Patents by Inventor Brian Hernacki

Brian Hernacki has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7503071
    Abstract: A technique is disclosed for identifying network traffic. The traffic data is converted into a wave vector. The wave vector is compared with a wave template. It is then determined whether the wave vector is substantially similar to the wave template.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: March 10, 2009
    Assignee: Symantec Corporation
    Inventor: Brian Hernacki
  • Patent number: 7475420
    Abstract: Detecting network proxies through the observation of symmetric relationships is disclosed. Network transmission data is analyzed to detect symmetric relationships between network data transmissions. A symmetric relationship is detected with respect to a first network data transmission sent by a first node to a second node if the second node is observed to send or have sent to a third node a second network data transmission that satisfies a prescribed first criterion that it is anticipated the second network data transmission would satisfy if it were used to forward to the third node at least part of the data comprising the first network data transmission. For each symmetric relationship found, further analysis is performed to determine if the second node is configured to serve as a proxy.
    Type: Grant
    Filed: January 31, 2005
    Date of Patent: January 6, 2009
    Assignee: Symantec Corporation
    Inventor: Brian Hernacki
  • Publication number: 20080289043
    Abstract: Analyzing security risk in a computer network includes receiving an event associated with a selected object in the computer network, and determining an object risk level for the selected object based at least in part on an event risk level of the event received, wherein the event risk level accounts for intrinsic risk that depends at least in part on the event that is received and source risk that depends at least in part on a source from which the event originated.
    Type: Application
    Filed: June 24, 2008
    Publication date: November 20, 2008
    Inventors: Brian Hernacki, Jeremy Bennett
  • Publication number: 20080256594
    Abstract: Method and apparatus for managing digital identities through a single interface is described. One aspect of the invention relates to managing digital identities related to a user. An identity policy of an entity is obtained. At least one relevant digital identity is selected from the digital identities. Each relevant digital identity includes information required by the identity policy. A selected digital identity is obtained from the relevant digital identity or identities. A representation of the selected digital identity is provided to the entity that complies with the identity policy.
    Type: Application
    Filed: April 10, 2007
    Publication date: October 16, 2008
    Applicant: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki
  • Publication number: 20080244722
    Abstract: Method and apparatus for accepting a digital identity of a user based on transitive trust among parties are described. One aspect of the invention relates to managing a digital identity of a user. The digital identity is provided to a first party, where the digital identity includes a self-asserted claim. An acceptance token is obtained from the first party. The acceptance token purports authenticity of the self-asserted claim according to the first party. The digital identity and the acceptance token are provided to a second party to request validation of the self-asserted claim by the second party based on the acceptance token.
    Type: Application
    Filed: March 28, 2007
    Publication date: October 2, 2008
    Applicant: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki
  • Patent number: 7421737
    Abstract: Evasion detection is disclosed. Techniques are provided for network security, including comparing a received header value to a baseline header value, determining based on the comparison whether a threshold has been satisfied, and generating an alert if the threshold has been satisfied. Header values may be representative of data included in packet headers that, depending upon a data communication protocol in use (e.g., TCP, IP, etc.) may include information such as a time-to-live (TTL) value or IP options. After retrieving a received packet's header value, it is compared to a baseline header value and, in combination with evaluating a flip count threshold, used to detect an evasion attempt.
    Type: Grant
    Filed: May 4, 2004
    Date of Patent: September 2, 2008
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Jeremy Bennett
  • Patent number: 7409721
    Abstract: A system and method are disclosed for analyzing security risks in a computer network. The system constructs asset relationships among a plurality of objects in the computer network and receives an event associated with a selected object, where the event has an event risk level. The system also propagates the event to objects related to the selected object if the event risk level exceeds a propagation threshold.
    Type: Grant
    Filed: January 21, 2003
    Date of Patent: August 5, 2008
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Jeremy Bennett
  • Publication number: 20080184344
    Abstract: Remote activation of covert service channels is provided. A remote host can initiate and establish a connection with a target host without exposing a service channel or communications port to an unauthenticated host. Triggers can be received by and sent to a host and an associated operating system, under direction of a stealth listener. The stealth listener can control and direct an operating system to respond to incoming data packets, and can also open and close ports to enable access to services on a host. Using a variety of transport mechanisms, protocols, and triggers to covertly enable a connection to be established between a service and a remote client, the disclosed techniques also enable reduction of processing and storage resources by reducing the amount of host- or client-installed software.
    Type: Application
    Filed: March 28, 2008
    Publication date: July 31, 2008
    Inventors: Brian Hernacki, Thomas Lofgren, Jeremy Bennett
  • Patent number: 7380123
    Abstract: Remote activation of covert service channels is provided. A remote host can initiate and establish a connection with a target host without exposing a service channel or communications port to an unauthenticated host. Triggers can be received by and sent to a host and an associated operating system, under direction of a stealth listener. The stealth listener can control and direct an operating system to respond to incoming data packets, and can also open and close ports to enable access to services on a host. Using a variety of transport mechanisms, protocols, and triggers to covertly enable a connection to be established between a service and a remote client, the disclosed techniques also enable reduction of processing and storage resources by reducing the amount of host- or client-installed software.
    Type: Grant
    Filed: October 2, 2003
    Date of Patent: May 27, 2008
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Thomas Lofgren, Jeremy Bennett
  • Publication number: 20080010538
    Abstract: A method and system for detecting suspicious embedded malicious content in benign file formats is disclosed. The method involves loading a benign data file type and performing a sectional disassembly to detect if the file contains any encodings that are machine code instructions that, when executed by a microprocessor, would result in a transfer of process control. The method may be implemented in two stages: in a first stage to detect the presence of any encodings representing logical instructions; and in a second stage to analyze the maliciousness of the detected encodings. In addition to protecting computer systems from a specific exploit, the method may be used for certifying a file clean of malicious code, or for detecting vulnerabilities targeted at application programs.
    Type: Application
    Filed: June 27, 2006
    Publication date: January 10, 2008
    Inventors: Sourabh Satish, Brian Hernacki
  • Publication number: 20070233862
    Abstract: Various embodiments of a method for detecting a trend in a computer network comprising a plurality of nodes are described. According to one embodiment of the method, network admission control is performed for each node in the network. One or more configuration fingerprints may be created for each node in response to the network admission control for the node, e.g., where the configuration fingerprints for a given node identify selected aspects of the configuration of the node. The method further comprises detecting a trend based on at least a subset of the configuration fingerprints for the nodes. For example, the configuration fingerprints may be analyzed in order to detect trends that indicate security threats.
    Type: Application
    Filed: June 30, 2006
    Publication date: October 4, 2007
    Inventors: Sourabh Satish, Brian Hernacki
  • Publication number: 20040143753
    Abstract: A system and method are disclosed for analyzing security risks in a computer network. The system constructs asset relationships among a plurality of objects in the computer network and receives an event associated with a selected object, where the event has an event risk level. The system also propagates the event to objects related to the selected object if the event risk level exceeds a propagation threshold.
    Type: Application
    Filed: January 21, 2003
    Publication date: July 22, 2004
    Applicant: Symantec Corporation
    Inventors: Brian Hernacki, Jeremy Bennett