Intrusion Detection Patents (Class 726/23)
  • Publication number: 20090100519
    Abstract: A user of a computer system is provided with warning of unexpected or covert installation attempts using a malware or anti-virus detection engine. Even though the files that are unexpectedly attempted to be installed may be legitimate, rather than malware, the malware detection software is modified or configured to detect the unexpected installation and provide the user with an opportunity to abort the installation. A method of controlling installation of software in a computer system comprises detecting an attempt to install software on the computer system, identifying the software that was attempted to be installed, taking an action in response to identifying the software that was attempted to be installed.
    Type: Application
    Filed: October 16, 2007
    Publication date: April 16, 2009
    Inventors: Lee Codel Lawson Tarbotton, Alex James Hinchliffe
  • Publication number: 20090100520
    Abstract: An arrangement for dynamically identifying and intercepting potential software threats before they execute on a computer system is provided in which a file system filter driver (called a “mini-filter”) interfaces with an anti-malware service to selectively generate an alert event and allow the threat to run, in addition to generating an alert event and suspending the threat. The decision to suspend the threat or allow it to run is made through application of a cascading logic hierarchy that includes respective policy-defined actions, user-defined actions, and signature-defined actions. The mini-filter generates the alert event to the anti-malware service whenever a file is opened, or modified and closed. The service uses an engine to scan the file to identify potential threats which are handled through application of the logic hierarchy which provides for configurations defined in a lower tier of the hierarchy to be overridden by those contained in a higher tier.
    Type: Application
    Filed: October 12, 2007
    Publication date: April 16, 2009
    Applicant: Microsoft Corporation
    Inventors: Sterling Reasor, Jonathan Keller, Jason Joyce, Ahmed Hussain, Kanwaljit Marok, Nizan Manor, Santanu Chakraborty
  • Patent number: 7519860
    Abstract: A method and system for monitoring the behavior of at least one observable object, e.g. a network element, of a network, wherein at least one parameter of the observable object is repeatedly detected. An actually detected parameter is input to a learning process and to an analyzing process, wherein the learning process forms a reference, based on at least two detected parameter values, for describing the behavior of the observable object. The analyzing process compares the input parameter and the reference for detecting an anomalous behavior. The parameter preferably is a vector which includes several values describing properties or functioning of the observable object, and is formed based on events and/or reports from the object.
    Type: Grant
    Filed: June 6, 2001
    Date of Patent: April 14, 2009
    Assignee: Nokia Corporation
    Inventors: Kimmo Hätönen, Albert Höglund, Markus Miettinen, Jyrki Berg, Kari Kulmala, Sampo Torikka
  • Patent number: 7519834
    Abstract: Method and apparatus that enable secure transmission of data in a scalable private network are described. Each station that is to be part of a private network registers with a key table. A group security association associated with the private network is forwarded to each trusted ingress and egress point that communicates with each member of the private network. When a member of the private network seeks to communicate with another member, it simply forwards the communication to the trusted ingress point. The trusted ingress point uses the security association associated with the private network to transform the communication and forwards the transformed communication through other intermediate stations in the network until it reaches a trusted egress point. The trusted egress point uses the stored security association to decode the transformed communication and forwards the communication to the appropriate destination.
    Type: Grant
    Filed: September 12, 2003
    Date of Patent: April 14, 2009
    Assignee: Nortel Networks Limited
    Inventors: Lakshminath Dondeti, Haixiang He, Donald Fedyk
  • Patent number: 7519998
    Abstract: A method of detecting malicious binary executable files is accomplished by inputting a binary executable file; converting the binary executable file to byte hexadecimal text strings; calculating the frequency of each byte pattern in the byte hexadecimal text strings; selecting characteristic byte pattern frequencies as discriminating features; classifying the discriminating features as malicious or benign; labeling the binary executable file as malicious or benign; and outputting the labeled malicious or benign binary executable file.
    Type: Grant
    Filed: July 28, 2004
    Date of Patent: April 14, 2009
    Assignee: Los Alamos National Security, LLC
    Inventors: Dongming M. Cai, Maya Gokhale
  • Patent number: 7519996
    Abstract: A security intrusion mitigation system and method are presented. In one embodiment a security intrusion mitigation method includes utilizing network spanning tree configuration information to determine an action for mitigating diffusion of intrusive attacks. The spanning tree information can include an indication of internal diffusion risks. An action for mitigating diffusion of intrusive attacks is automatically performed. The action for mitigating diffusion of the intrusive attacks includes compensation for functional support of prioritized applications.
    Type: Grant
    Filed: August 25, 2003
    Date of Patent: April 14, 2009
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Stuart Cain
  • Patent number: 7519987
    Abstract: One example creates an application specific credential vault manager for templated applications. This credential vault manager would be associated with the portlets requiring the use of the credential vault and allow the user to configure the credential vault access at a composite application scope instead of at the portlet scope or the portlet application scope.
    Type: Grant
    Filed: February 5, 2008
    Date of Patent: April 14, 2009
    Assignee: International Business Machines Corporation
    Inventors: Robert Douglas Holt, Jason Allan Nikolai, Joseph William Cropper
  • Publication number: 20090094697
    Abstract: Landing pages associated with advertisements are partitioned into training landing pages and testing landing pages. Iterative training and testing of a classification mode on intrusion features of the partitioned landing pages is conducted until the occurrence of a cessation event. Feature weights are derived from the iterative training and testing, and are associated with the intrusion features. The associated feature weights and intrusion features can be used to classify other landing pages.
    Type: Application
    Filed: March 3, 2008
    Publication date: April 9, 2009
    Applicant: GOOGLE INC.
    Inventors: Niels Provos, Yunkai Zhou, Clayton W. Bavor, JR., Eric L. Davis, Mark Palatucci, Kamal P. Nigam, Christopher K. Monson, Panayiotis Mavrommatis, Rachel Nakauchi
  • Patent number: 7516488
    Abstract: An electronic message manager (100) examines (210) incoming electronic messages and determines (220) whether an incoming electronic message comprises at least one suspect link associated with a remote system. In response to the determination (220) that the incoming message comprises at least one suspect link, the electronic message manager (100) replaces (230) each suspect link with a redirection link. In response to a user attempting (240) to connect to the remote system by clicking on the redirection link, the electronic message manager directs the user to a remote analysis site for deciding (260) whether that incoming message comprises a phishing message.
    Type: Grant
    Filed: February 23, 2005
    Date of Patent: April 7, 2009
    Assignee: Symantec Corporation
    Inventors: Darrell Kienzle, James Croall
  • Patent number: 7516487
    Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.
    Type: Grant
    Filed: May 20, 2004
    Date of Patent: April 7, 2009
    Assignee: Foundry Networks, Inc.
    Inventors: Ronald W. Szeto, Nitin Jain, Ravindran Suresh, Philip Kwan
  • Patent number: 7512979
    Abstract: The present invention provides a log file protection system which makes it difficult for computer log information to be altered or deleted. A log information reception process includes receiving log information output from an original application process 210, and storing it in an internal cache 232 in a NIGELOG processing module 230. A hiding directory information gathering process scans a file system 300 to collect information on directories in which hiding is possible. This information constitutes a list of directories 233 in which hiding is possible, and is stored as a variable in the NIGELOG processing module 230. This variable is used by the NIGELOG process whenever files are generated or moved. An alteration detection and log information writing process detects alterations in log files, automatically restores these when alteration is detected, and periodically re-hides log files.
    Type: Grant
    Filed: November 9, 2000
    Date of Patent: March 31, 2009
    Inventors: Hideki Koike, Tetsuji Takada
  • Patent number: 7512981
    Abstract: Methods and systems for remotely configuring and monitoring a communication device are provided, especially useful in a computer network environment such as the Internet. A communication device or network appliance compares communications entering the communication device to a list of communication types established as known security risks, for example hacker attacks, unauthorized attempted access to network resources, or similar network security threats. If the received communication corresponds to a known security risk, the communication is classified as either a high security risk or low security risk, and an alert signal is transmitted to a remote monitoring center. Upon receiving the alert signal, the remote monitoring center assigns a priority to the alert signal based upon the type of the communication that triggered the transmission of the alert signal. Based on the assigned priority, the prioritized alert signal is then forwarded to a remote monitoring agent for resolution.
    Type: Grant
    Filed: March 17, 2005
    Date of Patent: March 31, 2009
    Assignee: Secureworks, Inc.
    Inventor: Sterling Michael Pearson
  • Patent number: 7512977
    Abstract: The inventions relate generally to protection of computing systems by isolating intrusive attacks into layers, those layers containing at least file objects and being accessible to applications, those layers further maintaining potentially intrusive file objects separately from regular file system objects such that the regular objects are protected and undisturbed. Also disclosed herein are computing systems which use layers and/or isolation layers, and various systems and methods for using those systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.
    Type: Grant
    Filed: March 16, 2005
    Date of Patent: March 31, 2009
    Assignee: Symantec Corporation
    Inventors: Randall R. Cook, Dwain A. Kinghorn, Michael E. Sainsbury
  • Patent number: 7512980
    Abstract: A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.
    Type: Grant
    Filed: May 26, 2005
    Date of Patent: March 31, 2009
    Assignee: Lancope, Inc.
    Inventors: John A. Copeland, John Jerrim
  • Patent number: 7512969
    Abstract: The detection of devices with duplicate media access controller (MAC) addresses in a cable network. A cable network device (CND) having a MAC address is connected by the cable network to a cable modem termination system (CMTS) having a gateway interface address. A centralized storage of historical cable modem MAC address/giaddr tuple data is used to identify CNDs that report duplicate MAC addresses. The cable network tracks the CND MAC address/giaddr tuple data of all CND requests that it receives and stores the MAC address/giaddr tuple data into a datastore (such as a database). When a CND seeks to access the network, the cable network looks into the datastore to determine whether the CND MAC address of the CND has previously been stored with a different associated giaddr, which would imply that there are multiple CNDs attached to different CMTSs where the CNDs share the same MAC address. If such duplication is detected, an appropriate remedial response is taken.
    Type: Grant
    Filed: November 21, 2003
    Date of Patent: March 31, 2009
    Assignee: Time Warner Cable, a division of Time Warner Entertainment Company, L.P.
    Inventors: Kenneth Gould, Christopher Pierce Williams
  • Publication number: 20090083854
    Abstract: A security analysis methodology is used to analyze the security of a device-under-analysis (DUA) with respect to a particular protocol message exchange. First, the mutation points that exist in the message exchange are determined. Then, the message exchange is executed multiple times—once for each mutation point. Each execution applies the mutation associated with that particular mutation point (e.g., a particular message during the exchange is modified in a particular way) to create a mutated message exchange. In other words, each message exchange with an applied mutation point corresponds to a test case.
    Type: Application
    Filed: September 20, 2007
    Publication date: March 26, 2009
    Applicant: MU SECURITY, INC.
    Inventors: Adam Bozanich, Kowsik Guruswamy, Marshall A. Beddoe
  • Patent number: 7509250
    Abstract: In one embodiment, a system comprises debug functionality, a debug interface communicatively coupled to the debug functionality, and a hardware key interface. Communication with the debug functionality over the debug interface is not permitted if an authorized hardware key is not communicatively coupled to the hardware key interface.
    Type: Grant
    Filed: November 4, 2005
    Date of Patent: March 24, 2009
    Assignee: Honeywell International Inc.
    Inventors: Edwin D. Cruzado, William J. Dalzell, Brian R. Bernier
  • Patent number: 7509676
    Abstract: One aspect of the invention is a method for restricting access to an enterprise network that includes determining whether a computer that may be connected to an enterprise network on a temporary basis has one or more malicious code items where the computer accompanies a visitor to a facility associated with the enterprise network. An indication is provided to a human if it is determined that the computer has one or more malicious code items.
    Type: Grant
    Filed: July 30, 2004
    Date of Patent: March 24, 2009
    Assignee: Electronic Data Systems Corporation
    Inventor: Luis Ruben Zapien Trueba
  • Patent number: 7509677
    Abstract: Patterns can be discovered in security events collected by a network security system. In one embodiment, the present invention includes collecting and storing security events from a variety of monitor devices. In one embodiment, a subset of the stored security events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.
    Type: Grant
    Filed: May 4, 2004
    Date of Patent: March 24, 2009
    Assignee: ArcSight, Inc.
    Inventors: Kumar Saurabh, Kenny Tidwell
  • Patent number: 7509678
    Abstract: The present invention allows for remotely and securely configuring settings for targeted devices within a network with multiple security-trust boundaries. Configuration information is encoded in messages that are digitally signed to ensure the integrity of the configuration information and sent in accordance with a standard messaging transport protocol. By utilizing an already existing port of the standard messaging transport protocol, e.g., SMTP, the number of open ports for configuration purposes is minimized. Further, example embodiments take advantage of hidden fields, i.e., machine readable fields that contain metadata that by default are not presented at a client user interface, for encoding the configuration or command/control information within the messages.
    Type: Grant
    Filed: January 7, 2005
    Date of Patent: March 24, 2009
    Assignee: Microsoft Corporation
    Inventors: Malcolm E. Pearson, Leon R. Warman, Robert G. Atkinson, David R. Reed, Steven D. White, Bradford R. Clark
  • Patent number: 7509681
    Abstract: A system in accordance with an embodiment of the invention includes a vulnerability detection system (VDS) and an intrusion detection system (IDS). The intrusion detection system leverages off of information gathered about a network, such as vulnerabilities, so that it only examines and alerts the user to potential intrusions that could actually affect the particular network. In addition, both the VDS and IDS may use rules in performing their respective analyses that are query-based and that are easy to construct. In particular, these rules may be based on a set of templates, which represent various entities or processes on the network.
    Type: Grant
    Filed: January 8, 2007
    Date of Patent: March 24, 2009
    Assignee: nCircle Network Security, Inc.
    Inventors: John S. Flowers, Thomas C. Stracener
  • Patent number: 7509675
    Abstract: Systems for the non-invasive monitoring of the effectiveness of a customer's electronic security services include a test generation engine for generating and launching a denatured attack towards a customer's network. A monitoring and evaluation agent is operatively coupled to the test generation engine and is adapted to monitor and evaluate the denatured attack. A recording and analysis engine is adapted to record and analyze the results of the denatured attack. Other systems and methods are also provided.
    Type: Grant
    Filed: May 29, 2002
    Date of Patent: March 24, 2009
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Jeffrey A. Aaron
  • Publication number: 20090077663
    Abstract: A score-based method of preventing intrusion, and related apparatus and systems, including one or more of the following: receiving traffic including new packets; decoding a protocol for same; determining that no session exists to which the packets are associated; creating a session entry for a session corresponding to the packets; setting a total score for the session to zero; performing an anomaly analysis on the packets identifying an anomaly; adding an anomaly score for the anomaly to the total score for the session; determining that the total score for the session does not exceed a threshold; determining that the anomaly analysis is finished; determining that the signature of the received new packets matches a threat signature; adding a score assigned to the threat signature to the total score for the session; determining that the total score for the session exceeds the threshold; and triggering a threat response action.
    Type: Application
    Filed: September 17, 2007
    Publication date: March 19, 2009
    Applicant: ALCATEL LUCENT
    Inventors: Yong Sun, Faud Khan
  • Publication number: 20090077662
    Abstract: Apparatus and methods for intrusion protection in safety instrumented process control systems are disclosed. An example method of protecting a safety instrumented system includes receiving legitimate information from a component of a process control system wherein the legitimate information is intended for delivery to a safety instrumented system, determining if a signature at least substantially matches the legitimate information, and preventing the legitimate information from reaching the safety instrumented system when it is determined that the signature at least substantially matches the legitimate information.
    Type: Application
    Filed: September 14, 2007
    Publication date: March 19, 2009
    Inventors: Gary Law, Godfrey R. Sherriff
  • Patent number: 7506360
    Abstract: A system and method for tracking communication for determining device states. Communication between devices is observed and a respective state of at least one device is inferred. The inference is formed without directly communicating with the device. Various states of the devices include unknown, used, unfulfilled, virtual, omitted, and automatic. The respective state of a device is unknown when the observation shows that the device fails to respond to communication. The respective state of the device is unfulfilled when an ARP request comprising a destination address for the device is observed, and the device does not respond to the ARP request prior to expiration of a time limit. The respective state of a device is determined to be virtual when the observation shows that the device received a packet when its respective state was unfulfilled, and the device did not send a reply to the packet within a time limit.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: March 17, 2009
    Assignee: Mirage Networks, Inc.
    Inventors: Mark L. Wilkinson, Ronald J. Miller, Michael J. McDaniels
  • Patent number: 7506373
    Abstract: A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: March 17, 2009
    Assignee: France Telecom
    Inventors: Benjamin Morin, Hervé Debar, Elvis Tombini
  • Publication number: 20090070873
    Abstract: A system is described for providing safe web based interactions. The system may include a memory, an interface, and a processor. The memory may store a request and a web page. The interface may be operative to communicate with a user and a third party server. The processor may be operatively connected to the memory and the interface and may receive a request from the user for a web page provided by the third party server. The processor may retrieve the web page and determine if malicious data is associated with the web page. If malicious data is determined to be associated with the web page the processor may disable the malicious data. The processor may modify the web page so that subsequent interactions with the web page are redirected to the processor, through the interface. The processor may provide the web page to the user, via the interface.
    Type: Application
    Filed: September 11, 2007
    Publication date: March 12, 2009
    Applicant: YAHOO! INC.
    Inventors: R. Preston McAfee, David M. Pennock
  • Publication number: 20090070874
    Abstract: An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems, without the use of an attack signature database. In particular, the illustrative embodiment is based on the observation that some VoIP-related protocols (e.g., the Session Initiation Protocol [SIP], etc.) are simple enough to be represented by a finite-state machine (FSM) of compact size. A finite-state machine is maintained for each session/node/protocol combination, and any illegal state or state transition—which might be the result of a malicious attack—is flagged as a potential intrusion.
    Type: Application
    Filed: September 12, 2007
    Publication date: March 12, 2009
    Applicant: AVAYA TECHNOLOGY LLC
    Inventors: Sachin Garg, Navjot Singh, Akshay Adhikari, Yu-Sung Wu
  • Publication number: 20090070877
    Abstract: A method of and apparatus for securing against an unauthorized transmission within an authorized transmission from a sending data processor to a receiving data processor. The transmission is stimulated to elicit a predictable response from the receiving data processor. Upon the observance or absence of the predictable response, the transmission is determined as being potentially unauthorized. The method of this invention can be implemented in network administrator middleboxes such as firewalls.
    Type: Application
    Filed: November 17, 2008
    Publication date: March 12, 2009
    Inventors: Carol Davids, Gary Dorst, Ken Kousky, Paul Raymond Sand, Gene Yahnes
  • Publication number: 20090070876
    Abstract: Provided are an apparatus and method for detecting a malicious process. The apparatus includes: a process monitoring unit for monitoring a process generated in a computing environment; a target process setting unit for previously setting a test target process among the processes confirmed by the process monitoring unit; a process generation time change monitoring unit for monitoring if the target process set by the target process setting unit requests to change a generation time; a generation time change preventing unit for preventing a change in the generation time of the target process when the target process requests to change the generation time; and a malicious process detecting unit for determining that a child process of the target process set by the target process setting unit is a malicious process if the child process is generated within a predetermined reference time.
    Type: Application
    Filed: April 16, 2008
    Publication date: March 12, 2009
    Inventors: Yun Ju KIM, Young Tae YUN
  • Publication number: 20090070872
    Abstract: Systems and methods for filtering spam messages utilizing a URL filtering module are described. In one embodiment, the method includes detecting, in an incoming message, data indicative of a URL and comparing the URL from the incoming message with URLs characterizing spam. The method further includes determining whether the incoming message is spam based on the comparison of the URL from the incoming message with the URLs characterizing spam.
    Type: Application
    Filed: June 17, 2004
    Publication date: March 12, 2009
    Inventors: David Cowings, David Hoogstrate, Sandy Jenson, Art Medlar, Ken Schneider
  • Publication number: 20090070875
    Abstract: An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems without an attack signature database. The illustrative embodiment is based on two observations: (1) various VoIP-related protocols are simple enough to be represented by a finite-state machine (FSM) of compact size, thereby avoiding the disadvantages inherent in signature-based intrusion-detection systems; and (2) there exist intrusions that might not be detectable locally by the individual finite-state machines (FSMs) but that can be detected with a global (or distributed) view of all the FSMs. The illustrative embodiment maintains a FSM for each session/node/protocol combination representing the allowed (or “legal”) states and state transitions for the protocol at that node in that session, as well as a “global” FSM for the entire session that enforces constraints on the individual FSMs and is capable of detecting intrusions that elude the individual FSMs.
    Type: Application
    Filed: September 12, 2007
    Publication date: March 12, 2009
    Applicant: AVAYA TECHNOLOGY LLC
    Inventors: Sachin Garg, Navjot Singh, Akshay Adhikari, Yu-Sung Wu
  • Patent number: 7503071
    Abstract: A technique is disclosed for identifying network traffic. The traffic data is converted into a wave vector. The wave vector is compared with a wave template. It is then determined whether the wave vector is substantially similar to the wave template.
    Type: Grant
    Filed: October 1, 2003
    Date of Patent: March 10, 2009
    Assignee: Symantec Corporation
    Inventor: Brian Hernacki
  • Publication number: 20090064332
    Abstract: In one embodiment, the present invention is a method and apparatus for generating highly predictive blacklists. One embodiment of a method for generating a blacklist of network addresses for a user of a network includes collecting security log data from users of the network, the security log data identifying observed attacks by attack sources, assigning the attack sources to the blacklist based on a combination of the relevance of each attack source to the user and the maliciousness of the attack source, and outputting the blacklist.
    Type: Application
    Filed: April 4, 2008
    Publication date: March 5, 2009
    Inventors: Phillip Andrew Porras, Jian Zhang
  • Publication number: 20090064333
    Abstract: Patterns can be discovered in events collected by a network system. In one embodiment, the present invention includes collecting and storing events from a variety of monitor devices. In one embodiment, a subset of the stored events is provided to a manager as an event stream. In one embodiment, the present invention further includes the manager discovering one or more previously unknown event patterns in the event stream.
    Type: Application
    Filed: October 1, 2008
    Publication date: March 5, 2009
    Applicant: ArcSight, Inc.
    Inventors: Kumar Saurabh, Kenny Tidwell
  • Patent number: 7500266
    Abstract: A device (120) processes traffic in a network. The device (120) obtains information corresponding to an activity between a group of source devices and one or more services of destination devices, measures, for each of the group of source devices, a behavior of the source activity in terms of independence and uniformity of access to the one or more services, and determines, for each of the group of source devices, whether the source activity includes probing based on the measured behavior. The device (120) also determines, for each of the group of source devices, a similarity factor representing a similarity between the source activity of one of the group of source devices and another of the group of source devices, compares the similarity factors for each pair of source devices to a threshold, and groups source devices when the similarity factors for those source devices are below the threshold.
    Type: Grant
    Filed: December 3, 2002
    Date of Patent: March 3, 2009
    Assignees: BBN Technologies Corp., Verizon Corporate Services Group, Inc.
    Inventors: Daniel Francis Vukelich, John Houston Lowry, Derrick Kong, Wilson Wrenshall Farrell, Jr., Kenneth Burton Theriault
  • Patent number: 7500265
    Abstract: A method and apparatus to identify SPAM emails is disclosed. The method sets a misspelling rejection ratio. Upon receipt of an email comprising (X) words, the method determines the number (Y) of misspelled words comprising that email. The method then calculates a misspelling ratio by dividing (Y) by (X), and then determines if the misspelling ratio is greater than or equal to the misspelling rejection ratio. If the method determines that the misspelling ratio is greater than or equal to the misspelling rejection ratio, then the method reports the email as SPAM. In certain embodiments, the detection of words used to trigger the rejection of SPAM is based on a fuzzy search of alternate spellings. These alternate spellings may come from a spell checker.
    Type: Grant
    Filed: August 27, 2004
    Date of Patent: March 3, 2009
    Assignee: International Business Machines Corporation
    Inventors: Susan Encinas, Daniel J. Winarski
  • Publication number: 20090055929
    Abstract: Provided is a local domain name system for querying an external server for a client-requested domain name and providing desired data to a user. A determination is made as to whether a special policy is to be applied to a client-input query through a test task. When a special policy is to be applied to the query, the special policy is performed to provide additional service to the client.
    Type: Application
    Filed: February 21, 2006
    Publication date: February 26, 2009
    Applicant: NETPIA.COM, INC.
    Inventors: Pan Jung Lee, Jeen Hyun Bae, Suk Moon Lee, Jong Ho Won
  • Publication number: 20090055930
    Abstract: A security switch detects whether requested content is either trusted content or non-trusted content. In case of network content being trusted content, network traffic bypasses the inspection gateway and goes directly to the user. If network content is non-trusted content, network traffic passes through to the inspection gateways for inspection. Additionally, when the security switch receives a reply for “trusted” content requests, it parses the reply information to verify that the content-type of the file is indeed “trusted”. If the file doesn't prove to be “trusted”, the security switch drops the connection and stops the suspected content from reaching the client.
    Type: Application
    Filed: August 25, 2008
    Publication date: February 26, 2009
    Inventor: Amir Peles
  • Patent number: 7496961
    Abstract: Methods and apparatus to provide network traffic support and physical security support are described herein. In an example method, a virtual machine monitor (VMM) in a processor system is initialized. At least one of a network traffic intrusion event and a physical security intrusion event is identified by the VMM. At least one of a network traffic support and a physical security support is implemented in response to at least one of the network traffic intrusion event and the physical security intrusion event.
    Type: Grant
    Filed: October 15, 2003
    Date of Patent: February 24, 2009
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Michael A. Rothman
  • Patent number: 7496962
    Abstract: A hypertext transport protocol (HTTP) inspection engine for an intrusion detection system (IDS) includes an HTTP policy selection component, a request universal resource identifier (URI) discovery component, and a URI normalization module. The HTTP policy selection component identifies an HTTP intrusion detection policy using a packet. The request URI discovery component locates a URI within the packet. The URI normalization module decodes an obfuscation within the URI. In another embodiment, a packet transmitted on the network is intercepted. The packet is parsed. An Internet protocol (IP) address of the packet is identified. An HTTP intrusion detection policy for a network device is determined. A URI is located in the packet. A pattern from an intrusion detection system rule is compared to the located URI. In another embodiment, an IDS includes a packet acquisition system, network and transport reassembly modules, an HTTP inspection engine, a detection engine, and a logging system.
    Type: Grant
    Filed: September 29, 2004
    Date of Patent: February 24, 2009
    Assignee: Sourcefire, Inc.
    Inventors: Daniel J. Roelker, Marc A. Norton
  • Publication number: 20090049551
    Abstract: A method and apparatus for monitoring a code to detect intrusion code is used to monitor target code to determine whether the target code is a resident code in a system or an intrusion code into the system. A first code pattern is extracted from the target code and a second code pattern is loaded from a storage unit, and a distance between the first code pattern and the second code pattern is calculated. The calculated distance is compared to a threshold to determine whether the target code is an intrusion code.
    Type: Application
    Filed: November 27, 2006
    Publication date: February 19, 2009
    Inventors: Tae-Jin Ahn, Yun-Sun Nam, Jung-Hwan Song
  • Publication number: 20090049550
    Abstract: A method of detecting and blocking malicious activity of processes in computer memory during unpacking of a file after the code and data contained in the file are unpacked is described. The method includes inserting a hook function into one or more un-assessed processes running in the computer memory. A hook is then placed on one or more system calls carried out by the one or more un-assessed processes; the one or more system calls determining an optimal time period in which to detect malicious activity in the un-assessed processes. During the optimal time period the one or more system calls carried out by the one or more un-assessed processes are suspended and attributes of the one or more un-assessed processes are detected and the likely maliciousness of the one or more un-assessed processes is determined from the attributes.
    Type: Application
    Filed: June 6, 2008
    Publication date: February 19, 2009
    Applicant: PC TOOLS TECHNOLOGY PTY LTD
    Inventor: Sergei Shevchenko
  • Patent number: 7493654
    Abstract: A computer system having at least one CPU has as its only interface with the Internet and other external sources a virtual machine that contains a browser and/or other communications programs, so that e-mail and other external communications are opened within the virtual machine and stored within a virtual storage. The virtual machine is erased at frequent intervals, taking with it any changes made by virus or other hostile programs.
    Type: Grant
    Filed: November 20, 2004
    Date of Patent: February 17, 2009
    Assignee: International Business Machines Corporation
    Inventors: David F. Bantz, Thomas E. Chefalas, Steven J. Mastrianni, Clifford A. Pickover
  • Publication number: 20090044272
    Abstract: Systems and methods that mitigate effects of malware and facilitate remediation processes. An analysis engine generates a list of actions for resources associated with the malware, and prioritizes/sorts the actions for execution. Such list of actions can be generated automatically via an action list generation component associated with the analysis engine. Likewise, a sorting component as part of the analysis engine can prioritize operations between detected malware to typically ensure a smooth operation during remediation processes (e.g., avoid conflicts).
    Type: Application
    Filed: April 29, 2008
    Publication date: February 12, 2009
    Applicant: MICROSOFT CORPORATION
    Inventor: Michael Sean Jarrett
  • Patent number: 7490352
    Abstract: Systems and methods for validating integrity of an executable file are described. In one aspect, the systems and methods determine that an executable file is being introduced into a path of execution. The executable file is then automatically evaluated in view of multiple malware checks to detect if the executable file represents a type of malware. The multiple malware checks are integrated into an operating system trust verification process along the path of execution.
    Type: Grant
    Filed: April 7, 2005
    Date of Patent: February 10, 2009
    Assignee: Microsoft Corporation
    Inventors: Michael Kramer, Kenneth D. Ray, Paul England, Scott A. Field, Jonathan D. Schwartz
  • Patent number: 7490244
    Abstract: Methods, apparatuses, and computer-readable media for preventing the spread of malicious computer code. An embodiment of the inventive method comprises the steps of: identifying (110) a computer application that is data mining an e-mail address; determining (130) whether the computer application associates at least one executable application and the data mined e-mail address with an e-mail message (120); and blocking (140) the transmission of the e-mail message when the e-mail message is associated with the at least one executable application and the data mined e-mail address.
    Type: Grant
    Filed: September 14, 2004
    Date of Patent: February 10, 2009
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, William E. Sobel, Bruce McCorkendale, Carey Nachenberg
  • Patent number: 7490356
    Abstract: A flexible, efficient and easy-to-use computer security management system effectively evaluates and responds to informational risks on a wide variety of computing platforms and in a rapidly changing network environment. An individual computer system dynamically monitors its end user, without regard to network connectivity, in order to calculate a risk score and to ensure that the end user's behavior does not put corporate information or other assets at risk. Data regarding such risks and responses are analyzed and stored in real-time.
    Type: Grant
    Filed: July 20, 2004
    Date of Patent: February 10, 2009
    Assignee: Reflectent Software, Inc.
    Inventors: Jason Lieblich, Dustin Norman
  • Patent number: 7490354
    Abstract: A method that in an embodiment counts the number of times that a file or registry entry is added, changed, or deleted at clients in a network. If the count exceeds a threshold, then a warning is sent to the clients. The warning may prompt the clients to delete or rename the file or registry entry, run an anti-virus program, quarantine the file or registry entry, or issue a message. In this way, viruses may be detected at clients.
    Type: Grant
    Filed: June 10, 2004
    Date of Patent: February 10, 2009
    Assignee: International Business Machines Corporation
    Inventors: Zachary Adam Garbow, Michael David Gordon, Robert Hart Hamlin, William Russell Marshall, Clayton Lee McDaniel, Emuejevoke Jane-Frances Sanomi-Fleming
  • Publication number: 20090038010
    Abstract: Embodiments are provided to monitor aspects of a process, such as an automation process. In an embodiment, a system includes a number of components configured to monitor and validate operational aspects of a test automation process. In one embodiment, a monitoring application can be used to detect test automation issues, such as file related issues, registry related issues, network related issues, and other operational issues for example. The monitoring application can include a number of rule sets which may be tailored to identify and detect new types of exceptions and other conditions associated with an automation process or some other process. Other embodiments are available.
    Type: Application
    Filed: July 31, 2007
    Publication date: February 5, 2009
    Applicant: Microsoft Corporation
    Inventors: Yue Ma, Patrick J. Niemeyer