Patents by Inventor Jeffrey A. Kraemer

Jeffrey A. Kraemer has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20100242111
    Abstract: A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.
    Type: Application
    Filed: May 27, 2010
    Publication date: September 23, 2010
    Inventors: Jeffrey A. Kraemer, Andrew Zawadowskiy
  • Patent number: 7774498
    Abstract: A security agent extends the trust barrier, or trust point, from network gateway nodes to end user devices. A security agent operable to scrutinize network traffic executes on the user device and compares QoS marking attempts with the established QoS marking policy in effect. The security agent examines network traffic attributes deterministic of connection attempts by user processes. Attempts to apply inappropriate or disallowed QoS markings, as dictated by the QoS marking policy, are detected and disallowed. Therefore, only user connections consistent with the QoS marking policy are permitted into the network. Network admission control (NAC) mechanisms ensure that the security agent is the only access point from the user device to the secure network, and the security agent communicates the establishment of the trusted access point to the network gateway, thus ensuring that the network gateway may trust service level designations emanating from the user device executing the security agent.
    Type: Grant
    Filed: November 6, 2006
    Date of Patent: August 10, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, David James McCowan, Kerry E. Lynn, Philip J. S. Gladstone
  • Patent number: 7716473
    Abstract: A computer-implemented system, method and apparatus for operating a reference monitor simulator is operable to recreate the operations performed by a reference monitor on a computer system. In one configuration, the system defines at least one security rule specifying whether to allow or deny a request to access at least one resource under a given set of circumstances and supplies at least one request to access a resource. The system further applies the at least one security rule in response to the at least one request to access a resource to determine whether to allow or prevent the at least one request.
    Type: Grant
    Filed: April 9, 2004
    Date of Patent: May 11, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Philip J. S. Gladstone, Alan J. Kirby, Mikhail Cherepov
  • Patent number: 7681226
    Abstract: A system controls security during operation of a computerized device by enforcing a first security policy during a first operational state of the computerized device. Enforcement of the first security policy provides a first level of access to resources within the computerized device by processes operating in the computerized device. The system detects a transition operation of the computerized device that occurs during enforcement of the first security policy indicating that operation of the computerized device is transitioning from the first operational state to a second operational state and in response, enforces a second security policy corresponding to the second operational state to provide a level of access to the resources within the computerized device that corresponds to the second operational state during operation of the second operational state. This can be repeated for many different states including boot time, normal runtime, installation, shutdown, and a compromised state.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: March 16, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Debra L. Malver
  • Patent number: 7607041
    Abstract: A system creates a secondary stack containing execution information of at least one function operating on the computer system, and receives an attack notification of an attack on the computer system. The system determines a point in the secondary stack at which a recovery from the attack is possible. In one embodiment, the system then generates a signature of the attack based on the execution information contained within the secondary stack.
    Type: Grant
    Filed: May 1, 2006
    Date of Patent: October 20, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Andrew Zawadowskiy, Boris Ruchansky
  • Patent number: 7596097
    Abstract: A trace detector prevents network mapping and tracing by detecting an initial packet containing an initial time to live value that meets a first predetermined threshold range. The trace detector identifies a source address of the initial packet and adjusts a threshold time to live range for detection of at least one subsequent trace route or response packet associated with the source address of the initial packet. In response to detecting the subsequent packet(s), the trace detector processes the subsequent packet(s) associated with the source address of the initial packet according to a security policy to prevent a trace process originating the initial packet from tracing a network using the at least one subsequent packet.
    Type: Grant
    Filed: March 9, 2006
    Date of Patent: September 29, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: David James McCowan, Jeffrey A. Kraemer
  • Patent number: 7516476
    Abstract: An automated method and apparatus for creating a security policy for one or more applications is provided. The method includes exercising the features of the one or more applications to generate behavioral data, applying a heuristic to aggregate the behavioral data into a subset of representative actions, and organizing the representative actions according to a structure defined by a template into a security policy for the one or more applications. The security policy may be downloaded to one or more workstations for deployment, and provides a safeguard to protect a computer system against cyber-terrorism.
    Type: Grant
    Filed: March 24, 2003
    Date of Patent: April 7, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Brian F. Costello, Dan L. Grecu, Venkat R. Rangamani, Philip J. S. Gladstone, Alan J. Kirby
  • Publication number: 20080022359
    Abstract: A Stateful Reference Monitor can be loaded into an existing commercial operating system, and then can regulate access to many different types of resources. The reference monitor maintains an updateable storage area whose contents can be used to affect access decisions, and access decisions can be based on arbitrary properties of the request.
    Type: Application
    Filed: October 1, 2007
    Publication date: January 24, 2008
    Inventors: Philip Gladstone, Jeffrey Kraemer
  • Publication number: 20070256127
    Abstract: A system receives information from at least one security interceptor associated with at least one computer system. The information identifies details associated with a traffic flow in a computer system of the computer networking environment. The system determines a probability that an attack on the computer system is in progress based on a probabilistic link provided by the information. The probabilistic link is determined by attack information associated with previous attacks. Based on the information provided by the at least one security interceptor, the system generates a signature utilized to prevent a similar attack on the computer system.
    Type: Application
    Filed: August 4, 2006
    Publication date: November 1, 2007
    Inventors: Jeffrey A. Kraemer, Andrew Zawadowskiy
  • Patent number: 7290266
    Abstract: A Stateful Reference Monitor can be loaded into an existing commercial operating system, and then can regulate access to many different types of resources. The reference monitor maintains an updateable storage area whose contents can be used to affect access decisions, and access decisions can be based on arbitrary properties of the request.
    Type: Grant
    Filed: February 8, 2002
    Date of Patent: October 30, 2007
    Assignee: Cisco Technology, Inc.
    Inventors: Philip J. S. Gladstone, Jeffrey A. Kraemer
  • Publication number: 20070174912
    Abstract: A system creates a secondary stack containing execution information of at least one function operating on the computer system, and receives an attack notification of an attack on the computer system. The system determines a point in the secondary stack at which a recovery from the attack is possible. In one embodiment, the system then generates a signature of the attack based on the execution information contained within the secondary stack.
    Type: Application
    Filed: May 1, 2006
    Publication date: July 26, 2007
    Inventors: Jeffrey Kraemer, Andrew Zawadowskiy, Boris Ruchansky
  • Publication number: 20070143850
    Abstract: A system defines at least one key event to be monitored by at least one agent, and creates a graphical model for the at least one key event. The system observes the at least one key event. The system infers a degree of attack on the computer system based on an observation of the at least one key event in conjunction with a result of an effect the at least one key event has on the graphical model. The system then adjusts a security policy based on an output of the graphical model.
    Type: Application
    Filed: May 1, 2006
    Publication date: June 21, 2007
    Inventors: Jeffrey Kraemer, Andrew Zawadowskiy
  • Publication number: 20070143847
    Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.
    Type: Application
    Filed: May 1, 2006
    Publication date: June 21, 2007
    Inventors: Jeffrey Kraemer, Andrew Zawadowskiy, Philip Gladstone
  • Publication number: 20070143848
    Abstract: A system detects an attack on the computer system. The system identifies the attack as polymorphic, capable of modifying itself for every instance of execution of the attack. The modification of the attack is utilized to defeat detection of the attack. In one embodiment, the system determines generation of an effective signature of the attack has failed. The signature is utilized to prevent execution of the attack. The system then adjusts access to an interface to prevent further damage caused to the computer system by the attack.
    Type: Application
    Filed: May 1, 2006
    Publication date: June 21, 2007
    Inventors: Jeffrey Kraemer, Andrew Zawadowskiy
  • Publication number: 20070113270
    Abstract: A system for automatically handling requests to grant or deny access to resources in a network or computer system. In a preferred embodiment of the invention a “learning mode” can be designated so that whenever a permission query is detected the system automatically supplies an answer to the query without requiring the user to make a response or take other action. The automated answer can be set so that the permission is always granted or other criteria can be used for the automated answer such as by categorizing the type of access permission and using a default response according to the category.
    Type: Application
    Filed: November 16, 2005
    Publication date: May 17, 2007
    Applicant: Cisco Technology, Inc.
    Inventors: Jeffrey Kraemer, Debra Malver
  • Publication number: 20060174319
    Abstract: A system controls security during operation of a computerized device by enforcing a first security policy during a first operational state of the computerized device. Enforcement of the first security policy provides a first level of access to resources within the computerized device by processes operating in the computerized device. The system detects a transition operation of the computerized device that occurs during enforcement of the first security policy indicating that operation of the computerized device is transitioning from the first operational state to a second operational state and in response, enforces a second security policy corresponding to the second operational state to provide a level of access to the resources within the computerized device that corresponds to the second operational state during operation of the second operational state. This can be repeated for many different states including boot time, normal runtime, installation, shutdown, and a compromised state.
    Type: Application
    Filed: January 28, 2005
    Publication date: August 3, 2006
    Inventors: Jeffrey Kraemer, Debra Malver
  • Publication number: 20060156380
    Abstract: A system provides security to a computerized device by detecting a sequence of related processing operations within the computerized device and recording the sequence of related processing operations in a security history. The system identifies a security violation when a processing operation performed in the computerized device produces an undesired processing outcome that violates a security policy, subsequently detects attempted performance of at least one processing operation that attempts to produce the undesired processing outcome that violates the security policy and, in response, denies operation of the processing operation(s) within the computerized device to avoid violation of the security policy.
    Type: Application
    Filed: January 7, 2005
    Publication date: July 13, 2006
    Inventors: Philip Gladstone, Jeffrey Kraemer
  • Publication number: 20030023774
    Abstract: A Stateful Reference Monitor can be loaded into an existing commercial operating system, and then can regulate access to many different types of resources. The reference monitor maintains an updateable storage area whose contents can be used to affect access decisions, and access decisions can be based on arbitrary properties of the request.
    Type: Application
    Filed: February 8, 2002
    Publication date: January 30, 2003
    Inventors: Philip J. S. Gladstone, Jeffrey A. Kraemer
  • Publication number: 20020194495
    Abstract: The invention provides a method and apparatus for maintaining a networked computer system including first and second nodes and an event processing server, the method comprising the first and second nodes detecting changes in state, the event processing server receiving notification of the changes in state from the first and second nodes, the event processing server correlating changes in state detected in the first and second nodes, and the event processing server executing a maintenance decision which affects the first and second nodes. The detecting, transmitting, correlating, and executing occur without human intervention.
    Type: Application
    Filed: June 14, 2002
    Publication date: December 19, 2002
    Inventors: Philip J.S. Gladstone, Jeffrey A. Kraemer
  • Patent number: 5898784
    Abstract: The invention features receiving encrypted network packets sent over a network at a network interface computer, and passing the encrypted network packets to a computer on an internal network. The invention also features receiving encrypted network packets at a first computer over a network from a second computer, examining a field in each network packet to determine which of a plurality of encryption algorithms was used to encrypt the network packet, and decrypting the network packet in accordance with the determined encryption algorithm. The invention further features receiving network packets sent over a network, determining which virtual tunnel each network packet was sent over, and routing each network packet to a destination computer in accordance with the determined virtual tunnel.
    Type: Grant
    Filed: November 3, 1997
    Date of Patent: April 27, 1999
    Assignee: Raptor Systems, Inc.
    Inventors: Alan J. Kirby, Jeffrey A. Kraemer, Ashok P. Nadkarni
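
Worked example for the trace detector of patent 7596097 (the abstract above). This is an added illustration written for this page, not code from the patent or from Cisco. It assumes a host-side detector that sees each inbound packet's source address and arrival TTL; the "initial" TTL range of 1..3, the slack of one hop around the expected next probe, and the verdict names "watch", "drop" and "allow" are all choices made here, not values from the patent.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound IP packet: source address and the TTL it arrived with."""
    src: str
    ttl: int


@dataclass
class TraceState:
    """Per-source tracking state created when an initial low-TTL probe is seen."""
    next_min: int   # lowest TTL the tracer's next probe is expected to arrive with
    next_max: int   # highest TTL expected for that probe
    probes: int     # number of probes from this source matched so far


class TraceDetector:
    """Detector in the spirit of patent 7596097 (illustrative, not the patent's code).

    A packet whose arrival TTL falls inside `initial_range` is treated as a
    possible final-hop traceroute probe: a tracer raises the TTL by one each
    round, so probes that reach the target arrive with small, increasing TTLs.
    The detector records the source and narrows the TTL window it expects the
    next probe to use.  Later packets from that source inside the adjusted
    window are handled under the trace policy ("drop"); anything outside the
    window is ordinary traffic ("allow").
    """

    def __init__(self, initial_range: Tuple[int, int] = (1, 3), slack: int = 1) -> None:
        self.initial_range = initial_range     # assumed threshold range
        self.slack = slack                     # tolerance around ttl + 1
        self.watched: Dict[str, TraceState] = {}

    def _expected_window(self, ttl: int) -> Tuple[int, int]:
        # Next probe should arrive with ttl + 1; allow `slack` either way, never below 1.
        return max(1, ttl + 1 - self.slack), ttl + 1 + self.slack

    def process(self, pkt: Packet) -> str:
        state = self.watched.get(pkt.src)
        if state is None:
            lo, hi = self.initial_range
            if lo <= pkt.ttl <= hi:
                nmin, nmax = self._expected_window(pkt.ttl)
                self.watched[pkt.src] = TraceState(nmin, nmax, probes=1)
                return "watch"
            return "allow"
        if state.next_min <= pkt.ttl <= state.next_max:
            state.probes += 1
            state.next_min, state.next_max = self._expected_window(pkt.ttl)
            return "drop"
        return "allow"


# Constructed sample: three probes from one tracer, then ordinary traffic.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.0.0.5", 1),
    Packet("10.0.0.5", 2),
    Packet("10.0.0.5", 3),
    Packet("10.0.0.5", 60),
    Packet("192.0.2.9", 57),
]


def run_sample() -> List[str]:
    """Run the constructed packets through a fresh detector and return the verdicts."""
    detector = TraceDetector()
    return [detector.process(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{verdict:5} src={pkt.src} ttl={pkt.ttl}")
```

The "drop" verdict stands in for whatever the security policy prescribes for the trace packets; the point of the adjusted window is that the tracer's later probes are recognised by source plus expected TTL rather than by TTL alone, so a host whose normal traffic arrives with high TTLs is not affected. A deployable version would also need to age out `watched` entries and to consider that some operating systems send with low default TTLs, both left out here.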
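
Worked example for the Stateful Reference Monitor (patent 7290266 and publications 20080022359 and 20030023774) together with the reference monitor simulator of patent 7716473, since the simulator is just the same rule evaluation replayed over a recorded trace. This is an added illustration for this page, not code from the patents or from Cisco. The request fields, the state kept (a set of "tainted" process ids), the three rules and the sample trace are all constructed here; the patents describe the mechanism in general terms and prescribe none of them.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Request:
    """One access request reaching the monitor (constructed fields, not the patents' model)."""
    pid: int
    user: str
    op: str      # "open", "write", "connect", ...
    target: str  # file path or host:port


@dataclass
class MonitorState:
    """The updateable storage area: facts remembered across requests."""
    tainted_pids: Set[int] = field(default_factory=set)


Predicate = Callable[[Request, MonitorState], bool]
Effect = Callable[[Request, MonitorState], None]


@dataclass
class Rule:
    name: str
    applies: Predicate
    decision: Optional[str]                 # "allow", "deny", or None for a state-only rule
    effect: Effect = lambda req, st: None   # runs whenever the rule applies; may update state


class StatefulReferenceMonitor:
    """First-match rule evaluation whose predicates may consult and update state."""

    def __init__(self, rules: List[Rule], default: str = "allow") -> None:
        self.rules = rules
        self.default = default
        self.state = MonitorState()

    def decide(self, req: Request) -> str:
        for rule in self.rules:
            if rule.applies(req, self.state):
                rule.effect(req, self.state)
                if rule.decision is not None:
                    return rule.decision
        return self.default


def taint_rules() -> List[Rule]:
    """Example policy: a process that opens a file under a Downloads directory is
    marked tainted and thereafter denied outbound connections; non-root writes
    under /etc are always denied.  Decisions depend on earlier requests, which
    is what a stateless rule set cannot express."""
    return [
        Rule("taint-on-download-open",
             lambda r, s: r.op == "open" and "/Downloads/" in r.target,
             None,
             lambda r, s: s.tainted_pids.add(r.pid)),
        Rule("tainted-process-no-network",
             lambda r, s: r.op == "connect" and r.pid in s.tainted_pids,
             "deny"),
        Rule("protect-etc",
             lambda r, s: r.op == "write" and r.target.startswith("/etc/") and r.user != "root",
             "deny"),
    ]


def stateless_rules() -> List[Rule]:
    """The same policy with the taint-tracking rules removed, for comparison."""
    return [r for r in taint_rules() if r.name == "protect-etc"]


def simulate(rules: List[Rule], trace: List[Request]) -> List[str]:
    """Reference monitor simulator: replay a recorded request trace against a
    candidate rule set and return the decision each request would receive."""
    monitor = StatefulReferenceMonitor(rules)
    return [monitor.decide(req) for req in trace]


# Constructed trace of requests, in arrival order.
SAMPLE_TRACE: List[Request] = [
    Request(100, "alice", "open", "/home/alice/Downloads/invoice.pdf"),
    Request(100, "alice", "connect", "203.0.113.7:443"),
    Request(200, "alice", "connect", "203.0.113.7:443"),
    Request(200, "alice", "write", "/etc/passwd"),
    Request(1, "root", "write", "/etc/hosts"),
]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_TRACE, simulate(taint_rules(), SAMPLE_TRACE)):
        print(f"{verdict:5} pid={req.pid} {req.op} {req.target}")
```

Running `simulate` with both rule sets over the same trace shows the simulator's use: the connect by pid 100 is denied only under `taint_rules()`, because that decision rests on state written by an earlier request. A change to a policy can be evaluated this way against recorded behaviour before the rules are enforced on a live host.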
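
Worked example for the per-operational-state policies of patent 7681226 (publication 20060174319). This is an added illustration for this page, not code from the patent or from Cisco. The five state names come from the abstract; the transition events, the (operation, target class) vocabulary, and the contents of each state's policy are assumptions made here to show the mechanism.

```python
from typing import Dict, List, Set, Tuple

# Operational states named in the abstract of patent 7681226.
BOOT, RUNTIME, INSTALL, SHUTDOWN, COMPROMISED = "boot", "runtime", "install", "shutdown", "compromised"

# Transition operations (constructed event names) and the state each moves to.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    (BOOT, "services_started"): RUNTIME,
    (RUNTIME, "installer_launched"): INSTALL,
    (INSTALL, "installer_exited"): RUNTIME,
    (RUNTIME, "shutdown_requested"): SHUTDOWN,
    (INSTALL, "shutdown_requested"): SHUTDOWN,
}

Perm = Tuple[str, str]  # (operation, target class); classes assumed: system, user, network, signed

_RUNTIME_PERMS: Set[Perm] = {
    ("read", "system"), ("read", "user"), ("write", "user"),
    ("exec", "user"), ("connect", "network"),
}

# One policy per state: the set of permissions it grants (everything else is denied).
POLICIES: Dict[str, Set[Perm]] = {
    BOOT: {("load_driver", "signed"), ("read", "system")},
    RUNTIME: set(_RUNTIME_PERMS),
    INSTALL: _RUNTIME_PERMS | {("write", "system"), ("load_driver", "signed")},
    SHUTDOWN: {("read", "system"), ("write", "user")},
    COMPROMISED: {("read", "user"), ("read", "system")},   # no writes, no network
}


class StatePolicyEngine:
    """Enforces whichever policy corresponds to the device's current state."""

    def __init__(self) -> None:
        self.state = BOOT

    def on_event(self, event: str) -> str:
        """Apply a detected transition operation and return the new state.
        An attack notification moves any state to COMPROMISED; unknown
        (state, event) pairs leave the state unchanged."""
        if event == "attack_detected":
            self.state = COMPROMISED
        else:
            self.state = TRANSITIONS.get((self.state, event), self.state)
        return self.state

    def check(self, op: str, target_class: str) -> bool:
        """Access decision under the policy of the current state."""
        return (op, target_class) in POLICIES[self.state]


def run_scenario() -> List[Tuple[str, str, str, bool]]:
    """Constructed sequence: an optional event, then one access check.
    Returns (state, op, target_class, allowed) per step."""
    engine = StatePolicyEngine()
    steps = [
        (None, "write", "system"),                  # boot: system writes denied
        ("services_started", "write", "system"),    # runtime: still denied
        (None, "connect", "network"),               # runtime: network allowed
        ("installer_launched", "write", "system"),  # install: system writes allowed
        ("installer_exited", "write", "system"),    # back to runtime: denied again
        ("attack_detected", "connect", "network"),  # compromised: network denied
    ]
    out = []
    for event, op, target in steps:
        if event is not None:
            engine.on_event(event)
        out.append((engine.state, op, target, engine.check(op, target)))
    return out


if __name__ == "__main__":
    for state, op, target, allowed in run_scenario():
        print(f"{state:11} {op}:{target:8} {'allow' if allowed else 'deny'}")
```

The same request, a write to a system location, is denied at boot and at normal runtime but allowed while an installer is running, and network access that runtime permits is withdrawn once an attack notification moves the device into the compromised state. The table of transitions is the part that matters operationally: an attacker who can forge the transition event (here, "installer_launched") gets the more permissive policy, so in a real agent that event must come from a source the agent trusts rather than from the process requesting access.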