Patents by Inventor Stuart Staniford

Stuart Staniford has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10757120
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: July 16, 2018
    Date of Patent: August 25, 2020
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Patent number: 10432650
    Abstract: A method and a system of protecting a target computer server system from packet data communication exploits are described. Such a method may include: identifying as being anomalous a first data processing request, and in response: (1) directing the first data processing request to a first diagnostic instrumented module that provides virtualization of a target server or request handling interface and determines an anomaly severity of the first data processing request, and (2) transmitting to the sender of the first data processing request a packet data protocol redirect request for accessing the target computer server system or slow-walking a response to the sender. A packet data communication exploit suspect may be determined based on processing of the first data processing request by the first diagnostic instrumented module. The first diagnostic instrumented module may be a virtual server or container virtualizing the server.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: October 1, 2019
    Inventor: Stuart Staniford
  • Patent number: 10282548
    Abstract: Systems and methods for detecting malicious content are provided. In an exemplary embodiment, a method for detecting malicious content is described that detects when a client device has access to a remote network server of a communication network. The client device includes one or more processors. Thereafter, a controller, being a device separate from the client device, activates one or more security programs within the remote network server. The security programs enable the controller to analyze data stored within or transmitted from the remote network server. Lastly, the controller analyzes the data to determine whether the data includes malware.
    Type: Grant
    Filed: December 12, 2016
    Date of Patent: May 7, 2019
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Stuart Staniford, Muhammad Amin, Henry Uyeno, Samuel Yie
  • Patent number: 10027690
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: July 17, 2018
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Patent number: 9832212
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: November 28, 2017
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Publication number: 20170289186
    Abstract: A method and a system of protecting a target computer server system from packet data communication exploits are described. Such a method may include: identifying as being anomalous a first data processing request, and in response: (1) directing the first data processing request to a first diagnostic instrumented module that provides virtualization of a target server or request handling interface and determines an anomaly severity of the first data processing request, and (2) transmitting to the sender of the first data processing request a packet data protocol redirect request for accessing the target computer server system or slow-walking a response to the sender. A packet data communication exploit suspect may be determined based on processing of the first data processing request by the first diagnostic instrumented module. The first diagnostic instrumented module may be a virtual server or container virtualizing the server.
    Type: Application
    Filed: March 30, 2017
    Publication date: October 5, 2017
    Inventor: Stuart Staniford
  • Publication number: 20160182542
    Abstract: Described is a method and system for determining a suspect in a resource exhaustion attack, for example DDoS (Distributed Denial of Service Attack), against a target processor using transitions between data processing requests. For example, a first website request followed by a second website request received from a remote sender at a server is determined to be a statistically unusual transition and thus may raise suspicion about the remote sender. Such transitions for the remote sender can be cumulatively evaluated.
    Type: Application
    Filed: December 18, 2015
    Publication date: June 23, 2016
    Inventor: Stuart Staniford
  • Publication number: 20160127393
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Application
    Filed: June 22, 2015
    Publication date: May 5, 2016
    Applicant: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Patent number: 9106694
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: April 18, 2011
    Date of Patent: August 11, 2015
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Muhammad Amin, Stuart Staniford
  • Publication number: 20110314546
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Application
    Filed: April 18, 2011
    Publication date: December 22, 2011
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Publication number: 20070261061
    Abstract: A method and system are provided that enable the processing of security event data. In a first version, instructions for processing security event data are software encoded in separate modules. The software is organized into discrete modules and executed by an information technology system. The software as executed identifies the computational engines of the information technology available for processing the security event data and assigns modules to specific computational engines. A plurality of events stored in a buffer are processed sequentially through two or more modules. The results of each processing of an event by a module are recorded in an extended event structure and made accessible to a successive module. The location of the buffer storing an event is available for overwriting after the event has been fully processed.
    Type: Application
    Filed: November 26, 2005
    Publication date: November 8, 2007
    Inventors: Stuart Staniford, Tanuj Mohan, Harpreet Sawhney, Prashant Bhagdikar
  • Publication number: 20070174563
    Abstract: A method and information technology system are provided that enable a one-pass automated selection of memory locations of a table to be made available for storing new data, which may be applied to clear memory space of the table as the table approaches an overload condition. A fraction of the memory locations of the table to be made available for overwriting is established. The memory locations store a formatted record, and a parameter of the records stored in the memory locations is chosen for use in processing the table. In one example, a time parametric value of the records is chosen, and the memory locations holding records having time values older than a G value are released for overwriting, where G is a variable that is iteratively calculated. The records are analyzed serially in pluralities or blocks and the G value is examined after each block is processed for recalculation in order to more closely achieve the removal of the established fraction of records from the remaining unexamined blocks.
    Type: Application
    Filed: January 23, 2006
    Publication date: July 26, 2007
    Inventors: Stuart Staniford, Mayuresh Mangesh Bakshi
  • Publication number: 20070118906
    Abstract: A method and system are provided that prioritizes and presents data for review by a sys admin. The system receives a high volume of intrusion event data, the intrusion event data (“event”) selected as matching at least one of a library of signatures. Significance of particular types of signature match events is determined by one or more of the following statistical methods for detecting signature match types of lesser significance: matches which appear in very large numbers; matches which appear over an extended period of time; and matches which come from many sources or go to many destinations. Signature matches may be presented to a sys admin in a descending order of likelihood of significance, as determined by the Method of the Present Invention. Signature matches determined to be unlikely to be significant might optionally not be automatically presented to the sys admin, archived, and/or accessible by request by the sys admin.
    Type: Application
    Filed: November 4, 2005
    Publication date: May 24, 2007
    Inventors: Tarique Mustafa, Stuart Staniford
  • Publication number: 20070088719
    Abstract: A system and method are provided for associating and storing data in contiguous memory locations of a secondary memory to enable efficient searching of the archived data. Current events are organized in a main memory within a data structure, e.g., an R-tree, chosen to increase the likelihood that data clustered together are more likely to relate to a same query. Most recent data is temporarily stored in the main memory to ensure that most additions of new data occur initially into the main memory, thereby enabling very high rates of data addition. The incidence of successive reads of data from a same disk memory block is increased and the length of time spent in seeking data on the disk is thereby reduced. Segments may be selected for serialization and transfer to the secondary memory without regard to age range of the data or minimal size of the block when main memory is approaching overload.
    Type: Application
    Filed: October 14, 2005
    Publication date: April 19, 2007
    Inventors: Stuart Staniford, Paul Sobel
  • Publication number: 20040111531
    Abstract: The methods and systems described herein provide for the detection of a software worm in a computer network, such as the Internet, and/or a limitation of the rate of infection of a software worm within a computer network. In a preferred embodiment, a worm detector software module observes the behavior of, and optionally inspects the electronic messages sent from, a particular computer system, network address, virtual machine, and/or cluster. A worm screen software program edits the flow of traffic from the network address when a possibility of a worm infection achieves a certain level. This editing may include the discarding or rerouting for storage or analysis of messages prepared for transmission by a particular computer system, network address, virtual machine, and/or cluster monitored by the worm screen. The worm screen may be co-located with the worm detector, or comprised within a same software program.
    Type: Application
    Filed: December 6, 2002
    Publication date: June 10, 2004
    Inventors: Stuart Staniford, Clifford Kahn, Nicholas C. Weaver, Christopher Jason Coit, Roel Jonkman