Abstract: System and methods for communicating with a contact center are disclosed. A method includes: receiving a first message from a user equipment (UE), wherein the first message is received via a first communications protocol; transmitting a second message to a computing device of a contact center, wherein the second message is transmitted via a second communications protocol and optionally includes location information for the UE; and receiving a reply message from the computing device of the contact center.

Abstract: A first communication device having a secure access to a security module establishes a collaborative network by forming a collaborative security association with a second communication device associated with a user of the first communication device. The first communication device (a) sends an advertisement of services associated with the security module to the second communication device and receives an advertisement response from the second communication device or (b) receives a solicitation request for services associated with the security module from the second communication device. Responsive to receiving one of the advertisement response and the solicitation request, the first communication device determines whether the second communication device is authorized to access the security module.

Abstract: A system and method for calculating a risk assessment for an electronic file is described. A database of checks, organized into categories, can be used to scan electronic files. The categories of checks can include weights assigned to them. An analyzer can analyze electronic files using the checks. Issues identified by the analyzer can be weighted using the weights to determine a risk assessment for the electronic file.

Abstract: Unattended secure device authorization techniques are provided. An operating system (OS) module, which is responsible for device validation when that device is interfaced to a host device, is enhanced. The enhanced OS module silently checks the peripheral device's identifier against a white list and if a match occurs, the enhanced OS module grants permission to the host device applications; if no match occurs, the enhanced OS module silently rejects application access to the device. In an embodiment, the enhanced OS module interacts with the device to determine whether the device is to be authorized or rejected.

Abstract: A web application user is authenticated directly upon selecting a link in a notification email. In this approach, the user's web browser stores a first data string provided by the web application (e.g., in a cookie) during a prior session. The first data string encodes first data about the user that can be verified by the application. Later, the user receives the notification email that includes the link. The link encodes a second data string from which second data about the user can be verified by the application. When the end user selects the link, an authentication request is transmitted to the application. The authentication request includes both the first and second data strings. If both the first data and the second data (as obtained from their respective data strings) can be verified, the user is authenticated without having to perform any additional steps (e.g., manual entry of credentials).

Abstract: A method and system for anonymizing data to be transmitted to a destination computing device is disclosed. Data to be transmitted is received from a user computer. The data includes a plurality of fields of data. One or more fields of data are selected for anonymization. The selected one or more fields are anonymized. The data with one or more fields anonymized is transmitted to the destination computing device.

Abstract: Methods, systems, and apparatus that enable identification of network attacks such as denial of service attacks are disclosed. A network attack may be identified by monitoring packets received for delivery to devices on a network, and developing a historic packet profile by examining the monitored packets received during a number of time periods preceding an instant time period. An instant packet profile is developed by examining the monitored packets during the instant time period. The instant packet profile is compared to the historic packet profile to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and the historic packet profile is present. The existence of a network attack is identified in response to determining that the deviation exceeds the predetermined statistical threshold deviation.

Abstract: The invention relates to a communication device (1) comprising a processor configured to create a client handshake message in order to negotiate security settings for a network connection between the device and a network node (2) of the telecommunication network using a transport layer security protocol. The client handshake message comprises a first encryption algorithm indicator indicative of a first encryption algorithm proposed by the communication device for communication from the communication device (1) to the network node (2), and a second encryption algorithm indicator indicative of a second encryption algorithm proposed by the communication device for communication from the network node to the communication device (1). Only one of the first and second encryption algorithm indicator indicates that communication is non-encrypted while the other of the first and second encryption algorithm indicator is indicating that communication is encrypted. This enables e.g.

Abstract: The disclosure concerns methods of playback of a video stream comprising: receiving from a first user device (102) first media content associated with said video stream; associating with said first media content a time stamp indicating the time at which said first media content is received with respect to a reference time associated with said video stream; and during delayed playback of said video stream on a second user device (104), transmitting, at the time indicated by said time stamp, said first media content for display by said second user device.

Abstract: A system and method for domain control validation is presented. At a certificate authority a request is received. The request includes a certificate signing request and a first Internet protocol address. The certificate signing request identifies a domain and a certificate. A second Internet protocol address for the domain is retrieved from a domain name system. When the first Internet protocol address is the same as the second Internet protocol address, the certificate is signed, and the signed certificate is transmitted to a requester of the request. When the first Internet protocol address is not the same as the second Internet protocol address, the certificate signing request is rejected.

Abstract: In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within virtual environment: receiving at least one attachment to an electronic mail; and executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs.

Abstract: A memory device includes a plurality of memory cells, a token input interface, a token output interface and control circuitry. The control circuitry is configured to accept a storage command, to condition execution of at least a part of the storage command on a presence of a token pulse on the token input interface, to execute the storage command, including the conditioned part, in the memory cells upon reception of the token pulse on the token input interface, and to reproduce the token pulse on the token output interface upon completion of the execution.

Abstract: An encrypted database management system includes: a client terminal which includes a column encrypting unit that uses an encrypting key and a group generator to encrypt data of columns indicated by specific labels of externally input tables, and output it, an intra-label projection request unit that generates an intra-label key from encrypting key and label, and outputs it, and an inter-label projection request unit that generates an inter-label projection key from encrypted key, label, and intra-label key; and a database server which includes an intra-label projection unit that generates an intra-label comparison value by the action of label and intra-label key on data of columns of specific labels of encrypted tables, an inter-label projection unit that generates an inter-label comparison value by the action of the inter-label projection key on intra-label comparison value, and an encrypted table natural join unit that conducts natural joining using intra-label comparison value.

Abstract: Malware beaconing activity detection is disclosed, including: monitoring a plurality of conversations between an internal device and one or more external destinations; extracting feature sets based at least in part on the plurality of conversations; and determining that a conversation of the plurality of conversations is anomalous based at least in part on the extracted feature sets.

Abstract: A system administrator of a wireless LAN 100 manipulates a personal computer PC1 to change a WEP key. The personal computer PC1 authenticates a memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, changed setting information, as well as a previous WEP key before the change of the setting information, is written into the memory card MC. The system administrator then inserts this memory card MC into a memory card slot of a printer PRT1. The printer PRT1 authenticates the memory card MC as genuine under management of the system administrator. In the case of the authenticated memory card MC, the setting information is updated. This arrangement effectively relieves the user's workload in setting wireless communication devices, while ensuring the sufficiently high security.

Abstract: A network security system having a hierarchical configuration is provided. In one embodiment the present invention includes a plurality of subsystems, where each subsystem includes a plurality of distributed software agents configured to collect base security events from monitor devices, and a local manager module coupled to the plurality of distributed software agents to generate correlated events by correlating the base security events. Each subsystem can also include a filter coupled to the manager module to select which base security events are to be processed further. The selected base security events are passed to a global manager module coupled to the plurality of subsystems that generates global correlated events by correlating the base security events selected for further processing by each filter of each subsystem.

Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.

Abstract: The invention relates to a method for granting an inquirer querying a repository access to the repository, a communication protocol between a client and a server, and a system for controlling access of at least one inquirer to a repository. The repository typically stores event data relating to traceable products. The aspects according to teaching disclosed herein may be for example implemented as security extensions for existing repositories providing a finer granularity of access rights and means to prevent an exposure of data sets considered sensitive. The security extensions disclosed herein may be implemented to protect access to any kind of client/server application wherein the server is exposing sensitive data.

Abstract: A computer or microchip including a system BIOS located in flash memory which is located in a portion of the computer or microchip protected by an inner hardware-based access barrier or firewall, a central controller of the computer or microchip having a connection by a secure control bus with other parts of the computer or microchip, and a volatile random access memory located in a portion of the computer or microchip that has a connection for a network. The secure control bus is isolated from input from the network, and provides and ensures direct preemptive control by the central controller over the volatile random access memory, the control including transmission to or erasure of data and/or code in the volatile random access memory and control of a connection between the central controller, the volatile random access memory and at least one microprocessor having a connection for the network.

Abstract: In one embodiment, apparatus and methods for a rekey process are disclosed. In certain rekey embodiments, when a key-generation protocol exchange is executed, instead of generating a single new security relationship, such as a Security Association or SA, a multiple set (e.g., 10) of new security relationships (e.g., SAs) are generated. An authorized device can then individually use these security relationships (e.g., SAs) as needed to securely communicate with each other. For example, a set of SAs can be efficiently programmed into an 802.1ae protocol ASIC for handling transmitted and received data packets. In the description herein, embodiments of the invention are described with respect to SA's, and this “SA” term is generally defined as any type of security relation that can be formed to allow a particular node to securely transmit packets or frames to another receiving node.

Abstract: A computer-implemented method, network management system, and network clients are provided for out-of-band network security management. The network management system includes routers, firewalls, and out-of-band interfaces. The out-of-band interface of the network management system transmits access control lists to network clients connected to a trusted network. The trusted network connects the routers, firewalls, and network clients. The firewalls receive access control lists from the network management system to police communications that traverse the trusted network and an untrusted network. The routers receive access control lists from the network management system to police communications that traverse the router within the trusted network. The access control lists for the routers and firewalls are transmitted over a network interface to the trusted network and are transmitted separately from the access control lists for the network clients.

Abstract: A computer or microchip including a network connection for connection to a public network of computers including the Internet, the network connection being located in a public unit; and an additional and separate network connection for connection to a separate, private network of computers, the additional network connection being located in a protected private unit. An inner hardware-based access barrier or firewall is located between and communicatively connects the protected private unit and the public unit; and the private and public units and the two separate network connections are separated by the inner barrier or firewall. The protected private unit includes at least a first microprocessor and a system BIOS located in flash memory. The public unit includes at least a second or many microprocessors separate from the inner barrier or firewall. The inner barrier or firewall comprises a bus with an on/off switch controlling communication input and output.

Abstract: In one embodiment, source data for a communication session may be split into an audio portion for transmission on a phone channel and a non-audio portion for transmission on a data channel. A server and a phone may accordingly establish an audio portion of a communication session on the phone channel. In response to a trigger, the server may provide a push notification on the data channel to the phone, where the push notification is associated with an application executing on the phone that is configured to participate in the non-audio portion of the communication session on the data channel with the server. Upon obtaining the push notification on the data channel during the audio portion on the phone channel, the application may correspondingly activate on the phone to participate in the non-audio portion of the communication session during the phone's participation in the audio portion (e.g., merging the portions).

Abstract: An encrypted cached content system includes a user IHS, a content provider IHS, and a caching IHS. The caching IHS includes a caching engine that is configured to receive a content request from the user IHS. The caching engine generates a user-side key using content identifying information in the content request, and forwards the content request to the content provider IHS over a network as a content partial information request. In response to receiving a content partial information response from the content provider IHS over a network, the caching engine generates a content-provider-side key using header information in the content partial information response. The caching engine performs a hashing operation on the content request using a combination of the user-side key and the content-provider-side key to produce a hashed content request, and uses the hashed content request to retrieve content from the cache.

Abstract: A system for securely transferring information from an industrial control system network, including, within the secure domain, one or more remote terminal units coupled by a first network, one or more client computers coupled by a second network, and a send server coupled to the first and second networks. The send server acts as a proxy for communications between the client computers and the remote terminals and transmits first information from such communications on an output. The send server also transmits a poll request to a remote terminal unit via the first network and transmits second information received in response to the poll on the output. The system also includes, outside the secure domain, a receive server having an input coupled to the output of the send server via a one-way data link. The receive server receives and stores the first and second information provided via the input.

Abstract: According to an aspect of the invention, an aggregator node is conceived for use in a network, wherein said aggregator node is arranged to aggregate encrypted data, and wherein said aggregator node comprises a secure element which is arranged to perform the aggregation of the encrypted data in a secure manner.

Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.

Abstract: This invention consists of a virtual air gap—VAG system developed in order to provide Internet and computer security. The virtual air gap system developed in this invention is characterized by the principal elements of: “Virtual air gap (14),” Internal security component (15), “External security component (16),” Message transfer mechanism of the system components positioned between internal and external security components (5, 6) and a shared memory (7), “Internal system (9) consisting of the internal security component and such other components (11) contained in the system, and connecting the same to the internal network (1),” External system (10) consisting of the external security component and such other components contained in the system, and connecting the same to the external network (2), and “Shared memory (7).

Abstract: A centralized distribution server comprises converter means for embedding content data into a digital delivery stream and transmitting means for transmitting said digital delivery stream to at least one of said subscriber terminals via a forward network channel. The at least one subscriber terminal comprises receiving means for receiving said digital delivery stream from said centralized server and interface means for enabling access to said digital delivery stream and/or the content data embedded therein by a subscriber.

Abstract: A system and method are provided for identifying inappropriate content in websites on a network. Unrecognized uniform resource locators (URLs) or other web content are accessed by workstations and are identified as possibly having malicious content. The URLs or web content may be preprocessed within a gateway server module or some other software module to collect additional information related to the URLs. The URLs may be scanned for known attack signatures, and if any are found, they may be tagged as candidate URLs in need of further analysis by a classification module.

Abstract: The present invention provides a technique for validating TCP communication between a client requesting resources and a server providing requested resources to protect the specified server from a denial of service attack wherein a plurality of clients initiate communication with a server, but do not complete the communication for the purpose of denying service to the server from other legitimate clients. Through systematic transmission regulation of TCP packets, an intermediary apparatus or set of apparatuses, can, to a high degree of certainty, validate client connections to protect the server from this saturated condition. The communication is then reproduced by the apparatus or apparatuses.

Abstract: A processing unit performs a predetermined process by a remote operation from a client device. A monitoring unit monitors a first port for an unencrypted communication with the processing unit and a second port for an encrypted communication with the processing unit, denies a connection request via the first port, and accepts a connection request via the second port. When a connection request encrypted with either one of the first port and the second port specified as a forwarding destination port is received, an encrypted communication unit decrypts the connection request and transfers decrypted connection request to the monitoring unit via the forwarding destination port.

Abstract: Inspection of encrypted network traffic where multiple network connections are monitored that carry encrypted data, but only a subset of the network connections are decrypted and inspected. Typically, only network connections that are associated with designated target users whose encrypted data is to be inspected are decrypted. A Network Monitor Center (NMC) dynamically establishes a list of rules for selection of encrypted data connections. The rules are provided to a Secure data Inspection Appliance (SIA) that accepts some or all of the network user encrypted traffic and checks it against a rule table. When detecting an encrypted connection that matches the rule table, the SIA decrypts the connection and provides a copy of the connection plain data to the NMC. The NMC then inspects the plain data for security threats. Once a security threat is found in a connection, the NMC applies predefined consequent actions to this connection.

Abstract: Method for providing a mesh key which can be used to encrypt messages between a first node and a second node of a mesh network, wherein a session key is generated when authenticating the first node in an authentication server, the first node and the authentication server or an authentication proxy server using a predefined key derivation function to derive the mesh key from said session key, which mesh key is transmitted to the second node.

Abstract: The present invention provides a facsimile apparatus which provides a facsimile function to a cooperative image forming apparatus connected to a network, the facsimile apparatus comprising a receiving unit configured to perform facsimile reception via a public line, a determining unit configured to, when the receiving unit receives data to be transferred to the cooperative image forming apparatus, determine whether a license of the cooperative image forming apparatus which can be provided with the facsimile function is valid or invalid, and a control unit configured to restrict transfer of the data to the cooperative image forming apparatus based on a determination result by the determining unit.

Abstract: The present invention provides a star-connected network (C1-C4, P1-P8) having a number of peripheral nodes (P1-P8) and a central control arrangement (C1-C4). Each peripheral node has means for restricting communications across the network to the central control arrangement using a respective encrypted connection unless the peripheral node has received explicit authorization from the control arrangement to set up a direct connection with another peripheral node.

Abstract: Particular embodiments generally relate to allowing access of non-secure elements through a non-secure channel when a top-level page was accessed through a secure connection. In one embodiment, a webpage is accessed over a secure channel. The webpage includes secure and non-secure elements. When a non-secure element for the webpage is determined, a client may message with the server to open a non-secure channel for accessing the non-secure element. For example, the client may request port information in the request. The server then can respond with port information for a non-secure channel. The client then accesses data for the non-secure element through the non-secure channel using the port information.

Abstract: A server receives identifying information of a user of a client device and data encrypted with a public key of a group, where the encrypted data includes an encrypted session key for secure content. The server determines whether the user is a member of the group using the identifying information of the user. If the user is a member of the group, the server decrypts the encrypted session key using a private key of the group, and causes the client device to obtain a session key to access the secure content.

Abstract: An information management apparatus includes a first control information setting unit that sets first control information for permitting use of information within a destination terminal to the information; a second control information setting unit that sets second control information for permitting the destination terminal to forward the information to the information; a displaying permitting unit that controls, when information set with the first control information is received from a source terminal, to permit the information to be used locally within an apparatus; and a forwarding permitting unit that controls, when information set with the second control information is received from a source terminal, to permit the information to be forwarded.

Abstract: A computationally-implemented method comprises obtaining at least a portion of data from a data source, determining a content of the data, determining an acceptability of an effect of content of the data at least in part via at least two virtual machine representations of at least a part of a real machine having at least one end-user specified preference, at least one of the at least two virtual machine representations operating at least in part on an individual core of a multi-core system, and displaying at least one data display option based on the determining an acceptability of a content of the data.

Abstract: The invention relates to a network and to a method of operating a network. The network comprises a plurality of stations each able to transmit and receive data so that the network can transmit data between stations via at least one selected intermediate station. The network further comprises a plurality of levels of stations including a first level comprising user and/or seed stations, a second level comprising auxiliary stations providing access to auxiliary networks, a third level comprising at least one location management station, and a fourth level comprising at least one authentication station. The method comprises transmitting, from or on behalf of a station on the first level requiring authentication, to an authentication station via one or more stations, an authentication request message. In response, the authentication station transmits authentication data to authenticate the station on the first level.

Abstract: An e-mail relay provides message filtering services to an e-mail network. The e-mail relay monitors incoming communication and intercepts e-mail messages. The e-mail relay compares attributes of the messages to data derived from SPAM messages, which are stored in a SPAM database. The e-mail relay restricts the delivery of messages based on the comparison such as by restricting the delivery of messages having attributes close to those of SPAM messages from the SPAM database. The SPAM database is constructed by responding to user or administrator indications as to whether received messages are SPAM messages.

Abstract: A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.

Abstract: A system and method for monitoring secure digital data on a network are provided. An exemplary network monitoring system may include a network device in communication with a user and a network. Further, a server may be in communication with the network. A browser and monitoring program may be stored on the network device, and the network device may receive secure digital data from the network. The browser may convert the secure digital data or a portion thereof into source data, and the monitoring program may transfer the source data or a portion thereof to the server. In an exemplary embodiment, the monitoring program may include a service component and an interface program.

Abstract: Methods for scanning software for the existence of a licensing condition. Software may be uploaded, scanned and compared against known software stored in a datastore. If the uploaded software matches known software in the datastore, a license associated with the known software may be determined. The license may have information associated with it, such as a classification based on risk and obligations. The classification of the license, as well as the obligation information may be returned as a report to a requester that uploaded software to easily identify the risks associated with incorporating the software into a larger code base or project.

Abstract: At least a portion of a transmission of an outgoing first email from a first email account to at least a second email account is encrypted. Second email address data is changed corresponding to the second email account to cause replies to the first email intended for the second email account to be sent to an intermediate device prior to being routed to the second email account. Replies to the first email are then sent to the intermediate device and sent over one or more encrypted channels. Replies to the first email including the changed email address data are decoded to identify the second email address data associated with the second email account. A reply to the first email is then sent to the second email account based on the identified second email address data.

Abstract: Methods and systems for cross-site scripting (XSS) defense are described herein. An embodiment includes, embedding one or more tags in content at a server to identify executable and non-executable regions in the content and transmitting the content with the tags to a client based on a request from the client. Another embodiment includes receiving content embedded with one or more permission tags from a server, processing the content and the permission tags, and granting permission to a browser to execute executable content in the content based on the permission tags. A method embodiment also includes receiving content embedded with one or more verify tags from a server, performing an integrity check using the verify tags and granting permission to a browser to execute executable content in the content based on the integrity check.

Abstract: A cache coherency controller, a system comprising such, and a method of its operation are disclosed. The coherency controller ensures that target-side security checking rules are not violated by the performance-improving processes commonly used in coherency controllers such as dropping, merging, invalidating, forwarding, and snooping. This is done by ensuring that requests marked for target-side security checking and any other requests to overlapping addresses are forwarded directly to the target-side security filter without modification or side effects.

Abstract: An apparatus and method for providing a security service for UI applications in a network system. In a network supporting a user interface, encryption-unneeded data is distinguished from data in which security identifier is specified, that indicates a need for security between a server and a communication device, and the distinguished data is transmitted over a security channel and a general channel separately.

Abstract: A system for connecting a first network device and a second network device includes one or more servers. The servers are configured to: (a) receive, from the first network device, a request to look up a network address of the second network device based on an identifier associated with the second network device; (b) determine, in response to the request, whether the second network device is available for a secure communications service; and (c) initiate a virtual private network communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service, wherein the secure communications service uses the virtual private network communication link.