Abstract: The present disclosure is directed to systems, methods, and computer-readable storage media for anonymizing data over multiple temporal releases. Data is received, and nodes and connections in the data are identified. The data also is analyzed to identify predicted connections. The nodes, the connections, and the predicted connections are analyzed to determine how to group the nodes in the data. The data is published, and the grouping of the nodes is extended to subsequent temporal releases of the data, the nodes of which are grouped in accordance with the grouping used with the data.

Abstract: A method and system for distributing content on a network through network-wide transactions is disclosed. The method and system monitors the network using triggered measurement of the performance of an element of the network, dynamically computing, based on the monitoring, the regions of the network with available performance capacity for the transaction to proceed at a given time, determining, based on the computing, a scheduled time for the transaction to proceed, and distributing the content according to a schedule related to the scheduled time.

Abstract: A user is prevented from being identified at each of a plurality of sites. An indication to sell access to the user at one of the plurality of sites is received. A personal information marketplace is provided to run an auction to sell the access to the user at the one of the plurality of sites. In response to a sale of the access to the user at the one of the plurality of sites to an aggregator, access to track the user at the one of the plurality of sites while maintaining anonymity of the user is provided to the aggregator.

Abstract: Disclosed are method and apparatus for identifying members of a social network who have a high likelihood of providing a useful response to a query. A query engine examines the personal pages of a set of members and automatically gleans semantic information relevant to the query. From the automatically-gleaned semantic information, a score indicative of the likelihood that the member may provide a useful response is calculated.

Abstract: Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.

Abstract: According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.

Abstract: Narrowcast communication to one or more narrowcast communication recipients is provided through the use of an extensible method and apparatus. A narrowcast communication sender determines a set of attributes that define who will be eligible to receive a narrowcast communication. The set of attributes characterize potential recipients according to qualities such as interests, location, or another descriptor of a potential narrowcast communication recipient. Through the use of a privacy sphere, attributes associated with the narrowcast communication are matched to the qualities of potential recipients to identify the network addresses of the narrowcast communication recipients. The narrowcast communication is then transmitted to those network addresses. The narrowcast communication can be then expired from recipients who are no longer eligible to receive it and transmitted to recipients who become eligible to receive the narrowcast communication.

Abstract: Traffic flow from a traffic source with a source IP address to a customer system with a destination IP address is filtered by comparing the source IP address to a customer blacklist. If the source IP address is on the customer blacklist, then traffic to the customer system is blocked; else, traffic to the customer system is allowed. The customer blacklist is generated from a network blacklist, comprising IP addresses of unwanted traffic sources, and a customer whitelist, comprising IP addresses of wanted traffic sources. The customer blacklist is generated by removing from the network blacklist any IP address also on the customer whitelist. The network blacklist is generated by acquiring raw blacklists from reputation systems. IP addresses on the raw blacklists are sorted by prefix groups, which are rank ordered by traffic frequency. Top prefix groups are selected for the network blacklist.

Abstract: A method and apparatus for detecting an originator of traffic of interest is provided. One or more honeypots are established. Mobility is then provided to the one or more honeypots. In one embodiment, mobility is provided by communicating information associated with one or more dark prefixes. In another embodiment, mobility is provided by varying information related to the one or more dark prefixes.

Abstract: A module is configured to identify a phishing Web site. The module identifies email associated with a Web site and transmitted to a plurality of recipients. The module then determines that the Web site has received less than a first threshold amount of traffic before a first time. The module then determines that the Web site has received more than a second threshold amount of traffic between the first time and a second time (i.e., a spike in traffic between the first time and the second time). The module then determines that at least a portion of the more than a second threshold amount of traffic is received as a result of the email associated with the Web site being sent to the plurality of recipients.

Abstract: A method and apparatus for providing an application utility metric for an application by taking into account of multiple protocols used by the application as well as at least one interaction of the application at the application-level that is deemed to be useful are disclosed. For example, the method computes a protocol overhead of one or more underlying Internet Protocol suite protocols supporting the application. The method also computes an application-level overhead based on at least one application-level interaction. Finally, the method computes the application-level utility metric in accordance with the protocol overhead and the application-level overhead.

Abstract: The present disclosure is directed to systems, methods, and computer-readable storage media for anonymizing data over multiple temporal releases. Data is received, and nodes and connections in the data are identified. The data also is analyzed to identify predicted connections. The nodes, the connections, and the predicted connections are analyzed to determine how to group the nodes in the data. The data is published, and the grouping of the nodes is extended to subsequent temporal releases of the data, the nodes of which are grouped in accordance with the grouping used with the data.

Abstract: Disclosed is a system and method for the sharing of intrusion-related information. The sharing of intrusion-related information occurs via a peering relationship between a first Internet Service Provider (ISP) and a second ISP. A first node associated with a first ISP transmits intrusion-related information to a second node associated with a second ISP. The first node identifies intrusion-related information meeting a first criteria. The first node then transmits the intrusion-related information to the second node. The intrusion-related information includes one or more of a list of attackers that previously probed the first node, the protocol used, the time of the probes, and the individual alarms raised.

Abstract: A request is received at a resource server for a first resource, the request accompanied by a proxy filter. A second resource is identified based on the proxy filter and based on a relationship between the first resource and the second resource. The first resource and information regarding the second resource is provided to a network interface for communication to a proxy server.

Abstract: A disclosed method for implementing anti-tracking measures for a web browser includes refreshing anti-tracking data structure responsive to satisfying at least one of a set of anti-tracking refresh criteria. The anti-tracking data structure may include opt-out cookie data indicative of a set of opt-out cookies, uniform resource locator (URL) anti-tracking data indicative of a set of URLs associated with URL tracking, and Referer header field anti-tracking data indicative of a set of URLs susceptible to Referer header field tracking. Responsive to a web browser of a user device generating a request for a third-party web page specified by a browser URL, at least a portion of the browser URL is compared against the anti-tracking data structure. If a match in the URL anti-tracking data or the Referer header field anti-tracking data is detected, the browser URL may be modified. The refreshing of anti-tracking data may include pulling a current anti-tracking data structure from an anti-tracking server.

Abstract: In accordance with an aspect of the invention, a method and system are disclosed for constructing an embedded signature in order to facilitate post-facto detection of leakage of sensitive data. The leakage detection mechanism involves: 1) identifying at least one set of words in an electronic document containing sensitive data, the set of words having a low frequency of occurrence in a first collection of electronic documents; and, 2) transmitting a query to search a second collection of electronic documents for any electronic document that contains the set of words having a low frequency of occurrence.

Abstract: A technique for examining the relationships of autonomous systems (ASes) participating in an Internet Exchange Point (IXP) utilizes packet tracing servers proximate the IXPs. Where such packet tracing servers cannot be found in the participating ASes, the methodology identifies additional vantage points by looking at a list of ASes that are one hop away from the ASes at the IXP. The choice of one-hop away ASes is made judiciously by picking ones that have better connectivity, based on past-data. Plural-hop ASes may also be used where necessary.

Abstract: A method includes identifying at a gateway device of a network a plurality of devices connected to the network. The method includes monitoring network traffic at the gateway device and determining that a particular traffic flow associated with one of the plurality of devices violates a privacy constraint. The method also includes providing a risk assessment associated with the privacy constraint violation. The risk assessment is at least partially based on terms and conditions associated with a particular device of the plurality of devices.

Abstract: The disclosed technology provides a negotiation-based mechanism for a user to share personally identifiable information with a requesting website, for example, a third party website such as an aggregator website that might be gathering information about the user. The user, rather than being limited to a pre-set collection of privacy options, is free to agree to share more or less of their privacy with any website or subset of websites based on the user's trust of the requesting website.

Abstract: Disclosed is a method and system for determining one or more performance characteristics of a target server. A command is transmitted from a coordinator to a plurality of clients. The command instructs the plurality of clients to each transmit a request targeting a sub-system of said target server. A response time is then received from each client and a performance characteristic is determined from the received response times.