Patents by Inventor Germano Caronni

Germano Caronni has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9191298
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for distributed forensics analysis. In one aspect, a method includes sending one or more requests to a client as part of a serialized flow for performing forensics analysis associated with the client; suspending the serialized flow at a first state; receiving responses to the one or more requests; resuming the flow at the first state to process the received responses; and advancing the serialized flow to a second state.
    Type: Grant
    Filed: August 1, 2011
    Date of Patent: November 17, 2015
    Assignee: GOOGLE INC.
    Inventors: Darren J. Bilby, Michael I. Cohen, Germano Caronni
  • Patent number: 8108547
    Abstract: A method for re-routing a request in a distributed system, that includes sending the request for an originating object, receiving the request at a root node of the originating object, determining whether the root node comprises a first forwarding pointer associated with the originating object, determining a first target object using the first forwarding pointer, if the first forwarding pointer is associated with the originating object, and re-routing the request to the first target object, wherein the distributed system implements an overlay network for message delivery.
    Type: Grant
    Filed: February 10, 2005
    Date of Patent: January 31, 2012
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn Carter Scott
  • Patent number: 7890633
    Abstract: A method of associating a range of destination IP addresses with a real IP address for use with the Virtual Address Resolution Protocol is disclosed. The destination addresses may be a range of virtual IP addresses in a virtual network or a range of real IP addresses in a physical network. A record of the association of the range of destination addresses with a single real IP address is stored in a Virtual Address Resolution Protocol lookup table which is utilized when sending messages from a virtual IP address. The ability to assign a range of destination addresses to a single real IP address represents an extension of the use of VARP. The association of multiple destination addresses to a single real IP address allows an electronic device to function as a router to a widely distributed real or virtual network. The virtual network of the present invention adds a layer of encryption to the originating virtual network by sending encrypted data packets between the origin and destination addresses.
    Type: Grant
    Filed: February 13, 2003
    Date of Patent: February 15, 2011
    Assignee: Oracle America, Inc.
    Inventors: Robert P. St. Pierre, Germano Caronni
  • Patent number: 7814228
    Abstract: A method of extending the functionality of a virtual network is disclosed. Messages intended for a virtual destination address located on a network equipped with a device performing packet filtering, network address translation or a similar function on the edge of the network (an “edge device”), are encapsulated in higher level protocols prior to being sent to the edge device. The virtual destination address may be associated with a process on the edge device or a process on another device in the interior of the network. Higher level protocol designations, including transport protocol designations accompanied by a port number and application protocol designations, are retrieved from an extended virtual address registration. Messages arriving at the edge device are determined by the Network layer to contain a higher level protocol and are passed up the Internet Protocol model stack to a higher layer.
    Type: Grant
    Filed: February 13, 2003
    Date of Patent: October 12, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Robert P. St. Pierre
  • Patent number: 7792300
    Abstract: A method for re-encrypting encrypted data in a secure storage file system, including obtaining selected data to re-encrypt from the secure storage file system using a user data access record and the encrypted data, decrypting the selected data using a symmetric key, re-encrypting the selected data using a new symmetric key to obtain new encrypted data, encrypting the new symmetric key using a public key to obtain a new encrypted symmetric key, storing the new encrypted data and the new encrypted symmetric key if the public key is associated with a file system user having read permission, and storing an encrypted hash data if the file system user has write permission.
    Type: Grant
    Filed: September 30, 2003
    Date of Patent: September 7, 2010
    Assignee: Oracle America, Inc.
    Inventor: Germano Caronni
  • Patent number: 7778970
    Abstract: A method for managing object evolution in a distributed object store (DOS) involving requesting an update of an object, wherein the object includes an active globally unique identifier (AGUID) object and at least one version globally unique identifier (VGUID) object, wherein the at least one VGUID object includes a first generation number and a first serializer name, locating a first serializer using the first serializer name, wherein the first serializer is associated with the first generation number, obtaining an order of the update using the first serializer, and creating a new VGUID object, wherein the new VGUID object includes a new version number, the first generation number, and the first serializer name.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: August 17, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn C. Scott
  • Patent number: 7765581
    Abstract: Methods and systems consistent with the present invention provide dynamic security policies that change the granularity of the security at the node level, process level, or socket level. Specifically, a channel number and virtual address are associated with various processes included in a process table. Since a security policy is required for all processes, secure and insecure processes located on the same channel may communicate with one another. Moreover, processes located on different channels may communicate with one another by a gateway that connects both channels. This scalable blanketing security approach provides an institutionalized method for securing any process, node or socket by providing a unique mechanism for policy enforcement at runtime or by changing the security policies.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: July 27, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kumar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7751569
    Abstract: The present invention uses a group key management scheme for admission control while enabling various conventional approaches toward establishing peer-to-peer security. Various embodiments of the invention can provide peer-to-peer confidentiality and authenticity, such that other parties, such as group members, cannot understand communications not intended for them. A group key may be used in combination with known unicast security protocols to establish, implicitly or explicitly, proof of group membership together with bi-lateral secure communication.
    Type: Grant
    Filed: November 19, 2002
    Date of Patent: July 6, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Glenn C. Scott
  • Patent number: 7730038
    Abstract: A method for locating a resource involves maintaining a capacity object configured to store server information for a plurality of servers, transmitting a resource request from a client to an indirection server comprising the capacity object, selecting one of the plurality of servers to service the resource request using server associated with the capacity object to obtain a selected server, and redirecting the resource request from the indirection server to the selected server.
    Type: Grant
    Filed: February 10, 2005
    Date of Patent: June 1, 2010
    Assignee: Oracle America, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn Carter Scott
  • Patent number: 7685309
    Abstract: Methods and systems consistent with the present invention establish a virtual network on top of current IP network naming schemes. The virtual network uses a separate layer to create a modification to the IP packet format that is used to separate network behavior from addressing. As a result of the modification to the packet format, any type of delivery method may be assigned to any address or group of addresses. The virtual network also maintains secure communications between nodes, while providing the flexibility of assigning delivery methods independent of the delivery addresses.
    Type: Grant
    Filed: August 11, 2005
    Date of Patent: March 23, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Sandeep Kulmar, Tom R. Markson, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7685312
    Abstract: A method for locating a free resource involves maintaining an address space containing a plurality of regions, wherein each of the plurality of regions is mapped with a server to obtain a mapping, transmitting a request for the free resource from a client to a request address that belongs to one of the plurality of regions, determining a selected server using the mapping, and directing the request for the free resource to the selected server.
    Type: Grant
    Filed: February 10, 2005
    Date of Patent: March 23, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn Carter Scott
  • Patent number: 7657543
    Abstract: A method for storing a first copy of an object, including obtaining the object including a globally unique identifier (GUID), generating a first derived GUID using the GUID of the object, storing the first copy of the object identified by the first derived GUID in a root node of the object, publishing possession of the first copy of the object identified by the first derived GUID by the root node of the object, associating a first shadow root with the first copy of the object, and storing the first copy of the object identified by the GUID in the first shadow root.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: February 2, 2010
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn C. Scott
  • Patent number: 7640339
    Abstract: A method for monitoring a target node in a distributed system, that includes determining a plurality of neighbor nodes of the target node, determining a plurality of neighbor watch nodes, wherein the plurality of neighbor watch nodes are selected from the plurality of neighbor nodes, monitoring at least one selected from the group consisting of data sent by the target node and data received by the target node, using at least one of the plurality of neighbor watch nodes to obtain tracking information, and determining, using at least one of the plurality of neighbor watch nodes, an action to perform using the tracking information and a response policy, wherein the action is specified in the response policy, wherein the distributed system implements an overlay network for message delivery.
    Type: Grant
    Filed: February 14, 2005
    Date of Patent: December 29, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn Carter Scott
  • Patent number: 7613774
    Abstract: A method for approving a response or a decision of an observed node in a distributed system that includes generating at least one selected from the group consisting of the response and the decision by the observed node, forwarding the at least one selected from the group consisting of the response and the decision to at least one of the plurality of chaperones associated with the observed node based on a chaperone scheme, and approving the at least one selected from the group consisting of the response and the decision by the plurality of chaperones using a chaperone voting policy and a chaperone approval policy to obtain at least one selected from the group consisting of an approved response and an approved decision, wherein the distributed system implements an overlay network for message delivery, and wherein the observed node and the plurality of chaperones communicate using the overlay network.
    Type: Grant
    Filed: March 1, 2005
    Date of Patent: November 3, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn Carter Scott
  • Patent number: 7590632
    Abstract: A method for serializer maintenance and coalescing in a distributed object store (DOS) including a first partition and a second partition, involving requesting an update of an object, wherein the object includes an active globally unique identifier (AGUID) object and at least one version globally unique identifier (VGUID) object, wherein the at least one VGUID object includes a first generation number and a first serializer name, determining whether a first serializer is located in the first partition using the first serializer name, wherein the first serializer is associated with the first generation number, if the first serializer is not located in the first partition, constructing a second serializer using the first serializer name, assigning a second generation number to the second serializer, obtaining an order of the update to the object using the second serializer, and creating a new VGUID object.
    Type: Grant
    Filed: January 28, 2005
    Date of Patent: September 15, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn C. Scott
  • Patent number: 7428220
    Abstract: The invention involves a method for aggregating data in a distributed system. The method includes specifying an aggregation scope including a plurality of nodes, where the plurality of nodes includes a destination node and a plurality of non-destination nodes. The method also includes defining an aggregation tree for the plurality of nodes using at least one Distributed Hash Table, where the destination node is the root of the aggregation tree and where each of the plurality of non-destination nodes is one selected from a group of an interior node and a leaf node in the aggregation tree. The method also includes determining a final aggregation result for the aggregation tree using an aggregation function and aggregation data stored on the destination node and the plurality of non-destination nodes.
    Type: Grant
    Filed: February 10, 2005
    Date of Patent: September 23, 2008
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Raphael J. Rom, Glenn Carter Scott
  • Patent number: 7336790
    Abstract: Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. Supernet nodes can be located on virtually any device in the public network (e.g., the Internet), and both their communication and utilization of resources occur in a secure manner. As a result, the users of a Supernet benefit from their network infrastructure being maintained for them as part of the public-network infrastructure, while the level of security they receive is similar to that of a private network. The Supernet has an access control component and a key management component which are decoupled. The access control component implements an access control policy that determines which users are authorized to use the network, and the key management component implements the network's key management policies, which indicate when keys are generated and what encryption algorithm is used.
    Type: Grant
    Filed: December 10, 1999
    Date of Patent: February 26, 2008
    Assignee: Sun Microsystems, Inc.
    Inventors: Germano Caronni, Amit Gupta, Tom R. Markson, Sandeep Kumar, Christoph L. Schuba, Glenn C. Scott
  • Patent number: 7328343
    Abstract: A system for group key management including a keying material infrastructure including a root portion configured to store a root public key, a key encryption key portion operatively connected to the root portion configured to store a traffic encryption key encrypted using a symmetric key encryption key, and a public key encryption key, and a first client operatively connected to the key encryption key portion configured to store the symmetric key encryption key encrypted using a first client symmetric key, and a first group member configured to access the traffic encryption key using the first client symmetric key.
    Type: Grant
    Filed: March 10, 2004
    Date of Patent: February 5, 2008
    Assignee: Sun Microsystems, Inc.
    Inventor: Germano Caronni
  • Patent number: 7320076
    Abstract: A method for generating a secure storage file system, including encrypting data using a symmetric key to obtain encrypted data, encrypting the symmetric key using a public key to obtain an encrypted symmetric key, storing the encrypted data and the encrypted symmetric key if the public key is associated with a user who only has read permission, generating an encrypted hashed data if the public key is associated with a user who has write permission, and storing the encrypted data, the encrypted symmetric key, and the encrypted hash data if the public key is associated with the user who has write permission.
    Type: Grant
    Filed: March 5, 2003
    Date of Patent: January 15, 2008
    Assignee: Sun Microsystems, Inc.
    Inventor: Germano Caronni
  • Patent number: 7254835
    Abstract: A method for conveying a security context, including creating and assigning a virtual address to a client process, issuing a first Internet Protocol version compliant packet wherein the first Internet Protocol version compliant packet comprises a security context, prepending an issued packet with a second Internet Protocol version header producing a second Internet Protocol version compliant packet, forwarding the second Internet Protocol version compliant packet to a recipient, stripping away the second Internet Protocol version compliant header from the second Internet Protocol version compliant packet producing a stripped packet at the recipient, decrypting and authenticating the stripped packet using a particular method as indicated by the security context producing a decrypted and authenticated packet, and routing the decrypted and authenticated packet to a recipient process using the virtual address.
    Type: Grant
    Filed: January 4, 2002
    Date of Patent: August 7, 2007
    Assignee: Sun Microsystems, Inc.
    Inventors: Robert P. St. Pierre, Germano Caronni