Abstract: On start up of a process, a critical imported functions table including resolved addresses of critical imported functions that an application, such as a host intrusion detection system application depends upon to have data integrity, is dynamically allocated and marked read only to impede modification by malicious code. The critical imported functions are hooked so that execution of a call to a critical imported function is made using a corresponding entry in the critical imported functions table rather than an entry in a current process IAT, which may have been modified by malicious code. The current process IAT is evaluated to determine whether it has changed from an initial start up state, in a way that is indicative of an evasion attempt by malicious code. If an evasion attempt is detected, a notification is provided to a user and/or system administrator. Optionally, protective action is taken, such as saving a copy of the current process IAT to permit later analysis of the change.

Abstract: A method, computer program product, computer system and system that enable symmetrical data change tracking with respect to a set of data and a copy of the set of data, referred to as a snapshot or a second set of data. The data and the copy may be independently updated after the two sides are “split.” A join may be performed of the two sides of the split to resynchronize the data. For the first set of data, an accumulator map tracks changes to the first set of data and a volume map tracks changes to the first set of data with respect to a second set of data. For the second set of data (the snapshot), a second accumulator map tracks changes to the second set of data and a second volume map tracks changes to the second set of data with respect to the first set of data.

Abstract: A method of automating an authentication sequence for accessing a computer resource comprising processing form information associated with the authentication sequence, wherein the authentication sequence comprises a plurality of queries associated with a plurality of web pages; and communicating a response to a portion of the authentication sequence using form information that corresponds to a query upon recognition of indicia of the portion of the plurality of web pages where the portion comprises the query.

Abstract: The inventions relate generally to protection of computing systems by isolating intrusive attacks into layers, those layers containing at least file objects and being accessible to applications, those layers further maintaining potentially intrusive file objects separately from regular file system objects such that the regular objects are protected and undisturbed. Also disclosed herein are computing systems which use layers and/or isolation layers, and various systems and methods for using those systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.

Abstract: An apparatus and method implemented by a computer system of using data copies of a volume for redundancy when data of the volume is rendered corrupted or inaccessible. In one embodiment of the method a data volume is created. The data volume comprises a plurality of data blocks including a first data block. After creation of the data volume, a point-in-time (PIT) copy or a replica copy of the data volume is created, and a redirection map is created. The redirection map comprises a plurality of entries, wherein each entry of the map indicates whether memories allocated to store data of respective data blocks of the data volume and the PIT copy or the replica copy, contain identical data. Data of the data volume may become corrupt or inaccessible after creation of the PIT copy or replica copy.

Abstract: A method, system, computer system, and computer-readable medium that enable a secondary host that is not the file system host to create a backup of a clone file set that shares at least one data block on a storage device with an active file set. Start and end locations are identified for a set of contiguous storage locations (referred to as a “chunk”) on the storage device. Physical location information is obtained for each portion of a file contained in the chunk. The start and end locations and physical location information for portions of files contained in the chunk are provided to the secondary host, which sequentially reads data from the set of contiguous storage locations and constructs a copy of the file(s) making up the clone file set. The file(s) are written by the secondary host to a storage device to create a backup of the clone file set.

Abstract: A method includes generating new update name lists and providing malicious code protection update information including the new update name lists to host computer systems. In one embodiment, the new update name lists are generated by registering domain names, and only a subset of the registered domain names are used to create an update name list provided to any one of the host computer systems.

Abstract: Information, e.g., a source address, in packets on a network is processed by a geo-location detector The geo-location detector generates a related location identifier, which, for example, is inclusive of one or more source addresses, known or unknown. The location identifier serves as a less precise indicator than the exact location of the system associated with the particular source address of interest, but a more accurate location indicator than was previously available. One of the addresses in a set of source addresses represented by the location identifier is the source address of interest. Although other source addresses represented by the location identifier may not be attacker sources, the location identifier is an identity that can be used as a variable for correlation, trend analysis, or search keys in accessing a network security threat.

Abstract: Methods, apparatuses, and computer-readable media for automatically generating disposable e-mail addresses. A method embodiment for generating disposable e-mail addresses comprises: monitoring (310) network traffic; detecting (320) the submission of a un-aliased e-mail address to a network destination; seeking (460) authorization to create a disposable e-mail address; creating (375) a disposable e-mail address; associating (380) the newly created disposable e-mail address with the corresponding network destination; and replacing (385) the un-aliased e-mail address with the disposable e-mail address.

Abstract: A first read request is received from a computer system. Data from one mirror of a data volume is returned to the computer system in response to receiving the first read request. The computer system may check the returned data to determine whether it is corrupted. If corrupted, the computer system sends a second read request for the same data. Rather than returning the same corrupted data stored in the one mirror, a copy of the requested data is returned from an alternate mirror of the data volume.

Abstract: A method for increasing the QoS in a data center. The method can be employed in first and second components of the data center. In one embodiment, the method includes a first component of the data center receiving first and second requests. The first component generates first and second priority values corresponding to the first and second requests, respectively. The first component processes the first and second requests to generate third and fourth requests, respectively, wherein the first request is processed before the second request if the first priority value is numerically greater than the second priority value, or the first request is processed after the second request if the first priority value is numerically less than the second priority value. A second component of the data center receives the third and fourth requests. The second component generates third and fourth priority values corresponding to the third and fourth requests, respectively.

Abstract: Malicious computer code (101) is automatically cleaned-up from a target computer (103). An operating system (109) automatically boots (201) in the computer memory (105) of the target computer (103). The booted operating system (109) automatically runs (203) a malicious code processing script (113) in the computer memory (105) of the target computer (103), under control of the booted operating system (109). The malicious code processing script (113) automatically copies (205) and runs (207) at least one malicious code clean-up script (115). At least one malicious code clean-up script (115) automatically cleans-up (209) malicious code (101) from the target computer (103).

Abstract: In one embodiment, a method includes detecting that an application in a first node is to failover; provisioning a second node to execute the application responsive to the detecting; and failing the application over from the first node to the second node. Additionally, embodiments comprising computer accessible media encoded with instructions which, when executed, implement the method are contemplated. In another embodiment, a system comprising a plurality of nodes. A first node of the plurality of nodes is configured to monitor performance of an application executing on a second node of the plurality of nodes during use. In response to a detection that the application is to failover from the first node, a third node is configured to be provisioned to execute the application. The application is failed over to the third node during use.

Abstract: The inventions relate generally to layered computing systems that provide public access to the content of the layers. Also disclosed herein are prioritization schemes usable in a layered computing system, including prioritization by layer type, by assigned priority weights, by access type, by sub-layers and by read-write indicators. Processes may further be associated to layers from which they originate, and priority given to associated layers thereby. Association may also be provided for installer services, thereby depositing an applications updates into its layer. Layers may also contain file reference information including exclusion or inclusion entries indicating what files may be written thereto. Paths recorded in layers may also embed variables to true paths on a layered system. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.

Abstract: A method for controlling distribution of network communications (messages). An incoming message either carries priority information, or is assigned priority information based on a shared characteristic with other messages. The priority information is used to determine how and/or when to deliver the message, e.g. by delaying the message for a fixed time. Preferences for receipt of messages by priority level may be communication to upstream hosts along a network path. Accordingly, an intermediary host may reject and/or delay messages that the intended recipient does not wish to receive. This pushes the burden of low-priority messages back to the sender, thereby reducing or eliminating burdens on network/system resources of the recipient and/or intermediaries between the recipient and the sender. Accordingly, it can “squelch” spam messages at or close to their source. Trusted senders complying with prescribed practices may include priority information allowing for delivery of their messages with higher priority.

Abstract: A program execution data trace is created by instrumenting a program to record value sets during execution and an instruction trace. By simulating instructions either backward or forward from a first instruction associated with a recorded value set to a second instruction according to the instruction trace, a value set is determined for the second instruction. Backward and forward simulation can be combined to complement each other. For backward simulation, a table of simulation instructions is preferably maintained, which associates program instructions encountered in the instruction trace with simulation instructions which reverse the operation of the associated program instructions. Preferably, one or more probes is inserted into the program to save values of particular variables whose value may be difficult to determine. Preferably, the instruction trace is displayed alongside and correlated with the data trace.

Abstract: A method includes stalling execution of a model specific register write function to write to a model specific register of a processor having a no-execute processor feature enabled, determining that the model specific register is a no-execute model specific register of the processor, and determining whether a no-execute field in the no-execute model specific register is being altered. Upon a determination that the no-execute field is being altered, the method further includes taking protective action to prevent disabling of the no-execute processor feature.

Abstract: System and method for data storage management. Embodiments may be used to perform analysis of disk-based data storage. Embodiments may provide a storage analysis mechanism for estimating storage inventory/availability risk tradeoff for data storage media for an application or group of applications. Embodiments may be used to generate storage inventory information and recommendations or requirements for pooled and/or non-pooled storage. Embodiments may be used to compare pooled storage to non-pooled storage for a plurality of applications in a storage system.

Abstract: A technique for timeline compression in a data store is disclosed. In one particular exemplary embodiment, the technique may be realized as a method for timeline compression in a storage system, wherein digital content of the storage system is backed up to enable restoration of the digital content to one or more points in a timeline. The method may comprise selecting a time interval in the timeline. The method may also comprise identifying one or more sets of backup data recorded for the selected time interval, wherein the identified one or more sets of backup data represent at least a portion of old data overwritten during the selected time interval. The method may further comprise discarding other backup data recorded for the selected time interval, thereby reducing a granularity level of the timeline in the selected time interval.

Abstract: Risk profiling in order to optimize the deployment of security measures such as behavior-blocking, hardening, or securing techniques is disclosed. Risk profiling includes evaluating a risk to a host service based on communication with a remote system, creating a risk profile for the host service, and deploying a security measure to protect the host service based on the risk profile. Risk profiling enables optimization of deployment of security measures to protect a host service that is either directly or indirectly communicating with a remote system. Using a risk profile enables the optimal deployment of security measures while preventing host system performance degradation and increased system requirements (e.g., increased memory and processor usage).