Patents Examined by Taghi Arani
  • Patent number: 9407602
    Abstract: A system is disclosed for protecting a network against malicious attacks or attempts for unauthorized access. A network is connected to an external network by a number of firewalls. Inspectors detect packets blocked by the firewalls and some or all of the packets are directed to a labyrinth configured to emulate an operational network and respond to the packets in order to engage an attacker. Blocked packets may be detected by comparing packets entering and exiting a firewall. Packets for which a corresponding packet is not received within a transit delay may be identified as blocked. Entering and exiting packets may be compared by comparing only header information. A central module may receive information from the inspectors and generate statistical information and generate instructions for the inspectors, such as blacklists of addresses known to be used by attackers.
    Type: Grant
    Filed: November 7, 2013
    Date of Patent: August 2, 2016
    Assignee: ATTIVO NETWORKS, INC.
    Inventors: Marc Feghali, Albert Young, Mano Murthy, John F. Wakerly, Harihara Mahesh, Atul Shrivastava
  • Patent number: 9396347
    Abstract: Concepts and technologies are described herein for providing status of site access requests. In accordance with the concepts and technologies disclosed herein, a user attempts to access functionality of a server application that is limited to authorized users. In response to the access attempt, the server application determines if the user is authorized to access the functionality and if the user has previously requested access to the functionality. If the user has not previously requested access to the application, the server application can present a user interface to the user for requesting access to the server application. If the user has previously requested access to the application, the server application can present an indication that an access request already exists, history and status information associated with the access request, and/or an interface for submitting messages to the site owner or other entity.
    Type: Grant
    Filed: September 1, 2011
    Date of Patent: July 19, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Bojana Marjanovic Duke, Ajey Pankaj Shah, Reed George Pankhurst
  • Patent number: 9397990
    Abstract: A method of controlling the sharing of data between entities that are in electronic communication with each other may include generating an authentication credential comprising an identifier for the target service and a unique signature, attenuating the authentication credential, and determining whether a client device is authorized to access the target service, and, only if so, providing the authentication credential to the client device. In an embodiment, the method may include receiving an access request from the client device, identifying that the authentication credential includes the unique signature and a third party caveat that is associated with a third party authentication service, in response to the identifying, determining whether the request also comprises a discharge credential for the third party caveat, and if the request includes the discharge credential, providing the client device with the requested service, otherwise denying the request.
    Type: Grant
    Filed: November 8, 2013
    Date of Patent: July 19, 2016
    Assignee: Google Inc.
    Inventors: Ankur Taly, Ulfar Erlingsson, Arnar Birgisson, Joseph Gibbs Politz, Mark Lentczner
  • Patent number: 9384362
    Abstract: Secrets data representing one or more secrets required to access associated resources is provided along with secrets distribution policy data representing one or more secrets distribution factors used to control the distribution of the secrets. When a requesting virtual asset submits secrets request data, virtual asset profile data associated with the requesting virtual asset is obtained. The requesting virtual asset profile data is then analyzed using at least one of the secrets distribution factors to authenticate the requesting virtual asset. The requesting virtual asset profile data is then analyzed using one or more of secrets distribution factors to determine what secrets the requesting virtual asset legitimately needs. Authorized secrets data for the requesting virtual asset representing one or more authorized secrets is then generated. The requesting virtual asset is then provided access to the authorized secrets data.
    Type: Grant
    Filed: October 14, 2013
    Date of Patent: July 5, 2016
    Assignee: Intuit Inc.
    Inventors: Luis Felipe Cabrera, M. Shannon Lietz, James Armitage, Oleg Gryb, Elangovan Shanmugam, Sabu Kuruvila Philip, Brett Weaver, Thomas Bishop, Troy Otillio, Jinglei Whitehouse, Jeffrey M. Wolfe, Ankur Jain
  • Patent number: 9384440
    Abstract: Transponder (104), comprising a storage unit (106) having stored a number of different applications, a processing unit (108) which, on request of a reader (102), is adapted to generate a response interpretable using an encryption scheme known by both the transponder (104) and the reader (102) so that the reader (102) is capable of determining whether an application is supported by the transponder (104) by analyzing the response using the encryption scheme, and a transmission unit (110) adapted to send the response to said reader (102).
    Type: Grant
    Filed: November 7, 2008
    Date of Patent: July 5, 2016
    Assignee: NXP B.V.
    Inventors: Susanne Stern, Paul Hubmer, Peter Thueringer, Bruce Murray, Heike Neumann, Hans De Jong
  • Patent number: 9378155
    Abstract: A method for processing and verifying remote dynamic data is provided. The method includes providing a radix tree structure having N levels, obtaining and recording N initial values for representing the empty radix tree structure, wherein all nodes at the same level are assigned an identical initial value. When performing a data processing operation to the radix tree structure, determining a first leaf node and calculating and recording the value of each node in a shortest path from the first leaf node to the root node. When performing a verification of a specific data, obtaining a second leaf node corresponding to the specific data, a sibling node of each node in a shortest path from the second leaf node to the root node, and generating a verification result according to a digital signature for verifying the root node, the value of each obtained sibling node, and the specific data.
    Type: Grant
    Filed: January 15, 2013
    Date of Patent: June 28, 2016
    Assignee: Acer Incorporated
    Inventors: Yu-Shian Chen, Chin-Laung Lei
  • Patent number: 9367687
    Abstract: A method of detecting malware is provided. The method includes (a) from a database of historic network traffic, identifying a suspect file that traveled through a network as being suspected malware, (b) deriving a distinctive signature based on contents of the suspect file, and (c) scanning a computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device. Embodiments directed to analogous computer program products and apparatuses are also provided.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: June 14, 2016
    Assignee: EMC Corporation
    Inventor: Or Tzvi Warshenbrot
  • Patent number: 9369450
    Abstract: A method of accepting a remote access at a target machine from a source machine may include receiving a login request at the target machine from the source machine, wherein the login request includes a user identification for the target machine. Responsive to accepting the login request, a session may be provided between the source and target machines using the user identification for the target machine. In addition, a user identification for the source machine may be received, and the user identification for the source machine may be locked at the target machine so that the user identification for the source machine is associated with target machine actions relating to the session between the source and target machines. For example, the user identification for the source machine may be received as an environment variable.
    Type: Grant
    Filed: December 19, 2013
    Date of Patent: June 14, 2016
    Assignee: CA, Inc.
    Inventors: Nir Barak, Amir Jerbi, Stefano Sali, Gabriel Kalmar
  • Patent number: 9363287
    Abstract: The present invention is directed towards systems and methods for providing multiple modes of a zone for DNSSEC by an intermediary device. The method includes providing, by a device intermediary to a plurality of clients and a plurality of servers, a plurality of modes of a zone for Domain Name Service. The device receives a selection of a first mode of the zone of the plurality of modes of the zone. The device receives information identifying to enable DNS Security for the selected first mode. The device establishes the zone for DNS in accordance with the selected first mode and with DNS Security enabled.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: June 7, 2016
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Ravi Kondamuru, Raghav Somanahalli Narayana
  • Patent number: 9363578
    Abstract: To securely transmit content through remote access via an external network, such as a WAN, while exceeding restrictions of an RTT and a TTL. A way of handling a flag for controlling remote access of content is explicitly defined, and an authentication method is explicitly defined when a content using device performs remote access. Thus, also in remote access, similarly to access of the related art in a household, a copyright protection environment of content based on the DTCP-IP is constructed.
    Type: Grant
    Filed: July 1, 2010
    Date of Patent: June 7, 2016
    Assignee: SONY CORPORATION
    Inventors: Toshiharu Fukui, Teruhiko Kori, Takehiko Nakano, Atsuko Ogasawara
  • Patent number: 9338008
    Abstract: Embodiments of the present disclosure include systems and methods for secure release of secret information over a network. The server can be configured to receive a request from a client to access the deposit of secret information, send an authorization request to at least one designated trustee in the set of designated trustees for the deposit of secret information, receive responses over the network from one or more of the designated trustees in the set of designated trustees and apply a trustee policy to the responses from the one or more designated trustees in the set of trustees to determine if the request is authorized. If the request is authorized, the server can send the secret information to the client. If the request is not authorized, the server denies access by the client to the secret information.
    Type: Grant
    Filed: April 1, 2013
    Date of Patent: May 10, 2016
    Assignee: Cloudera, Inc.
    Inventors: Dustin C. Kirkland, Eduardo Garcia
  • Patent number: 9336324
    Abstract: A security trimming system disclosed herein uses intelligent caching of the security trimming information received from a security datastore. The security trimming system uses an access cache to store the security trimming information received from the access datastore together with other parameters associated with such security trimming information. Subsequently, in responding to a request for the security trimming information, the security trimming system uses the cached value of the security trimming information together with the other associated parameters to determine a response to the request from the content providers. In one implementation, if the other parameters associated with a particular security trimming information imply that the security trimming information in the cache is still valid, the cached security trimming information is used in the request response. Otherwise, a new request is sent to the security datastore for an updated value of the security trimming information.
    Type: Grant
    Filed: November 1, 2011
    Date of Patent: May 10, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Robert Lomme, Benjamin Wilde, Michael Tavis, Alexei Evdokimov, Siddharth R. Shah, Puneet Narula
  • Patent number: 9338178
    Abstract: The present invention discloses a method and a system for performing scanning and killing on browser bookmarks, the method comprising: receiving, by a browser background server, a synchronization request that includes a user account and bookmark web addresses from a browser client; storing, by the browser background server, the bookmark web addresses correspondingly to the user account; and receiving a cloud scanning and killing instruction that includes the user account from the browser client, performing risk scanning and killing on the bookmark web addresses which the user account corresponds to, determining a risky web address, and feeding back a scanning and killing result that includes the risky web address to the browser client, by the browser background server. The solutions of the present invention can improve security of the browser bookmarks, and save storage spaces of a terminal device where the browser client resides.
    Type: Grant
    Filed: December 19, 2013
    Date of Patent: May 10, 2016
    Assignee: Tencent Technology (Shen-Zhen) Company Limited
    Inventors: Bo Yang, Xiaodan Lin
  • Patent number: 9330259
    Abstract: A process for identifying potentially harmful malware, comprises the steps of: a) identifying an executable that is about to run; b) providing a monitoring agent that monitors all threads that are descendent of a thread initiated by the process of said executable; and c) configuring said monitoring agent to conclude that a high probability of malware presence exists, if one of said descendent threads reaches a target process in which suspicious patches are created.
    Type: Grant
    Filed: March 19, 2013
    Date of Patent: May 3, 2016
    Assignee: TRUSTEER, LTD.
    Inventors: Amit Klein, Yaron Dycian, Gal Frishman, Avner Gideoni
  • Patent number: 9319222
    Abstract: Exemplary methods for performing authentication by a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, include, in response to determining to transmit an ICR message to the second network device, generating the ICR message by generating a first and second authentication digest. In one embodiment, the methods include encrypting a payload of the ICR message, and transmitting the ICR message that includes the first and second authentication digest to the second network device. In another aspect of the invention, the methods include receiving an ICR message from the second network device and performing a first level authentication of the received ICR message. The methods further include, in response to determining the first level authentication is successful, performing a second level authentication of the received ICR message.
    Type: Grant
    Filed: April 8, 2014
    Date of Patent: April 19, 2016
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventor: Yogendra Pal
  • Patent number: 9317111
    Abstract: A computationally implemented method includes, but is not limited to: acquiring one or more indicators that suggest that a computing device has been transferred to a first user from a second user, the first user having at least greater accessing rights than the second user to one or more items via the computing device; detecting, in response to said acquiring, input that verifies that the computing device has been transferred to the first user; and providing at least greater access via the computing device to the one or more items in response to detecting the input verifying that the computing device has been transferred to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: April 19, 2016
    Assignee: Elwha, LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 9319399
    Abstract: A method and system for authenticating a user at a first computer to first and second applications installed in a second computer. The second computer receives from the user a first request to access the first application, and in response, the second computer redirects the first request to a third computer, and in response, the third computer determines that the user was previously authenticated and so notifies the second computer, and in response, the second computer returns a first session key to the third computer. The first session key enables a session with the first application but not with the second application. The second computer receives from the user a second request with a second session key to access the first and/or second application, and in response the second computer determines that the user is authentic and notifies the first and/or second application that the user is authentic.
    Type: Grant
    Filed: October 3, 2014
    Date of Patent: April 19, 2016
    Assignee: International Business Machines Corporation
    Inventors: Yaser K. Doleh, Christopher G. Kalamaras, Mauro Marzorati
  • Patent number: 9313173
    Abstract: A method of unified content scanning in which content is deconstructed into base formats so as to be presented to content filters in a common format. The base formats include text, image and audio. The invention also includes a system of unified content scanning and a gateway appliance embodying the method of unified content scanning.
    Type: Grant
    Filed: December 6, 2010
    Date of Patent: April 12, 2016
    Assignee: Bloomberg L.P.
    Inventors: Trent H C Davis, Stephen James Thorne, James Peter Brotchie
  • Patent number: 9311482
    Abstract: In an embodiment of the invention, a method includes: determining, in a computer, an area where an undesired computer program will reside; and providing a data object in the area, so that the data object is an antibody that provides security to the computer and immunity against the undesired program. Another embodiment of the invention also provides an apparatus (or system) that can be configured to perform at least some of the above functionalities.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: April 12, 2016
    Assignee: COUNTERTACK, INC.
    Inventors: Michael Gregory Hoglund, Shawn Michael Bracken
  • Patent number: 9313025
    Abstract: A method and system for generating and processing an authenticity certificate. A request for a step certificate is received from a requester entity. The step certificate authenticates an involvement of the requester entity about an object. The request includes an object identifier, a requester entity type of the requester entity, and a requester identity certificate of the requester entity. The object identifier is hashed. A signature is created and includes the hashed object identifier, the requester entity type, a certifier identity certificate, and the requester identity certificate. A hashing result is generated by hashing a concatenation of the object identifier, the requester entity type, the certifier entity certificate, the requester identity certificate, and the signature. The step certificate is generated and includes the hashing result. The step certificate is encrypted. The encrypted step certificate is sent to the requester entity for subsequently storing the step certificate on a media.
    Type: Grant
    Filed: October 6, 2014
    Date of Patent: April 12, 2016
    Assignee: International Business Machines Corporation
    Inventors: Frederic Bauchot, Gerard Marmigere, Christophe Mialon, Pierre Secondo