Abstract: Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.

Abstract: Malicious sources within networks are identified using bait traffic, including mobile IP messages, transmitted between a collaborating network device and a collaborating mobile client that has a fixed connection to the network. The bait traffic entices a malicious source to transmit malicious packets towards the collaborating mobile client and/or the network device. Upon receiving a malicious packet, the collaborating mobile client or the network device is able to identify the source of the packet as a malicious source and report the presence of the malicious source within the network.

Abstract: Malicious clients within a wireless access network are identified using bait traffic transmitted between a collaborating wireless access point and a collaborating client. The bait traffic entices a malicious client to transmit malicious traffic towards the collaborating wireless access point. Upon receiving the malicious traffic, the collaborating wireless access point is able to identify the malicious client and report the presence of the malicious client within the wireless access network.

Abstract: Malware detection systems are presented in which a list is constructed of enterprise hosts to or from which each given enterprise network host sends or receives packets within a current measurement period and statistics are accumulated based on two or more measurement period lists, with a count value being derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets, and one or more monitored hosts may be identified as suspected of being infected with slow and/or distributed scanning malware for which the count value exceeds a threshold value.

Abstract: Malware detection systems and methods are presented in which header data of protocol data units (PDUs) are examined at a wireless access switch shared by multiple clients, and the PDU type and client are used to establish counters, with the count values being analyzed to identify clients suspected of being infected with malware.

Abstract: Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.

Abstract: Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.

Abstract: A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.

Abstract: The invention detects stealth worm propagation by comparing the repeat elements in sets of destinations of a source in multiple time windows to a fitted distribution of same, stored as a benchmark plot. Measurements are performed over N time windows, wherein a representation of the set of destinations to which a respective source has sent packets is determined for each source, in each time window. The counting is performed using a hash table. Once N such sets of destinations have been obtained, the number Xk of destinations that are common to N, N?1, N?2, . . . , 2, 1 windows is determined. Thus Xk is the number of destinations that a particular source sent packets to in k time windows. Xk is then compared to the corresponding value on the plot; anomalies indicate an attack from the respective source.

Abstract: Packets of a certain type from a certain source are directed to a system that estimates the set of destinations and the number of new destinations for which that source has sent packets during a time window Ti. Instead of maintaining tables with the complete destination addresses for each source, the destination addresses are hashed and stored in a small bit array. The sets of destinations for a number of successive time windows are OR'ed for building cumulative tables Ci, where Ci includes all destinations that have been seen between T0 and Ti. The new destinations are determined by counting the destinations set in Ti but not in Ci-1. Any change from the typical patterns can be suspected as being a slow scan.

Abstract: A method for establishing a pseudo-wire connection between first and second switches in a packet switched network, the method comprising: sending a label mapping message to the second switch requesting that the pseudo-wire connection be established with the first switch; reserving resources for the pseudo-wire connection at the first switch; receiving a label withdraw message from the second switch if the second switch has insufficient resources for the pseudo-wire connection and, in response to the label withdraw message, releasing the resources for the pseudo-wire connection at the first switch; and, activating the pseudo-wire connection if the second switch has sufficient resources for the pseudo-wire connection, thereby optimizing resources for establishing pseudo -wire connections of each of the first and second switches.

Abstract: Infiltration of malware communications. Malicious programs infecting individual devices within a network oftentimes communicate with another infected device (e.g., a master device by which the infection was established on a slave device in the first place). During this call home to a master device (or receiving a call from the master device), vital information about the attack, target, master device, etc. may be transmitted. The call home may include information acquired/retrieved from the infected device, or it may request additional information from the infecting device. By monitoring the network messages associated with such call home attempts (including any errors associated therewith), an infected device may be identified and appropriate action be taken (e.g., continue monitoring, isolate infected device from network, generate call to network help desk, etc.). This approach may be implemented at a network level to help prevent further promulgation of the malicious program to other devices.

Abstract: Malicious clients within a wireless access network are identified using bait traffic transmitted between a collaborating wireless access point and a collaborating client. The bait traffic entices a malicious client to transmit malicious traffic towards the collaborating wireless access point. Upon receiving the malicious traffic, the collaborating wireless access point is able to identify the malicious client and report the presence of the malicious client within the wireless access network.

Abstract: Malicious sources within networks are identified using bait traffic, including mobile IP messages, transmitted between a collaborating network device and a collaborating mobile client that has a fixed connection to the network. The bait traffic entices a malicious source to transmit malicious packets towards the collaborating mobile client and/or the network device. Upon receiving a malicious packet, the collaborating mobile client or the network device is able to identify the source of the packet as a malicious source and report the presence of the malicious source within the network.

Abstract: Malware detection systems and methods are presented in which header data of protocol data units (PDUs) are examined at a wireless access switch shared by multiple clients, and the PDU type and client are used to establish counters, with the count values being analyzed to identify clients suspected of being infected with malware.

Abstract: Malware detection systems are presented in which a list is constructed of enterprise hosts to or from which each given enterprise network host sends or receives packets within a current measurement period and statistics are accumulated based on two or more measurement period lists, with a count value being derived from the statistics to indicate the number of other hosts to or from which each monitored host sent or received packets, and one or more monitored hosts may be identified as suspected of being infected with slow and/or distributed scanning malware for which the count value exceeds a threshold value.

Abstract: Methods and systems are presented for detection of malware such as worms in which a network switch entices the malware into sending scan packets by allocating one or more ports as bait addresses, sending outgoing bait packets, and identifying compromised hosts that send unexpected incoming packets to a bait address.

Abstract: A system and method of authenticating the identity of a remote fax machine during a faxing operation is provided. An X.509-type Certificate received from the remote fax machine is validated to affirm it can be properly associated with the remote machine. The Certificate's public key is used to verify the remote fax machine has the corresponding private key. A Certificate's Common Name then compared to an Expected Name to authenticate the identity of the remote fax machine prior to sending a fax to prevent an unwanted misdirection of faxed information and to screen incoming faxes for unwanted spam.

Abstract: A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.

Abstract: A conference call server comprises a collection of computer-executable instructions for facilitating conference call authentication functionality. Computer-executable instructions are provided for authenticating a plurality of invitees to a conference call session during the conference call session. Authenticating the plurality of conference call invitees includes cryptographically verifying an identity of each one of the conference call invitees using information associated with a respective authentication certificate. Computer-executable instructions are provided for outputting identification information contained in the authentication certificate of each one of the conference call invitees in response to successful authentication thereof. The identification information is outputted to at least one of the conference call invitees.