Abstract: Network evasion and misinformation detection are disclosed. Techniques are provided for network security, including determining whether a particular packet, segment, frame, or other data encapsulation has been retransmitted. By detecting and tracking retransmits, the packet may be compared to the original packet to determine whether an attack exists. By evaluating the original data stream and a copy of the original data stream modified with the retransmitted packet, an evasion or misinformation attempt may be detected, invoking pattern or signature matching to determine whether an attack is attempted against a target host.

Abstract: A technique is disclosed for identifying network traffic. The traffic data is converted into a wave vector. The wave vector is compared with a wave template. It is determined whether the wave vector is substantially similar to the wave template. If it is determined that the wave vector is substantially similar to the wave template, the traffic data is identified as being associated with a protocol with which the wave template is associated.

Abstract: Detecting network threats through dynamic depth inspection is disclosed. A mandatory threat detection procedure is performed on data received via a network. It is determined probabilistically whether to perform an optional threat detection procedure on at least a portion of the data. The optional threat detection procedure is then performed if it is determined that it should be performed.

Abstract: Determining reputation information is disclosed. A honey token is included in an online identity data. The honey token is to monitor for misuse of all or part of the online identity data. Optionally, information associated with at least one use of the honey token is aggregated with other reputation information.

Abstract: A local computing endpoint (e.g., a desktop computer, a notebook computer) is used to detect the presence of and record information about one or more wireless access point within range of the local computing endpoint. The recorded information is processed by a centralized computing endpoint to determine whether any of the one or more wireless access points is a rogue wireless access point.

Abstract: Correlating network DNS data to filter content is disclosed. In one embodiment, a DNS request made by an internal host in a network to obtain an IP address and the corresponding response from a DNS server are intercepted and cached. By caching the DNS request and the corresponding response, the IP address the host thinks is associated with the domain name, URI, or other identifier for which the corresponding IP address was requested from the DNS server is known. When the host subsequently uses the IP address to open a TCP (or TCP/IP) connection, the IP address is mapped to the corresponding domain name in the cache and it is determined whether the domain name is in a block list.

Abstract: Optimizing data security using fragment assembly is described. Additionally, optimizing security in data traffic is also described, including reassembling data traffic using a fragment, scanning a datagram in the data traffic in accordance with a protocol, and detecting an anomaly in the data traffic based on evaluating the datagram. By scanning and detecting an anomaly contained in a data fragment, packet, segment, stream or other encapsulation technique, further processing may be invoked in order to determine whether a threat or attack to an end host exists.

Abstract: Providing network security is disclosed. If it is determined that a next portion of a data stream being reconstructed has more than one possible data value, each possible data value for the next portion is stored in a corresponding storage location associated with the data stream. Each storage location in which a possible data value for the next portion is stored as a next location with respect to a storage location in which a previous data value for a previous portion that immediately precedes the next portion in the data stream is stored is identified.

Abstract: An anti-spyware manager uses domain name service resolution queries to combat spyware. The anti-spyware manager maintains a list of domain names associated with spyware, monitors domain name service queries, and detects queries on domain names on the list. Responsive to detecting a domain name service query on a domain name associated with spyware, the anti-spyware manager forces the domain name service query to resolve to an address not associated with the domain name. Because attempts by spyware to communicate with its home server are now routed to the forced address, the spyware is unable to communicate with its homer server, and thus can neither steal information nor download updates of itself. Additionally, the anti-spyware manager can identify computers that are infected with spyware and clean or quarantine them.

Abstract: Profiling a user is disclosed. The user's behavior with respect to specially designed content comprised of one or more units of content is monitored. The specially designed content is designed such that one or more characteristics of the user may be inferred based at least in part on the user's behavior with respect to the content. One or more characteristics of the user is/are inferred based at least in part on the user's behavior with respect to the specially designed content.

Abstract: Reputations of domain registrars are calculated based on the hosting of risky domains. The more undesirable domains a registrar hosts, the lower is its reputation. The risk level of the hosted domains is also a factor in determining the reputation. When a user attempts to access a hosted domain, the calculated reputation of the hosting domain registrar is used in determining what security steps to apply to the access attempt. The worse the reputation of the hosting registrar, the more security is applied, all else being equal.

Abstract: Knowledge of a module's behavior when the module's reputation is formed is obtained. If the module's behavior changes, this change is detected. In one embodiment, upon a determination that the module's behavior has changed, the module's original reputation is lost. In this manner, malicious trusted modules are detected and defeated.

Abstract: A system and method are disclosed for providing network traffic identification. In one embodiment, the method comprises receiving pattern matching data; comparing the pattern matching data with a pattern; and determining whether the pattern matching data matches the pattern. In one embodiment, the system comprises an interface configured to receive pattern matching data and a processor configured to: compare the pattern matching data with a pattern and determine whether the pattern matching data matches the pattern.

Abstract: Mitigating network security threats through a self-quarantining network is disclosed. Traffic received from a local source via a physical port is monitored. If a threat is detected, traffic associated with the physical port is restricted. In some embodiments, the monitoring includes one or more of performing a signature check on the traffic, applying statistical analysis to the traffic, performing protocol analysis on the traffic, and aggregating information about the traffic with information about traffic from an outside source.

Abstract: Successful logins are distinguished from unsuccessful logins, and only when a login is successful are the user's login credentials stored and associated with the appropriate login page. Attempts by a user to login to a login page with a set of login credentials are identified. It is determined whether an attempt to login to a given login page with a set of login credentials is successful. If the attempt by the user to login to the login page with the set of login credentials is successful, the set of login credentials can be stored and associated with the login page. If the attempt fails, the credentials are not saved.

Abstract: Network evasion and misinformation detection are disclosed. Techniques are provided for network security, including determining whether a particular packet, segment, frame, or other data encapsulation has been retransmitted. By detecting and tracking retransmits, the packet may be compared to the original packet to determine whether an attack exists. By evaluating the original data stream and a copy of the original data stream modified with the retransmitted packet, an evasion or misinformation attempt may be detected, invoking pattern or signature matching to determine whether an attack is attempted against a target host.

Abstract: Visual images of computer components are provided to remotely guide users through the process of setting up physical connections. Component identifying information is automatically gleaned and provided from a user's computer to a remote administrator. The administrator provides visual images of the components to the user, and remotely annotates them to guide the user through the configuration process. Image annotation can include pointing to a specific section of the image (e.g., the plug into which a cable is to be inserted) and/or drawing or writing on or otherwise marking-up the image to direct the user's attention. The visual image-based guidance can be supplemented by voice communication with the user.

Abstract: A technique is disclosed for identifying network traffic. The traffic data is converted into a wave vector. The wave vector is compared with a wave template. It is determined whether the wave vector is substantially similar to the wave template. If it is determined that the wave vector is substantially similar to the wave template, the traffic data is identified as being associated with a protocol with which the wave template is associated.

Abstract: Network evasion and misinformation detection are disclosed. Techniques are provided for network security, including determining whether a particular packet, segment, frame, or other data encapsulation has been retransmitted. By detecting and tracking retransmits, the packet may be compared to the original packet to determine whether an attack exists. By evaluating the original data stream and a copy of the original data stream modified with the retransmitted packet, an evasion or misinformation attempt may be detected, invoking pattern or signature matching to determine whether an attack is attempted against a target host.

Abstract: Various embodiments of a method for detecting a trend in a computer network comprising a plurality of nodes are described. According to one embodiment of the method, network admission control is performed for each node in the network. One or more configuration fingerprints may be created for each node in response to the network admission control for the node, e.g., where the configuration fingerprints for a given node identify selected aspects of the configuration of the node. The method further comprises detecting a trend based on at least a subset of the configuration fingerprints for the nodes. For example, the configuration fingerprints may be analyzed in order to detect trends that indicate security threats.