Patents by Inventor Stanley TaiHai Chow

Stanley TaiHai Chow has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9241013
    Abstract: Caller name is authenticated using authentication certificates issued by a registration authority that registers callers who wish to terminate calls to callers subscribed to the registration authority. In one embodiment, the authentication certificates are sent to a called device or a proxy for the called device via a path that is separate from the call setup path. An indication is conveyed to the called party to indicate whether the caller name was successfully authenticated.
    Type: Grant
    Filed: January 30, 2007
    Date of Patent: January 19, 2016
    Assignee: Alcatel Lucent
    Inventors: Stanley TaiHai Chow, Vinod Choyi, Dmitri Vinokurov
  • Patent number: 8544098
    Abstract: Security vulnerability information aggregation techniques are disclosed. Vulnerability information associated with one or more security vulnerabilities is obtained from multiple sources and aggregated into respective unified vulnerability definitions for the one or more security vulnerabilities. Aggregation may involve format conversion, content aggregation, or both in some embodiments. Unified vulnerability definitions may be distributed to vulnerability information consumers in accordance with consumer-specific policies. Storage of vulnerability information received from the sources may allow the aggregation process to be performed on existing vulnerability information “retro-actively”. Related data structures and Graphical User Interfaces (GUIs) are also disclosed.
    Type: Grant
    Filed: March 2, 2006
    Date of Patent: September 24, 2013
    Assignee: Alcatel Lucent
    Inventors: Christophe Gustave, Stanley TaiHai Chow, Douglas Wiemer
  • Patent number: 8438643
    Abstract: Information system service-level security risk analysis systems, methods, and Graphical User Interfaces are disclosed. Assets of an information system that have relationships with a service provided by the information system are identified, and at least one security risk to the service is determined by analyzing security vulnerabilities associated with the identified assets. A consolidated representation of the service is provided, and includes an indication of the determined security risk(s) and an indication of a relationship between the service and at least one of the identified assets. The security risk indication may include indications of multiple security parameters. Security risks may be represented differently depending on whether they arise from a security vulnerability of an asset that has a relationship with the service or a security vulnerability of an asset that has a relationship with the service only through a relationship with an asset that has a relationship with the service.
    Type: Grant
    Filed: March 2, 2006
    Date of Patent: May 7, 2013
    Assignee: Alcatel Lucent
    Inventors: Douglas Wiemer, Christophe Gustave, Stanley TaiHai Chow, Bradley Kenneth McFarlane
  • Patent number: 8280020
    Abstract: Transparent caller name authentication is provided to authorized third parties by creating a Public Key Infrastructure (PKI) certificate chain. An owner of a registered caller name can authorize third parties to use the caller name by issuing a PKI sub-certificate to each authorized third party. An authenticated caller name displays the owner's name to the called party. Outsourcing and mobile employment is thereby facilitated, and called party confusion is reduced.
    Type: Grant
    Filed: February 6, 2007
    Date of Patent: October 2, 2012
    Assignee: Alcatel Lucent
    Inventors: Dmitri Vinokurov, Stanley TaiHai Chow, Vinod Kumar Choyi
  • Patent number: 8266671
    Abstract: A method of automatically aggregating an online user community, and graphical user interface for same, the method including one or more of the following: a user creating the online community; the user defining an aggregation policy for the online user community; a service provider retrieving the aggregation policy; the service provider applying the aggregation policy to an other user; determining whether the other user fits the aggregation policy; adding the other user to the online user community; the user defining an anti-aggregation policy; the service provider retrieving the anti-aggregation policy; determining whether the other user fits the anti-aggregation policy; and removing the other user from the online user community when the other user fits the anti-aggregation policy.
    Type: Grant
    Filed: August 2, 2007
    Date of Patent: September 11, 2012
    Assignee: Alcatel Lucent
    Inventors: Christophe Gustave, Brad McFarlane, Stanley TaiHai Chow
  • Patent number: 8204720
    Abstract: Graph-based modeling apparatus and techniques are disclosed. Based on a model including model nodes that represent components of a modeled system, operational dependencies between model nodes, and model edges that interconnect the nodes and represent relationships between the components in the modeled system, subset computations are performed to compute subsets of the model nodes that can impact operational dependencies between other model nodes. When the model changes, a determination is made as to whether an incremental subset computation should be performed for one or more particular operational dependencies between model nodes in the changed model, and if so, an incremental subset computation is performed. Otherwise, a full subset computation or no subset computation might be performed. In this manner, model changes are considered on a case-by-case basis to determine an extent, if any, to which subsets should be re-computed.
    Type: Grant
    Filed: June 1, 2007
    Date of Patent: June 19, 2012
    Assignee: Alcatel Lucent
    Inventors: Douglas Wiemer, Mohammed Riyas Valiyapalathingal, Louie Kwan, Jennifer Li, Stanley TaiHai Chow
  • Patent number: 8112801
    Abstract: A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.
    Type: Grant
    Filed: October 9, 2008
    Date of Patent: February 7, 2012
    Assignee: Alcatel Lucent
    Inventors: Bassem Abdel-Aziz, Stanley Taihai Chow, Shu-Lin Chen
  • Patent number: 8095981
    Abstract: The invention detects stealth worm propagation by comparing the repeat elements in sets of destinations of a source in multiple time windows to a fitted distribution of same, stored as a benchmark plot. Measurements are performed over N time windows, wherein a representation of the set of destinations to which a respective source has sent packets is determined for each source, in each time window. The counting is performed using a hash table. Once N such sets of destinations have been obtained, the number Xk of destinations that are common to N, N−1, N−2, ..., 2, 1 windows is determined. Thus Xk is the number of destinations that a particular source sent packets to in k time windows. Xk is then compared to the corresponding value on the plot; anomalies indicate an attack from the respective source.
    Type: Grant
    Filed: April 19, 2007
    Date of Patent: January 10, 2012
    Assignee: Alcatel Lucent
    Inventors: Peter Rabinovitch, Stanley TaiHai Chow, Bassem Abdel-Aziz
  • Patent number: 8020207
    Abstract: A malware detection and response system based on traffic pattern anomalies detection is provided, whereby packets associated with a variety of protocols on each port of a network element are counted distinctly for each direction. Such packets include: ARP requests, TCP/SYN requests and acknowledgements, TCP/RST packets, DNS/NETBEUI name lookups, out-going ICMP packets, UDP packets, etc. When a packet causes an individual count or combination of counts to exceed a threshold, appropriate action is taken. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost.
    Type: Grant
    Filed: January 23, 2007
    Date of Patent: September 13, 2011
    Assignee: ALCATEL LUCENT
    Inventors: Stanley TaiHai Chow, Jean-Marc Robert, Kevin McNamee, Douglas Wiemer, Bradley Kenneth McFarlane
  • Publication number: 20110197278
    Abstract: A malware detection and response system based on traffic pattern anomalies detection is provided, whereby packets associated with a variety of protocols on each port of a network element are counted distinctly for each direction. Such packets include: ARP requests, TCP/SYN requests and acknowledgements, TCP/RST packets, DNS/NETBEUI name lookups, out-going ICMP packets, UDP packets, etc. When a packet causes an individual count or combination of counts to exceed a threshold, appropriate action is taken. The system can be incorporated into the fast path, that is, the data plane, enabling communications systems such as switches, routers, and DSLAMs to have built-in security at a very low cost.
    Type: Application
    Filed: January 23, 2007
    Publication date: August 11, 2011
    Applicant: ALCATEL LUCENT
    Inventors: Stanley TaiHai Chow, Jean-Marc Robert, Kevin McNamee, Douglas Wiemer, Bradley Kenneth McFarlane
  • Patent number: 7917957
    Abstract: Packets of a certain type from a certain source are directed to a system that estimates the set of destinations and the number of new destinations for which that source has sent packets during a time window Ti. Instead of maintaining tables with the complete destination addresses for each source, the destination addresses are hashed and stored in a small bit array. The sets of destinations for a number of successive time windows are OR'ed for building cumulative tables Ci, where Ci includes all destinations that have been seen between T0 and Ti. The new destinations are determined by counting the destinations set in Ti but not in Ci-1. Any change from the typical patterns can be suspected as being a slow scan.
    Type: Grant
    Filed: May 29, 2007
    Date of Patent: March 29, 2011
    Assignee: Alcatel Lucent
    Inventors: Stanley TaiHai Chow, Peter Rabinovitch, Bassem Abdel-Aziz
  • Publication number: 20100180121
    Abstract: Various embodiments of a method and associated equipment for enhancing security in a network-based data communication are provided. In one embodiment, the method includes: a) maintaining at least access to data which a transmitting user may selectively transmit, b) providing a submit control associated with a recipient user to which the data may be selectively transmitted, c) in response to the transmitting user activating the submit control, presenting information to the transmitting user that identifies the recipient user to which the data is about to be sent, and d) in response to the transmitting user activating a verification control, transmitting the data to the recipient user. In one embodiment, the associated equipment includes a first computing device associated with a transmitting user, a second computing device associated with a recipient user; and a communication network through which the first computing device can operatively communicate with the second computing device.
    Type: Application
    Filed: January 9, 2009
    Publication date: July 15, 2010
    Applicant: ALCATEL-LUCENT
    Inventors: Stanley Taihai Chow, Kevin McNamee
  • Publication number: 20090046839
    Abstract: A method comprising a plurality of operations. An operation is provided for receiving an authentication certificate of a called party. Telephony apparatus of a party calling the called party performs receiving the authentication certificate. An operation is provided for facilitating authentication of the authentication certificate and called party identification information thereof in response to receiving the authentication certificate. An operation is provided for providing an authentication notification in response to facilitating the authentication of the authentication certificate and the called party identification information. The authentication notification indicates successful authentication in response to the authentication being successful and wherein the authentication notification indicates non-successful authentication in response to the authentication not being successful.
    Type: Application
    Filed: August 15, 2007
    Publication date: February 19, 2009
    Inventors: Stanley Taihai Chow, Vinod Choyi, Christophe Gustave, Dmitri Vinokurov
  • Publication number: 20090044276
    Abstract: A method of detecting malware may include: a) examining header data in each PDU transferred by a port of an access switch to identify PDUs transferred from a local network device, b) extracting a far-end device address for PDUs based at least in part on examination of an address portion of the corresponding header data, c) maintaining fan-out information indicative of a quantity of unique far-end device addresses extracted from the PDUs during consecutive time windows, d) determining a current trend based on the fan-out information for a current time window, e) comparing the current trend to an expected trend, and f) identifying a suspected malware infection in the local network device when the current trend exceeds the expected trend by a trend threshold. A network element that may implement the method may include a header data processing unit, data storage logic, data processing logic, and malware identification logic.
    Type: Application
    Filed: October 9, 2008
    Publication date: February 12, 2009
    Applicant: ALCATEL-LUCENT
    Inventors: Bassem Abdel-Aziz, Stanley Taihai Chow, Shu-Lin Chen
  • Publication number: 20090037973
    Abstract: A method of automatically aggregating an online user community, and graphical user interface for same, the method including one or more of the following: a user creating the online community; the user defining an aggregation policy for the online user community; a service provider retrieving the aggregation policy; the service provider applying the aggregation policy to an other user; determining whether the other user fits the aggregation policy; adding the other user to the online user community; the user defining an anti-aggregation policy; the service provider retrieving the anti-aggregation policy; determining whether the other user fits the anti-aggregation policy; and removing the other user from the online user community when the other user fits the anti-aggregation policy.
    Type: Application
    Filed: August 2, 2007
    Publication date: February 5, 2009
    Applicant: ALCATEL LUCENT
    Inventors: Christophe Gustave, Brad McFarlane, Stanley TaiHai Chow
  • Publication number: 20090025075
    Abstract: A method comprises a plurality of operations. An operation is performed for requesting authentication of a target call session party during a call session between the target party and a call session party requesting said authentication. An operation is performed for receiving authentication information of the target call session party during the call session in response to requesting said authentication. An operation is performed for facilitating authentication of said authentication information during the call session in response to receiving said authentication information.
    Type: Application
    Filed: July 17, 2007
    Publication date: January 22, 2009
    Inventors: Stanley Taihai Chow, Vinod Choyi, Christophe Gustave, Dmitri Vinokurov
  • Publication number: 20090025062
    Abstract: A conference call server comprises a collection of computer-executable instructions for facilitating conference call authentication functionality. Computer-executable instructions are provided for authenticating a plurality of invitees to a conference call session during the conference call session. Authenticating the plurality of conference call invitees includes cryptographically verifying an identity of each one of the conference call invitees using information associated with a respective authentication certificate. Computer-executable instructions are provided for outputting identification information contained in the authentication certificate of each one of the conference call invitees in response to successful authentication thereof. The identification information is outputted to at least one of the conference call invitees.
    Type: Application
    Filed: July 17, 2007
    Publication date: January 22, 2009
    Inventors: Christophe Gustave, Bassem Abdel-Aziz, Stanley Taihai Chow
  • Publication number: 20090013404
    Abstract: When the processing resources of a host system are occupied beyond a trigger point by incoming requests, that host system issues a cool-it message that is broadcast throughout the network, eventually reaching edge routers that, in response to the message, throttle the traffic that they pass into the network. The throttling is applied in increasing amounts with increasing traffic volumes received at the edge routers. The cool-it messages are authenticated to ensure that they are not being used as instruments of a DoS attack. This mechanism also works to control legitimate network congestion, and it does not block users from a host system that is under attack.
    Type: Application
    Filed: July 5, 2007
    Publication date: January 8, 2009
    Applicant: ALCATEL LUCENT
    Inventors: Stanley TaiHai Chow, Douglas Wiemer, Jean-Marc Robert
  • Publication number: 20080301812
    Abstract: Packets of a certain type from a certain source are directed to a system that estimates the set of destinations and the number of new destinations for which that source has sent packets during a time window Ti. Instead of maintaining tables with the complete destination addresses for each source, the destination addresses are hashed and stored in a small bit array. The sets of destinations for a number of successive time windows are OR'ed for building cumulative tables Ci, where Ci includes all destinations that have been seen between T0 and Ti. The new destinations are determined by counting the destinations set in Ti but not in Ci-1. Any change from the typical patterns can be suspected as being a slow scan.
    Type: Application
    Filed: May 29, 2007
    Publication date: December 4, 2008
    Applicant: ALCATEL LUCENT
    Inventors: Stanley TaiHai Chow, Peter Rabinovitch, Bassem Abdel-Aziz
  • Publication number: 20080300834
    Abstract: Graph-based modeling apparatus and techniques are disclosed. Based on a model including model nodes that represent components of a modeled system, operational dependencies between model nodes, and model edges that interconnect the nodes and represent relationships between the components in the modeled system, subset computations are performed to compute subsets of the model nodes that can impact operational dependencies between other model nodes. When the model changes, a determination is made as to whether an incremental subset computation should be performed for one or more particular operational dependencies between model nodes in the changed model, and if so, an incremental subset computation is performed. Otherwise, a full subset computation or no subset computation might be performed. In this manner, model changes are considered on a case-by-case basis to determine an extent, if any, to which subsets should be re-computed.
    Type: Application
    Filed: June 1, 2007
    Publication date: December 4, 2008
    Inventors: Douglas Wiemer, Mohammed Riyas Valiyapalathingal, Louie Kwan, Jennifer Li, Stanley TaiHai Chow