Abstract: Unauthorized and fraudulent use of a cloud computing system may be reduced or mitigated using a multi-threshold based method to identify fraudulent subscribers of the cloud. The multi-threshold based method may assign a fraud threshold to each resource of the cloud. The fraud thresholds of the multi-threshold based method may be adjusted based on one or more characteristics associated with one or more of the plurality of resources in the cloud. The one or more characteristics may include a capacity percentage associated with the plurality of resources, fraud distribution among the plurality of resources, cost of operation associated with the plurality of resources, anticipated or actual subscriber growth rate associated with the plurality of resources and/or anticipated or actual subscriber fraud risk associated with the plurality of resources.

Abstract: Using a set of anomalies indicative of a malicious pattern of behavior collected from data to determine new alerts for anomalies included in subsequently collected data. A set of anomalies found in data collected from data sources is accessed. The set of anomalies is determined by a prior analysis to be indicative of a malicious pattern of behavior by entities associated with the set of anomalies. Data that is subsequently collected from the data sources is searched to determine if any of the data includes the set of anomalies. Alerts are generated for any of the subsequently collected data that includes the set of anomalies.

Abstract: Using a set of anomalies indicative of a malicious pattern of behavior collected from data to determine new alerts for anomalies included in subsequently collected data. A set of anomalies found in data collected from data sources is accessed. The set of anomalies is determined by a prior analysis to be indicative of a malicious pattern of behavior by entities associated with the set of anomalies. Data that is subsequently collected from the data sources is searched to determine if any of the data includes the set of anomalies. Alerts are generated for any of the subsequently collected data that includes the set of anomalies.

Abstract: A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

Abstract: A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.

Abstract: Security risks associated with scanning a computer are at least mitigated by performing the scanning off node. State data of a target node, or computer, can be acquired in various ways. The acquired state data can be subsequently employed to generate a virtual replica of the target computer or portion thereof on a second computer isolated from the target computer. The virtual replica of the target computer provides a scanner access to the data needed to perform a scan on the second computer without accessing or being able to impact the target computer.

Abstract: Unauthorized and fraudulent use of a cloud computing system may be reduced or mitigated using a multi-threshold based method to identify fraudulent subscribers of the cloud. The multi-threshold based method may assign a fraud threshold to each resource of the cloud. The fraud thresholds of the multi-threshold based method may be adjusted based on one or more characteristics associated with one or more of the plurality of resources in the cloud. The one or more characteristics may include a capacity percentage associated with the plurality of resources, fraud distribution among the plurality of resources, cost of operation associated with the plurality of resources, anticipated or actual subscriber growth rate associated with the plurality of resources and/or anticipated or actual subscriber fraud risk associated with the plurality of resources.

Abstract: A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.

Abstract: A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

Abstract: Security risks associated with scanning a computer are at least mitigated by performing the scanning off node. State data of a target node, or computer, can be acquired in various ways. The acquired state data can be subsequently employed to generate a virtual replica of the target computer or portion thereof on a second computer isolated from the target computer. The virtual replica of the target computer provides a scanner access to the data needed to perform a scan on the second computer without accessing or being able to impact the target computer.

Abstract: Embodiments described herein are directed to preventing development of insecure web pages, preventing deployment of insecure web pages and to preventing access to insecure web pages. In one embodiment, a computer system accesses a web page that includes one or more web elements. The computer system then determines that the web page includes at least one element that requests user authentication and determines whether various specified secure protocols have been implemented on the web page. Then, if the specified secure protocols have not been implemented on the web page, the computer system displays a warning or error indicating that the web page is insecure.

Abstract: Embodiments described herein are directed to preventing development of insecure web pages, preventing deployment of insecure web pages and to preventing access to insecure web pages. In one embodiment, a computer system accesses a web page that includes one or more web elements. The computer system then determines that the web page includes at least one element that requests user authentication and determines whether various specified secure protocols have been implemented on the web page. Then, if the specified secure protocols have not been implemented on the web page, the computer system displays a warning or error indicating that the web page is insecure.