Abstract: Techniques for classifying non-process threats are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for classifying non-process threats comprising generating trace data of at least one observable event associated with execution of a process, representing a first feature of the at least one observable event of the trace data, calculating, using a computer processor, a similarity between the first feature and at least one sample feature, and classifying the process based on the similarity.

Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

Abstract: A computer-implemented method to deploy a pre-boot environment in a computing system is described. A protected area may be created at a first location on a data storage device of the computing system. An operating system may be installed in the protected area at the first location on the data storage device. The pre-boot environment is modified to enable an address offset mode. The pre-boot environment is installed in an unprotected area at a second location on the data storage device.

Abstract: Machine language instruction sequences of computer files are extracted and encoded into standardized opcode sequences. The standardized opcodes in the sequences are of the same length and do not include operands. A multi-dimension vector is generated as a static feature for each computer file, where each element in the vector corresponds to the number of occurrences of a unique N-gram (i.e., unique sequence of N consecutive standardized opcodes) in the standardized opcode sequence for that computer file. The computer files are clustered into clusters of similarly classified files based on similarities of their static features. An unknown computer file can be classified by first grouping the file into a cluster of files with similar static features (e.g., into the cluster with the shortest average distance), and then determining the classification of that file based on the classifications of other files that belong to the same cluster.

Abstract: A candidate signature for a known malware entity is selected for analysis. A set of malware entities that contain the candidate signature is identified. A diversity measurement for the candidate signature is determined. The diversity measurement describes the diversity of the set of malware entities that contain the candidate signature. A determination is made whether to use the candidate signature to identify the known malware entity based at least in part on the diversity measurement. Responsive to the determination, the candidate malware signature is stored as a signature for the known malware entity.

Abstract: A signature is identified in association with an entity at a client. A reputation score associated with the entity is identified, the reputation score indicating a likelihood that the entity will compromise the client. Whether the signature detection event is a false positive signature detection event is evaluated based on the reputation score and reported.

Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

Abstract: A security module detects attempted exploitations of vulnerabilities of applications executing on a computer. The security module hooks an application on the computer. The hook transfers control flow to the security module if execution reaches a hooked location. When a hook is followed, the security module saves the state of the computer and activates an analysis environment. A virtual machine within the analysis environment executes signatures that programmatically analyze the state of the computer to determine whether a vulnerability in the application is being exploited. If a signature detects an exploit, the security module blocks the exploit by skipping over the one or more instructions that constitute the exploit, terminating the application, or performing a different action. The security module reports the detected exploit attempt to the user of the client. The security module returns control flow back to the application if it does not detect an exploit.

Abstract: A set of candidate signatures for a malicious software (malware) is generated. The candidate signatures in the set are scored based on features that indicate the signatures are more unique and thus less likely to generically occur non-malicious programs. A malware signature for the malware entity is selected from among the candidate malware signatures based on the scores. The selected malware signature is stored.

Abstract: A server provides a reduced set of malware signatures to clients. The reduced set of malware signatures has the same scope of coverage as a comprehensive set of malware signatures stored on the server, but with a higher rate of false positive detections. The server receives signature detection event reports from the clients. A signature detection event report identifies the signature in the reduced set that was detected, and includes information describing the suspicious entity in which the signature was detected. Upon receiving a signature detection event report from a client, the server evaluates the information describing the suspicious entity using one or more signatures in the comprehensive set to determine whether the signature detection event is a false positive or a legitimate malware detection. The security server provides the result of the evaluation to the client from which the report was received.

Abstract: A uniformity of a cluster of samples is determined, and a corresponding raw confidence value is calculated. A confidence interval weight is calculated using a confidence interval to determine reliability of the uniformity. A trace length weight is calculated, as a function of traces of the samples. An n-gram weight is calculated, as a function of numbers of n-grams generated by the samples. A compactness weight is calculated, as a function of the similarity of the samples. A cluster weight is calculated as a function of the four above-described weights. A cluster confidence measurement is calculated as a function of the cluster weight and the raw confidence value. When a new sample is assigned to the cluster, an assignment confidence measurement is calculated, as a function of the cluster's confidence measurement and the sample's trace length, n-grams and similarity.

Abstract: A security module detects attempted exploitations of vulnerabilities of an application executing on a computer. A robust function of the application having native error handling functionality is identified. The security module wraps the robust function with an exception handler that catches a “security violation” exception. The exception handler returns an error code of a type that is handled by the application's native error handling functionality. The security module also hooks the application. When a hook is followed, the security module determines whether a vulnerability in the application is being exploited. If an attempted exploit is detected, the security module throws the security violation exception. The application's native error handling functionality unwinds the call stack for the application until it reaches the exception handler wrapping the robust function.

Abstract: A load balancing server system includes a plurality of servers. A server has a dispatcher module, a request handler module, a cache and a local database. A load balancer receives requests for information from clients and distributes the requests among dispatcher modules of the plurality of servers in a balanced manner. The dispatcher module receives a request for information, calculates an identifier of a server from a subset of a hash result responsive to the request, routes the request to the server identified by the identifier, and provides information in the response to the client that requested it. The request handler module receives the request routed by the dispatcher module, determines the requested information by searching the cache and/or the local database, and provides the determined information to the dispatcher module.

Abstract: A reputation server is coupled to multiple clients via a network. Each client has a security module that detect malware at the client. The security module computes a hygiene score based on detected malware and provides it to the reputation server. The security module monitors client encounters with entities such as files, programs, and websites. When a client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The security module evaluates the reputation score and optionally cancels an activity involving the entity. The reputation server computes reputation scores for the entities based on the clients' hygiene scores and operations performed in response to the evaluations. The reputation server prioritizes malware submissions from the client security modules based on the reputation scores.

Abstract: A gsprite engine circuit reads a display list identifying gsprite image layers to be composited for display, retrieves gsprite image data from an external memory, and transforms the gsprite data to display device coordinates. The gsprite image layers represent independently rendered graphical objects in a graphics scene. The gsprite engine can simulate the motion of the graphical objects in a sequence of display images by performing affine transformations on the gsprite image layers. The interface to the gsprite engine circuit includes the display list and gsprite header blocks. The display list enumerates the gsprites to be composited as a display image. The header blocks describe a gsprite transform, which can be an affine transform, used to transform gsprites to display device coordinates. The header blocks also provide an array of references to image blocks or "chunks" comprising the gsprite.

Abstract: A method for texture mapping an image includes passing an interpolating filter along a line of anisotropy in a texture map and computing a weighted sum of the outputs of the interpolating filter to compute pixel intensity values. The weighting of these output values can be computed using a one dimensional digital filter. The line of anisotropy is derived from the inverse transform, which describes the mapping of a point on the surface of a geometric primitive to a point in the texture map. A system supporting anisotropic filtering includes texture memory, a set-up processor, and a texture filter engine. The set-up processor parses a command stream and retrieves texture data into the texture memory. The texture filter engine determines the line of anisotropy for a pixel and computes a weighted sum of interpolated values sampled along the line of anisotropy.

Abstract: A method for merging pixel fragments to reduce memory usage in a graphics rendering system. In rendering a graphics scene, geometric primitives of objects in the scene are rasterized to create pixel data including pixel fragments representing partially covered pixels. Lists of pixel fragments having color, depth, and coverage data are stored in a fragment buffer. When a new fragment is generated, an attempt is made to merge the fragment with the last fragment stored for a corresponding pixel location. Fragments are merged if they are within predefined depth and color tolerances.

Abstract: A graphics rendering chip serially renders a stream of geometric primitives to image regions called chunks. A set-up processor in the chip parses rendering commands and the stream of geometric primitives and computes edge equation parameters. A scan-convert processor receives the edge equation parameters from the set-up processor and scan converts the geometric primitives to produce pixel records and fragment records. An internal, double-buffered pixel buffer stores pixel records for fully covered pixel addresses and also stores references to fragment lists stored in a fragment buffer. A pixel engine performs hidden surface removal and controls storage of pixel and fragment records to the pixel and fragment buffers, respectively. An anti-aliasing engine resolves pixel data for one pixel buffer while the pixel engine fills the other pixel buffer with pixel data for the next chunk.

Abstract: A system for accessing texture data in a graphics rendering system allows texture data to be stored in memories with high latency or in a compressed format. The system utilizes a texture cache to temporarily store blocks of texture data retrieved from an external memory during rendering operations. In one implementation, geometric primitives are stored in a queue long enough to absorb the latency of fetching and possibly decompressing a texture block. The geometric primitives are converted into texture block references, and these references are used to fetch texture blocks from memory. A rasterizer rasterizes each geometric primitives as the necessary texture data becomes available in the texture cache. In another implementation, geometric primitives are converted into pixels, including a pixel address, color data, and a texture request. These pixels are stored in a queue long enough to absorb the latency of a texture block fetch.

Abstract: A method for rendering graphical objects in a scene to generate a display images includes dividing the geometric primitives of models in a scene among portions or "chunks" of the view space to which the primitives will be rendered, and then rendering geometry referenced to the chunks in series in a common depth buffer. Geometry for a chunk can be rendered, including sophisticated anti-aliasing and translucency computations, using a minimum of memory. Serially rendering object geometry in chunks provides an effective form of compression because pixel fragments can be generated for one chunk at a time and then resolved. Pixel fragments can be resolved in a post-processing step for one chunk while primitives for another chunk are rasterized.