Abstract: Methods are provided for retargeting captured images to new hardware. An image taken from a computer having hardware drivers and other system information in one hardware configuration can be modified to adapt it for use on a computer having different hardware requiring different drivers, even when the second hardware configuration was not known at the time of imaging. Systems and configured storage media for retargeting captured images to new hardware are also provided.

Abstract: Various systems and methods for maintaining write order fidelity in a distributed environment are disclosed. One method, which can be performed by each node in a cluster, involves associating a current sequence number with each of several write operations included in a set of independent write operations. In response to detecting that one of the write operations in the set is ready to complete, a new sequence number is selected, and that new sequence number is thereafter used as the current sequence number. None of write operations in the set is allowed to return to the application that initiated the write operations until the new sequence number has been advertised to each other node in the cluster. The method also involves receiving a message advertising a first sequence number from another node in the cluster, and subsequently using the first sequence number as the current sequence number.

Abstract: An apparatus comprises a plurality of nodes interconnected as peers in a peer-to-peer network. At least some nodes are configured to update an object, thereby generating a plurality of versions of the object. Any of the plurality of nodes is configured to detect a conflict between a first version and a second version of the plurality of versions, and any of the plurality of nodes is configured to provide an indication of a resolution of the conflict to other ones of the plurality of nodes. Each version may be identified by a version descriptor that includes a version identifier (ID) and a parent version ID. If the version is the result of a conflict resolution, the version descriptor may also include a resolved version ID identifying the losing version. The resolved version ID may be used to prevent the raising of the same conflict after it has been resolved.

Abstract: A cloning manager reads contents of a source file system as a stream of objects. The cloning manager identifies a destination file system into which to merge the source file system stream during the cloning operation. The cloning manager proceeds to merge objects of the source file system stream into the destination file system according to a specific merging strategy, replacing some or all corresponding objects in the destination file system with their counterpart objects from the source file system stream, or preserving corresponding objects in the destination by discarding their counterpart objects from the source, as desired.

Abstract: Certain events, such as data input operating system calls, are likely to initiate a buffer overflow attack. A timing module generates timestamps that indicate when such possible initiating events occur. The timestamp is associated with a particular process and/or thread executing on the computer. If subsequent evidence of a buffer overflow attack is detected on the computer, the timestamps are consulted to determine if a possible initiating event occurred recently. If there is a recent initiating event, a buffer overflow attack is declared. Evidence of a buffer overflow attack can include receiving a signal from the processor indicating that the processor was asked to execute an instruction residing in non-executable memory. Evidence of a buffer overflow attack can also include detecting an action on the computer that malicious software is likely to perform, such as opening a file or network connection, being performed by an instruction residing in non-executable memory.

Abstract: A system and method for applying a file system security model to a query system. In one embodiment, the system may include a storage device configured to store data and a file system configured to manage access to the storage device, to store file system content, and to implement a first security model, where the first security model is configured to control access to the file system content. The system may further include a query system configured to query the file system content, and security mapping functionality configured to apply the first security model to the query system.

Abstract: A table-based packet sniffing/decoding system and method suitable for cluster server systems is provided. Packets having portions of various protocols are communicated between nodes of a cluster server. Fields of the packets are decoded using protocol definition tables and may be stored for subsequent analysis. A protocol is identified from a protocol identification field of a packet and the field definition table is identified for the identified protocol. The field definition table defines fields of packets for a particular protocol and identifies a field decode handler for use in decoding each field. A filter may be applied to selectively decode (or refrain from decoding) certain fields. A filter may also be applied to selectively decode particular protocols.

Abstract: A volume server for flexibly combining mirroring, striping and concatenation in virtual storage devices includes virtualization functionality and a layout table. The virtualization functionality may be configured to aggregate storage within one or more block devices into a logical volume. The layout table may include multiple extent entries, where each extent entry represents a mapping of an extent of block device storage to a virtual address range of the logical volume, including an indication of a stripe of the logical volume to which the extent is mapped. An overlap in virtual address range between a first and a second extent entry may indicate mirroring of the overlapping blocks at each extent. In response to a storage request, the virtualization functionality may obtain a block device address corresponding to the logical volume virtual address of the storage request from the layout table.

Abstract: A database intrusion detection system (DIDS) monitors database queries to detect anomalous queries that might by symptomatic of a code injection attack on the database. A proxy server intercepts HTTP messages from clients that contain query data used to generate database queries. The proxy server extracts the query data from a message and determines origin data describing the origin of the message, such as the IP address of the client that sent the message. The proxy server stores the query and origin data in a cache. Upon detecting an anomalous query, the DIDS extracts a portion of the query, such as the literals. The DIDS searches the cache to identify entries having query data that match the extracted portions of the query. The DIDS reports the origin data of the matching cache entries.

Abstract: A system and method for managing data in a computer system. A backup server is configured to harvest data indicative of logical relationships among data entries in a backup data set. The harvested data and backup data set are stored on a backup medium. Catalog entries are created for both the backup data set and the harvested data. The computer system allows a user to browse the backup catalog, including the logical structure of the content of a particular backup data set. The user may select particular items for restoration from the catalog. In response, the server restores the backup data set and harvested data to a temporary location, identifies data in the harvested data which corresponds to the user's selections, searches the backup data set for the selected items, and initiates restoration of the selected items.

Abstract: Computer-implemented methods for delegating access to online accounts and for facilitating delegates' access to these online accounts are disclosed. In one embodiment, a method for delegating access to an online account comprises receiving a request to delegate access to a first online account to a first delegate, identifying the first online account, identifying a contact record for the first delegate, and delegating access to the first online account to the first delegate by associating the contact record for the first delegate with the first online account. Corresponding systems and computer-readable media are also disclosed.

Abstract: A system and method for efficiently linking together replicas of a storage object. The location of a first replica of the storage object may be stored on a node in a network. When new replicas of the storage object are created, the node that stores the new replica may efficiently lookup the location of the first replica and utilize the location information to perform an efficient process to link the new replica to the first replica and any other existing replicas by causing routing information to be created on various nodes.

Abstract: The present invention discloses an improved information security system and method. A polymorphic engine is used to enhance the security features of a software application and the data generated by or made available to the application and/or the operating system. The polymorphic engine operates to randomly alter the standard executable code of the original application while preserving its functional characteristics. Each polymorphed instance of the application differs from any other instance of the same application in form only. Various other security features operate to protect the polymorphic engine itself and/or the polymorphed code generated therefrom. These other security features include: just-in-time instruction code decryption; virtual CPU instruction code pre-processing; call mutation; stack manipulation; secure hook-capture of device input; secure display device output; application level decryption of encrypted hardware data streams; and a dynamic, randomly configured graphical keypad interface.

Abstract: In the method of the present invention, spam is detected by extracting generalized Ngrams from a section of an e-mail (104). A spam manager (101) extracts (502) a sequence of characters from a section of an email. The spam manager (101) iterates (504) subsequences within the sequence. The spam manager (101) compares (506) subsequences to collections of spam-distinguishing subsequences to identify spam e-mail (104) messages.

Abstract: Methods, apparatuses, and computer-readable media for detecting bulk electronic messages using header similarity analysis. Bulk electronic messages can be detected by parsing (115) header fields of an electronic message; associating (120) at least one constituent unit with each header field defining a set of constituent units for each header field; ascertaining (230) a feature vector for each set of constituent units; forming (240) a collection of feature vectors; and computing (250) an inner product from a set of constituent units from an additional electronic message and the collection of feature vectors from the initial electronic message resulting in a measure of similarity between the initial electronic message and the additional electronic message.

Abstract: Risk of inadvertent introduction of software bugs to a large number of users during a software update is minimized using an automatic mechanism controlling update release. A value-generating module generates a value for a computer, the value falling within a population range of values. A specification module receives update information in an update deployment specification. The information specifies an eligibility window during which a specified portion of the population range is eligible to retrieve an update. The specification can include fields, such as a code selector, a value offset, a start time, etc. An eligibility determination module applies rules to automatically determine eligibility of the computer to retrieve the software update. The computer is determined eligible when the value for the computer falls within the specified portion of the population range for the eligibility window. An update module permits the computer to retrieve the software update based on the eligibility determination.

Abstract: A method, system, and computer program product to enable other nodes in a cluster to resume operations of a failed node. These operations include storage management services that allow configuration changes to be made dynamically to storage resources. Resource configuration data are synchronized on a set of nodes in a cluster immediately when a resource configuration change is made. If a node that has made a resource configuration change fails, the resource configuration change is available for use by other nodes in the set, each of which can resume operations of the failed node.

Abstract: A method for efficient backup and restore using metadata mapping comprises maintaining a first backup aggregation associated with a primary data object of a primary host at a secondary host, wherein the first backup aggregation includes a first backup version of the primary data object stored within a secondary data object at the secondary host. The method further comprises generating a second backup aggregation, wherein the second backup aggregation includes a second backup version of the primary data object and a backup metadata object corresponding to the secondary data object. The backup metadata object includes a pointer to the second backup version. The method may further comprise restoring the secondary data object, wherein said restoring comprises using the pointer to access the second backup version of the primary data object to restore at least a portion of the secondary data object.

Abstract: A method makes use of the fact that call modules, such as APIS, making calls to a critical operating system (OS) function are typically called by a call instruction while, in contrast, a RLIBC attack typically uses call modules that are jumped to, returned to, or invoked by some means other than a call instruction. The method includes stalling a call to critical OS function and checking to ensure that the call module making the call to the critical OS function was called by a call instruction. If it is determined that the call module making the call to the critical OS function was not called by a call instruction, the method further includes taking protective action to protect a computer system.

Abstract: On start up of a process, a critical imported functions table including resolved addresses of critical imported functions that an application, such as a host intrusion detection system application depends upon to have data integrity, is dynamically allocated and marked read only to impede modification by malicious code. The critical imported functions are hooked so that execution of a call to a critical imported function is made using a corresponding entry in the critical imported functions table rather than an entry in a current process IAT, which may have been modified by malicious code. The current process IAT is evaluated to determine whether it has changed from an initial start up state, in a way that is indicative of an evasion attempt by malicious code. If an evasion attempt is detected, a notification is provided to a user and/or system administrator. Optionally, protective action is taken, such as saving a copy of the current process IAT to permit later analysis of the change.