Patents by Inventor Art Shelest

Art Shelest has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9270646
    Abstract: The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function.
    Type: Grant
    Filed: April 20, 2009
    Date of Patent: February 23, 2016
    Assignee: Citrix Systems, Inc.
    Inventor: Art Shelest
  • Patent number: 9003048
    Abstract: A computer assigns networks to network zones based on predefined properties for each zone and/or the properties of the networks. An application program installed on the computer provides the computer with preference information that indicates the network zone whose network policies or properties are best suited for the application program. Thereafter, when executing the application program, the computer limits network contact for the application program to the network(s) that is assigned to the network zone(s) identified as a preferred network zone(s) or identified by a preferred network property or properties by the preference information from the application program.
    Type: Grant
    Filed: April 1, 2003
    Date of Patent: April 7, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Art Shelest, Richard B. Ward
  • Patent number: 8473744
    Abstract: Disclosed is an authentication mechanism that enables an information recipient to ascertain that the information comes from the sender it purports to be from. This mechanism integrates a private/public key pair with selection by the sender of a portion of its address. The sender derives its address from its public key, for example, by using a hash of the key. The recipient verifies the association between the address and the sender's private key. The recipient may retrieve the key from an insecure resource and know that it has the correct key because only that key can produce the sender's address in the message. The hash may be made larger than the sender-selectable portion of the address. The recipient may cache public key/address pairs and use the cache to detect brute force attacks and to survive denial of service attacks. The mechanism may be used to optimize security negotiation algorithms.
    Type: Grant
    Filed: November 1, 2006
    Date of Patent: June 25, 2013
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, David G. Thaler, Gregory O'Shea, Michael Roe, Brian D. Zill
  • Patent number: 8359645
    Abstract: A system and method for protecting a computer system connected to a communication network from a potential vulnerability. The system and method protects a computer system that is about to undergo or has just undergone a change in state that may result in placing the computer system at risk to viruses, and the like, over a communication network. The system and method first detect an imminent or recent change in state. A security component and a fixing component react to the detection of the change in state. The security component may raise the security level to block incoming network information, other than information from a secure or known location, or information requested by the computer system. The fixing component implements a fixing routine, such as installing missing updates or patches, and on successfully completing the fixing routine, the security level is relaxed or lowered.
    Type: Grant
    Filed: March 25, 2005
    Date of Patent: January 22, 2013
    Assignee: Microsoft Corporation
    Inventors: Michael Kramer, Art Shelest, Carl M Carter-Schwendler, Gary S Henderson, Scott A Field, Sterling M Reasor
  • Publication number: 20100269174
    Abstract: The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function.
    Type: Application
    Filed: April 20, 2009
    Publication date: October 21, 2010
    Inventor: Art Shelest
  • Patent number: 7725586
    Abstract: A method to negotiate computer settings in advance is presented. A prediction is made to determine if the computer setting will be needed, and if needed, whether a value outside of a normal range of values will be needed. A value for the computer setting that is outside of the normal range of values is determined and the value is set to the outside value. A value within the normal range of values is used if it was predicted that there is no need for a value outside of the normal range of values.
    Type: Grant
    Filed: January 29, 2007
    Date of Patent: May 25, 2010
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Christian Huitema
  • Patent number: 7707619
    Abstract: A method and system for selectively excluding a program from a security policy is provided. The security system receives from a user an indication of a program with a problem that is to be excluded from the security policy. When the program executes and a security enforcement event occurs, the security system does not apply the security policy. If the problem appears to be resolved as a result of excluding the program from the security policy, then the user may assume that the security policy is the cause of the problem.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: April 27, 2010
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Pradeep Bahl, Scott A. Field
  • Patent number: 7698548
    Abstract: Technology for applying a communications traffic security policy in which a distinct communications traffic flow is segregated based upon a security value; whereby the communications traffic security policy includes one or both of a detection and an enforcement policy. The detection policy may include determining whether the segregated communications traffic flow involves malware; and, the enforcement policy may include a malware policy.
    Type: Grant
    Filed: December 8, 2005
    Date of Patent: April 13, 2010
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Eran Yariv, David Abzarian
  • Patent number: 7673326
    Abstract: A system and method that utilizes clean groups for reducing security management complexity. The system reduces the complexity of managing security technologies by automatically assigning objects such as computers or persons to clean groups which are defined by existing management infrastructure. In an embodiment where members are computers, ongoing automatic efforts ensure that clean groups include only computers that satisfy specified security principles, which allows administrators to treat all computers that are in compliance as a group. Separately, the members of the clean group are required to implement self-governance, which is an ability to detect being compromised and to take steps to remove themselves from the clean group when they are compromised. In addition to attempting to remove itself from the clean group, a compromised computer may take additional steps aimed at minimizing further damage, such as erasing or hiding computer domain credentials, hiding/protecting/disabling cryptographic (e.g.
    Type: Grant
    Filed: February 4, 2004
    Date of Patent: March 2, 2010
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Jesper M. Johansson
  • Patent number: 7620987
    Abstract: A method and system for obfuscating computer code of a program to protect it from the adverse effects of malware is provided. The obfuscation system retrieves an executable form of the computer code. The obfuscation system then selects various obfuscation techniques to use in obfuscating the computer code. The obfuscation system applies the selected obfuscation techniques to the computer code. The obfuscation system then causes the obfuscated computer code to execute.
    Type: Grant
    Filed: August 12, 2005
    Date of Patent: November 17, 2009
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Gregory D. Hartrell
  • Patent number: 7591002
    Abstract: A conditional activation system distributes a security policy to the computer systems of an enterprise. Upon receiving a security policy at a computer system, the computer system may install the received security policy without activation. When a security policy is installed without activation, it is loaded onto a computer system but is not used to process security enforcement events. The computer system may then determine whether a security policy activation criterion has been satisfied and, if so, activate the security policy.
    Type: Grant
    Filed: June 9, 2005
    Date of Patent: September 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Carl M. Ellison
  • Patent number: 7591010
    Abstract: A method and system that enables a security policy to separate developer-provided detection criteria from an administrator-provided custom policy is provided. The security system allows a developer of detection criteria to provide a signature file containing the signatures that are available for use by a security policy. The security system also allows an administrator of a computer system to specify a custom policy that uses the signatures of the signature file. The developer may distribute the signature file to host computer systems independently of the administrator's distribution of the rules of the custom policy to the host computer systems. When a security enforcement event occurs at the host computer system, the security system applies the rules of the security policy to the event.
    Type: Grant
    Filed: January 19, 2005
    Date of Patent: September 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Scott A. Field, Subhashini Raghunathan
  • Patent number: 7559082
    Abstract: A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.
    Type: Grant
    Filed: June 25, 2003
    Date of Patent: July 7, 2009
    Assignee: Microsoft Corporation
    Inventors: Dennis Morgan, Alexandru Gavrilescu, Jonathan L. Burstein, Art Shelest, David LeBlanc
  • Patent number: 7549158
    Abstract: An intrusion detection system for customizing a security policy that detects an attempt to exploit a vulnerability is provided. A security policy contains criteria and a procedure. The criteria specify attributes of a security event that may be an exploitation, and the procedure specifies instructions to be performed that indicate when a security event may be an exploitation. When the criteria and the procedure both indicate that a security event may be an exploitation, then the security event matches the security policy and an appropriate action is taken. The intrusion detection system allows a user to modify the criteria to customize the security policy.
    Type: Grant
    Filed: August 31, 2004
    Date of Patent: June 16, 2009
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Richard Paul Tarquini
  • Patent number: 7526804
    Abstract: An application contacts the Application Specific Integrated Circuit (ASIC) with a request for a job, along with the name or identifier of a data stream to pattern match against, the name or identifier of the pattern set to use, and whether the job is partial or full. Depending on the priority rules set by the ASIC administrator, the ASIC may stop the job it is currently doing and begin work on the new job, or wait until the current job is finished before starting the new job. The ASIC determines if the pattern set for the new job is already stored in the cache, and contacts the calling application if it is not. Once the correct pattern set is loaded, the ASIC begins pattern matching on the requested data stream. The data stream is compared byte by byte with each of the patterns in the loaded set. The ASIC will return a match to the calling application if a match has been made with one of the patterns in the pattern set.
    Type: Grant
    Filed: February 2, 2004
    Date of Patent: April 28, 2009
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Jason Garms
  • Patent number: 7503068
    Abstract: An initial sequence number generator is provided that prevents the local server from being attacked while maintaining reliable data transfer. A random intermediate value is created that is unique to each connection identifier and is combined with a random value created from a global counter to generate the initial sequence number. The counter is capable of monotonically increasing by both a fixed and a variable amount, ensuring that the same connection identifier does not have data collisions from competing sequence numbers within a predetermined period of time, and also ensuring randomness of the initial sequence number on a per-connection basis to prevent attacks on the local server.
    Type: Grant
    Filed: February 13, 2004
    Date of Patent: March 10, 2009
    Assignee: Microsoft Corporation
    Inventors: Sanjay Kaniyar, Art Shelest, Nk Srinivas, Scott K. Holden
  • Patent number: 7406527
    Abstract: A method to negotiate computer settings in advance is presented. A prediction is made to determine if the computer setting will be needed, and if needed, whether a value outside of a normal range of values will be needed. A value for the computer setting that is outside of the normal range of values is determined and the value is set to the outside value. A value within the normal range of values is used if it was predicted that there is no need for a value outside of the normal range of values.
    Type: Grant
    Filed: November 2, 2001
    Date of Patent: July 29, 2008
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Christian Huitema
  • Patent number: 7380006
    Abstract: A method and system are directed at automatically tuning a TCP receive window (RWIN). The size of the RWIN may be determined by attributes of a network card. One attribute used to size the RWIN is the speed of the adapter card. The adapter speed is readily available by polling the network card. Once the speed is known, the size of the RWIN is selected from a table and is automatically set. Alternatively, the size of the RWIN may be determined by a formula.
    Type: Grant
    Filed: December 14, 2000
    Date of Patent: May 27, 2008
    Assignee: Microsoft Corporation
    Inventors: Nk Srinivas, Art Shelest, Peter S. Ford
  • Patent number: 7305705
    Abstract: A firewall acts as a transparent gateway to a server within a private network by initiating an unsolicited challenge to a client to provide authentication credentials. After receiving the client's credentials, the firewall verifies the authentication credentials and establishes a secure channel for accessing the server. Data destined for the server from the client may be forwarded through the firewall using the secure channel. The firewall may sign, or otherwise indicate that data forwarded to the server is from a client that the firewall has authenticated. The firewall also may provide some level of authentication to the client. While connected to the server, the client may access other servers external to the private network without having the data associated with the other servers pass through the private network. The firewall reduces configuration information that a client otherwise must maintain to access various private network servers.
    Type: Grant
    Filed: June 30, 2003
    Date of Patent: December 4, 2007
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, Christian Huitema
  • Patent number: 7299491
    Abstract: Methods, systems, and computer program products for resolving domain name system records based on client authentication. Basing domain name resolution on client authentication provides remote clients with the convenience of domain names, without sacrificing the security of keeping potentially sensitive domain names private. An authoritative name server receives requests for domain name resolution from clients. For requests without client authentication, the authoritative name server responds that the domain name cannot be found. This response identifies the authoritative name server to the client so that the client can submit subsequent requests with client authentication. For requests with client authentication, the authoritative name server responds with the corresponding domain name addresses. Clients may communicate domain name resolution requests directly to the authoritative name server or indirectly, through one or more intermediate domain name servers.
    Type: Grant
    Filed: April 30, 2003
    Date of Patent: November 20, 2007
    Assignee: Microsoft Corporation
    Inventors: Art Shelest, James M. Gilroy