Malicious Software Patents (Class 707/952)
-
Patent number: 12184688
Abstract: In one embodiment, a profiling engine analyzes DNS transaction data that is logged by a recursive resolver to generate profiling results that are used to manage network activity. In operation, the profiling engine computes scores based on the DNS transaction data and scoring criteria. The profiling engine may compute any number of scores at any level of granularity. For example, the profiling engine may compute a score for each source IP address that is associated with the DNS transaction data. Subsequently, the profiling engine generates profiling results based on the scores and profiling criteria. Notably, DNS queries are typically the first step of longer transaction chains that result in the transfer of data to and from the network. Consequently, the profiling engine may provide more timely and comprehensive insight into network activities than conventional network management tools that analyze data at layers that are further down transaction chains.
Type: Grant
Filed: November 11, 2016
Date of Patent: December 31, 2024
Assignee: VeriSign, Inc.
Inventors: Eric Osterweil, Michael Kaczmarek
-
Patent number: 12111916
Abstract: A proxy apparatus for analyzing database queries in a secure network using a valid-query library that is constructed during an initial period following the deployment of an application. The proxy apparatus receives, in an operational mode, an operational database query from the secure network, generates an identifier for the received operational database query based at least upon a query code of the received operational database query; identifies a source and a destination of the received operation database query and compares the generated identifier, the identified source, and the identified destination to the valid-query library. When the comparing fails to match any entries in the valid-query library, the proxy apparatus terminates the operational database query; and when the comparing step matches an entry in the valid-query library, the proxy apparatus relays the received operational database query based on the destination identification.
Type: Grant
Filed: November 16, 2021
Date of Patent: October 8, 2024
Assignee: Saudi Arabian Oil Company
Inventors: Emad Mohammad Al-Mousa, Yaser Al-Marhoun, Khalid Al-Amoudi
-
Patent number: 12013913
Abstract: A link-analyzing system (LAS) extracts information from a markup language (ML) document associated with a web page link. In some implementations, the information that is extracted includes at least: a) address content that is part of the link's destination address; and b) text that is associated with the link but that is not part of the destination address itself. The LAS generates feature information based on the address content and the text, and then uses a classification model to make a classification assessment for the link based on the feature information. In some implementations, the LAS can control a crawling engine based on the classification assessment. In some implementations, the LAS can revise a low-confidence classification assessment based on an examination of the classification assessments of a group of similar links described by the ML document. Other implementations use the above-described functionality to classify other parts of an ML document.
Type: Grant
Filed: November 17, 2021
Date of Patent: June 18, 2024
Assignee: Microsoft Technology Licensing, LLC
Inventors: Siarhei Alonichau, Saksham Gupta, Aliaksei Bondarionok
-
Patent number: 11838303
Abstract: A log generation method for generating a log of communication on an in-vehicle network includes: performing a plurality of determination processes for determining, by using different methods, whether or not a message sent to the in-vehicle network is anomalous; generating a log in accordance with results of the plurality of determination processes; and transmitting the generated log. In the generating, information items to be included in the log are determined in accordance with a combination of the results of the plurality of determination processes so that the log does not include identical information items.
Type: Grant
Filed: July 2, 2020
Date of Patent: December 5, 2023
Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
Inventors: Manabu Maeda, Jun Anzai, Takeshi Kishikawa
-
Patent number: 11741150
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for suppressing search results to personally objectionable content. One of the methods includes receiving an identifier of a resource that has image content. A first classifier classifies the image content as including objectionable content or not including objectionable content. A second classifier classifies the image content as including professionally produced content or not including professionally produced content. Whenever the image content is classified as including objectionable content and as not including professionally produced content, the resource is designated as having personally objectionable content.
Type: Grant
Filed: October 5, 2020
Date of Patent: August 29, 2023
Assignee: Google LLC
Inventors: Christian von Essen, Xiaoxiang Yu, Matthias Heiler
-
Patent number: 9030316
Abstract: A method and apparatus where the method includes detecting a plurality of events related to the activities of users within a security system wherein the events are defined by a plurality of attributes, wherein at least one attribute is categorical and wherein a data distance between events is a function of event attributes, evaluating the detected events using a density based anomaly detection method f(r), where r is a size of a neighborhood around a data point, comparing a value of the evaluated expression with a margin threshold value (msg(r)) and setting an alarm upon detecting that the value exceeds the threshold value.
Type: Grant
Filed: March 12, 2013
Date of Patent: May 12, 2015
Assignee: Honeywell International Inc.
Inventors: Vit Libal, Pavel Vacha, Valerie Guralnik
-
Patent number: 8799190
Abstract: A reliable automated malware classification approach with substantially low false positive rates is provided. Graph-based local and/or global file relationships are used to improve malware classification along with a feature selection algorithm. File relationships such as containing, creating, copying, downloading, modifying, etc. are used to assign malware probabilities and simultaneously reduce the false positive and false negative rates on executable files.
Type: Grant
Filed: June 17, 2011
Date of Patent: August 5, 2014
Assignee: Microsoft Corporation
Inventors: Jack W. Stokes, Nikos Karampatziakis, John C. Platt, Anil Francis Thomas, Adrian M. Marinescu
-
Patent number: 8463758
Abstract: A cleaning application that can clean at least one of one or more files and a registry of a computer is provided. The cleaning application can be remotely deployed over a network to one or more computers. The cleaning application can include an administrator cleaning module and a user cleaning module. The administrator cleaning module can automatically scan a network and detect one or more computers. The administrator cleaning module can then remotely deploy the user cleaning module to one or more selected computers of the network. Once the user cleaning module is deployed on a computer, the administrator cleaning module can remotely manage the user cleaning module over the network. In particular, the administrator cleaning module can instruct the user cleaning module to clean at least one of one or more files and a registry of the computer.
Type: Grant
Filed: May 13, 2011
Date of Patent: June 11, 2013
Assignee: Piriform Ltd.
Inventor: Guy Saner
-
Patent number: 8407462
Abstract: A method for implementing network security access control is provided, including: receiving and decrypting terminal identity information that is encrypted in a bi-directional encryption mode and forwarded by a switch, and authenticating the decrypted terminal identity information; returning an authentication result to the switch so that the switch controls access of a terminal to a network according to the authentication result; encrypting the decrypted terminal identity information in a solo-directional encryption mode and authenticating the encrypted terminal identity information; returning an authentication result to a security access control gateway so that the security access control gateway controls access of the terminal to network resources according to the authentication result; delivering a security policy to a security control module on the terminal so that the security control module controls the terminal according to the security policy.
Type: Grant
Filed: March 18, 2011
Date of Patent: March 26, 2013
Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
Inventors: Yongfang Xie, Weijia Sun
-
Patent number: 8387147
Abstract: A method and system for detecting and removing a hidden pestware file is described. One illustrative embodiment detects, using direct drive access, a file on a computer storage device; determines whether the file is also detectable by the operating system by attempting to access the file using a standard file Application-Program-Interface (API) function call of the operating system; identifies the file as a potential hidden pestware file, when the file is undetectable by the operating system; confirms through an automated pestware-signature scan of the potential hidden pestware file that the potential hidden pestware file is a hidden pestware file; and removes automatically, using direct drive access, the hidden pestware file from the storage device.
Type: Grant
Filed: July 18, 2011
Date of Patent: February 26, 2013
Assignee: Webroot Inc.
Inventor: Patrick Sprowls
-
Patent number: 8359287
Abstract: A method for training a system to specifically react on a specific input. The method can include defining a set of binary data structures, each representing a real-world component, item, or virtual object; storing each data structure as a binary pattern; creating uniquely identifiable copies of the data structures to represent individual instances of the components, items, or virtual objects; creating a virtual state space of the components, items, or virtual objects by grouping them as relevant for a specific situation; receiving an input to change a status or an attribute value of at least one of the components, items, or virtual objects; storing the received changes in a new version of the applicable data structure instance; analyzing similarities of the stored binary patterns related to a particular action performed; and if a matched binary pattern is identified, proposing at least one possible action related to the matched binary pattern.
Type: Grant
Filed: March 29, 2011
Date of Patent: January 22, 2013
Inventor: Max J. Pucher
-
Patent number: 8341200
Abstract: A method of downloading a file from a Web application to a client computer equipped with a Web browser including: the Web browser sending an original request to download the file to a first front server, the original request being addressed to a URL comprising a hostname portion that is independent of the file, the first front server sending a redirection response to the original request, the response specifying a URL comprising a hostname portion that is dependent on the file, the Web browser sending a follow-up request to download the file to a second front server, the follow-up request being addressed to the URL specified in the redirection response, and the second front server downloading the requested file in response to the follow-up request.
Type: Grant
Filed: January 20, 2009
Date of Patent: December 25, 2012
Assignee: Pomian & Corella, LLC
Inventor: Francisco Corella
-
Patent number: 8321432
Abstract: Disclosed are systems and methods for use in filtering electronic messages using business heuristics. In one aspect, a method includes determining whether the electronic message is associated with a desirable business, and adjusting the likelihood of delivering the electronic message to an intended recipient of the message if the electronic message is determined to be associated with the desirable business. In a more specific embodiment, the method further includes assigning a spam-score to the electronic message based on a likelihood that the electronic message is not unwanted by the intended recipient, blocking delivery of the electronic message to the intended recipient when the spam-score does not cross an overall threshold, and delivering the electronic message to the intended recipient based on the adjusted likelihood when the electronic message is determined to be associated with the desirable business.
Type: Grant
Filed: December 9, 2009
Date of Patent: November 27, 2012
Assignee: Google Inc.
Inventors: Peter K. Lung, Scott M. Petry, Jason H. Titus
-
Patent number: 8204915
Abstract: Various exemplary embodiments disclose an apparatus and method for generating a database that maps metadata to peer-to-peer (P2P) content and, more particularly, to a database that an Internet Service Provider (ISP) can build to correlate metadata with P2P traffic. The database may collect metadata having a key that uniquely corresponds to particular P2P content. An ISP may use the database to identify malware in P2P files and tag P2P traffic that seeks to exchange material in violation of applicable copyright laws.
Type: Grant
Filed: February 13, 2009
Date of Patent: June 19, 2012
Assignee: Alcatel Lucent
Inventors: Andrew Dolganow, Steve Morin, David Maxwell
-
Patent number: 8145690
Abstract: Information collections defining a common subject such as a codified or uncodified body of law are stored on a computer readable medium in association with temporal information indicating the state or status with respect to time of parts of the information collection, including different versions of the same part. Parts that are different versions of each other have different temporal information associated therewith and can be accessed based on the temporal information. Thus, the temporal information may be used to control access to and display of parts of the subject in a computer system based on time as a search or request parameter. Parts of the common subject may be organized and stored according to various schemes, including hierarchical schemes such as topic trees, a relational database, a file system or a structured document system (e.g., using XML). Parts of the common subject and temporal and other information may be associated in various ways, including linking (e.g.
Type: Grant
Filed: June 16, 2008
Date of Patent: March 27, 2012
Inventors: Fred C. Mitchell, Peter Mosca, James Michael Snyder
-
Patent number: 8078625
Abstract: Content may be categorized by accessing a URL associated with the content, determining a set of n-grams contained in the URL, and determining a category of the content based on the set of n-grams.
Type: Grant
Filed: September 11, 2006
Date of Patent: December 13, 2011
Assignee: AOL Inc.
Inventors: Jianping Zhang, Jinshui Qin, Qiuming Yan
-
Patent number: 8046374
Abstract: A database intrusion detection system (DIDS) automatically trains itself to account for changes to the database. The DIDS monitors upstream queries sent to the database and downstream data provided in response to the queries. The DIDS classifies an upstream query as legitimate or anomalous. If the query is anomalous, the DIDS determines whether the anomaly resulted from a change in the database by performing one or more tests. One test determines whether the query references new fields or tables. Another test determines the frequency at which the query is received, and/or whether the query is received from multiple sources. A third test determines whether the query accesses sensitive information. Together, the results of these tests describe whether the query should be classified as anomalous or legitimate.
Type: Grant
Filed: May 6, 2005
Date of Patent: October 25, 2011
Assignee: Symantec Corporation
Inventor: Adam Bromwich
-
Patent number: 7970772
Abstract: Techniques for monitoring abnormalities in a data stream are provided. A plurality of objects are received from the data stream and one or more clusters are created from these objects. At least a portion of the one or more clusters have statistical data of the respective cluster. It is determined from the statistical data whether one or more abnormalities exist in the data stream.
Type: Grant
Filed: May 24, 2007
Date of Patent: June 28, 2011
Assignee: International Business Machines Corporation
Inventors: Charu C. Aggarwal, Philip Shi-Lung Yu
-
Patent number: 7937349
Abstract: A method for training a system to specifically react on a specific input. The method can include defining a set of binary data structures, each representing a real-world component, item, or virtual object; storing each data structure as a binary pattern; creating uniquely identifiable copies of the data structures to represent individual instances of the components, items, or virtual objects; creating a virtual state space of the components, items, or virtual objects by grouping them as relevant for a specific situation; receiving an input to change a status or an attribute value of at least one of the components, items, or virtual objects; storing the received changes in a new version of the applicable data structure instance; analyzing similarities of the stored binary patterns related to a particular action performed; and if a matched binary pattern is identified, proposing at least one possible action related to the matched binary pattern.
Type: Grant
Filed: August 27, 2007
Date of Patent: May 3, 2011
Inventor: Max J. Pucher
-
Patent number: 7917481
Abstract: The present invention enables a large number of files to be processed for evidence of malicious content, independently of the file system that maintains the files. The processed files can be obtained from live data or a point-in-time copy (e.g., a snapshot) of the data, based on mapping information that maps the files to the physical storage device. In one embodiment, a method involves accessing mapping information corresponding to a set of data. The mapping information maps at least a portion of a file to a physical storage location. The portion of the file can be read from the physical storage location using the mapping information, without accessing a file system. The portion of the file can then be analyzed for evidence of malicious content.
Type: Grant
Filed: September 28, 2006
Date of Patent: March 29, 2011
Assignee: Symantec Operating Corporation
Inventors: Sanjay Ramchandra Kale, Kuldeep Sureshrao Nagarkar, Abhay Harishchandra Marode, Michael P. Spertus
-
Patent number: 7774361
Abstract: An incident managing module aggregates related database intrusion incidents and presents them in a manageable manner. A receiving module receives an anomalous query requesting data from a database and a type-identification module identifies anomaly type for the query received. A conversion module converts the anomalous query into a characteristic representation. In some embodiments, this is done by replacing literal field values in the query with representative values. In other embodiments, this is done by creating a tuple describing anomaly parameters for the anomalous query. In still other embodiments, the query is converted into a characteristic representation that distinguishes between injected and non-injected portions of the query. An aggregation module then aggregates into a group the anomalous queries with substantially similar characteristic representations according to anomaly type and a generation module generates a database intrusion incident report describing the group of anomalous queries.
Type: Grant
Filed: July 8, 2005
Date of Patent: August 10, 2010
Assignee: Symantec Corporation
Inventors: Carey Nachenberg, Abu Wawda, Adam Bromwich, On Lee, Darren Sanders
-
Patent number: 7761427
Abstract: A system, apparatus, method, and computer program product for electronically stored file profiling and conversion including converting printable files to images, supported by meta-data, and one or more searchable master text files.
Type: Grant
Filed: April 12, 2004
Date of Patent: July 20, 2010
Assignee: Cricket Technologies, LLC
Inventors: John Martin, Jennifer St. James Cody, Christopher Shepley
-
Patent number: 7711714
Abstract: A method and a device for managing a computer network, especially a technique for ensuring the security of a network. A computer network system in which computers are connected to each other through transmission lines, each computer stores the data which constitutes a moving type software exclusively used for security and transmitted together with a message when the computer transmits the message to another computer of the system, and executes the moving type software by using the stored data upon receiving a message from another computer.
Type: Grant
Filed: September 1, 2006
Date of Patent: May 4, 2010
Assignee: Hitachi, Ltd.
Inventors: Kazuo Takaragi, Seiichi Domyo, Hiroshi Yoshiura