Protection At A Particular Protocol Layer Patents (Class 713/151)
-
Patent number: 9292695
Abstract: A method for analyzing computer network security has been developed. The method first establishes multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security. Next, an estimate is created for each node that reflects the ease of realizing the event, condition, or attribute of the node. Attack paths are identified that represent a linkage of nodes that reach a condition of compromise of network security. Next, edge probabilities are calculated for the attack paths. The edge probabilities are based on the estimates for each node along the attack path. Finally, an attack graph is generated that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions.
Type: Grant
Filed: April 10, 2014
Date of Patent: March 22, 2016
Inventor: Gabriel Bassett
-
Patent number: 9288225
Abstract: A method includes receiving a connection request at a connection server port via a network from a client, the connection request directed to an application server, duplicating a socket for the communication and passing the socket to the application server, and replying to the network client connection request to establish a direct connection between the client and the application server via the passed socket, and this method supports the SSL protocol via the passed socket.
Type: Grant
Filed: April 17, 2013
Date of Patent: March 15, 2016
Assignee: CA, Inc.
Inventors: Gong jun Fei, Zhenghua Xu, Alexey Shvechkov, Kai Ma
-
Patent number: 9282024
Abstract: A physical layer device provides both timestamp processing and security processing. The timestamp processing may be PTP processing according to IEEE Std. 1588 and/or OAM processing according to ITU-T Recommendation Y.1731. The security processing may be MACsec processing according to IEEE Std. 802.1AE. The timestamp processing may delay some packets to avoid impairing accuracy of timing information. For example, the accuracy of timing information could be impaired when a packet containing the timing information is delayed due to additional bits added to a preceding packet to include a security tag and integrity check value.
Type: Grant
Filed: November 7, 2012
Date of Patent: March 8, 2016
Assignee: Microsemi Communications, Inc.
Inventor: Brian Branscomb
-
Patent number: 9276871
Abstract: The present disclosure describes methods and systems for enabling a migration of network elements from a first location to a second location remote from the first location without changing the Internet Protocol (IP) addresses, subnet mask, and/or default gateway of the network elements. The first location has a first Locator/Identifier Separation Protocol (LISP) router configured on a stick and the second location has a second LISP router configured on a stick. Both the first LISP router and the second LISP router are on the same subnet. Effectively, LISP provides a Layer 3 extension stretching a subnet across the first location and the second location (Stretched Subnet Mode (SSM)). By implementing LISP routers in this manner, system engineers can migrate network elements easily between two locations.
Type: Grant
Filed: March 20, 2014
Date of Patent: March 1, 2016
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Santiago Vazquez Freitas, Patrice Bellagamba
-
Patent number: 9275151
Abstract: A system and method is disclosed for generating a user profile. The method discloses: receiving a user profile request from a profile requester; identifying profile fragments with a profile mediator, from existing profiles in a profile corpus which are responsive to the user profile request; aggregating the identified profile fragments into the user profile response; and transmitting the user profile response to the profile requestor. The system discloses various means and modules for effecting the method.
Type: Grant
Filed: February 6, 2009
Date of Patent: March 1, 2016
Assignee: Hewlett Packard Enterprise Development LP
Inventor: Riddhiman Ghosh
-
Patent number: 9276752
Abstract: A secure software update provides an update utility with an update definition, a private encryption key and a public signature key to a target device. A software update package is prepared on portable media that includes an executable update program, a checksum for the program that is encrypted with a symmetrical key, an encrypted symmetrical key that is encrypted with a public encryption key and a digital signature prepared with a private signature key. The update process authenticates the digital signature, decrypts the symmetrical key using the private encryption key, and decrypts the checksum using the symmetrical key. A new checksum is generated for the executable update program and compared to the decrypted checksum. If inconsistencies are detected during the update process, the process is terminated. Otherwise, the software update can be installed with a relatively high degree of assurance against corruption, viruses and third party interference.
Type: Grant
Filed: February 13, 2012
Date of Patent: March 1, 2016
Assignee: Siemens Healthcare Diagnostics Inc.
Inventors: Bestin Abraham, Kerry Miller
-
Patent number: 9277570
Abstract: A mobile terminal in a wireless communication network may be in one of several modes of operation. When in an idle mode, the mobile terminal may avoid a lengthy random access procedure normally associated with responding to a page from a base station, if the base station includes in the page an indication of a resource that the mobile terminal may utilize when responding to the page. Additionally, the mobile terminal may transmit an efficient location update MAC header to a base station, whether prompted to by a page from the base station or not. Furthermore, without leaving the idle mode or a sleep mode, the mobile terminal may exchange short data burst messages with a base station.
Type: Grant
Filed: November 1, 2012
Date of Patent: March 1, 2016
Assignee: APPLE INC.
Inventors: Hang Zhang, Mo-Han Fong, Peiying Zhu, Wen Tong
-
Patent number: 9264499
Abstract: Technologies for monitoring data storage location for cloud data include a cloud monitoring server configured to communicate with one or more cloud customer computing devices and cloud service providers. The cloud monitoring server receives monitoring requests from the cloud customer computing devices and retrieves provider information from the cloud service providers. The cloud monitoring server compiles response data based on the monitoring requests and the provider information, and sends response data to the cloud customer computing devices. Cloud customer computing devices may send on-demand monitoring requests and/or continuous, policy-based monitoring requests. For policy-based monitoring, the cloud monitoring server continually monitors the provider information and provides response data when one or more conditions specified in the policy are satisfied. The cloud monitoring server may also make recommendations and provide feedback based on the monitoring requests or the provider information.
Type: Grant
Filed: December 14, 2012
Date of Patent: February 16, 2016
Assignee: Intel Corporation
Inventors: Hong Li, John B. Vicente, Mark D. Yarvis, James R. Blakley
-
Patent number: 9258332
Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
Type: Grant
Filed: October 23, 2014
Date of Patent: February 9, 2016
Assignee: A10 Networks, Inc.
Inventors: Lee Chen, Ronald Wai Lun Szeto
-
Patent number: 9253171
Abstract: Embodiments of methods and network devices for securing data within a network are generally described herein. One such method includes a key aggregation server receiving a request for an encryption key to secure the data. The server may query a plurality of network devices for a respective key from each queried network device. The server may then receive the respective key from each of the plurality of network devices and select a key element from each of the plurality of keys. An encryption key may be constructed from the key elements and transmitted to a client.
Type: Grant
Filed: June 20, 2013
Date of Patent: February 2, 2016
Assignee: Raytheon Cyber Products, LLC
Inventors: Matthew D. Neumann, Michael W. Smith
-
Patent number: 9246743
Abstract: In one embodiment, a Fibre Channel over Ethernet (FCoE) proxy point (FPP) that is connected to one or more end-point devices is coupled to one or more other FPPs, and to a FCoE control and management plane (F-CMP) server. The FPP provides data plane functionality. The F-CMP server provides control plane functionality. At least some control and management traffic received at the FPP is proxied between the F-CMP server and the one or more end point devices connected to the FPP. FCoE traffic received at the FPP from the one or more end point devices connected to the FPP is transmitted to the one or more other FPPs without the FCoE traffic traversing the F-CMP server. The transmitting is performed by data plane functionality of the FPP operating under directions from the control plane functionality of the F-CMP server.
Type: Grant
Filed: August 13, 2013
Date of Patent: January 26, 2016
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Silvano Gai, Claudio Desanti, Marco Di Benedetto
-
Patent number: 9247413
Abstract: Disclosed herein are methods and systems for flexible fast network switching. In an embodiment, a wireless-communication device has a first chipset compatible with first and second bands and a second chipset compatible with the first band and a third band. The device selects a mode for switching among two or more of the bands. In a first mode with respect to the first and second bands, the device obtains service on the first band via the first chipset. In the first mode with respect to the first and third bands, the device obtains service on the first band via the second chipset. In a second mode with respect to the first and second bands, the device obtains service on the first band via the second chipset. In the second mode with respect to the first and third bands, the device obtains service on the first band via the first chipset.
Type: Grant
Filed: October 17, 2014
Date of Patent: January 26, 2016
Assignee: Motorola Solutions, Inc.
Inventors: Brundaban Sahoo, Michael H Baker
-
Patent number: 9240989
Abstract: A system that incorporates the subject disclosure may perform, for example, receiving an over-the-air programming message that is utilizing a hypertext transfer protocol where the over-the-air programming message includes programming data for use by the mobile communication device, converting the over-the-air programming message to a short message service transport protocol to generate an adjusted message that includes the programming data, and providing the adjusted message to a universal integrated circuit card of the mobile communication device via a baseband proxy operating in a device processor of the mobile communication device. Other embodiments are disclosed.
Type: Grant
Filed: November 1, 2013
Date of Patent: January 19, 2016
Assignee: AT&T INTELLECTUAL PROPERTY I, LP
Inventors: Walter Cooper Chastain, Stephen Emille Chin
-
Patent number: 9240868
Abstract: Systems and methods for improving data transmission rates in communication networks are disclosed. In an 802.11 wireless communication network, where a source node of the wireless network transmits TCP data to a destination node of the wireless network, the destination node does not transmit TCP acknowledgments (ACKs) for the TCP data if 802.11 ACKs indicate that the destination node received the TCP data. If a source outside the wireless network transmits TCP data to the destination node within the wireless network through an intermediate device, such as an access point, the destination node suppresses transmitting TCP ACKs. The intermediate device transmits TCP ACKs as proxy for the destination node to the source. The intermediate device also suppresses TCP ACKs where a source node within the wireless network sends the TCP data to a destination node outside of the wireless network.
Type: Grant
Filed: November 4, 2005
Date of Patent: January 19, 2016
Assignee: RUCKUS WIRELESS, INC.
Inventors: William S. Kish, John Chanak
-
Patent number: 9240982
Abstract: Systems, methods, and devices for associating an image forming device and a mobile device receive, at a first device, a request to establish a connection with a second device; generate an optically-readable code that encodes a first set of data, wherein the first set of data includes first key-derivation data; display the optically-readable code of the first set of data; establish a communication channel with the second device; receive a second set of data from the second device via the established communication channel, wherein the second set of data includes second key-derivation data, and wherein the second key-derivation data is generated in response to receiving the first key-derivation data at the second device; and determine the common key from the first key-derivation data and the second key-derivation data.
Type: Grant
Filed: December 27, 2013
Date of Patent: January 19, 2016
Assignees: Canon Information and Imaging Solutions, Inc., Canon U.S.A., Inc.
Inventors: Royce E. Slick, Manuel Ferreira, Craig Mazzagatte
-
Patent number: 9237129
Abstract: The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the Open Flow standard communication protocol.
Type: Grant
Filed: May 13, 2014
Date of Patent: January 12, 2016
Assignee: Dell Software Inc.
Inventors: Hui Ling, Zhong Chen
-
Patent number: 9231918
Abstract: Techniques are provided herein for enabling a virtual private network (VPN) using a bidirectional, full duplex transport channel configured to send and receive application layer data packets. At a source network device that hosts a VPN client, the VPN client is configured with a bidirectional, full duplex transport channel that is configured to send and receive Open Systems Interconnection application layer data packets. The VPN client is also configured with a virtual network interface that operates to virtually link the VPN client with the transport channel.
Type: Grant
Filed: February 19, 2013
Date of Patent: January 5, 2016
Assignee: Cisco Technology, Inc.
Inventors: Mohammed Baseer Khan, Sanju Abraham, Ajay Lele, Nishant Suneja, Rajesh Kumar
-
Patent number: 9225735
Abstract: A computer-implemented method for blocking flanking attacks on computing systems may include (1) detecting a denial-of-service attack targeting a computing network, (2) inferring, based at least in part on detecting the denial-of-service attack, a secondary attack targeting at least one computing resource within the computing network, (3) determining that the computing resource is subject to additional protection based on inferring the secondary attack targeting the computing resource, and (4) protecting the computing resource against the secondary attack by adding an authentication requirement for accessing the computing resource. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: December 23, 2013
Date of Patent: December 29, 2015
Assignee: Symantec Corporation
Inventor: Deb Banerjee
-
Patent number: 9223984
Abstract: A method includes mapping, based on a first mapping from possible security findings to possible configuration-related sources of imprecision, actual security findings from a static analysis of a program to corresponding configuration-related sources of imprecision, the mapping of the actual security findings creating a second mapping. A user is requested to configure selected ones of the configuration-related sources of imprecision from the second mapping. Responsive to a user updating configuration corresponding to the selected ones of the configuration-related sources of imprecision, security analysis results are updated for the static analysis of the program at least by determining whether one or more security findings from the security analysis results are no longer considered to be vulnerable based on the updated configuration by the user. The updated security analysis results are output. Apparatus and program products are also disclosed.
Type: Grant
Filed: September 12, 2013
Date of Patent: December 29, 2015
Assignee: GlobalFoundries Inc.
Inventors: Salvatore A. Guarnieri, Marco Pistoia, Omer Tripp
-
Patent number: 9226242
Abstract: Various of the disclosed embodiments concern efficiency improvements in wireless products. For example, some embodiments specify profiles for regional and custom-specified operational constraints. The profiles may be retrieved from across a network or stored locally upon the device. The profiles may specify various configuration adjustments that optimize the system's performance. For example, when possible, some embodiments may allow the system to operate at a lower power level and to thereby save energy. Various factors and conditions may be assessed in some embodiments prior to adjusting the existing power configuration.
Type: Grant
Filed: April 15, 2014
Date of Patent: December 29, 2015
Assignee: NETGEAR, INC.
Inventors: Joseph Amalan Arul Emmanuel, Shun-Liang Yu, Peiman Amini
-
Patent number: 9215228
Abstract: A system authenticates in-vehicle electronic devices having unequal capabilities such as having varying different communication and processing capabilities. A Connected Vehicle Gateway portion of a selected in-vehicle device acts as an onboard authentication proxy and onboard key server functionality for other in-vehicle devices, and serves as an interface between an in-vehicle network and one or more associated external networks, thereby eliminating the need for explicit peer discovery protocol and the requirement of devices to perform key establishment with each individual communication peer. Instead, each in-vehicle device establishes the group keys as a result of its authentication with the onboard key server and uses the group keys to locally generate and update its session keys. The onboard key server selectively obtains the keys from one or more off-board authentication servers and distributes them to selected in-vehicle devices.
Type: Grant
Filed: June 17, 2014
Date of Patent: December 15, 2015
Assignee: Cisco Technology, Inc.
Inventors: Tao Zhang, Helder Antunes, Aaron Lung, Chintan Patel, Ajith Thrivikramannair, Akshay Singhal
-
Patent number: 9210163
Abstract: A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.
Type: Grant
Filed: May 30, 2014
Date of Patent: December 8, 2015
Assignee: F5 Networks, Inc.
Inventors: John R. Hughes, Richard Roderick Masters, Robert George Gilde
-
Patent number: 9209977
Abstract: A system and method for processing messages received at a vehicle. The method carried out by the system involves wirelessly receiving at a vehicle a first communication message having secure credentials and a message signature for a second communication message. Then, the vehicle authenticates the first communication message via its secure credentials. Later, the vehicle wirelessly receives the second communication message and validates this second message using the message signature from the first message. In response to the validation, the second message is processed at the vehicle.
Type: Grant
Filed: April 11, 2012
Date of Patent: December 8, 2015
Assignee: General Motors LLC
Inventors: Thomas M. P. Catsburg, Ansaf I. Alrabady
-
Patent number: 9197616
Abstract: A source device that plans to participate in one or more encrypted communication sessions with a destination device sends a discovery message towards the destination device. An intermediary device that processes this discovery message requests a master key from the source device. The source verifies that the intermediary device is a trusted device and then sends the intermediary device the requested master key. Prior to transmitting encrypted messages to the destination device, the source device sends session key information, encrypted using the master key, to the intermediary device. The intermediary device uses this session key information to decrypt and process encrypted messages sent as part of the encrypted communication session between the source device and the destination device.
Type: Grant
Filed: March 19, 2010
Date of Patent: November 24, 2015
Assignee: Cisco Technology, Inc.
Inventor: Alok Kumar Sinha
-
Patent number: 9197626
Abstract: Leveraging a persistent connection to provide a client access to a secured service may include establishing a persistent connection with a client in response to a first request from the client, and brokering a connection between the client and a secured service based on a second request from the client by leveraging the persistent connection with the client. The brokering may occur before the client attempts to connect to the secured service directly and the connection may be established between the client and the secured service without provision by the client of authentication information duplicative or additional to authentication information provided by the client to establish the persistent connection.
Type: Grant
Filed: December 30, 2014
Date of Patent: November 24, 2015
Assignee: FACEBOOK, INC.
Inventor: Robert Bruce Hirsh
-
Patent number: 9183364
Abstract: A device possessing a secure multifunctional authentication service integrated with data storage capability, wherein the device is a multifunctional intelligent peripheral or accessory device, which, upon implementation into a system, is disposed to control a set of transactions that the system is designated to perform by the device, in conjunction with a data transfer medium which is under the control of the device.
Type: Grant
Filed: August 13, 2010
Date of Patent: November 10, 2015
Assignee: Innovation in Motion, Inc.
Inventors: Thomas Szoke, Daniel Fozzati, Andras Vago
-
Patent number: 9166862
Abstract: The disclosure describes embodiments of a distributed caching system that are configured to store handshake data between client devices and servers, enabling handshake transaction to be resumed in case of interruption. Client devices can resume the handshake transaction even if assigned to new servers as the new servers can obtain the handshake data identifiers from the distributed caching system.
Type: Grant
Filed: December 19, 2012
Date of Patent: October 20, 2015
Assignee: Amazon Technologies, Inc.
Inventors: Melissa Elaine Davis, Antoun Joubran Kanawati, Mukul Vijay Karnik, Kal Lyndon McFate, Vishal Parakh, Alexander Julian Tribble
-
Patent number: 9165126
Abstract: Disclosed are various embodiments of techniques that may be used to improve the reliability of network authentication. A communication session is established between a server computing device and a client computing device. The communication session is established via a network using a credential for a network site. A verifier for the credential is generated, which may be used to confirm the authenticity of the credential. The verifier is provided to the client computing device via the network.
Type: Grant
Filed: October 30, 2012
Date of Patent: October 20, 2015
Assignee: Amazon Technologies, Inc.
Inventor: Jesper M. Johansson
-
Patent number: 9152727
Abstract: Embodiments of the invention include systems and methods that enable the association and aggregation of consumer data gathered from online and offline sources. In particular, several embodiments are directed to linking consumer data in a data source controlled by an entity (e.g., such as a company's CRM (customer relationship management) database) to offline data sources such as demographic data, and/or online data sources such as online interaction data. The linking may be based on several identifiers (IDs) associated with the data sources. The systems and methods disclosed herein thus facilitate the association of these disparate data sources and enable various entities to better tailor interactions with the consumers. In other embodiments, a shared cookie data management system and method is disclosed. The shared cookie serves as a vehicle through which entities can selectively share consumer information with other entities in a system with uniform format and technical infrastructure.
Type: Grant
Filed: August 22, 2011
Date of Patent: October 6, 2015
Assignee: Experian Marketing Solutions, Inc.
Inventors: Michael Balducci, Thomas C. Manvydas, Nadya Kohl, Paul Koelfgen
-
Patent number: 9137203
Abstract: Embodiments of the present invention address deficiencies of the art in respect to network security and provide a method, system and computer program product for centralized secure offload of key exchange services for distributed security enforcement points. In one embodiment, a data processing system for centralized secure offload of key exchange services for distributed security enforcement points can be provided. The system can include a security enforcement point controlling communication flows between devices in different less trusted zones of protection, and a security server communicatively coupled to the security enforcement point and hosting key exchange services disposed in a more trusted zone of protection. The security enforcement point can include an interface to the key exchange services and program code enabled to offload at least one portion of a key exchange through the interface to the key exchange services disposed in the more trusted zone of protection.
Type: Grant
Filed: January 24, 2007
Date of Patent: September 15, 2015
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Curtis M. Gearhart, Christopher Meyer, Linwood H. Overby, Jr., David J. Wierbowski
-
Patent number: 9129450
Abstract: A wireless device access system employs short-range wireless communication to require the proximity of a user device to a structure prior to communicating an unlock request. The access system authenticates the unlock request and the proximity of the user to the structure prior to transmitting an unlock command to the structure. Additionally, the wireless device may require the proximity of a user token prior to operation and/or the access system may include an override within the structure blocking any unlock command.
Type: Grant
Filed: June 18, 2014
Date of Patent: September 8, 2015
Assignee: Yikes LLC
Inventors: William Benjamin Robertson, Robert P. Barden
-
Patent number: 9130744
Abstract: Key exchange methods, apparati, and computer-readable media for a cryptographic communication system. The system, which employs a novel combination of multiple channel communication, symmetric cryptography, and asymmetric cryptography, allows an entity A to bootstrap the exchange of cryptographic secrets EQB to a second entity B through an alternate communication channel 30 for the transmission of a cryptographically secure message M. The system is secure against various passive and active attacks. The encryption key transfer is briefly vulnerable to man-in-the-middle attacks, but this can be prevented in preferred embodiments.
Type: Grant
Filed: September 22, 2014
Date of Patent: September 8, 2015
Assignee: Envelope, LLC
Inventors: Kevin King, Brad Bergersen
-
Patent number: 9118718
Abstract: Techniques for managing network connections are described. An apparatus may comprise a communications component operative to manage a connection for a client, the connection routed over a network and a traffic analysis component operative to determine one or more characteristics of the routing of the connection. Other embodiments are described and claimed.
Type: Grant
Filed: April 10, 2012
Date of Patent: August 25, 2015
Assignee: INTEL CORPORATION
Inventors: Scott A. Krig, Madan Venugopal, Vishwa Hassan
-
Patent number: 9118645
Abstract: Techniques and tools are described for performing distributed authentication using persistent stateless credentials. Distributed authentication can be performed during egress by obtaining a principal identifier, generating an expiration time, obtaining a secret key identifier that identifies a secret key, generating an initialization vector, encrypting the principal identifier and the expiration time to produce a ciphertext, creating a credential, and providing the credential for persistence at a client device. The credential comprises the ciphertext, the initialization vector, and the secret key identifier.
Type: Grant
Filed: December 19, 2012
Date of Patent: August 25, 2015
Assignee: Jive Software, Inc.
Inventor: Zack Manning
-
Patent number: 9112907
Abstract: An approach for reutilizing transport layer security (TLS) connections among separate applications is provided. In one aspect, a computing system establishes a transmission control program/Internet protocol (TCP/IP) connection between a first application of a first endpoint and a second application on a second endpoint. The computing system further performs a TLS handshake over the established TCP/IP connection. The computing system also transmits a request from a third application of the second endpoint to transfer a TLS context from the second application on the second endpoint. In response to the second application on the second endpoint accepting the transfer request, the second application utilizing via the one or more computer processors, a predetermined method of providing a TLS context to the third application, wherein the third application of the second endpoint and the first application of the first endpoint communicate securely.
Type: Grant
Filed: May 31, 2013
Date of Patent: August 18, 2015
Assignee: International Business Machines Corporation
Inventors: Caspar G.J. Krieger, Bill J. Soper, Kenichi Yoshimura
-
Patent number: 9112908
Abstract: An approach for reutilizing transport layer security (TLS) connections among separate applications is provided. In one aspect, a computing system establishes a transmission control program/Internet protocol (TCP/IP) connection between a first application of a first endpoint and a second application on a second endpoint. The computing system further performs a TLS handshake over the established TCP/IP connection. The computing system also transmits a request from a third application of the second endpoint to transfer a TLS context from the second application on the second endpoint. In response to the second application on the second endpoint accepting the transfer request, the second application utilizing via the one or more computer processors, a predetermined method of providing a TLS context to the third application, wherein the third application of the second endpoint and the first application of the first endpoint communicate securely.
Type: Grant
Filed: June 12, 2013
Date of Patent: August 18, 2015
Assignee: International Business Machines Corporation
Inventors: Caspar G.J. Krieger, Billy Joe Soper, Kenichi Yoshimura
-
Patent number: 9094375
Abstract: A physical layer device provides security processing on communication frames that may include tags or headers that are for use in a wide area network. As frames pass through the physical layer device, the frames are classified for a type of security processing. Depending on the classification a cipher is applied to the frames for integrity checking of data in the frames. Some frames are also encrypted. The security processing may exclude some of the tags or headers. The frames may also be filtered and buffered.
Type: Grant
Filed: November 7, 2012
Date of Patent: July 28, 2015
Assignee: MICROSEMI COMMUNICATIONS, INC.
Inventor: Brian Branscomb
-
Patent number: 9086913
Abstract: Methods and apparatus relating to processor extensions for execution of secure embedded containers are described. In an embodiment, a scalable solution for manageability function is provided, e.g., for UMPC environments or otherwise where utilizing a dedicated processor or microcontroller for manageability is inappropriate or impractical. For example, in an embodiment, an OS (Operating System) or VMM (Virtual Machine Manager) Independent (generally referred to herein as “OI”) architecture involves creating one or more containers on a processor by dynamically partitioning resources (such as processor cycles, memory, devices) between the HOST OS/VMM and the OI container. Other embodiments are also described and claimed.
Type: Grant
Filed: December 31, 2008
Date of Patent: July 21, 2015
Assignee: Intel Corporation
Inventors: Vedvyas Shanbhogue, Arvind Kumar, Purushottam Goel
-
Patent number: 9088638
Abstract: The present invention involves providing secure Voice Over IP (VOIP) communications to a mobile communications device. Specifically, the disclosed systems and methods enable a standard remote communications device (e.g., a cellular telephone) to utilize the Secure Communications Interoperability Protocol (SCIP) as designed by the U.S. Department of Defense. The invention provides SCIP access to users without requiring specific hardware configurations to be built into, or added to, the remote communications device. The remote communications device is equipped with software that emulates what was previously accomplished through a hardware configuration in order to facilitate secure VOIP communications over standard mobile communication devices.
Type: Grant
Filed: September 3, 2009
Date of Patent: July 21, 2015
Assignee: Apriva, LLC
Inventor: Mike Klingen
-
Patent number: 9077754
Abstract: This disclosure is directed to systems and methods for handling the processing of a next protocol negotiation extension for a transport layer security (TLS) session. A device, intermediary to a client and a server, may receive a client hello message from the client in a handshake to establish a transport layer security (TLS) session with the server. The client hello message may include a next protocol negotiation extension. The device may include a first TLS processor that is software based and a second TLS processor that is hardware based. The device may determine that the client hello message includes the next protocol negotiation extension. The device may establish, responsive to the determination, the TLS session using the first TLS processor. The device may process, upon establishment of the TLS session using the first TLS processor, encrypted data for the TLS session using the second TLS processor.
Type: Grant
Filed: April 6, 2013
Date of Patent: July 7, 2015
Assignee: Citrix Systems, Inc.
Inventors: Swarupa Gonuguntla, Ashoke Saha, Tushar Kanekar
-
Patent number: 9050536
Abstract: A communication game system includes a plurality of game apparatuses which are able to wirelessly communicate with each other. Each of the game apparatuses registers identifying information of an opponent obtained by a short-distance wireless communication or by user's manual input in a friend list. Thereafter, the game apparatus connects to the Internet, and inquires whether it is possible to communicate with an opponent in the friend list over the network. If it is possible to communicate, the game apparatus obtains an address of the opponent to make a network communication. Even if a user makes a short distance wireless communication with a friend to exchange and register the identifying information or registers the friend by hand and then is parted from the friend, the user can safely communicate with the friend across the network without being exposed to unknown players.
Type: Grant
Filed: May 20, 2013
Date of Patent: June 9, 2015
Assignee: NINTENDO CO., LTD.
Inventors: Tetsuya Sasaki, Yosuke Hatayama, Daisuke Nakamura, Yoshitaka Shirota, Masaru Mitsuyoshi, Yutaka Takehisa, Katsuya Eguchi
-
Patent number: 9048923
Abstract: Embodiments of the present invention include a system and method for wirelessly identifying and validating an electronic device in order to initiate a communication process with another device or a service. In an embodiment, the system includes a portable biometric monitoring device that is identified by a client device or a server for the purpose of initiating a pairing process. In an embodiment, pairing implies pairing the portable device to an online user account with minimal user interaction. After pairing, the portable device and appropriate client devices and servers communicate with little or no user interaction, for example to upload sensor data collected by the portable device.
Type: Grant
Filed: December 24, 2013
Date of Patent: June 2, 2015
Assignee: Fitbit, Inc.
Inventors: Peter Andrew Molettiere, James Park, Aislinn Abigail Bilodeaux-Dewey, Christine Boomer Brumback, Eric Nathan Friedman, Robert Curtis Cole, Heiko Gernot Albert Panther, Andrew Cole Axley
-
Patent number: 9049012
Abstract: According to an embodiment, a communication apparatus includes a finding unit; a negotiating unit; and a communicating unit. The finding unit is configured to, in response to a request from an application that makes use of key information, find out a key generating device that generates the key information. The negotiating unit is configured to perform a negotiation operation with respect to the key generating device to determine conditions for key information that is to be generated. The communicating unit is configured to receive, from the key generating device, the key information that is generated based on the conditions determined in the negotiation operation, and send the received key information to the application.
Type: Grant
Filed: March 7, 2013
Date of Patent: June 2, 2015
Assignee: Kabushiki Kaisha Toshiba
Inventors: Shinichi Baba, Yoshimichi Tanizawa, Hideaki Sato
-
Patent number: 9043898
Abstract: An access rights management system is presented in which a mobile device may be allowed to access corporately held data in a flexible manner but in which the security and integrity of the data is maintained. The mobile device is provided with a rights adjustment module which modifies the access rights for locally stored corporate data in dependence on the connectivity of the mobile device with a corporate server.
Type: Grant
Filed: April 18, 2011
Date of Patent: May 26, 2015
Assignee: LENOVO INNOVATIONS LIMITED (HONG KONG)
Inventors: Frederic Fok Ah Chuen, Benoit Lecroart, Olivier Perron
-
Patent number: 9043874
Abstract: Provided are a system and method for protecting data in an electronic communications environment. An interested entity establishes one or more controls for a received unit of data. At a source device in the electronic communications network, the unit of data is encapsulated with self-protection security data that includes the one or more controls. The encapsulated unit of data is delivered from the source device to a destination device in the electronic communications network. A data broker facilitates the delivery of the data to the destination device according to the controls. Facilitating the delivery of the data includes: identifying for the receiving device a collection of services corresponding to the controls independently of the network.
Type: Grant
Filed: November 28, 2012
Date of Patent: May 26, 2015
Assignee: Wal-Mart Stores, Inc.
Inventor: Stuart I. Riley
-
Patent number: 9043588
Abstract: Various embodiments provide a method and apparatus of providing accelerated encrypted connections in a cloud network supporting transmission of data including per-user encrypted data. Transmission of encrypted data from an application server uses an encryption scheme that encrypts static data using a first encryption scheme that derives keys from the content itself and encrypts dynamic data, such as dynamic website content with personalized user data, using a second encryption scheme.
Type: Grant
Filed: May 8, 2012
Date of Patent: May 26, 2015
Assignee: Alcatel Lucent
Inventors: Krishna P. Puttaswamy Naga, Katherine Guo
-
Patent number: 9043928
Abstract: Methods are provided for tracking data corresponding to a mobile device that accesses a web page. Once a mobile device is registered with a network, the mobile device is instructed to request permission before accessing a web page. An access request is received, and based on a user profile, the access request is approved such that the mobile device may access the web page. Access data that corresponds to the mobile device accessing the web page is collected so that it can be added to and stored in a database.
Type: Grant
Filed: February 24, 2010
Date of Patent: May 26, 2015
Assignee: Sprint Communications L.P.
Inventors: Lyle W. Paczkowski, John E. Belser, Nicolas A. Nehme Antoun, Farni B. Weaver
-
Patent number: 9043604
Abstract: Keying materials used for providing security in a platform are securely provisioned both online and offline to devices in a remote platform. The secure provisioning of the keying materials is based on a revision of firmware installed in the platform.
Type: Grant
Filed: September 5, 2013
Date of Patent: May 26, 2015
Assignee: Intel Corporation
Inventors: Ernest F. Brickell, Shay Gueron, Jiangtao Li, Carlos V. Rozas, Daniel Nemiroff, Vincent R. Scarlata, Uday R. Savagaonkar, Simon P. Johnson
-
Patent number: 9038162
Abstract: Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.
Type: Grant
Filed: June 25, 2012
Date of Patent: May 19, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Costin Hagiu, Elton Saul, Rajneesh Mahajan, Sergey A. Kuzin, Joy Chik, John E. Parsons, Ashwin Palekar, Ara Bernardi
-
Patent number: 9038160
Abstract: A method of ensuring secure and cost effective communication of aeronautical data to and from an aircraft is provided. The method includes uplinking air-ground aircraft data communications via an aeronautical safety data link and downlinking air-ground aircraft data communications via a consumer data link separated from the aeronautical safety data link by a one-way firewall.
Type: Grant
Filed: June 23, 2014
Date of Patent: May 19, 2015
Assignee: Honeywell International Inc.
Inventors: Donald C. Kauffman, Thomas D. Judd, Michael L. Olive