Patents by Inventor IOSIF V. ONUT

IOSIF V. ONUT has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170322836
    Abstract: A computer system may identify a cryptographic application programming interface (API) call for a program. The cryptographic API call may include a first variable. The computer system may determine that the first variable is a static value. The computer system may tag the first variable. The computer system may determine that the cryptographic API call will be executed. The computer system may replace the first variable with a second variable during execution of the program. The computer system may execute the cryptographic API call with the second variable.
    Type: Application
    Filed: May 3, 2016
    Publication date: November 9, 2017
    Inventors: Paul Ionescu, Iosif V. Onut, Omer Tripp
  • Publication number: 20170286688
    Abstract: Preliminary program analysis of an executable may be performed. A security vulnerability level of a portion of the executable may be determined based on the preliminary program analysis. The security vulnerability level of the portion may be compared to a security vulnerability threshold. The precision of runtime monitoring of the portion may be tuned based on the comparison.
    Type: Application
    Filed: March 29, 2016
    Publication date: October 5, 2017
    Inventors: Paul Ionescu, Iosif V. Onut, Omer Tripp
  • Patent number: 9734149
    Abstract: A processor determines whether a DOM includes a repetitive pattern of a combination, formed by a tag of a leaf node and a tag of a parent node of the leaf node. Determining the repetitive pattern of the combination, the processor identifies a first inner cluster by collapsing multiple instances of the repetitive pattern into a single instance. The processor generates an LSH signature for the single instance of the repetitive pattern. The processor determines an outer cluster, based on grouping one or more inner clusters, as part of a section rooted at a source node of the DOM, in which the source node is a parent node of the one or more inner clusters. Determining that a pair of outer clusters are near repetitive, the processor limits web content exploration to one of the pair of outer clusters.
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: August 15, 2017
    Assignee: International Business Machines Corporation
    Inventors: Mohammadreza Barouni Ebrahimi, Obidul Islam, Iosif V. Onut
  • Patent number: 9734147
    Abstract: A processor determines whether a DOM includes a repetitive pattern of a combination, formed by a tag of a leaf node and a tag of a parent node of the leaf node. Determining the repetitive pattern of the combination, the processor identifies a first inner cluster by collapsing multiple instances of the repetitive pattern into a single instance. The processor generates an LSH signature for the single instance of the repetitive pattern. The processor determines an outer cluster, based on grouping one or more inner clusters, as part of a section rooted at a source node of the DOM, in which the source node is a parent node of the one or more inner clusters. Determining that a pair of outer clusters are near repetitive, the processor limits web content exploration to one of the pair of outer clusters.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: August 15, 2017
    Assignee: International Business Machines Corporation
    Inventors: Mohammadreza Barouni Ebrahimi, Obidul Islam, Iosif V. Onut
  • Publication number: 20170109541
    Abstract: A method of classifying privacy relevance of an application programming interface (API) comprises analyzing a set of input applications to identify a plurality of custom APIs and generating a respective taint specification for each identified custom API. The method further comprises generating taint flows based on each taint specification and matching features and associated feature values from the taint flows to a set of feature templates. The method also comprises correlating the matched features and associated feature values with respective privacy relevance of the plurality of custom APIs to identify a set of privacy relevant features. The method further comprises detecting a candidate API, extracting features from the candidate API and comparing the extracted features to the set of privacy relevant features. Based on the comparison, a label is assigned to the candidate API indicating privacy relevance of the candidate API.
    Type: Application
    Filed: October 20, 2015
    Publication date: April 20, 2017
    Inventors: Paul Ionescu, Iosif V. Onut, Omer Tripp
  • Publication number: 20170085579
    Abstract: An attack upon a web interface is detected in real-time. The web interface is one of many web interfaces across many ports across many computer systems within a network. Data on the attack is gathered. The attack data includes traffic data. Variants of the attack are determined based on data of the attack. The variants are selected from a predetermined set of attack variants. The attacked interface is scanned with the selected attack variants. The web interface is identified as vulnerable to at least one variant of the attack. In response to this identification, the attack is responded to without human intervention.
    Type: Application
    Filed: September 18, 2015
    Publication date: March 23, 2017
    Inventors: Paul Ionescu, Iosif V. Onut
  • Publication number: 20160188884
    Abstract: An illustrative embodiment of automated application decomposition generates a set of information specific to an application by one or more external tools. Predefined heuristics and corresponding predefined conclusions, categorized corresponding to one or more external tool domains, are applied to the set of information to produce an intermediate result. The intermediate result is converted into a set of conclusions about factors, representative of the application, used in application decomposition. The set of conclusions is exported and used to generate a model of the application. The model is a starting point for identification of threats and weaknesses specific to the application.
    Type: Application
    Filed: December 2, 2015
    Publication date: June 30, 2016
    Applicant: International Business Machines Corporation
    Inventors: Khalil A. Ayoub, Kalpana Bisht, Robert Calendino, Paul Ionescu, Richard Lee, Fei Liu, Daniel H. Nguyen, Iosif V. Onut
  • Publication number: 20160110455
    Abstract: A method for identifying client states receives a set of paths representative of a document object model (DOM) associated with a web page of a rich internet application and for each path in the set of paths received, extracts a subtree, as subtree X, for a current path. The method traverses all known sub-paths under the current path and deletes corresponding subtrees from subtree X and reads contents of and determines states of subtree X to form a state X. The state X is added to a set of current states and responsive to a determination no more paths exist, returns the set of current states of the rich internet application.
    Type: Application
    Filed: April 15, 2014
    Publication date: April 21, 2016
    Inventors: Gregor von Bochmann, Paul Ionescu, Guy-Vincent Jourdan, Seyed Ali Moosavi Byooki, Iosif V. Onut, Omer Tripp
  • Publication number: 20160092566
    Abstract: A processor determines whether a DOM includes a repetitive pattern of a combination, formed by a tag of a leaf node and a tag of a parent node of the leaf node. Determining the repetitive pattern of the combination, the processor identifies a first inner cluster by collapsing multiple instances of the repetitive pattern into a single instance. The processor generates an LSH signature for the single instance of the repetitive pattern. The processor determines an outer cluster, based on grouping one or more inner clusters, as part of a section rooted at a source node of the DOM, in which the source node is a parent node of the one or more inner clusters. Determining that a pair of outer clusters are near repetitive, the processor limits web content exploration to one of the pair of outer clusters.
    Type: Application
    Filed: September 29, 2014
    Publication date: March 31, 2016
    Inventors: Mohammadreza Barouni Ebrahimi, Obidul Islam, Iosif V. Onut
  • Publication number: 20160092591
    Abstract: A processor determines whether a DOM includes a repetitive pattern of a combination, formed by a tag of a leaf node and a tag of a parent node of the leaf node. Determining the repetitive pattern of the combination, the processor identifies a first inner cluster by collapsing multiple instances of the repetitive pattern into a single instance. The processor generates an LSH signature for the single instance of the repetitive pattern. The processor determines an outer cluster, based on grouping one or more inner clusters, as part of a section rooted at a source node of the DOM, in which the source node is a parent node of the one or more inner clusters. Determining that a pair of outer clusters are near repetitive, the processor limits web content exploration to one of the pair of outer clusters.
    Type: Application
    Filed: June 2, 2015
    Publication date: March 31, 2016
    Inventors: Mohammadreza Barouni Ebrahimi, Obidul Islam, Iosif V. Onut
  • Patent number: 9292604
    Abstract: Embodiments relating to a computer-implemented process, an apparatus and a computer program product are provided for crawling rich Internet applications. In one aspect the method includes executing an event in a set of events discovered in a state exploration phase according to a predetermined priority of events in each set of events in the sets of events discovered, wherein the event from a higher priority is exhausted before an event from a lower priority is executed and determining any transitions. Responsive to a determination that there is at least one transition, any remaining set of events is executed in a transition exploration phase. In addition the method determines the existence of any new states as a result of executing an event in the set of events and returns to the state exploration phase, responsive to a determination that a new state exists.
    Type: Grant
    Filed: September 20, 2013
    Date of Patent: March 22, 2016
    Assignee: International Business Machines Corporation
    Inventors: Suryakant Choudhary, Paul Ionescu, Guy-Vincent Jourdan, Iosif V. Onut, Gregor von Bochmann
  • Patent number: 9195763
    Abstract: A mechanism is provided for identifying parameter and name/value pair separators within two or more strings of data. The identifying is performed by selecting at least one name/value pair separator candidate from the two or more strings of data, and filtering the at least one name/value pair separator candidate using one or more rules, thereby removing any of the name/value pair separator candidates that do not conform to any of the one or more rules. The identifying additionally includes selecting at least one parameter separator candidate from the two or more strings of data, and filtering the at least one parameter separator candidate using one or more rules, thereby removing any of the at least one parameter separator candidates that do not conform to any of the one or more rules. The result is a set of tuples that includes a name/value separator candidate, and a parameter separator candidate.
    Type: Grant
    Filed: September 4, 2014
    Date of Patent: November 24, 2015
    Assignee: International Business Machines Corporation
    Inventors: Paul Ionescu, Iosif V. Onut
  • Publication number: 20150193621
    Abstract: An illustrative embodiment of a computer-implemented process for security scanning using entity history responsive to a determination that a set of vulnerabilities exist for a selected security entity, tests the selected entity using a vulnerability set selected from an issues history and responsive to a determination that all vulnerabilities are not found, determining whether more vulnerability sets exist. Responsive to a determination that more vulnerability sets exist, obtains a next set of vulnerabilities and tests the selected security entity using another vulnerability set selected from the issues history. Responsive to a determination that a set of vulnerabilities does not exist for the selected security entity, performs a full scan of the selected security entity and responsive to a determination that security issues are identified, records the security issues identified in the issues history.
    Type: Application
    Filed: January 7, 2015
    Publication date: July 9, 2015
    Inventors: Mohammadreza Barouni Ebrahimi, Paul Ionescu, Iosif V. Onut
  • Publication number: 20150193402
    Abstract: An embodiment for tracking JavaScript actions in a rich Internet application, receives a document object model (DOM) representative of a particular page of an application at a particular time and analyzes the DOM received to identify each JavaScript action on the particular page for which each JavaScript action identified, a JavaScript action characteristics ID is calculated and stored. Responsive to a determination multiple instances of a same ID exist, collecting a list of JavaScript actions corresponding to each ID corresponding to a multiple JavaScript action and removing from memory JavaScript action entries for the multiple instances of the same ID. A neighbor influence is computed for a member of the list of JavaScript actions remaining and the JavaScript action ID calculated for the member of the list of JavaScript actions remaining is stored. Responsive to a determination there are no more multiple JavaScript actions, return all JavaScript action IDs stored.
    Type: Application
    Filed: January 6, 2015
    Publication date: July 9, 2015
    Inventors: Khalil A. Ayoub, Gregor V. Bochmann, Nevon C. Brake, Mustafa E. Dincturk, Paul Ionescu, Guy-Vincent Jourdan, Iosif V. Onut
  • Patent number: 9069863
    Abstract: Identifying parameter and name/value pair separators within two or more strings of data. The identifying is performed by selecting at least one name/value pair separator candidate from the two or more strings of data, and filtering the at least one name/value pair separator candidate using one or more rules, thereby removing any of the name/value pair separator candidates that do not conform to any of the one or more rules. The identifying additionally includes selecting at least one parameter separator candidate from the two or more strings of data, and filtering the at least one parameter separator candidate using one or more rules, thereby removing any of the at least one parameter separator candidates that do not conform to any of the one or more rules. The result is a set of tuples that includes a name/value separator candidate, and a parameter separator candidate.
    Type: Grant
    Filed: October 10, 2011
    Date of Patent: June 30, 2015
    Assignee: International Business Machines Corporation
    Inventors: Paul Ionescu, Iosif V. Onut
  • Publication number: 20150178389
    Abstract: A computer-implemented method for hybrid task assignment is presented. A working hardware node crawls a particular application and encounters a task. A mapping function is used to determine whether the task encountered is reserved. In response to a determination the task encountered is not reserved, the task is handled by the working node, and in response to a determination the task encountered is reserved, the task encountered is sent to a central unit. A determination is made as to whether the working node is idle. In response to a determination the working node is idle, another task is requested from the central unit by the working node. In response to a determination the working node is not idle, a determination is made as to whether all tasks are complete. In response to a determination all tasks are not complete, the task is handled by the working node.
    Type: Application
    Filed: November 21, 2014
    Publication date: June 25, 2015
    Inventors: Gregor Von Bochmann, Guy-Vincent R. Jourdan, Iosif V. Onut, Seyed M. Mir Taheri
  • Publication number: 20140379736
    Abstract: A mechanism is provided for identifying parameter and name/value pair separators within two or more strings of data. The identifying is performed by selecting at least one name/value pair separator candidate from the two or more strings of data, and filtering the at least one name/value pair separator candidate using one or more rules, thereby removing any of the name/value pair separator candidates that do not conform to any of the one or more rules. The identifying additionally includes selecting at least one parameter separator candidate from the two or more strings of data, and filtering the at least one parameter separator candidate using one or more rules, thereby removing any of the at least one parameter separator candidates that do not conform to any of the one or more rules. The result is a set of tuples that includes a name/value separator candidate, and a parameter separator candidate.
    Type: Application
    Filed: September 4, 2014
    Publication date: December 25, 2014
    Inventors: Paul Ionescu, Iosif V. Onut
  • Publication number: 20140081946
    Abstract: Embodiments relating to a computer-implemented process, an apparatus and a computer program product are provided for crawling rich Internet applications. In one aspect the method includes executing an event in a set of events discovered in a state exploration phase according to a predetermined priority of events in each set of events in the sets of events discovered, wherein the event from a higher priority is exhausted before an event from a lower priority is executed and determining any transitions. Responsive to a determination that there is at least one transition, any remaining set of events is executed in a transition exploration phase. In addition the method determines the existence of any new states as a result of executing an event in the set of events and returns to the state exploration phase, responsive to a determination that a new state exists.
    Type: Application
    Filed: September 20, 2013
    Publication date: March 20, 2014
    Applicant: International Business Machines Corporation
    Inventors: Suryakant Choudhary, Paul Ionescu, Guy V. Jourdan, Iosif V. Onut, Gregor von Bochmann
  • Publication number: 20130091152
    Abstract: Identifying parameter and name/value pair separators within two or more strings of data. The identifying is performed by selecting at least one name/value pair separator candidate from the two or more strings of data, and filtering the at least one name/value pair separator candidate using one or more rules, thereby removing any of the name/value pair separator candidates that do not conform to any of the one or more rules. The identifying additionally includes selecting at least one parameter separator candidate from the two or more strings of data, and filtering the at least one parameter separator candidate using one or more rules, thereby removing any of the at least one parameter separator candidates that do not conform to any of the one or more rules. The result is a set of tuples that includes a name/value separator candidate, and a parameter separator candidate.
    Type: Application
    Filed: October 10, 2011
    Publication date: April 11, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Paul Ionescu, Iosif V. Onut
  • Publication number: 20120255006
    Abstract: A computer-implemented process for two-tier deep analysis of hypertext transport protocol data, monitors Web traffic, receives a packet of Web traffic from a network to form a received packet, wherein the received packet represents Web traffic, and stores the Web traffic temporarily to form stored Web traffic. The computer-implemented process further determines whether the Web traffic is suspicious using a first tier analysis and responsive to a determination that the Web traffic is suspicious, consumes the stored Web traffic using a deep analysis module. The computer-implemented process further determines whether the stored Web traffic is a case of misuse using a second tier analysis and responsive to a determination that the stored Web traffic is a case of misuse, feeding back data about a malicious connection to an intrusion protection system before returning to monitor the Web traffic.
    Type: Application
    Filed: March 21, 2012
    Publication date: October 4, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: HOSAM ALY, CRAIG R. CONBOY, IOSIF V. ONUT, GUY PODJARNY