Patents Assigned to Sourcefire, Inc.
  • Publication number: 20140188986
    Abstract: The present invention relates to the security of general purpose computing devices, such as laptop or desktop PCs, and more specifically to the detection of malicious software (malware) on a general purpose computing device. A challenge in maintaining a plurality of computing systems is that it may be required to have visibility into the extensive collection of computing related resources located across those systems as well as information about resources together with their behaviors and evolutions within those systems. Examples of such resources include files, file names, registry keys, entries in network communications logs, etc. Accordingly, we present novel methods, components, and systems for keeping track of information about these resources and presenting this information to an ultimate end user.
    Type: Application
    Filed: January 2, 2014
    Publication date: July 3, 2014
    Applicant: Sourcefire, Inc.
    Inventors: Elias Levy, Alfred Huger, Oliver Friedrichs, Zulfikar Ramzan
  • Patent number: 8677486
    Abstract: A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file's indicator is “good” or “bad” in the previously-stored UIDs. The processor will issue an alert about the bad file when the file's indicator is “bad”.
    Type: Grant
    Filed: April 14, 2011
    Date of Patent: March 18, 2014
    Assignee: Sourcefire, Inc.
    Inventors: Matthew Olney, Patrick Mullen, Lurene Grenier, Nigel Houghton, Ryan Pentney
  • Patent number: 8671182
    Abstract: A system includes a processor device. The processor device is configured to receive reports of operating system identities for a single host; determine which of the operating system identities are an intersection of the reported operating system identities; and assign the intersection of the reported operating system identities as a resolved operating system identity.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: March 11, 2014
    Assignee: Sourcefire, Inc.
    Inventors: William Andrew Vogel, III, Andrew Baker
  • Publication number: 20140007233
    Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.
    Type: Application
    Filed: August 29, 2013
    Publication date: January 2, 2014
    Applicant: Sourcefire, Inc.
    Inventor: Martin Frederick Roesch
  • Patent number: 8601034
    Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.
    Type: Grant
    Filed: March 11, 2011
    Date of Patent: December 3, 2013
    Assignee: Sourcefire, Inc.
    Inventor: Martin Frederick Roesch
  • Patent number: 8578002
    Abstract: A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: November 5, 2013
    Assignee: Sourcefire, Inc.
    Inventors: Martin Roesch, Ronald A. Dempster, Andrew Baker, Eric Gustafson
  • Publication number: 20130173790
    Abstract: A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within a same network block.
    Type: Application
    Filed: February 28, 2013
    Publication date: July 4, 2013
    Applicant: Sourcefire, Inc.
    Inventors: Jonathan Polley, William Andrew Vogel, III
  • Patent number: 8474043
    Abstract: In an intrusion detection/prevention system, network traffic is received and checked for a matching pattern. Upon identifying the matching pattern, the network traffic with the matching pattern is evaluated against rules that are represented by a rule tree. References to rule options are represented in the rule tree and are stored separately from the rule tree. The rule tree represents unique rules by unique paths from a root of the tree to the leaf nodes, and represents rule options as non-leaf nodes of the rule tree. Evaluating the network traffic includes processing, against the network traffic, the rule options in the rule tree beginning at the root. Processing of the rules represented by subtrees of nodes with rule options that do not match is eliminated. The network traffic is evaluated against rules terminating in leaf nodes only for combinations of rule options that match the network traffic.
    Type: Grant
    Filed: August 28, 2008
    Date of Patent: June 25, 2013
    Assignee: Sourcefire, Inc.
    Inventors: Steven Sturges, Marc Norton
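The rule-tree evaluation described in 8474043 (rule options stored apart from the tree, unique rules as unique root-to-leaf paths, subtrees pruned as soon as an option fails) can be illustrated with the following added example. It is my own code, not Sourcefire's or Snort's implementation; the option keys, the rule set, the packet dictionary layout and the "pattern pre-filter in front of one tree per pattern" arrangement are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Packet = Dict[str, Any]   # constructed layout: {"payload": bytes, "dport": int}

# Rule options live in this table, separately from the tree; tree nodes hold
# only the option key. Keys and predicates below are constructed for the example.
OPTIONS: Dict[str, Callable[[Packet], bool]] = {}

def option(key: str, pred: Callable[[Packet], bool]) -> str:
    OPTIONS[key] = pred
    return key

@dataclass
class Node:
    children: Dict[str, "Node"] = field(default_factory=dict)  # option key -> subtree
    rules: List[str] = field(default_factory=list)             # rule ids ending at this node

class RuleTree:
    """Rules that share a prefix of options share the corresponding path."""

    def __init__(self) -> None:
        self.root = Node()

    def add_rule(self, rule_id: str, options: List[str]) -> None:
        node = self.root
        for key in options:
            node = node.children.setdefault(key, Node())
        node.rules.append(rule_id)

    def evaluate(self, pkt: Packet) -> Tuple[List[str], int]:
        """Walk from the root; a failing option prunes its whole subtree.
        Returns (matched rule ids, number of option predicates executed)."""
        matched: List[str] = []
        count = [0]

        def walk(node: Node) -> None:
            matched.extend(node.rules)
            for key, child in node.children.items():
                count[0] += 1
                if OPTIONS[key](pkt):      # evaluated once here for every rule below
                    walk(child)

        walk(self.root)
        return matched, count[0]

class Engine:
    """Pattern pre-filter: only the tree behind a pattern found in the payload is walked."""

    def __init__(self) -> None:
        self.trees: Dict[bytes, RuleTree] = {}

    def add_rule(self, rule_id: str, pattern: bytes, options: List[str]) -> None:
        self.trees.setdefault(pattern, RuleTree()).add_rule(rule_id, options)

    def inspect(self, pkt: Packet) -> Tuple[List[str], int]:
        matched: List[str] = []
        evaluated = 0
        for pattern, tree in self.trees.items():
            if pattern in pkt["payload"]:
                m, n = tree.evaluate(pkt)
                matched.extend(m)
                evaluated += n
        return matched, evaluated

def build_demo_engine() -> Engine:
    """Four constructed rules; R1, R2 and R3 share the pattern and R1/R2 share a prefix."""
    dport80 = option("dport==80", lambda p: p["dport"] == 80)
    dport443 = option("dport==443", lambda p: p["dport"] == 443)
    is_get = option('content:"GET "', lambda p: b"GET " in p["payload"])
    is_post = option('content:"POST "', lambda p: b"POST " in p["payload"])
    eng = Engine()
    eng.add_rule("R1", b"cmd.exe", [dport80, is_get])
    eng.add_rule("R2", b"cmd.exe", [dport80, is_post])
    eng.add_rule("R3", b"cmd.exe", [dport443])
    eng.add_rule("R4", b"/etc/passwd", [dport80])
    return eng

if __name__ == "__main__":
    eng = build_demo_engine()
    print(eng.inspect({"payload": b"GET /cmd.exe HTTP/1.0", "dport": 80}))
    print(eng.inspect({"payload": b"GET /cmd.exe HTTP/1.0", "dport": 443}))
```

For the port-443 packet the tree evaluates two predicates in total (dport==80 fails, so the GET/POST options under it are never touched) where rule-by-rule evaluation of R1, R2 and R3 would evaluate five; a packet containing no rule pattern at all walks no tree.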
  • Patent number: 8433790
    Abstract: A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within a same network block.
    Type: Grant
    Filed: June 11, 2010
    Date of Patent: April 30, 2013
    Assignee: Sourcefire, Inc.
    Inventors: Jonathan Polley, William Andrew Vogel, III
  • Patent number: 8289882
    Abstract: The disclosed systems and methods provide a user interface for modifying host configuration data that has been automatically and passively determined and for adding or modifying other parameters associated with a host. A host data table can store various parameters descriptive of a host including the applicability of specific vulnerabilities. If it is determined that one or more hosts should not be identified as associated with a specific vulnerability, a graphical user interface can be used to modify the vulnerability parameter.
    Type: Grant
    Filed: January 15, 2010
    Date of Patent: October 16, 2012
    Assignee: Sourcefire, Inc.
    Inventors: William Andrew Vogel, III, Dina L. Bruzek
  • Publication number: 20120246728
    Abstract: A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.
    Type: Application
    Filed: May 31, 2012
    Publication date: September 27, 2012
    Applicant: Sourcefire, Inc.
    Inventor: Kenneth Todd Wease
  • Patent number: 8272055
    Abstract: A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.
    Type: Grant
    Filed: October 8, 2009
    Date of Patent: September 18, 2012
    Assignee: Sourcefire, Inc.
    Inventor: Kenneth Todd Wease
  • Publication number: 20120233222
    Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.
    Type: Application
    Filed: March 11, 2011
    Publication date: September 13, 2012
    Applicant: Sourcefire, Inc.
    Inventor: Martin Frederick Roesch
  • Patent number: 8127353
    Abstract: A computer system, device, computer software, and/or method performed by a computer system, is provided for determining a user name likely to be associated with an attack, a configuration, or a vulnerability. First data is obtained which associates user names with individual IP addresses onto which the user names were logged in. Second data is obtained which associates attacks, configurations, or vulnerabilities with individual IP addresses on which the attacks occurred or on which the configurations or vulnerabilities exist. The user names from the first data are associated with the attacks, configurations or vulnerabilities from the second data based on having the same IP address during a log-in. An individual user name is indicated as being associated with attacks which occurred while the individual user name was logged in or with configurations or vulnerabilities for an IP address onto which the user logs in.
    Type: Grant
    Filed: April 29, 2008
    Date of Patent: February 28, 2012
    Assignee: Sourcefire, Inc.
    Inventor: Brian Rittermann
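The user-name correlation in 8127353 (login records giving user-to-IP mappings, joined against attacks, configurations or vulnerabilities recorded per IP) is shown in the added example below. This is my own illustration, not Sourcefire's code; the record layouts, the constructed login and event data, and the choice to treat attacks as time-bound but vulnerabilities and configurations as host-level findings are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

@dataclass
class Login:                     # "first data": user name logged in on an IP
    user: str
    ip: str
    start: datetime
    end: Optional[datetime]      # None: session still open

@dataclass
class Event:                     # "second data": attack/config/vuln recorded per IP
    kind: str                    # "attack", "vulnerability" or "configuration"
    ip: str
    detail: str
    time: Optional[datetime] = None   # attacks carry a time; findings persist

def correlate(logins: List[Login], events: List[Event]) -> Dict[str, List[str]]:
    """Associate each event with the user(s) on the same IP.

    An attack is tied to the user logged in on that IP at the moment it
    occurred; a vulnerability or configuration finding is tied to every user
    who logs in to that host. The time-window check matters because with DHCP
    or shared workstations one IP is used by different people over the day.
    """
    by_ip: Dict[str, List[Login]] = defaultdict(list)
    for lg in logins:
        by_ip[lg.ip].append(lg)
    result: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for lg in by_ip.get(ev.ip, []):
            if ev.time is None:
                hit = True
            else:
                hit = lg.start <= ev.time and (lg.end is None or ev.time < lg.end)
            if hit:
                label = f"{ev.kind}: {ev.detail}"
                if label not in result[lg.user]:
                    result[lg.user].append(label)
    return dict(result)

def demo() -> Dict[str, List[str]]:
    """Constructed sample data: two users sharing 10.0.0.5 at different times."""
    t = datetime.fromisoformat
    logins = [
        Login("alice", "10.0.0.5", t("2014-03-10T09:00:00"), t("2014-03-10T12:00:00")),
        Login("bob",   "10.0.0.5", t("2014-03-10T13:00:00"), None),
        Login("carol", "10.0.0.9", t("2014-03-10T08:00:00"), None),
    ]
    events = [
        Event("attack", "10.0.0.5", "SQL injection attempt against web app", t("2014-03-10T11:30:00")),
        Event("attack", "10.0.0.5", "brute-force SSH logins", t("2014-03-10T14:00:00")),
        Event("vulnerability", "10.0.0.5", "outdated SSH daemon"),
        Event("attack", "10.0.0.7", "port scan", t("2014-03-10T10:00:00")),
        Event("configuration", "10.0.0.9", "telnet service enabled"),
    ]
    return correlate(logins, events)

if __name__ == "__main__":
    for user, findings in demo().items():
        print(user, findings)
```

The attack on 10.0.0.7 is attributed to nobody because no login record covers that IP; a plain join on IP without the interval check would have charged bob with alice's 11:30 attack.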
  • Publication number: 20110314143
    Abstract: A system includes a processor device. The processor device is configured to receive reports of operating system identities for a single host; determine which of the operating system identities are an intersection of the reported operating system identities; and assign the intersection of the reported operating system identities as a resolved operating system identity.
    Type: Application
    Filed: June 22, 2010
    Publication date: December 22, 2011
    Applicant: Sourcefire, Inc.
    Inventors: William Andrew Vogel, III, Andrew Baker
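The operating-system resolution of 8671182 / 20110314143 (intersect the OS identities reported for one host) and the confidence-value selection of 8578002 (pick among several identities derived from one decoded packet) are illustrated together in the added example below. It is my own code, not Sourcefire's; the report layout, the confidence values and the confidence-sum fallback used when the reports have no identity in common are assumptions for the example.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

# One report = candidate OS identity -> confidence in [0, 1], as one sensor or one
# decoded packet might produce. All values here are constructed for the example.
Report = Dict[str, float]

def select_by_confidence(candidates: Report) -> Optional[str]:
    """8578002-style choice when one packet yields several OS identities:
    take the highest confidence; ties are broken by name so the result is stable."""
    if not candidates:
        return None
    return max(sorted(candidates), key=lambda name: candidates[name])

def resolve_os_identity(reports: List[Report]) -> Tuple[FrozenSet[str], str]:
    """8671182-style resolution across several reports for the same host.

    Returns (resolved identities, method). The resolved identity is the
    intersection of the reported identity sets. If the reports disagree
    completely (empty intersection) this example falls back to the identity
    with the highest summed confidence; that fallback is an assumption here,
    not something the abstract specifies.
    """
    if not reports:
        return frozenset(), "none"
    common = set(reports[0])
    for r in reports[1:]:
        common &= set(r)
    if common:
        return frozenset(common), "intersection"
    totals: Report = {}
    for r in reports:
        for name, conf in r.items():
            totals[name] = totals.get(name, 0.0) + conf
    best = select_by_confidence(totals)
    return frozenset([best]), "confidence-fallback"

if __name__ == "__main__":
    reports = [
        {"Linux 2.6": 0.8, "Linux 3.x": 0.6},
        {"Linux 3.x": 0.9, "FreeBSD": 0.3},
        {"Linux 3.x": 0.7, "Linux 2.6": 0.2},
    ]
    print(resolve_os_identity(reports))
```

Note that the intersection deliberately ignores confidence: the single report that scores "Linux 2.6" highest is outvoted because only "Linux 3.x" appears in every report, which is why the intersection is preferred over a simple confidence vote.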
  • Publication number: 20110307600
    Abstract: A system includes a processor device. The processor device is configured to detect a physical topology of a network comprising hosts and sensors in the network. The processor device is also configured to generate a sensor policy for assignment of the sensors to network blocks of the hosts, that balances a processing load and accuracy of the sensors in the network based on physical closeness of the sensors to different divisions of hosts within a same network block.
    Type: Application
    Filed: June 11, 2010
    Publication date: December 15, 2011
    Applicant: Sourcefire, Inc.
    Inventors: Jonathan Polley, William Andrew Vogel, III
  • Patent number: 8069352
    Abstract: A method performed in an intrusion detection/prevention system, a system or a device for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable. The TCP connection can include TCP segments beginning with a three way handshake. A TCP segment can include a field for a timestamp. A timestamp policy of plural timestamp policies is identified, the timestamp policy corresponding to a target associated with the segments in a TCP connection. A baseline timestamp is identified based on a three way handshake in the TCP connection. Segments in the TCP connection are monitored. The segments in the TCP connection are filtered as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: November 29, 2011
    Assignee: Sourcefire, Inc.
    Inventors: Steven Sturges, Judy Hollis Novak
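The per-target TCP timestamp policy of 8069352 (baseline timestamp taken from the three-way handshake, later segments filtered out or forwarded according to the policy for the target) is shown in the added example below. The point of tying the decision to the target is that an IDS/IPS which accepts a stale-timestamped segment that the end host discards (or the reverse) is desynchronised from the host and can be evaded. This is my own code, not Sourcefire's; the policy names "filter" and "forward", keying policies by target IP, the segment record layout and the wraparound comparison rule are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TS_MASK = 0xFFFFFFFF

def ts_before(a: int, b: int) -> bool:
    """True if 32-bit timestamp a is earlier than b, wraparound-safe
    (the signed-difference rule RFC 7323 uses for PAWS)."""
    return ((a - b) & TS_MASK) > 0x7FFFFFFF

@dataclass
class Segment:            # constructed layout
    src: str
    dst: str
    flags: str            # "S", "SA" or "A"
    tsval: Optional[int]  # TCP timestamp option value, None if absent
    payload: bytes = b""

class TimestampFilter:
    """Per-target policy: "filter" drops segments whose timestamp is older than
    the handshake baseline for that direction, "forward" passes them through."""

    def __init__(self, policy_by_target: Dict[str, str]) -> None:
        self.policy_by_target = policy_by_target
        # (client, server) -> {sender ip: baseline tsval from the handshake}
        self.baseline: Dict[Tuple[str, str], Dict[str, int]] = {}

    def observe(self, seg: Segment) -> str:
        if seg.flags == "S":                 # client SYN: client-side baseline
            self.baseline[(seg.src, seg.dst)] = (
                {seg.src: seg.tsval} if seg.tsval is not None else {})
            return "handshake"
        if seg.flags == "SA":                # server SYN/ACK: server-side baseline
            conn = (seg.dst, seg.src)
            if conn in self.baseline and seg.tsval is not None:
                self.baseline[conn][seg.src] = seg.tsval
            return "handshake"
        conn = (seg.src, seg.dst) if (seg.src, seg.dst) in self.baseline else (seg.dst, seg.src)
        base = self.baseline.get(conn, {}).get(seg.src)
        if base is None or seg.tsval is None:
            return "forward"                 # nothing to compare against
        policy = self.policy_by_target.get(seg.dst, "forward")
        if policy == "filter" and ts_before(seg.tsval, base):
            return "drop"
        return "forward"

if __name__ == "__main__":
    f = TimestampFilter({"10.0.0.2": "filter", "10.0.0.3": "forward"})
    f.observe(Segment("10.0.0.1", "10.0.0.2", "S", 1000))
    f.observe(Segment("10.0.0.2", "10.0.0.1", "SA", 5000))
    print(f.observe(Segment("10.0.0.1", "10.0.0.2", "A", 900, b"stale")))   # drop
    print(f.observe(Segment("10.0.0.1", "10.0.0.2", "A", 1001, b"fresh")))  # forward
```

A segment arriving on a connection whose handshake was not observed has no baseline and is forwarded; a production deployment would want that case logged, since a sensor that starts mid-connection cannot apply the policy at all.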
  • Patent number: 8046833
    Abstract: A policy component includes policy configuration information. The policy configuration information contains one or more rules. Each rule and group of rules can be associated with a set of response actions. As the nodes on the monitored networks change or intrusive actions are introduced on the networks, network change events or intrusion events are generated. The policy component correlates network change events and/or intrusion events with network map information. The network map contains information on the network topology, services and network devices, amongst other things. When certain criteria are satisfied based on the correlation, a policy violation event may be issued by the system resulting in alerts or remediations.
    Type: Grant
    Filed: November 14, 2005
    Date of Patent: October 25, 2011
    Assignee: Sourcefire, Inc.
    Inventors: Eric Gustafson, Brian P. Rittermann
  • Publication number: 20110258702
    Abstract: A system includes a processor. The processor is configured to receive network traffic that includes a data block. The processor will generate a unique identifier (UID) for the file that includes a hash value corresponding to the file. The processor will determine whether the file is indicated as good or bad with the previously-stored UID. The processor will call a file-type specific detection nugget corresponding to the file's file-type to perform a full file inspection to detect whether the file is good or bad and store a result of the inspection together with the UID of the file, when the file is determined to be not listed in the previously-stored UIDs. The processor will not call the file-type specific detection nugget when the file's indicator is “good” or “bad” in the previously-stored UIDs. The processor will issue an alert about the bad file when the file's indicator is “bad”.
    Type: Application
    Filed: April 14, 2011
    Publication date: October 20, 2011
    Applicant: Sourcefire, Inc.
    Inventors: Matthew Olney, Patrick Mullen, Lurene Grenier, Nigel Houghton, Ryan Pentney
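The verdict-caching flow of 8677486 and its published application 20110258702 (hash the file into a UID, consult previously stored good/bad indicators, run the file-type specific detection nugget only for unknown UIDs, alert on bad) is shown in the added example below. It is my own code, not Sourcefire's; the use of SHA-256 as the UID, the magic-byte type sniffing and the two toy "nuggets" with their marker strings are assumptions constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List

# Hypothetical detection "nuggets": one full-inspection routine per file type.
# Both are toy heuristics constructed for this example, not real detectors.
def inspect_pe(data: bytes) -> str:
    return "bad" if b"EVIL_PAYLOAD" in data else "good"

def inspect_pdf(data: bytes) -> str:
    return "bad" if b"/OpenAction" in data and b"/JavaScript" in data else "good"

NUGGETS: Dict[str, Callable[[bytes], str]] = {"pe": inspect_pe, "pdf": inspect_pdf}

def file_uid(data: bytes) -> str:
    """UID for a file: here simply its SHA-256 digest (an assumption; the
    abstract only says the UID includes a hash value of the file)."""
    return hashlib.sha256(data).hexdigest()

def detect_file_type(data: bytes) -> str:
    """Magic-byte sniffing so the right nugget can be chosen."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"

class FileVerdictEngine:
    """Cache of UID -> "good"/"bad" in front of the type-specific nuggets."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}   # previously-stored UIDs and indicators
        self.alerts: List[str] = []
        self.inspections = 0                 # how many times a nugget really ran

    def process(self, data: bytes) -> str:
        uid = file_uid(data)
        verdict = self.verdicts.get(uid)
        if verdict is None:
            # Unknown UID: full inspection once, result stored with the UID.
            nugget = NUGGETS.get(detect_file_type(data))
            if nugget is None:
                return "unknown"             # no inspector for this type; nothing cached
            verdict = nugget(data)
            self.inspections += 1
            self.verdicts[uid] = verdict
        # Known UID: the nugget is skipped whether the indicator is good or bad;
        # a bad indicator always raises an alert.
        if verdict == "bad":
            self.alerts.append(f"bad file uid={uid[:16]}...")
        return verdict

if __name__ == "__main__":
    eng = FileVerdictEngine()
    sample = b"MZ" + b"\x00" * 8 + b"EVIL_PAYLOAD"     # constructed PE-like blob
    print(eng.process(sample), eng.inspections)        # bad 1
    print(eng.process(sample), eng.inspections)        # bad 1 (cache hit)
```

Two operational caveats follow from keying the cache on a content hash: any one-byte change to a sample produces a new UID and a fresh inspection, and a stored "good" verdict is never revisited unless the cache is versioned alongside the nuggets, so a detector update should invalidate verdicts produced by the older version.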
  • Patent number: 7996424
    Abstract: Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen bit elements outperform state transition tables with thirty-two bit elements and do not reduce the functionality of intrusion detection system using the Aho-Corasick algorithm.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: August 9, 2011
    Assignee: Sourcefire, Inc.
    Inventors: Marc A. Norton, Daniel J. Roelker
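The memory-reduction ideas in 7996424 (an Aho-Corasick state table stored as banded rows that keep only the span between a row's first and last non-zero column, 16-bit transition elements, and case-insensitive matching by uppercasing the text as it is read) are shown in the added example below. It is my own implementation, not Sourcefire's or Snort's; it does not reproduce the patent's exact three-structure layout, and the pattern set, the choice of Python's array("H") for the 16-bit elements and the full-DFA construction before banding are assumptions for the example.

```python
from array import array
from collections import deque
from typing import Dict, List, Tuple

class BandedAhoCorasick:
    """Aho-Corasick DFA with banded 16-bit transition rows and case-insensitive search."""

    def __init__(self, patterns: List[str]) -> None:
        trie: List[Dict[int, int]] = [{}]            # state -> {byte: next state}
        self.output: List[List[int]] = [[]]          # state -> pattern ids ending there
        for pid, pat in enumerate(patterns):
            s = 0
            for b in pat.upper().encode():           # patterns stored in upper case
                if b not in trie[s]:
                    trie.append({})
                    self.output.append([])
                    trie[s][b] = len(trie) - 1
                s = trie[s][b]
            self.output[s].append(pid)
        n = len(trie)
        assert n < 0x10000, "16-bit state ids cover at most 65535 states"

        # Failure links and the full 256-column transition table, breadth-first.
        fail = [0] * n
        full = [[0] * 256 for _ in range(n)]
        queue = deque()
        for b, t in trie[0].items():
            full[0][b] = t
            queue.append(t)
        while queue:
            s = queue.popleft()
            for b in range(256):
                t = trie[s].get(b)
                if t is None:
                    full[s][b] = full[fail[s]][b]
                else:
                    fail[t] = full[fail[s]][b]
                    self.output[t] += [p for p in self.output[fail[t]] if p not in self.output[t]]
                    full[s][b] = t
                    queue.append(t)

        # Banded rows: (first column, 16-bit transitions up to the last non-zero column).
        # Columns outside the band implicitly transition to the root (state 0).
        self.rows: List[Tuple[int, array]] = []
        for row in full:
            cols = [b for b in range(256) if row[b]]
            if cols:
                self.rows.append((cols[0], array("H", row[cols[0]:cols[-1] + 1])))
            else:
                self.rows.append((0, array("H")))
        self.full_cells = n * 256
        self.band_cells = sum(len(band) for _, band in self.rows)

    def step(self, state: int, b: int) -> int:
        lo, band = self.rows[state]
        i = b - lo
        return band[i] if 0 <= i < len(band) else 0

    def search(self, text: bytes) -> List[Tuple[int, int]]:
        """Return (end offset, pattern id) for every match, case-insensitively."""
        hits: List[Tuple[int, int]] = []
        s = 0
        for i, b in enumerate(text):
            if 0x61 <= b <= 0x7A:
                b -= 0x20                        # uppercase the byte as it is read
            s = self.step(s, b)
            for pid in self.output[s]:
                hits.append((i, pid))
        return hits

if __name__ == "__main__":
    ac = BandedAhoCorasick(["he", "she", "his", "hers"])   # constructed pattern set
    print(ac.search(b"uShErS"))
    print(ac.full_cells, "cells full vs", ac.band_cells, "cells banded")
```

The band trades a bounds check per transition for the memory saving; for this four-pattern set the full table holds 2560 cells while the banded rows hold a few dozen, and the ratio is what matters when a rule set has tens of thousands of content patterns.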