The disclosed computer-implemented method for monitoring virtual networks includes (1) an identification module 104 identifying a virtual network 204 containing at least one virtualized switching device 202 that routes network traffic from a source port 210 within the virtual network to a destination port 206, (2) a providing module 106 providing, within the virtualized switching device, a set of software-defined network rules 212 containing criteria for identifying packets having at least one predetermined property associated with a security policy, (3) an intercepting module 108 intercepting, at the source port 210, a packet destined for the destination port 206, (4) a determination module 110 determining that at least one characteristic of the packet satisfies at least one of the rules 212, and (5) in response to determining that the characteristic of the packet satisfies at least one of the rules, a forward module 112 forwarding a copy of the packet to a virtual tap port 208 that analyzes the packet for security threats. By identifying (via, e.g., a set of OpenFlow rules) packets having properties indicative of potential security threats, the method may forward copies of suspicious packets to a virtual tap port that analyzes the copies for malware attacks, data leaks, etc. In addition, by implementing a set of software-defined network rules modeled on any type of physical wiretap mechanism, the method may efficiently monitor virtual networks using techniques proven effective within physical networks. Furthermore, by implementing virtual wiretaps within the portions of cloud-based computing platforms dedicated to the cloud-based applications of various tenants, the method may provide those tenants with granular and customizable network monitoring services.
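As an added illustration of the rule-and-tap arrangement above (example code written for this page, not code from the patent), the Go program below models a virtualized switch with a rule table, a destination port and a tap port. A packet is always delivered to its destination; a copy goes to the tap port only when the highest-priority matching rule asks for it. The rule fields, the policy installed by NewMonitorSwitch, and all addresses are hypothetical.

```go
package main

import "fmt"

// Packet is a constructed, simplified packet header as seen at the source port.
type Packet struct {
	SrcIP, DstIP string
	Proto        string // "tcp" or "udp"
	DstPort      int
	Payload      []byte
}

// Rule loosely mirrors an OpenFlow flow entry: match fields plus a priority.
// An empty string or zero port means "wildcard" for that field.
type Rule struct {
	Priority int
	SrcIP    string
	DstIP    string
	Proto    string
	DstPort  int
	Mirror   bool   // forward a copy to the tap port when this rule fires
	Tag      string // label reported to the analyzer
}

func (r Rule) Matches(p Packet) bool {
	if r.SrcIP != "" && r.SrcIP != p.SrcIP {
		return false
	}
	if r.DstIP != "" && r.DstIP != p.DstIP {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	return true
}

// Switch models the virtualized switching device. The destination and tap
// ports are just slices that collect what was delivered to them.
type Switch struct {
	Rules   []Rule
	DstPort []Packet
	TapPort []Packet
}

// Forward always delivers the packet to its destination; if the
// highest-priority matching rule asks for mirroring, an independent copy goes
// to the tap port. Returns the tag of the rule that fired, or "" if none.
func (s *Switch) Forward(p Packet) string {
	s.DstPort = append(s.DstPort, p)
	var best *Rule
	for i := range s.Rules {
		r := &s.Rules[i]
		if r.Matches(p) && (best == nil || r.Priority > best.Priority) {
			best = r
		}
	}
	if best == nil || !best.Mirror {
		return ""
	}
	cp := p
	cp.Payload = append([]byte(nil), p.Payload...) // a copy, so the analyzer cannot alter the live packet
	s.TapPort = append(s.TapPort, cp)
	return best.Tag
}

// NewMonitorSwitch installs a hypothetical tenant policy: mirror cleartext
// Telnet and anything sent to a known-bad host, but a higher-priority rule
// exempts the tenant's own scanner so its probes do not flood the analyzer.
func NewMonitorSwitch() *Switch {
	return &Switch{Rules: []Rule{
		{Priority: 10, Proto: "tcp", DstPort: 23, Mirror: true, Tag: "telnet"},
		{Priority: 10, DstIP: "203.0.113.7", Mirror: true, Tag: "bad-host"},
		{Priority: 50, SrcIP: "10.0.0.100", Mirror: false, Tag: "scanner-exempt"},
	}}
}

func main() {
	sw := NewMonitorSwitch()
	pkts := []Packet{
		{SrcIP: "10.0.0.5", DstIP: "10.0.0.9", Proto: "tcp", DstPort: 23, Payload: []byte("login:")},
		{SrcIP: "10.0.0.5", DstIP: "203.0.113.7", Proto: "udp", DstPort: 53},
		{SrcIP: "10.0.0.100", DstIP: "10.0.0.9", Proto: "tcp", DstPort: 23},
		{SrcIP: "10.0.0.5", DstIP: "10.0.0.9", Proto: "tcp", DstPort: 443},
	}
	for _, p := range pkts {
		fmt.Printf("%s -> %s:%d  tag=%q\n", p.SrcIP, p.DstIP, p.DstPort, sw.Forward(p))
	}
	fmt.Printf("delivered=%d mirrored=%d\n", len(sw.DstPort), len(sw.TapPort))
}
```

On a real Open vSwitch the same policy would be a flow whose action list names both the normal output port and the tap port. Because the tap port receives a copy, analysis is out of band: it can raise an alert or feed a new rule back into the table, but it cannot stop the original packet that has already been delivered.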
The disclosed computer-implemented method for handling fraudulent uses of brands may include (1) enabling a subscriber of a brand-protection service to select an action to perform when a fraudulent use of a brand is detected in Internet traffic that is transmitted via any of a plurality of Internet-traffic chokepoints that are managed by the brand-protection service, (2) monitoring, at each of the plurality of Internet-traffic chokepoints, Internet traffic for fraudulent uses of brands, (3) detecting, while monitoring the Internet traffic, the fraudulent use of the brand, and (4) performing the action in response to detecting the fraudulent use of the brand. Various other methods, systems, and computer-readable media are also disclosed.
A computer-implemented method for updating system-level services within read-only system images may include (1) executing, during initialization of a mobile computing device, an update service stored within a read-only system image located on the mobile computing device, (2) identifying, via the update service, a writable partition located on the mobile computing device, (3) identifying, via the update service, a digitally signed update within the writable partition for at least one system-level service stored within the read-only system image, and (4) executing, via the update service, the digitally signed update within the writable partition instead of the system-level service stored within the read-only system image. Various other methods, systems, and computer-readable media are also disclosed.
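The boot-time decision in steps (1) to (4) above, as an added Go example (written for this page, not the patent's code). The update service verifies an Ed25519 signature under a vendor public key assumed to live in the read-only image and executes the writable-partition copy only if it verifies; the additional rule that the update must carry a higher version number than the image copy is a practitioner's addition the abstract does not mention, included because without it a correctly signed but older, exploitable build could be reinstalled. Service and key names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Service stands in for a system-level service binary: name, version and a
// body (returned when "executed") so the example needs no real executables.
type Service struct {
	Name    string
	Version int
	Body    string
}

// SignedUpdate is one entry in the writable partition. The signature covers
// name, version and body together, so a valid signature cannot be
// transplanted onto another service, version or body.
type SignedUpdate struct {
	Service
	Signature []byte
}

func updateMessage(s Service) []byte {
	return []byte(fmt.Sprintf("%s\x00%d\x00%s", s.Name, s.Version, s.Body))
}

// GenerateVendorKey and SignUpdate are the vendor-side steps; the private key
// never reaches the device, only the public half is baked into the image.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignUpdate(priv ed25519.PrivateKey, s Service) SignedUpdate {
	return SignedUpdate{Service: s, Signature: ed25519.Sign(priv, updateMessage(s))}
}

// Device holds the read-only image (services plus the vendor public key) and
// the writable partition where signed updates are dropped.
type Device struct {
	VendorKey ed25519.PublicKey
	ReadOnly  map[string]Service
	Writable  map[string]SignedUpdate
}

// Resolve is the update service's decision during initialization: execute
// the writable-partition copy only if its signature verifies under the
// image's key and it is newer than the image copy (so a correctly signed but
// older, exploitable build cannot be rolled back in); otherwise fall back to
// the read-only service. The second return value says which path was taken.
func (d Device) Resolve(name string) (Service, string) {
	base := d.ReadOnly[name]
	u, ok := d.Writable[name]
	switch {
	case !ok:
		return base, "read-only"
	case u.Name != name || !ed25519.Verify(d.VendorKey, updateMessage(u.Service), u.Signature):
		return base, "rejected: bad signature"
	case u.Version <= base.Version:
		return base, "rejected: not newer"
	}
	return u.Service, "update"
}

func main() {
	pub, priv := GenerateVendorKey()
	dev := Device{VendorKey: pub,
		ReadOnly: map[string]Service{"netd": {Name: "netd", Version: 3, Body: "netd v3"}},
		Writable: map[string]SignedUpdate{}}
	dev.Writable["netd"] = SignUpdate(priv, Service{Name: "netd", Version: 4, Body: "netd v4 (patched)"})
	svc, why := dev.Resolve("netd")
	fmt.Println(svc.Body, "/", why)

	tampered := dev.Writable["netd"] // an attacker with write access edits the body
	tampered.Body = "netd v4 (backdoored)"
	dev.Writable["netd"] = tampered
	svc, why = dev.Resolve("netd")
	fmt.Println(svc.Body, "/", why)
}
```

The writable partition is exactly the place an attacker with local write access can reach, so everything security-relevant (the public key, the verifier, the fallback copy) must stay in the read-only image; the update is never trusted for anything before the signature check passes.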
A query is received from a client device regarding an object. The query includes an identifier of the object and a set of associated usage attributes describing a usage of the object on the client device. A set of usage facts associated with the identified object is identified. The set of usage facts describe typical usages of the object on a plurality of client devices. A determination is made whether the usage of the object on the client device is suspicious based on the set of usage facts associated with the object and the set of usage attributes included in the query. A report is provided to the client device based on the determination.
A computer-implemented method for directing application updates may include (1) identifying information that indicates a rate at which an earlier version of an application is exploited in attacks on computing system security, (2) identifying additional information that indicates a rate at which a later version of the application is exploited in attacks on computing system security, (3) determining how updating the application from the earlier version to the later version will impact computing system security by comparing the rate the earlier version of the application is exploited with the rate at which the later version of the application is exploited, and (4) directing a computing system with a determination about updating an installation of the earlier version of the application to the later version of the application based on determining how updating the application will impact computing system security. Various other methods, systems, and computer-readable media are also disclosed.
G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
6.
SYSTEMS AND METHODS FOR IDENTIFYING A SECURE APPLICATION WHEN CONNECTING TO A NETWORK
A computer system receives, from a user device, a request to access a resource within a network of an organization and receives access credentials associated with an application, a user and the user device. The computer system identifies an application identifier, a user identifier and a device identifier and determines whether the combination of these identifiers satisfies an access policy. If the combination of application identifier, user identifier and device identifier satisfies the access policy, then the computer system grants the application access to the resource within the network of the organization.
A computer-implemented method for enforcing data-loss-prevention policies using mobile sensors may include (1) detecting an attempt by a user to access sensitive data on a mobile computing device, (2) collecting, via at least one sensor of the mobile computing device, sensor data that indicates an environment in which the user is attempting to access the sensitive data, (3) determining, based at least in part on the sensor data, a privacy level of the environment, and (4) restricting, based at least in part on the privacy level of the environment, the attempt by the user to access the sensitive data according to a DLP policy. Various other methods, systems, and computer-readable media are also disclosed.
A computer-implemented method for secure third-party data storage may include (1) identifying, at a server-side computing device, a request from a client system to access an encrypted file stored under a user account, (2) identifying, in response to the request, an asymmetric key pair designated for the user account that includes an encryption key and a decryption key that has been encrypted with a client-side key, (3) receiving, from the client system, the client-side key, (4) decrypting the decryption key with the client-side key, and (5) using the decryption key to access an unencrypted version of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.
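The key arrangement of steps (2) to (5), as an added Go example (written for this page, not the patent's code). The server stores the account's RSA public key in the clear and the private key wrapped under AES-256-GCM by a client-side key it never persists; on a request it unwraps, decrypts the file and forgets both. The 2048-bit RSA key, OAEP, the GCM wrapping construction and the associated-data string are choices made here, not taken from the abstract.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Account is what the server persists per user: the public encryption key in
// the clear and the private decryption key wrapped under a client-side key
// that the server itself never stores.
type Account struct {
	Pub         *rsa.PublicKey
	WrappedPriv []byte // nonce || AES-256-GCM(clientKey, PKCS#1 DER of the private key)
}

const wrapAAD = "account-decryption-key" // authenticated context, so a wrapped blob cannot be reused elsewhere

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RandomKey stands in for the client-side key; a real client would derive it
// from a passphrase or a hardware-backed secret.
func RandomKey() []byte {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read does not fail on supported platforms
	return k
}

// Enroll creates the account's key pair and wraps the decryption key with the client-side key.
func Enroll(clientKey []byte) (*Account, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	aead, err := aesGCM(clientKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	der := x509.MarshalPKCS1PrivateKey(priv)
	return &Account{Pub: &priv.PublicKey, WrappedPriv: aead.Seal(nonce, nonce, der, []byte(wrapAAD))}, nil
}

// EncryptFile seals a short file for the account with only the public key, so
// uploads need no client-side key at all. RSA-OAEP with SHA-256 and a
// 2048-bit key fits at most 190 bytes; larger files would be encrypted under a
// random content key that is wrapped this way instead.
func EncryptFile(acc *Account, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, acc.Pub, plaintext, []byte("file"))
}

// AccessFile is the server-side step on a client request: unwrap the decryption
// key with the client-supplied key (held only for this request), decrypt the
// file, and drop both. A wrong client key fails GCM authentication before any
// key material is produced.
func AccessFile(acc *Account, clientKey, ciphertext []byte) ([]byte, error) {
	aead, err := aesGCM(clientKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(acc.WrappedPriv) < ns {
		return nil, errors.New("malformed wrapped key")
	}
	der, err := aead.Open(nil, acc.WrappedPriv[:ns], acc.WrappedPriv[ns:], []byte(wrapAAD))
	if err != nil {
		return nil, errors.New("client-side key rejected")
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, []byte("file"))
}

func main() {
	clientKey := RandomKey()
	acc, _ := Enroll(clientKey)
	ct, _ := EncryptFile(acc, []byte("quarterly numbers"))
	pt, err := AccessFile(acc, clientKey, ct)
	fmt.Printf("correct key: %q err=%v\n", pt, err)
	_, err = AccessFile(acc, RandomKey(), ct)
	fmt.Println("wrong key: err =", err)
}
```

The security of the scheme rests on the server discarding the client-side key and the unwrapped private key as soon as the request completes; a server that logs or caches either has silently become a plaintext store.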
G06F 21/78 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
A computer-implemented method for using property tables to perform non-iterative malware scans may include (1) obtaining at least one malware signature from a security software provider that identifies at least one property value for an item of malware, (2) accessing a property table for a computing device that identifies property values shared by one or more application packages installed on the computing device and, for each property value, each application package that shares the property value in question, and (3) determining, by comparing each property value identified in the malware signature with the property table, whether any of the application packages match the malware signature without having to iterate through the individual property values of each application package. Various other methods, systems, and computer-readable media are also disclosed.
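The property table of step (2) and the comparison of step (3), as an added Go example (written for this page, not the patent's code). The table is an inverted index from property value to the packages that share it; a signature is a conjunction of property values, and matching intersects the posting lists starting from the rarest value. The property namespaces ("perm:", "cert:", "class:") and the package inventory are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// PropertyTable is the inverted index the abstract describes: property value
// -> set of installed packages that exhibit it. Values are namespaced
// ("perm:SEND_SMS", "cert:ab12", "class:a.b.C") so kinds cannot collide.
type PropertyTable map[string]map[string]struct{}

// BuildPropertyTable runs once at install/update time, not per scan.
func BuildPropertyTable(packages map[string][]string) PropertyTable {
	t := PropertyTable{}
	for pkg, props := range packages {
		for _, p := range props {
			if t[p] == nil {
				t[p] = map[string]struct{}{}
			}
			t[p][pkg] = struct{}{}
		}
	}
	return t
}

// Match returns, sorted, the packages carrying every value in the signature.
// It intersects posting lists starting from the rarest value, so the work is
// bounded by the smallest posting list rather than by walking every package's
// property list; a signature containing a value no package has ends at once.
func (t PropertyTable) Match(signature []string) []string {
	if len(signature) == 0 {
		return nil
	}
	postings := make([]map[string]struct{}, 0, len(signature))
	for _, v := range signature {
		set, ok := t[v]
		if !ok {
			return nil
		}
		postings = append(postings, set)
	}
	sort.Slice(postings, func(i, j int) bool { return len(postings[i]) < len(postings[j]) })
	var hits []string
	for pkg := range postings[0] {
		all := true
		for _, set := range postings[1:] {
			if _, ok := set[pkg]; !ok {
				all = false
				break
			}
		}
		if all {
			hits = append(hits, pkg)
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleInventory is a constructed inventory of three installed packages.
func SampleInventory() map[string][]string {
	return map[string][]string{
		"com.example.weather": {"perm:INTERNET", "perm:ACCESS_FINE_LOCATION", "cert:11aa"},
		"com.example.banker":  {"perm:INTERNET", "perm:SEND_SMS", "perm:READ_SMS", "cert:22bb", "class:a.b.SmsRelay"},
		"com.example.flash":   {"perm:INTERNET", "perm:SEND_SMS", "cert:33cc"},
	}
}

func main() {
	table := BuildPropertyTable(SampleInventory())
	// A signature is the conjunction of property values a malware family shares.
	sig := []string{"perm:SEND_SMS", "perm:READ_SMS", "class:a.b.SmsRelay"}
	fmt.Println("matches:", table.Match(sig))
	fmt.Println("unknown value:", table.Match([]string{"perm:INTERNET", "cert:99zz"}))
}
```

A signature made only of common values (say "perm:INTERNET") matches almost everything, so the table makes the cost of a weak signature visible: its posting list is the whole inventory. Signatures should lead with the rarest, most specific property.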
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
G06F 15/16 - Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
10.
SYSTEM AND METHOD OF SORT-ORDER PRESERVING TOKENIZATION
An intercepting proxy server processes traffic between an enterprise user and a cloud application. The intercepting proxy server intercepts real data elements in communications from the enterprise to the cloud and replaces them with obfuscating tokens. Tokens included in results returned from the cloud are intercepted by the intercepting proxy server and replaced with the corresponding real data elements. In order for the sort order of the tokens to correspond to the sort order of the corresponding real data elements, a sort-order-preserving data compression is performed on parts of the real data elements, and the compressed values are concatenated with the obfuscated tokens, thus producing sortable tokens which, even though they are obfuscated, appear in the correct sort order in the cloud application.
Cloud service providers provide resources on a plurality of hosts, some of which furthermore reside in different domains. An enhanced Reverse Proxy server is described which is configured to access hosts of multiple domains, handling client requests transparently. A request from a client to any of the supported service provider target hosts is addressed to a path in the domain of the reverse proxy server, and is formatted to include the target host domain coded as a short-form name which is inserted in the path component of the request. Arguments in JavaScript calls of the response from the target host to the client are modified to ensure that future JavaScript operations generate similarly formatted requests. The enhanced Reverse Proxy translates Uniform Resource Locators (URLs) of traffic between hosts of the service provider and the client in both directions accordingly.
A Security Assertion Markup Language (SAML) conversation is intercepted in an enhanced Reverse Proxy server computer located in the path between a user and a server computer that provides cloud application services to the user. During authentication, the SAML assertion signature is modified in the enhanced Reverse Proxy such that the enhanced Reverse Proxy and the user can share an encryption key. The modified assertion signature permits a common session key to be shared by the enhanced Reverse Proxy and a targeted application in the server, thus enabling the user to be authenticated and subsequently to communicate via the enhanced Reverse Proxy in a secure session with an application in the server.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 9/14 - Arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
13.
SYSTEM AND METHOD FOR TOKENIZATION OF DATA FOR STORAGE IN A CLOUD
An intercepting proxy server processes traffic between an enterprise user and a cloud application. The intercepting proxy server intercepts real data elements in communications from the enterprise to the cloud and replaces them with obfuscating tokens which are randomly generated. To the cloud application, real data are visible only as tokens. Tokens included in results returned from the cloud are intercepted by the intercepting proxy server and replaced with the corresponding real data elements. The obfuscating tokens are not computationally related to the original sensitive value. Each intercepted real data element is stored in a local persistent storage layer, indexed by the corresponding obfuscating token, allowing the real data element to be retrieved when the token is returned from the cloud, for delivery to the user.
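One proxy-side implementation of the two tokenization schemes described in entries 10 and 13 above, as an added Go example (written for this page, not the patents' code). The vault maps random tokens to real values in both directions; TokenizeSortable prefixes the random token with a fixed-width, order-preserving encoding of the value's first n characters, so the cloud application sorts the tokens as it would sort the plaintext. The prefix width, the 2-digit rank alphabet and the 12-byte random token are assumptions made here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Vault is the proxy's local persistent store: token -> real value, plus the
// reverse map so the same value always yields the same token (needed so
// equality lookups in the cloud application keep working).
type Vault struct {
	byToken map[string]string
	byReal  map[string]string
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byReal: map[string]string{}}
}

// randomToken has no computational relation to the value: 12 random bytes.
func randomToken() string {
	b := make([]byte, 12)
	rand.Read(b) // crypto/rand.Read does not fail on supported platforms
	return hex.EncodeToString(b)
}

// Tokenize replaces a real data element with a random token and records it.
func (v *Vault) Tokenize(real string) string {
	if t, ok := v.byReal[real]; ok {
		return t
	}
	t := randomToken()
	v.byToken[t] = real
	v.byReal[real] = t
	return t
}

// sortKey is the order-preserving "compression" of the first n characters:
// each character becomes a fixed-width rank (00 for padding or other symbols,
// 01-10 for digits, 11-36 for letters), so comparing keys as strings orders
// them like the case-folded prefixes. Anything beyond n characters is not
// represented, so two values sharing their first n characters tie.
func sortKey(real string, n int) string {
	var sb strings.Builder
	s := strings.ToLower(real)
	for i := 0; i < n; i++ {
		rank := 0
		if i < len(s) {
			switch c := s[i]; {
			case c >= '0' && c <= '9':
				rank = 1 + int(c-'0')
			case c >= 'a' && c <= 'z':
				rank = 11 + int(c-'a')
			}
		}
		fmt.Fprintf(&sb, "%02d", rank)
	}
	return sb.String()
}

// TokenizeSortable prefixes the random token with the order-preserving key.
func (v *Vault) TokenizeSortable(real string, n int) string {
	if t, ok := v.byReal[real]; ok {
		return t
	}
	t := sortKey(real, n) + "-" + randomToken()
	v.byToken[t] = real
	v.byReal[real] = t
	return t
}

// Detokenize is applied to results coming back from the cloud.
func (v *Vault) Detokenize(token string) (string, bool) {
	r, ok := v.byToken[token]
	return r, ok
}

func main() {
	v := NewVault()
	var toks []string
	for _, name := range []string{"Zhang", "Alvarez", "Okafor", "Alves"} {
		toks = append(toks, v.TokenizeSortable(name, 4))
	}
	sort.Strings(toks) // what the cloud application would do with the column
	for _, t := range toks {
		real, _ := v.Detokenize(t)
		fmt.Printf("%s -> %s\n", t, real)
	}
	fmt.Println("random:", v.Tokenize("4111 1111 1111 1111"))
}
```

The sortable variant is a deliberate trade: the prefix code reveals the first n characters of every value to the cloud provider, which is why the abstract applies it only to parts of the data element. Values that should stay opaque get the plain random token and lose sortability.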
A computing device receives a training data set that includes a plurality of positive examples of sensitive data and a plurality of negative examples of sensitive data via a user interface. The computing device analyzes the training data set using machine learning to generate a machine learning-based detection (MLD) profile that can be used to classify new data as sensitive data or as non-sensitive data. The computing device displays a quality metric for the MLD profile in the user interface.
A request from a software developer is received to digitally sign software included in the request. A security policy associated with the software developer is accessed, where the security policy describes criteria for valid requests by the software developer. A determination is made whether the request is valid based at least in part on the security policy. The software is digitally signed responsive to the determination indicating that the request is valid. The digitally signed software is provided to the software developer.
A computer-implemented method for alternating malware classifiers in an attempt to frustrate brute-force malware testing may include (1) providing a group of heuristic-based classifiers for detecting malware, wherein each classifier within the group differs from all other classifiers within the group but has an accuracy rate that is substantially similar to all other classifiers within the group, (2) including the group of classifiers within a security-software product, and (3) alternating the security-software product's use of the classifiers within the group in an attempt to frustrate brute-force malware testing by (a) randomly selecting and activating an initial classifier from within the group and then, upon completion of a select interval, (b) replacing the initial classifier with an additional classifier randomly selected from within the group. Various other methods, systems, and computer-readable media are also disclosed.
A behavioral signature for detecting malware is generated. A computer is used to collect behavior traces of malware in a malware dataset. The behavior traces describe sequential behaviors performed by the malware. The behavior traces are normalized to produce malware behavior sequences. Similar malware behavior sequences are clustered together. The malware behavior sequences in a cluster describe behaviors of a malware family. The cluster is analyzed to identify a behavior subsequence common to the cluster's malware family. A behavior signature for the malware family is generated using the behavior subsequence. A trace of new malware is normalized and aligned with an existing cluster, if possible. The behavioral signature for that cluster is generated based on the behavior sequence of the new malware and the other sequences in the cluster.
A secure appliance for use within a multi-tenant cloud computing environment which comprises: a) a policy enforcement point (PEP); b) a hardened Operating System (OS) capable of deploying applications; and c) at least one application capable of hosting services and application program interfaces (APIs).
The prevalence rate of a file to be subject to behavior based heuristics analysis is determined, and the aggressiveness level to use in the analysis is adjusted, responsive to the prevalence rate. The aggressiveness is set to higher levels for lower prevalence files and to lower levels for higher prevalence files. Behavior based heuristics analysis is applied to the file, using the set aggressiveness level. In addition to setting the aggressiveness level, the heuristic analysis can also comprise dynamically weighing lower prevalence files as being more likely to be malicious and higher prevalence files as being less likely. Based on the applied behavior based heuristics analysis, it is determined whether or not the file comprises malware. If it is determined that the file comprises malware, appropriate steps can be taken, such as blocking, deleting, quarantining and/or disinfecting the file.
To prevent gaming of a reputation system, a security token is generated for a security module using metadata about the client observed during the registration of the security module. The registration server selects metadata for use in generating the security token. The generated security token is provided to identify the client in later transactions. A security server may conduct a transaction with the client and observe metadata about the client during the transaction. The security server also extracts metadata from the security token. The security server correlates the observed metadata during the transaction with the extracted metadata from the security token. Based on the result of the correlation, a security policy is applied. As a result, the metadata in the security token enables stateless verification of the client.
G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
21.
INDIVIDUALIZED TIME-TO-LIVE FOR REPUTATION SCORES OF COMPUTER FILES
An individualized time-to-live (TTL) is determined for a reputation score of a computer file. The TTL is determined based on the reputation score and the confidence in the reputation score. The confidence can be determined based on attributes such as the reputation score, an age of the file, and a prevalence of the file. The reputation score is used to determine whether the file is malicious during a validity period defined by the TTL, and is discarded thereafter.
Reputations of objects are determined by a reputation system using reports from clients identifying the objects. Confidence metrics for the clients are generated using information determined from the reports. Confidence metrics indicate the amounts of confidence in the veracity of the reports. Reputation scores of objects are calculated using the reports from the clients and the confidence metrics for the clients. Confidence metrics and reputation scores are stored in correlation with identifiers for the objects. An object's reputation score is provided to a client in response to a request.
A cryptographic key management system includes executable instructions to control access to keys based on permissions for users and groups. Executable instructions support cryptographic operations on the keys through a network application program interface. The cryptographic operations are controlled by the permissions. The cryptographic operations are distributed between the servers and the clients in accordance with criteria specifying optimal execution of cryptographic operations between the servers and the clients.
A method and apparatus for blocking messages containing pre-selected data is described. In one embodiment, the method includes determining that a message transmitted to a recipient via a network includes pre-selected data. The pre-selected data contains information from at least one random row within the tabular structure of source data. The method further includes preventing an unauthorized transmission of the pre-selected data to the recipient.
This invention comprises a method and apparatus for an Infinite Network Packet Capture System (INPCS). The INPCS is a high-performance data capture recorder capable of capturing and archiving all network traffic present on a single network or on multiple networks. The device can be attached to Ethernet networks via copper or SX fiber, either through a SPAN port (101) router configuration or through an optical splitter (102). By this method, multiple sources of network traffic, including gigabit Ethernet switches (102), may provide parallelized data feeds to the capture appliance (104), effectively increasing collective data capture capacity. Multiple captured streams are merged into a consolidated time-indexed capture stream to support asymmetrically routed network traffic, as well as other merged streams for external consumption.
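The row-based detection described in the blocking-messages abstract above, as an added Go example (written for this page, not the patent's code). Every cell of the tabular source data is indexed by its normalized text; a message is scanned with one- to three-word windows, and it is flagged only when some single source row accounts for at least minCols of the hits, which is what separates a person's first name in a greeting from that same person's name next to their own identifier and e-mail address. The HR table, the window size and the normalization are constructed for the example; a deployment would index cell hashes rather than cleartext.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cellRef locates a cell in the source table.
type cellRef struct{ row, col int }

// Matcher indexes every normalized cell of the tabular source data.
type Matcher struct {
	index map[string][]cellRef
}

var wordRe = regexp.MustCompile(`[A-Za-z0-9@.+\-]+`)

// normalize folds case and whitespace and drops sentence punctuation stuck to
// a token, so "alice.smith@example.com." matches the indexed cell.
func normalize(s string) string {
	return strings.Trim(strings.ToLower(strings.Join(strings.Fields(s), " ")), ".")
}

func NewMatcher(rows [][]string) *Matcher {
	m := &Matcher{index: map[string][]cellRef{}}
	for r, row := range rows {
		for c, cell := range row {
			if k := normalize(cell); k != "" {
				m.index[k] = append(m.index[k], cellRef{r, c})
			}
		}
	}
	return m
}

// Check scans the message with 1- to 3-word windows and counts, per source
// row, how many distinct columns were hit. The message is flagged when any
// single row contributes at least minCols cells.
func (m *Matcher) Check(message string, minCols int) (flagged bool, rowHits map[int]int) {
	toks := wordRe.FindAllString(message, -1)
	hits := map[int]map[int]struct{}{}
	for i := range toks {
		for n := 1; n <= 3 && i+n <= len(toks); n++ {
			k := normalize(strings.Join(toks[i:i+n], " "))
			for _, ref := range m.index[k] {
				if hits[ref.row] == nil {
					hits[ref.row] = map[int]struct{}{}
				}
				hits[ref.row][ref.col] = struct{}{}
			}
		}
	}
	rowHits = map[int]int{}
	for r, cols := range hits {
		rowHits[r] = len(cols)
		if len(cols) >= minCols {
			flagged = true
		}
	}
	return flagged, rowHits
}

// SampleTable is constructed data standing in for the indexed source table.
func SampleTable() [][]string {
	return [][]string{
		{"Alice Smith", "123-45-6789", "alice.smith@example.com"},
		{"Bob Jones", "987-65-4321", "bjones@example.com"},
	}
}

func main() {
	m := NewMatcher(SampleTable())
	for _, msg := range []string{
		"Forwarding Alice Smith's record: SSN 123-45-6789, alice.smith@example.com.",
		"Lunch with Alice Smith at noon",
	} {
		flagged, hits := m.Check(msg, 2)
		fmt.Printf("block=%v rowHits=%v  %q\n", flagged, hits, msg)
	}
}
```

Requiring hits from the same row is the point of the abstract's "information from at least one random row": a message that happens to contain one cell value from row 5 and another from row 200 is not a leak of either record.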
A system for bridging user identities between at least a first and a second security domain, comprising a bridge associated with the first security domain for intercepting messages for service in the second domain from users in the first domain. The bridge authenticates the user identities against a local authentication source by using an established key relationship and binds a security token with the message. A gateway is associated with the second domain for gating inbound access and outbound communication with a service in the second domain and for receiving the authenticated message and verifying the authenticity of the security token by using a certificate of the trusted authentication source and authorising access to the service upon confirmation of the authorisation, such that the authorisation is independent of the identity of the user.
H04L 9/32 - Arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system
H04L 12/16 - Arrangements for providing special services to substations
A method for provisioning a device such as a token (101). The device issues a certificate request to a Certification Authority (102). The request includes a public cryptographic key uniquely associated with the device. The Certification Authority generates a symmetric cryptographic key for the device (106), encrypts it using the public key (108), and creates a digital certificate that contains the encrypted symmetric key as an attribute. The Certification Authority sends the digital certificate to the device, which decrypts the symmetric key using the device's private key (107), and stores the decrypted symmetric key.
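The provisioning exchange above, as an added Go example (written for this page, not the patent's code): the CA issues a certificate whose extension carries the RSA-OAEP-encrypted symmetric key, and the device accepts the attribute only after the certificate chains to the CA and names the device's own public key. The private-arc OID 1.3.6.1.4.1.99999.1, the OAEP label, the OCTET STRING encoding of the attribute, the 2048-bit keys and the 24-hour validity are assumptions; the abstract does not say how the attribute is encoded.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical private-arc OID for the encrypted-symmetric-key attribute; the
// OAEP label binds the ciphertext to this one purpose.
var oidEncSymKey = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var oaepLabel = []byte("provisioned-symmetric-key")

type CA struct {
	priv *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA builds a self-signed issuing CA (assumed: 2048-bit RSA, 24h validity).
func NewCA() (*CA, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Provisioning CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{priv: priv, Cert: cert}, err
}

// Issue generates a fresh 256-bit key for the requesting device, encrypts it to
// the device's public key with RSA-OAEP and embeds the ciphertext as an OCTET
// STRING extension of the certificate it signs. The CA keeps the plaintext key
// for the server side; it is returned here only so the caller can compare.
func (ca *CA) Issue(devPub *rsa.PublicKey, cn string) (certDER, symKey []byte, err error) {
	symKey = make([]byte, 32)
	rand.Read(symKey) // crypto/rand.Read does not fail on supported platforms
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, symKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	extVal, _ := asn1.Marshal(ct) // DER OCTET STRING
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtraExtensions: []pkix.Extension{{Id: oidEncSymKey, Value: extVal}}}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, devPub, ca.priv)
	return certDER, symKey, err
}

// NewDevice is the token's key pair; its public half goes into the request.
func NewDevice() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Provision trusts the attribute only after the certificate chains to the CA
// and carries this device's own public key, then decrypts the symmetric key.
func Provision(priv *rsa.PrivateKey, certDER []byte, caCert *x509.Certificate) ([]byte, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&priv.PublicKey) {
		return nil, errors.New("certificate is not for this device's key")
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidEncSymKey) {
			var ct []byte
			if _, err := asn1.Unmarshal(ext.Value, &ct); err != nil {
				return nil, err
			}
			return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
		}
	}
	return nil, errors.New("certificate carries no encrypted-key attribute")
}

func main() {
	ca, _ := NewCA()
	dev, _ := NewDevice()
	certDER, caCopy, _ := ca.Issue(&dev.PublicKey, "token-0001")
	devCopy, err := Provision(dev, certDER, ca.Cert)
	fmt.Printf("err=%v device holds CA's key=%v\n", err, string(caCopy) == string(devCopy))
}
```

The example hands the CA a bare public key, which is all the abstract requires of the request; in a real deployment the request would be a signed CSR so the CA also gets proof that the requester holds the matching private key before it encrypts a key to it. Because the symmetric key travels inside a signed certificate, the device's chain check is what stops a rogue issuer from planting a key it knows.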
A method and system for securing web services on one or more server computers by one or more client computers, the computers connected to one or more networks through one or more network interfaces, each computer having one or more memories and one or more central processing units (CPUs), the system comprising one or more logical expressions that define constraints on one or more service releases; a gateway process receiving service request messages from one or more of the clients for i) identifying the service request message, ii) processing the service request message in accordance with one or more of the logical expressions associated with the requested service and iii) providing access to the requested service if the constraints are satisfied. The system includes an agent process associated with one or more of the clients, for receiving service request messages from an associated client, the message destined for a requested service, and applying to the received request message one or more of a subset of the logical expressions associated with the requested service before forwarding it to the gateway process.