Patents by Inventor John Michael Garrison

John Michael Garrison has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7356704
    Abstract: An apparatus and method for authenticating users on a data processing system is implemented. The present invention provides for aggregating authenticated identities and related authorization information. A security context created in response to a first user logon is saved in response to a second logon. A composite or aggregate security context is created based on the identity passed in the second logon. Access may then be granted (or denied) based on the current, aggregated security context. Upon logout of the user based on the second identity, the aggregate security context is destroyed, and the security context reverts to the context previously saved.
    Type: Grant
    Filed: December 7, 2000
    Date of Patent: April 8, 2008
    Assignee: International Business Machines Corporation
    Inventors: Debora Rinkevich, John Michael Garrison
  • Patent number: 7308689
    Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
    Type: Grant
    Filed: December 18, 2002
    Date of Patent: December 11, 2007
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Patent number: 7278160
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
    Type: Grant
    Filed: August 16, 2001
    Date of Patent: October 2, 2007
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison
  • Patent number: 7039953
    Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows for scalability of the event correlation process across larger networks of systems.
    Type: Grant
    Filed: August 30, 2001
    Date of Patent: May 2, 2006
    Assignee: International Business Machines Corporation
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Patent number: 6928556
    Abstract: A method, apparatus, and computer implemented instructions for handling a situation in a data processing system. In response to detecting a situation, an aging function is applied to the situation. Alerts regarding the situation based on the aging function are presented.
    Type: Grant
    Filed: August 30, 2001
    Date of Patent: August 9, 2005
    Assignee: International Business Machines Corporation
    Inventors: Steven C. Black, Herve Debar, John Michael Garrison, RoseAnne Swart
  • Patent number: 6785811
    Abstract: Methods, systems and computer program products are provided which provide cryptographic services to an application by incorporating in the application an indication of at least one authorized cryptographic function for the application. The indication of at least one authorized cryptographic function for the application is communicated to a cryptographic library that supports a plurality of cryptographic functions. The at least one authorized cryptographic function corresponding to the indication of at least one authorized cryptographic function is then identified as a valid cryptographic function for the application.
    Type: Grant
    Filed: March 23, 2000
    Date of Patent: August 31, 2004
    Assignee: International Business Machines Corporation
    Inventors: John Charles Bihlmeyer, Mark Charles Davis, John Michael Garrison, David Gerard Kuehr-McLaren, Reid L. Sayre
  • Publication number: 20040128529
    Abstract: A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kenneth W. Blake, Vikki Kim Converse, Ronald O'Neal Edmark, John Michael Garrison
  • Publication number: 20040128543
    Abstract: A method, system, apparatus, or computer program product is presented for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot's personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis. The morphing honeypot can also be integrated with intrusion detection systems and other types of computer security incident recognition systems to correlate its personality with detected nefarious activities.
    Type: Application
    Filed: December 31, 2002
    Publication date: July 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kenneth W. Blake, Vikki Kim Converse, Ronald O'Neal Edmark, John Michael Garrison
  • Publication number: 20040124652
    Abstract: A motorcycle assembly affords a motorcycle rider with the easy accessibility to various personal items. A substantially planar structure is affixed either to a windshield support structure or to a rider's handlebars, such planar structure having at least one cup holder and at least one compartment, preferably a covered and latchable/lockable compartment, to facilitate storage of a rider's personal items.
    Type: Application
    Filed: August 14, 2003
    Publication date: July 1, 2004
    Inventor: John Michael Garrison
  • Publication number: 20040123145
    Abstract: A system and method for developing a network policy document and assuring up-to-date monitoring and automated refinement and classification of the network policy. The system administrator defines an initial policy document that is provided as the initial symbolic classifier. The classification rules remain in human readable form throughout the process. Network system data is fed through the classifier, which labels the data according to whether a policy constraint is violated. The labels are tagged to the data. The user then reviews the labels to determine whether the classification is satisfactory. If the classification of the data is satisfactory, the label is unaltered; however, if the classification is not satisfactory, the data is re-labeled. The re-labeled data is then introduced into a refinement algorithm, which determines what policy must be modified to correct classification of network events in accordance with the re-labeling.
    Type: Application
    Filed: December 19, 2002
    Publication date: June 24, 2004
    Applicant: International Business Machines Corporation
    Inventors: Paul T. Baffes, John Michael Garrison, Michael Gilfix, Allan Hsu, Tyron Jerrod Stading
  • Publication number: 20040122823
    Abstract: A system and method for utilizing data mining to generate a policy document or to revise theory within a policy document. A data base of unknown events is mined for application to the development of a system management policy document. The results of the data mining of the database of unknown events are automatically incorporated into a policy document, subject to user approval, to produce a new policy document or an updated version of an existing policy document.
    Type: Application
    Filed: December 19, 2002
    Publication date: June 24, 2004
    Applicant: International Business Machines Corp.
    Inventors: Paul T. Baffes, John Michael Garrison, Michael Gilfix, Allan Hsu, Tyron Jerrod Stading
  • Publication number: 20040123304
    Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
    Type: Application
    Filed: December 18, 2002
    Publication date: June 24, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
  • Publication number: 20040111636
    Abstract: A method and system for handling a malicious intrusion to a machine in a networked group of computers. The malicious intrusion is an unauthorized access to the machine, such as a server in a server farm. When the intrusion is detected, the machine is isolated from the rest of the server farm, and the machine is reprovisioned as a decoy system having access to only data that is ersatz or at least non-sensitive. If the intrusion is determined to be non-malicious, then the machine is functionally reconnected to the server farm, and the machine is reprovisioned to a state held before the reprovisioning of the machine as a decoy machine.
    Type: Application
    Filed: December 5, 2002
    Publication date: June 10, 2004
    Applicant: International Business Machines Corp.
    Inventors: Paul T. Baffes, John Michael Garrison, Michael Gilfix, Allan Hsu, Tyron Jerrod Stading, Ronald S. Woan, John D. Wolpert, Shawn L. Young
  • Publication number: 20040111637
    Abstract: A method and system for managing an intrusion on a computer by graphically representing an intrusion pattern of a known past intrusion, and then comparing the intrusion pattern of the known intrusion with a current intrusion. The intrusion pattern may either be based on intrusion events, which are the effects of the intrusion or activities that provide a signature of the type of intrusion, or the intrusion pattern may be based on hardware topology that is affected by the intrusion. The intrusion pattern is graphically displayed with scripted responses, which in a preferred embodiment are presented in pop-up windows associated with each node in the intrusion pattern. Alternatively, the response to the intrusion may be automatic, based on a pre-determined percentage of common features in the intrusion pattern of the known past intrusion and the current intrusion.
    Type: Application
    Filed: December 5, 2002
    Publication date: June 10, 2004
    Applicant: International Business Machines Corp.
    Inventors: Paul T. Baffes, John Michael Garrison, Michael Gilfix, Allan Hsu, Tyron Jerrod Stading
  • Publication number: 20040111645
    Abstract: A method for providing access control to a single sign-on computer network is disclosed. A user is assigned to multiple groups within a computer network. In response to an access request by the user, the computer network determines a group pass count based on a user profile of the user. The group pass count is a number of groups in which the access request meets all their access requirements. The computer network grants the access request if the group pass count is greater than a predetermined high group pass threshold value.
    Type: Application
    Filed: December 5, 2002
    Publication date: June 10, 2004
    Applicant: International Business Machines Corporation
    Inventors: Paul T. Baffes, John Michael Garrison, Michael Gilfix, Allan Hsu, Tyron Jerrod Stading
  • Patent number: 6714930
    Abstract: A trusted process for use with a hierarchical directory service such as LDAP for enabling different security systems to store and retrieve unique identifiers that are shared or common to the entire directory. The trusted process allows LDAP users to store and to retrieve unique identifiers on LDAP using standard LDAP interfaces. It also allows security systems to share unique identifier information. The trusted process generates or verifies a unique identifier, guarantees the uniqueness of a unique identifier within the entire directory (rather than just within a single security system), and guarantees that any unique identifier returned to an LDAP user is a trusted unique identifier.
    Type: Grant
    Filed: May 31, 2000
    Date of Patent: March 30, 2004
    Assignee: International Business Machines Corporation
    Inventors: John Michael Garrison, Donna E. Skibbie
  • Patent number: 6708170
    Abstract: A process for maintaining authentication information in a distributed network of servers generates and maintains a non-local access server list, queries non-local servers using a Lightweight Directory Access Protocol (LDAP) search request, caches responses to queries from non-local servers, updates the cached directory entries and applies an LDAP operation to the cached directory entries and the local access control data. A variety of techniques are used to update cache information. When a request to authenticate a user with a distinguished name is received, the cached directory entries and the local access control data are searched for the distinguished name and, once the distinguished name is located, the user is authenticated with each server in the non-local access server list.
    Type: Grant
    Filed: December 14, 1999
    Date of Patent: March 16, 2004
    Assignee: International Business Machines Corporation
    Inventors: Debora Jean Byrne, John Michael Garrison
  • Publication number: 20040003022
    Abstract: A method, system, apparatus, and computer program product are presented for load balancing amongst a set of processors within a distributed data processing system. To accomplish the load balancing, a modulo arithmetic operation is used to divide a set of data elements from a data source substantially equally among the processors. Each of the processors performs the modulo arithmetic operation substantially independently. At a particular processor, a data element is retrieved from a data source, and the processor calculates a representational integer value for the data element. The processor then calculates a remainder value by dividing the representational integer value by the number of processors in the distributed data processing system. If the remainder value is equal to a predetermined value associated with the processor, then the data element is processed further by the processor.
    Type: Application
    Filed: June 27, 2002
    Publication date: January 1, 2004
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John Michael Garrison, Roy Allen Janik
  • Publication number: 20030051184
    Abstract: A method, apparatus, and computer implemented instructions for handling a situation in a data processing system. In response to detecting a situation, an aging function is applied to the situation. Alerts regarding the situation based on the aging function are presented.
    Type: Application
    Filed: August 30, 2001
    Publication date: March 13, 2003
    Applicant: International Business Machines Corporation
    Inventors: Steven C. Black, Herve Debar, John Michael Garrison, RoseAnne Swart
  • Patent number: D524823
    Type: Grant
    Filed: January 27, 2005
    Date of Patent: July 11, 2006
    Inventor: John Michael Garrison