Patents by Inventor Kevin Himberger

Kevin Himberger has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7594263
    Abstract: A communication network is operated by detecting an anomaly in the communication traffic at a plurality of nodes in a communication network. A first blocking measure A is independently applied at respective ones of the plurality of nodes to the anomalous traffic that stops the anomalous traffic. A second blocking measure B is independently determined at the respective ones of the plurality of nodes such that application of a logical combination of the first blocking measure A and the second blocking measure B to the anomalous traffic stops the anomalous traffic.
    Type: Grant
    Filed: February 5, 2004
    Date of Patent: September 22, 2009
    Assignee: International Business Machines Corporation
    Inventors: Alan Boulanger, Kevin Himberger, Clark D. Jeffries, John Ziraldo
  • Patent number: 7523494
    Abstract: Communication traffic is processed by detecting an anomaly in the communication traffic. A first blocking measure A is applied to the anomalous traffic that stops the anomalous traffic. A second blocking measure is determined such that application of a logical combination of the first blocking measure A and the second blocking measure to the anomalous traffic stops the anomalous traffic.
    Type: Grant
    Filed: February 5, 2004
    Date of Patent: April 21, 2009
    Assignee: International Business Machines Corporation
    Inventors: Kevin Himberger, Clark D. Jeffries
  • Patent number: 7523470
    Abstract: A kernel based detection of keyboard logger applications is achieved by configuring a call interface to the kernel to characterize a system call pattern for processes accessing a keyboard. A monitor thread iteratively examines a plurality of threads to test open( ), read( ), write( ), and syscall( ) system routines for conditions indicative of presence of a keyboard logger application. A thread whose system call pattern is characterized by such conditions is marked as a keyboard logger.
    Type: Grant
    Filed: December 23, 2004
    Date of Patent: April 21, 2009
    Assignee: Lenovo Singapore Pte. Ltd.
    Inventors: Joseph F. Garvey, Kevin Himberger, Clark D. Jeffries, Mohammad Peyravian
  • Publication number: 20080061982
    Abstract: System and method for tracking inventory of a multiplicity of products. First RFID tags are associated with respective products or groups of products. Second Active RFID tags are associated with respective first containers for the multiplicity of products. A third Active RFID tag is associated with a second container for the first containers. First RFID tags broadcast their respective identifications. Second Active RFID tags hash the identities of the first RFID tags within their respective first containers and broadcast their hashed values. The third Active RFID tag hashes the hashed values broadcast by the second Active RFID tags. An expected value is compared to a result of the third Active RFID tag hashing the hashed values broadcast by the second Active RFID tags.
    Type: Application
    Filed: November 14, 2007
    Publication date: March 13, 2008
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kevin Himberger, Clark Jeffries, Mohammad Peyravian
  • Publication number: 20070241905
    Abstract: System and method for recording temperature on an RFID tag. A first RFID tag is attached to a container. The first RFID tag includes a temperature sensor. The container contains a multiplicity of packages. A multiplicity of second RFID tags are attached to the multiplicity of packages, respectively. The first RFID tag transmits temperature information to the multiplicity of second RFID tags. In response, the multiplicity of second RFID tags record the temperature information. Consequently, there is no need for expensive temperature sensors on the multiplicity of RFID tags on the packages. According to features of the present invention, the first RFID tag is an active RFID tag, and the multiplicity of second RFID tags are passive RFID tags. The first RFID tag also transmits other information to the multiplicity of second RFID tags to enable the second RFID tags to authenticate the temperature information.
    Type: Application
    Filed: June 22, 2007
    Publication date: October 18, 2007
    Inventors: Kevin Himberger, Clark Jeffries, Mohammad Peyravian
  • Publication number: 20070164863
    Abstract: System and method for tracking inventory of a multiplicity of products. First RFID tags are associated with respective products or groups of products. Second Active RFID tags are associated with respective first containers for the multiplicity of products. A third Active RFID tag is associated with a second container for the first containers. First RFID tags broadcast their respective identifications. Second Active RFID tags hash the identities of the first RFID tags within their respective first containers and broadcast their hashed values. The third Active RFID tag hashes the hashed values broadcast by the second Active RFID tags. An expected value is compared to a result of the third Active RFID tag hashing the hashed values broadcast by the second Active RFID tags.
    Type: Application
    Filed: January 17, 2006
    Publication date: July 19, 2007
    Applicant: International Business Machines Corporation
    Inventors: Kevin Himberger, Clark Jeffries, Mohammad Peyravian
  • Publication number: 20070016456
    Abstract: System, method and program product for reporting status of a process. A flow chart illustrates steps of the process and an order for performance of the steps. Then, a determination is made whether any of the steps has been performed. In response to a determination that any of the steps has been performed, graphically representing on the flow chart that the step has been performed. The graphical representation can be color-coding of the step. The determination that a step has been performed can be made based on user input that the step has been performed, or automatically by a program checking a record indicating that the step has been performed. Also, a program can automatically determine that a deadline for performing one of the steps has passed without performance of the one step. In response, the program initiates a graphical representation on the one step in the flowchart that the deadline has passed without performance of the one step.
    Type: Application
    Filed: July 12, 2005
    Publication date: January 18, 2007
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kevin Himberger, Clark Jeffries, Allen Roginsky, Charles Lingafelt, Phillip Singleton
  • Publication number: 20070011740
    Abstract: A router includes a relatively low bandwidth communication connection to a small computer, a relatively high bandwidth communication connection to a communication network; and a processing unit for executing in the router a set of permit rules for permitting flow of communication packets with respect to the connections for user initiated sessions, the permit rules including a default rule for discarding all packets with respect to the small computer in traffic not pertaining to sessions initiated by the small computer.
    Type: Application
    Filed: July 7, 2005
    Publication date: January 11, 2007
    Applicant: International Business Machines Corporation
    Inventors: John Davis, Kevin Himberger, Clark Jeffries, Mohammad Peyravian
  • Publication number: 20060156408
    Abstract: A method, apparatus, and computer instructions for providing a current and complete security compliance view of an enterprise system. The present invention provides the ability to gain a real-time security posture and security compliance view of an enterprise and to assess the risk impact of known threats and attacks to continued business operations at various levels. Responsive to a change to an enterprise environment, a request, or an external threat, an administrator loads or updates at least one of a Critical Application Operations database, a Historical database, an Access Control database, a Connectivity database, and a Threat database. Based on a comparison of information in the databases against similar security data elements from company or external policies, the administrator may generate a Security Compliance view of the enterprise. A Security Posture view may also be generated by comparing the Security Compliance view against data in the Threat database.
    Type: Application
    Filed: January 11, 2005
    Publication date: July 13, 2006
    Applicant: International Business Machines Corporation
    Inventors: Kevin Himberger, Clark Jeffries, Charles Lingafelt, Allen Roginsky, Phillip Singleton
  • Publication number: 20060143708
    Abstract: A kernel based detection of keyboard logger applications is achieved by configuring a call interface to the kernel to characterize a system call pattern for processes accessing a keyboard. A monitor thread iteratively examines a plurality of threads to test open( ), read( ), write( ), and syscall( ) system routines for conditions indicative of presence of a keyboard logger application. A thread whose system call pattern is characterized by such conditions is marked as a keyboard logger.
    Type: Application
    Filed: December 23, 2004
    Publication date: June 29, 2006
    Applicant: International Business Machines Corporation
    Inventors: Joseph Garvey, Kevin Himberger, Clark Jeffries, Mohammad Peyravian
  • Publication number: 20060107318
    Abstract: A method of, system for, and product for managing a denial of service attack in a multiprocessor environment comprising. The first step is establishing normal traffic usage baselines in the multiprocessor environment. Once the baseline is established the next step is monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline. Next is monitoring ports and protocols to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port. If there is such consistent use of a protocol for all packets for that port as to evidence a denial of service attack, blocking measures are started to mitigate the apparent denial of service attack.
    Type: Application
    Filed: September 14, 2004
    Publication date: May 18, 2006
    Applicant: International Business Machines Corporation
    Inventors: Clark Jeffries, Robert Danford, Terry Escamilla, Kevin Himberger
  • Publication number: 20060101021
    Abstract: A technique for tracking one or more thresholds relating to the blocking of a particular screen name used on an IM system is disclosed. If the number of people who have blocked a particular screen name reaches a threshold amount, a determination is made that the screen name is being used by a spimmer or other bothersome person, and disciplinary action can be taken. In a preferred embodiment, the email address associated with a user name of a suspected spimmer is identified and all screen names associated with that email address are also subjected to disciplinary action, if desired. Thus, an IM company can suspend all screen names of a spimmer that are tied to the same email address, even though not all (or even none) of the screen names individually have reached a threshold level for discipline/suspension.
    Type: Application
    Filed: November 9, 2004
    Publication date: May 11, 2006
    Applicant: International Business Machines Corporation
    Inventors: John Davis, Kevin Himberger, Clark Jeffries, Mohammad Peyravian
  • Publication number: 20060075496
    Abstract: A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When a truncated secure session attack is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the attack is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-apply the blocking measure for a specified duration, then suspend the blocking measure and test again for the attack. If the attack is detected, the blocking measure is re-applied, and its duration is adapted. If the attack is no longer detected, the method returns to the state of readiness.
    Type: Application
    Filed: November 17, 2005
    Publication date: April 6, 2006
    Applicant: International Business Machines Corporation
    Inventors: Brian Carpenter, Kevin Himberger, Clark Jeffries, Mohammad Peyravian
  • Publication number: 20060047769
    Abstract: A system, method and program product for managing e-mails from a source suspected of sending spam. The e-mails are received at a firewall or router en route to a mail server. A determination is made whether a source has sent an e-mail which exhibits characteristics of spam. In response, subsequent e-mails from the source destined for the mail server are rate-limited at the firewall or router such that the firewall or router limits a rate at which the subsequent e-mails are forwarded from the firewall or router to the mail server. The rate is predetermined and less than a maximum rate at which the firewall or router can physically forward e-mails to the mail server absent the rate limit. A determination is made whether another source has sent another e-mail which exhibits more characteristics of spam than the first said e-mail. In response, subsequent e-mails from this other source are blocked at the firewall or router.
    Type: Application
    Filed: August 26, 2004
    Publication date: March 2, 2006
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John Davis, Kevin Himberger, Clark Jeffries, Garreth Jeremiah
  • Publication number: 20060037070
    Abstract: A method of blocking spam at a firewall involves applying blocking measures for an adaptively determined duration. The blocking measure is then suspended while determining whether the spam has ended. If so, the method resets to an initial state. Otherwise, the blocking measure is re-applied for a second duration.
    Type: Application
    Filed: October 6, 2005
    Publication date: February 16, 2006
    Applicant: International Business Machines Corporation
    Inventors: John Davis, Kevin Himberger, Clark Jeffries, Garreth Jeremiah
  • Publication number: 20060021040
    Abstract: A detection and response system including a set of algorithms for detection within a stream of normal computer traffic a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number exceeding a threshold of distinct Destination Addresses (DA). There is efficient use of a lookup mechanism such as a Direct Table and Patricia search tree to record sets of packets with one SA and one DP as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and the header values including SA, DP, and multiple DAs of the subset are reported to a network administrator. In addition, various administrative responses to reports are provided.
    Type: Application
    Filed: July 22, 2004
    Publication date: January 26, 2006
    Applicant: International Business Machines Corporation
    Inventors: Alan Boulanger, Robert Danford, Kevin Himberger, Clark Jeffries
  • Publication number: 20060018262
    Abstract: A detection and response system including a set of algorithms for detecting within a stream of normal computer traffic a subset of (should focus on network traffic eliciting a response) TCP or UDP packets with one IP Source Address (SA) value, one or a few Destination Address (DA) values, and a number exceeding a threshold of distinct Destination Port (DP) values. A lookup mechanism such as a Direct Table and Patricia search tree record and trace sets of packets with one SA and one DA as well as the set of DP values observed for the given SA, DA combination. The detection and response system reports the existence of such a subset and the header values including SA, DA, and multiple DPs of the subset. The detection and response system also includes various administrative responses to reports.
    Type: Application
    Filed: July 22, 2004
    Publication date: January 26, 2006
    Applicant: International Business Machines Corporation
    Inventors: Alan Boulanger, Robert Danford, Kevin Himberger, Clark Jeffries
  • Publication number: 20050248457
    Abstract: An intrusion event detection system, method, and program product with an enumeration of specific known benign intrusion events, and performing a vulnerability test on specific elements of the computer system for the particular known benign intrusion event. These vulnerability tests are performed at predetermined time intervals measured from a previous test or previous intrusion event of the known benign intrusion event. The predetermined time interval is increased based on various attributes, passage of time since the last intrusion event of either the specific known benign intrusion event or another known benign intrusion event, or even an undetermined or harmful intrusion event, or the present detection of an intrusion event; or the vulnerability of a specific element in the computer system to a specific intrusion event.
    Type: Application
    Filed: May 4, 2004
    Publication date: November 10, 2005
    Applicant: International Business Machines Corporation
    Inventors: Kevin Himberger, Clark Jeffries, David McMillen, John Ziraldo
  • Publication number: 20050204159
    Abstract: A system, method and program product for blocking unwanted e-mails. An e-mail is identified as unwanted. A source IP address of the unwanted e-mail is determined. Other source IP addresses owned or registered by an owner or registrant of the source IP address of the unwanted e-mail are determined. Subsequent e-mails from the source IP address and the other IP addresses are blocked. This will thwart a spammer who shifts to a new source IP address when its spam is blocked from one source IP address.
    Type: Application
    Filed: March 9, 2004
    Publication date: September 15, 2005
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John Davis, Kevin Himberger, Clark Jeffries, Garreth Jeremiah
  • Publication number: 20050177872
    Abstract: A communication network is operated by detecting an anomaly in the communication traffic at a plurality of nodes in a communication network. A first blocking measure A is independently applied at respective ones of the plurality of nodes to the anomalous traffic that stops the anomalous traffic. A second blocking measure B is independently determined at the respective ones of the plurality of nodes such that application of a logical combination of the first blocking measure A and the second blocking measure B to the anomalous traffic stops the anomalous traffic.
    Type: Application
    Filed: February 5, 2004
    Publication date: August 11, 2005
    Inventors: Alan Boulanger, Kevin Himberger, Clark Jeffries, John Ziraldo