Abstract: A mechanism for detecting denial of service attacks in a digital communications system is described. A probabilistically determined portion of input packets of a connection are processed using a hash function to determine whether the packets belong to the flow initiated by a TCP SYN packet. The hash function includes a secret key for additional security. The result of the hash function is added to a value which is dependent on the sequence number of a packet being processed.

Abstract: An implant for occluding a passage in a circulatory system of a human body comprises elongate members (1) which can be twisted into fixation structures and at least two occluding bodies (2, 2?) being attached to the elongate members (1) and being arranged at a distance to each other. This implant combines the advantages of a single occluding body implant with the advantages of a double occluding body implant.

Abstract: A method and system for routing traffic in a communication network is disclosed that may include assigning each node in a network a first subset of route repository nodes and a second subset of route repository nodes, querying the second subset of route repository nodes in order to obtain route information that is stored in the second subset of route repository nodes, computing route information by applying a route computation algorithm to the first subset of route repository nodes, and routing traffic in the communication network based on the route information obtained from the second subset of route repository nodes and the route information computed using the first subset of route repository nodes.

Abstract: A method and apparatus for monitoring a communication network is provided. The network includes a plurality of node electronics units communicatively coupled to at least one central control processing unit through at least one network wherein each network includes a network switch. The method includes coupling a monitoring domain to the network, and receiving at least one of network traffic transmitted on at least one of the monitored links, and network traffic received on at least one of the monitored links through at least one monitoring link. The apparatus includes a plurality of node electronics units communicatively coupled to at least one central control processing unit through at least one network wherein each network includes a network switch, and wherein the apparatus comprises a monitoring domain.

Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.

Abstract: A system and method are provided for key-based network equipment remote access authentication. A remote client machine and a piece of network equipment perform client-server authentication while the network equipment employs an access validation server to perform access validation for key-based authentication.

Abstract: A method and system for filtering malicious packets received at the edge of a service provider (SP) domain is provided. A protocol aware border element identifies the protocol used by any ingress packet, and then determines which domain-specific information is used in the application payload of the packet to form the source identity. If this packet pretends to come from the SP domain, and no domain entity is allowed to roam, the packet is identified as illegitimate and is subjected to a given security policy. The border element also identifies as legitimate the SP domain entities that are allowed to roam, and legitimate sources outside said SP domain that communicates customary with entities in the SP domain.

Abstract: Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detect a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or whilst the communication is active.

Abstract: The invention is directed to providing threat and risk analysis for a network that has a high degree of inter-relationships and interdependencies among the assets comprising it, using a “cut set” enumeration method. The identified cut sets are used as the basis to the threat and risk analysis, since each cut set may affect the traffic between two dependent assets in the network, and thereby affect the security state of the dependent assets themselves. The affected security state may be confidentiality, integrity, availability, or other network or security relevant parameter.

Abstract: This method and system for detecting abnormal traffic in a communications network is based on classifying the traffic in risk and status categories and maintaining a service status table with this information for each service at a respective node. The risk categories are initially established based on known software vulnerabilities recognized for the respective service. An early notifier enables further processing of services suspected of malware propagation. Status categories enable segregating the traffic with a “under attack status” from the “non under attack” status, so that the intrusion detection system at the respective node only processes the “under attack” traffic. In this way, the time and amount of processing performed by the intrusion detection system is considerably reduced.

Abstract: A method and system for monitoring and controlling a power distribution system is provided. The system includes a plurality of circuit breakers and a plurality of node electronic units. Each node electronic unit is mounted remotely from an associated circuit breaker that is electrically coupled with one of the node electronic units. The system also includes a first digital network, and a first central control unit. The first central control unit and the plurality of node electronic units are communicatively coupled to the first digital network. The method includes receiving digital signals from each node electronic unit at the central control unit, determining an operational state of the power distribution system from the digital signal, and transmitting digital signals to the plurality of node electronic units such that the circuit breakers are operable from the first central control unit.

Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and Fin packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts are determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.

Abstract: A method for synchronizing a plurality of processors within a computer system is provided. The computer system includes a plurality of processors that are each communicatively coupled to a respective network wherein each network is independent of each other network. The method includes receiving a plurality of input signals at a first rate from at least one source, transmitting the input signals to a reference object, and transforming the input signal to a known temporal reference. The apparatus is configured to receive a plurality of input signals at a first rate from at least one source, transmit the input signals to a reference object, and transform the input signal to a known temporal reference.

Abstract: A method for communicating information bundled in digital message packets via a digital network communication system is provided. The digital network communication system a sample source and each packet includes a header and a communication payload area. The method includes sampling the source at a first sample rate, selecting at least one decimation of the samples based on at least one of a plurality of algorithmic data rates and a channel bandwidth, determining a packet rate based on a plurality of algorithmic latency requirements, and transmitting the digital message packet containing decimated data on the digital network.

Abstract: A protection system for a power distribution system is provided. The protection system includes a central computer, a plurality of data modules, and a data network. The data modules are each in communication with a different circuit breaker of the power distribution system. The data network communicates between the central computer and the plurality of data modules. The central computer sends an instruction to the plurality of data modules over the data network to aid in synchronization of sampling of a power condition at the plurality of data modules.

Abstract: Methods and apparatus for improving the resilience of wireless packet-switched networks to Layer-2 attacks is provided via a lightweight mechanism for detecting spoofed frames. The mechanism enables a receiving node to detect spoofed frames from information contained in cookies sent with frames. A first cookie, containing initial information, is sent to the receiving station from the transmitting node along with the first frame of a frame set. For each received frame, spoofing detection includes applying a function to information received via a corresponding cookie received with the subject frame, the result of which function is compared with information received via a previous cookie. The validity of the subject frame is asserted if the result of applying the function to information received in the corresponding subject cookie correlates with previous or initial information received in a previous or the first cookie, respectively. An exemplary implementation includes using a one-way hashing function.

Abstract: A method and apparatus for operating a power distribution system circuit breaker is provided. The circuit breaker includes an associated node electronics unit wherein a node electronics unit redundancy requirement is predetermined. The method includes monitoring electrical system parameters associated with the circuit breaker with the node electronics unit, communicating the electrical system parameters over a digital network to at least one central control processing unit, receiving commands and actions from the at least one central control processing unit over the digital network, determining circuit breaker actuation commands based at least partially on the received commands and actions, and operating the circuit breaker based on the circuit breaker actuation commands.

Abstract: A dispenser of single-use portions of preparations for beverages, comprising a structure that supports at least one storage assembly for single-use portions provided with a discharge outlet for the discharge of the portions, at least one distribution assembly for the portions which is provided with an outlet for dispensing said portions and with a device for transferring the portions from the discharge outlet to the dispensing outlet, which are interposed between the storage assembly and the distribution assembly.

Abstract: A system for improving security of management and control functions at a network element in a communications network is described. The control card of the network element is configured to function in association with an execution device such as a smartcard. The execution device has embedded thereon one or several processors each implementing specific security related operations. This limits access to the network element which, in turn, minimizes access to sensitive and confidential information.

Abstract: A method for operating a power distribution system is provided. The power distribution system includes a plurality of components, and at least one node electronics unit coupled to at least one control processing unit. The method includes associating a unique identifier with at least one component class of the power distribution system, identifying each component based on the identifier, determining a specification associated with each identifier, and operating at least one of the node electronics unit and the control processing unit based on the determined specification.