Patents Assigned to Networks Associates, Inc.
  • Patent number: 6931546
    Abstract: A system for providing application services in a computing environment having both user-mode processes and privileged-mode processes. An agent executes in privileged mode and exposes an interface to user-mode processes. A user-mode component is provided with an interface configured to access the agent's exposed interface. A configuration component specifies a list of installable code components that are authorized for installation, wherein the agent will only execute privileged-mode functions in response to accesses by the user-mode code component when the installable code component is represented on the list.
    Type: Grant
    Filed: August 30, 2000
    Date of Patent: August 16, 2005
    Assignee: Network Associates, Inc.
    Inventors: Victor Kouznetsov, Dan Melchione, Martin Fallenstedt
  • Patent number: 6851061
    Abstract: A system and method for detecting network intrusions using a protocol stack multiplexor is described. A network protocol stack includes a plurality of hierarchically structured protocol layers. Each such protocol layer includes a read queue and a write queue for staging transitory data packets and a set of procedures for processing the transitory data packets in accordance with the associated protocol. A protocol stack multiplexor is interfaced directly to at least one such protocol layer through a set of redirected pointers to the processing procedures of the interfaced protocol layer. A data packet collector references at least one of the read queue and the write queue for the associated protocol layer. A data packet exchanger communicates a memory reference to each transitory data packet from the referenced at least one of the read queue and the write queue for the associated protocol layer. An analysis module receives the communicated memory reference and performs intrusion detection based thereon.
    Type: Grant
    Filed: August 24, 2000
    Date of Patent: February 1, 2005
    Assignee: Networks Associates, Inc.
    Inventors: Daniel T. Holland, III, Roark B. Hilomen, Steven P. Lang
  • Patent number: 6782527
    Abstract: A method of providing a set of desired application functions to a plurality of network-coupled computing appliances. A set of code resident on a network-connected application management server is identified that when executed in a network appliance provide the desired application functions. A first application management agent in a first of the network-coupled computing appliances and a second application management agent in a second of the network-coupled computing appliances are executed. The first application management agent repetitively checks for updates of the identified code. Updates of the identified code are downloaded from the application management server into the first network-coupled computing appliance as the updates become available. Updates of the identified code are downloaded from the first network-coupled computing device into the second network-coupled computing appliance.
    Type: Grant
    Filed: August 30, 2000
    Date of Patent: August 24, 2004
    Assignee: Networks Associates, Inc.
    Inventors: Victor Kouznetsov, Dan Melchione, Martin Fallenstedt
  • Patent number: 6772334
    Abstract: A system and a method for preventing a spoofed denial of service attack in a networked computing environment is described. A hierarchical protocol stack is defined. The hierarchical protocol stack includes a plurality of communicatively interfaced protocol layers with at least one session-oriented protocol layer. A packet requesting a session with the session-oriented protocol layer is received from the networked computing environment. The request packet includes headers containing a source address of uncertain trustworthiness. The request packet is acknowledged by performing the following operations. First, a checksum is calculated from information included in the request packet headers. A request acknowledgement packet is generated. The request acknowledgement packet includes headers containing the checksum as a pseudo sequence number and the source address in the request packet headers as a destination address. Finally, the request acknowledgement packet is sent into the networked computing environment.
    Type: Grant
    Filed: August 31, 2000
    Date of Patent: August 3, 2004
    Assignee: Networks Associates, Inc.
    Inventor: Gregor A. Glawitsch
  • Patent number: 6708292
    Abstract: A method and system for gathering data by monitoring data packets on a network. At least some of the packets are captured in a data buffer. Each captured packet is classified according to a preselected classification system and each captured packet is marked with an indicia of its classification. An analysis program is executed on a network coupled computer. The analysis program displays data about the buffer contents including the indicia before transferring the buffer contents to the analysis program.
    Type: Grant
    Filed: August 18, 2000
    Date of Patent: March 16, 2004
    Assignee: Network Associates, Inc.
    Inventor: Jeff Mangasarian
  • Patent number: 6687833
    Abstract: A system and method for providing a network host decoy on a virtual host using a pseudo implementation of a network protocol stack are described. A hierarchical network protocol stack is functionally defined and includes a plurality of communicatively interfaced protocol layers. A request frame originating from a remote host is received. The request frame includes a plurality of recursively encapsulated data segments which each correspond to a successive protocol layer in the network protocol stack. At each protocol layer, processing a header associated with the encapsulated data segment demultiplexes each encapsulated data segment in the request frame. Any requested network service is performed and any recursively encapsulated portion is forwarded to the next successive protocol layer. A plurality of pseudo data segments corresponding to each of the protocol layers in the network protocol stack is formed. Each pseudo data segment includes a header and data portion.
    Type: Grant
    Filed: September 24, 1999
    Date of Patent: February 3, 2004
    Assignee: Networks Associates, Inc.
    Inventors: Anthony Charles Osborne, Bruce Robert Leidl, Gerhard Eschelbeck, Andrea Emilio Villa
  • Patent number: 6654782
    Abstract: A system and method for dynamically processing a network event using an action set in a distributed computing environment are described. The occurrence of a network event is sensed via a sensor thread through receipt of a message indicating a network event occurrence, the message including event data pertinent to the network event. A generate daemon via a generate thread is launched responsive to a notification from the sensor process. An event mapping is retrieved by the generate daemon. The event mapping corresponds to the network event and identifies an action set. A generated action set is generated from the event mapping by the generate daemon and the generated action set is enqueued onto an event queue within which can be queued a plurality of generated action sets which each correspond to an instance of an action set. A process daemon is launched via a process thread responsive to a notification from the generate daemon.
    Type: Grant
    Filed: December 20, 1999
    Date of Patent: November 25, 2003
    Assignee: Networks Associates, Inc.
    Inventors: Eric David O'Brien, James Robert Tryon, Jr.
  • Patent number: 6611869
    Abstract: A system and a method for providing trustworthy network security concern communication in an active security management environment are described. A digital certificate including a validated server identifier for a server system is stored on a client system. A digital certificate including a validated client identifier for the client system is stored on the server system. A communications session between the client system and the server system is established. The communications session includes a secure socket connection authenticating each of the client system and the server system using the stored client digital certificate and the stored server digital certificate. A certogram is generated upon the occurrence of a network security concern on the client system. The certogram encloses a notification of the network security concern occurrence and a suggested action responsive thereto within the certogram. The certogram is processed on the server system.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: August 26, 2003
    Assignee: Networks Associates, Inc.
    Inventors: Gerhard Eschelbeck, Andrea Villa
  • Patent number: 6567808
    Abstract: A system and process for brokering a plurality of security applications using a centralized broker in a distributed computing environment is described. A centralized broker is executed on a designated system within the distributed computing environment. A set of snap-in components are provided with each performing a common management task sharable by a plurality of security applications. A console interface is exposed from the centralized broker. The console interface implements a plurality of browser methods which each define a browser function which can be invoked by each snap-in component. A set of snap-in interfaces are exposed from each snap-in component. Each snap-in interface implements a plurality of service methods which each define a user-interface function which can be invoked by the centralized broker. One or more security applications are brokered through the centralized broker. Each security application is interfaced to the centralized broker through the snap-in components.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: May 20, 2003
    Assignee: Networks Associates, Inc.
    Inventors: Gerhard Eschelbeck, Andreas Schlemmer, Peter Blaimschein
  • Patent number: 6553377
    Abstract: A system and a process for maintaining a plurality of remote security applications using a centralized broker in a distributed computing environment are described. A centralized broker is executed on a designated system within the distributed computing environment. A console interface from the centralized broker is exposed. The console interface implements a plurality of browser methods which each define a browser function which can be invoked by a plurality of snap-in components. A namespace snap-in component is defined and includes a logical grouping identifying at least one remote security application being executed on a remote system within the distributed computing environment. A namespace interface from the namespace snap-in component is exposed. The namespace interface implements a plurality of namespace methods each defining a storage function which can be invoked by the centralized broker. A repository including a plurality of storages corresponding to each remote system is formed.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: April 22, 2003
    Assignee: Network Associates, Inc.
    Inventors: Gerhard Eschelbeck, Thomas Steiner, Mayr Johannes
  • Patent number: 6553378
    Abstract: A system and a process for reporting network events using hierarchically-structured event databases in a distributed computing environment are disclosed. A centralized broker is executed on a designated system within the distributed computing environment. At least one security application is provided as a plug-in component on a client system interfaced remotely to the centralized broker. A local event database is maintained on the client system. The local event database includes a set of entries in which network events generated by the at least one security application are transitorily stored. Network events forwarded from the local event database are received via a communications server service. The communications server service exposes a set of communication interfaces implementing a plurality of event methods. Each communication interface defines an event management function which can be invoked by the centralized broker.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: April 22, 2003
    Assignee: Network Associates, Inc.
    Inventor: Gerhard Eschelbeck
  • Patent number: 6550012
    Abstract: System and methodology providing automated or “proactive” network security (“active” firewall) are described. The system implements methodology for verifying or authenticating communications, especially between network security components thereby allowing those components to share information. In one embodiment, a system implementing an active firewall is provided which includes methodology for verifying or authenticating communications between network components (e.g., sensor(s), arbiter, and actor(s)), using cryptographic keys or digital certificates. Certificates may be used to digitally sign a message or file and, in a complementary manner, to verify a digital signature. At the outset, particular software components that may participate in authenticated communication are specified, including creating a digital certificate for each such software component.
    Type: Grant
    Filed: June 8, 1999
    Date of Patent: April 15, 2003
    Assignee: Network Associates, Inc.
    Inventors: Emilio Villa, Adrian Zidaritz, Michael David Varga, Gerhard Eschelbeck, Michael Kevin Jones, Mark James McArdle
  • Patent number: 6493756
    Abstract: A system and a method for dynamically sensing an asynchronous network event within a modular framework for network event processing are described. An occurrence of asynchronous network events is sensed on one or more network event sensors. Each such sensor implements a common interface via which the sensor can be connected to the modular framework. At least one port over which can be received a message from a network agent indicating the occurrence of a network event is passively monitored. The message includes event data pertinent to the network event. The message is received over the at least one port via a listener thread and staged into a holding structure within which can be placed a plurality of received messages. Each received message is iteratively removed from the holding structure via a handler thread. An action set mapping corresponding to each received message is retrieved and an action set is generated from the action set mapping via a generator process.
    Type: Grant
    Filed: January 31, 2000
    Date of Patent: December 10, 2002
    Assignee: Networks Associates, Inc.
    Inventors: Eric David O'Brien, James Robert Tryon, Jr.
  • Patent number: 6470384
    Abstract: A system and a method for configuring an action set for use in dynamically processing network events in a distributed computing environment are described. A graphical user interface associated with an action set is presented. An action set is stored into a database. At least one network event and at least one sensor are associated responsive to a user selection indicated on the graphical user interface. At least one action is embedded into the action set responsive to a user selection indicated on the graphical user interface. The association for the at least one network event and the embedding of the at least one action are stored into a mapping table.
    Type: Grant
    Filed: December 20, 1999
    Date of Patent: October 22, 2002
    Assignee: Networks Associates, Inc.
    Inventors: Eric David O'Brien, James Robert Tryon, Jr.
  • Publication number: 20020093917
    Abstract: A device that passively monitors arriving and departing data packets on one or more networks, correlates arriving data packets with departing data packets, and calculates a latency estimate based on the confidence of the correlation. The device detects and copies data packets arriving at a network device and the data packets departing from the same network device. A timestamp is stored for each arriving or departing data packet. Latency across a network device can be determined based on the timestamps for correlating data packets. Additionally, latency across a network device per protocol layer can also be calculated. Varying levels of confidence of a latency estimation depend on the operation necessarily performed on the data packet by the network device and the protocol level at which correlation between the arriving and departing data packets can be achieved.
    Type: Application
    Filed: January 16, 2001
    Publication date: July 18, 2002
    Applicant: Networks Associates, Inc. d/b/a Network Associates, Inc.
    Inventors: Roger Knobbe, Stephen Schwab, Andrew Purtell
  • Patent number: 6393424
    Abstract: One embodiment of the present invention provides a system that retrieves metadata from a memory within a server, so that the server does not have to access a database in order to retrieve the metadata. The system operates by receiving a request from a client, which causes an operation to be performed on data within the database. In response to the request, the system retrieves the metadata through a metadata object, which retrieves the metadata from a random access memory in the server. Note that this metadata specifies how the data is stored within the database. The system then performs the operation on the data within the database by using the metadata to determine how the data is stored within the database. Note that this metadata object can be used to service requests from a plurality of clients. Hence, client sessions can share the same metadata, which can greatly reduce the amount of memory used by client sessions.
    Type: Grant
    Filed: December 29, 1999
    Date of Patent: May 21, 2002
    Assignee: Networks Associates, Inc.
    Inventors: Clinton J. Hallman, Leslie W. Vaughn, Jr., David Forney
  • Patent number: 6353446
    Abstract: A computer program product for assisting a service person in managing an enterprise network is described, wherein a browser-based help desk window may be invoked by the service person at any user computer on the enterprise network that is equipped with a web browser. The browser-based help desk window is customizable to each service person, allowing the service person to embed a network visibility link on an application launch toolbar contained in the browser-based help desk window. The service person may then subsequently log into a help desk server from any user computer equipped with a browser, and then launch a browser-based network visibility session upon activation of the embedded network visibility link. The user is permitted to embed the network visibility link onto the application toolbar, and to perform other browser-based help desk window customization tasks, using simple menu selection and drag-and-drop commands.
    Type: Grant
    Filed: January 25, 1999
    Date of Patent: March 5, 2002
    Assignee: Network Associates, Inc.
    Inventors: Leslie W. Vaughn, Zachary A. Nelson
  • Patent number: 6351794
    Abstract: A system and method for managing scarce computer system memory resources has three aspects. A first aspect allows large data structures to be replaced by a pointer that causes an intentional fault to occur. The fault is trapped, and the invention interposes the required data. A second aspect associates data structures with both the task and the module that own the structure. The structure can be eliminated from memory when both the owning task and the owning module have terminated. A third aspect utilizes swapping techniques to maintain multiple local data areas for multiple tasks.
    Type: Grant
    Filed: November 13, 1998
    Date of Patent: February 26, 2002
    Assignee: Network Associates, Inc.
    Inventors: Michael L. Spilo, Jonathan A. Daub
  • Patent number: 6343362
    Abstract: A development system providing a Custom Attack Simulation Language (CASL) for testing networks is described. In particular, the development system implements methodology for facilitating development of network attack simulations. The system includes an editor or authoring system for creating a source code description or Scripts (i.e., CASL-syntax Script) of the simulation program under development. The Scripts, in turn, are “compiled” by a CASL compiler into a compiled CASL program, that may then be used to simulate attacks against a network. CASL makes it easier for users, particularly network and system administrators, to experiment with and learn about the way their networks operate. Since networks work by exchanging packets of information, CASL focuses on allowing users to read and write packets directly to and from the network using a high level programming language.
    Type: Grant
    Filed: January 21, 1999
    Date of Patent: January 29, 2002
    Assignee: Networks Associates, Inc.
    Inventors: Thomas Henry Ptacek, Timothy Nakula Newsham, Oliver Friedrichs
  • Patent number: 6321293
    Abstract: A method for caching virtual memory paging requests and disk input/output requests utilizes a portion of the video memory as a location for paged memory as well as an alternative location for a disk cache system; the disk cache system is also capable of placing compressed data in a cache buffer. The portion of the video memory employed is off screen memory (OSM), access to which is controlled to make OSM available for paging or caching requirements. System operators may be monitored on a continuing basis to provide for a dynamic allocation of OSM.
    Type: Grant
    Filed: June 26, 1998
    Date of Patent: November 20, 2001
    Assignee: Networks Associates, Inc.
    Inventors: Daniel Fabrizio, Michael L. Spilo