Oliver Friedrichs

A system for retroactively detecting malicious software on an end user system without performing expensive cross-referencing directly on the endpoint device. A client provides a server with information about files that are on it together with what it knows about these files. The server tracks this information and cross-references it against new intelligence it gathers on clean or malicious files. If a discrepancy is found (i.e., a file that had been called malicious, but that is actually benign… Show more

A system for retroactively detecting malicious software on an end user system without performing expensive cross-referencing directly on the endpoint device. A client provides a server with information about files that are on it together with what it knows about these files. The server tracks this information and cross-references it against new intelligence it gathers on clean or malicious files. If a discrepancy is found (i.e., a file that had been called malicious, but that is actually benign or vice versa), the server informs the client, which in turn takes an appropriate action based on this information. Show less

Novel methods, components, and systems for detecting malicious software in a proactive manner are presented. More specifically, we describe methods, components, and systems that leverage machine learning techniques to detect malicious software. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.

A method and apparatus for monitoring communications from a communications device comprising monitoring communications from a communications device by storing a data acquisition address in a contact list of the communications device that identifies a location of a monitoring device. Further, when malicious software uses the contact list to send messages, a message is sent using the malicious software to the monitoring device using the data acquisition address.

A callback component embedded on a web site determines a current location of the web site. The current location is compared to a known legitimate location of the web site to determine if the web site has been copied to a different host location. Responsive to determining that the web site has been copied to a different location, the callback component alerts a central authority that the web site may be a fraudulent web site set up to launch phishing attacks. If the central authority determines… Show more

A callback component embedded on a web site determines a current location of the web site. The current location is compared to a known legitimate location of the web site to determine if the web site has been copied to a different host location. Responsive to determining that the web site has been copied to a different location, the callback component alerts a central authority that the web site may be a fraudulent web site set up to launch phishing attacks. If the central authority determines that the web site is fraudulent, the central authority alerts appropriate entities to take down the fraudulent web site. The callback component generates a visual component viewable on the web site to deter phishing attackers from removing the callback component when the web site is copied. Show less

Methods, systems, and products for detecting phishing attempts through fingerprinting are provided. In an embodiment, there is a computer program product that comprises a computer-readable medium and computer program instructions encoded on the medium for deterring fraud perpetrated through an incoming electronic message containing an address for responding to the incoming electronic message. The instructions are for extracting the address from the incoming electronic message and generating a… Show more

Methods, systems, and products for detecting phishing attempts through fingerprinting are provided. In an embodiment, there is a computer program product that comprises a computer-readable medium and computer program instructions encoded on the medium for deterring fraud perpetrated through an incoming electronic message containing an address for responding to the incoming electronic message. The instructions are for extracting the address from the incoming electronic message and generating a fingerprint based on the extracted address. It is then determined whether the generated fingerprint matches a plurality of stored legitimate fingerprints. When there is a lack of a match, an action is taken to prevent use of the address. Show less

A system is provided for performing penetration testing of a target computer network by installing a remote agent in the target computer network. The system includes a local agent provided in a computer console and configured to receive and execute commands. A user interface is provided in the console and configured to send commands to and receive information from the local agent, process the information, and present the processed information. A database is configured to store the information… Show more

A system is provided for performing penetration testing of a target computer network by installing a remote agent in the target computer network. The system includes a local agent provided in a computer console and configured to receive and execute commands. A user interface is provided in the console and configured to send commands to and receive information from the local agent, process the information, and present the processed information. A database is configured to store the information received from the local agent. A network interface is connected to the local agent and configured to communicate with the remote agent installed in the target computer network via a network. Security vulnerability exploitation modules are provided for execution by the local agent and/or the remote agent. Show less

A system and method for building an executable script for performing a network security audit is described. A source program expressed in a network packet simulation language is stored. The same program includes a plurality of statements encoding logic to simulate an exchange of network protocol compliant-packets. Each statement is scanned into a sequence of individual tokens. Each token is parsed into grammatical phrases comprising at least one of an expression and a control construct. Each… Show more

A system and method for building an executable script for performing a network security audit is described. A source program expressed in a network packet simulation language is stored. The same program includes a plurality of statements encoding logic to simulate an exchange of network protocol compliant-packets. Each statement is scanned into a sequence of individual tokens. Each token is parsed into grammatical phrases comprising at least one of an expression and a control construct. Each expression evaluates a data value. Each control construct defines a process flow. The grammatical phrases are compiled into program instructions to execute the logic on a target machine. Show less

A development system providing a Custom Attack Simulation Language (CASL) for testing networks is described. In particular, the development system implements methodology for facilitating development of network attack simulations. The system includes an editor or authoring system for creating a source code description or Scripts (i.e., CASL-syntax Script) of the simulation program under development. The Scripts, in turn, are "compiled" by a CASL compiler into a compiled CASL program, that may… Show more

A development system providing a Custom Attack Simulation Language (CASL) for testing networks is described. In particular, the development system implements methodology for facilitating development of network attack simulations. The system includes an editor or authoring system for creating a source code description or Scripts (i.e., CASL-syntax Script) of the simulation program under development. The Scripts, in turn, are "compiled" by a CASL compiler into a compiled CASL program, that may then be used to simulate attacks against a network. CASL makes it easier for users, particularly network and system administrators, to experiment with and learn about the way their networks operate. Since networks work by exchanging packets of information, CASL focuses on allowing users to read and write packets directly to and from the network using a high level programming language. Unlike general-purpose scripting languages, CASL is designed specifically to make it easy to construct, read, and write raw network packets. In this manner, the system provides an extremely flexible and general way to manipulate networks and allows one to create simulation programs in just a few lines of CASL code, instead of hundreds of lines of code typically required when using conventional programming language environments. Show less