Patents Assigned to Sourcefire, Inc.
  • Publication number: 20080127342
    Abstract: Fragment trains in a communication network are analyzed. A fragment train includes fragments in the same fragment train and associated with the same target system. One or more fragment reassembly policies are identified out of several fragment reassembly policies, where the fragment reassembly policy corresponds to a target system associated with fragments in a fragment train. The data in the fragments in the fragment train are provided in an order indicated by the fragment reassembly policy. The fragment reassembly policy can include determining the order responsive to an offset and a more fragments indication in the fragments, and/or indicating an order specific to overlapped fragments such as comprehensively overlapped fragments.
    Type: Application
    Filed: July 27, 2006
    Publication date: May 29, 2008
    Applicant: Sourcefire, Inc.
    Inventors: Martin Frederick Roesch, Judy Hollis Novak, Steven Sturges
  • Publication number: 20080037587
    Abstract: A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.
    Type: Application
    Filed: August 10, 2006
    Publication date: February 14, 2008
    Applicant: Sourcefire, Inc.
    Inventors: Martin Frederick Roesch, Judy Hollis Novak, Steven Sturges
  • Patent number: 7317693
    Abstract: A packet transmitted on a network is read and decoded. A network device and its operating system are identified by analyzing the decoded packet. If more than one operating system is identified from the decoded packet, the operating system is selected by comparing confidence values assigned to the operating systems identified. A service running on the network device is identified from the decoded packet or subsequent packets that are read, decoded and analyzed. The network topology of a network is determined by reading, decoding, and analyzing a plurality of packets. A flow between two network devices is determined by reading, decoding, and analyzing a plurality of packets. Vulnerabilities are assigned to operating systems and services identified by reading, decoding, and analyzing packets. Network configuration policy is enforced on operating systems and services identified by reading, decoding, and analyzing packets.
    Type: Grant
    Filed: May 12, 2004
    Date of Patent: January 8, 2008
    Assignee: Sourcefire, Inc.
    Inventors: Martin Roesch, William Andrew Vogel, III
  • Patent number: 7313695
    Abstract: The threat probability of events generated by a security device on a computer network is assessed by comparing the threat probability to a global threat probability. An abstract data type is used to describe how the events are combined to form a threat. If an event matches an unpopulated member of an instance of an abstract data type, the event is added to the instance and the probability of the instance is computed. If the probability of the instance is greater than a global threat probability, a dynamic threat assessment event is generated. A system for dynamically assessing threats to computers and computer networks includes at least one security device that generates events, an event collection database, policy configuration information, and a dynamic threat assessment engine.
    Type: Grant
    Filed: March 23, 2004
    Date of Patent: December 25, 2007
    Assignee: Sourcefire, Inc.
    Inventors: Marc A. Norton, Daniel J. Roelker
  • Patent number: 7305708
    Abstract: Performance of an intrusion detection system is enhanced with the addition of rule optimization, set-based rule inspection, and protocol flow analysis. During rule optimization, rule sets are created and selected in such a way that for every incoming packet only a single rule set has to be searched. Set-based rule inspection divides rules into content and non-content type rules. Only search patterns of content type rules are initially compared to a packet. Rules containing matched search patterns are validated with a parameterized search against the packet. Matches are recorded as events. Non-content rules are searched against a packet using a parameterized search. These matches are also recorded as an event. At least one event is selected per packet for logging. Protocol flow analysis determines the direction of flow of network traffic. Based on the direction of flow and the protocol, portions of packets can be eliminated from rule inspection.
    Type: Grant
    Filed: March 8, 2004
    Date of Patent: December 4, 2007
    Assignee: Sourcefire, Inc.
    Inventors: Marc A. Norton, Daniel J. Roelker
  • Publication number: 20070192286
    Abstract: Embodiments of the present invention relate to systems and methods for optimizing and reducing the memory requirements of state machine algorithms in pattern matching applications. Memory requirements of an Aho-Corasick algorithm are reduced in an intrusion detection system by representing the state table as three separate data structures. Memory requirements of an Aho-Corasick algorithm are also reduced by applying a banded-row sparse matrix technique to the state transition table of the state table. The pattern matching performance of the intrusion detection system is improved by performing a case insensitive search, where the characters of the test sequence are converted to uppercase as the characters are read. Testing reveals that state transition tables with sixteen-bit elements outperform state transition tables with thirty-two-bit elements and do not reduce the functionality of intrusion detection systems using the Aho-Corasick algorithm.
    Type: Application
    Filed: April 19, 2007
    Publication date: August 16, 2007
    Applicant: Sourcefire, Inc.
    Inventors: Marc Norton, Daniel Roelker