Patents by Inventor Carey Nachenberg

Carey Nachenberg has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8201254
    Abstract: A plurality of queuing components each monitor an incoming email stream, and identify incoming email messages with suspicious attachments. Each queuing component generates signatures of the suspicious attachments, and submits periodic reports to a correlation component. The reports list signatures and receipt times for suspicious attachments received since a last submitted report. The queuing component queues the suspicious attachments for a specified hold time, and further processes queued attachments based upon information concerning attachment acceleration rates received from the correlation component. The correlation component receives reports from the plurality of queuing components, and uses information in the submitted reports to maintain a system wide receipt history for each suspicious attachment.
    Type: Grant
    Filed: August 30, 2005
    Date of Patent: June 12, 2012
    Assignee: Symantec Corporation
    Inventors: Jeffrey Wilhelm, Carey Nachenberg
  • Patent number: 8201255
    Abstract: A hygiene-based determination of legitimacy of activities performed by applications on clients is performed. A receiving module receives, from a client, information regarding an application that is performing an activity on the client. A hygiene score module determines a score distribution for hygiene scores of other clients on which the same type of application has performed the same activity. A correlation module correlates the activity being performed by the application on the client with the score distribution for hygiene scores. A reputation computation module computes, based on the correlation, a reputation score for the activity with respect to the application performing the activity. Finally, a legitimacy identification module identifies, based on the reputation score, whether the activity is an illegitimate activity for the application.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: June 12, 2012
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Patent number: 8196200
    Abstract: A method includes determining whether a transaction request has occurred during a transaction session. Upon a determination that a transaction request has occurred, the method includes parsing critical values from the transaction request and determining whether the critical values are legitimate. If the critical values are found to be suspicious instead of legitimate, the method further includes seeking approval of the transaction request from the user of the host computer system. Upon approval of the transaction request, the transaction request is allowed. Conversely, upon denial of the transaction request, the transaction request is determined to be malicious, and protective action is taken including terminating the transaction request.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: June 5, 2012
    Assignee: Symantec Corporation
    Inventors: Matthew Yeo, Carey Nachenberg
  • Patent number: 8181036
    Abstract: Techniques are disclosed that enable extrusion detection (i.e., outgoing confidential information from an enterprise or other entity). The techniques operate to detect outgoing confidential information at the gateway and/or the client, even if that confidential information is encrypted, compressed, or otherwise obfuscated before transmission (e.g., via email or to a portable storage media such as a memory stick).
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: May 15, 2012
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Patent number: 8127149
    Abstract: A method, system and computer-readable medium for encrypting a file on a computer system based on the content of the file. The method is setting an encryption policy, wherein the encryption policy is at least one attribute related to content of at least one file, scanning at least one file on a computer system for content, matching the content of the scanned at least one file to the at least one attribute set in the encryption policy and encrypting the scanned at least one file with a key in response to a match between the content of the scanned at least one file and the at least one attribute set in the encryption policy. The system is a computer system that includes policy-based encryption software that performs the steps embodied by the method.
    Type: Grant
    Filed: June 29, 2006
    Date of Patent: February 28, 2012
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Patent number: 8127360
    Abstract: A method and apparatus for preventing leakage of sensitive information from a computer is described. The method includes identifying data entered into the computer system as sensitive data, tainting the sensitive data with at least one taint bit to form a tainted data, tracking the tainted data within the computer system and identifying at least one condition that compromises the security of the tainted data. The system is a computer system including taint analysis software for identifying data entered into the computer system as sensitive data, tainting the sensitive data with at least one taint bit to form a tainted data, tracking the tainted data within the computer system and identifying at least one condition that compromises the security of the tainted data.
    Type: Grant
    Filed: June 29, 2006
    Date of Patent: February 28, 2012
    Assignee: Symantec Corporation
    Inventors: Jeffrey Wilhelm, Carey Nachenberg
  • Patent number: 8112412
    Abstract: Attempts by a user to download executable files with unacceptable reputations are detected, and recommendations for similar files with good reputations are made to the user. More specifically, a user's web browsing is tracked, and terms describing software applications are extracted from browsed pages. When a user attempts to download an executable file, a corresponding notification including recently extracted terms is transmitted to a categorization component, which receives such information from many users. The categorization component stores the received information in a database. This maintained database identifies files that are available for download, as well as corresponding extracted terms and reputational scores. If a user initiates a download of an executable file with an unacceptable score, the categorization component identifies executable files in the database with related extracted terms, but with acceptable reputations, to recommend to the user as alternatives.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: February 7, 2012
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Patent number: 7930739
    Abstract: Evaluating a data transmission is disclosed. In various embodiments evaluating the data transmission may include transforming a parameter associated with the data transmission into an augmented parameter wherein the augmented parameter represents a plurality of binned parameters. The augmented parameter is matched to a scaled parameterized rule set wherein the scaled parameterized rule set references the augmented parameter. The scaled parameterized rule set is applied to the data transmission.
    Type: Grant
    Filed: May 24, 2005
    Date of Patent: April 19, 2011
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Publication number: 20110067086
    Abstract: To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.
    Type: Application
    Filed: September 15, 2009
    Publication date: March 17, 2011
    Applicant: Symantec Corporation
    Inventors: Carey Nachenberg, Zulfikar Ramzan
  • Publication number: 20110040825
    Abstract: Reputations of objects are determined by a reputation system using reports from clients identifying the objects. Confidence metrics for the clients are generated using information determined from the reports. Confidence metrics indicate the amounts of confidence in the veracity of the reports. Reputation scores of objects are calculated using the reports from the clients and the confidence metrics for the clients. Confidence metrics and reputation scores are stored in correlation with identifiers for the objects. An object's reputation score is provided to a client in response to a request.
    Type: Application
    Filed: August 13, 2009
    Publication date: February 17, 2011
    Inventors: Zulfikar Ramzan, Walter Bogorad, Ameet Zaveri, Vadim Antonov, Carey Nachenberg
  • Patent number: 7873999
    Abstract: Computer-implemented methods, systems, and computer-readable media for determining (200) an action time when an action is taken regarding an executable content; storing (205) the action time with an indication of the executable content; storing (215) an entry time and an indication of the entered data source when the data processing system enters one of the plurality of data sources; receiving (220) an indication that the executable content is infected with a malicious code; receiving (225) an indication of a data source targeted by the malicious code; scanning the data processing system for the malicious code at a scan time; storing (230) the scan time; determining (245) whether one of the plurality of data sources corresponds to the targeted data source; and when it is determined that one of the plurality of data sources corresponds to the targeted data source, determining (255) whether the entry time occurs after the action time and before the scan time; and when it is determined that the entry time occurs
    Type: Grant
    Filed: March 31, 2006
    Date of Patent: January 18, 2011
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, David Cole
  • Patent number: 7861304
    Abstract: Methods, apparati, and computer-readable media for matching patterns of symbols within computer systems. A method embodiment of the present invention comprises composing (11) a pattern matching expression; and embedding (12) a function using storage means within the expression to form a character matching string. The expression may be a regular expression. The character matching string is compared (13) against a target string. The target string may be one that is suspected to contain malicious computer code.
    Type: Grant
    Filed: May 7, 2004
    Date of Patent: December 28, 2010
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Alex Weinstein
  • Patent number: 7774313
    Abstract: Policy-based performance of continuous data protection on protected data. A write request targeted to a portion of the protected data is detected. In addition, a journaling policy data structure(s) is accessed. The journaling policy data structure represents policy for how frequently to journal write requests to a backup medium and/or what backup medium to journal write requests to depending on one or more characteristics of write request targets. The journaling policy data structure is then used to determine whether the write request should be presently journaled and/or to identify the backup medium that the write request should be journaled to based on the one or more characteristics of the portion of the protected data targeted by the write request. The journaling policy may, but need not, be selected so as to preserve storage and/or network bandwidth associated with the journaling process.
    Type: Grant
    Filed: November 29, 2005
    Date of Patent: August 10, 2010
    Assignee: Symantec Corporation
    Inventor: Carey Nachenberg
  • Patent number: 7774361
    Abstract: An incident managing module aggregates related database intrusion incidents and presents them in a manageable manner. A receiving module receives an anomalous query requesting data from a database and a type-identification module identifies anomaly type for the query received. A conversion module converts the anomalous query into a characteristic representation. In some embodiments, this is done by replacing literal field values in the query with representative values. In other embodiments, this is done by creating a tuple describing anomaly parameters for the anomalous query. In still other embodiments, the query is converted into a characteristic representation that distinguishes between injected and non-injected portions of the query. An aggregation module then aggregates into a group the anomalous queries with substantially similar characteristic representations according to anomaly type and a generation module generates a database intrusion incident report describing the group of anomalous queries.
    Type: Grant
    Filed: July 8, 2005
    Date of Patent: August 10, 2010
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Abu Wawda, Adam Bromwich, On Lee, Darren Sanders
  • Patent number: 7739740
    Abstract: A polymorphic threat manager monitors an incoming email stream, and identifies incoming email messages to which executable files are attached. The polymorphic threat manager characterizes incoming executable files according to at least one metric. For example, the polymorphic threat manager can decompose an executable file into fragments, hash some or all of these, and use the hashes as characterization metrics. The polymorphic threat manager subsequently de-obfuscates executable files, and creates corresponding characterization metrics for the de-obfuscated images. The characterizations of executable files before and after de-obfuscation are compared, and if they differ sufficiently, the polymorphic threat manager determines that the file in question is polymorphic. The characterization metrics of such an executable file after de-obfuscation can be used as a signature for that file.
    Type: Grant
    Filed: September 22, 2005
    Date of Patent: June 15, 2010
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Jeffrey Wilhelm
  • Patent number: 7729342
    Abstract: Privacy preservation for voice over internet protocol calling is disclosed. A request is received to associate with a current or potential call participant a temporary privacy address that is valid for a prescribed period or until the occurrence of a prescribed event or condition. A request is received to process a call using the temporary privacy address. A determination is made as to whether the temporary privacy address is currently valid, and if it is currently valid, the call is processed using the temporary privacy address.
    Type: Grant
    Filed: December 2, 2005
    Date of Patent: June 1, 2010
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Carey Nachenberg
  • Patent number: 7685639
    Abstract: An outgoing e-mail manager inserts headers into outgoing e-mail messages originating from at least one source on a computer. Each header includes data concerning the source of the e-mail. An e-mail header manager monitors an e-mail stream, and reads headers inserted into e-mail messages. The e-mail header manager applies a security policy to e-mail messages, responsive to the contents of the inserted headers.
    Type: Grant
    Filed: June 29, 2004
    Date of Patent: March 23, 2010
    Assignee: Symantec Corporation
    Inventors: Bruce McCorkendale, William E. Sobel, Carey Nachenberg, Mark Kennedy
  • Patent number: 7617532
    Abstract: Methods, apparatuses, and computer-readable media protect sensitive data from being submitted in response to malicious e-mail. Responsive to initiating interaction with a remote site by clicking on a link, a method for protecting sensitive data from being submitted to a suspicious remote site responsive to a malicious e-mail comprises the steps of determining whether each remote target site a user attempts to access requests input of sensitive data; monitoring transmissions between a user's computer and remote target sites; and determining that a suspicious remote site is attempting to glean sensitive data from the user, responsive to a condition from a group of conditions consisting of: determining that a remote target site the user is attempting to access requests input of sensitive data; and detecting an attempt to transmit sensitive data between the user's computer and a remote target site.
    Type: Grant
    Filed: January 24, 2005
    Date of Patent: November 10, 2009
    Assignee: Symantec Corporation
    Inventors: Christopher Alexander, Carey Nachenberg
  • Patent number: 7568229
    Abstract: Systems, methods, and computer-readable media for training a computer code intrusion detection system in real time. A method embodiment of the present invention comprises the steps of observing (22), in real time, commands (5) that are accessing the computer code (1); and deriving (23) from said commands (5), in real time, a set (6) of acceptable commands.
    Type: Grant
    Filed: July 1, 2003
    Date of Patent: July 28, 2009
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Frank Barajas
  • Patent number: 7555524
    Abstract: Methods, apparatuses, and computer-readable media for detecting bulk electronic messages using header similarity analysis. Bulk electronic messages can be detected by parsing (115) header fields of an electronic message; associating (120) at least one constituent unit with each header field defining a set of constituent units for each header field; ascertaining (230) a feature vector for each set of constituent units; forming (240) a collection of feature vectors; and computing (250) an inner product from a set of constituent units from an additional electronic message and the collection of feature vectors from the initial electronic message resulting in a measure of similarity between the initial electronic message and the additional electronic message.
    Type: Grant
    Filed: September 16, 2004
    Date of Patent: June 30, 2009
    Assignee: Symantec Corporation
    Inventors: Al Hartman, Carey Nachenberg