Abstract: Classification of network data packets includes a determination sets of one or more filter-identifiers where each set is associated with a respective data-packet classifier field. A result-set of filter-identifiers may be derived based on an intersection of the filter-identifier sets.

Abstract: Systems and methods for detecting and tracing a denial-of-service attack are disclosed. One aspect of the systems and methods includes providing a plurality of attack detection modules and a plurality of broker modules operable to communicably couple to a network. The attack detection modules operate to detect a potential denial-of-service attack on network segment. An attack signature for the potential denial of service attack may be forwarded to one or more broker modules on the network segment. The broker modules collectively analyze the data in order to determine a source or sources for the attack.

Abstract: A method and apparatus are provided that allow the automatic discovery of the topology of a network. In one embodiment, the invention includes identifying a second network device at a first network device, sending a message from the first network device to the second network device, the message establishing the identity of any network device between the first network device and the second network device, and compiling the established identities to determine the topology of the network. The invention can use PING and Traceroute utilities to find nodes and identify network devices.

Abstract: Denial of service type attacks are attacks where the nature of a system used to establish communication sessions is exploited to prevent the establishment of sessions. For example, to establish a Transmission Control Protocol (TCP)/Internet Protocol (IP) communication session, a three-way handshake is performed between communication endpoints. When a connection request is received, resources are allocated towards establishing the communication session. Malicious entities can attack the handshake by repeatedly only partially completing the handshake, causing the receiving endpoint to run out of resources for allocating towards establishing sessions, thus preventing legitimate connections. Illustrated embodiments overcome such attacks by delaying allocating resources until after the three-way handshake is successfully completed.

Abstract: A method for platform independent management of devices using option ROMs. Under one embodiment of the method, manageability data is stored in an option ROM of a peripheral device of a computer platform. The manageability data includes a descriptor that provides an identity, data type, access method and potentially other data to discover, access, and control the device. An embedded instance of the Sensor/Effector Interface (SEI) subsystem is provided by a management engine (ME) implementation via execution of corresponding firmware by the ME. Via the use of an out-of-band communication channel facilitated by the ME or other means (e.g., LAN microcontroller), management data retrieved from option ROMs, and the SEI, a remote management server is enabled to remotely manage various devices and/or the computer platform.

Abstract: According to some embodiments, a first resource data record is discovered, the first resource data record indicating a first memory location of first executable program code, a second resource data record indicating a second memory location of first managed resource data of a first manageable resource, and a third resource data record indicating a third memory location of second managed resource data of a second manageable resource. The first program code is retrieved from the memory location, and is executed to retrieve the first managed resource data from the second memory location, to retrieve the second managed resource data from the third memory location, and to perform an operation on the first managed resource data and the second managed resource data.

Abstract: A tamper-proof access monitor monitors accesses by software executing on a host processor to memory-mapped regions of memory that control input/output resources.

Abstract: Provided are a method, system and article of manufacture for adjusting interrupt levels. A current system interrupt rate at a computational device is determined, wherein the current system interrupt rate is a sum of interrupt rates from a plurality of interrupt generating agents. The current system interrupt rate is compared with at least one threshold interrupt rate associated with the computational device. Based on the comparison, an interrupt moderation level is adjusted at an interrupt generating agent of the plurality of interrupt generating agents.

Abstract: Method, apparatus, and system for isolating potentially vulnerable nodes of a network. In one embodiment a network is partitioned into subnets of varying levels of security. A client device may be assigned a network access assignment through one of the subnets based on a level of vulnerability assessed for the client device. The level of vulnerability may be determined based on compliance of the client device with available upgrades and/or patches.

Abstract: In order to prevent, or at least reduce, attacks on a computing device, such as denial of service attacks against a computer, or other attempts to compromise computing device security, when desired, presence of a person or properly configured response unit may be determined prior to fully-establishing a network connection between the computer device and a connecting device. While one goal is to allow determining a person is directing the actions of the connecting device before fully establishing the network connection, it will be appreciated that in certain circumstances it may be desirable to allow automated connection obtained by the response unit, such to allow diagnostics, backups, updates, etc. to be performed with the computing device.

Abstract: Systems and methods for detecting and tracing a denial-of-service attack are disclosed. One aspect of the systems and methods includes providing a plurality of attack detection modules and a plurality of broker modules operable to communicably couple to a network. The attack detection modules operate to detect a potential denial-of-service attack on network segment. An attack signature for the potential denial of service attack may be forwarded to one or more broker modules on the network segment. The broker modules collectively analyze the data in order to determine a source or sources for the attack.

Abstract: Provided are a method, system and article of manufacture for adjusting interrupt levels. A current system interrupt rate at a computational device is determined, wherein the current system interrupt rate is a sum of interrupt rates from a plurality of interrupt generating agents. The current system interrupt rate is compared with at least one threshold interrupt rate associated with the computational device. Based on the comparison, an interrupt moderation level is adjusted at an interrupt generating agent of the plurality of interrupt generating agents.

Abstract: Classification of network data packets includes a determination sets of one or more filter-identifiers where each set is associated with a respective data-packet classifier field. A result-set of filter-identifiers may be derived based on an intersection of the filter-identifier sets.

Abstract: Denial of service type attacks are attacks where the nature of a system used to establish communication sessions is exploited to prevent the establishment of sessions. For example, to establish a Transmission Control Protocol (TCP)/Internet Protocol (IP) communication session, a three-way handshake is performed between communication endpoints. When a connection request is received, resources are allocated towards establishing the communication session. Malicious entities can attack the handshake by repeatedly only partially completing the handshake, causing the receiving endpoint to run out of resources for allocating towards establishing sessions, thus preventing legitimate connections. Illustrated embodiments overcome such attacks by delaying allocating resources until after the three-way handshake is successfully completed.

Abstract: A system and method for determining the source, on a network, of unwanted messages generated by a malicious agent, toward a target device such as a web server. The malicious agent directs one or more computers on a sub network to direct a flood of communications toward the server on a second sub network designed to substantially reduce the ability of the server to respond to other communications. Messages passing through points on a path between the malicious agent computers and the server are monitored for indicia of messages uncharacteristic of normal network communication. The first point along the path that the unwanted messages pass through is identified. A network device at that point is instructed to block portion of communications passing through that point.

Abstract: A method and apparatus are provided that allow the automatic discovery of the topology of a network. In one embodiment, the invention includes identifying a second network device at a first network device, sending a message from the first network device to the second network device, the message establishing the identity of any network device between the first network device and the second network device, and compiling the established identities to determine the topology of the network. The invention can use PING and Traceroute utilities to find nodes and identify network devices.