Computer Program Modification Detection By Cryptography Patents (Class 713/187)
  • Patent number: 8776234
    Abstract: A method for reducing the size of the AV database on a user computer by dynamically generating an AV database according to user parameters is provided. Critical user parameters that affect the content of the AV database required for this user are determined. The AV database for the single user is generated based on the user parameters. When the parameters of the user computer change or when new malware threats are detected, the user AV database is dynamically updated according to the new parameters and the new malware threats. The update procedure becomes more efficient since a need of updating large volumes of data is eliminated. The AV system, working with a small AV database, finds malware objects more efficiently and uses less of computer system resources.
    Type: Grant
    Filed: April 20, 2011
    Date of Patent: July 8, 2014
    Assignee: Kaspersky Lab, ZAO
    Inventor: Andrey P. Doukhvalov
  • Patent number: 8769296
    Abstract: A method for preventing unauthorized use of software may be achieved by executing computer-readable code with instructions for recording an indication of at least one selected file of a software application in a memory location accessible to a security component of the software application, in which software application the security component is configured to cause a hash signature of the at least one selected file to be generated in response to a signal arising from use of the software application, hashing the at least one selected file to generate a first file signature, transmitting the first file signature to a secure network-accessible computer memory for storage and subsequent comparison to at least one subsequent file signature generated via operation of the security component on a client device, comparing the first file signature to a second file signature generated by the security component in response to a signal arising from use of the software application on the client device, and disabling the so
    Type: Grant
    Filed: October 13, 2010
    Date of Patent: July 1, 2014
    Assignee: Uniloc Luxembourg, S.A.
    Inventor: Craig S. Etchegoyen
  • Patent number: 8769684
    Abstract: Methods, systems, and media for masquerade attack detection by monitoring computer user behavior are provided. In accordance with some embodiments, a method for detecting masquerade attacks is provided, the method comprising: monitoring a first plurality of user actions and access of decoy information in a computing environment; generating a user intent model for a category that includes at least one of the first plurality of user actions; monitoring a second plurality of user actions; comparing the second plurality of user actions with the user intent model by determining deviation from the generated user intent model; identifying whether the second plurality of user actions is a masquerade attack based at least in part on the comparison; and generating an alert in response to identifying that the second plurality of user actions is the masquerade attack and in response to determining that the second plurality of user actions includes accessing the decoy information in the computing environment.
    Type: Grant
    Filed: December 1, 2009
    Date of Patent: July 1, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Malek Ben Salem, Shlomo Hershkop
  • Publication number: 20140181530
    Abstract: Disclosed are systems, methods and computer program products for protecting cloud security services from unauthorized access and malware attacks. In one example, a cloud server receives one or more queries from security software of the user device. The server analyzes a system state and configuration of the user device to determine the level of trust associated with the user device. The server also analyzes the one or more queries received from the security software to determine whether to update the level of trust associated with the user device. The server determines, based on the level of trust, how to process the one or more queries. Finally, the server provides responses to the one or more queries from the security software based on the determination of how to process the one or more queries.
    Type: Application
    Filed: February 1, 2014
    Publication date: June 26, 2014
    Applicant: Kaspersky Lab ZAO
    Inventors: Eldar M. Kononov, Anton S. Lapushkin, Andrey A. Efremov
  • Patent number: 8762739
    Abstract: In an advanced metering infrastructure environment, software program statements and/or data may be encrypted. A microcontroller unit may include a first cache configured to store a block of encrypted data obtained from an external memory device. A decryption engine may decrypt the block of encrypted data for storage in a second cache. An address alignment module may be configured to receive input from a program counter and to calculate an offset pointer. The offset pointer may indicate a particular word in the block of decrypted data within the second cache for transmission to an instruction register for use by an application program. An address generator may be configured to receive input from the address alignment module and to indicate a block of data in the external memory device to be loaded into the first cache, to thereby replace the encrypted data sent to the decryption engine.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: June 24, 2014
    Assignee: Itron, Inc.
    Inventors: Eric Plainecassagne, Guillaume Descamps
  • Patent number: 8763131
    Abstract: The security or other attributes of mobile applications may be assessed and assigned a security score. In one implementation, a device may obtain information relating to the mobile applications, and may determine, for each of the mobile applications, a number of security scores. Each of the security scores may define a level of risk for a security category relating to a mobile application. The device may further combine the security scores, for each of the mobile applications, to obtain, for each of the mobile applications, a final security score.
    Type: Grant
    Filed: May 22, 2012
    Date of Patent: June 24, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Steven T. Archer, Peter S. Tippett, Wade Baker, Alex Guazzelli, Gina M. Ganley
  • Patent number: 8762966
    Abstract: Compiled computer code comprising computer code instructions organized in a plurality of basic blocks is obfuscated by replacing a jump instruction in a first basic block with a function call with at least one parameter, wherein the function call when executed determines the address of the next function to execute in dependence on the parameter; inserting into the compiled computer code an instruction that allocates a value to the parameter, the value being such that the address determined by the function call corresponds to the address of the replaced jump instruction. The allocation function is inserted into the computer code in a second basic block, different from the first basic block, preferably using information from a control flow graph. This can ensure that the obfuscated code cannot be disassembled without information from the CFG, while the CFG cannot be generated from the obfuscated code. Also provided is a device for code obfuscation.
    Type: Grant
    Filed: August 17, 2009
    Date of Patent: June 24, 2014
    Assignee: Thomson Licensing
    Inventors: Antoine Monsifrot, Fabien Lahoudere
  • Patent number: 8763121
    Abstract: A method of identifying a potential attack in network traffic includes payload data transmitted to a host entity in the network. The method includes: performing a first data-check on one or more data bytes of the payload data at the host entity; performing a second data-check, equivalent to the first data-check, on data of the network equivalent to the one or more bytes of payload data; and comparing the results of the first and second data-checks to determine if there is a mismatch, the mismatch being an indication of a potential attack.
    Type: Grant
    Filed: January 20, 2011
    Date of Patent: June 24, 2014
    Assignee: F-Secure Corporation
    Inventor: Daavid Hentunen
  • Patent number: 8756432
    Abstract: A computer-implemented method for detecting malicious digitally-signed applications. The method may include 1) identifying an application package file that has been digitally signed, wherein the application package file is used to distribute an application, 2) comparing the application package file to a set of known application package files, 3) determining that the application package file has been repackaged from a known application package file, 4) comparing a public key associated with a digital signature of the application package file to a public key associated with a digital signature of the known application package file, 5) determining that the public key associated with the digital signature of the application package file and the public key associated with the digital signature of the known application package file are different, and 6) performing a security action on the application. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 22, 2012
    Date of Patent: June 17, 2014
    Assignee: Symantec Corporation
    Inventors: Joseph Chen, Rui Jing
  • Patent number: 8756418
    Abstract: A system and method of guaranteeing the presence of secure and tamper-proof remote files over a distributed communication medium, such as the Internet, is provided. The system and method automatically detects, and then self-repairs corrupt, modified or non-existent remote files. The method first performs an integrity check on a remote file and then determines whether the integrity check passed. If the integrity check passed, then the user goes through the authentication process as normal. If the integrity check fails, then the present invention redirects to an install module in order to prepare to reinstall the remote file. Via the install module, the present invention then reinstalls the remote file and the user is then taken through the authentication process as normal.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: June 17, 2014
    Assignee: Citibank, N.A.
    Inventors: Steve Vlcan, Bikram Singh Bakshi
  • Patent number: 8756434
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for executing encrypted computer code. A system configured to practice the method receives a request to execute encrypted computer code. In response to the request, the system identifies a portion of the encrypted computer code for execution and decrypts the portion to yield decrypted computer code. Then the system stores the decrypted computer code in a pool of memory and executes the decrypted computer code from the pool of memory. The system can store the decrypted computer code in the pool of memory based on a randomization algorithm so that identical executions of the encrypted computer code result in selections of different available memory locations within the pool of memory. Related portions can be stored non-consecutively in the pool of memory. The pool of memory can store different portions of decrypted computer code over time.
    Type: Grant
    Filed: April 8, 2011
    Date of Patent: June 17, 2014
    Assignee: Apple Inc.
    Inventors: Ganna Zaks, Pierre Betouin, Augustin J. Farrugia, Julien Lerouge, Jon McLachlan, Gideon M. Myles, Cédric Tessier
  • Patent number: 8752170
    Abstract: Independent verification of user profile attributes that are stored on third-party community-based web sites is provided. A user request indicates target profile attributes to verify. Profile attribute data concerning a profile owner is collected from a plurality of community sites. The collected data is verified, and results of the verification process are stored in a database. When a user views verified profile attributes on a page on a community site, the corresponding stored verification status is retrieved, and an indication of the trust status of the profile is output to the user, for example by modifying the displayed web page to display the trust status.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: June 10, 2014
    Assignee: Symantec Corporation
    Inventors: Keith Newstadt, Timothy G. Brown
  • Patent number: 8752208
    Abstract: The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.
    Type: Grant
    Filed: March 23, 2012
    Date of Patent: June 10, 2014
    Assignee: Imperva Inc.
    Inventors: Amichai Shulman, Tal Arieh Be'ery
  • Patent number: 8752182
    Abstract: A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: June 10, 2014
    Assignee: International Business Machines Corporation
    Inventors: Yair Amit, Roee Hay, Roi Saltzman, Adi Sharabani
  • Patent number: 8751817
    Abstract: A data processing apparatus includes a ROM (Read Only Memory) having a validity verification program stored therein, an auxiliary storage device including a plurality of storage areas having a plurality of target verification data stored therein, an execution unit configured to perform a validity verification process on the plural target verification data in accordance with the validity verification program. An order of priority is assigned to the plural target verification data. The plural storage areas have addresses that are recognizable by the execution unit. The execution unit is configured to determine validity of each of the plural target verification data based on the order of priority until one of the plural target verification data is determined to be valid.
    Type: Grant
    Filed: October 1, 2012
    Date of Patent: June 10, 2014
    Assignee: Ricoh Company, Ltd.
    Inventor: Kei Kato
  • Patent number: 8745713
    Abstract: A system and method to prevent the installation by a hacker of malicious software onto networked electronic systems, computers, and the like, by removing the read, write and execute administrator permission files of a system's OS, and placing them in a separate, protected server in the cloud. The secure cloud server records the system's unique ID(s). After relocation of the authorized administrator's permissions files, a strong password is requested from the authorized administrator. Thereafter, the network path to the secure cloud server files is encrypted and recorded on the protected system. This path change replaces the former local path in the computer system to those files. The result of these changes to the OS on a protected system eliminates the hacker's access to the system from a network to illicitly become an administrator of the hacked system.
    Type: Grant
    Filed: September 7, 2012
    Date of Patent: June 3, 2014
    Assignee: Cloud Cover Safety, Inc.
    Inventor: Michael James Connor
  • Patent number: 8745383
    Abstract: Techniques for securing a client. An operating system agent is one or more software modules that execute in an operating system of a client, such as a portable computer. Portions of the operating system agent may monitor resources of the client. The operating system agent sends a message, which describes an operational state of the operating system agent, to a BIOS agent. The BIOS agent is one or more software modules operating in a BIOS of the client. The BIOS agent performs an action based on a policy that is described by policy data stored within the BIOS of the client. The BIOS agent performs the action in response to either (a) the operational state described by the message, or (b) the BIOS agent not receiving the message after an expected period of time.
    Type: Grant
    Filed: August 7, 2009
    Date of Patent: June 3, 2014
    Assignee: Absolute Software Corporation
    Inventors: Anahit Tarkhanyan, Ravi Gupta, Gaurav Banga
  • Patent number: 8745735
    Abstract: The aim is to provide a monitoring system and a program execution apparatus that are capable of maintaining the security intensity even in the case where an unauthentic install module is invalidated. Install modules included in an apparatus each monitor an install module, which is a monitoring target indicated by a monitoring pattern included therein, as to whether the install module performs malicious operations. An install module that performs malicious operations is invalidated in accordance with an instruction from an update server. The monitoring patterns are restructured by the update server such that the install modules except the invalidated install module are each monitored by at least another one of the install modules. The restructured monitoring patterns are distributed to the install modules except the invalidated install module.
    Type: Grant
    Filed: November 20, 2009
    Date of Patent: June 3, 2014
    Assignee: Panasonic Corporation
    Inventors: Manabu Maeda, Yuji Unagami, Yuichi Futa, Natsume Matsuzaki, Masao Nonaka, Hiroki Shizuya, Masao Sakai, Shuji Isobe, Eisuke Koizumi, Shingo Hasegawa
  • Patent number: 8738924
    Abstract: An electronic system is provided, in which a smart chip, a smart chip controller, a processor, a system memory, and an access management module are provided. The smart chip controller communicates with the smart chip. The processor performs a mutual authentication with the smart chip. The system memory is accessible to the smart chip and the processor. The access management module is coupled between the processor and the smart chip controller. The access management module prevents the processor from accessing a certain range of the system memory according to a block command from the smart chip controller, in response to failure of the mutual authentication between the processor and the smart chip.
    Type: Grant
    Filed: April 22, 2008
    Date of Patent: May 27, 2014
    Assignee: Via Technologies, Inc.
    Inventors: Zhun Huang, Jiin Lai
  • Patent number: 8738974
    Abstract: The memory controller writes and reads data in and from a nonvolatile memory. The nonvolatile memory has a plurality of memory cell blocks, each memory cell block includes a plurality of multi-level cells each capable of storing m-bit data (m is a natural number of two or more), a first page to a m-th page are allocated to the respective m bits of the multi-level cell, the memory controller sequentially writes the data to the memory cells from the first page in ascending order, and comprises a backup unit, and when a write command is received from the outside of the memory controller, in a case where a data write destination of the data in the nonvolatile memory is a n-th (n is a natural number of two to m) page of the multi-level cell, and data is already written in the first to (n-1)th pages, the backup unit copies the already written data to a nonvolatile storable backup region.
    Type: Grant
    Filed: August 27, 2010
    Date of Patent: May 27, 2014
    Assignee: Panasonic Corporation
    Inventor: Toshiyuki Honda
  • Patent number: 8739285
    Abstract: Differential scanning is disclosed. A scan collection period is determined. A system is monitored to detect object events during the scan collection period, and a scan list may be updated with information regarding objects to be scanned, based on some of the object events. Objects are scanned based on the information in the scan list. Information regarding objects associated with object events occurring outside the scan collection period may be removed from the scan list.
    Type: Grant
    Filed: October 21, 2010
    Date of Patent: May 27, 2014
    Assignee: EMC Corporation
    Inventors: William D. Andruss, Christopher H. Claudatos, Bruce D. Leetch, Steven R. Terwilliger
  • Patent number: 8739282
    Abstract: Embodiments are directed towards mobile application development in a cloud-based architecture. Mobile applications may be designed to communicate with a cloud platform over a network. Mobile application developers may be enabled to submit cloud code to cloud platforms for use by mobile applications. If cloud code is provided to a cloud platform, the cloud platform may perform one or more actions to authenticate the cloud code, such as, ensuring that the user providing the cloud code is authorized to provide the cloud code. If the cloud code is authenticated the cloud platform may perform one or more actions to validate the cloud code. If validated, the cloud code may be activated for use by mobile applications and/or mobile application developers. Activation of the cloud code may include associating the cloud code with one or more function calls and/or with one or more trigger points.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: May 27, 2014
    Assignee: Parse, Inc.
    Inventors: Shyamsundar Jayaraman, Henele Iitaka Adams, Bryan Jay Klimt, Jr, Kevin David Lacker, Charity Hope Majors, David Eitan Poll, Ilya Sukhar, James Jacob Yu
  • Patent number: 8736299
    Abstract: Systems and methods are disclosed for allowing security features to be selectively enabled during device configuration. For example, a programmable integrated circuit device is provided that receives configuration data and security requirement data. Control circuitry compares enabled security features in the device against the security requirements, and can configure the programmable integrated circuit device with the configuration data or prevent such configuration. Control circuitry may also use the security requirement data to set security features within the device.
    Type: Grant
    Filed: April 29, 2011
    Date of Patent: May 27, 2014
    Assignee: Altera Corporation
    Inventor: Bruce B. Pedersen
  • Patent number: 8738931
    Abstract: A semantics engine is described that produces a semantically-impaired but equivalent version of the original source code that can be compiled and executed using conventional tools for commonly used programming languages. This semantically-impaired source code and the compiled assemblies it produces are incomprehensible to anyone who would attempt to read them. The semantics-impairing process is irreversible both at the source and the assembly levels and the machine code generated by the semantically-impaired source code is exactly the same as that produced by the original source code. The semantics engine achieves confidentiality without using encryption or compression. All protective modifications are made directly to copies of the original source code thereby introducing no intermediate forms of the code.
    Type: Grant
    Filed: October 21, 2013
    Date of Patent: May 27, 2014
    Inventor: Conley Jack Funk
  • Patent number: 8730008
    Abstract: A method of controlling an apparatus including a display and a sensor for obtaining biometric data of a user, the sensor being movable to take a plurality of angular positions with respect to the apparatus, includes storing a plurality of sets of reference information in association with the positions of the sensor, respectively, determining which one of the angular positions which the sensor is currently taking, displaying on the display a direction as to which one of bodily parts is to be used in accordance with the current angular position of the sensor to urge a user to input biometric data of the one of the bodily parts by the sensor, and carrying out authentication of the user by comparing the inputted biometric data with one of the sets of reference information corresponding to the current angular position of the sensor.
    Type: Grant
    Filed: September 17, 2009
    Date of Patent: May 20, 2014
    Assignee: Fujitsu Limited
    Inventor: Junji Takagi
  • Patent number: 8732455
    Abstract: Embodiments of the invention provide a method and a system of detecting source code in a message being sent over a digital communication network to secure against unauthorized leakage of source code. The message is intercepted on a network device, placed into a memory on the network device, and divided into one or more segments, wherein each segment includes a predetermined number of lines of text from the message. For each segment, one or more syntax rules of a programming language is applied to the segment and a predetermined number of context lines of text before the segment and/or after the segment, to determine which of the syntax rules of the programming language are matched in the segment. A determination of whether the text message includes source code is provided based on the syntax rules that were matched.
    Type: Grant
    Filed: July 25, 2008
    Date of Patent: May 20, 2014
    Assignee: Infotect Security Pte Ltd
    Inventors: Onn Chee Wong, Siew Keng Loh, Hui Yang, You Liang Wang
  • Patent number: 8732296
    Abstract: A system, method, and computer program product are provided for redirecting internet relay chat (IRC) traffic identified utilizing a port-independent algorithm and controlling IRC based malware. In use, IRC traffic communicated via a network is identified utilizing a port-independent algorithm. Furthermore, the IRC traffic is redirected to a honeypot.
    Type: Grant
    Filed: May 6, 2009
    Date of Patent: May 20, 2014
    Assignee: McAfee, Inc.
    Inventors: Vinoo Thomas, Nitin Jyoti, Cedric Cochin, Rachit Mathur
  • Patent number: 8732483
    Abstract: The invention described herein provides a method and system for foiling a keylogger by creating a custom keyboard driver and passing the keystrokes directly to the browser in an encrypted format. The browser (which is used to access the Internet) has a component that decrypts the keystroke before it is sent to the website. Thus the present invention enables the user to go to any website and enter sensitive information (passwords, credit card numbers, etc.) without the keystrokes being intercepted by Keyloggers. In general terms, the invention described herein provides a method and system for (1) modifying the keyboard driver, (2) encrypting the keystrokes between the keyboard driver and the browser, and (3) notifying the user if the invention has been compromised.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: May 20, 2014
    Assignee: StrikeForce Technologies, Inc.
    Inventor: Ram Pemmaraju
  • Patent number: 8726375
    Abstract: A method for preventing Domain Name System (DNS) spoofing includes: performing uppercase/lowercase conversion for letters of a DNS question field in a DNS request packet according to a preset rule; sending the DNS request packet; receiving a DNS response packet; obtaining uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet; and forwarding the DNS response packet to a target DNS client if the uppercase/lowercase distribution of the letters of the DNS question field in the DNS response packet complies with the preset rule. Corresponding to the method, a device for preventing DNS spoofing is disclosed. The method and device reduce occupation of storage resources of the device.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: May 13, 2014
    Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
    Inventor: Shaobu Ma
  • Patent number: 8726383
    Abstract: Disclosed herein are techniques for detecting possible security intrusions in a computer network. The security intrusion detection may be based on analyzing patterns of how transactions flow through one or more software applications. For example, patterns of transaction flows are determined for an initial time period to establish a baseline of normal flow patterns. These normal flow patterns may be compared with patterns for transaction flows for a later time period. Deviations in the patterns of transaction flow may indicate a possible security intrusion.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: May 13, 2014
    Assignee: CA, Inc.
    Inventor: Aaron Kenneth Blackwell
  • Patent number: 8726013
    Abstract: An anti-keylogger computer network system includes a servo-side host computer, with a servo software which requires the user to enter confidential data. An application-side host computer is provided and a keyboard is connected to the application-side host computer. The keys on the keyboard are divided into a data key and control key. An application software is installed in the application-side host computer to receive the instructions from the servo software, and to determine when the anti-keylogger function of the keyboard module shall be started and closed. A connection network is provided for connecting the servo-side host computer to the application-side host computer. A Translate Table program is installed in the application-side host computer and a Translate Table translation program is installed in the servo software of servo-side host computer.
    Type: Grant
    Filed: November 16, 2012
    Date of Patent: May 13, 2014
    Inventor: Chi-Pei Wang
  • Patent number: 8719585
    Abstract: Techniques for securely updating a boot image without knowledge of a secure key used to encrypt the boot image.
    Type: Grant
    Filed: February 11, 2008
    Date of Patent: May 6, 2014
    Assignee: Nvidia Corporation
    Inventors: Gordon Grigor, Phillip Norman Smith
  • Patent number: 8719587
    Abstract: The invention relates to a computer implemented method for generating a pseudonym for a user comprising entering a user-selected secret, storing the user-selected secret in memory, computing a private key by applying an embedding and randomizing function onto the secret, storing the private key in the memory, computing a public key using the private key, the public key and the private key forming an asymmetric cryptographic key, erasing the secret and the private key from the memory, and outputting the public key for providing the pseudonym.
    Type: Grant
    Filed: April 4, 2011
    Date of Patent: May 6, 2014
    Assignee: CompuGroup Medical AG
    Inventors: Adrian Spalka, Jan Lenhardt
  • Patent number: 8719586
    Abstract: This disclosure describes systems and associated processes that provide digital rights management for applications. In some embodiments, these system and processes couple DRM protection with individual applications, rather than with a centralized service. For instance, these systems and processes can be implemented in the context of an application store or distribution service that distributes applications for purchase or for free to user devices. Developers can submit applications to the application distribution service for distribution to end users. In response to receiving an application from a developer, the application distribution service can modify the application to include DRM features. The application distribution service can accomplish this modification without input from or the knowledge of the developer. The DRM features included in the modified application can prevent or otherwise reduce copying or modifying of the application.
    Type: Grant
    Filed: March 9, 2011
    Date of Patent: May 6, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Ameesh Paleja, Yael Peled, Mekka C. Okereke, Timothy E. Finer
  • Patent number: 8713326
    Abstract: Software self-checking mechanisms are described for improving software tamper resistance and/or reliability. Redundant tests are performed to detect modifications to a program while it is running. Modifications are recorded or reported. Embodiments of the software self-checking mechanisms can be implemented such that they are relatively stealthy and robust, and so that they are compatible with copy-specific static watermarking and other tamper-resistance techniques.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: April 29, 2014
    Assignee: Intertrust Technologies Corporation
    Inventors: William G. Horne, Lesley R. Matheson, Casey Sheehan, Robert E. Tarjan
  • Patent number: 8713652
    Abstract: Systems and methods provide a gaming machine that is protected from the introduction of rogue code. One aspect of the systems and methods includes disabling a user access feature, such as a login or network access feature of an operating system executing on the gaming machine. A further aspect of the systems and methods includes removing debuggers and debugging information from an operating system or application executing on the gaming machine.
    Type: Grant
    Filed: May 5, 2005
    Date of Patent: April 29, 2014
    Assignee: WMS Gaming Inc.
    Inventor: Craig J. Sylla
  • Patent number: 8712035
    Abstract: An embodiment of the invention provides an apparatus and method for online data conversion. The apparatus and method are configured to read data that is overlapped by a window in a first position in a volume, convert the data into a converted text, write the converted text into the volume, and slide the window to a second position in the volume.
    Type: Grant
    Filed: January 31, 2008
    Date of Patent: April 29, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Hemant Mittal, Sundararao N. Syama, Mehmet Musa
  • Patent number: 8713677
    Abstract: Systems and methods for anti-phishing are disclosed. At a computing device: identifying, from a user input data stream, a first set of one or more characters, and a second set of one or more characters. The first set of characters represents a portion of first private information, and the second set of characters represents a portion of second private information. In accordance with a determination that the first set of characters and second set of characters are identified in accordance with a predefined sequential relationship, taking a protective action, prior to transmitting at least a subset of the characters of the first or second private information to a server remotely located from the computing device, to protect the first or second private information. In some implementations, the first private information includes a username, and the second private information includes a password corresponding to the username.
    Type: Grant
    Filed: July 5, 2012
    Date of Patent: April 29, 2014
    Assignee: Google Inc.
    Inventors: Christopher Soghoian, Kelly Caine
  • Patent number: 8713679
    Abstract: This document describes techniques for detection of code-based malware. According to some embodiments, the techniques utilize a collection of known malicious code and known benign code and determine which features of each type of code can be used to determine whether unclassified code is malicious or benign. The features can then be used to train a classifier (e.g., a Bayesian classifier) to characterize unclassified code as malicious or benign. In at least some embodiments, the techniques can be used as part of and/or in cooperation with a web browser to inspect web content (e.g., a web page) to determine if the content includes code-based malware.
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: April 29, 2014
    Assignee: Microsoft Corporation
    Inventors: Benjamin Goth Zorn, Benjamin Livshits, Charles M. Curtsinger, Christian Seifert
  • Patent number: 8713681
    Abstract: Detecting executable machine instructions in a data is accomplished by accessing a plurality of values representing data contained within a memory of a computer system and performing pre-processing on the plurality of values to produce a candidate data subset. The pre-processing may include determining whether the plurality of values meets (a) a randomness condition, (b) a length condition, and/or (c) a string ratio condition. The candidate data subset is inspected for computer instructions, characteristics of the computer instructions are determined, and a predetermined action taken based on the characteristics of the computer instructions.
    Type: Grant
    Filed: October 27, 2009
    Date of Patent: April 29, 2014
    Assignee: Mandiant, LLC
    Inventors: Peter J. Silberman, James R. Butler, II, Nick J. Harbour
  • Patent number: 8713686
    Abstract: A method for detecting a malicious program infection includes scanning data to determine whether the data exhibits one or more particular symptoms of being infected with a malicious program and, in response to determining that the scanned data exhibits the symptoms of being infected with a malicious program, comparing the scanned data to known-good data. The method also includes initiating remedial action in response to determining that the scanned data does not match the known-good data.
    Type: Grant
    Filed: January 25, 2006
    Date of Patent: April 29, 2014
    Assignee: CA, Inc.
    Inventor: John P. Kane
  • Patent number: 8713683
    Abstract: Security arrangements for a universal serial bus (USB) protocol stack of a USB host system are provided. The security arrangements prevent an unauthorized or suspicious USB device from communicating with the host system, detect suspicious activity originating from a device which is already communicating with the host system and may provide notification to a user.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: April 29, 2014
    Assignee: MCCI Corporation
    Inventors: Terrill M. Moore, John I. Garney, Salvatore Gregory Scaffidi, Jr., Christopher Jay Yokum
  • Publication number: 20140115343
    Abstract: A disc stores therein a computer program and encrypted information. A BIOS is executed at the time of start-up and starts the computer program. A TPM is connected to the BIOS by a low-speed bus. The TPM includes a register for storing data. A blob stores therein true hash values of the computer program and the BIOS in advance. The BIOS includes a hash value calculating unit that calculates hash values of the computer program and the BIOS and stores those hash values in the register. The TPM compares the hash values stored in the register with the hash values stored in the blob and decrypts information in the blob if the hash values agree with each other.
    Type: Application
    Filed: December 20, 2013
    Publication date: April 24, 2014
    Inventor: Naoya OHHASHI
  • Publication number: 20140115342
    Abstract: A configuration for achieving efficient content verification processing based on hash values is provided. Hash values of hash units set as segmented data of a content stored on an information storage medium are recorded in a content hash table and are stored on the information storage medium together with the content. An information processing apparatus for executing content playback executes hash-value comparison processing based on one or more randomly selected hash values. Regardless of the data amount of content, the configuration can perform hash-value determination and comparison processing based on hash units having a small amount of data, so that user equipment for executing content playback can perform efficient content verification.
    Type: Application
    Filed: December 20, 2013
    Publication date: April 24, 2014
    Inventors: Kenjiro Ueda, Tateo Oishi, Yoshitomo Osawa, Katsumi Muramatsu, Motoki Kato, Yoshikazu Takashima
  • Patent number: 8707403
    Abstract: The present application provides a subscription interface positioned between client devices and third-party digital subscription providers. The subscription interface allows multiple different publication-related applications (e.g., Sports Illustrated, Time magazine, etc.) running on different client devices (e.g., tablets, desktop computers, laptop computers, smart phones, etc.) to obtain a list of digital issues available from an associated third-party digital subscription provider based on entitlements of the user of the client device. The subscription interface ensures that the application receives the list and associated metadata in a desired format for that particular application on a particular client device.
    Type: Grant
    Filed: August 10, 2011
    Date of Patent: April 22, 2014
    Assignee: Time Inc.
    Inventors: Jonathan C. Malat, Justin V. Raimo, Matthew K. Luther, Abraham Cytryn, F. Jason Stein, Dennis B Golovaty, Robert Ferreira, Leon M. Misiukiewicz
  • Patent number: 8707424
    Abstract: A method for making secure execution of a computer program includes the following steps: stacking a predetermined value in a pile of instructions of the program; and stack popping the pile, the stack popping step being adapted, as the case may be, to enable detection of an anomalous execution.
    Type: Grant
    Filed: July 6, 2004
    Date of Patent: April 22, 2014
    Assignee: Oberthur Technologies
    Inventors: Jean-Bernard Fischer, Hugues Thiebeauld De La Crouee
  • Patent number: 8707050
    Abstract: A method of running an application in a process virtual machine (PVM) on a computing device using a dynamically-linked module (DLM) with an integrity self-check feature is provided. The DLM is written in PVM-native bytecode, and the PVM is configured to execute applications stored as PVM-native bytecode within a single code file associated with that application. The method includes (a) dynamically linking the application to the DLM by loading the PVM-native bytecode of the DLM from a resource file separate from the single code file of the application, (b) performing the integrity self-check feature on the DLM to ensure the integrity of the PVM-native bytecode of the DLM, and (c) in response to the DLM passing the integrity self-check, calling functions of the DLM from within the application. Embodiments directed to analogous computer program products and apparatuses are also provided.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: April 22, 2014
    Assignee: EMC Corporation
    Inventors: Peter A. Robinson, Stefan Pingel, Jaimee Brown, Geetu Preet Sandhu
  • Publication number: 20140108812
    Abstract: Systems and methods enabling parallel processing of hash functions are provided. A data string including a plurality of pieces arranged in an order is hashed using a hash function to determine a plurality of authentication checkpoint hashes associated with the pieces. To authenticate the data string, the pieces are grouped into sets, and the authentication checkpoint hash associated with the piece following all other pieces of that set in the order is associated with that set. The system simultaneously performs a separate hash process on each set. That is, the system hashes the pieces of that set using the hash function to determine a result hash, and compares that result hash with the authentication checkpoint hash associated with that set. The initial input to the hash function for the hash process for each set includes one of the pieces and either a default seed or an authentication checkpoint hash.
    Type: Application
    Filed: December 24, 2013
    Publication date: April 17, 2014
    Applicant: IGT
    Inventor: Bryan D. Wolf
  • Patent number: 8700915
    Abstract: A method and system for verifying authenticity of at least part of an execution environment for executing a computer module is provided. The computer program module is operative to cause processing of digital input data in dependence on a plurality of predetermined digital parameters. At least part of one of the plurality of predetermined digital parameters is driven from the at least part of the execution environment.
    Type: Grant
    Filed: July 4, 2007
    Date of Patent: April 15, 2014
    Assignee: Irdeto Corporate B.V.
    Inventors: Wilhelmus Petrus Adrianus Johannus Michiels, Paulus Mathias Hubertus Mechtildis Antonius Gorissen
  • Patent number: 8694794
    Abstract: A method for protecting a privilege level of a system management mode (SMM) of a computer system is disclosed. A SMM program is loaded into a special memory (SMRAM) area within a system memory of a computer. A first program, a second program, and a vector table are loaded into a general area of the system memory. Before the booting process of the computer has been completed, a reference hash value of the first program is determined by the SMM program, and the reference hash value is stored in the SMRAM area. A hash value of the first program is then computed by the SMM program. After the computer has been operating under an operating environment of an operating system, the computed hash value is compared to the reference hash value. When the computed hash value matches the reference hash value, the first program is called by the SMM program.
    Type: Grant
    Filed: September 2, 2010
    Date of Patent: April 8, 2014
    Assignee: Lenovo (Singapore) Pte Ltd.
    Inventors: Norihito Ishida, Toyoaki Inada, Eitaroh Kasamatsu, Noritoshi Yoshiyama