Abstract: Example embodiments disclosed herein relate to a network security system. The network security system intercepts inline DNS requests. It is determined whether a domain name associated with one of the inline DNS requests corresponds with one or more domain names. A security action is performed based on the determination.

Abstract: A virtual mobile infrastructure for mobile devices includes mobile client devices and a server computer running remote mobile operating systems. The remote mobile operating systems share the same kernel, and are each implemented on a container. A mobile client device running a mobile operating system, which may be the same as or different from the remote mobile operating systems, may access one of the many remote mobile operating systems on the server computer.

Abstract: One embodiment relates to a computer-implemented process for detecting malicious scripts at a client computer using a malicious script detector. A web page interceptor intercepts an access of web page data at a universal resource locator address. A script preprocessor determines script fragments embedded in the web page data and extracts variable and function names from the script fragments. A context analyzer determines whether the script fragments reference known-good scripts. The context analyzer may check variable and function names in the script fragment against a database of known-good contexts. Those script fragments which were determined to reference known-good scripts may be categorized as non-malicious. An emulator may perform emulation on remaining script fragments which were not determined to reference known-good scripts and not perform emulation on the script fragments which were determined to reference known-good scripts. Other embodiments, aspects and features are also disclosed.

Abstract: Method and system using a designated known secure computer for real time classification of change events in a computer integrity system are disclosed. In the embodiment of the invention, the known secure computer, having only inbound connection, is dedicated for providing permissible change events, which are compared with change events generated on client operational computers. An alert is generated when the change event at the client operational computer and the respective permissible change event provided by the known secure computer mismatch.

Abstract: Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

Abstract: A software defined networking (SDN) computer network includes an SDN controller and an SDN switch. The SDN controller inserts flow rules in a flow table of the SDN switch to create an SDN pipe between a sender component and a security component. A broadcast function of the SDN switch to the ports that form the SDN pipe may be disabled. The SDN pipe allows outgoing packets sent by the sender component to be received by the security component. The security component inspects the outgoing packets for compliance with security policies and allows the outgoing packets to be forwarded to their destination when the outgoing packets pass inspection. The SDN controller may also insert a flow rule in the flow table of the SDN switch to bypass inspection of specified packets.

Abstract: A host machine hosts virtual machines on a first logical layer, and a multi-tenant cloud computing environment on a second logical layer running on top of the first logical layer. An anti-malware provides an anti-malware service to virtual machines on the first logical layer. A tenant of the multi-tenant cloud computing environment may lease a virtual machine, and select the virtual machine for subscription to the anti-malware service. A second identifier of the selected virtual machine on the second logical layer is used to determine a first identifier of the selected virtual machine on the first logical layer. The selected virtual machine is identified to the anti-malware using the first identifier. The anti-malware provides anti-malware service to the selected virtual machine. An anti-malware broker may be employed to facilitate selection of the selected virtual machine, and to allow the anti-malware to identify virtual machines subscribed to the anti-malware service.

Abstract: A backup and restore module allows for block level cloud-based back up and restore of a storage volume of a computer. Original content of a block of a disk volume that is being modified by a write operation is stored in a point-in-time snapshot in a cloud storage. The original content may be stored in a hidden volume in the computer prior to being stored in the cloud storage. The original content may be encrypted for storage. To roll back the computer by restoring the disk volume, the snapshot is retrieved from the cloud storage. The original content is copied from the snapshot back to the block to restore the disk volume. The hidden volume may be searched for other original contents yet to be included in the snapshot in the cloud storage, and the original contents may be copied back to corresponding blocks to restore the disk volume.

Abstract: A system for scanning a file for malicious codes may include a client agent running in a client computer and a scan server running in a server computer, the client computer and the server computer communicating over a computer network. The client agent may be configured to locally receive a scan request to scan a target file for malicious codes and to communicate with the scan server to scan the target file using a scan engine running in the server computer. The scan server in communication with the client agent allows the scan engine to scan the target file by issuing file I/O requests to access the target file located in the client computer. The client agent may be configured to check for digital signatures and to maintain a file cache of previously scanned files to minimize network traffic.

Abstract: One embodiment relates to a computer-implemented method for detecting malicious scripts in web pages. A local engine and an application are executed at a client computer. The local engine intercepts an access by the application to a web page at a universal resource locator (URL) under a domain. The local engine determines scripts at the URL and scripts at other URLs under the domain. Using that information, the local engine determines if the scripts at the URL include one or more unique script(s). The local engine sends the unique script(s), if any, via a network to a script analyzer. The script analyzer may then perform emulation of the unique script(s) to detect malicious code therein. Other embodiments, aspects and features are also disclosed.

Abstract: A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data.

Abstract: File modifications performed by malicious codes are detected by detecting a file modification for an original file before the file modification is performed on the original file. In response to detecting the file modification, a corresponding shadow file is created. The shadow file represents the original file as modified by the file modification. Before allowing the file modification to be performed on the original file, the original file is compared to the shadow file to determine if the file modification is being performed by malicious codes. The file modification may be deemed to be performed by malicious codes when the file modification involves, for example, entry point append, entry point prepend, entry point obfuscation, cavity, overwriting, or mal-tattoo.

Abstract: Malicious code is detected in binary data by disassembling machine language instructions of the binary data into assembly language instructions. Opcodes of the assembly language instructions are normalized and formed into groups, with each group being a subsequence of a sequence of machine language instructions of the binary data. The subsequence is delimited by a predetermined machine language instruction. Locality-sensitive hashes are calculated for each group and compared to locality-sensitive hashes of known malicious machine language instructions to detect malicious code in the binary data.

Abstract: One embodiment relates to an apparatus for creating and managing security policies for data leakage prevention. The apparatus includes a database which stores three layers of objects comprising digital assets, content templates, and security policies, and a user interface configured to access said database so as to provide for input and editing of said three layers of objects. The security policies may include at least a target element, an action element, and a condition element. A content template may be used to form the condition element. Content templates may include compliance templates which are configured to satisfy specific regulatory requirements and other templates to protect specified types of information. Other embodiments, aspects and features are also disclosed.

Abstract: A network device includes an execution engine having an implementation of a network device component to process data received by the network device, and a compiler to dynamically generate the implementation of the network device component through compilation of a general representation using network device data for compiler optimization.

Abstract: An electronic communication network includes a connectivity subsystem. The connectivity subsystem registers a control subsystem with the connectivity subsystem. The control subsystem requests that network traffic be redirected from the connectivity subsystem to the control subsystem. In response to the request, the connectivity subsystem redirects network traffic from the connectivity subsystem to the control subsystem.

Abstract: A repackaged mobile app that has been unpacked and repackaged back is detected based on similarity of app labels of a target mobile app being evaluated and a reference mobile app. The similarity of the sound of the app label of the target mobile app to the sound of the app label of the reference mobile app may be determined. The similarity of the appearance of the app label of the target mobile app to the appearance of the app label of the reference mobile app may also be determined. The target mobile app may be deemed to be a repackaged mobile app when the app labels of the target and reference mobile apps are deemed to be similar (which may include being the same) but the target and reference mobile apps have different identifiers.

Abstract: A virtual mobile infrastructure includes a mobile client device running a local mobile operating system and a server computer running a remote mobile operating system. The mobile client device displays a screen image of the remote mobile operating system. User text inputs for a remote application running on the remote mobile operating system are received by way of a touchscreen keyboard of a local input method editor (IME) of the local mobile operating system. The user text inputs are transmitted from the mobile client device to the server computer, where the text inputs are provided to the remote application by a virtual IME of the remote mobile operating system.

Abstract: A file or other data unit may be scanned for malicious code by calculating a hash value of a portion of the file or data unit and transmitting the hash value of the portion over a computer network to a remotely located server computer. In the server computer, the hash value of the portion may be compared to hash values of malicious codes. The server computer may send the result of the comparison over the computer network to the client computer. The client computer may send one or more additional hash values of other portions of the file or data unit when the result indicates that the hash value of the portion matches a hash value of malicious code. Otherwise, the client computer may deem the file or data unit to be free of malicious code.

Abstract: A cloud security service is made available to endpoint computers. Network traffic from originating application programs running on endpoint computers are redirected to the cloud security service based on characteristics of the originating application programs. Network traffic from an originating application program may be redirected to the cloud security service by way of a virtual private network (VPN) tunnel or generic routing encapsulation (GRE) tunnel between an endpoint computer and a cloud computing system hosting the cloud security service, for example. Network traffic from an originating application program may also be routed from an endpoint computer to a gateway system, and then redirected from the gateway system to the cloud computing system. The cloud security service may drop or forward network packets of the network traffic depending on a result of scanning the network packets.