Entries |
Document | Title | Date |
20080201778 | INTRUSION DETECTION USING SYSTEM CALL MONITORS ON A BAYESIAN NETWORK - Selected system calls are monitored to generate frequency data that is input to a probabilistic intrusion detection analyzer which generates a likelihood score indicative of whether the system calls being monitored were produced by a computer system whose security has been compromised. A first Bayesian network is trained on data from a compromised system and a second Bayesian network is trained on data from a normal system. The probabilistic intrusion detection analyzer considers likelihood data from both Bayesian networks to generate the intrusion detection measure. | 08-21-2008 |
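The likelihood-score idea in the entry above, as an added example that is not from the patent or this listing: two models are trained on system-call frequency data (one from a compromised host, one from a normal host) and a trace is scored by the log-likelihood ratio between them. The Bayesian networks are reduced here to independent per-syscall nodes (a naive Bayes simplification, an assumption of this example), and the training traces are constructed, not real data.

```python
import math
from collections import Counter

# Constructed training traces (illustrative, not captured from real hosts):
# sequences of system-call names from a known-normal and a known-compromised host.
NORMAL_TRACES = [
    ["read", "write", "read", "stat", "open", "close", "read", "write"],
    ["read", "read", "write", "mmap", "open", "close", "stat", "read"],
]
COMPROMISED_TRACES = [
    ["socket", "connect", "execve", "fork", "execve", "write", "socket", "connect"],
    ["fork", "execve", "socket", "connect", "read", "execve", "socket", "write"],
]
SYSCALLS = sorted({s for t in NORMAL_TRACES + COMPROMISED_TRACES for s in t})


def train(traces, alpha=1.0):
    """Per-syscall log-probabilities with Laplace smoothing.
    Each syscall is an independent node, i.e. a naive-Bayes network."""
    counts = Counter(s for t in traces for s in t)
    total = sum(counts.values()) + alpha * len(SYSCALLS)
    return {s: math.log((counts[s] + alpha) / total) for s in SYSCALLS}


def log_likelihood(model, freq):
    """Log P(frequency vector | model); unseen syscalls get a floor probability."""
    floor = math.log(1e-9)
    return sum(n * model.get(s, floor) for s, n in freq.items())


def intrusion_score(trace, normal_model, compromised_model):
    """Log-likelihood ratio of the monitored trace.
    Positive: the trace looks more like the compromised host; negative: like the normal host."""
    freq = Counter(trace)
    return log_likelihood(compromised_model, freq) - log_likelihood(normal_model, freq)


NORMAL_MODEL = train(NORMAL_TRACES)
COMPROMISED_MODEL = train(COMPROMISED_TRACES)

if __name__ == "__main__":
    for trace in (["read", "write", "stat", "open", "close"],
                  ["socket", "connect", "execve", "fork"]):
        print(trace, round(intrusion_score(trace, NORMAL_MODEL, COMPROMISED_MODEL), 2))
```

In practice the threshold on the score is tuned against a held-out set of both classes, and the frequency window (number of calls per vector) is chosen so that short bursts of benign process spawning do not dominate the ratio.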
20080201779 | AUTOMATIC EXTRACTION OF SIGNATURES FOR MALWARE - Method for the automatic generation of malware signatures from computer files. A common function library (CFL) is created, wherein the CFL contains any functions identified as part of the standard computer language used to write computer files which are known not to contain malware. The functions of a computer file which does contain malware are extracted and the CFL is updated with any new common functions if necessary, such that the remaining functions are all considered as candidates for generating the malware signature. The remaining functions are divided into clusters according to their location in the file and the optimal cluster for generating the malware signature is determined. One or more of the functions in the optimal cluster is selected randomly as the malware signature. | 08-21-2008 |
20080209557 | SPYWARE DETECTION MECHANISM - A system and method that facilitates and effectuates detection of malware secreted and/or hidden in plain sight on a machine. The system and method in order to achieve its aims generates a list of all loaded modules, identifies from the list a set of modules common to more than a threshold number of processes, and eliminates from the list those modules included in an authentication list. The resultant list is prioritized based, in one instance, on the number of occurrences a particular module makes in the resultant list, and thereafter the list is distributed to analyst workstations. | 08-28-2008 |
20080209558 | Self-defensive protected software with suspended latent license enforcement - A method and system of computer program modules for extending the cover time of protection for a licensed software product, by increasing the difficulty and time required for an attacker to produce a workable cracked version of the program. When an attack is detected, critical information about the effectiveness of the attack is withheld from the attacker by simulating the behavior of a cracked program, thereby inducing the attacker to prematurely consider the attack successful. Latent license enforcement features are provided, whose activation is suspended until predefined environmental conditions are met. | 08-28-2008 |
20080209559 | Method for detecting that a protected software program is cracked - A method for determining if a software program having a protective envelope has been cracked, and signaling an indication thereof. A direct determination is made of whether the protective envelope is intact or has been compromised by an attack, without requiring a license violation to occur. Executable code in the protective envelope generates an envelope confirmation which is validated by executable code in the program itself. Any disabling or separation of the envelope from the program will be detectable by the program at validation time. Provisions are made for a secure envelope confirmation, the use of arguments as input to the confirmation generation, and for incorporating information related to the computer and user to facilitate identifying the attacker. Signaled indications can include network messaging to alert the licensor that the program has been cracked. | 08-28-2008 |
20080209560 | Active intrusion resistant environment of layered object and compartment key (airelock) - A secure infrastructure system and method with user transparent signaling for communicating detection of signals at a network node having characteristics of a potential attack and for controlling communications at a node from another node in response to the user transparent signals. A processor is connected to routers and the network through an encryption engine and includes a manager object to issue control commands to nodes of a locally lower hierarchical tier and managed objects to detect potential attacks and exercise control over the routers responsive to signals from a node of a locally higher hierarchical tier. Faults or potential attacks are compartmentalized to a node or sector of the network and isolated while normal communications are continued over redundant network links. | 08-28-2008 |
20080209561 | METHOD, COMPUTER SOFTWARE, AND SYSTEM FOR PROVIDING END TO END SECURITY PROTECTION OF AN ONLINE TRANSACTION - A method for implementing an online transaction security product includes downloading an online transaction security product program from a web site to an information handling system. The security product program includes an anti-malicious code program configured to detect malicious code on the information handling system. Lastly, the security product program is executed, wherein the anti-malicious code program of the security product program operates to detect malicious code on the information handling system. | 08-28-2008 |
20080222724 | PREVENTION OF DENIAL OF SERVICE (DoS) ATTACKS ON SESSION INITIATION PROTOCOL (SIP)-BASED SYSTEMS USING RETURN ROUTABILITY CHECK FILTERING - A device receives an attack on a Session Initiation Protocol (SIP)-based device, determines a type of the attack, and applies, based on the determined type of the attack, a return routability check filter to the attack. | 09-11-2008 |
20080222725 | GRAPH STRUCTURES AND WEB SPAM DETECTION - A SPAM detection system is provided. The system includes a graph clustering component to analyze web data. A link analysis component can be associated with the graph clustering component to facilitate SPAM detection in accordance with the web data. | 09-11-2008 |
20080222726 | NEIGHBORHOOD CLUSTERING FOR WEB SPAM DETECTION - A SPAM detection system is provided. The system includes a graph clustering component to analyze web data. A link analysis component can be associated with the graph clustering component to facilitate SPAM detection in accordance with the web data. | 09-11-2008 |
20080222727 | SYSTEMS AND METHODS FOR PREVENTING INTRUSION AT A WEB HOST - A web host intrusion prevention system includes a filter engine [ | 09-11-2008 |
20080229418 | System and Method to Customize a Security Log Analyzer - Systems and methods adapted to customize a security log analyzer to recognize a security log, the system including at least one network security device for processing data traffic on a data network, the network security device associated with at least one computing device, and adapted to generate a security log, the system further including rule builder software adapted to generate a rule for recognizing at least one item in a security log and a log analyzer adapted to apply the rule in analyzing a security log. | 09-18-2008 |
20080235798 | METHOD FOR FILTERING JUNK MESSAGES - A method of filtering junk messages has the steps of generating an implicit code, adding the implicit code to an message to be sent to an addressee, sending the message with the implicit code and a sender's address to the addressee from a sender, and determining whether the implicit code in the message matches a local reference code corresponding to a sender being recorded in an addressee's contact list. The message is correctly received in a normal message box if the implicit code matches the local reference code, otherwise the message is blocked. | 09-25-2008 |
20080235799 | Network Attack Signature Generation - Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated. | 09-25-2008 |
20080244741 | Intrusion event correlation with network discovery information - A policy component comprises policy configuration information. The policy configuration information contains one or more rules. Each rule and group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusion events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria are satisfied based on the correlation, a policy violation event may be issued by the system resulting in alerts or remediations. | 10-02-2008 |
20080244742 | Detecting adversaries by correlating detected malware with web access logs - An automated arrangement for detecting adversaries is provided by examining a log that contains records of communications into and out of the enterprise network upon the detection of a security incident by which a host computer on an enterprise network becomes compromised. The log is analyzed over a window of time starting before the occurrence of the detected security incident to identify the web site URIs (Uniform Resource Identifiers) and IP (Internet Protocol) addresses (collectively “resources”) that were respectively accessed by the compromised host and/or from which traffic was received by the compromised host. When other host computers in the enterprise are detected as being compromised, a similar analysis is performed and the results of all the analyses are correlated to identify one or more resources that are common to the logged communications of all the compromised machines. | 10-02-2008 |
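The correlation described in the entry above, as an added example that is not from the patent or this listing: for each compromised host, the proxy log is scanned over a window ending at the incident time, the contacted resources (reduced to host names here) are collected, and the per-host sets are intersected. The log format and the log lines are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed proxy-log lines, one per request: "<ISO time> <client_ip> <method> <uri>".
PROXY_LOG = """\
2008-03-01T09:00:00 10.0.0.5 GET http://news.example.org/index.html
2008-03-01T09:05:00 10.0.0.5 GET http://cdn.example.net/update.exe
2008-03-01T09:06:00 10.0.0.5 GET http://mail.example.com/inbox
2008-03-01T10:00:00 10.0.0.7 GET http://weather.example.org/today
2008-03-01T10:20:00 10.0.0.7 GET http://cdn.example.net/update.exe
2008-03-01T11:00:00 10.0.0.9 GET http://cdn.example.net/update.exe
2008-03-01T11:30:00 10.0.0.9 GET http://news.example.org/index.html
2008-03-02T08:00:00 10.0.0.5 GET http://news.example.org/index.html
"""

# Constructed incidents: (compromised host, time the compromise was detected).
INCIDENTS = [
    ("10.0.0.5", "2008-03-01T09:30:00"),
    ("10.0.0.7", "2008-03-01T10:30:00"),
    ("10.0.0.9", "2008-03-01T11:40:00"),
]


def parse_log(text):
    """Yield (timestamp, client_ip, uri) for each log line."""
    for line in text.splitlines():
        ts, ip, _method, uri = line.split(" ", 3)
        yield datetime.fromisoformat(ts), ip, uri


def resource_of(uri):
    """Reduce a URI to the host name; IPs would be handled the same way."""
    return uri.split("/")[2]


def resources_before(entries, host_ip, incident_time, window):
    """Resources the host contacted in [incident_time - window, incident_time]."""
    start = incident_time - window
    return {resource_of(uri) for ts, ip, uri in entries
            if ip == host_ip and start <= ts <= incident_time}


def common_resources(log_text=PROXY_LOG, incidents=INCIDENTS, window_hours=1):
    """Resources common to the pre-incident traffic of every compromised host."""
    entries = list(parse_log(log_text))
    window = timedelta(hours=window_hours)
    per_host = [resources_before(entries, ip, datetime.fromisoformat(t), window)
                for ip, t in incidents]
    return set.intersection(*per_host) if per_host else set()


if __name__ == "__main__":
    print(common_resources())
```

With only two or three compromised hosts the intersection will still contain popular benign sites; in practice the candidate set is ranked against how many uncompromised hosts also contacted each resource in the same window.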
20080244743 | Computer System Architecture And Method Providing Operating-System Independent Virus-, Hacker-, and Cyber-Terror Immune Processing Environments - Information appliance, computing device, or other processor or microprocessor based device or system provides security and anti-viral, anti-hacker, and anti-cyber terror features, and can automatically create multiple sequentially or concurrently and intermittently isolated and/or restricted computing environments to prevent viruses, malicious or other computer hacking, computer or device corruption and failure by using these computing environments in conjunction with restricted and controlled methods of moving and copying data, combined with a process that destroys malicious code located in computing environments and data stores. | 10-02-2008 |
20080244744 | METHOD FOR TRACKING MACHINES ON A NETWORK USING MULTIVARIABLE FINGERPRINTING OF PASSIVELY AVAILABLE INFORMATION - A method for tracking machines on a network of computers. The method includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware finger print to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware finger print with the unknown host, and determining if the unknown host is the malicious host. | 10-02-2008 |
20080244745 | METHOD AND APPARATUS FOR VERIFYING THE INTEGRITY AND SECURITY OF COMPUTER NETWORKS AND IMPLEMENTING COUNTER MEASURES - A system securing a computer network having various devices connected thereto. The system includes a security subsystem connected to the devices in the network, a master security system, and a first communication medium connected between the security subsystem and the master security system. The network devices generate event messages when under attack. The security subsystem generates multiple views, each view including a subset of the event messages generated by the devices. The security subsystem includes an event analyzer, which analyzes the event messages across multiple views to determine if any of the associated events exceeds a predetermined threshold. The master security system receives the associated events, which exceed the predetermined threshold, from the security subsystem through the first communication medium. | 10-02-2008 |
20080250498 | Method, Device and Program for Detecting an Unauthorised Connection to Access Points - A method of detecting address spoofing in a wireless network comprises the steps of obtaining frames comprising an address of a device having sent the frame and a timestamp representative of the time of sending of the frame by said device; analyzing the timestamps included in the frames having one and the same sending device address; and detecting a spoofing of said address according to the analysis of said timestamps. | 10-09-2008 |
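The timestamp analysis in the entry above, as an added example that is not from the patent or this listing: a genuine sender's frame timestamp (a free-running microsecond counter, as in the 802.11 TSF) advances in step with the capture clock, so a frame carrying the same address whose timestamp does not fit that progression was produced by another counter. The frame records below are constructed.

```python
# Constructed capture records: (capture_time_seconds, sender_address, frame_timestamp_us).
# Frames at 0.250 and 0.350 carry the genuine address but a different, far-off counter.
FRAMES = [
    (0.000, "00:11:22:33:44:55", 1_000_000),
    (0.100, "00:11:22:33:44:55", 1_100_000),
    (0.200, "00:11:22:33:44:55", 1_200_000),
    (0.250, "00:11:22:33:44:55",    40_000),
    (0.300, "00:11:22:33:44:55", 1_300_000),
    (0.350, "00:11:22:33:44:55",   140_000),
    (0.000, "66:77:88:99:aa:bb", 5_000_000),
    (0.500, "66:77:88:99:aa:bb", 5_500_000),
]


def detect_spoofing(frames, tolerance_us=5_000):
    """Flag frames whose timestamp is inconsistent with the sender's own counter.

    Returns a list of (capture_time, address, observed_ts, expected_ts)."""
    last = {}      # address -> (capture_time, timestamp) of the last consistent frame
    alerts = []
    for cap_t, addr, ts in frames:
        if addr in last:
            prev_t, prev_ts = last[addr]
            expected = prev_ts + int((cap_t - prev_t) * 1_000_000)
            if abs(ts - expected) > tolerance_us:
                alerts.append((cap_t, addr, ts, expected))
                continue   # keep the reference on the consistent stream
        last[addr] = (cap_t, ts)
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(FRAMES):
        print("timestamp inconsistency:", alert)
```

The check proves only that two counters share one address; it does not say which one is the legitimate device, and the reference is whichever stream was seen first. A pair of frames very close in time needs a tolerance wider than the sender's clock jitter plus capture latency, otherwise a genuine device gets flagged.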
20080250499 | Method and Apparatus for Reducing Buffer Overflow Exploits by Computer Viruses - Buffer overflow exploits in a computer are reduced by encoding linkage information associated with a subroutine, following a call to the subroutine from an application executing on the computer. The encoded linkage information is stored at a first address in a run-time stack in a memory of the computer. Upon exit from the subroutine, the value stored at the first address in the run-time stack is retrieved and decoded to obtain decoded linkage information. Execution of the application continues in accordance with the decoded linkage information. Subroutine data written to the stack is not encoded. | 10-09-2008 |
20080250500 | Man-In-The-Middle Attack Detection in Wireless Networks - Detection of a man-in-the-middle attack. In particular implementations, a method includes detecting a first event comprising notification of an invalid wireless management frame operable to cause a termination of a connection between a wireless client and a wireless access point, wherein the notification is based on a failed verification of a management integrity code (MIC) appended to the wireless management frame. The method also includes detecting a second event involving notification of either an authentication failure associated with the wireless client or a connection between the wireless client and a rogue access point. The method also includes performing one or more actions upon detection of the first event and the second event within a threshold period of time of each other. | 10-09-2008 |
20080250501 | Method for Monitoring Managed Device - A method for monitoring managed devices comprises: a management center preserves, in advance, an integrity list which includes the system integrity values of the managed devices and the correspondence between each managed device and its system integrity value; a managed device gathers its current system integrity value and saves it when it starts; the managed device sends information including the current system integrity value to the management center after receiving a monitor command from the management center; and the management center determines, from the received information and the integrity list, whether the received current system integrity value of the managed device matches the integrity value it has saved for that device, and carries out an alert process when they do not match. The management center can thus know whether the managed device is currently trustworthy and determine whether an unknown attack on the managed device exists. | 10-09-2008 |
20080250502 | Software Checking - A method of checking the integrity of a software component comprises: selecting a checking algorithm | 10-09-2008 |
20080250503 | METHOD AND SYSTEM FOR FILTERING COMMUNICATION - An e-mail relay provides message filtering services to an e-mail network. The e-mail relay monitors incoming communication and intercepts e-mail messages. The e-mail relay compares attributes of the messages to data derived from SPAM messages, which are stored in a SPAM database. The e-mail relay restricts the delivery of messages based on the comparison such as by restricting the delivery of messages having attributes close to those of SPAM messages from the SPAM database. The SPAM database is constructed by responding to user or administrator indications as to whether received messages are SPAM messages. | 10-09-2008 |
20080256634 | TARGET DATA DETECTION IN A STREAMING ENVIRONMENT - In embodiments of the present invention improved capabilities are described for a data stream scanner. The present invention may provide for a data portion received in association with a data stream, and the data portion may be analyzed to make an assessment. An identity pool may then be selected from a universe of identities based on the assessment, and identities from the identity pool may be selected in a scanning process to analyze the data stream. Further, an unmatched identity may remove the identity from the pool upon finding that the unmatched identity does not match data in the data stream. | 10-16-2008 |
20080263664 | METHOD OF INTEGRATING A SECURITY OPERATIONS POLICY INTO A THREAT MANAGEMENT VECTOR - The invention relates to the integration of a security operations policy into a threat management vector. In one embodiment, a method according to the invention includes receiving at least one threat management vector (TMV) from a TMV generator, the TMV including a root vulnerability vector, at least one system vector, at least one system level vector, and a countermeasures payload including intrusion detection countermeasures (IDC), intrusion response countermeasures (IRC), and vulnerability remediation countermeasures (VRC); forwarding to the TMDC a TMV including only the root vulnerability vector, the at least one system vector, and the at least one system level vector; propagating the TMV through a hierarchy of policy mediation regions (PMRs), each PMR being operable to refine at least one of the IDC, the IRC, and the VRC; refining at least one of the IDC, the IRC, and the VRC to conform to a security operations policy of the PMR; forwarding the refined TMV to a threat management domain controller (TMDC); recording refinements made by each PMR to each of the IDC, the IRC, and the VRC; transferring the recorded refinements to a threat management control book (TMCB); and marking the refined TMV as having been refined by each PMR making a refinement. | 10-23-2008 |
20080263665 | NETWORK ATTACK DETECTION USING PARTIAL DETERMINISTIC FINITE AUTOMATON PATTERN MATCHING - This disclosure describes techniques for determining whether network traffic contains one or more computer security threats. In order to determine whether a symbol stream conforms to the symbol pattern, a security device stores a full deterministic finite automaton (fDFA) that accepts streams of symbols that conform to the symbol pattern. The security device also creates a partial deterministic finite automaton (pDFA) that includes nodes that correspond to the nodes in the fDFA that have the highest visitation levels. The security device processes each symbol in the symbol stream using the pDFA until a symbol causes the pDFA to transition to a failure node or to an accepting node. If the symbol causes the pDFA to transition to the failure node, the security device processes the symbol and subsequent symbols in the symbol stream using the fDFA. | 10-23-2008 |
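The partial-DFA scheme in the entry above, as an added example that is not from the patent or this listing: a full DFA is built from the signature set (Aho-Corasick with every transition filled in), benign training traffic picks the most-visited nodes for the partial DFA, every transition that leaves that node set becomes the failure node, and on reaching it the scanner hands the current and all later symbols to the full DFA. The signatures, the training stream and the scanned requests are constructed; the symbol alphabet is restricted to ASCII.

```python
from collections import Counter, deque

ALPHABET = [chr(c) for c in range(128)]   # symbol streams are restricted to ASCII here


def build_fdfa(patterns):
    """Full DFA: goto[state][symbol] -> state for every symbol, out[state] -> matched patterns."""
    goto, out = [{}], [set()]
    for p in patterns:                       # trie
        s = 0
        for ch in p:
            if ch not in goto[s]:
                goto.append({}); out.append(set())
                goto[s][ch] = len(goto) - 1
            s = goto[s][ch]
        out[s].add(p)
    fail, queue = [0] * len(goto), deque()
    for ch in ALPHABET:                      # root: missing symbols loop back to root
        if ch in goto[0]:
            queue.append(goto[0][ch])
        else:
            goto[0][ch] = 0
    while queue:                             # BFS: complete every state's transition table
        s = queue.popleft()
        for ch in ALPHABET:
            if ch in goto[s]:
                nxt = goto[s][ch]
                fail[nxt] = goto[fail[s]][ch]
                out[nxt] |= out[fail[nxt]]
                queue.append(nxt)
            else:
                goto[s][ch] = goto[fail[s]][ch]
    return goto, out


class PartialDfaMatcher:
    def __init__(self, patterns, training_stream, keep=4):
        self.goto, self.out = build_fdfa(patterns)
        visits, s = Counter(), 0             # visitation profile on benign traffic
        for ch in training_stream:
            s = self.goto[s][ch]
            visits[s] += 1
        hot = {st for st, _ in visits.most_common(keep)} | {0}
        # pDFA keeps only hot nodes; a transition out of that set is the failure node (None).
        self.pdfa = {st: {ch: (nx if nx in hot else None)
                          for ch, nx in self.goto[st].items()} for st in hot}

    def scan(self, stream):
        """Return (matches as (offset, pattern), number of symbols processed by the fDFA)."""
        matches, s, fallback_at = [], 0, None
        for i, ch in enumerate(stream):
            if fallback_at is None:
                nxt = self.pdfa[s][ch]
                if nxt is None:              # failure node: this and later symbols go to the fDFA
                    fallback_at, nxt = i, self.goto[s][ch]
            else:
                nxt = self.goto[s][ch]
            s = nxt
            for p in self.out[s]:
                matches.append((i - len(p) + 1, p))
        handled_by_fdfa = len(stream) - fallback_at if fallback_at is not None else 0
        return matches, handled_by_fdfa


if __name__ == "__main__":
    m = PartialDfaMatcher(["cmd.exe", "/etc/passwd"], "GET /index.html HTTP/1.0\r\n" * 20)
    print(m.scan("GET /index.html HTTP/1.0\r\n"))
    print(m.scan("GET /cgi-bin/../../etc/passwd HTTP/1.0"))
```

The benign request never leaves the hot set, so the small table does all the work; the traversal request falls back at the first symbol that starts a signature prefix and the full DFA finds the match. The saving comes from the hot-node table fitting in cache, which the Python dicts only illustrate.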
20080263666 | METHOD AND APPARATUS FOR DETECTING PORT SCANS WITH FAKE SOURCE ADDRESS - A computer implemented method, apparatus, and computer program product for port scan protection. A reply data packet having a modified transmission control protocol header is generated to form a modified reply data packet, in response to detecting a port scan. The modified reply data packet will elicit a response from a recipient of the modified data packet. The reply data packet is sent to a first Internet protocol address associated with the port scan. A second Internet protocol address is identified from a header of the response to the modified reply data packet. The second Internet protocol address is an actual Internet protocol address of a source of the port scan. All network traffic from the second Internet protocol address may be blocked to prevent an attack on any open ports from the source of the port scan. | 10-23-2008 |
20080263667 | COMMUNICATION APPARATUS, COMMUNICATION METHOD, AND RECORDING MEDIUM USED THEREWITH - Encoded data that is obtained by embedding subdata in advertisement information and embedding the subdata-embedded advertisement information in main data is provided to a user. At the user side, the encoded data is decoded to reproduce the main data and the subdata-embedded advertisement information, and the subdata-embedded advertisement information is decoded to reproduce the advertisement information and the subdata embedded therein. | 10-23-2008 |
20080263668 | Automatic Client Responses To Worm Or Hacker Attacks - A system in which a networked device automatically evaluates hacker attack notification information and, based thereon, selects and executes responses to the attack. The notification may include information such as the address of the infected system, identification of the specific worm, and a list of vulnerable applications and operating systems. The evaluation is based on factors including criticality and vulnerability of applications running on the system and connectivity of the device. A variety of automatic responses can be selected, including notification of network administration, shutdown of the device or services running on the device, updating and activation of anti-virus software, and selective handling of data sent from the address of the suspect network device. The selection of responses can occur automatically based on rules input during setup or by intervention of network administration. | 10-23-2008 |
20080271145 | Tamper indication system and method for a computing system - A tamper indication system for a computing system comprises a sensor reader configured to determine a state of a tamper sensor of the computing system, and firmware disposed in the computing system and configured to cause a report to evidence whether the report has been tampered with, the report indicating the state of the tamper sensor. | 10-30-2008 |
20080271146 | Identifying a distributed denial of service (DDoS) attack within a network and defending against such an attack - The invention provides methods, apparatus and systems for detecting distributed denial of service (DDoS) attacks within the Internet by sampling packets at a point or points in Internet backbone connections to determine a packet metric parameter. The packet metric parameter which might comprise the volume of packets received is analysed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located. The expected behaviour can be employed to identify traffic distortions revealing a DDoS attack. In a complementary aspect, the invention provides a method of authenticating packets at routers in order to elevate the QoS of authenticated packets. This method can be used to block or filter packets and can be used in conjunction with the DDoS attack detection system to defend against DDoS attacks within the Internet in a distributed manner. | 10-30-2008 |
20080276316 | Intrusion detection strategies for hypertext transport protocol - A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system. | 11-06-2008 |
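The URI normalization step in the entry above, as an added example that is not from the patent or this listing: the request path is decoded (%uXXXX, single and double percent-encoding, backslash separators) and its segments collapsed before signature comparison, and signatures are checked against both the decoded and the collapsed form so that traversal sequences stay visible. The signatures and request lines are constructed; overlong UTF-8 sequences are not handled.

```python
import re
from urllib.parse import unquote


def decode_uri_path(uri, max_rounds=3):
    """Strip the query, undo %uXXXX and (repeated) percent-encoding, unify separators."""
    path = uri.split("?", 1)[0]
    # %u00XX (IIS-style) denotes the ASCII character XX
    path = re.sub(r"%u00([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), path)
    for _ in range(max_rounds):              # repeated decoding exposes double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def normalize_path(path):
    """Collapse '//' and '/./', resolve '/../' segments."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalize_uri(uri):
    return normalize_path(decode_uri_path(uri))


def match_signatures(uri, signatures):
    """Signatures are compared against the decoded path and the collapsed path:
    the collapsed form defeats encoding tricks, the decoded form keeps '../' visible."""
    decoded = decode_uri_path(uri)
    normalized = normalize_path(decoded)
    return [sig for sig in signatures if sig in decoded or sig in normalized]


if __name__ == "__main__":
    sigs = ["cmd.exe", "/etc/passwd", "../"]
    for req in ("/cgi-bin/%252e%252e/%252e%252e/etc/passwd",
                "/scripts/..%5c..%5cwinnt/system32/cmd%2eexe?/c+dir"):
        print(req, "->", normalize_uri(req), match_signatures(req, sigs))
```

Decoding must be bounded (here three rounds) or an attacker can make the inspector spend unbounded time on nested encodings, and it must follow the target server's own decoding rules, which is why the entry ties the policy to the destination address.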
20080276317 | Detection of Multi-Step Computer Processes Such as Network Intrusions - Multi-step processes such as intrusions into computer networks are detected from individual activities or events such as communications by identifying anchor points (FIG. | 11-06-2008 |
20080276318 | Spam detection system based on the method of delayed-verification on the purported responsible address of a message - A spam detection system employs a "Delayed-Verification on Purported Responsible Address" (DVPRA) module which verifies the validity of the return address of a received e-mail message in the mail server after a time delay interval specifiable by the user. An implementation of the module as a Spam Mail Filter in a stand-alone spam detection system and an implementation of the module as a supplement to existing anti-spam systems are described. | 11-06-2008 |
20080276319 | Real-time user awareness for a computer network - A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in. | 11-06-2008 |
20080289040 | Source/destination operating system type-based IDS virtualization - Systems and methods for virtualizing network intrusion detection system (IDS) functions based on each packet's source and/or destination host computer operating system (OS) type and characteristics are described. Virtualization is accomplished by fingerprinting each packet to determine the packet's target OS and then vetting each packet in a virtual IDS against a reduced set of threat signatures specific to the target OS. Each virtual IDS, whether operating on a separate computer or operating as a logically distinct process or separate thread running on a single computer processor, may also operate in parallel with other virtual IDS processes. IDS processing efficiency and speed are greatly increased by the fact that a much smaller subset of the threat signature universe is used for each OS-specific packet threat vetting operation. | 11-20-2008 |
20080295171 | Intrusion Detection System For Wireless Networks | 11-27-2008 |
20080295172 | Method, system and computer-readable media for reducing undesired intrusion alarms in electronic communications systems and networks | 11-27-2008 |
20080295173 | PATTERN-BASED NETWORK DEFENSE MECHANISM | 11-27-2008 |
20080295174 | Method and System for Preventing Unauthorized Access and Distribution of Digital Data | 11-27-2008 |
20080295175 | PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS | 11-27-2008 |
20080301808 | INTERNET ROBOT DETECTION FOR NETWORK DISTRIBUTABLE MARKUP - Embodiments of the present invention provide a method, system and computer program product for bot detection for network distributable markup. In accordance with an embodiment of the present invention, a page request for distributed markup can be processed to incorporate embedded fragment within the requested page. For instance, the fragment can include a script enabled to detect human activity within the requested page such as a mouse movement. Alternatively, the fragment can include an extraneous markup artifact. The requested page subsequently can be returned to the requestor and the embedded fragment can be monitored to detect the presence of a bot depending upon the activation of the artifact. For example, where human activity can be detected within the page or where the extraneous markup artifact becomes activated despite the extraneous nature of the artifact, a human requestor can be concluded. However, where no human activity is detected in the requested page, or where the extraneous markup artifact remains unactivated, a bot requestor can be determined. | 12-04-2008 |
20080301809 | SYSTEM AND METHOD FOR DETECTING MALICIOUS MAIL FROM SPAM ZOMBIES - In recent years, the use of spam zombies has become a preferred method of sending spam. In fact, it is estimated that over 90% of all spam comes from spam zombies. Although existing spam zombie detection mechanisms such as the Spamhaus XBL blacklist exist, these techniques are limited in that they cannot block spam from newly created spam zombies. The present invention relates to a system and method for detecting malicious e-mails from spam zombies, the system comprising a processor operable to process a server identification value of a sending source by separating the value into one or more domain level terms to allow each unique term to be tokenized with an index value and to apply the one or more tokenized values as a learning feature in a learning algorithm trained to identify spam zombies. | 12-04-2008 |
20080301810 | MONITORING APPARATUS AND METHOD THEREFOR - A monitoring apparatus for detection of a malicious attack in a communications network comprises a pattern matching engine ( | 12-04-2008 |
20080301811 | System For Stabilizing of Web Service and Method Thereof - An object of the present invention is to provide a system and method for stabilizing a web service. The system of the present invention includes a reception module unit ( | 12-04-2008 |
20080307526 | METHOD TO PERFORM BOTNET DETECTION - A method and a system for monitoring network activities associated with a computer connected to a network are provided. The method may include detecting a bot activity associated with the computer; attributing a bot status to the computer, based on a bot activity type associated with the bot activity, prior detections of bot activities, and considering time stamps. The method may also include updating the bot status attributed to the computer, based upon detection of subsequent bot activities associated with the computer, the bot activity types associated with the subsequent bot activities, and one or more other criteria. In one example embodiment, the network activities may include network transmissions and behavioral patterns. According to example embodiments, the system may include a network monitor, a bot activity detection module, a bot status module, and a bot status update module. | 12-11-2008 |
20080313735 | NULLIFICATION OF MALICIOUS CODE BY DATA FILE TRANSFORMATION - To nullify any malicious code potentially contained within a data file, a transformation engine randomly selects a transformation from a number of available file transformations each arranged to alter the bit pattern of a file to which it is applied while still enabling manifestation of at least some of the file's semantic content to a user. The selected transformation is then applied to the data file to produce a transformed file. Preferably, the transformation engine runs in a dedicated virtual machine of a computing platform. | 12-18-2008 |
20080313736 | DATA NETWORK AND METHOD FOR CHECKING NODES OF A DATA NETWORK - The invention provides a data network, systems and methods for checking nodes of a data network that are used for detecting whether a privacy policy concerning an information is maintained. The information comprises a mark corresponding to the privacy policy. The mark defines the storage place or the accessing paths or the transferring paths of the information. The mark is automatically searchable. The mark is searched, analyzed and checked as to whether the privacy policy is maintained. The advantage of the system is that vulnerabilities of systems for protecting confidential information may be detected a long time before an attack on the confidential information occurs. | 12-18-2008 |
20080313737 | Stateful and Cross-Protocol Intrusion Detection for Voice Over IP - A method for detecting intrusions that employ messages of two or more protocols is disclosed. Such intrusions might occur in Voice over Internet Protocol (VoIP) systems, as well as in systems in which two or more protocols support some service other than VoIP. In the illustrative embodiment of the present invention, a stateful intrusion-detection system is capable of employing rules that have cross-protocol pre-conditions. The illustrative embodiment can use such rules to recognize a variety of VoIP-based intrusion attempts, such as call hijacking, BYE attacks, etc. In addition, the illustrative embodiment is capable of using such rules to recognize other kinds of intrusion attempts in which two or more protocols support a service other than VoIP. The illustrative embodiment also comprises a stateful firewall that is capable of employing rules with cross-protocol pre-conditions. | 12-18-2008 |
20080320592 | METHOD AND SYSTEM FOR CLOAKED OBSERVATION AND REMEDIATION OF SOFTWARE ATTACKS - A method and system provide security for a communication network and for one or more nodes within the network. Software can be distributed throughout the network from a centralized location or administrative console. The software can be made resident in the kernel of the operating system of a receiving node. The software can provide an observation functionality, an analysis functionality, a reporting functionality and a remediation functionality or some subset of those functionalities. | 12-25-2008 |
20080320593 | Method, System and Computer Readable Medium For Intrusion Control - An intrusion control system, method and computer readable medium. The system includes an input interface adapted to receive traffic over a session opened between a user and a computerized system; and a processor, adapted to control the session while determining whether the traffic is a part of an attack. The method includes determining an occurrence of an attack; and mitigating the attack by providing false information representative of a defense capability of a computerized system. | 12-25-2008 |
20090013407 | INTRUSION DETECTION SYSTEM/INTRUSION PREVENTION SYSTEM WITH ENHANCED PERFORMANCE - A traffic inspection and filtering system ( | 01-08-2009 |
20090019545 | COMPUTER SECURITY METHOD AND SYSTEM WITH INPUT PARAMETER VALIDATION - A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed. | 01-15-2009 |
20090025082 | Method and apparatus for detecting computer-related attacks - Disclosed is a method and apparatus for detecting prefix hijacking attacks. A source node is separated from a destination network at a first time via an original path. The destination network is associated with a prefix. At a second time, a packet is transmitted from the source node to the destination network to determine a current path between the source node and the destination network. A packet is also transmitted from the source node to a reference node to determine a reference node path. The reference node is located along the original path and is associated with a prefix different than the prefix associated with the destination network. The current path and the reference node path are then compared, and a prefix hijacking attack is detected when the reference node path is not a sub-path of the current path. | 01-22-2009 |
20090025083 | METHOD AND APPARATUS FOR DETECTING EXECUTABLE CODE - There are provided an apparatus and method for detecting an executable code, capable of verifying reliability of an extracted signature by determining whether there is present an executable code in network data by using instruction pattern information related to the calling mechanism of functions for distinguishing the executable code from a non-executable code, the method including: forming instructions by reverse assembling network data suspicious as an attack; comparing the respective formed instructions with instruction patterns according to the calling mechanism of functions; and determining whether there is present an executable code in the network data according to a result of the comparing. | 01-22-2009 |
20090031421 | METHOD OF INTRUSION DETECTION IN TERMINAL DEVICE AND INTRUSION DETECTING APPARATUS - A method of intrusion detection in a terminal device that supports driving of a plurality of operating systems, is provided. The method includes collecting at a first operating system of the plurality of operating systems intrusion detection data for analyzing whether there is an intrusion in at least a second operating system of the plurality of operating systems; and performing at the first operating system an intrusion detection with respect to the at least a second operating system using the collected intrusion detection data. | 01-29-2009 |
20090031422 | METHODS AND SYSTEMS THAT SELECTIVELY RESURRECT BLOCKED COMMUNICATIONS BETWEEN DEVICES - Data communications between devices are selectively blocked and resurrected based on error notifications. Data communications from one or more source devices to one or more intended destination devices are selectively blocked based on content of the data communications. The blocked data communications are stored in a database. A blocked data communication is retrieved from the database in response to an error notification from one of the source devices and/or from one of the destination devices. The retrieved data communication is then sent to the intended destination device. | 01-29-2009 |
20090038010 | Monitoring and controlling an automation process - Embodiments are provided to monitor aspects of a process, such as an automation process. In an embodiment, a system includes a number of components configured to monitor and validate operational aspects of a test automation process. In one embodiment, a monitoring application can be used to detect test automation issues, such as file related issues, registry related issues, network related issues, and other operational issues for example. The monitoring application can include a number of rule sets which may be tailored to identify and detect new types of exceptions and other conditions associated with an automation process or some other process. Other embodiments are available. | 02-05-2009 |
20090044272 | RESOURCE-REORDERED REMEDIATION OF MALWARE THREATS - Systems and methods that mitigate effects of malware and facilitate remediation processes. An analysis engine generates a list of actions for resources associated with the malware, and prioritizes/sorts the actions for execution. Such list of actions can be generated automatically via an action list generation component associated with the analysis engine. Likewise, a sorting component as part of the analysis engine can prioritize operations between detected malware to typically ensure a smooth operation during remediation processes (e.g., avoid conflicts). | 02-12-2009 |
20090049550 | METHOD OF DETECTING AND BLOCKING MALICIOUS ACTIVITY - A method of detecting and blocking malicious activity of processes in computer memory during unpacking of a file after the code and data contained in the file are unpacked is described. The method includes inserting a hook function into one or more un-assessed processes running in the computer memory. A hook is then placed on one or more system calls carried out by the one or more un-assessed processes; the one or more system calls determining an optimal time period in which to detect malicious activity in the un-assessed processes. During the optimal time period the one or more system calls carried out by the one or more un-assessed processes are suspended and attributes of the one or more un-assessed processes are detected and the likely maliciousness of the one or more un-assessed processes is determined from the attributes. | 02-19-2009 |
20090049551 | METHOD OF AND APPARATUS FOR MONITORING CODE TO DETECT INTRUSION CODE - A method and apparatus for monitoring a code to detect intrusion code is used to monitor target code to determine whether the target code is a resident code in a system or an intrusion code into the system. A first code pattern is extracted from the target code and a second code pattern is loaded from a storage unit, and a distance between the first code pattern and the second code pattern is calculated. The calculated distance is compared to a threshold to determine whether the target code is an intrusion code. | 02-19-2009 |
20090055929 | Local Domain Name Service System and Method for Providing Service Using Domain Name Service System - Provided is a local domain name system for querying an external server for a client-requested domain name and providing desired data to a user. A determination is made as to whether a special policy is to be applied to a client-input query through a test task. When a special policy is to be applied to the query, the special policy is performed to provide additional service to the client. | 02-26-2009 |
20090055930 | Content Security by Network Switch - A security switch detects whether requested content is either trusted content or non-trusted content. In case of network content being trusted content, network traffic bypasses the inspection gateway and goes directly to the user. If network content is non-trusted content, network traffic passes through to the inspection gateways for inspection. Additionally, when the security switch receives a reply for “trusted” content requests, it parses the reply information to verify that the content-type of the file is indeed “trusted”. If the file doesn't prove to be “trusted”, the security switch drops the connection and stops the suspected content from reaching the client. | 02-26-2009 |
20090064332 | METHOD AND APPARATUS FOR GENERATING HIGHLY PREDICTIVE BLACKLISTS - In one embodiment, the present invention is a method and apparatus for generating highly predictive blacklists. One embodiment of a method for generating a blacklist of network addresses for a user of a network includes collecting security log data from users of the network, the security log data identifying observed attacks by attack sources, assigning the attack sources to the blacklist based on a combination of the relevance of each attack source to the user and the maliciousness of the attack source, and outputting the blacklist. | 03-05-2009 |
20090064333 | Pattern Discovery in a Network System - Patterns can be discovered in events collected by a network system. In one embodiment, the present invention includes collecting and storing events from a variety of monitor devices. In one embodiment, a subset of the stored events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream. | 03-05-2009 |
20090070872 | System and method for filtering spam messages utilizing URL filtering module - Systems and methods for filtering spam messages utilizing a URL filtering module are described. In one embodiment, the method includes detecting, in an incoming message, data indicative of a URL and comparing the URL from the incoming message with URLs characterizing spam. The method further includes determining whether the incoming message is spam based on the comparison of the URL from the incoming message with the URLs characterizing spam. | 03-12-2009 |
20090070873 | SAFE WEB BASED INTERACTIONS - A system is described for providing safe web based interactions. The system may include a memory, an interface, and a processor. The memory may store a request and a web page. The interface may be operative to communicate with a user and a third party server. The processor may be operatively connected to the memory and the interface and may receive a request from the user for a web page provided by the third party server. The processor may retrieve the web page and determine if malicious data is associated with the web page. If malicious data is determined to be associated with the web page the processor may disable the malicious data. The processor may modify the web page so that subsequent interactions with the web page are redirected to the processor, through the interface. The processor may provide the web page to the user, via the interface. | 03-12-2009 |
20090070874 | Signature-Free Intrusion Detection - An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems, without the use of an attack signature database. In particular, the illustrative embodiment is based on the observation that some VoIP-related protocols (e.g., the Session Initiation Protocol [SIP], etc.) are simple enough to be represented by a finite-state machine (FSM) of compact size. A finite-state machine is maintained for each session/node/protocol combination, and any illegal state or state transition—which might be the result of a malicious attack—is flagged as a potential intrusion. | 03-12-2009 |
20090070875 | Distributed Stateful Intrusion Detection for Voice Over IP - An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems without an attack signature database. The illustrative embodiment is based on two observations: (1) various VoIP-related protocols are simple enough to be represented by a finite-state machine (FSM) of compact size, thereby avoiding the disadvantages inherent in signature-based intrusion-detection systems; and (2) there exist intrusions that might not be detectable locally by the individual finite-state machines (FSMs) but that can be detected with a global (or distributed) view of all the FSMs. The illustrative embodiment maintains a FSM for each session/node/protocol combination representing the allowed (or “legal”) states and state transitions for the protocol at that node in that session, as well as a “global” FSM for the entire session that enforces constraints on the individual FSMs and is capable of detecting intrusions that elude the individual FSMs. | 03-12-2009 |
20090070876 | APPARATUS AND METHOD FOR DETECTING MALICIOUS PROCESS - Provided are an apparatus and method for detecting a malicious process. The apparatus includes: a process monitoring unit for monitoring a process generated in a computing environment; a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit; a process generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a generation time; a generation time change preventing unit for preventing a change in the generation time of the target process when the target process requests to change the generation time; and a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process is generated within a predetermined reference time. | 03-12-2009 |
20090070877 | METHOD FOR SECURING STREAMING MULTIMEDIA NETWORK TRANSMISSIONS - A method of and apparatus for securing against an unauthorized transmission within an authorized transmission from a sending data processor to a receiving data processor. The transmission is stimulated to elicit a predictable response from the receiving data processor. Upon the observance or absence of the predictable response, the transmission is determined as being potentially unauthorized. The method of this invention can be implemented in network administrator middleboxes such as firewalls. | 03-12-2009 |
20090077662 | APPARATUS AND METHODS FOR INTRUSION PROTECTION IN SAFETY INSTRUMENTED PROCESS CONTROL SYSTEMS - Apparatus and methods for intrusion protection in safety instrumented process control systems are disclosed. An example method of protecting a safety instrumented system includes receiving legitimate information from a component of a process control system wherein the legitimate information is intended for delivery to a safety instrumented system, determining if a signature at least substantially matches the legitimate information, and preventing the legitimate information from reaching the safety instrumented system when it is determined that the signature at least substantially matches the legitimate information. | 03-19-2009 |
20090077663 | Score-based intrusion prevention system - A score-based method of preventing intrusion, and related apparatus and systems, including one or more of the following: receiving traffic including new packets; decoding a protocol for same; determining that no session exists to which the packets are associated; creating a session entry for a session corresponding to the packets; setting a total score for the session to zero; performing an anomaly analysis on the packets identifying an anomaly; adding an anomaly score for the anomaly to the total score for the session; determining that the total score for the session does not exceed a threshold; determining that the anomaly analysis is finished; determining that the signature of the received new packets matches a threat signatures; adding a score assigned to the threat signature to the total score for the session; determining that the total score for the session exceeds the threshold; and triggering a threat response action. | 03-19-2009 |
20090083854 | Syntax-Based Security Analysis Using Dynamically Generated Test Cases - A security analysis methodology is used to analyze the security of a device-under-analysis (DUA) with respect to a particular protocol message exchange. First, the mutation points that exist in the message exchange are determined. Then, the message exchange is executed multiple times—once for each mutation point. Each execution applies the mutation associated with that particular mutation point (e.g., a particular message during the exchange is modified in a particular way) to create a mutated message exchange. In other words, each message exchange with an applied mutation point corresponds to a test case. | 03-26-2009 |
20090094697 | INTRUSIVE SOFTWARE MANAGEMENT - Landing pages associated with advertisements are partitioned into training landing pages and testing landing pages. Iterative training and testing of a classification mode on intrusion features of the partitioned landing pages is conducted until the occurrence of a cessation event. Feature weights are derived from the iterative training and testing, and are associated with the intrusion features. The associated feature weights and intrusion features can be used to classify other landing pages. | 04-09-2009 |
20090100519 | Installer detection and warning system and method - A user of a computer system is provided with warning of unexpected or covert installation attempts using a malware or anti-virus detection engine. Even though the files that are unexpectedly attempted to be installed may be legitimate, rather than malware, the malware detection software is modified or configured to detect the unexpected installation and provide the user with an opportunity to abort the installation. A method of controlling installation of software in a computer system comprises detecting an attempt to install software on the computer system, identifying the software that was attempted to be installed, taking an action in response to identifying the software that was attempted to be installed. | 04-16-2009 |
20090100520 | Detection and dynamic alteration of execution of potential software threats - An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled though application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier. | 04-16-2009 |
20090106838 | Blocking Intrusion Attacks at an Offending Host - A method, apparatus, and program product are provided for protecting a network from intrusions. An offending packet communicated by an offending host coupled to a protected network is detected. In response to the detection, a blocking instruction is returned to the offending host to initiate an intrusion protection operation on the offending host, where the blocking instruction inhibits further transmission of offending packets by the offending host. At the offending host, a blocking instruction is received with a portion of an offending packet. The offending host verifies that the offending packet originated from the host. In response to the verification of the offending packet originating from the host, an intrusion protection operation is initiated on the host thereby inhibiting transmission of a subsequent outbound offending packet by the host. | 04-23-2009 |
20090106839 | METHOD FOR DETECTING NETWORK ATTACK BASED ON TIME SERIES MODEL USING THE TREND FILTERING - Method for detecting network attack based on time series model using the trend filtering. The method has the steps of: a) removing a trend component from the time series data to extract a residual component; and b) detecting an anomaly by applying a time series model to the residual component. | 04-23-2009 |
20090106840 | Certification Of E-Mails With Embedded Code - Certification of embedded content in e-mail is provided. A sender wishing to have code certified for inclusion in e-mail sends the code to a token authority. A code verification engine acting automatically or in conjunction with an analyst examines the code to determine whether it poses a risk of harm to e-mail recipients. If not, the token authority issues a certificate for the embedded content. The mail sender sends e-mail to recipients including the embedded content, and the certification is sent in conjunction with the content itself. A mailbox provider inspects the received e-mail to determine whether it includes embedded content and, if so, whether a certification is attached that the embedded content is not harmful. If not, or if the message includes uncertified content in addition to certified content, then the message is rejected, or delivered with a warning that certification is not present. | 04-23-2009 |
20090106841 | TRAFFIC MANAGER FOR DISTRIBUTED COMPUTING ENVIRONMENTS - Techniques suitable for facilitating communications between various computer programs operating on various nodes in a distributed computing environment are disclosed. The techniques can be used by a traffic manager operating in such environments. The traffic manager is capable of monitoring traffic exchanged between client and server programs operating in the distributed computing environment. Moreover, the traffic manager can be used to implement a variety of desirable features across different computing environments. These computing environments are typically separated by one or more distinguishing characteristics. As will be appreciated, the traffic manager provides an integral and cost effective solution which can bridge these distinguishing characteristics as well as define and enforce policies across disparate computing environments. This is achieved by centralizing the generation of interfaces which allow interaction between any of the nodes in a distributed computing system. This avoids the redundancy and inefficiency inherent in building these capabilities in each node, particularly in complex systems. | 04-23-2009 |
20090113547 | MALWARE DETECTING APPARATUS, MONITORING APPARATUS, MALWARE DETECTING PROGRAM, AND MALWARE DETECTING METHOD - A malware detecting apparatus, monitoring apparatus, malware detecting program, and malware detecting method are provided. The method detects a plurality of nodes that have sent connection request information commonly to one of first destinations among a set of monitoring target nodes, detects, for each node in the set of monitoring target nodes, the number of second destinations to which the node has sent connection request information, identifies a node infected with malware based on the plurality of nodes detected and the number of second destinations detected, and outputs a result of the identification. | 04-30-2009 |
20090119774 | NETWORK IMPLEMENTED CONTENT PROCESSING SYSTEM - In the present invention, a data processing device for processing streams of network borne data includes content inspection logic configurable to perform pattern matching functions on a received content stream and output match data, and a microengine for executing computer coded instructions, the microengine being coupled to the content inspection logic for configuring the pattern matching function of the content inspection unit in respect of a particular processing job for the received content stream and for processing the content stream in dependence on the match data. The microengine is adapted to reconfigure dynamically the content inspection logic in dependence on the match data thereby to modify the pattern matching function performed by the content inspection logic on the content stream during the course of a processing job. The present invention provides a novel architecture and method for processing content as it flows through a network. The processing of content includes parsing, analysing, modifying and controlling the delivery of a content stream using a number of pattern matching techniques. Importantly, the present invention makes it possible to adjust the parameters of the pattern matching search as the search progresses through the content stream. | 05-07-2009 |
20090119775 | SYSTEM FOR REAL-TIME DETECTION OF COMPUTER SYSTEM FILES INTRUSION - A system for detecting real-time system file intrusions in a user computer that is coupled to an administrator computer and includes an operating system and system files. At a boot time of the user computer, an application program interface (API) of the operating system receives a list of vital system files that consists of at least two directory files. At the boot time, one or more daemons are launched, after which the API detects one or more system calls made to one or more vital system files. The API raises an automatic interrupt ‘I’ command that awakens a daemon from a sleep mode. The awakened daemon catches the interrupt ‘I’ command and sends an alert message to the administrator computer to alert the administrator computer of the detecting of the system call made to the one or more vital system files. | 05-07-2009 |
20090126015 | SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE - Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior. | 05-14-2009 |
20090126016 | SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE - Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior. | 05-14-2009 |
20090126017 | Methods and systems for preventing security breaches - A security payload is attached to a received binary executable file. The security payload is adapted to intercept application programming interface (API) calls to system resources from the binary executable file via export address redirection back to the security payload. Upon execution of the binary executable file, the security payload replaces system library export addresses within a process address space for the binary executable file with security monitoring stub addresses to the security payload. Upon the binary executable computer file issuing a call to a given API, the process address space directs the call to the given API back to the security payload via one of the security monitoring stub addresses that is associated with the given API. The security payload then can assess whether the call to the given API is a security breach. | 05-14-2009 |
20090126018 | PASSWORD EXPIRATION BASED ON VULNERABILITY DETECTION - Illustrative embodiments provide a computer implemented method, a data processing system and a computer program product for password expiration based on vulnerability detection. The computer implemented method comprises receiving a request for a password after re-activating a user account and requesting a password generator to create a hashed password. The method further comprises comparing the hashed password to a previously created password of a user to determine a match entry. Responsive to determining a match entry, the account of the user is expired with respect to the match entry. | 05-14-2009 |
20090126019 | NETWORK-BASED INFECTION DETECTION USING HOST SLOWDOWN - Host malware (or change) may be detected by (1) receiving baseline set of response time information for each of one or more transactions involving (A) the host and (B) at least one peer of the host, (2) determining or receiving a later set of response time information for each of the one or more transactions involving the host and the at least one peer of the host, and (3) determining whether or not host slowdown has occurred using the baseline set of response time information and the later set of response time information. The execution of a host malware (or change) protection policy may be controlled using at least the determination of whether or not host slowdown has occurred. | 05-14-2009 |
20090126020 | ENGINE FOR RULE BASED CONTENT FILTERING - An engine for editing contents of data containers has a set of processors which hosts a set of controllers, each controller coupled to a respective set of transcoders. A memory device stores an array of Boolean variables characterizing the contents of a container, and an array of encoded rules for determining needed content editing, if any. The Boolean variables are determined according to content descriptors and respective criteria. A graphical user interface enables a user to provide the descriptors, the criteria, and the encoded rules. Each transcoder applies the encoded rules to specific containers. A transcoder also performs container adaptation functions which may modify contents of a container to be compatible with a respective receiver. The engine receives containers from clients through a network and directs each container to a respective controller. | 05-14-2009 |
20090126021 | SECURE INITIALIZATION OF INTRUSION DETECTION SYSTEM - Secure initialization for detecting intrusions is disclosed. The secure initialization includes storing a behavior profile associated with an application, and reading the stored behavior profile that is cryptographically protected. The method further includes monitoring execution of the application during a bootstrapping phase of an intrusion detection system, according to the stored behavior profile. If the behavior of the application does not conform to the behavior profile, a message is issued indicating that the application is not conforming to the behavior profile. The behavior profile can be generated by a developer of the intrusion detection system, a developer of the application, and/or a third party developer. Additionally, the behavior profile is generated by executing the system on a reference computer system or by heuristic determination. | 05-14-2009 |
20090133122 | METHOD AND SYSTEM FOR DETECTING SUSPICIOUS FRAME IN WIRELESS SENSOR NETWORK - A method and system for detecting a suspicious frame in a wireless sensor network that includes a plurality of sensor nodes for sending sensed data and data regarding an upper-level node and cluster head node. A data collecting node receives data from the sensor nodes, sends information, and extracts data received from the sensor nodes. A first probability of occurrence of the routing path is computed with respect to training frames, and a second probability of occurrence of a source routing path is computed using the first probability. The second probability is compared with a reference value, and an indication notifying an abnormality of the source node is displayed according to the result of comparing the second probability with the reference value. | 05-21-2009 |
20090138970 | Method and System for Detecting Intrusions - A method of automatically detecting intrusions among events under surveillance. The method comprises comparing an event under surveillance to a set of patterns, each pattern being associated with a predetermined intrusion signature from a set of intrusion signatures, determining among said set of intrusion signatures a subset of intrusion signatures revealing a particular intrusion in said event under surveillance, and dynamically generating a new signature corresponding to said subset of intrusion signatures, said new signature being dedicated to recognizing said particular intrusion. | 05-28-2009 |
20090138971 | Detecting Intrusion by Rerouting of Data Packets in a Telecommunications Network - The invention proposes detection of man-in-the-middle intrusion between an entity (CL) and an access point (AP) of a network, in particular a network according to the IEEE-802.11 standard. To this end it proposes the following steps: a) reading frame bodies (FRA-i, ..., FRA-i+3) transmitted between the entity and the access point, b) detecting frames (FRA-i, FRA-i+2) transmitted at respective different times but having identical frame bodies (fb), and c) triggering an alarm in the event of positive detection in step b). | 05-28-2009 |
20090144825 | Chipset based cheat detection platform for online applications - In general, in one aspect, an interface chipset includes at least one interface to receive user commands from input devices, filters to monitor the received user commands and to copy the user commands associated with at least a subset of the input devices, and an isolated execution environment. The isolated execution environment is to provide a secure communication link between an on-line application and a remote service provider. The isolated execution environment is also to detect at least some subset of user command modifications, on-line application code modifications, and on-line application process flow modifications. The isolated execution environment is further to notify the remote service provider when a modification is detected via the secure communication link. | 06-04-2009 |
20090158430 | Method, system and computer program product for detecting at least one of security threats and undesirable computer files - Method, system and computer program product for detecting at least one of security threats and undesirable computer files are provided. A first method includes receiving a data stream which represents outbound, application layer messages from a first computer process to at least one second computer process. The computer processes are implemented on one or more computers. The method further includes monitoring the data stream to detect a security threat based on a whitelist having entries which contain metadata. The whitelist describes legitimate application layer messages based on a set of heuristics. The method still further includes generating a signal if a security threat is detected. A second method includes comparing a set of computer files with a whitelist which characterizes all legitimate computer files. The whitelist contains one or more entries. Each of the entries describes a plurality of legitimate computer files. | 06-18-2009 |
20090158431 | METHOD OF DETECTING POLYMORPHIC SHELL CODE - There is provided a method of detecting a polymorphic shell code. The decoding routine of the polymorphic shell code is detected from received data. In order for the decoding routine to access the address of an encoded code, the address of a currently executed code is stored in a stack, the value is moved in a register table, and it is determined whether the value is actually used for operating a memory. Emulation is finally performed and the degree of correctness of detection is improved. Therefore, time spent on detecting the polymorphic shell code and an overhead are reduced and the correctness of detection is increased. | 06-18-2009 |
20090172814 | DYNAMIC GENERATION OF INTEGRITY MANIFEST FOR RUN-TIME VERIFICATION OF SOFTWARE PROGRAM - A measurement engine generates an integrity manifest for a software program and uses it to perform active platform observation. The integrity manifest indicates an integrity check value for a section of the program's code. The measurement engine computes a comparison value on the program's image in memory and determines if the comparison value matches the expected integrity check value. If the values do not match, the program's image is determined to be modified, and appropriate remedial action may be triggered. | 07-02-2009 |
20090172815 | METHOD AND APPARATUS FOR DETECTING MALWARE INFECTION - In one embodiment, the present invention is a method and apparatus for detecting malware infection. One embodiment of a method for detecting a malware infection at a local host in a network, includes monitoring communications between the local host and one or more entities external to the network, generating a dialog warning if the communications include a transaction indicative of a malware infection, declaring a malware infection if, within a predefined period of time, the dialog warnings includes at least one dialog warning indicating a transaction initiated at the local host and at least one dialog warning indicating an additional transaction indicative of a malware infection, and outputting an infection profile for the local host. | 07-02-2009 |
20090178140 | NETWORK INTRUSION DETECTION SYSTEM - A network intrusion detection system (IDS) is built at an important network node and used to detect and monitor network packets. The network intrusion detection system includes a network card and a system core processor. When receiving a network packet, a micro-processor of the network card performs a packet decode procedure and a packet pre-process procedure, thereby verifying a type and a source address of the packet in advance and converting the packet into an IDS format packet. Afterwards, the system core processor determines whether the packet is an intrusion packet. Since the computation of the packet decode procedure and the packet pre-process procedure is handled by the network card, the network intrusion detection system will not lose packets due to an excessive computation burden, thereby greatly improving the accuracy of the network intrusion detection system. | 07-09-2009 |
20090187989 | System and method for controlling abnormal traffic based on fuzzy logic - A system for controlling abnormal traffic based on a fuzzy logic includes: an intrusion detection module for analyzing packets incoming from a network interface by means of a membership function defined based on a specific period of time, and outputting a fuzzy value representing a degree of a port scan attack; a fuzzy control module for recognizing the degree of the port scan attack based on the fuzzy value and outputting a control signal for traffic control according to the recognized degree of the port scan attack; and an intrusion blocking module for receiving the control signal and controlling the traffic with the network interface. | 07-23-2009 |
20090187990 | METHOD AND SYSTEM TO VERIFY DATA RECEIVED, AT A SERVER SYSTEM, FOR ACCESS AND/OR PUBLICATION VIA THE SERVER SYSTEM - A method and system to verify active content included within a markup language document store multiple instances of publication information (e.g., an e-commerce listing or e-mail message) in a database associated with a server system. The stored publication information includes active content (e.g., web pages that include an executable script or point to an executable script). Selected active content is retrieved from the database, and subject to a verification process. The verification process is to verify that the selected active content is not malicious. The selected active content is selectively published based on an outcome of the verification process. | 07-23-2009 |
20090199296 | DETECTING UNAUTHORIZED USE OF COMPUTING DEVICES BASED ON BEHAVIORAL PATTERNS - Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components. | 08-06-2009 |
20090205045 | Bootstrap OS protection and recovery - A method, system, and computer program product for protecting a computer system provides bootstrap operating system detection and recovery and provides the capability to detect malware, such as rootkits, before the operating system has been loaded and provides the capability to patch malfunctions that block the ability of the computer system to access the Internet. A method for protecting a computer system includes reading stored status information indicating whether network connectivity was available the last time an operating system of the computer system was operational, when the stored status information indicates that network connectivity was not available, obtaining a software patch, and executing and applying the software patch. | 08-13-2009 |
20090205046 | METHOD AND APPARATUS FOR COMPENSATING FOR AND REDUCING SECURITY ATTACKS ON NETWORK ENTITIES - Security attacks on network entities can be compensated for and reduced through insurance that modifies incentives. In one example, a virtual slice provider includes a secure and non-secure slice having resources to provide network access to users through a service provider. The secure slice is assigned a first security level and a non-secure slice is assigned a second lower security level. In one embodiment, the second slice is isolated from the first slice. The virtual slice provider also has a risk policy between the slice provider and the service provider to establish different rates charged to the service provider for access to the secure and non-secure slices and to provide different levels of payment to the service provider for losses resulting from a lack of security in each slice. | 08-13-2009 |
20090217377 | Method and system for monitoring system memory integrity - A host system integrity monitor for monitoring memory, operating systems, applications, the domain manager, and other host system structures of interest is isolated from and independent of the CPU and operating system of commodity systems. The system requires no modifications to the protected (monitored) host's software, and operates correctly even when the host system is compromised. Either arranged as a stand-alone computer on an add-in card which communicates with the monitored host system through the PCI bus, or as a co-processor based monitor located on the motherboard of the host system, or residing on one virtual CPU while the monitored system resides on another virtual CPU, or residing within the domain manager of the host system, the monitor of the present invention monitors the integrity of the examined structure by calculating hash values of the structure, comparing them with expected hash values, and sending error reports once a discrepancy between these values is detected. | 08-27-2009 |
20090217378 | Boot Time Remediation of Malware - Aspects of the subject matter described herein relate to removing malware from a computer system. In aspects, an anti-malware engine detects malware and writes a tool onto a storage device. The anti-malware engine disguises the tool to make it more difficult for malware to detect that the tool is on the storage device. In addition, the anti-malware engine encrypts and writes remediation actions to be taken by the tool to the storage device and requests that the computer reboot. After rebooting, the computer executes the tool which takes the remediation actions including removing the malware. | 08-27-2009 |
20090222920 | MALWARE DETECTION SYSTEM AND METHOD - Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address. | 09-03-2009 |
20090222921 | Technique and Architecture for Cognitive Coordination of Resources in a Distributed Network - A system and method are disclosed for utilizing resources of a network. A constructive proof that a subset of resources is sufficient to satisfy the objective of a system can be generated. The constructive proof can comprise instructions for using the subset of resources. A set of computer-executable instructions can be created from the constructive proof and executed on a host device. The computer-executable instructions can control a data output device according to the instructions of the constructive proof. | 09-03-2009 |
20090222922 | SYSTEMS, METHODS, AND MEDIA PROTECTING A DIGITAL DATA PROCESSING DEVICE FROM ATTACK - In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within a virtual environment: receiving at least one attachment to an electronic mail; and executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs. | 09-03-2009 |
20090241189 | EFFICIENT HANDLING OF INTERRUPTS IN A COMPUTING ENVIRONMENT - A method for efficiently handling interrupts in a virtual technology environment with integrity services is provided. The method comprises assigning an interrupt to a virtual machine that is running a software agent; suspending the software agent; invoking a protected interrupt handler; copying the interrupt's memory content to a protected location, in response to successfully verifying the integrity of the content; replacing the interrupt's return address with a return address for a protected function; switching from the software agent's protected context to its active context; executing the original interrupt handler; returning control to the protected function to ensure that execution of the software agent resumes safely; switching back to the software agent's protected context, in response to successfully verifying the integrity of the content; and passing control back to the software agent to resume execution. | 09-24-2009 |
20090241190 | System and method for securing a network from zero-day vulnerability exploits - A method of securing a network from vulnerability exploits, including the steps of a traffic analysis engine receiving a plurality of packets destined for an internal operating system; the traffic analysis engine selectively forwarding the packets to at least one virtual machine emulating the internal operating system; the virtual machine processing each forwarded packet; a rapid analysis engine identifying a malicious packet from the processed packets; and the rapid analysis engine creating a new signature to identify the malicious packet. | 09-24-2009 |
20090241191 | SYSTEMS, METHODS, AND MEDIA FOR GENERATING BAIT INFORMATION FOR TRAP-BASED DEFENSES - Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information. | 09-24-2009 |
20090241192 | VIRTUAL MACHINE CONFIGURATION SHARING BETWEEN HOST AND VIRTUAL MACHINES AND BETWEEN VIRTUAL MACHINES - In embodiments of the present invention improved capabilities are described for conserving computer resources by processing data through the use of a first virtual machine, causing the first virtual machine to share information about the processing of the data with a second virtual machine, and causing the second virtual machine to alter an activity as a result of the shared information, causing the host to share the information with a second virtual machine to alter an activity of the second virtual machine, causing the first virtual machine to share information about the action with a second virtual machine to alter a process of the second virtual machine, and the like. | 09-24-2009 |
20090241193 | Enhanced Computer Intrusion Detection Methods And Systems - Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms. | 09-24-2009 |
20090254991 | INTRUSION DETECTION USING A NETWORK PROCESSOR AND A PARALLEL PATTERN DETECTION ENGINE - An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern match a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures. | 10-08-2009 |
20090260084 | METHOD FOR VERIFYING CONFORMITY OF THE LOGICAL CONTENT OF A COMPUTER APPLIANCE WITH A REFERENCE CONTENT - A computer appliance and method are provided. The computer appliance includes a processor, a memory in which the processor can read and write, and an input/output device for interfacing the appliance processor with the outside world. In order to verify conformity of the logical content of the appliance with the reference content, the method includes sending to the appliance a request for loading into the memory and executing a verification program. The verification program is capable of writing data into the memory of the appliance and of reading data in the memory to send them to the input/output device. Then, the method includes sending to the appliance a request for executing the program to saturate the available memory not taken up by the program. Finally, it includes exchanging messages with the appliance by executing the program. Based on the exchanged messages, the conformity of the logical content of the appliance is verified. | 10-15-2009 |
20090265784 | NETWORK FAILURE DETECTION METHOD AND NETWORK FAILURE DETECTION SYSTEM - A system provides definitions of network states, and identifies a cause for the anomaly upon detection. A traffic measuring portion (characteristic quantity generating portion) counts the number of packets per time slot classified by traffic type with respect to network traffic, generating a characteristic quantity; a memory portion stores information about the characteristic quantity; a portion calculates correlation coefficients between each pair of characteristic quantities classified by traffic type; a portion generates a histogram from the correlation coefficients; a portion determines the severity of an anomaly based on the histogram; a portion evaluates the similarity of an anomaly of interest to a reference anomaly using the occurrence probabilities of correlation coefficients; and a portion assigns a color to each pixel according to its occurrence probability value, generating an n×n picture. Visualization of network state is achieved using probability distribution vectors derived from the correlation coefficients obtained from each pair of characteristic quantities. | 10-22-2009 |
20090265785 | SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply and other information such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected. | 10-22-2009 |
20090271863 | Identifying unauthorized privilege escalations - Disclosed herein is a method and system of determining and/or managing potential privilege escalation attacks in a system or network comprising one or more potentially heterogeneous hosts. The step of configuration scanning optionally includes making a list of operating system specific protection mechanisms on each host. Vulnerability scanning optionally includes the step of identifying the vulnerability position of each identified program. The transitive closure of all security attacks on the network and potential privilege escalations can be determined. A user interface optionally renders the potential privilege escalations as an appropriate representation. The method may include none or one or more of several pre-emptive mechanisms and reactive mechanisms. Further, the method may optionally include a mechanism for a periodic safety check on the system ensuring continued security on the network. | 10-29-2009 |
20090271864 | Containment of Rogue Systems in Wireless Network Environments - Methods, apparatuses and systems facilitating containment of the effects of rogue or unauthorized access points on wireless computer network environments. Embodiments of the present invention support one to a plurality of rogue containment methodologies. A first rogue containment type involves identification of the physical connection of the rogue access point to the wired network infrastructure and, thus, allows for disabling of that physical connection to contain the rogue access point. Other rogue containment methods involve wireless techniques for containing the effect of rogue access points. As discussed below, the rogue containment functionality described herein can be applied to a wide variety of wireless network system architectures. | 10-29-2009 |
20090271865 | METHOD AND DEVICE FOR DETECTING FLOOD ATTACKS - Disclosed is a flood attack detection method, wherein the total number of keywords of a source packet is acquired, and the number of feature parameters corresponding to the source packet is acquired. A ratio of the number of feature parameters to the total number of keywords is compared with a preset threshold, and if the ratio is greater than or equal to the preset threshold, it is determined that a flood attack occurs. | 10-29-2009 |
20090271866 | System and Method for Protecting Against Malware Utilizing Key Loggers - A software, system and methodology for protecting against malware key logger attacks that utilize, for example, form-grabbing techniques. The application protects the browser from key logging malware attacks, and from the loss of critical user confidential information often entered into internet forms for the purpose of buying items or logging into financial institutions. An embodiment of a method for blocking form-grabbing attacks includes the following steps. Upon detecting a form submission event from the browser, and immediately after allowing the data to be properly submitted, the form input fields are cleared of data. The method prevents hook-based key loggers or form-grabbing key loggers from capturing form input data, thereby protecting the user from theft of passwords or credentials. | 10-29-2009 |
20090276851 | DETECTING MALICIOUS BEHAVIOR IN A SERIES OF DATA TRANSMISSION DE-DUPLICATION REQUESTS OF A DE-DUPLICATED COMPUTER SYSTEM - The present invention provides a method and system of detecting malicious behavior in a series of data transmission de-duplication requests of a de-duplicated computer system. In an exemplary embodiment, the method and system include, (1) if the series includes at least one particular de-duplication request for particular data and a reply to the particular request that the system does not have the particular data, processing at least one subsequent response and (2) determining the existence of the behavior from the at least one subsequent response. | 11-05-2009 |
20090276852 | STATISTICAL WORM DISCOVERY WITHIN A SECURITY INFORMATION MANAGEMENT ARCHITECTURE - A method, system, and computer program product for identifying a worm attack on a computer network. The method includes setting a predetermined time period for monitoring non-packet event(s). A log entry associated with the packet event(s) is received and stored. The one or more received log entries identify a first source of a worm infection threat, first destination(s) of the worm infection threat, first timestamp(s) of the worm infection threat, and a non-packet event type of the worm infection threat. A counter is configured for recording, within the predetermined time period, a number of infection attempts of the same event type by the first destination(s) of the worm infection threat to a second destination(s) of the worm infection threat. In response to determining that the number of infection attempts satisfies a defined infection attempt threshold value, an alert confirming the worm attack on the computer network is communicated. | 11-05-2009 |
20090276853 | FILTERING INTRUSION DETECTION SYSTEM EVENTS ON A SINGLE HOST - Embodiments disclosed herein describe a method to determine the consequences of a privilege escalation alert from an intrusion detection system, the method comprising the steps of obtaining a privilege escalation alert from the intrusion detection system and analyzing said privilege escalation alert information. The analysis further comprises identifying the program affected by said privilege escalation alert and determining if it can be circumvented. The users affected by said privilege escalation alert and the transitive effects of said privilege escalation alert are identified. | 11-05-2009 |
20090282481 | METHODS, HARDWARE PRODUCTS, AND COMPUTER PROGRAM PRODUCTS FOR IMPLEMENTING INTROSPECTION DATA COMPARISON UTILIZING HYPERVISOR GUEST INTROSPECTION DATA - Introspection data comparison is implemented utilizing hypervisor guest introspection data. A hypervisor shim on a hypervisor is used to construct one or more workload management components that are independent from a participating pool member of a pool comprising a guest having a guest memory and a guest operating system. The hypervisor collects a first set of data. The guest sends a second set of data comprising guest memory data from the guest memory. The first set of data is compared with the second set of data to detect at least one of a potential security intrusion or an anomalous deviation between the first set of data and the second set of data. A policy manager takes action based upon a result of the comparison of the first and second sets of data. | 11-12-2009 |
20090282482 | Active Computer System Defense Technology - Active computer system defense techniques can include sending disruptive communications to attackers, where the disruptive communications include random data elements which could potentially interfere with the operation of an attacking system. Such computer system defense techniques can also be augmented to automatically optimize the disruptive communications sent to the attackers. | 11-12-2009 |
20090282483 | SERVER BASED MALWARE SCREENING - An Internet infrastructure is provided to transfer a packet of data between a client device and a source device. The infrastructure consists of a support server that screens the packet for malware codes on behalf of a registered client. In order to scan for malware, the support server contains hardware and/or software modules to perform malware detection and quarantine functions. The modules identify malware bit sequences in the packet(s); the malware bit sequences or the entire contaminated code is then quarantined or repaired as appropriate. After identification of malware code (if any), the support server sends warning messages to affected parties, providing information regarding the malware codes that were detected. | 11-12-2009 |
20090288165 | METHODS AND APPARATUS FOR INTRUSION PROTECTION IN SYSTEMS THAT MONITOR FOR IMPROPER NETWORK USAGE - Methods and apparatus for intrusion protection in systems that monitor for improper network usage are disclosed. An example method to protect a service platform comprises detecting responses from the service platform indicative of questionable signaling protocol transactions. The example method further comprises storing transaction records corresponding to questionable signaling protocol transactions, with at least one of the transaction records identifying a signaling protocol message including an associated originating device address corresponding to a respective questionable transaction record. Additionally, the method comprises determining whether the originating device address is associated with an improper intrusion of the service platform based on at least one of the transaction records corresponding to the originating device address. | 11-19-2009 |
20090288166 | SECURE APPLICATION STREAMING - A server includes a scanning module for determining whether an application is free of malware, a module for packaging the application into blocks for delivery via application streaming, a module for providing the blocks to a client on request, and a module for adding to each block an indication of whether the associated application has already been determined to be free of malware. A client includes a module for requesting blocks of a streamed application from the server. When the client receives a block, it employs a module for verifying that the associated applications have been determined to be free of malware by examining the indication provided by the server. If verification is successful, then the block's code is executed without first receiving and scanning any additional blocks from the server. | 11-19-2009 |
20090288167 | SECURE VIRTUALIZATION SYSTEM SOFTWARE - Systems and methods for protecting a virtualization environment against malware. The methods involve intercepting an event in a kernel mode of the virtualization environment, suspending execution of the event, and transmitting the event to a user mode security module that determines whether the event should be blocked, allowed, or redirected. Events may be intercepted from any level of the virtualization environment, including an interrupt request table, device driver, OS object manager, OS service dispatch table, Portable Execution (P/E) import/export table, or binary code, among others. In one embodiment, an event may trigger a chain of related events, such that interception of an event without first intercepting an expected antecedent event is one indication of malware. The method also involves securing a virtual storage device against unauthorized access and providing for secure communication between guest OS and virtualization environment security modules. | 11-19-2009 |
20090293122 | METHOD AND SYSTEM FOR IDENTIFYING ENTERPRISE NETWORK HOSTS INFECTED WITH SLOW AND/OR DISTRIBUTED SCANNING MALWARE - Malware detection systems are presented in which a list is constructed of enterprise hosts to or from which each given enterprise network host sends or receives packets within a current measurement period and statistics are accumulated based on two or more measurement period lists, with a count value being derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets, and one or more monitored hosts may be identified as suspected of being infected with slow and/or distributed scanning malware for which the count value exceeds a threshold value. | 11-26-2009 |
20090293123 | METHODS AND APPARATUS TO MITIGATE A DENIAL-OF-SERVICE ATTACK IN A VOICE OVER INTERNET PROTOCOL NETWORK - Methods and apparatus to mitigate a Denial-of-Service (DoS) attack in a voice over Internet protocol (VoIP) network are disclosed. An example method comprises receiving a communication session initiation message from a communication session endpoint, determining whether the communication session endpoint is associated with a probable DoS attack, and sending to the communication session endpoint a communication session initiation response message comprising a DoS header when the communication session endpoint is associated with the probable DoS attack. | 11-26-2009 |
20090293124 | Intrinsically Safe Remote Data Monitoring System and Monitoring Method Thereof - This invention refers to an intrinsically safe remote data monitoring system and a monitoring method for remote data monitoring using such a system. The monitoring system comprises a process control computer that monitors or controls the controlled process, a remote monitoring computer that remotely monitors the process control computer, a signal collecting device physically connected, without going through a network, to the process control computer for acquiring data from the process control computer, a local monitoring computer ( | 11-26-2009 |
20090300761 | Intelligent Hashes for Centralized Malware Detection - A suspicious entity is identified. An intelligent hash for the suspicious entity is generated, wherein the intelligent hash includes a set of metadata that is specific to the suspicious entity and at least some of the metadata is invariant over changes to the suspicious entity. The intelligent hash is transmitted to a server for evaluation of whether the suspicious entity corresponds to the malware entity. The server is adapted to determine whether the suspicious entity corresponds to the malware entity based on the intelligent hash. A result is received from the server specifying whether the suspicious entity corresponds to the malware entity. | 12-03-2009 |
20090300762 | Methods And Systems For Managing A Potential Security Threat To A Network - Methods, systems and computer readable mediums storing computer executable programs for managing a potential security threat to a network are disclosed. Network data received at a network system within a network is monitored at a network management system. A determination is made at the network management system regarding whether the network data received at the network system poses a potential security threat to the network. A threat type associated with the potential security threat is identified at the network management system based on the determination. A threat assessment system operable to evaluate the identified threat type is identified at the network management system. A command is issued from the network management system to the network system to mirror network data received at the network system to the identified threat assessment system. | 12-03-2009 |
20090300763 | METHOD AND SYSTEM FOR DETECTING CHARACTERISTICS OF A WIRELESS NETWORK - Characteristics about one or more wireless access devices in a wireless network, whether known or unknown entities, can be determined using a system and method according to the present invention. An observation is made of the activity over a Wireless Area Network (WLAN). Based on this activity, changes in state of wireless access devices within the WLAN can be observed and monitored. These changes in state could be indicative of normal operation of the WLAN, or they may indicate the presence of an unauthorized user. In the latter case, an alert can be sent so that appropriate action may be taken. Additionally, ad hoc networks can be detected that may be connected to a wireless access point. | 12-03-2009 |
20090307773 | SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY - A system and method that provides for copying ARP replies and generating data packets which include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, analyzing future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected. | 12-10-2009 |
20090307774 | COMPUTER PERIPHERAL APPARATUS AND METHOD OF CONTROLLING THE SAME - A computer peripheral apparatus of this invention has a check step of checking whether received data is infected with a computer virus. If the received data satisfies a predetermined condition, the apparatus executes the check step before predetermined data processing. If the received data does not satisfy the predetermined condition, the apparatus executes the check step before the predetermined data processing. | 12-10-2009 |
20090307775 | IDENTIFYING FRAUDULENT ACTIVITIES AND THE PERPETRATORS THEREOF - A system for identifying perpetrators of fraudulent activity includes location logic for locating, extracting, or capturing identifying information from a client communication received from a client device. For example, the location logic may locate, or extract, a variety of message headers from an HTTP client request. The system may also include analyzer logic to analyze the identifying information, for example, by comparing the identifying information with previously captured identifying information from a previously received client communication. Finally, the system may include account identifier logic to identify user accounts associated with the previous client communication in which the same identifying information was extracted. | 12-10-2009 |
20090313699 | APPARATUS AND METHOD FOR PREVENTING ANOMALY OF APPLICATION PROGRAM - An apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided. The apparatus includes a behavior monitor that detects behavior of an application program in operation, an anomaly detector that determines whether the detected behavior of the application program is an anomaly on the basis of a behavior profile of the application program in operation, and an anomaly stopper that stops the behavior of the application program determined as an anomaly by the anomaly detector. Possible application program behavior is stored according to its purpose in a behavior profile, and an anomaly is detected and stopped on the basis of the behavior profile, thereby decreasing the false-positive rate of anomaly detection and simultaneously solving the problem of conventional security programs being incapable of defending against attacks that use the authority of a program trusted by the user. | 12-17-2009 |
20090320131 | Method and System for Preventing Malicious Communication - A method and a system for preventing malicious communication are disclosed. The system comprises a safe module set with a specific Internet Protocol address and a Time to Live threshold value of the specific IP address to determine whether a malicious communication exists. If the malicious communication exists, the safe module can re-direct the malicious communication to a recording module of the system for recording the content of the malicious communication. | 12-24-2009 |
20090320132 | SYSTEMS AND METHODS FOR DISTRIBUTED NETWORK PROTECTION - By distributing various information and monitoring centers that monitor distributed networks and unauthorized access attempts, it is possible to, for example, more quickly defend against unauthorized access attempts. For example, a Level 1 monitoring center could monitor a predetermined geographical area serving, for example, a wide variety of commercial and public sites, an organizational structure, or the like, for alarms. Upon analyzing an alarm for various characteristics, the Level 1 monitoring center can refer the unauthorized access attempt to an appropriate Level 2 center for, for example, possible retaliatory and/or legal action. Then, a Level 3 monitoring center can record and maintain an overall picture of the security of one or more networks, the plurality of monitoring centers, and information about one or more hacking attempts. | 12-24-2009 |
20090328212 | Determination of malicious entities - A method/system of determining if one or more entities in a data storage medium of a processing system are malicious, wherein the method comprises recording entity properties of the one or more entities when at least part of the processing system is in a range of operating usage; and determining, using the entity properties, if the one or more entities are malicious. | 12-31-2009 |
20090328213 | Method and system for morphing honeypot - A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. | 12-31-2009 |
20090328214 | Secure channel reservation - A beacon method for use in a wireless communication network involves populating a beacon frame's channel identification data with accurate data associated with use of a particular channel for wireless communication; populating the beacon frame's network identification data with data including at least one false data element wherein it can be determined if an intruder has attempted to connect to the network by detecting the false data element in the intruder's attempt to connect to the network, where the beacon network identification data are intended to identify the network using the particular channel; storing the beacon frame in a computer readable storage medium; and transmitting the beacon frame over a channel to be reserved. This abstract is not to be considered limiting, since other embodiments may deviate from the features described in this abstract. | 12-31-2009 |
20090328215 | SEMANTIC NETWORKS FOR INTRUSION DETECTION - Semantic networks are generated to model the operational behavior of an enterprise network to provide contextual interpretation of an event or a sequence of events that are observed in that specific enterprise network. In various illustrative examples, different semantic networks may be generated to model different behavior scenarios in the enterprise network. Without the context provided by these semantic networks malicious events may inherently be interpreted as benign events as there is typically always a scenario where such events could be part of normal operations of an enterprise network. Instead, the present semantic networks enable interpretation of events for a specific enterprise network. Such interpretation enables the conclusion that a sequence of events that could possibly be part of normal operations in a theoretical enterprise network is, in fact, abnormal for this specific enterprise network. | 12-31-2009 |
20090328216 | PERSONALIZED HONEYPOT FOR DETECTING INFORMATION LEAKS AND SECURITY BREACHES - A honeypot in a computer network is configured for use with a wide variety of computing resources that are defined by a network administrator or user which may include desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks. The honeypot is implemented in an extensible manner so that virtually any resource may be honeypotted to apply honeypot benefits to resources beyond static IP addresses in order to improve both the breadth of information leakage prevention and the detection of malicious attacks. | 12-31-2009 |
20090328217 | Database context-based intrusion detection - A method for detecting an unauthorized action in a database, the method comprising estimating correlation between a predicted result of an intercepted database statement and at least one context parameter associated with the database statement, wherein lack of correlation indicates the database statement being associated with an unauthorized action. | 12-31-2009 |
20090328218 | DATA PROCESSING SYSTEM, DATA PROCESSING METHOD, AND PROGRAM - A log output device and a program are provided which append a signature to a log, prevent undetectable tampering (alteration, insertion, deletion, etc.), and are able to narrow down the tampered position if tampering occurs. The log output device forms a log record including a data part and a hash part, and outputs it to a disk; the hash part is formed by combining a hash of the data part (data hash) and a hash of the hash part of the previous record (link hash); a signature is appended to only a subset of the records of a hash chain; when outputting the record to the disk, a copy of the hash part of the record is maintained in process memory; when outputting the next record, the hash part of the latest record on the disk and the hash part maintained in process memory are compared; if they match, the record on the disk is determined not to have been tampered with, and if they mismatch, the record is determined to have been tampered with. | 12-31-2009 |
20090328219 | DYNAMIC POLICY PROVISIONING WITHIN NETWORK SECURITY DEVICES - The invention is directed to techniques for dynamic policy provisioning. A network security device may comprise a memory that stores a first policy that identifies a first set of patterns that correspond to a first set of network attacks and a second policy, and a control unit that applies the first policy to the network traffic to detect the first set of network attacks. The control unit, while applying the first policy, monitors parameters corresponding to one or more resources and dynamically determines whether to apply a second policy to the network traffic based on the parameters. The control unit, based on the dynamic determination, applies the second policy to the network traffic to detect a second set of network attacks and forwards the network traffic based on the application of the second policy. In this manner, the network security device may implement the dynamic policy provisioning techniques. | 12-31-2009 |
20100011440 | Computer Security Intrusion Detection System For Remote, On-Demand Users - An intrusion detection system, and a related method and computer program product, for implementing intrusion detection in a remote, on-demand computing service environment in which one or more data processing hosts are made available to a remote on-demand user that does not have physical custody and control over the host(s). Intrusion detection entails monitoring resources defined by the on-demand user (or a third party security provider) for intrusion events that are also defined by the on-demand user (or security provider), and implementing responses according to event-action rules that are further defined by the on-demand user (or security provider). An intrusion detection system agent is associated with each of the data processing hosts, and is adapted to monitor the intrusion events and report intrusion activity. If there are plural intrusion detection system agents, they can be individually programmed to monitor and report on agent-specific sets of the intrusion events. An intrusion detection system controller is associated with one of the data processing hosts. It is adapted to manage and monitor the intrusion detection system agent(s), process agent reports of intrusion activity, and communicate intrusion-related information to the on-demand user (or security provider). The responses to intrusion events can be implemented by the intrusion detection system controller in combination with the intrusion detection system agents, or by any such entity alone. | 01-14-2010 |
20100017879 | Method and System for Intrusion Detection - Method for protecting computer software by detecting an attack of an intruding program interfering with the execution of said protected software on a computer system with a processor and at least a processor memory, wherein the computer software to be protected communicates with a license container containing a license for using and executing the protected computer software and containing at least one cryptographic key, wherein the license container provides licenses and cryptographic keys for the protected software to protect its usage and its integrity, and wherein the protected computer software is at least partly encrypted and uses the associated cryptographic keys to decrypt said protected software for executing comprises the following steps: during execution of the protected software, analyzing the behavior of the protected software and/or the execution environment of the protected software on the computer system, and searching for patterns of an intrusion or an intruding program, detecting an intrusion into the protected software during the execution of the protected software, wherein the intruding program uses a monitoring component for gaining unauthorized access, and creating a signal on detection of an attack. | 01-21-2010 |
20100024033 | APPARATUS AND METHOD FOR DETECTING OBFUSCATED MALICIOUS WEB PAGE - An apparatus and method for detecting an obfuscated malicious web page are provided to find a malicious web page by deobfuscating an obfuscated malicious code. The apparatus includes an obfuscated code detector that detects whether an obfuscated code is included in a source code of a web page, a deobfuscation function inserter that reconfigures the source code by inserting a function for deobfuscating the obfuscated code into the source code, a deobfuscator that is called by the function inserted into the reconfigured source code and deobfuscates the obfuscated code, and a malicious code detector that detects a malicious code using the deobfuscated code. | 01-28-2010 |
20100037317 | METHOD AND SYSTEM FOR SECURITY MONITORING OF THE INTERFACE BETWEEN A BROWSER AND AN EXTERNAL BROWSER MODULE - A method for detecting attacks that exploit vulnerabilities in an external module of a primary application is disclosed. The method begins with receiving from the primary application an external module method call that includes a module identifier and a module parameter. Thereafter, the external module method call is intercepted prior to the instantiation of the external module. The external module method call, which may include various data, is compared to the signature rules that are correlated to an attack attempt. If there is a match, then the resulting action part defined in the signature rule is evaluated. Otherwise, the external module is invoked. | 02-11-2010 |
20100037318 | Network Intrusion Detection - A method of detecting network communications includes monitoring network devices for communication data; generating an output file including the communication data correlated with a communication type; computing network metrics based on the correlated data; comparing the network metrics with a policy threshold; and determining a network violation event based on the comparing. | 02-11-2010 |
20100037319 | TWO STAGE ACCESS CONTROL FOR INTELLIGENT STORAGE DEVICE - Systems and methods that resist malicious attacks on an intelligent storage device via an access control component that supplies security at a dual layer of defense. Such dual layer defense encompasses both resistance to brute force (e.g., unauthorized users), and resistance to a replay attack (e.g., a malicious code residing on a machine that hosts the intelligent storage device.) Accordingly, an access control component includes an anti malicious user component and an anti malicious code component, which can resist malicious attacks from both a person and a host unit with a malicious code residing thereon. | 02-11-2010 |
20100050259 | SYSTEM AND METHOD FOR RADIO FREQUENCY INTRUSION DETECTION - A system to detect and analyze RF signals utilizes a data structure storing RF signatures indicating characteristics of known authorized and/or unauthorized RF transmissions. When an RF signal is detected, certain analysis characteristics are extracted from the RF signal and analyzed with respect to the stored RF signatures to determine whether the RF transmission is authorized or unauthorized. In the event of an unauthorized RF transmission, the system generates an alarm condition to alert the user to an RF intrusion and may further log data related to the intruder transmission. Known techniques may be used to determine the location of the RF intrusion within a defined area of operations. | 02-25-2010 |
20100050260 | Attack node set determination apparatus and method, information processing device, attack dealing method, and program - An attack node set determination apparatus obtains an event log basic parameter extracted from collected event logs and attribute information based on the event log basic parameter. The attack node set determination apparatus performs a clustering on a space having dimensions of part or all of the obtained attribute information and event log basic parameter, computes a cluster, and transmits information on the cluster and a countermeasure against the cluster to a firewall. Upon detecting an attack packet from an attack node set, the firewall identifies a cluster including the attack packet and conducts a countermeasure against the whole identified cluster. | 02-25-2010 |
20100058473 | HEURISTIC METHOD OF CODE ANALYSIS - A method of detecting malware at a computing device. The method includes examining a software program comprising a sequence of program instructions, determining whether each instruction in the sequence meets any of a group of suspicion criteria, assigning an instruction-level score to each instruction that meets any of the suspicion criteria, summing the instruction-level scores for each instruction to yield a program-level score, determining whether the program-level score exceeds a threshold, and, if the program-level score exceeds the threshold, developing a report indicating a malware detection result. | 03-04-2010 |
20100064367 | INTRUSION DETECTION FOR COMPUTER PROGRAMS - A method of detecting intrusion in a computer program which has a number of defined libraries and includes cross border instructions which cause execution to branch from a source library to a target library. The method comprises the step of determining whether execution of the program is in an area consistent with normal execution of the program, by checking whether the source library of a cross border instruction is the expected current execution library of the program. Each cross border instruction has a code stub identifying the source library, and when a legal cross border instruction is executed the target library becomes the current execution library. The method also checks that the target address of a cross border instruction is a legal address. In another arrangement, areas of the program are set so that a cross border instruction will generate a page protection fault which is intercepted by the intrusion detection system so that the cross border instruction can be checked. | 03-11-2010 |
20100071061 | Method and Apparatus for Whole-Network Anomaly Diagnosis and Method to Detect and Classify Network Anomalies Using Traffic Feature Distributions - To improve network reliability and management in today's high-speed communication networks, we propose an intelligent system using adaptive statistical approaches. The system learns the normal behavior of the network. Deviations from the norm are detected and the information is combined in the probabilistic framework of a Bayesian network. The proposed system is thereby able to detect unknown or unseen faults. As demonstrated on real network data, this method can detect abnormal behavior before a fault actually occurs, giving the network management system (human or automated) the ability to avoid a potentially serious problem. | 03-18-2010 |
20100071062 | MECHANISM FOR IDENTIFYING MALICIOUS CONTENT, DoS ATTACKS, AND ILLEGAL IPTV SERVICES - Mechanism for identifying malicious content, DoS attacks, and illegal IPTV services. The characteristics of various control messages being transmitted within a network that services Internet protocol television (IPTV) content are monitored to identify suspicious behavior (e.g., such as that associated with malicious content, denial of service (DoS) attacks, IPTV service stealing, etc.). In addition to monitoring control messages within such a network, deep packet inspection (DPI) may be performed for individual packets within an IPTV stream to identify malicious content therein (e.g., worms, viruses, etc. actually within the IPTV stream itself). By monitoring control messages and/or actual IPTV content within a network (e.g., as opposed to only at the perimeter of a network), protection against both outside and inside attacks can be effectuated. This network-level basis of operation effectively guards against propagation of malicious content to other devices within the network. | 03-18-2010 |
20100071063 | SYSTEM FOR AUTOMATIC DETECTION OF SPYWARE - An automatic system for spyware detection and signature generation compares packets of output from a computer in response to standard user inputs, to packets of a standard output set derived from a known clean machine. Differences between these two packet sets are analyzed with respect to whether they relate to unknown web servers and whether they incorporate user-derived information. This analysis is used to provide an automatic detection of and signature generation for spyware infecting the machine. | 03-18-2010 |
20100077479 | METHOD AND APPARATUS FOR DETERMINING SOFTWARE TRUSTWORTHINESS - Aspects of the invention relate to a method, apparatus, and computer readable medium for determining software trustworthiness. In some examples, a software package identified as including at least one file of unknown trustworthiness is installed on a clean machine. A report package including a catalog of files that have been installed or modified on the clean machine by the software package is generated. Identification attributes for each of the files in the catalog are determined. Each of the files in the catalog is processed to assign a level of trustworthiness thereto. The report package is provided as output. | 03-25-2010 |
20100083378 | Contextual Alert Of An Invasion Of A Computer System - Methods, systems, and computer-readable media for providing contextual feedback to a user of a computer system upon detection of an invasion of the computer system are provided herein. An invasion of the computer system is detected and a contextually appropriate alert is selected from a set of alerts. The alert is played immediately upon detection of the invasion so that the user is alerted to the invasion within close temporal proximity to the user's action that resulted in the invasion of the computer system. In addition, details of the invasion are logged to a diagnostic log file for later use by support personnel in repairing the computer system. | 04-01-2010 |
20100083379 | INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND COMPUTER READABLE RECORDING MEDIUM - An example of a device comprises a storage which stores data which is input from outside and to which tracking information is added, a section which detects a first reading event of first data from the storage to which the tracking information is added, a section which detects, after the first reading event, a first writing event to part of character string data to the storage, a section which detects, after the first writing event, a second reading event of second data from the storage to which the tracking information is added, a section which detects, after the second reading event, a second writing event to part of the character string data to the storage, and a section which adds, when the first reading/writing event, second reading/writing event are detected, the tracking information to data to be written to the storage by the first and second writing event. | 04-01-2010 |
20100088766 | METHOD AND SYSTEM FOR DETECTING, BLOCKING AND CIRCUMVENTING MAN-IN-THE-MIDDLE ATTACKS EXECUTED VIA PROXY SERVERS - A method for detecting and blocking a Man-in-the-Middle phishing attack carried out on a client connection which has been fraudulently routed through an anonymous proxy server. An agent downloaded to the client device opens a client direct connection to the security host protecting against the attack and sends a client direct connection ID to the security host for validation. By comparing IP addresses correlated via the validated client direct connection ID, the security host determines whether the original connection is direct (secure) or indirect (attack via phishing proxy). The detection and blocking can be performed by the service provider's server or by a third-party validation server handling all security without additional requirements on the service provider server. In addition to detecting and blocking such attacks, methods for client direct connection ID, as well as automatic transparent and seamless attack circumvention and preemptive circumvention are disclosed. | 04-08-2010 |
20100088767 | TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM - A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table. | 04-08-2010 |
20100095379 | METHOD AND APPARATUS FOR DETECTING MALICIOUS CODE IN AN INFORMATION HANDLING SYSTEM - A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed. | 04-15-2010 |
20100107252 | COGNIZANT ENGINES: SYSTEMS AND METHODS FOR ENABLING PROGRAM OBSERVABILITY AND CONTROLLABILITY AT INSTRUCTION LEVEL GRANULARITY - The present invention is directed to systems for and methods of real-time observing, monitoring, and detecting anomalies in programs' behavior at the instruction level. The hardware assist design in this invention provides fine-grained observability and controllability. Fine-grained observability provides an unprecedented opportunity for detecting anomalies. Controllability provides a powerful tool for stopping anomalies, repairing the kernel and restoring the state of processing. The performance improvement over a pure software approach is estimated to be many orders of magnitude. This invention is also effective and efficient in detecting mutating computer viruses, where normal, signature-based virus detection is underperforming. | 04-29-2010 |
20100107253 | MDL COMPRESS SYSTEM AND METHOD FOR SIGNATURE INFERENCE AND MASQUERADE INTRUSION DETECTION - An intrusion masquerade detection system and method that includes a grammar inference engine. A grammar-based Minimum Description Length (MDL) compression algorithm is used to determine a masquerade based on a distance from a threshold in a model of an estimated algorithmic minimum sufficient statistic. | 04-29-2010 |
20100107254 | NETWORK INTRUSION DETECTION USING MDL COMPRESS FOR DEEP PACKET INSPECTION - A network intrusion detection system and method that includes a grammar inference engine. A grammar-based Minimum Description Length (MDL) compression algorithm is used to determine an attack based on closeness of fit to one or more compression models. The network intrusion detection system and method can determine zero day attacks. | 04-29-2010 |
20100107255 | Intrusion Detection Using MDL Compression - An intrusion masquerade detection system and method that includes a grammar inference engine. A grammar-based Minimum Description Length (MDL) compression algorithm is used to determine a masquerade based on a distance from a threshold in a model of an estimated algorithmic minimum sufficient statistic. | 04-29-2010 |
20100115617 | Event Detection/Anomaly Correlation Heuristics - A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events. | 05-06-2010 |
20100115618 | METHOD AND DEVICE FOR DETECTING UNKNOWN NETWORK WORMS - A method and device for detecting a network worm on the network allows early detection of an unknown network worm with less computational quantity based on a change of randomness occurring to network traffic without using a pattern-matching-based worm detecting method or a behavior-based worm detecting method. | 05-06-2010 |
20100122343 | Distributed Sensor for Detecting Malicious Software - Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operating under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OS VM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices. | 05-13-2010 |
20100122344 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit. | 05-13-2010 |
20100125911 | Risk Scoring Based On Endpoint User Activities - Disclosed herein is a computer implemented method and system for ranking a user in an organization based on the user's information technology related activities and arriving at an end risk score used for determining the risk involved in activities performed by the user and for other purposes. Group risk ranking profiles and security policies for usage of the organization's resources are created. The user is associated with one or more group risk ranking profiles. A security client application tracks the user's activities. Points are assigned to the user's tracked activities based on each of the associated group risk ranking profiles. The assigned points are aggregated to generate a first risk score. The assigned points of the user's tracked activities are modified at different levels based on predefined rules. The modified points are aggregated to generate the end risk score which is used for compliance and governance purposes, optimizing resources, etc. | 05-20-2010 |
20100132039 | SYSTEM AND METHOD TO SELECT MONITORS THAT DETECT PREFIX HIJACKING EVENTS - Method, system and computer-readable medium to select monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix are disclosed. The method includes assigning each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters. Each of the candidate prefix hijack monitors is associated with an autonomous system (AS) that indicates an AS path of autonomous systems (ASes) from the AS to a destination prefix associated with a destination AS. The method further includes iteratively merging a pair of clusters with a highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters. The method also includes ranking each candidate prefix hijack monitor of each of the processed number of clusters according to a route type from an AS associated with the candidate prefix hijack monitor and an AS distance from the AS associated with the candidate prefix hijack monitor to the destination AS. Yet further, the method includes determining a highest ranked candidate prefix hijack monitor of each of the processed number of clusters. | 05-27-2010 |
20100132040 | Automated method and system for monitoring local area computer networks for unauthorized wireless access - According to an embodiment of the present invention, the wireless activity in a geographic area containing LAN connection ports is monitored using one or more sensor devices, called sniffers. By analyzing said wireless activity, one or more APs that are operating in said geographic area are identified. The active APs so identified are classified into three categories, namely “authorized” APs (those that are allowed by the network administrator), “unauthorized” APs (those that are not allowed by the network administrator, but are still connected to the LAN of interest) and “external” APs (those that are not allowed by the network administrator but are not connected to the LAN of interest, for example APs connected to a neighbor's LAN) by conducting one or more tests. The sniffers continue to monitor the selected geographic area to detect any wireless station attempting to connect to or communicating with the one or more identified unauthorized APs. Upon identifying an unauthorized AP and/or an intruding wireless station, an indication is transferred to the prevention process. | 05-27-2010 |
20100138922 | Methods, Systems, and Products for Secure Access to File System Structures - Methods, systems, and products are disclosed for securing access to a file system. A directory is established in a hierarchical file structure having access permission defined by a first owner. A subdirectory is established in the directory. A sub-level subdirectory is established in the subdirectory having access permissions defined by a second owner. The subdirectory is publicly accessible to anyone satisfying the access permission defined by the first owner, such that a change directory system call is executed for a user in the subdirectory, even though the user has not authenticated the access permission defined by the second owner. | 06-03-2010 |
20100138923 | 3-PRONG SECURITY/RELIABILITY/REAL-TIME DISTRIBUTED ARCHITECTURE OF INFORMATION HANDLING SYSTEM - The present invention is directed to a distributed architecture of an information handling system, including a buried nucleus inaccessible for inspection without heroic means while the buried nucleus is in operation, and a trusted authority for generating a secure protocol. The secure protocol controls the operation of the buried nucleus. | 06-03-2010 |
20100146622 | SECURITY SYSTEM AND METHOD FOR DETECTING INTRUSION IN A COMPUTERIZED SYSTEM - In detecting the identity of a person currently using a computer ( | 06-10-2010 |
20100146623 | METHOD AND APPARATUS FOR PATTERN MATCHING FOR INTRUSION DETECTION/PREVENTION SYSTEMS - A packet is compared to a pattern defined by a regular expression with back-references (backref-regex) in a single pass of a non-deterministic finite automaton corresponding to the backref-regex (backref-NFA) that includes representations for all backref-regex's back-references. The packet's characters are sequentially selected and analyzed against the backref-NFA until a match or no-match between the packet and pattern is determined. Upon selecting a character, a corresponding configurations-set is updated, where the set includes configurations associated with respective NFA-states of the backref-NFA and indicating whether the selected character is being matched against a back-reference. With the configurations-set being updated the comparison process proceeds along backref-NFA's NFA-states. The updated configurations-set includes configurations associated with NFA-states reachable from the configurations in the pre-updated set. When the configurations-set includes a final state, a match is determined. When the configurations-set becomes empty, or upon selection of all characters lacks the final state, a no-match is determined. | 06-10-2010 |
20100146624 | Method and apparatus for protection of a program against monitoring flow manipulation and against incorrect program running - Protection program commands are inserted into at least one program command sequence of program commands in a program, to produce and check a monitoring flow marking sequence. | 06-10-2010 |
20100154057 | SIP INTRUSION DETECTION AND RESPONSE ARCHITECTURE FOR PROTECTING SIP-BASED SERVICES - The present invention relates to a Session Initiation Protocol (SIP) intrusion detection and response architecture for protecting SIP-based services, and more specifically, to an SIP intrusion detection and response architecture for protecting SIP-based services, in which SIP-based attacks of a new type can be coped with by detecting the SIP-based attacks and SIP traffic anomalies and managing an SIP-aware security device without degrading quality of multimedia, and signal and media channels can be examined through an SIP-aware intrusion prevention system (IPS) for the purpose of preventing an attacker from hindering a call through manipulation of an SIP message and session-hijacking among legitimate users and attempting a toll fraud by detouring authentication. | 06-17-2010 |
20100154058 | METHOD AND SYSTEMS FOR COLLECTING ADDRESSES FOR REMOTELY ACCESSIBLE INFORMATION SOURCES - A method and system are described for collecting addresses for remotely accessible information sources. Messages, such as emails, carried by a messaging network (N1) are intercepted before reaching a destined terminal. Addresses for remotely accessible information sources (i.e. URLs) are identified from the intercepted email messages. The messages are analysed to be classified as either a first type of message (e.g. spam or virus messages) or a second, different, type of message. If the intercepted message is classified as the first spam/virus type then data indicative of the identified address (URL) is transmitted to a filtering system ( | 06-17-2010 |
20100154059 | NETWORK BASED MALWARE DETECTION AND REPORTING - An apparatus, system and method are described for use in detecting the presence of malware on subscribers' computers. The apparatus, system and method are network based and may be deployed within an Internet Service Provider (ISP) network. The system may include a plurality of network sensors for receiving and analyzing network traffic to determine the presence of malware. An aggregating apparatus receives alerts of the presence of malware and translates a network identifier of the alert to a subscriber identifier. The aggregating apparatus aggregates alert information and forwards it to a reporting infrastructure that can generate notifications in order to notify a subscriber that malware has been detected on a computer associated with the subscriber. | 06-17-2010 |
20100162393 | Methods and Systems for Detecting Man-in-the-Browser Attacks - A computer-implemented method for detecting man-in-the-browser attacks may include identifying a transaction fingerprint associated with a web site. The method may also include tracking a user's input to the web site. The user's input may be received through a web browser. The method may further include intercepting an outgoing submission to the web site. The method may additionally include determining whether, in light of the transaction fingerprint, the user's input generated the outgoing submission. Various other methods, systems, and computer-readable media are also disclosed. | 06-24-2010 |
20100162394 | METHOD AND APPARATUS FOR PROVIDING SECURITY FOR AN INTERNET PROTOCOL SERVICE - A method and apparatus for providing security to an endpoint device are disclosed. For example, the method receives a signaling message by the endpoint device. The method processes the signaling message, if the signaling message is received from a device associated with one of one or more Internet Protocol (IP) addresses in an Access Control List (ACL), and discards the signaling message, if the signaling message is received from a device not associated with one of the one or more IP addresses in the ACL. | 06-24-2010 |
20100162395 | Methods and Systems for Detecting Malware - A method for detecting malware is disclosed. The method may include examining a plurality of metadata fields of a plurality of known-clean-executable files. The method may also include examining a plurality of metadata fields of a plurality of known-malicious-executable files. The method may further include deducing, based on information obtained from examining the plurality of metadata fields of the plurality of known-clean- and known-malicious-executable files, metadata-field attributes indicative of malware. Corresponding systems and computer-readable media are also disclosed. | 06-24-2010 |
20100162396 | System and Method for Detecting Remotely Controlled E-mail Spam Hosts - A system for detecting a remotely controlled e-mail spam host. The system includes an e-mail spammer detection unit and a host traffic profiling unit. The e-mail spammer detection unit identifies e-mail spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an e-mail spammer, interprets the extracted traffic components and determines whether the e-mail spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised e-mail spammers and identifies the botnet controller remotely controlling the compromised e-mail spammer. | 06-24-2010 |
20100162397 | APPARATUS AND METHOD FOR PROTECTING ASSET IN COMPUTER SYSTEM - Provided are an apparatus and method using spatial and temporal quarantine expansion to prevent important information from being leaked due to attacks such as viruses, hacking, and the like. The apparatus includes a state change unit for changing a state of at least one of a memory, a register, and a port in the computer system; a state calculation unit for calculating information on the changed state of the computer system; a security-threat-element elimination unit for eliminating security threat elements from the computer system; a communication unit for transmitting the state information calculated by the state calculation unit to the quarantine station, or receiving control information for controlling the computer system based on the state information, from the quarantine station; and a security execution unit for receiving security information from the quarantine station to execute a specific program when the computer system is faultless, wherein the state information and the control information are transmitted or received repeatedly until the computer system is faultless. | 06-24-2010 |
20100162398 | Method and apparatus for detecting shellcode insertion - A method of detecting malware present on a computer system where the computer system is running an application. The method comprises redirecting a function call, made by the application to a decoding function that performs decoding of an argument provided to it by an application, to a scanning function. The scanning function is then employed to scan an argument of the function call for suspect code or data. In the event that suspect code or data is detected, the function call is inhibited, otherwise program control is returned to the called decoding function. | 06-24-2010 |
20100169971 | METHODS FOR USER PROFILING FOR DETECTING INSIDER THREATS BASED ON INTERNET SEARCH PATTERNS AND FORENSICS OF SEARCH KEYWORDS - Disclosed are methods for user profiling for detecting insider threats including the steps of: upon a client application sending a request for a link, extracting at least one search keyword from a search session associated with the request; classifying the link into at least one classification; determining whether at least one classification is a monitored classification; capturing search elements of search sessions associated with the monitored classification; acquiring usage data from the search elements to create a user profile associated with a user's search behavior; and performing a statistical analysis, on a search frequency for the monitored classification, on user profiles associated with many users. Preferably, the method includes: designating a profile as suspicious based on the statistical analysis exceeding a pre-determined threshold value, wherein the pre-determined threshold value is based on an expected search frequency for the profile and each respective grade for at least one risk-assessment dimension. | 07-01-2010 |
20100169972 | SHARED REPOSITORY OF MALWARE DATA - Various principles for maintaining a shared repository of authorization scanning results, which may be populated with results of authorization scans of particular files (and other content units) as well as a signature for those particular files. When a particular file is to be scanned by a client computing device to determine whether it contains unauthorized software, a signature for the file may be calculated and provided to the shared repository. If the repository has a result for that file—as indicated by a signature for the file being present in the repository—the result in the repository may be provided to the client computing device that issued the query, and the client computing device may accept the answer in the shared repository. If the result is not in the repository (i.e., the file has not been scanned), then the file may be scanned, and a result may be placed in the repository. | 07-01-2010 |
20100169973 | System and Method For Detecting Unknown Malicious Code By Analyzing Kernel Based System Actions - There is provided a system and method for detecting unknown malicious code by analyzing kernel based system actions. More particularly, the system and method provides an advantage of actively countering unknown malicious code or viruses by monitoring kernel based system events in real time, organizing action data based on the collected event data, determining whether the action data corresponds to predetermined malicious actions, backtracking a subject of a malicious action when the action data is determined to correspond to the malicious action, and processing the malicious action. | 07-01-2010 |
20100175132 | ATTACK-RESISTANT VERIFICATION OF AUTO-GENERATED ANTI-MALWARE SIGNATURES - Techniques are disclosed for verifying whether payload signatures correspond to a vulnerability or exploit. Generally a security system may be configured to detect an attack on a server while the server is processing a payload. The security system generates (or obtains) a provisional signature corresponding to the vulnerability. For example, a provisional signature may be generated for a vulnerability from a group of payloads determined to correspond to that vulnerability. The effects of subsequent payloads which match the provisional signature may be monitored. If the effects of a payload duplicate the attack symptoms, a confidence metric for provisional signature may be increased. Once the confidence metric exceeds a predetermined threshold, then the provisional signature may be made active and used to block traffic from reaching an intended destination. | 07-08-2010 |
20100175133 | REORDERING DOCUMENT CONTENT TO AVOID EXPLOITS - Structured document files, such as those utilized by standard productivity applications or for portable documents can have malicious computer executable instructions embedded within them. Modifications to such files can prevent the execution of such malware. Modifications can operate at a file sector level, such as either fragmenting or defragmenting the file, or they can operate at a file record level, such as removing records, adding records, or rearranging the order of records. Other modifications include writing random data into records deemed likely to have malware, removing unaccounted for space, or removing records that are not known to be good and are inordinately large. A scan of the structured document file can identify relevant information and inform the selection of the modifications to be applied. | 07-08-2010 |
20100180343 | SOFTWARE UPDATING APPARATUS, SOFTWARE UPDATING SYSTEM, ALTERATION VERIFICATION METHOD AND ALTERATION VERIFICATION PROGRAM - An aim is to provide a software update apparatus including an install module group ( | 07-15-2010 |
20100180344 | Systems and Methods For Malware Classification - Disclosed are systems, methods and computer program products for detection, classification and reporting of malicious software. A method comprises loading software code into a computer system memory and emulating the software code. The software code and its activity log are then analyzed for presence of a malware. If a malware is detected, an execution flow graph is created from the activity log. The execution flow graph is then parsed using heuristic analysis to identify one or more malicious behavior patterns therein. Then, similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware are computed. The emulated software code is then classified into one or more classes of malware based on the computed similarity indexes. Finally, a comprehensive malware report of the emulated software code is generated based on the execution flow graph and malware classification information. | 07-15-2010 |
20100186088 | AUTOMATED IDENTIFICATION OF PHISHING, PHONY AND MALICIOUS WEB SITES - A method and system for automated identification of phishing, phony, and malicious web sites are disclosed. According to one embodiment, a computer implemented method, comprises receiving a first input, the first input including a universal resource locator (URL) for a webpage. A second input is received, the second input including feedback information related to the webpage, the feedback information including an indication designating the webpage as safe or unsafe. A third input is received from a database, the third input including reputation information related to the webpage. Data is extracted from the webpage. A safety status is determined for the webpage, including whether the webpage is hazardous by using a threat score for the webpage and the second input, wherein calculating the threat score includes analyzing the extracted data from the webpage. The safety status for the webpage is reported. | 07-22-2010 |
20100186089 | METHOD AND SYSTEM FOR PROTECTING CROSS-DOMAIN INTERACTION OF A WEB APPLICATION ON AN UNMODIFIED BROWSER - A system and method for protecting cross-domain interaction of a web application on an unmodified browser. The system includes a security framework, which is created by a browser. The security framework further includes: a component creator for creating components from a plurality of sources; and a supervision module for supervising and controlling scripts/code executed during the creation of components and the invocation and interaction operations performed by various components after their creation. | 07-22-2010 |
20100192224 | SANDBOX WEB NAVIGATION - Browsing the World Wide Web may expose a user's system to malicious attacks that can lead to data loss and/or system failure. Sometimes a user desires to access information on a web page that may contain malicious content. For example, a college student researching computer hacking may need information provided on a hacking website even though the site is potentially dangerous. Although techniques are employed to install potentially harmful executable files into a sandbox (e.g., virtual machine), these techniques do not address navigation of harmful sites. Functionality can be implemented to instantiate a web browser within a controlled virtual environment (“sandbox”) that simulates the host system while restricting the virtual environment to designated space(s) and/or resources of the host system to prevent harmful effects. Instantiating the web browser in the sandbox allows web navigation of risky web sites without deleterious effects on the host system. | 07-29-2010 |
20100192225 | EFFICIENT APPLICATION IDENTIFICATION WITH NETWORK DEVICES - In general, techniques are described for efficiently implementing application identification within network devices. In particular, a network device includes a control unit that stores data defining a group Deterministic Finite Automata (DFA) and an individual DFA. The group DFA is formed by merging non-explosive DFAs generated from corresponding non-explosive regular expressions (regexs) and fingerprint DFAs (f-DFAs) generated from signature fingerprints extracted from explosive regexs. The non-explosive regexs comprise regexs determined not to cause state explosion during generation of the group DFA, the signature fingerprints comprise segments of explosive regexs that uniquely identify the explosive regexs, and the explosive regexs comprise regexs determined to cause state explosion during generation of the group DFA. The network device includes an interface that receives a packet and the control unit traverses first the group DFA and then, in some instances, the individual DFAs to more efficiently identify network applications to which packets correspond. | 07-29-2010 |
20100192226 | Intrusion Event Correlation System - Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks. | 07-29-2010 |
20100199348 | EFFICIENT INTRUSION DETECTION - A method to compress an unoptimized Aho-Corasick automaton is provided that can be used in network intrusion detection systems. Embodiments of the subject method use bitmaps with multiple levels of summaries as well as aggressive path compaction. By using multiple levels of summaries, a popcount can be determined with as few as 1 addition. | 08-05-2010 |
20100205670 | METHOD AND APPARATUS FOR TRACING PACKETS - A system and method for performing source path isolation in a network. The system comprises an intrusion detection system (IDS), a source path isolation server (SS | 08-12-2010 |
20100205671 | HASH-BASED SYSTEMS AND METHODS FOR DETECTING AND PREVENTING TRANSMISSION OF POLYMORPHIC NETWORK WORMS AND VIRUSES | 08-12-2010 |
20100212012 | Systems and Methods for Providing Real Time Access Monitoring of a Removable Media Device - In various embodiments, a method comprises detecting a removable media device coupled to a digital device, authenticating a password to access the removable media device, injecting redirection code into the digital device, intercepting, with the redirection code, a request for data, determining to allow the request for data based on a security policy, and providing the data based on the determination. The method may further comprise selecting the security policy from a plurality of security policies based, at least in part, on the password and/or filtering the content of the requested data. Filtering the content may comprise scanning the data for malware. Filtering the content may also comprise scanning the data for confidential information. | 08-19-2010 |
20100212013 | LOG-BASED TRACEBACK SYSTEM AND METHOD USING CENTROID DECOMPOSITION TECHNIQUE - There are provided a system and method for tracing back an attacker by using centroid decomposition technique, the system including: a log data input module collecting log data of an intrusion alarm from an intrusion detection system; a centroid node detection module generating a shortest path tree by applying a shortest path algorithm to network router connection information collected by a network administration server, detecting a centroid node by applying centroid decomposition technique removing a leaf-node to the shortest path tree, and generating a centroid tree whose node of each level is the detected centroid node; and a traceback processing module requesting log data of a router matched with the node of each level of the centroid tree, and tracing back a router identical to the log data of the collected intrusion alarm as a router connected to a source of an attacker by comparing the log data of the router with the log data of the collected intrusion alarm. According to the system and method, an attacker causing a security intrusion event may be quickly detected, a load on the system is reduced, and a passage host exposed to a danger or having weaknesses may be easily recognized, thereby easily coping with an attack. | 08-19-2010 |
20100212014 | Method for Detecting a Service Prevention Attack and Communication Terminal - A method for detecting a service prevention attack on a first communication terminal, wherein the detection of the service prevention attack is performed by the first communication terminal. The first and at least one second communication terminal comprise communication subscribers in a communication network. The communication connection is provided between the first and the second communication terminals. If the first communication terminal does not receive a status inquiry message of the second communication terminal in a timely manner, receipt of at least one further message indicating that the sender is the second communication terminal is interpreted as a service prevention attack on the first communication terminal and an action is taken, such as all or a plurality of packets are deleted from the input buffer memory or the connection between the two communication terminals is terminated. | 08-19-2010 |
20100218253 | WEB SECURITY VIA RESPONSE INJECTION - System and methods for injecting content into a response for improving client-side security. The system includes a content injection service external to network edges of at least one system. The content injection service receives a request from a client within the at least one system and identifies or anticipates a potential threat associated with the response. The content injection service is configured to determine an appropriate counter for the identified or anticipated potential threat and in response injects content into the response according to the potential or anticipated threat identified. | 08-26-2010 |
20100218254 | NETWORK SECURITY SYSTEM - A method and system for preventing an unacceptable data packet directed at a computing device on a first network and sent from a client device. The method includes a step of providing a network security system remotely from the first network and the client device, the network security system having a public address and including a load balancer and at least one network security subsystem having a private address, the network security subsystem further including an intrusion detection module, the load balancer of the network security subsystem receiving the data packet destined for the computing device. The load balancer translates the destination address of the packet from the public address of the network security system to the private address of the network security subsystem and forwards the packet to the intrusion detection module of the network security subsystem. The intrusion detection module then determines whether the packet is an intrusion attempt. If the packet is not the intrusion attempt, the destination address for the packet is translated to the address of the computing device, the packet source address is translated to the public address of the network security system and the packet is forwarded to the computing device. Finally, if the packet is the intrusion attempt, a network intrusion prevention technique is performed. | 08-26-2010 |
20100223669 | Automated Containment Of Network Intruder - The invention in the preferred embodiment features a system ( | 09-02-2010 |
20100229238 | HYBRID REPRESENTATION FOR DETERMINISTIC FINITE AUTOMATA - A method includes receiving a data unit, determining whether a current state, associated with a deterministic finite automata (DFA) that includes a portion of states in a bitmap and a remaining portion of states in a DFA table, is a bitmap state or not, and determining whether a value corresponding to the data unit is greater than a threshold value, when it is determined that the current state is not a bitmap state. The method further includes determining whether the current state is insensitive, when it is determined that the value corresponding to the data unit is greater than the threshold value, where insensitive means that each next state is a same state for the current state, and selecting a default state, as a next state for the current state, when it is determined that the current state is insensitive. | 09-09-2010 |
20100235912 | Integrity Verification Using a Peripheral Device - A peripheral device includes an interface configured to communicate with a computer, the peripheral device; logic configured to perform an integrity verification of an operating system of the computer; and a display configured to display a result of the integrity verification. A method for integrity verification of a computer using a peripheral device includes connecting the peripheral device to the computer; sending a challenge from the device to the computer; computing attestation data using the challenge and information stored in the computer, retrieving the attestation data from the computer by a client program running on the computer; sending the attestation data to the peripheral device; and verifying the attestation data by the peripheral device. | 09-16-2010 |
20100235913 | Proactive Exploit Detection - Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions. In a further embodiment, the sequence of possible instructions may begin with a possible instruction that comprises at least one candidate operation code (opcode) that has been determined to occur frequently in executable code. | 09-16-2010 |
20100235914 | INTRUSION DETECTION FOR VIRTUAL LAYER-2 SERVICES - The invention is directed to detecting an attempt of an intruder system to participate in a virtual Layer-2 service provided over a packet switching network. Embodiments of the invention monitor operational status of an interface port of a PE router to which a CE router is communicatively coupled for providing the virtual Layer-2 service, determine, consequent to a change in said status, whether information that should relate to the CE router has changed; and thereby, in the affirmative, interpret said change to indicate that an intruder system has attempted to participate in the virtual Layer-2 service. Advantageously, this capability is complementary to other security measures such as MAC filters and Anti-spoofing filters that depend on the content of data packets exchanged between the CE and PE routers and not on the operational status of communicative connections between them. | 09-16-2010 |
20100235915 | USING HOST SYMPTOMS, HOST ROLES, AND/OR HOST REPUTATION FOR DETECTION OF HOST INFECTION - Detecting and mitigating threats to a computer network is important to the health of the network. Currently firewalls, intrusion detection systems, and intrusion prevention systems are used to detect and mitigate attacks. As the attackers get smarter and attack sophistication increases, it becomes difficult to detect attacks in real-time at the perimeter. Failure of perimeter defenses leaves networks with infected hosts. At least two of symptoms, roles, and reputations of hosts in (and even outside) a network are used to identify infected hosts. Virus or malware signatures are not required. | 09-16-2010 |
20100242113 | DETECTION OF ROUTING LOOPS BASED ON TIME-TO-LIVE EXPIRIES - A method and system for detecting routing loops and time-to-live (TTL) expiry attacks in a telecommunications network are disclosed. The detection of routing loops and TTL expiry attacks can be achieved based on the comparison of TTL expiries occurring on two or more routers in the network. A quantity of TTL expiries associated with a router can be summed. Additionally, a quantity of TTL expiries associated with other routers that are operatively coupled to the router can be summed. A difference between the sums can be calculated and a determination of whether a routing loop exists can be made in response to the difference. | 09-23-2010 |
20100251369 | METHOD AND SYSTEM FOR PREVENTING DATA LEAKAGE FROM A COMPUTER FACILITY - In embodiments of the present invention improved capabilities are described for the steps of identifying, through a monitoring module of a security software component, a data extraction behavior of a software application attempting to extract data from an endpoint computing facility; and in response to a finding that the data extraction behavior is related to extracting sensitive information and that the behavior is a suspicious behavior, causing the endpoint to perform a remedial action. The security software component may be a computer security software program, a sensitive information compliance software program, and the like. | 09-30-2010 |
20100251370 | NETWORK INTRUSION DETECTION SYSTEM - A network intrusion detection system applied to detect and monitor network packets. The network intrusion detection system decides to load and operate detection rules according to a current load. The network intrusion detection system includes a network connection unit, a storage unit, and a processing unit. The processing unit operates an alert correlation program, a plurality of detection rules, and a plurality of operation policies according to the received network packets. The alert correlation program is applied to detect whether contents of the network packets conform to the detection rules, assign a resource consumption level to each detection rule, and categorize the detection rules to the operation policies according to the resource consumption levels. A loading level of the processing unit is decided according to a device load and an access load. The operation policies and the alert correlation program that the processing unit operates are decided according to the loading level. | 09-30-2010 |
20100251371 | REAL-TIME MALICIOUS CODE INHIBITOR - A method and system for real-time blocking of malicious requests to a compute system and real-time removal of malicious code from such requests, by comparing the request information to a database of known and recorded malicious requests. If it is determined that the request is from an IP address that is restricted or has previously attacked another system, the request may be denied, the request information will be logged, the incident will be reported to the user and also SecurePlus if the user has subscribed to SecurePlus. If the request is not denied, it will be parsed and searched for inclusion of remote files, database code, programming code, known hacking terms, and user-supplied terms. If the presence of any of these items is detected, the request may be denied, the request information will be logged, the incident will be reported to the user and also SecurePlus if the user has subscribed to SecurePlus. If the request in question has been denied, a cookie will be inserted onto the requesting system to assist in detection of known attackers. | 09-30-2010 |
20100263048 | MALWARE PREVENTION METHOD AND SYSTEM IN A PEER-TO-PEER ENVIRONMENT - A computer-implemented method and system for malware prevention in a peer-to-peer (P2P) environment are disclosed. Specifically, one implementation of the embodiment sets forth a method, which includes the operations of obtaining a meta information of a data, prior to initiating downloading of the data, sending the meta information to a server, and initiating downloading of the data after having received confirmation from the server that the meta information is free from being associated with any known malware. | 10-14-2010 |
20100263049 | VULNERABILITY DETECTION BASED ON AGGREGATED PRIMITIVES - Methods, systems, and computer-readable media are disclosed for detecting vulnerabilities based on aggregated primitives. A particular method includes receiving a plurality of data transmissions. At least one of the data transmissions includes a protocol anomaly that is not indicative of a security threat. The method includes identifying a plurality of primitives associated with the data transmissions. The primitives are aggregated, and an attack condition is identified based on the aggregated primitives. A security alert is generated based on the identified attack condition. | 10-14-2010 |
20100263050 | METHOD OF DETECTING PROGRAM ATTACKS - A program data attack is detected during execution of an algorithm performed by an embedded system. The algorithm uses program data stored in the embedded system. The detection is performed by asserting a detection command signal, initializing a calculation register with a calculation result in response to assertion of the detection command signal, wherein the calculation result is produced by execution of the algorithm using the program data, and comparing the calculation result stored in the calculation register with a reference value included in the program data, wherein the reference value is a value of the calculation result expected to be obtained when the program data is not attacked from outside. | 10-14-2010 |
20100269178 | Detecting Surreptitious Spyware - Tools and techniques are provided for detecting a particular type of spyware. Network activities and user update activities are monitored automatically, and the results are analyzed to identify related processes which perform network transmissions without performing substantive user updates. These processes are identified to a user and/or an administrator as potential spyware, and are then quarantined or otherwise handled based on instructions received from the user or administrator. In some cases, the monitoring and analysis begins with selection of a group of processes to monitor, while in other cases it begins with monitoring of network and/or user update activities in order to narrow the group of suspect processes. Devices, configured media, and method products are also described. | 10-21-2010 |
20100275261 | SIGNATURE SEARCHING METHOD AND APPARATUS USING SIGNATURE LOCATION IN PACKET - A method of and apparatus for searching for a signature in a packet according to a signature location. The method may include extracting a sub-payload to be compared with a signature from a payload of a packet, generating an offset that is location information about a location of the sub-payload in the payload, generating a search key that includes the extracted sub-payload and the generated offset, and performing ternary content addressable memory (TCAM) matching to check if the generated search key matches a TCAM entry. | 10-28-2010 |
20100275262 | Autonomous Diagnosis And Mitigation Of Network Anomalies - Autonomous diagnosis and mitigation of network anomalies may include creating a plurality of sketch matrices wherein each sketch matrix corresponds to an individual hashing function and each row in each sketch matrix corresponds to an array of hashed parameters of interest from multiple network devices for a given period of time, the parameters of interest being configurable by an administrator. A principal components analysis (PCA) input matrix is created for each of the sketch matrices by computing an entropy value for each element in the sketch matrices, and principal components analysis (PCA) is performed on each of the PCA input matrices to heuristically detect a network anomaly in real time. | 10-28-2010 |
20100281539 | DETECTING MALICIOUS NETWORK SOFTWARE AGENTS - This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent. | 11-04-2010 |
20100281540 | DETECTION OF CODE EXECUTION EXPLOITS - Various embodiments include a method of detecting shell code in an arbitrary file comprising determining where one or more candidate areas exist within an arbitrary file, searching at least one nearby area surrounding each of the one or more candidate areas within the arbitrary file for an instruction candidate, and calculating for any such instruction candidate a statistical probability based on a disassembly of instructions starting at a found offset for the instruction candidate that the disassembled instructions are shellcode. | 11-04-2010 |
20100281541 | Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems - Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads. | 11-04-2010 |
20100281542 | Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems - Systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads. | 11-04-2010 |
20100287615 | INTRUSION DETECTION METHOD AND SYSTEM - Intrusion detection method for detecting unauthorized use or abnormal activities of a targeted system of a network, comprising the steps: creating defined preconditions for each vulnerability related to the targeted system and/or for each attack that exploits one or several vulnerabilities; creating assurance references corresponding to said defined preconditions and considering the targeted perimeter; capturing data related to the targeted system; comparing captured data with attack signatures for generating at least one security alert when captured data and at least one attack signature match; capturing assurance data from monitoring of the targeted perimeter; comparing assurance data, issued from assurance monitoring of the targeted perimeter, with assurance references for generating assurance information when said data issued from assurance monitoring and at least one assurance reference match; retrieving the preconditions of the generated security alert; checking if assurance information corresponding to said preconditions has been retrieved; generating a verified security alarm when the generated security alert and its retrieved preconditions match with at least one corresponding assurance information; filtering said security alert when no match has been found between its retrieved preconditions and at least one corresponding assurance information; emitting a non-verified security alert when no preconditions have been retrieved for this alert and/or no assurance reference corresponding to said preconditions has been defined. | 11-11-2010 |
20100306845 | MANAGING POTENTIALLY PHISHING MESSAGES IN A NON-WEB MAIL CLIENT CONTEXT - Computer-readable media and computerized methods for governing treatment of digital communications (e.g., emails and instant messages) upon identifying the communications as potentially phishing emails are provided. A service provider is employed to control behavior of an account that is assigned to an intended recipient of the communications. Controlling the behavior of the account is described in the context of a non-web mail server that renders a UI display, which is not dynamically configurable by the service provider. In one solution, controlling behavior alerts a user to the presence of communications identified as potentially phishing by aggregating these communications in a separate folder. In another solution, controlling behavior facilitates protecting the user by replacing the content of the potentially phishing communications with a warning message. This warning message optionally includes a URL link to a web browser where the user can view the original content of the potentially phishing communications. | 12-02-2010 |
20100306846 | REPUTATION BASED LOAD BALANCING - Methods and systems for operation upon one or more data processors for efficiently processing communications based upon reputation of an entity associated with the communication. | 12-02-2010 |
20100313267 | SYSTEMS AND METHODS FOR EFFICIENT KEYWORD SPOTTING IN COMMUNICATION TRAFFIC - Methods and systems related to keyword searching processes. A list of keywords may be first represented by a set of short substrings. The substrings are selected such that an occurrence of a substring indicates a possible occurrence of one or more of the keywords. Input data may be initially pre-processed, so as to identify locations in the input data in which the substrings occur. Then, the identified locations are searched for occurrences of the actual keywords. The pre-processing scheme enables the keyword search process to search only in the identified locations of the substrings instead of over the entire input data. | 12-09-2010 |
20100319070 | Transformative rendering of internet resources - Apparatus and method for transforming internet resources into safely rendered versions of the same. The invention provides transformative rendering of internet resources to remove malicious code before displaying in a browser or its associated application. Malicious code blockage is accomplished by re-writing all code that is to be transferred to the client browser. Since malicious code is often disguised (or obfuscated), the invention will not attempt to rewrite the entire code set on the page but will still make available the functionality of that code through frequent interaction between the invention's rendering processor and the client browser. | 12-16-2010 |
20100325728 | SYSTEM FOR POLICING JUNK E-MAIL MESSAGES - A system for policing an unsolicited e-mail communication. The system has a plurality of clients, each coupled together using a wide area network of computers, such as the Internet or an intranet. Each of the clients is adapted to send an indication of an unsolicited e-mail message through an e-mail device for a display. The system also has a policing server coupled to each of the plurality of clients through the wide area network of computers. The policing server is adapted to receive the indication from at least one of the clients. The e-mail device comprises a SPAM icon on the display. The SPAM icon is adapted to send the indication from the client to the policing server. | 12-23-2010 |
20100333203 | METHODS FOR DETECTING MALICIOUS PROGRAMS USING A MULTILAYERED HEURISTICS APPROACH - Three heuristic layers are used to determine whether suspicious code received at a port of a data processing device is malware. First, static analysis is applied to the suspicious code. If the suspicious code passes the static analysis, disassembling analysis is applied to the suspicious code. Preferably, if the suspicious code passes the disassembling analysis, dynamic analysis is applied to the suspicious code. | 12-30-2010 |
20110004935 | VMM-BASED INTRUSION DETECTION SYSTEM - An intrusion detection system collects architectural level events from a Virtual Machine Monitor where the collected events represent operation of a corresponding Virtual Machine. The events are consolidated into features that are compared with features from a known normal operating system. If an amount of any differences between the collected features and the normal features exceeds a threshold value, a compromised Virtual Machine may be indicated. The comparison thresholds are determined by training on normal and abnormal systems and analyzing the collected events with machine learning algorithms to arrive at a model of normal operation. | 01-06-2011 |
20110010773 | HARDWARE COMMAND FILTER MATRIX INTEGRATED CIRCUIT WITH RESTRICTED COMMAND ENFORCEMENT CAPABILITY - A semiconductor integrated circuit includes a hardware mechanism arranged to ensure that associations between instructions and data are enforced so that a processor cannot execute an instruction that is not authorized. A Command Filter Matrix stores entries comprising instructions and associated data memory ranges. A hardware arrangement denies command execution if the CPU attempts to make a data fetch from an instruction that is outside the range associated with data in the Command Filter Matrix. The Command Filter Matrix may be implemented in a Field Programmable Gate Array such that the memory cell content is pre-programmed with entrusted code by a separate trusted hardware source. In this way, an operating system may function normally but only execute trusted instructions, commands and memory operations. The Command Filter Matrix also contains external write-only capability to enable external monitoring of performance. | 01-13-2011 |
20110016525 | APPARATUS AND METHOD FOR DETECTING NETWORK ATTACK BASED ON VISUAL DATA ANALYSIS - An apparatus for detecting a network attack includes a traffic image generator for generating a traffic image using traffic information and additional IP information extracted from the traffic information; a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack; and a network attack analyzer for analyzing the traffic image at a time when the network attack is detected to detect network attack information and pattern information of the network attack. The apparatus further includes a representation unit for visualizing the network attack information and the pattern information of the network attack. | 01-20-2011 |
20110016526 | METHOD AND APPARATUS FOR PROTECTING APPLICATION LAYER IN COMPUTER NETWORK SYSTEM - A method and apparatus for protecting an application layer in a computer network system. The method includes creating a session between a client and a data provider in response to a session connection request from the client, and determining the client as an application layer attacking client when the client generates a session termination request before the data provider transmits to the client a response packet to a data request from the client under the created session. | 01-20-2011 |
20110016527 | Real-time network updates for malicious content - A global response network collects, analyzes, and distributes “cross-vector” threat-related information between security systems to allow for an intelligent, collaborative, and comprehensive real-time response. | 01-20-2011 |
20110016528 | Method and Device for Intrusion Detection - A method and device for intrusion detection are provided. The method comprises: allocating one or more detection units for each type of network attack event to be detected and configuring, for that type of event, the type of object to detect, a detection operator and a detection knowledge base; during intrusion detection, acquiring network data packets in real time and extracting the objects to detect contained in them; the corresponding detection units then perform intrusion detection according to the configured detection operators and detection knowledge bases, so as to generate network attack alarm events. The intrusion detection device comprises a sequentially connected data pre-processing unit, data distribution unit and detection grid including one or more detection units, and a configuration management unit connected to them. The present invention supports accurate detection of various complex network attack events while considering the execution efficiency of the entire intrusion detection device. | 01-20-2011 |
20110023118 | BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM - In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed. | 01-27-2011 |
20110023119 | TOPOLOGY-AWARE ATTACK MITIGATION - Techniques are disclosed for preventing malicious attacks or other exploits on a computer server. A network manager may be configured to determine a topology of a plurality of network devices and deploy an intrusion prevention system in one or more of the network devices to mitigate attacks against the vulnerable servers. The one or more network devices may be identified based on the topology and one or more constraints for optimizing the deployment of the intrusion prevention systems. | 01-27-2011 |
20110023120 | METHOD AND SYSTEM FOR CLEANING MALICIOUS SOFTWARE AND COMPUTER PROGRAM PRODUCT AND STORAGE MEDIUM - A method and a system for cleaning malicious software (malware), a computer program product, and a storage medium are provided. A relation graph is established to associate processes in an operating system and related elements. A node marking action is performed on the relation graph when a predetermined condition is satisfied. The node corresponding to a malicious process and its related nodes are marked with a first label. The nodes of other normal processes and their related nodes are marked with a second label. Then, those nodes marked with both the first label and the second label are screened, so that each of the nodes is marked with only the first label or the second label. Finally, the processes and elements corresponding to the nodes marked with the first label are removed. | 01-27-2011 |
20110030056 | INFORMATION PROCESSING APPARATUS - Provided is an information processing apparatus capable of protecting against an unauthorized access from outside without increasing the load of packet analysis and also capable of performing protection from a device inside a network. The information processing apparatus has a first network interface (illustrated using an NIC as an example) and is communicable with other information processing apparatus via the NIC. The information processing apparatus further has a second network interface (illustrated using an energy saving NIC as an example) for performing communication with other information processing apparatus in place of the NIC. The information processing apparatus executes switching processing for switching the network interface to be operated from the NIC to the energy saving NIC when an unauthorized access from outside is detected. At the time of the switching processing, internal information of the information processing apparatus is saved in the energy saving NIC. | 02-03-2011 |
20110030057 | MATCHING WITH A LARGE VULNERABILITY SIGNATURE RULESET FOR HIGH PERFORMANCE NETWORK DEFENSE - Systems, methods, and apparatus are provided for vulnerability signature based Network Intrusion Detection and/or Prevention which achieves high throughput comparable to that of the state-of-the-art regex-based systems while offering improved accuracy. A candidate selection algorithm efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory. A parsing transition state machine achieves fast protocol parsing. Certain examples provide a computer-implemented method for network intrusion detection. The method includes capturing a data message and invoking a protocol parser to parse the data message. The method also includes matching the parsed data message against a plurality of vulnerability signatures in parallel using a candidate selection algorithm and detecting an unwanted network intrusion based on an outcome of the matching. | 02-03-2011 |
20110035802 | REPRESENTING VIRTUAL OBJECT PRIORITY BASED ON RELATIONSHIPS - Methods, systems, and computer-readable media are disclosed for representing virtual object priority based on relationships. A particular method determines relationships between a plurality of virtual objects. An abnormal condition is detected at a first virtual object. A second virtual object and a third virtual object are identified based on respective relationships with the first virtual object. The method includes generating an output that identifies the first, second, and third virtual object. The output indicates a priority level for each of the virtual objects, and the priority level for the second virtual object is greater than the priority level for the third virtual object. | 02-10-2011 |
20110041179 | Malware detection - According to a first aspect of the present invention there is provided a method of detecting potential malware. The method comprises, at a server, receiving a plurality of code samples, the code samples including at least one code sample known to be malware and at least one code sample known to be legitimate, executing each of the code samples in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of each sample, using the extracted bytestrings to determine one or more rules for differentiating between malware and legitimate code, and sending the rule(s) to one or more client computers. At the or each client computer, for a given target code, executing the target code in an emulated computer system, extracting bytestrings from any changes in the memory of the emulated computer system that result from the execution of the target code, and applying the rule(s) received from the server to the extracted bytestrings to determine if the target code is potential malware. | 02-17-2011 |
20110041180 | AUDITING A DEVICE - Auditing a device is disclosed. One or more hardware parameters that correspond to a hardware configuration are received. A sequence of modifications to the physical memory is performed. Results are provided to a verifier. Optionally, once it is determined that no evasive software is active in the physical memory, a scan is performed. | 02-17-2011 |
20110041181 | METHOD FOR DETECTING ATTACKS TO MULTIMEDIA SYSTEMS AND MULTIMEDIA SYSTEM WITH ATTACK DETECTION FUNCTIONALITY - A method for detecting attacks to multimedia systems, wherein a communication path ( | 02-17-2011 |
20110041182 | INTRUSION DETECTION AND NOTIFICATION - A device for use in a cellular communications system, the device being provided with means for inspecting traffic packets to and from users in the system and for a first classification of said packets according to predetermined rules. The device also comprises means for initiating a process for a user who is the destination or source of a packet which is classified in said first classification as belonging to a specific kind of traffic which has as one of its characteristics that the device cannot redirect the packet from its intended destination to another destination. The process is such that at a later point in time, when the user attempts to access a webpage, the user is redirected to a predefined webpage. | 02-17-2011 |
20110047618 | Method, System, and Computer Program Product for Malware Detection, Analysis, and Response - A method, system, and computer program product for detecting malware from outside the host operating system using a disk, virtual machine, or combination of the two. The method, system, and computer program product detects malware at the disk level while computer files in the host operating system are in actual program execution by identifying characteristic malware properties and behaviors associated with the disk requests made. The malware properties and behaviors are identified by using rules that can reliably detect file-infecting viruses. The method, system, and computer program product also uses the disk processor to provide accelerated scanning of virus signatures, which substantially decreases overhead incurred on the host operating system by existing malware detection techniques. In the event that malware is detected, the method, system, and computer program product can respond by limiting the negative effects caused by the malware and help the system recover to its normal state. | 02-24-2011 |
20110047619 | NON-SENSITIVE-PASSAGE DATABASE FOR CUT-AND-PASTE ATTACK DETECTION SYSTEMS - One embodiment provides a system that detects sensitive passages. During operation, the system receives a document and disassembles the document into a plurality of passages. For a respective passage, the system performs a search through a non-sensitive-passage database to determine whether the passage is a known non-sensitive passage. If so, the system marks the passage as non-sensitive, and if not, the system determines whether the passage triggers a cut-and-paste attack detection. If so, the system forwards the passage to an administrator and allows the administrator to determine whether the passage is non-sensitive and, further, to add the passage to the non-sensitive-passage database responsive to the administrator determining the passage to be non-sensitive. | 02-24-2011 |
20110047620 | SYSTEM AND METHOD FOR SERVER-COUPLED MALWARE PREVENTION - This disclosure is directed to a system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices (e.g., smartphones, netbooks, and tablets). A mobile communication device uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces an assessment for the application, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The server transmits notifications to devices that have installed applications that are discovered to be undesirable. The server receives data about applications from many devices, using the combined data to minimize false positives and provide comprehensive protection against known and unknown threats. | 02-24-2011 |
20110055923 | HIERARCHICAL STATISTICAL MODEL OF INTERNET REPUTATION - In embodiments of the present invention improved capabilities are described for predicting the reputation of a communication identifier, such as a web address, a domain name, an IP address, host name, email address, IM address, telephone number, VoIP telephony address, and the like. In embodiments, the present invention may receive a communication from a first communication identifier, parse the first communication identifier into its components, and assign the components to a hierarchical tree structure, where the hierarchical tree structure maintains the hierarchical relationship between the components of the communication identifier. The present invention may monitor and keep count of a number of communications from the first communication identifier, wherein counts may be kept for both malicious and/or unwanted communications and non-malicious and/or wanted communications. Attributes may then be provided to the number of communications for each appropriate component of the hierarchical tree, and a statistical measure may be calculated as related to the number of communications for each component of the hierarchical tree. The present invention may then receive a communication from a second communication identifier, where the second communication identifier may be previously unknown and have a common component with the hierarchical tree. The statistical measure of the common component may then be assigned to the second communication identifier, and utilizing the statistical measure assigned to the second communication identifier, may provide a prediction of reputation of the second communication identifier. | 03-03-2011 |
20110055924 | GRAPH STRUCTURES FOR EVENT MATCHING - A system for matching a system event to a rule is disclosed. The system includes a computer-readable data structure comprising a plurality of system event rules organizable as a partially ordered set. The system also includes a processor configured to analyze the computer-readable data structure to determine whether an event matches a description set of at least one rule from the plurality of system event rules. Methods and machine-readable mediums are also disclosed. | 03-03-2011 |
20110061104 | SYSTEM AND METHOD FOR PROBABILISTIC ATTACK PLANNING - A system and method for automated probabilistic planning of network attacks against infrastructures of computer networks and applications is provided. The embodiments automate the analysis and probabilistic planning of multi-step attacks to computer and application networks (in particular in the context of automating penetration tests), optimizing with respect to one of the following metrics: the probability of success of the actions, a numerical parameter that must be minimized (e.g., running time), or the number of logs generated by the control devices in the target network. | 03-10-2011 |
20110067105 | Operating System Sandbox - An operating system sandbox may include an operating system isolation module configured to restrict an operating system from transmitting machine-readable data and/or machine-readable instructions to an application, based on at least one predefined rule corresponding to abnormal operating system behavior. | 03-17-2011 |
20110067106 | NETWORK INTRUSION DETECTION VISUALIZATION - A network activity visualization system can include a minimum description length (MDL) based network intrusion detection system having an MDL grammar database adapted to store a plurality of MDL grammars, and a pattern matching module adapted to match a received network activity data set against the MDL grammars by calculating a distance of the network activity data set from each MDL grammar. The system can also include an intelligent icon module coupled to the MDL-based intrusion detection system and adapted to receive the MDL grammars and distances of a network data set from each respective MDL grammar, and adapted to generate intelligent icons based on the MDL grammars and distances. The system can further include a display system adapted to display the intelligent icons so as to provide a visual indication of network security. | 03-17-2011 |
20110067107 | INTEGRATED INTRUSION DEFLECTION, DETECTION AND INTROSPECTION - Methods and apparatus are provided for integrated intrusion deflection, detection and introspection. Within a single computer system configured for operating system virtualization (e.g., Solaris, OpenSolaris), multiple security functions execute in logically independent zones or containers, under the control and administration of a global zone. Such functions may illustratively include a demilitarized zone (DMZ) and a honeypot. Management is facilitated because all functions work within a single operating system, which promotes the ability to configure, monitor and control each function. Any given zone can be configured with limited resources, a virtual network interface circuit and/or other features. | 03-17-2011 |
20110078793 | EXTENSIBLE AUTHENTICATION PROTOCOL ATTACK DETECTION SYSTEMS AND METHODS - The present disclosure provides systems and methods for detecting attacks against authentication mechanisms that generate Transport Layer Security (TLS) tunnels using a server public key. Such attacks can include misconfigured wireless local area network (WLAN) clients that fail to authenticate the server public key prior to creating the TLS tunnels and exchanging credentials. In an exemplary embodiment, an intrusion detection system (IDS) or intrusion prevention system (IPS) is aware of the server public key and monitors for authentication handshakes to detect invalid keys. | 03-31-2011 |
20110078794 | Network-Based Binary File Extraction and Analysis for Malware Detection - A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware. | 03-31-2011 |
20110078795 | THREAT PROTECTION NETWORK - Threat protection networks are described. Embodiments of a threat protection network in accordance with the invention use expert systems to determine the nature of potential threats to a remote computer. In several embodiments, a secure peer-to-peer network is used to rapidly distribute information concerning the nature of the potential threat through the threat protection network. One embodiment of the invention includes at least one client computer connected to a network, a server that stores threat definition data and is connected to the network, and an expert system in communication with the server. In addition, the client computer is configured to refer potential threats to the server, the server is configured to refer to the expert system any potential threat forwarded by a client computer that is not identified in the threat definition data, and the expert system is configured to determine whether the potential threat is an actual threat by exposing at least one test computer to the potential threat and observing the behavior of the test computer. | 03-31-2011 |
20110083180 | METHOD AND SYSTEM FOR DETECTION OF PREVIOUSLY UNKNOWN MALWARE - A system, method and computer program product for detection of the previously unknown malware, the method comprising: (a) receiving event information and file metadata from a remote computer; (b) identifying whether the event information or the file metadata are indicative of the already known malware presence, indicative of the unknown malware presence, or indicative of malware absence; (c) if the event information or the file metadata are indicative of the known malware or indicative of malware absence, filtering out the event information and the file metadata; (d) performing a risk analysis and risk assessment for the remaining event information and the remaining file metadata to determine if the event and the file metadata are indicative of the previously unknown malware presence; and (e) where performing a risk analysis and risk assessment includes a “parent-child” hierarchy of the files, and the risk assessed to the parent is based on the risk associated with the child. | 04-07-2011 |
20110083181 | COMPREHENSIVE PASSWORD MANAGEMENT ARRANGEMENT FACILITATING SECURITY - Computer-implemented process and apparatus for screening data for malware. Received data stored in at least one data store includes at least: (i) a first protected item of data containing contents that are generally inaccessible without specific access credential information, and (ii) specific access credential information corresponding to the first protected item of data. The received data is analyzed to detect any protected items of data therein based on predetermined protected data item identification criteria and to detect any access credential information contained therein based on predetermined access credential identification criteria. In response to a detection of the specific access credential information in the at least one data store, the specific access credential information is stored in the at least one data store in a grouping arrangement with other access credential information. In response to a detection of the first protected item of data, the specific access credential information stored in the grouping arrangement is used to facilitate access to the first protected item of data by a malware screening process to extract its content. The malware screening process is executed to scan the content extracted from the first protected data item to detect a presence of malware. | 04-07-2011 |
20110083182 | PHISHING SOLUTION METHOD - A method for preventing phishing attacks is provided. The method in one aspect includes identifying a source image file that was used fraudulently, replacing the content of the source image file with a warning, and allowing the source image file having the warning to be accessed. | 04-07-2011 |
20110099631 | Distributed Packet Flow Inspection and Processing - Distribution of network processing load among a set of packet processing devices is improved by employing means for eliminating, controlling, or otherwise affecting redundant packet processing operations. In one embodiment, at least two packet processing devices are present, both capable of processing data packets flowing therethrough, such as, inspecting, detecting, and filtering data packets pursuant to one or more filters from a filter set. Redundancy is controlled by providing or enabling either or both of the packet processing devices with capability for detecting during its said inspection of said data packets that, for example, one or more filters had been previously executed on said data packets by the other packet processing device, and then not executing the previously-executed filters on said data packets. | 04-28-2011 |
20110099632 | DETECTING USER-MODE ROOTKITS - A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden. | 04-28-2011 |
20110107422 | EMAIL WORM DETECTION METHODS AND DEVICES - Embodiments of the invention provide a network device for detecting email worms having a port for receiving packets and a processing engine configured to inspect packets received on the port, wherein if a predetermined number of packets sent from a client represent DNS queries, the client is identified as being infected. | 05-05-2011 |
20110119761 | Mitigating Low-Rate Denial-of-Service Attacks in Packet-Switched Networks - A method includes determining, at a network routing device, an average packet drop rate for a plurality of aggregations of packet flows. The method also determines a threshold packet drop rate based on the average packet drop rate, a current packet drop rate for a select aggregation of the plurality of aggregations, and whether at least one packet flow of the select aggregation is potentially subject to a denial-of-service attack based on a comparison of the current packet drop rate to the threshold packet drop rate. | 05-19-2011 |
20110119762 | METHOD AND APPARATUS FOR DETECTION OF A FAULT ATTACK - The invention concerns a method of detecting a fault attack including providing a plurality of blinding values; generating a first set of data elements including a first group of data elements and at least one additional data element generated by performing the exclusive OR between at least one data element in the first group and at least one of the blinding values; generating a second set of data elements corresponding to the exclusive OR between each data element of the first set and a selected one of the plurality of blinding values; generating a first signature by performing a commutative operation between each of the data elements of the first set; generating a second signature by performing the commutative operation between each of the data elements of the second set; and comparing the first and second signatures to detect a fault attack. | 05-19-2011 |
20110131654 | SYSTEMS AND METHODS FOR AGGRESSIVE WINDOW PROBING - The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attack via improper or unusual window size settings. Responsive to the detection, the solution described herein will set up probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender. | 06-02-2011 |
20110138465 | MITIGATING MALICIOUS FILE PROPAGATION WITH PROGRESSIVE IDENTIFIERS - A method and system for mitigating a propagation of a file that includes malicious code. Segments of the file are determined by a series of sizes determined by a function ƒ. Signatures identifying segments of the file are determined by applying a hash function to each segment. A complete match between the file and a malicious file is determined by determining a first match between signature(s) identifying a first set of segment(s) of the file and signature(s) identifying corresponding segment(s) of the malicious file and by determining a second match between a signature identifying a final segment of the file and a signature identifying a last segment of the malicious file. Responsive to determining the complete match, the file is identified as the malicious file and a transfer of the final segment of the file is interdicted. | 06-09-2011 |
20110138466 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR PROTECTING AGAINST IP PREFIX HIJACKING - A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each of the at least one potential hijack AS. | 06-09-2011 |
20110145921 | OBFUSCATED MALWARE DETECTION - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes executing from a binary executable a call instruction and a plurality of instructions subsequent to a target of the call instruction, determining if the value identified by the stack pointer of the call stack is equal to a default value stored in the call stack prior to emulation, determining if there is a non-obfuscation signal resulting from the execution of the call instruction and the plurality of instructions, and if the value identified by the stack pointer is the default value and there is no non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction. Additionally, the method includes determining that if the number of call instructions identified as possibly obfuscated call instructions exceeds a threshold number, identifying the binary executable as an obfuscated executable. | 06-16-2011 |
20110154490 | Malicious Software Prevention Using Shared Information - A method and apparatus for managing executable files. Responsive to detecting a request to run an executable file on a computer, a processor unit determines whether the executable file was downloaded to the computer within a period of time associated with a recent download. Responsive to a determination that the executable file was downloaded to the computer within the period of time, the processor unit determines whether feedback for the executable file from a number of users of the executable file is present in a repository. The feedback identified for the executable file in the repository is presented using a presentation system. User input as to whether the executable file should be run is prompted for by the processor unit after presenting the feedback. | 06-23-2011 |
20110154491 | REMOVING AN ACTIVE APPLICATION FROM A REMOTE DEVICE - A system and a method are disclosed for managing applications on a mobile computing device. A command message is received at the mobile computing device specifying a command and a target application. The command message may have been sent by an application provider server. The command may be a removal command, an enable command, or a disable command. A removal or disable command may be used to remove or disable a problematic target application. The specified command is performed on the target application. | 06-23-2011 |
20110154492 | MALICIOUS TRAFFIC ISOLATION SYSTEM AND METHOD USING BOTNET INFORMATION - The present invention relates to a malicious traffic isolation system and method using botnet information, and more particularly, to a malicious traffic isolation system and method using botnet information, in which traffic for a set of clients having the same destination is routed to the isolation system based on a destination IP/Port, and botnet traffic is isolated using botnet information based on similarity among groups of the routed, inbound traffic. The present invention may provide a malicious traffic isolation method using botnet information, which can accommodate traffic received from a PC or a C&C server infected with a bot into a quarantine area, isolate traffic generated by normal users from traffic transmitted from malicious bots, and block the malicious traffic. In addition, the present invention may provide a malicious traffic isolation method using botnet information, which can provide a function of mitigating DDoS attacks of a botnet. | 06-23-2011 |
20110154493 | METHODS FOR INSPECTING DATA AND DEVICES THEREOF - A method, computer readable medium, and apparatus that inspects data includes isolating retrieved target data within a protected construct with the data inspection processing apparatus. The security software is isolated such that the security software is able to access the target data within the protected construct with the data inspection processing apparatus. The data inspection processing apparatus scans the isolated target data with the isolated security software. The data inspection processing apparatus reports whether one or more security threats have been identified from the scan of the isolated retrieved target data. | 06-23-2011 |
20110154494 | Methods and Systems for Network Attack Detection and Prevention Through Redirection - Methods and systems for detection and/or prevention of network attacks can include the use of multiple and/or time-dependent addresses coupled with filtering by the directory or naming service. The directory service can respond to requests for the address of a resource by returning an address that can be relocated over time by coordinating the directory service entry with the host and network address configuration data and/or by returning an address specific to the requestor. Thus, the directory service can track and build profiles of matches between requestors and accesses. The methods and systems can use the time dependent addresses and profiles to distinguish legitimate accesses from unauthorized or malicious ones. Requests for non-valid addresses can be misdirected to “empty” addresses or to detection devices. | 06-23-2011 |
20110162070 | MALWARE DETECTION VIA REPUTATION SYSTEM - A computer network device receives a digital file and extracts a plurality of high level features from the file. The plurality of high level features are evaluated using a classifier to determine whether the file is benign or malicious. The file is forwarded to a requesting computer if the file is determined to be benign, and blocked if the file is determined to be malicious. | 06-30-2011 |
20110162071 | ANTI-WORM-MEASURE PARAMETER DETERMINING APPARATUS, NUMBER-OF-NODES DETERMINING APPARATUS, NUMBER-OF-NODES LIMITING SYSTEM, AND COMPUTER PRODUCT - An anti-worm-measure parameter determining apparatus determines parameters for controlling the timing at which an anti-worm-measure means starts blocking communication by a worm in a network, in order to prevent the spread of the worm. An infectivity calculating unit calculates the infectivity of the worm based on the number of nodes connected to the network. A number-of-infected-nodes estimating unit calculates an expected value of the number of infected nodes at the time when the worm transmits a predetermined number of packets, based on the infectivity calculated by the infectivity calculating unit. | 06-30-2011 |
20110167491 | Computer Security Process Monitor - A computer security process monitor detects security intrusions of a networked computing platform by monitoring execution statistics associated with one or more computer processes executed by the platform in relation to expected (or “valid”) execution parameters. The execution statistics in one example include system process statistics (e.g., process name, peak memory usage, maximum number of threads, peak CPU utilization) and network interface statistics (e.g., IP ports, protocols) associated with the one or more computer processes; and the valid execution parameters define acceptable values or states corresponding to the execution statistics. | 07-07-2011 |
20110167492 | Virtual Browsing Environment - An embodiment for providing a secure virtual browsing environment includes creating a virtual browsing environment with a virtualized operating system sharing an operating system kernel of a supporting operating system and executing the browser application within the virtual browsing environment. Another embodiment includes receiving a website selection within a browser application, determining if the website selection corresponds to a secure bookmark, and creating a second virtual browsing environment and executing the browser application within the second virtual browsing environment to access the website selection when the website selection corresponds to a website specified as a secure bookmark. Yet another embodiment includes monitoring operation of the operating system within the at least one virtual browsing environment, determining when the operation of the operating system includes potential malicious activity, and terminating the virtual browsing environment when the operation includes potential malicious activity. | 07-07-2011 |
20110167493 | SYSTEMS, METHODS, AND MEDIA FOR DETECTING NETWORK ANOMALIES - Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and it is then determined whether the communication protocol message is anomalous. | 07-07-2011 |
20110173698 | MITIGATING FALSE POSITIVES IN MALWARE DETECTION - An anti-malware system that reduces the likelihood of detecting a false positive. The system is applied in an enterprise network in which a server receives reports of suspected malware from multiple hosts. Files on hosts suspected of containing malware are compared to control versions of those files. A match between a suspected file and a control version is used as an indication that the malware report is a false positive. Such an indication may be used in conjunction with other information, such as whether other hosts similarly report suspect files that match control versions or whether the malware report is generated by a recently changed component of the anti-malware system. | 07-14-2011 |
20110173699 | NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION - A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken. | 07-14-2011 |
20110179487 | METHOD AND SYSTEM FOR USING SPAM E-MAIL HONEYPOTS TO IDENTIFY POTENTIAL MALWARE CONTAINING E-MAILS - A method and apparatus for employing honeypot systems to identify potential malware containing messages whereby a decoy system to receive illegitimate e-mails is established. E-mails sent to the spam e-mail honeypot decoy are initially scanned/filtered and e-mails that are not considered possible malware containing e-mails are filtered out while the remaining e-mails sent to the spam e-mail honeypot decoy are identified as potential malware containing e-mails. One or more features, and/or feature values, of the identified e-mails are then identified, extracted and ranked. Once a given feature, and/or feature value, occurs more than a burst threshold number of times, the status of the given feature, and/or feature value, is transformed to that of suspicious e-mail parameter. | 07-21-2011 |
20110179488 | KERNEL-BASED INTRUSION DETECTION USING BLOOM FILTERS - Kernel-based intrusion detection using Bloom filters is disclosed. In one of many possible embodiments for detecting an intrusion attack, a Bloom filter is provided and used to generate a Bloom filter data object. The Bloom filter data object contains data representative of expected system-call behavior associated with a computer program. The Bloom filter data object is embedded in an operating system (“OS”) kernel upon an invocation of the computer program. Actual system-call behavior is compared with the data in the Bloom filter data object. | 07-21-2011 |
20110179489 | HOST INTRUSION PREVENTION SERVER - An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts. | 07-21-2011 |
20110185422 | Method and system for adaptive anomaly-based intrusion detection - The input characteristics of a real-time IDS change continuously with time therefore setting a rigid (time and behavior invariant) classification threshold limits the accuracy that the IDS can potentially achieve. A generic threshold tuning method and system is proposed which can adaptively tune the detection threshold of a real-time IDS in accordance with varying host and network behavior. The method and system perform statistical and information-theoretic analyses of network and host-based IDSs' anomaly based intrusions to reveal a consistent time correlation structure between benign activity periods which is used to predict future anomaly scores and to adapt an IDS' detection threshold accordingly. | 07-28-2011 |
20110185423 | METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECTS TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION - A method for detecting malware includes the steps of identifying one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects include the executable objects that are associated with the open network connections that are connected to the first network destination. | 07-28-2011 |
20110185424 | SYSTEM AND METHOD FOR PROACTIVE DETECTION AND REPAIR OF MALWARE MEMORY INFECTION VIA A REMOTE MEMORY REPUTATION SYSTEM - A method for detecting malware memory infections includes the steps of scanning a memory on an electronic device, determining a suspicious entry present in the memory, accessing information about the suspicious entry in a reputation system, and evaluating whether the suspicious entry indicates a malware memory infection. The memory includes memory known to be modified by malware. The suspicious entry is not recognized as a safe entry. The reputation system is configured to store information on suspicious entries. The evaluation is based upon historical data regarding the suspicious entry. | 07-28-2011 |
20110185425 | NETWORK ATTACK DETECTION DEVICES AND METHODS - A network attack detection device is provided, including a spatial coordinate database for storing spatial coordinate data; a standard time zone database for storing standard time zone data; a domain name system packet collector for collecting a domain name system packet; a spatial snapshot feature extractor for extracting an internet protocol address corresponding to the domain name system packet, and generating spatial feature data corresponding to the internet protocol address according to the internet protocol address, the spatial coordinate data and the standard time zone data; and an attack detector for determining whether the domain name system packet is an attack according to the spatial feature data and a spatial snapshot detection model, and, when determining that the domain name system packet is an attack, sending a warning to indicate the attack. | 07-28-2011 |
20110185426 | DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS - Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches. | 07-28-2011 |
20110191849 | SYSTEM AND METHOD FOR RISK RATING AND DETECTING REDIRECTION ACTIVITIES - A method in one example implementation includes sending a first request to a first network address on a first server and determining whether the first network address has been redirected on the server to a second network address. The method further includes searching a memory element for a predetermined risk rating associated with the second network address if the first network address has been redirected to the second network address. The method also includes providing a risk response to a client if a predetermined risk rating is found. In more specific embodiments, the risk response includes sending an alert to the client or blocking the client from accessing the second network address if the predetermined risk rating indicates the second network address is malicious. In other more specific embodiments, the first network address is redirected to one or more other network addresses before being redirected to the second network address. | 08-04-2011 |
20110197277 | SYSTEM AND METHOD FOR PRIORITIZING COMPUTERS BASED ON ANTI-MALWARE EVENTS - Tracking malware state information assigned to computers in an enterprise network is described. A computer may transition from a current malware state to a new malware state in accordance with a plurality of stored rules and detection of an anti-malware event on the computer. Examples of anti-malware events include, but are not limited to, detection of new malware on the computer or cleaning of the computer. The malware state information for computers on the network may be mapped to a risk level representing an amount of risk that infected computers present to other computers on the network. The results of a risk level assessment for the computers on the network may be output via a user interface to enable an administrator of the network to prioritize servicing of computers with detected malware. | 08-11-2011 |
20110209218 | ENVIRONMENTAL IMAGING - A method and system for detecting whether a computer program, sent to a first computer having an operating environment including a plurality of files, includes malware is provided. A second computer obtains a plurality of environment details of the operating environment of the first computer. The second computer simulates in the second computer the presence of the plurality of files in the operating environment by exhibiting the plurality of environment details without installing the plurality of files in the second computer. The second computer executes the computer program in the second computer with the simulation and determines whether the computer program attempts to access or utilize the plurality of files in a manner indicative of malware. If not, the second computer records and generates a notification that the computer program is not malware. | 08-25-2011 |
20110209219 | Protecting User Mode Processes From Improper Tampering or Termination - In one embodiment, a malware protection system may protect a computing system from a malware event. A data storage device | 08-25-2011 |
20110214181 | DUAL BYPASS MODULE AND METHODS THEREOF - A dual bypass module for managing an integrated secured network environment is provided. The module includes network ports that receive and transmit data traffic flowing through the network. The module also includes a set of monitoring ports that is configured for transmitting the data traffic between the dual bypass module and a set of monitoring systems. The module further includes a set of relays configured for controlling the flow of data through the dual bypass module. The module yet also includes a configurable integrated circuit. The configurable integrated circuit includes at least one of a first logic arrangement for determining conditions of the set of monitoring systems, a second logic arrangement for redirecting the data traffic through a secured alternate path when a monitoring system is unavailable, and a third logic arrangement for redirecting the data traffic through a secured alternate path when a communication path becomes unavailable. | 09-01-2011 |
20110214182 | METHODS FOR PROACTIVELY SECURING A WEB APPLICATION AND APPARATUSES THEREOF - A method, non-transitory computer readable medium, and apparatus that proactively secures a web application includes injecting one or more decoys into an executing web application. An attempt to exploit one of the one or more injected decoys in the executing application is identified. At least one action to secure the executing application from the attempted exploitation is performed. | 09-01-2011 |
20110214183 | SYSTEMS AND METHODS FOR PERFORMING RISK ANALYSIS - A method for analyzing a network element may include assigning values to each of a plurality of vulnerabilities. The method may also include identifying a vulnerability associated with the network element and generating a risk indicator for the network element based on the assigned value associated with the identified vulnerability. | 09-01-2011 |
20110219448 | SYSTEMS AND METHODS FOR RISK RATING AND PRO-ACTIVELY DETECTING MALICIOUS ONLINE ADS - Methods and systems for risk rating and pro-actively detecting malicious online ads are described. In one example embodiment, a system for risk rating and pro-actively detecting malicious online ads includes an extraction module, an analysis engine, and a filter module. The extraction module is configured to extract a SWF file from a web page downloaded by the system. The analysis engine is communicatively coupled to the extraction module. The analysis engine is configured to determine a risk rating for the SWF file and send the risk rating to a web application for display. In an example, determining the risk rating includes locating an embedded redirection URL and determining a risk rating for the embedded redirection URL. The filter module is configured to determine, based on the risk rating, whether to block the SWF file and send a warning to the web application for display. | 09-08-2011 |
20110219449 | MALWARE DETECTION METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT - A method, electronic device and computer program product for real-time detection of malicious software (“malware”) are provided. In particular, execution of a suspicious software application attempting to execute on a user's device may be emulated in a virtual operating system environment in order to observe the behavior characteristics of the suspicious application. If after observing the behavior of the suspicious application in the virtual environment, it is determined that the application is malicious, the application may not be permitted to execute on the user's actual device. The suspicious application may be identified as malicious if an isolated data string of the application matches a “blacklisted” data string, a certain behavior of the application matches a behavior that is known to be malicious, and/or the overall behavior of the application is substantially the same or similar to a known family of malware. | 09-08-2011 |
20110219450 | System And Method For Malware Detection - According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy. | 09-08-2011 |
20110219451 | System And Method For Host-Level Malware Detection - According to one embodiment, a computer-implemented method includes: accessing a set of configuration parameters, accessing a set of identifiers of files known not to be malware, and accessing a set of identifiers of files known to be malware. Further, the method includes: comparing a first file to the set of configuration parameters, determining that a first hash of the first file is not in the set of identifiers of files known not to be malware and that the first hash is not in the set of identifiers of files known to be malware, and sending the at least one file and information related to the at least one file to be analyzed for malware. The method includes deleting the set of configuration parameters, the set of identifiers of files known not to be malware, and the set of identifiers of files known to be malware after sending the first file. | 09-08-2011 |
20110219452 | Method and Apparatus for Network Intrusion Detection - The current invention discloses a method and apparatus to detect and mitigate network intrusion by collecting a first log of wireless network traffic in the vicinity of an area and a second log of network traffic from a switch port connected to the area; pre-processing the logs; and then detecting the presence of unauthorized access points (APs) by attempting to identify matching patterns in the pre-processed first and second logs. | 09-08-2011 |
20110231932 | SECURITY INTRUSION DETECTION AND RESPONSE - A system comprises an enclosure, host logic contained in the enclosure, and intrusion security logic also contained in the enclosure. The intrusion security logic is coupled to the host logic and configured to detect a security intrusion to the system and to respond to a security intrusion with a user-configurable trigger event. The intrusion security logic implements at least two tamper blocks, each tamper block configured to monitor one or more input signals and initiate a trigger event when a security breach of the enclosure is detected. At least one of the tamper blocks comprises a state machine whose operation is controlled by way of user-programmable registers. | 09-22-2011 |
20110231933 | LOADBALANCING NETWORK TRAFFIC ACROSS MULTIPLE REMOTE INSPECTION DEVICES - An apparatus includes a checking functionality (CF) for processing data packets in a computer network that comprises a plurality of CFs. The CF includes an interface for communication with one or more source switches that route data packets to the CF for processing, a packet processing capability for processing the data packets, and logic for communicating data regarding the packet processing capability to the source switch through the interface. | 09-22-2011 |
20110239298 | CONCURRENT AND DELAYED PROCESSING OF MALWARE WITH REDUCED I/O INTERFERENCE - Systems, methods and non-transitory, tangible computer readable storage mediums encoded with processor readable instructions to scan files for malware are disclosed. An exemplary method includes writing, via a communication pathway, a first file to a storage medium that is utilized by the computer, requesting access to the first file so as to enable the first file to be scanned for malware, and delaying, when the first file resides on the storage medium, access to the first file while there is at least one I/O operation relative to the storage medium that has a higher priority level than a priority level of the request to access the first file. In addition, except to enable the first file to be scanned for malware, access to the first file is prevented until the first file has been scanned for malware. | 09-29-2011 |
20110239299 | ADAPTIVE DISTINCT COUNTING FOR NETWORK-TRAFFIC MONITORING AND OTHER APPLICATIONS - In one embodiment, a counting method of the invention uses an adaptive sketching-update process to compress an unknown cardinality into a counter value that counts the number of binary ones in a hashed bitmap vector. The sketching-update process is probabilistic in nature and uses bit-flip probabilities that are adaptively decreased as the counter value increases. Parameters of the sketching-update process are selected so that the relative error of cardinality estimates obtained based on the counter values is relatively small and substantially constant over a relatively wide range of cardinalities, e.g., from one to about one million. Due to the latter property, the counting method can advantageously be implemented in the form of embedded software that relies on a relatively small, fixed amount of memory. | 09-29-2011 |
20110239300 | WEB BASED REMOTE MALWARE DETECTION - A method for detecting HTML-modifying malware present in a computer includes providing a server which serves a web page (HTML) to a browser. A determination is made whether a modified string exists in the page received by said browser and if a modifying element is found, determining the malware is present in the computer. | 09-29-2011 |
20110239301 | TECHNIQUE OF DETECTING DENIAL OF SERVICE ATTACKS - The invention detects a denial of service attack at a node by monitoring the number of discarded packets in relationship to the number of inbound packets. When an attack is detected, relevant inbound packet information is collected during the attack to help characterize the attack and at least to pinpoint the source of the last hop to the attacked node. | 09-29-2011 |
20110252474 | SYSTEM AND METHOD FOR ENSURING SCANNING OF FILES WITHOUT CACHING THE FILES TO NETWORK DEVICE - A method and system for ensuring scanning of suspicious computer files without unnecessary caching of the files on a network device is provided. A network device receives a suspicious computer file and determines whether a target computer is protected by a malware protection program. If the network device determines that the target computer is protected by the malware protection program, the network device modifies the suspicious computer file to make the suspicious computer file unusable by the target computer and sends the modified suspicious computer file to the target computer. | 10-13-2011 |
20110252475 | Complementary Character Encoding for Preventing Input Injection in Web Applications - Method to prevent the effect of web application injection attacks, such as SQL injection and cross-site scripting (XSS), which are major threats to the security of the Internet. Method using complementary character coding, a new approach to character level dynamic tainting, which allows efficient and precise taint propagation across the boundaries of server components, and also between servers and clients over HTTP. In this approach, each character has two encodings, which can be used to distinguish trusted and untrusted data. Small modifications to the lexical analyzers in components such as the application code interpreter, the database management system, and (optionally) the web browser allow them to become complement aware components, capable of using this alternative character coding scheme to enforce security policies aimed at preventing injection attacks, while continuing to function normally in other respects. This approach overcomes some weaknesses of previous dynamic tainting approaches by offering a precise protection against persistent cross-site scripting attacks, as taint information is maintained when data is passed to a database and later retrieved by the application program. The technique is effective on a group of vulnerable benchmarks and has low overhead. | 10-13-2011 |
20110258701 | Protecting A Virtualization System Against Computer Attacks - In certain embodiments, protecting a virtualization system against computer attacks comprises facilitating operation of hypervisors comprising operation zone hypervisors and one or more forensic hypervisors. Each hypervisor operates on a corresponding physical machine, and each operation zone hypervisor manages one or more virtual machines. An assurance procedure is initiated for the hypervisors. At least one virtual machine of a first operation zone hypervisor is moved to a forensic hypervisor to analyze the potential attack. The first operation zone hypervisor is cleaned. | 10-20-2011 |
20110271341 | BEHAVIORAL SIGNATURE GENERATION USING CLUSTERING - A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster. | 11-03-2011 |
20110271342 | DEFENSE METHOD AND DEVICE AGAINST INTELLIGENT BOTS USING MASQUERADED VIRTUAL MACHINE INFORMATION - A defense method and device against intelligent bots using masqueraded virtual machine information are provided. The method includes performing global hooking on a virtual machine detection request transmitted by a process; determining, on the basis of pre-stored malicious process information, whether or not the process transmitting the virtual machine detection request corresponds to a malicious process; and, when the process is found to correspond to the malicious process as a result of the determination, determining that the process was generated by the intelligent bot and returning the masqueraded virtual machine information to the process. | 11-03-2011 |
20110271343 | APPARATUS, SYSTEM AND METHOD FOR DETECTING MALICIOUS CODE - Provided are an apparatus, system and method for detecting malicious code inserted into a normal process in disguise. The apparatus includes a malicious code detection module for extracting information on a thread generated by a process running on a computer system to identify code related to the thread, preliminarily determining whether or not the identified code is malicious and extracting the code preliminarily determined to be malicious; and a forcible malicious code termination module for finally determining the code as malicious code based on an analysis result of behavior of the extracted code executed in a virtual environment and forcibly terminating execution of the code. | 11-03-2011 |
20110271344 | ILLEGAL MODULE IDENTIFYING DEVICE, INFORMATION PROCESSING DEVICE, ILLEGAL MODULE IDENTIFYING METHOD, ILLEGAL MODULE IDENTIFYING PROGRAM, INTEGRATED CIRCUIT, ILLEGAL MODULE DISABLING SYSTEM, AND ILLEGAL MODULE DISABLING METHOD - A malicious-module identification device ( | 11-03-2011 |
20110271345 | DETECTION OF ROGUE WIRELESS DEVICES FROM DYNAMIC HOST CONTROL PROTOCOL REQUESTS - A method to determine if a rogue device is connected to a specific wired network from dynamic host control protocol (DHCP) requests on the wired network. These DHCP requests are analyzed to determine the type of device issuing the request. Once the type of device has been determined, it can be checked against a list of authorized device types. If the device issuing the DHCP request is not an authorized device type, then it can be determined that the suspect device is a rogue that is connected to the specific wired network. Additionally, even if the system of the present invention determines that it is an authorized device type, if the device is not one of the few authorized devices of this type, e.g. because its MAC address is not recognized as that of one of the authorized devices, the system can flag the suspect as a rogue. | 11-03-2011 |
20110277031 | Token Processing - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for mapping security processing rules into a data structure that facilitates a more efficient processing of the security processing rules. In one aspect, a method includes receiving security processing rules, each of the security processing rules defining one or more security checks and security operations corresponding to the security checks and that are to be performed when the security checks occur; and generating from the security processing rules a mapping of security checks to security operations, the mapping including a security check entry for each security check that is defined in one or more of the security processing rules, and each security check entry being mapped to one or more security operations that the security processing rules define as corresponding to the security check. | 11-10-2011 |
20110277032 | Time-Key Hopping - In certain embodiments, a first network device stores a security key associated with a second network device. The first network device computes access information according to the security key and a time value. The access information may be a network address or a port/socket. The first network device sends a packet to the second network device using the access information. The first network device then computes next access information according to the security key and a next time value and sends a packet to the second network device using the next access information. | 11-10-2011 |
20110283358 | METHOD AND SYSTEM TO DETECT MALWARE THAT REMOVES ANTI-VIRUS FILE SYSTEM FILTER DRIVER FROM A DEVICE STACK - A method for detecting removal of a filter driver includes performing an operation on an element of a kernel mode of an operating system, the operation initiated by a user mode entity, obtaining the result of performing the operation, and comparing the result of performing the operation against an expected result of the operation. If the result of performing the operation matches the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system is working correctly. If the result of performing the operation does not match the expected result of the operation, it is determined that a file system filter driver in the kernel mode of the operating system has been compromised by malware. | 11-17-2011 |
20110283359 | Validating Visitor Internet-Based Security Threats - A validating server receives from a client device a first request that does not include a cookie for a validating domain that resolves to the validating server. The first request is received at the validating server as a result of a proxy server redirecting the client device to the validating domain upon a determination that a visitor belonging to the client device is a potential threat based on an IP (Internet Protocol) address assigned to the client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain. The validating server sets a cookie for the client device, determines a set of characteristics associated with the client device, and transmits the cookie and a block page to the client device that has been customized based on the set of characteristics, the block page indicating that the second request has been blocked. | 11-17-2011 |
20110296525 | Malware scanning - According to a first aspect of the present invention there is provided a method of scanning a computer system for malware. The method includes determining when an application being executed on the computer system is attempting to open a file, adding data written to the open file by the application into a malware scanner queue, and ensuring that the application has been notified that the file has been closed before scanning the queued file data to determine if it relates to potential malware. | 12-01-2011 |
20110302654 | METHOD AND APPARATUS FOR ANALYZING AND DETECTING MALICIOUS SOFTWARE - A method for providing analysis and detection of malicious software may include directing a comparison of patterns within sample code to a predetermined set of malicious software patterns, determining whether the sample code is likely to be malicious software based on the comparison, and, in response to a determination that the sample code is likely to be malicious software, determining a malicious software cluster with which the sample code is associated based on the patterns within the sample code. A corresponding computer program product and apparatus are also provided. | 12-08-2011 |
20110307955 | SYSTEM AND METHOD FOR DETECTING MALICIOUS CONTENT - A system and method for detecting malicious code in web content is described. A controller receives information, routes the information to the appropriate module and determines whether a user receives the web content or a report of a detection of malicious code. A vulnerability definition generator generates vulnerability definitions. A parser parses web content into static language constructions. A translation engine translates the static language constructions into trap rules, translates the web content into application programming interface (API) calls and determines whether the API calls trigger any of the trap rules. A sandbox engine generates an environment that mimics a browser and executes dynamic parts of the web content and determines whether a dynamic part triggers a trap rule. | 12-15-2011 |
20110314542 | TREATMENT OF MALICIOUS DEVICES IN A MOBILE-COMMUNICATIONS NETWORK - A method of remotely treating malicious mobile terminals connected to a mobile communications network. In one embodiment, when a malicious mobile terminal is detected by the intrusion-detection services of the network, the network changes the subscriber profile associated with the mobile terminal to operate the latter in a quarantine mode. The packet-switched subsystem of the network then links the quarantined mobile terminal to a remediation manager. The remediation manager remotely treats the mobile terminal, e.g., to repair or reinstall any corrupted software, terminate any active malicious processes, delete or quarantine any malware, and restore the operating system, configuration, and/or memory of the mobile terminal to a clean operational state. After the treatment, the network reverts the subscriber profile back to the initial state and removes the mobile terminal from the quarantine. | 12-22-2011 |
20110314543 | SYSTEM STATE BASED DIAGNOSTIC SCAN - In some embodiments, a local agent on a target system may evaluate current and/or historical system state information from a store (either local or remote) and dynamically adjust the level of diagnosis performed during the scan based on the evaluated state information. Individual diagnostic scans may, for example, be enabled and disabled based on the context in the store, and each scan may update the context for further evaluation. By employing such an approach, systems with a low risk profile and lacking symptoms of a problem may be scanned quickly while systems that show signs of a problem or have a high risk profile may receive a more thorough evaluation. | 12-22-2011 |
20110314544 | EVALUATING SHELL CODE FINDINGS - Concepts and technologies are described herein for evaluating shellcode findings. In accordance with the concepts and technologies disclosed herein, shellcode findings can be evaluated to determine if the shellcode findings are legitimate, or if the shellcode findings are false positive shellcode findings. Legitimate shellcode findings can be determined based not simply upon patterns associated with the suspected shellcode itself, but also based upon a pattern of bit-level entropy in the memory around the suspected shellcode. Mathematical models of the memory can be generated and analyzed to determine if the shellcode finding is legitimate. | 12-22-2011 |
20110314545 | METHOD AND SYSTEM FOR AUTOMATIC INVARIANT BYTE SEQUENCE DISCOVERY FOR GENERIC DETECTION - A method for creating a set of genericized signatures for detection of byte sequences in computer code includes accessing a first set of sample signatures, determining a maximum number of wildcards that a wildcarded signature may comprise, determining a first wildcarded signature corresponding to the first set of sample signatures, evaluating the first wildcarded signature, and repeating the steps of evaluating for any second wildcarded signatures. Each of the signatures corresponds to an instance of malware. The evaluation further includes if the number of wildcards in the first wildcarded signature exceeds the maximum number of wildcards, determining a plurality of second wildcarded signatures corresponding to a plurality of subsets of the set of sample signatures. The evaluation further includes if the number of wildcards in the first wildcarded signature is less than or equal to the maximum number of wildcards, adding the first wildcarded signature to a set of genericized signatures. | 12-22-2011 |
20120005750 | Systems and Methods for Alternating Malware Classifiers in an Attempt to Frustrate Brute-Force Malware Testing - A computer-implemented method for alternating malware classifiers in an attempt to frustrate brute-force malware testing may include (1) providing a group of heuristic-based classifiers for detecting malware, wherein each classifier within the group differs from all other classifiers within the group but has an accuracy rate that is substantially similar to all other classifiers within the group, (2) including the group of classifiers within a security-software product, and (3) alternating the security-software product's use of the classifiers within the group in an attempt to frustrate brute-force malware testing by (a) randomly selecting and activating an initial classifier from within the group and then, upon completion of a select interval, (b) replacing the initial classifier with an additional classifier randomly selected from within the group. Various other methods, systems, and computer-readable media are also disclosed. | 01-05-2012 |
20120005751 | Systems and Methods for Creating Customized Confidence Bands for Use in Malware Detection - A computer-implemented method for creating customized confidence bands for use in malware detection may include 1) identifying a portal for receiving executable content, 2) identifying metadata relating to the portal, 3) analyzing the metadata to determine what risk executable content received via the portal poses, and then 4) creating, based on the analysis, a confidence band to apply during at least one disposition of executable content received via the portal. Various other methods, systems, and computer-readable media are also disclosed. | 01-05-2012 |
20120005752 | Method and system for detecting and removing hidden pestware files - A method and system for detecting and removing a hidden pestware file is described. One illustrative embodiment detects, using direct drive access, a file on a computer storage device; determines whether the file is also detectable by the operating system by attempting to access the file using a standard file Application-Program-Interface (API) function call of the operating system; identifies the file as a potential hidden pestware file, when the file is undetectable by the operating system; confirms through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and removes automatically, using direct drive access, the hidden pestware file from the storage device. | 01-05-2012 |
20120005753 | INTRUSIVE SOFTWARE MANAGEMENT - Intrusion features of a landing page associated with sponsored content are identified. A feature score for the landing page based on the identified intrusion features is generated, and if the feature score for the landing page exceeds a feature threshold, the landing page is classified as a candidate landing page. A sponsor account associated with the candidate landing page can be suspended, or sponsored content associated with the candidate landing page can be suspended. | 01-05-2012 |
20120023579 | PROTECTION AGAINST MALWARE ON WEB RESOURCES - A method and system for identification of malware threats on web resources. The system employs scheduled antivirus (AV) scanning of web resources. The scheduled scanning of web resources allows malware check lists to be created and access to web resources to be configured. Frequency and depth of inspection (i.e., scan) are determined for each web resource. The user identifiers are used for scheduled AV scanning of web resources. The system allows for scanning a web resource based on selected configurations without using additional client applications. | 01-26-2012 |
20120023580 | METHOD FOR DETECTING AN ATTACK BY FAULT INJECTION INTO A MEMORY DEVICE, AND CORRESPONDING DETECTION SYSTEM - The method for detecting an attack by fault injection into memory positions includes a generation of an initial value of a reference indication including an application of a reversible mathematical operator to the values of the information stored in the memory positions. An updating of the value of this reference indication is performed on each write in at least one memory position by using the operator, the reverse operator and the values of the stored information before and after each write in the at least one memory position. And, in the presence of a request, a check is performed as to whether a criterion involving the values of the information stored in the memory positions at the time of the request and the operator or its reverse is or is not satisfied by the value of the reference indication at the time of the request. | 01-26-2012 |
20120023581 | SYSTEMS, METHODS, AND APPARATUS FOR OTOACOUSTIC PROTECTION OF AUTONOMIC SYSTEMS - Systems, methods and apparatus are provided through which in some embodiments an autonomic unit transmits an otoacoustic signal to counteract a potentially harmful incoming signal. | 01-26-2012 |
20120023582 | SYSTEMS, METHODS, AND APPARATUS FOR OTOACOUSTIC PROTECTION OF AUTONOMIC SYSTEMS - Systems, methods and apparatus are provided through which in some embodiments an autonomic unit transmits an otoacoustic signal to counteract a potentially harmful incoming signal. | 01-26-2012 |
20120030759 | SECURITY PROTOCOL FOR DETECTION OF FRAUDULENT ACTIVITY EXECUTED VIA MALWARE-INFECTED COMPUTER SYSTEM - A security protocol is disclosed for detecting occurrences of intruder activity, including hidden or concealed activity that may occur in a computer system including a host platform operably connected to an application platform. The protocol relies on parameters defining a tag sequence and syntax commonly known to the application platform and host platform (and hence the user) to detect occurrences of intruder activity during the session. | 02-02-2012 |
20120030760 | METHOD AND APPARATUS FOR COMBATING WEB-BASED SURREPTITIOUS BINARY INSTALLATIONS - The present invention relates to a method and apparatus for combating web-based surreptitious binary installations. One embodiment of a method combating web-based surreptitious binary installations on a computing device includes intercepting a download of a file to a local file system of the computing device, storing the file in the local file system when the file is correlated with a user consent, and storing the file in a secure zone of the computing device when the file is not correlated with a user consent, wherein files stored in the secure zone cannot be executed or propagated. | 02-02-2012 |
20120030761 | IMPROPER COMMUNICATION DETECTION SYSTEM - An improper communication detection system that acquires packets that are circulated through a plant network by mirroring and detects improper communication includes a storage unit configured to prestore a session whitelist, which is a list of sessions that can be generated in the plant network; a session determination/separation unit configured to make a determination as to a success or failure of session approval on the basis of the acquired packet and configured to generate session information indicating an approved session; and a first improper communication detection unit configured to compare the session information generated by the session determination/separation unit with the session whitelist, and configured to detect communication related to the relevant session as improper communication when the session information does not match any session in the session whitelist. | 02-02-2012 |
20120030762 | FUNCTIONAL PATCHING/HOOKING DETECTION AND PREVENTION - A method for preventing malicious attacks on software, using the patching method, includes providing a database of known malicious patches (malware). The database contains characteristic signatures of the malware. The method also includes detecting whether a patch is malicious by comparing it with a signature in the database and performing one or more activities needed to prevent the malicious patch from performing undesired activities. | 02-02-2012 |
20120030763 | COUNTER-INVASIVE SOFTWARE SYSTEM AND METHOD - A method and apparatus for detecting, curing and remedying invasive software installation inadvertently, negligently, or intentionally marketed by a vendor. A party may procure a product that sends back invasive data to a source. A testing regimen may identify and defeat sources of any invasive executables found. Accordingly, a party may identify those software packages deemed invasive, and may optionally provide a solution to either defeat or monitor them, where practicable. An independent developer may obtain intellectual property rights in the testing, solution or both of the counter-invasive software system or product. An independent developer may become a supplier of testing or solution systems, motivating a supplier by one of several mechanisms. The developer or damaged party may obtain a legal status with respect to the vendor or of a host of software as a customer, user, clients, shareholder, etc., in order to exercise rights and remedies or provide motivation to a vendor who does not take responsibility for its actions as executed by its marketed products. | 02-02-2012 |
20120030764 | SYSTEM FOR TRACKING MEDIA CONTENT TRANSACTIONS - A system that incorporates teachings of the present disclosure may include, for example, a web server having a controller adapted to manage an archive of media content for a subscriber, and record a transaction description and a corresponding tracking identifier for a transaction that manipulates the archive. Other embodiments are disclosed. | 02-02-2012 |
20120036576 | APPARATUS AND METHOD FOR DEFENDING AGAINST INTERNET-BASED ATTACKS - A system for defending against internet-based attacks is disclosed. The system may include an electronic data processor which may be configured to receive information associated with a device when a web request is transmitted by the device to access a web page monitored by the electronic data processor. The processor may also determine whether traffic associated with the web request from the device is suspected of being used for malicious activity and, if not, enable the device to access the web page. If the traffic is suspected of being used for malicious activity, then the processor may transmit a challenge to the device if the traffic is determined to be suspected. Furthermore, the processor may receive information associated with the web request, which may be provided by a uniform resource locator invoked in response to the traffic being determined to be suspected. The processor may also deny the device access to the web page based on a variety of factors. | 02-09-2012 |
20120036577 | METHOD AND SYSTEM FOR ALERT CLASSIFICATION IN A COMPUTER NETWORK - A method and a system for classification of intrusion alerts in a computer network is provided. The method comprises the steps of monitoring traffic data in a computer network, detecting an intrusion, providing an intrusion alert and data in relation to the intrusion alert, generating a statistical analysis of the data in relation to the intrusion alert and classifying the intrusion alert based on said statistical analysis. The intrusion alerts and the data in relation to an intrusion alert may be generated by an anomaly-based intrusion detection system. Generating a statistical analysis may comprise generating information about a statistical distribution of n-grams in the data. The classification may comprise comparing the statistical analysis with a model analysis of intrusion alerts with predefined alert classes. This model may be generated by providing a training set of data in relation to alerts, generating a model statistical analysis of said data, predefining at least two alert classes, and assigning predefined alert classes to the statistical analysis, based on information provided by a signature-based intrusion detection system, or by a human operator. | 02-09-2012 |
20120036578 | TRACING TRAITOR COALITIONS AND PREVENTING PIRACY OF DIGITAL CONTENT IN A BROADCAST ENCRYPTION SYSTEM - Embodiments of the invention relate to finding coalitions of receivers who collude to produce pirated protected content, and then evaluating the confidence that particular members of each identified coalition are traitors versus innocent receivers incriminated by chance. Typically, each file in a group of original files is modified to include variations of critical file segments. The group of files is then broadcast with individualized codes that enable particular authorized receivers to properly process the modified files. The modifications in a pirated version of a file can identify which traitorous receivers contributed to its piracy. Candidate coalitions of differing size are first evaluated to determine if they cover observed file variations with greater than a predetermined likelihood that an innocent coalition is falsely incriminated by chance. Individual members of satisfactory coalitions are then evaluated. Traitors may be cryptographically revoked. | 02-09-2012 |
20120047579 | INFORMATION DEVICE, PROGRAM, METHOD FOR PREVENTING EXECUTION OF UNAUTHORIZED PROGRAM CODE, AND COMPUTER READABLE RECORDING MEDIUM - An unauthorized access relating to buffer overflow is prevented reliably and easily, without dependence on the function that a CPU processes. An information device ( | 02-23-2012 |
20120060217 | ATOMIC DETECTION AND REPAIR OF KERNEL MEMORY - A method for detecting memory modifications includes allocating a contiguous block of a memory of an electronic device, and loading instructions for detecting memory modifications into the contiguous block of memory. The electronic device includes a plurality of processing entities. The method also includes disabling all but one of a plurality of processing entities of the electronic device, scanning the memory of the electronic device for modifications performed by malware, and, if a memory modification is detected, repairing the memory modification. The method also includes enabling the processing entities that were disabled. The remaining processing entity executes the instructions for detecting memory modifications. | 03-08-2012 |
20120060218 | SYSTEM AND METHOD FOR BLOCKING SIP-BASED ABNORMAL TRAFFIC - Provided is a system for blocking session initiation protocol (SIP)-based abnormal traffic. The system includes: a policy database (DB) in which allowed traffic is stored according to transmission priority; an abnormal traffic response module which receives traffic from a first network and transmits only portions of the received traffic, which match the allowed traffic stored in the policy DB, to a second network in order of transmission priority; and an abnormal traffic detection module which analyzes the traffic received from the first network and provides an activation signal to the abnormal traffic response module when detecting that the received traffic is abnormal traffic, wherein the abnormal traffic response module transmits the portions of the received traffic, which match the allowed traffic stored in the policy DB, to the second network such that the sum of the portions transmitted to the second network does not exceed a maximum allowed traffic limit. | 03-08-2012 |
20120060219 | Deviating Behaviour of a User Terminal - The invention relates to a method, device ( | 03-08-2012 |
20120066765 | System and method for improving security using intelligent base storage - The present invention presents a system and method for providing improved security within a computer system by using an intelligent-based storage system operating with the host unit, whereby the intelligent-based storage system independently provides monitoring of files that should not be accessed, monitoring of files that should be accessed with strict regularity, and analysis of access patterns. | 03-15-2012 |
20120066766 | SYSTEMS AND METHODS FOR DETECTING A SECURITY BREACH IN A COMPUTER SYSTEM - The present invention provides systems and methods for applying hard-real-time capabilities in software to software security. For example, the systems and methods of the present invention allow a programmer to attach a periodic integrity check to an application so that an attack on the application would need to succeed completely within a narrow and unpredictable time window in order to remain undetected. | 03-15-2012 |
20120072987 | METHOD FOR EVOLVING DETECTORS TO DETECT MALIGN BEHAVIOR IN AN ARTIFICIAL IMMUNE SYSTEM - A system, apparatus, and method are directed to evolving detectors in an Artificial Immune System for use in detecting unauthorized computing activities. In one embodiment, a population of detectors is generated with a matching value and expectation value of zero. The detectors are then compared to logged fragments of system calls within a computing device to modify the matching value. When the matching value for a given detector is equal to or greater than an expectation value, the detector's expectation value may be set to the matching value. The detectors may then evolve and/or generate other detectors using mutation, and/or recombination, or the like. Detectors continue to generate and/or to evolve until a detector's matching value reaches a determined value, in which case, the detector may be evaluated to determine if an unauthorized activity is detected. If an unauthorized activity is detected, a detection response may be performed. | 03-22-2012 |
20120079593 | System and Method For Hindering a Cold Boot Attack - A method for hindering a cold boot attack on a user equipment (UE) is provided. The method includes, in response to detection of the cold boot attack, executing prioritized security procedures. A user equipment (UE) is also provided that includes a processor configured to execute prioritized security procedures responsive to detection of a cold boot attack. | 03-29-2012 |
20120079594 | MALWARE AUTO-ANALYSIS SYSTEM AND METHOD USING KERNEL CALLBACK MECHANISM - In a malware auto-analysis method using a kernel callback mechanism, a function, present in a kernel driver within a PsSetCreateProcessNotifyRoutine function, is registered by a process monitor driver as a callback function when a computer boots. A function present in a registry monitor driver is registered by the registry monitor driver as a callback function in a CmRegisterCallback function when the driver is loaded. A kernel driver is registered by a file monitor driver as a mini-filter driver in a Filter Manager present in a Windows system. At least one of a process event, a registry event, or an Input/Output (I/O) event is received by a behavior event collector from the process monitor driver, the registry monitor driver, or the file monitor driver, respectively. | 03-29-2012 |
20120079595 | Snoop Echo Response Extractor - A mechanism is provided for identifying a snooping device in a network environment. A snoop echo response extractor generates an echo request packet with a bogus MAC address that will only be received by a snooping device. The snoop echo response extractor also uses an IP address that will cause the snooping device to respond to the echo request. | 03-29-2012 |
20120084859 | REALTIME MULTIPLE ENGINE SELECTION AND COMBINING - Architecture that selects a classification engine based on the expertise of the engine to process a given entity (e.g., a file). Selection of an engine is based on a probability that the engine will detect an unknown entity classification using properties of the entity. One or more of the highest ranked engines are activated in order to achieve the desired performance. A statistical, performance-light module is employed to skip or select several performance-demanding processes. Methods and algorithms are utilized for learning based on matching the best classification engine(s) to detect the entity class based on the entity properties. A user selection option is provided for specifying a maximum number of ranked, classification engines to consider for each state of the machine. A user can also select the minimum probability of detection for a specific entity (e.g., unknown file). The best classifications are re-evaluated over time as the classification engines are updated. | 04-05-2012 |
20120084860 | SYSTEM AND METHOD FOR DETECTION OF DOMAIN-FLUX BOTNETS AND THE LIKE - In one embodiment, a method for detecting malicious software agents, such as domain-flux botnets. The method applies a co-clustering algorithm on a domain-name query failure graph, to generate a hierarchical grouping of hosts based on similarities between domain names queried by those hosts, and divides that hierarchical structure into candidate clusters based on percentages of failed queries having at least first- and second-level domain names in common, thereby identifying hosts having correlated queries as possibly being infected with malicious software agents. A linking algorithm is used to correlate the co-clustering results generated at different time periods to differentiate actual domain-flux bots from other domain-name failure anomalies by identifying candidate clusters that persist for relatively long periods of time. Persistent candidate clusters are analyzed to identify which clusters have malicious software agents, based on a freshness metric that characterizes whether the candidate clusters continually generate failed queries having new domain names. | 04-05-2012 |
20120084861 | METHODS AND SYSTEMS THAT SELECTIVELY RESURRECT BLOCKED COMMUNICATIONS BETWEEN DEVICES - Data communications between devices are selectively blocked and resurrected based on error notifications. Data communications from one or more source devices to one or more intended destination devices are selectively blocked based on content of the data communications. The blocked data communications are stored in a database. A blocked data communication is retrieved from the database in response to an error notification from one of the source devices and/or from one of the destination devices. The retrieved data communication is then sent to the intended destination device. | 04-05-2012 |
20120084862 | Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System - A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system. | 04-05-2012 |
20120084863 | METHOD AND SYSTEM FOR IDENTIFYING COMPROMISED NODES - The invention relates to a method for identifying compromised nodes in a ZigBee network comprising a general trust center, divided in at least two security domains, each security domain corresponding to a spatial or temporal area, and being associated with a different root keying material, and each node being identified by an identifier, the method comprising: upon detection of a node (U | 04-05-2012 |
20120090030 | IDENTIFYING BOTS - A method of identifying if a web client has browser capabilities. An originating machine receives a web page request from the web client. The originating machine generates a page request id (PRID) and a script which, when executed by a web client with a browser, regenerates a PRID, and embeds the script in a response. The originating machine sends the response to the web client for the web client to process and, if the web client is capable, to execute the embedded script, thereby to regenerate a PRID, and to return the regenerated PRID to the originating machine. The originating machine compares the returned regenerated PRID with the generated PRID, a match indicating that the web client has browser capabilities. | 04-12-2012 |
20120096548 | NETWORK ATTACK DETECTION - A method and apparatus are provided for detecting attacks on a data communication network. The apparatus includes a router with a mechanism for monitoring return messages addressed to an originating user system local to the router. The mechanism includes a message checker for identifying a return message of a specified nature and a rerouter for temporarily routing subsequent messages from the originating user system to the intrusion detection sensor. | 04-19-2012 |
20120096549 | ADAPTIVE CYBER-SECURITY ANALYTICS - Performing adaptive cyber-security analytics including a computer implemented method that includes receiving a report on a network activity. A score responsive to the network activity and to a scoring model is computed at a computer. The score indicates a likelihood of a security violation. The score is validated and the scoring model is automatically updated responsive to results of the validating. The network activity is reported as suspicious in response to the score being within a threshold of a security violation value. | 04-19-2012 |
20120096550 | PROVIDING SECURITY FOR A VIRTUAL MACHINE BY SELECTIVELY TRIGGERING A HOST SECURITY SCAN - The disclosed embodiments provide a system that protects an application from malware on a host system. During operation, the system receives a command to commence execution of the application on the host system. In response to the command, the system causes a security scan to be performed on the host system to detect malware, wherein the malware can compromise the security of the application. The system also restricts one or more operations associated with the application until the security scan successfully completes. | 04-19-2012 |
20120096551 | INTRUSION DETECTING SYSTEM AND METHOD FOR ESTABLISHING CLASSIFYING RULES THEREOF - A method for establishing classifying rules of an intrusion detecting system is provided with the following steps. First, at least one decision tree is provided. Internal nodes of the decision tree respectively represent an attribute judgment condition, and leaf nodes respectively represent an attack event or non-attack event. Next, a plurality of attribute data of at least one new attack event is received. Then, a tree structure of the decision tree is adjusted according to the attribute data. Afterwards, at least one attack rule or at least one non-attack rule is outputted according to the adjusted decision tree. Further, the intrusion detection system is also provided. | 04-19-2012 |
20120096552 | SYSTEM FOR AN ENGINE FOR FORECASTING CYBER THREATS AND METHOD FOR FORECASTING CYBER THREATS USING THE SYSTEM - A system for an engine for forecasting cyber threats and a method enabling the forecast of a low-level cyber threat and the forecast of a high-level cyber threat using the low-level cyber threat in a hierarchical structure of cyber threats are provided. The system includes a forecast information database which stores forecast information including cyber threat forecast items, a forecast schedule related to the items, forecast simulation information, forecast item hierarchical structure information, time series data on cyber threats, and sample data on cyber threats; a forecast engine core subsystem which forecasts the levels of threats for the cyber threat forecast items having a hierarchical structure using the forecast information stored in the forecast information database; and a forecast engine control interface which receives control commands for the forecast engine core subsystem from a user or external system, and delivers the received control commands to the forecast engine core subsystem. | 04-19-2012 |
20120102568 | SYSTEM AND METHOD FOR MALWARE ALERTING BASED ON ANALYSIS OF HISTORICAL NETWORK AND PROCESS ACTIVITY - A method for malware protection includes receiving detection information for detecting malware on an electronic device, accessing historical information of an electronic device, comparing the detection information to the historical information, and based on the comparison of the detection information with the historical information, alerting a user of the electronic device of risks of malware evidenced by the historical information. Comparing detection information to historical information includes determining that information from a first category of historical information is associated with a source of malware, cross-referencing information from a second category of historical information to the information from the first category, and associating the information from the second category with the malware. | 04-26-2012 |
20120110665 | Intrusion Detection Within a Distributed Processing System - A computer implemented method monitors activity within a device driver layer of a computer. An arrival rate is identified within a device driver for the node. The arrival rate is a rate at which packets arrive at a network adapter of the node from all other nodes within a network. If the arrival rate exceeds at least one threshold, the node undergoes a state change. The at least one threshold delineates between a plurality of states for the node. | 05-03-2012 |
20120110666 | DETECTING SURREPTITIOUS SPYWARE - Tools and techniques are provided for detecting a particular type of spyware. Network activities and user update activities are monitored automatically, and the results are analyzed to identify related processes which perform network transmissions without performing substantive user updates. These processes are identified to a user and/or an administrator as potential spyware, and are then quarantined or otherwise handled based on instructions received from the user or administrator. In some cases, the monitoring and analysis begins with selection of a group of processes to monitor, while in other cases it begins with monitoring of network and/or user update activities in order to narrow the group of suspect processes. Devices, configured media, and method products are also described. | 05-03-2012 |
20120117647 | Computer Worm Curing System and Method and Computer Readable Storage Medium for Storing Computer Worm Curing Method - A computer worm curing system includes a string receiving module, a string generating module and a string replying module. The string receiving module receives an infected string, which is generated by a computer worm, from an infected host, which is infected by the computer worm, through a network. The infected string includes a shellcode, and the shellcode is executed utilizing a vulnerable process. The string generating module generates a curing code for curing the computer worm, and replaces the shellcode in the infected string with the curing code to generate a curing string, such that the curing string can be executed utilizing the vulnerable process. The string replying module replies the curing string to the infected host, such that the curing code of the curing string can be executed utilizing the vulnerable process of the infected host to cure the infected host of the computer worm. | 05-10-2012 |
20120117648 | Malware Determination - A method and apparatus for determining whether an electronic file stored at a client device is malware. A server receives from the client device a request message that contains signature information of the electronic file. The server queries a database of signature information of a multiplicity of electronic files. If the signature information of the electronic file corresponds to signature information stored on the database, a determination is made as to whether the electronic file is malware. If the signature information of the electronic file does not correspond to signature information stored on the database, a determination is made as to whether a predetermined number of further request messages for the electronic file are received from further client devices within a predetermined time period. If fewer request messages are received within the time period, it is likely that the electronic file is malware. | 05-10-2012 |
20120124666 | METHOD FOR DETECTING AND PREVENTING A DDOS ATTACK USING CLOUD COMPUTING, AND SERVER - A method for detecting and preventing a Distributed Denial of Service (DDoS) attack in a cloud computing environment including a plurality of clients connected to a server, the method includes collecting, by the server, file deoxyribonucleic acid (DNA) extracted from a file currently being executed by each of the clients and traffic information about network traffic caused by the file, from each client by using an agent that is installed in the client and that monitors the file currently being executed by the client. Further, the method includes analyzing, by the server, a risk level of a DDoS attack based on whether the file DNA of the file is malicious or unidentified and based on the traffic information. Furthermore, the method includes sending a command related to whether to block the file to the client according to the analyzed risk level. | 05-17-2012 |
20120131672 | Secure Notification on Networked Devices - A system, device and method to securely notify a user of a compromise of a device are provided. The system, device and method may include a detection device adapted for determining a compromise of the device communicatively coupled to the first path, a user database including at least information regarding the device and other devices associated with the user, and the secure signal path to at least one of the other devices. | 05-24-2012 |
20120131673 | APPARATUS AND METHOD FOR PROTECTION OF CIRCUIT BOARDS FROM TAMPERING - A method and system for protecting a printed circuit board (PCB) from tampering positions a physical sensor proximal to the PCB. An initialization period is established and an output signal from the sensor is continuously monitored to establish threshold parameter data. Periodically, the sensor is polled and an output signal received which is compared to the threshold parameter data. A detected intrusion signal is generated if the received signal exceeds the threshold by a predetermined level. A detected intrusion is validated using a set of validation rules which analyze the detected intrusion based on historical sensor output values and factors such as duration or frequency of intrusion detections. If the detected intrusion is validated, a validated signal is generated which triggers a reset processor to output a reset signal that causes erasure of at least a portion of onboard memory. | 05-24-2012 |
20120131674 | Vector-Based Anomaly Detection - Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur. | 05-24-2012 |
20120137365 | ANTI-MALWARE SCANNING SYSTEM AND METHOD THEREOF - Provided are an anti-malware scanning system and a method thereof. The system includes: a host; and a chip which is removably connected to the host, receives a file to be scanned from the host, and scans whether malware exists in the file, wherein the host adjusts a size of the file to be scanned to correspond to a storage capacity of a storage unit of the chip and transmits the adjusted file to the chip. Accordingly, scanning is performed effectively even in an environment in which resources of the anti-malware scanning system are limited. | 05-31-2012 |
20120137366 | TECHNIQUES FOR NETWORK PROTECTION BASED ON SUBSCRIBER-AWARE APPLICATION PROXIES - Techniques for responding to intrusions on a packet switched network include receiving user data at a subscriber-aware gateway server between a network access server and a content server. The user data includes subscriber identifier data that indicates a unique identifier for a particular user, network address data that indicates a network address for a host used by the particular user, NAS data that indicates an identifier for the network access server, flow list data that indicates one or more open data packet flows, and suspicious activity data. The suspicious activity data indicates a value for a property of the open data packet flows that indicates suspicious activity. It is determined whether an intrusion condition is satisfied based on the suspicious activity data. If the intrusion condition is satisfied, then the gateway responds based at least in part on user data other than the network address data. | 05-31-2012 |
20120144485 | COMPUTER SECURITY METHOD AND SYSTEM WITH INPUT PARAMETER VALIDATION - A security system, including a receiver for receiving a downloadable, a scanner, coupled with the receiver, for scanning the downloadable to identify suspicious computer operations therein, a code modifier, coupled with the scanner, for overwriting the suspicious computer operations with substitute computer operations, if at least one suspicious computer operation is identified by the scanner, and for appending monitoring program code to the downloadable thereby generating a modified downloadable, if at least one suspicious computer operation is identified by the scanner, and a processor, coupled with the code modifier, for executing programmed instructions, wherein the monitoring program code includes program instructions for the processor to validate input parameters for the suspicious computer operations during run-time of the downloadable. A method is also described and claimed. | 06-07-2012 |
20120144486 | METHOD AND SYSTEM FOR PROTECTING AGAINST UNKNOWN MALICIOUS ACTIVITIES BY DETECTING A HEAP SPRAY ATTACK ON AN ELECTRONIC DEVICE - A method and system for protecting against unknown malicious activities by detecting a heap spray attack on an electronic device are disclosed. A script is received at an electronic device from a remote device via a network and a loop operation is detected in the script that contains a write operation operable to write data to a memory of the electronic device. The amount of the data operable to be written to the memory by the write operation is determined and the data is prevented from being written to the memory if the amount of the data is greater than or equal to a threshold. | 06-07-2012 |
20120144487 | ROUTING APPARATUS AND METHOD FOR DETECTING SERVER ATTACK AND NETWORK USING THE SAME - Routing apparatus and method for detecting a server attack are disclosed. The routing apparatus includes: a reception unit configured to receive a packet transmitted in a network; a transmission unit configured to transmit the packet along a transmission path; a memory unit configured to store data and/or information required for an operation; and a controller configured to set the transmission path of the packet in the network and perform packet switching along the set transmission path, wherein the reception unit receives server state information from servers at every certain time, the memory unit stores the received server state information, and the controller calculates a change in the state of the servers based on the received server state information, and determines that a server is attacked when a change in the state of the server is greater than a certain threshold value. | 06-07-2012 |
20120151582 | Offline Scan, Clean and Telemetry Using Installed Antimalware Protection Components - The subject disclosure relates to antimalware scanning, and more particularly to offline antimalware scanning of a host environment via an alternate, known safe operating system. An offline scanning product obtains data previously written by the host environment online antimalware scanning tool, e.g., configuration data and antimalware signatures in shared data stores accessible to the offline and online products, and uses that data to perform the offline antimalware scan. The offline scanning product writes results information and any quarantined files to other shared data stores, whereby the online environment, when rebooted, has access to the information, such as for review and to upload telemetry information to an online service for analysis. Also described is offline replacement of operating system files that cannot be cleaned or removed when online. | 06-14-2012 |
20120151583 | DDOS ATTACK DETECTION AND DEFENSE APPARATUS AND METHOD - A Distributed Denial of Service (DDoS) attack detection and defense apparatus and method are provided. The Distributed Denial of Service (DDoS) attack detection and defense apparatus includes: a flow information collection unit to collect, from one or more input packets with an IP address of an attack target system as a destination IP address, flow information including source IP addresses of the input packets and packet counts of one or more flows that are classified for each of the source IP addresses and each of different protocol types; an inspection unit to calculate packets per second (PPS) values of the flows based on the packet counts; and a response unit to determine a DDoS attack response method for each of the flows based on the PPS value and the protocol type of a corresponding flow and to process the corresponding flow using the determined DDoS attack response method. | 06-14-2012 |
20120151584 | METHOD FOR BLOCKING DENIAL-OF-SERVICE ATTACK - Disclosed herein is a method for blocking a Denial-of-Service (DoS) attack. A server extracts a plurality of suspicious packets including data, length of which is equal to or greater than a preset length, from a plurality of received packets. The server determines a packet, which includes data composed of characters or character strings identical to each other, among the plurality of suspicious packets, to be an attack packet. The server blocks a packet corresponding to the attack packet. Accordingly, the present invention can block a DoS attack based on UDP flooding. | 06-14-2012 |
20120159624 | COMPUTER SECURITY METHOD, SYSTEM AND MODEL - A computer security method includes receiving a security alert associated with an electronic attack to at least one computer system of a data network, identifying a first set of business services which may be affected by the electronic attack, estimating, based on an identified first set of potentially affected business services, a first potential cost to a business when the electronic attack is successful, identifying at least one counteraction which may be employed to prevent or mitigate the electronic attack, identifying a second set of business services which may be affected by the at least one counteraction, estimating, based on the identified second set of potentially affected business services, a second potential cost to the business when the counteraction is employed, and comparing the first potential cost and the second potential cost. | 06-21-2012 |
20120159625 | MALICIOUS CODE DETECTION AND CLASSIFICATION SYSTEM USING STRING COMPARISON AND METHOD THEREOF - The present invention provides a malicious code detection and classification system using a string comparison technique, including a string extracting unit configured to extract all expressed strings existing in a binary file from the malicious code binary file; a string refining unit configured to refine elements obstructing malicious code detection and classification in the strings extracted from the string extracting unit; and a string comparison unit configured to determine how similar one binary is to another binary by comparing strings refined from the string refining unit. | 06-21-2012 |
20120159626 | GEOGRAPHICAL INTRUSION RESPONSE PRIORITIZATION MAPPING SYSTEM - Systems and methods for geographically mapping an intrusion into a network having one or more network points include receiving intrusion information identifying an intrusion into a point of the network, correlating the intrusion information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the intrusion. | 06-21-2012 |
20120159627 | SUSPICIOUS NODE DETECTION AND RECOVERY IN MAPREDUCE COMPUTING - Embodiments of the present invention address deficiencies of the art in respect to distributed computing for large data sets on clusters of computers and provide a novel and non-obvious method, system and computer program product for detecting and correcting malicious nodes in a cloud computing environment (e.g., MapReduce computing). In one embodiment of the invention, a computer-implemented method for detecting and correcting malicious nodes in a cloud computing environment can include selecting a task to dispatch to a first worker node, setting a suspicion index threshold for the selected task, determining a suspicion index for the selected task, comparing the suspicion index to the suspicion index threshold and receiving a result from a first worker node. The method further can include applying a recovery action when the suspicion index exceeds the selected suspicion index threshold. | 06-21-2012 |
20120167214 | METHOD AND SYSTEM FOR CLOAKED OBSERVATION AND REMEDIATION OF SOFTWARE ATTACKS - A method and system provide security for a communication network and for one or more nodes within the network. Software can be distributed throughout the network from a centralized location or administrative console. The software can be made resident in the kernel of the operating system of a receiving node. The software can provide an observation functionality, an analysis functionality, a reporting functionality and a remediation functionality or some subset of those functionalities. | 06-28-2012 |
20120167215 | SYSTEM AND METHOD OF FACILITATING THE IDENTIFICATION OF A COMPUTER ON A NETWORK - A system and method for facilitating identification of an attacking computer in a network is provided. A user attempting to login to a network application may be presented with a screen prior to the login which lists preconditions of gaining access to the application. If a user concurs with the preconditions, a security module is downloaded to the user's computer and executed which gathers various configuration settings and transmits the gathered information to a predetermined destination. The security module may also attempt to place a call to a predetermined destination over a modem in the computer to cause registration of caller-ID data when answered at the predetermined destination. Once the security check is completed, login may proceed with the network application. Any data gathered by the security module may be stored for later recall and use to identify the computer in the event of an attack. | 06-28-2012 |
20120167216 | METHOD AND APPARATUS HAVING RESISTANCE TO FORCED TERMINATION ATTACK ON MONITORING PROGRAM FOR MONITORING A PREDETERMINED RESOURCE - Exemplary embodiments include a method and system having resistance to a forced termination attack on a monitoring program for monitoring a predetermined resource. Aspects of the exemplary embodiment include a device that executes a predetermined process including a monitoring program that monitors a predetermined resource, wherein the predetermined process is a process for which the predetermined resource becomes unavailable in response to termination of the predetermined process; a program starting unit for starting the monitoring program in response to an execution of the predetermined process; and a terminator for terminating the predetermined process in the case where the monitoring program is forcibly terminated from the outside. | 06-28-2012 |
20120174220 | DETECTING AND MITIGATING DENIAL OF SERVICE ATTACKS - Embodiments of this invention provide methods for detecting a denial of service attack (DoS) and isolating traffic that relates to the attack. The method may begin by collecting network traffic data by observing individual packets carried over the network. The data may then be compiled into a time series comprising network traffic data relating to successive time-intervals. A difference value is computed based upon the entry in the time series for a large time-window and for a small time-window. A deviation score may then be determined by calculating the ratio of the difference values. The deviation score may indicate whether an attack occurred. In an embodiment of the invention, an attack is deemed to occur if the deviation score is between 0.6 and 1.4. | 07-05-2012 |
20120174221 | Apparatus and method for blocking zombie behavior process - Provided are an apparatus and method for blocking a zombie behavior process. The apparatus includes a security policy storage configured to store zombie-behavior-type-specific traffic characteristics and security policies, a traffic monitor configured to monitor traffic generated on the computer and detect abnormal traffic exceeding a predetermined reference value, a process and traffic analyzer configured to find an abnormal process causing the abnormal traffic and detect a zombie behavior type associated with the abnormal process by analyzing the abnormal traffic on the basis of the zombie-behavior-type-specific traffic characteristics stored in the security policy storage, and a process handler configured to handle the process whose zombie behavior type has been detected according to a security policy defined for the detected zombie behavior type. Also, the apparatus according to another aspect includes a system process monitor and handler configured to detect whether or not a file associated with a system process is modified and block the system process. | 07-05-2012 |
20120174222 | METHOD FOR THE SAFETY OF NETWORK TERMINAL DEVICES - The present invention provides a method for the safety of network terminal devices that utilizes the basic operations in network terminal devices (NTDs) and a network security center (NSC), as well as the analyzing and processing ability provided by the NSC, to solve network security issues based on a hierarchical network security structure of client request-server response. In the NSC, the solution is broken into a plurality of basic operations with their respective corresponding parameters. Each basic operation is encoded according to an operation code table (OCT) and encapsulated in a network security suspicion information packet (NSSIP). The NSC sends the NSSIP to the NTD. The NTD receives and splits the network security solution packet (NSSP) to get the plurality of operation codes and their respective corresponding parameters. The NTD retrieves a plurality of call interfaces from the OCT according to the plurality of operation codes. The plurality of call interfaces and their respective corresponding parameters are combined together to form a complete local solution to replace traditional patch and anti-virus modules. Using this invention, the requirements on hardware are relaxed so as to fit well with various small-sized NTDs. | 07-05-2012 |
20120174223 | SYSTEMS AND METHODS FOR DETECTION OF SESSION TAMPERING AND FRAUD PREVENTION - The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the-middle attacks. | 07-05-2012 |
20120180130 | METHOD FOR DEFENDING AGAINST DENIAL-OF-SERVICE ATTACK ON THE IPV6 NEIGHBOR CACHE - A method of defending against a denial-of-service (DoS) attack on an IPv6 neighbor cache includes steps of determining a number of neighbor cache entries currently stored in the neighbor cache and then determining whether the number of entries exceeds a neighbor cache threshold that is less than a neighbor cache limit defining a maximum capacity of the neighbor cache. When the number of entries in the neighbor cache exceeds the neighbor cache threshold, stateless neighbor resolution is triggered. Stateless neighbor resolution entails sending a neighbor solicitation to resolve an address for an incoming packet without logging a corresponding entry in the neighbor cache. Additional techniques that complement the above method involve purging of neighbor cache entries designated as incomplete, prioritization of the entries based on trustworthiness, shortening the incomplete-status timer to less than 3 seconds, and curtailing the number of retransmissions of the neighbor solicitations. | 07-12-2012 |
20120185938 | DETECTING AND DEFENDING AGAINST MAN-IN-THE-MIDDLE ATTACKS - A system, method and program product for defending against man in the middle (MITM) attacks directed at a target server. A system is provided that includes an activity recording system that records an incoming IP address, userid, and time of each session occurring with the target server; an activity analysis system that identifies suspect IP addresses by determining if an unacceptable number of sessions are occurring from a single incoming IP address during a predefined time period; and a countermeasure system for taking action against suspect IP addresses. | 07-19-2012 |
20120192272 | Mitigating multi-AET attacks - Aspects of the invention relate to a method of identifying a potential attack in network traffic that includes payload data transmitted to a host entity in the network. The method includes: performing a first data-check on one or more data bytes of the payload data at the host entity; performing a second data-check, equivalent to the first data-check, on data of the network equivalent to the one or more bytes of payload data; and comparing the results of the first and second data-checks to determine if there is a mismatch, the mismatch being an indication of a potential attack. | 07-26-2012 |
20120192273 | Malware detection - First data relating to a selected file is obtained. Based upon the first data it is determined if malware detection processing can be selected. Malware detection processing of the file is selected based upon said first data if it is determined that malware detection processing can be selected based upon the first data. If it is determined that, based upon the first data, malware detection processing cannot be selected based upon the first data, second data relating to the selected file is obtained and malware detection processing of the file is selected based upon said first and second obtained data. The selected malware detection processing is applied to said selected file. In an exemplary embodiment the first data is metadata and represents a faster scan of the file, and the second data is content of the file's header and represents a more in-depth scan of the file. | 07-26-2012 |
20120192274 | System, Method, and Device for Storing and Delivering Data - A system and device includes a data storage that stores a use record and data readable by a platform processor at a platform. An executable controller executed from the data storage directs the relationship between the data storage and the platform processor. The platform processor reads the data and, optionally, generates and writes a use record to the data storage. | 07-26-2012 |
20120198551 | METHOD, SYSTEM AND DEVICE FOR DETECTING AN ATTEMPTED INTRUSION INTO A NETWORK - Described herein are embodiments of methods, systems and devices for detecting an attempted intrusion into a network. In one aspect, the network is an advanced metering infrastructure (AMI) network. In another aspect, the network is a home area network (HAN). In accordance with one aspect, a method of detecting an attempted intrusion into a network is described. This embodiment of a method comprises configuring an entrapment meter such that it receives data packets from a network, but does not transmit data packets to the network. The entrapment meter is also configured such that the entrapment meter appears vulnerable to unauthorized intrusion to the network. The configured entrapment meter is used to detect an attempted unauthorized intrusion into the network. The attempted unauthorized intrusion is monitored. | 08-02-2012 |
20120198552 | METHOD, COMPUTER SOFTWARE, AND SYSTEM FOR PROVIDING END TO END SECURITY PROTECTION OF AN ONLINE TRANSACTION - Techniques for categorizing programs running on an information handling system. One method includes, while a program is running on an information handling system in a manner that permits the program to infect the information handling system, calculating a first score and a second score. The first score is indicative of the likelihood that the program is malicious; the second score is indicative of the likelihood that the program is valid. This method further includes categorizing the program with respect to the likelihood of the program infecting the information handling system, including by categorizing the program as valid code based on the second score being above a threshold value, regardless of the first score. | 08-02-2012 |
20120204262 | METHOD FOR TRACKING MACHINES ON A NETWORK USING MULTIVARIABLE FINGERPRINTING OF PASSIVELY AVAILABLE INFORMATION - A method for tracking machines on a network of computers includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware fingerprint to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware fingerprint with the unknown host, and determining if the unknown host is the malicious host. | 08-09-2012 |
20120204263 | METHOD AND APPARATUS FOR PREVENTING DOS ATTACKS ON TRUNK INTERFACES - A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion. | 08-09-2012 |
20120204264 | METHOD, APPARATUS AND SYSTEM FOR DETECTING BOTNET - A method, an apparatus, and a system for detecting a Botnet are disclosed. The method for detecting a Botnet includes: obtaining address information about a control host in a Bot sample by using an auto breakout environment; sending a query request message to a traffic analysis device to obtain address information of a Bot host connected with the control host, in which the query request message carries the address information about the control host; and receiving a query response message returned by the traffic analysis device, in which the query response message carries the address information of the Bot host connected with the control host. The method for detecting a Botnet can obtain the Botnet information in real time and construct a topology of the Botnet. | 08-09-2012 |
20120210427 | CONFIGURABLE INVESTIGATIVE TOOL - This disclosure provides example techniques to invoke one or more tools, with an investigative tool. The investigative tool provides a common framework that allows investigators to invoke their own trusted tools or third-party generated tools. The investigative tool described herein seamlessly and transparently invokes the tools in accordance with an investigative profile created by the investigator. | 08-16-2012 |
20120210428 | FLOW DATA FOR SECURITY INTRUSION DETECTION - Disclosed herein are techniques for detecting possible security intrusions in a computer network. The security intrusion detection may be based on analyzing patterns of how transactions flow through one or more software applications. For example, patterns of transaction flows are determined for an initial time period to establish a baseline of normal flow patterns. These normal flow patterns may be compared with patterns for transaction flows for a later time period. Deviations in the patterns of transaction flow may indicate a possible security intrusion. | 08-16-2012 |
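The baseline-and-compare idea above, as an added example written for this listing rather than taken from the patent. Each transaction is modelled as the ordered list of application components it passed through; the baseline period yields the conditional probability of every component-to-component transition, and a later period is compared against it. The component names, flow counts, minimum support and deviation ratio are all constructed for the example.

```python
from collections import Counter


def transition_counts(flows):
    """Count (component -> next component) edges over a set of transaction flows."""
    counts = Counter()
    for flow in flows:
        for src, dst in zip(flow, flow[1:]):
            counts[(src, dst)] += 1
    return counts


def transition_profile(flows):
    """Estimate P(next = dst | current = src) for every edge observed."""
    counts = transition_counts(flows)
    out_degree = Counter()
    for (src, _), n in counts.items():
        out_degree[src] += n
    return {edge: n / out_degree[edge[0]] for edge, n in counts.items()}


def flow_deviations(baseline_flows, later_flows, min_count=3, ratio=3.0):
    """Report an edge if it never occurred in the baseline, or if its conditional
    probability moved by more than `ratio` in either direction. Edges seen fewer
    than min_count times in the later period are ignored so one-off noise does not
    reach the alert stream. Returns [(edge, reason, later_probability), ...]."""
    base = transition_profile(baseline_flows)
    later_counts = transition_counts(later_flows)
    later = transition_profile(later_flows)
    findings = []
    for edge, p in sorted(later.items()):
        if later_counts[edge] < min_count:
            continue
        if edge not in base:
            findings.append((edge, "new transition", round(p, 3)))
        elif max(p / base[edge], base[edge] / p) > ratio:
            findings.append((edge, "rate shift", round(p, 3)))
    return findings


def sample_periods():
    """Constructed flows. Baseline: every request passes the auth component before
    reaching the database. Later period: the same traffic plus 20 transactions that
    reach the database without auth and 5 that reach an admin component."""
    baseline = [["web", "auth", "db"]] * 100 + [["web", "catalog", "db"]] * 50
    later = baseline + [["web", "db"]] * 20 + [["web", "auth", "admin", "db"]] * 5
    return baseline, later


if __name__ == "__main__":
    for edge, reason, p in flow_deviations(*sample_periods()):
        print(f"{edge[0]} -> {edge[1]}: {reason} (p={p})")
```

The direct web-to-db path is the interesting finding: the component call itself is not malicious, it is simply a route no legitimate transaction took during the baseline, which is the kind of deviation a signature-based sensor would never see. The baseline must be long enough to contain every legitimate path, or normal but rare flows will show up as "new transition" after a deployment.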
20120210429 | Adaptive Behavioral Intrusion Detection Systems and Methods - Systems and methods for analyzing historical network traffic and determining which traffic does not belong in a network are disclosed. Intrusion detection is performed over a period of time, looking for behavioral patterns within networks or information systems and generating alerts when these patterns change. The intrusion detection system intelligently forms correlations between disparate sources to find traffic anomalies. Over time, behaviors are predictive, and the intrusion detection system attempts to predict outcomes, becoming proactive instead of just reactive. Intrusions occur throughout whole information systems, including both network infrastructure and application servers. By treating the information system as a whole and performing intrusion detection across it, the chances of detection are increased significantly. | 08-16-2012 |
20120210430 | INTRUSION DETECTION USING A NETWORK PROCESSOR AND A PARALLEL PATTERN DETECTION ENGINE - An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs) each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern matches a stored pattern, the identification of the PU detecting the pattern is outputted with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures. | 08-16-2012 |
20120216280 | DETECTION OF CODE-BASED MALWARE - This document describes techniques for detection of code-based malware. According to some embodiments, the techniques utilize a collection of known malicious code and known benign code and determine which features of each type of code can be used to determine whether unclassified code is malicious or benign. The features can then be used to train a classifier (e.g., a Bayesian classifier) to characterize unclassified code as malicious or benign. In at least some embodiments, the techniques can be used as part of and/or in cooperation with a web browser to inspect web content (e.g., a web page) to determine if the content includes code-based malware. | 08-23-2012 |
20120216281 | Systems and Methods for Providing a Computing Device Having a Secure Operating System Kernel - A method and apparatus for resisting malicious code in a computing device. A software component corresponding to an operating system kernel is analyzed prior to executing the software component to detect the presence of one or more specific instructions such as malicious code, a change in mode permissions or instructions to modify or turn off security monitoring software, and taking a graduated action in response to the detection of one or more specific instructions. The graduated action taken is specified by a security policy (or policies) stored on the computing device. The analyzing may include off-line scanning of a particular code or portion of code for certain instructions, op codes, or patterns, and includes scanning in real-time as the kernel or kernel module is loading while the code being scanned is not yet executing (i.e., it is not yet “on-line”). Analysis of other code proceeds according to policies. | 08-23-2012 |
20120216282 | METHODS AND SYSTEMS FOR DETECTING AND MITIGATING A HIGH-RATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK - Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities. | 08-23-2012 |
20120222115 | USING A DECLARATION OF SECURITY REQUIREMENTS TO DETERMINE WHETHER TO PERMIT APPLICATION OPERATIONS - Provided are a computer program product, system, and method for using a declaration of security requirements to determine whether to permit application operations. A declaration of security requirements indicates actions the application designates to perform with respect to resources in a computer system, wherein a plurality of the indicated actions are indicated for at least two operation modes of the application. A detection is made of whether the application is requesting to perform a requested action with respect to a requested resource in the computer system. A determination is made of a current operation mode of the application comprising one of the at least two operation modes in response to detecting that the application is requesting the requested action. A determination is made as to whether the declaration of security requirements indicates the requested action with the current operation mode. The requested action with respect to the requested resource is allowed to proceed in response to determining that the declaration of security requirements indicates the requested action with respect to the requested resource as indicated with the current operation mode. | 08-30-2012 |
20120222116 | SYSTEM AND METHOD FOR DETECTING WEB BROWSER ATTACKS - A method and system for detecting a heap corruption exploit of a web browser is described. The method comprises installing or injecting a detection module into the web browser. Next, the detection module patches or hooks all calls to the detection module in order to identify calls indicating a heap corruption exploit. The identified calls are then analyzed to determine whether a heap corruption exploit is occurring. | 08-30-2012 |
20120222117 | METHOD AND SYSTEM FOR PREVENTING TRANSMISSION OF MALICIOUS CONTENTS - A method and a system for preventing transmission of malicious contents are provided. The method includes intercepting at a network gateway device of a server network a digital communication being sent from the server network to an external network; searching the digital communication for a malicious transmission schema that can be used to cause a malicious transmission on a recipient of the digital communication; and taking an action to hinder the transmission of malicious contents if a malicious transmission schema is found. | 08-30-2012 |
20120222118 | TIERED OBJECT-RELATED TRUST DECISIONS - Adware and viruses are examples of objects that may be embedded in a web page or linked to a web page. When such an object is detected to be associated with a web page loading on a browser, an analysis may be performed to determine a trust level for the object. The object is suppressed based on the trust level. A prompt is displayed to advise a user that the object has been suppressed, and to provide an opportunity to interactively accept or decline activation of an action for the object. | 08-30-2012 |
20120222119 | ACTIVE COMPUTER SYSTEM DEFENSE TECHNOLOGY - Active computer system defense techniques can include sending disruptive communications to attackers, where the disruptive communications include random data elements which could potentially interfere with the operation of an attacking system. Such computer system defense techniques can also be augmented to automatically optimize the disruptive communications sent to the attackers. | 08-30-2012 |
20120227107 | CUSTOMER PREMISES EQUIPMENT AND METHOD FOR AVOIDING ATTACKS - A customer premises equipment (CPE) receives data packets from a network service device via a primary service flow. When the CPE detects a flood of packets in the data packets received via the primary service flow, the CPE determines a source Internet protocol (IP) address of the flood of packets. The CPE establishes a new service flow with the network service device. A source IP address of the new service flow is set to the source IP address of the flood of packets, and a transfer speed of the new service flow is less than that of the primary service flow. The CPE transfers the flood of packets from the primary service flow to the new service flow. | 09-06-2012 |
20120227108 | Intrusion Event Correlation System - Disclosed is a system for correlating intrusion events using attack graph distances. The system includes an attack graph generator, an exploit distance calculator, an intrusion detector, an event report/exploit associator, an event graph creator, an event graph distance calculator, a correlation value calculator, and a coordinated attack analyzer. An attack graph is constructed for exploits and conditions in a network. The exploit distance calculator determines exploit distances for exploit pair(s). The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks. | 09-06-2012 |
20120233693 | METHODS AND SYSTEMS FOR FULL PATTERN MATCHING IN HARDWARE - Methods and systems are provided for hardware-based pattern matching. In an embodiment, an intrusion-prevention system (IPS) identifies a full match between a subject data word comprising subject-data blocks and a signature data pattern comprising signature-data blocks. The IPS receives the subject data word via a network interface, and thereafter makes a partial-match determination that two or more but less than all of the subject-data blocks respectively match the same number of the signature-data blocks stored in partial-match hardware with respect to both value and position. Thereafter, the IPS makes a full-match determination that all of the subject-data blocks respectively match all of the signature-data blocks stored in the IPS's full-match hardware with respect to both value and position. The IPS then stores an indicator that the full-match determination has been made, and may carry out one or more additional intrusion-prevention responses as well. | 09-13-2012 |
20120233694 | MOBILE MALICIOUS SOFTWARE MITIGATION - Mitigation of malicious software in wireless networks and/or on mobile devices is provided. A mobile malicious software mitigation component is provided that obtains an internet protocol address that is exhibiting malicious software behavior, a profile of the malicious software behavior, and a time of the malicious software behavior. The malicious software mitigation component can determine an identity of a mobile device that was assigned the internet protocol address during the time it was exhibiting malicious software behavior, and transmit the profile to the mobile device. In addition, the malicious software mitigation component determines whether the duration of the assignment of the internet protocol address to the mobile device is sufficient for positive identification. | 09-13-2012 |
20120233695 | SYSTEM AND METHOD FOR SERVER-COUPLED APPLICATION RE-ANALYSIS TO OBTAIN TRUST, DISTRIBUTION AND RATINGS ASSESSMENT - A system and method for preventing malware, spyware and other undesirable applications from affecting mobile communication devices uses a server to assist in identifying and removing undesirable applications. When scanning an application, a device transmits information about the application to a server for analysis. The server receives the information, produces a characterization assessment and can also provide a characterization re-assessment for the application, or data object, and transmits the assessment to the device. By performing analysis on a server, the invention allows a device to reduce the battery and performance cost of protecting against undesirable applications. The servers transmit notifications to devices that have installed applications that are discovered to be undesirable. The server can accumulate this data and then perform a characterization re-assessment of a data object it has previously assessed to provide an assessment based upon one of trust, distribution and ratings information. | 09-13-2012 |
20120246725 | VISUAL STYLES FOR TRUST CATEGORIES OF MESSAGES - A message queue (e.g., an email mailbox) may comprise messages received from various sources and including various types of content. For respective messages, a trust category may be identified, e.g., a trusted message category comprising messages received from a known source, an untrusted message category comprising messages received from an unverified source, and a suspicious message category comprising messages containing potentially malicious attachments or potentially unwanted content. The message queue may be presented to the user with the messages of each trust category having a visual style that visually distinguishes the trust categories; e.g., trusted messages may be visually emphasized, and suspicious messages may be visually de-emphasized. This manner of distinguishing messages may enable the user to triage the messages of the message queue, and may mitigate the disadvantages of a false positive in the trust level identification (as compared with moving the suspicious message to a different folder). | 09-27-2012 |
20120246726 | DETERMINING HEAVY DISTINCT HITTERS IN A DATA STREAM - A data traffic monitor for determining a heavy distinct hitter (HDH) in a data stream, the data stream comprising a plurality of element-value (e,v) pairs, includes a HDH module, the HDH module configured to receive the plurality of (e,v) pairs from the data stream; and a counter block in communication with the HDH module, the counter block comprising a plurality of hash functions, and further comprising a respective pair of distinct counting primitives associated with each hash function of the plurality of hash functions, wherein each of the plurality of (e,v) pairs is added to one of the distinct counting primitives of the respective pair of distinct counting primitives for each of the plurality of hash functions in each of the plurality of counter blocks. | 09-27-2012 |
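A worked sketch in the shape the abstract describes (a pair of distinct-counting primitives per hash function, every (e,v) pair added to one side of each pair), as an added example written for this listing; it is not the patent's construction. The element e is a source IPv4 address, the value v a destination address, so a "heavy distinct hitter" is a scanner or superspreader. The hash functions are taken to be the 32 bit-selectors of the source address, which lets the heavy element be reconstructed bit by bit from whichever side of each pair crossed the threshold; the distinct-counting primitive is an exact set here, where a production monitor would plug in a HyperLogLog. The traffic, the threshold of 100 and the single-counter-block layout are assumptions for the example.

```python
import ipaddress


class DistinctCounter:
    """Exact distinct-counting primitive. A HyperLogLog or similar sketch would
    replace this in a real monitor; the add/count interface stays the same."""
    def __init__(self):
        self._seen = set()

    def add(self, v):
        self._seen.add(v)

    def count(self):
        return len(self._seen)


class HeavyDistinctHitterBlock:
    """One counter block: per hash function j (here: bit j of the source
    address) a pair of distinct counters, one for each hash value 0/1."""
    BITS = 32

    def __init__(self):
        self.pairs = [(DistinctCounter(), DistinctCounter()) for _ in range(self.BITS)]

    def add(self, e, v):
        key = int(ipaddress.IPv4Address(e))
        for j, pair in enumerate(self.pairs):
            pair[(key >> j) & 1].add(v)          # v goes to the side selected by h_j(e)

    def heavy_hitter(self, threshold):
        """Reconstruct the element whose distinct-value count exceeds threshold.
        Returns None if no bit position is decisive (no heavy hitter) or if both
        sides of some pair exceed the threshold (two heavy hitters, ambiguous)."""
        key = 0
        for j, (zero, one) in enumerate(self.pairs):
            c0, c1 = zero.count(), one.count()
            if c1 > threshold >= c0:
                key |= 1 << j
            elif not (c0 > threshold >= c1):
                return None
        return str(ipaddress.IPv4Address(key))


def build_stream(scanners):
    """Constructed (source, destination) pairs: 200 normal hosts talking to 3
    destinations each out of a pool of 50, plus each scanner sweeping 500 hosts."""
    pool = [f"198.51.100.{i}" for i in range(50)]
    stream = []
    for i in range(200):
        src = f"10.1.{i // 256}.{i % 256}"
        for k in range(3):
            stream.append((src, pool[(i + k) % 50]))
    for s, scanner in enumerate(scanners):
        for d in range(500):
            stream.append((scanner, f"192.0.{2 * s + d // 256}.{d % 256}"))
    return stream


def detect(scanners, threshold=100):
    block = HeavyDistinctHitterBlock()
    for e, v in build_stream(scanners):
        block.add(e, v)
    return block.heavy_hitter(threshold)


if __name__ == "__main__":
    print("one scanner :", detect(["10.0.0.99"]))
    print("two scanners:", detect(["10.0.0.99", "10.0.0.100"]))
    print("none        :", detect([]))
```

Memory is 2 x 32 distinct counters regardless of how many sources appear, which is the point of the structure. The failure mode is visible in the second run: two simultaneous scanners differ in some address bits, both sides of those pairs cross the threshold, and the block cannot name either. Multiple counter blocks with independent hash functions, as the abstract provides for, are how that ambiguity is resolved in practice.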
20120246727 | System that provides early detection, alert, and response to electronic threats - The invention is a computer system that provides early detection, alert and response to electronic threats (eThreats) in large wide area networks. The system harnesses the processing power of dedicated hardware, software residing in specialized servers, distributed personal computers connected to the network, and the human brain to provide multi-layered early detection, alarm and response. The layers comprise a Protection Layer, a Detection Layer, an Expert Analysis Layer, and a Collaborative Detection & Protection Layer. A Dynamic Sandbox Protection Layer associated with the distributed personal computers connected to the network can optionally be part of the system of the invention. | 09-27-2012 |
20120246728 | TARGET-BASED SMB AND DCE/RPC PROCESSING FOR AN INTRUSION DETECTION SYSTEM OR INTRUSION PREVENTION SYSTEM - A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table. | 09-27-2012 |
20120254999 | SYSTEMS AND METHOD FOR REGULATING SOFTWARE ACCESS TO SECURITY-SENSITIVE PROCESSOR RESOURCES - A method for protecting an electronic device against malware includes consulting one or more security rules to determine a processor resource to protect, in a module below the level of all operating systems of the electronic device, intercepting an attempted access of the processor resource, accessing a processor resource control structure to determine criteria by which the attempted access will be trapped, trapping the attempted access if the criteria are met, and consulting the one or more security rules to determine whether the attempted access is indicative of malware. The attempted access originates from the operational level of one of one or more operating systems of the electronic device. | 10-04-2012 |
20120255000 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING AND SECURING OF INTERDRIVER COMMUNICATION - In one embodiment, a system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access by a first driver of the operating system of a second driver of the electronic device, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device accessing the second driver. | 10-04-2012 |
20120255001 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER FILTER ATTACHMENT - A system for protecting an electronic system against malware includes an operating system configured to execute on the electronic device, a driver coupled to the operating system, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources for changing filters of the driver, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic system accessing the one or more resources for changing filters of the driver. | 10-04-2012 |
20120255002 | SYSTEM AND METHOD FOR BELOW-OPERATING SYSTEM TRAPPING OF DRIVER LOADING AND UNLOADING - A system for protecting an electronic device against malware includes a memory, an operating system configured to execute on the electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to trap an attempted access of one or more resources of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, operate at a level below all of the operating systems of the electronic device accessing the one or more resources. The attempted access includes an attempted loading or unloading of a driver in the operating system. | 10-04-2012 |
20120255003 | SYSTEM AND METHOD FOR SECURING ACCESS TO THE OBJECTS OF AN OPERATING SYSTEM - In one embodiment, a system for protecting an electronic device against malware includes an object-oriented operating system configured to execute on the electronic device and a below-operating-system security agent. The below-operating-system security agent may be configured to trap an attempted access of an object manager of the operating system, access one or more security rules to determine whether the attempted access is indicative of malware, and operate at a level below all of the operating systems of the electronic device. In some embodiments, the below-operating-system security agent may determine whether the attempted access is indicative of malware by comparing the attempted access to a behavioral state map to determine if the attempted access represents behavior associated with malware. | 10-04-2012 |
20120255004 | SYSTEM AND METHOD FOR SECURING ACCESS TO SYSTEM CALLS - In one embodiment, a system for securing access to system calls includes a memory, an operating system configured to execute on an electronic device, and a below-operating-system security agent. The below-operating-system security agent is configured to identify one or more resources associated with a system call for which attempted accesses will be trapped, trap an attempted access of the one or more resources that originates from the operational level of the operating system, access one or more security rules to determine whether the attempted access is authorized, and operate at a level below all of the operating systems of the electronic device accessing the one or more resources associated with a system call. | 10-04-2012 |
20120255005 | INFORMATION PROCESSING APPARATUS AND METHOD, AND PROGRAM - An information processing apparatus including: an attack detection unit that detects an attack; and a strength adjustment unit that incrementally raises the strength of a security measure every time that an attack is detected by the attack detection unit. | 10-04-2012 |
20120255006 | TWO-TIER DEEP ANALYSIS OF HTML TRAFFIC - A computer-implemented process for two-tier deep analysis of hypertext transport protocol data, monitors Web traffic, receives a packet of Web traffic from a network to form a received packet, wherein the received packet represents Web traffic, and stores the Web traffic temporarily to form stored Web traffic. The computer-implemented process further determines whether the Web traffic is suspicious using a first tier analysis and responsive to a determination that the Web traffic is suspicious, consumes the stored Web traffic using a deep analysis module. The computer-implemented process further determines whether the stored Web traffic is a case of misuse using a second tier analysis and responsive to a determination that the stored Web traffic is a case of misuse, feeding back data about a malicious connection to an intrusion protection system before returning to monitor the Web traffic. | 10-04-2012 |
20120255007 | SYSTEMS AND METHODS FOR MANAGING APPLICATIONS - A system for managing applications. The system includes a first device, a second device, a first interface and a second interface. The first device is responsible for exhibiting and providing the applications to one or more user(s). The second device is responsible for managing the applications which are uploaded by one or more developer(s) who have developed the applications. The first interface is provided for the second device to submit the applications to the first device. The second interface is provided for the first device to transmit at least a report message to the second device. | 10-04-2012 |
20120255008 | Method of Handling Malicious Application in Telco's Application Store System and Related Communication Device - A method of handling a malicious application for a client of a service system is disclosed. The method comprises transmitting a malicious application report message to a storefront of the service system when detecting a malicious application, for reporting the malicious application to the storefront; and receiving a malicious application response message in response to the malicious application report message, wherein the malicious application response message is transmitted by the storefront. | 10-04-2012 |
20120255009 | METHOD AND APPARATUS FOR COMBATING MALICIOUS CODE - A method and apparatus are provided for combating malicious code. In one embodiment, a method for combating malicious code in a network includes implementing a leap-ahead technique to defend against the malicious code reaching a full saturation potential in the network, by sending alert messages to a group of peers, and reselecting the membership of that group from time to time. | 10-04-2012 |
20120260339 | Imposter Prediction Using Historical Interaction Patterns - An approach is provided in which an electronic message is received from a source at a network interface accessible from the information handling system. A source address corresponding to the electronic message is identified, wherein the source address also corresponds to a legitimate source. Current usage patterns are extracted from the received electronic message, and historical usage patterns corresponding to the identified source address are retrieved; the historical usage patterns were previously gathered from messages received from the legitimate source. The extracted current usage patterns and the retrieved historical usage patterns are compared, and a user of the system is notified when the comparison reveals that the source is an imposter. | 10-11-2012 |
20120260340 | METHODS AND APPARATUS FOR DEALING WITH MALWARE - Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote computers and apply rules or heuristics against the data in real time to determine whether or not the object is malware and to communicate the determination to the remote computers. The base computer includes at least one central server in communication with the threat servers and arranged to receive the data about objects from the threat servers to maintain a master database of data received about objects from all threat servers. | 10-11-2012 |
20120260341 | FIREWALLS FOR SECURING CUSTOMER DATA IN A MULTI-TENANT ENVIRONMENT - Network security is enhanced in a multi-tenant database network environment using a query plan detection module to continually poll the database system to locate and raise an alert for suspect query plans. Security also can be enhanced using a firewall system sitting between the application servers and the client systems that records user and organization information for each client request received, compares this with information included in a response from an application server, and verifies that the response is being sent to the appropriate user. Security also can be enhanced using a client-side firewall system with logic executing on the client system that verifies whether a response from an application server is being sent to the appropriate user system by comparing user and organization id information stored at the client with similar information in the response. | 10-11-2012 |
20120266242 | APPARATUS AND METHOD FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACK FROM MOBILE TERMINAL - An apparatus for defending a Distributed Denial of Service (DDoS) attack from a mobile terminal is provided. The apparatus includes a monitoring unit, a transmission/non-transmission inquiry unit, and a critical file management unit. The monitoring unit monitors all network data transmitted from a mobile terminal to the outside based on the current mode of the mobile terminal. The transmission/non-transmission inquiry unit asks a user whether to transmit corresponding network data to the outside based on the results of monitoring. The critical file management unit manages a critical file which includes information about at least one protocol used by the mobile terminal and at least one service provided using the protocol. | 10-18-2012 |
20120272317 | SYSTEM AND METHOD FOR DETECTING INFECTIOUS WEB CONTENT - Systems and methods are disclosed herein for detecting a threat to a computing device. The system includes a server and a computing device in communication with the server and configured to browse the Internet. The server receives data indicating a configuration parameter of the computing device and executes an emulation of the computing device that replicates the configuration parameter. The server also receives data relating to the computing device's browsing behavior and replicates the browsing behavior on the emulation. Upon detecting an undesired modification to the emulation of the computing device caused by the replicated browsing behavior, the server automatically generates and outputs an alert related to the undesired modification and related browsing behavior. | 10-25-2012 |
20120278887 | REPORTING COMPROMISED EMAIL ACCOUNTS - The claimed subject matter provides a method for detecting compromised accounts. The method includes receiving a communication from a sender's account to a recipient. The sender's account is associated with a sender. The method also includes presenting a compromised account reporting interface to the recipient based on specific conditions. Further, the method includes receiving a selection by the recipient indicating the sender's account is compromised. The method also includes determining that the sender's account is compromised based on the selection. Additionally, the method includes generating, in response to a selection by the recipient, a report indicating that the account is compromised. | 11-01-2012 |
20120278888 | GATEWAY AND METHOD FOR AVOIDING ATTACKS - A gateway assigns an IP address included in an address list to a client in a local area network (LAN). The gateway inquires whether the assigned IP address is used by other clients in the LAN. The gateway records a media access control (MAC) address of the client and the assigned IP address in a mapping table when the assigned IP address is not used by the other clients in the LAN. The gateway transmits an address resolution protocol (ARP) request packet to the client, and determines whether an ARP response packet is received from the client. The gateway can determine that the client is an attacker if no ARP response packet is received from the client. | 11-01-2012 |
20120278889 | DETECTING MALICIOUS BEHAVIOUR ON A NETWORK - An intrusion detection device ( | 11-01-2012 |
20120278890 | INTRUSION DETECTION IN COMMUNICATION NETWORKS - An intrusion detection arrangement ( | 11-01-2012 |
20120278891 | METHODS AND APPARATUS FOR DEALING WITH MALWARE - In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object; | 11-01-2012 |
20120284793 | INTRUSION DETECTION USING MDL CLUSTERING - An intrusion detection method, system and computer-readable media are disclosed. The system can include a processor programmed to perform computer network intrusion detection. The intrusion detection can include an identification module and a detection module. The identification module can be adapted to perform semi-supervised machine learning to identify key components of a network attack and develop minimum description length (MDL) models representing those attack components. The detection module can cluster the MDL models and use the clustered MDL models to classify network activity and detect polymorphic or zero-day attacks. | 11-08-2012 |
20120284794 | PEER INTEGRITY CHECKING SYSTEM - A distributed file integrity checking system is described. The described peer integrity checking system (PICS) may negate an attack by storing a properties database amongst nodes of a peer-to-peer network of hosts, some or all of which co-operate to protect and watch over each other. | 11-08-2012 |
20120284795 | METHOD AND SYSTEM FOR REGULATING HOST SECURITY CONFIGURATION - A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period. | 11-08-2012 |
20120291129 | DETECTING WEB BROWSER BASED ATTACKS USING BROWSER DIGEST COMPUTE TESTS LAUNCHED FROM A REMOTE SOURCE - The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken. | 11-15-2012 |
20120291130 | Contextual Alert of an Invasion of a Computer System - Methods, systems, and computer-readable media for providing contextual feedback to a user of a computer system upon detection of an invasion of the computer system are provided herein. An invasion of the computer system is detected and a contextually appropriate alert is selected from a set of alerts. The alert is played immediately upon detection of the invasion so that the user is alerted to the invasion within close temporal proximity to the user's action that resulted in the invasion of the computer system. In addition, details of the invasion are logged to a diagnostic log file for later use by support personnel in repairing the computer system. | 11-15-2012 |
20120297480 | Application revocation - In accordance with an example embodiment of the present invention, there is provided apparatus, including: at least one processor; and at least one memory including executable instructions, the at least one memory and the executable instructions being configured to, in cooperation with the at least one processor, cause the apparatus to perform at least the following: receiving an application revocation request; confirming whether initiating an application revocation process is allowed; generating application revocation data once initiating the application revocation process has been allowed; storing the generated application revocation data to a reputation service network; and providing the generated application revocation data from the reputation service network to one or more revocation clients so that those clients can revoke the application. | 11-22-2012 |
20120297481 | SYSTEMS, METHODS, AND APPARATUS FOR NETWORK INTRUSION DETECTION - Systems, methods, and apparatus for network intrusion detection are provided. A device configured to facilitate intrusion detection may include at least one memory and at least one processor. The at least one memory may be configured to store an application that facilitates inspection of communications received by or transmitted by the device. The at least one processor may be configured to access the at least one memory and execute the application to (i) identify a device type associated with the device; (ii) determine, based at least in part upon the identified device type, a list of acceptable content; (iii) analyze, based at least in part upon the determined list, the content of a communication associated with the device; and (iv) determine, based at least in part upon the analysis, whether the content is acceptable content. | 11-22-2012 |
20120297482 | SYSTEMS, METHODS, AND APPARATUS FOR NETWORK INTRUSION DETECTION - Systems, methods, and apparatus for network intrusion detection are provided. A device configured to facilitate network intrusion detection may include at least one memory and at least one processor. The at least one memory may be configured to store computer-executable instructions. The at least one processor may be configured to access the at least one memory and execute the computer-executable instructions to (i) identify a communication, the communication comprising one of (a) a communication received by the device or (b) a communication generated by the device; (ii) identify a type associated with the communication; (iii) determine, based at least in part upon the identified type, a list of acceptable content for the communication; (iv) analyze, based at least in part upon the determined list, the content of the communication; and (v) determine, based at least in part upon the analysis, whether the content is acceptable content. | 11-22-2012 |
20120297483 | SYSTEMS, METHODS, AND APPARATUS FOR NETWORK INTRUSION DETECTION BASED ON MONITORING NETWORK TRAFFIC - Systems, methods, and apparatus for network intrusion detection are provided. A device may include at least one memory and at least one processor. The at least one memory may be configured to store computer-executable instructions that facilitate traffic inspection of communications received by the device. The at least one processor may be configured to access the at least one memory and execute the computer-executable instructions to (i) identify a communications interface associated with at least one received communication; (ii) determine one or more network traffic parameters associated with a network traffic profile for the communications interface; (iii) evaluate, based at least in part upon the one or more network traffic parameters, the at least one communication received by the device; and (iv) determine, based at least in part upon the evaluation, whether the at least one communication satisfies the traffic profile. | 11-22-2012 |
20120297484 | DETECTING A COMPROMISED ONLINE USER ACCOUNT - One or more techniques and/or systems are disclosed for detecting and/or mitigating a potentially compromised online user account. One or more baselines can be established for a user's online account to determine a normal usage pattern for the account by the user (e.g., frequency of incoming/outgoing emails, text messages, etc.). The online user account can be periodically or continually monitored for use of the same resources used to determine the baseline(s). If a deviation from the baseline is detected, the deviation may be compared against a threshold to determine whether the deviation indicates that the account may be compromised. When an indication of a potentially compromised account is detected, the user can be notified of the indication, so that one or more actions can be taken to mitigate the potentially compromised account. | 11-22-2012 |
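The baseline-and-deviation scheme in the entry above can be made concrete with a small model. The following is an added example, not code from the patent: it builds a per-resource baseline (mean and standard deviation of daily counts) from a constructed 14-day window, scores a monitored day as a z-score per resource, and flags the account when any resource exceeds the threshold. The resource names, the z-score threshold of 3, the floor on the standard deviation and the notification stub are all assumptions made here.

```python
import statistics

# Constructed sample: 14 days of per-resource activity counts for one online
# account, gathered while the account was known to be in its owner's hands.
BASELINE_DAYS = [
    {"sent": 12, "recipients": 8, "logins": 2},
    {"sent": 10, "recipients": 7, "logins": 1},
    {"sent": 15, "recipients": 9, "logins": 3},
    {"sent": 11, "recipients": 6, "logins": 2},
    {"sent": 13, "recipients": 8, "logins": 2},
    {"sent": 9, "recipients": 5, "logins": 1},
    {"sent": 14, "recipients": 10, "logins": 2},
    {"sent": 12, "recipients": 7, "logins": 3},
    {"sent": 10, "recipients": 6, "logins": 2},
    {"sent": 11, "recipients": 8, "logins": 1},
    {"sent": 13, "recipients": 9, "logins": 2},
    {"sent": 12, "recipients": 7, "logins": 2},
    {"sent": 14, "recipients": 9, "logins": 3},
    {"sent": 10, "recipients": 6, "logins": 2},
]


def build_baseline(days, min_sd=1.0):
    """Per-resource (mean, standard deviation) over the baseline window.
    The floor on the standard deviation (assumption) stops a very regular
    resource from flagging on a change of a single unit."""
    baseline = {}
    for resource in days[0]:
        values = [d[resource] for d in days]
        baseline[resource] = (statistics.mean(values),
                              max(statistics.pstdev(values), min_sd))
    return baseline


def deviations(baseline, observed):
    """z-score of each observed count against its baseline."""
    return {r: (observed[r] - mean) / sd for r, (mean, sd) in baseline.items()}


def check_account(baseline, observed, z_threshold=3.0, min_flagged=1):
    """Return (compromised?, flagged resources). Only upward deviations count:
    a quiet day is not evidence of a takeover."""
    z = deviations(baseline, observed)
    flagged = sorted(r for r, v in z.items() if v > z_threshold)
    return len(flagged) >= min_flagged, flagged


def notify(user, flagged):
    # Stand-in for the notification step (assumption: a real system would
    # force re-authentication or send a recovery link out of band).
    return f"{user}: unusual activity on {', '.join(flagged)}; verify your account"


if __name__ == "__main__":
    base = build_baseline(BASELINE_DAYS)
    spam_day = {"sent": 240, "recipients": 230, "logins": 2}  # constructed
    hit, flagged = check_account(base, spam_day)
    if hit:
        print(notify("alice", flagged))
```

Scoring each resource separately is what lets the check say *which* behaviour changed (here outgoing mail and recipient count, while logins stay normal), which is the detail a user or analyst needs to decide on the mitigation.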
20120297485 | INFORMATION PROCESSING DEVICE AND INFORMATION PROCESSING METHOD - To improve the responsiveness of a system call process without compromising safety, an information processing device according to the present invention includes: an application identification unit configured to identify a program being executed in the information processing device by acquiring the application identifier; a caller identification unit configured to identify a caller, indicating the portion of the program from which a program code is called when the identified program calls the program code; a checked-application management unit configured to manage a check result, which is information including the result of a previous check of the safety of executing the identified program; and an attack check determination unit configured to determine, based on the identified caller and the check result, whether a check of the identified program for attack is to be made. | 11-22-2012 |
20120304296 | DETECTING WEB BROWSER BASED ATTACKS USING BROWSER RESPONSE COMPARISON TESTS LAUNCHED FROM A REMOTE SOURCE - The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, it is determined, responsive to receiving an HTTP message sent by a client device and to a policy, that a test should be performed. The test is performed with the client device to determine only whether content intended to be communicated between the HTTP client and the web application server using an HTTP message has been modified by malware on the HTTP client. The test includes the sending of an HTTP response to the HTTP client. The results of the test are analyzed and defensive measures are taken. | 11-29-2012 |
20120304297 | DETECTING MALICIOUS DEVICE - A wireless access point and a method may be provided for detecting a malicious device in a network. The wireless access point may include a controller, a search unit, a message generation unit, and a determination unit. The controller may be configured to initiate a malicious device detection mode regularly at predefined intervals. The search unit may be configured to detect, among neighbor devices in the associated network, candidate devices broadcasting a signal with the first SSID. The message generation unit may be configured to generate a test message in the malicious device detection mode and transmit the test message to the candidate devices. The determination unit may be configured to determine that a candidate device is a malicious device when no test response message is received from that device in response to the test message. | 11-29-2012 |
20120311707 | INTRUSIVE SOFTWARE MANAGEMENT - Intrusion features of a landing page associated with sponsored content are identified. A feature score for the landing page based on the identified intrusion features is generated, and if the feature score for the landing page exceeds a feature threshold, the landing page is classified as a candidate landing page. A sponsor account associated with the candidate landing page can be suspended, or sponsored content associated with the candidate landing page can be suspended. | 12-06-2012 |
20120324575 | System, Method, Program, and Recording Medium for Detecting and Blocking Unwanted Programs in Real Time Based on Process Behavior Analysis and Recording Medium for Storing Program - A system, method and program for detecting and blocking unwanted programs in real time based on process behavior analysis, and a recording medium for storing the program. A security server defines lists of unwanted abnormal actions of a process in advance, detects and counts the abnormal actions that have occurred, collects them, and detects and blocks an unwanted process by matching a program executed on a user terminal against the lists of abnormal actions. | 12-20-2012 |
20120324576 | BLOCKING INTRUSION ATTACKS AT AN OFFENDING HOST - A method, apparatus, and program product are provided for protecting a network from intrusions. An offending packet communicated by an offending host coupled to a protected network is detected. In response to the detection, a blocking instruction is returned to the offending host to initiate an intrusion protection operation on the offending host, where the blocking instruction inhibits further transmission of offending packets by the offending host. At the offending host, a blocking instruction is received with a portion of an offending packet. The offending host verifies that the offending packet originated from the host. In response to the verification of the offending packet originating from the host, an intrusion protection operation is initiated on the host thereby inhibiting transmission of a subsequent outbound offending packet by the host. | 12-20-2012 |
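The part of the entry above that a practitioner should not skip is the verification step: a host that blocks traffic whenever a network device tells it to can be cut off from legitimate peers by anyone who can forge a blocking instruction. The following is an added example, not the patent's code, showing both halves of the exchange in a single process: a network-side detector that matches an outbound packet against a constructed signature and returns an instruction quoting a fragment of that packet, and a host that keeps a bounded history of what it sent and honours the instruction only when the quoted fragment is found in a packet it really sent to that destination. The signature, the message layout and the history size are assumptions.

```python
import re
from collections import deque

# Constructed signature for the network-side detector (assumption: a real
# intrusion-prevention device would use its own rule set).
OFFENDING_PATTERN = re.compile(rb"\x90{16,}|/bin/sh")


class NetworkDetector:
    """Network-side half: spots an offending packet leaving a protected host
    and returns a blocking instruction that quotes part of the packet."""

    def inspect(self, src_ip, dst, packet):
        m = OFFENDING_PATTERN.search(packet)
        if not m:
            return None
        start = max(0, m.start() - 8)
        return {"to": src_ip, "dst": dst, "fragment": packet[start:m.end() + 8]}


class OffendingHost:
    """Host-side half: remembers recent outbound packets so it can verify that
    an instruction refers to something it actually sent before it blocks."""

    def __init__(self, ip, history=1024):
        self.ip = ip
        self.recent = deque(maxlen=history)   # (destination, packet bytes)
        self.blocked = set()                  # destinations now inhibited

    def send(self, dst, packet):
        """Returns False (packet dropped) once a destination is inhibited."""
        if dst in self.blocked:
            return False
        self.recent.append((dst, packet))
        return True

    def handle_blocking_instruction(self, instr, min_fragment=8):
        """Accept only if the instruction is addressed to us and the quoted
        fragment occurs in a packet we sent to that destination. Anything
        else could be a spoofed instruction meant to cut us off."""
        frag = instr["fragment"]
        if instr["to"] != self.ip or len(frag) < min_fragment:
            return False
        if not any(dst == instr["dst"] and frag in pkt for dst, pkt in self.recent):
            return False
        self.blocked.add(instr["dst"])
        return True


if __name__ == "__main__":
    host, detector = OffendingHost("10.0.0.5"), NetworkDetector()
    target = ("10.0.0.9", 80)
    pkt = b"A" * 64 + b"\x90" * 32 + b"/bin/sh"        # constructed offending packet
    host.send(target, pkt)
    instr = detector.inspect("10.0.0.5", target, pkt)
    print("instruction accepted:", host.handle_blocking_instruction(instr))
    print("resend allowed:", host.send(target, pkt))
```

The minimum fragment length matters: a detector that quoted only one or two bytes would let a forged instruction match almost any packet in the history, which would defeat the verification.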
20120331553 | DYNAMIC SIGNATURE CREATION AND ENFORCEMENT - A dynamic signature creation and enforcement system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, simulate transmission of the network data to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature. | 12-27-2012 |
20120331554 | Regex Compiler - A method and corresponding apparatus relate to converting a nondeterministic finite automata (NFA) graph for a given set of patterns to a deterministic finite automata (DFA) graph having a number of states. Each of the DFA states is mapped to one or more states of the NFA graph. A hash value of the one or more states of the NFA graph mapped to each DFA state is computed. A DFA states table correlates each of the number of DFA states to the hash value of the one or more states of the NFA graph for the given pattern. | 12-27-2012 |
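The NFA-to-DFA conversion in the entry above is the classic subset construction, with the twist that the DFA states table is keyed by a hash of the NFA state set. The following is an added example, not the patent's compiler: it builds an unanchored NFA for a set of fixed-string patterns (a deliberate simplification, since the patent compiles regular expressions), runs subset construction with a table keyed by hash of the NFA state set, and then scans text with one table lookup per character. Keeping the state set next to its hash in the table is an addition made here so that a hash collision cannot merge two distinct DFA states; the patterns and inputs are constructed.

```python
from collections import deque

ANY = object()   # transition label meaning "any character" (start-state self-loop)


def build_nfa(patterns):
    """NFA for a set of literal patterns. State 0 loops on any character so a
    match may begin anywhere; each pattern is a chain of states whose last
    state is accepting and tagged with the pattern."""
    trans = {0: {ANY: {0}}}     # state -> {label: set of next states}
    accept = {}                 # accepting state -> pattern
    nxt = 1
    for pat in patterns:
        cur = 0
        for ch in pat:
            trans[cur].setdefault(ch, set()).add(nxt)
            trans[nxt] = {}
            cur, nxt = nxt, nxt + 1
        accept[cur] = pat
    return trans, accept


def nfa_step(trans, states, ch):
    out = set()
    for s in states:
        out |= trans[s].get(ch, set())
        out |= trans[s].get(ANY, set())
    return frozenset(out)


def nfa_to_dfa(trans, accept):
    """Subset construction. Each DFA state corresponds to a set of NFA states;
    the states table maps hash(set) -> [(set, DFA id)] so lookups are by hash
    but a collision is resolved by comparing the sets themselves."""
    alphabet = {ch for t in trans.values() for ch in t if ch is not ANY}
    start = frozenset({0})
    table = {hash(start): [(start, 0)]}
    sets = [start]           # DFA id -> NFA state set
    dfa = [{}]               # DFA id -> {char: DFA id}
    queue = deque([0])
    while queue:
        d = queue.popleft()
        for ch in alphabet:
            target = nfa_step(trans, sets[d], ch)
            bucket = table.setdefault(hash(target), [])
            hit = next((i for s, i in bucket if s == target), None)
            if hit is None:
                hit = len(sets)
                bucket.append((target, hit))
                sets.append(target)
                dfa.append({})
                queue.append(hit)
            dfa[d][ch] = hit
    dfa_accept = {i: sorted(accept[s] for s in st if s in accept)
                  for i, st in enumerate(sets) if any(s in accept for s in st)}
    return dfa, dfa_accept


def scan(dfa, dfa_accept, text):
    """One state lookup per character, no backtracking. Returns
    (end_index, pattern) for every pattern occurrence in text."""
    hits, d = [], 0
    for i, ch in enumerate(text):
        # A character outside the alphabet can only reach the start set {0},
        # which is DFA state 0, so the fallback is exact rather than a guess.
        d = dfa[d].get(ch, 0)
        for pat in dfa_accept.get(d, ()):
            hits.append((i, pat))
    return hits


def compile_patterns(patterns):
    return nfa_to_dfa(*build_nfa(patterns))


if __name__ == "__main__":
    dfa, acc = compile_patterns(["cmd.exe", "/etc/passwd", "eval("])
    print(len(dfa), "DFA states")
    print(scan(dfa, acc, "GET /../../etc/passwd HTTP/1.1"))
```

The table lookup by hash is what keeps construction fast when the NFA is large: comparing a candidate set against every existing DFA state would be quadratic, whereas the hash narrows the comparison to at most a handful of colliding sets.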
20120331555 | Performing A Defensive Procedure In Response To Certain Path Advertisements - In certain embodiments, performing a defensive procedure involves receiving at a first speaker of a first autonomous system a path advertisement from a second speaker of a second autonomous system. The path advertisement advertises a path from the second speaker of the second autonomous system. It is determined whether the second autonomous system is a stub autonomous system and whether a path length of the path is greater than one. If the second autonomous system is a stub and the path length is greater than one, a defensive measure is performed for the path. Otherwise, a default procedure is performed for the path. | 12-27-2012 |
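The rule in the entry above is small enough to show end to end. The following is an added example, not the patent's implementation: given a constructed view of which ASes neighbour which, it treats an AS with at most one neighbour as a stub, measures the advertised path in distinct hops (collapsing AS_PATH prepending, an addition made here so that a stub prepending its own ASN is not penalised), and applies the defensive measure only when a stub advertises a path longer than one. The topology, the AS numbers (from the documentation range) and the names of the two outcomes are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PathAdvertisement:
    sender_as: int      # the second speaker's AS, i.e. the neighbour that sent it
    prefix: str
    as_path: tuple      # AS_PATH as received; leftmost ASN is the sender


# Constructed topology view (assumption): the neighbour set of each AS, as the
# first speaker might learn it from its own sessions plus route-collector data.
ADJACENCY = {
    64496: {64500},                        # single upstream: a stub
    64497: {64500, 64501},                 # multi-homed: not a stub
    64500: {64496, 64497, 64501, 64502},
}


def is_stub(asn, adjacency=ADJACENCY):
    """A stub has at most one neighbouring AS, so it has no business
    re-advertising a path it learned from someone else."""
    return len(adjacency.get(asn, set())) <= 1


def effective_length(as_path):
    """Path length in distinct hops: consecutive repeats (prepending such as
    64496 64496 64496) collapse to a single hop."""
    hops = []
    for asn in as_path:
        if not hops or asn != hops[-1]:
            hops.append(asn)
    return len(hops)


def handle_advertisement(adv, adjacency=ADJACENCY):
    """Returns 'defensive' when a stub advertises a path longer than one hop,
    otherwise 'default'."""
    if is_stub(adv.sender_as, adjacency) and effective_length(adv.as_path) > 1:
        return "defensive"
    return "default"


def process(advertisements, adjacency=ADJACENCY):
    """Apply the procedure: defensive -> the path is logged and not installed;
    default -> it is installed in the routing table (both stand-ins here)."""
    rib, log = {}, []
    for adv in advertisements:
        if handle_advertisement(adv, adjacency) == "defensive":
            log.append(f"rejected {adv.prefix} via {adv.as_path} from stub AS{adv.sender_as}")
        else:
            rib[adv.prefix] = adv.as_path
    return rib, log


if __name__ == "__main__":
    advs = [
        PathAdvertisement(64496, "192.0.2.0/24", (64496,)),
        PathAdvertisement(64496, "198.51.100.0/24", (64496, 64500, 64502)),
    ]
    print(process(advs))
```

Whether an AS is a stub is the fragile input here: a neighbour that has quietly added a second upstream will look like a leaker under a stale adjacency view, so in practice the defensive measure is usually a preference penalty or an alert rather than an outright drop.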
20120331556 | SYSTEM AND METHOD FOR PROTOCOL FINGERPRINTING AND REPUTATION CORRELATION - A method is provided in one example embodiment that includes generating a fingerprint based on properties extracted from data packets received over a network connection and requesting a reputation value based on the fingerprint. A policy action may be taken on the network connection if the reputation value received indicates the fingerprint is associated with malicious activity. The method may additionally include displaying information about protocols based on protocol fingerprints, and more particularly, based on fingerprints of unrecognized protocols. In yet other embodiments, the reputation value may also be based on network addresses associated with the network connection. | 12-27-2012 |
20130014256 | JCVM BYTECODE EXECUTION PROTECTION AGAINST FAULT ATTACKS - The invention relates to a computing device, such as one running a Java Card Virtual Machine (JCVM), comprising means to store and execute bytecodes, the stored bytecodes including a bytecode for calling a method. An attack detection bytecode is placed immediately after the bytecode for calling the method, and when executing bytecode the computing device is set, upon return from the method, to continue execution after the attack detection bytecode, so that under normal control flow the attack detection bytecode is never reached. The invention also relates to a procedure for generating secure bytecode and to an applet development tool. | 01-10-2013 |
20130014257 | LIMITING EXECUTION OF SOFTWARE PROGRAMS - Techniques are disclosed for limiting execution of software programs. For example, a method comprises the following steps. A first set of program code is extracted from a second set of program code. The extracted first set of program code is parsed to generate a parsed structure. The parsed structure generated from the first set of program code is examined for one or more expressions predetermined to be unsafe for execution. The one or more expressions predetermined to be unsafe for execution that are contained in the first set of program code are detected. In one example, the first set of program code may be a script generated with the JavaScript™ scripting language and the second set of program code may be a business process. | 01-10-2013 |
20130019309 | SYSTEMS AND METHODS FOR DETECTING MALICIOUS INSIDERS USING EVENT MODELS (inventors: William Timothy Strayer, West Newton, MA, US; Craig Partridge, East Lansing, MI, US; Alden Warren Jackson, Brookline, MA, US; Stephen Henry Polit, Belmont, MA, US) - Systems and methods are disclosed for determining whether a mission has occurred. The disclosed systems and methods utilize event models that represent a sequence of tasks that an entity could or must take in order to successfully complete the mission. As a specific example, an event model may represent the sequence of tasks a malicious insider may complete in order to exfiltrate sensitive information. Most event models include certain tasks that must be accomplished in order for the insider to successfully exfiltrate an organization's sensitive information. Many of the observable tasks in the event models can be monitored using relatively little information, such as the source, time, and type of the communication. The monitored information is utilized in a traceback search through the event model for occurrences of its tasks, to determine whether the mission that the event model represents occurred. | 01-17-2013 |
20130019310 | DETECTION OF ROGUE SOFTWARE APPLICATIONS (inventors: Yuval Ben-Itzhak, Brno, CZ; Kaspars Osis, Riga, LV; Mike Boz, Foster City, CA, US) - Software applications are analyzed to determine whether they are legitimate, and warnings are provided to users to avoid installation and/or purchase of unnecessary and/or potentially harmful software. The determination compares user-interface characteristics of a software application with visual characteristics of authentic applications to measure to what extent they match (or do not match), or whether the application is attempting to mirror the legitimate application. | 01-17-2013 |
20130019311 | Method and system for handling computer network attacks - A method and apparatus for serving content requests using global and local load balancing techniques is provided. Web site content is cached using two or more point of presences (POPs), wherein each POP has at least one DNS server. Each DNS server is associated with the same anycast IP address. A domain name resolution request is transmitted to the POP in closest network proximity for resolution based on the anycast IP address. Once the domain name resolution request is received at a particular POP, local load balancing techniques are performed to dynamically select the appropriate Web server at the POP for use in resolving the domain name resolution request. Approaches are described for handling bursts of traffic at a particular POP, security, and recovering from the failure of various components of the system. | 01-17-2013 |
20130019312 | Computer Network Defense - A system for training the defense of a computer network. The system includes an enterprise asset subsystem to be defended, which runs an operating system, support services, and application programs. The system also includes a neutral subsystem, in communication with the enterprise asset subsystem, that is used to set up and run at least one exercise scenario and to score the performance of enterprise asset defenders in defending the system against exploits. Exploits are launched by an exploitation subsystem in communication with the enterprise asset subsystem. | 01-17-2013 |
20130024936 | AUDITING A DEVICE - The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration are received. Initialization information is also received. The physical memory is selectively written in accordance with a function. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier. | 01-24-2013 |
20130024937 | Intrusion detection using taint accumulation - A method operable in a computing device adapted for handling security risk can use taint accumulation to detect intrusion. The method can comprise receiving a plurality of taint indicators indicative of potential security risk from a plurality of distinct sources at distinct times, and accumulating the plurality of taint indicators independently using a corresponding plurality of distinct accumulation functions. Security risk can be assessed according to a risk assessment function that is cumulative of the plurality of taint indicators. | 01-24-2013 |
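The entry above separates two things that are easy to conflate: how each source's taint indicators are accumulated (independently, each with its own function) and how the accumulated values are combined into one risk assessment. The following is an added example, not the patent's code: three sources feed one accumulator each, with a decaying sum for network taint, a running maximum for file taint and a saturating count for suspicious system calls, and a weighted sum over the accumulators serves as the cumulative risk function. The source names, accumulation functions, weights, threshold and event stream are all constructed assumptions.

```python
class TaintAccumulator:
    """One accumulator per source. The accumulation function has the shape
    f(previous_value, indicator, t, previous_t) -> new_value."""

    def __init__(self, accumulate, initial=0.0):
        self.accumulate = accumulate
        self.value = initial
        self.last_t = None

    def add(self, t, indicator):
        self.value = self.accumulate(self.value, indicator, t, self.last_t)
        self.last_t = t
        return self.value


def decaying_sum(half_life):
    """Indicators add up but fade with time: a burst of network taint matters,
    the same indicators spread thinly over a long period do not."""
    def f(acc, x, t, last_t):
        if last_t is not None:
            acc *= 0.5 ** ((t - last_t) / half_life)
        return acc + x
    return f


def running_max(acc, x, t, last_t):
    """File taint keeps the worst thing seen: one tainted binary is enough."""
    return max(acc, x)


def saturating_count(cap):
    """Count suspicious system calls, capped so one source cannot dominate."""
    def f(acc, x, t, last_t):
        return min(cap, acc + 1)
    return f


# Weights for the cumulative risk function (assumption: tuning knobs).
WEIGHTS = {"net": 1.0, "file": 2.0, "syscall": 0.5}


def make_accumulators():
    return {
        "net": TaintAccumulator(decaying_sum(half_life=10.0)),
        "file": TaintAccumulator(running_max),
        "syscall": TaintAccumulator(saturating_count(cap=5)),
    }


def assess(accumulators, weights=WEIGHTS):
    """Risk assessment function: cumulative over all sources."""
    return sum(weights[s] * a.value for s, a in accumulators.items())


def run(events, threshold=4.0):
    """events: (time, source, indicator) in time order. Returns the final
    risk score and the time at which it first reached the threshold."""
    accs = make_accumulators()
    crossed_at = None
    for t, source, x in events:
        accs[source].add(t, x)
        if crossed_at is None and assess(accs) >= threshold:
            crossed_at = t
    return assess(accs), crossed_at


# Constructed event stream: three distinct sources reporting at distinct times.
EVENTS = [
    (0, "net", 1.0), (10, "net", 1.0), (10, "file", 0.4),
    (12, "syscall", 1), (12, "syscall", 1), (13, "syscall", 1),
    (20, "net", 1.0), (20, "file", 0.9),
]

if __name__ == "__main__":
    print(run(EVENTS))
```

Keeping the accumulators independent is what makes the scheme tunable: the decay constant for network taint can be changed without touching how file taint is scored, and a noisy source can be capped without muting the others.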
20130024938 | SYSTEM AND METHOD FOR SECURING DATA TO BE PROTECTED OF A PIECE OF EQUIPMENT - A system and method for securing data to be protected of a piece of equipment are provided. The equipment comprises: a space; at least one device for processing the data; a safety module comprising at least one controller connected to at least one memory for sensitive data, the sensitive data giving access to the data; and at least one supervision sensor. The method comprises: transmitting at least one signature through the sensor(s), to the safety module, the signature being based on a signal received by the respective sensor and giving information on the physical condition of the space; comparing in the safety module at least one of the signatures and/or a value inferred from at least one of the signatures with at least one reference value and/or at least one reference signature; limiting access to the data being based on the comparison of at least one of the signatures. | 01-24-2013 |
20130031631 | DETECTION OF UNAUTHORIZED DEVICE ACCESS OR MODIFICATIONS - Devices, methods and products are described that provide for recording an unauthorized event, such as rooting, on an information handling device. One aspect provides a method comprising determining whether at least one unauthorized event has occurred on an information handling device; setting at least one unauthorized event flag stored on the information handling device responsive to an unauthorized event; and allowing external access to the at least one unauthorized event flag. Other embodiments and aspects are also described herein. | 01-31-2013 |
20130031632 | System and Method for Detecting Malicious Content - An intrusion prevention system receives a file, determines that the file does not correspond to an entry of a database, sends a request associated with the file to an intrusion prevention server responsive to that determination, receives a reply from the intrusion prevention server, and, responsive to the reply, provides an indication to a client system that the file includes an exploit. | 01-31-2013 |
20130031633 | System and methods for adaptive model generation for detecting intrusion in computer systems - A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model. A data analysis engine is configured to request data records from the data warehouse according to the predetermined data format and to perform a data processing function on the data records. | 01-31-2013 |
20130036468 | ANTI-PHISHING DOMAIN ADVISOR AND METHOD THEREOF - A method of anti-phishing and domain name protection. The method comprises capturing a system call sent to an operating system of a client by an application requesting an access to an Internet resource; extracting a URL included in the captured system call; capturing a response to the system call sent from operating system to the application; determining if the system call's response includes any one of a domain name system (DNS) error code and fake internet protocol (IP) address; checking the extracted URL against an anti-phishing blacklist to determine if the Internet resource is a malicious website; performing a DNS error correction action if any one of the DNS error code and the fake IP address was detected; and performing an anti-phishing protection action if the internet resource is determined to be a malicious website. | 02-07-2013 |
20130036469 | DETECTING SUSPICIOUS NETWORK ACTIVITY USING FLOW SAMPLING - Methods, media, and computing devices for network security can include receiving flow sampled network traffic from multiple network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Alternatively, a suspicious network activity list can be maintained for flow sampled network traffic having source and destination ports exceptional to the list of approved ports. Alternatively, a network administrator can be alerted when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number. | 02-07-2013 |
20130036470 | CROSS-VM NETWORK FILTERING - A security virtual machine inspects all data traffic between other virtual machines on a virtualization platform in order to prevent an inter-VM attack. Data traffic between the machines is intercepted at the privileged domain and directed to the security virtual machine via a hook mechanism and a shared memory location. The traffic is read by the security machine and analyzed for malicious software. After analysis, the security machine sends back a verdict for each data packet to the privileged machine which then drops each data packet or passes each data packet on to its intended destination. The privileged domain keeps a copy of each packet or relies upon the security machine to send back each packet. The security machine also substitutes legitimate or warning data packets into a malicious data package instead of blocking data packets. The shared memory location is a circular buffer for greater performance. Traffic is intercepted on a single host computer or between host computers. | 02-07-2013 |
20130036471 | System and Method for Rule Matching in a Processor - In one embodiment, a system includes a format block configured to receive a key, at least one rule, and rule formatting information. The rule can have one or more dimensions. The format block can be further configured to extract each of the dimensions from the at least one rule. The system can further include a plurality of dimension matching engines (DMEs). Each DME can be configured to receive the key and a corresponding formatted dimension, and to process the key and the corresponding dimension for returning a match or no match. The system can further include a post-processing block configured to analyze the matches or no matches returned from the DMEs and return a response based on the returned matches or no matches. | 02-07-2013 |
20130042322 | SYSTEM AND METHOD FOR DETERMINING APPLICATION LAYER-BASED SLOW DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK - A technology for defending a Distributed Denial-of-Service (DDoS) attack is provided. A system for determining an application layer-based slow DDoS attack may include a packet collecting unit to collect a packet in a network, a packet parsing unit to extract at least one header field from the collected packet, and a DDoS attack determining unit to determine whether a DDoS attack against the packet is detected, using a session table and a flow table. | 02-14-2013 |
20130042323 | HIGH AVAILABILITY FOR NETWORK SECURITY DEVICES - In one example, a backup intrusion detection and prevention (IDP) device includes one or more network interfaces to receive a state update message from a primary IDP device, wherein the state update message indicates a network session being inspected by the primary IDP device and an identified application-layer protocol for the device, to receive an indication that the primary device has switched over or failed over to the backup device, and to receive a plurality of packets of the network session after receiving the indication, each of the plurality of packets comprising a respective payload including application-layer data, a protocol decoder to detect a beginning of a new transaction from the application-layer data of one of the plurality of packets, and a control unit to statefully process only the application-layer data of the network session that include and follow the beginning of the new transaction. | 02-14-2013 |
20130042324 | SERVER BASED MALWARE SCREENING - An Internet infrastructure is provided to transfer a packet of data between a client device and a source device. The infrastructure consists of a support server that screens the packet for malware codes on behalf of a registered client. In order to scan for malware, the support server contains hardware and/or software modules to perform malware detection and quarantine functions. The modules identify malware bit sequences in the packet(s); the malware bit sequences or the entire contaminated code are quarantined or repaired as appropriate. After identification of malware code (if any), the support server sends warning messages to affected parties, providing information regarding the malware codes that were detected. | 02-14-2013 |
20130047255 | SYSTEM AND METHOD FOR INDIRECT INTERFACE MONITORING AND PLUMB-LINING - A method is provided in one example embodiment that includes monitoring a first interface, monitoring a second interface, and taking a policy action if the second interface is not executed before the first interface. In more particular embodiments, monitoring the second interface may include walking a call stack associated with the first interface. Moreover, a program context for calling code associated with the second interface may be identified and acted upon. | 02-21-2013 |
20130055393 | METHOD AND APPARATUS FOR ENHANCING PRIVACY OF CONTACT INFORMATION IN PROFILE - A mobility technology for strengthening safety for an invasion of privacy caused by leakage of contact information is provided. A privacy protection system may include an acquisition attempt detecting unit to detect an external communication terminal that attempts to acquire contact information included in the profile, and an access controller to provide the detected external communication terminal with a right to use the contact information, and to determine whether the contact information is to be provided. | 02-28-2013 |
20130061322 | Systems and Methods for Detecting Design-Level Attacks Against a Digital Circuit - Systems and methods for detecting design-level attacks against a digital circuit which includes various functional units. A target unit is selected from among the functional units for monitoring and a predictor unit is arranged to receive events before they reach the target unit. A reactor unit is selected from among the functional units of the digital circuit which are arranged to receive events after they pass through the target unit. A monitor unit is arranged to receive predicted event messages from the predictor unit and actual event messages from the reactor unit. The monitor unit is configured to indicate an alarm based on a comparison of the predicted event messages received from the predictor unit and the actual event messages received from the reactor unit. | 03-07-2013 |
20130061323 | SYSTEM AND METHOD FOR PROTECTING AGAINST MALWARE UTILIZING KEY LOGGERS - A software, system and methodology for protecting against malware key logger attacks that utilize, for example, form-grabbing techniques. The application protects the browser from key logging malware attacks, and the loss of critical user confidential information often entered into internet forms for the purpose of buying items or logging into financial institutions. An embodiment of a method for blocking form-grabbing attacks includes the following steps. Upon detecting a form submission event from the browser, and immediately after allowing the data to be properly submitted, the form input fields are cleared of data. The method prevents hook-based key loggers or form-grabbing key loggers from capturing form input data, thereby protecting the user from theft of passwords or credentials. | 03-07-2013 |
20130061324 | SIGNATURE CHECKING USING DETERMINISTIC FINITE STATE MACHINES - The occurrence of false positives and the post-processing of digital streams subjected to examination by a deterministic finite state machine for character strings are reduced by combining location-based pattern matching, e.g. on packet headers, and content-based pattern matching, e.g. on payloads of packets. One scheme allows automatic transition from a header match state into an initial state of a content matching machine. Another scheme is based on a rules graph defining strings of match states and the examination of a list of match states (rather than characters) which have been previously determined, for example by means of header matching and content matching. The latter is also capable of comparing offset and depth values associated with the match states with offset and depth criteria. | 03-07-2013 |
20130067574 | FIGHT-THROUGH NODES FOR SURVIVABLE COMPUTER NETWORK - A survivable network is described in which one or more network devices include enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, and a hypervisor executing on each one of the processing units; and a plurality of virtual machines executing on each of the hypervisors. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication sessions with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines. | 03-14-2013 |
20130067575 | DETECTION OF NETWORK SECURITY BREACHES BASED ON ANALYSIS OF NETWORK RECORD LOGS - Computer program products and methods of inspecting a log of security records in a computer network are provided. The method includes retrieving a log record, processing the log record including deriving a key to a table, determining a data value from information in the log record and adding the data value to a list of data values associated with the key if the data value is unique. One or more entries of the table are evaluated based on predetermined criteria to detect attempted security breaches. | 03-14-2013 |
20130081137 | Simultaneous Determination of a Computer Location and User Identification - An apparatus including an intrusion detection arrangement and a location identification arrangement which ties digital information (i.e. transaction events such as parameters of information, database queries, transaction ranges, etc.) submitted to a computer system with the physical characteristics of the event such as the picture of the person(s) originating the information. | 03-28-2013 |
20130081138 | RESPONDING TO IMPERMISSIBLE BEHAVIOR OF USER DEVICES - A device detects an impermissible behavior by a user device. The device further identifies a rule associated with the impermissible behavior and executes a response to the impermissible behavior based on the rule. The response restricts access of the user device to a service provided by or via a network device. The device also transmits, to the user device, a message that specifies the response. The device also verifies a termination of a cause of the impermissible behavior and restores the access of the user device to the service. | 03-28-2013 |
20130081139 | QUARANTINE NETWORK SYSTEM, SERVER APPARATUS, AND PROGRAM - A quarantine network system | 03-28-2013 |
20130081140 | METHODS AND SYSTEM FOR DETERMINING PERFORMANCE OF FILTERS IN A COMPUTER INTRUSION PREVENTION DETECTION SYSTEM - An intrusion prevention/detection system filter (IPS filter) performance evaluation is provided. The performance evaluation is performed at both the security center and at the customer sites to derive a base confidence score and local confidence scores. Existence of new vulnerability is disclosed and its attributes are used in the generation of new IPS filter or updates. The generated IPS filter is first tested to determine its base confidence score from test confidence attributes prior to deploying it to a customer site. A deep security manager and deep security agent, at the customer site, collect local confidence attributes that are used for determining the local confidence score. The local confidence score and the base confidence score are aggregated to form a global confidence score. The local and global confidence scores are then compared to deployment thresholds to determine whether the IPS filter should be deployed in prevention or detection mode or sent back to the security center for improvement. | 03-28-2013 |
20130081141 | SECURITY THREAT DETECTION ASSOCIATED WITH SECURITY EVENTS AND AN ACTOR CATEGORY MODEL - Security events associated with network devices and an actor category model are stored ( | 03-28-2013 |
20130086680 | SYSTEM AND METHOD FOR COMMUNICATION IN A NETWORK - A method for providing secure communication in an electrical power distribution network includes detecting an enhanced threat level in the electrical power distribution network. A threshold number of different configuration command shadows are received and processed to generate configuration command data. Verified configuration command data is generated by comparing the configuration command data with stored configuration commands, and a verified configuration command related to the verified configuration command data is executed. | 04-04-2013 |
20130086681 | PROACTIVE BROWSER CONTENT ANALYSIS - A protection module operates to analyze threats, at the protocol level (e.g., at the HTML level), by intercepting all requests that a browser engine resident in a computing device sends and receives, and the protection agent completes the requests without the help of the browser engine. The protection module then analyzes and/or modifies the completed data before the browser engine has access to it, to, for example, display it. After performing all of its processing, removing, and/or adding any code as needed, the protection module provides the HTML content to the browser engine, and the browser engine receives responses from the protection agent as if it were speaking to an actual web server, when in fact the browser engine is speaking to an analysis engine of the protection module. | 04-04-2013 |
20130086682 | SYSTEM AND METHOD FOR PREVENTING MALWARE ON A MOBILE COMMUNICATION DEVICE - A server receives from a mobile communication device information about a data object (e.g., application) on the device when the device cannot assess the data object. The server uses the information along with other information stored at the server to assess the data object. Based on the assessment, the device may be permitted to access the data object or the device may not be permitted to access the data object. The other information stored at the server can include data objects known to be bad, data objects known to be good, or both. | 04-04-2013 |
20130091570 | SHORT-RANGE MOBILE HONEYPOT FOR SAMPLING AND TRACKING THREATS - Files received by a mobile device are sampled for malware tracking. The method includes configuring file transfer mechanisms that use short-range communication technology on the mobile device to appear, to other devices, to be open for accepting all attempts to transfer files. The method further comprises intercepting files transferred via the short-range communication technology to the mobile device from another device. The method also comprises quarantining the files transferred to the mobile device and logging identifying information about each of the files quarantined and about the other devices from which each of the files originated. The method further includes providing the logged identifying information for the files received to a security server. The method can also include, responsive to a request from the security server for more information about one of the files, providing a copy of that file to the security server for malware analysis and for updating a reputation system tracking mobile device malware. | 04-11-2013 |
20130091571 | SYSTEMS AND METHODS OF PROCESSING DATA ASSOCIATED WITH DETECTION AND/OR HANDLING OF MALWARE - The present disclosure relates to malware and, more particularly, towards systems and methods of processing information associated with detecting and handling malware. According to certain illustrative implementations, methods of processing malware are disclosed. Moreover, such methods may include one or more of unpacking and/or decrypting malware samples, dynamically analyzing the samples, disassembling and/or reverse engineering the samples, performing static analysis of the samples, determining latent logic execution path information regarding the samples, classifying the samples, and/or providing intelligent report information regarding the samples. | 04-11-2013 |
20130091572 | Systems, methods, and devices for defending a network - Certain exemplary embodiments comprise a method comprising: within a backbone network: for backbone network traffic addressed to a particular target and comprising attack traffic and non-attack traffic, the attack traffic simultaneously carried by the backbone network with the non-attack traffic: redirecting at least a portion of the attack traffic to a scrubbing complex; and allowing at least a portion of the non-attack traffic to continue to the particular target without redirection to the scrubbing complex. | 04-11-2013 |
20130091573 | SYSTEM AND METHOD FOR A DISTRIBUTED APPLICATION OF A NETWORK SECURITY SYSTEM (SDI-SCAM) - A widely distributed security system (SDI-SCAM) that protects computers at individual client locations, but which constantly pools and analyzes information gathered from machines across a network in order to quickly detect patterns consistent with intrusion or attack, singular or coordinated. When a novel method of attack has been detected, the system distributes warnings and potential countermeasures to each individual machine on the network. Such a warning may potentially consist of a probability distribution of the likelihood of an intrusion or attack as well as the relative probabilistic likelihood that such potential intrusion possesses certain characteristics or typologies or even strategic objectives in order to best recommend and/or distribute to each machine the most befitting countermeasure(s) given all presently known particular data and associated predicted probabilistic information regarding the prospective intrusion or attack. If any systems are adversely affected, methods for repairing the damage are shared and redistributed throughout the network. | 04-11-2013 |
20130097704 | Handling Noise in Training Data for Malware Detection - Described systems and methods allow the reduction of noise found in a corpus used for training automatic classifiers for anti-malware applications. Some embodiments target pairs of records, which have opposing labels, e.g. one record labeled as clean/benign, while the other labeled as malware. When two such records are found to be similar, they are identified as noise and are either discarded from the corpus, or relabeled. Two records may be deemed similar when, in a simple case, they share a majority of features, or, in a more sophisticated case, they are sufficiently close in a feature space according to some distance measure. | 04-18-2013 |
20130104230 | System and Method for Detection of Denial of Service Attacks - Systems and methods for detecting a denial of service attack are disclosed. These may include receiving a plurality of web log traces from one of a plurality of web servers; extracting a first set of features from the plurality of web log traces; applying a first machine learning technique to the first set of features; producing a first plurality of user classifications for communication to the web server; extracting a second set of features from the plurality of web log traces; applying a second machine learning technique to the second set of features; producing a second plurality of user classifications for communication to the web server; communicating the first plurality of user classifications to the web server based at least on the plurality of web log traces; and communicating the second plurality of user classifications to the web server based at least on the plurality of web log traces. | 04-25-2013 |
20130104231 | CYBER SECURITY IN AN AUTOMOTIVE NETWORK - Preventing spoofing in an automotive network includes monitoring, by electronic control unit, data packets on a bus in the automotive network. Upon determining, in response to the monitoring, that a data packet is from a source other than the electronic control unit, the preventing spoofing in the automotive network includes generating and transmitting a diagnostic message to at least one module in the automotive network over the bus, the diagnostic message instructing the at least one module to take no action on the data packet. | 04-25-2013 |
20130104232 | APPLIQUE PROVIDING A SECURE DEPLOYMENT ENVIRONMENT (SDE) FOR A WIRELESS COMMUNICATIONS DEVICE - A security appliqué provides a secure deployment environment (SDE) for a wireless communications device. The Security appliqué isolates the security features, requirements, and information security boundaries such that no hardware modifications are required to a wireless communications device. Rather, a security module thin client is provided to the wireless communications device to provide the Secure Deployment Environment (SDE). The wireless communications device is coupled to the security appliqué via the standard connection interface. Through the standard connection interface, the security appliqué provides the SDE for the wireless communications device without implementing modifications to the wireless communications device. | 04-25-2013 |
20130104233 | NETWORK DATA CONTROL DEVICE AND NETWORK DATA CONTROL METHOD FOR CONTROLING NETWORK DATA THAT GENERATES MALICIOUS CODE IN MOBILE EQUIPMENT - Provided are a device and a method of controlling network data induced by a malicious code of a mobile apparatus. Information input by a user through an input unit of a mobile apparatus is analyzed to determine whether or not the network data generated in the mobile apparatus are network data generated in accordance with the user's intention. Network data generated in accordance with the user's intention are transmitted to an external communication network. Network data generated irrespective of the user's intention are considered to be either network data that cause extrusion of the user's personal information, induced by the malicious code residing in the mobile apparatus or by an external attacker, or network data that attack the external communication network, so that transmission of such network data to the external communication network is blocked. | 04-25-2013 |
20130111586 | COMPUTING SECURITY MECHANISM | 05-02-2013 |
20130111587 | Detecting Software Vulnerabilities in an Isolated Computing Environment | 05-02-2013 |
20130111588 | Method and system for detecting intrusive anomalous use of a software system using multiple detection algorithms | 05-02-2013 |
20130111589 | SYSTEM AND METHOD FOR DETECTING ADDRESS RESOLUTION PROTOCOL (ARP) SPOOFING | 05-02-2013 |
20130111590 | METHODS AND SYSTEMS THAT SELECTIVELY RESURRECT BLOCKED COMMUNICATIONS BETWEEN DEVICES | 05-02-2013 |
20130117848 | Systems and Methods for Virtualization and Emulation Assisted Malware Detection - Systems and methods for virtualization and emulation malware enabled detection are described. In some embodiments, a method comprises intercepting an object, instantiating and processing the object in a virtualization environment, tracing operations of the object while processing within the virtualization environment, detecting suspicious behavior associated with the object, instantiating an emulation environment in response to the detected suspicious behavior, processing, recording responses to, and tracing operations of the object within the emulation environment, detecting a divergence between the traced operations of the object within the virtualization environment to the traced operations of the object within the emulation environment, re-instantiating the virtualization environment, providing the recorded response from the emulation environment to the object in the virtualization environment, monitoring the operations of the object within the re-instantiation of the virtualization environment, identifying untrusted actions from the monitored operations, and generating a report regarding the identified untrusted actions of the object. | 05-09-2013 |
20130117849 | Systems and Methods for Virtualized Malware Detection - Systems and methods for virtualized malware enabled detection are described. In some embodiments, a method comprises intercepting an object provided from a first digital device, determining one or more resources the object requires, instantiating a virtual environment with the one or more resources, processing the object within the virtual environment, tainting operations of the object within the virtual environment, monitoring the operations of the object, identifying an additional resource of the object while processing that is not provided in the virtual environment, re-instantiating the virtual environment with the additional resource, monitoring the operations of the object while processing within the re-instantiated virtual environment, identifying untrusted actions from the monitored operations, and generating a report identifying the operations and the untrusted actions of the object. | 05-09-2013 |
20130117850 | System and Method for Bidirectional Trust Between Downloaded Applications and Mobile Devices Including a Secure Charger and Malware Scanner - A system and method are described that will enable mobile smart devices, such as cellular phones, PDAs, iPads, smartphones, mobile payment systems, mobile healthcare systems, handheld law enforcement systems, and other types of tablet devices, to trust downloaded applications and for the downloaded applications to trust the mobile smart devices onto which they are downloaded. The system and method enable charging a mobile smart device and, while charging the mobile smart device, scanning for malware and other viruses in the applications and the operating system on the mobile smart device. | 05-09-2013 |
20130117851 | Automated method and system for monitoring local area computer networks for unauthorized wireless access - The wireless activity in a geographic area containing LAN connection ports is monitored using one or more sensor devices, called sniffers. By analyzing said wireless activity, one or more APs that are operating in said geographic area are identified. The active APs so identified are classified into three categories, namely “authorized” APs (those that are allowed by the network administrator), “unauthorized” APs (those that are not allowed by the network administrator, but are still connected to the LAN of interest) and “external” APs (those that are not allowed by the network administrator but are not connected to the LAN of interest, for example APs connected to a neighbor's LAN), by conducting one or more tests. The sniffers detect any wireless station attempting to connect to or communicating with the one or more identified unauthorized APs. Upon identifying an unauthorized AP and/or an intruding wireless station, an indication is transferred to the prevention process. | 05-09-2013 |
20130117852 | Detecting Emergent Behavior in Communications Networks - Systems and methods of detecting emergent behaviors in communications networks are disclosed. In some embodiments, a method may include decomposing a plurality of data packets into a plurality of component data types associated with a candidate alert representing a potential security threat in a network. The method may also include retrieving, from a database, a count for each of a plurality of historical data types matching at least a subset of the component data types, each of the counts quantifying an amount of data of a corresponding historical data type previously detected in the network in a given time period. The method may further include calculating a score that indicates a discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding historical data type in the same time period, and handling the candidate alert based upon the score. | 05-09-2013 |
20130117853 | METHODS FOR DETECTING MALICIOUS PROGRAMS USING A MULTILAYERED HEURISTICS APPROACH - Three heuristic layers are used to determine whether suspicious code received at a port of a data processing device is malware. First, static analysis is applied to the suspicious code. If the suspicious code passes the static analysis, disassembling analysis is applied to the suspicious code. Preferably, if the suspicious code passes the disassembling analysis, dynamic analysis is applied to the suspicious code. | 05-09-2013 |
20130125237 | OFFLINE EXTRACTION OF CONFIGURATION DATA - A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on other operations that access the configuration database, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests from antimalware programs using cached information without impacting other programs using the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access the configuration database. | 05-16-2013 |
20130133066 | TRANSACTION-BASED INTRUSION DETECTION - Systems and methods are provided for intrusion detection. The systems and methods may include receiving transaction information related to one or more current transactions between a client entity and a resource server, accessing a database storing a plurality of transaction groups, analyzing the received transaction information with respect to information related to at least one of the plurality of transaction groups, and based on said analyzing, determining a possibility of an occurrence of an intrusion act at the resource server. The transaction groups may be formed based on a plurality of past transactions between a plurality of client entities and the resource server. Identity information of a user associated with the one or more current transactions may also be received along with the transaction information. The user may be associated with at least one of the plurality of transaction groups. | 05-23-2013 |
20130133067 | PATTERN MATCHING ENGINE, TERMINAL APPARATUS USING THE SAME, AND METHOD THEREOF - Provided is a pattern matching engine. The pattern matching engine calculates an error detection sign of target data and compares the calculated error detection sign with an error detection sign of a malware pattern DB. When the error detection sign of the target data and the error detection sign of the malware pattern DB are identical to each other, the pattern matching engine compares the target data with the malware pattern. | 05-23-2013 |
20130133068 | METHOD, APPARATUS AND SYSTEM FOR PREVENTING DDOS ATTACKS IN CLOUD SYSTEM - A method, an apparatus and a system for preventing DDoS (Distributed Denial of Service) attacks in a cloud system. The method for preventing DDoS attacks in a cloud system includes: monitoring, by a protection node in a cloud system, data traffic input into virtual machines, where the cloud system includes the protection node and multiple virtual machines, and data streams communicated between the virtual machines pass through the protection node; extracting data streams to be input into virtual machines if it is detected that the data traffic input into the virtual machines is abnormal; sending the extracted data streams to a traffic cleaning apparatus for cleaning; receiving the data streams cleaned by the traffic cleaning apparatus; and inputting the cleaned data streams into the virtual machines. The technical solutions provided in the embodiments of the present disclosure can effectively prevent DDoS attacks between virtual machines in the cloud system. | 05-23-2013 |
20130133069 | SILENT-MODE SIGNATURE TESTING IN ANTI-MALWARE PROCESSING - Method and computer program product for signature testing used in anti-malware processing. Silent signatures, after being tested, are not updated into a white list and are sent directly to users instead. If the silent signature coincides with malware signature, a user is not informed. A checksum (e.g., hash value) of a suspected file is sent to a server, where statistics are kept and analyzed. Based on collected false positive statistics of the silent-signature, the silent-signature is either valid or invalid. Use of the silent signatures provides for effective signature testing and reduces response time to new malware-related threats. The silent signature method is used for turning off a signature upon first false positive occurrence. Use of silent signatures allows improving heuristic algorithms for detection of unknown malware. | 05-23-2013 |
20130133070 | SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device. | 05-23-2013 |
20130133071 | SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - The present invention is a system and method for detecting and preventing attacks and malware on mobile devices such as cell phones, smartphones or PDAs, which are significantly limited in power consumption, computational power, and memory. The invention enables mobile devices to analyze network data, executable data files, and non-executable data files in order to detect and prevent both known and unknown attacks and malware over vectors that are not typically protected by desktop and server security systems. Security analysis is performed by a combination of “known good,” “known bad,” and decision components. The invention identifies known good executables and/or known characteristics of network data or data files that must be present in order for the data to be considered good. Furthermore, known good and known bad identifier databases may be stored on a server which may be queried by a mobile device. | 05-23-2013 |
20130133072 | NETWORK PROTECTION SYSTEM AND METHOD - Systems and methods for protecting at least one client from becoming part of at least one botnet. The system may comprise virtual machines deliberately infected with malicious content and operable to record botnet communications to and from criminal servers. The virtual machines are in communication with a processing unit configured to index data collected. Data related to the prevalence of cyber threats may be presented to users in response to queries. | 05-23-2013 |
20130139260 | Providing a Malware Analysis Using a Secure Malware Detection Process - In certain embodiments, a computer-implemented system comprises a boundary controller and a first malware detection agent. The boundary controller is operable to implement a security boundary between a first computer network environment and a second computer network environment. The second computer network environment has a security classification level that is more restrictive than a security classification level of the first computer network environment. The boundary controller is operable to receive from the first computer network environment a file. The first malware detection agent is positioned in the second computer network environment and is operable to receive via the boundary controller the file and apply a first malware detection process on the file. The first malware detection process is subject to the security classification level of the second computer network environment. | 05-30-2013 |
20130139261 | METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE THROUGH CONTEXTUAL CONVICTIONS - Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, we describe methods, components, and systems that leverage important contextual information from a client system (such as recent history of events on that system) to detect malicious software that might have otherwise gone ignored. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches. | 05-30-2013 |
20130139262 | Taint injection and tracking - An embodiment or embodiments of an electronic device can comprise an input interface and a hardware component coupled to the input interface. The input interface can be operable to receive a plurality of taint indicators corresponding to at least one of a plurality of taints indicative of potential security risk which are injected from at least one of a plurality of resources. The hardware component can be operable to track the plurality of taints. | 05-30-2013 |
20130139263 | SYSTEMS AND METHODS FOR FINGERPRINTING PHYSICAL DEVICES AND DEVICE TYPES BASED ON NETWORK TRAFFIC - Systems and methods for providing device and/or device type fingerprinting based on properties of network traffic originating from a device to be identified. In one implementation, the method includes capturing packets routed through a network at an intermediate node between the originating device to be identified and destination, measuring properties of the captured traffic, including packet inter-arrival time, and generating a signature based on the measured properties that includes identifying information about the hardware and/or software architecture of the device. Various implementations do not require deep packet inspection, do not require a managed device-side client, are protocol and packet payload agnostic, and are effective for MAC or IP-level encrypted streams. Also, various implementations can provide wired-side detection of wireless devices and device types and can detect both previously detected and unknown devices. | 05-30-2013 |
20130145465 | MULTILAYERED DECEPTION FOR INTRUSION DETECTION AND PREVENTION - Concepts and technologies are disclosed herein for multilayered deception for intrusion detection. According to various embodiments of the concepts and technologies disclosed herein, a multilayer deception system includes honey servers, honey files and folders, honey databases, and/or honey computers. A multilayer deception system controller generates honey activity between the honey entities and exposes a honey profile with contact information associated with a honey user. Contact directed at the honey user and/or activity at any of the honey entities can trigger alarms and/or indicate an attack, and can be analyzed to prevent future attacks. | 06-06-2013 |
20130145466 | System And Method For Detecting Malware In Documents - In one embodiment, a method includes identifying, using one or more processors, a plurality of characteristics of a Portable Document Format (PDF) file. The method also includes determining, using the one or more processors, for each of the plurality of characteristics, a score corresponding to the characteristic. In addition, the method includes comparing, using the one or more processors, the determined scores to a first threshold. Based at least on the comparison of the determined scores to the first threshold, the method includes determining, using the one or more processors, that the PDF file is potential malware. | 06-06-2013 |
20130145467 | SYSTEMS AND METHODS FOR DETECTING A SECURITY BREACH IN A COMPUTER SYSTEM - The present invention provides systems and methods for applying hard-real-time capabilities in software to software security. For example, the systems and methods of the present invention allow a programmer to attach a periodic integrity check to an application so that an attack on the application would need to succeed completely within a narrow and unpredictable time window in order to remain undetected. | 06-06-2013 |
20130145468 | SECURITY SYSTEM BASED ON INPUT SHORTCUTS FOR A COMPUTER DEVICE - A method of activating security functions on a computer device, for example a mobile communications device. The computer device includes a device state that may be realized by way of a first user input or a second user input. The method includes designating the first user input to realize the device state as a security rule having an associated security function, detecting realization of the device state, and activating the associated security function if the device state was realized by way of the second user input rather than the first user input. For example, the first user input may be a shortcut input, and the second user input may be a conventional or normal input. | 06-06-2013 |
20130152199 | Decoy Network Technology With Automatic Signature Generation for Intrusion Detection and Intrusion Prevention Systems - Improved methods and systems for decoy networks with automatic signature generation for intrusion detection and intrusion prevention systems. A modular decoy network with front-end monitor/intercept module(s) with a processing back-end that is separate from the protected network. The front-end presents a standard fully functional operating system that is a decoy so that the instigator of an attack is led to believe a connection has been made to the protected network. The front-end includes a hidden sentinel kernel driver that monitors connections to the system and captures attack-identifying information. The captured information is sent to the processing module for report generation, data analysis and generation of an attack signature. The generated attack signature can then be applied to the library of signatures of the intrusion detection system or intrusion prevention system of the protected network to defend against network based attacks including zero-day attacks. | 06-13-2013 |
20130160119 | SYSTEM SECURITY MONITORING - A computing device may receive netflow data that includes information corresponding to network-side activity associated with a target device. The computing device may evaluate the netflow data based on a netflow signature to identify potentially malicious activity. The netflow signature may include information corresponding to two or more network events occurring in a particular order. The computing device may report, to another computing device, that potentially malicious activity, corresponding to the network data, has been detected based on the evaluation of the netflow data. | 06-20-2013 |
20130160120 | PROTECTING END USERS FROM MALWARE USING ADVERTISING VIRTUAL MACHINE - Techniques are disclosed for an AdVM (Advertising Virtual Machine) system, modules, components and methods that provide multiple layers of ad security for end-users. AdVM browsers isolate, monitor and restrict ads in sandboxes. AdVM browsers are configurable to monitor, report abuse and restrict ad performance based on configurable parameters such as system usage, security, privacy, inadvertent clicks, required ad ratings, permissions (whitelisting) and denials (blacklisting). AdVM browser abuse reports are used to generate profiles, whitelists and blacklists for ads, advertisers and other ad participants, which AdVM browsers use to allow or deny ad performances. Publishers assist AdVM browsers with ad detection by declaring ads in content. Ad security is improved by participation of advertisers, ad networks and an ad quality authority in creating trusted or rated ads that can be selected and verified over untrusted or unrated ads. Improving end-user trust in online advertising protects both end-users and legitimate online advertising. | 06-20-2013 |
20130160121 | METHOD AND APPARATUS FOR DETECTING INTRUSIONS IN A COMPUTER SYSTEM - The present invention provides a method and apparatus for detecting intrusions in a processor-based system. One embodiment of the method includes calculating a first checksum from first bits representative of instructions in a block of a program concurrently with executing the instructions. This embodiment of the method also includes issuing a security exception in response to determining that the first checksum differs from a second checksum calculated prior to execution of the block using second bits representative of instructions in the block when the second checksum is calculated. | 06-20-2013 |
20130160122 | TWO-STAGE INTRUSION DETECTION SYSTEM FOR HIGH-SPEED PACKET PROCESSING USING NETWORK PROCESSOR AND METHOD THEREOF - A system and method for detecting network intrusion by using a network processor are provided. The intrusion detection system includes: a first intrusion detector, configured to use a first network processor to perform intrusion detection on layer 3 and layer 4 of a protocol field among information included in a packet header of a packet transmitted to the intrusion detection system, and when no intrusion is detected, classify the packets according to stream and transmit the classified packets to a second intrusion detector; and a second intrusion detector, configured to use a second network processor to perform intrusion detection through deep packet inspection (DPI) for the packet payload of the packets transmitted from the first intrusion detector. Thereby, intrusion detection for high-speed packets can be performed in a network environment. | 06-20-2013 |
20130160123 | Methods, Systems, and Computer Program Products for Mitigating Email Address Harvest Attacks by Positively Acknowledging Email to Invalid Email Addresses - A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold. | 06-20-2013 |
20130167231 | PREDICTIVE SCORING MANAGEMENT SYSTEM FOR APPLICATION BEHAVIOR - A system may be provided that comprises one or more servers to: receive information regarding known epitypes of malness, where the information includes malness scores and behaviors for the known epitypes of malness; store the information regarding the known epitypes of malness; generate rules for a model based on the information regarding the known epitypes of malness; input application data from an application on a device into the model; output a malness score from the model based on the application data; and allow the application and/or the device access to a network when the malness score for the application is below a first threshold level, or block the application and/or the device access to the network when the malness score of the application is above a second threshold level, where the first threshold level is less than the second threshold level. | 06-27-2013 |
20130167232 | EVENT DETECTION/ANOMALY CORRELATION HEURISTICS - A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events. | 06-27-2013 |
20130167233 | SYSTEMS, METHODS, AND MEDIA PROTECTING A DIGITAL DATA PROCESSING DEVICE FROM ATTACK - In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within a virtual environment: receiving at least one attachment to an electronic mail; executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs. | 06-27-2013 |
20130167234 | Method for Processing Messages in a Communication Network Comprising a Plurality of Network Nodes - A method for processing messages in a communication network, wherein messages are transmitted between network nodes of the communication network, which are each combined with test information that is verifiable to determine whether a corresponding message is admissible, where an admissible message leads to a positive test result and an inadmissible message leads to a negative test result. For at least one message that is provided for a respective network node, an action coupled to the message is performed by the respective network node at the time the message is received in the respective network node, without checking the test information combined with the message, wherein, upon execution of the action, the test information is verified by the respective network node and, when the test result is negative, at least one predefined measure is performed. | 06-27-2013 |
20130174256 | NETWORK DEFENSE SYSTEM AND FRAMEWORK FOR DETECTING AND GEOLOCATING BOTNET CYBER ATTACKS - A network defense system is described that provides network sensor infrastructure and a framework for managing and executing advanced cyber security algorithms specialized for detecting highly-distributed, stealth network attacks. In one example, a system includes a data collection and storage subsystem that provides a central repository to store network traffic data received from sensors positioned within geographically separate networks. Cyber defense algorithms analyze the network traffic data and detect centrally-controlled malware that is configured to perform distributed network attacks (“botnet attacks”) from devices within the geographically separate networks. A visualization and decision-making subsystem generates a user interface that presents an electronic map of geographic locations of source devices and target devices of the botnet attacks. The data collection and storage subsystem stores a manifest of parameters for the network traffic data to be analyzed by each of the cyber defense algorithms. | 07-04-2013 |
20130174257 | Active Defense Method on The Basis of Cloud Security - The present invention relates to an active defense method based on cloud security comprising: a client collecting and sending a program behavior launched by a program thereon and/or a program feature of the program launching the program behavior to a server; with respect to the program feature and/or the program behavior sent by the client, the server performing an analysis and comparison in its database, making a determination on the program based on the comparison result, and feeding back to the client; based on the feedback determination result, the client deciding whether to intercept the program behavior, terminate execution of the program and/or clean up the program, and restore the system environment. The invention introduces a cloud security architecture, and employs a behavior feature based on active defense to search and kill a malicious program, thereby ensuring network security. | 07-04-2013 |
20130179969 | Apparatus and Method for Domain Name Resolution - An apparatus and method for enhancing the infrastructure of a network such as the Internet is disclosed. Multiple edge servers and edge caches are provided at the edge of the network so as to cover and monitor all points of presence. The edge servers selectively intercept domain name translation requests generated by downstream clients, coupled to the monitored points of presence, to subscribing Web servers and provide translations which either enhance content delivery services or redirect the requesting client to the edge cache to make its content requests. Further, network traffic monitoring is provided in order to detect malicious or otherwise unauthorized data transmissions. | 07-11-2013 |
20130179970 | Receiving Security Risk Feedback From Linked Contacts Due to a User's System Actions and Behaviors - An approach is provided in receiving risk feedback from a social network. Feedback transmissions are received by a user's system with each of the feedback transmissions being received over a computer network from a social network contact. The received feedback transmissions are analyzed and, based on the analysis, a risky action that was performed by the user is identified. The user performs a risk avoidance measure to counteract the identified risky action. In one embodiment, the risk avoidance measure is reported back to the user's contacts. | 07-11-2013 |
20130179971 | Virtual Machines - A computerized method for detecting a threat by observing multiple behaviors of a computer system in program execution from outside of a host virtual machine, including mapping a portion of physical memory of the system to a forensic virtual machine to determine the presence of a first signature of the threat; and, on the basis of the determination deploying multiple further forensic virtual machines to determine the presence of multiple other signatures of the threat. | 07-11-2013 |
20130185795 | METHODS AND SYSTEMS FOR PROVIDING NETWORK PROTECTION BY PROGRESSIVE DEGRADATION OF SERVICE - Systems and methods are provided for protecting a defense with a self defending intrusion system. Data packets may be monitored to detect a pattern of activity indicating a potential attack. Upon detection of a threat, a countermeasure or progressive degradation of network services may be initiated on a selected basis so as to controllably reduce performance of data communication of the device. | 07-18-2013 |
20130185796 | METHOD AND APPARATUS FOR SECURE AND RELIABLE COMPUTING - In one embodiment, the invention is a method and apparatus for secure and reliable computing. One embodiment of an end-to-end security system for protecting a computing system includes a processor interface coupled to at least one of an application processor and an accelerator of the computing system, for receiving requests from the at least one of the application processor and the accelerator, a security processor integrating at least one embedded storage unit and connected to the processor interface with a tightly coupled memory unit for performing at least one of: authenticating, managing, monitoring, and processing the requests, and a data interface for communicating with a display, a network, and at least one embedded storage unit for securely holding at least one of data and programs used by the at least one of the application processor and the accelerator. | 07-18-2013 |
20130185797 | WHITELIST-BASED INSPECTION METHOD FOR MALICIOUS PROCESS - A method of detecting a malware based on a white list comprises: receiving on a server side a program feature and/or a program behavior of a program to be detected sent from a client side; comparing the program feature and/or the program behavior of the detected program with legitimate program features and/or legitimate program behaviors stored in a white list; obtaining a legitimacy information of the unknown program based on the comparison result and feeding this back to the client side. In the invention, a legitimate program is determined by using a white list, thereby determining an illegitimate program excluded from the white list as a malware, which performs a determination and detecting and removing of a malware from another perspective. | 07-18-2013 |
20130191915 | METHOD AND SYSTEM FOR DETECTING DGA-BASED MALWARE - System and method for detecting a domain generation algorithm (DGA), comprising: performing processing associated with clustering, utilizing a name-based features clustering module accessing information from an electronic database of NX domain information, the randomly generated domain names based on the similarity in the make-up of the randomly generated domain names; performing processing associated with clustering, utilizing a graph clustering module, the randomly generated domain names based on the groups of assets that queried the randomly generated domain names; performing processing associated with determining, utilizing a daily clustering correlation module and a temporal clustering correlation module, which clustered randomly generated domain names are highly correlated in daily use and in time; and performing processing associated with determining the DGA that generated the clustered randomly generated domain names. | 07-25-2013 |
20130191916 | DEVICE AND METHOD FOR DATA MATCHING AND DEVICE AND METHOD FOR NETWORK INTRUSION DETECTION - The present invention discloses a device and method for data matching and a device and method for network intrusion detection. The method for data matching includes: searching in a regular expression set one or more complex regular expressions causing a sharp increase in number of states generated based on a regular expression during interaction; constructing a corresponding simplified expression for each complex regular expression; compiling a simplified state machine; compiling one or more substate machines, wherein each of the one or more substate machines is compiled based on a corresponding one of the one or more complex regular expressions; and matching data based on the simplified state machine and the one or more substate machines. The present invention further discloses a device for data matching employing the method for data matching and a device and method for intrusion detection employing the device and method for data matching. | 07-25-2013 |
20130191917 | PATTERN DETECTION - Data is moved through a pipeline as processing of the data unrelated to detection of the pattern is performed. The detector detects the pattern within the data at a predetermined location or based on a predetermined reference as the data is moved through the pipeline, in parallel with the processing of the data as the data is moved through the pipeline. The detector detects the pattern within the data as the data is moved through the pipeline without delaying movement of the data into, through, and out of the pipeline. | 07-25-2013 |
20130198841 | Malware Classification for Unknown Executable Files - Devices, methods and instructions encoded on computer readable medium are provided herein for implementation of classification techniques in order to determine if an unknown executable file is malware. In accordance with one example method, an unknown executable file comprising a sequence of operation codes (opcodes) is received. Based on the operation codes of the unknown executable, a subset of executable files in a training set is identified in which each of the files in the subset have the same beginning sequence of operation codes as the unknown executable. After the subset is identified, a feature set extracted from the unknown executable file is compared to one or more feature sets extracted from each of executable files in the identified subset. A determination is made, based on the feature set comparison, whether the unknown executable file is malware. | 08-01-2013 |
20130198842 | METHOD FOR DETECTING A MALWARE - System and method for determining, by a security application, whether an examined software code is a malware, according to which the system detects whenever the examined process code performs system calls and further detects a call site. Pieces of code in the surrounding area of the site and/or in branches related to the site are analyzed and the properties of the analyzed pieces of code are compared with a predefined software code patterns, for determining whether the examined process code corresponds to one of the predefined software code patterns. Then the examined process code is classified according to the comparison results. | 08-01-2013 |
20130205392 | METHOD AND SYSTEM FOR CONTENT DISTRIBUTION NETWORK SECURITY - A content delivery system includes an upload module, a content delivery module, and a monitoring module. The upload module is configured to receive content from a content provider, detect content containing malicious software or proprietary information, and provide information about the content to a monitoring module. The content delivery module is configured to detect content containing malicious software or unauthorized changes, detect operational changes to the content delivery module, provide information about the content and the operational changes to the monitoring module, receive a request for the content from a client system, and provide the content to the client system. The monitoring module is configured to monitor a network for potentially malicious traffic, receive information from the content delivery module and the upload module, correlate the information and the potentially malicious traffic to identify a security event, and trigger a response to the security event. | 08-08-2013 |
20130205393 | Increasing Availability of an Industrial Control System - A mechanism is provided to improve the availability of an ICS and an external system that uses data from the ICS by ensuring operation of the ICS and operation of the system even if an anomaly has occurred in a device in the ICS. The mechanism receives measured data from the plurality of devices, calculates prediction data by using the measured data and correlation information used for deriving prediction data for correlated devices, and provides the measured data and the prediction data. | 08-08-2013 |
20130205394 | Threat Detection in a Data Processing System - A mechanism is provided for resolving a detected threat. A request is received from a requester to form a received request, statistics associated with the received request are extracted to form extracted statistics, rules validation is performed for the received request using the extracted statistics, and a determination is made as to whether the request is a threat. Responsive to a determination that the request is a threat, the requester is escalated using escalation increments, where the using escalation increments further comprises increasing user identity and validation requirements through one of percolate to a next user level or direct entry to a user level. | 08-08-2013 |
20130212680 | METHODS AND SYSTEMS FOR PROTECTING NETWORK DEVICES FROM INTRUSION - Methods and systems for protecting a computing device to ensure network security are provided. In particular, one or more blacklists may be maintained by an Intrusion Protection System (IPS) for a computing device. Such blacklists may include information such as network addresses of suspected or confirmed rogue entities that pose threat to the security of the computing device. In an embodiment, the blacklists are dynamically updated (e.g., purged) when a network-related change is detected indicating, for example, that the computing device is moving from one network location to another. In some embodiments, one or more blacklists may each correspond to a communication channel, application, process or the like. In some embodiments, only selected blacklists are updated, such as those that are rendered stale or inapplicable by the detected network changes. | 08-15-2013 |
20130212681 | Security Monitoring System and Security Monitoring Method - The objective of the present invention is to provide a security monitoring system and a security monitoring method which is capable of a quick operation when an unauthorized access, a malicious program, and the like are detected, while the normal operation of the control system is not interrupted by an erroneous detection. The security monitoring system | 08-15-2013 |
20130219497 | NETWORK INTRUSION DETECTION IN A NETWORK THAT INCLUDES A DISTRIBUTED VIRTUAL SWITCH FABRIC - A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security. | 08-22-2013 |
20130219498 | MOBILE TERMINAL HAVING SECURITY DIAGNOSIS FUNCTIONALITY AND METHOD OF MAKING DIAGNOSIS ON SECURITY OF MOBILE TERMINAL - A mobile terminal having security diagnosis functionality and a method of making a diagnosis on the security of the mobile terminal are provided. The mobile terminal includes a system check unit, an interface unit, a blacklist check unit, and a security diagnosis unit. The system check unit collects the basic information of the mobile terminal by performing a system check on the mobile terminal. The interface unit provides the basic information of the mobile terminal to a user and receives a control command from the user. The blacklist check unit checks whether at least one application installed in the mobile terminal is present in a blacklist registered on a server. The security diagnosis unit checks whether an abnormality has occurred in the corresponding application based on results of the comparison between the basic information of the mobile terminal with preset abnormality detection reference information and the control command. | 08-22-2013 |
20130219499 | APPARATUS AND METHOD FOR PROVIDING SECURITY FOR VIRTUALIZATION - Provided is a security providing method based on a security breach in a security providing apparatus in which a physical device is virtualized so that a virtual machine monitor operates and is capable of working in a main domain and one or more sub domains. The method includes repairing sub domains experiencing security breaches; and updating security modules of the sub domains. | 08-22-2013 |
20130219500 | NETWORK INTRUSION DETECTION IN A NETWORK THAT INCLUDES A DISTRIBUTED VIRTUAL SWITCH FABRIC - A network intrusion detection system (NIDS) works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions. The result is a NIDS that is easier to configure, maintain, and use, and that provides enhanced network security. | 08-22-2013 |
20130219501 | MALICIOUS CODE REAL-TIME INSPECTING DEVICE IN A DRM ENVIRONMENT AND RECORDING MEDIUM FOR RECORDING A PROGRAM TO EXECUTE A METHOD THEREOF - Disclosed are a malicious code real-time inspecting device in a DRM environment and a recording medium for recording a program to execute a method thereof. A DRM module performs decryption and encryption during file reading/writing operations through a handle after confirming user rights relating to a file on the basis of a handle of a file having DRM applied when an execute command is inputted, outputs an inspection request message including a handle and a path of a file, and determines whether to perform an open operation of a file according to a malicious code inspection result on a file. A malicious code inspecting module inspects whether an original file, which is to be decrypted and read by the DRM module, is infected by malicious code or not on the basis of a handle and a path of a file in an inspection request message delivered from an interface module. According to the present invention, whether a document encrypted with DRM applied is infected by malicious code is inspected and treated in real-time. | 08-22-2013 |
20130219502 | MANAGING A DDOS ATTACK - A method, system, and/or computer program product manages a distributed denial of service attack in a multiprocessor environment. A determination is made of (a) a first upper threshold for a normal number of packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the packets from the multiprocessor environment to a single destination address compared to the packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of packets from the multiprocessor environment to a single port at a single destination address compared to packets from the multiprocessor environment to the multiple destination addresses. In response to the first and second thresholds being exceeded, a specific port is monitored to determine if the third upper threshold is being exceeded at that port, thus indicating an apparent distributed denial of service attack. | 08-22-2013 |
20130227687 | MOBILE TERMINAL TO DETECT NETWORK ATTACK AND METHOD THEREOF - A method for detecting a network attack in a wireless terminal, including storing, in a pattern database (DB), information about an attack pattern that is determined using a plurality of control bits indicating a type of a socket data packet, receiving a socket data packet of a target selected to be accessed through a wireless communication interface, identifying the at least one socket data packet received, generating a socket access history by extracting the plurality of control bits indicating the type of the socket data packet using the at least one socket data packet identified, and determining whether a network is under attack, using the pattern DB and the socket access history. | 08-29-2013 |
20130227688 | METHOD AND APPARATUS FOR DETECTING TAMPERED APPLICATION - A method and an apparatus for detecting a tampered application are provided. The method of detecting a tampered application includes acquiring a package of an application, extracting and installing a first execution code from the acquired package of the application, extracting a second execution code from the package of the application when an execution command of the application is received after the first execution code is installed, and performing a preset operation when the second execution code differs from the first execution code. | 08-29-2013 |
20130227689 | METHOD AND SYSTEM FOR PACKET ACQUISITION, ANALYSIS AND INTRUSION DETECTION IN FIELD AREA NETWORKS - A system for intrusion detection in a field area network where data is transmitted via packets includes a processor for analyzing the packets to ascertain whether the packets conform to sets of rules indicating an intrusion, and a database for storing an alert indicating an intrusion if the packets conform to at least one rule in the sets. The sets of rules are for field network layer data, internet protocol traffic data and field area application traffic data. A method for detecting intrusion in a field area network where data is transmitted via packets includes analyzing the packets to ascertain whether the packets conform to the sets of rules, and storing an alert indicating an intrusion if the packets conform to at least one rule in the sets of rules. | 08-29-2013 |
20130227690 | PROGRAM ANALYSIS SYSTEM AND METHOD THEREOF - A program analysis system that analyzes a program while adjusting time elapse velocity in program execution environment sets analysis conditions such as time elapse velocity in the execution environment, program execution start time and execution termination time, adjusts the time elapse velocity and the program execution start time according to the determination of an analysis manager, executes the program till the execution termination time, monitors the execution environment, acquires an action record of the program, analyzes the action record, and clarifies the behavior of the program. Further, the program analysis system resets the analysis conditions based upon a result of analysis, re-analyzes, monitors communication between a sample and an external terminal, and varies the time elapse velocity set by the analysis manager to prevent time-out from occurring in communication. | 08-29-2013 |
20130239213 | METHODS AND SYSTEMS FOR FULL PATTERN MATCHING IN HARDWARE - According to an example, an intrusion-prevention system may include a network interface to receive a subject data word via a network. The intrusion-prevention system may include hardware to determine whether the subject data word partially matches a signature data pattern, and determine whether the subject data word fully matches the signature data pattern if the subject data word partially matches the signature data pattern. | 09-12-2013 |
20130247189 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REACTING IN RESPONSE TO A DETECTION OF AN ATTEMPT TO STORE A CONFIGURATION FILE AND AN EXECUTABLE FILE ON A REMOVABLE DEVICE - A system, method, and computer program product are provided for reacting in response to a detection of an attempt to store a configuration file and an executable file on a removable device. In use, a first device removably coupled to a second device is identified. Additionally, an attempt to store on the first device a configuration file for the first device and an executable file is detected. Further, a reaction is performed in response to the detection of the attempt. | 09-19-2013 |
20130247190 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR UTILIZING A DATA STRUCTURE INCLUDING EVENT RELATIONSHIPS TO DETECT UNWANTED ACTIVITY - A system, method, and computer program product are provided for utilizing a data structure including event relationships to detect unwanted activity. In use, a plurality of events is identified. Additionally, a data structure including objects associated with the plurality of events and relationships associated with the plurality of events is generated. Further, unwanted activity is detected utilizing the data structure. | 09-19-2013 |
20130247191 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PERFORMING A REMEDIAL ACTION WITH RESPECT TO A FIRST DEVICE UTILIZING A SECOND DEVICE - A system, method, and computer program product are provided for performing a remedial action with respect to a first device utilizing a second device. In use, data is received from a first device at a second device via a network. Additionally, it is determined whether the data is unwanted, utilizing the second device. Furthermore, a remedial action is performed utilizing the second device at least partially blocking the first device from accessing the network, based on the determination. | 09-19-2013 |
20130247192 | SYSTEM AND METHOD FOR BOTNET DETECTION BY COMPREHENSIVE EMAIL BEHAVIORAL ANALYSIS - A method is provided in one example embodiment that includes receiving message sender traits associated with email senders, and receiving a dataset of known malware identifiers and network addresses from a spamtrap. The message sender traits may include behavior features and/or content resemblance factors in various embodiments. The method further includes classifying the email senders as malicious or benign based on the behavior features, and further classifying the malicious senders by malware identifiers based on similarity of content resemblance factors and the dataset of known malware identifiers and network addresses. In certain specific embodiments, a supervised classifier, such as a support vector machine, may be used to classify the malicious senders by malware identifiers. | 09-19-2013 |
20130247193 | SYSTEM AND METHOD FOR REMOVAL OF MALICIOUS SOFTWARE FROM COMPUTER SYSTEMS AND MANAGEMENT OF TREATMENT SIDE-EFFECTS - Removing malware from a computer system. An inspection module obtains an inspection log representing operational history of the operating system and the application programs of the computer system. The inspection log is analyzed to detect a presence of any malware on the computer system. A treatment scenario is generated that defines a plurality of actions to be executed for removing any malware present on the computer system, as detected in the analyzing. The treatment scenario is generated based on the information contained in the inspection log and on a knowledge base of malware removal rules. The generated treatment scenario is evaluated to assess the actions defined in the generated treatment scenario that are associated with a risk of damaging the operating system or the application programs of the computer system. A modified treatment scenario can be created to reduce the risk in response to an assessment of the risk. | 09-19-2013 |
20130247194 | SECURING MEDICAL DEVICES THROUGH WIRELESS MONITORING AND ANOMALY DETECTION - A medical device monitor (MedMon), method and computer readable medium are disclosed. The MedMon is configured to operate in a system having communications between a first medical device associated with a patient and a second device. The MedMon includes a receiver configured to snoop on communications between the first medical device and second device. An anomaly detector having a set of security policies is configured to detect an anomaly by analyzing the communications between the first medical device and second device for compliance with the security policies. A response generator is configured to generate a response on a condition that an anomaly is detected. The response may be a warning message configured to warn the patient. The MedMon may include a transmitter configured to transmit the response. The response may be a jamming signal configured to disrupt communications between the first medical device and second device. | 09-19-2013 |
20130247195 | OUTPUT CONTROL APPARATUS, COMPUTER-READABLE MEDIUM FOR STORING PROGRAM FOR OUTPUT CONTROL APPARATUS, OUTPUT CONTROL METHOD, AND OUTPUT CONTROL SYSTEM - Provided is an output section that outputs data to outside; a condition storage section that stores an abnormal condition showing at least one of a characteristic of data to be outputted from the output section by means of malicious software and a characteristic of an operational pattern of the output section that results when the malicious software outputs data; and an output control section that prohibits output of data when at least one of a characteristic of data to be outputted from the output section and a characteristic of an operational pattern of the output section satisfies the abnormal condition. | 09-19-2013 |
20130247196 | SYSTEM AND METHOD FOR DETECTION OF NON-COMPLIANT SOFTWARE INSTALLATION - A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device. | 09-19-2013 |
20130254885 | SYSTEM AND METHOD FOR DETECTING POTENTIAL THREATS BY MONITORING USER AND SYSTEM BEHAVIOR ASSOCIATED WITH COMPUTER AND NETWORK ACTIVITY - A system and method is provided to monitor user and system behavior associated with computer and network activity to determine deviations from normal behavior that represent a potential cyber threat or cyber malicious activity. The system and method uses a multi-factor behavioral and activity analysis approach to determine when a trusted insider might be exhibiting threatening behavior or when a user's computer or network credentials have been compromised and are in use by a third-party. As a result, changes in insider behavior that could be indicative of malicious intent can be detected, or an external entity masquerading as a legitimate user can be detected. | 09-26-2013 |
20130254886 | Mitigating Low-Rate Denial-Of-Service Attacks in Packet-Switched Networks - A method includes determining, at a network routing device, an average packet drop rate for a plurality of aggregations of packet flows. The method also determines a threshold packet drop rate based on the average packet drop rate, a current packet drop rate for a select aggregation of the plurality of aggregations, and whether at least one packet flow of the select aggregation is potentially subject to a denial-of-service attack based on a comparison of the current packet drop rate to the threshold packet drop rate. | 09-26-2013 |
20130254887 | Prefix Hijacking Detection Device and Methods Thereof - A method of placing prefix hijacking detection modules in a communications network includes selecting a set of candidate locations. For each candidate location, a detection coverage ratio with respect to a target Autonomous System is calculated. Based on the relative size of the coverage ratios, proposed locations for the prefix hijacking detection modules are determined. | 09-26-2013 |
20130254888 | SYSTEM AND METHOD FOR IDENTIFYING SECURITY BREACH ATTEMPT OF A WEBSITE - The present invention is a method, circuit and system for detecting, reporting and preventing an attempted security breach of a commercial website (for example a banking website), such as identity theft, website duplication (mirroring/Phishing), MITB (man in the browser) attacks, MITM (man in the middle) attacks and so on. | 09-26-2013 |
20130254889 | Server-Side Restricted Software Compliance - Server-side restricted software compliance may be provided. An application installed on a user device may be identified and analyzed to determine whether the application comprises a security threat by comparing the application to a copy of the application. In response to determining that the application comprises a security threat, a user of the user device may be notified that the application comprises a security threat. | 09-26-2013 |
20130254890 | Method, System and Program Product for Optimizing Emulation of a Suspected Malware - A method, system and program product for optimizing emulation of a suspected malware. The method includes identifying, using an emulation optimizer tool, whether an instruction in a suspected malware being emulated by an emulation engine in a virtual environment signifies a long loop and, if so, generating a first hash for the loop. Further, the method includes ascertaining whether the first hash generated matches any long loop entries in a storage and, if so, calculating a second hash for the long loop. Furthermore, the method includes inspecting any long loop entries ascertained to find an entry having a respective second hash matching the second hash calculated. If an entry matching the second hash calculated is found, the method further includes updating one or more states of the emulation engine such that execution of the long loop of the suspected malware is skipped, which optimizes emulation of the suspected malware. | 09-26-2013 |
20130254891 | COMPUTER SYSTEM, CONTROLLER AND NETWORK MONITORING METHOD - The computer system includes: a controller; a switch configured to perform, on a received packet complying with a flow entry set by the controller, a relay operation regulated by the flow entry; and a host terminal configured to be connected to the switch. The switch notifies the controller of transmission source address information of a received packet which does not comply with a flow entry set for itself. The controller judges, when legal address information of a host terminal does not coincide with the transmission source address information, that a transmission source address of the received packet is spoofed. | 09-26-2013 |
20130263264 | DETECTION OF PHISHING ATTEMPTS - A method for alerting a service provider and/or a user of a web browser of a phishing attempt comprises providing on a page that it is desired to protect against phishing, a Javascript that when caused by a phishing page to run not in the context of the original page generates an indication that a phishing attempt may exist. | 10-03-2013 |
20130263265 | SYSTEMS AND METHODS FOR USING PROPERTY TABLES TO PERFORM NON-ITERATIVE MALWARE SCANS - A computer-implemented method for using property tables to perform non-iterative malware scans may include (1) obtaining at least one malware signature from a security software provider that identifies at least one property value for an item of malware, (2) accessing a property table for a computing device that identifies property values shared by one or more application packages installed on the computing device and, for each property value, each application package that shares the property value in question, and (3) determining, by comparing each property value identified in the malware signature with the property table, whether any of the application packages match the malware signature without having to iterate through the individual property values of each application package. Various other methods, systems, and computer-readable media are also disclosed. | 10-03-2013 |
20130263266 | SYSTEMS AND METHODS FOR AUTOMATED MALWARE ARTIFACT RETRIEVAL AND ANALYSIS - An automated malware analysis method is disclosed which can perform receiving a first universal resource locator identifying a first intermediate network node, accessing the first intermediate network node to retrieve a first malware artifact file, storing the malware artifact file in a data storage device, analyzing the malware artifact file to identify a second universal resource locator within the malware artifact file, and accessing a second intermediate network node to retrieve a second malware artifact file. | 10-03-2013 |
20130263267 | METHODS, COMPUTER PROGRAM PRODUCTS AND DATA STRUCTURES FOR INTRUSION DETECTION, INTRUSION RESPONSE AND VULNERABILITY REMEDIATION ACROSS TARGET COMPUTER SYSTEMS - Computer security threat management information is generated by receiving a notification of a security threat and/or a notification of a test that detects intrusion of a computer security threat. A computer-actionable TMV is generated from the notification that was received. The TMV includes a computer-readable field that provides identification of at least one system type that is affected by the computer security threat, a computer-readable field that provides identification of a release level for a system type, a computer-readable field that provides identification of the test that detects intrusion of the computer security threat for a system type and a release level, a computer-readable field that provides identification of a method to reverse the intrusion exploit of the computer security threat for a system type and a release level, and a computer-readable field that provides identification of a method to remediate the vulnerability subject to exploit of the computer security threat for a system type and a release level. The TMV is transmitted to target systems for processing by the target systems. | 10-03-2013 |
20130263268 | METHOD FOR BLOCKING A DENIAL-OF-SERVICE ATTACK - A server receives a first echo request message which complies with an Internet control message protocol, extracts filtering information from header information of the received first echo request message, and when a second echo request message which complies with the Internet control message protocol is received, compares header information of the received second echo request message and the extracted filtering information so as to determine whether to block an attacking packet for the received second echo request message. According to the present invention, the server blocks the attacking packet using the Internet control message protocol, thereby blocking a denial-of-service attack. | 10-03-2013 |
20130269032 | Detecting Network Intrusion Using a Decoy Cryptographic Key - Systems and methods for detecting intrusion into a data network are disclosed. Such intrusion can be detected, for example, by providing at least two network devices in a data network. Each of the network devices has a decoy cryptographic key that is used to detect unauthorized data and an authentic cryptographic key that is used to encrypt authorized data. The first network device receives data from the second network device that is encrypted using the decoy cryptographic key. The first network device determines that the data is encrypted using the decoy cryptographic key. The first network device deletes or otherwise discards the data encrypted using the decoy cryptographic key. The first network device can generate an alert message instructing other network devices that the second network device is generating the unauthorized data. The alert message also instructs the other network devices to ignore data originating from the second network device. | 10-10-2013 |
20130269033 | METHOD AND SYSTEM FOR CLASSIFYING TRAFFIC - A method and system for classifying traffic in a communication network. The method comprises the steps of: capturing IP packets ( | 10-10-2013 |
20130276109 | System, method and computer program product for detecting activity in association with program resources that has at least a potential of an unwanted effect on the program - A system, method and computer program product are provided. In use, at least one resource utilized by a program is monitored. In addition, activity in association with the at least one resource that has at least a potential of an unwanted effect on the program is detected. Further, a reaction is performed in response to detecting the activity to prevent the unwanted effect. | 10-17-2013 |
20130276110 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETECTING AT LEAST POTENTIALLY UNWANTED ACTIVITY BASED ON EXECUTION PROFILE MONITORING - A system, method, and computer program product are provided for detecting at least potentially unwanted activity based on execution profile monitoring. In use, an execution profile of code is monitored utilizing call frame monitoring. Further, at least potentially unwanted activity is detected based on the monitoring of the execution profile. | 10-17-2013 |
20130276111 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PROVIDING AT LEAST ONE STATISTIC ASSOCIATED WITH A POTENTIALLY UNWANTED ACTIVITY TO A USER - A system, method, and computer program product provide at least one statistic associated with a potentially unwanted activity to a user. In use, a potentially unwanted activity is identified. Further, at least one statistic associated with at least one characteristic of the potentially unwanted activity is determined. Additionally, the at least one statistic is provided to a user. | 10-17-2013 |
20130276112 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DYNAMICALLY ADJUSTING A LEVEL OF SECURITY APPLIED TO A SYSTEM - A system, method, and computer program product are provided for dynamically adjusting a level of security applied to a system. In use, predetermined activity that is at least potentially associated with unwanted activity is identified on a system. Further, a level of security applied to the system is dynamically adjusted, in response to the identification of the predetermined activity. | 10-17-2013 |
20130276113 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR REMOVING MALWARE FROM A SYSTEM WHILE THE SYSTEM IS OFFLINE - A system, method, and computer program product are provided for removing malware from a system while the system is offline. In use, a system is identified as being infected with malware. Additionally, it is determined whether the malware can be fully removed from the system while the system is online. Further, at least part of the malware is conditionally removed from the system while the system is offline, based on the determining. | 10-17-2013 |
20130276114 | METHOD AND APPARATUS FOR RETROACTIVELY DETECTING MALICIOUS OR OTHERWISE UNDESIRABLE SOFTWARE - A system for retroactively detecting malicious software on an end user system without performing expensive cross-referencing directly on the endpoint device. A client provides a server with information about files that are on it together with what it knows about these files. The server tracks this information and cross-references it against new intelligence it gathers on clean or malicious files. If a discrepancy is found (i.e., a file that had been called malicious, but that is actually benign or vice versa), the server informs the client, which in turn takes an appropriate action based on this information. | 10-17-2013 |
20130276115 | NETWORK VIRTUAL USER RISK CONTROL METHOD AND SYSTEM - Embodiments of the present application relate to a method of controlling user risk, a system for controlling user risk, and a computer program product for controlling user risk. A method is provided. The method includes retrieving association data of a first user and association data of a second user, the association data including multidimensional data, and data relating to each dimension identifying a user and serving as an association dimension, based on the association data, computing an association value between the first user and the second user for an association dimension, gathering the association value to obtain a degree of real association, and determining that the other user is malicious. | 10-17-2013 |
20130276116 | ENVIRONMENTAL IMAGING - A method and system for detecting whether a computer program, sent to a first computer having an operating environment including a plurality of files, includes malware is provided. A second computer lists in a file a plurality of environment details of the operating environment of the first computer. The second computer simulates in the second computer the presence of the plurality of files in the operating environment by exhibiting the plurality of environment details without installing the plurality of files in the second computer. The second computer executes the computer program in the second computer with the simulation and determines whether the computer program attempts to access or utilize the plurality of files in a manner indicative of malware. If not, the second computer records and generates a notification that the computer program is not malware. | 10-17-2013 |
20130276117 | METHOD AND APPARATUS FOR DETECTING A MALWARE IN FILES - An apparatus for detecting a malware in files includes an acquisition unit configured to obtain from a file system information about a first time point when an interested folder is created by the file system, and information about a second time point when an interested file is created in the interested folder by the file system, a candidate determination unit configured to determine whether the interested file is a candidate file to be subjected to a malware inspection, based on the information on the first and the second time point, and an inspection unit configured to perform the malware inspection on the interested file determined to be the candidate file for the malware inspection. | 10-17-2013 |
20130283377 | DETECTION AND PREVENTION OF INSTALLATION OF MALICIOUS MOBILE APPLICATIONS - A combination of shim and back-end server applications may be used to identify and block the installation of malicious applications on mobile devices. In practice, a shim application registers with a mobile device's operating system to intercept application installation operations. Upon intercepting an attempted installation operation, the shim application identifies the application seeking to be installed, generates a key uniquely identifying the application, and transmits the key over a network connection to a back-end server. The back-end server may be configured to crawl the Internet to identify malicious applications and compile and maintain a database of such applications. Upon receiving a key from the shim application, the back-end server can search its database to locate a matching application and, if found, respond to the mobile device with the application's status (e.g., malicious or not). The shim application can utilize this information to allow or block installation of the application. | 10-24-2013 |
20130283378 | SYSTEM AND METHOD FOR DISTINGUISHING HUMAN SWIPE INPUT SEQUENCE BEHAVIOR AND USING A CONFIDENCE VALUE ON A SCORE TO DETECT FRAUDSTERS - Recording, analyzing and categorizing of user interface input via touchpad, touch screens or any device that can synthesize gestures from touch and pressure into input events, such as, but not limited to, smart phones, touch pads and tablets. Humans may generate the input. The analysis of data may include statistical profiling of individual users as well as groups of users; the profiles can be stored in, but not limited to, data containers such as files, secure storage, smart cards, databases, off device, in the cloud etc. A profile may be built from user/users behavior categorized into quantified types of behavior and/or gestures. The profile might be stored anonymized. The analysis may take place in real time or as post processing. Profiles can be compared against each other by all the types of quantified behaviors or by a select few. | 10-24-2013 |
20130283379 | SYSTEM, METHOD AND APPARATUS THAT EMPLOY VIRTUAL PRIVATE NETWORKS TO RESIST IP QOS DENIAL OF SERVICE ATTACKS - An approach provides a communication network that supports one or more network-based Virtual Private Networks (VPNs) to resist Denial of Service (DoS) attacks. A first boundary router is configured to provide a Virtual Private Network (VPN) that supports quality of service levels, and interfaces an access network via a Customer Premise Equipment (CPE) edge router and a physical access link. A second boundary router is coupled to a public network. The access network connects to the first boundary router, and wherein the first boundary router and the second boundary router are connected by a separate logical connection to prevent denial of service attacks on the physical access link originating from sources outside the VPN. | 10-24-2013 |
20130283380 | USER CONTROLLABLE PLATFORM-LEVEL TRIGGER TO SET POLICY FOR PROTECTING PLATFORM FROM MALWARE - Embodiments of systems, apparatuses, and methods to protect data stored in a storage system of a device from malware alteration are described. In some embodiments, a system receives an indication that the data is to be protected. In addition, the system further triggers an interrupt of the device and secures the data from the malware alteration. | 10-24-2013 |
20130283381 | SYSTEMS AND METHODS FOR PROVIDING ANTI-MALWARE PROTECTION ON STORAGE DEVICES - Systems and methods for providing anti-malware protection on storage devices are described. In one embodiment, a storage device includes a controller, firmware, and memory. The firmware communicates with an authorized entity (e.g., external entity, operating system) to establish a secure communication channel. The system includes secure storage to securely store data. | 10-24-2013 |
20130283382 | SYSTEM AND METHOD FOR DETECTING MALWARE IN FILE BASED ON GENETIC MAP OF FILE - A method for detecting whether a file includes malware is performed on a device. The method includes extracting information of at least two predetermined items in the file; creating a genetic map for the file by altering the extracted information into a previously set format; comparing the created genetic map with a previously stored malware genetic map to obtain a similarity between the created genetic map and the previously stored malware genetic map; and determining that the file is a malware when the similarity is higher than a reference value. | 10-24-2013 |
20130291106 | Enterprise level information alert system - A Common Architecture System Assurance Information Assurance (IA) alert system that monitors IA events that may occur on a separate computer or computer system that is vulnerable to attack from internal misuse and penetration by outside sources. The system collects IA event messages and translates them into a common format for processing. It then analyzes the IA event, determines its seriousness, analyzes possible repairs for problems resulting from the IA event, and reports this information in real time to system monitors. These reports are in a readily-understood format that is free of computer jargon. The system reports are designed to be read and understood even by a person with limited education who is not trained in computer or IA technology. | 10-31-2013 |
20130291107 | System and Method for Mitigating Application Layer Distributed Denial of Service Attacks Using Human Behavior Analysis - A method of mitigating an application distributed denial of service (DDoS) attack on a network includes receiving application layer logs at an application DDoS mitigation appliance, parsing the application layer logs into an application layer forensic file, comparing an entry of the application layer forensic file with a human behavior profile to determine a malicious qualifier associated with an application DDoS attack on the network, parsing the application layer log into a per-source forensic file, comparing an entry of the per-source forensic files with the malicious qualifier to determine a malicious Internet protocol (IP) address associated with the application DDoS attack, and providing the malicious IP address to a network device, wherein the network device drops network traffic associated with the application DDoS attack based upon the malicious IP address. | 10-31-2013 |
20130291108 | APPARATUS AND METHOD FOR DETECTING TRAFFIC FLOODING ATTACK AND CONDUCTING IN-DEPTH ANALYSIS USING DATA MINING - Provided is an apparatus and method for detecting a traffic flooding attack and conducting an in-depth analysis using data mining that may rapidly detect a distributed denial of service (DDoS) attack, for example, a traffic flooding attack, developed more variously and firmly from a denial of service (DoS) attack, perform an attack type classification, and conduct a semantic analysis with respect to the attack. The apparatus and method may support a system operation and provide a more stable service, by rapidly detecting a traffic flooding attack, classifying a type of the attack, and conducting a semantic analysis based on a prediction and analysis scheme of data mining. | 10-31-2013 |
20130291109 | Systems and Methods for Scheduling Analysis of Network Content for Malware - A method for detecting malicious network content comprises inspecting one or more packets of network content, identifying a suspicious characteristic of the network content, determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic, identifying the network content as suspicious if the score satisfies a threshold value, executing a virtual machine to process the suspicious network content, and analyzing a response of the virtual machine to detect malicious network content. | 10-31-2013 |
20130291110 | SYSTEMS AND METHODS FOR PROVIDING ANTI-MALWARE PROTECTION AND MALWARE FORENSICS ON STORAGE DEVICES - Systems and methods for providing features that enable anti-malware protection on storage devices are described. In one embodiment, a storage device includes a controller, firmware, and memory. The controller manages input/output operations for the storage device. The firmware provides features for protection against malware. The memory includes secure storage that is configured to provide a set of storage operations. | 10-31-2013 |
20130291111 | Method and Device for Program Identification Based on Machine Learning - The invention discloses a method and device for program identification based on machine learning. The method comprises: analyzing an inputted unknown program, and extracting a feature of the unknown program; coarsely classifying the unknown program according to the extracted feature; judging by inputting the unknown program into a corresponding decision-making machine generated by training according to a result of the coarse classification; and outputting an identification result of the unknown program, wherein the identification result is a malicious program or a non-malicious program. The embodiments of the invention adopt the machine learning technology, achieve the decision-making machine for identifying a malicious program by analyzing a large number of program samples, and can save a lot of manpower and improve the identification efficiency for a malicious program by using the decision-making machine; and furthermore, can find an inherent law of programs based on data mining for massive programs, prevent a malicious program that has not yet appeared, and make it difficult for a malicious program to avoid removal. | 10-31-2013 |
20130298235 | SYSTEMS AND METHODS FOR DYNAMICALLY CHANGING NETWORK STATES | 11-07-2013 |
20130298236 | SYSTEMS AND METHODS FOR IDENTIFYING, DETERRING AND/OR DELAYING ATTACKS TO A NETWORK USING SHADOW NETWORKING TECHNIQUES | 11-07-2013 |
20130298237 | SYSTEMS AND METHODS FOR SPONTANEOUSLY CONFIGURING A COMPUTER NETWORK | 11-07-2013 |
20130298238 | METHOD AND SYSTEM FOR AUTOMATIC DETECTION OF EAVESDROPPING OF AN ACCOUNT BASED ON IDENTIFIERS AND CONDITIONS - A system and method for detecting whether a user account has been compromised. A server computer determines, for a client device, a first identifier associated with the client device. The server computer analyzes an activity log associated with an account of a user to determine if an eavesdropping condition has been met during a given duration. The analysis includes: 1) determining that an eavesdropping activity has occurred during the given duration and determining that no normal activity has occurred during the given duration for the first identifier; 2) determining a second identifier associated with a second device used to access the user account; and 3) determining that a normal activity associated with the second identifier has occurred during the given duration. | 11-07-2013 |
20130298239 | Method and System for Monitoring a Computer System - In one embodiment, a method for monitoring a computer system that includes activating and controlling a target processor by way of an electromagnetic signal. The method also includes generating a key for a computer security method via processor readable instructions stored on a first memory device; transmitting the key to the target processor via an electromagnetic signal; and requesting the target processor to perform the computer security method on a target memory device via an electromagnetic signal, where the computer security method uses the key as a seed. | 11-07-2013 |
20130298240 | Prioritizing Malicious Website Detection - A computer implemented method includes identifying a universal resource locator and characterizing a traffic pattern associated with the universal resource locator. The traffic pattern can include referrer information, referring information, advertising network relationship information, and any combination thereof. The method can further include classifying the universal resource locator into a risk category based on the traffic pattern. | 11-07-2013 |
20130305365 | SYSTEM AND METHOD FOR OPTIMIZATION OF SECURITY TRAFFIC MONITORING - A method and system for security processing of a network data stream. Threat-related statistics are collected and the network data stream is selectively checked based on the statistics data identifying the areas of the stream where the threats had been previously detected. A system for processing a network data stream includes at least one network Intrusion Detection System (IDS) for checking a pre-determined portion of the data stream for presence of threats. The IDS collects threat-related statistics and provides them to a statistics database. A unit for determining areas of the data stream to be checked queries the statistics database for determining or changing the current checked area based on the received statistics. The information about changes in the areas of the data stream to be checked is provided to the IDS, which checks the selected areas of the data stream. | 11-14-2013 |
20130305366 | APPARATUS AND METHOD FOR DETECTING MALICIOUS FILES - An apparatus for detecting a malicious file, includes a program driving unit configured to output an execution address of a command executed by driving a program corresponding to a non-executable file; and an address storage unit configured to store normal address range information in accordance with the driving of the program. | 11-14-2013 |
20130305367 | DETECTING METHOD AND DEVICE - A method includes: generating object information that indicates an object designated from among a header item, text, and attached information of a received email, or feature amount information based on the object information and a predetermined function, when a source is an address in an internal network, decrypting verification information added to the received email using secret key information shared in the internal network, when the source is an address over an external network, decrypting the verification information using public key information shared with the source, and verifying whether or not the received email is a spoofed mail based on the object information or the feature amount information, and the decrypted verification information. | 11-14-2013 |
20130305368 | METHODS AND APPARATUS FOR IDENTIFYING AND REMOVING MALICIOUS APPLICATIONS - A system, method, and apparatus for identifying and removing malicious applications are disclosed. An example apparatus includes an analysis server configured to receive from an executable application operating on a client device a data structure including information identifying processes operating on the client device during a time period and analyze the data structure to identify a malicious application by determining which of the processes on the client device were triggered after an application server was accessed by the executable application and identifying processes associated with the malicious application by comparing the determined processes to records of processes of a device similarly configured as the client device. The apparatus also includes a remover configured to determine files on the client device that are associated with the identified malicious application and transmit instructions to the executable application causing the executable application to remove the malicious application from operation on the client device. | 11-14-2013 |
20130305369 | DETECTION OF THREATS TO NETWORKS, BASED ON GEOGRAPHIC LOCATION - A method for a wireless network. The network includes at least a server and a plurality of computer devices wirelessly connected to the server. At least one of the computer devices is under attack by an ‘attacker’ device. The method provides for detection and reporting of the attack as to the location of the attack. The method includes detecting an attack by one of the computer devices, using a zCore module and transmitting an ‘attack report’ to the server. The report includes at least the attack location. The method also includes notifying at least one of the plurality of computer devices and an external computer device that the network is compromised. | 11-14-2013 |
20130305370 | DETECTION OF INTRUSION IN A WIRELESS NETWORK - A method and associated system for detecting intrusion of a wireless network. A determination is made that a first data stream received by the wireless network does not include N1 communication protocols included in a second data stream previously determined to be valid, N1 being a positive integer. A determination is made that N1 exceeds a predetermined first tolerance, and in response, that the first data stream does not include N2 communication protocols included in a third data stream previously determined to be intrusive to the wireless network, N2 being an integer equal to or greater than zero. A determination is made that N2 is less than a predetermined second tolerance, and in response, an alert that the received data stream is potentially intrusive to the wireless network is generated. | 11-14-2013 |
20130305371 | NETWORK INTRUSION DETECTION WITH DISTRIBUTED CORRELATION - A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken. | 11-14-2013 |
20130305372 | Preventing Unauthorized Data Extraction - An electronic device ( | 11-14-2013 |
20130312094 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR MEASURING DETECTION ACCURACY OF A SECURITY DEVICE USING BENIGN TRAFFIC - Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic are disclosed. According to one method, the method occurs at an Internet protocol (IP) traffic simulator having a first communications interface and a second communications interface. The method includes sending, by the first communications interface, a plurality of benign data packets to a security device, wherein the plurality of benign data packets is engineered to be similar to one or more malicious data packets. The method also includes receiving, by the second communications interface, zero or more of the plurality of benign data packets via the security device. The method further includes determining, using statistics associated with the plurality of benign data packets, a detection accuracy metric associated with the security device. | 11-21-2013 |
20130312095 | IDENTIFYING ROOTKITS BASED ON ACCESS PERMISSIONS - A method for monitoring for malware includes, during a boot process on an electronic device, determining a portion of memory, determining that the portion of memory is reserved for exclusive access by an entity on the electronic device, and, based on the determination that a portion of memory is reserved for exclusive access during the boot process, determining that the reservation is indicative of malware. | 11-21-2013 |
20130318605 | SYSTEM FOR DETECTING ROGUE NETWORK PROTOCOL SERVICE PROVIDERS - A method, system, and computer program product embodied in a computer readable storage medium are disclosed for identifying a rogue network protocol service provider. Embodiments include passively monitoring traffic on a target network, and identifying a response to a network protocol request in the traffic on the network. The source of the response to a network protocol request is compared with a preconfigured list of authorized servers. Based on the results of the comparison, it can be determined whether the source of the response is an authorized server. In cases in which the source is a server on the preconfigured list of authorized servers, the source is deemed an authorized server. In cases in which the source is not a server on the preconfigured list of authorized servers, the source is deemed to be an unauthorized, or rogue, network protocol service provider. | 11-28-2013 |
20130318606 | Systems and Methods for Correlating and Distributing Intrusion Alert Information Among Collaborating Computer Systems - Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed, without generating excess traffic loads. | 11-28-2013 |
20130318607 | Using Power Fingerprinting (PFP) to Monitor the Integrity and Enhance Security of Computer Based Systems - Procedures are described for enhancing target system execution integrity determined by power fingerprinting (PFP): by integrating PFP into the detection phase of comprehensive defense-in-depth security; by deploying a network of PFP enabled nodes executing untrusted devices with predefined inputs forcing a specific state sequence and specific software execution; by embedding module identification information into synchronization signaling; by combining signals from different board elements; by using malware signatures to enhance PFP performance; by automatic characterization and signature extraction; by providing secure signature updates; by protecting against side-channel attacks; performing real-time integrity assessment in embedded platform by monitoring their dynamic power consumption and comparing it against signatures from trusted code, including pre-characterizing power consumption of the platform by concentrating on trace sections carrying the most information about the internal execution status; by using PFP from sequence of bit transitions to detect deviations from authorized execution of software in a digital processor. | 11-28-2013 |
20130318608 | APPARATUS FOR DETECTING AND CONTROLLING INFECTED MOBILE TERMINAL - In a technique of isolating an infected mobile terminal, the disclosed embodiment relates to an apparatus for detecting and controlling an infected mobile terminal, in which the infected mobile terminal is detected from a communication network associated with a mobile communication network. | 11-28-2013 |
20130318609 | METHOD AND APPARATUS FOR QUANTIFYING THREAT SITUATIONS TO RECOGNIZE NETWORK THREAT IN ADVANCE - An apparatus for quantifying network threat situations includes a traffic analyzing unit to analyze packet patterns of traffic occurring on a target network being monitored to extract one or more suspicious domains. An IP monitoring unit assigns security levels, from among a plurality of security levels, to the suspicious domains according to the number of access IPs accessing the suspicious domains. An activity index computing unit computes activity indices for the suspicious domains according to the access times to the suspicious domains of the access IPs. An attack amount anticipation unit estimates an expected amount of attacks for each suspicious domain according to an expected amount of attacks for each zombie computer, the security level and the activity index of the suspicious domain. | 11-28-2013 |
20130326622 | Trusted Communication Network - A system includes a processing node configured to send authorized inbound messages to registered enterprise networks. An authorized message is a message that includes trusted source indicia. Trusted source indicia indicates that the message was sent by one or more of the processing node or an authenticated message transfer node associated with one of the registered enterprise networks. The system may further include an administration node configured to maintain registration of a plurality of message transfer nodes associated with the enterprise networks. A method includes receiving outbound messages from an authenticated message transfer node of an enterprise network, screening the messages for threats to determine whether to send the messages to associated recipients, applying a first message identifier to each message, wherein the first message identifier can be used to track the message and, for each message, sending the message to the associated recipient if no threats are detected in the message. | 12-05-2013 |
20130326623 | CROSS-USER CORRELATION FOR DETECTING SERVER-SIDE MULTI-TARGET INTRUSION - Technologies are generally described for time-correlating administrative events within virtual machines of a datacenter across many users and/or deployments. In some examples, the correlation of administrative events enables the detection of confluences of repeated unusual events that may indicate a mass hacking attack, thereby allowing attacks lacking network signatures to be detected. Detection of the attack may also allow the repair of affected systems and the prevention of further hacking before the vulnerability has been analyzed or repaired. | 12-05-2013 |
20130326624 | RESISTING THE SPREAD OF UNWANTED CODE AND DATA - A method of processing an electronic file by identifying portions of content data in the electronic file and determining if each portion of content data is passive content data having a fixed purpose or active content data having an associated function. If a portion is passive content data, then a determination is made as to whether the portion of passive content data is to be re-generated. If a portion is active content data, then the portion is analysed to determine whether the portion of active content data is to be re-generated. A re-generated electronic file is then created from the portions of content data which are determined to be re-generated. | 12-05-2013 |
20130326625 | INTEGRATING MULTIPLE DATA SOURCES FOR MALWARE CLASSIFICATION - Disclosed herein are representative embodiments of tools and techniques for classifying programs. According to one exemplary technique, at least one graph representation of at least one dynamic data source of at least one program is generated. Also, at least one graph representation of at least one static data source of the at least one program is generated. Additionally, at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, the at least one program is classified. | 12-05-2013 |
20130333032 | NETWORK BASED DEVICE SECURITY AND CONTROLS - Protection against security attacks involves monitoring network traffic for a computing device security attack and determining whether there is a security event, using one or more network based security tools. Next, it is determined whether an event pattern involving two or more security events meets a predetermined criteria. Upon determining that there is a security attack, corrective action is tailored, based on the type of the computing device, the operating system of the computing device, the type of security attack, and/or the available protection tools. A course of action is performed depending on whether an account of the computing device includes a security protection service. If there is a security protection service, a message is sent over a secure link to the computing device. This message includes the corrective action to cure the computing device from the security attack. | 12-12-2013 |
20130333033 | SOFTWARE PROTECTION MECHANISM - Techniques for detecting malware activity are described. In some examples, a method for monitoring executing software for malware may include monitoring behavior of software during execution. Based on comparison of the monitored behavior and corresponding expected behavior derived from analysis of the software, it may be determined that the monitored behavior deviates from the expected behavior in accordance with a predetermined trigger. An appropriate action may be initiated in response. | 12-12-2013 |
20130333034 | Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion - Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines. | 12-12-2013 |
20130333035 | METHOD AND APPARATUS FOR DETECTING SCANS IN REAL-TIME - A method and apparatus for detecting scans are described. In one example, a plurality of flows is allocated into a plurality of bins associated with different source internet protocol (SIP) addresses. A set of bin characteristics for at least one bin of the plurality of bins is generated if the at least one bin reaches a predefined flow capacity. Afterwards, the set of bin characteristics is compared to a scan characteristics list to determine if a potential scan exists. | 12-12-2013 |
20130333036 | SYSTEM, METHOD AND PROGRAM FOR IDENTIFYING AND PREVENTING MALICIOUS INTRUSIONS - Computer system, method and program product for identifying a malicious intrusion. A first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, are identified from a source IP address during a predetermined period. A determination is made that in one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures. Based on the determination that in the one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures, a determination is made that the messages are characteristic of a malicious intrusion. | 12-12-2013 |
20130333037 | METHODS, SYSTEMS, AND MEDIA FOR DETECTING COVERT MALWARE - Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination. | 12-12-2013 |
20130333038 | EVALUATING A QUESTIONABLE NETWORK COMMUNICATION - Identifying a questionable network address from a network communication. In an embodiment, a network device receives an incoming or outgoing connection request, a web page, an email, or other network communication. An evaluation module evaluates the network communication for a corresponding network address, which may be for the source or destination of the network communication. The network address generally includes an IP address. The evaluation module determines one or more properties of the network communication, such as time of day, content type, directionality, or the like. The evaluation module then determines whether the properties match or are otherwise allowed based on properties specified in the white list in association with the IP address. | 12-12-2013 |
20130340076 | CODE REPOSITORY INTRUSION DETECTION - The disclosed subject matter provides for code repository intrusion detection. A code developer profile can be generated based on characteristic features present in code composed by the developer. Characteristic features can be related to the coding propensities peculiar to individual developers and, over sufficient numbers of characteristic features, can be considered pseudo-signatures. A target code set is analyzed in view of one or more developer profiles to generate a validation score related to a likelihood of a particular developer composing a portion of the target code set. This can serve to confirm or refute a claim of authorship, or can serve to identify likely author candidates from a set of developers. Where the target code set authorship is determined to be sufficiently suspect, the code set can be subjected to further scrutiny to thwart intrusion into the code repository. | 12-19-2013 |
20130340077 | SECURE CLOUD HYPERVISOR MONITOR - This disclosure addresses systems and methods for the protection of hardware and software in a computing environment. A hypervisor-monitor may be nested between the hardware of a host system and a hypervisor that is capable of supporting one or more guest virtual machines. The hypervisor-monitor may intercept exceptions generated by one or more processors in the host system and inspect software instructions for the hypervisor and the guests. Inspection may include performing a hash of the software instructions and a comparison of the hash with authorized software modules or a set of known malware. In this manner the hypervisor-monitor may prevent the execution of malware by the hypervisor or the guests, or provide a record of when code of an unknown origin was executed. | 12-19-2013 |
20130340078 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit. | 12-19-2013 |
20130340079 | SYSTEM AND METHOD FOR REAL-TIME REPORTING OF ANOMALOUS INTERNET PROTOCOL ATTACKS - A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method. | 12-19-2013 |
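The count-versus-running-average alarm described in the abstract above, as an added worked example that is not part of the patent filing or of this listing. The per-interval counts are constructed; the warm-up period, the bounded history window, the exclusion of alarming intervals from the baseline and the zero-baseline floor are design choices added here, not details from the abstract.

```python
"""Running-average alarm over per-interval counts of messages already marked anomalous.

Added illustration; the counts below are constructed (one value per fixed interval,
e.g. anomalous-flagged messages per 10 s).
"""
from collections import deque

# Constructed: a quiet baseline with one interval in which a spoofing/DoS burst arrives.
SAMPLE_COUNTS = [4, 5, 3, 4, 6, 5, 40, 4, 5]


def detect_bursts(counts, multiple=3.0, warmup=3, history=10, floor=1.0):
    """Return [(index, count, running_avg)] for intervals with count > multiple * avg.

    Design choices (added here, not from the abstract):
    - the average is taken over the last `history` non-alarming intervals, so an
      alarming interval does not lift the baseline for the ones that follow;
    - no alarm is raised before `warmup` intervals of history exist;
    - `floor` prevents a zero baseline from turning any single message into an alarm.
    """
    recent = deque(maxlen=history)
    alarms = []
    for i, count in enumerate(counts):
        if len(recent) >= warmup:
            avg = sum(recent) / len(recent)
            if count > multiple * max(avg, floor):
                alarms.append((i, count, avg))
                continue  # alarming interval is kept out of the baseline
        recent.append(count)
    return alarms


if __name__ == "__main__":
    for i, count, avg in detect_bursts(SAMPLE_COUNTS):
        print(f"interval {i}: {count} anomalous messages vs running average {avg:.1f}")
```

Because alarming intervals never enter the baseline, a sustained flood keeps alarming every interval rather than quietly becoming the new normal; if the deployment prefers the baseline to adapt, drop the `continue` and the attacker can instead raise it gradually, which is the trade-off to decide explicitly.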
20130347109 | Techniques for Detecting Program Modifications - Techniques are provided for detecting modifications to software instructions. At a computing apparatus configured to execute a software program comprising a plurality of instructions, at least a first check point having a first check value and a second check point having a second check value are assigned within the instructions. At least first and second portions of the instructions are identified. The first portion of the instructions comprises one or more check points other than the first check point. The second portion of the instructions comprises one or more check points other than the second check point. A first hashing operation is performed over the first portion resulting in a first equation and a second hashing operation is performed over the second portion resulting in a second equation. The first check value and the second check value are computed based on the first equation and the second equation. | 12-26-2013 |
20130347110 | EFFICIENT PACKET HANDLING, REDIRECTION, AND INSPECTION USING OFFLOAD PROCESSORS - A packet handling system is disclosed that can include at least one main processor; a plurality of offload processors connected to a memory bus and configured to provide security related services on packets prior to redirection to the main processor; and a virtual switch respectively connected to the main processor and the plurality of offload processors using the memory bus, the virtual switch configured to receive memory read/write data over the memory bus. | 12-26-2013 |
20130347111 | SYSTEM AND METHOD FOR DETECTION AND PREVENTION OF HOST INTRUSIONS AND MALICIOUS PAYLOADS - A computerized system for preventing host intrusions on a communication device. The device is wirelessly connected to a wireless communication network. The system includes a computer readable management software module configured to analyze malicious payloads. The management software module includes an asset manager module configured to assign updates to the communication device, a device database module configured to describe the communication device characteristics and a build database module configured to automate software builds of the communication device core operating system. The management software module also includes a component builder module configured to run a plurality of instruction sets to establish a build environment for the communication device according to the communication device characteristics, a configuration manager module configured to build the instruction sets and an operating system product module configured by the build database module as part of a build process triggered by the asset manager module. | 12-26-2013 |
20130347112 | METHOD FOR A FINE OPTICAL LINE MONITORING IN COMMUNICATION LINES THROUGH QKD SYSTEMS - Two ends of a QKD system are connected through a private quantum channel using a protocol based on the principles of quantum physics and a conventional channel, both channels being introduced through the same medium using multiplexing techniques, wherein a possible intrusion in the communication is detected by checking the variability of the distribution of exchanged photons between both ends of said private quantum channel and in case of detecting an intrusion due to the risk identified on the communication channel the system launches an alarm. To avoid other attacks another conventional channel different from the quantum channel is further used in order to check the error rate in the exchanges. | 12-26-2013 |
20140007234 | PREVENTING ATTACKS ON DEVICES WITH MULTIPLE CPUs | 01-02-2014 |
20140007235 | Identification of Infected Devices in Broadband Environments | 01-02-2014 |
20140007236 | SYSTEMS, METHODS, AND APPARATUS FOR IMPROVED APPLICATION SECURITY | 01-02-2014 |
20140007237 | Modeling and Outlier Detection in Threat Management System Data | 01-02-2014 |
20140013431 | METHODS AND SYSTEMS FOR USE IN IDENTIFYING CYBER-SECURITY THREATS IN AN AVIATION PLATFORM - Methods and apparatus for use in identifying cyber-security threats for an aircraft are provided. The method includes storing parts information relating to each hardware and software component used on the aircraft in an aircraft parts database, receiving, by a computing device, a cyber-security threat, and determining, by the computing device, a threat is relevant to the aircraft by comparing the received threats to the stored parts information. | 01-09-2014 |
20140013432 | METHOD AND APPARATUS FOR VISUALIZING NETWORK SECURITY STATE - A network security state visualization scheme is suitable for collecting security events existing in a network, analyzing the security events, categorizing and contracting the analyzed security events into attack state information, and visualizing the attack state information as a three-dimensional (3D) screen to display the visualized information on a display panel. Unlike the related art where security events are expressed from the viewpoint of IPs, this scheme normalizes collected security event information, analyzes the normalized information, categorizes and contracts the analyzed information into the attack state information, extracts visualization target data, visualizes the visualization target data as the 3D screen, and displays the visualized 3D screen on the display panel. | 01-09-2014 |
20140013433 | Methods to dynamically establish overall national security for sensitivity classification... - A method to establish virtual security perimeters for classified electronic documents on a computer system. The security perimeters are based upon a full classification determination of all informational content of an electronic document file. The full classification determination is uniquely coded to identify a classification value, the classification regime used to classify the information as well as ownership of the electronic information of the electronic document, and is embedded in the electronic document. The classification determination code is matrixed with identification codes for elements of a file management system and used to control computer events initiated on a computer involving the electronic document. Computer events on computers are monitored for the coded full classification determination. The code scheme is also used to identify a breach of a security perimeter on a computer of an unauthorized classified electronic document and warning of the breach. | 01-09-2014 |
20140020099 | SYSTEM AND METHOD FOR CREATING BGP ROUTE-BASED NETWORK TRAFFIC PROFILES TO DETECT SPOOFED TRAFFIC - An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprises TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS. | 01-16-2014 |
20140020100 | DETECTING NETWORK ANOMALY - A method for detecting an anomaly in a network can include combining a number of data-created sketch-sets and requesting a finer sketch-set for an identified sketch-set among the combined number of sketch-sets using an aggregator, and creating the finer sketch-set for the identified sketch-set to detect the anomaly in the network using a monitor. | 01-16-2014 |
20140020101 | TRUSTED ZONE PROTECTION - A trusted zone protector in exemplary embodiments of an electronic system helps reduce unwanted attempts to use a consumer machine in a trusted zone to address a network resource that lies inside the trusted zone on behalf of a website that lies outside of the trusted zone. An address manager in the electronic system is arranged to provide an indication whether an element retrieved by a network-enabled application executing on the consumer machine is arranged to address a network resource that lies inside the trusted zone. The trusted zone protector is arranged to generate a protective action in response to the indication that the element retrieved by the network-enabled application is arranged to address the network resource that lies inside the trusted zone. | 01-16-2014 |
20140020102 | INTEGRATED NETWORK ARCHITECTURE - An integrated network architecture can provide information centric and Internet Protocol processing. The integrated network architecture can comprise a packet core that supports packet processing for information centric network packets and Internet Protocol packets, a service core that comprises services supporting a plurality of different operation modes that can be enabled and disabled independently (including an access operation mode, an edge operation mode, a core operation mode, and a proxy operation mode), a client management service that supports network client mobility between network devices, and/or a cache management service that supports cache lookup and cache update services. | 01-16-2014 |
20140020103 | System and Method of Opportunistically Protecting a Computer from Malware - The present invention provides a system, method, and computer-readable medium that opportunistically install a software update on a computer that closes a vulnerability that existed on the computer. In accordance with one aspect of the present invention, when antivirus software on a computer identifies malware, a method causes a software update that closes the vulnerability exploited by the malware to be installed on the computer. The method includes identifying the vulnerability exploited by the malware, using a software update system to obtain a software update that is configured to close the vulnerability; and causing the software update to be installed on the computer where the vulnerability exists. | 01-16-2014 |
20140020104 | System and Method of Opportunistically Protecting a Computer from Malware - The present invention provides a system, method, and computer-readable medium that opportunistically install a software update on a computer that closes a vulnerability that existed on the computer. In accordance with one aspect of the present invention, when antivirus software on a computer identifies malware, a method causes a software update that closes the vulnerability exploited by the malware to be installed on the computer. The method includes identifying the vulnerability exploited by the malware, using a software update system to obtain a software update that is configured to close the vulnerability; and causing the software update to be installed on the computer where the vulnerability exists. | 01-16-2014 |
20140026216 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DETECTING UNWANTED DATA BASED ON SCANNING ASSOCIATED WITH A PAYLOAD EXECUTION AND A BEHAVIORAL ANALYSIS - A system, method, and computer program product are provided for detecting unwanted data based on scanning associated with a payload execution and a behavioral analysis. In use, an execution of a payload is detected, utilizing interface monitoring. Additionally, process memory associated with the execution of the payload is scanned. Further, a behavioral analysis is performed. Still yet, unwanted data is detected based on the scanning and the performance of the behavioral analysis. | 01-23-2014 |
20140026217 | METHODS FOR IDENTIFYING KEY LOGGING ACTIVITIES WITH A PORTABLE DEVICE AND DEVICES THEREOF - A method, non-transitory computer readable medium, and apparatus that establishes a connection with a host computing device. One or more processes running on the host computing device are identified. One or more hooking operations performed in the one or more identified processes are identified. One or more suspected key logging actions are identified from the one or more identified hooking operations based on one or more of a first set of rules and output. | 01-23-2014 |
20140026218 | ROLLBACK FEATURE - A file stored in a first portion of a computer memory of a computer is determined to be a malicious file. A duplicate of the file is stored in a quarantine area in the computer memory, the quarantine area being in a second portion of the computer memory that is different from the first portion of the computer memory. One or more protection processes are performed on the file. The determination that the file is a malicious file is determined to be a false positive and the file is restored, during a boot sequence, to a state prior to the one or more protection processes being performed on the file. | 01-23-2014 |
20140026219 | Ascertaining Domain Contexts - Various embodiments pertain to ascertaining domain contexts. In one embodiment, an application receives content that may contain a script (i.e. code). In this case, the domain context is ascertained and the script is executed in the context of the domain associated with the received content, rather than requiring the application or some other component to navigate to a location, such as a web location, to attempt to ascertain the domain context of the script. In another embodiment, third party objects or code are required to provide their domain context to an application in order for the application to make a security-based decision. | 01-23-2014 |
20140026220 | DETECTION OF SPOOFING OF REMOTE CLIENT SYSTEM INFORMATION - Digital fingerprint generation logic executed by a client device includes quirk-exposing logic configured to expose behavioral differences between various system configurations of client devices. The digital fingerprint generation logic queries a remote client device for system configuration, and generates a digital fingerprint of the client device that includes a system configuration characteristic reported by the client device in response to the query. Results of execution of the quirk-exposing logic are compared to expected results that are specific to the reported system configuration. If the results of execution do not match the expected results, the digital fingerprint is determined to have been spoofed. | 01-23-2014 |
20140033308 | DATA DRIVEN SYSTEM FOR RESPONDING TO SECURITY VULNERABILITY - A data-driven system for fast response to security vulnerability, in one example embodiment, comprises a request detector, a content type evaluator, and a presentation module. A request detector may be configured to detect a request to display content. A content type evaluator may be configured to determine a type of the requested content. A presentation module may be configured to selectively display the requested content based on the determined type of the requested content. The content type evaluator and the presentation module may utilize a data file that stores information related to potential vulnerabilities associated with a content viewing application. Example data file may be an XML file. | 01-30-2014 |
20140033309 | TAINT TRACKING MECHANISM FOR COMPUTER SECURITY - A system that includes a memory and processor is provided. The processor is programmed to receive input data, determine that the input data is tainted, store the tainted input data in a location in the memory, and based on storing the tainted input data in the location, label the location as a tainted location. The processor is further programmed to assign a triggering event to the tainted location such that an action is initiated when the triggering event has occurred. | 01-30-2014 |
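The labelling-and-trigger scheme described in the abstract above, as an added worked example in pure Python that is not the patent's implementation and not part of this listing. Input-derived values are wrapped in a `Tainted` string type that carries a source label through common string operations, and a `TaintMonitor` fires the trigger registered for a sink when a tainted value reaches it. The class and function names, the `os.system` sink name and the HTTP-parameter scenario are constructed assumptions.

```python
"""Minimal dynamic taint tracking in pure Python.

Added illustration (not the patent's implementation): input-derived values are wrapped
in a Tainted str subclass that carries its source label through common string
operations, and a monitor fires the trigger registered for a sink when a tainted
value reaches it.
"""


class Tainted(str):
    """A str that remembers where it came from; string ops return Tainted results."""

    def __new__(cls, value, source="unknown"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)


def _propagating(name):
    def method(self, *args, **kwargs):
        return Tainted(getattr(str, name)(self, *args, **kwargs), self.source)
    return method


# Propagate taint through the operations a sanitiser or command builder typically uses.
for _name in ("upper", "lower", "strip", "replace", "__getitem__", "join"):
    setattr(Tainted, _name, _propagating(_name))


class TaintMonitor:
    """Registers per-sink triggers and records every tainted value that reaches a sink."""

    def __init__(self):
        self.triggers = {}   # sink name -> callable(tainted_value)
        self.events = []     # (sink, source, value)

    def mark(self, value, source):
        return Tainted(value, source)

    def on_sink(self, sink, callback):
        self.triggers[sink] = callback

    def sink(self, sink, value):
        """Call just before `value` is handed to the dangerous operation `sink`."""
        if isinstance(value, Tainted) and sink in self.triggers:
            self.events.append((sink, value.source, str(value)))
            return self.triggers[sink](value)
        return None


def build_log_command(monitor, requested_name):
    """Hypothetical handler (constructed): builds a shell command from an HTTP parameter."""
    name = monitor.mark(requested_name, source="http_param:file")
    command = "cat /var/log/" + name.strip()       # str + Tainted -> Tainted
    monitor.sink("os.system", command)             # trigger fires here if tainted
    return command


if __name__ == "__main__":
    mon = TaintMonitor()
    mon.on_sink("os.system", lambda v: print(f"BLOCKED {v.source!r} reaching os.system: {v!r}"))
    build_log_command(mon, "app.log; id")
```

The trigger is whatever the deployment wants: raise to block, log to audit, or both. Taint is lost wherever the result is produced by code that never sees the `Tainted` object's methods, for example `"%s" % value`, f-strings and `str.format` on a plain template, which is why production trackers instrument the interpreter or the runtime rather than a subclass.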
20140033310 | System and Method of Active Remediation and Passive Protection Against Cyber Attacks - A system and method for active remediation and/or passive protection against cyber attacks includes an active remediation and passive protection server computer for monitoring at least a portion of network data between at least one first network and at least one second network to detect one or more attacks and/or unauthorized access to at least one first agent in the at least one first network by at least one second agent in the at least one second network. The active remediation and passive protection server computer executes at least one of (i) one or more active remediation mechanisms to actively respond to the one or more detected attacks and/or unauthorized access and (ii) one or more passive protection mechanisms to passively protect against the one or more detected attacks and/or unauthorized access. | 01-30-2014 |
20140041031 | STATISTICAL FINGERPRINTING FOR MALWARE DETECTION AND CLASSIFICATION - A system detects malware in a computing architecture with an unknown pedigree. The system includes a first computing device having a known pedigree and operating free of malware. The first computing device executes a series of instrumented functions that, when executed, provide a statistical baseline representative of the time it takes a known software application to run on a computing device having a known pedigree. A second computing device executes a second series of instrumented functions that, when executed, provides the actual time the known software application takes to run on the second computing device. The system detects malware when there is a difference in execution times between the first and the second computing devices. | 02-06-2014 |
20140041032 | System and Method for Detecting Network Intrusions Using Statistical Models and a Generalized Likelihood Ratio Test - A system and method for detecting network intrusions using one or more statistical models and a generalized likelihood ratio test (GLRT) is provided. The system includes a computer system and a network intrusion detection engine executed by the computer system. To detect network intrusions, the system receives network traffic data, computes a likelihood using one or more statistical models, such as a Markov-modulated Poisson process, and processes the traffic data using a GLRT. The statistical models are used to assess the likelihood of seeing a particular pattern of network traffic. The GLRT is used to classify a particular pattern as either indicative of an attack or not indicative of an attack. The system could apply one or more types of statistical models, such as in a flexible multi-tiered approach. | 02-06-2014 |
20140041033 | HARDWARE ENFORCED MEMORY ACCESS PERMISSIONS - Embodiments of apparatuses and methods for hardware enforced memory access permissions are disclosed. In one embodiment, a processor includes address translation hardware and memory access hardware. The address translation hardware is to support translation of a first address, used by software to access a memory, to a second address, used by the processor to access the memory. The memory access hardware is to detect an access permission violation. | 02-06-2014 |
20140047542 | Mitigating a Denial-of-Service Attack in a Cloud-Based Proxy Service - A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped. | 02-13-2014 |
20140047543 | APPARATUS AND METHOD FOR DETECTING HTTP BOTNET BASED ON DENSITIES OF WEB TRANSACTIONS - An apparatus and method for detecting a Hyper Text Transfer Protocol (HTTP) botnet based on the densities of transactions. The apparatus includes a collection management unit, a web transaction classification unit, and a filtering unit. The collection management unit extracts metadata from HTTP request packets collected by a traffic collection sensor. The web transaction classification unit extracts web transactions by analyzing the metadata, and generates a gray list by arranging the extracted web transactions according to the frequency of access. The filtering unit detects an HTTP botnet by filtering the gray list based on a white list and a black list. | 02-13-2014 |
20140047544 | Server-Side Malware Detection and Classification - A server-side system that detects and classifies malware and other types of undesirable processes and events operating on network connected devices through the analysis of information collected from said network connected devices. The system receives information over a network connection and collects information that is identified as being anomalous. The collected information is analyzed by a system process that can group data based on optimally suited cluster analysis methods. Upon clustering the information, the system can correlate an anomalous event to device status, interaction, and various elements that constitute environmental data in order to identify a pattern of behavior associated with a known or unknown strain of malware. The system further interprets the clustered information to extrapolate propagation characteristics of the strain of malware and determine a potential response action. | 02-13-2014 |
20140053267 | METHOD FOR IDENTIFYING MALICIOUS EXECUTABLES - In a computer system, a method detects a suspected malware behavior. Activities on a computer system conducted within a given time frame are monitored during the installation of a suspected file. The monitored activities are recorded and the monitored/recorded activities are compared with patterns of malware behavior, stored in a database. Upon detecting a suspicious program, the recorded monitored activities are provided for further analysis to be performed by appropriate software removal tools. | 02-20-2014 |
20140053268 | METHOD OF DETECTING POTENTIAL PHISHING BY ANALYZING UNIVERSAL RESOURCE LOCATORS - A method for detecting potential phishing URLs includes extracting a URL from a document, analyzing the URL context, and comparing the URL to stored trusted URLs and stored known phishing URLs. The URL context includes anchor text and surrounding content associated with the URL. The method further includes generating a phishing alert based on the comparing and the analyzing. | 02-20-2014 |
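The extract-compare-analyze flow described in the abstract above, as an added worked example that is not the patent's method and not part of this listing: links and their anchor text are extracted from an HTML document, each link is checked against a trusted-domain list and a known-phishing list, and the URL context (here the anchor text) is inspected for a host name that differs from the link's actual target. The allow-list, block-list, the IP-literal heuristic and the sample message body are constructed; surrounding paragraph text could be fed through the same host-mismatch check.

```python
"""Phishing-URL triage: extract links and their anchor text from a document, compare
against trusted and known-phishing lists, and check the URL context.

Added illustration (not the patent's method); the lists, heuristics and the sample
e-mail body are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}                                   # constructed allow-list
KNOWN_PHISHING_URLS = {"http://example-login.evil.test/verify"}     # constructed block-list
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Constructed e-mail body: one legitimate link, one blacklisted link, one IP-literal link
# whose anchor text names the trusted brand, one look-alike link whose anchor text is a
# trusted URL, and one legitimate subdomain link.
SAMPLE_DOCUMENT = """
<p>Your statement is ready at <a href="https://www.example.com/statement">www.example.com</a>.</p>
<p>Verify your account: <a href="http://example-login.evil.test/verify">https://www.example.com/login</a></p>
<p>Security notice from <a href="http://203.0.113.7/update">example.com support</a></p>
<p>Urgent: <a href="https://secure-update.example.net/">https://www.example.com/</a></p>
<p>Read our <a href="https://blog.example.com/news">latest news</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, anchor_text) pairs; anchor text is the URL context examined below."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def same_site(a, b):
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(document):
    """Return [(href, [reasons])] for links that warrant a phishing alert."""
    parser = LinkExtractor()
    parser.feed(document)
    alerts = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if href in KNOWN_PHISHING_URLS:
            alerts.append((href, ["known_phishing"]))
            continue
        if is_trusted(host):
            continue
        reasons = []
        # Context check: anchor text that names a host other than the one the link goes to.
        for mentioned in HOST_IN_TEXT.findall(text):
            if not same_site(mentioned.lower(), host):
                reasons.append(f"anchor_host_mismatch:{mentioned.lower()}")
                break
        if is_ip_literal(host):   # added heuristic, not from the abstract
            reasons.append("ip_literal_host")
        if reasons:
            alerts.append((href, reasons))
    return alerts


if __name__ == "__main__":
    for href, reasons in analyze(SAMPLE_DOCUMENT):
        print(f"ALERT {href}: {', '.join(reasons)}")
```

Note that `is_trusted` matches on the registrable domain and its subdomains, so `example.com.evil.test` is not trusted while `blog.example.com` is; a list of exact hosts would miss legitimate subdomains, a plain substring match would trust the look-alike.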
20140053269 | ATTACK RESISTANT CONTINUOUS NETWORK SERVICE TRUSTWORTHINESS CONTROLLER - An attack resistant continuous network service trustworthiness controller comprising: state estimation module(s), response selection module(s), actuation module(s), and client dispatcher communication module(s) for maintaining the availability and integrity of online server(s). The state estimation module(s) are configured to generate state estimate(s) for online server(s) using behavior data obtained using sensor module(s). The response selection module(s) are configured to determine corrective action(s) to maintain the availability and integrity of online server(s) when state estimate(s) indicate that the integrity of an online server(s) is compromised. The actuation module(s) are configured to activate actuator(s) based upon the corrective action(s). Client dispatcher communication module(s) are configured to communicate online server availability information to a client dispatcher. | 02-20-2014 |
20140053270 | DETECTING MALICIOUS COMPUTER CODE IN AN EXECUTING PROGRAM MODULE - A computer program includes a plurality of different types of computer program instructions. Prior to execution of the computer program, the computer counts the computer program instructions of each of the types. At a time during execution of the computer program, the computer again counts the computer program instructions of each of the types. The computer, in response to determining that the count for one of the instruction types determined prior to execution of the computer program differs by at least an associated threshold value from the count for the same instruction type determined during execution, makes a record that the computer program has an indicia of maliciousness. | 02-20-2014 |
20140053271 | SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT - A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit. | 02-20-2014 |
20140059683 | Cooperative intrusion detection ecosystem for IP reputation-based security - An intrusion detection system (IDS) is enhanced to operate in a cluster of such systems, and IDSs organized into a cluster cooperate to exchange IP reputation influencing events information between or among the cooperating systems in real-time to enhance overall system response time and to prevent otherwise hidden attacks from damaging network resources. An IDS includes an IP reputation analytics engine to analyze new and existing events, correlate information, and to raise potential alerts. The IP reputation analytics engines may implement an algorithm, such as a pattern matching algorithm, a continuous data mining algorithm, or the like, to facilitate this operation. Clustering IDS endpoints to share IP reputation influencing events, using the cluster-wide view to determine IP reputation, and feeding the cluster-wide view back to the IDS endpoints, provides for enhanced and early detection of threats that is much more reliable and scalable as compared to prior art techniques. | 02-27-2014 |
20140059684 | SYSTEM AND METHOD FOR COMPUTER INSPECTION OF INFORMATION OBJECTS FOR SHARED MALWARE COMPONENTS - Embodiments of a system and method for computer inspection of information objects, for example, executable software applications for common components that may include elements of computer viruses, items from hacker exploit libraries, or other malware components. Information objects may contain identified sequences of instructions, each of which may be identified and hierarchically grouped based on their structural relationship(s). In the software context, programming languages may include multiple components that include functional code; these components are often shared between programmers. In some embodiments, an inspection of the hierarchical relationship of components (e.g., constituent functions) in the information objects may allow for identification of common components shared between programs. In some embodiments, authorship of objects or components in the objects may be identified by comparisons between component samples. In some embodiments, inspection of the relationship between components is limited to component groups having a specified structural size, complexity, or eccentricity. | 02-27-2014 |
20140059685 | System, Method and Computer Program Product for Monitoring and/or Analyzing at Least One Aspect of an Invocation of an Interface - A system, method and computer program product are provided. In use, execution of a portion of internal code of an interface is identified. Further, in response to the execution of the portion of internal code, at least one aspect of an invocation of the interface is monitored and/or analyzed. | 02-27-2014 |
20140059686 | System and Method for Detecting Behavior Anomaly in Information Access - A system and method for identifying anomalies in information requests. The information requests are modeled into a plurality of basic elements, and associations among the basic elements are tracked. The association of one information request is compared with a plurality of bitmap tables and counters representing baseline information derived from historical behavior information. If the association of this information request differs from the baseline information, an alert is issued. The system responds dynamically to changing baselines when assessing which behaviors constitute an anomaly. | 02-27-2014 |
20140068765 | METHOD AND APPARATUS FOR AUTHENTICATING USER IN MULTIPARTY QUANTUM COMMUNICATIONS - The present invention provides a method for authenticating a user in a multiparty quantum communication comprising: generating l quantum entangled states with N particles and transmitting each particle of the l quantum entangled states to N users, by a quantum communication server, wherein N is a natural number larger than 2; determining, by the quantum communication server, whether a disguised attacker exists among the N users on the basis of a first error rate calculated by using n quantum states randomly selected from the l quantum states possessed by the users respectively and a previously shared secret key in each of the users; and controlling, by the quantum communication server, each of the users to generate a new secret key using m | 03-06-2014 |
20140068766 | Secure Code Verification Enforcement In A Trusted Computing Device - Secure code verification enforcement in a trusted computing device, including: examining, by a secure code validation module, a trusted computing device that is locked in a powered down state in response to an impermissible physical access of the trusted computing device; determining, by the secure code validation module, whether content of trusted memory in the trusted computing device has been altered; and responsive to determining that the content of trusted memory in the trusted computing device has not been altered, unlocking, by the secure code validation module, the trusted computing device such that the trusted computing device can be powered up. | 03-06-2014 |
20140068767 | SYSTEMS AND METHODS FOR DETECTING ILLEGITIMATE APPLICATIONS - A computer-implemented method for detecting illegitimate applications may include 1) identifying an installation of an application on a computing system, 2) determining, in response to identifying the installation of the application, that at least one system file with privileged access on the computing system has changed prior to the installation of the application, 3) determining that the application is illegitimate based at least in part on a time of the installation of the application relative to a time of a change to the system file, and 4) performing a remediation action on the application in response to determining that the application is illegitimate. Various other methods, systems, and computer-readable media are also disclosed. | 03-06-2014 |
20140068768 | Apparatus and Method for Identifying Related Code Variants in Binaries - An apparatus for identifying related code variants may include processing circuitry configured to execute instructions for receiving query binary code, processing the query binary code to generate one or more query code fingerprints comprising compressed representations of respective functional components of the query binary code, comparing the one or more query code fingerprints to at least some reference code fingerprints stored in a database to determine a similarity measure between the one or more query code fingerprints and at least some of the reference code fingerprints, and preparing at least one report based on the similarity measure. | 03-06-2014 |
20140068769 | USING NEW EDGES FOR ANOMALY DETECTION IN COMPUTER NETWORKS - Creation of new edges in a network may be used as an indication of a potential attack on the network. Historical data of a frequency with which nodes in a network create and receive new edges may be analyzed. Baseline models of behavior among the edges in the network may be established based on the analysis of the historical data. A new edge that deviates from a respective baseline model by more than a predetermined threshold during a time window may be detected. The new edge may be flagged as potentially anomalous when the deviation from the respective baseline model is detected. Probabilities for both new and existing edges may be obtained for all edges in a path or other subgraph. The probabilities may then be combined to obtain a score for the path or other subgraph. A threshold may be obtained by calculating an empirical distribution of the scores under historical conditions. | 03-06-2014 |
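The following is an added worked example of the new-edge scoring described in the entry above; it is not code from the listed application. It assumes a concrete model the listing leaves open: each node's rate of creating or receiving new edges is a Laplace-smoothed per-day rate estimated from history, an existing edge's probability is the fraction of historical days on which it was active, a path's score is the summed negative log-probability of its edges, and the alert threshold is an empirical quantile of the scores of single-hop paths seen under historical conditions. The host names and the connection history are constructed.

```python
"""Added example: new-edge anomaly scoring over a host-to-host communication graph."""
import math
from collections import defaultdict

# Constructed history of observed connections: (day, src, dst). Day 1 is the warm-up
# snapshot; its edges form the initial graph and are not counted as "new".
HISTORY = [
    (1, "ws1", "fs1"), (1, "ws2", "fs1"), (1, "ws1", "mail"),
    (2, "ws1", "fs1"), (2, "ws2", "fs1"), (2, "ws2", "mail"),
    (3, "ws1", "fs1"), (3, "ws2", "fs1"), (3, "ws1", "mail"),
    (4, "ws1", "fs1"), (4, "ws2", "fs1"), (4, "ws3", "fs1"),
]


class EdgeBaseline:
    def __init__(self, history):
        days = sorted({d for d, _, _ in history})
        self.ndays = len(days)             # days covered by the history
        self.model_days = len(days) - 1    # days on which an edge could be "new"
        self.edge_days = defaultdict(set)  # (src, dst) -> days the edge was active
        self.new_out = defaultdict(int)    # node -> new edges it created after warm-up
        self.new_in = defaultdict(int)     # node -> new edges it received after warm-up
        seen = set()
        for day, s, d in sorted(history):
            self.edge_days[(s, d)].add(day)
            if (s, d) in seen:
                continue
            seen.add((s, d))
            if day != days[0]:
                self.new_out[s] += 1
                self.new_in[d] += 1

    def _rate(self, counter, node):
        # Laplace-smoothed new edges per day; a never-seen node gets only the prior.
        return (counter.get(node, 0) + 0.5) / (self.model_days + 1)

    def edge_prob(self, s, d):
        days = self.edge_days.get((s, d))
        if days:
            return len(days) / self.ndays  # existing edge: fraction of days it was active
        # New edge: probability that s creates and d receives a new edge on a given day,
        # treating the two as independent Poisson events (assumed model).
        p_out = 1.0 - math.exp(-self._rate(self.new_out, s))
        p_in = 1.0 - math.exp(-self._rate(self.new_in, d))
        return p_out * p_in

    def path_score(self, path):
        """Higher is more anomalous: -sum(log p_e) over the edges of the path."""
        return -sum(math.log(self.edge_prob(s, d)) for s, d in zip(path, path[1:]))

    def threshold(self, quantile=0.95):
        """Empirical quantile of single-hop path scores under historical conditions."""
        scores = sorted(self.path_score(edge) for edge in self.edge_days)
        idx = min(len(scores) - 1, max(0, math.ceil(quantile * len(scores)) - 1))
        return scores[idx]

    def is_anomalous(self, path, quantile=0.95):
        return self.path_score(path) > self.threshold(quantile)


if __name__ == "__main__":
    baseline = EdgeBaseline(HISTORY)
    for path in (["ws1", "fs1"], ["ws3", "ws1", "dc"]):
        print(path, round(baseline.path_score(path), 3), baseline.is_anomalous(path))
```

The path `ws3 -> ws1 -> dc` scores high because both hops are new edges between nodes that rarely create or receive new edges, whereas the daily `ws1 -> fs1` connection scores zero. In practice the threshold should be derived from scores of multi-hop paths drawn from the historical graph, not only single edges, and the warm-up window should be long enough that routine connections are not counted as new.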
20140068770 | Enhanced Security and Safety in Telerobotic Systems - Methods and systems for securing remotely-operable devices are provided. A security device can receive a plurality of commands to control a remotely-operable device in a remote environment. At least one command in the plurality of commands can include command data that is related to the remotely-operable device. The security device can receive a plurality of responses to the plurality of commands. The security device can process the plurality of commands and the plurality of responses to determine a signature related to an operator that issued the plurality of commands for the remotely-operable device. The security device can determine an identity of the operator based on the signature. The security device can generate an identity report that includes the identity of the operator. | 03-06-2014 |
20140068771 | Transforming User-Input Data in Scripting Language - A mechanism for preventing injection attacks in scripting languages is provided. The mechanism transforms user-input data in a scripting language. It comprises a step of tracing a script instruction to separate instruction-related variables from user-input-related variables; and a step of encoding the user-input-related variables into data belonging to a safe character set that does not include reserved characters, and passing the encoded user-input-related variables to a statement of the script instruction. | 03-06-2014 |
20140068772 | Fuzzy Whitelisting Anti-Malware Systems and Methods - In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety. | 03-06-2014 |
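An added example of the block-hash whitelisting in the entry above, not the listed system's own code. It assumes a crude block boundary, the x86 `ret` byte (0xC3), in place of the basic-block or function boundaries a real disassembler would supply, and the sample byte strings are constructed to look like two compiler variants of one program plus an unrelated dropper.

```python
"""Added example: fuzzy whitelisting by hashing code blocks and tolerating partial mismatch."""
import hashlib

RET = b"\xc3"


def split_blocks(obj: bytes):
    """Cut the object into blocks, each ending at a 'ret' byte (assumed boundary)."""
    return [piece + RET for piece in obj.split(RET) if piece]


def block_hashes(obj: bytes):
    return {hashlib.sha256(block).hexdigest() for block in split_blocks(obj)}


class FuzzyWhitelist:
    def __init__(self, min_match=0.75):
        self.min_match = min_match  # fraction of target blocks that must be known-good
        self.db = {}                # block hash -> names of whitelisted objects containing it

    def add(self, name, obj: bytes):
        for h in block_hashes(obj):
            self.db.setdefault(h, set()).add(name)

    def best_match(self, obj: bytes):
        """Return (whitelisted object name, fraction of the target's blocks it shares)."""
        hashes = block_hashes(obj)
        tally = {}
        for h in hashes:
            for name in self.db.get(h, ()):
                tally[name] = tally.get(name, 0) + 1
        if not hashes or not tally:
            return None, 0.0
        name = max(tally, key=tally.get)
        return name, tally[name] / len(hashes)

    def is_whitelisted(self, obj: bytes):
        return self.best_match(obj)[1] >= self.min_match


def _blk(body: bytes) -> bytes:
    return body + RET


# Constructed samples: two builds of the same program differing in one block (a changed
# stack-adjust immediate), and a dropper that reuses only the common prologue block.
CALC_V1 = b"".join(_blk(b) for b in (b"\x55\x48\x89\xe5", b"\x31\xc0", b"\x48\x83\xc4\x10", b"\x5d", b"\x90\x90"))
CALC_V2 = b"".join(_blk(b) for b in (b"\x55\x48\x89\xe5", b"\x31\xc0", b"\x48\x83\xc4\x20", b"\x5d", b"\x90\x90"))
DROPPER = b"".join(_blk(b) for b in (b"\x55\x48\x89\xe5", b"\xe8\x00\x00\x00\x00", b"\xcd\x80", b"\xeb\xfe"))

if __name__ == "__main__":
    wl = FuzzyWhitelist()
    wl.add("calc", CALC_V1)
    for label, sample in (("calc_v2", CALC_V2), ("dropper", DROPPER)):
        print(label, wl.best_match(sample), wl.is_whitelisted(sample))
```

The match fraction is measured against the target's own blocks, so an attacker can inflate it by padding malware with many known-good blocks; a deployment should also require that a large share of the matched whitelisted object's blocks are present (a Jaccard-style two-sided measure) and should keep the mismatch allowance small.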
20140075555 | System and method for protecting computer systems from malware attacks - The malware protection system provides a virtual logon session which runs in the background invisible to the user. The virtual logon session is created on a computer system with the help of the operating system using a separate/partitioned kernel resources such as a desktop, that provides a limited access environment under the context of a logged-on user. The system is configured to run applications inside virtual logon sessions under the logged-on user's credentials with limited access. The system also includes an interceptor module that launches the web browser or web application inside the virtual logon session. The interceptor module intercepts every URL passing through the web browser or web application being run in the virtual logon session. The module checks if the primary web URL is infected by malware and adds the malicious URL to a malicious URL database and a non-malicious URL to a non-malicious URL database. | 03-13-2014 |
20140075556 | Threat Detection for Return Oriented Programming - Techniques for detecting security exploits associated with return-oriented programming are described herein. For example, a computing device may determine that a retrieved count is indicative of malicious activity, such as return-oriented programming. The computing device may retrieve the count from a processor performance counter of prediction mismatches, the prediction mismatches resulting from comparisons of a call stack of the computing device and of a shadow call stack maintained by a processor of the computing device. In response to determining that the count indicates malicious activity, the computing device may perform at least one security response action. | 03-13-2014 |
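An added software model of the shadow-call-stack mismatch counter described above, written to show why a ROP chain drives the counter up; it is not the listed technique's implementation and no real processor counter is read. The gadget addresses are constructed, and the alert rule (a minimum number of mismatches and a mismatch rate over the returns in the sampling period) is an assumption.

```python
"""Added example: shadow call stack, mismatch counter, and a rate-based ROP alert rule."""


class ShadowStackCPU:
    def __init__(self):
        self.stack = []       # in-memory call stack, writable by a buffer overflow
        self.shadow = []      # processor-private copy of pushed return addresses
        self.mismatches = 0   # performance counter: return-prediction mismatches
        self.returns = 0      # returns executed since the counter was last read

    def call(self, return_addr):
        self.stack.append(return_addr)
        self.shadow.append(return_addr)

    def overflow(self, chain):
        """Model a stack-smashing write replacing saved return addresses with a ROP chain.
        The chain runs top-of-stack first, so it is stored reversed."""
        self.stack = list(reversed(chain))

    def ret(self):
        target = self.stack.pop() if self.stack else None
        predicted = self.shadow.pop() if self.shadow else None
        self.returns += 1
        if target != predicted:
            self.mismatches += 1
        return target

    def read_and_reset_counter(self):
        """What a periodic monitor would sample: (mismatches, returns) in the period."""
        snapshot = (self.mismatches, self.returns)
        self.mismatches = self.returns = 0
        return snapshot


def indicates_rop(mismatches, returns, max_rate=0.1, min_mismatches=3):
    """Alert when enough mismatches occurred and they exceed max_rate of the returns.
    A non-zero bound tolerates legitimate mismatches (longjmp, exception unwinding)."""
    if returns == 0 or mismatches < min_mismatches:
        return False
    return mismatches / returns > max_rate


def run_benign(cpu):
    for addr in (0x401000, 0x401200, 0x401400):  # constructed return addresses
        cpu.call(addr)
    for _ in range(3):
        cpu.ret()
    return cpu.read_and_reset_counter()


def run_rop(cpu):
    for addr in (0x401000, 0x401200, 0x401400):
        cpu.call(addr)
    cpu.ret()                                                    # one legitimate return
    cpu.overflow([0x4011D3, 0x4012F1, 0x401333, 0x7FFFF7A3C0D0])  # constructed gadget chain
    for _ in range(4):                                           # each gadget ends in ret
        cpu.ret()
    return cpu.read_and_reset_counter()


if __name__ == "__main__":
    for label, run in (("benign", run_benign), ("rop", run_rop)):
        m, r = run(ShadowStackCPU())
        print(label, m, r, indicates_rop(m, r))
```

Every return in the chain pops an address the processor never saw pushed, so the mismatch rate approaches one, while the benign trace produces none. Sampling the counter per process and per short interval matters: a long interval dilutes a short chain with the many legitimate returns around it.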
20140075557 | Streaming Method and System for Processing Network Metadata - An improved method and system for processing network metadata is described. Network metadata may be processed by dynamically instantiated executable software modules which make policy-based decisions about the character of the network metadata and about presentation of the network metadata to consumers of the information carried by the network metadata. The network metadata may be type classified and each subclass within a type may be mapped to a definition by a unique fingerprint value. The fingerprint value may be used for matching the network metadata subclasses against relevant policies and transformation rules. For template-based network metadata such as NetFlow v9, an embodiment of the invention can constantly monitor network traffic for unknown templates, capture template definitions, and inform administrators about templates for which custom policies and conversion rules do not exist. Conversion modules can efficiently convert selected types and/or subclasses of network metadata into alternative metadata formats. | 03-13-2014 |
20140075558 | AUTOMATION DISCOVERY TO IDENTIFY MALICIOUS ACTIVITY - Systems and methods may use automation discovery to identify malicious activity. An automation discovery system comprising a processor in communication with a network and in communication with a database may receive potentially automated network traffic data. The system may analyze the potentially automated network traffic data to determine whether the potentially automated network traffic data is likely to be automated. When the potentially automated network traffic data is not likely to be automated, the system may generate a low automation confidence score associated with the potentially automated network traffic data. When the potentially automated network traffic data is likely to be automated, the system may generate a high automation confidence score associated with the potentially automated network traffic data. | 03-13-2014 |
20140082725 | Systems, Methods, and Media for Outputting a Dataset Based Upon Anomaly Detection - Systems, methods, and media for outputting a dataset based upon anomaly detection are provided. In some embodiments, methods for outputting a dataset based upon anomaly detection: receive a training dataset having a plurality of n-grams, which plurality includes a first plurality of distinct training n-grams each being a first size; compute a first plurality of appearance frequencies, each for a corresponding one of the first plurality of distinct training n-grams; receive an input dataset including first input n-grams each being the first size; define a first window in the input dataset; identify as being first matching n-grams the first input n-grams in the first window that correspond to the first plurality of distinct training n-grams; compute a first anomaly detection score for the input dataset using the first matching n-grams and the first plurality of appearance frequencies; and output the input dataset based on the first anomaly detection score. | 03-20-2014 |
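An added example of the windowed n-gram scoring in the entry above, not the listed system's code. The scoring rule is an assumption: each n-gram in a window earns credit f/(f+1), where f is its appearance frequency in training (an unseen n-gram earns nothing); the window's anomaly score is one minus the mean credit; and the dataset's score is its worst window. The training requests and the two inputs are constructed.

```python
"""Added example: n-gram frequency model with sliding-window anomaly scoring."""
from collections import Counter


def ngrams(data: bytes, n: int):
    return [data[i:i + n] for i in range(len(data) - n + 1)]


class NgramAnomalyDetector:
    def __init__(self, n=3, window=16, threshold=0.6):
        self.n, self.window, self.threshold = n, window, threshold
        self.freq = Counter()  # distinct training n-gram -> appearance frequency

    def train(self, dataset: bytes):
        self.freq.update(ngrams(dataset, self.n))

    def window_score(self, grams):
        # Credit saturates toward 1 for frequent n-grams; unseen n-grams contribute 0.
        credit = sum(f / (f + 1) for f in (self.freq[g] for g in grams))
        return 1.0 - credit / len(grams)

    def score(self, data: bytes):
        grams = ngrams(data, self.n)
        if not grams:
            return 0.0  # too short to contain a single n-gram
        starts = range(0, max(1, len(grams) - self.window + 1))
        return max(self.window_score(grams[i:i + self.window]) for i in starts)

    def should_output(self, data: bytes):
        """True when the input should be forwarded (e.g. to an analyst) as anomalous."""
        return self.score(data) > self.threshold


# Constructed attack-free training set of request heads for one site.
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\nAccept: text/html\r\n\r\n",
    b"GET /cart HTTP/1.1\r\nHost: shop.example\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: shop.example\r\nAccept: image/png\r\n\r\n",
]
NORMAL = TRAINING[1]
# Constructed: a request whose path carries a NOP sled followed by shellcode-like bytes.
ATTACK = b"GET /" + b"\x90" * 24 + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\xcd\x80 HTTP/1.1\r\n\r\n"


def build_detector():
    det = NgramAnomalyDetector()
    for sample in TRAINING:
        det.train(sample)
    return det


if __name__ == "__main__":
    det = build_detector()
    for label, data in (("normal", NORMAL), ("attack", ATTACK)):
        print(label, round(det.score(data), 3), det.should_output(data))
```

A window falling entirely inside the NOP sled contains no training n-gram and scores 1.0, which is what makes the worst-window rule sensitive to short injected regions inside an otherwise ordinary request. The model is only as good as the training set: any attack traffic in it becomes "normal", and a low `window` raises sensitivity at the cost of more false positives on legitimately rare content.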
20140082726 | REAL-TIME CLASSIFICATION OF EMAIL MESSAGE TRAFFIC - A classification system has a classification server that receives data for an email and determines whether the email message is suspicious, legitimate but failing authentication, forwarded, or fully authenticated and legitimate, for domains that are owned, or not owned, by the domain owner. Email messages are categorized and presented in a report that enables the email sender to identify and fix network problems, malicious traffic, and legitimate messages that have failed authentication for reasons beyond the sender's control. The report also highlights where everything is going well. | 03-20-2014 |
20140082727 | ELECTRONIC DEVICE AND METHOD FOR MONITORING APPLICATION - An electronic device includes an operating system to determine the hardware modules being used when an application of the electronic device is run. The electronic device stores a table, obtained from a credible service provider, recording the hardware modules used by each application when run. The electronic device obtains the hardware modules being used by the operating system when an application is running, determines whether all the hardware modules being used are the hardware modules corresponding to the running application in the table if the running application is recorded in the table, and determines that the running application is a malicious application if not all of the hardware modules being used are the hardware modules corresponding to the running application in the table. The electronic device executes a safeguard operation to protect the electronic device when the running application is a malicious application. A related method is also provided. | 03-20-2014 |
20140082728 | DONGLE DEVICE FOR WIRELESS INTRUSION PREVENTION - Disclosed is a dongle device for wireless intrusion prevention, which can provide a wireless intrusion prevention service to a wireless access point in a wireless local area communication network. A dongle device for wireless intrusion prevention including an interface unit connected to an access point and configured to receive a data frame from the access point, a control unit configured to determine a security threat on the basis of the received data frame and generate prevention information if there is the security threat according to the determination result, and a storage unit configured to store information for security threat determination can make an existing wireless access point a wireless access point that can provide wireless intrusion prevention. | 03-20-2014 |
20140082729 | SYSTEM AND METHOD FOR ANALYZING REPACKAGED APPLICATION THROUGH RISK CALCULATION - The present invention relates to a system and method for analyzing a repackaged application through risk calculation, and more specifically, to a system and method for analyzing a repackaged application through risk calculation, which confirms existence of a malicious code by scoring whether or not an application installed in an Android smart phone is repackaged. | 03-20-2014 |
20140082730 | SYSTEM AND METHOD FOR CORRELATING HISTORICAL ATTACKS WITH DIVERSE INDICATORS TO GENERATE INDICATOR PROFILES FOR DETECTING AND PREDICTING FUTURE NETWORK ATTACKS - An apparatus and method predict and detect network attacks by using a diverse set of indicators to measure aspects of the traffic and by encoding traffic characteristics using these indicators of potential attacks or anomalous behavior. The set of indicators is analyzed by supervised learning to automatically learn a decision rule which examines the temporal patterns in the coded values of the set of indicators to accurately detect and predict network attacks. The rules automatically evolve in response to new attacks as the system updates its rules periodically by analyzing new data and feedback signals about attacks associated with that data. To assist human operators, the system also provides human-interpretable explanations of detection and prediction rules by pointing to indicators whose values contribute to a decision that there is an existing network attack or an imminent network attack. When such indicators are detected, an operator can take remediation actions. | 03-20-2014 |
20140082731 | Contextual Alert of an Invasion of a Computer System - Methods, systems, and computer-readable media for providing contextual feedback to a user of a computer system upon detection of an invasion of the computer system are provided herein. An invasion of the computer system is detected and a contextually appropriate alert is selected from a set of alerts. The alert is played immediately upon detection of the invasion so that the user is alerted to the invasion within close temporal proximity to the user's action that resulted in the invasion of the computer system. In addition, details of the invasion are logged to a diagnostic log file for later use by support personnel in repairing the computer system. | 03-20-2014 |
20140090056 | SECURITY ALERT PRIORITIZATION - In one implementation, a security alert prioritization system identifies a host and a domain associated with a security alert that was generated in response to a communication between the host and the domain. The security alert prioritization system accesses a security state associated with the host and a security state associated with the domain, and computes a priority of the security alert based on the security state associated with the host and the security state associated with the domain. | 03-27-2014 |
20140090057 | METHODS AND SYSTEMS FOR FULL PATTERN MATCHING IN HARDWARE - Methods and systems are provided for hardware-based pattern matching. In an embodiment, an intrusion-prevention system (IPS) identifies a full match between a subject data word comprising subject-data blocks and a signature data pattern comprising signature-data blocks. The IPS receives the subject data word via a network interface, and thereafter makes a partial-match determination that two or more but less than all of the subject-data blocks respectively match the same number of the signature-data blocks stored in partial-match hardware with respect to both value and position. Thereafter, the IPS makes a full-match determination that all of the subject-data blocks respectively match all of the signature-data blocks stored in the IPS's full-match hardware with respect to both value and position. The IPS then stores an indicator that the full-match determination has been made, and may carry out one or more additional intrusion-prevention responses as well. | 03-27-2014 |
20140090058 | TRAFFIC SIMULATION TO IDENTIFY MALICIOUS ACTIVITY - Systems and methods may simulate traffic to identify malicious activity. A dynamic analysis system comprising a processor in communication with a network may receive a copy of a malware program and load the copy of the malware program into a simulated endpoint. The system may monitor simulated endpoint network traffic to or from the simulated endpoint, assess the simulated endpoint network traffic to determine a source and/or destination for the simulated endpoint network traffic and/or content of the simulated endpoint network traffic, and capture and store metadata associated with the simulated endpoint network traffic. A comparison system may compare simulated network traffic metadata to observed network traffic metadata to determine whether the metadata are statistically similar. When the metadata are not statistically similar, the system may generate a low infection confidence score. When the metadata are statistically similar, the system may generate a high infection confidence score. | 03-27-2014 |
20140090059 | HEURISTIC BOTNET DETECTION - In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score. | 03-27-2014 |
20140090060 | TRUSTED NETWORK INTERFACE - Systems and methods for combating and thwarting attacks by cybercriminals are provided. Network security appliances interposed between computer systems and public networks, such as the Internet, are configured to perform defensive and/or offensive actions against botnets and/or other cyber threats. According to some embodiments, network security appliances may be configured to perform coordinated defensive and/or offensive actions with other network security appliances. | 03-27-2014 |
20140096245 | Protection Against Return Oriented Programming Attacks - In one embodiment, a processor includes at least one execution unit. The processor also includes a Return Oriented Programming (ROP) logic coupled to the at least one execution unit. The ROP logic may validate a return pointer stored on a call stack based on a secret ROP value. The secret ROP value may only be accessible by the operating system. | 04-03-2014 |
20140096246 | PROTECTING USERS FROM UNDESIRABLE CONTENT - Systems, methods, routines and/or techniques are described to protect users from undesirable content, for example, on an open platform. One or more embodiments may prevent the installation of an application package or warn a user if the application package may be undesirable (e.g., because it may contain malware). In one or more embodiments, a method may include receiving a first request to install an application package, and receiving and/or capturing metadata related to the application package. The method may include communicating a second request (e.g., including the metadata) to a remote server, such that the remote server can determine whether the application package may be undesirable. The method may include receiving a response from the remote server, where the response may indicate whether the application package may be undesirable, and initiating installation of the application package if the application package is determined to be safe and/or acceptable. | 04-03-2014 |
20140096247 | Protection Against Return Oriented Programming Attacks - In one embodiment, a processor includes at least one execution unit. The processor also includes a Return Oriented Programming (ROP) logic coupled to the at least one execution unit. The ROP logic may validate a return pointer stored on a call stack based on a secret ROP value. The secret ROP value may only be accessible by the operating system. | 04-03-2014 |
20140096248 | IDENTIFYING WHETHER AN APPLICATION IS MALICIOUS - Identifying whether a first application is malicious. The first application can be presented for installation on a processing system. The first application can be scanned, via a static analysis implemented by a processor, to determine whether a user interface layout of the first application is suspiciously similar to a user interface layout of a second application installed on the processing system. When the user interface layout of the first application is suspiciously similar to the user interface layout of the second application installed on the processing system, an alert can be generated indicating that the first application is malicious. | 04-03-2014 |
20140096249 | CONTINUOUS ANOMALY DETECTION BASED ON BEHAVIOR MODELING AND HETEROGENEOUS INFORMATION ANALYSIS - The present disclosure describes a continuous anomaly detection method and system based on multi-dimensional behavior modeling and heterogeneous information analysis. A method includes collecting data, processing and categorizing a plurality of events, continuously clustering the plurality of events, continuously model building for behavior and information analysis, analyzing behavior and information based on a holistic model, detecting anomalies in the data, displaying an animated and interactive visualization of a behavioral model, and displaying an animated and interactive visualization of the detected anomalies. | 04-03-2014 |
20140096250 | SYSTEM AND METHOD FOR COUNTERING DETECTION OF EMULATION BY MALWARE - Instructions of an application program are emulated such that they are carried out sequentially in a first virtual execution environment that represents the user-mode data processing of the operating system. A system API call requesting execution of a user-mode system function is detected. In response, the instructions of the user-mode system function called by the API are emulated according to a second emulation mode in which the instructions of the user-mode system function are carried out sequentially in a second virtual execution environment that represents the user-mode data processing of the operating system, including tracking certain processor and memory states affected by the instructions of the user-mode system function. Results of the emulating of the application program instructions according to the first emulation mode are analyzed for any presence of malicious code. | 04-03-2014 |
20140096251 | APPARATUS, SYSTEM AND METHOD FOR IDENTIFYING AND MITIGATING MALICIOUS NETWORK THREATS - Implementations of the present disclosure involve a system and/or method for identifying and mitigating malicious network threats. Network data is retrieved from various sources across a network and analyzed to identify a malicious network threat. When a threat is found, the system performs a mitigating action to neutralize the malicious network threat. | 04-03-2014 |
20140096252 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR DYNAMICALLY ADJUSTING A LEVEL OF SECURITY APPLIED TO A SYSTEM - A system, method, and computer program product are provided for dynamically adjusting a level of security applied to a system. In use, predetermined activity that is at least potentially associated with unwanted activity is identified on a system. Further, a level of security applied to the system is dynamically adjusted, in response to the identification of the predetermined activity. | 04-03-2014 |
20140096253 | AVOIDANCE OF HOSTILE ATTACKS IN A NETWORK - For improving the protection of a network against denial of service attacks and other hostile attacks, while keeping the operation of the network simple and efficient and considering restricted capacities of single network nodes, a control unit, a system and a method for operating a network with a plurality of nodes are provided, wherein at least one operation parameter of at least one node is adjusted based on a current network phase and a data packet received by the node ( | 04-03-2014 |
20140101761 | SYSTEMS AND METHODS FOR CAPTURING, REPLAYING, OR ANALYZING TIME-SERIES DATA - Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert. | 04-10-2014 |
20140101762 | SYSTEMS AND METHODS FOR CAPTURING OR ANALYZING TIME-SERIES DATA - Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert. | 04-10-2014 |
20140101763 | SYSTEMS AND METHODS FOR CAPTURING OR REPLAYING TIME-SERIES DATA - Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert. | 04-10-2014 |
20140101764 | METHODS AND APPARATUS TO DETECT RISKS USING APPLICATION LAYER PROTOCOL HEADERS - Methods, apparatus, systems and articles of manufacture to detect risks using application protocol headers are disclosed. An example method includes extracting characteristics from a header of a received hypertext transport protocol (HTTP) request, determining a first score corresponding to a first characteristic of the characteristics, determining a second score corresponding to a second characteristic of the characteristics, adding the first score and the second score to determine a combined score, and indicating that the received HTTP request is malware when the combined score meets a threshold. | 04-10-2014 |
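An added example of the header-characteristic scoring in the entry above; it is not the listed method's code. The characteristics, their weights and the threshold are constructed heuristics chosen for illustration (absent `User-Agent` and `Accept` headers, an IP-literal `Host`, HTTP/1.0, a version-less user agent, `Host` not sent first, duplicate headers), and the two sample requests are constructed.

```python
"""Added example: scoring HTTP request-header characteristics and thresholding the sum."""
import ipaddress


def parse_request(raw: str):
    """Parse the request line and headers of a raw HTTP/1.x request head (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "version": version, "headers": headers}


def _is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 Host value (optional :port); bracketed IPv6 is not handled."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def characteristics(req):
    names = [n for n, _ in req["headers"]]
    h = dict(req["headers"])
    ua = h.get("user-agent", "")
    return {
        "missing_user_agent": "user-agent" not in h,
        "missing_accept": "accept" not in h,
        "host_is_ip_literal": _is_ip_literal(h.get("host", "")),
        "http_1_0": req["version"] == "HTTP/1.0",
        "user_agent_without_version": bool(ua) and not any(c.isdigit() for c in ua),
        "host_not_first_header": bool(names) and names[0] != "host",
        "duplicate_headers": len(names) != len(set(names)),
    }


WEIGHTS = {  # constructed weights; a real deployment tunes these per environment
    "missing_user_agent": 3,
    "missing_accept": 2,
    "host_is_ip_literal": 2,
    "http_1_0": 1,
    "user_agent_without_version": 1,
    "host_not_first_header": 1,
    "duplicate_headers": 2,
}
THRESHOLD = 5


def score_request(raw: str):
    """Return (combined score, names of the characteristics that contributed)."""
    chars = characteristics(parse_request(raw))
    hits = [name for name, present in chars.items() if present]
    return sum(WEIGHTS[name] for name in hits), hits


def is_malware_request(raw: str) -> bool:
    return score_request(raw)[0] >= THRESHOLD


# Constructed samples: a browser page load and a minimal C2 check-in.
BROWSER = ("GET /index.html HTTP/1.1\r\n"
           "Host: www.example.com\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n"
           "Accept: text/html,application/xhtml+xml\r\n"
           "Accept-Language: en-US\r\n\r\n")
BEACON = ("POST /gate.php HTTP/1.0\r\n"
          "Host: 203.0.113.7\r\n"
          "Content-Length: 42\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("browser", BROWSER), ("beacon", BEACON)):
        print(label, score_request(raw), is_malware_request(raw))
```

Additive scoring is easy to explain to an analyst (the `hits` list is the explanation) but also easy for an attacker to game once the weights are known; in practice the characteristic set is larger, weights come from labelled traffic, and the score is one input to a verdict rather than the verdict itself.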
20140101765 | AUDITING A DEVICE - The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. Initialization information is also received. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier. | 04-10-2014 |
20140101766 | DATA MANAGEMENT OF POTENTIALLY MALICIOUS CONTENT - In a data management system, examination of first data for malicious content by a malicious content scanner is initiated in response to a request to write first data to a data storage device. In response to the examination revealing no malicious content in the first data, the first data, a first signature representative of a version of the malicious content scanner at a time of the examination of the first data, and second data linking the first signature to the first data as read-only data are written to the data storage device. | 04-10-2014 |
20140109223 | PROVIDING A REAL-TIME ANOMALOUS EVENT DETECTION AND NOTIFICATION SERVICE IN A WIRELESS NETWORK - A method and apparatus for providing a notification service in a wireless network are disclosed. For example, the method registers a mobile device associated with a customer for the notification service, collects traffic data related to the mobile device of the customer, determines if an anomaly is detected for the traffic data that is collected for the mobile device, and provides a notification to the mobile device of the customer, if the anomaly is detected for the traffic data that is collected for the mobile device. | 04-17-2014 |
20140109224 | Method for Detecting Eavesdropping Activity and Terminal Device - A method for detecting an eavesdropping activity and a terminal device. The method includes determining whether a terminal device is in a conversation; when the terminal device is in a conversation, determining whether the terminal device has an application that starts a recording function; and when the terminal device has an application that starts a recording function, sending out an eavesdropping alarm prompt. By adopting the technical solutions of the present invention, an eavesdropping activity in a manner of recording may be detected. | 04-17-2014 |
20140109225 | Identifying a Denial-of-Service Attack in a Cloud-Based Proxy Service - A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address to which that domain resolves. | 04-17-2014 |
20140115701 | DEFENDING AGAINST CLICKJACKING ATTACKS - Described is a technology directed towards protecting against clickjacking attacks against interactive user interface elements in code that are described by the code author as sensitive to clickjacking attacks. Various defenses are described, including defenses to ensure target display integrity, pointer integrity, and temporal integrity. For example, a browser click on an element/web page may be determined to be invalid if target display integrity is compromised. Also described are defenses that act to increase the user's attention to what is actually being clicked, and defenses that disable or disallow functions and features used by attackers, such as when a sensitive element is being hovered over. | 04-24-2014 |
20140115702 | ENCRYPTED DATA INSPECTION IN A NETWORK ENVIRONMENT - Technologies are provided in example embodiments for analyzing an encrypted network flow. The technologies include monitoring the encrypted network flow between a first node and a second node, the network flow initiated from the first node; duplicating the encrypted network flow to form a copy of the encrypted network flow; decrypting the copy of the encrypted network flow using a shared secret, the shared secret associated with the first node and the second node; and scanning the network flow copy for targeted data. | 04-24-2014 |
20140115703 | THREAT DETECTION THROUGH THE ACCUMULATED DETECTION OF THREAT CHARACTERISTICS - Embodiments of the present disclosure provide for improved capabilities in the detection of malware, where malware threats are detected through the accumulated identification of threat characteristics for targeted computer objects. Methods and systems include dynamic threat detection providing a first database that correlates a plurality of threat characteristics to a threat, wherein a presence of the plurality of the threat characteristics confirms a presence of the threat; detecting a change event in a computer run-time process; testing the change event for a presence of one or more of the plurality of characteristics upon detection of the change event; storing a detection of one of the plurality of characteristics in a second database that accumulates detected characteristics for the computer run-time process; and identifying the threat when each one of the plurality of characteristics appears in the second database. | 04-24-2014 |
20140115704 | HOMOGLYPH MONITORING - A homoglyph monitoring system includes an attack vector string matching module to determine potential attack vector strings for a target domain name. Each potential attack vector string includes a different homoglyph of a character in the target domain name. The system includes a domain name system (DNS) analyzer module to facilitate lookups on DNS servers based on the potential attack vector strings and to identify a DNS record including a potential attack vector string. | 04-24-2014 |
20140115705 | METHOD FOR DETECTING ILLEGAL CONNECTION AND NETWORK MONITORING APPARATUS - A network monitoring apparatus acquires a first packet transmitted from a first information processing apparatus to a second information processing apparatus. The network monitoring apparatus acquires a second packet transmitted from the second information processing apparatus to the first information processing apparatus. The second packet is transmitted within a predetermined time period since the transmission of the first packet. The network monitoring apparatus determines whether the first packet is a packet according to a protocol used for transmitting a file and the second packet is related to a connection established from the second information processing apparatus to the first information processing apparatus. The network monitoring apparatus outputs result information depending on a result of the determination. | 04-24-2014 |
20140115706 | NETWORK INFRASTRUCTURE OBFUSCATION - A shadow network, which can be a virtual reproduction of a real, physical, base computer network, is described. Shadow networks duplicate the topology, services, hosts, and network traffic of the base network using shadow hosts, which are low interaction, minimal-resource-using host emulators. The shadow networks are connected to the base network through virtual switches, etc. in order to form a large obfuscated network. When a hacker probes into a host emulator, a more resource-intensive virtual machine can be swapped in to take its place. When a connection is attempted from a host emulator to a physical computer, a host emulator can step in to take the place of the physical computer, and software defined networking (SDN) can prevent collisions between the duplicated IP addresses. Replicating the shadow networks within the network introduces problems for hackers and allows a system administrator easier ways to identify intrusions. | 04-24-2014 |
20140123278 | DENIAL-OF-SERVICE ATTACK PROTECTION - In one embodiment, a device detects a denial-of-service attack and generates a message in response to the detection of the denial-of-service attack. The message is then virally distributed to a plurality of subscribed devices. | 05-01-2014 |
20140123279 | DYNAMIC QUARANTINING FOR MALWARE DETECTION - A method includes detecting a portion of data on an electronic device, determining a first representation of the malware status of the data, quarantining the data for a period of time, estimating whether the data is associated with malware by comparing the first and second representations, and, based on the estimation, releasing the data from quarantine. The first representation indicates that the malware status of the data is not certain to be safe and the malware status of the data is not certain to be malicious. | 05-01-2014 |
20140123280 | RUNTIME DETECTION OF SELF-REPLICATING MALWARE - A method for detecting malicious active processes and self-replicating executable binary files on a computing device. The method comprises monitoring in runtime active processes running on a computing device, extracting unique identifier(s) of each of the active processes which maps the active process to executable binary file(s) containing executable code of the active process, monitoring in runtime creation and modification of data files hosted by the computing device, identifying executable binary files among the data files, monitoring concurrent operation of logical sensors which detect malicious behavioral patterns of the active processes and maintain one or more lists of malicious behavioral pattern findings, and detecting malicious active process(es) of a malware from the active processes and self-replicating executable binary file(s) of the malicious active process(es) according to a match between the respective unique identifier(s), the malicious behavioral pattern findings and at least one of the executable binary files. | 05-01-2014 |
20140123281 | DETECTION OF RETURN ORIENTED PROGRAMMING ATTACKS - In one embodiment, a processor includes at least one execution unit and Return Oriented Programming (ROP) detection logic. The ROP detection logic may determine a ROP metric based on a plurality of control transfer events. The ROP detection logic may also determine whether the ROP metric exceeds a threshold. The ROP detection logic may also, in response to a determination that the ROP metric exceeds the threshold, provide a ROP attack notification. | 05-01-2014 |
20140123282 | UNPACKING FLASH EXPLOITS WITH AN ACTIONSCRIPT EMULATOR - Methods and systems for detecting an attempt to load embedded Flash are provided. According to one embodiment, an ActionScript emulator running on a computer system receives a Flash file to be tested. The ActionScript emulator implements a modified version of a class typically implemented by an ActionScript virtual machine. The ActionScript emulator reveals one or more tagged data blocks (tags) contained within the Flash file by decoding the Flash file. The ActionScript emulator determines whether the one or more tags are capable of containing ActionScript bytecode (ABC) by evaluating the one or more tags. When an affirmative determination results with respect to a tag of the one or more tags, then the ActionScript emulator interprets and executes the ABC associated with the tag. Responsive to invocation of a predetermined method of the modified class by the ABC, the ActionScript emulator reports existence of embedded Flash within the Flash file. | 05-01-2014 |
20140123283 | DETECTION OF HEAP SPRAYING BY FLASH WITH AN ACTIONSCRIPT EMULATOR - Methods and systems for detecting heap spraying by ActionScript bytecode (ABC) contained within a Flash file are provided. According to one embodiment, an ActionScript emulator receives a Flash file to be tested. The emulator implements a modified version of a class typically implemented by an ActionScript virtual machine. The emulator reveals one or more tagged data blocks (tags) contained within the Flash file by decoding the Flash file. The emulator determines whether the one or more tags are capable of containing ABC by evaluating the one or more tags. When an affirmative determination results with respect to a tag of the one or more tags, then the emulator interprets and executes the ABC associated with the tag. Responsive to observing one or more predetermined conditions by a detector implemented within a predetermined method of the modified class, the emulator reports existence of heap spraying functionality within the Flash file. | 05-01-2014 |
20140123284 | UNPACKING JAVASCRIPT WITH AN ACTIONSCRIPT EMULATOR - Methods and systems for detecting an attempt to evaluate embedded JavaScript are provided. According to one embodiment, an ActionScript emulator receives a Flash file to be tested. The emulator implements a modified version of a class typically implemented by a Flash file container. The emulator reveals one or more tagged data blocks (tags) contained within the Flash file by decoding the Flash file. The emulator determines whether the one or more tags are capable of containing ActionScript bytecode (ABC) by evaluating the one or more tags. When an affirmative determination results with respect to a tag of the one or more tags, then the emulator interprets and executes the ABC associated with the tag. Responsive to invocation of a predetermined method of the modified version of the class by the ABC and meeting one or more predetermined conditions, the emulator reports existence of embedded JavaScript within the Flash file. | 05-01-2014 |
20140123285 | SOFTWARE EXPLOIT DETECTION - A method may include, in a computing device including a processor, memory, an operating system, and at least one installed application, detecting an attempted exploitation of at least one known vulnerability associated with the device. The attempted exploitation may be logged. At least one remedial action may be performed on the device based on the logged attempted exploitation. The known vulnerability may be associated with the operating system and/or the at least one installed application. The at least one known vulnerability may include one or more of at least one known coding flaw in the operating system or in the at least one installed application, at least one known weakness in a protocol running on the computing device, a known family of coding flaws in the operating system or in the at least one installed application, an unauthorized triggering of premium SMS services, and/or triggering of a hostile misconfiguration. | 05-01-2014 |
20140123286 | Detection Of Return Oriented Programming Attacks - In one embodiment, a processor includes at least one execution unit and Return Oriented Programming (ROP) detection logic. The ROP detection logic may determine a ROP metric based on a plurality of control transfer events. The ROP detection logic may also determine whether the ROP metric exceeds a threshold. The ROP detection logic may also, in response to a determination that the ROP metric exceeds the threshold, provide a ROP attack notification. | 05-01-2014 |
20140123287 | SECURING THERMAL MANAGEMENT PARAMETERS IN FIRMWARE FROM CYBER ATTACK - Methods and systems may provide for identifying a thermal management setting in a computing system, and comparing the thermal management setting to valid configuration information. In addition, the thermal management setting may be modified if it does not comply with the valid configuration information, wherein the modification can cause the thermal management setting to comply with the valid configuration information. Additionally, a threat risk notification can be initiated in order to notify users of the non-compliance. | 05-01-2014 |
20140123288 | NETWORK INTRUSION DETECTION APPARATUS AND METHOD USING PERL COMPATIBLE REGULAR EXPRESSIONS-BASED PATTERN MATCHING TECHNIQUE - A network intrusion detection apparatus and method that perform Perl Compatible Regular Expressions (PCRE)-based pattern matching on the payloads of packets using a network processor equipped with a Deterministic Finite Automata (DFA) engine. The network intrusion detection apparatus includes a network processor core for receiving packets from a network, and transmitting payloads of the received packets to a Deterministic Finite Automata (DFA) engine. A detection rule converter converts a PCRE-based detection rule, preset to detect an attack packet, into a detection rule including a pattern to which only PCRE grammar corresponding to the DFA engine is applied. The DFA engine performs PCRE pattern matching on the payloads of the packets based on the detection rule converted by the detection rule converter. | 05-01-2014 |
20140123289 | Computing Device to Detect Malware - Disclosed is an apparatus and method for a computing device to determine if an application is malware. The computing device may include: a query logger to log the behavior of the application on the computing device to generate a log; a behavior analysis engine to analyze the log from the query logger to generate a behavior vector that characterizes the behavior of the application; and a classifier to classify the behavior vector for the application as benign or malware. | 05-01-2014 |
20140130157 | METHOD AND SYSTEM FOR DISCRETE STATEFUL BEHAVIORAL ANALYSIS - A method for analyzing a computing system includes the steps of at a first moment in time, scanning the resources of the computing system for indications of malware, at a second moment in time scanning the resources of the computing system for indications of malware and determining the system executable objects loaded on the computing system, determining malware system changes, identifying a relationship between the malware system changes and the system executable objects loaded on the computing system, and identifying as suspected malware the system executable objects loaded on the computing system which have a relationship with the malware system changes. The malware system changes include differences between the results of scanning the resources of the computing system for indications of malware at the second and first moment of time. | 05-08-2014 |
20140130158 | IDENTIFICATION OF MALWARE DETECTION SIGNATURE CANDIDATE CODE - A region of HTML or PDF file bytecode run on a virtual machine is identified as possible malware, allowing a detection signature to be generated. A determination is made, based on code behavior, that malware may be present. Variables visible in this identification start state can be found by mapping the start state to scopes in an abstract syntax data structure. Searching previously executed states of the virtual machine for any assignment of a variable that belongs to the set of variables of interest provides a set of assignments of interest, even in obfuscated code. Nonterminated assignments of interest will lead in turn to other variables of interest and assignments of interest, until all assignments of interest are terminated. At that point, a region of code defined by the assignments of interest is identified as a malware detection signature generation candidate, and submitted to a human or automated analyst. | 05-08-2014 |
20140130159 | METHODS AND SYSTEMS FOR DETECTING AN ELECTRONIC INTRUSION - Methods and systems for detecting an electronic intrusion are described. The system receives a notification, over a network, from a first application server that is hosting a first electronic service that is hosting a first user account. The notification reports the detection of a user activity associated with the first user account. The first user account is monitored for user activity. Next, the system may identify the notification reporting the detection of the user activity associated with the first user account as a possible electronic intrusion into the first account. | 05-08-2014 |
20140130160 | SYSTEM AND METHOD FOR RESTRICTING PATHWAYS TO HARMFUL HOSTS IN COMPUTER NETWORKS - System and method for detecting malicious activity in a computer network that includes hosts and connectors between the hosts. Network pathways to a plurality of investigated hosts are explored. A graph is formed based on results of the exploring of the network pathways. The graph represents topology of explored portions of the computer network, including connectors (e.g., communication links) between the investigated hosts and intermediary hosts situated along explored pathways that include the investigated hosts, and an indication of a prevalence of connectors in pathways to each of the investigated hosts. The prevalence of connectors along pathways to each of the investigated hosts is compared against a threshold, and any suspicious host situated along pathways to a common investigated host that is associated with a connector having a low prevalence that is below the prevalence threshold is identified. An access restriction can be associated with the suspicious host. | 05-08-2014 |
20140130161 | System and Method for Cloud-Based Detection of Computer Malware - Disclosed are systems, methods and computer program products for detecting computer malware. In one example, a security server receives information about a suspicious software object detected by a client computer using one or more malware detection methods. The server identifies the malware detection methods used to detect the suspicious object, and selects one or more different malware detection methods to check whether the suspicious object is malicious or clean. The server analyzes the suspicious object using the selected one or more different malware analysis methods to check whether the object is malicious or clean. If the object is determined to be malicious, the server generates and sends to the client computer detection instructions specific to the one or more malware detection methods used by the client computer for detecting and blocking the malicious object on the client computer. | 05-08-2014 |
20140130162 | PHISHING PREVENTING SYSTEM AND OPERATING METHOD THEREOF - A phishing preventing system includes: a user computer outputting, at the time of accessing a predetermined website, a request signal for verifying whether the website is authenticated; a web server generating link information on the website at the time of inputting user information on the user computer and the request signal at the time of accessing the website and outputting the link information to the user computer; and a user terminal verifying whether the website is authenticated by comparing the link information with set normal authentication information by receiving the user information corresponding to the link information from the web server at the time of inputting terminal link information corresponding to the link information from the user computer. | 05-08-2014 |
20140130163 | Method and Apparatus for Setting Secure Connection in Wireless Communications System - A method of setting a secure connection in a wireless communications system is disclosed. The method comprises setting protocol information for a terminal; and checking a packet received in the terminal according to the protocol information; wherein the packet comprises a protocol type, a source port, and a destination port. | 05-08-2014 |
20140130164 | Malicious Object Detection - Malicious object detection is disclosed. An apparatus includes one or more processors, and one or more memories including computer program code. The one or more memories and the computer program code are configured to, with the one or more processors, cause the apparatus at least to perform: obtain image data; obtain association data relating to the image data; identify the image data as corresponding to an identified image among known reference images; and set reputation data of the association data as suspicious, if the association data does not match acceptable associations for the identified image. | 05-08-2014 |
20140130165 | Protecting a User from a Compromised Web Resource - According to an aspect of the invention, there is provided a method of protecting a user from a compromised web resource. The method may include monitoring a user's requests for trusted web resources to determine one or more web resources to be checked. The method may include querying a network database based on the determined one or more web resources to obtain historical data relating to whether any of the one or more web resources has been compromised at any time during a preceding time period. The method may include providing a predetermined response to protect the user if any of the one or more web resources has been compromised. | 05-08-2014 |
20140130166 | GEOGRAPHICAL INTRUSION MAPPING SYSTEM USING TELECOMMUNICATION BILLING AND INVENTORY SYSTEMS - Systems and methods for geographically mapping a threat into a network having one or more network points include receiving threat information identifying a threat to a point of the network, correlating the threat information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the threat. | 05-08-2014 |
20140137247 | Limiting Information Leakage and Piracy due to Virtual Machine Cloning - Techniques for detecting a cloned virtual machine instance. A method includes transmitting an identifier associated with a virtual machine from an agent embedded in the virtual machine akin to a malware to a detection entity in a network, determining whether the identifier is a unique identifier or whether the identifier is a clone of an identifier associated with a separate virtual machine in the network, and initiating at least one remedial action with the agent embedded in the virtual machine if the identifier is determined to be a clone of an identifier associated with a separate virtual machine in the network. | 05-15-2014 |
20140137248 | Client Token Storage for Cross-Site Request Forgery Protection - Systems and methods can secure against cross-site request forgery using client-side token storage. A client browser can initiate an action associated with a first web service and generate a token. The token may be stored in client-side storage at the computing device. An indicator of the action may also be stored within the client-side storage. A return link, associated with a passed copy of the token, may be generated. The client may perform the redirect and return to the first web service according to the return link. The passed copy of the token can be extracted from the return link. The indicator of the action and the stored token may be loaded from the client storage. The passed copy of the token and the stored token may be compared. The action according to the indicator of the action may be performed in response to the comparison matching. | 05-15-2014 |
20140137249 | Dynamic Selection and Loading of Anti-Malware Signatures - An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware system dynamically determines which of the available malware detection signatures and classes of signatures are relevant and should be provided to a machine based on available information. The malware detection signatures are obtained and loaded automatically from one or more sources when a threat becomes relevant. A program or application may be blocked from accessing files until the relevant malware detection signatures have been loaded onto the machine. | 05-15-2014 |
20140137250 | SYSTEM AND METHOD FOR DETECTING FINAL DISTRIBUTION SITE AND LANDING SITE OF MALICIOUS CODE - A system and method for detecting final distribution and landing sites of a malicious code. The method extracts and collects new article URLs and advertisement banner URLs by inspecting a main page of a press company; filters malicious-suspected URLs suspected of hiding the malicious code from the new article URLs and the advertisement banner URLs; collects files created when the malicious-suspected URLs are visited, through visit inspection; self-inspects the created files collected through the created file collection using a commercial vaccine; and traces, if the malicious code is detected in the created file, the final distribution and landing sites distributing the detected malicious code. | 05-15-2014 |
20140137251 | SYSTEM FOR IDENTIFYING MALICIOUS CODE OF HIGH RISK - Disclosed is a system for identifying malicious codes of high risk. The system includes a statistical data creation module for creating statistical data by collecting and processing malicious codes by channel, ranking, period, type, re-infection and vaccine diagnosis; a trend data creation module for creating trend data by processing the collected malicious codes by channel, field and type; a malicious code filtering module for extracting the malicious code of high risk from the collected malicious codes based on priority information including a URL type, the number of distribution sites, the number of landing sites, a vaccine diagnosis rate and the number of reports; and a database for processing and storing the statistical data, the trend data and the malicious codes of high risk in a form of a graph, a pie chart and a table. | 05-15-2014 |
20140143868 | MONITORING FOR ANOMALIES IN A COMPUTING ENVIRONMENT - A method of monitoring for anomalies in a computing environment comprises, with a processor, building an anomaly detection system based on topology guided statistical analysis, and creating a number of correlation rules based on a number of detected anomalies and information provided by a security alerts database. | 05-22-2014 |
20140143869 | USING TELEMETRY TO REDUCE MALWARE DEFINITION PACKAGE SIZE - Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on the analysis of the telemetry data, the cloud server segments malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether a file identified in a request contains malware. If the file is malicious, the client remediates the malware using local malware definition update. | 05-22-2014 |
20140143870 | METHOD AND SYSTEM FOR REDUCING CYBER ATTACKS - A system and method for reducing cyber attacks on vetted web sites includes a haven web site hosted on a server computer. A list of certified web sites meeting specified criteria is maintained by the haven web site. The certified list is accessible over a global computer network for query or download. A computer virus or the like, operating on a remote computer, runs software coding, available for download on the haven web site, that determines whether a proposed targeted address is on the certified list. If so, the attack by the remote computer is aborted, and if not, the attack proceeds. Alternatively, a certification marker is included on certified web sites, and the remote computer runs software coding, available for download on the haven web site, to determine whether a proposed targeted address corresponds to a certified web site. | 05-22-2014 |
20140143871 | METHOD OF INSPECTING MASS WEBSITES BY VISITING - Disclosed is a method of inspecting mass websites by visiting, which inspects the mass websites by visiting at a high speed using multiple browsers and multiple frames. The method of inspecting mass websites includes the steps of: simultaneously visiting, if a list of inspection target websites is received, a plurality of inspection target websites using multiple browsers; inspecting whether or not a malicious code infection attack is generated at the plurality of inspection target websites visited through the multiple browsers; and tracing, if the malicious code infection attack is detected among the plurality of inspection target websites, a malicious website through revisit inspection using a tree search algorithm. | 05-22-2014 |
20140143872 | METHOD OF DETERMINING WHETHER OR NOT WEBSITE IS MALICIOUS AT HIGH SPEED - Disclosed is a method of determining whether or not a website is malicious at a high speed, which determines unknown attacks, detection avoidance attacks and the like at a high speed when the website is inspected by visiting. The method of determining whether or not a website is malicious at a high speed includes the steps of: simultaneously visiting, if a list of inspection target websites is received, a plurality of inspection target websites using multiple browsers; and determining whether or not malicious code infection is attempted through a correlation analysis of behavior information created when the plurality of inspection target websites is visited through the multiple browsers. | 05-22-2014 |
20140143873 | CYBER-SEMANTIC ACCOUNT MANAGEMENT SYSTEM - Systems, methods, and apparatus for identifying anomalous behavior are provided. For example, a method may include receiving raw data, generating a behavior profile for the entity based on the raw data, receiving comparison data, determining whether the comparison data deviates from a pattern of behavior defined in the behavior profile, and identifying the comparison data as anomalous behavior when the comparison data deviates from the pattern of behavior. In one embodiment, the raw data includes recorded activity for the entity. In one embodiment, the behavior profile defines a pattern of behavior for the entity. In one embodiment, a countermeasure is performed upon identifying anomalous behavior. The countermeasure may include at least one of revoking the entity's credentials, denying the entity access to a resource, shutting down access to a port, and denying access to the entity. The method may further include providing a report of the anomalous behavior. | 05-22-2014 |
20140143874 | METHOD AND APPARATUS FOR PATTERN MATCHING FOR INTRUSION DETECTION/PREVENTION SYSTEMS - A system, method, apparatus and mechanism for estimating worst-case time complexity of a regular expression defining a pattern adapted for identifying malicious packets and comprising one or more back-references (backref-regex) by constructing a non-deterministic finite automaton (NFA) corresponding to the backref-regex (backref-NFA), wherein the backref-NFA comprises a plurality of NFA-states and a respectively labeled edge for each of the one or more back-references of the backref-regex; performing liveness analysis on the backref-NFA to determine for each NFA-state of the backref-NFA a set of back-references alive at the NFA-state; and determining a maximum number of alive back-references over the plurality of NFA-states, wherein the determined maximum number is indicative of the worst-case time complexity of the backref-regex. | 05-22-2014 |
20140150102 | DETECTING ALTERED APPLICATIONS USING NETWORK TRAFFIC DATA - A method, computer readable medium and apparatus for detecting an altered application are disclosed. Network traffic data is obtained for a number of endpoint devices to determine a network traffic signature for a first application. The signature comprises a set of flows within a time window. Network traffic data is monitored to determine a network traffic signature for a second application. The signature for the second application comprises the network traffic signature of the first application plus a flow to an additional address. The method determines a ratio of endpoint devices having network traffic data that matches the signature for the second application as compared to a percentage of endpoint devices having network traffic data that matches the signature for the first application. When the percentage satisfies a threshold, the method determines that the second application is the altered application comprising an altered version of the first application. | 05-29-2014 |
20140150103 | APPLICATION MODULE INJECTION DEVICE, COMPUTING DEVICE INCLUDING APPLICATION MODULE INJECTION FUNCTION, AND RECORDING MEDIUM FOR RECORDING PROGRAM FOR EXECUTING APPLICATION MODULE INJECTION METHOD - Provided are an application module injection device, a computing device including an application module injection function, and a recording medium that records a program for executing an application module injection method. The application module injection device includes a function registration unit configured to register, in an operating system (OS), a first callback function for receiving a notice about whether a process corresponding to a program whose execution is instructed by a user is created from the OS and a second callback function for receiving a notice about whether an image corresponding to the program whose execution is instructed by the user is driven, a process information acquisition unit configured to receive the notice about whether the process corresponding to the program whose execution is instructed by the user is created from the OS through the first callback function, a process determination unit configured to select a process generated so as to correspond to the program whose execution is instructed by the user as an application module injection target process when the program whose execution is instructed by the user, which is determined through the second callback function, corresponds to a predetermined type of program, a context change unit configured to change a first entry point included in a context of a thread corresponding to the application module injection target process into a second entry point of an injected application module, and an application module injection unit configured to inject the application module into the application module injection target process. | 05-29-2014 |
20140150104 | ELECTRONIC ASSEMBLY COMPRISING A DISABLING MODULE - An electronic assembly for an electronic device may include a detection module to detect a security anomaly of a Rich-OS operating system and a disabling module to disable at least one secure function of the electronic device in response to the detection. The disablement nevertheless allows use of the electronic device in fail-soft mode. The electronic assembly may be implemented such that these two modules are dependent on a trusted operating system, and the trusted operating system and the Rich-OS operating system may be stored in a memory of the electronic assembly and executed on the electronic assembly. | 05-29-2014 |
20140157410 | Secure Environment for Graphics Processing Units - In accordance with some embodiments, a protected execution environment may be defined for a graphics processing unit. This framework not only protects the workloads from malware running on the graphics processing unit but also protects those workloads from malware running on the central processing unit. In addition, the trust framework may facilitate proof of secure execution by measuring the code and data structures used to execute the workload. If a part of the trusted computing base of this framework or protected execution environment is compromised, that part can be patched remotely and the patching can be proven remotely through attestation in some embodiments. | 06-05-2014 |
20140157411 | SAFETY PROTECTION METHOD AND SAFETY PROTECTION DEVICE - A safety protection method which is performed with a controller includes the steps of providing an index table, calling one of a plurality of application programming interfaces (APIs), filtering the called API based on a predetermined condition, and blocking the API if the API satisfies the predetermined condition. Furthermore, a safety protection device is also disclosed herein. | 06-05-2014 |
20140157412 | DEVICE, METHOD AND NON-TRANSITORY COMPUTER READABLE STORAGE MEDIUM THEREOF FOR PERFORMING ANONYMOUS TESTING ON ELECTRONIC DIGITAL - A method for performing anonymous testing on electronic digital data is provided. The method comprises the steps outlined below. At least one electronic digital data is received. A type of the electronic digital data is identified to retrieve a plurality of data fields according to the type of the electronic digital data, in which the data fields further comprise a plurality of data blocks. The data fields and the data blocks are analyzed such that they are categorized as at least one logic operation part and at least one data content part. A data-hiding process is performed on the data content part only to generate output electronic digital data, and a subsequent analysis is performed on the output electronic digital data. | 06-05-2014 |
20140157413 | APPLICATION TESTING SYSTEM AND METHOD - A method, computer program product, and computer system for sending, by a first computing device, a payload from a plurality of payloads to a second computing device. A response from the second computing device responding to the payload is received at the first computing device. It is determined whether the payload has successfully attacked an application executing at the second computing device based upon, at least in part, the response. If not, at least a portion of the plurality of payloads that shares a structural overlap with the first payload is identified. At least a second payload of the portion is prevented from being sent to the second computing device in response to identifying that the second payload shares the structural overlap with the first payload. | 06-05-2014 |
20140157414 | METHOD AND SYSTEM FOR DETECTING MALICIOUS DOMAIN NAMES AT AN UPPER DNS HIERARCHY - A method and system for detecting a malicious domain name, comprising: collecting domain name statistical information from a non-recursive domain name system name server (RDNS NS); and utilizing the collected domain name statistical information to determine if a domain name is malicious or benign. | 06-05-2014 |
20140157415 | INFORMATION SECURITY ANALYSIS USING GAME THEORY AND SIMULATION - Vulnerability in security of an information system is quantitatively predicted. The information system may receive malicious actions against its security and may receive corrective actions for restoring the security. A game oriented agent based model is constructed in a simulator application. The game ABM model represents security activity in the information system. The game ABM model has two opposing participants including an attacker and a defender, probabilistic game rules and allowable game states. A specified number of simulations are run and a probabilistic number of the plurality of allowable game states are reached in each simulation run. The probability of reaching a specified game state is unknown prior to running each simulation. Data generated during the game states is collected to determine a probability of one or more aspects of security in the information system. | 06-05-2014 |
20140157416 | Determining the Likelihood of Traffic Being Legitimately Received At a Proxy Server in a Cloud-Based Proxy Service - Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as a result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server. | 06-05-2014 |
20140165194 | Attack Protection Against XML Encryption Vulnerability - Protection against an attack which exploits an eXtensible Markup Language (XML) Encryption vulnerability includes receiving a ciphertext request utilizing an EncryptedKey element and detecting either a failure to decrypt the cipher value in the EncryptedData element or a failure to parse the resulting decrypted XML. Upon detecting the failure, a count of failures associated with the EncryptedKey element is incremented, and when the count exceeds a threshold number of failures, subsequent usage of the EncryptedKey element and delivery of the request to an application service are prevented. Optionally, a rejection message is returned to the requester. | 06-12-2014 |
20140165195 | METHOD AND SYSTEM FOR THWARTING INSIDER ATTACKS THROUGH INFORMATIONAL NETWORK ANALYSIS - One embodiment of the present invention provides a system for detecting insider attacks in an organization. During operation, the system collects data describing user activities. The system extracts information from the data that includes user information and user communications. The system then generates a topic-specific graph based on the extracted information. The system analyzes a structure of the graph to determine if one or more rules have been violated. The system may determine that a rule associated with the graph has been violated and signal an alarm in response to detecting the rule violation. | 06-12-2014 |
20140165196 | EFFICIENT PACKET HANDLING, REDIRECTION, AND INSPECTION USING OFFLOAD PROCESSORS - Methods for handling packets are disclosed that can include providing at least one main processor connected to a plurality of offload processors by a memory bus; providing an arbiter connected to each of the plurality of offload processors, the arbiter capable of scheduling resource priority for instructions or data received from the memory bus; configuring the offload processors to provide security related services on packets prior to redirection to the main processor; operating a virtual switch respectively connected to the main processor and the plurality of offload processors using the memory bus, with the virtual switch capable of receiving memory read/write data over the memory bus; and directing at least some memory read/write data to the arbiter from the virtual switch. | 06-12-2014 |
20140165197 | MALWARE ATTACK PREVENTION USING BLOCK CODE PERMUTATION - Technologies are generally described for systems and methods configured to produce an executable code. In some examples, a developer may send machine language code to a system manager. The machine language code may include two or more machine language blocks and linking information. The system manager may include a processor configured to permute the machine language blocks to produce permuted machine language code. The processor may modify the linking information based on the permuted machine language code to produce modified linking information. The processor may link the permuted machine language code with use of the modified linking information to produce the executable code. | 06-12-2014 |
20140165198 | SYSTEM AND METHOD FOR MALWARE DETECTION USING MULTIDIMENSIONAL FEATURE CLUSTERING - Methods and systems for malware detection techniques, which detect malware by identifying the Command and Control (C&C) communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The fine-granularity features are examined, which are present in the transactions and are indicative of whether the transactions are exchanged with malware. A feature comprises an aggregated statistical property of one or more features of the transactions, such as average, sum, median or variance, or of any suitable function or transformation of the features. | 06-12-2014 |
20140165199 | METHOD AND APPARATUS FOR DETERMINING MALICIOUS PROGRAM - Various embodiments provide methods, apparatus, and computer readable medium for determining a malicious program. In an exemplary method, a specific application programming interface (API) within an application program can be obtained. Call logic for calling the specific API can be determined. The call logic can include a triggering event to trigger the specific API to be called, a feedback path provided after the specific API is called, or a combination thereof. Whether the application program is a malicious program can be determined according to the call logic. | 06-12-2014 |
20140165200 | SYSTEMS AND METHODS FOR DISTRIBUTED RULE-BASED CORRELATION OF EVENTS - Systems and methods for distributed rule-based correlation of events are provided. A notification of a partial match of a distributed rule by an event of a first subset of events is received. The notification includes a set of properties of the event of the first subset of events. The distributed rule is evaluated using the set of properties of the event of the first subset of events and a set of properties of an event of a second subset of events. A complete match of the rule is determined based on the evaluation, and a correlation event is generated. | 06-12-2014 |
20140165201 | Vector-Based Anomaly Detection - Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur. | 06-12-2014 |
20140165202 | MULTI-LAYER SYSTEM FOR PRIVACY ENFORCEMENT AND MONITORING OF SUSPICIOUS DATA ACCESS BEHAVIOR - A method for controlling data access in a data-at-rest system includes executing a link intrusion prevention analysis between multiple layers of the data-at-rest system, introducing a privacy policy at enforcement points that span multiple system layers, and dynamically altering the privacy policy. | 06-12-2014 |
20140173733 | EXPLOIT DETECTION AND REPORTING OF A DEVICE USING SERVER CHAINING - A server configured for managing server access by a first client application of a device over a communications network. The server receives a status message from the first client application over the communications network, the first client application managed by the server, the message including at least one compliance characteristic associated with a security policy of the server and a unique identification of the device. The server can access the security policy and compare the at least one compliance characteristic with a corresponding policy of the security policy to determine a current state of the device as contrary to the corresponding policy and in response generate a compromised status indicator for the device. The server can also access a storage to obtain a network address associated with a second server managing a second client application of the device and send a device status message to the network address of the second server including the compromised status indicator and identification data uniquely identifying the device to the second server. | 06-19-2014 |
20140173734 | METHODS, MEDIA, AND SYSTEMS FOR DETECTING AN ANOMALOUS SEQUENCE OF FUNCTION CALLS - Methods, media, and systems for detecting an anomalous sequence of function calls are provided. The methods can include compressing a sequence of function calls made by the execution of a program using a compression model; and determining the presence of an anomalous sequence of function calls in the sequence of function calls based on the extent to which the sequence of function calls is compressed. The methods can further include executing at least one known program; observing at least one sequence of function calls made by the execution of the at least one known program; assigning each type of function call in the at least one sequence of function calls made by the at least one known program a unique identifier; and creating at least part of the compression model by recording at least one sequence of unique identifiers. | 06-19-2014 |
20140181968 | Monitoring Operational Activities In Networks And Detecting Potential Network Intrusions And Misuses - Concepts and technologies disclosed herein are for monitoring operational activities in networks and detecting potential network intrusions and misuses. According to one aspect disclosed herein, an intrusion detection system can collect logs from an authentication, authorization, and accounting system. The intrusion detection system can extract information from the logs, update intrusion detection information utilized by an intrusion detection rule based upon the information extracted from the logs, update a profile utilized by the intrusion detection rule, compare the profile and the intrusion detection rule against a running state of an on-going session, tag corresponding log entries with a threat score, calculate the threat scores from the corresponding log entries to create an aggregated threat score, and present the aggregated threat score. The intrusion detection system can also present an alarm if the aggregated threat score triggers an alarm condition. | 06-26-2014 |
20140181969 | System and Method for Uploading and Verifying a Document - An upload and verification system allows a user to upload files which the user would like to attach to the electronic record of a certain event associated with the company, for example, an insurance claim. A quarantine server may receive the uploaded file and scan the file for malicious code. The quarantine server may transmit the file to a temporary storage server. The temporary storage server may receive the file, may convert the file to a file format supported by the company system and may compress the file. The temporary storage server may also transmit a preview of the file back to the client device, where the user can verify that the correct document has been uploaded and no mistakes have been made. | 06-26-2014 |
20140181970 | SYSTEM AND METHOD FOR IMPROVING THE EFFICIENCY OF APPLICATION EMULATION ACCELERATION - An improved emulator for analyzing software code, and associated method. The emulator includes a virtual execution environment in which a series of virtual processing states are represented during emulation of a first portion of the software code, and a hardware accelerator that performs an initialization of the computing hardware to directly execute a second portion of the software code under investigation without emulation thereof in the virtual execution environment. An efficiency assessment module determines a measure of efficiency of performing the executing of the second portion of the software code under investigation without emulation thereof, and an acceleration decision module performs selection of the second portion of the software code under investigation to be directly executed by the hardware accelerator module based on the determined measure of efficiency. | 06-26-2014 |
20140181971 | SYSTEM AND METHOD FOR DETECTING MALWARE THAT INTERFERES WITH THE USER INTERFACE - System and method for detecting ransomware. A current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided. | 06-26-2014 |
20140181972 | PREVENTIVE INTRUSION DEVICE AND METHOD FOR MOBILE DEVICES - A method for providing an intrusion prevention system to prevent hacking into files located on enterprise users' endpoint devices functioning as mobile computing platforms. The method includes filtering low-level network packets for each of a plurality of received network packets, offloading the received packets to an inspecting processing module and marking suspicious packets based on at least one of a header and pattern of each of said received packets. The method also includes taking preventive measures by the system to ensure protection of the device and network, taking active steps by the system to block suspicious traffic and disconnecting the current connection by the system, when it detects suspicious traffic. | 06-26-2014 |
20140181973 | METHOD AND SYSTEM FOR DETECTING MALICIOUS APPLICATION - A malicious applications detection method is provided. The method includes: extracting a plurality of static features from a manifest file and a de-compiled code respectively obtained from a plurality of training malicious applications (APK files) and a plurality of training benign applications (APK files); generating at least one malicious application group using a clustering algorithm and generating at least one benign application group; generating application detecting models respectively representing the malicious and benign application groups based on static features of the training malicious and benign applications in each malicious application group and each benign application group; extracting target static features from a target manifest file and a target de-compiled code of a target application; using a classification algorithm, the target static features, and the application detecting models to determine whether the target application belongs to the malicious application group; and generating a warning message when a determination result is positive. | 06-26-2014 |
20140181974 | System and Method for Detecting Malware Using Isolated Environment - Disclosed are a system and methods for detecting malicious applications. The system provides a library of handler functions. The handler functions control access of one or more applications to protected resources on a user device. The system also modifies the one or more applications to access the library of handler functions instead of corresponding application program interface (API) functions of the user device. The handler functions receive API function calls from a modified application. The system analyzes the received API function calls for malicious behavior characteristics. When the API function calls do not exhibit malicious behavior characteristics, the handler functions perform the API function calls to the protected resources. When the API function calls exhibit malicious behavior characteristics, the system prevents access of the modified application to the protected resources. | 06-26-2014 |
20140181975 | METHOD TO SCAN A FORENSIC IMAGE OF A COMPUTER SYSTEM WITH MULTIPLE MALICIOUS CODE DETECTION ENGINES SIMULTANEOUSLY FROM A MASTER CONTROL POINT - A multi-engine malicious code scanning method for scanning data sets from a storage device is provided. The method includes, among other steps, obtaining at least one data set from a storage device and generating a single forensic image of the data set, and also applying a recover data application to the data set to generate a single recovered data set. A scan is initiated of the single forensic image and the single recovered data set using the selected plurality of malware engines, where each of the malware engines, installed on the independent operating systems of the virtual operating system, may be run concurrently on the single forensic image and the single recovered data set. A report is generated combining the results of the scans reported by each of the malware engines. | 06-26-2014 |
20140181976 | METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR DETECTING INJECTED MACHINE CODE - According to one aspect, the subject matter described herein includes a method for detecting injected machine code. The method includes extracting data content from a buffer. The method also includes providing an operating system kernel configured to detect injected machine code. The method further includes executing, using the operating system kernel, the data content on a physical processor. The method further includes monitoring, using the operating system kernel, the execution of the data content to determine whether the data content contains injected machine code indicative of a code injection attack. | 06-26-2014 |
20140181977 | HANDLING POTENTIALLY MALICIOUS COMMUNICATION ACTIVITY - At least some incoming traffic is distributed into a first set of traffic groups according to a first grouping scheme. Communication activity from a potentially malicious source may be grouped in a given traffic group in which communication activity from an acceptable source is also grouped. Potentially malicious communication activity is detected in the given traffic group. Traffic in the given traffic group is processed using a first traffic processing mode associated with potentially malicious communication activity, in which at least some traffic that is distributed into the given traffic group is discarded. In response to a dynamic trigger, the grouping scheme is altered to one or more further grouping schemes in order that the communication activity from the acceptable source is likely to be subsequently grouped into a traffic group which is different from the group into which the communication activity from the potentially malicious source is subsequently grouped. | 06-26-2014 |
20140189864 | IDENTIFYING WEB PAGES IN MALWARE DISTRIBUTION NETWORKS - Technologies pertaining to analyzing content extracted from web pages by a static crawler to determine whether respective web pages are members of a malware distribution network (MDN) are described. A set of features is learned based upon output of a dynamic crawler over known landing pages of a particular MDN, wherein the set of features are indicative of membership in the MDN. Using such set of features, additional members of the MDN (not subjected to crawling by a dynamic crawler) are identified. | 07-03-2014 |
20140189865 | SECURITY MANAGEMENT IN A NETWORKED COMPUTING ENVIRONMENT - An approach for addressing (e.g., preventing) detected network intrusions in a virtualized/networked (e.g., cloud) computing environment is provided. In a typical embodiment, users may group components/systems of an environment/domain according to a range of security sensitivity levels/classifications. The users may further configure rules for responding to security threats for each security sensitivity level/classification. For example, if a “highly dangerous” security threat is detected in or near a network segment that contains highly sensitive systems, the user may configure rules that will automatically isolate those systems that fall under the high security classification. Such an approach allows for more granular optimization and/or management of system security/intrusion prevention that may be managed at a system level rather than at a domain level. | 07-03-2014 |
20140189866 | IDENTIFICATION OF OBFUSCATED COMPUTER ITEMS USING VISUAL ALGORITHMS - A method to identify character strings associated with potentially malicious software items. The method includes employing a visual algorithm to translate one or more characters of a character string into corresponding characters in a visual ID for use in grouping and comparing computer items having similar visual IDs, such as a reference ID for a computer item that is known to be non-malicious. The method may, among other things, elucidate an attacker's attempt to obfuscate malicious software by using file names that are very similar to those used for harmless files. | 07-03-2014 |
20140189867 | DDoS ATTACK PROCESSING APPARATUS AND METHOD IN OPENFLOW SWITCH - An OpenFlow switch in an OpenFlow environment includes an attack determination module to collect statistical information on packet processing with respect to incoming packets to be processed in the OpenFlow switch at a predetermined period interval to determine whether a DDoS attack occurs. The OpenFlow switch also includes an attack responding module to perceive a feature of the DDoS attack by using the incoming packets introduced into the OpenFlow switch after the determination of the occurrence of the DDoS attack and process the incoming packets in line with the perceived feature of the DDoS attack. Therefore, it is possible to determine and respond to DDoS attacks in the OpenFlow switches. | 07-03-2014 |
20140189868 | METHOD FOR DETECTING INTRUSIONS ON A SET OF VIRTUAL RESOURCES - A method for detecting intrusions on a set of virtual resources in a computer system including at least one physical machine hosting the set of virtual resources. The method includes: calculating an intrusion detection itinerary defined by a sequence of virtual resources from the set, the virtual resources being integrated and arranged in the sequence on the basis of respective vulnerability criticality levels assigned to the virtual resources of the set; and carrying out an intrusion detection operation, following the calculated itinerary. | 07-03-2014 |
20140189869 | METHOD OF INTRUSION DETECTION IN TERMINAL DEVICE AND INTRUSION DETECTING APPARATUS - A method of intrusion detection in a terminal device that supports driving of a plurality of operating systems, is provided. The method includes collecting at a first operating system of the plurality of operating systems intrusion detection data for analyzing whether there is an intrusion in at least a second operating system of the plurality of operating systems; and performing at the first operating system an intrusion detection with respect to the at least a second operating system using the collected intrusion detection data. | 07-03-2014 |
20140189870 | VISUAL COMPONENT AND DRILL DOWN MAPPING - A drill down manager system may include an introspect module to determine fields for visual components, and a mappings module to map a drill down to a visual component based on the fields and data outputs for the drill down. The system may present the data outputs for the drill down in the visual component mapped to the drill down. | 07-03-2014 |
20140196146 | System, method and computer program product for inserting an emulation layer in association with a COM server DLL - A system, method and computer program product are provided. In use, a COM server dynamic link library is identified. Further, an emulation layer is inserted in association with the COM server dynamic link library to emulate interfaces exported by the COM server dynamic link library. As an option, it may be determined whether the COM server DLL is loaded, and the emulation layer may be inserted in response to the determination. | 07-10-2014 |
20140196147 | APPARATUS METHOD AND MEDIUM FOR DETECTING PAYLOAD ANOMALY USING N-GRAM DISTRIBUTION OF NORMAL DATA - A method, apparatus and medium are provided for detecting anomalous payloads transmitted through a network. The system receives payloads within the network and determines a length for data contained in each payload. A statistical distribution is generated for data contained in each payload received within the network, and compared to a selected model distribution representative of normal payloads transmitted through the network. The model payload can be selected such that it has a predetermined length range that encompasses the length for data contained in the received payload. Anomalous payloads are then identified based on differences detected between the statistical distribution of received payloads and the model distribution. The system can also provide for automatic training and incremental updating of models. | 07-10-2014 |
20140196148 | Methods and systems for preventing security breaches - A security payload is attached to a received binary executable file. The security payload is adapted to intercept application programming interface (API) calls to system resources from the binary executable file via export address redirection back to the security payload. Upon execution of the binary executable file, the security payload replaces system library export addresses within a process address space for the binary executable file with security monitoring stub addresses to the security payload. Upon the binary executable computer file issuing a call to a given API, the process address space directs the call to the given API back to the security payload via one of the security monitoring stub addresses that is associated with the given API. The security payload then can assess whether the call to the given API is a security breach. | 07-10-2014 |
20140201835 | IDENTITY THEFT COUNTERMEASURES - In some embodiments, techniques for computer security comprise preventing and/or mitigating identity theft such as phishing. | 07-17-2014 |
20140201836 | Automated Internet Threat Detection and Mitigation System and Associated Methods - A risk assessment and managed security system for network users provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response. A proactive, intelligence-driven and customized approach is taken to protect network users. Assessments of threats are made before and after a breach. Cyber threats are identified in advance of a resulting network problem, and automated analysis locates the threats and stops them from having an adverse effect. Humans can focus on the high-level view, instead of looking at every single potential problem area. Troubling patterns may be reviewed within the network environment to identify issues. Cyber analysis is conducted to provide a baseline over time via statistically proven, predictive models that anticipate vulnerabilities brought on by social-media usage, Web surfing and other behaviors that invite risk. | 07-17-2014 |
20140201837 | METHODS AND SYSTEMS TO DETECT AN EVASION ATTACK - A method and system to detect an evasion attack are provided. The system may include a repository to store signature fragments that together constitute an attack signature, an interceptor to intercept a data packet associated with a network connection, a string-matching module to determine whether the payload of the data packet includes any of the stored signature fragments thereby identifying a match, a responder to perform a prevention action in response to the match, and a detector to detect that a size of the data packet is less than a size threshold. The system may further include a state machine to commence maintaining a state for the network connection in response to the detector determining that the size of the data packet is less than the size threshold. | 07-17-2014 |
20140201838 | SYSTEMS AND METHODS FOR DETECTING AND MITIGATING THREATS TO A STRUCTURED DATA STORAGE SYSTEM - Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). Score(s) for the operation(s) or event(s) may be generated using a plurality of scoring algorithms, and potential threats among the operation(s) or event(s) may be identified using the score(s). | 07-17-2014 |
20140208424 | IMPOSTER ACCOUNT DETECTION AND REMEDIATION IN A SOCIAL NETWORKING SYSTEM - When a request to connect a requesting user to a target user is received by the social networking system, information associated with the requesting user and with users connected to the target user is retrieved. A fraud probability score indicating a probability that the requesting user is impersonating a user connected to the target user is determined based on the information associated with the requesting user and with users connected to the target user. Based on the fraud probability score, a determination is made whether the requesting user is a suspected imposter, and remedial action is taken if an imposter is suspected. | 07-24-2014 |
20140208425 | Agent Based Application Reputation System for Operating Systems - A method for implementing a security agent on behalf of a device, the method comprising: obtaining a list of applications installed on the device from a remote repository; for each respective application on the list, comparing reputation attributes obtained from a reputation database against attributes of the application installed on the device; and for any of the respective applications for which it is determined from the comparing that the application installed on the device is malicious, taking action to limit malicious activity by the respective application installed on the device. | 07-24-2014 |
20140208426 | SYSTEMS AND METHODS FOR DYNAMIC CLOUD-BASED MALWARE BEHAVIOR ANALYSIS - A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content. | 07-24-2014 |
20140208427 | APPARATUS AND METHODS FOR DETECTING DATA ACCESS - The following abstract is not intended as a limiting description of the invention. Apparatus and methods are provided for detecting in real-time, data access in an information or file system and generating an alert to indicate a type of access. File activity is monitored on a network device over discrete, uninterrupted time periods. A determination is made whether a minimum number of files within a group of files were accessed during at least one of the time periods. If enough files were accessed during the time period a determination is made whether they were all accessed by a single action. The pattern of the file access is analyzed and compared to known patterns of access and an alert may be generated to indicate the results of the comparison. | 07-24-2014 |
20140215613 | ATTACK RESISTANT COMPUTER SYSTEM - A computer system where a second, dedicated processor (sometimes called an SPU, to distinguish from the central processing unit (CPU)) has logic to manage and control an intrusion detection hardware set and an intrusion response hardware set. The intrusion response hardware detects physical intrusions (for example, cryogenic attacks), and the response hardware set responds in various ways to attempt to protect the sensitive data in a volatile memory from the detected physical intrusion. A dedicated power storage device powers the SPU and the intrusion response hardware set. | 07-31-2014 |
20140215614 | SYSTEM AND METHOD FOR A SECURITY ASSESSMENT OF AN APPLICATION UPLOADED TO AN APPSTORE - A method for assessing the level of security of an application to be uploaded to an App Store, comprises: (i) Providing a security system comprising an attack dictionary relevant to a specific device, information regarding security sensitivity grades of subsystems of said device and an Identifier, suitable to recognize the API's related to each of said subsystems and to inspect each line of the code to calculate the maximum security sensitivity grade for each information flow emanating from a given line of code; (ii) For each specific attack present in the attack dictionary, inspecting a code to determine whether the attack is attempted; and (iii) If a suspicion of attack is detected, taking corrective action. | 07-31-2014 |
20140215615 | Apparatus and Method for Characterizing the Risk of a User Contracting Malicious Software - A non-transitory computer readable storage medium includes executable instructions to identify specified network interactions initiated by a client machine. The specified network interactions are compared to normative values to produce a promiscuity score indicative of the risk of the client machine contracting malicious software. Depending upon the promiscuity score, prophylactic actions are optionally applied to the client machine. | 07-31-2014 |
20140215616 | ATTACK NOTIFICATION - Systems, methods, and machine-readable and executable instructions are provided for attack notification. Attack notification can include receiving security-related data from a number of computing devices that are associated with a number of entities through a communication link and analyzing a first portion of the security-related data that is associated with a first entity from the number of entities to determine whether the first entity has experienced an attack. Attack notification can include analyzing a second portion of the security-related data that is associated with a second entity from the number of entities and the first portion of the security-related data that is associated with the first entity to determine whether the second entity is experiencing the attack. Attack notification can include notifying, through the communication link, the second entity that the second entity is experiencing the attack if it is determined that the second entity is experiencing the attack. | 07-31-2014 |
20140215617 | SYSTEM AND METHOD FOR ADVANCED MALWARE ANALYSIS - A system and a method for advanced malware analysis. The method filters incoming messages with a watch-list, the incoming messages including attachments, if an incoming message matches the watch-list, forwards the message to a malware detection engine, strips the attachments from the forwarded message, the one or more attachments including one or more executable files, launches a plurality of sandboxes, executes each of the executable files in the plurality of sandboxes, the sandboxes generating analysis results that may be used to determine whether each executable file is malicious, normalizes the analysis results, evaluates the risk level of the attachments to the forwarded message based on the normalized analysis results of the executable files in the attachments to the forwarded message, and, if the risk level of an attachment to the forwarded message is above a certain level, determines that the forwarded message is malicious and permanently quarantines the forwarded message. | 07-31-2014 |
20140215618 | METHOD AND APPARATUS FOR COMPUTER INTRUSION DETECTION - A method and apparatus for intrusion detection, the method comprising: receiving a description of a computerized system, the description comprising two or more entities, one or more attributes for each entity and one or more statistical rules related to relationships between the entities; receiving data related to activity of the computerized system, the data comprising two or more events; grouping the events into two or more groups associated with the entities; comparing the groups in accordance with the statistical rules, to identify a group not complying with any of the statistical rules. | 07-31-2014 |
20140215619 | WEBSHELL DETECTION AND RESPONSE SYSTEM - A webshell detection and response system is provided. The webshell detection and response system may collect information from a detection target server through an information collection script inserted into a webpage home path of the detection target server without installing a separate web shell detection application compiled in the form of binary file in the detection target server, and determine whether the detection target server is infected with a webshell remotely using the collected information. | 07-31-2014 |
20140215620 | System for Testing Computer Application - This document discloses a method, apparatus, and computer program product for testing a computer program application in a server computer. The method comprises: receiving, from a client device, a test request requesting the server computer to test suspicious behaviour associated with the computer program application; acquiring the computer program application on the basis of the test request; applying at least one test routine to the computer program application and testing for suspicious behaviour associated with the computer program application; creating a test report specifying at least some features of the suspicious behaviour, if any found during the at least one test routine; and communicating the test report to the client device. | 07-31-2014 |
20140215621 | SYSTEM, METHOD, AND APPARATUS FOR PROVIDING NETWORK SECURITY - Methods, systems, and apparatuses for proactively protecting a computing network are disclosed. A proactive security mechanism is disclosed, among other things, with the ability to monitor a protected domain in real-time and safely identify inoculation procedures for responding to threats introduced to the protected domain via malware. The proactive security mechanism includes an Artificial Neural Network Interface (ANNI) configured to execute at least some features of the proactive security mechanism. | 07-31-2014 |
20140215622 | METHOD AND SYSTEM FOR DETECTING RESTRICTED CONTENT ASSOCIATED WITH RETRIEVED CONTENT - In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content. | 07-31-2014 |
20140215623 | System, Method, and Computer Program Product for Identifying Unwanted Data Communicated Via Session Initiation Protocol - A system, method, and computer program product are provided for identifying unwanted data communicated via a session initiation protocol. In use, packets associated with an electronic message communicated over a network utilizing a session initiation protocol are identified. Additionally, it is determined whether the packets include unwanted data. Furthermore, a reaction is performed, based on the determination. | 07-31-2014 |
20140215624 | Method and System for Analysis of Security Events in a Managed Computer Network - An event retrieval and analysis system compares counts of event data for a device to stored profile counts to determine if alerts should be triggered. Event data can be retrieved by a sensor. Rules for analyzing the event data can be retrieved based on the device. The event data is analyzed based on the rules to determine recordable events. Recordable events are organized into categories representing a type or severity of attack. Current event counts are calculated by summing the recordable events for each category. A normal profile is retrieved for the device and compared to the current event count. A percentage change trigger can be retrieved from a threshold matrix based on the current event count. The percentage increase of the current event count over the normal profile is calculated and compared to the percentage change trigger to determine if an alert is triggered by the analysis system. | 07-31-2014 |
20140215625 | DATA LEAKAGE PREVENTION SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PREVENTING A PREDEFINED TYPE OF OPERATION ON PREDETERMINED DATA - A data leakage prevention system, method, and computer program product are provided for preventing a predefined type of operation on predetermined data. In use, an attempt to perform an operation on predetermined data that is protected using a data leakage prevention system is identified. Additionally, it is determined whether a type of the operation attempted includes a predefined type of operation. Furthermore, the operation on the predetermined data is conditionally prevented based on the determination to prevent circumvention of the protection of the data leakage prevention system. | 07-31-2014 |
20140215626 | METHOD AND SYSTEM FOR TRACKING FRAUDULENT ACTIVITY - A method and system for tracking potentially fraudulent activities associated with one or more web sites is disclosed. The system includes a fraud tracking server connected to a fraud tracking database. The fraud tracking server includes a communications module to facilitate the exchange of data between the server and multiple client devices. The fraud tracking server receives data from one or more client devices that identifies a potential spoof site. The fraud tracking server also includes control logic to generate a spoof site tracking record in the fraud tracking database. The spoof site tracking record includes the data identifying the potential spoof site. After the spoof site tracking record has been created, the fraud tracking server notifies an administrator of the potential spoof site by communicating the data received and stored in the fraud tracking database to an administrator. | 07-31-2014 |
20140223560 | MALWARE DETECTION VIA NETWORK INFORMATION FLOW THEORIES - Access is obtained to a plurality of information flow theories for a plurality of malicious programs. The information flow theories include differences in information flows between the malicious programs, executing in a controlled environment, and information flows of known benign programs. Execution of a suspicious program is monitored by comparing runtime behavior of the suspicious program to the plurality of information flow theories. An alarm is output if the runtime behavior of the suspicious program matches at least one of the plurality of information flow theories. | 08-07-2014 |
20140223561 | Domain-specific Hardwired Symbolic Machine - A domain-specific hardwired symbolic machine is disclosed that processes information via the flexible formation and hardwired mapping of symbols from one or more domains onto other such domains, computing and communicating with improved security because it has no CPU, no Random Access Memory (RAM), no instruction registers, no Instruction Set Architecture (ISA), no operating system (OS) and no applications programming. The machine may learn, e.g. from its users, via hardwired analysis of domain faults with associated recovery. The machine may modify itself according to interaction with its authorized authenticated users with self-modification via learning within application-specific, user-specific constraints hardwired into the original machine, eliminating configuration management and computer programming. | 08-07-2014 |
20140223562 | System and Method for Distributed Denial of Service Identification and Prevention - Systems and methods for discovery and classification of denial of service attacks in a distributed computing system may employ local agents on nodes thereof to detect resource-related events. An information layer agent may determine if events indicate attacks, perform clustering analysis to determine if they represent known or unknown attack patterns, classify the attacks, and initiate appropriate responses to prevent and/or mitigate the attack, including sending warnings and/or modifying resource pool(s). The information layer agent may consult a knowledge base comprising information associated with known attack patterns, including state-action mappings. An attack tree model and an overlay network (over which detection and/or response messages may be sent) may be constructed for the distributed system. They may be dynamically modified in response to changes in system configuration, state, and/or workload. Reinforcement learning may be applied to the tuning of attack detection and classification techniques and to the identification of appropriate responses. | 08-07-2014 |
20140223563 | DYNAMIC PROVISIONING OF PROTECTION SOFTWARE IN A HOST INSTRUSION PREVENTION SYSTEM - Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer. | 08-07-2014 |
20140223564 | SYSTEM AND METHOD FOR PATTERN MATCHING IN A NETWORK SECURITY DEVICE - A pattern matching system for a network security device includes a pattern matching card configured to generate a pattern matching result by matching data of a received packet with a pre-stored pattern of a signature pattern table, and an analyzing engine configured to copy the packet and transfer the copied packet to the pattern matching card and configured to detect a bad traffic based on packet analysis information of the packet and the pattern matching result received from the pattern matching card. The analyzing engine is configured to detect a bad traffic based on a pattern matching result for a single packet and packet analysis information during a single-packet-based analysis and is configured to detect a bad traffic based on a pattern matching result for successive packets and packet analysis information during a multi-packet-based analysis. | 08-07-2014 |
20140223565 | Apparatus And Method For Identifying Similarity Via Dynamic Decimation Of Token Sequence N-Grams - An apparatus for identifying related code variants or text samples includes processing circuitry configured to execute instructions for receiving query binary code, processing the query binary code to generate one or more query code fingerprints comprising compressed representations of respective functional components of the query binary code, generating token sequence n-grams of the fingerprints, hashing the n-grams, partitioning samples by length to compare selected samples based on length, and identifying similarity via dynamic decimation of token sequence n-grams. | 08-07-2014 |
20140237594 | METHODS AND SYSTEMS FOR API-LEVEL INTRUSION DETECTION - This disclosure generally relates to computer security, and more particularly to methods and systems for application programming interface (API)-level intrusion detection. In some embodiments, a computer-readable medium is disclosed, storing instructions for: receiving an API call for a service at an API sandbox module; parsing the API call to extract at least one of: an API call name and/or one or more API call parameters; generating a copy of the at least one of: the API call name and/or the one or more API call parameters; determining, via an intrusion detection rules execution engine, whether the API call violates one or more security rules obtained from a security rules object, using the copy of the at least one of: the API call name and/or the one or more API call parameters; and providing an indication of whether the API call violates the one or more security rules. | 08-21-2014 |
20140237595 | APIs for Obtaining Device-Specific Behavior Classifier Models from the Cloud - The various aspects provide a system and methods implemented on the system for generating a behavior model on a server that includes features specific to a mobile computing device and the device's current state/configuration. In the various aspects, the mobile computing device may send information identifying itself, its features, and its current state to the server. In response, the server may generate a device-specific lean classifier model for the mobile computing device based on the device's information and state and may send the device-specific lean classifier model to the device for use in detecting malicious behavior. The various aspects may enhance overall security and performance on the mobile computing device by leveraging the superior computing power and resources of the server to generate a device-specific lean classifier model that enables the device to monitor features that are actually present on the device for malicious behavior. | 08-21-2014 |
20140237596 | ROBUST MALWARE DETECTOR - A system, method and computer readable medium for detecting and diffusing malware on a computer. Malware is analysed to generate signatures and determine a fixing moment. All of the system calls of the operating system of a client computer are hooked and processed without emulation or the need for unpackers or decrypters, and a multi-level filter removes all system calls that are not associated with malware. The resulting system calls are accumulated on a per-thread basis and scanned, and the relevant threads are compared with the signatures to match with malware. The threads associated with malware are addressed at the fixing moment before the malware can operate to cause undesirable effects on the client computer. | 08-21-2014 |
20140237597 | AUTOMATIC SIGNATURE GENERATION FOR MALICIOUS PDF FILES - In some embodiments, automatic signature generation for malicious PDF files includes: parsing a PDF file to extract script stream data embedded in the PDF file; determining whether the extracted script stream data within the PDF file is malicious; and automatically generating a signature for the PDF file. | 08-21-2014 |
20140245439 | Systems and Methods for Detection and Suppression of Abnormal Conditions Within a Networked Environment - Systems and methods are provided for handling a malicious computer-related security event that occurs at central network access points of the Internet involving networks of autonomous and different internet service providers. A system includes a non-signature based security event detection software system operating on a first computer connected to a first network of a first internet service provider, where the non-signature based security event detection software system detects the security event by examining runtime state of the first computer. A security event management software system operates on a processor-based platform and has access to security event detection results generated by the non-signature based security event detection software system. | 08-28-2014 |
20140245440 | Software Inspection System - A method for software inspection analyzes a body of computer code to assess whether the body of computer code contains malware. Various embodiments extract the executable elements of the body of computer code and modify those elements using rules defining the format of instructions for the programming language in which the computer code was written, and using rules defined from the security specification of that programming language, to produce a model of the body of computer code. The method then analyzes the model using a model checking system, which determines whether any of the language rules have been violated, in which case the method flags the computer code as potentially including malware. | 08-28-2014 |
20140245441 | APPARATUS FOR ANALYZING VULNERABILITY OF WIRELESS LOCAL AREA NETWORK - Disclosed herein is an apparatus for analyzing the vulnerability of a wireless local area network (LAN). The apparatus includes a collection unit, an analysis unit, and an attack unit. The collection unit collects packets transmitted and received in a wireless LAN service. The analysis unit analyzes the state of a network using the collected packets. The attack unit makes a wireless attack against an attack target using the state of the network, and controls the mode switching of a device driver based on an operating mode. | 08-28-2014 |
20140245442 | DEVICE-SPECIFIC CONTENT DELIVERY - Devices of an individual's device-sphere recognize risky or undesirable behavior requested by devices outside of the device-sphere and allow the user to prevent the behavior. The user's decision is stored and used to protect all devices of the user's device-sphere from similar risky behavior from the outside devices. If the choice is made for all devices of the user's device-sphere, the choice is broadcast to other devices of the user's device-sphere such that other devices can benefit from the choice made by the user. | 08-28-2014 |
20140245443 | Cyber Defense Systems And Methods - Cyber defense systems and methods protect an enterprise system formed of a plurality of networked components. Connectivity and relationship information indicative of connectivity and behavior of the components are collected. A relationship graph is created based upon the connectivity data and the relationship data, wherein nodes of the relationship graph represent the components and edges of the graph represent connectivity and relationships. At least part of the relationship graph is stored to form a chronology. The relationship graph and the chronology are analyzed to predict connectivity and relationship changes within the enterprise system, and a first anomaly is identified when the current connectivity and relationships do not match the prediction. | 08-28-2014 |
20140250527 | METHOD AND DEVICE FOR DETERMINING PROPAGATION RELATIONSHIP OF TROJAN HORSE FILES - A method performed by a computer system determines propagation relationships of Trojan horse files. A current Trojan horse file is stored into a corresponding current level of a propagation relationship tree. A condition of the current Trojan horse file or of the propagation relationship tree is assessed. The following steps are repeated until the condition is satisfied: search Trojan horse files for a parent, child or sibling relative to the current Trojan horse file, identify one of the Trojan horse files as the current Trojan horse file, and store the current Trojan horse file into a corresponding current level of the propagation relationship tree. When the condition is satisfied, the propagation relationship tree is displayed. The storing of the current Trojan horse file may include storing an identifier of the current Trojan horse file, which may include data abstraction output, and/or a downloading address of the current Trojan horse file. | 09-04-2014 |
20140250528 | ELECTRONIC CONTROL UNIT WITH VEHICLE INTRUSION DETECTION - An electronic control unit is provided for installation in a vehicle. The electronic control unit is operable to provide intrusion detection for the vehicle electronic systems. The electronic control unit comprises: a processor; a memory; and an interface to a vehicle network bus coupled to vehicle electronic control units. The processor utilizes the interface to monitor data on the vehicle network bus. An intrusion detection program is stored in the memory and is executable by the processor. The processor utilizes the intrusion detection program to detect one or more anomalies in the monitored data. The electronic control unit generates an alert upon detection of one or more anomalies. | 09-04-2014 |
20140250529 | MOBILE ROUTER WITH VEHICLE INTRUSION DETECTION - An embodiment is provided of a mobile router for installation in a vehicle comprising a vehicle network bus coupled to a plurality of electronic control units. The mobile router comprises: a processor; a memory comprising a plurality of programs; a wireless wide area network interface; a wireless local area network interface; and an interface to the vehicle network bus coupled to vehicle electronic control units. The processor utilizes the interface to monitor data on the vehicle network bus. The plurality of programs comprises an intrusion detection program executable by the processor to detect one or more anomalies in the monitored data; and to generate an alert upon detection of one or more anomalies. | 09-04-2014 |
20140250530 | METHOD FOR VEHICLE ELECTRONIC SYSTEM INTRUSION DETECTION - An embodiment is provided of a mobile router for installation in a vehicle comprising a vehicle network bus coupled to a plurality of electronic control units. The mobile router comprises: a processor; a memory comprising a plurality of programs; a wireless wide area network interface; a wireless local area network interface; and an interface to the vehicle network bus coupled to vehicle electronic control units. The processor utilizes the interface to monitor data on the vehicle network bus. The plurality of programs comprises an intrusion detection program executable by the processor to detect one or more anomalies in the monitored data; and to generate an alert upon detection of one or more anomalies. | 09-04-2014 |
20140250531 | METHOD FOR VEHICLE INTRUSION DETECTION WITH ELECTRONIC CONTROL UNIT - A method of operating a predetermined electronic control unit is provided for a vehicle comprising: a vehicle network bus and one or more electronic control units coupled to the bus. The method comprises: providing the predetermined electronic control unit with a processor, a memory, an interface to the vehicle network bus, and an intrusion detection program. The method further comprises: utilizing the predetermined electronic control unit to monitor data on the vehicle network bus; executing the intrusion detection program to detect one or more anomalies in the monitored data; and utilizing the predetermined electronic control unit to generate an alert upon detection of one or more anomalies. | 09-04-2014 |
20140259166 | TAMPER RESISTANT VIDEO RENDERING - Video media subscribers attempt to circumvent embedded ads in downloads by modifying the media files to render only the content feature. A media program is defined as an integrated set of media files including the requested content feature and the accompanying promotional materials. Media files associated with a particular content feature are stored as an integrated whole, and security tokens are computed on selected random portions of the collection of media files that define the media program (content feature and interspersed ads). A hash engine computes a security token on selected blocks of the media files. The security tokens and corresponding metadata are stored in a secure repository. Before rendering the content feature, the hash values are recomputed on the downloaded media program and compared to the corresponding locations from the stored hash values and metadata. | 09-11-2014 |
20140259167 | BEHAVIOR BASED APPLICATION BLACKLISTING - A network system and a method for detecting behavior in a network device are provided. The method includes generating a list of one or more prohibited behaviors, generating a list of one or more corrective actions, mapping each of the one or more prohibited behaviors to at least one of the one or more corrective actions, identifying one or more of a user, a process or an application involved in a prohibited behavior, and applying, to the one or more of the user, the process or the application involved in the prohibited behavior, the at least one of the one or more corrective actions mapped to the prohibited behavior performed. | 09-11-2014 |
20140259168 | MALWARE IDENTIFICATION USING A HYBRID HOST AND NETWORK BASED APPROACH - Identifying malware on a user device allows corrective actions, such as removing the malware, to be taken. Malware can be detected using a hybrid approach that uses both network based devices and an agent running on the user device. The network based devices can detect network traffic associated with malware that is sent to or from the user device. A notification can be generated and sent to the user device, which uses information in the notification to identify possible malware on the user device. | 09-11-2014 |
20140259169 | VIRTUAL MACHINES - In one implementation, a secure computing method includes deploying a plurality of detector forensic virtual machines, receiving an indication of the presence of an identified threat signature from a plurality of threat signatures, and deploying, in response to the indication, an analysis forensic virtual machine to verify a presence of a threat within the computer system. Each detector forensic virtual machine from the plurality of detector forensic virtual machines is configured to identify a presence of a threat signature from the plurality of threat signatures within the computer system. The indication is received from the detector forensic virtual machine from the plurality of forensic virtual machines configured to identify the presence of the identified threat signature from the plurality of threat signatures. | 09-11-2014 |
20140259170 | Internet Security Cyber Threat Reporting System and Method - A risk assessment and managed security system for network users provides security services for dealing with formidable cyber threats, malware creations and phishing techniques. Automated solutions in combination with human-driven solutions establish an always-alert positioning for incident anticipation, mitigation, discovery and response. Assessments of threats are made and reported to a client system being monitored. The system provides an ability to receive in different file formats, and/or export from leading IT asset products asset lists for client enterprise computer systems and infrastructure, so that assets are linked to the client computer systems that are described in an incident that is being reported to the client. | 09-11-2014 |
20140259171 | TUNABLE INTRUSION PREVENTION WITH FORENSIC ANALYSIS - An intrusion prevention system for use in a networked server-client system includes a server interactively connected with a client over a network, the server including: a user device activity sensor configured to detect one or more of activity and inactivity; an intrusion alarm prompter configured to prompt an alarm under predetermined conditions; and intrusion event correlation software operably connected with the user device activity sensor, wherein the intrusion event correlation software is operably connected with the intrusion alarm prompter, so as to prevent intrusions into the server-client system. | 09-11-2014 |
20140259172 | Multilayered Deception for Intrusion Detection and Prevention - Concepts and technologies are disclosed herein for multilayered deception for intrusion detection. According to various embodiments of the concepts and technologies disclosed herein, a multilayer deception system includes honey servers, honey files and folders, honey databases, and/or honey computers. A multilayer deception system controller generates honey activity between the honey entities and exposes a honey profile with contact information associated with a honey user. Contact directed at the honey user and/or activity at any of the honey entities can trigger alarms and/or indicate an attack, and can be analyzed to prevent future attacks. | 09-11-2014 |
20140283046 | ANTI-MALWARE SCANNING OF DATABASE TABLES - Technologies for determining malware may include causing a query of contents of a field of a database. The field may include a large object. The technologies may also include obtaining results of the query of the contents of the field and determining whether the results of the query of the contents of the field indicate malware. | 09-18-2014 |
20140283047 | INTELLIGENT CYBERPHYSICAL INTRUSION DETECTION AND PREVENTION SYSTEMS AND METHODS FOR INDUSTRIAL CONTROL SYSTEMS - The embodiments described herein include a system and a method. In one embodiment, a system includes a device monitoring component configured to measure control system behavior and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network. The intrusion prevention system includes a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a first rule set to determine whether an anomaly, an intrusion, or both are present. | 09-18-2014 |
20140283048 | DATA TREND ANALYSIS - According to an example, a method for data trend analysis may include retrieving data from data sources, associating the data with a time, and identifying co-occurrences of terms and concepts within the data. In response to determining that co-occurrences of term and concept pairs reach a predefined threshold, the method may include adding the term and concept pairs to an ontology. The method may include logging occurrences of terms in the ontology within the data with respect to associated data times, identifying a plurality of time periods, and for one of the plurality of time periods and for the logged terms, determining a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period, and determining a second score indicative of a commonality of a presence of the logged term within the data among the plurality of time periods. | 09-18-2014 |
20140283049 | HANDLING INFORMATION SECURITY INCIDENTS - Methods, systems, computer-readable media, and apparatuses for handling information security incidents are presented. In some embodiments, a computing device may receive information indicating that a network address is associated with an information security incident. Subsequently, the computing device may monitor activity associated with the network address. Based on the monitoring, the computing device may determine whether the network address represents an information security threat. In response to determining that the network address represents an information security threat, the computing device may cause one or more remediation actions to be performed. In some arrangements, the information security incident may be a denial of service attack. In additional or alternative arrangements, the network address may be located in a particular net block, and the computing device may evaluate one or more remediation criteria, which may include analyzing network activity for one or more other addresses that are located within the net block. | 09-18-2014 |
20140283050 | METHOD AND APPARATUS FOR COLLECTING INFORMATION FOR IDENTIFYING COMPUTER ATTACK - A computer-implemented method and apparatus for identifying attacks, comprising: receiving information related to a computerized network, the information comprising description of the network and events occurring within the network; processing the events, comprising determining whether additional data is required; responsive to determining that additional information is required, collecting the additional information and processing the additional information; and providing attack information based on the information and on the additional information, wherein the additional information is more resource consuming to obtain or process than the information. | 09-18-2014 |
20140283051 | SYSTEM AND METHOD THEREOF FOR MITIGATING DENIAL OF SERVICE ATTACKS IN VIRTUAL NETWORKS - A method for efficient mitigation of denial of service (DoS) attacks in a virtual network. The method maintains a security service level agreement (SLA) guaranteed to protected objects. The method comprises ascertaining that a denial of service (DoS) attack is performed in the virtual network; checking if the DoS attack affects at least one physical machine hosting at least one protected object, wherein the protected object is provisioned with at least a guaranteed security service level agreement (SLA); determining, by a central controller of the virtual network, an optimal mitigation action to ensure the at least one security SLA guaranteed to the at least one protected object; and executing the determined optimal mitigation action to mitigate the DoS attack, wherein the optimal mitigation action is facilitated by means of resources of the virtual network. | 09-18-2014 |
20140283052 | HETEROGENEOUS SENSORS FOR NETWORK DEFENSE - Heterogeneous sensors simultaneously inspect network traffic for attacks. A signature-based sensor detects known attacks but has a blind spot, and a machine-learning based sensor that has been trained to detect attacks in the blind spot detects attacks that fail to conform to normal network traffic. False positive rates of the machine-learning based sensor are reduced by iterative testing using statistical techniques. | 09-18-2014 |
20140283053 | SYSTEMS AND METHODS FOR ZONE-BASED INTRUSION DETECTION - Systems and methods for zone-based intrusion detection are described herein. The system may comprise a multi-tenant system; a server communicatively coupled with the multi-tenant system; a zone-based intrusion detection module running on the server; a zone within the server, the zone being a tenant and including at least one process running on it; and a debugger module that examines the process in real-time. | 09-18-2014 |
20140283054 | Automatic Fraudulent Digital Certificate Detection - A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that the service receives from these sites. In response to a request to access a target site the computing device receives a current digital certificate from the target site. The computing device determines whether the current digital certificate is genuine or fraudulent based on one or more of previously received digital certificates for the target site, confirmation certificates received from the certificate screening service, and additional characteristics of the digital certificates and/or the target site. | 09-18-2014 |
20140283055 | PROVIDING ALERTS BASED ON UNSTRUCTURED INFORMATION METHODS AND APPARATUS - A system, method, and apparatus for providing alerts based on unstructured information are disclosed. An example method includes receiving a data item from a remotely located information source, the data item including unstructured information. The method also includes determining a threat score for the data item by matching information associated with the data item to pre-identified information associated with a numerical value. The method further includes responsive to the threat score exceeding a predetermined threshold, creating a Common Alerting Protocol data structure that includes at least a portion of the information associated with the data item and transmitting the Common Alerting Protocol data structure. | 09-18-2014 |
20140283056 | Linear Address Mapping Protection - Technologies for securing an electronic device include determining addresses of one or more memory pages, injecting for each memory page a portion of identifier data into the memory page, storing an indication of the identifier data injected into each of the memory pages, determining an attempt to access at least one of the memory pages, determining any of the identifier data present on a memory page associated with the attempt, comparing the indication of the identifier data with the determined identifier data present on the memory page, and, based on the comparison, determining whether to allow the access. | 09-18-2014 |
20140283057 | TCP VALIDATION VIA SYSTEMATIC TRANSMISSION REGULATION AND REGENERATION - The present invention provides a technique for validating TCP communication between a client requesting resources and a server providing requested resources to protect the specified server from a denial of service attack wherein a plurality of clients initiate communication with a server, but do not complete the communication for the purpose of denying service to the server from other legitimate clients. Through systematic transmission regulation of TCP packets, an intermediary apparatus or set of apparatuses, can, to a high degree of certainty, validate client connections to protect the server from this saturated condition. The communication is then reproduced by the apparatus or apparatuses. | 09-18-2014 |
20140283058 | GENERIC UNPACKING OF APPLICATIONS FOR MALWARE DETECTION - A technique for detecting malware in an executable allows unpacking of a packed executable before determining whether the executable is malware. In systems with hardware assisted virtualization, hardware virtualization features may be used to iteratively unpack a packed executable in a controlled manner without needing knowledge of a packing technique. Once the executable is completely unpacked, malware detection techniques, such as signature scanning, may be employed to determine whether the executable contains malware. Hardware assisted virtualization may be used to facilitate the scanning of the run-time executable in memory. | 09-18-2014 |
20140283059 | Continuous Monitoring of Computer User and Computer Activities - Methods, systems, and computer programs are presented for securing a computer device. One method includes an operation for capturing interaction data for a user interfacing with the computer device, the interaction data including keyboard inputs and screen captures taken periodically. Further, the method includes operations for extracting semantic meaning of the interaction data, and generating a schema, based on the extracted semantic meaning, to create meaningful tags for the interaction data. The schema is analyzed based on a model in order to identify security threats, and an alarm is created when non-conforming behavior for the model is detected. | 09-18-2014 |
20140283060 | MITIGATING VULNERABILITIES ASSOCIATED WITH RETURN-ORIENTED PROGRAMMING - The disclosed embodiments provide a system that operates a processor in a computer system. During operation, the system identifies one or more return sites associated with a call instruction of a software program. Next, the system restricts execution of a return from the call instruction by the processor to the one or more return sites. | 09-18-2014 |
20140283061 | ATTACK DETECTION AND PREVENTION USING GLOBAL DEVICE FINGERPRINTING - This disclosure describes a global attacker database that utilizes device fingerprinting to uniquely identify devices. For example, a device includes one or more processors and network interface cards to receive network traffic directed to one or more computing devices protected by the device, send, to the remote device, a request for data points of the remote device, wherein the data points include characteristics associated with the remote device, and receive at least a portion of the requested data points. The device also includes a fingerprint module to compare the received portion of the data points to sets of data points associated with known attacker devices, and determine, based on the comparison, whether a first set of data points of a first known attacker device satisfies a similarity threshold. The device also includes a security module to selectively manage, based on the determination, additional network traffic directed to the computing devices. | 09-18-2014 |
20140283062 | APPARATUS, SYSTEM AND METHOD FOR SUPPRESSING ERRONEOUS REPORTING OF ATTACKS ON A WIRELESS NETWORK - According to one embodiment, a method for suppressing erroneous alert messages for suspected network attacks comprises a first operation of determining an intrusion event. This may be conducted at a first network device. Then, the intrusion event is verified prior to transmission of the alert message. The verification may be conducted at a second network device. Thereafter, transmission of the alert message is suppressed in response to verifying that the intrusion event has been erroneously determined. | 09-18-2014 |
20140283063 | System and Method to Manage Sinkholes - A system and method operable to manage and/or distribute sinkholes. | 09-18-2014 |
20140283064 | NETWORK ATTACK OFFENSIVE APPLIANCE - A network system for launching a cyber-offensive countermeasure to improve network security is provided. For example, a system that enables launching a cyber-offensive countermeasure on a network may include a receiving section that receives packets routed on the network and analyzes the received packets to detect an attack directed toward a device on the network when the attack is external to the device, an editing section that edits the received packets, and a transmitting section that transmits the edited packets on the network. | 09-18-2014 |
20140283065 | SERVER-ASSISTED ANTI-MALWARE CLIENT - A host-based antimalware client can interface with a server-based antimalware support server. A file is identified at a host device. It is determined whether local reputation data for the file is available at the host device for the file. A query is sent to an antimalware support system relating to the file. Particular reputation data is received from the antimalware support system corresponding to the query. It is determined whether to allow the file to be loaded on the host device based at least in part on the particular reputation data. | 09-18-2014 |
20140283066 | SERVER-ASSISTED ANTI-MALWARE CLIENT - An antimalware support system is provided to support one or more host-based antimalware clients. A query is received from a particular host device that identifies a file detected by an antimalware tool local to the particular host device. Reputation data is determined for the file, and a response to the query is sent to the particular host device. The query response includes the reputation data determined for the file. | 09-18-2014 |
20140283067 | DETECTING THE INTRODUCTION OF ALIEN CONTENT - A computer-implemented method for identifying abnormal computer behavior includes receiving, at a computer server subsystem, data that characterizes subsets of particular document object models for web pages rendered by particular client computers; identifying clusters from the data that characterize the subsets of the particular document object models; and using the clusters to identify alien content on the particular client computers, wherein the alien content comprises content in the document object models that is not the result of content that is the basis of the document object model served. | 09-18-2014 |
20140283068 | PROTECTING AGAINST THE INTRODUCTION OF ALIEN CONTENT - In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client. | 09-18-2014 |
20140283069 | PROTECTING AGAINST THE INTRODUCTION OF ALIEN CONTENT - In one implementation, a computer-implemented method can identify abnormal computer behavior. The method can receive, at a computer server subsystem and from a web server system, computer code to be served in response to a request from a computing client over the internet. The method can also modify the computer code to obscure operational design of the web server system that could be determined from the computer code, and supplement the computer code with instrumentation code that is programmed to execute on the computing client. The method may serve the modified and supplemented computer code to the computing client. | 09-18-2014 |
20140283070 | COMPUTER NETWORK ATTRIBUTE BILATERAL INHERITANCE - Current approaches to managing security intelligence data often address both threat and malicious behavior at the individual computer level, tracked by the Internet Protocol (IP) address. For example, important facts, observed behavior, and other indications that are tracked by security organizations are only tracked with respect to individual IP addresses. Bilateral network inheritance generally refers to inheriting a variety of attributes from parents to children and from children to parents in a computer network hierarchy. The computer network hierarchy may comprise various entities such as, for example, top level entities, autonomous systems, address ranges, and individual IP addresses. | 09-18-2014 |
20140283071 | APPLICATION MALWARE ISOLATION VIA HARDWARE SEPARATION - A system for application malware isolation via hardware separation for use in a networked server-client system in the event of a possible malicious intrusion including a client; and a remote application physically separate from the client, the remote application interactively connected with the client over an encrypted network, the remote application comprising an isolation encoding module configured to create a secure version of potentially malicious client content, the remote application further comprising an application isolation container configured to run operations of interest to the client, so as to perform application malware isolation via hardware separation in the server-client system. | 09-18-2014 |
20140283073 | MANAGING ROGUE DEVICES THROUGH A NETWORK BACKHAUL - Managing rogue devices in a network through a network backhaul. A rogue device is detected in a network and a rogue device message that includes the rogue device is sent to a plurality of switches in a backhaul of the network. The rogue device is added into a rogue monitor table. Whether the rogue device is In-Net or Out-Of-Net is determined using forwarding tables of the plurality of switches in the backhaul of the network and the rogue monitor table. Mitigation is performed using a nearest switch to the rogue device of the plurality of switches in the backhaul of the network if it is determined that the rogue device is In-Net. | 09-18-2014 |
20140283074 | METHOD AND SYSTEM FOR PROTECTIVE DISTRIBUTION SYSTEM (PDS) AND INFRASTRUCTURE PROTECTION AND MANAGEMENT - A method and system for managing a protective distribution system is disclosed. The method includes monitoring an information transmission line, detecting a disturbance on the information transmission line, displaying the disturbance as a graphical representation, comparing the disturbance to a preset threshold, and triggering an alert if the disturbance is greater than the preset threshold or the number of disturbances less than the preset threshold meets a preset number within a preset time period. A system for managing a protective distribution system is also provided. The system includes a set of instructions which when executed causes a processor to perform a method for managing an information transmission line. The system further includes an intrusion detector, an optical line terminal and/or network switch, an optical circuit switch, an optical test access point device, and a network analytic tool. | 09-18-2014 |
20140283075 | STORAGE APPLIANCE AND THREAT INDICATOR QUERY FRAMEWORK - Systems are described for capturing network traffic data and efficiently storing the data on solid state storage devices. The systems can include a capture process module, a storage management module, and a query module. The storage management module can include circuitry configured to hold an arbitrarily large number of solid state storage devices configured to appear to a host system as a single large solid state drive. | 09-18-2014 |
20140289851 | Malware Discovery Method and System - A process for identifying potentially harmful malware, comprises the steps of: a) identifying an executable that is about to run; b) providing a monitoring agent that monitors all threads that are descendent of a thread initiated by the process of said executable; and c) configuring said monitoring agent to conclude that a high probability of malware presence exists, if one of said descendent threads reaches a target process in which suspicious patches are created. | 09-25-2014 |
20140289852 | SYSTEMS AND METHODS FOR REMOTE MONITORING, SECURITY, DIAGNOSTICS, AND PROGNOSTICS - A system includes a physical analysis module, a cyber analysis module, and a determination module. The physical analysis module is configured to obtain physical diagnostic information, and to determine physical analysis information using the physical diagnostic information. The cyber analysis module is configured to obtain cyber security data of the functional system, and to determine cyber analysis information using the cyber security data. The determination module is configured to obtain the physical analysis information and the cyber analysis information, and to determine a state of the functional system using the physical analysis information and the cyber analysis information. The state determined corresponds to at least one of physical condition or cyber security threat. The determination module is also configured to identify if the state corresponds to one or more of a non-malicious condition or a malicious condition. | 09-25-2014 |
20140289853 | REMOTE MALWARE REMEDIATION - An opportunity to assist with remediation of a file at a remote particular host device is identified. One or more remediation techniques are identified that can be applied to assist with remediation of the file at the particular host device. In one aspect, one or more remediation scripts are identified from a plurality of remediation scripts for remediation of the file and provided to the particular host device for execution on the particular host device. In another aspect, a remediation tool is identified and launched on a computing device remote from the particular host device with operations of the remediation tool applied to resources of the particular host device. In another aspect, at least a portion of the remediation techniques are remotely initiated to be performed locally at the particular host device. | 09-25-2014 |
20140289854 | METHOD FOR THWARTING APPLICATION LAYER HYPERTEXT TRANSPORT PROTOCOL FLOOD ATTACKS FOCUSED ON CONSECUTIVELY SIMILAR APPLICATION-SPECIFIC DATA PACKETS - The present invention provides a methodology to thwart attacks that utilize consecutive hypertext transport protocol packets with similar structures, arriving from a plurality of computer systems on a network, such as the Internet, destined for a single or more computer systems on a secondary network, at such a rate with sufficient complexity to produce an effect on the target computer system or systems such that legitimate clients are denied access to requested services, thus creating a “denial of service” situation. The methodology focuses on the dynamic and proactive reassessment of data packet payload content to maintain a running value of similarity or dissimilarity, thus permitting intermediary apparatuses that are performing this computation to create distinction between legitimate clients and illegitimate clients. | 09-25-2014 |
20140289855 | DETECTING WEB BROWSER BASED ATTACKS USING BROWSER DIGEST COMPUTE TESTS USING DIGEST CODE PROVIDED BY A REMOTE SOURCE - The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken. | 09-25-2014 |
20140289856 | Method and Device for Optimizing and Configuring Detection Rule - A method and a device for optimizing and configuring a detection rule, where the method includes: a network entity receives network traffic; extracts a packet from the network traffic, and identifies, according to a feature of the packet, protocol related information used in the network; saves the protocol related information and correspondence between pieces of information in the protocol related information to a first learning association table; and matches a corresponding rule from a vulnerability rule base according to the protocol related information to generate a first compact rule set. Through the generated compact rule set in the present invention, subsequent protocol detection is performed only for a protocol threat that may occur in a live network; therefore, content that needs to be detected subsequently is reduced, the detection efficiency is improved, and unnecessary performance consumption is avoided at the same time. | 09-25-2014 |
20140298460 | MALICIOUS UNIFORM RESOURCE LOCATOR DETECTION - The techniques described herein use training data to train classification models to detect malicious Uniform Resource Locators (URLs) that target authentic resources (e.g., Web page, Web site, or other network locations accessed via a URL). The techniques train the classification models using one or more machine learning algorithms. The training data may include known benign URLs and known malicious URLs (e.g., training URLs) that are associated with a target authentic resource. The techniques then use the trained classification models to determine whether an unknown URL is a malicious URL. The malicious URL determination may be based on one or more lexical features (e.g., brand name edit distances for a domain and path of the URL) and/or site/page features (e.g., a domain age and a domain confidence level) extracted. | 10-02-2014 |
20140298461 | DISTRIBUTED TRAFFIC PATTERN ANALYSIS AND ENTROPY PREDICTION FOR DETECTING MALWARE IN A NETWORK ENVIRONMENT - Technologies are provided in embodiments to detect malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the entropy rate to an average entropy rate, and to determine a probability that the potentially affected system is infected with malware. The probability is based, at least in part, on a result of the comparison. More specific embodiments can include the received entropy rate being generated, at least in part, by a genetic program. Additional embodiments can include a configuration to provide the potentially affected system with a specified time-span associated with the genetic program. The specified time-span indicates an amount of time to observe context information on the potentially affected system. In at least some embodiments, the result of the comparison includes an indicator of whether the entropy rate correlates to an infected system or a healthy system. | 10-02-2014 |
20140298462 | Restricted Software Automated Compliance - Automated restricted software compliance may be provided. Periodic scans may be performed to identify applications as potentially restricted applications. Upon identifying a restricted application, a notification of the presence of the restricted application and a proposed remedial action may be provided. If the restricted application is not removed, the remedial action may be performed. | 10-02-2014 |
20140298463 | Information Processing Method, Device, and Server - Embodiments of the present invention provide an information processing method, device, and server, relating to the technical field of communications, and solving the problem of a user continuously releasing illegal information in the network. The method comprises: receiving network information; determining, according to the network information, a rating result of a network object corresponding to the network information; and controlling the network object according to the rating result of the network object corresponding to the network information. Embodiments of the present invention further provide an information processing device and server. The present invention is applied to network information management. | 10-02-2014 |
20140298464 | ANTI-PHISHING PROTECTION - Anti-Phishing protection assists in protecting against phishing attacks. Any links that are contained within a message that has been identified as a phishing message are disabled. A warning message is shown when the phishing message is accessed. The first time a disabled link within the phishing message is selected a dismissible dialog box is displayed containing information about how to enable links in the message. After the user dismisses the dialog, clicking on a disabled link causes the warning message to flash drawing the user's attention to the potential severity of the problem. The links may be enabled by the user by selecting the warning message and choosing the appropriate option. Once the user enables the links, future displays of the message show the links as enabled. | 10-02-2014 |
20140298465 | APPLICATION REPUTATION SERVICE - The claimed subject matter is directed to the use of an application reputation service to assist users with minimizing their computerized machines' exposure to and infection from malware. Specifically, the claimed subject matter provides a method and system of an application reputation service that contains the reputations for elements that are known to be non-malicious as well as those known to be malicious. | 10-02-2014 |
20140298466 | Data Detecting Method and Apparatus for Firewall - A data detecting method and apparatus for a firewall device connected with a network to identify a security threat in the data, where the method is implemented by a fast forwarder in the firewall device and includes: the fast forwarder receives application data; obtains application information in the received application data; determines an application protocol type corresponding to the application data according to the application information and an application identifying table; queries a configuration item for threat detection according to the application protocol type to determine whether the application data requires threat detection; and if the application data does not require threat detection, forwards the application data. The data detecting method avoids the problem that the performance of a firewall is degraded because all application data is sent to a detecting processor in the firewall device for detection, thereby improving the performance of the firewall device. | 10-02-2014 |
20140298467 | AUTOMATED SNIFFER APPARATUS AND METHOD FOR MONITORING COMPUTER SYSTEMS FOR UNAUTHORIZED ACCESS - An apparatus for wireless communication including an automated intrusion detection process is provided. The apparatus has a portable housing, which may have a length no greater than 1 meter, a width no greater than 1 meter, and a height of no greater than 1 meter. A processing unit (e.g., CPU) is within the housing. One or more wireless network interface devices are within the housing and are coupled to the processing unit. The apparatus has an Ethernet (or like) network interface device within the housing and coupled to the processing unit. A network connector is coupled to the Ethernet network device. One or more memories are coupled to the processing unit. A code is directed to perform a process for detection of a wireless activity within a selected local geographic region. According to a specific embodiment, the wireless activity is derived from at least one authorized device or at least another device. A code is directed to receiving at least identity information associated with the wireless activity from the detection process in a classification process. A code is directed to labeling the identity information into at least one of a plurality of categories in the classification process. Depending upon the embodiment, other codes may exist to carry out the functionality described herein. | 10-02-2014 |
20140298468 | UNAUTHORIZED APPLICATION DETECTION SYSTEM AND METHOD - The objective of the present invention is to provide technology for detecting malicious action of an application upon a terminal device using a low load as well as to increase accuracy of detection; in particular, to provide technology capable of performing detection even regarding an application which has been deleted upon the terminal device. A change in the installation state of an application in a terminal device is detected, upon which information for the installed application is reported to a fraud detection server so as to be recorded. In addition, a predetermined feature value based on an application file or component files configuring a package of the application is reported to the fraud detection server. The feature value is associated with the malicious action of the application so as to be registered in an application DB, whereupon if malicious action of the application is detected, fraud detection information is transmitted to the terminal device. When the fraud detection information is received, predetermined response processing is performed upon the terminal device. | 10-02-2014 |
20140298469 | SYSTEM FOR DETECTING, ANALYZING, AND CONTROLLING INFILTRATION OF COMPUTER AND NETWORK SYSTEMS - A method for detecting and manipulating a malicious actor/communication on a computer network or system. The method includes the steps of incorporating one or more synthetic vulnerabilities into the computer system at distinct locations, where each synthetic vulnerability presents an opportunity for exploitation by a malicious actor/communication, detecting an exploitation of one of the vulnerabilities by an actor, analyzing the actor to determine if the actor is a malicious actor/communication; and manipulating the malicious actor/communication. A computer program on a storage medium is also disclosed. | 10-02-2014 |
20140304816 | CLIENT BASED LOCAL MALWARE DETECTION METHOD - A method for detecting malware in a user terminal device that has been infected by malware via a browser running on the user terminal device, according to which, upon detecting a predetermined triggering event on the user terminal, a security application installed on the terminal automatically activates a transparent browser to navigate to one or more predetermined URLs. Then the security application checks the code of an inspected webpage that has been received immediately after it is opened by the transparent browser and rechecks the code after it has been at least partially processed by the transparent browser. If a change in the code is detected, an alert is issued, indicating that the terminal has been infected by malware. | 10-09-2014 |
20140304817 | APPARATUS AND METHOD FOR DETECTING SLOW READ DoS ATTACK - A method for detecting a slow read DoS attack in a virtualized environment, the method comprising: receiving a connection request packet transmitted from a client to a server using a web protocol; checking whether the received packet is a TCP SYN packet or a packet of an HTTP GET request message; when it is checked that the received packet is the packet of the HTTP GET request message, detecting whether the received packet is a packet for the slow read DoS attack by analyzing a window size of the HTTP GET request message. | 10-09-2014 |
20140310809 | PREVENTING MALICIOUS INSTRUCTION EXECUTION - Systems and techniques for preventing malicious instruction execution are described herein. A first instance of an instruction for a graphics processing unit (GPU) may be received. The instruction may be placed in a target list. A notification that the instruction caused a problem with the GPU may be received. The instruction may be moved from the target list to a black list in response to the notification. A second instance of the instruction may be received. The second instance of the instruction may be prevented from executing on the GPU in response to the instruction being on the black list. | 10-16-2014 |
20140310810 | FIGHT-THROUGH NODES FOR SURVIVABLE COMPUTER NETWORK - A survivable network is described in which one or more network devices include enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, a hypervisor executing on each one of the processing units, and a plurality of virtual machines executing on each of the hypervisors. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication sessions with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines. | 10-16-2014 |
20140310811 | Detecting and Marking Client Devices - Methods, apparatus, connection systems, and client devices are described. The apparatus receives a multiplicity of DNS query messages from multiple client devices. For each received DNS query message to a malware domain name or a particular domain name, the apparatus sends a marker DNS response message to the corresponding client device for use in detecting whether the client device is infected with malware or is accessing the particular domain name. The connection system receives a connection request from a client device of the multiple client devices for access to the communication network, and sends marker detection information to the client device for use in identifying whether the client device is marked as infected with malware or as accessing a particular domain name. It is determined whether the client device is infected with malware or accessed the particular domain name. The client device may be blocked or granted access to the communication network. | 10-16-2014 |
20140317735 | METHODS AND SYSTEMS FOR RECIPROCAL GENERATION OF WATCH-LISTS AND MALWARE SIGNATURES - The present disclosure is directed to methods and systems for reciprocal generation of watch-lists and traffic models characteristic of malicious network activity. In some aspects, the described methods and systems relate to maintaining data for recognition of malicious network activity. In general, the methods include monitoring network traffic; comparing endpoint data from monitored data packets to endpoints in a watch-list of network endpoints and comparing packet data from monitored data packets to traffic models in a catalog of traffic models characterizing malicious network activity; and determining, based on the comparisons, that a set of data packets comprise suspect network activity. The methods include adding a network endpoint to the watch-list when the determination is based on comparing packet data to a traffic model or adding a traffic model to the catalog when the determination is based on comparing endpoint data. | 10-23-2014 |
20140317736 | METHOD AND SYSTEM FOR DETECTING FAKE ACCOUNTS IN ONLINE SOCIAL NETWORKS - A system and method for detecting fake accounts in OSNs is proposed to aid the OSN provider. | 10-23-2014 |
20140317737 | HYPERVISOR-BASED INTRUSION PREVENTION PLATFORM AND VIRTUAL NETWORK INTRUSION PREVENTION SYSTEM - Hypervisor-based intrusion prevention platform is provided. The hypervisor-based intrusion prevention platform comprises a virtual network intrusion prevention system (vIPS) framework which obtains internal information of a virtualization system from a hypervisor and performs security control on the hypervisor in response to the result of intrusion detection carried out by using the internal information of the virtualization system, a hypervisor security application programming interface (API) module which provides an API used by the vIPS framework to access the hypervisor, an administrator account management and authentication module which manages an administrator account of a vIPS and authenticates the administrator account, an environment setting management module which manages environment setting values of modules within the vIPS, and an external interface module which provides an interface for system control and security control. | 10-23-2014 |
20140317738 | AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR - According to one embodiment, a web application layer attack detector (AD) is coupled between an HTTP client and a web application server. Responsive to receipt of a set of packets from the HTTP client carrying a web application layer message that violates a condition of a security rule, the AD transmits an alert package to an automatic attribute value generation and rule feedback module (AVGRFM). The AVGRFM uses the alert package, and optionally other alert packages from the same AD or other ADs, to automatically generate a new set of attribute values for each of a set of attribute identifiers for use, by the AD or other ADs, in a different security rule than the violated security rule. The new set of attribute values may be used in an attack specific rule to detect a previously unknown web application layer attack. | 10-23-2014 |
20140317739 | ITERATIVE AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF A WEB APPLICATION LAYER ATTACK DETECTOR - According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (AD), which are coupled between HTTP clients and web application servers. The computing device learns a new set of attribute values for a set of attribute identifiers for each of a sequence of rules through an iterative process having a plurality of iterations. The iterative process begins with an attack specific rule, and the sequence of rules includes an attacker specific rule and another attack specific rule. Each iteration includes receiving a current alert package from one of the ADs sent responsive to a set of packets carrying a web application layer request meeting a condition of a current rule used by the AD, automatically generating a new set of attribute values based upon the current alert package, and transmitting the new set of attribute values to the set of ADs. | 10-23-2014 |
20140317740 | COMMUNITY-BASED DEFENSE THROUGH AUTOMATIC GENERATION OF ATTRIBUTE VALUES FOR RULES OF WEB APPLICATION LAYER ATTACK DETECTORS - According to one embodiment, a computing device is coupled to a set of web application layer attack detectors (ADs), which are coupled between HTTP clients and web application servers. The computing device automatically learns a new condition shared by a plurality of alert packages reported by the set of ADs due to a triggering of one or more rules that is indicative of a web application layer attack. The computing device automatically generates a new set of attribute values by analyzing the plurality of alert packages to identify the condition shared by the plurality of alert packages, and transmits the new set of attribute values for delivery to the set of ADs for a different rule to be used to protect against the web application layer attack from the HTTP clients or any other HTTP client. | 10-23-2014 |
20140317741 | AUTOMATIC GENERATION OF DIFFERENT ATTRIBUTE VALUES FOR DETECTING A SAME TYPE OF WEB APPLICATION LAYER ATTACK - According to one embodiment, a computing device is coupled to a web application layer attack detector (AD), which itself is coupled between an HTTP client and a web application server. The computing device automatically learns a new condition to detect a first type of web application layer attack. Responsive to receiving a web application layer message from the HTTP client that violates a rule for detecting the first type of web application layer attack, the AD transmits an alert package to the computing device, which uses the alert package, and optionally other alert packages, to automatically generate a new set of attribute values for each of a set of attribute identifiers to be transmitted to the AD or optionally other ADs for use in a different rule than the violated rule. The different rule is another attack specific rule for detecting the first type of web application layer attack. | 10-23-2014 |
20140317742 | HYPERVISOR-BASED BUFFER OVERFLOW DETECTION AND PREVENTION - Technologies for securing an electronic device include determining addresses of one or more memory pages, injecting for each memory page a portion of identifier data into the memory page, storing an indication of the identifier data injected into each of the memory pages, determining an attempt to access at least one of the memory pages, determining any of the identifier data present on a memory page associated with the attempt, comparing the indication of the identifier data with the determined identifier data present on the memory page, and, based on the comparison, determining whether to allow the access. | 10-23-2014 |
20140317743 | METHOD AND APPARATUS FOR MANAGEMENT AND TROUBLESHOOTING OF A PROCESSING SYSTEM - The present invention includes an apparatus connected to a processing system including a data collector to gather and store data regarding operation of the processing system, a device relationship manager to send data regarding the operation of the processing system to a remote administrative console, and a security policy manager to control the sending of data regarding the operation of the processing system by the device relationship manager to the remote administrative console based on a security policy. | 10-23-2014 |
20140317744 | DEVICE, SYSTEM, AND METHOD OF USER SEGMENTATION - Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account. | 10-23-2014 |
20140325649 | METHOD AND SYSTEM TO DYNAMICALLY DETECT TRAFFIC ANOMALIES IN A NETWORK - Methods implemented in a network are disclosed for dynamically distributing tasks of traffic anomaly monitoring and detecting traffic anomalies. The method starts by collecting traffic statistics of large blocks of traffic flows as traffic aggregates. Based on the traffic statistics of the traffic aggregates, a traffic anomaly is detected. Then, for a traffic aggregate with a traffic anomaly, an increased traffic sampling rate is applied to a smaller set of traffic flows within the traffic aggregate. If the smaller set of traffic flows does not contain a percentage of the traffic within the traffic aggregate, the sampling rate is further increased on an even smaller set of traffic flows until a small set of traffic flows is identified as the ones causing the traffic anomaly. | 10-30-2014 |
20140325650 | SELECTIVE ASSESSMENT OF MALICIOUSNESS OF SOFTWARE CODE EXECUTED IN THE ADDRESS SPACE OF A TRUSTED PROCESS - System and method for detection of malicious code injected into processes associated with known programs. Execution of processes in a computer system is monitored. From among the processes being monitored, only certain processes are selected for tracking. For each of the processes selected, function calls made by threads of the process are tracked. From among the tracked function calls, only those function calls which are critical function calls are identified. For each identified critical function call, program instructions that caused the critical function call are subjected to analysis to assess their maliciousness. | 10-30-2014 |
20140325651 | METHOD OF DEFENDING AGAINST A SPOOFING ATTACK BY USING A BLOCKING SERVER - The present invention relates to a method of defending against a spoofing attack using a blocking server, and more particularly, to a method of defending against a spoofing attack using a blocking server, which is characterized in that it involves inspecting an IP and MAC address included in an ARP packet received by a client in a network, and changing the addresses to a legitimate IP address and to a corresponding MAC address when the addresses are found to be used in a spoofing attack. According to the present invention, in the blocking of a spoofing attack against a network, an IP address and a MAC address for legitimate hardware connected to the network may be prestored and monitored, so as to exhibit the effect of an accurate defense being enabled in a short time. | 10-30-2014 |
20140325652 | DETECTION OF DEVICE TAMPERING - A device such as a network appliance compares reference device attributes of the device obtained during manufacture to attributes of the device sampled at start-up to determine whether the device has been tampered with since manufacture. At manufacture, attributes of components of the device are measured, including attributes not normally measurable after manufacture. Upon initial power up in the field, the device measures the same attributes and compares the resulting measurements to the corresponding attribute values measured at manufacture. If any attribute has changed, the device determines that it may have been modified or tampered with and so indicates. | 10-30-2014 |
20140325653 | SYSTEM AND METHOD FOR AUTOMATED CONFIGURATION OF INTRUSION DETECTION SYSTEMS - Methods and systems for automated generation of malicious traffic signatures, for use in Intrusion Detection Systems (IDS). A rule generation system formulates IDS rules based on traffic analysis results obtained from a network investigation system. The rule generation system then automatically configures the IDS to apply the rules. An analysis process in the network investigation system comprises one or more metadata filters that are indicative of malicious traffic. An operator of the rule generation system is provided with a user interface that is capable of displaying the network traffic filtered in accordance with such filters. | 10-30-2014 |
20140331320 | TECHNIQUES FOR DETECTING MALICIOUS ACTIVITY - Techniques for detecting malicious activity are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting malicious activity including receiving information indicating a first process being executed, the first process including a plurality of first process components, receiving information specific to at least one of the plurality of first process components, determining whether the first process exhibits malicious behavior; and identifying which of the plurality of first process components is responsible for the malicious behavior based on the received information. | 11-06-2014 |
20140331321 | BUILDING FILTER THROUGH UTILIZATION OF AUTOMATED GENERATION OF REGULAR EXPRESSION - A system and method performed by a computing device connected to a network and having one or more processors and memory storing one or more programs for execution by the one or more processors. At least one packet is received over a network. The packet is analyzed to detect predetermined content. The predetermined content is selected if it is determined that the packet contains the predetermined content. Future transmission of any packet containing the predetermined content is prevented in response to selection of the predetermined content. | 11-06-2014 |
20140331322 | METHOD AND APPARATUS FOR PROVIDING FORENSIC VISIBILITY INTO SYSTEMS AND NETWORKS - Methods and systems for providing forensic visibility into systems and networks are provided. More particularly, a sensor agent may receive events defining an action of a first object acting on a target. The object, the event, and the target are then correlated to at least one originating object such that an audit trail for each individual event is created. A global perspective indicating an age, popularity, a determination as to whether the object may be malware, and IP/URL information associated with the event may then be applied to at least one of the object, the event, the target, and the originating object. A priority may then be determined and assigned to the event based on at least the global perspective. An event line containing event information is then transmitted to an end recipient where the information may be heuristically displayed. | 11-06-2014 |
20140331323 | DETECTION OF ROGUE SOFTWARE APPLICATIONS - Software applications are analyzed to determine if they are legitimate applications and warnings are provided to users to avoid installation and/or purchases of unnecessary and/or potentially harmful software based on comparisons of user-interface characteristics of the software applications to visual characteristics of authentic applications to determine to what extent they match (or do not match) or are attempting to mirror the legitimate application. | 11-06-2014 |
20140331324 | METHODS, MEDIA, AND SYSTEMS FOR DETECTING ATTACK ON A DIGITAL PROCESSING DEVICE - Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack. In some embodiments, the methods include: selecting a data segment in at least one portion of an electronic document; determining whether the arbitrarily selected data segment can be altered without causing the electronic document to result in an error when processed by a corresponding program; in response to determining that the arbitrarily selected data segment can be altered, arbitrarily altering the data segment in the at least one portion of the electronic document to produce an altered electronic document; and determining whether the corresponding program produces an error state when the altered electronic document is processed by the corresponding program. | 11-06-2014 |
20140331325 | ANTI-MALWARE SYSTEM AND METHOD FOR PROCESSING DATA IN SYSTEM - Disclosed are an anti-malware system and a method for processing data in the system. The anti-malware system, according to one embodiment of the present invention, comprises: a host device which requests a malware detection scan on a file to be scanned; and an anti-malware module which performs the malware detection scan on the file to be scanned and transmits the scan results to the host device, wherein preprocessing for the malware detection scan of the file to be scanned is performed in the host device or in the anti-malware module according to the size of the file to be scanned. | 11-06-2014 |
20140337974 | SYSTEM AND METHOD FOR SEMANTIC INTEGRATION OF HETEROGENEOUS DATA SOURCES FOR CONTEXT AWARE INTRUSION DETECTION - A semantic approach to intrusion detection is provided that can utilize traditional as well as nontraditional data sources collaboratively. The information extracted from these traditional and nontraditional data sources is expressed in an ontology, and reasoning logic rules that correlate at least two separate and/or distinct data sources are used to analyze the extracted information in order to identify the situation or context in which an attack can occur. By utilizing reasoning logic rules that contain rules that correlate at least two separate and/or distinct data sources, a threat or attack can be determined using data that is spatially (e.g., geographically) and temporally separated, resulting in a context aware IDPS that can relate disparate activities spread across time and multiple systems as part of the same attack. | 11-13-2014 |
20140337975 | METHOD FOR ANALYZING SPYWARE AND COMPUTER SYSTEM - A method for analyzing spyware and a computer system that relates to communication technology are provided. A trace of an executed spyware process is captured by the computer system. The spyware process includes a data packet returning operation that transmits a data packet to a control host as a result of executing the spyware process. The data packet returning operation has a subprogram which is extracted from the execution trace. The subprogram includes at least one call interface. Semantic information from each component of information of the at least one call interface is analyzed and output. In this manner a specific format of a data packet returned to the control host is determined, a communication protocol of the spyware is obtained, and a user may rewrite control commands of the spyware according to the obtained communication protocol, to control execution of the spyware. | 11-13-2014 |
20140337976 | METHOD FOR VEHICLE INTRUSION DETECTION WITH MOBILE ROUTER - A method of operating a mobile router installed in a vehicle is provided. The vehicle comprises a vehicle network bus coupled to a plurality of electronic control units. The mobile router comprises: a wireless wide area network interface; a wireless local area network interface; an interface to the vehicle network bus; a processor; and a memory comprising a plurality of programs. The plurality of programs comprises an intrusion detection program executable by the processor. The method of operating the mobile router comprises: monitoring data on the vehicle network bus; utilizing the intrusion detection program to detect one or more anomalies in the monitored data; and generating an alert upon detection of one or more anomalies. | 11-13-2014 |
20140337977 | AUTOMATED DEPLOYMENT OF PROTECTION AGENTS TO DEVICES CONNECTED TO A DISTRIBUTED COMPUTER NETWORK - Network traffic is monitored to detect attempted inter-network communications, including attempts by devices internal to the network to communicate with resources external to the network and attempts by devices external to the network to establish VPN sessions with resources internal to the network. Upon detecting an attempted inter-network communication, the device responsible for initiating such communication is identified. Then, it is determined whether the identified device is running a valid protection agent. If so, the attempted inter-network communication is permitted. If not, the attempted inter-network communication is blocked in compliance with a network security policy and the identified device is prompted to download and install a protection agent from a designated storage location, or to activate a previously installed protection device. The prompt may include a hyperlink for initiating download of the protection agent. | 11-13-2014 |
20140337978 | SYSTEMS, METHODS, AND MEDIA FOR GENERATING BAIT INFORMATION FOR TRAP-BASED DEFENSES - Systems, methods, and media for generating bait information for trap-based defenses are provided. In some embodiments, methods for generating bait information for trap-based defenses include: recording historical information of a network; translating the historical information; and generating bait information by tailoring the translated historical information. | 11-13-2014 |
20140337979 | Using Telemetry to Reduce Malware Definition Package Size - Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on the analysis of the telemetry data, the cloud server segments malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether a file identified in a request contains malware. If the file is malicious, the client remediates the malware using the local malware definition update. | 11-13-2014 |
20140344930 | Network Eavesdropping Detection - In one implementation, network taps are detected using impedance measurements from a network. A network device is configured to calculate a baseline impedance as a function of a sequence of impedance values. As impedance measurements subsequent to the sequence of impedance values are received, the network device is configured to calculate a difference between the impedance measurement and the baseline impedance. The network device generates a network tap warning message when the difference between the impedance measurement and the baseline impedance exceeds a threshold. The network device may be an endpoint computer, a data switch, or an external device remote from the network. | 11-20-2014 |
20140344931 | SYSTEMS AND METHODS FOR EXTRACTING CRYPTOGRAPHIC KEYS FROM MALWARE - A method and system for extracting cryptographic data from a data transmission. A sample of a first data transmission is received over a network. The sample is classified as belonging to a malware family. An extraction engine is selected corresponding to the malware family. The extraction engine is utilized to extract cryptographic data from the sample. | 11-20-2014 |
20140344932 | SYSTEMS, METHODS, AND MEDIA FOR DETECTING RETURN-ORIENTED PROGRAMMING PAYLOADS - Systems, methods, and media for detecting the presence of return-oriented programming (ROP) payloads are provided, comprising: identifying a potential gadget address space; determining whether a piece of the data corresponds to an address in the potential gadget address space; and, in response to determining that the piece of the data corresponds to an address in the potential gadget address space, determining whether a plurality of operations, each associated with one of a plurality of instructions beginning at the address, indicates that a ROP payload is present in the data, and indicating that a ROP payload is present in the data in response to determining, a given number of times, that a plurality of operations indicates a ROP payload. | 11-20-2014 |
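The scan described in the abstract above, as an added example that is not code from the patent or its assignee: every machine word in a data buffer is tested against an assumed gadget address space, each candidate is checked for gadget-like code (a return reached within a few instructions), and the payload is flagged once the candidate count reaches a threshold. The module range, the decoded instruction map and the sample buffers are all constructed for the example; a real implementation would disassemble the mapped module at each candidate address instead of consulting a table.

```python
import struct

# Constructed example: an assumed module mapped at this address range is the
# "potential gadget address space" (not taken from the patent text).
GADGET_SPACE = (0x77E00000, 0x77E10000)

# Assumed decoded instruction streams at a few addresses inside that range. A real
# scanner would disassemble the mapped module here; this map stands in for that.
INSTRUCTIONS = {
    0x77E01234: ["pop eax", "ret"],
    0x77E02345: ["xchg eax, esp", "ret"],
    0x77E03456: ["mov [eax], ecx", "pop ebx", "ret"],
    0x77E04567: ["push ebp", "mov ebp, esp", "sub esp, 0x40",
                 "mov eax, [ebp+8]", "call 0x77E05000"],  # ordinary prologue, not a gadget
}

MAX_GADGET_LEN = 5  # instructions to decode before giving up on a candidate address


def looks_like_gadget(address):
    """A candidate counts if a return is reached within a few instructions."""
    stream = INSTRUCTIONS.get(address)
    if stream is None:
        return False
    return any(insn.startswith("ret") for insn in stream[:MAX_GADGET_LEN])


def candidate_addresses(data, width=4):
    """Yield (offset, value) for every machine word in data, at every byte alignment,
    whose value falls inside the gadget address space."""
    lo, hi = GADGET_SPACE
    fmt = "<I" if width == 4 else "<Q"
    for offset in range(len(data) - width + 1):
        value = struct.unpack_from(fmt, data, offset)[0]
        if lo <= value < hi:
            yield offset, value


def detect_rop_payload(data, threshold=3):
    """Flag data when at least `threshold` embedded words point at gadget-like code."""
    hits = [(off, addr) for off, addr in candidate_addresses(data) if looks_like_gadget(addr)]
    return len(hits) >= threshold, hits


# Constructed inputs: a fake ROP chain with filler and one non-gadget pointer, and a benign request.
ROP_SAMPLE = (b"A" * 8
              + struct.pack("<I", 0x77E01234)
              + struct.pack("<I", 0x41414141)
              + struct.pack("<I", 0x77E02345)
              + struct.pack("<I", 0x77E03456)
              + struct.pack("<I", 0x77E04567)
              + b"B" * 4)
BENIGN_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print(detect_rop_payload(ROP_SAMPLE))
    print(detect_rop_payload(BENIGN_SAMPLE))
```

Scanning at every byte alignment matters because payloads arrive in untyped buffers; the threshold is what keeps a stray pointer-valued integer from raising an alert on its own.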
20140344933 | METHOD AND APPARATUS FOR DETECTING AN INTRUSION ON A CLOUD COMPUTING SERVICE - Provided is a method and apparatus for detecting an intrusion in a cloud computing service. An elementary detector may monitor a virtual machine provided by a cloud computing service, and may generate a raw alert based on a result of the monitoring. An intrusion detection system (IDS) dispatcher may determine occurrence of an intrusion into the cloud computing service by comparing the raw alert and a local database. The IDS dispatcher may generate a hyper alert when it is determined that the intrusion has occurred. An intrusion detection system (IDS) manager may determine the occurrence of the intrusion by comparing the hyper alert and a global database. | 11-20-2014 |
20140351933 | SYSTEM AND METHOD FOR INSPECTING HARMFUL INFORMATION OF MOBILE DEVICE - Disclosed herein are a system and a method for inspecting harmful information of a mobile device, capable of temporarily stopping automatic access to a web site when access information for that web site is obtained from various paths through the mobile device, requesting an inspecting server to inspect whether or not the corresponding web site includes harmful information, and receiving and displaying an inspection result in response to the request. | 11-27-2014 |
20140351934 | METHOD AND APPARATUS FOR DETECTING MALWARE AND RECORDING MEDIUM THEREOF - A method of detecting malware in a terminal, the method including: generating, in a server, a plurality of virtual machines respectively corresponding to a plurality of terminals; clustering the generated virtual machines into groups based on the profile information of each terminal; and, in response to malware being detected in a first terminal among the plurality of terminals, providing information about the detection to a second terminal, via the second virtual machine corresponding to that terminal, where the second virtual machine is clustered into the same group as the first terminal's virtual machine. | 11-27-2014 |
20140351935 | METHOD, APPARATUS AND VIRTUAL MACHINE FOR DETECTING MALICIOUS PROGRAM - A method, an apparatus and a virtual machine for detecting a malicious program(s) are disclosed. The method comprises: setting a virtual memory ( | 11-27-2014 |
20140359766 | METHOD AND SYSTEM FOR PREVENTION OF WINDOWLESS SCREEN CAPTURE - A method for preventing the acquisition of data by screen-capturing malware comprises preventing an unidentified process that does not open a window from performing screen capture. | 12-04-2014 |
20140359767 | METHOD AND SYSTEM FOR APPLICATION MIGRATION DUE TO DEGRADED QUALITY OF SERVICE - A method and system for managing an application in a cloud data center by monitoring the bandwidth of a subnet of which the primary operating instance of an application is a member. If a severe deterioration in the bandwidth caused by an over consumption of the subnet resources from other subnet constituents is detected, a suitable secondary instance in an alternate, uncompromised subnet is located and primary operation of the application is transferred from the former primary operating instance to the secondary instance. The secondary instance can be pre-launched or dynamically requisitioned according to various embodiments. | 12-04-2014 |
20140359768 | SYSTEM AND METHOD FOR DETECTING, ALERTING AND BLOCKING DATA LEAKAGE, EAVESDROPPING AND SPYWARE - A computer implemented method for detecting, alerting and blocking data leakage, eavesdropping and spyware in one or more networked computing devices includes providing a graphical user interface (GUI) and displaying all available hardware device interfaces in each networked computing device. Next, providing a turn-on switch and a turn-off switch for each displayed hardware device interface in each networked computing device. Next, providing a turn-all-on switch and a turn-all-off switch for all displayed hardware device interfaces in each networked computing device. Next, monitoring status of each available hardware device interface and data traffic across each available hardware device interface. Upon detecting an unauthorized change of status of a specific hardware device interface or unauthorized data traffic across a specific hardware device interface providing a warning signal, turning off the specific hardware device interface by activating the turn-off switch for the specific hardware device interface or the turn-all-off switch. | 12-04-2014 |
20140359769 | CLOUD PROTECTION TECHNIQUES - Cloud protection techniques are provided. A security breach is detected in a source cloud environment. An enterprise system processing in the source cloud environment is immediately locked down and is dynamically migrated to a target cloud environment. While the enterprise system is migrating, the source cloud environment creates a fake environment with fake resources within the source cloud environment to dupe an intruder having access as a result of the security breach. Metrics and logs are gathered with respect to activities of the intruder within the source cloud environment. | 12-04-2014 |
20140359770 | APPARATUS AND METHODS FOR PREVENTING PAYMENT WEBPAGE TAMPERING - Apparatus and method for preventing payment page tampering are described herein that determine whether a request received by a webpage modification interface is an inter-process request made by another process different from a process running the webpage modification interface and that, in response to determining that the first request is an external request, intercepts the first request. Embodiments of the apparatus and method can improve security of Internet payment transactions. | 12-04-2014 |
20140359771 | CLUSTERING EVENT DATA BY MULTIPLE TIME DIMENSIONS - Systems and methods for processing log data are provided. A set of data chunks is determined. Each data chunk is associated with a set of events, which are grouped according to a primary time dimension field of each event in the set. A metadata structure is determined for each data chunk; it comprises the range of the primary time dimension field and the range of a secondary time dimension field over all events in the chunk. A subset of the data chunks is selected. A data chunk associated with at least one event of the plurality of events is generated according to the secondary time dimension field of the at least one event. | 12-04-2014 |
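The chunk-and-metadata layout above, as an added example (not the patent holder's code): events are chunked by the primary dimension (collector receipt time), each chunk records the range of both time fields, a query on the secondary dimension (source event time) uses that metadata to skip chunks that cannot match, and chunks can be regenerated keyed by the secondary dimension. The field names and the six syslog-style events are constructed for the example; the late-arriving fifth event is the case the two-range metadata exists for.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    receipt_time: int   # primary time dimension: when the collector received the event (epoch seconds)
    event_time: int     # secondary time dimension: timestamp written by the log source
    message: str


@dataclass
class Chunk:
    events: list
    meta: dict = field(init=False)

    def __post_init__(self):
        # Metadata structure: the range of both time fields over every event in the chunk.
        rt = [e.receipt_time for e in self.events]
        et = [e.event_time for e in self.events]
        self.meta = {"receipt": (min(rt), max(rt)), "event": (min(et), max(et))}


def build_chunks(events, chunk_size):
    """Group events by the primary dimension (receipt order) into fixed-size chunks."""
    ordered = sorted(events, key=lambda e: e.receipt_time)
    return [Chunk(ordered[i:i + chunk_size]) for i in range(0, len(ordered), chunk_size)]


def overlaps(rng, lo, hi):
    return rng[0] <= hi and rng[1] >= lo


def query_by_event_time(chunks, lo, hi):
    """Select only chunks whose secondary range can match, then filter their events."""
    selected = [c for c in chunks if overlaps(c.meta["event"], lo, hi)]
    matches = [e for c in selected for e in c.events if lo <= e.event_time <= hi]
    return selected, matches


def rechunk_by_event_time(chunks, chunk_size):
    """Regenerate chunks keyed by the secondary dimension, e.g. for an event-time index."""
    events = sorted((e for c in chunks for e in c.events), key=lambda e: e.event_time)
    return [Chunk(events[i:i + chunk_size]) for i in range(0, len(events), chunk_size)]


# Constructed sample: six syslog-style events; the fifth arrived late with an old event_time.
SAMPLE_EVENTS = [
    Event(1000, 1000, "sshd[812]: Accepted publickey for alice from 10.0.0.5"),
    Event(1010, 1009, "sudo: alice : COMMAND=/usr/bin/systemctl restart nginx"),
    Event(1020, 1020, "kernel: audit: type=1326 ... seccomp violation"),
    Event(1030, 1030, "sshd[901]: Failed password for root from 203.0.113.9"),
    Event(1040, 905, "agent: reconnected, flushing buffered events"),
    Event(1050, 1050, "sshd[905]: Failed password for root from 203.0.113.9"),
]

if __name__ == "__main__":
    chunks = build_chunks(SAMPLE_EVENTS, 2)
    selected, matches = query_by_event_time(chunks, 900, 1005)
    print(len(selected), "chunks scanned,", [e.message for e in matches])
```

Without the secondary range in the metadata, an event-time query for 900 to 1005 would have to scan every chunk to find the buffered event that only arrived at receipt time 1040; with it, the middle chunk is skipped outright.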
20140366134 | Malicious Code Blocking Method Using Management System for Monitoring Status of Vaccine - The present invention relates to a malicious code blocking method using a management system for monitoring a state of a vaccine, and more specifically, to a malicious code blocking method using a management system for monitoring a state of a vaccine, in which the management system connected through the Internet monitors in real-time whether or not a vaccine program installed in an individual user terminal normally operates and transmits an alarm to a user when the vaccine program does not operate normally, thereby removing a malicious code. According to the present invention, because an error or a paralyzed state of a vaccine program which cannot be easily understood by general users is informed in real-time, the vaccine program can be promptly normalized regardless of the knowledge and interest of a user, and thus it is effective in that infection and additional damage of the malicious code can be prevented. | 12-11-2014 |
20140366135 | DETECTION OF FAULT INJECTIONS IN A RANDOM NUMBER GENERATOR - A method for detecting a fault injection in a random number generation circuit, wherein a bit pattern is mixed to a bit stream originating from a noise source and the presence of this pattern is detected in a signal sampled downstream of the mix. | 12-11-2014 |
20140366136 | BEHAVIORAL-BASED HOST INTRUSION PREVENTION SYSTEM - In embodiments of the present invention improved capabilities are described for behavioral-based threat detection. An executing computer process is monitored for an indication of malicious behavior, wherein the indication of the malicious behavior is a result of comparing an operation with a predetermined behavior, referred to as a gene. A plurality of malicious behavior indications observed for the executing process are compared to a predetermined collection of malicious behaviors, referred to as a phenotype, which comprises a grouping of specific genes that are typically present in a type of malicious code. Upon matching the malicious behavior indications with a phenotype, an action may be caused, where the action is based on a prediction that the executing computer process is the type of malicious code as indicated by the phenotype. Related user interfaces, applications, and computer program products are disclosed. | 12-11-2014 |
20140373144 | System and method for analyzing unauthorized intrusion into a computer network - The method analyzes unauthorized intrusion into a computer network. Access is allowed through one or more open ports to one or more virtualized decoy operating systems running on a hypervisor operating system hosted on a decoy network device. This may be done by opening a port on one of the virtualized decoy operating systems. A network attack on the virtualized operating system is then intercepted by an introspection module running on the hypervisor operating system. The attack-identifying information is communicated through a private network interface channel and stored on a database server as forensic data. A signature-generation engine uses this forensic data to generate a signature of the attack. An intrusion prevention system then uses the attack signature to identify and prevent subsequent attacks. A web-based visualization interface facilitates configuration of the system and analysis of (and response to) forensic data generated by the introspection module and the signature generation engine, as well as that stored in the processing module's relational databases. | 12-18-2014 |
20140373145 | SIGNED RESPONSE TO AN ABUSIVE EMAIL ACCOUNT OWNER AND PROVIDER SYSTEMS AND METHODS - Systems and methods for abusive email account detection and transmission of a signed response to an abusive email account owner and provider. The methods include receiving an email from a first email account on a second email account, wherein the email contains malicious content, determining if a trust relationship exists between a first email server corresponding to the first email account and a second email server corresponding to the second email account, and transmitting, using a hardware processor of the second email server, an alert email to the first email account corresponding to the trust relationship, wherein the alert email includes a digital signature and a secure field having an abusive category descriptor in an email header. The secure field may include an abusive category descriptor, for example transmitting spam, transmitting malware, transmitting phishing attempts, and committing fraud. | 12-18-2014 |
20140373146 | DOS DETECTION AND MITIGATION IN A LOAD BALANCER - A load balancer that is able to detect and mitigate a Denial of Service (DOS) attack. The load balancer is placed in the flow path of network data packets that are destined for one or more tenant addresses. The load balancer analyzes performance parameters regarding the network data packets that are destined for the one or more tenant addresses and are received at the load balancer. The performance parameters describe network data packet flow to the tenant addresses. The load balancer detects, based on the analysis of the performance parameters, that one or more of the tenant addresses are being subjected to a DOS attack. The load balancer performs a mitigation operation to isolate the one or more tenant addresses being subjected to the DOS attack. | 12-18-2014 |
20140373147 | SCANNING FILES FOR INAPPROPRIATE CONTENT DURING SYNCHRONIZATION - The present invention extends to methods, systems, and computer program products for scanning files for inappropriate content during file synchronization. Embodiments of the invention are mindful of the order of operations when scanning files for inappropriate content and in subsequent file processing. In some embodiments, during synchronization, an intermediary server scans a file for inappropriate content. The file is not permitted to be fully downloaded to a client device until the scan determines that the file does not contain inappropriate content. In other embodiments, during synchronization, a client device scans a newer version of a file for inappropriate content. An older version of the file is not deleted until the scan determines that the newer version of the file does not contain inappropriate content. In further embodiments, server side scanning and client side scanning are both used to enhance capabilities for detecting inappropriate content. | 12-18-2014 |
20140373148 | SYSTEMS AND METHODS FOR TRAFFIC CLASSIFICATION - Systems and methods of classifying network traffic may monitor network traffic. Monitored traffic may be compared with a control protocol template (CPT). When a similarity between the monitored traffic and the CPT exceeds a match threshold, the monitored traffic may be associated with the CPT. | 12-18-2014 |
20140373149 | TIME ZERO DETECTION OF INFECTIOUS MESSAGES - Detecting infectious messages comprises performing an individual characteristic analysis of a message to determine whether the message is suspicious, determining whether a similar message has been noted previously in the event that the message is determined to be suspicious, classifying the message according to its individual characteristics and its similarity to the noted message in the event that a similar message has been noted previously. | 12-18-2014 |
20140373150 | SYSTEMS, METHODS, AND MEDIA FOR DETECTING NETWORK ANOMALIES - Systems, methods, and media for detecting network anomalies are provided. In some embodiments, a training dataset of communication protocol messages having argument strings is received. The content and structure associated with each of the argument strings is determined and a probabilistic model is trained using the determined content and structure of each of the argument strings. A communication protocol message having an argument string that is transmitted from a first processor to a second processor across a computer network is received. The received communication protocol message is compared to the probabilistic model and then it is determined whether the communication protocol message is anomalous. | 12-18-2014 |
20140380471 | Binary Document Content Leak Prevention Apparatus, System, and Method of Operation - An apparatus, system, and method for measuring the similarity of communication packet binary objects to classified object binary objects is disclosed. The method determines at least one pattern signature in an Nth binary object, accessing a location in a similarity store which has object identifiers for each of the previous N−1 binary objects which contain the corresponding pattern, and writing the object identifier of the Nth binary object at that same location in the similarity store. Reporting the number of locations in similarity store which contain the object identifiers of a communication packet and a classified object is a measure of similarity to each other. Outgoing packets are blocked if they correlate highly with confidential documents or objects. | 12-25-2014 |
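The similarity store described above, as an added example that is not the patent's or its assignee's code: each byte-window pattern signature of an object is hashed to a store location, the object's identifier is written at that location, and the similarity between an outgoing payload and a classified document is the number of locations that hold both. The window size, the 64-bit location hash (a bounded table in practice), the document identifiers and the sample documents and payloads are all constructed for the example.

```python
import hashlib

SHINGLE = 8  # bytes per pattern signature (assumed window size)


def signatures(blob):
    """Distinct byte-window pattern signatures of a binary object."""
    if len(blob) <= SHINGLE:
        return {blob}
    return {blob[i:i + SHINGLE] for i in range(len(blob) - SHINGLE + 1)}


def location(sig):
    """Store location for a pattern: a hash of the signature (64 bits here; a bounded table in practice)."""
    return hashlib.sha256(sig).digest()[:8]


class SimilarityStore:
    def __init__(self):
        self.slots = {}  # location -> set of object identifiers whose patterns hashed there

    def add(self, object_id, blob):
        """Write object_id at the location of every pattern the object contains."""
        for sig in signatures(blob):
            self.slots.setdefault(location(sig), set()).add(object_id)

    def similarity(self, object_id, blob):
        """Number of locations reached from blob's patterns that already hold object_id."""
        locs = {location(s) for s in signatures(blob)}
        return sum(1 for loc in locs if object_id in self.slots.get(loc, ()))


def should_block(store, payload, classified_ids, min_shared):
    """Block an outgoing payload if it shares at least min_shared locations with a classified object."""
    scores = {oid: store.similarity(oid, payload) for oid in classified_ids}
    best = max(scores, key=scores.get)
    return scores[best] >= min_shared, best, scores[best]


# Constructed sample data: two classified documents and two outgoing payloads.
CONFIDENTIAL = (b"INTERNAL ONLY. Project Falcon: acquisition target shortlist, offer range "
                b"and board timeline. Do not forward outside the deal team.")
HANDBOOK = b"Employee handbook, chapter 4: travel and expense reimbursement policy."
LEAK = b"acquisition target shortlist, offer range and board timeline"
UNRELATED = b"GET /news/weekly-digest HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"


def build_store():
    store = SimilarityStore()
    store.add("doc-1", CONFIDENTIAL)
    store.add("doc-2", HANDBOOK)
    return store


if __name__ == "__main__":
    store = build_store()
    for payload in (LEAK, UNRELATED):
        print(should_block(store, payload, ["doc-1", "doc-2"], min_shared=16))
```

Because the score counts shared locations rather than comparing whole objects, a payload that carries only a paragraph of a classified document still scores close to its own signature count, while unrelated traffic scores near zero; the `min_shared` threshold sets the trade-off between missed partial leaks and false blocks.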
20140380472 | MALICIOUS EMBEDDED HYPERLINK DETECTION - For malicious embedded hyperlink detection, an identification module identifies an uncertain universal resource locator (URL) address in a hyperlink. A display module displays a status indicator in response to identifying the uncertain URL address. | 12-25-2014 |
20140380473 | ZERO-DAY DISCOVERY SYSTEM - A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is a zero-day exploit when, upon execution of the content on the at least one virtual machine, the exploit performs an undesired behavior. | 12-25-2014 |
20140380474 | System and Method for Detecting Time-Bomb Malware - According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and to identify the content as including malware if the delay exceeds a first time period. | 12-25-2014 |
20140380475 | USER CENTRIC FRAUD DETECTION - A computer detects fraudulent access to user accounts of a network application. The computer receives user account usage profile information for a plurality of user accounts. Rules are determined, based in part on the user account profile information, that define account usage patterns across two or more user accounts that identify fraudulent user account usage. The computer receives user account usage event information for a plurality of user accounts. Based on the determined rules, the computer identifies fraudulent user account usage patterns in the user account usage event information and transmits a security alert to the user accounts associated with the identified fraudulent user account usage pattern. | 12-25-2014 |
20140380476 | METHOD AND SYSTEM TO MODIFY FUNCTION CALLS FROM WITHIN CONTENT PUBLISHED BY A TRUSTED WEB SITE - A network-based publication system, to publish data over a communications network, includes an interface to receive, via the communications network and from a first user, user data to be published by the network-based publication system. The publication system further includes a publisher component to generate publication data (e.g., an HTML document) including the user data and function-modifying code. The publisher component generates the publication data in accordance with a publication format. The interface publishes the publication data via the communications network. The function-modifying code is interpreted and executed, at a browser application, to disable (or modify) at least one function of a programming language supported by the browser application. | 12-25-2014 |
20140380477 | METHODS AND DEVICES FOR IDENTIFYING TAMPERED WEBPAGE AND IDENTIFYING HIJACKED WEB ADDRESS - Disclosed are methods and devices for identifying a tampered webpage and identifying a hijacked web address. The method for identifying a tampered webpage comprises: by simulating the mode of inputting a URL in the address bar of a browser, initiating a request to access a target webpage and taking the obtained page content as the first page content; by simulating the mode of jumping from a link, initiating a request to access the target webpage and taking the obtained page content as the second page content; comparing the first page content with the second page content to obtain a comparison result; and identifying, according to the comparison result, whether the target webpage is a tampered webpage. The present invention can effectively identify whether a target webpage is a tampered webpage, so that an effective means for determining whether a target webpage is tampered is provided to users and computer services. | 12-25-2014 |
20140380478 | USER CENTRIC FRAUD DETECTION - A computer detects fraudulent access to user accounts of a network application. The computer receives user account usage profile information for a plurality of user accounts. Rules are determined, based in part on the user account profile information, that define account usage patterns across two or more user accounts that identify fraudulent user account usage. The computer receives user account usage event information for a plurality of user accounts. Based on the determined rules, the computer identifies fraudulent user account usage patterns in the user account usage event information and transmits a security alert to the user accounts associated with the identified fraudulent user account usage pattern. | 12-25-2014 |
20140380479 | Method and System for Controlling Closing of Terminal, and Computer Storage Medium - A method for controlling closing of a terminal including: intercepting a shutdown operation; carrying out corresponding safety detection according to preset safety detection items; and processing potential safety hazards and closing the terminal after the processing. According to the method, the potential safety hazards of the terminal are processed before the terminal is closed, so that the terminal safety is improved. In addition, a system for controlling closing of a terminal and a computer storage medium are provided. | 12-25-2014 |
20150020197 | IDENTIFYING MISUSE OF LEGITIMATE OBJECTS - A query is received from a client device regarding an object. The query includes an identifier of the object and a set of associated usage attributes describing a usage of the object on the client device. A set of usage facts associated with the identified object is identified. The set of usage facts describe typical usages of the object on a plurality of client devices. A determination is made whether the usage of the object on the client device is suspicious based on the set of usage facts associated with the object and the set of usage attributes included in the query. A report is provided to the client device based on the determination. | 01-15-2015 |
20150020198 | METHODS OF DETECTION OF SOFTWARE EXPLOITATION - A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions. | 01-15-2015 |
20150020199 | PATH SCANNING FOR THE DETECTION OF ANOMALOUS SUBGRAPHS AND USE OF DNS REQUESTS AND HOST AGENTS FOR ANOMALY/CHANGE DETECTION AND NETWORK SITUATIONAL AWARENESS - A system, apparatus, computer-readable medium, and computer-implemented method are provided for detecting anomalous behavior in a network. Historical parameters of the network are determined in order to determine normal activity levels. A plurality of paths in the network are enumerated as part of a graph representing the network, where each computing system in the network may be a node in the graph and the sequence of connections between two computing systems may be a directed edge in the graph. A statistical model is applied to the plurality of paths in the graph on a sliding window basis to detect anomalous behavior. Data collected by a Unified Host Collection Agent (“UHCA”) may also be used to detect anomalous behavior. | 01-15-2015 |
20150020200 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MOUNTING AN IMAGE OF A COMPUTER SYSTEM IN A PRE-BOOT ENVIRONMENT FOR VALIDATING THE COMPUTER SYSTEM - A system, method, and computer program product are provided for mounting an image of a computer system in a pre-boot environment for validating the computer system. An image of an operating system is mounted in a pre-boot environment of the programmable device. An untrusted component of the operating system is identified that is registered to be automatically loaded or loaded during a boot-up stage of the operating system that is predetermined to be early. The untrusted component is rescheduled to be initiated after loading of at least a portion of a security system on the programmable device. | 01-15-2015 |
20150026806 | Mitigating a Cyber-Security Attack By Changing a Network Address of a System Under Attack - In response to determining that a computer is undergoing a cyber attack, a newly assigned IP address is received for the computer. A currently assigned IP address of the computer is changed to the newly assigned IP address. | 01-22-2015 |
20150026807 | Page Fault Injection In Virtual Machines - Described systems and methods allow protecting a host system from malware using virtualization technology. In some embodiments, a memory introspection engine operates below a virtual machine (VM) executing on the host system. The engine is configured to analyze the content of a virtual memory page used by software executing within the VM, and/or to protect the respective content from unauthorized modification, for instance by malware. When the respective content is swapped out of memory, the memory introspection engine injects a page fault into the respective VM, to force a swap-in of the respective content. | 01-22-2015 |
20150026808 | METHOD AND SYSTEM FOR NETWORK-BASED DETECTING OF MALWARE FROM BEHAVIORAL CLUSTERING - A computerized system and method for performing behavioral clustering of malware samples, comprising: executing malware samples in a controlled computer environment for a predetermined time to obtain HTTP traffic; clustering the malware samples into at least one cluster based on network behavioral information from the HTTP traffic; and extracting, using the at least one processor, network signatures from the HTTP traffic information for each cluster, the network signatures being indicative of malware infection. | 01-22-2015 |
20150026809 | SYSTEMS AND METHODS FOR IDENTIFYING MALICIOUS HOSTS - A malware detection system analyzes communication traffic to and/or from a certain host. The malware detection system uses the mismatch between host name and IP address to assign a quantitative score, which is indicative of the probability that the host is malicious. The system may use this score, for example, in combination with other indications, to decide whether the host in question is malicious or innocent. The overall decision may use, for example, a rule engine, machine learning techniques or any other suitable means. The malware detection system may also analyze alerts regarding hosts that are suspected of being malicious. The alerts may originate, for example, from Command & Control (C&C) detection, from an Intrusion Detection System (IDS), or from any other suitable source. A given alert typically reports a name of the suspected host and an IP address that allegedly belongs to that host. | 01-22-2015 |
20150026810 | Method and Apparatus for Detecting Malicious Software Using Machine Learning Techniques - Novel methods, components, and systems for detecting malicious software in a proactive manner are presented. More specifically, we describe methods, components, and systems that leverage machine learning techniques to detect malicious software. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches. | 01-22-2015 |
20150026811 | PROVISIONING A MODERATED DATA SERVICE USING A SYNDICATED RADIO ACCESS NETWORK (RAN) - A system is configured to receive, from a content provider, traffic associated with a data service and that is destined for a group of user devices; retrieve service information, associated with the data service, that includes a value, associated with the data service, that represents a level of service quality associated with the data service; determine whether the traffic is authorized to be transmitted to the user devices based on the value; discard the traffic based on a determination that the value is less than a threshold; process the traffic to identify whether a condition is associated with the traffic based on a determination that the value is not less than the threshold; transmit the traffic to one or more of the user devices based on a determination that the traffic is not associated with a condition; and discard the traffic based on a determination that the traffic is associated with a condition. | 01-22-2015 |
20150033336 | LOGGING ATTACK CONTEXT DATA - Methods and systems are provided for improved attack context data logging. In one embodiment, additional context is provided for an attack by logging either a predetermined or configurable number or predetermined or configurable timeframe of packets before and optionally after detection of a packet associated with an attack. This additional context facilitates understanding of the attack and can help in connection with improving the implementation of signatures that are used to detect attacks and reducing false positives. In one aspect, the system is configured to assess multiple packets across one or more sessions and temporarily store each packet in a buffer having a configurable size such that once an attack is detected, a log can be generated based at least in part on packets present in the buffer. Then, the log can be analyzed so as to understand the context of the attack. | 01-29-2015 |
20150033337 | CYBER SECURITY ANALYTICS ARCHITECTURE - Systems and methods are disclosed for responding to security events in real time. The disclosed systems and methods utilize the vast amount of risk and asset knowledge collected in a security data warehouse and aggregated in a security information manager, without the expense and latency associated with performing such calculations in real time. The disclosed systems and methods, thereby, significantly extend the time intervals feasible for temporal analysis. | 01-29-2015 |
20150033338 | HARDENING DATA TRANSMISSIONS AGAINST POWER SIDE CHANNEL ANALYSIS - Embodiments of an invention for hardening data transmissions against power side channel attacks are disclosed. In one embodiment, a system includes a first agent and a second agent. The first agent is to transmit an encoded datum through an interface in a plurality of encoded packets. The second agent is to receive each of the plurality of encoded packets from the interface and decode each of the encoded packets to generate a plurality of decoded packets. Each of the encoded packets has the same Hamming weight. The Hamming distance between any two consecutively transmitted encoded packets is constant. | 01-29-2015 |
20150033339 | Irrelevant Code Identification - The techniques described herein identify, and/or distinguish between, legitimate code and/or irrelevant code in programs so that an analyst does not have to spend additional time sifting through and/or considering the irrelevant code when viewing the code of the program. Therefore, the analyst can be more efficient when determining a type of a program (e.g., malware) and/or when determining the actions of the program. For instance, a security researcher may be tasked with identifying the malware and/or determining the harmful or deceptive actions the malware executes on a computer (e.g., deletion of a file, the targeting of sensitive information such as social security numbers or credit card numbers, etc.). | 01-29-2015 |
20150033340 | SYSTEMS AND METHODS FOR SELF-TUNING NETWORK INTRUSION DETECTION AND PREVENTION - Systems and methods of the present disclosure are directed to a network security tool. In some embodiments, the tool identifies a current vulnerability of a private network. The tool can determine a signature of an attack configured to exploit the current vulnerability. The tool can compare the signature with active and inactive signatures stored in a signature repository. The tool can compare the signatures to identify an inactive signature corresponding to the signature of the attack configured to exploit the current vulnerability. The tool can automatically activate, responsive to the comparison, the identified inactive signature. The tool can use the activated signature to identify an exploit based on data packets received via the private network. | 01-29-2015 |
20150033341 | SYSTEM AND METHOD TO DETECT THREATS TO COMPUTER BASED DEVICES AND SYSTEMS - Aspects of the present disclosure relate to systems and methods for detecting a threat of a computing system. In one aspect, a plurality of instances of input data may be received from at least one sensor. A feature vector based upon at least one instance of the plurality of instances of input data may be generated. The feature vector may be sent to a classifier component, where a threat assessment score is determined for the feature vector. The threat assessment score may be determined by combining information associated with the plurality of instances of input data. A threat assignment may be assigned to the at least one instance of data based on the determined threat assessment score. The threat assignment and threat assessment score may be disseminated. | 01-29-2015 |
20150033342 | SECURITY DETECTION METHOD AND SYSTEM - Disclosed are a security detection method and system. The method comprises: (a) performing security scanning on code of an application program; if a high risk is detected, marking the application program as a high risk application program, generating a detection result, and performing step (d); otherwise, performing step (b) (S | 01-29-2015 |
20150033343 | Method, Apparatus, and Device for Detecting E-Mail Attack - A method, an apparatus, and a device for detecting an E-mail attack. The device receives a data flow; obtains an E-mail traffic parameter of each statistic period within a predetermined number of statistic periods, where within each statistic period, the E-mail traffic parameter of each of the statistic periods is determined according to a protocol type of the received data flow; and determines that an E-mail attack is detected when the E-mail traffic parameter of each statistic period within the predetermined number of statistic periods matches a first threshold. By applying the disclosed embodiments, a detection result of the E-mail attack is more accurate. | 01-29-2015 |
20150040222 | DETECTING AND REACTING TO INAPPROPRIATE EQUIPMENT AND PROGRAMMING IN A COMPUTER SYSTEM WITHOUT GENERATING ALERTS TO UNAUTHORIZED USERS OF THE DETECTION - A method, computer program product and system of detecting changes in hardware, software, or programming of a device in a computer system by a computer in the system coupled to the device through a network, without generating alerts or alerting unauthorized users of the detection of the changes. | 02-05-2015 |
20150040223 | SYSTEMS AND METHODS FOR DEFEATING MALWARE WITH POLYMORPHIC SOFTWARE - Systems and methods for defeating malware with polymorphic software are described. The system generates randomized relocatable image information by randomizing a plurality of function information that is included in relocatable image information. The plurality of function information includes a first function information. The first function information includes a first location that is used to enter the first function information. The randomizing further includes updating instruction information in the randomized relocatable image information. Updating the instruction information further includes updating relative address information utilized to enter the first function via the first location based on a new location of the first function in the randomized relocatable image information. The system further applies a base address to the randomized relocatable image information to generate randomized executable image information, loads the randomized executable image information into the memory, and executes the randomized executable image information. | 02-05-2015 |
20150040224 | Method And System For Dynamic Platform Security In A Device Operating System - A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secure software agent is provided for embedding within the abstraction layer forming the operating system. A secure store is provided for storing security information unique to one or more instances of the application software. The secure software agent uses the security information for continuous runtime assurance of ongoing operational integrity of the operating system and application software and thus operational integrity of the device. | 02-05-2015 |
20150040225 | BLACKLISTING AND WHITELISTING OF SECURITY-RELATED EVENTS - A disclosed computer-implemented method includes receiving and indexing the raw data. Indexing includes dividing the raw data into time stamped searchable events that include information relating to computer or network security. Store the indexed data in an indexed data store and extract values from a field in the indexed data using a schema. Search the extracted field values for the security information. Determine a group of security events using the security information. Each security event includes a field value specified by a criteria. Present a graphical interface (GI) including a summary of the group of security events, other summaries of security events, and a remove element (associated with the summary). Receive input corresponding to an interaction of the remove element. Interacting with the remove element causes the summary to be removed from the GI. Update the GI to remove the summary from the GI. | 02-05-2015 |
20150040226 | DATUM READING ERROR DETECTION METHOD - There is disclosed a method for detecting an error in the reading of a data item, this method includes | 02-05-2015 |
20150040227 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PREVENTING A MODIFICATION TO A DOMAIN NAME SYSTEM SETTING - A system, method, and computer program product are provided for preventing a modification to a domain name system setting. In use, an attempt to modify a domain name system setting is detected. Additionally, a source of the attempt and an attribute of the modification are verified. Further, the modification to the domain name system setting is prevented, based on the verification. | 02-05-2015 |
20150047032 | SYSTEM AND METHOD FOR COMPUTER SECURITY - A system and method for providing computer network security, including providing programs on a non-transitory computer readable medium, configuring said programs with an actuation threshold, actuating the programs in a manner to direct an unauthorized user to at least one pre-selected file of said network, forming at least one computer system decoy, and notifying an authorized computer user of the actuation of the program. | 02-12-2015 |
20150047033 | DETECTING CO-OCCURRENCE PATTERNS IN DNS - Techniques for inferring the existence of suspicious software by detecting multiple name server requests for the same sets of non-existent domains. Implementations can allow for detecting the existence of malware or other suspicious software without requiring reverse engineering of the malware's domain generation algorithm. | 02-12-2015 |
20150047034 | COMPOSITE ANALYSIS OF EXECUTABLE CONTENT ACROSS ENTERPRISE NETWORK - Identification, characterization and attribution of executable content within and across an enterprise infrastructure (e.g., hosts, subnets, routers, etc.) to provide situational awareness for cyber security for purposes of supporting proactive defense and response. Copies of executable content collected at one or more locations within an infrastructure (e.g., hosts, network edges, etc.) may be passed to a central analysis server whereby various characteristics of the executable content may be extracted or gleaned from the copies such as author marks (e.g., directory names), tool marks (e.g., compiler settings), behaviors (e.g., function extraction), patterns (e.g., byte sequences), text, and/or the like. The characteristics may be analyzed in various manners to build profiles of actors or organizations associated with (e.g., responsible for) executable content within the enterprise infrastructure. | 02-12-2015 |
20150047035 | Cyber Attack Disruption Through Multiple Detonations of Received Payloads - Apparatus and method for disrupting cyber attacks. In accordance with some embodiments, the apparatus includes a local computer system and an associated security system. The security system employs a decoy environment operationally isolated from the local computer system. The decoy environment operates to, responsive to receipt of a payload from an outside source, load the received payload into a memory of the decoy environment and detonate the loaded payload a plurality of times. | 02-12-2015 |
20150047036 | REAL-TIME NETWORK ATTACK DETECTION AND MITIGATION INFRASTRUCTURE - The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway. | 02-12-2015 |
20150047037 | Computer Security System and Method - The present invention is a computer security system and method in which the various algorithms not only do not search for or detect the presence of a steganographic or other hidden image in a data file or across data files, but also include at least one or more combined approaches for altering and neutralizing any hidden messages without significantly detracting from the underlying integrity of the data file or files thus treated. | 02-12-2015 |
20150047038 | TECHNIQUES FOR VALIDATING DISTRIBUTED DENIAL OF SERVICE ATTACKS BASED ON SOCIAL MEDIA CONTENT - A technique for validating a distributed denial of service attack against a computer network service associated with a computing device adapted to be connected to a computer network includes monitoring requests to the computer network service on the computer network. Social media for current trending topics or popular items is monitored to detect content directly linked to content located on the computing device or directly related to content located on the computing device. Responsive to the monitoring requests to the computer network service indicating an increased number of requests and the monitoring social media indicating that content located on the computing device or directly related to content located on the computing device is currently trending or popular, a response provided to the requests to the computer network service is modified to avoid overloading the computer network service. | 02-12-2015 |
20150047039 | SECURE NOTIFICATION ON NETWORKED DEVICES - A system, device and method to securely notify a user of a compromise of a device are provided. The system, device and method may include a detection device adapted for determining a compromise of the device communicatively coupled to the first path, a user database including at least information regarding the device and other devices associated with the user, and the secure signal path to at least one of the other devices. | 02-12-2015 |
20150047040 | COGNITIVE INFORMATION SECURITY USING A BEHAVIORAL RECOGNITION SYSTEM - Embodiments presented herein describe a method for processing streams of data of one or more networked computer systems. According to one embodiment of the present disclosure, an ordered stream of normalized vectors corresponding to information security data obtained from one or more sensors monitoring a computer network is received. A neuro-linguistic model of the information security data is generated by clustering the ordered stream of vectors and assigning a letter to each cluster, outputting an ordered sequence of letters based on a mapping of the ordered stream of normalized vectors to the clusters, building a dictionary of words from the ordered output of letters, outputting an ordered stream of words based on the ordered output of letters, and generating a plurality of phrases based on the ordered output of words. | 02-12-2015 |
20150047041 | METHOD FOR PREFIX REACHABILITY IN A COMMUNICATION SYSTEM - A method, arrangement, and first access router in a packet-switched communication network for determining that a first endpoint originating a communication session with a second endpoint is not initiating a malicious man-in-the-middle attack. The first access router provides access for the first endpoint to the network and a second access router provides access for the second endpoint. The first and second access routers facilitate conducting a secure key exchange between the first and second endpoints, wherein a shared secret key is generated. The first access router utilizes a Prefix Reachability Detection (PRD) protocol to determine the first endpoint is topologically legitimate due to being topologically located behind the first access router, and then sends a Prefix Request Test Initialization (PRTI) message to the second access router indicating the first endpoint is topologically legitimate. | 02-12-2015 |
20150047042 | TECHNIQUES FOR VALIDATING DISTRIBUTED DENIAL OF SERVICE ATTACKS BASED ON SOCIAL MEDIA CONTENT - A technique for validating a distributed denial of service attack against a computer network service associated with a computing device adapted to be connected to a computer network includes monitoring requests to the computer network service on the computer network. Social media for current trending topics or popular items is monitored to detect content directly linked to content located on the computing device or directly related to content located on the computing device. Responsive to the monitoring requests to the computer network service indicating an increased number of requests and the monitoring social media indicating that content located on the computing device or directly related to content located on the computing device is currently trending or popular, a response provided to the requests to the computer network service is modified to avoid overloading the computer network service. | 02-12-2015 |
20150047043 | USING A CONTENT DELIVERY NETWORK FOR SECURITY MONITORING - A content delivery network includes a plurality of cache servers. Each cache server is configured to receive a request for content from a client system and receive content and security data from a content server. Each cache server is further configured to provide the content to the client system and provide the security data to a monitoring system. | 02-12-2015 |
20150052605 | MALWARE DETECTION AND COMPUTER MONITORING METHODS - A method is disclosed, where some embodiments of the method include installing at least one benign malware indicator on one or more computing devices, monitoring the one or more computing devices for the presence of the at least one benign malware indicator, and responsive to determining the benign malware indicator is no longer present, sending a notification indicating the benign malware indicator is no longer detected as present on the one or more computing devices. Other embodiments include performing an antivirus scan or identifying unauthorized software programs. An apparatus and one or more non-transitory computer-readable media storing computer-readable instructions capable of performing similar actions, the latter in conjunction with a computer executing instructions stored on the media, are also disclosed. | 02-19-2015 |
20150052606 | METHOD AND A SYSTEM TO DETECT MALICIOUS SOFTWARE - In the method of the invention said detection is performed in an Anomaly Detection System, or ADS, by analyzing the behavior of a network and looking for deviations with respect to a normality, said normality indicating common behavior of users of said network and being defined previous to said detection. The method is characterised in that it comprises building a plurality of detection models, each of said plurality of detection models adapted to different entities of said network and to different algorithms, said different algorithms implementing different detection strategies and said plurality of detection models representing said normality. The system of the invention is arranged to implement the method of the invention. | 02-19-2015 |
20150052607 | METHOD AND SYSTEM FOR PROTECTING WEB APPLICATIONS AGAINST WEB ATTACKS - The present disclosure provides a method and system for protecting web applications against web attacks comprising a cloud service for generating rules and receiving reports, an agent manager in communication with the cloud service receiving rules from the cloud service and passing reports thereto, and an in-application agent in communication with the agent manager for receiving rules therefrom and passing reports thereto for protecting an application in which the in-application agent is embedded. | 02-19-2015 |
20150052608 | METHOD AND SYSTEM FOR DETECTION OF MALWARE THAT CONNECT TO NETWORK DESTINATIONS THROUGH CLOUD SCANNING AND WEB REPUTATION - A method for detecting malware includes the steps of identifying one or more open network connections of an electronic device, associating one or more executable objects on the electronic device with the one or more open network connections of the electronic device, determining the address of a first network destination that is connected to the open network connections of the electronic device, receiving an evaluation of the first network destination, and identifying one or more of the executable objects as malware executable objects. The evaluation includes an indication that the first network destination is associated with malware. The malware executable objects include the executable objects that are associated with the open network connections that are connected to the first network destination. | 02-19-2015 |
20150052609 | HETEROGENEOUS SENSORS FOR NETWORK DEFENSE - Heterogeneous sensors simultaneously inspect network traffic for attacks. A signature-based sensor detects known attacks but has a blind spot, and a machine-learning based sensor that has been trained to detect attacks in the blind spot detects attacks that fail to conform to normal network traffic. False positive rates of the machine-learning based sensor are reduced by iterative testing using statistical techniques. | 02-19-2015 |
20150058981 | SYSTEMS, METHODS, AND MEDIA FOR OUTPUTTING DATA BASED UPON ANOMALY DETECTION - Systems, methods, and media for outputting data based on anomaly detection are provided. In some embodiments, a method for outputting data based on anomaly detection is provided, the method comprising: receiving, using a hardware processor, an input dataset; identifying grams in the input dataset that substantially include distinct byte values; creating an input subset by removing the identified grams from the input dataset; determining whether the input dataset is likely to be anomalous based on the identified grams, and determining whether the input dataset is likely to be anomalous by applying the input subset to a binary anomaly detection model to check for an n-gram in the input subset; and outputting the input dataset based on the likelihood that the input dataset is anomalous. | 02-26-2015 |
20150058982 | Methods of unsupervised anomaly detection using a geometric framework - A method for unsupervised anomaly detection, which are algorithms that are designed to process unlabeled data. Data elements are mapped to a feature space which is typically a vector space | 02-26-2015 |
20150058983 | REVIVAL AND REDIRECTION OF BLOCKED CONNECTIONS FOR INTENTION INSPECTION IN COMPUTER NETWORKS - A method for network security includes monitoring traffic exchanged over a computer network. A failed attempt to communicate with a target computer by an initiating computer is identified in the monitored traffic. The identified failed attempt is revived by establishing an investigation connection with the initiating computer while impersonating the target computer. Verification is made as to whether the failed attempt was malicious or innocent, by communicating with the initiating computer over the investigation connection. | 02-26-2015 |
20150058984 | COMPUTER-IMPLEMENTED METHOD FOR DISTILLING A MALWARE PROGRAM IN A SYSTEM - A computer-implemented method for distilling a malware program in a system is disclosed. The computer-implemented method includes steps of receiving a known malware program sample; providing a benign program containing a first instruction set associated with a security; extracting the instruction set; tracing a program segment associated with the instruction set from the benign program using a plurality of data flow pathways; slicing the program segment into a plurality of independent data flow elements; identifying a partial program having elements identical to the plurality of independent data flow elements from the known malware program sample; and removing the partial program from the known malware program sample to distill the malware program. | 02-26-2015 |
20150058985 | Network Access Apparatus Having a Control Module and a Network Access Module - A network access apparatus includes a processor and an interface to receive a plurality of packets that originate from a client device. The apparatus also includes a network access module that is to perform a forwarding function on the plurality of packets, to determine whether the received plurality of packets comprise a predetermined type of communication, and to instruct the control module to analyze the plurality of packets in response to the plurality of packets being determined as comprising the predetermined type of communication. The apparatus further includes a control module that is to determine a feature of the plurality of packets received from the network access module, to determine whether the feature matches a configuration of a plurality of predetermined configurations, and to perform a predefined action on the plurality of packets in response to the feature matching the configuration. | 02-26-2015 |
20150058986 | Method, Device, and System for Implementing Network Access, and Network System - Disclosed are a method, device, and system for implementing network access, and a network system. The method comprises: in the case that a terminal requests to access a webpage, a server determining content of the webpage that the terminal requests to access; and the server searching for a webpage, used as a reference webpage, with relevant content matching the content of the webpage, and providing information of the found reference webpage to the terminal. The present invention can enable a user terminal to obtain multiple associated access results by performing webpage access once. Even though the terminal cannot for some reason access a webpage originally expected to be accessed, or the content of a webpage originally expected to be accessed cannot meet a user requirement, has a bad display effect, or even cannot be displayed, other webpages with associated or the same content can be provided to the terminal, so that a webpage that comprises sufficient information, has a better display effect, and is more secure is provided to the terminal, thereby avoiding an additional access operation of the terminal and improving the browsing efficiency and experience of a user. | 02-26-2015 |
20150058987 | Detecting File Encrypting Malware - A method in a computer for detecting a file encryption attack. The computer detects an attempt to overwrite current file data of a file with new file data. The computer then compares the new file data to the current file data to obtain a measure of the difference between the current and the new file data, and if the difference exceeds a threshold, the computer considers this to identify a file encryption attack. | 02-26-2015 |
20150058988 | REVERSION OF SYSTEM OBJECTS AFFECTED BY A MALWARE - A computerized method of reverting system data affected by a malware. The method comprises monitoring, in run time, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, logging in an event log, in run time, the plurality of events, classifying, in run time, a first process of the plurality of processes as a malware, identifying a set of events of the first process from the plurality of events using the event log, and reverting, in response to the classification, at least one system object hosted in the computing device to remove an effect of the set of events on the OS. | 02-26-2015 |
20150058989 | METHOD FOR DEFENDING AGAINST DENIAL-OF-SERVICE ATTACK ON THE IPV6 NEIGHBOR CACHE - A method of defending against a denial-of-service (DoS) attack on an IPv6 neighbor cache includes steps of determining a number of neighbor cache entries currently stored in the neighbor cache and then determining whether the number of entries exceeds a neighbor cache threshold that is less than a neighbor cache limit defining a maximum capacity of the neighbor cache. When the number of entries in the neighbor cache exceeds the neighbor cache threshold, stateless neighbor resolution is triggered. Stateless neighbor resolution entails sending a neighbor solicitation to resolve an address for an incoming packet without logging a corresponding entry in the neighbor cache. Additional techniques that complement the above method involve purging of neighbor cache entries designated as incomplete, prioritization of the entries based on trustworthiness, shortening the incomplete-status timer to less than 3 seconds, and curtailing the number of retransmissions of the neighbor solicitations. | 02-26-2015 |
20150058990 | DEVICE-SPECIFIC CONTENT DELIVERY - Devices of an individual's device-sphere recognize risky or undesirable behavior requested by devices outside of the device-sphere and allow the user to prevent the behavior. The user's decision is stored and used to protect all devices of the user's device-sphere from similar risky behavior from the outside devices. If the choice is made for all devices of the user's device-sphere, the choice is broadcast to other devices of the user's device-sphere such that other devices can benefit from the choice made by the user. | 02-26-2015 |
20150067845 | Detecting Anomalous User Behavior Using Generative Models of User Actions - A method for detecting abnormal behavior of users is disclosed. Processors identify, from a log of user activity, a first number of actions performed by a user over a first time period that match a pattern of user activity for a task associated with one or more roles of the users. Processors also identify, from the log of user activity, a second number of actions performed by the user over a second time period that match the pattern of user activity. Processors calculate an amount of deviation between the first number of actions and the second number of actions. The deviation identifies a difference between amounts of time spent in the one or more roles. Processors then determine whether the amount of deviation between the first number of actions and the second number of actions exceeds a threshold for abnormal behavior. | 03-05-2015 |
20150067846 | Malicious Activity Detection of a Functional Unit - A mechanism is provided for detecting malicious activity in a functional unit of a data processing system. A set of activity values associated with a set of functional units and a set of thermal levels associated with the set of functional units are monitored. For a current activity value associated with the functional unit in the set of functional units, a determination is made as to whether a thermal level associated with the functional unit differs from a verified thermal level beyond a predetermined threshold. Responsive to the thermal level associated with the functional unit differing from the verified thermal level beyond the predetermined threshold, sending an indication of suspected abnormal activity associated with the given functional unit. | 03-05-2015 |
20150067847 | Malicious Activity Detection of a Processing Thread - A mechanism is provided for detecting malicious activity in a functional unit. For a current activity value associated with a functional unit, a determination is made as to whether a thermal level associated with the functional unit differs from a verified thermal level beyond a first predetermined threshold. Responsive to the thermal level associated with the functional unit differing from the verified thermal level beyond the first predetermined threshold, a determination is made as to whether there is a known profile of thread activity levels that substantially matches current thread activity levels. Responsive to identifying the known profile that substantially matches the current thread activity levels, thread activity levels are compared to the known profile of thread activity levels. Responsive to the thread activity levels differing from the known profile beyond a second predetermined threshold, an indication of suspected abnormal activity associated with the given functional unit is sent. | 03-05-2015 |
20150067848 | DETECTING AUTOMATED SITE SCANS - Automated site scans are often seen as precursors to a cyber attack, from URI enumeration and version mapping to timing scans used to identify the most valuable DDoS targets. Disclosed are methods and apparatuses for detecting automated site scans and identifying the source of cyber attacks. Honeypot links are provided on a web page via a server. If multiple honeypot links are selected by a visitor of the web page, the server may identify the visitor as an automated system and generate a session ID. The server induces an artificial delay prior to displaying the data associated with the selected honeypot link. After a subsequent attack, the server is able to identify the attacker by association with the stored session ID of an automated site scan. | 03-05-2015 |
20150067849 | NEUTRALIZING PROPAGATION OF MALICIOUS INFORMATION - Methods and arrangements for controlling a spread of malicious information in a network. A viral spread of information is tracked, in a network comprising interconnected nodes. Malicious information in the viral spread of information is identified. A topic-specific sub-network of nodes prone to be affected by the malicious information is predicted, and the effect of the malicious information at the sub-network of nodes is neutralized, via initiating a spread of neutralizing information to the sub-network of nodes. Other variants and embodiments are broadly contemplated herein. | 03-05-2015 |
20150067850 | DDOS DETECTION USING SENSOR GRID - Methods and apparatus for detecting a network attack are disclosed. A sensor grid may be established in a network (e.g., an enterprise network). The sensors may monitor network assets across various network layers and transmit to a server signals that indicate the probability of an attack on the network. The server may apply an amplification algorithm to combine and amplify all of the received signals into a single signal that more accurately displays the probability of an attack on the network. | 03-05-2015 |
20150067851 | Malicious Activity Detection of a Functional Unit - A mechanism is provided for detecting malicious activity in a functional unit of a data processing system. A set of activity values associated with a set of functional units and a set of thermal levels associated with the set of functional units are monitored. For a current activity value associated with the functional unit in the set of functional units, a determination is made as to whether a thermal level associated with the functional unit differs from a verified thermal level beyond a predetermined threshold. Responsive to the thermal level associated with the functional unit differing from the verified thermal level beyond the predetermined threshold, sending an indication of suspected abnormal activity associated with the given functional unit. | 03-05-2015 |
20150067852 | Malicious Activity Detection of a Processing Thread - A mechanism is provided for detecting malicious activity in a functional unit. For a current activity value associated with a functional unit, a determination is made as to whether a thermal level associated with the functional unit differs from a verified thermal level beyond a first predetermined threshold. Responsive to the thermal level associated with the functional unit differing from the verified thermal level beyond the first predetermined threshold, a determination is made as to whether there is a known profile of thread activity levels that substantially matches current thread activity levels. Responsive to identifying the known profile that substantially matches the current thread activity levels, thread activity levels are compared to the known profile of thread activity levels. Responsive to the thread activity levels differing from the known profile beyond a second predetermined threshold, an indication of suspected abnormal activity associated with the given functional unit is sent. | 03-05-2015 |
20150067853 | SYSTEMS AND METHODS FOR DETECTING MALICIOUS MOBILE WEBPAGES - The disclosed technology includes techniques for identifying malicious mobile electronic documents, e.g., webpages or emails, based on static document features. The static features may include mobile-specific features, such as mobile web API calls, hosted mobile-specific binaries, noscript content, or misleading URL tokens visible on a mobile-specific interface. The static features may instead or also include various JavaScript (JS) features, HTML features, and URL features detected in numbers outside ranges expected for desktop electronic documents. These features may be used with machine learning techniques to classify benign and malicious documents in real time. | 03-05-2015 |
20150067854 | APPARATUS AND METHOD FOR MULTI-CHECKING FOR MOBILE MALWARE - An apparatus and method for multi-checking for mobile malware are provided. The apparatus for multi-checking for mobile malware includes a communication unit and a user interface (UI) unit. The communication unit communicates with at least one relay server. The UI unit receives an app to be checked from a user before sending the app to the relay server, or provides the user with the check results of the app obtained by a plurality of collection agents located in respective user terminals or emulators based on the app. | 03-05-2015 |
20150067855 | SERVER AND METHOD FOR ATTESTING APPLICATION IN SMART DEVICE USING RANDOM EXECUTABLE CODE - The present invention discloses an application attestation server and an application attestation method. Specifically, there is provided an application attestation server that attests a certain application in a smart device, the application attestation server comprising: an executable code generation unit configured to generate executable codes for attestation with respect to the application; a transceiver configured to transmit an executable code randomly selected from the generated executable codes to the smart device, and receive a result of execution of the selected executable code with respect to the application from the smart device; a malicious application analysis unit configured to analyze whether the application is a malicious application based on the received result; and an analysis result providing unit configured to provide an analysis result of the malicious application analysis unit to a user. Herein, the executable code generation unit is configured to generate the executable codes by randomly combining information relevant to the application. | 03-05-2015 |
20150067856 | SYSTEM, METHOD AND COMPUTER PROGRAM PRODUCT FOR SCANNING PORTIONS OF DATA - A scanning system, method and computer program product are provided. In use, portions of data are scanned. Further, access to a scanned portion of the data is allowed during scanning of another portion of the data. | 03-05-2015 |
20150067857 | IN-SITU TRAINABLE INTRUSION DETECTION SYSTEM - A computer implemented method detects intrusions using a computer by analysing network traffic. The method includes a semi-supervised learning module connected to a network node. The learning module uses labeled and unlabeled data to train a semi-supervised machine learning sensor. The method records events that include a feature set made up of unauthorized intrusions and benign computer requests. The method identifies at least some of the benign computer requests that occur during the recording of the events while treating the remainder of the data as unlabeled. The method trains the semi-supervised learning module at the network node in-situ, such that the semi-supervised learning modules may identify malicious traffic without relying on specific rules, signatures, or anomaly detection. | 03-05-2015 |
20150067858 | DETECTING UNWANTED INTRUSIONS INTO AN INFORMATION NETWORK - The present invention relates to a device for detecting unwanted intrusions into an information network comprising a module for receiving raw data from the network, a plurality of search engines configured to detect an attack indicator and any derived data which may be corrupted, a distribution module suitable for allocating at least one search engine to each piece of raw data, an administrator module linked to the search engines and to the distribution module and configured to transmit each piece of derived data to said module as new raw data if it has not already been processed by said same search engine(s), so as to provide recursive analysis of each piece of raw data received by said receiving module. The invention further relates to a process implemented by a device of this type. | 03-05-2015 |
20150067859 | PREEMPTIVE EVENT HANDLING - A computerized method of preemptive event handling. The method comprises monitoring, in run time at kernel level, a plurality of events of a plurality of processes executed by an operating system (OS) running on a computing device, detecting, in run time, a first event of the plurality of events, the first event being performed by a first process of the plurality of processes on the computing device, classifying, in run time, the first process as a malware in response to the detection of the first event, and preventing, in run time, the first process from running on the computing device before the first event is processed by the OS. | 03-05-2015 |
20150074806 | SYSTEMS AND METHODS FOR USING EVENT-CORRELATION GRAPHS TO DETECT ATTACKS ON COMPUTING SYSTEMS - A computer-implemented method for using event-correlation graphs to detect attacks on computing systems may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing an event-correlation graph that includes a first node that represents the first actor, a second node that represents a second actor, and an edge that interconnects the first node and the second node and represents a suspicious event involving the first actor and the second actor, (3) calculating, based at least in part on the additional suspicious event, an attack score for the event-correlation graph, (4) determining that the attack score is greater than a predetermined threshold, and (5) determining, based at least in part on the attack score being greater than the predetermined threshold, that the suspicious event may be part of an attack on the computing system. Various other methods, systems, and computer-readable media are also disclosed. | 03-12-2015 |
20150074807 | Discovery of Suspect IP Addresses - A method of discovering suspect IP addresses, the method including, at a client computer: monitoring the computer for malware; on detection of malware, obtaining a list of IP addresses with which a connection has been made or attempted at the client computer within a preceding time frame; sending the list of IP addresses to a central server; and receiving from the central server a blacklist of suspect IP addresses to allow the client computer to block connections with IP addresses within said blacklist. | 03-12-2015 |
20150074808 | Rootkit Detection in a Computer Network - Systems and methods are provided for detecting a rootkit by way of a call timing deviation anomaly in a computer. The rootkits may be embedded in the operating system (OS) kernel, an application or other system function. An object call duration baseline is established for durations of object calls (e.g., a system or application call) initiated by the computer, where each object call has an associated call-type and the timing baseline is established on an object call-type basis. Object call durations initiated by the computers are monitored. An object call duration anomaly is detected when the object call duration fails a call duration deviation measurement test, and an indication of the call duration anomaly is generated when detected. | 03-12-2015 |
20150074809 | METHOD FOR TRACKING MACHINES ON A NETWORK USING MULTIVARIABLE FINGERPRINTING OF PASSIVELY AVAILABLE INFORMATION - A method for tracking machines on a network of computers includes determining one or more assertions to be monitored by a first web site which is coupled to a network of computers. The method monitors traffic flowing to the web site through the network of computers and identifies the one or more assertions from the traffic coupled to the network of computers to determine a malicious host coupled to the network of computers. The method includes associating a first IP address and first hardware fingerprint to the assertions of the malicious host and storing information associated with the malicious host in one or more memories of a database. The method also includes identifying an unknown host from a second web site, determining a second IP address and second hardware fingerprint with the unknown host, and determining if the unknown host is the malicious host. | 03-12-2015 |
20150074810 | MALWARE AND EXPLOIT CAMPAIGN DETECTION SYSTEM AND METHOD - A malware and exploit campaign detection system and method are provided that cannot be detected by the malware or exploit campaign. The system may provide threat feed data to the vendors that produce in-line network security and end point protection (anti virus) technologies. The system may also be used as a testing platform for 3 | 03-12-2015 |
20150074811 | System and Method for Analyzing Unauthorized Intrusion Into a Computer Network - The method analyzes unauthorized intrusion into a computer network. Access is allowed to a virtualized operating system running on a hypervisor operating system hosted on a network device. A network attack is intercepted on the virtualized operating system using an introspection module with a virtual-machine-based rootkit module and its associated userland processes running on the hypervisor operating system. The network attack includes attack-identifying information. Forensic data is generated on the network attack from the attack-identifying information. | 03-12-2015 |
20150074812 | Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System - A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system. | 03-12-2015 |
20150082429 | PROTECTING WIRELESS NETWORK FROM ROGUE ACCESS POINTS - In one embodiment, a method includes receiving at an access point, notification of a rogue device in a wireless network, transmitting a plurality of association requests to the rogue device from the access point, and for each of the association requests that is accepted, transmitting a message to maintain an association between the access point and the rogue device to prevent association of clients with the rogue device. An apparatus and logic are also disclosed herein. | 03-19-2015 |
20150082430 | Data Flow Based Behavioral Analysis on Mobile Devices - Methods, devices and systems for detecting suspicious or performance-degrading mobile device behaviors intelligently, dynamically, and/or adaptively determine computing device behaviors that are to be observed, the number of behaviors that are to be observed, and the level of detail or granularity at which the mobile device behaviors are to be observed. The various aspects efficiently identify suspicious or performance-degrading mobile device behaviors without requiring an excessive amount of processing, memory, or energy resources. | 03-19-2015 |
20150082431 | DETECTION OF INFECTED NETWORK DEVICES AND FAST-FLUX NETWORKS BY TRACKING URL AND DNS RESOLUTION CHANGES - A system and method for detecting Fast-Flux malware are presented. Domain name system (DNS) lookup requests to DNS servers from a local area network (LAN) to a wide area network (WAN) are monitored. The DNS lookup requests comprise requests to resolve uniform resource locators (URLs) to network addresses. The network addresses (IP) received from the DNS servers for the DNS lookup requests are monitored to provide a URL-to-IP associations list. The DNS servers used for the DNS lookup requests for the URLs are monitored to provide a DNS Domain-to-DNS server associations list. A suspicious URL log based on the URL-to-IP associations list, and a suspicious DNS log based on the DNS Domain-to-DNS server associations list, are generated. | 03-19-2015 |
20150082432 | SYSTEM AND METHOD OF SEMANTICALLY MODELLING AND MONITORING APPLICATIONS AND SOFTWARE ARCHITECTURE HOSTED BY AN IAAS PROVIDER - The present disclosure is directed to a monitoring system for automatically inferring, without human modelling input or information regarding actual physical network connectivity, a service architecture of a widely distributed service operated by an Infrastructure-as-a-Service (IaaS) tenant but deployed on a set of virtual resources controlled by an independent IaaS provider. The monitoring system can collect infrastructure metadata and/or system-level metric data characterizing the set of virtual resources from the IaaS provider, and automatically infer from the metadata and/or metric data how the virtual resources should be organized into groups, clusters and hierarchies. The monitoring system can automatically infer this service architecture using naming conventions, security rules, software types, deployment patterns, and other information gleaned from the metadata and/or metric data. The monitoring system can then run analytics based on this inferred service architecture to report on service operation. | 03-19-2015 |
20150082433 | SYSTEMS AND METHODS FOR CAPTURING, REPLAYING, OR ANALYZING TIME-SERIES DATA - Provided is an intrusion detection system configured to detect anomalies indicative of a zero-day attack by statistically analyzing substantially all traffic on a network in real-time. The intrusion detection system, in some aspects, includes a network interface; one or more processors communicatively coupled to the network interface; system memory communicatively coupled to the processors. The system memory, in some aspects, stores instructions that when executed by the processors cause the processors to perform steps including: buffering network data from the network interface in the system memory; retrieving the network data buffered in the system memory; applying each of a plurality of statistical or machine-learning intrusion-detection models to the retrieved network data; aggregating intrusion-likelihood scores from each of the intrusion-detection models in an aggregate score, and upon the aggregate score exceeding a threshold, outputting an alert. | 03-19-2015 |
20150082434 | SYSTEMS AND METHODS TO COUNTER SIDE CHANNELS ATTACKS - Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes identifying a process to obtain timing information of a processor-based device, and in response to identifying the process to obtain the timing information, delaying delivery of the timing information for a time-delay period. In some embodiments, identifying the process to obtain the timing information may include identifying a request to obtain the timing information of the processor-based device. In some embodiments, identifying the process to obtain the timing information may include identifying a memory-access process. | 03-19-2015 |
20150082435 | CYCLIC REDUNDANCY CHECK METHOD WITH PROTECTION FROM SIDE-CHANNEL ATTACKS - The present invention relates to a method for processing a binary data item, comprising a step of calculating a cyclic redundancy check code for the data item by means of a generator polynomial, wherein the step of calculating the cyclic redundancy check code comprises the steps of: masking the data item with a random binary mask that is a multiple of the generator polynomial, and generating the cyclic redundancy check code for the data item from the masked data item. | 03-19-2015 |
20150082436 | ANTI-TAMPERING SERVER - A method for preventing tampering with the accessibility of resources specified by Universal Resource Locators (URLs) comprising receiving a primary URL from a web server; creating a unique identifier and associating, in a database, the unique identifier with the received primary URL; creating a secondary URL that includes the unique identifier; and providing the secondary URL to the web server wherein the primary URL is cross referenced to the secondary URL through the unique identifier. | 03-19-2015 |
20150082437 | METHOD AND APPARATUS FOR DETECTING IRREGULARITIES ON A DEVICE - A system and method for the detection of irregularities, such as fraud or malware ( | 03-19-2015 |
20150082438 | SYSTEM AND SERVER FOR DETECTING WEB PAGE CHANGES - Disclosed embodiments include a distributed system and server for detecting changes to web pages comprises (a) a Web Change Detection (WCD) server connected to the network, and (b) one or more WCD agents stored on the WCD server configured to be executed directly on a web browser to detect web page changes. The WCD comprises (a) an agent storage module configured to store the WCD agents, (b) a WCD repository to store a WCD information regarding the web pages in the server memory, and (c) a WCD changes detector configured for receiving information sent by the WCD agents and detecting changes on the web pages. The WCD system relies on the web users accessing sites to collaboratively detect the changes on the web pages, eliminating the need for crawler estimates of web-page changes. | 03-19-2015 |
20150082439 | AUTOMATIC CONTEXT-SENSITIVE SANITIZATION - An automatic context-sensitive sanitization technique detects errors due to the mismatch of a sanitizer sequence with a browser parsing context. A pre-deployment analyzer automatically detects violating paths that contain a sanitizer sequence that is inconsistent with a browsing context associated with outputting an untrusted input. The pre-deployment analyzer determines a correct sanitizer sequence, which is stored in a sanitization cache. During the runtime execution of the web application, a path detector tracks execution of the web application in relation to the violating paths. The correct sanitizer sequence can be applied when the runtime execution follows a violating path. | 03-19-2015 |
20150089645 | METHOD AND SYSTEM FOR PREVENTING AND DETECTING SECURITY THREATS - A system and method is provided for implementing platform security on a consumer electronic device having an open development platform. The device is of the type which includes an abstraction layer operable between device hardware and application software. A secured software agent is provided for embedding within the abstraction layer forming the operating system. The secured software agent is configured to limit access to the abstraction layer by either blocking loadable kernel modules from loading, blocking writing to the system call table or blocking requests to attach debug utilities to certified applications or kernel components. | 03-26-2015 |
20150089646 | APPARATUS AND METHOD FOR PROTECTING COMMUNICATION PATTERN OF NETWORK TRAFFIC - An apparatus for protecting traffic trend in a network of a control system using artificial communication is provided. In accordance with an embodiment, the apparatus includes a communication terminal device installed in a network and configured to create and filter artificial communication. A communication server device determines whether to create artificial communication at a current time in the communication terminal device, requests a transmitting side-communication terminal device to create artificial communication, and requests a receiving side-communication terminal device to filter the artificial communication. | 03-26-2015 |
20150089647 | Distributed Sample Analysis - A method of inspecting a file on a client computer in order to determine if the file is malicious. The client computer sends a hash of the file to a server. The server then compares the hash of the file to a database of hashes of known files, and uses results of the comparison to determine whether or not the file is unknown to the server. If the file is unknown, the server sends a request for a first security analysis of the file to the client computer. The client computer then performs the first security analysis on the file, modifies the results of the first security analysis by removing or hashing selected data from results, and sends the modified results of the first security analysis to the server. The server performs a second security analysis on the modified results in order to determine if the file is malicious. | 03-26-2015 |
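The exchange in the abstract above (hash lookup first, a client-side first analysis only for unknown files, redaction of selected result fields, then a server-side second analysis) as an added example; this is not the patent's code. The known-hash database, the suspicious-string list, the analysis checks and the sample file contents are all constructed for illustration.

```python
"""Added example, not the patent's code: a client/server exchange for
distributed sample analysis with a hash lookup, a client-side first analysis,
and redaction of selected fields before the server's second analysis."""
import hashlib
import re

# Constructed known-file database (sha256 hex -> verdict); a real server
# would back this with a large store of known-good and known-bad hashes.
KNOWN_HASHES = {
    hashlib.sha256(b"MZ\x00benign installer").hexdigest(): "benign",
    hashlib.sha256(b"MZ\x00known trojan").hexdigest(): "malicious",
}
# Constructed server-side indicator list: hashes of strings the server
# treats as suspicious, so the client never has to upload raw strings.
SUSPICIOUS_STRING_HASHES = {
    hashlib.sha256(b"cmd.exe /c del").hexdigest(),
}
# Fields removed from, or hashed in, the client's report before upload.
REDACT_FIELDS = {"path", "username"}
HASH_FIELDS = {"strings"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Server:
    def __init__(self, known=KNOWN_HASHES):
        self.known = dict(known)

    def lookup(self, digest: str):
        """Verdict for a known hash, or None when the file is unknown."""
        return self.known.get(digest)

    def second_analysis(self, report: dict) -> str:
        """Score the redacted first-analysis report; two or more hits is malicious."""
        hits = 0
        hits += report["writes_autorun_key"]
        hits += report["connects_out"]
        hits += any(h in SUSPICIOUS_STRING_HASHES for h in report["strings"])
        return "malicious" if hits >= 2 else "benign"


class Client:
    def first_analysis(self, content: bytes, path: str) -> dict:
        """Local static checks; produces data the client will not send raw."""
        return {
            "path": path,
            "username": "alice",  # constructed; would come from the session
            "writes_autorun_key": b"CurrentVersion\\Run" in content,
            "connects_out": b"http://" in content,
            "strings": [s.decode("ascii") for s in re.findall(rb"[ -~]{8,}", content)],
        }

    def redact(self, result: dict) -> dict:
        """Drop private fields and replace raw strings with their hashes."""
        out = {}
        for key, value in result.items():
            if key in REDACT_FIELDS:
                continue
            if key in HASH_FIELDS:
                out[key] = [sha256_hex(s.encode("ascii")) for s in value]
            else:
                out[key] = value
        return out


def inspect_file(client: Client, server: Server, content: bytes, path: str):
    """Full exchange: hash lookup first, client analysis only for unknown files."""
    verdict = server.lookup(sha256_hex(content))
    if verdict is not None:
        return verdict, "hash-lookup"
    report = client.redact(client.first_analysis(content, path))
    return server.second_analysis(report), "distributed-analysis"
```

The point of hashing the extracted strings rather than dropping them is that the server can still match them against its own indicator list without learning anything about strings it does not already know.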
20150089648 | MALWARE MANAGEMENT THROUGH KERNEL DETECTION DURING A BOOT SEQUENCE - A system and method for managing pestware on a protected computer is described. The method in one variation includes monitoring events during a boot sequence of the computer; managing pestware-related events before native applications can run and after a kernel is loaded; managing pestware-related events when native applications can run; and scanning a registry of the computer for pestware when native applications can run. In variations, a pestware management engine is initialized after an operating system of the protected computer is initialized and the pestware management system both receives an event log of the monitored events and compiles the set of behavior rules utilized by kernel-level monitor. | 03-26-2015 |
20150089649 | HARDWARE BASED DETECTION DEVICES FOR DETECTING NETWORK TRAFFIC CONTENT AND METHODS OF USING THE SAME - A device for detecting network traffic content is provided. The device includes a first input port configured to receive one or more signatures, each of the one or more signatures associated with content desired to be detected, a second input port configured to receive data associated with network traffic content. The device also includes a processor configured to process the one or more signatures and the data to determine whether the network traffic content matches the content desired to be detected, and an output port configured to couple the device to a computer system of an intended recipient of the network traffic content. The output port passes the network traffic content to the computer system when it is determined that the network traffic content does not match the content desired to be detected. | 03-26-2015 |
20150089650 | METHODS OF DETECTION OF SOFTWARE EXPLOITATION - A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions. | 03-26-2015 |
20150089651 | METHODS OF DETECTION OF SOFTWARE EXPLOITATION - A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions. | 03-26-2015 |
20150089652 | METHODS OF DETECTION OF SOFTWARE EXPLOITATION - A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions. | 03-26-2015 |
20150089653 | METHODS OF DETECTION OF SOFTWARE EXPLOITATION - A method for detecting software exploitation broadly comprises the steps of gathering information about processes and threads executing on a computing device, monitoring instructions executed by a thread that is currently running, performing the following steps if a function to create a process or a function to load a library is called, examining a thread information block, determining whether an address included in a stack pointer of the thread is in a range of addresses for a stack specified by the thread information block, and determining whether a first plurality of no-operation instructions is followed by shell code that is followed by a second plurality of no-operation instructions. | 03-26-2015 |
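The two checks named in the four abstracts above (a stack pointer outside the stack range the thread information block describes, and a run of no-operation instructions followed by shell code followed by a second run of no-operation instructions), as an added example that is not the patents' implementation. It is a Python simulation over constructed values rather than a hook on a live thread; the stack bounds are taken as the Windows TIB fields StackLimit (low) and StackBase (high), and the sample byte strings are constructed.

```python
"""Added example, not the patent's implementation: the two checks from the
abstract simulated in Python over constructed values rather than read from a
live thread. Stack bounds are taken as the Windows TIB fields StackLimit (low)
and StackBase (high); that layout is an assumption here."""
import re

NOP = b"\x90"  # x86 single-byte NOP; other NOP-equivalents are not modelled


def sp_outside_stack(sp: int, stack_limit: int, stack_base: int) -> bool:
    """True when the stack pointer lies outside [StackLimit, StackBase)."""
    return not (stack_limit <= sp < stack_base)


def find_sled_shellcode_sled(buf: bytes, min_sled: int = 8, min_body: int = 4):
    """Return (start, end) of the first NOP sled / non-NOP body / NOP sled run, else None."""
    pattern = re.compile(rb"\x90{%d,}[^\x90]{%d,}\x90{%d,}" % (min_sled, min_body, min_sled))
    match = pattern.search(buf)
    return match.span() if match else None


def check_at_process_create(sp: int, stack_limit: int, stack_base: int, memory: bytes) -> list:
    """Indicators to raise when a create-process or load-library call is entered."""
    indicators = []
    if sp_outside_stack(sp, stack_limit, stack_base):
        indicators.append("stack_pointer_outside_tib_stack")
    if find_sled_shellcode_sled(memory) is not None:
        indicators.append("nop_sled_around_shellcode")
    return indicators
```

A stack pointer that has left the thread's own stack is the signature of a stack pivot; the sled check only covers the plain 0x90 sled, so a real monitor would also accept other single-byte NOP-equivalent opcodes.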
20150089654 | MALWARE REMOVAL METHOD AND SYSTEM, AND COMPUTER STORAGE MEDIUM - A method, device, and a computer storage medium are provided. The method includes: starting a core file and building an environment after running an operating system, then loading a driver in the built environment; reading a configuration file by the driver to obtain a path of a malware; and deleting a registry entry and file of the malware in a kernel layer according to the path. The device includes: a start loading module configured to start a core file and build an environment after running an operating system, then load a driver in the built environment; a path reading module configured to read a configuration file by the driver to obtain a path of a malware; and a program deleting module configured to delete a registry entry and file of the malware in a kernel layer according to the path. | 03-26-2015 |
20150096018 | Systems and Methods for Using a Reputation Indicator to Facilitate Malware Scanning - Described systems and methods allow protecting a computer system from malware, such as viruses, Trojans, and spyware. A reputation manager executes in conjunction with an anti-malware engine. The reputation manager determines a reputation of a target process executing on the computer system according to a reputation of a set of executable modules, such as shared libraries, loaded by the target process. The anti-malware engine may be configured to employ a process-specific protocol to scan the target process for malware, the protocol selected according to process reputation. Processes trusted to be non-malicious may thus be scanned using a more relaxed protocol than unknown or untrusted processes. The reputation of executable modules may be static; an indicator of module reputation may be stored and/or retrieved by a remote reputation server. Process reputation may be dynamically changeable, i.e. re-computed repeatedly by the reputation manager in response to process life-cycle and/or security events. | 04-02-2015 |
20150096019 | SOFTWARE NETWORK BEHAVIOR ANALYSIS AND IDENTIFICATION SYSTEM - A particular method includes detecting, at a detection module, an indicator corresponding to a suspicious software component, where the indicator is detected based on monitored network data of a network system and based on a plurality of network behavior profiles. At least one of the network behavior profiles includes an ordered sequence of network actions. The method further includes determining, at an identification module, whether the indicator corresponds to any of the plurality of network behavior profiles. The method further includes generating output data in response to a determination that the indicator corresponds to a particular network behavior profile of the plurality of network behavior profiles. | 04-02-2015 |
20150096020 | LIMITING THE EFFICACY OF A DENIAL OF SERVICE ATTACK BY INCREASING CLIENT RESOURCE DEMANDS - A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may receive, from the client device, the solution to the computationally expensive problem. The device may selectively provide the client device with access to the resource based on the solution. | 04-02-2015 |
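The mechanism in the abstract above (a server that, once it believes it is under attack, makes each client pay for a resource with a computationally expensive problem) as an added example; this is not the patent's code. It uses a hash-based puzzle (find a counter whose SHA-256 digest has a required number of leading zero hex digits), an HMAC tag so the client cannot lower the difficulty it was given, and a used-nonce set so a solution buys exactly one request. The difficulty policy and the secret are constructed.

```python
"""Added example, not the patent's code: a hash-based client puzzle that a
server hands out only while it believes it is under attack."""
import hashlib
import hmac
import os


def choose_difficulty(attack_detected: bool, requests_per_second: float) -> int:
    """Leading hex zeros required; 0 means no puzzle is issued."""
    if not attack_detected:
        return 0
    # Constructed policy: scale with load, capped so legitimate clients finish.
    if requests_per_second < 100:
        return 3
    if requests_per_second < 1000:
        return 4
    return 5


def issue_puzzle(client_id: str, difficulty: int, secret: bytes, nonce: str = None) -> dict:
    """Server side: a stateless challenge, authenticated so the client cannot lower it."""
    nonce = nonce if nonce is not None else os.urandom(16).hex()
    tag = hmac.new(secret, f"{client_id}:{nonce}:{difficulty}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "difficulty": difficulty, "tag": tag}


def _digest(client_id: str, nonce: str, counter: int) -> str:
    return hashlib.sha256(f"{client_id}:{nonce}:{counter}".encode()).hexdigest()


def solve_puzzle(client_id: str, puzzle: dict, max_tries: int = 1 << 24) -> int:
    """Client side: brute-force a counter until the digest has the required zeros."""
    target = "0" * puzzle["difficulty"]
    for counter in range(max_tries):
        if _digest(client_id, puzzle["nonce"], counter).startswith(target):
            return counter
    raise RuntimeError("no solution within budget")


class PuzzleGate:
    """Server side: verify tag and solution, and refuse replays of a nonce."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_nonces = set()

    def admit(self, client_id: str, puzzle: dict, solution: int) -> bool:
        msg = f"{client_id}:{puzzle['nonce']}:{puzzle['difficulty']}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, puzzle["tag"]):
            return False  # client tampered with nonce, difficulty or client id
        if puzzle["nonce"] in self.used_nonces:
            return False  # a solved puzzle buys exactly one request
        if not _digest(client_id, puzzle["nonce"], solution).startswith("0" * puzzle["difficulty"]):
            return False
        self.used_nonces.add(puzzle["nonce"])
        return True
```

Each extra hex digit of difficulty multiplies the client's expected work by sixteen while verification stays one HMAC and one hash, which is the asymmetry the abstract relies on; the used-nonce set needs an expiry in practice so it cannot itself become the resource an attacker exhausts.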
20150096021 | METHOD AND SYSTEM FOR METADATA DRIVEN TESTING OF MALWARE SIGNATURES - Techniques are disclosed for evaluating the effectiveness of a malware signature. A query tool translates a markup language malware signature definition into a database query. The query is then executed against a database of application features to identify software packages that the signature would identify as malware. The results of the query are compared with threat information stored in the database and classified as being true/false positives and true/false negatives. | 04-02-2015 |
20150096022 | DYNAMICALLY ADAPTIVE FRAMEWORK AND METHOD FOR CLASSIFYING MALWARE USING INTELLIGENT STATIC, EMULATION, AND DYNAMIC ANALYSES - Techniques for malware detection are described herein. According to one aspect, control logic determines an analysis plan for analyzing whether a specimen should be classified as malware, where the analysis plan identifies at least first and second analyses to be performed. Each of the first and second analyses identified in the analysis plan includes one or both of a static analysis and a dynamic analysis. The first analysis is performed based on the analysis plan to identify suspicious indicators and characteristics related to processing of the specimen. The second analysis is performed based on the analysis plan to identify unexpected behaviors having processing or communications anomalies. A classifier determines whether the specimen should be classified as malicious based on the static and dynamic analyses. The analysis plan, the indicators, the characteristics, and the anomalies are stored in a persistent memory. | 04-02-2015 |
20150096023 | FUZZY HASH OF BEHAVIORAL RESULTS - A computerized method is described in which a received object is analyzed by a malicious content detection (MCD) system to determine whether the object is malware or non-malware. The analysis may include the generation of a fuzzy hash based on a collection of behaviors for the received object. The fuzzy hash may be used by the MCD system to determine the similarity of the received object with one or more objects in previously classified/analyzed clusters. Upon detection of a “similar” object, the suspect object may be associated with the cluster and classified based on information attached to the cluster. This similarity matching provides 1) greater flexibility in analyzing potential malware objects, which may share multiple characteristics and behaviors but are also slightly different from previously classified objects and 2) a more efficient technique for classifying/assigning attributes to objects. | 04-02-2015 |
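One way to build the fuzzy hash of behavioural results described above, as an added example that is not the MCD system's code: the ordered behaviours are shingled into bigrams, a MinHash signature over the shingle set serves as the fuzzy hash, and the fraction of matching signature positions estimates the Jaccard similarity to each previously classified cluster. The behaviour traces, cluster labels and similarity threshold are constructed; the keyed BLAKE2b hashes stand in for random permutations.

```python
"""Added example, not the MCD system's code: a MinHash-based fuzzy hash over
the ordered behaviours an object showed during analysis, with cluster
assignment by estimated similarity."""
import hashlib

SIGNATURE_LEN = 64


def shingles(behaviors, n=2):
    """Ordered n-grams of behaviours; order is what makes two traces similar."""
    return {"|".join(behaviors[i:i + n]) for i in range(len(behaviors) - n + 1)}


def _hash(shingle: str, seed: int) -> int:
    # One keyed hash per "permutation"; the key stands in for a random permutation.
    return int.from_bytes(
        hashlib.blake2b(shingle.encode(), digest_size=8, key=seed.to_bytes(4, "little")).digest(),
        "big",
    )


def fuzzy_hash(behaviors, n=2, k=SIGNATURE_LEN):
    """MinHash signature: the minimum keyed hash of the shingle set per seed."""
    sh = shingles(behaviors, n)
    if not sh:
        # Empty trace: sentinel signature (note two empty traces compare equal).
        return tuple([(1 << 64) - 1] * k)
    return tuple(min(_hash(s, seed) for s in sh) for seed in range(k))


def estimated_similarity(sig_a, sig_b) -> float:
    """Fraction of matching positions approximates the Jaccard index."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


def jaccard(behaviors_a, behaviors_b, n=2) -> float:
    """Exact Jaccard over shingle sets, for checking the estimate."""
    a, b = shingles(behaviors_a, n), shingles(behaviors_b, n)
    return len(a & b) / len(a | b) if a | b else 0.0


class ClusterStore:
    """Previously classified clusters, each represented by one signature."""

    def __init__(self, threshold=0.35):
        self.threshold = threshold
        self.clusters = []  # (label, signature)

    def add_cluster(self, label, behaviors):
        self.clusters.append((label, fuzzy_hash(behaviors)))

    def classify(self, behaviors):
        """Return (label, similarity); 'unknown' when nothing is close enough."""
        sig = fuzzy_hash(behaviors)
        best_label, best_sim = "unknown", 0.0
        for label, csig in self.clusters:
            sim = estimated_similarity(sig, csig)
            if sim > best_sim:
                best_label, best_sim = label, sim
        if best_sim < self.threshold:
            return "unknown", best_sim
        return best_label, best_sim
```

The signature is what gets stored per cluster: 64 eight-byte values per object regardless of trace length, and comparison is position-wise equality rather than a set intersection, which is what makes matching a new object against many clusters cheap.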
20150096024 | ADVANCED PERSISTENT THREAT (APT) DETECTION CENTER - A computerized method is described in which one or more received objects are analyzed by an advanced persistent threat (APT) detection center to determine if the objects are APTs. The analysis may include the extraction of features describing and characterizing features of the received objects. The extracted features may be compared with features of known APT malware objects and known non-APT malware objects to determine a classification or probability of the received objects being APT malware. Upon determination that the received objects are APT malware, warning messages may be transmitted to a user of associated client devices. Classified objects may also be used to generate analytic data for the prediction and prevention of future APT attacks. | 04-02-2015 |
20150096025 | System, Apparatus and Method for Using Malware Analysis Results to Drive Adaptive Instrumentation of Virtual Machines to Improve Exploit Detection - According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event. | 04-02-2015 |
20150096026 | CYBER SECURITY - Systems and methods that use probabilistic grammatical inference and statistical data analysis techniques to characterize the behavior of systems in terms of a low dimensional set of summary variables and, on the basis of these models, detect anomalous behaviors are disclosed. The disclosed information-theoretic system and method exploit the properties of information to deduce a structure for information flow and management. The properties of information can provide a fundamental basis for the decomposition of systems and hence a structure for the transmission and combination of observations at the desired levels of resolution (e.g., component, subsystem, system). | 04-02-2015 |
20150096027 | SYSTEM AND METHOD FOR EVALUATING MALWARE DETECTION RULES - A malware detection rule is evaluated for effectiveness and accuracy. The detection rule defines criteria for distinguishing files having a characteristic of interest from other files lacking that characteristic, for instance, malicious files vs. benign files. The detection rule is applied to a set of unknown files. This produces a result set that contains files detected from among the set of unknown files as having the at least one characteristic of interest. Each file from the result set is compared to at least one file from a set of known files having the characteristic to produce a first measure of similarity, and to at least one file from a set of known files lacking the characteristic to produce a second measure of similarity. In response to the first measure of similarity exceeding a first similarity threshold, the detection rule is deemed effective. In response to the second measure of similarity exceeding a second similarity threshold, the detection rule is deemed inaccurate. | 04-02-2015 |
20150096028 | Method of Detecting Malware in an Operating System Kernel - The present invention relates to means for detecting malware. The method is realized on a computer with an operating system (OS) installed thereon, and comprises a step in which a point of interrupt is established when a system call is made by a user application requesting the transfer of control via an address in the kernel of the loaded OS. Next, the data structure of the loaded OS is checked. As this check is carried out, the address of the command in the random-access memory of the computer, by means of which command control will be transferred during the system call, is determined and the addresses of the commands to be executed during the system call are checked to see if they belong to the normal range of addresses of the OS kernel and OS kernel modules in the random-access memory. The presence of malware is then detected in the event that a command address does not belong to the normal range of addresses. The proposed method includes a dynamic check of the execution of the OS kernel code in order to detect the illegal interception and alteration of the code in the kernel and in the kernel modules (drivers) that are to be loaded. The proposed method enables the detection of both known and previously unregistered malware in an OS kernel and in OS kernel modules that are to be loaded. | 04-02-2015 |
20150096029 | Dynamic Selection and Loading of Anti-Malware Signatures - An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware system dynamically determines which of the available malware detection signatures and classes of signatures are relevant and should be provided to a machine based on available information. The malware detection signatures are obtained and loaded automatically from one or more sources when a threat becomes relevant. A program or application may be blocked from accessing files until the relevant malware detection signatures have been loaded onto the machine. | 04-02-2015 |
20150096030 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR PREVENTING COMMUNICATION OF UNWANTED NETWORK TRAFFIC BY HOLDING ONLY A LAST PORTION OF THE NETWORK TRAFFIC - A system, method, and computer program product are provided for preventing communication of unwanted network traffic by holding only a last portion of the network traffic. In use, network traffic associated with a file transfer is received. Additionally, only a last portion of the network traffic associated with the file transfer is held for determining whether the file is unwanted. Further, the last portion of the network traffic associated with the file transfer is conditionally forwarded to a destination device, based on the determination. | 04-02-2015 |
20150101047 | Pre-Identifying Probable Malicious Behavior Based on Configuration Pathways - The various aspects include systems and methods for enabling mobile computing devices to recognize when they are at risk of experiencing malicious behavior in the near future given a current configuration. Thus, the various aspects enable mobile computing devices to anticipate malicious behaviors before a malicious behavior begins rather than after the malicious behavior has begun. In the various aspects, a network server may receive behavior vector information from multiple mobile computing devices and apply pattern recognition techniques to the received behavior vector information to identify malicious configurations and pathway configurations that may lead to identified malicious configurations. The network server may inform mobile computing devices of identified malicious configurations and the corresponding pathway configurations, thereby enabling mobile computing devices to anticipate and prevent malicious behavior from beginning by recognizing when they have entered a pathway configuration leading to malicious behavior. | 04-09-2015 |
20150101048 | Malware Detection and Prevention by Monitoring and Modifying a Hardware Pipeline - The various aspects provide a method for recognizing and preventing malicious behavior on a mobile computing device before it occurs by monitoring and modifying instructions pending in the mobile computing device's hardware pipeline (i.e., queued instructions). In the various aspects, a mobile computing device may preemptively determine whether executing a set of queued instructions will result in a malicious configuration given the mobile computing device's current configuration. When the mobile computing device determines that executing the queued instructions will result in a malicious configuration, the mobile computing device may stop execution of the queued instructions or take other actions to preempt the malicious behavior before the queued instructions are executed. | 04-09-2015 |
20150101049 | Complex Scoring for Malware Detection - Described systems and methods allow protecting a computer system from malware such as viruses, Trojans, and spyware. For each of a plurality of executable entities (such as processes and threads executing on the computer system), a scoring engine records a plurality of evaluation scores, each score determined according to a distinct evaluation criterion. Every time an entity satisfies an evaluation criterion (e.g, performs an action), the respective score of the entity is updated. Updating a score of an entity may trigger score updates of entities related to the respective entity, even when the related entities are terminated, i.e., no longer active. Related entities include, among others, a parent of the respective entity, and/or an entity injecting code into the respective entity. The scoring engine determines whether an entity is malicious according to the plurality of evaluation scores of the respective entity. | 04-09-2015 |
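The scoring engine in the abstract above (one score per evaluation criterion per entity, with an update on one entity also updating its parent and the entity that injected code into it, even after those entities have terminated) as an added example; this is not the described product's code. The criteria, weights, propagation share and threshold are constructed.

```python
"""Added example, not the described scoring engine's code: per-entity
scores on distinct criteria, with updates propagated to the parent and to the
injecting entity even after those entities have terminated."""
from collections import defaultdict

# Constructed criteria and weights; a real engine has many more.
CRITERIA = {
    "writes_system_dir": 30,
    "disables_defender": 50,
    "injects_code": 40,
    "network_beacon": 20,
    "deletes_self": 25,
}
PROPAGATION = 0.5  # share of a child's or target's score credited to the related entity


class Entity:
    def __init__(self, eid, parent=None):
        self.eid = eid
        self.parent = parent          # entity id or None
        self.injected_by = None       # entity id of the code injector, if any
        self.active = True
        self.scores = defaultdict(float)  # criterion -> accumulated score


class ScoringEngine:
    def __init__(self, threshold=70):
        self.threshold = threshold
        self.entities = {}  # terminated entities are kept, never deleted

    def create(self, eid, parent=None):
        self.entities[eid] = Entity(eid, parent)

    def terminate(self, eid):
        """Mark inactive but keep the record so later propagation still lands."""
        self.entities[eid].active = False

    def inject(self, injector, target):
        """Injector scores the injection; target remembers who injected it."""
        self.entities[target].injected_by = injector
        self.record(injector, "injects_code")

    def record(self, eid, criterion):
        """Entity satisfied a criterion; credit it and its related entities."""
        weight = CRITERIA[criterion]
        entity = self.entities[eid]
        entity.scores[criterion] += weight
        for related in (entity.parent, entity.injected_by):
            if related in self.entities:  # terminated entities still exist here
                self.entities[related].scores["related:" + criterion] += weight * PROPAGATION

    def total(self, eid) -> float:
        return sum(self.entities[eid].scores.values())

    def is_malicious(self, eid) -> bool:
        return self.total(eid) >= self.threshold
```

Keeping terminated entities is what lets a short-lived dropper be convicted by what its children and its injection targets do afterwards; a real engine would bound that history by age rather than keep it forever.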
20150101050 | DETECTING AND MEASURING MALWARE THREATS - Methods, systems, computer-readable media, and apparatuses for detecting and measuring malware threats are presented. In some embodiments, a computing device may collect malware detection data from one or more monitored applications. Subsequently, the computing device may aggregate the collected malware detection data. Then, the computing device may generate a heat map based on the aggregation of the collected malware detection data, where the heat map is configured to identify one or more malware threats associated with one or more monitored applications. In some arrangements, collecting the malware detection data may include monitoring various aspects of a client computing device and/or the client computing device's communications with one or more servers and/or other devices that may be configured to provide the one or more monitored applications. | 04-09-2015 |
20150101051 | Method and device for the performance of a function by a microcircuit - A method for the performance of a function by a microcircuit, includes: | 04-09-2015 |
20150106927 | REAL-TIME DETECTION AND CLASSIFICATION OF ANOMALOUS EVENTS IN STREAMING DATA - A system is described for receiving a stream of events and scoring the events based on anomalousness and maliciousness (or other classification). The events can be displayed to a user in user-defined groupings in an animated fashion. The system can include a plurality of anomaly detectors that together implement an algorithm to identify low probability events and detect atypical traffic patterns. The atypical traffic patterns can then be classified as being of interest or not. In one particular example, in a network environment, the classification can be whether the network traffic is malicious or not. | 04-16-2015 |
20150106928 | SCREENING OF EMAIL TEMPLATES IN CAMPAIGN MANAGEMENT - Various embodiments of systems and methods for uploading email templates in campaign management are described herein. In an aspect, the method includes screening an email template prior to uploading the email template to a campaign management application. The criteria for screening includes, but is not limited to, scanning for malware, checking for conformance with code page, and checking for conformance of placeholders with pre-defined format or syntax. Upon detecting an error an error message is notified to a user otherwise the email template is uploaded to the campaign management application for executing an email campaign. | 04-16-2015 |
20150106929 | SYSTEM AND METHOD FOR ATTACK AND MALWARE PREVENTION - A system and method for preventing malware attacks on mobile devices is presented. A server receives data from a mobile communications device and applies, by a known good component, logic on the data to determine if the data is safe. When the data is determined as being safe, the data is allowed to be processed by the mobile communications device. When the data is determined as not safe, a known bad component applies logic on the data to determine if the data is malicious. The data is rejected from being processed by the mobile communications device when the data is determined as being malicious. When the data is not malicious, a decision component performs an analysis on the data. If the decision component determines the data to be safe, the data is allowed to be processed by the mobile communications device. Otherwise, the data is rejected from being processed. | 04-16-2015 |
20150106930 | LOG ANALYSIS DEVICE AND METHOD - A log analysis device that classifies, based on a log collected from a network device, a plurality of attack target communication devices receiving attacks from an attack source communication device includes a correlation coefficient calculation unit that calculates, based on the log, a correlation coefficient relating to the number of the attacks in a time period during which the attacks were carried out for a combination of the plurality of attack target communication devices, the time period including a detection time at which and the detection period of time during which the network device detected the attack, and an extraction unit that extracts, as a high-correlation communication device group, a combination of the plurality of attack target communication devices, for which the correlation coefficient is equal to or greater than a prescribed threshold and of which the attack source communication device is identical in the time period. | 04-16-2015 |
20150106931 | CLASSIFYING MALWARE BY ORDER OF NETWORK BEHAVIOR ARTIFACTS - The present invention generally relates to systems and methods for classifying executable files as likely malware or likely benign. The techniques utilize temporally-ordered network behavioral artifacts together with machine learning techniques to perform the classification. Because they rely on network behavioral artifacts, the disclosed techniques may be applied to executable files with obfuscated code. | 04-16-2015 |
20150106932 | METHOD AND SYSTEM FOR COMBINING FIBER OPTIC LINK HIERARCHICAL STREAM METADATA WITH INTERNET PROTOCOL METADATA - Physical Layer and Data-Link Layer data are connected with Networking through Application Layer data/information to enable searching, sorting, and identification of novel relationships between signal sources and their contents. Metadata can be used at the Physical Layer in an optical fiber network, connecting with metadata generated at the Data Link Layer, connected to metadata generated at the Network to Application Layer. The Physical Layer metadata is obtained from configuration and provisioning data within an Intelligent Optical System. The Data-Link Layer metadata is obtained from a signal processing device. The Network through Application Metadata is obtained from a packet capture or flow capture probe. The metadata from all layers are linked in a data store such that the network traffic, passing through stream(s) in optical fiber(s) layer data are combined. The effect of that combination enables security, intelligence, surveillance, or network analysts to separate application and network information by original source. | 04-16-2015 |
20150106933 | DEVICE FOR DETECTING CYBER ATTACK BASED ON EVENT ANALYSIS AND METHOD THEREOF - There are provided a device for detecting a cyber attack and a method thereof. The device for detecting a cyber attack includes an event receiving unit configured to receive an event generated in at least one user terminal according to a behavior of a user who accesses a web server and uses web services provided from a web page, a model generating unit configured to generate an event model by extracting an event pattern corresponding to a behavior of the user based on the received event, and an attack detecting unit configured to detect whether access of the web server by a specific user terminal is an attack by comparing the event model with an event received from the specific user terminal. Therefore, various forms of cyber attacks are rapidly and accurately detected, and it is possible to provide a security service having high availability and reliability. | 04-16-2015 |
20150106934 | POWER GRID UNIVERSAL DETECTION AND COUNTERMEASURE OVERLAY INTELLIGENCE ULTRA LATENCY HYPERVISOR - Any system with an interface may be attacked by a bad actor. If that interface is exposed to a network, the bad actor may launch a remote attack or cause other systems to attack the system. Many attacks exploit vulnerabilities that are unknown to the system operators (e.g., zero-day attacks). Power grid components, such as electricity meters, are increasingly networked and, therefore, increasingly attacked. By determining a pattern of behavior for a meter and then looking for a variation of the pattern, an attack may be identified. Once an attack is discovered, countermeasures may be launched to restore the system to normal operations, harden the system against future attack, and/or retaliate against the attacker. | 04-16-2015 |
20150106935 | DETECTING MALICIOUS NETWORK SOFTWARE AGENTS - This disclosure describes techniques for determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent. | 04-16-2015 |
20150106936 | MANAGING INFECTIOUS FORWARDED MESSAGES - Systems and methods for managing forwarded infectious messages are provided. Managing an electronic message comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded, and preventing the infectious forwarded message from spreading. | 04-16-2015 |
20150113643 | INFORMATION SECURITY METHOD - A method for information security comprises determining by a first processor whether web content includes malicious software by matching the web content with at least one recorded threat, determining by the first processor whether the quantity of malicious software reaches a threshold, processing by a second processor the malicious software with a cryptographic protocol to generate a processing result, if the quantity of malicious software reaches the threshold, and generating a message indicating a threat in response to the processing result. | 04-23-2015 |
20150113644 | Exploit Detection/Prevention - An Agent for detecting and/or preventing an Exploit attack, comprises: a) means for monitoring the operation of one or more process elements in a computer system; b) means for determining whether said one or more process elements has initiated, or is about to initiate a “create process” operation; and c) means for performing preventive activities as a result of the determination. | 04-23-2015 |
20150113645 | SYSTEM AND METHOD FOR OPERATING POINT AND BOX ENUMERATION FOR INTERVAL BAYESIAN DETECTION - When using intrusion detection systems, security specialists are concerned with false positive rates and true positive rates. False positives are when an alert is raised, but no actual intrusion occurs. True positives are when an alert is raised for an actual intrusion. Ideally, the true positive rate is 1 and the false positive rate is zero, but such a situation is impossible in the real world. So one must balance a true positive rate and a false positive rate to produce the best result at the best price. One can simplify the choice of detection sets by, instead of determining each possible operating point of the intrusion detection system, choosing only operating points that are not dominated by other operating points. | 04-23-2015 |
20150113646 | APPARATUS AND METHOD FOR IMPROVING DETECTION PERFORMANCE OF INTRUSION DETECTION SYSTEM - An apparatus for improving detection performance of an intrusion detection system includes a transformed detected data generation unit for changing original detected data, detected based on current detection rules, to transformed detected data complying with transformed detected data standard. A transformed detected data classification unit classifies the transformed detected data by attack type, classifies transformed detected data for attack types by current detection rule, and classifies transformed detected data for detection rules into true positives/false positives. A transformed keyword tree generation unit generates a true positive transformed keyword tree and a false positive transformed keyword tree. A true positive path identification unit generates a true positive node, and identifies a true positive path connecting a base node to the true positive node in the true positive transformed keyword tree. A true positive detection pattern generation unit generates a true positive detection pattern based on the true positive path. | 04-23-2015 |
20150113647 | APPARATUS FOR SWITCHING BETWEEN MULTIPLE SERVERS IN A WEB-BASED SYSTEM - A main server and a mirror server hold the same content. A server switching apparatus sets only one of the web servers to be active. In the case where the mirror server has not been attacked in an immediately-previous operating period, the server switching apparatus switches from the main server to the mirror server. Upon receiving a request from a client computer, the server switching apparatus transfers the request to the active web server. The active web server then sends the requested content. | 04-23-2015 |
20150113648 | SYSTEMS AND METHODS FOR IDENTIFYING ASSOCIATIONS BETWEEN MALWARE SAMPLES - Systems and methods are disclosed for identifying associations between binary samples, such as e-mail files and their attachments or a document and an executable program associated with the document. In one implementation, the method includes receiving a plurality of binary samples, and extracting metadata from the plurality of binary samples. The metadata for a binary sample from the plurality of binary samples includes a set of attributes of the binary sample. The method further includes identifying a set of associations between the plurality of binary samples based on the extracted metadata. Each association is characterized by at least one attribute the associated binary samples have in common, and each association has a confidence level indicative of a strength of the association. The method also includes identifying associations with a confidence level that exceeds a predefined threshold. | 04-23-2015 |
20150113649 | ANOMALOUS SYSTEM STATE IDENTIFICATION - A real-time method and data processing apparatus for identifying an anomalous state of a system are described. The system includes a sensor outputting time series data items relating to a property of the system. A current data item is received from the sensor. An estimate of a current data density for the time series data items is recursively estimated using the current data item. At least one statistical property of the estimate of the current data density is recursively calculated. It is determined, from the at least one statistical property, whether the current data item indicates an anomalous state of the system. A signal is output if it is determined that the current data item indicates an anomalous state of the system. | 04-23-2015 |
20150113650 | METHOD AND SYSTEM FOR PROACTIVE DETECTION OF MALICIOUS SHARED LIBRARIES VIA A REMOTE REPUTATION SYSTEM - A method for proactively detecting shared libraries suspected of association with malware includes the steps of determining one or more shared libraries loaded on an electronic device, determining that one or more of the shared libraries include suspicious shared libraries by determining that the shared library is associated with indications that the shared library may have been maliciously injected, loaded, and/or operating on the electronic device, and identifying the suspicious shared libraries to a reputation server. | 04-23-2015 |
20150121522 | PERIODIC MOBILE FORENSICS - A forensics analysis is conducted on each of multiple mobile devices in an enterprise system to detect malicious activity. The systems and methods described include storing a single baseline image for the multiple mobile devices at a server. A client-side application on each mobile device scans storage locations to identify changes in data compared to a previous scan. At least a portion of the information about the changes is sent to the server. The server reconstructs snapshot images for each mobile device based on the baseline image and the received information. Malicious activity is detected by comparing the reconstructed snapshot image to a previous snapshot image for each mobile device. | 04-30-2015 |
20150121523 | SYSTEMS AND METHODS FOR FACILITATING REMOTE SECURITY THREAT DETECTION - Systems and methods are disclosed for detecting security threats in a network environment. A local workstation is used to inspect an item and submit a request for assistance to determine whether the item raises a security threat. A server receives the request for assistance from the local workstation over a network, selects a remote expert device that is available to receive the request and routes the request to the remote expert device. In response to the request being accepted at the remote expert device, the server may transmit information associated with the local workstation to the remote expert device and establish a connection between the local workstation and the remote expert device. The remote expert device utilizes attribute information pertaining to the local workstation or local operator to facilitate effective communications between the local workstation and remote expert device for determining whether the item raises a security threat. | 04-30-2015 |
20150121524 | Method and System for Performing Behavioral Analysis Operations in a Mobile Device based on Application State - Methods, systems and devices that use operating system execution states while monitoring applications executing on a mobile device to perform comprehensive behavioral monitoring and analysis include configuring a mobile device to monitor an activity of a software application, generate a shadow feature value that identifies an operating system execution state of the software application during that activity, generate a behavior vector that associates the monitored activity with the shadow feature value, and determine whether the activity is malicious or benign based on the generated behavior vector, shadow feature value and/or operating system execution states. The mobile device may also be configured to intelligently determine whether the operating system execution state of a software application is relevant to determining whether any of the monitored mobile device behaviors are malicious or suspicious, and monitor only the operating system execution states of the software applications for which such determinations are relevant. | 04-30-2015 |
20150121525 | Filtering Network Traffic Using Protected Filtering Mechanisms - Concepts and technologies are disclosed herein for filtering network traffic using protected filtering mechanisms. An indication that traffic is to be filtered can be received, and a hash key, a signature representation, and an obfuscated signature can be identified or generated. The hash key and the signature representation can be provided to a first device without exposing the contents of the signature to the second device, and the obfuscated signature can be provided to a second device without exposing the contents of the signature to the second device. The first device and the second device can execute independent operations to collectively determine if the traffic is to be filtered. | 04-30-2015 |
20150121526 | METHODS AND SYSTEMS FOR MALWARE ANALYSIS - Methods, system, and media for analyzing a potential malware sample are disclosed. A sample for malware analysis may be received. The sample may be received through a web interface. The sample may be analyzed using a plurality of analyzers implemented on one or more computing devices. The analyzers may perform a sequence of configurable analytic steps to extract information about the sample. The extracted information may be displayed to a user through the web interface. | 04-30-2015 |
20150121527 | METHOD AND APPARATUS FOR DETECTING UNAUTHORIZED ACCESS POINT - There is provided a method and apparatus for detecting an unauthorized access point. The method for detecting an unauthorized access point according to an embodiment of the present disclosure includes making an attempt to deliver, through an access point to a validation server, a message that includes network information regarding a network access of a terminal device and requests a validity verification of the network information; and determining that the access point is unauthorized when a response indicating that the network information is valid is not received from the validation server. According to the embodiment of the present disclosure, it is possible to implement a device for determining an unauthorized access point device in a general manner, independent of a specific device. | 04-30-2015 |
20150121528 | SYSTEMS AND METHODS FOR FACILITATING REMOTE SECURITY THREAT DETECTION - Systems and methods are disclosed for detecting security threats in a network environment. A local workstation is used to inspect an item and submit a request for assistance to determine whether the item raises a security threat. A server receives the request for assistance from the local workstation over a network and retrieves a dialing plan associated with the origin of the request. The server utilizes the dialing plan to route the request to expert groups assigned to the dialing group. In response to the request being accepted by a remote expert device in one of the expert groups, the server establishes a connection between the local workstation and the remote expert device that accepted the request. | 04-30-2015 |
20150121529 | DYNAMIC SERVICE HANDLING USING A HONEYPOT - A network device comprises one or more processors coupled to a memory, and a dynamic services module configured for execution by the one or more processors to receive, from a client device, a service request specifying a service. The dynamic service module is further configured for execution by the one or more processors to, in response to obtaining a negative indication for the service, send a representation of the service request to a honeypot to cause the honeypot to offer the service to the client device. | 04-30-2015 |
20150128262 | Taint vector locations and granularity - An embodiment or embodiments of a computing system can be adapted to manage security risk by accumulating and monitoring taint indications, and can respond to predetermined taint conditions detected by the monitoring. An illustrative computing system can comprise a plurality of resources operationally coupled into the computing system, and at least one taint vector operable to list a plurality of taints indicative of potential security risk associated with a selected location and granularity of selected ones of the plurality of resources. | 05-07-2015 |
20150128263 | Methods and systems for malware detection - Methods, systems, and media for detecting malware are disclosed. A network may be monitored for a configured time interval, collecting all of or some of the network traffic or samples of the network traffic. Feature vectors may be extracted from the network traffic. One or more machine learning models may be applied to the feature vectors, producing a score. The score may indicate the presence of malware or the presence of a particular type of malware. One or more scores obtained by applying learning models may be fused by another machine learning model into a resulting score. A threshold value may be calculated to accompany a score indicating the likelihood that the traffic sample indicates the presence of malware and the likely effectiveness of a planned remediation effort. An alert may be generated from the score and the threshold when the threshold is exceeded. The alert may be presented to a user based on an indication by the user as to the type of malware of interest. | 05-07-2015 |
20150128264 | METHOD AND SYSTEM FOR DELEGATING ADMINISTRATIVE CONTROL ACROSS DOMAINS - In one embodiment, a method for delegating partial administrative controls across one or more administrative domains is provided. An upstream network device may advertise capabilities for controlling certain administrative functions to a downstream network device. The downstream network device may choose to act on one or more capabilities, allowing for partial administrative control across the administrative domain. | 05-07-2015 |
20150128265 | Malware And Anomaly Detection Via Activity Recognition Based On Sensor Data - A system for malware and anomaly detection via activity recognition based on sensor data is disclosed. The system may analyze sensor data collected during a selected time period from one or more sensors that are associated with a device. Once the sensor data is analyzed, the system may determine a context of the device when the device is in a connected state. The system may determine the context of the device based on the sensor data collected during the selected time period. The system may also determine if traffic received or transmitted by the device during the connected state is in a white list. Furthermore, the system may transmit an alert if the traffic is determined to not be in the white list or if the context determined for the device indicates that the context does not correlate with the traffic. | 05-07-2015 |
20150128266 | Systems and methods for detecting return-oriented programming (ROP) exploits - Described systems and methods allow protecting a computer system from malware, such as return-oriented programming (ROP) exploits. In some embodiments, a set of references are identified within a call stack used by a thread of a target process, each reference pointing into the memory space of an executable module loaded by the target process. Each such reference is analyzed to determine whether it points to a ROP gadget, and whether the respective reference was pushed on the stack by a legitimate function call. In some embodiments, a ROP score is indicative of whether the target process is subject to a ROP attack, the score determined according to a count of references to a loaded module, according to a stack footprint of the respective module, and further according to a count of ROP gadgets identified within the respective module. | 05-07-2015 |
20150128267 | CONTEXT-AWARE NETWORK FORENSICS - Systems and methods for management of security events and their related forensic context are disclosed. Network forensics involves monitoring and analyzing data flows in a network to assist security analysts to review, analyze and remove a security threat. Security threats in a network environment are generally detected by one or more devices on the network. If a security threat is determined to be severe or significant enough, a security event corresponding to the security threat is often created and stored in the system. To assist in future review and analysis of security threats, timely and relevant context information about network security events may be obtained and stored along with each security event. The forensic context may be accessible to security administrators viewing the security events to provide detailed information about the circumstances surrounding a security event. | 05-07-2015 |
20150128268 | MALICIOUS ATTACK PREVENTION THROUGH CARTOGRAPHY OF CO-PROCESSORS AT DATACENTER - Technologies are directed to prevention of malicious attacks through cartography of co-processors at a datacenter. According to some examples, configuration data to create a co-processor at a field programmable gate array (FPGA) may be received at a configuration controller. The configuration controller may determine unused arrangements for the co-processor and unused placements at the FPGA corresponding to the unused arrangements. The used arrangements and the unused placements, associated with a type of the co-processor, may be stored in a configuration matrix. One of the unused arrangements and one of the unused placements corresponding to the selected unused arrangement may then be selected by the configuration controller to create the co-processor. | 05-07-2015 |
20150128269 | ANTI-MALWARE DETECTION AND REMOVAL SYSTEMS AND METHODS - An anti-malware system including at least one database, remote from a plurality of computers to be protected, which stores identification of computer applications resident on the computers to be protected and an application-specific communications footprint for the computer applications, and at least one server, remote from the plurality of computers to be protected, and being operative to calculate a reference computer-specific communications composite pattern based on multiple application-specific communications footprints for applications installed on the computers to be protected, calculate a current computer-specific communications composite pattern based on actual communications of at least one of the plurality of computers to be protected, and provide an alert when the current computer-specific communications composite pattern of the at least one of the plurality of computers to be protected differs from the reference computer-specific communications composite pattern of the at least one of the plurality of computers to be protected. | 05-07-2015 |
20150128270 | INTELLIGENT WIRELESS INVASION PREVENTION SYSTEM AND SENSOR USING CLOUD SENSOR NETWORK - A wireless intrusion prevention system, according to one embodiment of the present invention, comprises: a first group comprising at least one first sensor and at least one first authorized wireless LAN equipment; a second group comprising at least one second sensor and at least one second authorized wireless LAN equipment; and a management server for managing the at least one first sensor and the at least one second sensor, wherein the first sensor detects the occurrence of an event from an unauthorized wireless LAN equipment and transmits a first broadcast signal on the occurrence of the event to the other first sensors in the first group and the at least one second sensor. | 05-07-2015 |
20150128271 | APPARATUS AND METHOD FOR COLLECTING NETWORK DATA TRAFFIC - The present invention relates to an apparatus and method for collecting network data traffic. The apparatus for collecting network data traffic includes a graph creation unit, an initialization unit, an edge selection unit, a reconstruction unit, an algorithm application unit and a traffic collection route provision unit. The reconstruction unit converts the selected edge into an inactive edge and connects the inactive edge to two nodes, so that the reconstruction unit reconstructs the tree structure. The algorithm application unit applies a minimal spanning tree algorithm to the reconstructed tree structure. The traffic collection route provision unit eliminates a leaf node and a leaf edge from the tree structure to which the minimal spanning tree algorithm has been applied, and generates a monitoring tree for providing a traffic collection route minimizing a total weight of the edges. | 05-07-2015 |
20150128272 | SYSTEM AND METHOD FOR FINDING PHISHING WEBSITE - Disclosed are a system and method for finding a phishing website. The system comprises: a seed library establishing unit, configured to place the original link of a target web page having the number of hits on known phishing websites that is greater than a predetermined threshold value into a seed library as a seed link; a seed extractor, configured to extract the seed link from the seed library; a seed web page analyzer, configured to find a corresponding seed web page according to the extracted seed link, and analyze the seed web page to acquire a suspicious link found in the seed web page; a judgement unit, configured to find a suspicious web page corresponding to the suspicious link, and judge whether the suspicious web page is a phishing website; and an output interface, configured to output the corresponding phishing website when the suspicious web page is a phishing website. The system and method greatly increase the speed in finding the phishing website, and reduce the security risks for the netizens to use the Internet. | 05-07-2015 |
20150128273 | REMOTE DOM ACCESS - A method for protecting a browser from malicious processes, comprises providing at least one process-proxy object and at least a browser-proxy object, interposed between the browser and a process, such that when the process invokes one of the DOM entry points, the process-proxy object isolates it from the real browser implementation and executes the process-proxy object's code instead. | 05-07-2015 |
20150128274 | SYSTEM AND METHOD FOR IDENTIFYING INFECTED NETWORKS AND SYSTEMS FROM UNKNOWN ATTACKS - Systems and methods of the present disclosure are directed to a network security monitor. The monitor can receive logs of a second computer network indicative of a status of the second computer network determined by a monitoring agent executing on the second computer network. The monitor can generate indexed logs from the logs based on log format. The monitor can retrieve a list of threat indicators from a database based on a schema from a plurality of threat indicators received from a plurality of heterogeneous repositories via the first computer network. The monitor can compare the list of threat indicators with the indexed logs. The monitor can generate a report based on the comparison to identify a threat. | 05-07-2015 |
20150128275 | SYSTEM AND METHOD FOR UPLOADING AND VERIFYING A DOCUMENT - A computer implemented method may allow for the upload and verification of a document. In one aspect, the method may receive a file associated with an insurance company event, determine if the file contains malicious code and transmit the file to a temporary data server. The method may also determine if the file is in a supported file format and if the file meets a supported file size, convert the file and transmit the converted file to the client device for a verification that the converted file can be uploaded. The method may further receive the verification from the client device that the converted file can be uploaded, flag the converted file for association with a customer account associated with the client device and transmit the converted file to a permanent storage server. | 05-07-2015 |
20150135315 | SYSTEM AND METHOD FOR BOTNET DETECTION - A method, system, and apparatus configured to use a Bayesian inference model for detecting botnets in a network is disclosed. The system and apparatus may include an event generator and a controller. The event generator may detect at least one event in received data, and provide information associated with the at least one event. The controller may receive the information associated with the at least one event, determine, using a Bayesian learning process, a Bayesian network model based on the information associated with the at least one event, and determine whether at least one host associated with the received data is a bot. | 05-14-2015 |
20150135316 | SYSTEM AND METHOD OF PROTECTING CLIENT COMPUTERS - A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise. | 05-14-2015 |
20150135317 | SYSTEM AND METHOD OF PROTECTING CLIENT COMPUTERS - A threat response platform to act as a bridge between non-inline security programs and inline security programs. The threat response platform receives event reports, relating to client devices, from the non-inline security programs and creates incident reports for a user. The incident reports describe the event report and also additional data gathered by an active correlation system of the threat response platform. The active correlation system automatically gathers various types of data that are potentially useful to a user in determining whether the reported event is an incidence of malware operating on the client device or a false positive. The active correlation system places a temporary agent on the client device to identify indications of compromise. | 05-14-2015 |
20150135318 | METHOD OF DETECTING INTRUSION BASED ON IMPROVED SUPPORT VECTOR MACHINE - A method of detecting network intrusion based on improved support vector machine is disclosed. The method comprises the steps of identifying a plurality of features; computing information gain of each of the features; selecting a pre-determined number of features based on the computed information gain and augmenting that set of pre-determined number of features with special features to form a set of selected features; and classifying a network connection based on the selected features using support vector machine. In order to achieve better detection accuracy, cross-validation and grid-search are applied to select the radial basis function for the support vector machine. | 05-14-2015 |
20150135319 | SECURITY MONITORING FOR OPTICAL NETWORK - Apparatus for an optical communications network has optical paths for optical traffic, and optical ports, one of which is an unused output port. A security monitoring system has a blocking part coupled removably to the unused output port to occupy it to prevent unauthorised access. An optical detector can detect optical signals passing through the unused output port to the blocking part, and there is alarm circuitry configured to output an alarm signal based on the detecting of the optical signals. This monitoring can help make the node more secure from interference or from eavesdropping. By blocking the port, the monitoring can be independent of the type of signals on the optical paths. The system can be passive or active, and does not require a change in the installed node configuration and so can be added easily to existing infrastructure. | 05-14-2015 |
20150143521 | SYSTEM AND METHOD FOR DETECTING MALICIOUS SOFTWARE USING MALWARE TRIGGER SCENARIOS IN A MODIFIED COMPUTER ENVIRONMENT - Disclosed are systems and methods for malware testing of software programs. An example method includes storing a plurality of malware trigger scenarios specifying different sets of malware trigger events known to trigger malicious behaviour in software programs; in response to obtaining a software program, modifying a computer environment for operating the software program by creating malware trigger events associated with a selected one of the plurality of malware trigger scenarios; analyzing an execution of the software program in the modified computer environment in response to the malware trigger events; upon detecting that the software program exhibits malicious behaviour, performing remedial actions on the software program; and upon detecting that the software program exhibits no malicious behaviour, selecting a different malware trigger scenario from the plurality of malware trigger scenarios for malware testing of the software program. | 05-21-2015 |
20150143522 | IDENTIFICATION OF SYSTEMS WITH ANOMALOUS BEHAVIOUR USING EVENTS DERIVED FROM MACHINE DATA PRODUCED BY THOSE SYSTEMS - Methods and apparatus consistent with the invention provide the ability to organize and build understandings of machine data generated by a variety of information-processing environments. Machine data is a product of information-processing systems (e.g., activity logs, configuration files, messages, database records) and represents the evidence of particular events that have taken place and been recorded in raw data format. In one embodiment, machine data is turned into a machine data web by organizing machine data into events and then linking events together. | 05-21-2015 |
20150150129 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR PROTECTING A COMMUNICATION NETWORK AGAINST INTERNET ENABLED CYBER ATTACKS THROUGH USE OF SCREEN REPLICATION FROM CONTROLLED INTERNET ACCESS POINTS - A method includes receiving from a client device at a client interface application a request to access an application, determining whether the application is external to a communication network, redirecting the request to an external communication server when the application is external to the communication network, sending the request from the external communication server to the application that is external to the communication network, receiving information from the application that is external to the communication network at the external communication server responsive to sending the request, and replicating a screen of the external communication server containing the information received from the application for display at the client interface application. | 05-28-2015 |
20150150130 | Pre-identifying Probable Malicious Rootkit Behavior Using Behavioral Contracts - The various aspects provide for a computing device and methods implemented by the device to ensure that an application executing on the device and seeking root access will not cause malicious behavior after receiving root access. Before giving the application root access, the computing device may identify operations the application intends to execute while having root access, determine whether executing the operations will cause malicious behavior by simulating execution of the operations, and pre-approve those operations after determining that executing those operations will not result in malicious behavior. Further, after giving the application root access, the computing device may only allow the application to perform pre-approved operations by quickly checking the application's pending operations against the pre-approved operations before allowing the application to perform those operations. Thus, the various aspects may ensure that an application receives root access without compromising the performance or security integrity of the computing device. | 05-28-2015 |
20150150131 | Method and Product for Providing a Predictive Security Product and Evaluating Existing Security Products - A method, product and computer program product for effecting an Evolutionary Process on malware, the method including the steps of: (a) receiving a malware specimen; (b) generating variants of the malware specimen; (c) evaluating the variants and awarding each variant a Fitness Score; (d) selecting the variants having at least a predefined Fitness Score; and (e) using the selected variants as the malware specimens in step (a) from which to generate a new generation of variants. | 05-28-2015 |
20150150132 | INTRUSION DETECTION SYSTEM FALSE POSITIVE DETECTION APPARATUS AND METHOD - Disclosed herein is an Intrusion Detection System (IDS) false positive detection apparatus and method. An IDS false positive detection apparatus includes a payload extraction unit for extracting payloads by dividing each packet corresponding to an IDS detection rule into a header and a payload. A false positive payload information generation unit generates false positive payload information required to identify a false positive payload by extracting a payload of a false positive packet based on results of packet analysis received from a manager. A false positive payload determination unit transmits results of a determination of whether each payload extracted by the payload extraction unit corresponds to a false positive payload, based on the false positive payload information, to the manager. | 05-28-2015 |
20150150133 | APPARATUS AND METHOD FOR ATTACK SOURCE TRACEBACK - An apparatus and a method for an attack source traceback capable of tracing back an attacker, that is, an attack source present behind a command and control (C&C) server in a cyber target attack having non-connectivity over a transmission control protocol (TCP) connection are disclosed. The apparatus for the attack source traceback includes: a server information extracting unit detecting an attack for a system, which is generated via a server to thereby extract information on the server; a traceback agent installing unit installing a traceback agent in the server based on the information on the server; and a traceback unit finding an attack source for the system by analyzing network information of the server obtained by the traceback agent. | 05-28-2015 |
20150150134 | DETECTING MALICIOUS RESOURCES IN A NETWORK BASED UPON ACTIVE CLIENT REPUTATION MONITORING - Systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network are provided. According to one embodiment, a method is performed for client reputation monitoring. A monitoring unit within a network observes activities relating to multiple monitored devices within the network. For each observed activity, the monitoring unit assigns a score to the observed activity based upon a policy of multiple policies established within the monitoring unit. For each of the monitored devices, the monitoring unit maintains a current reputation score for the monitored device based upon the score and a historical score associated with the monitored device. The monitoring unit classifies one of the monitored devices as potentially being a malicious resource based upon its current reputation score. | 05-28-2015 |
20150294111 | UNAUTHORIZED-COMMUNICATION DETECTING APPARATUS, UNAUTHORIZED-COMMUNICATION DETECTING METHOD AND NON-TRANSITORY COMPUTER READABLE MEDIUM - There is provided an unauthorized-communication detecting apparatus. A measuring unit measures a transition of a communication state value between the unauthorized-communication detecting apparatus and a client apparatus. A transition pattern storage unit stores a transition pattern of the communication state value. An unauthorized-communication detecting unit detects unauthorized communication of the client apparatus on the basis of the transition pattern and a transition of the measured communication state value. | 10-15-2015 |
20150295942 | METHOD AND SERVER FOR PERFORMING CLOUD DETECTION FOR MALICIOUS INFORMATION - According to an example, an address of a web page to be identified is obtained, data of the web page is crawled from the address of the web page, the data of the web page is parsed and data for identification is obtained. The web page is determined to be malicious information according to the data for identification, and the malicious information is intercepted. | 10-15-2015 |
20150295945 | Multi-Channel Change-Point Malware Detection - A malware detection system and method detects changes in host behavior indicative of malware execution. The system uses linear discriminant analysis (LDA) for feature extraction, multi-channel change-point detection algorithms to infer malware execution, and a data fusion center (DFC) to combine local decisions into a host-wide diagnosis. The malware detection system includes sensors that monitor the status of a host computer being monitored for malware, a feature extractor that extracts data from the sensors corresponding to predetermined features, local detectors that perform malware detection on each stream of feature data from the feature extractor independently, and a data fusion center that uses the decisions from the local detectors to infer whether the host computer is infected by malware. | 10-15-2015 |
20150295949 | Using Supplemental Encrypted Signals to Mitigate Man-in-the-Middle Attacks on Teleoperated Systems - Methods and systems for securing remotely-operable devices are provided. A remotely-operable device can receive a command related to a component of the remotely-operable device operating in an environment. The remotely-operable device can include a reality-rules database (RRDB) that is configured to store a plurality of reality rules with each reality rule relating to a constraint on the remotely-operable device. The remotely-operable device can determine a reasonableness value for the command based on a constraint, where the constraint is determined based on a constraint related to at least one reality rule of the plurality of reality rules stored in the RRDB. The remotely-operable device can encode the reasonableness value for the command in a feedback message. The remotely-operable device can send the encoded feedback message from the remotely-operable device. | 10-15-2015 |
20150302193 | PARALLEL SNOOP AND HAZARD CHECKING WITH INTERCONNECT CIRCUITRY - A system-on-chip integrated circuitry includes interconnect circuitry for connecting transaction sources with transaction destinations. A buffer circuit buffers a plurality of access transactions received from the transaction sources before they are passed on to respective transaction destinations. Hazard checking circuitry, such as identifier reuse circuitry, performs hazard checks for access transactions in parallel with snoop operations performed by snoop circuitry for managing coherence between data values stored within the plurality of cache memories. The snoop circuitry includes snoop reordering circuitry for permitting reordering of snoop responses. The snoop circuitry may issue a snoop request for a given access transaction in parallel with the hazard checking circuitry performing one or more hazard checks for that transaction. | 10-22-2015 |
20150302195 | HARDWARE-BASED STACK CONTROL INFORMATION PROTECTION - Techniques for protecting contents of a stack associated with a processor are provided. The techniques include a method including receiving a store instruction from a software program being executed by the processor, the store instruction including control information associated with a subroutine, altering the control information to generate secured control information responsive to receiving the store instruction from the software program, storing the secured control information on the stack, receiving a load instruction from the software program; and responsive to receiving the load instruction from the software program, loading the secured control information from the stack, altering the secured control information to recover the control information, and returning the control information to the software program. | 10-22-2015 |
20150302196 | Local System Health Assessment - Techniques for local system health assessment are described. In at least some embodiments, a health assessment can be performed by an isolated security environment that resides locally on a system without requiring a network connection and/or access to a remote attestation service. In at least some embodiments, a health assessment ascertains whether modules that reside on a system have been altered such that the modules may be considered unsafe. For example, a known safe list is generated that includes measurements of known safe versions of modules that may be compared to current measurements of the modules to determine whether the modules have been altered. Health policies may be employed to specify various rules and parameters for performing system health assessments. | 10-22-2015 |
20150302197 | Apparatus and Method for Identifying Similarity Via Dynamic Decimation of Token Sequence N-Grams - An apparatus for identifying related code variants or text samples includes processing circuitry configured to execute instructions for receiving query binary code, processing the query binary code to generate one or more query code fingerprints comprising compressed representations of respective functional components of the query binary code, generating token sequence n-grams of the fingerprints, hashing the n-grams, partitioning samples by length to compare selected samples based on length, and identifying similarity via dynamic decimation of token sequence n-grams. | 10-22-2015 |
20150302198 | Detection of Malicious Code Insertion in Trusted Environments - Methods and computer program products which facilitate detection of malicious code insertion by an insider during the software development lifecycle are disclosed. Aspects focus on behavioral characteristics associated with the introduction of malcode during the software development process. Injection of malcode by an insider threat, and the malcode itself, may leave behind behavioral signatures in the source code repository and source code that can be detected by a multi-dimensional combination of sensors. By detecting the behavioral signatures of malcode within artifacts generated by the software development process, instances of malcode can be isolated and prevented before release. | 10-22-2015 |
20150302230 | Method for Operating a Communication System - A method for operating a communication system comprises a transponder having at least one antenna, in particular in the form of a portable data carrier, and a reading device having at least one antenna. The reading device is configured to exchange data with the transponder. An exchange of data between the transponder and the reading device is possible within a predetermined range. A measurement and evaluation is effected of the time of a command transmitted from the reading device to the transponder and the receipt of a corresponding response of the transponder by the reading device. In so doing, a processing is effected of a card-individual length of time T_icc, wherein the card-individual length of time T_icc specifies how long the transponder takes for the receipt and the processing of a command received from the reading device and the sending of a corresponding response. | 10-22-2015 |
20150304258 | ON-DEMAND SPAM REPORTING - A device is configured to report spam on demand. The spam is reported to a spam reporting service center in a communications network. As content is received by the device, the user of the device analyzes the content to determine if the content comprises spam. If the user determines that the content comprises spam, the user triggers the device to report the spam. The content can be of any type of content or combination of content types, such as SMS, VM, email, VVM, and advertisements. The device comprises multiple clients configured to process, respectively, each content type. In response to receiving the trigger, the appropriate client encapsulates the content. The encapsulated content is sent to a Report Spam client to generate a spam report. The spam report includes the encapsulated content and a disposition instruction. | 10-22-2015 |
20150304343 | METHOD AND SYSTEM FOR PROVIDING SELF-MONITORING, SELF-REPORTING, AND SELF-REPAIRING VIRTUAL ASSETS IN A CLOUD COMPUTING ENVIRONMENT - Self-monitoring, self-reporting, and self-repairing virtual assets are provided that include virtual asset self-monitoring logic for detecting one or more trigger events within the self-monitoring, self-reporting, and self-repairing virtual assets, virtual asset self-reporting logic representing instructions for generating trigger event reporting data from the self-monitoring, self-reporting, and self-repairing virtual assets, and virtual asset self-reporting communications channel creation logic for opening a self-reporting communications channel between the self-monitoring, self-reporting, and self-repairing virtual assets and a virtual asset monitoring system. | 10-22-2015 |
20150304345 | System to Detect Behaviour in a Telecommunications Network - A system is provided for detecting behaviour of a mobile telecommunications device in a telecommunications network. Malware in mobile devices can cause malicious behaviour in the device, for example sequential attaching and detaching of an infected device relative to a telecommunications network. A telecommunications network is provided which is configured to identify at least one mobile telecommunications device and to receive signals from the mobile telecommunications device and process the signals into data streams. The data streams include data of a first type arranged to cause an event of a first type within the telecommunications network. The network is arranged to monitor an occurrence in the data streams of the data of the first type and to register when the occurrence exceeds a level indicating acceptable behaviour of the mobile telecommunications device in the telecommunications network. A device for detection of mobile device behaviour is also described. | 10-22-2015 |
20150304346 | APPARATUS AND METHOD FOR DETECTING ANOMALY OF NETWORK - Disclosed are an apparatus and method for detecting an anomaly of a network and a recording medium on which the method is recorded. The method for detecting an anomaly in a network measures self-similarity from at least one attribute information representing a traffic state of the network in a normal state in advance to set a critical value for the self-similarity, measures self-similarity in real time from the at least one attribute information in the network, and determines an anomaly of the network by comparing the measured real-time self-similarity value with the set critical value. | 10-22-2015 |
20150304350 | DETECTION OF MALWARE BEACONING ACTIVITIES - Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets. | 10-22-2015 |
20150304353 | METHOD FOR PROCESSING DATA AND ELECTRONIC DEVICE THEREFOR - A method for preventing a message from being modified or deleted by a malicious application when the message is received by an electronic device based on a service provided in the electronic device and an electronic device therefor are provided. The method includes successively loading at least two received messages in a sequence filter, and determining whether data of the at least two received messages are identical to each other. A method for operating an electronic device is not limited to the above method, and other embodiments are possible within the same or similar scope as the present disclosure. | 10-22-2015 |
20150310207 | METHOD FOR ANALYSING PROGRAM CODE OF ELECTRONIC DEVICE AND ELECTRONIC DEVICE - A method of analyzing a program code of an electronic device includes configuring a tree by using a key string included in the program code; in response to a command to find a specific key being received, performing a predetermined order traversal of the tree by using a string included in the specific key; in response to a node which matches a last string included in the specific key having a leaf node as a result of the predetermined order traversal, returning a value of the leaf node; and analyzing the program code by using the returned value. | 10-29-2015 |
20150310211 | METHOD, APPARATUS AND SYSTEM FOR DETECTING MALICIOUS PROCESS BEHAVIOR - A method, apparatus and system for detecting a malicious process behavior. A detection apparatus monitors a process to obtain behavior information about a target process behavior, and then sends the behavior information to a server, which determines whether the target process behavior is a malicious process behavior. The detection apparatus can receive first operation indication information returned by the server according to a detection result of the target process behavior, and perform an operation on the target process behavior according to the first operation indication information. The target process behavior is subjected to a comprehensive detection by the server according to the behavior information, rather than depending on a specified feature analysis of a single sample of the target process behavior by the detection apparatus, so that malicious process behavior can be detected in time, thereby improving the security performance of the system. | 10-29-2015 |
20150312268 | INTRUSION DETECTION USING A HEARTBEAT - A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection. | 10-29-2015 |
20150312271 | Application Spam Detector - A method for performing an application search. The method includes receiving a search query from a remote device and determining a consideration set of applications based on the search query. The consideration set indicates one or more applications corresponding to the search query. For each application indicated in the consideration set, the method includes determining whether the application is a potential spam application based on one or more developer features indicating features associated with a developer of the application. When the application is determined to be a potential spam application, the method includes applying a penalty to the application. The method further includes generating search results based on the consideration set and any penalties applied to the one or more applications indicated in the consideration set and providing the search results. The search results indicate one or more of the applications indicated in the consideration set. | 10-29-2015 |
20150312273 | METHODS AND SYSTEMS FOR DETECTING AND MITIGATING A HIGH-RATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK - Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local and a global basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore the attack probabilities. | 10-29-2015 |
20150317475 | SYSTEMS, METHODS, AND APPARATUS TO ENHANCE THE INTEGRITY ASSESSMENT WHEN USING POWER FINGERPRINTING SYSTEMS FOR COMPUTER-BASED SYSTEMS - A power fingerprinting system is adopted for assessing integrity of a target computer-based system. In one implementation, the power fingerprinting system may receive, at a first module, side-channel information of a first target component of a system, the first module being collocated with the first target component; obtain a power fingerprint for the first target component based on the side-channel information for the first target component, the power fingerprint for the first target component representing a plurality of execution statuses of the first target component; receive, at a second module, side-channel information of a second target component of the system, the second module being collocated with the second target component, the power fingerprint for the second target component representing a plurality of execution statuses of the second target component; and obtain a power fingerprint for the second target component based on the side-channel information for the second target component. | 11-05-2015 |
20150317476 | Distributed Pattern Discovery - Example embodiments disclosed herein relate to distributed pattern discovery. A local frequent pattern tree or local frequent pattern trees can be merged. The merging can be based on activities or transactions associated with the local frequent pattern tree or trees. | 11-05-2015 |
20150317477 | System For Automatically Collecting and Analyzing Crash Dumps - A system for automatically collecting and analyzing crash dumps to determine if a security exploit was unsuccessful and generating a report. | 11-05-2015 |
20150317478 | Clock Rollback Security - Methods and systems for preventing clock rollback attacks are described herein. A rollback attack may occur when a user manually sets a system clock to a date/time earlier than the actual present day date and time, thereby tricking any software relying on the system clock to believe it is in fact the earlier date and time rather than the current date and time. According to aspects described herein, a particular application may check and store a record of the system time when an application goes inactive (or at intervals) and again when the application subsequently is activated again. When the application determines that the time has gone backward, the application (or system) may take some remedial measure(s) to prevent further use of the application (or system) until the user reestablishes trust (e.g., by reauthenticating or reestablishing a connection with a trusted time server). | 11-05-2015 |
20150317479 | Scanning device, cloud management device, method and system for checking and killing malicious programs - The invention discloses a scanning device, a cloud management device, a method and system for checking and killing a malicious program. Therein, a cloud management device for checking and killing a malicious program comprises: a second transmission interface; a first indicator configured to generate a first scanning content indication according to characteristics of a newborn malicious program and system environment information transmitted by a client device; a first matcher configured to obtain via the second transmission interface feature data of the unknown program file transmitted by the client device, and hereby perform matching in known records of feature data of malicious programs; and a second indicator configured to generate a second scanning content indication when the first matcher fails to match to a known record, the second scanning content indication comprising scanning a specified attribute of the unknown program file and/or a specified attribute of the contextual environment of the unknown program file, and transmit the same to the client device through the second transmission interface. | 11-05-2015 |
20150319181 | Application Graph Builder - Disclosed is a system for recommending content of a predefined category to an account holder, detecting spam applications, or account holders based on the account holder application graphs. The system receives information corresponding to applications executing on the client device of the account holders and generates an application graph for each account holder that includes a list of predefined application categories that are preferred by the account holder. For each predefined category, a list of account holders preferring content relevant to that category is predicted based on the set of generated application graphs. Some application graphs may be detected as spam application graphs by comparing the generated application graphs with a set of predefined spam application graphs. Alternatively, if the generated application graph does not match the predefined spam application graphs, they are compared to a set of application graphs from a database to find similar application graphs. | 11-05-2015 |
20150319183 | SYSTEM AND METHOD FOR PROTECTING AGAINST POINT OF SALE MALWARE USING MEMORY SCRAPING - A software, system and methodology for protecting against malware Point-of-Sale attacks that utilize, for example, memory scraping techniques. The application protects Point-of-Sale hardware and its software against memory scraping malware attacks, and against the loss of critical user credit card and confidential information often swiped at a terminal or stored in Point-of-Sale application databases. An embodiment of a method for blocking memory scraping attacks includes the following steps. Upon detecting a credit card swipe submission event from local hardware or a comport event, specific memory table events are flagged as unreadable; immediately after allowing the data to be properly submitted, the system memory tables are cleared of data and specific memory processes are flagged as readable again. The method prevents memory scraping or Point-of-Sale malware from capturing swiped credit card data or input data, thereby protecting the user from theft of credit card data or other credentials. | 11-05-2015 |
20150319185 | Systems and Methods for Contextual and Cross Application Threat Detection and Prediction in Cloud Applications - Systems and methods for contextual and cross application threat detection in cloud applications in accordance with embodiments of the invention are disclosed. In one embodiment, a method for detecting threat activity in a cloud application using past activity data from cloud applications includes receiving activity data concerning actions performed by a user account associated with a user within a monitored cloud application, receiving external contextual data about the user that does not concern actions performed using the user account within the monitored cloud application, where the external contextual data is retrieved from outside of the monitored cloud application, deriving a baseline user profile using the activity data and external contextual data and associating the baseline user profile with the user account, and determining the likelihood of anomalous activity using the baseline user profile. | 11-05-2015 |
20150319191 | ANTI-PHISHING DOMAIN ADVISOR AND METHOD THEREOF - A method of anti-phishing and domain name protection. The method comprises: capturing a system call; extracting a URL included in the captured system call; capturing a response to the system call; determining if the system call's response includes any one of a domain name system (DNS) error code and fake internet protocol (IP) address; checking the extracted URL against an anti-phishing blacklist to determine if the Internet resource is a malicious website; redirecting the application to an advisor server; marking a communication session between the application and the Internet resource as blocked; detecting a system call's response call that includes content received from the internet resource during the blocked session; modifying the system call's response by replacing the content with redirection information; and sending the modified system call's response to the application, thereby causing the application to access the advisor server. | 11-05-2015 |
20150324580 | APPARATUS AND METHOD FOR ANALYZING MALICIOUS CODE IN REAL ENVIRONMENT - An apparatus and method for analyzing malicious code in a real environment are provided. The apparatus for analyzing malicious code in a real environment includes a storage unit, a VHD control unit, and an analysis unit. The storage unit stores an original virtual hard disk (VHD) and a child VHD. The VHD control unit performs booting using an uninfected clean VHD. The analysis unit executes an object of analysis after the booting, generates the first results of the analysis based on static, dynamic and state analyses, generates the second results of the analysis by comparing the state of an infected VHD with the state of the clean VHD, generates the results of malicious code analysis based on the first results of the analysis and the second results of the analysis, and sends the results of the malicious code analysis to the VHD control unit. | 11-12-2015 |
20150324582 | DISTRIBUTED VOTING MECHANISM FOR ATTACK DETECTION - In one embodiment, a network node receives a voting request from a neighboring node that indicates a potential network attack. The network node determines a set of feature values to be used as input to a classifier based on the voting request. The network node also determines whether the potential network attack is present by using the set of feature values as input to the classifier. The network node further sends a vote to the neighboring node that indicates whether the potential network attack was determined to be present. | 11-12-2015 |
20150324583 | Method for operating a control unit - A method for operating a control unit, such a control unit, and an electronic hardware security module are provided. A manipulation of a main computer unit is detected by the electronic hardware security module, and a check takes place whether reprogramming is possible. | 11-12-2015 |
20150324584 | METHOD AND DEVICE FOR PROVIDING A SECURITY BREACH INDICATIVE AUDIO ALERT - A device for providing a security breach indicative audio alert. The device includes a security monitor adapted to detect a security breach in the device, and a loudspeaker, wherein the device includes secure audio alert generating hardware adapted to participate, in response to the detection of the security breach, in the generation of a security breach indicative audio alert. The secure audio alert generating hardware is connected to an audio mixer that is adapted to mix the security breach indicative audio alert signal with audio signals generated by a software controlled audio source to provide a mixed signal. The audio mixer is further adapted to provide the mixed signal to the loudspeaker that reproduces the mixed signal as sound. | 11-12-2015 |
20150324586 | METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT - A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior. | 11-12-2015 |
20150326587 | DISTRIBUTED SYSTEM FOR BOT DETECTION - A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. The Sinkhole module may implement a proxy mode in which traffic received by the Sinkhole module is transmitted to a destination specified in the traffic but modified to reference the Sinkhole as the source. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code. | 11-12-2015 |
20150326588 | SYSTEM AND METHOD FOR DIRECTING MALICIOUS ACTIVITY TO A MONITORING SYSTEM - A system of client devices and a server system implementing services makes use of credentials to facilitate authentication of the client devices with the server and generates log entries for different accesses to the server system. A monitoring system places credentials and log entries referencing the monitoring system alongside the credentials and log entries on the client devices, without any authentication or actual access attempts by the client devices to the monitoring system. Unauthorized access to the client devices may result in the credentials and log entries for the monitoring system being accessed and used to access the monitoring system. Attempts to exploit the monitoring system using the credentials and log entries are contained within the monitoring system, and data is collected to characterize malicious code attempting to exploit the monitoring system. The data is then used to prevent attacks and detect compromised client devices and server systems. | 11-12-2015 |
20150326590 | INTERDICTING UNDESIRED SERVICE - Interdicting an undesired service is disclosed. For example, a malware service is interdicted. The undesired service is identified. A vulnerability of the undesired service is identified from among a hierarchy of vulnerabilities. The undesired service is interdicted according to the vulnerability. For example, a corresponding action of a vulnerability to interdict the undesired service is performed in the order of the hierarchy until the undesired service is interdicted. | 11-12-2015 |
20150326594 | NETWORK DATA COLLECTION AND RESPONSE SYSTEM - Embodiments include a network data collection and response system for enhancing security in an enterprise network providing a user-supplied computing device with access to the network. A network data collection and response system tracks network activity of the device and maintains a device inventory recording the device type and configuration information for the device along with a resource utilization profile for the device. The network data collection and response system detects high-risk or unauthorized network activity involving the device through passive monitoring, without utilization of a data monitoring agent installed on the device, and implements a response action to mitigate the high-risk or unauthorized network activity. | 11-12-2015 |
20150326597 | SYSTEMS, METHODS, AND MEDIA FOR GENERATING SANITIZED DATA, SANITIZING ANOMALY DETECTION MODELS, AND/OR GENERATING SANITIZED ANOMALY DETECTION MODELS - Systems, methods, and media for generating sanitized data, sanitizing anomaly detection models, and generating anomaly detection models are provided. In some embodiments, methods for sanitizing anomaly detection models are provided. The methods include: receiving at least one abnormal anomaly detection model from at least one remote location; comparing at least one of the at least one abnormal anomaly detection model to a local normal detection model to produce a set of features common to both the at least one abnormal anomaly detection model and the local normal detection model; and generating a sanitized normal anomaly detection model by removing the common set of features from the local normal detection model. | 11-12-2015 |
20150326605 | METHOD AND APPARATUS FOR PROVIDING NOTIFICATION OF DETECTED ERROR CONDITIONS IN A NETWORK - Methods for managing a communication session in a communication network are disclosed. For example, a method includes detecting, by a first endpoint comprising at least one processor, an error condition associated with the communication session, sending, by the first endpoint, a notification of the error condition to a second endpoint that is using a transport layer session and receiving, by the first endpoint, a communication from the second endpoint, proposing a response to the error condition. Another method includes receiving, by a first endpoint comprising at least one processor, a notification of an error condition associated with the communication session, selecting, by the first endpoint, a response to the error condition, and sending, by the first endpoint, a communication to a second endpoint that is using a transport layer session, proposing a response to the error condition. | 11-12-2015 |
20150326606 | SYSTEM AND METHOD FOR IDENTIFYING PHISHING WEBSITE - The present invention discloses a system and method for identifying a phishing website. The system comprises: a domain name acquisition unit, a domain name statistic unit and a website identification unit; the domain name acquisition unit being configured to collect all links found in a website to be identified so as to acquire the domain names corresponding to the links; the domain name statistic unit being configured to count the number of times each domain name occurs in the website to be identified, find the domain name with the most occurrences and mark it as a target domain name; and the website identification unit being configured to judge whether the website to be identified is a phishing website on the basis of the target domain name and the domain name of the website to be identified. | 11-12-2015 |
20150326607 | DETECTION OF SPYWARE THREATS WITHIN VIRTUAL MACHINES - A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack. | 11-12-2015 |
20150326608 | SOCIAL NETWORK HONEYPOT - The invention is a method and system for detecting attackers that are interested in attacking an organization's infrastructure during the reconnaissance phase of an Advanced Persistent Threat (APT). APTs are very sophisticated attacks and incorporate advanced methods for evading current security mechanisms. Therefore, the present invention uses an innovative social network honeypot. | 11-12-2015 |
20150332043 | APPLICATION ANALYSIS SYSTEM FOR ELECTRONIC DEVICES - An analysis system for analysing applications executing on a target device. The system comprises an analysis agent operating on the target device that is configured to receive or retrieve information indicative of system call invocations initiated by applications during execution. The system also comprises an analysis device in data communication with the target device over a data communication link that is configured to receive the information from the analysis agent of the target device over the data communication link. The analysis device comprises an analysis graphical user interface (GUI) that is configured to display the received information for viewing and/or interaction by a user. | 11-19-2015 |
20150332045 | MONITORING DEVICE AND MONITORING METHOD - A monitoring unit in a monitoring system determines whether or not a program to be executed is a program to be monitored. If it is determined that the program to be executed is a program to be monitored, the monitoring unit in the monitoring system adds, in order, before an instruction string included in a function called by the program to be monitored, an instruction string satisfying a predetermined condition, and a condition branch instruction, which is an instruction starting a predetermined control process when the predetermined condition is satisfied. | 11-19-2015 |
20150332047 | COMPUTER PROTECTION AGAINST MALWARE AFFECTION - A method is provided of protecting a computer against malware affection. The computer has a data storage and an operating system for managing the data storage. The method comprises providing a filter module in the operating system which operates to detect an attempt to store data in the data storage, to determine a data format of the data to be stored in the data storage, and to prevent storage of the data if the data format is determined to relate to a predefined type. The filter module may be provided as a file system filter driver in a kernel of the operating system. The filter module may be arranged to operate between an input/output manager of the operating system and a driver associated with the data storage. The input/output manager and driver associated with the data storage may form part of the kernel of the operating system. | 11-19-2015 |
20150334123 | GROUND TRUTH EVALUATION FOR VOTING OPTIMIZATION - In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related. | 11-19-2015 |
20150334128 | DISCOVERING AND CONSTRAINING IDLE PROCESSES - Methods and systems for process constraint include collecting system call information for a process. It is detected whether the process is idle based on the system call information and then whether the process is repeating using autocorrelation to determine whether the process issues system calls in a periodic fashion. The process is constrained if it is idle or repeating to limit an attack surface presented by the process. | 11-19-2015 |
20150334130 | FIGHT-THROUGH NODES FOR SURVIVABLE COMPUTER NETWORK - A survivable network is described in which one or more network devices include enhanced functionality to fight through cyber attacks. A Fight-Through Node (FTN) is described, which may be a combined hardware/software system that enhances existing networks with survivability properties. A network node comprises a hardware-based processing system having a set of one or more processing units, a hypervisor executing on each one of the processing units, and a plurality of virtual machines executing on each of the hypervisors. The network node includes an application-level dispatcher to receive a plurality of transaction requests from a plurality of network communication sessions with a plurality of clients and distribute a copy of each of the transaction requests to the plurality of virtual machines executing on the network node over a plurality of time steps to form a processing pipeline of the virtual machines. | 11-19-2015 |
20150339475 | APPLICATION WHITELISTING USING USER IDENTIFICATION - Methods and systems for protecting a virtual machine network are disclosed. In an embodiment, a method involves storing an application whitelist including application-to-user associations in memory such that the application whitelist is immutable by a guest virtual machine, receiving a request to execute an application including an application identifier and a user identifier, comparing the application identifier and the user identifier of the request with the application whitelist, and generating an execution decision indicating whether the requested application can execute on the guest virtual machine. | 11-26-2015 |
20150339477 | RISK ASSESSMENT MODELING - One or more techniques and/or systems are provided for risk assessment. Historical authentication data and/or compromised user account data may be evaluated to identify a set of authentication context properties associated with user authentication sessions and/or a set of malicious account context properties associated with compromised user accounts (e.g., properties indicative of whether a user recently visited a malicious site, created a fake social network profile, logged in from unknown locations, etc.). The set of authentication context properties and/or the set of malicious account context properties may be annotated to create an annotated context property training set that may be used to train a risk assessment machine learning model to generate a risk assessment model. The risk assessment model may be used to evaluate user context properties of a user account event to generate a risk analysis metric indicative of a likelihood the user account event is malicious or safe. | 11-26-2015 |
20150339478 | SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR MOUNTING AN IMAGE OF A COMPUTER SYSTEM IN A PRE-BOOT ENVIRONMENT FOR VALIDATING THE COMPUTER SYSTEM - A system, method, and computer program product are provided for controlling loading of an operating system, including mounting an image of an operating system in a pre-boot environment of a programmable device, identifying an untrusted component of the operating system registered to be automatically loaded or loaded during a boot-up stage of the operating system that is predetermined to be early, and substituting a trusted component for the untrusted component. | 11-26-2015 |
20150341372 | IDENTIFYING SUSPECTED MALWARE FILES AND SITES BASED ON PRESENCE IN KNOWN MALICIOUS ENVIRONMENT - Disclosed herein is a system and method for identifying potential sources of malicious activity as well as identifying potentially malicious files that originated from suspected malicious sources. Using an anchor event and telemetry data from devices known to have been infected by malicious activity, similar events in the telemetry data between two devices can be identified. These satellite events are then used to identify other files that may have been deposited by the satellite event, such that those files can be highlighted to a malware researcher. Additionally, the malware protection may be updated based on this analysis to label a site associated with the satellite event as a malicious site, such that the site may be blocked or quarantined. | 11-26-2015 |
20150341373 | METHOD AND APPARATUS FOR PREVENTING INSERTION OF MALICIOUS CONTENT AT A NAMED DATA NETWORK ROUTER - An object-forwarding device can block a malicious Content Object from being inserted into an Interest's reverse path over a named data network. During operation, the device can receive a Content Object via a first interface, and can perform a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object. The device then determines, from the PIT entry, an egress interface used to forward the Interest. If the device determines that the egress interface of the PIT entry matches the first interface for the Content Object, the device forwards the Content Object via a return interface specified in the PIT entry. On the other hand, if the egress interface of the PIT entry does not match the first interface for the Content Object, the device can block the Content Object. | 11-26-2015 |
20150341374 | UNIFIED INTERFACE FOR ANALYSIS OF AND RESPONSE TO SUSPICIOUS ACTIVITY ON A TELECOMMUNICATIONS NETWORK - The invention is a platform for analysis of disparate data sources and automated and/or user-driven incident response via a single user interface. The platform includes an agent server, message broker, index, correlation engine and user interface. Telemetry sources may include network appliances, mobile devices, and standard terminals. Each telemetry type has interactions that enable incident response from the unified interface. | 11-26-2015 |
20150341376 | DETECTION OF ANOMALY IN NETWORK FLOW DATA - Disclosed is a method | 11-26-2015 |
20150341377 | METHOD AND APPARATUS TO PROVIDE REAL-TIME CLOUD SECURITY - A cloud includes an application delivery controller (ADC) that receives traffic intended for a specific application, from a user, the specific application being executed by a virtual machine (VM). The ADC detects the received traffic as attack traffic, the received traffic being intended for routing through software defined network (SDN) switches. The cloud further includes a controller that is in communication with the ADC and that launches virtual machines (VMs) based on the detected attack traffic. The controller re-configures the SDN switches from routing the received traffic to the VM that is executing the specific application to re-routing the received traffic, as attack traffic, to one or more of the launched VMs. | 11-26-2015 |
20150341382 | SCALABLE INLINE BEHAVIORAL DDOS ATTACK MITIGATION - Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components to provide protection against large scale DDoS attacks by distributing load across these stacked components. | 11-26-2015 |
20150341384 | Randomizing Countermeasures For Fault Attacks - A device may include countermeasure circuitry that provides a countermeasure check that protects device logic. The device may also include enforcement circuitry that non-deterministically enforces the countermeasure check on the device logic so that the device logic is not always protected by a countermeasure action within the countermeasure check. The device may non-deterministically enforce the countermeasure check according to an enforcement rate, and the device may adjust the enforcement rate depending on a priority of the device logic or device logic portion protected by a particular countermeasure check. | 11-26-2015 |
20150341385 | WEB PAGE AND WEB BROWSER PROTECTION AGAINST MALICIOUS INJECTIONS - A method comprising: loading a web page in a web browser, wherein the web page comprises a call to an anti-injection client-side code; loading the anti-injection client-side code in the web browser; and executing the anti-injection client-side code in the web browser, to: (a) intercept an injection of a node into the DOM (Document Object Model) of the web page, (b) compare the injected node with a list, and (c) based on the comparison, permit or block execution of the injected code. | 11-26-2015 |
20150347750 | METHOD AND APPARATUS FOR A SCORING SERVICE FOR SECURITY THREAT MANAGEMENT - A method and system for providing a security threat scoring se |