Patents by Inventor Mikhail Cherepov

Mikhail Cherepov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8806629
    Abstract: A system and method for specification of a policy to trigger automatic signature generation, refinement, and confidence characterization is provided. The system monitors incoming payloads and identifies untrusted payloads based on specified characteristics of the process including process name, triggering action, prior actions and/or state and/or conditions. Signatures are automatically generated for untrusted payloads and stored. Additionally, the system enables denial-of-service (DoS) protection based on the number of signature-generation attempts that allows the server process to continue providing service on unaffected interfaces.
    Type: Grant
    Filed: January 2, 2008
    Date of Patent: August 12, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Mikhail Cherepov, Andrew Zawadowskiy, Jeffrey Albin Kraemer, Boris Ruchansky
  • Patent number: 8474044
    Abstract: Techniques are disclosed for verifying whether payload signatures correspond to a vulnerability or exploit. Generally, a security system may be configured to detect an attack on a server while the server is processing a payload. The security system generates (or obtains) a provisional signature corresponding to the vulnerability. For example, a provisional signature may be generated for a vulnerability from a group of payloads determined to correspond to that vulnerability. The effects of subsequent payloads which match the provisional signature may be monitored. If the effects of a payload duplicate the attack symptoms, a confidence metric for the provisional signature may be increased. Once the confidence metric exceeds a predetermined threshold, then the provisional signature may be made active and used to block traffic from reaching an intended destination.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: June 25, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Andrew Zawadowskiy, Boris Ruchansky, Mikhail Cherepov
  • Publication number: 20100175132
    Abstract: Techniques are disclosed for verifying whether payload signatures correspond to a vulnerability or exploit. Generally, a security system may be configured to detect an attack on a server while the server is processing a payload. The security system generates (or obtains) a provisional signature corresponding to the vulnerability. For example, a provisional signature may be generated for a vulnerability from a group of payloads determined to correspond to that vulnerability. The effects of subsequent payloads which match the provisional signature may be monitored. If the effects of a payload duplicate the attack symptoms, a confidence metric for the provisional signature may be increased. Once the confidence metric exceeds a predetermined threshold, then the provisional signature may be made active and used to block traffic from reaching an intended destination.
    Type: Application
    Filed: January 5, 2009
    Publication date: July 8, 2010
    Inventors: Andrew Zawadowskiy, Boris Ruchansky, Mikhail Cherepov
  • Patent number: 7721281
    Abstract: A system detects an application attempting to invoke an administrative utility on a target application for installation of software. In response, the system identifies the administrative utility as an installer launcher. The system then detects the installer launcher invoking execution of the target application, and in response, identifies the target application as an installation application. The system allows classification of applications as installer launchers and installation applications and in response to detecting operation of such programs, enforces installation security profiles during their operations that apply varying levels of access to certain system resources that differ from a level of access normally applied during non-installation activities.
    Type: Grant
    Filed: July 1, 2005
    Date of Patent: May 18, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Mikhail Cherepov, Richard C. Gorton, Jr.
  • Patent number: 7716473
    Abstract: A computer-implemented system, method and apparatus for operating a reference monitor simulator is operable to recreate the operations performed by a reference monitor on a computer system. In one configuration, the system defines at least one security rule specifying whether to allow or deny a request to access at least one resource under a given set of circumstances and supplies at least one request to access a resource. The system further applies the at least one security rule in response to the at least one request to access a resource to determine whether to allow or prevent the at least one request.
    Type: Grant
    Filed: April 9, 2004
    Date of Patent: May 11, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Jeffrey A. Kraemer, Philip J. S. Gladstone, Alan J. Kirby, Mikhail Cherepov
  • Patent number: 7707620
    Abstract: A method and apparatus for securing executables and processes having setuid/gid permissions and privileges is presented. A mechanism is provided to track and control operations for files and processes having setuid/gid privileges. A policy rule is defined for controlling the operations on the files and processes. The policy rule is then used to control operations involving the files and processes.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: April 27, 2010
    Assignee: Cisco Technology, Inc.
    Inventor: Mikhail Cherepov
  • Patent number: 7644271
    Abstract: A method and computer program product for providing enforcement of security policies for kernel module loading is presented. File paths for shared library executable files opened by user processes are cached. When a request to load a kernel loadable module (KLM) is received, a previously cached file path for said KLM is retrieved, said file path mapping a location of an executable file from which said KLM was produced. A security policy is applied to said file path, wherein when said file path triggers a security policy rule then an action associated with a triggered rule is taken, and wherein when said file path does not trigger a security policy rule then said KLM request is allowed to proceed.
    Type: Grant
    Filed: November 7, 2005
    Date of Patent: January 5, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Mikhail Cherepov, Yan Chen
  • Publication number: 20060253909
    Abstract: A method and apparatus for securing executables and processes having setuid/gid permissions and privileges is presented. A mechanism is provided to track and control operations for files and processes having setuid/gid privileges. A policy rule is defined for controlling the operations on the files and processes. The policy rule is then used to control operations involving the files and processes.
    Type: Application
    Filed: May 6, 2005
    Publication date: November 9, 2006
    Inventor: Mikhail Cherepov