment, a data processing arrangement is described comprising a processor configured to carry out a computer program including a plurality of program instructions; a signature determination arrangement configured to determine a signature of the program instructions carried out by the processor wherein the processor is configured to, when it carries out a program instruction of the plurality of program instructions which indicates the next program instruction of the plurality of program instructions to be carried out, provide information about the indication to the signature determination arrangement; wherein the signature determination arrangement is configured to take into account the information in the determination of the signature; and a detector configured to check, when the computer program is completely carried out, whether the determined signature is equal to a reference signature. | 04-23-2015 |
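The integrity check above, as an added example rather than the patent's arrangement: a tiny interpreter folds every executed instruction into a running signature and, for instructions that choose the next instruction, also folds in the chosen successor, so the final signature identifies the path taken; at the end it is compared with a reference recorded from a known-good run. The instruction set, the hash-chain construction, the PIN-check program and the instruction-skip fault model are constructed assumptions.

```python
"""Execution-path signature for a tiny interpreter (added example)."""
import hashlib

BRANCHING = {"JNZ", "JMP", "HALT"}   # instructions that indicate the next one


def _fold(sig, op, arg, nxt):
    """Fold one executed instruction into the running signature. For
    control-transfer instructions `nxt` is the chosen successor, so the
    signature records which way every branch went."""
    return hashlib.sha256(sig + f"{op}:{arg}:{nxt}".encode()).digest()


def run(program, x, skip_pc=None):
    """Execute `program` on input x and return (accumulator, signature).
    `skip_pc` models a glitch that skips the instruction at that index."""
    acc, pc, sig = 0, 0, b""
    while pc < len(program):
        op, arg = program[pc]
        if pc == skip_pc:              # faulted: neither executed nor signed
            pc, skip_pc = pc + 1, None
            continue
        nxt = pc + 1
        if op == "LOAD":
            acc = x
        elif op == "SUB":
            acc -= arg
        elif op == "SET":
            acc = arg
        elif op == "JMP":
            nxt = arg
        elif op == "JNZ":
            nxt = arg if acc != 0 else pc + 1
        elif op == "HALT":
            nxt = len(program)
        else:
            raise ValueError(op)
        sig = _fold(sig, op, arg, nxt if op in BRANCHING else "")
        pc = nxt
    return acc, sig


# Constructed PIN check: acc = x - 1234; grant only when the result is zero.
PIN_PROGRAM = [
    ("LOAD", 0),     # 0
    ("SUB", 1234),   # 1
    ("JNZ", 5),      # 2  wrong PIN -> jump to deny
    ("SET", 1),      # 3  grant
    ("HALT", 0),     # 4
    ("SET", 0),      # 5  deny
    ("HALT", 0),     # 6
]
# Reference signatures, recorded offline from the two legitimate paths.
REF_GRANT = run(PIN_PROGRAM, 1234)[1]
REF_DENY = run(PIN_PROGRAM, 0)[1]


def check_pin(x, skip_pc=None):
    """'granted' only when both the result and the execution path are right."""
    acc, sig = run(PIN_PROGRAM, x, skip_pc)
    if sig == REF_GRANT and acc == 1:
        return "granted"
    if sig == REF_DENY and acc == 0:
        return "denied"
    return "tamper"


if __name__ == "__main__":
    print("correct PIN:", check_pin(1234))
    print("wrong PIN:", check_pin(9999))
    print("wrong PIN, JNZ glitched away:", check_pin(9999, skip_pc=2),
          "(accumulator alone said", run(PIN_PROGRAM, 9999, skip_pc=2)[0], ")")
```

Skipping the conditional jump turns a wrong PIN into a grant as far as the accumulator is concerned; the missing `JNZ` entry in the signature chain is what exposes it. Because the signature covers the taken path, any data-dependent branch needs one reference per legitimate outcome (here grant and deny), which is why such schemes are applied to short, fixed-structure security routines rather than whole programs.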
20150113638 | ELECTRONIC SYSTEM FOR DETECTING AND PREVENTING COMPROMISE OF VEHICLE ELECTRICAL AND CONTROL SYSTEMS - A method for detecting threats or attacks on an automobile network, the automobile network connected to a plurality of electronic components and an attack monitoring unit including a processor, the method including: monitoring, by the processor of the attack monitoring unit, data messages transmitted on the automobile network; determining, by the processor of the attack monitoring unit, whether at least one data message among the data messages transmitted on the automobile network is a threat to one or more of the plurality of electronic components on the automobile network; and when it is determined, by the processor, that the at least one data message is a threat, performing at least one action based on the threat. | 04-23-2015 |
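The monitoring step above, as an added example and not the patent's implementation: the unit keeps an allow-list of CAN identifiers with their nominal periods and payload sizes, and flags frames with unknown identifiers, oversized payloads, or an arrival gap far shorter than the sender's cadence, which is what an injected frame looks like when the legitimate ECU keeps transmitting. The identifiers, periods, tolerance, the block/forward actions and the sample capture are constructed assumptions.

```python
"""Allow-list plus timing monitor for automotive network frames (added example)."""

# Assumed allow-list: CAN ID -> (nominal period in ms, maximum payload length)
EXPECTED = {
    0x0C1: (10.0, 8),    # e.g. a steering-angle frame at 100 Hz
    0x1A0: (20.0, 8),    # e.g. wheel speeds at 50 Hz
    0x3E8: (100.0, 4),
}
MIN_GAP_FRACTION = 0.5   # a frame arriving before half its period is suspect


class CanMonitor:
    def __init__(self, expected=EXPECTED, min_gap_fraction=MIN_GAP_FRACTION):
        self.expected = expected
        self.min_gap_fraction = min_gap_fraction
        self.last_seen = {}      # can_id -> timestamp of the last *accepted* frame
        self.alerts = []

    def inspect(self, ts_ms, can_id, data):
        """Return an (action, reason) pair for one frame."""
        if can_id not in self.expected:
            return self._alert(ts_ms, "block", f"unknown id 0x{can_id:03X}")
        period, max_len = self.expected[can_id]
        if len(data) > max_len:
            return self._alert(ts_ms, "block",
                               f"0x{can_id:03X} oversized payload ({len(data)} bytes)")
        if can_id in self.last_seen:
            gap = ts_ms - self.last_seen[can_id]
            if gap < period * self.min_gap_fraction:
                # An injected frame lands between two legitimate ones; the
                # real ECU keeps its cadence, so the gap is far too short.
                return self._alert(ts_ms, "block",
                                   f"0x{can_id:03X} injected: {gap:.1f} ms after last frame "
                                   f"(period {period:.0f} ms)")
        self.last_seen[can_id] = ts_ms   # only accepted frames set the cadence
        return ("forward", "")

    def _alert(self, ts_ms, action, reason):
        self.alerts.append((ts_ms, reason))
        return (action, reason)


# Constructed capture: (timestamp ms, CAN id, payload)
CAPTURE = [
    (0.0,  0x0C1, bytes.fromhex("0010000000000000")),
    (10.1, 0x0C1, bytes.fromhex("0011000000000000")),
    (12.0, 0x0C1, bytes.fromhex("7fff000000000000")),   # injected steering value
    (20.0, 0x0C1, bytes.fromhex("0012000000000000")),
    (20.5, 0x1A0, bytes.fromhex("1234123412341234")),
    (21.0, 0x7DF, bytes.fromhex("021003")),             # unexpected diagnostic request
    (40.4, 0x1A0, bytes.fromhex("1235123512351235")),
    (50.0, 0x3E8, bytes.fromhex("0102030405")),         # 5 bytes on a 4-byte frame
]


def scan(capture):
    """Run the monitor over a capture and return its alerts."""
    mon = CanMonitor()
    for ts, cid, data in capture:
        mon.inspect(ts, cid, data)
    return mon.alerts


if __name__ == "__main__":
    for ts, reason in scan(CAPTURE):
        print(f"{ts:6.1f} ms  {reason}")
```

Timing catches injection from a second node while the legitimate sender is still alive; it cannot tell a compromised ECU that sends its own identifier at the normal cadence from a healthy one, which is where per-node physical-layer fingerprinting or message authentication (SecOC-style MACs) has to take over.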
20150113639 | DELIVERY OF CONTEXTUAL DATA TO A COMPUTING DEVICE WHILE PRESERVING DATA PRIVACY - A method, device, system, or article of manufacture is provided for improved delivery of contextual data to a computing device while preserving data privacy. In one embodiment, a method comprises sending, from a first computing device, to a second computing device, first communication data; receiving, at the first computing device, from the second computing device, second communication data; in response to determining that a data privacy attribute of the second computing device is the same as a predetermined data privacy attribute, determining to protect the second communication data, including: converting the first communication data to a first set of text; converting the second communication data to a second set of text; and applying a privacy filter to the first set of text to generate a first set of filtered text, wherein the privacy filter removes any text that is associated with the second set of text; determining a first keyword from the first set of filtered text; sending, from the first computing device, to a computer, the first keyword; and receiving, at the first computing device, from the computer, contextual data associated with the first keyword. | 04-23-2015 |
20150113640 | METHOD AND APPARATUS FOR PROGRAM FLOW IN SOFTWARE OPERATION - The present disclosure provides a description of a computer implemented method and system for protecting a software program from attack during runtime. The system comprises a plurality of software blocks for providing desired functions during execution of a software program and a trusted address server having a table for mapping predetermined source tokens to destination tokens. The trusted address server couples each of the plurality of software blocks for receipt of predetermined source tokens from any one of the plurality of software blocks, while returning a mapped destination token from the predetermined destination tokens to said any one of the plurality of software blocks in dependence upon the table for mapping predetermined source tokens to destination tokens. | 04-23-2015 |
20150113641 | PLUG-IN ANTI-REGENERATION METHOD, SYSTEM, AND STORAGE MEDIUM - The present invention provides a plug-in anti-regeneration method, system and storage medium. The method comprises: obtaining a plug-in anti-regeneration filter feature set; determining whether a to-be-installed plug-in matches the filter features in the set; and preventing the plug-in from being installed if it matches. The present invention further provides a corresponding plug-in anti-regeneration system. The method, system and storage medium can prevent the regeneration of the plug-in and thereby facilitate the use of the computer. | 04-23-2015 |
20150113642 | METHOD AND SYSTEM FOR PREVENTING UNAUTHORIZED PROCESSOR MODE SWITCHES - A system comprising a processor adapted to activate multiple security levels for the system and a monitoring device coupled to the processor and employing security rules pertaining to the multiple security levels. The monitoring device restricts usage of the system if the processor activates the security levels in a sequence contrary to the security rules. | 04-23-2015 |
20150121518 | PRIVILEGED ANALYTICS SYSTEM - A computer-implemented method for determining whether a computer network is compromised by unauthorized activity on the computer network. The computer-implemented method comprises identifying a behavioral anomaly of an entity on the computer network, classifying the anomaly as a system event based on an assigned score for the anomaly being at least at a predetermined score threshold, updating an incident based on at least one common parameter between the system event and other system events which comprise the incident, each system event of the incident including an assigned score from when the event was an anomaly, updating a system status based on at least the incident, and assigning a system status score to the system status, and, determining whether the system status score is at least at a predetermined threshold system status score indicating that the computer network may be compromised. | 04-30-2015 |
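The scoring chain above, as an added example that is not the patent's code: an anomaly becomes a system event when its score reaches a threshold, events sharing a common parameter are grouped into an incident that keeps each event's original score, and the system status is re-scored from the open incidents. The score values, the two thresholds, the choice of the entity as the common parameter, the use of the strongest incident as the status score and the sample anomalies are constructed assumptions.

```python
"""Anomaly -> system event -> incident -> system status pipeline (added example)."""
from dataclasses import dataclass, field

EVENT_SCORE_THRESHOLD = 50        # an anomaly becomes a system event at/above this
STATUS_SCORE_THRESHOLD = 150      # status score at which the network may be compromised


@dataclass
class Anomaly:
    entity: str      # the account or host the behaviour is attributed to
    kind: str
    score: int       # assigned when it was detected as an anomaly
    ts: float


@dataclass
class Incident:
    key: str                                   # common parameter: the entity
    events: list = field(default_factory=list)

    @property
    def score(self):
        return sum(e.score for e in self.events)   # each event keeps its anomaly score


class PrivilegedAnalytics:
    def __init__(self):
        self.incidents = {}
        self.status_score = 0
        self.status = "normal"

    def ingest(self, anomaly):
        """Classify, correlate and re-score; returns the updated system status."""
        if anomaly.score < EVENT_SCORE_THRESHOLD:
            return self.status                  # stays an anomaly, not a system event
        incident = self.incidents.setdefault(anomaly.entity, Incident(anomaly.entity))
        incident.events.append(anomaly)
        # system status score: the strongest open incident (assumption)
        self.status_score = max(i.score for i in self.incidents.values())
        self.status = ("possibly compromised"
                       if self.status_score >= STATUS_SCORE_THRESHOLD else "normal")
        return self.status


SAMPLE = [   # constructed sequence of anomalies
    Anomaly("svc-backup", "privileged logon from new host", 60, 1.0),
    Anomaly("svc-backup", "off-hours activity", 30, 2.0),        # below threshold
    Anomaly("alice", "first use of sudo", 60, 3.0),
    Anomaly("svc-backup", "RDP to domain controller", 70, 4.0),
    Anomaly("svc-backup", "bulk LDAP enumeration", 55, 5.0),
]


def replay(anomalies=SAMPLE):
    """Feed the sample through the pipeline; returns (analytics, status trace)."""
    pa = PrivilegedAnalytics()
    trace = [pa.ingest(a) for a in anomalies]
    return pa, trace


if __name__ == "__main__":
    pa, trace = replay()
    print(trace)
    for key, inc in pa.incidents.items():
        print(key, inc.score, [e.kind for e in inc.events])
```

Grouping on a single parameter means a lateral-movement chain that hops between accounts never accumulates into one incident; in practice the correlation key is chosen per event type (source host for logons, target host for remote sessions) and incidents are merged when they share any key.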
20150121519 | SYSTEM AND METHOD FOR MONITORING AND CONTROLLING A PERFORMANCE STATE CHANGE - The present disclosure relates to a method and system for securing a performance state change of one or more processors. A disclosed method includes detecting a request to change a current performance state of a processor to a target performance state, and adjusting an operating level tolerance range of the current performance state to include operating levels associated with a transition from the current performance state to the target performance state. A disclosed system includes an operating system module operative to transmit a request for a performance state change of at least one processing core. The system includes performance state control logic operative to change the performance state of the at least one processing core based on the request. The system further includes performance state security logic operative to adjust, in response to the request, an operating level tolerance range of the current performance state to include operating levels associated with a transition from the current performance state to the target performance state. | 04-30-2015 |
20150121520 | SYSTEM AND METHOD FOR SECURITY PROCESSOR CONTROL OVER CPU POWER STATES - The present disclosure presents methods and apparatuses for controlling a power state, which may include a C-state, of one or more processing cores of a processor. In an aspect, an example method of securing a power state change of a processor is presented, the method including the steps of receiving a power state change request from the processor, the processor having a plurality of potential power states each including an operating power profile; determining a power state change request mode associated with the processor; forwarding the power state change request to a security processor where the power state change request mode is a one-time request mode; receiving a power state change request response from the security processor in response to the request; and adjusting the current power state of the processor to the target power state where the power state change request response comprises a power state change approval. | 04-30-2015 |
20150121521 | CONTENT SCREENING METHOD, APPARATUS AND SYSTEM - A content screening method, apparatus and system are provided for a content screening component to verify the trust relationship and the categorization standard used by a categorization component. A method includes the following steps: the content screening component receives a categorized content; and when determining that a first categorization component that categorizes the content is trustworthy according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content. Another method includes the following step: when determining that the categorization component that categorizes the content uses the same categorization standard as the content screening component according to the information of the categorization component carried in the categorized content, the content screening component screens the content by the content category carried in the categorized content. | 04-30-2015 |
20150128259 | SOFTWARE DISTRIBUTION SYSTEM AND SOFTWARE DISTRIBUTION METHOD - A software distribution system comprises a computer, a first distribution device and a second distribution device. The computer includes a first software reception unit configured to receive the software, a second software reception unit configured to receive the test program corresponding to the software, and a software execution unit configured to merge the software, described in an executable format, with the test program and execute the result. The second software reception unit attempts to acquire a test program corresponding to the software at the time the first software reception unit receives the software, and makes repeated attempts at a predetermined interval when the test program cannot be acquired; the software execution unit merges the software and the test program at the time the second software reception unit receives the test program. | 05-07-2015 |
20150128260 | METHODS AND SYSTEMS FOR CONTROLLING COMMUNICATION IN A VIRTUALIZED NETWORK ENVIRONMENT - Methods and related systems for controlling communication between Network Virtualization Edges (NVEs) in a network virtualization domain are provided. The methods generally involve the generation and transmission, by a Network Virtualization Authority (NVA), of a list of participating NVEs to the NVEs on that list, and the selective processing by the NVEs of messages received from other NVEs. By limiting NVE-to-NVE communication to NVEs on the list, attacks on the network can be mitigated. | 05-07-2015 |
20150128261 | SAFE FILE TRANSMISSION AND REPUTATION LOOKUP - A method of safe file transmission and reputation lookup is provided. As a part of the safe file transmission and reputation lookup methodology, a data file that is to be made available to a data file receiver is accessed and it is determined whether the data file needs to be provided a protective file. The data file is wrapped in a protective file to create a non-executing package file. Access is provided to the non-executing package file where the associated data file is prevented from being executed until data file reputation information is received. | 05-07-2015 |
20150135311 | VIRTUAL MACHINE VALIDATION - A system, method, and computer program product for providing validation of the compliance of a trusted host environment with a requirement of a virtual machine (VM). The system includes: a store component for cryptographically storing configuration data associated with the trusted host environment in at least one cryptographic data structure; a send component, responsive to the store component storing the configuration data, for sending the at least one cryptographic data structure to a control component; an analyse component, responsive to the control component receiving the at least one cryptographic data structure, for analysing the at least one cryptographic data structure; a compare component, responsive to the analyse component determining the configuration data, for comparing the configuration data with the requirement; and a verify component, responsive to the compare component determining that the configuration data matches the requirement, for allowing verification of the VM. | 05-14-2015 |
20150135312 | SERVICE PERFORMANCE MONITORING METHOD - A monitoring system for monitoring a service execution infrastructure that provides a service to client computers via a network manages baselines of component monitoring values per load of the service provided by the infrastructure, and uses the baselines depending on the current service load. When detecting an abnormality of a service monitoring value or component monitoring value by use of the baselines, the monitoring system compares events from a predetermined number of minutes ago up to now with events in the baseline time zone, thereby identifying a differential event (a non-normal recent event). | 05-14-2015 |
20150135313 | Control Flow Integrity System and Method - An improved CFI system and method is described that provides security from attacks that hijack computer software. The improved CFI system and method inserts two tags to perform label identification. The first tag is positioned before any instruction that would result in an indirect control flow transfer and requires the program to execute a check. The second tag is located before the first line of any legitimate transfer destination and, when discovered by the tag check, allows the program to carry out the indirect transfer. This tag orientation does not prevent transfers to targets other than the origin instruction's specific intended destination, but limits transfers to destinations that begin with the proper label. Although an incorrect address may be called, it will be within the software program's set of legitimate indirect transfer targets. Attempts to exploit or reroute indirect transfers outside of the established control flow are eliminated. | 05-14-2015 |
20150135314 | MANAGING DOMAIN NAME ABUSE - A computer-implemented method for automatically responding to domain name abuse is described. The method comprises the following steps. A plurality of disparate abuse feeds are received from a plurality of service providers. Each of the service providers is configured to collect information regarding a subset of potential domain name abuse, and each abuse feed comprises data identifying domain names associated with that subset of potential domain name abuse. The data is filtered to create a custom abuse feed comprising a selected portion of the plurality of disparate abuse feeds. The filtered data from the custom abuse feed is grouped into groups of data based on predefined priority levels of the filtered data. For each of the groups of data, one or more corresponding workflows are executed as a response to the potential domain name abuse, wherein the workflow includes temporarily suspending a domain associated with the potential domain name abuse. | 05-14-2015 |
20150143516 | SESSION HOPPING - Method for communicating in a computer network from a first node ( | 05-21-2015 |
20150143517 | SECURITY ARCHITECTURE FOR MALICIOUS INPUT - A computing device detects and mitigates malicious input at the point of origin before such input enters a communication network. The computing device receives, at an operating system kernel, a first input string and stores, in a cache accessible to the kernel, a copy of the first input string. The computing device receives, by the operating system kernel, a second input string and compares the copy of the first input string and the second input string for redundancy before committing the second input string to an application or communication interface. The computing device rejects the second input when the comparison indicates that the copy of the first input string and the second input string are redundant. | 05-21-2015 |
20150143518 | DATA LOSS PREVENTION OF INFORMATION USING STRUCTURED DOCUMENT TEMPLATES AND FORMS - A method and apparatus for identifying information as protected information using a structure is described. A DLP system, incorporating a structure analyzer, monitors outbound data transfers performed by the computing system for violations of a DLP policy. The DLP system analyzes a structure of information contained in an outbound data transfer against a protected structure defined in a DLP policy. The DLP system identifies the information as protected information to be protected by the DLP policy based on the analysis, and, when the information is identified as protected, the DLP system detects a violation of the DLP policy. The protected structure may be derived from document templates, document forms, or from a set of training documents. | 05-21-2015 |
20150143519 | DETECTION OF POTENTIALLY COPYRIGHTED CONTENT IN USER-INITIATED LIVE STREAMS - Systems and methods for modifying a presentation of media content in response to a detected violation are provided. In particular, media content such as a media stream broadcast by a user to other users can be monitored. The broadcast media stream can be fingerprinted and compared to a fingerprint repository that includes entries associated with media content that is copyrighted or otherwise considered a violation. If the fingerprint matches entries included in the fingerprint repository, then the media stream can be modified, for example by terminating it. | 05-21-2015 |
20150143520 | DISTRIBUTED NETWORK PROTECTION - A method and system for processing frames transmitted in a network including nodes and network segments connecting the nodes. Frames transmitted over network segments are detected. Frame information from each detected frame is stored in a frame information repository. A stored hierarchical data structure includes vectors specifying frame information defining frames permitted in the network, classes including vectors with constraints on the vectors, and patterns including classes with constraints on the classes. The frame information in the detected frames may not match the frame information specified in the vectors. The vectors, if matched by the frame information in the detected frames, may not satisfy the constraints in the classes. The vectors, if matched by the frame information in the detected frames, may satisfy the constraints in the classes, and the classes whose constraints are satisfied by the matched vectors may not satisfy the constraints in the patterns. | 05-21-2015 |
20150150123 | COORDINATED DETECTION AND DIFFERENTIATION OF DENIAL OF SERVICE ATTACKS - According to one embodiment, an analyzer module (AM) within a same protected network and on-premise with a web application server (WAS) detects and distinguishes between types of Denial-of-Service (DoS) attacks. The AM tracks whether test HTTP messages, which include test HTTP request messages that a signal generation module (SGM) is configured to transmit to the WAS and test HTTP response messages that the WAS is expected to transmit in response to the test HTTP request messages, are timely received. The AM is aware of a timeliness that the SGM is expected to transmit the test HTTP request messages and that the WAS is expected to transmit the test response HTTP messages. The AM detects an occurrence of a DoS attack and identifies the type of the DoS attack based upon the result of the tracking indicating that a number of the test HTTP messages have not been timely received. | 05-28-2015 |
20150150124 | CLOUD-ASSISTED THREAT DEFENSE FOR CONNECTED VEHICLES - In an example embodiment herein, methods and a system for cloud-assisted threat defense for connected vehicles are provided. A vehicle suitably includes an on-board computer system for operating and/or controlling various systems on the vehicle. The on-board computer system suitably operates in connection with, or includes, an on-board threat defense module for detecting and protecting against malware attacks and other security threats to the vehicle. In an example embodiment, a cloud-based security component, or security cloud, assists with the detection of and protection against security threats and malware attacks on the vehicle while minimizing the processing load and memory requirements of the on-board threat defense module. | 05-28-2015 |
20150150125 | CORRELATION BASED SECURITY RISK IDENTIFICATION - Methods and systems are disclosed for identifying security risks arising from credentials existing on machines in the networks that enable access to other machines on the networks. Account credential indications are retrieved from machines in the network, which indicate that credentials for accounts are stored on those machines. Access rights for accounts are collected, describing the access and operation permissions of these accounts on machines in the networks. A correlation is then performed to identify machines that can be accessed by employing credentials of accounts retrieved from other machines in the network. | 05-28-2015 |
20150150126 | COMPUTER DEVICE AND METHOD FOR ISOLATING UNTRUSTED CONTENT - A computer system and method are provided to intercept a task from a primary user account | 05-28-2015 |
20150150127 | METHOD OF VERIFYING INTEGRITY OF ELECTRONIC DEVICE, STORAGE MEDIUM, AND ELECTRONIC DEVICE - Disclosed herein are techniques for verifying the integrity of an electronic device. A normal world virtual processor and a secure world virtual processor are instantiated. An integrity verification agent is executed by the secure world virtual processor. A kernel operation attempted by the normal world virtual processor is intercepted by the secure world virtual processor. | 05-28-2015 |
20150150128 | METHOD AND APPARATUS FOR INTERCEPTING OR CLEANING-UP PLUGINS - The present invention discloses a method and apparatus for intercepting or cleaning-up plugins. The methods may include: obtaining performance attributes of a plugin; determining if the plugin meets a performance criterion based on the obtained performance attributes and empirical data; and intercepting or cleaning-up the plugin if the plugin does not meet the performance criterion. In accordance with embodiments of the present invention, the performance attributes of a plugin can be evaluated to determine whether the plugin meets a preset performance criterion, and the plugin can then be processed according to the result of the determination. | 05-28-2015 |
20150295893 | EXTERNAL LINK PROCESSING - A system and method of external link processing is disclosed. The system includes an interface configured to receive a user request to access an encoded external link in networked content. The encoded external link comprises a domain name of an external link server and an encoded portion which is an encoded result of an original external link encoded with an encoding function, wherein the original external link is an address to an external destination. One or more processors determine a safety level of the encoded external link using a criterion. In the event that the determined safety level of the encoded external link is determined unsafe, a warning message is generated indicating that the original external link is unsafe and the user is prevented from directly navigating to the original external link. | 10-15-2015 |
20150295946 | SYSTEM AND METHOD FOR HANDLING ROGUE DATA PACKETS - The present disclosure is directed towards a system and method for handling rogue data packets. The method may include receiving, using one or more processors, a first data packet having header information associated therewith. The method may further include obtaining, from the header information, sequence number, timestamp and synchronization source identifier information. The method may also include detecting one or more rogue data packets, based upon, at least in part, at least one of the sequence number, timestamp and synchronization source identifier information. | 10-15-2015 |
20150295951 | METHOD, SERVER, AND SYSTEM FOR AUTOMATICALLY RATING REPUTATION OF A WEB SITE - The present disclosure discloses a method, server, and system for automatically rating the reputation of a web site, wherein the method comprises: when a web address of the web site is triggered and intercepted, detecting whether the web address of the web site is a malicious web address or a non-malicious web address; compiling statistics on the number of malicious and non-malicious visits to the web addresses under the web site during a predefined time period and saving the statistics to a database; and reading records from the database and calculating an average reputation of the web site by weighting the statistics of visits to the web site during the predefined time period against historical statistics. The present disclosure is able to mark the reputation of a web site promptly and efficiently, thus improving the security of using the network. | 10-15-2015 |
20150301570 | DETECTION OF MALWARE THROUGH VOLTAGE MEASUREMENTS OF FIELD PROGRAMMABLE GATE ARRAY - Technologies are generally described to detect malware on field programmable gate arrays (FPGAs). In some examples, a power map of an FPGA executing coprocessors may be created by determining voltages associated with distinct areas within the FPGA. The power map may then be compared with expected activity information associated with the executing coprocessors to determine whether any mismatches occur, such as detected power usage where no power usage is expected. Mismatches may indicate the presence of malware executing on the FPGA. | 10-22-2015 |
20150302184 | COMPUTER SECURITY SYSTEM AND METHOD - A method is provided for protecting a computer system, comprising creating an isolated process, then assigning a first process group to the process; creating an additional group process within the first process group; performing a first determination by an application programming interface (API) that the additional group process is within the first process group, and as a result of the first determination, causing the additional group process to inherit and duplicate a handle of the process. Process communications and control within isolated groups is permitted freely, whereas process control by an isolated process for non-isolated processes or isolated processes in different groups is constrained or prohibited. | 10-22-2015 |
20150302191 | PROGRAM EXECUTION APPARATUS AND PROGRAM ANALYSIS APPARATUS - A countermeasure process for a vulnerability is executed reliably before an attack aimed at the vulnerability occurs. A vulnerability countermeasure processing unit performs a countermeasure process for the vulnerability of a vulnerable library function, being a general-purpose library function that has a vulnerability among the general-purpose library functions included in a general-purpose library. A countermeasure selection unit, when a call to the vulnerable library function is requested during execution of a Web application, makes the vulnerability countermeasure processing unit perform the countermeasure process for the vulnerability of the vulnerable library function, and after the countermeasure process has been performed by the vulnerability countermeasure processing unit, calls the vulnerable library function. | 10-22-2015 |
20150302194 | METHOD FOR PROTECTING AN ELECTRONIC TERMINAL, CORRESPONDING COMPUTER PROGRAM AND ELECTRONIC TERMINAL - A method is provided for protecting an electronic terminal. The method includes: activating a state of monitoring the terminal; in the state of monitoring, detecting a manipulation of the terminal and causing the terminal to pass to a so-called suspect state, representative of a risk of attempted fraudulent use of the terminal; in the suspect state, triggering a reaction by the terminal, the reaction of the terminal including updating an alert level representative of a probability of attempted fraudulent use of the terminal, and implementing at least one reactive action dependent on the alert level. | 10-22-2015 |
20150302201 | DEVICE AND METHOD FOR PROCESSING TRANSACTION REQUEST IN PROCESSING ENVIRONME |