Patents Examined by Kristine Kincaid
  • Patent number: 7475248
    Abstract: A secure messaging system and method. The method can include the steps of receiving an encrypted message, the message having been encrypted using a token of a corresponding pervasive device; wirelessly verifying the presence of the pervasive device; and, if the presence can be verified, decrypting the message using the token. The verification step can include the steps of establishing a wireless link with the pervasive device; and, querying the pervasive device over the wireless link. In particular, the establishing step can include the step of establishing a Bluetooth link with the pervasive device. Furthermore, the querying step can include the step of requesting geographic coordinates which locate the pervasive device.
    Type: Grant
    Filed: April 29, 2002
    Date of Patent: January 6, 2009
    Assignee: International Business Machines Corporation
    Inventors: William G. Barrus, Cary L. Bates, Robert J. Crenshaw, Paul R. Day
  • Patent number: 7475426
    Abstract: A flow-based intrusion detection system for detecting intrusions in computer communication networks. Data packets representing communications between hosts in a computer-to-computer communication network are processed and assigned to various client/server flows. Statistics are collected for each flow. Then, the flow statistics are analyzed to determine if the flow appears to be legitimate traffic or possible suspicious activity. A concern index value is assigned to each flow that appears suspicious. By assigning a value to each flow that appears suspicious and adding that value to the total concern index of the responsible host, it is possible to identify hosts that are engaged in intrusion activity. When the concern index value of a host exceeds a preset alarm value, an alert is issued and appropriate action can be taken.
    Type: Grant
    Filed: January 18, 2007
    Date of Patent: January 6, 2009
    Assignee: Lancope, Inc.
    Inventor: John A. Copeland, III
  • Patent number: 7475252
    Abstract: System, method and computer program for authenticating a user of a client computer to a remote server computer. A client computer initially sends a userID but not a password of the user to the remote server computer. In response to the userID, the server computer determines a subsequent time window during which the server computer will consider for authentication submission of a combination of the userID and a password. The server computer notifies the client computer of the time window. After receipt of the notification from the server computer, during the time window, the client computer sends the userID and a corresponding password to the server computer. In response to receipt of the userID and the corresponding password from the client computer, the server computer determines if the combination of the userID and the corresponding password is valid.
    Type: Grant
    Filed: August 12, 2004
    Date of Patent: January 6, 2009
    Assignee: International Business Machines Corporation
    Inventors: Clark Debs Jeffries, Mohammad Peyravian
  • Patent number: 7472424
    Abstract: Parental controls for entertainment digital media are provided that allow a parent to restrict multiple users' access to entertainment content. One or more updatable rating definition files with dynamic data are used to define rating levels and content descriptors for a regional rating system. Entertainment content definition files define the rating level and content descriptors for entertainment content. User permission settings define a particular user's access rating level and content descriptors. The rating definition file can be used to compare the entertainment content definition file and user permission settings in determining if a user is allowed access to particular entertainment content.
    Type: Grant
    Filed: October 10, 2003
    Date of Patent: December 30, 2008
    Assignee: Microsoft Corporation
    Inventors: C. Shane Evans, Kareem A. Choudhry, Roderick M. Toll, Jonathan D. Hildebrandt
  • Patent number: 7471795
    Abstract: A sending apparatus generates a first initial vector, a second initial vector, and an encryption key in response to a pseudo random number. Original information is encrypted into cipher information in response to the encryption key and the second initial vector. The cipher information and the first initial vector are transmitted from the sending apparatus to a receiving apparatus. The receiving apparatus generates a first initial vector, a second initial vector, and an encryption key in response to a pseudo random number equal to that in the sending apparatus. The cipher information is decrypted back to the original information in response to the generated encryption key and the generated second initial vector. The receiving apparatus compares the received first initial vector and the generated first initial vector to check whether or not encryption/decryption-related synchronization between the sending apparatus and the receiving apparatus is normally maintained.
    Type: Grant
    Filed: July 1, 2004
    Date of Patent: December 30, 2008
    Assignee: Victor Company of Japan, Ltd.
    Inventor: Seiji Higurashi
  • Patent number: 7467213
    Abstract: In a portable device connectable to a network system, an access right information acquisition unit acquires access right information of a computer resource assigned to a user temporarily registered to the network system from a computer which manages the computer resource in the network system. An access right information preservation unit preserves the access right information acquired by the access right information acquisition unit. A network access unit accesses the network system using the access right information preserved in the access right information preservation unit.
    Type: Grant
    Filed: May 10, 2007
    Date of Patent: December 16, 2008
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Toshiya Takahashi, Tetsuro Kimura, Tetsuro Muranaga
  • Patent number: 7464399
    Abstract: In a portable device connectable to a network system, an access right information acquisition unit acquires access right information of a computer resource assigned to a user temporarily registered to the network system from a computer which manages the computer resource in the network system. An access right information preservation unit preserves the access right information acquired by the access right information acquisition unit. A network access unit accesses the network system using the access right information preserved in the access right information preservation unit.
    Type: Grant
    Filed: May 10, 2007
    Date of Patent: December 9, 2008
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Toshiya Takahashi, Tetsuro Kimura, Tetsuro Muranaga
  • Patent number: 7457947
    Abstract: A system for processing wireless data packets allows consolidation of security processing. Security processing is performed in accordance with multiple security policies. This processing is done in a single front end processing block. Different security processes can be performed in parallel. Processing overhead is reduced by eliminating the need to redundantly check packet characteristics to assess the different security requirements imposed by security policies. Further, the present invention also substantially reduces the CPU cycles required to transport data back and forth from memory to a cryptographic coprocessor.
    Type: Grant
    Filed: October 31, 2006
    Date of Patent: November 25, 2008
    Assignee: Broadcom Corporation
    Inventor: Jeffrey D. Carr
  • Patent number: 7458094
    Abstract: The invention provides a method and system for monitoring a computer network and determining whether the network faces a threat from users. In the event that the existence of a threat is determined, the system in accordance with the invention provides a real-time assessment of the threat to the network and responds to prevent damage to the network.
    Type: Grant
    Filed: June 6, 2001
    Date of Patent: November 25, 2008
    Assignee: Science Applications International Corporation
    Inventor: Gary Manuel Jackson
  • Patent number: 7454792
    Abstract: An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.
    Type: Grant
    Filed: August 31, 2004
    Date of Patent: November 18, 2008
    Assignee: TippingPoint Technologies, Inc.
    Inventors: Craig Cantrell, Marc Willebeek-Lemair, Dennis Cox, John McHale, Brian Smith, Donovan Kolbly
  • Patent number: 7454779
    Abstract: Controlling access to information in a distributed data processing system. The distributed data processing system has a server, which stores the information and also further comprises a logging tool for creating a log file. The distributed data processing system also has a client computer comprising an application program for controlling a software agent. When the software agent requests information from the server, a process to identify the software agent is invoked. In response to the identification, all the requests from the identified software agent are stored in the log file and this data in the log file is analyzed. The data is also utilized in the process of monitoring the behavior of the identified software agent. In response to the monitoring process, at least one of a plurality of pre-defined rules is invoked, in order to control the behavior of the identified software agent.
    Type: Grant
    Filed: March 15, 2002
    Date of Patent: November 18, 2008
    Assignee: International Business Machines Corporation
    Inventors: Jeremy P. J. Hughes, Richard P. Tate
  • Patent number: 7454018
    Abstract: Disclosed is apparatus for processing an encrypted data stream within a computer system adapted to receive the encrypted data stream from a data storage device. A data output device is coupled to a computer system and has a plurality of data output areas. An encrypted data stream is transferred from a data storage device to the data output device, the encrypted data stream being for output to one of the plurality of data output areas. The encrypted data stream is received and decrypted to produce a clear data stream for output to one of the plurality of data output areas. A decryption means receives a decryption key from the computer system, the decryption key relating only to the encrypted stream associated with the one of the plurality of data output areas.
    Type: Grant
    Filed: May 20, 1999
    Date of Patent: November 18, 2008
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Shaun Carl Kerigan, James Errol Harris, Jr.
  • Patent number: 7454614
    Abstract: Method and apparatus for fault tolerant TCP handshaking that includes a first node and a second node both connected in a network where the second node is one of at least two nodes in a cluster of nodes. The second node receives a first message from the first node where the first message includes a sequence number. The second node generates a fingerprint and replaces a portion of the sequence number with the fingerprint to form a cryptographic sequence number. The cryptographic sequence number is sent from the second node to the first node. A second message that includes the cryptographic sequence number is received from the first node at the second node. Any node in the cluster can verify that the cryptographic sequence number sent by the first node was created by one of the nodes in the cluster thereby providing fault tolerant TCP handshaking.
    Type: Grant
    Filed: March 25, 2002
    Date of Patent: November 18, 2008
    Assignee: Microsoft Corporation
    Inventors: Thomas Kroeger, David Kashtan, Adam Cain, Craig Watkins
  • Patent number: 7450717
    Abstract: Existing key encryption approaches are extended by using overlapping portions of encrypted information. Another provision inserts one or more bits of data to ensure correct encryption/decryption. The inserted data can also be used for authentication.
    Type: Grant
    Filed: June 7, 2000
    Date of Patent: November 11, 2008
    Assignee: General Instruments Corporation
    Inventors: Eric J. Sprunk, Xin Qiu
  • Patent number: 7451476
    Abstract: A services delivery element (26) forms an interface between an external element (such as an external end user's network feature server) and a communication network including both a core network (10) and an access network (12). The services delivery element (26) provides access to the core network (10) and access networks (12) to which the external element is interfaced.
    Type: Grant
    Filed: June 20, 2000
    Date of Patent: November 11, 2008
    Assignee: Motorola, Inc.
    Inventors: Robert Banks, Wesley S Jones, Richard Malcolm
  • Patent number: 7451489
    Abstract: An active network defense system is provided that is operable to monitor and block traffic in an automated fashion. This active network defense system is placed in-line with respect to the packet traffic data flow as a part of the network infrastructure. In this configuration, inspection and manipulation of every passing packet is possible. An algorithmic filtering operation applies statistical threshold filtering to the data flow in order to identify threats existing across multiple sessions. A trigger filtering operation applies header and content match filtering to the data flow in order to identify threats existing within individual sessions. Threatening packet traffic is blocked and threatening sessions are terminated. Suspicious traffic is extracted from the data flow for further examination with more comprehensive content matching as well as asset risk analysis. A flow control mechanism is provided to control passage rate for packets passing through the data flow.
    Type: Grant
    Filed: August 31, 2004
    Date of Patent: November 11, 2008
    Assignee: TippingPoint Technologies, Inc.
    Inventors: Craig Cantrell, Marc Willebeek-Lemair, Dennis Cox, John McHale, Brian Smith, Donovan Kolbly
  • Patent number: 7447903
    Abstract: A user has two asymmetric crypto-keys, the first having a first private key and the second having a second private key, both of which are split into a first private key portion corresponding to a password of the user and to a computation. However, the computation of the first private key portion of the first and the second private keys have different levels of complexity. First and second messages from the user encrypted with the first private key portion of, respectively, the first private key and the second private key, are received centrally. A second private key portion of, respectively, the first private key and the second private key is applied to the received first and the received second messages, as applicable, to authenticate the user at, respectively, a first level of authentication security and a second level of authentication security which is greater than the first level.
    Type: Grant
    Filed: June 22, 2006
    Date of Patent: November 4, 2008
    Assignee: TriCipher, Inc.
    Inventors: Ravi Sandhu, Colin deSa, Karuna Ganesan
  • Patent number: 7447902
    Abstract: A method for processing wireless data packets allows consolidation of security processing. Security processing is performed in accordance with multiple security policies. This processing is done in a single front end processing block. Different security processes can be performed in parallel. Processing overhead is reduced by eliminating the need to redundantly check packet characteristics to assess the different security requirements imposed by security policies. Further, the present invention also substantially reduces the CPU cycles required to transport data back and forth from memory to a cryptographic coprocessor.
    Type: Grant
    Filed: October 31, 2006
    Date of Patent: November 4, 2008
    Assignee: Broadcom Corporation
    Inventor: Jeffrey D. Carr
  • Patent number: 7447912
    Abstract: Oblivious checking of a digital good is performed by identifying a plurality of key instructions within a function of a digital good. Each key instruction is an instruction that possibly modifies a register or a flag. An extra instruction is then inserted into the function for each of the key instructions. The extra instructions each correspond to one of the key instructions and modify a register in a deterministic fashion based on the corresponding key instruction. A set of inputs to the function are then identified that result in different valid computation paths in the function being taken. A checksum for the function is then generated by using a mapping function which maps the contents of the register to the set of inputs.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: November 4, 2008
    Assignee: Microsoft Corporation
    Inventors: Mariusz H. Jakubowski, Ramarathnam Venkatesan
  • Patent number: 7441263
    Abstract: A system, method and computer program product for providing unified authentication services in an Application Service Provider (ASP) setting to a registered end-user of one or more online (or web) applications. The system includes client side components, a user management component coupled to the client side components and server side components coupled to the user management component. The client side components include an authentication control component that manages the process of capturing a user-determined policy for a first account and user credentials. This allows the user to define the level of protection to access the first account. This includes, but is not limited to, accounts/applications that have been configured specifically for use with the system and particular user credentials and accounts that have been subsequently set up but configured to use the same user credentials.
    Type: Grant
    Filed: March 23, 2001
    Date of Patent: October 21, 2008
    Assignee: Citibank, N.A.
    Inventors: Bikram S Bakshi, David W Helms, Anthony C Rochon, Trevor J Walker