Including Filtering Based On Content Or Address Patents (Class 713/154)
  • Patent number: 8782405
    Abstract: A method and apparatus is presented for providing transaction-level security. The method comprises determining security information associated with at least one object of a transaction and determining if a remote device is capable of providing a level of security indicated by at least a portion of the security information. The method further comprises transmitting the object to the remote device in response to determining that the remote device is capable of providing the level of security.
    Type: Grant
    Filed: March 18, 2004
    Date of Patent: July 15, 2014
    Assignee: International Business Machines Corporation
    Inventors: Folu Okunseinde, Tyron Stading
  • Publication number: 20140195798
    Abstract: A mechanism is provided for secure data storage in a distributed computing system by a client of the distributed computing system. A gateway device intercepts a data file from at least a portion of stream data during transmission. If the destination of the data file is the storage, the gateway device selects a set of analysis algorithms to determine whether the data file comprises sensitive data.
    Type: Application
    Filed: January 9, 2014
    Publication date: July 10, 2014
    Applicant: International Business Machines Corporation
    Inventors: Dominik W. Brugger, Matthias Seul
  • Patent number: 8776206
    Abstract: The present invention relates to a method, a system, and an apparatus for protecting data in a computer network. A device is placed on a network edge in such a way, that all outgoing data has to pass through it. Separately, a set of protected files that are not allowed to leave the network is defined. The device checks the passing data for the presence of the data from the defined set (protected data). If a threshold amount of the protected data is present, the device interrupts the connection or takes another appropriate action.
    Type: Grant
    Filed: September 2, 2005
    Date of Patent: July 8, 2014
    Assignee: GTB Technologies, Inc.
    Inventor: Leonid Goldstein
  • Patent number: 8776210
    Abstract: A system and method are disclosed for improving a statistical message classifier. A message may be tested with a machine classifier, wherein the machine classifier is capable of making a classification on the message. In the event the message is classifiable by the machine classifier, the statistical message classifier is updated according to the reliable classification made by the machine classifier. The message may also be tested with a first classifier. In the event that the message is not classifiable by the first classifier, it is tested with a second classifier, wherein the second classifier is capable of making a second classification. In the event that the message is classifiable by the second classifier, the statistical message classifier is updated according to the second classification.
    Type: Grant
    Filed: December 29, 2011
    Date of Patent: July 8, 2014
    Assignee: SonicWALL, Inc.
    Inventors: Jonathan J Oliver, Scott Roy, Scott D. Eikenberry, Bryan Kim, David A. Koblas, Brian K. Wilson
  • Patent number: 8776208
    Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: July 8, 2014
    Assignee: Microsoft Corporation
    Inventors: Eran Yariv, Gerardo Diaz-Cuellar, David Abzarian
  • Publication number: 20140189345
    Abstract: A method is provided for defining a filtering module between a first module processing information with a first sensitivity level, and a second module processing information with a second sensitivity level connected, in parallel with the filtering module, by a cryptographic module. The method includes defining a set of filtering rules in a language that can be compiled, defining the properties of messages whereof transmission is allowed between the first and second modules; validation processing the predefined set of rules, validating that a transmission authorization or refusal has in fact been provided by applying the set of rules to any information that may be provided at the input of the filtering module; compiling the predefined set of rules; and integrating the compiled set of rules into a rules database of the filtering module.
    Type: Application
    Filed: December 27, 2013
    Publication date: July 3, 2014
    Inventors: Emmanuel Tigrane GUREGHIAN, Patrick Duputz, Olivier Grisal
  • Patent number: 8769629
    Abstract: In one embodiment, a method includes receiving authorization data at a local node of a network. The authorization data indicates a particular network address of a different node in the network and an authenticated user ID of a user of the different node. Resource profile data is retrieved based on the user ID. The resource profile data indicates all application layer resources on the network that the user is allowed to access. The particular network address is associated at the local node with the resource profile data for the user. A request from the particular network address for a requested application layer resource on the network is blocked based on the resource profile data associated with the particular network address.
    Type: Grant
    Filed: May 7, 2012
    Date of Patent: July 1, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Kevin Shatzkamer, Christopher C. O'Rourke, Richard Alan Galatioto
  • Patent number: 8745544
    Abstract: A device with a touch-sensitive display may be unlocked via gestures performed on the touch-sensitive display. The device is unlocked if contact with the display corresponds to a predefined gesture for unlocking the device. The device displays one or more unlock images with respect to which the predefined gesture is to be performed in order to unlock the device. The performance of the predefined gesture with respect to the unlock image may include moving the unlock image to a predefined location and/or moving the unlock image along a predefined path. The device may also display visual cues of the predefined gesture on the touch screen to remind a user of the gesture.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: June 3, 2014
    Assignee: Apple Inc.
    Inventors: Imran Chaudhri, Bas Ording, Freddy Allen Anzures, Marcel van Os, Scott Forstall, Greg Christie
  • Patent number: 8739245
    Abstract: Systems, methods, and other embodiments associated with flexible supplicant access control are described. One example method includes collecting a network information associated with a network to which an endpoint is to be communicatively coupled. The network information comprises a network identification and information to facilitate the evaluation of network threats. The example method may also include classifying the network based, at least in part, on the network information, to assign a variable level access parameter (VLAP) to the network based on the policy locally configured on the endpoint or centrally managed by the administrator. The VLAP may establish three or more access levels for the network at the endpoint. The example method may also include communicating the network identification and the network VLAP to a second endpoint, a security agent, a security application, and so on.
    Type: Grant
    Filed: January 14, 2009
    Date of Patent: May 27, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph Salowey, Hao Zhou, Jason Frazier
  • Patent number: 8739271
    Abstract: An approach is provided for collecting and controlling access to network information. A network information anonymizer receives network information associated with a device, separates the network information into anonymized network information and user identifiable information, and enables access to the anonymized network information independently of the user identifiable information based on a privacy setting.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: May 27, 2014
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, Mark J. Hahn, Robert A. Sartini, William D Goodman
  • Patent number: 8738896
    Abstract: A program for causing an information processing device to execute a process is recorded on a computer-readable storage medium. The process includes: obtaining an identification of a logged-in account; referencing information that associates an identification of an account with a virtual machine to be permitted to make a communication; recognizing a first virtual machine corresponding to the obtained identification by using the referenced information; executing one or a plurality of virtual machines on the information processing device that is a physical machine; determining whether or not a second virtual machine from which data is transmitted toward a network is the first virtual machine; allowing the data to pass through and transmitting the data toward the network if the second virtual machine is determined to be the first virtual machine; and discarding the data if the second virtual machine is determined not to be the first virtual machine.
    Type: Grant
    Filed: June 29, 2010
    Date of Patent: May 27, 2014
    Assignee: Fujitsu Limited
    Inventor: Hiroaki Kashima
  • Patent number: 8732455
    Abstract: Embodiments of the invention provide a method and a system of detecting source code in a message being sent over a digital communication network to secure against unauthorized leakage of source code. The message is intercepted on a network device, placed into a memory on the network device, and divided into one or more segments, wherein each segment includes a predetermined number of lines of text from the message. For each segment, one or more syntax rules of a programming language is applied to the segment and a predetermined number of context lines of text before the segment and/or after the segment, to determine which of the syntax rules of the programming language are matched in the segment. A determination of whether the text message includes source code is provided based on the syntax rules that were matched.
    Type: Grant
    Filed: July 25, 2008
    Date of Patent: May 20, 2014
    Assignee: Infotect Security Pte Ltd
    Inventors: Onn Chee Wong, Siew Keng Loh, Hui Yang, You Liang Wang
  • Patent number: 8732451
    Abstract: As provided herein, when using an untrusted network connection, a secure online environment can be created for a remote machine by connecting to a trusted computer with a trusted network connection. A proxy server is installed on a first computing device and shared encryption keys are generated for the first device and a portable storage device. A connection is initiated between a second computing device (e.g., remote device), connected to an untrusted network, and the first computing device, comprising initiating a proxy server protocol from the portable storage device (e.g., attached to the second device), using the second computing device. A secure connection between the first and second devices is created using the encryption keys.
    Type: Grant
    Filed: May 20, 2009
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Rajesh Viswanathan, David J. Steeves
  • Patent number: 8719918
    Abstract: With migration of network technology and more and more requirements of user equipment for accessing the Internet, network security faces a more and more severe situation. There is provided a method for distributed security control in a communication network system and the device thereof in order to improve security and operability of the network operator. In the method, firstly the network controller establishes a network security control mechanism, which is used for a second network device to check the validity of the data package from the user equipment; secondly, the network controller sends the network security control mechanism to the second network devices; lastly, the second network device checks the validity of the data package from the user equipment according to the network security control mechanism, and discards the data package if the data package is invalid.
    Type: Grant
    Filed: June 16, 2009
    Date of Patent: May 6, 2014
    Assignee: Alcatel Lucent
    Inventors: Haibo Wen, Chunyan Yao, Jun Zheng, Songwei Ma
  • Patent number: 8718281
    Abstract: In one embodiment, apparatus and methods for a rekey process are disclosed. In certain rekey embodiments, when a key-generation protocol exchange is executed, instead of generating a single new security relationship, such as a Security Association or SA, a multiple set (e.g., 10) of new security relationships (e.g., SAs) are generated. An authorized device can then individually use these security relationships (e.g., SAs) as needed to securely communicate with each other. For example, a set of SAs can be efficiently programmed into an 802.1ae protocol ASIC for handling transmitted and received data packets. In the description herein, embodiments of the invention are described with respect to SA's, and this “SA” term is generally defined as any type of security relation that can be formed to allow a particular node to securely transmit packets or frames to another receiving node.
    Type: Grant
    Filed: April 8, 2010
    Date of Patent: May 6, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Chandan Mishra, Srinivas C. Javagal
  • Patent number: 8713306
    Abstract: A technique for providing computer security is described. The technique comprises providing network configuration information on a dynamic network; determining whether the network configuration information meets a criterion; and in the event the configuration information meets the criterion, configuring a decoy associated with the network.
    Type: Grant
    Filed: October 14, 2003
    Date of Patent: April 29, 2014
    Assignee: Symantec Corporation
    Inventor: Jeremy Bennett
  • Patent number: 8707440
    Abstract: The system and method for passively identifying encrypted and interactive network sessions described herein may distribute a passive vulnerability scanner in a network, wherein the passive vulnerability scanner may observe traffic travelling across the network and reconstruct a network session from the observed traffic. The passive vulnerability scanner may then analyze the reconstructed network session to determine whether the session was encrypted or interactive (e.g., based on randomization, packet timing characteristics, or other qualities measured for the session). Thus, the passive vulnerability scanner may monitor the network in real-time to detect any devices in the network that run encrypted or interactive services or otherwise participate in encrypted or interactive sessions, wherein detecting encrypted and interactive sessions in the network may be used to manage changes and potential vulnerabilities in the network.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: April 22, 2014
    Assignee: Tenable Network Security, Inc.
    Inventors: Ron Gula, Renaud Deraison, Matthew T. Hayton
  • Patent number: 8707020
    Abstract: A MACSec packet exposes selected tags in front of the MACSec tag. Different embodiments are directed to methods and apparatuses of various network nodes, that send, forward, and receive packets. Another embodiment is the MACSec data structure on a computer readable medium. Another embodiment is the upgrade process of a legacy network.
    Type: Grant
    Filed: May 13, 2010
    Date of Patent: April 22, 2014
    Assignee: ClearCrypt, Inc.
    Inventors: Gabor Lengyel, Ramana Devarapalli, Liang-Chih Yuan
  • Patent number: 8701162
    Abstract: An arrangement analyzes a data stream to identify particular token sequences known to be of interest or malware. A preprocessing step organizes the malware tokens into a “graph” in which overlapping token sequences are interconnected with logic splices. The preprocessing is performed only once for a given set of malware targets. The resulting graph can be traversed quickly in runtime operation to identify malware token strings in the data stream.
    Type: Grant
    Filed: November 2, 2010
    Date of Patent: April 15, 2014
    Assignee: Lockheed Martin Corporation
    Inventor: Richard N. Pedersen
  • Patent number: 8694923
    Abstract: A device with a touch-sensitive display may be unlocked via gestures performed on the touch-sensitive display. The device is unlocked if contact with the display corresponds to a predefined gesture for unlocking the device. The device displays one or more unlock images with respect to which the predefined gesture is to be performed in order to unlock the device. The performance of the predefined gesture with respect to the unlock image may include moving the unlock image to a predefined location and/or moving the unlock image along a predefined path. The device may also display visual cues of the predefined gesture on the touch screen to remind a user of the gesture.
    Type: Grant
    Filed: March 8, 2013
    Date of Patent: April 8, 2014
    Assignee: Apple Inc.
    Inventors: Imran Chaudhri, Bas Ording, Freddy Allen Anzures, Marcel van Os, Scott Forstall, Greg Christie
  • Patent number: 8688970
    Abstract: The invention provides a method for trust relationship detection between a core and access network for a user equipment. The gist is that a security tunnel establishment procedure is used so one entity, be it part of the core network or be it the user equipment itself, is provided with information to determine whether the access network is trusted or untrusted. The information may comprise a first IP address/prefix, which is initially assigned to the user equipment, upon attaching to the access network. The necessary information may further comprise a second IP address/prefix, which is an address/prefix that is allocated at a trusted entity of the core network. Depending which entity determines the trust relationship of the access network, it might be necessary to transmit either the first IP address/prefix or the second IP address/prefix or the first and the second IP address/prefix using the security tunnel establishment procedure.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: April 1, 2014
    Assignee: Panasonic Corporation
    Inventors: Jens Bachmann, Kilian Weniger, Takashi Aramaki, Jon Schuringa, Jun Hirano, Shinkichi Ikeda
  • Patent number: 8689317
    Abstract: A method for facilitating surveillance of a targeted user participating in communication sessions conducted over a communications network, such as a voice over Internet protocol (VoIP) network, that employs a session initiation protocol (SIP). The method includes receiving a subscription request from a third party subscriber, the subscription request identifying a targeted user to be monitored, monitoring communication sessions in which the targeted user is a participant, to detect SIP events corresponding to state transitions associated with the communication sessions.
    Type: Grant
    Filed: December 19, 2005
    Date of Patent: April 1, 2014
    Assignee: Level 3 Communications, LLC
    Inventor: John Hearty
  • Patent number: 8689332
    Abstract: An information processing apparatus provided with a first information processing unit and a second information processing unit, wherein the first information processing unit infected by a virus is cleared and normal communication restored quickly without human operation. The virus infection is quickly detected by an external virus management function device through a first communication system, a communication suspension instruction is transferred through a different second communication system having a high security level to the first information processing unit, and communication by the first communication system is disconnected. Further, anti-virus solution information is transferred to the first processing unit through the second communication system, and virus removal in the first processing unit is carried out. Further, after removal, the disconnected communication is restarted.
    Type: Grant
    Filed: September 24, 2010
    Date of Patent: April 1, 2014
    Assignee: Fujitsu Limited
    Inventor: Michito Kakie
  • Patent number: 8689300
    Abstract: A method and system for authenticating the identity of a client device that is calling a remotely located server over a network. A client device inputs information pertaining to a hardware characteristic and a network address thereof into a cryptographic hash function stored on the client device. The hash function computes a unique registration ID hash code and presents it to the system server during a registration process. The system server then generates a digital certificate having a system-side key (i.e., public key). A client-side key (i.e., private key) is provided to the client device. For all future calls to the system server, the client device re-computes its registration ID hash code and then digitally signs it using its client-side key. The system server then uses its system-side key to examine the digitally signed registration ID hash code to authenticate the identity of the client device.
    Type: Grant
    Filed: January 30, 2007
    Date of Patent: April 1, 2014
    Assignee: The Boeing Company
    Inventors: John B. Sims, Jeffrey W. Calog
  • Patent number: 8682970
    Abstract: In a communications network including a plurality of communication channels through which communications are configured to be transmitted between a plurality of network users, a method of managing communications to be transmitted to a particular user from the plurality of communication channels and/or network users, the method including: receiving a communication from a particular communication channel or another network user, the communication intended for transmission to a particular user; determining whether or not to transmit the communication to the particular user, based upon whether or not the communication satisfies one or more predefined characteristics relating to the particular communication channel and/or the other network user; and transmitting the communication to the particular user when the communication satisfies the predefined characteristics.
    Type: Grant
    Filed: December 22, 2009
    Date of Patent: March 25, 2014
    Assignee: Vodafone Intellectual Property Licensing Limited
    Inventor: John Knight
  • Patent number: 8683571
    Abstract: A system and method for authenticating a user in a secure computer system. A client computer transmits a request for a sign-on page, the secure computer system responds by transmitting a prompt for a first user identifier, and the client computer transmits a request including a first identifier, a second identifier stored in an object stored at the client computer and a plurality of request header attributes. A server module authenticates the first and second user identifiers, and compares the transmitted plurality of request header attributes with request header attributes stored at the computer system and associated with the first and second user identifiers. If the first and second user identifiers are authenticated, and if a predetermined number of transmitted request header attributes match stored request header attributes, the server software module transmits a success message, and the user is allowed to access the secure computer system.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: March 25, 2014
    Assignee: Keycorp
    Inventors: Onesimo Zapata, Susan E. Zielinski, Deana M. Flannery
  • Patent number: 8677471
    Abstract: A firewall cluster having three or more firewall processing nodes sharing the same shared IP address. Port numbers are assigned to the firewall processing nodes within the cluster and are used to distinguish between traffic sent to the cluster. Each network connection is assigned a destination port number. Each node receives the network connection and its assigned port number and determines if the assigned destination port number matches one of its assigned port numbers. If so, the node processes the network connection. If the assigned destination port number does not match one of its assigned port numbers, the network connection is discarded.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: March 18, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael J. Karels, Michael James Silbersack
  • Patent number: 8667271
    Abstract: A method and system for resolving addresses of a message including looking up, from a source directory, a group name associated with a message address of the message, looking up through a cache of user names mapped to user addresses, a user address for each of the looked up user names and returning an associated user address, and addressing the message to each looked up user address. Expanding group address by looking up user name in for group from source directory, looking up user address for each user name from user cache, addressing message to looked up user address, and transmitting message to looked up user address.
    Type: Grant
    Filed: May 29, 2009
    Date of Patent: March 4, 2014
    Assignee: Blackberry Limited
    Inventors: Pavel Shkolnikov, Ian Douglas Sangster, Andrew John Mackie
  • Patent number: 8661498
    Abstract: A method and apparatus for detecting preselected data embedded in electronically transmitted messages is described. In one embodiment, the method comprises monitoring messages electronically transmitted over a network for embedded preselected data and performing content searches on the messages to detect the presence of the embedded preselected data using an abstract data structure derived from the preselected data.
    Type: Grant
    Filed: September 18, 2002
    Date of Patent: February 25, 2014
    Assignee: Symantec Corporation
    Inventor: Kevin T. Rowney
  • Patent number: 8661250
    Abstract: Remote activation of covert service channels is provided. A remote host can initiate and establish a connection with a target host without exposing a service channel or communications port to an unauthenticated host. Triggers can be received by and sent to a host and an associated operating system, under direction of a stealth listener. The stealth listener can control and direct an operating system to respond to incoming data packets, but can also open and close ports to enable access to services on a host. Using a variety of transport mechanisms, protocols, and triggers to covertly enable a connection to be established between a service and a remote client, the disclosed techniques also enable reduction of processing and storage resources by reducing the amount of host or client-installed software.
    Type: Grant
    Filed: March 28, 2008
    Date of Patent: February 25, 2014
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Thomas Lofgren, Jeremy Bennett
  • Patent number: 8656492
    Abstract: Systems, methods, and apparatus for network intrusion detection are provided. A device configured to facilitate network intrusion detection may include at least one memory and at least one processor. The at least one memory may be configured to store computer-executable instructions. The at least one processor may be configured to access the at least one memory and execute the computer-executable instructions to (i) identify a communication, the communication comprising one of (a) a communication received by the device or (b) a communication generated by the device; (ii) identify a type associated with the communication; (iii) determine, based at least in part upon the identified type, a list of acceptable content for the communication; (iv) analyze, based at least in part upon the determined list, the content of the communication; and (v) determine, based at least in part upon the analysis, whether the content is acceptable content.
    Type: Grant
    Filed: May 16, 2011
    Date of Patent: February 18, 2014
    Assignee: General Electric Company
    Inventors: John Boot, Matthew Thomson, Bradley Richard Ree
  • Publication number: 20140047232
    Abstract: A scalable access filter that is used together with others like it in a virtual private network to control access by users at clients in the network to information resources provided by servers in the network. Each access filter uses a local copy of an access control data base to determine whether an access request is made by a user. Each user belongs to one or more user groups and each information resource belongs to one or more information sets. Access is permitted or denied according to access policies which define access in terms of the user groups and information sets. The first access filter in the path performs the access check, encrypts and authenticates the request; the other access filters in the path do not repeat the access check. The interface used by applications to determine whether a user has access to an entity is now an SQL entity. The policy server assembles the information needed for the response to the query from various information sources, including sources external to the policy server.
    Type: Application
    Filed: August 14, 2013
    Publication date: February 13, 2014
    Applicant: SonicWALL, Inc.
    Inventors: Clifford Lee Hannel, Anthony May
  • Patent number: 8650643
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: February 11, 2014
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Patent number: 8650648
    Abstract: In embodiments of the present invention improved capabilities are described for detecting restricted content associated with retrieved content. The method and system may include receiving a client request for content, saving contextual information from the client request, presenting retrieved content in response to the client request, and presenting the contextual information from the client request, and retrieved content, to a scanning facility. The scanning facility may utilize the contextual information from the client request to aid in the detection of restricted content associated with retrieved content.
    Type: Grant
    Filed: March 26, 2008
    Date of Patent: February 11, 2014
    Assignee: Sophos Limited
    Inventors: Fraser Howard, Paul Baccas, Vanja Svajcer, Benjamin John Godwood, William James McCourt
  • Patent number: 8640057
    Abstract: A device with a touch-sensitive display may be unlocked via gestures performed on the touch-sensitive display. The device is unlocked if contact with the display corresponds to a predefined gesture for unlocking the device. The device displays one or more unlock images with respect to which the predefined gesture is to be performed in order to unlock the device. The performance of the predefined gesture with respect to the unlock image may include moving the unlock image to a predefined location and/or moving the unlock image along a predefined path. The device may also display visual cues of the predefined gesture on the touch screen to remind a user of the gesture.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: January 28, 2014
    Assignee: Apple Inc.
    Inventors: Imran Chaudhri, Bas Ording, Freddy Allen Anzures, Marcel Van Os, Scott Forstall, Greg Christie
  • Patent number: 8640216
    Abstract: The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third party users from submitting a form on a user's behalf since they cannot guess the value of this unique identifier that was inserted.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: January 28, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Craig Anderson, Anoop Reddy, Yariv Keinan
  • Patent number: 8639920
    Abstract: Embodiments facilitate confidential and secure sharing of anonymous user profile data to improve the delivery of customized content. Embodiments of the invention provide a data appliance to an entity such as a business to convert profile data about the business's customers into anonymous identifiers. A similar data appliance is provided to a content provider in one embodiment to generate identifiers for its user profile data. Because the anonymous identifiers are generated with the same anonymization method, identical identifiers are likely generated from profile data of the same users. Therefore, the identifiers can be used to anonymously match the customers of the business to the users of the content provider. Therefore, data can be shared to improve customized content such as advertisements that the business wishes to place with the content provider without requiring the business to disclose customer data in an unencrypted form, and any non-matched data can remain confidential.
    Type: Grant
    Filed: May 11, 2010
    Date of Patent: January 28, 2014
    Assignee: Experian Marketing Solutions, Inc.
    Inventors: Brian Stack, Andrew Lientz, Simon Chamberlain, Yacine Abdous, Ray Kahn
  • Patent number: 8640236
    Abstract: In certain embodiments, performing a defensive procedure involves receiving at a first speaker of a first autonomous system a path advertisement from a second speaker of a second autonomous system. The path advertisement advertises a path from the second speaker of the second autonomous system. It is determined whether the second autonomous system is a stub autonomous system and whether a path length of the path is greater than one. If the second autonomous system is a stub and the path length is greater than one, a defensive measure is performed for the path. Otherwise, a default procedure is performed for the path.
    Type: Grant
    Filed: June 27, 2011
    Date of Patent: January 28, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Alvaro E. Retana, Burjiz Pithawala, David A. Sacerdote, Keyur Patel, Russell I. White
  • Patent number: 8639295
    Abstract: A method for unlocking a screen, a mobile electronic device using the same and a storage medium thereof are disclosed. First, at least two signal input areas on a touch screen of the mobile electronic device are defined. When an input signal is detected within at least one of the signal input areas, a moving range of a trajectory produced by the input signal is calculated. And the touch screen is unlocked when the moving range reaches the predetermined value. Thus, the present invention provides a user with a more virtual manner to close the screen locking function so as to promote the usage convenience of the mobile electronic device.
    Type: Grant
    Filed: January 12, 2009
    Date of Patent: January 28, 2014
    Assignee: HTC Corporation
    Inventors: Chin-Ying Hsieh, Sih-Jie Gu, Drew Bamford
  • Patent number: 8631234
    Abstract: An apparatus includes a plurality of connection-source terminating units. Each of the plurality of connection-source terminating units constitutes an independent communication path coupled to a corresponding one of a plurality of connection-destination terminating units provided for a connection-destination apparatus. The apparatus establishes encryption information including first information used for encryption processing on communication performed via a plurality of the independent communication paths established between the apparatus and the connection-destination apparatus. The first information is used in common for all the plurality of the independent communication paths when packets are transmitted through the plurality of the independent communication paths established between the communication apparatus and the connection-destination apparatus.
    Type: Grant
    Filed: March 11, 2011
    Date of Patent: January 14, 2014
    Assignee: Fujitsu Limited
    Inventor: Yoshiaki Kukunaga
  • Patent number: 8631484
    Abstract: Systems and methods for inhibiting attacks with a network are provided. In some embodiments, methods for inhibiting attacks by forwarding packets through a plurality of intermediate nodes when being transmitted from a source node to a destination node are provided, the methods comprising: receiving a packet at one of the plurality of intermediate nodes; determining at the selected intermediate node whether the packet has been sent to the correct one of the plurality of intermediate nodes based on a pseudo random function; and forwarding the packet to the destination node, based on the determining. In some embodiments an intermediate node is selected based on a pseudo random function. In some embodiments, systems and methods for establishing access to a multi-path network are provided.
    Type: Grant
    Filed: March 14, 2008
    Date of Patent: January 14, 2014
    Assignee: The Trustees of Columbia University in the City of New York
    Inventors: Angelos Stavrou, Angelos D. Keromytis
  • Patent number: 8631124
    Abstract: A system, method and computer program product are provided for analyzing network traffic associated with network services. Initially, network traffic and metadata are collected from a network. Thereafter, the network traffic is analyzed utilizing the metadata.
    Type: Grant
    Filed: June 27, 2011
    Date of Patent: January 14, 2014
    Assignee: McAfee, Inc.
    Inventors: Brent S Whitmore, William J. La Cholter, Geoff Lawler
  • Patent number: 8626930
    Abstract: Methods and apparatuses to filter multimedia content are described. The multimedia content in one embodiment is analyzed for one or more parameters. The multimedia content in one embodiment is filtered based on the one or more parameters using a latent semantic mapping (“LSM”) filter. In one embodiment, the one or more parameters include information about a structure of the multimedia content. A tag that encapsulates the one or more parameters may be generated. Then, the tag is input into the latent semantic mapping filter. In one embodiment, the LSM filter is trained to recognize the multimedia content based on the one or more parameters. In one embodiment, more than two categories are provided for a multimedia content. The multimedia content is classified in more than two categories using the LSM filter. The multimedia content may be blocked based on the classifying.
    Type: Grant
    Filed: March 15, 2007
    Date of Patent: January 7, 2014
    Assignee: Apple Inc.
    Inventors: Giovanni Donelli, Jerome Bellegarda, Steve Ko, John Scalo
  • Patent number: 8621559
    Abstract: Methods and systems for managing data communications are described. The method includes receiving a data communication; analyzing the data communication to determine a particular type of sender or recipient activity associated with the data communication based at least in part on an application of a plurality of tests to the data communication; assigning a total risk level to the data communication based at least in part on one or more risks associated with the particular type of sender or recipient activity and a tolerance for each of the one or more risks; comparing the total risk level assigned to the data communication with a maximum total acceptable level of risk; and allowing the data communication to be delivered to a recipient in response to the comparison indicating that the total risk level assigned to the data communication does not exceed the maximum total acceptable level of risk.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: December 31, 2013
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Paula Greve, Sven Krasser, Tomo Foote-Lennox
  • Patent number: 8621614
    Abstract: Computer-readable media and computerized methods for governing treatment of digital communications (e.g., emails and instant messages) upon identifying the communications as potentially phishing emails are provided. A service provider is employed to control behavior of an account that is assigned to an intended recipient of the communications. Controlling the behavior of the account is described in the context of a non-web mail server that renders a UI display, which is not dynamically configurable by the service provider. In one solution, controlling behavior alerts a user to the presence of communications identified as potentially phishing by aggregating these communications in a separate folder. In another solution, controlling behavior facilitates protecting the user by replacing the content of the potentially phishing communications with a warning message.
    Type: Grant
    Filed: May 26, 2009
    Date of Patent: December 31, 2013
    Assignee: Microsoft Corporation
    Inventors: Gandhi Vaithilingam, Cheng Ho, Gruia Pitigoi-Aron, Ben Vincent
  • Patent number: 8615654
    Abstract: A method for enabling efficient SSL handshakes through pre-computing of handshake messages, the method includes: receiving, by an appliance, a server certificate identifying a server; generating, by the appliance, at least one of: (i) an SSL server certificate message comprising the received server certificate, (ii) an SSL client certificate request message, and (iii) an SSL hello done message; storing, by the appliance, the generated messages; receiving, by the appliance from a client, an SSL client hello message identifying the server; and transmitting, by the appliance to the client, an SSL server hello message and at least one of the stored messages. Corresponding systems are also described.
    Type: Grant
    Filed: June 26, 2012
    Date of Patent: December 24, 2013
    Assignee: Citrix Systems, Inc.
    Inventors: Tushar Kanekar, Sivaprasad Udupa
  • Patent number: 8607042
    Abstract: An e-mail firewall applies policies to messages between a first site and a plurality of second sites in accordance with administrator selectable policies. The firewall includes an SMTP relay and policy managers to enforce administrator selectable policies, such as encryption and decryption policies, a source/destination policy, a content policy and a first virus policy. Some policies are characterized by administrator selectable criteria, administrator selectable exceptions to the criteria and administrator selectable actions associated with the criteria and exceptions. Policy managers can include an access manager for restricting transmission of messages between the first and second sites in accordance with the source/destination policy, a content manager for restricting transmission of messages between the first and second sites in accordance with the content policy, and a virus manager for restricting transmission of messages between the first and second sites in accordance with the virus policy.
    Type: Grant
    Filed: December 20, 2006
    Date of Patent: December 10, 2013
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8607323
    Abstract: The present invention supports a method for transmitting information packets across network firewalls. A trusted entity is provisioned with an address designation for a pinhole through the firewall during setup of a communication session between two communication devices. This pinhole address is used throughout the communication session between the two communication devices to transmit information packets onto and out of the communication network. Information packets addressed to the communication device inside the firewall are received by the trusted entity, which replaces address header information in the information packet with the address for the pinhole. The information packet is routed to the pinhole where it passes onto the network for routing to the communication device inside the firewall. Information packets transmitted from the network are also routed to the trusted entity for routing toward the communication device outside the firewall.
    Type: Grant
    Filed: April 11, 2012
    Date of Patent: December 10, 2013
    Assignee: Rockstar Consortium US LP
    Inventor: Wei Yuan
  • Patent number: 8595495
    Abstract: A method for secure data communications in fax transmissions and computer network communications comprising a. Allowing the sender to receive confirmation that the receiver received the message without having to rely on the receiver accessing a web site; b. Enabling the sender to prove a message was sent to the intended receiver at the specified time/date; c. Enabling the sender to prove the content of the sent message; d. Enabling the receiver to know that the message originates from the purported sender without need to rely on encryption and digital signatures; e. Preventing the theft of digital signatures based on hardware that contains encryption keys and a surrounding processing in isolation so that malicious software cannot cheat the users by accessing said hardware; f. Preventing forgeries of source addresses of the senders which is applied to the sender's phone number, the sender's email addresses, and/or the sender's IP addresses.
    Type: Grant
    Filed: April 12, 2005
    Date of Patent: November 26, 2013
    Inventor: Yaron Mayer
  • Patent number: 8595817
    Abstract: Techniques for dynamically configuring security mechanisms in a network can construct security perimeters that satisfy security needs at any given time while also efficiently spreading security functions among network elements and systems. In one technique, a network element comprises security function modules. Systems toward which the network element forwards data packets also comprise security function modules. A particular security function module on the network element begins in a state of deactivation. The network element determines whether a corresponding security function module on one of the systems is functioning in a satisfactory manner. If not, then the network element activates the particular security function module. While activated, the particular security function module may perform at least some of the security function operations that the corresponding security function module would have performed if the corresponding security function module was satisfactory.
    Type: Grant
    Filed: August 1, 2006
    Date of Patent: November 26, 2013
    Assignee: Cisco Technology, Inc.
    Inventor: Paul Gleichauf