Patents Examined by Kevin Richards
  • Patent number: 8079062
    Abstract: In accordance with a particular embodiment of the present invention, a method using presence information to manage network access includes maintaining presence information for an end user. When a remote access request is received from the end user at a remote endpoint, the presence information for the end user is updated to identify the presence of the end user at one or more network endpoints associated with a private network. An access point to the private network is then automatically configured to allow any communications addressed to an IP address associated with the one or more network endpoints to pass through the access point.
    Type: Grant
    Filed: May 16, 2005
    Date of Patent: December 13, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Cullen F. Jennings, Cary W. FitzGerald
  • Patent number: 8042154
    Abstract: The disclosed embodiments support proxy Mobile IP registration for nodes that do not implement CHAP. This is accomplished, in part, through the generation of a CHAP challenge and response by either a AAA server or a network device such as a PDSN or Foreign Agent. If the CHAP challenge and response is generated by the AAA server, the AAA server provides the CHAP challenge and response to the network device. In this manner, the network device may generate a Mobile IP registration request based upon the CHAP challenge and response.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: October 18, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Arghya Mukherjee, Bhaskar Bhupalam, Ashwin Anilkumar Kabadi, Venkatanarayana Muppala
  • Patent number: 8024573
    Abstract: A method for authentication of elements of a group, especially for authentication of sensor nodes in a preferably wireless sensor network is disclosed. The group has one specific element—leading element—with which each of the group elements can exchange information and wherein the authentication of the group elements takes place with regard to the leading element. The leading element sends an authentication request to the group elements wherein the authentication request is the same for all the group elements. The group elements each send authentication responses—based on the authentication request—to the leading element, with the authentication responses being different for each group element.
    Type: Grant
    Filed: October 5, 2005
    Date of Patent: September 20, 2011
    Assignee: NEC Corporation
    Inventors: Dirk Westhoff, Joao Girao
  • Patent number: 8020194
    Abstract: A privilege elevation flaw detection analysis is performed on a host system on a network. In addition, accounts on the host system are identified that have access to, or corresponding accounts on, other systems on the network. Privilege elevation analyses are performed on one or more of the network systems corresponding to the identified accounts. A privilege elevation graph is generated of the host system from the privilege elevation analysis. The graph includes account nodes and edges illustrating the detected privilege elevations between the accounts on the host system. In addition, nodes for the network systems are added to the graphs along with edges connecting to the nodes corresponding to the accounts identified as having access to the particular network systems. The user may then select a particular network system node and view its detected privilege elevations in relation to the host system.
    Type: Grant
    Filed: October 6, 2005
    Date of Patent: September 13, 2011
    Assignee: Microsoft Corporation
    Inventors: John Lambert, Matthew Thomlinson
  • Patent number: 7962958
    Abstract: Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detects a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or whilst the communication is active.
    Type: Grant
    Filed: February 19, 2010
    Date of Patent: June 14, 2011
    Assignee: Alcatel Lucent
    Inventors: Jean-Marc Robert, Michel Barbeau
  • Patent number: 7936874
    Abstract: A content delivery system, enabling a ciphertext to be reduced in size when using the ElGamal cipher, includes a content delivery device performing elliptic curve encryption on a content key, generating an encrypted content key that includes an x coordinate of an elliptic curve point obtained by the elliptic curve encryption, and outputting the encrypted content key. Further, the content delivery system includes a content reception device receiving the encrypted content key, calculating a y coordinate of the elliptic curve point using the x coordinate included in the encrypted content key, and performing elliptic curve decryption using the elliptic curve point and other information included in the encrypted content key, to generate a decrypted content key.
    Type: Grant
    Filed: October 1, 2004
    Date of Patent: May 3, 2011
    Assignee: Panasonic Corporation
    Inventors: Yuichi Futa, Motoji Ohmori
  • Patent number: 7908657
    Abstract: Detecting a variant of a known threat is disclosed. A portion of network traffic is matched with at least a portion of a signature associated with the known threat. If the portion of network traffic being matched with the signature does not exactly match the signature, the extent of match between the portion of network traffic and the signature is determined. If the extent of match satisfies a threshold, a security response is triggered based upon the extent of match.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: March 15, 2011
    Assignee: Symantec Corporation
    Inventor: Brian Hernacki
  • Patent number: 7873838
    Abstract: A selectively encrypted data unit is generated from an unencrypted data unit. This is accomplished by accessing a list of attributes related to the unencrypted data unit that identify classifications of sensitive information within the unencrypted data unit. In addition, a protection key that is responsive to a random number is selected and auxiliary values computed from the attributes of the sensitive information and the random number are produced. The sensitive information is encrypted with the protection key to create an encrypted version of the sensitive information. The encrypted version is associated with the auxiliary values and linked to an attribute vector that classifies the sensitive information in the encrypted version. Data from the unencrypted data unit and the encrypted version of the sensitive information is stored as the selectively encrypted data unit.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: January 18, 2011
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Jessica N. Staddon, Philippe Jean-Paul Golle
  • Patent number: 7865742
    Abstract: A capability key is generated that provides access to sensitive information within a selectively encrypted data unit created from an unencrypted data unit. A user specifies access rights as a monotone boolean relationship between a selection of a list of attributes related to the unencrypted data unit. This relationship is used to compute a key descriptor. Next, one or more shares of a master secret are generated responsive to the monotone boolean relationship and a random number. Next, a unique capability key is computed from one or more cryptosystem parameters, the one or more shares and the random number. The unique capability key and the key descriptor together enable decryption of sensitive information within a selectively encrypted data unit created from an unencrypted data unit. Finally, the unique capability key and the key descriptor are provided to allow decryption of sensitive information within the selectively encrypted data unit.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: January 4, 2011
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Jessica N. Staddon, Philippe Jean-Paul Golle
  • Patent number: 7861096
    Abstract: A selectively encrypted data unit includes an encrypted version of sensitive information (capable of being decrypted to reveal the sensitive information), a plurality of auxiliary values, and an attribute vector associated with the encrypted version of the sensitive information. The selectively encrypted data unit and a unique capability key are accessed. The unique capability key is associated with a key descriptor and is responsive to one or more cryptosystem parameters, one or more random numbers and one or more shares of a master secret. Next the technology determines whether the attribute vector is filtered or enabled by the key descriptor. If so, a protection key is acquired that is responsive to the one or more cryptosystem parameters, the plurality of auxiliary values, the key descriptor and the unique capability key. Once acquired, the protection key is used to decrypt the encrypted version to generate the sensitive information which is presented.
    Type: Grant
    Filed: December 15, 2006
    Date of Patent: December 28, 2010
    Assignee: Palo Alto Research Center Incorporated
    Inventors: Jessica N. Staddon, Philippe Jean-Paul Golle
  • Patent number: 7788723
    Abstract: Method and apparatus for providing computer security is provided. Subscriber information is stored in a repository and an exploit probe is sent to a subscriber's computer system. A probe message based on the computer system's response to the exploit probe is generated.
    Type: Grant
    Filed: May 17, 2005
    Date of Patent: August 31, 2010
    Assignee: Computer Associates Think, Inc.
    Inventor: David E. Huddleston
  • Patent number: 7715556
    Abstract: Provided are a key establishment method and system using commutative linear functions. In the method, a server defines a set of linear functions that use elements of a first finite field as coefficients and satisfy a commutative rule, selects a first linear function from the set, and selects a predetermined element from a second finite field. Next, the server selects a second linear function corresponding to each of nodes from the set, generates a predetermined combination function based on the first and second linear functions, generates a value of the second linear function using the selected element as a factor, and transmits the combination function and the value of the second linear function to a corresponding node. Each node receives the value of the second linear function from a server, exchanges the received values with the other nodes, computes a value using the exchanged value as a factor of the combination function, and establishes the computed value as a shared key between the nodes.
    Type: Grant
    Filed: June 8, 2006
    Date of Patent: May 11, 2010
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ku Young Chang, Do Won Hong, Hyun Sook Cho, Kyo Il Chung
  • Patent number: 7716740
    Abstract: Methods to detect rogue access points (APs) and prevent unauthorized wireless access to services provided by a communication network are provided. A mobile station (MS) reports to a serving AP the received signal strength (RSS) for all APs in the area it travels. The serving AP detects a rogue AP based on inconsistencies perceived in the RSS reports, assessed during the handover phase or whilst the communication is active.
    Type: Grant
    Filed: October 5, 2005
    Date of Patent: May 11, 2010
    Assignee: Alcatel Lucent
    Inventors: Jean-Marc Robert, Michel Barbeau
  • Patent number: 7620819
    Abstract: We develop a system consisting of a neural architecture resulting in classifying regions corresponding to users' keystroke patterns. We extend the adaptation properties to classification phase resulting in learning of changes over time. Classification results on login attempts of 43 users (216 valid, 657 impersonation samples) show considerable improvements over existing methods.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: November 17, 2009
    Assignees: The Penn State Research Foundation, Louisiana Tech University Foundation, Inc.
    Inventors: Vir V. Phoha, Sunil Babu, Asok Ray, Shashi P. Phoba