Including Filtering Based On Content Or Address Patents (Class 713/154)
  • Patent number: 8914841
    Abstract: A system capable of automated mapping between a connectivity request and an ordered security rule-set and a method of operating thereof. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automated recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automated evaluating relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automated classifying, in accordance with evaluation results, the at least one connectivity request with respect to the at least one rule and/or vice versa.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: December 16, 2014
    Assignee: Tufin Software Technologies Ltd.
    Inventor: Reuven Harrison
  • Patent number: 8909967
    Abstract: A technique for secure computation obfuscates program execution such that observers cannot detect what instructions are being run at any given time. Rather, program execution and memory access patterns are made to appear uniform. A processor operates based on encrypted inputs and produces encrypted outputs. In various examples, obfuscation is achieved by exercising computational circuits in a similar way for a wide range of instructions, such that all such instructions, regardless of their operational differences, affect the processor's power dissipation and processing time substantially uniformly. Obfuscation is further achieved by limiting memory accesses to predetermined time intervals, with memory interface circuits exercised regardless of whether a running program requires a memory access or not. The resulting processor thus reduces leakage of any meaningful information relating to the program or its inputs, which could otherwise be detectable to observers.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: December 9, 2014
    Assignee: EMC Corporation
    Inventor: Marten van Dijk
  • Patent number: 8910296
    Abstract: Techniques are disclosed for hiding sensitive information from a provider of support services. In one embodiment, a first network device determines that network device information includes non-sensitive data and sensitive data. In response to the determining, the first network device generates mapping data that maps dummy information to the sensitive data. The first network device generates output data that comprises the non-sensitive data and the dummy data and sends the output data to a second network device. In other embodiments, the user may select the network parameters that are sensitive. The first network device may also receive first report data from the second network device that identifies a network problem and includes the dummy data and generate second report data by using the mapping data to replace the dummy information with the sensitive data.
    Type: Grant
    Filed: October 31, 2011
    Date of Patent: December 9, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Ammar Rayes, Subrata Dasgupta, Gaurav Garg, Mark Whitteker
  • Publication number: 20140359277
    Abstract: In one embodiment, a method includes receiving from a secure device, an encrypted rule at a first network device, receiving at the first network device, a packet containing at least one encrypted subfield from a second network device, the subfield encrypted based on a key received at the second network device from the secure device, and determining if the encrypted subfield matches the encrypted rule. An apparatus and logic are also disclosed herein.
    Type: Application
    Filed: June 4, 2013
    Publication date: December 4, 2014
    Inventor: David McGrew
  • Patent number: 8904514
    Abstract: A method for applying a host security service to a network is described herein. The network may include a host device and a network device. The network device may receive a request for security-based filtering. The request includes filtering parameters that restrict traffic between the host device and the network device. It is determined whether the filtering parameters conflict with an initial filtering configuration. The filtering parameters may be applied to traffic through the network device.
    Type: Grant
    Filed: April 12, 2010
    Date of Patent: December 2, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Nathan Stanley Jenne, Shaun Kazuo Wakumoto
  • Patent number: 8898768
    Abstract: A computer or microchip comprising a central controller that is connected by a secure control bus with the other parts of the computer or microchip, including a volatile random access memory (RAM) located in a portion of the computer or microchip that is connected to a network. The secure control bus is isolated from any input from the network and provides and ensures direct preemptive control by the central controller over the volatile random access memory (RAM). The direct preemptive control includes transmission of data and/or code to the volatile random access memory (RAM) or erasure of data and/or code in the volatile random access memory (RAM) and includes control of the connection between the central controller and the volatile random access memory (RAM) and between the volatile random access memory (RAM) and a microprocessor having a connection for the network.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: November 25, 2014
    Inventor: Frampton E. Ellis
  • Patent number: 8893252
    Abstract: A selective barrier prevents undesired communication between a protected region and an unprotected region. Wireless communication is allowed within the protected region, while wireless communication is prevented between the protected region and any unprotected regions. Particular undesired message packets might be selected by business rules responsive to aspects of individual messages. Particular unprotected regions might be statically or dynamically determined. Alternatively, the selective barrier similarly operates to block undesired message packets from originating in any of the unprotected regions and successfully being received in the protected region.
    Type: Grant
    Filed: April 16, 2009
    Date of Patent: November 18, 2014
    Assignee: Meru Networks
    Inventors: Vaduvur Bharghavan, Vijaykarthik Rajanarayanan
  • Patent number: 8893233
    Abstract: A referer verification apparatus and method for controlling web traffic having malicious code are provided. In the referer verification method, whether a referer is present in a Hypertext Transfer Protocol (HTTP) packet is determined. If it is determined that the referer is present in the HTTP packet, Uniform Resource Locators (URLs) are extracted from a referer web page corresponding to the referer. The referer is verified based on a URL corresponding to a referer verification request received from a server and the extracted URLs. A Completely Automated Public Test to tell Computers and Humans Apart (CAPTCHA) verification procedure conducted by a user is performed based on results of the verification of the referer.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: November 18, 2014
    Assignee: Electronics and Telecommunications Research
    Inventors: Chul-Woo Lee, Deok-Jin Kim, Byoung-Jin Han, Byung-Chul Bae, Sang-Woo Park, Man-Hee Lee, E-Joong Yoon
  • Patent number: 8893256
    Abstract: A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack in to control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: November 18, 2014
    Assignee: Brocade Communications Systems, Inc.
    Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
  • Patent number: 8892778
    Abstract: A method for securing remote access to private networks includes a receiver intercepting from a data link layer a packet in a first plurality of packets destined for a first system on a private network. A filter intercepts from the data link layer a packet in a second plurality of packets transmitted from a second system on the private network, destined for a system on a second network. A transmitter in communication with the receiver and the filter performs a network address translation on at least one intercepted packet and transmits the at least one intercepted packet to a destination.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: November 18, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Goutham P. Rao, Robert A. Rodriguez, Eric R. Brueggemann
  • Patent number: 8885823
    Abstract: A method for delivering encrypted content to a subscriber terminal on-demand through a communication network is provided. The method begins when SRM receives a request for content from the subscriber terminal. In response to the request, the SRM directs a video server to transmit the content as an unencrypted transport stream to an encryptor. The packets in the unencrypted transport stream include a header with a destination address associated with the subscriber terminal. The encryptor encrypts the content in the unencrypted transport stream to generate an encrypted transport stream. The encryptor also inserts in the packet headers of the packets in the encrypted transport stream the destination address associated with the subscriber terminal obtained from the packet headers in the unencrypted transport stream. Finally, the encrypted transport stream is transmitted to the subscriber terminal over the communication network.
    Type: Grant
    Filed: September 24, 2007
    Date of Patent: November 11, 2014
    Assignee: General Instrument Corporation
    Inventors: Christopher Poli, Joseph M. Amorese, Robert Mack, Lawrence D. Vince, Charles A. Zimmerman
  • Patent number: 8881277
    Abstract: A method and system are described for collecting addresses for remotely accessible information sources. Messages, such as emails, carried by a messaging network (N1) are intercepted before reaching a destined terminal. Addresses for remotely accessible information sources (i.e. URLs) are identified from the intercepted email messages. The messages are analyzed to be classified as either a first type of message (e.g. spam or virus messages) or a second, different, type of message. If the intercepted message is classified as the first spam/virus type then data indicative of the identified address (URL) is transmitted to a filtering system (100) which controls access to the remotely accessible information sources. As a result, addresses (URLs) are gleaned from transmitted messages such as spam e-mail and supplied to a filtering system (100) which controls access to the resources accessible at those addresses.
    Type: Grant
    Filed: January 4, 2008
    Date of Patent: November 4, 2014
    Assignee: Websense Hosted R&D Limited
    Inventor: James Kay
  • Patent number: 8869283
    Abstract: A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data, to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format.
    Type: Grant
    Filed: April 4, 2012
    Date of Patent: October 21, 2014
    Assignee: Glasswall (IP) Limited
    Inventor: Nicholas John Scales
  • Patent number: 8869260
    Abstract: A computer or microchip securely controlled through a private network including a connection to a network of computers including the Internet; a separate connection to at least a private network of computers located in a hardware protected area of said computer or microchip, a first microprocessor, core or processing unit configured to connect to the connection to the network of computers including the Internet; a master controlling device for the computer or microchip located in the hardware protected area; and a secure control bus configured to connect at least said master controlling device with said microprocessor, core or processing unit, and isolated from input from the network and components other than said master controlling device. The master controlling device securely controls an operation executed by the microprocessor, core or processing unit, with secure control being provided through the private network to the private network connection through the secure control bus.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: October 21, 2014
    Inventor: Frampton E. Ellis
  • Patent number: 8869304
    Abstract: Computer implemented methods and systems are provided for mediating access to content based on digital rights management. A request is received from a mobile device for a unit of content. A digital rights holder identity is identified for the mobile device by using a unique identifier for the mobile device. The unique identifier is an equipment identifier, an international mobile subscriber identity, a mobile subscriber identification number, or a mobile identification number. Whether the digital rights holder identity is associated with a right to receive the unit of content is determined. The unit of content is provided to the mobile device in response to a determination that the digital rights holder identity is associated with the right to receive the unit of content.
    Type: Grant
    Filed: October 10, 2007
    Date of Patent: October 21, 2014
    Assignee: Sprint Communications Company L.P.
    Inventor: Wing K. Lee
  • Patent number: 8869235
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, Kelly Brian Roach, John M. McGinty, Olivier Andre, Shafaq Abdullah, Thomas H. DeBenning, Ahmed Datoo
  • Patent number: 8863244
    Abstract: Communication abuse prevention techniques are described. In an implementation, a reputation level for a communication is determined based on relation information for a sender and an intended recipient of the communication. A challenge is invoked that is to be completed by the sender before the communication is sent. The challenge is selected based on the reputation level for the communication. The communication is caused to be available for access based on successful completion of the challenge. Access to the communication is inhibited in response to a subsequent determination of the reputation level that indicates that the reputation level for the communication has changed to a new reputation level prior to the communication being accessed by the intended recipient. The subsequent determination is based on additional information associated with the sender of the communication.
    Type: Grant
    Filed: May 31, 2012
    Date of Patent: October 14, 2014
    Assignee: Microsoft Corporation
    Inventors: Joseph Andrew Bono, Thomas R. Bauman, Jeffrey E. Steinbok, Eileen S. Hash, Dan Wu
  • Patent number: 8862880
    Abstract: A two-stage anonymization process is applied to monitored network traffic in which unique user identifiers, such as the MSISDN (Mobile Station International Subscriber Directory Number), are extracted from the traffic and anonymized to generate an ASI (anonymized subscriber identifier). A strictly random RSI (random subscriber identifier) is generated and used to replace the ASI. The RSI is generated upon a first occurrence of an ASI and stored in a lookup table for utilization upon subsequent ASI occurrences. Use of the strictly random RSI enables various studies and analysis of user behavior to be performed at a heightened level of privacy protection as compared with conventional anonymization schemes that do not utilize strictly random identifiers.
    Type: Grant
    Filed: September 23, 2011
    Date of Patent: October 14, 2014
    Assignee: GfK Holding Inc.
    Inventors: Jacques Combet, Yves-Marie LeMaitre, Antero Kivi
  • Publication number: 20140304502
    Abstract: A method for obtaining peripheral information is disclosed herein and includes the steps of: receiving a request for obtaining peripheral information, where the request for obtaining peripheral information includes a connection request for access to a third-party website; obtaining the current location information of a mobile terminal according to the connection request; obtaining a link of the third-party website according to domain name information of the third-party website and the current location information of the mobile terminal; and making the mobile terminal jump to a page of the third-party website, so as to obtain peripheral information based on the current location of the mobile terminal, where the information is provided by the third-party website.
    Type: Application
    Filed: December 17, 2012
    Publication date: October 9, 2014
    Applicant: Tencent Technology (Shenzhen) Company Ltd.
    Inventors: Xiaokang Su, Shiqing Fan, Yonghua Li, Xuming Yu
  • Patent number: 8856511
    Abstract: A system and method implemented at a server system, for securely wiping a remote mobile device after the device registration has been removed from the server system. Prior to removal of the device registration from the server system, a “pre-packaged” command is created and stored at the server system. In the event that it is determined, after removal of the registration, that the device should be wiped or disabled, means are provided for an administrator to issue the previously stored command to the target mobile device.
    Type: Grant
    Filed: December 14, 2006
    Date of Patent: October 7, 2014
    Assignee: BlackBerry Limited
    Inventors: Michael K. Brown, Scott W. Totzke, Michael G. Kirkup
  • Patent number: 8856920
    Abstract: A system and method are provided for supporting storage and analysis by law enforcement agency premises equipment of intercepted network traffic. The system and method provide integrity of the intercepted network traffic stored in an archive in accordance with lawful intercept requirements by storing all of the intercepted traffic, both benign and malicious, in the archive in its original form. The system and method furthermore provide for security from any malicious data packets of the archive by separating the malicious packets from the benign packets and forwarding only the benign packets to analysis applications of the law enforcement agency premises equipment.
    Type: Grant
    Filed: September 18, 2006
    Date of Patent: October 7, 2014
    Assignee: Alcatel Lucent
    Inventors: Faud Ahmad Khan, Dmitri Vinokurov, Vinod Kumar Choyi
  • Patent number: 8848570
    Abstract: A system including a user interface circuit, a classifier, a counter, and an action circuit. The user interface circuit is configured to receive a user input establishing a rule, wherein the rule describes (i) a characteristic of an event, and (ii) an action to initiate in response to a predetermined threshold being met. The classifier is configured to identify, based on the characteristic described in the rule, events that have the characteristic in a network device. The counter is configured to count a number of the events that have the characteristic in the network device as identified by the classifier. The action circuit is configured to initiate the action described in the rule in response to the number of the events meeting the predetermined threshold in the rule.
    Type: Grant
    Filed: November 6, 2012
    Date of Patent: September 30, 2014
    Assignee: Marvell International Ltd.
    Inventor: Michael Orr
  • Patent number: 8850555
    Abstract: A system for, and method of, generating a plurality of proxy identities to a given originator identity as a means of providing controlled access to the originator identity in electronic communications media such as e-mail and instant messaging.
    Type: Grant
    Filed: July 3, 2012
    Date of Patent: September 30, 2014
    Assignee: Reflexion Networks, Inc.
    Inventors: Joseph E. McIsaac, Marcus Dahllof, Bruce L. Tatarsky, Richard K. Vallett
  • Patent number: 8844017
    Abstract: A software firewall that may be configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be implemented for network interfaces of that network type. The implementation may be performed automatically and may be updated based on network location awareness information.
    Type: Grant
    Filed: February 7, 2013
    Date of Patent: September 23, 2014
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar
  • Patent number: 8844018
    Abstract: Example methods and apparatus to enhance security in residential networks and residential gateways are disclosed. A disclosed example apparatus includes a transceiver to receive an Internet protocol (IP) packet, a first packet processing module associated with a protected IP address, the first packet processing module to be communicatively coupled to a first network device, a second packet processing module associated with a public IP address, the second packet processing module to be communicatively coupled to a second network device, and a packet diverter to route the received IP packet to the first packet processing module when the IP packet contains the protected IP address and to route the IP packet to the second packet processing module when the IP packet does not contain the protected IP address.
    Type: Grant
    Filed: December 18, 2008
    Date of Patent: September 23, 2014
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Thusitha Jayawardena, Gustavo De Los Reyes, Gang Xu
  • Patent number: 8839457
    Abstract: A computer-implemented method for controlling access to digital media involves receiving a URL at a computer server system, decoding the URL, extracting a user ID of a user who submitted the URL and an image ID of an image that is accessible by the server system, using the user ID to determine whether the user who submitted the URL is authorized to access the image, and controlling access to the image by the user based on the determination of whether the user who submitted the URL is authorized to access the image.
    Type: Grant
    Filed: April 12, 2011
    Date of Patent: September 16, 2014
    Assignee: Google Inc.
    Inventors: Jeffrey Harris, Jonathan B. Emerson, Jonathan A. Wray, Nicholas M. V. Cooper, Christopher J. Nokleberg
  • Patent number: 8839370
    Abstract: Users of a computer are prevented from directly accessing certain hardware for which a driver is installed on the computer. The users are provided a limited, indirect manner to access the hardware for a specific purpose or to do a specific job. One example of such hardware is a wireless hardware communication interface. The wireless activity of the computer may be restricted so that the wireless hardware communication interface is prevented from communicating with any devices compatible with the wireless hardware communication interface other than one or more specific devices.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: September 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Ravi Singh, Neil Patrick Adams
  • Patent number: 8832825
    Abstract: A method for locally authenticating a vehicle diagnostic tool with a vehicle using a challenge-response authentication scheme includes: receiving a pairing request from the vehicle diagnostic tool; presenting a user with a challenge through at least one of an audio system and an LCD display associated with the vehicle; receiving a response to the challenge from a user; and authenticating the vehicle diagnostic tool if the response from the user is identical to an expected response.
    Type: Grant
    Filed: November 29, 2012
    Date of Patent: September 9, 2014
    Assignee: GM Global Technology Operations LLC
    Inventor: John J. Cicala
  • Patent number: 8826451
    Abstract: In accordance with embodiments, there are provided methods and systems for providing communication authentication between cloud applications and on-premise applications. A method of embodiments includes receiving, from a cloud application at a cloud computing device, a first message at an application server of a server computing system, and parsing, at the application server, the first message to determine first identification information contained within the first message. The method further includes authenticating, at the application server, the first message by verifying the first identification information, and forwarding the first authenticated message to an on-premise application at a remote computing device.
    Type: Grant
    Filed: December 20, 2010
    Date of Patent: September 2, 2014
    Assignee: salesforce.com, inc.
    Inventor: Michael David Blubaugh
  • Patent number: 8817784
    Abstract: Roughly described, incoming data packets are delivered by the NIC directly to at least two user level endpoints. In an aspect, only filters that cannot be ambiguous are created in the NIC. In another aspect, the NIC maintains a filter table supporting direct delivery of incoming unicast and multicast data packets to one user level endpoint. Additional requests to join the same multicast group cause replacement of the NIC filter with one in the kernel. In another aspect, a NIC has limited capacity to maintain multicast group memberships. In response to a new multicast filter request, the kernel establishes it in the NIC only if the NIC still has sufficient capacity; otherwise it is established in the kernel.
    Type: Grant
    Filed: January 10, 2012
    Date of Patent: August 26, 2014
    Assignee: Solarflare Communications, Inc.
    Inventors: David J. Riddoch, Martin W. Porter, Steven L. Pope
  • Patent number: 8813176
    Abstract: A method and apparatus for creating a policy based on a pre-configured template is described. In one embodiment, source data having a tabular structure is identified. Further, one of multiple policy templates is used to automatically create a policy for detecting information from any one or more rows within the tabular structure of the source data.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: August 19, 2014
    Assignee: Symantec Corporation
    Inventors: Chris Jones, Eric Bothwell, Kevin T. Rowney
  • Patent number: 8811971
    Abstract: A mobile communication device (1) is connectable to a memory device (MIF) that comprises a plurality of memory sectors (0-F), wherein at least one application is stored in at least one memory sector. The memory sectors are protected against unauthorized access by sector keys (key A, key B, 4). The mobile communication device (1) comprises an applications manager (MAM) being adapted to disable the stored applications (TK1, AC1, AC2, TR2, TR3, CP1, TR4, AC3, TK3) when triggered by an external trigger event.
    Type: Grant
    Filed: July 21, 2008
    Date of Patent: August 19, 2014
    Assignee: NXP B.V.
    Inventors: Alexandre Corda, Ismaila Wane
  • Patent number: 8813212
    Abstract: A computer or microchip securely controlled through a private network and including a secure private unit that is protected by an inner hardware-based access barrier or firewall that denies access to the private unit from a network of computers including the Internet, an unprotected public unit including a network connection, a separate private network connection for the private network in the private unit, a general purpose microprocessor, core or processing unit in the public unit, a master controlling device for the computer or microchip in the private unit; and a secure control bus connecting the master controlling device with the microprocessor, core or processing unit and isolated from input from the network and components of the public unit. The master controlling device securely controls an operation executed by the microprocessor, core or processing unit through the private network to the additional private network connection via the secure control bus.
    Type: Grant
    Filed: February 6, 2013
    Date of Patent: August 19, 2014
    Inventor: Frampton E. Ellis
  • Patent number: 8806605
    Abstract: A method may include determining one or more rules and communicating the one or more rules to a firewall, where the firewall receives a data unit and determines, based on the one or more rules, whether to forward the data unit to a destination address; receiving a redirection of a device from the firewall when the firewall determines not to forward the data unit to the destination address; receiving an indication that the firewall did not forward the data unit to the destination address; and determining a new rule to allow the firewall to forward the data unit to the destination address and communicating the new rule to the firewall; and redirecting the device to the destination address.
    Type: Grant
    Filed: January 11, 2008
    Date of Patent: August 12, 2014
    Assignee: Juniper Networks, Inc.
    Inventor: Roger A. Chickering
  • Patent number: 8806191
    Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator-selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator-selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: August 12, 2014
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8806625
    Abstract: A computer-implemented method for performing security scans may include 1) generating a first hash of a first file, 2) performing a first security scan on the first file, 3) storing the first hash to indicate a result of the first security scan of the first file, 4) identifying a second file and generating a second hash of the second file, 5) determining that the second hash of the second file is equivalent to the first hash of the first file and, in response, determining that the result of the first security scan of the first file applies to the second file, 6) identifying a third file and determining that the third file is volatile, and 7) performing a second security scan on the third file instead of generating a third hash of the third file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 2, 2012
    Date of Patent: August 12, 2014
    Assignee: Symantec Corporation
    Inventor: Henry Berger
  • Patent number: 8806189
    Abstract: An apparatus for analyzing traffic is provided. The apparatus may precisely identify and analyze web traffic through 5-tuple-, HTTP-, and request/response-pair-based packet analysis by monitoring the correlation between sessions.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: August 12, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Dong-Won Kang, Joon-Kyung Lee, Sang-Sik Yoon, Wang-Bong Lee
  • Patent number: 8806572
    Abstract: Systems, methods, and other embodiments associated with authentication via monitoring are described. One example method includes detecting a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. The example method may also include collecting an identity data associated with the DFWIOI from the DFWIOI, the first endpoint, the second endpoint, and so on. The example method may also include making an authentication policy decision regarding the DFWIOI based, at least in part, on the identity data. The example method may also include controlling a networking device associated with the DFWIOI based, at least in part, on the authentication policy decision.
    Type: Grant
    Filed: May 30, 2009
    Date of Patent: August 12, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: David A. McGrew, Sandeep Rao
  • Patent number: 8806590
    Abstract: Architecture for generating a temporary account (e.g., an email address) with a user-supplied friendly name and a secret used to sign the temporary account. For example, when a user wishes to create a temporary email address to use with an online organization, a friendly name is provided and the system generates a temporary email address including the friendly name. A signing component signs the temporary email address with a secret. One or more of these secrets can be provisioned prior to the user's creation of a friendly name, which eliminates propagation delay. During use, only incoming email messages having the temporary email address signed with the secret are validated. When the user revokes the temporary email address, the secret is revoked and the revocation is propagated to network gateways, rejecting any email sent to that address.
    Type: Grant
    Filed: June 22, 2008
    Date of Patent: August 12, 2014
    Assignee: Microsoft Corporation
    Inventors: Charles R. Salada, Mayerber Carvalho Neto, Charlie Chung, Mayank Mehta
  • Patent number: 8806607
    Abstract: A method includes receiving a policy via a network connection, wherein the policy includes at least one signature. Receiving a data communication message from a processor of a computing device via a system bus. Identifying a class, and selectively forwarding the data communication message based in part on the received policy and the identified class.
    Type: Grant
    Filed: August 12, 2008
    Date of Patent: August 12, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Steven T. Archer, Paul V. Hubner, Kristopher A. Pate, Francisco A. Dias
  • Patent number: 8800001
    Abstract: A network authentication method, a client and a device are provided. The method includes: receiving SYN data sent by a client, where the SYN data includes a sequence number SEQ1 and a network parameter comprising an ID in the header of the SYN data; sending SYN_ACK data to the client, where the SYN_ACK data includes an acknowledgment number ACK2 obtained by carrying out a function transformation according to the network parameter; receiving RST data sent by the client, where the RST data includes a sequence number SEQ3 or an acknowledgment number ACK3, and the RST data further includes a network parameter the same as that of the SYN data; carrying out the function transformation according to the network parameter of the RST data to obtain a check value CHK; and passing the authentication of the client if CHK matches SEQ3 or ACK3.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: August 5, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Wu Jiang
  • Patent number: 8799985
    Abstract: Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.
    Type: Grant
    Filed: March 19, 2010
    Date of Patent: August 5, 2014
    Assignee: Microsoft Corporation
    Inventors: Anders B. Vinberg, John Neystadt, Yair Tor, Oleg Ananiev
  • Patent number: 8799644
    Abstract: A system for preventing the transmission of known and unknown electronic contents to and from servers or workstations connected to a common network. The system includes devices for means for interpreting the contents of a messaging protocol or application network protocol, for checking compliance of the electronic contents with the messaging protocol specification or application network protocol specification and for filtering the electronic content based on its functions.
    Type: Grant
    Filed: January 13, 2004
    Date of Patent: August 5, 2014
    Assignee: Karsof Systems LLC
    Inventor: Kartik Kaleedhass
  • Patent number: 8799645
    Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.
    Type: Grant
    Filed: April 27, 2012
    Date of Patent: August 5, 2014
    Assignee: Foundry Networks, LLC.
    Inventors: Yan-Zhe Wang, Sean Hou, Sridhar Devarapalli, Louis Yun
  • Patent number: 8793486
    Abstract: A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining, by the appliance, that the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described.
    Type: Grant
    Filed: January 9, 2012
    Date of Patent: July 29, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Tushar Kanekar, Sivaprasad Udupa
  • Patent number: 8793782
    Abstract: A method for injecting a security token into an authentication protocol response is disclosed. An authentication protocol response from a node requesting access to a network is intercepted. It is determined whether the node complies with a health policy of the network. A security token is inserted into the authentication protocol response based on the node's compliance.
    Type: Grant
    Filed: May 27, 2010
    Date of Patent: July 29, 2014
    Assignee: Crimson Corporation
    Inventor: Jin Su
  • Patent number: 8792110
    Abstract: Systems and methods for securing a document for transmission are discussed. In one embodiment, a document is checked for an indication of confidentiality. The document is then passed to a secure driver, in response to a finding of the indication of confidentiality. The document is passed to a non-secure driver, in response to a failure to find the indication of confidentiality. The document is then transmitted after processing by the secure driver or the non-secure driver.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: July 29, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Keith Moore
  • Patent number: 8789040
    Abstract: In an embodiment, a data processing method comprises receiving, from a first computer, and storing at a service provider computer, a copy of a non-natively-executable computer program; generating and distributing a download link that is configured, when activated, to cause downloading of a dynamically generated natively executable installer program from the service provider computer; receiving a request based upon the download link, and in response, the service provider computer generating a natively executable installer program that comprises the non-natively-executable computer program file and, optionally a player or other support software and/or one or more bundled external software offers, and providing the installer program to the end user computer; receiving, from the installer program, a request for the non-natively-executable computer program; providing the non-natively-executable computer program from the service provider computer to the end user computer; and the method is performed by one or more
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: July 22, 2014
    Assignee: Appenity LLC
    Inventor: Lars Callary
  • Patent number: 8788811
    Abstract: A method and system for server-side key generation for non-token clients is described.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: July 22, 2014
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Andrew Wnuk
  • Patent number: 8782751
    Abstract: Systems and methods of authenticating user access based on an access point to a secure data network include a secure data network having a plurality of network access points serving as entry points for a user to access the secure data network using a user device. The user is associated with a user identity, and each network access point with a network access point identity. The user uses a user device to send an access request, requesting access to the secure data network, to the network access point, which then sends an authentication request to an identity server. The identity server processes the authentication request by validating the combination of the user identity and the network access point identity, and responds with an authentication response, granting or denying access, as communicated to the user device via an access response.
    Type: Grant
    Filed: March 19, 2012
    Date of Patent: July 15, 2014
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, John Chiong, Yang Yu