Including Filtering Based On Content Or Address Patents (Class 713/154)
  • Patent number: 8464330
    Abstract: An agent device is connected with one or more image-forming devices in a local network having a firewall provided therein. A management device carries out remote management of the image-forming devices in the local network through the Internet. The agent device includes a command receiving unit which starts connection with the management device and receives a management command from the management device via the firewall, the command being sent by the management device in response to the connection. An image-forming-device communication unit receives device-state information of a corresponding one of the image-forming devices according to the management command. A command response transmitting unit transmits the device-state information to the management device through the Internet.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: June 11, 2013
    Assignee: Ricoh Company, Ltd.
    Inventor: Tatsuya Imai
  • Patent number: 8458763
    Abstract: A computer-implemented method of enabling security in network resources provisioned as part of a service landscape instance is provided. The method includes initiating an orchestration process for creating a landscape service instance to provide services to a service subscriber over a data communications network. The method further includes deriving from the orchestration process at least one parameter, and generating at least one security configuration profile based upon the at least one parameter for at least one system of the landscape service instance.
    Type: Grant
    Filed: July 1, 2008
    Date of Patent: June 4, 2013
    Assignee: International Business Machines Corporation
    Inventors: Sivaram Gottimukkala, Lap Huynh, Dinakaran Joseph, Michael Law, Linwood Overby, Jr., Wesley Devine, Michael Behrendt, Gerd Breiter
  • Patent number: 8458786
    Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: June 4, 2013
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Jose Raphel, Srikanth Devarajan
  • Patent number: 8458099
    Abstract: A system and method for online content licensing and distribution is provided. A central website is accessible by content providers and content licensees via the Internet, and allows content providers to upload content to the central website. Licenses can be associated with uploaded content, and one or more licensees for the content can be designated. Royalty distributions can be defined and distributed to one or more recipients, and can be expressed as percentages of collected royalties or dollar amounts. An e-mail is automatically transmitted to a designated licensee which allows the licensee to access the uploaded content, pay for the content, and download the content. Collected payments are automatically distributed to one or more recipients in accordance with the royalty distributions. Suggested license fees for uploaded content can be generated and provided to the content provider, and uploaded content can be published to a third-party publication website or service.
    Type: Grant
    Filed: November 21, 2007
    Date of Patent: June 4, 2013
    Assignee: LicenseStream, Inc.
    Inventors: Jeffrey A. Shear, Dmitry Starosta, Iain Scholnick
  • Patent number: 8458467
    Abstract: Application message payload data elements are transformed within a network infrastructure element such as a packet data router or switch. The network element has application message transformation logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting an application message payload from the input application message; identifying one or more first content elements in the application message payload; transforming the first content elements into one or more second content elements of an output application message; and forwarding the output application message to a destination that is identified in the input application message. Transformations performed in the network element can include field reordering, field enrichment, field filtering, and presentation transformation.
    Type: Grant
    Filed: April 5, 2006
    Date of Patent: June 4, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Vinod Dashora, Sandeep Kumar
  • Patent number: 8458454
    Abstract: A conditional access apparatus receives a filter condition from another conditional access apparatus to set the filter condition to a filter unit 1 thereof. When key information meeting the above-mentioned filter condition is outputted from the filter unit 1, the conditional access apparatus informs the key information to the other conditional access apparatus, and also informs the filter condition set to the filter unit 1 by the key information control unit 3 to the other conditional access apparatus and acquires key information meeting the above-mentioned filter condition from the other conditional access apparatus.
    Type: Grant
    Filed: August 24, 2007
    Date of Patent: June 4, 2013
    Assignee: Mitsubishi Electric Corporation
    Inventors: Shu Murayama, Masahiro Abukawa, Nobuyoshi Okumura, Kenji Sakata
  • Patent number: 8458795
    Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.
    Type: Grant
    Filed: April 19, 2008
    Date of Patent: June 4, 2013
    Assignee: Riverbed Technologies, Inc.
    Inventors: Daniel Weber, Prem Gopalan, Massimiliano Antonio Poletto
  • Patent number: 8458784
    Abstract: Methods and systems for firewall/data protection that filters data packets in real time and without packet buffering are disclosed. A data packet filtering hub, which may be implemented as part of a switch or router, receives a packet on one link, reshapes the electrical signal, and transmits it to one or more other links. During this process, a number of filters checks are performed in parallel, resulting in a decision about whether each packet should or should not be invalidated by the time that the last bit is transmitted. To execute this task, the filtering hub performs rules-based filtering on several levels simultaneously, preferably with a programmable logic or other hardware device. Various methods for packet filtering in real time and without buffering with programmable logic are disclosed. The system may include constituent elements of a stateful packet filtering hub, such as microprocessors, controllers, and integrated circuits.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: June 4, 2013
    Assignee: 802 Systems, Inc.
    Inventor: Andrew K. Krumel
  • Patent number: 8453208
    Abstract: A network authentication method, a method for a client to request authentication, a client, and a device are provided.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: May 28, 2013
    Assignee: Chengdu Huawei Symantec Technologies Co., Ltd.
    Inventor: Wu Jiang
  • Patent number: 8448250
Abstract: A method and a system for transmitting confidential and non-confidential data blocks between intake units (1, 1′) and output units (3, 3′) of a communication system. The communication system has intake units (1) for confidential data blocks, intake units (1′) for non-confidential data blocks, output units (3) for confidential data blocks, and output units (3′) for non-confidential data blocks. A data distribution unit (2) transmits data blocks with confidential information from the intake units (1) for confidential information to the output units (3) for confidential information and data blocks with non-confidential information from the intake units (1′) for non-confidential information to the output units (3′) for non-confidential information.
    Type: Grant
    Filed: September 13, 2007
    Date of Patent: May 21, 2013
    Assignee: Frequentis Nachrichtentechnik GmbH
    Inventors: Gerald Mohnl, Rupert Fuchsgruber
  • Patent number: 8443448
    Abstract: A system and method for performing a security check may include using at least one processor to periodically check a status of a flag, generate and store a baseline representation of modules stored on the device where the flag is determined to be set to a first state, and, where the flag is determined to be set to a second state, generate an active representation of modules stored on the first device, compare the active representation of modules to the baseline representation of modules, and, responsive to a determination in the comparing step of a difference between the baseline and active representations of modules, output an alert. The flag status may depend on an association of the device with one of a plurality of authorization policies, each mapped to one of the two states. Results of the comparison may be appended to an activity log of the device.
    Type: Grant
    Filed: August 20, 2009
    Date of Patent: May 14, 2013
    Assignee: Federal Reserve Bank of New York
    Inventors: Danny Brando, Joonho Lee, Jia Ye
  • Publication number: 20130117556
    Abstract: A system and method for the secure storage and transmission of data is provided. A data aggregate device can be configured to receive secure data from a data source, such as a sensor, and encrypt the secure data using a suitable encryption technique, such as a shared private key technique, a public key encryption technique, a Diffie-Hellman key exchange technique, or other suitable encryption technique. The encrypted secure data can be provided from the data aggregate device to different remote devices over a plurality of segregated or isolated data paths. Each of the isolated data paths can include an optoisolator that is configured to provide one-way transmission of the encrypted secure data from the data aggregate device over the isolated data path. External data can be received through a secure data filter which, by validating the external data, allows for key exchange and other various adjustments from an external source.
    Type: Application
    Filed: November 1, 2012
    Publication date: May 9, 2013
    Applicant: SAVANNAH RIVER NUCLEAR SOLUTIONS, LLC
    Inventor: Savannah River Nuclear Solutions, LLC
  • Patent number: 8438642
    Abstract: A method for detecting potential phishing URLs includes extracting a URL from a document, analyzing the URL context, and comparing the URL to stored trusted URLs and stored known phishing URLs. The URL context includes anchor text and surrounding content associated with the URL. The method further includes generating a phishing alert based on the comparing and the analyzing.
    Type: Grant
    Filed: June 5, 2009
    Date of Patent: May 7, 2013
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Junlan Feng, Valerie Torres, Daniel G. Sheleheda
  • Patent number: 8438619
Abstract: A system for controlling access to a network by a user device. The system includes a criteria engine that generates a plurality of criteria to be monitored on the user device and a checker that generates at least one check for each of the plurality of criteria. The system further includes a profiler that retrieves a profile for the user device, the profile including the plurality of criteria and the at least one check for each of the plurality of criteria, a comparator that compares a summary of the retrieved profile to a summary of a profile received from the user device, and a communicator that communicates a message to the user device based on the comparison.
    Type: Grant
    Filed: September 21, 2007
    Date of Patent: May 7, 2013
    Assignee: NetMotion Wireless Holdings, Inc.
    Inventor: Erik Olson
  • Patent number: 8434150
    Abstract: Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.
    Type: Grant
    Filed: March 24, 2011
    Date of Patent: April 30, 2013
    Assignee: Microsoft Corporation
    Inventors: Yinglian Xie, Fang Yu, Martin Abadi, Eliot C. Gillum, Junxian Huang, Zhuoqing Morley Mao, Jason D. Walter, Krishna Vitaldevara
  • Patent number: 8424053
    Abstract: A computer-implemented method is provided for updating network security policy rules when network resources are provisioned in a service landscape instance. The method includes categorizing network resources in a service landscape instance based on a service landscape model. The method further includes responding to the provisioning of a network resource by automatically generating one or more security policy rules for a newly-provisioned network resource. Additionally, the method includes updating security policy rules of pre-existing network resources in the service landscape instance that are determined to be eligible to communicate with the newly-provisioned network resource so as to include the newly-provisioned network resource as a remote resource based on the service landscape model.
    Type: Grant
    Filed: July 1, 2008
    Date of Patent: April 16, 2013
    Assignee: International Business Machines Corporation
    Inventors: Sivaram Gottimukkala, Lap Huynh, Dinakaran Joseph, Linwood Overby, Jr., Wesley Devine, Michael Behrendt, Gerd Breiter
  • Patent number: 8418241
    Abstract: Aspects of a method and system for traffic engineering in an IPSec secured network are provided. In this regard, a node in a network may be authenticated as a trusted third party and that trusted third party may be enabled to acquire security information shared between or among a plurality of network entities. In this manner, the trusted third party may parse, access and operate on IPSec encrypted traffic communicated between or among the plurality of network entities. Shared security information may comprise one or more session keys utilized for encrypting and/or decrypting the IPSec secured traffic. The node may parse IPSec traffic and identify a flow associated with the IPsec traffic. In this manner, the node may generate and/or communicate statistics pertaining to said IPSec secured traffic based on the flow with which the traffic is associated.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: April 9, 2013
    Assignee: Broadcom Corporation
    Inventor: Uri Elzur
  • Patent number: 8413213
    Abstract: Embodiments of the present invention provide a method, apparatus and system for selecting a wireless communication device for establishing a connection. The method according to some exemplary embodiments of the invention may include selecting a communication device for establishing a connection by determining whether one or more security-related characteristics of the communication device satisfy a security policy corresponding to a selected security class. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 28, 2004
    Date of Patent: April 2, 2013
    Assignee: Intel Corporation
    Inventor: Claudio Glickman
  • Publication number: 20130080767
    Abstract: Multiple private advertising systems independently profile users while protecting user privacy and enabling content publishers to limit advertiser access to their content and user information. A client computer supports private profiling modules, each of which is associated with a different advertising network and is adapted to create a user profile based on the content accessed by the user. Content publishers specify profiling restrictions to limit access by private profiling modules to profiling information associated with their content. The profiling restrictions and profiling information may be included in the content or communicated separately to the client computer. Profiling restrictions and profiling information may be expressed in a markup language. Each private profiling module selects information items of interest to the user based on the user profile that it creates.
    Type: Application
    Filed: September 27, 2011
    Publication date: March 28, 2013
    Applicant: Max Planck Gesellschaft zur Foerderung der Wissenschaften
    Inventors: Paul Francis, Bin Cheng
  • Patent number: 8407757
    Abstract: The present invention provides a method and system of specifying and enforcing at least one run-time policy for at least one computer process executing on a computer system, where the computer system includes a computer operating system. In an exemplary embodiment, the method and system include (1) relating the policy with an executable file of the process, (2) associating the policy with a running instance of the process, and (3) enforcing the policy on the running instance.
    Type: Grant
    Filed: January 4, 2008
    Date of Patent: March 26, 2013
    Assignee: International Business Machines Corporation
    Inventors: Jon E. Graham, Anurag Sharma
  • Patent number: 8402538
    Abstract: There is provided a method and system for detecting and responding to harmful traffic. The system includes a router determining whether or not received data is harmful traffic, by using a dynamic flow identification (DFI) function and a deep packet inspection (DPI) function, sending Cflowd information of the received data, and then encapsulating the received data when the received data is determined to be harmful traffic, a policy & resource control entity receiving the Cflowd information from the router, determining whether or not the received data is harmful traffic by using the received Cflowd information, and then sending a result of the determination to the router, and a security management server receiving the encapsulated data from the router, reconfirming whether or not the encapsulated data is harmful traffic, and then processing the encapsulated data.
    Type: Grant
    Filed: November 18, 2009
    Date of Patent: March 19, 2013
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Eun Joo Kim, Soon Seok Lee
  • Patent number: 8397057
    Abstract: In a method and system for increasing security when accessing a business system, a generic hub receives a request having a first transfer protocol from a user to access an application or application data maintained in an application server. In response to the user request, the generic hub verifies the authorization of the user to access the application server. If the user is authorized, a user interface to the application is presented to the user and input data is received from the user interface. The input data is checked for validity based on application-specific metadata and type checks bound to this metadata associated with fields in the user interface, and any extraneous or non-expected data is removed from the input data. The input data and user request of a first transfer protocol are tunneled to the application using a second transfer protocol.
    Type: Grant
    Filed: August 13, 2007
    Date of Patent: March 12, 2013
    Assignee: SAP AG
    Inventors: Ralf Halbedel, Marko Degenkolb
  • Patent number: 8392981
    Abstract: A software firewall that may be simply configured using rules specified for types of network interfaces rather than individual network interfaces. The network types may be specified with type identifiers that have a readily understandable meaning to a user, facilitating ease of configuring the firewall. The network types could include, for example, wired, wireless and remote access. A rule specified based on a network type can be translated to firewall filters for network interfaces of that network type. The translation may be performed automatically and may be updated based on network location awareness information.
    Type: Grant
    Filed: May 9, 2007
    Date of Patent: March 5, 2013
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Gerardo Diaz Cuellar
  • Patent number: 8386777
    Abstract: The invention relates to a method of controlling access to multicast IP flows. Following connection to a collection equipment by a user terminal, the method consists in: transmitting an access authorization request message from said collection equipment to an access control server; and, subsequently, upon successful verification of the user access right, transmitting an access authorization acceptance message comprising at least one multicast filter from the server to the collection equipment or, in the absence of a successful verification, transmitting an access refusal message from the server to the collection equipment in order to inhibit the connection of the user terminal. The invention is suitable for multicast broadcasting over an IP, Internet and/or corporate network.
    Type: Grant
    Filed: February 15, 2006
    Date of Patent: February 26, 2013
    Assignee: France Telecom
    Inventors: Gilles Bourdon, Christian Jacquenet
  • Patent number: 8386772
    Abstract: A method for generating a secure association key (SAK), a method for realizing medium access control security (MACsec) and a network device are provided. The method for generating an SAK includes the following steps. A sending key selection protocol (KSP) instance sends a key selection protocol data unit (KSPDU) to the other KSP instances in the same secure connectivity association (CA). The KSPDU includes a secure connectivity association key identifier (CKI) of the instance and information about a MACsec level that the sending KSP instance belongs to. If the receiving KSP instance and the sending KSP instance belong to the CA with the same MACsec level, an SAK is generated based on the KSPDU. The MACsec of multiple levels in a communication network and the secure MACsec network communication with multiple levels are realized, thus ensuring the confidentiality of the network communication.
    Type: Grant
    Filed: March 5, 2009
    Date of Patent: February 26, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Hongguang Guan
  • Patent number: 8386765
    Abstract: There is described a method for transmitting synchronization messages, for example PTP messages of the IEEE 1588 standard, the PTP message being inserted into a data packet in line with the Internet Protocol, the data packet having an IP header, and the data packet having a UDP header. In this case, for the encrypted transmission on the PTP message, the data packet is addressed to a UDP port that is reserved for encrypted PTP messages, the data packet is provided with an additional S-PTP header that is provided for encryption, the PTP message is extended with a pseudo random number, and the PTP message is encrypted together with the pseudo random number.
    Type: Grant
    Filed: March 24, 2006
    Date of Patent: February 26, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventors: Steffen Fries, Jean Georgiades, Stephan Schüler
  • Patent number: 8380978
    Abstract: The invention relates to an electrical system of a motor vehicle with control apparatuses, which communicate with one another by means of a data bus. To recognize manipulations to the electrical system of a motor vehicle, in particular on the software of the control apparatuses of the electrical system, and to derive suitable measures, it is proposed that a master security module is provided in a first control apparatus and a client security module is provided in each case in a plurality of the further second control apparatuses, and the master security module of the first control apparatus, preferably a central gateway control apparatus, signs a message and sends the signed message to at least one of the second control apparatuses by means of the data bus. The client security module of the second control apparatus checks the signed message received from the master security module as to whether it comes from an authorized master security module.
    Type: Grant
    Filed: December 5, 2008
    Date of Patent: February 19, 2013
    Assignee: Bayerische Motoren Werke Aktiengesellschaft
    Inventors: Burkhard Kuhls, Josef Wagenhuber, Marc Lindlbauer, Hans-Ulrich Breme
  • Patent number: 8375225
Abstract: Data storage devices having one or more data security features are provided according to various embodiments of the present invention. In one embodiment, a data storage device comprises a buffer and a buffer client. The buffer client comprises a scrambler configured to receive a configuration setting and a secret key on a certain event, to configure a scrambling function based on the received configuration setting, and to scramble data with the secret key using the scrambling function, wherein the buffer client is configured to write the scrambled data to the buffer.
    Type: Grant
    Filed: December 11, 2009
    Date of Patent: February 12, 2013
    Assignee: Western Digital Technologies, Inc.
    Inventor: Danny O. Ybarra
  • Patent number: 8375433
    Abstract: The present invention relates to a method for multi-core processor based packet classification on multiple fields. The invention specifically proposes three methods to select partition points, two associated methods to select dimensions, then receiving packet information after the data structure of classification is constructed, and searching the data structure of classification according to packet information to get matched results. The present invention can be implemented on many types of multi-core processor based platforms which ensure favorable performance and adaptive capabilities for different network applications, and significantly reduce the product cost of high-end routers and firewalls.
    Type: Grant
    Filed: January 19, 2010
    Date of Patent: February 12, 2013
    Assignee: Tsinghua University
    Inventors: Qi Yaxuan, Li Jun
  • Patent number: 8365284
    Abstract: The invention relates to a security border node (2a) for protecting a packet-based network from attacks, comprising: an anomaly detection unit (10) for performing an anomaly detection, in particular a statistical analysis, on session control messages (11), in particular on SIP messages contained in a packet stream (5) received in the security border node (2a). The security border node further comprises a message context provisioning unit (13) for providing at least one session control message (11) to the anomaly detection unit (10) together with message context information (12, 17, 24) related to a client (22) and/or to a session (23) to which the session control message (11, 11a to 11f) is attributed. The invention also relates to a method for protecting a packet-based network from attacks, to a computer program product, and to a packet-based network.
    Type: Grant
    Filed: June 1, 2009
    Date of Patent: January 29, 2013
    Assignee: Alcatel Lucent
    Inventor: Stefan Wahl
  • Patent number: 8365270
Abstract: A proxy server for downloading a data file for a client, such as an email client or web browser, including: an external proxy for downloading the data file for the client from an external server over a network, based on profile data associated with the client stored on the proxy server; a memory module for storing the data file; and an internal proxy for transferring the data file to the client when requested by the client. The external proxy operates asynchronously to the internal proxy, and the proxy server operates transparently with respect to the client.
    Type: Grant
    Filed: December 22, 2008
    Date of Patent: January 29, 2013
    Assignee: Network Box Corporation Limited
    Inventor: Mark Crispin Webb-Johnson
  • Patent number: 8363836
Abstract: Techniques are described for the use of a cryptographic token to authorize a firewall to open a pinhole which permits certain network traffic to traverse firewalls. An initiating endpoint requests a token from a call controller, which authorizes a pinhole through the firewall. In response, the call controller may generate a cryptographic authorization token (CAT) sent towards the destination endpoint. The call controller may generate the token based on an authorization ID associated with the call controller, a shared secret known to both the call controller and the firewall, and data specific to the media flow for which authorization is requested.
    Type: Grant
    Filed: January 16, 2009
    Date of Patent: January 29, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Daniel G. Wing, David A. McGrew, Cullen F. Jennings, Eric G. Vyncke
  • Patent number: 8365287
    Abstract: An anti-malware device and an operating method thereof are provided. The operating method includes: filtering by a first logic unit of the processor, input data based on a rule; and scanning by a second logic unit of the processor, for malware in the data, the filtering and the scanning being performed at the same time. Accordingly, the security of the packet data is tightened.
    Type: Grant
    Filed: June 20, 2011
    Date of Patent: January 29, 2013
    Assignee: Samsung SDS Co., Ltd.
    Inventor: InSeon Yoo
  • Patent number: 8359655
    Abstract: Methods for scanning software for the existence of a licensing condition. Software may be uploaded, scanned and compared against known software stored in a datastore. If the uploaded software matches known software in the datastore, a license associated with the known software may be determined. The license may have information associated with it, such as a classification based on risk and obligations. The classification of the license, as well as the obligation information may be returned as a report to a requester that uploaded software to easily identify the risks associated with incorporating the software into a larger code base or project.
    Type: Grant
    Filed: October 1, 2009
    Date of Patent: January 22, 2013
    Inventor: Andrew T. Pham
  • Patent number: 8358583
    Abstract: Controlling packet sessions and QoS in a wireless network is disclosed. An apparatus provides application-specific packet sessions in the wireless network, with application-specific QoS parameters, without requiring the explicit cooperation of an application.
    Type: Grant
    Filed: November 1, 2011
    Date of Patent: January 22, 2013
    Assignee: Intellectual Ventures Holding 81 LLC
    Inventor: Andrew Gordon Williams
  • Patent number: 8356332
    Abstract: A method comprises operations for receiving a binary data structure including a portion representing a protocol validation specification expressed in a respective protocol validation specification language and for receiving a security policy rule having an action part specifying that the binary data structure is to be used for verifying that application protocol payload of network packets complies with the protocol validation specification. After receiving the binary data structure and the security policy rule, an operation is performed for verifying that application protocol payload of received network packets complies with the protocol validation specification. Such verifying is initiated in response to determining that the security policy rule applies to the received network packets and such verifying includes validating the application protocol payload of the received network packets against the binary data structure.
    Type: Grant
    Filed: July 30, 2009
    Date of Patent: January 15, 2013
    Assignee: Alcatel Lucent
    Inventors: Lawrence E. Menten, Alan S. Jeffrey, Thomas B. Reddington
  • Publication number: 20130013915
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to secure communications for multiple hosts in an address translation environment and provide a method, system and computer program product for IPsec SA management for multiple clients sharing a single network address. In one embodiment, a computer implemented method for IPsec SA management for multiple hosts sharing a single network address can include receiving a packet for IPsec processing for a specified client among the multiple clients sharing the single network address. A dynamic SA can be located among multiple dynamic SAs for the specified client using client identifying information exclusive of a 5-tuple produced for the dynamic SA. Finally, IPsec processing can be performed for the packet.
    Type: Application
    Filed: July 12, 2012
    Publication date: January 10, 2013
    Applicant: International Business Machines Corporation
    Inventors: Linwood H. Overby, Jr., Joyce A. Porter, David J. Wierbowski
  • Patent number: 8353024
    Abstract: A method for transmitting information effectively in a server/client network system is provided, the network system including a client placed behind a firewall and a server that provides the client with a predetermined service. The method includes the client generating a hole packet which is for making a hole in the firewall to allow a packet to pass through the firewall from the server, the hole being maintained for a certain period of time, and transmitting the hole packet to the firewall; and transmitting a packet from the server to the client through the hole made by the hole packet.
    Type: Grant
    Filed: October 26, 2007
    Date of Patent: January 8, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Hyok-sung Choi
  • Patent number: 8352729
    Abstract: Disclosed is a computer implemented method and apparatus to secure a routing path. A local node receives a request for secure route identification from an upstream node. Responsive to receiving a request for secure route identification, the local node transmits a local node security level and an authentication key to the upstream node. The local node determines whether at least one downstream node is authentic and has sufficient security level from a second-level downstream node. The local node may then establish a socket to the upstream node.
    Type: Grant
    Filed: July 29, 2008
    Date of Patent: January 8, 2013
    Assignee: International Business Machines Corporation
    Inventors: Robert S. Manning, Linda A. Zimmer, Jos M. Accapadi
  • Patent number: 8353038
    Abstract: A configuration information manager monitors attempts by processes to update non-structured storage of system configuration information, such as plain text files which contain system configuration information. When such an attempt is made, the configuration information manager makes a copy of the target file, and redirects the write operation to this copy. The configuration information manager then analyzes the process that did the writing, as well as the content that was written. If the process and/or the content is deemed to be suspicious, the changes will be logged and discarded, thus protecting the system. Should the changes be deemed legitimate, then the configuration information manager folds them into the real file, typically in an annotated manner, so as to enable subsequent reversion of the changes as desired.
    Type: Grant
    Filed: March 21, 2006
    Date of Patent: January 8, 2013
    Assignee: Symantec Corporation
    Inventor: Mark Kennedy
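    The redirect-analyze-fold-in flow the abstract describes, as an added example that is not the patent's or Symantec's code. The files live in an in-memory dictionary standing in for the filesystem, the "suspicious" rules (a denylist of process names and a hosts-file pattern that points a sensitive hostname somewhere new) are constructed for the example, and the `# cim:change=` annotation format and the class and method names are assumptions.

```python
import difflib
import re

# Constructed heuristics for the example, not the patent's own rules.
SUSPICIOUS_PROCESSES = {"dropper.exe", "unknown_updater"}
# A hosts-style line mapping a bank/login/update hostname to some address.
SUSPICIOUS_CONTENT = re.compile(r"^\s*\d{1,3}(\.\d{1,3}){3}\s+\S*(bank|login|update)\S*", re.I)


class ConfigInfoManager:
    """Mediates writes to plain-text configuration files held in a simulated filesystem."""

    def __init__(self, files):
        self.files = dict(files)      # path -> current contents of the real file
        self.snapshots = {}           # change_id -> (path, contents before that change)
        self.log = []                 # discarded attempts: (path, process, reasons)
        self._next_id = 1

    def attempt_write(self, path, process, new_text):
        """Redirect the write to a copy, analyze process and content, then discard or fold in.
        Returns the change id on success, or None if the change was logged and discarded."""
        original = self.files[path]
        shadow = new_text             # the process's write lands in the copy, never the real file
        diff = list(difflib.ndiff(original.splitlines(), shadow.splitlines()))
        added = [d[2:] for d in diff if d.startswith("+ ")]

        reasons = []
        if process in SUSPICIOUS_PROCESSES:
            reasons.append(f"process {process!r} is not trusted to edit {path}")
        reasons += [f"suspicious line: {ln!r}" for ln in added if SUSPICIOUS_CONTENT.match(ln)]
        if reasons:
            self.log.append((path, process, reasons))
            return None               # real file untouched

        change_id = self._next_id
        self._next_id += 1
        self.snapshots[change_id] = (path, original)
        # Fold the copy into the real file, tagging each new line so the change can be
        # identified later; removed lines simply do not appear in the folded result.
        out = []
        for d in diff:
            if d.startswith("+ "):
                out.append(f"{d[2:]}  # cim:change={change_id} by={process}")
            elif d.startswith("  "):
                out.append(d[2:])
        folded = "\n".join(out)
        self.files[path] = (folded + "\n") if shadow.endswith("\n") else folded
        return change_id

    def revert(self, change_id):
        """Restore the file to its contents before the given change."""
        path, before = self.snapshots.pop(change_id)
        self.files[path] = before


if __name__ == "__main__":
    mgr = ConfigInfoManager({"/etc/hosts": "127.0.0.1 localhost\n"})
    print(mgr.attempt_write("/etc/hosts", "admin_tool",
                            "127.0.0.1 localhost\n192.0.2.7 build.internal\n"))
    print(mgr.attempt_write("/etc/hosts", "dropper.exe", "127.0.0.1 localhost\n"))
    print(mgr.files["/etc/hosts"])
```

Reversion here is whole-file from a snapshot, which is the simplest form of the "annotated manner" the abstract mentions; the per-line tags let an operator see which process introduced which line when reading the real file.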
  • Patent number: 8347395
    Abstract: A method and an apparatus for monitor mirroring in the display of data requiring confidentiality is disclosed, including a computer system, an identification unit that identifies the data requiring confidentiality, and a filter unit that filters the identified data requiring confidentiality, so that only the filtered data and data not requiring confidentiality are shown on the monitor. The screen content of the monitor can thereupon be mirrored onto a further monitor.
    Type: Grant
    Filed: February 27, 2006
    Date of Patent: January 1, 2013
    Assignee: Siemens Aktiengesellschaft
    Inventor: Axel Fischer
  • Patent number: 8347075
    Abstract: The present invention provides methods to mitigate the problems associated with MAC address spoofing and denial of service attacks in an FTTH network system. The MAC address spoofing attack may occur when a computer hacker configures his computer to change the MAC address of a data signal to deceive the receiver of the signal's source address. The denial of service may occur when a computer hacker floods a file server with data packets. The present invention mitigates these attacks by modifying the software of certain components of the FTTH network system to enable the components to insert virtual MAC addresses, tags and codes into the data packets that identify a component of the communication related to the address of the source computer.
    Type: Grant
    Filed: November 1, 2002
    Date of Patent: January 1, 2013
    Assignee: Verizon Laboratories Inc.
    Inventor: Muxiang Zhang
  • Patent number: 8341726
    Abstract: A system and method for controlling the propagation of an email message includes defining at least a first email recipient and a second email recipient of the email message. A first email propagation policy associated with at least the first email recipient is defined, and a second email propagation policy associated with at least the second email recipient is defined. The email message is sent to the first email recipient and to the second email recipient.
    Type: Grant
    Filed: July 23, 2007
    Date of Patent: December 25, 2012
    Assignee: International Business Machines Corporation
    Inventors: Gary Denner, Patrick Joseph O'Sullivan, Ruthie D. Lyle, Carol Sue Zimmet
  • Patent number: 8336087
    Abstract: The present invention relates to a method of authenticating a user in a communication system comprising a user terminal and an authentication server which is capable of storing two types of nonce values, namely dedicated nonce values unique in the system and common nonce values shared between users in the system. In the method the authentication server receives (401) from the user terminal an access request. Then the authentication server uses a predefined criterion for determining the type of a first nonce value to be sent to the user terminal as a response to the access request. In case the predefined criterion is fulfilled, then a dedicated nonce value is sent, otherwise a common nonce value is sent (402). Then the authentication server receives (403) from the user terminal a response comprising a second nonce value and a response code to the first nonce value.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: December 18, 2012
    Assignee: Mitsubishi Electric Corporation
    Inventor: Romain Rollet
  • Patent number: 8336100
    Abstract: A computer-implemented method for using reputation data to detect packed malware may include: 1) identifying a file downloaded from a portal, 2) determining that the file has been packed, 3) obtaining community-based reputation data for the file, 4) determining, by analyzing the reputation data, that instances of the file have been encountered infrequently (or have never been encountered) within the community, and then 5) performing a security operation on the file (by, for example, quarantining or deleting the file).
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: December 18, 2012
    Assignee: Symantec Corporation
    Inventors: Adam Glick, Nicholas Graf, Spencer Smith
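    The five-step decision in this abstract, carried through on constructed input as an added example (not the patent's or Symantec's code). The packing heuristic (a packer marker or a high byte entropy), the prevalence cutoff, the reputation table keyed by SHA-256 and the function names are all assumptions for the example; the sample files and the community counts are constructed.

```python
import hashlib
import math
from collections import Counter

PREVALENCE_THRESHOLD = 5    # fewer community sightings than this counts as "infrequent" (assumed)
ENTROPY_THRESHOLD = 7.0     # bits per byte above which the body is treated as packed (assumed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_packed(data: bytes) -> bool:
    """Step 2 heuristic: a known packer marker in the header, or a high-entropy body."""
    return b"UPX!" in data[:4096] or shannon_entropy(data) >= ENTROPY_THRESHOLD


def decide(data: bytes, from_portal: bool, reputation: dict) -> str:
    """Return the security operation for a file: 'quarantine' or 'allow'."""
    if not from_portal:                     # step 1: only portal downloads are in scope here
        return "allow"
    if not is_packed(data):                 # step 2
        return "allow"
    sightings = reputation.get(sha256_hex(data), 0)   # step 3: community-based reputation
    if sightings < PREVALENCE_THRESHOLD:    # step 4: rarely or never seen in the community
        return "quarantine"                 # step 5: perform the security operation
    return "allow"


# Constructed sample input: a body with all 256 byte values equally frequent (entropy 8.0)
# stands in for a packed binary; repeated DOS-stub text stands in for a plain one.
SAMPLE_PACKED = bytes(range(256)) * 8
SAMPLE_PLAIN = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 50
SAMPLE_REPUTATION = {sha256_hex(SAMPLE_PACKED): 2}       # seen on only two community hosts

if __name__ == "__main__":
    print(decide(SAMPLE_PACKED, True, SAMPLE_REPUTATION))
    print(decide(SAMPLE_PLAIN, True, SAMPLE_REPUTATION))
```

Entropy alone is a weak packing signal (legitimate installers and encrypted resources are high-entropy too), which is exactly why the abstract combines it with prevalence: a packed file that thousands of community hosts already run is treated differently from one nobody has seen.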
  • Patent number: 8332924
    Abstract: A microchip comprising a first internal hardware-based firewall configured to deny access to a first portion of the microchip from a network; a general purpose microprocessor including two general purpose cores or general purpose processing units; at least two dies having been made by a separate fabrication processes and assembled into a package with separate die sections connected directly; and a memory component located inside of a second internal hardware-based firewall that is located between the memory component and one of the cores or processing units with which the memory component is associated. Wherein a first core is located within the first microchip portion protected by the first firewall; a second core is located within a second microchip portion not protected by the first firewall; and the second core is separated from the first core by the first firewall and is located between the first firewall and the network.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: December 11, 2012
    Inventor: Frampton E. Ellis
  • Patent number: 8327432
    Abstract: An example embodiment of the present invention provides processes relating to self-initiated end-to-end monitoring for an authentication gateway. In one particular implementation, the authentication gateway periodically creates and stores a temporary logon for access to a network and then sends a message including the temporary logon over a secure connection to a client. When the client receives the temporary logon, the client responds to the message by attempting to access a configurable network site. The authentication gateway redirects the client to a captive portal which prompts the client for a logon and the client enters the temporary logon at the captive portal. Then upon validating the temporary logon against the stored temporary logon, the authentication gateway authorizes access to the network. If the client successfully accesses the site, the client sends a verification report to the authentication gateway indicating successful access. Otherwise, the client reports on the failed access.
    Type: Grant
    Filed: February 28, 2007
    Date of Patent: December 4, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Pok Wong, Sunil Bhupatrai Mehta
  • Patent number: 8327431
    Abstract: A method for processing packets in a computer undergoing transitioning from a first configuration of a firewall to a second configuration of the firewall is disclosed. Packets arriving in the computer are associated with the first configuration of the firewall existing in the computer, and after a second configuration of the firewall becomes available, the computer starts associating packets arriving in the computer with the second configuration of the firewall, and processing packets associated with the second configuration according to the second configuration of the firewall, while continuing processing the packets associated with the first configuration according to the first configuration of the firewall until all packets associated with the first configuration are processed. Packets are processed by a plurality of firewall processing modules asynchronously. First and second reference counts, counting numbers of packets processed according to respective firewall configuration are conveniently introduced.
    Type: Grant
    Filed: October 28, 2011
    Date of Patent: December 4, 2012
    Assignee: Trend Micro Incorporated
    Inventor: Bart Trojanowski
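    The arrival-time binding and reference counting the abstract describes, as an added example that is not the patent's or Trend Micro's code. The rule format (first-match list of `(action, dst_port)` pairs), the packet representation and the class and method names are assumptions; the point is that a packet keeps the configuration it was bound to on arrival even if the active configuration is swapped before the asynchronous processing completes, and that an old configuration is released only when its count reaches zero.

```python
import threading
from dataclasses import dataclass


@dataclass
class FirewallConfig:
    version: int
    rules: list          # (action, dst_port) pairs, first match wins; port None matches all (assumed)
    in_flight: int = 0   # packets bound to this configuration that are still being processed


class TransitioningFirewall:
    def __init__(self, config):
        self._lock = threading.Lock()
        self._active = config
        self._retired = []   # former configurations that still have packets in flight

    def accept_packet(self, packet):
        """On arrival, bind the packet to the active configuration and count it there."""
        with self._lock:
            cfg = self._active
            cfg.in_flight += 1
        return cfg

    def process(self, packet, cfg):
        """Processing modules run asynchronously; each evaluates the configuration
        bound at arrival, not whatever is active when it eventually runs."""
        verdict = "drop"
        for action, port in cfg.rules:
            if port is None or port == packet["dst_port"]:
                verdict = action
                break
        with self._lock:
            cfg.in_flight -= 1
            self._free_retired()
        return verdict

    def swap(self, new_config):
        """Make a second configuration active; keep the first alive while packets reference it."""
        with self._lock:
            old = self._active
            self._active = new_config
            if old.in_flight > 0:
                self._retired.append(old)
            self._free_retired()

    def _free_retired(self):
        # Must be called with the lock held. A retired configuration whose count has
        # dropped to zero has no remaining packets and can be released.
        self._retired = [c for c in self._retired if c.in_flight > 0]

    def retired_versions(self):
        with self._lock:
            return [c.version for c in self._retired]


if __name__ == "__main__":
    fw = TransitioningFirewall(FirewallConfig(1, [("allow", 80), ("drop", None)]))
    early = {"dst_port": 80}
    bound = fw.accept_packet(early)          # bound to version 1
    fw.swap(FirewallConfig(2, [("allow", 443), ("drop", None)]))
    print("retired:", fw.retired_versions())  # version 1 kept alive for the early packet
    print("early packet:", fw.process(early, bound))
    print("retired:", fw.retired_versions())
```

Without the count, freeing the first configuration at swap time would leave in-flight packets evaluating freed rules; without the arrival-time binding, one packet could be judged partly under each configuration by different modules.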
  • Patent number: 8327135
    Abstract: A software based wireless infrastructure system is provided. The system has a driver that communicates with the network stack and a network interface card (NIC), a station server in communication with the station driver and an 802.1X supplicant or an 802.1X authenticator. Each NIC provides station and/or access point functionality support. The driver drops packets that have been received if the packet has not been authenticated and associated. Packets that have been fragmented or encrypted are unfragmented and decrypted. An association manager is used in conjunction with a configuration table manager to associate stations and access points via management packets. A manager receives 802.1X data packets from the packet processor and sends them up to a station server that communicates with user mode applications and an 802.1X supplicant or an 802.1X authenticator that are used to authenticate and deauthenticate stations and access points. APIs are provided to enable communication between the components.
    Type: Grant
    Filed: January 23, 2007
    Date of Patent: December 4, 2012
    Assignee: Microsoft Corporation
    Inventors: Abhishek Abhishek, Arun Ayyagari, Hui Shen, Krishna Ganugapati, Jiandong Ruan
  • Patent number: 8321661
    Abstract: Methods and apparatus for implementing input data security processing on user input data are disclosed. The user input data is entered on a webpage that contains a destination specification for an intermediary security service and an encrypted destination specification for a receiving module of the application program. The user input data is first sent to the intermediary security service for performing input data security processing on the user input data. If the user input data is deemed acceptable, the user input data is sent to the receiving module by decrypting the encrypted destination specification for the receiving module to obtain the destination specification for the receiving module and transmitting the user data to the receiving module using the destination specification for the receiving module.
    Type: Grant
    Filed: May 30, 2008
    Date of Patent: November 27, 2012
    Assignee: Trend Micro Incorporated
    Inventors: Han-Chang Liang, Kun-Hao Liu