Abstract: A method and system of identifying an attacker device attempting an intrusion into a network. At least one managed device of the network detects an incoming TCP/IP connection by the attacker device to the network. It is determined that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid nor is in the list of userids. The retrieved event log information is stored in a central violation database.

Abstract: A method and system of identifying an attacker device attempting an intrusion into a network. At least one managed device of the network detects an incoming TCP/IP connection by the attacker device to the network. It is determined that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device, linking the invalid logon with the NetBIOS TCP/IP connection, retrieving event log information from a security event log of the network, and determining (i) that a userid of the invalid logon is a local userid defined on a local device, (ii) that the userid of the invalid logon is a userid in a list of userids used by viruses, or (iii) that the userid of the invalid logon is neither the local userid nor is in the list of userids. The retrieved event log information is stored in a central violation database.

Abstract: A method and system for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes a managed device and a security event log. The managed device detects an incoming TCP/IP connection by the attacker device to the network. TCP/IP information relating to the attacker device is extracted from a TCP/IP stack of the managed device. It is ascertained that a port number of the incoming TCP/IP connection is identical to a predefined port number. A performed process includes determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device. Event log information, which is associated with the detected incoming TCP/IP connection, is retrieved from the security event log. A generated report is generated and stored in a database of the network. The report includes the extracted TCP/IP information and the retrieved event log information.

Abstract: A method for detecting the invalid access to a computer network is disclosed. The method preferably operates in a computer network having computer servers operating on different operating systems and a plurality of computer devices. Each computer device is managed by a computer server at the operating system level. The computer network includes a plurality of information databases that contain information associated with the users and with the computer devices of the computer network. On each computer server, the method, system, and program generates a set of identifying files for each computer device managed by the computer server. All sets of identifying files from the plurality of computer servers are next gathered into a unique central violation database. Links are created between each set of identifying files and the plurality of information databases in order to determine a level of network access violation for each computer device.

Abstract: A method and system for identifying an attacker device attempting an intrusion into a TCP/IP protocol based network that includes a managed device and a security event log. The managed device detects an incoming TCP/IP connection by the attacker device to the network. TCP/IP information relating to the attacker device is extracted from a TCP/IP stack of the managed device. It is ascertained that a port number of the incoming TCP/IP connection is identical to a predefined port number. A performed process includes determining that the incoming TCP/IP connection is a Net BIOS connection that has created an invalid logon by the attacker device. Event log information, which is associated with the detected incoming TCP/IP connection, is retrieved from the security event log. A generated report is generated and stored in a database of the network. The report includes the extracted TCP/IP information and the retrieved event log information.

Abstract: A method for detecting the invalid access to a computer network is disclosed. The method preferably operates in a computer network having computer servers operating on different operating systems and a plurality of computer devices. Each computer device is managed by a computer server at the operating system level. The computer network includes a plurality of information databases that contain information associated with the users and with the computer devices of the computer network. On each computer server, the method, system, and program generates a set of identifying files for each computer device managed by the computer server. All sets of identifying files from the plurality of computer servers are next gathered into a unique central violation database. Links are created between each set of identifying files and the plurality of information databases in order to determine a level of network access violation for each computer device.