Patents by Inventor James F. Riordan

James F. Riordan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8271424
    Abstract: A method of preserving privacy and confidentiality in a system where information is associated with an existing web page having an address. The method includes receiving a store command from a first user system, the store command including at least a database key and information to be associated with the web page, wherein the database key was created by performing a cryptographic hash function on the address of the web page; storing the information at a location in a storage database; associating the location with the database key; receiving a retrieve command from a second user system, the retrieve command including the database key calculated by the second user system; retrieving stored information from one or more locations in the database associated with the database key; and transmitting the stored information to the second user system.
    Type: Grant
    Filed: May 15, 2008
    Date of Patent: September 18, 2012
    Assignee: International Business Machines Corporation
    Inventors: Daniela Bourges-Waldegg, Christian Hoertnagl, James F. Riordan
  • Patent number: 8266140
    Abstract: A method of acquiring tags using web search includes receiving a search query in a search engine, processing the search query and returning a list of candidate resources corresponding to the search query, determining a candidate resource out of the list of candidate resources, extracting tags from the search query, and tagging the candidate resource with the extracted tags.
    Type: Grant
    Filed: March 13, 2009
    Date of Patent: September 11, 2012
    Assignee: International Business Machines Corporation
    Inventors: Daniela Bourges-Waldegg, Christian Hörtnagl, James F. Riordan, Andreas Schade
  • Patent number: 8261346
    Abstract: Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: September 4, 2012
    Assignee: International Business Machines Corporation
    Inventor: James F. Riordan
  • Patent number: 8219679
    Abstract: A method and apparatus are provided for detecting peer-to-peer communication on a data communication network, between an internal client machine within an internal address space and an external client machine. The method includes routing all messages addressed to internal client machines to an analysis device. The analysis device identifies messages pertaining to peer-to-peer communication and identifies the internal client machine to which the messages of a specified nature were addressed. The analysis device terminates the connection with the external client machine if the establishing of the peer-to-peer communication is in violation of a pre-determined internal network rule.
    Type: Grant
    Filed: February 27, 2007
    Date of Patent: July 10, 2012
    Assignee: International Business Machines Corporation
    Inventors: Dominique Alessandri, Daniela Bourges-Waldegg, James F. Riordan, Diego M. Zamboni
  • Patent number: 8166306
    Abstract: A method is provided for adding intended meaning to digital signatures. A message, being base content, is received to be signed. Assertions, ontologies, and description of a reasoner are adjoined to the message. Ontologies are a formal specification of vocabulary and rules used to state the assertions. The reasoner validates the assertions against the corresponding ontologies. A compound message is formed including the message, the assertions, the ontologies, and the reasoner. The compound message is signed using a cryptographic digital signature, where the assertions indicate an intended meaning of the digital signature. During verification of semantic signatures, a digital signature is received for a compound message, where the compound message includes assertions, ontologies, and reasoner. The digital signature is verified, and the compound message structure is checked for semantic signature conformance.
    Type: Grant
    Filed: June 18, 2008
    Date of Patent: April 24, 2012
    Assignee: International Business Machines Corporation
    Inventors: Christian Hoertnagl, James F. Riordan, Daniela Bourges-Waldegg
  • Publication number: 20120096548
    Abstract: A method and apparatus are provided for detecting attacks on a data communication network. The apparatus includes a router with a mechanism for monitoring return messages addressed to an originating user system local to the router. The mechanism includes a message checker for identifying a return message of a specified nature and a rerouter for temporarily routing subsequent messages from the originating user system to the intrusion detection sensor.
    Type: Application
    Filed: February 21, 2006
    Publication date: April 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: James F. Riordan, Yann Regis Duponchel, Ruediger Rissmann, Diego Zamboni
  • Patent number: 8055751
    Abstract: Methods and apparatus are provided for managing an IP network interconnecting a plurality of network hosts (2). Status information, indicative of status of a host, is automatically acquired from each host (2). The status information, such as MAC address, security and/or operational information, acquired from a host (2) is automatically recorded in at least one DNS record, associated with the IP address of that host (2), of a DNS server (4). The host status information in the DNS records can then be accessed for network management operations. The automatic acquisition and recording of the status information may be performed by a DHCP server (3) of the network on allocation of dynamic IP addresses to hosts (2).
    Type: Grant
    Filed: November 20, 2008
    Date of Patent: November 8, 2011
    Assignee: International Business Machines Corporation
    Inventors: James F. Riordan, Ruediger Rissmann, Diego M. Zamboni
  • Patent number: 7908350
    Abstract: The invention relates to a method for operating virtual networks.
    Type: Grant
    Filed: December 12, 2006
    Date of Patent: March 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Yann Duponchel, James F. Riordan, Ruediger Rissmann, Diego M. Zamboni
  • Publication number: 20100235342
    Abstract: A method of acquiring tags using web search includes receiving a search query in a search engine, processing the search query and returning a list of candidate resources corresponding to the search query, determining a candidate resource out of the list of candidate resources, extracting tags from the search query, and tagging the candidate resource with the extracted tags.
    Type: Application
    Filed: March 13, 2009
    Publication date: September 16, 2010
    Inventors: Daniela Bourges-Waldegg, Christian Hortnagl, James F. Riordan, Andreas Schade
  • Publication number: 20090319794
    Abstract: A method is provided for adding intended meaning to digital signatures. A message, being base content, is received to be signed. Assertions, ontologies, and description of a reasoner are adjoined to the message. Ontologies are a formal specification of vocabulary and rules used to state the assertions. The reasoner validates the assertions against the corresponding ontologies. A compound message is formed including the message, the assertions, the ontologies, and the reasoner. The compound message is signed using a cryptographic digital signature, where the assertions indicate an intended meaning of the digital signature. During verification of semantic signatures, a digital signature is received for a compound message, where the compound message includes assertions, ontologies, and reasoner. The digital signature is verified, and the compound message structure is checked for semantic signature conformance.
    Type: Application
    Filed: June 18, 2008
    Publication date: December 24, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christian Hoertnagl, James F. Riordan, Daniela Bourges-Waldegg
  • Publication number: 20090319530
    Abstract: A method is provided for referencing content by generating a bound uniform resource locator. Content is selected, a fragment identifier is calculated for the content, and the content is normalized. A content digest of the normalized content is calculated. A content binding document is assembled in which the content binding document comprises: an original URL to the content, the fragment identifier, the name of a method for normalizing the content, the name of a method for calculating the content digest, and the content digest. A content binding document digest is calculated. A bound universal resource locator is generated that contains the content binding document digest and the name of the method that was used to calculate the content binding document digest. The content binding document is stored using its digest as a file name or database key, and the content binding document can be retrieved using the bound universal resource locator.
    Type: Application
    Filed: June 18, 2008
    Publication date: December 24, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christian Hoertnagl, James F. Riordan, Daniela Bourges-Waldegg
  • Publication number: 20090313136
    Abstract: An apparatus and method are disclosed for enabling controlled access to resources at a resource provider server. The invention may encrypt or decrypt a portion of a uniform resource identifier (URI), according to a stateless method for hiding resources and/or providing access control support. Upon receipt of a URI having an encrypted portion, the invention decrypts the encrypted portion using a predetermined key to obtain a decrypted segment, extracts additional information from the decrypted segment and forms a decrypted URI, before the decrypted URI is forwarded to a resource producer server. The invention may also encrypt a URI from a resource provider server before it is sent to a client in response to a client request.
    Type: Application
    Filed: August 20, 2009
    Publication date: December 17, 2009
    Inventors: Christopher J. Giblin, Tadeusz J. Pietraszek, James F. Riordan, Chris P. Vanden Berghe
  • Publication number: 20090287706
    Abstract: A method of preserving privacy and confidentiality in a system where information is associated with an existing web page having an address. The method includes receiving a store command from a first user system, the store command including at least a database key and information to be associated with the web page, wherein the database key was created by performing a cryptographic hash function on the address of the web page; storing the information at a location in a storage database; associating the location with the database key; receiving a retrieve command from a second user system, the retrieve command including the database key calculated by the second user system; retrieving stored information from one or more locations in the database associated with the database key; and transmitting the stored information to the second user system.
    Type: Application
    Filed: May 15, 2008
    Publication date: November 19, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Daniela Bourges-Waldegg, Christian Hoertnagl, James F. Riordan
  • Patent number: 7568228
    Abstract: Described is apparatus for testing an intrusion detection system in a data processing system. The apparatus comprises an attack generator for generating attack traffic on a communications path in the data processing system. A collector receives responses generated by the intrusion detection system on receipt of the attack traffic. A controller coupled to the attack generator and the collector varies the attack traffic generated by the attack generator in dependence on the response received from the intrusion detection system by the collector.
    Type: Grant
    Filed: May 17, 2002
    Date of Patent: July 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Alessandri Dominique, James F. Riordan, Andreas Wespi
  • Patent number: 7562214
    Abstract: Detection of an attack on a data processing system. An example method comprising, in the data processing system: providing an initial secret; binding the initial secret to data indicative of an initial state of the system via a cryptographic function; recording state changing administrative actions performed on the system in a log; prior to performing each state changing administrative action, generating a new secret by performing the cryptographic function on a combination of data indicative of the administrative action and the previous secret, and erasing the previous secret; evolving the initial secret based on the log to produce an evolved secret; comparing the evolved secret with the new secret; determining that the system is uncorrupted if the comparison indicates a match between the evolved secret and the new secret; and, determining that the system is corrupted if the comparison indicates a mismatch between the evolved secret and the new secret.
    Type: Grant
    Filed: March 26, 2004
    Date of Patent: July 14, 2009
    Assignee: International Business Machines Corporation
    Inventor: James F. Riordan
  • Publication number: 20090144419
    Abstract: Methods and apparatus are provided for managing an IP network interconnecting a plurality of network hosts (2). Status information, indicative of status of a host, is automatically acquired from each host (2). The status information, such as MAC address, security and/or operational information, acquired from a host (2) is automatically recorded in at least one DNS record, associated with the IP address of that host (2), of a DNS server (4). The host status information in the DNS records can then be accessed for network management operations. The automatic acquisition and recording of the status information may be performed by a DHCP server (3) of the network on allocation of dynamic IP addresses to hosts (2).
    Type: Application
    Filed: November 20, 2008
    Publication date: June 4, 2009
    Applicant: International Business Machines Corporation
    Inventors: James F. Riordan, Ruediger Rissmann, Diego M. Zamboni
  • Patent number: 7516490
    Abstract: The invention provides a form of reacting on security or vulnerability information relevant for a system comprising computer software and/or hardware or electronics, wherein a service provider with a first subsystem (1) is providing activation tokens to be received by a customer with a second subsystem (2). The activation tokens include activation information and naming of system characteristics in machine readable and filterable manner. The second subsystem (2) comprises receiving means (11) for controlling the receiving of the activation tokens, checking means (12) for automatically determining whether the activation information is relevant for the second subsystem (2) by checking whether the second subsystem has characteristics corresponding to the naming of an activation token, and transforming means (13) for transforming relevant activation information into at least one activation measure for the second subsystem (2). The activation measures will reduce the vulnerability of the second subsystem.
    Type: Grant
    Filed: March 29, 2001
    Date of Patent: April 7, 2009
    Assignee: International Business Machines Corporation
    Inventors: James F. Riordan, Dominique Alessandri
  • Publication number: 20090070870
    Abstract: Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.
    Type: Application
    Filed: May 29, 2008
    Publication date: March 12, 2009
    Inventor: James F. Riordan
  • Publication number: 20090037583
    Abstract: A method and apparatus are provided for detecting peer-to-peer communication on a data communication network, between an internal client machine within an internal address space and an external client machine. The method includes routing all messages addressed to internal client machines to an analysis device. The analysis device identifies messages pertaining to peer-to-peer communication and identifies the internal client machine to which the messages of a specified nature were addressed. The analysis device terminates the connection with the external client machine if the establishing of the peer-to-peer communication is in violation of a pre-determined internal network rule.
    Type: Application
    Filed: February 27, 2007
    Publication date: February 5, 2009
    Inventors: Dominique Alessandri, Daniela Bourges-Waldegg, James F. Riordan, Diego M. Zamboni
  • Patent number: D587481
    Type: Grant
    Filed: July 12, 2007
    Date of Patent: March 3, 2009
    Inventors: Jose G. Martinez, James F. Riordan