Abstract: There are provided measures for satellite coverage change handling. Such measures exemplarily include, at a network entity managing a first cell of a mobile network and a second cell of said mobile network, the first cell covering a geographical area, and the second cell covering said geographical area, maintaining assignment of a first satellite beam corresponding to a first passing satellite to said first cell, a first satellite beam coverage of said first satellite beam overlapping with said geographical area, determining entrance of a second satellite beam coverage of a second satellite beam corresponding to a second passing satellite into said geographical area, assigning said second satellite beam to said second cell, and deciding to trigger handover of a terminal located within said second satellite beam coverage within said geographical area and served by said first cell to said second cell.

Abstract: According to one embodiment, a malware detection software being loaded into non-transitory computer readable medium for execution by a processor. The malware detection software comprises exploit detection logic, rule-matching logic, reporting logic and user interface logic. The exploit detection logic is configured to execute certain event logic with respect to a loaded module. The rule-matching logic includes detection logic that is configured to determine whether an access source is attempting to access a protected region and determine whether the access source is from a dynamically allocated memory. The reporting logic includes alert generating logic that is configured to generate an alert while the user interface logic is configured to notify a user or a network administrator of a potential cybersecurity attack.

Abstract: A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The multi-stage static detection logic includes a controller, a de-constructor, and a post-processor. The controller is configured to receive content while the de-constructor configured to receive content from the controller and deconstruct the content using the analysis technique selected by the controller. The post-processor is configured to receive the de-constructed content from the de-constructor, determine whether a specimen within the de-constructed content is suspicious, and remove non-suspicious content from further analysis.

Abstract: Systems, computer readable media, apparatuses, and methods are disclosed for segregating executable files exhibiting network activity. An example apparatus includes at least one processor and memory including instructions which, when executed, cause the at least one processor to launch an executable file in a segmented portion of a computing system to load one or more dynamically linked libraries (DLLs) associated with the executable file into a process environment block (PEB) of the segmented portion, enumerate the PEB to generate an address list of the one or more DLLs, scan the one or more DLLs to determine whether the one or more DLLs are to perform network activity, and perform malware analysis on the executable file when at least one of the one or more DLLs are to perform network activity.

Abstract: By hooking application programming interfaces in an execution environment, the return address for hooked application programming interface calls can be logged and used to determine when a packed binary has been unpacked. In one approach, memory allocations are detected and the return address is checked against the memory regions allocated. In another approach, the contents of memory at the return address in a pre-execution copy of the executable binary is compared with the contents of memory at the return address in the executing copy of the binary. This allows efficient detection of the completion of unpacking without knowledge of the unpacking technique. The unpacked binary may then be analyzed for possible malware.

Abstract: According to one embodiment, a system comprising a dynamic analysis server comprising one or more virtual machines is disclosed, wherein the one or more virtual machines may be configured to execute certain event logic with respect to a loaded module. The virtual machines may be communicatively coupled to a virtual machine manager and a database; and rule-matching logic comprising detection logic, wherein the detection logic is configured to determine (1) whether an access source is attempting to access a protected region such as a page guarded area; and (2) determine whether the access source is from the heap. The system further comprises reporting logic that is configured to generate an alert so as to notify a user and/or network administrator of a probable application-execution hijacking attack.

Abstract: Systems, computer readable media, apparatuses, and methods are disclosed for segregating executable files exhibiting network activity. An example apparatus includes at least one processor and memory including instructions which, when executed, cause the at least one processor to launch an executable file in a segmented portion of a computing system to load one or more dynamically linked libraries (DLLs) associated with the executable file into a process environment block (PEB) of the segmented portion, enumerate the PEB to generate an address list of the one or more DLLs, scan the one or more DLLs to determine whether the one or more DLLs are to perform network activity, and perform malware analysis on the executable file when at least one of the one or more DLLs are to perform network activity.

Abstract: An executable file is loaded into memory. The executable file is analyzed to determine whether one or more dynamically linked libraries are referenced in an import table of the file. It can then be determined whether one or more dynamically linked libraries is adapted to contact a network.

Abstract: A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The system is configured to identify obfuscated content, de-obfuscate obfuscated content, identify suspicious characteristics in the de-obfuscated content, execute a virtual machine to process the suspicious network content and detect malicious network content while removing from further analysis non-suspicious network content.

Abstract: An executable file is loaded into memory. The executable file is analyzed to determine whether one or more dynamically linked libraries are referenced in an import table of the file.

Abstract: A method is disclosed that includes selecting at an apparatus a user equipment for an automatic neighbor relations measurement based on a determination one or more parameters associated with the user equipment meet one or more scenarios. The method includes initiating by the apparatus an automatic neighbor relations measurement procedure for the selected user equipment. The method includes awaiting at the apparatus for a conclusion of the initiated automatic neighbor relations measurement procedure. Apparatus and program products are also disclosed.

Abstract: By hooking application programming interfaces in an execution environment, the return address for hooked application programming interface calls can be logged and used to determine when a packed binary has been unpacked. In one approach, memory allocations are detected and the return address is checked against the memory regions allocated. In another approach, the contents of memory at the return address in a pre-execution copy of the executable binary is compared with the contents of memory at the return address in the executing copy of the binary. This allows efficient detection of the completion of unpacking without knowledge of the unpacking technique. The unpacked binary may then be analyzed for possible malware.

Abstract: Systems and techniques for improved mobility robustness optimization. A user device experiencing a radio link failure sends a radio link failure report upon successfully connecting to a cell. The radio link failure report is routed to an appropriate cell, such as the cell where the radio link failure occurred. Radio conditions measurement information appearing in the radio link failure report is compared against each possible applicable threshold that might have been used by the user device, and a failure event is recorded for each comparison that indicates a failure, such as a radio link failure or handover failure. The failure event information is forwarded to suitable network elements for analysis and improvement of mobility robustness optimization operations.

Abstract: Systems and techniques for improved mobility robustness optimization. A user device experiencing a radio link failure sends a radio link failure report upon successfully connecting to a cell. The radio link failure report is routed to an appropriate cell, such as the cell where the radio link failure occurred. Radio conditions measurement information appearing in the radio link failure report is compared against each possible applicable threshold that might have been used by the user device, and a failure event is recorded for each comparison that indicates a failure, such as a radio link failure or handover failure. The failure event information is forwarded to suitable network elements for analysis and improvement of mobility robustness optimization operations.

Abstract: A method is disclosed that includes selecting at an apparatus a user equipment for an automatic neighbor relations measurement based on a determination one or more parameters associated with the user equipment meet one or more scenarios. The method includes initiating by the apparatus an automatic neighbor relations measurement procedure for the selected user equipment. The method includes awaiting at the apparatus for a conclusion of the initiated automatic neighbor relations measurement procedure. Apparatus and program products are also disclosed.

Abstract: A system includes an access network and an authentication server. The access network: requests and receives a hardware ID for a terminal attempting access to a network that provides access to a service; constructs a user ID that includes the hardware ID; forwards the user ID for use in a first authentication process for the terminal; and receives a response that indicates an authorization status for the terminal. The authentication server: receives the user ID; determines, from the user ID, the authorization status for the terminal, which identifies at least one of whether the terminal is authorized to use the service and whether the terminal is local or roaming; and provides the response to the access network, which indicates the authorization status.