Patents by Inventor Andreas Wespi

Andreas Wespi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7953677
    Abstract: A computer implemented method and system for analysing a first set of data records where each data record comprises attribute values for one or more attributes, by expanding the first set of data records into a second set of data records by creating for at least one of the attributes of the first set of data records at least two redundant attributes with corresponding redundant attribute values, assigning different generalization rules to the at least two redundant attributes, and performing a generalization of the second set of data records by means of an attribute-oriented induction (AOI)-algorithm.
    Type: Grant
    Filed: December 19, 2007
    Date of Patent: May 31, 2011
    Assignee: International Business Machines Corporation
    Inventors: Birgit Baum-Waidner, Klaus Julisch, Andreas Wespi
  • Patent number: 7568228
    Abstract: Described is apparatus for testing an intrusion detection system in a data processing system. The apparatus comprises an attack generator for generating attack traffic on a communications path in the data processing system. A collector receives responses generated by the intrusion detection system on receipt of the attack traffic. A controller coupled to the attack generator and the collector varies the attack traffic generated by the attack generator in dependence on the response received from the intrusion detection system by the collector.
    Type: Grant
    Filed: May 17, 2002
    Date of Patent: July 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Alessandri Dominique, James F. Riordan, Andreas Wespi
  • Patent number: 7555777
    Abstract: A method and apparatus for facilitating reduction in successful attacks on a monitored data processing system, such as a host computer. An intrusion detection system comprises a host or application based sensor for detecting code based intrusions with a relatively low false-positive rate. Malicious code strings related to a detected intrusion are identified, extracted and forwarded to a pattern filter located in the monitored data processing system to prevent further intrusions using said malicious code strings. The malicious code strings may be forwarded to a response server for assembling sets of similar malicious code strings for which signatures are generated to permit identification of all malicious code strings contained in a set. The generated signatures are then distributed to monitored and/or monitoring systems of a protected network to prevent further intrusions using the malicious code strings and variations thereof.
    Type: Grant
    Filed: January 13, 2004
    Date of Patent: June 30, 2009
    Assignee: International Business Machines Corporation
    Inventors: Morton D. Swimmer, Andreas Wespi, Diego M. Zamboni
  • Publication number: 20080222059
    Abstract: A computer implemented method and system for analysing a first set of data records where each data record comprises attribute values for one or more attributes, by expanding the first set of data records into a second set of data records by creating for at least one of the attributes of the first set of data records at least two redundant attributes with corresponding redundant attribute values, assigning different generalization rules to the at least two redundant attributes, and performing a generalization of the second set of data records by means of an attribute-oriented induction (AOI)-algorithm.
    Type: Application
    Filed: December 19, 2007
    Publication date: September 11, 2008
    Applicant: International Business Machines Corporation
    Inventors: Birgit Baum-Waidner, Klaus Julisch, Andreas Wespi
  • Patent number: 7308689
    Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
    Type: Grant
    Filed: December 18, 2002
    Date of Patent: December 11, 2007
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Patent number: 7039953
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups (“situations”) are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows for scalability of the event correlation process across larger networks of systems.
    Type: Grant
    Filed: August 30, 2001
    Date of Patent: May 2, 2006
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Publication number: 20040255163
    Abstract: A method and apparatus for facilitating reduction in successful attacks on a monitored data processing system, such as a host computer. An intrusion detection system comprises a host or application based sensor for detecting code based intrusions with a relatively low false-positive rate. Malicious code strings related to a detected intrusion are identified, extracted and forwarded to a pattern filter located in the monitored data processing system to prevent further intrusions using said malicious code strings. The malicious code strings may be forwarded to a response server for assembling sets of similar malicious code strings for which signatures are generated to permit identification of all malicious code strings contained in a set. The generated signatures are then distributed to monitored and/or monitoring systems of a protected network to prevent further intrusions using the malicious code strings and variations thereof.
    Type: Application
    Filed: January 13, 2004
    Publication date: December 16, 2004
    Applicant: International Business Machines Corporation
    Inventors: Morton D Swimmer, Andreas Wespi, Diego M. Zamboni
  • Publication number: 20040236747
    Abstract: Methods, apparatus and systems for controlling access to an object in a data processing system comprise: receiving a request to access the object from a task; classifying the access request into one of critical and non-critical classes in dependence on stored access control data associated with the object and the task; granting the task access to the object and storing data indicative of the access in an access log if the access is classified into the non-critical class; and in the event that the access is classified into the critical class, granting or denying the task access to the object in dependence on the contents of the access log and the stored access control data.
    Type: Application
    Filed: March 3, 2004
    Publication date: November 25, 2004
    Inventors: Morton G. Swimmer, Michael Waidner, Andreas Wespi
  • Publication number: 20040123304
    Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
    Type: Application
    Filed: December 18, 2002
    Publication date: June 24, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Publication number: 20030046582
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups (“situations”) are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows for scalability of the event correlation process across larger networks of systems.
    Type: Application
    Filed: August 30, 2001
    Publication date: March 6, 2003
    Applicant: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Publication number: 20020194469
    Abstract: Described is apparatus for testing an intrusion detection system in a data processing system. The apparatus comprises an attack generator for generating attack traffic on a communications path in the data processing system. A collector receives responses generated by the intrusion detection system on receipt of the attack traffic. A controller coupled to the attack generator and the collector varies the attack traffic generated by the attack generator in dependence on the response received from the intrusion detection system by the collector.
    Type: Application
    Filed: May 17, 2002
    Publication date: December 19, 2002
    Applicant: International Business Machines Corporation
    Inventors: Alessandri Dominique, James F. Riordan, Andreas Wespi