Abstract: A system and method for identifying anomalies in information requests. The information requests are modeled into a plurality of basic elements and association among the basic elements are tracked. The association of one information request is compared with a plurality of bitmap tables and counters representing a baseline information from a historical behavior information. If the association of this information request differs from the baseline information, an alert is issued. The system responds dynamically to changing baselines in assessment of which behaviors constitute an anomaly.

Abstract: The present invention provides a monitoring device and method for identifying the identity of users requesting database accesses. The data request from application servers to an application server are monitored and parsed. The SQL statements associated with the data request from the application server are also monitored and parsed, so are the SQL responses from the database server. The SQL responses are sent back to the user as data responses. The data responses are also monitored and parsed. The monitoring device matches the parsed data request with the parsed SQL statements, the parsed SQL responses, and the parsed data responses. By matching the string portion of these parsed data, the monitoring device can then identity the identity of the user making such data base quest.

Abstract: The present invention provides a system and method for evaluating risk associated with information access requests. The information access requests are collected, assigned a risk level according to user defined policies, a total risk is calculated and presented to user. The user can select a high risk event for further analysis. The system will break down the event into basic elements, so the user can ascertain the risk. The system allows a user to customize a report and the customized report can be saved as a template for future use.

Abstract: A method for generating an auto-adaptive baseline model for profiling individual and collective behavior of a plurality of network users. The method comprises the steps of creating a model, defining a plurality of members and a plurality of collective variables, each member corresponding to a user, and including a plurality of individual variables, defining conditions for each collective variable and individual variable, upon detecting an activity by a user, updating corresponding individual variables and collective variables, and comparing updated individual variables and collective variables against corresponding conditions. If a condition is met, an alert event is issued to notify designated personnel; otherwise, returning to the step of upon detecting activity. Finally, upon receiving an alert event, the designated personnel decides whether to manually redefine the conditions or to ignore the alert event.

Abstract: The present invention provides a system and method for identifying anomaly in information requests. The information requests are modeled into a plurality of basic elements and association among the basic elements are tracked. The association of one information request is compared with a plurality of bitmap tables and counters representing a baseline information from a historical behavior information. If the association of this information request differs from the baseline information, an alert is issued.

Abstract: A method for generating an auto-adaptive baseline model for profiling individual and collective behavior of a plurality of network users. The method comprises the steps of creating a model, defining a plurality of members and a plurality of collective variables, each member corresponding to a user, and including a plurality of individual variables, defining conditions for each collective variable and individual variable, upon detecting an activity by a user, updating corresponding individual variables and collective variables, and comparing updated individual variables and collective variables against corresponding conditions. If a condition is met, an alert event is issued to notify designated personnel; otherwise, returning to the step of upon detecting activity. Finally, upon receiving an alert event, the designated personnel decides whether to manually redefine the conditions or to ignore the alert event.

Abstract: A method for generating an auto-adaptive baseline model for profiling the individual and collective behavior of a plurality of users in a network is provided. The method comprises the steps of creating a model, defining a plurality of members and a plurality of collective variables, each member corresponding to a user, and including a plurality of individual variables, defining conditions for each collective variable and individual variable, upon detecting an activity by a user, updating corresponding individual variables and collective variables, comparing updated individual variables and collective variables against corresponding conditions. If condition is met, an alert event is issued to notify designated personnel; otherwise, returning to the step of upon detecting activity. Finally, upon receiving an alert event, the designated personnel decides whether to manually redefine the conditions or to ignore the alert event.

Abstract: A system and method are provided to couple tunnel servers to tunnel clients executing host applications for use in a virtual private network (VPN) environment. A receiver receives requests from host applications executing on the tunnel clients. The requests are addressed to the tunnel coupling system to establish a VPN tunnel. A processor processes the requests and an indication of loads on the tunnel servers to establish the VPN tunnels by designating at least one of the tunnel servers to each requested tunnel. A tunnel traffic distributor distributes tunnel traffic to the tunnel servers based at least part on the designations. In additional aspects, an evaluation processor evaluates the tunnel traffic before the tunnel traffic distributor distributes the tunnel traffic to the tunnel servers. For example, the evaluation performed by the evaluation processor includes at least performing security functions on the tunnel traffic.

Abstract: A hardware-based policy engine that employs a policy cache to process packets of network traffic. The policy engine includes a stream classifier that associates each packet with at least one action processor based on data in the packet, and the action processor further acts on the packets based on the association determined by the stream classifier.

Abstract: The present invention provides a monitoring device and method for consolidating data collected by the monitoring device. The data collected are labeled with an identification and stored in a flat file. The collected data are then filtered and the filtered data are saved as events in an event database. These events are the reduced by grouping similar events together. The reduction is performed periodically and at different levels. The reduced set of data is presented to the user and each individual collected datum behind the reduced data may be retrieved.

Abstract: The present invention provides a monitoring device and method for identifying the identity of users requesting database accesses. The data request from application servers to an application server are monitored and parsed. The SQL statements associated with the data request from the application server are also monitored and parsed, so are the SQL responses from the database server. The SQL responses are sent back to the user as data responses. The data responses are also monitored and parsed. The monitoring device matches the parsed data request with the parsed SQL statements, the parsed SQL responses, and the parsed data responses. By matching the string portion of these parsed data, the monitoring device can then identity the identity of the user making such data base quest.

Abstract: A method for generating an auto-adaptive baseline model for profiling the individual and collective behavior of a plurality of users in a network is provided. The method comprises the steps of creating a model, defining a plurality of members and a plurality of collective variables, each member corresponding to a user, and including a plurality of individual variables, defining conditions for each collective variable and individual variable, upon detecting an activity by a user, updating corresponding individual variables and collective variables, comparing updated individual variables and collective variables against corresponding conditions. If condition is met, an alert event is issued to notify designated personnel; otherwise, returning to the step of upon detecting activity. Finally, upon receiving an alert event, the designated personnel decides whether to manually redefine the conditions or to ignore the alert event.

Abstract: The present invention provides a monitoring device and method for supplying timing information for a data stream assembled from data packets and also for assembling a replacement data packet when a data packet is missing. The data packets received from a data network and the start time and the end time of each data packet are recorded. After assembling a data stream from the data packets, the start time of the data stream is the first start time of the first data packet and the end time of the data stream is the last end time of the last data packet. When a data packet is missing, a replacement data packet is assembled with a predefined value and the timing information is copied from the timing information from the data packet that follows the missing data packet.

Abstract: The present invention provides a system and method for evaluating risk associated with information access requests. The information access requests are collected, assigned a risk level according to user defined policies, a total risk is calculated and presented to user. The user can select a high risk event for further analysis. The system will break down the event into basic elements, so the user can ascertain the risk. The system allows a user to customize a report and the customized report can be saved as a template for future use.

Abstract: The present invention provides a system and method for identifying anomaly in information requests. The information requests are modeled into a plurality of basic elements and association among the basic elements are tracked. The association of one information request is compared with a plurality of bitmap tables and counters representing a baseline information from a historical behavior information. If the association of this information request differs from the baseline information, an alert is issued.

Abstract: A system and method according to the invention provide an efficient resource allocation when receiving connection requests from different servers for data transfer and the efficient resource allocation is achieved by identifying and assigning a quality factor to each originating server. When an originating server presents an abusive behavior, it may be assigned to a state that has a low quality factor, thus receiving little resource from the system.

Abstract: A hardware-based policy engine that employs a policy cache to process packets of network traffic. The policy engine includes a stream classifier that associates each packet with at least one action processor based on data in the packet, and the action processor further acts on the packets based on the association determined by the stream classifier.

Abstract: A system and method for processing data streams is disclosed. The system receives data packets for data streams, screen the data packets for searched patterns, and forward the data packets for their respective stream processing. Generally, the data packet is scanned for viruses before being forwarded for further processing. When an out-of-order data packet is received, a copy is made and the data packet is forwarded without being scanned. When a delayed data packet is received, it is scanned for virus along with the saved copy of the out-of-order data packet. If a virus is detected, the delayed packet is dropped and its connection reset. If no virus is found, the delayed packet is forwarded for further processing.

Abstract: A hardware-based policy engine that employs a policy cache to process packets of network traffic. The policy engine includes a stream classifier that associates each packet with at least one action processor based on data in the packet, and the action processor further acts on the packets based on the association determined by the stream classifier.

Abstract: A system and method are provided to couple tunnel servers to tunnel clients executing host applications for use in a virtual private network (VPN) environment. A receiver receives requests from host applications executing on the tunnel clients. The requests are addressed to the tunnel coupling system to establish a VPN tunnel. A processor processes the requests and an indication of loads on the tunnel servers to establish the VPN tunnels by designating at least one of the tunnel servers to each requested tunnel. A tunnel traffic distributor distributes tunnel traffic to the tunnel servers based at least part on the designations. In additional aspects, an evaluation processor evaluates the tunnel traffic before the tunnel traffic distributor distributes the tunnel traffic to the tunnel servers. For example, the evaluation performed by the evaluation processor includes at least performing security functions on the tunnel traffic.