Application Layer Security Patents (Class 713/152)
  • Patent number: 8844040
    Abstract: The present invention provides a system and method of managing traffic traversing an intermediary based on a result of end point auditing. An authentication virtual server of an intermediary may determine a result of an end point analysis scan of a client. Responsive to the determination, a traffic management virtual server of the intermediary can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary. In some embodiments, the authentication virtual server may receive one or more expressions evaluated by the client. The one or more expressions identify one or more attributes of the client. The traffic management virtual server can also determine a type of compression or encryption for the connection based on applying the one or more traffic management policies using the result.
    Type: Grant
    Filed: March 23, 2009
    Date of Patent: September 23, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: James Harris, Rui Li, Arkesh Kumar, Ravindranath Thakur, Puneet Agarwal, Akshat Choudhary, Punit Gupta
  • Patent number: 8843758
    Abstract: Techniques involving migrating authenticated content on a network towards the consumer of the content. One representative technique includes a network node receiving an encrypted seed having at least a location of the user data at a network service that stores the user data, and a cryptographic key to access the user data. The seed is received in response to a user login attempt to the network service. The user data is requested from the location using at least the received cryptographic key. The method further includes receiving and storing the user data at the network node, where the network node is physically closer to a location of the user than is the location of the network service. If the user is successfully authenticated, user access is provided to the stored user data at the network node rather than from the network service.
    Type: Grant
    Filed: November 30, 2011
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: Baskaran Dharmarajan, Andy Chin, Aladdin A. Nassar
  • Patent number: 8843415
    Abstract: In one embodiment the present invention includes a method of performing a secure transaction in a software system, such as a software service system, for example. Embodiments of the invention include encoding symmetric keys for securing transactions between a service consumer and service provider. Asymmetric keys are also used for providing additional security during transactions. In one embodiment, license tokens and capability tokens are encoded and passed between a service consumer and service provider for allowing a consumer secure access to authorized services.
    Type: Grant
    Filed: October 3, 2008
    Date of Patent: September 23, 2014
    Assignee: SAP AG
    Inventors: Yuecel Karabulut, Isaac Nassi
  • Patent number: 8843994
    Abstract: A method and system are provided for assessing the cumulative set of access entitlements to which an entity of an information system may be implicitly or explicitly authorized, given the universe of authorization intent specifications (or a specified subset of them) that exist across that information system and that specify access for that entity or for any entity collective with which that entity is directly or transitively affiliated. The effective system-level access granted to the user, as determined by operating system rules or by access check methodologies, is computed and mapped to administrative tasks to arrive at the cumulative set of access entitlements authorized for the user.
    Type: Grant
    Filed: April 23, 2013
    Date of Patent: September 23, 2014
    Inventor: Sanjay Tandon
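The entitlement assessment described in this abstract, as an added example that is not the patent's own code: a user's principals are expanded through transitive group membership, the allow/deny entries that apply to any of those principals are merged (deny wins, as in Windows-style access checks), and the resulting effective rights are mapped onto administrative tasks. The directory, ACLs and task table are constructed for the example.

```python
from collections import deque

# Constructed directory: group -> direct members (users or other groups).
MEMBERS = {
    "eng-all": {"alice", "bob", "eng-leads"},
    "eng-leads": {"carol"},
    "payroll-ro": {"eng-leads", "dave"},
    "contractors": {"bob"},
}

# Constructed authorization intent: resource -> (principal, effect, rights).
# A deny entry overrides any allow, mirroring NTFS-style evaluation.
ACL = {
    "/srv/payroll": [
        ("payroll-ro", "allow", {"read"}),
        ("contractors", "deny", {"read", "write"}),
        ("carol", "allow", {"write"}),
    ],
    "/srv/source": [
        ("eng-all", "allow", {"read", "write"}),
        ("contractors", "deny", {"write"}),
    ],
}

# Constructed mapping from an administrative task to the right it needs.
TASKS = {
    "view payroll": ("/srv/payroll", "read"),
    "edit payroll": ("/srv/payroll", "write"),
    "commit code": ("/srv/source", "write"),
}


def principals_for(entity):
    """The entity plus every group it belongs to, directly or transitively."""
    parents = {}
    for group, members in MEMBERS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, queue = {entity}, deque([entity])
    while queue:  # breadth-first walk up the membership graph
        current = queue.popleft()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def effective_rights(entity, resource):
    """Rights the entity ends up with on `resource` after deny overrides allow."""
    principals = principals_for(entity)
    allowed, denied = set(), set()
    for principal, effect, rights in ACL.get(resource, []):
        if principal in principals:
            (allowed if effect == "allow" else denied).update(rights)
    return allowed - denied


def entitlement_report(entity):
    """Cumulative entitlements per resource, the patent's 'cumulative set'."""
    return {res: sorted(effective_rights(entity, res)) for res in ACL}


def authorized_tasks(entity):
    """Administrative tasks the entity can perform given its effective rights."""
    return sorted(
        task for task, (res, right) in TASKS.items()
        if right in effective_rights(entity, res)
    )


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, entitlement_report(user), authorized_tasks(user))
```

Note that bob loses write on /srv/source through the contractors deny even though eng-all allows it, and carol gains payroll read only through the nested eng-leads membership; both are the implicit grants the abstract says must be surfaced.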
  • Patent number: 8838958
    Abstract: A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two or more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.
    Type: Grant
    Filed: December 12, 2012
    Date of Patent: September 16, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Josephine Suganthi, Tushar Kanekar, Sivaprasad Udupa
  • Patent number: 8832840
    Abstract: A system is configured to receive a list of applications installed on a user device; obtain application profiles that identify risk levels associated with the applications; obtain a user profile that identifies a job level, security risk level, or an access level to confidential information associated with the user of the user device; identify a highest risk level authorized for the user device based on whether the job level is greater than a first threshold, the security risk level is greater than a second threshold, or the access level is greater than a third threshold; determine whether any of the risk levels are greater than the highest risk level; and transmit a notification that one of the applications is to be removed from the user device when one of the risk levels, associated with the one of the applications, is greater than the highest risk level.
    Type: Grant
    Filed: October 26, 2011
    Date of Patent: September 9, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Fang Julie Zhu, Xu Clark Yang, Jack Jianxiu Hao
  • Patent number: 8826424
    Abstract: In embodiments of the present invention improved capabilities are described for runtime additive disinfection of malware. Runtime additive disinfection of malware may include performing the steps of identifying, based at least in part on its type, an executable software application that is suspected of being infected with malware, wherein the malware is adapted to perform a function during the execution of the executable software application; predicting the malware function based on known patterns of malware infection relating to the type of the executable software application; and, in response to the prediction, adding a remediation software component to the executable software application that prevents the executable software application from executing code that performs the predicted malware function.
    Type: Grant
    Filed: March 27, 2009
    Date of Patent: September 2, 2014
    Assignee: Sophos Limited
    Inventors: James I. G. Lyne, Paul B. Ducklin
  • Patent number: 8819412
    Abstract: A private document delivery system and method includes a sending computer configured to transmit an electronic document over a computer network, a dynamically established encrypted line to traverse the computer network from a receiving computer to the sending computer where the delivery address of the receiving computer is resolved at the time of transmission of the private message such that no third parties to the message receive a permanent copy of the message. The system and method also includes a signaling mechanism configured to notify the receiving computer that the electronic document is waiting for delivery. The system and method includes a verification agent configured to verify the receiving computer's identity with a protocol specified by the sending computer and to provide access instructions to the receiving computer with which the receiving computer locates the sending computer via the dynamically established encrypted line and receives the transmitted electronic document.
    Type: Grant
    Filed: April 29, 2011
    Date of Patent: August 26, 2014
    Assignee: Shazzle LLC
    Inventors: Igor V. Slepinin, Clifford F. Boyle, Robert E. McGill
  • Patent number: 8812835
    Abstract: Network interoperability is presently limited due to the existence of many different and often incompatible hardware implementations and communication protocols, where products from competing manufacturers are often not interoperable; and due to the number of protocols already in existence, there is little hope that standards can fully solve the problem in a reasonable time span. Vast potential benefits could be reaped if networks of various types could be accessed and shared regardless of their underlying network protocols and/or physical media, and also increased or unlimited interconnectivity would greatly increase the value of networks. The present invention proposes a novel method to achieve network protocol independence, consisting of a protocol-independent network communications model, that allows communication between device nodes belonging in networks based on diverse physical architectures and protocols, which can therefore be regarded together as hybrid networks.
    Type: Grant
    Filed: February 15, 2005
    Date of Patent: August 19, 2014
    Assignee: Smartmatic International Corporation
    Inventors: Antonio Mugica, Paul Babic, Oscar Mora
  • Patent number: 8813216
    Abstract: A method and system for providing security to a Network Job Entry (NJE) network. A first NJE node and a third NJE node are connected by a second NJE node. The second NJE node conducts a security check of NJE packets traveling between the first and third NJE nodes. The security check performed by the second NJE node includes checking the userid of the person or job that sent the NJE packet, as well as the NJE data type. The NJE data type may be classified by the type of operation being performed, such as a batch job, sysout, command, message, as well as what application is being used. In one preferred embodiment, the security check includes checking the security level of the source of the data being transferred, such as a sensitive application. The security check can be based on the size of the data packet, such that excessively large data packets from a particular user are not permitted to be transmitted outside a secure NJE network.
    Type: Grant
    Filed: December 16, 2004
    Date of Patent: August 19, 2014
    Assignee: International Business Machines Corporation
    Inventors: William Joseph Bloemeke, Reid Anthony Cashion
  • Patent number: 8813174
    Abstract: A policy manager generates a uniform cloud service and information security policy based on a plurality of access contexts. The policy manager distributes the uniform cloud service and information security policy to a plurality of security blades, the security blades located within a plurality of cloud services and configured to control access for a user device to the cloud services and the information contained therein based on the uniform cloud service and information security policy.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: August 19, 2014
    Assignee: Symantec Corporation
    Inventors: Robert Koeten, Nicolas Popp
  • Patent number: 8812845
    Abstract: An authentication method of a first module by a second module includes the steps of generating a first random datum by the second module to be sent to the first module, generating a first number by the first module starting from the first datum and by way of a private key, and generating a second number by the second module to be compared with the first number, so as to authenticate the first module. The step of generating the second number is performed starting from public parameters and is independent of the step of generating the first number.
    Type: Grant
    Filed: January 7, 2013
    Date of Patent: August 19, 2014
    Assignees: STMicroelectronics S.r.l., Hewlett-Packard Development Company, L.P.
    Inventors: Liqun Chen, Keith Harrison, Guido Marco Bertoni, Pasqualina Fragneto, Gerardo Pelosi
  • Patent number: 8812643
    Abstract: Encoding and/or decoding of messages. On the encoding end, a composite encoder encodes message from an internal format that is used by internal system components into an external format. However, the composite encoder may encode the outgoing messages into different external formats on a per-message basis. For incoming message, a composite decoder decodes incoming messages from any one of a plurality of external formats into the internal format also on a per-message basis. A per-message report mechanism permits internal system components and the encoding/decoding components to communicate information regarding the encoding or decoding on a per message basis. XML messages can be converted automatically into Binary messages.
    Type: Grant
    Filed: July 5, 2011
    Date of Patent: August 19, 2014
    Assignee: Microsoft Corporation
    Inventors: Stephen Jared Maine, Michael J. Coulson, Tirunelveli R. Vishwanath, Erik B. Christensen
  • Patent number: 8806191
    Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator-selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator-selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: August 12, 2014
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8806577
    Abstract: A system that incorporates teachings of the present disclosure may include, for example, a non-transitory computer-readable storage medium operating in a mobile device server that has computer instructions to execute a web server application at the mobile device server. The web server application can be operable to detect a media resource center while roaming in a communication zone of the media resource center and to transmit a pairing key to the media resource center responsive to acquiring communication access to the communication zone. The web server application can be further operable to receive from the media resource center an indication that a roaming charge will be applied to a subscriber account associated with the mobile device responsive to the media resource center identifying from the pairing key that the mobile device server is a guest device. Other embodiments are disclosed.
    Type: Grant
    Filed: April 16, 2013
    Date of Patent: August 12, 2014
    Assignee: AT&T Intellectual Property I, LP
    Inventors: William A. Brown, Troy Meuninck
  • Patent number: 8806189
    Abstract: An apparatus for analyzing traffic is provided. The apparatus may precisely identify and analyze web traffic through 5-tuple-, HTTP-, and request/response-pair-based packet analysis by monitoring the correlation between sessions.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: August 12, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Dong-Won Kang, Joon-Kyung Lee, Sang-Sik Yoon, Wang-Bong Lee
  • Patent number: 8799640
    Abstract: Techniques for managing a secure communication session are provided. A non-browser application utilizes a browser to establish a secure communication session with a server. The session cookie set in the browser is mapped by the server to a secret token that is supplied via the browser to the non-browser application. The browser is then closed and the secure communication session between the server and the non-browser application continues unabated via the secret token.
    Type: Grant
    Filed: February 27, 2010
    Date of Patent: August 5, 2014
    Assignee: Novell, Inc.
    Inventors: Prakash Umasankar Mukkara, Lloyd Leon Burch
  • Patent number: 8797565
    Abstract: An image processing apparatus includes: an acquisition unit configured to acquire data targeted for image processing; a memory unit configured to store the acquired data; an output unit configured to output the data; and an access-right controller configured to provide the data with pre-defined access right when the data are stored by the memory unit, and configured to change the access right when the data are output by the output unit.
    Type: Grant
    Filed: November 26, 2010
    Date of Patent: August 5, 2014
    Assignee: Oki Data Corporation
    Inventor: Hideo Suto
  • Patent number: 8799639
    Abstract: One embodiment of the present invention provides a system that converts authentication-tokens to facilitate interactions between applications. During operation, the system receives a command-execution request from a first application, wherein the command-execution request specifies a command to execute on a second application. Subsequently, the system verifies a first authentication-token included with the command-execution request. Next, the system translates the first authentication-token into a form associated with the second application to produce a second authentication-token. The system then modifies the command-execution request by replacing the first authentication-token with the second-authentication-token to create a modified command-execution request. Then, the system sends the modified command-execution request to the second application.
    Type: Grant
    Filed: July 25, 2006
    Date of Patent: August 5, 2014
    Assignee: Intuit Inc.
    Inventors: Alex G. Balazs, Zane Z. Y. Pan
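The token conversion in this abstract, as an added example that is not Intuit's code: a gateway verifies the first application's token, then re-issues the same identity in the second application's claim vocabulary under that application's key. The tokens are HS256 JWTs, the two applications ("billing" and "ledger"), their keys, the claim names and the fixed clock value are all constructed for the example. The example also rejects a token whose `alg` header is not the expected one and never extends the original token's lifetime, two checks a practitioner would want in any token translator.

```python
import base64
import hashlib
import hmac
import json

NOW = 1_700_000_000  # constructed clock so the example is deterministic

# Constructed per-application HMAC keys held only by the gateway.
KEYS = {
    "billing": b"billing-app-secret-key-0123456789",
    "ledger": b"ledger-app-secret-key-9876543210",
}


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, key):
    """Issue a compact HS256 JWT for `claims` under `key`."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"


def verify(token, key, now=NOW):
    """Return the claims if signature, algorithm and expiry check out."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: the header is attacker-controlled until verified.
    if json.loads(_unb64u(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def translate_request(request, now=NOW):
    """Verify the caller's token, then swap in one the target app accepts."""
    src, dst = request["from"], request["to"]
    claims = verify(request["token"], KEYS[src], now)
    if claims.get("aud") != src:
        raise ValueError("token was not issued for the source application")
    target_claims = {
        "iss": "gateway",
        "aud": dst,
        "sub": claims["sub"],
        "acct": claims["account_id"],        # ledger uses different claim names
        "scope": " ".join(claims["perms"]),
        "exp": min(claims["exp"], now + 60),  # never extend the original lifetime
    }
    return dict(request, token=mint(target_claims, KEYS[dst]))


if __name__ == "__main__":
    first = mint({"sub": "u-17", "aud": "billing", "account_id": "A-9",
                  "perms": ["read", "post"], "exp": NOW + 300}, KEYS["billing"])
    out = translate_request({"from": "billing", "to": "ledger",
                             "command": "post_entry", "token": first})
    print(verify(out["token"], KEYS["ledger"]))
```

The command itself (`post_entry` and any arguments) passes through untouched; only the `token` field is replaced, which is the "modified command-execution request" of the abstract.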
  • Patent number: 8792641
    Abstract: In one embodiment, the method performed by mobile equipment to authenticate communication with a network includes generating keys using the Cellular Authentication and Voice Encryption (CAVE) algorithm, and then generating an authentication key based on these keys. The authentication key is used to generate an expected message authentication code used in authenticating the network according to the authentication and key agreement (AKA) security protocol.
    Type: Grant
    Filed: January 10, 2013
    Date of Patent: July 29, 2014
    Assignee: Alcatel Lucent
    Inventor: Sarvar Patel
  • Patent number: 8793486
    Abstract: A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining by the appliance, the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described.
    Type: Grant
    Filed: January 9, 2012
    Date of Patent: July 29, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Tushar Kanekar, Sivaprasad Udupa
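The buffering-then-digest flow of this abstract, as an added example that is not Citrix's code. The appliance keeps every handshake message it relays, and only when the client's Finished arrives does it hash the whole transcript and derive the expected verify_data with the TLS 1.2 PRF (RFC 5246: verify_data = PRF(master_secret, "client finished", Hash(handshake_messages))[0..11]). The master secret and the handshake messages are constructed opaque byte strings standing in for real ones; a real transcript would include the 4-byte handshake headers and real message bodies, which does not change the logic.

```python
import hashlib
import hmac


def p_sha256(secret, seed, nbytes):
    """TLS 1.2 P_SHA256 expansion (RFC 5246 section 5)."""
    out, a = b"", seed
    while len(out) < nbytes:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:nbytes]


def finished_verify_data(master_secret, label, handshake_messages):
    """verify_data = PRF(master_secret, label, SHA-256(all handshake messages))[0:12]."""
    transcript_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    return p_sha256(master_secret, label + transcript_hash, 12)


class HandshakeBuffer:
    """Appliance-side store: handshake messages are kept verbatim and hashed
    only once, after the client's Finished has been received."""

    def __init__(self):
        self.messages = []

    def record(self, msg):
        self.messages.append(msg)

    def check_client_finished(self, master_secret, received_verify_data):
        expected = finished_verify_data(master_secret, b"client finished", self.messages)
        return hmac.compare_digest(expected, received_verify_data)


# Constructed handshake transcript (first byte mimics the handshake type).
MASTER_SECRET = bytes(range(48))
HANDSHAKE = [
    b"\x01client-hello",
    b"\x02server-hello",
    b"\x0bserver-cert",
    b"\x0e",               # ServerHelloDone
    b"\x10premaster",      # ClientKeyExchange
]


def client_finished():
    """What the client puts in its Finished, computed over its own transcript copy."""
    return finished_verify_data(MASTER_SECRET, b"client finished", HANDSHAKE)


def appliance_check(messages_seen, received_verify_data):
    """Replay the appliance's side: buffer everything, then verify once."""
    buf = HandshakeBuffer()
    for msg in messages_seen:
        buf.record(msg)
    return buf.check_client_finished(MASTER_SECRET, received_verify_data)


if __name__ == "__main__":
    print("finished ok:", appliance_check(HANDSHAKE, client_finished()))
    altered = HANDSHAKE[:2] + [b"\x0bother-cert"] + HANDSHAKE[3:]
    print("finished ok after transcript change:", appliance_check(altered, client_finished()))
```

The second call shows why the transcript must be buffered byte-for-byte: a single differing message (here a swapped certificate) changes the hash, so the client's verify_data no longer matches and the handshake must be aborted rather than completed.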
  • Publication number: 20140208095
    Abstract: Managed real-time communications between user devices may be provided. Upon receiving a request to instantiate a communication connection from an application, a secure session may be established between the application and a remote application. Input from a user of the application may be received, subjected to at least one management policy, and transmitted to the remote application.
    Type: Application
    Filed: March 24, 2014
    Publication date: July 24, 2014
    Applicant: SkySocket, LLC
    Inventors: Erich Stuntebeck, Evan Hurst
  • Publication number: 20140208094
    Abstract: A method for providing control plane encryption in layer 3 networks is disclosed. For a network having a subset of network elements forming a secured domain, the method includes, at a network element in the secured domain, the steps of: encrypting all unencrypted Layer 3 packets as they egress an encryption-enabled egress interface; decrypting all encrypted Layer 3 packets as they egress an egress interface that is not enabled for encryption; and leaving encrypted all already-encrypted Layer 3 packets as they egress an encryption-enabled egress interface. A system and machine readable storage media are also disclosed.
    Type: Application
    Filed: January 23, 2013
    Publication date: July 24, 2014
    Applicant: Alcatel-Lucent Canada Inc.
    Inventors: Carl Rajsic, Hansen Chan
  • Patent number: 8789162
    Abstract: According to one embodiment, an apparatus may store a plurality of token-based rules that facilitate access to a resource, and a plurality of tokens indicating a user is using a device to request access to a resource over a network. The apparatus may receive a risk token indicating the risk associated with granting at least one of the user and the device access to the resource. The risk token may be computed from a set of tokens in the plurality of tokens. The apparatus may determine at least one token-based rule based at least in part upon the plurality of tokens and the risk token. The apparatus may then make an access decision based upon the at least one token-based rule, and communicate a decision token representing the access decision.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: July 22, 2014
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8788605
    Abstract: Systems and methods for handling messages on a mobile device. A system and method could be configured to receive at a mobile device a message that is associated with a message expiry indicator. If a message expiry indicator is determined to be associated with the received message, then the received message is removed from the mobile device.
    Type: Grant
    Filed: June 27, 2012
    Date of Patent: July 22, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Ian Robertson, David Victor MacFarlane, Herbert Anthony Little
  • Patent number: 8782773
    Abstract: A system for enabling communication between a first domain and a second domain is disclosed. At least the first domain is protected by a firewall. A first data-processing system is provided in the first domain and a second data-processing system provided in second domain. The second domain hosts an application that the first domain desires to access. To enable the communication between the two domains a tunnel is established through the firewall. The tunnel runs from the first data-processing system to the second data-processing system. The second data-processing system provides a web-proxy interface to interface to the application and also acts as a tunnel gateway.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: July 15, 2014
    Assignee: Avaya Inc.
    Inventors: Wu Chou, Lookman Yasin Fazal, Weiping Guo, Feng Liu, Zhi Qiang Zhao
  • Publication number: 20140195797
    Abstract: A network device receives TCP segments of a flow via a first SSL session and transmits TCP segments via a second SSL session. Once a TCP segment has been transmitted, the TCP payload need no longer be stored on the network device. Substantial memory resources are conserved, because the device may have to handle many retransmit TCP segments at a given time. If the device receives a retransmit segment, then the device regenerates the retransmit segment to be transmitted. A data structure of entries is stored, with each entry including a decrypt state and an encrypt state for an associated SSL byte position. The device uses the decrypt state to initialize a decrypt engine, decrypts an SSL payload of the retransmit TCP segment received, uses the encrypt state to initialize an encrypt engine, re-encrypts the SSL payload, and then incorporates the re-encrypted SSL payload into the regenerated retransmit TCP segment.
    Type: Application
    Filed: January 9, 2013
    Publication date: July 10, 2014
    Applicant: Netronome Systems, Inc.
    Inventor: Roelof Nico du Toit
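The regeneration described in this abstract, as an added example that is not Netronome's code. The splice forwards each segment, keeps only (decrypt position, encrypt position, length) per TCP sequence number, and rebuilds a retransmitted segment by re-seeking both keystreams to the stored positions. The stream cipher here is a stand-in, HMAC-SHA256 in counter mode, chosen because Python's standard library has no AES; any cipher whose keystream can be generated at an arbitrary block index (AES-CTR, the keystream inside AES-GCM) gives the same re-seek property, whereas a CBC suite would additionally need the previous ciphertext block as state. Record headers and per-record MACs or AEAD tags are left out so that only the byte-position bookkeeping is shown; keys and nonces are constructed values.

```python
import hashlib
import hmac

BLOCK = 32  # keystream block size of the stand-in cipher (one SHA-256 output)


def keystream_block(key, nonce, index):
    """Stand-in for an AES-CTR block: keystream block `index` for (key, nonce)."""
    return hmac.new(key, nonce + index.to_bytes(8, "big"), hashlib.sha256).digest()


def xor_at(key, nonce, pos, data):
    """Encrypt/decrypt `data` as though it started at stream byte offset `pos`."""
    out = bytearray(len(data))
    i = 0
    while i < len(data):
        off = pos + i
        block = keystream_block(key, nonce, off // BLOCK)
        start = off % BLOCK
        chunk = data[i:i + BLOCK - start]      # stay inside this keystream block
        for j, byte in enumerate(chunk):
            out[i + j] = byte ^ block[start + j]
        i += len(chunk)
    return bytes(out)


class SslSplice:
    """Decrypts the client-side stream, re-encrypts for the server side, and
    remembers only stream positions per segment, never the payload."""

    def __init__(self, in_key, in_nonce, out_key, out_nonce):
        self.inbound = (in_key, in_nonce)
        self.outbound = (out_key, out_nonce)
        self.in_pos = 0     # bytes consumed on the client-side SSL stream
        self.out_pos = 0    # bytes produced on the server-side SSL stream
        self.table = {}     # tcp seq -> (decrypt_pos, encrypt_pos, length)

    def forward(self, seq, ciphertext):
        plaintext = xor_at(*self.inbound, self.in_pos, ciphertext)
        out = xor_at(*self.outbound, self.out_pos, plaintext)
        self.table[seq] = (self.in_pos, self.out_pos, len(ciphertext))
        self.in_pos += len(ciphertext)
        self.out_pos += len(out)
        return out

    def regenerate(self, seq, retransmitted_ciphertext):
        """Rebuild the outbound segment for a retransmit without stored payload."""
        decrypt_pos, encrypt_pos, length = self.table[seq]
        if len(retransmitted_ciphertext) != length:
            raise ValueError("retransmit does not match the original segment")
        plaintext = xor_at(*self.inbound, decrypt_pos, retransmitted_ciphertext)
        return xor_at(*self.outbound, encrypt_pos, plaintext)


# Constructed keys and nonces for the two SSL sessions.
IN_KEY, IN_NONCE = b"client-side-record-key", b"cn"
OUT_KEY, OUT_NONCE = b"server-side-record-key", b"sn"


if __name__ == "__main__":
    splice = SslSplice(IN_KEY, IN_NONCE, OUT_KEY, OUT_NONCE)
    seg1 = xor_at(IN_KEY, IN_NONCE, 0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    seg2 = xor_at(IN_KEY, IN_NONCE, len(seg1), b"Accept: */*\r\n\r\n")
    f1, f2 = splice.forward(1000, seg1), splice.forward(1000 + len(seg1), seg2)
    print(splice.regenerate(1000 + len(seg1), seg2) == f2)
    print(xor_at(OUT_KEY, OUT_NONCE, 0, f1 + f2))
```

The table holds three integers per segment regardless of payload size, which is where the memory saving the abstract claims comes from; the cost is a second decrypt/encrypt pass for every retransmit.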
  • Patent number: 8769258
    Abstract: A network is protected from e-mail viruses through the use of a sacrificial server. Any executable programs or other suspicious parts of incoming e-mail messages are forwarded to a sacrificial server, where they are converted to non-executable format such as Adobe Acrobat PDF and sent to the recipient. The sacrificial server is then checked for virus activity. After the execution is completed, the sacrificial server is rebooted.
    Type: Grant
    Filed: May 26, 2011
    Date of Patent: July 1, 2014
    Assignee: Intellectual Ventures I LLC
    Inventors: Walter Mason Stewart, Marcelo Carrera, Robert G. Hook
  • Patent number: 8768403
    Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout component in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout component includes a service interface that performs primary control by one system, and backup control by a different system.
    Type: Grant
    Filed: November 16, 2012
    Date of Patent: July 1, 2014
    Assignee: International Business Machines Corporation
    Inventors: William F. Berg, Michael T. Kalmbach, Scott A. Liebl, Mark D. Schroeder
  • Patent number: 8769286
    Abstract: A method for generating e-mail messages with increased security includes receiving an e-mail message at a control system. The e-mail message has recipients, a security level, control attributes, and e-mail message contents. Moreover, the method includes verifying the recipients at the control system, and storing the recipients, security level, control attributes, and e-mail message contents in the control system when each of the recipients is verified. Furthermore, the method includes generating modified e-mail messages from the e-mail message, transmitting each of the modified e-mail messages to a respective recipient, and capturing authentication data from one of the recipients when the one recipient indicates a desire to view the e-mail message contents with a communications device operated by the one recipient. When the one recipient is successfully authenticated, the method includes permitting the one recipient to view the e-mail message contents in accordance with the control attributes.
    Type: Grant
    Filed: September 20, 2011
    Date of Patent: July 1, 2014
    Assignee: Daon Holdings Limited
    Inventors: Conor Robert White, Christopher Eric Holland, Jason Scott Cramer, Christopher James Mort, John Francis Oakley, III
  • Patent number: 8769259
    Abstract: There can be problems with the security of social networking communications. For example, there may be occasions when a number of friends wish to communicate securely through a social network infrastructure, such that non-trusted third-party entities, such as a Social Network Operator or host that provides the application infrastructure, do not overhear the communication. In response to the above problems, the embodiments presented propose a set of innovative, lightweight solutions, considering that in certain scenarios the Social Network Operator may not be a trusted entity. Embodiments of the present invention are directed to methods and apparatuses for secure information sharing in social networks using random keys.
    Type: Grant
    Filed: January 6, 2012
    Date of Patent: July 1, 2014
    Assignee: Alcatel Lucent
    Inventors: Ioannis Broustis, Violeta Cakulev, Ganapathy Subramanian Sundaram
  • Patent number: 8761827
    Abstract: Mobile network services are performed in a mobile data network in a way that is transparent to most of the existing equipment in the mobile data network. The mobile data network includes a radio access network and a core network. A breakout component in the radio access network breaks out data coming from a basestation, and performs one or more mobile network services at the edge of the mobile data network based on the broken out data. The breakout component includes a service interface that performs primary control by one system, and backup control by a different system.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: June 24, 2014
    Assignee: International Business Machines Corporation
    Inventors: William F. Berg, Michael T. Kalmbach, Scott A. Liebl, Mark D. Schroeder
  • Patent number: 8763147
    Abstract: A data security manager in a multi-nodal environment enforces processing constraints stored as security relationships that control how different pieces of a multi-nodal application (called execution units) are allowed to execute, to ensure data security. The security manager preferably checks the security relationships for security violations when new execution units start execution, when data moves to or from an execution unit, and when an execution unit requests external services. Where the security manager determines there is a security violation based on the security relationships, the security manager may move, delay or kill an execution unit to maintain data security.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: June 24, 2014
    Assignee: International Business Machines Corporation
    Inventors: Michael J. Branson, John M. Santosuosso
  • Patent number: 8763026
    Abstract: The present invention concerns a system (10) and a process for authenticating a PIN code of a user in an interactive information system in order to run an application. It comprises input means (15) for PIN code entry, security manager means (13) for comparing the PIN code of the user, upon a request for user authentication from the application, with a registered PIN code, and giving authorization to run said application if the PIN code of the user matches the registered PIN code, and display means (17) for displaying any graphics including a PIN entry field. The request for user authentication is provided on the display means via the PIN entry field with the look and feel of said application. The system further comprises emitting means for entering encrypted digits, the security manager means (13) being arranged to give authorization to run the application after full entry of said encrypted digits and if the PIN code of the user is identical to the registered PIN code.
    Type: Grant
    Filed: August 8, 2011
    Date of Patent: June 24, 2014
    Assignee: OpenTV, Inc.
    Inventor: Alain Delpuch
  • Patent number: 8762706
    Abstract: Systems, methods and a computer program product for facilitating multi-level communications within a computer system provide for generating while using a first network component a network data packet including a code within a field other than a payload field. The code corresponds with a coded communication within a library of coded communications. The network data packet is transmitted from the first network component to a designated second network component connected to the first network component that reads the code and selects the coded communication from the library of coded communications that corresponds with the code. The selected coded communication is then transmitted from the designated second network component to an intended recipient. The systems, methods and computer program product are applicable within the context of generalized computer systems, as well as restricted access computer systems.
    Type: Grant
    Filed: April 11, 2011
    Date of Patent: June 24, 2014
    Assignee: International Business Machines Corporation
    Inventor: Johan Jozef K. Van Mengsel
  • Patent number: 8756411
    Abstract: Embodiments provide an application layer security proxy that protects substation automation systems. The application layer security proxy inspects a received, inbound data packet at the application layer, and either drops the data packet, forwards the data packet, or processes the data packet rather than dropping it in order to maintain the communications network connection, the latter two according to a predefined role-based access control policy. The application layer security proxy calculates a round trip time for each reply to a received, inbound data packet and observes the bandwidth usage from the number of bytes transmitted. Round trip time and bandwidth usage are used to detect abnormal communication traffic.
    Type: Grant
    Filed: December 5, 2011
    Date of Patent: June 17, 2014
    Assignee: Siemens Aktiengesellschaft
    Inventors: Dong Wei, Livio Dalloro, Yan Lu
  • Publication number: 20140164759
    Abstract: Embodiments of the disclosure relate to proxying one or more email resources in transit to the client devices from the email services, removing one or more email attachments from the email resources, and encoding the stripped email attachments based at least in part on one or more cryptographic keys.
    Type: Application
    Filed: December 6, 2012
    Publication date: June 12, 2014
    Applicant: AIRWATCH, LLC
    Inventors: Alan Dabbiere, Erich Stuntebeck, Jonathon Blake Brannon
  • Patent number: 8751788
    Abstract: Embodiments of the invention provide a system for encrypting web session data which may include a session management module adapted to receive data from a web application module and provide a token that represents the data in encrypted form to the web application, wherein the web application is adapted to use the token to represent the data. The system may also include a tokenizer module communicably coupled to the session management module, wherein the tokenizer module is adapted to receive the data and generate the token. Further, the system may include a database communicably coupled to the session management module, wherein the database is adapted to receive the token and the data, associate the token with the data, and store the token and the data.
    Type: Grant
    Filed: June 10, 2009
    Date of Patent: June 10, 2014
    Assignee: Paymetric, Inc.
    Inventor: Nathan P. Leach
  • Patent number: 8751787
    Abstract: A method and device for integrating multiple threat security services are disclosed. The method may comprise parsing an incoming packet at a current layer and analyzing the packet with respect to multiple threat security services and so that one or more threat security services needed by the packet may be determined. According to an exemplary embodiment, the current layer may be a layer in a protocol stack constructed based on the multiple threat security services. With this method, integrated multiple threat security services may filter application data and parse network packet data via a single integrated entity, and thus the efficacy of filtering application data may be improved while computation overhead may be reduced.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: June 10, 2014
    Assignee: International Business Machines Corporation
    Inventor: Bai Ling Wang
  • Patent number: 8752180
    Abstract: A client device hosts a behavioral engine. Using the behavioral engine, the client device analyzes behavior of a client application with respect to confidential information. The client device assigns a rating indicative of risk to the client application based on the behavior of the client application. The client device performs an action to mitigate risk of data loss if the rating exceeds a threshold.
    Type: Grant
    Filed: May 26, 2009
    Date of Patent: June 10, 2014
    Assignee: Symantec Corporation
    Inventors: Ian Barile, Mario Espinoza
  • Patent number: 8744083
    Abstract: VoIP systems often use multiple ciphers for different components. The present invention includes a system and method for early detection of encrypted signals in packet networks that may be encrypted using any of a multitude of ciphers.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: June 3, 2014
    Assignee: Mitel Networks Corporation
    Inventor: Lee Dilkie
  • Patent number: 8739274
    Abstract: A device that implements a method for performing integrated caching in a data communication network. The device is configured to receive a packet from a client over the data communication network, wherein the packet includes a request for an object. At the operating system/kernel level of the device, one or more of decryption processing of the packet, authentication and/or authorization of the client, and decompression of the request occurs prior to and integrated with caching operations. The caching operations include determining if the object resides within a cache, serving the request from the cache in response to a determination that the object is stored within the cache, and sending the request to a server in response to a determination that the object is not stored within the cache.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: May 27, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Prakash Khemani, Prabakar Sundarrajan, Lakshmi Kumar, Kailash Kailash, Ajay Soni, Rajiv Sinha, Saravanakumar Annamalaisami
  • Patent number: 8732810
    Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: May 20, 2014
    Assignee: Cellco Partnership
    Inventors: Venkat Gaddam, Shahid Ahmed, Sankar Shanmugam, SM Masudur Rahman, William Cory Hawkins
  • Patent number: 8732830
    Abstract: Various embodiments include at least one of systems, methods, software, and data structures to evaluate function calls within a host, such as a scripting or application programming interface (API) host, prior to execution. Such embodiments may determine if a called function is authorized for execution. When the function is not authorized for execution, the function is not executed. Authorized and unauthorized functions may be set in a representation including one or both of authorized and unauthorized function functions. The representation may be stored external to the host so as to be modifiable.
    Type: Grant
    Filed: May 28, 2009
    Date of Patent: May 20, 2014
    Assignee: Adobe Systems Incorporated
    Inventor: Patrick R. Wibbeler
  • Patent number: 8732451
    Abstract: As provided herein, when using an untrusted network connection, a secure online environment can be created for a remote machine by connecting to a trusted computer with a trusted network connection. A proxy server is installed on a first computing device and shared encryption keys are generated for the first device and a portable storage device. A connection is initiated between a second computing device (e.g., remote device), connected to an untrusted network, and the first computing device, comprising initiating a proxy server protocol from the portable storage device (e.g., attached to the second device), using the second computing device. A secure connection between the first and second devices is created using the encryption keys.
    Type: Grant
    Filed: May 20, 2009
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Rajesh Viswanathan, David J. Steeves
  • Patent number: 8726007
    Abstract: Techniques for packet processing with removal of Internet Protocol (IP) layer routing dependencies are presented. Encrypted packets associated with network communications occurring via a VPN and IP tunnel are grabbed off the network stack before being processed by an IP layer of the network stack. Next, an IP header is generated for the encrypted packets and the encrypted packets are sent to a socket application. The socket application provides the encrypted packets back to the network stack at the data link layer for delivery to the VPN over the IP tunnel.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: May 13, 2014
    Assignee: Novell, Inc.
    Inventor: K Sarath Chandrika
  • Patent number: 8719592
    Abstract: A telematics system that includes a security controller is provided. The security controller is responsible for ensuring secure access to and controlled use of resources in the vehicle. The security measures relied on by the security controller can be based on digital certificates that grant rights to certificate holders, e.g., application developers. In the case in which applications are to be used with vehicle resources, procedures are implemented to make sure that certified applications do not jeopardize vehicle resources' security and vehicle users' safety. Relationships among interested entities are established to promote and support secure vehicle resource access and usage. The entities can include vehicle makers, communication service providers, communication apparatus vendors, vehicle subsystem suppliers, application developers, as well as vehicle owners/users.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: May 6, 2014
    Assignee: Cellport Systems, Inc.
    Inventors: Patrick J. Kennedy, Axel Fuchs, Charles W. Spaur
  • Patent number: 8719567
    Abstract: Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry.
    Type: Grant
    Filed: October 14, 2009
    Date of Patent: May 6, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Weis, Saurabh Mohan, Chandramouli Radhakrishnan
  • Patent number: 8713688
    Abstract: A secure collaboration mechanism between two organizations may be created based on a set of security system definitions provided by a receiving organization to a providing organization. The providing organization may create a shared portal that has a federated access between both organizations and has access and other security functions. The data collection process may be automated using digitally signed forms or other documents to analyze the security practices of the receiving organization and create a shared portal that has increased or decreased security provisions compared to the providing organization's standard procedures. The collaboration mechanism may be implemented in a bilateral arrangement, a hub and spoke arrangement, and a multilateral arrangement.
    Type: Grant
    Filed: March 24, 2010
    Date of Patent: April 29, 2014
    Assignee: Microsoft Corporation
    Inventors: Mark Wahl, Alex Weinert, Phil Stradling, Matthew Penarczyk, Craig Wittenberg, Dave Shute
  • Patent number: 8713665
    Abstract: A method and system for controlling a firewall for a user computer system. One or more processors of the user computer system receive a control request to control a program of the user computer system by the firewall. The control request includes a condition pertaining to at least one process of a remote computer system. The at least one process is configured to be executed on the remote computer system. The firewall protects the user computer system from external threats. The processors store a remote system condition associated with the program of the user computer system. The remote system condition includes the condition pertaining to the at least one process. The processors ascertain whether the remote system condition is satisfied. The processors direct the firewall to block or allow the transmission of data if it is ascertained that the remote system condition is not satisfied or satisfied, respectively.
    Type: Grant
    Filed: September 4, 2012
    Date of Patent: April 29, 2014
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker