Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a onetime value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.

Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.

Abstract: A method and system for encoding a set of range labels for each parameter field in a packet classification key in such a way as to require preferably only a single entry per rule in a final processing stage of a packet classifier. Multiple rules are sorted accorded to their respective significance. A range, based on a parameter in the packet header, is previously determined. Multiple rules are evaluated according to an overlapping of rules according to different ranges. Upon a determination that two or more rules overlap, each overlapping rule is expanded into multiple unique segments that identify unique range intersections. Each cluster of overlapping ranges is then offset so that at least one bit in a range for the rule remains unchanged. The range segments are then converted from binary to Gray code, which results in the ability to determine a CAM entry to use for each range.

Abstract: A method for increasing the capacity of a connection table in a firewall accelerator by means of mapping packets in one session with some common security actions into one table entry. For each of five Network Address Translation (NAT) configurations, a hash function is specified. The hash function takes into account which of four possible arrival types a packet at a firewall accelerator may have. When different arrival types of packets in the same session are processed, two or more arrival types may have the same hash value.

Abstract: A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When an anomaly is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the anomaly is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-apply the blocking measure for a specified duration, then suspend the blocking measure and test again for the anomaly. If the anomaly is detected, the blocking measure is re-applied, and its duration is adapted. If the anomaly is no longer detected, the method returns to the state of readiness.

Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a one-time value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.

Abstract: A detection and response system including a set of algorithms for detection within a stream of normal computer traffic a subset of TCP packets with one IP Source Address (SA), one Destination Port (DP), and a number exceeding a threshold of distinct Destination Addresses (DA). There is efficient use of a lookup mechanism such as a Direct Table and Patricia search tree to record sets of packets with one SA and one DP as well as the set of DA values observed for the given SA, DP combination. The existence of such a subset and the header values including SA, DP, and multiple DAs of the subset are reported to a network administrator. In addition, various administrative responses to reports are provided.

Abstract: A method, apparatus, and computer instructions for providing a current and complete security compliance view of an enterprise system. The present invention provides the ability to gain a real-time security posture and security compliance view of an enterprise and to assess the risk impact of known threats and attacks to continued business operations at various levels is provided. Responsive to a change to an enterprise environment, a request, or an external threat, an administrator loads or updates at least one of a Critical Application Operations database, a Historical database, an Access Control database, a Connectivity database, and a Threat database. Based on a comparison of information in the databases against similar security data elements from company or external policies, the administrator may generate a Security Compliance view of the enterprise. A Security Posture view may also be generated by comparing the Security Compliance view against data in the Threat database.

Abstract: The decision within a packet processing device to transmit a newly arriving packet into a queue to await processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to thresholds and also comparing present queue occupancy to previous queue occupancy. The outcome of the update is a new transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.

Abstract: A method of blocking spam at a firewall involves applying blocking measures for an adaptively determined duration. The blocking measure is then suspended while determining whether the spam has ended. If so, the method resets to an initial state. Otherwise, the blocking measure is re-applied for a second duration.

Abstract: System and method for recording temperature on an RFID tag. A first RFID tag is attached to a container. The first RFID tag includes a temperature sensor. The container contains a multiplicity of packages. A multiplicity of second RFID tags are attached to the multiplicity of packages, respectively. The first RFID tag transmits temperature information to the multiplicity of second RFID tags. In response, the multiplicity of second RFID tags record the temperature information. Consequently, there is no need for expensive temperature sensors on the multiplicity of RFID tags on the packages. According to features of the present invention, the first RFID tag is an active RFID tag, and the multiplicity of second RFID tags are passive RFID tags. The first RFID tag also transmits other information to the multiplicity of second RFID tags to enable the second RFID tags to authenticate the temperature information.

Abstract: A method and system for encoding a set of range labels for each parameter field in a packet classification key in such a way as to require preferably only a single entry per rule in a final processing stage of a packet classifier. Multiple rules are sorted accorded to their respective significance. A range, based on a parameter in the packet header, is previously determined. Multiple rules are evaluated according to an overlapping of rules according to different ranges. Upon a determination that two or more rules overlap, each overlapping rule is expanded into multiple unique segments that identify unique range intersections. Each cluster of overlapping ranges is then offset so that at least one bit in a range for the rule remains unchanged. The range segments are then converted from binary to Gray code, which results in the ability to determine a CAM entry to use for each range.

Abstract: System, method and computer program for authenticating a user of a client computer to a remote server computer. A client computer initially sends a userID but not a password of the user to the remote server computer. In response to the userID, the server computer determines a subsequent time window during which the server computer will consider for authentication submission of a combination of the userID and a password. The server computer notifies the client computer of the time window. After receipt of the notification from the server computer, during the time window, the client computer sends the userID and a corresponding password to the server computer. In response to receipt of the userID and the corresponding password from the client computer, the server computer determines if the combination of the userID and the corresponding password is valid.

Abstract: A method and system for encoding a set of range labels for each parameter field in a packet classification key in such a way as to require preferably only a single entry per rule in a final processing stage of a packet classifier. Multiple rules are sorted accorded to their respective significance. A range, based on a parameter in the packet header, is previously determined. Multiple rules are evaluated according to an overlapping of rules according to different ranges. Upon a determination that two or more rules overlap, each overlapping rule is expanded into multiple unique segments that identify unique range intersections. Each cluster of overlapping ranges is then offset so that at least one bit in a range for the rule remains unchanged. The range segments are then converted from binary to Gray code, which results in the ability to determine a CAM entry to use for each range.

Abstract: A method of progressive response for invoking and suspending blocking measures that defend against network anomalies such as malicious network traffic so that false positives and false negatives are minimized. When a truncated secure session attack is detected, the detector notifies protective equipment such as a firewall or a router to invoke a blocking measure. The blocking measure is maintained for an initial duration, after which it is suspended while another test for the anomaly is made. If the attack is no longer evident, the method returns to the state of readiness. Otherwise, a loop is executed to re-applying the blocking measure for a specified duration, then suspend the blocking measure and test again for the attack. If the attack is detected, the blocking measure is re-applied, and its duration is adapted. If the attack is no longer detected, the method returns to the state of readiness.

Abstract: The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.

Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a one-time value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.

Abstract: The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.

Abstract: A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.

Abstract: A remote user, two-way authentication and password change protocol that also allows parties to optionally establish a session key which can be used to protect subsequent communication. In a preferred embodiment, a challenge token is generated and exchanged which is a one-time value that includes a random value that changes from session to session. The construction and use of the challenge token avoids transmission of the password or even the transmission of a digest of the password itself. Thus the challenge token does not reveal any information about a secret password or a digest of the password.