Patents by Inventor Pradeep Bahl

Pradeep Bahl has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7257836
    Abstract: A method for setting up and managing secure data/audio/video links with secure key exchanges, authentication and authorization is described. An embodiment of the invention enables establishment of a secure link with limited privileges using the machine identifier of a trusted machine. This is particularly useful if the user of the machine does not have a user identifying information suitable for authentication. Furthermore, the presentation of a default user identifying information by a user advantageously initiates intervention by a system administrator instead of a blanket denial. This decentralized procedure allows new users access to the network without having to physically access a centralized facility to present their credentials. Another embodiment of the invention enables a remote user to connect to a secure network with limited privileges.
    Type: Grant
    Filed: October 23, 2000
    Date of Patent: August 14, 2007
    Assignee: Microsoft Corporation
    Inventors: Timothy M. Moore, Arun Ayyagari, Sachin C. Sheth, Pradeep Bahl
  • Patent number: 7248570
    Abstract: A system and method is provided for coordinating wireless bandwidth usage of a common frequency band by wireless nodes in two disjoint networks, such as an infrastructure (“IS”) network and an ad hoc (“AH”) network. When AH nodes move into the transmission range of an access point of the IS network, they register with the access point and listen to the access point to tell them when they are allowed to transmit data over a given transmission channel. The access point coordinates the bandwidth usage by broadcasting ad hoc mode poll signals to indicate that the ad hoc nodes may transmit over the channel, and sending infrastructure mode poll signals to indicate that a wireless node in the IS network can transmit over the given channel. The access point makes a fraction of the bandwidth available for communications by the wireless AH nodes in its transmission range, while guaranteeing the rest of the bandwidth for wireless nodes in the IS network.
    Type: Grant
    Filed: September 17, 2001
    Date of Patent: July 24, 2007
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Paramvir Bahl
  • Publication number: 20070162909
    Abstract: Techniques for reserving resources in an operating system are provided. The techniques include receiving an indication of an authorization setting specifying a directive and identifying at least a resource, an action, and a principal, configuring to apply the specified directive in relation to the identified action and resource when the principal attempts to perform the identified action in relation to the indicated resource, determining that the principal is attempting to perform the identified action on the identified resource, and applying the specified directive. The techniques function whether or not the resources or principals exist when the resources are reserved.
    Type: Application
    Filed: January 11, 2006
    Publication date: July 12, 2007
    Applicant: Microsoft Corporation
    Inventors: Pradeep Bahl, Narasimha Nagampalli, Ramesh Chinta
  • Publication number: 20070101335
    Abstract: A computer-readable medium bearing computer-executable instructions which, when executed on a computer, carry out a method for handling a request for an operating system service is presented. The method comprises receiving a request for execution of an operating system service. The corresponding operating system service is then identified. A unique service identifier that corresponds to the requested operating system service is obtained. A service thread is generated, the thread being associated with an executing process. Storage associated with the service thread is initialized with the unique service identifier. Thereafter, the execution of the service thread is initiated.
    Type: Application
    Filed: November 3, 2005
    Publication date: May 3, 2007
    Applicant: Microsoft Corporation
    Inventors: Narasimha Nagampalli, Pradeep Bahl, Ramesh Chinta
  • Patent number: 7194263
    Abstract: A system and method for wireless network communications provides a “dual-mode” wireless device that operates concurrently as a member of two disjoint wireless networks, such as an infrastructure (“IS”) network and an ad hoc (“AH”) network. The dual-mode device has a wireless controller driver inserted in its networking stack (e.g., the stack comprising the Network and NDIS drivers) that exposes two virtual wireless network adapters, one for the first wireless network and one for the second wireless network. Each virtual wireless network adapter has an associated queue for queuing packets in the flow for the corresponding wireless network mode. The wireless controller driver controls the switching of the network mode. In one embodiment where the two networks include an IS network and an AH network, the mode switching is triggered by poll signals transmitted by an access point of the IS network.
    Type: Grant
    Filed: September 17, 2001
    Date of Patent: March 20, 2007
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Paramvir Bahl
  • Publication number: 20070016945
    Abstract: A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.
    Type: Application
    Filed: July 15, 2005
    Publication date: January 18, 2007
    Applicant: Microsoft Corporation
    Inventors: Charles Bassett, Eran Yariv, Ian Carbaugh, Lokesh Koppolu, Maksim Noy, Sarah Wahlert, Pradeep Bahl
  • Publication number: 20070016675
    Abstract: A computer system having secured network services is presented. The computer system comprises a processor, a memory, and a network action processing module. The network action processing module processes network actions from one or more network services executing on the computer system. The computer system is further configured to execute at least one network service performing network actions in conjunction with the network action processing module. Upon receiving a network action from a network service, the network action processing module determines whether the network action is a valid network action according to a network action control list. If the network action is determined to not be a valid network action, the network action is blocked. Alternatively, if the network action is determined to be a valid network action, the network action is permitted to be completed.
    Type: Application
    Filed: July 13, 2005
    Publication date: January 18, 2007
    Applicant: Microsoft Corporation
    Inventors: Pradeep Bahl, Ramesh Chinta, Narasimha Nagampalli, Scott Field
  • Patent number: 7146133
    Abstract: A wireless technology (e.g., Wi-Fi) coexistence architecture and method are disclosed for managing potential conflicts between wireless technology interference sources. A coexistence driver maintains a conflict map identifying potentially conflicting wireless technologies on a computing device. Such technologies, due to their use of overlapping transmission frequency spectra, potentially create signal interference with one another while transmitting. Managing such conflict is carried out by initially identifying conflicts arising from wireless technology interference sources based on entries within the conflict map for a set of currently installed wireless technology interfaces. Thereafter the coexistence driver creates a virtual coexistence driver to manage an identified set of conflicting wireless technology interference sources, wherein the coexistence driver regulates transmission of data sets by wireless technology interfaces according to a coexistence scheme including priority-based data transmissions.
    Type: Grant
    Filed: December 15, 2003
    Date of Patent: December 5, 2006
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Amer Hassan
  • Patent number: 7146418
    Abstract: A system and method for providing transparent mobility support employs a mobile service in an API layer of an operating system to leverage the capability of a session establishment service that implements the Session Initiation Protocol or the like for locating a remote node for session setup and detecting address change of the remote node. When an application on a correspondent host (CH) wants to communicate with a second application on a mobile host (MH), the mobility service of the CH uses the session establishment service to locate the mobile host and set up a session with it, and then sets up a transport data channel for the session. When the MH changes its network address, the session establishment service of the CH finds out the new address through the operation of the session establishment protocol and reestablishes the session with the MH.
    Type: Grant
    Filed: November 16, 2001
    Date of Patent: December 5, 2006
    Assignee: Microsoft Corporation
    Inventor: Pradeep Bahl
  • Publication number: 20060259967
    Abstract: In accordance with the present invention, a system, method, and computer-readable medium for sharing information between computers, computing devices, and computing systems in a networking environment to determine whether a network is under attack by malware is provided. In instances when the network is under attack, one or more restrictive security policies that protect computers and/or resources available from the network are implemented.
    Type: Application
    Filed: May 13, 2005
    Publication date: November 16, 2006
    Applicant: Microsoft Corporation
    Inventors: Anil Thomas, Michael Kramer, Mihai Costea, Pradeep Bahl, Rajesh Dadhia
  • Publication number: 20060239209
    Abstract: A system and method for enabling a zero configuration nomadic wireless and wired computing environment presenting a just works experience is presented. The system examines predefined user preference or profile settings to determine to which of a competing number of wireless networks available it should connect, and what type of authentication should be used for such connection. Nomadic wireless computing between infrastructure wireless networks and ad hoc wireless networks may be accomplished without further user intervention required in an auto mode. Also, both infrastructure only and ad hoc only modes are available through the system of the invention. Further, the user may set a preference for infrastructure or ad hoc modes in the auto mode. With an infrastructure mode preference set, the system will automatically detect and transfer connectivity to a newly available infrastructure wireless network if the user was previously operating off-line or in ad hoc mode.
    Type: Application
    Filed: September 27, 2005
    Publication date: October 26, 2006
    Applicant: Microsoft Corporation
    Inventors: Arun Ayyagari, Sachin Sheth, Krishna Ganugapati, Timothy Moore, Pradeep Bahl, Mihai Peicu, Florin Teodorescu
  • Publication number: 20060236392
    Abstract: In accordance with the present invention, a system, method, and computer-readable medium for aggregating the knowledge base of a plurality of security services or other event collection systems to protect a computer from malware is provided. One aspect of the present invention is a method that proactively protects a computer from malware. More specifically, the method comprises: using anti-malware services or other event collection systems to observe suspicious events that are potentially indicative of malware; determining if the suspicious events satisfy a predetermined threshold; and if the suspicious events satisfy the predetermined threshold, implementing a restrictive security policy designed to prevent the spread of malware.
    Type: Application
    Filed: March 31, 2005
    Publication date: October 19, 2006
    Applicant: Microsoft Corporation
    Inventors: Anil Thomas, Michael Kramer, Mihai Costea, Efim Hudis, Pradeep Bahl, Rajesh Dadhia, Yigal Edery
  • Patent number: 7120129
    Abstract: A system and method for enabling a zero configuration nomadic wireless and wired computing environment presenting a just works experience is presented. The system examines predefined user preference or profile settings to determine to which of a competing number of wireless networks available it should connect, and what type of authentication should be used for such connection. Nomadic wireless computing between infrastructure wireless networks and ad hoc wireless networks may be accomplished without further user intervention required in an auto mode. Also, both infrastructure only and ad hoc only modes are available through the system of the invention. Further, the user may set a preference for infrastructure or ad hoc modes in the auto mode. With an infrastructure mode preference set, the system will automatically detect and transfer connectivity to a newly available infrastructure wireless network if the user was previously operating off-line or in ad hoc mode.
    Type: Grant
    Filed: March 13, 2001
    Date of Patent: October 10, 2006
    Assignee: Microsoft Corporation
    Inventors: Arun Ayyagari, Sachin C. Sheth, Krishna Ganugapati, Timothy M. Moore, Pradeep Bahl, Mihai S. Peicu, Florin Teodorescu
  • Publication number: 20060174318
    Abstract: A method and system for selectively excluding a program from a security policy is provided. The security system receives from a user an indication of a program with a problem that is to be excluded from the security policy. When the program executes and a security enforcement event occurs, the security system does not apply the security policy. If the problem appears to be resolved as a result of excluding the program from the security policy, then the user may assume that the security policy is the cause of the problem.
    Type: Application
    Filed: January 28, 2005
    Publication date: August 3, 2006
    Applicant: Microsoft Corporation
    Inventors: Art Shelest, Pradeep Bahl, Scott Field
  • Publication number: 20060116148
    Abstract: A protocol and method for establishing wireless data sessions between wireless clients, each of which supports multiple wireless protocols, is presented. A commonly supported wireless protocol is utilized to share the wireless protocols supported by the clients' circuitry. A wireless data session is then established based on the common capabilities of the wireless clients. Where multiple common protocols are supported, user preferences are utilized to determine which of the commonly supported protocols will be utilized for the wireless data session. Once a data session is established, the control channel may be idled periodically to conserve power. Alternatively, the protocol utilized in the wireless data session may be used to transmit control messages using the protocol of the present invention.
    Type: Application
    Filed: August 5, 2005
    Publication date: June 1, 2006
    Applicant: Microsoft Corporation
    Inventors: Pradeep Bahl, Amer Hassan
  • Patent number: 7051087
    Abstract: The present invention relates to a system for automatic detection and configuration of network parameters. The system includes a first computer system for communicating to a network and at least a second computer system for providing network information. The first computer system queries the network and receives network information from the at least a second computer system before a network identification has been established for the first computer system. The system further includes a storage for storing at least one configuration associated with a network interface. The first computer system configures the network interface based upon the network information received from the at least a second computer system. Also, the first computer system may configure the network interface by determining a network identification associated with the network information and matching the at least one configuration with the network identification.
    Type: Grant
    Filed: June 5, 2000
    Date of Patent: May 23, 2006
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Ramesh K. Vyaghrapuri, Florin Teodorescu, Shirish R. Koti
  • Patent number: 7035258
    Abstract: A method and system for multicast network transmissions dynamically sets response time parameters for handling negative acknowledgments (NAKs). When the sender receives a NAK for a lost packet, it returns an NAK confirmation (NCF), waits for a back-off time before sending requested repair data, and then waits for a “linger time” during which the sender does not respond to other NAKs for the same lost packet. The back-off time and the linger time are dynamically set according to the position of the requested sequence number in the sender's transmit window such that the back-off time is shorter when the requested data is closer to being flushed out of the transmit window. After receiving the NCF, the receiver waits for a timeout period and resends the NAK if no repair data is received. The timeout period for data receipt is dynamically set according to a statistical average time for receiving repair data from the sender and the estimated sender's transmit window size.
    Type: Grant
    Filed: December 27, 2001
    Date of Patent: April 25, 2006
    Assignee: Microsoft Corporation
    Inventors: Mohammad Shabbir Alam, Pradeep Bahl, Shirish Koti
  • Publication number: 20060080446
    Abstract: A method and system for enhancing a load balancing network's ability to load balance sessions is presented. A session identifier is placed within the TCP packet to enable a new mechanism of load distribution and connection grouping within a load balancing system. Specifically, TCP is invoked by a user application to obtain a unique session identifier value. TCP places the session identifier as a sender session identifier within the OPTIONS field of the TCP header. As an alternative, a session identifier can be placed within a session header that is attached to the TCP packet. On receiving such a packet, the destination load balancing system hashes over at least the session identifier value, and the node corresponding to the results of the hash algorithm acquires the packet. This method of hashing ensures that the same node acquires all subsequently received TCP packets possessing the same session identifier regardless of the source IP address or source port information.
    Type: Application
    Filed: November 30, 2005
    Publication date: April 13, 2006
    Applicant: Microsoft Corporation
    Inventor: Pradeep Bahl
  • Patent number: 7020464
    Abstract: A system and method for mobility support handles address changes of a mobile host to provide transparent session continuity without packet overhead or the need for assistance of an agent on the network. When the mobile host changes to a new address, its old address is deprecated. The mobile host sends an address change message to each of its correspondent hosts over a secured control channel and preferably through a tunnel created based on the old and new addresses. Upon receiving the notification, the correspondent host returns an acknowledgment through the control channel and modifies its security filters and transport control parameters corresponding to the connection with the mobile host to use the new address. After receiving the acknowledgment, the mobile host modifies its security filters and transport control parameters for the connection to use the new address. As a result, the connection between the mobile host and the correspondent host has migrated to the new mobile host address.
    Type: Grant
    Filed: October 9, 2001
    Date of Patent: March 28, 2006
    Assignee: Microsoft Corporation
    Inventors: Pradeep Bahl, Nelamangala Krishanaswamy Srinivas
  • Publication number: 20060047791
    Abstract: Presented is a system and method for providing centralized address management of static IP addresses through the dynamic host control protocol. Static or permanent IP addresses are those addresses assigned by DHCP having an infinite lease time. The assignment of such static IP addresses follows the conventional DHCP mechanism for the assignment of other IP addresses. However, the centralized reclamation of a statically or permanently assigned IP address by a network administrator through the DHCP server presents novel aspects of the invention heretofore unknown. Specifically, through the system and method of the present invention, the DHCP server is capable of reclaiming at any point in time, a statically or permanently assigned IP address by transmitting a DHCP RECLAIM command to the DHCP client, or through its relay agent. In the normal situation, the DHCP client acknowledges the RECLAIM command, allowing the IP address to be placed in the FREE state.
    Type: Application
    Filed: August 18, 2005
    Publication date: March 2, 2006
    Applicant: Microsoft Corporation
    Inventor: Pradeep Bahl