Abstract: The present invention provides tools and techniques for facilitating (314) management of storage (122), software (118), and other resources of a computer (102) at a distinct management computer (110) using a disassociated ample image (104) of the managed computer's storage. Ample images may be searched (310) to identify (414) infected files or illegal files, to extract (410) disk usage information, or for other reasons. Ample images may be modified (312) and then deployed (316) back to the original imaged computer and/or to other computers outside the management node. Modifications may change (502, 504, 506) application software, change (508, 510, 512) hardware drivers to match hardware changes on the target computer(s), manipulate (520) partitions, and/or perform other steps to optimize storage, software, or other resources.

Abstract: Various systems and methods for creating a user-based backup. For example, one method can involve receiving a request to perform a backup operation. The request includes information that identifies a user. The method also involves selecting a set of data objects based on detecting that the set of data objects is associated with the user. The set of data objects is a subset of the objects stored on one or more storage devices. The generated user-based backup will include only the data objects in the set, that is, only data objects that are associated with the user identified in the request to perform the backup operation.

Abstract: A computing device receives a training data set that includes a plurality of positive examples of sensitive data and a plurality of negative examples of sensitive data. The computing device analyzes the training data set using machine learning to generate a machine learning-based detection (MLD) profile that can be used to classify new data as sensitive data or as non-sensitive data. The computing device computes a quality metric for the MLD profile.

Abstract: A system or method for granular application data lifecycle sourcing from a single backup is disclosed. In one embodiment of the method, a computer system periodically creates a primary backup copy of data stored on a storage system in order to create a plurality of primary backup copies. The computer system also periodically creates a secondary backup copy of data stored on the storage system in order to create a first plurality of secondary backup copies, wherein each of the secondary backup copies of the first plurality is created in part by copying data from a respective one of the primary backup copies. The periodicity of creating the primary backup copies, however, is distinct from the periodicity of creating the secondary backup copies of the first plurality.

Abstract: A computer-implemented method for detecting malicious browser-based scripts may include (1) identifying an attempt by a web browser to access sensitive information stored on a server, (2) identifying a web browser script installed in the web browser, (3) calculating a signature hash for the web browser script, (4) querying, using the signature hash, a browser script signature database that associates web browser script signature hashes with script security indicators, (5) receiving, in response to querying the browser script signature database, a script security indicator associated with the signature hash, and (6) applying, based on the script security indicator associated with the web browser script, a script security policy associated with the web browser script. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A security module detects and remediates malware from suspicious hosts. A file arrives at an endpoint from a host. The security module detects the arrival of the file and determines the host from which the file arrived. The security module also determines whether the host is suspicious. If the host is suspicious, the security module observes the operation of the file and identifies a set of files dropped by the received file. The security module monitors the files in the set using heuristics to detect whether any of the files engage in malicious behavior. If a file engages in malicious behavior, the security module responds to the malware detection by remediating the malware, which may include removing system changes caused by the set.

Abstract: A system and method for anomaly detection and presentation. The method of anomaly detection and presentation comprises receiving information for a plurality of traits from a plurality of servers. A first server has fewer of the plurality of traits than a second server. A first trait is on fewer of the plurality of servers than a second trait. The plurality of servers is rendered in a graphical display wherein the first server is positioned to one side of the second server based on respective numbers of traits had by the first and second servers. The first trait is rendered in the graphical display to one side of the second trait based on respective numbers of systems having the first and second traits. A table may be displayed in a cell in response to a user request. Anomalous traits may be displayed in an anomaly table.

Abstract: An attempt to write to a block of data in a main volume of data is detected. An indicator associated with the block of data is accessed before a copy-on-write operation to a snapshot volume is performed for the block of data. The indicator is used to determine whether the copy-on-write operation is to be performed for the block of data.

Abstract: A computer-implemented method for securing storage space may include 1) identifying a block map that indicates whether each of a plurality of blocks within a storage system is to return zeroed data in response to read operations, 2) identifying a read operation directed to a block of the storage system that includes non-zeroed data, 3) determining, in response to identifying the read operation, that the block map indicates that the block is to return zeroed data in response to the read operation, and 4) returning zeroed data in response to the read operation based on determining that the block map indicates that the block is to return zeroed data. Various other methods, systems, and computer-readable media are also described.

Abstract: Techniques are presented herein for classifying a variety of enterprise computing resources based on asset characteristics. In particular, a computing asset, e.g., a server, may be classified based on any digital certificates provisioned on that server. That is, the properties of a digital certificate may be used to determine a measure of business value or importance of a server (or data hosted on that server). Once classified, a monitoring system may use the assigned classifications to prioritize security incidents for review.

Abstract: A computer-implemented method for optimizing security controls for virtual data centers may include 1) identifying a security policy that applies to at least one workload configured to store data on a first storage appliance, 2) identifying at least one storage-appliance functionality capable of implementing at least a part of the security policy, 3) identifying a second storage appliance that possesses the storage-appliance functionality, and 4) migrating the data from the first storage appliance to the second storage appliance in response to identifying the security policy and the storage-appliance functionality. Variants include methods, systems, and computer-readable media.

Abstract: A computer-implemented method for managing malware signatures. The method may include maintaining a set of active malware signatures and maintaining a set of dormant malware signatures. The method may also include providing the set of active malware signatures for use in malware detection more frequently than the set of dormant malware signatures and determining that a first malware signature from the set of dormant malware signatures triggers one or more positive malware detection responses. The method may further include, in response to the determination, moving the first malware signature from the set of dormant malware signatures to the set of active malware signatures. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for preventing chronic false positives may include (1) whitelisting a file based on a challenge notification that challenges a classification of the file as insecure, (2) obtaining attribute information about the file, (3) identifying, by analyzing the attribute information, a primitive that identifies a source of origin for the file, (4) determining, based on an analysis of files that originate from the source of origin, that the source of origin identified by the primitive is trustworthy, and (5) adjusting, based on the determination that the source of origin identified by the primitive is trustworthy, a security policy associated with the primitive to prevent future false positives for other files that originate from the source of origin. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method and apparatus for facilitating application recovery using configuration information is described. In one embodiment, a method for facilitating application recovery using configuration information includes accessing information in memory associated with an application configuration that correlates with source computer hardware for operating an application using at least one processor, identifying at least one portion that is to be restored of the application configuration using the at least one processor and applying the at least one portion of the application configuration in the memory to destination computer hardware using the at least one processor.

Abstract: An input dataset comprising a plurality of input items is transformed into a smaller output dataset comprising a plurality of corresponding output items. For each input item, a corresponding output item is created, wherein each input item contains some content that is not present in the corresponding output item. Creating an output item can comprise right shifting the bits of the input item by a shifting value, and performing an exclusive or operation on the input item and the results of the right shifting. The content contained in each input item that is not present in the corresponding output item is encoded in the storage address of the corresponding output item, such that the content of each input item is contained in a combination of the corresponding output item and its storage address. The output dataset comprises multiple levels.

Abstract: An InfiniBand managed storage environment is made up of processor nodes containing HCAs and managed storage devices containing TCAs and exposing a plurality of LUNs and volumes. For each InfiniBand channel between a specific HCA and a specific TCA, the paths between the HCA and any LUN or volume exposed by the TCA are grouped into a set. Occurrence of failures on specific paths of specific sets on specific channels are determined, for example by registering for callbacks or polling for occurrence of events which adversely affect communication between endpoints. Also, I/O operations executed by processor nodes are tracked and failures thereof are detected. When the occurrence of a failure on a specific path of a set is determined, all I/O operations on all paths of the set are proactively rerouted to a separate set on a separate channel that connects the same processor node and storage device.

Abstract: A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors may include (1) executing a packed program that may include (i) malicious code that has been obfuscated within the packed program and (ii) unpacking code that deobfuscates and executes the malicious code when the packed program is executed, (2) monitoring, while the packed program is executing, how the packed program behaves, (3) detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code, and (4) performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Write operations are scheduled for multiple nodes in a shared storage cluster that supports volume replication. Requests are received from nodes for allocation of space for write operations in a replication log. In response to a received request, the current capacity of the requesting node to manage a backlog can be determined. The amount of space in the replication log allocated to the node is then calibrated to the node's capacity, thereby preventing self-throttling. A separate priority can be assigned to each volume, and space in the replication log assigned to each volume based on its priority. Nodes can target synchronous and other latency sensitive operations to higher priority volumes. A single global queue can be maintained to schedule write operations for all nodes, thereby providing a fair scheduling. A separate local queue can be maintained for each node, thereby providing specific levels of preference to specific nodes.

Abstract: A plurality of classifiers is identified. A set of test cases is selected based on time. The set of test cases are grouped into a plurality of datasets based on time where each of the plurality of datasets is associated with a corresponding interval of time. Each of the plurality of classifiers is applied to each of the plurality of datasets to generate classifications for test cases in each of the plurality of datasets. For each of the plurality of classifiers, a classification performance score is determined for each of the plurality of datasets based on the classifications generated for the test cases of each dataset. A classifier is selected from among the plurality of classifiers for production based on the classification performance scores of each of the plurality of classifiers across the plurality of datasets.

Abstract: Techniques are disclosed for protecting cryptographic secrets stored locally in a device, such as a mobile phone. A client device creates or downloads a shared secret to be used in a server transaction. To protect this shared secret locally, the client device encrypts the shared secret using a key generated a file system attributes value, along with other sources of entropy. The file system attributes value may correspond to the inode of a file in a UNIX-based file system. Thereafter, when the shared secret is required for logical computation, the client device reconstructs the key using the file system attributes value and the other previous sources of entropy. The client device may use the key to decrypt the information and use the shared secret for its required purpose, e.g., in generating a one-time password for a login session.