Abstract: A control device, method and system for controlling data exchange between entities and item identification devices associated with said control device; said entities having an associated data exchange means for exchanging data with item identification devices; said data exchange means being arranged to provide authentication data indicative of the entity with which they are associated; and said control device comprising means for enabling exchange of data between said item identification devices and the entity with which said data exchange means is associated in accordance with an applicable access policy for that entity.

Abstract: A Denial of Service attack received at a network node from a packet data communications network is managed by tracing the path of predominantly malicious data packets arriving at the network node. The attack may be mitigated by selecting a router along the detected path and requesting the router to alter its handling of the data traffic. In one embodiment, the selected router installs a filter for data directed at the network node. In a different embodiment, the router alters a Quality of Service setting for the data directed at the network node. The network node may also request the router to mark all data being forwarded to it, to allow the network to characterize the data and determine to what extent it consists of malicious data.

Abstract: A processing node for processing data items in a data network, comprising means for receiving data items, means for receiving characterisation metrics associated with the data items and identifying characteristic values in respect thereof, and a process selection means, said process selection means comprising means for deriving a collective value from characteristic values associated with a plurality of the data items, means for comparing characteristic values associated with a plurality of the data items with a predetermined target value, means for subjecting data items in respect of which the characteristic values are on a first side of the predetermined target value to a first process, means for selecting at least some of the data items in respect of which the characteristic values are on a second side of the predetermined target value, and means for subjecting the selected data items to a second process which is different from the first process.

Abstract: The invention relates to data networks, and to nodes making up parts of data networks, arranged to derive information relating to the characterisation of paths taken by data travelling between nodes in the networks. Path characterisation information is fed back from a receiver of data to a provider of data, and informs nodes subsequently forwarding data of characteristics of the downstream path. Also described are routing and related controlling nodes and methods for using such path characterisation information to make informed routing and other decisions when forwarding data in a data network.

Abstract: An announcement thread addressing format which comprises a first sub-part concatenated with a second sub-part is described. The first sub-part is preferably the address of the party which generates the addressing identifier, whereas the second sub-part may be random data. An announcer apparatus may then use these address formats by including only those parts of an announcement thread address which render the address unique within the particular index message in which it is to be included, but not necessarily globally unique.

Abstract: The method involves transmitting to receivers receiving a multicast a plurality of requests for feedback (3), each request including a probability parameter (P). Each terminal replies to this (or not) with a corresponding probability (4). One then counts the number (r) of replies to each request (5); determines, from the counts and parameters, estimates of the number of receivers (6); and filters the estimates (7). The method further includes repeatedly computing a new probability parameter to be included in a subsequent feedback request, by forecasting, from the counts and parameters, a upper bound for the number of receivers (9, 10, 11) and determining from this the new probability parameter (12) such that the risk that the number of replies exceeds a predefined threshold is kept below a predefined value.

Abstract: The invention provides the concept of a network channel which is used as a waiting channel, wherein members of a group other than a first member join the waiting channel whilst performing an action or process, and then leave the waiting channel once the action or process has been performed. Once all of the members have left the waiting channel the first member of the group then performs an action or process. In order to indicate to the first member that all of the other members have left the waiting channel, a protocol such as the Multicast Source Notification of Interest Protocol (MSNIP) may be used.

Abstract: A key distribution server maintains a tree of nodes. Members of a group who are allowed access to information are associated with respective leaf nodes of the tree. The information is encrypted with a key comprising a join key field and a leave field, and these are associated with the root node of the tree. The join key is updated each time a member joins the group and the leave field is updated each time a member leaves. Further respective leave keys are associated with the other nodes of the tree. The leave keys of the tree are related so that a member knowing the leave key of its node can work out the leave key of the root node and hence decrypt the information. The key distribution server transmits offset messages to the members to allow them so to calculate the root node leave key. The system of offset messages reduces the amount of communication required between the key distribution server and the group members.

Abstract: An authentication method for linked data is provided, which does away with the conventional requirement for secure authentication of every item of data using public key encryption or Message Access Codes. A subscriber to an indexed event announcement channel can access a first item of information which contains pointers to other items of information in which the user might be interested. A hash value of the pointed-to information is also provided in addition to the pointers themselves. In order to provide for authentication of the pointed-to information, the user authenticates the first item of information using a secure heavyweight authentication technique, and then uses the hash values of the pointed-to information contained in the first item of information to authenticate the pointed-to information when the user accesses it.

Abstract: A method for notifying one or more users of a present state of at least one property of an entity, the method comprising the steps of: a) receiving a request message from a user over a first communications channel, the message containing information indicative of at least one property of an entity in which the user is interested; b) determining the present state of said at least one property; c) determining an identifier of a second communications channel onto which future messages containing information relating to future changes of state of the at least one property of the entity will be transmit; and d) transmitting a reply message to the user, the reply message containing information indicative of the present state of the at least one property and of the identifier of the second communications channel.

Abstract: A network includes a server 1 and a number of clients 2, which will in operation of the network require authentication by the server 1. The server 1 distributes authentication information to other clients 3 when a session is initialised. When the server 1 needs to authenticate a client 2, it hands out a server request to the client 2 which asks client 2 for authentication information which it must obtain from other clients 3. The client to be authenticated 2 then sends these requests to the clients 3 specified in the authentication request to obtain the authentication information from those clients. Once the client to be authenticated 2 has received the relevant authentication information from the other clients 3, it returns it to the server 1 and is authenticated or not accordingly.

Abstract: A method of managing a Denial of Service attack received at a network node from a packet data communications network, by tracing the path of predominantly malicious data packets arriving at the network node. The attack may be mitigated by selecting a router along the detected path and requesting the router to alter its handling of the data traffic. In one embodiment, the selected router installs a filter for data directed at the network node. In a different embodiment, the router alters a Quality of Service setting for the data directed at the network node. The network node may also request the router to mark all data being forwarded to it, to allow the network to characterise the data and determine to what exten it consists of malicious data.