Abstract: Various systems and methods for configuring a duplication operation. For example, a method involves specifying a duplication window, a source storage device, and a target storage device. When a duplication operation is executed, data is copied from the source storage device to the target storage device during the duplication window. The method also involves calculating a predicted duplication rate, where the predicted duplication rate is an estimate of a rate at which data can be copied from the source storage device to the target storage device.

Abstract: An efficient partitioning scheme is provided to improve efficiency of updating a reference list database of a deduplication engine. Transaction objects of a transaction log can be divided into a number of partitioned log files, based on criteria. The transaction objects within each partitioned log file are then sorted in parallel, while maintaining time order of the transaction objects. The present disclosure also provides for dividing database records of a reference list database into multiple tables, such as a master database table and a number of child database tables. The efficient partitioning scheme also provides for processing the transaction objects of each partitioned log file against a respective child table of the reference list database in parallel, such as by updating temporary child tables with information from the transaction objects in parallel. The temporary database tables then replace (the previous version of) the reference list database tables.

Abstract: A method and apparatus for detecting violations of data loss prevention (DLP) policies based on reputation scores. The DLP agent monitors outbound data transfers performed by a computing system. The DLP agent classifies the outbound data transfers based on data types. The DLP agent determines reputations source for the outbound data transfers to a destination entity based on the classifying and the destination entity, the first outbound data transfer being a first data type and the second outbound data transfer being a second data type. The DLP agent compares the first reputation score and the second reputation score against a reputation threshold to detect violations of a DLP policy. At least one of remedial operations or reporting operations is performed in response to the detected violations.

Abstract: Techniques for sensor based attack reflection are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for sensor based attack reflection comprising detecting an attack at a sensor, identifying a portion of memory associated with the attack, redirecting at least the identified portion of memory to a secure network using an access point, extracting data associated with the attack on the secure network, redirecting a response to the attack from the secure network to the sensor, transmitting the response from the sensor to a network location associated with the attack, receiving a subsequent attack communication based on the response at the access point, redirecting the subsequent attack communication to the secure network, and analyzing the subsequent attack communication.

Abstract: A method and apparatus for automatically training a data loss prevention (DLP) agent deployed on an endpoint device is described. In one embodiment, the method includes monitoring information content on a client computer system for violations of a policy. The method further includes determining, with the client computer system, whether a violation of the policy has occurred for the information content based on a classifier. The method may also include transmitting monitored data indicative of a policy decision and the information content to a remote system and receiving a response from the remote system including an updated classifier, wherein the updated classifier was automatically generated by the remote system utilizing fingerprint matching.

Abstract: Techniques for creating an encrypted hard disk are disclosed. In one particular embodiment, the techniques may be realized as a method for encrypting a virtual hard disk comprising creating a volume of data for the virtual hard disk and encrypting the volume of data using a predetermined encryption algorithm. The method may also comprise mounting, via at least one computer processor, the encrypted volume of data onto the virtual hard disk.

Abstract: A computer system identifies a request to place a workload in a hypervisor-based host. The computer system identifies a security level of the workload. The computer system identifies a security level of a storage device associated with the hypervisor-based host. If the security level of the workload corresponds to the security level of the storage device, the computer system grants the request to place the workload in the hypervisor-based host. If the security level of the workload does not correspond to the security level of the storage device, the computer system denies the request to place the workload in the hypervisor-based host.

Abstract: A computing device receives a training data set that includes a plurality of positive examples of sensitive data and a plurality of negative examples of sensitive data. The computing device analyzes the training data set using machine learning to generate a machine learning-based detection (MLD) profile that can be used to classify new data as sensitive data or as non-sensitive data. The computing device computes a quality metric for the MLD profile.

Abstract: A system or method for granular application data lifecycle sourcing from a single backup is disclosed. In one embodiment of the method, a computer system periodically creates a primary backup copy of data stored on a storage system in order to create a plurality of primary backup copies. The computer system also periodically creates a secondary backup copy of data stored on the storage system in order to create a first plurality of secondary backup copies, wherein each of the secondary backup copies of the first plurality is created in part by copying data from a respective one of the primary backup copies. The periodicity of creating the primary backup copies, however, is distinct from the periodicity of creating the secondary backup copies of the first plurality.

Abstract: A computer-implemented method for detecting malicious browser-based scripts may include (1) identifying an attempt by a web browser to access sensitive information stored on a server, (2) identifying a web browser script installed in the web browser, (3) calculating a signature hash for the web browser script, (4) querying, using the signature hash, a browser script signature database that associates web browser script signature hashes with script security indicators, (5) receiving, in response to querying the browser script signature database, a script security indicator associated with the signature hash, and (6) applying, based on the script security indicator associated with the web browser script, a script security policy associated with the web browser script. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A security module detects and remediates malware from suspicious hosts. A file arrives at an endpoint from a host. The security module detects the arrival of the file and determines the host from which the file arrived. The security module also determines whether the host is suspicious. If the host is suspicious, the security module observes the operation of the file and identifies a set of files dropped by the received file. The security module monitors the files in the set using heuristics to detect whether any of the files engage in malicious behavior. If a file engages in malicious behavior, the security module responds to the malware detection by remediating the malware, which may include removing system changes caused by the set.

Abstract: A system and method for anomaly detection and presentation. The method of anomaly detection and presentation comprises receiving information for a plurality of traits from a plurality of servers. A first server has fewer of the plurality of traits than a second server. A first trait is on fewer of the plurality of servers than a second trait. The plurality of servers is rendered in a graphical display wherein the first server is positioned to one side of the second server based on respective numbers of traits had by the first and second servers. The first trait is rendered in the graphical display to one side of the second trait based on respective numbers of systems having the first and second traits. A table may be displayed in a cell in response to a user request. Anomalous traits may be displayed in an anomaly table.

Abstract: A computer-implemented method for securing storage space may include 1) identifying a block map that indicates whether each of a plurality of blocks within a storage system is to return zeroed data in response to read operations, 2) identifying a read operation directed to a block of the storage system that includes non-zeroed data, 3) determining, in response to identifying the read operation, that the block map indicates that the block is to return zeroed data in response to the read operation, and 4) returning zeroed data in response to the read operation based on determining that the block map indicates that the block is to return zeroed data. Various other methods, systems, and computer-readable media are also described.

Abstract: An attempt to write to a block of data in a main volume of data is detected. An indicator associated with the block of data is accessed before a copy-on-write operation to a snapshot volume is performed for the block of data. The indicator is used to determine whether the copy-on-write operation is to be performed for the block of data.

Abstract: Techniques are presented herein for classifying a variety of enterprise computing resources based on asset characteristics. In particular, a computing asset, e.g., a server, may be classified based on any digital certificates provisioned on that server. That is, the properties of a digital certificate may be used to determine a measure of business value or importance of a server (or data hosted on that server). Once classified, a monitoring system may use the assigned classifications to prioritize security incidents for review.

Abstract: A computer-implemented method for optimizing security controls for virtual data centers may include 1) identifying a security policy that applies to at least one workload configured to store data on a first storage appliance, 2) identifying at least one storage-appliance functionality capable of implementing at least a part of the security policy, 3) identifying a second storage appliance that possesses the storage-appliance functionality, and 4) migrating the data from the first storage appliance to the second storage appliance in response to identifying the security policy and the storage-appliance functionality. Variants include methods, systems, and computer-readable media.

Abstract: A method and apparatus for facilitating application recovery using configuration information is described. In one embodiment, a method for facilitating application recovery using configuration information includes accessing information in memory associated with an application configuration that correlates with source computer hardware for operating an application using at least one processor, identifying at least one portion that is to be restored of the application configuration using the at least one processor and applying the at least one portion of the application configuration in the memory to destination computer hardware using the at least one processor.

Abstract: A plurality of classifiers is identified. A set of test cases is selected based on time. The set of test cases are grouped into a plurality of datasets based on time where each of the plurality of datasets is associated with a corresponding interval of time. Each of the plurality of classifiers is applied to each of the plurality of datasets to generate classifications for test cases in each of the plurality of datasets. For each of the plurality of classifiers, a classification performance score is determined for each of the plurality of datasets based on the classifications generated for the test cases of each dataset. A classifier is selected from among the plurality of classifiers for production based on the classification performance scores of each of the plurality of classifiers across the plurality of datasets.

Abstract: A computer-implemented method for managing malware signatures. The method may include maintaining a set of active malware signatures and maintaining a set of dormant malware signatures. The method may also include providing the set of active malware signatures for use in malware detection more frequently than the set of dormant malware signatures and determining that a first malware signature from the set of dormant malware signatures triggers one or more positive malware detection responses. The method may further include, in response to the determination, moving the first malware signature from the set of dormant malware signatures to the set of active malware signatures. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for scanning packed programs in response to detecting suspicious behaviors may include (1) executing a packed program that may include (i) malicious code that has been obfuscated within the packed program and (ii) unpacking code that deobfuscates and executes the malicious code when the packed program is executed, (2) monitoring, while the packed program is executing, how the packed program behaves, (3) detecting, while monitoring how the packed program behaves, a suspicious behavior of the malicious code that indicates that the unpacking code has deobfuscated and executed the malicious code, and (4) performing a security operation on the packed program in response to detecting the suspicious behavior of the malicious code. Various other methods, systems, and computer-readable media are also disclosed.