Patents by Inventor Abhrajit Ghosh

Abhrajit Ghosh has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9654499
    Abstract: A computer system, method, and computer program product for mitigating TOCTOU attacks, which includes: a processor requesting measurements representing operation of a first process on a host that is untrusted and, based on the requesting, obtaining the measurements, which include a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host. A processor also determines, based on the measurements, whether the first process was compromised.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: May 16, 2017
    Assignee: Vencore Labs, Inc.
    Inventors: Angelo Sapello, Abhrajit Ghosh, Alexander Poylisher, C. Jason Chiang, Ayumu Kubota, Takashi Matsunaka
  • Patent number: 9386030
    Abstract: An apparatus and method predict and detect network attacks by using a diverse set of indicators to measure aspects of the traffic and by encoding traffic characteristics using these indicators of potential attacks or anomalous behavior. The set of indicators is analyzed by supervised learning to automatically learn a decision rule which examines the temporal patterns in the coded values of the set of indicators to accurately detect and predict network attacks. The rules automatically evolve in response to new attacks as the system updates its rules periodically by analyzing new data and feedback signals about attacks associated with that data. To assist human operators, the system also provides human interpretable explanations of detection and prediction rules by pointing to indicators whose values contribute to a decision that there is an existing network attack or an imminent network attack. When such indicators are detected, an operator can take remediation actions.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: July 5, 2016
    Assignee: VENCORE LABS, INC.
    Inventors: Akshay Vashist, Ritu Chadha, Abhrajit Ghosh, Alexander Poylisher, Yukiko Sawaya, Akira Yamada, Ayumu Kubota
  • Publication number: 20150373046
    Abstract: A computer system, method, and computer program product for mitigating TOCTOU attacks, which includes: a processor requesting measurements representing operation of a first process on a host that is untrusted and, based on the requesting, obtaining the measurements, which include a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host. A processor also determines, based on the measurements, whether the first process was compromised.
    Type: Application
    Filed: June 18, 2015
    Publication date: December 24, 2015
    Inventors: Angelo Sapello, Abhrajit Ghosh, Alexander Poylisher, C. Jason Chiang, Ayumu Kubota, Takashi Matsunaka
  • Patent number: 9130982
    Abstract: A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: September 8, 2015
    Assignee: Vencore Labs, Inc.
    Inventors: Yitzchak Gottlieb, Aditya Naidu, Abhrajit Ghosh, Akira Yamada, Yukiko Sawaya, Ayumu Kubota
  • Patent number: 9025771
    Abstract: A mechanism by which handoff delay can be minimized while not compromising the IMS/MMD security and also protecting the media if required by certain applications is presented. Methods for mitigating delay during SA re-association and mitigating the IPSec tunnel overhead for signaling and media at the Mobile Node are given. In one embodiment, SA keys can be transferred from the old P-CSCF to new P-CSCF, enabling the establishment of SAs before Mobile Node physically moves to the new subnet in a network. Proactive handover is used. In another embodiment, SA keys are transferred from S-CSCF to new P-CSCF. In this case, the SA keys are transferred to the new P-CSCF by S-CSCF through a context transfer mechanism well in advance so that SAs may be established before Mobile Node physically moves to new subnet. In another embodiment, methods for mitigating IPSec tunnel overhead are presented.
    Type: Grant
    Filed: September 11, 2007
    Date of Patent: May 5, 2015
    Assignee: Telcordia Technologies, Inc.
    Inventors: Ashutosh Dutta, Abhrajit Ghosh, Subir Das, Fuchun Joseph Lin, Kyriakos Manousakis, Dana Chee, Tsunehiko Chiba, Hidetoshi Yokota, Akira Idoue
  • Patent number: 8971291
    Abstract: A mechanism by which handoff delay can be minimized while not compromising the IMS/MMD security and also protecting the media if required by certain applications is presented. One proactive method includes proactive authentication. Another proactive method includes proactive security association, such as transferring SA keys from old proxy to new proxy, or transferring keys through serving signal entities. Reactive methods include transferring SA keys from old proxy to new proxy, using either push or pull technology. Other reactive methods include transferring keys through serving signal entities using either push or pull technology.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: March 3, 2015
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Ashutosh Dutta, Abhrajit Ghosh, Subir Das, Dana Chee, Kyriakos Manousakis, Funchun Joseph Lin, Shih-wei Li, Tsunehiko Chiba, Hidetoshi Yokota, Akira Idoue
  • Patent number: 8938804
    Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprises TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: January 20, 2015
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Akira Yamada, Yukiko Sawaya, Ayumu Kubota
  • Patent number: 8925079
    Abstract: A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) are provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address, acquiring corresponding source and destination IP address prefixes, converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number, determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information, and generating an alert indicating that the incoming packet is not allowed to enter the network.
    Type: Grant
    Filed: November 14, 2011
    Date of Patent: December 30, 2014
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Aditya Naidu, Akira Yamada, Ayumu Kubota, Yukiko Sawaya, Yutaka Miyake
  • Patent number: 8769677
    Abstract: A system and method for spammer host detection from network flow data profiles comprises constructing one or more cluster profiles and detecting spammer hosts. Constructing cluster profiles comprises observing network flow data from one or more hosts; for each host, representing the network flow data associated with the host as a multidimensional vector; clustering the vectors of the hosts into the plurality of cluster profiles; annotating each cluster profile using at least one of black lists and white lists; and calculating a confidence in each cluster profile annotation. Detecting spammer hosts comprises observing the network flow data from a new host; representing the network flow data associated with the new host as a multidimensional vector; and placing the new multidimensional vector of the new host into one cluster profile of the one or more cluster profiles.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: July 1, 2014
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Akshay Vashist, Yitzchak M. Gottlieb, Abhrajit Ghosh, Yukiko Sawaya, Ayumu Kubota
  • Publication number: 20140082730
    Abstract: An apparatus and method predict and detect network attacks by using a diverse set of indicators to measure aspects of the traffic and by encoding traffic characteristics using these indicators of potential attacks or anomalous behavior. The set of indicators is analyzed by supervised learning to automatically learn a decision rule which examines the temporal patterns in the coded values of the set of indicators to accurately detect and predict network attacks. The rules automatically evolve in response to new attacks as the system updates its rules periodically by analyzing new data and feedback signals about attacks associated with that data. To assist human operators, the system also provides human interpretable explanations of detection and prediction rules by pointing to indicators whose values contribute to a decision that there is an existing network attack or an imminent network attack. When such indicators are detected, an operator can take remediation actions.
    Type: Application
    Filed: September 17, 2013
    Publication date: March 20, 2014
    Inventors: Akshay VASHIST, Ritu CHADHA, Abhrajit GHOSH, Alexander POYLISHER, Yukiko SAWAYA, Akira YAMADA, Ayumu KUBOTA
  • Patent number: 8665715
    Abstract: Network management for providing and managing Quality of Service (QoS) in converged networks, and particularly management of bursty, short-lived data loads, in an opaque network where knowledge of or control over network elements is not required. Preferential treatment is provided to some subset of the network users that require better QoS assurances from the underlying network by applying probabilistic admission control decisions in conjunction with estimated network state, which provides improved performance for high priority data with bursty data loads.
    Type: Grant
    Filed: May 20, 2011
    Date of Patent: March 4, 2014
    Assignee: Telcordia Technologies, Inc.
    Inventors: Abhrajit Ghosh, Alexander Poylisher, Ricardo Martija, Ritu Chadha, Latha Kant
  • Publication number: 20140020066
    Abstract: A system and method for spammer host detection from network flow data profiles comprises constructing one or more cluster profiles and detecting spammer hosts. Constructing cluster profiles comprises observing network flow data from one or more hosts; for each host, representing the network flow data associated with the host as a multidimensional vector; clustering the vectors of the hosts into the plurality of cluster profiles; annotating each cluster profile using at least one of black lists and white lists; and calculating a confidence in each cluster profile annotation. Detecting spammer hosts comprises observing the network flow data from a new host; representing the network flow data associated with the new host as a multidimensional vector; and placing the new multidimensional vector of the new host into one cluster profile of the one or more cluster profiles.
    Type: Application
    Filed: July 12, 2012
    Publication date: January 16, 2014
    Applicants: KDDI Corporation, Telcordia Technologies, Inc.
    Inventors: Akshay Vashist, Yitzchak M. Gottlieb, Abhrajit Ghosh, Yukiko Sawaya, Ayumu Kubota
  • Publication number: 20140020099
    Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprises TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.
    Type: Application
    Filed: July 12, 2012
    Publication date: January 16, 2014
    Applicants: KDDI Corporation, Telcordia Technologies, Inc.
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Akira Yamada, Yukiko Sawaya, Ayumu Kubota
  • Publication number: 20130340079
    Abstract: A system and a method for detecting anomalous attacks in Internet network flow operate by counting a number of Internet traffic messages that are detected as anomalous attacks to provide a count; computing a running average of the number of messages that are detected as anomalous attacks; and comparing the count to the running average to provide an anomalous attack alarm if the count is greater than a multiple of the running average. The attacks can include at least one of spoofing attacks or denial of service attacks. A computer readable storage medium stores instructions of a computer program, which when executed by a computer system, results in performance of steps of the method.
    Type: Application
    Filed: June 13, 2013
    Publication date: December 19, 2013
    Inventors: Yitzchak GOTTLIEB, Aditya NAIDU, Abhrajit GHOSH, Akira YAMADA, Yukiko SAWAYA, Ayumu KUBOTA
  • Patent number: 8565186
    Abstract: The present invention advantageously provides several systems and methods for solving the trombone routing issues within an IMS/MMD network. These approaches avoid trombone routing, speed up handoff, and increase the efficiency of signaling and overall performance of an IMS/MMD network. These solutions can broadly be divided into the following categories: Piggy-backing SIP registration over MIP (Split at FA); Selective Reverse Tunneling and Tunneling between FA and P-CSCF; the SIP-based mobility protocol; use of CoA during SIP registration and call up in MIPv6; Piggy-backing SIP registration when HA and S-CSCF Co-exist; Using Dynamic Home Agents in MIPv4 FA-CoA; and the Interceptor-Caching Approach.
    Type: Grant
    Filed: August 31, 2007
    Date of Patent: October 22, 2013
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Ashutosh Dutta, Abhrajit Ghosh, John Lee, Subir Das, Joe Lin, Kyriakos Manousakis, Tsunehiko Chiba, Hidetoshi Yokota, Akira Idoue
  • Publication number: 20130125235
    Abstract: A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) are provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address, acquiring corresponding source and destination IP address prefixes, converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number, determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information, and generating an alert indicating that the incoming packet is not allowed to enter the network.
    Type: Application
    Filed: November 14, 2011
    Publication date: May 16, 2013
    Applicants: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Aditya Naidu, Akira Yamada, Ayumu Kubota, Yukiko Sawaya, Yutaka Miyake
  • Patent number: 8306026
    Abstract: A system and method of managing multicast key distribution that includes associating a multicast address with each internal node of the key tree, wherein the key tree is created based on the last hop topology.
    Type: Grant
    Filed: September 18, 2006
    Date of Patent: November 6, 2012
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
    Inventors: Farooq Anjum, Abhrajit Ghosh
  • Publication number: 20120257498
    Abstract: Network management for providing and managing Quality of Service (QoS) in converged networks, and particularly management of bursty, short-lived data loads, in an opaque network where knowledge of or control over network elements is not required. Preferential treatment is provided to some subset of the network users that require better QoS assurances from the underlying network by applying probabilistic admission control decisions in conjunction with estimated network state, which provides improved performance for high priority data with bursty data loads.
    Type: Application
    Filed: May 20, 2011
    Publication date: October 11, 2012
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Abhrajit Ghosh, Alexander Poylisher, Ricardo Martija, Ritu Chadha, Latha Kant
  • Patent number: 8281397
    Abstract: A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network.
    Type: Grant
    Filed: April 29, 2010
    Date of Patent: October 2, 2012
    Assignee: Telcordia Technologies, Inc.
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Yuu-Heng Cheng, Akira Yamada, Yutaka Miyake
  • Publication number: 20120082136
    Abstract: A mechanism by which handoff delay can be minimized while not compromising the IMS/MMD security and also protecting the media if required by certain applications is presented. One proactive method includes proactive authentication. Another proactive method includes proactive security association, such as transferring SA keys from old proxy to new proxy, or transferring keys through serving signal entities. Reactive methods include transferring SA keys from old proxy to new proxy, using either push or pull technology. Other reactive methods include transferring keys through serving signal entities using either push or pull technology.
    Type: Application
    Filed: December 12, 2011
    Publication date: April 5, 2012
    Applicants: KDDI CORPORATION, TELCORDIA TECHNOLOGIES, INC.
    Inventors: Ashutosh Dutta, Abhrajit Ghosh, Subir Das, Dana Chee, Kyriakos Manousakis, Funchun Joseph Lin, Shih-wei Li, Tsunehiko Chiba, Hidetoshi Yokota, Akira Idoue