Abstract: A method for detecting intrusions that employ messages of two or more protocols is disclosed. Such intrusions might occur in Voice over Internet Protocol (VoIP) systems, as well as in systems in which two or more protocols support some service other than VoIP. In the illustrative embodiment of the present invention, a stateful intrusion-detection system is capable of employing rules that have cross-protocol pre-conditions. The illustrative embodiment can use such rules to recognize a variety of VoIP-based intrusion attempts, such as call hijacking, BYE attacks, etc. In addition, the illustrative embodiment is capable of using such rules to recognize other kinds of intrusion attempts in which two or more protocols support a service other than VoIP. The illustrative embodiment also comprises a stateful firewall that is capable of employing rules with cross-protocol pre-conditions.

Abstract: An apparatus and method for detecting potentially-improper call behavior (e.g., SPIT, etc.) are disclosed. The illustrative embodiment of the present invention is based on finite-state machines (FSMs) that represent the legal states and state transitions of a communications protocol at a node during a Voice over Internet Protocol (VoIP) call. In accordance with the illustrative embodiment, a library of FSM execution profiles associated with improper call behavior is maintained. When there is a match between the behavior of a finite-state machine during a call and an execution profile in the library, an alert is generated.

Abstract: An apparatus and method for detecting potentially-improper call behavior (e.g., SPIT, etc.) are disclosed. The illustrative embodiment of the present invention is based on finite-state machines (FSMs) that represent the legal states and state transitions of communications protocols at nodes during Voice over Internet Protocol (VoIP) calls. In accordance with the illustrative embodiment, a library of FSM execution profiles associated with improper call behavior and a set of rules (or rule base) associated with improper FSM behavior over one or more calls are maintained. When the behavior of one or more finite-state machines during one or more calls matches either an execution profile in the library or a rule in the rule base, an alert is generated.

Abstract: The present invention is directed to the use of a multi-tiered security architecture that includes vendor-operated global security services and policy servers able to exchange security events and mitigation measures.

Abstract: An out-space actuator is selected to access an out-space user interface for a document editor program. An out-space actuator is associated with an in-space user interface having a displayed document. When the out-space actuator is selected, an out-space user interface is displayed that includes an expanded feature selection surface. The out-space user interface may be used to display one or more status panes for providing status information about a document being edited in the in-space user interface. Application features for affecting changes to a given document's status may be exposed in the out-space interface in proximity to associated status information. An out-space communication user interface (UI) component may be temporarily displayed in the document in-space user interface to communicate document status information that is presently available in the out-space user interface. A message bar may be displayed in the in-space user interface for communicating information from the out-space user interface.

Abstract: A method is disclosed that enables the screening of unwanted telephone calls, such as voice or video calls, for one or more called parties. In accordance with the illustrative embodiment of the present invention, an anti-SPAM system receives signaling information for one or more telephone calls made to one or more called parties by a calling party. Although the calling party can be a human caller, in a SPAM-over-Internet-Telephony context the calling party can alternatively be a server or other network element that originates SPAM voice calls for advertising purposes; both possibilities are accounted for in the illustrative embodiment. The anti-SPAM system then observes the behavior of the called party or parties that is exhibited in response to receiving the telephone calls. Based on the observed behavior, the anti-SPAM system then updates one or more rules for handling future telephone calls made to the protected called parties.

Abstract: An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems without an attack signature database. The illustrative embodiment is based on two observations: (1) various VoIP-related protocols are simple enough to be represented by a finite-state machine (FSM) of compact size, thereby avoiding the disadvantages inherent in signature-based intrusion-detection systems.; and (2) there exist intrusions that might not be detectable locally by the individual finite-state machines (FSMs) but that can be detected with a global (or distributed) view of all the FSMs. The illustrative embodiment maintains a FSM for each session/node/protocol combination representing the allowed (or “legal”) states and state transitions for the protocol at that node in that session, as well as a “global” FSM for the entire session that enforces constraints on the individual FSMs and is capable of detecting intrusions that elude the individual FSMs.

Abstract: An apparatus and method are disclosed for detecting intrusions in Voice over Internet Protocol systems, without the use of an attack signature database. In particular, the illustrative embodiment is based on the observation that some VoIP-related protocols (e.g., the Session Initiation Protocol [SIP], etc.) are simple enough to be represented by a finite-state machine (FSM) of compact size. A finite-state machine is maintained for each session/node/protocol combination, and any illegal state or state transition—which might be the result of a malicious attack—is flagged as a potential intrusion.

Abstract: A method and apparatus for automatically determining whether a security vulnerability alert is relevant to a device (e.g., personal computer, server, personal digital assistant [PDA], etc.), and automatically retrieving the associated software patches for relevant alerts, are disclosed. The illustrative embodiment intelligently determines whether the software application specified by a security vulnerability alert is resident on the device, whether the version of the software application on the device matches that of the security vulnerability alert, and whether the device's hardware platform and operating system match those of the security vulnerability alert.

Abstract: A method and apparatus for automatically determining whether a security vulnerability alert is relevant to a device (e.g., personal computer, server, personal digital assistant [PDA], etc.), and automatically retrieving the associated software patches for relevant alerts, are disclosed. The illustrative embodiment intelligently determines whether the software application specified by a security vulnerability alert is resident on the device, whether the version of the software application on the device matches that of the security vulnerability alert, and whether the device's hardware platform and operating system match those of the security vulnerability alert.

Abstract: A technique is disclosed that enables the run-time behavior of a data-processing system to be analyzed and, in many cases, to be predicted. In particular, the illustrative embodiment of the present invention comprises i) transforming the messages that constitute an unstructured log into a numerical series and ii) applying a time-series analysis on the resultant series for the purpose of pattern detection. Indeed, it is recognized in the illustrative embodiment that the problem really is to detect patterns that depict aspects of system behavior, regardless of the textual content of the individual log messages. In other words, by analyzing the totality of the messages in the log or logs—as opposed to looking for pre-defined patterns of the individual messages—system behavior can be mapped and understood. The mapping helps in characterizing the system for the purposes of predicting failure, determining the time required to reach stability during failure recovery, and so forth.

Abstract: A method for detecting intrusions that employ messages of two or more protocols is disclosed. Such intrusions might occur in Voice over Internet Protocol (VoIP) systems, as well as in systems in which two or more protocols support some service other than VoIP. In the illustrative embodiment of the present invention, a stateful intrusion-detection system is capable of employing rules that have cross-protocol pre-conditions. The illustrative embodiment can use such rules to recognize a variety of VoIP-based intrusion attempts, such as call hijacking, BYE attacks, etc. In addition, the illustrative embodiment is capable of using such rules to recognize other kinds of intrusion attempts in which two or more protocols support a service other than VoIP. The illustrative embodiment also comprises a stateful firewall that is capable of employing rules with cross-protocol pre-conditions.

Abstract: A method for detecting intrusions that employ messages of two or more protocols is disclosed. Such intrusions might occur in Voice over Internet Protocol (VoIP) systems, as well as in systems in which two or more protocols support some service other than VoIP. In the illustrative embodiment of the present invention, a stateful intrusion-detection system is capable of employing rules that have cross-protocol pre-conditions. The illustrative embodiment can use such rules to recognize a variety of VoIP-based intrusion attempts, such as call hijacking, BYE attacks, etc. In addition, the illustrative embodiment is capable of using such rules to recognize other kinds of intrusion attempts in which two or more protocols support a service other than VoIP. The illustrative embodiment also comprises a stateful firewall that is capable of employing rules with cross-protocol pre-conditions.

Abstract: A method is disclosed that enables the transmission of a digital message along with a corresponding media information signal, such as audio or video. A telecommunications device that is processing the information signal from its user, such as a speech signal, encodes the information signal by using a model-based compression coder. One such device is a telecommunications endpoint. Then, based on an evaluation of the perceptual significance of each encoded bit, or on some other meaningful characteristic of the signal, the endpoint's processor: (i) determines which encoded bits can be overwritten; and (ii) intersperses the digital message bits throughout the encoded signal in place of the overwritten bits. The endpoint then transmits those digital message bits as part of the encoded information signal. In this way, no additional bits are appended to the packet to be transmitted, thereby addressing the issue of compatibility with existing protocols and firewalls.

Abstract: A method is disclosed that enables the transmission of a digital message along with a corresponding information signal, such as audio or video. The supplemental information contained in digital messages can be used for a variety of purposes, such as enabling or enhancing packet authentication. In particular, a telecommunications device that is processing an information signal from its user, such as a speech signal, encrypts the information signal by performing a bitwise exclusive-or of an encryption key stream with the information signal stream. The device, such as a telecommunications endpoint, then intersperses the bits of the digital message throughout the encrypted signal in place of those bits overwritten, in a process referred to as “watermarking.” The endpoint then transmits the interspersed digital message bits as part of a composite signal that also comprises the encrypted information bits. No additional bits are appended to the packet to be transmitted, thereby addressing compatibility issues.

Abstract: A method is disclosed that enables the avoidance of a processor overload of a telecommunications endpoint device that is susceptible to traffic floods. An enhanced network switch sets the speed on one of its data ports as a specific function of the speeds of the devices that are connected to one or more of its other data ports. This behavior is different from that of network switches in the prior art, in which the data rate of a port in the prior art is auto-negotiated to the highest speed that can be supported by the network elements at either end of the port's connection, regardless of the other devices present. By considering the specific devices that are connected, the enhanced network switch is able to limit the amount of traffic that is directed by an upstream device, such as a router, towards a device with limited processor capability, such as a packet-based phone.

Abstract: A method is disclosed that enables the implementation of an embedded firewall at a telecommunications endpoint. In particular, the illustrative embodiment of the present invention addresses the relationship between the application, firewall engine, and packet-classification rules database that are all resident at the endpoint. In the variations of the illustrative embodiment that are described herein, the application: (i) directly communicates with the co-resident firewall engine such as through local message passing, (ii) shares memory with the firewall engine, and (iii) makes socket calls to the operating system that are intercepted by a middleware layer that subsequently modifies the rules database, depending on the socket call. The common thread to these techniques is that the application, firewall engine, and rules database are co-resident at the endpoint, which is advantageous in the implementation of the embedded firewall.

Abstract: A method is disclosed that enables mitigating at least some of the problems caused by a packet attack. When a first Internet Protocol (IP)-capable device is subjected to a packet attack, it indicates periodically to a second IP-capable device that certain communications with the first device are to be suspended. The periodic transmitting of the indication is performed at a slower rate than the keep-alive mechanism that is normally used to detect loss of connectivity. When the second device receives the transmitted indication, it refrains from transmitting keep-alive messages to the first device for a predetermined interval. Meanwhile, the first device also refrains from transmitting keep-alive messages to the second device for a similar interval. In transmitting the suspend indication, the illustrative embodiment seeks to prevent pairs of communicating devices that are experiencing packet attacks from continuing their operation under the erroneous assumption that each device is unavailable.

Abstract: A method for Real-time Transport Protocol (RTP) packet authentication on a packet data network. In particular, the invention relates to a method for preventing toll fraud, privacy compromise, voice quality degradation, or denial of service (DoS) on Voice over IP networks. The Real-time Transport Protocol (RTP) is susceptible to several security attacks, including thirdparty snooping of private conversations, injection of forged content, and introduction or modification of packets to degrade voice quality. The Secure Real-time Transport Protocol (SRTP) provides confidentiality, message authentication, and replay protection for RTP traffic. However, SRTP incurs an additional overhead to verify the HMAC-SHA1 message authentication code for each packet. SRTP+ significantly decrease the verification overhead compared to SRTP and thereby increases the number of faked packets required to mount a successful denial of service attack. SRTP+ provides packet authentication but not integrity.

Abstract: A method of transporting authentication information in a media stream packet includes embedding the authentication information in one of a heading and a payload of the media stream packet.