Abstract: A zone locking system detects unauthorized network usage internal to a firewall. The system determines unauthorized network usage by classifying internal hosts inside a firewall into zones. Certain specified zones are unauthorized to initiate client communications with other selected zones. However, zone override services can be designated for each associated internal zone, and thus, authorizing selected network services. An alarm or other appropriate action is taken upon the detection of unauthorized network usage.

Abstract: A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.

Abstract: A zone locking system detects unauthorized network usage internal to a firewall. The system determines unauthorized network usage by classifying internal hosts inside a firewall into zones. Certain specified zones are unauthorized to initiate client communications with other selected zones. However, zone override services can be designated for each associated internal zone, and thus, authorizing selected network services.

Abstract: A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.

Abstract: A port profiling system detects unauthorized network usage. The port profiling system analyzes network communications to determine the service ports being used. The system collects flow data from packet headers between two hosts or Internet Protocol (IP) addresses. The collected flow data is analyzed to determine the associated network service provided. A host data structure is maintained containing a profile of the network services normally associated with the host. If the observed network service is not one of the normal network services performed as defined by the port profile for that host, an alarm signal is generated and action can be taken based upon the detection of an Out of Profile network service. An Out of Profile operation can indicate the operation of a Trojan Horse program on the host, or the existence of a non-approved network application that has been installed.

Abstract: A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.

Abstract: A data flow controller (150) for monitoring and automatically controlling the flow of serial data from a remote transmitter to a host device. A serial communications card (11) provides an interface between a remote transmitter connected to a serial port connector (20) and a host device (10). The card (11) contains a UART (14) which has a buffer. A counter (151) counts the number of bytes received by the UART (14) since the last time that the host (10) read all the data in the buffer. If the number exceeds a predetermined portion of the buffer capacity the counter output (Q11) will go high, thereby disabling the counter and sending a control signal (DTR, RTS) to the remote transmitter to stop sending data. Once the host (10) has read all the data in the buffer the UART (14) provides a signal (-RXREADY) which resets the counter (151), thereby causing the output (Q11) to go low, thereby allowing the remote transmitter to resume sending data.

Abstract: A method for communicating with a plurality of hosts connected to an X.25 network and for selectably using a character as a control character or a data character. Each character received from the X.25 network is inspected to determine if it is one of a set of reserved characters. If so, the character is encoded before being sent to its final destination. Data intended for the X.25 network is inspected for the presence of a predetermined control character. If the control character is present, the next character is inspected to determine whether it is a command character or an encoded data character. If this next character is an encoded data character, it is decoded and provided to the X.25 network. If this next character is a command character, then the command is executed. The method allows the use of any character as either a command character or data character. Data transfer between the DTE and DCE is assigned a PAD and a virtual channel number which corresponds to a particular host on the X.25 network.

Abstract: A method and apparatus for compressing data, particularly useful in a modem. The preferred method is implemented in a microprocessor within a modem, and dynamically adapts to changing data statistics. Parallel encoding and decoding tables are provided at the encoder and the decoder, and are updated for each character processed. Each table has a plurality of digital compression codes associated with characters of an alphabet. In response to an item of data presented for encoding, a compression code which corresponds to the character presented for encoding is selected using the encoding table. The selected compression code is provided as an output. Periodically, the association between the codes and the characters of the alphabet in the table is adjusted as a function of the frequency of occurrence of characters of the alphabet, over a plurality of characters.

Abstract: The preferred embodiment (11) of the modem comprises a control unit (13), a memory (27), a switch (14), and a modem engine (17). The modem engine (17) establishes communications with a modem (30) using conventional handshake methods. The control unit (13) then initiates a special handshake sequence composed of nonprintable, opposing characters to the modem (30) via the switch (14) and the modem engine (17). If the modem (30) completes the special handshake sequence then the control unit (13) and the modem (30) exchange the desired information. If the modem (30) does not complete the special handshake sequence then the preferred embodiment (11) functions as a conventional modem. The use of nonprinting, opposing characters for the special handshake sequence prevents the special handshake sequence from adversely affecting the external devices (10) (34).

Abstract: An electro-optic integrated circuit is disclosed wherein the long electrical connections normally present on a large scale integrated circuit are replaced by an optical waveguide layer. A plurality of epitaxial layers are grown on a single substrate and at least three of the plurality of epitaxial layers are grown with bandgaps that are suitable for optical sources, detectors and waveguiding. These primary layers are separated from each other by a barrier layer having a bandgap greater than either of the adjacent primary layers. Two of the layers adjacent to the substrate are grown to accommodate electrical devices that can be used to couple electrical signals to the optical source layers and to amplify electrical signals provided by the optical detection layer.

Abstract: Large current gains and high degrees of sensitivity to impinging primary photons are realized in photon feedback photodetectors embodying the invention. A photocurrent generated by an internal photodiode (10, 11) in response to the primary photons (6) causes secondary photons to be emitted by internal serially connected luminescence diodes (12, 13; 14, 15). Secondary photons traveling away from the photodiode are redirected by a reflector (16) to impinge on the photodiode and thereby sustain the photocurrent. Gains of the order of 100 are realized by these photodetectors.

Abstract: Longitudinal mode control is achieved in a heterojunction semiconductor laser (201-208) by doping the active region (203) of the laser with a deep level electron or hole trap. The trap is chosen to have a carrier capture cross section .sigma..sub.e and an optical cross section .sigma..sub.o such that the ratio of P, the average number of photons per cubic centimeter, to P.sub.s is between 0.1 and 100 where P.sub.s is equal to (N.sigma..sub.e V/.sigma..sub.o C.sub.o), N is the carrier density, V is the carrier thermal velocity, and C.sub.o is the speed of light in the material. In a specific embodiment the active region is bombarded by photons to achieve deep level electron traps in the active region.

Abstract: A semiconductor laser is disclosed wherein the active region has been doped with deep-level electron traps either by proton bombarding the active region or by doping with an impurity, such as oxygen, iron, or chromium. The density of traps is such that an optical absorption parameter of greater than 30 cm.sup.-1 is achieved. This laser, when combined with an ordinary photodiode, exhibits overall optical gain thereby permitting an array of optical logic circuits.

Abstract: An input voltage overload protection semiconductor structure useful with MOS circuitry consists of a p-region in an n-substrate with p+ type regions formed on both sides of the p-region and an n+ type region centrally located in the p-region. Input signals are applied to the first p+ region. The gate of an MOS structure to be protected from voltage overload is connected to the second p+ type region. A power supply used with the MOS structure is connected to the n+ region. This structure provides significantly greater load protection than the standard resistor-diode-resistor circuit.

Abstract: A light-activated light-emitting device has at least one p-n junction provided with electrodes for confining light-emission to an area of the junction. It has been determined that light-emission can be activated by light impinging on the junction outside this confined area, so two optical fibers are provided, one being an input fiber for bringing activating light to the nonemitting sensitive part of the junction and the other fiber being an output fiber coupled to the light-emitting area. When the device is a p-n-p-n light-activated light-emitting switch provided with an RCL reset control circuit, a very inexpensive unidirectional optical pulse regenerator is obtained. The device in its various forms is advantageously suited for use in each of many stations along optical fiber data busses or in optical logic arrays because the unidirectional feature prevents light feedback between adjacent devices and consequently avoids spurious switching of a preceding device.