Patents Represented by Attorney Patent Capital Group
  • Patent number: 7899166
    Abstract: A service selection gateway (SSG) which permits multiple access quotas associated with a pre-paid service accessed by a user. For example, the user's access may be terminated if the usage exceeds a specified time or volume of data transferred (examples of access quotas). According to another aspect, access of a service is permitted based on different tariffs. Thus, a user may be charged differently depending on the applicable tariff. In an embodiment implemented in the context of pre-paid tariffs, multiple access quotas may be received associated with the same resource, and each quota may be computed according to a corresponding tariff.
    Type: Grant
    Filed: April 18, 2003
    Date of Patent: March 1, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Vinodh Kumar Ravindranath, Kotha Subba Rama Chandra Murty, Navneet Agarwal, Marco Cesare Centemeri, Amit S. Phadnis
  • Patent number: 7895648
    Abstract: An end machine (connected to one end of a secure connection) may reliably continue to use the security association (SA) even if the self_address (usually the address of the interface) of the end machine changes. The end machine includes the new IP address in the payload of a packet (e.g., an address update message) sent to another end machine at the other end of the connection. The payload can be encrypted and authenticated to avoid third party attacks. As a result, connectivity can be restored for user applications reliably and quickly without requiring substantial computations and/or data exchanges.
    Type: Grant
    Filed: March 1, 2004
    Date of Patent: February 22, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Kousik Nandy, Manikchand Roopchand Bafna, Pratima Pramod Sethi
  • Patent number: 7895573
    Abstract: A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.
    Type: Grant
    Filed: March 27, 2006
    Date of Patent: February 22, 2011
    Assignee: McAfee, Inc.
    Inventors: Rishi Bhargava, E. John Sebes
  • Patent number: 7889655
    Abstract: Techniques for detecting loops in routes that cross route information boundaries include receiving a control message at a first edge node on one side of the boundary that is connected to a different second edge node on another side of the boundary. The control message indicates a particular network address of a particular node that is reachable from the first edge node. Distinguisher data is determined that indicates if a node in the first collection can reach the first edge node without leaving the first collection. An advertising message is sent from the first edge node to the second edge node that includes route data that indicates the particular network address and the distinguisher data. Based on the distinguisher data, a testing edge node in the first collection can determine whether there is a loop comprising both an internal path and an external path to the first edge node.
    Type: Grant
    Filed: January 17, 2006
    Date of Patent: February 15, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Alvaro Retana, Russell White, Abhay Roy, Sina Mirtorabi
  • Patent number: 7890636
    Abstract: In one embodiment, a network application may offload stateful operations to a user-plane application. In one embodiment, the network application receives state information for a user device. The network application then sends the state information to a user-plane application, which can maintain the state information. The network application may then offload a stateful operation to the user-plane application. For example, the network application may have the user-plane application perform stateful operations. Also, the network application may use the state information maintained at the user-plane application for error recovery after the network application fails. For example, the network application may recover the state information from the user-plane application after failure.
    Type: Grant
    Filed: June 28, 2006
    Date of Patent: February 15, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Grayson, Jayaraman Iyer
  • Patent number: 7886033
    Abstract: A tool for managing a network of interconnected devices. The tool may provide a user with an interface that allows the user to view the type and status of each network device (that is, each device connected to the network), and even the status of the network itself. The tool may alternately or additionally provide a user with services related to the network, such as allowing a user to perform one or more tasks associated with devices in the network.
    Type: Grant
    Filed: August 25, 2006
    Date of Patent: February 8, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Alex Hopmann, Brett Marl, Ashley Colin Yakeley, Nick Holt, Joel Hynoski, Steven Bush, Matthew Tebbs
  • Patent number: 7873736
    Abstract: A network access server (NAS) determines the status of availability (e.g., how much more quota is unused) of an access resource, and sends a notification embedded in a point-to-point protocol (PPP) packet. The format of the packet is chosen such that definition/use of higher layers (e.g., HTTP) is not required to communicate the status to a client system. As a result, the user may be notified even if software such as web browser is not being executed on the client system.
    Type: Grant
    Filed: March 21, 2003
    Date of Patent: January 18, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Aseem Sethi, Pranav Kumar Tiwari
  • Patent number: 7873955
    Abstract: System and method for solidifying (or “freezing”) the set of software and configuration data available for execution on a computer. Any additional software installed on the computer after the solidification process will not execute, regardless of whether the installation is initiated or otherwise performed by a person with administrative privilege. The ability to allow new or modified software to execute on the computer rests with an integrity server separate from and outside of the solidified computer. The solidification of software and configuration data proceeds on a level of granularity selectable by the integrity server and any operators thereof.
    Type: Grant
    Filed: September 7, 2004
    Date of Patent: January 18, 2011
    Assignee: McAfee, Inc.
    Inventor: E. John Sebes
  • Patent number: 7870387
    Abstract: Techniques which allow definition and enforcement of program-based action authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the program file indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.
    Type: Grant
    Filed: April 7, 2006
    Date of Patent: January 11, 2011
    Assignee: McAfee, Inc.
    Inventors: Rishi Bhargava, E. John Sebes
  • Patent number: 7865938
    Abstract: A system and method for securing data in mobile devices (104) includes a computing node (102) and a plurality of mobile devices (104). A node security program (202) executed in the computing node (102) interfaces with a device security program (204) executed at a mobile device (104). The computing node (102) is responsible for managing the security based on a node security profile (208) interpreted by a node security program (202) executed in the computing node (102). A device discovery method and arrangement (106) also detects and locates various information (120) about the mobile devices (104) based on a scan profile (206).
    Type: Grant
    Filed: May 26, 2006
    Date of Patent: January 4, 2011
    Assignee: McAfee, Inc.
    Inventor: Majid Shahbazi
  • Patent number: 7864785
    Abstract: A method and apparatus create a bundle of soft permanent virtual circuits (SPVCs) coupling from a source end to a destination end via a communications network. The SPVC bundle includes a plurality of member SPVCs, each member SPVC including a permanent virtual circuit (PVC) and a switched virtual circuit (SVC). The SPVC bundle creation includes (a) creating the SPVC bundle for the source end, each of the member SPVCs being associated with a respective connection characteristic and coupling to the same destination, and (b) transmitting, from the source end to the destination end, an SPVC setup message containing configuration information of the SPVC bundle. The SPVC bundle creation may further include automatically creating, at the destination end, in response to the SPVC setup message, the SPVC bundle for the destination end in accordance with the configuration information.
    Type: Grant
    Filed: October 31, 2003
    Date of Patent: January 4, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Aravind Sitaraman, Sandesh K. Rao, Karthik Dakshinamoorthy
  • Patent number: 7865410
    Abstract: A method and apparatus for providing an aggregated account metering system to a computer network service provider resulting in comprehensive detailed subscriber accounting records. Accounting start-stop event data is retrieved from accounting servers. The accounting records are parsed to a first adapter where they are then published on an active information bus. Network flow data is collected from routers throughout the packet switch network environment by network flow collectors. The collectors serve to aggregate and, optionally, filter the flow data. The network flow data is parsed to a second adapter where it is then published on an active information bus. An integrating accounting adapter subscribes to and collects accounting event data and network flow data and correlates this data into a detailed call record that is formatted as desired.
    Type: Grant
    Filed: August 12, 2003
    Date of Patent: January 4, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Sunil Kumar Chandrupatla, Aravind Sitaraman, Leslie Alan Thomas
  • Patent number: 7864771
    Abstract: In one embodiment, a method includes receiving, at a local node of a network, a sequenced data packet of a flow made up of multiple sequenced data packets from a source node directed toward a destination node. The flow is to be parsed by the local node to describe the flow for administration of the network. Based on sequence data in the sequenced data packet, it is determined whether the sequenced data packet is out of order in the flow. If it is determined that the sequenced data packet is out of order, then the sequenced data packet is forwarded toward the destination node before parsing the sequenced data packet. The out of order sequenced data packet is also stored for subsequent parsing at the local node.
    Type: Grant
    Filed: April 20, 2007
    Date of Patent: January 4, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Humberto Tavares, Christopher C. O'Rourke, Robert Batz, Walter Dixon, Robert Mackie
  • Patent number: 7860889
    Abstract: A method for a computer system includes receiving an identifier from a user, initiating a user session in response to the identifier, determining a social map for the user in response to the identifier and in response to a plurality of social network relationships, receiving a first change to the plurality of social network relationships from the user, receiving a second change to the plurality of network relationships from another user, determining a revised social map for the user during the user session in response to receiving the first change, but not in response to receiving the second change, wherein the revised social map for the user reflects the first change and the second change, and storing the revised social map for the user during the user session in a cache.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: December 28, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Paul J. Martino, Chris Vale, Kristopher C. Wehner
  • Patent number: 7856661
    Abstract: A method and system for the classification of software in networked systems, includes: determining a software received by a sensor is attempting to execute on a computer system of the sensor; classifying the software as authorized or unauthorized to execute, and gathering information on the software by the sensor if the software is classified as unauthorized to execute. The sensor sends the information on the software to one or more actuators, which determine whether or not to act on one or more targets based on the information. If so, then the actuator sends a directive to the target(s). The target(s) updates its responses according to the directive. The classification of the software is definitive and is not based on heuristics or rules or policies and without any need to rely on any a priori information about the software.
    Type: Grant
    Filed: July 14, 2005
    Date of Patent: December 21, 2010
    Assignee: McAfee, Inc.
    Inventors: E. John Sebes, Rishi Bhargava
  • Patent number: 7856449
    Abstract: A computer system includes a database configured to store a plurality of social network relationships, a graphing system coupled to a database, wherein the graphing system includes a processor and random access memory, wherein the random access memory is configured to store at least a portion of the plurality of social network relationships from the database, wherein the processor is configured to determine a social map for a user in response to at least the portion of the plurality of social network relationships in the random access memory, and wherein the random access memory is configured to store the social map for the user, and a server coupled to the database and the graphing system, wherein the server is configured to receive an indication of the user, and wherein the server is configured to provide the indication of the user to the graphing system.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: December 21, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Paul J. Martino, Chris Vale, Kristopher C. Wehner
  • Patent number: 7853708
    Abstract: Techniques for providing remote access to a service provider network include exchanging multiple Dynamic Host Configuration Protocol (DHCP) formatted messages instead of any Point to Point Protocol (PPP) message to provide all PPP functions for accessing a service provider network from a customer node. The service provider network is on provider premises and the customer node is on customer premises different from the provider premises. The DHCP format is used to exchange authentication messages, user profile data on Authentication, Authorization and Accounting (AAA) servers, or session keep-alive echo messages, alone or in some combination. When all message types are combined, these techniques provide a remote access server (RAS) with the capability to perform all functions presently provided by PPP processes. In some combinations, these techniques allow a modified DHCP server to replace a legacy AAA server.
    Type: Grant
    Filed: February 25, 2006
    Date of Patent: December 14, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: William Mark Townsley, Vincent John Mammoliti, Ralph Droms, Wojciech Dec, Richard Pruss
  • Patent number: 7853829
    Abstract: A system for diagnosing the configuration and use of devices in an interconnected network. The system may be used to analyze a network and/or discrete network devices, and then suggest steps that a user may take to improve the performance or usability of the network and/or device.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: December 14, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Lauren Younger, Caleb Jones, Greg Vandenberg, John-Anthony Owens
  • Patent number: D628175
    Type: Grant
    Filed: March 21, 2010
    Date of Patent: November 30, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Ashok T. Desai, Santiago Prieto, Juli A. Satoh, John P. Stoddard, Richard T. Wales, Martin Zabaleta
  • Patent number: D628968
    Type: Grant
    Filed: March 21, 2010
    Date of Patent: December 14, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Ashok T. Desai, Steven J. Shiozaki, Richard T. Wales