Including Filtering Based On Content Or Address Patents (Class 713/154)
  • Patent number: 8316446
    Abstract: Methods and systems for blocking unwanted software downloads within a network. Such methods may thereby prevent (i) downloads of spyware from one or more identified locations, and/or (ii) certain outbound communications from the network and/or may also permit software downloads only from specified locations. In general, the policies are defined by rules specified by a network administrator or other user.
    Type: Grant
    Filed: April 22, 2005
    Date of Patent: November 20, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Alexander Wade Campbell, Lee Thomas Dolsen, Vilis Ositis, Cameron Charles Smith
  • Patent number: 8316429
    Abstract: A host computer system is categorized according to uniform resource locator (URL) information extracted from a digital certificate purportedly associated with said host. Thereafter, a secure communication session (e.g., an SSL session) with said host may be granted or denied according to results of the categorizing. If granted, messages associated with the secure session may be tunneled through a proxy without decryption, or, in some cases, even though the secure communication session was authorized messages may be decrypted at the proxy.
    Type: Grant
    Filed: January 31, 2006
    Date of Patent: November 20, 2012
    Assignee: Blue Coat Systems, Inc.
    Inventors: Darrell Long, Lee Dolsen, Doug Moen
  • Patent number: 8312549
    Abstract: The following subject matter provides a computer-implemented method and system for calculation of cost-effectiveness of countermeasures in mitigating the threats on a system through calculating risk of threats. The calculation is run on a model of assets, threats, vulnerabilities and countermeasures and enables the production of easy to understand reports and action item lists showing the financial value of threat risks and countermeasures priorities and cost-effectiveness.
    Type: Grant
    Filed: August 2, 2005
    Date of Patent: November 13, 2012
    Inventors: Ygor Goldberg, Michael Levy
  • Patent number: 8311222
    Abstract: A system including a first module and a second module. The first module includes a linear feedback shift register (LFSR) and a permutator circuit. The LFSR outputs a pseudo-random sequence of digital values based on a stored key value. The permutator circuit operates on successive groups of input bits using the pseudo-random sequence. For each of said successive groups, the permutator circuit: (a) selects a bit permutation based on a respective one of the digital values in the pseudo-random sequence, (b) permutes the bits of the group using the selected bit permutation to obtain a resultant group of bits, and (c) transmits the resultant group onto an output bus. The second module also includes an LFSR and a permutator circuit that operate to invert the permutations applied by the first module. In a two-dimensional embodiment, the first module and second module may include additional circuitry for scrambling bits between groups.
    Type: Grant
    Filed: August 26, 2008
    Date of Patent: November 13, 2012
    Assignee: GLOBALFOUNDRIES, Inc.
    Inventor: Andrew R. Rawson, Sr.
  • Patent number: 8312529
    Abstract: A microchip for a computer configured to connect to a one network of computers, the microchip comprising: a first internal hardware-based firewall, the first internal hardware-based firewall configured to deny access to a portion of the microchip from the network; a general purpose microprocessor including at least two general purpose cores or general purpose processing units; a first core or processing unit is located inside of the first internal hardware-based firewall; a second core or processing unit is located outside of at the first internal hardware-based firewall; the second core or processing unit is separate from the first internal hardware-based firewall; and a memory component located inside of a second internal hardware-based firewall that is located between said memory component and a core or processing unit with which said memory component is associated. The microchip can also include a plurality of dies.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: November 13, 2012
    Inventor: Frampton E. Ellis
  • Patent number: 8312093
    Abstract: A multi-user e-mail messaging system is described that is interfaced through the Internet and includes a first user group sharing a first server, which first server is interfaced to the Internet. In this system, after an e-mail message has been originated by an originating user of the first user group, the e-mail message is directed onto an e-mail enhancement path, and additional content is added to the e-mail message using the e-mail enhancement path to produce an enhanced e-mail message. Thereafter, the enhanced e-mail message from the e-mail enhancement path to the intended recipient. In one feature, the path taken by an incoming e-mail message is different from an outgoing path taken by an e-mail message sent from the first user group. The outgoing path defined to the intended recipient includes the enhancement path.
    Type: Grant
    Filed: March 9, 2012
    Date of Patent: November 13, 2012
    Inventors: Scott T. Brown, Kelly A. Wanser
  • Patent number: 8307419
    Abstract: The flow of information to or from an application on a host machine is regulated by a trusted agent operating in conjunction with at least one security element, such as a firewall or a policy server. When a communication to or from the application is detected by the trusted agent, the trusted agent gathers information about the attempted communication, and formulates and sends a message based upon the gathered information to at least one security element. The security element makes a decision to permit or block at least part of the attempted communication based upon the message received from the trusted agent.
    Type: Grant
    Filed: November 12, 2010
    Date of Patent: November 6, 2012
    Assignee: Intel Corporation
    Inventors: John W. Richardson, David A. Chouinard, Karen Chouinard, legal representative
  • Patent number: 8307415
    Abstract: Secure network communications between a source computer and a destination computer utilizing a firewall. The firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the outbound request. The remote endpoint and the local physical memory address are hashed to generate an index value corresponding to an entry in an internal state table of the firewall. When an inbound request is received, the firewall determines a remote endpoint and the local physical memory address associated with a local endpoint included in the inbound request. The remote endpoint and the local physical memory address of the inbound request are hashed to generate an index value corresponding to an entry in the internal state table of the firewall. The firewall forwards the inbound request to the local endpoint if a matching entry is found in the internal state table at the index value.
    Type: Grant
    Filed: May 9, 2007
    Date of Patent: November 6, 2012
    Assignee: Microsoft Corporation
    Inventors: Salahuddin Christopher Jules Khan, David Abzarian
  • Patent number: 8301906
    Abstract: An apparatus for writing checksum information on a data content on a storage medium. The apparatus has a provider for providing checksum information based on the data content and a writer for writing the data content and the checksum information on the storage medium such that a baseline reader and an enhanced reader can read the data content, the enhanced reader can read and process the checksum information, and the baseline reader ignores, skips or does not read the checksum information.
    Type: Grant
    Filed: July 27, 2007
    Date of Patent: October 30, 2012
    Assignee: Nero AG
    Inventors: Andreas Eckleder, Richard Lesser, Reiner Kopf
  • Patent number: 8291495
    Abstract: An intrusion detection system (“IDS”) device is described that includes a flow analysis module to receive a first packet flow from a client and to receive a second packet flow from a server. The IDS includes a forwarding component to send the first packet flow to the server and the second packet flow to the client and a stateful inspection engine to apply one or more sets of patterns to the first packet flow to determine whether the first packet flow represents a network attack. The IDS also includes an application identification module to perform an initial identification of a type of software application and communication protocol associated with the first packet flow and to reevaluate the identification of the type of software application and protocol according to the second packet flow. The IDS may help eliminate false positive and false negative attack identifications.
    Type: Grant
    Filed: August 8, 2007
    Date of Patent: October 16, 2012
    Assignee: Juniper Networks, Inc.
    Inventors: Bryan Burns, Siying Yang, Julien Sobrier
  • Patent number: 8291501
    Abstract: Embodiments for validating protected data paths for digital rights management of digital objects are disclosed. Some embodiments disclosed herein may comprise processes or apparatus for transferring data from one or more peripherals to one or more computers or digital data processing systems for the latter to process, store, and/or further transfer and/or for transferring data from the computers or digital data processing systems to the peripherals. Some embodiments disclosed herein may comprise processes or apparatus for interconnecting or communicating between two or more components connected to an interconnection medium within a single computer or digital data processing system.
    Type: Grant
    Filed: February 8, 2008
    Date of Patent: October 16, 2012
    Assignee: Cheng Holdings, LLC
    Inventor: Thomas W. Lynch
  • Patent number: 8291119
    Abstract: A method for securing remote access to private networks includes a receiver intercepting from a data link layer a packet in a first plurality of packets destined for a first system on a private network. A filter intercepts from the data link layer a packet in a second plurality of packets transmitted from a second system on the private network, destined for a system on a second network. A transmitter in communication with the receiver and the filter performing a network address translation on at least one intercepted packet and transmitting the at least one intercepted packet to a destination.
    Type: Grant
    Filed: July 22, 2005
    Date of Patent: October 16, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Goutham P. Rao, Robert A. Rodriguez, Eric R. Brueggemann
  • Patent number: 8286255
    Abstract: In embodiments of the present invention improved capabilities are described for providing data protection through the detection of tags associated with data or a file. In embodiments the present invention may provide for a step A, where data may be scanned that is intended to be communicated from the client computing facility. In response to step A, at step B, restricted data may be identified by identifying an absence of a tag associated with the data. And finally, in response to step B, at step C, an interruption to the intended communication may be caused.
    Type: Grant
    Filed: August 7, 2008
    Date of Patent: October 9, 2012
    Assignee: Sophos PLC
    Inventors: Calum Anders McKay Grant, Rade Todorovic, Andrew James Thomas, Richard Jacobs
  • Patent number: 8286103
    Abstract: A device with a touch-sensitive display may be unlocked via gestures performed on the touch-sensitive display. The device is unlocked if contact with the display corresponds to a predefined gesture for unlocking the device. The device displays one or more unlock images with respect to which the predefined gesture is to be performed in order to unlock the device. The performance of the predefined gesture with respect to the unlock image may include moving the unlock image to a predefined location and/or moving the unlock image along a predefined path. The device may also display visual cues of the predefined gesture on the touch screen to remind a user of the gesture.
    Type: Grant
    Filed: August 5, 2011
    Date of Patent: October 9, 2012
    Assignee: Apple Inc.
    Inventors: Imran Chaudhri, Bas Ording, Freddy Allen Anzures, Marcel Van Os, Scott Forstall, Greg Christie
  • Patent number: 8281363
    Abstract: A computer-implemented method may include receiving a request to access a network. The request may be sent from a virtual machine. The method may also include proxying the request to a network-access-control module, receiving a response from the network-access-control module, and transmitting the response to the virtual machine. Proxying the request to the network-access-control module may include assigning the virtual machine a virtual identifier. Proxying the request may also include creating a temporary interface. The temporary interface may be programmed to receive the response from the network-access-control module and transmit the response to the virtual machine. Various other methods, systems, and computer-readable media are also disclosed herein.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: October 2, 2012
    Assignee: Symantec Corporation
    Inventors: Brian Hernacki, Bruce McCorkendale, William E. Sobel
  • Patent number: 8281124
    Abstract: A network apparatus which is connected to a network is disclosed. The network apparatus includes a managing unit which manages an address range in which addresses to be allocated to a destination network apparatus are registered and encryption parameters for encrypting data to be transmitted to the destination network apparatus so that the address range and the encryption parameters are related to each other, an address generating unit which generates an address for the destination network apparatus by selecting an address in the address range, and an encryption unit which encrypts the data to be transmitted to the address generated by the address generating unit based on the encryption parameters.
    Type: Grant
    Filed: March 12, 2007
    Date of Patent: October 2, 2012
    Assignee: Ricoh Company, Ltd.
    Inventor: Hiroshi Tamura
  • Patent number: 8276204
    Abstract: An apparatus relays packets transferred over a network and discards an attack packet detected among the packets. The apparatus includes: an inspection-packet outputting unit that outputs, when detecting the attack packet, an inspection packet in which a transmission-source address contained in the attack packet is set as a destination address and a destination address contained in the attack packet is set as a transmission-source address; a filter table storing unit that stores, when acquiring a response packet for the inspection packet, a transmission-source address, a destination address, and identification information of an interface, which has received the response packet, that are contained in the response packet, in a filter table in an associated manner; and a transfer control unit that determines whether to transfer a packet as a transfer object based on the filter table.
    Type: Grant
    Filed: December 9, 2009
    Date of Patent: September 25, 2012
    Assignee: Fujitsu Limited
    Inventor: Jun Ogawa
  • Patent number: 8275984
    Abstract: The prevention of impersonation attacks based on hijacked common gateway interface (CGI) session IDs is disclosed. In accordance with one embodiment, a secured communication channel is formed between a server and a client using an initial transport layer security (TLS) key. Additionally, an authenticated CGI session is formed over the secured communication channel based on an initial CGI session identifier (ID). Further, the initial CGI session ID and the initial TLS key are combined into a pair. Next, incoming data that includes an incoming CGI session ID is received via a secured communication channel. An incoming TLS key of the secured communication channel that carries the incoming CGI session ID is then retrieved. Based on the retrieved incoming TLS key, the incoming data is permitted to execute on the server when the incoming TLS key matches the initial TLS key of the pair.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: September 25, 2012
    Assignee: Microsoft Corporation
    Inventor: Peter Loveless
  • Patent number: 8272051
    Abstract: A process of information leakage prevention for sensitive information in a database table. Content to be inspected is extracted at a deployment point. The content is processed by a first fingerprinting module to determine if the content matches fingerprint signatures generated from database cells between a first threshold size and a second threshold size which is larger than the first threshold size. The content is also processed by a second fingerprinting module to determine if the content matches fingerprint signatures generated from database cells larger than the second threshold size. The content may also be filtered, and the filtered content processed with an exact match module to determine if the filtered content exactly matches data from cells smaller than the first threshold size. Other embodiments, aspects and features are also disclosed.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: September 18, 2012
    Assignee: Trend Micro Incorporated
    Inventors: Xiaoming Zhao, Gang Chen, Kan Dong
  • Patent number: 8271774
    Abstract: An incoming network traffic manager circumstantially blocks incoming network traffic (103) containing code (107). The incoming network traffic manager (101) monitors (201) incoming network traffic (103) addressed to a target computer (105). The network traffic manager (101) detects (203) incoming network traffic (103) containing code (107). The network manager (101) blocks (205) incoming traffic (103) containing code (107) from reaching the target computer (105), responsive to circumstances being such that it is undesirable to allow incoming traffic (103) containing code (107) to reach the target computer (105).
    Type: Grant
    Filed: August 11, 2003
    Date of Patent: September 18, 2012
    Assignee: Symantec Corporation
    Inventors: Carey Nachenberg, Bruce McCorkendale
  • Patent number: 8271778
    Abstract: A system and method for monitoring secure digital data on a network are provided. An exemplary network monitoring system may include a network device in communication with a user and a network. Further, a server may be in communication with the network. A browser and monitoring program may be stored on the network device, and the network device may receive secure digital data from the network. The browser may convert the secure digital data or a portion thereof into source data, and the monitoring program may transfer the source data or a portion thereof to the server. In an exemplary embodiment, the monitoring program may include a service component and an interface program.
    Type: Grant
    Filed: July 24, 2002
    Date of Patent: September 18, 2012
    Assignee: The Nielsen Company (US), LLC
    Inventors: Todd Tao Zhou, Ricardo Batista
  • Patent number: 8266686
    Abstract: Configuration data within a session border controller (SBC) is updated to support a new external node in an automatic fashion by a computer system. A user is prompted for an identity of a node external to the communication network that transfers the signaling, and a call processor internal to the communication network that receives and processes the signaling. The identities are then processed to select at least one session border controller (SBC), and configuration data is retrieved from the selected SBC. This configuration data from the selected SBC is automatically updated to allow signaling from the external node to the call processor. Signaling received from the external node into the SBC is then transferred to the call processor based on the updated configuration data.
    Type: Grant
    Filed: January 11, 2008
    Date of Patent: September 11, 2012
    Assignee: Sprint Communications Company L.P.
    Inventor: Christopher R. Ginnings
  • Patent number: 8261346
    Abstract: Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.
    Type: Grant
    Filed: May 29, 2008
    Date of Patent: September 4, 2012
    Assignee: International Business Machines Corporation
    Inventor: James F. Riordan
  • Patent number: 8261055
    Abstract: A first information processing apparatus encrypts data that it receives from a second information processing apparatus, and transmits the data thus encrypted to an external device. The second information processing apparatus transmits the data to the first information processing apparatus according to a data size that results after a data size being necessary for communication of the encrypted data is subtracted from a specified data size.
    Type: Grant
    Filed: June 27, 2007
    Date of Patent: September 4, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahiko Sakai
  • Patent number: 8261318
    Abstract: Techniques for passing security configuration information between a security policy server and a client include the client forming a request for security configuration information that configures the client for secure communications. The client is separated by an untrusted network from a trusted network that includes the security policy server. A tag is generated that indicates a generic security configuration attribute. An Internet Security Association and Key Management Protocol (ISAKMP) configuration mode request message is sent to a security gateway on an edge of the trusted network connected to the untrusted network. The message includes the request in association with the tag. The gateway sends the request associated with the tag to the security policy server on the trusted network and does not interpret the request. The techniques allow client configuration extensions to be added by modifying the policy server or security client, or both, without modifying the gateway.
    Type: Grant
    Filed: September 22, 2010
    Date of Patent: September 4, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Geoffrey Huang, Jan Vilhuber
  • Publication number: 20120221849
    Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.
    Type: Application
    Filed: May 1, 2012
    Publication date: August 30, 2012
    Applicant: Brocade Communications Systems, Inc.
    Inventors: Yan-Zhe Wang, Sean Hou, Sridhar Devarapalli, Louis Yun
  • Patent number: 8255683
    Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator-selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator-selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.
    Type: Grant
    Filed: September 5, 2006
    Date of Patent: August 28, 2012
    Assignee: Axway Inc.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8250659
    Abstract: By arranging a redundancy means and a control means upstream from an encryption means which encrypts and decrypts the data to be stored in an external memory, the integrity of data may be ensured when the generation of redundancy information is realized by the redundancy means, and when the generation of a syndrome bit vector indicating any alteration of the data is implemented by the control means. What is preferred is a control matrix constructed from idempotent, thinly populated, circulant square sub-matrices only. By arranging redundancy and control means upstream from the encryption/decryption means, what is achieved is that both errors in the encrypted data and errors of the non-encrypted data may be proven, provided that they have occurred in the data path between the redundancy/control means and the encryption/decryption means.
    Type: Grant
    Filed: June 19, 2006
    Date of Patent: August 21, 2012
    Assignee: Infineon Technologies AG
    Inventors: Berndt Gammel, Rainer Goettfert
  • Patent number: 8250360
    Abstract: Content Based Routing with High Assurance MLS (multi-level security) methods and systems are described. In an embodiment, a security component receives content from a content provider. The security component can identify a security level of content metadata located within the content received from the content provider. A content router can receive a content descriptor from the content provider and an interest profile from a requesting system. The content router can utilize algorithms to create routing tables based on metadata in the content descriptor, and the interest profile. The content router can provide the content metadata to the requesting system based on the interest profile. A content filter can filter or sanitize the content metadata according to a security level of the requesting system before providing the content metadata to the requesting system.
    Type: Grant
    Filed: November 29, 2006
    Date of Patent: August 21, 2012
    Assignee: The Boeing Company
    Inventor: Robert J. Winig
  • Patent number: 8239931
    Abstract: A communication apparatus used in a plurality of networks is disclosed. The communication apparatus includes a firewall which allows communication with outside of the communication apparatus when disabled, and prohibits communication with outside of the communication apparatus when enabled. Then, the communication apparatus includes a firewall control unit which acquires a first MAC address of a first default gateway provided for a predetermined specific network and a second MAC address of a second default gateway provided for a network in which the communication apparatus is being connected, and controls the firewall according to a result of comparison of the first MAC address and the second MAC address.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: August 7, 2012
    Assignees: NEC Corporation, NEC Access Technica, Ltd.
    Inventors: Mamiko Hayasaka, Yoshinori Unno, Masanobu Kawashima
  • Patent number: 8239471
    Abstract: A system for, and method of, generating a plurality of proxy identities to a given originator identity as a means of providing controlled access to the originator identity in electronic communications media such as e-mail and instant messaging.
    Type: Grant
    Filed: October 21, 2010
    Date of Patent: August 7, 2012
    Assignee: Reflexion Networks, Inc.
    Inventors: Joseph E. McIsaac, Marcus Dahllof, Bruce L. Tatarsky, Richard K. Vallett
  • Patent number: 8237587
    Abstract: A continuously-arranged sensor system is provided that can eliminate a shift in timing between a determination signal of each sensor unit and sensor information relating to the determination signal. The continuously-arranged sensor system includes a network unit and a plurality of sensor units, which are connected by a serial transmission line and a parallel transmission line. In accordance with a command sent from the network unit, each sensor unit transmits the determination signal and the sensor information, provided at the same time as the determination signal, to the network unit via the serial transmission line. Therefore, the network unit can obtain the determination signal and the sensor information exhibited at the same time.
    Type: Grant
    Filed: December 16, 2009
    Date of Patent: August 7, 2012
    Assignee: Keyence Corporation
    Inventor: Koji Fukumura
  • Patent number: 8239929
    Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
    Type: Grant
    Filed: April 28, 2010
    Date of Patent: August 7, 2012
    Assignee: Foundry Networks, LLC
    Inventors: Philip Kwan, Chi-Jui Ho
  • Patent number: 8230214
    Abstract: A method for enabling efficient SSL handshakes through precomputing of handshake messages, the method includes: receiving, by an appliance, a server certificate identifying a server; generating, by the appliance, at least one of: (i) an SSL server certificate message comprising the received server certificate, (ii) an SSL client certificate request message, and (iii) an SSL hello done message; storing, by the appliance, the generated messages; receiving, by the appliance from a client, an SSL client hello message identifying the server; and transmitting, by the appliance to the client, an SSL server hello message and at least one of the stored messages. Corresponding systems are also described.
    Type: Grant
    Filed: August 21, 2006
    Date of Patent: July 24, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Tushar Kanekar, Sivaprasad Udupa
  • Patent number: 8224905
    Abstract: Spam is identified by computing sender reputation derived from historical activity data across counts for various categories. A spam filter or machine learning system can be trained utilizing pre-categorized data in conjunction with activity data associated with a sender aggregated across at least one time period. This sender activity filter can be employed alone or in combination with other filters to facilitate classification of messages as spam or non-spam.
    Type: Grant
    Filed: December 6, 2006
    Date of Patent: July 17, 2012
    Assignee: Microsoft Corporation
    Inventors: Alexei V. Bocharov, Joshua T. Goodman
  • Patent number: 8225371
    Abstract: A method and apparatus for creating a policy based on a pre-configured template is described. In one embodiment, source data having a tabular structure is identified. Further, one of multiple policy templates is used to automatically create a policy for detecting information from any one or more rows within the tabular structure of the source data.
    Type: Grant
    Filed: July 15, 2004
    Date of Patent: July 17, 2012
    Assignee: Symantec Corporation
    Inventors: Chris Jones, Eric Bothwell, Kevin T. Rowney
  • Patent number: 8219800
    Abstract: In one embodiment, a method comprises receiving, by a router in a network, a router advertisement message on a network link of the network; detecting within the router advertisement message, by the router, an advertised address prefix and an identified router having transmitted the router advertisement message within the network; determining, by the router, whether the identified router is authorized to at least one of advertise itself as a router, or advertise the advertised address prefix on the network link; and selectively initiating, by the router, a defensive operation against the identified router based on the router determining the identified router is not authorized to advertise itself as a router, or advertise the advertised address prefix on the network link.
    Type: Grant
    Filed: June 6, 2007
    Date of Patent: July 10, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Eric Michel Levy-Abegnoli, Pascal Thubert
  • Patent number: 8214884
    Abstract: A management server acts as a repository for a plurality of user certificates corresponding to a plurality of users. When a user wishes to access a remote computer such as a secure-enabled host requiring a secure credential, his/her computer sends a request message to the management server. The management server may perform its own validity checking. In response to a request and conditioned on the management server authorizing access to a computing resource that requires an authorization credential, the management server delivers the requested credential and executable code, the authorization credential comprising information that enables access to the computing resource and the delivered executable code manages the lifecycle of the delivered authorization credential by allowing only temporary storage without caching of the delivered authorization credential.
    Type: Grant
    Filed: June 25, 2004
    Date of Patent: July 3, 2012
    Assignee: Attachmate Corporation
    Inventors: Sharon Xia, Eduardo Muñoz, Dan Brombaugh
  • Patent number: 8214898
    Abstract: A system receives a first part of a response that includes a number of parts, determines whether there is a security issue associated with the first part of the response, stores the first part of the response when there is no security issue associated with the first part of the response, and causes the first part of the response to be transmitted toward a destination when there is no security issue associated with the first part of the response. The system also receives a last part of the response, combines the last part of the response with at least the first part of the response to obtain combined parts of the response, processes the combined parts of the response to determine whether there is a security issue associated with the combined parts of the response, and causes the last part of the response to be transmitted toward the destination when there is no security issue associated with the combined parts of the response.
    Type: Grant
    Filed: February 27, 2006
    Date of Patent: July 3, 2012
    Assignee: Juniper Networks, Inc.
    Inventor: Zhiping Liu
  • Patent number: 8209538
    Abstract: An email policy is applied in a policy manager, running on a mail server in a local area network, to determine whether an outgoing email message should be allowed to be transmitted to a destination address outside the local area network, for example over the internet. A digital signature is used in the policy manager, to determine if the sender is the sender indicated in the message itself. If so, a sender-dependent policy is applied.
    Type: Grant
    Filed: August 16, 2004
    Date of Patent: June 26, 2012
    Assignee: Clearswift Limited
    Inventor: Jim Craigie
  • Patent number: 8205076
    Abstract: This specification describes technologies relating to imparting real-time priority-based network communications in an encrypted session. In general, aspects of the subject matter described can be embodied in methods that include establishing, based on cryptographic information in a reserved, random-data portion of a handshake communication, a session, receiving parameter values relating to a sub media stream, included in a header of a network communication, storing the parameter values, obtaining state information and a data payload included in a second network communication, identifying, from the state information, a purpose of the second network communication, and whether a header of the second network communication includes one or more new values corresponding to one or more of the parameters, updating one or more of the stored values based on the one or more new values, and processing the data payload based on the identified purpose and the stored parameter values.
    Type: Grant
    Filed: November 24, 2011
    Date of Patent: June 19, 2012
    Assignee: Adobe Systems Incorporated
    Inventors: Pritham Shetty, Asa Whillock, Edward Chan, Srinivas Manapragada, Matthew Kaufman, Michael Thornburgh
  • Patent number: 8205246
    Abstract: In one embodiment, a method includes receiving authorization data at a local node of a network. The authorization data indicates a particular network address of a different node in the network and an authenticated user ID of a user of the different node. Resource profile data is retrieved based on the user ID. The resource profile data indicates all application layer resources on the network that the user is allowed to access. The particular network address is associated at the local node with the resource profile data for the user. A request from the particular network address for a requested application layer resource on the network is blocked based on the resource profile data associated with the particular network address.
    Type: Grant
    Filed: May 10, 2007
    Date of Patent: June 19, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Kevin Shatzkamer, Christopher C. O'Rourke, Richard Alan Galatioto
  • Patent number: 8196189
    Abstract: A secure distributed single-login authentication system comprises a client and a server. The client collects authentication credentials from a user and tests credentials at a variety of potential authentication servers to check where the login is valid. It combines a password with a time-varying salt and a service-specific seed in a message digesting hash, generating a first hash value. The client sends the hash value with a user name and the time-varying salt to a selected server. The server extracts the user name and looks up the user name in the server's database. If an entry is found, it retrieves the password, performing the same hash function on the combination of user name, service-specific seed, and password to generate a second hash value, comparing the values. If the values match, the user is authenticated. Thus, the system never reveals the password to authentication agents that might abuse the information.
    Type: Grant
    Filed: June 11, 2010
    Date of Patent: June 5, 2012
    Assignee: AOL LLC
    Inventor: James Roskind
  • Patent number: 8194625
    Abstract: The present invention provides a LAN device 20 having an internal function of controlling communication. A management representative of the LAN device 20 sets a protocol applicable for communication with regard to each of MAC addresses or IP addresses allocated to transmitter terminals and each of IP addresses allocated to receiver terminals. The LAN device transmits data in the case of the protocol applicable for communication, while not transmitting data in the case of any protocol inapplicable for communication.
    Type: Grant
    Filed: August 30, 2002
    Date of Patent: June 5, 2012
    Assignee: Buffalo Inc.
    Inventor: Takashi Ishidoshiro
  • Patent number: 8196183
    Abstract: A server interacts with a sender to form a package which can include one or more attached data files to be sent to one or more recipients, and the server applies a policy established by a policy authority of the sender to the package. Since the server both forms the package through interaction with the sender and applies the policy, any violations of the policy by the package can be brought to the sender's attention during an interactive session with the sender and before encryption of all or part of the package. As a result, the sender is educated regarding the policy of the sender's policy authority, and the sender can modify the package immediately to comport with the policy. The server delivers the package to the one or more intended recipients by sending notification to each recipient and including in such notification package identification data, e.g., a URL by which the package can be retrieved.
    Type: Grant
    Filed: March 1, 2004
    Date of Patent: June 5, 2012
    Assignee: Axway Inc.
    Inventors: Jeffrey C. Smith, Jean-Christophe Bandini
  • Patent number: 8189468
    Abstract: A system and method for interconnecting networks. In one embodiment, a message is received from a first network to be communicated to a target device of a second network. Data within the message is identified. A determination is made whether the data is allowable based on a policy. The message is communicated to the target device of the second network in response to determining the data is allowed.
    Type: Grant
    Filed: October 25, 2006
    Date of Patent: May 29, 2012
    Assignee: Embarq Holdings, Company, LLC
    Inventor: Michael K. Bugenhagen
  • Patent number: 8189780
    Abstract: The digital broadcast receiver comprises: a signal input unit for receiving a received broadcast wave; a demodulation unit for demodulating the broadcast wave; an external module; an external module I/F (Interface) for connecting the receiver to the external module; a decoding unit for extracting necessary information containing a target content from the received signal; an output unit for outputting actual video/audio; a control unit for controlling the entire receiver; and a user I/F for transmitting and receiving information to/from a user. Further, there are provided: a packet processing unit that is located between the demodulation unit and the external module I/F, that monitors all the packets contained in a TS, and that performs a predetermined processing on packets matched with a predetermined condition; and a TS selector that is located between the external module I/F and a bus line and that selects and outputs one designated TS of the two TSs.
    Type: Grant
    Filed: May 12, 2005
    Date of Patent: May 29, 2012
    Assignee: Sharp Kabushiki Kaisha
    Inventors: Tomoyuki Matsumoto, Junji Mitani
  • Patent number: 8190880
    Abstract: Embodiments of the invention are generally related to data processing, and more specifically to processing data retrieved from a database. A GUI screen displaying query results may provide for the selection of a data standard to be applied to the query results. An analysis routine may identify specific results that comport with a selected data standard and visually identify the specific query results that comport with the selected data standard.
    Type: Grant
    Filed: January 24, 2007
    Date of Patent: May 29, 2012
    Assignee: International Business Machines Corporation
    Inventors: Richard Dean Dettinger, Frederick Allyn Kulack, Shannon Everett Wenzel
  • Patent number: 8190881
    Abstract: Web-based authentication includes receiving a packet in a network switch having at least one associative store configured to forward packet traffic to a first one or more processors of the switch that are dedicated to cryptographic processing if a destination port of the packet indicates a secure transport protocol, and to a second one or more processors of the switch that are not dedicated to cryptographic processing if the destination port does not indicate a secure transport protocol. If a source of the packet is an authenticated user, the packet is forwarded via an output port of the switch, based on the associative store. If the source is an unauthenticated user, the packet is forwarded to the first one or more processors if the destination port indicates a secure transport protocol, and to the second one or more processors if the destination port does not indicate a secure transport protocol.
    Type: Grant
    Filed: October 15, 2007
    Date of Patent: May 29, 2012
    Assignee: Foundry Networks LLC
    Inventors: Yan-Zhe Wang, Sean Hou, Sridhar Devarapalli, Louis Yun
  • Patent number: 8185930
    Abstract: Methods and systems for adjusting control settings associated with filtering or classifying communications to a computer or a network. The adjustment of the control settings can include adjustment of policy and/or security settings associated with the computer or network. Ranges associated with the control settings can also be provided in some implementations.
    Type: Grant
    Filed: November 6, 2007
    Date of Patent: May 22, 2012
    Assignee: McAfee, Inc.
    Inventors: Dmitri Alperovitch, Paula Greve, Sven Krasser, Tomo Foote-Lennox