Particular Node (e.g., Gateway, Bridge, Router, Etc.) For Directing Data And Applying Cryptography Patents (Class 713/153)
  • Patent number: 8064827
    Abstract: To provide a center device for accommodating a variety of situations which may occur when a home-use game machine, or the like, is used, in which a plurality of users use their own controller devices such as an input device. A center device communicates between a plurality of controller devices, receives an instructing operation carried out by the user of each controller device, and executes processing according to the instructing operation. The center device selects at least one of the controller devices as a controller device to be authenticated from among the plurality of controller devices by utilizing communication with each of the plurality of controller devices, and conducts authentication processing relative to each of the controller devices while communicating with each of the selected controller devices.
    Type: Grant
    Filed: April 27, 2006
    Date of Patent: November 22, 2011
    Assignee: Sony Computer Entertainment Inc.
    Inventors: Mariko Hino, Satoshi Hashimoto, Ken Kutaragi
  • Patent number: 8065725
    Abstract: Systems and methods for an information system security infrastructure are described. One embodiment of the present invention comprises global Internet-scale defense infrastructure, referred to as the Intrusion Detection Force (IDF). The IDF comprises a virtual infrastructure implemented on top of an existing network, such as the Internet. The IDF enables secure information sharing and intelligent data analysis and response. The node (e.g. 102 of FIG. 1) is the most primitive entity in the IDF architecture, and may be a switch, router, server, or workstation. The IDF may be implemented in small networks of computers or may be utilized by millions of hosts throughout the Internet, spanning different organizations, countries, and continents.
    Type: Grant
    Filed: May 30, 2003
    Date of Patent: November 22, 2011
    Inventors: Yuliang Zheng, Lawrence Chin Shiun Teo
  • Patent number: 8065520
    Abstract: An embodiment of the invention includes a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal. In general, address rewriting and other manipulation can be performed on the requested web pages, such that the true sources of the web pages are disguised and such that subsequent communications from the terminal are directed to the secure server and/or spoofing unit, rather than to the true source of the web pages. Components of the user's privacy may be sold, or advertisements may be provided, in exchange for protection of the user's identity.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: November 22, 2011
    Assignee: Symantec Corporation
    Inventors: Stephen Dao Hui Hsu, James Noshir Hormuzdiar, Jon A Chun
  • Patent number: 8065534
    Abstract: A state store having state information therein is stored on a computing device. Information at least nearly unique to the computing device is obtained, and a number of locations at which at least a portion of the state store is to be stored at is determined. Pseudo-random file names and corresponding paths are generated based at least in part on the obtained information, whereby the generated file names and corresponding paths are likewise at least nearly unique to the computing device, and the generated file names and path are paired to form the locations. Thereafter, the state store is stored according to the generated locations.
    Type: Grant
    Filed: June 21, 2010
    Date of Patent: November 22, 2011
    Assignee: Microsoft Corporation
    Inventors: Xiaoxi Tan, Caglar Gunyakti, Yue Liu, Karan S. Dhillon, Kristian E. Hatlelid
  • Publication number: 20110283102
    Abstract: A secure server may be utilized to support watermark embedding in multimedia system-on-chips, by generating an encrypted and signed watermarking signal for use in each particular system-on-chip. The encrypted and signed watermarking signal is generated based on a unique per-chip ID associated with the particular system-on-chip. The watermarking signal may be signed by the secure server utilizing a random number generated in and/or provided by the particular system-on-chip. The watermarking signal may be encrypted by the secure server based on a secret encryption key associated with the particular system-on-chip. The secret encryption key may be determined based on the unique per-chip ID associated with the particular system-on-chip. The secure server may store information, received from various system-on-chips, for use during generation of watermarking signals.
    Type: Application
    Filed: August 2, 2011
    Publication date: November 17, 2011
    Applicant: BROADCOM CORPORATION
    Inventor: Xuemin Chen
  • Patent number: 8060739
    Abstract: An apparatus and method for providing a security service is provided. The apparatus includes a reception module which receives first data including a first public key and marked with a security ID, the first public key being one of a pair of public keys necessary for providing a security service to a home server and the security ID indicating that the first data needs to be encrypted; a response generation module which generates second data by encrypting part of a response message for the first data; and a transmission module which transmits the second data to a home server in a home network.
    Type: Grant
    Filed: April 7, 2008
    Date of Patent: November 15, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyung-Mo Park, Seung-Jae Oh, Hyoung-shick Kim, Young-sun Ryu
  • Patent number: 8060926
    Abstract: Techniques are provided for securely managing and accelerating the delivery of data associated with remote sites. A client desires to establish secure communications with a remote site. Requests made from the client to the remote site are intercepted or forwarded to a proxy, which locates a local managing service associated with handling the requests. The local managing service acts as an intermediary between the client and the remote site and communicates securely with the client. Data associated with the client's requests is at least partially cached by the local managing service for purposes of accelerating the delivery of that data to the client.
    Type: Grant
    Filed: February 23, 2004
    Date of Patent: November 15, 2011
    Assignee: Novell, Inc.
    Inventors: Hashem Mohammad Ebrahimi, Mark D. Ackerman, Mel J Oyler
  • Patent number: 8055678
    Abstract: A query processing system and method by query transformation transform a user request query, based on an original DB structure and destined for a DBMS of a DB with some columns encrypted, into a query based on the encrypted DB structure so that the DBMS processes the query. The query is processed irrespective of whether or not it includes an encryption-related item, and query-processing performance is remarkably improved.
    Type: Grant
    Filed: October 15, 2008
    Date of Patent: November 8, 2011
    Assignee: Penta Security Systems, Inc.
    Inventors: Duk Soo Kim, Jin Hyuk Jung, Eui Seok Kim
  • Patent number: 8056131
    Abstract: Apparatus, methods and articles of manufacture are disclosed for intercepting, examining and controlling proscribed or predetermined code, data and files and their transfers. A preprocessing component, code decomposition component, valuation component and comparison component are used to process code. The methods of valuation used include numerical valuation so as to obtain a numerical value for the code. Additional features may include a decryption feature, code alteration component and other components.
    Type: Grant
    Filed: April 26, 2004
    Date of Patent: November 8, 2011
    Assignee: Cybersoft, Inc.
    Inventors: Peter V. Radatti, Richard J. Perry, Gary L. Blawat, II
  • Patent number: 8055894
    Abstract: There is disclosed a process for encrypting a data stream to secure the data stream for single viewing and to protect copyrights of the data stream. Specifically, there is disclosed a process for protecting streaming multimedia, entertainment and communications in an Internet-type transmission. There is further disclosed a streaming server component operably connected with a streaming server that interacts with a client system to effect the inventive process.
    Type: Grant
    Filed: April 30, 2008
    Date of Patent: November 8, 2011
    Assignee: Google Inc.
    Inventors: Brian A. Baker, Glenn A. Morten, Charles Duncan MacLean, Jeffrey Lee Tinker
  • Patent number: 8055895
    Abstract: Methods and associated systems provide secured data transmission over a data network. A security device provides security processing in the data path of a packet network. The device may include at least one network interface to send packets to and receive packets from a data network and at least one cryptographic engine for performing encryption, decryption and/or authentication operations. The device may be configured as an in-line security processor that processes packets that pass through the device as the packets are routed to/from the data network.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: November 8, 2011
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Scott S. McDaniel, Uri Elzur, Joseph J. Tardo, Kan Fan
  • Patent number: 8056124
    Abstract: A method and system for creating security policies for firewall and connection policies in an integrated manner is provided. The security system provides a user interface through which a user can define a security rule that specifies both a firewall policy and a connection policy. After the security rule is specified, the security system automatically generates a firewall rule and a connection rule to implement the security rule. The security system provides the firewall rule to a firewall engine that is responsible for enforcing the firewall rules and provides the connection rule to an IPsec engine that is responsible for enforcing the connection rules.
    Type: Grant
    Filed: July 15, 2005
    Date of Patent: November 8, 2011
    Assignee: Microsoft Corporation
    Inventors: Charles D. Bassett, Eran Yariv, Ian M. Carbaugh, Lokesh Srinivas Koppolu, Maksim Noy, Sarah A. Wahlert, Pradeep Bahl
  • Publication number: 20110271096
    Abstract: Described are computer-based methods and apparatuses, including computer program products, for loosely-coupled encryption functionality for operating systems. A data packet is processed through one or more internet protocol stack layers to generate a processed data packet. Encryption information is determined that includes parameters for encrypting and decrypting data packets transmitted between the first computing device and the remote computer. A message comprising data indicative of the encryption information is transmitted to a second computing device, wherein an operating system being executed is unaware of a security nature of the transmission. A bypass encryption routine is executed to generate an unencrypted data packet, wherein the bypass encryption routine does not encrypt the processed data packet. The unencrypted data packet is transmitted to the second computing device.
    Type: Application
    Filed: April 29, 2010
    Publication date: November 3, 2011
    Applicant: Sonus Networks, Inc.
    Inventors: Shaun Jaikarran Bharrat, Damascene M. Joachimpillai
  • Publication number: 20110271098
    Abstract: Consumers may utilize computing devices to assist in the purchase and/or loyalty process, and in particular, the consumer may utilize a PDA to facilitate the purchase and/or loyalty process. During the purchase and/or loyalty process, the consumer may need to ensure that any content downloaded or used in association with the PDA is secure in how it is collected, assembled, and delivered to the PDA device. This system and method secures the data from its source to when it is actually viewed or used by the authorized user. The exemplary system and method may establish a PDA portal link to the web site for collecting specified information for a user and transmitting the information to the remote device. To receive the information, the PDA contacts the portal and establishes a connection, authenticates itself to the network and allows the user to complete secured transactions or transmissions over the network.
    Type: Application
    Filed: July 13, 2011
    Publication date: November 3, 2011
    Applicant: American Express Travel Related Services Company, Inc.
    Inventors: Fred Bishop, Trey Neemann, Theodore S. Voltmer, Fauziah B. Ariff
  • Publication number: 20110271097
    Abstract: Described are computer-based methods and apparatuses, including computer program products, for loosely-coupled encryption functionality for operating systems. A data packet is processed through one or more internet protocol stack layers to generate a processed data packet. Modified encryption information is determined that does not comprise a desired security policy for the data packet and comprises null parameter(s) and is based on encryption information that comprises the desired security policy. A message comprising data indicative of the encryption information is transmitted. An operating system is unaware of a security nature of the transmission. A null-encryption routine is executed to generate an unencrypted data packet, wherein the null-encryption routine does not encrypt the processed data packet. The unencrypted data packet is transmitted to the second computing device.
    Type: Application
    Filed: April 29, 2010
    Publication date: November 3, 2011
    Applicant: Sonus Networks, Inc.
    Inventors: Damascene M. Joachimpillai, Shaun Jaikarran Bharrat, Aby Kuriakose, Vivian Lu, Xiang Yu
  • Patent number: 8050410
    Abstract: A method and system for providing communication over arbitrary distances with a desired probability of security is disclosed. In accordance with one embodiment of the invention shares of a random key are encoded, the random key for effecting communication of a message through a network employing a cryptographically strong forward security system having a limited effective communications distance. A distributed re-randomization of the encoded shares is then effected at a plurality of intermediate network nodes.
    Type: Grant
    Filed: December 8, 2006
    Date of Patent: November 1, 2011
    Assignee: UTI Limited Partnership
    Inventors: Barry Sanders, Travis Beals
  • Patent number: 8051475
    Abstract: Method for exchanging information between heterogeneous secured networks. Method supports synchronous communications across security domains including text chat, instant messaging, audio applications, video applications, and whiteboard collaboration. The invention intercepts incoming information traffic on either side and employs a guard for filtering information traffic between security domains according to a policy engine.
    Type: Grant
    Filed: March 27, 2007
    Date of Patent: November 1, 2011
    Assignee: The United States of America as represented by the Secretary of the Air Force
    Inventors: Douglas A. Poore, Scott Thomas
  • Patent number: 8051472
    Abstract: Methods and systems are disclosed for personalization and identity management. In one embodiment, the method comprises receiving, from an access provider, a message for a service provider, the message associated with a first identifier of a user of the access provider. A second identifier is obtained, the first identifier is disassociated from the message, and the second identifier is associated with the message. The message associated with the second identifier is then sent to the service provider.
    Type: Grant
    Filed: July 13, 2004
    Date of Patent: November 1, 2011
    Assignee: Oracle International Corporation
    Inventor: Stephane H. Maes
  • Publication number: 20110264909
    Abstract: A method for identifying alternative end-to-end media paths through Internet protocol realms using substitute session description protocol parameters is disclosed. The method includes receiving a session description protocol offer, including a list of internet protocol realms. The list may include any number of previously traversed through internet protocol realms and/or secondary internet protocol realms. The method continues with determining the outgoing internet protocol realm for a media path based on unspecified signaling criteria. Finally, the method includes that if the outgoing internet protocol realm to be traversed through is on the list of previously traversed through and/or secondary internet protocol realms, bypassing at least one border gateway associated with the incoming and previously traversed through internet protocol realms.
    Type: Application
    Filed: July 8, 2011
    Publication date: October 27, 2011
    Inventor: Richard P. Ejzak
  • Publication number: 20110264908
    Abstract: A method for preventing network attacks is provided, which includes: obtaining a data packet, where a source address of the data packet is a cryptographically generated address (CGA); determining that the obtained data packet includes a CGA parameter and signature information; authenticating the CGA parameter; authenticating the signature information according to the authenticated CGA parameter; and sending the data packet to a destination address when the signature information is authenticated. Accordingly, a device for preventing network attacks is also provided. A CGA parameter used by a data packet is directly used to ensure authenticity of a source address of the data packet, thus preventing network attacks performed by counterfeiting the address. In addition, by authenticating signature information, authenticity of identification of a sender of the data packet and bound address of the sender of the data packet are further ensured.
    Type: Application
    Filed: April 29, 2011
    Publication date: October 27, 2011
    Applicant: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.
    Inventors: Hongyan Feng, Lifeng Liu
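The source-address check the abstract describes rests on Cryptographically Generated Addresses as specified in RFC 3972: the interface identifier is a hash of the sender's public key and a modifier, so a verifier can confirm that whoever holds the CGA Parameters owns the address without any PKI. The block below is an added example of CGA generation and verification, not the applicant's code. The public key is a constructed byte string standing in for a DER-encoded key, and the signature check over the packet that the abstract also mentions (SEND-style) needs a real public-key library and is deliberately not part of this block.

```python
"""CGA (RFC 3972) generation and verification. Added example, not the
applicant's code. PUBKEY is constructed stand-in bytes, not a real key."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CGAParams:
    modifier: bytes          # 16 bytes, searched for during generation
    prefix: bytes            # 8-byte subnet prefix the address was built for
    collision_count: int     # 0..2, incremented after a DAD collision
    pubkey: bytes            # DER public key in RFC 3972; constructed bytes here


def _hash1(p: CGAParams) -> bytes:
    """Leftmost 64 bits of SHA-1 over the encoded CGA Parameters."""
    data = p.modifier + p.prefix + bytes([p.collision_count]) + p.pubkey
    return hashlib.sha1(data).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1 over modifier || 9 zero bytes || public key."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2: bytes, sec: int) -> bool:
    # Sec raises the attacker's brute-force cost: 16*Sec leading bits must be zero.
    return h2[: 2 * sec] == bytes(2 * sec)


def _interface_id(h1: bytes, sec: int) -> bytes:
    iid = bytearray(h1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)   # bits 0-2 carry Sec, bits 6-7 (u/g) are zero
    return bytes(iid)


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, collision_count: int = 0):
    """Returns (16-byte address, CGAParams). The modifier search starts at zero
    so the result is deterministic here; a real node starts from a random value."""
    m = 0
    while True:
        modifier = m.to_bytes(16, "big")
        if _hash2_ok(_hash2(modifier, pubkey), sec):
            break
        m += 1
    params = CGAParams(modifier, prefix, collision_count, pubkey)
    return prefix + _interface_id(_hash1(params), sec), params


def verify_cga(address: bytes, params: CGAParams) -> bool:
    """RFC 3972 section 5: true only if params genuinely bind to this address."""
    if len(address) != 16 or params.collision_count > 2:
        return False
    if params.prefix != address[:8]:
        return False
    sec = address[8] >> 5                    # Sec is read from the address itself
    if _interface_id(_hash1(params), sec) != address[8:]:
        return False
    return _hash2_ok(_hash2(params.modifier, params.pubkey), sec)


# Constructed inputs: documentation prefix 2001:db8::/64 and a stand-in key.
PREFIX = bytes.fromhex("20010db800000000")
PUBKEY = b"constructed-stand-in-for-a-DER-RSA-public-key"

if __name__ == "__main__":
    addr, params = generate_cga(PREFIX, PUBKEY, sec=1)
    print(addr.hex(), verify_cga(addr, params))
```

A forwarding device that applies this check drops any packet whose CGA Parameters do not reproduce the source address; an attacker who wants to spoof a victim's address must either find a second pre-image of Hash1 or, for Sec > 0, also pay the 2^(16*Sec) Hash2 search, which is what makes the address hard to counterfeit.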
  • Publication number: 20110264906
    Abstract: A mobile node, a gateway node and methods are provided for securely storing a content into a remote node. The mobile node, or a gateway node of a network providing access to the mobile node, applies a content key to the content prior to sending the content for storage in the remote node. The content key is generated at the mobile node, based on a random value obtained from an authentication server, or directly at the authentication server if applied by the gateway node. The content key is not preserved in the mobile node or in the gateway node, for security purposes. When the mobile node or the gateway node fetches again the content from the remote node, the same content key is generated again for decrypting the content. The remote node does not have access to the content key and can therefore not read or modify the content.
    Type: Application
    Filed: April 27, 2010
    Publication date: October 27, 2011
    Applicant: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Makan Pourzandi, Mats Naslund
  • Publication number: 20110264907
    Abstract: Embodiments of the invention provide a solution for securing information within a Cloud computing environment. Specifically, an encryption service/gateway is provided to handle encryption/decryption of information for all users in the Cloud computing environment. Typically, the encryption service is implemented between Cloud portals and a storage Cloud. Through the use of a browser/portal plug-in (or the like), the configuration and processing of the security process is managed for the Cloud computing environment user by pointing all traffic for which security is desired to this encryption service so that it can perform encryption (or decryption in the case of document retrieval) as needed (e.g., on the fly) between the user and the Cloud.
    Type: Application
    Filed: April 27, 2010
    Publication date: October 27, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Linda N. Betz, Wesley J. Ho, Charles S. Lingafelt, David P. Merrill
  • Patent number: 8045714
    Abstract: Systems and methods for managing multiple keys for file encryption and decryption may provide an encrypted list of previously used keys. The list itself may be encrypted using a current key. To decrypt files that are encrypted in one or more of the previous keys, the list can be decrypted, and the appropriate previous key can be retrieved. To re-key files, an automated process can decrypt any files using previous keys and encrypt them using the current key. If a new current key is introduced, the prior current key can be used to decrypt the list of keys, the prior current key can be added to the list, and the list can be re-encrypted using the new current key.
    Type: Grant
    Filed: February 7, 2005
    Date of Patent: October 25, 2011
    Assignee: Microsoft Corporation
    Inventors: David B. Cross, Duncan G. Bryce, Jianrong Gu, Kelvin Shek Yiu, Monica Ioana Ene-Pietrosanu
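The key-management scheme above has a simple invariant worth seeing in code: only the current key is held in the clear, every retired key lives in a list that is itself encrypted under the current key, and a rotation decrypts that list with the outgoing key, appends the outgoing key, and re-seals under the incoming one. The block below is an added example of that scheme, not Microsoft's code. Because Python's standard library has no AES, seal()/open_() use an HMAC-SHA256 counter keystream plus an HMAC tag (encrypt-then-MAC) as a stand-in; in practice use AES-GCM from a real crypto library. File records and key bytes are constructed.

```python
"""Current key + encrypted list of retired keys, with automated re-keying.
Added example, not Microsoft's code. seal()/open_() are an HMAC-based
stand-in for an AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import os
from typing import Dict, List


def _subkey(key: bytes, purpose: bytes) -> bytes:
    return hmac.new(key, purpose, hashlib.sha256).digest()   # separate enc/mac keys


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; tag covers nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class KeyRing:
    """Holds the current key in memory; retired keys exist only inside a list
    sealed under the current key, so losing the current key loses them all."""

    def __init__(self, key_id: str, key: bytes):
        self.current_id, self.current_key = key_id, key
        self.sealed_list = seal(key, json.dumps({}).encode())   # empty retired-key list

    def _retired(self) -> Dict[str, bytes]:
        raw = json.loads(open_(self.current_key, self.sealed_list))
        return {k: bytes.fromhex(v) for k, v in raw.items()}

    def rotate(self, new_id: str, new_key: bytes) -> None:
        """Decrypt the list with the outgoing key, add it, re-seal under the new key."""
        retired = self._retired()
        retired[self.current_id] = self.current_key
        self.current_id, self.current_key = new_id, new_key
        body = json.dumps({k: v.hex() for k, v in retired.items()}).encode()
        self.sealed_list = seal(new_key, body)

    def key_for(self, key_id: str) -> bytes:
        if key_id == self.current_id:
            return self.current_key
        return self._retired()[key_id]           # KeyError if never a ring member

    def encrypt_file(self, data: bytes) -> dict:
        return {"key_id": self.current_id, "blob": seal(self.current_key, data)}

    def decrypt_file(self, f: dict) -> bytes:
        return open_(self.key_for(f["key_id"]), f["blob"])

    def rekey(self, files: List[dict]) -> int:
        """Re-encrypt every file still under a retired key; returns how many moved."""
        moved = 0
        for f in files:
            if f["key_id"] != self.current_id:
                f.update(self.encrypt_file(self.decrypt_file(f)))
                moved += 1
        return moved
```

Once rekey() has touched every file, the retired keys in the list are no longer needed for anything on disk and can be pruned; until then the list is the only path back to data encrypted before the last rotation, which is why it is re-sealed rather than dropped at each rotation.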
  • Patent number: 8045713
    Abstract: A method and apparatus is provided for consolidating cryptographic key updates, the consolidated update information enabling, for example, a returning member of a secure group who has been offline, to recover the current group key, at least in most cases. The unconsolidated key updates each comprise an encrypted key, corresponding to a node of a key hierarchy, that has been encrypted using a key which is a descendant of that node. The key updates are used to maintain a key tree with nodes in this tree corresponding to nodes in the key hierarchy. Each node of the key tree is used to store, for each encrypting key used in respect of the encrypted key associated with the node, the most up-to-date version of the encrypted key with any earlier versions being discarded. The key tree, or a subset of the tree, is then provided to group members.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: October 25, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Antonio Lain, Viacheslav Borisov
  • Publication number: 20110258433
    Abstract: A method includes synchronizing a first gateway with information from a second gateway. The second gateway operates in a primary role with at least one primary network address. The second gateway communicates with at least one wireless device that uses at least one encryption key during at least one secure communication session. The information includes the at least one encryption key. The method also includes detecting a switchover event at the first gateway. The method further includes, in response to detecting the switchover event, switching the first gateway to the primary role, communicating using the at least one primary network address, and maintaining the at least one secure communication session at the first gateway after the first gateway switches to the primary role.
    Type: Application
    Filed: April 16, 2010
    Publication date: October 20, 2011
    Applicant: Honeywell International Inc.
    Inventors: Christopher Pulini, Norman R. Swanson, Alexander Chernoguzov, Niral B. Sanghavi, Channabasavaraj Raravi, Karthikeya S. Ramanathan
  • Publication number: 20110258434
    Abstract: A system for generating new identity data for network-enabled devices includes a whitelist reader configured to extract attributes from a whitelist. The whitelist includes, for each device specified in the whitelist, a previously assigned identifier of the first type. The previously assigned identifiers of the first type are linked to identity data previously provisioned in each of the respective devices. A data retrieval module is configured to receive the identifiers of the first type from the whitelist reader and, based on each of the identifiers, retrieve each of the previously provisioned identity data records linked thereto.
    Type: Application
    Filed: April 15, 2011
    Publication date: October 20, 2011
    Applicant: GENERAL INSTRUMENT CORPORATION
    Inventors: Xin Qiu, Alexander Medvinsky, Stuart P. Moskovics, Greg N. Nakanishi, Jason A. Pasion, Fan Wang, Ting Yao
  • Patent number: 8041946
    Abstract: A secure network server wherein both the forwarding process and the receiving process are created upon connection initialization, and the receiving process is held off from communicating with the source host until the forwarding process has created a connection with the destination host. This solves the problem of message loss when the destination host is unreachable.
    Type: Grant
    Filed: February 28, 2006
    Date of Patent: October 18, 2011
    Assignee: The Boeing Company
    Inventors: Kelly S. Bunn, Daniel D. Schnackenberg, Janell Schnackenberg, legal representative
  • Patent number: 8042167
    Abstract: Methods, systems, and computer program products for firewall policy optimization are disclosed. According to one method, a firewall policy including an ordered list of firewall rules is defined. For each rule, a probability indicating a likelihood of receiving a packet matching the rule is determined. The rules are sorted in order of non-increasing probability in a manner that preserves the firewall policy.
    Type: Grant
    Filed: March 28, 2006
    Date of Patent: October 18, 2011
    Assignee: Wake Forest University
    Inventors: Errin W. Fulp, Stephen J. Tarsa
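The phrase "in a manner that preserves the firewall policy" is the whole difficulty: a rule may jump ahead of an earlier rule only when the two cannot both match the same packet or when they share an action, because otherwise first-match semantics would flip the decision for the packets they have in common. The block below is an added example of one way to do that reordering, not the university's code: it builds the precedence constraints from the original list, then greedily emits the highest-probability rule whose predecessors are already placed, and brute-forces policy equivalence over a deliberately tiny packet space. The rule set and probabilities are constructed.

```python
"""Reorder firewall rules by non-increasing match probability while preserving
first-match semantics. Added example, not the patentee's code. Fields live in
0..7 so equivalence can be checked exhaustively; probabilities are made up."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

Range = Tuple[int, int]            # inclusive (lo, hi)
ANY = (0, 7)


@dataclass(frozen=True)
class Rule:
    name: str
    src: Range
    dst: Range
    dport: Range
    action: str                    # "accept" or "deny"
    prob: float                    # likelihood an arriving packet matches this rule


def _overlap(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def intersects(r1: Rule, r2: Rule) -> bool:
    """True if at least one packet matches both rules."""
    return (_overlap(r1.src, r2.src) and _overlap(r1.dst, r2.dst)
            and _overlap(r1.dport, r2.dport))


def reorder(policy: List[Rule]) -> List[Rule]:
    """Greedy topological order: an earlier rule that intersects a later one and
    differs in action must stay ahead of it; every other pair is free to move."""
    n = len(policy)
    must_precede = [set() for _ in range(n)]
    for j in range(n):
        for i in range(j):
            if policy[i].action != policy[j].action and intersects(policy[i], policy[j]):
                must_precede[j].add(i)
    emitted, out = set(), []
    while len(out) < n:
        ready = [i for i in range(n) if i not in emitted and must_precede[i] <= emitted]
        best = max(ready, key=lambda i: (policy[i].prob, -i))   # highest prob, stable on ties
        emitted.add(best)
        out.append(policy[best])
    return out


def first_match(policy: List[Rule], pkt: Tuple[int, int, int]) -> Optional[str]:
    s, d, p = pkt
    for r in policy:
        if r.src[0] <= s <= r.src[1] and r.dst[0] <= d <= r.dst[1] and r.dport[0] <= p <= r.dport[1]:
            return r.action
    return None


def equivalent(a: List[Rule], b: List[Rule]) -> bool:
    """Exhaustive check: both lists decide every possible packet the same way."""
    return all(first_match(a, pkt) == first_match(b, pkt) for pkt in product(range(8), repeat=3))


def expected_comparisons(policy: List[Rule]) -> float:
    """Average number of rules consulted per packet, the quantity being minimised."""
    return sum(r.prob * (i + 1) for i, r in enumerate(policy))


# Constructed sample policy; "dns" does not intersect the two rules above it,
# so it may move to the front, while "http" must stay behind "block-dmz".
SAMPLE_POLICY = [
    Rule("ssh-admin", (1, 1), ANY, (2, 2), "accept", 0.02),
    Rule("block-dmz", (1, 1), ANY, ANY, "deny", 0.03),
    Rule("http", ANY, ANY, (3, 3), "accept", 0.55),
    Rule("dns", (4, 4), ANY, (5, 5), "accept", 0.30),
    Rule("default", ANY, ANY, ANY, "deny", 0.10),
]

if __name__ == "__main__":
    new = reorder(SAMPLE_POLICY)
    print([r.name for r in new], equivalent(SAMPLE_POLICY, new))
    print(expected_comparisons(SAMPLE_POLICY), "->", expected_comparisons(new))
```

A plain sort by probability would put "http" first and silently accept traffic from the blocked source on port 3; the constrained reorder keeps that pair in place and still lowers the expected number of comparisons.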
  • Patent number: 8042182
    Abstract: A system for providing intrusion detection in a network wherein data flows are exchanged using associated network ports and application layer protocols. The system includes a monitoring module configured for monitoring data flows in the network, a protocol identification engine configured for detecting information on the application layer protocols involved in the monitored data flows, and an intrusion detection module configured for operating based on the information on application layer protocols detected. Intrusion detection is thus provided independently of any predefined association between the network ports and the application layer protocols.
    Type: Grant
    Filed: March 30, 2004
    Date of Patent: October 18, 2011
    Assignee: Telecom Italia S.p.A.
    Inventors: Paolo Milani Comparetti, Paolo Abeni
  • Patent number: 8041940
    Abstract: In one aspect, a method to offload encryption processing in a storage area network (SAN) system includes determining whether a host is performing at a first performance level, offloading encryption processing at a processor if the host is not performing at a first performance level and performing encryption processing at the host if the host is performing at a first performance level.
    Type: Grant
    Filed: December 26, 2007
    Date of Patent: October 18, 2011
    Assignee: EMC Corporation
    Inventors: Assaf Natanzon, Shlomo Ahal
  • Patent number: 8041949
    Abstract: An information processing system in which information transfers between communication devices through a network is limited within a prescribed range by registering unique information obtainable within the prescribed range into each device and permitting information transfer between devices which share common unique information, where the unique information is formed by a pair of public and secret unique information, a bridge device is controlled such that, upon receiving a proxy check request from a reception device, whether a transmission device is another bridge device or not is judged when the public unique information registered by the reception device is registered in the bridge device and one public unique information registered in the bridge device is registered by the transmission device. Then, the secret unique information registered by the reception device is transmitted to the transmission device when the transmission device is not another bridge device.
    Type: Grant
    Filed: March 4, 2005
    Date of Patent: October 18, 2011
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Hiroshi Isozaki, Takeshi Saito, Tatsuyuki Matsushita, Tooru Kamibayashi
  • Patent number: 8041953
    Abstract: Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient.
    Type: Grant
    Filed: March 5, 2009
    Date of Patent: October 18, 2011
    Assignee: Voltage Security, Inc.
    Inventors: Terence Spies, Guido Appenzeller
  • Patent number: 8041941
    Abstract: The capability to encrypt or compress the traffic over network links, thus improving the security of the link or the performance of the links, and the capability to encrypt/decrypt data stored on the storage devices without requiring specialized hosts or storage devices. In a first embodiment, traffic to be routed over a selected link needing encryption and/or compression is routed to hardware which performs the encryption and/or compression and returned for transmission over the link. A complementary unit at the second end of the link routes the received frames to complementary hardware to perform the decryption and/or decompression. The recovered frames are then routed to the target device in a normal fashion. In a variation of this first embodiment the hardware is developed using an FPGA. This allows simple selection of the desired feature or features present in the switch. The switch can be easily configured to perform encryption, compression or both, allowing great flexibility to a system administrator.
    Type: Grant
    Filed: March 31, 2009
    Date of Patent: October 18, 2011
    Assignee: Brocade Communications Systems, Inc.
    Inventors: Richard A Walter, L. Vincent M. Isip
  • Patent number: 8042169
    Abstract: A method for managing the computer systems of a private network from a remote physical location in a manner that does not require the installation of agents on the computer systems of the private network, or the reconfiguration of the firewall of the private network to permit access into the private network.
    Type: Grant
    Filed: October 17, 2006
    Date of Patent: October 18, 2011
    Assignee: LPI Level Platforms, Ltd.
    Inventors: Mircea Logigan, Peter Rochon
  • Publication number: 20110252228
    Abstract: An apparatus and method for ensuring distributed packet transmission security are provided. In an embodiment of the present invention, a main control board allocates SA information to multiple processing boards according to a pre-defined criterion, so that each processing board which receives and stores the SA information may implement IPSec processing. As such, the IPSec processing is shared by the multiple processing boards. Accordingly, when there are a large number of IPSec tunnels on one interface, the IPSec processing to the packets passing the IPSec tunnels will not completely rely on only the processing board where the interface is located. Instead, the IPSec processing is allocated to different processing boards. Therefore, the multiple processing boards effectively share the IPSec processing corresponding to multiple SAs. The efficiency of the IPSec processing is increased.
    Type: Application
    Filed: July 22, 2008
    Publication date: October 13, 2011
    Applicant: HANGZHOU H3C TECHNOLOGIES CO., LTD.
    Inventors: Xiangqing Chang, Wei Zheng
  • Patent number: 8036107
    Abstract: Limiting traffic in a communications system is based on monitoring data packets traversing a first network node and determining whether at least one first data packet originating from a source node fulfills a predefined criterion. When the predefined criterion is fulfilled, a second network node is instructed to change processing of at least one second data packet originating from said source node.
    Type: Grant
    Filed: February 22, 2005
    Date of Patent: October 11, 2011
    Assignee: Nokia Corporation
    Inventors: Hao Wang, Ajit Kahaduwe
  • Patent number: 8037528
    Abstract: In one embodiment, a technique for enhancing the inspection of data sent from a server is provided. By modifying a client request in an effort to prevent the transformation (e.g., encoding and/or compression) of data by the server, unencoded data may be received, which can be inspected without the overhead associated with first decoding the data. Further, in the event the data is encoded despite modifying the client request to prevent such encoding, the server may be untrustworthy and one or more appropriate actions may be taken.
    Type: Grant
    Filed: September 17, 2007
    Date of Patent: October 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Craig Allen Williams, Gerald S. Lathem
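The technique in the Cisco abstract above, written out as an added example (this is not Cisco's code): an inline inspector rewrites the client's Accept-Encoding so a compliant server has no reason to compress, then treats a response that arrives encoded anyway as coming from a server that ignored what it was told. The HTTP messages are constructed samples; the "identity" token is the standard way to request no content coding.

```python
"""Forcing unencoded responses so an inline inspector can look at the bytes.

Added example, not Cisco's code. The inspector rewrites the client's
Accept-Encoding before forwarding the request, then classifies the response:
plain bodies go to inspection, encoded ones mark the server as untrusted.
The HTTP messages below are constructed samples.
"""


def parse_head(raw):
    """Split an HTTP message into start line, [(name, value)] headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, _, header_block = head.partition("\r\n")
    headers = []
    for line in header_block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return start_line, headers, body


def serialize(start_line, headers, body):
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def neutralize_request(raw_request):
    """Drop every Accept-Encoding the client sent and advertise only 'identity'.

    Returns (rewritten request, list of removed Accept-Encoding values) so the
    inspector can log what the client originally asked for.
    """
    start_line, headers, body = parse_head(raw_request)
    removed = [v for n, v in headers if n.lower() == "accept-encoding"]
    kept = [(n, v) for n, v in headers if n.lower() != "accept-encoding"]
    kept.append(("Accept-Encoding", "identity"))
    return serialize(start_line, kept, body), removed


def classify_response(raw_response):
    """'inspect' when the body is plain; 'suspicious' when the server encoded it anyway.

    A server that compresses after being told 'identity' is either broken or
    evading inspection; either way the inspector should not trust it.
    """
    _status, headers, _body = parse_head(raw_response)
    encodings = [v.lower() for n, v in headers if n.lower() == "content-encoding"]
    if all(e in ("", "identity") for e in encodings):
        return "inspect"
    return "suspicious"


# Constructed samples
SAMPLE_REQUEST = (
    "GET /download/update.bin HTTP/1.1\r\n"
    "Host: updates.example\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "User-Agent: client/1.0\r\n"
    "\r\n"
)
SAMPLE_PLAIN = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "MZ\x90\x00"
)
SAMPLE_ENCODED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: gzip\r\n"
    "\r\n"
    "\x1f\x8b\x08..."
)

if __name__ == "__main__":
    rewritten, removed = neutralize_request(SAMPLE_REQUEST)
    print(rewritten)
    print("removed:", removed)
    print(classify_response(SAMPLE_PLAIN), classify_response(SAMPLE_ENCODED))
```

The check on the response is the part that matters operationally: stripping the header only buys unencoded data from cooperative servers, so the inspector has to verify Content-Encoding on the way back rather than assume the rewrite worked.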
  • Patent number: 8037297
Abstract: According to the present invention, a telecommunication network with a first domain (PLMN-A) comprising at least one mobile application part protocol instance is connected to a gateway node (MSEGA) which is adapted to send and receive mobile application part messages and which is connectable to a second domain. The telecommunication network is characterized in that the gateway node (MSEGA) is adapted to receive a mobile application part message from the first domain, to convert the received mobile application part message into a secured mobile application part message, and to send the obtained message to the second domain. The gateway node (MSEGA) is further adapted to receive a secured mobile application part message from the second domain, to extract an unsecured mobile application part message from the received secured mobile application part message, and to send the extracted message to the first domain.
    Type: Grant
    Filed: October 20, 2003
    Date of Patent: October 11, 2011
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Reijo Pekkala, Juha Saaskilahti, Karl-Johan Wiren
  • Patent number: 8037517
    Abstract: Methods, systems, and computer program products for providing function-parallel firewalls are disclosed. According to one aspect, a function-parallel firewall includes a first firewall node for filtering received packets using a first portion of a rule set including a plurality of rules. The first portion includes less than all of the rules in the rule set. At least one second firewall node filters packets using a second portion of the rule set. The second portion includes at least one rule in the rule set that is not present in the first portion. The first and second portions together include all of the rules in the rule set.
    Type: Grant
    Filed: December 22, 2005
    Date of Patent: October 11, 2011
    Assignee: Wake Forest University
    Inventors: Errin W. Fulp, Ryan J. Farley
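An added example of the function-parallel split described in the Wake Forest abstract (this is not the university's code). The detail worth seeing in code is that a first-match policy cannot be split by having each node return an action: a node must report the position of its lowest matching rule, and the overall decision is the action of the lowest position across nodes. The rule set, packets and the deny-by-default fallback are constructed assumptions.

```python
"""Function-parallel firewall: a rule set split across nodes, first match wins.

Added example, not Wake Forest's code. Each node holds a portion of an ordered
rule set and returns the global index of its lowest matching rule; the packet
gets the action of the lowest index across all nodes. No match at all is
denied here (assumed default). Rules and packets are constructed.
"""
from ipaddress import ip_address, ip_network

# (proto, src_net, dst_net, dst_port or None, action), in policy order
RULES = [
    ("tcp", "10.0.0.0/8",  "0.0.0.0/0",     22,   "deny"),
    ("tcp", "10.0.0.0/8",  "192.0.2.0/24",  None, "allow"),
    ("udp", "0.0.0.0/0",   "192.0.2.53/32", 53,   "allow"),
    ("tcp", "0.0.0.0/0",   "192.0.2.80/32", 80,   "allow"),
    ("tcp", "0.0.0.0/0",   "192.0.2.80/32", 443,  "allow"),
    ("any", "0.0.0.0/0",   "0.0.0.0/0",     None, "deny"),
]


def matches(rule, pkt):
    proto, src, dst, port, _action = rule
    return (proto in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and (port is None or port == pkt["dport"]))


def partition(rules, n_nodes):
    """Round-robin split; each entry keeps its global index so order survives."""
    return [[(i, r) for i, r in enumerate(rules) if i % n_nodes == k]
            for k in range(n_nodes)]


def node_filter(portion, pkt):
    """One firewall node: global index of its first matching rule, or None."""
    for idx, rule in portion:
        if matches(rule, pkt):
            return idx
    return None


def parallel_decide(rules, n_nodes, pkt):
    """Collect each node's candidate and apply the lowest-numbered one."""
    candidates = [node_filter(p, pkt) for p in partition(rules, n_nodes)]
    hits = [c for c in candidates if c is not None]
    return rules[min(hits)][4] if hits else "deny"


def sequential_decide(rules, pkt):
    """Reference: the same policy evaluated on a single node."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[4]
    return "deny"


PACKETS = [
    {"proto": "tcp", "src": "10.1.2.3",     "dst": "192.0.2.10", "dport": 22},    # rule 0 beats rule 1
    {"proto": "tcp", "src": "10.1.2.3",     "dst": "192.0.2.10", "dport": 8080},  # rule 1
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.53", "dport": 53},    # rule 2
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.80", "dport": 8443},  # rule 5
]


def equivalent(rules, n_nodes, packets):
    """True when the split policy decides every packet like the single-node policy."""
    return all(parallel_decide(rules, n_nodes, p) == sequential_decide(rules, p)
               for p in packets)
```

The first packet is the case that breaks naive splits: with two nodes, node 1 holds rule 1 (allow) and would accept it on its own, but node 0 reports rule 0 (deny) and the lower index wins, matching the single-node result.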
  • Patent number: 8037530
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: August 10, 2001
    Date of Patent: October 11, 2011
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
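An added example of the keyed address translation plus host-table check in the abstract above (not the Verizon/BBN implementation). It uses a 4-round balanced Feistel network over the 32-bit IPv4 address with HMAC-SHA256 as the round function, so an address maps to another address of the same width and can be reversed by the holder of the key; this is a demonstration construction rather than a vetted format-preserving cipher (a production design would use a standardized scheme such as FF1). The shared key stands in for the key exchanger's output; key, host table and packet headers are constructed.

```python
"""Keyed translation of packet-header addresses with a host-table check.

Added example, not the Verizon/BBN implementation. A 4-round Feistel network
keyed by HMAC-SHA256 permutes the 32-bit address; the receiver untranslates
and only delivers to destinations present in its host table. The shared key,
host table and headers below are constructed.
"""
import hashlib
import hmac
from ipaddress import IPv4Address

ROUNDS = 4
TRANSLATED_FIELDS = ("src", "dst")


def _round(key, r, half):
    """Round function: 16 bits of HMAC-SHA256(key, round || half)."""
    mac = hmac.new(key, bytes([r]) + half.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")


def encrypt_addr(key, addr):
    left, right = divmod(int(IPv4Address(addr)), 1 << 16)
    for r in range(ROUNDS):
        left, right = right, left ^ _round(key, r, right)
    return str(IPv4Address((left << 16) | right))


def decrypt_addr(key, addr):
    left, right = divmod(int(IPv4Address(addr)), 1 << 16)
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, r, left), left
    return str(IPv4Address((left << 16) | right))


def translate_header(key, header):
    """Sender side: rewrite the predetermined address fields before transmission."""
    out = dict(header)
    for field in TRANSLATED_FIELDS:
        out[field] = encrypt_addr(key, header[field])
    return out


def receive_header(key, header, host_table):
    """Receiver side: untranslate, then require the destination to be a known host.

    A packet whose recovered destination is not in the table was not translated
    with our key (unkeyed, wrong key, or forged), so the security device fires.
    """
    recovered = dict(header)
    for field in TRANSLATED_FIELDS:
        recovered[field] = decrypt_addr(key, header[field])
    if recovered["dst"] not in host_table:
        return "alert", recovered
    return "deliver", recovered


SHARED_KEY = b"constructed-key-from-key-exchanger"          # stands in for the exchanged key
HOST_TABLE = {"192.0.2.10", "192.0.2.20", "192.0.2.53"}   # constructed
```

The host-table step is what turns a plain address permutation into a detector: a sender without the key produces header addresses that untranslate to garbage, and garbage is almost never a listed host, so the mismatch itself is the alarm.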
  • Patent number: 8037305
Abstract: A method, logic encoded in tangible media, and apparatus for securing the links between a mesh point and one or more identities of one or more parent mesh points of a wireless mesh network. A first association is carried out to one of the identities of one of the parent mesh points. The mesh point undergoes a mutual authentication with an authenticator and announces the possibility of multiple links and/or multiple paths. The authentication generates a first master key from which the root master key of the key hierarchy is derived, so that other master keys for different identities are derivable using the hierarchy. The mesh point undergoes a 4-way handshake to derive a first transient key. Other transient keys, for other links and/or paths, are obtained by a fast roaming method and derived using the hierarchy, without having to re-undergo a backend authentication.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: October 11, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Shahriar I. Rahman, Nancy Cam-Winget, Kalyan R. Dharanipragada
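The key hierarchy in the Cisco mesh abstract, as an added example (not Cisco's implementation): one backend authentication yields a first master key, a root master key is derived from it, a per-identity link master key is derived for each parent, and a transient key for each link is bound to the handshake nonces. The KDF construction, labels, key lengths and the authenticator's stand-in credential are assumptions; the abstract fixes the hierarchy, not these details.

```python
"""Mesh link key hierarchy: one backend authentication, many link keys.

Added example, not Cisco's implementation. KDF, labels, key lengths and the
authenticator's secret are assumptions chosen for illustration.
"""
import hashlib
import hmac


def kdf(key, label, context, length=32):
    """Counter-mode KDF on HMAC-SHA256 (assumed construction)."""
    out = b""
    counter = 1
    while len(out) < length:
        block = bytes([counter]) + label + b"\x00" + context
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_root_mk(first_master_key, mesh_id, mp_addr):
    """Root of the hierarchy, derived once from the backend authentication's key."""
    return kdf(first_master_key, b"MeshRootMK", mesh_id + mp_addr)


def derive_link_mk(root_mk, parent_identity, mp_addr):
    """Per-identity master key: one per parent mesh point identity (or path)."""
    return kdf(root_mk, b"MeshLinkMK", parent_identity + mp_addr)


def derive_ptk(link_mk, mp_addr, parent_identity, nonce_mp, nonce_parent):
    """Transient key from the 4-way handshake, bound to both addresses and nonces."""
    addrs = min(mp_addr, parent_identity) + max(mp_addr, parent_identity)
    nonces = min(nonce_mp, nonce_parent) + max(nonce_mp, nonce_parent)
    return kdf(link_mk, b"MeshPTK", addrs + nonces, 48)


class Authenticator:
    """Key holder: produces the first master key and hands each parent its link MK."""

    def __init__(self, mesh_id, secret):
        self.mesh_id = mesh_id
        self.secret = secret          # constructed stand-in for the AAA-side credential
        self.root_mks = {}

    def run_backend_auth(self, mp_addr):
        first_mk = kdf(self.secret, b"FirstMK", mp_addr)
        self.root_mks[mp_addr] = derive_root_mk(first_mk, self.mesh_id, mp_addr)
        return first_mk

    def link_mk_for(self, parent_identity, mp_addr):
        """What the authenticator pushes to a parent so it can run the handshake."""
        return derive_link_mk(self.root_mks[mp_addr], parent_identity, mp_addr)


class MeshPoint:
    def __init__(self, mp_addr):
        self.addr = mp_addr
        self.root_mk = None
        self.backend_auths = 0
        self.ptks = {}

    def authenticate(self, authenticator, mesh_id):
        """Mutual authentication with the authenticator; runs once per mesh point."""
        first_mk = authenticator.run_backend_auth(self.addr)
        self.backend_auths += 1
        self.root_mk = derive_root_mk(first_mk, mesh_id, self.addr)

    def secure_link(self, parent_identity, nonce_mp, nonce_parent):
        """Fast path: derive this link's keys from the hierarchy, no backend round trip."""
        link_mk = derive_link_mk(self.root_mk, parent_identity, self.addr)
        ptk = derive_ptk(link_mk, self.addr, parent_identity, nonce_mp, nonce_parent)
        self.ptks[parent_identity] = ptk
        return ptk
```

The security property to check is that both ends of a link arrive at the same transient key through different routes (the mesh point from its root key, the parent from the link key the authenticator hands it) and that links to different parents get unrelated keys while the backend authentication count stays at one.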
  • Patent number: 8032934
    Abstract: The present invention discloses a network security system including a firewall arranged between the internal network and the external network, and a trusted node arranged between the firewall and the external network, which is used to provide a data channel between the internal network and the external network, and forward the data transported between the internal network and the external network; the firewall includes a first port configured at the internal network oriented side of the firewall and a second port configured at the external network oriented side of the firewall; and the trusted node includes a media-stream receiving port used to converge the data from the second port. The present invention also discloses a network security method.
    Type: Grant
    Filed: December 29, 2004
    Date of Patent: October 4, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xianyi Chen, Ziqiang Wei, Jiaoli Wu, Enkui Wang, Lingfeng Xu
  • Patent number: 8032937
    Abstract: A worm is a malicious process that autonomously spreads itself from one host to another. To infect a host, a worm must somehow copy itself to the host. The method in which a worm transmits a copy of itself produces network traffic patterns that can be generalized as a traffic behavior. As a worm spreads itself across the network, the propagation of the traffic behavior can be witnessed as hosts are infected, one after another. By monitoring the network traffic for propagations of traffic behaviors, a presence of a worm can be detected.
    Type: Grant
    Filed: October 26, 2004
    Date of Patent: October 4, 2011
    Assignee: The Mitre Corporation
    Inventor: Daniel R. Ellis
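An added example of the propagation idea in the MITRE abstract (not MITRE's implementation). A traffic behavior is reduced here to a (protocol, destination port) pair; a hand-off is a host that first received that behavior and afterwards began emitting it to other hosts, and the detector measures how many successive hand-offs a behavior has gone through. The chain threshold and the flow records are constructed assumptions; the DNS flows are included to show a fan-in-then-forward pattern that should not trigger.

```python
"""Detecting a worm by the propagation of a traffic behavior across hosts.

Added example, not MITRE's implementation. A behavior is (proto, dst_port);
a host's chain length is one more than that of the host that first contacted
it with the behavior, provided the contact preceded the host's own first
emission. Chains of DEPTH_THRESHOLD or more are reported (threshold assumed).
Flow records are constructed.
"""
from collections import defaultdict

DEPTH_THRESHOLD = 3

# (time, src, dst, proto, dst_port)
FLOWS = [
    (1, "10.0.0.5",  "10.0.0.9",  "tcp", 445),
    (2, "10.0.0.9",  "10.0.0.14", "tcp", 445),
    (2, "10.0.0.9",  "10.0.0.17", "tcp", 445),
    (3, "10.0.0.14", "10.0.0.22", "tcp", 445),
    (4, "10.0.0.22", "10.0.0.31", "tcp", 445),
    (1, "10.0.0.7",  "10.0.0.53", "udp", 53),   # clients querying a resolver
    (2, "10.0.0.8",  "10.0.0.53", "udp", 53),
    (3, "10.0.0.53", "10.0.0.1",  "udp", 53),   # resolver forwarding upstream
]


def propagation_chains(flows):
    """Return {behavior: longest hand-off chain seen for that behavior}."""
    by_behavior = defaultdict(list)
    for t, src, dst, proto, dport in flows:
        by_behavior[(proto, dport)].append((t, src, dst))

    result = {}
    for behavior, recs in by_behavior.items():
        recs.sort()
        first_contacted = {}   # host -> (time, contacting host)
        first_emitted = {}     # host -> time it first emitted the behavior
        for t, src, dst in recs:
            first_emitted.setdefault(src, t)
            first_contacted.setdefault(dst, (t, src))

        memo = {}

        def chain(host):
            # A contact counts as a hand-off only if it precedes the host's own
            # first emission; that strict ordering also rules out cycles.
            if host not in memo:
                contact = first_contacted.get(host)
                if contact is None or contact[0] >= first_emitted[host]:
                    memo[host] = 1
                else:
                    memo[host] = 1 + chain(contact[1])
            return memo[host]

        result[behavior] = max((chain(h) for h in first_emitted), default=0)
    return result


def detect_worms(flows, threshold=DEPTH_THRESHOLD):
    """Behaviors whose propagation chain reached the threshold, longest first."""
    chains = propagation_chains(flows)
    hits = [(b, n) for b, n in chains.items() if n >= threshold]
    hits.sort(key=lambda x: -x[1])
    return [b for b, _ in hits]
```

On the constructed flows the TCP/445 behavior hands off four times (.5 to .9 to .14 to .22 to .31) and is reported; the resolver pattern reaches a chain of two because 10.0.0.53 forwards after being queried, which is why the threshold has to sit above ordinary client-to-server-to-upstream relaying.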
  • Patent number: 8032742
    Abstract: This application generally describes techniques for dynamically updating trusted certificates and CRLs, generally referred to herein as certificate information. That is, techniques are described for updating trusted certificates and CRLs without terminating existing communication sessions. An exemplary method includes the steps of receiving an initial configuration that includes a trusted certificate authority, receiving certificate information that includes a certificate revocation list (CRL) and a first certificate from the trusted certificate authority, storing the certificate information in the configuration, initiating a communication session for an application, receiving an update to the certificate information, and updating the configuration to reflect the update to the certificate information without terminating the communication session.
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: October 4, 2011
    Assignee: Unisys Corporation
    Inventors: Robert L. Bergerson, James R. Heit, Jason C. Schultz
  • Publication number: 20110238979
    Abstract: A device to prevent, detect and respond to one or more security threats between one or more controlled hosts and one or more services accessible from the controlled host. The device determines the authenticity of a user of a controlled host and activates user specific configurations under which the device monitors and controls all communications between the user, the controlled host and the services. As such, the device ensures the flow of only legitimate and authorized communications. Suspicious communications, such as those with malicious intent, malformed packets, among others, are stopped, reported for analysis and action. Additionally, upon detecting suspicious communication, the device modifies the activated user specific configurations under which the device monitors and controls the communications between the user, the controlled host and the services.
    Type: Application
    Filed: March 23, 2010
    Publication date: September 29, 2011
    Applicant: ADVENTIUM LABS
    Inventors: Steven Alex Harp, J. Thomas Haigh, Johnathan A. Gohde, Richard C. O'Brien, Charles N. Payne, JR., Ryan A. VanRiper
  • Publication number: 20110238980
    Abstract: A method for verifying electronic software code integrity may comprise providing a list of encryption keys to a client, encrypting a software code packet using one of the plurality of encryption keys, delivering the encrypted software code packet to the client, and informing the client to choose an encryption key for decryption based on the specific time factor. Each encryption key on the list may correlate to a respective time factor. The one of the plurality of encryption keys may be chosen from the list based at least in part on a specific time factor.
    Type: Application
    Filed: September 10, 2010
    Publication date: September 29, 2011
    Applicant: Fujitsu Limited
    Inventors: Seigo Kotani, Masato Suzuki
  • Patent number: 8028166
    Abstract: A messaging system and method are associated with a first device. The messaging system includes a plurality of credentials and a plurality of authorities. Each authority associates at least one of a plurality of protocol operations with at least one of the plurality of credentials. The messaging system is adapted to receive an initiating message from a second device, which identifies at least one of the authorities, and responsively implements a security protocol for further messages between the first and second devices in accordance with the identified authority.
    Type: Grant
    Filed: April 25, 2006
    Date of Patent: September 27, 2011
    Assignee: Seagate Technology LLC
    Inventor: Robert H. Thibadeau
  • Publication number: 20110231655
    Abstract: A traffic management device (TMD), system, and processor-readable storage medium directed towards re-establishing an encrypted connection of an encrypted session, the encrypted connection having initially been established between a client device and a first server device, causing the encrypted connection to terminate at a second server device. As described, a traffic management device (TMD) is interposed between the client device and the first server device. In some embodiments, the TMD may request that the client device renegotiate the encrypted connection. The TMD may redirect the response to the renegotiation request towards a second server device, such that the renegotiated encrypted connection is established between the client device and the second server device. In this way, a single existing end-to-end encrypted connection can be used to serve content from more than one server device.
    Type: Application
    Filed: March 18, 2011
    Publication date: September 22, 2011
    Applicant: F5 Networks, Inc.
    Inventors: Benn Sapin Bollay, David Alan Hansen, David Dean Schmitt, Jonathan Mini Hawthorne
  • Publication number: 20110231649
    Abstract: A traffic management device (TMD), system, and processor-readable storage medium are directed to monitoring an encrypted session between a client and a server, determining that the session identifier is unknown, and requesting a renegotiation of the session to acquire a session identifier for the renegotiated session. Determination that the session identifier is unknown may be based on interception and analysis of handshake messages sent by the client and/or the server. Following such determination, a renegotiation of the encrypted session may be triggered by sending a renegotiation request to the client, and a session identifier for the renegotiated session may be determined based on information extracted from subsequent handshake messages exchanged between the client and server during the renegotiation. Determination of the session identifier may enable decryption, encryption and modification of subsequent communications traffic, for example insertion of third party content into traffic sent to the client.
    Type: Application
    Filed: July 30, 2010
    Publication date: September 22, 2011
    Applicant: F5 Networks, Inc.
    Inventors: Benn Sapin Bollay, Erick Nils Hammersmark
  • Publication number: 20110231654
    Abstract: Methods and apparatus for automatically providing secure network infrastructure over non-secure network infrastructure such as by automatically generating IPSec tunnels through non-secure networks, terminating the IPSec tunnels at a boundary device and creating appropriate services to bridge traffic between the IPSec tunnels and a secure network. Various embodiments provide rapid provisioning of secure network infrastructure, a Secure Gateway (SEG) embodiment adapted to particular customer requirements and various business methodologies.
    Type: Application
    Filed: March 15, 2011
    Publication date: September 22, 2011
    Inventors: Gurudas Somadder, Joël R. Calippe, Paula N. Balus, Sergio Colla, Mohammad Farook