Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 9021252
    Abstract: An encrypted-traffic discrimination device includes an input interface, a flow discrimination section, a data accumulation section, a selective data calculation section, a calculation result determination section, and an output interface. The flow discrimination section separates the input traffic into flows based on at least a transmission origin address and a transmission destination address. The data accumulation section accumulates characteristic amount data of the traffic for each flow. The selective data calculation section executes an evaluation computation using specific data from the characteristic amount data. Based on the calculated evaluation value, the calculation result determination section executes a threshold determination to decide whether or not the traffic is encrypted and, if it is, which encryption format is in use.
    Type: Grant
    Filed: February 24, 2010
    Date of Patent: April 28, 2015
    Assignees: Osaka City University, Osaka University, Oki Electric Industry Co., Ltd.
    Inventors: Shingo Ata, Go Hasegawa, Yoshihiro Nakahira, Nobuyuki Nakamura
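The flow-split, accumulate, evaluate, threshold pipeline in the abstract above, as an added Python illustration (not code from the patent or its assignees). The characteristic amount accumulated here is the payload byte histogram, and the evaluation is Shannon entropy against a fixed threshold, with a first-bytes heuristic for the "which format" step; the addresses, payloads, threshold and TLS-record check are all assumptions made for the example.

```python
"""Encrypted-flow discrimination by per-flow byte entropy (added illustration)."""
import hashlib
import math
from collections import Counter, defaultdict

MIN_BYTES = 512          # withhold a verdict until the flow has carried this much payload
ENTROPY_THRESHOLD = 7.2  # bits per byte; ciphertext and compressed data sit near 8.0 (assumed)


class FlowTable:
    """Per-flow accumulator: byte histogram, byte count and the first payload bytes."""

    def __init__(self):
        self.hist = defaultdict(Counter)
        self.nbytes = defaultdict(int)
        self.first_bytes = {}

    def add_packet(self, src, dst, payload):
        key = (src, dst)                       # flow = (origin address, destination address)
        self.first_bytes.setdefault(key, bytes(payload[:5]))
        self.hist[key].update(payload)
        self.nbytes[key] += len(payload)

    def entropy(self, key):
        """Shannon entropy (bits/byte) of everything seen on the flow so far."""
        total = self.nbytes[key]
        if total == 0:
            return 0.0
        return -sum((c / total) * math.log2(c / total) for c in self.hist[key].values())

    def classify(self, key):
        if self.nbytes[key] < MIN_BYTES:
            return "undecided"
        if self.entropy(key) < ENTROPY_THRESHOLD:
            return "plaintext"
        # Format hint once the flow is judged encrypted: a TLS record starts with a
        # content type (0x16 handshake / 0x17 application data) and version 0x03 0x0[1-4].
        fb = self.first_bytes[key]
        if len(fb) >= 3 and fb[0] in (0x16, 0x17) and fb[1] == 0x03 and 1 <= fb[2] <= 4:
            return "encrypted:tls"
        return "encrypted:unknown"


def pseudo_random(n, seed=b"seed"):
    """Deterministic high-entropy bytes standing in for captured ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def sample_table():
    """Constructed traffic: a cleartext HTTP flow, a TLS-framed flow and an opaque one."""
    t = FlowTable()
    http = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
            b"Accept: text/html\r\nConnection: keep-alive\r\n\r\n") * 16
    t.add_packet("10.0.0.5", "192.0.2.10", http)
    t.add_packet("10.0.0.6", "192.0.2.10", b"\x17\x03\x03\x08\x00" + pseudo_random(2048))
    t.add_packet("10.0.0.7", "198.51.100.2", pseudo_random(2048, seed=b"other stream"))
    return t


if __name__ == "__main__":
    table = sample_table()
    for flow in table.hist:
        print(flow, f"H={table.entropy(flow):.2f}", table.classify(flow))
```

Entropy alone separates cleartext from opaque data but not encryption from compression; gzip bodies, video and already-compressed images also score near 8 bits per byte, which is why the abstract's "specific data" step and a format hint (record headers, handshake shapes) matter more than the raw statistic.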
  • Patent number: 9021575
    Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: April 28, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 9021272
    Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
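The address-selected target key described above, as an added Python illustration (not the assignee's design or code). A region table maps physical address ranges to keys, the address alone picks the key, and the address is also mixed into the keystream, so ciphertext replayed at another address or into another region does not decrypt to the original word. The HMAC-SHA256 keystream stands in for a hardware block cipher, and the memory map, the translation and the keys are assumptions made for the example.

```python
"""Address-selected memory encryption (added illustration)."""
import hashlib
import hmac

WORD = 8                  # bytes per data word
PHYS_BASE = 0x1000_0000   # assumed physical base of the encrypted memory


class KeyedMemoryController:
    def __init__(self, regions):
        # regions: non-overlapping (start, end_exclusive, key) triples in physical space
        self.regions = regions
        self.mem = {}  # physical address -> ciphertext word

    @staticmethod
    def translate(logical):
        """Logical-to-physical translation (a fixed offset here; real MMUs use page tables)."""
        return PHYS_BASE + logical

    def key_for(self, phys):
        """Target-key selection: the address alone identifies the region and thus the key."""
        for start, end, key in self.regions:
            if start <= phys < end:
                return key
        raise PermissionError(f"no key covers physical address {phys:#x}")

    @staticmethod
    def _pad(key, phys):
        # Address-bound keystream: same key but a different address gives a different pad
        return hmac.new(key, phys.to_bytes(8, "big"), hashlib.sha256).digest()[:WORD]

    def write(self, logical, word):
        if len(word) != WORD:
            raise ValueError("word must be exactly WORD bytes")
        phys = self.translate(logical)
        pad = self._pad(self.key_for(phys), phys)
        self.mem[phys] = bytes(p ^ k for p, k in zip(word, pad))

    def read(self, logical):
        phys = self.translate(logical)
        pad = self._pad(self.key_for(phys), phys)
        return bytes(c ^ k for c, k in zip(self.mem[phys], pad))

    def copy_ciphertext(self, src_logical, dst_logical):
        """Move stored ciphertext without going through the engine (what a bus attacker could do)."""
        self.mem[self.translate(dst_logical)] = self.mem[self.translate(src_logical)]


def demo():
    """Write a word, then replay its ciphertext at other addresses; returns the three reads."""
    regions = [
        (PHYS_BASE + 0x0000, PHYS_BASE + 0x1000, b"firmware-region-key (constructed)"),
        (PHYS_BASE + 0x1000, PHYS_BASE + 0x2000, b"secrets-region-key (constructed)"),
    ]
    ctl = KeyedMemoryController(regions)
    ctl.write(0x0010, b"SECRETv1")
    in_place = ctl.read(0x0010)
    ctl.copy_ciphertext(0x0010, 0x0018)   # same region, different address
    moved_same_region = ctl.read(0x0018)
    ctl.copy_ciphertext(0x0010, 0x1008)   # different region, different key
    moved_other_region = ctl.read(0x1008)
    return in_place, moved_same_region, moved_other_region


if __name__ == "__main__":
    print(demo())
```

One caveat the toy keystream makes visible: rewriting a word at the same address reuses the same pad, so an observer of the bus learns the XOR of the old and new plaintexts. Hardware engines avoid this with a tweakable block cipher (address as tweak) rather than a pad, and the abstract's dedicated secure link for key transport is what keeps the region keys themselves off the observable bus.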
  • Patent number: 9021250
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to security function processing of encrypted data at a security enforcement point and provide a method, system and computer program product for security enforcement point inspection of encrypted data traversing a secure, end-to-end communications path. In an embodiment of the invention, a method for security enforcement point inspection of encrypted data in a secure, end-to-end communications path can be provided. The method can include establishing a persistent secure session with a key server holding an SA for an end-to-end secure communications path between endpoints, receiving the SA for the end-to-end secure communications path over the persistent secure session, decrypting an encrypted payload for the end-to-end secure communications path using session key data in the SA, and performing a security function on the decrypted payload.
    Type: Grant
    Filed: April 22, 2007
    Date of Patent: April 28, 2015
    Assignee: International Business Machines Corporation
    Inventor: Linwood H. Overby, Jr.
  • Patent number: 9015471
    Abstract: A wide area network using the internet as a backbone utilizing specially selected ISX/ISP providers whose routers route packets of said wide area network along private tunnels through the internet comprised of high bandwidth, low hop-count data paths. Firewalls are provided at each end of each private tunnel which recognize IP packets addressed to devices at the other end of the tunnel and encapsulate these packets in other IP packets whose header includes, as the destination address, the IP address of the untrusted side of the firewall at the other end of the tunnel. The payload sections of these packets are the original IP packets, which are encrypted and decrypted at both ends of the private tunnel using the same encryption algorithm and the same key or keys.
    Type: Grant
    Filed: September 10, 2013
    Date of Patent: April 21, 2015
    Assignee: AlterWAN, Inc.
    Inventor: Richard D. Haney
  • Patent number: 9015470
    Abstract: A streaming video server includes a virtual file system that stores playlist data corresponding to a plurality of video programs available from at least one video source and that stores at least one initial video program segment for each of the plurality of video programs. The streaming video server receives a request for a selected one of the plurality of video programs from a client device. The selected one of the plurality of video programs is retrieved from the at least one video source in response to the request. A plurality of encoded segments are generated from the selected one of the plurality of video programs, based on rate data. A multiplexer generates a plurality of output segments from the at least one initial video program segment corresponding to the selected one of the plurality of video programs and the plurality of encoded video program segments.
    Type: Grant
    Filed: January 2, 2013
    Date of Patent: April 21, 2015
    Assignee: Morega Systems, Inc
    Inventors: Eugene Losev, Thomas Walter Maxwell, Michael Podolsky, Ashraf Tahir, King Chiu Tam
  • Patent number: 9015469
    Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device for a secure session. The secure session request is received at the proxy server as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to the domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.
    Type: Grant
    Filed: July 28, 2011
    Date of Patent: April 21, 2015
    Assignee: CloudFlare, Inc.
    Inventors: Matthew Browning Prince, Lee Hahn Holloway, Srikanth N. Rao, Ian Gerald Pye
  • Patent number: 9015488
    Abstract: An efficient solution for secure implementation of indirect addressing (IA) is described. IA may be used, for example, in networks whose routing algorithms are not capable of multicast but that also contain very constrained devices which, although requiring multicast, are not capable of repeated unicast. IA is useful in wireless networks containing low-power, low-cost devices.
    Type: Grant
    Filed: October 20, 2010
    Date of Patent: April 21, 2015
    Assignee: Koninklijke Philips N.V.
    Inventor: Thomas Andreas Maria Kevenaar
  • Patent number: 9015467
    Abstract: Methods and associated systems are disclosed for providing secured data transmission over a data network. Data to be encrypted and encryption information may be sent to a security processor via a packet network so that the security processor may extract the encryption information and use it to encrypt the data. The encryption information may include flow information, security association and/or other cryptographic information, and/or one or more addresses associated with such information. The encryption information may consist of a tag in a header that is appended to packets to be encrypted before the packets are sent to the security processor. The packet and tag header may be encapsulated into an Ethernet packet and routed via an Ethernet connection to the security processor.
    Type: Grant
    Filed: December 4, 2003
    Date of Patent: April 21, 2015
    Assignee: Broadcom Corporation
    Inventors: Mark L. Buer, Scott S. McDaniel
  • Patent number: 9009460
    Abstract: A data encryption method, adapted to a node computing device in a cloud server system, comprises the following steps. Primary data is received. The dimension of an encryption matrix is computed. An encryption length is computed, and data segments matching the encryption length are extracted sequentially from the primary data. A plurality of encrypted segments is obtained by encrypting each extracted data segment through the encryption matrix.
    Type: Grant
    Filed: March 13, 2013
    Date of Patent: April 14, 2015
    Assignees: Inventec (Pudong) Technology Corporation, Inventec Corporation
    Inventors: Yu-Jia Chen, Chen-Hung Liao, Li-Chun Wang, Chung-Chih Li, Ying-Chieh Liao
  • Patent number: 9009461
    Abstract: An HTTP request addressed to a first resource on a second device outside the network is received from a first device within the network. The HTTP request is redirected to a third device within the network. A first encrypted connection is established between the first device and the third device, and a second encrypted connection between the third device and the second device. The third device retrieves the first resource from the second device. The first resource is modified into a second resource by changing pointers within it to point to locations in a domain associated with the third device within the network. The third device serves the second resource to the first device.
    Type: Grant
    Filed: August 14, 2013
    Date of Patent: April 14, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 9009809
    Abstract: A computer or microchip including a system BIOS located in flash memory which is located in a portion of the computer or microchip protected by an inner hardware-based access barrier or firewall, a central controller of the computer or microchip having a connection by a secure control bus with other parts of the computer or microchip, and a volatile random access memory located in a portion of the computer or microchip that has a connection for a network. The secure control bus is isolated from input from the network, and provides and ensures direct preemptive control by the central controller over the volatile random access memory, the control including transmission to or erasure of data and/or code in the volatile random access memory and control of a connection between the central controller, the volatile random access memory and at least one microprocessor having a connection for the network.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: April 14, 2015
    Inventor: Frampton E. Ellis
  • Patent number: 9009459
    Abstract: A computer-implemented method for neutralizing file-format-specific exploits contained within electronic communications may include (1) identifying an electronic communication, (2) identifying at least one file contained within the electronic communication, and then (3) neutralizing any file-format-specific exploits contained within the file. In one example, neutralizing any file-format-specific exploits contained within the file may include applying at least one file-format-conversion operation to the file. Additionally or alternatively, neutralizing any file-format-specific exploits contained within the file may include constructing a sterile version of the file that selectively omits at least a portion of any exploitable content contained within the file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 12, 2012
    Date of Patent: April 14, 2015
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Fanglu Guo, Susanta Nanda, Sandeep Bhatkar, Darren Shou, Marc Dacier
  • Patent number: 9009462
    Abstract: A method may include allocating a number of public keys, where each respective public key is allocated to a respective entity of a number of entities; storing a number of private keys, where each respective private key corresponds to a respective public key; and storing one or more decryption algorithms, where each respective decryption algorithm is configured to decrypt data previously encrypted using at least one of a number of encryption algorithms. Each respective encryption algorithm may be configured to encrypt data using at least one public key. Each respective decryption algorithm may be configured to decrypt data using at least one private key. The method may include receiving encrypted data, where the encrypted data is encrypted using a first public key and a first encryption algorithm, and the encrypted data is provided over a network.
    Type: Grant
    Filed: December 11, 2013
    Date of Patent: April 14, 2015
    Assignee: eBay Inc.
    Inventor: Daniel Manges
  • Patent number: 9003179
    Abstract: A communication method for a host and a wireless Internet access module, and a data card, are provided so that the host implements wireless Internet access with the wireless Internet access module through a secure digital interface. The method includes presenting each port on a wireless Internet access processing function unit in a wireless Internet access module as a secure digital card partition and reporting the secure digital card partition to a host side; receiving downlink interaction information from the host side encapsulated in a secure digital card interface format, decapsulating the downlink interaction information, and delivering the decapsulated downlink interaction information to the corresponding port; and receiving uplink interaction information reported to the host side from each port and encapsulating the received uplink interaction information in the secure digital card interface format.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: April 7, 2015
    Assignee: Huawei Device Co., Ltd.
    Inventors: Xiaozhi Fang, Guiying Xue, Lei Lin, Wenchun Jiang, Meiwen Yang, Keqiang Gao
  • Patent number: 9002010
    Abstract: Secure communication of information over a wireless link with apparatus including a blade management module and a plurality of blade servers, the blade servers connected for data communications with the blade management module through at least one wired link, the blade servers also connected for data communications with the blade management module through at least one wireless link, including sharing an encryption key between the blade management module and one or more of the blade servers only through the at least one wired link connecting the blade management module to the one or more blade servers; encrypting information by the blade management module with the encryption key; transmitting the encrypted information by the blade management module to the one or more blade servers through the at least one wireless link; and decrypting the encrypted information by the blade server with the encryption key.
    Type: Grant
    Filed: September 10, 2009
    Date of Patent: April 7, 2015
    Assignee: Lenovo Enterprise Solutions (Singapore) Pte. Ltd.
    Inventors: Keith M. Campbell, Rajiv N. Kantesaia, William G. Pagan, Marc V. Stracuzza, Michael N. Womack
  • Patent number: 9003180
    Abstract: Systems and methods for data encryption and decryption are provided. Packets of a streaming video from a video source are received. A first packet of the streaming video is encrypted with an encryption key and transmitted to a client device. The first packet is encrypted with a reference key and is designated as a reference packet. A number of packets of the encrypted media that follow the first packet are selected. For each of one or more selected packets, an XOR operation is performed on the respective selected packet with the reference packet. Result values of the XOR operation are rearranged by a shuffle key and divided into segments. Each of the segments is assigned to an even list or an odd list, which are combined to form a respective encrypted packet. The respective encrypted packet is designated as a non-reference packet and is transmitted to the client device.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: April 7, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Ghouse Mohiddin Dattapuram Shaik, Shiva Rama Krishna Nyshadham, Richa Mittal, Aravind Prathush Vadde
  • Patent number: 9003188
    Abstract: When a terminal device attempts to use special content, which has an attribute including information distinguishing it from regular content and is stored in the recording medium device, the recording medium device refers to revocation information indicating terminal devices restricted from using the special content. When the recording medium device determines, based on the terminal identifying information of the terminal device, that the terminal device is to be restricted from using the special content, the usage information output unit of the recording medium device does not transmit the information necessary for using the special content to the terminal device.
    Type: Grant
    Filed: August 29, 2012
    Date of Patent: April 7, 2015
    Assignee: Panasonic Corporation
    Inventors: Takahiro Yamaguchi, Yuichi Futa, Toshihisa Nakano
  • Patent number: 9003510
    Abstract: A computer or microchip including a network connection for connection to a public network of computers including the Internet, the network connection being located in a public unit; and an additional and separate network connection for connection to a separate, private network of computers, the additional network connection being located in a protected private unit. An inner hardware-based access barrier or firewall is located between and communicatively connects the protected private unit and the public unit; and the private and public units and the two separate network connections are separated by the inner barrier or firewall. The protected private unit includes at least a first microprocessor and a system BIOS located in flash memory. The public unit includes at least a second or many microprocessors separate from the inner barrier or firewall. The inner barrier or firewall comprises a bus with an on/off switch controlling communication input and output.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: April 7, 2015
    Inventor: Frampton E. Ellis
  • Patent number: 9003481
    Abstract: A computer-implemented method, network management system, and network clients are provided for out-of-band network security management. The network management system includes routers, firewalls, and out-of-band interfaces. The out-of-band interface of the network management system transmits access control lists to network clients connected to a trusted network. The trusted network connects the routers, firewalls, and network clients. The firewalls receive access control lists from the network management system to police communications that traverse the trusted network and an untrusted network. The routers receive access control lists from the network management system to police communications that traverse the router within the trusted network. The access control lists for the routers and firewalls are transmitted over a network interface to the trusted network and are transmitted separately from the access control lists for the network clients.
    Type: Grant
    Filed: July 8, 2013
    Date of Patent: April 7, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: David Wayne Haney, Usman Muhammad Naim, Andrew Lee Davey
  • Publication number: 20150095636
    Abstract: Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the managed security service provider. Responsive to the request, the SMS causes a tunnel to be established between a first virtual router (VR) and a second VR running on a first and second service processing switch, respectively, of the service provider which are coupled in communication via a public network and associated with the first location and the second location, respectively.
    Type: Application
    Filed: November 17, 2014
    Publication date: April 2, 2015
    Applicant: FORTINET, INC.
    Inventors: Chih-Tiang Sun, Kiho Yum, Abraham R. Matthews
  • Patent number: 8996857
    Abstract: A method and system for single sign-on to independently purveyed applications, using a highly secure single sign-on methodology that permits wide-area public access, such as through the Internet, to private-access applications with weaker sign-on credentials, without a need to upgrade the credential requirements for access to those applications.
    Type: Grant
    Filed: June 5, 2007
    Date of Patent: March 31, 2015
    Assignee: Thomson Financial LLC
    Inventors: Sujan Akella, Yevgeny Kolyakov, Vijay Nara, Michael Russin
  • Patent number: 8996860
    Abstract: Session-specific information stored in a cookie or other secure token can be selected and/or caused to vary over time, such that older copies become less useful over time. Such an approach reduces the ability of an entity that obtains a copy of the cookie to perform unauthorized tasks in a session. A cookie received with a request can contain a timestamp and an operation count for a session that may need to fall within an acceptable range of the current values in order for the request to be processed. A cookie returned with a response can be set to the correct value or incremented from the previous value based on various factors. The allowable bands can decrease with the age of the session, and various parameter values, such as a badness factor for a session, can be updated continually based on the events of the session.
    Type: Grant
    Filed: August 23, 2012
    Date of Patent: March 31, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Nicholas Alexander Allen, Cristian M. Ilac
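The timestamp-plus-operation-count cookie with age-dependent tolerance bands described above, as an added Python illustration (not the assignee's code). The cookie is an HMAC-signed JSON body; the server keeps the authoritative counter and a badness factor per session, and a replayed older copy is accepted only while its counter lag is inside the band for the session's current age. The band schedule, the timestamp limit, the secret and the scenario are assumptions made for the example.

```python
"""Session cookie with operation-count and timestamp bands (added illustration)."""
import base64
import hashlib
import hmac
import json

SECRET = b"server-side cookie MAC key (constructed)"
TAG_LEN = 32               # HMAC-SHA256 output appended to the body
MAX_COOKIE_AGE_S = 300     # assumed: a cookie minted longer ago than this is never accepted


def _sign(body):
    return hmac.new(SECRET, body, hashlib.sha256).digest()


def issue_cookie(sid, ops, now):
    body = json.dumps({"sid": sid, "ops": ops, "ts": now}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + _sign(body)).decode()


def allowed_lag(session_age_s):
    """How many operations behind the server a cookie may be; narrows as the session ages (assumed)."""
    if session_age_s < 60:
        return 5
    if session_age_s < 600:
        return 2
    return 0


def tamper(cookie, byte_index=5):
    """Flip one bit inside the signed body, as an attacker editing the cookie would."""
    raw = bytearray(base64.urlsafe_b64decode(cookie))
    raw[byte_index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


class SessionStore:
    def __init__(self):
        self.sessions = {}  # sid -> {"ops", "started", "badness"}

    def start(self, sid, now):
        self.sessions[sid] = {"ops": 0, "started": now, "badness": 0}
        return issue_cookie(sid, 0, now)

    def check(self, cookie, now):
        """Return (accepted, new_cookie_or_reason); advance the server counter on success."""
        try:
            raw = base64.urlsafe_b64decode(cookie)
        except ValueError:
            return False, "malformed cookie"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        if not hmac.compare_digest(tag, _sign(body)):
            return False, "bad signature"
        c = json.loads(body)
        s = self.sessions.get(c["sid"])
        if s is None:
            return False, "unknown session"
        lag = s["ops"] - c["ops"]
        if lag < 0:
            s["badness"] += 1
            return False, "counter ahead of server"
        if lag > allowed_lag(now - s["started"]):
            s["badness"] += 1
            return False, "stale cookie"
        if now - c["ts"] > MAX_COOKIE_AGE_S:
            s["badness"] += 1
            return False, "expired timestamp"
        s["ops"] += 1
        return True, issue_cookie(c["sid"], s["ops"], now)


def demo():
    """A thief copies the initial cookie; the user keeps working; the copy is replayed later."""
    store = SessionStore()
    t = 1_000
    cookie = store.start("s1", now=t)
    stolen = cookie
    for _ in range(6):                # six legitimate requests within the first half minute
        t += 5
        ok, cookie = store.check(cookie, now=t)
        assert ok
    accepted, reason = store.check(stolen, now=t + 1)
    return accepted, reason, store.sessions["s1"]["badness"]


if __name__ == "__main__":
    print(demo())
```

The band is a deliberate trade-off: a copy replayed after only one legitimate request is still inside the band and is accepted, which keeps retries and concurrent tabs working, while a copy replayed after the user has moved on is rejected and raises the session's badness factor.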
  • Patent number: 8997201
    Abstract: In one embodiment, a method includes initiating integrity monitoring at a network device, continuously monitoring the network device to detect changes at the network device over a period of time, and transmitting information collected during said integrity monitoring to a security device for use in determining if the network device is allowed access to a trusted network. An apparatus and logic are also disclosed.
    Type: Grant
    Filed: May 14, 2012
    Date of Patent: March 31, 2015
    Assignee: Cisco Technology, Inc.
    Inventor: Brian Wotring
  • Patent number: 8997238
    Abstract: A management device for managing states of components. The management device includes a reading unit to read management information from each of plural components; a determining unit to refer to license information associated with management information of each component stored in a license storage unit, and to determine, based on the referred license information, whether each component is usable or not; and an operation control unit to make a component determined to be usable operate but to inhibit an operation of a component determined to be unusable.
    Type: Grant
    Filed: July 14, 2010
    Date of Patent: March 31, 2015
    Assignee: Fujitsu Limited
    Inventor: Kenji Tagashira
  • Patent number: 8996858
    Abstract: Aspects of the present invention provide a mechanism to utilize IMS media security mechanisms in a CS network and, thereby, provide end-to-end media security in the case where the media traffic travels across both a CS network and a PS network.
    Type: Grant
    Filed: November 5, 2008
    Date of Patent: March 31, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Fredrik Lindholm, Rolf Blom
  • Patent number: 8997202
    Abstract: A system for securely transferring information from an industrial control system network, including, within the secure domain, one or more remote terminal units coupled by a first network, one or more client computers coupled by a second network, and a send server coupled to the first and second networks. The send server acts as a proxy for communications between the client computers and the remote terminals and transmits first information from such communications on an output. The send server also transmits a poll request to a remote terminal unit via the first network and transmits second information received in response to the poll on the output. The system also includes, outside the secure domain, a receive server having an input coupled to the output of the send server via a one-way data link. The receive server receives and stores the first and second information provided via the input.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: March 31, 2015
    Assignee: Owl Computing Technologies, Inc.
    Inventors: John Curry, Ronald Mraz
  • Publication number: 20150089212
    Abstract: Aspects of the present invention provide a mechanism to utilize IMS media security mechanisms in a CS network and, thereby, provide end-to-end media security in the case where the media traffic travels across both a CS network and a PS network.
    Type: Application
    Filed: December 2, 2014
    Publication date: March 26, 2015
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Fredrik LINDHOLM, Rolf Blom
  • Patent number: 8990553
    Abstract: A method and system for consistent format preserving encryption (C-FPE) are provided to protect data while the data is in a domain while allowing encrypted data to be treated inside the domain as if it were the unencrypted data. The method includes inserting a coupling into a data flow at a perimeter of the domain, and translating a data element from an unprotected data element to a protected data element using the coupling such that the data element is a protected data element within the domain.
    Type: Grant
    Filed: November 5, 2013
    Date of Patent: March 24, 2015
    Assignee: CA, Inc.
    Inventors: James Donald Reno, Robert Roy Allen
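The perimeter coupling and format-preserving translation described above, as an added Python illustration (not the assignee's C-FPE implementation). A keyed Feistel network maps a digit string to a same-length digit string, so code and databases inside the domain keep treating the field as a number, and the same key, tweak and plaintext always give the same ciphertext, which is what makes joins and lookups on the protected value work. The round function, round count, tweak, key and sample records are assumptions made for the example; this is not NIST FF1/FF3-1 and is for illustration only.

```python
"""Format-preserving encryption of a numeric field at a domain boundary (added illustration)."""
import hashlib
import hmac

RADIX = 10
ROUNDS = 10


def _round(key, tweak, i, other):
    """Keyed round function over the other half, bound to the tweak and the round index."""
    msg = tweak + bytes([i]) + other.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key, tweak, digits):
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a decimal string of at least two digits")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        if i % 2 == 0:   # even rounds modify the left half using the right half
            a = str((int(a) + _round(key, tweak, i, b)) % RADIX ** len(a)).zfill(len(a))
        else:            # odd rounds modify the right half using the left half
            b = str((int(b) + _round(key, tweak, i, a)) % RADIX ** len(b)).zfill(len(b))
    return a + b


def fpe_decrypt(key, tweak, digits):
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):   # undo the rounds in reverse order
        if i % 2 == 0:
            a = str((int(a) - _round(key, tweak, i, b)) % RADIX ** len(a)).zfill(len(a))
        else:
            b = str((int(b) - _round(key, tweak, i, a)) % RADIX ** len(b)).zfill(len(b))
    return a + b


class Coupling:
    """Perimeter coupling: protects or unprotects one field of each record crossing the boundary."""

    def __init__(self, key, field):
        self.key, self.field = key, field
        self.tweak = field.encode()   # bind ciphertexts to the column they live in

    def protect(self, record):
        return {**record, self.field: fpe_encrypt(self.key, self.tweak, record[self.field])}

    def unprotect(self, record):
        return {**record, self.field: fpe_decrypt(self.key, self.tweak, record[self.field])}


def demo():
    """Records entering the domain have the card field protected; leaving, it is restored."""
    coupling = Coupling(b"domain key (constructed)", "card")
    inbound = [{"id": 1, "card": "4111111111111111"},    # constructed test numbers
               {"id": 2, "card": "4111111111111111"},
               {"id": 3, "card": "5500000000000004"}]
    inside = [coupling.protect(r) for r in inbound]
    back = [coupling.unprotect(r) for r in inside]
    return inbound, inside, back


if __name__ == "__main__":
    for r in demo()[1]:
        print(r)
```

Consistency is also the scheme's main leak: equal plaintexts give equal ciphertexts, so frequency and equality of the protected values remain visible inside the domain. Binding the tweak to the column name keeps a ciphertext from being moved meaningfully between fields.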
  • Patent number: 8990908
    Abstract: A method, a computer readable medium and a system of multi-domain login and messaging are provided. The method for multi-domain login comprises inputting a local password by an agent, accessing a password vault with the local password, and retrieving at least one hidden password from the password vault, and logging the agent into at least one agent application using the at least one hidden password. The method for multi-domain messaging comprises retrieving information of an agent from a database, retrieving at least one skill group to which the agent belongs from the information, retrieving a message linked to the at least one skill group, and sending the message to the agent.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: March 24, 2015
    Assignee: West Corporation
    Inventors: Jeffrey William Cordell, Larry Trent Larson, Michael S. Fecci, Raymond Onslow Morris, Kevin Peter Pierson
  • Publication number: 20150082022
    Abstract: Devices and techniques for controlling disclosure of sensitive information are provided. A request for information may be received through a first communication channel. The request may be provided using an account of a user. First encrypted data, which includes the requested information and has been encrypted with a first asymmetric encryption key, may be decrypted. The decrypted information may be re-encrypted with a second asymmetric encryption key different from the first asymmetric encryption key to obtain second encrypted data comprising the information. The second encrypted data may be sent to the user through a second communication channel different from the first communication channel.
    Type: Application
    Filed: September 16, 2014
    Publication date: March 19, 2015
    Inventors: Slobodan Marinkovic, Goran Vuckovic, Amir Zolic, Maja Maljkovic
  • Patent number: 8977845
    Abstract: Improved access control techniques for use in a service-oriented computing environment are disclosed. For example, one method for authenticating a client in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. At least one service of the plurality of services is invoked. State information is associated with the at least one service invoked. The state information is used to authenticate a client with at least one service. Further, a method for access control in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. A rule specification language is provided. At least one rule is specified using the rule specification language. A verification is performed to determine whether or not the client satisfies the at least one rule. The client is granted access to a service when the client satisfies the at least one rule.
    Type: Grant
    Filed: April 12, 2007
    Date of Patent: March 10, 2015
    Assignee: International Business Machines Corporation
    Inventors: Arun Kwangil Iyengar, Thomas A. Mikalsen, Isabelle Marie Rouvellou, Mudhakar Srivalso, Jian Yin
  • Patent number: 8977843
    Abstract: A system and method for verifying and/or geolocating network nodes in attenuated environments for cyber and network security applications are disclosed. The system involves an origination network node, a destination network node, and at least one router network node. The origination network node is configured for transmitting a data packet to the destination network node through at least one router network node. The data packet contains a security signature portion, a routing data portion, and a payload data portion. The security signature portion comprises a listing of at least one network node that the data packet travelled through from the origination network node to the destination network node. In addition, the security signature portion comprises geolocation information, identifier information, and timing information for at least one network node in the listing.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: March 10, 2015
    Assignee: The Boeing Company
    Inventors: Gregory M. Gutt, Arun Ayyagari, David A. Whelan, David G. Lawrence
  • Patent number: 8978148
    Abstract: A communication apparatus may include a reception portion, a decision portion, and a transmission portion. The reception portion may receive a first data request transmitted through a first security level communication, and a second data request transmitted through a second security level communication, the second security level being more secure than the first security level. The decision portion may decide whether a specific data request is the first data request or the second data request. The transmission portion may transmit a specific data to an apparatus that is a transmission source of the specific data request if the specific data request is the second data request, and may transmit different data to the apparatus if the specific data request is the first data request. The different data contains display information for causing the apparatus to retransmit the specific data request through the second security level communication.
    Type: Grant
    Filed: March 1, 2012
    Date of Patent: March 10, 2015
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventors: Munehisa Matsuda, Yohei Maekawa, Takeshi Miyake, Yuki Yada
  • Patent number: 8977846
    Abstract: A method for the secure transfer of a digital file from a first computerized system to one second computerized system, the method comprising the following steps: writing the digital file on a first file-management module of a secure transfer device, transferring the digital file to an internal verification module of the secure transfer device, verifying one portion of the transferred digital file in the verification module, and transferring the partially verified digital file to a second file-management module of the secure transfer device according to the result of the verification, in order to allow the file to be read by the one second computerized system according to the result of the verification.
    Type: Grant
    Filed: October 7, 2011
    Date of Patent: March 10, 2015
    Assignee: Electricite de France
    Inventors: Arnaud Tarrago, Pascal Sitbon, Pierre Nguyen
  • Patent number: 8978102
    Abstract: Methods, devices, and systems are disclosed for simulating a large, realistic computer network. Virtual actors statistically emulate the behaviors of humans using networked devices or responses and automatic functions of networked equipment, and their stochastic actions are queued in buffer pools by a behavioral engine. An abstract machine engine creates the minimal interfaces needed for each actor, and the interfaces then communicate persistently over a network with each other and real and virtual network resources to form realistic network traffic. The network can respond to outside stimuli, such as a network mapping application, by responding with false views of the network in order to spoof hackers, and the actors can respond by altering a software defined network upon which they operate.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 10, 2015
    Assignee: Shadow Networks, Inc.
    Inventors: Chad O. Hughes, Steven M. Silva
  • Patent number: 8978138
    Abstract: The present invention provides a technique for validating TCP communication between a client requesting resources and a server providing requested resources to protect the specified server from a denial of service attack wherein a plurality of clients initiate communication with a server, but do not complete the communication for the purpose of denying service to the server from other legitimate clients. Through systematic transmission regulation of TCP packets, an intermediary apparatus or set of apparatuses can, to a high degree of certainty, validate client connections to protect the server from this saturated condition. The communication is then reproduced by the apparatus or apparatuses.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 10, 2015
    Inventor: Mehdi Mahvi
  • Publication number: 20150067322
    Abstract: The present disclosure is directed towards systems and methods for performing multi-level tagging of encrypted items for additional security and efficient encrypted item determination. A device intercepts a message from a server to a client, parses the message and identifies a cookie. The device processes and encrypts the cookie. The device adds a flag to the cookie indicating the device encrypted the cookie. The device re-inserts the modified cookie into the message and transmits the message. The device intercepts a message from a client and determines whether the cookie in the message was encrypted by the device. If the message was not encrypted by the device, the device transmits the message to its destination. If the message was encrypted by the device, the device removes the flag, decrypts the cookie, removes the tag from the cookie, re-inserts the cookie into the message and transmits the message to its final destination.
    Type: Application
    Filed: September 15, 2014
    Publication date: March 5, 2015
    Applicant: Citrix Systems
    Inventors: Anoop Reddy, Craig Anderson
  • Patent number: 8972718
    Abstract: A system and method for providing load balanced secure media content and data delivery (10) in a distributed computing environment is disclosed. Media content is segmented and encrypted into a set of individual encrypted segments on a centralized control center (15). Each individual encrypted segment has the same fixed size. The complete set of individual encrypted segments is staged to a plurality of intermediate control nodes (17, 19). Individual encrypted segments are mirrored from the staged complete set to a plurality of intermediate servers (21a-b, 23a-b). Requests are received from clients (11) for the media content at the centralized control center. Each individual encrypted segment in the set is received from one of an intermediate control node and an intermediate server optimally sited from the requesting client. The individual encrypted segments are reassembled into the media content for media playback.
    Type: Grant
    Filed: July 10, 2013
    Date of Patent: March 3, 2015
    Assignee: Tranz-Send Broadcasting Network, Inc.
    Inventor: Scott D. Redmond
  • Patent number: 8972716
    Abstract: A communication method for a host and a wireless Internet access module, and a data card, are provided so that the host implements wireless Internet access with the wireless Internet access module of a secure digital interface. The method includes simulating each port on a wireless Internet access processing function unit in a wireless Internet access module into a secure digital card partition and reporting the secure digital card partition to a host side; receiving downlink interaction information from the host side encapsulated in a secure digital card interface format, decapsulating the downlink interaction information, and delivering the decapsulated downlink interaction information to a corresponding port; and receiving uplink interaction information reported to the host side from each port, encapsulating the received uplink interaction information in the secure digital card interface format.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: March 3, 2015
    Assignee: Huawei Device Co., Ltd.
    Inventors: Xiaozhi Fang, Guiying Xue, Lei Lin, Wenchun Jiang, Meiwen Yang, Keqiang Gao
  • Patent number: 8972717
    Abstract: Computer program products and methods for the secure delivery of a message in a communication system. The method includes identifying a best method for delivery of a message including considering preferences of a sender and a recipient and sending the message from the sender to the recipient using the identified method.
    Type: Grant
    Filed: March 24, 2003
    Date of Patent: March 3, 2015
    Assignee: ZixCorp Systems, Inc.
    Inventors: David P. Cook, Gary G. Liu, John Kalan
  • Patent number: 8966244
    Abstract: A processing unit performs a predetermined process by a remote operation from a client device. A monitoring unit monitors a first port for an unencrypted communication with the processing unit and a second port for an encrypted communication with the processing unit, denies a connection request via the first port, and accepts a connection request via the second port. When a connection request encrypted with either one of the first port and the second port specified as a forwarding destination port is received, an encrypted communication unit decrypts the connection request and transfers the decrypted connection request to the monitoring unit via the forwarding destination port.
    Type: Grant
    Filed: July 1, 2009
    Date of Patent: February 24, 2015
    Assignee: Ricoh Company, Ltd.
    Inventors: Takehito Kuroko, Manabu Nakamura
  • Patent number: 8965962
    Abstract: Various exemplary embodiments relate to a method and related network node including one or more of the following: determining by the network device that an S9 session should be audited; determining that the S9 session is a suspect session; transmitting an S9 message to a partner device, wherein the S9 message includes an innocuous instruction; receiving, at the network device, a response message from the partner device; determining, based on the response message, whether the suspect session is orphaned; and if the suspect session is orphaned, removing an S9 session record associated with the suspect session.
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: February 24, 2015
    Assignee: Alcatel Lucent
    Inventors: Robert A. Mann, Lui Chu Yeung, Haiqing Ma
  • Patent number: 8966609
    Abstract: An authentication apparatus for detecting and preventing a source address spoofing packet, includes a packet reception unit configured to receive a packet from a previous node or a user host; a self-assurance type ID generation unit configured to generate a self-assurance type ID of a source node of the received packet; and a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed. Further, the authentication apparatus includes a white list storage unit configured to store a reliable source node; a black list storage unit configured to store an unreliable source node; and a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node.
    Type: Grant
    Filed: November 28, 2012
    Date of Patent: February 24, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Sang-Woo Lee, Dong IL Seo
  • Patent number: 8966580
    Abstract: A third party is configured to establish a virtual secure channel between a source SSD and a destination SSD via which the third party reads protected digital data from the source SSD and writes the protected digital data into the destination SSD after determining that each party satisfies eligibility prerequisites. An SSD is configured to operate as a source SSD, from which protected data can be copied to a destination SSD, and also as a destination SSD, to which protected data of a source SSD can be copied.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: February 24, 2015
    Assignee: SanDisk IL Ltd.
    Inventors: Rotem Sela, Aviad Zer
  • Patent number: 8966240
    Abstract: Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.
    Type: Grant
    Filed: October 5, 2011
    Date of Patent: February 24, 2015
    Assignee: Cisco Technology, Inc.
    Inventor: Rakesh Chopra
  • Patent number: 8964978
    Abstract: Provided are a method and apparatus for effectively fixing scrambled content. The method includes checking fixing information for a program map table (PMT) packet of packets constituting the content, the fixing information being used to fix a transformed part of the content; extracting location information of a next PMT packet containing fixing data for fixing the transformed part of the content from the fixing information of the PMT packet; and fixing the transformed part of the content by using the fixing data in the next PMT packet indicated by the extracted location information. Accordingly, it is possible to easily detect a location of the content, which stores the fixing information, thereby expediting fixing of the transformed content.
    Type: Grant
    Filed: March 25, 2013
    Date of Patent: February 24, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yong-kuk You, Hyun-kwon Chung, Jun-bum Shin, Yun-ho Choi, Su-hyun Nam
  • Publication number: 20150052349
    Abstract: An origin server selectively enables an intermediary (e.g., an edge server) to shunt into and out of an active TLS session that is on-going between a client and the origin server. The technique allows for selective pieces of a data stream to be delegated from an origin to the edge server for the transmission (by the edge server) of authentic cached content, but without the edge server having the ability to obtain control of the entire stream or to decrypt arbitrary data after that point. The technique enables an origin to authorize the edge server to inject cached data at certain points in a TLS session, as well as to mathematically and cryptographically revoke any further access to the stream until the origin deems appropriate.
    Type: Application
    Filed: May 2, 2014
    Publication date: February 19, 2015
    Applicant: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Michael R. Stone
  • Patent number: 8959610
    Abstract: A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns.
    Type: Grant
    Filed: December 26, 2012
    Date of Patent: February 17, 2015
    Assignee: Constellation Technologies LLC.
    Inventors: Hassler Hayes, Nannra Anoop, John Watkins
  • Patent number: 8959333
    Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.
    Type: Grant
    Filed: May 29, 2007
    Date of Patent: February 17, 2015
    Assignee: Nokia Siemens Networks GmbH & Co. KG
    Inventors: Rainer Falk, Florian Kohlmayer