Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network. The processor is also configured to infer a user role for a user who is using the file and the file data and how the user is transferring or accessing the file and the file data. Inappropriate usage being performed by the user can then be detected from the user role and the read data to control access to particular files.

Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor. The processor is configured to receive the read data from the sensor; and originate map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network. The processor is also configured to infer a user role for a user who is using the file and the file data and how the user is transferring or accessing the file and the file data. Inappropriate usage being performed by the user can then be detected from the user role and the read data to control access to particular files.

Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.

Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.

Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.

Abstract: A system includes a sensor and a processor. The sensor is configured to passively read data in packets as the packets are in motion on a network. The processor is cooperatively operable with the sensor The processor is configured to receive the read data from the sensor; and originate real-time map profiles of files and file data, both from the read data from the sensor, as the passively read packets are in motion on the network.

Abstract: Fragment trains in a communication network are analyzed. A fragment train includes fragments in the same fragment train and associated with the same target system. One or more fragment reassembly policies are identified out of several fragment reassembly policies, where the fragment reassembly policy corresponds to a target system associated with fragments in a fragment train. The data in the fragments in the fragment train are provided in an order indicated by the fragment reassembly policy. The fragment reassembly policy can include determining the order responsive to an offset and a more fragments indication in the fragments, and/or indicating an order specific to overlapped fragments such as comprehensively overlapped fragments.

Abstract: A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.

Abstract: A method, computer system and/or computer readable medium, associates attack detection/prevention rules with a target in a communication network. The attack detection/prevention rules are provided for the target without differentiation as to flows. A particular flow is associated with a transmission destination, a port number, a platform, a network service, or a client application on the target. A micro-policy is bound to a target of the particular flow based on monitored transmissions. The micro-policy that was bound to the target of the particular flow, is applied to the target to detect an intrusion in the particular flow. Binding the micro-policy includes selecting, as the micro-policy, only rules in the attack detection/prevention rules that are specific to the port number, the protocol, the family of machine, and the version associated with the particular flow, and associating only the selected rules of the micro-policy with the target of the particular flow.

Abstract: Fragment trains in a communication network are analyzed. A fragment train includes fragments in the same fragment train and associated with the same target system. One or more fragment reassembly policies are identified out of several fragment reassembly policies, where the fragment reassembly policy corresponds to a target system associated with fragments in a fragment train. The data in the fragments in the fragment train are provided in an order indicated by the fragment reassembly policy. The fragment reassembly policy can include determining the order responsive to an offset and a more fragments indication in the fragments, and/or indicating an order specific to overlapped fragments such as comprehensively overlapped fragments.

Abstract: A method performed in an intrusion detection/prevention system, a system or a device for analyzing segments in a transmission in a communication network. The transmission includes segments in the same transmission control protocol (TCP) session. Segments in a transmission are monitored. Data in the segments in the transmission are reassembled in an order indicated by a segment reassembly policy, the segment reassembly policy indicating an order specific to at least comprehensively overlapped segments.