Computer Program Modification Detection By Cryptography Patents (Class 713/187)
  • Patent number: 10630484
    Abstract: Methods, systems, and computer program products are included for loading a code module. A method includes verifying, by a guest, a digital signature of a code module stored in an initial guest memory buffer. The guest copies the verified code module stored at the initial guest memory buffer into a target guest memory buffer and applies, using one or more symbol entries, one or more relocations to the verified code module stored at the target guest memory buffer. The guest sends a request to a hypervisor to set the target guest memory buffer to a write-protect mode. In response to a determination that first content stored in the initial guest memory buffer corresponds to second content stored in the target guest memory buffer, the guest sends a request to the hypervisor to set the target guest memory buffer to an executable mode.
    Type: Grant
    Filed: August 20, 2018
    Date of Patent: April 21, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Paolo Bonzini, Michael Tsirkin
  • Patent number: 10630711
    Abstract: Systems and methods may provide for detecting a browser request for web content. Additionally, interaction information associated with a plurality of sources may be determined in response to the browser request, and a risk profile may be generated based on the interaction. The risk profile may include at least a portion of the interaction information as well as recommended control actions to mitigate the identified risk. In one example, the risk profile is presented to a user associated with the browser request as well as to a security control module associated with the platform.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: April 21, 2020
    Assignee: Intel Corporation
    Inventors: Hong Li, Alan D. Ross, Rita H. Wouhaybi, Tobias M. Kohlenberg
  • Patent number: 10614728
    Abstract: A scoring server for assessing technical skills in a practical environment. A client application acts as a middle man between a terminal and an operating system to capture and forward all input from and output to students to the scoring server. The scoring server compares recorded student activity against a list of tasks deemed capable of accomplishing course objectives assigned to students. As objectives are met by a student, the student's grade is updated in real-time. Each student passes or fails an exam based on tasks performed and skills employed. The client application exists for two operating system types: WINDOWS® and LINUX®. A LINUX® client employs a pseudoterminal to permit access to terminal input/output and communication through stdin, stdout, and stderr channels. A windows client (WC) comprises a WC command line activity logger and a WC monitor process to intercept all communication through stdin, stdout, and stderr communication channels.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: April 7, 2020
    Assignee: TELECOMMUNICATION SYSTEMS, INC.
    Inventors: Jeremy Willingham, Brendan Watters, Anthony Hendricks, Brian Reider, Rob Odom, Robert Ledesma
  • Patent number: 10615973
    Abstract: Systems and methods of detecting an unauthorized data insertion into a stream of data segments extending between electronic modules or between electronic components within a module, wherein a data stream is encrypted with a secure encryption key for transmission, then decrypted upon receipt using a corresponding secure decryption key to confirm data transmission integrity.
    Type: Grant
    Filed: December 8, 2017
    Date of Patent: April 7, 2020
    Assignee: FotoNation Limited
    Inventors: Peter Corcoran, Alexandru Drimbarean
  • Patent number: 10614213
    Abstract: There are disclosed devices, systems and methods for detecting malicious code existing in an internet advertisement (ad) requested by a published webpage viewed by a user. First, receipt of malicious code of the ad is detected, where that code may be malicious code that causes a browser unwanted action without user action. If the internet ad is an SCR type document, the malicious code may be wrapped in a JavaScript (JS) closure to detect an unwanted action requested by the malicious code. The malicious code is executed in a browser sandbox that activates the unwanted action, that displays execution of the internet ad and that allows execution of the unwanted action. When a security error resulting from the unwanted action is detected, executing the malicious code in the browser sandbox is discontinued, displaying of the internet ad on the display is discontinued, and execution of the unwanted action is stopped.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: April 7, 2020
    Assignee: CLEAN.IO, INC.
    Inventors: Seth Demsey, Alexey Stoletny, Iván Soroka
  • Patent number: 10607032
    Abstract: A cryptographic ASIC and method for enforcing a derivative key hierarchy for managing an information stream. A programming user provides a user passphrase that is used to generate a transform key and is then deleted. The transform key is inaccessibly, invisibly, and indelibly generated and stored in a one-time programmable memory with externally generated programming pulses during or after manufacture, without being reported out to the user who provided the user passphrase. A transform-enabled cryptographic circuit or method customized with the transform key processes a predetermined input message to obtain a predetermined output message indicating an identity of a particular information stream. Other input messages may also be processed, such as for verifying a blockchain, but replication requires knowledge of the transform key. Only a programming user with knowledge of the user passphrase is capable of creating an information stream, such as a blockchain.
    Type: Grant
    Filed: March 4, 2019
    Date of Patent: March 31, 2020
    Assignee: Blockchain ASICs LLC
    Inventor: Edward L. Rodriguez De Castro
  • Patent number: 10609048
    Abstract: There is provided a method for detecting a malicious attempt to access a service providing server using credentials of a client terminal in a network, the method performed by a malicious event detection server analyzing packets transmitted over the network, comprising: analyzing at least one login-credential associated with an attempt to obtain authentication to access the service providing server to determine whether the login-credential matches an invalid login-credential included in a set of honeytoken-credentials, wherein the set of honeytoken-credentials is stored on a local memory of the client terminal, wherein the set of honeytoken-credentials includes the invalid login-credential and a valid login-credential, wherein the invalid login-credential is invalid for authentication of the client terminal to access the service providing server and the valid login-credential is valid for authentication of the client terminal to access the service providing server; and identifying a malicious event when the lo
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: March 31, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tal Arieh Be'ery, Itai Grady
  • Patent number: 10599842
    Abstract: Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source.
    Type: Grant
    Filed: December 19, 2016
    Date of Patent: March 24, 2020
    Assignee: ATTIVO NETWORKS INC.
    Inventors: Venu Vissametty, Muthukumar Lakshmanan, Harinath Vishwanath Ramchetty, Vinod Kumar A. Porwal
  • Patent number: 10586048
    Abstract: A computer system is rebooted upon crash without running platform firmware and without retrieving all of the modules included in a boot image from an external source and reloading them into system memory. The reboot process includes the steps of stopping and resetting all of the processing units, except one of the processing units that detected the crash event, selecting the one processing unit to execute a reboot operation, and executing the reboot operation to reboot the computer system.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: March 10, 2020
    Assignee: VMWARE, INC.
    Inventors: Xunjia Lu, Xavier Deguillard, Mukund Gunti, Vishnu Sekhar
  • Patent number: 10572668
    Abstract: Example implementations relate to operational verification. In an example, operational verification includes a processor, a shared non-volatile memory storing updated system, and an embedded controller (EC) to operationally verify the updated system instructions based on comparison of a length of time associated with a BIOS boot of the computing system using the updated system instructions to a boot time threshold.
    Type: Grant
    Filed: January 27, 2016
    Date of Patent: February 25, 2020
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Valiuddin Y. Ali, Lan Wang, Boris Balacheff
  • Patent number: 10572663
    Abstract: The disclosed computer-implemented method for identifying malicious file droppers may include (1) detecting a malicious file on the computing device, (2) constructing an ordered list of files that resulted in the malicious file being on the computing device where the malicious file is the last file in the ordered list of files and each file in the ordered list of files placed the next file in the ordered list of files on the computing device, (3) determining that at least one file prior to the malicious file in the ordered list of files comprises a malicious file dropper, and (4) performing a security action in response to determining that the file prior to the malicious file in the ordered list of files comprises the malicious file dropper. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 9, 2016
    Date of Patent: February 25, 2020
    Assignee: Symantec Corporation
    Inventors: Yun Shen, Azzedine Benameur, Nathan Evans
  • Patent number: 10572666
    Abstract: Systems and methods for the mitigation of return-oriented programming are disclosed. A return address for a function is encrypted to generate an encrypted return address. The encrypted return address is stored as the return address for the function. The encrypted return address can be decrypted prior to a return instruction of the function.
    Type: Grant
    Filed: April 20, 2017
    Date of Patent: February 25, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shishir Sharma, Ten Tzen
  • Patent number: 10560472
    Abstract: A method includes receiving a first file attribute from a computing device. The method also includes determining whether a classification for a file is available from a first cache of the server based on the first file attribute. The method includes sending the first file attribute from the server to a second server to determine whether the classification for the file is available at a base prediction cache of the second server. The method includes receiving a notification at the server from the second server that the classification for the file is unavailable at the base prediction cache. The method includes, in response to receiving the notification, determining the classification for the file by performing an analysis of a second file attribute based on a trained file classification model. The method includes sending the classification to the computing device and sending at least the classification to the base prediction cache.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: February 11, 2020
    Assignee: SPARKCOGNITION, INC.
    Inventors: Lucas McLane, Jarred Capellman
  • Patent number: 10558805
    Abstract: A method of detecting malware in Linux platform through the following steps: use the objdump -D command to disassemble ELF format benign software and malware samples to generate assembly files; traverse the generated assembly files one by one, read the ELF files' code segment and meanwhile identify whether the code segment contains main() function; analyze the code segment read. Divide assembly code into different basic blocks. Each basic block is marked by its lowest address. Add control flow graph's vertex to the adjacency linked list; establish the relation between basic blocks, add control flow graph's edges to the adjacency linked list and generate a basic control flow graph; extract control flow graph's features and write them into ARFF files; take ARFF files as the data set of a machine learning tool named weka to carry out data mining and construct classifier; classify the ELF samples to be tested by using the classifier.
    Type: Grant
    Filed: July 10, 2017
    Date of Patent: February 11, 2020
    Assignees: SICHUAN UNIVERSITY, Beijing Tongtech Co., LTD.
    Inventors: Junfeng Wang, Baoxin Xu, Dong Liu, Fan Li, Xiaosong Zhang
  • Patent number: 10558469
    Abstract: A device may receive a digital voucher, a customer certificate, and configuration information for automatically configuring the device. The digital voucher may include a first customer identifier that identifies a customer associated with the device and a device identifier that identifies the device. The customer certificate may include a second customer identifier that identifies the customer and a customer public key associated with the customer. The configuration information may include information that identifies a configuration for automatically configuring the device. The device may validate at least one of the digital voucher, the customer certificate, or the configuration information. The device may configure the device, using the configuration, based on validating at least one of the digital voucher, the customer certificate, or the configuration information.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: February 11, 2020
    Assignee: Juniper Networks, Inc.
    Inventor: Kent A. Watsen
  • Patent number: 10530816
    Abstract: Embodiments of the present disclosure monitor certificates or other credentials loaded to various components and systems of a vehicle. A set of information identifying credentials that are expected to be present and/or in use can be saved. Periodically, on request, or upon the occurrence of an event or condition, checks can be performed on the credentials individually or in the aggregate using the saved information to determine whether the certificates present and/or in use are those expected or if a change has occurred. If a change is detected, i.e., a difference between the current set of certificates and the saved set of information, the network security system can take some action. The action, depending on the nature of the change detected, can vary from recording and/or reporting the condition up to and including isolating or even disabling a particular component or system on which the changed certificate is used.
    Type: Grant
    Filed: May 18, 2017
    Date of Patent: January 7, 2020
    Assignee: NIO USA, Inc.
    Inventor: Abraham T. Chen
  • Patent number: 10515214
    Abstract: According to one embodiment, a system of detecting malware in a specimen of computer content or network traffic comprises a processor and a memory. The memory includes a first analysis logic and a second analysis logic that may be executed by the processor. Upon execution, the first analysis logic performs a static analysis in accordance with an analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen. The second analysis logic performs a second analysis in accordance with the analysis plan by processing of the specimen in a virtual machine and monitoring for one or more unexpected behaviors during virtual processing of the specimen in the virtual machine. The analysis plan may be altered based on the results of one of the analyses.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: December 24, 2019
    Assignee: FireEye, Inc.
    Inventors: Michael Vincent, Ali Mesdaq, Emmanuel Thioux, Abhishek Singh, Sal Vashisht
  • Patent number: 10511574
    Abstract: Embodiments are disclosed for managing interactions between a server application and an external environment while limiting an attack surface of the server application. An example method includes receiving, by communications circuitry of a gateway integration server (GIS) and from a source device in the external environment, a message including an application programming interface (API) call. The example method further includes evaluating, by authentication circuitry of the GIS, whether the API call is authorized. If so, the example method further includes generating, by response circuitry of the GIS, a response to the API call, and transmitting, by the communications circuitry of the GIS and to the source device, the response to the API call. However, if not, the example method includes transmitting, by the communications circuitry of the GIS, an error message to the source device. Corresponding apparatuses and computer program products are also provided.
    Type: Grant
    Filed: March 31, 2017
    Date of Patent: December 17, 2019
    Assignee: HYLAND SOFTWARE, INC.
    Inventors: Yana Poliashenko, Latonia M Howard
  • Patent number: 10503904
    Abstract: A computerized method for detecting and mitigating a ransomware attack is described. The method features (i) a kernel mode agent that intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious and copies at least a portion of a protected file to a secure storage location when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, and (ii) a user mode agent that determines whether the process is a suspicious process, monitors processing of the suspicious process and determines whether the suspicious process is associated with a ransomware attack. Additionally, in order to mitigate effects of a ransomware attack, the kernel mode agent may restore the protected file with a copy stored in the secure storage location when a ransomware attack is detected.
    Type: Grant
    Filed: July 24, 2017
    Date of Patent: December 10, 2019
    Assignee: FireEye, Inc.
    Inventors: Japneet Singh, Anil Gupta
  • Patent number: 10503909
    Abstract: In remediating a computer vulnerability, operations to be performed to correct the vulnerability are identified. Remediation processors are scheduled to perform the operations. Whether the vulnerability has been corrected is determined by: determining whether the operations have been performed successfully; and determining whether the operations have been performed by authorized remediation processors.
    Type: Grant
    Filed: October 31, 2014
    Date of Patent: December 10, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Peter Schmidt, Jeff Kalibjian
  • Patent number: 10498744
    Abstract: This application is directed to an integrity monitoring method performed at a computational machine in a linear communication orbit. The computational machine receives a watch list through the linear communication orbit. The watch list identifies objects for which events are to be monitored at the computational machine. While a plurality of events are occurring locally at the computational machine, the computational machine identifies the plurality of events in real-time. The identified events include events for the objects identified by the watch list, and event information for these identified events is stored in a local database of the computational machine. In response to an integrity reporting request received through the linear communication orbit, the computational machine identifies event information for at least some of the objects identified by the watch list in the local database, and returns the identified event information to a server system through the linear communication orbit.
    Type: Grant
    Filed: September 22, 2017
    Date of Patent: December 3, 2019
    Assignee: TANIUM INC.
    Inventors: Christian L. Hunt, Thomas R. Gissel, Aaron Tarter, Daniel Floyd, Benjamin Hobbs, Michael Smith
  • Patent number: 10490291
    Abstract: A memory check ASIC for fuzes and safety and arming (S&A) devices. The memory check ASIC may comprise: an ASIC, data line, clock line, shutdown line, and reset line. The ASIC may operatively couple to a microcontroller having a flash-based memory and may comprise: a digital logic for verifying a calculated checksum based on contents of the flash-based memory. A clock signal along with the calculated checksum may be transmitted to the ASIC via the clock line and data line, respectively. A shutdown signal may be transmitted from the ASIC to the microcontroller via the shutdown line in response to the verification of the calculated checksum by the digital logic. A reset signal may synchronize sampling of the calculated checksum and may be latched by flip-flop circuits of the digital logic for a predetermined number of clock cycles.
    Type: Grant
    Filed: April 24, 2018
    Date of Patent: November 26, 2019
    Assignee: The United States of America, as Represented by the Secretary of the Navy
    Inventors: Michael Haddon, Jonathan Duncan
  • Patent number: 10467408
    Abstract: A method, system, and computer program product for security scanning of advertisements displayed inside software applications. First, it is automatically detected that the software application has received from a server, over a network, advertising code that is configured to display an advertisement within the software application. Then, the received advertising code is intercepted, and is wrapped with program code that is configured to: scan the advertising code for malicious content, and allow or prevent the display of the advertisement within the software application based on the scanning. Finally, the wrapped advertising code is delivered to the software application as if the wrapped advertising code was received directly from the server, such that, when the wrapped advertising code is executed in the software application: the advertising code is scanned, and the display of the advertisement is allowed or prevented based on the scanning.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: November 5, 2019
    Assignee: FIVE MEDIA MARKETING LIMITED
    Inventors: Amnon Sem Siev, Yehuda Sapir, Ido Peled, Itamar Mula, Eliyahu Babila
  • Patent number: 10459711
    Abstract: In general, in one aspect, an installation file digitally signed with a first package signature is received. It is determined whether the received installation file includes a migration signature that covers the first package signature and that matches a second signature associated with an installed software application, to confirm that the received installation file includes a valid update related to the installed software application. The installed software application is updated from the received installation file when the migration signature is included.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: October 29, 2019
    Assignee: ADOBE INC.
    Inventor: Oliver Goldman
  • Patent number: 10460106
    Abstract: A method and apparatus for identifying computer virus variants are disclosed to improve the accuracy of virus identification and removal, and may relate to the field of internet technology. The method includes running a virus sample to be tested and recording an API call sequence produced during running of the virus sample. The method further includes obtaining a characteristic API call sequence for each one of a plurality of virus families, matching the API call sequence produced during running of the virus sample to be tested with the characteristic API call sequences of the virus families, and obtaining a matching result. The method also includes determining the virus sample to be tested is a virus variant by extent of a match between the API call sequence produced by the virus sample and any characteristic API call sequence of any one of the virus families.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: October 29, 2019
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventors: Yuehua Guo, Honggang Tang
  • Patent number: 10432665
    Abstract: A system for managing attacker incidents, including a mobile device manager (MDM) receiving instructions to deploy deceptions on a mobile device used by an employee of an organization in conjunction with a network of the organization and, in response to the instructions, running a dedicated agent on the mobile device, wherein the dedicated agent is configured to register the mobile device and its current deceptions state, and install deceptions in the mobile device, a trap server triggering an incident in response to an attacker attempting to use deceptive data that was installed in the mobile device, and a deception management server sending instructions to the MDM to deploy deceptions on the mobile device, registering the mobile device and its deceptions state, receiving the notification from the trap server that an incident has occurred, and in response thereto instructing the MDM to run forensics on the mobile device.
    Type: Grant
    Filed: September 3, 2018
    Date of Patent: October 1, 2019
    Assignee: ILLUSIVE NETWORKS LTD.
    Inventors: Tal Yohai, Ofir Lauber, Yoav Epelman
  • Patent number: 10432814
    Abstract: A hardware processor of an image forming apparatus is able to obtain saving target information from a time of a power-off operation to a time of power supply interruption and to save the saving target information, in a nonvolatile storage of the image forming apparatus, as first snapshot data (for restoring a state at a predetermined time after firmware is activated). When a power-on operation is performed after the time of the power-off operation, the hardware processor determines whether to perform a first high-speed startup process using the first snapshot data as an apparatus startup process with respect to the image forming apparatus.
    Type: Grant
    Filed: May 3, 2018
    Date of Patent: October 1, 2019
    Assignee: KONICA MINOLTA, INC.
    Inventor: Hiroyasu Ito
  • Patent number: 10423786
    Abstract: In accordance with one embodiment of the present disclosure, a method for determining the similarity between a first data set and a second data set is provided. The method includes performing an entropy analysis on the first and second data sets to produce a first entropy result, wherein the first data set comprises data representative of a first one or more computer files of known content and the second data set comprises data representative of a one or more computer files of unknown content; analyzing the first entropy result; and if the first entropy result is within a predetermined threshold, identifying the second data set as substantially related to the first data set.
    Type: Grant
    Filed: November 15, 2016
    Date of Patent: September 24, 2019
    Assignee: McAfee, LLC
    Inventors: David Neill Beveridge, Abhishek Ajay Karnik, Kevin A. Beets, Tad M. Heppner, Karthik Raman
  • Patent number: 10423715
    Abstract: A method for sharing documents between on-demand services is provided. In an embodiment, a user of a first on-demand service may be able to view a list of content that includes content stored at the first on-demand service and content stored at a second on-demand service. The content of the second on-demand service may be associated with information about the content, allowing the content to be shared among multiple users of the first on-demand service. The user wanting to view the content, select or click on an indicator identifying the content, a connection to the second on-demand service is established, and images of the content are sent from the second on-demand service to the first on-demand service.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: September 24, 2019
    Assignee: salesforce.com, inc.
    Inventors: Timothy J. Barker, Jonathan Levine, James Johnson
  • Patent number: 10416991
    Abstract: The disclosed technology is generally directed to updating of applications, firmware and/or other software on IoT devices. In one example of the technology, a request that is associated with a requested update is communicated from a normal world of a first application processor to a secure world of the first application processor. The secure world validates the requested update. Instructions associated with the validated update are communicated from the secure world to the normal world. Image requests are sent from the normal world to a cloud service for image binaries associated with the validated update. The secure world receives the requested image binaries from the cloud service. The secure world writes the received image binaries to memory, and validates the written image binaries.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: September 17, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Adrian Bonar, Reuben R. Olinsky, Sang Eun Kim, Edmund B. Nightingale, Thales de Carvalho
  • Patent number: 10389745
    Abstract: Bots are detected in real time by correlating activity between users using a lag-sensitive hashing technique that captures warping-invariant correlation. Correlated user groups in social media may be found that represent bot behavior with thousands of bot accounts detected in a couple of hours.
    Type: Grant
    Filed: August 4, 2016
    Date of Patent: August 20, 2019
    Assignee: STC.UNM
    Inventors: Abdullah Mueen, Nikan Chavoshi
  • Patent number: 10389750
    Abstract: Aspects of the present disclosure involve systems and methods computing devices to access a public network posing as a user to the network to detect one or more malware programs available for downloading through the network. More particularly, a malware detection control system utilizes a browser executed on a computing device to access a public network, such as the Internet. Through the browser, sites or nodes of the public network are accessed by the control system with the interactions with the sites of the public network designed to mimic or approximate a human user of the browser. More particularly, the control system may apply the one or more personality profiles to the browser of the computing device to access and interact with the nodes of the public network. Further, the control system may monitor the information retrieved from the network sites to detect the presence of malware within the nodes.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: August 20, 2019
    Assignee: Level 3 Communications, LLC
    Inventor: Skyler J. Bingham
  • Patent number: 10380373
    Abstract: Collecting nodes receive data from multiple data sources via a communication structure. The data is processed to generate at least one meta data block reflecting information about objects of interest represented by the data content. The at least one meta data block is encrypted. The data is divided into data chunks of a respective predefined size, and encrypted. The encrypted data chunks and meta blocks are sent over the communication structure to fusion nodes, where, after decryption, meta data blocks are fused into a new meta data block if an object-of-interest criterion is fulfilled. The new meta data blocks are encrypted and sent over the communication structure. Data storage nodes store copies of the encrypted data chunks and meta data blocks in an information structure of block chains of encrypted meta data blocks organized in one chain per object of interest.
    Type: Grant
    Filed: September 7, 2017
    Date of Patent: August 13, 2019
    Assignee: Dataunitor AS
    Inventors: Chunming Rong, Erdal Cayirci
  • Patent number: 10379894
    Abstract: A lineage-based trust for machine images that are derived from another may be established to validate a machine within the lineage before it is used to launch a virtual machine. An offspring machine image may be derived from a parent machine image through modifications made to the parent machine. Further, an integrity metric may be computed for each such modification and a data structure may be provided through which the parent and offspring machine images can be linked. When a customer of a provider network requests a virtual machine to be launched using a specified machine image, the specified machine image is loaded on to a host computer and validated using the associated integrity metrics before the virtual machine is launched.
    Type: Grant
    Filed: September 27, 2016
    Date of Patent: August 13, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Armando Jose Cruz Oliveira Queiros, Hart Matthew Rossman
  • Patent number: 10382478
    Abstract: In one embodiment, a device in a network constructs a graph based on Domain Name System (DNS) traffic in which vertices of the graph correspond to client addresses from the DNS traffic and domains from DNS traffic. The device uses stacked autoencoders to determine priors for the domains and client addresses. The device assigns the determined priors to the corresponding vertices of the graph. The device uses belief propagation on the graph to determine a malware inference from the graph. The device causes performance of a mitigation action when the malware inference from the graph indicates the presence of malware.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: August 13, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David Brandon Rodriguez, Yuxi Pan
  • Patent number: 10382483
    Abstract: A system for generating and deploying custom deceptions for a network, including an administrator computer for generating custom deception entities (CDEs), each CDE including parameters including inter alia (i) a type of entity, (ii) conditions for deployment of the CDE, and (iii) a deception type, and a management server, comprising an application programming interface for use by the administrator computer to generate CDEs through the medium of a formal language for specifying deceptions, and a translator for translating formal language CDEs to deceptions that are installable in network endpoint computers, wherein the management computer receives a request from a network endpoint computer to retrieve CDEs, selects CDEs that are relevant to the requesting network endpoint computer based on the parameters of the CDE, translates the requested CDEs to installable deceptions, and transmits the installable deceptions to the network endpoint computer for installation thereon.
    Type: Grant
    Filed: August 2, 2018
    Date of Patent: August 13, 2019
    Assignee: ILLUSIVE NETWORKS LTD.
    Inventors: Alon Kafri, Tom Kahana, Shani Margulis, Tom Sela, Dolev Ben-Shushan, Tomer Shamul
  • Patent number: 10374922
    Abstract: In one embodiment, a device in a network places a path of a service function chain into a testing state. The device causes a self-assessment instruction to be propagated along the path while the path is in the testing state. The device analyzes self-assessment results from nodes along the path. The device adjusts a state of the path based on the analyzed self-assessment results.
    Type: Grant
    Filed: February 24, 2016
    Date of Patent: August 6, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Gonzalo Salgueiro, Joseph Michael Clarke, Carlos M. Pignataro
  • Patent number: 10372907
    Abstract: Disclosed are systems and methods for detecting a malicious computer system. An exemplary method comprises: collecting, via a processor, characteristics of a computer system; determining relations between collected characteristics of the computer system; determining a time dependency of at least one state of the computer system based on determined relations; determining the at least one state of the computer system based at least on determined time dependency; and analyzing the at least one state of the computer system in connection with selected patterns representing a legal or malicious computer system to determine a degree of harmfulness of the computer system.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: August 6, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Alexey E. Antonov, Alexey M. Romanenko
  • Patent number: 10372904
    Abstract: A method for evaluating indicators of compromise (IOCs) is performed at a device having one or more processors and memory. The method includes receiving respective specifications of a plurality of IOCs, wherein the respective specifications of each IOC of the plurality of IOCs includes a respective cost associated with evaluating the IOC. The method further includes dynamically determining an order for evaluating the plurality of IOCs based on the respective costs associated with the plurality of IOCs, and determining whether a threat is present based on results for evaluating one or more of the plurality of IOCs in accordance with the dynamically determined order, instead of an order by which the plurality of IOCs have been received at the device.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: August 6, 2019
    Assignee: TANIUM INC.
    Inventors: Christian L. Hunt, Thomas R. Gissel, Thomas W. Savage
  • Patent number: 10367803
    Abstract: This document discusses designing and managing medical devices that are equipped with software, including a variety of ways of managing the public interest in safety and effectiveness of medical devices that are preferably implemented with open-source software. In one general aspect, a method of updating a medical device is disclosed. The method includes storing a vendor certificate in the device, and receiving and storing a licensed prescriber certificate in the device. A signed request to update code in the medical device can then be received and this request can be authenticated with one of the certificates, and the code can be updated in the medical device with code from the authenticated update request.
    Type: Grant
    Filed: April 12, 2016
    Date of Patent: July 30, 2019
    Inventor: Gropper Adrian
  • Patent number: 10356113
    Abstract: Disclosed herein are an apparatus and method for detecting abnormal behavior in a main device and a terminal device, included in a control network, using a whitelist. The apparatus for detecting abnormal behavior includes an information collection unit for collecting system information about the main device and system information about the terminal device and a detection unit for detecting abnormal behavior in the main device and the terminal device by comparing a whitelist with system information that includes the system information about the main device and the system information about the terminal device, wherein the whitelist includes a process whitelist, a file whitelist, and a network whitelist.
    Type: Grant
    Filed: July 11, 2016
    Date of Patent: July 16, 2019
    Assignee: Korea Electric Power Corporation
    Inventors: Yong-Hun Lim, Seong-Ho Ju, Chung-Hyo Kim, Yoo-Jin Kwon
  • Patent number: 10333977
    Abstract: A system for deceiving an attacker who harvests credentials within an enterprise network, including a management server deploying a deceptive agent on an endpoint computer of the enterprise network, the deceptive agent including a hook manager creating system hooks on resources in the endpoint computer that holds valuable credentials, which would be desired by attackers, and a deceptive content provider, generating deceptive content and returning the deceptive content to a malicious process run by an attacker on the endpoint computer, the malicious process making a read request directed to a resource in the endpoint computer that holds valuable credentials, thus making it appear to the attacker that a response is coming from the resource whereas in fact the response is coming from the deceptive agent, when the hook manager hooks the read request.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: June 25, 2019
    Assignee: ILLUSIVE NETWORKS LTD.
    Inventors: Tomer Shamul, Tsahi Lasry, Moshe Segev, Mor Natan
  • Patent number: 10326736
    Abstract: In one embodiment, a device in a network determines a first set of domain generation algorithm (DGA) predictions for a particular domain name by analyzing one or more extracted lexical features of the particular domain name using a first ensemble of decision trees. The device determines a second set of DGA predictions for the particular domain name by analyzing one or more extracted cluster features of a cluster of related domain names to which the particular domain name belongs using a second ensemble of decision trees. The device predicts a DGA associated with the particular domain name based on the first and second sets of DGA predictions. The device causes performance of a security action based on the predicted DGA associated with the particular domain.
    Type: Grant
    Filed: November 2, 2016
    Date of Patent: June 18, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: David Brandon Rodriguez, Jeremiah O'Connor
  • Patent number: 10319160
    Abstract: According to one or more embodiments, a system and method for authorizing a user securing an elevator call in a building is provided. For example, the method includes receiving, at a mobile device, a secure authorization token that includes an expiration time, connecting the mobile device to a backend system using the secure authorization token from the mobile device, verifying, using the backend system, an authenticity of the secure authorization token from the mobile device based on at least the expiration time, generating, at the backend system, a secure access token and a random number in response to the authenticity of the secure authorization token being verified, and receiving, at the mobile device, the secure access token and the random number for use making elevator call requests.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: June 11, 2019
    Assignee: OTIS ELEVATOR COMPANY
    Inventors: Devu Manikantan Shila, Paul A. Simcik, Teems E. Lovett
  • Patent number: 10320828
    Abstract: A System, Computer Program Product, and Computer-executable method for testing a production system, the System, Computer Program Product, and Computer-executable method including receiving information related to the production system, receiving production data from the production system, creating a virtual production system based off the production system using the received information and the received production data, and analyzing the production system by performing tests on the virtual production system.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: June 11, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Philip Derbeko, Alon Grubshtein, Anton Pavlinov
  • Patent number: 10320745
    Abstract: An apparatus and method of an attachment device for interfacing with an on-board diagnostic system of a vehicle is provided. The device includes an application processor configured to receive input from a terminal, control processing of the input by the on-board diagnostic system, transmit a result of the processing of the input by the on-board diagnostic system to the terminal, and a secure element interposed in the communication path between the application processor and the on-board diagnostic system, the secure element configured to filter the input of an on-board diagnostic operation that is untrusted.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: June 11, 2019
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Peng Ning, Stephen E McLaughlin, Michael C Grace, Ahmed M Azab, Rohan Bhutkar, Wenbo Shen, Xun Chen, Yong Choi, Ken Chen
  • Patent number: 10313324
    Abstract: Disclosed are systems, methods and computer program products for antivirus checking of files based on level of trust of their digital certificates. An example method includes obtaining a digital certificate of a digital signature of a file; determining validity of the obtained digital certificate; assigning a level of trust to the digital certificate based on the determined validity or invalidity of the digital certificate of the file; based on the assigned level of trust of the digital certificate of the file, determining what antivirus checking method to perform on the file; and performing the determined antivirus checking method on the file.
    Type: Grant
    Filed: December 2, 2014
    Date of Patent: June 4, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Andrey Y. Solodovnikov, Andrey V. Ladikov, Michael Pavlushik
  • Patent number: 10311236
    Abstract: Systems, apparatuses, and methods for performing secure system memory training are disclosed. In one embodiment, a system includes a boot media, a security processor with a first memory, a system memory, and one or more main processors coupled to the system memory. The security processor is configured to retrieve first data from the boot media and store and authenticate the first data in the first memory. The first data includes a first set of instructions which are executable to retrieve, from the boot media, a configuration block with system memory training parameters. The security processor also executes a second set of instructions to initialize and train the system memory using the training parameters. After training the system memory, the security processor retrieves, authenticates, and stores boot code in the system memory and releases the one or more main processors from reset to execute the boot code.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: June 4, 2019
    Assignees: Advanced Micro Devices, Inc., ATI Technologies ULC
    Inventors: Kathirkamanathan Nadarajah, Oswin Housty, Sergey Blotsky, Tan Peng, Hary Devapriyan Mahesan
  • Patent number: 10311235
    Abstract: A method for emulating at least one resource in a host computer to a querying hosted code. The method comprises monitoring a plurality of operating system (OS) queries received from a plurality of code executed on a monitored computing unit, the plurality of OS queries are designated to an OS of the monitored computing unit, detecting among the plurality of OS queries at least one query for receiving at least one characteristic of at least one resource of the monitored computing unit among the plurality of OS queries, the at least one query is received from querying code of the plurality of code, preparing a response of the OS to the at least one query, the response comprising a false indication of at least one false characteristic of the at least one resource, and sending the response to the querying code in response to the at least one query.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: June 4, 2019
    Assignee: Minerva Labs Ltd.
    Inventors: Eduard Bobritsky, Erez Breiman, Omri Moyal
  • Patent number: 10304349
    Abstract: A technology for providing a test environment is provided. In one example, a method may include defining a macro task for an unstructured lab in a service provider environment, the macro task including a task definition and expected values for a plurality of sub-tasks within the macro task. A request to participate in the unstructured lab may be received from a client device and the macro task may be provided to the client device in response to the request. Metrics may be collected from the unstructured lab using a metrics collector. Completion of the macro task may be analyzed by comparing the metrics to the expected values and a report indicative of performance of the macro task may be provided.
    Type: Grant
    Filed: June 18, 2014
    Date of Patent: May 28, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Thomas Charles Stickle, Bruce Cameron Burns