Abstract: A building system includes heating ventilation or air conditioning (HVAC) devices configured for communication on a building automation network and a communication engine. The communication engine is configured to provide a diagnostic attribute. The diagnostic attribute indicates communications with the HVAC devices as being according to a first communication protocol or at least one different communication protocol. Systems and methods may detect insecure communications and/or upgrade in secure communication protocols in wireless or wired networks, such as, BACnet systems and/or subsystems.

Abstract: According to one embodiment, a method detecting and mitigating a privilege escalation attack on an electronic device is described. The method involves operations by a user agent mode operating within a user space and a kernel driver mode operating within a kernel space. The kernel driver mode, in response to detecting an initial activation of a process being monitored, stores metadata associated with an access token. This metadata includes the initial token state information. Responsive to detecting an event associated with the process being monitored, the kernel mode driver extracts a portion of current state information for the access token for comparison to a portion of the stored token state information. Differences between content within the current state information and the stored token state information are used, at least in part, by the user agent mode to detect a privilege escalation attack.

Abstract: A building system includes heating ventilation or air conditioning (HVAC) devices configured for communication on a building automation network and a communication engine. The communication engine is configured to provide a diagnostic attribute. The diagnostic attribute indicates communications with the HVAC devices as being according to a first communication protocol or at least one different communication protocol.

Abstract: A building automation system includes a plurality of subnets, an active broadcast management device configured on at least one of the subnets, a pool of virtual devices communicably connected to the active broadcast management device, each of the virtual devices in the pool of virtual devices configured to store a broadcast distribution table (BDT), one or more processors, and memory coupled to the one or more processors and storing instructions. When executed by the one or more processors, the instructions cause the one or more processors to transmit a health status message to each available virtual device in the pool of virtual devices, receive a health status response from each of the available virtual devices, and select, according to the health status responses, at least one of the virtual devices from among the available virtual devices as a backup virtual broadcast management device to the active broadcast management device.

Abstract: A building automation system includes a plurality of subnets, an active broadcast management device configured on at least one of the subnets, a pool of virtual devices communicably connected to the active broadcast management device, each of the virtual devices in the pool of virtual devices configured to store a broadcast distribution table (BDT), one or more processors, and memory coupled to the one or more processors and storing instructions. When executed by the one or more processors, the instructions cause the one or more processors to transmit a health status message to each available virtual device in the pool of virtual devices, receive a health status response from each of the available virtual devices, and select, according to the health status responses, at least one of the virtual devices from among the available virtual devices as a backup virtual broadcast management device to the active broadcast management device.

Abstract: According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines are configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious,” or “malicious.

Abstract: A computerized method for detecting and mitigating a ransomware attack is described. The method features (i) a kernel mode agent that intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious and copies at least a portion of a protected file to a secure storage location when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, and (ii) a user mode agent that determines whether the process is a suspicious process, monitors processing of the suspicious process and determines whether the suspicious process is associated with a ransomware attack. Additionally, in order to mitigate effects of a ransomware attack, the kernel mode agent may restore the protected file with a copy stored in the secure storage location when a ransomware attack is detected.

Abstract: According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines are configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious,” or “malicious.

Abstract: According to one embodiment, a virtualized malware detection system is integrated with a virtual machine host including a plurality of virtual machines and a security virtual machine. Logic within the virtual machines are configured to perform a dynamic analysis of an object and monitor for the occurrence of a triggering event. Upon detection of a triggering event within a virtual machine, the logic within the virtual machine provides the security virtual machine with information associated with the triggering event for further analysis. Based on the further analysis, the object may then be classified as “non-malicious,” or “malicious.