Abstract: Systems and methods are provided for detecting an anomaly in a computer that is part of a population of networked computers. Snapshots are received from a plurality of computers within the population of computers, where individual snapshots include a state of assets and runtime processes of a respective computer. An asset normalization model is generated from the snapshots and serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer. A snapshot from at least one of the computers is compared to the asset normalization model in order to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.

Abstract: Systems and methods are provided for detecting a rootkit by way of a call timing deviation anomaly in a computer. The rootkits may be embedded in the operating system (OS) kernel, an application or other system function. An object call duration baseline is established for durations of object calls (e.g., a system or application call) initiated by the computer, where each object call has an associated call-type and the timing baseline is established on an object call-type basis. Object call durations initiated by the computers are monitored. An object call duration anomaly is detected when the object call duration fails a call duration deviation measurement test, and an indication of the call duration anomaly is generated when detected.

Abstract: Systems and methods for detecting malware in a selected computer that is part of a network of computers. The approach includes inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer. In response to a detected change in state, the selected computer is scanned to create a snapshot of the overall state of the selected computer. The snapshot is transmitted to an analytic system wherein it is compared with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network. Based on the comparison, anomalous state of the selected computer can be identified. In turn, a probe of the selected computer is launched to gather additional information related to the anomalous state of the selected computer so that a remediation action for the anomalous state of the selected computer can be generated.

Abstract: Systems and methods are provided for detecting an anomaly in a computer that is part of a population of networked computers. Snapshots are received from a plurality of computers within the population of computers, where individual snapshots include a state of assets and runtime processes of a respective computer. An asset normalization model is generated from the snapshots and serves as a baseline model for detecting an anomaly in the state of assets and runtime processes of a respective computer. A snapshot from at least one of the computers is compared to the asset normalization model in order to determine whether an anomaly is present in a state of static assets and runtime processes of the at least one of the computers.

Abstract: Systems and methods for correcting an anomaly in a target computer that is part of a network of computers. An anomaly is detected in data stored on a target computer and it is determined what corrective data is needed to correct the anomaly. A donor computer with the corrective data is located and requested to provide the corrective data to the target computer. The corrective data is used to correct the anomaly on the target computer and the target computer may acknowledge receipt of the corrective data. In one embodiment, an arbitrator component receives the requests for the corrective data, passes the requests to potential donor computers, and receives the acknowledgements from the target computers.

Abstract: Systems and methods for detecting malware in a selected computer that is part of a network of computers. The approach includes inspecting a predetermined set of operational attributes of the selected computer to detect a change in a state of the selected computer. In response to a detected change in state, the selected computer is scanned to create a snapshot of the overall state of the selected computer. The snapshot is transmitted to an analytic system wherein it is compared with an aggregated collection of snapshots previously respectively received from a plurality of computers in the computer network. Based on the comparison, anomalous state of the selected computer can be identified. In turn, a probe of the selected computer is launched to gather additional information related to the anomalous state of the selected computer so that a remediation action for the anomalous state of the selected computer can be generated.

Abstract: Systems and methods for correcting an anomaly in a target computer that is part of a network of computers. An anomaly is detected in data stored on a target computer and it is determined what corrective data is needed to correct the anomaly. A donor computer with the corrective data is located and requested to provide the corrective data to the target computer. The corrective data is used to correct the anomaly on the target computer and the target computer may acknowledge receipt of the corrective data. In one embodiment, an arbitrator component receives the requests for the corrective data, passes the requests to potential donor computers, and receives the acknowledgements from the target computers.