Patents Assigned to Cigital
  • Patent number: 7181768
    Abstract: An intrusion detection system (IDS) that uses application monitors for detecting application-based attacks against computer systems. The IDS implements application monitors in the form of a software program to learn and monitor the behavior of system programs in order to detect attacks against computer hosts. The application monitors implement machine learning algorithms to provide a mechanism for learning from previously observed behavior in order to recognize future attacks that it has not seen before. The application monitors include temporal locality algorithms to increase the accuracy of the IDS. The IDS of the present invention may comprise a string-matching program, a neural network, or a time series prediction algorithm for learning normal application behavior and for detecting anomalies.
    Type: Grant
    Filed: October 30, 2000
    Date of Patent: February 20, 2007
    Assignee: Cigital
    Inventors: Anup K. Ghosh, Michael Schatz, Christoph C. Michael, Aaron Schwartzbard
  • Patent number: 7085928
    Abstract: An execution management utility designed to prevent software from executing without the prior approval of system administrative or other security staff. For example, the present invention can assist corporations by enforcing policies regarding unauthorized, unlicensed, or pirated software, such as, but not limited to, games; entertainment software; and non-standard utilities, such as advertising-enhanced browsers. A Windows NT based system is disclosed in which a kernel module selectively intercepts process creation requests.
    Type: Grant
    Filed: March 30, 2001
    Date of Patent: August 1, 2006
    Assignee: Cigital
    Inventors: Matthew N. Schmid, John Thomas Bloch, Frank F. Hill, Anup K. Ghosh
  • Patent number: 7072876
    Abstract: A system and method by which novel, malicious execution traces may be detected by applying a combination of finite automation and heuristic analysis techniques. Such execution traces may be obtained by instrumenting system-level operating system calls, as well as by other techniques, such as, but not limited to, reading error log files, such as Windows NT event logs. With proper instrumentation, known good and known malicious programs may be run and their execution traces monitored. From such monitoring, a model may be derived, which can indicate those execution traces typically associated with malicious software. With this information, novel malicious programs which invoke execution traces similar to known malicious traces may be detected, and such programs may be stopped before significant damage can occur.
    Type: Grant
    Filed: September 19, 2001
    Date of Patent: July 4, 2006
    Assignee: Cigital
    Inventor: Christoph Cornelius Michael
  • Patent number: 7024592
    Abstract: A method for assessing how long continuously operating software systems can be expected to remain executing in a safe and/or reliable manner before anomalous conditions will ultimately lead to failure. For safety-critical applications the method can provide a safe upper bound on the time between rebooting. Also disclosed is an empirical technique for determining which portions of the state, if corrupted, create the greatest risks to safe and/or reliable continual execution of the software. Armed with this information, developers, testers, and certifiers can create justifiable plans for the frequency with which the software should be rebooted. Further, they can customize and embed internal self-tests into those portions of the state found to have the greatest risks to safe and/or reliable, continual execution of the software.
    Type: Grant
    Filed: August 7, 2001
    Date of Patent: April 4, 2006
    Assignee: Cigital
    Inventors: Jeffrey M. Voas, Frank Charron
  • Patent number: 6862696
    Abstract: A system and method that builds accurate operational profiles for COTS software. The systems and methods disclosed allow software vendors to detect misused and unused features; identify common machine configurations for a given piece of software or software component; monitor changing user habits as new software versions are released; derive more accurate testing methods for in-house testing purposes; and create user manuals which focus on those features most frequently used, or misused, by users. The disclosed system and method provides the tools enabling a software certification laboratory (SCL) to gather detailed usage data and failure data for a software application as it is used in the field. With this data the SCL can confidently issue certificates of reliability for software products.
    Type: Grant
    Filed: May 3, 2001
    Date of Patent: March 1, 2005
    Assignee: Cigital
    Inventors: Jeffrey M. Voas, Anup K. Ghosh