Patents by Inventor Simon A Beddus

Simon A Beddus has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11657145
    Abstract: A containerisation orchestrator (26) is controlled by an analysis system (20, 21, 22) which assesses an application and a device for compatibility to have a candidate application installed on the device using the orchestrator. The analysis includes an assessment of the vulnerability of the installed application to failure or malicious attack, and a risk assessment of the consequences of such an event. The candidate containerised configuration (20) for the application is also assessed for compatibilities and vulnerabilities.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: May 23, 2023
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Claudia Cristina, Simon Beddus, Fadi El-Moussa
  • Publication number: 20230129367
    Abstract: A computer-implemented method of analysing anomalous network traffic in a telecommunications network, said telecommunications network comprising a plurality of network entities (120, 110) and a security analyser (130-3), wherein the method comprises the steps of: receiving at the security analyser a network communication from a first network entity; identifying the first network entity; by means of the security analyser: analysing the network communication and/or a performance of the first network entity thereby to identify the network communication as an anomalous communication (310); in response to identifying the network communication as an anomalous communication, communicating an instruction to the identified first network entity to respond with origin information regarding the anomalous communication, wherein the origin information identifies a preceding network entity from which the anomalous communication was directly received by the first network entity (320, 330); and commencing with the preceding n
    Type: Application
    Filed: March 5, 2021
    Publication date: April 27, 2023
    Inventors: Claudia CRISTINA, Simon BEDDUS, Fadi EL-MOUSSA
  • Patent number: 11620145
    Abstract: Containerised computing processes are generated by an orchestration processor interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process, using a shell script run on a host virtualisation container. External events such as security threats and computing resource overloads can be used to generate the virtualised process, allowing vulnerability detection, and apply countermeasures such as deployment or migration of containers during attacks to lesser prone infrastructure, and allows the orchestration of non-container tools to provide security and resilience.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: April 4, 2023
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Simon Beddus, Claudia Cristina, Fadi El-Moussa
  • Patent number: 11595408
    Abstract: A web server operating in a container has resource and network limits applied to add an extra layer of security to the web server. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may be indicative of a DDoS attack, (step 210) or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address, or from a related set of addresses, a restrictor function caps the resources allowed by the original Webserver container to allow it to recover from buffer overflow and protect servers running in other containers from overwhelming any shared resources. A duplicator function starts up replica containers with the same resource limits to take overflow traffic, and a load balancing function then directs incoming traffic to these overflow containers etc.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: February 28, 2023
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Simon Beddus, Claudia Cristina, Fadi El-Moussa
  • Patent number: 11283607
    Abstract: Actuators and sensors in an intelligent system are controlled by setting encryption types and key lengths to individual applications based on the type of device and application being run. A server system (1) running in a communications gateway, selects an encryption policy for one or more devices under its control. This selection is controlled by an analysis function (11) using data relating to the type of device (13), and the applications to be run on the device (14), to generate an appropriate encryption policy (12) which can be deployed to the device (37). Controlling the analysis and deployment in a gateway device allows co-ordination between devices, and reduces processor time in the devices. An agent is sent to the device alongside the encryption policy data, to control the device according to the encryption policy.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: March 22, 2022
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Claudia Cristina, Fadi El-Moussa, Simon Beddus
  • Patent number: 11206260
    Abstract: An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal to allow data to be exchanged between the remote terminal and a server through the device. The server sends first and second key codes to the intermediate device, the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge from the intermediate device the remote terminal uses the shared secret to generate a duplicate of the first key code and transmits the duplicate to the intermediate device. The intermediate device compares the first key code and the duplicate of the first key code received respectively from the server and the remote terminal to verify the authenticity of the remote terminal.
    Type: Grant
    Filed: January 5, 2017
    Date of Patent: December 21, 2021
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Simon Beddus, Paul Deans
  • Publication number: 20210258151
    Abstract: Actuators and sensors in an intelligent system are controlled by setting encryption types and key lengths to individual applications based on the type of device and application being run. A server system 1 running in a communications gateway, selects an encryption policy for one or more devices under its control. This selection is controlled by an analysis function 11 using data relating to the type of device 13, and the applications to be run on the device 14, to generate an appropriate encryption policy 12 which can be deployed to the device (37). Controlling the analysis and deployment in a gateway device allows co-ordination between devices, and reduces processor time in the devices. An agent is sent to the device alongside the encryption policy data, to control the device according to the encryption policy.
    Type: Application
    Filed: April 25, 2019
    Publication date: August 19, 2021
    Inventors: Claudia CRISTINA, Fadi EL-MOUSSA, Simon BEDDUS
  • Publication number: 20210157927
    Abstract: Network-based applications and virtualized components are deployed according to a security analysis of the infrastructure to be used and applications to be run on it. A specification of requirements (201) is analysed (211), together with potential devices (212) and network nodes (213), to determine an appropriate level of security to be applied, and a deployment specification of applications, services, security countermeasures, and networks is prepared that will satisfy the customer requirement and with known characteristics and vulnerabilities of the services. This analysis is used to generate a deployment specification (22), and finally the actual control of an orchestrator (23) to deliver the service. The deployed system can be continually monitored to ensure that the service continues to operate within requirements. Should an incident such as a network attack or failure occur the system is re-analysed against the original requirements and re-configured or repaired.
    Type: Application
    Filed: April 25, 2019
    Publication date: May 27, 2021
    Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
  • Publication number: 20200265134
    Abstract: A containerisation orchestrator (26) is controlled by an analysis system (20, 21, 22) which assesses an application and a device for compatibility to have a candidate application installed on the device using the orchestrator. The analysis includes an assessment of the vulnerability of the installed application to failure or malicious attack, and a risk assessment of the consequences of such an event. The candidate containerised configuration (20) for the application is also assessed for compatibilities and vulnerabilities.
    Type: Application
    Filed: October 25, 2018
    Publication date: August 20, 2020
    Inventors: Claudia CRISTINA, Simon BEDDUS, Fadi EL-MOUSSA
  • Publication number: 20200195665
    Abstract: A web server operating in a container has resource and network limits applied to add an extra layer of security to the web server. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may be indicative of a DDoS attack, (step 210) or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address, or from a related set of addresses, a restrictor function caps the resources allowed by the original Webserver container to allow it to recover from buffer overflow and protect servers running in other containers from overwhelming any shared resources. A duplicator function starts up replica containers with the same resource limits to take overflow traffic, and a load balancing function then directs incoming traffic to these overflow containers etc.
    Type: Application
    Filed: May 11, 2018
    Publication date: June 18, 2020
    Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
  • Patent number: 10685344
    Abstract: A method for controlling payment in a communications system including the steps of providing a service accessing a service provider from the or one user device, selecting a product for purchase from the service provider, the service agent receiving a request for payment from the service provider via a payment operator and the service agent issuing a payment authorisation to a payment provider via the payment operator. The service agent is installable in a variety of user devices and provides a uniform interface to the payment system from a plurality of the user devices. The service agent may also provide a uniform interface to an ordering system from a plurality of the user devices.
    Type: Grant
    Filed: July 13, 2006
    Date of Patent: June 16, 2020
    Assignee: BRITISH TELECOMMUNICATIONS PLC
    Inventors: Huina Chua, Simon A Beddus, David Roxburgh
  • Publication number: 20200183716
    Abstract: Containerised computing processes are generated by an orchestration processor interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process, using a shell script run on a host virtualisation container. External events such as security threats and computing resource overloads can be used to generate the virtualised process, allowing vulnerability detection, and apply countermeasures such as deployment or migration of containers during attacks to lesser prone infrastructure, and allows the orchestration of non-container tools to provide security and resilience.
    Type: Application
    Filed: May 11, 2018
    Publication date: June 11, 2020
    Inventors: Simon BEDDUS, Claudia CRISTINA, Fadi EL-MOUSSA
  • Publication number: 20190014114
    Abstract: An intermediate data transmission device arranges for mutual authentication between itself and a remote terminal (4) to allow data to be exchanged between the remote terminal (4) and a server (1) through the device. The server (1) sends first and second key codes (CK, RK) to the intermediate device (step 105), the key codes both being derived from a shared secret known to the server and remote terminal but not to the intermediate device. In response to a challenge (107) from the intermediate device the remote terminal (4) uses the shared secret to generate a duplicate (CK*) of the first key code and transmits the duplicate to the intermediate device (step 109). The intermediate device compares the first key code and the duplicate of the first key code (CK, CK*) received respectively from the server (1) and the remote terminal (4) to verify the authenticity of the remote terminal (4).
    Type: Application
    Filed: January 5, 2017
    Publication date: January 10, 2019
    Inventors: Simon BEDDUS, Paul DEANS
  • Patent number: 8935386
    Abstract: A method of determining the topology of at least part of a network comprising the steps of: monitoring traffic to and/or from a plurality of computers in the network; storing information relating to the monitored traffic for each of the plurality of computers, the information including an identifier of a requested service; selecting a first computer of the plurality of computers; reading the stored information related to the first computer and identifying, using the stored identifier of the requested service, at least one traffic flow to or from the first computer that corresponds to the requested service; using the stored information to identify the destination or origin of the identified traffic flow for the first computer, which traffic flow information includes the identifier of the requested service; using the identified destination or origin to identify one or more computers that are immediately upstream or downstream of the first computer, and determining a topology based on the identified one or more
    Type: Grant
    Filed: March 25, 2010
    Date of Patent: January 13, 2015
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Michael R Hosking, Simon A Beddus, Gary L Bruce
  • Patent number: 8666940
    Abstract: A client server system uses a client subsystem, a server subsystem and an interconnecting data network. The client subsystem client application initiates a secure connection over the network with the server subsystem which includes a server application cooperating with the client application to complete a secure connection with the client application and which transmits output data over such a connection in response to requests for service by the client application. The server subsystem additionally generates a notification, in response to detecting an event in the absence of a secure connection between the server and the client, and transmits the notification to the notification server which forwards the notification over the interconnecting network to the client application.
    Type: Grant
    Filed: March 23, 2005
    Date of Patent: March 4, 2014
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: David Roxburgh, Simon A Beddus, Patrick B Farley, Michael R Hosking
  • Publication number: 20120023230
    Abstract: A method of determining the topology of at least part of a network comprising the steps of: monitoring traffic to and/or from a plurality of computers in the network; storing information relating to the monitored traffic for each of the plurality of computers, the information including an identifier of a requested service; selecting a first computer of the plurality of computers; reading the stored information related to the first computer and identifying, using the stored identifier of the requested service, at least one traffic flow to or from the first computer that corresponds to the requested service; using the stored information to identify the destination or origin of the identified traffic flow for the first computer, which traffic flow information includes the identifier of the requested service; using the identified destination or origin to identify one or more computers that are immediately upstream or downstream of the first computer, and determining a topology based on the identified one or more
    Type: Application
    Filed: March 25, 2010
    Publication date: January 26, 2012
    Inventors: Michael R. Hosking, Simon A. Beddus, Gary L. Bruce
  • Patent number: 8082318
    Abstract: A method and system for controlling service requests from a client to a server involves intercepting and controlling the transmission of service requests from the client to the server. The service requests are queued at the client and the transmission of the queued service requests is delayed to smooth the frequency of service requests transmitted to the server.
    Type: Grant
    Filed: August 30, 2002
    Date of Patent: December 20, 2011
    Assignee: British Telecommunications PLC
    Inventors: Michael R Hosking, Simon A Beddus, Patrick B Farley, David Roxburgh
  • Publication number: 20110040585
    Abstract: A system for providing tickets to a user terminal (4), comprising a network interface (6) for communicating with the user terminals (4), a ticketing module (5) and an application interface to enable a number of ticket issuers and service providers to access the ticketing module.
    Type: Application
    Filed: March 11, 2009
    Publication date: February 17, 2011
    Inventors: David Roxburgh, Simon A. Beddus, Michael R. Hosking
  • Publication number: 20090172077
    Abstract: Apparatus for delivering a message to a user comprising means for communicating with service providers and means for communicating with device agents operating on respective user devices, wherein the service provider communicating means is configured to receive a request to communicate with a specified user and to selectively output a message for the user to said device agent communicating means and wherein the device agent communicating means is configured to maintain a list of connected device agents, to receive said message and to transmit said message to a selected device agent dependent upon a routing policy for said user.
    Type: Application
    Filed: November 23, 2006
    Publication date: July 2, 2009
    Inventors: David Roxburgh, Matthew W. Capp, Simon A. Beddus, Michael R. Hosking
  • Publication number: 20080201266
    Abstract: A method for controlling payment in a communications system including the steps of providing a service accessing a service provider from the or one user device, selecting a product for purchase from the service provider, the service agent receiving a request for payment from the service provider via a payment operator and the service agent issuing a payment authorisation to a payment provider via the payment operator. The service agent is installable in a variety of user devices and provides a uniform interface to the payment system from a plurality of the user devices. The service agent may also provide a uniform interface to an ordering system from a plurality of the user devices.
    Type: Application
    Filed: July 13, 2006
    Publication date: August 21, 2008
    Inventors: Huina Chua, Simon A Beddus, David Roxburgh