Patents Examined by Norman M. Wright
  • Patent number: 6571339
    Abstract: A system comprises a first computer which has a unique processor identification. Additionally, a first application is operatively coupled to the first computer across a network. The first computer provides the unique processor identification to the first application with the first application identifying the first computer based on the unique processor identification.
    Type: Grant
    Filed: December 30, 1998
    Date of Patent: May 27, 2003
    Assignee: Intel Corporation
    Inventors: Gunner D. Danneels, Peter A. Nee, Sameer Kalbag
  • Patent number: 6567919
    Abstract: Authentication of a request by a computer for access to a resource is accomplished by means of a randomly generated password that can only be used a limited number of times. In a disclosed embodiment of the invention, a network computer sends a boot request to a network server. In response, the network server generates a random password, and sets a use counter to a value which indicates the number of times that the password can be used for access to network resources. This password is transmitted to the network computer, which uses it to initiate a session with a network file server, and access network resources. The network server then invalidates the password, by decrementing the use counter to zero. As a result, even if the password becomes known to an unauthorized user as it is being transmitted from the network server to the network computer, it cannot be improperly employed to gain access to any network resources.
    Type: Grant
    Filed: October 8, 1998
    Date of Patent: May 20, 2003
    Assignee: Apple Computer, Inc.
    Inventors: Kazu Yanagihara, Gregory Burns, Gregory Vaughan
  • Patent number: 6567920
    Abstract: A data processing system and method are disclosed for authenticating a client computer system to a secure network prior to permitting the client computer system to attempt to log-on to the network. The secure network is controlled by a server computer system. A unique identifier is established which identifies the client computer system. The unique identifier is encrypted. Prior to permitting the client computer system to attempt to log-on to the secure network, the client computer system transmits the encrypted identifier to the server computer system. Also prior to permitting the client computer system to attempt to log-on to the network, the server computer system utilizes the unique identifier to determine whether to permit the client computer system to attempt to log-on to the network. The client computer system is authenticated prior to permitting the client computer system to attempt to log-on to the network.
    Type: Grant
    Filed: March 31, 1999
    Date of Patent: May 20, 2003
    Assignee: International Business Machines Corporation
    Inventors: Daryl Carvis Cromer, Dhruv M. Desai, Brandon Jon Ellison, Eric Richard Kern, Howard Locker, Andy Lloyd Trotter, James Peter Ward
  • Patent number: 6564326
    Abstract: A security enhanced computer system arrangement includes a coprocessor and a multiprocessor logic controller inserted into the architecture of a conventional computer system. The coprocessor and multiprocessor logic controller is interposed between the CPU of the conventional computer system to intercept and replace control signals that are passed over certain of the critical control signal lines associated with the CPU. The multiprocessor logic controller arrangement thereby isolates the CPU of the conventional computer system from the remainder of the conventional computer system, permitting separate control over the CPU and separate control over the remainder of the computer system. By controlling the control signals that are normally passed between the CPU and the remainder of the computer system, the multiprocessor logic controller permits the coprocessor to perform highly secure operations.
    Type: Grant
    Filed: October 24, 2001
    Date of Patent: May 13, 2003
    Inventor: Walter A. Helbig, Sr.
  • Patent number: 6564327
    Abstract: A method of and system for controlling access to the Internet by members of an organization that includes at least one supervisor and at least one non-supervisor for which limited Internet access is desired. The system maintains for each member of the organization a session identifier. When the system establishes an Internet session between a member of the organization and the Internet, the system initially sets a user session identifier for said Internet session to a default session identifier, which is the session identifier for the lowest access level member of the organization. When the member requests a resource, the system determines if an access level rating for the requested resource is greater than the value of the access level field of the user session identifier. If so, the system blocks the resource and presents the member with choices of logging on to the system as a specific member of the organization with a higher access level, or appealing the blocking to a supervisor.
    Type: Grant
    Filed: December 23, 1998
    Date of Patent: May 13, 2003
    Assignee: WorldCom, Inc.
    Inventors: John Klensin, Rohit Khare
  • Patent number: 6553498
    Abstract: A method for enforcing a security policy for selectively preventing the downloading and execution of undesired Executable Objects in an individual workstation, comprising the steps of, (1) providing a security agent suitable to be installed in an individual workstation, said security agent being provided with means for introducing at least one marker in one or more data packet transmitted by a workstation to a server through a gateway, said at least one marker indicating that a security agent is installed in the transmitting workstation; (2) providing means in or coupled to the gateway for analyzing the first one or more data packet(s) received from a transmitting workstation initiating communication to a remote server, to determine whether said first one or more data packet(s) comprise at least one marker indicating that a suitable security agent is installed in the transmitting workstation; (3) If at least one marker indicating that a suitable security agent is installed in the transmitting workstation is d
    Type: Grant
    Filed: July 26, 2000
    Date of Patent: April 22, 2003
    Assignee: Computer Associates Think, Inc.
    Inventors: Doron Elgressy, Asher Jospe
  • Patent number: 6546493
    Abstract: A system, method and computer program product are provided for scanning a source of suspicious network communications. Initially, network communications are monitored for violations of policies. Then, it is determined whether the network communications violate at least one of the policies. Further, a source of the network communications that violate at least one of the policies is identified. Upon it being determined that the network communications violate at least one of the policies, the source of the network communications is automatically scanned.
    Type: Grant
    Filed: November 30, 2001
    Date of Patent: April 8, 2003
    Assignee: Networks Associates Technology, Inc.
    Inventors: James S. Magdych, Tarik Rahmanovic, John R. McDonald, Brock E. Tellier
  • Patent number: 6530025
    Abstract: An authentication checking server makes user authentication checking when an access is made to an individual in-house server. A resource managing server receives a resource request corresponding to the resource of the individual server, calculates the access right to the corresponding resource based on the resource request and the result of the authentication checking, and relays the calculated access right and the resource request to the individual server. Upon receipt of the access right and the resource request, the individual server transmits the resource as a mobile code. A client machine receives and executes the mobile code, whereby an encryption access is made to the resource of the individual server included in an in-house network via the relay agent generated within the client machine.
    Type: Grant
    Filed: January 21, 1999
    Date of Patent: March 4, 2003
    Assignee: Fujitsu Limited
    Inventors: Itaru Nakagawa, Takashi Nishigaya, Ichiro Iida
  • Patent number: 6530024
    Abstract: A system and method for managing security incidents in a computing environment uses adaptive feedback to update security procedures in response to detected security incidents. Accordingly, the system and method is capable of defining security procedures, which can include one or more policies, and implementing these security procedures on one or more computing systems in the computing environment. The system and method monitors activities in the environment and detects security incidents using the implemented security procedures. When a security incident is detected, the security procedures are updated in response to said detected security incident and implemented on one or more systems in the computing environment.
    Type: Grant
    Filed: November 20, 1998
    Date of Patent: March 4, 2003
    Assignee: Centrax Corporation
    Inventor: Paul E. Proctor
  • Patent number: 6523134
    Abstract: A “Selective Undo Function” for computer programs allows a user to select any single specific action that was previously recorded by the computer, and undo only that selected action, rather than every action that chronologically follows the specific action. Specifically, the computer program may undo just the selected action, even if the selected action is not the last action taken by the user, if that is possible; or the computer program may perform some analysis and undo other actions that are deemed prerequisites to undoing the selected action, upon user confirmation; or if the analysis performed by the computer program cannot determine what these prerequisites are or cannot perform the undo function, then the computer program may take a default action, e.g., undo the selected action as well as all actions that follow the selected action, in chronological order.
    Type: Grant
    Filed: September 18, 1998
    Date of Patent: February 18, 2003
    Assignee: International Business Machines Corporation
    Inventor: Roni Korenshtein
  • Patent number: 6519702
    Abstract: A system for limiting security attacks on a computer system that operate by executing computer instructions embedded in data received from an external source. The system receives the data from the external source and performs a transformation on the data that causes any computer instructions encoded in the data to be unexecutable. After the data is transformed, the system stores the data in the computer system's memory. When the data is needed, the system retrieves the data and reverses the transformation. In this way, data from an external source is stored in memory in an unexecutable form, thereby making it impossible to execute malicious code embedded in the data. According to one aspect of the present invention, the data is transformed using a random number, so that the data can only be converted back to its original form with an inverse transformation using the same random number.
    Type: Grant
    Filed: January 22, 1999
    Date of Patent: February 11, 2003
    Assignee: Sun Microsystems, Inc.
    Inventor: Emrys J. Williams
  • Patent number: 6513130
    Abstract: A data processing system 100 is provided which includes a memory 104, an array 204 of memory cells arranged in rows and columns, each row being addressable by an address. Address generation circuitry 201/202 is provided for generating ones of the addresses for accessing selected ones of the rows in the array 204. An associative memory 203 is coupled to the address generation circuitry 201/202 for translating a first address, received from the address generation circuitry 201/202 and addressing a defective one of the rows of the array 204, into a second address addressing an operative one of the rows in array 204, the second address being sent to the memory.
    Type: Grant
    Filed: October 4, 1996
    Date of Patent: January 28, 2003
    Assignee: Cirrus Logic, Inc.
    Inventor: Randolph A. Cross
  • Patent number: 6505311
    Abstract: A network system has a plurality of networks. A first internetwork apparatus has a plurality of first ports each connected to the plurality of networks and a second internetwork apparatus has a plurality of second ports each connected to the plurality of networks. A data transmission path is connected to the first and second internetwork apparatuses to transmit data therebetween. In the normal state, each of the plurality of first ports is able to transmit and receive data to and from one of the plurality of networks while the plurality of second ports are able to transmit, but not receive data from the plurality of networks. A failure occurring in one of the plurality of first ports and a route therefrom to one of the plurality of networks is detected.
    Type: Grant
    Filed: October 3, 2000
    Date of Patent: January 7, 2003
    Assignees: Hitachi, Ltd., Hitachi Microcomputer System
    Inventors: Shinya Ichinohe, Norihide Noyama, Tokuhiro Niwa, Masao Nakamura
  • Patent number: 6502213
    Abstract: A system, method and article of manufacture are provided for minimizing the amount of changes that need to be made to exception handling logic when new exceptions are added. Exceptions are organized into hierarchies in a polymorphic exception handler. A root of one of the hierarchies in which an exception occurs is caught. The exception is instructed to rethrow itself. The rethrown exception is caught and identified. A type of the rethrown exception is determined and a message is outputted indicating the type of the rethrown exception.
    Type: Grant
    Filed: August 31, 1999
    Date of Patent: December 31, 2002
    Assignee: Accenture LLP
    Inventor: Michel K. Bowman-Amuah
  • Patent number: 6496935
    Abstract: A system, a device and a method for accelerating packet filtration by supplementing a firewall with a pre-filtering module. The pre-filtering module performs a limited set of actions with regard to the packets, according to whether the packets are received from a connection which has been previously permitted by the firewall. If the packets are received from such a permitted connection, then the pre-filtering module forwards the packets to their destination, optionally performing one or more actions on the packets. Otherwise, the packets are forwarded to the firewall for handling. Preferably, once the firewall has transferred responsibility for the connection to the pre-filtering module, or “off-loaded” the connection, the firewall does not receive further packets from this connection until a timeout occurs for the connection, or a packet is received with particular session-control field values, such that the connection is closed.
    Type: Grant
    Filed: March 2, 2000
    Date of Patent: December 17, 2002
    Assignee: Check Point Software Technologies LTD
    Inventors: Gonen Fink, Amir Harush
  • Patent number: 6496934
    Abstract: A combination mode of a data transfer for a transfer source and a transfer destination is previously defined by a value of resource select information of a control register (CHCRn). An address comparator circuit (SACn, DACn) has judging logic specified by the defined contents and detects, depending on its logical structure, a data transfer address error in the data transfer controller (8) on the basis of such logical structure, in accordance with resource select information and the transfer source address and transfer destination address of the address registers (SARn, DARn). Since the data transfer is started only when the resource select information matches with the setting information of both address registers, high reliability can be assured for memory protection in the data transfer operation by the data transfer controller.
    Type: Grant
    Filed: December 4, 2000
    Date of Patent: December 17, 2002
    Assignees: Hitachi, Ltd., Hitachi ULSI Engineering Corp.
    Inventors: Takaaki Suzuki, Tomoya Takasuga, Norio Nakagawa
  • Patent number: 6493826
    Abstract: A fault-tolerant transaction processing system and method stores records associated with operations of the system in order to permit recovery in the event of a need to roll back a transaction or to restart the system. At least some of the operational records are stored as a recovery log in low-speed non-volatile storage and at least some are stored as a recovery list in high speed volatile storage. Rollback of an individual transaction is effected by reference to the recovery list whereas restart of the system is effected by reference to the recovery log.
    Type: Grant
    Filed: July 12, 2000
    Date of Patent: December 10, 2002
    Assignee: International Business Machines Corporation
    Inventors: Andrew John Schofield, Anthony Robert Washer
  • Patent number: 6490686
    Abstract: A method and apparatus for restricting privileged access to distributed content information (e.g., audio data stored on a compact disk, audiocassette, etc., and video and/or audio data stored on a DVD disk, video cassette, etc.) begins by extracting a privileged indicator from the distributed content information to produce an extracted privilege indicator. The privileged indicator indicates whether the content data of the distributed content information can be displayed, displayed without copying, displayed with a single copy, displayed with multi-copies, copied once, or copied multiple times. The extracted privilege indicator is transmitted to a distributed content device (e.g., a monitor, a projector, a high definition television, a DVD recorder, a server, and/or a personal computer) via a control channel. Upon receiving the extracted privilege indicator, the distributed content device interprets it to determine the privileged access restrictions.
    Type: Grant
    Filed: October 5, 1998
    Date of Patent: December 3, 2002
    Assignee: Ati International Srl
    Inventor: Peter Wheeler
  • Patent number: 6487665
    Abstract: An object-based security framework provides for intra-process security boundaries. An application developer can define security settings declaratively at the object, interface, and method level using a graphical interface. When the application is deployed, the settings are placed into a central store and can be modified at a later time. At runtime, logic outside the application objects enforces the security boundaries, relieving the developer of having to incorporate security logic into the application. Changes to the security can be implemented by changing the settings without having to change the application objects. In addition to checking for identity, the security framework supports roles and enforces specified authentication levels. The integrity of an application's security scheme is retained when the application is combined with another application in the framework.
    Type: Grant
    Filed: November 30, 1998
    Date of Patent: November 26, 2002
    Assignee: Microsoft Corporation
    Inventors: Anthony D. Andrews, Satish R. Thatte, Richard D. Hill, Rebecca A. Norlander, Alexander A. Armanasu
  • Patent number: 6484263
    Abstract: Disclosed is a system and method for accessing password-protected Web sites through Web browsers without manually supplying username and password by users. A browser maintains, for each user, one user security profile which stores the URLs and the corresponding login username and password. When the browser receives a username-password challenge from a Web server, instead of immediately prompting the user for such information, the browser first searches the user security profile for the URL the challenge is received from. If a match is found, the browser sends the challenging Web server the username and password that is associated with the matched URL. Thus the user does not have to manually supply the username and password once the triple of (URL, username, password) is stored in the user security profile. This feature is especially valuable for users of voice browsers and phone browsers.
    Type: Grant
    Filed: January 28, 1999
    Date of Patent: November 19, 2002
    Assignee: International Business Machines Corporation
    Inventor: Te-Kai Liu