Abstract: A method and system for detecting an anomaly relating to resource access comprising logging in to a website using identity information, storing a current login time in an access time database, accessing a last local login time for the resource from the access time database, determining a last resource login time from the resource and comparing the last local login time to the last resource login time, wherein a result of the comparison indicates resource access anomaly.

Abstract: A method and system for protecting users from accidentally disclosing personal information in an insecure environment. In one embodiment, the method includes monitoring I/O device input data associated with a guest operating system on a virtualization platform. The guest operating system has less privilege than a privileged operating system on the virtualization platform. The method further includes determining whether the I/O device input data corresponds to personal information of a user, and delaying or blocking the transfer of the I/O device input data to the guest operating system if the I/O device input data corresponds to the personal information of the user.

Abstract: A callback component embedded on a web site determines a current location of the web site. The current location is compared to a known legitimate location of the web site to determine if the web site has been copied to a different host location. Responsive to determining that the web site has been copied to a different location, the callback component alerts a central authority that the web site may be a fraudulent web site set up to launch phishing attacks. If the central authority determines that the web site is fraudulent, the central authority alerts appropriate entities to take down the fraudulent web site. The callback component generates a visual component viewable on the web site to deter phishing attackers from removing the callback component when the web site is copied.

Abstract: Various methods and systems for scoring applications are disclosed. One method involves generating a baseline measuring a parameter of a computer system. The parameter is related, directly or indirectly, to the energy consumption of the computer system. The method next involves installing and running an application on the computer system. The previously measured parameter is measured with the application running. Next, a score is calculated for the application based on the two measurements. This score indicates how green the application is.

Abstract: A computer-implemented method for defragmenting virtual machine prefetch data. The method may include obtaining prefetch information associated with prefetch data of a virtual machine. The method may also include defragmenting, based on the prefetch information, the prefetch data on physical storage. The prefetch information may include a starting location and length of the prefetch data on a virtual disk. The prefetch information may include a geometry specification of the virtual disk. Defragmenting on physical storage may include placing the prefetch data contiguously on physical storage, placing the prefetch data in a fast-access segment of physical storage, and/or ordering the prefetch data according to the order in which it is accessed at system or application startup.

Abstract: A computer-implemented method for detecting data-stealing malware may include: 1) detecting an attempt by an untrusted application to access a storage location that is known to be used by a legitimate application when storing potentially sensitive information, 2) determining that the legitimate application is not installed on the computing device, 3) determining that the untrusted application represents a potential security risk, and then 4) performing a security operation on the untrusted application. Corresponding systems and computer-readable instructions embodied on computer-readable media are also disclosed.

Abstract: Zone breakout detection is disclosed. A system call is monitored. It is determined if the system call stays within a zone in which a process associated with the system call was started. If it is determined the system call does not stay within the zone in which the process associated with the system call was started, appropriate action is taken.

Abstract: Controlling identity disclosures is disclosed. A difference between a site policy as received at a first time and the site policy as received at a second time is detected through at least partially automated processing. The existence of the difference is indicated before disclosing to a relying party associated with the site policy, at or subsequent to the second time, an identity information.

Abstract: A computer-implemented method for looking up anti-malware metadata may include identifying a plurality of executable objects to be scanned for malware before execution. The computer-implemented method may also include, for each executable object within the plurality of executable objects, assessing an imminence of execution of the executable object. The computer-implemented method may further include prioritizing, based on the assessments, a retrieval order for anti-malware metadata corresponding to the plurality of executable objects. The computer-implemented method may additionally include retrieving anti-malware metadata corresponding to an executable object within the plurality of executable objects based on the retrieval order. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: One or more behavior-based features describing an execution of an application on a client are generated. One or more client-specific features are generated, wherein the client-specific features describe aspects of the client. A malware score is generated based on the behavior-based features and the client-specific features. Whether the application is a malware threat is determined based on the malware score and a result of the determination is stored.

Abstract: Computer implemented methods, apparati, and computer-readable media for empirically adjusting access to a database (1). An apparatus embodiment comprises: coupled to the database (1), a database discovery module (11) for determining authorized accesses to the database (1); coupled to the database (1), a command monitoring module (12) for monitoring actual accesses to the database (1); and coupled to the database discovery module (11) and to the command monitoring module (12), an analysis module (13) for comparing actual accesses with authorized accesses.

Abstract: A method, system and computer-readable medium for securing access between a mobile computing device and a network computer is described. The method comprises upon a connection by the mobile computing device to a network or a device, recording the connection in a history database and processing the history database to assign a risk level to the mobile computing device. The system comprises the mobile computing device comprising a connection history collection agent for collecting information about a computing environment and the host computer comprising wireless environment data derived from the collected information where the host computer uses the wireless environment data to grant or deny a connection to the mobile computing device.

Abstract: A computer-implemented method for determining whether an application impacts the health of a system may comprise detecting an application, performing a first system-health evaluation, allowing the application to install on the system, performing a second system-health evaluation after the application is installed on the system, and comparing the second system-health evaluation with the first system-health evaluation to determine whether the application impacted the health of the system. Exemplary methods for determining the potential impact of an application on the health of a system and for calculating a system-health-impact score for an application based on information gathered from a plurality of systems are also disclosed. Corresponding systems and computer-readable media are also disclosed.

Abstract: A method and apparatus for dynamically generating a persona is provided. In one embodiment, the method includes receiving an identity policy, determining a required identity information data set based on the policy, requesting a site reputation, receiving the site reputation, determining a set of site reputation parameters, and generating a persona based on the required identity information data set and the site reputation parameters.

Abstract: A method and system for improving data loss prevention via cross leveraging fingerprints of protected data is described. In one embodiment, fingerprints of sensitive data of multiple organizations are shared across data loss prevention (DLP) systems of these organizations. A DLP system of each organization monitors information content associated with this organization to detect sensitive data of other organizations, and notifies one or more users within the organization upon detecting sensitive data of other organizations. In addition, a report of external data loss detection is provided to users within an organization whose sensitive data is detected in information content of the other organizations.

Abstract: Techniques are disclosed for implementing dynamic endpoint management. In accordance with one embodiment, whenever an endpoint joins a managed network for the first time, or rejoins that network, a local security module submits a list of applications (e.g., all or incremental) to a security server. The server validates the list and sends back a rule set (e.g., allow/block rules and/or required application security settings) for those applications. If the server has no information for a given application, it may further subscribe to content from a content provider or service. When the server is queried regarding an unknown application, the server sends a query to the service provider to obtain a trust rating for that unknown application. The trust rating can then be used to generate a rule set for the unknown application. Functionality can be shifted from server to client, and vice-versa if so desired.

Abstract: A system and method for compiling part of the bytecode for a software application into native code at install time when the software application is installed on a particular computer are described. According to one embodiment of the method, usage information for the software application may be received. The usage information may indicate how frequently or commonly each of a plurality of features of the software application is used. The usage information may be analyzed to determine a rank ordering of the features. The method may further comprise installing the software application on the particular computer. Installing the software application may comprise compiling one or more bytecode modules of the software application into native code, where the one or more bytecode modules are selected from a plurality of bytecode modules depending upon the rank ordering of the features.

Abstract: A security module manages differences in hygiene by applying differing levels of security policy to interactions of users with clients according to separate hygiene of the users and the clients. The module monitors computer security practices of clients and users in an environment, and uses this to client a machine hygiene score for a given client and a user hygiene score for a given user. The scores represent an assessment of the trustworthiness of the client and of the user. The module dynamically combines the scores computed for an interaction between the given user and given client, and applies a level of security policy to the interaction accordingly, determining what activities can be performed on the client based on the level of policy applied.

Abstract: An execution environment of a computer computes an initial effective permissions set for managed code based on user identity evidence, code evidence and/or a security policy and executes the code with this permissions set. If the managed code requests a data access, the execution environment considers data evidence that indicates the trustworthiness of the requested data. The data evidence can be based on the source of the data, the location of the data, the content of the data itself, or other factors. The execution environment computes a new effective permissions set for the managed code based on the data evidence and the security policy. This new effective permissions set is applied to the managed code while the code accesses the data. The execution environment restores the initial permissions set once the managed code completes the data access.

Abstract: A computer-implemented method for detecting man-in-the-browser attacks may include identifying a transaction fingerprint associated with a web site. The method may also include tracking a user's input to the web site. The user's input may be received through a web browser. The method may further include intercepting an outgoing submission to the web site. The method may additionally include determining whether, in light of the transaction fingerprint, the user's input generated the outgoing submission. Various other methods, systems, and computer-readable media are also disclosed.