Abstract: Techniques are described for an IT and security operations application to automatically generate aggregate (or “bulk,” “group,” or “composite”) notable events by identifying notable events sharing common characteristics and aggregating the related notable events into a single aggregate notable event entity that can be displayed and operated upon. The IT and security operations application identifies related notable events based on notable events generated by a common correlation search, notable events having common event attributes, based on user-specified relatedness criteria, or other such criteria. Once identified, in some embodiments, the IT and security operations application displays, in notable event lists and other interfaces, a singular aggregate notable event to users representing each of the identified related notable events.

Abstract: The disclosed computer-implemented method for providing an integrated cyber threat defense exchange platform may include (i) receiving unnormalized security data from a plurality of disparate security data sources that generate security data in differing formats, (ii) normalizing, using a security data schema, the unnormalized security data into normalized security data, (iii) identifying a security action that is responsive to at least one security event identified within the normalized security data, and (iv) coordinating performance of the security action within a plurality of networked computing devices. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for generating a virtual private container (VPC) are disclosed. In one embodiment, the techniques may be realized as a virtual container defining a self-contained software environment, comprising one or more analytic components configured to carry out specified analytic functions on data within the container, wherein the one or more analytic components are isolated to run within the self-contained software environment of the container; an interface configured to identify and authenticate a particular user and provide analysis results generated by the one or more analytic components; and a gateway configured to receive data from one or more secure data sources external to the virtual container and associated with the particular user for use by the one or more analytic components.

Abstract: Techniques for providing data in dynamic account and device management are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for providing data in dynamic account and device management. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify a user device to be managed. The one or more processors may be configured to transmit a request for delegate authority to manage the user device. The one or more processors may be configured to receive delegate authority to manage the user device. The one or more processors may be configured to provide network access to the user device. The one or more processors may also be configured to manage the user device and monitor data communicated to and from the user device.

Abstract: Techniques for generating a virtual private container (VPC) are disclosed. In one embodiment, the techniques may be realized as a virtual container defining a self-contained software environment, comprising one or more analytic components configured to carry out specified analytic functions on data within the container, wherein the one or more analytic components are isolated to run within the self-contained software environment of the container; an interface configured to identify and authenticate a particular user and provide analysis results generated by the one or more analytic components; and a gateway configured to receive data from one or more secure data sources external to the virtual container and associated with the particular user for use by the one or more analytic components.

Abstract: A computer-implemented method for verifying user identities may include (1) identifying a request to ascertain whether a user account corresponds to a physical person, and, in response to the request, (2) identifying a password vault configured to store login information for at least one third-party Internet site for the user account, the third-party Internet site requiring a physical validation factor to log in to the third-party Internet site, (3) determining, based at least in part on the login information for the third-party Internet site, that the user account corresponds to the physical person, and (4) responding to the request with an indicator that the user account corresponds to the physical person. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for providing data in dynamic account and device management are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for providing data in dynamic account and device management. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify a user device to be managed. The one or more processors may be configured to transmit a request for delegate authority to manage the user device. The one or more processors may be configured to receive delegate authority to manage the user device. The one or more processors may be configured to provide network access to the user device. The one or more processors may also be configured to manage the user device and monitor data communicated to and from the user device.

Abstract: A computer-implemented method for providing access to data accounts within user profiles via cloud-based storage services may include (1) identifying a user profile associated with a user of a cloud-based storage service, (2) identifying a plurality of data accounts within the user profile associated with the user of the cloud-based storage service, (3) detecting a request from a client-based application associated with the user of the cloud-based storage service to access at least a portion of data stored in a data account within the user profile, (4) locating a unique account name that identifies the data account in the request, and then (5) satisfying the request from the client-based application associated with the user to access the portion of data stored in the data account via the cloud-based storage service. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method and apparatus for mitigating the performance impact of background or idle time processing during interactive computing sessions. One embodiment of the present invention is a method for mitigating performance impact of background or idle time processing on interactive applications comprising identifying executable and data pages in physical memory that are associated with an interactive application that is temporarily unused and preventing any of the identified executable and data pages from paging out.

Abstract: Certificate information associated with a received certificate, such as a Secure Sockets Layer (SSL) certificate is stored in a trusted local cache and/or in one or more remote trusted sources, such as a single remote trusted source and/or a trusted peer network. When a site certificate is received on a host computer system, certificate information associated with the received site certificate is obtained and compared with the stored certificate information to determine whether or not the site certificate indicates malicious activity, such as a malicious DNS redirection or a fraudulent local certificate. When a site certificate is not found indicative of malicious activity, the site certificate is released. Alternatively, when a site certificates is found indicative of malicious activity protective action is taken. In some embodiments, a user's log-in credentials are automatically obtained from a trusted local cache and automatically submitted to a web site.

Abstract: A method and apparatus for mitigating the performance impact of background or idle time processing during interactive computing sessions. One embodiment of the present invention is a method for mitigating performance impact of background or idle time processing on interactive applications comprising identifying executable and data pages in physical memory that are associated with an interactive application that is temporarily unused and preventing any of the identified executable and data pages from paging out.

Abstract: The disclosure is directed to systems, apparatus, and methods for online purchasing. In one example, a system includes a web server that presents purchase options and receives user input. The system may also include an application server that attempts to authenticate users to existing accounts using an account identifier, such as a user ID or email address. If a user does not provide an identifier corresponding to an existing account, the application server may create a new account. If the user provides an identifier corresponding to an existing account, but does not provide a valid password, the application server may create a provisional account. The application server may also associate purchases with the user's account and provide access to the purchased product. Purchases associated with a provisional account may be resolved with an existing or newly-created permanent account when additional user information is received, such when the product is registered.

Abstract: A method includes creating a first virtual machine comprising a remote file system. The method further includes causing all input/output from a second virtual machine to be redirected to the remote file system, the first virtual machine and the second virtual machine being on a single physical computer. The file system is securely protected from any malicious code executing on the second virtual machine by the hardware enforced partitioning between the first virtual machine and the second virtual machine.

Abstract: Events are preprocessed and rulesets are horizontally partitioning among rule computer systems. This allows the event analysis to be horizontally partitioned onto different rule computer systems. Thus, event correlation across large, high-speed networks is readily performed. Further, by increasing or decreasing the granularization of the horizontally partitioning of the rulesets, the event correlation is readily scalable.

Abstract: A method includes running a set of policies simultaneously using two levels of optimizations. After selecting the policies to be run, the number of technical controls performed is minimized by coalescing (unioning) the technical controls of the policies in the first level of optimization. Further, the number of queries performed is minimized by coalescing (unioning) the queries of the technical controls in the second level of optimization. The technical controls and queries performed are determined by the set of polices that are to be run, in a policy driven manner.

Abstract: Information, e.g., a source address, in packets on a network is processed by a geo-location detector The geo-location detector generates a related location identifier, which, for example, is inclusive of one or more source addresses, known or unknown. The location identifier serves as a less precise indicator than the exact location of the system associated with the particular source address of interest, but a more accurate location indicator than was previously available. One of the addresses in a set of source addresses represented by the location identifier is the source address of interest. Although other source addresses represented by the location identifier may not be attacker sources, the location identifier is an identity that can be used as a variable for correlation, trend analysis, or search keys in accessing a network security threat.

Abstract: Certificate information associated with a received certificate, such as a Secure Sockets Layer (SSL) certificate is stored in a trusted local cache and/or in one or more remote trusted sources, such as a single remote trusted source and/or a trusted peer network. When a site certificate is received on a host computer system, certificate information associated with the received site certificate is obtained and compared with the stored certificate information to determine whether or not the site certificate indicates malicious activity, such as a malicious DNS redirection or a fraudulent local certificate. When a site certificate is not found indicative of malicious activity, the site certificate is released. Alternatively, when a site certificates is found indicative of malicious activity protective action is taken. In some embodiments, a user's log-in credentials are automatically obtained from a trusted local cache and automatically submitted to a web site.

Abstract: Packets on a computer network are low pass filtered using a low and slow network reconnaissance detector to generate a spectrum of packets that are anomalous, i.e., are not commonly occurring IP packet traffic on the computer network. The low and slow network reconnaissance detector includes a low-frequency low-amplitude attenuation function module that adjusts an interest level for a particular network event based upon a number of occurrences. The low and slow network reconnaissance detector also includes an update detector output with system compensation function module. The system compensation function is a time dependent function that adjusts the interest level from the low-frequency low-amplitude attenuation function module to compensate for bursts of activity separated by periods of time. To facilitate the use of both modules, a non-uniformly sampled discrete network event time series for the network event is converted into a uniformly sampled network event time series.