Abstract: Described are techniques used in defining and maintaining group data used by multiple host systems. Group data is stored in a distributed fashion on one or more data storage systems. If a device of a data storage system belongs to a group, group data for that group is stored on that data storage system. Group data changes made by one host are communicated to the other hosts by accessing a common data area on each data storage system using a daemon executing on each host. Remotely mirrored groups may be defined on a remote data storage system. A remote mirror of a group includes group data modified in accordance with a point of view of the remote data storage system and a remote host.

Abstract: A method and system for leaking routes between routing engines in a communication network. The method and system includes a route distribution service that receives and stores routing information from one or more exporting routers. The stored routing information includes the identity of one or more shared routes and may also include related route exportation criteria such as restrictions on which importing routers may receive shared routes. The route distribution service receives from one or more importing routers a request for one or more shared routes and provides one or more shared routes to the importing router. Importing routers can register with the service in order to receive shared routes or be notified when shared routes become available.

Abstract: One embodiment of the present invention provides a system for identifying undesirable features in a network of computers. During operation, the system detects an anomaly associated with a node in the network. Next, the system identifies one or more features which are associated with the anomaly. The system then updates the identified features. Next, the system communicates the information corresponding to updated features to at least one other node in the network. The system then receives information indicating a correlation between the updated features and the anomaly from at least one other node in the network. Next, the system correlates the updated features with the anomaly based on the received information. The system subsequently produces a result which indicates a correlation between the updated features and the anomaly.

Abstract: A computer or microchip including one or more microprocessors or processing units, at least one network communication component, and an internal hardware firewall. located on a microchip and configured to separate a protected side of the computer or microchip from an unprotected side of the computer or microchip, the unprotected side being configured to connect to a network. The hardware protected side of the computer or microchip includes at least one microprocessor or processing unit. The unprotected network side of the computer or microchip is located between the internal hardware firewall and the network and includes the at least one unprotected microprocessors or processing units and network communications components. The unprotected microprocessors or processing units and network communications components are separate components and both are separate from the internal hardware firewall. The computer or microchip can be actively configured, including using microchips with field programmable gate arrays.

Abstract: A method is provided for performing control functions in a secure network where security prohibits the transmission of control information beyond secure networks and/or their associated systems. A method is provided for permitting proxy servers to communicate within full DBRA schemes without compromising security. According to various embodiments, methods for IPsec communication are provided that permit systems to move information across secure gateways. In one embodiment, IPsec communication and full DBRA bandwidth/QoS control is provided without compromising security. Although various aspects relate to satellite networks, it should be appreciated that aspects relate to other types of secure networks.

Abstract: A traffic generator is disclosed which generates a first type of traffic in accordance with a given distribution, and generates a second type of traffic that includes at least one traffic burst. The traffic burst is generated based at least in part on an amount of the first type of traffic generated over one or more time intervals. For example, in an illustrative embodiment, generation of the second type of traffic involves accumulating traffic over one or more of the time intervals for which the first type of traffic is generated, and generating the traffic burst based at least in part on the accumulated traffic.

Abstract: Systems, methods and apparatus for a distributed security that monitors communications to identify access attempts to/from darknet addresses. Such attempts can be inferred to be associated with malicious activity and a notification or other corrective action can be provided identifying such potentially malicious activity.

Abstract: A method and system for detecting and managing potential malware utilizes a preliminary signature to scan content and detect potential malware content based upon characteristics that match the preliminary signature. The detected content is detained for a predetermined period of time. If an updated signature is not received, the detained content may be purged, released or quarantined, based upon predetermined content policy. If an updated signature is received, the detained content is released from detention and rescanned with the updated signature. The content is then treated in accordance with the content policy, and again, can be purged, released, or quarantined.

Abstract: A method and apparatus to associate incoming emails to a customer relationship management (CRM) object is disclosed. The method may include creating a user configurable tracking token that relates an email to a CRM object, attaching the tracking token to an outgoing email, sending the outgoing email to recipients, receiving an incoming email, determining whether the incoming email has a tracking token and if the incoming email has a tracking token, associating the incoming email with the matching CRM object.

Abstract: According to one embodiment, a secure e-mail messaging system includes an e-mail relay server coupled to a secure client configured on a secure domain and an external client configured on an external domain. The e-mail relay server has a memory for storage of an actual address of the secure client, a first certificate associated with the actual address, an alias address associated with the actual address, and a second certificate associated with the alias address. The e-mail relay server receives an e-mail message that includes the alias address from the external client and decrypts the e-mail message according to the second certificate. The e-mail messaging server then replaces the alias address with the actual address to form a modified e-mail message, encrypts the modified e-mail message according to the first certificate, and transmits the modified e-mail message to the secure client.

Abstract: A block cipher ARIA substitution apparatus, the apparatus includes a first Sbox operation unit for performing operations of a substitution box S1 and a substitution box S1?1; a second Sbox operation unit for performing operations of a substitution box S2 and a substitution box S2?1; and a control unit for determining modes of the first Sbox operation unit and the second Sbox operation unit. The first Sbox operation unit has a first inverse affine transformation unit for performing an inverse affine operation for obtaining S1?1; a finite field inverse element operation unit for computing an inverse element of GF(28) or a result value of the first inverse affine transformation unit; a first affine transformation unit for performing an affine operation for obtaining S1; and a first and a second multiplexer.

Abstract: An electronic device and a method implemented within the electronic device for disambiguating email recipient fields by extracting sufficient information from the domain portion of an intended recipient's email address to disambiguate between a personal and a business email address. An exemplary method includes parsing at least one of said multiple addresses in a recipient field of the email to extract information capable of distinguishing the at least one of said multiple addresses from at least another of the multiple addresses, and displaying the information in the recipient field of the email.

Abstract: A system and method for performing various operations on group policy objects, by manipulating group policy objects as a single entity to perform backup, restore, import and copy operations. The backup operation transfers the various subparts of a selected group policy object to a file system. A restore operation restores a backed-up group policy object to its domain, in the same state as when the backup was performed. An import operation transfers the settings within a backed-up source group policy object to a destination group policy object, erasing its previous settings. A copy operation transfers the settings from a source group policy object to a new group policy object. Copy and import operations can be cross-domain, and a migration table can be used to convert security group and UNC pathnames as appropriate for the destination domain. Backup management, rollback of incomplete operations, and support for application deployment are also provided.

Abstract: Systems and methods are described for improved authentication of subscribers wishing to connect to a wireless network using the EAP-AKA protocol. Embodiments exploit the requirement that the client store and transmit the Pseudonym and Fast Re-authentication Identities upon request. By using the Fast Re-authentication Identity to store session state key information, the need for the AAA server to store and replicate the EAP-AKA key information for every session is eliminated.

Abstract: A location tracking system for building a geographic location database of network nodes in a computer network includes a trace engine module configured to send trace Id commands to a plurality of user terminals. The user terminals are actively coupled to a server node so that the trace engine module is able to obtain IP address of each of the user terminals and its corresponding geographic location. A first database is configured to store IP addresses obtained by the trace engine module and their corresponding geographical locations. A second database is configured to store a set of physical connections between IP addresses obtained by the trace engine module. The system can then determine the geographical location of end user terminals who employ the database as previously populated.

Abstract: A system for managing an instant messaging conversation in a persistent context is provided. The system has an archiving feature for convenient access to the conversation, even after the conversation has ceased.

Abstract: In one embodiment, a method includes receiving a request from a processing device to send a widget to a handheld mobile device. The request can be defined after at least a portion of an instance of the widget has been processed at the processing device. The request can be associated with a widget identifier. The method can also include defining a widget precursor at a widget-sharing server in response to the request from the processing device. The widget precursor can be associated with the widget identifier and a placement identifier.

Abstract: A method is provided to allow for encryption keys to be safely vaulted and for restarts after system failures, even when an external key server is not accessible. In one embodiment, the encryption keys are stored in memory in an encrypted format, the encryption keys being encrypted with a key encryption key (KEK). The data stored in a write cache may be encrypted and written to a vault, protecting it from unauthorized access, but the key table may be written directly to the data vault without need for any further encryption. Because the encryption keys are themselves encrypted, the encryption keys are protected from unauthorized access, ensuring the security of all the encrypted data stored on disk. This embodiment allows the data storage system to be restarted without accessing an external key server. In another embodiment, the KEK is stored in persistent storage within the data storage system, allowing for unattended restart. To enhance security, the KEK may be stored in ROM in a hardened location.

Abstract: An exemplary method involves creating a master session over a first connection through a server; and creating a virtual channel over the connection, the virtual channel operable to communicate a feature session. The method may involve establishing a direct connection that bypasses the server, and switching communication of the feature session to the direct connection. A system for network communication includes a plurality of transport bridges, each transport bridge corresponding to an active network device configuration, and a switching module operable to choose one of the transport bridges to form a connection between two computing devices based on the active network device configuration.

Abstract: Systems and methods providing users with a rich web experience are disclosed. In one embodiment, a client and at least one server are in communication using a dual communication link. In another embodiment, a markup language based instant messaging application is disclosed. The instant messaging application may include group instant messaging. The instant messaging application may also provide group member persistence and message persistence at the server. In another embodiment, a card based web application is disclosed, where the card information and character may be shared with other users or within a group. The cards may also be configurable by users.