Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

Abstract: A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. In the case of shellcode attacks, unsuccessful attacks may be emulated by selecting a corresponding emulator that will receive and execute instructions, as would a successful shellcode attack. Events occurring on the BotMagnet and Sinkhole are correlated and used to characterize the malicious code. The characterization may be transmitted to other computer systems in order to detect instances of the malicious code.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for using transition table templates. In one aspect, a method includes receiving a transition table for a current state of a finite automaton and determining whether the transition table for the current state is similar to a transition table template in a set of transition table templates. The method further includes generating a condensed representation of the transition table if the transition table is similar to a transition table template and otherwise adding the transition table to the set of transition table templates. In another aspect, a method includes receiving an input element and determining whether a next state corresponding to the input element is in the difference region of a condensed transition table. The method further includes retrieving the next state from the difference region, or a transition table template, based on the determination.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for using transition table templates. In one aspect, a method includes receiving a transition table for a current state of a finite automaton and determining whether the transition table for the current state is similar to a transition table template in a set of transition table templates. The method further includes generating a condensed representation of the transition table if the transition table is similar to a transition table template and otherwise adding the transition table to the set of transition table templates. In another aspect, a method includes receiving an input element and determining whether a next state corresponding to the input element is in the difference region of a condensed transition table. The method further includes retrieving the next state from the difference region, or a transition table template, based on the determination.