Abstract:
A method is disclosed for simulating a load on an application server in a network. The method intercepts data packets of a request from a sender to a receiver. The data packets to be intercepted can be selected according to specified criteria, such as communications protocol or port and address information of the sender and/or receiver. A simulation session can begin and end based on a specified period of time or after a specified number of data packets have been received. The intercepted data packets are stored in a buffer and the time of arrival of the data packets is recorded. The data packets are held in the buffer for a user-specified delay time. Upon expiration of the delay time, the data packets are forwarded to the receiver. Alternatively, the method can operate bi-directionally, or by intercepting and delaying data packets of a response sent by the receiver to the sender.
Abstract:
A method and apparatus for performing load-based packet marking within a network is described. In one aspect, a first group of one or more packets of a data flow are marked with a first behavioral treatment value that directs devices within the network to treat the first group of one or more packets with a first quality of service treatment. The bandwidth that is currently being achieved for the flow within the network is determined based on data traffic within the network. Based on the achieved flow bandwidth within the network a second behavioral treatment value is then determined. Thereafter, a second group of one or more packets of the data flow is marked with a second behavioral treatment value that directs devices within the network to treat the second group of one or more packets with a second quality of service treatment. The process of dynamically marking the packets for a particular data flow may be performed multiple times.
Abstract:
A method, apparatus, and computer-readable medium configured for maintaining consistent per-hop packet forwarding behavior among a plurality of network devices in a network within a Differentiated Services (DS) domain are disclosed. In one aspect, a method involves creating and storing a network-wide PHB definition that associates a PHB with a DS code point (DSCP) value, and with a set of parameters that define the bandwidth and buffer resources allocated to the PHBs on all interfaces of network devices within the DS domain. A mapping of each of the PHBs in the network-wide PHB definition to one or more queues of the network devices is determined. Drain size and queue size values are determined for each of the queues to which PHBs are mapped. A mapping of each of the PHBs to a threshold value associated with the queues is determined. Parameters of fragmentation and interleave mechanisms are determined. Network device configuration parameter values based on the mappings, the drain size, and the queue size, etc. are sent to each of the network devices within the DS domain. As a result, consistent PHB is achieved throughout a network using abstract definitions of PHBs.
Abstract:
A method and apparatus are described for adaptively enforcing Quality of Service (QoS) policies for one or more flows of packets in a packet-switched network based on network feedback information. In one aspect, packets of a first group of flows are assigned to a first service level. Then-current interface congestion information is received for network traffic that is mapped to the first service level and that is passing through an interface of a network device in the network. Based on the then-current interface congestion information, one or more flows from the first group of flows are selected. Packets from the one or more flows are then assigned to a second service level.
Abstract:
A network security system employing multiple levels of processing to identify security threats. Multiple host machines may each contain an agent that detects possibilities of security threats based on raw data sensed locally at that host. The hosts may share information obtained from local analysis and each host may use information generated at one or more other hosts, in combination with information generated locally, to identify a security concern, indicating with greater certainty that a security threat exists. Based on security concerns generated by multiple hosts, a security threat may be indicated and protective action may be taken.
Abstract:
Verifying revocation status of a digital certificate is provided in part by a receiver verifying a security certificate for a sender. In an embodiment, an approach comprises receiving a first security certificate associated with the sender and storing the security certificate in a location accessible to the receiver; updating the first security certificate in the location accessible to the receiver if the first security certificate is changed or revoked; receiving a second security certificate from the sender when identity of the sender needs to be verified; comparing the second security certificate to the first security certificate; and confirming the sender's identity only if the second security certificate matches the first security certificate for the sender.
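The comparison described in this abstract (keep the first certificate seen for a sender, update it on change or revocation, and accept a later presented certificate only if it matches the stored one) can be expressed as a small per-sender store. The code below is an added illustration, not the patent's own implementation: certificates are stood in for by constructed byte strings, and comparison is done on a SHA-256 fingerprint with a constant-time compare.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def fingerprint(cert: bytes) -> bytes:
    """SHA-256 fingerprint of a DER/PEM certificate blob (assumed representation)."""
    return hashlib.sha256(cert).digest()


@dataclass
class StoredCert:
    cert: bytes          # the first certificate received from this sender
    revoked: bool = False


class ReceiverCertStore:
    """Receiver-side store of one trusted certificate per sender."""

    def __init__(self) -> None:
        self._by_sender: dict[str, StoredCert] = {}

    def enroll(self, sender: str, cert: bytes) -> None:
        """Receive the first certificate for a sender and keep it locally."""
        self._by_sender[sender] = StoredCert(cert=cert)

    def update(self, sender: str, new_cert: Optional[bytes] = None, revoked: bool = False) -> None:
        """Update the stored certificate when it changes or is revoked."""
        entry = self._by_sender[sender]
        if new_cert is not None:
            entry.cert = new_cert
            entry.revoked = False      # a replacement certificate is trusted afresh
        if revoked:
            entry.revoked = True

    def verify(self, sender: str, presented: bytes) -> bool:
        """Confirm identity only if the presented certificate matches the stored, unrevoked one."""
        entry = self._by_sender.get(sender)
        if entry is None or entry.revoked:
            return False
        return hmac.compare_digest(fingerprint(entry.cert), fingerprint(presented))


# Constructed sample "certificates" (opaque blobs, not real X.509 data).
CERT_A = b"-----BEGIN CERTIFICATE-----\nconstructed-sample-A\n-----END CERTIFICATE-----\n"
CERT_B = b"-----BEGIN CERTIFICATE-----\nconstructed-sample-B\n-----END CERTIFICATE-----\n"


def demo() -> list[bool]:
    """Walk through enrol, present, revoke, and replace; returns the verification outcomes."""
    store = ReceiverCertStore()
    store.enroll("alice", CERT_A)
    results = [
        store.verify("alice", CERT_A),   # True: matches stored certificate
        store.verify("alice", CERT_B),   # False: different certificate
        store.verify("bob", CERT_A),     # False: no stored certificate for this sender
    ]
    store.update("alice", revoked=True)
    results.append(store.verify("alice", CERT_A))   # False: stored certificate revoked
    store.update("alice", new_cert=CERT_B)
    results.append(store.verify("alice", CERT_B))   # True: replacement now trusted
    results.append(store.verify("alice", CERT_A))   # False: old certificate no longer matches
    return results


if __name__ == "__main__":
    print(demo())
```

The store deliberately answers only "matches the certificate I already hold and it is not revoked"; chain validation and expiry checks are separate concerns that a real receiver would run before enrolling a certificate in the first place.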
Abstract:
A method is disclosed for authenticating multiple network elements that access a network through a single network switch port. Certain authentication protocols, such as EAPoE, leave a port of a network switch indefinitely opened when one particular host is authenticated and authorized to transmit network frames through the port. In one embodiment of the invention, a network frame from a second host that is received by the open port is not automatically transmitted to the network. Instead, techniques are employed locally by the network switch to grant or deny transmission of the network frame received from the second host. An authentication server is contacted only when the network switch cannot locally employ techniques to authorize the transmission of the network frame received from the second host.
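The decision flow in this abstract (frames from a second host on an already-open port are neither forwarded automatically nor sent to the authentication server by default; the switch decides locally where it can and consults the server only when it cannot) can be sketched as a small port model. This is an added example and not the patent's implementation; the MAC-address allow list, the cached deny decision and the `AuthServer` stub are all assumptions made for the illustration.

```python
from typing import Iterable


class AuthServer:
    """Stand-in for the authentication server; counts how often the switch consults it."""

    def __init__(self, authorized: Iterable[str]) -> None:
        self.authorized = set(authorized)   # constructed allow-list
        self.queries = 0

    def authorize(self, mac: str) -> bool:
        self.queries += 1
        return mac in self.authorized


class SwitchPort:
    """One switch port that may see frames from several hosts after it has been opened."""

    def __init__(self, port_id: str, auth_server: AuthServer) -> None:
        self.port_id = port_id
        self.auth_server = auth_server
        self.local_allow: set[str] = set()   # hosts the port may forward without asking
        self.local_deny: set[str] = set()    # hosts already refused (assumed cache)

    def open_for(self, mac: str) -> None:
        """The first host completed the port-based authentication protocol; the port is now open."""
        self.local_allow.add(mac)

    def handle_frame(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving on the open port."""
        if src_mac in self.local_allow:
            return "forward"                 # decided locally, no server contact
        if src_mac in self.local_deny:
            return "drop"                    # decided locally, no server contact
        # No local knowledge of this host: consult the server once, then cache the answer.
        if self.auth_server.authorize(src_mac):
            self.local_allow.add(src_mac)
            return "forward"
        self.local_deny.add(src_mac)
        return "drop"


def simulate() -> tuple[list[str], int]:
    """Constructed scenario: host A authenticated the port, B is authorized, C is not."""
    server = AuthServer(authorized={"aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"})
    port = SwitchPort("Gi0/1", server)
    port.open_for("aa:aa:aa:aa:aa:aa")
    frames = [
        "aa:aa:aa:aa:aa:aa",   # first host: forwarded locally
        "bb:bb:bb:bb:bb:bb",   # second host: server consulted, then forwarded
        "cc:cc:cc:cc:cc:cc",   # third host: server consulted, denied
        "bb:bb:bb:bb:bb:bb",   # cached allow, no server contact
        "cc:cc:cc:cc:cc:cc",   # cached deny, no server contact
        "aa:aa:aa:aa:aa:aa",
    ]
    decisions = [port.handle_frame(mac) for mac in frames]
    return decisions, server.queries


if __name__ == "__main__":
    print(simulate())
```

Only two of the six frames reach the server: each unknown host is looked up once. A production switch would age out both caches so that a host whose authorization was later revoked does not keep forwarding indefinitely.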
Abstract:
A method and system for continuously serving the authentication requests of networked computers is disclosed. The authentication requests of computers are served and the services for the computers are reserved for a predefined time interval. The authentication service for a computer is reserved by an authentication server, which receives authentication requests of the computer.
Abstract:
A method and an apparatus are disclosed for securing authentication, authorization and accounting (AAA) protocol messages. An encryption key, a device identifier value, and verification data are received and stored at a network device. The verification data comprises in part a copy of the encryption key and the device identifier value, and has been encrypted using a private key of a server. A shared secret is generated by applying a computational function to the encryption key and the device identifier value. Based on the shared secret, a first message integrity check value for a message is generated. The message, the first integrity check value, and the verification data are sent to the server. The server decrypts the verification data using the private key, extracts the encryption key and the device identifier value, and generates the same shared secret by applying the same computational function to the extracted encryption key and device identifier value. Based on this generated shared secret, a second message integrity check value is generated and compared to the received first message integrity check value.
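The exchange in this abstract, with both the device side and the server side, as an added example (not the patent's or any vendor's code). Two substitutions are made for the sake of a stand-alone script and are assumptions: the "computational function" over the encryption key and device identifier is HMAC-SHA256, and the verification data that the abstract encrypts under the server's private key is modelled as a blob that only the server can validate, using a server-only key and an HMAC tag rather than public-key encryption. The message integrity check is HMAC-SHA256 under the derived shared secret.

```python
import hashlib
import hmac
from typing import Tuple

TAG_LEN = 32  # SHA-256 output length

# Constructed sample values (assumptions for the illustration, not from the abstract).
SERVER_ONLY_KEY = bytes.fromhex("00" * 15 + "01") * 2          # stands in for the server private key
DEVICE_ID = b"nas-0042"
ENC_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90") # the encryption key handed to the device


def derive_shared_secret(enc_key: bytes, device_id: bytes) -> bytes:
    """Computational function over (encryption key, device identifier); assumed HMAC-SHA256."""
    return hmac.new(enc_key, b"aaa-shared-secret|" + device_id, hashlib.sha256).digest()


def issue_verification_data(enc_key: bytes, device_id: bytes) -> bytes:
    """Server side: build the verification data the device will later echo back.

    Layout: 1-byte device-id length || device_id || enc_key || HMAC(server_only_key, payload).
    The tag stands in for the private-key encryption of the abstract (assumption).
    """
    payload = len(device_id).to_bytes(1, "big") + device_id + enc_key
    tag = hmac.new(SERVER_ONLY_KEY, payload, hashlib.sha256).digest()
    return payload + tag


def open_verification_data(blob: bytes) -> Tuple[bytes, bytes]:
    """Server side: validate the blob and extract (device_id, enc_key)."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(SERVER_ONLY_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("verification data was not issued by this server")
    n = payload[0]
    return payload[1:1 + n], payload[1 + n:]


def device_send(enc_key: bytes, device_id: bytes, verification_data: bytes,
                message: bytes) -> Tuple[bytes, bytes, bytes]:
    """Network device: derive the shared secret and attach the first integrity check value."""
    secret = derive_shared_secret(enc_key, device_id)
    mic = hmac.new(secret, message, hashlib.sha256).digest()
    return message, mic, verification_data


def server_receive(message: bytes, mic: bytes, verification_data: bytes) -> bool:
    """Server: recover the key material, recompute the secret, and compare integrity values."""
    device_id, enc_key = open_verification_data(verification_data)
    secret = derive_shared_secret(enc_key, device_id)
    second_mic = hmac.new(secret, message, hashlib.sha256).digest()
    return hmac.compare_digest(second_mic, mic)


def demo() -> Tuple[bool, bool, bool]:
    """Genuine message, tampered message, and a message from a device claiming another identifier."""
    vdata = issue_verification_data(ENC_KEY, DEVICE_ID)
    msg = b"Access-Request user=alice nas-port=7"          # constructed AAA message body
    genuine = server_receive(*device_send(ENC_KEY, DEVICE_ID, vdata, msg))
    m, mic, v = device_send(ENC_KEY, DEVICE_ID, vdata, msg)
    tampered = server_receive(m.replace(b"alice", b"admin"), mic, v)
    # Same encryption key, but the device signs as a different identifier than its verification data names.
    wrong_id = server_receive(*device_send(ENC_KEY, b"nas-9999", vdata, msg))
    return genuine, tampered, wrong_id


if __name__ == "__main__":
    print(demo())
```

The point of binding the device identifier into the secret is visible in the third case: the verification data fixes which identifier the server will use, so a device cannot produce a valid integrity value under a different identity even though it holds the same encryption key. Replay protection is outside what the abstract describes and would need a counter or nonce in the message.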