Patent Grant
8701189
The invention relates to computer software. Specifically, the invention relates to methods of and systems for providing denial-of-service protection. Protection is provided through the analysis of data including network, application, or process data to identify a network source of a detected exploitation, and processing the network data associated with exploitation to block, neutralize, and prevent a denial-of-service.
Networked servers can provide services to other networked hosts. Some of these networked hosts attempt to exploit a server by taking advantage of security loopholes. One exploitation method uses a security hole to inject malicious code into the server memory, which executes the malicious code to exploit the server. This malicious code, also known as malware, can search the data structures of an application, a library, or an operating system component to find and utilize server system resources for the purpose of interrupting these services (such as denial-of-service attacks), to access sensitive information residing on the server, or to perform other malicious steps. Further, malware can by design or as a side effect disable a server resulting in a denial-of-service.
Another challenge presented by malicious code is to prevent reinfection of a server. While the objective of the malicious code is typically to exploit the server often, intentionally or unintentionally, the server's capability of providing services can be effected resulting in a denial-of-service. Further, prior art methods of detecting and neutralizing malicious code could leave a server unable to provide services and again resulting in a denial-of-service. Thus, while repetitive attempts to exploit a system might be unsuccessful, through prior art detection and neutralization means, the server is rendered unable to provide network services resulting in a denial-of-service.
In accordance with the present invention a method of and system for denial-of-service protection of a computer system comprises receiving an exploitation indication, analyzing data including network data, application data, and process data to identify a malicious source, and processing subsequently received network data identified as originating from the malicious source to prevent a denial-of-service. Preferably, the method of and system for denial-of-service protection blocks the identified source mounting a denial-of-service attack or any other identified source of malware. However, other network data processing options are contemplated including redirecting the network data from a malicious source or flow controlling network data received from the network source mounting a denial-of-service attack.
In a first aspect of the present invention, a method of denial-of-service protection for a computer system is provided. The method comprises the steps of collecting network data from an interface receiving network data from one or more sources, analyzing the network data identifying the source of the system exploitation upon receiving an indication of a system exploitation, and processing subsequently received network data to prevent a denial-of-service. In one embodiment, application information, process information, or a combination thereof collected is used in the analysis identifying the malicious source. In one embodiment, the source is client computers requesting services from the computer system or server. Once an indication of system exploitation is received, the collected data which includes network data, application data, or any combination thereof is analyzed to determine the network source that caused the denial-of-service attack. In one embodiment, network data received subsequent to the exploitation indication is also used in the analysis. The analysis includes statistical techniques, heuristic techniques, or a combination thereof to determine the source of a malicious host mounting the denial-of-service attack or the source of malware.
While denial-of-service attacks are one type of system exploitation, in some embodiments the method is used to protect against other system exploitations. The indication of system exploitation includes the detection of a virus or a rogue programs externally injected into the computer system. Once the malicious source is identified, received network data is processed to prevent or limit an exploitation by means including blocking data from the malicious source, redirecting the malicious source data to another interface or computing system to study the method of exploitation, or flow controlling the malicious source to limit the effect of the exploitation.
In accordance with another embodiment of the present invention, the network data includes, times a service connection was made, connection durations, a time a packet was received, host identifiers, a number of connections from a host, number of packets from a host, protocol identifier, port number, packet payloads, assembled packet data, or any combination thereof. Further, any other data that identifies the source of the network data can be included. Network data can include reassembling packets and inspecting the packet headers and content.
In accordance with one embodiment of the present invention, the processing of the network data from the malicious source comprises one or more of blocking, redirecting, and flow controlling the network data associated with the malicious source. Each network packet is checked for its origin. If the origin of the network data does not match an identified malicious source, then the packet is passed unimpeded to the destination requesting the data. If the packet source matches an identified malicious source, as determined from the analysis of the data, then the data packet is blocked. In one embodiment, a blocked packet is dropped and not delivered to the requesting application. In an alternative embodiment, the packet redirected for later analysis the network data from the malicious source is stored or analyzed by a different system. In another embodiment, the processing of the network data flow controls the data from the malicious source. A denial-of-service attack sends an excessive number of service requests to a server. Flow control of requests originating from a network source identified as malicious reduces the frequency of these requests and thus reduce load on the computer system providing services. In a further embodiment, the collected application information, process information, or a combination thereof is used to selectively process the network data.
In another embodiment in accordance with the present invention, the method further comprises collecting application information, process information, or both. The information collected is associated with the network data and used in the identification of processing the network data. In a further embodiment, the application information, the process information, or the combination thereof is used to selectively processing the network data.
In accordance with another embodiment of the present invention, the step of processing of the network data from the malicious source is performed as part of a Transport Data Interface (TDI) filter that is added to the execution path of a TDI networking stack. The TDI networking stack receives the network data and implements the networking protocols with the computer interface. Further, in one embodiment analyzing the network data information is executed by a Transport Data Interface (TDI) filter. The analyzing utilizes one or more of the network data information, the application information, and the process information to identify the source of the malicious code or the source of the denial-of-service attack.
In accordance with a further embodiment of the present invention, the invention includes detecting a system exploitation using a predetermined address protection, which detects malicious code loaded into writable memory which accesses data structures describing an application, a library, or an operating system component or their associated data.
In a second aspect of the present invention, a denial-of-service protection system comprises a storage component containing network data, a network interface component configured to collect network data from one or more sources and store this information in the storage component, an analysis component configured to identify a malicious source from the network data upon receiving an system exploitation indication, and a processing component configured to process network data from the malicious source to prevent a denial-of-service. In one embodiment, the system identifies the malicious source processing the network data using statistical techniques, heuristic techniques, or a combination thereof.
In accordance to one embodiment of the present invention, the network data information includes connection times, host identifiers, number of connections from a host, protocol identifier, port number, packet data, assembled packet data, or any combination thereof. In response to an exploitation indication, the processing component is configured to block, redirect, flow control, or any combination thereof of the network data from the malicious source. In one embodiment, the processing component includes in a Transport Data Interface (TDI) filter added to the execution path of the TDI networking stack. In a further embodiment, the analysis component is incorporated into the Transport Data Interface (TDI) filter. The analysis component utilizes one or more of the network data information, the application information, and the process information to identify the source of the malicious code or the source of the denial-of-service attack.
In accordance with another embodiment, the processing component of the system further comprises collecting application information, processing information, or a combination thereof, wherein the application information and the process information are associated with the network data, and used by the analysis component in the identification of the malicious source. In a further embodiment of the system, the application information, the process information, or the combination thereof is used by the processing component to selectively process the network data.
In a further embodiment, the system includes a malicious detection component configured to detect malicious code executing in writable memory when the code accesses a predetermined address. The detection generates the system exploitation indication but other exploitation detection methods are contemplated.
In another aspect to of the present invention, a computer device comprising a computer readable storage medium having computer executable instructions thereon for denial-of-service protection, the steps comprising: collecting network data, analyzing network data identifying a malicious source, and processing the network data from the identified malicious source to prevent a denial-of-service to block, redirect, or flow control the network data. In one embodiment, the computer device includes collecting network data from an interface receiving network data from one or more sources and analyzing the network data to identify a malicious source from the one or more sources upon receiving a system exploitation indication. Further the steps include processing network data, origination from the malicious source. In one embodiment, the analysis of the network data utilizes statistical and heuristic techniques.
In accordance with another embodiment of the present invention, the processor readable code is configured to analyze the network data comprising one or more of a time the connection was made, a time a packet was received, a connection duration, host identifiers, a number of connections from a host, a protocol identifier, a port number, packet data, assembled packet data, or any combination thereof. Further, any other data that identifies directly or indirectly identifies the source of the network data can be use. This can include inspecting the packet headers, and reassembling packets to inspect the content.
In accordance with another embodiment of the present invention, the processor readable code includes processing the network data from the malicious source. The processing includes blocking, redirecting, or flow controlling of the network data from the malicious source. Each network packet is checked for its source. If the source of the network data does not match the an identified malicious source, including a source implementing a denial-of-service exploitation, then the packet is passed unimpeded to the computer application or component requesting the data. If the packet source matches the source identified as malicious by the analysis of the network data, then the data packet is blocked. A blocked packet is dropped and not delivered to the destination specified within the packet. Alternatively, the packet can be redirected for later analysis. The data from the malicious source can be stored or analyzed by a different machine or processor. Another approach to processing network data is to flow control data from the malicious source.
In a further embodiment, the computer device also collects application information, process information, or both. The application information and the process information are associated with the network data, and used by the computer device to selectively process network data. In a further embodiment, the computer device the application information, the process information, or both is used in selecting the network data to process.
In accordance with one embodiment of the present invention, the processor readable code, configured to process the network data from a malicious source, is part of a Transport Data Interface (TDI) filter. The processor readable code is added to the executions path of a TDI networking stack. The TDI networking stack receives the network data and implements the networking protocols associated with the computer interface. In a further embodiment, the processor readable code, includes a Transport Data Interface (TDI) filter configured to analyze one or more of the network data information, application information, and process information to identify the malicious source or the source of the denial-of-service attack.
In accordance with a further embodiment of the present invention, the processor readable code includes the detection of a system exploitation. In one embodiment, the system exploitation includes malicious code injected into writeable memory of the computer system and accesses a predetermined address.
The invention is better understood by reading the following detailed description of exemplary embodiments in conjunction with the accompanying drawings.
The following description of the invention is provided as an enabling teaching of the invention. Those skilled in the relevant art will recognize that many changes can be made to the embodiment described, while still obtaining the beneficial results of the present invention. It will also be apparent that some of the desired benefits of the present invention can be obtained by selecting some of the features of the present invention without utilizing other features. Accordingly, those who work in the art will recognize that many modifications and adaptations to the present invention are possible and can even be desirable in certain circumstances, and are a part of the present invention.
In accordance with the invention, system exploitations resulting in a denial-of-service are blocked or limited. These exploitations can include networked sources of malware or network sources directly mounting a denial-of-service attack. One form of a denial-of-service attack is for a networked host to make excessive requests for services that result in overloading a server. Alternatively, a malicious client makes service requests that injects malicious code or malware into server memory. This malware can intentionally or unintentionally interfere with the server's operation resulting in a denial-of-service. Further, prior art methods of blocking or neutralizing malicious code might leave a server unable to provide services, resulting in a denial of services.
In one embodiment, processing of the network data prevents a denial-of-service by blocking or neutralizing malware that is issuing excessive service requests that would overload the server. Blocking data from a source identified as launching a denial-of-service attack or other type of exploitation, prevents further attempts which may overload the server. Blocking a network source identified as injecting malware that interferes or disables server services also prevents denial-of-service. For denial-of-service attacks, flow controlling the network data from an identified malicious host is an effective technique for mitigating the effect of a denial-of-service attack. An additional approach to prevent a denial-of-service is to redirect to another processing system to analyze the associated network data from the source identified as overloading the server or the network source of malware. This technique is also effective in gathering information regarding the structure and from of a denial-of-service or other malware exploitation.
In an exemplary embodiment, the TDI filter 242 is configured to monitor and collect the network data 265 received from network sources including a malicious client 260 launching a denial-of-service attack or being the source of other malware. The monitoring includes network level packet monitoring or monitoring at the connection level. Packet data can include time-based statistics, the number of packets or bytes received from a network address or source, or the monitoring of packet data. Host-based information can include the time a host connection is made, number of connections make within a time period, the host name, the host address, or any other parameters that identifies the TDI client 225, and the protocols being used, the client computer 260 name, or client computer 260 address.
Further, the collection of information, before or subsequent to receiving an exploitation indiction, can include information related to applications or processes related to network data being received. This data can include process identifiers, applications names, time the process or application started, CPU time used, or any combination thereof. The collection of process and application data is executed by the TDI filter 242, the analysis program 250 or another application, or process (not shown).
Additionally, in one configuration, the TDI filter 242 selectively processes network data identified as originating from a malicious source and based on an application of process identification information such as the TDI client 225 application identifier or process identifier. The processing can include blocking, redirecting, or flow controlling the network data. Each technique is useful in countering a denial-of-service attack or other malware exploitation.
A denial-of-service can be caused by a malicious host making excessive requests for services that overloads a computer system, by the infection of a computer with malicious code that either intentionally or unintentionally disables server services, or by the detection, disabling or neutralizing of the malicious code, which results in the disabling of server services an thereby results in a denial-of-services. A malicious client 260 can reinfect a server even after the infection is detected and neutralized or the server rebooted. Blocking a host identified as the source launching a denial-of-service attack has the benefit of preventing reinfection of the server and the resulting denial-of-service. Flow controlling the network data from a network source identified as overloading the system is an effective way of minimizing the effect of a denial-of-service attack. This approach is useful where a source of requests might not be mounting a denial-of-service attack or other exploitation, but the behavior of the source is suspicious. Flow controlling the requests reduces the level of service provided to the source but does not completely exclude the source from obtaining services. In accordance with another embodiment, the associated network data is from a network source originating malicious code or a denial-of-service attack is redirected to storage or to another system for analysis. This technique is used to gather data on a denial-of-service attack or information about malware or other exploitations.
Alternatively, the processing of the network data is executed outside the TDI filter 242 or TDI Driver Stack 240. In an alternative embodiment, the processing is performed by another program such as a firewall (not shown). The configuration of the firewall, to block or otherwise process the data can be by either the analysis component 250 or by the TDI filter 242 when configured to analyzed the network data information to identify the malicious source.
The collected network data is stored in either kernel memory 232, user memory 257, on a non-volatile storage device 270, or any combination thereof. The kernel memory 232 and user memory 257 are part of an analysis program 250 for identifying malicious sources. The collected network data is processed by the analysis component 250 when an indication of a system exploitation 255 is received. The analysis component can execute out of user memory 220, kernel memory 230, or a combination of both. The denial-of-service or system exploitation can include all forms of malicious code, often referred to as malware including computer viruses, worms, trojan horses, rootkits, spyware, dishonest adware, criminalware, or a host overloading a server with a flood of services requests. The analysis component 250 processes the network data using statistical and heuristic algorithms. Further, the analysis component can use the collected application information, process information, or both in the determination of the malicious source.
Alternatively, the analysis of one or more of the collected network data information, the application information, and the process information is executed by the TDI filter 242 to determined the malicious source or the source of a denial-of-service attack. The detected malicious source can be used to configure the TDI filter 242 in the processing of data from the malicious source or the source of a denial-of-service attack.
In the shown embodiment, the system includes a detection component 280 that reports or indicates a system exploitation. The detected component 280 provides a system exploitation indication 255 to the analysis component 250, which will subsequently determine the malicious source. Further, the detection component 280 can include the detection of malicious code executing out of writable memory using predetermined address protection as described in the copending and co-owned U.S. patent application Ser. No. 12/322,220, filed Jan. 29, 2009, entitled “METHOD OF AND SYSTEM FOR MALICIOUS SOFTWARE DETECTION USING CRITICAL ADDRESS SPACE PROTECTION,” which is herein incorporated by reference in its entirety. Other applications describing malware protection and identification techniques include co-owned and copending U.S. patent application Ser. No. 10/651,588, filed Aug. 29, 2003 and entitled “DAMAGE CONTAINMENT BY TRANSLATION,” which is herein incorporated by reference in its entirety; and U.S. patent application Ser. No. 11/122,872, filed May 4, 2005 and entitled “PIRACY PREVENTION USING UNIQUE MODULE TRANSLATION,” which is herein incorporated by reference in its entirety. The system detection component 280 can execute out of user memory 220, kernel memory 230, or a combination of both.
In an optional step 310, an exploitation of the system is detected. In one embodiment, the step 310 includes the detection of excessive service requests over the network from a malicious client implementing a denial-of-service attack or other malware exploitation. The detection includes a virus loaded into the computer system, or malicious code injected into and executed out of writable memory and accessing a predetermined address. Details of the detection of code executing out of writable memory can be found in the U.S. patent application Ser. No. 12/322/220, filed Jan. 29, 2009, entitled “METHOD OF AND SYSTEM FOR MALICIOUS SOFTWARE DETECTION USING CRITICAL ADDRESS SPACE PROTECTION,” which is incorporated by reference in its entirety. Other applications describing malware protection and identification techniques include the above mentioned co-owned and copending U.S. patent application Ser. No. 10/651,588, filed Aug. 29, 2003 and U.S. patent application Ser. No. 11/122,872, filed May 4, 2005. Upon detecting a system exploitation, a system exploitation indication is generated. The system exploitation indication invokes the step 320 of analyzing the network data, application data, and process data to identify a malicious source.
In the step 320 the data is analyzed to identify a malicious source. In one embodiment, the identification of the malicious source utilizes network data that includes a time the connection was made, a connection duration, a time that a packet was received, a host identifiers, a number of connections from a host, a number of packets from a host, a protocol identifier, port number, packet data, and assembled packet data. In a further embodiment, the analysis utilizes application data, process data, or a combination thereof. Further, in another embodiment the analysis uses statistical techniques, heuristics techniques, or a combination thereof in the identification of the malicious source. Once the malicious source is identified, the process continues to the step 330 in which malicious source information is received an processed.
Exemplary heuristics and statistical techniques used to identify a malicious host include but are not limited to, choosing all connected hosts, the last host to connect, the last host to send data, the last host to receive data, the last host to send and receive data within a time window, the last connected host to send data, the last connected host to receive data, the connected host that has sent the most data, the connected host that has received the most data, and the connected host that has received and sent the most data. The above mentioned techniques can incorporate additional parameters such as all hosts connected to a specific port.
Further, the techniques can include using collected information about the applications, processes, or combination thereof as part of the input to the heuristic and statistical techniques for identifying the malicious host. For example, the collected network data could include choosing all connected hosts to a specific application or process, the last host to connect to a specific application or process, the last host to send data to a specific application or process, the last host to receive data from a specific application or process, the last host to send and receive data within a time window to a specific application or process, the last connected host to send data to a specific application or process, the last connected host to receive data to a specific application or process, the connected host that has sent the most data to a specific application or process, the connected host that has received the most data from a specific application or process, and the connected host that has received and sent the most data to a specific application or process.
Statistical techniques for identifying a malicious host include but are not limited to statistical deviation of the number of connections or packets from a host that exceeds a threshold, an amount of data sent by a host within a time interval, or an amount of data received by a host within a time interval. In one embodiment, the statistics are calculated over a time period that includes multiple system re-boots or system exploitations. Further, in another embodiment a running average of the above statistics can be used to adapt to time varying statistical variations.
In the step 330, received network data identify as originating from the malicious source is further processed. If a originating source is not identified as malicious, then network data is passed to the destination unimpeded. The data identified as originating from a malicious source is processed to prevent or diminish a denial-of-service attack or other malware exploitation that can result in a denial of service. In one embodiment, the processing includes blocking the network data and/or connection from the identified malicious source. In another embodiment, the processing includes modifying packets or data streams from the malicious source. Another method of processing data includes redirecting data to another processing system or storage device for later analysis. In a further embodiment, the processing of network data includes flow controlling the data by means including delaying the delivery of the data. The process can further be limited to data packets or streams associated with an application or process or using attributes associated with an application or attribute. The processing ends in the step 399.
Network data is processed by a software component hooked or linked into a network stack. In an embodiment that uses Windows Server®, the network stack is called a Transport Data Interface (TDI) driver stack 240. A TDI filter 242 is coupled into the execution path for the TDI driver 240. The TDI filter 242 collects network data, network information, and statistics on received network data. Additionally, the TDI filter 242 processes the network data packets and data streams received from the network interface for blocking, redirecting, or flow controlling the identified malicious network data. Further, some embodiments, the TDI filter 242 is configured to analyze the collected network data, network information and statistics to determine the source of the malicious host or the source of the denial-of-service attack. The identified malicious source is used to configure the blocking, or flow controlling the network data. In other embodiments, the TDI filter configures an external component, such as a firewall, to block the detected malicious source or source of the denial-of-service attack.
The storage device 412 can include a hard drive, tape, CDROM, CDRW, DVD, DVDRW, flash memory card or any other storage device. An example of the network interface 402 includes a network card coupled to an Ethernet or other type of LAN. The I/O device(s) 408 can include one or more of the following: keyboard, mouse, monitor, display, printer, modem, touchscreen, button interface and other devices including remote systems. The code for the denial-of-service protection (DOSP) 440 can be configured into the OS (operating system) 430 and is part of the OS 430 initialization. The analysis code 450 for the analyzing the network data and identifying the malicious host or client are a component separate from the OS 430. Additionally, in one embodiment code 460 for the detection of a system exploitation is found on the storage. More or fewer components shown in
Reference has been made in detail to the preferred and alternative embodiments of the invention, examples of which are illustrated in the accompanying drawings. It will be readily apparent to one skilled in the art that other modifications may be made to the embodiment without departing from the spirit and scope of the invention as defined by the appended claims. On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which can be included within the spirit and scope of the invention. Furthermore, in the detailed description of the present invention, numerous specific details have been set forth in order to provide a thorough understanding of the present invention. However, it should be noted that the present invention can be practiced without these specific details. In other instances, well known methods, procedures and components have not been described in detail so as not to unnecessarily obscure aspects of the present invention.
This application claims priority under 35 U.S.C. §119(e) of the co-owned U.S. Provisional Patent Application Ser. No. 61/063,224 filed Jan. 31, 2008, and entitled “AUTONOMIC NETWORK RESPONSE TO PROCESS HIJACKING,” which is hereby incorporated by reference in its entirety.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4688169 | Joshi | Aug 1987 | A |
| 4982430 | Frezza et al. | Jan 1991 | A |
| 5155847 | Kirouac et al. | Oct 1992 | A |
| 5222134 | Waite et al. | Jun 1993 | A |
| 5390314 | Swanson | Feb 1995 | A |
| 5521849 | Adelson et al. | May 1996 | A |
| 5560008 | Johnson et al. | Sep 1996 | A |
| 5699513 | Feigen et al. | Dec 1997 | A |
| 5778226 | Adams et al. | Jul 1998 | A |
| 5778349 | Okonogi | Jul 1998 | A |
| 5787427 | Benantar et al. | Jul 1998 | A |
| 5842017 | Hookway et al. | Nov 1998 | A |
| 5907709 | Cantey et al. | May 1999 | A |
| 5907860 | Garibay et al. | May 1999 | A |
| 5926832 | Wing et al. | Jul 1999 | A |
| 5974149 | Leppek | Oct 1999 | A |
| 5987610 | Franczek et al. | Nov 1999 | A |
| 5987611 | Freund | Nov 1999 | A |
| 5991881 | Conklin et al. | Nov 1999 | A |
| 6064815 | Hohensee et al. | May 2000 | A |
| 6073142 | Geiger et al. | Jun 2000 | A |
| 6141698 | Krishnan et al. | Oct 2000 | A |
| 6192401 | Modiri et al. | Feb 2001 | B1 |
| 6192475 | Wallace | Feb 2001 | B1 |
| 6256773 | Bowman-Amuah | Jul 2001 | B1 |
| 6275938 | Bond et al. | Aug 2001 | B1 |
| 6321267 | Donaldson | Nov 2001 | B1 |
| 6338149 | Ciccone, Jr. et al. | Jan 2002 | B1 |
| 6356957 | Sanchez, II et al. | Mar 2002 | B2 |
| 6393465 | Leeds | May 2002 | B2 |
| 6442686 | McArdle et al. | Aug 2002 | B1 |
| 6449040 | Fujita | Sep 2002 | B1 |
| 6453468 | D'Souza | Sep 2002 | B1 |
| 460050 | Pace et al. | Oct 2002 | A1 |
| 6587877 | Douglis et al. | Jul 2003 | B1 |
| 6611925 | Spear | Aug 2003 | B1 |
| 6662219 | Nishanov et al. | Dec 2003 | B1 |
| 6748534 | Gryaznov et al. | Jun 2004 | B1 |
| 6769008 | Kumar et al. | Jul 2004 | B1 |
| 6769115 | Oldman | Jul 2004 | B1 |
| 6795966 | Lim et al. | Sep 2004 | B1 |
| 6832227 | Seki et al. | Dec 2004 | B2 |
| 6834301 | Hanchett | Dec 2004 | B1 |
| 6847993 | Novaes et al. | Jan 2005 | B1 |
| 6907600 | Neiger et al. | Jun 2005 | B2 |
| 6918110 | Hundt et al. | Jul 2005 | B2 |
| 6930985 | Rathi et al. | Aug 2005 | B1 |
| 6934755 | Saulpaugh et al. | Aug 2005 | B1 |
| 6988101 | Ham et al. | Jan 2006 | B2 |
| 6988124 | Douceur et al. | Jan 2006 | B2 |
| 7007302 | Jagger et al. | Feb 2006 | B1 |
| 7010796 | Strom et al. | Mar 2006 | B1 |
| 7024548 | O'Toole, Jr. | Apr 2006 | B1 |
| 7039949 | Cartmell et al. | May 2006 | B2 |
| 7065767 | Kambhammettu et al. | Jun 2006 | B2 |
| 7069330 | McArdle et al. | Jun 2006 | B1 |
| 7082456 | Mani-Meitav et al. | Jul 2006 | B2 |
| 7093239 | van der Made | Aug 2006 | B1 |
| 7124409 | Davis et al. | Oct 2006 | B2 |
| 7139916 | Billingsley et al. | Nov 2006 | B2 |
| 7152148 | Williams et al. | Dec 2006 | B2 |
| 7159036 | Hinchliffe et al. | Jan 2007 | B2 |
| 7177267 | Oliver et al. | Feb 2007 | B2 |
| 7203864 | Goin et al. | Apr 2007 | B2 |
| 7251655 | Kaler et al. | Jul 2007 | B2 |
| 7290266 | Gladstone et al. | Oct 2007 | B2 |
| 7302558 | Campbell et al. | Nov 2007 | B2 |
| 7330849 | Gerasoulis et al. | Feb 2008 | B2 |
| 7346781 | Cowle et al. | Mar 2008 | B2 |
| 7349931 | Horne | Mar 2008 | B2 |
| 7350204 | Lambert et al. | Mar 2008 | B2 |
| 7353501 | Tang et al. | Apr 2008 | B2 |
| 7363022 | Whelan et al. | Apr 2008 | B2 |
| 7370360 | van der Made | May 2008 | B2 |
| 7406517 | Hunt et al. | Jul 2008 | B2 |
| 7441265 | Staamann et al. | Oct 2008 | B2 |
| 7464408 | Shah et al. | Dec 2008 | B1 |
| 506155 | Stewart et al. | Mar 2009 | A1 |
| 7506170 | Finnegan | Mar 2009 | B2 |
| 7546333 | Alon et al. | Jun 2009 | B2 |
| 7546594 | McGuire et al. | Jun 2009 | B2 |
| 7552479 | Conover et al. | Jun 2009 | B1 |
| 7607170 | Chesla | Oct 2009 | B2 |
| 7657599 | Smith | Feb 2010 | B2 |
| 7669195 | Qumei | Feb 2010 | B1 |
| 7685635 | Vega et al. | Mar 2010 | B2 |
| 7698744 | Fanton et al. | Apr 2010 | B2 |
| 7703090 | Napier et al. | Apr 2010 | B2 |
| 7757269 | Roy-Chowdhury et al. | Jul 2010 | B1 |
| 7765538 | Zweifel et al. | Jul 2010 | B2 |
| 7783735 | Sebes et al. | Aug 2010 | B1 |
| 7809704 | Surendran et al. | Oct 2010 | B2 |
| 7818377 | Whitney et al. | Oct 2010 | B2 |
| 7823148 | Deshpande et al. | Oct 2010 | B2 |
| 7836504 | Ray et al. | Nov 2010 | B2 |
| 7840968 | Sharma et al. | Nov 2010 | B1 |
| 7849507 | Bloch et al. | Dec 2010 | B1 |
| 7856661 | Sebes et al. | Dec 2010 | B1 |
| 7865931 | Stone et al. | Jan 2011 | B1 |
| 7870387 | Bhargava et al. | Jan 2011 | B1 |
| 7873955 | Sebes et al. | Jan 2011 | B1 |
| 7895573 | Bhargava et al. | Feb 2011 | B1 |
| 7908653 | Brickell et al. | Mar 2011 | B2 |
| 7937455 | Saha et al. | May 2011 | B2 |
| 7966659 | Wilkinson et al. | Jun 2011 | B1 |
| 7996836 | McCorkendale et al. | Aug 2011 | B1 |
| 8015388 | Rihan et al. | Sep 2011 | B1 |
| 8015563 | Araujo et al. | Sep 2011 | B2 |
| 8028340 | Sebes et al. | Sep 2011 | B2 |
| 8074276 | Beloussov et al. | Dec 2011 | B1 |
| 8195931 | Sharma et al. | Jun 2012 | B1 |
| 8234713 | Roy-Chowdhury et al. | Jul 2012 | B2 |
| 8307437 | Sebes et al. | Nov 2012 | B2 |
| 8321932 | Bhargava et al. | Nov 2012 | B2 |
| 8332929 | Bhargava et al. | Dec 2012 | B1 |
| 8341627 | Mohinder | Dec 2012 | B2 |
| 8381284 | Dang et al. | Feb 2013 | B2 |
| 8515075 | Saraf et al. | Aug 2013 | B1 |
| 20020056076 | van der Made | May 2002 | A1 |
| 20020069367 | Tindal et al. | Jun 2002 | A1 |
| 20020083175 | Afek et al. | Jun 2002 | A1 |
| 20020099671 | Mastin Crosbie et al. | Jul 2002 | A1 |
| 20030014667 | Kolichtchak | Jan 2003 | A1 |
| 20030023736 | Abkemeier | Jan 2003 | A1 |
| 20030033510 | Dice | Feb 2003 | A1 |
| 20030073894 | Chiang et al. | Apr 2003 | A1 |
| 20030074552 | Olkin et al. | Apr 2003 | A1 |
| 20030120601 | Ouye et al. | Jun 2003 | A1 |
| 20030120811 | Hanson et al. | Jun 2003 | A1 |
| 20030120935 | Teal et al. | Jun 2003 | A1 |
| 20030145232 | Poletto et al. | Jul 2003 | A1 |
| 20030163718 | Johnson et al. | Aug 2003 | A1 |
| 20030167292 | Ross | Sep 2003 | A1 |
| 20030167399 | Audebert et al. | Sep 2003 | A1 |
| 20030200332 | Gupta et al. | Oct 2003 | A1 |
| 20030212902 | van der Made | Nov 2003 | A1 |
| 20030220944 | Schottland et al. | Nov 2003 | A1 |
| 20030221190 | Deshpande et al. | Nov 2003 | A1 |
| 20040003258 | Billingsley et al. | Jan 2004 | A1 |
| 20040015554 | Wilson | Jan 2004 | A1 |
| 20040051736 | Daniell | Mar 2004 | A1 |
| 20040054928 | Hall | Mar 2004 | A1 |
| 20040143749 | Tajalli et al. | Jul 2004 | A1 |
| 20040167906 | Smith et al. | Aug 2004 | A1 |
| 20040230963 | Rothman et al. | Nov 2004 | A1 |
| 20040243678 | Smith et al. | Dec 2004 | A1 |
| 20040255161 | Cavanaugh | Dec 2004 | A1 |
| 20050018651 | Yan et al. | Jan 2005 | A1 |
| 20050086047 | Uchimoto et al. | Apr 2005 | A1 |
| 20050108516 | Balzer et al. | May 2005 | A1 |
| 20050108562 | Khazan et al. | May 2005 | A1 |
| 20050114672 | Duncan et al. | May 2005 | A1 |
| 20050132346 | Tsantilis | Jun 2005 | A1 |
| 20050228990 | Kato et al. | Oct 2005 | A1 |
| 20050235360 | Pearson | Oct 2005 | A1 |
| 20050257207 | Blumfield et al. | Nov 2005 | A1 |
| 20050257265 | Cook et al. | Nov 2005 | A1 |
| 20050260996 | Groenendaal | Nov 2005 | A1 |
| 20050262558 | Usov | Nov 2005 | A1 |
| 20050273858 | Zadok et al. | Dec 2005 | A1 |
| 20050283823 | Okajo et al. | Dec 2005 | A1 |
| 20050289538 | Black-Ziegelbein et al. | Dec 2005 | A1 |
| 20060004875 | Baron et al. | Jan 2006 | A1 |
| 20060015501 | Sanamrad et al. | Jan 2006 | A1 |
| 20060037016 | Saha et al. | Feb 2006 | A1 |
| 20060080656 | Cain et al. | Apr 2006 | A1 |
| 20060085785 | Garrett | Apr 2006 | A1 |
| 20060101277 | Meenan et al. | May 2006 | A1 |
| 20060133223 | Nakamura et al. | Jun 2006 | A1 |
| 20060136910 | Brickell et al. | Jun 2006 | A1 |
| 20060136911 | Robinson et al. | Jun 2006 | A1 |
| 20060195906 | Jin et al. | Aug 2006 | A1 |
| 20060200863 | Ray et al. | Sep 2006 | A1 |
| 20060230314 | Sanjar et al. | Oct 2006 | A1 |
| 20060236398 | Trakic et al. | Oct 2006 | A1 |
| 20060259734 | Sheu et al. | Nov 2006 | A1 |
| 20060282892 | Jonnala et al. | Dec 2006 | A1 |
| 20070011746 | Malpani et al. | Jan 2007 | A1 |
| 20070028303 | Brennan | Feb 2007 | A1 |
| 20070039049 | Kupferman et al. | Feb 2007 | A1 |
| 20070050579 | Hall et al. | Mar 2007 | A1 |
| 20070050764 | Traut | Mar 2007 | A1 |
| 20070074199 | Schoenberg | Mar 2007 | A1 |
| 20070083522 | Nord et al. | Apr 2007 | A1 |
| 20070101435 | Konanka et al. | May 2007 | A1 |
| 20070136579 | Levy et al. | Jun 2007 | A1 |
| 20070143851 | Nicodemus et al. | Jun 2007 | A1 |
| 20070169079 | Keller et al. | Jul 2007 | A1 |
| 20070192329 | Croft et al. | Aug 2007 | A1 |
| 20070220061 | Tirosh et al. | Sep 2007 | A1 |
| 20070220507 | Back et al. | Sep 2007 | A1 |
| 20070253430 | Minami et al. | Nov 2007 | A1 |
| 20070256138 | Gadea et al. | Nov 2007 | A1 |
| 20070271561 | Winner et al. | Nov 2007 | A1 |
| 20070300215 | Bardsley | Dec 2007 | A1 |
| 20070300241 | Prakash et al. | Dec 2007 | A1 |
| 20080005737 | Saha et al. | Jan 2008 | A1 |
| 20080005798 | Ross | Jan 2008 | A1 |
| 20080010304 | Vempala et al. | Jan 2008 | A1 |
| 20080022384 | Yee et al. | Jan 2008 | A1 |
| 20080034416 | Kumar et al. | Feb 2008 | A1 |
| 20080052468 | Speirs et al. | Feb 2008 | A1 |
| 20080082977 | Araujo et al. | Apr 2008 | A1 |
| 20080120499 | Zimmer et al. | May 2008 | A1 |
| 20080163207 | Reumann et al. | Jul 2008 | A1 |
| 20080163210 | Bowman et al. | Jul 2008 | A1 |
| 20080165952 | Smith et al. | Jul 2008 | A1 |
| 20080184373 | Traut et al. | Jul 2008 | A1 |
| 20080235534 | Schunter et al. | Sep 2008 | A1 |
| 20080294703 | Craft et al. | Nov 2008 | A1 |
| 20080301770 | Kinder | Dec 2008 | A1 |
| 20090006805 | Anderson et al. | Jan 2009 | A1 |
| 20090007100 | Field et al. | Jan 2009 | A1 |
| 20090038017 | Durham et al. | Feb 2009 | A1 |
| 20090043993 | Ford et al. | Feb 2009 | A1 |
| 20090055693 | Budko et al. | Feb 2009 | A1 |
| 20090113110 | Chen et al. | Apr 2009 | A1 |
| 20090144300 | Chatley et al. | Jun 2009 | A1 |
| 20090150639 | Ohata | Jun 2009 | A1 |
| 20090172822 | Sahita et al. | Jul 2009 | A1 |
| 20090249053 | Zimmer et al. | Oct 2009 | A1 |
| 20090249438 | Litvin et al. | Oct 2009 | A1 |
| 20100071035 | Budko et al. | Mar 2010 | A1 |
| 20100100970 | Chowdhury et al. | Apr 2010 | A1 |
| 20100114825 | Siddegowda | May 2010 | A1 |
| 20100250895 | Adams et al. | Sep 2010 | A1 |
| 20100281133 | Brendel | Nov 2010 | A1 |
| 20100293225 | Sebes et al. | Nov 2010 | A1 |
| 20100332910 | Ali et al. | Dec 2010 | A1 |
| 20110029772 | Fanton et al. | Feb 2011 | A1 |
| 20110035423 | Kobayashi et al. | Feb 2011 | A1 |
| 20110047543 | Mohinder | Feb 2011 | A1 |
| 20110077948 | Sharma et al. | Mar 2011 | A1 |
| 20110078550 | Nabutovsky | Mar 2011 | A1 |
| 20110093842 | Sebes | Apr 2011 | A1 |
| 20110093950 | Bhargava et al. | Apr 2011 | A1 |
| 20110113467 | Agarwal et al. | May 2011 | A1 |
| 20110119760 | Sebes et al. | May 2011 | A1 |
| 20110138461 | Bhargava et al. | Jun 2011 | A1 |
| 20120030731 | Bhargava et al. | Feb 2012 | A1 |
| 20120030750 | Bhargava et al. | Feb 2012 | A1 |
| 20120179874 | Chang et al. | Jul 2012 | A1 |
| 20120204263 | Jonnala et al. | Aug 2012 | A1 |
| 20120278853 | Chowdhury et al. | Nov 2012 | A1 |
| 20120290827 | Bhargava et al. | Nov 2012 | A1 |
| 20120297176 | Bhargava et al. | Nov 2012 | A1 |
| 20120331464 | Saito et al. | Dec 2012 | A1 |
| 20130024934 | Sebes et al. | Jan 2013 | A1 |
| 20130091318 | Bhattacharjee et al. | Apr 2013 | A1 |
| 20130097355 | Dang et al. | Apr 2013 | A1 |
| 20130097356 | Dang et al. | Apr 2013 | A1 |
| 20130117823 | Dang et al. | May 2013 | A1 |
| Number | Date | Country |
|---|---|---|
| 1 482 394 | Dec 2004 | EP |
| 2 037 657 | Mar 2009 | EP |
| WO 9844404 | Oct 1998 | WO |
| WO 0184285 | Nov 2001 | WO |
| WO 2006012197 | Feb 2006 | WO |
| WO 2006124832 | Nov 2006 | WO |
| WO 2008054997 | May 2008 | WO |
| WO 2011059877 | May 2011 | WO |
| WO 2012015485 | Feb 2012 | WO |
| WO 2012015489 | Feb 2012 | WO |
| WO 2013055498 | Apr 2013 | WO |
| WO 2013055499 | Apr 2013 | WO |
| WO 2013055502 | Apr 2013 | WO |
| Entry |
|---|
| A Linear-Time Heuristic for Improving Network Partitions|http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1585498|Fiduccia et al. |pp. 175-181|1982. |
| U.S. Appl. No. 12/615,521, entitled “System and Method for Preventing Data Loss Using Virtual Machine Wrapped Applications,” filed Nov. 10, 2009, Inventor(s): Sonali Agarwal, et al. |
| Desktop Management and Control, Website: http://www.vmware.com/solutions/desktop/, printed Oct. 12, 2009, 1 page. |
| Secure Mobile Computing, Website: http://www.vmware.com/solutions/desktop/mobile.html, printed Oct. 12, 2009, 2 pages. |
| U.S. Appl. No. 12/636,414, entitled “System and Method for Managing Virtual Machine Configurations,” filed Dec. 11, 2009, Inventor(s): Harvinder Singh Sawhney, et al. |
| Kurt Gutzmann, “Access Control and Session Management in the HTTP Environment,” Jan./Feb. 2001, pp. 26-35, IEEE Internet Computing. |
| U.S. Appl. No. 11/379,953, entitled “Software Modification by Group to Minimize Breakage,” filed Apr. 24, 2006, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/277,596, entitled “Execution Environment File Inventory,” filed Mar. 27, 2006, Inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 10/651,591, entitled “Method and System for Containment of Networked Application Client Software by Explicit Human Input,” filed Aug. 29, 2003, Inventor(s): Rosen Sharma et al. |
| U.S. Appl. No. 10/806,578, entitled Containment of Network communication, filed Mar. 22, 2004, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 10/739,230, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Dec. 17, 2003, Inventor(s): Rosen Sharma et al. |
| U.S. Appl. No. 10/935,772, entitled “Solidifying the Executable Software Set of a Computer,” filed Sep. 7, 2004, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/060,683, entitled “Distribution and Installation of Solidified Software on a Computer,” Filed Feb. 16, 2005, Inventor(s): Bakul Shah et al. |
| U.S. Appl. No. 11/122,872, entitled “Piracy Prevention Using Unique Module Translation,” filed May 4, 2005, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/346,741, entitled “Enforcing Alignment of Approved Changes and Deployed Changes in the Software Change Life-Cycle,” filed Feb. 2, 2006, Inventor(s): Rahul Roy-Chowdhury et al. |
| U.S. Appl. No. 11/182,320, entitled “Classification of Software on Networked Systems,” filed Jul. 14, 2005, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/400,085, entitled “Program-Based Authorization,” filed Apr. 7, 2006, Inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 11/437,317, entitled “Connectivity-Based Authorization,” filed May 18, 2006, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 12/290,380, entitled “Application Change Control,” filed Oct. 29, 2008, Inventor(s): Rosen Sharma et al. |
| U.S. Appl. No. 12/008,274, entitled Method and Apparatus for Process Enforced Configuration Management, filed Jan. 9, 2008, Inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 12/291,232, entitled “Method of and System for Computer System State Checks,” filed Nov. 7, 2008, inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 12/322,220, entitled “Method of and System for Malicious Software Detection Using Critical Address Space Protection,” filed Jan. 29, 2009, Inventor(s): Suman Saraf et al. |
| U.S. Appl. No. 12/426,859, entitled “Method of and System for Reverse Mapping Vnode Pointers,” filed Apr. 20, 2009, Inventor(s): Suman Saraf et al. |
| U.S. Appl. No. 12/545,609, entitled “System and Method for Enforcing Security Policies in a Virtual Environment,” filed Aug. 21, 2009, Inventor(s): Amit Dang et al. |
| U.S. Appl. No. 12/545,745, entitled “System and Method for Providing Address Protection in a Virtual Environment,” filed Aug. 21, 2009, Inventor(s): Preet Mohinder. |
| Eli M. Dow, et al., “The Xen Hypervisor,” InformIT, dated Apr. 10, 2008, http://www.informit.com/articles/printerfriendly.aspx?p=1187966, printed Aug. 11, 2009 (13 pages). |
| “Xen Architecture Overview,” Xen, dated Feb. 13, 2008, Version 1.2, http://wiki.xensource.com/xenwiki/XenArchitecture?action=AttachFile&do=get&target=Xen+architecture—Q1+2008.pdf, printed Aug. 18, 2009 (9 pages). |
| U.S. Appl. No. 12/551,673, entitled “Piracy Prevention Using Unique Module Translation,” filed Sep. 1, 2009, Inventor(s): E. John Sebes et al. |
| Barrantes et al., “Randomized Instruction Set Emulation to Dispurt Binary Code Injection Attacks,” Oct. 27-31, 2003, ACM, pp. 281-289. |
| Check Point Software Technologies Ltd.: “ZoneAlarm Security Software User Guide Version 9”, Aug. 24, 2009, XP002634548, 259 pages, retrieved from Internet: URL:http://download.zonealarm.com/bin/media/pdf/zaclient91—user—manual.pdf. |
| Gaurav et al., “Countering Code-Injection Attacks with Instruction-Set Randomization,” Oct. 27-31, 2003, ACM, pp. 272-280. |
| Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority (1 page), International Search Report (4 pages), and Written Opinion (3 pages), mailed Mar. 2, 2011, International Application No. PCT/US2010/055520. |
| Tal Garfinkel, et al., “Terra: A Virtual Machine-Based Platform for Trusted Computing,” XP-002340992, SOSP'03, Oct. 19-22, 2003, 14 pages. |
| U.S. Appl. No. 12/844,892, entitled “System and Method for Protecting Computer Networks Against Malicious Software,” filed Jul. 28, 2010, Inventor(s) Rishi Bhargava, et al. |
| U.S. Appl. No. 12/844,964, entitled “System and Method for Network Level Protection Against Malicious Software,” filed Jul. 28, 2010, Inventor(s) Rishi Bhargava, et al. |
| U.S. Appl. No. 12/880,125, entitled “System and Method for Clustering Host Inventories,” filed Sep. 12, 2010, Inventor(s) Rishi Bhargava, et al. |
| U.S. Appl. No. 12/903,993, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Oct. 13, 2010, Inventor(s) Rosen Sharma, et al. |
| U.S. Appl. No. 12/946,344, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Nov. 15, 2010, Inventor(s) Rosen Sharma, et al. |
| U.S. Appl. No. 13/012,138, entitled “System and Method for Selectively Grouping and Managing Program Files,” filed Jan. 24, 2011, Inventor(s) Rishi Bhargava, et al. |
| U.S. Appl. No. 13/037,988, entitled “System and Method for Botnet Detection by Comprehensive Email Behavioral Analysis,” filed Mar. 1, 2011, Inventor(s) Sven Krasser, et al. |
| Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (6 pages), and Written Opinion of the International Searching Authority (10 pages) for International Application No. PCT/US2011/020677 mailed Jul. 22, 2011. |
| Notification of Transmittal of the International Search Report and Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (3 pages), and Written Opinion of the International Search Authority (6 pages) for International Application No. PCT/U52011/024869 mailed Jul. 14, 2011. |
| IA-32 Intel® Architecture Software Developer's Manual, vol. 3B; Jun. 2006; pp. 13, 15, 22 and 145-146. |
| “What's New: McAfee VirusScan Enterprise, 8.8,” copyright 2010, retrieved on Nov. 23, 2012 at https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT—DOCUMENTATION/22000/PD22973/en—US/VSE%208.8%20-%20What's%20New.pdf, 4 pages. |
| “McAfee Management for Optimized Virtual Environments,” copyright 2012, retrieved on Nov. 26, 2012 at AntiVirushttp://www.mcafee.com/us/resources/data-sheets/ds-move-anti-virus.pdf, 2 pages. |
| Rivest, R., “The MD5 Message-Digest Algorithm”, RFC 1321, Apr. 1992, retrieved on Dec. 14, 2012 from http://www.ietf.org/rfc/rfc1321.txt, 21 pages. |
| Hinden, R. and B. Haberman, “Unique Local IPv6 Unicast Addresses”, RFC 4193, Oct. 2005, retrieved on Nov. 20, 2012 from http://tools.ietf.org/pdf/rfc4193.pdf, 17 pages. |
| “Secure Hash Standard (SHS)”, Federal Information Processing Standards Publication, FIPS PUB 180-4, Mar. 2012, retrieved on Dec. 14, 2012 from http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf, 35 pages. |
| U.S. Appl. No. 13/728,705, filed Dec. 27, 2012, entitled “Herd Based Scan Avoidance System in a Network Environment,” Inventor(s) Venkata Ramanan, et al. |
| An Analysis of Address Space Layout Randomization on Windows Vista™, Symantec Advanced Threat Research, copyright 2007 Symantec Corporation, available at http://www.symantec.com/avcenter/reference/Address—Space—Layout—Randomization.pdf, 19 pages. |
| Bhatkar, et al., “Efficient Techniques for Comprehensive Protection from Memory Error Exploits,” USENIX Association, 14th USENIX Security Symposium, Aug. 1-5, 2005, Baltimore, MD, 16 pages. |
| Dewan, et al., “A Hypervisor-Based System for Protecting Software Runtime Memory and Persistent Storage,” Spring Simulation Multiconference 2008, Apr. 14-17, 2008, Ottawa, Canada, (available at website: www.vodun.org/papers/2008—secure—locker—submit—v1-1.pdf, printed Oct. 11, 2011), 8 pages. |
| Shacham, et al., “On the Effectiveness of Address-Space Randomization,” CCS'04, Oct. 25-29, 2004, Washington, D.C., Copyright 2004, 10 pages. |
| International Search Report and Written Opinion mailed Dec. 14, 2012 for International Application No. 04796-1087WO, 9 pages. |
| “Shadow Walker” Raising the Bar for Rootkit Detection by Sherri Sparks and Jamie Butler, Black Hat Japan 2005, Tokyp, Japan, Oct. 17-18, 2005, 55 pages. |
| Countering Kernel Rootkits with Lightweight Hook Protection, available at http://research.microsoft.com/en-us/um/people/wdcui/papers/hooksafe-ccs09.pdf, 16th ACM Conference on Computer and Communications Security (CCS 2009) Chicago, IL, Nov. 2009, 10 pages. |
| Detecting Kernel Rootkits, by Rainer Whichmann, available at http://www.la-samhna.de/library/rootkits/detect.html, copyright 2006, 2 pages. |
| Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing, 11th International Symposium on Recent Advances in Intrusion Detection, Cambridge, Massachusetts (Sep. 15-17, 2008), 20 pages. |
| McAfee Proven Security, Rootkits, Part 1 of 3: The Growing Threat (Apr. 2006), available at www.mcafee.com, 8 pages. |
| Multi-Aspect Profiling of Kernel Rootkit Behavior, Eurosys Conference 2009, Nuremberg, Germany, Mar. 30-Apr. 3, 2009, 14 pages. |
| Rootkits Part 2: A Technical Primer, available at www.mcafee.com (http://www.mcafee.com/cf/about/news/2007/20070418—174400—d.aspx) Apr. 18, 2007, 16 pages. |
| SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes, Proceedings of the 21st ACM SIGOPS Symposium on Operating Systems Principles, Stevenson, WA (Oct. 14-17, 2007), 16 pages. |
| Stopping Rootkits at the Network Edge (Jan. 2007) http://www.trustedcomputinggroup.org/files/resource—files/C2426F48-1D09-3519-AD02D13C711B888A6/Whitepaper—Rootkit—Strom—v3.pdf, 3 pages. |
| Transparent Protection of Commodity OS Kernels Using Hardware Virtualization, 6th International ICST Conference on Security and Privacy in Communication Networks, Singapore, Sep. 7-9, 2010, 18 pages, 18 pages. |
| International Search Report and Written Opinion mailed Jan. 25, 2013 for International Application No. PCT/US2012/055670 (7 pages). |
| International Search Report and Written Opinion, International Application No. PCT/US2012/055660, mailed Feb. 18, 2013, 10 pages. |
| Lecture Embedded System Security, Chapter 6: Return-oriented Programming, Prof. Dr.-Ing. Ahmad-Reza Sadeghi, et al., Technische Universitat Damstadt (CASED), Germany, Summer Term 2011, http://www.trust.informatik.tu-darmstadt.de/fileadmin/user—upload/Group—TRUST/LectureSlides/ESS-SS2011/rop-grayscale.pdf[Background on Butter Overflow Attacks/Sadeghi et al./2011, 51 pages. |
| Notification of International Preliminary Report on Patentability and Written Opinion mailed May 24, 2012 for International Application No. PCT/US2010/055520, 5 pages. |
| Sailer et al., sHype: Secure Hypervisor Approach to Trusted Virtualized Systems, IBM research Report, Feb. 2, 2005, 13 pages. |
| U.S. Appl. No. 13/558,181, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al. |
| U.S. Appl. No. 13/558,227, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al. |
| U.S. Appl. No. 13/558,277, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al. |
| Myung-Sup Kim et al., “A load cluster management system using SNMP and web”, [Online], May 2002, pp. 367-378, [Retrieved from Internet on Oct. 24, 2012], <http://onlinelibrary.wiley.com/doi/10.1002/nem.453/pdf>. |
| G. Pruett et al., “BladeCenter systems management software”, [Online], Nov. 2005, pp. 963-975, [Retrieved from Internet on Oct. 24, 2012], <http://citeseexIst.psu.edu/viewdoc/download?doi=10.1.1.91.5091&rep=rep1&type=pdf>. |
| Philip M. Papadopoulos et al., “NPACI Rocks: tools and techniques for easily deploying manageable Linux clusters” [Online], Aug. 2002, pp. 707-725, [Retrieved from internet on Oct. 24, 2012], <http://onlinelibrary.wiley.com/doi/10.1002/cpe.722/pdf>. |
| Thomas Staub et al., “Secure Remote Management and Software Distribution for Wireless Mesh Networks”, [Online], Sep. 2007, pp. 1-8, [Retrieved from Internet on Oct. 24, 2012], <http://cds.unibe.ch/research/pub—files/B07.pdf>. |
| Notice of Allowance received for U.S. Appl. No. 12/322,220, mailed on Apr. 17, 2013, 15 pages. |
| Final Office Action received for U.S. Appl. No. 12/545,745, mailed on Jun. 7, 2012, 14 pages. |
| Non Final Office Action received for U.S. Appl. No. 12/545,745, mailed on Jan. 5, 2012, 12 pages. |
| Notice of Allowance received for U.S. Appl. No. 12/545,745, mailed on Aug. 29, 2012, 8 pages. |
| Response to Final Office Action and RCE for U.S. Appl. No. 12/545,745, filed Jul. 31, 2012, 15 pages. |
| Response to Non Final Office Action for U.S. Appl. No. 12/545,745, filed Mar. 28, 2012, 12 pages. |
| International Search Report received for PCT Application No. PCT/US2012/055674, mailed on Dec. 14, 2012, 2 pages. |
| Nonfinal Office Action for U.S. Appl. No. 13/273,002, mailed on Oct. 4, 2013, 17 pages. |
| Grace, Michael, et al., “Transparent Protection of Commodity OS Kernels Using Hardware Virtualization,” 2010, SecureComm 2010, LNICST 50, pp. 162-180, 19 pages. |
| Riley, Ryan, et al., “Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing,” 2008, RAID 2008, LNCS 5230, pp. 1-20, 20 pages. |
| Milos, Grzegorz, et al., “Satori: Enlightened page sharing,” Proceedings of the 2009 conference on USENIX Annual technical conference, 14 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20130247181 A1 | Sep 2013 | US |
| Number | Date | Country | |
|---|---|---|---|
| 61063224 | Jan 2008 | US |
