Abstract: A system and method determines whether software includes malicious code. A validation machine is instrumented with tools and monitors that capture the static and dynamic behavior of software. Software under examination is executed on the validation machine, and the tools and monitors are used to log data representative of the behavior of the software to detect vulnerable or malicious code. If possible, one or more operations are automatically performed on the software to enhance the security of the software by neutralizing the vulnerable or malicious code. Activities that cannot be neutralized automatically are flagged for human inspection. The software executed on the validation machine may be source code or non-source code, with different operations being disclosed and described in each case.

Abstract: Apparatus and methods prevent malicious data in Universal Serial Bus (USB) configurations by providing a hardware firewall. A hardware device interconnected between a host and the USB monitors communication packets and blocks packets having unwanted or malicious intent. The device may act as a hub, enabling multiple devices to connect to a single host. The device may only allow mass storage packets from a device recognized as a mass storage device. The device may block enumeration of unwanted devices by not forwarding packets between the device and the host. The device may be operative to assign a bogus address to a malicious device so as not to transfer communications from the device further up the chain to the host. The device may provide shallow or deep packet inspection to determine when a trusted device is sending possible malicious data, or provide packet validation to block packets that are malformed.

Abstract: Apparatus and methods prevent malicious data in Universal Serial Bus (USB) configurations by providing a hardware firewall. A hardware device interconnected between a host and the USB monitors communication packets and blocks packets having unwanted or malicious intent. The device may act as a hub, enabling multiple devices to connect to a single host. The device may only allow mass storage packets from a device recognized as a mass storage device. The device may block enumeration of unwanted devices by not forwarding packets between the device and the host. The device may be operative to assign a bogus address to a malicious device so as not to transfer communications from the device further up the chain to the host. The device may provide shallow or deep packet inspection to determine when a trusted device is sending possible malicious data, or provide packet validation to block packets that are malformed.

Abstract: An intelligent system for automatically monitoring, diagnosing, and repairing complex hardware and software systems is presented. A number of functional modules enable the system to collect relevant data from both hardware and software components, analyze the incoming data to detect faults, further monitor sensor data and historical knowledge to predict potential faults, determine an appropriate response to fix the faults, and finally automatically repair the faults when appropriate. The system leverages both software and hardware modules to interact with the complex system being monitored. Additionally, the lessons learned on one system can be applied to better understand events occurring on the same or similar systems.

Abstract: A system and method determines whether software includes malicious code. A validation machine is instrumented with tools and monitors that capture the static and dynamic behavior of software. Software under examination is executed on the validation machine, and the tools and monitors are used to log data representative of the behavior of the software to detect vulnerable or malicious code. If possible, one or more operations are automatically performed on the software to enhance the security of the software by neutralizing the vulnerable or malicious code. Activities that cannot be neutralized automatically are flagged for human inspection. The software executed on the validation machine may be source code or non-source code, with different operations being disclosed and described in each case.

Abstract: A hardware-assisted security system for networked computers can detect, prevent, and mitigate rootkits. The solution relies upon an add-on card that monitors the system, alerting administrators when malicious changes are made to a system. The technical detail lies in the techniques needed to detect rootkits, preventing rootkits when possible, and granting administration of protected systems. A beneficial side-effect of the solution is that it allows many other security features, like system auditing, forensic capabilities to determine what happened after an attack, and hardware lock-down of important system resources.