Patents Represented by Attorney, Agent or Law Firm Christopher J. Hamaty
  • Patent number: 6751627
    Abstract: One embodiment of the present invention provides a system that facilitates accessing a network management protocol table. The system operates by first collecting a network management protocol tuple that includes data related to a network connection. Next, the system creates a hash index from the network management protocol tuple. This network management protocol tuple is inserted into the network management protocol table. The system then saves a pointer to the row indexed by the hash index in a hash table. The system also forms a search index using data within the network management protocol tuple that identifies the data pointed to by the hash index in the hash table. This search index is inserted into a search tree, so that the hash index provides fast insertion into the network management protocol table and the search index in the search table provides fast ordered retrieval from the network management protocol table.
    Type: Grant
    Filed: July 23, 2001
    Date of Patent: June 15, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventor: Jeffrey Y. Sternin
  • Patent number: 6748534
    Abstract: A system and a method for performing partitioned scanning of a dataset for malware in a distributed computing environment is disclosed. A dataset is maintained in a plurality of structured databases in the distributed computing environment. Each database stores a plurality of data item groups which each include a plurality of individual data items. Each such data item is uniquely identified within the dataset by a data item identifier. A set of indices is stored in a centralized database. The set of indices includes a list of scanned data item identifiers for each data item within the dataset scanned for malware and a list of last entry numbers for each data item group stored in each database. Each last entry number corresponds to one such data item within the data item group last scanned for malware. A plurality of malware scanners are executed in substantial concurrency.
    Type: Grant
    Filed: March 31, 2000
    Date of Patent: June 8, 2004
    Assignee: Networks Associates
    Inventors: Dmitry O. Gryaznov, Chengi Jimmy Kuo
  • Patent number: 6745192
    Abstract: A system and method for providing a multi-tiered hierarchical transient message store accessed using multiply hashed unique filenames is described. A hierarchical message store is maintained. The hierarchical message store is logically structured with a plurality of storage nodes. Each storage node is dependently linked to one of a plurality of index nodes. Each index node is dependently linked to a root node. An incoming message is intercepted at a network domain boundary and assigned a unique filename. An index hash of the unique filename, corresponding to one such index node, and a storage hash of the unique filename, corresponding to one such storage node, are generated. The message is stored in the hierarchical message store at the one such index node and the one such storage node.
    Type: Grant
    Filed: December 10, 2001
    Date of Patent: June 1, 2004
    Assignee: Networks Associates Technology Inc.
    Inventor: Davide Libenzi
  • Patent number: 6745311
    Abstract: The present invention is a method of allocating clusters of a disk or other computer readable medium containing a plurality of clusters to minimize fragmentation. To accomplish this, at least one available block is identified in the computer readable medium. Each block includes one or more contiguous available clusters, where each cluster comprises one or more units of storage space. A request is received to allocate one or more clusters to a file. At least one of the available blocks is selected based on a location of the available block. At least some of the clusters are allocated, and the file is written to the allocated clusters.
    Type: Grant
    Filed: January 24, 2001
    Date of Patent: June 1, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Daniel Fabrizio, Jonathan Daub
  • Patent number: 6742124
    Abstract: A real-time sequence-based anomaly detection system is disclosed. In a preferred embodiment, the intrusion detection system is incorporated as part of a software wrapper. Event abstraction in the software wrapper enables the intrusion detection system to apply generically across various computing platforms. Real-time anomaly detection is enabled through the definition of a distance matrix that defines allowable separation distances between pairs of system calls. The distance matrix indirectly specifies known sequences of system calls and can be used to determine whether a sequence of system calls in an event window represents an anomaly. Anomalies that are detected are further analyzed through Levenshtein distance calculations that also rely on the contents of the distance matrix.
    Type: Grant
    Filed: May 8, 2000
    Date of Patent: May 25, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Douglas Kilpatrick, Calvin Ko, Stephen J. Kiernan
  • Patent number: 6742128
    Abstract: A system, method and computer program product are provided for assessing threats to a network utilizing a plurality of data sources. Initially, network data is collected from a plurality of different network data sources. Such data is then aggregated and correlated, after which it is stored. Threats to a network are then assessed utilizing the aggregated and correlated network data.
    Type: Grant
    Filed: August 28, 2002
    Date of Patent: May 25, 2004
    Assignee: Networks Associates Technology
    Inventor: Herbert V. Joiner
  • Patent number: 6735629
    Abstract: In a probe system for monitoring and analyzing data flow and associated activities between devices connected in common to a point in a network, in the mode of operation, the probe's driver runs in a “Kernel mode” on Windows NT for analyzing in relatively low detail packets of data retrieved from the network, whereby programming is provided for operating the Kernel mode driver to monitor the rate of traffic or data packets entering an NIC card buffer, for causing the CPU to respond to an interrupt issued by the NIC every time a data packet is received at a traffic rate below a predetermined threshold to access data packets entering the NIC card buffer, and to cause the CPU to respond to polling pulses at regular predetermined intervals to access data packets, when the traffic rate exceeds the predetermined threshold, for providing more CPU cycles to analyze the data packets.
    Type: Grant
    Filed: May 4, 2000
    Date of Patent: May 11, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Dominick Anthony Cafarelli, III, Daniel Hansen
  • Patent number: 6735703
    Abstract: A real-time sequence-based anomaly detection system is disclosed. In a preferred embodiment, the intrusion detection system is incorporated as part of a software wrapper. Event abstraction in the software wrapper enables the intrusion detection system to apply generically across various computing platforms. Real-time anomaly detection is enabled through the definition of a distance matrix that defines allowable separation distances between pairs of system calls. The distance matrix indirectly specifies known sequences of system calls and can be used to determine whether a sequence of system calls in an event window represents an anomaly. Anomalies that are detected are further analyzed through Levenshtein distance calculations that also rely on the contents of the distance matrix.
    Type: Grant
    Filed: May 8, 2000
    Date of Patent: May 11, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Douglas Kilpatrick, Mark Lee Badger, Calvin Ko
  • Patent number: 6735700
    Abstract: A unique session key is created for each execution of anti-virus software and is used to create a session stamp for each file scanned during that execution. The session stamp is stored in the directory entry for the file. When a request for the file is made, the anti-virus software uses the current session key to validate the session stamp. An invalid or absent session stamp indicates that the file needs to be scanned.
    Type: Grant
    Filed: January 11, 2000
    Date of Patent: May 11, 2004
    Assignee: Network Associates Technology, Inc.
    Inventors: Barney Flint, Michael Hughes
  • Patent number: 6732157
    Abstract: A system, method and computer program product are provided for filtering unwanted electronic mail messages. After receiving electronic mail messages, the electronic mail messages that are unwanted are filtered utilizing a combination of techniques including: compound filters, paragraph hashing, and Bayes rules. The electronic mail messages that are filtered as being unwanted are then categorized.
    Type: Grant
    Filed: December 13, 2002
    Date of Patent: May 4, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Bryson P. Gordon, Thor Ivar Ekle
  • Patent number: 6728219
    Abstract: A graphical user interface is provided for displaying network analysis including a window including a plurality of gauges selected from the group consisting of a first gauge for indicating a number of packets specified by the network analysis, a second gauge for indicating a network utilization specified by the network analysis, and a third gauge for indicating a number of errors specified by the network analysis.
    Type: Grant
    Filed: August 19, 2002
    Date of Patent: April 27, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Pak-Tak Patrick Leong, King L. Won
  • Patent number: 6728885
    Abstract: A method, system and computer program for providing multilevel security to a computer network. The method comprises the step of receiving a first communication packet on at least one network interface port from an outside network. The method further includes the steps of filtering the first packet in one of at least two levels of security comprising a first level of security which examines the content information of the packet and a second level of security which examines the first packet excluding the content information of the packet. The system includes a first packet filter configured to filter its input packets by examining content information of its packets and a second packet filter configured to filter its input packets by examining the header information without examining the content information of its packets. The system further includes a third filter which is configured to forward a number of packets to one of the first and second filters, thereby providing security to the computer network.
    Type: Grant
    Filed: October 8, 1999
    Date of Patent: April 27, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Kevin R. Taylor, Ganesh Murugesan, Homayoon Tajalli
  • Patent number: 6725377
    Abstract: A method and system for updating anti-intrusion software is provided. In a preferred embodiment, a computer program product updates anti-intrusion software on a computer network which has an anti-intrusion monitor server. The anti-intrusion monitor server recognizes attacks on the computer network in accordance with attack pattern information contained in the anti-intrusion software. The computer program product includes computer code that installs modified attack pattern information onto a central anti-intrusion server, and computer code that transfers the modified attack pattern information from the central anti-intrusion server to the anti-intrusion monitor server using push technology. The result is that newly discovered attack patterns are capable of being rapidly communicated from the central anti-intrusion server to the computer network.
    Type: Grant
    Filed: March 12, 1999
    Date of Patent: April 20, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventor: Victor Kouznetsov
  • Patent number: 6721847
    Abstract: An application program (6) may issue a file access request to an operating system (4) accompanied by a caching hint. This caching hint may be selected in dependence upon the file type and file size of the computer file to which access has been requested. The data defining which hint type is to be used for each combination of file type and file size may be adaptively updated depending upon measured performance for the different hint types. The hint defining data may be initialised in dependence upon the operating system version and the installed memory size of the computer system concerned.
    Type: Grant
    Filed: February 20, 2001
    Date of Patent: April 13, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventor: Neil John Hursey
  • Patent number: 6718469
    Abstract: A system and method for executing computer virus definitions containing general purpose programming language extensions is described. One or more virus definition records are stored in a computer virus data file. Each virus definition record includes an identifier, a virus detection section and an extension sentence. The identifier uniquely identifies a computer virus. The virus detection section includes object code providing operations to detect the identified computer virus within a computer system. The extension sentence includes object code providing reusable operations implemented in a general purpose computing language. For each virus definition record, at least one of the object code of the virus detection section and the extension sentence is interpreted.
    Type: Grant
    Filed: August 1, 2001
    Date of Patent: April 6, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Michael Chin-Hwan Pak, Andrei Ouchakov, Khai Nhu Pham, Dmitry O. Gryaznov, Victor Kouznetsov
  • Patent number: 6714513
    Abstract: A system, method and computer program product are provided for analyzing a network utilizing an agent. Initially, a signal is sent from a computer to a host controller utilizing a network. Next, a response to the signal is received from the host controller. Information is then collected relating to network traffic involving the computer based on the response. The information is subsequently sent to the host controller on a periodic basis.
    Type: Grant
    Filed: December 21, 2001
    Date of Patent: March 30, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Herbert V. Joiner, Ravi Verma, Praveen Raghuraman, Ken W. Elwell
  • Patent number: 6708292
    Abstract: A method and system for gathering data by monitoring data packets on a network. At least some of the packets are captured in a data buffer. Each captured packet is classified according to a preselected classification system and each captured packet is marked with an indicia of its classification. An analysis program is executed on a network coupled computer. The analysis program displays data about the buffer contents including the indicia before transferring the buffer contents to the analysis program.
    Type: Grant
    Filed: August 18, 2000
    Date of Patent: March 16, 2004
    Assignee: Network Associates, Inc.
    Inventor: Jeff Mangasarian
  • Patent number: 6701440
    Abstract: A system and method for a remote or network-based application service offering virus scanning, sniffing, or detecting of e-mail viruses prior to the e-mail messages arriving at the destination system or server are disclosed. The method protects a computer system that is configured to receive an e-mail message addressed to a destination e-mail address from viruses in an incoming e-mail message. The method generally includes receiving the incoming e-mail message at a remote e-mail receiving server, scanning the e-mail message for virus, forwarding the e-mail message if it is clean to a remote e-mail sending server, attempting to clean the e-mail message if it is infected to generate a cleaned e-mail message, forwarding the cleaned e-mail message, if any, to the remote e-mail sending server, and forwarding the clean or cleaned e-mail message, if any, to the destination e-mail address from the remote e-mail sending server.
    Type: Grant
    Filed: January 6, 2000
    Date of Patent: March 2, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Do K. Kim, Christopher L. Pearce, Jeffrey J. Constantine
  • Patent number: 6701441
    Abstract: A system, method, and computer program product for delivery and automatic execution of security, management, or optimization software over an Internet connection to a user computer responsive to a user request entered via a web browser on the user computer. In a preferred embodiment, the user directs the Internet browser to an Internet clinical services provider web site computer and logs in to the site using an identifier and a secure password and optionally makes a selection of the type of servicing desired, wherein an automatically-executing software package encapsulated within a markup language communication unit deliverable across the Internet is delivered to the user computer, the automatically-executing software package being adapted to perform security, management, or optimization functions on the user computer. User identifiers and passwords enabling the downloads may be provided on a per-download basis or on a subscription basis.
    Type: Grant
    Filed: June 25, 2002
    Date of Patent: March 2, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Chandrasekar Balasubramaniam, Ravi Kannan, Siddaraya Basappa Revashetti, Srivats Sampath, Babu Katchapalayam
  • Patent number: 6697871
    Abstract: A system and method for the efficient encoding and decoding of protocol messages is described. In one embodiment, an offset from a beginning of a memory buffer is calculated based upon a maximum size of a header portion of the message. A variable length portion of the message is encoded beginning at the offset, and the header portion of the message is encoded based upon an encoded size of the variable portion and a size of the header portion. The encoding of the header portion begins at the offset less the encoded size of the header portion. Further, a set of object identifiers are decoded into a data structure. If a value portion corresponding to an object identifier of the set of object identifiers is variable in length, the value portion is decoded into the data structure.
    Type: Grant
    Filed: September 21, 1999
    Date of Patent: February 24, 2004
    Assignee: Network Associates Technology, Inc.
    Inventor: Daniel Hansen