Abstract: Temporary access is provided to enable a service provider to service a customer's system resource such as data processing or communication equipment. A prearranged but dormant user account for the service provider is automatically activated in response to a trigger event such as the opening of a trouble ticket. The account is automatically deactivated upon detecting a closure event associated with the trigger event, such as the closing of the trouble ticket, expiration of a predetermined time interval following detection of the trigger event, or occurrence of a predetermined time. This provides a timely yet secure way for a customer to allow a service provider access to system resources which requires neither a standing open account nor manual opening and closing of a user account for the service provider.

Abstract: Performance of a pattern-matching intrusion detection system (IDS) is improved by ranking signatures in its signature table by likelihood of occurrence, so that the table may be searched efficiently. Occurrence data associated with signatures is kept, and the ranking adaptively revised according to updates of the data. When the IDS detects a system event, the signature table is searched. If the search does not find a signature matching the event, thereby suggesting that the event poses no threat, a null signature is added to the signature table in a strategic location to terminate future searches early. In one embodiment, null signatures may be stored in a cache. When a system event is detected, the cache is searched. If a match is not found, the signature table is searched. If a match is not found in the signature table, a null signature is cached.

Abstract: A defense against spoofing vandals is provided, where the defense enlists the network-addressable device whose identity is used by the vandal. A network-addressable device checks incoming messages for communication protocol violations that indicate that a spoofer is using the identity of the network-addressable device. When such a protocol violation is detected, the network-addressable device records attributes of the incoming message in a spoofing logbook database. Further, the network-addressable device increments a counter associated with the identity of the spoofer's target. The value of the counter is compared with a predetermined threshold, in order to determine if the supposed spoofing is an isolated incident or part of a persistent attack. When the value of the counter exceeds the threshold, the network-addressable device constructs a spoofing alert, and sends the spoofing alert to a network administrator. The network-addressable device then rejects the message associated with the protocol violation.

Abstract: Temporary access is provided to enable a service provider to service a customer's system resource such as data processing or communication equipment. A prearranged but dormant user account for the service provider is automatically activated in response to a trigger event such as the opening of a trouble ticket. The account is automatically deactivated upon detecting a closure event associated with the trigger event, such as the closing of the trouble ticket, expiration of a predetermined time interval following detection of the trigger event, or occurrence of a predetermined time. This provides a timely yet secure way for a customer to allow a service provider access to system resources which requires neither a standing open account nor manual opening and closing of a user account for the service provider.

Abstract: Performance of a pattern-matching intrusion detection system (IDS) is improved by ranking signatures in its signature table by likelihood of occurrence, so that the table may be searched efficiently. Occurrence data associated with signatures is kept, and the ranking adaptively revised according to updates of the data. When the IDS detects a system event, the signature table is searched. If the search does not find a signature matching the event, thereby suggesting that the event poses no threat, a null signature is added to the signature table in a strategic location to terminate future searches early. In one embodiment, null signatures may be stored in a cache. When a system event is detected, the cache is searched. If a match is not found, the signature table is searched. If a match is not found in the signature table, a null signature is cached.

Abstract: A defense against spoofing vandals is provided, where the defense enlists the network-addressable device whose identity is used by the vandal. A network-addressable device checks incoming messages for communication protocol violations that indicate that a spoofer is using the identity of the network-addressable device. When such a protocol violation is detected, the network-addressable device records attributes of the incoming message in a spoofing logbook database. Further, the network-addressable device increments a counter associated with the identity of the spoofer's target. The value of the counter is compared with a predetermined threshold, in order to determine if the supposed spoofing is an isolated incident or part of a persistent attack. When the value of the counter exceeds the threshold, the network-addressable device constructs a spoofing alert, and sends the spoofing alert to a network administrator. The network-addressable device then rejects the message associated with the protocol violation.