Proxy Server Or Gateway Patents (Class 726/12)
  • Patent number: 8943570
    Abstract: Exemplary network infrastructures and methods employing a Security Gateway utilize client authentication for use of a secure connection between an application client and an application server of a protected network. Once a secure connection has been set up, a Security Gateway can start a timer for establishing a period within which a password and username are to be received from the application client before traffic is allowed to exit the Security Gateway. If a username and password are provided while the timer is running, the Security Gateway can contact a single sign on (SSO) server to check whether the username and password are correct. If the username and password are valid, the Security Gateway can start relaying traffic externally to the application server. If an invalid username and password are provided or the timer times out before receipt of a username and password, the secure connection can be terminated.
    Type: Grant
    Filed: December 2, 2010
    Date of Patent: January 27, 2015
    Assignee: Cellco Partnership
    Inventor: Rohit Kalbag
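    The post-handshake credential gate described in the abstract above, written out as an added illustration (this is not the patent's or the assignee's code). The SSO server is replaced by a constructed in-memory directory, the clock is injected so the timeout path can be driven deterministically, and the deadline value is an assumption; the state transitions follow the abstract: traffic leaves the gateway only after a valid username/password arrives while the timer is running, and an invalid pair or an expired timer terminates the secure connection.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class State(Enum):
    AWAITING_CREDENTIALS = "awaiting_credentials"
    RELAYING = "relaying"
    TERMINATED = "terminated"


# Constructed stand-in for the SSO server; a real gateway would query it over the network.
SSO_DIRECTORY: Dict[str, str] = {"alice": "correct-horse"}


def sso_check(username: str, password: str) -> bool:
    """Hypothetical SSO lookup: True only when the pair matches the directory."""
    return SSO_DIRECTORY.get(username) == password


@dataclass
class GatewaySession:
    """One secure connection between an application client and the gateway."""
    opened_at: float                       # when the secure connection came up
    credential_deadline: float             # seconds allowed for username/password
    now: Callable[[], float]               # injected clock, so runs are deterministic
    verify: Callable[[str, str], bool] = sso_check
    state: State = State.AWAITING_CREDENTIALS
    relayed: List[bytes] = field(default_factory=list)
    reason: Optional[str] = None

    def _timer_expired(self) -> bool:
        return self.now() - self.opened_at > self.credential_deadline

    def submit_credentials(self, username: str, password: str) -> State:
        """Credentials count only while the timer runs; a bad pair ends the session."""
        if self.state is not State.AWAITING_CREDENTIALS:
            return self.state
        if self._timer_expired():
            return self._terminate("timer expired before credentials")
        if self.verify(username, password):
            self.state = State.RELAYING
            return self.state
        return self._terminate("invalid credentials")

    def forward(self, data: bytes) -> bool:
        """Relay to the application server only once the session is RELAYING."""
        if self.state is State.AWAITING_CREDENTIALS and self._timer_expired():
            self._terminate("timer expired before credentials")
        if self.state is not State.RELAYING:
            return False  # dropped: nothing exits the gateway before authentication
        self.relayed.append(data)
        return True

    def _terminate(self, reason: str) -> State:
        self.state = State.TERMINATED
        self.reason = reason
        return self.state


def run_scenario(events, deadline: float = 5.0) -> GatewaySession:
    """Replay (time, action, payload) events against one session using a fake clock."""
    clock = {"t": 0.0}
    session = GatewaySession(opened_at=0.0, credential_deadline=deadline,
                             now=lambda: clock["t"])
    for t, action, payload in events:
        clock["t"] = t
        if action == "creds":
            session.submit_credentials(*payload)
        elif action == "data":
            session.forward(payload)
    return session
```

    Note that data sent before authentication is dropped rather than buffered: buffering it would let an unauthenticated client consume gateway memory for the full length of the timer.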
  • Patent number: 8943318
    Abstract: A system is configured to receive a first authentication request from a first device, authenticate the first device, establish a secure connection with the first device based on authenticating the first device, and receive, via the secure connection with the first device, a set of parameters from the first device. The first device is capable of generating an encryption key for a secure message, intended for a second device, based on the set of parameters. The system is also configured to receive a second authentication request from a second device, authenticate the second device and establish a secure connection with the second device based on receiving the second authentication request, and send, via the secure connection with the second device, the set of parameters to the second device. The second user device is capable of generating a decryption key for the secure message based on the set of parameters.
    Type: Grant
    Filed: May 11, 2012
    Date of Patent: January 27, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Kwai Yeung Lee, William C. King
  • Patent number: 8943576
    Abstract: Systems and methods for associating a first process with a first state and a first computing environment initialized according to a first set of parameters, wherein a first task is to be performed under a first security context. The method further comprising associating a second process with a second state and a second computing environment initialized according to a second set of parameters; in response to the first process submitting a first request, the second process spawning a third process which has the second state; wherein the third process sets a security context for the third process to the first security context and the third process sets the computing environment for the third process according to a first set of parameters; executing the third process under the first security context and in association with the second state; and executing the first task in the first computing environment.
    Type: Grant
    Filed: December 26, 2012
    Date of Patent: January 27, 2015
    Assignee: International Business Machines Corporation
    Inventors: David Hadas, Aner Hamama, Nadav Yosef Har'el, Eran Rom
  • Patent number: 8943308
    Abstract: An e-mail relay provides message filtering services to an e-mail network. The e-mail relay monitors incoming communication and intercepts e-mail messages. The e-mail relay compares attributes of the messages to data derived from SPAM messages, which are stored in a SPAM database. The e-mail relay restricts the delivery of messages based on the comparison such as by restricting the delivery of messages having attributes close to those of SPAM messages from the SPAM database. The SPAM database is constructed by responding to user or administrator indications as to whether received messages are SPAM messages.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: January 27, 2015
    Assignee: Axway Inc.
    Inventors: Jean-Christophe Bandini, Daryl Odnert, Dmitry Dolinsky
  • Patent number: 8943304
    Abstract: Systems and methods are described for using a client agent operating in a virtual private network environment to intercept HTTP communications. Methods include: intercepting at the network layer, by a client agent executing on a client, an HTTP request from an application executing on the client; modifying the HTTP request; and transmitting, via a transport layer connection, the modified HTTP request to a server. Additional methods may comprise adding, removing, or modifying at least one cookie in the HTTP request. Still other methods may comprise modifying at least one name-value pair contained in the HTTP request. Corresponding systems are also described.
    Type: Grant
    Filed: August 3, 2006
    Date of Patent: January 27, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Junxiao He, Charu Venkatraman, Ajay Soni
  • Publication number: 20150026793
    Abstract: In one implementation, the number of half open session initiation protocol (SIP) sessions per-destination (e.g., SIP device) or globally is limited by SIP application layer gateway (ALG) as a SIP DoS/DDoS countermeasure. Compared with traditional SIP DoS/DDoS countermeasures, the proposed solution is simple to implement and, thus, less likely to degrade SIP ALG performance. Moreover, this solution automatically adapts to DoS/DDoS attack arrival rate, while at the same time not degrading legal SIP traffic even if throttling is enforced for the SIP device.
    Type: Application
    Filed: July 17, 2013
    Publication date: January 22, 2015
    Inventors: Xin Li, Yin Wang, Yibin Zhang
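    An added example of the half-open session limit the abstract describes, not code from the application or its inventors. The ALG counts a session as half open from the INVITE it relays until it sees a final response (status 200 or above) for that Call-ID, or until a timeout; a new INVITE is dropped when its destination already has the per-destination maximum of half-open sessions, or when the global maximum is reached. The limits, the timeout value, the minimal SIP parser and the sample messages are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PER_DESTINATION_LIMIT = 2     # assumption; a real ALG would make this configurable
GLOBAL_LIMIT = 3              # assumption
HALF_OPEN_TIMEOUT = 32.0      # seconds; roughly the SIP INVITE transaction timeout (assumption)


@dataclass
class HalfOpen:
    destination: str
    started: float


@dataclass
class SipHalfOpenLimiter:
    per_destination_limit: int = PER_DESTINATION_LIMIT
    global_limit: int = GLOBAL_LIMIT
    timeout: float = HALF_OPEN_TIMEOUT
    pending: Dict[str, HalfOpen] = field(default_factory=dict)   # Call-ID -> session
    dropped: int = 0

    @staticmethod
    def parse(raw: str) -> Tuple[str, Optional[str], Optional[int], Dict[str, str]]:
        """Minimal SIP start-line/header parser: (method or 'RESPONSE', URI, status, headers)."""
        lines = raw.strip().splitlines()
        start = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        if start[0].startswith("SIP/"):
            return "RESPONSE", None, int(start[1]), headers
        return start[0], start[1], None, headers

    def _expire(self, now: float) -> None:
        stale = [cid for cid, s in self.pending.items() if now - s.started > self.timeout]
        for cid in stale:
            del self.pending[cid]

    def _count_for(self, destination: str) -> int:
        return sum(1 for s in self.pending.values() if s.destination == destination)

    def handle(self, raw: str, now: float) -> bool:
        """Return True if the ALG forwards the message, False if it drops it."""
        self._expire(now)
        kind, uri, status, headers = self.parse(raw)
        call_id = headers.get("call-id", "")
        if kind == "INVITE":
            if call_id in self.pending:
                return True  # retransmitted INVITE of a session already counted
            dest = uri.split("@", 1)[-1] if uri else ""
            if (len(self.pending) >= self.global_limit
                    or self._count_for(dest) >= self.per_destination_limit):
                self.dropped += 1
                return False
            self.pending[call_id] = HalfOpen(dest, now)
            return True
        if kind == "RESPONSE" and status is not None and status >= 200:
            self.pending.pop(call_id, None)   # final response closes the half-open state
        return True

    def half_open(self, destination: Optional[str] = None) -> int:
        return self._count_for(destination) if destination else len(self.pending)


def invite(call_id: str, dest: str) -> str:
    """Constructed sample INVITE carrying only the headers this code reads."""
    return f"INVITE sip:user@{dest} SIP/2.0\r\nCall-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n"


def final_response(call_id: str, status: int = 200, reason: str = "OK") -> str:
    """Constructed sample final response."""
    return f"SIP/2.0 {status} {reason}\r\nCall-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n"
```

    Because only INVITEs without a final response count, legitimate callers whose INVITEs complete normally are never throttled, while a flood of INVITEs that never progresses is capped at the limit regardless of its arrival rate.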
  • Patent number: 8938807
    Abstract: Antivirus software detects malware on a computer and the landing time of the malware is determined; a time window around the landing time is determined. Optionally requiring the landing time of the malware to be before the installation time of the antivirus software eliminates false positives. Any files of the computer systems that have a creation time within the time window are suspect. If the prevalence value and the maturity value of the suspect file are below respective thresholds then it is concluded that the file is malware and it is deleted. No virus signature or virus pattern that matches the deleted file need be relied upon or used. The detected malware may be the original mother file or a dropped file. An online prevalence and maturity database is used. The launching time of the malware may be used instead of the landing time.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: January 20, 2015
    Assignee: Trend Micro Inc.
    Inventors: Lung-Chu Huang, Ho-Hsuan Lee, Chung-Chih Hsieh
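    The landing-time window triage from the abstract above, as an added worked example (not the vendor's code). Files created within a window around the detected malware's landing time are suspects; a suspect whose prevalence and maturity are both below their thresholds is concluded to be malware with no signature involved. The prevalence/maturity database is a constructed in-memory table keyed by file hash, the window and thresholds are assumptions, and the file listing is constructed sample data. The optional filter that requires the landing time to precede the antivirus installation time is included.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW = 120.0                 # seconds either side of the landing time (assumption)
PREVALENCE_THRESHOLD = 10      # machines reporting the hash (assumption)
MATURITY_THRESHOLD_DAYS = 7.0  # days since first sighting (assumption)


@dataclass(frozen=True)
class FileRecord:
    path: str
    sha256: str
    created: float   # epoch seconds; the file's creation time on this machine


@dataclass(frozen=True)
class Reputation:
    prevalence: int          # how many machines have reported this hash
    maturity_days: float     # age of the hash's first report


# Constructed stand-in for the online prevalence and maturity database.
REPUTATION_DB: Dict[str, Reputation] = {
    "aaa": Reputation(prevalence=50_000, maturity_days=900.0),  # common system file
    "bbb": Reputation(prevalence=2, maturity_days=0.5),        # rare and fresh
    "ccc": Reputation(prevalence=1, maturity_days=1.0),        # rare and fresh
    "ddd": Reputation(prevalence=3, maturity_days=120.0),      # rare but old
}

T = 1_700_000_000.0
DETECTED = FileRecord("C:/Users/u/AppData/Local/Temp/dropper.exe", "mal", T)
SAMPLE_FILES: List[FileRecord] = [              # constructed file listing
    DETECTED,
    FileRecord("C:/Windows/System32/kernel32.dll", "aaa", T - 30),
    FileRecord("C:/Users/u/AppData/Local/Temp/x.exe", "bbb", T + 5),
    FileRecord("C:/Program Files/Tool/tool.exe", "ddd", T + 10),
    FileRecord("C:/Users/u/Downloads/report.pdf", "eee", T + 20),    # no reputation data
    FileRecord("C:/Users/u/AppData/Roaming/svc.dll", "ccc", T + 60),
    FileRecord("C:/Users/u/Documents/old.docx", "bbb", T - 86_400),  # outside window
]


def suspects_in_window(files: List[FileRecord], landing_time: float,
                       window: float = WINDOW) -> List[FileRecord]:
    lo, hi = landing_time - window, landing_time + window
    return [f for f in files if lo <= f.created <= hi]


def below_thresholds(rep: Reputation,
                     prevalence_threshold: int = PREVALENCE_THRESHOLD,
                     maturity_threshold_days: float = MATURITY_THRESHOLD_DAYS) -> bool:
    """Malware verdict: both prevalence and maturity under their thresholds."""
    return rep.prevalence < prevalence_threshold and rep.maturity_days < maturity_threshold_days


def triage(files: List[FileRecord], detected: FileRecord,
           av_installed_at: Optional[float] = None,
           db: Dict[str, Reputation] = REPUTATION_DB,
           window: float = WINDOW) -> Tuple[List[str], List[str]]:
    """Return (paths to delete, paths with no reputation data) for the window."""
    if av_installed_at is not None and detected.created >= av_installed_at:
        # Optional false-positive filter: only hunt around malware that landed
        # before the antivirus was installed and so was not scanned on arrival.
        return [], []
    to_delete: List[str] = []
    unknown: List[str] = []
    for f in suspects_in_window(files, detected.created, window):
        if f.path == detected.path:
            continue  # the detected mother or dropped file is handled separately
        rep = db.get(f.sha256)
        if rep is None:
            unknown.append(f.path)     # no data to judge by; leave for an analyst
        elif below_thresholds(rep):
            to_delete.append(f.path)
    return to_delete, unknown
```

    Files without reputation data are reported rather than deleted: the abstract's verdict requires both values to be below threshold, and an absent record says nothing about either.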
  • Patent number: 8938804
    Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprise TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: January 20, 2015
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Akira Yamada, Yukiko Sawaya, Ayumu Kubota
  • Patent number: 8938794
    Abstract: A gateway device disposed at front stage before a server has a dispersion rule of data dispersed on server side and analyzes communication data to specify a server to be accessed finally, so that identification information of the specified server is added to packet option of IP layer to thereby omit higher-rank routing processing than IP layer of gateway devices on the way. Consequently, transfer processing of a gateway device at back stage can be performed at high speed and access passing through a network route intended by manager is possible.
    Type: Grant
    Filed: August 6, 2012
    Date of Patent: January 20, 2015
    Assignee: Hitachi, Ltd.
    Inventors: Naokazu Nemoto, Kunihiko Toumura, Naoki Haraguchi
  • Patent number: 8938788
    Abstract: Method and computer storage media for sharing resources between a plurality of computing devices associated with a common non-enterprise network. A common set of credentials is stored on at least two or more of a plurality of computing devices that reside behind a routing device and are associated through a common non-enterprise network. Upon storing the common set of credentials, each of the two or more of a plurality of computing devices create a local account that contains, at least, the common set of credentials. The common set of credentials allow for the sharing, among the two or more of the plurality of computing devices, of resources that reside on or are associated with the computing devices.
    Type: Grant
    Filed: July 9, 2013
    Date of Patent: January 20, 2015
    Assignee: Microsoft Corporation
    Inventors: Brian L. McNeil, Michael G. Sheldon, Steve Seixeiro, Ramkumar Ramasubramanian, Jerry K. Koh, Anshul Rawat, Andrew V. Davidson, Daniel Oliver, Michael D. McCormack
  • Patent number: 8938793
    Abstract: Secure management of electronic transactions is provided by a system server that is communicatively coupled to terminals configured as thin client devices (TCD) and to one or more application servers. A TCD completes a secure communications link with the system server, and transfers information concerning the identity of a user and account information from a secure transaction card (STC). Upon authentication, the system server drives the display of available applications at the TCD, allowing the user to select and engage in a desired transaction with the application server hosting the selected application. During the transaction, the system server brokers communications according to the different security schemes used by the TCD and the application server and, ultimately, stores a transaction ticket that memorializes the transaction. The transaction ticket can later be retrieved by presenting appropriate authentication information.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: January 20, 2015
    Assignee: GMX SAS
    Inventors: Michiel Reinier Ausems, Gerard Jean-Marie Eugene Compain, Gregoire Mardinian, Jean-Pierre Fortune, Benedict John Kahan, Olivier Yves Marie Condemine
  • Patent number: 8938782
    Abstract: A computer-implemented method for providing network access control in virtual environments. The method may include: 1) injecting a transient security agent into a virtual machine that is running on a host machine; 2) receiving, from the transient security agent, an indication of whether the virtual machine complies with one or more network access control policies; and 3) controlling network access of the virtual machine based on the indication of whether the virtual machine complies with the one or more network access control policies. Various other methods, systems, and computer-readable media are also disclosed herein.
    Type: Grant
    Filed: March 15, 2010
    Date of Patent: January 20, 2015
    Assignee: Symantec Corporation
    Inventors: Sanjay Sawhney, Matthew Conover, Bruce Montague
  • Publication number: 20150020182
    Abstract: A method, an equipment, and a system for pushing network content are provided that relate to the field of communications technologies. The method for pushing network content includes: setting, by a user, selected network content as a feature of a mobile equipment according to the interest point of the user on a network portal, and pushing an identifier of the network content and setting information to the mobile equipment, so the mobile equipment obtains the corresponding network content according to the identifier of the network content, and sets the network content as an attribute of the mobile equipment according to the setting information. With the present invention, the mobile equipment automatically sets the attribute of the mobile equipment according to the received identifier of network content and setting information pushed by a network side, thereby reducing operations of the user, and improving the user experience.
    Type: Application
    Filed: September 10, 2014
    Publication date: January 15, 2015
    Inventor: Fengming Zhang
  • Publication number: 20150019862
    Abstract: Systems and methods are provided for FAA-certified avionics devices to safely interface with non-certified mobile telecommunications devices before, during, and after flight. Data transmitted to the certified devices do not affect functionality of the certified device unless and until a user acknowledges and/or confirms the data on the certified device. Thus, the integrity of the certified device is maintained.
    Type: Application
    Filed: July 23, 2012
    Publication date: January 15, 2015
    Applicant: Aspen Avionics, Inc.
    Inventors: John Uczekaj, Brad Hayden, Peter Lyons, Constantinos Kyriakos
  • Patent number: 8935773
    Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid.
    Type: Grant
    Filed: April 9, 2010
    Date of Patent: January 13, 2015
    Assignee: George Mason Research Foundation, Inc.
    Inventors: Angelos Stavrou, Sushil Jajodia, Anup Ghosh, Rhandi Martin, Charalampos Andrianakis
  • Patent number: 8935772
    Abstract: A double firewalled system is disclosed for protecting remote enterprise servers that provide communication services to telecommunication network customers from unauthorized third parties. A first router directs all connection requests to one or more secure web servers, which may utilize a load balancer to efficiently distribute the session connection load among a high number of authorized client users. On the network side of the web servers, a second router directs all connection requests to a dispatcher server, which routes application server calls to a proxy server for the application requested. A plurality of data security protocols are also employed. The protocols provide for an identification of the user, and an authentication of the user to ensure the user is who he/she claims to be and a determination of entitlements that the user may avail themselves of within the enterprise system.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: January 13, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Carol Y. Devine, Gerald A. Shifrin, Richard W. Shoulberg
  • Patent number: 8935742
    Abstract: Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.
    Type: Grant
    Filed: August 18, 2008
    Date of Patent: January 13, 2015
    Assignee: Microsoft Corporation
    Inventors: Nir Nice, Oleg Ananiev, John Wohlfert, Amit Finkelstein, Alik Teplitsky
  • Patent number: 8935747
    Abstract: An authentication device includes a unit that issues right transfer information that is to be transmitted to a service providing device and a token that corresponds to the right transfer information and is to be transmitted to a service proxy access device on a basis of information about a user to whom a right is transferred and a condition under which the right is transferred, a unit that provides the token to the service proxy access device, and a unit that receives from the service providing device the token transferred from the service proxy access device and transmits to the service providing device the right transfer information that corresponds to the token and is kept by the authentication device.
    Type: Grant
    Filed: September 4, 2013
    Date of Patent: January 13, 2015
    Assignee: NEC Corporation
    Inventor: Makoto Hatakeyama
  • Publication number: 20150012997
    Abstract: A method for achieving code domain isolation. A first set of data is received in a first domain format. The first set of data is changed to a second domain format. The first set of data in the second domain format is captured. The first set of data in the second domain format is changed to a third domain format. The first set of data in the third domain format is prepared for receipt by a user computer system.
    Type: Application
    Filed: September 26, 2014
    Publication date: January 8, 2015
    Inventors: Phillip John SOBOLEWSKI, Mark DOYLE
  • Patent number: 8931077
    Abstract: A security system for a computer network that has a plurality of devices connected thereto comprises a security subsystem, a master system and a secure link. The security subsystem is implemented on a first computer and is connected to at least some of the devices in the network. The security subsystem is configured to monitor activities of the at least some devices on the network and detect attacks on the at least some devices. The master system is implemented on a second computer which is different from the first computer. The master system monitors the integrity of the security subsystem and registers information pertaining to attacks detected by the security subsystem. The secure link is connected between the security subsystem and the master system. The master system monitors the integrity of the security subsystem and receives the information pertaining to the attacks through the secure link.
    Type: Grant
    Filed: August 10, 2012
    Date of Patent: January 6, 2015
    Assignee: Solutionary, Inc.
    Inventors: Michael Hrabik, Jeffrey J. Guilfoyle, Edward “Mac” Beaver
  • Patent number: 8931061
    Abstract: Techniques for providing access to data in dynamic shared accounts are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for providing data in dynamic shared accounts. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify a first user associated with an account, identify a second user to have access to the account associated with the first user in the event the first user is unavailable to access data or perform functions associated with the account, map the second user to the account, and provide the second user access to the account based on the mapping and with access privileges associated with the first user.
    Type: Grant
    Filed: March 19, 2012
    Date of Patent: January 6, 2015
    Assignee: Symantec Corporation
    Inventors: Sharada Sundaram, Robert Koeten
  • Patent number: 8931074
    Abstract: A hardware secured flag mechanism which is activated by trusted Anti-Malware (AM) software. Upon being activated, the information handling system takes action to reduce user exposure even if the AM software is subsequently subverted. In certain embodiments, the flag mechanism is only reset by user intervention at a BIOS or other off-line mechanism. In certain embodiments, the flag mechanism may only be reset via a signed unlock key stored on an external memory device such as a universal serial bus (USB) key.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: January 6, 2015
    Assignee: Dell Products L.P.
    Inventors: Rocco Ancona, Roy Stedman
  • Patent number: 8931036
    Abstract: A system is provided comprising at least one processor, a memory, and an application stored in the memory that, when executed, receives a first request from a client device for access to a first web service and accesses a policy associated with the first web service. The system also selects a second plurality of data elements from a first plurality of data elements based on the first request and based on the policy wherein the second plurality of data elements is associated with the first web service. The system also provides the second plurality of data elements to the client device and receives a second request from the client device for a first set of data values associated with the second plurality of data elements. The system also authenticates the second request and provides the first set of data values in response to the second request.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: January 6, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: Vijaykumar Cherukumudi, David K. Fultz, Richard A. Rofail
  • Patent number: 8931085
    Abstract: There is provided a method for optimizing a download of requested data to an electronic data processing unit that is currently receiving unrequested multicast data through a router included in a network. The unrequested multicast data corresponds to at least one multicast data group. Internet Group Management Protocol (IGMP) V2 Leave Messages are sent to the router for the at least one multicast data group. IGMP Membership Queries issued by the router for the at least one multicast data group are ignored, so as to cause the router to terminate a transmission of the unrequested multicast data to free up available bandwidth for the download of the requested data.
    Type: Grant
    Filed: August 8, 2003
    Date of Patent: January 6, 2015
    Assignee: Thomson Licensing
    Inventor: William Henry Yost
  • Patent number: 8931089
    Abstract: A technology for preventing network attacks. A service request is intercepted at an unaddressed port of a hidden device from a second device. The service request intended for a visible device is processed by the hidden device. A response may be provided based on the processing and sent to the second device.
    Type: Grant
    Filed: January 12, 2012
    Date of Patent: January 6, 2015
    Assignee: Korea Advanced Institute of Science and Technology
    Inventor: Brent ByungHoon Kang
  • Patent number: 8931058
    Abstract: Systems and methods disclosed allow a permitting party to share personal information with a receiving party. The receiving party may use the information to authenticate the permitting party, assess the permitting party, determine if the permitting party is compatible with one or more other users associated with the receiving party, or validate the permitting party. The permitting party may define how much of the permitting party's personal information is shared, and/or limit the use of the information for one or more specific purposes. A requesting party may also set up criteria for the types of information it wants to review along with the intended use of the information. The systems and methods disclosed also enables permitting parties the ability to grant requesting parties access to requested information.
    Type: Grant
    Filed: July 1, 2011
    Date of Patent: January 6, 2015
    Assignee: Experian Information Solutions, Inc.
    Inventors: Christer J. DiChiara, Kristin M. LeFevre, Randall P. Mitchum, Bryan David Wresinski
  • Publication number: 20150007303
    Abstract: A network media gateway is used to bridge trust between a Service Provider network and subscriber devices. The gateway is authenticated by the Service Provider by using knowledge of network topology. Subscriber devices are authenticated in response to subscriber input to the gateway via an interface. Trusted subscriber devices can be tightly coupled with the Service Provider network, thereby facilitating delivery of QoE. Mobile and remote subscriber devices may also be authenticated. The gateway may also facilitate establishment of VPNs for peer-to-peer communications, and dynamically adjustable traffic, policy and queue weightings based on usage patterns.
    Type: Application
    Filed: September 16, 2014
    Publication date: January 1, 2015
    Inventors: Hassler HAYES, Nannra ANOOP, John WATKINS
  • Patent number: 8924709
    Abstract: A method for encrypting print jobs that includes receiving output data, encrypting the output data with a randomly-generated symmetric session key, generating a session key header by encrypting the randomly-generated symmetric session key using an asymmetric user public key, and encrypting the session key header using a server public key.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: December 30, 2014
    Assignee: Lexmark International, Inc.
    Inventors: Forrest Steely, Albert Tyler Barnett
  • Patent number: 8925067
    Abstract: A network access method, an authentication method, a communications system, and relevant devices are provided to support implicit authentication based on subscriber line information in Internet Protocol version 6 (IPv6). The authentication method includes: receiving a request message sent from an Access Node (AN), wherein the request message carries subscriber line information and a Link-Local Address (LLA); sending an access request to an Authentication, Authorization and Accounting (AAA) server according to the subscriber line information; receiving an authentication result indicating the authentication is successful; determining whether an address matching the LLA carried in the request has been stored in the BNG; and storing the LLA in the BNG, if the address matching the LLA is not stored in the BNG.
    Type: Grant
    Filed: November 25, 2013
    Date of Patent: December 30, 2014
    Assignee: Huawei Technologies Co., Ltd
    Inventor: Ruobin Zheng
  • Patent number: 8925066
    Abstract: A processing device receives an unauthenticated provisioning request from a hardware resource, wherein the processing device is in a first network zone that is accessible to the hardware resource. The processing device determines whether the hardware resource satisfies one or more provisioning criteria. Responsive to determining that the hardware resource satisfies the one or more provisioning criteria, the processing device forwards the provisioning request to a server residing behind a firewall in a second network zone that is inaccessible to the hardware resource, receives provisioning data from the server by the provisioning proxy, and forwards the provisioning data to the hardware resource.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: December 30, 2014
    Assignee: Red Hat Israel, Ltd.
    Inventors: Amos Benari, Ohad Levy
  • Patent number: 8918889
    Abstract: An information processing apparatus for determining whether or not to transmit a predetermined content to a reception apparatus connected to a network, in accordance with a response time taken to respond to a predetermined command, including: reception means receiving a response to a command; measuring means measuring the response time to the command; authentication means authenticating the reception apparatus; generation means generating authentication data to be inserted into the command; transmission means transmitting the command including predetermined one of the authentication data; storage means storing the authentication data contained in the command and the response data contained in the response; request means requesting the reception apparatus for transmission of the authentication data and the response data; and determination means determining whether the authentication data and the response data transmitted from the reception apparatus, and determining transmission permission/inhibition of a cont
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: December 23, 2014
    Assignee: Sony Corporation
    Inventor: Hisato Shima
  • Patent number: 8918857
    Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
    Type: Grant
    Filed: May 1, 2013
    Date of Patent: December 23, 2014
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, Ronald Wai Lun Szeto
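    An added example of the core-affinity trick in the abstract above (not the assignee's code). A multi-core gateway picks the core for a packet by hashing its flow tuple; for a full proxy the host-side flow (client to gateway) and the server-side flow (gateway proxy address to server) have different tuples, so they would normally land on different cores. The gateway therefore searches its pool of proxy addresses and source ports for a server-side tuple that hashes to the same core as the host-side session. The hash here is a direction-independent FNV-1a over the endpoints, and the core count, proxy pool and port range are assumptions; hardware RSS uses a Toeplitz hash, but the selection loop is the same.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

NUM_CORES = 8   # assumption


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = 6   # TCP


def flow_hash(flow: Flow) -> int:
    """64-bit FNV-1a over the sorted endpoints, so both directions of a flow agree."""
    endpoints = sorted([f"{flow.src_ip}:{flow.src_port}", f"{flow.dst_ip}:{flow.dst_port}"])
    key = "|".join(endpoints) + f"|{flow.proto}"
    h = 0xCBF29CE484222325
    for byte in key.encode():
        h ^= byte
        h = (h * 0x100000001B3) & 0xFFFFFFFFFFFFFFFF
    return h


def core_for(flow: Flow, num_cores: int = NUM_CORES) -> int:
    """Core that would be assigned to packets of this flow."""
    return flow_hash(flow) % num_cores


def select_proxy_flow(host_flow: Flow, server_ip: str, server_port: int,
                      proxy_ips: Iterable[str],
                      port_range: Tuple[int, int] = (20000, 20100),
                      num_cores: int = NUM_CORES) -> Optional[Flow]:
    """Pick a proxy source address/port whose server-side flow shares the host-side core.

    Returns None only if no candidate in the pool matches; with 100 ports and 8
    cores that is vanishingly unlikely, but a real gateway would then fall back
    to a cross-core hand-off rather than refuse the session.
    """
    target = core_for(host_flow, num_cores)
    for ip in proxy_ips:
        for port in range(*port_range):
            candidate = Flow(ip, port, server_ip, server_port, host_flow.proto)
            if core_for(candidate, num_cores) == target:
                return candidate
    return None


def naive_proxy_flow(host_flow: Flow, server_ip: str, server_port: int,
                     proxy_ip: str, port: int = 20000) -> Flow:
    """What a gateway does without the affinity search: first free port, any core."""
    return Flow(proxy_ip, port, server_ip, server_port, host_flow.proto)
```

    The per-session cost is a handful of hash computations at connection setup, paid once, in exchange for never moving packets of that session between cores for the lifetime of the connection.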
  • Patent number: 8918856
    Abstract: Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.
    Type: Grant
    Filed: June 24, 2010
    Date of Patent: December 23, 2014
    Assignee: Microsoft Corporation
    Inventors: Yair Tor, Eugene (John) Neystadt, Patrik Schnell, Oleg Ananiev, Arthur Zavalkovsky, Daniel Rose
  • Patent number: 8918848
    Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).
    Type: Grant
    Filed: April 26, 2010
    Date of Patent: December 23, 2014
    Assignee: BlackBerry Limited
    Inventors: Girish Kumar Sharma, Lenny Kwok-Ming Hon, Joseph Daniel Burjoski, Kenneth Cyril Schneider
  • Publication number: 20140373129
    Abstract: A security gateway appliance is configured to evaluate network traffic according to security rules that classify traffic flows according to specifically identified application programs responsible for producing and/or consuming the network traffic and to enforce policies in accordance with network traffic classifications. The appliance includes an on-box anti-virus/anti-malware engine, on-box data loss prevention engine and on-box authentication engine. One or more of these engines is informed by an on-box dynamic real time rating system that allows for determined levels of scrutiny to be paid to the network traffic. Security gateways of this type can be clustered together to provide a set of resources for one or more networks, and in some instances as the backbone of a cloud-based service.
    Type: Application
    Filed: August 28, 2014
    Publication date: December 18, 2014
    Inventors: Qing Li, Ronald Andrew Frederick, Thomas A. Clare
  • Patent number: 8914870
    Abstract: The present invention relates to nodes and methods for use in a Universal Plug and Play (UPnP) system to provide support for both UPnP security and mobility of security aware UPnP nodes. A gateway is arranged to provide remote access to a UPnP network to remote UPnP nodes via the gateway. The gateway comprises means for creating a virtual UPnP node for emulating internal presence of a remote UPnP node on the UPnP network. The virtual UPnP node is arranged to obtain and store security information associated with the remote UPnP node. The security information specifies how the remote UPnP node is authorized to interact with other UPnP nodes in the UPnP network. The security information may be used to filter messages from the UPnP network to the remote UPnP node.
    Type: Grant
    Filed: May 8, 2007
    Date of Patent: December 16, 2014
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Vincent Huang
  • Patent number: 8914868
    Abstract: A technique that simplifies managing and configuring firewalls by provisioning a vendor-neutral firewall in an MPLS-VPN service network. In one example embodiment, this is accomplished by creating a vendor-neutral firewall policy using a service activation tool residing in a host server. One of the one or more VPNs requiring the provisioning of the vendor-neutral firewall in the MPLS-VPN service network is then selected. The created vendor-neutral firewall policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the one or more VPNs.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: December 16, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Prasanna Anantharamiah, Venkata Raghavan Chekka, Jimmi Skaria, Vinodh T K Kumar
  • Patent number: 8912879
    Abstract: A security system may include a plurality of electronic devices, each having a unique identification (ID) associated therewith and configured to generate a temporary security code based upon the unique ID. The system may further include at least one mobile wireless communications device including a first Near-Field Communication (NFC) circuit, and a mobile controller configured to receive the temporary security code from a given electronic device from among the plurality of electronic devices. The system may also include an access control device associated with a personnel access position and including a second NFC sensor and a security controller. The security controller may be configured to receive the temporary security code from the first NFC sensor via NFC communications, selectively grant personnel access based upon the received temporary security code, and determine the unique ID associated with the given electronic device.
    Type: Grant
    Filed: September 23, 2010
    Date of Patent: December 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Steven Henry Fyke, Jason Tyler Griffin
  • Patent number: 8914871
    Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
    Type: Grant
    Filed: May 1, 2013
    Date of Patent: December 16, 2014
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, Ronald Wai Lun Szeto
  • Patent number: 8914869
    Abstract: A gateway system for implementing access to various media is provided in the invention, and the gateway system includes: a communication media access module, for establishing a communication link with the corresponding media access network; a Media Independent Handover Functions module, for seamless handover between accesses to various media; and a handover decision module, for selecting a target network for the seamless handover. The gateway system may also include an authentication module, for sharing the authentication information of the User Equipment. Two methods for implementing access to various media are further disclosed in the invention. By the provided gateway system and methods, the User Equipment can access various media via the gateway system, seamlessly hand over between accesses to various media and achieve the access to a service network using the shared authentication information.
    Type: Grant
    Filed: December 23, 2008
    Date of Patent: December 16, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Guiming Shu, Hui Zhong
  • Publication number: 20140366118
    Abstract: Methods and systems are provided for providing access to a cloud-based logging service to a user without requiring user registration. Methods and systems are also provided for providing cloud-based logging service to users by integrating the cloud-based logging service within a network security gateway appliance, thereby enabling the users to use the cloud-based logging service by accessing the gateway appliance. The cloud-based logging service can be accessed via an Application Programming Interface (API) without requiring user registration and allows easy and efficient access to log files, viewing of log files, and data security to stored log files and generated reports.
    Type: Application
    Filed: June 5, 2013
    Publication date: December 11, 2014
    Inventor: Jun Yin
  • Patent number: 8910268
    Abstract: Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.
    Type: Grant
    Filed: August 14, 2008
    Date of Patent: December 9, 2014
    Assignee: Microsoft Corporation
    Inventors: Efim Hudis, Yigal Edery, Oleg Ananiev, John Wohlfert, Nir Nice
  • Patent number: 8909556
    Abstract: A gateway device and methods performed therein to prevent unauthorized client devices from connecting to the host network of the gateway device are described. The gateway device does not respond right away to an individual client message sent to the gateway device. Instead, the gateway device only responds to a predetermined sequence of the client messages, which is only known to the gateway device and authorized client devices. Because the gateway device will not respond to random client messages and the likelihood that an unauthorized client device can correctly guess the predetermined sequence of the client messages is low, the risk of a malicious party being able to hack into the host network, for example, by using port scanning techniques, can be mitigated.
    Type: Grant
    Filed: July 20, 2012
    Date of Patent: December 9, 2014
    Assignee: Visa International Service Association
    Inventor: Horatio Nelson Huxham
  • Patent number: 8910288
    Abstract: Data can be scanned using a network managed appliance. The network managed appliance may integrate commercial hardware elements connected through a basic or simplified operating system environment expressly developed for the appliance, thus being more malware resistant and less vulnerable to attacks from the scanned data or other sources. The network managed appliance may be a self-contained apparatus with an integrated chassis, designed and configured as a “single-purpose” device. Such appliances may be connected to an appliance management network including central management servers in communication with appliances in remote locations. The central management servers may ensure that scanning software and the definitions lists for each of the appliances are current and match an enterprise-approved configuration.
    Type: Grant
    Filed: February 4, 2011
    Date of Patent: December 9, 2014
    Assignee: Leidos, Inc.
    Inventors: Alan G. Young, Paul L. Bartruff, Eric E. Brown, Michael P. Miley
  • Patent number: 8908864
    Abstract: Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. A messaging service firewall (MSF) separate from a short message service center (SMSC) receives a mobility management reply message (MMR) that is sent by a mobile location register element in response to an associated mobility management query (MMQ) and that includes a serving switch identifier. The MSF allocates a global title address (GTA) from a pool of GTAs and stores a correlation between the allocated GTA and the originating SMSC. The MSF replaces the serving switch identifier in the MMR with the allocated GTA and routes the modified MMR. The MSF then receives a messaging service message (MSM) that is addressed to the allocated GTA and that includes the purported originating SMSC. If the purported originating SMSC does not match the SMSC to which the GTA is correlated, the MSM is discarded.
    Type: Grant
    Filed: October 5, 2012
    Date of Patent: December 9, 2014
    Assignee: Tekelec Netherlands Group, B.V.
    Inventor: Eloy Johan Lambertus Nooren
  • Patent number: 8909533
    Abstract: A method and an apparatus for performing and controlling speech recognition and enrolment are provided. The method for performing speech recognition and enrolment includes: receiving a Speech Enrolment Start Request and a Speech Recognition Request sent from a media gateway controller (MGC); performing speech recognition and enrolment according to the Speech Enrolment Start Request and the Speech Recognition Request, and obtaining a recognition and enrolment result; and feeding back the recognition and enrolment result to the MGC.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: December 9, 2014
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Ning Zhu, Weiwei Yang
  • Patent number: 8903941
    Abstract: A method and apparatus for safe web browsing is disclosed. More specifically, the method and apparatus comprises receiving a webpage associated with a uniform resource locator (URL) access request. The webpage may further comprise a referenced link or script. A determination is made whether any of the URL, the referenced link or the script within the webpage is deemed unacceptable. The webpage is transcoded to block access to at least one of the URL, the referenced link or the script deemed unacceptable. The transcoded webpage is sent to a computer that requested access to the URL.
    Type: Grant
    Filed: September 14, 2009
    Date of Patent: December 2, 2014
    Assignee: Symantec Corporation
    Inventor: Prateek Kaul
  • Patent number: 8904558
    Abstract: The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.
    Type: Grant
    Filed: June 5, 2014
    Date of Patent: December 2, 2014
    Assignee: Imperva, Inc.
    Inventors: Amichai Shulman, Tal Arieh Be'ery
  • Patent number: 8904475
    Abstract: An appliance and method for authorizing a level of access of a client to a virtual private network connection, based on a client-side attribute includes the step of establishing, by an appliance, a control connection with a client upon receiving a client request to establish a virtual private network connection with a network. The appliance transmits, via the control connection, a request to the client to evaluate at least one clause of a security string, the at least one clause including an expression associated with a client-side attribute. The client transmits, via the control connection, a response to the appliance comprising a result of evaluating the at least one clause by the client. The appliance assigns the client to an authorization group based on the result of evaluation of the at least one clause.
    Type: Grant
    Filed: February 6, 2013
    Date of Patent: December 2, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Amarnath Mullick, Charu Venkatraman, Shashi Nanjundaswamy, Junxiao He, Ajay Soni
  • Patent number: 8904512
    Abstract: A system and method for a distributed multi-processing security gateway establishes a host side session, selects a proxy network address for a server, uses the proxy network address to establish a server side session, receives a data packet, assigns a central processing unit core from a plurality of central processing unit cores in a multi-core processor of the security gateway to process the data packet, processes the data packet according to security policies, and sends the processed data packet. The proxy network address is selected such that a same central processing unit core is assigned to process data packets from the server side session and the host side session. By assigning central processing unit cores in this manner, higher capable security gateways are provided.
    Type: Grant
    Filed: May 1, 2013
    Date of Patent: December 2, 2014
    Assignee: A10 Networks, Inc.
    Inventors: Lee Chen, Ronald Wai Lun Szeto