Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
- Patent number: 8364950
  Abstract: An auditable cryptographic protected communication system for connecting an enterprise server to a plurality of industrial devices using messaging protocols for each industrial device enabling the industrial devices to receive commands and transmit status and measurement data using the individual device messaging protocols over a network.
  Type: Grant
  Filed: July 18, 2012
  Date of Patent: January 29, 2013
  Assignee: DJ Inventions, LLC
  Inventor: Douglas C. Osburn, III
- Patent number: 8363836
  Abstract: Techniques are described for the use of a cryptographic token to authorize a firewall to open a pinhole which permits certain network traffic to traverse firewalls. An initiating endpoint requests a token from a call controller, which authorizes a pinhole through the firewall. In response, the call controller may generate a cryptographic authorization token (CAT) sent towards the destination endpoint. The call controller may generate the token based on an authorization ID associated with the call controller, a shared secret known to both the call controller and the firewall, and data specific to the media flow for which authorization is requested.
  Type: Grant
  Filed: January 16, 2009
  Date of Patent: January 29, 2013
  Assignee: Cisco Technology, Inc.
  Inventors: Daniel G. Wing, David A. McGrew, Cullen F. Jennings, Eric G. Vyncke
- Patent number: 8365269
  Abstract: An embedded communication terminal equipped with an interface device which performs security tasks, driver tasks, power management tasks and handover tasks, and thus relieves the application processor of the embedded communication terminal.
  Type: Grant
  Filed: May 11, 2006
  Date of Patent: January 29, 2013
  Assignee: Intel Mobile Communications GmbH
  Inventors: Carsten Mielenz, Hans-Georg Gruber
- Publication number: 20130024685
  Abstract: A system and method are used to connect an installed device to a local premise network, such as a home network provided by a router in the home. A user may use a host device, such as a mobile telephone that is already connected to the home network, to provide the home network credentials to the installed device without having to enter the home network credentials manually into the installed device such as a thermostat.
  Type: Application
  Filed: July 19, 2011
  Publication date: January 24, 2013
  Applicant: Honeywell International Inc.
  Inventors: Soumitri N. Kolavennu, Datta Godbole, Wendy Foslien Graber
- Patent number: 8359474
  Abstract: A system and method configured to provide secure Personal Identification Number (PIN) based authentication is disclosed. A passcode or PIN associated with a customer value card can be securely authenticated by an issuer prior to authorizing payment. An Access Control Server (ACS) can receive the PIN or passcode from a customer via a secure connection over a public network. The ACS can generate an encrypted PIN and can communicate the encrypted PIN to a remote issuer for authentication. The ACS can use one or more hardware security modules to generate the encrypted PIN. The hardware security modules can be emulated in software or implemented in hardware. The system can be configured such that the PIN is not exposed in an unencrypted form in a communication link or in hardware other than the originating customer terminal.
  Type: Grant
  Filed: March 1, 2010
  Date of Patent: January 22, 2013
  Assignee: Visa U.S.A. Inc.
  Inventors: Robert W. Seaton, Jr., Terence Spielman, Penny Cornwell, Neal Blackwood, Michael T. Clay
- Patent number: 8359464
  Abstract: A quarantine method and system for allowing a client terminal to connect to a user network. An authentication apparatus recognizes that a communication means of the client terminal has been activated. The authentication apparatus is connected to a quarantine network, to the user network, and to the client terminal. The client terminal is permitted to connect to the quarantine network by confirming a common certificate for the client terminal followed by storing the common certificate in the client terminal. The client terminal is security checked to determine whether each check item of a plurality of check items has a violation. For each check item having a violation, a security measure is performed to improve the check item with respect to the violation. The client terminal is allowed to connect to the user network by confirming a user certificate for the client terminal followed by storing the user certificate in the client terminal.
  Type: Grant
  Filed: June 29, 2005
  Date of Patent: January 22, 2013
  Assignee: International Business Machines Corporation
  Inventor: Katsuhiko Shimada
- Patent number: 8359357
  Abstract: According to one embodiment, a secure e-mail messaging system includes an e-mail relay server coupled to a secure client configured on a secure domain and an external client configured on an external domain. The e-mail relay server has a memory for storage of an actual address of the secure client, a first certificate associated with the actual address, an alias address associated with the actual address, and a second certificate associated with the alias address. The e-mail relay server receives an e-mail message that includes the alias address from the external client and decrypts the e-mail message according to the second certificate. The e-mail messaging server then replaces the alias address with the actual address to form a modified e-mail message, encrypts the modified e-mail message according to the first certificate, and transmits the modified e-mail message to the secure client.
  Type: Grant
  Filed: July 21, 2008
  Date of Patent: January 22, 2013
  Assignee: Raytheon Company
  Inventors: Ricardo J. Rodriguez, Jay J. Visaria, Jerry L. Pippins, Jr., Tina A. Oberai, Thomas D. Farley, Noah Z. Stahl
- Patent number: 8356332
  Abstract: A method comprises operations for receiving a binary data structure including a portion representing a protocol validation specification expressed in a respective protocol validation specification language and for receiving a security policy rule having an action part specifying that the binary data structure is to be used for verifying that application protocol payload of network packets complies with the protocol validation specification. After receiving the binary data structure and the security policy rule, an operation is performed for verifying that application protocol payload of received network packets complies with the protocol validation specification. Such verifying is initiated in response to determining that the security policy rule applies to the received network packets and such verifying includes validating the application protocol payload of the received network packets against the binary data structure.
  Type: Grant
  Filed: July 30, 2009
  Date of Patent: January 15, 2013
  Assignee: Alcatel Lucent
  Inventors: Lawrence E. Menten, Alan S. Jeffrey, Thomas B. Reddington
- Patent number: 8356343
  Abstract: A method, system, and computer-readable medium are provided for maintaining a network session between a network element and a network despite the need to reauthenticate the network element. A computer-implemented method is provided for authenticating a network element to a network. According to this method, an authentication request is transmitted to the network element. In response, the network element provides identifying information for a home agent that previously routed messages to the network element. The identifying information is then used to generate a mobility key. Later, when a network registration request message is received on behalf of the network element, the generated key is used to validate the request.
  Type: Grant
  Filed: February 1, 2008
  Date of Patent: January 15, 2013
  Assignee: Sprint Communications Company L.P.
  Inventors: Jeremy R. Breau, John E. Belser, Arun Santharam, Brent Hirschman
- Patent number: 8356169
  Abstract: If the communication partner of a client node (A1a) is an encryption communication target node (C1), a DNS Proxy unit (A12a) in the client node rewrites a response to a name resolution request for the communication partner node of an application from the actual IP address of the communication partner node to a loopback address that changes depending on the communication partner. On the basis of the destination loopback address of a data packet transmitted from the application, a communication encryption module (A13a) in the client node identifies the communication partner and the encryption communication path to be used for communication with the communication partner. Hence, encryption communication can simultaneously be executed directly with a plurality of communication partner nodes by using the communication encryption module that operates as an independent process.
  Type: Grant
  Filed: January 12, 2005
  Date of Patent: January 15, 2013
  Assignee: NEC Corporation
  Inventors: Yuichi Ishikawa, Norihito Fujita, Akio Iijima, Atsushi Iwata
- Publication number: 20130013914
  Abstract: A system and method for monitoring secure digital data on a network are provided. An exemplary network monitoring system may include a network device in communication with a user and a network. Further, a server may be in communication with the network. A browser and monitoring program may be stored on the network device, and the network device may receive secure digital data from the network. The browser may convert the secure digital data or a portion thereof into source data, and the monitoring program may transfer the source data or a portion thereof to the server. In an exemplary embodiment, the monitoring program may include a service component and an interface program.
  Type: Application
  Filed: September 14, 2012
  Publication date: January 10, 2013
  Inventors: Todd Tao Zhou, Ricardo Batista
- Publication number: 20130013913
  Abstract: An electronic device with a message encryption function includes a configure interface module for setting an encryption code, a storage module, an encryption module, and a message processing module. The message processing module is electrically connected to the configure interface module, the storage module and the encryption module for receiving or sending a message, accessing the encryption code from the configure interface module, and transmitting the message and the encryption code to the encryption module. The encryption module encrypts the message with the encryption code so as to generate an encrypted message and then transmits the encrypted message to the message processing module. The message processing module stores the encrypted message in the storage module.
  Type: Application
  Filed: September 28, 2011
  Publication date: January 10, 2013
  Inventor: Ping Ge
- Patent number: 8353041
  Abstract: A server includes a scanning module for determining whether an application is free of malware, a module for packaging the application into blocks for delivery via application streaming, a module for providing the blocks to a client on request, and a module for adding to each block an indication of whether the associated application has already been determined to be free of malware. A client includes a module for requesting blocks of a streamed application from the server. When the client receives a block, it employs a module for verifying that the associated applications have been determined to be free of malware by examining the indication provided by the server. If verification is successful, then the block's code is executed without first receiving and scanning any additional blocks from the server.
  Type: Grant
  Filed: May 16, 2008
  Date of Patent: January 8, 2013
  Assignee: Symantec Corporation
  Inventors: Timothy Brown, Robert Clyde
- Patent number: 8352584
  Abstract: A computer system for hosting computing clusters for clients. The system includes clusters each including a set of computing resources and each implemented in custom or differing configurations. Each of the configurations provides a customized computing environment for performing particular client tasks. The configurations may differ due to configuration of the processing nodes, the data storage, or the private cluster network or its connections. The system includes a monitoring system that monitors the clusters for operational problems on a cluster level and also on a per-node basis such as with monitors provided for each node. The system controls client access to the clusters via a public communications network by only allowing clients to access their assigned cluster or the cluster configured per their specifications and performing their computing task. Gateway mechanisms isolate each cluster such that communications within a cluster or on a private cluster communications network are maintained separate.
  Type: Grant
  Filed: September 30, 2010
  Date of Patent: January 8, 2013
  Assignee: Light Refracture Ltd., LLC
  Inventor: Jeffrey B. Franklin
- Patent number: 8352729
  Abstract: Disclosed is a computer implemented method and apparatus to secure a routing path. A local node receives a request for secure route identification from an upstream node. Responsive to receiving a request for secure route identification, the local node transmits a local node security level and an authentication key to the upstream node. The local node determines whether at least one downstream node is authentic and has sufficient security level from a second-level downstream node. The local node may then establish a socket to the upstream node.
  Type: Grant
  Filed: July 29, 2008
  Date of Patent: January 8, 2013
  Assignee: International Business Machines Corporation
  Inventors: Robert S. Manning, Linda A. Zimmer, Jos M. Accapadi
- Patent number: 8353024
  Abstract: A method for transmitting information effectively in a server/client network system is provided, the network system including a client placed behind a firewall and a server that provides the client with a predetermined service. The method includes the client generating a hole packet which is for making a hole in the firewall to allow a packet to pass through the firewall from the server, the hole being maintained for a certain period of time, and transmitting the hole packet to the firewall; and transmitting a packet from the server to the client through the hole made by the hole packet.
  Type: Grant
  Filed: October 26, 2007
  Date of Patent: January 8, 2013
  Assignee: Samsung Electronics Co., Ltd.
  Inventor: Hyok-sung Choi
- Patent number: 8352726
  Abstract: A system and method comprises receiving a write request from a client to store data at first and second non-sequential locations of a storage medium. The data of the write request is recognized as not being a predefined data pattern, and a first encryption method is applied to the data of the write request before it is stored at the first and second non-sequential locations of the storage medium. Further, a second different encryption method is applied to content of an area between the first and second non-sequential locations, where the content of the area is recognized as being the predefined pattern.
  Type: Grant
  Filed: November 7, 2003
  Date of Patent: January 8, 2013
  Assignee: NetApp, Inc.
  Inventors: Hristo Bojinov, Serge Plotkin, Robert Wood
- Patent number: 8352728
  Abstract: A method for using a network appliance to efficiently buffer and encrypt data for transmission includes: receiving, by an appliance via a connection, two or more SSL records comprising encrypted messages; decrypting the two or more messages; buffering, by the appliance, the two or more decrypted messages; determining, by the appliance, that a transmittal condition has been satisfied; encrypting, by the appliance in response to the determination, the first decrypted message and a portion of the second decrypted message to produce a third SSL record; and transmitting, by the appliance via a second connection, the third record. Corresponding systems are also described.
  Type: Grant
  Filed: August 21, 2006
  Date of Patent: January 8, 2013
  Assignee: Citrix Systems, Inc.
  Inventors: Josephine Suganthi, Tushar Kanekar, Sivaprasad Udupa
- Patent number: 8344885
  Abstract: An apparatus is disclosed including one or more security structures. The one or more security structures includes: a weldable frame; a plurality of composite panels, each panel securable to the weldable frame, each composite panel configured to form at least one joint with at least one adjoining composite panel; and a respective security element embedded within each of the composite panels. The security element is configured to detect a breach in the composite panel.
  Type: Grant
  Filed: January 22, 2009
  Date of Patent: January 1, 2013
  Assignee: Angel Secure Networks Inc.
  Inventor: Fred Hewitt Smith
- Patent number: 8347375
  Abstract: The intrusion detection function monitors for and reports detected intrusion signatures. The dynamic intrusion signatures function determines whether reported intrusion signatures exist in a library of signatures associated with a particular intrusion detection function. If the reported signature does not exist in the library, the library is updated. Detected intrusion signatures are reported to similarly enabled devices for library analysis and updating, if necessary. The related method includes the steps of monitoring for intrusion signatures or other triggering events, analyzing the events and updating IDS signature libraries as necessary.
  Type: Grant
  Filed: October 1, 2004
  Date of Patent: January 1, 2013
  Assignee: Enterasys Networks, Inc.
  Inventors: Richard W. Graham, John J. Roese
- Patent number: 8347074
  Abstract: A method for translating network data transmissions begins with a data transmission received at a router. An interface identifier is prepended before a first field of the data transmission, forming a prepended field. The data transmission is transmitted to a translation device. The data transmission is translated without altering the prepended field. The translated data transmission is transferred back to the router. The interface identifier is removed. The translated data is transmitted while maintaining adjacency with an adjacent peer using the interface identifier.
  Type: Grant
  Filed: February 4, 2009
  Date of Patent: January 1, 2013
  Assignee: The Boeing Company
  Inventor: James Patrick Scott
- Patent number: 8347073
  Abstract: Systems, methods, and other embodiments associated with processing secure network traffic are described. One example method includes determining whether a device is a preconfigured member of a group key system. If the device is not a preconfigured member then the method selectively establishes membership in the group key system by requesting membership from a group controller. The example method may also include receiving a set of keys from the group controller and being assigned a role by the group controller. The method may further include processing secure network traffic as an inspection point, a rewriting point, and/or a validation point based on the received set of keys and the assigned role(s).
  Type: Grant
  Filed: September 5, 2008
  Date of Patent: January 1, 2013
  Assignee: Cisco Technology, Inc.
  Inventors: David A. McGrew, Mark Baugher, Saul Adler, William C. Melohn
- Patent number: 8346960
  Abstract: Certain exemplary embodiments comprise a method comprising: within a backbone network: for backbone network traffic addressed to a particular target and comprising attack traffic and non-attack traffic, the attack traffic simultaneously carried by the backbone network with the non-attack traffic: redirecting at least a portion of the attack traffic to a scrubbing complex; and allowing at least a portion of the non-attack traffic to continue to the particular target without redirection to the scrubbing complex.
  Type: Grant
  Filed: September 23, 2005
  Date of Patent: January 1, 2013
  Assignee: AT&T Intellectual Property II, L.P.
  Inventors: Oliver Spatscheck, Jacobus E. Van der Merwe
- Publication number: 20120331284
  Abstract: A data protector is described. In an implementation, the data protector promotes and enforces a data retention policy of a data consumer. In an implementation, the data protector limits access to sensitive data to the data consumers. A key manager provides a time-limited encryption key to the data protector. Responsive to collection of the time-limited encryption key from the key manager and sensitive data from a data provider, the data protector encrypts the sensitive data with the time-limited encryption key effective to produce encrypted sensitive data. In some embodiments, the data protector provides a data consumer with access to the encrypted sensitive data and the key manager provides the data consumer with access to the time-limited encryption key to decrypt the encrypted sensitive data. The key manager deletes the time-limited encryption key in compliance with the data retention policy of the data consumer.
  Type: Application
  Filed: June 23, 2011
  Publication date: December 27, 2012
  Applicant: Microsoft Corporation
  Inventors: Kambiz Kouladjie, Robert Blanch, Robert Devine
- Patent number: 8341720
  Abstract: Methods, systems, and computer-readable media are disclosed for applying information protection. A particular method includes receiving a data file at a gateway coupled to a network. The data file is to be sent to a destination device that is external to the network. The method also includes selectively applying information protection to the data file at the gateway prior to sending the data file to the destination device. The information protection is selectively applied based on information associated with the destination device, information associated with the data file, and information associated with a user of the destination device.
  Type: Grant
  Filed: January 9, 2009
  Date of Patent: December 25, 2012
  Assignee: Microsoft Corporation
  Inventors: Noam Ben-Yochanan, John Neystadt, Nir Nice, Max Uritsky, Rushmi Malaviarachchi
- Patent number: 8340298
  Abstract: Key management and user authentication systems and methods for quantum cryptography networks that allow users to securely communicate over a traditional communication link (TC-link). The method includes securely linking a centralized quantum key certificate authority (QKCA) to each network user via respective secure quantum links or "Q-links" that encrypt and decrypt data based on quantum keys ("Q-keys"). When two users (Alice and Bob) wish to communicate, the QKCA sends a set of true random bits (R) to each user over the respective Q-links. They then use R as a key to encode and decode data they send to each other over the TC-link.
  Type: Grant
  Filed: April 16, 2007
  Date of Patent: December 25, 2012
  Assignee: MagiQ Technologies, Inc.
  Inventors: Robert Gelfond, Audrius Berzanskis
- Patent number: 8341739
  Abstract: Technology for network security is disclosed. In one embodiment, a method of managing network security includes receiving sampled packets. The sampled packets represent packets being sampled from network packet traffic in at least one location in a network. The sampled packets are converted into an appropriate format for analysis to form converted packets. Moreover, the converted packets are sent to a first group including at least one security device for analysis. If an event message is generated by the at least one security device as a result of analysis of the converted packets, the event message is received from the at least one security device. Network security is evaluated based on the event message and security policies and is adjusted based on that evaluation. The method may be implemented with a network manager.
  Type: Grant
  Filed: November 20, 2007
  Date of Patent: December 25, 2012
  Assignee: Foundry Networks, LLC
  Inventors: Animesh Chaturvedi, Marc Lavine, Manan Shah, Ron Lau
- Patent number: 8341396
  Abstract: A method is provided for inserting signature blocks into a message being transmitted along a communication path between a first client station and a second client station. The method includes a step of receiving, at an intermediate node in the communication path, a message transmitted from the first client station destined for delivery to the second client station. The message bears a sender-identifier (e.g., email address) and a recipient-identifier (e.g., email address). The method further includes a step of selecting, based at least in part on the sender-identifier, a predefined signature block for the message. The method further includes a step of inserting the selected signature block into the message. The signature block to be inserted may be based on both the sender identifier and the recipient identifier.
  Type: Grant
  Filed: June 10, 2005
  Date of Patent: December 25, 2012
  Assignee: Sprint Spectrum L.P.
  Inventors: Mary Nick-Baustert, Pierre Barbeau, Kevin Hunter
- Patent number: 8340809
  Abstract: An intelligent shelving system and associated dividing element. One or more dividing elements are arranged to communicate with a controller, each of the one or more dividing elements including an antenna having a detection plane and a base for placement on a shelf. The detection plane of the antenna is configured so as to be substantially parallel to the base. Each of the one or more dividing elements is arranged to identify electronically tagged items falling within the detection plane of its respective antenna and communicate data on said identified items to the controller.
  Type: Grant
  Filed: July 31, 2008
  Date of Patent: December 25, 2012
  Assignee: Intellident Limited
  Inventor: Andrew Chadbourne
- Publication number: 20120324217
  Abstract: A system and methods for facilitating secure communications on a website are presented. The system comprising a security server configured to receive a secure message from a creator device is disclosed. The security server encodes the received message and sends the encoded message or a representation of the encoded message for posting on the website so that one or more users of the website have the ability to request that the security server make the message available after the encoded message has been decoded.
  Type: Application
  Filed: August 21, 2012
  Publication date: December 20, 2012
  Inventors: Gang (*Tiger*) Lan, Michael Fertik, Saad Mir, Abbey Sparrow, Jeffrey A. Harnois, II
- Publication number: 20120324216
  Abstract: Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a request to establish an IP connection between two locations of a subscriber is received at a service management system (SMS) of the service provider. A tunnel is established between service processing switches coupled in communication through a public network. First and second packet routing nodes within the service processing switches are associated with the first and second locations, respectively. An encryption configuration decision is bound with a routing configuration of the packet routing nodes by, when the request is to establish a secure IP connection, configuring the packet routing nodes to cause all packets transmitted to the other location to be encrypted and to cause all packets received from the other location to be decrypted.
  Type: Application
  Filed: August 14, 2012
  Publication date: December 20, 2012
  Applicant: FORTINET, INC.
  Inventors: Chih-Tang Sun, Kiho Yum, Abraham R. Matthews
- Patent number: 8336087
  Abstract: The present invention relates to a method of authenticating a user in a communication system comprising a user terminal and an authentication server which is capable of storing two types of nonce values, namely dedicated nonce values unique in the system and common nonce values shared between users in the system. In the method the authentication server receives (401) from the user terminal an access request. Then the authentication server uses a predefined criterion for determining the type of a first nonce value to be sent to the user terminal as a response to the access request. In case the predefined criterion is fulfilled, then a dedicated nonce value is sent, otherwise a common nonce value is sent (402). Then the authentication server receives (403) from the user terminal a response comprising a second nonce value and a response code to the first nonce value.
  Type: Grant
  Filed: February 29, 2008
  Date of Patent: December 18, 2012
  Assignee: Mitsubishi Electric Corporation
  Inventor: Romain Rollet
- Patent number: 8336100
  Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).
  Type: Grant
  Filed: August 21, 2009
  Date of Patent: December 18, 2012
  Assignee: Symantec Corporation
  Inventors: Adam Glick, Nicholas Graf, Spencer Smith
- Patent number: 8335314
  Abstract: A method and system to increase the security of messages transmitted over an otherwise unsecured network. A secure channel is established in a normal manner over the network. A demodularization module on the sender sends a demodularization method to the intended receiver over the secure channel. The sender encodes a message definition and message data separately consistent with the demodularization method. The message definition and message key is sent over the secure channel as one transmission and the message data with the message key is sent as separate transmissions over the secure channel. Other embodiments are also described and claimed.
  Type: Grant
  Filed: July 27, 2010
  Date of Patent: December 18, 2012
  Assignee: SAP Aktiengesellschaft
  Inventor: Robert Heidasch
- Patent number: 8335917
  Abstract: In one example, a Cable Modem Termination System (CMTS) combines a value identifying itself with a cable modem Media Access Control (MAC) address stored in a provisioning request. The CMTS then relays the modified provisioning request to a provisioning server, which analyzes the value to identify a CMTS associated with the cable modem MAC address. Then, to regulate cable modem cloning or for other reasons, the provisioning server selects provisioning information for the cable modem according to the identified CMTS-MAC address association.
  Type: Grant
  Filed: August 12, 2008
  Date of Patent: December 18, 2012
  Assignee: Cisco Technology, Inc.
  Inventors: Alan Ford, Steve Lee, Jamie Zabala
- Publication number: 20120317411
  Abstract: A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network.
  Type: Application
  Filed: August 21, 2012
  Publication date: December 13, 2012
  Inventors: PRABAKAR SUNDARRAJAN, Junxiao HE, Ajay SONI, Shashidhara NANJUNDASWARMY, Arkesh KUMAR
- Publication number: 20120317410
  Abstract: A system and method for two devices that communicate via a network, wherein at least one of the devices is a touch sensitive device, the two devices storing a common cryptographic key that enables all communications via the network to be encrypted.
  Type: Application
  Filed: June 8, 2012
  Publication date: December 13, 2012
  Applicant: CIRQUE CORPORATION
  Inventor: Keith L. Paulsen
-
Patent number: 8332639
Abstract: A network device negotiates an encryption protocol with another network device, receives data from a trusted client device, encrypts the received data with the negotiated encryption protocol, and applies a label switched path (LSP) label to the encrypted data for transmission to the network device through an untrusted Multiprotocol Label Switching (MPLS) network.
Type: Grant | Filed: December 11, 2006 | Date of Patent: December 11, 2012 | Assignee: Verizon Patent and Licensing Inc. | Inventor: Daniel M. Wood
-
Patent number: 8332924
Abstract: A microchip comprising a first internal hardware-based firewall configured to deny access to a first portion of the microchip from a network; a general purpose microprocessor including two general purpose cores or general purpose processing units; at least two dies having been made by separate fabrication processes and assembled into a package with separate die sections connected directly; and a memory component located inside of a second internal hardware-based firewall that is located between the memory component and one of the cores or processing units with which the memory component is associated. A first core is located within the first microchip portion protected by the first firewall; a second core is located within a second microchip portion not protected by the first firewall; and the second core is separated from the first core by the first firewall and is located between the first firewall and the network.
Type: Grant | Filed: June 30, 2008 | Date of Patent: December 11, 2012 | Inventor: Frampton E. Ellis
-
Patent number: 8332925
Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server based on network information, and uses the proxy network address to establish a server side session. The proxy network address is selected such that the same processing element is assigned to process data packets from the server side session and the host side session. The network information includes a security gateway network address and a host network address. By assigning processing elements in this manner, more capable security gateways are provided.
Type: Grant | Filed: August 8, 2006 | Date of Patent: December 11, 2012 | Assignee: A10 Networks, Inc. | Inventors: Lee Chen, Ronald Wai Lun Szeto
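One way the selection step can work, as an added example that is not A10's code: the gateway dispatches packets to processing elements by hashing the flow endpoints, so when it opens the server-side connection it searches its proxy address/port pool for a source endpoint whose flow hash lands on the same element that already owns the host-side session. The order-independent hash, the SHA-256 flow digest, the pool layout and the `n_pe` element count are assumptions for the example; a hardware gateway would use its own dispatch hash.

```python
import hashlib


def pe_for_flow(a_ip, a_port, b_ip, b_port, n_pe):
    """Processing element that owns a flow. Endpoints are sorted so both directions of a
    flow hash to the same element (assumed dispatch hash, not the patent's)."""
    ends = sorted([(a_ip, a_port), (b_ip, b_port)])
    key = f"{ends[0][0]}:{ends[0][1]}|{ends[1][0]}:{ends[1][1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_pe


def select_proxy_endpoint(host_ip, host_port, gw_ip, gw_port,
                          server_ip, server_port, proxy_ips, port_range, used, n_pe):
    """Pick a (proxy_ip, proxy_port) for the server-side session so that the server-side
    flow is dispatched to the same element as the host-side flow. `used` tracks endpoints
    already consumed by other sessions toward the same server."""
    target = pe_for_flow(host_ip, host_port, gw_ip, gw_port, n_pe)
    for proxy_ip in proxy_ips:
        for proxy_port in port_range:
            if (proxy_ip, proxy_port) in used:
                continue
            if pe_for_flow(proxy_ip, proxy_port, server_ip, server_port, n_pe) == target:
                used.add((proxy_ip, proxy_port))
                return proxy_ip, proxy_port, target
    raise RuntimeError(f"proxy pool exhausted for processing element {target}")


def run_demo():
    # Constructed sample: one host session to the gateway VIP, two proxy addresses, 8 elements.
    proxy_ips = ["198.51.100.10", "198.51.100.11"]
    used = set()
    return select_proxy_endpoint("10.0.0.5", 51234, "203.0.113.1", 443,
                                 "192.0.2.20", 443, proxy_ips, range(20000, 20100), used, 8)


if __name__ == "__main__":
    print(run_demo())
```

With an evenly distributed hash, roughly one candidate in `n_pe` satisfies the constraint, so a pool of a few hundred ports per proxy address is ample; the `used` set matters because two host sessions to the same server must not be given the same proxy source endpoint.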
-
Patent number: 8332626
Abstract: A method, apparatus, and computer readable medium are provided. According to an embodiment, a method includes receiving a message from a client. The method further includes forwarding the message to a first service when the message includes an authentication token, where the authentication token indicates that the client can access the first service. The method further includes forwarding the message to a second service when the message excludes the authentication token. Receiving the message from the client and forwarding the message to the first service occur over a confidential channel.
Type: Grant | Filed: April 15, 2010 | Date of Patent: December 11, 2012 | Assignee: Ntrepid Corporation | Inventor: Jason Michael Mansfield
-
Patent number: 8327434
Abstract: Networked resources that are not located behind a proxy authentication server may be enabled to use the proxy authentication server for authentication. This may provide one or more of the features associated with a proxy authentication server (e.g., centralized administration of authentication and/or access information, enhancing software security, centralized administration of permission information, and/or other features) for the resources not located behind the proxy authentication server. These features may be provided without requiring substantial modification of the proxy authentication server.
Type: Grant | Filed: August 14, 2009 | Date of Patent: December 4, 2012 | Assignee: Novell, Inc. | Inventor: Peter Bowen
-
Patent number: 8327432
Abstract: An example embodiment of the present invention provides processes relating to self-initiated end-to-end monitoring for an authentication gateway. In one particular implementation, the authentication gateway periodically creates and stores a temporary logon for access to a network and then sends a message including the temporary logon over a secure connection to a client. When the client receives the temporary logon, the client responds to the message by attempting to access a configurable network site. The authentication gateway redirects the client to a captive portal which prompts the client for a logon and the client enters the temporary logon at the captive portal. Then upon validating the temporary logon against the stored temporary logon, the authentication gateway authorizes access to the network. If the client successfully accesses the site, the client sends a verification report to the authentication gateway indicating successful access. Otherwise, the client reports on the failed access.
Type: Grant | Filed: February 28, 2007 | Date of Patent: December 4, 2012 | Assignee: Cisco Technology, Inc. | Inventors: Pok Wong, Sunil Bhupatrai Mehta
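The exchange described above, written out with both sides as an added example (not Cisco's code): the gateway mints a short-lived, single-use temporary logon and hands it to a monitoring client; the client's first request is redirected to the captive portal, it logs in with the temporary credentials, retries the site and reports the outcome back. The portal URL, the probe site, the one-minute lifetime, the one-time-use rule and the injectable clock are assumptions added so that the expiry path can be exercised offline.

```python
import secrets
import time


class AuthGateway:
    PORTAL = "https://portal.example/login"   # assumed captive-portal address

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.temp_logons = {}   # username -> (password, expiry time)
        self.authorized = set() # client ids currently allowed onto the network
        self.reports = []       # (client id, success, detail) verification reports

    def issue_temp_logon(self, ttl=60):
        """Create and store a temporary logon; the gateway sends it to the client over a
        secure connection (the transport itself is outside this example)."""
        user = "probe-" + secrets.token_hex(4)
        password = secrets.token_urlsafe(16)
        self.temp_logons[user] = (password, self.clock() + ttl)
        return user, password

    def handle_http(self, client_id, url):
        """Unauthenticated clients are redirected to the captive portal."""
        if client_id in self.authorized:
            return "200", url
        return "302", f"{self.PORTAL}?next={url}"

    def portal_login(self, client_id, user, password):
        record = self.temp_logons.get(user)
        if record is None:
            return False
        stored_password, expiry = record
        if self.clock() > expiry or not secrets.compare_digest(stored_password, password):
            return False
        del self.temp_logons[user]      # assumed: temporary logons are single use
        self.authorized.add(client_id)
        return True

    def receive_report(self, client_id, ok, detail):
        self.reports.append((client_id, ok, detail))


def monitoring_client(gw, client_id, user, password, site="http://status.example/health"):
    """Client side: try the configured site, satisfy the portal if redirected, retry, report."""
    status, target = gw.handle_http(client_id, site)
    if status == "302":
        if not gw.portal_login(client_id, user, password):
            gw.receive_report(client_id, False, "captive portal rejected temporary logon")
            return False
        status, target = gw.handle_http(client_id, site)
    ok = status == "200" and target == site
    gw.receive_report(client_id, ok, "site reachable" if ok else f"unexpected status {status}")
    return ok


def run_probe(gw, client_id="probe-client"):
    user, password = gw.issue_temp_logon()
    return monitoring_client(gw, client_id, user, password)


if __name__ == "__main__":
    gateway = AuthGateway()
    print(run_probe(gateway), gateway.reports)
```

The point of the short lifetime and single use is that the temporary logon travelling to the client is itself a credential for the network; if it leaked, an attacker would have at most one short window to use it, and the gateway's report log would show the probe failing when they did.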
-
Patent number: 8327431
Abstract: A method for processing packets in a computer undergoing transitioning from a first configuration of a firewall to a second configuration of the firewall is disclosed. Packets arriving in the computer are associated with the first configuration of the firewall existing in the computer, and after a second configuration of the firewall becomes available, the computer starts associating packets arriving in the computer with the second configuration of the firewall, and processing packets associated with the second configuration according to the second configuration of the firewall, while continuing processing the packets associated with the first configuration according to the first configuration of the firewall until all packets associated with the first configuration are processed. Packets are processed by a plurality of firewall processing modules asynchronously. First and second reference counts, counting numbers of packets processed according to respective firewall configuration are conveniently introduced.
Type: Grant | Filed: October 28, 2011 | Date of Patent: December 4, 2012 | Assignee: Trend Micro Incorporated | Inventor: Bart Trojanowski
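The transition scheme this abstract describes, as an added simulation that is not Trend Micro's code: each packet is pinned to whichever configuration is current when it arrives and bumps that configuration's reference count; a swap only changes what new arrivals are pinned to, and a superseded configuration is retired the moment its count returns to zero, so in-flight packets are always judged by the rules under which they were accepted. The rule table shape (destination port to verdict), the FIFO queue standing in for the asynchronous processing modules and the single lock are assumptions for the example.

```python
import threading
from collections import deque


class FirewallConfig:
    def __init__(self, generation, rules):
        self.generation = generation
        self.rules = rules          # assumed rule shape: list of (dst_port, verdict)
        self.refcount = 0           # packets pinned to this configuration and not yet processed

    def decide(self, dst_port):
        for port, verdict in self.rules:
            if port == dst_port:
                return verdict
        return "drop"               # default deny


class Firewall:
    def __init__(self, config):
        self.lock = threading.Lock()
        self.current = config
        self.pending = deque()      # (packet, pinned config); stands in for the async modules
        self.retired = []           # generations whose last pinned packet has been processed

    def ingress(self, packet):
        # Pin the packet to the configuration that is current at arrival time.
        with self.lock:
            config = self.current
            config.refcount += 1
        self.pending.append((packet, config))

    def swap_config(self, new_config):
        # New arrivals go to the new configuration; the old one drains by itself.
        with self.lock:
            old = self.current
            self.current = new_config
            if old.refcount == 0:
                self.retired.append(old.generation)

    def process_one(self):
        packet, config = self.pending.popleft()
        verdict = config.decide(packet["dst_port"])
        with self.lock:
            config.refcount -= 1
            if config is not self.current and config.refcount == 0:
                self.retired.append(config.generation)
        return packet, config.generation, verdict


def run_demo():
    # Constructed sample: two packets arrive under generation 1, the policy is swapped,
    # a third packet arrives under generation 2, then all three are processed.
    fw = Firewall(FirewallConfig(1, [(22, "accept")]))
    fw.ingress({"dst_port": 22})
    fw.ingress({"dst_port": 443})
    fw.swap_config(FirewallConfig(2, [(443, "accept")]))
    fw.ingress({"dst_port": 22})
    results = [fw.process_one() for _ in range(3)]
    return [(gen, verdict) for _, gen, verdict in results], fw.retired


if __name__ == "__main__":
    print(run_demo())
```

The invariant worth checking in a real implementation is that the reference count and the `current` pointer are read and updated atomically together; if a packet is counted against a configuration after that configuration has already been freed, the module processing it dereferences released memory.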
-
Patent number: 8327128
Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to the domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.
Type: Grant | Filed: September 30, 2011 | Date of Patent: December 4, 2012 | Assignee: Cloudflare, Inc. | Inventors: Matthew Browning Prince, Lee Hahn Holloway, Srikanth N. Rao, Ian Gerald Pye
-
Patent number: 8327430
Abstract: Generally speaking, systems, methods and media for implementing a firewall control system responsive to remote system information are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program and determining whether a remote system condition exists for the associated program, where the remote system condition includes a condition to be satisfied based on information received from a particular remote system. Embodiments may also include, in response to determining that a remote system condition exists, determining whether the remote system condition is satisfied based on information received from the particular remote system. Embodiments may also include, in response to determining whether the remote system condition is satisfied, performing one or more firewall actions.
Type: Grant | Filed: June 19, 2007 | Date of Patent: December 4, 2012 | Assignee: International Business Machines Corporation | Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker
-
Patent number: 8327129
Abstract: The present invention discloses a method, an apparatus, and a system for IKE negotiation. One method comprises: upon receiving a data packet, selecting one of multiple service cards according to a pre-configured policy and triggering the service card to send an IKE negotiation packet; and saving the mapping between the IKE negotiation packet and the service card. The other method comprises: upon receiving an IKE negotiation packet, selecting one of multiple service cards according to a pre-configured policy, triggering the service card to perform IKE negotiation, and saving the mapping between the IKE negotiation packet and the service card. The solution enables a network node to distribute IKE negotiations across different service cards so that they run at the same time, improving IKE negotiation speed.
Type: Grant | Filed: June 23, 2008 | Date of Patent: December 4, 2012 | Assignee: Hangzhou H3C Technologies Co., Ltd. | Inventors: Weichen Ren, Xudong Zou, Zhanming Wei, Xiangqing Chang
-
Patent number: 8327435
Abstract: Disclosed techniques provide enhanced security for a communications network. Access terminal devices intended for operation via the network are expected to have security agent functionality, e.g., in the form of security agent software loaded into or otherwise enabled on each of the access terminal devices. Registration procedures include verification that such an agent is present/enabled on an access terminal and that the agent currently implemented on the terminal device provides adequate security for the communications network against malicious traffic from that device.
Type: Grant | Filed: April 15, 2011 | Date of Patent: December 4, 2012 | Assignee: Cellco Partnership | Inventors: Kalyani Bogineni, Gerard J. Flynn, William H. Stone, Jr., Edward A. Salas
-
Patent number: 8327135
Abstract: A software based wireless infrastructure system is provided. The system has a driver that communicates with the network stack and a network interface card (NIC), a station server in communication with the station driver and an 802.1X supplicant or an 802.1X authenticator. Each NIC provides station and/or access point functionality support. The driver drops packets that have been received if the packet has not been authenticated and associated. Packets that have been fragmented or encrypted are unfragmented and decrypted. An association manager is used in conjunction with a configuration table manager to associate stations and access points via management packets. A manager receives 802.1X data packets from the packet processor and sends them up to a station server that communicates with user mode applications and an 802.1X supplicant or an 802.1X authenticator that are used to authenticate and deauthenticate stations and access points. APIs are provided to enable communication between the components.
Type: Grant | Filed: January 23, 2007 | Date of Patent: December 4, 2012 | Assignee: Microsoft Corporation | Inventors: Abhishek Abhishek, Arun Ayyagari, Hui Shen, Krishna Ganugapati, Jiandong Ruan
-
Publication number: 20120303949
Abstract: An embodiment of the present invention provides a packet transmission method. The method includes: receiving an encrypted packet sent by a client through a virtual private network (VPN) tunnel, wherein the client sends the encrypted packet after determining, according to a preset control policy, that the control policy contains an Internet Protocol (IP) address and a port number matching the destination IP address and destination port number of the packet to be sent, and then encrypting that packet; the control policy comprises the IP addresses and port numbers of the intranet servers that may exchange packets with a Secure Sockets Layer (SSL) VPN server; decrypting the encrypted packet; and sending the decrypted packet to the corresponding intranet server, wherein the source IP address of the decrypted packet is an external network IP address.
Type: Application | Filed: July 27, 2012 | Publication date: November 29, 2012 | Applicant: Huawei Technologies Co., Ltd. | Inventors: Bing Liu, Yejian Xu, Meng Xu, Chengjiao Nie