Patents by Inventor Alexander Poylisher

Alexander Poylisher has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9654499
    Abstract: A computer system, method, and computer program product for mitigating TOCTOU attacks, which includes: a processor requesting measurements representing operation of a first process on a host that is untrusted and, based on the requesting, obtaining the measurements, which include a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host. A processor also determines, based on the measurements, whether the first process was compromised.
    Type: Grant
    Filed: June 18, 2015
    Date of Patent: May 16, 2017
    Assignee: Vencore Labs, Inc.
    Inventors: Angelo Sapello, Abhrajit Ghosh, Alexander Poylisher, C. Jason Chiang, Ayumu Kubota, Takashi Matsunaka
  • Patent number: 9386030
    Abstract: An apparatus and method predict and detect network attacks by using a diverse set of indicators to measure aspects of the traffic and by encoding traffic characteristics using these indicators of potential attacks or anomalous behavior. The set of indicators is analyzed by supervised learning to automatically learn a decision rule which examines the temporal patterns in the coded values of the set of indicators to accurately detect and predict network attacks. The rules automatically evolve in response to new attacks as the system updates its rules periodically by analyzing new data and feedback signals about attacks associated with that data. To assist human operators, the system also provides human interpretable explanations of detection and prediction rules by pointing to indicators whose values contribute to a decision that there is an existing network attack or an imminent network attack. When such indicators are detected, an operator can take remediation actions.
    Type: Grant
    Filed: September 17, 2013
    Date of Patent: July 5, 2016
    Assignee: VENCORE LABS, INC.
    Inventors: Akshay Vashist, Ritu Chadha, Abhrajit Ghosh, Alexander Poylisher, Yukiko Sawaya, Akira Yamada, Ayumu Kubota
  • Publication number: 20150373046
    Abstract: A computer system, method, and computer program product for mitigating TOCTOU attacks, which includes: a processor requesting measurements representing operation of a first process on a host that is untrusted and, based on the requesting, obtaining the measurements, which include a checksum that is a result of a second process executing checksum code to verify at least one last branch record on the host. A processor also determines, based on the measurements, whether the first process was compromised.
    Type: Application
    Filed: June 18, 2015
    Publication date: December 24, 2015
    Inventors: Angelo Sapello, Abhrajit Ghosh, Alexander Poylisher, C. Jason Chiang, Ayumu Kubota, Takashi Matsunaka
  • Patent number: 8874776
    Abstract: A virtual ad hoc network testbed provides the capability to instrument a testbed in order to support the execution of network-aware applications “as is.” Network aware applications are a special class of applications that interact with a network not only by using the network for communication purposes, but also configure or read the status of network devices. Local stack management provides the means to automatically construct standard APIs for accessing the information residing in a simulated or emulated network, and instantiate these APIs. The testbed is designed to bridge a standard management module (such as SNMP) and a simulation or emulation model, starting from a MIB module. The testbed uses CORBA as a communication means. The process is divided into two parts, agent side and model side.
    Type: Grant
    Filed: March 8, 2011
    Date of Patent: October 28, 2014
    Assignee: Telcordia Technologies, Inc.
    Inventors: Constantin Serban, Alexander Poylisher, Cho-Yu Jason Chiang
  • Patent number: 8769068
    Abstract: A system and method for policy based management for a high security MANET comprises policy managers, each performing policy decision-making and policy enforcement using multiple policies, containers, each related to an application and each container having one policy manager, nodes, each having an infrastructure and at least one container, and dynamic community building blocks associating the containers having a same application, the containers being in different nodes, the associated containers maintained by the dynamic community building blocks on a secure network. Each container can define a security boundary around the node. Each container can be a lightweight virtual machine. The system can also have a special container having a policy manager only evaluating policies for conflicts. In one embodiment, a node can consist of multiple network devices and each network device is a container of its own.
    Type: Grant
    Filed: February 24, 2010
    Date of Patent: July 1, 2014
    Assignee: Telcordia Technologies, Inc.
    Inventors: D. Scott Alexander, Yuu-Heng Cheng, Alexander Poylisher
  • Publication number: 20140082730
    Abstract: An apparatus and method predict and detect network attacks by using a diverse set of indicators to measure aspects of the traffic and by encoding traffic characteristics using these indicators of potential attacks or anomalous behavior. The set of indicators is analyzed by supervised learning to automatically learn a decision rule which examines the temporal patterns in the coded values of the set of indicators to accurately detect and predict network attacks. The rules automatically evolve in response to new attacks as the system updates its rules periodically by analyzing new data and feedback signals about attacks associated with that data. To assist human operators, the system also provides human interpretable explanations of detection and prediction rules by pointing to indicators whose values contribute to a decision that there is an existing network attack or an imminent network attack. When such indicators are detected, an operator can take remediation actions.
    Type: Application
    Filed: September 17, 2013
    Publication date: March 20, 2014
    Inventors: Akshay VASHIST, Ritu CHADHA, Abhrajit GHOSH, Alexander POYLISHER, Yukiko SAWAYA, Akira YAMADA, Ayumu KUBOTA
  • Patent number: 8665715
    Abstract: Network management for providing and managing Quality of Service (QoS) in converged networks, and particularly management of bursty, short-lived data loads, in an opaque network where knowledge of or control over network elements is not required. Preferential treatment is provided to some subset of the network users that require better QoS assurances from the underlying network by applying probabilistic admission control decisions in conjunction with estimated network state provides improved performance for high priority data with bursty data loads.
    Type: Grant
    Filed: May 20, 2011
    Date of Patent: March 4, 2014
    Assignee: Telcordia Technologies, Inc.
    Inventors: Abhrajit Ghosh, Alexander Poylisher, Ricardo Martija, Ritu Chadha, Latha Kant
  • Patent number: 8315186
    Abstract: The inventive system and method for improving network security, availability, and regulatory compliance, and maximizing a network comprises a network configuration component, a network inventory component, a network monitoring component, and a network assessment component, wherein information is extracted from each of the configuration, inventory, and monitoring components, the extracted information is combined and assessed in the assessment component, and the maximized network is produced using the combined information. In one embodiment, the combined information is stored in a database. In one embodiment, an XML is produced from the extracted inventory information, and this XML is converted to a canonical form.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: November 20, 2012
    Assignee: Telcordia Technologies, Inc.
    Inventors: Rajesh R. Talpade, Lisa Bahler, Alice Cheng, Alexander Poylisher, Shrirang Gadgil
  • Publication number: 20120257498
    Abstract: Network management for providing and managing Quality of Service (QoS) in converged networks, and particularly management of bursty, short-lived data loads, in an opaque network where knowledge of or control over network elements is not required. Preferential treatment is provided to some subset of the network users that require better QoS assurances from the underlying network by applying probabilistic admission control decisions in conjunction with estimated network state provides improved performance for high priority data with bursty data loads.
    Type: Application
    Filed: May 20, 2011
    Publication date: October 11, 2012
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Abhrajit Ghosh, Alexander Poylisher, Ricardo Martija, Ritu Chadha, Latha Kant
  • Publication number: 20120059921
    Abstract: A virtual ad hoc network testbed provides the capability to instrument a testbed in order to support the execution of network-aware applications “as is.” Network aware applications are a special class of applications that interact with a network not only by using the network for communication purposes, but also configure or read the status of network devices. Local stack management provides the means to automatically construct standard APIs for accessing the information residing in a simulated or emulated network, and instantiate these APIs. The testbed is designed to bridge a standard management module (such as SNMP) and a simulation or emulation model, starting from a MIB module. The testbed uses CORBA as a communication means. The process is divided into two parts, agent side and model side.
    Type: Application
    Filed: March 8, 2011
    Publication date: March 8, 2012
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Constantin Serban, Alexander Poylisher, Cho-Yu Jason Chiang
  • Publication number: 20120020216
    Abstract: Loads for a wireless network having a plurality of end nodes are predicted by constructing a computer data set of end-to-end pairs of the end nodes included in the network using a computer model of the network; constructing a computerized set of observables from social information about users of the network; developing a computerized learned model of predicted traffic using at least the data set and the observables; and using the computerized learned model to predict future end-to-end network traffic.
    Type: Application
    Filed: January 11, 2011
    Publication date: January 26, 2012
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Akshay Vashist, Alexander Poylisher, Siun-Chuon Mau, Abhrajit Ghosh, Ritu Chadha
  • Publication number: 20110299389
    Abstract: Systems and methods for managing network congestion through detecting the closeness to network congestion. The network includes a plurality of network nodes, where each node has at least one neighboring node and each node has a buffer for a queue of packets from other nodes. The system measures queue length at a node and the node's neighboring nodes, processes the measured queue lengths to obtain patterns of fluctuations for the measured queue length. The system determines if one or more of the measured nodes are in a transition-onset status toward a phase transition point based on the obtained patterns of fluctuation and generates congestion control signals based on the determination to route network traffic away. The phase transition point corresponds to a change from a non-congestive phase of the measured nodes to a congestive phase of the measured nodes.
    Type: Application
    Filed: December 1, 2010
    Publication date: December 8, 2011
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Siun-Chuon Mau, Alexander Poylisher, Akshaya Vashist, Ritu Chadha, Cho-yu Jason Chiang
  • Patent number: 7933237
    Abstract: A method and apparatus for controlling ingress to a communications network to control quality of service is described. A request to admit a new communications flow is received. A polynomial and its coefficients representing a state of the network is determined and applied to the network state plus the new communications flow to determine whether admission of the new communications flow would cause the network to operate in a stable or unstable state. In response to determining that the network would operate in the unstable state, a communications flow for the ingress device is downgraded in its quality of service. By another approach, it is determined whether the new communications flow exceeds an allocated quota of bandwidth. Admission or rejection of the communications flow can be determined.
    Type: Grant
    Filed: December 26, 2006
    Date of Patent: April 26, 2011
    Assignee: Telcordia Licensing Company, LLC
    Inventors: Farooq Anjum, Latha Kant, Alexander Poylisher, Ritu Chadha
  • Publication number: 20100217853
    Abstract: A system and method for policy based management for a high security MANET comprises policy managers, each performing policy decision-making and policy enforcement using multiple policies, containers, each related to an application and each container having one policy manager, nodes, each having an infrastructure and at least one container, and dynamic community building blocks associating the containers having a same application, the containers being in different nodes, the associated containers maintained by the dynamic community building blocks on a secure network. Each container can define a security boundary around the node. Each container can be a lightweight virtual machine. The system can also have a special container having a policy manager only evaluating policies for conflicts. In one embodiment, a node can consist of multiple network devices and each network device is a container of its own.
    Type: Application
    Filed: February 24, 2010
    Publication date: August 26, 2010
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: D. Scott Alexander, Yuu-Heng Cheng, Alexander Poylisher
  • Publication number: 20100042605
    Abstract: An inventive system and method for versioning relational database disjoint records comprises a relational database, configuration files translated into query files, and a version control system, wherein each query file is stored and checked into the version control system, updating a version number of the query file. Each query file comprises a set of query statements. Query files are retrieved from the version control system based on the version number or an independent data item, and put into the database for analysis. In one embodiment, one of the configuration files comprises a configuration of a device, such as a router, a switch, a firewall, or a medical record. The method comprises acquiring configuration files, changing the configuration files into query files and storing the query files, and checking each query file into a version control system, wherein the checking in updates a version number of the query file.
    Type: Application
    Filed: July 31, 2009
    Publication date: February 18, 2010
    Applicant: Telcordia Technologies, Inc.
    Inventors: Yuu-heng Cheng, Alexander Poylisher, Aditya Naidu, Rajesh Talpade, Shrirang Gadgil
  • Publication number: 20100034138
    Abstract: Our invention is a method and system for a method of providing Quality of Service (QoS) over networks that do not provide any information and only serve to carry packets. Specifically, as Traffic traverses between various user networks via an opaque network, gateways at the edge of the user networks keep a record of the packets traversing into the opaque networks and packets traversing out of the opaque network. These gateways also know about the traffic classes that each of these packets belong to. The gateways at the ingress points (the user network where the packets originate) and the gateways at the egress points (the user network where the packets terminate) coordinate amongst themselves to exchange information about the number and latency of packets exchanged between the two. This information is used by the gateway at the ingress to estimate the state of the opaque network using dynamic throughput graphs.
    Type: Application
    Filed: December 26, 2006
    Publication date: February 11, 2010
    Inventors: Farooq Anjum, Latha Kant, Alexander Poylisher, Ritu Chandha
  • Publication number: 20090190499
    Abstract: The inventive system and method for improving network security, availability, and regulatory compliance, and maximizing a network comprises a network configuration component, a network inventory component, a network monitoring component, and a network assessment component, wherein information is extracted from each of the configuration, inventory, and monitoring components, the extracted information is combined and assessed in the assessment component, and the maximized network is produced using the combined information. In one embodiment, the combined information is stored in a database. In one embodiment, an XML is produced from the extracted inventory information, and this XML is converted to a canonical form.
    Type: Application
    Filed: January 29, 2009
    Publication date: July 30, 2009
    Applicant: TELCORDIA TECHNOLOGIES, INC.
    Inventors: Rajesh R. Talpade, Lisa Bahler, Alice Cheng, Alexander Poylisher, Shrirang Gadgil
  • Publication number: 20080172716
    Abstract: Customizable software provides assurances about the ability of an IP network to satisfy security, regulatory and availability requirements by comprehensive vulnerability and compliance assessment of IP networks through automated analysis of configurations of devices such as routers, switches, and firewalls. The solution comprises three main approaches for testing of IP device configurations to eliminate errors that result in vulnerabilities or requirements compliance issues. The first two fall into the “static constraint validation” category since they do not change significantly for each IP network, while the last approach involves incorporation of each specific IP network's policies/requirements. These approaches are complementary, and may be used together to satisfy all the properties described above. The first approach involves checking the configurations of devices for conformance to Best-Current-Practices provided by vendors (e.g.
    Type: Application
    Filed: September 12, 2007
    Publication date: July 17, 2008
    Inventors: Rajesh Talpade, Sanjai Narain, Yuu-Heng Cheng, Alexander Poylisher