Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.

Abstract: Email synchronization between a mobile device and a messaging server may be performed through a mobile email protection system. The mobile email protection system may parse network traffic for the email synchronization to retrieve an email element of an email. The mobile email protection system may scan the email element for protected content indicated in preconfigured compliance templates. The mobile email protection system may also scan the email element for prohibited content to prevent the prohibited content from being received by the messaging server.

Abstract: A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data.

Abstract: Detection of an encryption or compression application program may be based on similarity between read files read by a process of the application program and write files written by the process. Read fingerprints of the read files and write fingerprints of the write files are generated. A listing of the read fingerprints is searched for presence of matching write fingerprints to find matched fingerprints. The similarity is calculated based on the read fingerprints and matched fingerprints.

Abstract: An endpoint computer in an enterprise network is configured to detect computer security threat events, such as presence of a computer virus. Upon detection of a threat event, the endpoint computer generates computer security threat data for the threat event. The threat data may include user identifiable data that can be used to identify a user in the enterprise network. The endpoint computer encrypts the user identifiable data prior to sending the threat data to a smart protection network or to an enterprise server where threat data from various enterprise networks are collected for analysis. The endpoint computer may also encrypt an identifier for the threat data and provide the encrypted identifier to the smart protection network and to an enterprise server in the enterprise network. The enterprise server may use the encrypted identifier to retrieve the threat data from the smart protection network to generate user-specific reports.

Abstract: Exploit nonspecific host intrusion prevention/detection methods, systems and smart filters are described. Portion of network traffic is captured and searched for a network traffic pattern, comprising: searching for a branch instruction transferring control to a first address in the memory; provided the first instruction is found, searching for a subroutine call instruction within a first predetermined interval in the memory starting from the first address and pointing to a second address in the memory; provided the second instruction is found, searching for a third instruction at a third address in the memory, located at a second predetermined interval from the second address; provided the third instruction is a fetch instruction, indicating the presence of the exploit; provided the third instruction is a branch instruction, transferring control to a fourth address in the memory, and provided a fetch instruction is located at the fourth address, indicating the presence of the exploit.

Abstract: Uniform resource locators (URLs) that include strings matching known malicious budget codes are deemed to be malicious URLs. Compromised websites and compromised IP addresses are identified from the malicious URLs. URLs obtained from network traffic to compromised domain names or compromised IP addresses are inspected to identify candidate budget codes. Candidate budget codes that are confirmed to be malicious budget codes are included in a watch list, which may be distributed to endpoint computers to detect phishing attacks.

Abstract: A method for encrypting a file using a combination of an electronic device and a protection communication-enabled (PCE) wireless device is provided. The method includes using an encryption/decryption engine executing on the electronic device to encrypt a first flag string, which is a binary string stored in a header of the file, with a digest value to create an encrypted flag string. The digest value is associated with the PCE wireless device, which is a device having a transmission application program installed thereon for enabling interaction between the PCE wireless device and the encryption/decryption engine. The method also includes encrypting at least a portion of the file using the digest value and a first password provided by a user, thereby generating an encrypted file that includes an encrypted version of at least a portion of the file, the encrypted flag string, and the first flag string.

Abstract: A secure real-time data replication system includes a key management server that provides keys to hosts that store encrypted data. Data to be written in one host is encrypted using a key received from the key management server; the encrypted data is stored in the host. A copy of the data is provided to another host for real-time data replication. In the other host, the copy of the data is encrypted using another key received from the key management server; the encrypted copy of the data is stored in the other host. Keys are provided by the key management server based on policy rules governing the keys.

Abstract: A technique for web filtering includes monitoring and recording completed DNS (domain name service) transactions involving a user computer. The user computer may thereafter issue an HTTP (hypertext transport protocol) request to a remote server computer, with the HTTP request including an IP address of the server computer instead of its domain name. The HTTP request may be correlated with the recorded completed DNS transactions to obtain the domain name of the server computer. The domain name of the server computer may be employed to determine the reputation of the domain name for web filtering purposes.

Abstract: A computer system includes a data collector and an anomaly detector. The data collector monitors network traffic/event log and sends monitoring data to the anomaly detector. The anomaly detector extracts values for a category of measure from the monitoring data and processes the values to generate a processed value. The anomaly detector predicts an expectation value of the category of measure based at least on time decayed residual processed values. The anomaly detector determines a deviation of the processed value from the expectation value to detect an anomaly event, and applies a security rule to the anomaly event to detect a security event.

Abstract: Phishing is detected by creating a message transfer agent (MTA) map, with each point on the MTA map referencing an MTA. Points on the MTA map are connected based on a number of emails with same signature sent by MTAs represented on the MTA map. Reference MTA groups are identified from the map. Phishing is detected when an MTA sent an email with the same signature as that of emails sent by MTAs belonging to a reference MTA group but the MTA is not a member of the reference MTA group.

Abstract: A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.

Abstract: Techniques for replacing ROM-based (Read-Only Memory) DLLs (Dynamic Link Libraries) in a Windows CE type embedded operating system such that the target DLL is replaceable by the hook DLL, and the target DLL is callable by the hook DLL but not callable directly by any other applications after loading of the hook DLL. The techniques enable replacement irrespective whether the hook DLL and the target DLL have the same name and irrespective of which DLL is loaded first. The techniques change the file name of the target DLL in a list of loaded DLL modules by a trusted program that executes in the full kernel mode.

Abstract: A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.

Abstract: A low resource mobile device, such as a smart phone or a tablet running a mobile operating system, requests a cloud computer system to inspect a mobile application for malicious content. The cloud computer system downloads the mobile application from a mobile application source, and installs the mobile application in a virtual machine sandbox. The cloud computer system inspects the mobile application for malicious content while the mobile application executes in the virtual machines sandbox. The result of the inspection is sent to the user in accordance with a setting that may be indicated in a cloud sandbox agent running on the mobile device.

Abstract: An end user navigates to a website using a web browser running in a personal computer. A web application in the personal computer retrieves a uniform resource locator (URL) of the website and wirelessly transmits the URL to a smartphone that is proximate to and in wireless communication with the personal computer by near field communication (NFC). A smartphone app in the smartphone retrieves a password of the end user based on the URL of the website, and wirelessly transmits the password to the personal computer by NFC. In the personal computer, the web application uses the password to login to the website. The password may be automatically entered into a corresponding input field of a login webpage.

Abstract: Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

Abstract: Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

Abstract: A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a “fast path” firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a “slow-path” for intrusion detection and prevention.