Abstract: According to one embodiment of the invention, a method for reducing the false alarm rate of network intrusion detection systems includes receiving an alarm indicating a network intrusion may have occurred, identifying characteristics of the alarm, including at least an attack type and a target address, querying a target host associated with the target address for an operating system fingerprint, receiving the operating system fingerprint that includes the operating system type from the target host, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.

Abstract: According to one embodiment of the invention, a computerized method for reducing the false alarm rate of network intrusion detection systems includes receiving, from a network intrusion detection sensor, one or more data packets associated with an alarm indicative of a potential attack on a target host and identifying characteristics of the alarm from the data packets. The characteristics include at least an attack type and an operating system fingerprint of the target host. The method further includes identifying the operating system type from the operating system fingerprint, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.

Abstract: The present invention provides a generic distributed command, control, and communication framework that allows computer systems, devices, and operational personnel to interact with the network as a unified entity. The present invention provides these services by building upon a core communication architecture that permits local or remote execution of mobile program code, static execution of program code, flexible communication formats, self-healing network techniques, and expansion by the addition of new system modules, software handlers, or mobile autonomous agents.

Abstract: According to one embodiment of the invention, a method for reducing the false alarm rate of network intrusion detection systems includes receiving an alarm indicating a network intrusion may have occurred, identifying characteristics of the alarm, including at least an attack type and a target address, querying a target host associated with the target address for an operating system fingerprint, receiving the operating system fingerprint that includes the operating system type from the target host, comparing the attack type to the operating system type, and indicating whether the target host is vulnerable to the attack based on the comparison.

Abstract: According to one embodiment of the invention, a method for analyzing and addressing alarms from network intrusion detection systems includes receiving an alarm indicating an attack on a target host may have occurred, automatically accessing the target host in response to the alarm, and identifying the presence of the attack on the target host.

Abstract: The present invention provides a generic distributed command, control, and communication framework that allows computer systems, devices, and operational personnel to interact with the network as a unified entity. The present invention provides these services by building upon a core communication architecture that permits local or remote execution of mobile program code, static execution of program code, flexible communication formats, self-healing network techniques, and expansion by the addition of new system modules, software handlers, or mobile autonomous agents.

Abstract: A computer-implemented intrusion detection system and method that monitors a computer system in real-time for activity indicative of attempted or actual access by unauthorized persons or computers. The system detects unauthorized users attempting to enter into a computer system by comparing user behavior to a user profile, detects events that indicate an unauthorized entry into the computer system, notifies a control function about the unauthorized users and events that indicate unauthorized entry into the computer system and has a control function that automatically takes action in response to the event. The user profiles are dynamically constructed for each computer user when the computer user first attempts to log into the computer system and upon subsequent logins, the user's profile is dynamically updated. By comparing user behavior to the dynamically built user profile, false alarms are reduced. The system also includes a log auditing function, a port scan detector and a session monitor function.