180 Park Ave - Building 103
Florham Park, NJ
http://www.research.att.com/~kobus
I am a networking systems researcher with a broad interest in all aspects of networking including network management, control and operation, network evolution, network security, content distribution and cloud computing.
AT&T Science & Technology Medal, 2009.
For technical innovation and leadership in furthering AT&T's competitive edge by creating and deploying intelligent network controls for AT&T's IP/MPLS networks.
Intelligent Computer Network Routing Using Logically Centralized, Physically Distributed Servers Distinct From Network Routers,
April 24, 2012
A route control architecture allows a network operator to flexibly control routing between the traffic ingresses and egresses in a computer network, without modifying existing routers. An intelligent route service control point (IRSCP) replaces distributed BGP decision processes of conventional network routers with a route computation that is flexible and logically centralized but physically distributed. One embodiment supplements the traditional BGP decision process with a ranking decision process that allows route-control applications to explicitly rank traffic egresses on a per-destination, per-router basis. A straightforward set of correctness requirements prevents routing anomalies in implementations that are scalable and fault-tolerant.
Progressive Wiretap,
April 17, 2012
Disclosed is a method and system for identifying a controller of a first computer transmitting a network attack to an attacked computer. To identify an attacker implementing the attack on the attacked computer, the present invention traces the attack back to the controller one hop at a time. The invention examines traces of the attacked computer to identify the first computer. Traffic transmitted to the first computer is redirected through a monitoring complex before being transmitted to the first computer. The controller is then detected from traffic monitoring by the monitoring complex.
Systems, Devices, And Methods For Network Routing,
April 17, 2012
Certain exemplary embodiments comprise a method, which can comprise providing a preferred route for a predetermined block of traffic to a router. The predetermined block of traffic can be destined for a predetermined destination. The predetermined destination can be coupled to a network via a plurality of routers. The preferred route can be adapted to override an initial route.
Construction Of A Per-Customer Blacklist To Filter Unwanted Traffic,
April 17, 2012
Traffic flow from a traffic source with a source IP address to a customer system with a destination IP address is filtered by comparing the source IP address to a customer blacklist. If the source IP address is on the customer blacklist, then traffic to the customer system is blocked; else, traffic to the customer system is allowed. The customer blacklist is generated from a network blacklist, comprising IP addresses of unwanted traffic sources, and a customer whitelist, comprising IP addresses of wanted traffic sources. The customer blacklist is generated by removing from the network blacklist any IP address also on the customer whitelist. The network blacklist is generated by acquiring raw blacklists from reputation systems. IP addresses on the raw blacklists are sorted by prefix groups, which are rank ordered by traffic frequency. Top prefix groups are selected for the network blacklist.
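The blacklist-construction procedure described in this abstract, worked through as an added example (not AT&T's code or any implementation from the patent). It assumes that a "prefix group" is a /24 network and that "traffic frequency" is the number of raw-blacklist entries falling into that prefix, counting a repeated report from a second feed as a separate entry; the reputation feeds and addresses are constructed sample data.

```python
"""Per-customer blacklist construction from raw reputation feeds.

Added example. Assumptions (not stated in the abstract):
  * a prefix group is a /24 network (prefixlen below);
  * a group's "traffic frequency" is its number of raw-blacklist entries.
"""
import ipaddress
from collections import Counter

# Constructed sample: three hypothetical reputation feeds (documentation ranges).
RAW_BLACKLISTS = {
    "feed_a": ["198.51.100.7", "198.51.100.9", "203.0.113.5", "192.0.2.40"],
    "feed_b": ["198.51.100.12", "203.0.113.5", "203.0.113.77"],
    "feed_c": ["198.51.100.7", "203.0.113.200", "192.0.2.42"],
}


def prefix_group(addr, prefixlen=24):
    """Map a single address to the prefix group it belongs to."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def build_network_blacklist(raw_blacklists, top_n=2, prefixlen=24):
    """Merge the raw feeds, sort entries into prefix groups, rank the groups
    by entry count and keep only the addresses of the top_n groups.
    Returns (network_blacklist, ranked_groups)."""
    hits = Counter()
    members = {}
    for addrs in raw_blacklists.values():
        for a in addrs:
            g = prefix_group(a, prefixlen)
            hits[g] += 1
            members.setdefault(g, set()).add(ipaddress.ip_address(a))
    # Highest frequency first; ties broken by the prefix itself for determinism.
    ranked = sorted(hits, key=lambda g: (-hits[g], g))
    network_blacklist = set()
    for g in ranked[:top_n]:
        network_blacklist |= members[g]
    return network_blacklist, ranked


def build_customer_blacklist(network_blacklist, customer_whitelist):
    """Customer blacklist = network blacklist minus the customer's whitelist."""
    wanted = {ipaddress.ip_address(a) for a in customer_whitelist}
    return network_blacklist - wanted


def filter_flow(src_addr, customer_blacklist):
    """Decision for one flow: block if the source is on the customer blacklist."""
    return "block" if ipaddress.ip_address(src_addr) in customer_blacklist else "allow"


if __name__ == "__main__":
    nb, ranked = build_network_blacklist(RAW_BLACKLISTS, top_n=2)
    cb = build_customer_blacklist(nb, customer_whitelist=["203.0.113.5"])
    print("ranked groups:", [str(g) for g in ranked])
    for src in ("198.51.100.7", "203.0.113.5", "192.0.2.42"):
        print(src, "->", filter_flow(src, cb))
```

With the sample feeds, the two /24s with four entries each form the network blacklist; 192.0.2.0/24 is dropped because it ranks below the top_n cut-off, so 192.0.2.42 is allowed even though a feed reported it, and the whitelisted 203.0.113.5 is allowed for this customer only.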
Method, System, And Device For Sending Data In A Cable Data Service,
August 2, 2011
A method of sending data from a transmit site to a receive device includes dividing a first transmit data stream having a first bit rate into multiple data streams with each of the multiple data streams having a bit rate that is lower than the first bit rate. Each of the multiple data streams is transmitted over a cable network having multiple radio frequency channels. The multiple data streams are recombined at the receive device to provide a receive data stream having a bit rate equal to the first bit rate. A second transmit data stream is transmitted over one of the radio frequency channels to a legacy user connected to the one radio frequency channel between the transmit site and the receive device.
Automated Disambiguation Of Fixed-Serverport-Based Applications From Ephemeral Applications,
July 5, 2011
Provided are methods for partitioning communication data in a network and disambiguating fixed or non-ephemeral communication data from ephemeral communication data and services. In one example, k-means data clustering is used to partition or cluster server ports based on a location of the server ports in a 2-dimensional space. The location of the server ports may be based on a number of connections per server port and the number of servers using that port.
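The 2-D k-means partitioning this abstract describes, as an added example that is not code from the patent or from AT&T. Each server port is a point whose coordinates are the number of connections seen to that port and the number of distinct servers using it; the port statistics are constructed sample data, and two details are assumptions of this example: both axes are log-scaled before clustering so the raw connection count does not dominate, and the cluster whose centroid has the larger servers-per-port coordinate is labelled the fixed-server-port cluster.

```python
"""k-means disambiguation of fixed server ports from ephemeral ports.

Added example. Assumptions: log1p scaling of both axes, deterministic seeding
(k evenly spaced points along the sorted x axis), and the cluster with the
higher mean "servers using the port" is the fixed-server-port cluster.
"""
import math

# Constructed sample: port -> (connections to that port, distinct servers on it)
PORT_STATS = {
    80:    (12000, 340),
    443:   (9800, 290),
    25:    (3100, 120),
    22:    (2600, 150),
    53:    (4000, 200),
    49152: (6, 1),
    51234: (3, 1),
    60123: (9, 2),
    33801: (4, 1),
    45567: (5, 2),
}


def _features(stats):
    """2-D feature per port; log1p keeps both axes on comparable scales (assumption)."""
    return {p: (math.log1p(conns), math.log1p(servers)) for p, (conns, servers) in stats.items()}


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def kmeans(pts, k=2, iters=100):
    """Lloyd's algorithm. Returns (centroids, labels) with labels aligned to pts."""
    order = sorted(range(len(pts)), key=lambda i: pts[i])
    step = max(1, len(pts) // k)
    centroids = [pts[order[i * step]] for i in range(k)]  # deterministic seeding
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda j: _dist(p, centroids[j])) for p in pts]
        if new == labels:            # assignment stable: converged
            break
        labels = new
        for j in range(k):
            members = [p for p, lab in zip(pts, labels) if lab == j]
            if members:              # leave an empty cluster's centroid where it was
                centroids[j] = tuple(sum(c) / len(members) for c in zip(*members))
    return centroids, labels


def partition_ports(stats, k=2):
    """Label every port 'fixed' or 'ephemeral' via k-means on its 2-D location."""
    feats = _features(stats)
    ports = list(feats)
    pts = [feats[p] for p in ports]
    centroids, labels = kmeans(pts, k)
    # Cluster with the most servers per port is the fixed-server-port cluster (assumption).
    fixed = max(range(k), key=lambda j: centroids[j][1])
    return {p: ("fixed" if labels[i] == fixed else "ephemeral") for i, p in enumerate(ports)}


if __name__ == "__main__":
    for port, kind in sorted(partition_ports(PORT_STATS).items()):
        print(f"{port:>6}  {kind}")
```

On the sample data the well-known service ports (22, 25, 53, 80, 443) land in one cluster and the high-numbered ports in the other; the point of the scaling assumption is that a port with a moderate connection count but many distinct servers still clusters with the fixed ports rather than being pulled toward the ephemeral group by the raw connection axis.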
Method For Applying Macro-Controls Onto IP Networks Using Intelligent Route Indexing,
March 29, 2011
Systems and methods are described that manage routing information in an IP network using extensible indexing and use the indexing to control the network. The indexing and associated controls apply to any router within the routing domain.
Intelligent Computer Network Routing Using Logically Centralized, Physically Distributed Servers Distinct From Network Routers,
March 8, 2011
A route control architecture allows a network operator to flexibly control routing between the traffic ingresses and egresses in a computer network, without modifying existing routers. An intelligent route service control point (IRSCP) replaces distributed BGP decision processes of conventional network routers with a route computation that is flexible and logically centralized but physically distributed. One embodiment supplements the traditional BGP decision process with a ranking decision process that allows route-control applications to explicitly rank traffic egresses on a per-destination, per-router basis. A straightforward set of correctness requirements prevents routing anomalies in implementations that are scalable and fault-tolerant.
System And Method For Avoiding And Mitigating A DDoS Attack,
September 14, 2010
Described is a system and method for receiving a data packet including a destination address and a source address, the data packet corresponding to a port number, and assigning an address risk value for the data packet based on the source address and a port risk value for the data packet based on the port number. The data packet is categorized into a community based on the source address, wherein the community is predefined by a user corresponding to the destination address and includes a utility value. The address risk value and the port risk value are compared to the utility value to yield a benefit coefficient, and the data packet is treated based on the benefit coefficient.
Unifying Web Hosting And Content Distribution System And Method For Assuring Predetermined Performance Levels,
February 2, 2010
A service model, integrated system, and method for enabling a service provider to deliver an integrated web hosting and content distribution service offering, which affords assured operational performance service levels, regardless of whether the customer's web site is served by the service provider's hosting center, the service provider's content distribution network (CDN), by a third party web host, or by a third party CDN. A monitoring system of the primary service provider receives detailed capacity and health statistics from any CDN under the operational control of the primary service provider, and receives aggregate capacity and health statistics from other CDNs not under the operational control of the primary service provider. A redirection system then decides to which web host, content distribution network, or combination thereof, user requests for content are directed in order that operational performance service levels are maintained.
Virtual private network,
March 27, 2007
The invention provides apparatus and methods for a Virtual Private Network (VPN) in a network that offers a simple user interface for efficient utilization of network resources. The VPN is defined for a specified set of endpoints each of which is associated with a single hose. A hose provides access to the VPN through an access point which may be a node of the network, for example. The hose is a single interface to the VPN for communication to all other endpoints of the VPN. The VPN achieves network resource allocation efficiency by exploiting resource sharing possibilities via multiplexing routing paths between endpoints and dynamic resource allocation techniques that permit real time resource allocation resizing. When a VPN is established with a VPN service provider, the routing paths between the endpoints of the VPN are optimized for multiplexing opportunities so that resource allocations between nodes along routing paths within the IP network are reduced to a minimum.
Cable data service method,
January 31, 2006
A method for sending data from a transmit site to a receive site which includes dividing a transmit data stream having a first bit rate into multiple data streams with each of the multiple data streams having a bit rate which is lower than the first bit rate, transmitting each of the multiple data streams over a plurality of RF channels and recombining the multiple data streams at the receive site to provide a receive data stream having a bit rate equal to the first bit rate.
Transmit and receive system for cable data service,
January 31, 2006
A transmit and receive system for transmitting data between a transmit site and a receive site. The system includes a tunnel source, router and modulator for dividing a transmit data stream having a first bit rate into multiple data streams with each of the multiple data streams having a bit rate which is lower than the first bit rate, and for transmitting each of the multiple data streams over a plurality of RF channels. The system further includes a demodulator and destination source for recombining the multiple data streams at the receive site to provide a receive data stream having a bit rate equal to the first bit rate.
Method For Content-Aware Redirection And Content Renaming,
October 11, 2005
The present invention is directed to mechanisms for content-aware redirection and content exchange/content discovery that permit a request for content to be redirected to a particular advantageous server that can serve the content.
Virtual Private Network,
June 28, 2005
The invention provides apparatus and methods for a Virtual Private Network (VPN) in a network that offers a simple user interface for efficient utilization of network resources. The VPN is defined for a specified set of endpoints each of which is associated with a single hose. A hose provides access to the VPN through an access point which may be a node of the network, for example. The hose is a single interface to the VPN for communication to all other endpoints of the VPN. The VPN achieves network resource allocation efficiency by exploiting resource sharing possibilities via multiplexing routing paths between endpoints and dynamic resource allocation techniques that permit real time resource allocation resizing. When a VPN is established with a VPN service provider, the routing paths between the endpoints of the VPN are optimized for multiplexing opportunities so that resource allocations between nodes along routing paths within the IP network are reduced to a minimum.