Abstract: According to at least one aspect of the present disclosure, a method for grouping constituent flows of a multiplexed or tunneled flow is provided. The method comprises receiving one or more packets of the multiplexed flow; responsive to receiving the one or more packets, determining one or more attributes of the one or more packets of the multiplexed flow; determining, based on the one or more attributes, a predicted state of a next packet of the multiplexed flow; receiving the next packet; responsive to receiving the next packet, determining whether the next packet has an observed state that is similar to the predicted state; and responsive to determining that the observed state is similar to the predicted state, grouping the packet with the constituent flow.

Abstract: A system for performing packet based data communications over a parallel set of sublinks is provided. A transmitter unit separates the sublinks into an available set of sublinks and a busy set of sublinks. This transmitter avoids processing delays by utilizing sublinks in the available sublink set and not waiting for sublinks in the busy sublink set to be released. To receive the packets, a receiver unit utilizes a sequence number associated with each packet. Accordingly, the receiver extracts the one or more packets of data received in parallel over the set of sublinks in sequential order. A packet window buffer is used to store packets in sequence if they are initially received out of order. The receiver utilizes a sliding window to provide packets in continuous sequential order and transmits the packets serially over a single communication link.

Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.

Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.

Abstract: Systems and methods are disclosed for determining whether a mission has occurred. The disclosed systems and methods utilize event models that represent a sequence of tasks that an entity could or must take in order to successfully complete the mission. As a specific example, an event model may represent the sequence of tasks a malicious insider may complete in order to exfiltrate sensitive information. Most event models include certain tasks that must be accomplished in order for the insider to successfully exfiltrate an organization's sensitive information. Many of the observable tasks in the attack models can be monitored using relatively little information, such as the source, time, and type of the communication. The monitored information is utilized in a traceback search through the event model for occurrences of the tasks of the event model to determine whether the mission that the event model represents occurred.

Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

Abstract: Systems, methods, and devices for decoy routing and covert channel bonding are described. The decoy routing system includes a client computing device, a decoy router, and a decoy proxy such that packets addressed to a decoy destination are re-routed by the decoy router to a covert destination via the decoy proxy. The decoy routing method may be applied to a covert channel bonding process, in which a plurality of packet data streams are sent to one or more decoy destinations, re-routed appropriately via one or more decoy routers and/or decoy proxies, and assembled together into a single packet data stream at either a decoy proxy, or a final covert destination.

Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

Abstract: An arithmetic logic unit (140) improves the processing of information. The arithmetic logic unit (140) includes a register unit (250), a ternary content addressable memory (260), and an operations unit (270).

Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.

Abstract: Systems and methods are disclosed for collecting data from cores of a multi-core processor using collection packets. A collection packet can traverse through cores of the multi-core processor while accumulating requested data. Upon completing the accumulation of the requested data from all required cores, the collection packet can be transmitted to a system operator for system maintenance and/or monitoring.

Abstract: The invention relates to a transport protocol and associated methods and stack architectures for improving the energy efficiency of transmitting packets through an ad hoc network. The protocol controls transmissions by taking into account per-packet energy limits, per-node loss tolerances, and/or minimum availability rates determined based on path quality measurements collected by packets traversing the network and application reliability requirements associated with various applications.

Abstract: Embodiments of the invention reduce the probability of success of a DOS attack on a node receiving packets by decreasing the probability of random collisions of packets sent by a malicious user with those sent by honest users. The probability of random collisions may be reduced in one class of embodiments of the invention by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. The probability of random collisions may be reduced in another class of embodiments of the invention by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.

Abstract: A system (200) detects transmission of potentially malicious packets. The system (200) receives, or otherwise observes, packets and generates hash values based on variable-sized blocks of the packets. The system (200) then compares the generated hash values to hash values associated with prior packets. The system (200) determines that one of the received packets is a potentially malicious packet when one or more of the generated hash values associated with the received packet match one or more of the hash values associated with the prior packets.

Abstract: A system (126-129) detects transmission of potentially malicious packets. The system (126-129) receives packets and generates hash values corresponding to each of the packets. The system (126-129) may then compare the generated hash values to hash values corresponding to prior packets. The system (126-129) determines that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet. The system (126-129) may also facilitate the tracing of the path taken by a potentially malicious packet. In this case, the system (126-129) may receive a message that identifies a potentially malicious packet, generate hash values from the potentially malicious packet, and determine whether one or more of the generated hash values match hash values corresponding to previously-received packets.

Abstract: A system and method for performing source path isolation in a network. The system comprises an intrusion detection system (IDS), a source path isolation server (SS1) and at least one router configured to operate as a source path isolation router (SR1) operating within an autonomous system. When IDS detects a malicious packet, a message is sent to SS1. SS1 in turn generates a query message (QM) containing at least a portion of the malicious packet. Then, QM is sent to participating routers located one hop away. SR1 uses the query message to determine if it has observed the malicious packet by comparing it with locally stored information about packets having passed through SR1. SR1 sends a reply to SS1, and SS1 uses the reply to identify the ingress point into the network of the malicious packet.

Abstract: An arithmetic logic unit (140) improves the processing of information. The arithmetic logic unit (140) includes a register unit (250), a ternary content addressable memory (260), and an operations unit (270).

Abstract: A system acquires information about communication among wired or wireless nodes [110, 210] in a network [100, 200] by intercepting chunks of data in the network by a wired or wireless tap [120, 220] located among the wired or wireless nodes [110, 210] in the network. Characteristic information [400] about the intercepted chunks of data may be obtained. The characteristic information may include times of arrival [410] of the chunks of data at the wired or wireless tap [120, 220] and identifiers of wired or wireless source nodes [420] that sent the chunks of data. At least one signal may be constructed to represent the characteristic information over time.

Abstract: A system and method for identifying target packets in a network. The invention identifies packets by computing a hash value over at least a portion of a packet passing through a network device such as a router. The hash value is used as an address, or index, into a memory. The hash value identifies a unique memory address and a flag is set at the respective memory location. When a target packet is detected elsewhere in a network, the network device receives a query message containing a hash value of the target packet. The network device compares the target packet to the hash values in memory. A match between the hash value in memory and the hash value in the query message indicates the target packet was observed by the network device. After a match is detected, the network device makes a reply available to the network.