Patents Examined by William Goodchild
  • Patent number: 8364949
    Abstract: A new Transmission Control Protocol (TCP) Enhanced Authentication Option is described. An administrator configures sending and receiving devices to maintain lists of authentication elements for each protected TCP connection. Each authentication element includes an authentication element identifier, a key, a hash algorithm, and a start time. A sending device calculates a security portion, updates the new TCP option to include the security portion, calculates a checksum, and forwards the TCP segment to the receiving device. Having received the authenticated TCP segment, the receiving device scans its list of authentication elements, searching for an authentication element whose identifier matches that of the incoming TCP option. If the receiving device finds such an authentication element, the receiving device uses a key from the authentication element to calculate a security portion.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: January 29, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Ron P. Bonica, Andrew H. Heffernan
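The send/receive flow in the abstract above, worked through as an added example (this is illustrative code written for this page, not Juniper's or the patent's). Everything beyond the abstract is an assumption: the security portion is an HMAC computed over the TCP pseudo-header and the segment with the security-portion bytes zeroed, truncated to 12 bytes; the option wire layout (kind 0xFE, length, 16-bit element identifier, MAC) is invented; the sender uses the newest element whose start time has passed; the option sits directly after the fixed 20-byte header, which is passed in as opaque bytes.

```python
import hmac
import struct
from dataclasses import dataclass

OPTION_KIND = 0xFE   # hypothetical option kind, not an IANA-assigned value
MAC_LEN = 12         # bytes of MAC carried in the option (assumed)
TCP_HEADER_LEN = 20  # fixed TCP header; the option is placed right after it


@dataclass(frozen=True)
class AuthElement:
    element_id: int       # carried in the option so the receiver can find the element
    key: bytes
    hash_algorithm: str   # hashlib name such as "sha256"
    start_time: int       # seconds since epoch from which this element is used


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)   # zero, protocol 6, TCP length


def build_option(element_id: int, mac: bytes) -> bytes:
    return struct.pack("!BBH", OPTION_KIND, 4 + MAC_LEN, element_id) + mac


def security_portion(elem: AuthElement, ph: bytes, segment_zeroed: bytes) -> bytes:
    """HMAC over pseudo-header + segment with the MAC bytes zeroed, truncated."""
    return hmac.new(elem.key, ph + segment_zeroed, elem.hash_algorithm).digest()[:MAC_LEN]


def internet_checksum(data: bytes) -> int:
    """16-bit ones' complement sum used by TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def select_element(elements, now: int) -> AuthElement:
    """Sender policy (assumed): newest element whose start time has passed."""
    active = [e for e in elements if e.start_time <= now]
    if not active:
        raise ValueError("no authentication element is active yet")
    return max(active, key=lambda e: e.start_time)


def send_segment(elements, now, src, dst, tcp_header, payload):
    """Sender: compute the security portion, fill the option, then the checksum."""
    elem = select_element(elements, now)
    zeroed = tcp_header + build_option(elem.element_id, b"\x00" * MAC_LEN) + payload
    ph = pseudo_header(src, dst, len(zeroed))
    mac = security_portion(elem, ph, zeroed)
    segment = tcp_header + build_option(elem.element_id, mac) + payload
    return segment, internet_checksum(ph + segment)


def receive_segment(elements, src, dst, segment, checksum):
    """Receiver: check the checksum, find the element by identifier, recompute
    the security portion and compare. Returns the element id, or None to drop."""
    ph = pseudo_header(src, dst, len(segment))
    if internet_checksum(ph + segment) != checksum:
        return None
    opt = segment[TCP_HEADER_LEN:TCP_HEADER_LEN + 4]
    if len(opt) < 4:
        return None
    kind, length, element_id = struct.unpack("!BBH", opt)
    if kind != OPTION_KIND or length != 4 + MAC_LEN:
        return None
    received = segment[TCP_HEADER_LEN + 4:TCP_HEADER_LEN + length]
    payload = segment[TCP_HEADER_LEN + length:]
    elem = next((e for e in elements if e.element_id == element_id), None)
    if elem is None:
        return None    # no element with that identifier: cannot authenticate, drop
    zeroed = segment[:TCP_HEADER_LEN] + build_option(element_id, b"\x00" * MAC_LEN) + payload
    expected = security_portion(elem, ph, zeroed)
    return element_id if hmac.compare_digest(expected, received) else None


# Constructed sample configuration shared by both peers: an old key that is
# current now and a newer key whose start time lies in the future.
ELEMENTS = (
    AuthElement(1, b"old-shared-key", "sha256", 0),
    AuthElement(2, b"new-shared-key", "sha256", 1_700_000_000),
)
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
# 20-byte header, ports 179 -> 49152; data offset and checksum fields are left
# as-is for brevity (a real stack updates them for the added option).
TCP_HEADER = struct.pack("!HHIIBBHHH", 179, 49152, 1, 1, 0x50, 0x18, 65535, 0, 0)

if __name__ == "__main__":
    seg, ck = send_segment(ELEMENTS, 1_600_000_000, SRC, DST, TCP_HEADER, b"OPEN")
    print("accepted with element", receive_segment(ELEMENTS, SRC, DST, seg, ck))
```

The receiver drops a segment whose identifier it does not know rather than falling back to an unauthenticated path, and it compares MACs in constant time; the start-time field is what lets both peers roll to a new key without a flag day, as long as the new element is installed on the receiver before the sender's clock reaches its start time.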
  • Patent number: 8356184
    Abstract: A data storage device is disclosed comprising a non-volatile memory, a logical block address (LBA) table for storing plaintext data used to access the non-volatile memory, and control circuitry including a secure processor and a device processor. The secure processor is operable to initialize the LBA table with at least one authentication code over the plaintext data, and verify the authentication code over the plaintext data. The device processor is operable to receive an access command from a host, evaluate the plaintext data in the LBA table to determine whether to allow the access command, and when the access command is allowed, execute the access command.
    Type: Grant
    Filed: June 25, 2009
    Date of Patent: January 15, 2013
    Assignee: Western Digital Technologies, Inc.
    Inventors: Alan T. Meyer, Erik R. Habbinga
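The division of labour between the secure processor and the device processor, modelled as an added example (illustrative code for this page, not Western Digital's or the patent's). Assumptions not in the abstract: the LBA table is a list of (first LBA, last LBA, permission bits) rows serialised with struct; the authentication code is HMAC-SHA256 under a key only the secure processor holds; an access command must fit inside one row that grants the operation.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

READ, WRITE = 1, 2   # permission bits stored in the plaintext rows (assumed encoding)


@dataclass
class LbaTable:
    rows: list                # plaintext rows: (first_lba, last_lba, permission_bits)
    auth_code: bytes = b""    # authentication code set by the secure processor

    def serialize(self) -> bytes:
        return b"".join(struct.pack("!QQB", first, last, perm) for first, last, perm in self.rows)


class SecureProcessor:
    """Holds the table key. Only it can initialise the table's authentication
    code or verify it; the key never leaves this object."""

    def __init__(self, key: bytes):
        self._key = key

    def initialize(self, table: LbaTable) -> None:
        table.auth_code = hmac.new(self._key, table.serialize(), hashlib.sha256).digest()

    def verify(self, table: LbaTable) -> bool:
        expected = hmac.new(self._key, table.serialize(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, table.auth_code)


class DeviceProcessor:
    """Receives host commands; has no key. It relies on the secure processor's
    verdict before trusting the plaintext rows it evaluates."""

    def __init__(self, secure: SecureProcessor, table: LbaTable):
        self.secure = secure
        self.table = table
        self.media = {}   # lba -> data, standing in for the non-volatile memory

    def handle(self, op: int, lba: int, count: int, data: bytes = b""):
        if not self.secure.verify(self.table):
            return "refused: LBA table failed authentication"
        last = lba + count - 1
        # the whole request must fall inside one row that grants the operation (assumed rule)
        if not any(first <= lba and last <= end and (perm & op)
                   for first, end, perm in self.table.rows):
            return "refused: not permitted by LBA table"
        if op == READ:
            return [self.media.get(b, b"\x00") for b in range(lba, last + 1)]
        for b in range(lba, last + 1):
            self.media[b] = data
        return "written"


def demo() -> list:
    table = LbaTable([(0, 99, READ | WRITE), (100, 199, READ)])
    secure = SecureProcessor(b"key-held-only-by-secure-processor")
    secure.initialize(table)
    device = DeviceProcessor(secure, table)
    results = [
        device.handle(WRITE, 10, 2, b"x"),   # allowed: row 0 grants WRITE
        device.handle(WRITE, 150, 1, b"x"),  # refused: row 1 is read-only
        device.handle(READ, 150, 2),         # allowed: read of never-written blocks
    ]
    # An attacker who can edit the plaintext table (but not obtain the key)
    # grants WRITE on the read-only range; verification now fails and the
    # device processor stops honouring the table at all.
    table.rows[1] = (100, 199, READ | WRITE)
    results.append(device.handle(WRITE, 150, 1, b"x"))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of keeping the rows in plaintext is that the device processor can evaluate them quickly; the authentication code is what stops a tampered row from being honoured, so the verify step has to run before, not after, the permission check.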
  • Patent number: 8353045
    Abstract: In one aspect, a method to assess information security vulnerability of an enterprise includes storing enterprise objectives in a computer system, storing enterprise resources determined using a value criterion, a rareness criterion, an inimitability criterion and a non-substitutability criterion in the computer system and storing enterprise information assets in the computer system. The method also includes mapping the enterprise objectives with the enterprise resources and mapping the enterprise information assets with the enterprise resources. The method further includes determining a threat analysis using an attack tree using the enterprise resources and the information assets and determining a risk value using the attack tree.
    Type: Grant
    Filed: June 29, 2009
    Date of Patent: January 8, 2013
    Inventors: Bugra Karabey, Nazife Baykal
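An attack-tree risk calculation of the kind the abstract describes, written as an added example for this page (not the inventors' method). Assumptions not in the abstract: a resource counts as strategic only if all four criteria (value, rareness, inimitability, non-substitutability) hold; leaf attack steps carry an estimated success probability; an OR node succeeds if any child succeeds and an AND node only if all children succeed, with children treated as independent; the risk value is the root's success probability multiplied by the monetary value of the resource the tree threatens.

```python
from dataclasses import dataclass, field
from math import prod


@dataclass
class Resource:
    name: str
    value: float             # monetary value of the resource (assumed input)
    valuable: bool           # the four criteria named in the abstract
    rare: bool
    inimitable: bool
    non_substitutable: bool

    def qualifies(self) -> bool:
        return self.valuable and self.rare and self.inimitable and self.non_substitutable


@dataclass
class AttackNode:
    name: str
    gate: str = "LEAF"             # "LEAF", "AND" or "OR"
    probability: float = 0.0       # leaf success probability (assumed estimate)
    children: list = field(default_factory=list)


def success_probability(node: AttackNode) -> float:
    """OR: any child path succeeds; AND: all must succeed (children independent)."""
    if node.gate == "LEAF":
        return node.probability
    ps = [success_probability(child) for child in node.children]
    if node.gate == "AND":
        return prod(ps)
    if node.gate == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError("unknown gate %r" % node.gate)


def risk_value(resource: Resource, tree: AttackNode) -> float:
    if not resource.qualifies():
        return 0.0     # not a strategic resource under the four criteria
    return success_probability(tree) * resource.value


def enterprise_risk(objectives: dict, resources: dict, trees: dict) -> dict:
    """objectives: name -> resource names; resources: name -> Resource;
    trees: resource name -> root AttackNode. Returns risk per objective."""
    return {
        objective: sum(risk_value(resources[r], trees[r]) for r in resource_names)
        for objective, resource_names in objectives.items()
    }


# Constructed sample enterprise: one strategic resource and one that fails
# the rareness, inimitability and non-substitutability criteria.
RESOURCES = {
    "pricing db": Resource("pricing db", 1_000_000.0, True, True, True, True),
    "office wifi": Resource("office wifi", 50_000.0, True, False, False, False),
}
OBJECTIVES = {"keep pricing advantage": ["pricing db"], "staff connectivity": ["office wifi"]}
TREES = {
    "pricing db": AttackNode("read pricing db", "OR", children=[
        AttackNode("insider route", "AND", children=[
            AttackNode("phish a DBA", probability=0.5),
            AttackNode("escalate to db host", probability=0.4),
        ]),
        AttackNode("exploit exposed service", probability=0.1),
    ]),
    "office wifi": AttackNode("crack wifi PSK", probability=0.3),
}

if __name__ == "__main__":
    for objective, risk in enterprise_risk(OBJECTIVES, RESOURCES, TREES).items():
        print(f"{objective}: {risk:,.0f}")
```

For the sample tree the insider route succeeds with probability 0.5 x 0.4 = 0.2, the OR with the 0.1 exploit path gives 1 - 0.8 x 0.9 = 0.28, and the objective's risk is 0.28 x 1,000,000 = 280,000. The independence assumption is the part to question in practice: if the two AND steps share a precondition the product understates the probability.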
  • Patent number: 8346848
    Abstract: The present invention provides systems and methods for maintaining stateful interactions between clients and servers. Furthermore, the invention provides systems and methods for maintaining stateful interactions between clients and load balancers. In one embodiment, the present invention provides systems and methods for maintaining statefulness without the need for the server to query and/or store information on the client.
    Type: Grant
    Filed: August 16, 2002
    Date of Patent: January 1, 2013
    Assignee: Juniper Networks, Inc.
    Inventors: Christopher Peiffer, Israel L'Heureux
  • Patent number: 8341427
    Abstract: A digital escrow pattern is provided for network data services including searchable encryption techniques for data stored in a cloud, distributing trust across multiple entities to avoid a single point of data compromise. In one embodiment, a key generator, a cryptographic technology provider and a cloud services provider are each provided as separate entities, enabling a publisher of data to publish data confidentially (encrypted) to a cloud services provider, and then expose the encrypted data selectively to subscribers requesting that data based on subscriber identity information encoded in key information generated in response to the subscriber requests, e.g., a role of the subscriber.
    Type: Grant
    Filed: June 25, 2009
    Date of Patent: December 25, 2012
    Assignee: Microsoft Corporation
    Inventors: Rahul V. Auradkar, Roy Peter D'Souza
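A toy version of the three-party arrangement in the abstract (key generator, cryptographic technology provider, cloud services provider), written as an added example for this page; it is not Microsoft's or the patent's code. Assumptions not in the abstract: subscriber key material is derived from a master key and the subscriber's role with HMAC-SHA256; the searchable index consists of HMAC tags of keywords under the role's index key, and a trapdoor is the same tag computed for the keyword being searched; document bodies are encrypted with an HMAC-SHA256 counter-mode keystream, a stand-in chosen so the example runs on the standard library alone (a real deployment would use an authenticated cipher).

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class KeyGenerator:
    """Holds the master secret and hands out role-scoped keys; sees no data."""

    def __init__(self):
        self._master = os.urandom(32)

    def role_keys(self, role: str) -> dict:
        base = prf(self._master, b"role:" + role.encode())
        return {"index": prf(base, b"index"), "data": prf(base, b"data")}


class CryptoProvider:
    """Encrypts, builds index tags and issues trapdoors. Handles keys and
    plaintext transiently but stores nothing."""

    @staticmethod
    def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # stand-in cipher: XOR with HMAC(key, nonce || counter) blocks
        out = bytearray()
        for i in range(0, len(data), 32):
            block = prf(key, nonce + (i // 32).to_bytes(4, "big"))
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def publish(self, keys: dict, doc_id: str, plaintext: bytes, keywords):
        nonce = os.urandom(16)
        ciphertext = nonce + self._keystream_xor(keys["data"], nonce, plaintext)
        tags = {prf(keys["index"], kw.encode()) for kw in keywords}
        return doc_id, ciphertext, tags

    def trapdoor(self, keys: dict, keyword: str) -> bytes:
        return prf(keys["index"], keyword.encode())

    def open(self, keys: dict, ciphertext: bytes) -> bytes:
        return self._keystream_xor(keys["data"], ciphertext[:16], ciphertext[16:])


class CloudProvider:
    """Stores only ciphertext and opaque tags and matches trapdoors against
    them; it never holds a key or a plaintext keyword."""

    def __init__(self):
        self.store = {}   # doc_id -> (ciphertext, tags)

    def put(self, doc_id: str, ciphertext: bytes, tags: set) -> None:
        self.store[doc_id] = (ciphertext, tags)

    def search(self, trapdoor: bytes) -> list:
        return [(d, ct) for d, (ct, tags) in self.store.items() if trapdoor in tags]


def demo() -> dict:
    keygen, ctp, cloud = KeyGenerator(), CryptoProvider(), CloudProvider()
    finance, hr = keygen.role_keys("finance"), keygen.role_keys("hr")
    # constructed documents, each published under one role's keys
    cloud.put(*ctp.publish(finance, "q3", b"Q3 revenue 12.4M", ["revenue", "q3"]))
    cloud.put(*ctp.publish(hr, "review", b"salary review notes", ["salary", "q3"]))
    finance_hits = cloud.search(ctp.trapdoor(finance, "q3"))
    return {
        "finance_q3": [d for d, _ in finance_hits],            # only the finance doc
        "opened": ctp.open(finance, finance_hits[0][1]),       # subscriber decrypts locally
        "hr_q3": [d for d, _ in cloud.search(ctp.trapdoor(hr, "q3"))],
        "hr_revenue": [d for d, _ in cloud.search(ctp.trapdoor(hr, "revenue"))],
    }


if __name__ == "__main__":
    print(demo())
```

Because the finance and hr index keys differ, the same keyword produces unrelated tags for each role, so a subscriber's trapdoor only matches documents published to that role; the cloud learns which stored items matched a query (the usual access-pattern leakage of this style of searchable encryption) but not the keyword or the contents, and no single party holds both the master key and the data.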
  • Patent number: 8341228
    Abstract: A method and system for automatically collecting information in a messaging system. A method in accordance with an embodiment includes: setting a flag indicating an information collection and an initiation flag for a message for requesting information collection by an information requester; generating a unique identifier for identifying a task for the information collection, and sending the message; when replying to the message for requesting information collection, setting a reply flag for a replied message and sending the replied message, wherein information required to be collected is included in the replied message; and extracting the information required to be collected by the task for the information collection identified by the unique identifier from the replied message in accordance with the flag indicating an information collection and the reply flag, consolidating the information into a single summary document, and providing the summary document to the information requester.
    Type: Grant
    Filed: July 29, 2008
    Date of Patent: December 25, 2012
    Assignee: International Business Machines Corporation
    Inventors: Jane Li, Xue Zhe Liu, Che Pan, Li Xu
  • Patent number: 8332648
    Abstract: According to one embodiment of the present invention, the first authentication context includes the template certificate indicative of the validity of a template and the first apparatus evaluation certificate indicative of the validity of the first apparatus evaluating information, while the second authentication context includes the second apparatus evaluation certificate indicative of the validity of the second apparatus evaluating information. The template certificate and the first and second evaluation certificates are verified when verifying the first and second authentication contexts. Thus, the validity of the template used for authentication or of the apparatus evaluating information included in the authentication context can be verified.
    Type: Grant
    Filed: January 28, 2010
    Date of Patent: December 11, 2012
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Solutions Corporation
    Inventors: Tomoaki Morijiri, Koji Okada, Tatsuro Ikeda, Minoru Nishizawa, Hidehisa Takamizawa, Yoshihiro Fujii, Asahiko Yamada
  • Patent number: 8332946
    Abstract: A malware-protection method and a malware-protection system for protecting a computer from malware infection by preventing infected files from executing on the computer before they can do harm. The malware-protection method employs a number of techniques and relies on multiple layers of protection to identify trusted files, prevent execution of untrustworthy files, accurately detect corrupted files, analyze questionable files, and quarantine files. The malware-protection system includes a client-based verification, detection, blocking, and quarantine application that interacts and coordinates protection methods with application-verification servers, scan servers, definition-update servers, and policy servers to deliver intelligent malware protection as Software-as-a-Service (SaaS). All users of the malware-protection system benefit from the detection of malicious files by any other user.
    Type: Grant
    Filed: September 15, 2010
    Date of Patent: December 11, 2012
    Assignee: AVG Netherlands B.V.
    Inventors: Darren R. Boisjolie, David Kent Haadsma, Gandhi Balasubramaniam
  • Patent number: 8316074
    Abstract: A network-accessible memory (NAM) element comprises a substrate, a memory mounted to the substrate, network interface circuitry and logic circuitry. The network interface circuitry implements a network physical layer and is mounted to the substrate. The logic circuitry is mounted to the substrate and is coupled to the network interface circuitry and the memory, and is configured to operate as a memory controller to control access to the memory by a host processor which is external to the NAM element through the network interface circuitry. The NAM element can be interconnected with other NAM elements to form a larger NAM storage device.
    Type: Grant
    Filed: March 11, 2005
    Date of Patent: November 20, 2012
    Assignee: Network Appliance, Inc.
    Inventor: Charles E. McManis
  • Patent number: 8316435
    Abstract: An MPLS-aware firewall allows firewall security policies to be applied to MPLS traffic. The firewall, which may be integrated within a routing device, can be configured into multiple virtual security systems. The routing device provides a user interface by which a user specifies one or more zones to be recognized by the integrated firewall when applying stateful firewall services to the packets. The user interface allows the user to define different zones and policies for different ones of the virtual security systems. In addition, the user interface supports a syntax that allows the user to define the zones for the firewall by specifying the customer VPNs as interfaces associated with the zones. The routing device generates mapping information for the integrated firewall to map the customer VPNs to specific MPLS labels for the MPLS tunnels carrying the customer's traffic.
    Type: Grant
    Filed: November 14, 2008
    Date of Patent: November 20, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Kannan Varadhan, Joao Campelo F. N. Gomes
  • Patent number: 8312543
    Abstract: A computer system detects and selectively blocks a cookie associated with a website. The system monitors a network traffic stream directed to a client from a website and detects presence of a cookie associated with the website in the network traffic stream. The system detects the cookie in the network traffic stream by analyzing the network stream using a network traffic filtering scheme, such as a deep packet inspection engine. The system further determines a reputation of the website in response to detecting the cookie in the network traffic stream. A reputation of a website represents an assessment of whether the website is trustworthy. Based on the determined reputation of the website, the system selectively blocks the cookie from being stored in the client if the reputation of the website is bad.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: November 13, 2012
    Assignee: Symantec Corporation
    Inventor: Patrick Gardner
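The cookie-blocking decision in the abstract, as an added example written for this page (not Symantec's or the patent's code). Assumptions not in the abstract: the reputation source is a constructed in-memory table keyed by host name; the response has already been reassembled into an HTTP message, so the packet-inspection stage that finds it is out of scope; when a Set-Cookie header carries a Domain attribute, that domain's reputation is consulted instead of the serving host's, and an unknown reputation does not block.

```python
BAD, GOOD, UNKNOWN = "bad", "good", "unknown"

# Constructed reputation table; a real system queries a reputation service.
REPUTATION = {
    "ads.example-tracker.test": BAD,
    "shop.example.test": GOOD,
}


def cookie_domain(set_cookie_value: str, host: str) -> str:
    """Domain the cookie will be stored for: its Domain attribute if present,
    otherwise the host that served the response."""
    for attr in set_cookie_value.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.strip().lower() == "domain":
            return value.strip().lstrip(".").lower()
    return host.lower()


def filter_response(host: str, raw: bytes):
    """Return (response with bad-reputation cookies removed, names of blocked cookies)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    kept, blocked = [lines[0]], []          # status line always kept
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            domain = cookie_domain(value.strip(), host)
            if REPUTATION.get(domain, UNKNOWN) == BAD:
                blocked.append(value.strip().split("=", 1)[0])
                continue                    # drop the header before the client sees it
        kept.append(line)
    return "\r\n".join(kept).encode("iso-8859-1") + sep + body, blocked


# Constructed response from a good-reputation shop that also tries to set a
# cookie for a bad-reputation tracking domain.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: track_id=xyz; Domain=.ads.example-tracker.test; Path=/\r\n"
    b"\r\n"
    b"<html>hello</html>"
)

if __name__ == "__main__":
    out, blocked = filter_response("shop.example.test", RESPONSE)
    print("blocked:", blocked)
    print(out.decode("iso-8859-1"))
```

Dropping the header in transit is the point: the client never stores the cookie, so nothing on the endpoint has to be cleaned up later. Note that a body length field is unaffected because only headers are removed; if the filter ever rewrote the body it would also need to fix Content-Length.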
  • Patent number: 8302198
    Abstract: The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.
    Type: Grant
    Filed: January 28, 2010
    Date of Patent: October 30, 2012
    Assignee: Tenable Network Security, Inc.
    Inventor: Renaud Deraison
  • Patent number: 8296416
    Abstract: Techniques for relaying presence information of an entity to a user, wherein the entity is known to the user via one or more communications networks, are provided. At least one portion of the presence information of the entity is obtained from one or more servers associated with the one or more communications networks. An image is generated in accordance with the at least one portion of the presence information of the entity. The image summarizes the presence information of the entity. Further, the image assists the user in the selection of a communication option when contacting the entity from a plurality of communication options of the entity.
    Type: Grant
    Filed: July 29, 2008
    Date of Patent: October 23, 2012
    Assignee: International Business Machines Corporation
    Inventors: Omri Fuchs, Roni Korenshtein
  • Patent number: 8291116
    Abstract: A method of performing a multimedia communication session over a communication link using Transmission Control Protocol (TCP) and over a communication link using User Datagram Protocol (UDP), including the acts of: receiving a request, over the TCP link, to register from a client terminal located within a private network; sending a probe data packet to the client terminal, over the TCP link, requesting it to send a data packet over the UDP link; and receiving a data packet from the client terminal that contains information relating to an address of the client terminal and a dynamic port over which the multimedia communication session is to be established.
    Type: Grant
    Filed: January 5, 2009
    Date of Patent: October 16, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: Stephen Michael Read
  • Patent number: 8280957
    Abstract: Automatic subscription to presence services is achieved using a communications manager within a presence system. The communications manager is capable of detecting the occurrence of an event associated with at least one of a presentity and a watcher. The communications manager automatically subscribes or unsubscribes the watcher to receive presence information of the presentity in response to detection of the event.
    Type: Grant
    Filed: December 23, 2004
    Date of Patent: October 2, 2012
    Assignee: Alcatel Lucent
    Inventors: Fuming Wu, Aziz Mohammed
  • Patent number: 8266234
    Abstract: A database system for processing a query includes at least one master node that is operable to communicate a multicast signal over a plurality of communication channels. The multicast signal includes a request to perform an action associated with a pre-compiled query. In one particular embodiment, the at least one master node communicates the multicast signal over a first communication channel. The system also includes a plurality of slave nodes that are coupled to the at least one master node. Each of the plurality of slave nodes is operable to receive the multicast signal from the first communication channel. In this particular embodiment, at least one of the plurality of slave nodes provides access to at least one key part that is also accessible through another one of the plurality of slave nodes.
    Type: Grant
    Filed: June 11, 2004
    Date of Patent: September 11, 2012
    Assignee: Seisint, Inc.
    Inventors: Richard K. Chapman, David A. Bayliss, Gavin C. Halliday, Nigel G. Hicks, Ole D. Poulsen, Jacob Cobbett-Smith
  • Patent number: 8255993
    Abstract: A computer-implemented method for determining file classifications. The method may include determining identification information of a first file stored on a first computing system. The method may also include querying a second computing system for classification information by sending the identification information of the first file to the second computing system. The first computing system may receive, in response to the query, identification information of a second file. The first computing system may also receive the classification information. The classification information may indicate that the first file and second file are trusted. The first computing system may use the identification information of the second file to determine that the second file is stored on the first computing system. The first computing system may also apply the classification information to the first and second files by excluding the first and second files from a security scan.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: August 28, 2012
    Assignee: Symantec Corporation
    Inventors: Shaun Cooley, Petrus J. Viljoen
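The query-and-exclude flow in the abstract, as an added example written for this page (not Symantec's or the patent's code). Assumptions not in the abstract: files are identified by their SHA-256 digest; the second computing system is a constructed in-memory lookup that answers with the queried file's classification plus the identifiers of files known to ship alongside it; the client excludes a companion file only when an identifier from the response matches the content of a file it actually holds, and it skips querying for files already excluded.

```python
import hashlib


def file_id(data: bytes) -> str:
    """Identification information for a file: SHA-256 of its content (assumed)."""
    return hashlib.sha256(data).hexdigest()


class Backend:
    """Stand-in for the second computing system; counts queries so the saved
    round-trip for companion files is visible."""

    def __init__(self, table: dict):
        self.table = table
        self.calls = 0

    def query(self, fid: str):
        self.calls += 1
        return self.table.get(fid)


def plan_scan(files: dict, backend: Backend):
    """files: path -> content. Returns (paths excluded from the scan, paths to scan)."""
    ids = {path: file_id(data) for path, data in files.items()}
    by_id = {}
    for path, fid in ids.items():
        by_id.setdefault(fid, []).append(path)
    excluded = set()
    for path, fid in ids.items():
        if path in excluded:
            continue                       # classified via an earlier response; no query needed
        response = backend.query(fid)
        if not response or response["classification"] != "trusted":
            continue
        excluded.add(path)
        for companion_id in response["companions"]:
            # matched by content identifier, so a differently-named or modified
            # copy is not excluded just because it sits next to a trusted file
            excluded.update(by_id.get(companion_id, []))
    return sorted(excluded), sorted(set(files) - excluded)


# Constructed file contents and backend table.
APP_EXE = b"MZ constructed application binary"
APP_DLL = b"MZ constructed helper library"
BACKEND = Backend({
    file_id(APP_EXE): {"classification": "trusted", "companions": [file_id(APP_DLL)]},
})
FILES = {
    "C:/app/app.exe": APP_EXE,
    "C:/app/helper.dll": APP_DLL,
    "C:/app/plugin.dll": b"MZ constructed unknown plugin",
    "C:/app/helper_copy.dll": b"MZ constructed tampered helper",
}

if __name__ == "__main__":
    skip, scan = plan_scan(FILES, BACKEND)
    print("excluded:", skip)
    print("scan:", scan)
    print("backend queries:", BACKEND.calls)
```

For the sample set, one query for app.exe classifies both it and helper.dll, so only plugin.dll and the tampered helper copy are queried and scanned; the tampered copy is scanned precisely because its identifier, not its file name, is what the exclusion is keyed on.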
  • Patent number: 8250214
    Abstract: A system, method and computer program product for communicating with a private network are described. An application of a client is monitored for communications intended for a node coupled to a private network. A communication from the monitored application of the client that is intended for the node may then be intercepted before the communication can be received by the transport layer of the client; the intercepted communication may then be sent with a connection identifier to an interface unit coupled to the private network via an established network connection over a public network. The connection identifier is also associated with a communication link that is established over the private network between the interface unit and the node. The interface unit uses the connection identifier that is received with the communication to identify the associated communication link over the private network.
    Type: Grant
    Filed: December 20, 2004
    Date of Patent: August 21, 2012
    Assignee: VMware, Inc.
    Inventors: Michel Susai, Ritesh Agrawal, Uday Masuraker
  • Patent number: 8239517
    Abstract: A presence-based transaction tracking method and system for communicating transaction information over a data network in which a sensing device in a host network associated with a transaction publishes presence information associated with a sensed transaction state to a server. A watcher subscribes to the server for receiving the presence information in which a middleware application can enable a watcher access across disparate client messaging systems.
    Type: Grant
    Filed: December 17, 2003
    Date of Patent: August 7, 2012
    Assignee: Alcatel Lucent
    Inventors: Jack Jachner, Kirit Mehta, Timucin Ozugur, Aziz Mohammed
  • Patent number: 8229996
    Abstract: A server receives a request and identifies a corresponding task with core and peripheral components. The server performs the core components and collects relevant context data. The server returns a result to the requester based on having performed the core components, and constructs a message including the collected context data and sends same to an asynchronous message collector. An asynchronous message processor takes up and processes the message from the collector to perform the peripheral components. Thus, the message processor performs less-time-sensitive peripheral work independent of the server and allows the server to attend to more-time-sensitive core work.
    Type: Grant
    Filed: November 26, 2003
    Date of Patent: July 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Peter Waxman, Scott Cottrille, Vladimir Yarmolenko