Patents Assigned to Secure Computing Corporation
-
Publication number: 20080178288
Abstract: Methods and systems for operation upon one or more data processors for detecting image spam by detecting an image and analyzing the content of the image to determine whether the incoming communication comprises an unwanted communication.
Type: Application
Filed: January 24, 2007
Publication date: July 24, 2008
Applicant: Secure Computing Corporation
Inventors: Dmitri Alperovitch, Nick Black, Jeremy Gould, Paul Judge, Sven Krasser, Phyllis Adele Schneck, Yuchun Tang, Aarjav Jyotindra Neeta Trivedi, Lamar Lorenzo Willis, Weilai Yang, Jonathan Alexander Zdziarski
-
Patent number: 7315801
Abstract: A network security modeling system which simulates a network and analyzes security vulnerabilities of the network. The system includes a simulator which includes a network vulnerabilities database and a network configuration module having network configuration data. The simulator determines vulnerabilities of the simulated network based on the network configuration data and the vulnerabilities database.
Type: Grant
Filed: January 14, 2000
Date of Patent: January 1, 2008
Assignee: Secure Computing Corporation
Inventors: Alan Dowd, Thomas R. Markham, Tomo Foote-Lennox, David Apostal, Raymond Lu
-
Publication number: 20070300286
Abstract: The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.
Type: Application
Filed: May 29, 2007
Publication date: December 27, 2007
Applicant: Secure Computing Corporation
Inventor: Paul Judge
-
Patent number: 7308706
Abstract: Systems and methods for an associative policy model are provided. One embodiment of the present invention provides a method for implementing an associative policy. In this embodiment, the method includes providing a policy on a policy server, the policy having a service definition that contains first and second relational components, providing first and second network entities, operatively coupling the first and second network entities to the policy server, dynamically associating the first network entity with the second network entity (wherein such associating includes binding the first relational component of the service definition in the policy to the first network entity, and binding the second relational component of the service definition in the policy to the second network entity), and enforcing the policy on the first and second network entities.
Type: Grant
Filed: October 28, 2002
Date of Patent: December 11, 2007
Assignee: Secure Computing Corporation
Inventors: Thomas R. Markham, Jessica J. Bogle, Charles N. Payne, Jr.
-
Patent number: 7308702
Abstract: A system and method for defining and enforcing a security policy. Security mechanism application specific information for each security mechanism is encapsulated as a key and exported to a semantic layer. Keys are combined to form key chains within the semantic layer. The key chains are in turn encapsulated as keys and passed to another semantic layer. A security policy is defined by forming key chains from keys and associating users with the key chains. The security policy is translated and exported to the security mechanisms. The security policy is then enforced via the security mechanisms.
Type: Grant
Filed: January 14, 2000
Date of Patent: December 11, 2007
Assignee: Secure Computing Corporation
Inventors: Daniel Jay Thomsen, Richard O'Brien, Jessica Bogle, Charles Payne
-
Patent number: 7263718
Abstract: An inventive security framework for supporting kernel-based hypervisors within a computer system. The security framework includes a security master, one or more security modules and a security manager, wherein the security master and security modules execute in kernel space.
Type: Grant
Filed: December 2, 2003
Date of Patent: August 28, 2007
Assignee: Secure Computing Corporation
Inventors: Richard O'Brien, Raymond Lu, Terrence Mitchem, Spencer Minear
-
Patent number: 7231664
Abstract: A novel system and method for transmitting and receiving secure data in a virtual private group (VPG). In one embodiment, a method for transmitting secure data from a first node to a second node includes accessing a group membership table on the first node, the group membership table having group membership information for each group, including a first group, to which the first node belongs and group security information associated with each group, wherein the first group has two or more members, and checking the group membership table to determine if the second node is a member of the first group. If the second node is a member of the first group, the method further includes encrypting a data packet using the group security information associated with the first group, processing the encrypted data packet, and transmitting the encrypted data packet from the first node to the second node.
Type: Grant
Filed: September 4, 2002
Date of Patent: June 12, 2007
Assignee: Secure Computing Corporation
Inventors: Thomas R. Markham, Lynn Marquette Meredith, Robert Otto Hanzlik, Geoffrey A. Lowe
-
Patent number: 7225466
Abstract: The present invention is directed to systems and methods for detecting unsolicited and threatening communications and communicating threat information related thereto. Threat information is received from one or more sources; such sources can include external security databases and threat information data from one or more application and/or network layer security systems. The received threat information is reduced into a canonical form. Features are extracted from the reduced threat information; these features in conjunction with configuration data such as goals are used to produce rules. In some embodiments, these rules are tested against one or more sets of test data and compared against the same or different goals; if one or more tests fail, the rules are refined until the tests succeed within an acceptable margin of error. The rules are then propagated to one or more application layer security systems.
Type: Grant
Filed: March 24, 2006
Date of Patent: May 29, 2007
Assignee: Secure Computing Corporation
Inventor: Paul Judge
-
Patent number: 7213260
Abstract: The present invention is directed to systems and methods for detecting and preventing the delivery of unsolicited communications. A communication transmitted over a communications network is received and analyzed by a system processor. The system processor can extract attributes from the communication and compare extracted attributes to information stored in a system data store. In processing the communication, the system processor may assign a confidence level, a trust level, or other indicia of content. The results of that processing, analysis, and comparison can be propagated to one or more upstream computers in the path from the communication's origin to its destination. Such one or more upstream computers are identified from within the content of the communication, the header of the communication and/or the transfer protocol interactions in receiving the communication. The identified computers are authenticated to limit forgery.
Type: Grant
Filed: February 24, 2003
Date of Patent: May 1, 2007
Assignee: Secure Computing Corporation
Inventor: Paul Judge
-
Patent number: 7185361
Abstract: A system, method and computer program product for providing authentication to a firewall using a lightweight directory access protocol (LDAP) directory server is disclosed. The firewall can be configured through a graphical user interface to implement an authentication scheme. The authentication scheme is based upon a determination of whether at least part of one or more LDAP entries satisfy an authorization filter.
Type: Grant
Filed: January 31, 2000
Date of Patent: February 27, 2007
Assignee: Secure Computing Corporation
Inventors: Thomas D. Ashoff, Steve O. Chew, Jeffrey J. Graham, Andrew J. Mullican
-
Patent number: 7181613
Abstract: A system and method for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network. A secure computer is inserted into the private network to serve as the gateway to the unsecured network and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer. The secure computer includes a private network interface connected to the private network, an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer and a server function for transferring data between the private network interface and the unsecured network interface.
Type: Grant
Filed: May 26, 2004
Date of Patent: February 20, 2007
Assignee: Secure Computing Corporation
Inventors: William E. Boebert, Clyde O. Rogers, Glenn Andreas, Scott W. Hammond, Mark P. Gooderum
-
Patent number: 7171681
Abstract: A mechanism that enables flexible expansion of proxy firewall services is disclosed. In accordance with the present invention, the firewall system can be configured to include a dispatch host computer and one or more load host computers. Proxy firewall services can be provided by proxy applications that reside on either the dispatch host computer and/or the load host computers. In one embodiment, a load host computer can be configured to support multiple proxy applications. In other embodiments, a load host computer can be dedicated to a single resource intensive application. In this framework, a network administrator can flexibly decide how to accommodate the demand for proxy firewall services. Load hosts can be added or removed from the firewall system without disrupting ongoing security services. In one embodiment, this feature is enabled through the inclusion of a configuration file on the dispatch host computer that stores information relating to the load host computers in the firewall system.
Type: Grant
Filed: January 31, 2001
Date of Patent: January 30, 2007
Assignee: Secure Computing Corporation
Inventors: William E. Duncan, Vincent Hwang
-
Patent number: 7085931
Abstract: A public key authentication system and method for use in a computer system having a plurality of users. The system includes a virtual smart card server, storage connected to the virtual smart card server, and a virtual smart card agent connected to the virtual smart card server. The storage includes a plurality of virtual smart cards, wherein each virtual smart card is associated with a user and wherein each smart card includes a private key. The virtual smart card agent authenticates the user and accesses the authenticated user's virtual smart card to obtain the user's private key.
Type: Grant
Filed: September 3, 1999
Date of Patent: August 1, 2006
Assignee: Secure Computing Corporation
Inventors: Lawrence Smith, Richard Levenberg
-
Publication number: 20040230791
Abstract: A system and method for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network. A secure computer is inserted into the private network to serve as the gateway to the unsecured network and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer. The secure computer includes a private network interface connected to the private network, an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer and a server function for transferring data between the private network interface and the unsecured network interface.
Type: Application
Filed: May 26, 2004
Publication date: November 18, 2004
Applicant: Secure Computing Corporation.
Inventors: William E. Boebert, Clyde O. Rogers, Glenn Andreas, Scott W. Hammond, Mark P. Gooderum
-
Publication number: 20040158720
Abstract: An inventive security framework for supporting kernel-based hypervisors within a computer system. The security framework includes a security master, one or more security modules and a security manager, wherein the security master and security modules execute in kernel space.
Type: Application
Filed: December 2, 2003
Publication date: August 12, 2004
Applicant: Secure Computing Corporation
Inventor: Richard O'Brien
-
Patent number: 6772332
Abstract: A system and method for the secure transfer of data between a workstation connected to a private network and a remote computer connected to an unsecured network. A secure computer is inserted into the private network to serve as the gateway to the unsecured network and a client subsystem is added to the workstation in order to control the transfer of data from the workstation to the secure computer. The secure computer includes a private network interface connected to the private network, an unsecured network interface connected to the unsecured network, wherein the unsecured network interface includes means for encrypting data to be transferred from the first workstation to the remote computer and a server function for transferring data between the private network interface and the unsecured network interface.
Type: Grant
Filed: December 23, 1998
Date of Patent: August 3, 2004
Assignee: Secure Computing Corporation
Inventors: William E. Boebert, Clyde O. Rogers, Glenn Andreas, Scott W. Hammond, Mark P. Gooderum
-
Publication number: 20040083382
Abstract: Systems and methods for an associative policy model are provided. One embodiment of the present invention provides a method for implementing an associative policy. In this embodiment, the method includes providing a policy on a policy server, the policy having a service definition that contains first and second relational components, providing first and second network entities, operatively coupling the first and second network entities to the policy server, dynamically associating the first network entity with the second network entity (wherein such associating includes binding the first relational component of the service definition in the policy to the first network entity, and binding the second relational component of the service definition in the policy to the second network entity), and enforcing the policy on the first and second network entities.
Type: Application
Filed: October 28, 2002
Publication date: April 29, 2004
Applicant: Secure Computing Corporation
Inventors: Thomas R. Markham, Jessica J. Bogle, Charles N. Payne
-
Publication number: 20040044908
Abstract: A novel system and method for transmitting and receiving secure data in a virtual private group (VPG). In one embodiment, a method for transmitting secure data from a first node to a second node includes accessing a group membership table on the first node, the group membership table having group membership information for each group, including a first group, to which the first node belongs and group security information associated with each group, wherein the first group has two or more members, and checking the group membership table to determine if the second node is a member of the first group. If the second node is a member of the first group, the method further includes encrypting a data packet using the group security information associated with the first group, processing the encrypted data packet, and transmitting the encrypted data packet from the first node to the second node.
Type: Application
Filed: September 4, 2002
Publication date: March 4, 2004
Applicant: Secure Computing Corporation
Inventors: Thomas R. Markham, Lynn Marquette Meredith, Robert Otto Hanzlik, Geoffrey A. Lowe
-
Patent number: D577022
Type: Grant
Filed: July 5, 2007
Date of Patent: September 16, 2008
Assignee: Secure Computing Corporation
Inventor: Noah L. Anglin
-
Patent number: D577023
Type: Grant
Filed: July 5, 2007
Date of Patent: September 16, 2008
Assignee: Secure Computing Corporation
Inventor: Noah L. Anglin