Patents Assigned to Cigital
  • Patent number: 7644441
    Abstract: Malicious software is identified in an executable file by identifying malicious structural features, decryption code, and cryptographic functions. A malicious structural feature is identified by comparing a known malicious structural feature to one or more instructions of the executable file. A malicious structural feature is also identified by graphically and statistically comparing windows of bytes or instructions in a section of the executable file. Cryptography is an indicator of malicious software. Decryption code is identified in an executable file by identifying a tight loop around a reversible instruction that writes to random access memory. Cryptographic functions are identified in an executable file by obtaining a known cryptographic function and performing a string comparison of the numeric constants of the known cryptographic function with the executable file.
    Type: Grant
    Filed: September 24, 2004
    Date of Patent: January 5, 2010
    Assignee: Cigital, Inc.
    Inventors: Matthew N. Schmid, Michael Weber, Michael Haddox-Schatz, David Geyer
  • Patent number: 7539978
    Abstract: Systems and methods to understand how commercial-off-the-shelf (COTS) software components interact with a system when the COTS components are integrated into a system. A software wrapping technology is utilized to encase the COTS software components such that a wrapper isolates the COTS components during testing.
    Type: Grant
    Filed: November 1, 2002
    Date of Patent: May 26, 2009
    Assignee: Cigital, Inc.
    Inventors: Jennifer M. Haddox, Gregory M. Kapfhammer, Ryan Colyer, Timothy Tsai
  • Patent number: 7392545
    Abstract: Embodiments of the present invention relate to systems and methods for static analysis of a software application. According to an embodiment, a system includes a program scanner coupled to an analysis engine. The program scanner is configured to identify one or more vulnerability patterns in a software program and to output an initial potential vulnerability list. The analysis engine is configured to apply one or more rules to a potential vulnerability to determine whether the potential vulnerability is a vulnerability.
    Type: Grant
    Filed: January 15, 2003
    Date of Patent: June 24, 2008
    Assignee: Cigital, Inc.
    Inventors: Michael D. Weber, Viren R. Shah, Chuangang Ren
  • Patent number: 7302707
    Abstract: Embodiments of the present invention relate to systems and methods for detecting software buffer security vulnerabilities. According to an embodiment, a computer-readable medium stores a plurality of instructions to be executed by a processor for detecting software buffer security vulnerabilities. The plurality of instructions comprise instructions to receive software code associated with a potential buffer vulnerability, generate constraints related to the software code associated with the potential buffer vulnerability, partition the software code into one or more procedures, and generate for each procedure a set of constraints that summarizes the impact of a procedure on buffer variables.
    Type: Grant
    Filed: January 15, 2003
    Date of Patent: November 27, 2007
    Assignee: Cigital, Inc.
    Inventors: Michael D. Weber, Viren R. Shah, Chuangang Ren
  • Patent number: 7284274
    Abstract: A system and method for certifying software for essential and security-critical systems. The system and method provide a methodology and corresponding analysis engines that increase the level of confidence that common vulnerabilities are not present in a particular application. A pipeline system consisting of independent modules which involve increasingly complex analysis is disclosed. The pipeline approach allows the user to reduce computation time by focusing resources on only those code segments which were not eliminated previously in the pipeline.
    Type: Grant
    Filed: January 18, 2002
    Date of Patent: October 16, 2007
    Assignee: Cigital, Inc.
    Inventors: Thomas J. Walls, Viren Shah, Anup K. Ghosh
  • Patent number: 7181768
    Abstract: An intrusion detection system (IDS) that uses application monitors for detecting application-based attacks against computer systems. The IDS implements application monitors in the form of a software program to learn and monitor the behavior of system programs in order to detect attacks against computer hosts. The application monitors implement machine learning algorithms to provide a mechanism for learning from previously observed behavior in order to recognize future attacks that it has not seen before. The application monitors include temporal locality algorithms to increase the accuracy of the IDS. The IDS of the present invention may comprise a string-matching program, a neural network, or a time series prediction algorithm for learning normal application behavior and for detecting anomalies.
    Type: Grant
    Filed: October 30, 2000
    Date of Patent: February 20, 2007
    Assignee: Cigital
    Inventors: Anup K. Ghosh, Michael Schatz, Christoph C. Michael, Aaron Schwartzbard
  • Patent number: 7085928
    Abstract: An execution management utility designed to prevent software from executing without the prior approval of system administrative or other security staff. For example, the present invention can assist corporations by enforcing policies regarding unauthorized, unlicensed, or pirated software, such as, but not limited to, games; entertainment software; and non-standard utilities, such as advertising-enhanced browsers. A Windows NT based system is disclosed in which a kernel module selectively intercepts process creation requests.
    Type: Grant
    Filed: March 30, 2001
    Date of Patent: August 1, 2006
    Assignee: Cigital
    Inventors: Matthew N. Schmid, John Thomas Bloch, Frank F. Hill, Anup K. Ghosh
  • Patent number: 7072876
    Abstract: A system and method by which novel, malicious execution traces may be detected by applying a combination of finite automation and heuristic analysis techniques. Such execution traces may be obtained by instrumenting system-level operating system calls, as well as by other techniques, such as, but not limited to, reading error log files, such as Windows NT event logs. With proper instrumentation, known good and known malicious programs may be run and their execution traces monitored. From such monitoring, a model may be derived, which can indicate those execution traces typically associated with malicious software. With this information, novel malicious programs which invoke execution traces similar to known malicious traces may be detected, and such programs may be stopped before significant damage can occur.
    Type: Grant
    Filed: September 19, 2001
    Date of Patent: July 4, 2006
    Assignee: Cigital
    Inventor: Christoph Cornelius Michael
  • Patent number: 7024592
    Abstract: A method for assessing how long continuously operating software systems can be expected to remain executing in a safe and/or reliable manner before anomalous conditions will ultimately lead to failure. For safety-critical applications the method can provide a safe upper bound on the time between rebooting. Also disclosed is an empirical technique for determining which portions of the state, if corrupted, create the greatest risks to safe and/or reliable continual execution of the software. Armed with this information, developers, testers, and certifiers can create justifiable plans for the frequency with which the software should be rebooted. Further, they can customize and embed internal self-tests into those portions of the state found to have the greatest risks to safe and/or reliable, continual execution of the software.
    Type: Grant
    Filed: August 7, 2001
    Date of Patent: April 4, 2006
    Assignee: Cigital
    Inventors: Jeffrey M. Voas, Frank Charron
  • Patent number: 6862696
    Abstract: A system and method that builds accurate operational profiles for COTS software. The systems and methods disclosed allow software vendors to detect misused and unused features; identify common machine configurations for a given piece of software or software component; monitor changing user habits as new software versions are released; derive more accurate testing methods for in-house testing purposes; and create user manuals which focus on those features most frequently used, or misused, by users. The disclosed system and method provides the tools enabling a software certification laboratory (SCL) to gather detailed usage data and failure data for a software application as it is used in the field. With this data the SCL can confidently issue certificates of reliability for software products.
    Type: Grant
    Filed: May 3, 2001
    Date of Patent: March 1, 2005
    Assignee: Cigital
    Inventors: Jeffrey M. Voas, Anup K. Ghosh