Abstract: A security server renders a plurality of web pages. The security server logs script operations of the plurality of web pages that are performed when the web pages are rendered. Sequences of script data values that result from the script operations are determined. The sequences of script data values are tagged as either malicious or non-malicious based on whether the script operations associated with the sequence of script data values resulted in abnormal behavior in the computer. A statistical analysis is performed on the malicious and non-malicious script data values to determine likelihoods that identified sequences of script data values represent malicious behavior. The security server generates security data based on the statistical analysis. The security data are provided to clients. The clients monitor script operations of web pages accessed by the clients, and use the security data to identify malicious script operations.

Abstract: An endpoint on a network uses detection data to detect a malicious software attack. The endpoint identifies content associated with the attack, such as a component of a web page, and generates a description of the content. The endpoint sends the description to a security server. The security server analyzes the content and identifies characteristics of the content that are present when the content is carried by network traffic. The security server generates a traffic signature that specifies the identified characteristics and provides the traffic signature to inspection points. The inspection points, in turn, use the traffic signature to examine network traffic passing through the inspection points to detect network traffic carrying the content. The attack detection at the endpoint thus informs the traffic signature-based detection at the inspection points and reduces the spread of malicious software.

Abstract: The execution of a software application is diverted to detect software object corruption in the software application. Software objects used by the software application are identified and their pointers are inspected. One or more tests are applied to pointers pointing to the virtual method tables of the software objects, addresses (or pointers) in the virtual method tables, and memory attributes or content of the memory buffer identified by the addresses for inconsistencies that indicate corruption. A determination of whether the software objects are corrupted is made based on the outcome of the tests. If software object corruption is detected, proper corrective actions are applied to prevent malicious exploitation of the corruption.