Abstract: Technology is described for malware investigation by analyzing computer memory in a computing device. The method can include performing static analysis on code for a software environment to form an extended type graph. A raw memory snapshot of the computer memory can be obtained at runtime. The raw memory snapshot may include the software environment executing on the computing device. Dynamic data structures can be found in the raw memory snapshot using the extended type graph to form an object graph. An authorized memory area can be defined having executable code, static data structures, and dynamic data structures. Implicit and explicit function pointers can be identified. The function pointers can be checked to validate that the function pointers reference a valid memory location in the authorized memory area and whether the computer memory is uncompromised.

Abstract: Embodiments gather historical information about data propagation by monitoring requests to and replies from a server. When a request is received from a client system to upload code onto a web site, a user identity associated with the client system is determined and a tag that uniquely identifies the uploaded data is created and mapped with the user identity into a propagation graph. The propagation graph includes nodes and edges associated with a number of client systems that made similar requests such that each node of the propagation graph corresponds to both a tag and user identity of a client system and edges within the propagation graph represent causality links between the nodes. The propagation graph can then be used for finding long propagation chains, which can be useful for detecting worm-like propagation activity.

Abstract: A system described herein includes a receiver component that receives source code from a computer-readable medium of a computing device and a static analysis component that executes a points-to analysis algorithm over the source code to cause generation of a points-to graph, wherein the points-to graph is a directed graph that comprises a plurality of nodes and a plurality of edges, wherein nodes of the points-to graph represent pointers in the source code and edges represent inclusion relationships in the source code. The system also includes an inference component that infers target types for generic pointers in the source code based at least in part upon known type definitions and global variables in the source code.

Abstract: A system for automatic inference of message formats from network packets is described. Each network message from a set of network messages is split into one or more tokens based on the types of bytes in the network messages. The set of network messages can then be classified into clusters based on token patterns. The network messages in each cluster can then be further sub-clustered recursively based on the message formats. Further, the messages with a similar message format across the sub-clusters can be merged into a cluster. The set of formatted clusters thus obtained correspond to a set of message formats that can be used further for protocol reverse engineering.

Abstract: Systems and methods for automatically reverse engineering an input data format using dynamic data flow analysis. Combining input data with a simulated execution of the binary program using the input data and analyzing the use of the data by the program to generate a BNL-like grammar representing the input data format. The input data can be application level protocols, network protocols or formatted files.

Abstract: The claimed subject matter provides a system and/or method that generates data patches for vulnerabilities. The system can include devices and components that examine exploits received or obtained from data streams, constructs probes and determines whether the probes take advantage of vulnerabilities. Based at least in part on such determinations data patches are dynamically generated to remedy the hitherto vulnerabilities.

Abstract: A system for automatic inference of message formats from network packets is described. Each network message from a set of network messages is split into one or more tokens based on the types of bytes in the network messages. The set of network messages can then be classified into clusters based on token patterns. The network messages in each cluster can then be further sub-clustered recursively based on the message formats. Further, the messages with a similar message format across the sub-clusters can be merged into a cluster. The set of formatted clusters thus obtained correspond to a set of message formats that can be used further for protocol reverse engineering.

Abstract: Embodiments gather historical information about data propagation by monitoring requests to and replies from a server. When a request is received from a client system to upload code onto a web site, a user identity associated with the client system is determined and a tag that uniquely identifies the uploaded data is created and mapped with the user identity into a propagation graph. The propagation graph includes nodes and edges associated with a number of client systems that made similar requests such that each node of the propagation graph corresponds to both a tag and user identity of a client system and edges within the propagation graph represent causality links between the nodes. The propagation graph can then be used for finding long propagation chains, which can be useful for detecting worm-like propagation activity.

Abstract: Methods and compositions for the optimization of production of influenza viruses suitable as influenza vaccines are provided.