Abstract

A method and apparatus for detecting data modification in a layered operating system is disclosed. Outbound content indicators at different layers are compared to detect potential outbound data modifications. Likewise, inbound content indicators at different layers are compared to detect potential inbound data modifications. Content indicators include checksum, cryptographic hash, signature, and fingerprint indicators. Embodiments of the present invention enable detection of data modifications across an operating system's kernel and user mode spaces, prevention of modified outbound data from reaching a network, prevention of modified input data from reaching a user application, and detection of malware and faults within an operating system.

IPC Classes  ?

• G06F 21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
• G06F 11/30 - Monitoring

Abstract

Method and system using a designated known secure computer for real time classification of change events in a computer integrity system are disclosed. In the embodiment of the invention, the known secure computer is dedicated for providing permissible change events, which are compared with change events generated on client operational computers. An alert is raised when the change event at the client operational computer and the respective permissible change event provided by the known secure computer differ.

IPC Classes  ?

• G06F 11/30 - Monitoring
• G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

Exploit nonspecific host intrusion prevention/detection methods, systems and smart filters are described. Portion of network traffic is captured and searched for a network traffic pattern, comprising: searching for a branch instruction transferring control to a first address in the memory; provided the first instruction is found, searching for a subroutine call instruction within a first predetermined interval in the memory starting from the first address and pointing to a second address in the memory; provided the second instruction is found, searching for a third instruction at a third address in the memory, located at a second predetermined interval from the second address; provided the third instruction is a fetch instruction, indicating the presence of the exploit; provided the third instruction is a branch instruction, transferring control to a fourth address in the memory, and provided a fetch instruction is located at the fourth address, indicating the presence of the exploit.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures

Abstract

A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a "fast path" firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a "slow- path" for intrusion detection and prevention.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures

Abstract

A method for protecting a computer system from malicious network traffic is provided using a driver which inspects network packets. A security profile comprising packet inspection rules is compiled and stored on the computer system. During the startup or boot operation of an operating system, the driver loads the compiled security profile and inspects network packets using the inspection rules.

IPC Classes  ?

• G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

A method and a system for efficient search of string patterns characterized by positional relationships in a character stream are disclosed. The method is based on grouping string patterns of a dictionary into at least two string sets and performing string search processes of a text of the character stream based on individual string sets with the outcome of a search process influencing a subsequent search process. A system implementing the method comprises a dictionary processor for generating string sets with corresponding text actions and search actions, a conditional search engine for locating string patterns belonging to at least one string set in a text according to a current search state, a text operator for producing an output text according to search results, and a search operator for determining a subsequent search state.

IPC Classes  ?

• G06F 16/903 - Querying
• G06F 40/20 - Natural language analysis

Abstract

An intrusion prevention/detection system filter (IPS filter) performance evaluation is provided. The performance evaluation is performed at both the security center and at the customer sites to derive a base confidence score and local confidence scores. Existence of new vulnerability is disclosed and its attributes are used in the generation of new IPS filter or updates. The generated IPS filter is first tested to determine its base confidence score from test confidence attributes prior to deploying it to a customer site. A deep security manager and deep security agent, at the customer site, collect local confidence attributes that are used for determining the local confidence score. The local confidence score and the base confidence score are aggregated to form a global confidence score. The local and global confidence scores are then compared to deployment thresholds to determine whether the IPS filter should be deployed in prevention or detection mode or sent back to the security center for improvement.

IPC Classes  ?

• G06F 11/34 - Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation
• G06F 21/56 - Computer malware detection or handling, e.g. anti-virus arrangements
• H04L 12/22 - Arrangements for preventing the taking of data from a data transmission channel without authorisation

Abstract

Method and system for determining protection-software configurations for a plurality of hosts are disclosed. Descriptors relevant to host types are defined, and a set of intrusion-detection rules applicable to each host type is devised. A target host is selected, and a first subset of intrusion-detection rules is formulated including rules that have been added and rules that have been modified since a previous protection-software configuration of the target host. Queries are sent to the target host, and values of current descriptors are received from the target host, followed by identifying updated descriptors that have changed since previous protection-software configuration. A second subset of intrusion-detection rules is also formulated including rules which depend on the updated descriptors, followed by executing the intrusion-detection rules which belong to the first and second subset of rules and installing new filters at the target host based on the first and second subset of rules.

IPC Classes  ?

• G06F 21/57 - Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
• G06F 21/55 - Detecting local intrusion or implementing counter-measures

Abstract

Methods and apparatus for dynamically revising host-intrusion-protection configurations according to varying host state and changing intrusion patterns are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the hosts, maintains and updates protection software containing filters and rules for deploying each filter. A local server cyclically monitors each host of its subset of hosts at time instants separated by adjustable monitoring periods to acquire host-characterizing data and determine an optimal set of filters. The local server maintains a profile for each host and determines a current monitoring period for a host according to the host's current profile. The processing effort is reduced by judicial adjustment of successive monitoring periods and selectively tailoring the host-characterizing data to the conditions of each host.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures

Abstract

Method and system for determining current protection-software configurations for a plurality of hosts are disclosed A current time indicator, and a host type for a target host are determined, followed by identifying a set of host descriptors corresponding to each host type A set of queries corresponding to the set of host descriptors is sent to the target host to acquire current characterizing data elements from the target host, and the current characterizing data elements are compared with prior characterizing data elements. If current characterizing data elements differ from prior characterizing data elements, a current protection-software configuration for the target host is updated. If the current protection-software configuration differs from a prior protection-software configuration, a host-reconfiguration time indicator is set as the current time indicator, and the current protection-software configuration is transmitted to the target host The current characterizing data elements and protection-software configuration are retained for subsequent use.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures
• H04L 12/22 - Arrangements for preventing the taking of data from a data transmission channel without authorisation

Abstract

A method for dynamically decoding protocol data on a computer system is provided using a protocol decoder, which inspects and analyzes protocol data received by the computer system. A protocol decoding program controls the decoding and analysis process. The method may be used by an intrusion prevention system to identify anomalous protocol data that may cause harm to applications receiving the data.

Abstract

A method and system for managing multiple firewall configurations are disclosed. The method uses a pointer on a packet object representing a packet to reference a configuration object representing a configuration of the firewall which is assigned to the packet. By using a pointer to link each packet entering a computer system to the most recent configuration, the method can maintain multiple configurations and enable the firewall processing modules to process each packet according to its assigned configuration even if new configurations are released during the transition of the packet through the system. A reference count is also used as a variable by the configuration object to track the number of packets assigned to the configuration. A corresponding system is also provided.

IPC Classes  ?

• H04L 41/0803 - Configuration setting
• H04L 69/22 - Parsing or analysis of headers

Abstract

A method and system for managing multiple firewall configurations are disclosed. The method uses a pointer an a packet object representing a packet to reference a configuration object representing a configuration of the firewall which is assigned to the packet. By using a pointer to link each packet entering a computer system to the most recent configuration, the method can maintain multiple configurations and enable the firewall processing modules to process each packet according to its assigned configuration even if new configurations are released during the transition of the packet through the system. A reference count is also used as a variable by the configuration object to track the number of packets assigned to the configuration. A corresponding system is also provided.

IPC Classes  ?

• H04L 41/0803 - Configuration setting
• G06F 21/55 - Detecting local intrusion or implementing counter-measures
• H04L 69/22 - Parsing or analysis of headers

Abstract

A method for assembling an update for a software release is described, including defining classes of software components, having a plurality of instances, each instance having a plurality of versions of the software components. A correspondence is established between a version of an instance of a first class and a second class for conditionally assigning indicators to the version of the instance of the first class based on indicators assigned to versions of the second class, and vice versa. Time stamps are assigned to each version of a software component of each instance of each class, and indicators identifying a release status of said each version are assigned to each version of a software component of each instance of each class. Rules are defined for processing the time stamps and the indicators. A single version of a software component of each instance of each class is selected based on processing of the time stamps and the indicators according to the rules. The update of the software release is assembled from selected versions of software components. A corresponding system is also provided.

Abstract

A method for efficiently decrypting asymmetric SSL pre-master keys is divided into a key agent component that runs in user mode, and an SSL driver running in kernel mode. The key agent can take advantage of multiple threads for decoding keys in a multi- processor environment, while the SSL driver handles the task of symmetric decryption, of the SSL encrypted data stream. The method is of advantage in applications such as firewalls with deep packet inspection in which all encrypted data traffic passing through the firewall must be decrypted for inspection.

IPC Classes  ?

• H04L 9/28 - Arrangements for secret or secure communications; Network security protocols using particular encryption algorithm

Abstract

A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be realized by an article of manufacture comprising at least one processor-readable medium and instructions carried on the at least one medium. The instructions causes a processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

IPC Classes  ?

• G06F 40/20 - Natural language analysis
• G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled

Abstract

A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be realized by an article of manufacture comprising at least one processor-readable medium and instructions carried on the at least one medium. The instructions causes a processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

IPC Classes  ?

• G06F 40/20 - Natural language analysis
• G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled

Abstract

A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be realized by an article of manufacture comprising at least one processor-readable medium and instructions carried on the at least one medium. The instructions causes a processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

IPC Classes  ?

• G06F 40/20 - Natural language analysis
• G06F 16/903 - Querying

Abstract

A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be realized by an article of manufacture comprising at least one processor-readable medium and instructions carried on the at least one medium. The instructions causes a processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

IPC Classes  ?

• G06F 40/20 - Natural language analysis
• G06F 16/33 - Querying

Abstract

A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be realized by an article of manufacture comprising at least one processor-readable medium and instructions carried on the at least one medium. The instructions causes a processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

IPC Classes  ?

• G06F 40/20 - Natural language analysis
• G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled

Abstract

A method for detecting and locating occurrence in a data stream of any complex string belonging to a predefined complex dictionary is disclosed. A complex string may comprise an arbitrary number of interleaving coherent strings and ambiguous strings. The method comprises a first process for transforming the complex dictionary into a simple structure to enable continuously conducting computationally efficient search, and a second process for examining received data in real time using the simple structure. The method may be realized by an article of manufacture comprising at least one processor-readable medium and instructions carried on the at least one medium. The instructions causes a processor to match examined data to an object complex string belonging to the complex dictionary, where the matching process is based on equality to constituent coherent strings, and congruence to ambiguous strings, of the object complex string.

IPC Classes  ?

• G06F 40/20 - Natural language analysis
• G06F 16/332 - Query formulation
• G06F 7/00 - Methods or arrangements for processing data by operating upon the order or content of the data handled

Abstract

An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures

Abstract

An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures
• H04L 12/22 - Arrangements for preventing the taking of data from a data transmission channel without authorisation

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep- security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep- security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures
• H04L 12/22 - Arrangements for preventing the taking of data from a data transmission channel without authorisation

Abstract

Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep- security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.

IPC Classes  ?

• G06F 21/55 - Detecting local intrusion or implementing counter-measures