Abstract: Systems and methods for malware containment on connection are provided. Digital devices are quarantined for a predetermined period of time upon connection to the communication network. When a digital device is quarantined, all network data transmitted by the digital device is temporarily directed to a controller which then analyzes the network data to identify unauthorized activity and/or malware within the newly connected digital device. An exemplary method to contain malware comprises detecting a digital device upon connection with a communication network, temporarily redirecting network data from the digital device for a predetermined period of time, and analyzing the network data to identify malware within the digital device.

Abstract: Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.

Abstract: Systems and methods for malware containment and security analysis on connection are provided. Digital devices are quarantined for a predetermined period of time upon connection to the communication network. When a digital device is quarantined, all network data transmitted by the digital device is directed to a controller which then analyzes the network data to identify unauthorized activity and/or malware within the newly connected digital device. An exemplary method to contain malware includes detecting a digital device upon connection with a communication network, quarantining network data from the digital device for a predetermined period of time, transmitting a command to the digital device to activate a security program to identify security risks, and analyzing the network data to identify malware within the digital device.

Abstract: A dynamic signature creation and enforcement system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, simulate transmission of the network data to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.

Abstract: A dynamic signature creation and enforcement system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, simulate transmission of the network data to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.

Abstract: A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data to flag the network data as suspicious, and simulate transmission of the network data to a destination device.

Abstract: A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data to flag the network data as suspicious, and simulate transmission of the network data to a destination device.

Abstract: Methods and systems for detecting encrypted bot command and control communication channels are provided. In the exemplary method, the presence of a communication channel between a first network device and a second network device is monitored. Active and inactive periods of the network device are detected and a reverse channel is determined based on the detection. The first network device may then be flagged as potentially infected or suspected based on the reverse channel determination.

Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

Abstract: A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to flag the network data as suspicious, and simulate transmission of the network data to a destination device.

Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

Abstract: Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.

Abstract: An approach for provisioning network devices generally involves supplying boot data to network devices over a network so that the network devices can be booted up in an imaging mode or an application mode, depending upon the particular boot data supplied to the network device. When booted up in the imaging mode, imaging data can be downloaded and stored on network devices. When booted up in the application mode, the network devices execute one or more programs contained in the image data stored on the network devices. The first and second boot data may be in the form of boot loader scripts. Furthermore, the first and second boot data may be provided to the network device in the payload of a dynamic host configuration protocol (DHCP) reply. The DHCP reply may be generated and provided by a DHCP server to the network device in response to receiving a DHCP request from the network device. The approach may be implemented using a secure network environment.

Abstract: A method and apparatus for replicating an image from a source to a destination disk are provided. Specific embodiments may be optimized for single source to multiple destination replication requests, for example. In one embodiment, the present invention provides tools and techniques for synchronous data replication responsive to asynchronous same-source-to-different-destination replication requests.

Abstract: A method and apparatus for selectively logically adding storage to a host features dynamically mapping one or more disk volumes to the host using a storage virtualization layer, without affecting an operating system of the host or its configuration. Storage devices participate in storage area networks and are coupled to gateways. A boot port of the host is coupled to a direct-attached storage network that includes a switching fabric. When a host needs storage to participate in a virtual server farm, software elements allocate one or more volumes or concatenated volumes of disk storage, and command the gateways and switches in the storage networks to logically and physically connect the host to the allocated volumes. As a result, the host acquires access to storage without modification to a configuration of the host, and a real-world virtual server farm or data center may be created and deployed substantially instantly.