A computer-implemented intrusion detection system and method that monitors a computer system in real-time for activity indicative of attempted or actual access by unauthorized persons or computers. The system detects unauthorized users attempting to enter into a computer system by comparing user behavior to a user profile, detects events that indicate an unauthorized entry into the computer system, notifies a control function about the unauthorized users and events that indicate unauthorized entry into the computer system and has a control function that automatically takes action in response to the event. The user profiles are dynamically constructed for each computer user when the computer user first attempts to log into the computer system and upon subsequent logins, the user's profile is dynamically updated. By comparing user behavior to the dynamically built user profile, false alarms are reduced. The system also includes a log auditing function, a port scan detector and a session monitor function.

A system, method and computer program product are provided for minimizing the duration of a risk-assessment scan. Initially, a plurality of risk-assessment modules are selected each including vulnerability checks associated with a risk-assessment scan. Thereafter, a first set of ports is determined. Such first set of ports is required for communicating with network components subject to the risk-assessment modules associated with the risk-assessment scan. A port scan is subsequently executed on the first set of ports. Based on such port scan, a second set of ports is determined which includes ports unavailable for communicating with the network components subject to the risk-assessment modules associated with the risk-assessment scan. The risk-assessment modules associated with the second set of ports may then be disabled to minimize the duration of the risk-assessment scan.

A system and method for detecting a drone implanted by a vandal in a network connected host device such as a computer, and controlling the output of the drone. The system includes an inbound intrusion detection system (IDS), an outbound IDS, a blocker such as a firewall, an inbound trace log for storing a trace of inbound traffic to the protected device, an outbound trace log for storing a trace of outbound traffic from the protected device, and a correlator. When the outbound IDS detects outbound distributed denial of service (DDoS) traffic, the outbound IDS instructs the blocker to block the outbound DDos traffic. The correlator then recalls the outbound trace log and the inbound trace log, correlates the logs, and deduces the source ID of a message responsible for triggering the drone. The correlator then instructs the blocker to block incoming messages that bear the source ID.

A system and method for communicating information between a first party and a second party, comprising identifying desired information, negotiating, through an intermediary, a comprehension function for obscuring at least a portion of the information communicated between the first party and the second party, communicating the encrypted information to the second party, and decrypting the encrypted information using the negotiated comprehension function. Preferably, the intermediary does not itself possess sufficient information to decrypt the encrypted information, thus allowing use of an "untrusted" intermediary. The comprehension function may be dynamic with respect to its response to the negotiated comprehension function, and thus permit limitations on the use of the information by the second party. For example, the decryption of the encrypted information may be time limited.