Abstract: Embodiments of the claimed subject matter provide a method of controlling access to resources in a social graph. One embodiment of the method includes receiving information for configuring a query in response to a service being invoked. The service is configured to use the query to request access to resources associated with a node in a portion of a social graph associated with a first user. The method also includes associating the query with the node. The query operates on the resources associated with the node and returns information indicating whether a request to access the resources is granted or denied depending on a current state of the social graph.

Abstract: Embodiments of the claimed subject matter provide methods that support extension of web service application programming interfaces using query languages. In one embodiment, a method is provided that includes modifying an interface to a social graph. The social graph includes nodes connected by edges that represent relationships between the nodes, which form a plurality of trees associated with users to the social graph. Modifying the interface includes adding a node to at least one user's tree and attaching one or more queries to the node. The attached queries operate on a sub-tree of the added node. The interface is modified in response to the user(s) invoking a service configured to perform queries on the sub-tree.

Abstract: In one embodiment, a counting method of the invention uses an adaptive sketching-update process to compress an unknown cardinality into a counter value that counts the number of binary ones in a hashed bitmap vector. The sketching-update process is probabilistic in nature and uses bit-flip probabilities that are adaptively decreased as the counter value increases. Parameters of the sketching-update process are selected so that the relative error of cardinality estimates obtained based on the counter values is relatively small and substantially constant over a relatively wide range of cardinalities, e.g., from one to about one million. Due to the latter property, the counting method can advantageously be implemented in the form of embedded software that relies on a relatively small, fixed amount of memory.

Abstract: Embodiments of the claimed subject matter provide methods that support extension of web service application programming interfaces using query languages. In one embodiment, a method is provided that includes modifying an interface to a social graph. The social graph includes nodes connected by edges that represent relationships between the nodes, which form a plurality of trees associated with users to the social graph. Modifying the interface includes adding a node to at least one user's tree and attaching one or more queries to the node. The attached queries operate on a sub-tree of the added node. The interface is modified in response to the user(s) invoking a service configured to perform queries on the sub-tree.

Abstract: Embodiments of the claimed subject matter provide a method of controlling access to resources in a social graph. One embodiment of the method includes receiving information for configuring a query in response to a service being invoked. The service is configured to use the query to request access to resources associated with a node in a portion of a social graph associated with a first user. The method also includes associating the query with the node. The query operates on the resources associated with the node and returns information indicating whether a request to access the resources is granted or denied depending on a current state of the social graph.

Abstract: A method comprises operations for receiving a binary data structure including a portion representing a protocol validation specification expressed in a respective protocol validation specification language and for receiving a security policy rule having an action part specifying that the binary data structure is to be used for verifying that application protocol payload of network packets complies with the protocol validation specification. After receiving the binary data structure and the security policy rule, an operation is performed for verifying that application protocol payload of received network packets complies with the protocol validation specification. Such verifying is initiated in response to determining that the security policy rule applies to the received network packets and such verifying includes validating the application protocol payload of the received network packets against the binary data structure.

Abstract: In one embodiment, the present invention is a technique for processing fragments received at a node (e.g., a router) in a datagram-based communication system in order to provide a wide range of protection against potential fragment-based attacks. Received fragments are examined as they are received to verify that they do not overlap one another and that the fragment sequence does not exploit common weaknesses in IP packet-reassembly algorithms. Valid fragment sequences that represent potential threats to the receiver can be reordered and/or fully or partially re-assembled and re-fragmented into a fragment sequence that eliminates or reduces the threat to the receiver. Fragmented sequences that represent a likely attack are blocked, as are subsequent fragments of the associated packet.

Abstract: A method comprises operations for receiving a binary data structure including a portion representing a protocol validation specification expressed in a respective protocol validation specification language and for receiving a security policy rule having an action part specifying that the binary data structure is to be used for verifying that application protocol payload of network packets complies with the protocol validation specification. After receiving the binary data structure and the security policy rule, an operation is performed for verifying that application protocol payload of received network packets complies with the protocol validation specification. Such verifying is initiated in response to determining that the security policy rule applies to the received network packets and such verifying includes validating the application protocol payload of the received network packets against the binary data structure.

Abstract: In one embodiment, the present invention is a technique for processing fragments received at a node (e.g., a router) in a datagram-based communication system in order to provide a wide range of protection against potential fragment-based attacks. Received fragments are examined as they are received to verify that they do not overlap one another and that the fragment sequence does not exploit common weaknesses in IP packet-reassembly algorithms. Valid fragment sequences that represent potential threats to the receiver can be reordered and/or fully or partially re-assembled and re-fragmented into a fragment sequence that eliminates or reduces the threat to the receiver. Fragmented sequences that represent a likely attack are blocked, as are subsequent fragments of the associated packet.