Author

Yuri Pikover

Bio: Yuri Pikover is an academic researcher from Alcatel-Lucent. The author has contributed to research in topics: Edge device & Network Access Control. The author has an h-index of 1 and has co-authored 1 publication receiving 275 citations.

Papers
Patent

[...]

21 Jun 2001
TL;DR: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources; authentication agents on intelligent edge devices present users of associated end systems with log-in challenges.
Abstract: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.

275 citations


Cited by
Patent

[...]

Galen C. Hunt, Bassam Tabbara, Kevin Grealish, Geoffrey Outhred, Rob Mensching
29 Dec 2005
TL;DR: An architecture and methodology for designing, deploying, and managing a distributed application onto a distributed computing system is described.
Abstract: An architecture and methodology for designing, deploying, and managing a distributed application onto a distributed computing system is described.

606 citations

Patent

[...]

25 Sep 1998
TL;DR: In this paper, the authors describe a method of doing business over the public Internet, particularly, a method which enables access to legacy management tools used by a telecommunications enterprise in the management of the enterprise business to the enterprise customer, to enable the customer to more effectively manage the business conducted by the customer through the enterprise.
Abstract: The specification discloses a method of doing business over the public Internet, particularly, a method which enables access to legacy management tools used by a telecommunications enterprise in the management of the enterprise business to the enterprise customer, to enable the customer to more effectively manage the business conducted by the customer through the enterprise, this access being provided over the public Internet. This method of doing business is accomplished with one or more secure web servers which manage one or more secure client sessions over the Internet, each web server supporting secure communications with the client workstation; a web page backplane application capable of launching one or more management tool applications used by the enterprise. Each of the management tool applications provides a customer interface integrated within said web page which enables interactive Web/Internet based communications with the web servers; each web server supports communication of messages entered via the integrated customer interface to one or more remote enterprise management tool application servers which interact with the enterprise management tool applications to provide associated management capabilities to the customer.

577 citations

Patent

[...]

Teresa Win, Emilio Belmonte
12 Feb 1999
TL;DR: In this paper, a single secure sign-on gives a user access to authorized Web resources, based on the user's role in the organization that controls the Web resources; the information resources are stored on a protected Web server.
Abstract: A single secure sign-on gives a user access to authorized Web resources, based on the user's role in the organization that controls the Web resources. The information resources are stored on a protected Web server. A user of a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other requests by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorizes the user to use the resource. The user is presented with a customized Web page showing only those resources that the user may access. Thereafter, the access server can resolve requests to use other resources without contacting the registry server. The registry server controls a flexible, extensible, additive data model stored in a database that describes the user, the resources, roles of the user, and functional groups in the enterprise that are associated with the user.

406 citations

Patent

[...]

21 Aug 2001
TL;DR: In this article, the authors present a commercial networked instruction content delivery method and system which does not exclude synchronous sharing but is focused on asynchronous sharing in a multi-level computer architecture, which provides improved capabilities for managing courseware and other content in a shared use operating environment such as a computer network.
Abstract: Methods, devices, and systems are provided in a multi-level computer architecture which provides improved capabilities for managing courseware and other content in a shared use operating environment such as a computer network. In particular, the invention provides a commercial networked instruction content delivery method and system which does not exclude synchronous sharing but is focused on asynchronous sharing. Security means in the architecture provide content property holders with the ability to know how many minutes of use an individual made of licensed material and with increased certainty that their material cannot be used, copied, or sold in usable form unless and until a user site is connected or reconnected to a minute-by-minute counter which is located off the premises of the user. This security link helps protect software and other works which are being sold or licensed to an individual, organization, or entity, and creates income opportunities for owners of such content.

366 citations

Patent

[...]

25 Feb 2009
TL;DR: A system and method is presented that uses source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets.
Abstract: A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.

363 citations