Abstract: A link controller that is capable of asymmetric network traffic multiplexing. A typical link controller treats all provisioned links as being equal (i.e., traffic is symmetrically multiplexed or distributed between all provisioned links) except when a link failure is detected. Our link controller is capable of modifying the multiplexing behavior of the link controller based on a wide range of parameters including but not limited to link characteristics, network traffic type, source and/or destination address, link saturation and overall network load.

Abstract: An intrusion protection system that fuses a network instrumentation classification with a packet payload signature matching system. Each of these kinds of systems is independently capable of being effectively deployed as an anomaly detection system. By employing sensor fusion techniques to combine the instrumentation classification approach with the signature matching approach, the present invention provides an intrusion protection system that is uniquely capable of detecting both well known and newly developed threats while having an extremely low false positive rate.

Abstract: A unified memory architecture IP packet processing platform (e.g., IPv4) that is designed to execute on a standard general purpose computer. Unlike the traditional packet processing paradigm, our platform is software pluggable and can integrate all of the functionality that is typically only available by chaining a series of discrete devices. The present invention uses a unified memory architecture that precludes the need to transfer packets between modules that implement processing functionality.

Abstract: An out-of-order network packet analysis architecture that decouples deep packet inspection from the packet forwarding process. Rather than placing the packet inspection engine inline into the packet forwarding pipeline, the packet forwarding and packet inspection processes operate asynchronously on a single unified packet buffer. Furthermore, the present invention reduces the load on the packet inspection engine by employing a packet marking preprocessor to designate appropriate packets for inspection.

Abstract: A method of network provisioning where a profile is associated with a specific end-user node and policies are enforced via a unified network provisioning appliance. Unlike traditional back-ends where multiple discrete devices are deployed to provision a network, the present invention can be implemented as a single unified device with all of the functionality implemented as software plug-ins. In accordance with embodiments of the present invention, features execute on the same device and share a common provisioning profile. Hence, the present invention features unbounded interoperability between what are normally considered separate sets of functionality. This capability allows provisioning services such as bandwidth shaping, identity manager, content filter and the like to enforce policies that are defined for the user of a node. Furthermore, our system is capable of dynamically changing policies enforced on a node to reflect a change in the user who is operating the node.

Abstract: A quarantine filesystem driver having a first interface for communicating with an operating system library, a second interface for communicating with a primary filesystem, and a third interface for communicating with a secondary filesystem. Preferably the secondary filesystem is a delta filesystem that records a log of changes to data recorded in the primary filesystem. The primary filesystem couples to a primary mass storage device or devices that may be internal to (i.e., closely coupled to) the computing system in which the quarantine filesystem is implemented. The secondary filesystem couples to a mass storage system such as a hard disk drive that is independent of the primary mass storage device or devices. Most preferably the secondary mass storage device or devices is/are implemented externally to the system in which the quarantine filesystem is implemented.

Abstract: Systems, methods, software and data structures that facilitate the trusted, secure data exchange of data over networks, including open networks such as the Internet.

Abstract: A distributed computer system having a server and remote client for executing an application on the server. A remote-capable user interface toolkit resides on the server and has remote-capable components that correspond to components of a user interface toolkit which resides on the remote client. The remote-capable components are substantially the same as corresponding components of the user interface toolkit, and interact with the application according to the same application programming interface. However, when invoked by the application, the remote-capable components issue a message to the component on the remote client to perform the corresponding function on the client A network communication protocol of sending messages between the remote-capable user interface toolkit on the server and the user interface toolkit on the client is thereby generated.

Abstract: A distributed computer system having a server and remote client for executing an application on the server. A remote-capable user interface toolkit resides on the server and has remote-capable components that correspond to components of a user interface toolkit which resides on the remote client. The remote-capable components are substantially the same as corresponding components of the user interface toolkit, and interact with the application according to the same application programming interface. However, when invoked by the application, the remote-capable components issue a message to the component on the remote client to perform the corresponding function on the client. A network communication protocol of sending messages between the remote-capable user interface toolkit on the server and the user interface toolkit on the client is thereby generated.