Abstract: Systems and methods are provided for resolving Internet Protocol (IP) address conflicts using agents in the zero configuration network. Agent's originate at respective nodes on the zero configuration network. Each agent and each node logs a localized shared memory table (SMT) providing identifying information pertaining to other nodes on the network. When a sending node transmits an SMT to one or more target nodes on the network, it is analyzed by the target node to ascertain whether a localized IP address conflict exists involving the target node and a remote node. If it is deemed appropriate to resolve the conflict, the target node resolves the conflict by selecting a new IP address for itself.

Abstract: Various embodiments are provided relating to security of a computer, namely, a security software product, a computer-readable medium, a computerized method, and a computer security system. Illustrative is one embodiment of a security software product for use on a host computer to monitor for, and respond to, activity corresponding to a rootkit exploitation which renders the host computer's operating system insecure. The security software product comprises computer readable media having a suite of interfaced software components, such as loadable kernel modules. An exploitation detection component detects the activity corresponding to the rootkit exploitation. A forensics data collection component collects forensics data characteristic of the rootkit exploitation so that it may be transferred to a removable storage device. An OS restoration component restores the operating system to a secure condition in response to detection of the exploit.

Abstract: A system, computerized method and computer-readable medium are provided for the detection of an operating system exploitation, such as a rootkit install. The operating system is monitored to ascertain an occurrence of anomalous activity resulting from operating system behavior which deviates from any one of a set of pre-determined operating system parameters. Each parameter corresponds to a dynamic characteristic associated with an unexploited operating system. Output can then be generated to indicate any anomalous activity that is ascertained. The computer-readable medium may comprise a loadable kernel module for detecting hidden patches, processes, files or other kernel modules.

Abstract: A computerized method for collecting suspected data of interest from a computer comprises searching the computer's shot-term memory to locate at least one target memory range containing the suspected data of interest, and copying the suspected data of interest within the target memory range to an alternate data storage location in a manner which avoids writing the suspected data to the computer's long-term memory. Alternatively, the suspected data of interest can be copied to a previously unused data storage location while preserving integrity of non-volatile memory resources. A computer-readable medium and a system for collecting target forensics data are also provided.

Abstract: Methods, systems and computer-readable media are provided for recovery from an operating system (OS) exploit so that the OS can be returned to a pre-exploit condition. Recovery involves restoration of each system call table modification which has been identified, the termination of each hidden process which has been identified, and the removal from the OS of each hidden file which has been identified.