Abstract: An authentication system for detecting a phishing attack by a Man in Middle (MIM) on an end-user. The system includes a communicating device of the end-user and an authentication server for determining if a MIM (spoofing) or the end-user is communicating with the authentication server. The communicating device includes a bearer sensitive one-time password (BOTP) generator for generating a specific BOTP specifically associated with the communicating device where the BOTP is derived using a unique differentiating observable attribute (UDOA) of the communicating device. The communicating device sends the BOTP to the authentication server which uses the perceived UDOA of the received BOTP and calculates an authenticator server BOTP. The authentication server also determines if the received BOTP matches the BOTP calculated by the authenticating server and terminates/rejects the session if the BOTPs do not match. A similar system and method may be utilized to authenticate a digital object.

Abstract: An authentication system includes one or more terminals in communication with a server on a network. The server is operable to receive user login information; and generate an authentication data set having: a plurality of decoy data; an anchor data, wherein the anchor data is based on information from a user profile; and target data in a predetermined relationship relative to the anchor data. The server is also operable to generate a decoy data set having: a plurality of second decoy data; and at least one anchor data. The server may then display the authentication data set and decoy data set and determine an authentication result by performing a predetermined manipulation of the target data. The server may receive a user response to an authentication prompt; and authenticate the user if the authentication result and user response are the same.

Abstract: A bridged network system (10, 10?) is described comprising a plurality of nodes (N1-N7). Each node in the plurality of nodes is coupled to communicate with at least one other node in the plurality of nodes. The plurality of nodes comprise a bridge network between external nodes located externally from the plurality of nodes. Each node of the plurality of nodes is operable to perform the steps of receiving a packet (20, 20?), wherein the packet comprises a route indicator field, and responsive to the packet being received prior to a time of failure along a communication link between two of the plurality of nodes, transmitting the packet along a first route in the system to another node in the plurality of nodes.

Abstract: A system for authenticating a user in a network. The authentication system includes a computer resource having secure data, an authentication computing system providing dynamic authentication of a user accessing the computer resource, and a user communication device for communicating between the user and the computer resource. The computing system presents a challenge for which a specified response is required based upon a pre-determined function. Access is then granted by the computing system upon providing the correct response to the presented challenge by the user.

Abstract: An authentication system includes one or more terminals in communication with a server on a network. The server is operable to receive user login information; and generate an authentication data set having: a plurality of decoy data; an anchor data, wherein the anchor data is based on information from a user profile; and target data in a predetermined relationship relative to the anchor data. The server is also operable to generate a decoy data set having: a plurality of second decoy data; and at least one anchor data. The server may then display the authentication data set and decoy data set and determine an authentication result by performing a predetermined manipulation of the target data. The server may receive a user response to an authentication prompt; and authenticate the user if the authentication result and user response are the same.

Abstract: Customer virtual local area networks (C-VLANs) connecting multiple LAN segments are set up through a provider network (12). Provider edge bridges (PEs) are coupled to customer edge bridges (CEs) to provide a transparent link between LAN segments. To determine whether a backdoor link is used in the C-VLAN topology, PEs monitor MAC address from a predetermined time after a TCN is received to determine if there are contradictory addresses or new addresses relative to the existing MAC address tables (or forwarding databases) that are indicative of a backdoor link. If so, an unlearning message is sent to bridges in the provider domain. In another embodiment, CEs set a snoop bit to indicate which TCNs must be snooped.

Abstract: An authentication system includes one or more terminals in communication with a server on a network. The server is operable to receive user login information; and generate an authentication data set having: a plurality of decoy data; an anchor data, wherein the anchor data is based on information from a user profile; and target data in a predetermined relationship relative to the anchor data. The server is also operable to generate a decoy data set having: a plurality of second decoy data; and at least one anchor data. The server may then display the authentication data set and decoy data set and determine an authentication result by performing a predetermined manipulation of the target data. The server may receive a user response to an authentication prompt; and authenticate the user if the authentication result and user response are the same.

Abstract: A bridged network system (10). The system comprises at least one network server (NS) for receiving and responding to authentication session requests. The system also comprises a plurality of bridge nodes (BRNx). Each bridge node in the plurality of bridge nodes is connected to communicate with at least one other neighboring bridge node in the plurality of nodes, and each bridge node comprises at least one port (BPx), circuitry for communicating with at least one of either another bridge node in the plurality of nodes or the at least one network server, and circuitry for limiting (40, 42) a number of authentication sessions active at a same time through the at least one port. The system also comprises a central resource (e.g., BRN0).

Abstract: A packet switch is described. In one embodiment, the packet switch comprises a plurality of ingress ports for receiving packets at the packet switch and for appending a tag to each packet that designates one of the plurality of ingress ports that received the packet; a plurality of egress ports for removing the tag from the packets and transmitting the packets from the packet switch; and switch fabric for switching the packets from one of the plurality of ingress ports to one of the plurality of egress ports.

Abstract: A method of operating a bridge node (B0) in a network system. The bridge node comprises a plurality of ports (BP0.x). The method comprises a step of receiving a frame (240), from a device in the network system and other than the bridge node, at a port in the plurality of ports. The frame comprises a source network address. The method is also responsive to at least one condition (250, 260) associated with the port in that the method stores the source address in a forwarding table associated with the bridge if the at least one condition is satisfied. The at least one condition comprises whether the frame was received within a time window Tw of when a threshold number of previous frames were received at the port and their respective source network addresses were stored in the table.

Abstract: A system for authenticating a user in a network. The authentication system includes a computer resource having secure data, an authentication computing system providing dynamic authentication of a user accessing the computer resource, and a user communication device for communicating between the user and the computer resource. The computing system presents a challenge for which a specified response is required based upon a pre-determined function. Access is then granted by the computing system upon providing the correct response to the presented challenge by the user.

Abstract: A bridged network system (10, 10?). The system comprises a plurality of bridge nodes (BRNx). Each bridge node in the plurality of bridge nodes is connected to communicate with at least one other neighboring bridge node in the plurality of nodes. Each bridge node in the plurality of bridge nodes comprises circuitry (BPy.z) for communicating with at least one of either another bridge node in the plurality of nodes or a network server. Each bridge node in the plurality of bridge nodes further comprises circuitry for storing (neighbor-tracking table), as received from the at least one of another bridge node in the plurality of nodes and the network server, at least one spanning tree parameter of a neighboring bridge node.

Abstract: A method of routing packets in network system where the network system comprises a plurality of edge nodes and a plurality of core nodes. Selected core nodes are coupled to communicate with selected edge nodes. The network system also comprises a plurality of external nodes, with selected external nodes coupled to communicate with selected edge nodes, and where different external nodes are associated with a plurality of different entities sharing resources on the network system. The method comprises proposing a set of entities from the plurality of different entities. The proposed set comprises entities associated with external nodes that share respective connections to a number of edge nodes in the edge nodes such that the shared number is less than a total number of all edge nodes to which each different entity in the set is connected, with other aspects then taken with respect to the proposed set.

Abstract: A network system (10). The system comprises a first network node (N6), and the node comprises an input (30IN) for receiving packets. During operation, the first network node operates as a downstream node when receiving packets at the input from an upstream node (N5). The node also comprises a buffer (30), coupled to the input and for storing received packets, and circuitry (32) for detecting when a number of packets stored in the buffer exceeds a buffer storage threshold. The node also comprises circuitry (32), responsive to a detection by the circuitry for detecting that the number of packets stored in the buffer exceeds the buffer storage threshold, for issuing a message to the upstream node. The message selectively commands the upstream node to reduce a rate of transmission of packets from the upstream node to the downstream node to a non-zero rate.

Abstract: A network (e.g., RSTP-based network) and method are described herein that can selectively eliminate latencies in the exchange of to-be-transmitted control messages (e.g., BPDUs) between bridges during the re/convergence of the network. The method includes a step of classifying to-be-transmitted control messages as either low-priority control messages or high-priority control messages. The method also has a step of limiting the transmission rate of the low-priority control messages in accordance with a traditional IEEE 802.1 RSTP. And, the method also includes a step of immediately transmitting the high-priority control messages that contain information that contributes to the re/convergence of the network.

Abstract: A system and method of implementing Routing Stability-Based Integrated Traffic Engineering (“RITE”) for use in an MPLS/optical network is described. Incoming network traffic is classified as high priority (“HP”), which requires absolute routing stability, or low priority (“LP”), which can tolerate limited rerouting. In accordance with one embodiment, HP traffic trunks are mapped on to direct LCs and are rerouted only in the event of an LC teardown due to poor traffic utilization. LP traffic trunks are mapped on to direct LCs if available; otherwise, they are mapped on to multi-hop LSPs with appropriate O/E/O conversions at the edge nodes serving as intermediate hops. Each LP traffic trunk is associated with a rerouting timer that is set at the time of rerouting so as to prevent another rerouting of the trunk until the timer expires.

Abstract: A bridged network system (10). The system comprises at least one network server (NS) for receiving and responding to authentication session requests. The system also comprises a plurality of bridge nodes (BRNx). Each bridge node in the plurality of bridge nodes is connected to communicate with at least one other neighboring bridge node in the plurality of nodes, and each bridge node comprises at least one port (BPx), circuitry for communicating with at least one of either another bridge node in the plurality of nodes or the at least one network server, and circuitry for limiting (40, 42) a number of authentication sessions active at a same time through the at least one port. The system also comprises a central resource (e.g., BRN0).

Abstract: A bridged network system (10, 10?). The system comprises a plurality of bridge nodes (BRNx). Each bridge node in the plurality of bridge nodes is connected to communicate with at least one other neighboring bridge node in the plurality of nodes. Each bridge node in the plurality of bridge nodes comprises circuitry (BPy.z) for communicating with at least one of either another bridge node in the plurality of nodes or a network server. Each bridge node in the plurality of bridge nodes further comprises circuitry for storing (neighbor-tracking table), as received from the at least one of another bridge node in the plurality of nodes and the network server, at least one spanning tree parameter of a neighboring bridge node.

Abstract: A method of operating a bridge node (B0) in a network system. The bridge node comprises a plurality of ports (BP0.x). The method comprises a step of receiving a frame (240), from a device in the network system and other than the bridge node, at a port in the plurality of ports. The frame comprises a source network address. The method is also responsive to at least one condition (250, 260) associated with the port in that the method stores the source address in a forwarding table associated with the bridge if the at least one condition is satisfied. The at least one condition comprises whether the frame was received within a time window Tw of when a threshold number of previous frames were received at the port and their respective source network addresses were stored in the table.

Abstract: A method (20) of routing packets in network system (10). The network system comprises a plurality of edge nodes (ENx) and a plurality of core nodes (CNx). Selected core nodes are coupled to communicate with selected edge nodes. The network system also comprises a plurality of external nodes (CSTa,b) external from the edge nodes, with selected external nodes coupled to communicate with selected edge nodes in the plurality of edge nodes, and where different external nodes in the plurality of external nodes are associated with a plurality of different entities sharing resources on the network system. The method comprises a step (30) of proposing a set of entities from the plurality of different entities.