Abstract: A method for detecting malicious network content comprises inspecting one or more packets of network content, identifying a suspicious characteristic of the network content, determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic, identifying the network content as suspicious if the score satisfies a threshold value, executing a virtual machine to process the suspicious network content, and analyzing a response of the virtual machine to detect malicious network content.

Abstract: Techniques for handling a file associated with a program are described herein. According to an aspect of the invention, in response to a request for accessing a file received through a first program, the file is stored in a first sandboxed storage area, where the file is to be accessed by a second program. An atomic move operation is then performed on the file that atomically moves the file from the first sandboxed storage area to a second sandboxed storage area, where the first sandboxed storage area is not accessible to the first program and second program. The second program is launched to access the file stored in the second sandboxed storage area, where the second sandboxed storage area is a part of a sandbox associated with the second program.

Abstract: Methods and apparatus for executing untrusted application code are disclosed. An example apparatus includes an execution mode state indicator with a plurality of states. In the example apparatus, the execution mode state indicator is configured such that placing the execution mode state indicator in a first state causes the processor to operate in a first execution mode and placing the execution mode state indicator in a second state causes the processor to operate in a second execution mode. The example apparatus also includes an instruction processing module that is configured to implement a set of instructions in the first execution mode and designate one or more instructions of the set of instructions as illegal instructions in the second execution mode. The example apparatus further includes a memory system that, in the second execution mode, is configured to restrict access to a set of memory addresses accessible by the processor in the first execution mode to a subset of the set of memory addresses.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for runtime language-independent sandboxing of software. In one aspect, a system implements an extended Software Fault Isolation (SFI) software sandboxing system configured to provide a user-mode program interface for receiving runtime requests for modifying verifiably safe executable machine code. Requests can include dynamic code creation, dynamic code deletion, and atomic modification of machine code instructions. A runtime modification of a verifiably safe executable memory region is made in response to each received runtime request, and code within the modified memory region has a guarantee of safe execution.

Abstract: An improved technique tracks errors in collecting geolocation data associated with a transaction. Along these lines, an adaptive authentication engine stores information indicative of a failure to collect geolocation data associated with the transaction. In particular, this information takes the form of a geolocation collection state; the adaptive authentication engine stores such a state in a field of a database that contains historical transaction information. If a service provider failed to collect geolocation information for a transaction, the adaptive authentication engine stores a “Fail” value in the geolocation collection state field of the database entry associated with the transaction. Adaptive authentication techniques may then correlate such “Fail” values with other field values such as time of submission and device type. The result of such a correlation is to build a risk model based on geolocation collection error which the risk engine may then use to compute risk score.

Abstract: Disclosed are methods and media for inspecting security certificates. Methods include the steps of: scanning, by a network security device, messages of a security protocol between a server and a client system; detecting the messages having a security certificate; detecting suspicious security certificates from the messages; and aborting particular sessions of the security protocol associated with the suspicious certificates. Preferably, the step of scanning is performed only on messages of server certificate records. Preferably, the method further includes the step of sending an invalid-certificate notice to the server and the client system. Preferably, the step of detecting the suspicious certificates includes detecting a use of an incorrectly-generated private key for the certificates. Preferably, the step of detecting the suspicious certificates includes detecting an unavailability of revocation information for the certificates.

Abstract: A method and apparatus for preventing an IDT-based security sandbox from causing a kernel panic when using a call gate is disclosed. The method comprises receiving a request from an application to create a secure sandbox, wherein epilog code is mapped into the application upon receiving the request; enabling a call gate, wherein the call gate defines a location of call gate target code for enabling the secure sandbox; executing the epilog code to facilitate an interrupt disable instruction; jumping through the call gate; and enabling the secure sandbox.

Abstract: A method of detecting network communications includes monitoring network devices for communication data; generating an output file including the communication data correlated with a communication type; computing network metrics based on the correlated data; comparing the network metrics with a policy threshold; and determining a network violation event based on the comparing.

Abstract: A system, method and computer program product for implementing dynamic behavior rules for malware detection. A method of heuristic analysis of computer program execution is used. A behavior of a computer program is monitored, analyzed and blocked in runtime. Actions performed or triggered by each executable component are compared against a set of behavioral rules. The behavioral rules determine wherever the requested action is allowed or blocked, and which new behavioral rules are needed to be applied to future actions. Executed actions (allowed or blocked) introduce new dynamic behavioral rules to the computer system, which in turn can apply these rules for analyzing behavior of subsequent components executed on the computer system.

Abstract: A validating server receives from a client device a first request that does not include a cookie for a validating domain that resolves to the validating sever. The first request is received at the validating server as a result of a proxy server redirecting the client device to the validating domain upon a determination that a visitor belonging to the client device is a potential threat based on an IP (Internet Protocol) address assigned to the client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain. The validating server sets a cookie for the client device, determines a set of characteristics associated with the first client device, and transmits the cookie and a block page to the client device that has been customized based on the set of characteristics, the block page indicating that the second request has been blocked.

Abstract: A region of HTML or PDF file bytecode run on a virtual machine is identified as possible malware, allowing a detection signature to be generated. A determination is made, based on code behavior, that malware may be present. Variables visible in this identification start state can be found by mapping the start state to scopes in an abstract syntax data structure. Searching previously executed states of the virtual machine for any assignment of a variable that belongs to the set of variables of interest provides a set of assignments of interest, even in obfuscated code. Nonterminated assignments of interest will lead in turn to other variables of interest and assignments of interest, until all assignments of interest are terminated. At that point, a region of code defined by the assignments of interest is identified as a malware detection signature generation candidate, and submitted to a human or automated analyst.

Abstract: The objective of the present invention is to provide a security monitoring system and a security monitoring method which is capable of a quick operation when an unauthorized access, a malicious program, and the like are detected, while the normal operation of the control system is not interrupted by an erroneous detection. The security monitoring system 100 obtains communication packets in segments 3 which constitutes a control system 1, and extracts a communication packet which has a characteristic value different from a normal value among the obtained communication packets to generate communication event information 150. The security monitoring system 100 predicts a degree of influence on the control system 1 by the communication packet extracted as the communication event information 150 by verifying the communication event information 150 with event patterns which indicate characteristics of the unauthorized access and the like.

Abstract: A method and device for intrusion detection using secure signatures comprising capturing network data. A search hash value, value employing at least one one-way function, is generated from the captured network data using a first hash function. The presence of a search hash value match in a secure signature table comprising search hash values and an encrypted rule is determined. After determining a search hash value match, a decryption key is generated from the captured network data using a second hash function, a hash function different form the first hash function. One or more of the encrypted rules of the secure signatures table having a hash value equal to the generated search hash value are then decrypted using the generated decryption key. The one or more decrypted secure signature rules are then processed for a match and one or more user notifications are deployed if a match is identified.

Abstract: Various embodiments include a computer system comprising a computer network including at least one client computer, the at least one client computer operable to generate a request, and an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network, wherein the anti-malware engine is operable to receive the request generated by the at least one client, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags.

Abstract: An automated malware analysis method is disclosed which can perform receiving a first universal resource locator identifying a first intermediate network node, accessing the first intermediate network node to retrieve a first malware artifact file, storing the malware artifact file in a data storage device, analyzing the malware artifact file to identify a second universal resource locator within the malware artifact file, and accessing a second intermediate network node to retrieve a second malware artifact file.

Abstract: Circuits and methods are provided for detecting, identifying and/or removing undesired content. According to one embodiment, a content object is stored by a general purpose processor to a system memory. The memory has stored therein a page directory containing information for translating virtual addresses to physical addresses. Multiple most recently used entries of the page directory are cached, by a virus co-processor, within translation lookaside buffers (TLBs) implemented within an on-chip cache of the co-processor. Instructions are read by the co-processor, from a virus signature memory of the co-processor. The instructions contain op-codes of a first and second instruction type. Instructions of the first type are assigned to a first instruction pipe of the co-processor. An instruction assigned to the first instruction pipe is executed including accessing the content object by performing direct virtual memory addressing of the system memory and comparing the content object against a string.

Abstract: A method of monitoring levels of security conformity and preparedness of a plurality of network connected computing machines, obtains a report by remotely scanning the machines in segments. The machines might already be connected to commercial security software and a patch dispenser. The report includes definition dates and any files quarantined by the commercial security software, patch-management-software communication present and the patches received. The method uses the report and software (not installed on the scanned machines) to produce a Network Security Scanner for Enterprise Protection output to perform a security-preparedness audit of the scanned machines. The audit non-intrusively ascertains. If the scanned machines conform to user-defined fields and policies, and assists in selective security updating of the machines. The scanning, unrecognized by the scanned machines may be configured to suit their OS, and done periodically as desired. A computer readable medium executing the method is included.

Abstract: Instrumented networks, machines and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects (including mobile devices) and applications on the instrumented target platform. Methods and systems are disclosed for dynamic attestation of mobile device integrity based upon subject reputation scores. In an embodiment, a method scores trustworthiness of a mobile device based on reputation scores for users associated with the device and/or a device reputation score. The method generates runtime integrity alerts regarding execution anomalies for applications executing on the device, calculates risks based on a ruleset, and determines a calculus of risk for the device.

Abstract: Methods for training a static security analysis classifier include running an initial security analysis on a training codebase to generate a set of vulnerabilities associated with the training codebase; analyzing the program with a feature set that limits a number of detected vulnerabilities to generate a limited set of vulnerabilities associated with the feature set; comparing the limited set of vulnerabilities to a known vulnerability distribution to generate an accuracy score; and iterating the steps of analyzing and comparing using different feature sets to find a feature set having a highest accuracy score.

Abstract: Apparatus and methods for indicating the identity of a device for receiving and retransmitting programming information. The device, which may be a set-top box or suitable communication network receiver, may be configured to receive a broadcast signal from an antenna, which may be a satellite, a cable, an electronic communication network or any other suitable source. The programming information may be any type of audio or video data, or any other suitable type of data. The broadcast signal may have multiple channels that include the programming information. Each of the channels may include a distinct watermark. The device may splice between the channels to generate a signature that the device may embed in an output data stream that may be used to display or perform the programming information.

Abstract: A method is provided in one example embodiment and it includes identifying a root term and determining one or more other terms belonging to a group associated with the root term. The method also includes selecting one or more of the terms from the group and generating a concept based on the selected terms from the group, wherein the concept is applied to a rule that affects data management for one or more documents that satisfy the rule. In more specific embodiments, the root term is identified via a search or via an incident list. In other embodiments, a collection of meaningful terms is provided to assist in determining the other terms for the group, the collection of meaningful terms being generated based on the root term. The concept can be used to automatically mark one or more documents that relate to the concept.

Abstract: The content of operations is identified and an alert is generated to an operation having a high risk of information leakage. An agent monitors, for example, operations performed with respect to a dialogue displayed on a client PC. If a file is selected by an operation performed with respect to the displayed dialogue, the agent assigns an identifier indicating a source for the file to the file. If the file is sent as an attached file, the agent identifies an output destination for the attached file as well as the source for the attached file; and if the output destination for the attached file is an external Web server and the source for the attached file is a mail server, the agent generates an alert by determining that an unauthorized operation has been executed; and then sends the generated alert to a management server.

Abstract: In one implementation, encrypted data and a virtual machine are stored together as a virtual machine-data image, wherein the virtual machine is configured to EXERT management control over the data based on policies set by an owner of the data. In another implementation, metadata defining or tagging policies for usage of data is associated with the data. Control capabilities of service providers are mapped to the policies, wherein those service provider environments that best satisfy the controls mapped to the policies are identified.

Abstract: A certification is received from a user stating that captured content does not comprise a particular restricted element and a request from the user for an adjustment of a digital rights management rule identified for the captured content based on the captured content comprising the particular restricted element. At least one term of the digital rights management rule is adjusted to reflect that the captured content does not comprise the particular restricted element. The usage of the captured content by the user is monitored to determine whether the usage matches the certification statement.

Abstract: Private anonymous electronic messaging between a message originator and a message recipient within an organization encourages open communication which can provide information to the organization that might otherwise be secreted from the organization, and can allow the message originator to obtain desired help (e.g., counseling). By profiling of the message originator based on current and previous electronic messaging within the system as well as external organizational information (e.g., behavioral or financial information), the system can assess concerns yet act as a gateway to protect the message originator's true identity through escalating levels of concern unless a genuine concern about the health, well-being, and/or safety of the message originator, others, or the organization is indicated, in which case the system can reveal the true identity of the message originator as appropriate.

Abstract: Embodiments relate to a process for identifying data leakage in a data storage system. A table is created with multiple units. Each unit in the table has a unique identifier as a leading key in a schema. Two partitions are set in the table, and one of the partitions is set as unavailable. One or more queries are run on the table. Any queries that attempt to access the unavailable partition are identified through an error message or other alert.

Abstract: Methods for preventing the transmission of sensitive information to locations outside of a secure network by a person who has legitimate access to the sensitive information are described. In some embodiments, in order for an end user of a computing device to establish a secure connection with a secure network and access data stored on the secure network, a client application running on the computing device may be required by the secure network. The client application may monitor visual cues (e.g., facial expressions and gestures) associated with the end user, detect suspicious activity performed by the end user based on the visual cues, and in response to detecting suspicious activity may perform mitigating actions to prevent the transmission of sensitive information such as alerting human resources personnel or requiring authorization prior to sending information to locations outside of the secure network.

Abstract: A service management system and a method of executing a policy. In one embodiment, the service management system includes: (1) a repository configured to contain device, system, subscriber and service descriptions that define services in terms of a set of systems and devices that assume roles based on at least one of capabilities and attributes thereof and (2) a policy engine coupled to the repository and configured to employ the repository to identify end points relevant to a policy, identify services in which any of the end points play a role, identify subscribers having an identified device of the end points and a subscription to an identified service and cause the policy to be executed with respect to identified devices of identified subscribers and identified systems.

Abstract: A method and system process a document having attached thereto a set of digital rights specifications, the digital rights specifications specifying constraints on the processing of the document. A workflow controller selects candidate devices, for processing the document, from a plurality of devices and determines, for each candidate device, that the device meets the digital rights specifications requirements. A set of devices are assigned to process the document from the set of devices that meet the digital rights specifications constraints. The workflow controller detects a failed device included in the assigned set of devices to process the document and determines potential candidate devices to replace the failed device. For each potential candidate device, it is determined if the potential candidate device meets the digital rights specifications requirements. A device that meets the digital rights specifications constraints is assigned to replace the failed device.

Abstract: A data storage device protecting security code stored therein and a data storage system including same are disclosed. The data storage device efficiently prevents unauthorized access to the security code by allowing command descriptor block (CDB) information to be read using only a read-only memory (ROM).

Abstract: Systems and methods of determining a trust level from system management mode are disclosed. One such method includes: responsive to a system management mode interrupt (SMI), determining a trust level associated with code invoking the SMI; and responsive to determining that the trust level is untrusted, granting or denying a request made by the code invoking the SMI based at least in part on a type of the request.

Abstract: An application protection method and an application execution method using the same are provided. The application protection method generates a key needed to execute the application which is provided to a user terminal using information on the user terminal, information on the application, and a part of text; and transmits the generated key to the user terminal. Therefore, the application is executed on the device which has a legal right for the application, thereby preventing the illegal use of the application.

Abstract: A method for entering a passcode within a mobile device begins with receiving an indication of a user attempt to access the mobile device. A passcode entry display including a plurality of touch points is generated responsive to the indication. Each of the plurality of touch points includes at least two visual identifiers associated therewith. The passcode entry display is displayed on an interface of the mobile device and the passcode is received responsive to user selection of a sequences of the plurality of touch points associated with a predetermined sequence of at least one of the visual identifiers. The arrangement of the at least two visual identifier associated with the plurality of touch points of each passcode entry display differs from an arrangement of the at least two visual identifiers in a previous and a subsequent passcode entry display.

Abstract: A license receiver comprises a viewing license invalidating unit which invalidates a viewing license of a content a viewing time limit of which is not determined, and a first control unit. When the first control unit reproduces the content, (i) if the viewing license is valid, the first control unit determines the viewing time limit, and (ii) if the viewing license is invalid, the first control unit transmits a viewing license request including a request of determining viewing time limit, to the license server, and receives the determined viewing time from the license server. When the first control unit writes out the content to an exchangeable medium before reproducing the content, if the viewing license is valid, the first control unit invalidates the viewing license and writes out the non-determined viewing time limit to the exchangeable medium.

Abstract: A method and system for capacity licensing are disclosed. According to one embodiment, a computer implemented method comprises receiving a capability request from a device, sending a capability response to the device, the capability response comprising a serving of license rights. A deduction record is stored, the deduction record deducting a license from a license pool. An information request is received from the device, and an information response is sent.

Abstract: A computer readable medium storing a program causing a computer to execute a process for information processing, the process includes: receiving a first characteristic value calculated on the basis of first document information for use in detecting whether the first document information is tampered with or not; receiving a second characteristic value calculated on the basis of second document information for use in detecting whether the second document information is tampered with or not; and calculating a third characteristic value for use in detecting whether third document information is tampered with or not on the basis of the first characteristic value, the second characteristic value and the third document information related to integration of the first document information and the second document information.

Abstract: A method and system for capacity licensing are disclosed. According to one embodiment, a computer implemented method comprises receiving a capability request from a device, sending a capability response to the device, the capability response comprising a serving of license rights. A deduction record is stored, the deduction record deducting a license from a license pool. An information request is received from the device, and an information response is sent.

Abstract: Aspects of the disclosure relate to combining on-chip structure with external current measurements for threat detection in an integrated circuit. This method considers Trojans' impact on neighboring cells and on the entire IC's power consumption, and effectively localizes the measurement of dynamic power. An on-chip structure can permit threat detections. In one aspect, the on-chip structure can comprise a plurality of sensors distributed across the entirety of the IC, with each sensor of the plurality of sensors being placed in different rows of a standard-cell design. In another aspect, data analysis can permit separating effect of process variations on transient power usage of the IC from effects of a hardware threat such power usage. The on-chip structure also can be employed for implementation of a PE-PUF.

Abstract: A processing device comprising a processor coupled to a memory is configured to determine a risk of simultaneous theft of a primary device and at least one satellite device associated with the primary device, and to identify said at least one satellite device as an appropriate authentication factor for use in an authentication process involving the primary device, based at least in part on the determined risk. The identified satellite device may serve as an additional or alternative authentication factor relative to one or more other authentication factors. The processing device may comprise the primary device itself, or another separate device, such as an authentication server that also participates in the authentication process. Information associated with the identified satellite device is utilized in the authentication process to authenticate a user of the primary device.

Abstract: A device and system for management of and access to externally connected peripheral devices by mobile devices. User and/or application data on a mobile device is sent to externally connected peripheral devices. External peripheral devices includes, but are not limited to, printers, scanners, displays, audio interfaces, speakers, network adapters, storage drives, hard drives, and the like. An end user mobile device application interface is installed as an application on a mobile device. Data may be sent directly to a peripheral device, or to a peripherals aggregation device, which may be active or passive.

Abstract: A method and system for performing simultaneous topographic and elemental chemical and magnetic contrast analysis in a scanning, tunneling microscope. The method and system also includes nanofabricated coaxial multilayer tips with a nanoscale conducting apex and a programmable in-situ nanomanipulator to fabricate these tips and also to rotate tips controllably.