Abstract: Techniques are disclosed for hiding sensitive information from a provider of support services. In one embodiment, a first network device determines that network device information includes non-sensitive data and sensitive data. In response to the determining, the first network device generates mapping data that maps dummy information to the sensitive data. The first network device generates output data that comprises the non-sensitive data and the dummy data and sends the output data to a second network device. In other embodiments, the user may select the network parameters that are sensitive. The first network device may also receive first report data from the second network device that identifies a network problem and includes the dummy data and generate second report data by using the mapping data to replace the dummy information with the sensitive data.

Abstract: A method is provided in one example and includes verifying a storage capacity of a network element coupled to an end device over a network connection. The method also includes executing script provided in the network element, which is configured for exchanging packets in a network environment. The script initiates a collection of data being retrieved from the end device. The data can be Fault, Configuration, Accounting, Performance, and Security (FCAPS) data associated with the end device. The data collected from the end device is communicated to a next destination.

Abstract: A method is provided in one example and includes verifying a storage capacity of a network element coupled to an end device over a network connection. The method also includes executing script provided in the network element, which is configured for exchanging packets in a network environment. The script initiates a collection of data being retrieved from the end device. The data can be Fault, Configuration, Accounting, Performance, and Security (FCAPS) data associated with the end device. The data collected from the end device is communicated to a next destination.

Abstract: Techniques are disclosed for preventing malicious attacks or other exploits on a computer server. A network manager may be configured to determine a topology of a plurality of network devices and deploy an intrusion prevention system in one or more of the network devices to mitigate attacks against the vulnerable servers. The one or more network devices may be identified based on the topology and one or more constraints for optimizing the deployment of the intrusion prevention systems.

Abstract: The real time availability of a group of network elements is determined based upon both a real time availability value for each of the network elements and cooperation relationships between the network elements. The cooperation relationships reflect both the topological relationships between the network elements, i.e., how the network elements are connected, and the extent to which network elements interact with each other effectively. For relatively small groups of network elements, where the cooperation relationships are not overly complex, the real time availability is determined directly from the real time availability value for each of the network elements and cooperation relationships between the network elements. Decomposition and recombination are used to determine the real time availability of large groups of network elements based on specific formulas for basic network element topology models.

Abstract: Techniques are disclosed for preventing malicious attacks or other exploits on a computer server. A network manager may be configured to determine a topology of a plurality of network devices and deploy an intrusion prevention system in one or more of the network devices to mitigate attacks against the vulnerable servers. The one or more network devices may be identified based on the topology and one or more constraints for optimizing the deployment of the intrusion prevention systems.

Abstract: A system, method and application for facilitating network support for an install-base network is provided. The method includes performing, at an access node of the install-base network, network discovery to discover one or more nodes of the install-base network. The method also includes collecting, at the nodes, their respective inventories (“network-node inventories”). The method further includes collecting the network-node inventories at the access node, and sending the network-node inventories from the access node to a back-office system external to the install-base network. The method may, optionally, include the access node aggregating the network-node inventories to form aggregate information, and sending the aggregate information to the back-office system in addition to or in lieu of the of network-node inventories.

Abstract: A method is disclosed for a method for measuring the availability of a network element or service. For each network element N, a current real availability value CRAVN and a current time value CTVN are associated with network element N. Additionally, for each network element N, an operational state value OSVN is associated with network element N. At a later time, indicated by a new time value NTVN, a new real availability value NRAVN for network element N is determined based on the current availability value CRAVN, the current time value CTVN, the new time value NTVN, and the operational state value OSVN. The new real availability value NRAVN is stored. Thus, each separate network element N may be associated with a separate real availability value that accurately reflects the availability of network element N specifically, regardless of any availability approximated for network element N's type.

Abstract: An isolation approach for network users associated with elevated risk is disclosed for protecting networks. In one approach a method comprises the computer-implemented steps of determining a user identifier associated with a network device that has caused a security event in a network; causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and configuring one or more security restrictions with respect to the selected network address.

Abstract: A method of determining an amount of bandwidth needed on a communication link is disclosed. According to one aspect of the method, instead of considering only user behavior or only traffic characteristics, the amount of bandwidth needed on the link is determined based on both user behavior and traffic characteristics. The determined amount is stored in memory. By accounting for both user behavior and traffic characteristics, the method determines the amount of bandwidth needed on a communication link more accurately.

Abstract: A method and apparatus is disclosed for security-management of IP TV subscribers across a network comprising: receiving and storing at an access network element, a plurality of requests to connect to one or more multicast groups from a plurality of ports; retrieving, the plurality of requests from the access network element; generating, from the plurality of requests a first profile associated with a first port, wherein the profile includes multicast group request information associated with the first port; and detecting one or more anomalies based on the first profile and subscriber information and generating a notification if one or more anomalies are detected.

Abstract: A policy-based network security management system is disclosed. In one embodiment, the system comprises a security management controller comprising one or more processors; a computer-readable medium carrying one or more sequences of instructions for policy-based network security management, wherein execution of the one or more sequences of instructions by the one or more processors causes the one or more processors to perform the steps of receiving a set of data regarding a user of a computer network; automatically deciding on a course of action based on the set of data, wherein the course of action may be adverse to the user although the set of data is insufficient to establish whether the user is performing a malicious action; and sending signals to one or more network elements in the computer network to implement the decision.

Abstract: A method is disclosed for preventing spoofing of network addresses. A binding is established between an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port. An Address Resolution Protocol (ARP) table is updated based on the binding.

Abstract: A method and a system for re-establishing the connection of a network device with a network, using viral communication, are provided. According to the various embodiments, a disconnected network device acts as a simple wireless device and contacts a neighboring network device to obtain configuration information. The request can be forwarded to a network management station (NMS) through one or more neighbors of the disconnected network device. Connectivity is obtained by executing the configuration instructions obtained from the NMS.

Abstract: A policy-based network security management system is disclosed. In one embodiment, the system comprises a security management controller comprising one or more processors; a computer-readable medium carrying one or more sequences of instructions for policy-based network security management, wherein execution of the one or more sequences of instructions by the one or more processors causes the one or more processors to perform the steps of receiving a set of data regarding a user of a computer network; automatically deciding on a course of action based on the set of data, wherein the course of action may be adverse to the user although the set of data is insufficient to establish whether the user is performing a malicious action; and sending signals to one or more network elements in the computer network to implement the decision.

Abstract: Methods and systems are provided for estimating the source-destination traffic in a packet-switched network. Source-destination traffic is critical input to a variety of network engineering and planning functions. However, it is difficult and prohibitively expensive to directly measure source-destination traffic in a packet-switched network. Channel link measurements are more readily available for packet-switched networks. Thus, methods and systems in accordance with the present invention use channel link measurements, along with knowledge of traffic paths through the network for source-destination pairs, to estimate source-destination traffic.

Abstract: In communication network, the network blocking probability can be efficiently calculated by applying a Gaussian approximation to a fixed point algorithm. Gaussian curves are approximated to represent state probability distributions of the network links. By efficiently calculating the network blocking probability, the network can be optimally designed by lowering the network blocking probability below a threshold at the least cost.