Abstract: Incoming files are examined to detect abnormal files. The incoming files may be examined for a weak file structure, such as a weak file format structure or a weak file data structure, to detect abnormal files. A weak file structure includes file structures that do not conform to the file format of the file yet still loadable by a file loader of the file format. The incoming files may also be examined for suspicious loading in memory to detect abnormal files.

Abstract: A mobile computing device includes a roaming bandwidth advisor for determining size information of web data (e.g., webpage, streaming media) before the web data is received in the mobile computing device. The mobile computing device may cooperatively work with a cloud computing system to obtain size information of the web data. Roaming fee information (e.g., the size of the web data and/or associated roaming fee) for receiving the web data is displayed on the mobile computing device before a request for the web data is sent out of the mobile computing device.

Abstract: One embodiment relates to an apparatus for in-the-cloud identification of spam and/or malware. The apparatus includes computer-readable code configured to be executed by the processor so as to receive queries, the queries including hash values embedded therein. The apparatus further includes computer-readable code configured to be executed by the processor so as to detect a group of hash codes which are similar and to identify the group as corresponding to an undesirable network outbreak. Another embodiment relates to an apparatus for in-the-cloud detection of spam and/or malware. The apparatus includes computer-readable code configured to be executed by the processor so as to receive an electronic message, calculate a locality-sensitive hash based on the message, embed the locality-sensitive hash into a query, and send the query to a central analysis system via a network interface. Other embodiments, aspects and features are also disclosed.

Abstract: A method and a system for efficient search of string patterns characterized by positional relationships in a character stream are disclosed. The method is based on grouping string patterns of a dictionary into at least two string sets and performing string search processes of a text of the character stream based on individual string sets with the outcome of a search process influencing a subsequent search process. A system implementing the method comprises a dictionary processor for generating string sets with corresponding text actions and search actions, a conditional search engine for locating string patterns belonging to at least one string set in a text according to a current search state, a text operator for producing an output text according to search results, and a search operator for determining a subsequent search state.

Abstract: A method for efficiently decrypting asymmetric SSL pre-master keys is divided into a key agent component that runs in user mode, and an SSL driver running in kernel mode. The key agent can take advantage of multiple threads for decoding keys in a multi-processor environment, while the SSL driver handles the task of symmetric decryption of the SSL encrypted data stream. The method is of advantage in applications such as firewalls with deep packet inspection in which all encrypted data traffic passing through the firewall must be decrypted for inspection.

Abstract: An ANDROID application package (APK) file for an application is repackaged into a secured APK file to protect a Dalvik executable (DEX) file of the application. The DEX file is encrypted to generate an encrypted DEX file that is included in the secured APK file along with a stub DEX file. The secured APK file is received in a mobile computing device where the stub DEX file is started to start a wrapper Activity. The wrapper Activity replaces an APK class loader of a mobile operating system of the mobile computing device with a decryptor class loader. The decryptor class loader decrypts the encrypted DEX file to recover the DEX file, and loads classes of the DEX file into a Dalvik virtual machine. The original Activity of the application is then started to provide the functionality of the application in the mobile computing device.

Abstract: A server computer provides centralized key management services to several computers having encrypted files or file systems. The server computer receives key requests from the computers. The server computer issues a key to a computer that passes an integrity check. The key is used to unlock an encrypted file or file system in the computer. When the computer fails another integrity check after receiving the key, indicating a change in the security posture of the computer, the server computer may revoke the key automatically or upon receipt of an instruction from a key administrator.

Abstract: An intrusion prevention/detection system filter (IPS filter) performance evaluation is provided. The performance evaluation is performed at both the security center and at the customer sites to derive a base confidence score and local confidence scores. Existence of new vulnerability is disclosed and its attributes are used in the generation of new IPS filter or updates. The generated IPS filter is first tested to determine its base confidence score from test confidence attributes prior to deploying it to a customer site. A deep security manager and deep security agent, at the customer site, collect local confidence attributes that are used for determining the local confidence score. The local confidence score and the base confidence score are aggregated to form a global confidence score. The local and global confidence scores are then compared to deployment thresholds to determine whether the IPS filter should be deployed in prevention or detection mode or sent back to the security center for improvement.

Abstract: Methods and apparatus for detecting cross-site request forgery (CSRF) attacks include a CSRF detector that analyzes HTTP communications for information indicative of a CSRF attack. The CSRF detector may analyze HTTP responses from a website for CSRF code that automatically performs unauthorized access of an online account of a user of a user computer upon receipt and execution of the CSRF code in the user computer. The CSRF detector may also analyze HTTP requests from a web browser for information indicative of a CSRF attack.

Abstract: Virtual machine images in a cloud computing environment may be certified using a validator machine image. The validator machine image is configured to boot a validator virtual machine, which boots a virtual machine off a virtual machine image from among virtual machine images available in the catalog of the cloud computing environment. The validator virtual machine may scan the virtual machine for malware, including computer viruses. A virtual machine image from among the virtual machine images may be packaged to include a certifier agent that verifies the virtual machine image upon execution. Reputation of virtual machine images may be stored in a virtual machine image reputation database and made available by way of a portal.

Abstract: A cloud security service is made available to endpoint computers. Network traffic from originating application programs running on endpoint computers are redirected to the cloud security service based on characteristics of the originating application programs. Network traffic from an originating application program may be redirected to the cloud security service by way of a virtual private network (VPN) tunnel or generic routing encapsulation (GRE) tunnel between an endpoint computer and a cloud computing system hosting the cloud security service, for example. Network traffic from an originating application program may also be routed from an endpoint computer to a gateway system, and then redirected from the gateway system to the cloud computing system. The cloud security service may drop or forward network packets of the network traffic depending on a result of scanning the network packets.

Abstract: A client computer runs a communicator employed to connect to a server computer in a cloud. The communicator is updated on a regular basis to update its algorithms for processing raw data into secured data. The server computer receives and validates the secured data, and attempts to update the communicator if the secured data is invalid. The server computer may deem the client computer as being infected when the update is reinitiated a predetermined number of times. The raw data may be restructured, or encrypted using an encryption scheme where the key used for the encryption is not provided to the receiver of the data. The algorithm for data restructuring and encryption may be included in the update to the communicator. Communication between the client computer and the server computer may be on a dynamically selected channel indicated in a previous communication.

Abstract: A client computer runs a communicator employed to connect to a server computer in a cloud. The communicator is updated on a regular basis to update its algorithms for processing raw data into secured data. The server computer receives and validates the secured data, and attempts to update the communicator if the secured data is invalid. The server computer may deem the client computer as being infected when the update is reinitiated a predetermined number of times. The raw data may be restructured, or encrypted using an encryption scheme where the key used for the encryption is not provided to the receiver of the data. The algorithm for data restructuring and encryption may be included in the update to the communicator. Communication between the client computer and the server computer may be on a dynamically selected channel indicated in a previous communication.

Abstract: A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be implemented as an article of manufacture having a processor-readable storage medium having instructions stored thereon for execution by a processor, causing the processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

Abstract: A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be implemented as an article of manufacture having a processor-readable storage medium having instructions stored thereon for execution by a processor, causing the processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

Abstract: A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be implemented as an article of manufacture having a processor-readable storage medium having instructions stored thereon for execution by a processor, causing the processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

Abstract: A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be implemented as an article of manufacture having a processor-readable storage medium having instructions stored thereon for execution by a processor, causing the processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

Abstract: Visualization for presenting event information indicative of a computer security threat is automatically selected from available visualizations. Event information received from data sources is assigned a category prior to being stored in an event log. The event log may be searched for relevant event information using the assigned categories. Visualizations applicable to the relevant event information are retrieved and given an importance score, which may be based on execution of prioritization algorithms using corresponding relevant event information. The retrieved visualizations are ranked based on their importance scores. One or more retrieved visualizations that have the best importance scores relative to other retrieved visualization are selected for rendering.

Abstract: An application-based routing arrangement for routing a plurality of data packets associated with a set of applications partially through a network is provided. The application based policy includes the first set of rules associated with the first application of the set of applications, which includes the first routing specification for routing the first set of data packets. The application routing table is configured to dynamically update the first set of parameters when the first application is connected to the network. The application routing table also includes a hook module to configure the matching of the first data packet associated with the first application against the application routing table to determine the first routing specification using the first routing specification if a match is found.

Abstract: One embodiment relates to a computer-implemented method for generating difference data between reference and target files. A difference engine performs a first procedure to generate difference data representing the difference between the reference and target files if the reference and target files are sequences of sorted data records. The first procedure may compare a lexical order of a record from the reference file against a lexical order of a record from the target file. An entry may be added to a copy list if the records are the same, and an entry may be added to an add list if that the record from the reference file is lexically greater than the record from the target file. Another embodiment relates to an apparatus for generating difference data.