Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprise TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.

Abstract: A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) is provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address, acquiring a corresponding source and destination IP address prefixes, converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number, determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information and generating an alert indicating that the incoming packet is not allowed to enter the network.

Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprise TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.

Abstract: A method for controlling network access comprises receiving a request to allow a communication flow over a network and temporarily allowing the communication flow over the network before a response to the request is transmitted. Further, the availability of one or more network resources may be determined and compared with resources required for the requested communication flow. Priority of the communication flow may also be determined, and the temporarily allowed communication flow may be responded to based on the available resources, the requested resources, and the priority.

Abstract: A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) is provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address, acquiring a corresponding source and destination IP address prefixes, converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number, determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information and generating an alert indicating that the incoming packet is not allowed to enter the network.

Abstract: A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network.

Abstract: Routing and connectivity in the Internet is largely governed by the dynamics and configuration of the Border Gateway Protocol (BGP). A configuration analysis toolkit enables network operators to discover, analyze and diagnose their BGP configuration, policies and peering relationships. Statistical variance analysis in such a toolkit exploits the recurrence of policies in large networks for analysis. In a large network, policies that have similar functions are examined, e.g. all inbound route maps associated with customer autonomous systems. For n occurrences of similar policy P, it is possible to flag k deviant configurations, and evaluate the probability that the deviant configurations are in error.

Abstract: A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network.

Abstract: An autonomous management cluster of network elements serves as a distributed configuration repository. Network elements sharing a common pre-determined shared identifier autonomously form themselves as a management cluster. The network elements in the cluster exchange configuration files. In the event of a loss, destruction, or corruption of one of the network element's configuration file, the network element recovers its configuration file from its closest neighbor in its management cluster. The management cluster can also be used to efficiently disseminate configuration changes by simply communicating the changes to one or more elements in the cluster, and allowing the other nodes in the cluster to discover and retrieve their updated configuration files.

Abstract: A method for controlling network access comprises receiving a request to allow a communication flow over a network and temporarily allowing the communication flow over the network before a response to the request is transmitted. Further, the availability of one or more network resources may be determined and compared with resources required for the requested communication flow. Priority of the communication flow may also be determined, and the temporarily allowed communication flow may be responded to based on the available resources, the requested resources, and the priority.

Abstract: Aspects of the invention provide a method and system for managing or coordinating data transmission in a Local Area Network (LAN) such that Quality of Service (QoS) concerns are met. A LAN resource manager (LRM) is provided for managing the LAN resources by providing solutions for providing users with several levels of QoS. Once the LRM admits a user at a certain QoS level, the level is assured within the LAN for as long as the user is in the LAN. A user may submit a request to transmit data to the LRM. The LRM may determine if time allocation is possible and allocate the time slots for data transmission. The LRM may send time slot allocation information to an Access Server in a LAN, which may inform the user of the time slot allocation and prepare a queue according to the slot allocation information.

Abstract: Routing and connectivity in the Internet is largely governed by the dynamics and configuration of the Border Gateway Protocol (BGP). A configuration analysis toolkit enables network operators to discover, analyze and diagnose their BGP configuration, policies and peering relationships. Statistical variance analysis in such a toolkit exploits the recurrence of policies in large networks for analysis. In a large network, policies that have similar functions are examined, e.g. all inbound route maps associated with customer autonomous systems. For n occurrences of similar policy P, it is possible to flag k deviant configurations, and evaluate the probability that the deviant configurations are in error.

Abstract: Aspects of the invention provide a method and system for managing or coordinating data transmission in a Local Area Network (LAN) such that Quality of Service (QoS) concerns are met. A LAN resource manager (LRM) is provided for managing the LAN resources by providing solutions for providing users with several levels of QoS. Once the LRM admits a user at a certain QoS level, the level is assured within the LAN for as long as the user is in the LAN. A user may submit a request to transmit data to the LRM. The LRM may determine if time allocation is possible and allocate the time slots for data transmission. The LRM may send time slot allocation information to an Access Server in a LAN, which may inform the user of the time slot allocation and prepare a queue according to the slot allocation information.