Patents by Inventor Philip J. S. Gladstone

Philip J. S. Gladstone has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9503460
    Abstract: A method is provided in one example embodiment and includes identifying a network location of an endpoint, which is attempting to initiate an application; identifying whether the endpoint is operating in an enterprise environment; determining whether the application is trusted based on metadata associated with the application; and provisioning a tunnel for data traffic associated with the application. In more detailed implementations, the tunnel can be provisioned if the application is trusted and the endpoint is outside of an enterprise environment. In addition, the tunnel can be provisioned if the application is untrusted and the endpoint is within an enterprise environment.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: November 22, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Philip J. S. Gladstone, Morris J. Katz
  • Patent number: 9148442
    Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
    Type: Grant
    Filed: August 12, 2014
    Date of Patent: September 29, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A Kraemer, Andrew Zawadowskiy, Philip J. S Gladstone
  • Patent number: 9141812
    Abstract: A Stateful Reference Monitor can be loaded into an existing commercial operating system, and then can regulate access to many different types of resources. The reference monitor maintains an updateable storage area whose contents can be used to affect access decisions, and access decisions can be based on arbitrary properties of the request.
    Type: Grant
    Filed: November 25, 2013
    Date of Patent: September 22, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Philip J. S. Gladstone, Jeffrey A. Kraemer
  • Publication number: 20140351942
    Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
    Type: Application
    Filed: August 12, 2014
    Publication date: November 27, 2014
    Inventors: JEFFREY A. KRAEMER, ANDREW ZAWADOWSKIY, PHILIP J.S GLADSTONE
  • Patent number: 8806650
    Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
    Type: Grant
    Filed: July 23, 2013
    Date of Patent: August 12, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Andrew Zawadowskiy, Philip J. S. Gladstone
  • Publication number: 20140082692
    Abstract: A Stateful Reference Monitor can be loaded into an existing commercial operating system, and then can regulate access to many different types of resources. The reference monitor maintains an updateable storage area whose contents can be used to affect access decisions, and access decisions can be based on arbitrary properties of the request.
    Type: Application
    Filed: November 25, 2013
    Publication date: March 20, 2014
    Applicant: Cisco Technology, Inc.
    Inventors: Philip J.S. Gladstone, Jeffrey A. Kraemer
  • Patent number: 8595170
    Abstract: A Stateful Reference Monitor can be loaded into an existing commercial operating system, and then can regulate access to many different types of resources. The reference monitor maintains an updateable storage area whose contents can be used to affect access decisions, and access decisions can be based on arbitrary properties of the request.
    Type: Grant
    Filed: October 1, 2007
    Date of Patent: November 26, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Philip J. S. Gladstone, Jeffrey A. Kraemer
  • Publication number: 20130312104
    Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
    Type: Application
    Filed: July 23, 2013
    Publication date: November 21, 2013
    Applicant: Cisco Technology Inc.
    Inventors: Jeffrey A. Kraemer, Andrew Zawadowskiy, Philip J. S. Gladstone
  • Patent number: 8572381
    Abstract: A method, apparatus and computer program product for providing challenge protected user queries on a local system is presented. A query is presented to a user. A response to the query is received and a determination is made whether the response is administratively less desirable than a threshold. When the response is administratively less desirable than said threshold, then a challenge is provided to the user. The response is accepted when the user responds correctly to the challenge and the response is not accepted when the user fails to correctly respond to the challenge.
    Type: Grant
    Filed: February 6, 2006
    Date of Patent: October 29, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Philip J. S. Gladstone
  • Patent number: 8495743
    Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
    Type: Grant
    Filed: May 1, 2006
    Date of Patent: July 23, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Andrew Zawadowskiy, Philip J. S. Gladstone
  • Publication number: 20130097318
    Abstract: A method is provided in one example embodiment and includes identifying a network location of an endpoint, which is attempting to initiate an application; identifying whether the endpoint is operating in an enterprise environment; determining whether the application is trusted based on metadata associated with the application; and provisioning a tunnel for data traffic associated with the application. In more detailed implementations, the tunnel can be provisioned if the application is trusted and the endpoint is outside of an enterprise environment. In addition, the tunnel can be provisioned if the application is untrusted and the endpoint is within an enterprise environment.
    Type: Application
    Filed: October 13, 2011
    Publication date: April 18, 2013
    Inventors: Philip J.S. Gladstone, Morris J. Katz
  • Patent number: 8325018
    Abstract: Methods and apparatus for providing security for mobile devices are disclosed. In one embodiment, a method includes maintaining responsibility for a first item when the first item is in a first range of a first container. Maintaining responsibility for the first item includes monitoring a locator tag associated with the first item when the locator tag is within the first range. The method also includes determining when the first item is in the first range, determining if the first item is in a second range associated with a second container when the first item is not in the first range, and determining if the second container is trusted with respect to the first container if the first item is in the second range. Additionally, the method includes transferring responsibility for the first item to the second container if the second container is trusted with respect to the first container.
    Type: Grant
    Filed: March 6, 2009
    Date of Patent: December 4, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: Philip J. S. Gladstone
  • Publication number: 20120066759
    Abstract: An example method is provided and includes monitoring activity within an endpoint, and identifying a source associated with a particular data segment received by the endpoint. The method also includes monitoring an antivirus mechanism within the endpoint. The antivirus mechanism is configured to identify the particular data segment as being associated with malware. The source associated with the particular data segment can be communicated to any suitable next destination.
    Type: Application
    Filed: September 10, 2010
    Publication date: March 15, 2012
    Inventors: Yan Chen, Philip J.S. Gladstone
  • Patent number: 7979889
    Abstract: A system provides security to a computerized device by detecting a sequence of related processing operations within the computerized device and recording the sequence of related processing operations in a security history. The system identifies a security violation when a processing operation performed in the computerized device produces an undesired processing outcome that violates a security policy and subsequently detecting attempted performance of at least one processing operation that attempts to produce the undesired processing outcome that violates the security policy and in response, denies operation of the processing operation(s) within the computerized device to avoid violation of the security policy.
    Type: Grant
    Filed: January 7, 2005
    Date of Patent: July 12, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Philip J. S. Gladstone, Jeffrey A. Kraemer
  • Patent number: 7891000
    Abstract: A security management system provides rules for monitoring network activity of applications to groups of host computers, specifically activity indicating that communications mechanisms have been established (i.e., open TCP ports) but are receiving little or no use (i.e., few connection acceptances). Agents on the hosts utilize monitoring software inserted between the applications and the network protocol stacks. The agents store network activity data gathered during the monitoring in local storage, and periodically upload the data to a centralized server in a compressed and optionally encrypted fashion. The server uses the uploaded data from all hosts to update a security management database reflecting the network activity of all the hosts. Reports may be generated to identify activity that may present security risks, such as open but inactive ports, to enable a network administrator to take remedial action such as de-activating or de-installing applications.
    Type: Grant
    Filed: August 5, 2005
    Date of Patent: February 15, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Venkat Raghavan Rangamani, Philip J. S. Gladstone, Brian F. Costello
  • Publication number: 20100225451
    Abstract: Methods and apparatus for providing security for mobile devices are disclosed. In one embodiment, a method includes maintaining responsibility for a first item when the first item is in a first range of a first container. Maintaining responsibility for the first item includes monitoring a locator tag associated with the first item when the locator tag is within the first range. The method also includes determining when the first item is in the first range, determining if the first item is in a second range associated with a second container when the first item is not in the first range, and determining if the second container is trusted with respect to the first container if the first item is in the second range. Additionally, the method includes transferring responsibility for the first item to the second container if the second container is trusted with respect to the first container.
    Type: Application
    Filed: March 6, 2009
    Publication date: September 9, 2010
    Applicant: Cisco Technology, Inc.
    Inventor: Philip J. S. Gladstone
  • Patent number: 7774498
    Abstract: A security agent extends the trust barrier, or trust point, from network gateway nodes to end user devices. A security agent operable to scrutinize network traffic executes on the user device and compares QoS marking attempts with the established QoS marking policy in effect. The security agent examines network traffic attributes deterministic of connection attempts by user processes. Attempts to apply inappropriate or disallowed QoS markings, as dictated by the QoS marking policy, are detected and disallowed. Therefore, only user connections consistent with the QoS marking policy are permitted into the network. Network admission control (NAC) mechanisms ensure that the security agent is the only access point from the user device to the secure network, and the security agent communicates the establishment of the trusted access point to the network gateway, thus ensuring that the network gateway may trust service level designations emanating from the user device executing the security agent.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: August 10, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, David James McCowan, Kerry E. Lynn, Philip J. S. Gladstone
  • Patent number: 7716473
    Abstract: A computer-implemented system, method and apparatus for operating a reference monitor simulator is operable to recreate the operations performed by a reference monitor on a computer system. In one configuration, the system defines at least one security rule specifying whether to allow or deny a request to access at least one resource under a given set of circumstances and supplies at least one request to access a resource. The system further applies the at least one security rule in response to the at least one request to access a resource to determine whether to allow or prevent the at least one request.
    Type: Grant
    Filed: April 9, 2004
    Date of Patent: May 11, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Philip J. S. Gladstone, Alan J. Kirby, Mikhail Cherepov
  • Patent number: 7594267
    Abstract: The invention provides method and apparatus for maintaining a networked computer system including first and second nodes and an event processing server, the method comprising the first and second nodes detecting changes in state, the event processing server receiving notification of the changes in state from the first and second nodes, the event processing server correlating changes in state detected in the first and second nodes, and the event processing server executing a maintenance decision which affects the first and second nodes. The detecting, transmitting, correlating, and executing occurs without human intervention.
    Type: Grant
    Filed: June 14, 2002
    Date of Patent: September 22, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Philip J. S. Gladstone, Jeffrey A. Kramer
  • Patent number: 7516476
    Abstract: An automated method and apparatus for creating a security policy for one or more applications is provided. The method includes exercising the features of the one or more applications to generate behavioral data, applying a heuristic to aggregate the behavioral data into a subset of representative actions, and organizing the representative actions according to a structure defined by a template into a security policy for the one or more applications. The security policy may be downloaded to one or more workstations for deployment, and provides a safeguard to protect a computer system against cyber-terrorism.
    Type: Grant
    Filed: March 24, 2003
    Date of Patent: April 7, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Brian F. Costello, Dan L. Grecu, Venkat R. Rangamani, Philip J. S. Gladstone, Alan J. Kirby