Abstract: A method and apparatus provide improved cache coherency and more effective caching operations without placing an undue burden on network links. A proxy receives a request for a resource and then, depending on information in the proxy cache, generates a resource request for transmission to a resource server. The proxy appends a proxy filter to the request. The resource server maintains one or more volumes of resources based on some predetermined criterion that can be either static or dynamic in nature. Upon receipt of the request and the proxy filter the resource server generates a request response and a piggybacked list of additional resources selected from the volume with which the requested resource is associated.

Abstract: Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.

Abstract: According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.

Abstract: In accordance with an aspect of the invention, a method and system are disclosed for constructing an embedded signature in order to facilitate post-facto detection of leakage of sensitive data. The leakage detection mechanism involves: 1) identifying at least one set of words in an electronic document containing sensitive data, the set of words having a low frequency of occurrence in a first collection of electronic documents; and, 2) transmitting a query to search a second collection of electronic documents for any electronic document that contains the set of words having a low frequency of occurrence.

Abstract: In accordance with an aspect of the invention, leakage prevention is implemented by: a) associating—within a network—a unique identifier with a packet transmitted by a process which has previously accessed data containing sensitive information, and b) searching a packet before it exits a network for the unique identifier. This mechanism provides a strong guarantee against leakage of sensitive data out of a network by facilitating the monitoring of packets which potentially contain the sensitive information. The unique identifier may be located in the header of the packet, which is detectable without requiring a heavy investment of network resources. Additionally, a packet's movement within a network may be tracked by analyzing trapped system calls. Furthermore, an exiting packet may be analyzed by a network firewall, the firewall utilizing various policies to determine how to proceed when a packet containing a unique identifier is located.

Abstract: A method for clustering together network IP addresses is disclosed. A number of IP addresses are received and processed to determine which IP addresses share a longest prefix matching. The longest prefix matching process is performed according to radix encoded trie which facilitates on-line clustering of the IP addresses. Client and/or server IP addresses may be clustered in accordance with the teachings herein.

Abstract: In accordance with an exemplary embodiment of the present invention, a method is provided that includes maintaining a plurality of identification bits associated with a user and a minimum personal privacy level identifying if any of the plurality of identification bits are authorized for disclosure, and receiving a request for one or more identification bits of the plurality of identification bits. The method also includes determining whether the identification bits of the request exceed the minimum personal privacy level, and if the identification bits of the request exceed the minimum personal privacy level, identifying to the user the identification bits of the request that exceed the minimum personal privacy level. A computer-readable recording medium having stored thereon computer-executable instructions is provided, and an exemplary system is provided.

Abstract: Disclosed is a method and system for determining one or more performance characteristics of a target server. A command is transmitted from a coordinator to a plurality of clients. The command instructs the plurality of clients to each transmit a request targeting a sub-system of said target server. A response time is then received from each client and a performance characteristic is determined from the received response times.

Abstract: A method and apparatus for tracking communications in a network are disclosed. For example, the method receives a subscription from a customer for a service to track at least one variable associated with a plurality of communicants of the customer. The method identifies a plurality of members of a social network of the customer, and gathers communication data associated with the plurality of members for tracking the at least one variable. The method then displays at least one result derived from the communication data to the customer.

Abstract: Disclosed is a method and apparatus for compensating for a performance degradation of an application session in a plurality of application sessions associated with a network link. The performance of each application session in the plurality of application sessions associated with the network link is determined. The performance of each application session in the plurality is then compared. From this comparison, a lowest performance application session in the plurality of application sessions is identified. Corrective action is performed on packets scheduled to be transmitted over the lowest performance application session.

Abstract: Systems and methods of processing database search queries are provided. A method of processing database search queries includes receiving a database query from a query source. The method also includes determining location information associated with the query source based at least partially on an Internet Protocol (IP) address associated with the database query. The method further includes determining, based at least partially on the location information, whether the query source satisfies a required source attribute. The method also includes withholding information requested by the database query when the required source attribute is not satisfied.

Abstract: A method and system for distributing content on a network through network-wide transactions is disclosed. The method and system monitors the network using triggered measurement of the performance of an element of the network, dynamically computing, based on the monitoring, the regions of the network with available performance capacity for the transaction to proceed at a given time, determining, based on the computing, a scheduled time for the transaction to proceed, and distributing the content according to a schedule related to the scheduled time.

Abstract: The present invention is a method for improving delivery of content to a client communicating with a server on the Web. Groups or clusters of clients are formed by processing the IP addresses of the clients according to a network-aware, radix-encoded trie classification process. The groups of clients are categorized based on information about one or more clients in each group that can be determined by the server. That information is used to help drive tailored actions on the part of Web servers. Users with poor connectivity may choose not to spend much time at a Web site if it takes a long time to receive a page, even if the Web server at the site is not the bottleneck. Retaining such clients may be of interest to a Web site. Better-connected clients may be able to receive enhanced representations of Web pages such as with higher quality images.

Abstract: The present invention is a method for improving delivery of content to a client communicating with a server on the Web. Groups or clusters of clients are formed by processing the IP addresses of the clients according to a network-aware, radix-encoded trie classification process. The groups of clients are categorized based on information about one or more clients in each group that can be determined by the server. That information is used to help drive tailored actions on the part of Web servers. Users with poor connectivity may choose not to spend much time at a Web site if it takes a long time to receive a page, even if the Web server at the site is not the bottleneck. Retaining such clients may be of interest to a Web site. Better-connected clients may be able to receive enhanced representations of Web pages such as with higher quality images.

Abstract: A method for clustering together network IP addresses is disclosed. A number of IP addresses are received and processed to determine which IP addresses share a longest prefix matching. The longest prefix matching process is performed according to radix encoded trie which facilitates on-line clustering of the IP addresses. Client and/or server IP addresses may be clustered in accordance with the teachings herein.

Abstract: The present invention increases the efficiency of performing longest prefix matching operations by selecting a radix-encoded trie structure optimized with respect to memory cost. The structure is optimized by determining memory costs for retrie structures indexed on different numbers of high-order characters, and then selecting the structure corresponding to the lowest memory cost. The optimization improves performance in IP look-up operations as well as longest-prefix matching operations performed on general alphabets.

Abstract: Disclosed is an informed sampling technique for biasing a sample data set toward network data of interest for a particular application. Network data received at a network node (for example at a rate which is greater than a sampling rate for which the network node is configured) is chosen to be included in a sample set based on one or more predetermined signatures which are chosen to bias the sample set toward network data of interest for a particular application. For example, the sample set may be biased to include data of interest for fraud detection, spam detection, and intrusion detection. The particular signature(s) may be predefined by a user, or may be automatically generated by another network application. The invention may be implemented at various levels and nodes of a network. For example, the informed sampling may be implemented at a traffic monitoring function of a network router, a flow collector which receives network flow data from the router, or both.

Abstract: Disclosed is a system and method for the sharing of intrusion-related information. The sharing of intrusion-related information occurs via a peering relationship between a first Internet Service Provider (ISP) and a second ISP. A first node associated with a first ISP transmits intrusion-related information to a second node associated with a second ISP. The first node identifies intrusion-related information meeting a first criteria. The first node then transmits the intrusion-related information to the second node. The intrusion-related information includes one or more of a list of attackers that previously probed the first node, the protocol used, the time of the probes, and the individual alarms raised.

Abstract: Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.

Abstract: A method and apparatus for detecting an originator of traffic of interest is provided. One or more honeypots are established. Mobility is then provided to the one or more honepots. In one embodiment, mobility is provided by communicating information associated with one or more dark prefixes. In another embodiment, mobility is provided by varying information related to the one or more dark prefixes.