Abstract: In example embodiments, systems and methods extract a model of a computer application during load time and store the model in memory. Embodiments may insert instructions into the computer application at run time to collect runtime state of the application, and analyze the collected data against the stored model to perform detection of security events. Embodiments may also instrument an exception handler to detect the security events based on unhandled memory access violations. Embodiments may, based upon the detection of the security events, dynamically respond, such as by modify a computer routine associated with an active process of the computer application. Modification may include installing or verifying an individual patch in memory associated with the computer application.

Abstract: In an example embodiment, a system analyzes a set of computer routines. The system may perform an analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set. Based upon the analysis, the system may identify one or more computer routines of the set having the likelihood of vulnerability. The system may asynchronously and dynamically manipulate at least one of the one or more computer routines through a testing technique. The system may determine unexpected behavior of at least one of the one or more computer routines.

Abstract: In an example embodiment, a system analyzes a set of computer routines. The system may perform an analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set. Based upon the analysis, the system may identify one or more computer routines of the set having the likelihood of vulnerability. The system may asynchronously and dynamically manipulate at least one of the one or more computer routines through a testing technique. The system may determine unexpected behavior of at least one of the one or more computer routines.

Abstract: In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime.

Abstract: In an example embodiment, a system detects unauthorized database queries made by a maliciously formed web request. The system captures a web request for a web application and one or more database queries triggered in response to the web request during runtime. If the captured web request matches a valid web request in a table of valid web requests for the web application, the system checks if each captured database query matches a valid database query mapped to the valid web request in the table. The system may declare an injection attack if at least one captured database query does not match a valid database query mapped to the valid web request, or may perform additional validation of the captured request and the at least one captured database query prior to declaring the attack. The system may form the table of valid web requests using a dynamic simulation process, using static code analysis, or a combination of both.

Abstract: Example systems generate a dataset for tuning an analyzer to probe activities related to a web facing application. The systems capture data streams received at a framework of the application. The systems also capture a first set of functions, a second set of functions, and database queries triggered by the framework processing the data streams. The systems match: (i) the first set of functions to packets of the data streams and (ii) the second set of functions to the database queries. For example, the systems may pattern match: (i) data in parameters of the first set of functions to data in fields of the packets and (ii) data in parameters of the second set of functions to data in expressions of the database queries. The systems extract matched functions and database queries into the dataset and probe activities of the application based on the dataset to detect security attacks.

Abstract: In an example embodiment, a system analyzes a set of computer routines. The system may perform an analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set. Based upon the analysis, the system may identify one or more computer routines of the set having the likelihood of vulnerability. The system may asynchronously and dynamically manipulate at least one of the one or more computer routines through a testing technique. The system may determine unexpected behavior of at least one of the one or more computer routines.

Abstract: In example embodiments, systems and methods extract a model of a computer application during load time and store the model in memory. Embodiments may insert instructions into the computer application at nm time to collect runtime state of the application, and analyze the collected data against the stored model to perform detection of security events. Embodiments may also instrument an exception handler to detect the security events based on unhandled memory access violations. Embodiments may, based upon the detection of the security events, dynamically respond, such as by modify a computer routine associated with an active process of the computer application. Modification may include installing or verifying an individual patch in memory associated with the computer application.

Abstract: In an example embodiment, a system may facilitate a root cause analysis associated with one or more computer applications. The system may receive a global time reference at the one or more computer applications. Each computer application may have a corresponding local time reference. Each computer application may synchronize its local time reference with the global time reference. The system may monitor at least one computer instructions of the computer applications with respect to the corresponding local time reference. The system may retrieve information associated with the at least one computer instruction. The system may forward at least a portion of the retrieved computer instruction information to a validation engine. The system may facilitate the root cause analysis using the at least a portion of the retrieved computer instruction information.

Abstract: One example method and correspond apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.

Abstract: In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime.

Abstract: In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime.

Abstract: In an example embodiment, systems and methods generate a dataset for tuning an analyzer to probe activities related to a particular web facing application. The systems and methods capture data streams received at a framework of a web facing application. The systems and methods further capture a first set of functions, a second set of functions, and database queries triggered by the framework processing the data streams. The systems and methods match the first set of functions to data packets of the data streams and match the second set of functions to the database queries. In some embodiments, matching the first set of functions includes pattern matching data in parameters of the first set of functions to data in fields of the data packets and matching data in parameters of the second set of functions to data in expressions of the database queries.

Abstract: In an example embodiment, a system analyzes a set of computer routines. The system may perform an analysis including a determination of a likelihood of vulnerability to unexpected behavior for one or more computer routines of the set. Based upon the analysis, the system may identify one or more computer routines of the set having the likelihood of vulnerability. The system may asynchronously and dynamically manipulate at least one of the one or more computer routines through a testing technique. The system may determine unexpected behavior of at least one of the one or more computer routines.

Abstract: In an example embodiment, a system may facilitate a root cause analysis associated with one or more computer applications. The system may receive a global time reference at the one or more computer applications. Each computer application may have a corresponding local time reference. Each computer application may synchronize its local time reference with the global time reference. The system may monitor at least one computer instructions of the computer applications with respect to the corresponding local time reference. The system may retrieve information associated with the at least one computer instruction. The system may forward at least a portion of the retrieved computer instruction information to a validation engine. The system may facilitate the root cause analysis using the at least a portion of the retrieved computer instruction information.

Abstract: In an example embodiment, a system detects unauthorized database queries made by a maliciously formed web request. The system captures a web request for a web application and one or more database queries triggered in response to the web request during runtime. If the captured web request matches a valid web request in a table of valid web requests for the web application, the system checks if each captured database query matches a valid database query mapped to the valid web request in the table. The system may declare an injection attack if at least one captured database query does not match a valid database query mapped to the valid web request, or may perform additional validation of the captured request and the at least one captured database query prior to declaring the attack. The system may form the table of valid web requests using a dynamic simulation process, using static code analysis, or a combination of both.

Abstract: In an example embodiment, a system determines a set of instructions from the available instructions for a computer application. The determined set of instructions provides specific functionality of the computer application. The system may determine the set of instructions by performing functional testing and negative testing on the specific functionality. The system may reorganize and randomize the set of instructions in memory and write the reorganized set of instructions to a smaller memory space. For each available instruction not in the set of instructions, the system changes the respective instruction to inoperative to prevent execution of the respective instruction. The system may change the respective instruction to inoperative by overwriting the instruction with a NOP instruction. The system then captures a memory address of the computer application being accessed at runtime.

Abstract: One example method and correspond apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.