Abstract: A method and apparatus for monitoring data traffic in a communication network are provided. A router connected to the communication network monitors information contained in the data traffic, and based on the information determines whether data in the traffic is indicative of a malicious threat to one or more resources connected to the network. Parameters which control monitoring of traffic at the router, such as the sampling rate and what information is to be extracted from the data is varied according to the condition of the network so that the monitoring can be adapted to focus on traffic which relates to a particular suspected or detected threat.

Abstract: Service-centric communication network monitoring apparatus and methods are provided. Service traffic, associated with a third-party service provided by an external service provider that is controlled independently of a communication network, is identified in communication traffic that is being transferred through that communication network. The identified service traffic is monitored, for example, to compile service usage statistics, to police usage of the service, to generate billing records for usage of the service, and/or to mirror the identified service traffic. A registry in which the service is registered may interact with a monitoring system of the communication network so as to establish monitoring for the service traffic.

Abstract: Secure communication network user mobility apparatus and methods are disclosed. A mobile user that is locally connected to a first communication network in which a service is provided, but is associated with an independently controlled second secure communication network, may be authenticated for access to the service by the second communication network. This allows seamless user mobility between networks in a partner extranet or other collection of trusted networks based on existing inter-network user mobility relationships. Access control, monitoring, and reporting, for example, and possibly other functions, may also be provided.

Abstract: Service-centric communication network monitoring apparatus and methods are provided. Service traffic, associated with a third-party service provided by an external service provider that is controlled independently of a communication network, is identified in communication traffic that is being transferred through that communication network. The identified service traffic is monitored, for example, to compile service usage statistics, to police usage of the service, to generate billing records for usage of the service, and/or to mirror the identified service traffic. A registry in which the service is registered may interact with a monitoring system of the communication network so as to establish monitoring for the service traffic.

Abstract: Service-centric communication network monitoring apparatus and methods are provided. Service traffic, associated with a third-party service provided by an external service provider that is controlled independently of a communication network, is identified in communication traffic that is being transferred through that communication network. The identified service traffic is monitored, for example, to compile service usage statistics, to police usage of the service, to generate billing records for usage of the service, and/or to mirror the identified service traffic. A registry in which the service is registered may interact with a monitoring system of the communication network so as to establish monitoring for the service traffic.

Abstract: Network service operational status monitoring methods and apparatus are disclosed. Responsive to a service status request associated with a network service, an operational status of the network service is determined by an intermediary between a service status requester and the network service. The operational status is a service-specific operational status of the network service in some embodiments. Operational status may be determined through a multi-level procedure in which subsequent levels after a first level of the multi-level procedure are or are not performed depending on a result of a preceding level of the procedure. A multi-level procedure may involve a service connectivity check and a service operational check, for instance.

Abstract: Methods and systems are presented for controlling application layer message traffic at a central web services resource in which a web services gateway associated with the central resource sends a backoff message to a gateway associated with a remote web service client, which in turn slows the application layer message traffic to the central resource.

Abstract: The WS-Mobile Gateway is the interworking gateway between users of a mobile network and a WS extranet. The mobile gateway comprises a mobile end-user interface on the side of the mobile network, for user authentication and for separating the web services (WS) traffic from the non-WS traffic. A logic unit performs protocol conversion, address resolution, policy enforcement/definition and publishing operations on the WS traffic. An extranet interface processor routes the WS packets carrying control messages between the gateway and a WS controller which maintains the services registry, while the WS packets carrying data are routed between the mobile gateway and the WS provider.

Abstract: Methods and systems are presented for controlling application layer message traffic at a central web services resource in which a web services gateway associated with the central resource sends a backoff message to a gateway associated with a remote web service client, which in turn slows the application layer message traffic to the central resource.

Abstract: A system for service access exception tracking and related method including an exception detection engine that receives a web services request message, the web services request message associated with at least one web service and a controller that sends a script to the exception detection engine, the script comprising a set of rules for the at least one web service. In various exemplary embodiments, the exception detection engine detects at least one exception in the web services request message by applying the set of rules and drops the web services request message.

Abstract: A selective, flow-based datapath architecture is described. A Flow Control Block Manager (FCBM) is located in a flow-based datapath for selectively and intelligently processing packets in the Flow Path. If, according to the FCBM, efficiency gains can be achieved by creating a flow control block and employing flow-based processing on a packet stream, the packets are processed accordingly. If, however, insufficient gains are anticipated the packets are processed in a flow-unaware manner. The FCBM determines the manner in which to process packets based on a set of criteria.

Abstract: A method of web services replica management and associated web service gateways, the method including one or more of the following: sending a web service request from a client application through a local web service gateway; discovering a plurality of remote web service gateways offering replicas of the requested web service; determining a communication delay between the discovered plurality of remote web service gateways and the local web service gateway; creating a cluster manager in a local web service gateway; creating a cluster for a replica web services composite client application; adding a plurality of replica web services to the cluster; adding at least one policy to the cluster; calculating a community of web service replicas based on the at least one policy, such as a replica selection policy that may include an information policy and a load estimation method; and determining an optimum web service replica among the discovered plurality of remote web service gateways.

Abstract: Network service operational status monitoring methods and apparatus are disclosed. Responsive to a service status request associated with a network service, an operational status of the network service is determined by an intermediary between a service status requester and the network service. The operational status is a service-specific operational status of the network service in some embodiments. Operational status may be determined through a multi-level procedure in which subsequent levels after a first level of the multi-level procedure are or are not performed depending on a result of a preceding level of the procedure. A multi-level procedure may involve a service connectivity check and a service operational check, for instance.

Abstract: Network service usage management systems and methods are disclosed. Associations between network services and network service user groups are used to enable usage of network services by members of the network service user groups. The network service user groups are independently and separately manageable, to form respective virtual extranets for instance. Actual usage of the network services may be controlled in accordance with the associations, and possibly also in accordance with respective group policies for the network service user groups. Network service user groups may be self-managed within an administrative domain in which service provider systems supporting the network services are located, or externally managed. Group and service information for externally managed groups may be exchanged between equipment that is within and outside an administrative domain.

Abstract: Publication subscription service apparatus and methods are disclosed. Restricted forwarding of an electronic publication that is made available to a publication subscription service by a publishing entity may be provided by determining, based on a forwarding restriction established for the electronic publication by the publishing entity, whether the electronic publication is to be forwarded to subscriber systems that are associated with respective subscriptions to the publication subscription service. In a distributed publication subscription service, electronic publication forwarding decisions are independently made at gateway devices or access points that provide access to the service for subscriber systems.

Abstract: Service-centric communication network monitoring apparatus and methods are provided. Service traffic, associated with a third-party service provided by an external service provider that is controlled independently of a communication network, is identified in communication traffic that is being transferred through that communication network. The identified service traffic is monitored, for example, to compile service usage statistics, to police usage of the service, to generate billing records for usage of the service, and/or to mirror the identified service traffic. A registry in which the service is registered may interact with a monitoring system of the communication network so as to establish monitoring for the service traffic.

Abstract: Communication network application activity monitoring and control apparatus, methods, and data structures are disclosed. A communication network user that initiates access to an application provided in a communication network is identified. Records are dynamically created and maintained to reflect accesses by the user to the application and other applications that are provided in the communication network. The records track application activity by the user. Policies may be established and enforced to control application activity that the user may conduct in the communication network. Conformance with application access restrictions and regulations may be verified or demonstrated by reporting the records, and ensured through policy enforcement.

Abstract: Secure communication network user mobility apparatus and methods are disclosed. A mobile user that is locally connected to a first communication network in which a service is provided, but is associated with an independently controlled second secure communication network, may be authenticated for access to the service by the second communication network. This allows seamless user mobility between networks in a partner extranet or other collection of trusted networks based on existing inter-network user mobility relationships. Access control, monitoring, and reporting, for example, and possibly other functions, may also be provided.

Abstract: Secure domain information protection apparatus and methods are disclosed. Service access information associated with access, by an external user that is outside a secure domain, to a service that is provided in the secure domain is processed to determine whether it includes sensitive information. If so, a protection action is performed on the service access information, on an entire service message or to one or more portions thereof, for example, to protect the sensitive information. A specification language and execution environment are also proposed to provide for high speed processing. Sensitive information detection criteria, protection actions, and possibly targets on which the protection actions are to be performed, may be identified in a data structure stored on a machine-readable medium.

Abstract: The WS-Mobile Gateway is the interworking gateway between users of a mobile network and a WS extranet. The mobile gateway comprises a mobile end-user interface on the side of the mobile network, for user authentication and for separating the web services (WS) traffic from the non-WS traffic. A logic unit performs protocol conversion, address resolution, policy enforcement/definition and publishing operations on the WS traffic. An extranet interface processor routes the WS packets carrying control messages between the gateway and a WS controller which maintains the services registry, while the WS packets carrying data are routed between the mobile gateway and the WS provider.