Abstract: Event-triggered forensics capture technologies balance security incident data availability against data processing and storage costs. A forensic correlation engine receives basic status data of a monitored computing system. A forensic computing system detects a trigger event in the basic status data, and starts capturing extended status data per a corresponding capture specification. Captured data is submitted to a forensic analysis tool. Different trigger events may cause different data captures. A query specifying which data to capture from a live stream or from virtual machines may operate as a capture trigger start event. Extended status data capture activity may be stopped by a change in the basic status data being received, by a timeout, or by forensic analysis that finds no vulnerability or threat based on captured data. Data transfers and storage may be restricted to comply with privacy regulations or policies.

Abstract: Disclosed herein is a system for facilitating fast and intuitive investigations of security incidents by responding to physical gestures performed by security analysts within a virtual scene. A query triggers an alert for detecting security incidents that occur with respect to computing resources. Following the alert, the security analyst dons a Near-Eye-Display (NED) device and is presented with a virtual scene having control elements representing various data sets and/or data analysis operations relevant to a security incident. The security analyst investigates the security incident by performing hand motions to “grab-and-drag” control elements representing data sets. The security analyst may also perform hand motions to “tap on” control elements that represents a data analysis operation. Responsive to the hand motions, the system performs data analysis operations and displays a result within the virtual scene.

Abstract: Disclosed herein is a system for facilitating fast and intuitive investigations of security incidents by responding to physical gestures performed by security analysts within a virtual scene. A query triggers an alert for detecting security incidents that occur with respect to computing resources. Following the alert, the security analyst dons a Near-Eye-Display (NED) device and is presented with a virtual scene having control elements representing various data sets and/or data analysis operations relevant to a security incident. The security analyst investigates the security incident by performing hand motions to “grab-and-drag” control elements representing data sets. The security analyst may also perform hand motions to “tap on” control elements that represents a data analysis operation. Responsive to the hand motions, the system performs data analysis operations and displays a result within the virtual scene.

Abstract: A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

Abstract: A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.

Abstract: Security risks associated with scanning a computer are at least mitigated by performing the scanning off node. State data of a target node, or computer, can be acquired in various ways. The acquired state data can be subsequently employed to generate a virtual replica of the target computer or portion thereof on a second computer isolated from the target computer. The virtual replica of the target computer provides a scanner access to the data needed to perform a scan on the second computer without accessing or being able to impact the target computer.

Abstract: A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.

Abstract: A process to detect intrusions with an intrusion detection system is disclosed. The intrusion detection system identifies instance types, and each instance type includes an instance. A know compromised instance is identified from the plurality of instances. A link between the plurality instance types is traversed from the compromised instance to discover an additional compromised instance.

Abstract: Security risks associated with scanning a computer are at least mitigated by performing the scanning off node. State data of a target node, or computer, can be acquired in various ways. The acquired state data can be subsequently employed to generate a virtual replica of the target computer or portion thereof on a second computer isolated from the target computer. The virtual replica of the target computer provides a scanner access to the data needed to perform a scan on the second computer without accessing or being able to impact the target computer.

Abstract: Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance the specified function, the computer system initiates performance of the specified function.

Abstract: Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance the specified function, the computer system initiates performance of the specified function.

Abstract: Embodiments are directed to establishing a secure connection between computing systems and to providing computer system virtualization on a secure computing device. In one scenario, a computer system receives a request that at least one specified function be initiated. The request includes user credentials and a device claim that identifies the computing device. The computer system authenticates the user using the received user credentials and determines, based on the device claim, that the computing device is an approved computing device that has been approved to initiate performance of the specified function. Then, upon determining that the user has been authenticated and that the computing device is approved to initiate performance the specified function, the computer system initiates performance of the specified function.

Abstract: Described is a technology in which a set of objects represent educational entities of an educational model, with relationships between objects. For example, a course object instance may have a relationship with a task instance and a user instance (such as representing a student). Other objects may include user credentials objects, group objects, degree program objects, course plan objects, institution objects, school objects, and/or department objects. The set of objects may be pre-defined and maintained in a persistent storage; this pre-defined set may be extended with an extended object that has relationships with pre-defined objects. The educational entities of an object model may be maintained in rows of a table, with each row having a field that identifies which entity is represented by that row. The table is accessed to determine relationships between an instantiated object for an entity and at least one other instantiated object for another entity.

Abstract: The educational adaptive provider architecture described herein provides a way for an educational services framework to be built on varying underlying existing technologies without any changes in the object model and services. The provider framework supports the ability to have multiple types of providers for various services, such as, for example, for authorization, authentication, communication, grouping, scoring, social-networking, storage and user functions. The educational adaptive provider architecture provides easy integration of existing institutional and educational service deployments.

Abstract: The educational adaptive provider architecture described herein provides a way for an educational services framework to be built on varying underlying existing technologies without any changes in the object model and services. The provider framework supports the ability to have multiple types of providers for various services, such as, for example, for authorization, authentication, communication, grouping, scoring, social-networking, storage and user functions. The educational adaptive provider architecture provides easy integration of existing institutional and educational service deployments.

Abstract: Described is a technology in which a set of objects represent educational entities of an educational model, with relationships between objects. For example, a course object instance may have a relationship with a task instance and a user instance (such as representing a student). Other objects may include user credentials objects, group objects, degree program objects, course plan objects, institution objects, school objects, and/or department objects. The set of objects may be pre-defined and maintained in a persistent storage; this pre-defined set may be extended with an extended object that has relationships with pre-defined objects. The educational entities of an object model may be maintained in rows of a table, with each row having a field that identifies which entity is represented by that row. The table is accessed to determine relationships between an instantiated object for an entity and at least one other instantiated object for another entity.

Abstract: Described is a technology in which an educational service provides contracts (an interface set) for calling functions that allow management of educational-related data. The interface set may be divided as interfaces to various services; roles associated with users of the educational service determine which interfaces/functions each user can call. The interfaces may include interfaces for calling course-related functions (e.g., of a course service), profile-related functions (e.g., of a profile service), membership-related functions (e.g., of a membership service) and task-related functions (e.g., of a task service).