Patents by Inventor Michael Gorelik

Michael Gorelik has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11847222
    Abstract: Embodiments described herein are capable of preventing the installation of unwanted software bundled with a desired application at runtime, while allowing the installation of the desired application to continue as expected. For example, the embodiments described herein create a decoy in memory that preempts unwanted code. The decoy attracts any illegitimate code and diverts it into a dead end (e.g., the code is isolated, thereby preventing it from properly executing), while installation of the legitimate code (i.e., the desired application) flows as expected. The foregoing detects that a reflective loading process of a DLL associated with the unwanted application has occurred, identifies the entity that attempted to perform the reflective loading process, and prevents the entity from completing the reflective loading process without terminating the main installer.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: December 19, 2023
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Patent number: 11822654
    Abstract: Embodiments described herein enable the detection, analysis and signature determination of obfuscated malicious code. Such malicious code comprises a deobfuscation portion that deobfuscates the obfuscated portion during runtime to generate deobfuscated malicious code. The techniques described herein deterministically detect and suspend the deobfuscated malicious code when it attempts to access memory resources that have been morphed in accordance with embodiments described herein. This advantageously enables the deobfuscated malicious code to be suspended at its initial phase. By doing so, the malicious code is not given the opportunity to delete its traces in memory regions it accesses, thereby enabling the automated exploration of such memory regions to locate and extract runtime memory characteristics associated with the malicious code.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: November 21, 2023
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Evgeny Goldstein, Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Patent number: 11645383
    Abstract: Various automated techniques are described herein for the runtime detection/neutralization of malware executing on a computing device. The foregoing is achievable during a relatively early phase, for example, before the malware manages to encrypt any of the user's files. For instance, a malicious process detector may create decoy file(s) in a directory. The decoy file(s) may have attributes that cause such file(s) to reside at the beginning and/or end of a file list. By doing so, a malicious process targeting files in the directory will attempt to encrypt the decoy file(s) before any other file. The detector monitors operations to the decoy file(s) to determine whether a malicious process is active on the user's computing device. In response to determining that a malicious process is active, the malicious process detector takes protective measure(s) to neutralize the malicious process.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: May 9, 2023
    Assignee: MORPHISEC INFORMATION SECURITY 2014 LTD.
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Publication number: 20220092171
    Abstract: Techniques are provided for neutralizing attacks by malicious code on a computer system. In an embodiment, this is achieved by modifying certain aspects of an operating system. For example, a system call table storing pointers to system functions is duplicated to create a shadow system call table. The original table is modified with traps resulting in the neutralization of processes that access the table, whereas processes that access the shadow system call table are enabled to execute properly. In order for valid applications to operate with the shadow system call table, index numbers corresponding to the different system function calls are randomized in a system library that maintains function calls to such system functions. Valid applications may be patched in order to reference such randomized index numbers, whereas malicious processes continue to reference the original non-randomized index numbers.
    Type: Application
    Filed: November 27, 2019
    Publication date: March 24, 2022
    Inventors: Nathaniel TSECHANSKI, Mordechai GURI, Michael GORELIK
  • Patent number: 11171987
    Abstract: Various automated techniques are described herein for protecting computing devices from malicious code injection and execution by providing a malicious process with incorrect information regarding the type and/or version and/or other characteristics of the operating system and/or the targeted program and/or the targeted computing device. The falsified information tricks the malicious process into injecting shellcode that is incompatible with the targeted operating system, program and/or computing device. When the incompatible, injected shellcode attempts to execute, it fails as a result of the incompatibility, thereby protecting the computing device.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: November 9, 2021
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Publication number: 20210056205
    Abstract: Embodiments described herein are capable of preventing the installation of unwanted software bundled with a desired application at runtime, while allowing the installation of the desired application to continue as expected. For example, the embodiments described herein create a decoy in memory that preempts unwanted code. The decoy attracts any illegitimate code and diverts it into a dead end (e.g., the code is isolated, thereby preventing it from properly executing), while installation of the legitimate code (i.e., the desired application) flows as expected. The foregoing detects that a reflective loading process of a DLL associated with the unwanted application has occurred, identifies the entity that attempted to perform the reflective loading process, and prevents the entity from completing the reflective loading process without terminating the main installer.
    Type: Application
    Filed: March 21, 2019
    Publication date: February 25, 2021
    Inventors: Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Publication number: 20200342100
    Abstract: Embodiments described herein enable the detection, analysis and signature determination of obfuscated malicious code. Such malicious code comprises a deobfuscation portion that deobfuscates the obfuscated portion during runtime to generate deobfuscated malicious code. The techniques described herein deterministically detect and suspend the deobfuscated malicious code when it attempts to access memory resources that have been morphed in accordance with embodiments described herein. This advantageously enables the deobfuscated malicious code to be suspended at its initial phase. By doing so, the malicious code is not given the opportunity to delete its traces in memory regions it accesses, thereby enabling the automated exploration of such memory regions to locate and extract runtime memory characteristics associated with the malicious code.
    Type: Application
    Filed: April 20, 2018
    Publication date: October 29, 2020
    Inventors: Evgeny Goldstein, Michael Gorelik, Mordechai Guri, Ronen Yehoshua
  • Publication number: 20200143269
    Abstract: A method for determining a travel destination from user generated content is proposed. The method includes determining a text string in the user generated content that indicates a place or an address. Further, the method includes determining a plurality of potential travel destinations based on the text string. The method additionally includes determining similarities between the plurality of potential travel destinations and a plurality of reference positions assigned to the user, and ranking the plurality of potential travel destinations based on the similarities.
    Type: Application
    Filed: January 8, 2020
    Publication date: May 7, 2020
    Inventors: Yang CAO, Alvin CHIN, Michael GORELIK, James HU, Qing LI, Jilei TIAN
  • Patent number: 10528735
    Abstract: Various approaches are described herein for, among other things, detecting and/or neutralizing attacks by malicious code. For example, instance(s) of a protected process are modified upon loading by injecting a runtime protector that creates a copy of each of the process' imported libraries and maps the copy into a random address inside the process' address space to form a “randomized” shadow library. The libraries loaded at the original address are modified into a stub library. Shadow and stub libraries are also created for libraries that are loaded after the process creation is finalized. Consequently, when malicious code attempts to retrieve the address of a given procedure, it receives the address of the stub procedure, thereby neutralizing the malicious code. When the original program's code (e.g., the non-malicious code) attempts to retrieve the address of a procedure, it receives the correct address of the requested procedure (located in the shadow library).
    Type: Grant
    Filed: May 8, 2015
    Date of Patent: January 7, 2020
    Assignee: Morphisec Information Security 2014 Ltd.
    Inventors: Michael Gorelik, Mordechai Guri, David Mimran, Gabriel Kedma, Ronen Yehoshua
  • Publication number: 20190334949
    Abstract: Various automated techniques are described herein for protecting computing devices from malicious code injection and execution by providing a malicious process with incorrect information regarding the type and/or version and/or other characteristics of the operating system and/or the targeted program and/or the targeted computing device. The falsified information tricks the malicious process into injecting shellcode that is incompatible with the targeted operating system, program and/or computing device. When the incompatible, injected shellcode attempts to execute, it fails as a result of the incompatibility, thereby protecting the computing device.
    Type: Application
    Filed: December 28, 2017
    Publication date: October 31, 2019
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Publication number: 20190332766
    Abstract: Various automated techniques are described herein for the runtime detection/neutralization of malware executing on a computing device. The foregoing is achievable during a relatively early phase, for example, before the malware manages to encrypt any of the user's files. For instance, a malicious process detector may create decoy file(s) in a directory. The decoy file(s) may have attributes that cause such file(s) to reside at the beginning and/or end of a file list. By doing so, a malicious process targeting files in the directory will attempt to encrypt the decoy file(s) before any other file. The detector monitors operations to the decoy file(s) to determine whether a malicious process is active on the user's computing device. In response to determining that a malicious process is active, the malicious process detector takes protective measure(s) to neutralize the malicious process.
    Type: Application
    Filed: December 28, 2017
    Publication date: October 31, 2019
    Inventors: Mordechai Guri, Ronen Yehoshua, Michael Gorelik
  • Patent number: 10402563
    Abstract: Various approaches are described herein for the automated classification of exploit(s) based on snapshots of runtime environmental features of a computing process in which the exploit(s) are attempted. The foregoing is achieved with a server and local station(s). Each local station is configured to neutralize operation of malicious code being executed thereon, obtain snapshot(s) indicating the state thereof at the time of the exploitation attempt, and perform a classification process using the snapshot(s). The snapshot(s) are analyzed with respect to a local classification model maintained by the local station to find a classification of the exploit therein. If a classification is found, an informed decision is made as to how to handle the classified exploit. If a classification is not found, the snapshot(s) are provided to the server for classification thereby. The server provides an updated classification model containing a classification for the exploit to the local station(s).
    Type: Grant
    Filed: February 11, 2016
    Date of Patent: September 3, 2019
    Assignee: MorphiSec Information Security Ltd.
    Inventors: Mordechai Guri, Michael Gorelik, Ronen Yehoshua
  • Publication number: 20180181752
    Abstract: Various approaches are described herein for the automated classification of exploit(s) based on snapshots of runtime environmental features of a computing process in which the exploit(s) are attempted. The foregoing is achieved with a server and local station(s). Each local station is configured to neutralize operation of malicious code being executed thereon, obtain snapshot(s) indicating the state thereof at the time of the exploitation attempt, and perform a classification process using the snapshot(s). The snapshot(s) are analyzed with respect to a local classification model maintained by the local station to find a classification of the exploit therein. If a classification is found, an informed decision is made as to how to handle the classified exploit. If a classification is not found, the snapshot(s) are provided to the server for classification thereby. The server provides an updated classification model containing a classification for the exploit to the local station(s).
    Type: Application
    Filed: February 11, 2016
    Publication date: June 28, 2018
    Inventors: Mordechai Guri, Michael Gorelik, Ronen Yehoshua
  • Publication number: 20170206357
    Abstract: Various approaches are described herein for, among other things, detecting and/or neutralizing attacks by malicious code. For example, instance(s) of a protected process are modified upon loading by injecting a runtime protector that creates a copy of each of the process' imported libraries and maps the copy into a random address inside the process' address space to form a “randomized” shadow library. The libraries loaded at the original address are modified into a stub library. Shadow and stub libraries are also created for libraries that are loaded after the process creation is finalized. Consequently, when malicious code attempts to retrieve the address of a given procedure, it receives the address of the stub procedure, thereby neutralizing the malicious code. When the original program's code (e.g., the non-malicious code) attempts to retrieve the address of a procedure, it receives the correct address of the requested procedure (located in the shadow library).
    Type: Application
    Filed: May 8, 2015
    Publication date: July 20, 2017
    Inventors: Michael Gorelik, Mordechai Guri, David Mimran, Gabriel Kedma, Ronen Yehoshua
  • Patent number: 9221535
    Abstract: A system and method of adaptively managing a plurality of engines in a multi-engine system, where each engine comprises hot gas components and non-hot gas components, and each engine exhibits a performance margin and a remaining useful life, includes continuously, and in real-time, determining a plurality of different degradation mechanisms for each of the plurality of engines, and continuously, and in real-time, determining which of the determined degradation mechanisms is most limiting. The engines are controlled, based on the most limiting degradation mechanism, in a manner that the remaining useful lives of each engine are substantially equal. The plurality of different degradation mechanisms of each engine are determined based on the engine performance margin, modeled failure predictions of the hot gas components, and modeled failure predictions of the non-hot gas components.
    Type: Grant
    Filed: September 18, 2013
    Date of Patent: December 29, 2015
    Assignee: HONEYWELL INTERNATIONAL INC.
    Inventors: Grant Gordon, Hector Alonso Peralta-Duran, Richard Ling, Michael Gorelik
  • Publication number: 20150081193
    Abstract: A system and method of adaptively managing a plurality of engines in a multi-engine system, where each engine comprises hot gas components and non-hot gas components, and each engine exhibits a performance margin and a remaining useful life, includes continuously, and in real-time, determining a plurality of different degradation mechanisms for each of the plurality of engines, and continuously, and in real-time, determining which of the determined degradation mechanisms is most limiting. The engines are controlled, based on the most limiting degradation mechanism, in a manner that the remaining useful lives of each engine are substantially equal. The plurality of different degradation mechanisms of each engine are determined based on the engine performance margin, modeled failure predictions of the hot gas components, and modeled failure predictions of the non-hot gas components.
    Type: Application
    Filed: September 18, 2013
    Publication date: March 19, 2015
    Applicant: Honeywell International Inc.
    Inventors: Grant Gordon, Hector Alonso Peralta-Duran, Richard Ling, Michael Gorelik
  • Patent number: 7810049
    Abstract: A system and method is provided for accessing information content that enables handheld or mobile device users, for example, to quickly and efficiently navigate images contained within the information content to access other areas of the information content. A user of the handheld device will request and receive information content, such as requesting a web page, for viewing. The user can select a navigation mode to receive a display only of interesting images pertaining to the webpage. The user can then thumb through the images and select an image of interest. The device will then display the portion of the web page associated with the selected image. Thus, the user can select an image to switch the view on the device back to a conventional browser viewing mode, for example.
    Type: Grant
    Filed: September 26, 2006
    Date of Patent: October 5, 2010
    Assignee: Novarra, Inc.
    Inventors: James R. Werwath, Kevin N. Wallace, Gregory Johnson, Michael Gorelik
  • Publication number: 20090155223
    Abstract: Disclosed herein are cell-based compositions for the treatment of conditions of the nervous system and methods for their use. In one embodiment, a cell-based composition comprises glial-restricted progenitors (GRPs) genetically modified to express a targeting ligand on their cell surface. Methods for the preparation of such cell-based compositions are disclosed. Also disclosed is a method for treating a subject suffering from a condition of the central nervous system by providing therapeutic cells (e.g., GRPs) through an intra-arterial route of administration.
    Type: Application
    Filed: August 14, 2008
    Publication date: June 18, 2009
    Applicant: The Johns Hopkins University
    Inventors: Douglas A. Kerr, Michael Gorelik, Michael Levy
  • Publication number: 20070073777
    Abstract: A system and method is provided for accessing information content that enables handheld or mobile device users, for example, to quickly and efficiently navigate images contained within the information content to access other areas of the information content. A user of the handheld device will request and receive information content, such as requesting a web page, for viewing. The user can select a navigation mode to receive a display only of interesting images pertaining to the webpage. The user can then thumb through the images and select an image of interest. The device will then display the portion of the web page associated with the selected image. Thus, the user can select an image to switch the view on the device back to a conventional browser viewing mode, for example.
    Type: Application
    Filed: September 26, 2006
    Publication date: March 29, 2007
    Inventors: James Werwath, Kevin Wallace, Gregory Johnson, Michael Gorelik