Abstract: Improvements in intrusion detection are disclosed by providing intrusion event filtering and/or generic attack signature processing. These services may be integrated into a system or server that is the potential target of attack, or alternatively may be implemented in a network device. Filtering may be provided using sensitivity levels and suspicion levels. Generic attack signatures describe relatively broad classes of intrusions. Intrusion detection policy information may be used to direct the actions to be taken upon detecting an attack.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing.

Abstract: IPSec rules are searched in an improved manner to reduce processing overhead. For selected connectionless protocols, packets are treated as if they were part of a simulated connection. A pseudo-connection memory block is allocated with the creation of each socket and IPSec security binding information is stored in the pseudo-connection memory block on a first packet. Thereafter, as long as the source address and port in incoming packets on the same socket or destination address and port in outgoing packets on the same socket remain the same, the packets are treated as part of a simulated connection. The security rules are not searched again until the simulated connection terminates or the static rule table is modified. In the preferred embodiment, security binding is made only to the static rule or placeholder.

Abstract: Ipsec rules are searched in order from rules containing the most specificity of attributes to those containing the least specificity of attributes. The static rules include placeholders for sets of dynamic rules. The placeholders in the static table immediately precede and point to an associated set of dynamic rules. Dynamic rules are searched only if a placeholder is found to be the first matching rule in the static table. Sets of dynamic rules are partitioned into separate groups. Within each group there is no rule order dependence. Each such group is searched with an enhanced search mechanism, such as a search tree. Searching is further improved by searching at layers higher than the IP layer.

Abstract: Methods, systems (apparatus) and computer program products are provided which control access to a shared resource in a data processing system by predicting utilization of the shared resource based upon historical utilization of the shared resource. Users of the shared resource are then notified of a potential shortage of the shared resource if the prediction predicts that the shared resource will be over-utilized. The prediction may utilize a linear extrapolation to predict future utilization of the share resource. Furthermore, the interval between predictions of the future utilization may be based on time, number of utilization events or a combination of the two.

Abstract: Management of datastream construction prior to transmission of the datastream across a channel of a communications system by providing for data blocking while reducing movement or copying of the data improves the performance in a communications system. Multiple header segments received from a higher layer in the communications stack are copied into the datastream header area of a datastream such that the header segments are sequentially stored in the datastream header area. A datastream buffer list having entries referencing the datastream header area is generated. Buffer list entries referencing data segments received from higher layers in the communications stack are also stored in the datastream buffer list. The data segments are not physically moved or copied into the datastream during processing by the communications stack. Rather, a "virtual" datastream is generated by the communications stack for transmission without physically moving or copying the data segment.

Abstract: Management of the processing of relatively large data objects in a communications stack having multiple layers improves the performance in a communications system in preparing relatively large data objects for transmission across a communications network. This reduces or eliminates data movement and copying during segmentation of the relatively large data objects into relatively small data objects, and appendage of headers to the relatively small data object segments during processing in the communications stack. A shared storage manager creates and controls multiple tokens representing multiple images of portions of the relatively large data objects to enable separate scheduling of the multiple images from the same storage unit or buffer to be passed from one layer in a communications stack to the next lower layer in the communications stack. The large data object is segmented into a plurality of relatively small data object segments at one or more of the layers in the communications stack.

Abstract: Transmission control improves the performance in a communications system relating to transferring large data objects between domains or applications. This reduces or eliminates data movement between domains by transferring ownership of the "container" containing the data as opposed to moving the contents of the container from one domain to another domain resulting in copying the large data object. Thus, transmission control provides for control of the transmission of relatively large data objects between domains in a communications system which otherwise only allows efficient transmission of relatively small data objects between domains in a communications system. Tokens are assigned and associated with buffers containing the data to be shared. The token is not an address, but rather an identifier for the buffer which can be transferred from one domain to a second domain without requiring the copying of the data.

Abstract: Effective memory management maximizes the use of main memory in a computing system by avoiding the issuance of operating system primitives which result in overhead and increased processing time. This allows an applications program to change the state of a storage unit such as a buffer or page without requiring the issuance of an operating system primitive to change the physical state of the storage unit. A storage manager is provided for controlling the movement of data between storage units in secondary storage and storage units in main memory. A storage unit state indicator or flag is associated with each storage unit in main memory. In addition, a system state indicator for indicating the physical state of a storage unit is also associated with each storage unit. The system state indicator may be set to one of the states of fixed or pageable while the storage unit state indicator may be set to one of the states of fixed, pageable or don't care.