Patents Examined by Fikremariam A Yalew
  • Patent number: 8533471
    Abstract: After a radio link is established between a mobile subscriber terminal and an access network, to authenticate the subscriber an authentication proxy server of an intermediate network forwards at least one authentication message containing a subscriber identification between the access network and a home network of the subscriber. If authentication is given by an authentication server of the home network, the authentication proxy server of the intermediate network stores the subscriber identification. The home agent receives a registration request message originating from the subscriber terminal and containing a subscriber identification; the home agent transmits a key request message, containing the subscriber identification, for a mobile key to the relevant authentication proxy server.
    Type: Grant
    Filed: October 27, 2006
    Date of Patent: September 10, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Dirk Kröselberg, Maximilian Riegel
  • Patent number: 8533773
    Abstract: Embodiments of the invention provide methods and systems for implementing service level consolidated user information management. According to one embodiment, a method comprises intercepting, at a policy enforcer, a manipulation request of data. The method may further include analyzing the request to determine which data the manipulation request is associated with and, based on that analysis, selecting a policy from a plurality of policies. Furthermore, the method may execute the selected policy. The policy may be configured to direct the policy enforcer to allow the manipulation request to pass through to the associated destination data system to process the request, delegate processing of the manipulation request to at least one of a plurality of data systems, or process the manipulation request by the policy enforcer.
    Type: Grant
    Filed: November 17, 2010
    Date of Patent: September 10, 2013
    Assignee: Oracle International Corporation
    Inventor: Stephane H. Maes
  • Patent number: 8527754
    Abstract: A system, apparatus, computer program product and method for authorizing information flows between devices of a data processing system are provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices regardless of the particular action being performed on the information object as part of the information flow.
    Type: Grant
    Filed: August 19, 2011
    Date of Patent: September 3, 2013
    Assignee: International Business Machines Corporation
    Inventors: Diana J. Arroyo, George R. Blakley, III, Damir A. Jamsek, Sridhar R. Muppidi, Kimberly D. Simon, Ronald B. Williams
  • Patent number: 8516256
    Abstract: The present invention concerns a method for optimizing a route between a mobile node and a correspondent node in mobile Internet protocol networks. The mobile node is served by an anchor point being a node, e.g. a mobile IP home agent. According to the method the anchor point generates a Multi-key Cryptographically Generated Address (MCGA) for the mobile node. The MCGA is generated using at least the public keys of the mobile node and the anchor point. The anchor point assigns and registers the generated MCGA as a home address for the mobile node and sends a binding update message to the correspondent node on behalf of the mobile node. The binding update message includes at least a signature of the MCGA signed by the anchor point. Thereby route optimization can be performed such that data packets can be exchanged between the mobile node and the correspondent node without routing the packets via the anchor point.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: August 20, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Christian Vogt, Shinta Sugimoto
  • Patent number: 8510559
    Abstract: A method and apparatus for securing the interface between a Universal Integrated Circuit Card (UICC) and a Terminal in wireless communications is disclosed. The security of Authentication and Key Agreement (AKA) and application level generic bootstrapping architecture (GBA) with UICC-based enhancements (GBA_U) procedures is improved. A secure shared session key is used to encrypt communications between the UICC and the Terminal. The secure shared session key is generated using authenticating or non-authenticating procedures.
    Type: Grant
    Filed: April 7, 2009
    Date of Patent: August 13, 2013
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Louis J. Guccione, Yevgeniy Dodis, Yogendra C. Shah, Inhyok Cha
  • Patent number: 8510826
    Abstract: Service provider-independent on-demand distributed denial of service (DDoS) mitigation. A mitigation provider provides a service to customers to remove or reduce DDoS attacks regardless of the customer's relationship with a service provider. Customer profiles about the customers' IP traffic are loaded into mitigation devices. When a DDoS attack occurs, customer profiles are activated in a set of the mitigation devices. Routes are also modified to steer customer traffic to the mitigation devices. DDoS packets are removed at the mitigation devices and the “cleaned” IP traffic is subsequently routed to the destination.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: August 13, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Orin Paul Reams, III, Russell Alan Constantine
  • Patent number: 8505080
    Abstract: A method for generating a cross-site scripting attack is provided. An attack string sample is analyzed for obtaining a token sequence. A string word corresponding to each token is used to replace the token for generating a cross-site scripting attack string. Accordingly, a large number of cross-site scripting attacks are generated automatically, so as to execute a penetration test for a website.
    Type: Grant
    Filed: November 17, 2011
    Date of Patent: August 6, 2013
    Assignee: National Taiwan University of Science and Technology
    Inventors: Hahn-Ming Lee, Yi-Hsun Wang, Kuo-Ping Wu, Ching-Hao Mao, Jerome Yeh
  • Patent number: 8495753
    Abstract: A device management system includes a meeting support system that is configured to generate and transmit a plurality of electronic meeting invitations to a plurality of mobile wireless devices that correspond to a plurality of meeting participants and receive responses indicating whether the plurality of participants will attend the electronic meeting. The device management system receives identification data that identifies one or more documents or information that will be made available to the plurality of participants. The meeting support system determines whether the plurality of participants is authorized to access the one or more electronic documents or information. If any of the participants are not authorized to access any of the electronic documents or information, the meeting support system notifies the meeting organizer. The device management system may also include a meeting session management system that is configured to share information among the plurality of mobile wireless devices.
    Type: Grant
    Filed: September 16, 2010
    Date of Patent: July 23, 2013
    Assignee: Ricoh Company, Ltd.
    Inventors: Tetsuro Motoyama, Yasuo Ishizaki
  • Patent number: 8490193
    Abstract: A system and method for automated probabilistic planning of network attacks against infrastructures of computer networks and applications is provided. The embodiments automate the analysis and probabilistic planning of multi-step attacks to computer and application networks (in particular in the context of automating penetration tests), optimizing with respect to one of the following metrics: the probability of success of the actions, a numerical parameter that must be minimized (e.g., running time), or the number of logs generated by the control devices in the target network.
    Type: Grant
    Filed: September 8, 2010
    Date of Patent: July 16, 2013
    Assignee: Core Security Technologies
    Inventors: Carlos Emilio Sarraute Yamada, Ariel Futoransky, Gerardo Gabriel Richarte, Jorge Lucangeli Obes
  • Patent number: 8484702
    Abstract: A method includes receiving a request from a network source to create a logical socket on a logical port. The method includes accessing a structure that indicates a plurality of logical socket allocation policies to select a first of the plurality of socket allocation policies that corresponds to the logical port. Each of the plurality of logical socket allocation policies governs logical socket allocation for one or more ports, wherein logical allocation policies govern at least one of 1) the number of logical sockets that are allocated to the one or more logical ports, 2) a maximum number of logical sockets shared between a grouping of two or more logical ports, and 3) a maximum number of logical sockets. The method includes determining if the first logical socket allocation policy allows for allocation of the logical socket for the network source to communicate. The method includes allocating a logical socket.
    Type: Grant
    Filed: August 1, 2012
    Date of Patent: July 9, 2013
    Assignee: International Business Machines Corporation
    Inventors: Dwip N. Banerjee, Marco A. Cabrera, Tommy L. McLane, Eduardo L. Reyes
  • Patent number: 8484474
    Abstract: A method for installing embedded firmware is provided. The method includes generating one or more firmware file instances and generating one or more digital certificate instances that are separate instances from the firmware file instances. The method includes associating the one or more digital certificate instances with the one or more firmware file instances to facilitate updating signature-unaware modules with signature-aware firmware or to facilitate updating signature-aware modules with signature-unaware firmware.
    Type: Grant
    Filed: July 1, 2010
    Date of Patent: July 9, 2013
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Brian A. Batke, Jack M. Visoky, James J. Kay, Scott A. Mintz, William B. Cook
  • Patent number: 8474042
    Abstract: Systems and methods for calculating threat scores for individuals within an organization or domain are provided. Aspects of the invention relate to computer-implemented methods that form a predictive threat rating for user accounts. In one implementation, a threat score representing a first time period may be calculated. The first threat score may be calculated from a quantification of a plurality of activity violations across a plurality of control groups. Weighting schemes may be applied to certain activities, controls, and/or user accounts. Further embodiments may be configured to consider additional indicators. Further aspects relate to apparatuses configured to execute methods for ranking individual user accounts. Certain embodiments may not block transmissions that violate predefined rules; however, indications of such improper transmission may be considered when constructing a threat rating.
    Type: Grant
    Filed: July 22, 2010
    Date of Patent: June 25, 2013
    Assignee: Bank of America Corporation
    Inventors: Amanda Sorensen, Allan Byers
  • Patent number: 8464318
    Abstract: A method for securing a web client against malicious web attacks is performed by a secure gateway deployed between a web client and a web server. The method comprises receiving a uniform resource locator (URL) request from the web client; sending the URL request to the web server for executing server side web application code responsive to the URL request; receiving client side application code from the web server; executing the client side application code on behalf of the web client; and sending the web client user interface updates rendered responsive to the execution of the client side application code.
    Type: Grant
    Filed: November 23, 2009
    Date of Patent: June 11, 2013
    Inventor: Renen Hallak
  • Patent number: 8464061
    Abstract: A secure wireless communication link (pairing) between two devices can be established using cleartext wireless transmissions between devices not joined to a network (“probes”). One device can broadcast a first probe indicating that it is seeking to establish a pairing. The other device can respond with a second probe, and the two devices can establish a shared secret, e.g., by exchanging further information using additional probes. Thereafter, either device can send a message to the other by encrypting the message using a cryptographic key derived from the shared secret; encrypted messages can also be sent within probes. The receiving device can extract an encrypted message from a probe and decrypt it using the cryptographic key. The encrypted message can include credentials usable by the receiving device to join a wireless network.
    Type: Grant
    Filed: August 30, 2010
    Date of Patent: June 11, 2013
    Assignee: Apple Inc.
    Inventor: Bob Bradley
  • Patent number: 8453250
    Abstract: This invention provides an option management system, an option management method and a recording medium for a digital device which can charge expenses when an optional function is added, and is superior in the convenience and security. The option management system comprises a user terminal, a client terminal, and a digital device connected via a network to the user terminal and the client terminal, which performs a control process for validation or invalidation if a license key purchased by the user for an optional function of each software for monitoring, controlling and maintaining the device itself is inputted from the user terminal.
    Type: Grant
    Filed: November 21, 2008
    Date of Patent: May 28, 2013
    Assignee: NEC Corporation
    Inventor: Masanao Amimoto
  • Patent number: 8452005
    Abstract: Unicode character data is received for transcoding. The Unicode character data is transcoded to an intermediate value. The intermediate value is enciphered. The enciphered intermediate value is transcoded back to Unicode-compatible character data. The transcoding includes assembling character values from the Unicode character data into one or more blocks and representing the assembled character values in a compact form.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: May 28, 2013
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 8443441
    Abstract: A system and methods of detecting an occurrence of a violation of an email security policy of a computer system. A model relating to the transmission of prior emails through the computer system is defined which is derived from statistics relating to the prior emails. For selected emails to be analyzed, statistics concerning the selected email are gathered. Such statistics may refer to the behavior or other features of the selected emails, attachments to emails, or email accounts. The determination of whether a violation of an email security policy has occurred is performed by applying the model of prior email transmission to the statistics relating to the selected email. The model may be statistical or probabilistic. A model of prior email transmission may include grouping email recipients into cliques. A determination of a violation of a security policy may occur if email recipients for a particular email are in more than one clique.
    Type: Grant
    Filed: December 8, 2009
    Date of Patent: May 14, 2013
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Salvatore J. Stolfo, Eleazar Eskin, Shlomo Herskop, Manasi Bhattacharyya
  • Patent number: 8442230
    Abstract: A light-weight resilient mechanism is used to synchronize server secure keying data with member devices in a highly-scalable distributed group virtual private network (VPN). A server device generates an initial secure keying data set, for the VPN, that includes a first version identifier, and sends, to member devices and via point-to-point messages, the secure keying data set. The server device sends, to the member devices, heartbeat push messages including the first version identifier. The server device generates an updated secure keying data set with a second version identifier and sends, to the member devices, a key push message that includes the updated data set. The server device sends, to the member devices, heartbeat push messages including the second version identifier. Member devices may use the first and second version identifiers to confirm that secure keying data sets are current and quickly identify if updates are missed.
    Type: Grant
    Filed: November 23, 2010
    Date of Patent: May 14, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Anthony Ng, Chih-Wei Chao, Nagavenkata Suresh Melam, Nilesh Kumar Maheshwari
  • Patent number: 8438402
    Abstract: An electronic terminal performs early detection of unauthorized analysis thereon and prevents unauthorized acquisition and falsification of confidential information that is not to be released to a third party. The electronic terminal stores confidential information that is protected by consecutive application of a plurality of protection measures for defense against an attack from a third party. The electronic terminal monitors for attacks to the protection measures from an external source, and upon detecting an attack on one protection measure, updates a protection state of the confidential information to a new protection state in which either a new protection measure has been added to a protection path from the one attacked protection means to the confidential information, or the one protection measure on the path has been updated to a higher defense level.
    Type: Grant
    Filed: March 19, 2009
    Date of Patent: May 7, 2013
    Assignee: Panasonic Corporation
    Inventors: Hideki Matsushima, Natsume Matsuzaki, Kaoru Yokota, Tomoyuki Haga
  • Patent number: 8428264
    Abstract: A method and system for commissioning a wireless connection with a related authentication and the eventual encryption to a remote relay node, whereto an electronic mobile device is connected to a hosting wireless access node for transmitting/receiving data to/from a service provider available on the Internet by means of a commissioned relay access node selected by an authentication and commissioning manager. The data transfer between the mobile device and the service provider is encapsulated into the tunnel between the hosting wireless access node and the commissioned relay access node and is finally forwarded by the commissioned relay access node to the service provider. The service provider thereby is exchanging data with the commissioned relay access node and not directly with the hosting wireless access node.
    Type: Grant
    Filed: April 30, 2009
    Date of Patent: April 23, 2013
    Assignee: PeerTribe SA
    Inventors: Angelo Maestrini, Fabio de Vito, Davide Lenzarini