Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A data collector intercepts a selection of first tier calls between the CPU and Kernel/OS and/or second tier calls between the Kernel/Operating System and the applications, and stores information pertaining thereof. An Analytic Engine maps the stored first and second tier call information to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the collector, the Kernel module, and the Analytic Engine.

Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured.

Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A data collector intercepts a selection of first tier calls between the CPU and Kernel/OS and/or second tier calls between the Kernel/Operating System and the applications, and stores information pertaining thereof. An Analytic Engine maps the stored first and second tier call information to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the collector, the Kernel module, and the Analytic Engine.

Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A low-level data collector intercepts a selection of first tier calls between the CPU and Kernel/OS, and stores associated first tier call IDs. A Kernel module intercepts a selection of second tier calls between applications and the Kernel/OS, and stores associated second tier call IDs. An Analytic Engine maps the stored first and second tier call IDs to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the low-level collector, the Kernel module, and the Analytic Engine.

Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A low-level data collector intercepts a selection of first tier calls between the CPU and Kernel/OS, and stores associated first tier call IDs. A Kernel module intercepts a selection of second tier calls between applications and the Kernel/OS, and stores associated second tier call IDs. An Analytic Engine maps the stored first and second tier call IDs to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the low-level collector, the Kernel module, and the Analytic Engine.

Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A low-level data collector intercepts a selection of first tier calls between the CPU and Kernel/OS, and stores associated first tier call IDs. A Kernel module intercepts a selection of second tier calls between applications and the Kernel/OS, and stores associated second tier call IDs. An Analytic Engine maps the stored first and second tier call IDs to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the low-level collector, the Kernel module, and the Analytic Engine.

Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured. Sysret monitoring means intercepts calls to a sysret instruction, executes sysret monitoring operations, and subsequently returns execution to an application running on the computer.

Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured.

Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured. Sysret monitoring means intercepts calls to a sysret instruction, executes sysret monitoring operations, and subsequently returns execution to an application running on the computer.

Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured.

Abstract: A security system and method efficiently monitors and secures a computer to defend against malicious intrusions, and includes an in-band software monitor disposed within a kernel in communication with an operating system (OS) of the computer. The monitor intercepts system calls made from an MSR (Model Specific Register), to execute monitoring operations, and subsequently returns execution to the OS. An out-of-band hypervisor communicably coupled to the OS, has read shadow means for trapping read requests to the MSR, and write mask means for trapping write requests to the MSR. The hypervisor includes means for responding to the trapped read and write requests so that presence of the monitor is obscured.

Abstract: A security system and method secures and responds to security threats in a computer having a CPU, a Kernel/OS, and software applications. A low-level data collector intercepts a selection of first tier calls between the CPU and Kernel/OS, and stores associated first tier call IDs. A Kernel module intercepts a selection of second tier calls between applications and the Kernel/OS, and stores associated second tier call IDs. An Analytic Engine maps the stored first and second tier call IDs to a rulebase containing patterns of security threats, to generate a threat analysis, and then responds to the threat analysis. The Analytic Engine enlarges or contracts the selection of first and second tier calls to increase or decrease specificity of the threat analysis. A Management Module generates user interfaces accessible remotely by a user device, to update the rulebase and configure the low-level collector, the Kernel module, and the Analytic Engine.