Abstract: A false positive reduction manager reduces false positives generated by database intrusion detection systems. In one embodiment, the false positive reduction manager monitors attempted database activities executed by a plurality of users. The false positive reduction manager detects at least one attempt by at least one user to execute suspicious database activity, and determines whether the at least one attempt to execute suspicious database activity is legitimate responsive to whether a threshold of users in the same group as the at least one user attempt substantially similar suspicious database activity.

Abstract: Detecting anomalous network activity through transformation of a terrain is disclosed. A set of network properties is mapped into a multidimensional terrain. The terrain is transformed into an observation domain in which data events of interest are amplified relative to other data comprising the terrain. The transformed terrain is evaluated for anomalous network activity.

Abstract: Computer-implemented methods, systems, and computer-readable media for determining (200) an action time when an action is taken regarding an executable content; storing (205) the action time with an indication of the executable content; storing (215) an entry time and an indication of the entered data source when the data processing system enters one of the plurality of data sources; receiving (220) an indication that the executable content is infected with a malicious code; receiving (225) an indication of a data source targeted by the malicious code; scanning the data processing system for the malicious code at a scan time; storing (230) the scan time; determining (245) whether one of the plurality of data sources corresponds to the targeted data source; and when it is determined that one of the plurality of data sources corresponds to the targeted data source, determining (255) whether the entry time occurs after the action time and before the scan time; and when it is determined that the entry time occurs

Abstract: Methods, apparati, and computer-readable media for associating computer network identifications with network policies. A plurality of network detectors (3) are coupled to a client computer (1). A network probe (4), coupled to the network detectors (3), associates each network identification revealed by a network detector (3) with a netspec. A netspec database (6), coupled to the network probe (4), associates netspecs with locations. A policy guide (8), coupled to the network probe (4), associates network identifications with locations. A network interface module (9), coupled to the policy guide (8), implements network policies based upon locations.

Abstract: Method and apparatus for managing digital identities through a single interface is described. One aspect of the invention relates to managing digital identities related to a user. An identity policy of an entity is obtained. At least one relevant digital identity is selected from the digital identities. Each relevant digital identity includes information required by the identity policy. A selected digital identity is obtained from the relevant digital identity or identities. A representation of the selected digital identity is provided to the entity that complies with the identity policy.

Abstract: A method, system and computer program product for scanning firmware of a processing system for malware. The method (400) comprises obtaining a copy of firmware stored in the processing system (410); and analysing the copy of the firmware to determine if the firmware has been modified or infected by malware (420).

Abstract: A backup computer storage system that protects and/or recovers data on a primary computer storage system is disclosed. The backup computer system may be used to backup databases, files, and/or applications. The backup system may be used to backup an image of the primary computer system. The backup system may also be used to backup one or more databases. The backup system may replicate an image of data that is on a primary computer system. The backup system may also be used to restore data from the backup system to the primary computer system. The backup system may restore data to a database while non-affected portions of the database are available and can be used. The backup system may record all transactions in real time without overwriting any previously stored backup data. The backup system may maintain historical and/or chronological information related to the backed up data.

Abstract: Systems and methods are provided for pre-emptively isolating vulnerabilities, or potential vulnerabilities in a network. In one embodiment, application data corresponding to a plurality of software applications hosted by respective network devices is stored in a network database. Based on the application data, a set of applications is determined that correspond to a software update. The set of applications are then blocked such that they cannot be executed until the software update is applied or until it is determined that they do not include a vulnerability targeted by the software update. In some embodiments, applications are blocked when a vulnerability becomes known, even if a fix for the vulnerability is not yet known. In one embodiment, new devices attempting to connect to the network are restricted until known vulnerabilities are resolved.

Abstract: A method of recovering a target data object. In one embodiment, the method includes restoring the target data object to a data state that existed at a point of time prior. Once the target data object is restored, a first object is retrieved from backup memory, wherein the first object comprises a plurality of transactions for modifying the target data object. After the target data object is restored, the target data object is modified in accordance with the transactions of the first object. A second object is retrieved from backup memory, wherein the second object comprises a plurality of transactions for modifying the target data object. The second object is retrieved from backup memory before the target data object is modified in accordance with all of the transactions of the first object.

Abstract: Systems and methods for restoring data in a file system are disclosed. In one method, a backup copy of a first file to be restored may be identified, the location of the backup copy may be determined, the original location of the first file within the file system may be determined, and the first file may be restored by copying the backup copy of the first file to the original location of the first file within the file system. The backup copy of the first file may comprise a copy of contents of the first file and a file header comprising file-location information that identifies the original location of at least a portion of the first file within the file system. Exemplary computer-readable media comprising computer-executable instructions for restoring data are also disclosed.

Abstract: A parental control system is used to verify the identity of parents, based on children's instant messaging aliases. A plurality of verified parental accounts is maintained, each of which includes the identity of the parents and their children, including the children's instant messaging aliases. When a first child wishes to electronically communicate with a second child, s/he makes a request which includes the second child's alias. The parental accounts are searched for the second child's alias. If the alias is not found, instant messaging between the children is not allowed. If an account containing the alias is found, an identity verification request is transmitted, disclosing the identity of the first child's parents, and requesting reciprocal identity verification. Only if the second child's parents disclose their identity is the instant messaging between the children permitted.

Abstract: Methods, apparati, and computer-readable media for matching patterns of symbols within computer systems. A method embodiment of the present invention comprises composing (11) a pattern matching expression; and embedding (12) a function using storage means within the expression to form a character matching string. The expression may be a regular expression. The character matching string is compared (13) against a target string. The target string may be one that is suspected to contain malicious computer code.

Abstract: Scanning engine (i.e. program(s) or application(s)) 310 sends request 315 to direct file system access engine (i.e. program(s) or application(s)) 360. Direct file system access engine 360 receives request 315 and passes request 315 to file system(s) 350 as request 325. No filter program(s) 340 receive program control as request 325 bypasses any filter program(s) 340. The direct file system access engine 360 receives unaltered information from file system(s) 350. Utilising Direct File Access (DFA) allows bypass of user mode hooking-type malwares, kernel, and file system filter programs to obtain access to or communicate with the real underlying file system(s). This provides a ‘clean’ view of the file system(s) in situations where user/kernel components are compromised or rootkit file system filter programs are installed.

Abstract: A system and method for providing identity protection services. According to an embodiment, a validation server receives over a network a response from a credential associated with a user, the credential response provided by the user in order to authenticate the user to one of a plurality of sites on the network that accepts the credential as a factor for authentication, the validation server verifies the credential response on behalf of the one network site, a fraud detection server receives over the network information in connection with a transaction associated with the user at the one network site, and the fraud detection server evaluates the transaction information for suspicious activity based at least in part on information provided to the fraud detection server in connection with one or more transactions at one or more sites on the network other than the one network site.

Abstract: A spim detection manager automatically detects and blocks spim. The spim detection manager detects a first incoming instant message from an unrecognized source, and sends a response to that source. The spim detection manager receives a second incoming instant message from the unrecognized source in reply to the sent response. The spim detection manager examines the second incoming instant message, and determines whether the incoming instant messages comprise spim based on its content. In some embodiments, the spim detection manager concludes that at least one of the incoming instant messages was generated by an automated process, and that therefore the incoming messages comprise spim. Where the spim detection manager determines that an incoming instant message comprises spim, it blocks that incoming message. Where the spim detection manager determines that an incoming instant message is legitimate, it forwards that message to the target user.

Abstract: Techniques for file system recovery are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for file system recovery comprising starting a recovery process for a failed node, utilizing the recovery process to read one or more committed but un-applied transactions from storage associated with the failed node, and recreating the one or more committed but un-applied transactions in memory associated with the recovery process.

Abstract: A system and method are disclosed for generating fictitious computer file system content. A template is created. A collection of data items available to be inserted into the template is provided. The template is populated with at least one data item from the collection.

Abstract: A system, method, and computer program product for backing up data from a backup source to a central repository using deduplication, where the data comprises source data segments is disclosed. A fingerprint cache comprising fingerprints of data segments stored in the central repository is received, where the data segments were previously backed up from the backup source. Source data fingerprints comprising fingerprints (e.g., hash values) of the source data segments are generated. The source data fingerprints are compared to the fingerprints in the fingerprint cache. The source data segments corresponding to fingerprints not in the fingerprint cache may not be currently stored in the central repository. After further queries to the central repository, one or more of the source data segments are sent to the central repository for storage responsive to comparison.

Abstract: A method and apparatus for automatically restoring the structure and data of a disk drive of a live client computer, i.e., a disk drive that does not store the operating system of the computer system has failed. A “live” computer is one that is booted into an operating system from the computer's own system disks. In one example, the method commences by obtaining a disk layout file from backup storage. This disk layout file typically contains the original disk structure of a particular disk drive. The new disk structure is then rebuilt on a disk drive. Next, file data stored in backup storage is acquired and subsequently written onto the disk drive. In an alternative example, the disk structure on the disk layout file is acquired and adjusted in accordance to the user's needs. This modified disk structure layout is then established on the disk drive.

Abstract: Network evasion and misinformation detection are disclosed. Techniques are provided for network security, including determining whether a particular packet, segment, frame, or other data encapsulation has been retransmitted. By detecting and tracking retransmits, the packet may be compared to the original packet to determine whether an attack exists. By evaluating the original data stream and a copy of the original data stream modified with the retransmitted packet, an evasion or misinformation attempt may be detected, invoking pattern or signature matching to determine whether an attack is attempted against a target host.