Abstract: The present disclosure relates to systems and methods for identifying highly sensitive modules and taking a remediation or preventative action if such modules are accessed by malicious software. For example, the likelihood that a module is used for an exploit, and is thus sensitive, is categorized as high, medium, or low. The likelihood that a module can be used for an exploit can dictate whether, and to what degree, an application accessing the module is “suspicious.” However, in some instances, a sensitive module may have legitimate reasons to load when used in certain non-malicious ways. The system may also consider a trust level when determining what actions to take, such that an application and/or user having a higher trust level may be less suspicious when accessing a sensitive module as compared to an application or user having a lower trust level.

Abstract: The present disclosure describes systems and methods for aggregation and management of cloud storage among a plurality of providers via file fragmenting to provide increased reliability and security. In one implementation, fragments or blocks may be distributed among a plurality of cloud storage providers, such that no provider retains a complete copy of a file. Accordingly, even if an individual service is compromised, a malicious actor cannot access the data. In another implementation, fragments may be duplicated and distributed to multiple providers, such that loss of communications to any one provider does not result in inability to access the data. This implementation may be combined with error correction techniques to allow recovery, even with loss of multiple providers. File synchronization may also be faster in these implementations by dividing reading and writing operations among multiple providers.

Abstract: Examples of the present disclosure describe systems and methods for malicious software detection based on API trust. In an example, a set of software instructions executed by a computing device may call an API. A hook may be generated on the API, such that a threat processor may receive an indication when the API is called. Accordingly, the threat processor may generate a trust metric based on the execution of the set of software instructions, which may be used to determine whether the set of software instructions poses a potential threat. For example, one or more call stack frames may be evaluated to determine whether a return address is preceded by a call instruction, whether the return address is associated with a set of software instructions or memory associated with a set of software instructions, and/or whether the set of software instructions satisfies a variety of security criteria.

Abstract: The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.

Abstract: Examples of the present disclosure describe systems and methods for selective export address table filtering. In aspects, the relative virtual address (RVA) of exported function names may be modified to point to a protected memory location. An exception handler may be registered to process exceptions relating to access violations of the protected memory location. If an exception is detected that indicates an attempt to access the protected memory location, the instruction pointer of the exception may be compared to an allowed range of memory addresses. If the instruction pointer address is outside the boundaries, remedial action may occur.

Abstract: Examples of the present disclosure describe systems and methods for restricting access to application programming interfaces (APIs). For example, when a process calls an API, the API call may be intercepted by a security system for evaluation of its trustfulness before the API is allowed to run. Upon intercepting an API call, the process calling the API may be evaluated to determine if the process is known to the security system, such that known processes that are untrusted may be blocked from calling the API. Further, when the security system cannot identify the process calling the API, the security service may evaluate a call stack associated with the call operation to determine if attributes of the call operation are known to the security system. If the call operation is known to the security system as untrusted, the call operation may be blocked from calling the API.

Abstract: Examples of the present disclosure describe systems and methods of determining online identity reputation. In aspects, an online identity of an entity may engage in online interactions. The content provided by the online identity may be accessed and analyzed to determine interaction characteristics and reputation metrics for the online identity. Based on the reputation metrics, the online identity and/or entity (and content therefrom) may be filtered from further online interactions. In some aspects, interaction data may be stored in a data store. An interaction mapping component having access to the data store may analyze the data store data to determine mappings between online identities, entities and interactions. In at least one aspect, an opt-in certificate system may also be provided. The opt-in system may provide an online identity or entity a certificate to securely validate identity.

Abstract: Examples of the present disclosure describe systems and methods for discrete processor feature behavior collection and analysis. In aspects, a monitoring utility may initialize a set of debugging and/or performance monitoring feature sets for a microprocessor. When the microprocessor receives from software content a set of instructions that involves the loading of a set of modules or code segments, the set of modules or code segments may be evaluated by the monitoring utility. The monitoring utility may generate a process trace of the loaded set of modules or code segments. Based on the process trace output, various execution paths may be reconstructed in real-time. The system and/or API calls made by the microprocessor may then be compared to the process trace output to quickly observe the interaction between the software content and the operating system of the microprocessor.

Abstract: Embodiments disclosed herein relate to systems and methods for providing a smart cache. In embodiments, a variable time to live (TTL) may be calculated and associated with data as it is stored in a cache. The variable TTL may be calculated based upon reputation and/or category information related to the source of the data. The reputation and/or category information may include TTL modifiers for adjusting the TTL for data from a particular data source that is stored in the cache. In further embodiments, a feedback method may be employed to update reputation and/or category information for a particular data source.

Abstract: Aspects of the present disclosure are operable to protect against malicious objects, such as JavaScript code, which may be encountered, downloaded, or otherwise accessed from a content source by a computing system. In an example, antivirus software implementing aspects disclosed herein may be capable of detecting malicious objects in real-time. Aspects of the present disclosure aim to reduce the amount of time used to detect malicious code while maintaining detection accuracy, as detection delays and/or a high false positive rate may result in a negative user experience. Among other benefits, the systems and methods disclosed herein are operable to identify malicious objects encountered by a computing system while maintaining a high detection rate, a low false positive rate, and a high scanning speed.

Abstract: Examples of the present disclosure describe systems and methods of providing real-time scanning of IP addresses. In aspects, input may be received by a real-time IP scanning system. The system may generate one or more work orders based on the input. A scanner associated with the system may access a work order and attempt to communicate with one or more devices identified by the work order. If the attempted communication with a device is successful, a protocol analyzer may be used to provide a predefined payload to the device. If the response from the device matches an expected string, the device may be determined to be a safe and/or legitimate device. If the response from the device does not match an expected string, the device may be determined to be a malicious device.

Abstract: Examples of the present disclosure describe systems and methods for exploit detection via induced exceptions. One embodiment of a method can include generating an inspection point, the inspection point causing an exception when a set of software instructions encounters the inspection point during an execution of the set of software instructions by a processor, registering an exception handler to handle the exception associated with by the inspection point; receiving, in response to the set of software instructions encountering the inspection point, an indication of an exception, accessing a context record associated with the execution of the set of software instructions, evaluating the context record to determine if an exploit is present using the first reputation information, and based on a determination that an exploit is present, performing a corrective action for the exploit.

Abstract: Examples of the present disclosure describe systems and methods for state-based entity behavior analysis. In an example, entities of a computing environment may be represented using a hierarchical entity web. In some examples, an entity may have a state associated with it, which may be modeled using a place/transition (PT) network. Events within the computing environment may be evaluated by transitions of a PT network to determine whether an entity should change state. If an entity transitions from one state to another, one or more actions may be performed, including, but not limited to, taking a remedial action, generating a recommendation, and updating the state of one or more associated entities. Thus, aspects disclosed herein may provide a high-level overview of the state of entities of a computing environment, but may also be used to view in-depth information of entities at lower levels of the hierarchical entity web.

Abstract: Techniques are provided for integrated content presentation via cells arranged geometrically in a cellular environment. Users can navigate various orientations and zoom states of the cellular environment to access information via different applications, different media types, different visual representations and from different underlying content sources. The information can be organized according to various logical relationships. Upon receiving an indication of a zoom state associated with a cell or a group of cells arranged in the cellular environment, a content reference at that zoom state is retrieved. Further, the content reference is resolved to retrieve and output content, including a visual representation associated with the zoom state.

Abstract: Configurations for a cellular user interface are provided. In one embodiment, a client configuration includes a viewer and a content development kit. A content server distributes cellularized content among several client viewers. Connectors in a scheduled configuration regularly acquire updated content from data sources. An integration server interfaces between the connectors and the content server for distributing content. A monitoring agent assists with content updating upon detecting source changes. A registration server enables cell content update in client viewers through the content server. Cells in the cellularized environment include a visual proxy component and a metadata component. The visual proxy component can be configured for displaying different content at various levels of detail. The metadata component enables intelligent organization and display of content through queries, channels, and data updates.

Abstract: Configurations for a cellular user interface are provided. In one embodiment, a client configuration includes a viewer and a content development kit. A content server distributes cellularized content among several client viewers. Connectors in a scheduled configuration regularly acquire updated content from data sources. An integration server interfaces between the connectors and the content server for distributing content. A monitoring agent assists with content updating upon detecting source changes. A registration server enables cell content update in client viewers through the content server. Cells in the cellularized environment include a visual proxy component and a metadata component. The visual proxy component can be configured for displaying different content at various levels of detail. The metadata component enables intelligent organization and display of content through queries, channels, and data updates.

Abstract: A document delivery network server having a set of integrated functions including sending, receiving, routing and filing of FAXes and e-mails to other users which achieves numerous advantages over the prior art. The document delivery system is based on a client/server model having both analog and digital Fax line capabilities. The server side provides very highly integrated systems functionality based on industry standard, commercially available hardware and a mix of industry standard and proprietary software components including integrated FAX/modem modules, an embedded OS, embedded plug-and-play driver sets, embedded e-mail gateways, an embedded FAX archive, embedded back-up/restore, proprietary high efficiency line utilization and highly efficient load balancing.

Abstract: Techniques are described for providing users of client devices with coordinated access to information and/or functionality of multiple types, such as by using multiple types of connections to multiple information services of distinct types that exchange context information related to activities of the users and/or clients. The client devices can be, for example, wireless devices with multiple distinct modes (e.g., voice and data modes) for different types of connections with different types of servers (e.g., voice servers and data servers). In some situations, coordination between different servers allows multiple distinct interaction sessions of different types with different servers to remain synchronized or otherwise coordinated over time as the user performs interactions via the different sessions. This abstract is provided to comply with rules requiring an abstract, and is not intended to be used to interpret or limit the scope or meaning of the claims.

Abstract: An automated rule-based system for facilitating delivery of a fax document from a source to a destination over a network where an initial delivery attempt has been unsuccessful. Actions to be taken are based upon a time-variable set of input conditions which may be determined from one or more of the destination, the source, a database of past delivery attempts, and a human analyst. The actions may include one or more of resubmitting the fax document to the network for a next delivery attempt, cancelling the document, sending a request to the source or destination for additional delivery information, and identifying the destination as a technical problem. The input conditions may include an identification of non-business days and non-business hours.

Abstract: A document delivery network server having a set of integrated functions including sending, receiving, routing and filing of FAXes and e-mails to other users which achieves numerous advantages over the prior art. The document delivery system is based on a client/server model having both analog and digital Fax line capabilities. The server side provides very highly integrated systems functionality based on industry standard, commercially available hardware and a mix of industry standard and proprietary software components including integrated FAX/modem modules, an embedded OS, embedded plug-and-play driver sets, embedded e-mail gateways, an embedded FAX archive, embedded back-up/restore, proprietary high efficiency line utilization and highly efficient load balancing.