Abstract: Caller name is authenticated using authentication certificates issued by a registration authority that registers callers who wish to terminate calls to callers subscribed to the registration authority. In one embodiment, the authentication certificates are sent to a called device or a proxy for the called device via a path that is separate from the call setup path. An indication is conveyed to the called party to indicate whether the caller name was successfully authenticated.

Abstract: A method and apparatus are provided for suppressing display of advertisements within a video over IP stream provided by a content provider. Metadata is prepended to advertisements within the stream. When the stream is received by an access aggregation point, the access aggregation point compares the metadata of an advertisement with preset criteria provided by an enterprise subscriber, and suppresses the advertisement if a comparison of the metadata and the preset criteria indicate that the advertisement is undesirable to the enterprise subscriber. The access aggregation point suppresses the advertisement by switching to a second video channel within the stream for the duration of the advertisement.

Abstract: A system and method are provided for management of access security by user and device. A security policy enforcement point is provided with a user policy module to receive user credentials from an access device of the user and a point for setting device dependent security policy to receive device credentials from the access device. A user policy is retrieved from a user database with use of the user credentials while a device policy is retrieved from a device database with use of the device credentials. The user policy and device policy are combined and used in the SPEP to enforce a user and device based security policy.

Abstract: A system and method are provided for supporting storage and analysis by law enforcement agency premises equipment of intercepted network traffic. The system and method provide integrity of the intercepted network traffic stored in an archive in accordance with lawful intercept requirements by storing all of the intercepted traffic, both benign and malicious, in the archive in its original form. The system and method furthermore provide for security from any malicious data packets of the archive by separating the malicious packets from the benign packets and forwarding only the benign packets to analysis applications of the law enforcement agency premises equipment.

Abstract: A soft-denial system for client-server networks is disclosed for translating server authorization denials into responses that are known to be innocuous to the client application. The soft-denial system includes a client-application which originates a service request across a network to a server-application which rejects the request due to lack of authorization and subsequently provides a denial response. A soft-denial application intercepts the denial response, translates the response into a response known to be innocuous to the client-application, and forwards the innocuous response to the client-application. The soft-denial system is particularly useful for overcoming client-application failures due to authorization expectation mismatches.

Abstract: Transparent caller name authentication is provided to authorized third parties by creating an Public Key Infrastructure (PKI) certificate chain. An owner of a registered caller name can authorize third parties to use the caller name by issuing a PKI sub-certificate to each authorized third party. An authenticated caller name displays the owner's name to the called party. Outsourcing and mobile employment is thereby facilitated, and called party confusion is reduced.

Abstract: A system and method are provided for management of access security for access by a multimodal device to a converged fixed/mobile network. An inter-technology change-off monitoring entity (ICME) is provided to monitor an inter-technology change-off of the multimodal device and to notify a policy manager of the inter-technology change-off. The policy manager looks up in a policy database, security policies applicable to the user of the multimodal device and the particular technology being used by the multimodal device. The policy manager conveys to various policy enforcement points throughout the converged fixed/mobile network the applicable security policies which take into account the user's identity and the access technology being used.

Abstract: A system and method are provided for providing multiple aliases and associated policy profiles for a user of a VoIP communication system. The user configures a multitude of aliases by the user wishes to be contacted, and associates with each alias a policy stored at a user terminal. The aliases are stored within the network so as to be associated with contact information for the user terminal. A proxy processes call requests by determining the contact information associated with an alias entered by a caller, and forwards the call request to the user terminal associated with the contact information. The user terminal determines the alias used by the caller, and processes the connection request in accordance with the policy. The invention allows users to add and delete aliases in order to effect temporary and private contact information. Calls can be handled depending on which alias was used by a caller, rather than on an identification of the device used by the caller.

Abstract: A method and system for filtering malicious packets received at the edge of a service provider (SP) domain is provided. A protocol aware border element identifies the protocol used by any ingress packet, and then determines which domain-specific information is used in the application payload of the packet to form the source identity. If this packet pretends to come from the SP domain, and no domain entity is allowed to roam, the packet is identified as illegitimate and is subjected to a given security policy. The border element also identifies as legitimate the SP domain entities that are allowed to roam, and legitimate sources outside said SP domain that communicates customary with entities in the SP domain.

Abstract: A soft-denial system for client-server networks is disclosed for translating server authorization denials into responses that are known to be innocuous to the client application. The soft-denial system includes a client-application which originates a service request across a network to a server-application which rejects the request due to lack of authorization and subsequently provides a denial response. A soft-denial application intercepts the denial response, translates the response into a response known to be innocuous to the client-application, and forwards the innocuous response to the client-application. The soft-denial system is particularly useful for overcoming client-application failures due to authorization expectation mismatches.

Abstract: A method and apparatus are provided for suppressing display of advertisements within a video over IP stream provided by a content provider. Metadata is prepended to advertisements within the stream. When the stream is received by an access aggregation point, the access aggregation point compares the metadata of an advertisement with preset criteria provided by an enterprise subscriber, and suppresses the advertisement if a comparison of the metadata and the preset criteria indicate that the advertisement is undesirable to the enterprise subscriber. The access aggregation point suppresses the advertisement by switching to a second video channel within the stream for the duration of the advertisement.

Abstract: A method and apparatus directed to detecting DoS (denial of service) attacks against SIP enabled devices. A substantial imbalance between an accounting of SIP INVITE (INV) and SIP 180 Ringing (N180) messages indicates a DoS attack. Preferably the number (H) of INVITE messages including credentials (INVc) that are sent from a user client in response to a 407 Authentication Required message from a proxy server are removed from the accounting before the balance is tested. If the equation INVo+INVc?H=N180 (where INVo is the number of INVITE messages without credentials) is not true within a small margin of error then the presence of a current DoS attack on the proxy server is indicated by the inequality.

Abstract: A method of network-based digital rights enforcement, and related enforcement device, the method including one or more of the following: embedding information into digital content requested by an end user; providing a signature for the digital content to a service provider; providing a key to the service provider, the key being necessary for reading the information embedded into the digital content; providing an algorithm to the service provider for extracting the information embedded into the digital content; providing an identification to the service provider of a content provider that provides the digital content; extracting the signature from the digital content requested by the end user; analyzing the signature to determine whether a signature match exists; and determining whether the end user is a legitimate authorized user of the requested digital content or capable of distributing content.

Abstract: A method comprising a plurality of operations. An operation is provided for receiving an authentication certificate of a called party. Telephony apparatus of a party calling the called party performs receiving the authentication certificate. An operation is provided for facilitating authentication of the authentication certificate and called party identification information thereof in response to receiving the authentication certificate. An operation is provided for providing an authentication notification in response to facilitating the authentication of the authentication certificate and the called party identification information. The authentication notification indicates successful authentication in response to the authentication being successful and wherein the authentication notification indicates non-successful authentication in response to the authentication not being successful.

Abstract: A method comprises a plurality of operations. An operation is performed for requesting authentication of a target call session party during a call session between the target party and a call session party requesting said authentication. An operation is performed for receiving authentication information of the target call session party during the call session in response to requesting said authentication. An operation is performed for facilitating authentication of said authentication information during the call session in response to receiving said authentication information.

Abstract: A system, device and method for providing data availability for a portable communication device, including various combinations of the following steps: notifying an operator that the portable communication device is missing; triggering encryption of data on the portable communication device; sending a data retrieval command to the portable communication device; authenticating the data retrieval command; retrieving data from the portable communication device; identifying a portion of the data retrieved from the portable communication device that is confidential; encrypting the identified confidential data on the portable communication device; and erasing the identified confidential data from the portable communication device or recovering the portable communication device and decrypting the confidential data on the portable communication device.

Abstract: A system and method are provided for management of access security for access by a multimodal device to a converged fixed/mobile network. An inter-technology change-off monitoring entity (ICME) is provided to monitor an inter-technology change-off of the multimodal device and to notify a policy manager of the inter-technology change-off. The policy manager looks up in a policy database, security policies applicable to the user of the multimodal device and the particular technology being used by the multimodal device. The policy manager conveys to various policy enforcement points throughout the converged fixed/mobile network the applicable security policies which take into account the user's identity and the access technology being used.

Abstract: A method of detecting a campaign of unwanted telephone calls in a converged telephone network, including populating a first set of caller identifications where no call has been initiated to the caller identification during a predetermined period of time, populating a second set of caller identifications where a call has been initiated to the caller identification during the predetermined period of time, performing a homogeneity statistical test analysis of the first set and the second set, and interpreting the statistical analysis results in order to detect the campaign of unwanted telephone calls in the converged telephone network. Some embodiments include analyzing log messages to determine a source of the most telephone call traffic, and blocking the completion of telephone calls subsequently initiated by the determined source of the most telephone call traffic.

Abstract: A system and method are provided for management of access security by user and device. A security policy enforcement point is provided with a user policy module to receive user credentials from an access device of the user and a point for setting device dependent security policy to receive device credentials from the access device. A user policy is retrieved from a user database with use of the user credentials while a device policy is retrieved from a device database with use of the device credentials. The user policy and device policy are combined and used in the SPEP to enforce a user and device based security policy.

Abstract: Transparent caller name authentication is provided to authorized third parties by creating an Public Key Infrastructure (PKI) certificate chain. An owner of a registered caller name can authorize third parties to use the caller name by issuing a PKI sub-certificate to each authorized third party. An authenticated caller name displays the owner's name to the called party. Outsourcing and mobile employment is thereby facilitated, and called party confusion is reduced.