Abstract: To achieve end-to-end security, traditional machine-to-machine security measures are insufficient if the integrity of the graphical user interface (GUI) is compromised. GUI logic flaws are a category of software vulnerabilities that result from logic flaws in GUI implementation. The invention described here is a technology for uncovering these flaws using a systematic reasoning approach. Major steps in the technology include: (1) mapping a visual invariant to a program invariant; (2) formally modeling the program logic, the user actions and the execution context, and systematically exploring the possibilities of violations of the program invariant; (3) finding real spoofing attacks based on the exploration.

Abstract: System events preceding occurrence of a problem are likely to be similar to events preceding occurrence of the same problem at other times or on other systems. Thus, the cause of a problem may be identified by comparing a trace of events preceding occurrence of the problem with previously diagnosed traces. Traces of events preceding occurrences of a problem arising from a known cause are reduced to a series of descriptive elements. These elements are aligned to correlate differently timed but otherwise similar traces of events, converted into symbolic representations, and archived. A trace of events leading to an undiagnosed a problem similarly is converted to a symbolic representation. The representation of the undiagnosed trace is then compared to the archived representations to identify a similar archived representation. The cause of the similar archived representation is presented as a diagnosis of the problem.

Abstract: A network can be explored to investigate exploitive behavior. For example, network sites may be actively explored by a honey monkey system to detect if they are capable of accomplishing exploits, including browser-based exploits, on a machine. Also, the accomplishment of exploits may be detected by tracing events occurring on a machine after visiting a network site and analyzing the traced events for illicit behavior. Alternatively, site redirections between and among uniform resource locators (URLs) may be explored to discover relationships between sites that are visited.

Abstract: A system arid method for enabling highly scalable multi-node event distribution networks through the use of summary-based routing, particularly event distribution networks using a content-based publish/subscribe model to distribute information. By allowing event routers to use imprecise summaries of the subscriptions hosted by matcher nodes, an event router can eliminate itself as a bottleneck thus improving overall event distribution network throughput even though the use of imprecise summaries results in some false positive event traffic. False positive event traffic is reduced by using a filter set partitioning that provides for good subscription set locality at each matcher node, while at the same time avoiding overloading any one matcher node. Good subscription set locality is maintained by routing new subscriptions to a matcher node with a subscription summary that best covers the new subscription.

Abstract: A system and method for enabling highly scalable multi-node event distribution networks through the use of summary-based routing, particularly event distribution networks using a content-based publish/subscribe model to distribute information. By allowing event routers to use imprecise summaries of the subscriptions hosted by matcher nodes, an event router can eliminate itself as a bottleneck thus improving overall event distribution network throughput even though the use of imprecise summaries results in some false positive event traffic. False positive event traffic is reduced by using a filter set partitioning that provides for good subscription set locality at each matcher node, while at the same time avoiding overloading any one matcher node. Good subscription set locality is maintained by routing new subscriptions to a matcher node with a subscription summary that best covers the new subscription.

Abstract: System events preceding occurrence of a problem are likely to be similar to events preceding occurrence of the same problem at other times or on other systems. Thus, the cause of a problem may be identified by comparing a trace of events preceding occurrence of the problem with previously diagnosed traces. Traces of events preceding occurrences of a problem arising from a known cause are reduced to a series of descriptive elements. These elements are aligned to correlate differently timed but otherwise similar traces of events, converted into symbolic representations, and archived. A trace of events leading to an undiagnosed a problem similarly is converted to a symbolic representation. The representation of the undiagnosed trace is then compared to the archived representations to identify a similar archived representation. The cause of the similar archived representation is presented as a diagnosis of the problem.

Abstract: System events preceding occurrence of a problem are likely to be similar to events preceding occurrence of the same problem at other times or on other systems. Thus, the cause of a problem may be identified by comparing a trace of events preceding occurrence of the problem with previously diagnosed traces. Traces of events preceding occurrences of a problem arising from a known cause are reduced to a series of descriptive elements. These elements are aligned to correlate differently timed but otherwise similar traces of events, converted into symbolic representations, and archived. A trace of events leading to an undiagnosed a problem similarly is converted to a symbolic representation. The representation of the undiagnosed trace is then compared to the archived representations to identify a similar archived representation. The cause of the similar archived representation is presented as a diagnosis of the problem.

Abstract: A method and system for determining whether resources of a computer system are being hidden is provided. The security system invokes a high-level function of user mode that is intercepted and filtered by the malware to identify resources. The security system also directly invokes a low-level function of kernel mode that is not intercepted and filtered by the malware to identify resources. After invoking the high-level function and the low-level function, the security system compares the identified resources. If the low-level function identified a resource that was not identified by the high-level function, then the security system may consider the resource to be hidden.

Abstract: A technique for identifying dependencies of an application upon a given security context includes monitoring security checks generated by the application. The security checks requiring elevated rights are identified and the state of execution of the application corresponding to the identified security checks may be logged. The security checks requiring elevated rights may be identified by monitoring access checks, monitoring privilege checks, checking user/group identifiers against a list of known identifiers associated with elevated rights, or the like.

Abstract: A technique for identifying dependencies of an application upon a given security context includes monitoring security checks generated by the application. The security checks requiring elevated rights are identified and the state of execution of the application corresponding to the identified security checks may be logged. The security checks requiring elevated rights may be identified by monitoring access checks, monitoring privilege checks, checking user/group identifiers against a list of known identifiers associated with elevated rights, or the like.

Abstract: A technique for identifying dependencies of an application upon a given security context includes monitoring security checks generated by the application. The security checks requiring elevated rights are identified and the state of execution of the application corresponding to the identified security checks may be logged. The security checks requiring elevated rights may be identified by monitoring access checks, monitoring privilege checks, checking user/group identifiers against a list of known identifiers associated with elevated rights, or the like.

Abstract: Embodiments of a RootKit detector are directed to identifying a RootKit on a computer that is designed to conceal malware. Aspects of the RootKit detector leverage services provided by kernel debugger facilities to automatically obtain data in specified data structures that are maintained by an operating system. Then the data obtained from the kernel debugger facilities is processed with an integrity checker that determines whether the data contains properties sufficient to declare that a RootKit is resident on the computer.

Abstract: System events preceding occurrence of a problem are likely to be similar to events preceding occurrence of the same problem at other times or on other systems. Thus, the cause of a problem may be identified by comparing a trace of events preceding occurrence of the problem with previously diagnosed traces. Traces of events preceding occurrences of a problem arising from a known cause are reduced to a series of descriptive elements. These elements are aligned to correlate differently timed but otherwise similar traces of events, converted into symbolic representations, and archived. A trace of events leading to an undiagnosed a problem similarly is converted to a symbolic representation. The representation of the undiagnosed trace is then compared to the archived representations to identify a similar archived representation. The cause of the similar archived representation is presented as a diagnosis of the problem.

Abstract: A weak leader election approach to determine which of a number of redundant nodes is the leader node is disclosed. The redundant nodes exchange information particular to them, such as age information. Based on the information received from the other nodes, each node determines whether it is the leader. Where the information is age information, a criteria that can be used to make this determination is that the oldest node is the leader. Each redundant node knows only whether it is the leader node. Redundant nodes that are not the leader do not know which node is the leader node.

Abstract: Power line monitoring is disclosed. The monitoring can be performed in conjunction with an automation system designed to control and monitor devices and sensors. Model-based power line monitoring uses a model of acceptable power line activity. Activity that does not conform to the model is tagged as indicating a potential problem. Pattern-based power line monitoring uses patterns of unacceptable power line activity. Activity that matches one of the patterns is also tagged as indicating a potential problem.

Abstract: A system and method is provided for evaluating the effectiveness of data encryption for hiding the identity of the source of Web traffic. A signature is constructed from encrypted Web traffic for a Web page sent by a target Web site, and the signature is compared with archived traffic signatures obtained by accessing various Web pages of interest in advance. If the signature of the detected encrypted Web traffic matches a stored traffic signature beyond a pre-set statistical threshold, a positive match is found, and the source of the traffic is identified. Countermeasures for reducing the reliability of source identification based on traffic signature matching are provided.

Abstract: A method and system for improving reliability and availability in distributed computer applications. The method and system may be used in the context of primary-backup, failover recovery. The method involves software-fault tolerance using technique of structured storage; referral components; and wrappers. The method and system exploit the platform and operating system independence of component object models to allow the dynamic linkage of different component objects, the objects being resident on different inter-linked machines, based on the application requirements at any given point in time.

Abstract: A spiral inductor is provided including a substrate and an inductor dielectric layer over the substrate having a spiral opening provided therein. The spiral inductor is in the spiral opening with the spiral inductor including a plurality of parallel spiral vias connected together at center proximate and center distal ends of the spiral inductor.

Abstract: A method and system for analyzing the impact on software of an update to a software system is provided. The impact analysis system identifies resources that are affected by an update to the software system and identifies resources that are accessed by various software components during execution of the software components. To analyze the effects of an update, the impact analysis system identifies those accessed resources of the software components that are affected by the update as being impacted resources. The impact analysis system considers those software components that access the impacted resources to be impacted software components. The impact analysis system provides a user interface through which a user can view and analyze the impact of an update.

Abstract: A system and method is provided for evaluating the effectiveness of data encryption for hiding the identity of the source of Web traffic. A signature is constructed from encrypted Web traffic for a Web page sent by a target Web site, and the signature is compared with archived traffic signatures obtained by accessing various Web pages of interest in advance. If the signature of the detected encrypted Web traffic matches a stored traffic signature beyond a pre-set statistical threshold, a positive match is found, and the source of the traffic is identified. Countermeasures for reducing the reliability of source identification based on traffic signature matching are provided.