Patents by Inventor Steven Lingafelt

Steven Lingafelt has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7467201
    Abstract: A method for providing status information to a device attached to an information technology infrastructure utilizing a device monitoring application resident at the device is disclosed. The device monitoring application utilizes signature data to monitor data associated with a device and selectively provide messages based on a correspondence between signature data and data associated with the device. A message signature is incorporated within the signature data. The data associated with the device is monitored by utilizing the device monitoring application so as to detect a presence of the message signature in the monitored data. A status message is provided by utilizing the device monitoring application if the presence of the message signature is detected in the monitored data. The signature data includes computer virus signatures and the message signature is not related to a computer virus.
    Type: Grant
    Filed: August 22, 2003
    Date of Patent: December 16, 2008
    Assignee: International Business Machines Corporation
    Inventors: Steven Lingafelt, Gerald Marko
  • Publication number: 20080253380
    Abstract: System method and program for controlling access to a VLAN via a port of a VLAN switch system. In response to receipt of a message packet at the port, the switch system determines if a MAC address of the packet matches a MAC address for which the port has been programmed to recognize as a MAC address of a device authorized to communicate with the port. The MAC address of the packet does not match a MAC address for which the port has been programmed to recognize as a MAC address of a device authorized to communicate with the port. In response, the switch system blocks the packet if a rate of ill-formed packets and/or packets from an unrecognized MAC address exceeds a threshold pass rate. The threshold pass rate can be adjusted based on the rate of change of receipt of ill-formed packets and/or packets from an unrecognized MAC address.
    Type: Application
    Filed: April 11, 2007
    Publication date: October 16, 2008
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John Paul Cazares, Jade W. Clifford, Charles Steven Lingafelt, Robert Barry Sisk
  • Publication number: 20080046515
    Abstract: Computer system, method and program product for facilitating a chat session. An icon or a definition of the icon and a corresponding intelligent agent program are received at a workstation. In response, the workstation displays the icon in a chat session window. A selection of the icon is received during the chat session. In response, the workstation invokes the intelligent agent program. In response, the intelligent agent program obtains information about the workstation or information about a participant in the chat session at the workstation and automatically renders the information in the chat session at the workstation. In response to a request to send the rendered information to other participants in the chat session at other workstations, the rendered information is automatically sent to the other participants in the chat session at the other workstations.
    Type: Application
    Filed: August 17, 2006
    Publication date: February 21, 2008
    Applicant: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, John Christopher Scott
  • Patent number: 7308714
    Abstract: An intrusion detection system is improved by altering its signatures and thresholds during a denial of service attack, in order to decrease the rate at which an intrusion detection sensor sends alerts to an intrusion detection server. A governor within the sensor is associated with each signature. The governor may include an alert log, a timer, an alert-generation-rate threshold, and rules that prescribe actions to be taken when the alert-generation-rate threshold is exceeded. The governor records the generation time of each alert by the sensor, and determines the rate at which the sensor is presently generating alerts. When the present alert-generation rate exceeds the alert-generation-rate threshold, the governor alters the associated signature threshold to decrease the alert generation rate of the intrusion detection sensor.
    Type: Grant
    Filed: September 27, 2001
    Date of Patent: December 11, 2007
    Assignee: International Business Machines Corporation
    Inventors: Jeffrey Scott Bardsley, Ashley Anderson Brock, Nathaniel Wook Kim, Charles Steven Lingafelt
  • Patent number: 7277931
    Abstract: A method, apparatus, computer product and structure is presented for representing and managing large amounts of information concerning networks of elements. While being useful for communication networks, it can be also usefully deployed in the context of other networks such as distribution and transportation networks. The method uses a hierarchical construct called “catalog”—a set of elements (which could be “atomic” elements or catalogs themselves)—to organize information about physical or abstract entities relevant for modeling the network. A matrix construct whose rows and columns constitute such elements are used to model connections at different levels of abstraction. A common framework and representation provided using these two constructs is shown to be useful for visualization, administration, configuration, modeling, monitoring and manipulation of the network.
    Type: Grant
    Filed: June 8, 1999
    Date of Patent: October 2, 2007
    Assignee: International Business Machines Corporation
    Inventors: Earl Hardin Booth, Charles Bruce Dillon, Bret Elliott Harrison, Sanjay Damodar Kamat, Charles Steven Lingafelt, Walter Cade Metz, Rajendran Rajan, Leo Temoshenko
  • Patent number: 7278161
    Abstract: Method and apparatus for protecting a data processing system such as an Internet server from attack by a vandal who uses an offensive vulnerability scanner to find an externally visible vulnerability of the data processing system. The method includes determining an externally visible vulnerability using a defensive vulnerability scanner, configuring an intrusion detection system to detect a network flow associated with the vulnerability, and blocking that flow by a firewall or a router. The apparatus includes a defensive vulnerability scanner that finds an externally visible vulnerability and provides a description of the vulnerability, an intrusion detection system that detects a network flow that satisfies the description, and a firewall or a router that blocks the flow responsive to detection of the flow by the intrusion detection system.
    Type: Grant
    Filed: October 1, 2001
    Date of Patent: October 2, 2007
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Nigel Birkbeck Yell
  • Patent number: 7278162
    Abstract: A method and system for detecting attempted intrusions into a network, including: providing a network processor for monitoring packets transmitted over a communications link of the network; receiving a plurality of packets from the communications link by the network processor; and pre-filtering the plurality of packets by the network processor to identify packets potentially with patterns of interest. These packets are forwarded to a NIDS. The NIDS then examines the forwarded packets to identify the packets that have the pattern of interest. By using the network processor to pre-filter the packets, the number of packets examined by the NIDS is significantly reduced. Also, the capacity of the NIDS can be increased without requiring changes in the NIDS.
    Type: Grant
    Filed: April 1, 2003
    Date of Patent: October 2, 2007
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Norman C. Strole
  • Patent number: 7143180
    Abstract: To prevent system crashes, as by denial-of-service attacks, of TCP/IP (Transmission Control Protocol/Internet Protocol) networks, this invention regulates the volume of TCP connection requests that await service at a TCP/IP connection control table. For this purpose, the usage of the system is monitored on a dynamic basis, the time-out value Tho is dynamically computed, and requests that have been awaiting service for a period of time that exceeds Tho are removed from the TCP/IP connection control table.
    Type: Grant
    Filed: August 16, 2001
    Date of Patent: November 28, 2006
    Assignee: International Business Machines Corporation
    Inventors: Jarir K. Chaar, David A. George, C. Steven Lingafelt, Kiyoshi Maruyama, Mark Mei
  • Patent number: 7140041
    Abstract: A method, system and computer program product for detecting the dissemination of malicious programs. The degree of randomness in the Internet Protocol (IP) destination addresses of received IP packets to be forwarded to an external network may be detected by performing a hash function on the IP destination addresses thereby generating one or more different hash values. If a high number of different hash values were generated for a small number of IP packets examined, then random IP destination addresses may be detected. By detecting random destination IP addresses, the dissemination of a malicious program, e.g., virus, worm program, may be detected.
    Type: Grant
    Filed: April 11, 2002
    Date of Patent: November 21, 2006
    Assignee: International Business Machines Corporation
    Inventors: Clark Debs Jeffries, Charles Steven Lingafelt, Norman Clark Strole
  • Patent number: 7099341
    Abstract: A network processor is used for the routing of objects in non-data networking applications. The processor utilizes the Open Shortest Path First (OSPF) algorithm to capitalize on the benefits of data control for object traffic control and costs. A network processor is used at each point in a grid represented by intersecting paths. One or more routing tables are embedded in each network processor. Each routing table describes links with other network processors in the grid to which the network processor is interconnected. A cost factor is associated with each link and is constantly updated by the OSPF as new information becomes available. If a link or route becomes unavailable, the cost is set at infinity. The system then creates an alternative path for the object between a source and the desired destination that bypasses the unavailable link or route.
    Type: Grant
    Filed: May 3, 2002
    Date of Patent: August 29, 2006
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Francis Edward Noel, Jr., Ann Marie Rincon
  • Patent number: 7093294
    Abstract: A system and method for detecting a drone implanted by a vandal in a network connected host device such as a computer, and controlling the output of the drone. The system includes an inbound intrusion detection system (IDS), an outbound IDS, a blocker such as a firewall, an inbound trace log for storing a trace of inbound traffic to the protected device, an outbound trace log for storing a trace of outbound traffic from the protected device, and a correlator. When the outbound IDS detects outbound distributed denial of service (DDoS) traffic, the outbound IDS instructs the blocker to block the outbound DDoS traffic. The correlator then recalls the outbound trace log and the inbound trace log, correlates the logs, and deduces the source ID of a message responsible for triggering the drone. The correlator then instructs the blocker to block incoming messages that bear the source ID.
    Type: Grant
    Filed: October 31, 2001
    Date of Patent: August 15, 2006
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Nigel Birkbeck Yell
  • Patent number: 7047303
    Abstract: A system comprising a network resource server or a server farm formed by a plurality of computer systems and a network processor which transfers data exchanged with an external network supported by the server farm at a data rate substantially the same as the data flow rate of the network and related method. The network processor protects the network resource server against attacks such as a denial of service attack by monitoring data flow, computing a derivative of the data flow over time to determine the rate of change of data flow, and modifying instructions for the discarding of packets in response to rates of change which are outside predetermined boundaries.
    Type: Grant
    Filed: July 26, 2001
    Date of Patent: May 16, 2006
    Assignee: International Business Machines Corporation
    Inventors: C. Steven Lingafelt, Daniel Edward McConnell, Francis E. Noel, Jr., Charles J. Sannipoli
  • Patent number: 7047464
    Abstract: An application specific integrated circuit (ASIC) is disclosed. The ASIC includes a standard cell. The standard cell includes a plurality of logic functions. The ASIC also includes at least one bus coupled to at least a portion of the logic functions and a plurality of internal signals from the plurality of logic functions. Finally, the ASIC includes a field programmable (FP) function coupled to the at least one bus and at least a portion of the plurality of internal signals. The FP function provides access to internal signals for observation and control. An ASIC using a field programmable gate array (FPGA) function within a standard cell design is utilized to create an internal-to-the-ASIC bridging of internal signals to observe and control of the internal signals of the ASIC. By the placement of logic, which expresses a test program, into the FPGA function that manipulates the I/O pins and/or other functional entities of interest, the ASIC function and/or surrounding logic can be easily verified.
    Type: Grant
    Filed: December 10, 2001
    Date of Patent: May 16, 2006
    Assignee: International Business Machines Corporation
    Inventors: Robert Thomas Bailis, Charles Edward Kuhlmann, Charles Steven Lingafelt, Ann Marie Rincon
  • Patent number: 7039954
    Abstract: A defense against spoofing vandals is provided, where the defense enlists the network-addressable device whose identity is used by the vandal. A network-addressable device checks incoming messages for communication protocol violations that indicate that a spoofer is using the identity of the network-addressable device. When such a protocol violation is detected, the network-addressable device records attributes of the incoming message in a spoofing logbook database. Further, the network-addressable device increments a counter associated with the identity of the spoofer's target. The value of the counter is compared with a predetermined threshold, in order to determine if the supposed spoofing is an isolated incident or part of a persistent attack. When the value of the counter exceeds the threshold, the network-addressable device constructs a spoofing alert, and sends the spoofing alert to a network administrator. The network-addressable device then rejects the message associated with the protocol violation.
    Type: Grant
    Filed: May 4, 2001
    Date of Patent: May 2, 2006
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Kevin Thomas McClain, Carlos Fernando Villegas
  • Patent number: 7036148
    Abstract: An intrusion detection system checks a list of business rules at predetermined update times, and determines whether any provision of the business rules has become newly operative since the last update time. Provisions of the business rules prescribe alterations to intrusion signatures, thresholds, actions, or weights that are appropriate to broader circumstances evident at the update time. Whenever a new provision is found to be operative, the affected signatures, thresholds, actions, or weights are altered accordingly.
    Type: Grant
    Filed: May 8, 2001
    Date of Patent: April 25, 2006
    Assignee: International Business Machines Corporation
    Inventors: Ashley Anderson Brook, Nathaniel Wook Kim, Charles Steven Lingafelt
  • Patent number: 7013394
    Abstract: This invention makes use of the capability of a network processor (as described more fully herein) to perform software directed tree searches. Pattern recognition data processing, as expanded upon in the detailed description, opens possibilities for data mining, virus protection, security and other functions. As realized in accordance with the varying embodiments of this invention, significant performance improvements are obtained and highly scaleable systems are created which are capable of examining large amounts of data, both in real time and in batch modes.
    Type: Grant
    Filed: April 18, 2000
    Date of Patent: March 14, 2006
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, Francis Edward Noel, Jr.
  • Patent number: 7007169
    Abstract: An intrusion detection security system (IDSS) guards a server against vandals' attacks such as denial of service, distributed denial of service, and common gateway interface attacks. An incoming source address is compared with the contents of a database of privileged addresses. If the incoming address is present in the database, the IDSS instructs protective equipment such as a firewall or router to allow the incoming message to pass to the web server despite any ongoing attack, thus allowing messages from customers or suppliers, for example, through. Otherwise, the IDSS checks a database of blocked addresses. When the incoming address is absent, the IDSS writes the address to the database of blocked addresses and instructs the protective equipment to block subsequent messages from the incoming address.
    Type: Grant
    Filed: April 4, 2001
    Date of Patent: February 28, 2006
    Assignee: International Business Machines Corporation
    Inventors: Charles Steven Lingafelt, John Joseph McKenna, Robert Barry Sisk
  • Patent number: 6928549
    Abstract: An intrusion detection system monitors for signature events, which are part of base intrusion sets that include signature event counters, signature thresholds, and base actions. Associated with each base intrusion set is an action set including an action counter, an action threshold, and an action variable. The associated action counter is updated when the base action of the base intrusion set is invoked responsive to the count of associated signature events meeting the associated signature threshold. The action counter is compared with an action threshold. If the action counter meets the threshold, the associated action variable is updated. The action variable is then passed to an analysis engine comprising a set of rules, which analyses the action variable either in isolation or together with other action variables associated with other base intrusion sets. According to the analysis, an element of a base intrusion set or an action set may be changed.
    Type: Grant
    Filed: July 9, 2001
    Date of Patent: August 9, 2005
    Assignee: International Business Machines Corporation
    Inventors: Ashley Anderson Brock, Nathaniel Wook Kim, Charles Steven Lingafelt
  • Patent number: 6915436
    Abstract: A method and system for verifying the availability of a back-up virtual private network IP security (IPSec) tunnel between two network elements by originating a plurality of connection tests between the network elements. The first network element transmits a backup tunnel verification test message to the second network element over the back-up secure tunnel upon receipt of a backup tunnel verification test command. The back-up secure tunnel includes two unidirectional tunnels. The second network element receives the back-up tunnel verification test message over the first back-up unidirectional secure tunnel and transmits a response back to the first network element over the second back-up unidirectional secure tunnel.
    Type: Grant
    Filed: August 2, 2000
    Date of Patent: July 5, 2005
    Assignee: International Business Machines Corporation
    Inventors: Earl Hardin Booth, III, Charles Steven Lingafelt, Phuong Thanh Nguyen, Leo Temoshenko, Xiaogang Wang
  • Publication number: 20050044212
    Abstract: Methods, systems and computer program products provide status information to a device attached to an information technology infrastructure utilizing a device monitoring application resident at the device. The device monitoring application utilizes signature data to monitor data associated with the device and selectively provide messages based on a correspondence between signature data and data associated with the device. A message signature is incorporated in the signature data. Data associated with the device is monitored utilizing the device monitoring application so as to detect a presence of the message signature in the monitored data. A status message is provided utilizing the device monitoring application if the presence of the message signature is detected in the monitored data.
    Type: Application
    Filed: August 22, 2003
    Publication date: February 24, 2005
    Inventors: Steven Lingafelt, Gerald Marko