Abstract: The present disclosure describes storing backup images in backup storage using snapshots. In response to receipt of a backup image that includes a complete copy of client data, a storage unit is generated and the backup image is stored in the storage unit. In response to receipt of a streamlined backup image that includes changed client data and metadata identifying unchanged client data in a base backup image, a base storage unit that includes the base backup image is identified, a snapshot is taken of the base storage unit (which generates a snapshot), and the streamlined backup image is stored on the snapshot. The metadata of the streamlined backup image is analyzed to identify portions of the base backup image that are not referenced by the streamlined backup image, which are removed from the snapshot.

Abstract: A method for grouping backup images in deduplication groups is described. In one embodiment, the method includes identifying a new backup image, obtaining metadata from one or more nodes in the new backup image, and comparing the metadata from the one or more nodes in the new backup image with information from one or more nodes in a backup image from a first deduplication group. Each of the one or more nodes include at least in part a file or a directory. The first deduplication group is one group from a plurality of deduplication groups.

Abstract: A computer-implemented method for increasing restore speeds of backups stored in deduplicated storage systems may include (1) identifying a backup that includes data stored in at least one data container within a deduplicated storage system, (2) detecting a subsequent backup that includes additional data, (3) calculating an amount of duplication between the additional data included in the subsequent backup and the data stored in the data container, (4) determining that the amount of duplication between the additional data and the data stored in the data container is below a predetermined threshold, (5) identifying at least one additional data container to store the additional data instead of deduplicating the additional data with respect to the data container, and then (6) storing the additional data in the additional data container to facilitate increasing a restore speed of the subsequent backup. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for determining types of malware infections on computing devices may include (1) identifying multiple types of security events generated by a group of endpoint devices that describe suspicious activities on the endpoint devices, each of the endpoint devices having one or more types of malware infections, (2) determining correlations between each type of security event generated by the group of endpoint devices and each type of malware infection within the group of endpoint devices, (3) identifying a set of security events generated on a target endpoint device that potentially has a malware infection, and (4) detecting, based on both the set of security events generated on the target endpoint device and the correlations between the types of malware infections and the types of security events, at least one type of malware infection likely present on the target endpoint device.

Abstract: The disclosed computer-implemented method for monitoring encrypted data transmission may include (1) detecting a data transmission session between an application running on a first device and an application running on a second device, (2) identifying a shared library loaded by the application running on the first device to establish encryption for the data transmission session, (3) retrieving, from the shared library, a symmetric session key designated for the data transmission session, (4) intercepting data transmitted during the data transmission session, the data having been encrypted using the symmetric session key, and (5) decrypting the data utilizing the symmetric session key retrieved from the shared library. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for detecting anomalous network traffic are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting anomalous network traffic comprising the steps of receiving a list including a plurality of processes and, for each process, a list of approved types of network traffic; monitoring network traffic of each process on the list of processes; upon detecting network traffic for a process on the list of processes, determining that the type of network traffic detected is not on the list of approved types for that process; and identifying the process as infected based on determining that the type of network traffic detected is not on the list of approved types for that process.

Abstract: The disclosed computer-implemented method for connecting purpose-built appliances to secure wireless networks may include (1) receiving, via an unsecured wireless network, an identifier from a network device that is not connected to a secure wireless network associated with the computing device, (2) sending, via the unsecured wireless network, a token to the network device, (3) receiving confirmation from a user of the network device that the network device correctly displayed the token and that the user would like to connect the network device to the secure wireless network, and (4) in response to the confirming that the user would like to connect the network device to the secure wireless network, sending, via the unsecured wireless network, network credentials for the secure wireless network to the network device to enable the network device to connect to the secure wireless network. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for healing infected document files may include (1) receiving an electronic message directed to a target client computing system, the electronic message including a document file, (2) in response to receiving the electronic message, discovering, by a security program, that the document file is infected with potentially malicious content by, parsing the document file into separate objects and detecting that one of the separate objects is infected with potentially malicious content, (3) healing, by the security program, the infected object by removing the potentially malicious content from the object, (4) reconstructing, by the security program, the document file by reuniting the healed separate object with a remainder of the separate objects in a manner that preserves readability of the document, and (5) providing access to the readable reconstructed document file at the target client computing system. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for performing lookups on distributed deduplicated data systems may include (1) identifying a collection of deduplicated data stored within a plurality of nodes, (2) identifying a request to locate a deduplicated object of the collection within the plurality of nodes, (3) identifying a fingerprint of the deduplicated object, the fingerprint being generated using an algorithm that maps deduplicated objects onto a fingerprint space, (4) directing the request, based on a partitioning scheme that divides the fingerprint space among the plurality of nodes, to a first node within the plurality of nodes that is responsible for forwarding requests pertaining to a partition of the fingerprint space that includes the fingerprint, and (5) forwarding the request from the first node to a second node identified by the first node as corresponding to the fingerprint. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting malware-induced crashes may include (1) identifying, by analyzing a health log associated with a previously stable computing device, the occurrence of an unexpected stability problem on the previously stable computing device, (2) identifying, by analyzing an event log associated with the previously stable computing device, an event that is potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, (3) determining, due at least in part to the event being potentially responsible for the occurrence of the unexpected stability problem on the previously stable computing device, that the event is potentially malicious, and (4) performing a security action in response to determining that the event is potentially malicious. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for protecting data files may include (1) identifying a data file to be protected against data loss, (2) identifying a set of software programs permitted to open the data file by (a) identifying a format of the data file and (b) identifying at least one software program capable of opening files of the format of the data file, (3) detecting an attempt to open the data file by a software program not included in the set of software programs, and (4) performing a security action in response to detecting the attempt to open the data file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for decreasing RAID rebuilding time may include (1) identifying data for which there is a need for physical integrity and high availability, (2) segmenting the data sequentially into a plurality of groups of chunks, with each group of chunks including redundant data sufficient to rebuild a lost chunk within the group of chunks, (3) storing the groups of chunks on a storage array according to a four-cycle-free bipartite storage map that, for each group of chunks, stores each chunk on a different device set within the storage array and, when a chunk within a group of chunks is lost, enables all other chunks within the group to be read in parallel from different devices within the storage array. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for improving performance of a backup system are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for improving performance of a backup system. The method may comprise performing a backup of a client device, tracking, using at least one computer processor, references to data segments that are located outside of a unit of storage associated with the backup, calculating utilization of the unit of storage associated with the backup based on the tracked references, determining if the calculated utilization meets a specified parameter, and determining one or more responsive actions in the event the calculated utilization meets the specified parameter.

Abstract: The disclosed computer-implemented method for dynamic load balancing on disks may include (1) calculating the spare throughput for each disk, (2) identifying a lightly loaded disk and a heavily loaded disk, (3) identifying a set of workloads to be transferred from the heavily loaded disk to the lightly loaded disk by: (a) beginning with the set empty, (b) identifying candidate workloads on the heavily loaded disk, (c) adding a new workload from the candidate workloads to the set when the new workload would not reduce the spare throughput on the lightly loaded disk below a threshold if both the set and the workload were transferred to the lightly loaded disk, and (d) considering each workload for transfer in order from most throughput consumed to least throughput consumed, and (4) transferring the set of workloads. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for monitoring programs may include (1) placing a program within an enclave that includes a protected address space that code outside of the protected address space is restricted from accessing, (2) hooking an application programming interface call within the program in the enclave to monitor the behavior of the program, (3) inserting an enclave entry instruction into code outside of the protected address space that the program accesses through the hooking of the application programming interface call, and (4) monitoring the behavior of the program by executing the program within the enclave in an attempt to force the program to use the hooked application programming interface call in order to access data outside the enclave. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for optimizing disk access are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for optimizing disk access comprising a module for reading files in a filesystem, the files comprising one or more file fragments, a module for determining a relative location of the one or more file fragments on a disk, a module for sorting an index of the one or more file fragments on the disk in one or more fragment tables according to the relative location of the one or more file fragments on the disk, a module for reading the one or more file fragments from the disk, a module for assembling one or more of the files from the one or more file fragments.

Abstract: A computer-implemented method for anomaly-based detection of compromised information technology (IT) administration accounts may (1) include establishing a set of permissible IT administration tasks for an IT administration account, (2) monitoring the IT administration account for activities outside the set of permissible IT administration tasks, (3) detecting a suspicious activity by identifying an activity that is outside the set of permissible IT administration tasks and therefore indicative of the IT administration account being compromised, and (4) in response to detecting the suspicious activity, performing a security action with respect to the potentially compromised IT administration account. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for increasing restore speeds of backups stored in deduplicated storage systems may include (1) identifying a backup that includes data stored in at least one data container within a deduplicated storage system, (2) detecting a subsequent backup that includes additional data, (3) calculating an amount of duplication between the additional data included in the subsequent backup and the data stored in the data container, (4) determining that the amount of duplication between the additional data and the data stored in the data container is below a predetermined threshold, (5) identifying at least one additional data container to store the additional data instead of deduplicating the additional data with respect to the data container, and then (6) storing the additional data in the additional data container to facilitate increasing a restore speed of the subsequent backup. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for detecting security threats based on user profiles may include 1) identifying behavior on a computing system that is potentially indicative of a security threat, 2) identifying a user profile for a user of the computing system that estimates a level of the user's technical sophistication, 3) comparing the identified behavior with the estimated level of the user's technical sophistication, and 4) determining whether the identified behavior indicates a security threat based at least in part on the comparison of the identified behavior with the estimated level of the user's technical sophistication. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for increasing restore speeds of backups stored in deduplicated storage systems may include (1) identifying a backup that includes data stored in at least one data container within a deduplicated storage system, (2) detecting a subsequent backup that includes additional data, (3) calculating an amount of duplication between the additional data included in the subsequent backup and the data stored in the data container, (4) determining that the amount of duplication between the additional data and the data stored in the data container is below a predetermined threshold, (5) identifying at least one additional data container to store the additional data instead of deduplicating the additional data with respect to the data container, and then (6) storing the additional data in the additional data container to facilitate increasing a restore speed of the subsequent backup. Various other methods, systems, and computer-readable media are also disclosed.