Abstract: A method is disclosed for enabling stateless server-based pre-shared secrets. Based on a local key that is not known to a client, a server encrypts the client's state information. The client's state information may include, for example, the client's authentication credentials, the client's authorization characteristics, and a shared secret key that the client uses to derive session keys. By any of a variety of mechanisms, the encrypted client state information is provided to the client. The server may free memory that stored the client's state information. When the server needs the client's state information, the client sends, to the server, the encrypted state information that the client stored. The server decrypts the client state information using the local key. Because each client stores that client's own state information in encrypted form, the server does not need to store any client's state information permanently.

Abstract: Techniques are described for identifying one or more “interest twins” of a user. An interest twin of a user in another user that has demonstrated interests in items that are the same as or similar to the items in which the user has demonstrated an interest. Various techniques are described for reducing the overhead in interest twin determination operations. Once the interest twins for a user have been identified, the knowledge of the interest twins may be used in a variety of ways to enhance to experience of the user. For example, a mechanism may be provided which allows the user to see a list of items in which the user's interest twins have indicated an interest.

Abstract: A method and apparatus for providing access to resources of a network device is provided. A user instructs a network device to generate a user password that is concealed from the user of the network device. The network device generates the user password based on, at least in part, public input provided by the user, and an algorithm which is concealed from the user, but known to a support service provider. The user communicates the public input to the support service provider. The support service provider uses the public input to generate a provider password based on, at least in part, the algorithm. The support service provider may access the network device via a network by providing the provider password to the network device. If the provider password matches the user password generated, then the support service provider is granted access to resources of the network device.

Abstract: A system includes a control source that is provided on a server and control logic that executes on a terminal. The control logic executes on a terminal to (i) identify a plurality of attributes on the terminal, the attributes including an identifier for each of a plurality of terminal assets that include one or more of a hardware fixture, firmware, or operating system; and (ii) generate signature data from the plurality of attributes. The control source is configured to make a determination from the signature data as to whether the terminal is known or unknown.

Abstract: Techniques are provided for automatically creating style sheet animations including keyframe information. In some embodiments, a style sheet animation creation tool with a timeline-based interface is provided. By interacting with the user-interface, the user can select a point on a timeline for an animation object to add a keyframe to an animation of the animation object. In response to the user's selection of the keyframe time point, the style sheet animation creation tool displays an interactive keyframe indicator on the timeline to indicate the selected time point. With the style sheet animation creation tool, a user can generate a style sheet animation without having to author style sheet language text statements by hand.

Abstract: Approaches described herein may be used for provisioning of databases that requires a bulk transfer of data within a distributed computing environment, such as a grid. The approaches do not require the manual intervention of a DBA to, for example, transfer a tablespace between the file systems of operating systems. Instead, the tablespaces may be provisioned automatically and dynamically by a grid computing system whenever it determines the need to dynamically provision a database. In addition, as copies of tablespaces are provisioned, synchronization mechanisms can also be automatically provisioned to keep the tablespaces and their copies in sync.

Abstract: A modular repository is described, where operational features may be implemented without the need to scan every resource included in the modular repository. A modular repository includes a dedicated set of database objects containing all information needed to access the resources in the repository. For example, the database objects of a modular repository may include those user identifier mappings and ACL mappings, etc., to which metadata in the modular repository refers. A database system may also include a mechanism through which a modular repository may be mounted under a subdirectory of a common directory in the database system. The resources of a modular repository that are mounted under the common directory may be accessed through the common directory. Further, a client may query the resources of any modular repository mounted under the common directory by making the federated repository, represented by the common directory, the context of the query.

Abstract: The approaches described herein provide an efficient way for a database server to process certain kinds of queries over XML data stored in an object-relational database that require the evaluation of a predicate expression with one or more path-based operands. A predicate expression part of a XQuery or SQL WHERE clause that returns a boolean value. A database server first determines whether the query qualifies for this particular kind of optimization, then rewrites the query using an enhanced query operator syntax for specifying the predicate expression to be evaluated. The enhanced query operator subsumes the work of a second path-based query operator, resulting in the suppression of the WHERE EXISTS subquery. The rewritten query operator is used to generate a query execution plan that provides for several query execution optimizations.

Abstract: A method and apparatus are provided for determining that problems have occurred within a complex multi-host system and for identifying for each problem, sequences of causes and effects called a fault cause path, starting with a root cause. A probabilistic model representing the cause/effect relationships among potential system problems identifies the probability that a problem occurred in the system. Such failure probabilities may be determined based on aggregating, over a recent time interval, probability of failure values determined by the probabilistic model. Each fault cause path may have an associated probability of accuracy value reflecting the expected accuracy of the fault cause path relative to other fault cause paths. When more than one fault cause path is identified, the number and order of the fault cause paths may be ranked and displayed based on their probability of accuracy value.

Abstract: Generating a binding between a source address and one or more roles of a user accessing the network and distributing the binding to a filter node. The source address is currently assigned to the device. The binding may be generated by one or more nodes on an ingress path used during authentication of the user. The binding may be distributed to the filter node on demand or without any request from the filter node. Responsive to a determination that the user is associated with a new source address, a new binding is generated to associate a new source address with the one or more roles for the user. The new binding is distributed to the filter node. Another aspect is a method of enforcing a role based security policy at a filter node, using bindings of source addresses to roles.

Abstract: A method and apparatus for self-monitoring to identify an occurrence of a threshold and rebooting in response to the occurrence of the threshold is provided. In an embodiment, a data processing apparatus comprises one or more processors; logic coupled to the one or more processors and comprising one or more stored sequences of instructions which, when executed by one or more processors, cause the one or more processors to obtain a threshold associated with the apparatus; self-monitor the apparatus to identify an occurrence of the threshold; and self-reboot the apparatus responsive to the occurrence of the threshold.

Abstract: A method for processing queries is provided. A database server receives and executes a query to generate a relation. The query comprises first one or more clauses and a model clause. The model clause comprises a rule that has a left-side expression and a right-side expression. In one embodiment, the right-side expression of the rule includes a window function, which specifies one or more partition columns. In an embodiment, the left-side expression comprises a for-loop predicate. The for-loop predicate is unfolded after the database server compiles the query. In one embodiment, the left-side expression of the rule comprises one or more existential predicates, where each existential predicate evaluates to a Boolean value.

Abstract: A checkpointing approach enables BGP peers to reduce the number of UPDATE messages that are exchanged and processed after a router restarts and to pause and suspend BGP sessions when mobile nodes leave a BGP domain. In an embodiment, a router is configured for receiving a BGP pause message from a mobile node; suspending interaction with the mobile node using BGP, including suspension of expiration of BGP sessions for lack of keepalive messages; receiving a BGP resume message from the mobile node, wherein the resume message comprises a checkpoint marker that identifies a last route update that the mobile node received before the suspending; resuming interaction with the mobile node using BGP; and determining and sending to the mobile node all BGP routes that originated after the checkpoint marker.

Abstract: Techniques for secure communication in a tunnel-less VPN are provided. A key server generates and provides, to each VPN gateway, different, yet mathematically-related keying material. A VPN gateway receives distinct keying material for each designated address block (e.g., subnet) behind the VPN gateway. In response to receiving a packet from one a source host whose address falls within one of the designated address blocks, the VPN gateway identifies the appropriate keying material. The VPN gateway determines an identifier for the address block that includes the destination address. The identifier and the identified keying material are used to generate a key. The VPN gateway encrypts the packet with the key and forwards the encrypted packet to the destination host.

Abstract: Techniques for implementing a scalable DOM and a pluggable DOM are provided. A scalable DOM implementation manages a DOM tree in memory to free unreferenced nodes, avoid generating nodes unnecessarily, and avoid storing multiple versions of the same data on disk. A pluggable DOM implementation includes an abstract interface that is defined between the API layer and the data layer of a DOM implementation. An implementation of the abstract interface is defined for each data source that is plugged in to the pluggable DOM implementation and that stores XML data in a different format.

Abstract: The present invention generally relates to computer software, and more specifically, to a computerized utility for analysis of optimized program files. A method and apparatus for optimized program analysis is disclosed.

Abstract: An apparatus for offloading network, block and file functions from an operating system comprises a network interface coupled to a network for receiving packet flows; one or more processors each having one or more processor cores; a computer-readable medium carrying one or more operating systems and an input/output networking stack which are hosted in one or more of the processor cores. The networking stack is shared among the operating systems. The networking stack comprises instructions which when executed cause receiving a request for data transfer from one of the operating systems at internal network, block and file system interfaces, and permitting data to be transferred between the internal interfaces and a plurality of external interfaces by preventing the operating systems from performing the data transfer and performing the data transfer on behalf of the operating systems.

Abstract: An envelope for conveying an item from a sender to a recipient and back with a window and unique identifying indicia. The envelope comprises a base panel with a window, a sender address panel, and a recipient address panel. The sender address panel is affixed to the base panel by an adhesive region, which defines a pocket sized to accept an item. The adhesive region extends laterally on the base panel to ensure that a postal cancellation is not applied to an area overlying the item. The recipient address panel is joined to the base panel by a detachable joint. A fragile item may be conveyed from the sender to the recipient and back without damage to the item. The base panel includes indicia that uniquely identify the envelope among a plurality of envelopes. Reading the indicia assists in resolving inventory problems, for example, when unknown items are returned.

Abstract: A network device is allowed to transmit only authentication protocol traffic and no other traffic on an interface that is coupled to a port using port-based authentication until after authentication succeeds. If the network device is using a switch port that does not have authentication enabled, or if an authentication protocol client in the network device is disabled, then the device bypasses a delay and test process, which is otherwise used to allow the authentication to succeed before other packets are sent from the device.

Abstract: An image enhancement circuit (26, 60, 190, 260) includes an input interface (64, 262), which is operative to accept a stream of input pixel values belonging to pixels (32) of an input image. The input image includes a plurality of different input sub-images including respective subsets of the pixels, such that the input pixel values of the pixels in the different input sub-images are interleaved in the stream. A plurality of filter cells (92, 144, 206, 222, 238, 364) are connected in a two-dimensional array configuration and are arranged to separately filter the input pixel values of each of the input sub-images with respective two-dimensional deconvolution kernels so as produce respective output sub-images that include output pixel values. A multiplexer (88, 332) is coupled to multiplex together the output pixel values of the output sub-images so as to produce a filtered output image.