Patents by Inventor Fadi El-Moussa

Fadi El-Moussa has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180060581
    Abstract: A computer implemented method to mitigate a security attack against a target virtual machine (VM) in a virtualized computing environment, the target VM having a target VM configuration including configuration parameters, and the security attack exhibiting a particular attack characteristic, is disclosed.
    Type: Application
    Filed: August 15, 2017
    Publication date: March 1, 2018
    Inventors: Fadi EL-MOUSSA, Ian HERWONO
  • Publication number: 20180060575
    Abstract: A computer implemented method to mitigate a security attack against a target virtual machine (VM) in a virtualized computing environment, the target VM having a target VM configuration including configuration parameters, and the security attack exhibiting a particular attack characteristic, is disclosed.
    Type: Application
    Filed: August 15, 2017
    Publication date: March 1, 2018
    Inventors: Fadi EL-MOUSSA, Ian HERWONO
  • Publication number: 20180054451
    Abstract: A computer implemented method to identify one or more parameters of a configuration of a target virtual machine (VM) in a virtualized computing environment used in a security attack against the target VM, the security attack exhibiting a particular attack characteristic, is disclosed.
    Type: Application
    Filed: August 15, 2017
    Publication date: February 22, 2018
    Inventors: Fadi EL-MOUSSA, Ian HERWONO
  • Publication number: 20180053002
    Abstract: A computer implemented method to determine whether a target virtual machine (VM) in a virtualized computing environment is susceptible to a security attack, the method comprising: training a machine learning algorithm as a classifier based on a plurality of training data items, each training data item corresponding to a training VM and including a representation of parameters for a configuration of the training VM and a representation of characteristics of security attacks for the training VM; generating a data structure for storing one or more relationships between VM configuration parameters and attack characteristics, wherein the data structure is generated by sampling the trained machine learning algorithm to identify the relationships; determining a set of configuration parameters for the target VM; and identifying attack characteristics in the data structure associated with configuration parameters of the target VM as characteristics of attacks to which the target VM is susceptible.
    Type: Application
    Filed: August 15, 2017
    Publication date: February 22, 2018
    Inventors: Fadi EL-MOUSSA, Ian HERWONO
  • Patent number: 9841981
    Abstract: Techniques for enforcing a compliance requirement for a software application executing in a virtualized computing environment are disclosed. An identifier identifies a resource instantiated for the application's execution. A retriever retrieves a compliance characteristic for the application. The compliance characteristic is retrieved based on the identified resource and has an associated compliance criterion based on a formal parameter. The compliance criterion defines compliant resource states. A selector selects a software component for providing an actual parameter corresponding to the formal parameter. An evaluator evaluates the compliance criterion using the actual parameter. An application modifier, responsive to the resource lacking a compliant resource state, modifies the software application to have a resource with a compliant state. The identifier, selector, and evaluator respond to resource changes.
    Type: Grant
    Filed: June 12, 2014
    Date of Patent: December 12, 2017
    Assignee: British Telecommunications PLC
    Inventors: Theo Dimitrakos, Nektarios Georgalas, Fadi El-Moussa, Pramod Pawar, George Vafiadis
  • Publication number: 20170351861
    Abstract: A malware detection system to detect malware in a virtual machine (VM), the system including a profile generator adapted to generate a profile of a deployment of the VM, the profile including execution characteristics of the deployment; a VM package generator to generate a VM package including: a VM descriptor describing a particular deployment of the VM; and an image of the particular deployment, the image including a representation of data stored for the particular deployment of the VM; and a malware identifier adapted to identify malware in a deployment of the VM responsive to the identification of a difference between profiles of multiple different deployments of the VM.
    Type: Application
    Filed: December 17, 2015
    Publication date: December 7, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Andreas MAUTHE, Angelos MARNERIDES, Michael WATSON
  • Publication number: 20170351860
    Abstract: A malware detection system to detect malware in a client computer system includes a behavior profile generator adapted to generate a behavior profile specifying operational behaviors of a computer system indicative of the existence of malware in the computer system; an interface adapted to communicate the behavior profile to the client; and an identifier responsive to a message from the client that the behavior profile is exhibited by the client and adapted to identify a reaction instruction for performance by the client, wherein the interface is further adapted to communicate the reaction instruction to the client.
    Type: Application
    Filed: December 17, 2015
    Publication date: December 7, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Behnan AZVINE
  • Publication number: 20170323113
    Abstract: A computer implemented method of deploying a software application in a virtualized computing environment, comprising: receiving a description of the software application including an identification of a set of one or more application software resources; determining one or more types of security facility required for the set of application software resources and determining a security requirement for each of the determined types of security facility; selecting a security software resource for each of the determined types of security facility; determining a security configuration for each of the selected security software resources, the security configuration being based on a security requirement associated with a type of security facility for the security software resource; and generating a deployment specification for the software application specifying the application software resources and the security software resources for deployment of the application in the virtualized computing environment, each of the
    Type: Application
    Filed: October 28, 2015
    Publication date: November 9, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Theo DIMITRAKOS
  • Publication number: 20170302629
    Abstract: A computer implemented method of secure communication between a virtual machine in a set of virtual machines in a virtualized computing environment and a shared software service over a network, the method comprising: establishing a network connection between the virtual machine and the software service; communicating data between the virtual machine and the software service; and, establishing a tunneling virtual private network (VPN) connection for communication of encrypted network traffic between the virtual machine and the software service, access to the VPN connection being restricted so as to securely separate communication between the virtual machine and the software service from communication occurring with other virtual machines in the set, and wherein data is communicated between the virtual machine and the software service via the VPN connection.
    Type: Application
    Filed: November 4, 2015
    Publication date: October 19, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Ali SAJJAD
  • Publication number: 20170286083
    Abstract: A computer implemented method to execute a software application in a first network attached computing environment comprising: receiving a definition of the application, the definition identifying a set of software components and including configuration information for installing and executing the components in the first environment; installing and configuring the components in the first environment in accordance with the definition, wherein the definition further includes, for an identified component in the set, software agent information about a software agent that implements part of a software feature, the agent being provided by a second network attached computing environment external to and communicatively connected with the first environment, the second environment providing another part of the software feature, the method further comprising obtaining, installing and configuring the agent based on the agent information to provide part of the software feature for the application.
    Type: Application
    Filed: August 27, 2015
    Publication date: October 5, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Theo DIMITRAKOS, Joshua DANIEL, Fadi EL-MOUSSA, Gery DUCATEL
  • Publication number: 20170286136
    Abstract: A computer implemented method to provide a software feature in a registry of software components for a first network attached computing environment, each software component in the registry having associated deployment information to assemble a software application to be executed by the first environment as a set of software components, and the software feature being provided in part by a second network attached computing environment external to the first environment, the method comprising: for a selected software component in the registry, determining compatibility of the software feature with the software component; and responsive to the determination, adapting a registry entry of the software component in the registry to indicate the availability of the software feature for the software component.
    Type: Application
    Filed: August 27, 2015
    Publication date: October 5, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Theo DIMITRAKOS, Joshua DANIEL, Fadi EL-MOUSSA, Gery DUCATEL
  • Patent number: 9778930
    Abstract: A software compliance assessment apparatus for determining a level of compliance of a software application in execution in a virtualized computing environment, the apparatus comprising: an identifier component operable to identify resources instantiated for execution of the application; a retriever component operable to retrieve a compliance characteristic for the application, the compliance characteristic being retrieved based on the identified resources, and the compliance characteristic having associated a compliance criterion based on a formal parameter; a selector component operable to select a software component for providing an actual parameter corresponding to the formal parameter, the actual parameter being based on data concerning at least one of the resources; an evaluator component operable to evaluate the compliance criterion using the actual parameter; and a detector component operable to detect a change to one or more of the resources, wherein the identifier component, selector component and ev
    Type: Grant
    Filed: June 12, 2014
    Date of Patent: October 3, 2017
    Assignee: British Telecommunication PLC
    Inventors: Theo Dimitrakos, Nektarios Georgalas, Fadi El-Moussa, Pramod Pawar, George Vafiadis
  • Patent number: 9747447
    Abstract: A processing device (10) includes a processor (12), an interface (14) and a memory (100). The memory (100) is formed from system Random Access Memory (RAM) and one or more other storage devices. The memory (100) can be considered as comprising working memory (110) and persistent storage (120). The working memory includes the system RAM but may also use memory from one or more other storage devices and when certain suspicious program detection modules are operating also stores a comparison table (112) discussed below. Contained within the persistent storage are several executable program files as follows: an Absolute Memory Address Calculator executable program (121) which is responsible for causing the system (10) to inspect a copy of a persistently stored (and compiled) executable program (e.g. an executable program (125, 126, 127, . . .
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: August 29, 2017
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventor: Fadi El-Moussa
  • Publication number: 20170237563
    Abstract: A method for securely accessing a hardware storage device connected to a computer system, the hardware storage device having a unique hardware identifier and the computer system including a processor, the method comprising: an agent software component receiving the identifier of the storage device to authenticate the storage device, wherein the agent executes in an unrestricted mode of operation of the processor such that the agent is a trusted software component; in response to the authentication, the agent accessing a secure data key for encrypting and decrypting data on the storage device, wherein the data key is accessible only to trusted agents executing in the unrestricted mode of the processor such that software executing in a user mode of the processor stores and retrieves data on the storage device only via the agent.
    Type: Application
    Filed: November 13, 2014
    Publication date: August 17, 2017
    Inventors: Fadi EL-MOUSSA, Theo DIMITRAKOS, Georgios VAFIADIS
  • Publication number: 20170223032
    Abstract: A malicious encrypted traffic inhibitor connected to a computer network is disclosed. A method for inhibiting malicious encrypted network traffic communicated via a computer network also is disclosed.
    Type: Application
    Filed: February 17, 2015
    Publication date: August 3, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, George KALLOS, Ben AZVINE
  • Publication number: 20170142649
    Abstract: Dynamic Wireless Network Access Point Selection. A mobile device having a processor, a memory and a wireless network interface, the processor executing an operating system including a network communication library for providing networking services via the wireless network interface and being further arranged to: receive capability information associated with each of a plurality of wireless network access points accessible to the mobile device; identify, for a set of networked applications in execution on the mobile device, one or more applications having associated a wireless network capability requirement; and select an access point from the plurality of access points to provide network communication for the mobile device, the access point being selected based on the identified one or more applications and the received capability information, wherein network communication for applications executed by the mobile device having associated a wireless network capability requirement that is incompatible with a networ
    Type: Application
    Filed: June 5, 2015
    Publication date: May 18, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, Ali SAJJAD
  • Patent number: 9602466
    Abstract: A computer system (100) is arranged to run at least one user-oriented operating system (153) (e.g. Windows, LINUX, etc.) on which a plurality of user-oriented applications (152) (e.g. Word processor, web browser, spreadsheet application, etc.) may run, the computer system being further arranged to run a secondary program supporting environment (154), (155) (e.g. computer BIOS, Hypervisor, basic LINUX operating system micro-kernel, etc.). The computer system (100) is arranged to run the secondary program supporting environment (154), when the main user-oriented operating system is not running in either or both of the following situations: prior to loading the main operating system at boot-up time of the system or when a user wishes to log back into his/her operating system after having previously logged out or having been logged out automatically and/or during a sleep mode of the computer system.
    Type: Grant
    Filed: November 2, 2012
    Date of Patent: March 21, 2017
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Theo Dimitrakos, Fadi El-Moussa
  • Publication number: 20170034204
    Abstract: Preventing unintentional communication of data over a network by monitoring an outbound memory buffer of a computer system, the outbound memory buffer storing outbound network messages, and in response to a detection of an outbound network message corresponding to a heartbeat response message, overwriting at least a portion of a payload of the heartbeat response message.
    Type: Application
    Filed: April 8, 2015
    Publication date: February 2, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventor: Fadi EL-MOUSSA
  • Publication number: 20170013000
    Abstract: A malicious encrypted traffic detector connected to a computer network method for identifying malicious encrypted network traffic communicated via a computer network, the method comprising: a storage storing a plurality of network traffic window definitions, each window defining a different subset of network traffic for a network connection; an analyzer adapted to identify characteristics of a network connection to determine a protocol of a network connection; a network traffic recorder adapted to record a subset of network traffic corresponding to a window of network traffic; an entropy estimator adapted to evaluate an estimated measure of entropy for a portion of network traffic of a network connection recorded by the network traffic recorder; and a window selector adapted to identify and store a window as a portion of a network connection for which an estimated measure of entropy is most similar for a plurality of network connections, the identified window being stored in association with an identifier of
    Type: Application
    Filed: February 16, 2015
    Publication date: January 12, 2017
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, George KALLOS, Ben AZVINE
  • Publication number: 20160366155
    Abstract: A malicious encrypted traffic detector connected to a computer network, the detector comprising: a Shannon entropy estimator; an entropy comparator; a store storing a reference measure of Shannon entropy of a portion of network traffic of a malicious encrypted network connection, wherein the estimator is adapted to estimate a measure of entropy for a corresponding portion of network traffic communicated over the computer network, and the entropy comparator is adapted to compare the estimated measure of entropy with the reference measure so as to determine if malicious encrypted network traffic is communicated over the network connection.
    Type: Application
    Filed: February 17, 2015
    Publication date: December 15, 2016
    Applicant: British Telecommunications Public Limited Company
    Inventors: Fadi EL-MOUSSA, George KALLOS, Ben AZVINE