Abstract: Mechanisms for defending a computing system from attack are provided. The mechanisms include: maintaining a round counter that tracks a round number for a local host; determining a location in a graph for each of a plurality of hosts including the local host; determining monitor hosts of the plurality of hosts that are monitoring the local host; determining monitoree hosts of the plurality of hosts that are being monitored by the local host; sending a message to each of the monitor hosts identifying a value of the round counter; forwarding a first set of heartbeat messages from previous monitoree hosts to the monitor hosts; attempting to receive messages from the monitoree hosts; determining whether any messages were not received from the monitoree hosts; and in response to determining that one or more messages were not received from the monitoree hosts, generating an alert.

Abstract: Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes determining whether an operation to access a memory location containing executable code comprises a general-purpose memory access operation, and changing content of the memory location in response to a determination that the operation to access the memory location containing the executable code comprises the general-purpose memory access operation to the memory location.

Abstract: Mechanisms for defending a computing system from attack are provided. The mechanisms include: maintaining a round counter that tracks a round number for a local host; determining a location in a graph for each of a plurality of hosts including the local host; determining monitor hosts of the plurality of hosts that are monitoring the local host; determining monitoree hosts of the plurality of hosts that are being monitored by the local host; sending a message to each of the monitor hosts identifying a value of the round counter; forwarding a first set of heartbeat messages from previous monitoree hosts to the monitor hosts; attempting to receive messages from the monitoree hosts; determining whether any messages were not received from the monitoree hosts; and in response to determining that one or more messages were not received from the monitoree hosts, generating an alert.

Abstract: Mechanisms for defending a computing system from attack, comprising: maintaining a round counter that tracks a round number for a local host; determining a location in a graph for each of a plurality of hosts including the local host; determining monitor hosts of the plurality of hosts that are monitoring the local host; determining monitoree hosts of the plurality of hosts that are being monitored by the local host; sending a message to each of the monitor hosts identifying a value of the round counter; forwarding a first set of heartbeat messages from previous monitoree hosts to the monitor hosts; attempting to receive messages from the monitoree hosts; determining whether any messages were not received from the monitoree hosts; and in response to determining that one or more messages were not received from the monitoree hosts, generating an alert.

Abstract: Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes determining whether an operation to access a memory location containing executable code comprises a general-purpose memory access operation, and changing content of the memory location in response to a determination that the operation to access the memory location containing the executable code comprises the general-purpose memory access operation to the memory location.

Abstract: Mechanisms for defending a computing system from attack are presented. The mechanisms include: maintaining a round counter that tracks a round number for a local host; determining a location in a graph for each of a plurality of hosts including the local host; determining monitor hosts of the plurality of hosts that are monitoring the local host; determining monitoree hosts of the plurality of hosts that are being monitored by the local host; sending a message to each of the monitor hosts identifying a value of the round counter; forwarding a first set of heartbeat messages from previous monitoree hosts to the monitor hosts; attempting to receive messages from the monitoree hosts; determining whether any messages were not received from the monitoree hosts; and in response to determining that one or more messages were not received from the monitoree hosts, generating an alert.

Abstract: Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes determining whether an operation to access a memory location containing executable code comprises a general-purpose memory access operation, and changing content of the memory location in response to a determination that the operation to access the memory location containing the executable code comprises the general-purpose memory access operation to the memory location.

Abstract: Mechanisms for defending a computing system from attack, comprising: maintaining a round counter that tracks a round number for a local host; determining a location in a graph for each of a plurality of hosts including the local host; determining monitor hosts of the plurality of hosts that are monitoring the local host; determining monitoree hosts of the plurality of hosts that are being monitored by the local host; sending a message to each of the monitor hosts identifying a value of the round counter; forwarding a first set of heartbeat messages from previous monitoree hosts to the monitor hosts; attempting to receive messages from the monitoree hosts; determining whether any messages were not received from the monitoree hosts; and in response to determining that one or more messages were not received from the monitoree hosts, generating an alert.

Abstract: Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with pre-recorded hardware performance data representative of the first process' normal behavior, and determining whether a malicious process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the pre-recorded hardware performance data representative of the normal behavior of the first process.

Abstract: Disclosed are devices, systems, apparatus, methods, products, and other implementations, including a method that includes determining whether an operation to access a memory location containing executable code comprises a general-purpose memory access operation, and changing content of the memory location in response to a determination that the operation to access the memory location containing the executable code comprises the general-purpose memory access operation to the memory location.

Abstract: Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with pre-recorded hardware performance data representative of the first process' normal behavior, and determining whether a malicious process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the pre-recorded hardware performance data representative of the normal behavior of the first process.

Abstract: Disclosed are devices, systems, apparatus, methods, products, media and other implementations, including a method that includes obtaining current hardware performance data, including hardware performance counter data, for a hardware device executing a first process associated with pre-recorded hardware performance data representative of the first process' normal behavior, and determining whether a malicious process is affecting performance of the first process based on a determination of an extent of deviation of the obtained current hardware performance data corresponding to the first process from the pre-recorded hardware performance data representative of the normal behavior of the first process.

Abstract: A system and methods for detecting intrusions in the operation of a computer system comprises a sensor configured to gather information regarding the operation of the computer system, to format the information in a data record having a predetermined format, and to transmit the data in the predetermined data format. A data warehouse is configured to receive the data record from the sensor in the predetermined data format and to store the data in a SQL database. A detection model generator is configured to request data records from the data warehouse in the predetermined data format, to generate an intrusion detection model based on said data records, and to transmit the intrusion detection model to the data warehouse according to the predetermined data format. A detector is configured to receive a data record in the predetermined data format from the sensor and to classify the data record in real-time as one of normal operation and an attack based on said intrusion detection model.

Abstract: Systems and methods are presented for content extraction from markup language text. The content extraction process may parse markup language text into a hierarchical data model and then apply one or more filters. Output filters may be used to make the process more versatile. The operation of the content extraction process and the one or more filters may be controlled by one or more settings set by a user, or automatically by a classifier. The classifier may automatically enter settings by classifying markup language text and entering settings based on this classification. Automatic classification may be performed by clustering unclassified markup language texts with previously classified markup language texts.

Abstract: E-commerce which secures private and personal information of purchaser/users. E-commerce which may include delivery of a good ordered or purchased over a network (e.g., the Internet) to a purchaser/user, and/or arranging for electronic payment of the good is accomplished while securing private and personal information of purchaser/users, which may include the user's identity and address (and those of the user's computer), and financial information. E-commerce transactions include the purchasing or otherwise ordering of goods electronically by user, who may be a consumer or retail customer, and for delivery of goods to a shipping or electronic address designated by the user or to a physical or virtual depot for pick-up by the user, while providing complete anonymity of the user with respect to an electronic vendor, who may be a merchant or retailer.

Abstract: A method and system for private shipping to anonymous users purchasing goods on a computer or communications network linking users with merchant web-sites for electronic commerce. In a preferred embodiment, a user is issued a proxy identity and the user's mailing address is received and encrypted. The proxy identity and encrypted mailing address are transmitted to a merchant, and decryption information is provided to a shipper. Upon receipt of the encrypted shipping address from the merchant, the shipper can use the decryption information to decrypt the address and generate a package label bearing the true shipping address of the user so that the merchant is prevented from electronically capturing the true identity of the user. The present invention provides for anonymity of a user when browsing and shopping, and integrates easily and simply with existing online infrastructures of banks or credit card issuers, and delivery companies.

Abstract: A method, apparatus, and medium are provided for identifying files. Files are received from various sources, and a statistical distribution is generated for data contained in each file. The statistical distribution is compared to model distributions that are representative of known files or file types. Based on the comparison, file types can be verified or detected. Known file types can also be used to generate representative statistical distributions for the type. The invention can also detect malicious programs such as viruses or worms, and generate signatures that can be used to filter such programs.

Abstract: A method, apparatus and medium are provided for detecting anomalous payloads transmitted through a network. The system receives payloads within the network and determines a length for data contained in each payload. A statistical distribution is generated for data contained in each payload received within the network, and compared to a selected model distribution representative of normal payloads transmitted through the network. The model payload can be selected such that it has a predetermined length range that encompasses the length for data contained in the received payload. Anomalous payloads are then identified based on differences detected between the statistical distribution of received payloads and the model distribution. The system can also provide for automatic training and incremental updating of models.

Abstract: A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.

Abstract: Systems and methods for correlating and distributing intrusion alert information among collaborating computer systems are provided. These systems and methods provide an alert correlator and an alert distributor that enable early signs of an attack to be detected and rapidly disseminated to collaborating systems. The alert correlator utilizes data structures to correlate alert detections and provide a mechanism through which threat information can be revealed to other collaborating systems. The alert distributor uses an efficient technique to group collaborating systems and then pass data between certain members of those groups according to a schedule. In this way data can be routinely distributed without generating excess traffic loads.