Abstract: A data-leakage prevention capability is presented herein. The data-leakage prevention capability prevents leakage of data, of a file set having a plurality of files, from a secure network using online fingerprint checking of data flows at a boundary of the secure network. The online fingerprint checking is performed using a set of data structures configured for the file set. The data structures for the file set are configured based on file set characteristics information of the file set and a target detection lag indicative of a maximum number of bits within which a data leakage event for the file set is to be determined. The data structure configuration is computed for a plurality of data structures configured for use in monitoring the files of the file set. The data structure configuration includes a plurality of data structure locations and data structure sizes for the respective plurality of data structures.

Abstract: Various embodiments provide a method and apparatus of providing a distributed network file system in a cloud network that provides performance guarantees in cloud storage that are independent of the accessed files and the access locations. A client's file system is provisioned using a file placement strategy that is based on client's access locations and determined maximum access bandwidths and does not require knowledge of file access patterns.

Abstract: A data-leakage prevention capability is presented herein. The data-leakage prevention capability prevents leakage of data, of a file set having a plurality of files, from a secure network using online fingerprint checking of data flows at a boundary of the secure network. The online fingerprint checking is performed using a set of data structures configured for the file set. The data structures for the file set are configured based on file set characteristics information of the file set and a target detection lag indicative of a maximum number of bits within which a data leakage event for the file set is to be determined. The data structure configuration is computed for a plurality of data structures configured for use in monitoring the files of the file set. The data structure configuration includes a plurality of data structure locations and data structure sizes for the respective plurality of data structures.

Abstract: Various embodiments provide a method and apparatus of providing a load balancing configuration that adapts to the overall load and scales the power consumption with the load to improve energy efficiency and scalability. The energy efficient distributed and elastic load balancing architecture includes a collection of multi-tiered servers organized as a tree structure. The handling of incoming service requests is distributed amongst a number of the servers. Each server in the virtual load distribution tree accepts handles incoming service requests based on its own load. Once a predetermined loading on the receiving server has been reached, the receiving server passes the incoming requests to one or more of its children servers.

Abstract: A SoftRouter architecture deconstructs routers by separating the control entities of a router from its forwarding components, enabling dynamic binding between them. In the SoftRouter architecture, control plane functions are aggregated and implemented on a few smart servers which control forwarding elements that are multiple network hops away. A dynamic binding protocol performs network-wide control plane failovers. Network stability is improved by aggregating and remotely hosting routing protocols, such as OSPF and BGP. This results in faster convergence, lower protocol messages processed, and fewer route changes following a failure. The SoftRouter architecture includes a few smart control entities that manage a large number of forwarding elements to provide greater support for network-wide control. In the SoftRouter architecture, routing protocols operate remotely at a control element and control one or more forwarding elements by downloading the forwarding tables, etc. into the forwarding elements.

Abstract: A distribution and scheduling system for advertisements that targets ads to users and maximizes service-provider revenue without having full knowledge of user-profile information. Each user device stores a user profile and is pre-loaded with a set of ads that could possibly be shown during a timeslot. Each user device selects and displays an ad based on the user profile but does not identify the selected ad to the service provider. Instead, the user devices provide perturbed user-profile information in the form of Boolean vectors, which the service provider uses in conjunction with a guaranteed-approximation online algorithm to estimate the number of users that saw a particular ad. Thus, the service provider can charge advertisers for the number of times their ads are viewed, without knowing the users' profiles or which ads were viewed by individual users, and users can view the targeted ads while maintaining privacy from the service provider.

Abstract: A capability is provided for providing transparent cloud computing with a virtualized network infrastructure. A method for enabling use of a resource of a data center as an extension of a customer network includes receiving, at a forwarding element (FE), a packet intended for a virtual machine hosted at an edge domain of the data center, determining a VLAN ID of the VLAN for the customer network in the edge domain, updating the packet to include the VLAN ID of the VLAN for the customer network in the edge domain, and propagating the updated packet from the FE toward virtual machine. The edge domain supports a plurality of VLANs for a respective plurality of customer networks. The packet includes an identifier of the customer network and a MAC address of the virtual machine. The VLAN ID of the VLAN for the customer network in the edge domain is determined using the identifier of the customer network and the MAC address of the virtual machine.

Abstract: A manner of providing redundancy protection for a data center network that is both reliable and low-cost. In a data center network where the data traffic between numerous access nodes and a network core layer via primary aggregation nodes, an optical network device such as and OLT (optical line terminal) is provided as a backup aggregation node for one or more of the primary aggregation nodes. When a communication path through a primary aggregation node fails, traffic is routed through the optical network device. In a preferred embodiment, a communication link is formed from a plurality of access nodes to a single port of the OLT or other optical network device via an optical splitter that combines upstream transmissions and distributes downstream transmissions. The upstream transmissions from the plurality of access nodes may occur according to an allocation schedule generated when the backup aggregation node is needed.

Abstract: A SoftRouter architecture deconstructs routers by separating the control entities of a router from its forwarding components, enabling dynamic binding between them. In the SoftRouter architecture, control plane functions are aggregated and implemented on a few smart servers which control forwarding elements that are multiple network hops away. A dynamic binding protocol performs network-wide control plane failovers. Network stability is improved by aggregating and remotely hosting routing protocols, such as OSPF and BGP. This results in faster convergence, lower protocol messages processed, and fewer route changes following a failure. The SoftRouter architecture includes a few smart control entities that manage a large number of forwarding elements to provide greater support for network-wide control. In the SoftRouter architecture, routing protocols operate remotely at a control element and control one or more forwarding elements by downloading the forwarding tables, etc. into the forwarding elements.

Abstract: A lightweight probabilistic mechanism used to estimate the number of active flows, which estimate is used to determine the probability of admitting a new flow into the network. In one embodiment, a method for controlling admission of new flows at a node in a network of nodes interconnected by links includes: (a) for each of a plurality of incoming packets arriving at the node, each incoming packet corresponding to an active flow traversing the node: (a1) randomly selecting a packet from an output buffer of the node; (a2) determining whether the incoming packet is from the same active flow as the randomly-selected packet; and (a3) updating an estimate of the number of active flows traversing the node based on the determination of step (a2); and (b) determining whether to admit or drop part or all of a new flow at the node based on the estimated number of active flows traversing the node.

Abstract: A method and apparatus providing improved set membership determination and group membership identification of candidate data elements using a single Bloom filter programmed to provide a plurality of non-zero f-bit binary vectors, where each of the f-bit binary vectors is associated with a respective group. The Bloom filter is programmed using one or more (but not all) of a plurality of hash filter sets.

Abstract: A variable-stride multi-pattern matching apparatus segments patterns and input streams into variable-size blocks according to a modified winnowing algorithm. The variable-stride pattern segments are used to determine the block-symbol alphabet for a variable-stride discrete finite automaton (VS-DFA) that is used for detecting the patterns in the input streams. Applications include network-intrusion detection and protection systems, genome matching, and forensics. The modification of the winnowing algorithm includes using special hash values to determine the position of delimiters of the patterns and input streams. The delimiters mark the beginnings and ends of the segments. In various embodiments, the patterns are segmented into head, core, and tail blocks. The approach provides for memory, memory-bandwidth, and processor-cycle efficient, deterministic, high-speed, line-rate pattern matching.

Abstract: In one embodiment, a scheme for the display of targeted and personalized advertisements in a packet-based media-delivery system, such as an Internet Protocol Television (IPTV) service. An Internet keyword-based advertisement-bidding model is used to place the most-appropriate IPTV advertisements for viewers depending on their interests as determined through the users' Internet activities, while maximizing advertising revenue for the IPTV service provider. One method for scheduling an advertisement for rendering in one or more time slots in packet-based media programming comprises: (a) obtaining at least one keyword from one or more Internet sessions corresponding to at least one user; (b) receiving a plurality of bid amounts corresponding to a plurality of available advertisements for the one or more time slots; and (c) scheduling, based on the at least one keyword and at least one of the bid amounts, the advertisement to be rendered to the at least one user in the one or more time slots.

Abstract: Method and apparatus using incremental linear regression to derive a traffic flow signature indicative of a particular application within a packet stream.

Abstract: In one embodiment, a method for supporting recovery from failure of a node in a network of nodes interconnected by links A set of two or more intermediate nodes (excluding the failed node) between an ingress point and an egress point is selected. Next, based on available bandwidth of the network, a non-zero fraction of the service level to route from the ingress point to each intermediate node is determined. Packets are then routed in two phases by: (1) determining one or more paths from the ingress point to each intermediate node for routing the corresponding fraction of the service level, and (2) determining one or more paths from each intermediate node to the egress point for routing the corresponding fraction of the service level.

Abstract: Packets are processed (e.g., routed or classified) in accordance with a braided trie, which represents the combination of two or more different original tries (e.g., representing different forwarding/classification tables). The different tries are combined by twisting the mappings for specific trie nodes to make the shapes of the different tries more similar. Each node in the braided trie contains a braiding bit for at least one original trie indicating the mapping for that trie's node. Trie braiding can significantly reduce the number of nodes used to represent the different original tries, thereby reducing memory usage and improving scalability. Braided tries can be used for such applications as virtual routers and packet classification in which different forwarding/classification tables are represented by a single braided trie stored in shared memory.

Abstract: A SoftRouter architecture deconstructs routers by separating the control entities of a router from its forwarding components, enabling dynamic binding between them. In the SoftRouter architecture, control plane functions are aggregated and implemented on a few smart servers which control forwarding elements that are multiple network hops away. A dynamic binding protocol performs network-wide control plane failovers. Network stability is improved by aggregating and remotely hosting routing protocols, such as OSPF and BGP. This results in faster convergence, lower protocol messages processed, and fewer route changes following a failure. The SoftRouter architecture includes a few smart control entities that manage a large number of forwarding elements to provide greater support for network-wide control. In the SoftRouter architecture, routing protocols operate remotely at a control element and control one or more forwarding elements by downloading the forwarding tables, etc. into the forwarding elements.

Abstract: A line-rate, real-time-traffic detector classifies a network traffic flow as real-time when it determines the smoothness of the packet arrival rate of the network traffic flow is bounded by an empirically derived bound. In some embodiments, to improve performance, a tighter smoothness bound is applied to the smoothness calculations performed on a first set of packet arrival times, while a looser smoothness bound is applied to a second set of packet arrival times, the second set inclusive of and larger than the first.

Abstract: Congestion in connection-oriented data networks is alleviated by simulating the rerouting of circuits to uncongested parts of the network and then rerouting such circuits in a manner that causes little, or no, disruption to other parts of the network.

Abstract: In one embodiment, a method for supporting recovery from failure of a path in a network of nodes interconnected by links. An intermediate node between an ingress point and an egress point of the network is selected to minimize the sum of (i) a capacity constraint between the ingress point and the intermediate node and (ii) a capacity constraint between the intermediate node and the egress point. The selection identifies two link-disjoint path sets, each comprising a backup path and at least one primary path, with a first path set between the ingress point and the intermediate node, and a second path set between the intermediate node and the egress point. To maximize network throughput, packets are routed in two phases, first to the intermediate node via the first path set in predetermined proportions, and then from the intermediate node to the final destination via the second path set.