Michael Ray Walter

US Patent:

7308716, Dec 11, 2007

Filed:

May 20, 2003

Appl. No.:

10/442008

Inventors:

Robert William Danford - Ashburn VA, US
Kenneth M. Farmer - Manitou Springs CO, US
Clark Debs Jeffries - Chapel Hill NC, US
Robert B. Sisk - Chapel Hill NC, US
Michael A. Walter - Denver CO, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

G06F 15/08
G08B 23/00

US Classification:

726 23, 726 25, 709224

Abstract:

A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When an anomaly is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the anomaly is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-applying the blocking measure for a specified duration, then suspend the blocking measure and test again for the anomaly. If the anomaly is detected, the blocking measure is re-applied, and its duration is adapted. If the anomaly is no longer detected, the method returns to the state of readiness.

US Patent:

7707633, Apr 27, 2010

Filed:

Oct 12, 2007

Appl. No.:

11/871188

Inventors:

Robert William Danford - Ashburn VA, US
Kenneth M. Farmer - Manitou Springs CO, US
Clark Debs Jeffries - Chapel Hill NC, US
Robert B. Sisk - Chapel Hill NC, US
Michael A. Walter - Denver CO, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

G06F 11/30
G08B 23/00
G06F 11/18

US Classification:

726 23, 726 25, 709224

Abstract:

A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When an anomaly is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the anomaly is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-apply the blocking measure for a specified duration, then suspend the blocking measure and test again for the anomaly. If the anomaly is detected, the blocking measure is re-applied, and its duration is adapted. If the anomaly is no longer detected, the method returns to the state of readiness.

US Patent:

8127356, Feb 28, 2012

Filed:

Aug 27, 2003

Appl. No.:

10/650440

Inventors:

Frederic G. Thiele - Broomfield CO, US
Michael A. Walter - Longmont CO, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

H04L 29/14
H04L 29/02

US Classification:

726 23, 726 22

Abstract:

A computer system and program product for automatically determining if a packet is a new, exploit candidate. First program instructions determine if the packet is a known exploit or portion thereof. Second program instructions determine if the packet is network broadcast traffic presumed to be harmless. Third program instructions determine if the packet is network administration traffic. If the packet is a known exploit or portion thereof, network broadcast traffic, or network administration traffic, the packet is not considered a new, exploit candidate. If the packet is not a known exploit or portion thereof, network broadcast traffic, or network administration traffic, the packet is an exploit candidate. Alternately, the first program instructions determine if the packet is a known exploit or portion thereof. The second program instructions determine if the packet is network broadcast traffic presumed to be harmless.

US Patent:

20060294588, Dec 28, 2006

Filed:

Jun 24, 2005

Appl. No.:

11/166550

Inventors:

Jeffrey Lahann - Erie CO, US
Frederic Thiele - Broomfield CO, US
Michael Walter - Longmont CO, US

Assignee:

INTERNATIONAL BUSINESS MACHINES CORPORATION - ARMONK NY

International Classification:

G06F 12/14
G06F 11/00
G06F 12/16
G06F 15/18
G08B 23/00
G06F 15/16
G06F 17/00
G06F 9/00

US Classification:

726023000, 726011000

Abstract:

Computer system, method and program product for identifying a malicious intrusion. A first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, are identified from a source IP address during a predetermined period. A determination is made that in one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures. Based on the determination that in the one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures, a determination is made that the messages are characteristic of a malicious intrusion.

US Patent:

20130333036, Dec 12, 2013

Filed:

Aug 13, 2013

Appl. No.:

13/965303

Inventors:

FREDERIC G. THIELE - NIWOT CO, US
MICHAEL A. WALTER - ATLANTA GA, US

Assignee:

International Business Machines Corporation - Armonk NY

International Classification:

G06F 21/56

US Classification:

726 23

Abstract:

Computer system, method and program product for identifying a malicious intrusion. A first number of different destination IP addresses, a second number of different destination ports and a third number of different signatures of messages, are identified from a source IP address during a predetermined period. A determination is made that in one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures. Based on the determination that in the one or more other such predetermined periods the source IP address sent messages having the first number of different destination IP addresses, the second number of different destination ports and the third number of different signatures, a determination is made that the messages are characteristic of a malicious intrusion.