Abstract: Provided is a method for recognizing a weak point in an original program using a test program, the original program being configured to perform a predetermined function on input data when executed in a predetermined runtime environment and the test program being configured to execute the same predetermined function on the input data when executed in the predetermined runtime environment, including: executing the original program and the test program in parallel on identical input data in the predetermined runtime environment; obtaining a test information characterizing the execution of the test program; and determining whether the original program has a weak point based on a comparison of the test information with a predetermined weak point information indicating conditions for recognizing weak points. Weak points of a program can be determined dynamically, without having to perform a time consuming testing in an artificial test environment.

Abstract: A device, computer program product and method for detecting a deviation of a security state of a computing device from a desired security state, wherein the computing device is emulated by a virtual machine, where the includes the creation of a virtual copy of the virtual machine, the creation occurring during runtime of the virtual machine with operation of the computing device continuing unimpaired, the automatic start of operation of the virtual copy, automatic performance of a security check on the virtual copy with operation of the computing device continuing unimpaired, automatic generation of a result of the security check which describes a security state of the virtual copy, and includes creation of a threat indication for the computing device if the result indicates a deviation of the security state of the virtual copy from the desired security state of the computing device.

Abstract: A computing device is proposed for detecting attacks on a technical system based on events of an event sequence is provided. The computing device has a receiving unit for receiving the event sequence which includes a plurality of events, wherein an attack is determined by a specific sequence in the events in the received event sequence, and a checking unit for checking the received event sequence based on a main event which is contained in the specific sequence in events, wherein the checking unit is additionally designed to carry out a pattern recognition in the received event sequence based on the specific sequence in events if the main event has occurred. As the checking unit merely checks the received event sequence for the occurrence of a main event, and the more exact pattern recognition is only carried out after the main event occurs, the necessary computing expense can be reduced.

Abstract: Provided is a method for recognizing a weak point in an original program using a test program, the original program being configured to perform a predetermined function on input data when executed in a predetermined runtime environment and the test program being configured to execute the same predetermined function on the input data when executed in the predetermined runtime environment, including: executing the original program and the test program in parallel on identical input data in the predetermined runtime environment; obtaining a test information characterizing the execution of the test program; and determining whether the original program has a weak point based on a comparison of the test information with a predetermined weak point information indicating conditions for recognizing weak points. Weak points of a program can be determined dynamically, without having to perform a time consuming testing in an artificial test environment.

Abstract: A device, computer program product and method for detecting a deviation of a security state of a computing device from a desired security state, wherein the computing device is emulated by a virtual machine, where the includes the creation of a virtual copy of the virtual machine, the creation occurring during runtime of the virtual machine with operation of the computing device continuing unimpaired, the automatic start of operation of the virtual copy, automatic performance of a security check on the virtual copy with operation of the computing device continuing unimpaired, automatic generation of a result of the security check which describes a security state of the virtual copy, and includes creation of a threat indication for the computing device if the result indicates a deviation of the security state of the virtual copy from the desired security state of the computing device.

Abstract: A system for obtaining and analyzing forensic data in a distributed computer infrastructure. The system includes a plurality of computing devices and at least one monitoring unit, which are connected to each other via a communication network. Every computing device is configured to detect security events and send same to the monitoring unit. The monitoring unit is configured to evaluate the received security events and assign same to a danger category, wherein if there is a lack of information for assigning a danger category, the computing device is configured in such a manner as to receive instructions for gathering additional forensic data and to send the additional data via an analysis unit to the monitoring unit. The monitoring unit is configured in such a manner as to transmit instructions to the computing device for gathering additional data and to use same for re-evaluation and assigning of a danger category.

Abstract: A method for identifying manipulation of data records in a system including a computation apparatus and an external security apparatus, wherein the data records are stored in the computation apparatus, having the method steps of: allocation of a secret to a computation apparatus, generation of a first cryptographic key by a one-way function on the basis of the secret, storage of the secret on a security apparatus that is different from the computation apparatus, use of the first cryptographic key for the purpose of protecting a first data record, and generation of a respective next cryptographic key by the same one-way function on the basis of the respectively preceding cryptographic key for the purpose of protecting a next data record on the computation apparatus and simultaneous erasure or overwriting of the respectively preceding cryptographic key.

Abstract: A computing device is proposed for detecting attacks on a technical system based on events of an event sequence is provided. The computing device has a receiving unit for receiving the event sequence which includes a plurality of events, wherein an attack is determined by a specific sequence in the events in the received event sequence, and a checking unit for checking the received event sequence based on a main event which is contained in the specific sequence in events, wherein the checking unit is additionally designed to carry out a pattern recognition in the received event sequence based on the specific sequence in events if the main event has occurred. As the checking unit merely checks the received event sequence for the occurrence of a main event, and the more exact pattern recognition is only carried out after the main event occurs, the necessary computing expense can be reduced.

Abstract: A system for obtaining and analyzing forensic data in a distributed computer infrastructure. The system includes a plurality of computing devices and at least one monitoring unit, which are connected to each other via a communication network. Every computing device is configured to detect security events and send same to the monitoring unit. The monitoring unit is configured to evaluate the received security events and assign same to a danger category, wherein if there is a lack of information for assigning a danger category, the computing device is configured in such a manner as to receive instructions for gathering additional forensic data and to send the additional data via an analysis unit to the monitoring unit. The monitoring unit is configured in such a manner as to transmit instructions to the computing device for gathering additional data and to use same for re-evaluation and assigning of a danger category.