Abstract: A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The multi-stage static detection logic includes a controller, a de-constructor, and a post-processor. The controller is configured to receive content while the de-constructor configured to receive content from the controller and deconstruct the content using the analysis technique selected by the controller. The post-processor is configured to receive the de-constructed content from the de-constructor, determine whether a specimen within the de-constructed content is suspicious, and remove non-suspicious content from further analysis.

Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Information associated with the suspicious object and/or ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.

Abstract: A computerized technique wherein a received object is analyzed using a plurality of information sources to determine context information, wherein one information source comprises configuration information determined from a client device. One or more software profiles are generated based on the context information in order to provision one or more virtual machines of a dynamic analysis logic system. One or more work orders are generated based on the one or more software profiles. A priority order is assigned to the one or more software profiles. A dynamic analysis is scheduled based on the work orders and the assigned priority order to determine one or more susceptible software environments, and an alert is generated comprising information to update one or more susceptible environments in real time.

Abstract: A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The system is configured to identify obfuscated content, de-obfuscate obfuscated content, identify suspicious characteristics in the de-obfuscated content, execute a virtual machine to process the suspicious network content and detect malicious network content while removing from further analysis non-suspicious network content.

Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Both information associated with the suspicious object and ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic to customize functionality of the detection cloud for a specific customer.

Abstract: Herein described is a collection of traffic classifiers communicatively coupled to a classification aggregator. Traffic classifiers may use conventional techniques to classify network traffic by application name, and thereafter may construct mappings that are used to more efficiently classify future network traffic. Mappings may associate one or more characteristics of a communication flow with an application name. In a collaborative approach, these mappings are shared among the traffic classifiers by means of the classification aggregator so that one traffic classifier can leverage the intelligence (e.g., mappings) formulated by another traffic classifier.

Abstract: In an embodiment, a threat detection and prevention system comprises a network-traffic static analysis logic and a classification engine. The network-traffic static analysis logic is configured to conduct an analysis of a multi-flow object by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object is associated with a malicious attack such as being indicative of an exploit for example. The classification engine is configured to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is associated with a malicious attack.

Abstract: In an embodiment, a dynamic analysis engine is configured to receive an identifier associated with a source for network traffic including at least one object having at least a prescribed probability of being associated with an exploit. Deployed within a detection cloud, the dynamic analysis engine comprises one or more virtual machines and monitoring logic. The virtual machines are adapted to virtually process the identifier by establishing a communication session with a server hosting a website accessible by the identifier. In communication with the virtual machines, the monitoring logic is adapted to detect anomalous behaviors by the virtual machines during the communication session with the server.

Abstract: Herein described is a collection of traffic classifiers communicatively coupled to a classification aggregator. Traffic classifiers may use conventional techniques to classify network traffic by application name, and thereafter may construct mappings that are used to more efficiently classify future network traffic. Mappings may associate one or more characteristics of a communication flow with an application name. In a collaborative approach, these mappings are shared among the traffic classifiers by means of the classification aggregator so that one traffic classifier can leverage the intelligence (e.g., mappings) formulated by another traffic classifier.

Abstract: Improved techniques are disclosed for detecting instability events in data communications systems that support inter-administrative domain (inter-domain) routing. For example, a technique for detecting an instability event in a communications system supporting inter-administrative domain routing includes the following steps. At an inter-domain router, one or more features are extracted from one or more messages obtained from at least another router in the communications system. The one or more extracted features include a path length feature, a path edit distance feature, or a combination thereof. Then, the inter-domain router detects whether an instability event has occurred in the communications system based on the one or more extracted features such that an action can be effectuated. By way of example, the one or more messages may include one or more border gateway protocol update messages and the inter-domain router may be a border gateway protocol router.

Abstract: Methods, apparatuses and systems directed to detecting network applications whose data flows have been encrypted. The present invention extends beyond analysis of explicitly presented packet attributes of data flows and holistically analyzes the behavior of host or end systems as expressed in related data flows against a statistical behavioral model to classify the data flows.

Abstract: Methods, apparatuses and systems directed to detecting network applications whose data flows have been encrypted. The present invention extends beyond analysis of explicitly presented packet attributes of data flows and holistically analyzes the behavior of host or end systems as expressed in related data flows against a statistical behavioral model to classify the data flows.

Abstract: Systems and methods for delayed function activation in a responsive environment are described. A responsive environment includes an intermediary system and notification manager to determine when a responsive environment will launch an application triggered by a sensed event. The environment includes sensor components and transparent software components that reside wholly within the environment for providing responsiveness. The environment also includes interactive software components that give users the means to provide input and/or experience output. Since changes to the interaction components may disrupt the user by requiring the user's attention when it is not convenient, the system helps the user manage the responsive environment by using an application/function delay technique. The environment uses an intelligence and notification mechanism to determine what might be useful and primes the apparatus to provide that functionality. However, the user actually initiates the execution of that function.

Abstract: Improved techniques are disclosed for detecting instability events in data communications systems that support inter-administrative domain (inter-domain) routing. For example, a technique for detecting an instability event in a communications system supporting inter-administrative domain routing includes the following steps. At an inter-domain router, one or more features are extracted from one or more messages obtained from at least another router in the communications system. The one or more extracted features include a path length feature, a path edit distance feature, or a combination thereof. Then, the inter-domain router detects whether an instability event has occurred in the communications system based on the one or more extracted features such that an action can be effectuated. By way of example, the one or more messages may include one or more border gateway protocol update messages and the inter-domain router may be a border gateway protocol router.

Abstract: Systems and methods for delayed function activation in a responsive environment are described. A responsive environment includes an intermediary system and notification manager to determine when a responsive environment will launch an application triggered by a sensed event. The environment includes sensor components and transparent software components that reside wholly within the environment for providing responsiveness. The environment also includes interactive software components that give users the means to provide input and/or experience output. Since changes to the interaction components may disrupt the user by requiring the user”s attention when it is not convenient, the system helps the user manage the responsive environment by using an application/function delay technique. The environment uses intelligence and notification mechanism to determine what might be useful and primes the apparatus to provide that functionality. However, the user actually initiates the execution of that function.