Patent application number | Description | Published |
20080235372 | METHOD AND SYSTEM FOR MEASURING STATUS AND STATE OF REMOTELY EXECUTING PROGRAMS - A system and method for providing attestation and/or integrity of a server execution environment are described. One or more parts of a server environment are selected for measurement. The one or more parts in a server execution environment are measured, and the measurements result in a unique fingerprint for each respective selected part. The unique fingerprints are aggregated by an aggregation function to create an aggregated value, which is determinative of running programs in the server environment. A measurement parameter may include the unique fingerprints, the aggregated value or a base system value and may be sent over a network interface to indicate the server environment status or state. | 09-25-2008 |
20080235804 | Dynamic Creation and Hierarchical Organization of Trusted Platform Modules - A trusted platform module is presented that is capable of creating, dynamically, multiple virtual trusted platform modules in a hierarchical organization. A trusted platform module domain is created. The trusted platform module creates virtual trusted platform modules, as needed, in the trusted platform module domain. The virtual trusted platform modules can inherit the permissions of a parent trusted platform module to have the ability to create virtual trusted platform modules themselves. Each virtual trusted platform module is associated with a specific partition. Each partition is associated with an individual operating system. The hierarchy of created operating systems and their privilege of spawning new operating systems is reflected in the hierarchy of trusted platform modules and the privileges each of the trusted platform modules has. | 09-25-2008 |
20080263203 | METHOD AND APPARATUS FOR DELEGATING RESPONSES TO CONDITIONS IN COMPUTING SYSTEMS - METHOD AND APPARATUS FOR DELEGATING RESPONSES TO CONDITIONS IN COMPUTING SYSTEMS ABSTRACT One embodiment of the present method and apparatus for delegating responses to conditions in computing systems includes acknowledging (e.g., at a systems management component in the computing system) a condition, and delegating responsibility for a strategy for a response to the condition to another component. In further embodiments, the present method and apparatus for delegating responses to conditions in computing systems includes receiving (e.g., at a computing system component) an assignment from another computing system component (e.g., a systems management component), where the assignment assigns responsibility for a strategy for a response to a condition, and determining whether and how to respond to the condition. | 10-23-2008 |
20080270603 | METHOD, SYSTEM, AND PROGRAM PRODUCT FOR REMOTELY ATTESTING TO A STATE OF A COMPUTER SYSTEM - A method, system, and program product for remotely attesting to a state of computing system is provided. Specifically, the present invention allows a remote system to establish trust in the properties of the computer system. The properties to be trusted are expanded from the usual system software layers and related configuration files to novel types of data such as static data specific to the computer system, dynamic data determined at system startup, or dynamic data created as the computer system runs applications. | 10-30-2008 |
20090235324 | METHOD FOR DISCOVERING A SECURITY POLICY - Techniques for mapping at least one physical system and at least one virtual system into at least two separate execution environments are provided. The techniques include discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system, using the discovered policy to create an enforceable isolation policy, and using the isolation policy to map the at least one physical system and at least one virtual system into at least two separate execution environments. Techniques are also provided for generating a database of one or more isolation policies. | 09-17-2009 |
20090328145 | METHOD AND APPARATUS FOR MIGRATING A VIRTUAL TPM INSTANCE AND PRESERVING UNIQUENESS AND COMPLETENESS OF THE INSTANCE - A migration scheme for virtualized Trusted Platform Modules is presented. The procedure is capable of securely migrating an instance of a virtual Trusted Platform Module from one physical platform to another. A virtual Trusted Platform Module instance's state is downloaded from a source virtual Trusted Platform Module and all its state information is encrypted using a hybrid of public and symmetric key cryptography. The encrypted state is transferred to the target physical platform, decrypted and the state of the virtual Trusted Platform Module instance is rebuilt. | 12-31-2009 |
20110258610 | OPTIMIZING PERFORMANCE OF INTEGRITY MONITORING - A system, method and computer program product for verifying integrity of a running application program on a computing device. The method comprises: determining entry points into an application programs processing space that impact proper execution impact program integrity; mapping data elements reachable from the determined entry points into a memory space of a host system where the application to verify is running; run-time monitoring, in the memory space, potential modification of the data elements in a manner potentially breaching program integrity; and initiating a response to the potential modification. The run-time monitoring detects when a data transaction, e.g., a write event, reaches a malicious agent's entry point, a corresponding memory hook is triggered and control is passed to a security agent running outside the monitored system. This agent requests the values of the data elements, and determines if invariants that have been previously computed hold true or not under the set of retrieved data values. | 10-20-2011 |
20110283352 | Method and Apparatus for Migrating a Virtual TPM Instance and Preserving Uniqueness and Completeness of the Instance - A migration scheme for virtualized Trusted Platform Modules is presented. The procedure is capable of securely migrating an instance of a virtual Trusted Platform Module from one physical platform to another. A virtual Trusted Platform Module instance's state is downloaded from a source virtual Trusted Platform Module and all its state information is encrypted using a hybrid of public and symmetric key cryptography. The encrypted state is transferred to the target physical platform, decrypted and the state of the virtual Trusted Platform Module instance is rebuilt. | 11-17-2011 |
20120096549 | ADAPTIVE CYBER-SECURITY ANALYTICS - Performing adaptive cyber-security analytics including a computer implemented method that includes receiving a report on a network activity. A score responsive to the network activity and to a scoring model is computed at a computer. The score indicates a likelihood of a security violation. The score is validated and the scoring model is automatically updated responsive to results of the validating. The network activity is reported as suspicious in response to the score being within a threshold of a security violation value. | 04-19-2012 |
20130318615 | PREDICTING ATTACKS BASED ON PROBABILISTIC GAME-THEORY - Methods for determining cyber-attack targets include collecting and storing network event information from sensors to extract information regarding an attacker; forming an attack scenario tree that encodes network topology and vulnerability information including paths from known compromised nodes to a set of potential targets; calculating a likelihood for each of the paths using a processor; calculating a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker; calculating a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker; determining a network graph edge to remove which minimizes a defender's expected uncertainty over the potential targets; and removing the determined network graph edge. | 11-28-2013 |
20130318616 | PREDICTING ATTACKS BASED ON PROBABILISTIC GAME-THEORY - Systems for determining cyber-attack target include a network monitor module configured to collect network event information from sensors in one or more network nodes; a processor configured to extract information regarding an attacker from the network event information, to form an attack scenario tree that encodes network topology and vulnerability information including a plurality of paths from known compromised nodes to a set of potential targets, to calculate a likelihood for each of the paths, to calculate a probability distribution for the set of potential targets to determine which potential targets are most likely pursued by the attacker, to calculate a probability distribution over a set of nodes and node vulnerability types already accessed by the attacker, and to determine a network graph edge to remove that minimizes a defender's expected uncertainty over the potential targets; and a network management module configured to remove the determined network graph edge. | 11-28-2013 |
20130332539 | Method and Apparatus for Detecting Unauthorized Bulk Forwarding of Sensitive Data Over a Network - Methods and apparatus are provided for detecting unauthorized bulk forwarding of sensitive data over a network. A bulk forwarding of email from a first network environment is automatically detected by determining an arrival rate for internal emails received from within the first network environment into one or more user accounts; determining a sending rate for external emails sent from the one or more user accounts to a second network environment; and detecting the bulk forwarding of email from a given user account by comparing the arrival rate for internal emails and the sending rate for external emails. The bulk forwarding of email from a given user account can be detected by determining whether statistical models of the arrival rate for internal emails and of the sending rate for external emails are correlated in time. | 12-12-2013 |
20130332541 | Method and Apparatus for Detecting Unauthorized Bulk Forwarding of Sensitive Data Over a Network - Methods and apparatus are provided for detecting unauthorized bulk forwarding of sensitive data over a network. A bulk forwarding of email from a first network environment is automatically detected by determining an arrival rate for internal emails received from within the first network environment into one or more user accounts; determining a sending rate for external emails sent from the one or more user accounts to a second network environment; and detecting the bulk forwarding of email from a given user account by comparing the arrival rate for internal emails and the sending rate for external emails. The bulk forwarding of email from a given user account can be detected by determining whether statistical models of the arrival rate for internal emails and of the sending rate for external emails are correlated in time. | 12-12-2013 |
20130333034 | Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion - Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system: and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines. | 12-12-2013 |
20130333041 | Method and Apparatus for Automatic Identification of Affected Network Resources After a Computer Intrusion - Methods and apparatus are provided for automatic identification of affected network resources after a computer intrusion. The network resources affected by a computer intrusion can be identified by collecting information about an external system from an external source; deriving a list of one or more affected internal systems on an internal network by correlating the information with internal information about internal systems that interacted with the external system; and identifying one or more user accounts associated with the one or more affected internal systems. Data residing on systems accessible by the one or more user accounts can also optionally be identified. A list can optionally be presented of the network resources that may be affected by the computer intrusion. The affected network resources can be, for example, servers, services and/or client machines. | 12-12-2013 |
20140223560 | MALWARE DETECTION VIA NETWORK INFORMATION FLOW THEORIES - Access is obtained to a plurality of information flow theories for a plurality of malicious programs. The information flow theories include differences in information flows between the malicious programs, executing in a controlled environment, and information flows of known benign programs. Execution of a suspicious program is monitored by comparing runtime behavior of the suspicious program to the plurality of information flow theories. An alarm is output if the runtime behavior of the suspicious program matches at least one of the plurality of information flow theories. | 08-07-2014 |
20140310396 | IDENTIFICATION AND CLASSIFICATION OF WEB TRAFFIC INSIDE ENCRYPTED NETWORK TUNNELS - The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information. | 10-16-2014 |
20140310517 | IDENTIFICATION AND CLASSIFICATION OF WEB TRAFFIC INSIDE ENCRYPTED NETWORK TUNNELS - The present principles are directed to identifying and classifying web traffic inside encrypted network tunnels. A method includes analyzing network traffic of unencrypted data packets to detect packet traffic, timing, and size patterns. The detected packet, timing, and size traffic patterns are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information. | 10-16-2014 |
20140351226 | Distributed Feature Collection and Correlation Engine - A distributed feature collection and correlation engine is provided, Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs. | 11-27-2014 |
20140351227 | Distributed Feature Collection and Correlation Engine - A distributed feature collection and correlation engine is provided, Feature extraction comprises obtaining one or more data records; extracting information from the one or more data records based on domain knowledge; transforming the extracted information into a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; and storing the key/value pair in a feature store database if the key/value pair does not already exist in the feature store database using a de-duplication mechanism. Features extracted from data records can be queried by obtaining a feature store database comprised of the extracted features stored as a key/value pair comprised of a key K and a value V, wherein the key comprises a feature identifier; receiving a query comprised of at least one query key; retrieving values from the feature store database that match the query key; and returning one or more retrieved key/value pairs. | 11-27-2014 |