Including Filtering Based On Content Or Address Patents (Class 713/154)
  • Patent number: 8595839
    Abstract: Provided are a computer program product, system, and method for selecting one of a plurality of scanner nodes to perform scan operations for an interface node receiving a file request. A list includes a plurality of scanner nodes in a network and for each scanner node a performance value. One of the scanner nodes in the list is selected based on the performance values of the scanner nodes and the file is transmitted to the selected scanner node to perform a scan operation with respect to the file. Indication is received from the selected scanner node performing the scan operation whether a subset of code in the file matches code in a definition set. The file request is processed to result in execution of the file request based on the indication of whether the subset of code in the file matches a definition in the definition set.
    Type: Grant
    Filed: January 21, 2011
    Date of Patent: November 26, 2013
    Assignee: International Business Machines Corporation
    Inventors: Benjamin L. Andrews, David A. Brettell, Anthony J. Ciaravella, Bruce D. Lucas
  • Patent number: 8595478
    Abstract: A wide area network using the internet as a backbone utilizing specially selected ISX/ISP providers whose routers route packets of said wide area network along private tunnels through the internet comprised of high bandwidth, low hop-count data paths. Firewalls are provided at each end of each private tunnel which recognize IP packets addressed to devices at the other end of the tunnel and encapsulate these packets in other IP packets which have a header which includes as the destination address, the IP address of the untrusted side of the firewall at the other end of the tunnel. The payload sections of these packets are the original IP packets and are encrypted and decrypted at both ends of the private tunnel using the same encryption algorithm using the same key or keys.
    Type: Grant
    Filed: November 19, 2007
    Date of Patent: November 26, 2013
    Assignee: AlterWAN Inc.
    Inventor: Richard D. Haney
  • Patent number: 8595482
    Abstract: A packet filtering system able to streamline the filter conditions for filtering and to handle even IPsec, comprised of (i) a step of storing in a packet to be sent to a receiving side filtering information for use in filtering at the receiving side and sending this from the sending side and (ii) a step of receiving the packet from the sending side, detecting the filtering information stored in the packet, and using this for filtering at the receiving side. Further, this filtering information is comprised of a simple filter key.
    Type: Grant
    Filed: August 18, 2003
    Date of Patent: November 26, 2013
    Assignee: Fujitsu Limited
    Inventor: Naoki Matsuhira
  • Publication number: 20130311767
    Abstract: A method and system are used to transparently create an encrypted communications channel between a client device and a target device. Audio video communications between the client device and the target device are allowed over the encrypted communications channel once the encrypted communications channel is created. The method comprises: (1) receiving from the client device a request for a network address associated with the target device; (2) determining whether the request is requesting access to a device that accepts an encrypted channel connection with the client device; and (3) depending on the determination made in step (2) providing provisioning information required to initiate the creation of the encrypted communications channel between the client device and the target device such that the encrypted communications channel supports secure audio/video communications transmitted between the two devices.
    Type: Application
    Filed: July 25, 2013
    Publication date: November 21, 2013
    Applicant: VIRNETX, INC.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 8590055
    Abstract: A digital content protection apparatus and method for digital rights management (DRM) are provided in which a content file including a plurality of content parts is imported such that a header is included which stores location information required for decoding each of the content parts. Therefore, the number of content parts constituting the content file can be recognized, and a license that is required for the use of each of the content parts can be acquired by analyzing header information without necessitating the parsing of the transport packets of the content file. Accordingly, preparation time for using content can be reduced.
    Type: Grant
    Filed: April 24, 2007
    Date of Patent: November 19, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Young-sun Yoon, Bong-seon Kim
  • Patent number: 8590031
    Abstract: Access control methods include receiving an access authorization message from an authentication server computer at a blocking device that connects a first network to a second network, modifying access criteria of a transparent firewall at the blocking device responsive to the received access authorization message and operating the transparent firewall according to the modified access criteria to control transfer of messages between the first and second networks. The invention may also be implemented as apparatus and computer readable media.
    Type: Grant
    Filed: December 17, 2009
    Date of Patent: November 19, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Anthony B. Dargis
  • Patent number: 8590034
    Abstract: A system (101) for implementing redaction rules in compliance with an organization's privacy policy, where the system intercepts messages between an information source (103) and an information destination (102), modifies the message contents based on redaction rules (106) and forwards the redacted contents over to the client. The system also maintains a record of the redacted information and updates the contents of any message submitted by the client (102) in order to maintain database integrity.
    Type: Grant
    Filed: September 21, 2009
    Date of Patent: November 19, 2013
    Inventors: Basit Hussain, Saeed Rajput
  • Patent number: 8583787
    Abstract: Disclosed are systems and methods for detecting unwanted electronic message transmissions on a communications network. These include establishing a database for storing metadata associated with message traffic according to at least the source addresses of the senders of electronic message transmissions. The disclosed principles also include monitoring electronic message transmissions at the certain location on the electronic communications network. Also, included is populating the database with metadata derived from analysis of the monitored electronic messages, where the metadata includes metadata derived by analyzing the contents of the monitored electronic messages.
    Type: Grant
    Filed: February 7, 2011
    Date of Patent: November 12, 2013
    Assignee: Google Inc.
    Inventors: Scott M. Petry, Shinya Akamine, Peter K. Lund, Fred Cox, Michael J. Oswall
  • Patent number: 8578499
    Abstract: A script-based scan engine is embedded in a webpage requested by a client computer from a web server. The script-based scan engine may be embedded in the webpage by injecting the script-based scan engine in a header of the webpage in a computer security device between the client computer and the web server, or by integrating the script-based scan engine in the webpage as a library. The script-based scan engine executes in the client computer when the webpage is received by the client computer. The script-based scan engine scans the webpage for web threats, which may include malicious codes, exploits, and phishing, for example. The webpage is allowed to be rendered by a web browser in the client computer when the webpage is deemed safe by the script-based scan engine.
    Type: Grant
    Filed: October 24, 2011
    Date of Patent: November 5, 2013
    Assignee: Trend Micro Incorporated
    Inventors: Joey Zhu, Jialai Zhu, Kan Dong, Xiaodong Huang
  • Patent number: 8578468
    Abstract: A method of client authentication that includes receiving an Internet protocol source address of a client packet and determining a packet origination, a network connection point, and a network path of the client packet. The method further includes comparing the determined packet origination with at least one packet origination associated with the client, comparing the determined network connection point with at least one network connection point associated with the client, and assessing a compatibility between the determined network path and at least one of the determined packet origination or the determined network connection point. The method includes signaling execution of client authentication challenges when either of the two comparisons fails and/or the determined network path is incompatible with at least one of the determined packet origination or the determined network connection point.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: November 5, 2013
    Inventor: Navindra Yadav
  • Patent number: 8572366
    Abstract: This disclosure provides a system and method for client authentication that allows a service provider to implement multiple authentication challenges to verify a user/client. The system includes an extractor, a comparer, and an attributer. The extractor receives an Internet protocol source address from a client and extracts a media access control address. The extractor also determines a source identifier of the client from the media access control address. The comparer compares the extracted media access control address with a client media access control address associated with the client, and signals execution of one or more client authentication challenges when the extracted media access control address fails to match the at least one client media access control address associated with the client. The attributer associates the source identifier with the client after successful execution of a client authentication challenge.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: October 29, 2013
    Inventor: Navindra Yadav
  • Patent number: 8572718
    Abstract: Method, device, and computer program product are provided for differentiated treatment of incoming and outgoing emails based on a network server. A server receives a query from a gateway, and the query includes information about an email received by the gateway. The server obtains rules for processing the email of the query. The server determines an identity for the email based on the rules for processing the email. The server transmits the identity to the gateway to cause the gateway to send the email having the identity to a post office server. The email having the identity is configured to cause the post office server to process the email based on the identity.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: October 29, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Steven A. Siegel, Karen Mullis
  • Patent number: 8561166
    Abstract: Community based defense, in which multiple security devices operate as a part of a single community in providing security defense i.e. avoiding redundant security checks and enables efficient deployment and utilization of resources. The devices in a community communicate with each other to determine their roles and the security policies to enforce, based on the specific role they have undertaken. Thus primary player may operate with a larger set of security policies. However, the secondary players (operating on smaller policy sets) may periodically check the operational status of the primary player and assumes the role of primary, if needed. Later, it may gracefully relinquish the temporary role back to former primary, once the primary is up and operational.
    Type: Grant
    Filed: January 7, 2007
    Date of Patent: October 15, 2013
    Assignee: Alcatel Lucent
    Inventors: Seenu Banda, Ankur Prakash
  • Patent number: 8560835
    Abstract: According to a first aspect of the present invention there is provided a method of at least partly delegating processing of data in a machine-to-machine system to reduce computational load on a broker entity 11 while maintaining security of the data to be processed, the broker entity 11 serving as a link between a node 13 of a sensor network providing the data and an application node 12 requesting the data. In the method, at the broker entity 11, following receipt of a request for processed data from the application node 12, determining the node to provide the data to be processed, generating a data key for the data-providing node 13, generating a data-processing algorithm for processing the data in dependence upon the request, sending the data key to the data-providing node 13, and sending the data key and data-processing algorithm to a remote data-processing entity 15. At the data-providing node 13, encrypting the data using the data key and sending the encrypted data to the data-processing entity 15.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: October 15, 2013
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Mattias Johansson, Yi Cheng, Vincent Huang
  • Patent number: 8561167
    Abstract: Methods and systems for operation upon one or more data processors for assigning reputation to web-based entities based upon previously collected data.
    Type: Grant
    Filed: January 24, 2007
    Date of Patent: October 15, 2013
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Tomo Foote-Lennox, Paula Greve, Paul Judge, Sven Krasser, Tim Lange, Phyllis Adele Schneck, Martin Stecher, Yuchun Tang, Jonathan Alexander Zdziarski
  • Patent number: 8561127
    Abstract: Classification of security sensitive information and application of customizable security policies are described, including classifying information as security sensitive information at an application level, the security sensitive information being associated with a security sensitive category, determining a security policy for the security sensitive information, the security policy being configured to secure the security sensitive information, and applying the security policy to the security sensitive information at the application level, the policy being based on the security sensitive category.
    Type: Grant
    Filed: March 1, 2006
    Date of Patent: October 15, 2013
    Assignee: Adobe Systems Incorporated
    Inventors: Sunil Agrawal, Vivek Hebbar
  • Patent number: 8555368
    Abstract: An embodiment may include network controller circuitry to be comprised in a host computer that includes a host processor to execute an operating system environment. The circuitry may be coupled to the processor, receive at least one packet via a network, store at least one firewall filter parameter set, and execute, based at least in part upon the parameter set and packet, at least one firewall filter action involving, at least in part, the packet. The action may implement, at least in part, at least one firewall rule supplied by a firewall application to an interface of a driver associated with the circuitry. The application may be executed, at least in part, in the environment. The circuitry may generate and store the parameter set based at least in part upon at least one command from the driver. The command may be based at least in part upon the rule.
    Type: Grant
    Filed: December 9, 2009
    Date of Patent: October 8, 2013
    Assignee: Intel Corporation
    Inventors: Peter P. Waskiewicz, Patrick Connor
  • Patent number: 8555370
    Abstract: A microchip for a computer configured to connect to at least one network of computers. The microchip includes at least a first internal hardware firewall configured to deny access to at least a first protected portion of said microchip from said network, and at least one general purpose microprocessor including at least two general purpose core or general purpose processing units. At least a first core or processing unit is located within the first protected portion of the microchip. At least a second core or processing unit is located within a second portion of the microchip that is not protected by at least said first internal hardware firewall. At least the second core or processing unit is separated from the first core or processing unit by at least the first internal hardware firewall and is located between at least the first internal hardware firewall and the at least one network.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: October 8, 2013
    Inventor: Frampton E Ellis
  • Patent number: 8555365
    Abstract: Enabling web filtering by authenticated group membership, role, or user identity is provided by embedding a uniform resource identifier into an electronic document requested by a client. A client browser will provide directory credentials to a trusted web filter apparatus enabling a policy controlled access to resources external to the trusted network. An apparatus comprises circuits for transmitting a uniform resource identifier to a client, receiving a request comprising authentication credentials, querying a policy database and determining a customized policy for access to an externally sourced electronic document or application. A computer-implemented technique to simplify web filter administrator tasks by removing a need to set each browser's settings or install additional software on each user terminal.
    Type: Grant
    Filed: May 21, 2010
    Date of Patent: October 8, 2013
    Assignee: Barracuda Networks, Inc.
    Inventor: Fleming Shi
  • Patent number: 8555381
    Abstract: A system includes a computing cloud comprising at least one data storage unit and at least one processing unit. The computing cloud is configured to connect to at least one client and monitor the traffic of the at least one client. The computing cloud is further configured to determine an operational mode of the client, compare the monitored traffic with an anticipated traffic pattern associated with the operational mode, and determine if a security threat is indicated based on the comparison.
    Type: Grant
    Filed: April 1, 2009
    Date of Patent: October 8, 2013
    Assignee: Honeywell International Inc.
    Inventors: Paul F. McLaughlin, Kevin P. Staggs
  • Patent number: 8549608
    Abstract: An implement method and device of a terminal call firewall is disclosed. According to the method, a call number is added into a blacklist list when it is determined that the call number is not in the blacklist list stored and an address list and it is determined that a call duration is less than a set call duration threshold. A device is disclosed for automatically blocking incoming calls to the terminal according to the method.
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: October 1, 2013
    Assignee: ZTE Corporation
    Inventor: Huaqiang Wu
  • Patent number: 8549610
    Abstract: Data traffic is routed from a customer edge (CE) router to an Ethernet services router via a generic routing encapsulation (GRE) tunnel. Upon routing the data traffic from the CE router to the Ethernet services router, the data traffic is routed from the Ethernet services router to an aggregation switch. Upon routing the data traffic from the Ethernet services router to the aggregation switch, the data traffic is routed from the aggregation switch to a service switch through a security module, the security module configured to filter the data traffic. The filtered data traffic is routed from the service switch to the Ethernet services router. Upon routing the filtered data traffic from the service switch to the Ethernet services router, the filtered data traffic is routed from the Ethernet services router to a provider edge (PE) router.
    Type: Grant
    Filed: December 11, 2009
    Date of Patent: October 1, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Christopher O'Brien, Joseph Blanda, Jr., William Rehrmann, Markus Weber
  • Patent number: 8549609
    Abstract: A host rule mapping module in a firewall server may receive an update notification from a name server. The update notification may indicate a change to an address associated with a host name of a host machine. In response to receiving the update notification, the host rule mapping module may request a record corresponding to the host name identified in the update notification. The host rule mapping module may receive a contents of the record in response to the request from the name server, and update a firewall rule corresponding to the address identified in the update notification to include the contents of the record.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: October 1, 2013
    Assignee: Red Hat, Inc.
    Inventors: Neil R. T. Horman, Eric L. Paris
  • Patent number: 8544080
    Abstract: An apparatus for establishing a virtual private network with an internet protocol multimedia subsystem (IMS) device that includes a key derivation module, a tunneling protocol module, a tunnel management module, and a security policies module. The apparatus includes a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a session with the IMS address to which the host address is mapped. The session is initiated by a message that includes a body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint (e.g.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: September 24, 2013
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Jesus Javier Arauz Rosado
  • Patent number: 8544081
    Abstract: The present invention provides a star-connected network (C1-C4, P1-P8) having a number of peripheral nodes (P1-P8) and a central control arrangement (C1-C4). Each peripheral node has means for restricting communications across the network to the central control arrangement using a respective encrypted connection unless the peripheral node has received explicit authorisation from the control arrangement to set up a direct connection with another peripheral node.
    Type: Grant
    Filed: November 20, 2007
    Date of Patent: September 24, 2013
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Liwen He, Bryan Littlefair, Thomas Martin, Dinesh Kallath, Christopher Rutherford
  • Patent number: 8544090
    Abstract: A computer-implemented method to detect a potentially malicious uniform resource locator (URL) is described. A presentation of a URL on a display of a computing device is detected. An actual URL associated with the URL presented on the display is obtained. The URL presented on the display is compared to the actual URL associated with the presented URL. If the URL presented on the display does not match the actual URL, the actual URL is prevented from being accessed.
    Type: Grant
    Filed: January 21, 2011
    Date of Patent: September 24, 2013
    Assignee: Symantec Corporation
    Inventor: Joseph Huaning Chen
  • Publication number: 20130238892
    Abstract: A network security system comprises a first component that generates an address for identifying a communicating device on a network. A second component receives the address generated by the first component and facilitates transitioning from an existent address to the generated address. Such transitioning is effectuated in order to protect the network against attack while providing seamless communications with respect to the communicating device.
    Type: Application
    Filed: April 22, 2013
    Publication date: September 12, 2013
    Applicant: Rockwell Automation Technologies, Inc.
    Inventors: Mark B. Anderson, David D. Brandt, Ramdas M. Pai, Taryl J. Jasper
  • Patent number: 8533831
    Abstract: A computer-implemented method for alternating malware classifiers in an attempt to frustrate brute-force malware testing may include (1) providing a group of heuristic-based classifiers for detecting malware, wherein each classifier within the group differs from all other classifiers within the group but has an accuracy rate that is substantially similar to all other classifiers within the group, (2) including the group of classifiers within a security-software product, and (3) alternating the security-software product's use of the classifiers within the group in an attempt to frustrate brute-force malware testing by (a) randomly selecting and activating an initial classifier from within the group and then, upon completion of a select interval, (b) replacing the initial classifier with an additional classifier randomly selected from within the group. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 2, 2010
    Date of Patent: September 10, 2013
    Assignee: Symantec Corporation
    Inventor: Sourabh Satish
  • Patent number: 8533459
    Abstract: According to one embodiment, a conditional access (CA) control system comprises circuitry that is adapted to: (i) transmit information including a unique identifier assigned to a digital device and mating key generator values to the remote source, (ii) receive a mating key from the remote source, the mating key being based on the transmitted unique identifier and mating key generator values, the mating key being used to encrypt data used for scrambling either additional key information or program data prior to transmission to the digital device, and (iii) transmit the mating key generator values and the encrypted data to the digital device, the mating key generator values are used to regenerate the mating key in the digital device.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: September 10, 2013
    Assignees: Sony Corporation, Sony Electronics Inc.
    Inventor: Brant L. Candelore
  • Patent number: 8527903
    Abstract: A device with a touch-sensitive display may be unlocked via gestures performed on the touch-sensitive display. The device is unlocked if contact with the display corresponds to a predefined gesture for unlocking the device. The device displays one or more unlock images with respect to which the predefined gesture is to be performed in order to unlock the device. The performance of the predefined gesture with respect to the unlock image may include moving the unlock image to a predefined location and/or moving the unlock image along a predefined path. The device may also display visual cues of the predefined gesture on the touch screen to remind a user of the gesture.
    Type: Grant
    Filed: March 6, 2013
    Date of Patent: September 3, 2013
    Assignee: Apple Inc.
    Inventors: Imran Chaudhri, Bas Ording, Freddy Allen Anzures, Marcel van Os, Scott Forstall, Greg Christie
  • Patent number: 8515069
    Abstract: A method and an apparatus for encrypting/decrypting packet data of a precise time synchronization protocol and a time synchronization system are illustrated. The method is suitable for the time synchronization system using a precise time protocol. The time synchronization system includes a master node and a slave node, wherein the slave node synchronizes its time with the master node. In the method for encrypting/decrypting packet data of the precise time synchronization protocol, an encryption/decryption hardware device is disposed on the hardware protocol layer of each of the master node and the slave node. The hardware protocol layer is under the data link layer, and includes the data link layer. A synchronization message is encrypted by using the encryption/decryption hardware devices of the master node to generate a frame data, and the frame data is decrypted by using the encryption/decryption hardware devices of the slave node to obtain the synchronization message.
    Type: Grant
    Filed: March 17, 2009
    Date of Patent: August 20, 2013
    Assignee: Industrial Technology Research Institute
    Inventors: Lung-Chih Kuo, Han-Chiang Chen, Zhong-Zhen Wu
  • Patent number: 8516602
    Abstract: An apparatus may include a processor configured to generate an access rights filter based upon a set of access rights settings. The processor may be further configured to generate an authorization key accepted by the generated access rights filter. The processor may be additionally configured to distribute one or more of the access rights filter and authorization key to an access rights management entity.
    Type: Grant
    Filed: April 25, 2008
    Date of Patent: August 20, 2013
    Assignee: Nokia Corporation
    Inventor: Ari Vepsalainen
  • Patent number: 8516581
    Abstract: A phishing processing method includes the following: an information input web page comprising an information input interface, through which information is transmitted to an information receiving address, is received. It is determined whether the information input web page is a phishing web page. If it is determined that the information input web page is the phishing web page, fake input information is transmitted to the information receiving address. When information for verification is received from an information transmitting address, it is determined whether the received information for verification is the fake input information. If the received information for verification is the fake input information, it is determined that the information transmitting address is a malicious address.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: August 20, 2013
    Assignee: Institute for Information Industry
    Inventors: Fu-Hau Hsu, Shih-Jen Chen, Chien-Ting Kuo, Jain-Shing Wu, Chuan-Sheng Wang
  • Patent number: 8510833
    Abstract: One embodiment relates to a method of connection-rate filtering by a network device. Address resolution protocol (ARP) request packets received from a sub-network are monitored, and a copy of the received ARP request packets are sent to an agent program. The agent program determines a rate of ARP request packets sent by a host in the sub-network. Other embodiments are also disclosed.
    Type: Grant
    Filed: October 27, 2005
    Date of Patent: August 13, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Shaun K. Wakumoto, Frank A. Reichstein
  • Patent number: 8504830
    Abstract: Erroneous deletion of data due to a collision of digest information during data de-duplication using digest information is prevented. When backup data is stored on a backup server 1100, digest information of the backup data is generated and stored in a digest information management table 4200. In addition, when a backup data storage request is made to the backup server 1100, a digest information verification control sub-program 1127 generates digest information of data to be backed up, and performs verification against the digest information of the backed up data already stored on the backup server 1100. If, by this verification, it is found that backed up data having the same digest information is already stored, de-duplication is realized by reusing the existing backed up data without newly storing the data to be backed up.
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: August 6, 2013
    Assignee: Hitachi Solutions, Ltd.
    Inventors: Yohsuke Ishii, Takaki Nakamura, Atsuya Kumagai, Kazuyoshi Toyama
  • Patent number: 8499348
    Abstract: Disclosed are various embodiments for detecting and responding to attacks on a computer network. One embodiment of such a method describes monitoring data communications transmitted to a target class of first computing nodes; in response to detecting a non-legitimate data communication to a computing node in the target class, determining whether the non-legitimate data communication is a form of attack on a network to which the computing nodes are connected; and in response to determining that the network is under attack, implementing new security measures for second computing nodes that are not part of the target class to protect the second computing nodes against the attack on the network while the attack is ongoing.
    Type: Grant
    Filed: December 28, 2010
    Date of Patent: July 30, 2013
    Assignee: Amazon Technologies, Inc.
    Inventor: Gregory A. Rubin
  • Patent number: 8495734
    Abstract: The present disclosure relates to a method for executing, by a processor, a program read in a program memory, comprising steps of: detecting a program memory read address jump; providing prior to a jump address instruction for jumping a program memory read address, an instruction for storing the presence of the jump address instruction; and activating an error signal if an address jump has been detected and if the presence of a jump address instruction has not been stored. The present disclosure also relates to securing integrated circuits.
    Type: Grant
    Filed: June 16, 2009
    Date of Patent: July 23, 2013
    Assignee: STMicroelectronics SA
    Inventors: Frederic Bancel, Nicolas Berard, David Hely
  • Patent number: 8495367
    Abstract: In a data level security environment, the data level security mechanism operates on plaintext data. Data level security operations identify a point in the information stream where plaintext data is available for interception. Typically this is a point in the processing stream just after the native DBMS decryption functionality has been invoked. A database monitor intercepts and scrutinizes data in transit between an application and a database by identifying a transition point between the encrypted and plaintext data where the cryptographic operations are invoked, and transfers control of the data in transit to a database monitor application subsequent to the availability of the data in plaintext form.
    Type: Grant
    Filed: February 22, 2007
    Date of Patent: July 23, 2013
    Assignee: International Business Machines Corporation
    Inventor: Ron Ben-Natan
  • Patent number: 8490172
    Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
    Type: Grant
    Filed: May 25, 2011
    Date of Patent: July 16, 2013
    Assignee: Genband US LLC
    Inventors: Allain Legacy, Matthew Peters
  • Patent number: 8484372
    Abstract: A firewall coordinates with devices in a network to create a distributed filtering system. The firewall detects an attack in the network, such as a distributed denial of service attack, and creates attack information defining characteristics of malicious packets used in the attack. The attack information is forwarded to the devices in the network. The devices use the attack information to configure themselves to detect packets having the characteristics of the malicious packets. After configuration, the devices detect and discard malicious packets.
    Type: Grant
    Filed: November 25, 2008
    Date of Patent: July 9, 2013
    Assignee: Juniper Networks, Inc.
    Inventor: Ross W Callon
  • Patent number: 8477796
    Abstract: A system, method, and computer program product are provided for processing different content each stored in one of a plurality of queues. In use, a plurality of different content is identified for processing. Additionally, each of the different content is stored in one of a plurality of queues based on a classification thereof. Furthermore, the plurality of different content stored in the plurality of queues is processed.
    Type: Grant
    Filed: February 12, 2008
    Date of Patent: July 2, 2013
    Assignee: McAfee, Inc.
    Inventors: Ravi Honnavalli Ramachandra Rao, Arun Rajaraman, Harish Balasubramanian
  • Patent number: 8477792
    Abstract: For an Internet Access Gateway operative between an area network and a public network, managing dynamic network sessions therebetween whereby a primary server on the public network in a primary session with a client of the area network initiates an additional session with an additional server on the public network, for which an unexpected data packet received at the gateway from the additional server is associated with the primary session, and accordingly allowed access to the area network through the gateway, provided the gateway received the data packet at an input port exceeding 1023, the additional session comprises a pre-defined Session Triggering Event, and at least one internal network component of the area network indicates willingness to receive the data packet. Wherefore, a preferred Application Level Gateway is thereby provided for firewall and NAT implementations to enhance network security.
    Type: Grant
    Filed: May 6, 2008
    Date of Patent: July 2, 2013
    Assignee: Cisco Technology, Inc.
    Inventor: Xuechen Yang
  • Patent number: 8478981
    Abstract: A system and method providing for appending of a note or instruction to the contents of an email such that the note or instruction is only appended to emails of selected recipients of a group of recipients, with only the email going to the other recipients of the group of recipients is provided.
    Type: Grant
    Filed: February 27, 2009
    Date of Patent: July 2, 2013
    Assignee: Rpost International Limited
    Inventors: Zafar Khan, Terrance Tomkow
  • Patent number: 8479277
    Abstract: An information processing apparatus includes: a connecting section; an information storage; a request accepting section; a searching section; a setting information storage; a determining section; and a process executing section.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: July 2, 2013
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Yoshiyuki Yoda, Masaki Kurokawa, Eiji Shimoichi, Yuriko Inakawa, Eiji Nishi, Noriyuki Tatsuma, Akira Okamoto, Takanari Ishimura, Akihide Oshima, Atsuhiro Itoh, Fumio Harada
  • Patent number: 8477753
    Abstract: The present invention provides a LAN device 20 having an internal function of controlling communication. A management representative of the LAN device 20 sets a protocol applicable for communication with regard to each of MAC addresses or IP addresses allocated to transmitter terminals and each of IP addresses allocated to receiver terminals. The LAN device transmits data in the case of the protocol applicable for communication, while not transmitting data in the case of any protocol inapplicable for communication.
    Type: Grant
    Filed: February 23, 2012
    Date of Patent: July 2, 2013
    Assignee: Buffalo Inc.
    Inventor: Takashi Ishidoshiro
  • Patent number: 8473743
    Abstract: Methods and apparatuses that enroll a wireless device into an enterprise service with a management server addressed in a management profile are described. The enrollment may grant a control of configurations of the wireless device to the management server via the management profile. In response to receiving a notification from the management server, a trust of the notification may be verified against the management profile. If the trust is verified, a network session may be established with the management server. The network session may be secured via a certificate in the management profile. Management operations may be performed for management commands received over the secure network session to manage the configurations transparently to a user of the wireless device according to the control.
    Type: Grant
    Filed: April 7, 2010
    Date of Patent: June 25, 2013
    Assignee: Apple Inc.
    Inventors: Gordie Freedman, David Rahardja
  • Patent number: 8474033
    Abstract: A computer or microchip configured to be securely controlled through a secure control bus, including through a private network. The computer or microchip includes a secure private unit protected by an inner hardware-based access barrier or firewall; an unprotected public unit including at least one network connection configured to connect to a network; a separate private network connection located in the secure private unit; a microprocessor, core or processing unit configured for general purposes located in the unprotected public unit and separate from the access barrier or firewall; a secure control bus isolated from input from both the network and components of the unprotected public unit; and a master controlling device in the private unit being configured for securely controlling an operation executed by the microprocessor, core or processing unit via a connection to the secure control bus, including through the separate private network to the separate private network connection.
    Type: Grant
    Filed: July 23, 2012
    Date of Patent: June 25, 2013
    Inventor: Frampton E. Ellis
  • Patent number: 8464335
    Abstract: The present disclosure provides distributed, multi-tenant Virtual Private Network (VPN) cloud systems and methods for mobile security and user based policy enforcement. In an exemplary embodiment, plural mobile devices are configured to connect to one or more enforcement or processing nodes over VPN connections. The enforcement or processing nodes are configured to perform content filtering, policy enforcement, and the like on some or all of the traffic from the mobile devices. The present invention is described as multi-tenant as it can connect to plural clients across different companies with different policies in a single distributed system. Advantageously, the present invention allows smartphone and tablet users to protect themselves from mobile malware, without requiring a security application on the device. It allows administrators to seamlessly enforce policy for a user regardless of the device or network they are connecting to, as well as get granular visibility into the user's network behavior.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: June 11, 2013
    Assignee: Zscaler, Inc.
    Inventors: Amit Sinha, Srikanth Devarajan, Patrick Foxhoven
  • Patent number: 8464044
    Abstract: A wireless network probe method intercepts a data packet sent from a certain station, which has established communication with an access point (AP) connected to a wireless network before a service set identifier (SSID) of the wireless network has been closed. The method further amends data in the data packet to generate two attacked data packets, transmits the two attacked data packets using a media control access (MAC) address of the certain station, to interrupt the communication between the AP and the certain station. Furthermore, the method intercepts a re-association data packet sent to the AP from the certain station, retrieves the SSID from the re-association data packet, and stores the SSID into a second station, so as to connect the second station to the wireless network.
    Type: Grant
    Filed: January 13, 2010
    Date of Patent: June 11, 2013
    Assignee: Hon Hai Precision Industry Co., Ltd.
    Inventor: Cheng-Wen Tang
  • Patent number: 8464329
    Abstract: A security device for SIP communications operates to inhibit the effect of malicious attacks and/or inadvertent erroneous events on the provision of SIP-based services within a private network and between private and public networks. The security device acts as a conventional Firewall, NAT and PAT to isolate SIP User Agents on the private network from SIP User Agents on the public network and to Blacklist undesired callers. Also, the security device preferably includes a virus scanner to scan attachments to sessions and/or other communications to identify and block virus contaminated data and the security device includes a hardened SIP stack to scan for and detect malformed SIP messages to prevent malicious attacks and/or inadvertent erroneous messages from adversely impacting the operation of SIP services.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: June 11, 2013
    Assignee: Watchguard Technologies, Inc.
    Inventor: Richard Melvin Fogel