Abstract: Embodiments determine event, e.g., performance degradation, security breach, etc., occurrence based on telemetry data. An embodiment receives telemetry data, e.g., data based on an HTTP transaction, and a rule associated with the telemetry data. The rule defines one or more filters for processing the telemetry data. In turn, a rule engine is modified in accordance with the received rule. The received telemetry data is processed with the modified rule engine to determine event occurrence.

Abstract: Embodiments assess security vulnerability of an application. An embodiment identifies one or more executables associated with an application and identifies one or more libraries associated with the application. In turn, based on the identified one or more executables and identified one or more libraries, static vulnerability of the application and dynamic vulnerability of the application are determined. Then, an indication of security vulnerability of the application is generated based on the determined static vulnerability and the determined dynamic vulnerability.

Abstract: Embodiments protect computer applications from memory deserialization attacks. An example embodiment receives a data object at a server hosting a software application. In turn, an aspect of the received data object is compared with a representation of an expected data object. If the comparison identifies a difference between the aspect of the received data object and the representation of the expected data object, a protection action is executed to limit a property of the received data object, thus protecting the software application from a memory deserialization attack.

Abstract: Embodiments identify vulnerabilities in, e.g., a web application. An embodiment first, searches a database to identify payload characteristics for a Hypertext Transfer Protocol (HTTP) request associated with a uniform resource locator (URL) of a web application. In turn, one or more payloads with characteristics corresponding to the identified payload characteristics are obtained. Next, the HTTP request with the obtained one or more payloads is sent to the URL. Then, one or more responses to the HTTP request sent with the obtained one or more payloads are observed to determine if the web application includes one or more vulnerabilities.

Abstract: Embodiments provide improved functionality to monitor processes. One such embodiment is directed to a system that includes a centralized database storing approved file signatures. The system also includes a processor that is configured, in response to a user request to run an executable file, to suspend a process implementing execution of the executable file. In turn, the processor determines a signature of the executable file and compares the determined signature of the executable file to the approved file signatures stored in the centralized database. Then, the processor maintains or stops suspension of the process based on the comparison. In an embodiment, the processor stops suspension if the signatures match and takes a protection action if the signatures do not match.

Abstract: Embodiments detect security vulnerabilities, e.g., backdoors, in applications. An embodiment reverses object code of a computer application to generate source code of the computer application. In turn, the generated source code is compared to trusted source code of the computer application to detect a security vulnerability in the object code of the computer application. Embodiments can take one or more protection actions, e.g., sending a notification or preventing execution of the object code, amongst other examples, in response to detecting the security vulnerability.

Abstract: Embodiments protect a computer application from being exploited by an attacker, while the application code is executed by a speculative execution engine having vulnerabilities. Embodiments are directed to systems that, prior to execution of the application by a speculative execution engine, locate a sequence of instructions of the application in which the speculative execution engine executes the instructions out of sequence. For example, the sequence of instructions may be an “if-then” code block. The systems determine a disposition that forces the speculative execution engine to execute the instructions in sequence. For example, the disposition may be adding a fence instruction to the sequence of instructions. During execution of the application code by the speculative execution engine, the systems change the sequence of instructions based on the disposition. The systems execute the changed sequence of instructions in place of the located sequence of instructions to prevent an attack on the application.

Abstract: Embodiments protect computer applications from code injection attacks. An example embodiment includes a runtime memory protection (RMP) user endpoint agent and an RMP kernel driver component. The RMP user endpoint agent receives, from the RMP kernel driver component, representations of events occurring with respect to memory locations associated with a computer application and processes the received representations to determine if a given event includes at least one of a memory permissions change request, a memory write request, and a thread create request. If the given event is determined to include at least one of a memory permissions change request, a memory write request, and a thread create request, the RMP user endpoint agent declares a code injection attack and sends an alarm indication to the RMP kernel driver component. In response to receiving the alarm indication, the RMP kernel driver component implements a protection action.

Abstract: Embodiments assess security vulnerability of an application. An embodiment runs one or more static and dynamic analysis tools on the application to generate a static vulnerability report and a dynamic vulnerability report. In turn, code of the application is decompiled to identify code of the application that accepts user input. One or more vulnerabilities of the application are determined using the identified code of the application that accepts user input and a vulnerability report is generated that indicates the one or more vulnerabilities of the application determined using the identified code of the application that accepts user input. A final static vulnerability report and a final dynamic vulnerability report are generated based on the static and dynamic vulnerability reports and the generated vulnerability report indicating the one or more vulnerabilities of the application determined using the identified code of the application that accepts user input.

Abstract: Embodiments are directed to systems that attempt to establish trust in relation to operations on a customer endpoint of a computer network. The systems monitor, in real-time, operations to file systems, registries, application processes and threads, and OS kernels at the customer endpoint. The systems maintain compute components affected by the operation in a quarantine state. The systems then attempt to establish trust in the affected compute components (e.g., by applying rule-based policies). The systems remove the affected compute components from the quarantine state, if trust of the one or more affected compute components is established. The systems execute callback routines to mitigate results of the operation, if trust of the affected compute components is not established.

Abstract: A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.

Abstract: In example embodiments, systems and methods extract a model of a computer application during load time and store the model in memory. Embodiments may insert instructions into the computer application at run time to collect runtime state of the application, and analyze the collected data against the stored model to perform detection of security events. Embodiments may also instrument an exception handler to detect the security events based on unhandled memory access violations. Embodiments may, based upon the detection of the security events, dynamically respond, such as by modify a computer routine associated with an active process of the computer application. Modification may include installing or verifying an individual patch in memory associated with the computer application.

Abstract: One example method and correspond apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.

Abstract: In an example embodiment, a system analyzes a set of computer routines. The system may perform an analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set. Based upon the analysis, the system may identify one or more computer routines of the set having the likelihood of vulnerability. The system may asynchronously and dynamically manipulate at least one of the one or more computer routines through a testing technique. The system may determine unexpected behavior of at least one of the one or more computer routines.

Abstract: In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime.

Abstract: In an example embodiment, a system detects unauthorized database queries made by a maliciously formed web request. The system captures a web request for a web application and one or more database queries triggered in response to the web request during runtime. If the captured web request matches a valid web request in a table of valid web requests for the web application, the system checks if each captured database query matches a valid database query mapped to the valid web request in the table. The system may declare an injection attack if at least one captured database query does not match a valid database query mapped to the valid web request, or may perform additional validation of the captured request and the at least one captured database query prior to declaring the attack. The system may form the table of valid web requests using a dynamic simulation process, using static code analysis, or a combination of both.

Abstract: Example systems generate a dataset for tuning an analyzer to probe activities related to a web facing application. The systems capture data streams received at a framework of the application. The systems also capture a first set of functions, a second set of functions, and database queries triggered by the framework processing the data streams. The systems match: (i) the first set of functions to packets of the data streams and (ii) the second set of functions to the database queries. For example, the systems may pattern match: (i) data in parameters of the first set of functions to data in fields of the packets and (ii) data in parameters of the second set of functions to data in expressions of the database queries. The systems extract matched functions and database queries into the dataset and probe activities of the application based on the dataset to detect security attacks.

Abstract: In an example embodiment, a system analyzes a set of computer routines. The system may perform an analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set. Based upon the analysis, the system may identify one or more computer routines of the set having the likelihood of vulnerability. The system may asynchronously and dynamically manipulate at least one of the one or more computer routines through a testing technique. The system may determine unexpected behavior of at least one of the one or more computer routines.

Abstract: A method or apparatus detects a memory corruption of at least one portion of memory during run-time and corrects the memory corruption of the at least one portion of memory by replacing the at least one portion of memory with a backup of the at least one portion of memory. In this way, memory corruption can be corrected in a timely fashion while minimizing security risks.

Abstract: In an example embodiment, a system may facilitate a root cause analysis associated with one or more computer applications. The system may receive a global time reference at the one or more computer applications. Each computer application may have a corresponding local time reference. Each computer application may synchronize its local time reference with the global time reference. The system may monitor at least one computer instructions of the computer applications with respect to the corresponding local time reference. The system may retrieve information associated with the at least one computer instruction. The system may forward at least a portion of the retrieved computer instruction information to a validation engine. The system may facilitate the root cause analysis using the at least a portion of the retrieved computer instruction information.