Patents Assigned to TrustWave Holdings, Inc.
-
Patent number: 12206687
Abstract: Several features of cybersecurity frameworks are disclosed. In one example, a computing platform receives, from an enterprise user device, cyber threat investigation information indicating actions performed to address an identified threat for a client through an incident response lifecycle of the identified threat. This computing platform receives, from a client user device, a request for the cyber threat investigation information, and generates, using this cyber threat investigation information, a client interface, which includes a time-series graphical representation of the actions performed to address the identified threat and a play button, selection of which may cause automated progression through the time-series graphical representation within the client interface. This computing platform sends, to the client user device, the client interface and commands to display the client interface, which may cause the client user device to display the client interface.
Type: Grant
Filed: December 29, 2022
Date of Patent: January 21, 2025
Assignee: Trustwave Holdings Inc
Inventor: Brian McNelly
-
Patent number: 10785253
Abstract: Methods, systems, and apparatus for use in a distributed client-side user monitoring and attack system are disclosed herein. An example method includes providing a first set of instructions from a security application server to a target application server, the first set of instructions to, when executed, cause a client device to transmit a request for an image to the security application server. In response to the request for the image, a connection is opened between the client device and the security application server. Via the connection opened in response to the request for the image, a second set of instructions is provided to cause the client device to perform a vulnerability test on the target application server and communicate a result of the vulnerability test via the connection.
Type: Grant
Filed: February 4, 2019
Date of Patent: September 22, 2020
Assignee: Trustwave Holdings Inc
Inventors: Tyler Rorabaugh, Quoc Quach, Matthew Batema, Jim Hong, Scott Parcel
-
Patent number: 10498722
Abstract: Methods, apparatus, systems and articles of manufacture to issue digital certificates are disclosed. An example apparatus includes a certificate issuer to communicate, from a first entity, a digital certificate to be signed with a request for identifiers, and a value receiver to receive, at the first entity, a first value uniquely identifying a second value from a second entity and, after a period for accepting identifiers has ended, receiving, at the first entity, the second value from the second entity, the certificate issuer to combine, at the first entity, the second value and a third value to generate a certificate identifier for the digital certificate and to issue the digital certificate with the certificate identifier.
Type: Grant
Filed: February 27, 2017
Date of Patent: December 3, 2019
Assignee: Trustwave Holdings Inc.
Inventor: Timothy John Hollebeek
-
Patent number: 10200398
Abstract: Methods, systems, and apparatus for use in a distributed client-side user monitoring and attack system are disclosed herein. An example method includes providing a first set of instructions from a security application server to a target application server, the first set of instructions to, when executed, cause a client device to transmit a request for an image to the security application server. In response to the request for the image, a connection is opened between the client device and the security application server. Via the connection opened in response to the request for the image, a second set of instructions is provided to cause the client device to perform a vulnerability test on the target application server and communicate a result of the vulnerability test via the connection.
Type: Grant
Filed: September 22, 2017
Date of Patent: February 5, 2019
Assignee: Trustwave Holdings, Inc.
Inventors: Tyler Rorabaugh, Quoc Quach, Matthew Batema, Jim Hong, Scott Parcel
-
Patent number: 10121005
Abstract: Virus detection by executing electronic message code in a virtual machine is disclosed. An example method includes detecting that an electronic message includes executable code, the electronic message designating a destination recipient. Two or more destination computing systems are identified for the electronic message corresponding to the destination recipient specified in the electronic message prior to delivery of the electronic message to the two or more destination computing systems, the two or more destination computing systems including a first destination computing system and a second destination computing system different from the first destination computing system. Two or more simulation environments corresponding to the two or more destination computing systems are identified. The executable code is executed in the two or more simulation environments. The two or more simulation environments are monitored for a malicious action.
Type: Grant
Filed: May 15, 2017
Date of Patent: November 6, 2018
Assignee: TRUSTWAVE HOLDINGS, INC
Inventors: Walter L. Marsden, David L. Green
-
Patent number: 9992014
Abstract: Methods for cryptographic delegation and enforcement of dynamic access to stored data are disclosed. An example method includes generating for a first modified data block, a new per-block hash value using as a hash function input data contained in the first modified data block or a new per-block hash message authentication code (HMAC) using as hash function inputs a new per-block hash key and data contained in the first modified data block, writing the new per-block hash value or the new per-block HMAC to data block metadata associated with the modified data block in the protected data object, and writing the first modified data block to one of the data blocks of the protected data object.
Type: Grant
Filed: January 30, 2017
Date of Patent: June 5, 2018
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventors: John Patrick McGregor, Jr., Matthew N. White
-
Patent number: 9774617
Abstract: An embodiment invention provides a new way of creating a distributed client side user monitoring and attack system for use within the security market. In one embodiment of the invention, a distributed client side user monitoring and attack system, includes: a security application server; a target application server; a target application; and a first code in the target application to permit backchannel communications with the security application server.
Type: Grant
Filed: October 15, 2013
Date of Patent: September 26, 2017
Assignee: Trustwave Holdings, Inc.
Inventors: Tyler Rorabaugh, Quoc Quach, Matthew Batema, Jim Hong, Scott Parcel
-
Patent number: 9667589
Abstract: A system and method for managing logical and physical address state lifecycles. A state of unknown can be assigned to an address when the state has not been assigned. The state of the address is changed when communication is targeted to the address. The state can be changed to unfulfilled when the communication includes an address resolution protocol request sent to a device having the address when a time limit for a response to the address resolution protocol request has not expired. The state can be changed to virtual when the communication is received at the address when the state of the address is unfulfilled, and a time limit for responding to the communication expires before a response is sent. The state can be changed to unknown when the state of the address is not unknown, and the address does not participate in the communication within a time limit.
Type: Grant
Filed: September 4, 2012
Date of Patent: May 30, 2017
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
-
Patent number: 9652613
Abstract: An intermediary isolation server receives electronic messages and isolates any viral behavior from harming its intended destination. After the intermediary receives an electronic message, it determines that the electronic message has associated executable code, and then identifies the environment in which the electronic message code would be executed if delivered. The intermediary then executes the code by emulating how it would be executed in its ultimate environment. If a viral-like behavior is detected, appropriate action is taken to prevent the execution of the code at its intended destination. The attachment is executed in a contained environment that allows for the contained environment to be easily restarted in a clean state.
Type: Grant
Filed: April 30, 2008
Date of Patent: May 16, 2017
Assignee: Trustwave Holdings, Inc.
Inventors: Walter L. Marsden, David E. Green
-
Patent number: 9619651
Abstract: A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure of the transaction baseline to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target. The method may further include, receiving a feedback from the target to determine fault occurrence. An apparatus for testing a target in a network by fault injection, includes: a driver configured to generate patterns, where a pattern can generate a plurality of packets for transmission to the target, the pattern being represented by an expression with a literal string and a wild character class; and a network interface coupled to the driver and configured to transmit and receive network traffic.
Type: Grant
Filed: November 4, 2009
Date of Patent: April 11, 2017
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventors: Penny C. Leavy, Michael Gregory Hoglund, Jonathan Walter Gary, Riley Dennis Eller
-
Patent number: 9559837
Abstract: Efficient methods for assigning, revoking, and realizing access to stored data involve a cryptographic key hierarchy and a set of operations performed on cryptographic keys and performed on the data objects to be protected. In addition to providing confidentiality and integrity for data objects, the methods allow access to selected data objects to be permanently revoked for all entities without requiring all instances of the data objects to be destroyed or overwritten. The methods also support access right modifications for a data object without requiring the re-encryption of the entire data object; instead, certain keys are selectively re-encrypted and re-authenticated to implement access control changes. The key hierarchy is parameterized to enable flexible performance tuning, and to provide efficient random access, keying and other security operations are performed for individual blocks within a data object rather than only for the entire data object.
Type: Grant
Filed: September 5, 2014
Date of Patent: January 31, 2017
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventors: John Patrick McGregor, Matthew N. White
-
Patent number: 9544324
Abstract: In an embodiment of the invention, a system for assessing vulnerabilities includes: a security management system; a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that is known by the network device.
Type: Grant
Filed: March 5, 2013
Date of Patent: January 10, 2017
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventor: Scott Parcel
-
Patent number: 9489515
Abstract: Blocking transmission of tainted data using dynamic data tainting is described. For example, sensitive information is stored on a client device as tainted data. The client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and the network. The gateway receives computer code from the non-trusted entity via the network. The gateway executes the computer code. The gateway tracks the execution of the computer code to determine whether the computer code attempts to access tainted data and transmit the tainted data to an outside entity. The gateway blocks the transmission of the tainted data to the outside entity responsive to determining that the computer code has attempted to access tainted data and transmit the tainted data to an outside entity.
Type: Grant
Filed: June 9, 2011
Date of Patent: November 8, 2016
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventors: Alexander Yermakov, Mark Kaplan
-
Patent number: 9177142
Abstract: The present invention provides a method for determining the likelihood that an electronic document contains embedded malware. After parsing or sequencing an electronic document, the metadata structures that make up the document are analyzed. A number of pre-established rules are then applied with respect to certain metadata structures that are indicative of embedded malware. The application of these rules results in the generation of a score for the electronic document being tested for embedded malware. The score is then compared to a threshold value, where the threshold value was previously generated based on a statistical model relating to electronic documents having the same format as the document being tested. The result of the comparison can then be used to determine whether the document being tested is or is not likely to contain embedded malware.
Type: Grant
Filed: October 14, 2011
Date of Patent: November 3, 2015
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventor: Rodrigo Ribeiro Montoro
-
Patent number: 9172675
Abstract: Methods and apparatus for network communication are disclosed. An example method includes sending an initial packet to a network device, receiving a response packet that is a response to the initial packet and includes a parameter that does not match the initial packet, determining that the response packet is a response to the initial packet, and in response to determining that the response packet is a response, determining that the network device is responsive to network requests.
Type: Grant
Filed: May 29, 2012
Date of Patent: October 27, 2015
Assignee: TRUSTWAVE HOLDINGS, INC.
Inventor: Jonathan Claudius
-
Patent number: 9135439
Abstract: Methods, apparatus, systems and articles of manufacture to detect risks using application protocol headers are disclosed. An example method includes extracting characteristics from a header of a received hypertext transport protocol (HTTP) request, determining a first score corresponding to a first characteristic of the characteristics, determining a second score corresponding to a second characteristic of the characteristics, adding the first score and the second score to determine a combined score, and indicating that the received HTTP request is malware when the combined score meets a threshold.
Type: Grant
Filed: March 15, 2013
Date of Patent: September 15, 2015
Assignee: Trustwave Holdings, Inc.
Inventor: Rodrigo Ribeiro Montoro
-
Patent number: 9081961
Abstract: Analyzing computer code using a tree is described. For example, a client device generates a data request for retrieving data from a non-trusted entity via a network. A gateway is communicatively coupled to the client device and to the network. The gateway is configured to receive computer code from the non-trusted entity via the network. The gateway builds a tree representing the computer code. The tree has one or more nodes. A node of the tree represents a statement from the computer code. The gateway analyzes the statement to identify symbol data. The symbol data describes a name of the variable and the value of the variable. The gateway stores the symbol data in a symbol table.
Type: Grant
Filed: June 9, 2011
Date of Patent: July 14, 2015
Assignee: Trustwave Holdings, Inc.
Inventors: Alexander Yermakov, Mark Kaplan
-
Patent number: 8914879
Abstract: A system and method for improving code coverage for web code that is analyzed for security purposes by dynamic code execution are described. A controller receives information, routes the information to the appropriate engine, analyzer or module and provides the functionality for improving code coverage for code analyzed for security purposes. A code rewrite engine rewrites code in such a way that all branches and stray functions will be executed. A dynamic analyzer performs dynamic analysis on web content to detect malicious code. Additionally, a static analyzer performs static analysis on web content. The static analyzer scans web content and detects a style of coding, a style of obfuscation of the code or patterns in the code.
Type: Grant
Filed: June 7, 2011
Date of Patent: December 16, 2014
Assignee: Trustwave Holdings, Inc.
Inventors: Artem Melnik, Mark Kaplan
-
Patent number: 8893278
Abstract: Rules describing attributes of malicious data requests, commonly generated by malware, are determined and stored. For example, a behavior server executes different types of malware and analyzes the data requests produced by the malware to identify attributes common to different malicious data requests. The rules describing malicious data request attributes are stored and subsequent data requests are compared to the stored rules to identify malicious data requests. If a data request has one or more attributes in common with attributes of malicious data requests, the data request is blocked. This allows attributes of a data request to be used to prevent malware executing on a client device from communicating with a malicious server.
Type: Grant
Filed: July 12, 2011
Date of Patent: November 18, 2014
Assignee: Trustwave Holdings, Inc.
Inventor: Daniel Chechik
-
Patent number: 8881278
Abstract: A system and method for detecting malicious code in web content is described. A controller receives information, routes the information to the appropriate module and determines whether a user receives the web content or a report of a detection of malicious code. A vulnerability definition generator generates vulnerability definitions. A parser parses web content into static language constructions. A translation engine translates the static language constructions into trap rules, translates the web content into application programming interface (API) calls and determines whether the API calls trigger any of the trap rules. A sandbox engine generates an environment that mimics a browser and executes dynamic parts of the web content and determines whether a dynamic part triggers a trap rule.
Type: Grant
Filed: June 10, 2011
Date of Patent: November 4, 2014
Assignee: Trustwave Holdings, Inc.
Inventors: Mark Kaplan, Alexander Friger, Peter Novikov