Abstract: A method of generating a behavioral model of a computer system. A processor partitions a system log of process events into a plurality of strands sharing common characteristics. The processor selects attributes from the strands and generates first distinct n-grams that include attributes from successive events within a strand. The processor generates a first plurality of n-gram groups, each including a plurality of the first distinct n-grams in which a first one of the plurality of first distinct n-grams coexists in a strand also containing a second one of the plurality of first distinct n-grams. The processor generates a first plurality of n-gram group arrangements, each containing a plurality of n-gram groups, and each of the n-gram groups included, in combination, in at least one strand, and the behavioral model containing the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements.

Abstract: A malware detection method for detecting client participation in malware activity, in respect of a target subjected to a given attack by a client system, which is operable to run a given host application is disclosed a given security service provider is configured, which is operably coupled to the client system, to make accessible given attack information that is reported by a given attack target. An attack status query is transmitted to the security service provider from an agent that is operably coupled to the client system. In response to receiving the attack status query, the security service provider is configured to send attack information reported in respect of a given attack target to the agent, and configuring the agent to diagnose whether its corresponding client system potentially comprises an attack source of the given attack subjected on the attack target, on a basis of the received attack information.

Abstract: Embodiments of the present invention include determining whether a cryptographic certificate can be trusted. A cryptographic certificate is received at a client device. The client device performs a first check on a first set of attributes of the cryptographic certificate. In addition, the client device sends the cryptographic certificate to a central verification server, which performs a second check on a second set of attributes of the cryptographic certificate. In the case that the first set of attributes passes the first check, and the second set of attributes passes the second check, the client device determines that the cryptographic certificate can be trusted.

Abstract: Embodiments of the present invention provide systems and methods for self-certification by a developer that the software components used during development are used in a secure manner, through the use of annotations. Input and return conditions are defined in an annotation for the software components of a system. The input and return conditions are compared for a match and a warning is generated when the input and return conditions do not match.

Abstract: Embodiments of the present invention provide systems and methods for self-certification by a developer that the software components used during development are used in a secure manner, through the use of annotations. Input and return conditions are defined in an annotation for the software components of a system. The input and return conditions are compared for a match and a warning is generated when the input and return conditions do not match.

Abstract: A method and associated systems for isolating a source of an attack that originates from a shared computing environment. A computer-security system tags outgoing packets originating from within the shared computing environment in a tamper-proof manner in order to identify which tenant of the shared environment is the true source of each packet. If one of those tenants transmits malicious packets to an external recipient, either because the tenant has malicious intent or becomes infected with malware, the transmitted malicious packets' tags allow the recipient to determine which tenant is the source of the unwanted transmissions. The recipient may then block further communications from the problematic tenant without blocking communications from other tenants of the shared environment.

Abstract: Embodiments of the present invention include determining whether a cryptographic certificate can be trusted. A cryptographic certificate is received at a client device. The client device performs a first check on a first set of attributes of the cryptographic certificate. In addition, the client device sends the cryptographic certificate to a central verification server, which performs a second check on a second set of attributes of the cryptographic certificate. In the case that the first set of attributes passes the first check, and the second set of attributes passes the second check, the client device determines that the cryptographic certificate can be trusted.

Abstract: A method of generating a behavioral model of a computer system. A processor partitions a system log of process events into a plurality of strands sharing common characteristics. The processor selects attributes from the strands and generates first distinct n-grams that include attributes from successive events within a strand. The processor generates a first plurality of n-gram groups, each including a plurality of the first distinct n-grams in which a first one of the plurality of first distinct n-grams coexists in a strand also containing a second one of the plurality of first distinct n-grams. The processor generates a first plurality of n-gram group arrangements, each containing a plurality of n-gram groups, and each of the n-gram groups included, in combination, in at least one strand, and the behavioral model containing the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements.

Abstract: Embodiments of the present invention include determining whether a cryptographic certificate can be trusted. A cryptographic certificate is received at a client device. The client device performs a first check on a first set of attributes of the cryptographic certificate. In addition, the client device sends the cryptographic certificate to a central verification server, which performs a second check on a second set of attributes of the cryptographic certificate. In the case that the first set of attributes passes the first check, and the second set of attributes passes the second check, the client device determines that the cryptographic certificate can be trusted.

Abstract: A method of generating a behavioral model of a computer system. A processor partitions a system log of process events into a plurality of strands sharing common characteristics. The processor selects attributes from the strands and generates first distinct n-grams that include attributes from successive events within a strand. The processor generates a first plurality of n-gram groups, each including a plurality of the first distinct n-grams in which a first one of the plurality of first distinct n-grams coexists in a strand also containing a second one of the plurality of first distinct n-grams. The processor generates a first plurality of n-gram group arrangements, each containing a plurality of n-gram groups, and each of the n-gram groups included, in combination, in at least one strand, and the behavioral model containing the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements.

Abstract: A method of generating a behavioral model of a computer system. A processor partitions a system log of process events into a plurality of strands sharing common characteristics. The processor selects attributes from the strands and generates first distinct n-grams that include attributes from successive events within a strand. The processor generates a first plurality of n-gram groups, each including a plurality of the first distinct n-grams in which a first one of the plurality of first distinct n-grams coexists in a strand also containing a second one of the plurality of first distinct n-grams. The processor generates a first plurality of n-gram group arrangements, each containing a plurality of n-gram groups, and each of the n-gram groups included, in combination, in at least one strand, and the behavioral model containing the first distinct n-grams, the first plurality of n-gram groups, and the first plurality of n-gram group arrangements.

Abstract: A malware detection method for detecting client participation in malware activity, in respect of a target subjected to a given attack by a client system, which is operable to run a given host application is disclosed a given security service provider is configured, which is operably coupled to the client system, to make accessible given attack information that is reported by a given attack target. An attack status query is transmitted to the security service provider from an agent that is operably coupled to the client system. In response to receiving the attack status query, the security service provider is configured to send attack information reported in respect of a given attack target to the agent, and configuring the agent to diagnose whether its corresponding client system potentially comprises an attack source of the given attack subjected on the attack target, on a basis of the received attack information.

Abstract: Runtime verification of software execution events against a behavioral model. For each event, it is verified whether there is a short range correlation of a sequence of the event and preceding event(s) with the behavioral model, and whether there is a long range correlation of a group of the sequences and of an arrangement of groups of the sequences with the behavioral model. After verifying each long range correlation, the arrangement of groups in the behavioral model event is substituted with an intersection of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model. If an event is not covered by a short range correlation or a long range correlation of a group or a long range correlation of an arrangement of groups, the event is indicated as anomalous.

Abstract: A method and associated systems for isolating a source of an attack that originates from a shared computing environment. A computer-security system tags outgoing packets originating from within the shared computing environment in a tamper-proof manner in order to identify which tenant of the shared environment is the true source of each packet. If one of those tenants transmits malicious packets to an external recipient, either because the tenant has malicious intent or becomes infected with malware, the transmitted malicious packets' tags allow the recipient to determine which tenant is the source of the unwanted transmissions. The recipient may then block further communications from the problematic tenant without blocking communications from other tenants of the shared environment.

Abstract: Runtime verification of software execution events against a behavioral model. For each event, it is verified whether there is a short range correlation of a sequence of the event and preceding event(s) with the behavioral model, and whether there is a long range correlation of a group of the sequences and of an arrangement of groups of the sequences with the behavioral model. After verifying each long range correlation, the arrangement of groups in the behavioral model event is substituted with an intersection of an arrangement of groups of the sequences with an arrangement of groups of the sequences in the behavioral model. If an event is not covered by a short range correlation or a long range correlation of a group or a long range correlation of an arrangement of groups, the event is indicated as anomalous.

Abstract: A technique to reassign one or more stored elements of web application client state information is provided in an HTTP-based client upon receipt of an HTTP redirect in response to a request-URI. One or more stored elements associated to the request-URI are saved in or in association with the client. Upon receipt of an HTTP 301 (permanent) redirect, the client automatically reassigns (re-associates) the one or more stored elements to the redirect domain when the redirect can be verified as authentic (e.g., to originate from the application to which the client is attempting to connect).

Abstract: A technique to reassign one or more stored elements of web application client state information is provided in an HTTP-based client upon receipt of an HTTP redirect in response to a request-URI. One or more stored elements associated to the request-URI are saved in or in association with the client. Upon receipt of an HTTP 301 (permanent) redirect, the client automatically reassigns (re-associates) the one or more stored elements to the redirect domain when the redirect can be verified as authentic (e.g., to originate from the application to which the client is attempting to connect).

Abstract: Providing a challenge response test associated with a computer resource includes generating a challenge response test image including providing a first substantially well-formed image, including a first masked image having a visible portion entirely composed of portions of a first well-formed image, and a first plurality of image elements; and providing at least one ill-formed image, each at least one ill-formed image including a second masked image having at least one first ill-formed portion.

Abstract: Embodiments of the present invention include determining whether a cryptographic certificate can be trusted. A cryptographic certificate is received at a client device. The client device performs a first check on a first set of attributes of the cryptographic certificate. In addition, the client device sends the cryptographic certificate to a central verification server, which performs a second check on a second set of attributes of the cryptographic certificate. In the case that the first set of attributes passes the first check, and the second set of attributes passes the second check, the client device determines that the cryptographic certificate can be trusted.

Abstract: Identifying correlations between events recorded in a computer system log, the recorded events are generated by a plurality of processes executing on the computer. A system log is partitioned into a plurality of segments, each segment associated with a characteristic found in an event, each segment including one or more events having a same characteristic value. A plurality of attributes of the events in a segment are selected. The attributes selected do not describe an action of the event. One or more distinct n-grams are generated, each distinct n-gram including the selected attributes from successive events within the segment. A distinct n-gram is distinct from all other generated n-grams. A correlation is identified for each first selected attribute of each successive event of an n-gram with all other second selected attributes from each successive event of the n-gram, and the correlations are recorded for each first selected attribute.