Abstract: Network traffic with encrypted packet payloads is classified based on monitored Domain Name System (DNS) query requests and responses. A network appliance, or some other computer, receives a DNS query request for a network name (e.g., host name) of a content server, and starts monitoring for a corresponding DNS query response. The network appliance receives the DNS query response and parses the DNS query response to retrieve an Internet Protocol (IP) address associated with the network name. The network appliance classifies the IP address as belonging to the content server or a network application associated with the content server. When the network appliance subsequently receives packets with a source or destination address that matches the IP address, the network appliance classifies the received packets as belonging to the content server or a network application associated with the content server.

Abstract: Calibration of vehicle and smartphone coordinate systems includes receiving acceleration data from an accelerometer of the smartphone. The smartphone identifies a Y-axis, a Z-axis, and an X-axis of the coordinate system of the vehicle relative to a coordinate system of the smartphone from the raw acceleration data. The smartphone generates processed acceleration data by transforming the raw acceleration data into the coordinate system of the smartphone. The processed acceleration data is used to detect driving conditions of the vehicle.

Abstract: A web document protection module protects web documents against web-injection and other malicious attacks. The web document protection module may be implemented in a user computer, a proxy server computer system, a web server computer system, or other computers. The web document protection module receives a web document, such as a webpage, and alters the web document to change its structure. For example, the web document protection module may obfuscate the web document to make it difficult for malware to find locations in the web document to insert additional program code. The web document protection module provides the obfuscated web document to a web browser for rendering.

Abstract: User authentication is performed using a system that includes a service provider system, a device provisioning system, a user computer, and a portable mobile device. The user computer requests the service provider system for access to a remote online service. The user computer receives sign-in information from the device provisioning system. The sign-in information is transferred from the user computer to the portable mobile device, which provides the sign-in information and a unique device identifier of the portable mobile device to the device provisioning system. The device provisioning system identifies a user associated with the portable mobile device, and informs the service provider system the identity of the user. The service provider system allows the user computer to access the remote online service based on the identity of the user provided by the device provisioning system.

Abstract: Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.

Abstract: A virtual mobile infrastructure performs client-side rendering by intercepting and redirecting screen data for generating a screen image of a remote mobile operating system from a server computer to a mobile client device. The mobile client device receives the screen data and generates the final screen image of the remote mobile operating system. The screen data include drawing application programming interface (API) calls to generate surfaces for applications running on the remote mobile operating system and data for compositing the surfaces together. The mobile client device makes the drawing API calls to generate the surfaces and generates the final screen image of the remote mobile operating system by compositing the surfaces in accordance with the compositing data.

Abstract: A system for preventing a computer worm from attacking a private computer network through a virtual private network (VPN) connection includes a client computer and a VPN server. The client computer detects connection attempts to the VPN server. The client computer consults application rules to determine whether an application program running in the client computer and connecting to the VPN server is specifically authorized to connect to the VPN server. The client computer can receive the application rule automatically from the VPN server or manually from a user.

Abstract: A cloud access security system provides security to data stored in the cloud. The cloud access security system maintains version service information that indicates servers that service web services calls to particular versions of a cloud application service. Upon detection of a web service call to an unknown version of the cloud application service, the cloud access security system redirects the web service call to a known good server that services web service calls that are made to a previous version of the cloud application service. The cloud access security system may employ an encryption scheme that allows for partial decryption.

Abstract: A countermeasure for a computer security threat to a computer system is administered by establishing a baseline identification of an operating or application system type and an operating or application system release level for the computer system that is compatible with a Threat Management Vector (TMV). A TMV is then received, including therein a first field that provides identification of at least one operating system type that is affected by a computer security threat, a second field that provides identification of an operating system release level for the operating system type, and a third field that provides identification of a set of possible countermeasures for an operating system type and an operating system release level. Countermeasures that are identified in the TMV are processed if the TMV identifies the operating system type and operating system release level for the computer system as being affected by the computer security threat.

Abstract: One embodiment relates to an apparatus configured to match a list of keywords against a target document. The apparatus includes data storage configured to store computer-readable instruction code and data, and a processor configured to access the data storage and to execute said computer-readable instruction code. The apparatus further includes a keyword searcher and a keyword object generator. The keyword searcher is configured to receive the list of keywords and a textual string corresponding to the target document file, and search the textual string for instances of the keywords so as to generate a sequence of keyword instances. The keyword object generator implemented using the instruction code and configured to receive the sequence of keyword instances, and generate a keyword object, wherein the keyword object includes a range-dependent match function. Other embodiments and features are also disclosed.

Abstract: An on-premise computer in the form of an on-premise gateway receives data transmitted by a client to an intended destination server. The on-premise gateway and the client are on-premise within the same private computer network. The on-premise gateway determines whether or not the data is to be scanned for security checks by a cloud scanning service provided by a cloud scanner on the Internet. The on-premise gateway redirects the data to the cloud scanner when the data is to be scanned in the cloud. Otherwise, when the data is not to be scanned in the cloud, the on-premise gateway forwards the data to the destination server without having the data scanned by the cloud scanner.

Abstract: A cloud access security system provides security to data stored in the cloud. The cloud access security system maintains version service information that indicates servers that service web services calls to particular versions of a cloud application service. Upon detection of a web service call to an unknown version of the cloud application service, the cloud access security system redirects the web service call to a known good server that services web service calls that are made to a previous version of the cloud application service. The cloud access security system may employ an encryption scheme that allows for partial decryption.

Abstract: A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a “fast path” firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a “slow-path” for intrusion detection and prevention.

Abstract: One embodiment relates to a method for providing a service which matches document fingerprints against a database of document fingerprints. Target text data on a mobile phone device is obtained, and target document fingerprints are generated for the target text data using a fingerprint generator on the mobile phone device. The target document fingerprints are transmitted to a service cloud. A feedback message is received from the service cloud. The feedback message depends on results from matching the target document fingerprints against the database of document fingerprints. Other embodiments, aspects and features are also disclosed.

Abstract: Detection of fake antivirus includes classifying text content of a user interface of an application program and scanning files associated with the application program for suspicious code. The user interface may be a graphical user interface (GUI) window of the application program. The text content may be obtained from a painted portion of the GUI window and by intercepting text changing operations performed on the GUI window. The text content may be input to a learning model to determine whether or not the application program belongs to the antivirus category. The application program is deemed to be fake antivirus when the application program is classified as belonging to the antivirus category and has a file with suspicious code.

Abstract: One embodiment relates to a computer-implemented method of preemptively scanning targets for malicious codes. Input qualities regarding said targets are received. A first computer-implemented procedure is applied to generate a measure of priority for scanning of said targets. Targets are selected for preemptive scanning using said measure of priority. In addition, resource utilization inputs may be received, and a second computer-implemented procedure may be applied to determine a system resource usage level using the resource utilization inputs. In that case, the malware scanning may be performed opportunistically based on the system resource usage level. Other embodiments, aspects and features may also be disclosed.

Abstract: A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data.

Abstract: Difference data is generated between a reference file and a target file that are orderly dependent having common blocks that appear in the same order in both the reference and target files. The difference data is generated by comparing hash values of chunks of the reference file against hash values of parts of the target file to identity copy operations between the reference and target files. Chunks of the reference file and parts of the target file are loaded into main memory to create hashes for comparison and unloaded from the main memory after exhaustion. The difference data is included in a difference file, which is provided to one or more endpoint computers. In an endpoint computer, the target file is reconstructed using a copy of the reference file and the difference data from the difference file.

Abstract: Trap data is stored in a mobile computing device. A lightweight engine monitors outgoing communications in the mobile computing device for the trap data. Data leakage is deemed to have been detected in the mobile computing device when an outgoing communication includes the trap data. A cloud service hosted by a backend system may also be monitoring for the trap data. In the case where the trap data is a trap e-mail address, the cloud service may monitor for an e-mail that is addressed to the trap e-mail address. In response to receiving the e-mail, the cloud service may consult a database to determine that the trap e-mail address is stored in the mobile computing device. Receiving the e-mail indicates that data leakage is occurring in the mobile computing device.