Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.

Abstract: The amount of chip power that is consumed for cache storage size maintenance is optimized by the close monitoring and control of frequency of missed requests, and the proportion of frequently recurring items to all traffic items. The total number of hit slots is measured per interval of time and is compared to the theoretical value based on random distribution. If the missed rate is high, then the observed effect and value of increasing cache size are deduced by observing how this increase affects the distribution of hits on all cache slots. As the number of frequently hit items in proportion to the total traffic items increases, the benefits of increasing the cache size decreases.

Abstract: A method, apparatus, and computer instructions for providing a current and complete security compliance view of an enterprise system. The present invention provides the ability to gain a real-time security posture and security compliance view of an enterprise and to assess the risk impact of known threats and attacks to continued business operations at various levels is provided. Responsive to a change to an enterprise environment, a request, or an external threat, an administrator loads or updates at least one of a Critical Application Operations database, a Historical database, an Access Control database, a Connectivity database, and a Threat database. Based on a comparison of information in the databases against similar security data elements from company or external policies, the administrator may generate a Security Compliance view of the enterprise. A Security Posture view may also be generated by comparing the Security Compliance view against data in the Threat database.

Abstract: A kernel based detection of keyboard logger applications is achieved by configuring a call interface to the kernel to characterize a system call pattern for processes accessing a keyboard. A monitor thread iteratively examines a plurality of threads to test open( ), read( ), write( ), and syscall( ) system routines for conditions indicative of presence of a keyboard logger application. A thread whose system call pattern is characterized by such conditions is marked as a keyboard logger.

Abstract: A method of, system for, and product for managing a denial of service attack in a multiprocessor environment comprising. The first step is establishing normal traffic usage baselines in the multiprocessor environment. Once the baseline is established the next step is monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline. Next is monitoring ports and protocols to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port. If there is such consistent use of a protocol for all packets for that port as to evidence a denial of service attack, blocking measures are started to mitigate the apparent denial of service attack.

Abstract: A technique for tracking one or more thresholds relating to the blocking of a particular screen name used on an IM system is disclosed. If the number of people who have blocked a particular screen name reaches a threshold amount, a determination is made that the screen name is being used by a spimmer or other bothersome person, and disciplinary action can be taken. In a preferred embodiment, the email address associated with a user name of a suspected spimmer is identified and all screen names associated with that email address are also subjected to disciplinary action, if desired. Thus, an IM company can suspend all screen names of a spimmer that are tied to the same email address, even though not all (or even none) of the screen names individually have reached a threshold level for discipline/suspension.

Abstract: A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When a truncated secure session attack is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the attack is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-applying the blocking measure for a specified duration, then suspend the blocking measure and test again for the attack. If the attack is detected, the blocking measure is re-applied, and its duration is adapted. If the attack is no longer detected, the method returns to the state of readiness.

Abstract: The present invention provides for protecting against denial of service attacks. A request is sent by a client, the request comprises client indicia. The request is received at a server. A request count is incremented by the server. A sequence number is assigned as a function of the client indicia. A problem is selected by the server. The problem is sent by the server to the client. A solution to the problem is sent to the server. It is determined if the solution by client is correct. If the solution is correct, a session is performed. If the solution is not correct, the request is discarded. This can substantially decrease the amount of attacks performed by a rogue client, as the session set-up time can be substantial.

Abstract: A system, method and program product for managing e-mails from a source suspected of sending spam. The e-mails are received at a firewall or router en route to a mail server. A determination is made whether a source has sent an e-mail which exhibits characteristics of spam. In response, subsequent e-mails from the source destined for the mail server are rate-limiting at the firewall or router such that the firewall or router limits a rate at which the subsequent e-mails are forwarded from the firewall or router to the mail server. The rate is predetermined and less than a maximum rate at which the firewall or router can physically forward e-mails to the mail server absent the rate limit. A determination is made whether another source has sent another e-mail which exhibits more characteristics of spam than the first said e-mail. In response, subsequent e-mails from this other source are blocked at the firewall or router.

Abstract: System, method and computer program for authenticating a user of a client computer to a remote server computer. A client computer initially sends a userID but not a password of the user to the remote server computer. In response to the userID, the server computer determines a subsequent time window during which the server computer will consider for authentication submission of a combination of the userID and a password. The server computer notifies the client computer of the time window. After receipt of the notification from the server computer, during the time window, the client computer sends the userID and a corresponding password to the server computer. In response to receipt of the userID and the corresponding password from the client computer, the server computer determines if the combination of the userID and the corresponding password is valid.

Abstract: A method of blocking spam at a firewall involves applying blocking measures for an adaptively determined duration. The blocking measure is then suspended while determining whether the spam has ended. If so, the method resets to an initial state. Otherwise, the blocking measure is re-applied for a second duration.

Abstract: The present invention relates to a method and computer system device for applying a plurality of rules to data packets within a network computer system. A filter rule decision tree is updated by adding or deleting a rule. If deleting a filter rule then the decision tree is provided to a network data plane processor with an incremental delete of the filter rule. If adding a filter rule then either providing an incremental insertion of the filter rule to the decision tree or rebuilding the first decision tree into a second decision tree responsive to comparing a parameter to a threshold. In one embodiment the parameter and thresholds relate to depth values of the tree filter rule chained branches. In another the parameter and thresholds relate to a total count of rule additions since a building of the relevant tree.

Abstract: A detection and response system including a set of algorithms for detecting within a stream of normal computer traffic a subset of (should focus on network traffic eliciting a response) TCP or UDP packets with one IP Source Address (SA) value, one or a few Destination Address (DA) values, and a number exceeding a threshold of distinct Destination Port (DP) values. A lookup mechanism such as a Direct Table and Patricia search tree record and trace sets of packets with one SA and one DA as well as the set of DP values observed for the given SA, DA combination. The detection and response system reports the existence of such a subset and the header values including SA, DA, and multiple DPs of the subset. The detection and response system also includes various administrative responses to reports.

Abstract: A detection and response system including a set of algorithms for detection within a stream of normal computer traffic a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number exceeding a threshold of distinct Destination Addresses (DA). There is efficient use of a lookup mechanism such as a Direct Table and Patricia search tree to record sets of packets with one SA and one DP as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and the header values including SA, DP, and multiple DAs of the subset are reported to a network administrator. In addition, various administrative responses to reports are provided.

Abstract: An intrusion event detection system, method, and program product with an enumeration of specific known benign intrusion events, and performing a vulnerability test on specific elements of the computer system for the particular known benign intrusion event. These vulnerability tests are performed at predetermined time intervals measured from a previous test or previous intrusion event of the known benign intrusion event. The predetermined time interval is increased based on various attributes, passage of time since the last intrusion event of either the specific known benign intrusion event or another known benign intrusion event, or even a an undetermined or harmful intrusion event, or the present detection of an intrusion even; or the vulnerability of a specific element in the computer system to a specific intrusion event.

Abstract: A method and system for controlling a plurality of pipes in a computer system including at least one central system is disclosed. The pipes provide traffic from a plurality of distributed systems. The method and system include providing a first plurality of data packets from a pipe of the plurality of pipes to a fast path or a slow path during a time interval such that none of the first plurality of data packets is dropped. The first plurality of data packets arrive in a time interval. The fast path includes a fast storage, while the slow path includes a bulk storage. The method and system also include providing a second plurality of data packets from the fast storage or the bulk storage to the central system in a first in first out order during the time interval.

Abstract: A system, method and program product for blocking unwanted e-mails. An e-mail is identified as unwanted. A source IP address of the unwanted e-mail is determined. Other source IP addresses owned or registered by an owner or registrant of the source IP address of the unwanted e-mail are determined. Subsequent e-mails from the source IP address and the other IP addresses are blocked. This will thwart a spammer who shifts to a new source IP address when its spam is blocked from one source IP address.

Abstract: The present invention provides for a computer network method and system that applies “hysteresis” to an active queue management algorithm. If a queue is at a level below a certain low threshold and a burst of packets arrives at a network node, then the probability of dropping the initial packets in the burst is recalculated, but the packets are not dropped. However, if the queue level crosses beyond a hysteresis threshold, then packets are discarded pursuant to a drop probability. Also, according to the present invention, queue level may be decreased until it becomes less than the hysteresis threshold, with packets dropped per the drop probability until the queue level decreases to at least a low threshold. In one embodiment, an adaptive algorithm is also provided to adjust the transmit probability for each flow together with hysteresis to increase the packet transmit rates to absorb bursty traffic.

Abstract: Communication traffic is processed by detecting an anomaly in the communication traffic. A first blocking measure A is applied to the anomalous traffic that stops the anomalous traffic. A second blocking measure is determined such that application of a logical combination of the first blocking measure A and the second blocking measure to the anomalous traffic stops the anomalous traffic.

Abstract: A communication network is operated by detecting an anomaly in the communication traffic at a plurality of nodes in a communication network. A first blocking measure A is independently applied at respective ones of the plurality of nodes to the anomalous traffic that stops the anomalous traffic. A second blocking measure B is independently determined at the respective ones of the plurality of nodes such that application of a logical combination of the first blocking measure A and the second blocking measure B to the anomalous traffic stops the anomalous traffic.