Abstract: Storing events to enhance intrusion detection in networks is described. In one exemplary implementation, an event is received. The event includes a data section containing a set of strings each having an event field. A definition table is referenced to determine locations of event fields in the data section of the event. The event fields are stored in a database record corresponding to event field locations referenced from the definition table.

Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.

Abstract: The techniques and mechanisms described herein are directed to a taint mechanism. An object-based command declares a taint directive for a parameter within a command declaration. The taint directive is then associated with that parameter in a manner such that when an engine processes the command, the engine determines whether to process the command based on the taint directive and input for the parameter. The taint directive may specify that the input may be tainted or untainted. The command declaration may also include a taint parameter that specifies a taint characteristic for output from the command. The taint characteristic may be tainted, untainted, or propagated. Any type of object may become tainted. An untaint process may be applied to tainted data to obtain untainted data if an authorization check performed by the engine is successful.

Abstract: The techniques and mechanisms described herein are directed at converting text into objects based on a template that describes the format of the text, where the format of the text is not in a standardized format. The objects then being available for further processing. The conversion mechanism converts the text into a dead object. The template comprises an object header indicator and a corresponding object header pattern. A new object is created based on the object header pattern identified within the text. In addition, the template comprises one or more field indicators each having a corresponding field pattern. The field pattern may be in a format of a regular expression. A field type and associated value are created from a string associated with the field pattern.

Abstract: The Techniques and Mechanisms Described Herein are Directed to an Extensible security architecture that provides a security mechanism for minimizing security problems within interpretive environments. The extensible security architecture comprises a script engine configured to process a script and a security manager configured to monitor the processing of the script based on a security policy. The security manager determines whether to open an assembly associated with a command within the script, whether to process the command, whether to allow certain input to the command, and the like. The security policy may be implemented by overriding one or more methods of a base security class that are called when processing the script. The input may be an object passed via an object-based pipeline.

Abstract: The techniques and mechanisms described herein are directed to a scripting security mechanism that minimizes security risks associated with interpreting a script written with a scripting language. An interpreter recognizes the scripting-language syntax within the script and processes each line that is designated within a data block using a restrictive set of operations. The restrictive set of operations are a subset of the total operations available for processing. If one of the lines within the data block attempts to perform an operation that is not within the restrictive set of operations, the interpreter provides an indication, such as an exception or message explaining the illegal operation. The interpreter also recognizes a list of export variables associated with the data block and exports only the variables identified in the list to an external environment if the export variable meets a constraint identified for it, if any.

Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.

Abstract: The techniques and mechanisms described herein are directed at converting text into objects based on a template that describes the format of the text. The objects then being available for further processing. The conversion mechanism converts the text into an object having at least one method that is directly invocable and that is specific to a data type specified for the live object. The template comprises an object header indicator and a corresponding object header pattern. A new object is created whenever the object header pattern is identified within the text. In addition, the template comprises one or more field indicators each having a corresponding field pattern. The field pattern is in a format of a regular expression. A new field is created for the new object whenever a field pattern is identified within the text.

Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.

Abstract: The present comparison technique operates on objects having the same type, similar types, or different types. Multiple comparison objects may be compared against one or more reference objects. The comparison objects may be obtained from a prior cmdlet in a pipeline of cmdlets operating in an object-based environment. The reference object and comparison object may be compared in an order-based manner or in a key-based manner. In addition, specific properties may be specified which will identify which properties of the reference object and the comparison object to compare during the comparison. The comparison may generate an output that identifies the difference and/or similarities. The output may be pipelined to another cmdlet for further processing.

Abstract: A method identifies code to be analyzed and analyzes the identified code. The method determines whether the identified code contains a particular function. If the identified code contains the particular function, a determination is made whether the particular function has been properly documented. Additionally, a message is generated indicating improper documentation of the particular function if the particular function has not been documented.

Abstract: Storing events to enhance intrusion detection in networks is described. In one exemplary implementation, an event is received. The event includes a data section containing a set of strings each having an event field. A definition table is referenced to determine locations of event fields in the data section of the event. The event fields are stored in a database record corresponding to event field locations referenced from the definition table.

Abstract: A hashing structure including multiple sub-hashes is used to determine whether an input value matches one or more of multiple target values. These values can be of any form, such as security identifiers in an access control system. To make the determination, a hash key is obtained from the input value and multiple sub-hash indexes (one for each of the multiple sub-hashes) are generated based on the key. Values are identified from the multiple sub-hashes by indexing into the sub-hashes using respective ones of the sub-hash indexes. These values are then combined to generate a resultant hash value. Each of the multiple target values corresponds to one of multiple portions of the resultant hash value. If the portion corresponding to one of the target values has a particular value, then that target value is a likely match and is compared to the input value to determine if indeed the two match.

Abstract: Storing events to enhance intrusion detection in networks is described. In one exemplary implementation, an event is received. The event includes a data section containing a set of strings each having an event field. A definition table is referenced to determine locations of event fields in the data section of the event. The event fields are stored in a database record corresponding to event field locations referenced from the definition table.

Abstract: Improved intrusion detection and/or tracking methods and systems are provided for use across various computing devices and networks. Certain methods, for example, form a substantially unique audit identifier during each authentication/logon process. One method includes identifying one or more substantially unique parameters that are associated with the authentication/logon process and encrypting them to form at least one audit identifier that can then be generated and logged by each device involved in the authentication/logon process. The resulting audit log file can then be audited along with similar audit log files from other devices to track a user across multiple platforms.

Abstract: Storing events to enhance intrusion detection in networks is described. In one exemplary implementation, an event is received. The event includes a data section containing a set of strings each having an event field. A definition table is referenced to determine locations of event fields in the data section of the event. The event fields are stored in a database record corresponding to event field locations referenced from the definition table.