Abstract: A digital security threat management system is disclosed. The system detects the presence of a computing system, on a network, that has been compromised by an undetected and/or unknown digital security threat. The digital security threat management system recognizes characteristic emanations from a computer system that has been compromised. Because the characteristic emanations that result from a known threat can be the same as the characteristic emanations that result from an undetected and/or unknown threat, the digital security threat management system can learn to detect a computing system that has been compromised by an unknown threat if the security threat management system recognizes characteristic emanations from a previous attack, based on a known threat, of the computing system. In this way, the system can detect the presence of a compromised computing system, even if the cause of the compromise remains undetected and/or unknown. Appropriate remedial action may be taken upon detection.

Abstract: A digital security threat management system is disclosed. The system detects the presence of a computing system, on a network, that has been compromised by an undetected and/or unknown digital security threat. The digital security threat management system recognizes characteristic emanations from a computer system that has been compromised. Because the characteristic emanations that result from a known threat can be the same as the characteristic emanations that result from an undetected and/or unknown threat, the digital security threat management system can learn to detect a computing system that has been compromised by an unknown threat if the security threat management system recognizes characteristic emanations from a previous attack, based on a known threat, of the computing system. In this way, the system can detect the presence of a compromised computing system, even if the cause of the compromise remains undetected and/or unknown. Appropriate remedial action may be taken upon detection.

Abstract: A network activity detection system is trained to detect network activities of interest such as threats by malicious computer data. The training involves distilling the characteristics of known network activities of interest (e.g., intrusion by computer viruses, exploits, worms, or the like) into a minimal set of meta-expressions. At run-time, the network activity detection system combines the minimal set of meta-expressions with efficient computer algorithms for evaluating meta-expressions to detect known network activities of interest, as well as their unknown variants, among an unknown set of network activity. The network activity detection system may produce appropriate responses upon the detection of network activities of interest.

Abstract: Network activity detectors, such as firewalls, communicate with one another to form a Unified Threat Management System. A first network activity detector sends a request for configuration settings to a second network activity detector. The second network activity detector sends a set of configuration settings in response to the request. The configuration settings include information for detecting digital security threats and/or for responding to detected digital security threats. In this way, configuration settings are propagated from one network activity detector to another so that network activity detectors within a UTMS system are configured consistently, e.g., have up-to-date information for detecting and/or responding to digital security threats.

Abstract: A digital security threat management system is disclosed. The system detects the presence of a computing system, on a network, that has been compromised by an undetected and/or unknown digital security threat. The digital security threat management system recognizes characteristic emanations from a computer system that has been compromised. Because the characteristic emanations that result from a known threat can be the same as the characteristic emanations that result from an undetected and/or unknown threat, the digital security threat management system can learn to detect a computing system that has been compromised by an unknown threat if the security threat management system recognizes characteristic emanations from a previous attack, based on a known threat, of the computing system. In this way, the system can detect the presence of a compromised computing system, even if the cause of the compromise remains undetected and/or unknown. Appropriate remedial action may be taken upon detection.

Abstract: A digital security threat management system is disclosed. The system detects the presence of a computing system, on a network, that has been compromised by an undetected and/or unknown digital security threat. The digital security threat management system recognizes characteristic emanations from a computer system that has been compromised. Because the characteristic emanations that result from a known threat can be the same as the characteristic emanations that result from an undetected and/or unknown threat, the digital security threat management system can learn to detect a computing system that has been compromised by an unknown threat if the security threat management system recognizes characteristic emanations from a previous attack, based on a known threat, of the computing system. In this way, the system can detect the presence of a compromised computing system, even if the cause of the compromise remains undetected and/or unknown. Appropriate remedial action may be taken upon detection.

Abstract: A network activity detection system is trained to detect network activities of interest such as threats by malicious computer data. The training involves distilling the characteristics of known network activities of interest (e.g., intrusion by computer viruses, exploits, worms, or the like) into a minimal set of meta-expressions. At run-time, the network activity detection system combines the minimal set of meta-expressions with efficient computer algorithms for evaluating meta-expressions to detect known network activities of interest, as well as their unknown variants, among an unknown set of network activity. The network activity detection system may produce appropriate responses upon the detection of network activities of interest.

Abstract: A network activity detection system is trained to detect network activities of interest such as threats by malicious computer data. The training involves distilling the characteristics of known network activities of interest (e.g., intrusion by computer viruses, exploits, worms, or the like) into a minimal set of meta-expressions. At run-time, the network activity detection system combines the minimal set of meta-expressions with efficient computer algorithms for evaluating meta-expressions to detect known network activities of interest, as well as their unknown variants, among an unknown set of network activity. The network activity detection system may produce appropriate responses upon the detection of network activities of interest.

Abstract: A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Abstract: A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Abstract: A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Abstract: The present invention is directed to systems and methods for encoding and retrieving information from a variety of sources using novel search techniques. The systems and methods of the invention are capable of extracting all types of structural and relational information from a query or a source data allowing for the recognition of subtle differences in meaning. The capability of discerning subtle differences in meaning that are beyond the search systems and methods presently available, the invention described herein is capable of repeatedly providing accurate and meaningful responses to a diverse set of queries.

Abstract: A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Abstract: A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attack signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Abstract: There is provided a sentence module that handles pronouns in sentences. Each pronoun is replaced by one or more nouns. These replaced nouns are used to form statements that populate the structured representation, in order to produce precise answers to queries, as part of a search engine application.

Abstract: A system in accordance with an embodiment of the invention includes a vulnerability detection system (VDS) and an intrusion detection system (IDS). The intrusion detection system leverages off of information gathered about a network, such as vulnerabilities, so that it only examines and alerts the user to potential intrusions that could actually affect the particular network. In addition, both the VDS and IDS may use rules in performing their respective analyses that are query-based and that are easy to construct. In particular, these rules may be based on a set of templates, which represent various entities or processes on the network.

Abstract: The present invention is directed to systems and methods for encoding and retrieving information from a variety of sources using novel search techniques. The systems and methods of the invention are capable of extracting all types of structural and relational information from a query or a source data allowing for the recognition of subtle differences in meaning. The capability of discerning subtle differences in meaning that are beyond the search systems and methods presently available, the invention described herein is capable of repeatedly providing accurate and meaningful responses to a diverse set of queries.

Abstract: There is provided a search engine or other electronic search application that receives an inputted query in natural language. The search engine then analyzes the query in accordance with the syntactic relationships of the natural language in which it was presented, weights the syntactic relationships, and generates a result to the query as output, corresponding to the syntactic relationship of the greatest weight. The outputted result is typically an answer, in the form of a sentence or a phrase, along with the document from which the sentence or phrase is taken, including a hypertext link for the document.

Abstract: A system and method for providing distributed security of a network. Several device profilers are placed at different locations of a network to assess vulnerabilities from different perspectives. The device profiler identifies the hosts on the network, and characteristics such as operating system and applications running on the hosts. The device profiler traverses a vulnerability tree having nodes representative of characteristics of the hosts, each node having an associated set of potential vulnerabilities. Verification rules can verify the potential vulnerabilities. A centralized correlation server, at a centrally accessible location in the network, stores the determined vulnerabilities of the network and associates the determined vulnerabilities with attach signatures. Traffic monitors access the attack signatures and monitor network traffic for attacks against the determined vulnerabilities.

Abstract: A system in accordance with an embodiment of the invention includes a vulnerability detection system (VDS) and an intrusion detection system (IDS). The intrusion detection system leverages off of information gathered about a network, such as vulnerabilities, so that it only examines and alerts the user to potential intrusions that could actually affect the particular network. In addition both the VDS and IDS use rules in performing their respective analyses that are query-based and that are easy to construct. In particular these rules are based on a set of templates, which represent various entities or processes on the network.