Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicative that that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.

Abstract: Described is a generic protocol decoder that analyzes network traffic or file data to look for a signature, and signals an intrusion prevention mechanism/system if the signature is matched. In one aspect, the generic decoder is built using generic application-level protocol analysis language (GAPAL) primitives. These primitives provide various capabilities, including pattern matching, skipping, reading data, copying variable data and comparing data. The generic decoder may be coupled to a pre-developed protocol parser that provides the decoder with the data to analyze.

Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicative that that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.

Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicative that that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.

Abstract: A method for capturing breakpoint information from a debuggee software process includes generating a breakpoint condition based upon a breakpoint request received from a user computing device corresponding to a user and transmitting the generated breakpoint condition to debuglets, each corresponding to a software process executed by a debuggee service. The debuggee service executes on a distributed system, and each debuglet translates the generated breakpoint condition to a physical breakpoint condition set to the respective software process. The method also includes receiving a request from one of the debuglets to update active breakpoint information captured by the debuglet upon the physical breakpoint condition being hit by one of the software processes and transmitting a notification from the processing device indicating the physical breakpoint condition being hit to the user computing device.

Abstract: Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module's specified condition is met, it invokes the corresponding child module, (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.

Abstract: A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.

Abstract: A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.

Abstract: A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.

Abstract: A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.

Abstract: Described is a generic protocol decoder that analyzes network traffic or file data to look for a signature, and signals an intrusion prevention mechanism/system if the signature is matched. In one aspect, the generic decoder is built using generic application-level protocol analysis language (GAPAL) primitives. These primitives provide various capabilities, including pattern matching, skipping, reading data, copying variable data and comparing data. The generic decoder may be coupled to a pre-developed protocol parser that provides the decoder with the data to analyze.

Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicative that that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.

Abstract: Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module's specified condition is met, it invokes the corresponding child module, (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.