Abstract: A method and system for multicast network transmissions dynamically sets response time parameters for handling negative acknowledgments (NAKs). When the sender receives a NAK for a lost packet, it returns an NAK confirmation (NCF), waits for a back-off time before sending requested repair data, and then waits for a “linger time” during which the sender does not respond to other NAKs for the same lost packet. The back-off time and the linger time are dynamically set according to the position of the requested sequence number in the sender's transmit window such that the back-off time is shorter when the requested data is closer to being flushed out of the transmit window. After receiving the NCF, the receiver waits for a timeout period and resends the NAK if no repair data is received. The timeout period for data receipt is dynamically set according to a statistical average time for receiving repair data from the sender and the estimated sender's transmit window size.

Abstract: A novel system and method increase battery life for portable computing devices through intelligent display management. A user interface allows a user to input threshold values and parameters such that power management actions are taken should battery power fall below the thresholds. Such actions include the reduction of size to the projected display, disabling of network activity, and management of intensive CPU processes.

Abstract: To provide enhanced quality of service (QoS) communication capability, a wireless network is implemented in which different channels are used for conveying different types of data and in which wireless devices are selectively operated in either an infrastructure or ad hoc mode automatically selected to make best use of the available communication bandwidth. For example, a wireless device for a computer can be operated selectively as a client wireless device that is in communication with a legacy access point in an infrastructure mode on one channel, while using one or more different channels to communicate selectively in either ad hoc mode or infrastructure mode with client devices. To make efficient use of wireless devices, IEEE 802.11a or 802.11g wireless devices are used for communicating audio/video data on one channel, while an IEEE 802.11b wireless device is used on a different channel for communicating web page data.

Abstract: A protocol and method for establishing wireless data sessions between wireless clients, each of which support multiple wireless protocols is presented. A commonly supported wireless protocol is utilized to share the wireless protocols supported by the clients' circuitry. A wireless data session is then established based on the common capabilities of the wireless clients. Where multiple common protocols are supported, user preferences are utilized to determine which of the commonly supported protocols will be utilized for the wireless data session. Once a data session is established, the control channel may be idled periodically to conserve power. Alternatively, the protocol utilized in the wireless data session may be used to transmit control messages using the protocol of the present invention.

Abstract: A system and method for enabling a zero configuration nomadic wireless and wired computing environment presenting a just works experience is presented. The system examines predefined user preference or profile settings to determine to which of a competing number of wireless networks available it should connect, and what type of authentication should be used for such connection. Nomadic wireless computing between infrastructure wireless networks and ad hoc wireless networks may be accomplished without further user intervention required in an auto mode. Also, both infrastructure only and ad hoc only modes are available through the system of the invention. Further, the user may set a preference for infrastructure or ad hoc modes in the auto mode. With an infrastructure mode preference set, the system will automatically detect and transfer connectivity to a newly available infrastructure wireless network if the user was previously operating off-line or in ad hoc mode.

Abstract: Methods and systems are provided for dynamically subscribing for access to a wireless wide-area network via an online process. Subscription information and user credentials are digitally transmitted by a network carrier to a networking device and is stored locally by the device in a SmartCard, other portable medium, or on the device's hard drive. The locally stored credentials and information may subsequently be updated wirelessly. No human interaction is required to subscribe, and access may be limited by a variety of criteria. A subscription may be used to access networks operated by multiple network carriers.

Abstract: A method and system for enhancing a load balancing network's ability to load balance sessions is presented. A session identifier is placed within the TCP packet to enable a new mechanism of load distribution and connection grouping within a load balancing system. Specifically, TCP is invoked by a user application to obtain a unique session identifier value. TCP places the session identifier as a sender session identifier within the OPTIONS field of the TCP header. As an alternative, a session identifier can be placed within a session header that is attached to the TCP packet. On receiving such a packet, the destination load balancing system hashes over at least the session identifier value, and the node corresponding to the results of the hash algorithm acquires the packet. This method of hashing ensures that the same node acquires all subsequently received TCP packets possessing the same session identifier regardless of the source IP address or source port information.

Abstract: Disclosed are methods for a client, having established one set of security keys, to establish a new set without having to communicate with an authentication server. When the client joins a group, master session security keys are derived and made known to the client and to the group's access server. From the master session security keys, the access server and client each derive transient session security keys, used for authentication and encryption. To change the transient session security keys, the access server creates “liveness” information and sends it to the client. New master session security keys are derived from the liveness information and the current set of transient session security keys. From these new master session security keys are derived new transient session security keys. This process limits the amount of data sent using one set of transient session security keys and thus limits the effectiveness of any statistical attacker.

Abstract: A method and mobile node are disclosed that facilitate persisting virtual private network structures across multiple network addresses assigned to the mobile node. The method includes initially setting up a virtual private network tunnel between a mobile node and a virtual private network tunnel server. Virtual private network structures that support the virtual private network tunnel are based upon a home address specified for the mobile node. When the mobile node changes addresses, the mobile node transmits a binding update to the virtual private network tunnel server specifying the new network address. Thereafter, a mapped relation is created from the new network address to the home address for the mobile node, thereby facilitating continued use of virtual private network structures that are based upon the home address for the mobile node.

Abstract: A Network State Database (NSD) can comprise information regarding the network-centric state of one or more computing devices connected to a network. The information contained in the NSD can be passively received by the NSD, or it can be actively obtained by the NSD. Additionally the NSD can comprise either a centralized collection of information, or a distributed collection of information independently maintained and conceptualized as a single entity. The information of the NSD can be used by a Network Risk Management Service (NRMS) to appropriately respond and protect the network. The NRMS can provide relevant information from the NSD to subscribers, which can independently act to protect the network. The NRMS can likewise itself instruct computing devices regarding an appropriate action, or it can itself instruct the performance of such action.

Abstract: Architecture for facilitating access of remote system software functionality by a host machine for the redirection of incoming and/or outgoing host traffic through the remote system for protection services to the host machine. The host machine can gain the benefits of effective protection software such as firewall, intrusion protection software, and anti-malware services, of the remote machine. The host machine can choose to exercise traffic redirection when there is a risk of being compromised, and then revert back to direct communications when the risk has been averted. The host machine takes advantage of the resources available on the remote machine in substantially realtime with minimal disruption to the host and/or the remote machine operations. This facilitates widespread and temporary protection of network systems for a more secure working environment and improved customer experience.

Abstract: A system and method for wireless network communications provides a “dual-mode” wireless device that operates concurrently as a member of two disjoint wireless networks, such as an infrastructure (“IS”) network and an ad hoc (“AH”) network. The dual-mode device has a wireless controller driver inserted in its networking stack (e.g., the stack comprising of the Network and NDIS drivers) that exposes two virtual wireless network adapters, one for the first wireless network and one for the second wireless network. Each virtual wireless network adapter has an associated queue for queuing packets in the flow for the corresponding wireless network mode. The wireless controller driver controls the switching of the network mode. In one embodiment where the two networks include an IS network and an AH network, the mode switching is triggered by poll signals transmitted by an access point of the IS network.

Abstract: Virtual machine (VM) management using a group name. By associating VM registration information with a group name, all VMs running off a single physical machine image can be managed (e.g., blocked or unblocked) simultaneously. A service component captures registration information (e.g., IP address-VM name pair) between a virtual machine and a name server. The IP address-VM name pair is recorded (or stored) in the name server database. Based on the VM pair, a record component generates a group name, and stores the VM pair in association with the group name in the name server database. Blocking of the group name then blocks all VMs associated with the group name. Moreover, queries against the group name will then expose all operational VMs for that host. Updates to the group name record can be made based on registration and deregistration of VMs for a given host machine.

Abstract: A dynamic risk management system for operating systems that provides monitoring, detection, assessment, and follow-up action to reduce the risk whenever it rises. The system enables an operating system to protect itself automatically in dynamic environments. The risk management system monitors a diverse set of attributes of the system which determines the security state of the system and is indicative of the risk the system is under. Based on a specification of risk levels for the various attributes and for their combinations, the risk management system determines whether one or more actions are required to alleviate the overall risk to the system.

Abstract: A novel system and method increase battery life for portable computing devices through intelligent display management. A user interface allows a user to input threshold values and parameters such that power management actions are taken should battery power fall below the thresholds. Such actions include the reduction of size to the projected display, disabling of network activity, and management of intensive CPU processes.

Abstract: If a service detects that a state of a computer system deviates from an acceptable state, the computer system can be prevented from accessing network resources or locations, except for those network resources or locations that would bring the state into compliance. Monitored states can include whether applications or the operating system have been properly purchased, whether they have been properly updated, and whether they are being properly used given the environment of their usage. Network restrictions can be implemented through a parental control mechanism, a domain name service mechanism, or other like mechanisms, and can include redirection to appropriate network resources or locations.

Abstract: Management of security firewall settings in a networked computing environment is described. One example embodiment includes applying security settings and exceptions to the security settings based on network class for network communication, and upon detection of an event, revoking at least one exception for at least one network in a specified class.

Abstract: A system and method for a network aware firewall is disclosed. The method includes accessing a first network connection from a client computer system and determining whether the first network connection is public or private. The method further includes dynamically modifying security parameters associated with a firewall local to the client computer system in response to determining whether the network connection is public or private.

Abstract: A facility is provided for conditionally reserving resources in an operating system. In various embodiments, the facility receives an indication of a conditional reservation declarator that identifies at least a resource, an action, a condition, and a principal. The conditional reservation declarator can specify a directive that corresponds to the identified resource, action, condition, and principal. The facility configures itself to apply the specified directive in relation to the identified action and resource when the principal attempts to perform the identified action in relation to the identified resource and the condition is met. The facility can apply the specified directive when it determines that the principal is attempting to perform the identified action on the identified resource when the condition is met.

Abstract: A computer system attempts to authenticate with a server to gain authorization to access a first network. It is determined by the server that the computer system is not authorized to access the first network. The computer system is given authorization to access a second network for at least the purpose of downloading files (e.g., signup and configuration files) needed to access the first network. A user-interface for receiving user-entered signup information is automatically presented at the computer system. A first schema-based document including user-entered information is transferred to the server. If the server determines that the user-entered information is appropriate, a second-schema document, which includes an indication of authorization to access the first network (e.g., a user-identifier and password), is received. A third schema-based document is executed at the computer system to compatibly configure the computer system for accessing the first network.