1965 results about "System call" patented technology

Techniques for detecting unauthorized use (e.g., malicious attacks) of the computing systems (e.g., computing devices) are disclosed. Unauthorized use can be detected based on patterns of use (e.g., behavioral patterns of use typically associated with a human being) of the computing systems. Acceptable behavioral pattern data can be generated for a computing system by monitoring the use of a support system (e.g., an operating system, a virtual environment) operating on the computing system. For example, a plurality of system support provider components of a support system (e.g., system calls, device drivers) can be monitored in order to generate the acceptable behavioral pattern data in a form which effectively defines an acceptable pattern of use (usage pattern) for the monitored system support provider components, thereby allowing detection of unauthorized use of a computing system by detecting any deviation from the acceptable pattern of use of the monitored system support provider components.

A virtualization infrastructure that allows multiple guest partitions to run within a host hardware partition. The host system is divided into distinct logical or virtual partitions and special infrastructure partitions are implemented to control resource management and to control physical I/O device drivers that are, in turn, used by operating systems in other distinct logical or virtual guest partitions. Host hardware resource management runs as a tracking application in a resource management “ultravisor” partition, while host resource management decisions are performed in a higher level command partition based on policies maintained in a separate operations partition. The conventional hypervisor is reduced to a context switching and containment element (monitor) for the respective partitions, while the system resource management functionality is implemented in the ultravisor partition. The ultravisor partition maintains the master in-memory database of the hardware resource allocations and serves a command channel to accept transactional requests for assignment of resources to partitions. It also provides individual read-only views of individual partitions to the associated partition monitors. Host hardware I/O management is implemented in special redundant I/O partitions. Operating systems in other logical or virtual partitions communicate with the I/O partitions via memory channels established by the ultravisor partition. The guest operating systems in the respective logical or virtual partitions are modified to access monitors that implement a system call interface through which the ultravisor, I/O, and any other special infrastructure partitions may initiate communications with each other and with the respective guest partitions. The guest operating systems are modified so that they do not attempt to use the “broken” instructions in the x86 system that complete virtualization systems must resolve by inserting traps.

Selected system calls are monitored to generate frequency data that is input to a probabilistic intrusion detection analyzer which generates a likelihood score indicative of whether the system calls being monitored were produced by a computer system whose security has been compromised. A first Bayesian network is trained on data from a compromised system and a second Bayesian network is trained on data from a normal system. The probabilistic intrusion detection analyzer considers likelihood data from both Bayesian networks to generate the intrusion detection measure.

One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls.

According to some embodiments, a multithreaded microcontroller includes a thread control unit comprising thread control hardware (logic) configured to perform a number of multithreading system calls essentially in real time, e.g. in one or a few clock cycles. System calls can include mutex lock, wait condition, and signal instructions. The thread controller includes a number of thread state, mutex, and condition variable registers used for executing the multithreading system calls. Threads can transition between several states including free, run, ready and wait. The wait state includes interrupt, condition, mutex, I-cache, and memory substates. A thread state transition controller controls thread states, while a thread instructions execution unit executes multithreading system calls and manages thread priorities to avoid priority inversion. A thread scheduler schedules threads according to their priorities. A hardware thread profiler including global, run and wait profiler registers is used to monitor thread performance to facilitate software development.

A virtual machine monitor (VMM) is included in a computer system that has a protected host operating system (HOS). A virtual machine running at least one application via a virtual operating system is connected to the VMM. Both the HOS and the VMM have separate operating contexts and disjoint address spaces, but are both co-resident at system level. A driver that is downloadable into the HOS at system level forms a total context switch between the VMM and HOS contexts. A user-level emulator accepts commands from the VMM via the system-level driver and processes these commands as remote procedure calls. The emulator is able to issue host operating system calls and thereby access the physical system devices via the host operating system. The host operating system itself thus handles execution of certain VMM instructions, such as accessing physical devices.

One embodiment of the present invention provides a system that facilitates invoking a command. During operation, the system suggests with a graphic element a gesture to use to invoke a command. The system then receives the gesture from a user at a device. Note that the gesture is received via an input mechanism, and also note that the gesture is a predetermined manipulation of the input mechanism. The system then determines a graphic element within the user interface that is associated with the gesture. Finally, upon determining the object associated with the gesture, the system invokes the command associated with the graphic element.

A smart controlling method applied to a smart home system for controlling a number of home appliances which may detect and act upon the approach of a user to the smart home. The smart home system learns the habits of a user from repeated inputs at repeated times by the same user to determine that a control command is a habit. When the user arrives at home or is discovered in proximity to the smart home, the smart home system calls a control command to control a relevant home appliance to execute certain operations. A smart gateway and a smart home system are also provided.

A method and system for managing a large number of servers and their server components distributed throughout a heterogeneous computing environment is provided. In one embodiment, an authenticated user, such as a IT system administrator, can securely and simultaneously control and configure multiple servers, supporting different operating systems, through a "virtual server." A virtual server is an abstract model representing a collection of actual target servers. To represent multiple physical servers as one virtual server, abstract system calls that extend execution of operating-system-specific system calls to multiple servers, regardless of their supported operating systems, are used. A virtual server is implemented by a virtual server client and a collection of virtual server agents associated with a collection of actual servers.

The present invention provides a most efficient, automated, fast and least expensive method and apparatus for processing the dig ticket alerts to prevent damage of underground facilities. All the functions required to process the ticket alerts are handled by one system called the geolink (geographical link to data) fiber integrity, i.e. GFI. The processing includes checking the ticket alerts for a dig location, automatically closing the ticket alerts if the dig location is not touching a cable buffer and forwarding the ticket alerts to the technician responsible for the ticket alert if the dig location is touching the cable buffer. The GFI system will receive and process thousands of dig ticket alerts on a daily basis without depending on any other system.

A method and apparatus for debugging of OS kernel and applications software that does not require use of a hardware probe; can debug both user-mode programs and a significant body of the OS kernel code; allows the OS to continue servicing exceptions while debugging; leverages OS built-in device drivers for communicating devices to communicate with the host debugger; and can debug a production version of the OS kernel. When debugging is required, the running OS kernel dynamically loads a software-based debug agent on demand whereby such debug agent dynamically modifies the running production OS kernel code and data to intercept debugging traps and provide run-control. To provide debugging of loadable module, the debug agent implement techniques to intercept the OS module loading system call; set breakpoints in the loaded module initialization function; calculate the start address of the debugged module in memory; and asynchronously put the system under debug. By structuring command loop to execute in non-exception mode, and devising a process to transfer execution from the debug agent exception handler to the debug agent command loop and back, the debug agent can communicate with the host debugger using interrupt-driven input/output devices as well as allowing the system to service interrupts while under debug.

A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that, when executed by the processors, operates as (i) a virtual machine and (ii) a hypervisor. The virtual machine includes a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more virtual resources. The hypervisor configures a portion of the guest kernel to intercept a system call from the guest application and redirect information associated with the system call to the hypervisor. The hypervisor enables logic within the guest kernel to analyze information associated with the system call to determine whether the system call is associated with a malicious attack in response to the system call being initiated during a memory page execution cycle. Alternatively, the hypervisor operates to obfuscate interception of the system call in response to the system call being initiated during memory page read cycle.

According to one embodiment of the invention, a computerized method is described for improved efficiency in malware detection. The method comprises detecting a system call initiated by a virtual machine and determining a class assigned to the detected system call. In response to determining that the system call is associated with a first class of system calls, providing information associated with the system call to virtualized device hardware. In contrast, in response to determining that the system call is associated with a second class of system calls, which is different from the first class of system calls, the virtual machine resumes virtual processing of an object without providing information to the virtualized device hardware.

A method of detecting and blocking malicious activity of processes in computer memory during unpacking of a file after the code and data contained in the file are unpacked is described. The method includes inserting a hook function into one or more un-assessed processes running in the computer memory. A hook Is then placed on one or more system calls carried out by the one or more un-assessed processes; the one or more system calls determining an optimal time period in which to detect malicious activity in the un-assessed processes. During the optimal time period the one or more system calls carried out by the one or more un-assessed processes are suspended and attributes of the one or more un-assessed processes are detected and the likely maliciousness of the one or more un-assessed processes is determined from the attributes.

A flexible system capable of utilizing data from different monitoring techniques and capable of providing assistance to patients with diabetes at several scalable levels, ranging from advice about long-term trends and prognosis to real-time automated closed-loop control (artificial pancreas). These scalable monitoring and treatment strategies are delivered by a unified system called the Diabetes Assistant (DiAs) platform. The system provides a foundation for implementation of various monitoring, advisory, and automated diabetes treatment algorithms or methods. The DiAs recommendations are tailored to the specifics of an individual patient, and to the patient risk assessment at any given moment.

A secure process may be created which does not allow code to be injected into it, does not allow modification of its memory or inspection of its memory. The resources protected in a secure process include all the internal state and threads running in the secure process. Once a secure process is created, the secure process is protected from access by non-secure processes. Process creation occurs atomically in kernel mode. Creating the infrastructure of a process in kernel mode enables security features to be applied that are difficult or impossible to apply in user mode. By moving setup actions previously occurring in user mode (such as creating the initial thread, allocating the stack, initialization of the parameter block, environment block and context record) into kernel mode, the need of the caller for full access rights to the created process is removed. Instead, enough state is passed from the caller to the kernel with the first system call so that the kernel is able to perform the actions previously performed using a number of calls back and forth between caller and kernel. When the kernel returns the handle to the set-up process, some of the access rights accompanying the handle are not returned. Specifically, those access rights that enable the caller to inject threads, read/write virtual memory, and interrogate or modify state of the threads of the process are not returned to the caller.

Described are techniques used in dynamically modifying RDF groups. A system call is issued by a host computer system to execute a remote system call on a first data storage system to create, remove, or modify an RDF group between the first data storage system and another data storage-system-that is remotely connected to the first data storage system in an RDF switched environment. As part of executing the remote system call, data is pushed from the first to the second data storage systems without having an established link between the data storage systems. Each data storage system performs processing to make the necessary modifications in all directors in accordance with the dynamic RDF group. A status indicating success or failure of the remote system call is returned to the host computer system.

Method and a device are disclosed for a fast performance of network operations via a network with high delay times by means of a module for processing system calls of an application layer and for initiating network operations of a network layer. In the module a differentiation between a blocking and non-blocking implementation mode is made. A non-blocking execution mode means that the considered system call returns a logical value as a result to the application, which signals whether the system call was successfully executed. In this case it is provided by the method and device to directly send a logical value to the application when a non-blocking system call is called, without having waited for the actual result of the operation executed in the communicating partner instance and corresponding to the system call. The handling of the results of the actually executed operations takes place at a later time. With this modification, the network operations, which are derived from the system calls, are executed faster, as the actual result is not waited for at each call, which also implies the reduction of the number of required RTTs (Round Trip Time).

The present invention provides a system and method for providing computer network attack simulation. The method includes the steps of: receiving a network configuration and setup description; simulating the network configuration based on the received network configuration; receiving at least one confirmed vulnerability of at least one computer, machine, or network device in the simulated network; receiving a method for compromising the confirmed vulnerability of the at least one computer, machine, or network device; and virtually installing a network agent on the at least one computer, machine, or network device, wherein the network agent allows a penetration tester to execute arbitrary operating system calls on the at least one computer, machine, or network device.