US20110066841A1 - Platform for policy-driven communication and management infrastructure - Google Patents


Info

Publication number
US20110066841A1
Authority
US
United States
Prior art keywords
client
relay
server
programmed
content
Prior art date
Legal status
Abandoned
Application number
US12/881,995
Inventor
Dennis Sidney Goodrow
Peter Benjamin Loer
Christopher Jacob Loer
Jonathan Shih-Shuo Fan
Gregory Mitchell Toto
Amrit Tsering Williams
John Edward Firebaugh
Jeremy Scott Spiegel
Jesse WARD-KARET
Benjamin John KUS
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp
Priority to US12/881,995
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Assignment of assignors' interest (see document for details). Assignors: TOTO, GREGORY MITCHELL; WARD-KARET, JESSE; FAN, JONATHAN SHIH-SHUO; FIREBAUGH, JOHN EDWARD; GOODROW, DENNIS SIDNEY; LOER, CHRISTOPHER JACOB; LOER, PETER BENJAMIN; WILLIAMS, AMRIT TSERING; KUS, BENJAMIN JOHN; SPIEGEL, JEREMY SCOTT
Publication of US20110066841A1
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Assignment of assignors' interest (see document for details). Assignor: BIGFIX, INC.
Current legal status: Abandoned

Classifications

All classifications fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 43/0894 Packet rate (under H04L 43/00 Arrangements for monitoring or testing data switching networks; H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters; H04L 43/0876 Network utilisation, e.g. volume of load or congestion level)
    • H04L 43/106 Active monitoring, e.g. heartbeat, ping or trace-route, using time related information in packets, e.g. by adding timestamps (under H04L 43/00; H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route)
    • H04L 47/25 Flow control; Congestion control with rate being modified by the source upon detecting a change of network conditions (under H04L 47/00 Traffic control in data switching networks; H04L 47/10 Flow control; Congestion control)
    • H04L 12/12 Arrangements for remote connection or disconnection of substations or of equipment thereof (under H04L 12/00 Data switching networks; H04L 12/02 Details)
    • H04L 45/122 Shortest path evaluation by minimising distances, e.g. by selecting a route with minimum of number of hops (under H04L 45/00 Routing or path finding of packets in data switching networks; H04L 45/12 Shortest path evaluation)
    • H04L 45/64 Routing or path finding of packets in data switching networks using an overlay routing layer (under H04L 45/00)

Definitions

  • the invention relates to management of enterprise-scale networks of computational devices. More particularly, the invention relates to a Platform for a policy-driven communication and management infrastructure.
  • IT: Information technology
  • Maintaining such a state of readiness may require an IT manager to understand the configuration of the hardware and software in a given network, to keep track of policy advisories, updates, incompatibilities and patches relevant to the specific enterprise, and to match those policy advisories, updates, and patches with the specific equipment in the enterprise.
  • management tasks involve monitoring of and policy dissemination to, perhaps, hundreds of thousands of computational devices by an administrator.
  • management Platforms in such large enterprises employ a communication infrastructure that is conducive mainly to coarse-grained, one-to-many interaction, typically involving large numbers of devices and occasionally even the entire network, rather than to fine-grained, per-endpoint policy determination.
  • a policy-driven communication and management infrastructure may include components such as Agent, Server and Console, policy messages, and Relays to deliver security and system management to networked devices.
  • An Agent resides on a Client, acting as a universal policy engine for delivering multiple management services.
  • Relays are Clients additionally configured to each behave as though they were a proxy for the root Server, Relaying information to and from other Clients, permitting Clients to interact with the root Server through the Relay, and facilitating information exchange between Client and Server.
  • Such information exchange allows Clients to gather information, such as new policy messages, from the Server, to pass status messages to the Server and to register their network address so that they can be readily located.
  • Automatic Relay selection enables Clients and Relays to select their own parent Relays, thus allowing Clients and Relays to discover routing paths through the existing network without administrator input.
  • FIG. 1 provides a diagram of a machine in the exemplary form of a computer system within which a set of instructions, for causing the machine to perform any one of the methodologies discussed herein below, may be executed;
  • FIG. 2 provides a block diagram of a Relay hierarchy in a Platform for a policy-driven communication and management infrastructure
  • FIG. 2A provides a block diagram of a proxy agent according to the invention
  • FIG. 3 provides a flow diagram of a process for manual Relay selection in the Platform of FIG. 2 ;
  • FIG. 4 provides a flow diagram of a process for automated Relay selection in the Platform of FIG. 2 ;
  • FIG. 5 provides a flow diagram of a Relay selection failover process in the Platform of FIG. 2 ;
  • FIG. 6 provides a flow diagram of a Relay reselection process in the Platform of FIG. 2 ;
  • FIG. 7 provides a flow diagram of a process for Dynamic download of untrusted content in the Platform of FIG. 2 ;
  • FIG. 8 provides a state transition diagram for a Relay in the Platform of FIG. 2 ;
  • FIG. 9 provides a state transition diagram for a Server in the Platform of FIG. 2
  • FIG. 10 provides a schematic of a process for Client registration in the Platform of FIG. 2 ;
  • FIG. 11 provides a schematic of a process for non-repudiation in the Platform of FIG. 2 ;
  • FIG. 12 provides a schematic of a process for secure data distribution in the Platform of FIG. 2 ;
  • FIG. 13 provides a schematic of a direct connection process between a Console and a Client in the Platform of FIG. 2 ;
  • FIG. 14 provides a schematic of a direct connection process between a first Client and a second Client in the Platform of FIG. 2 ;
  • FIG. 15 provides a diagram of a Network Asset Map in the Platform of FIG. 2 ;
  • FIG. 16 provides a screen shot of a Console Operator interface from the Platform of FIG. 2 .
  • Action: Actions are typically scripts that can customize a specific solution for each Client, using a series of scripting commands and Relevance expressions. Although the Relevance language itself cannot alter a Client, it can be used to direct actions in a way that parallels the original trigger. For instance, a Fixlet might use the Relevance language to inspect a file in the system folder. Using a similar Relevance clause, the Action can then target that same file without knowing explicitly where that folder resides. This allows the Action author (and issuer) to concentrate on the issue at hand without worrying about the vagaries of each individual computer system.
  • ActionID: a unique identifier for an Action.
  • Agent: Software that resides on a Client and acts as a universal policy engine capable of delivering multiple management services.
  • a single Agent can execute a diverse and extensible array of management services ranging from real-time Client status reporting, to patch and software distribution, to security policy enforcement. By assigning responsibility for reporting and management actions to endpoints themselves, the Platform enables visibility and management of IT infrastructures ranging from hundreds to hundreds of thousands of desktop, mobile and Server computers.
  • Client: an endpoint device in a network under management by a Platform for policy-driven communication and management infrastructure.
  • Console: an operations control center for administrators, which connects to the Server, that includes graphical displays of device, group, and enterprise-wide device status and dashboards for executing management actions through the infrastructure.
  • the Console also includes reporting functions and templates that enable graphical and tabular views of infrastructure status.
  • Dashboard: Dashboard documents pop up in the main window of the Console when selected from a ‘Dashboards’ icon in a Domain Panel navigation tree. Dashboards tap into the Platform Database to provide the Operator with timely and compact high-level views of the network and allow an administrator to take action based on those views.
  • Download Request: In an embodiment, a download request may include a hash and a size that uniquely identify the file being requested, along with the information on how to retrieve the file. If a Client wants multiple files for an Action, it submits a set of DownLoadRequests in one interaction with the Relay. Although the interaction is batched, each request is handled individually by both Relays and the Server.
  • Dynamic Download (aka “Client-initiated Download”): In an embodiment, a download whose hash, size and URL are not known at the time an Action is issued. Instead, the Client determines this information and then provides it to the Server, which fetches the file for the Client.
  • FileID: a pair (SHA-1, file size in bytes) used to uniquely identify a file.
  • Fixlet or Fixlet message: Instructions disseminated to the Agent to perform a management or reporting Action. Fixlet messages can be programmed to target specific groups of devices to perform management actions.
  • Hash-based Download: In an embodiment, a download that is requested or referred to by a “HashSizePair”.
  • this type of download is requested by a Client using a “DownloadRequest” plug-in, rather than the magic URLs that index-based downloads rely on.
  • a hash-based download can be either static or dynamic.
  • Index-based Download (aka “Legacy Download”): a download that is referred to by a Client using an ActionID/Index pair, where the index is generated at the time the Action is issued.
  • an “indexed download” is a species of static download, because the indexing strategy cannot easily accommodate the case where the index is unknown at the time an Action is created.
  • indexed downloads can be requested without providing a hash, in which case the download represents whatever the URL happens to contain at the time the Action is created; nothing then pins the content that is eventually fetched to what the Action author reviewed.
  • Relay: a software module that executes as a shared service on non-dedicated hardware.
  • “Relay” can also refer to the hardware on which the Relay software is running.
  • Relays act as concentration points for Fixlet messages on network infrastructures and help reduce network bandwidth requirements for distribution of Fixlets and content such as software, patches, updates, and other information. Relays also offer a failover mechanism to keep managed Clients in touch with the Console should normal communications channels go dark or become overloaded with other traffic.
  • Server: Software that provides a control center and repository for managed system configuration data, software updates and patches, and other management information.
  • “Server” can also denote a computing machine running such software within a network under management.
  • Sites: collections of Fixlet messages and other content to which an Operator of a Platform deployment may subscribe one or more Clients in the Operator's network. Sites may be created by the Platform manufacturer or by one or more third parties. Additionally, deployment Operators may create custom sites that contain internally generated content. Furthermore, the Operator may create sites, called Integrations, which integrate internally- and externally-sourced content.
  • Static Download (aka “Server-initiated Download”): In an embodiment, a download requested by the Console at the time an Action is taking place.
  • FIG. 1 shown is a diagrammatic representation of a machine in the exemplary form of a computer system 100 within which a set of instructions for causing the machine to perform any one of the methodologies discussed herein below may be executed.
  • the machine may comprise a network router, a network switch, a network bridge, personal digital assistant (PDA), a cellular telephone, a web appliance or any machine capable of executing a sequence of instructions that specify actions to be taken by that machine.
  • PDA: personal digital assistant
  • the computer system 100 includes a processor 102 , a main memory 104 and a static memory 106 , which communicate with each other via a bus 108 .
  • the computer system 100 may further include a display unit 110 , for example, a liquid crystal display (LCD) or a cathode ray tube (CRT).
  • the computer system 100 also includes an alphanumeric input device 112 , for example, a keyboard; a cursor control device 114 , for example, a mouse; a disk drive unit 116 , a signal generation device 118 , for example, a speaker, and a network interface device 128 .
  • the disk drive unit 116 includes a machine-readable medium 124 on which is stored a set of executable instructions, i.e. software, 126 embodying any one, or all, of the methodologies described herein below.
  • the software 126 is also shown to reside, completely or at least partially, within the main memory 104 and/or within the processor 102 .
  • the software 126 may further be transmitted or received over a network 130 by means of a network interface device 128 .
  • a different embodiment of the invention uses logic circuitry instead of computer-executed instructions to implement the processing described herein.
  • this logic may be implemented by constructing an application-specific integrated circuit (ASIC) having thousands of tiny integrated transistors.
  • ASIC: application-specific integrated circuit
  • Such an ASIC may be implemented with CMOS (complementary metal oxide semiconductor), TTL (transistor-transistor logic), VLSI (very large scale integration), or another suitable construction.
  • DSP: digital signal processing chip
  • FPGA: field programmable gate array
  • PLA: programmable logic array
  • PLD: programmable logic device
  • a machine readable medium includes read-only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals, for example, carrier waves, infrared signals, digital signals, etc.; or any other type of media suitable for storing or transmitting information.
  • ROM: read-only memory
  • RAM: random access memory
  • components of the Platform may include at least one Client 202 running an Agent, at least one Server and Console 204 , Fixlet messages (indicated by the arrows showing data flow between elements), and zero or more Relays 206 .
  • the Server and Console are shown as the same machine in FIG. 2 , but in many embodiments of the invention the Server and Console are separate machines.
  • the Server 204 in FIG. 2 may comprise only the server function and a separate computer, connected to the Server, would be provided to implement the Console function.
  • the Relay hierarchy typically includes a top-level Relay 208 that directly interacts with the Server 204 .
  • the Platform creates a lightweight communications and management infrastructure for delivery of security and system management services to networked desktop, laptop/notebook and Server computers. By assigning responsibility for reporting and management actions on endpoints themselves, the Platform enables visibility and management of IT infrastructures ranging from hundreds to hundreds of thousands of desktop, mobile and Server computers.
  • the Agent 202 resides on managed devices and acts as a universal policy engine capable of delivering multiple management services.
  • a single Agent 202 can execute a diverse and extensible array of management services that range from real-time Client status reporting, to patch and software distribution, to security policy enforcement.
  • the Agent's role in the Platform may be described as that of a Policy Engine: a piece of software and a computational context for evaluating content.
  • the Agent constitutes a computational resource that uses one or more inspectors to examine its context, decide what is relevant, report properties, take Action in that environment, and report on the success or failure of the actions.
  • the Agent gives an administrator visibility into the context and controls it.
  • the motivation for providing a policy engine is thus the realization that any computing resource, whether a physical or virtual machine, a machine acting as a delegate for another machine, or a piece of hardware, can benefit from management by a policy engine that can inspect properties of the managed entity, apply changes to its environment, and report whether those changes were effective.
  • the Agent also automatically notifies the Server and Console 204 of changes in managed device configuration, providing a real-time view of device status.
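  • The policy-engine role described above (inspectors that examine the context, a Relevance predicate, an Action that reuses the same inspectors, and a success/failure report), and the glossary note that an Action can target the same file its Fixlet inspected without knowing where the system folder lives, modelled as an added illustration. This is not code from the patent or from the BigFix product: the endpoint state, inspectors and Fixlet are constructed, and the rule that an Action succeeded when its Fixlet is no longer relevant afterwards is a modelling choice of this example, not something the page states.

```python
"""A minimal policy engine in the Agent's role: inspectors, relevance, action, report.

Added illustration, not code from the patent or from the BigFix product. The
endpoint state, inspectors and the Fixlet are constructed; treating an Action as
successful when its Fixlet is no longer relevant afterwards is a modelling choice.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Endpoint:
    """Constructed stand-in for the managed machine the Agent runs on."""
    name: str
    groups: set          # group membership used for Fixlet targeting
    env: dict            # e.g. {"SystemRoot": "C:\\WINNT"}
    files: dict          # path -> installed version


# Inspectors: read-only views of the context. Relevance and Action both use
# them, so neither needs to know where the system folder is on this machine.
def system_folder(ep: Endpoint) -> str:
    return ep.env["SystemRoot"] + "\\system32"


def file_version(ep: Endpoint, path: str):
    return ep.files.get(path)   # None when the file is absent


@dataclass
class Fixlet:
    fixlet_id: str
    targets: set                          # groups this Fixlet is aimed at
    relevance: Callable[[Endpoint], bool]
    action: Callable[[Endpoint], None]


@dataclass
class Report:
    """What the Agent sends back up the hierarchy for one Fixlet."""
    fixlet_id: str
    relevant_before: bool
    acted: bool
    succeeded: bool


def evaluate(ep: Endpoint, fixlets: List[Fixlet], apply: bool) -> List[Report]:
    """Evaluate relevance for every targeted Fixlet; if `apply` is set and the
    Fixlet is relevant, run its Action and report whether it worked."""
    reports = []
    for fx in fixlets:
        if ep.groups.isdisjoint(fx.targets):
            continue                       # not targeted at this endpoint: no report
        before = fx.relevance(ep)
        acted = succeeded = False
        if before and apply:
            acted = True
            try:
                fx.action(ep)
                succeeded = not fx.relevance(ep)   # modelling choice: fixed == no longer relevant
            except Exception:
                succeeded = False          # action raised: report failure, keep going
        reports.append(Report(fx.fixlet_id, before, acted, succeeded))
    return reports


# Constructed Fixlet: bring crypt32.dll to version 2 wherever the system folder is.
CRYPT32 = "\\crypt32.dll"


def crypt32_outdated(ep: Endpoint) -> bool:
    version = file_version(ep, system_folder(ep) + CRYPT32)
    return version is None or version < 2


def patch_crypt32(ep: Endpoint) -> None:
    ep.files[system_folder(ep) + CRYPT32] = 2


PATCH_CRYPT32 = Fixlet("FX-1", {"workstations"}, crypt32_outdated, patch_crypt32)
```

The same Fixlet applies cleanly to a machine whose system folder is under C:\WINDOWS and to one whose folder is under C:\WINNT, because both the relevance predicate and the action resolve the path through the `system_folder` inspector at evaluation time; an endpoint outside the targeted group produces no report at all.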
  • customers and developers can create custom policies and services using a published authoring language.
  • the Agent runs on all versions of the MICROSOFT WINDOWS (Microsoft Corporation, Redmond Wash.) operating system since WINDOWS 95, on UNIX, LINUX and MAC OS (APPLE COMPUTER, INC., Cupertino Calif.) operating systems, as well as on WINDOWS MOBILE and POINT-OF-SALE variants of the Windows operating system, enabling administrators to consolidate management of heterogeneous infrastructures from the Console.
  • the invention herein extends the notion of an Agent beyond a computer to devices or logical structures, such as proxy-agents (also referred to as pseudo-agents), that are physically or logically proximate to a computer, and that are used to give visibility and control of assets that cannot, for technical or policy reasons, have a native agent installed.
  • Proxy-agents are disclosed, for example, in the co-assigned patent application Lippincott, L. E., et al, Pseudo-Agents, U.S. patent application Ser. No. 12/044,614 (filed Mar. 7, 2008), which is incorporated herein in its entirety by this reference thereto.
  • Proxy-agents can be understood by reference to FIG. 2A .
  • a proxy-agent 50 is deployed to manage each of one or more different devices, for example physical machine 1 ( 54 ) and physical machine 2 ( 56 ) via a virtual machine management system 52 .
  • a router can have a proxy-agent.
  • the physical device so managed, for example physical machine 1 ( 54 ), can itself serve as a natural agent for one or more virtual machines, e.g. VM 1 and VM 2 , which can themselves include an agent A.
  • FIG. 2A thus also covers a virtual management system 52 such as a Blackberry enterprise server, which is a management system that manages a collection of Blackberry devices.
  • a proxy-agent manages those devices by interacting with the Blackberry enterprise server.
  • the Server 204 is a software-based package that provides a control center and repository for managed system configuration data, software updates and patches, and other management information.
  • the Console 204 , which runs from the Server 204 , provides an operations control center for administrators that includes graphical displays of device, group, and enterprise-wide device status and dashboards for executing management actions through the management infrastructure.
  • the Console may also include reporting functions and templates that enable graphical and tabular views on infrastructure status.
  • Fixlet messages are instructions to the Agent 202 to perform a management or reporting Action.
  • Fixlet messages can be programmed to target specific groups of devices to perform management actions. As noted above, in an embodiment, users have the option of writing custom Fixlet messages.
  • Relays 206 , 208 act as concentration points for Fixlet messages on network infrastructures. A Relay is a software module that executes as a shared service on non-dedicated hardware. Relays help reduce network bandwidth requirements for distribution of Fixlets and content such as software, patches, updates, and other information.
  • Relays 206 , 208 include a failover mechanism to keep managed Clients in touch with the Console should normal communications channels go dark or become overloaded with other traffic.
  • Relays allow an N-tier hierarchy to be created for the transmission of information from the Clients to the Server in the enterprise.
  • Relays are included as network components to significantly improve the performance of an installation. Downloads and patches, which are often large files, represent by far the greatest fraction of bandwidth. Relays are designed to take over the bulk of the download burden from the Server. Rather than downloading patches directly from a Server, Clients can instead be instructed to download from designated Relays, significantly reducing both Server load and network traffic. Relays help in the upstream direction as well, compiling and compressing data received from the Clients before passing it on to the Server. As above, any Client can be programmed to serve as a Relay.
  • the Server has many duties, among them, the taxing job of distributing patches and other files.
  • a Relay can be set up to ease this burden, so that the Server does not need to distribute the same files to every Client. Instead, the file is sent once to the Relay, which in turn distributes it to other Clients.
  • the overhead on the Server is reduced by the ratio of Relays to Clients. If one has a hundred Clients and one Relay, the Server need only process one percent of the downloads.
  • Reducing Congestion on Low-Bandwidth Connections If, for example, one has a Server communicating with a dozen computers in a remote office over a slow VPN (virtual private network), one of those computers may be designated as a Relay. Then, instead of sending patches over the VPN to every Client independently, the Server need only send a single copy to the Relay. That Relay, in turn, distributes the file to the other computers in the remote office over its own fast LAN (local area network). This effectively removes the VPN bottleneck for remote groups on the network.
  • VPN: virtual private network
  • Relays also function to reduce the total network usage when used on subnets connected through switches on a LAN.
  • a Relay takes over most of the download duties of the Server. If several Clients simultaneously request files from a Relay, a significant amount of the computer's resources may be used to serve those files. Other than that, the duties of the Relay are relatively undemanding.
  • the requirements for a Relay computer vary widely depending on one or more of the following: (1) the number of connected Clients that are downloading files; (2) the size of each download; and (3) the period of time allotted for the downloads.
  • a Relay can be installed on any ordinary workstation, but if several Clients simultaneously download files, it may slow the computer down. Workgroup file Servers and other Server-quality computers that are always turned on may be good candidates for installing a Relay.
  • Although Clients can automatically seek out and connect to an available Relay, one may want to control the process manually. If so, for each Client in the network, one may specify both a primary and a secondary Relay. The Client first attempts to download any patches from its primary Relay. However, if the primary Relay is unavailable (because the computer has crashed, the hard drive has run out of space, the computer is off, etc.), the Client can download files from the secondary Relay.
  • Relays have failover capability: if the primary Relay fails, the Client connects to the secondary Relay.
  • if the secondary also fails (or if no secondary has been designated), then the Client automatically reverts to downloading files directly from the Server.
  • one or more tertiary Relays can also be designated for a Client.
  • one can optimize a pair of Relays by splitting the connected Clients into two groups of roughly equal size. One group designates computer A as primary and B as secondary. The other group reverses the order, thus halving the overhead of each Relay while still providing a backup.
  • configuring a Client computer as a Relay may involve using the Console to edit settings for the Client computer to run a Relay Server on the Client.
  • FIG. 16 shows a screen shot of an Operator Interface 1600 to a Console.
  • once a Relay is set up, a Client can automatically discover it and connect to it by seeking the Relay that is the fewest hops distant from the Client. If there is a need to configure Clients manually, one must notify each computer which specific Relay it should point to, as described herein below.
  • Manual configuration of Relay assignment can be defined by policy such that a computer or group of computers can be configured to use a specific set of manual primary, secondary, and failover Relays.
  • a Client configured as a Relay behaves in the same manner as a Root Server, so that other Clients can perform through the Relay all the interactions they would perform with a Root Server.
  • Relays significantly reduce the Client/Server communication necessary for patch application and management.
  • Clients may start to download from designated Relays, minimizing the load on thin connections to the Server.
  • the Clients may also upload their status information to the Relay, which compiles it and compresses it before passing it up to the Server.
  • Relays may help enormously to spread out and optimize network traffic, ensuring maximum responsiveness with minimum bandwidth. Relays are especially attractive with remote offices connected by relatively slow VPNs.
  • the Server sends a single download to the remote Relay, which can then distribute it to the Clients over a faster local subnet.
  • Manual Relay Selection 300 (shown in FIG. 3 ):
  • Console UI 1600 for each Client or for groups of Clients:
  • Agent Autoselection Algorithm 400 (shown in FIG. 4 ):
  • Failover Behavior 500 (shown in FIG. 5 )
  • FIG. 6A Automatic Selection
  • Intervals are configurable by settings
  • Relays are usually Clients that have been specially configured to function as a Server does, in addition to their normal functioning as a Client.
  • Relays themselves can be configured, as described above, to automatically seek out and connect to the nearest Relay.
  • the connecting Relay is choosing its parent in a Relay hierarchy.
  • automatic Relay selection provides for a Relay that determines its parent Relay dynamically, so that as the state of the network changes, different hierarchies and routing paths through the network are constantly being discovered by Clients and Relays without any modification of the hardware or the network topology and without any input from an administrator.
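  • The selection behaviour described in the preceding passages (the manual primary/secondary/tertiary chain with fallback to the root Server, the split of Clients across a pair of Relays, the automatic choice of the reachable Relay that is the fewest hops away, and periodic reselection as the network changes), as one added illustration covering all of them. This is not code from the patent or from the BigFix product; Relay names, hop counts, the availability results and the `min_gain` anti-flapping threshold are constructed assumptions of the example, and "hops" stands in for whatever distance measure the Agent's probe actually returns.

```python
"""Relay selection: manual failover chain, hop-based autoselection, reselection,
and the primary/secondary split for a pair of Relays.

Added illustration, not code from the patent or from the BigFix product. Relay
names, hop counts and availability are constructed sample data; the min_gain
hysteresis is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import Iterable

ROOT_SERVER = "root-server"   # final fallback when no Relay is reachable


@dataclass
class RelayProbe:
    name: str
    hops: int          # distance from the probing Client (assumed: traceroute hop count)
    available: bool    # True if the probe got an answer from the Relay service


@dataclass
class ClientConfig:
    # manual assignment, in failover order: primary, secondary, tertiary, ...
    manual_chain: list = field(default_factory=list)


def select_manual(cfg: ClientConfig, probes: dict) -> str:
    """Manual selection with failover: try each configured Relay in order and
    revert to the root Server if none answers."""
    for name in cfg.manual_chain:
        probe = probes.get(name)
        if probe is not None and probe.available:
            return name
    return ROOT_SERVER


def select_automatic(probes: dict, exclude: Iterable[str] = ()) -> str:
    """Automatic selection: the reachable Relay with the fewest hops. `exclude`
    lets a Relay avoid picking itself as its own parent, which would loop."""
    excluded = set(exclude)
    candidates = [p for p in probes.values() if p.available and p.name not in excluded]
    if not candidates:
        return ROOT_SERVER
    # deterministic tie-break on name so two probes with equal hops agree
    return min(candidates, key=lambda p: (p.hops, p.name)).name


def select_parent(cfg: ClientConfig, probes: dict, self_name: str = "") -> str:
    """A Client (or a Relay choosing its parent) honours a manual chain when one
    is configured and otherwise falls back to automatic selection."""
    if cfg.manual_chain:
        return select_manual(cfg, probes)
    return select_automatic(probes, exclude={self_name} if self_name else ())


def should_reselect(current: str, probes: dict, min_gain: int = 1) -> bool:
    """Periodic reselection: switch only if the current parent is down, or a
    reachable Relay is at least `min_gain` hops closer (avoids flapping)."""
    cur = probes.get(current)
    if current != ROOT_SERVER and (cur is None or not cur.available):
        return True
    best = select_automatic(probes)
    if best == ROOT_SERVER:
        return False                   # nothing reachable; stay where we are
    if current == ROOT_SERVER:
        return True                    # a Relay came back: stop loading the Server
    return probes[best].hops + min_gain <= cur.hops


def balance_pair(clients: list, relay_a: str, relay_b: str) -> dict:
    """Split Clients across two Relays so each Relay is primary for half and
    secondary for the other half: halved per-Relay load, backup retained."""
    assignment = {}
    for i, client in enumerate(clients):
        chain = [relay_a, relay_b] if i % 2 == 0 else [relay_b, relay_a]
        assignment[client] = ClientConfig(manual_chain=chain)
    return assignment
```

Two details matter in practice: a Relay must exclude itself (and, in a real deployment, its own descendants) from the candidate set or it can become its own parent, and reselection needs some hysteresis, otherwise two Relays at equal distance will cause a Client to flap between them on every interval.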
  • the ability of Clients and Relays to discover routings through the network enables a multitude of use cases all based on the establishment of dedicated pathways through the network for particular purposes.
  • Fixlet messages can download and run specified payloads whose SHA-1 checksums have been captured at the time the Fixlet is created.
  • actions created from such Fixlets will run only the specific executable that was referred to by the source Fixlet.
  • a Fixlet message is authored and deployed that instructs a Client to trust an arbitrary piece of content to run, delegating the responsibility for knowing that the content is safe to run to a piece of trusted logic on the Client.
  • the Client need only supply certain information about the object, for example, a unique identifier for the object such as a hash of the object.
  • any Client in the system can be configured for this interaction wherein untrusted content is downloaded to the Client.
  • Any Client can ask the Relay to retrieve a particular file by providing the file size and the hash of the file.
  • the Relay can mirror the file through the hierarchy: the Root Server obtains it from the Internet, and it then flows back down through the Relay hierarchy.
  • the Client knows in advance what it is asking for.
  • Dynamic downloading provides the ability to use relevance clauses to specify URLs.
  • An embodiment makes use of the Platform's site-signing and distribution capability to flow untrusted content, such as antivirus definitions, with the ability to merge the untrusted content from other sources with the assurance to users that the particular untrusted content can be trusted.
  • an object or an item of content may need to flow down to the Clients in order to be processed.
  • Trusted software on a Client evaluates the content and decides the URL, the SHA-1 and size of the file necessary to update the Client. Then, the URL, the SHA-1 and file size flow back up from the Clients to the Server. The Server is then able to produce the specified file, whereupon the file flows down through the Relays and is executed in the context of Clients that have been configured to automatically apply an update policy whenever the SHA-1 changes.
  • a single piece of content may contain the information necessary for a piece of antivirus software to update itself.
  • it could also contain antivirus definitions, such that a combined Agent could say, “yes, I need these three files” or an antivirus Agent could say “I only need this one file.” They could then both derive the information necessary to specify what file to download from the same content feed—the same piece of data that flowed down from the Server. The choice would then be conveyed back through the hierarchy to the Server to collect the appropriate file.
  • an Operator inspects ActionScripts and approves them for execution on the Client.
  • ActionScripts may be static, in which case it is a fairly simple task to inspect them to see which steps will be executed on the Client.
  • the ActionScript uses variables to refer to the dynamic content.
  • the foregoing approach protects the confidentiality of customers of the Platform vendor, reassuring them that an excessive amount of control has not been surrendered to, for example, a software vendor who is producing the virus definition file.
  • the Client is enabled to look up the dynamic information indirectly and fill it into the variables.
  • the Operator is able to inspect the sequence of instructions as they are to be executed on the Client, allowing the Operator to better decide whether or not to trust the content and to approve the ActionScript.
  • One embodiment enables performance of dependency resolution, in order to install various pieces of software and to update that software.
  • Dependency resolution is useful in the case of an arbitrary collection of software, at least some items of which depend on other software being installed. Any particular piece of software might have incompatibilities with other pieces of installed software. There may exist requirements such as if a first piece of software is updated another piece will need to be updated. It becomes a quite complicated process to resolve all those dependencies.
  • An embodiment of the Dynamic Download application provides data in the form of a set of packages to a process on the machine itself that is able to analyze the set of packages.
  • the process produces a list of URLs, SHA1 checksums, and sizes that need to be downloaded for the particular machine in order for it to update to a new version of a package. That same set of information can be processed by different computers, and each may arrive at a different answer because of the software already installed on the machine.
  • the Action is rolled out to a number of machines.
  • Each machine may have thereon a data file that defines the set of URLs, SHA1 checksums and sizes for the specific versions of other packages upon which that version of the Web Server depends; from that file the machine extracts the set of other packages that need to be applied to it in order to update it to the newest version of that Web Server.
  • the ActionScript is written such that it may use one or both of relevance substitution and some local processing on the Client to look through a large list of URLs, SHA1 checksums, sizes and dependency information about what each package requires and is compatible with, to determine the set of downloads that needs to be pulled down to this particular machine, and to execute just that set.
  • a common feature of the foregoing embodiments of the Dynamic Download Application is that they are based on knowledge of the context of the item or items sought. Thus, a requestor doesn't provide just an address. Instead, the requestor is asked to describe, through a SHA1 checksum, exactly what is sought, in order for a Relay to pull it by specifying, at least, the size of the file and the hash of the file.
  • An additional common feature is the evaluation of relevance for a particular Client, because each Client may have different update requirements or download requirements.
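The per-machine dependency resolution described above, as an added example that is not part of the patent or of the product it describes. It assumes a manifest of package entries (name, version, download triple, requirements, conflicts) and an inventory of installed versions, both constructed here; the URL and SHA1 values are placeholders, and the names Resolve, Manifest and Installed are the example's own. The resolver does a depth-first walk of the requirement graph and emits only the packages this machine lacks, so the same manifest yields a different download set on each machine, as the text says.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is one entry of the manifest flowed down to a Client: its download
// triple plus the packages it requires and the ones it is incompatible with.
// The URL, SHA1 and Size values used below are constructed placeholders.
type Package struct {
	Name      string
	Version   int
	URL       string
	SHA1      string
	Size      int64
	Requires  []string
	Conflicts []string
}

// Manifest maps a package name to its newest entry.
type Manifest map[string]Package

// Installed maps a package name to the version present on this machine.
type Installed map[string]int

// Resolve walks the dependency closure of target and returns the packages this
// particular machine must download: those absent or older than the manifest
// version, ordered so that requirements come before the packages needing them.
// A cycle, a package missing from the manifest, or a conflict with a package
// already installed on the machine is reported as an error.
func Resolve(m Manifest, inst Installed, target string) ([]Package, error) {
	var plan []Package
	state := map[string]int{} // 0 = unvisited, 1 = in progress, 2 = done
	var visit func(name string) error
	visit = func(name string) error {
		switch state[name] {
		case 1:
			return fmt.Errorf("dependency cycle through %s", name)
		case 2:
			return nil
		}
		state[name] = 1
		pkg, ok := m[name]
		if !ok {
			return fmt.Errorf("%s is not in the manifest", name)
		}
		for _, c := range pkg.Conflicts {
			if _, present := inst[c]; present {
				return fmt.Errorf("%s conflicts with installed package %s", name, c)
			}
		}
		for _, dep := range pkg.Requires {
			if err := visit(dep); err != nil {
				return err
			}
		}
		if inst[name] < pkg.Version { // missing packages read as version 0
			plan = append(plan, pkg)
		}
		state[name] = 2
		return nil
	}
	if err := visit(target); err != nil {
		return nil, err
	}
	return plan, nil
}

// PlanNames renders a plan as "name@version" tokens in download order.
func PlanNames(plan []Package) string {
	names := make([]string, len(plan))
	for i, p := range plan {
		names[i] = fmt.Sprintf("%s@%d", p.Name, p.Version)
	}
	return strings.Join(names, " ")
}

// SampleManifest is a constructed feed: a Web Server update that depends on
// specific versions of two libraries and cannot coexist with a legacy package.
var SampleManifest = Manifest{
	"zlib":      {Name: "zlib", Version: 1, URL: "http://vendor.example/zlib-1.pkg", SHA1: "sha1-placeholder-zlib", Size: 100},
	"ssl":       {Name: "ssl", Version: 2, URL: "http://vendor.example/ssl-2.pkg", SHA1: "sha1-placeholder-ssl", Size: 200, Requires: []string{"zlib"}},
	"webserver": {Name: "webserver", Version: 3, URL: "http://vendor.example/webserver-3.pkg", SHA1: "sha1-placeholder-ws", Size: 300, Requires: []string{"ssl", "zlib"}, Conflicts: []string{"legacy-http"}},
}

func main() {
	// Four constructed machines receiving the same Action.
	machines := map[string]Installed{
		"fresh":    {},
		"partial":  {"zlib": 1, "ssl": 1, "webserver": 2},
		"current":  {"zlib": 1, "ssl": 2, "webserver": 3},
		"conflict": {"zlib": 1, "legacy-http": 1},
	}
	for name, inst := range machines {
		plan, err := Resolve(SampleManifest, inst, "webserver")
		if err != nil {
			fmt.Printf("%-9s error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-9s downloads: %q\n", name, PlanNames(plan))
	}
}
```

Each machine feeds its own inventory into the same manifest, which is why the partial machine downloads only ssl and the Web Server while a fresh machine also pulls zlib.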
  • a Site is a collection of Fixlets and other content. Custom sites may contain only internally-sourced content or a combination of internally- and externally-sourced content.
  • an Integration 705 is a site that may integrate content from a number of sources or providers. For example, an integration may contain Fixlets from one or more anti-virus software manufacturers for downloading anti-virus updates.
  • a process 700 for implementing the Dynamic Download application may include at least one of the following steps:
  • Dynamic Downloads must specify files with the confirmation of a size or SHA-1.
  • the URL, size, and SHA-1 are allowed to come from a source outside of the ActionScript. This outside source may be a manifest containing a changing list of new downloads. This technique makes it easy to access files that change quickly or on a schedule, such as antivirus or security monitors.
  • Dynamic Downloading uses a White-list. Any request to download from a URL (that is not explicitly authorized by use of a literal URL in the ActionScript) must meet one of the criteria specified in a White-list of URLs on the Server.
  • the White-list may contain one or more regular expressions in, for example, a Perl regex format, separated by newlines, such as shown in Table 1, below:
  • the first line is the least restrictive, allowing any file at the entire site-a domain to be downloaded.
  • the second line requires a specific domain host, while the third expression is most restrictive, limiting the URL to a single file named “JustThisOneFile.qfx”.
  • the foregoing description of the White-list is illustrative only and is not intended to be limiting. If a requested URL fails to match an entry in the White-list, the download immediately fails, with status NotAvailable. A note may be made in a Relay log of the URL that failed to pass. In an embodiment, an empty or non-existent White-list causes all URL downloads to fail. On the other hand, a White-list entry of “.*” (dot star) allows any URL to be downloaded.
  • Other methods of composing and formatting a White-list are consistent with the spirit and scope of the subject matter described in the attached Claims.
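A White-list check in the form the text describes, as an added example written for this page rather than code from the patent or its product. It assumes the White-list arrives as newline-separated patterns and uses Go's regexp package (RE2 syntax, which covers simple Perl-style patterns but not every Perl feature); the sample list, the site-a.example domain and the URLs in main are constructed, with only the file name JustThisOneFile.qfx taken from the text. Each pattern is anchored to the whole URL, and the domain-wide pattern limits its host wildcard to hostname characters, so a URL that merely mentions the domain in its path or query does not pass.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// DownloadStatus is the outcome the Server reports for a dynamic download request.
type DownloadStatus string

const (
	StatusAllowed      DownloadStatus = "Allowed"
	StatusNotAvailable DownloadStatus = "NotAvailable"
)

// WhiteList holds one compiled pattern per non-blank line of the Server's list.
type WhiteList struct {
	patterns []*regexp.Regexp
}

// ParseWhiteList compiles the newline-separated patterns. Each pattern is
// wrapped in ^(?:...)$ so it must match the whole URL, never just a substring.
func ParseWhiteList(text string) (*WhiteList, error) {
	wl := &WhiteList{}
	for i, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		re, err := regexp.Compile("^(?:" + line + ")$")
		if err != nil {
			return nil, fmt.Errorf("white-list line %d: %w", i+1, err)
		}
		wl.patterns = append(wl.patterns, re)
	}
	return wl, nil
}

// CheckURL decides whether url may be fetched. literalURLs holds URLs written
// verbatim in the ActionScript, which the text exempts from the White-list.
// A nil, empty or non-existent list rejects every non-literal URL, and a ".*"
// entry admits everything. The reason string is what a Relay would log.
func (wl *WhiteList) CheckURL(url string, literalURLs map[string]bool) (DownloadStatus, string) {
	if literalURLs[url] {
		return StatusAllowed, "literal URL in ActionScript"
	}
	if wl == nil || len(wl.patterns) == 0 {
		return StatusNotAvailable, "White-list empty or not present"
	}
	for _, re := range wl.patterns {
		if re.MatchString(url) {
			return StatusAllowed, "matched " + re.String()
		}
	}
	return StatusNotAvailable, "no White-list entry matched " + url
}

// SampleWhiteList is a constructed list in the shape the text describes: the
// first line admits any file on any host under the site-a domain, the second
// only a specific host, the third a single file named JustThisOneFile.qfx.
// The host wildcard on the first line is limited to hostname characters.
const SampleWhiteList = `https?://([a-z0-9-]+\.)*site-a\.example/.*
https?://downloads\.site-a\.example/.*
https?://downloads\.site-a\.example/defs/JustThisOneFile\.qfx`

func main() {
	wl, err := ParseWhiteList(SampleWhiteList)
	if err != nil {
		panic(err)
	}
	for _, u := range []string{ // constructed request URLs
		"http://mirror.site-a.example/defs/today.qfx",
		"http://downloads.site-a.example/defs/JustThisOneFile.qfx",
		"http://other.example/defs/today.qfx",
		"http://other.example/?http://x.site-a.example/",
	} {
		status, why := wl.CheckURL(u, nil)
		fmt.Printf("%-12s %s (%s)\n", status, u, why)
	}
}
```

The last URL in main is the case an unanchored or over-permissive pattern gets wrong: it contains the trusted domain but is served by another host, and the hostname-only wildcard rejects it.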
  • status reporting for Dynamic Downloads is integrated with reporting for static downloads, being displayed side-by-side.
  • reporting on any given Action is limited to a configurable number of Dynamic Downloads, for example, the twenty most recent, in order to avoid overwhelming an Action document and the connection between Server and Console.
  • the primary key of a download request is the hash and the file size.
  • a second URL supplied for the same hash and file size is ignored.
  • a request for the second URL may succeed by changing the URL of the file recorded on the system.
  • the Client may re-try the download by resubmitting the request.
  • failures may not be propagated down to the network. Instead, Console status reporting is operative to alert the Console Operator of the failure, so that it can issue a notification to the Client to discontinue sending a request that has failed a number of times.
  • Consoles are discouraged from making frequent retry requests by configuring a long delay interval between retries.
  • DownloadRequests may have a serialization format as shown below in Table 2:
  • DownloadResponses may have a serialization format as shown below in Table 3:
  • Clients and Relays may request a download from their parents by providing, for example:
  • the file size and the URL are not technically necessary.
  • the file size reinforces the SHA-1 mechanism and the URL allows the Server to fetch the file directly from the Internet without having to check a local index.
  • the file size/SHA-1 uniquely identifies a download request. If the Server has a matching entry in its cache, the provided URL does not need to be used. As above, the URL may not even match the original URL used to request the file.
  • Clients are provided with the ability to request an arbitrary URL.
  • a record of file downloads and progress is stored in a table that uses FileID as the primary key.
  • the URL, the file location and the status are stored as values.
  • FIGS. 8 and 9 show state transition diagrams for Relay (800) and Server (900), respectively.
  • a Client issues a download request.
  • the request goes to the Client's Relay, which then checks the cache for the file.
  • the cache is implemented using SQLITE.
  • Other embodiments may employ other database engines that support in-memory databases and triggers.
  • a download triple consists of SHA-1, filesize and URL.
  • the URL describes the location of the file and the SHA-1 and filesize function to verify the file.
  • a Client may send a download notification that includes a list of download triples.
  • the Relay evaluates the triples and signals the Client when to start the download. This may be either immediately, if the file is present on the Client's Relay parent or after the download to the Relay is complete.
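An added example, not from the patent or its product, of the hash-and-size keyed request handling described earlier and of the download-triple verification just above: the cache key is (SHA-1, size), a cached hit ignores the URL, and a fetched file is stored only after its size and SHA-1 match. The origin map, URLs and payloads are constructed; the Fetcher type stands in for a Relay's parent or the Internet, and RelayCache, Resolve and TripleFor are names chosen for this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// DownloadTriple is the (SHA-1, file size, URL) request the text describes. The
// hash and size identify and verify the file; the URL only says where to get it.
type DownloadTriple struct {
	SHA1 string // lowercase hex digest
	Size int64
	URL  string
}

// cacheKey is the primary key of a download request: hash and size, never the URL.
type cacheKey struct {
	sha1 string
	size int64
}

// Fetcher retrieves the bytes behind a URL; a real Relay would forward the
// request to its parent, and the Root Server would go to the Internet.
type Fetcher func(url string) ([]byte, error)

// RelayCache stores verified files under their hash/size key.
type RelayCache struct {
	files map[cacheKey][]byte
	fetch Fetcher
}

func NewRelayCache(f Fetcher) *RelayCache {
	return &RelayCache{files: map[cacheKey][]byte{}, fetch: f}
}

// Verify checks the cheap size first and then the SHA-1 of the body against the triple.
func Verify(t DownloadTriple, body []byte) error {
	if int64(len(body)) != t.Size {
		return fmt.Errorf("size mismatch: want %d bytes, got %d", t.Size, len(body))
	}
	sum := sha1.Sum(body)
	if hex.EncodeToString(sum[:]) != t.SHA1 {
		return errors.New("SHA-1 mismatch")
	}
	return nil
}

// Resolve serves a request from the cache when the hash/size is present (the URL
// is then ignored, as the text says) and otherwise fetches, verifies and stores
// the file. A URL that yields the wrong bytes is never cached and the request
// fails as NotAvailable. The bool reports a cache hit.
func (c *RelayCache) Resolve(t DownloadTriple) ([]byte, bool, error) {
	key := cacheKey{t.SHA1, t.Size}
	if body, ok := c.files[key]; ok {
		return body, true, nil
	}
	body, err := c.fetch(t.URL)
	if err != nil {
		return nil, false, fmt.Errorf("NotAvailable: %w", err)
	}
	if err := Verify(t, body); err != nil {
		return nil, false, fmt.Errorf("NotAvailable: %s: %w", t.URL, err)
	}
	c.files[key] = body
	return body, false, nil
}

// TripleFor builds the triple a Client computes for a payload it knows in advance.
func TripleFor(url string, body []byte) DownloadTriple {
	sum := sha1.Sum(body)
	return DownloadTriple{SHA1: hex.EncodeToString(sum[:]), Size: int64(len(body)), URL: url}
}

// originServer is a constructed stand-in for the Internet: URL -> bytes. The
// "wrong" entry has the same size as the genuine file but different content.
var originServer = map[string][]byte{
	"http://vendor.example/defs/v1.bin": []byte("constructed antivirus definitions, version 1"),
	"http://mirror.example/defs/v1.bin": []byte("constructed antivirus definitions, version 1"),
	"http://mirror.example/defs/wrong":  []byte("constructed antivirus definitions, version 2"),
}

func fetchFromOrigin(url string) ([]byte, error) {
	body, ok := originServer[url]
	if !ok {
		return nil, fmt.Errorf("%s: not found", url)
	}
	return body, nil
}

func main() {
	cache := NewRelayCache(fetchFromOrigin)
	genuine := originServer["http://vendor.example/defs/v1.bin"]
	req := TripleFor("http://vendor.example/defs/v1.bin", genuine)
	_, hit, err := cache.Resolve(req)
	fmt.Println("first request: hit =", hit, "err =", err)
	req.URL = "http://mirror.example/defs/wrong" // same hash/size key, so the URL is ignored
	_, hit, err = cache.Resolve(req)
	fmt.Println("same key, other URL: hit =", hit, "err =", err)
	_, _, err = NewRelayCache(fetchFromOrigin).Resolve(req) // cold cache must fetch and verify
	fmt.Println("cold cache, same request: err =", err)
}
```

The second and third calls in main use the identical triple: a warm Relay serves it from the cache without touching the URL, while a cold Relay fetches the wrong bytes, fails the SHA-1 check and reports NotAvailable.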
  • Clients C1 and C2 request the same file.
  • a lock may be held so that only one download request is processed at a time.
  • failures are not propagated to children.
  • Clients do not need to be responsible for a retry, eliminating the necessity for a Client that switches to another Relay to check an additional state for a file. Instead, the Client can just do a re-try after a timeout.
  • Such a practice also aids in Relay failure; thus, if a Relay state is lost, the default is that the Client eventually requests a re-try.
  • In order to keep the Relay cache synchronized with the actual files located on the Relay, on a Relay reboot all states mapping to a file download request are removed. Thus, the cache can rebuild itself by checking which files are actually on the Relay.
  • the Relay mailbox contains responses and requests that map to files in the cache with the states NEW and REQUEST_SUBMITTED, respectively.
  • the cache may either remove partially downloaded files or make a list of them and add them as files in the cache with state DOWNLOADING.
  • An embodiment incorporates a Distributed Server Architecture (DSA).
  • Distributed Servers do not download from each other because all Servers are assumed to have the same level of network connectivity. Additionally, there is no replication of the Servers' download caches. In an embodiment, download White-lists are not replicated. Thus, they may be manually configured on each Server.
  • Download Requests may succeed and fail completely independently on different Servers. Because all of the necessary logic is stored on the Clients and in the White-list, exchange of information between Servers is rendered unnecessary.
  • the Dynamic Download feature can render the limitation that URLs and SHA-1s be known at Action creation time unnecessary. With Dynamic Downloads it is sufficient that URLs and SHA-1s be computable by the Clients prior to Action execution. Client processing may be impacted in at least the following ways:
  • a Client can identify files to be downloaded to a Relay by providing the URL/checksum of each file.
  • multiple requests are consolidated by a Relay into single requests to a parent Relay.
  • the Root Server verifies the URLs through the White-list, and provides the file, either from its cache or by attempting to download the file. If the URL produces the file with the appropriate SHA-1, the Relays are then notified of the availability of the files, and they pull them down if they have descendants that have requested the file. Agents are notified of the availability of these files via a Notification message, and they pull them down if they are interested.
  • the Action language provides an explicit pre-fetch block of ActionScript to be used to identify pre-fetch downloads.
  • Actions triggering the dynamic download feature may be authored with the pre-fetch block, thus making it easier to identify pre-fetch Action activity.
  • Action language commands identify the boundaries of the pre-fetch block:
  • pre-fetching specifications may be placed at the top of the ActionScript, thus making it easier for readers to understand which files are being collected.
  • Presence identifies a new-style Action; one is allowed per Action; comments and blank lines may precede this command; and it is paired with a matching ‘end pre-fetch block’ command.
  • the Client uses the request mechanism without URL/SHA-1. If there are any URL/SHA-1 downloads present, it uses the URL/SHA-1-based request mechanism, which allows for ActionID/ordinal requests and URL/SHA-1 requests to be co-mingled.
  • the Client verifies the signature of the Action before it does any download pre-fetching calculations from the ActionScript. If a Relay or Server does not support the URL/SHA-1 based request mechanism, the Client blocks the Action from executing.
  • Pre-fetch files are collected into a per-Action pre-fetch folder until the Action is ready to run. They exist in the per-Action pre-fetch folder under various names that indicate the progress of the pre-fetch activities. At various stages in processing these files may be renamed to the names specified in the pre-fetch commands. When the Action is inactive after each ‘collect pre-fetch items’, the named versions of the files may be placed into a ‘named’ folder.
  • the pre-fetch files are moved from the ‘named’ folder to a ‘Download’ folder of the Action site.
  • any files remaining in the ‘Download’ folder are moved into the download cache or utility cache and renamed to their SHA-1.
  • One or more of the following inspectors can be used to locate files during the pre-fetch processing or while the Action is running:
  • the Client asks for a ‘0’ file. Once the ‘0’ file is available, Clients calculate their time to start, causing the Relays to collect the file as soon as the first Client requests it, so that all of the Clients are not downloading at the same time.
  • a set of pre-fetch files identified by a first ‘collect pre-fetch items’ statement is requested. If no ‘collect pre-fetch items’ statement is used, the full set is requested.
  • the Clients calculate their time to start. Once that time to run is reached, the Client sees if there are more files it needs; if so it requests them, then it runs. It will not pick a different time to run. The effect of this is that the Clients that choose an early distribution time trigger any additional files to be downloaded. Thus, the later Clients do not have to wait for them.
  • Clients go to their caches before they ask the Relay if the files are available.
  • Clients run the Action with the last file with that name in place, regardless of how many other downloads have the same name.
  • This example assumes a version comparison can be used to detect that the update is necessary.
  • the values are substituted from a server configuration file when the Fixlet is authored by an on-demand wizard.
  • Server_bf.ini.PatternVersion for example, is read from the Server initialization file when the wizard is used to create an on-demand update Fixlet.
  • the name of the custom site must be known.
  • the Client may be configured to know where the auto-update Server_bf.ini and Server_bf.ini come from.
  • the Platform provides a security model having at least the following capabilities:
  • Clients are assigned unique identifiers when they register. Any entity, such as a machine or network, that requests a registration interaction with the Server is issued a unique identifier and is trusted. Many of the properties associated with a particular Client that can be viewed by an operator by way of the UI to the Console are aligned with that Client based on that identifier that was handed out at the time of registration. Accordingly, the foregoing approach provides strong authentication of the Server and the Administrators by the endpoints (Clients). That is, whenever a Client receives a command from an Administrator, the Client knows exactly who issued it by virtue of the strong cryptographic mechanisms. Additionally, the channel can be encrypted through strong cryptographic mechanisms.
  • information flowing in the opposite direction, from endpoints (Clients) into the system, is not authenticated because there previously has not existed a reliable way to authenticate the endpoints.
  • Not being able to reliably authenticate an endpoint may provide an opportunity for such attacks as spoofing, in which a person or program successfully masquerades as another by falsifying data and thereby gaining some illegitimate advantage.
  • a Client authentication mechanism in which a cryptographic credential is established on each Client (endpoint), provides a much stronger, more robust security model that greatly minimizes the risk of spoofing attacks.
  • the Client Authentication mechanism extends the previous security model to include a mirror image of the above-mentioned capabilities:
  • a solution to the above challenges allows anyone to enter the system and generate a new identity and builds trust from that starting point, unlike conventional security systems, which specifically require that a new resource be explicitly joined to the system by an Administrator.
  • a Client produces a public/private key pair.
  • the Server then grants a unique Computer ID which the Server associates with the public key.
  • the Computer ID and the public key are associated to the particular unique Client.
  • because the private key created on the Client is not distributed to any other device, it can authenticate content coming from that Client, making it possible to verify any message sent from the Client.
  • a cryptographic protocol such as OPENSSL is employed to create public/private key pairs for each new Client in a deployment.
  • When a Client initially registers, it submits a public key with a request that the key be associated to a new computer ID. The response to the Client request, in turn, is signed with a key that can be authenticated by the Client.
  • the Client may not be deceived into thinking that it has registered directly with the Root Server when it has, in fact, registered through a malicious middleman who switched the public key submitted to the Root.
  • the Root Server stores the Client's public key in a map of computer IDs to public keys. The key remains associated with the ID for the life of the ID.
  • the Client signs the interaction with its private key.
  • when the Root Server receives a report, before updating the data for the computer ID provided, it verifies that the report is signed by a key that matches the public key on file for that ID.
  • the Root Server exposes APIs, for example, by way of the database or SOAP (simple object access protocol), that allow lookup of public keys given a computer ID.
  • the looked-up data must be trusted, to assure that data gets encrypted for the intended target and not for a maliciously inserted target.
  • database security and/or signing the data provide a sufficient degree of trust. Given the public key, any program can encrypt data and provide it to the Client however it wishes.
  • the foregoing model also provides a mechanism for doing clone detection, in the event that a key does become compromised.
  • when cloning detection detects a cloned key during a registration attempt, it invalidates the Computer ID associated with the cloned key. Subsequently, the Client must generate a new key pair and begin the registration process anew, thus enabling the detection of key reuse by a different party.
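The registration, report-signing and clone-detection steps above, as an added example that is not code from the patent or its product. It uses Ed25519 from Go's standard library in place of the OpenSSL-generated key pairs the text mentions, and it treats a public key that is already bound to a live computer ID and asks for a new one as a clone, which is a simplifying assumption of this example rather than a rule the text states; names such as RootServer, Register and VerifyReport are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// RootServer keeps the map of computer IDs to public keys. Ed25519 from Go's
// standard library stands in for the OpenSSL-generated key pairs of the text.
type RootServer struct {
	signKey ed25519.PrivateKey        // signs registration responses
	nextID  int
	keys    map[int]ed25519.PublicKey // computer ID -> public key, for the life of the ID
	seen    map[string]int            // hex public key -> computer ID, for clone detection
}

func NewRootServer() (*RootServer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RootServer{signKey: priv, nextID: 1, keys: map[int]ed25519.PublicKey{}, seen: map[string]int{}}, nil
}

// PublicKey is what Clients are provisioned with to authenticate Server responses.
func (s *RootServer) PublicKey() ed25519.PublicKey { return s.signKey.Public().(ed25519.PublicKey) }

// registrationResponse binds the issued ID to the exact key that was submitted.
func registrationResponse(id int, pub ed25519.PublicKey) []byte {
	return append([]byte(fmt.Sprintf("computer-id=%d;key=", id)), pub...)
}

// Register issues a fresh computer ID for a never-seen public key and signs the
// response. Simplifying assumption of this example: a key already bound to a
// live ID that asks for a new one is treated as cloned, so the old ID is
// invalidated and the caller must generate a new key pair and start over.
func (s *RootServer) Register(pub ed25519.PublicKey) (int, []byte, error) {
	k := hex.EncodeToString(pub)
	if old, ok := s.seen[k]; ok {
		delete(s.keys, old) // reports under the old ID are no longer accepted
		return 0, nil, fmt.Errorf("cloned key: computer ID %d invalidated, register with a new key pair", old)
	}
	id := s.nextID
	s.nextID++
	s.keys[id] = pub
	s.seen[k] = id
	return id, ed25519.Sign(s.signKey, registrationResponse(id, pub)), nil
}

// VerifyReport accepts a report only if it is signed by the key on file for id.
func (s *RootServer) VerifyReport(id int, report, sig []byte) bool {
	pub, ok := s.keys[id]
	return ok && ed25519.Verify(pub, report, sig)
}

// Client owns a key pair; the private key never leaves the machine.
type Client struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	ID   int
}

func NewClient() (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv, pub: pub}, nil
}

// Register submits the public key and checks that the response was signed by the
// Root Server over this Client's own key, so a middleman that swapped the
// submitted key cannot hand back a response this Client will accept.
func (c *Client) Register(s *RootServer, serverPub ed25519.PublicKey) error {
	id, sig, err := s.Register(c.pub)
	if err != nil {
		return err
	}
	if !ed25519.Verify(serverPub, registrationResponse(id, c.pub), sig) {
		return fmt.Errorf("registration response not signed by the Root Server for this key")
	}
	c.ID = id
	return nil
}

// SignReport signs a status report with the Client's private key.
func (c *Client) SignReport(report []byte) []byte { return ed25519.Sign(c.priv, report) }

func main() {
	s, _ := NewRootServer()
	c, _ := NewClient()
	fmt.Println("register:", c.Register(s, s.PublicKey()), "computer ID", c.ID)
	report := []byte("status=patched") // constructed report body
	sig := c.SignReport(report)
	fmt.Println("genuine report accepted:", s.VerifyReport(c.ID, report, sig))
	fmt.Println("altered report accepted:", s.VerifyReport(c.ID, []byte("status=unpatched"), sig))
	clone := &Client{priv: c.priv, pub: c.pub} // the same key pair turning up again
	fmt.Println("clone registration:", clone.Register(s, s.PublicKey()))
	fmt.Println("original ID still trusted:", s.VerifyReport(c.ID, report, sig))
}
```

Once the clone is detected the original ID stops validating reports too, which is the behaviour the text describes: the legitimate holder must re-register with a fresh key pair, and the attempt itself is what surfaces the reuse.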
  • the level of trust established by the foregoing Client Authentication model may be raised through combination with other authentication mechanisms.
  • a higher level of trust may be achieved by establishing a second data pathway to secure a confirmation; for example, by requiring the registering party to confirm that they, in fact, are the registering party by email.
  • a higher level of trust may be established if a Client is able to authenticate through a Server's Active Directory, or if the Client and Server can exchange keys via a protocol such as SSH (secure shell).
  • a still higher level of trust may be achieved by physically verifying that the machine's credentials can be trusted; for example, by having an operator access the machine and verify the public key.
  • Clients accorded varying levels of trust may be identified in the Console interface. For example, Clients accorded the primary trust level are grouped together in one region of the display, while Clients accorded the highest trust level are grouped together in another region of the display.
  • although the Client Authentication model has been discussed primarily in connection with Client/Server interactions, the model also finds application in interactions between Clients, for example a clustering relationship involving a number of endpoints.
  • likewise, although the Client Authentication model has been discussed primarily in connection with Client/Server interaction, in an embodiment it may also play a role in interactions between a Relay and a Client.
  • Relays are typically Clients that have been additionally configured to behave as a Server. Accordingly, because a Relay is also a Client, the Relay can also be issued authentication credentials like a Client. By authenticating the Relay, a Client knows that it is talking to a Relay, thus providing additional protection against snooping attacks, such as man-in-the-middle attacks.
  • An embodiment of the Client Authentication model finds application in the sending of a password down the hierarchy to a Client from the Server. It is a common IT management task to reset the password on a Client.
  • a password, when it is sent to a Client, is scrambled. The Client is then given a utility to unscramble the password.
  • giving the Client the unscramble utility, in essence, gives it to the rest of the world.
  • although the scrambled password is not plaintext, it is not secure. There exists, therefore, a great need for a secure way to send a password down to a Client.
  • because the Client Authentication model includes a key pair for the Client, the password can be encrypted using the Client's public key and then pushed to the Client. Because only the Client has the private key, only the Client can decrypt the password.
  • an embodiment of the Platform provides the ability to facilitate a connection between a Console operator and a remote computer, as shown in FIG. 13, where a Console 1301 is connected to Client A 1304 through the Root Server 3102 and Relay A 1303.
  • This capability enables a multitude of use cases, many of which fall into one of the below categories:
  • the Relay hierarchy readily allows penetration of NAT (network address translation) protocols—a technique that allows a number of machines to share a single IP address from the outside world's perspective—so that it is possible, assuming that a Relay exists behind the NAT, to communicate with Clients behind the NAT.
  • One embodiment enables routing through the infrastructure into a Relay inside a subnet and then allowing the last leg of communication to take place over an IP address that can directly connect to the target machine.
  • the present Direct Connect methodology uses the pathway to establish a connection.
  • a rendezvous technique may wake up the target machine, inform it that a direct connection is requested and inform the target of the network topology or pathway to use to connect.
  • the Relay infrastructure may be used as a communication mechanism to trigger a rendezvous, and subsequently to facilitate communications by keeping sockets open in both directions with all of the internet Relays handing off traffic in both connections as packets flow between the two.
  • the Relay infrastructure can be used with certain distributed computing applications wherein a connection is opened up between two ports that wouldn't otherwise be able to connect; the connecting Server can then step out of the middle, so there is no longer any Server involvement.
  • a direct connection 1400 between two Clients may involve two points ( 1402 , 1403 ) in the Relay hierarchy, without involving the Server at all.
  • it is then possible to allow the machines to interact with each other.
  • by means of a user interface displayed on the desktop of each Client in the network, the user is able to specify a machine that the user would like to connect to and initiate a connection, for example with a simple mouse click, triggering an activity that, behind the scenes, makes the connection available to the Client.
  • a Relay may be used to provide an execution environment for other functions inside a container, thus providing a place in which Server functionalities can be made more widely available to Clients on the network.
  • Relays may be used to host software repositories, for example software updates, so that the updates could be readily flowed to any Relay that has been configured to host the updates.
  • Relays may be used to host computational entities such as distributed pattern databases that ideally are scattered throughout the enterprise.
  • Relays may be used to host computational entities such as virtual environments to give the Relay cross-Platform capability, allowing it to run software for any operating system.
  • Relays can be designated as processing points for a variety of computational tasks.
  • Relays can provide a direct connection from a management point to an end point, thus enabling management technologies such as VPRO.
  • Wake-on-LAN is a computer networking standard that allows a computer to be turned on or woken up by a network message.
  • the wake-up message is referred to as a “magic packet”, for example, a broadcast frame containing within its payload 6 bytes of 255 with all bits set to the ‘on’ position, followed by sixteen repetitions of the target computer's MAC address.
  • the challenge is to direct a magic packet down to a target computer to wake it up.
  • the magic packets used by Wake-on-LAN have the special property that they only work if they are broadcast within a subnet. Additionally, most networks do not permit sending a broadcast packet to other subnets because they can be easily abused to launch, for example, SMURF attacks.
  • the Relay infrastructure herein described is used to route a broadcast packet down from any central point within the system, such as the management Console or an integration point, to any computer that exists within the system. It does so by taking advantage of the fact that, when a Client registers with its Relay, and up to the root Server, the Client sends up a list of the interfaces it has available to communicate with, what subnets they are in, and what their MAC addresses are.
  • the MAC (media access control) address is the address used for these wakeup commands.
  • the Relay retains this information, passing it up through the hierarchy all the way to the root, so that at the root of the deployment, an Administrator is able to readily determine what subnet a target computer occupies. The administrator next needs to find some other computer that is awake in the target computer's subnet that can broadcast the magic packet to the target computer. Because the Relay hierarchy has collected all of the necessary information for the Administrator, he/she knows of, for example, eighty computers that are all on the same subnet as the target computer, and they may be reporting in to, for example, two different Relays.
  • the administrator may then send a message down through the Relays, to reach the two target Relays which know how to contact the target's subnet, and they both then send out messages to all of the target's peers, requesting that the target be woken up.
  • the Clients are configured to listen for the UDP messages sent out by the Relays asking that the target be woken up. When a Client hears one, it immediately broadcasts one of these Wake-on-LAN messages to the target computer.
  • the Clients send out the magic packet on the same interface they're already listening on and they see when other Clients start sending out the same packet.
  • the Clients stop sending immediately when they see this duplicate traffic, so there is a likelihood of a small amount of duplicate traffic; but in the event of duplicate traffic, the Clients elect among themselves which Client will broadcast the magic packet. All Clients that elect to wait a while are silent the next time they see a forwarding request until a period of time elapses, for example a second. If they see that the Client queried hasn't responded, for example because it was powered off, the next Client in line will try.
  • the election process uses a technique that relies on a unique computer ID and a comparison operation that each computer can use to decide whether or not it should take precedence over the other computers. Any individual computer observing all the UDP traffic to wake up a particular machine in the subnet can decide whether or not it should be the one to take precedence in that subnet over the others. Thus, the Client that takes precedence prevails and takes over. The other Clients stay out of the way unless they detect that the designated computer isn't performing its tasks, in which case they chime in again and again. Whoever becomes dominant is controlled by the ordering of the individual machines according to the machines' unique identities. Thus, there is a built-in technique whereby the Clients perform this election based on a unique identifier and a collation order for determining precedence.
  • a Relay is generally a Client also, so that, as long as it fulfills the requirement of being in the same subnet as the target computer, a Relay could be the one to wake-up the target computer.
  • the broadcast packet, within the context of the subnet, is actually a broadcast type of communication.
  • the other messages that are actually happening inside of the system are directed messages. So what's flowing down through the Relay hierarchy after some user says “I want to wake up Bob's machine”, is not a broadcast. It is instead directed to the particular machines that are in that subnet that this particular machine reported that it was a member of.
  • the target machine resides inside a particular subnet; and so its peers within the subnet are notified through directed mechanisms saying “if you're in this subnet—you should wake up Bob (the target machine)”, with his MAC address and so on.
  • Each peer constructs the magic packet with that information, and they tag it with the unique identifier that allows them and their peers to coordinate who's in charge of that subnet and delivering that message. And then they transform it into a broadcast message within the subnet.
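The magic packet format and the collation-order election described above, as an added example written for this page (not the patent's or the product's code). The MAC address and computer IDs are constructed; the UDP broadcast itself is deliberately left out so the block runs offline, and the election is modelled as a ring over the sorted IDs in which attempt n, after n timeouts, falls to the n-th peer in line. BuildMagicPacket, ElectSender and ShouldBroadcast are names chosen for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net"
	"sort"
)

// BuildMagicPacket returns the Wake-on-LAN payload the text describes: six bytes
// of 0xFF followed by sixteen repetitions of the target's 6-byte MAC address.
func BuildMagicPacket(mac string) ([]byte, error) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return nil, err
	}
	if len(hw) != 6 {
		return nil, errors.New("magic packets use 6-byte Ethernet MAC addresses")
	}
	pkt := make([]byte, 0, 6+16*6)
	pkt = append(pkt, bytes.Repeat([]byte{0xFF}, 6)...)
	for i := 0; i < 16; i++ {
		pkt = append(pkt, hw...)
	}
	return pkt, nil
}

// IsMagicPacketFor reports whether a payload is a well-formed magic packet for
// the given MAC, which is how a peer recognises duplicate traffic for one target.
func IsMagicPacketFor(pkt []byte, mac string) bool {
	want, err := BuildMagicPacket(mac)
	return err == nil && bytes.Equal(pkt, want)
}

// ElectSender picks the peer that should broadcast on a given attempt. Precedence
// is the collation order of the unique computer IDs: the lowest ID goes first;
// if the target has not responded after the timeout, attempt 1 falls to the next
// ID in line, and so on around the ring.
func ElectSender(peerIDs []int, attempt int) (int, error) {
	if len(peerIDs) == 0 {
		return 0, errors.New("no awake peer in the target's subnet")
	}
	order := append([]int(nil), peerIDs...)
	sort.Ints(order)
	return order[attempt%len(order)], nil
}

// ShouldBroadcast is the decision one Client makes from the IDs it has observed:
// it sends only when it is the elected peer for this attempt and stays silent otherwise.
func ShouldBroadcast(myID int, peerIDs []int, attempt int) bool {
	elected, err := ElectSender(peerIDs, attempt)
	return err == nil && elected == myID
}

func main() {
	peers := []int{4213, 77, 1900}                         // constructed: awake Clients on the subnet
	pkt, err := BuildMagicPacket("00:11:22:33:44:55") // constructed target MAC
	if err != nil {
		panic(err)
	}
	fmt.Printf("magic packet: %d bytes, header % x, repeats MAC %d times\n", len(pkt), pkt[:6], (len(pkt)-6)/6)
	for attempt := 0; attempt < 3; attempt++ {
		for _, id := range peers {
			if ShouldBroadcast(id, peers, attempt) {
				fmt.Printf("attempt %d: Client %d broadcasts\n", attempt, id)
				// Sending pkt to the subnet broadcast address over UDP is omitted
				// here so that the example runs offline.
			}
		}
	}
}
```

Every peer runs the same deterministic function over the same observed IDs, which is what lets them agree on a single sender without any message exchange beyond the wake-up request they all heard.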
  • a fundamental advantage of the Relays and the Relay hierarchy herein described is that any computer in the system can be contacted through the Relay hierarchy.
  • this contrasts with conventional network topologies of, for example, 100,000 machines, wherein each computer has an IP address and routes may exist between all of them, but many of those machines are not allowed to contact each other, or are prevented from doing so by firewalls, network segmenting, and so on.
  • the Platform in addition to providing the one-to-many communication of a broadcast system, allows direct one-to-one communication between any two machines within a network topology under management via the Platform.
  • a Network Asset Map aggregates information collected by the Relay selection algorithm, revealing the gateways between a computer and the Relay it talks to and the number of hops, along with the information it has about the bandwidth of those links, and creates a visual mapping of the information.
  • hundreds of thousands of lines of data are aggregated to form a map that gives the Operator a visual representation of his/her network.
  • the information comprises a multitude of points, representing gateways, and lines, representing routes.
  • the aggregated data is rendered as a human readable graph using, for example, a force-directed algorithm, such as a spring algorithm.
  • the Operator can apply various filters to the data in order to create a map that highlights particular aspects of the data. For example, the Operator may filter on the bandwidth of the link between a Relay and a Client, such as 300 kilobytes/second.
  • the Network Asset Map can display historical data; in an embodiment it can also be updated in real time as the network infrastructure changes.
  • the Network Asset Map can function to display data even as it is being generated. In this way, network traffic can be depicted visually, in real time, so that the Operator can, for example, detect, even as it is happening, that a particular area of the network is becoming overloaded.

Abstract

A policy-driven communication and management infrastructure may include components such as Agent, Server and Console, policy messages, and Relays to deliver security and system management to networked devices. An Agent resides on a Client, acting as a universal policy engine for delivering multiple management services. Relays, Clients additionally configured to each behave as though they were a root Server, Relaying information to and from other Clients, permit Clients to interact with the root Server through the Relay, enabling information exchange between Client and Server. Such information exchange allows Clients to gather information, such as new policy messages, from the Server, to pass status messages to the Server and to register their network address so that they can be readily located. Automatic Relay selection enables Clients and Relays to select their own parent Relays, thus allowing Clients and Relays to discover new routing paths through the network without administrator input.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application claims benefit of U.S. provisional patent application No. 61/242,278, filed Sep. 14, 2009, the entirety of which is incorporated herein by this reference thereto. This application is related to U.S. patent application Ser. No. 10/804,799, now U.S. Pat. No. 7,398,272, filed Mar. 19, 2004, the entirety of which is incorporated herein by this reference thereto.
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • Generally, the invention relates to management of enterprise-scale networks of computational devices. More particularly, the invention relates to a Platform for a policy-driven communication and management infrastructure.
  • 2. Background Discussion
  • Information technology (IT) administrators in enterprises everywhere face a daunting task of managing the software and hardware on tens, hundreds, or thousands of machines in their domains. With many incompatibilities, patches, and policy advisories being announced every day, the management task involves much more than just acquisition and installation of updates and patches, for example. Simply keeping aware of all potentially problematic situations on hardware and software products used in an enterprise is more than a full-time job. Dealing with user requests and complaints adds still further to the demands of the job. Thus, it is required that IT managers be able to anticipate situations which may arise in a specific enterprise and address them proactively. Maintaining such a state of readiness may require an IT manager to understand the configuration of the hardware and software in a given network, to keep track of policy advisories, updates, incompatibilities and patches relevant to the specific enterprise, and to match those policy advisories, updates, and patches with the specific equipment in the enterprise. In a large enterprise, such management tasks involve monitoring of and policy dissemination to, perhaps, hundreds of thousands of computational devices by an administrator. Conventionally, management Platforms in such large enterprises employ a communication infrastructure that is conducive mainly to coarse-grained, one-to-many interaction, typically involving large numbers of devices, occasionally even the entire network rather than a fine-grained, per-endpoint policy determination.
  • SUMMARY
  • A policy-driven communication and management infrastructure may include components such as Agent, Server and Console, policy messages, and Relays to deliver security and system management to networked devices. An Agent resides on a Client, acting as a universal policy engine for delivering multiple management services. Relays are Clients additionally configured to each behave as though they were a proxy for the root Server, Relaying information to and from other Clients, permitting Clients to interact with the root Server through the Relay, and facilitating information exchange between Client and Server. Such information exchange allows Clients to gather information, such as new policy messages, from the Server, to pass status messages to the Server and to register their network address so that they can be readily located. Automatic Relay selection enables Clients and Relays to select their own parent Relays, thus allowing Clients and Relays to discover routing paths through the existing network without administrator input.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 provides a diagram of a machine in the exemplary form of a computer system within which a set of instructions, for causing the machine to perform any one of the methodologies discussed herein below, may be executed;
  • FIG. 2 provides a block diagram of a Relay hierarchy in a Platform for a policy-driven communication and management infrastructure;
  • FIG. 2A provides a block diagram of a proxy agent according to the invention;
  • FIG. 3 provides a flow diagram of a process for manual Relay selection in the Platform of FIG. 2;
  • FIG. 4 provides a flow diagram of a process for automated Relay selection in the Platform of FIG. 2;
  • FIG. 5 provides a flow diagram of a Relay selection failover process in the Platform of FIG. 2;
  • FIG. 6 provides a flow diagram of a Relay reselection process in the Platform of FIG. 2;
  • FIG. 7 provides a flow diagram of a process for Dynamic download of untrusted content in the Platform of FIG. 2;
  • FIG. 8 provides a state transition diagram for a Relay in the Platform of FIG. 2;
  • FIG. 9 provides a state transition diagram for a Server in the Platform of FIG. 2;
  • FIG. 10 provides a schematic of a process for Client registration in the Platform of FIG. 2;
  • FIG. 11 provides a schematic of a process for non-repudiation in the Platform of FIG. 2;
  • FIG. 12 provides a schematic of a process for secure data distribution in the Platform of FIG. 2;
  • FIG. 13 provides a schematic of a direct connection process between a Console and a Client in the Platform of FIG. 2;
  • FIG. 14 provides a schematic of a direct connection process between a first Client and a second Client in the Platform of FIG. 2;
  • FIG. 15 provides a diagram of a Network Asset Map in the Platform of FIG. 2; and
  • FIG. 16 provides a screen shot of a Console Operator interface from the Platform of FIG. 2.
  • DETAILED DESCRIPTION
  • A policy-driven communication and management infrastructure may include components such as Agent, Server and Console, policy messages, and Relays to deliver security and system management to networked devices. An Agent resides on a Client, acting as a universal policy engine for delivering multiple management services. Relays, Clients additionally configured to each behave as though they were a root Server, Relaying information to and from other Clients, permit Clients to interact with the root Server through the Relay, enabling information exchange between Client and Server. Such information exchange allows Clients to gather information, such as new policy messages, from the Server, to pass status messages to the Server and to register their network address so that they can be readily located. Automatic Relay selection enables Clients and Relays to select their own parent Relays, thus allowing Clients and Relays to discover new routing paths through the network without manual administrator input.
  • DEFINITIONS
  • Action: actions are typically scripts that can customize a specific solution for each Client, using a series of scripting commands and Relevance expressions. Although the Relevance language itself can't alter a Client, it can be used to direct actions in a way that parallels the original trigger. For instance, a Fixlet might use the Relevance language to inspect a file in the system folder. Using a similar Relevance clause, the Action can then target that same file without knowing explicitly where that folder resides. This allows the Action author (and issuer) to concentrate on the issue at hand without worrying about the vagaries of each individual computer system. AKA “ActionScript”.
    ActionID: a unique identifier for an Action
    Agent: Software that resides on Client and acts as a universal policy engine capable of delivering multiple management services. A single Agent can execute a diverse and extensible array of management services ranging from real-time Client status reporting, to patch and software distribution, to security policy enforcement. By assigning responsibility for reporting and management actions to endpoints themselves, the Platform enables visibility and management of IT infrastructures ranging from hundreds to hundreds of thousands of desktop, mobile and Server computers.
    Client: an endpoint device in a network under management by a Platform for policy-driven communication and management infrastructure.
    Console: an operations control center for administrators, which connects to the Server, that includes graphical displays of device, group, and enterprise-wide device status and dashboards for executing management actions through the infrastructure. The Console also includes reporting functions and templates that enable graphical and tabular views of infrastructure status.
    Dashboard: Dashboard documents pop up in the main window of the Console when selected from a ‘Dashboards’ icon in a Domain Panel navigation tree. Dashboards tap into the Platform Database to provide the Operator with timely and compact high-level views of the network and allow an administrator to take action based on those views.
    Download Request: In an embodiment, a download request may include a hash and a size that uniquely identify the file being requested, along with information on how to retrieve the file. If a Client wants multiple files for an Action, it submits a set of DownloadRequests in one interaction with the Relay. Although the interaction is batched, each request is handled individually by both Relays and the Server.
    Dynamic Download aka “Client-initiated Download”: In an embodiment, a download whose hash, size and URL are not known at the time an Action is issued. Instead, the Client determines this information and then provides it to the Server, which fetches the file for the Client.
    FileID: A FileID is a pair (SHA-1 digest, file size in bytes) used to uniquely identify a file.
    Fixlet or Fixlet message: Instructions disseminated to the Agent to perform a management or reporting Action. Fixlet messages can be programmed to target specific groups of devices to perform management actions.
    Hash-based Download: In an embodiment, a download that is requested or referred to by a “HashSizePair”. In an embodiment, this type of download is requested by a Client using a “DownloadRequest” plug-in, rather than the magic URLs that index-based downloads rely on. A hash-based download can be either static or dynamic.
    Index-based Download aka “Legacy Download”: In an embodiment, a download that is referred to by a Client using an ActionID/Index pair, where the index is generated at the time the Action is issued. In an embodiment, an “indexed download” is a species of static download, because it is difficult to accommodate in the indexing strategy the case where the index is unknown at the time an Action is created. In an embodiment, indexed downloads can be requested without providing a hash, in which case the download represents whatever the URL happens to contain at the time an Action is created.
    Relay: A Relay is a software module that executes as a shared service on non-dedicated hardware. Alternatively, “Relay” can refer to the hardware on which Relay software is running. Relays act as concentration points for Fixlet messages on network infrastructures and help reduce network bandwidth requirements for distribution of Fixlets and content such as software, patches, updates, and other information. Relays also offer a failover mechanism to keep managed Clients in touch with the Console should normal communications channels go dark or become overloaded with other traffic.
    Server: Software that provides a control center and repository for managed system configuration data, software updates and patches, and other management information. In the alternative, “Server” can denote a computing machine running such software within a network under management.
    Site: Sites are collections of Fixlet messages and other content to which an Operator of a Platform deployment may subscribe one or more Clients in the Operator's network. Sites may be created by the Platform manufacturer or by one or more third parties. Additionally, deployment Operators may create custom sites that contain internally generated content. Furthermore, the Operator may create sites, Integrations, which integrate internally- and externally-sourced content.
    Static Download aka “Server-initiated Download”: In an embodiment, a download requested by the Console at the time an Action is taking place.
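The FileID and the hash-based versus index-based download kinds defined above, as an added example (Python; not the Platform's code). It computes a FileID for a payload, checks received bytes against the FileID carried in a DownloadRequest, and reports an index-based request that carries no hash as unverifiable. Class names, field names, the URL and the sample payloads are assumptions constructed for the example.

```python
"""FileID-based download verification.

Added example, not the Platform's code. A FileID is the (SHA-1, size) pair
defined above. verify_download() is what a Client or Relay can check on the
bytes it actually received; a request with no FileID (the index-based,
hashless legacy case) is reported as unverified on purpose.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class FileID:
    sha1: str   # lowercase hex digest
    size: int   # length in bytes

    @classmethod
    def of(cls, data: bytes) -> "FileID":
        return cls(hashlib.sha1(data).hexdigest(), len(data))


@dataclass(frozen=True)
class DownloadRequest:
    url: str                      # how to retrieve the file
    file_id: Optional[FileID]     # None models an index-based download with no hash


def verify_download(req: DownloadRequest, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only a payload matching the requested FileID
    is accepted; without a FileID the Client has nothing to check against."""
    if req.file_id is None:
        return False, "no FileID in request: content is whatever the URL served"
    if len(data) != req.file_id.size:          # cheap check before hashing
        return False, f"size mismatch: expected {req.file_id.size}, got {len(data)}"
    digest = hashlib.sha1(data).hexdigest()
    if not hmac.compare_digest(digest, req.file_id.sha1):
        return False, "SHA-1 mismatch"
    return True, "ok"


def verify_batch(reqs: Iterable[DownloadRequest],
                 payloads: Dict[str, bytes]) -> Dict[str, Tuple[bool, str]]:
    """A Client submits several DownloadRequests in one interaction, but each
    one is checked individually, as Relays and the Server also handle them."""
    results: Dict[str, Tuple[bool, str]] = {}
    for r in reqs:
        if r.url not in payloads:
            results[r.url] = (False, "not retrieved")
        else:
            results[r.url] = verify_download(r, payloads[r.url])
    return results


if __name__ == "__main__":
    good = b"patch body, constructed for the example\n" * 4      # constructed payload
    req = DownloadRequest("http://relay.example/patch.msi", FileID.of(good))   # hypothetical URL
    legacy = DownloadRequest("http://relay.example/legacy.exe", None)
    for url, (ok, why) in verify_batch([req, legacy], {req.url: good, legacy.url: good}).items():
        print(url, ok, why)
```

The check protects against corruption in transit and against substitution by anyone who cannot influence the file that was hashed when the Action was issued. It does not make SHA-1 collision resistant: practical SHA-1 collisions have been demonstrated, and appending the size does not help, since colliding inputs can be made the same length. What the FileID is worth therefore depends on who is trusted to issue the Action that carries it.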
  • Referring now to FIG. 1, shown is a diagrammatic representation of a machine in the exemplary form of a computer system 100 within which a set of instructions for causing the machine to perform any one of the methodologies discussed herein below may be executed. In alternative embodiments, the machine may comprise a network router, a network switch, a network bridge, a personal digital assistant (PDA), a cellular telephone, a web appliance or any machine capable of executing a sequence of instructions that specify actions to be taken by that machine.
  • The computer system 100 includes a processor 102, a main memory 104 and a static memory 106, which communicate with each other via a bus 108. The computer system 100 may further include a display unit 110, for example, a liquid crystal display (LCD) or a cathode ray tube (CRT). The computer system 100 also includes an alphanumeric input device 112, for example, a keyboard; a cursor control device 114, for example, a mouse; a disk drive unit 116, a signal generation device 118, for example, a speaker, and a network interface device 128.
  • The disk drive unit 116 includes a machine-readable medium 124 on which is stored a set of executable instructions, i.e. software, 126 embodying any one, or all, of the methodologies described herein below. The software 126 is also shown to reside, completely or at least partially, within the main memory 104 and/or within the processor 102. The software 126 may further be transmitted or received over a network 130 by means of a network interface device 128.
  • In contrast to the system 100 discussed above, a different embodiment of the invention uses logic circuitry instead of computer-executed instructions to implement processing operations. Depending upon the particular requirements of the application in the areas of speed, expense, tooling costs, and the like, this logic may be implemented by constructing an application-specific integrated circuit (ASIC) having thousands of tiny integrated transistors. Such an ASIC may be implemented with CMOS (complementary metal oxide semiconductor), TTL (transistor-transistor logic), VLSI (very large scale integration), or another suitable construction. Other alternatives include a digital signal processing chip (DSP), discrete circuitry (such as resistors, capacitors, diodes, inductors, and transistors), field programmable gate array (FPGA), programmable logic array (PLA), programmable logic device (PLD), and the like. It is to be understood that embodiments of this invention may be used as or to support software programs executed upon some form of processing core (such as the Central Processing Unit of a computer) or otherwise implemented or realized upon or within a machine or computer readable medium. A machine-readable medium includes any mechanism for storing or transmitting information in a form readable by a machine, e.g. a computer. For example, a machine readable medium includes read-only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals, for example, carrier waves, infrared signals, digital signals, etc.; or any other type of media suitable for storing or transmitting information.
  • Referring now to FIG. 2, shown is a Relay hierarchy in a Platform 200 for creating a policy-driven communications and management infrastructure for delivery of security and management services to networked computational devices, such as desktop, laptop/notebook and Server computers. In an embodiment, components of the Platform may include at least one Client 202 running an Agent, at least one Server and Console 204, Fixlet messages (indicated by the arrows showing data flow between elements), and zero or more Relays 206. The Server and Console are shown as the same machine in FIG. 2, but in many embodiments of the invention the Server and Console are separate machines. Thus, the Server 204 in FIG. 2 may comprise only the server function, and a separate computer, connected to the Server, would be provided to implement the Console function. In addition to the Relays 206, the Relay hierarchy typically includes a top-level Relay 208 that directly interacts with the Server 204.
  • Key components of the Platform include the Agent 202, the Server and Console 204, the Fixlet messages, and the Relays 206, 208. The Platform creates a lightweight communications and management infrastructure for delivery of security and system management services to networked desktop, laptop/notebook and Server computers. By assigning responsibility for reporting and management actions on endpoints themselves, the Platform enables visibility and management of IT infrastructures ranging from hundreds to hundreds of thousands of desktop, mobile and Server computers.
  • The Agent 202 resides on managed devices and acts as a universal policy engine capable of delivering multiple management services. A single Agent 202 can execute a diverse and extensible array of management services that range from real-time Client status reporting, to patch and software distribution, to security policy enforcement.
  • The Agent's role in the Platform may be described as that of a Policy Engine: a piece of software and a computational context for evaluating content. Thus, the Agent constitutes a computational resource that uses one or more inspectors to examine its context, decide what is relevant, report properties, take Action in that environment, and report on the success or failure of the actions. Thus, the Agent gives an administrator visibility into the context and controls it. The motivation for provision of a policy engine thus may be the realization that any computing resource, including physical or virtual machines, or a machine, that is a delegate for another machine or a piece of hardware can benefit from management by having a policy engine that can inspect properties of the entity that is being managed, apply changes to the environment and report on the fact that those changes were effective or not.
  • The Agent also automatically notifies the Server and Console 204 of changes in managed device configuration, providing a real-time view of device status. In addition to a standard array of management services, customers and developers can create custom policies and services using a published authoring language. In various embodiments, the Agent runs on all versions of the MICROSOFT WINDOWS (Microsoft Corporation, Redmond Wash.) operating system since WINDOWS 95, UNIX, LINUX and MAC OS (APPLE COMPUTER, INC., Cupertino Calif.) operating systems, as well as WINDOWS MOBILE and POINT-OF-SALE variants of the Windows operating system, enabling administrators to consolidate management of heterogeneous infrastructures from the Console.
  • The invention herein extends the notion of an Agent beyond a computer to devices or logical structures, such as proxy-agents (also referred to as pseudo-agents), that are physically or logically proximate to a computer, and that are used to give visibility and control of assets that cannot, for technical or policy reasons, have a native agent installed. Proxy-agents are disclosed, for example, in the co-assigned patent application to Lippincott, L. E., et al, Pseudo-Agents, U.S. patent application Ser. No. 12/044,614 (filed Mar. 7, 2008), which is incorporated herein in its entirety by this reference thereto.
  • Proxy-agents can be understood by reference to FIG. 2A. A proxy-agent 50 is deployed to manage each of one or more different devices, for example physical machine 1 (54) and physical machine 2 (56), via a virtual machine management system 52. For example, a router can have a proxy-agent. There can be a proxy-agent for such devices as a network printer on the file server, or a mobile device that resides most of its time in the local office but whose logical presence is over a cell network and that is in touch with a mobile enterprise server back in the central office. The physical device so managed, for example physical machine 1 (54), can itself serve as a natural agent for one or more virtual machines, e.g. VM1 and VM2, which machines can themselves include an agent A.
  • Another important variant is a proxy-agent that indirectly manages a set of devices by way of one or more other management systems. The example shown in FIG. 2A thus provides a virtual management system 52, for example a Blackberry enterprise server, which is a management system that manages a collection of Blackberry devices. In this example, a proxy-agent manages those devices by interacting with the Blackberry enterprise server.
  • The Server 204 is a software-based package that provides a control center and repository for managed system configuration data, software updates and patches, and other management information. In an embodiment, the Console 204, which runs from the Server 204, provides an operations control center for administrators that includes graphical displays of device, group, and enterprise-wide device status and dashboards for executing management actions through the management infrastructure. The Console may also include reporting functions and templates that enable graphical and tabular views on infrastructure status.
  • Fixlet messages are instructions to the Agent 202 to perform a management or reporting Action. Fixlet messages can be programmed to target specific groups of devices to perform management actions. As noted above, in an embodiment, users have the option of writing custom Fixlet messages.
  • Relays 206, 208 act as concentration points for Fixlet messages on network infrastructures. Relays are a software module that execute as a shared service on non-dedicated hardware. Relays help reduce network bandwidth requirements for distribution of Fixlets and content such as software, patches, updates, and other information. In an embodiment, Relays 206, 208 include a failover mechanism to keep managed Clients in touch with the Console should normal communications channels go dark or become overloaded with other traffic. In an embodiment, Relays allow an N-tier hierarchy to be created for the transmission of information from the Clients to the Server in the enterprise.
  • In an embodiment, Relays are included as network components to significantly improve the performance of an installation. Downloads and patches, which are often large files, represent by far the greatest fraction of bandwidth. Relays are designed to take over the bulk of the download burden from the Server. Rather than downloading patches directly from a Server, Clients can instead be instructed to download from designated Relays, significantly reducing both Server load and network traffic. Relays help in the upstream direction as well, compiling and compressing data received from the Clients before passing it on to the Server. As above, any Client can be programmed to serve as a Relay.
  • Relays simultaneously mitigate at least two bottlenecks:
  • Relieving the Load on Servers
  • The Server has many duties, among them, the taxing job of distributing patches and other files. A Relay can be set up to ease this burden, so that the Server does not need to distribute the same files to every Client. Instead, the file is sent once to the Relay, which in turn distributes it to other Clients. The overhead on the Server is reduced by the ratio of Relays to Clients. If one has a hundred Clients and one Relay, the Server need only process one percent of the downloads.
  • Reducing Congestion on Low-Bandwidth Connections
  • If, for example, one has a Server communicating with a dozen computers in a remote office over a slow VPN (virtual private network), one of those computers may be designated as a Relay. Then, instead of sending patches over the VPN to every Client independently, the Server need only send a single copy to the Relay. That Relay, in turn, distributes the file to the other computers in the remote office over its own fast LAN (local area network). This effectively removes the VPN bottleneck for remote groups on the network.
  • Relays also function to reduce the total network usage when used on subnets connected through switches on a LAN.
  • Relay Characteristics
  • In an embodiment, a Relay takes over most of the download duties of the Server. If several Clients simultaneously request files from a Relay, a significant amount of the computer's resources may be used to serve those files. Other than that, the duties of the Relay are relatively undemanding. The requirements for a Relay computer vary widely depending on one or more of the following: (1) the number of connected Clients that are downloading files; (2) the size of each download; and (3) the period of time allotted for the downloads.
  • A Relay can be installed on any ordinary workstation, but if several Clients simultaneously download files, it may slow the computer down. Workgroup file Servers and other Server-quality computers that are always turned on may be good candidates for installing a Relay.
  • Relay Selection
  • Although Clients can automatically seek out and connect to an available Relay, one may want to control the process manually. If so, for each Client in the network, one may specify both a primary and a secondary Relay. The Client first attempts to download any patches from its primary Relay. However, if the primary Relay is unavailable (because the computer has crashed, the hard drive has run out of space, the computer is off, etc.), the Client can download files from the secondary Relay.
  • In an embodiment, Relays have failover capability. Thus, if the primary Relay fails, the Client connects to the second Relay. If the secondary also fails (or if no secondary has been designated) then the Client automatically reverts to downloading files directly from the Server. In an embodiment, one or more tertiary Relays can be designated for a Client. In an embodiment, one can optimize a pair of Relays by splitting the connected Clients into two groups of roughly equal size. One group designates computer A as primary and B as secondary. The other group reverses the order, thus cutting the overhead of each Relay by two, while still providing a backup.
  • Setting Up A Relay
  • In an embodiment, configuring a Client computer as a Relay may involve using the Console to edit settings for the Client computer to run a Relay Server on the Client. FIG. 16 shows a screen shot of an Operator Interface 1600 to a Console. After a Relay is created, a Client can automatically discover it and connect to it by seeking the Relay that is the fewest hops distant from the Client. If Clients must be configured manually, each computer must be told which specific Relay it should point to, as described herein below. Manual Relay assignment can be defined by policy, such that a computer or group of computers is configured to use a specific set of manual primary, secondary, and failover Relays.
  • Once a Relay has been set up on a Client, in addition to functioning as a Client, the Client behaves in the same manner as a Root Server, so that other Clients can do all the interactions they would do with a Root Server through the Relay.
  • The use of Relays significantly reduces the Client/Server communication necessary for patch application and management. Clients may start to download from designated Relays, minimizing the load on thin connections to the Server. The Clients may also upload their status information to the Relay, which compiles it and compresses it before passing it up to the Server.
  • In an embodiment, Relays may help enormously to spread out and optimize network traffic, ensuring maximum responsiveness with minimum bandwidth. Relays are especially attractive with remote offices connected by relatively slow VPNs. The Server sends a single download to the remote Relay, which can then distribute it to the Clients over a faster local subnet.
  • Manual Relay Selection 300 (shown in FIG. 3):
  • By way of the Console UI 1600, for each Client or for groups of Clients:
      • Start (302);
      • Select a primary Relay (304);
      • Select a secondary Relay (306);
      • Select at least one tertiary Relay (308); and
      • End (310).
  • Agent Autoselection Algorithm 400 (shown in FIG. 4):
      • Determine if any Relay is in my subnet by pinging Relays with a TTL (time to live) of 1. If so, try to register with the Relay. The registration interaction checks to see if the Relay can communicate with the Server. If registration completes, the Agent uses the Relay as normal. If registration fails, the Agent continues its autoselection algorithm (401);
      • Ping each Relay with TTL of 2. If any Relay responds, attempt registration. If successful, then done. Otherwise, continue Autoselection (402);
      • Continue incrementing TTL and pinging each Relay until a max TTL value is reached. In an embodiment, Max TTL is configured by way of the Console (403);
      • If no Relays are found that accept registration, try to register with “Failover Relay” (404);
      • If Failover Relay is unavailable, then try to register with the Server (405);
      • If Server is unavailable, Autoselection has failed and Client waits for a minimum time period and tries Autoselection again. In an embodiment, “MinRetry” is configurable by way of the Console (406);
      • After “MinRetry” has elapsed, try Autoselection again. If that fails, double “MinRetry”, wait and try again, doubling “MinRetry” each time (407);
      • After a maximum retry time “MaxRetry” has been reached, continue to retry Autoselection (408).
  • Failover Behavior 500 (shown in FIG. 5)
      • Agent posts/gathers/registers to the Relay (501);
      • If Agent has a posting issue (or if gathering or registration fails), it notes the failure time (502);
      • Agent tries again to post or gather or register on the normal schedule. If there is another failure, the Agent considers the Relay to be down (503);
      • At this point, the Agent enters into a failure waiting state for “ResistFailure” time period starting at the failure time (504);
      • After the “ResistFailure” time expires, the Agent tries again to post to the Relay. If it fails again, it begins Autoselection (505).
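  • Agent Autoselection Algorithm 400 and Failover Behavior 500 above, as an added worked example in Python. This is illustrative code, not code from the patent or from the product it describes: the Relay dataclass, its hop counts, ping() and register() are constructed stand-ins for the network, and the default values for Max TTL, MinRetry, MaxRetry and ResistFailure are assumed, not taken from the page. Step 408 is read here as holding the retry interval at MaxRetry once doubling reaches it.

```python
"""Relay autoselection (FIG. 4) and failover (FIG. 5), simulated deterministically."""
from dataclasses import dataclass


@dataclass
class Relay:
    name: str
    hops: int               # distance from the Agent; a ping with TTL < hops never arrives
    can_reach_server: bool  # registration checks that the Relay can talk to the Server


@dataclass
class Config:
    max_ttl: int = 3           # "Max TTL", set through the Console (403); assumed default
    min_retry: int = 60        # "MinRetry" in seconds (406); assumed default
    max_retry: int = 480       # "MaxRetry" in seconds (408); assumed default
    resist_failure: int = 300  # "ResistFailure" in seconds (504); assumed default


def ping(relay, ttl):
    """A ping with time-to-live `ttl` reaches a Relay only if it is at most `ttl` hops away."""
    return relay.hops <= ttl


def register(relay):
    """Registration succeeds only when the Relay can itself reach the Server."""
    return relay.can_reach_server


def autoselect(relays, failover, server_up, cfg=None):
    """Steps 401-405: widen the TTL one hop at a time, then the Failover Relay, then the Server.

    Returns "relay:<name>", "failover", "server", or None when everything failed."""
    cfg = cfg or Config()
    for ttl in range(1, cfg.max_ttl + 1):
        for r in relays:
            if ping(r, ttl) and register(r):   # a reachable Relay that cannot register is skipped
                return "relay:" + r.name
    if failover is not None and register(failover):
        return "failover"
    if server_up:
        return "server"
    return None


def retry_schedule(cfg, attempts):
    """Steps 406-408: waits between failed autoselections, MinRetry doubling and capped at MaxRetry."""
    waits, wait = [], cfg.min_retry
    for _ in range(attempts):
        waits.append(wait)
        wait = min(wait * 2, cfg.max_retry)
    return waits


class FailoverTracker:
    """Steps 501-505: decides when the selected Relay is considered down.

    observe(now, ok) is called after every post/gather/register attempt and returns the
    Agent's decision for that moment."""

    def __init__(self, cfg=None):
        self.cfg = cfg or Config()
        self.failure_time = None   # recorded on the first failure (502)
        self.relay_down = False    # set on the second consecutive failure (503)

    def observe(self, now, ok):
        if ok:
            self.failure_time, self.relay_down = None, False
            return "ok"
        if self.failure_time is None:
            self.failure_time = now
            return "failure-noted"
        if not self.relay_down:
            self.relay_down = True
            return "relay-down"
        if now - self.failure_time >= self.cfg.resist_failure:
            return "autoselect"    # (505) ResistFailure elapsed and the Relay still fails
        return "waiting"           # (504) still inside the ResistFailure window


if __name__ == "__main__":
    # Constructed topology: the nearest Relay cannot reach the Server, so it is skipped.
    relays = [Relay("near", 1, False), Relay("mid", 2, True), Relay("far", 3, True)]
    print(autoselect(relays, Relay("failover", 9, True), True))   # relay:mid
    print(retry_schedule(Config(), 5))                             # [60, 120, 240, 480, 480]
```

  • The point the simulation makes concrete is that reachability and registration are separate tests: a Relay one hop away that has lost its own path to the Server is passed over in favour of a farther Relay that can register, and only when every candidate, the Failover Relay and the Server are all unusable does the doubling wait schedule start.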
  • Relay Reselection Strategy (shown in FIG. 6)
  • Automatic Selection (FIG. 6A)
  • While Relay selection is in progress (601):
      • Get a candidate host from the Relay selection algorithm (602);
      • Try to register with that host. If registration succeeds, a new Relay has been selected. If registration fails, continue (603);
      • Attempt Failover selection (604); and
      • Attempt root Server selection (605).
  • Manual Selection (FIG. 6B)
      • Attempt primary selection (606);
      • Attempt secondary selection (607);
      • Attempt tertiary selection if one or more tertiary Relays have been designated (608);
      • Attempt failover selection (609); and
      • Attempt root Server selection (610).
  • Triggers for Relay Selection
      • A pre-configured validity interval for Relay selection expires;
      • A Client sets itself up to perform Relay selection when it resets itself, for example, at startup when the Client detects that the Action site masthead points to a different deployment than the one in the data folder;
      • If the Action site epoch changes;
      • If the clock leaps backward by more than a permissible time interval, for example, five minutes;
      • If the IP address table changes;
      • If the last Relay selection failed and the retry interval has elapsed.
  • Intervals are configurable by settings;
      • When Relay selection has failed and pending retries are outstanding, if the IP address table changes, it accelerates a Relay selection retry. If this fails, it goes back to the prior Relay selection retry interval;
      • Client is unable to post report to its selected Relay for a configured time interval. Once the interval elapses, the Client tries to register. If registration fails, the Client tries to Relay select;
      • A ‘Relay Select’ command is executed, for example by an administrator by way of the Console;
      • If any of the RelayServer Automatic settings for any designated Relays are changed or deleted by a ‘setting’ or ‘setting delete’ Action command;
      • If the registration interval has elapsed and the Client tries to register but registration fails.
      • If the Agent on a Client is stopped and the Relay selection(s) is cleared, and the Client is restarted, the Client will begin Relay selection.
  • Typical Relay Functions
      • Relays “Relay” information to and from the Client and another Relay or the Server;
      • Relays may enable Clients to gather the latest information about new Fixlet messages, new actions, or new downloads;
      • Relays may enable Clients to pass status messages to the Server including Action results, retrieved properties, and relevant Fixlet messages.
      • Relays may enable Clients to register their last known IP address so they can be “pinged” later if there is new information to gather.
      • Relays may enable BigFix Clients to download patches and other files.
  • As above, Relays are usually Clients that have been specially configured to function as a Server does, in addition to their normal functioning as a Client. Thus, like Clients, Relays themselves can be configured, as described above, to automatically seek out and connect to the nearest Relay. In effect, the connecting Relay is choosing its parent in a Relay hierarchy. Thus, in an embodiment, automatic Relay selection provides for a Relay that determines its parent Relay dynamically, so that as the state of the network changes, different hierarchies and routing paths through the network are constantly being discovered by Clients and Relays without any modification of the hardware or the network topology and without any input from an administrator. As will be described in greater detail herein below, the ability of Clients and Relays to discover routings through the network enables a multitude of use cases all based on the establishment of dedicated pathways through the network for particular purposes.
  • Dynamic Download
  • In an embodiment, Fixlet messages can download and run specified payloads whose SHA-1 checksums have been captured at the time the Fixlet is created. Thus, actions created from such Fixlets will run only the specific executable that was referred to by the source Fixlet.
  • Certain applications, however, may involve objects, updates for which need to be downloaded regularly. In particular, vendors of antivirus software update their antivirus definitions, occasionally as often as several times per day. There exists, however, a significant possibility of damage or attack when downloading a file without knowing exactly what it is.
  • While it would be possible to manually download and deploy the object, manual download would be time- and labor-intensive to most users of the Platform. What is needed is a trustworthy way to deploy the latest version of the object, for example, the latest version of an antivirus engine to Clients that request it. It would be desirable to offer providers of anti-virus and of spyware, for example, the ability to deploy a policy Action to tell Agents to periodically update the anti-virus definitions on the Client to the latest version, while taking advantage of the Relay distribution infrastructure.
  • Furthermore, it would be desirable to be able to configure a Client to automatically apply all critical updates in a particular site. Additionally, it would be desirable to automatically push updated sales lists to field sales laptops, or to push data files to retail locations.
  • In an embodiment, a Fixlet message is authored and deployed that instructs a Client to trust an arbitrary piece of content to run, delegating the responsibility for knowing that the content is safe to run to a piece of trusted logic on the Client. In order to request the arbitrary piece of content, the Client need only supply certain information about the object, for example, a unique identifier for the object such as a hash of the object. Thus, by means of the Fixlet message, any Client in the system can be configured for this interaction wherein untrusted content is downloaded to the Client. Any Client can ask the Relay to retrieve a particular file by providing the file size and the hash of the file. After the information is provided, the Relay can mirror the file through, from the Root Server, from the Internet and back down through the Relay hierarchy. In an embodiment, the Client knows in advance what it is asking for. Thus, Dynamic downloading provides the ability to use relevance clauses to specify URLs.
  • An embodiment makes use of the Platform's site-signing and distribution capability to flow untrusted content, such as antivirus definitions, with the ability to merge the untrusted content from other sources with the assurance to users that the particular untrusted content can be trusted. When the content flows down through the Relay infrastructure to the Client, it may be merged with an Action instructing the Client to run whatever the content tells the Client to run.
  • Thus, in an embodiment, an object or an item of content may need to flow down to the Clients in order to be processed. Trusted software on a Client evaluates the content and decides the URL, the SHA-1 and size of the file necessary to update the Client. Then, the URL, the SHA-1 and file size flow back up from the Clients to the Server. The Server is then able to produce the specified file, whereupon the file flows down through the Relays and is executed in the context of Clients that have been configured to automatically apply an update policy whenever the SHA-1 changes.
  • Thus, it could be that a single piece of content may contain the information necessary for a piece of antivirus software to update itself. In addition to that, it could also contain antivirus definitions, such that a combined Agent could say, “yes, I need these three files” or an antivirus Agent could say “I only need this one file.” They could then both derive the information necessary to specify what file to download from the same content feed—the same piece of data that flowed down from the Server. The choice would then be conveyed back through the hierarchy to the Server to collect the appropriate file.
  • It will be apparent, that, at the time when a policy is published, at least some of the information that the policy concerns itself with may not be static. For example, in the case of a virus definition file, the information changes whenever a new version of the virus definition file is published, perhaps as often as several times per day.
  • In an embodiment, an Operator inspects ActionScripts and approves them for execution on the Client. ActionScripts may be static, in which case it is a fairly simple task to inspect them to see which steps will be executed on the Client. In the case of dynamic content, however, where dynamic elements change in an ActionScript, the ActionScript uses variables to refer to the dynamic content.
  • Additionally, the foregoing approach protects the confidentiality of customers of the Platform vendor, reassuring them that an excessive amount of control has not been surrendered to, for example, a software vendor who is producing the virus definition file.
  • In an embodiment, the Client is enabled to look up the dynamic information indirectly and fill it into the variables. In this way, the Operator is able to inspect the sequence of instructions as they are to be executed on the Client, allowing the Operator to better decide whether or not to trust the content and to approve the ActionScript.
  • One embodiment enables performance of dependency resolution, in order to install various pieces of software and to update that software. Dependency resolution is useful in the case of an arbitrary collection of software, at least some items of which depend on other software being installed. Any particular piece of software might have incompatibilities with other pieces of installed software. There may exist requirements such as if a first piece of software is updated another piece will need to be updated. It becomes a quite complicated process to resolve all those dependencies.
  • An embodiment of the Dynamic Download application provides data in the form of a set of packages to a process on the machine itself that is able to analyze the set of packages. The process produces a list of URLs, SHA1 checksums, and sizes that need to be downloaded for the particular machine in order for it to update to a new version of a package. That same set of information can be processed by different computers, and each may arrive at a different answer because of the software already installed on the machine.
  • As an example, one could author and rollout an Action to install the newest version of the [Apache] Web Server, for example.
  • The Action is rolled out to a number of machines. Each machine may have thereon a data file that defines the set of URLs, SHA1 checksums and sizes of specific versions of the other packages upon which that version of the Web Server depends. From that file the machine extracts the set of other packages that must be applied to it in order to update it to the newest version of the Web Server.
  • Thus, in this case, the ActionScript is written such that it may use one or both of relevance substitution and some local processing of the Client, to look through a large list of URLs, SHA1 checksums, sizes and dependency information about what each one of the packages requires and is compatible with, to determine the set of downloads needed to be pulled down to this particular machine to execute just that set.
  • It will be appreciated that a common feature of the foregoing embodiments of the Dynamic Download Application is that they are based on knowledge of the context of the item or items sought. Thus, a requestor does not provide just an address. Instead, the requestor is asked to describe exactly what is sought, through a SHA1 checksum, in order for a Relay to pull it by specifying, at least, the size of the file and the hash of the file. An additional common feature is the evaluation of relevance for a particular Client, because each Client may have different update requirements or download requirements.
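  • The dependency resolution just described, as an added worked example in Python. This is illustrative code, not code from the patent or from the product it describes: the feed, the package names, versions and URLs are constructed, the SHA-1 values are hashes of placeholder strings rather than of any real package, and the rendering into sha1=/size=/url= triples follows the page's own pre-fetch item syntax. The same feed is handed to two differently provisioned machines, which is the point: each Client derives its own download set from the one piece of data that flowed down.

```python
"""Client-side dependency resolution for Dynamic Download (constructed feed and machines)."""
import hashlib
from typing import NamedTuple


class Package(NamedTuple):
    name: str
    version: str
    url: str
    sha1: str
    size: int
    depends: tuple = ()     # package names this one requires, at the feed's version
    conflicts: tuple = ()   # package names that must not be installed alongside it


def _placeholder_sha1(label):
    """Stand-in checksum for the constructed feed; a real feed carries the file's SHA-1."""
    return hashlib.sha1(label.encode()).hexdigest()


# Constructed feed: the same data flows down to every Client; each Client derives its own plan.
FEED = {p.name: p for p in [
    Package("apr", "1.7.4", "http://software.site-b.com/apr-1.7.4.tgz",
            _placeholder_sha1("apr-1.7.4"), 1_100_000),
    Package("apr-util", "1.6.3", "http://software.site-b.com/apr-util-1.6.3.tgz",
            _placeholder_sha1("apr-util-1.6.3"), 560_000, ("apr",)),
    Package("openssl", "3.0.13", "http://software.site-b.com/openssl-3.0.13.tgz",
            _placeholder_sha1("openssl-3.0.13"), 15_000_000),
    Package("httpd", "2.4.58", "http://software.site-b.com/httpd-2.4.58.tgz",
            _placeholder_sha1("httpd-2.4.58"), 9_800_000,
            ("apr", "apr-util", "openssl"), ("httpd-legacy-mpm",)),
]}


def plan_downloads(feed, target, installed):
    """Return the (url, sha1, size) triples this machine must fetch to bring `target` to the feed version.

    `installed` maps package name -> installed version. Dependencies are ordered before the
    packages that need them; a package already at the feed version is not downloaded; an
    installed package that the target conflicts with aborts the plan."""
    plan, visited = [], set()

    def visit(name):
        if name in visited:
            return
        visited.add(name)
        pkg = feed[name]
        for other in pkg.conflicts:
            if other in installed:
                raise ValueError(f"{pkg.name} {pkg.version} conflicts with installed {other}")
        for dep in pkg.depends:
            visit(dep)
        if installed.get(name) != pkg.version:
            plan.append((pkg.url, pkg.sha1, pkg.size))

    visit(target)
    return plan


def as_prefetch_items(plan):
    """Render the plan as 'add pre-fetch item' arguments, one item per line, for the ActionScript
    to join with ';' by relevance substitution (the page's {concatenation ";" of lines of file ...})."""
    return [f"sha1={sha1} size={size} url={url}" for url, sha1, size in plan]


if __name__ == "__main__":
    # Two constructed machines receive the same Action and reach different answers.
    dev_box = {"apr": "1.7.4", "openssl": "1.1.1w"}   # openssl too old; apr-util and httpd missing
    web_box = {"apr": "1.7.4", "apr-util": "1.6.3", "openssl": "3.0.13", "httpd": "2.4.57"}
    for machine in (dev_box, web_box):
        print("\n".join(as_prefetch_items(plan_downloads(FEED, "httpd", machine))), "\n---")
```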
  • An embodiment implements the Dynamic Download application as shown in FIG. 7. As described above, a Site is a collection of Fixlets and other content. Custom sites may contain only internally-sourced content or a combination of internally- and externally-sourced content. Additionally, an Integration 705, as shown in FIG. 7 is a site that may integrate content from a number of sources or providers. For example, an integration may contain Fixlets from one or more anti-virus software manufacturers for downloading anti-virus updates. Referring now to the drawing, a process 700 for implementing the Dynamic Download application may include at least one of the following steps:
      • Integration (705) pulls data (1) from the cloud (702);
      • Integration (705) modifies (2) the White-list (706) on disk;
      • Integration (705) adds meta-file (3) to custom site (704) via Server API;
      • Server propagates custom sites (4) to Clients (710, 711);
      • Based on Action and meta file, Client 1 (710) submits request (5, 12) for files with hash “aqz24” and “bgf39” to Download request plug-in. Relay (709) has “aqz24” in cache, but does not have “bgf39”, so it initiates a download request (7) for that file and returns (4) “aqz24 available, bgf39 not yet available”;
      • Client 2 (711) simultaneously submits a request (8) for file with hash “bgf39”. “bgf39” is already pending, so the Relay (709) simply returns (4) “not yet available”;
      • Relay (709) submits request (7) for “bgf39” to Root Server (703). Server (703) checks submitted URL against White-list (706) and determines that the URL is acceptable. Server initiates download request (8) and returns “not yet available”.
      • Server (703) fetches (9) “bgf39” from the Internet;
      • Server (703) sends (4) “bgf39 available” notification to all children;
      • Relay (709) receives “bgf39 available” and begins fetching (10) “bgf39” from cache of parent;
      • Relay (709) sends (4) “bgf39 available” notification to all children (711, 710); and
      • Both Clients download (11) “bgf39” directly from parent's cache, and if all Action requirements are now satisfied, begin running the Action.
  • As with static downloads, Dynamic Downloads must specify files with the confirmation of a size or SHA-1. However, the URL, size, and SHA-1 are allowed to come from a source outside of the ActionScript. This outside source may be a manifest containing a changing list of new downloads. This technique makes it easy to access files that change quickly or on a schedule, such as antivirus or security monitors.
  • This flexibility entails extra scrutiny. Because any Client can use Dynamic Downloading to request a file, it creates an opportunity for people to use the Server to host files indiscriminately. To prevent this, in an embodiment, Dynamic Downloading uses a White-list. Any request to download from a URL (that is not explicitly authorized by use of a literal URL in the ActionScript) must meet one of the criteria specified in a White-list of URLs on the Server. In an embodiment, the White-list may contain one or more regular expressions in, for example, a Perl regex format, separated by newlines, such as shown in Table 1, below:
  • TABLE 1
    http://.*\.site-a\.com/.*
    http://software\.site-b\.com/.*
    http://download\.site-c\.com/patches/JustThisOneFile\.qfx
  • The first line is the least restrictive, allowing any file at the entire site-a domain to be downloaded. The second line requires a specific domain host, while the third expression is most restrictive, limiting the URL to a single file named “JustThisOneFile.qfx”. The foregoing description of the White-list is illustrative only and is not intended to be limiting. If a requested URL fails to match an entry in the White-list, the download immediately fails, with status NotAvailable. A note may be made in a Relay log of the URL that failed to pass. In an embodiment, an empty or non-existent White-list causes all URL downloads to fail. On the other hand, a White-list entry of “.*” (dot star) allows any URL to be downloaded. Other methods of composing and formatting a White-list are consistent with the spirit and scope of the subject matter described in the attached Claims.
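  • The White-list screening above, as an added worked example in Python. This is illustrative code, not code from the patent or from the product it describes. Table 1 is copied verbatim; Python's re module stands in for the Perl regex engine (the two agree for these three entries). The page does not say whether entries are anchored, so the example assumes whole-URL matching, the stricter reading. It also shows the caveat a reviewer of such a list would raise: as a plain regex, the first Table 1 entry matches more than the site-a domain, because its leading “.*” can run across a “/” into the path of a URL on any host; the tighten() helper, an assumption of this example and not a feature described on the page, pins that wildcard to the host part.

```python
"""White-list screening of Dynamic Download URLs (Table 1 entries, constructed test URLs)."""
import re

WHITE_LIST_TEXT = r"""
http://.*\.site-a\.com/.*
http://software\.site-b\.com/.*
http://download\.site-c\.com/patches/JustThisOneFile\.qfx
"""


def load_white_list(text):
    """One regex per non-blank line; an empty White-list denies every URL, a '.*' line allows every URL."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def url_allowed(url, patterns, log=None):
    """True if some entry matches the whole URL; otherwise False, noting the URL that failed to pass."""
    if any(p.fullmatch(url) for p in patterns):
        return True
    if log is not None:
        log.append(f"White-list: {url} matched no entry, download fails with status NotAvailable")
    return False


def tighten(pattern):
    """Rewrite '.*' in the authority part (between '://' and the next '/') as '[^/]*'.

    As plain regex the first Table 1 entry also accepts http://evil.example/x.site-a.com/y,
    because its leading '.*' can run across '/' into the path; the rewrite keeps the wildcard
    inside the host. Assumes entries contain no escaped '/' (true of Table 1)."""
    scheme_end = pattern.find("://")
    if scheme_end < 0:
        return pattern
    start = scheme_end + 3
    end = pattern.find("/", start)
    end = len(pattern) if end < 0 else end
    return pattern[:start] + pattern[start:end].replace(".*", "[^/]*") + pattern[end:]


def load_tightened(text):
    return [re.compile(tighten(line.strip())) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    loose, tight, log = load_white_list(WHITE_LIST_TEXT), load_tightened(WHITE_LIST_TEXT), []
    for url in ("http://updates.site-a.com/defs/today.dat",
                "http://evil.example/files/x.site-a.com/defs.dat",
                "http://download.site-c.com/patches/JustThisOneFile.qfx?rev=2"):
        print(url, url_allowed(url, loose), url_allowed(url, tight, log))
```

  • With whole-URL matching the third entry admits exactly one file and rejects the same path with a query string appended; a search-style match (the other possible reading of the page) would admit the query-string variant as well, which is why the anchoring assumption is worth confirming against the real implementation before trusting a list like Table 1.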
  • While the foregoing embodiments describe Dynamic Downloads either from the Server or from a Relay, an embodiment permits Relays to download directly from the Internet. In such a case, a file that the Root Server has already told the Relay is available can be downloaded directly by the Relay.
  • In an embodiment, status reporting for Dynamic Downloads is integrated with reporting for static downloads, being displayed side-by-side. In an embodiment, reporting on any given Action is limited to a configurable number of Dynamic Downloads, for example, the twenty most recent, in order to avoid overwhelming an Action document and the connection between Server and Console.
  • As described above, the primary key of a download request is the hash and the file size. Thus, in a case of different download requests for the same hash/file size, with each request naming a different URL, the second URL is ignored. Alternatively, if the first URL fails, a request for the second URL may succeed by changing the URL of the file recorded on the system.
  • In the event that a request fails, the Client may re-try the download by resubmitting the request.
  • In an embodiment, failures may not be propagated down to the network. Instead, Console status reporting is operative to alert the Console Operator of the failure, so that it can issue a notification to the Client to discontinue sending a request that has failed a number of times. In an embodiment, Clients are discouraged from making frequent retry requests by configuring a long delay interval between retries.
  • “DownloadRequest” Serialization
  • In an embodiment, DownloadRequests may have a serialization format as shown below in Table 2:
  • TABLE 2
    <response format version number>
    aid=<Action id or “null”>, hash=<hash as hex or “null”>, status=<“Available” or . . .>
  • “DownloadResponse” Serialization
  • In an embodiment, DownloadResponses may have a serialization format as shown below in Table 3:
  • TABLE 3
    <response format version number>
    Aid=<Action id or “null”>, index=<download index or “null”>, hash=<hash as hex or “null”>, status=<“Available” or . . .>
  • Requesting Downloads
  • In an embodiment, Clients and Relays may request a download from their parents by providing, for example:
      • SHA-1 of the file;
      • File size; and
      • URL of the file.
  • In an embodiment, the file size and the URL are not technically necessary. However, the file size reinforces the SHA-1 mechanism and the URL allows the Server to fetch the file directly from the Internet without having to check a local index.
  • The file size/SHA-1 uniquely identifies a download request. If the Server has a matching entry in its cache, the provided URL does not need to be used. As above, the URL, in fact may not even match the original URL used to request the file.
  • In an embodiment, Clients are provided with the ability to request an arbitrary URL.
  • Dynamic Download Cache Model
  • In an embodiment, a record of file downloads and progress is stored in a table that uses FileID as the primary key. In an embodiment, the URL, the file location and the status are stored as values.
  • FIGS. 8 and 9 show state transition diagrams for Relay (800) and Server (900), respectively. When a Client issues a download request, the request goes to the Client's Relay, which then checks the cache for the file.
      • If the file exists in the cache (if the state of the FileID in question is AVAILABLE, the Client is then instructed to download the file from the FileID's file location)
      • If the Relay does not have the file:
        • The Relay creates an entry for the file in the table, with the state NEW
        • The Relay then proceeds to make the request to its parent about the file and changes the state to REQUEST_SUBMITTED;
        • The Relay informs the Client that the file is not yet available;
        • The Relay passes on the download request to its ancestor. When bytes of the file start arriving at the local Relay, it changes the state to DOWNLOADING.
          When the file is finally on the leaf Relay, the state is then changed to AVAILABLE.
      • The download request may pass through the White-list screening at the Server level.
      • The FAILURE state:
        • can be reached from the REQUEST_SUBMITTED state for reasons such as the link being down, and so on;
        • can be reached from the DOWNLOADING state for reasons such as the connection dropping;
        • means ‘nothing is happening’.
        • In an embodiment, a timeout is configured and the FAILURE state reverts to a NOT STARTED state for that file request. Clients then may retry the request normally.
  • In an embodiment, the cache is implemented using SQLite. Other embodiments may employ other database engines that support in-memory databases and triggers.
  • Sending Download Notifications
  • As above, a download triple consists of SHA-1, filesize and URL. The URL describes the location of the file and the SHA-1 and filesize function to verify the file. In an embodiment, a Client may send a download notification that includes a list of download triples. The Relay evaluates the triples and signals the Client when to start the download. This may be either immediately, if the file is present on the Client's Relay parent or after the download to the Relay is complete.
  • State Serialization
  • Given two Clients, C1 and C2 and one Relay, R, it may occur that C1 and C2 request the same file. When the download request comes into Relay R, and is processed, a lock may be held so that only one download request is processed at a time.
  • Example:
      • C1 requests a file from R;
      • C2 requests the same file;
      • R grabs lock, processes C1's request first:
        • if the file is AVAILABLE, R notifies C1 that it is and begins download;
        • if not, R makes an entry, marks the file IN_TRANSIT, and passes the download request up to R′s parent;
      • R releases lock
      • R grabs the lock to process C2's request;
      • R sees that C2 is requesting the same file as C1 and checks the cache to see if it is AVAILABLE. If C1's request has been filled, the file is already there. If the file is still IN_TRANSIT based on C1's request, R notifies C1 and C2 when the file is available.
      • R releases lock
        In this way, a request lock avoids multiple downloads being passed up the hierarchy for the same file.
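  • The Dynamic Download process 700, the Relay/Server cache model of FIGS. 8 and 9, and the request lock just described, as one added worked example in Python. This is illustrative code, not code from the patent or from the product it describes: a dict stands in for the SQLite table, Node.store for the files on disk, the `internet` dict in demo() for the real Internet, and the allow_url callable for the White-list. The scenario follows steps 5 through 11 of process 700: one file is already cached at the Relay, two Clients ask for the same missing file at the same moment (the Relay forwards it upstream once), and a third request names a URL outside the White-list, which fails at the Server without the failure being propagated down.

```python
"""Relay/Server download cache (FIGS. 7-9) with the per-request lock; constructed scenario."""
import hashlib
import threading
from enum import Enum

State = Enum("State", "NEW REQUEST_SUBMITTED DOWNLOADING AVAILABLE FAILURE")


class Node:
    """A Relay, or the Root Server when parent is None (only the Server has fetcher/allow_url).
    Children register a callback; a Client is modelled as a list with list.append as callback."""

    def __init__(self, name, parent=None, fetcher=None, allow_url=None):
        self.name, self.parent, self.fetcher, self.allow_url = name, parent, fetcher, allow_url
        self.table = {}    # FileID (sha1, size) -> {"url", "location", "state"}; FileID is the key
        self.store = {}    # FileID -> bytes, standing in for the file in the on-disk cache
        self.waiters = {}  # FileID -> callbacks to invoke once the file is AVAILABLE
        self.pending = []  # Server only: FileIDs still to be fetched from the Internet
        self.log = []
        self.lock = threading.Lock()  # one download request is processed at a time

    def request(self, notify, sha1, size, url):
        """A child asks for a file; returns "Available" or "NotYetAvailable"."""
        fid, forward = (sha1, size), False
        with self.lock:
            entry = self.table.get(fid)
            if entry is not None and entry["state"] is State.AVAILABLE:
                return "Available"   # the child downloads from entry["location"]
            self.waiters.setdefault(fid, []).append(notify)
            if entry is None:        # first request for this FileID; a repeat only joins the waiters
                self.table[fid] = {"url": url, "location": None, "state": State.REQUEST_SUBMITTED}
                forward = True
        if forward:                  # outside our lock; the parent takes its own
            if self.parent is None:
                self.pending.append(fid)
            else:
                self.parent.request(self.on_available, sha1, size, url)
        return "NotYetAvailable"

    def process_pending(self):
        """Root Server only: White-list screening, Internet fetch, sha1/size check, publish."""
        pending, self.pending = self.pending, []
        for fid in pending:
            url = self.table[fid]["url"]
            data = self.fetcher(url) if self.allow_url(url) else None
            if data is None or (hashlib.sha1(data).hexdigest(), len(data)) != fid:
                self.log.append(f"{url}: rejected by White-list, unreachable, or sha1/size mismatch")
                self._set(fid, State.FAILURE)
            else:
                self._publish(fid, data)

    def on_available(self, fid):
        """Parent's notification: pull from the parent's cache, then notify our own children."""
        self._set(fid, State.DOWNLOADING)
        self._publish(fid, self.parent.store[fid])   # stands in for the HTTP fetch from the parent

    def expire_failures(self):
        """Timeout: FAILURE entries revert to 'not started', so a Client's plain retry works again."""
        with self.lock:
            for fid in [f for f, e in self.table.items() if e["state"] is State.FAILURE]:
                del self.table[fid]
                self.waiters.pop(fid, None)

    def state_of(self, sha1, size):
        entry = self.table.get((sha1, size))
        return entry["state"].name if entry else "NOT_STARTED"

    def _set(self, fid, state):
        with self.lock:
            self.table[fid]["state"] = state

    def _publish(self, fid, data):
        with self.lock:
            self.store[fid] = data
            self.table.setdefault(fid, {"url": None, "location": None, "state": State.NEW})
            self.table[fid].update(location=f"{self.name}:/cache/{fid[0]}", state=State.AVAILABLE)
            waiters, self.waiters[fid] = self.waiters.get(fid, []), []
        for notify in waiters:       # notify outside the lock: children call back into this node
            notify(fid)


def file_id(data):
    return hashlib.sha1(data).hexdigest(), len(data)


def demo():
    """Two Clients behind one Relay ask for the same file at once; a third request is off-White-list."""
    internet = {"http://software.site-b.com/aqz24.bin": b"definitions-v1",   # constructed "Internet"
                "http://software.site-b.com/bgf39.bin": b"definitions-v2"}
    aqz24, bgf39, evil = file_id(b"definitions-v1"), file_id(b"definitions-v2"), file_id(b"unknown")
    server = Node("root", fetcher=internet.get, allow_url=lambda u: u.startswith("http://software.site-b.com/"))
    relay, c1, c2 = Node("relay", parent=server), [], []
    relay._publish(aqz24, b"definitions-v1")    # already in the Relay's cache from an earlier Action
    out = {"aqz24": relay.request(c1.append, *aqz24, "http://software.site-b.com/aqz24.bin"),
           "bgf39_c1": relay.request(c1.append, *bgf39, "http://software.site-b.com/bgf39.bin"),
           "bgf39_c2": relay.request(c2.append, *bgf39, "http://software.site-b.com/bgf39.bin"),
           "evil": relay.request(c2.append, *evil, "http://evil.example/defs.bin")}
    out["server_pending"] = len(server.pending)  # 2: the duplicate bgf39 request was merged at the Relay
    server.process_pending()
    out.update(c1=c1, c2=c2, relay_bgf39=relay.state_of(*bgf39), server_evil=server.state_of(*evil),
               relay_evil=relay.state_of(*evil), log=server.log)
    server.expire_failures()
    out["server_evil_after_timeout"] = server.state_of(*evil)
    return out
```

  • Two details carry the security weight. The Server never trusts the URL alone: whatever it fetches is checked against the requested SHA-1 and size before it is published, so a mismatched or substituted file never becomes AVAILABLE. And the off-White-list request ends as a FAILURE entry at the Server only; the Relay keeps its REQUEST_SUBMITTED entry and the Clients simply receive no notification, which is the “failures are not propagated” behaviour the page describes, with the timeout-driven reset to NOT STARTED letting an honest retry proceed later.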
    Download Status Reporting
  • In an embodiment, failures are not propagated to children. Thus, Clients do not need to be responsible for a retry, eliminating the necessity for a Client that switches to another Relay to check an additional state for a file. Instead, the Client can just do a re-try after a timeout. Such a practice also aids in Relay failure; thus, if a Relay state is lost, the default is that the Client eventually requests a re-try.
  • In order to keep the Relay cache synchronized with the actual files located on the Relay, on a Relay reboot, all states mapping to a file download request are removed. Thus, the cache can rebuild itself by checking what files are actually on the Relay. Typically, the Relay mailbox contains responses and requests that map to files in the cache with the states NEW and REQUEST_SUBMITTED, respectively. The cache may either remove partially downloaded files or make a list of them and add them as files in the cache with state DOWNLOADING.
  • Distributed Server Architecture (DSA)
  • An embodiment incorporates a Distributed Server Architecture. In an embodiment, Distributed Servers do not download from each other because all Servers are assumed to have the same level of network connectivity. Additionally, there is no replication of the Servers' download caches. In an embodiment, download White-lists are not replicated. Thus, they may be manually configured on each Server.
  • Additionally, Download Requests may succeed and fail completely independently on different Servers. Because all of the necessary logic is stored on the Clients and in the White-list, exchange of information between Servers is rendered unnecessary.
  • Client Implementation
  • As described above, the Dynamic Download feature can render the limitation that URLs and SHA-1s be known at Action creation time unnecessary. With Dynamic Downloads it is sufficient that URLs and SHA-1s be computable by the Clients prior to Action execution. Client processing may be impacted in at least the following ways:
      • Security: The Platform is capable of making changes to all machines in a deployment in a very short period of time. With the new ability for Clients to request arbitrary downloads, it is up to the ActionScript author to protect users of his actions and to ensure that the downloads and their SHA-1s have not been compromised. An end-to-end authentication mechanism, as described herein below, which is resistant to man-in-the-middle attacks, is an effective defense. In an embodiment, authoring a Dynamic Download ActionScript includes crafting the Action such that it authenticates information before using it, explicitly identifying those steps in the ActionScript that perform the authentication so that users of the Action can audit the mechanism before deciding to trust it.
        • To facilitate authentication and allow custom logic to be used to compute download URLs before the Action becomes active, an embodiment includes the ability to execute short-lived applications to perform these functions.
        • An embodiment includes a trusted software component to perform the authentication as an integrated part of the update process. An embodiment includes the ability for an ActionScript author to specifically call out the reliance on the trusted software component, in a comment, for example.
    Download Requests
  • When processing an ActionScript containing the begin pre-fetch block/end pre-fetch block commands, as shown herein below, a Client can identify files to be downloaded to a Relay by providing the URL/checksum of each file. In an embodiment, multiple requests are consolidated by a Relay into single requests to a parent Relay. Ultimately the requests arrive at the Root Server. The Root Server then verifies the URLs through the White-list, and provides the file, either from its cache or by attempting to download the file. If the URL produces the appropriate SHA-1 file, the Relays are then notified of the availability of the files, and they pull them down if they have descendants that have requested the file. Agents are notified of the availability of these files via a Notification message, and they pull them down if they are interested.
  • If a URL/SHA-1 is not available, Agents continue to request it, until (1) the Action that drove the request is stopped or (2) the URL/SHA-1 becomes available, or (3) the request has been made a number of times.
  • Action Processing Logic
  • In an embodiment, the Action language provides an explicit pre-fetch block of ActionScript to be used to identify pre-fetch downloads. Actions triggering the dynamic download feature may be authored with the pre-fetch block, thus making it easier to identify pre-fetch Action activity.
  • Action Language
  • The following Action language commands identify the boundaries of the pre-fetch block:
  • TABLE 4
    begin pre-fetch block
    end pre-fetch block

    A number of commands are allowed within the pre-fetch block:
  • TABLE 5
    // comment lines and blank lines
    if/elseif/else/endif - properly nested within the pre-fetch block.
    parameter
    Action parameter query - treated as a comment by the Client

    Commands allowed within the pre-fetch block that are not allowed outside it:
  • TABLE 6
    add nohash pre-fetch item [name=<n>] [size=<s>] url=<url>
    add pre-fetch item [name=<n>] sha1=<sha1> size=<size> url=<url> [; ...]
    add pre-fetch item {[name=<n>] sha1=<sha1> size=<size> url=<url> [; ...]}
    collect pre-fetch items
    execute pre-fetch plug-in

    When processing actions with pre-fetch blocks, certain commands should not be used, such as:
  • TABLE 7
    download as
    pre-fetch
    download (other than download now, which must appear outside the pre-fetch block)
  • Command Placement
  • In addition to the above, when processing actions with pre-fetch blocks, downloading that is permitted during Action execution may be triggered by a ‘download now’ command. In an embodiment, pre-fetching specifications may be placed at the top of the ActionScript, thus making it easier for readers to understand which files are being collected.
  • Syntax Error Messages
  • For example:
    “Only a single begin pre-fetch block is allowed”;
    “Only comments and blank lines are allowed before pre-fetch block”;
    “End pre-fetch block found before begin pre-fetch block”;
    “Command invalid inside pre-fetch block”;
    “Command invalid outside pre-fetch block”;
    “Relevance substitution missing trailing ‘}’”;
    “Relevance substitution is not allowed”;
    “Missing required argument url=”;
    “Missing required argument size=”;
    “Missing required argument sha1=”;
    “Argument not allowed sha1=”; and
    “Argument is not recognized”.
  • Command Processing Notes
  • For example:
  • TABLE 8
    begin pre-fetch block

    Presence identifies new style Action;
    One allowed per Action;
    Comments and blank lines may precede this command; and
    Paired with a matching ‘end pre-fetch block’ command.
  • TABLE 9
    end pre-fetch block

    Paired with a ‘begin pre-fetch block’ command
  • TABLE 10
    if/elseif/else/endif

    Only commands inside true condition pathways are performed.
  • TABLE 11
    add nohash pre-fetch item [name=<n>] [size=<s>] url=<u>
      • ‘name=’ is optional;
        • when specified, <n> is limited to 32 alphanumeric, ‘-’, ‘_’ and non-leading ‘.’;
        • when not specified, name is taken from last component of URL (after last ‘/’);
      • ‘size=’ is optional. When specified, progress information can be more meaningful;
      • ‘url=’ is required;
      • ‘sha1=’ is NOT allowed;
      • ‘keyword=<v>’ can be in any order, unrecognized keywords are a syntax error;
      • Clients and Relays collect these files by ActionID/ordinal number;
      • Relevance substitution not allowed;
      • Not plural: can specify only a single download;
      • Server caches download at Action creation time;
      • Relays collect all these if Client requests any ordinal files; and
      • Client will download if command is inside a true condition block.
  • add pre-fetch item [name=<n>] sha1=<h> size=<s> url=<u> [; ...]
      • ‘name=’ is optional (same handling as in ‘add nohash pre-fetch item’ above);
      • ‘SHA-1’, ‘size=’, and ‘URL=’ are required;
      • ‘keyword=<v>’ can be in any order and unrecognized keywords are ignored;
      • Clients and Relays collect files by URL/SHA-1;
      • Relevance substitution is allowed;
        • When used, files are NOT cached on Server at Action creation time;
        • When used WITHOUT substitution, files are cached on Server at Action creation time;
      • Plural: can specify 0 or more pre-fetch items, each separated by a ‘;’;
      • Relays only collect files that Clients request;
      • Clients will only request if inside a true condition block;
      • When download items are in a file, one download item per line, use {concatenation “;” of lines of file <your file>}; and
      • In cases where a file in a Fixlet site holds the download information, this command can specify the file(s) to download.
  • TABLE 12
    execute pre-fetch plug-in “full path to executable to launch”
    <rest of line>
      • This command requires the first argument to be the full path to plug-in that should return very quickly;
      • Relevance substitution can be specified on this command;
      • The remainder of the command line is passed as arguments to the executable;
      • If the command takes longer than 2 seconds to execute, the Client will log a message;
      • The main thread of the Agent will block for up to 60 seconds while it waits for the command to complete. The only thing that will interrupt this waiting is a shutdown service request;
      • If the command takes longer than 60 seconds to execute, the Client will log a message and disable the ‘execute pre-fetch plug-in’ command;
      • When disabled, all actions that use this command will not execute until after the Client is restarted;
      • This command can be used to authenticate content;
      • This command can be used to execute custom logic that can leave behind an artifact for subsequent ‘add pre-fetch items’ commands;
      • In the trend integration, this command is used to execute a program that processes a Server_bf.ini file, and produces a file containing the set of URLs to be downloaded;
      • The exit code of the execute pre-fetch plug-in application is important as it informs the Client of failure or success:
        • 0=success; and
        • all other exit codes are treated as failures and result in a failed Action attempt. For debugging purposes, the exit code is logged to the Client log.
  • TABLE 13
    collect pre-fetch items
      • Client interacts with the Relay to request the set of files specified thus far in the pre-fetch definition block;
      • Use this command when a downloaded file is needed in order to compute what additional files should be downloaded;
      • Subsequent lines in the ActionScript will not be executed until all files in the pre-fetch list are collected and given the names specified;
      • Each instance of ‘collect download items’ serves as a synchronization point to make the Client get all the files specified so far;
      • Any files not yet on the Client are requested from its parent, and the Action will wait until those files are available;
      • When they are all available and have been downloaded, the Client re-processes the pre-fetch block again from the beginning to refresh the set of files it needs;
      • Any files needed by pre-fetch logic are available after the ‘collect pre-fetch items’ command and can be referenced in their pre-fetch location using the download inspectors identified below; and
      • When the Client processes the ‘end pre-fetch block’ command, it collects all files in the pre-fetch items list before starting the Action.
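  • The rules in TABLES 8 through 13 and the syntax error list above, implemented as a small validator. This is an added example, not the Platform's own parser: the error strings are the page's, the two sample scripts are constructed (hosts and hashes are placeholders), and where the page gives no message (an invalid name=) the wording is this example's own. Where the page's notes differ on unrecognized keywords, the validator follows the per-command tables: an error for the nohash form, ignored for the hashed form.

```python
"""Validator for the pre-fetch block rules above. Added example, not the Platform's parser.
Error strings follow the page's list; the per-command notes decide how unrecognized
keywords are treated (nohash form: error; hashed form: ignored)."""
import re

PREFETCH_CMDS = ("add pre-fetch item", "add nohash pre-fetch item",
                 "execute pre-fetch plug-in", "collect pre-fetch items")
CONTROL_CMDS = ("if ", "elseif ", "else", "endif", "parameter ")  # also allowed inside the block
NAME_RE = re.compile(r"^[A-Za-z0-9_\-][A-Za-z0-9_\-.]{0,31}$")  # 32 chars, no leading '.'

def _item(text, nohash, errors):
    """Parse one 'key=value ...' item (any order, values may be double-quoted)."""
    args = {m.group(1).lower(): m.group(2).strip('"')
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', text)}
    if nohash:
        if "sha1" in args:
            errors.append("Argument not allowed sha1=")
        if set(args) - {"name", "size", "url", "sha1"}:
            errors.append("Argument is not recognized")
    for key in ("url",) if nohash else ("url", "size", "sha1"):
        if key not in args:
            errors.append(f"Missing required argument {key}=")
    url = args.get("url", "")
    name = args.get("name") or url.rsplit("/", 1)[-1]  # default: last URL component
    if name and not NAME_RE.match(name):
        errors.append("Invalid name=")  # constructed message; the page lists none for this case
    return {"name": name, "url": url, "size": args.get("size"),
            "sha1": args.get("sha1"), "hashed": not nohash}

def validate_prefetch(script):
    """Return (errors, items). A line using relevance substitution yields only its
    substitution text, since it is resolved on the Client and not cached at creation."""
    errors, items, state = [], [], "before"  # before -> inside -> after the block
    if "begin pre-fetch block" not in script.lower():
        return errors, items  # old-style Action: presence of the block marks the new style
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        low = line.lower()
        if "{" in line and "}" not in line[line.index("{"):]:
            errors.append("Relevance substitution missing trailing ‘}’")
            continue
        if low == "begin pre-fetch block":
            if state != "before":
                errors.append("Only a single begin pre-fetch block is allowed")
            state = "inside" if state == "before" else state
            continue
        if low == "end pre-fetch block":
            if state == "before":
                errors.append("End pre-fetch block found before begin pre-fetch block")
            elif state == "inside":
                state = "after"
            continue
        is_prefetch = low.startswith(PREFETCH_CMDS)
        if state == "before":
            errors.append("Only comments and blank lines are allowed before pre-fetch block")
        elif state == "after":
            if is_prefetch:
                errors.append("Command invalid outside pre-fetch block")
        elif low.startswith("add nohash pre-fetch item"):
            body = line[len("add nohash pre-fetch item"):]
            if "{" in body:
                errors.append("Relevance substitution is not allowed")
            else:
                items.append(_item(body, True, errors))  # not plural: one download per line
        elif low.startswith("add pre-fetch item"):
            body = line[len("add pre-fetch item"):].strip()
            if "{" in body:
                items.append({"dynamic": body})  # not cached on the Server at creation time
            else:
                for chunk in filter(str.strip, body.split(";")):  # plural, ';'-separated
                    items.append(_item(chunk, False, errors))
        elif not (is_prefetch or low.startswith(CONTROL_CMDS)):
            errors.append("Command invalid inside pre-fetch block")
    return errors, items

# Constructed samples modelled on TABLE 14 (hosts and hashes are placeholders).
GOOD_SCRIPT = """// comments may precede the block
begin pre-fetch block
add pre-fetch item name=ini sha1=0123abcd size=512 url=http://example.invalid/Server_bf.ini
add nohash pre-fetch item size=12 url=http://example.invalid/tools/tmdl.exe
collect pre-fetch items
execute pre-fetch plug-in "{download path "tmdl.exe"}" /downloads "{download path "ini"}"
add pre-fetch item {concatenation " ; " of lines of download file "urllist"}
end pre-fetch block
waithidden "{download path "tmdl.exe"}" /update
"""
BAD_SCRIPT = """waithidden early.exe
begin pre-fetch block
add pre-fetch item name=bad sha1=1 url=http://example.invalid/a
add nohash pre-fetch item sha1=1 url=http://example.invalid/b
add nohash pre-fetch item url={value of setting "x"}
add pre-fetch item name=x size=1 sha1=1 url={pathname of file "a"
begin pre-fetch block
end pre-fetch block
collect pre-fetch items
"""
```

Running `validate_prefetch(GOOD_SCRIPT)` yields no errors and three items (one hashed, one nohash, one dynamic); `BAD_SCRIPT` produces one error per offending line in order of appearance. Conditions inside if/elseif/else/endif are not evaluated here, so every item is reported regardless of which branch would be true on a given Client.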
    Client Download Request Mechanics
  • When a Client builds a download list, if there are ActionID/ordinal downloads but no URL/SHA-1 downloads, the Client uses the request mechanism without URL/SHA-1. If there are any URL/SHA-1 downloads present, it uses the URL/SHA-1-based request mechanism, which allows ActionID/ordinal requests and URL/SHA-1 requests to be co-mingled. The Client verifies the signature of the Action before it does any download pre-fetching calculations from the ActionScript. If the Relay or Server does not support the URL/SHA-1-based request mechanism, the Client blocks the Action from executing.
  • Inspectors
  • Several inspectors allow an ActionScript to be written in a consistent manner that refers to files in the pre-fetch folder when an Action is not active, and to files in the download folder when the Action is active. In an embodiment, Pre-fetch files are collected to a per-Action-pre-fetch-folder until the Action is ready to run. They exist in the per-Action-pre-fetch-folder with various names that indicate the progress of the pre-fetch activities. At various stages in processing these files may be renamed to the names specified in the pre-fetch commands. The named versions of the files when the Action is inactive after every ‘collect pre-fetch items’ may be placed into a ‘named’ folder. Before an Action is run, the pre-fetch files are moved from the ‘named’ folder to a ‘Download’ folder of the Action site. When the Action completes, any files remaining in the ‘Download’ folder are moved into the download cache or utility cache and renamed to their SHA-1.
  • One or more of the following inspectors can be used to locate files during the pre-fetch processing or while the Action is running:
      • download folder
        • When the Action is active, this inspector returns a folder object of the location of the ‘Download’ folder;
        • When the Action is not active, this inspector returns a folder object of the location of the named per-action-prefetch-folder;
      • download path “myfile”
        • This inspector returns a string containing the full path to the named file, the file need not exist.
      • download file “name”
        • This inspector returns a file object of the specified name in the named folder or the download folder.
    Client Behavior
  • Temporal Distribution with Downloads
  • In an embodiment, the Client asks for a ‘0’ file. Once the ‘0’ file is available, Clients calculate their time to start, causing the Relays to collect the file as soon as the first Client requests it, so that all of the Clients are not downloading at the same time.
  • In dynamic download situations, a set of pre-fetch files identified by a first ‘collect pre-fetch items’ statement is requested. If no ‘collect pre-fetch items’ statement is used, the full set is requested. When they become available, the Clients calculate their time to start. Once that time to run is reached, the Client sees if there are more files it needs; if so it requests them, then it runs. It will not pick a different time to run. The effect of this is that the Clients that choose an early distribution time trigger any additional files to be downloaded. Thus, the later Clients do not have to wait for them.
  • Client Requests Files when All Files Already Available in Cache
  • In an embodiment, Clients go to their caches before they ask the Relay if the files are available.
  • Name Collisions
  • In an embodiment, Clients run the Action with the last file with that name in place, regardless of how many other downloads have the same name.
  • Sample On-Demand Update Action
  • This example assumes a version comparison is used to detect that a change (upgrade or rollback) is necessary. Other techniques might use dates, or compute SHA-1s of saved versions of a server configuration file to trigger the update. This is formatted in a fashion that assumes the wizard constructing it has access to the key pieces of information required to generate the Action.
  • TABLE 14
    Subject: Update Trend AV pattern files to version
    <Server_bf.ini.PatternVersion>
    Date: <Server_bf.ini.ReleaseDate>
    x-relevant-when: name of operating system starts with “Win”
    x-relevant-when: exists service “TMAUClient.exe” and version of
    service “TMAUClient.exe” >= 2
    x-relevant-when: version of Client >= “7.1.5”
    x-relevant-when: setting “TMAVAUEnabled” of site = “0”
    x-relevant-when: <Server_bf.ini.PatternVersion> is greater than
    <VersionInstalledExpression>
    // ActionScript to update to pattern files to version
    <Server_bf.ini.PatternVersion>
    begin pre-fetch block
    // pre-fetch the Server_bf.ini
    add pre-fetch item name=ini sha1=<Server_bf.ini.Sha1>
    size=<Server_bf.ini.Size> url=<Server_bf.ini.URL>
    // pre-fetch the trend component that produces the download list
    and updates the pattern files
    add pre-fetch item name=tmdl.exe sha1=123 size=12
    url=http://trend/downloads/tmav_get_dl_list.exe
    // collect above pre-fetch files (needed to compute the url
    list)
    collect pre-fetch items
    // execute trend component: given ini data file, it produces a
    file of pre-fetch items.
    execute pre-fetch plug-in “{download path “tmdl.exe”}”
    /downloads “{download path “ini”}” “{download path “urllist”}”
    // urllist assumed to be formatted as lines, each containing name=<n>
    sha1=<h> size=<s> url=<u>
    add pre-fetch item {concatenation “ ; ” of lines of download
    file “urllist”}
    end pre-fetch block
    // Action is now active, update the pattern files now
    waithidden “{download path “tmdl.exe”}” /update “{download path
    “ini”}” “{location of download folder}”
  • Sample Auto-Update Action
  • This example assumes a version comparison can be used to detect that the update is necessary. This arrives as a Fixlet. The values are substituted from a server configuration file when the Fixlet is authored by an on-demand wizard. In this situation, Server_bf.ini.PatternVersion, for example, is read from the Server initialization file when the wizard is used to create an on-demand update Fixlet. To build this expression, the name of the custom site must be known. The Client may be configured to know where the auto-update Server_bf.ini and Server_bf.ini come from.
  • TABLE 15
    Subject: Update Trend AV pattern files to newest version
    x-relevant-when: name of operating system starts with “Win”
    x-relevant-when: exists service “TMAUClient.exe” and version of
    service “TMAUClient.exe” >= 2
    x-relevant-when: version of Client >= “7.1.5”
    x-relevant-when: value of setting “TMAVAUEnabled” of site = “1”
    x-relevant-when: <Server_bf.ini.PatternVersion> is greater than
    <VersionInstalledExpression>
    // ActionScript to update automatically to whatever ini file in
    custom site specifies
    begin pre-fetch block
    parameter “ini”={pathname of file “Server_bf.ini” of Client
    folder of site (value of setting “TMAVCustomSite”)}
    // pre-fetch the trend component that provides the download list
    add pre-fetch item name=tmdl.exe sha1=123 size=12
    url=http://trend/downloads/tmav_get_dl_list.exe
    // collect above pre-fetch files (needed to compute the url
    list)
    collect pre-fetch items
    // execute trend component that given the ini data file,
    produces a list pre-fetch items
    execute pre-fetch plug-in “{download path “tmdl.exe”}”
    /downloads “{parameter “ini”}” “{download path “urllist”}”
    // urllist assumed to be formatted as lines, each containing
    name=<n> sha1=<h> size=<s> url=<url>
    add pre-fetch item {concatenation “ ; ” of lines of download
    file “urllist”}
    end pre-fetch block
    // Action is now active, update the pattern files now
    waithidden “{download path “tmdl.exe”}” /update “{parameter
    “ini”}” “{location of download folder}”
  • Client Credential Security Model
  • In an embodiment, the Platform provides a security model having at least the following capabilities:
      • Clients can trust content received from the Server. All commands and questions that Clients receive are signed by a key that can ultimately be verified against a public key that is distributed to all Clients at install time; and
      • Clients can submit reports to the Server without risk of snooping. The Client can choose to encrypt the reports it sends up to the Server, so that no attacker can see what the report contains.
  • In the foregoing approach, Clients are assigned unique identifiers when they register. Any entity, such as a machine or network, that requests a registration interaction with the Server is issued a unique identifier and is trusted. Many of the properties associated with a particular Client that can be viewed by an operator by way of the UI to the Console are aligned with that Client based on the identifier that was handed out at the time of registration. Accordingly, the foregoing approach provides strong authentication of the Server and the Administrators by the endpoints (Clients). That is, whenever a Client receives a command from an Administrator, the Client knows exactly who issued it by virtue of the strong cryptographic mechanisms. Additionally, the channel can be encrypted through strong cryptographic mechanisms. However, information flowing in the opposite direction, from endpoints (Clients) into the system, is not authenticated because there previously has not existed a reliable way to authenticate the endpoints. Not being able to reliably authenticate an endpoint may provide an opportunity for such attacks as spoofing, in which a person or program successfully masquerades as another by falsifying data and thereby gaining some illegitimate advantage.
  • There exist, for example, simple techniques that attackers use to spoof information, such that the Console would display the spoofed information as if it were genuine—as if it were coming from the particular Client associated with a particular Client identifier. A Client authentication mechanism, in which a cryptographic credential is established on each Client (endpoint), provides a much stronger, more robust security model that greatly minimizes the risk of spoofing attacks.
  • In an embodiment, the Client Authentication mechanism extends the previous security model to include a mirror image of the above-mentioned capabilities:
      • Clients sign every report submitted to the Server, which is able to verify that the report does not come from an attacker; and
      • Servers can send data to Clients without risk of snooping. The Server can encrypt data that it sends to a Client so that no attacker can see what data is being sent to the Client.
        While such a model is well-suited to a use case in which Clients send reports to the Server, it is also applicable to various use cases in which Clients authenticate each other in a similar way.
  • The foregoing embodiments of the security model present complementary challenges:
      • The first approach involves generation of a single private/public key pair and distribution of many copies of the public key. Additionally, at install time, the installer naturally has the right to tell a Client to trust a Server because the installer has control over the Client; and
      • The Client Authentication mechanism involves generation of many private/public key pairs and wide distribution of each of the many public keys. Additionally, there exists no immediate way to prove that an installer has the right to tell the Server to trust the Client, because the installer may be unknown. For example, the installer may be an attacker installing a new Client on his/her own machine, pretending to be some other resource.
  • A solution to the above challenges allows anyone to enter the system and generate a new identity and builds trust from that starting point, unlike conventional security systems, which specifically require that a new resource be explicitly joined to the system by an Administrator. Referring now to FIG. 10, at Initial Registration, a Client produces a public/private key pair. The Server then grants a unique Computer ID which the Server associates to public key. Thus, after registration, the Computer ID and the public key are associated to the particular unique Client.
  • Assuming that the private key created on the Client is not distributed to any other devices, it can authenticate content coming from that Client, making it possible to verify any messages sent from the Client.
  • Overview
  • In an embodiment, a cryptographic protocol, such as OPENSSL, is employed to create public/private key pairs for each new Client in a deployment. When a Client initially registers, it submits a public key with a request that the key be associated to a new computer ID. The response to the Client request, in turn, is signed with a key that can be authenticated by the Client. Thus, the Client cannot be deceived into thinking that it has registered directly with the Root Server when it has, in fact, registered through a malicious middleman who switched the public key submitted to the Root. The Root Server stores the Client's public key in a map of computer IDs to public keys. The key remains associated with the ID for the life of the ID.
  • On subsequent interactions, reports or file uploads, for example, the Client signs the interaction with its private key. When the Root Server receives a report, before updating the data for the computer ID provided, it verifies that the report is signed by a key that matches the public key on file for that ID.
  • To send secure data to a Client, the Root Server exposes APIs, for example, by way of the database or SOAP (simple object access protocol), that allow lookup of public keys given a computer ID. In an embodiment, the data is trusted, to assure that the data gets encrypted against the intended target, and not a maliciously-inserted target. In an embodiment, database security and/or signing the data provide a sufficient degree of trust. Given the public key, any program can encrypt data and provide it to the Client however it wishes.
  • Details of the Client Authentication Mechanism: Client Data:
      • Public key;
      • Private key;
      • Computer ID;
      • Registration interaction number; and
      • Report number.
  • Server Data (per Client):
      • Public key;
      • Computer ID;
      • Registration interaction number;
      • Report number; and
      • Reject this Computer ID.
  • As shown in FIG. 10, if the Client Computer ID=0 or if the Client public/private key pair is missing or non-functional:
      • Begin registration;
      • Create public/private key pair;
      • Set registration interaction number to 0;
      • Send computer ID=0, public key, registration interaction number;
      • Receive computer ID;
        • Registration success, begin normal processing;
      • Receive public key in use;
        • Go back to begin registration.
  • If Client Computer ID !=0, and public/private key pair is functional:
      • Subsequent registration;
        • Increment registration interaction number;
          • Send computer ID, Public key, and encrypted registration number;
          • Receive computer ID;
            • Registration success begin normal processing;
            • Receive clone detected, set computer ID to 0, go to Begin Registration.
  • If Server Registration Request with Computer ID=0:
      • If Public key already in use, reject registration by telling Client ‘public key is in use’;
      • Otherwise:
        • Allocate a new Computer ID that is unique;
        • Store a new computer record containing Computer ID, Public key, Registration interaction number=0, report number=0, reject this computer ID=false;
        • Send Computer ID.
  • If Subsequent Server Registration Request with Computer ID!=0 (FIG. 11):
      • Receive Computer ID, Public key and encrypted Registration interaction number;
      • Reject if cannot decrypt Registration interaction number with Public key provided;
      • Look up Computer ID record;
        • If not found:
          • Store a new computer record containing the Computer ID, Public key, Registration interaction number decrypted, report number=0, reject this computer ID=false;
          • Send Computer ID;
        • else
          • if (decrypted Registration interaction number>stored value);
          • This is a valid subsequent Registration attempt;
        • else
          • this is a clone or replay attack;
          • send back a message encrypted with public key provided;
          • Receive response proving it is a clone (it has the private key);
          • If it is a clone:
            • Set ‘reject this Computer ID’=true;
            • Tell clone to reset itself (use a Computer ID=0);
          • Else:
            • inform sender that Registration failed.
  • Client report
      • After preparing report (with report number and Computer ID embedded):
        • Compute SHA-1 of report;
        • Encrypt SHA-1 of report using private key;
        • Tack encrypted SHA-1 to end of report.
  • Server Report
      • When receiving report:
        • Compute SHA-1 of report;
        • Read Computer ID from report headers;
        • Look up public key of this Client;
        • If not found, reject report;
        • Decrypt SHA-1;
        • if SHA-1s match, process report into database.
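  • The registration, subsequent-registration, clone-detection and report-signing steps listed above (FIG. 10 through FIG. 12), modelled end to end as an added example; this is not the Platform's code. Textbook small-key RSA stands in for OpenSSL so the block runs on the standard library alone and is a model of the protocol shape, not production cryptography. Two details go beyond the page's text and are labelled in the code: a registration interaction number that "decrypts" to an implausibly large value is treated as not decryptable with the key provided, and on a subsequent registration the key presented must match the key on file for that Computer ID.

```python
"""Toy model of the Client Authentication flow above (FIG. 10-12). Added example, not the Platform's
code: textbook small-key RSA stands in for OpenSSL so it runs on the standard library alone."""
import hashlib
import secrets

def _is_probable_prime(n, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses; adequate for a demo key generator
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            if (x := pow(x, 2, n)) == n - 1:
                break
        else:
            return False
    return True

def make_keypair(bits=256):  # ((n, e), (n, d)); a 256-bit n is fast and exceeds any SHA-1 value
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q, e = prime(bits // 2), prime(bits // 2), 65537
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa(m, key):  # one modular exponentiation; the key tuple decides the direction
    return pow(m, key[1], key[0])

def sha1_int(text):
    return int.from_bytes(hashlib.sha1(text.encode()).digest(), "big")

class Client:
    computer_id = reg_number = report_number = 0  # Client data from the page; keys made at registration

    def register(self, server):
        if self.computer_id == 0:  # Begin registration: fresh key pair, counter 0
            self.public_key, self.private_key = make_keypair()
            self.reg_number = 0
            reply = server.register_new(self.public_key)
            if reply == "public key in use":
                return self.register(server)  # go back to begin registration
            self.computer_id = reply
            return "registered"
        self.reg_number += 1  # Subsequent registration: counter "encrypted" with the private key
        reply = server.register_existing(self.computer_id, self.public_key,
                                         rsa(self.reg_number, self.private_key), self)
        if reply == "clone detected":
            self.computer_id = 0  # told to reset itself: new key pair and ID next time
            return self.register(server)
        return reply

    def answer_challenge(self, ciphertext):  # only a holder of the private key can answer
        return rsa(ciphertext, self.private_key)

    def sign_report(self, body):
        self.report_number += 1
        report = f"computer_id={self.computer_id}\nreport_number={self.report_number}\n\n{body}"
        return report + "\n--sig:%d" % rsa(sha1_int(report), self.private_key)

class Server:
    def __init__(self):
        self.records = {}  # Computer ID -> {public_key, reg_number, reject}; IDs are never reused

    def register_new(self, public_key):  # request with Computer ID = 0
        if any(r["public_key"] == public_key for r in self.records.values()):
            return "public key in use"
        cid = max(self.records, default=0) + 1
        self.records[cid] = {"public_key": public_key, "reg_number": 0, "reject": False}
        return cid

    def register_existing(self, cid, public_key, token, requester):  # FIG. 11
        reg_number = rsa(token, public_key)
        if reg_number >= 2 ** 32:  # assumption: a huge value means it was not signed with the key given
            return "registration failed"
        # unknown ID: page stores the record as presented (reg_number -1 so the first counter is accepted)
        rec = self.records.setdefault(cid, {"public_key": public_key, "reg_number": -1, "reject": False})
        if rec["reject"] or rec["public_key"] != public_key:  # key match is added beyond the page's text
            return "registration failed"
        if reg_number > rec["reg_number"]:
            rec["reg_number"] = reg_number
            return "registered"
        nonce = secrets.randbelow(public_key[0])  # clone or replay: challenge with the key provided
        if requester.answer_challenge(rsa(nonce, public_key)) == nonce:
            rec["reject"] = True  # invalidate the cloned Computer ID
            return "clone detected"
        return "registration failed"

    def accept_report(self, signed):
        report, _, sig = signed.rpartition("\n--sig:")
        if not sig.isdigit():
            return False
        rec = self.records.get(int(report.split("\n", 1)[0].split("=")[1]))
        return bool(rec and not rec["reject"] and rsa(int(sig), rec["public_key"]) == sha1_int(report))
```

A disk-image clone is modelled by copying a registered Client's attributes (keys, ID and counter). When the original re-registers, its counter moves ahead; the clone then presents a counter that is not greater than the stored value, is challenged, proves it holds the private key, and the shared Computer ID is marked rejected, so the original's later reports are refused until it registers afresh. A replayed registration message from a party without the key fails the same challenge without invalidating the ID.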
  • The person of ordinary skill will notice that the foregoing embodiments employ the SHA-1 cryptographic hash algorithm. Other embodiments may incorporate other cryptographic hash algorithms such as MD4, MD5, SHA-0, SHA-2 or SHA-3.
  • As shown in FIG. 12, it is apparent that, after a Client registers, barring the circumstance that the Client's private key is somehow installed on another machine, the foregoing Client Authentication model provides a high degree of certainty in subsequent interactions that the Client is authentic, that it is who it says it is.
  • In addition, the foregoing model also provides a mechanism for doing clone detection, in the event that a key does become compromised. The cloning detection, when it detects a cloned key during a registration attempt, invalidates the Computer ID associated with the cloned key. Subsequently, the Client must generate a new key pair and begin the registration process anew, thus enabling the detection of key reuse by a different party.
  • It will be appreciated that the level of trust established by the foregoing Client Authentication model may be raised through combination with other authentication mechanisms. For example, a higher level of trust may be achieved by establishing a second data pathway to secure a confirmation; for example, by requiring the registering party to confirm that they, in fact, are the registering party by email. Alternatively, a higher level of trust may be established if a Client is able to authenticate through a Server's active directory, or if the Client and Server can exchange keys via a protocol such as SSH (secure shell). A still higher level of trust may be achieved by physically verifying that the machine's credentials can be trusted; for example, by having an operator access the machine and verify the public key. Additionally, Clients accorded varying levels of trust may be identified in the Console interface. For example, Clients accorded the primary trust level are grouped together in one region of the display, while Clients accorded the highest trust level are grouped together in another region of the display.
  • While the foregoing Client Authentication model has been discussed primarily in connection with Client/Server interactions, the model also finds application in interactions between Clients, for example a clustering relationship involving a number of endpoints.
  • Additionally, while the Client Authentication model has been discussed primarily in connection with Client/Server interaction, in an embodiment, it may also play a role in interactions between a Relay and a Client. As described above, Relays are typically Clients that have been additionally configured to behave as a Server. Accordingly, because a Relay is also a Client, the Relay can also be issued authentication credentials like a Client. By authenticating the Relay, a Client knows that it is talking to a Relay, thus providing additional protection against snooping attacks, such as man-in-the-middle attacks.
  • An embodiment of the Client Authentication model finds application in the sending of a password down the hierarchy to a Client from the Server. It is a common IT management task to reset the password on a Client. Conventionally, a password, when it is sent to a Client is scrambled. The Client is then given a utility to unscramble the password. However, giving the Client the unscramble utility, in essence, gives it to the rest of the world. Thus, even though the scrambled password is not plaintext, it is not secure. There exists, therefore a great need for a secure way to send a password down to a Client. Because the Client Authentication model includes a key pair for the Client, the password can be encrypted using the Client's public key, which is then pushed to the Client. Because only the Client has the private key, only the Client can decrypt the password.
  • Direct Connect
  • As above, an embodiment of the Platform provides the ability to facilitate a connection between a Console operator and a remote computer, as shown in FIG. 13, where a Console 1301 is connected to Client A 1304 through the Root Server 3102 and Relay A 1303. This capability enables a multitude of use cases, many of which fall into one of the below categories:
      • Remote control involves leveraging the infrastructure to reach out and establish a synchronous encrypted tunnel between a Console operator and an endpoint, even across NAT (network address translation), personal firewalls, and so on;
      • Mailboxing: Building a secured channel for asynchronously sending messages to individual machines.
  • Among the use cases are:
      • Remote “QnA”: using the connection as a remote Fixlet debugger;
      • Remote Desktop: remote Shell/SSH (secure shell)/VNC (virtual network computing);
      • Password mailboxing;
      • VPRO (INTEL Corporation, Santa Clara Calif.) tunneling;
      • File discovery/sharing; and
      • On-the-fly VPN (virtual private network): allowance for SMB (Server message block) sharing;
      • Connecting “Users” and “Computer IDs” to automatically provide privileges to connect to a set of other computers;
      • Anti-virus management: a Console plug-in synchronously opens a connection to a Client (endpoint) and transfers the log from the Client up to the Console.
  • Using the Platform to establish either synchronous or asynchronous one-to-one connections between the Console and a Client readily circumvents a host of restrictions imposed by network topology. For example, the Relay hierarchy readily allows penetration of NAT (network address translation) protocols—a technique that allows a number of machines to share a single IP address from the outside world's perspective—so that it is possible, assuming that a Relay exists behind the NAT, to communicate with Clients behind the NAT.
  • One embodiment enables routing through the infrastructure into a Relay inside a subnet and then allowing the last leg of communication to take place over an IP address that can directly connect to the target machine.
  • The Relay hierarchy, together with the Relay discovery mechanisms that use hop count as the measure of a Relay's suitability for a machine to connect to, greatly simplifies the configuration of routes through the hierarchy. When a Client registers with the most suitable Relay, a connection is established not only with that Relay but, through the Relay, all the way up to the Server, such that messages can then be forwarded down the pathway to the particular Client.
  • In an embodiment, the present Direct Connect methodology uses the pathway to establish a connection. For example, a rendezvous technique may wake up the target machine, inform it that a direct connection is requested and inform the target of the network topology or pathway to use to connect. In an embodiment, it is possible to directly connect across a network.
  • In an embodiment, the Relay infrastructure may be used as a communication mechanism to trigger a rendezvous, and subsequently to facilitate communications by keeping sockets open in both directions with all of the internet Relays handing off traffic in both connections as packets flow between the two. For example, the Relay infrastructure can be used with certain distributed computing applications wherein a connection is opened up between two ports that wouldn't otherwise be able to connect; the connecting Server can then step out of the middle, so there is no longer any Server involvement.
  • In an embodiment, as shown in FIG. 14, a direct connection 1400 between two Clients (1401, 1404) may involve two points (1402, 1403) in the Relay hierarchy, without involving the Server at all. For example, in the case of a user who is logged into the same network in two different parts of the world, a direct connection between the two machines allows them to interact with each other.
  • In an embodiment, by means of a user interface displayed on the desktop of each Client in the network, the user is able to specify a machine that the user would like to connect to and initiate a connection, for example, with a simple mouse click, triggering an activity that, behind the scenes, makes the connection available to the Client.
  • In an embodiment, a Relay may be used to provide an execution environment for other functions inside a container, thus providing a place in which Server functionalities can be made more widely available to Clients on the network.
  • In an embodiment, Relays may be used to host software depositories, for example software updates, so that the updates could be readily flowed to any Relay that has been configured to host the updates.
  • In an embodiment, Relays may be used to host computational entities such as distributed pattern databases that ideally are scattered throughout the enterprise.
  • Additionally, Relays may be used to host computational entities such as virtual environments to give the Relay cross-Platform capability, allowing it to run software for any operating system.
  • In an embodiment Relays can be designated as processing points for a variety of computational tasks.
  • In an embodiment, Relays can provide a direct connection from a management point to an end point, thus enabling management technologies such as VPRO.
  • Wake-on-LAN
  • Wake-on-LAN is a computer networking standard that allows a computer to be turned on or woken up by a network message. Conventionally, the wake-up message is referred to as a “magic packet”, for example, a broadcast frame containing within its payload 6 bytes of 255 with all bits set to the ‘on’ position, followed by sixteen repetitions of the target computer's MAC address. Thus, the challenge is to direct a magic packet down to a target computer to wake it up. However, the magic packets used by Wake-on-LAN have the special property that they only work if they are broadcast within a subnet. Additionally, most networks do not permit sending a broadcast packet to other subnets because they can be easily abused to launch, for example, SMURF attacks.
  • To circumvent the limitations involved in using a magic packet to wake up a computer, the Relay infrastructure described herein is used to route a broadcast packet down from any central point within the system (the management Console, or an integration point) to any computer that exists within the system. This takes advantage of the fact that, when a Client registers with its Relay, and up to the root Server, the Client sends up a list of the interfaces it knows it has to communicate with, what subnets they are in, and what their MAC addresses are. As above, the MAC (media access control) address is the address used for these wakeup commands. Thus, whenever a Client talks to a Relay, it sends up information saying “Here's where I am and here's how you can get in contact with me.”
  • The Relay retains this information and passes it up through the hierarchy all the way to the root, so that at the root of the deployment an Administrator can readily determine which subnet a target computer occupies. The Administrator next needs some other computer in the target's subnet that is awake and can broadcast the magic packet to the target. Because the Relay hierarchy has collected all of the necessary information, the Administrator knows of, for example, eighty computers on the same subnet as the target, which may be reporting in to, for example, two different Relays.
  • The Administrator then sends a message down through the Relays to the two Relays that know how to contact the target's subnet, and each of them sends messages to all of the target's peers requesting that the target be woken up. The Clients listen for the UDP messages sent by the Relays. When a Client hears one, it immediately broadcasts a Wake-on-LAN magic packet for the target computer on that subnet.
  • Thus, unlike the conventional approach, which usually requires that one computer in each subnet be designated and kept powered on at all times to serve as a point of communication, all of the computers in the target subnet are asked to wake the target machine. It is highly likely that, out of all of the computers in the target subnet, at least one will be powered on and able to issue the Wake-on-LAN message. Because the single point of communication has been eliminated, the network is considerably more robust and easier to reason about.
  • Each Client sends the magic packet on the same interface on which it received the request, and it also sees when other Clients start sending the same packet. A Client stops sending as soon as it observes this duplicate traffic, so a small amount of duplicate traffic is likely, but when duplicates occur the Clients elect among themselves which Client will broadcast the magic packet. The Clients that lose the election stay silent on the next forwarding request for a period of time, for example, one second. If they see that the elected Client has not responded, for example, because it has been powered off, the next Client in line tries.
  • The election uses a unique computer ID and a comparison operation that each computer can apply to decide whether or not it should take precedence over the other computers. Any individual computer observing the UDP traffic to wake up a particular machine in the subnet can decide whether it should be the one to take precedence in that subnet. The Client that takes precedence prevails and takes over; the other Clients stay out of the way unless they detect that the designated computer is not performing its task, in which case they step in again. Which Client becomes dominant is determined by ordering the individual machines according to their unique identities. Thus, the Clients have a built-in election process based on a unique identifier and a collation order for determining precedence.
  • It should be noted that a Relay is generally a Client also, so that, as long as it fulfills the requirement of being in the same subnet as the target computer, a Relay could be the one to wake-up the target computer.
  • In view of the foregoing discussion, it will be apparent that only the magic packet, within the context of the subnet, is a true broadcast. The other messages flowing inside the system are directed messages. What flows down through the Relay hierarchy after a user says “I want to wake up Bob's machine” is not a broadcast; it is directed to the particular machines in the subnet that the target machine reported it was a member of.
  • The target machine resides inside a particular subnet, and its peers within that subnet are notified through directed mechanisms saying “if you're in this subnet, you should wake up Bob (the target machine)”, together with his MAC address and so on. Each peer constructs the magic packet from that information and tags its traffic with the unique identifier that lets it and its peers coordinate who is in charge of delivering the message in that subnet. Only then is the request transformed into a broadcast message within the subnet.
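The procedure described over the preceding paragraphs, simulated end to end as an added example (this is not the patent's code): the Console uses registration data to find the target's subnet peers and the Relays they report to, the Relays send a directed request to each peer, and the peers elect a sender by collation order of their computer IDs, falling back to the next ID when the first is powered off, with duplicate suppression on the shared broadcast domain. Computer IDs, Relay names, subnets and MACs are constructed; the one-second slot per precedence rank and "lowest ID wins" rule are assumptions consistent with the text.

```python
"""Relay-routed Wake-on-LAN with peer election, simulated end to end.

Added example, not code from the patent. All identifiers below are constructed
sample data; SLOT_MS and the lowest-ID-first collation rule are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SLOT_MS = 1000  # assumed back-off slot per precedence rank ("for example, a second")


@dataclass(frozen=True)
class Registration:
    """Subset of what a Client reports to its Relay when it registers."""
    computer_id: str
    relay: str
    subnet: str
    mac: str


@dataclass(frozen=True)
class WakeRequest:
    """Directed message a Relay sends to each peer in the target's subnet."""
    target_mac: str
    recipients: tuple  # computer IDs that coordinate the broadcast
    issued_ms: int = 0


SAMPLE_REGISTRY = [  # constructed
    Registration("c-0007", "relay-east", "10.1.2.0/24", "00:11:22:33:44:07"),
    Registration("c-0042", "relay-east", "10.1.2.0/24", "00:11:22:33:44:42"),
    Registration("c-0103", "relay-west", "10.1.2.0/24", "00:11:22:33:45:03"),
    Registration("c-0200", "relay-west", "10.9.0.0/24", "00:11:22:33:46:00"),
]


def magic_packet(mac: str) -> bytes:
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "").replace("-", "")) * 16


def plan_wake(registry, target_id):
    """Console/root side: from registration data, find the target's subnet peers and
    the Relays they report to. Everything at this layer is directed, not broadcast."""
    target = next(r for r in registry if r.computer_id == target_id)
    peers = [r for r in registry if r.subnet == target.subnet and r.computer_id != target_id]
    relays = sorted({r.relay for r in peers})
    request = WakeRequest(target.mac, tuple(sorted(p.computer_id for p in peers)))
    return target, peers, relays, request


class Subnet:
    """The broadcast domain: every frame sent is visible to every powered-on peer."""
    def __init__(self):
        self.frames = []  # (sender_id, payload)

    def broadcast(self, sender_id, payload):
        self.frames.append((sender_id, payload))


class Peer:
    def __init__(self, computer_id, powered_on=True):
        self.computer_id = computer_id
        self.powered_on = powered_on
        self.pending: Optional[WakeRequest] = None
        self.due_ms = 0
        self.seen = 0  # frames already observed on the subnet

    def on_wake_request(self, req):
        """Election: my rank is my position in the collation order of recipients."""
        if not self.powered_on:
            return  # a powered-off peer never hears the Relay
        rank = sorted(req.recipients).index(self.computer_id)
        self.pending = req
        self.due_ms = req.issued_ms + rank * SLOT_MS

    def tick(self, now_ms, subnet):
        if not self.powered_on or self.pending is None:
            return
        want = magic_packet(self.pending.target_mac)
        for _sender, payload in subnet.frames[self.seen:]:
            if payload == want:
                self.pending = None  # a peer with precedence already sent it
        self.seen = len(subnet.frames)
        if self.pending is not None and now_ms >= self.due_ms:
            subnet.broadcast(self.computer_id, want)  # the only true broadcast
            self.pending = None


def simulate_wake(request, peers, max_slots=None):
    """Run the subnet until a magic packet appears or every rank has had its slot.
    Returns (sender_id, elapsed_ms, frames_on_wire); sender_id is None on failure."""
    subnet = Subnet()
    for p in peers:
        p.on_wake_request(request)  # the Relay's directed fan-out
    slots = len(request.recipients) if max_slots is None else max_slots
    for slot in range(slots):
        now = request.issued_ms + slot * SLOT_MS
        for p in peers:
            p.tick(now, subnet)
        if subnet.frames:
            return subnet.frames[0][0], now - request.issued_ms, len(subnet.frames)
    return None, slots * SLOT_MS, 0
```

With both peers awake the lowest ID sends in slot 0 and exactly one frame hits the wire; with that peer powered off, the next ID sends one slot later; with no peer awake the request fails after every rank's slot, which is the case the Administrator must detect at the Console.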
  • Thus, a fundamental advantage of the Relays and the Relay hierarchy herein described is that any computer in the system can be contacted through the Relay hierarchy. In a conventional network topology of, for example, 100,000 machines, each computer has an IP address and routes may exist between all of them, yet many of those machines are not allowed to contact each other, or are prevented from doing so by firewalls, network segmentation, and so on.
  • The discovered routing that is established by the Relays and the automatic Relay selection can be reused to get a message back down to a computer. In fact, it is possible to find a route between any two computers the Administrator might want to connect: by starting with a Relay and forwarding from one machine to the next until the message reaches the target, the Administrator can get a message through. Thus, the Platform, in addition to providing the one-to-many communication of a broadcast system, allows direct one-to-one communication between any two machines within a network topology under management via the Platform.
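As an added example (not the patent's code), the route-finding described above over the registered parent links: each Client knows the Relay it registered with and each Relay its own parent, up to the root Server, so the path between any two machines is the climb from the first to their lowest common ancestor followed by the descent to the second. The parent map is constructed sample data.

```python
"""Discovered routing through the Relay hierarchy.

Added example; not code from the patent. SAMPLE_PARENTS is constructed: child
-> parent as recorded at registration (Clients under Relays, Relays under the
root Server).
"""

SAMPLE_PARENTS = {
    "relay-east": "root",
    "relay-west": "root",
    "relay-west-2": "relay-west",
    "c-0007": "relay-east",
    "c-0042": "relay-east",
    "c-0103": "relay-west-2",
    "c-0200": "relay-west",
}


def path_to_root(parents, node):
    """[node, parent, ..., root]; rejects cyclic registration data."""
    path = [node]
    seen = {node}
    while path[-1] in parents:
        nxt = parents[path[-1]]
        if nxt in seen:
            raise ValueError(f"cycle in hierarchy at {nxt!r}")
        seen.add(nxt)
        path.append(nxt)
    return path


def route(parents, src, dst):
    """Hop-by-hop route src -> ... -> dst using only registered parent links.

    Climb from src until reaching a node on dst's path to the root (the lowest
    common ancestor), then descend dst's path from there. Raises if the two
    machines do not share a root, i.e. are not in the same deployment.
    """
    up = path_to_root(parents, src)
    down = path_to_root(parents, dst)
    on_down = set(down)
    ancestor_idx = next((i for i, n in enumerate(up) if n in on_down), None)
    if ancestor_idx is None:
        raise ValueError(f"no common ancestor between {src!r} and {dst!r}")
    ancestor = up[ancestor_idx]
    descent = list(reversed(down[:down.index(ancestor)]))
    return up[:ancestor_idx + 1] + descent


def hop_count(parents, src, dst):
    """Number of forwarding hops on the discovered route."""
    return len(route(parents, src, dst)) - 1
```

Two Clients under the same Relay never need the root: the route turns at that Relay, which is the "last leg inside the subnet" case the Console can exploit.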
  • Asset Network Mapping
  • In an embodiment, an Asset Network Map, as shown in FIG. 15, aggregates information collected by the Relay selection algorithm, revealing the gateways between a computer and the Relay it talks to, the number of hops, and the bandwidth of the links between them, and creates a visual mapping of that information. In some cases, hundreds of thousands of lines of data are aggregated to form a map that gives the Operator a visual representation of his/her network. In its basic form, the map comprises a multitude of points, representing gateways, and lines, representing routes.
  • The aggregated data is rendered as a human-readable graph using, for example, a force-directed algorithm such as a spring algorithm. Additionally, the Operator can apply various filters to the data in order to create a map that highlights particular aspects of it. For example, the Operator may filter on the measured bandwidth of the link between a Relay and a Client, such as links of 300 kilobytes/second.
  • While the Asset Network Map can display historical data, in an embodiment it can be updated in real time as the network infrastructure changes. Thus, the Asset Network Map can display data even as it is being generated. In this way, network traffic can be depicted visually, in real time, so that the Operator can, for example, detect, even as it is happening, that a particular area of the network is becoming overloaded.
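An added example (not the patent's code or FIG. 15) of the aggregation and layout described above: path reports of an assumed shape (client, relay, gateways traversed, measured bandwidth) are folded into a graph with per-link hit counts and worst observed bandwidth, a bandwidth filter of the kind the Operator applies is run over the links, and the result is embedded with a minimal Fruchterman-Reingold style spring layout, one of the force-directed algorithms mentioned. The records are constructed sample data.

```python
"""Asset Network Map: aggregate Client-to-Relay path reports and lay them out.

Added example, not the patent's code. PathRecord is an assumed report shape and
SAMPLE_RECORDS is constructed; the spring layout is a plain force-directed
embedding with a deterministic start so results are reproducible.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PathRecord:
    client: str
    relay: str
    gateways: tuple        # routers traversed, client side first
    kbytes_per_s: float    # measured bandwidth on this client->relay path


SAMPLE_RECORDS = [  # constructed
    PathRecord("c-0007", "relay-east", ("gw-1",), 950.0),
    PathRecord("c-0042", "relay-east", ("gw-1",), 120.0),
    PathRecord("c-0103", "relay-east", ("gw-2", "gw-1"), 280.0),
    PathRecord("c-0200", "relay-west", ("gw-3",), 1200.0),
]


def aggregate(records):
    """Fold many path reports into one graph: (sorted nodes, {link: (hits, min_kbps)}).
    A link's bandwidth is the slowest report that traversed it."""
    links = {}
    for r in records:
        chain = (r.client, *r.gateways, r.relay)
        for u, v in zip(chain, chain[1:]):
            key = tuple(sorted((u, v)))
            hits, kbps = links.get(key, (0, math.inf))
            links[key] = (hits + 1, min(kbps, r.kbytes_per_s))
    nodes = sorted({n for key in links for n in key})
    return nodes, links


def hop_counts(records):
    """Client -> number of hops to its Relay (gateways plus the final link)."""
    return {r.client: len(r.gateways) + 1 for r in records}


def links_below(links, threshold_kbps):
    """Operator filter: links whose slowest report is under the threshold."""
    return sorted(k for k, (_, kbps) in links.items() if kbps < threshold_kbps)


def spring_layout(nodes, links, iterations=200, step=0.1, cooling=0.95):
    """Force-directed layout: all pairs repel (k^2/d), linked pairs attract (d^2/k).
    Nodes start on a circle in sorted order so the embedding is deterministic."""
    n = len(nodes)
    k = 1.0 / math.sqrt(n)  # ideal link length
    pos = {v: (math.cos(2 * math.pi * i / n), math.sin(2 * math.pi * i / n))
           for i, v in enumerate(nodes)}
    for _ in range(iterations):
        disp = {v: [0.0, 0.0] for v in nodes}
        for i, u in enumerate(nodes):
            for v in nodes[i + 1:]:
                dx, dy = pos[u][0] - pos[v][0], pos[u][1] - pos[v][1]
                d = math.hypot(dx, dy) or 1e-9
                f = k * k / d
                disp[u][0] += dx / d * f
                disp[u][1] += dy / d * f
                disp[v][0] -= dx / d * f
                disp[v][1] -= dy / d * f
        for u, v in links:
            dx, dy = pos[u][0] - pos[v][0], pos[u][1] - pos[v][1]
            d = math.hypot(dx, dy) or 1e-9
            f = d * d / k
            disp[u][0] -= dx / d * f
            disp[u][1] -= dy / d * f
            disp[v][0] += dx / d * f
            disp[v][1] += dy / d * f
        for v in nodes:
            dx, dy = disp[v]
            d = math.hypot(dx, dy) or 1e-9
            s = min(d, step)  # temperature caps movement per iteration
            pos[v] = (pos[v][0] + dx / d * s, pos[v][1] + dy / d * s)
        step *= cooling
    return pos


def distance(pos, u, v):
    return math.hypot(pos[u][0] - pos[v][0], pos[u][1] - pos[v][1])
```

The `gw-1` to `relay-east` link is traversed by three Clients but inherits the 120 KB/s of the slowest, which is what a "highlight slow links" filter should surface; the layout pulls linked nodes to roughly the ideal length while unrelated nodes, and the disconnected western cluster, are pushed apart.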
  • In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

Claims (56)

1. In a policy-based network management and communication infrastructure, a computer-implemented method of providing one-to-one communication between networked computational devices comprising the steps of:
at least one computational device automatically discovering at least one parent computational device and registering at least its location with said discovered parent computational device to form a discovered hierarchy of computational devices;
a first computational device automatically discovering at least one routing path through said discovered hierarchy to a second computational device; and
said first and second computational devices communicating with each other via said discovered routing path.
2. The method of claim 1, wherein said infrastructure includes at least one of:
at least one Root Server;
at least one Console;
zero or more Relays;
zero or more proxy agents; and
at least one Client.
3. The method of claim 2, wherein said at least one Root Server comprises a computational device programmed to provide a control center and repository for system configuration data, software updates and patches and other management information;
wherein said Console comprises an operations control center for administrators that runs from the Server wherein said console includes graphical displays of device, group, and enterprise-wide device status and dashboards for executing management actions through the infrastructure and wherein said Console includes reporting functions and templates that enable graphical and tabular views of infrastructure status;
wherein said at least one Relay comprises a non-dedicated computational device running Relay software as a shared service that acts as a concentration point for Fixlet messages on said infrastructure and reduces network bandwidth requirements for distribution of at least one of software, patches, updates and said Fixlet messages;
wherein said at least one Client comprises an endpoint device in said network executing an Agent, said Agent comprising software that acts as a universal policy engine capable of delivering multiple management services that includes at least one of Client status reporting, patch and software distribution, and security policy enforcement.
4. The method of claim 3, wherein said step of at least one computational device automatically discovering at least one parent computational device and registering at least its location with said discovered parent computational device to form a discovered hierarchy of computational devices comprises the steps of:
a Client determining if a Relay is in said Client's subnet by pinging Relays having a TTL (time-to-live) of 1 and, responsive to no detection of a Relay, incrementing the TTL value and pinging until at least one Relay is detected;
responsive to detection of a Relay, said Client attempting registration with said detected Relay;
responsive to successful registration with said detected Relay, said Client using said Relay as a parent device;
responsive to unsuccessful registration with said detected Relay, said Client continuing to increment TTL and pinging until a Relay is detected and registration is successful or until TTL is incremented to a predetermined value;
responsive to no Relay being detected, said Client attempting to register with a Failover Relay;
responsive to unsuccessful registration with said Failover Relay, said Client attempting to Register with a Server; and
responsive to unsuccessful registration with said Server, said Client attempting detection of a Relay again after elapse of a predetermined MinRetry period.
5. The method of claim 4, wherein said step of attempting to register with a Failover Relay comprises the steps of:
said Client attempting to interact with a Relay;
responsive to a failure of said interaction, said Client saving time of said failure and attempting said interaction a second time;
responsive to said second failure, attempting said interaction after a predetermined ResistFailure time elapses, said ResistFailure time starting at said saved time of Failure;
responsive to a failure following said ResistFailure time expiration, said Client initiating an automatic Relay selection procedure.
6. The method of claim 3, further comprising the step of:
said infrastructure providing means for credentialing a Client using a public/private key pair in order to protect said Client and its parents from snooping attacks;
a Server signing and sending content down said hierarchy to a predetermined Client;
a predetermined Client encrypting and sending content up said hierarchy to a Server;
a predetermined Client signing and sending content to a Server; and
a Server encrypting and sending content down said hierarchy to said predetermined Client;
a first predetermined Client and a second predetermined Client exchanging content that has been one or both of signed and encrypted.
7. The method of claim 6, wherein the step of said infrastructure providing means for credentialing a Client using a public/private key pair comprises the steps of:
a Server generating a private/public key pair and distributing copies of said public key to a plurality of Clients in said network;
a plurality of Clients each generating a public/private key pair and distributing a plurality of copies of said Client-generated public key to parent devices and peer devices on said network.
8. The method of claim 7, further comprising the steps of:
a Server granting a predetermined Client a unique ComputerID and associating said unique ComputerID to said public key generated and distributed by said predetermined Client;
said Client signing content originating from said Client with said private key generated by said predetermined Client;
responsive to a Server receiving said signed content from said predetermined Client, prior to update of said content, said Server verifying that said signed content is signed by a key that matches a public key associated to a ComputerID granted to said predetermined Client.
9. The method of claim 7, further comprising the steps of:
a Server looking up a public key associated with a predetermined ComputerID; and one or both of the steps of:
said Server signing content to be sent to the Client corresponding to said predetermined ComputerID; and
said Server using said public key associated with said predetermined ComputerID to encrypt said signed content for sending to said Client corresponding to said predetermined ComputerID.
10. The method of claim 7, further comprising the steps of:
a Client registering with a Server, wherein said Client sends said public key to its Server;
responsive to detection of a cloned key, said Server invalidating a ComputerID associated to said cloned key; and
said Server requiring said Client granted said ComputerID to generate a new key pair.
11. The method of claim 7, further comprising either of the steps of:
a first Client and a second Client authenticating content exchanged with each other;
and a Client and a Relay authenticating content exchanged with each other.
12. The method of claim 7, further comprising the step of:
a Server sending an encrypted password down said hierarchy to a Client, wherein said Client decrypts said password prior to use.
13. The method of claim 3, wherein said step of either of said first and second computational devices establishing communication with the other of said first and second computational devices via said discovered routing path comprises the step of:
said Console connecting to a predetermined Client via one or both of at least one Server and at least one Relay.
14. The method of claim 13, further comprising any of the steps of:
establishing a synchronous encrypted tunnel between said Console and said Client;
building a secured channel for asynchronously sending messages to individual Clients from said Console;
creating an on-the-fly VPN (virtual private network);
enabling one or both of file discovery and file sharing over a synchronous connection;
mailboxing passwords over an asynchronous connection;
establishing a remote desktop on a Client from a Console;
remotely debugging Actions;
connecting Users and ComputerIDs to automatically provide privileges to connect to a set of other computers;
synchronously opening a connection to a Client and transferring logs from the Client up to the Console;
routing through the infrastructure into a Relay inside a subnet and then allowing the last leg of communication to take place over an IP address that can directly connect to the target machine; and
establishing a direct connection between a first Client and a second Client.
15. The method of claim 13, further comprising the steps of:
routing a broadcast packet from said Console to a target computer in said network in order to wake-up said target computer.
16. The method of claim 15, said step of routing a broadcast packet from said Console to a predetermined computer in said network in order to wake-up said computer comprising at least one of the following steps:
said Console using Client MAC (media access control) addresses provided at registration to identify Clients occupying the same subnet as said target Client;
said Console sending at least one message down through said hierarchy to contact at least one Relay that is able to contact said target's subnet;
said at least one contacted Relay broadcasting messages to peers of said target, requesting that said target be woken up;
at least one of said peers listening for messages sent out by said Relays, detecting said request messages and sending a wake-up message to said target;
each of said Peers listening for duplicate traffic and suspending broadcast upon detection of said duplicate traffic.
17. The method of claim 16, wherein said step of each of said Peers listening for duplicate traffic and suspending broadcast upon detection of said duplicate traffic comprises the step of:
said peers deciding which peer should take precedence over the remaining peers based on a unique computer ID and a collation order for determining precedence.
18. The method of claim 3, wherein said step of either of said first and second computational devices establishing communication with the other of said first and second computational devices via said discovered routing path comprises the steps of:
deploying at least one Fixlet message to at least one Client that instructs said at least one Client to trust an arbitrary piece of content to run, so that responsibility for knowing that the content is safe to run is delegated to a trusted piece of software on said at least one Client;
said Client identifying said arbitrary piece of content according to file size and hash;
said Client requesting a Relay to provide said identified piece of content by providing said file size and said hash; and
said Relay mirroring said requested piece of content back down through said hierarchy to said Client.
19. The method of claim 18, further comprising the step of: merging said mirrored content with an Action instructing said Client to run whatever the content tells said Client to run.
20. The method of claim 18, wherein said content comprises dynamic content that changes and is updated frequently so that it is not known at the time of policy creation.
21. The method of claim 20, wherein said dynamic content comprises updates to anti-virus and spyware definitions.
22. The method of claim 18, comprising the steps of:
using variables to refer to said content in ActionScripts, wherein said Client is enabled to look up dynamic information indirectly and fill it into said variables.
23. The method of claim 20, further comprising the step of determining dependency resolution in order to install various pieces of software in an arbitrary collection of software, at least some items of which depend on other software being installed.
24. The method of claim 20, further comprising the step of providing data in the form of a set of packages to a process on a Client itself that is able to analyze the set of packages, wherein said process produces a list of URLs, hashes, and sizes that need to be downloaded for the particular machine in order for it to update to a new version of a package.
25. The method of claim 24, wherein any request to download from a URL that is not explicitly authorized is checked against a white-list of URLs and must meet at least one of the criteria specified in said white-list.
26. A platform for providing one-to-one communication between networked computational devices in a policy-based network management and communication infrastructure, comprising:
at least one computational device programmed for automatically discovering at least one parent computational device and registering at least its location with said discovered parent computational device to form a discovered hierarchy of computational devices;
a first computational device programmed for automatically discovering at least one routing path through said discovered hierarchy to a second computational device; and
said first and second computational devices programmed for establishing communication with the other of said first and second computational devices via said discovered routing path.
27. The platform of claim 26, wherein said infrastructure includes at least one of:
at least one Root Server;
at least one Console;
at least one Relay; and
at least one Client.
28. The platform of claim 27, wherein said at least one Root Server comprises a computational device programmed to provide a control center and repository for system configuration data, software updates and patches and other management information;
wherein said Console comprises an operations control center for administrators that runs from the Server wherein said console includes graphical displays of device, group, and enterprise-wide device status and dashboards for executing management actions through the infrastructure and wherein said Console includes reporting functions and templates that enable graphical and tabular views of infrastructure status;
wherein said at least one Relay comprises a non-dedicated computational device running Relay software as a shared service that acts as a concentration point for Fixlet messages on said infrastructure and reduces network bandwidth requirements for distribution of at least one of software, patches, updates and said Fixlet messages;
wherein said at least one Client comprises an endpoint device in said network executing an Agent, said Agent comprising software that acts as a universal policy engine capable of delivering multiple management services that includes at least one of Client status reporting, patch and software distribution, and security policy enforcement.
29. The platform of claim 28, wherein said at least one computational device programmed for automatically discovering at least one parent computational device and registering at least its location with said discovered parent computational device to form a discovered hierarchy of computational devices comprises:
a Client programmed for determining if a Relay is in said Client's subnet by pinging Relays having a TTL (time-to-live) of 1 and, responsive to no detection of a Relay, incrementing the TTL value and pinging until at least one Relay is detected;
responsive to detection of a Relay, said Client programmed for attempting registration with said detected Relay;
responsive to successful registration with said detected Relay, said Client programmed for using said Relay as a parent device;
responsive to unsuccessful registration with said detected Relay, said Client programmed for continuing to increment TTL and pinging until a Relay is detected and registration is successful or until TTL is incremented to a predetermined value;
responsive to no Relay being detected, said Client programmed for attempting to register with a Failover Relay;
responsive to unsuccessful registration with said Failover Relay, said Client programmed for attempting to Register with a Server;
responsive to unsuccessful registration with said Server, said Client programmed for attempting detection of a Relay again after elapse of a predetermined MinRetry period.
30. The platform of claim 29, wherein said Client programmed for attempting to register with a Failover Relay comprises:
said Client programmed for attempting to interact with a Relay;
said Client programmed for, responsive to a failure of said interaction, saving time of said failure and attempting said interaction a second time;
said Client programmed for, responsive to said second failure, attempting said interaction after a predetermined ResistFailure time elapses, said ResistFailure time starting at said saved time of Failure;
said Client programmed for, responsive to a failure following said ResistFailure time expiration, initiating an automatic Relay selection procedure.
31. The platform of claim 28, further comprising:
at least one computational device programmed for credentialing a Client using a public/private key pair in order to protect said Client and its parents from snooping attacks;
a Server programmed for signing and sending content down said hierarchy to a predetermined Client;
a predetermined Client programmed for encrypting and sending content up said hierarchy to a Server;
a predetermined Client programmed for signing and sending content to a Server; and
a Server programmed for encrypting and sending content down said hierarchy to said predetermined Client;
a first predetermined Client and a second predetermined Client programmed for exchanging content that has been one or both of signed and encrypted.
32. The platform of claim 31, wherein said at least one computational device programmed for credentialing a Client using a public/private key pair comprises:
a Server programmed for generating a private/public key pair and distributing copies of said public key to a plurality of Clients in said network;
a plurality of Clients each programmed for generating a public/private key pair and distributing a plurality of copies of said Client-generated public key to parent devices and peer devices on said network.
33. The platform of claim 32, further comprising:
a Server programmed for granting a predetermined Client a unique ComputerID and associating said unique ComputerID to said public key generated and distributed by said predetermined Client;
said Client programmed for signing content originating from said Client with said private key generated by said predetermined Client;
a Server programmed for verifying that said signed content is signed by a key that matches a public key associated to a ComputerID granted to said predetermined Client responsive to said Server receiving said signed content from said predetermined Client, prior to update of said content.
34. The platform of claim 32, further comprising:
a Server programmed for looking up a public key associated with a predetermined ComputerID; and one or both of the steps of:
said Server programmed for signing content to be sent to the Client corresponding to said predetermined ComputerID; and
said Server programmed for using said public key associated with said predetermined ComputerID to encrypt said signed content for sending to said Client corresponding to said predetermined ComputerID.
35. The platform of claim 32, further comprising:
a Client programmed for registering with a Server, wherein said Client sends said public key to its Server;
said Server programmed for invalidating a ComputerID associated to a cloned key, responsive to detection of said cloned key; and
said Server programmed for requiring said Client granted said ComputerID to generate a new key pair.
36. The platform of claim 32, further comprising either of:
a first Client and a second Client programmed for authenticating content exchanged with each other;
and a Client and a Relay programmed for authenticating content exchanged with each other.
37. The platform of claim 32, further comprising a Server programmed for sending an encrypted password down said hierarchy to a Client, wherein said Client is programmed for decrypting said password prior to use.
38. The platform of claim 28, wherein either of said first and second computational devices being programmed for establishing communication with the other via said discovered routing path comprise:
said Console programmed for connecting to a predetermined Client via one or both of at least one Server and at least one Relay.
39. The platform of claim 38, further comprising any of:
a computational device programmed for establishing a synchronous encrypted tunnel between said Console and said Client;
a computational device programmed for building a secured channel for asynchronously sending messages to individual Clients from said Console;
a computational device programmed for creating an on-the-fly VPN (virtual private network);
a computational device programmed for enabling one or both of file discovery and file sharing over a synchronous connection;
a computational device programmed for mailboxing passwords over an asynchronous connection;
a computational device programmed for establishing a remote desktop on a Client from a Console;
a computational device programmed for remotely debugging Actions;
a computational device programmed for connecting Users and ComputerIDs to automatically provide privileges to connect to a set of other computers;
a computational device programmed for synchronously opening a connection to a Client and transferring logs from the Client up to the Console;
a computational device programmed for routing through the infrastructure into a Relay inside a subnet and then allowing the last leg of communication to take place over an IP address that can directly connect to the target machine; and
a computational device programmed for establishing a direct connection between a first Client and a second Client.
40. The platform of claim 38, further comprising:
a computational device programmed for routing a broadcast packet from said Console to a target computer in said network in order to wake-up said target computer.
41. The platform of claim 40, said computational device programmed for routing a broadcast packet from said Console to a predetermined computer in said network in order to wake-up said computer comprising at least one of the following:
said Console programmed for using Client MAC (media access control) addresses provided at registration to identify Clients occupying the same subnet as said target Client;
said Console programmed for sending at least one message down through said hierarchy to contact at least one Relay that is able to contact said target's subnet;
said at least one contacted Relay programmed for broadcasting messages to peers of said target, requesting that said target be woken up;
at least one of said peers programmed for listening for messages sent out by said Relays, detecting said request messages and sending a wake-up message to said target;
each of said Peers programmed for listening for duplicate traffic and suspending broadcast upon detection of said duplicate traffic.
42. The platform of claim 41, wherein each of said peers programmed for listening for duplicate traffic and suspending broadcast upon detection of said duplicate traffic are programmed for:
deciding which peer should take precedence over the remaining peers based on a unique computer ID and a collation order for determining precedence.
43. The platform of claim 28, wherein said first and second computational devices programmed for establishing communication with the other of said first and second computational devices via said discovered routing path are programmed for:
deploying at least one Fixlet message to at least one Client that instructs said at least one Client to trust an arbitrary piece of content to run, so that responsibility for knowing that the content is safe to run is delegated to a trusted piece of software on said at least one Client;
said Client identifying said arbitrary piece of content according to file size and hash;
said Client requesting a Relay to provide said identified piece of content by providing said file size and said hash; and
said Relay mirroring said requested piece of content back down through said hierarchy to said Client.
44. The platform of claim 43, further comprising a computational device programmed for merging said mirrored content with an Action instructing said Client to run whatever the content tells said Client to run.
45. The platform of claim 43, wherein said content comprises dynamic content that changes and is updated frequently so that it is not known at the time of policy creation.
46. The platform of claim 45, wherein said dynamic content comprises updates to anti-virus and spyware definitions.
47. The platform of claim 43, further comprising a computational device programmed for:
using variables to refer to said content in ActionScripts, wherein said Client is enabled to look up dynamic information indirectly and fill it into said variables.
48. The platform of claim 45, further comprising a computational device programmed for determining dependency resolution in order to install various pieces of software in an arbitrary collection of software, at least some items of which depend on other software being installed.
49. The platform of claim 45, further comprising a computational device programmed for providing data in the form of a set of packages to a process on a Client itself that is able to analyze the set of packages, wherein said process produces a list of URLs, hashes, and sizes that need to be downloaded for the particular machine in order for it to update to a new version of a package.
50. The platform of claim 49, wherein any request to download from a URL that is not explicitly authorized is checked against a white-list of URLs and must meet at least one of the criteria specified in said white-list.
51. In a platform providing one-to-one communication between networked computational devices, a method for at least one computational device to automatically discover at least one parent computational device comprising the steps of:
a Client determining if a Relay is in said Client's subnet by pinging Relays having a TTL (time-to-live) of 1 and, responsive to no detection of a Relay, incrementing the TTL value and pinging until at least one Relay is detected;
responsive to detection of a Relay, said Client attempting registration with said detected Relay;
responsive to successful registration with said detected Relay, said Client using said Relay as a parent device;
responsive to unsuccessful registration with said detected Relay, said Client continuing to increment TTL and pinging until a Relay is detected and registration is successful or until TTL is incremented to a predetermined value;
responsive to no Relay being detected, said Client attempting to register with a Failover Relay;
responsive to unsuccessful registration with said Failover Relay, said Client attempting to register with a Server; and
responsive to unsuccessful registration with said Server, said Client attempting detection of a Relay again after elapse of a predetermined MinRetry period.
52. A computer program product method for at least one computational device to automatically discover at least one parent computational device in a platform for providing one-to-one communication between networked computational devices, comprising a tangible computer-readable storage medium having embodied thereon computer-readable instructions for:
a Client determining if a Relay is in said Client's subnet by pinging Relays having a TTL (time-to-live) of 1 and, responsive to no detection of a Relay, incrementing the TTL value and pinging until at least one Relay is detected;
responsive to detection of a Relay, said Client attempting registration with said detected Relay;
responsive to successful registration with said detected Relay, said Client using said Relay as a parent device;
responsive to unsuccessful registration with said detected Relay, said Client continuing to increment TTL and pinging until a Relay is detected and registration is successful or until TTL is incremented to a predetermined value;
responsive to no Relay being detected, said Client attempting to register with a Failover Relay;
responsive to unsuccessful registration with said Failover Relay, said Client attempting to register with a Server; and
responsive to unsuccessful registration with said Server, said Client attempting detection of a Relay again after elapse of a predetermined MinRetry period.
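Claims 51 and 52 spell out one procedure: expand the ping TTL one hop at a time until a Relay answers and accepts the registration, then fall back to the Failover Relay, then to the Server, and finally back off for MinRetry before starting over. The Go program below is an added example for this page, not the patent's or any product's code; it implements that decision sequence with the ping and registration steps injected as functions so it can run against a constructed in-memory network. The MaxTTL of 4, the names "failover" and "server", the 5-minute MinRetry and the FakeNetwork model (a Relay answers the ping whose TTL equals its hop distance) are assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Probe sends a ping with the given TTL and reports the Relay that answered,
// if any. Register attempts registration with a parent candidate. Both are
// injected so the algorithm can be exercised without a network.
type Probe func(ttl int) (relay string, found bool)
type Register func(parent string) bool

// Discovery carries the knobs the claim names: the TTL ceiling, the Failover
// Relay, the Server of last resort and the MinRetry back-off.
type Discovery struct {
	MaxTTL   int
	Failover string
	Server   string
	MinRetry time.Duration
	Probe    Probe
	Register Register
}

// Outcome is the chosen parent, or an empty Parent plus a RetryAfter delay
// when every candidate refused the Client.
type Outcome struct {
	Parent     string
	TTLUsed    int // 0 unless a Relay was found by TTL expansion
	RetryAfter time.Duration
}

// FindParent walks the claim's steps in order: expanding-TTL pings, then the
// Failover Relay, then the Server, then a MinRetry back-off.
func (d Discovery) FindParent() Outcome {
	for ttl := 1; ttl <= d.MaxTTL; ttl++ {
		relay, found := d.Probe(ttl)
		if !found {
			continue // nothing answered within ttl hops: widen the search
		}
		if d.Register(relay) {
			return Outcome{Parent: relay, TTLUsed: ttl}
		}
		// detected but refused: keep widening until MaxTTL is reached
	}
	if d.Failover != "" && d.Register(d.Failover) {
		return Outcome{Parent: d.Failover}
	}
	if d.Server != "" && d.Register(d.Server) {
		return Outcome{Parent: d.Server}
	}
	return Outcome{RetryAfter: d.MinRetry}
}

// FakeNetwork is a constructed stand-in: Relays keyed by name with their hop
// distance from the Client, and a set of parents that accept new Clients.
type FakeNetwork struct {
	Hops    map[string]int
	Accepts map[string]bool
}

// Probe answers with the Relay exactly ttl hops away (lowest name wins ties);
// closer Relays already answered an earlier, smaller-TTL ping.
func (n FakeNetwork) Probe(ttl int) (string, bool) {
	best := ""
	for name, hops := range n.Hops {
		if hops == ttl && (best == "" || name < best) {
			best = name
		}
	}
	return best, best != ""
}

func (n FakeNetwork) Register(parent string) bool { return n.Accepts[parent] }

// NewDiscovery wires the fake network into a Discovery with example settings.
func NewDiscovery(n FakeNetwork) Discovery {
	return Discovery{MaxTTL: 4, Failover: "failover", Server: "server",
		MinRetry: 5 * time.Minute, Probe: n.Probe, Register: n.Register}
}

func main() {
	fn := FakeNetwork{Hops: map[string]int{"relay-1": 1, "relay-2": 2},
		Accepts: map[string]bool{"relay-2": true}}
	fmt.Printf("%+v\n", NewDiscovery(fn).FindParent())
}
```

Keeping the TTL loop separate from the fallback chain makes the claim's two failure modes visible: a Relay that is reachable but refuses registration only widens the search, whereas exhausting MaxTTL is what triggers the Failover Relay and Server attempts.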
53. In a platform providing one-to-one communication between networked computational devices, a method for credentialing a Client using a symmetric key pair in order to protect said Client and its parents from snooping attacks comprising the steps of:
a Server signing and sending content down said hierarchy to a predetermined Client;
a predetermined Client encrypting and sending content up said hierarchy to a Server;
a predetermined Client signing and sending content to a Server;
a Server encrypting and sending content down said hierarchy to said predetermined Client; and
a first predetermined Client and a second predetermined Client exchanging content that has been one or both of signed and encrypted.
54. A computer program product for credentialing a Client using a symmetric key pair in order to protect said Client and its parents from snooping attacks in a platform providing one-to-one communication between networked computational devices, comprising a tangible computer-readable storage medium having embodied thereon computer-readable instructions for:
a Server signing and sending content down said hierarchy to a predetermined Client;
a predetermined Client encrypting and sending content up said hierarchy to a Server;
a predetermined Client signing and sending content to a Server;
a Server encrypting and sending content down said hierarchy to said predetermined Client; and
a first predetermined Client and a second predetermined Client exchanging content that has been one or both of signed and encrypted.
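Claims 53 and 54 pair a signed channel (Server to Client, Client to Server) with an encrypted one so that Relays in the hierarchy can forward content without being able to alter or read it. The Go program below is an added example for this page, not code from the patent or any product it describes. It reads "symmetric key pair" literally as two shared secrets, one for signing with HMAC-SHA256 and one for encryption with AES-256-GCM; that split, and the nonce-prepended message layout, are choices of this example rather than anything the claims specify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// KeyPair holds one shared secret for signing and an independent one for
// encryption. Using separate keys for the two roles is this example's choice.
type KeyPair struct {
	SignKey    []byte
	EncryptKey []byte // 32 bytes selects AES-256
}

func NewKeyPair() (KeyPair, error) {
	kp := KeyPair{SignKey: make([]byte, 32), EncryptKey: make([]byte, 32)}
	if _, err := io.ReadFull(rand.Reader, kp.SignKey); err != nil {
		return kp, err
	}
	_, err := io.ReadFull(rand.Reader, kp.EncryptKey)
	return kp, err
}

// Sign appends a 32-byte HMAC tag so a Relay forwarding the content cannot
// alter it unnoticed; the content itself stays readable.
func (k KeyPair) Sign(content []byte) []byte {
	mac := hmac.New(sha256.New, k.SignKey)
	mac.Write(content)
	return append(append([]byte{}, content...), mac.Sum(nil)...)
}

// Verify strips the tag, checks it in constant time and returns the content.
func (k KeyPair) Verify(signed []byte) ([]byte, error) {
	if len(signed) < sha256.Size {
		return nil, errors.New("signed content too short")
	}
	cut := len(signed) - sha256.Size
	mac := hmac.New(sha256.New, k.SignKey)
	mac.Write(signed[:cut])
	if !hmac.Equal(signed[cut:], mac.Sum(nil)) {
		return nil, errors.New("signature mismatch")
	}
	return signed[:cut], nil
}

func (k KeyPair) gcm() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.EncryptKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates; the random nonce is prepended. Relays on
// the path see only ciphertext, which is the snooping protection the claim
// is after.
func (k KeyPair) Seal(content []byte) ([]byte, error) {
	aead, err := k.gcm()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, content, nil), nil
}

// Open reverses Seal; any modified byte makes GCM reject the message.
func (k KeyPair) Open(sealed []byte) ([]byte, error) {
	aead, err := k.gcm()
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed content too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Exchange runs both directions of the claim through an untrusted Relay:
// the Server signs a policy going down the hierarchy and the Client encrypts
// a report going up. It returns what each receiving side recovered.
func Exchange(kp KeyPair, policy, report []byte) (gotPolicy, gotReport []byte, err error) {
	if gotPolicy, err = kp.Verify(kp.Sign(policy)); err != nil {
		return
	}
	sealed, err := kp.Seal(report)
	if err != nil {
		return
	}
	gotReport, err = kp.Open(sealed)
	return
}
```

Signing without encryption is what lets intermediate Relays cache and mirror downstream policy content for many Clients, while encryption of upstream reports keeps per-machine data away from those same Relays; a deployment would still need a way to provision the two secrets to each Client, which the claims leave open.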
55. In a platform providing one-to-one communication between networked computational devices, a method for either of first and second computational devices establishing communication with the other via a discovered routing path comprising the steps of:
deploying at least one Fixlet message to at least one Client that instructs said at least one Client to trust an arbitrary piece of content to run, so that responsibility for knowing that the content is safe to run is delegated to a trusted piece of software on said at least one Client;
said Client identifying said arbitrary piece of content according to file size and hash;
said Client requesting a Relay to provide said identified piece of content by providing said file size and said hash; and
said Relay mirroring said requested piece of content back down through said hierarchy to said Client.
56. A computer program product for first and second computational devices establishing communication with each other via a discovered routing path in a platform providing one-to-one communication between networked computational devices, comprising a tangible computer-readable storage medium having embodied thereon computer-readable instructions for:
deploying at least one Fixlet message to at least one Client that instructs said at least one Client to trust an arbitrary piece of content to run, so that responsibility for knowing that the content is safe to run is delegated to a trusted piece of software on said at least one Client;
said Client identifying said arbitrary piece of content according to file size and hash;
said Client requesting a Relay to provide said identified piece of content by providing said file size and said hash; and
said Relay mirroring said requested piece of content back down through said hierarchy to said Client.
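Claims 43 through 50, repeated as method and program-product claims 55 and 56, describe content that a Fixlet names only by file size and hash, which a Relay mirrors down the hierarchy and the Client verifies before treating it as safe to run, plus the claim-50 rule that any download URL not explicitly authorized must match a white-list entry. The Go program below is an added example for this page, not code from the patent or any product it describes; it shows the verification the Client performs and a white-list check. SHA-256 as the hash, the Relay's in-memory store, the "scheme://host/path-prefix" form of white-list entries and the sample URLs are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ContentRef is how a Fixlet names a payload without carrying it: size and
// hash. The Client trusts a blob only if both match; the Relay that served
// it is not trusted. SHA-256 is this example's choice, not the page's.
type ContentRef struct {
	Size   int
	SHA256 string
}

// RefFor computes the reference the Fixlet author would publish for a blob.
func RefFor(blob []byte) ContentRef {
	sum := sha256.Sum256(blob)
	return ContentRef{Size: len(blob), SHA256: hex.EncodeToString(sum[:])}
}

// Relay mirrors blobs keyed by their reference, as a hierarchy of Relays would.
type Relay struct{ store map[ContentRef][]byte }

func NewRelay() *Relay                                 { return &Relay{store: map[ContentRef][]byte{}} }
func (r *Relay) Mirror(blob []byte)                    { r.store[RefFor(blob)] = blob }
func (r *Relay) Serve(ref ContentRef) ([]byte, bool)   { b, ok := r.store[ref]; return b, ok }

// Replace overwrites what the Relay serves for a reference; the test uses it
// to model a mirror that hands back the wrong bytes.
func (r *Relay) Replace(ref ContentRef, blob []byte) { r.store[ref] = blob }

// Fetch asks the Relay for the referenced content and re-checks size and
// hash on the Client before reporting it safe to run. A Relay (or anything
// between) that substitutes a different blob cannot pass this check.
func Fetch(relay *Relay, ref ContentRef) ([]byte, error) {
	blob, ok := relay.Serve(ref)
	if !ok {
		return nil, errors.New("relay has no content for that reference")
	}
	if len(blob) != ref.Size {
		return nil, fmt.Errorf("size mismatch: want %d, got %d", ref.Size, len(blob))
	}
	if RefFor(blob).SHA256 != ref.SHA256 {
		return nil, errors.New("hash mismatch: content is not the one the Fixlet named")
	}
	return blob, nil
}

// URLAllowed implements the claim-50 rule: a URL the Action explicitly
// authorizes passes; any other must match at least one white-list entry on
// scheme, host and path prefix. Comparing parsed components rather than the
// raw string is what keeps tricks such as a userinfo "@" in the host from
// matching a trusted prefix.
func URLAllowed(raw string, explicit map[string]bool, whitelist []string) bool {
	if explicit[raw] {
		return true
	}
	u, err := url.Parse(raw)
	if err != nil || u.Host == "" {
		return false
	}
	for _, w := range whitelist {
		wu, err := url.Parse(w)
		if err != nil {
			continue
		}
		if u.Scheme == wu.Scheme && strings.EqualFold(u.Host, wu.Host) && strings.HasPrefix(u.Path, wu.Path) {
			return true
		}
	}
	return false
}

func main() {
	relay := NewRelay()
	blob := []byte("constructed definition file v42") // constructed payload
	relay.Mirror(blob)
	got, err := Fetch(relay, RefFor(blob))
	wl := []string{"https://updates.example.com/defs/"}
	fmt.Println(len(got), err, URLAllowed("https://updates.example.com/defs/x", nil, wl))
}
```

The point of checking size before hash is cheap early rejection; the point of checking the hash at all is that the Fixlet, not the Relay, is the trust anchor, which is what lets the claim delegate "is this safe to run" to the Client-side software.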
US12/881,995 2009-09-14 2010-09-14 Platform for policy-driven communication and management infrastructure Abandoned US20110066841A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/881,995 US20110066841A1 (en) 2009-09-14 2010-09-14 Platform for policy-driven communication and management infrastructure

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US24227809P 2009-09-14 2009-09-14
US12/881,995 US20110066841A1 (en) 2009-09-14 2010-09-14 Platform for policy-driven communication and management infrastructure

Publications (1)

Publication Number Publication Date
US20110066841A1 true US20110066841A1 (en) 2011-03-17

Family

ID=43731574

Family Applications (3)

Application Number Title Priority Date Filing Date
US12/878,881 Active 2032-12-21 US8966110B2 (en) 2009-09-14 2010-09-09 Dynamic bandwidth throttling
US12/882,023 Expired - Fee Related US9294377B2 (en) 2004-03-19 2010-09-14 Content-based user interface, apparatus and method
US12/881,995 Abandoned US20110066841A1 (en) 2009-09-14 2010-09-14 Platform for policy-driven communication and management infrastructure

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US12/878,881 Active 2032-12-21 US8966110B2 (en) 2009-09-14 2010-09-09 Dynamic bandwidth throttling
US12/882,023 Expired - Fee Related US9294377B2 (en) 2004-03-19 2010-09-14 Content-based user interface, apparatus and method

Country Status (1)

Country Link
US (3) US8966110B2 (en)

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100332640A1 (en) * 2007-03-07 2010-12-30 Dennis Sidney Goodrow Method and apparatus for unified view
US20110066752A1 (en) * 2009-09-14 2011-03-17 Lisa Ellen Lippincott Dynamic bandwidth throttling
US20120239757A1 (en) * 2011-03-17 2012-09-20 Microsoft Corporation Messaging for notification-based clients
US20130130615A1 (en) * 2009-11-17 2013-05-23 Thales Method and system for distributing content with guarantees of delivery timescales in hybrid radio networks
US8495157B2 (en) 2007-03-07 2013-07-23 International Business Machines Corporation Method and apparatus for distributed policy-based management and computed relevance messaging with remote attributes
US8756696B1 (en) * 2010-10-30 2014-06-17 Sra International, Inc. System and method for providing a virtualized secure data containment service with a networked environment
CN103975568A (en) * 2011-12-06 2014-08-06 李青锺 Security management system having multiple relay servers, and security management method
US20140310618A1 (en) * 2012-06-29 2014-10-16 Ramanujam Kaniyar Venkatesh Flash redirection with caching
US20140366120A1 (en) * 2013-06-06 2014-12-11 Apple Inc. Systems and Methods for Application-Specific Access to Virtual Private Networks
US9015531B2 (en) 2011-12-14 2015-04-21 International Business Machines Corporation Preventing distribution of a failure
US9152602B2 (en) 2007-03-07 2015-10-06 International Business Machines Corporation Mechanisms for evaluating relevance of information to a managed device and performing management operations using a pseudo-agent
US20150286648A1 (en) * 2014-04-07 2015-10-08 Konan Technology Inc. User terminal for searching multi data and searching method thereof
US9256644B1 (en) * 2013-03-15 2016-02-09 Ca, Inc. System for identifying and investigating shared and derived content
US20160134463A1 (en) * 2014-11-12 2016-05-12 International Business Machines Corporation Management of a Computing System with Dynamic Change of Roles
US20160156590A1 (en) * 2014-11-28 2016-06-02 Qip Solutions Limited Method and system for configuring and securing a device or apparatus, a device or apparatus, and a computer program product
US9626450B2 (en) 2012-06-29 2017-04-18 Dell Products L.P. Flash redirection with browser calls caching
US9665445B1 (en) * 2014-12-23 2017-05-30 EMC IP Holding Company LLC Virtual proxy based backup
US9667708B1 (en) 2015-12-30 2017-05-30 International Business Machines Corporation Boost orchestrator for client-server architectures
US20170237768A1 (en) * 2016-02-15 2017-08-17 Verizon Digital Media Services Inc. Origin Controlled Attack Protections in a Distributed Platform
US20180013738A1 (en) * 2016-07-07 2018-01-11 Samsung Sds Co., Ltd. Method for authenticating client system, client device, and authentication server
US20180046653A1 (en) * 2016-08-11 2018-02-15 Beijing Xiaomi Mobile Software Co., Ltd. Data clearing method, apparatus and storage medium
CN108322325A (en) * 2017-06-27 2018-07-24 新华三云计算技术有限公司 A kind of virtual machine management method and device
US20180309745A1 (en) * 2009-12-18 2018-10-25 Google Llc Method, device, and system of accessing online accounts
US10200325B2 (en) * 2010-04-30 2019-02-05 Shazzle Llc System and method of delivering confidential electronic files
US10365781B2 (en) 2012-06-29 2019-07-30 Dell Products L.P. Flash redirection proxy plugin to support functionality of a flash player at a client
US10599662B2 (en) 2015-06-26 2020-03-24 Mcafee, Llc Query engine for remote endpoint information retrieval
US10721267B1 (en) * 2014-07-18 2020-07-21 NortonLifeLock Inc. Systems and methods for detecting system attacks
CN113360324A (en) * 2021-08-10 2021-09-07 北京华科海讯科技有限公司 Data backup device based on distributed file data
US11227221B2 (en) * 2018-12-27 2022-01-18 Shenzhen Intellifusion Technologies Co., Ltd. Framework management method and apparatus

Families Citing this family (123)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8326814B2 (en) 2007-12-05 2012-12-04 Box, Inc. Web-based file management system and service
US8504555B2 (en) * 2008-06-25 2013-08-06 Microsoft Corporation Search techniques for rich internet applications
JP5352852B2 (en) * 2010-03-19 2013-11-27 株式会社日立製作所 Mobile communication system and communication method
US9258231B2 (en) * 2010-09-08 2016-02-09 International Business Machines Corporation Bandwidth allocation management
WO2012099617A1 (en) 2011-01-20 2012-07-26 Box.Net, Inc. Real time notification of activities that occur in a web-based collaboration environment
DE102011100793A1 (en) * 2011-05-06 2012-11-08 Vodafone Holding Gmbh Determining the transmission power in data networks
US9015601B2 (en) 2011-06-21 2015-04-21 Box, Inc. Batch uploading of content to a web-based collaboration environment
US9063912B2 (en) 2011-06-22 2015-06-23 Box, Inc. Multimedia content preview rendering in a cloud content management system
EP2729877A4 (en) 2011-07-08 2015-06-17 Box Inc Desktop application for access and interaction with workspaces in a cloud-based content management system and synchronization mechanisms thereof
US9978040B2 (en) 2011-07-08 2018-05-22 Box, Inc. Collaboration sessions in a workspace on a cloud-based content management system
US8819303B2 (en) 2011-07-25 2014-08-26 General Instrument Corporation Deferred transfer of content to optimize bandwidth usage
US8812661B2 (en) * 2011-08-16 2014-08-19 Facebook, Inc. Server-initiated bandwidth conservation policies
US9197718B2 (en) * 2011-09-23 2015-11-24 Box, Inc. Central management and control of user-contributed content in a web-based collaboration environment and management console thereof
US10739932B2 (en) * 2011-10-11 2020-08-11 Semi-Linear, Inc. Systems and methods for interactive mobile electronic content creation and publication
US8515902B2 (en) 2011-10-14 2013-08-20 Box, Inc. Automatic and semi-automatic tagging features of work items in a shared workspace for metadata tracking in a cloud-based content management system with selective or optional user contribution
US9098474B2 (en) 2011-10-26 2015-08-04 Box, Inc. Preview pre-generation based on heuristics and algorithmic prediction/assessment of predicted user behavior for enhancement of user experience
US11210610B2 (en) 2011-10-26 2021-12-28 Box, Inc. Enhanced multimedia content preview rendering in a cloud content management system
US8990307B2 (en) 2011-11-16 2015-03-24 Box, Inc. Resource effective incremental updating of a remote client with events which occurred via a cloud-enabled platform
GB2500152A (en) 2011-11-29 2013-09-11 Box Inc Mobile platform file and folder selection functionalities for offline access and synchronization
US10015083B2 (en) 2011-12-22 2018-07-03 Amazon Technologies, Inc. Interfaces to manage inter-region connectivity for direct network peerings
US8495199B2 (en) 2011-12-22 2013-07-23 Amazon Technologies, Inc. Interfaces to manage service marketplaces accessible via direct network peerings
US9106469B1 (en) 2011-11-29 2015-08-11 Amazon Technologies, Inc. Interfaces to manage last-mile connectivity for direct network peerings
US8724642B2 (en) 2011-11-29 2014-05-13 Amazon Technologies, Inc. Interfaces to manage direct network peerings
US9692732B2 (en) 2011-11-29 2017-06-27 Amazon Technologies, Inc. Network connection automation
US9141947B1 (en) 2011-12-19 2015-09-22 Amazon Technologies, Inc. Differential bandwidth metering for networks with direct peerings
US8959203B1 (en) 2011-12-19 2015-02-17 Amazon Technologies, Inc. Dynamic bandwidth management using routing signals in networks with direct peerings
US9019123B2 (en) 2011-12-22 2015-04-28 Box, Inc. Health check services for web-based collaboration environments
US9904435B2 (en) 2012-01-06 2018-02-27 Box, Inc. System and method for actionable event generation for task delegation and management via a discussion forum in a web-based collaboration environment
EP2801040B1 (en) * 2012-01-08 2018-04-11 Teknision Inc. Method and system for dynamically assignable user interface
US11232481B2 (en) 2012-01-30 2022-01-25 Box, Inc. Extended applications of multimedia content previews in the cloud-based content management system
US20130219156A1 (en) * 2012-02-22 2013-08-22 Sungard Availability Services Lp Compliance aware change control
US9965745B2 (en) 2012-02-24 2018-05-08 Box, Inc. System and method for promoting enterprise adoption of a web-based collaboration environment
US9195636B2 (en) 2012-03-07 2015-11-24 Box, Inc. Universal file type preview for mobile devices
US9054919B2 (en) 2012-04-05 2015-06-09 Box, Inc. Device pinning capability for enterprise cloud service and storage accounts
US9575981B2 (en) 2012-04-11 2017-02-21 Box, Inc. Cloud service enabled to handle a set of files depicted to a user as a single file in a native operating system
US9027125B2 (en) * 2012-05-01 2015-05-05 Taasera, Inc. Systems and methods for network flow remediation based on risk correlation
US9413587B2 (en) 2012-05-02 2016-08-09 Box, Inc. System and method for a third-party application to access content within a cloud-based platform
US9691051B2 (en) 2012-05-21 2017-06-27 Box, Inc. Security enhancement through application access control
US8914900B2 (en) 2012-05-23 2014-12-16 Box, Inc. Methods, architectures and security mechanisms for a third-party application to access content in a cloud-based platform
US9027108B2 (en) 2012-05-23 2015-05-05 Box, Inc. Systems and methods for secure file portability between mobile applications on a mobile device
US9015073B2 (en) * 2012-06-06 2015-04-21 Addepar, Inc. Controlled creation of reports from table views
US9021099B2 (en) 2012-07-03 2015-04-28 Box, Inc. Load balancing secure FTP connections among multiple FTP servers
GB2505072A (en) 2012-07-06 2014-02-19 Box Inc Identifying users and collaborators as search results in a cloud-based system
US9712510B2 (en) 2012-07-06 2017-07-18 Box, Inc. Systems and methods for securely submitting comments among users via external messaging applications in a cloud-based platform
US9792320B2 (en) 2012-07-06 2017-10-17 Box, Inc. System and method for performing shard migration to support functions of a cloud-based service
US9237170B2 (en) 2012-07-19 2016-01-12 Box, Inc. Data loss prevention (DLP) methods and architectures by a cloud service
US9451393B1 (en) 2012-07-23 2016-09-20 Amazon Technologies, Inc. Automated multi-party cloud connectivity provisioning
US9794256B2 (en) 2012-07-30 2017-10-17 Box, Inc. System and method for advanced control tools for administrators in a cloud-based service
US8868574B2 (en) 2012-07-30 2014-10-21 Box, Inc. System and method for advanced search and filtering mechanisms for enterprise administrators in a cloud-based environment
US8745267B2 (en) 2012-08-19 2014-06-03 Box, Inc. Enhancement of upload and/or download performance based on client and/or server feedback information
US9369520B2 (en) 2012-08-19 2016-06-14 Box, Inc. Enhancement of upload and/or download performance based on client and/or server feedback information
US9558202B2 (en) 2012-08-27 2017-01-31 Box, Inc. Server side techniques for reducing database workload in implementing selective subfolder synchronization in a cloud-based environment
US9135462B2 (en) 2012-08-29 2015-09-15 Box, Inc. Upload and download streaming encryption to/from a cloud-based platform
US9311071B2 (en) 2012-09-06 2016-04-12 Box, Inc. Force upgrade of a mobile application via a server side configuration file
US9195519B2 (en) 2012-09-06 2015-11-24 Box, Inc. Disabling the self-referential appearance of a mobile application in an intent via a background registration
US9117087B2 (en) 2012-09-06 2015-08-25 Box, Inc. System and method for creating a secure channel for inter-application communication based on intents
JP2015531503A (en) * 2012-09-10 2015-11-02 テクニジョン インコーポレイテッド Method and system for transferable customized contextual user interface
US9292833B2 (en) 2012-09-14 2016-03-22 Box, Inc. Batching notifications of activities that occur in a web-based collaboration environment
US10200256B2 (en) 2012-09-17 2019-02-05 Box, Inc. System and method of a manipulative handle in an interactive mobile user interface
US9553758B2 (en) 2012-09-18 2017-01-24 Box, Inc. Sandboxing individual applications to specific user folders in a cloud-based service
US10915492B2 (en) 2012-09-19 2021-02-09 Box, Inc. Cloud-based platform enabled with media content indexed for text-based searches and/or metadata extraction
US9959420B2 (en) 2012-10-02 2018-05-01 Box, Inc. System and method for enhanced security and management mechanisms for enterprise administrators in a cloud-based environment
US9705967B2 (en) 2012-10-04 2017-07-11 Box, Inc. Corporate user discovery and identification of recommended collaborators in a cloud platform
US9495364B2 (en) 2012-10-04 2016-11-15 Box, Inc. Enhanced quick search features, low-barrier commenting/interactive features in a collaboration platform
US9665349B2 (en) 2012-10-05 2017-05-30 Box, Inc. System and method for generating embeddable widgets which enable access to a cloud-based collaboration platform
US9756022B2 (en) 2014-08-29 2017-09-05 Box, Inc. Enhanced remote key management for an enterprise in a cloud-based environment
US9628268B2 (en) 2012-10-17 2017-04-18 Box, Inc. Remote key management in a cloud-based environment
US8819587B1 (en) * 2012-10-30 2014-08-26 Google Inc. Methods of managing items in a shared workspace
US9600351B2 (en) 2012-12-14 2017-03-21 Microsoft Technology Licensing, Llc Inversion-of-control component service models for virtual environments
US10235383B2 (en) 2012-12-19 2019-03-19 Box, Inc. Method and apparatus for synchronization of items with read-only permissions in a cloud-based environment
US9396245B2 (en) 2013-01-02 2016-07-19 Box, Inc. Race condition handling in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
US9953036B2 (en) 2013-01-09 2018-04-24 Box, Inc. File system monitoring in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
EP2755151A3 (en) 2013-01-11 2014-09-24 Box, Inc. Functionalities, features and user interface of a synchronization client to a cloud-based environment
CN112130874A (en) * 2013-01-11 2020-12-25 辛纳科尔股份有限公司 Method and system for background control panel configuration selection
EP2757491A1 (en) 2013-01-17 2014-07-23 Box, Inc. Conflict resolution, retry condition management, and handling of problem files for the synchronization client to a cloud-based platform
US10599850B1 (en) 2013-03-15 2020-03-24 Tripwire, Inc. Distributed security agent technology
US10725968B2 (en) 2013-05-10 2020-07-28 Box, Inc. Top down delete or unsynchronization on delete of and depiction of item synchronization with a synchronization client to a cloud-based platform
US10846074B2 (en) 2013-05-10 2020-11-24 Box, Inc. Identification and handling of items to be ignored for synchronization with a cloud-based platform by a synchronization client
EP2808833A1 (en) * 2013-05-30 2014-12-03 Siemens Aktiengesellschaft A method for restricting specific users from accessing predetermined portions of MES screens depending on the state of the web screen page
US9749039B1 (en) 2013-06-10 2017-08-29 Amazon Technologies, Inc. Portable connection diagnostic device
GB2515192B (en) 2013-06-13 2016-12-14 Box Inc Systems and methods for synchronization event building and/or collapsing by a synchronization component of a cloud-based platform
US9805050B2 (en) 2013-06-21 2017-10-31 Box, Inc. Maintaining and updating file system shadows on a local device by a synchronization client of a cloud-based platform
US10229134B2 (en) 2013-06-25 2019-03-12 Box, Inc. Systems and methods for managing upgrades, migration of user data and improving performance of a cloud-based platform
US10110656B2 (en) 2013-06-25 2018-10-23 Box, Inc. Systems and methods for providing shell communication in a cloud-based platform
US9535924B2 (en) 2013-07-30 2017-01-03 Box, Inc. Scalability improvement in a system which incrementally updates clients with events that occurred in a cloud-based collaboration platform
US9535909B2 (en) 2013-09-13 2017-01-03 Box, Inc. Configurable event-based automation architecture for cloud-based collaboration platforms
US8892679B1 (en) 2013-09-13 2014-11-18 Box, Inc. Mobile device, methods and user interfaces thereof in a mobile device platform featuring multifunctional access and engagement in a collaborative environment provided by a cloud-based platform
GB2518298A (en) 2013-09-13 2015-03-18 Box Inc High-availability architecture for a cloud-based concurrent-access collaboration platform
US9704137B2 (en) 2013-09-13 2017-07-11 Box, Inc. Simultaneous editing/accessing of content by collaborator invitation through a web-based or mobile application to a cloud-based collaboration platform
US9213684B2 (en) 2013-09-13 2015-12-15 Box, Inc. System and method for rendering document in web browser or mobile device regardless of third-party plug-in software
US10158660B1 (en) 2013-10-17 2018-12-18 Tripwire, Inc. Dynamic vulnerability correlation
US10866931B2 (en) 2013-10-22 2020-12-15 Box, Inc. Desktop application for accessing a cloud collaboration platform
US9781046B1 (en) 2013-11-19 2017-10-03 Tripwire, Inc. Bandwidth throttling in vulnerability scanning applications
US20150212700A1 (en) * 2014-01-28 2015-07-30 Microsoft Technology Licensing, Llc Dashboard with panoramic display of ordered content
US9471947B2 (en) * 2014-02-07 2016-10-18 Resource International Inc. Data collection system and method
US10217145B1 (en) 2014-02-18 2019-02-26 Amazon Technologies, Inc. Partitioned private interconnects to provider networks
US10789300B2 (en) 2014-04-28 2020-09-29 Red Hat, Inc. Method and system for providing security in a data federation system
US10530854B2 (en) 2014-05-30 2020-01-07 Box, Inc. Synchronization of permissioned content in cloud-based environments
US9696920B2 (en) 2014-06-02 2017-07-04 Micron Technology, Inc. Systems and methods for improving efficiencies of a memory system
US10313257B1 (en) 2014-06-12 2019-06-04 Tripwire, Inc. Agent message delivery fairness
US9634951B1 (en) 2014-06-12 2017-04-25 Tripwire, Inc. Autonomous agent messaging
US9602514B2 (en) 2014-06-16 2017-03-21 Box, Inc. Enterprise mobility management and verification of a managed application by a content provider
US9886565B2 (en) * 2014-06-20 2018-02-06 Microsoft Technology Licensing, Llc User-specific visualization of display elements
US10038731B2 (en) 2014-08-29 2018-07-31 Box, Inc. Managing flow-based interactions with cloud-based shared content
US10574442B2 (en) 2014-08-29 2020-02-25 Box, Inc. Enhanced remote key management for an enterprise in a cloud-based environment
US9894119B2 (en) 2014-08-29 2018-02-13 Box, Inc. Configurable metadata-based automation and content classification architecture for cloud-based collaboration platforms
US9424333B1 (en) 2014-09-05 2016-08-23 Addepar, Inc. Systems and user interfaces for dynamic and interactive report generation and editing based on automatic traversal of complex data structures
US10432497B2 (en) * 2014-09-19 2019-10-01 Splunk Inc. Injecting custom classes in application code to facilitate network traffic monitoring
US9244899B1 (en) 2014-10-03 2016-01-26 Addepar, Inc. Systems and user interfaces for dynamic and interactive table generation and editing based on automatic traversal of complex data structures including time varying attributes
US10630553B2 (en) 2015-08-18 2020-04-21 Walmart Apollo, Llc Bandwidth throttling
CA3001335A1 (en) 2015-10-16 2017-04-20 Shuvro CHAKROBARTTY Sensor data analytics and alarm management
US10732810B1 (en) 2015-11-06 2020-08-04 Addepar, Inc. Systems and user interfaces for dynamic and interactive table generation and editing based on automatic traversal of complex data structures including summary data such as time series data
CA2954037A1 (en) 2016-01-21 2017-07-21 Wal-Mart Stores, Inc. Codeless information service for abstract retrieval of disparate data
MX2018013369A (en) 2016-05-05 2019-03-28 Walmart Apollo Llc Engine-agnostic event monitoring and predicting systems and methods.
US10623330B2 (en) * 2016-09-23 2020-04-14 Google Llc Distributed bandwidth allocation and throttling
US10719611B2 (en) 2017-09-27 2020-07-21 Servicenow, Inc. Static security scanner for applications in a remote network management platform
US10834003B2 (en) * 2018-01-17 2020-11-10 Druva Inc. Systems and methods for adaptive bandwidth throttling
US11218297B1 (en) 2018-06-06 2022-01-04 Tripwire, Inc. Onboarding access to remote security control tools
US10666565B2 (en) * 2018-06-08 2020-05-26 Citrix Systems, Inc. Method to measure relative QOS gains and to reduce the variance in QOS for similar connections for during bandwidth contention
CN108845806B (en) * 2018-07-03 2022-03-11 百度在线网络技术(北京)有限公司 Applet distributing method, device, server and storage medium
US11861015B1 (en) 2020-03-20 2024-01-02 Tripwire, Inc. Risk scoring system for vulnerability mitigation
US20220083399A1 (en) * 2020-09-11 2022-03-17 Dell Products L.P. Systems and methods for adaptive wireless forward and back channel synchronization between information handling systems
CN113992548B (en) * 2021-10-27 2023-08-08 北京达佳互联信息技术有限公司 Bandwidth speed measuring method and device

Citations (93)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5010571A (en) * 1986-09-10 1991-04-23 Titan Linkabit Corporation Metering retrieval of encrypted data stored in customer data retrieval terminal
US5586304A (en) * 1994-09-08 1996-12-17 Compaq Computer Corporation Automatic computer upgrading
US5649099A (en) * 1993-06-04 1997-07-15 Xerox Corporation Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor comprising server security
US5732137A (en) * 1994-06-03 1998-03-24 Sun Microsystems, Inc. Method and apparatus for secure remote authentication in a public network
US5751967A (en) * 1994-07-25 1998-05-12 Bay Networks Group, Inc. Method and apparatus for automatically configuring a network device to support a virtual network
US5958050A (en) * 1996-09-24 1999-09-28 Electric Communities Trusted delegation system
US6123737A (en) * 1997-05-21 2000-09-26 Symantec Corporation Push deployment of software packages using notification transports
US6128738A (en) * 1998-04-22 2000-10-03 International Business Machines Corporation Certificate based security in SNA data flows
US6151643A (en) * 1996-06-07 2000-11-21 Networks Associates, Inc. Automatic updating of diverse software products on multiple client computer systems by downloading scanning application to client computer and generating software list on client computer
US6161218A (en) * 1996-01-16 2000-12-12 Sun Microsystems Inc. Software patch architecture
US6192404B1 (en) * 1998-05-14 2001-02-20 Sun Microsystems, Inc. Determination of distance between nodes in a computer network
US6233612B1 (en) * 1998-08-31 2001-05-15 International Business Machines Corporation Dynamic network protocol management information base options
US6233449B1 (en) * 1998-08-24 2001-05-15 Telefonaktiebolaget L M Ericsson (Publ) Operation and maintenance control point and method of managing a self-engineering telecommunications network
US6237144B1 (en) * 1998-09-21 2001-05-22 Microsoft Corporation Use of relational databases for software installation
US6240451B1 (en) * 1995-05-25 2001-05-29 Punch Networks Corporation Method and apparatus for automatically disseminating information over a network
US6240390B1 (en) * 1998-05-18 2001-05-29 Winbond Electronics Corp. Multi-tasking speech synthesizer
US6240394B1 (en) * 1996-12-12 2001-05-29 Catalina Marketing International, Inc. Method and apparatus for automatically generating advisory information for pharmacy patients
US6256668B1 (en) * 1996-04-18 2001-07-03 Microsoft Corporation Method for identifying and obtaining computer software from a network computer using a tag
US6256664B1 (en) * 1998-09-01 2001-07-03 Bigfix, Inc. Method and apparatus for computed relevance messaging
US6263362B1 (en) * 1998-09-01 2001-07-17 Bigfix, Inc. Inspector for computed relevance messaging
US6289510B1 (en) * 1998-03-12 2001-09-11 Fujitsu Limited Online program-updating system and computer-readable recording medium storing a program-updating program
US6289394B1 (en) * 1994-03-04 2001-09-11 Mitsubishi Denki Kabushiki Kaisha Agent management system capable of readily monitoring and controlling agent
US20010032091A1 (en) * 1999-12-16 2001-10-18 Schultz Michael A. Method and apparatus for providing intranet/web based programs
US6321258B1 (en) * 1997-12-11 2001-11-20 Hewlett-Packard Company Administration of networked peripherals using particular file system
US6324693B1 (en) * 1997-03-12 2001-11-27 Siebel Systems, Inc. Method of synchronizing independently distributed software and database schema
US6324691B1 (en) * 1998-11-12 2001-11-27 Hewlett-Packard Company Manufacture of software distribution media packages from components resident on a remote server source
US6327617B1 (en) * 1995-11-27 2001-12-04 Microsoft Corporation Method and system for identifying and obtaining computer software from a remote computer
US6330715B1 (en) * 1998-05-19 2001-12-11 Nortel Networks Limited Method and apparatus for managing software in a network system
US6345386B1 (en) * 1998-09-21 2002-02-05 Microsoft Corporation Method and system for advertising applications
US6347396B1 (en) * 1998-03-12 2002-02-12 Telefonaktiebolaget Lm Ericsson (Publ) Disturbance free update of data
US6347398B1 (en) * 1996-12-12 2002-02-12 Microsoft Corporation Automatic software downloading from a computer network
US6351536B1 (en) * 1997-10-01 2002-02-26 Minoru Sasaki Encryption network system and method
US6353902B1 (en) * 1999-06-08 2002-03-05 Nortel Networks Limited Network fault prediction and proactive maintenance system
US6353928B1 (en) * 1999-01-04 2002-03-05 Microsoft Corporation First run installer
US6353926B1 (en) * 1998-07-15 2002-03-05 Microsoft Corporation Software update notification
US6360366B1 (en) * 1996-09-05 2002-03-19 Managesoft Corporation Systems and methods for automatic application version upgrading and maintenance
US6363524B1 (en) * 1999-09-10 2002-03-26 Hewlett-Packard Company System and method for assessing the need for installing software patches in a computer system
US6378128B1 (en) * 1998-10-08 2002-04-23 Microsoft Corporation System and method for dynamically modifying an install-set
US6381742B2 (en) * 1998-06-19 2002-04-30 Microsoft Corporation Software package management
US6389589B1 (en) * 1998-09-21 2002-05-14 Microsoft Corporation Class store schema
US6398464B1 (en) * 1999-12-27 2002-06-04 Kabushiki Kaisha Watanabe Shoko Air stream transfer apparatus
US6405250B1 (en) * 1999-01-25 2002-06-11 Lucent Technologies Inc. Network management system based on passive monitoring and proactive management for formulation behavior state transition models
US6407988B1 (en) * 1998-10-06 2002-06-18 At&T Corp. Mobility support services using mobility aware access networks
US6418554B1 (en) * 1998-09-21 2002-07-09 Microsoft Corporation Software implementation installer mechanism
US6418478B1 (en) * 1997-10-30 2002-07-09 Commvault Systems, Inc. Pipelined high speed data transfer mechanism
US20020112200A1 (en) * 2001-02-12 2002-08-15 Hines George W. Automated analysis of kernel and user core files including searching, ranking, and recommending patch files
US6449642B2 (en) * 1998-09-15 2002-09-10 Microsoft Corporation Method and system for integrating a client computer into a computer network
US20020152384A1 (en) * 2001-04-12 2002-10-17 Microsoft Corporation Methods and systems for unilateral authentication of messages
US6516316B1 (en) * 1998-02-17 2003-02-04 Openwave Systems Inc. Centralized certificate management system for two-way interactive communication devices in data networks
US20030033394A1 (en) * 2001-03-21 2003-02-13 Stine John A. Access and routing protocol for ad hoc network using synchronous collision resolution and node state dissemination
US6526507B1 (en) * 1999-02-18 2003-02-25 International Business Machines Corporation Data processing system and method for waking a client only in response to receipt of an authenticated Wake-on-LAN packet
US20030041167A1 (en) * 2001-08-15 2003-02-27 International Business Machines Corporation Method and system for managing secure geographic boundary resources within a network management framework
US6535977B1 (en) * 1999-09-30 2003-03-18 Microsoft Corporation Replacing a unique identifier in a cloned computer system using program module that runs only once during the next boot sequence
US20030074321A1 (en) * 2001-10-15 2003-04-17 Vidius Inc. Method and system for distribution of digital media and conduction of electronic commerce in an un-trusted environment
US20030187868A1 (en) * 2002-03-29 2003-10-02 Fujitsu Limited Data acquisition system
US20030233645A1 (en) * 2002-06-12 2003-12-18 Microsoft Corporation Application imaging infrastructure
US20030233646A1 (en) * 2002-06-12 2003-12-18 Microsoft Corporation Image based installation
US6745224B1 (en) * 1996-12-06 2004-06-01 Microsoft Corporation Object framework and services for periodically recurring operations
US20040174904A1 (en) * 2003-03-04 2004-09-09 Samsung Electronics Co., Ltd. Method of allocating IP address and detecting duplication of IP address in an ad-hoc network environment
US20040187105A1 (en) * 2003-01-06 2004-09-23 Brother Kogyo Kabushiki Kaisha Driver software installing system
US20040213211A1 (en) * 2003-04-23 2004-10-28 Marconi Communications, Inc. Method and apparatus for determining shared broadcast domains of network switches, ports and interfaces
US20040230644A1 (en) * 2001-11-22 2004-11-18 Tatsuo Aratake E-mail transfer server apparatus and e-mail transfer system
US20040246975A1 (en) * 2003-06-06 2004-12-09 Meshnetworks, Inc. System and method to improve the overall performance of a wireless communication network
US20040260949A1 (en) * 2003-06-20 2004-12-23 Aoki Norihiro Edwin Chaining of services
US20050005026A1 (en) * 2003-07-03 2005-01-06 International Business Machines Corporation Method and apparatus for managing a remote data processing system
US20050002408A1 (en) * 2003-06-20 2005-01-06 Lg Electronics Inc. Home appliance network system and method for operating the same
US20050054327A1 (en) * 2003-09-04 2005-03-10 David Johnston System and associated methods to determine authentication priority between devices
US6871281B2 (en) * 2001-02-23 2005-03-22 Thomas J. Schwab Method and system for sending data between computers using a secure pipeline
US20050086477A1 (en) * 2003-10-16 2005-04-21 Taiwan Semiconductor Manufacturing Co. Integrate PGP and Lotus Notes to encrypt / decrypt email
US20050091501A1 (en) * 2002-01-18 2005-04-28 Harro Osthoff Loading data into a mobile terminal
US20050180326A1 (en) * 2004-02-13 2005-08-18 Goldflam Michael S. Method and system for remotely booting a computer device using a peer device
US6954790B2 (en) * 2000-12-05 2005-10-11 Interactive People Unplugged Ab Network-based mobile workgroup system
US20060095388A1 (en) * 2004-10-29 2006-05-04 Research In Motion Limited System and method for verifying digital signatures on certificates
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd. Internet security
US7185229B2 (en) * 2003-12-04 2007-02-27 International Business Machines Corporation Method and system for performing remote maintenance operations on a battery powered computer
US20070050645A1 (en) * 2005-08-23 2007-03-01 Siegmund Dieter W Method and apparatus for waking up a sleeping system
US20070280253A1 (en) * 2006-05-30 2007-12-06 Mo Rooholamini Peer-to-peer connection between switch fabric endpoint nodes
US20070288914A1 (en) * 2001-09-28 2007-12-13 Brannock Kirk D System for atomically updating a plurality of files
US20080016335A1 (en) * 2006-06-13 2008-01-17 Aya Takahashi Attribute Certificate Verification Method and System
US20080192695A1 (en) * 2007-02-09 2008-08-14 Telefonaktiebolaget Lm Ericsson (Publ) Enhancing protection of a mobile node's home address in a visited network
US20090019525A1 (en) * 2007-07-13 2009-01-15 Dachuan Yu Domain-specific language abstractions for secure server-side scripting
US7620816B1 (en) * 2001-04-06 2009-11-17 Mcafee, Inc. System and method for automatic selection of service provider for efficient use of bandwidth and resources in a peer-to-peer network environment
US20100017494A1 (en) * 2001-11-09 2010-01-21 Bigfix, Inc. Formalizing, diffusing and enforcing policy advisories and monitoring policy compliance in the management of networks
US7668938B1 (en) * 2000-01-14 2010-02-23 Microsoft Corporation Method and system for dynamically purposing a computing device
US20100228947A1 (en) * 2006-03-31 2010-09-09 Kyushu Institute Of Technology Address generator
US20100332640A1 (en) * 2007-03-07 2010-12-30 Dennis Sidney Goodrow Method and apparatus for unified view
US20110029626A1 (en) * 2007-03-07 2011-02-03 Dennis Sidney Goodrow Method And Apparatus For Distributed Policy-Based Management And Computed Relevance Messaging With Remote Attributes
US20110066951A1 (en) * 2004-03-19 2011-03-17 Ward-Karet Jesse Content-based user interface, apparatus and method
US7962632B2 (en) * 2002-10-01 2011-06-14 Nokia Corporation Hybrid networks
US20110222691A1 (en) * 2010-03-11 2011-09-15 Takahiro Yamaguchi Recording system, playback system, key distribution server, recording device, recording medium device, playback device, recording method, and playback method
US8055617B2 (en) * 2003-03-24 2011-11-08 International Business Machines Corporation Enterprise console
US8161149B2 (en) * 2007-03-07 2012-04-17 International Business Machines Corporation Pseudo-agent
US8171364B2 (en) * 2007-11-25 2012-05-01 Trilliant Networks, Inc. System and method for power outage and restoration notification in an advanced metering infrastructure network

Family Cites Families (113)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5694546A (en) 1994-05-31 1997-12-02 Reisman; Richard R. System for automatic unattended electronic information transport between a server and a client by a vendor provided transport software with a manifest list
US6769009B1 (en) 1994-05-31 2004-07-27 Richard R. Reisman Method and system for selecting a personalized set of information channels
US5917913A (en) 1996-12-04 1999-06-29 Wang; Ynjiun Paul Portable electronic authorization devices and methods therefor
US6802061B1 (en) 1996-12-12 2004-10-05 Microsoft Corporation Automatic software downloading from a computer network
US6532491B1 (en) 1997-03-24 2003-03-11 Novell, Inc. Processes and apparatuses for managing network devices
US6389464B1 (en) 1997-06-27 2002-05-14 Cornet Technology, Inc. Device management system for managing standards-compliant and non-compliant network elements using standard management protocols and a universal site server which is configurable from remote locations via internet browser technology
US6460175B1 (en) 1997-07-18 2002-10-01 International Business Machines Corporation Program product for modular, parallel, remote software installation with repeatable, externally-invocable steps
US6175871B1 (en) * 1997-10-01 2001-01-16 3Com Corporation Method and apparatus for real time communication over packet networks
US6434606B1 (en) * 1997-10-01 2002-08-13 3Com Corporation System for real time communication buffer management
US6151708A (en) 1997-12-19 2000-11-21 Microsoft Corporation Determining program update availability via set intersection over a sub-optical pathway
US6654714B1 (en) 1998-05-22 2003-11-25 Micron Technology, Inc. Method and system for selecting compatible processors to add to a multiprocessor computer
US6922831B1 (en) 1998-06-04 2005-07-26 Gateway Inc. Method and system for providing software utilizing a restore medium and a network
US6564369B1 (en) 1998-08-20 2003-05-13 Pearson Technical Software, Inc. Conflict checking using configuration images
JP2000076150A (en) 1998-08-31 2000-03-14 Fujitsu Ltd System management method and system management device
US6378127B1 (en) 1998-09-21 2002-04-23 Microsoft Corporation Software installation and validation using custom actions
US6523166B1 (en) 1998-09-21 2003-02-18 Microsoft Corporation Method and system for on-demand installation of software implementations
US6804663B1 (en) 1998-09-21 2004-10-12 Microsoft Corporation Methods for optimizing the installation of a software product onto a target computer system
US6836794B1 (en) 1998-09-21 2004-12-28 Microsoft Corporation Method and system for assigning and publishing applications
US6851115B1 (en) 1999-01-05 2005-02-01 Sri International Software-based architecture for communication and cooperation among distributed electronic agents
US6735766B1 (en) 1999-03-03 2004-05-11 Microsoft Corporation Method and computer-readable medium for installing an upgrade to an application program
US7277919B1 (en) 1999-03-19 2007-10-02 Bigfix, Inc. Relevance clause for computed relevance messaging
US6493594B1 (en) 1999-06-04 2002-12-10 Lucent Technologies Inc. System and method for improved software configuration and control management in multi-module systems
US6477703B1 (en) 1999-06-29 2002-11-05 Hewlett-Packard Company Software patch selection tool
US6681243B1 (en) 1999-07-27 2004-01-20 Intel Corporation Network environment supporting mobile agents with permissioned access to resources
CA2315417A1 (en) 1999-08-11 2001-02-11 Hiroshi Une Electret capacitor microphone
US6996819B1 (en) 1999-09-10 2006-02-07 Unisys Corporation Method for efficiently downloading SCSI and SERVO firmware to SCSI target controllers
US6571186B1 (en) 1999-09-14 2003-05-27 Textronix, Inc. Method of waveform time stamping for minimizing digitization artifacts in time interval distribution measurements
US6496977B1 (en) 1999-10-21 2002-12-17 International Business Machines Corporation Method and system for implementing network filesystem-based aid for computer operating system upgrades
US7231327B1 (en) 1999-12-03 2007-06-12 Digital Sandbox Method and apparatus for risk management
US7523190B1 (en) 1999-12-23 2009-04-21 Bickerstaff Cynthia L Real-time performance assessment of large area network user experience
GB2359154B (en) 2000-02-11 2003-10-22 Int Computers Ltd Data processing
US6971094B1 (en) 2000-02-22 2005-11-29 Hewlett-Packard Development Company, L.P. Deployed agent used in the installation and maintenance of software
IT1318430B1 (en) 2000-03-29 2003-08-25 Mallinckrodt Holdings B V DEVICE FOR PASSIVE HUMIDIFICATION OF TRACHEOSTOMIZED OR INTUBATED PATIENTS.
US6975656B1 (en) * 2000-03-29 2005-12-13 Microsoft Corporation Method and system for accurately calculating latency variation on an end-to-end path in a network
US6658489B1 (en) 2000-03-29 2003-12-02 International Business Machines Corporation Method for replacing a device driver during system operation
US6678889B1 (en) * 2000-05-05 2004-01-13 International Business Machines Corporation Systems, methods and computer program products for locating resources within an XML document defining a console for managing multiple application programs
US6725452B1 (en) 2000-06-01 2004-04-20 Aduoa, Inc. Method for resolving dependency conflicts among multiple operative entities within a computing environment
US6751661B1 (en) 2000-06-22 2004-06-15 Applied Systems Intelligence, Inc. Method and system for providing intelligent network management
US7278103B1 (en) 2000-06-28 2007-10-02 Microsoft Corporation User interface to display and manage an entity and associated resources
US7536686B2 (en) * 2000-09-08 2009-05-19 Oracle International Corporation Techniques for automatically installing and configuring database applications
US6996815B2 (en) 2000-11-29 2006-02-07 Microsoft Corporation Method and software tools for intelligent service pack installation
US7584278B2 (en) * 2000-12-11 2009-09-01 Microsoft Corporation Method and system for task based management of multiple network resources
US6904457B2 (en) 2001-01-05 2005-06-07 International Business Machines Corporation Automatic firmware update of processor nodes
US7430594B2 (en) 2001-01-26 2008-09-30 Computer Associates Think, Inc. Method and apparatus for distributed systems management
US6574537B2 (en) 2001-02-05 2003-06-03 The Boeing Company Diagnostic system and method
JP3744361B2 (en) 2001-02-16 2006-02-08 株式会社日立製作所 Security management system
JP2001318814A (en) 2001-03-21 2001-11-16 Sanyo Electric Co Ltd Computer readable recording medium
WO2003007148A1 (en) 2001-07-13 2003-01-23 Cadessa, L.L.C. System and method for managing networks using local intelligent agents
EP1563389A4 (en) 2001-08-01 2008-06-25 Actona Technologies Ltd Virtual file-sharing network
US7054822B2 (en) 2001-08-06 2006-05-30 Ecolab, Inc. Notification of time-critical situations occurring at destination facilities
JP2003076434A (en) 2001-08-31 2003-03-14 Mitsubishi Electric Corp Security update monitor device
US7219034B2 (en) 2001-09-13 2007-05-15 Opnet Technologies, Inc. System and methods for display of time-series data distribution
US20030074358A1 (en) 2001-09-24 2003-04-17 Siamak Sarbaz Integration, management and processing of network data from disparate sources
US7275048B2 (en) 2001-10-30 2007-09-25 International Business Machines Corporation Product support of computer-related products using intelligent agents
JP3879594B2 (en) 2001-11-02 2007-02-14 日本電気株式会社 Switch method, apparatus and program
CA2463753A1 (en) 2001-11-09 2003-05-15 Bigfix, Inc. Formalizing, diffusing, and enforcing policy advisories and monitoring policy compliance in the management of networks
US20030126256A1 (en) 2001-11-26 2003-07-03 Cruickshank Robert F. Network performance determining
US7580972B2 (en) * 2001-12-12 2009-08-25 Valve Corporation Method and system for controlling bandwidth on client and server
US7171479B2 (en) * 2002-04-26 2007-01-30 International Business Machines Corporation Efficient delivery of boot code images from a network server
US7283469B2 (en) * 2002-04-30 2007-10-16 Nokia Corporation Method and system for throughput and efficiency enhancement of a packet based protocol in a wireless network
US6998819B2 (en) 2002-05-28 2006-02-14 Ford Global Technologies, Llc Current leakage detection in high voltage battery pack
AU2003247635A1 (en) * 2002-06-24 2004-01-06 Paradyne Corporation Determination of network performance characteristics
EP2469716B1 (en) * 2002-06-26 2013-12-04 Yahoo! Inc. System and method for communicating images between intercommunicating users
US20040039816A1 (en) 2002-08-23 2004-02-26 International Business Machines Corporation Monitoring method of the remotely accessible resources to provide the persistent and consistent resource states
AU2003279118A1 (en) 2002-10-03 2004-04-23 Donna Billera Telephony-based inventory access system especially well suited to accessing of inventories in the travel industry
US6941453B2 (en) 2003-02-11 2005-09-06 Bitfone Corporation System and method for determining if a device needs to be updated and locating and invoking an update agent to update the firmware or software in the device
US7137040B2 (en) 2003-02-12 2006-11-14 International Business Machines Corporation Scalable method of continuous monitoring the remotely accessible resources against the node failures for very large clusters
US20040215781A1 (en) 2003-03-27 2004-10-28 Pulsipher Eric A. Techniques for determining device connectivity in a network using protocol-specific connectivity information
WO2004088858A2 (en) * 2003-03-29 2004-10-14 Regents Of University Of California Method and apparatus for improved data transmission
KR20040096363A (en) * 2003-05-09 2004-11-16 삼성전자주식회사 Traffic Scheduling Apparatus and Method in Base Station of Wireless Communication System
US7058837B2 (en) * 2003-05-12 2006-06-06 International Business Machines Corporation Method and system for providing a message-time-ordering facility
US8776050B2 (en) 2003-08-20 2014-07-08 Oracle International Corporation Distributed virtual machine monitor for managing multiple virtual resources across multiple physical nodes
US7668201B2 (en) * 2003-08-28 2010-02-23 Symbol Technologies, Inc. Bandwidth management in wireless networks
US7493563B2 (en) * 2004-03-05 2009-02-17 International Business Machines Corporation Using content aggregation to build administration consoles
US7586848B1 (en) * 2004-06-07 2009-09-08 Nortel Networks Limited Elastic traffic marking for multi-priority packet streams in a communications network
US20080144493A1 (en) * 2004-06-30 2008-06-19 Chi-Hsiang Yeh Method of interference management for interference/collision prevention/avoidance and spatial reuse enhancement
JP4184373B2 (en) * 2004-10-29 2008-11-19 シャープ株式会社 COMMUNICATION DEVICE, COMMUNICATION METHOD, COMMUNICATION PROGRAM, RECORDING MEDIUM CONTAINING COMMUNICATION PROGRAM, AND COMMUNICATION SYSTEM
WO2006051519A2 (en) * 2004-11-12 2006-05-18 Passave Ltd. Dynamic bandwidth allocation processor
US20060168291A1 (en) * 2005-01-05 2006-07-27 Van Zoest Alexander Interactive multichannel data distribution system
EP1679835A1 (en) * 2005-01-07 2006-07-12 Koninklijke KPN N.V. Method, device and system for predicting a data session time
US7577097B2 (en) * 2005-03-22 2009-08-18 Microsoft Corporation Compound transmission control protocol
US7630401B2 (en) * 2005-04-28 2009-12-08 Sony Corporation Bandwith management in a network
US8503299B2 (en) * 2005-05-12 2013-08-06 Apple, Inc. Method and system for packet scheduling
US7872972B2 (en) * 2005-05-27 2011-01-18 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for improving scheduling in packet data networks
US8429630B2 (en) 2005-09-15 2013-04-23 Ca, Inc. Globally distributed utility computing cloud
GB0519521D0 (en) * 2005-09-24 2005-11-02 Ibm A dynamic bandwidth manager
US20070204078A1 (en) 2006-02-09 2007-08-30 Intertrust Technologies Corporation Digital rights management engine systems and methods
US7474614B2 (en) * 2005-10-21 2009-01-06 International Business Machines Corporation Method and apparatus for adaptive bandwidth control with user settings
US7558271B2 (en) * 2005-10-21 2009-07-07 International Business Machines Corporation Method and apparatus for adaptive bandwidth control with defined priorities for different networks
US7558604B2 (en) * 2005-11-25 2009-07-07 Lenovo (Singapore) Pte. Ltd. Method and apparatus for remote discovery of client and access point settings in a wireless LAN
US7760633B2 (en) * 2005-11-30 2010-07-20 Cisco Technology, Inc. Transmission control protocol (TCP) congestion control using transmission delay components
US20070147435A1 (en) * 2005-12-23 2007-06-28 Bruce Hamilton Removing delay fluctuation in network time synchronization
US8149771B2 (en) * 2006-01-31 2012-04-03 Roundbox, Inc. Reliable event broadcaster with multiplexing and bandwidth control functions
US8832045B2 (en) * 2006-04-07 2014-09-09 Data Storage Group, Inc. Data compression and storage techniques
US8165088B2 (en) * 2006-09-13 2012-04-24 Toshiba America Research, Inc. MIH protocol state machine
US7634562B2 (en) * 2006-10-27 2009-12-15 Cyscape, Inc. Method and apparatus for determining application responsiveness over a network
ES2545776T3 (en) 2007-02-15 2015-09-15 Tyco Electronics Subsea Communications Llc System and distributed network management method
CN101595681A (en) * 2007-03-08 2009-12-02 Lm爱立信电话有限公司 The passive monitoring of network performance
US8543682B2 (en) * 2007-05-02 2013-09-24 Spirent Communications, Inc. Quality of experience indicator for network diagnosis
US7830816B1 (en) * 2007-08-13 2010-11-09 Sprint Communications Company L.P. Network access and quality of service troubleshooting
US8315262B2 (en) * 2007-09-21 2012-11-20 Telefonaktiebolaget L M Ericsson (Publ) Reverse timestamp method and network node for clock recovery
US7990909B2 (en) * 2007-11-02 2011-08-02 Ciena Corporation Synchronization of network nodes
US8194556B2 (en) * 2007-12-10 2012-06-05 Motorola Mobility, Inc. Latency-aware adaptive bandwidth request mechanism for real-time communication in WiMAX
WO2009105431A2 (en) * 2008-02-20 2009-08-27 Novatel Wireless, Inc. System and method for traffic prioritization
US7991881B2 (en) * 2008-02-29 2011-08-02 Microsoft Corporation Monitoring network performance to identify sources of network performance degradation
US8719398B2 (en) * 2008-02-29 2014-05-06 Microsoft Corporation Network performance monitor
US7787379B2 (en) * 2008-06-03 2010-08-31 Cisco Technology, Inc. Integrated flow control
US8296376B2 (en) * 2009-03-26 2012-10-23 International Business Machines Corporation Utilizing E-mail response time statistics for more efficient and effective user communication
US8775658B2 (en) * 2009-03-27 2014-07-08 Wyse Technology L.L.C. Apparatus and method for transparent communication architecture in remote communication
US8284778B2 (en) * 2009-11-19 2012-10-09 At&T Intellectual Property I, L.P. Method, device, and computer program product for detecting and encoding states for accurate measurement
US20110250982A1 (en) * 2010-04-09 2011-10-13 Romano Edward A Near zero inertia pendulum golf swing trainer Swinky™
US8522292B2 (en) * 2011-06-15 2013-08-27 Microsoft Corporation Streaming media bandwidth reduction
US8660006B2 (en) * 2011-11-29 2014-02-25 Hughes Network Systems, Llc Method and system for traffic management and resource allocation on a shared access network

Patent Citations (99)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5010571A (en) * 1986-09-10 1991-04-23 Titan Linkabit Corporation Metering retrieval of encrypted data stored in customer data retrieval terminal
US5649099A (en) * 1993-06-04 1997-07-15 Xerox Corporation Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor comprising server security
US6289394B1 (en) * 1994-03-04 2001-09-11 Mitsubishi Denki Kabushiki Kaisha Agent management system capable of readily monitoring and controlling agent
US5732137A (en) * 1994-06-03 1998-03-24 Sun Microsystems, Inc. Method and apparatus for secure remote authentication in a public network
US5751967A (en) * 1994-07-25 1998-05-12 Bay Networks Group, Inc. Method and apparatus for automatically configuring a network device to support a virtual network
US5586304A (en) * 1994-09-08 1996-12-17 Compaq Computer Corporation Automatic computer upgrading
US6240451B1 (en) * 1995-05-25 2001-05-29 Punch Networks Corporation Method and apparatus for automatically disseminating information over a network
US6327617B1 (en) * 1995-11-27 2001-12-04 Microsoft Corporation Method and system for identifying and obtaining computer software from a remote computer
US6161218A (en) * 1996-01-16 2000-12-12 Sun Microsystems Inc. Software patch architecture
US6256668B1 (en) * 1996-04-18 2001-07-03 Microsoft Corporation Method for identifying and obtaining computer software from a network computer using a tag
US6151643A (en) * 1996-06-07 2000-11-21 Networks Associates, Inc. Automatic updating of diverse software products on multiple client computer systems by downloading scanning application to client computer and generating software list on client computer
US6360366B1 (en) * 1996-09-05 2002-03-19 Managesoft Corporation Systems and methods for automatic application version upgrading and maintenance
US5958050A (en) * 1996-09-24 1999-09-28 Electric Communities Trusted delegation system
US6745224B1 (en) * 1996-12-06 2004-06-01 Microsoft Corporation Object framework and services for periodically recurring operations
US6347398B1 (en) * 1996-12-12 2002-02-12 Microsoft Corporation Automatic software downloading from a computer network
US6240394B1 (en) * 1996-12-12 2001-05-29 Catalina Marketing International, Inc. Method and apparatus for automatically generating advisory information for pharmacy patients
US6324693B1 (en) * 1997-03-12 2001-11-27 Siebel Systems, Inc. Method of synchronizing independently distributed software and database schema
US6123737A (en) * 1997-05-21 2000-09-26 Symantec Corporation Push deployment of software packages using notification transports
US6351536B1 (en) * 1997-10-01 2002-02-26 Minoru Sasaki Encryption network system and method
US6418478B1 (en) * 1997-10-30 2002-07-09 Commvault Systems, Inc. Pipelined high speed data transfer mechanism
US6321258B1 (en) * 1997-12-11 2001-11-20 Hewlett-Packard Company Administration of networked peripherals using particular file system
US6516316B1 (en) * 1998-02-17 2003-02-04 Openwave Systems Inc. Centralized certificate management system for two-way interactive communication devices in data networks
US6289510B1 (en) * 1998-03-12 2001-09-11 Fujitsu Limited Online program-updating system and computer-readable recording medium storing a program-updating program
US6347396B1 (en) * 1998-03-12 2002-02-12 Telefonaktiebolaget Lm Ericsson (Publ) Disturbance free update of data
US6128738A (en) * 1998-04-22 2000-10-03 International Business Machines Corporation Certificate based security in SNA data flows
US6192404B1 (en) * 1998-05-14 2001-02-20 Sun Microsystems, Inc. Determination of distance between nodes in a computer network
US6240390B1 (en) * 1998-05-18 2001-05-29 Winbond Electronics Corp. Multi-tasking speech synthesizer
US6330715B1 (en) * 1998-05-19 2001-12-11 Nortel Networks Limited Method and apparatus for managing software in a network system
US6381742B2 (en) * 1998-06-19 2002-04-30 Microsoft Corporation Software package management
US6353926B1 (en) * 1998-07-15 2002-03-05 Microsoft Corporation Software update notification
US6233449B1 (en) * 1998-08-24 2001-05-15 Telefonaktiebolaget L M Ericsson (Publ) Operation and maintenance control point and method of managing a self-engineering telecommunications network
US6233612B1 (en) * 1998-08-31 2001-05-15 International Business Machines Corporation Dynamic network protocol management information base options
US6256664B1 (en) * 1998-09-01 2001-07-03 Bigfix, Inc. Method and apparatus for computed relevance messaging
US6604130B2 (en) * 1998-09-01 2003-08-05 Bigfix, Inc. Relevance clause for computed relevance messaging
US6263362B1 (en) * 1998-09-01 2001-07-17 Bigfix, Inc. Inspector for computed relevance messaging
US20010042104A1 (en) * 1998-09-01 2001-11-15 Donoho David Leigh Inspector for computed relevance messaging
US6356936B1 (en) * 1998-09-01 2002-03-12 Bigfix, Inc. Relevance clause for computed relevance messaging
US6449642B2 (en) * 1998-09-15 2002-09-10 Microsoft Corporation Method and system for integrating a client computer into a computer network
US6345386B1 (en) * 1998-09-21 2002-02-05 Microsoft Corporation Method and system for advertising applications
US6418554B1 (en) * 1998-09-21 2002-07-09 Microsoft Corporation Software implementation installer mechanism
US6237144B1 (en) * 1998-09-21 2001-05-22 Microsoft Corporation Use of relational databases for software installation
US6389589B1 (en) * 1998-09-21 2002-05-14 Microsoft Corporation Class store schema
US6407988B1 (en) * 1998-10-06 2002-06-18 At&T Corp. Mobility support services using mobility aware access networks
US6378128B1 (en) * 1998-10-08 2002-04-23 Microsoft Corporation System and method for dynamically modifying an install-set
US6324691B1 (en) * 1998-11-12 2001-11-27 Hewlett-Packard Company Manufacture of software distribution media packages from components resident on a remote server source
US6353928B1 (en) * 1999-01-04 2002-03-05 Microsoft Corporation First run installer
US6405250B1 (en) * 1999-01-25 2002-06-11 Lucent Technologies Inc. Network management system based on passive monitoring and proactive management for formulation behavior state transition models
US6526507B1 (en) * 1999-02-18 2003-02-25 International Business Machines Corporation Data processing system and method for waking a client only in response to receipt of an authenticated Wake-on-LAN packet
US6353902B1 (en) * 1999-06-08 2002-03-05 Nortel Networks Limited Network fault prediction and proactive maintenance system
US6363524B1 (en) * 1999-09-10 2002-03-26 Hewlett-Packard Company System and method for assessing the need for installing software patches in a computer system
US6535977B1 (en) * 1999-09-30 2003-03-18 Microsoft Corporation Replacing a unique identifier in a cloned computer system using program module that runs only once during the next boot sequence
US20010032091A1 (en) * 1999-12-16 2001-10-18 Schultz Michael A. Method and apparatus for providing intranet/web based programs
US6398464B1 (en) * 1999-12-27 2002-06-04 Kabushiki Kaisha Watanabe Shoko Air stream transfer apparatus
US7668938B1 (en) * 2000-01-14 2010-02-23 Microsoft Corporation Method and system for dynamically purposing a computing device
US6954790B2 (en) * 2000-12-05 2005-10-11 Interactive People Unplugged Ab Network-based mobile workgroup system
US20020112200A1 (en) * 2001-02-12 2002-08-15 Hines George W. Automated analysis of kernel and user core files including searching, ranking, and recommending patch files
US6871281B2 (en) * 2001-02-23 2005-03-22 Thomas J. Schwab Method and system for sending data between computers using a secure pipeline
US20030033394A1 (en) * 2001-03-21 2003-02-13 Stine John A. Access and routing protocol for ad hoc network using synchronous collision resolution and node state dissemination
US7620816B1 (en) * 2001-04-06 2009-11-17 Mcafee, Inc. System and method for automatic selection of service provider for efficient use of bandwidth and resources in a peer-to-peer network environment
US7134019B2 (en) * 2001-04-12 2006-11-07 Microsoft Corporation Methods and systems for unilateral authentication of messages
US20020152384A1 (en) * 2001-04-12 2002-10-17 Microsoft Corporation Methods and systems for unilateral authentication of messages
US20030041167A1 (en) * 2001-08-15 2003-02-27 International Business Machines Corporation Method and system for managing secure geographic boundary resources within a network management framework
US20070288914A1 (en) * 2001-09-28 2007-12-13 Brannock Kirk D System for atomically updating a plurality of files
US20030074321A1 (en) * 2001-10-15 2003-04-17 Vidius Inc. Method and system for distribution of digital media and conduction of electronic commerce in an un-trusted environment
US20100017494A1 (en) * 2001-11-09 2010-01-21 Bigfix, Inc. Formalizing, diffusing and enforcing policy advisories and monitoring policy compliance in the management of networks
US20040230644A1 (en) * 2001-11-22 2004-11-18 Tatsuo Aratake E-mail transfer server apparatus and e-mail transfer system
US20050091501A1 (en) * 2002-01-18 2005-04-28 Harro Osthoff Loading data into a mobile terminal
US7558953B2 (en) * 2002-01-18 2009-07-07 Telefonaktiebolaget L M Ericsson (Publ) Loading data into a mobile terminal
US20030187868A1 (en) * 2002-03-29 2003-10-02 Fujitsu Limited Data acquisition system
US20030233645A1 (en) * 2002-06-12 2003-12-18 Microsoft Corporation Application imaging infrastructure
US20030233646A1 (en) * 2002-06-12 2003-12-18 Microsoft Corporation Image based installation
US7962632B2 (en) * 2002-10-01 2011-06-14 Nokia Corporation Hybrid networks
US20040187105A1 (en) * 2003-01-06 2004-09-23 Brother Kogyo Kabushiki Kaisha Driver software installing system
US20040174904A1 (en) * 2003-03-04 2004-09-09 Samsung Electronics Co., Ltd. Method of allocating IP address and detecting duplication of IP address in an ad-hoc network environment
US8055617B2 (en) * 2003-03-24 2011-11-08 International Business Machines Corporation Enterprise console
US20040213211A1 (en) * 2003-04-23 2004-10-28 Marconi Communications, Inc. Method and apparatus for determining shared broadcast domains of network switches, ports and interfaces
US20040246975A1 (en) * 2003-06-06 2004-12-09 Meshnetworks, Inc. System and method to improve the overall performance of a wireless communication network
US20050002408A1 (en) * 2003-06-20 2005-01-06 Lg Electronics Inc. Home appliance network system and method for operating the same
US20040260949A1 (en) * 2003-06-20 2004-12-23 Aoki Norihiro Edwin Chaining of services
US20050005026A1 (en) * 2003-07-03 2005-01-06 International Business Machines Corporation Method and apparatus for managing a remote data processing system
US20050054327A1 (en) * 2003-09-04 2005-03-10 David Johnston System and associated methods to determine authentication priority between devices
US20050086477A1 (en) * 2003-10-16 2005-04-21 Taiwan Semiconductor Manufacturing Co. Integrate PGP and Lotus Notes to encrypt / decrypt email
US7185229B2 (en) * 2003-12-04 2007-02-27 International Business Machines Corporation Method and system for performing remote maintenance operations on a battery powered computer
US20050180326A1 (en) * 2004-02-13 2005-08-18 Goldflam Michael S. Method and system for remotely booting a computer device using a peer device
US20110066951A1 (en) * 2004-03-19 2011-03-17 Ward-Karet Jesse Content-based user interface, apparatus and method
US20060095388A1 (en) * 2004-10-29 2006-05-04 Research In Motion Limited System and method for verifying digital signatures on certificates
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd. Internet security
US20070050645A1 (en) * 2005-08-23 2007-03-01 Siegmund Dieter W Method and apparatus for waking up a sleeping system
US20100228947A1 (en) * 2006-03-31 2010-09-09 Kyushu Institute Of Technology Address generator
US20070280253A1 (en) * 2006-05-30 2007-12-06 Mo Rooholamini Peer-to-peer connection between switch fabric endpoint nodes
US20080016335A1 (en) * 2006-06-13 2008-01-17 Aya Takahashi Attribute Certificate Verification Method and System
US20080192695A1 (en) * 2007-02-09 2008-08-14 Telefonaktiebolaget Lm Ericsson (Publ) Enhancing protection of a mobile node's home address in a visited network
US20100332640A1 (en) * 2007-03-07 2010-12-30 Dennis Sidney Goodrow Method and apparatus for unified view
US20110029626A1 (en) * 2007-03-07 2011-02-03 Dennis Sidney Goodrow Method And Apparatus For Distributed Policy-Based Management And Computed Relevance Messaging With Remote Attributes
US8161149B2 (en) * 2007-03-07 2012-04-17 International Business Machines Corporation Pseudo-agent
US20120203818A1 (en) * 2007-03-07 2012-08-09 International Business Machines Corporation Pseudo-agent
US20090019525A1 (en) * 2007-07-13 2009-01-15 Dachuan Yu Domain-specific language abstractions for secure server-side scripting
US8171364B2 (en) * 2007-11-25 2012-05-01 Trilliant Networks, Inc. System and method for power outage and restoration notification in an advanced metering infrastructure network
US20110222691A1 (en) * 2010-03-11 2011-09-15 Takahiro Yamaguchi Recording system, playback system, key distribution server, recording device, recording medium device, playback device, recording method, and playback method

Non-Patent Citations (31)

* Cited by examiner, † Cited by third party
Title
"1E WakeUp". Published by 1E. Archived Jul. 24, 2008. 10 pages. Available online: http://web.archive.org/web/20080724185718/http://www.1e.com/SoftwareProducts/1EWakeUp/faq.aspx *
Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press 1996. Chapter 8: Public Key Cryptography. *
APT Team. Manpage of APT-GET. Dated 12 March, 2001. Available http://web.archive.org/web/20041027155110/http://linuxreviews.org/man/apt-get/ *
arnaud et al. "How to disable security warning popup about message containing script" Accessed July 12, 2012. Available online http://forum.bigfix.com/viewtopic.php?id=1519 *
Ben Kus. "BigFix 7.1 Released." Dated August 5, 2008. Viewed online July 11, 2012. Available http://forum.bigfix.com/viewtopic.php?id=2258 *
BigFix, Inc. "BES Console Context Menu Wake-on LAN." Archived October 26, 2006. Available http://web.archive.org/web/20061026092909/http://support.bigfix.com/bes/misc/bes-wol.html *
Bigfix, Inc. "BigFix® Remote Desktop for Windows." Version 1.0, dated 9/13/2007. Viewed online July 11, 2012. Available http://support.bigfix.com/product/documents/BigFixRemoteDesktopGuide-v1.pdf *
BigFix, Inc. "Wake on LAN with a alteration." Dated May 14-18, 2009. Viewed online July 11, 2012. Available http://forum.bigfix.com/viewtopic.php?id=3248 *
BigFix. "BigFix Action Language Reference: A Guide to the BigFix® Action Shell Commands for the BigFix Enterprise Suite (BES)" dated December 6, 2006. *
BigFix. "New Features in BES 4.0". Available online: http://web.archive.org/web/20061026095436/http://support.bigfix.com/bes/changes/changes_4_0.html . Archived Oct. 26, 2006. *
BigFix. BigFix Client ICMP Traffic Technical Details. Accessed June 16, 2012. Available online http://support.bigfix.com/bes/misc/besclient_icmp.html *
BigFix. BigFix Enterprise Suite (BES) Administrator's Guide. Version 7.1. July 25, 2008. *
BigFix. BigFix Enterprise Suite (BES) Console Operator's Guide. Version 7.1. July 26, 2008. *
Configuring the Cisco IOS DHCP Relay Agent. November 17, 2006. Cisco Systems, Inc. *
Daniel Burrows. "Modelling and Resolving Software Dependencies." June 15, 2005. *
David B. Johnson, David A. Maltz, and Josh Broch. "DSR: The Dynamic Source Routing Protocol for Multi-Hop Wireless Ad Hoc Networks." 2001. *
Dobromir Todorov. Mechanics of User Identification and Authentication: Fundamentals of Identity Management. 2007. Auerbach Publications. Chapter 1: User Identification and Authentication Concepts *
Donald E. Knuth. The Art of Computer Programming. 1998. Addison Wesley Longman Publishing Co., Inc. 2nd Edition, Volume 3: Sorting and Searching. p. 514. *
Gary C. Kessler. Network Design: Principles and Applications. Edited by Gilbert Held. Auerbach Publications 2000. Chapter 51: An Overview of Cryptographic Methods. Pages 679-691. *
Harold F. Tipton and Micki Krause. Information Security Management Handbook on CD-ROM, 2006 Edition. Auerbach Publications: 2006. Glossary *
Hong Tang, Huaglory Tianfield. "Self-Organizing Networks of Communications and Computing." November 6, 2006. International Transactions on Systems Science and Applications, Volume 1, Number 4. 421-431 *
jreinec et al. "Using a DOS variable in action script" Accessed July 12, 2012. Available online http://forum.bigfix.com/viewtopic.php?id=1867 *
Last Man Standing. October 27, 2011. IBM. Available online: http://www-01.ibm.com/support/docview.wss?uid=swg21506077 *
mgoodnow et al. Relay on the DMZ. Accessed July 23, 2012. Available online http://forum.bigfix.com/viewtopic.php?id=428 *
Mostafa Hashem Sherif. Chapter 3: "Algorithms and Architectures for Security". Published in "Protocols for Secure Electronic Commerce, Second Edition". CRC Press: September 2003. 101 pages. *
National Institute of Standards and Technology. Entity Authentication Using Public Key Cryptography (FIPS PUB 196). US Department of Commerce. 1997 February 18. *
NHolmes et al. BES Automatic Relay Settings. Accessed July 11, 2012. Available online http://forum.bigfix.com/viewtopic.php?id=182 *
Open Web Application Security Project. Positive security model. Available online: http://web.archive.org/web/20060821235729/http://www.owasp.org/index.php/Positive_security_model *
Paul J. Leach, Dilip C. Naik. CIFS/E Browser Protocol. Dated January 10, 1997. Internet Engineering Task Force. *
Peter Firstbrook, Arabella Hallawell, John Girard, and Neil MacDonald. Magic Quadrant for Endpoint Protection Platforms, 2007. December 21, 2007. Gartner, Inc. *
The ABCs of TCP/IP, Gilbert Held, Auerbach Publications 2002, Chapter 4: The Internet Protocol and Related Protocols. *

Cited By (48)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9294377B2 (en) 2004-03-19 2016-03-22 International Business Machines Corporation Content-based user interface, apparatus and method
US20100332640A1 (en) * 2007-03-07 2010-12-30 Dennis Sidney Goodrow Method and apparatus for unified view
US8495157B2 (en) 2007-03-07 2013-07-23 International Business Machines Corporation Method and apparatus for distributed policy-based management and computed relevance messaging with remote attributes
US9152602B2 (en) 2007-03-07 2015-10-06 International Business Machines Corporation Mechanisms for evaluating relevance of information to a managed device and performing management operations using a pseudo-agent
US20110066752A1 (en) * 2009-09-14 2011-03-17 Lisa Ellen Lippincott Dynamic bandwidth throttling
US8966110B2 (en) 2009-09-14 2015-02-24 International Business Machines Corporation Dynamic bandwidth throttling
US8862125B2 (en) * 2009-11-17 2014-10-14 Thales Method and system for distributing content with guarantees of delivery timescales in hybrid radio networks
US20130130615A1 (en) * 2009-11-17 2013-05-23 Thales Method and system for distributing content with guarantees of delivery timescales in hybrid radio networks
US10742641B2 (en) * 2009-12-18 2020-08-11 Google Llc Method, device, and system of accessing online accounts
US20180309745A1 (en) * 2009-12-18 2018-10-25 Google Llc Method, device, and system of accessing online accounts
US10200325B2 (en) * 2010-04-30 2019-02-05 Shazzle Llc System and method of delivering confidential electronic files
US8756696B1 (en) * 2010-10-30 2014-06-17 Sra International, Inc. System and method for providing a virtualized secure data containment service with a networked environment
US9438552B2 (en) 2011-03-17 2016-09-06 Microsoft Technology Licensing, Llc Messaging for notification-based clients
US9137191B2 (en) * 2011-03-17 2015-09-15 Microsoft Technology Licensing, Llc Messaging for notification-based clients
US20120239757A1 (en) * 2011-03-17 2012-09-20 Microsoft Corporation Messaging for notification-based clients
CN103975568A (en) * 2011-12-06 2014-08-06 李青锺 Security management system having multiple relay servers, and security management method
US9608973B2 (en) * 2011-12-06 2017-03-28 Chung Jong Lee Security management system including multiple relay servers and security management method
US20140337951A1 (en) * 2011-12-06 2014-11-13 Chung Jong Lee Security management system including multiple relay servers and security management method
US9015531B2 (en) 2011-12-14 2015-04-21 International Business Machines Corporation Preventing distribution of a failure
US20140310618A1 (en) * 2012-06-29 2014-10-16 Ramanujam Kaniyar Venkatesh Flash redirection with caching
US10365781B2 (en) 2012-06-29 2019-07-30 Dell Products L.P. Flash redirection proxy plugin to support functionality of a flash player at a client
US9489471B2 (en) * 2012-06-29 2016-11-08 Dell Products L.P. Flash redirection with caching
US9626450B2 (en) 2012-06-29 2017-04-18 Dell Products L.P. Flash redirection with browser calls caching
US9256644B1 (en) * 2013-03-15 2016-02-09 Ca, Inc. System for identifying and investigating shared and derived content
US20140366120A1 (en) * 2013-06-06 2014-12-11 Apple Inc. Systems and Methods for Application-Specific Access to Virtual Private Networks
US20150286648A1 (en) * 2014-04-07 2015-10-08 Konan Technology Inc. User terminal for searching multi data and searching method thereof
US10721267B1 (en) * 2014-07-18 2020-07-21 NortonLifeLock Inc. Systems and methods for detecting system attacks
GB2532229A (en) * 2014-11-12 2016-05-18 Ibm Management of a computing system with dynamic change of roles
US20160134463A1 (en) * 2014-11-12 2016-05-12 International Business Machines Corporation Management of a Computing System with Dynamic Change of Roles
US10257260B2 (en) * 2014-11-12 2019-04-09 International Business Machines Corporation Management of a computing system with dynamic change of roles
US9473462B2 (en) * 2014-11-28 2016-10-18 Qip Solutions Limited Method and system for configuring and securing a device or apparatus, a device or apparatus, and a computer program product
US20160156590A1 (en) * 2014-11-28 2016-06-02 Qip Solutions Limited Method and system for configuring and securing a device or apparatus, a device or apparatus, and a computer program product
US9665445B1 (en) * 2014-12-23 2017-05-30 EMC IP Holding Company LLC Virtual proxy based backup
US10922191B2 (en) 2014-12-23 2021-02-16 EMC IP Holding Company LLC Virtual proxy based backup
US10191820B2 (en) * 2014-12-23 2019-01-29 EMC IP Holding Company LLC Virtual proxy based backup
US11429625B2 (en) 2015-06-26 2022-08-30 Musarubra Us Llc Query engine for remote endpoint information retrieval
US10599662B2 (en) 2015-06-26 2020-03-24 Mcafee, Llc Query engine for remote endpoint information retrieval
US9667708B1 (en) 2015-12-30 2017-05-30 International Business Machines Corporation Boost orchestrator for client-server architectures
US10021131B2 (en) * 2016-02-15 2018-07-10 Verizon Digital Media Services Inc. Origin controlled attack protections in a distributed platform
US20170237768A1 (en) * 2016-02-15 2017-08-17 Verizon Digital Media Services Inc. Origin Controlled Attack Protections in a Distributed Platform
US20180013738A1 (en) * 2016-07-07 2018-01-11 Samsung Sds Co., Ltd. Method for authenticating client system, client device, and authentication server
US10728232B2 (en) * 2016-07-07 2020-07-28 Samsung Sds Co., Ltd. Method for authenticating client system, client device, and authentication server
US20180046653A1 (en) * 2016-08-11 2018-02-15 Beijing Xiaomi Mobile Software Co., Ltd. Data clearing method, apparatus and storage medium
US10810172B2 (en) * 2016-08-11 2020-10-20 Beijing Xiaomi Mobile Software Co., Ltd. Data clearing method, apparatus and storage medium
CN108322325A (en) * 2017-06-27 2018-07-24 新华三云计算技术有限公司 A kind of virtual machine management method and device
US11687354B2 (en) 2017-06-27 2023-06-27 New H3C Cloud Technologies. Ltd. Virtual machine management using onboarding operations and openstack control
US11227221B2 (en) * 2018-12-27 2022-01-18 Shenzhen Intellifusion Technologies Co., Ltd. Framework management method and apparatus
CN113360324A (en) * 2021-08-10 2021-09-07 北京华科海讯科技有限公司 Data backup device based on distributed file data

Also Published As

Publication number Publication date
US20110066951A1 (en) 2011-03-17
US20140223324A9 (en) 2014-08-07
US9294377B2 (en) 2016-03-22
US20110066752A1 (en) 2011-03-17
US8966110B2 (en) 2015-02-24

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GOODROW, DENNIS SIDNEY;LOER, PETER BENJAMIN;LOER, CHRISTOPHER JACOB;AND OTHERS;SIGNING DATES FROM 20110304 TO 20110310;REEL/FRAME:025958/0297

AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:BIGFIX, INC.;REEL/FRAME:026115/0369

Effective date: 20110223

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION