Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 8281125
    Abstract: A computer-implemented system and method for providing secure remote document access is provided. An index is created for the documents in a local document store. The resulting index is provided to a remote search server that operates independently of the local document store. Each document in the document store is also encrypted and provided to a remote document server that operates independently of the local document store. The encrypted documents can be located using the index on the remote search server and can be retrieved from the remote document server using an identifier obtained from the remote search server.
    Type: Grant
    Filed: July 22, 2009
    Date of Patent: October 2, 2012
    Assignee: Symantec Corporation
    Inventors: Marc A. Briceno, Rajiv U. Dholakia
  • Patent number: 8281392
    Abstract: Methods and systems for disrupting potential attacks on a wireless network through transmission of random data are disclosed. Specifically, this disclosure relates to systems and methods for disrupting the breaking of the secret key or passphrase by an adversary or rogue device for Wi-Fi networks using wired equivalent privacy (WEP) and Wi-Fi protected access (WPA).
    Type: Grant
    Filed: August 11, 2006
    Date of Patent: October 2, 2012
    Assignee: Airdefense, Inc.
    Inventors: Amit Sinha, Nicholas John Darrow
  • Patent number: 8281126
    Abstract: Embodiments of the invention relate to systems and methods for securing data transmission in networks. Embodiments of the invention further relate to encryption methods that dynamically adjust during the course of data transmission. Further, the encryption methods can adapt dynamically without user intervention. In one embodiment, an encryption scheme can be established, controlled, and monitored via out-of-band communication between transceiver modules.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: October 2, 2012
    Assignee: Finisar Corporation
    Inventors: Gayle L. Noble, Lucy G. Hosking
  • Patent number: 8281123
    Abstract: A system and method for managing private information while using semi-trusted interfaces is described. In an embodiment, an intermediate node may receive a first and second communication between a semi-trusted node and a trusted node. In managing private information, the intermediate node may append private information to the first communication sent from the semi-trusted node to the trusted node, and remove private information from the second communication sent from the trusted node to the semi-trusted node.
    Type: Grant
    Filed: March 24, 2006
    Date of Patent: October 2, 2012
    Assignee: Intel Corporation
    Inventors: Trevor A Pering, Muralidharan Sundararajan, John J Light, Roy Want
  • Patent number: 8280055
    Abstract: An optical network system including an OLT and ONUs is provided that can prevent the loss of a multicast signal. When receiving an encryption key generation request from the OLT, the ONU generates an encryption key, and transmits the generated encryption key to the OLT. When receiving a notice of timing from the OLT, the ONU updates the encryption key of a belonging group. When receiving a report message from a STB through the ONU, the OLT analyzes the report message, stores a group that the STB belongs to as well as the ONU in a second table, and transmits the encryption key generation request to the ONU. When receiving the encryption key from the ONU, the OLT further stores the encryption key in the second table, and transmits to the ONU a notice of the timing in which the encryption key is valid.
    Type: Grant
    Filed: December 10, 2009
    Date of Patent: October 2, 2012
    Assignee: Hitachi, Ltd.
    Inventors: Taiki Nema, Tohru Kazawa, Ryosuke Kurata
  • Patent number: 8280059
    Abstract: A method for generating a group key is provided in the field of network communications. The method includes the following steps: Group members select DH secret values and generate DH public values. An organizer generates an intermediate message and broadcasts a DH public value and the intermediate message. The group members generate a group key according to a DH secret value selected by the organizer and DH public values of the other group members except the organizer. A system for generating a group key and communication devices are also disclosed in the present invention.
    Type: Grant
    Filed: October 22, 2009
    Date of Patent: October 2, 2012
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Chunxiang Xu, Huan Zhong, Ya Liu
  • Patent number: 8281124
    Abstract: A network apparatus which is connected to a network is disclosed. The network apparatus includes a managing unit which manages an address range in which addresses to be allocated to a destination network apparatus are registered and encryption parameters for encrypting data to be transmitted to the destination network apparatus so that the address range and the encryption parameters are related to each other, an address generating unit which generates an address for the destination network apparatus by selecting an address in the address range, and an encryption unit which encrypts the data to be transmitted to the address generated by the address generating unit based on the encryption parameters.
    Type: Grant
    Filed: March 12, 2007
    Date of Patent: October 2, 2012
    Assignee: Ricoh Company, Ltd.
    Inventor: Hiroshi Tamura
  • Patent number: 8281134
    Abstract: A method is provided for both layer 2 (L2) and layer 3 (L3) security in the context, for example, of a WISP-e protocol. An AES algorithm in CBC mode is used for encryption and decryption of the control frames. The session keys (e.g., 128-bit session keys) are derived from a pre-shared secret configured on both communicating wireless termination points.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: October 2, 2012
    Assignee: Symbol Technologies, Inc.
    Inventors: Zeljko Bajic, Ram Nagarajan, Rajesh Vijayakumar
  • Publication number: 20120246463
    Abstract: A method of providing transparent encryption for a web resource includes a key manager receiving an encryption key policy; receiving user identifiers and resource locators; defining an access control list based on the user identifiers; generating an encryption key and a key identifier for a first resource locator; and establishing a secure communication channel between first and second watchdog modules. The method also includes the watchdog sending encryption information using the secure communication channel. The method also includes a transparent encryption module storing the encryption key and the access control list in protected memory; receiving an input comprising a request to access the first resource stored in the web resource; determining that the user identifier is included in the access control list; encrypting data using the encryption key; and decrypting data using the encryption key.
    Type: Application
    Filed: March 21, 2012
    Publication date: September 27, 2012
    Applicant: CipherPoint Software, Inc.
    Inventors: Woody Shea, Michael Fleck
  • Patent number: 8275987
    Abstract: The invention describes a method for transmission of a DHCP message between a telecommunication network, especially a telecommunication network according to the WiMAX-standard, and an Internet Protocol (IP) subscriber (SS/MS; MN) to the telecommunication network. Therein, an information secured with an encryption key is added to the DHCP message. The encryption key is derived from a basic key being provided by a network component of the telecommunication network.
    Type: Grant
    Filed: October 15, 2007
    Date of Patent: September 25, 2012
    Assignee: Nokia Siemens Networks GmbH & Co. KG
    Inventors: Domagoj Premec, Maximilian Riegel
  • Patent number: 8276204
    Abstract: An apparatus relays packets transferred over a network and discards an attack packet detected among the packets. The apparatus includes: an inspection-packet outputting unit that outputs, when detecting the attack packet, an inspection packet in which a transmission-source address contained in the attack packet is set as a destination address and a destination address contained in the attack packet is set as a transmission-source address; a filter table storing unit that stores, when acquiring a response packet for the inspection packet, a transmission-source address, a destination address, and identification information of an interface, which has received the response packet, that are contained in the response packet, in a filter table in an associated manner; and a transfer control unit that determines whether to transfer a packet as a transfer object based on the filter table.
    Type: Grant
    Filed: December 9, 2009
    Date of Patent: September 25, 2012
    Assignee: Fujitsu Limited
    Inventor: Jun Ogawa
  • Publication number: 20120239923
    Abstract: A method of activating a wireless IP device by providing access to an installer to a customer's personal router or modem/router combination and providing access to the installer to a wireless Access Point which is supplied by the installer where the Access Point has a first slot for a default SSID2 password for a first wireless IP device and a second slot for an SSID1 password for a second wireless IP device. Connecting a first wireless IP device while in its initial or default state to the first slot where the first device and the wireless Access Point have a common default SSID2 code and factory preprogrammed public key and where, as soon as the device is powered up, the IP device immediately begins communicating through the wireless access point and the customer's router or modem/router to the internet, checking into a control server.
    Type: Application
    Filed: March 14, 2011
    Publication date: September 20, 2012
    Inventors: Thomas F. Karl, Jose Colucciello
  • Publication number: 20120239925
    Abstract: A method for secure communication of a message. The method includes providing a message including a plurality of message packets, providing a nodal network including a plurality of nodes, where nodal operations are capable of execution on the message packets at the nodes, gaining, by a first node of the network, a first message packet, processing the first message packet by the first node, relinquishing the first message packet as processed by the first node, gaining, by any other node of the network, at least one other message packet, processing the other message packet by the other node, relinquishing the other message packet as processed by the other node, receiving, by a message destination node of the network, a first message packet, receiving, by the message destination node, at least a second message packet, and processing the first message packet and the second message packet to provide a reproduced message.
    Type: Application
    Filed: May 29, 2012
    Publication date: September 20, 2012
    Applicant: FIRST PRINCIPLES, INC.
    Inventor: KEITH A. RANIERE
  • Publication number: 20120239924
    Abstract: This invention provides for progressive processing of biometric samples to facilitate user verification. A security token performs initial processing. Due to storage and processing limitations, false rejections may occur. To overcome this, the biometric sample is routed to a stateless server with greater processing power and data enhancement capabilities. The stateless server processes and returns an enhanced biometric sample to the security token for another attempt at verification. In another embodiment, the security token may have a second failure when verifying the enhanced biometric sample. It can then send the enhanced or raw biometric sample to a stateful server. The stateful server processes the biometric sample and performs a one to many search of a biometric database having a master set of enrolled authorized user biometric templates. The security token uses signals from the stateful server to grant or deny access. In both embodiments, heuristics remain with the security token.
    Type: Application
    Filed: March 20, 2012
    Publication date: September 20, 2012
    Inventors: Dominique Louis Joseph Fedronic, Eric F. Le Saint
  • Patent number: 8271776
    Abstract: In a method for mobile printing, a mobile device generates a symmetrical pair of encryption keys and transmits the first encryption key and a print request to an imaging device. When the mobile device receives a request from the imaging device for the second encryption key, the mobile device transmits the second encryption key to the imaging device. The imaging device then uses the second encryption key to decrypt encrypted rendered content and prints the content.
    Type: Grant
    Filed: October 3, 2001
    Date of Patent: September 18, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Daniel Revel, Jeremy Bunn
  • Patent number: 8272051
    Abstract: A process of information leakage prevention for sensitive information in a database table. Content to be inspected is extracted at a deployment point. The content is processed by a first fingerprinting module to determine if the content matches fingerprint signatures generated from database cells between a first threshold size and a second threshold size which is larger than the first threshold size. The content is also processed by a second fingerprinting module to determine if the content matches fingerprint signatures generated from database cells larger than the second threshold size. The content may also be filtered, and the filtered content processed with an exact match module to determine if the filtered content exactly matches data from cells smaller than the first threshold size. Other embodiments, aspects and features are also disclosed.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: September 18, 2012
    Assignee: Trend Micro Incorporated
    Inventors: Xiaoming Zhao, Gang Chen, Kan Dong
  • Patent number: 8271777
    Abstract: The present patent disclosure describes a system and method for maintaining persistent secure connections between a terminal and a host. The system comprises a session manager component for storing session information associated with a terminal identifier (ID) of the terminal, the session information comprising a client connection ID for identifying a persistent secure client connection and a terminal connection ID for identifying a secure terminal connection. The system also comprises a connection manager component for establishing communication between the persistent secure client connection, identified by the client connection ID, and the secure terminal connection, identified by the terminal connection ID.
    Type: Grant
    Filed: September 5, 2008
    Date of Patent: September 18, 2012
    Assignee: Psion Teklogix Inc.
    Inventor: Boris Borisov
  • Patent number: 8271642
    Abstract: A system, method, and computer program product are provided for isolating a device associated with at least potential data leakage activity, based on user input. In operation, at least potential data leakage activity associated with a device is identified. Furthermore, at least one action is performed to isolate the device, based on user input received utilizing a user interface.
    Type: Grant
    Filed: August 29, 2007
    Date of Patent: September 18, 2012
    Assignee: McAfee, Inc.
    Inventors: Srinivasan Sankararaman, Deepakeswaran Kolingivadi
  • Patent number: 8272041
    Abstract: Generally speaking, systems, methods and media for implementing a firewall control system responsive to process interrogations are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program and determining whether a process rule exists for the associated program, where the process rule includes a condition to be satisfied for a process of the user computer system. Embodiments may also include, in response to determining that a process rule does exist, determining a method for evaluating a status of the process and determining a current status of the process. Embodiments may also include determining whether the process rule is satisfied based on the current status of the process and using the determined evaluation method. Embodiments may also include, in response to determining whether the condition of the process rule is satisfied, performing one or more firewall actions.
    Type: Grant
    Filed: June 21, 2007
    Date of Patent: September 18, 2012
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker
  • Patent number: 8271582
    Abstract: A relay device includes a first communication unit that receives a request including processing object data from a client device; a data processing unit that obtains a first processing result by performing a relay-device-side process of equivalent algorithm to that of a server-side process, which is performed by a server, on the processing object data; a second communication unit that transmits the request to the server, and receives a second processing result, which corresponds to the first processing result and is obtained by performance of the server-side process on the processing object data, from the server as a response; and a control unit that determines whether the second processing result has been transmitted to the client device. When the second processing result has not been transmitted to the client device, the first communication unit transmits the first processing result to the client device.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: September 18, 2012
    Assignee: Ricoh Company, Ltd.
    Inventor: Kunio Okita
  • Patent number: 8272043
    Abstract: Generally speaking, systems, methods and media for implementing a firewall control system responsive to user authentications are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program. Embodiments may include determining whether an authentication plan is required to be matched for the associated program and, if so, accessing a stored authentication plan associated with the program and having one or more authentication records each having expected information relating to user access to a particular server. Embodiments may include accessing a current authentication plan from an authentication store, the current authentication plan having one or more authentication records each having information relating to user access to a particular server.
    Type: Grant
    Filed: June 21, 2007
    Date of Patent: September 18, 2012
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker
  • Patent number: 8270606
    Abstract: A system and method for real-time network communications provides a session identifier as a public key for group communication between clients, and provides a channel identifier representing a private key for each of a plurality of clients. The channel identifier includes client-specific attributes, which function to indicate grouping criteria for the group communication. A dynamic communication link is created over a network between a client and a service based upon the public and private key combination such that group communication is enabled based upon the attributes of the private key and the public key. Communications are translated using a translation service which employs the attributes associated with the private key and the public key combination to provide response information in a designated language to enable multi-lingual real-time communications.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: September 18, 2012
    Assignee: International Business Machines Corporation
    Inventors: Sasha Porto Caskey, Danning Jiang, Wen Liu, David Lubensky, Yong Qin, Andrzej Sakrajda, Cheng Wu
  • Patent number: 8270599
    Abstract: A network interface includes at least one physical memory, at least one client port, at least one processor accessing the at least one physical memory, and at least one network port. The client port receives data blocks which contain a quantity of bits from at least one first client computer system. The processor temporarily stores the data blocks in the at least one physical memory. The processor interacts with the physical memory and compresses the data blocks to reduce the quantity of bits. The processor further interacts with the physical memory such that the compressed data blocks are encrypted to produce encrypted frames. The at least one network port transmits the encrypted frames across a communication network.
    Type: Grant
    Filed: February 28, 2008
    Date of Patent: September 18, 2012
    Assignee: Ciena Corporation
    Inventors: Manoj Verghese, Behrouz Nikpour, Andrew E. S. MacKay
  • Patent number: 8272044
    Abstract: A technique to mitigate low rate Denial-of-Service (DoS) attacks at routers in the Internet is described. In phase 1, necessary flow information from the packets traversing through the router is stored in fast memory; and in phase 2, stored flow information is periodically moved to slow memory from the fast memory for further analysis. The system detects a sudden increase in the traffic load of expired flows within a short period. In a network without low rate DoS attacks, the traffic load of all the expired flows is less than certain thresholds which are derived from real Internet traffic analysis. The system can also include a filtering solution to drop attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit.
    Type: Grant
    Filed: May 27, 2008
    Date of Patent: September 18, 2012
    Assignee: New Jersey Institute of Technology
    Inventors: Nirwan Ansari, Amey Bhaskar Shevtekar
  • Patent number: 8266428
    Abstract: An Internet Protocol version 4/Internet Protocol version 6 (IPv4/IPv6) integrated network system includes at least one first node for creating identification information capable of identifying each secret key shared with at least one second node, and for exchanging the created identification information with each second node in a secure negotiating process. Each second node creates identification information capable of identifying each secret key shared with each first node, and performs the secure negotiating process based on the secret keys corresponding to the identification information exchanged through the secure negotiating process. Thereby, secure communication complying with Security Architecture for the Internet Protocol (IPSec) can be implemented based on the secret keys in the IPv4/IPv6 integrated network system of a Network Address Translation-Protocol Translation (NAT-PT) environment.
    Type: Grant
    Filed: December 19, 2006
    Date of Patent: September 11, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Taek-Jung Kwon, Kang-Young Moon, Sou-Hwan Jung
  • Patent number: 8266421
    Abstract: Methods and apparatuses for private electronic information exchange are described herein. In one embodiment, when electronic information is received to be delivered to a recipient, the electronic information is transmitted over an electronic network with a private routing address. The private routing address is routable within a private domain, which is a subset of the electronic network. Other methods and apparatuses are also described.
    Type: Grant
    Filed: April 22, 2004
    Date of Patent: September 11, 2012
    Assignee: Privato Security, LLC
    Inventor: George C. Sidman
  • Patent number: 8266694
    Abstract: Various systems and methods for providing a policy realization framework for a communications network are disclosed. The policy realization framework can be an application and service layer policy framework that is separate and distinct from the network layer policy framework. As such, policy decisions can be made remote from the network layer, and common policies across multiple networks are possible. Methods and systems for providing these and other features are disclosed. An intelligent security gateway and a method for implementing an intelligent security gateway with the policy realization framework are also disclosed.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: September 11, 2012
    Assignee: AT&T Mobility II LLC
    Inventor: Alka Roy
  • Patent number: 8266685
    Abstract: Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural process-oriented input facilitates administration of a firewall by allowing an administrator to specify desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online.
    Type: Grant
    Filed: May 18, 2007
    Date of Patent: September 11, 2012
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Eran Yariv, Emanuel Paleologu, Gerardo Diaz Cuellar, Ian Carbaugh
  • Publication number: 20120226902
    Abstract: An apparatus for generating a key for access control of content in a distributed environment network is provided. The apparatus includes a first key distributor configured to generate first encrypted keys by encrypting a first key corresponding to a key for write authorization using each public key of members having write authorization among members included in an access control list including information of at least one user and distribute the access control list and information about access authorization and the first encrypted keys to the members having write authorization, and a second key distributor configured to generate second encrypted keys by encrypting a second key corresponding to a key for read authorization using the first key using each public key of members having read authorization among members included in the access control list and distribute the access control list and second encrypted keys to the members having read authorization.
    Type: Application
    Filed: March 2, 2012
    Publication date: September 6, 2012
    Inventor: Dae Youb KIM
  • Patent number: 8261078
    Abstract: A method and arrangement is disclosed for providing a user, not previously having an individual subscription with a network operator, with credentials for secure access to network services. The arrangement includes a gateway, associated with a subscription for network services, having means for generating and exporting to a user entity personalized user security data derived from security data related to the subscription. In particular, the derivation of credentials is based on a function that is shared between network and gateway and further conveniently makes use of bootstrapping on keying material from the subscription authentication. Pre-registered user identities are assigned trusted users who, thereafter, can download credentials and authenticate for service access. The invention may be implemented at a public place for providing temporary visitors network access whereby trust may exemplary be established by presenting a credit card.
    Type: Grant
    Filed: June 9, 2006
    Date of Patent: September 4, 2012
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Luis Barriga, Rolf Blom, Mats Näslund
  • Patent number: 8261318
    Abstract: Techniques for passing security configuration information between a security policy server and a client include the client forming a request for security configuration information that configures the client for secure communications. The client is separated by an untrusted network from a trusted network that includes the security policy server. A tag is generated that indicates a generic security configuration attribute. An Internet Security Association and Key Management Protocol (ISAKMP) configuration mode request message is sent to a security gateway on an edge of the trusted network connected to the untrusted network. The message includes the request in association with the tag. The gateway sends the request associated with the tag to the security policy server on the trusted network and does not interpret the request. The techniques allow client configuration extensions to be added by modifying the policy server or security client, or both, without modifying the gateway.
    Type: Grant
    Filed: September 22, 2010
    Date of Patent: September 4, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Geoffrey Huang, Jan Vilhuber
  • Patent number: 8261060
    Abstract: A content transmitting apparatus, includes: an acquisition device configured to acquire content data distributed in streaming mode; a temporary storage device configured to store temporarily the content data acquired by the acquisition device; a data control device configured to read the content data from the temporary storage device on a first-in first-out basis; an encryption device configured to encrypt in units of a predetermined amount the content data read out by the data control device; and a transmission device configured to transmit the content data encrypted by the encryption device to a predetermined receiving apparatus via a network. If the remaining capacity of the temporary storage device becomes smaller than a predetermined threshold value depending on status of the network, then the data control device discards the content data read from the temporary storage device.
    Type: Grant
    Filed: March 10, 2010
    Date of Patent: September 4, 2012
    Assignee: Sony Corporation
    Inventor: Ryoki Honjo
  • Patent number: 8261337
    Abstract: A security device may be interconnected, via multiple links, between multiple network devices in a network. The firewall device may include multiple input interfaces that receive data units from a first network device destined for a second network device of the multiple network devices, identify a session associated with each of the data units, and process the data units in accordance with the identified sessions and a security policy.
    Type: Grant
    Filed: November 17, 2004
    Date of Patent: September 4, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Changming Liu, Lee Chik Cheung
  • Patent number: 8261059
    Abstract: An encrypted file transfer system allows for the platform independent transfer of files and encrypting/decrypting in an integrated solution. Furthermore, the exchange of encryption keys can be handled through, for example, a secure socket connection between the client and a server thus removing the requirement of the user manually decrypting the transferred file(s).
    Type: Grant
    Filed: October 24, 2002
    Date of Patent: September 4, 2012
    Assignee: Verizon Business Global LLC
    Inventors: Sean P Bryan, Paul G Franklin, Kenneth J Qualls
  • Patent number: 8261055
    Abstract: A first information processing apparatus encrypts data that it receives from a second information processing apparatus, and transmits the data thus encrypted to an external device. The second information processing apparatus transmits the data to the first information processing apparatus according to a data size that results after a data size being necessary for communication of the encrypted data is subtracted from a specified data size.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: September 4, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahiko Sakai
  • Patent number: 8261346
    Abstract: Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: September 4, 2012
    Assignee: International Business Machines Corporation
    Inventor: James F. Riordan
  • Patent number: 8259910
    Abstract: A transcribing method may include receiving an audio message from a customer via a telephone, determining whether one of the agent transcribers is available, storing the audio message when an agent transcriber is not available, continuing to determine whether a transcriber is available, streaming in real time a streamed portion of the audio message to a first available agent transcriber for facilitating the transcription of the streamed portion of the audio message into a first portion of a transcription text file, providing subsequently a pre-streamed recorded portion of the audio message to a subsequently available second agent transcriber for facilitating the transcription of the pre-streamed recorded portion of the audio message into a second portion of the transcription text file while the streaming in real time is continuing with the first agent transcriber, and combining the first and second portions of the transcription text file into a consolidated text file.
    Type: Grant
    Filed: March 14, 2008
    Date of Patent: September 4, 2012
    Assignee: VoiceCloud
    Inventors: Sammy S. Afifi, Gerald J. Marolda, III
  • Patent number: 8261351
    Abstract: Embodiments are directed towards providing protection to DNS servers against DNS flood attacks by causing a requesting device to perform multiple DNS lookup requests for resolving a resource record. A request from a network device for a resolution of a domain name may be received by a device interposed between the requesting network device and a DNS server. Upon receiving the request to resolve the domain name, the interposed device may respond with a CNAME that includes a cookie. The requesting device may then send another request that includes the cookie-preceded CNAME. The interposed device may then validate the cookie returned in the CNAME and, if valid, forward the domain name resolution request on to a DNS server. The response may then be forwarded to the requesting device.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: September 4, 2012
    Assignee: F5 Networks, Inc.
    Inventors: Peter M. Thornewell, Lisa M. Golden
  • Patent number: 8261341
    Abstract: A system and method for creating a virtual private network through a VPN gateway configuration service. The VPN gateway configuration service inherits UPnP zero-configuration characteristics and also provides an interface for configuring the VPN gateway that enables the configuration of any VPN gateway device, regardless of manufacturer. Additionally, the device control protocol defined by the VPN gateway configuration service can provide client provisioning, as well as enabling the configuration of gateway-to-gateway virtual private networks.
    Type: Grant
    Filed: January 27, 2005
    Date of Patent: September 4, 2012
    Assignee: Nokia Corporation
    Inventor: Vlad Stirbu
  • Patent number: 8259933
    Abstract: A secure, open-air communication system utilizes a plurality of “decoy” data signals to hide one or more true data signals. The true data signal(s) are channel hopped with the plurality of decoy data signals to form a multi-channel “scrambled” output signal that is thereafter transmitted in an open-air communication system. The greater the number of decoy signals, the greater the security provided to the open-air system. Further security may be provided by encrypting both the true and decoy signals prior to scrambling and/or by utilizing a spatially diverse set of transmitters and receivers. Without the knowledge of the channel assignment(s) for the true signal(s), an eavesdropper may be able to intercept (and, with time, perhaps descramble) the open-air transmitted signals, but will not be able to distinguish the true data from the decoys without also knowing the channel assignment(s).
    Type: Grant
    Filed: October 19, 2010
    Date of Patent: September 4, 2012
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: David M. Britz, Robert Raymond Miller, II, Nemmara K. Shankaranarayanan
  • Publication number: 20120221847
    Abstract: A client device includes a network interface that transmits a request for the media content to the sanction server, receives second sanction data from the sanction server, transmits second cryptographic data to the caching server, receives first cryptographic data from the caching server and that receives scrambled media content from the caching server. A random number generator generates a random number. A client processing module, in response to the second sanction data, generates the second cryptographic data based on the random number and the second sanction data, generates a scrambling control word based on the second sanction data and the first cryptographic data and descrambles the scrambled media content based on the scrambling control word.
    Type: Application
    Filed: June 20, 2011
    Publication date: August 30, 2012
    Applicant: VIXS SYSTEMS, INC.
    Inventors: Paul D. Ducharme, Heyun Zheng
  • Publication number: 20120221848
    Abstract: A content source includes a random number generator that generates a scrambling control word based on at least one random number. A source processing module generates proxy data that includes cryptographic parameters that are based on the scrambling control word, generates cryptographic data and generates scrambled media content based on the scrambling control word. A network interface sends the proxy data to a sanction server, and sends the cryptographic data and the scrambled content to a caching server.
    Type: Application
    Filed: June 20, 2011
    Publication date: August 30, 2012
    Applicant: VIXS SYSTEMS, INC.
    Inventors: Paul D. Ducharme, Heyun Zheng
  • Publication number: 20120221846
    Abstract: A sanction server includes a network interface that receives a request for media content from a client device and transmits first sanction data to a caching server and second sanction data to the client device. A sanction processing module generates the first sanction data based on a random number and generates the second sanction data based on the random number. The caching server generates first cryptographic data based on the first sanction data and sends the first cryptographic data to the client device. The client device generates second cryptographic data based on the first sanction data and sends the second cryptographic data to the caching server. The caching server generates a scrambling control word based on the first sanction data and the second cryptographic data. The client device generates the scrambling control word based on the second sanction data and the first cryptographic data.
    Type: Application
    Filed: June 20, 2011
    Publication date: August 30, 2012
    Applicant: VIXS SYSTEMS, INC.
    Inventors: Paul D. Ducharme, Heyun Zheng
  • Patent number: 8255682
    Abstract: A system that eliminates some of the security vulnerabilities in the prior art systems by using a new sequence of steps to perform initialization of the cable modem: Instead of performing authentication after the cable modem has been registered, the cable modem authentication step is performed immediately after the cable modem completes ranging. Thus an early authentication method and system are provided. The control of authentication is shifted from the cable modem to the CMTS. Instead of the CMTS relying on a Registration Request message (REG-REQ) to determine whether a cable modem must perform authentication (that is to determine if BPI+ is enabled) the CMTS configuration is what determines whether a cable modem must perform authentication.
    Type: Grant
    Filed: July 27, 2006
    Date of Patent: August 28, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: Shengyou Zeng
  • Patent number: 8255683
    Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.
    Type: Grant
    Filed: September 5, 2006
    Date of Patent: August 28, 2012
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8255689
    Abstract: A method and system for performing a distributed verification with respect to measurement data in a sensor network. The method of performing the distributed verification with respect to measurement data in a sensor network includes: verifying, by an aggregator, the measurement data received from each of a plurality of sensors; generating, by the aggregator, verification request data by using the verified measurement data; transmitting the verification request data to a verifier; and verifying, by the verifier, the aggregator via a predetermined number of sensors of the plurality of sensors and the verification request data. The method of performing a distributed verification with respect to measurement data in a sensor network further includes transmitting, by the aggregator, an aggregation result with respect to the measurement data to a base station when the aggregator is verified; and verifying, by the base station, the aggregation result.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: August 28, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Eun Ah Kim, Jeong Hyun Yi, Alexey Fomin, Alexandria Afanasyeva, Sergey Bezzateev
  • Patent number: 8255985
    Abstract: Recommending a security policy to a firewall includes receiving a request from a firewall for a recommendation as to whether the firewall should allow or block a detected present communication for which the firewall does not have an existing security policy. Information about past blocked and allowed communications at other firewalls on a network is searched to identify past communications that are similar to the present communication. The identified past communications are assigned a respective positive or negative vote. A positive vote indicates a past communication was allowed and a negative vote indicates a past communication was not allowed. A positive recommendation is sent to the requesting firewall to allow the present communication if the positive votes outnumber the negative votes, and a negative recommendation is sent to the requesting firewall to block the present communication if the negative votes outnumber the positive votes.
    Type: Grant
    Filed: November 13, 2006
    Date of Patent: August 28, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Jeffrey Aaron
  • Patent number: 8255994
    Abstract: A method, system, and medium are provided for suppressing a Short Message Service (SMS) induced Denial of Service (DoS) attack on a telecommunications network. A register is updated to include information relevant to SMS messages that are requested to be communicated by way of a wireless telecommunications network. The register includes information of the location where the target devices of SMS messages are located. The register is utilized to detect an SMS induced DoS attack. A trigger is communicated to an SMS router to enable a DoS mode that restricts the communication of SMS messages. In an exemplary embodiment, only those SMS messages identified as part of the DoS attack are restricted.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: August 28, 2012
    Assignee: Sprint Communications Company L.P.
    Inventors: Piyush Upadhyay, William James Routt, Patrick David Wilson, Debashis Haldar, John Chandler Witzgall
  • Patent number: 8255686
    Abstract: A method for securely communicating sensed data over a network that includes receiving sensed data from a sensor, dynamically switching through a plurality of multi-cast group addresses as destinations for sending the received sensed data to a client device based on time measurements, encryption keys, or pseudorandom numbers, and transmitting the sensed data to each of the plurality of multi-cast group addresses through the dynamic switching of the plurality of multi-cast group addresses for receipt by the client device.
    Type: Grant
    Filed: July 27, 2007
    Date of Patent: August 28, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Ratnesh K. Sharma
  • Patent number: 8255681
    Abstract: A network and associated methods and apparatus are described. The network includes a wireless access node which is operable to receive first packets from a plurality of wireless computing devices attempting to access the network. Each of the first packets corresponds to one of a plurality of traffic types. At least one of the traffic types corresponds to an encrypted wireless protocol. The wireless access node is configured to associate one of a plurality of identifiers with each of the first packets. Each of the plurality of identifiers corresponds to one of the plurality of traffic types. The wireless access node is further configured to transmit all first packets received from the wireless computing devices to a gateway on the network regardless of destination addresses associated with the first packets. The gateway is operable to determine that a particular one of the first packets from a first one of the wireless computing devices is directed to a second computing device on the network.
    Type: Grant
    Filed: March 10, 2005
    Date of Patent: August 28, 2012
    Assignee: Ibahn General Holdings Corporation
    Inventors: Brett Thomas Molen, Jan M. DeHoop, Nichol Fife Draper, Richard L. Ehlers