Abstract: A network security system implements connectivity policies of a network environment. The network security system may use a network topology mapping to implement connectivity policies, where the network topology mapping includes sets of security zones, security devices, and zone paths between the security zones via the one or more security devices. The network security system can generate a universal representation of a connectivity policy for the network environment using a universal syntax. Using the network topology mapping, the network security system can identify zone paths between the security zones for implementing the connectivity policy. The network security system can configure security devices along the zone paths in accordance with the connectivity policies. Configuring security devices may include converting some or all of the universal representation of the connectivity policy into a device-specific representation in a native syntax of the security device.

Abstract: The present invention provides a cable TV broadband access system with distributed deployment and centralized control, which comprises: a system terminal end, configured to receive and transmit uplink and downlink service data, and receive and respond to access control data and management control data; a system access end, configured to implement data format transformation and data forwarding or processing for said uplink and downlink service data, said access control data and said management control data of said system terminal end, and transmit, receive and respond to management control data of said system access end; a system head end, configured to implement management control and access control for said system access end and said system terminal end, and process, converge and forward said uplink and downlink service data.

Abstract: The system receives a list of one or more name prefixes associated with an original name, wherein the original name corresponds to an original root manifest that indicates a set of original content objects and includes a set of content object hash (COH) values for the indicated set of original content objects, and wherein the original root manifest is registered with a tracking service. Based on a name prefix from the list, the system receives the original root manifest and selects a peer node that stores one or more of the original content objects. The system determines which original content objects are stored at the selected peer node and generates an interest for an original content object, wherein the name for the interest includes the name prefix, and wherein the third interest includes a COH value for an original content object stored at the selected peer node.

Abstract: An object-forwarding device can block a malicious Content Object from being inserted into an Interest's reverse path over a named data network. During operation, the device can receive a Content Object via a first interface, and can perform a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object. The device then determines, from the PIT entry, an egress interface used to forward the Interest. If the device determines that the egress interface of the PIT entry matches the first interface for the Content Object, the device forwards the Content Object via a return interface specified in the PIT entry. On the other hand, if the egress interface of the PIT entry does not match the first interface for the Content Object, the device can block the Content Object.

Abstract: One embodiment provides a system that facilitates forwarding of packets with variable length names. During operation, the system receives a packet with a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level. The system performs a longest prefix match lookup by selecting an entry from a first data structure of entries. The entries indicate a name component, forwarding information for the name component, and a plurality of entry identifiers that chain an entry to another entry. If a size of the name component is less than or equal to a predetermined threshold, the system selects an entry based on the name component. If the size is greater, the system selects an entry based on a compressed key which can be a hash of the name component. The system also resolves collisions associated with the selected entry.

Abstract: One embodiment provides a system that facilitates a content requesting device to handle a potential timeout event. During operation, the system receives, by a content producing device, a packet that corresponds to a first Interest message from a content requesting device, where the first Interest includes a name. Responsive to determining that additional time is required to generate a matching Content Object for the first Interest, the system generates a notification message which indicates a time period after which a second Interest is to be sent out by the content requesting device. The name for the second Interest can be the same as the name for the first Interest or a new name as indicated in the notification message. The system transmits the notification message to the content requesting device, thereby facilitating the content requesting device to handle a potential timeout event.

Abstract: One embodiment of the present invention provides a system for ranking content popularity in a content-centric network (CCN) content cache. During operation, the system receives an interest in a piece of content stored in the content cache, services the interest by accessing the piece of content, updates a service rate associated with the piece of content, updates system-wide service rate statistics, and determines a popularity level associated with the piece of content based on the updated service rate and the updated system-wide service rate statistics.

Abstract: One embodiment of the present invention provides a system for delivering a content piece over a network using a set of reconstructable objects. During operation, the system obtains a metadata file that includes a set of rules; generates the set of reconstructable objects for the content piece based on the set of rules included in the metadata file; cryptographically signs the set of reconstructable objects to obtain a set of signed reconstructable objects; and delivers, over the network, the set of signed reconstructable objects along with the metadata file to a recipient, thereby enabling the recipient to extract and store a copy of the content piece and then to reconstruct the set of signed reconstructable objects from the stored copy of the content piece and the metadata file.

Abstract: An object-forwarding device can block a malicious Content Object from being inserted into an Interest's reverse path over a named data network. During operation, the device can receive a Content Object via a first interface, and can perform a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object. The device then determines, from the PIT entry, an egress interface used to forward the Interest. If the device determines that the egress interface of the PIT entry matches the first interface for the Content Object, the device forwards the Content Object via a return interface specified in the PIT entry. On the other hand, if the egress interface of the PIT entry does not match the first interface for the Content Object, the device can block the Content Object.

Abstract: The system receives a list of one or more name prefixes associated with an original name, wherein the original name corresponds to an original root manifest that indicates a set of original content objects and includes a set of content object hash (COH) values for the indicated set of original content objects, and wherein the original root manifest is registered with a tracking service. Based on a name prefix from the list, the system receives the original root manifest and selects a peer node that stores one or more of the original content objects. The system determines which original content objects are stored at the selected peer node and generates an interest for an original content object, wherein the name for the interest includes the name prefix, and wherein the third interest includes a COH value for an original content object stored at the selected peer node.

Abstract: One embodiment provides a system that facilitates forwarding of packets with variable length names. During operation, the system receives a packet with a hierarchically structured variable length identifier (HSVLI) which comprises contiguous name components ordered from a most general level to a most specific level. The system performs a longest prefix match lookup by selecting an entry from a first data structure of entries. The entries indicate a name component, forwarding information for the name component, and a plurality of entry identifiers that chain an entry to another entry. If a size of the name component is less than or equal to a predetermined threshold, the system selects an entry based on the name component. If the size is greater, the system selects an entry based on a compressed key which can be a hash of the name component. The system also resolves collisions associated with the selected entry.

Abstract: One embodiment provides a system that facilitates a content requesting device to handle a potential timeout event. During operation, the system receives, by a content producing device, a packet that corresponds to a first Interest message from a content requesting device, where the first Interest includes a name. Responsive to determining that additional time is required to generate a matching Content Object for the first Interest, the system generates a notification message which indicates a time period after which a second Interest is to be sent out by the content requesting device. The name for the second Interest can be the same as the name for the first Interest or a new name as indicated in the notification message. The system transmits the notification message to the content requesting device, thereby facilitating the content requesting device to handle a potential timeout event.

Abstract: Apparatus, methods and logic for vehicles to determine vehicle to vehicle (V2V) safety message transmission rates for transmitting V2V safety messages based on how frequently the vehicles actually need to exchange safety messages, including factors such as vehicle velocities, distances among vehicles, and on how quickly the inter-vehicle distances are closing up. The determined V2V safety message transmission rates are selectively dynamically adjusted in accordance with detected significant changes in one or more of the inter-vehicle distances or inter-vehicle speeds. To avoid needless frequent changes to the transmission rate, statistical modeling techniques including hypothesis testing and sequential change detection are selectively used to more accurately detect significant changes in inter-vehicle distances or inter-vehicle speeds that warrant a change to the message transmission rate.

Abstract: The trustworthiness of vehicle-to-vehicle (V2V) messages received from one or more associated vehicles in the vicinity of a subject vehicle is determined autonomously by a false signal detection system of the subject vehicle. Physical evidence relating to the associated vehicles is collected, and a statistical model is used to perform an analysis of the collected data. A V2V message is received by the system from a first one of the associated vehicles and a trustworthiness level of the message is determined in accordance with a correlation between the received V2V message and the result of the analyzed physical data relating to the first associated vehicle. The correlation may be a comparison of data contained in the received V2V message relative to a result of a stochastic analysis of the physical data. The received V2V message may be any V2V safety message including Emergency Electronic Brake Light (EEBL) messages.

Abstract: A filter in a DOCSIS bridge performs IP Filtering of incoming Ethernet packets in hardware. The filter includes a parser circuit which, in hardware, parses each of the incoming Ethernet packets and then utilizes the parsed information in combination with a content-addressable memory (CAM) that stores filtering information, to filter and route the incoming Ethernet packets. Detailed statistical data may also be generated to provide information on the type of filtering being performed by the DOCSIS bridge.

Abstract: A load balancer or other network device in a server farm acts as a web services proxy and performs service orchestration among servers and other resources within the server farm. The load balancer receives an initial service request from a client and is able to optimize orchestration by assigning component operations of the service to multiple different servers. In this manner, a one-to-many allocation of resources can be mapped whereby a single client service request can result in multiple physical servers or other devices, processes or resources being used to handle the service request while maintaining a single back-end flow per multiple transactions.

Abstract: A method and an apparatus for the identification of the mode of a telephony device in a network are provided. A call initiation signal is received from a mode-identifying telephony device. The call initiation signal is used to communicate with a mode-selecting telephony device. Thereafter, the mode at the mode-selecting telephony device is detected and an answer mode signal, including the information regarding the answering mode of the mode-selecting telephony device, is sent to the mode-identifying telephony device.

Abstract: A cable has an integrated cable management system for organizing multiple cables. The body of the cable has a first mating surface with a first interlocking element disposed thereon and a second mating surface with a second interlocking element disposed thereon the second mating surface, where the first interlocking element is configured as a complementary interlocking element for the second interlocking element, so that multiple cables may be joined without the use of additional cable-organizing devices. The first interlocking element may include at least one coupling recess formed in the first mating surface and configured to engage with an interlocking element having the same configuration as the second interlocking element.