180 Park Ave - Building 103
Florham Park, NJ
http://www2.research.att.com/~bala/papers/
Balachander Krishnamurthy has been with AT&T Labs--Research since his PhD. His main focus of research of late is in the areas of Internet privacy, Online Social Networks, and Internet measurements. He has authored and edited ten books, published over 80 technical papers, holds twenty patents, and has given invited talks in over thirty countries.
He co-founded the successful Internet Measurement Conference and Steps to Reducing Unwanted Traffic on the Internet workshop. In 2008 he co-founded the ACM SIGCOMM Workshop on Online Social Networks. He has been on the thesis committee of several PhD students, collaborated with over seventy researchers worldwide, and given tutorials at several industrial sites and conferences.
His most recent book "Internet Measurements: Infrastructure, Traffic and Applications" (525pp, John Wiley & Sons, with Mark Crovella), was published in July 2006 and is the first book focusing on Internet Measurement. His previous book 'Web Protocols and Practice: HTTP/1.1, Networking Protocols, Caching, and Traffic Measurement' (672 pp, Addison-Wesley, with Jennifer Rexford) is the first in-depth book on the technology underlying the World Wide Web, and has been translated into Portuguese, Japanese, Russian, and Chinese.
Internet-Wide Scheduling Of Transactions,
Tue May 07 17:26:16 EDT 2013
A method and system for distributing content on a network through network-wide transactions is disclosed. The method and system monitors the network using triggered measurement of the performance of an element of the network, dynamically computing, based on the monitoring, the regions of the network with available performance capacity for the transaction to proceed at a given time, determining, based on the computing, a scheduled time for the transaction to proceed, and distributing the content according to a schedule related to the scheduled time.
Anonymization Of Data Over Multiple Temporal Releases,
Tue May 07 17:26:15 EDT 2013
The present disclosure is directed to systems, methods, and computer-readable storage media for anonymizing data over multiple temporal releases. Data is received, and nodes and connections in the data are identified. The data also is analyzed to identify predicted connections. The nodes, the connections, and the predicted connections are analyzed to determine how to group the nodes in the data. The data is published, and the grouping of the nodes is extended to subsequent temporal releases of the data, the nodes of which are grouped in accordance with the grouping used with the data.
Automatic Gleaning Of Semantic Information In Social Networks,
Tue Feb 26 17:25:14 EST 2013
Disclosed are method and apparatus for identifying members of a social network who have a high likelihood of providing a useful response to a query. A query engine examines the personal pages of a set of members and automatically gleans semantic information relevant to the query. From the automatically-gleaned semantic information, a score indicative of the likelihood that the member may provide a useful response is calculated.
System And Method For Monitoring Network Traffic,
Tue Feb 12 17:25:05 EST 2013
Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.
Method And Apparatus For Identifying Phishing Websites In Network Traffic Using Generated Regular Expressions,
Tue Nov 06 16:12:14 EST 2012
According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as "legitimate". This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.
Method And Apparatus For Providing Mobile Honeypots,
Tue Apr 10 16:09:54 EDT 2012
A method and apparatus for detecting an originator of traffic of interest is provided. One or more honeypots are established. Mobility is then provided to the one or more honeypots. In one embodiment, mobility is provided by communicating information associated with one or more dark prefixes. In another embodiment, mobility is provided by varying information related to the one or more dark prefixes.
Method And Apparatus For Automatic Identification Of Phishing Sites From Low-Level Network Traffic,
Tue Mar 20 16:09:34 EDT 2012
A module is configured to identify a phishing Web site. The module identifies email associated with a Web site and transmitted to a plurality of recipients. The module then determines that the Web site has received less than a first threshold amount of traffic before a first time. The module then determines that the Web site has received more than a second threshold amount of traffic between the first time and a second time (i.e., a spike in traffic between the first time and the second time). The module then determines that at least a portion of the more than a second threshold amount of traffic is received as a result of the email associated with the Web site being sent to the plurality of recipients.
Method And Apparatus For Providing An Application-Level Utility Metric,
Tue Jan 17 16:08:59 EST 2012
A method and apparatus for providing an application utility metric for an application by taking into account of multiple protocols used by the application as well as at least one interaction of the application at the application-level that is deemed to be useful are disclosed. For example, the method computes a protocol overhead of one or more underlying Internet Protocol suite protocols supporting the application. The method also computes an application-level overhead based on at least one application-level interaction. Finally, the method computes the application-level utility metric in accordance with the protocol overhead and the application-level overhead.
Method And Apparatus For Communicating Intrusion-Related Information Between Internet Service Providers,
Tue Jan 03 16:08:52 EST 2012
Disclosed is a system and method for the sharing of intrusion-related information. The sharing of intrusion-related information occurs via a peering relationship between a first Internet Service Provider (ISP) and a second ISP. A first node associated with a first ISP transmits intrusion-related information to a second node associated with a second ISP. The first node identifies intrusion-related information meeting a first criteria. The first node then transmits the intrusion-related information to the second node. The intrusion-related information includes one or more of a list of attackers that previously probed the first node, the protocol used, the time of the probes, and the individual alarms raised.
Automatic Generation Of Embedded Signatures For Duplicate Detection On A Public Network,
Tue Jul 12 16:02:10 EDT 2011
In accordance with an aspect of the invention, a method and system are disclosed for constructing an embedded signature in order to facilitate post-facto detection of leakage of sensitive data. The leakage detection mechanism involves: 1) identifying at least one set of words in an electronic document containing sensitive data, the set of words having a low frequency of occurrence in a first collection of electronic documents; and, 2) transmitting a query to search a second collection of electronic documents for any electronic document that contains the set of words having a low frequency of occurrence. This leakage detection mechanism has at least the following advantages: a) it is tamper-resistant; b) it avoids the need to add a watermark to the sensitive data, c) it can be used to locate the sensitive data even if the leakage occurred before the embedded signature was ever identified; and, d) it can be used to detect an embedded signature regardless of whether the data is being presented statically or dynamically.
System And Method For Profiling Resource Constraints Of Web Servers,
Tue Apr 26 16:02:05 EDT 2011
Disclosed is a method and system for determining one or more performance characteristics of a target server. A command is transmitted from a coordinator to a plurality of clients. The command instructs the plurality of clients to each transmit a request targeting a sub-system of said target server. A response time is then received from each client and a performance characteristic is determined from the received response times.
Reverse Engineering Peering At Internet Exchange Points,
Tue Mar 29 16:02:00 EDT 2011
A technique for examining the relationships of autonomous systems (ASes) participating in an Internet Exchange Point (IXP) utilizes packet tracing servers proximate the IXPs. Where such packet tracing servers cannot be found in the participating ASes, the methodology identifies additional vantage points by looking at a list of ASes that are one hop away from the ASes at the IXP. The choice of one-hop away ASes is made judiciously by picking ones that have better connectivity, based on past-data. Plural-hop ASes may also be used where necessary.
Method And Apparatus For Sketch-Based Detection Of Changes In Network Traffic,
Tue Jul 06 15:50:33 EDT 2010
A sketch-based change detection technique is introduced for anomaly detection. The technique is capable of detecting significant changes in massive data streams with a large number of network time series. As part of the technique, we designed a variant of the sketch data structure, called k-ary sketch, uses a constant, small amount of memory, and has constant per-record update and reconstruction cost. A variety of time series forecast models are implemented on top of such summaries and detect significant changes by looking for flows with large forecast errors. Heuristics for automatically configuring the forecast model parameters are presented. Real Internet traffic data is used to demonstrate and validate the effectiveness of sketch-based change detection method for utilization as a building block for network anomaly detection and traffic measurement in large computer networks.
Method And Apparatus For Compensating For Performance Degradation Of An Application Session,
Tue Jun 22 15:50:28 EDT 2010
Disclosed is a method and apparatus for compensating for a performance degradation of an application session in a plurality of application sessions associated with a network link. The performance of each application session in the plurality of application sessions associated with the network link is determined. The performance of each application session in the plurality is then compared. From this comparison, a lowest performance application session in the plurality of application sessions is identified. Corrective action is performed on packets scheduled to be transmitted over the lowest performance application session.
System And Method For Monitoring Network Traffic,
Tue Feb 02 15:50:21 EST 2010
Described is a method of assigning a network address to a trap, the network address being a dark address of a virtual private network. The network traffic destined for the network address is monitored and a classification of the network traffic is determined. After the classification, a predetermined response is executed based on the classification of the traffic.
Method And Apparatus For Improving End To End Performance Of A Data Network,
Tue Feb 02 15:50:20 EST 2010
A method and apparatus provide improved cache coherency and more effective caching operations without placing an undue burden on network links. A proxy receives a request for a resource and then, depending on information in the proxy cache, generates a resource request for transmission to a resource server. The proxy appends a proxy filter to the request. The resource server maintains one or more volumes of resources based on some predetermined criterion that can be either static or dynamic in nature. Upon receipt of the request and the proxy filter the resource server generates a request response and a piggybacked list of additional resources selected from the volume with which the requested resource is associated.
System And Method For Inferring Traffic Legitimacy Through Selective Impairment,
Tue Dec 08 15:38:56 EST 2009
Described is a system and method for determining a classification of an application that includes initiating a stress test on the application, the stress test including a predetermined number of stress events, wherein the stress events are based on a network impairment. A response by the application to each stress event is identified and the application is classified as a function of the response into one of a first classification and a second classification, the first classification indicative of a normal application and the second classification indicative of an undesired application. If, the application is in the second classification, a network response procedure is executed.
Method For Fast Network-Aware Clustering,
Tue Dec 01 15:38:53 EST 2009
A method for clustering together network IP addresses is disclosed. A number of IP addresses are received and processed to determine which IP addresses share a longest prefix matching. The longest prefix matching process is performed according to radix encoded trie which facilitates on-line clustering of the IP addresses. Client and/or server IP addresses may be clustered in accordance with the teachings herein.
Method for improving web performance by adapting servers based on client cluster characterization,
Tue Nov 13 18:12:26 EST 2007
The present invention is a method for improving delivery of content to a client communicating with a server on the Web. Groups or clusters of clients are formed by processing the IP addresses of the clients according to a network-aware, radix-encoded trie classification process. The groups of clients are categorized based on information about one or more clients in each group that can be determined by the server. That information is used to help drive tailored actions on the part of Web servers. Users with poor connectivity may choose not to spend much time at a Web site if it takes a long time to receive a page, even if the Web server at the site is not the bottleneck. Retaining such clients may be of interest to a Web site. Better-connected clients may be able to receive enhanced representations of Web pages such as with higher quality images.
Method for fast network-aware clustering,
Tue May 15 18:12:02 EDT 2007
A method for clustering together network IP addresses is disclosed. A number of IP addresses are received and processed to determine which IP addresses share a longest prefix matching. The longest prefix matching process is performed according to radix encoded trie which facilitates on-line clustering of the IP addresses. Client and/or server IP addresses may be clustered in accordance with the teachings herein.
Fast prefix matching of bounded strings,
Tue Mar 13 01:05:25 EDT 2007
The present invention increases the efficiency of performing longest prefix matching operations by selecting a radix-encoded trie structure optimized with respect to memory cost. The structure is optimized by determining memory costs for retrie structures indexed on different numbers of high-order characters, and then selecting the structure corresponding to the lowest memory cost. The optimization improves performance in IP look-up operations as well as longest-prefix matching operations performed on general alphabets.
Method For Network-Aware Clustering Of Clients In A Network,
Tue Aug 09 18:10:29 EDT 2005
A method for clustering together network clients for guiding of placement of network servers is disclosed. A number of routing table prefix/netmask entries are aggregated and unified into a tubular format. The routing table entries may be converted into a singular format. A network server log is used to extract a number of client IP addresses which are compared to the entries within the unified routing table. A common prefix shared by a number of the client IP addresses and an entry in the unified routing table is determined and used to cluster the clients together in a client cluster. Network servers, such as proxy server, cache servers, content distribution servers and mirror server may be placed in the network according to the client clusters.
Cache Invalidation Technique With Spurious Resource Change Indications,
Tue Jun 28 18:10:25 EDT 2005
A Web server maintains, for one or more resources, a respective list of clients who requested that resource. The server takes on the responsibility of notifying all of those clients on when the resource in question changes, thereby letting them know that if the resource is again asked for by a user, an updated copy will have to be requested from the origin server. The server thereupon purges the client list, and then begins rebuilding it as subsequent requests come in for the resource in question. Invalidation messages are sent to selected victim clients on the client list, independent of whether the resource in question has changed, when the list meets a predetermined criterion, such as becoming too large. The victim clients may include clients who access the server less frequently than others, clients who have accessed the server in the more distant past than other clients, i.e., using a first-in-first methodology, or clients who have not subscribed to a service that keeps them from being victim clients. Review of a client list to determine whether it meets the selected criterion can be invoked every time a client gets added to a client list or on a scheduled basis.
Method and apparatus for improving end to end performance of a data network,
Tue Jun 15 18:09:52 EDT 2004
A method and apparatus provide improved cache coherency and more effective caching operations without placing an undue burden on network links. A proxy receives a request for a resource and then, depending on information in the proxy cache, generates a resource request for transmission to a resource server. The proxy appends a proxy filter to the request. The resource server maintains one or more volumes of resources based on some predetermined criterion that can be either static or dynamic in nature. Upon receipt of the request and the proxy filter the resource server generates a request response and a piggybacked list of additional resources selected from the volume with which the requested resource is associated.
Method For Effective Indexing Of Partially Dynamic Documents,
Tue Aug 12 18:08:49 EDT 2003
A method more efficiently indexes dynamic documents. The method adjusts the frequency with which dynamic documents are retrieved taking into account the extent to which the document varies between its most recent retrievals. Furthermore, the method selects portions of the document to be indexed based on the substance of the differences between recently retrieved copies.
Method For Cache Validation For Proxy Caches,
Tue Jun 10 18:08:45 EDT 2003
A proxy cache maintains a copy of multiple resources from various servers in a network. When the proxy cache must generate a validation request for at least one resource at one of the servers, the proxy cache piggybacks one or more additional cache validation requests related to documents presently stored in the cache but originating from or associated with the server in question. Upon receipt of an indication of the freshness or validity of the cached copy of the document, the proxy cache can then make a determination as to whether to request an update of the document.
Method for effective indexing of partially dynamic documents,
Tue Aug 13 18:08:24 EDT 2002
A method more efficiently indexes dynamic documents. The method adjusts the frequency with which dynamic documents are retrieved taking into account the extent to which the document varies between its most recent retrievals. Furthermore, the method selects portions of the document to be indexed based on the substance of the differences between recently retrieved copies.
Method of clustering electronic documents in response to a search query,
Tue Mar 26 18:07:36 EST 2002
A method of presenting clusters of documents in response to a search query where the documents within a cluster are determined to be related to one another. This relationship is assessed by comparing documents which match one or more terms in the query to determine the extent to which the documents have commonality with respect to terms appearing infrequently in the collection of documents. As a consequence, the cluster of documents represents a response or query result that is split across multiple documents. In a further variation the cluster can be constituted by a structured document and an unstructured document.
Method for providing more informative results in response to a search of electronic documents,
Tue Jan 08 18:07:20 EST 2002
A method provides a more informative result to a user in connection with the search for documents in a database. In particular, the method provides augmented addresses, in the Internet environment augmented universal resource locators, which include an indication of a document attribute which may be of interest to the user. Such attributes may include an indication of the language of the document (e.g., English or Japanese) or the popularity of the document.
Method and apparatus for improving end to end performance of a data network,
Tue Dec 11 18:07:18 EST 2001
A method and apparatus provide improved cache coherency and more effective caching operations without placing an undue burden on network links. A proxy receives a request for a resource and then, depending on information in the proxy cache, generates a resource request for transmission to a resource server. The proxy appends a proxy filter to the request. The resource server maintains one or more volumes of resources based on some predetermined criterion that can be either static or dynamic in nature. Upon receipt of the request and the proxy filter the resource server generates a request response and a piggybacked list of additional resources selected from the volume with which the requested resource is associated.
Method of clustering electronic documents in response to a search query,
Tue Dec 26 18:06:00 EST 2000
A method of presenting clusters of documents in response to a search query where the documents within a cluster are determined to be related to one another. This relationship is assessed by comparing documents which match one or more terms in the query to determine the extent to which the documents have commonality with respect to terms appearing infrequently in the collection of documents. As a consequence, the cluster of documents represents a response or query result that is split across multiple documents. In a further variation the cluster can be constituted by a structured document and an unstructured document.
Method for using region-sets to focus searches in hierarchical structures,
Tue Oct 17 18:06:52 EDT 2000
A method improves a search in a hierarchical structure by focusing the search to selected regions within the structure. The method defines one or more region-sets and uses the region-set(s) as either a filter for the results of a key-word search or an integrated part of a search engine to increase the efficiency of the search engine. The method also provides for dynamic creation of new region-sets from existing region-sets using a prescribed set of operators.
Method for improving the results of a search in a structured database,
Tue Jun 06 18:05:32 EDT 2000
A method enhances the presentation of search results from a structured database. In accordance with the method, a search query including two or more attribute/value pairs is presented to a system. The system then identifies a plurality of records which each minimally match the search query. Each document or record in the plurality of identified records is assigned a weight based on at least two factors: the extent to which the record matches the entire search query; and the relative frequency with which the attribute/value pair that matches the given record matches the records of the remainder of the structured database. The plurality of records that minimally match the search query are then identified to the requester in ranked order based on the assigned weights.
Method for providing more informative results in response to a search of electronic documents,
Tue May 30 18:05:32 EDT 2000
A method provides a more informative result to a user in connection with the search for documents in a database. In particular, the method provides augmented addresses, in the Internet environment augmented universal resource locators, which include an indication of a document attribute which may be of interest to the user. Such attributes may include an indication of the language of the document (e.g., English or Japanese) or the popularity of the document.
Method for using region-sets to focus searches in hierarchical structures,
Tue Oct 19 18:05:24 EDT 1999
A method improves a search in a hierarchical structure by focusing the search to selected regions within the structure. The method defines one or more region-sets and uses the region-set(s) as either a filter for the results of a key-word search or an integrated part of a search engine to increase the efficiency of the search engine. The method also provides for dynamic creation of new region-sets from existing region-sets using a prescribed set of operators.
Method and apparatus for sharing a web page,
Tue Sep 21 18:05:16 EDT 1999
A method and apparatus for one user of the World Wide Web (WWW) to share an interesting WWW page with other users who have interest in the subject matter thereof. The user offers to share this WWW page by transmitting an announcement thereof. The other users have pre-arranged specifications stored in memory of their server(s) of what subject matter announcements will be accepted from which announcing users. Thus, the recipients can limit or filter the announcements of the URL's that they receive from others. If there is a match between the announcer's subject matter, perhaps the announcer's identity and/or employer's identity, and the recipient's specified acceptance criteria, then the server performing match up will take the action specified by the other user to be taken. Actions to be taken include load URL into WWW browser and download announced WWW page immediately for viewing, and store URL for later review.
Method for effective indexing of partially dynamic documents,
Tue Sep 21 01:05:24 EDT 1999
A method more efficiently indexes dynamic documents. The method adjusts the frequency with which dynamic documents are retrieved taking into account the extent to which the document varies between its most recent retrievals. Furthermore, the method selects portions of the document to be indexed based on the substance of the differences between recently retrieved copies.
