Abstract: A message processor accesses an electronic message. The message processor identifies from within the electronic message any schema-based time markers including time related message data associated with the message processor. The message processor determines if a schema-based time marker within the electronic message should be modified. This can include signing a portion of time related message data to indicate to a subsequent message processor that the time related message data can be trusted. The message processor routes the message (either directly or through one or more intermediary message processors) to a destination message processor. The destination message process receives the message and processes the electronic message according to time related message data included in the message. This can include trusting the portion time related data that was singed by the message processor.

Abstract: Moving replicas in a cryptographically secure manner such that the target location and timing of the movements are completely hidden from any user, or is kept as a secret by a limited number of users who have been given advanced notice of the new location and relocation time for a replica. A catalog of replica locations that describe the current location of the replicas is stored in encrypted form so as to prevent individuals from determining the exact location of the replicas. Since the location of the replicas is hidden at any given moment, attackers may not use the location of the replicas in order to attack all of the replicas at the same time. Accordingly, recovery mechanisms may have an opportunity to recover from any given attack by once again creating replicas from those replicas that had not been attacked.

Abstract: A group identifier represents an association between each of a number of different abbreviated namespace identifiers with a corresponding hierarchical namespace (e.g., an XML namespace). A hierarchically-structured document (e.g., an XML document) is accessed by a computing system that determines that the group identifier is associated with the hierarchically-structured document. Hence, when using the abbreviated namespace identifiers in the hierarchically-structured document, the computing system knows that the corresponding namespace is associated with the designated portions of the hierarchically-structured document. Also, a schema description language document (e.g., an XSD document) may specify multiple target namespaces for a single element. Accordingly, groupings of elements may be included in different namespaces to creating overlapping or even nested namespaces.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: A method and system are provided such that a universal license may be used for authentication and authorization purposes and may include one or more cryptographic keys as well as assertions and related indications of authenticity. In an aspect of the invention, a license may be presented that includes access information, such that authentication and authorization decisions may be made based only on the access information. In other aspects of the invention, rights may be delegated and a trusted party may assert that another party can be trusted.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: A method and system are provided for delivering event messages in a secure scalable manner. A network includes an event distribution device serving as an event generation device for generating and disseminating an event message through the network to event distribution devices serving as edge event delivery devices having recipient devices connected thereto. Event messages may be encrypted at the event generation device for each of the destination recipient devices or event messages may be encrypted at each of the edge event delivery devices for delivery to respective recipient devices connected thereto. A signing key may also be included with the encrypted message such that the respective recipient devices may authenticate a sender of the encrypted message based on the signing key. Encryption keys may be established based on policies of the network of event distribution devices or based on policies of the respective recipient devices.

Abstract: Profile controls for profiling a distributed application are included in messages that are also used by the distributed application to transport data. A profile initiator causes profile controls to be inserted in the header portion of a message that is being transported across a distributed system. The profile initiator may insert profile controls directly or may cause a message router that receives the message to merge profile controls into the message. The message router may receive profile controls from the profile initiator or from computer-readable media that are maintained at the message router. The message, which now includes distributed application data and profile controls, is routed to a message recipient. The message recipient accesses the message to identify profile actions that are to be performed at the message recipient. The message recipient performs at least one of the identified profile actions.

Abstract: Debug controls for debugging a distributed application are included in messages that are also used by the distributed application to transport data. A debug initiator causes debug controls to be inserted in the header portion of a message that is being transported across a distributed system. The debug initiator may insert debug controls directly or may cause a message router that receives the message to merge debug controls into the message. The message router may receive debug controls from the debug initiator or from configuration files that are maintained at the message router. The message, which now includes distributed application data and debug controls, is routed to a message recipient. The message recipient accesses the message to identify debug functions that are to be performed at the message recipient. The message recipient performs at least one of the identified debug functions.

Abstract: A method and system are provided for managing a security threat in a distributed system. A distributed element of the system detects and reports suspicious activity to a threat management agent. The threat management agent determines whether an attack is taking place and deploys a countermeasure to the attack when the attack is determined to be taking place. Another method and system are also provided for managing a security threat in a distributed system. A threat management agent reviews reported suspicious activity including suspicious activity reported from at least one distributed element of the system, determines, based on the reports, whether a pattern characteristic of an attack occurred, and predicts when a next attack is likely to occur. Deployment of a countermeasure to the predicted next attack is directed in a time window based on when the next attack is predicted to occur.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: Testing information for testing a distributed application is included in messages that are also used by the distributed application to transport data. A test initiator causes test information to be inserted in the header portion or a header element of a message that is being transported across a distributed system. The test initiator may insert test information directly or may cause a message router that receives the message to merge test information into the message. The message, which now includes distributed application data and test information, is routed to a message recipient. The message recipient accesses the message to identify tests that are to be performed at the message recipient. The message recipient performs at least one of the identified tests. Inserting and routing test information, as well as, performing tests may be done in a transport-independent manner.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: A method and apparatus for analyzing the performance of a data processing system, particularly a distributed data processing system, provide a system user with tools for analyzing an application running thereon. Information about the flow and performance of the application can be specified, captured, and analyzed, without modifying it or degrading its performance or data security characteristics, even if it is distributed across multiple machines. The user interface permits the system user to filter the performance information, to set triggers which the performance analyzer is able to reduce and/or combine, to observe multiple time-synchronized displays of performance data either in real time or post mortem, and to play and re-play the operation of an automatically generated application model. The invention is implemented in part by providing suitable Application Program Interfaces (APIs) in the operating system of the data processing system.

Abstract: Methods and systems for providing a virtual network are disclosed. At least one layer of abstraction is created between network service applications and conventional network protocols by inserting an adaptive dispatcher between applications and network transport services on each machine in a network. The message protocol in the virtual network is extensible, allowing application programs to create new headers within any message as needed. The adaptive dispatcher contains handlers that route and dispatch messages within the virtual network based on arbitrary content within each message, including any combination of headers and/or data content. Each device on the virtual network has a virtual address to which messages are directed, allowing devices to move within the network without reconfiguring routing tables.

Abstract: Multiple different credentials and/or signatures based on different credentials may be included in a header portion of a single electronic message. Different recipients of intermediary computing systems may use the different credentials/signatures to identify the signer. The electronic message may include an encoding algorithm and a type identification of a credential included in the electronic message, allowing the recipient to decode and process the credential as appropriate given the type of credential. Also, the electronic message may include a pointer that references a credential associated with a signature included in the electronic message. That referenced credential may be accessed from the same electronic message, or from some other location. The recipient may then compare the references credential from the credentials used to generate the signature. If a match occurs, the integrity of the electronic message has more likely been preserved.

Abstract: Methods, systems, and data structures for communicating object metadata are provided. A generic metadata container is presented that allows object metadata to be described in an extensible manner using protocol-neutral and platform-independent methodologies. A metadata scope refers to a dynamic universe of targets to which the included metadata statements correspond. Metadata properties provide a mechanism to describe the metadata itself, and metadata security can be used to ensure authentic metadata is sent and received. Mechanisms are also provided to allow refinement and replacement of metadata statements. The generic metadata container can be adapted to dynamically define access control rights to a range of objects by a range of users, including granted and denied access rights.