Patents by Inventor Thusitha Jayawardena

Thusitha Jayawardena has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9787701
    Abstract: An insider attack resistant system for providing cloud services integrity checking is disclosed. In particular, the system utilizes an automated integrity checking script and virtual machines to check the integrity of a service. The system may utilize the integrity checking script and virtual machines to execute a set of operations associated with the service so as to check the integrity of the service. When executing the set of operations, the system may only have access to the minimum level of access to peripherals that is required for each operation in the set of operations to be executed. After each operation is executed, the system may log each result for each operation, and analyze each result to determine if a failure exists for any of the operations. If a failure exists, the system may determine that a change in an expected system behavior associated with the service has occurred.
    Type: Grant
    Filed: March 16, 2017
    Date of Patent: October 10, 2017
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Thusitha Jayawardena, Jeffrey E. Bickford, Mikhail Istomin, John Liefert, Gokul Singaraju, Christopher Van Wart
  • Publication number: 20170187732
    Abstract: An insider attack resistant system for providing cloud services integrity checking is disclosed. In particular, the system utilizes an automated integrity checking script and virtual machines to check the integrity of a service. The system may utilize the integrity checking script and virtual machines to execute a set of operations associated with the service so as to check the integrity of the service. When executing the set of operations, the system may only have access to the minimum level of access to peripherals that is required for each operation in the set of operations to be executed. After each operation is executed, the system may log each result for each operation, and analyze each result to determine if a failure exists for any of the operations. If a failure exists, the system may determine that a change in an expected system behavior associated with the service has occurred.
    Type: Application
    Filed: March 16, 2017
    Publication date: June 29, 2017
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Thusitha Jayawardena, Jeffrey E. Bickford, Mikhail Istomin, John Liefert, Gokul Singaraju, Christopher Van Wart
  • Patent number: 9606854
    Abstract: An insider attack resistant system for providing cloud services integrity checking is disclosed. In particular, the system utilizes an automated integrity checking script and virtual machines to check the integrity of a service. The system may utilize the integrity checking script and virtual machines to execute a set of operations associated with the service so as to check the integrity of the service. When executing the set of operations, the system may only have access to the minimum level of access to peripherals that is required for each operation in the set of operations to be executed. After each operation is executed, the system may log each result for each operation, and analyze each result to determine if a failure exists for any of the operations. If a failure exists, the system may determine that a change in an expected system behavior associated with the service has occurred.
    Type: Grant
    Filed: August 13, 2015
    Date of Patent: March 28, 2017
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Thusitha Jayawardena, Jeffrey E. Bickford, Mikhail Istomin, John Liefert, Gokul Singaraju, Christopher Van Wart
  • Publication number: 20170046211
    Abstract: An insider attack resistant system for providing cloud services integrity checking is disclosed. In particular, the system utilizes an automated integrity checking script and virtual machines to check the integrity of a service. The system may utilize the integrity checking script and virtual machines to execute a set of operations associated with the service so as to check the integrity of the service. When executing the set of operations, the system may only have access to the minimum level of access to peripherals that is required for each operation in the set of operations to be executed. After each operation is executed, the system may log each result for each operation, and analyze each result to determine if a failure exists for any of the operations. If a failure exists, the system may determine that a change in an expected system behavior associated with the service has occurred.
    Type: Application
    Filed: August 13, 2015
    Publication date: February 16, 2017
    Inventors: Thusitha Jayawardena, Jeffrey E. Bickford, Mikhail Istomin, John Liefert, Gokul Singaraju, Christopher Van Wart
  • Publication number: 20170034220
    Abstract: A system and method for identifying distributed attacks, such as, but not limited to, distributed denial of service attacks and botnet attacks, in a first network serviced by a first carrier and configured to alert a second network serviced by a second carrier that is different from the first carrier is disclosed. Once an attack has been identified, an attack alert is generated and provided to the second network or other aspects of the first network, or both. The attack alerts may be distributed dynamically with the second network via diameter based security protocol Rs. Such system and method may mitigate distributed malicious attacks by sharing destination internet protocol and bad international mobile subscriber identity information across carriers.
    Type: Application
    Filed: July 29, 2015
    Publication date: February 2, 2017
    Inventors: Gokul Singaraju, Ashutosh Dutta, Thusitha Jayawardena, Christopher Van Wart
  • Publication number: 20160014031
    Abstract: A method provides for the dynamic traffic prioritization in a communication network. The method electronically monitors traffic in a communication network and determines when traffic exceeds configured thresholds on the links of the communication network. Thus, the method determines a link which is potentially about to be congested in the communication network. The method categorizes the traffic on this link by an end system attached to one end of the potentially congested link into a plurality of priority categories using application layer parameters. Using a re-direct capability of the end system, the method re-directs at least one of the pluralities of priority categories of traffic to an alternate Internet Protocol address. The method uses preconfigured Quality of Service mechanisms on the provider edge router attached to the other end of the potentially congested link to guarantee a predetermined amount of bandwidth capacity of the link to traffic destined to the alternate Internet Protocol address.
    Type: Application
    Filed: September 25, 2015
    Publication date: January 14, 2016
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Thusitha JAYAWARDENA, Gustavo DE LOS REYES, Xiao PAN, Gang XU
  • Patent number: 9148376
    Abstract: A method provides for the dynamic traffic prioritization in a communication network. The method electronically monitors traffic in a communication network and determines when traffic exceeds configured thresholds on the links of the communication network. Thus, the method determines a link which is potentially about to be congested in the communication network. The method categorizes the traffic on this link by an end system attached to one end of the potentially congested link into a plurality of priority categories using application layer parameters. Using a re-direct capability of the end system, the method re-directs at least one of the pluralities of priority categories of traffic to an alternate Internet Protocol address. The method uses preconfigured Quality of Service mechanisms on the provider edge router attached to the other end of the potentially congested link to guarantee a predetermined amount of bandwidth capacity of the link to traffic destined to the alternate Internet Protocol address.
    Type: Grant
    Filed: December 8, 2010
    Date of Patent: September 29, 2015
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.L.P.
    Inventors: Thusitha Jayawardena, Gustavo de los Reyes, Xiao Pan, Gang Xu
  • Patent number: 8924879
    Abstract: A computer readable storage medium storing a set of instructions that are executable by a processor, the set of instructions being operable to store a virtual representation of a plurality of physical components, display the virtual representation, receive user interaction with at least one of the virtual representations and send a command to the physical component corresponding to the user interaction.
    Type: Grant
    Filed: October 22, 2013
    Date of Patent: December 30, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Gustavo de los Reyes, Sanjay Macwan, Gang Xu, Howard Shirokmann, Rachel Rosencrantz, Thusitha Jayawardena
  • Patent number: 8844018
    Abstract: Example methods and apparatus to enhance security in residential networks and residential gateways are disclosed. A disclosed example apparatus includes a transceiver to receive an Internet protocol (IP) packet, a first packet processing module associated with a protected IP address, the first packet processing module to be communicatively coupled to a first network device, a second packet processing module associated with a public IP address, the second packet processing module to be communicatively coupled to a second network device, and a packet diverter to route the received IP packet to the first packet processing module when the IP packet contains the protected IP address and to route the IP packet to the second packet processing module when the IP packet does not contain the protected IP address.
    Type: Grant
    Filed: December 18, 2008
    Date of Patent: September 23, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Thusitha Jayawardena, Gustavo De Los Reyes, Gang Xu
  • Patent number: 8726380
    Abstract: An edge monitoring approach can be utilized to detect an attack which includes a plurality of relatively low bandwidth attacks, which are aggregated at a victim sub-network. The aggregated low bandwidth attacks can generate a relatively high bandwidth attack including un-solicited data traffic directed to the victim so that the aggregated attack becomes more detectable at an edge monitor circuit located proximate to the victim. Related systems, devices, and computer program products are also disclosed.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: May 13, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Gustavo de los Reyes, Thusitha Jayawardena, Gang Xu
  • Publication number: 20140052277
    Abstract: A computer readable storage medium storing a set of instructions that are executable by a processor, the set of instructions being operable to store a virtual representation of a plurality of physical components, display the virtual representation, receive user interaction with at least one of the virtual representations and send a command to the physical component corresponding to the user interaction.
    Type: Application
    Filed: October 22, 2013
    Publication date: February 20, 2014
    Applicant: AT & T Intellectual Property I, L.P.
    Inventors: Gustavo de los REYES, Sanjay MACWAN, Gang XU, Howard SHIROKMANN, Rachel ROSENCRANTZ, Thusitha JAYAWARDENA
  • Patent number: 8644159
    Abstract: A priority server for a provider network includes a traffic volume detection module, a traffic analyzer module, and a rules module. The traffic volume detection module receives operational information from the provider network and determines that a host is experiencing a flash event based upon the operational information. The traffic analyzer module determines that the flash event is not a distributed denial of service attack on the host. When it is determined that the flash event is not a distributed denial of service attack, the rules module provides a priority rule to an access router that is coupled to the host.
    Type: Grant
    Filed: July 25, 2012
    Date of Patent: February 4, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Thusitha Jayawardena, Gustavo de los Reyes
  • Patent number: 8578287
    Abstract: A computer readable storage medium storing a set of instructions that are executable by a processor, the set of instructions being operable to store a virtual representation of a plurality of physical components, display the virtual representation, receive user interaction with at least one of the virtual representations and send a command to the physical component corresponding to the user interaction.
    Type: Grant
    Filed: December 22, 2008
    Date of Patent: November 5, 2013
    Assignee: AT & T Intellectual Property, LP.
    Inventors: Gustavo De Los Reyes, Sanjay MacWan, Gang Xu, Howard Shirokmann, Rachel Rosencrantz, Thusitha Jayawardena
  • Patent number: 8566465
    Abstract: A method includes sending a first redirect instruction to a first client in response to a first session request received at a service address, and establishing a first session with the first client in response to a second session request received at the first redirect address indicated by the first redirect instruction. Additionally, the method includes determining a first service interval has passed, and sending a second redirect instruction to a second client in response to a third session request received at the service address after the first service interval has passed. The method still further includes establishing a second session with the second client in response to the fourth session request received at the second redirect address indicated by the second redirect instruction after the first service interval has passed, and rejecting the fifth session request received from a third client at the first redirect address after the first service interval has passed.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: October 22, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Gang Xu, Gustavo de los Reyes, Thusitha Jayawardena, Xiao Pan
  • Publication number: 20120291128
    Abstract: A priority server for a provider network includes a traffic volume detection module, a traffic analyzer module, and a rules module. The traffic volume detection module receives operational information from the provider network and determines that a host is experiencing a flash event based upon the operational information. The traffic analyzer module determines that the flash event is not a distributed denial of service attack on the host. When it is determined that the flash event is not a distributed denial of service attack, the rules module provides a priority rule to an access router that is coupled to the host.
    Type: Application
    Filed: July 25, 2012
    Publication date: November 15, 2012
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Thusitha Jayawardena, Gustavo de los Reyes
  • Patent number: 8302189
    Abstract: An edge monitoring approach can be utilized to detect an attack which includes a plurality of relatively low bandwidth attacks, which are aggregated at a victim sub-network. The aggregated low bandwidth attacks can generate a relatively high bandwidth attack including un-solicited data traffic directed to the victim so that the aggregated attack becomes more detectable at an edge monitor circuit located proximate to the victim. Related systems, devices, and computer program products are also disclosed.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: October 30, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Gustavo de los Reyes, Thusitha Jayawardena, Gang Xu
  • Patent number: 8254257
    Abstract: A priority server for a provider network includes a traffic volume detection module, a traffic analyzer module, and a rules module. The traffic volume detection module receives operational information from the provider network and determines that a host is experiencing a flash event based upon the operational information. The traffic analyzer module determines that the flash event is not a distributed denial of service attack on the host. When it is determined that the flash event is not a distributed denial of service attack, the rules module provides a priority rule to an access router that is coupled to the host. The priority rule is based upon a characteristic of packets routed in the provider network that are associated with the flash event, and the characteristic is determined not solely by information included in the packets.
    Type: Grant
    Filed: December 11, 2009
    Date of Patent: August 28, 2012
    Assignee: AT&T Intellectual Property I, LP
    Inventors: Thusitha Jayawardena, Gustavo de los Reyes
  • Publication number: 20120147753
    Abstract: A method provides for the dynamic traffic prioritization in a communication network. The method electronically monitors traffic in a communication network and determines when traffic exceeds configured thresholds on the links of the communication network. Thus, the method determines a link which is potentially about to be congested in the communication network. The method categorizes the traffic on this link by an end system attached to one end of the potentially congested link into a plurality of priority categories using application layer parameters. Using a re-direct capability of the end system, the method re-directs at least one of the pluralities of priority categories of traffic to an alternate Internet Protocol address. The method uses preconfigured Quality of Service mechanisms on the provider edge router attached to the other end of the potentially congested link to guarantee a predetermined amount of bandwidth capacity of the link to traffic destined to the alternate Internet Protocol address.
    Type: Application
    Filed: December 8, 2010
    Publication date: June 14, 2012
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Thusitha JAYAWARDENA, Gustavo de los REYES, Xiao PAN, Gang XU
  • Publication number: 20120072605
    Abstract: A method includes sending a first redirect instruction to a first client in response to a first session request received at a service address, and establishing a first session with the first client in response to a second session request received at the first redirect address indicated by the first redirect instruction. Additionally, the method includes determining a first service interval has passed, and sending a second redirect instruction to a second client in response to a third session request received at the service address after the first service interval has passed. The method still further includes establishing a second session with the second client in response to the fourth session request received at the second redirect address indicated by the second redirect instruction after the first service interval has passed, and rejecting the fifth session request received from a third client at the first redirect address after the first service interval has passed.
    Type: Application
    Filed: September 17, 2010
    Publication date: March 22, 2012
    Applicant: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Gang Xu, Gustavo de los Reyes, Thusitha Jayawardena, Xiao Pan
  • Patent number: 8139572
    Abstract: There are provided systems and methods for symmetric bi-directional routing in multi-homed IP networks which includes sending an IP packet having a source address from a first host and substituting the source address with an exterior routing address by a first network address translation gateway or firewall of the first host using conditional substitution. The IP packet, with the exterior routing address, is optionally routed via intermediate networks and firewalls and received by a first gateway or firewall of a second host. The second host responds to the first host along a route which traverses the same set of firewall gateways as the initial IP packet by using the exterior routing address as a destination address. The exterior routing address is converted back to the source address by the first network address translation gateway of the first host.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: March 20, 2012
    Assignee: AT & T Intellectual Property II, LP
    Inventors: Rudi Distler, Mark N. Evans, Thusitha Jayawardena