Abstract: A system and method are disclosed which may include entering a secure mode by a processor, whereby the processor may initiate a transfer of information into or out of the processor, but no external device may initiate a transfer of information into or out of the processor; sending a DMA (direct memory access) command including at least one authorization code from the processor to at least one trusted data storage region external to the processor; evaluating the authorization code; and enabling the processor to access at least one trusted data storage location within the trusted data storage region if the authorization code is valid.

Abstract: A method and an apparatus for transmitting a message to a plurality of wireless devices that are classified into units of groups are provided. The method includes operations of: (a) determining whether the message is a predetermined message for detecting a device in a network; (b) encrypting the message with one of a plurality of keys respectively corresponding to a plurality of groups according to a determination result obtained in operation (a), each group comprising one or more devices in the network; and (c) transmitting the encrypted message. Accordingly, it is possible to prevent a guest wireless device that is unknown to a user from detecting a home wireless device of the user and controlling the detected home wireless device without authorization from the user.

Abstract: An improved network protocol for mitigating network amplification attacks is provided. The absolute network load that any transient distributed attack can cause is bounded based on a resource crediting scheme. The protocol accumulates “credit” upon reception and detection of candidate attack request packets, and draws against that credit when transmitting responsive packets. In some implementations, the time frame of such an attack is also bounded using time limits applied to a resource crediting scheme. Other resources may also be bounded by the resource crediting scheme, including without limitation CPU utilization, storage capacity, power, etc.

Abstract: Encryption-based design obfuscation for an integrated circuit includes creating multiple functional circuit paths for an integrated circuit design and selecting among the multiple functional circuit paths during scan testing. Encrypting selection data corresponding to an intended function of the integrated circuit design avoids revealing the intended function as a result of the scan testing.

Abstract: In one embodiment, a hybrid backplane coding scheme transmits data using lengthy sequences of scrambled data, separated by 8b/10b control character sequences that prepare the receiver for the next scrambled sequence and permit realignment if necessary. Several lanes are coded separately in this manner, and then multiplexed on a common channel. Alignment sequences in the control character sequences, as well as scrambler seeds, are set to avoid synchronization of patterns generated among all lanes, which would tend to confuse a receiving serdes and/or phase-locked loop that recovers timing from the multiplexed scrambled signals.

Abstract: A system and method for peer-to-peer communication between a slave device and network resources wherein the slave device, for example, a smart card, communicates using a protocol designed to allow the smart card to communicate over a half-duplex serial communications link while appearing to applications and network nodes as being a full-fledged network node in a manner that conserves power so as to be suitable for deployment on small portable devices.

Abstract: Systems and methods to manage multiple vulnerability scanners distributed across one or more networks using a distributed security management system, herein called a Lightning Console. By distributing multiple scanners across a network, the work load of each scanner may be reduced to significantly reduce the impact on the network routing and switching infrastructure. In addition, scanners may be placed directly behind firewalls for more thorough scanning. Further, scanners may be placed closer to their scanned networks. By placing vulnerability scanners closer, the actual scanning traffic does not cross the core network switch and routing fabric, thereby avoiding potential network outages due to scanning activity. In addition, the closer distance of the scanners to the scanned targets speeds scan times by reducing the distance that the packets must traverse.

Abstract: A system and method to enable an access point to dynamically provision a WLAN client with a new wireless profile once an association is established based on the infrastructure policy. A client can be directed to use a new profile without the need for pre-configuration and going through another authentication process. The new wireless profile can be provided to the client either during or after association, with or without the protection of link layer security key.

Abstract: Systems and methods which may be implemented as software to control access to content streams transmitted from a service provider's server. A software solution forces each set top box (STB) to periodically uplink to the server and to receive authentication from that server. To prevent spoofing, the server periodically loads to each STB at least one unique key that is required to access the content stream or that is required for authentication. The key or keys may be periodically revoked and/or replaced by the server. The frequency of the revocation and/or replacement of the key is ideally not fixed. Also, the server may periodically upgrade the decoding and/or authentication software on the STBs via the uplink.

Abstract: A system, method, computer program product, and data management service that allows any comparison operation to be applied on encrypted data, without first decrypting the operands. The encryption scheme of the invention allows equality and range queries as well as the aggregation operations of MAX, MIN, and COUNT. The GROUPBY and ORDERBY operations can also be directly applied. Query results produced using the invention are sound and complete, the invention is robust against cryptanalysis, and its security strictly relies on the choice of a private key. Order-preserving encryption allows standard database indexes to be built over encrypted tables. The invention can easily be integrated with existing systems.

Abstract: A computer-implemented method is provided for processing access requests in an AAA network. The method includes receiving an access request from a network device, identifying, based upon the access request, an authentication mechanism for facilitating AAA services for the network device and selecting, based on the identified authentication mechanism, a particular server from a plurality of servers that is compatible with the identified authentication mechanism.

Abstract: A system and method for authenticating users against an external directory service. A client device issues an LDAP (Lightweight Directory Access Protocol) request (e.g., a login request) to a local or native directory server (e.g., an Oracle Internet Directory server) configured to authenticate users for access to a resource (e.g., an Oracle database, an Oracle application server). The native directory server does not maintain or synchronize user passwords, and forwards the request (or details of the request) to a plug-in residing in the resource. The plug-in forwards or issues the request to an external or third-party directory server or service, which attempts to authenticate the user and returns a result indicating success or failure. The plug-in returns the result to the local server, which responds to the client.

Abstract: Systems and methods provide a mechanism for wireless stations and access points to negotiate security parameters for protecting management frames. The access point and station determine which management frames they are capable of and desire to protect. Data indicating protected frames are then exchanged between the station and access point to select which management frames are to be protected and a protection mechanism to be used for protecting the management frames.

Abstract: A method for processing a communication data item. The communication data item is divided into at least two unencrypted packets to be encrypted. Each encrypted packet is generated from a corresponding unencrypted packet. Each unencrypted packet has a packet header and plaintext data. The packet header has an identifier field that includes a packet identifier. The packet identifier is identical for all unencrypted packets. Generating an encrypted packet for each unencrypted packet includes: determining a vector identifier from the identical packet identifier, wherein the vector identifier is associated with the identical packet identifier; ascertaining an initial vector from the vector identifier; and forming an encrypted packet header by inserting the vector identifier into a first portion of the packet header and encrypting a second portion of the packet header through use of the initial vector. The encrypted packets are subsequently decrypted and combined to reconstruct the communication data item.

Abstract: A method and system is provided for detecting correlated connections in an extended connection. A plurality of stepping stone detection algorithms are executed in parallel (400), each of the plurality of stepping stone detection algorithms generating a result. The results are scored for each of the plurality of stepping stone detection algorithms (402). A consensus attack path is generated based upon the scored results (404).

Abstract: A relay adapter, a method for processing communication data through use of a relay adapter, and a process for leasing the relay adapter to a user by a service provider. The relay adapter includes: an authentication information storage section that stores authentication information of the relay adapter; a power plug; a power socket; and a push switch within the power plug or power socket. The push switch may be depressed. The power plug is detected to be plugged into a power socket of the user. The power socket is connected to a control server by a power line carrying a power signal. Responsive to ascertaining that the push switch is not depressed, mutual authentication is enabled between the relay adapter and the control server. After the mutual authentication, communication data is relayed from an information processing device of the user to a service provider server via the control server.

Abstract: A system and method for determining the point of entry of a malicious packet into a network is disclosed. An intrusion detection system detects entry of the malicious packet into the network (500). A stepping stone detection system identifies stepping stones in extended connections within the network (524). A traceback engine isolates the malicious packet in response to operation of the intrusion detection system (528), wherein the traceback engine utilizes the identified stepping stones to determine the point of entry of the malicious packet.

Abstract: Information on whether a prefix is distributable to a MN is held by a CA. The server section of the HA allots prefix information to a MN approved by the CA. When the server section of the HA receives an IKE packet from the MN, the server section generates an IPsec SA after checking the prefix information in the server section. The server section allows an MN location registration request to fulfill the IPsec SA. The CA approves distribution of a prefix to the MN and verifies that the MN is genuine by generating an IPsec SA with the HA by utilizing the prefix distributed by the MN.

Abstract: A wireless ad-hoc communication system in which an attribute certificate can be independently and dispersedly issued is provided. A terminal (B200) transmits a beacon (2011) for participating in a network in the wireless ad-hoc communication system. The beacon (2011) indicates whether or not the terminal (B200) has an attribute certificate. Upon receiving the beacon (2011), a terminal (A100) checks the beacon. If it is determined that the terminal (B200) does not have an attribute certificate, the terminal (A100) transmits an attribute-certificate issuance suggestion message (1032) for suggesting an attribute-certificate issuing request to the terminal (B200). When the terminal (B200) transmits an attribute-certificate issuance request message (2041) in response to this message, the terminal (A100) transmits an attribute-certificate issuance message (1052) to the terminal (B200).

Abstract: As computer programs grow more complex, extensible, and connected, it becomes increasingly difficult for users to understand what has changed on their machines and what impact those changes have. An embodiment of the invention is described via a software tool, called AskStrider, that answers those questions by correlating volatile process information with persistent-state context information and change history. AskStrider scans a system for active components, matches them against a change log to identify recently updated and hence more interesting state, and searches for context information to help users understand the changes. Several real-world cases are provided to demonstrate the effectiveness of using AskStrider to quickly identify the presence of unwanted software, to determine if a software patch is potentially breaking an application, and to detect lingering components left over from an unclean uninstallation.