Patents by Inventor Shigang Chen

Shigang Chen has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10013569
    Abstract: A data collection procedure is described, which can be performed automatically for each subject of a study as the participant produces the data being collected. In one case, the procedure transforms the data matrix X (of the participants' data) to AXB, where matrix A is a row operator that transforms data records (cases) in X and matrix B is a column operator that transforms data attributes (variables) in X, and the keys to generate these random operators are held separately by different parties. In another case, each participant's data is decomposed into a sum of k vectors before being collected and variously transformed by a plurality of masking service providers.
    Type: Grant
    Filed: October 15, 2014
    Date of Patent: July 3, 2018
    Assignee: University of Florida Research Foundation, Incorporated
    Inventors: Samuel Shangwu Wu, Shigang Chen
  • Publication number: 20160253514
    Abstract: A data collection procedure is described, which can be performed automatically for each subject of a study as the participant produces the data being collected. In one case, the procedure transforms the data matrix X (of the participants' data) to AXB, where matrix A is a row operator that transforms data records (cases) in X and matrix B is a column operator that transforms data attributes (variables) in X, and the keys to generate these random operators are held separately by different parties. In another case, each participant's data is decomposed into a sum of k vectors before being collected and variously transformed by a plurality of masking service providers.
    Type: Application
    Filed: October 15, 2014
    Publication date: September 1, 2016
    Inventors: Samuel Shangwu WU, Shigang CHEN
  • Patent number: 8842690
    Abstract: A data structure is provided for storing network contact information based on an array of physical memory locations. Virtual vectors are constructed for each source, wherein each element in each virtual vector is assigned to a corresponding physical memory location within the array. The physical memory locations are shared between the virtual vectors uniformly at random so that the noise introduced by sharing can be predicted and removed. A method for storing network contact information is also provided in which a hash function is performed using the address of a source host to find a virtual vector for holding information about the source host. A second hash function is performed using the address of a destination host to find a virtual memory location, within the virtual vector, for holding information about the destination host. Finally, information is stored at a physical memory location assigned to the virtual memory location.
    Type: Grant
    Filed: April 2, 2010
    Date of Patent: September 23, 2014
    Assignee: University of Florida Research Foundation, Incorporated
    Inventors: Shigang Chen, Jih-Kwon Peir, Myungkeun Yoon, Tao Li
  • Publication number: 20110289295
    Abstract: A data structure is provided for storing network contact information based on an array of physical memory locations. Virtual vectors are constructed for each source, wherein each element in each virtual vector is assigned to a corresponding physical memory location within the array. The physical memory locations are shared between the virtual vectors uniformly at random so that the noise introduced by sharing can be predicted and removed. A method for storing network contact information is also provided in which a hash function is performed using the address of a source host to find a virtual vector for holding information about the source host. A second hash function is performed using the address of a destination host to find a virtual memory location, within the virtual vector, for holding information about the destination host. Finally, information is stored at a physical memory location assigned to the virtual memory location.
    Type: Application
    Filed: April 2, 2010
    Publication date: November 24, 2011
    Applicant: University of Florida Research Foundation, Inc.
    Inventors: Shigang Chen, Jih-Kwon Peir, Myungkeun Yoon, Tao Li
  • Patent number: 8001475
    Abstract: A method is disclosed for creating a network topograph that includes all select objects that are in a network. A set of one or more non-select objects in the network is determined. A network topograph is created. Each select object in the network is included in the network topograph. Elements of the set are collectively represented as a single non-select object.
    Type: Grant
    Filed: February 14, 2006
    Date of Patent: August 16, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Branimir Liker, Partha Bhattacharya, Imin Lee
  • Patent number: 7636937
    Abstract: Two or more access control lists that are syntactically or structurally different may be compared for functional or semantic equivalence in order to configure a security policy on a network. A first access control list is programmatically determined to be functionally equivalent to a second access control list for purpose of configuring or validating security policies on a network. In one embodiment, a box data representation facilitates comparing entries and sub-entries of the lists.
    Type: Grant
    Filed: January 11, 2002
    Date of Patent: December 22, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Partha Bhattacharya, Shigang Chen
  • Patent number: 7516475
    Abstract: Security policies that regulate communication packets on a network may be segmented into independent sets, where each security policy of an independent set does not regulate communication packets other than those defined for that set. A management algorithm is performed separately for each independent set, rather than for all of the security policies together.
    Type: Grant
    Filed: July 1, 2002
    Date of Patent: April 7, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Liman Wei
  • Patent number: 7464409
    Abstract: A device for mitigating data flooding in a data communication network. The device can include a first module and a second module. The first module can identify flooding data transmitted from at least one offending host and intended for at least one threatened host. The second module can generate a data rate limit that is communicated to at least one of the plurality of edge nodes defining an entry node. The data rate limit can be based upon an observed rate of transmission of flooding data transmitted from the offending host to the entry node and a desired rate of transmission of flooding data transmitted to the threatened host from at least one other of the plurality of edge nodes defining an exit node.
    Type: Grant
    Filed: June 25, 2004
    Date of Patent: December 9, 2008
    Assignee: University of Florida Research Foundation, Inc.
    Inventor: Shigang Chen
  • Patent number: 7143283
    Abstract: A plurality of logical nodes are identified from a plurality of elements on a network, where the plurality of elements include security devices. One or more path entries may be determined for at least some of the logical nodes. Each path entry is associated with one of the logical nodes and specifies a set of communication packets, as well as a next node to receive the communication packets from the associated node. The path entries are used to characterize at least a substantial portion of a network path that is to carry communication packets in the set of communication packets.
    Type: Grant
    Filed: July 31, 2002
    Date of Patent: November 28, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Bo Zou
  • Patent number: 7107613
    Abstract: According to one embodiment, the number of tunnels on a network may be reduced. A set of tunnels are selected which exchange data packets between a first security device and a second security device. Each tunnel in the set of tunnels specifies a dimensional range for data packets that are subject to that tunnel. A super tunnel is determined to replace the set of tunnels, so that a dimensional range of the data packets that are made subject to the super tunnel encompasses a dimensional range of the data packets that were made subject to the set of tunnels. A determination is made as to whether the super tunnel excludes data packets that are permitted by the first security device and the second security device, but not subject to any one of the tunnels other than tunnels in the set of tunnels.
    Type: Grant
    Filed: March 27, 2002
    Date of Patent: September 12, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Partha Bhattacharya, Susan Hinrichs
  • Patent number: 7096356
    Abstract: A method and apparatus for negotiating a shared secret among members of a multicast group are disclosed. A tree that represents the group is created and stored in a memory. Each node of the tree is associated with a group member. The shared secret is generated by traversing the tree in post-order, and at each node of the tree, recursively generating a partial key value for use in the shared secret and a base value for use in subsequent recursive partial key value generation. At each node, a partial key value is computed by accumulating the exponent portion of the Diffie-Hellman key equation and computing a new base value for use in subsequent computations. If a particular node has a left or right child sub-tree, each sub-tree is also recursively traversed in post-order fashion. When traversal of the entire tree is complete, all nodes have the shared secret key.
    Type: Grant
    Filed: June 27, 2001
    Date of Patent: August 22, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Liman Wei
  • Patent number: 7093283
    Abstract: A method and apparatus for deploying configuration instructions to security devices in order to implement a security policy on a network are disclosed. An address translation alteration performed on packets communicated between a management source and a plurality of security devices, resulting from implementation of a proposed new network security policy, is detected. One or more sets of security devices are identified that would each have one or more configuration dependencies as a result of the address translation alteration. Configuration instructions are sent from the management source to each of the one or more sets of security devices using an order determined by the identified configuration dependencies. The configuration instructions are used to implement the security policy on the network. As a result, firewalls and similar devices are properly configured for a new policy without inadvertently causing traffic blockages arising from configuration dependencies.
    Type: Grant
    Filed: February 15, 2002
    Date of Patent: August 15, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Partha Bhattacharya
  • Patent number: 7082531
    Abstract: Enforcement firewalls and other security devices are located on a network for a given source node and destination node. Nodes in the network topology are programmatically identified as being part of a non-looping communication path between the source node and the destination node. These nodes may be part of a path closure set. Security devices that are part of the path closure set are identified as the enforcement security devices for the given source and destination node.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: July 25, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Partha Bhattacharya, Liman Wei
  • Publication number: 20060156280
    Abstract: A method is disclosed for creating a network topograph that includes all select objects that are in a network. A set of one or more non-select objects in the network is determined. A network topograph is created. Each select object in the network is included in the network topograph. Elements of the set are collectively represented as a single non-select object.
    Type: Application
    Filed: February 14, 2006
    Publication date: July 13, 2006
    Inventors: Shigang Chen, Branimir Liker, Partha Bhattacharya, Imin Lee
  • Patent number: 7036119
    Abstract: A method is disclosed for creating a network topograph that includes all select objects that are in a network. A set of one or more non-select objects in the network is determined. A network topograph is created. Each select object in the network is included in the network topograph. Elements of the set are collectively represented as a single non-select object.
    Type: Grant
    Filed: July 15, 2002
    Date of Patent: April 25, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Branimir Liker, Partha Bhattacharya, Imin Lee
  • Patent number: 7007032
    Abstract: A method is disclosed for removing redundancies from a list of data structures. A list of data structures is sorted by first attribute into sub-lists having a common first attribute. Each of these sub-lists is sorted by second attribute into sub-lists having a common first attribute and a common second attribute. Each of these sub-lists is combined into a single combined data structure that includes a third attribute set. Each third attribute set includes third attributes of the data structures in the sub-list from which the combined data structure including that set was formed.
    Type: Grant
    Filed: July 1, 2002
    Date of Patent: February 28, 2006
    Assignee: Cisco Technology, Inc.
    Inventors: Shigang Chen, Partha Bhattacharya, Liman Wei
  • Patent number: 7000006
    Abstract: A method and apparatus for implementing network management policies is provided. A communication path is determined that passes through a domain of a network. The communication path characterizes the first domain as a node, but does not lose information. A management policy is then implemented using the communication path. Another aspect of the invention provides a method implementing a management policy using topology reduction. A network is abstracted into domains, and each domain may be cloudified if that domain is determined to have a cloudification characteristic. Domains that are cloudified are subsequently represented as having reduced topology and internal connectivity, but this representation does not incur information loss when management policies are implemented using the cloudified domains. In other aspects, the invention provides a computer-readable medium and system configured to carry out the foregoing.
    Type: Grant
    Filed: May 31, 2001
    Date of Patent: February 14, 2006
    Assignee: Cisco Technology, Inc.
    Inventor: Shigang Chen
  • Publication number: 20040264371
    Abstract: A device for mitigating data flooding in a data communication network. The device can include a first module and a second module. The first module can identify flooding data transmitted from at least one offending host and intended for at least one threatened host. The second module can generate a data rate limit that is communicated to at least one of the plurality of edge nodes defining an entry node. The data rate limit can be based upon an observed rate of transmission of flooding data transmitted from the offending host to the entry node and a desired rate of transmission of flooding data transmitted to the threatened host from at least one other of the plurality of edge nodes defining an exit node.
    Type: Application
    Filed: June 25, 2004
    Publication date: December 30, 2004
    Applicant: UNIVERSITY OF FLORIDA RESEARCH FOUNDATION, INC.
    Inventor: Shigang Chen