Patents by Inventor Christoph Schuba

Christoph Schuba has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8341505
    Abstract: A method for enforcing network bandwidth partitioning. The method includes verifying that a guest driver in a guest operating system (OS) is configured to enforce a resource usage policy, wherein the guest OS resides on a host, mapping a hardware receive ring (HRR) residing on a physical network interface card (NIC) operatively connected to the host to the guest OS, wherein after the mapping the guest OS is configured to receive packets directly from the HRR, determining, using monitoring information, that the guest OS should not receive packets directly from the HRR, and in response to the determination, creating a data path from the HRR to a host OS executing on the host, receiving packets for the guest OS from the HRR by the host OS over the data path, and forwarding the packets from the host OS to the guest OS.
    Type: Grant
    Filed: May 8, 2009
    Date of Patent: December 25, 2012
    Assignee: Oracle America, Inc.
    Inventors: Sunay Tripathi, Christoph Schuba
  • Publication number: 20100287455
    Abstract: A method for enforcing network bandwidth partitioning. The method includes verifying that a guest driver in a guest operating system (OS) is configured to enforce a resource usage policy, wherein the guest OS resides on a host, mapping a hardware receive ring (HRR) residing on a physical network interface card (NIC) operatively connected to the host to the guest OS, wherein after the mapping the guest OS is configured to receive packets directly from the HRR, determining, using monitoring information, that the guest OS should not receive packets directly from the HRR, and in response to the determination, creating a data path from the HRR to a host OS executing on the host, receiving packets for the guest OS from the HRR by the host OS over the data path, and forwarding the packets from the host OS to the guest OS.
    Type: Application
    Filed: May 8, 2009
    Publication date: November 11, 2010
    Applicant: Sun Microsystems, Inc.
    Inventors: Sunay Tripathi, Christoph Schuba
  • Publication number: 20070107058
    Abstract: Techniques have been developed whereby dynamic kernel/user-level tracing may be employed to efficiently characterize runtime behavior of production code. Using dynamic tracing techniques, user space or kernel instruction sequences between system calls may be instrumented without access to source code. In some realizations, instrumentation may be interactively specified on a host system. In some realizations, instrumentation specifications may be supplied as functional definitions (e.g., as scripts and/or probe definitions) for installation on a host system. Using the developed techniques, data states, parameters passed and/or timing information may be sampled to provide more detailed insight into actual program behavior. In signature-oriented exploitations, more powerful intrusion signatures are possible. In anomaly-oriented exploitations, a more detailed “sense of self” may be developed to discriminate between normal and anomalous program behavior.
    Type: Application
    Filed: November 8, 2005
    Publication date: May 10, 2007
    Inventors: Christoph Schuba, Dwight Hare, Hal Stern
  • Publication number: 20070044153
    Abstract: A patch or set of patches may be deployed, often to a subset of potentially vulnerable systems, to address a particular vulnerability while providing a facility to monitor and, in some cases, characterize post-patch exploit attempts. Often, such a patch will check for an exploit signature and, if an exploit attempt is detected or suspected, take an appropriate action. For example, the patch may include code to log indicative data or trigger such logging. In some exploitations, the patch may generate or contribute to a warning or advisory regarding an additional target (or targets) of the exploit and, if appropriate, initiate a patch or protective measure for the additional target(s). In some exploitations, the patch may simulate responses or behaviors suggestive (to an attacker) of unpatched code.
    Type: Application
    Filed: August 19, 2005
    Publication date: February 22, 2007
    Inventors: Christoph Schuba, Dwight Hare, Gabriel Montenegro
  • Publication number: 20060077977
    Abstract: Methods and systems consistent with the present invention establish a virtual network on top of current IP network naming schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery method may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.
    Type: Application
    Filed: August 11, 2005
    Publication date: April 13, 2006
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom Markson, Christoph Schuba, Glenn Scott
  • Publication number: 20060013136
    Abstract: A flow manager may receive packet flow rules from one or more network services and may generate a unified rule set according to the received packet flow rules. A flow manager may additionally split the unified rule set into subsets for enforcement by one or more flow enforcement devices and may install the rule subsets onto the flow enforcement devices. When splitting the unified rule set into subsets, a flow manager may analyze a network topology connecting the flow enforcement devices. A flow manager may also receive additional packet flow rules, integrate them into the unified rule set, update the rule subsets according to the additional rules, and install the updated subsets onto the flow enforcement devices.
    Type: Application
    Filed: June 25, 2004
    Publication date: January 19, 2006
    Applicant: Sun Microsystems, Inc.
    Inventors: Jason Goldschmidt, Christoph Schuba, Michael Speer, Benjamin Stoltz
  • Publication number: 20050278431
    Abstract: A flow manager may receive prioritized packet flow rules from one or more network services where each rule may include a packet filter and prioritized actions. Each action of a packet flow rule may be either terminating or non-terminating. A flow manager may generate a unified rule set according to the received packet flow rules and may additionally validate the unified rule set to identify errors. When validating the unified rule set, a flow manager may compare the unified rule set against one or more defined policies. Alternatively, a flow manager may apply the unified rule set to either captured or manually specified simulated network packets. A flow manager may also identify extraneous rules or actions. Further, a flow manager may present the unified rule set for manual verification and may receive input identifying errors and specifying modification to correct the errors.
    Type: Application
    Filed: June 15, 2004
    Publication date: December 15, 2005
    Applicant: Sun Microsystems, Inc.
    Inventors: Jason Goldschmidt, Christoph Schuba, Michael Speer
  • Publication number: 20050276262
    Abstract: A flow manager may receive prioritized packet flow rules from multiple prioritized network services where each flow rule may comprise a packet filter and a prioritized action list. The priority for the flow rules from each network service may be expressed as either longest prefix or ordered precedence. The flow manager may generate a unified rule set according to the received packet flow rules by identifying conflicts between pairs of rules and resolving the identified conflicts according to the priority relationship between the two rules of each pair. When resolving conflicts between rules, the flow manager may append the action list of one rule to the action list of another rule, and may also create a new rule by combining the packet filters and action lists of the conflicting rules.
    Type: Application
    Filed: June 15, 2004
    Publication date: December 15, 2005
    Applicant: Sun Microsystems, Inc.
    Inventors: Christoph Schuba, Jason Goldschmidt
  • Patent number: 6724733
    Abstract: The invention is a method and apparatus for determining an approximate network distance using one or more reference points. In accordance with an embodiment of the invention, the method comprises the steps of selecting at least one reference point positioned along a path between first and second points of a network, generating first distance metric information associated with at least one path associating a first point and the at least one reference point, generating second distance metric information associated with at least one path associating a second point and the at least one reference point, and determining a total approximate distance between the first point and the second point along one or more paths based on the first and second distance metric information.
    Type: Grant
    Filed: November 2, 1999
    Date of Patent: April 20, 2004
    Assignee: Sun Microsystems, Inc.
    Inventors: Christoph Schuba, Raphael Rom, Israel Cidon, Amit Gupta
  • Patent number: 6519646
    Abstract: A method and apparatus for encoding characteristics for the retrieval of information. Depending on the characteristics, some methods for retrieving information may be preferred. If information is too large to utilize UDP, then TCP may be preferred. In addition, if information is not cacheable, then it is preferable to retrieve the information directly from the server instead of searching the cache first. A URL (Uniform Resource Locator) is utilized on the internet to specify the application protocol (e.g., http), the domain name (e.g., www.sun.com), and file location (e.g., /users/hcn/index.html). The suffix of a file indicator is utilized to identify how to process the data or information subsequent to retrieval. One or more embodiments of the invention provide for encoding characteristics of data to be transferred that indicates or hints at an optimal method to retrieve the data. For example, the URL may specify that TCP is the preferred transfer protocol, thereby avoiding an attempted transfer using UDP.
    Type: Grant
    Filed: September 1, 1998
    Date of Patent: February 11, 2003
    Assignee: Sun Microsystems, Inc.
    Inventors: Amit Gupta, Elliot Poger, Christoph Schuba