Patents by Inventor Alexandru Gavrilescu

Alexandru Gavrilescu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20060161657
    Abstract: A security infrastructure and methods are presented that inhibit the ability of a malicious node to disrupt the normal operations of a peer-to-peer network. The methods of the invention allow both secure and insecure identities to be used by nodes by making them self-verifying. When necessary or opportunistic, ID ownership is validated by piggybacking the validation on existing messages. The probability of connecting initially to a malicious node is reduced by randomly selecting to which node to connect. Further, information from malicious nodes is identified and can be disregarded by maintaining information about prior communications that will require a future response. Denial of service attacks are inhibited by allowing the node to disregard requests when its resource utilization exceeds a predetermined limit. The ability for a malicious node to remove a valid node is reduced by requiring that revocation certificates be signed by the node to be removed.
    Type: Application
    Filed: March 15, 2006
    Publication date: July 20, 2006
    Applicant: MICROSOFT CORPORATION
    Inventors: Rohit Gupta, Alexandru Gavrilescu, John Miller, Graham Wheeler
  • Patent number: 7068789
    Abstract: A method for ensuring valid and secure peer-to-peer communications in a group structure. Specifically, the system of the present invention presents a method of ensuring secure peer-to-peer group formation, group member addition, group member eviction, group information distribution, etc. Such functionality may be distributed to the individual peers in the group to further enhance the overall security of the group while enhancing flexibility. The P2P group security allows every peer who is a valid member of the group to invite new members. The recipients of these invitations are then able to contact any member of the group to join the group, not only the inviter. Further, groups may function when the group creator is not online. Likewise, the method allows the creation of secure groups with users from different security domains, relying on their security credentials in those domains for initial authentication.
    Type: Grant
    Filed: September 19, 2001
    Date of Patent: June 27, 2006
    Assignee: Microsoft Corporation
    Inventors: Christian Huitema, Alexandru Gavrilescu, Xiaohai Zhang
  • Patent number: 7051102
    Abstract: A security infrastructure and methods are presented that inhibit the ability of a malicious node to disrupt the normal operations of a peer-to-peer network. The methods of the invention allow both secure and insecure identities to be used by nodes by making them self-verifying. When necessary or opportunistic, ID ownership is validated by piggybacking the validation on existing messages. The probability of connecting initially to a malicious node is reduced by randomly selecting to which node to connect. Further, information from malicious nodes is identified and can be disregarded by maintaining information about prior communications that will require a future response. Denial of service attacks are inhibited by allowing the node to disregard requests when its resource utilization exceeds a predetermined limit. The ability for a malicious node to remove a valid node is reduced by requiring that revocation certificates be signed by the node to be removed.
    Type: Grant
    Filed: April 29, 2002
    Date of Patent: May 23, 2006
    Assignee: Microsoft Corporation
    Inventors: Rohit Gupta, Alexandru Gavrilescu, John L. Miller, Graham A. Wheeler
  • Publication number: 20060075113
    Abstract: Enumeration requests are sent from a node in a network. Each node that receives an enumeration request sends an enumeration response at a time determined by the node receiving the enumeration request.
    Type: Application
    Filed: September 30, 2004
    Publication date: April 6, 2006
    Applicant: Microsoft Corporation
    Inventors: Richard Black, Austin Donnelly, Alexandru Gavrilescu, David Thaler
  • Publication number: 20050138416
    Abstract: An object model is provided as a general framework for managing network services, such as firewall services. A user or an administrator of a computer may utilize the object model to manage and configure the firewall services. The object model isolates a user and/or an administrator from having to deal with the many possible issues involved in configuring the services. The object model includes two main name spaces: a policy engine platform and a policy object model. The policy engine platform is the central point for interacting with the policy for the services and the kernel components that actually perform the services. The policy object model is used to specify policies that the services support.
    Type: Application
    Filed: December 19, 2003
    Publication date: June 23, 2005
    Applicant: Microsoft Corporation
    Inventors: Tin Qian, Alexandru Gavrilescu
  • Publication number: 20050091572
    Abstract: Cobrowsing web sites by two or more users is disclosed. For a cobrowsing session between a first client of a first user and a second client of a second user, the cobrowsing session is first initiated. The first user browses a web site on the first client. The first client sends to the second client a synchronization message. The synchronization message indicates one or more commands reflecting the browsing performed by the first user. The second client receives the synchronization message, and cobrowses the web site in accordance with the message and its included commands. Cobrowsing continues until the cobrowsing session is terminated. The commands of the synchronization message allow for fine granularity of cobrowsing.
    Type: Application
    Filed: October 28, 2004
    Publication date: April 28, 2005
    Applicant: Microsoft Corporation
    Inventors: Alexandru Gavrilescu, Noel Anderson, Harpal Bassali
  • Publication number: 20050044411
    Abstract: Disclosed are peer-to-peer computer program products, methods, and systems in which a remote peer on a peer-to-peer network is granted or denied access to a resource based on the credentials presented by the remote peer. In accordance with the disclosed subject matter, an access token that includes one or more security identification values which represent respectively one or more access rights in an access control system is generated. An execution thread that is associated with the access token thus generated attempts to access the resource on behalf of the remote peer. In some embodiments, the access control system includes a generic user account, and the access token that is generated for the remote peer includes the security identification value associated with the generic user account in the access control system.
    Type: Application
    Filed: August 20, 2003
    Publication date: February 24, 2005
    Applicant: Microsoft Corporation
    Inventors: Grigori Somin, David Mowers, Alexandru Gavrilescu
  • Publication number: 20050005165
    Abstract: A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.
    Type: Application
    Filed: June 25, 2003
    Publication date: January 6, 2005
    Applicant: Microsoft Corporation
    Inventors: Dennis Morgan, Alexandru Gavrilescu, Jonathan Burstein, Art Shelest, David LeBlanc
  • Publication number: 20040264697
    Abstract: A system and method for providing security to a graph of interconnected nodes includes a grouping multiplexing layer configured to monitor calls to the system, a graphing dynamic link layer configured to transmit and receive data to and from the graph, and a group security manager coupled to the grouping multiplexing layer and coupled to the graphing dynamic link layer; the group security manager is configured to perform security-related acts via interacting with a group database to propagate security-related information to members of a group within the graph. The group security manager is configured to provide role-based authorization on publication of one or more records and provide membership control for admission to a graph of interconnected nodes. The group security manager provides membership control by providing credentials to potential members of the graph to enable a connection and by providing a governed system for renewal and revocation of members.
    Type: Application
    Filed: June 27, 2003
    Publication date: December 30, 2004
    Applicant: Microsoft Corporation
    Inventors: Alexandru Gavrilescu, Graham A. Wheeler, Grigori M. Somin, John L. Miller, Rohit Gupta
  • Publication number: 20040244010
    Abstract: The invention provides an apparatus and method to establish media sessions for media streams crossing a network boundary. The system includes a media relay controlled by a media configurator control module. The media relay reserves media paths (that include ports in the network boundary), opens the media paths, closes the media paths, and provides information about the media paths. A media configurator is adapted to communicate with the media configurator control module and the media relay. The control module has an event handler handling multimedia session events, a local address resolver that determines if an address identifier of the media session belongs to a private address space and a control element used to establish the media path. The control element manages resources for the media relay. A state-refresh timer is used to maintain state consistency between all media relays controlled by a proxy engine and control elements.
    Type: Application
    Filed: May 29, 2003
    Publication date: December 2, 2004
    Applicant: Microsoft Corporation
    Inventors: Ilya Kleyman, Alexandru Gavrilescu
  • Publication number: 20030204742
    Abstract: A security infrastructure and methods are presented that inhibit the ability of a malicious node to disrupt the normal operations of a peer-to-peer network. The methods of the invention allow both secure and insecure identities to be used by nodes by making them self-verifying. When necessary or opportunistic, ID ownership is validated by piggybacking the validation on existing messages. The probability of connecting initially to a malicious node is reduced by randomly selecting to which node to connect. Further, information from malicious nodes is identified and can be disregarded by maintaining information about prior communications that will require a future response. Denial of service attacks are inhibited by allowing the node to disregard requests when its resource utilization exceeds a predetermined limit. The ability for a malicious node to remove a valid node is reduced by requiring that revocation certificates be signed by the node to be removed.
    Type: Application
    Filed: April 29, 2002
    Publication date: October 30, 2003
    Applicant: Microsoft Corporation
    Inventors: Rohit Gupta, Alexandru Gavrilescu, John L. Miller, Graham A. Wheeler
  • Publication number: 20030200298
    Abstract: A system for conveniently extending the capabilities of network systems to support telephony is presented. Also, a method and system for preventing message looping within network devices that support telephony is presented. A network system, such as a proxy server, executes one or more executable service modules having instructions for performing a specific telephony service. A dispatcher operating upon the network device dispatches messages to the service modules according to a set of resource data provided by the service modules. To prevent message looping, the dispatcher executes logical instructions that restrict the service modules from routing messages to each other indefinitely.
    Type: Application
    Filed: April 23, 2002
    Publication date: October 23, 2003
    Applicant: Microsoft Corporation
    Inventors: Jinyan Su, Alexandru Gavrilescu, Mark Markaryan
  • Publication number: 20030056094
    Abstract: A method for use in a peer-to-peer communication system to ensure valid connections are made in a secure manner includes the steps of receiving an address record for a peer node which includes an ID certificate. The ID certificate is validated and checked to verify that the ID certificate has not expired. Further, the method determines whether the node from whom the address record was received is to be trusted, and whether the number of instances of the IP address included in the certificate is already stored in cache. When the foregoing are completed successfully, i.e., the certificate is valid, not expired, has been supplied by a trusted neighbor, and does not point to an IP address that already exists for different IDs multiple times, the method opportunistically verifies ownership of the ID certificate at the peer node's IP address. That is, the verification of ownership only occurs when the advertiser of the ID is the owner of that ID (or when the ID is to be used).
    Type: Application
    Filed: September 19, 2001
    Publication date: March 20, 2003
    Applicant: Microsoft Corporation
    Inventors: Christian Huitema, John L. Miller, Alexandru Gavrilescu
  • Publication number: 20030055892
    Abstract: A system and method of serverless peer-to-peer group management and maintenance is presented. Group formation and discovery of private, public, and enumerated groups are provided, as is a method of joining such a peer-to-peer group. Group information management provided by the present invention ensures that each node maintains a current database from the initial joining of the group through the run phase of membership. Group graph maintenance utilizes a group signature to ensure that partitions in a graph may be detected and repaired. The utility of connections within the graph is also monitored so that non-productive connections may be dropped to increase the efficiency of the group. The diameter of the graph is also monitored and adjusted to ensure rapid information transfer throughout the group. A disconnect procedure is used to maintain the graph integrity and prevent partitions resulting from the departure of a group member.
    Type: Application
    Filed: September 19, 2001
    Publication date: March 20, 2003
    Applicant: Microsoft Corporation
    Inventors: Christian Huitema, Alexandru Gavrilescu, Noel W. Anderson, Xiaohai Zhang
  • Publication number: 20030056093
    Abstract: A method for ensuring valid and secure peer-to-peer communications in a group structure. Specifically, the system of the present invention presents a method of ensuring secure peer-to-peer group formation, group member addition, group member eviction, group information distribution, etc. Such functionality may be distributed to the individual peers in the group to further enhance the overall security of the group while enhancing flexibility. The P2P group security allows every peer who is a valid member of the group to invite new members. The recipients of these invitations are then able to contact any member of the group to join the group, not only the inviter. Further, groups may function when the group creator is not online. Likewise, the method allows the creation of secure groups with users from different security domains, relying on their security credentials in those domains for initial authentication.
    Type: Application
    Filed: September 19, 2001
    Publication date: March 20, 2003
    Applicant: Microsoft Corporation
    Inventors: Christian Huitema, Alexandru Gavrilescu, Xiaohai Zhang
  • Publication number: 20020198941
    Abstract: Cobrowsing web sites by two or more users is disclosed. For a cobrowsing session between a first client of a first user and a second client of a second user, the cobrowsing session is first initiated. The first user browses a web site on the first client. The first client sends to the second client a synchronization message. The synchronization message indicates one or more commands reflecting the browsing performed by the first user. The second client receives the synchronization message, and cobrowses the web site in accordance with the message and its included commands. Cobrowsing continues until the cobrowsing session is terminated. The commands of the synchronization message allow for fine granularity of cobrowsing.
    Type: Application
    Filed: April 16, 2001
    Publication date: December 26, 2002
    Inventors: Alexandru Gavrilescu, Noel W. Anderson, Harpal Bassali