Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
-
Patent number: 8111706
Abstract: In a premises gateway device that performs encryption or decryption under IPsec, the throughput of the processor is varied depending on the type of data being handled, in order to reduce power consumption. In a premises gateway device to which a telephone, PCs, and a home appliance (pieces of home network equipment) are connected, and which transmits or receives data through an ISP and an IPsec tunnel via an ONU, an OLT, and a carrier network, the relevant home network equipment and a data rate are decided based on the data to be handled. The frequency of the clock fed to the processor is varied depending on that information.
Type: Grant
Filed: December 7, 2009
Date of Patent: February 7, 2012
Assignee: Hitachi, Ltd.
Inventors: Atsushi Otani, Hisa Tsuzuki, Makoto Hasegawa
-
Patent number: 8112622
Abstract: A networking method, microchip, and device are described in which a first security engine may be associated with a chaining port and configured to perform an inner processing for an inner layer of encryption for a frame of data, while a second security engine may be associated with an external port and configured to perform an outer processing for an outer layer of encryption for the frame of data. Control logic may be configured to instruct the first security engine to execute both a transmit operation and a receive operation of the frame of data in association with the inner processing.
Type: Grant
Filed: December 8, 2006
Date of Patent: February 7, 2012
Assignee: Broadcom Corporation
Inventor: Zheng Qi
-
Patent number: 8112476
Abstract: Machine, method for use and method for making, and corresponding products produced thereby, as well as data structures, computer-readable media tangibly embodying program instructions, manufactures, and necessary intermediates of the foregoing, each pertaining to digital aspects of a computerized aggregation system. The system can include a user computer system interposed between a segment of a network allowing communication between the user computer system and at least one server system, and other segments allowing communication between the user computer system and a plurality of third party server systems. The one server system enables the user computer system to access the plurality of other servers. The access permits forming an aggregation of information obtained from the third party server systems.
Type: Grant
Filed: April 4, 2011
Date of Patent: February 7, 2012
Assignee: Confluence Commons, Inc.
Inventors: Jared Polis, Payal Goyal, Jeffery D. Herman, Samuel C. Wu, Eric Wu, Michael D. McMahon, Michael C. Wilson, Andrew Hartman, Peter K. Trzyna, David L. Calone, Chris Young, Scott Shaver, Andrew Hyde
-
Patent number: 8112521
Abstract: A system and method for monitoring a network and detecting network vulnerabilities is provided. A communication associated with one or more programs is issued to one or more devices in a network, and the response from the devices is detected and analyzed. Based on the analysis, a device response is identified as a threat response if it represents at least an alert, an unexpected response, or a response time-out indicating that the device did not respond to the communication. The vulnerability of the network is determined based on the threat responses of the devices.
Type: Grant
Filed: February 25, 2010
Date of Patent: February 7, 2012
Assignee: General Electric Company
Inventors: Bruce Gordon Barnett, John Erik Hershey, Daniel Thanos
-
Patent number: 8112803
Abstract: An agent on a network is preconfigured to automatically respond to neighborhood discovery by sending an advertisement having a spoof IPv6 address. A spoof IPv6 address includes a spoof NIC value, a value that identifies a network interface card not being used on the network. Thus, upon receipt of the advertisement by the infected host computer system, malicious code on the infected host computer system probes the spoof IPv6 address space defined by the network section value of the spoof IPv6 address, the spoof NIC value, and the range of possible values of the assigned host ID value of the spoof IPv6 address. As there are no interfaces within the spoof IPv6 address space except the one associated with the agent, propagation of the malicious code is slowed or defeated and connections are directed to the agent.
Type: Grant
Filed: December 22, 2006
Date of Patent: February 7, 2012
Assignee: Symantec Corporation
Inventors: Sourabh Satish, Brian Hernacki
-
Publication number: 20120030459
Abstract: A network extension device comprising a CPU, memory, protected I/O connectable to local controls and peripherals, an external communications port, a trusted device connected to the CPU such that it can provide attestation of the network extension device's trusted operation to a connected known external network, and a protected interface connected to at least one network extension module that includes a local network communications port. Optionally, a traffic encryption module may be provided, and the trusted device's attestation may include a check of its operation. Also, a method comprising connecting the network extension device to an external network, performing an operating mode check, causing the network extension device to operate in a mode and perform a security check that correspond to the result, causing the trusted device to attest trusted operation to the external network, and thereafter causing the CPU to function fully and permitting access to the external network.
Type: Application
Filed: July 29, 2010
Publication date: February 2, 2012
Inventors: Hal A. Aldridge, Keith R. Thal
-
Patent number: 8108460
Abstract: Machine, method for use and method for making, and corresponding products produced thereby, as well as data structures, computer-readable media tangibly embodying program instructions, manufactures, and necessary intermediates of the foregoing, each pertaining to digital aspects of a computerized aggregation system. The system can include a user computer system interposed between a segment of a network allowing communication between the user computer system and at least one server system, and other segments allowing communication between the user computer system and a plurality of third party server systems. The one server system enables the user computer system to access the plurality of other servers. The access permits forming an aggregation of information obtained from the third party server systems.
Type: Grant
Filed: March 21, 2011
Date of Patent: January 31, 2012
Assignee: Confluence Commons, Inc.
Inventors: Jared Polis, Payal Goyal, Jeffery D. Herman, Samuel C. Wu, Eric Wu, Michael D. McMahon, Michael C. Wilson, Andrew Hartman, Peter K. Trzyna, David L. Calone, Chris Young, Scott Shaver, Andrew Hyde
-
Patent number: 8103871
Abstract: Methods and apparatus for enabling a Pervasive Authentication Domain. A Pervasive Authentication Domain allows many registered Pervasive Devices to obtain authentication credentials from a single Personal Authentication Gateway and to use these credentials on behalf of users to enable additional capabilities for the devices. It provides an arrangement for a user to store credentials in one device (the Personal Authentication Gateway), and then make use of those credentials from many authorized Pervasive Devices without re-entering the credentials. It provides a convenient way for a user to share credentials among many devices, particularly when it is not convenient to enter credentials, as in a smart wristwatch environment. It further provides an arrangement for disabling access to credentials for devices that appear to be far from the Personal Authentication Gateway, as measured by metrics such as communications signal strengths.
Type: Grant
Filed: October 31, 2007
Date of Patent: January 24, 2012
Assignee: International Business Machines Corporation
Inventors: James R. Giles, Reiner Sailer
-
Patent number: 8103870
Abstract: A collaborative data transferring process can combine segments from all known servers and peer-to-peer (P2P) sources simultaneously, regardless of their native protocols. The process uses a variable data block size that can be dynamically selected according to sizes provided by sources, e.g., according to the protocol of the source, and can generate hash values or validation codes on the fly so that compliance with validation techniques (if any) of other protocols is not required. The process may be classified as a P2P protocol, although it also contains centralized elements. Machine language implementations and low syntax overhead allow file exchanges over a homogeneous network with high throughput and low bandwidth consumption.
Type: Grant
Filed: September 12, 2007
Date of Patent: January 24, 2012
Assignee: Foleeo, Inc.
Inventors: Matthew J. Clower, Vada W. Dean, Joseph E. Ross, Ryan Parman
-
Patent number: 8104082
Abstract: In some networking situations, securing an inner packet of a tunnel packet requires an intermediary networking device to know the destination address of the secured inner packet. Consequently, the identity of a secured network is known to others and presents a security risk. The provided technique addresses this risk by: i) establishing at a first security interface a first secured network connection between a first and second secured network, the connection established for a first packet addressed to a virtual security interface and destined for the second secured network; and ii) responding to a network condition by establishing at a second security interface at least one second secured network connection between the first and second secured network, the connection established for a second packet addressed to the virtual security interface and destined for the second secured network.
Type: Grant
Filed: September 29, 2006
Date of Patent: January 24, 2012
Assignee: Certes Networks, Inc.
Inventor: Donald McAlister
-
Publication number: 20120017079
Abstract: An apparatus for relaying a hashed message from a first node to a second node is provided, comprising an inlet interface for receiving a message from the first node, a hash number calculator for hashing the message from the inlet interface, an outlet interface for sending the hashed message to the second node, a first one-way data link for unidirectional transfer from the inlet interface to the hash number calculator, and a second one-way data link for unidirectional transfer from the hash number calculator to the outlet interface. While the apparatus is capable of bidirectional communications with either or both of the first and second nodes through the respective interfaces, the unidirectionality of data flow through the apparatus is strictly enforced by the hardware of the apparatus.
Type: Application
Filed: July 14, 2011
Publication date: January 19, 2012
Applicant: OWL COMPUTING TECHNOLOGIES, INC.
Inventors: Ronald Mraz, James Hope, Jeffrey Menoher
-
Publication number: 20120017078
Abstract: A method and system for consistent format preserving encryption (C-FPE) are provided to protect sensitive data while the sensitive data is in a domain, while allowing encrypted sensitive data to be treated inside the domain as if it were the unencrypted sensitive data. The method includes inserting a transparent coupling into a data flow at a perimeter of the domain, and translating a sensitive data element from an unprotected data element to a protected data element using the transparent coupling, such that the sensitive data element is a protected data element within the domain.
Type: Application
Filed: June 30, 2011
Publication date: January 19, 2012
Applicant: Computer Associates Think, Inc.
Inventors: James Donald Reno, Robert Roy Allen
-
Patent number: 8099592
Abstract: A system and method for controlling data communications between a server and a client device, such as a mobile device. Embodiments relate generally to a technique where stop data is provided to the client device. This stop data can be transmitted (e.g. by the client device) to the server. When processed by the server, the stop data indicates to the server that at least some of the encrypted data received by the client device from the server was not decrypted using the second key (e.g. as may be the case when the second key has been deleted). Upon receiving the stop data, the server may, for example, withhold the transmission of data encrypted with the first key to the client device until the second key is restored on the client device. In one embodiment, the stop data is provided to the client device in an encoded (e.g. encrypted) form.
Type: Grant
Filed: February 10, 2011
Date of Patent: January 17, 2012
Assignee: Research In Motion Limited
Inventors: David Bajar, Phillip Chi-Jim Luk, Michael Kenneth Brown, Darrell Reginald May
-
Publication number: 20120011358
Abstract: Methods and apparatus for providing remote administration and delegation rights for a computing system are disclosed. An example method for facilitating remote administration of a first computing device includes receiving, by a second computing device, an administrator name and a username for a user account for a cloud-based computing service, where the user account is assigned to a user of the first computing device. The example method further includes transmitting, from the second computing device to a server, the username for the user account and the administrator name, and receiving, by the second computing device, a control panel transmitted from the server, where the control panel accepts inputs to change user preferences for the user account and system settings for the first computing device.
Type: Application
Filed: June 30, 2010
Publication date: January 12, 2012
Applicant: GOOGLE INC.
Inventor: Christopher Masone
-
Patent number: 8094810
Abstract: A method for performing unidirectional proxy re-encryption includes generating a first key pair comprising a public key (pk) and a secret key (sk) and generating a re-encryption key rkA→B that changes encryptions under a first public key pka into encryptions under a second public key pkb. The method further includes performing one of the group consisting of: encrypting a message m under public key pka, producing a ciphertext ca; re-encrypting a ciphertext ca using the re-encryption key rkA→B that changes ciphertexts under pka into ciphertexts under pkb, to produce a ciphertext cb under pkb; and decrypting a ciphertext ca under pka to recover a message m. The method also includes encrypting a message m under a public key pk, producing a first-level ciphertext c1 that cannot be re-encrypted, and decrypting a first-level ciphertext c1 using secret key sk.
Type: Grant
Filed: February 3, 2006
Date of Patent: January 10, 2012
Assignees: Massachusetts Institute of Technology, The Johns Hopkins University
Inventors: Susan R. Hohenberger, Kevin Fu, Giuseppe Ateniese, Matthew Green
-
Patent number: 8095592
Abstract: Machine, method for use and method for making, and corresponding products produced thereby, as well as data structures, computer-readable media tangibly embodying program instructions, manufactures, and necessary intermediates of the foregoing, each pertaining to digital aspects of a computerized aggregation system. The system can include a user computer system interposed between a segment of a network allowing communication between the user computer system and at least one server system, and other segments allowing communication between the user computer system and a plurality of third party server systems. The one server system enables the user computer system to access the plurality of other servers. The access permits forming an aggregation of information obtained from the third party server systems.
Type: Grant
Filed: March 21, 2011
Date of Patent: January 10, 2012
Assignee: Confluence Commons, Inc.
Inventors: Jared Polis, Payal Goyal, Jeffery D. Herman, Samuel C. Wu, Eric Wu, Michael D. McMahon, Michael C. Wilson, Andrew Hartman, Peter K. Trzyna, David L. Calone, Chris Young, Scott Shaver, Andrew Hyde
-
Patent number: 8095959
Abstract: The disclosed embodiments relate to a system and method of applying policies. The method may include identifying a first entity and a first relationship, the first relationship defining an attribute related to the first entity. Additionally, the method may include identifying a policy associated with the first entity and the first relationship, and applying semantics to determine a degree of relatedness between the first entity and a second entity. Further, the method may include applying the policy to a second relationship that defines an attribute related to the second entity if the degree of relatedness between the first entity and the second entity is within a range of values.
Type: Grant
Filed: May 27, 2004
Date of Patent: January 10, 2012
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Harumi Kuno, Akhil Sahai, Yu Deng
-
Publication number: 20120004960
Abstract: A streaming media system employs dynamic rate adaptation. The method includes a file format compatible with legacy HTTP infrastructure to deliver media over a persistent connection. The method further includes the ability for legacy client media players to dynamically change the encoded delivery rate of the media over a persistent connection. The method works transparently with standard HTTP servers, requiring no modification, and leverages standard media players embedded in mobile devices for seamless media delivery over wireless networks with high bandwidth fluctuations. A system is also specified for implementing a client and server in accordance with the method.
Type: Application
Filed: September 15, 2011
Publication date: January 5, 2012
Applicant: AZUKI SYSTEMS, INC.
Inventors: Kevin J. Ma, Jianguo Xu, Tung Ng, Raj Nair, Ichang Lin, Chin-Cheng Wu
-
Publication number: 20120005476
Abstract: An integrated, multi-service virtual private network (VPN) network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise VPN connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. The multi-service client integrates with an operating system of the device to provide a VPN handler to establish a VPN connection with a remote VPN security device. The VPN network client includes a data acceleration module to exchange network packets with the VPN handler and apply at least one acceleration service to the network packets, and a VPN control application that provides a unified user interface that allows a user to configure both the VPN handler and the data acceleration module.
Type: Application
Filed: December 14, 2010
Publication date: January 5, 2012
Applicant: JUNIPER NETWORKS, INC.
Inventors: Yin Wei, Subramanian Iyer, Richard Campagna, James Wood
-
Publication number: 20120005477
Abstract: An integrated, multi-service network client for cellular mobile devices is described. The multi-service network client can be deployed as a single software package on cellular mobile network devices to provide integrated services including secure enterprise virtual private network (VPN) connectivity, acceleration, security management including monitored and enforced endpoint compliance, and collaboration services. Once installed on the cellular mobile device, the multi-service client establishes the VPN connection to concurrently include both a layer three (L3) tunnel that uses a first type of transport layer protocol of the operating system and a layer four (L4) tunnel that uses a second type of transport layer protocol of the operating system. The VPN handler determines whether network ports associated with the L3 tunnel are unblocked by the operating system and, when the network ports are unblocked, automatically transitions from the L4 tunnel to the L3 tunnel without terminating the VPN connection.
Type: Application
Filed: December 14, 2010
Publication date: January 5, 2012
Applicant: JUNIPER NETWORKS, INC.
Inventors: Yin Wei, Subramanian Iyer, Richard Campagna, James Wood
-
Patent number: 8090820
Abstract: A distributed system for analyzing traffic flow on a communications network architecture where a computer provides information over a data network to a concentrator, which provides a bridge between the computer and the end user terminals. The interface between the terminals and the concentrator is provided through access points for each workstation. The system to analyze the traffic is distributed into three components that perform, respectively, classification of the traffic flow, processing of the results of the classification, and handling of the processed results.
Type: Grant
Filed: May 12, 2006
Date of Patent: January 3, 2012
Assignee: QOSMOS
Inventors: Gautier Harmel, Eric Horlait, Jerome Tollet
-
Patent number: 8090105
Abstract: A method, system, and computer program product for broadcast encryption key management. The invention eliminates the need for pre-specification of a maximum number of keys that can be employed in a given broadcast encryption system by enabling an initial key to be extended by a link key. New receiver devices are modified to validate the extended keys, while older devices ignore them and process initial keys as usual. Compromised link keys can be revoked, though revocation preferably uses a unique.
Type: Grant
Filed: November 24, 2004
Date of Patent: January 3, 2012
Assignee: International Business Machines Corporation
Inventor: Jeffrey Bruce Lotspiech
-
Patent number: 8091140
Abstract: A system consisting of a memory storage unit in which the licensed audio files are stored. The function of this device is to recognize the requested data and thereby allow the audio file contents from the memory storage unit according to the instructions set to this device. It is an effective means for protecting the audio files in the device from duplication.
Type: Grant
Filed: April 12, 2006
Date of Patent: January 3, 2012
Assignee: Trinity Future-IN PVT. Ltd.
Inventor: George John Thekkethil
-
Patent number: 8090961
Abstract: A system and method for securing a personal device that includes a device core and a peripheral device from unauthorized access or operation. The system and method use a switch, included fully or partially within an envelope of the device, which cannot be affected in its operation by either the device core or the peripheral device. The switch may be activated by an authorized user of the personal device either preemptively or in response to a detected threat.
Type: Grant
Filed: April 29, 2007
Date of Patent: January 3, 2012
Inventors: Simon Yoffe, David Yoffe
-
Patent number: 8091134
Abstract: A system, method, and program product are provided that communicate virus information between the computer that detects a virus in a file (the detecting computer system) and the computer that sent the infected file (the infected computer system). When the infected computer system sends an infected file to the detecting computer system, the detecting computer system detects the virus in the infected file, retrieves virus information corresponding to the virus (such as the name of the infected file, the identifier, or name, of the virus, the virus definitions used to identify the virus, and any instructions needed to eradicate the virus), and automatically sends the virus information back to the infected computer system over the network.
Type: Grant
Filed: November 29, 2006
Date of Patent: January 3, 2012
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Farrel David Benton, Shane Christopher Branch, Robert J. Kapinos, Raymond G. Octaviano, II, Alberto Jose Rojas Saba, James C. Salembier, Simon David Nicholas Taylor, Sean Michael Ulrich
-
Publication number: 20110320807
Abstract: Systems and methods for processing encoded messages at a message receiver. A received encoded message is decoded and stored in a memory. The stored decoded message can subsequently be displayed or otherwise processed without repeating the decoding operations. Decoding operations may include signature verification, decryption, other types of decoding, or some combination thereof.
Type: Application
Filed: September 9, 2011
Publication date: December 29, 2011
Applicant: RESEARCH IN MOTION LIMITED
Inventors: Herbert A. Little, Michael S. Brown
-
Patent number: 8086863
Abstract: Secure message transfer of at least one message from a sender to a receiver within a network system may be provided. For example, message structure information regarding the at least one message may be computed on the sender side according to a pre-given scheme. The computed message structure information may be added as message account information into the at least one message to be sent. The message account information may be protected by a signature. The at least one message may be transferred through the network system to the receiver. On the receiver side, the message account information may be validated after reception of the at least one message, according to the pre-given scheme.
Type: Grant
Filed: July 11, 2007
Date of Patent: December 27, 2011
Assignee: SAP AG
Inventor: Maarten Rits
-
Patent number: 8086844
Abstract: An online trusted platform module (TPM) in communication with a security module that can be located elsewhere in the network, in a server machine. In an embodiment, the online TPM is connected directly to a network interface card (NIC) that is also resident at the client. This allows the online TPM to communicate directly with the network, and therefore with the security module (without having to deal with the TCP/IP stack at the client machine in some circumstances, e.g., the boot process). In an embodiment, the communications channel between the online TPM and the security module is implemented using the transport layer security (TLS) protocol. A secure boot process is performed in advance of security processing. Typical security processing includes receipt, by the online TPM, of one or more commands from an application. The online TPM then proxies the commands out to the security module.
Type: Grant
Filed: June 3, 2003
Date of Patent: December 27, 2011
Assignee: Broadcom Corporation
Inventors: Mark Buer, Pradeep Dubey
-
Patent number: 8086872
Abstract: Provided is a method for setting up a security channel between an OLT and at least one ONU in an EPON. In detail, a channel is generated by which the OLT makes a reciprocal security capability agreement with the ONU that wants to set up a security channel in a discovery interval, and then automatically registers the ONU with the security capability agreement. The security channel is set up by the OLT distributing an encryption key for the security to the ONU that has completed the security capability agreement. A renewal point of the encryption key is shared by transmitting a message indicating the time to change the encryption key between the OLT and the ONU, both of which have completed the encryption key distribution.
Type: Grant
Filed: December 1, 2006
Date of Patent: December 27, 2011
Assignee: Electronics and Telecommunications Research Institute
Inventors: Kwang Ok Kim, Yool Kwon, Bong Tae Kim
-
Patent number: 8087083
Abstract: A device (110) records traffic in a communications network. The device (110) monitors traffic received by the device (110) and determines whether the received traffic is unexpected. The device (110) records the traffic when the traffic is determined to be unexpected.
Type: Grant
Filed: October 9, 2002
Date of Patent: December 27, 2011
Assignee: Verizon Laboratories Inc.
Inventor: Edward James Norris
-
Publication number: 20110314272
Abstract: A system and method for uploading data from a customer system to a hosted system is disclosed. A stub is integrated with a firewall between the customer system and the hosted system. The stub includes an inbound layer on the customer system side of the firewall and an outbound layer on the hosted system side of the firewall, and the inbound layer includes a write-only directory. A daemon is connected between the inbound layer and the outbound layer of the stub. The daemon is configured to recognize newly received data in the write-only directory of the inbound layer, encrypt the newly received data to generate encrypted data, and move the encrypted data to the outbound layer for access by the hosted system.
Type: Application
Filed: June 17, 2010
Publication date: December 22, 2011
Inventors: Klaus Nagel, Achim Seubert, Oliver Rebholz, Patrick Winkler
-
Publication number: 20110314273
Abstract: A data grading transmission method includes the steps of enabling a transmitting terminal to grade data according to a preset data security rule and to mark the data with labels; designating transmission routes for the data according to the levels of the graded data; and enabling the data to be transmitted from the transmitting terminal to the receiving terminal through the designated transmission routes, and cascading the data having the same label according to the labels of the data. Thereby, grading data according to privacy and designating transmission routes for the data reduce network establishment cost and effectively regulate the data transmission rate through the data grading transmission method.
Type: Application
Filed: October 14, 2010
Publication date: December 22, 2011
Applicant: CHUNGHWA TELECOM CO., LTD.
Inventors: Pao Chuan Chu, Hsiu-Hsien Li, Li-Chen Lai, Liang-Chuan Lin, Ming Chung, Shou-Yi Chen, Shis-Kai Chang, Pei-Chun Chen, Tsan-Hua Chuang
-
Patent number: 8082236
Abstract: A method for data integrity protection includes arranging in an integrity hierarchy a plurality of data blocks, which contain data. The integrity hierarchy includes multiple levels of signature blocks containing signatures computed respectively over lower levels in the hierarchy, wherein the levels culminate in a top-level block containing a top-level signature computed over the hierarchy. A modification to be made in the data stored in a given data block is received. One or more of the signatures is recomputed in response to the modification, including the top-level signature. Copies of the given data block, and of the signature blocks, including a copy of the top-level block, are stored in respective locations in a storage medium. An indication that the copy is a valid version of the top-level block is recorded in the copy of the top-level block.
Type: Grant
Filed: October 16, 2008
Date of Patent: December 20, 2011
Assignee: SanDisk IL Ltd.
Inventors: Arseniy Aharonov, Boris Dolgunov
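The abstract above describes the structure in words; the following is an added example, written for this listing and not code from the patent or its assignee, that builds such a hierarchy in Python and shows why the top-level copy carries a validity marker. Everything concrete here is an assumption: the "signatures" are HMAC-SHA256 tags under a constructed device key (the abstract does not name the scheme), the fan-out of two data blocks per signature block, the two-slot layout for top-level copies, and the `storage` dictionary that stands in for the storage medium.

```python
import hashlib
import hmac
import struct

# Constructed device key for the example. The patent does not fix the signature
# scheme, so keyed HMAC-SHA256 tags stand in for its signatures.
KEY = b"device-integrity-key"
TAG_LEN = 32
VALID = b"\x01"   # marker recorded in a top-level copy once it is fully written


def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


class IntegrityHierarchy:
    """Leaves are data blocks. Each level-1 signature block holds the tag of
    every data block in its group of FANOUT blocks. The top-level block holds
    one tag over all level-1 blocks, plus a version number and a valid marker.
    `storage` maps a location name to the bytes stored there; it models the
    storage medium the abstract refers to."""

    FANOUT = 2

    def __init__(self, data_blocks):
        self.storage = {}
        self.version = 0
        self.n = len(data_blocks)
        for i, block in enumerate(data_blocks):
            self.storage[f"data/{i}"] = block
        for g in range(self._groups()):
            self._write_sig_block(g)
        self._write_top()

    def _groups(self) -> int:
        return (self.n + self.FANOUT - 1) // self.FANOUT

    def _sig_block(self, g: int) -> bytes:
        members = range(g * self.FANOUT, min((g + 1) * self.FANOUT, self.n))
        return b"".join(tag(self.storage[f"data/{i}"]) for i in members)

    def _write_sig_block(self, g: int):
        self.storage[f"sig/{g}"] = self._sig_block(g)

    def _top_tag(self) -> bytes:
        return tag(b"".join(self.storage[f"sig/{g}"] for g in range(self._groups())))

    def _write_top(self):
        # Two alternating slots. The new copy, carrying a higher version and the
        # valid marker, is written before the old copy is touched, so an update
        # interrupted at any point still leaves one valid top-level copy behind.
        self.version += 1
        slot = self.version % 2
        self.storage[f"top/{slot}"] = struct.pack(">I", self.version) + self._top_tag() + VALID

    def modify(self, i: int, new_data: bytes):
        """Change data block i, then recompute only the tags on its path to the top."""
        self.storage[f"data/{i}"] = new_data
        self._write_sig_block(i // self.FANOUT)
        self._write_top()

    def current_top(self) -> bytes:
        """The valid top-level copy with the highest version number."""
        copies = [self.storage[k] for k in ("top/0", "top/1")
                  if k in self.storage and self.storage[k].endswith(VALID)]
        return max(copies, key=lambda c: struct.unpack(">I", c[:4])[0])

    def current_version(self) -> int:
        return struct.unpack(">I", self.current_top()[:4])[0]

    def verify(self) -> bool:
        """Recompute every level from the data blocks and compare with what is stored."""
        for g in range(self._groups()):
            if not hmac.compare_digest(self.storage[f"sig/{g}"], self._sig_block(g)):
                return False
        stored_top_tag = self.current_top()[4:4 + TAG_LEN]
        return hmac.compare_digest(stored_top_tag, self._top_tag())


def demo():
    """Returns (verify after build, verify after a tracked update,
    verify after an edit that bypassed the hierarchy)."""
    h = IntegrityHierarchy([b"block0", b"block1", b"block2", b"block3"])
    ok_built = h.verify()
    h.modify(2, b"block2-v2")
    ok_updated = h.verify()
    h.storage["data/1"] = b"tampered"   # written behind the hierarchy's back: no tags recomputed
    ok_tampered = h.verify()
    return ok_built, ok_updated, ok_tampered


def interrupted_update():
    """Data and level-1 copies reach the medium, then power fails before the new
    top-level copy is written. The old top copy is still marked valid, so a
    reader finds it, and verification reports the tree as inconsistent."""
    h = IntegrityHierarchy([b"x", b"y"])
    h.storage["data/0"] = b"x2"
    h._write_sig_block(0)
    return h.current_version(), h.verify()
```

The two-slot top-level write is the part worth copying: the valid marker is only ever set on a copy that was completely written, and `current_top()` never has to trust a half-written block.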
-
Patent number: 8082586
Abstract: A mechanism is provided for identifying a snooping device in a network environment. A snoop echo response extractor generates an echo request packet with a bogus MAC address that will only be received by a snooping device. The snoop echo response extractor also uses an IP address that will cause the snooping device to respond to the echo request. Non-snooping devices discard the echo request packet. Upon receiving the response packet, the snooping device is identified.
Type: Grant
Filed: November 22, 2005
Date of Patent: December 20, 2011
Assignee: International Business Machines Corporation
Inventors: Tristan Anthony Brown, Shawn Patrick Mullen, Venkat Venkatsubra
-
Patent number: 8079118
Abstract: Vehicle internetworks provide for communications among diverse electronic devices within a vehicle, and for communications among these devices and networks external to the vehicle. The vehicle internetwork comprises specific devices, software, and protocols, and provides security for essential vehicle functions and data communications, ease of integration of new devices and services into the vehicle internetwork, and ease of addition of services linking the vehicle to external networks such as the Internet.
Type: Grant
Filed: October 13, 2010
Date of Patent: December 20, 2011
Assignee: Borgia/Cummins, LLC
Inventors: David C. Gelvin, Lewis D. Girod, William J. Kaiser, Frederic Newberg, Gregory J. Pottie
-
Patent number: 8082441
Abstract: In a hitless manual cryptographic key refresh scheme, a state machine is independently maintained at each network node. The state machine includes a first state, a second state, and a third state. In the first state, which is the steady state, a current cryptographic key is used both for generating signatures for outgoing packets and for authenticating signatures of incoming packets. In the second state, which is entered when a new cryptographic key is provisioned, the old (i.e. formerly current) key is still used for generating signatures for outgoing packets; however, one or, if necessary, both of the old key and the newly provisioned key are used for authenticating signatures of incoming packets. In the third state, the new key is used for generating signatures for outgoing packets and either one or both of the old key and new key are used for authenticating signatures of incoming packets.
Type: Grant
Filed: June 10, 2009
Date of Patent: December 20, 2011
Assignee: Nortel Networks Limited
Inventors: Richard Gauvreau, Michael Aalders, Kim Edwards
-
Publication number: 20110307693
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to "hopping" of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Application
Filed: June 7, 2011
Publication date: December 15, 2011
Applicant: VirnetX, Inc.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor, Douglas Charles Schmidt
-
Patent number: 8079078
Abstract: An encryption apparatus capable of effectively preventing encryption data from being illegally generated is provided. Based on apparatus identification data of an integrated circuit (IC), which is input from a computer, a secure application module (SAM) selects an encryption method from among a plurality of different encryption methods. Based on the code of the IC, the SAM selects plaintext data to be encrypted from among the plurality of different pieces of plaintext data. The SAM outputs encryption data such that the selected plaintext data is encrypted by the selected encryption method.
Type: Grant
Filed: December 30, 2004
Date of Patent: December 13, 2011
Assignee: Sony Corporation
Inventors: Hideo Yamamoto, Naofumi Hanaki, Katsuyuki Teruyama, Tomohiko Nagayama, Masahiro Sueyoshi, Yoshiaki Hirano
-
Patent number: 8079077
Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that the same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, more capable security gateways are provided.
Type: Grant
Filed: November 29, 2007
Date of Patent: December 13, 2011
Assignee: A10 Networks, Inc.
Inventors: Lee Chen, Ronald Wai Lun Szeto
-
Patent number: 8079059
Abstract: Methods, computer products, and systems are described for providing terminal view access of a client device in a secure enterprise network. One method includes receiving a request from a first client device within the secure enterprise network and/or a second client device for providing terminal view access of the first and/or second client device to the second and/or first client device respectively. A security check on the request is performed to enforce a security policy of the secure enterprise network. When the security policy is satisfied, a secure data transport channel is established between the first client device and the second client device. Terminal view data corresponding to a desktop associated with the first and/or second client device is received from the first and/or second client device respectively via the data transport channel and is provided to the second and/or first client device respectively via the data transport channel.
Type: Grant
Filed: September 29, 2008
Date of Patent: December 13, 2011
Assignee: Imera Systems, Inc.
Inventor: Jaushin Lee
-
Patent number: 8079066
Abstract: A method, a computer readable medium and a system of multi-domain login and messaging are provided. The method for multi-domain login comprises inputting a local password by an agent, accessing a password vault with the local password, retrieving at least one hidden password from the password vault, and logging the agent into at least one agent application using the at least one hidden password. The method for multi-domain messaging comprises retrieving information of an agent from a database, retrieving at least one skill group to which the agent belongs from the information, retrieving a message linked to the at least one skill group, and sending the message to the agent.
Type: Grant
Filed: November 20, 2007
Date of Patent: December 13, 2011
Assignee: West Corporation
Inventors: Jeffrey William Cordell, Larry Trent Larson, Michael S. Fecci, Raymond Onslow Morris, Kevin Peter Pierson
-
Publication number: 20110302409
Abstract: A method of granting access to resources includes the step of receiving a request from a node to access a resource. A scanning agent is generated to gather information about the node. A key is generated and embedded in the scanning agent. The scanning agent is transmitted to the node and gathers information regarding the node. The scanning agent encrypts the gathered information using the at least one generated key. The encrypted gathered information is received from the scanning agent and decrypted.
Type: Application
Filed: August 12, 2011
Publication date: December 8, 2011
Inventors: Goutham Rao, Lewis McCarthy, Timothy Ernest Simmons
-
Publication number: 20110302408
Abstract: In part, the invention relates to a secure communication system. The system includes a voice call processing server; a user database in communication with the server; and a security gateway in communication with the server and the database, wherein the gateway transmits an encrypted signaling key and at least one encrypted media key in response to validating a mobile device using configuration data stored in the database, wherein the server tracks call traffic encrypted using the at least one media key, the call traffic routed using the Internet.
Type: Application
Filed: June 3, 2011
Publication date: December 8, 2011
Applicant: Morrigan Partners Limited
Inventors: Trevor McDermott, Robert Bruton
-
Patent number: 8074279
Abstract: An unauthorized wireless access point in a network is detected using a detector. A rogue access point detector receives an incoming data packet, which is scanned for a time expiration value. The time expiration value may be a Time To Live (TTL) value as used in Internet Protocol data packet headers. It is determined whether the time expiration value is the same as a threshold time expiration value. If the time expiration value is not the same as the threshold value, it is determined whether the incoming data packet was routed through an authorized access point in the network. If it is determined that the packet is not being routed from an authorized access point, a security component in the network, such as a network administrator's workstation, is notified. During this process the time expiration value remains unchanged.
Type: Grant
Filed: December 28, 2007
Date of Patent: December 6, 2011
Assignee: Trend Micro, Inc.
Inventors: Ching Lung Lin, Tzu Hao Chen
-
Publication number: 20110296169
Abstract: Communication is facilitated between a plurality of servers (101, 102, 103) and a plurality of local devices (204, 206, 207, 208, 210). An apparatus comprises a first network interface for communicating with the servers, a second network interface for communicating with the local devices, and a microcontroller having a processor, memory, a cryptographic engine for carrying out cryptographic calculations, and a tamper-resistance element configured to resist tampering with the apparatus. A plurality of programs, each comprising instructions and data, are stored in the memory. The processor is configured to, for a first local device, identify a first program which is associated with the first local device, and using the first program, provide a secure communications channel between the first local device and a first server.
Type: Application
Filed: September 4, 2009
Publication date: December 1, 2011
Inventor: Charles Graham Palmer
-
Publication number: 20110289312
Abstract: A TCP communication scheme which ensures safe communication up to the communication path near a terminal and eliminates direct attacks from hackers, etc. A terminal (A) and terminal (B) are connected to a relay apparatus (X) and relay apparatus (Y), where the terminal (A) and the terminal (B) are the endpoint terminals positioned at the two ends of a TCP communication connection. The relay apparatuses (X, Y) are each connected to a network (NET). The relay apparatuses (X and Y) are provided so as to be between the terminals (A and B), which had been performing conventional TCP communication, and neither of the relay apparatuses (X and Y) has an IP address. The relay apparatuses (X and Y) take over the TCP connection between the terminal (A) and the terminal (B), divide the connection into three TCP connections, and establish TCP communication.
Type: Application
Filed: January 26, 2010
Publication date: November 24, 2011
Inventors: Yasushi Tateishi, Tatsuya Okuro, Yasunori Nishibe, Takashi Habutsu
-
Patent number: 8065515
Abstract: In one embodiment, a method comprises detecting, by a router, an unsolicited first router advertisement message from an attachment router that provides an attachment link used by the router, the first router advertisement message specifying a first IPv6 address prefix owned by the attachment router and usable for address autoconfiguration on the attachment link; detecting, by the router, an unsolicited delegated IPv6 address prefix from the attachment router and that is available for use by the router; and automatically selecting by the router a second IPv6 address prefix based on concatenating a suffix to the delegated IPv6 address prefix, including dynamically generating the suffix based on a prescribed distributed hash operation executed by the router, the second IPv6 address prefix for use on at least one ingress link of the router.
Type: Grant
Filed: August 20, 2007
Date of Patent: November 22, 2011
Assignee: Cisco Technology, Inc.
Inventors: Ralph Edward Droms, Pascal Thubert
-
Patent number: 8064827
Abstract: A center device is provided for accommodating a variety of situations which may occur when a home-use game machine, or the like, is used, in which a plurality of users use their own controller devices such as an input device. The center device communicates with a plurality of controller devices, receives an instructing operation carried out by the user of each controller device, and executes processing according to the instructing operation. The center device selects at least one of the controller devices as a controller device to be authenticated from among the plurality of controller devices by utilizing communication with each of the plurality of controller devices, and conducts authentication processing relative to each of the controller devices while communicating with each of the selected controller devices.
Type: Grant
Filed: April 27, 2006
Date of Patent: November 22, 2011
Assignee: Sony Computer Entertainment Inc.
Inventors: Mariko Hino, Satoshi Hashimoto, Ken Kutaragi
-
Patent number: 8065520
Abstract: An embodiment of the invention includes a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal. In general, address rewriting and other manipulation can be performed on the requested web pages, such that the true sources of the web pages are disguised and such that subsequent communications from the terminal are directed to the secure server and/or spoofing unit, rather than to the true source of the web pages. Components of the user's privacy may be sold, or advertisements may be provided, in exchange for protection of the user's identity.
Type: Grant
Filed: February 27, 2009
Date of Patent: November 22, 2011
Assignee: Symantec Corporation
Inventors: Stephen Dao Hui Hsu, James Noshir Hormuzdiar, Jon A Chun
-
Patent number: 8065725
Abstract: Systems and methods for an information system security infrastructure are described. One embodiment of the present invention comprises a global Internet-scale defense infrastructure, referred to as the Intrusion Detection Force (IDF). The IDF comprises a virtual infrastructure implemented on top of an existing network, such as the Internet. The IDF enables secure information sharing and intelligent data analysis and response. The node (e.g. 102 of FIG. 1) is the most primitive entity in the IDF architecture, and may be a switch, router, server, or workstation. The IDF may be implemented in small networks of computers or may be utilized by millions of hosts throughout the Internet, spanning different organizations, countries, and continents.
Type: Grant
Filed: May 30, 2003
Date of Patent: November 22, 2011
Inventors: Yuliang Zheng, Lawrence Chin Shiun Teo