Proxy Server Or Gateway Patents (Class 726/12)
  • Patent number: 9305169
    Abstract: A security auditing computer system efficiently evaluates and reports security exposures in a target Web site hosted on a remote Web server system. The auditing system includes a crawler subsystem that constructs a first list of Web page identifiers representing the target Web site. An auditing subsystem selectively retrieves and audits Web pages based on a second list, based on the first. Retrieval is sub-selected dependent on a determined uniqueness of Web page identifiers relative to the second list. Auditing is further sub-selected dependent on a determined uniqueness of structural identifiers computed for each retrieved Web page, including structural identifiers of Web page components contained within a Web page. The computed structural identifiers are stored in correspondence with Web page identifiers and Web page component identifiers in the second list. A reporting system produces reports of security exposures identified through the auditing of Web pages and Web page components.
    Type: Grant
    Filed: December 12, 2013
    Date of Patent: April 5, 2016
    Assignee: Tinfoil Security, Inc.
    Inventors: Michael Borohovski, Ainsley K. Braun, Angel Irizarry, Benjamin D. Sedat
  • Patent number: 9286017
    Abstract: An information processing device may receive a file selecting operation for selecting a particular file, and send the selected particular file and a registering request to a first server, the file information including identification information for identifying the selected particular file. The information processing device may obtain thumbnail image data of the selected particular file, receive the identification information from the first server, store the thumbnail image data and the identification information in association with one another, receive a first access operation for accessing K items of file information, send, to the first server, a first access request for accessing the K items of file information, so as to receive, from the first server, K items of the identification information, and display K items of thumbnail images.
    Type: Grant
    Filed: January 22, 2015
    Date of Patent: March 15, 2016
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Jun Oike
  • Patent number: 9280310
    Abstract: An information processing device may cause a display unit to display a first screen, in response to accepting an instruction for displaying the first screen. The first screen may include M pieces of first images indicating M pieces of data stored in a first storage unit of the information processing device and include a first background image. The information processing device may cause the display unit to display a second screen, in response to receiving, from a server device, N pieces of identification information for identifying N pieces of data stored in a second storage unit of the server device. The second screen may include N pieces of second images indicating the N pieces of identification information and include a second background image which is different from the first background image.
    Type: Grant
    Filed: January 22, 2015
    Date of Patent: March 8, 2016
    Assignee: BROTHER KOGYO KABUSHIKI KAISHA
    Inventor: Jun Oike
  • Patent number: 9270605
    Abstract: In one exemplary aspect, a method of managing computer network traffic flow quality of service includes the step of configuring a configurable network device to provide a specified quality of service to a data packet with a specified quality of service configuration based on a quality of service classification port number in a data packet header of the data packet. At the source node, a data packet is generated. At the source node, replacing the destination port number in the data packet header with a quality of service classification port number. At the source node, the destination port number is included in an options field of the data packet's header. The data packet is communicated to the configurable network device. At the destination node, receiving the data packet, replacing the quality of service classification port number with the original destination port number, and forwarding the packet to a destination process.
    Type: Grant
    Filed: May 28, 2014
    Date of Patent: February 23, 2016
    Assignee: ROBIN SYSTEMS, INC.
    Inventors: Rafit Izhak-Ratzin, Krishna Satyasai Yeddanapudi, Shravan Kumar Vallala
  • Patent number: 9264459
    Abstract: One embodiment of the present invention provides a system for facilitating establishment of connections between a local endpoint and a remote endpoint. During operation, the system sends, from the local endpoint, a single connection-request message to a proxy server, which forks the single connection-request message to a number of remote endpoints. The system receives one or more response messages from the remote endpoints. A respective response message carries address information associated with the remote endpoint. Upon receiving the response message, the system sends an acknowledgment corresponding to the received response message to the corresponding remote endpoint via the proxy server, and establishes a connection between the local endpoint and at least one remote endpoint.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: February 16, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Marc E. Mosko, Simon Barber
  • Patent number: 9258733
    Abstract: A method, a device, and a non-transitory storage medium to obtain a traffic volume value that indicates a volume of traffic to and/or from a radio node, a value that indicates a class of the radio node, or a received signal strength value that indicates a received signal strength of a macro signal received by the radio node; calculate a delay time value based on traffic volume value, the value that indicates the class, or the received signal strength value; and transmit the delay time value to the radio node, wherein the delay time value indicates a time period to wait, by the radio node, before attempting to authenticate and register with one or more network devices.
    Type: Grant
    Filed: June 24, 2014
    Date of Patent: February 9, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Jin Yang, Yee Sin Chan, Kent W. Hughes, Shankar Venkatraman
  • Patent number: 9253174
    Abstract: A system for generating a second factor authorization for a request to access a web site includes a data store having a computer readable medium storing a program for generating the second factor authorization, and a processor. A packet receiving unit receives the request from a user device via a local network to access the web site via an external network. A trigger database stores the web site. A device database stores a rule associated with the user device for the web site, and a corresponding paired device with the user device. A second factor determination unit requests a second factor authorization from the corresponding paired device in response to the packet receiving unit receiving the request. A communication unit communicates the request to the external network in response to a valid assertion from the paired device based on the second factor authorization.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: February 2, 2016
    Assignee: Google Inc.
    Inventor: Simon Michael Rowe
  • Patent number: 9246689
    Abstract: Technologies are generally described for establishing secure communications to manage components of a control system. In some examples, upon receiving a request from a component to join a cluster of components, a class and instance of the component may be verified to authorize the component. A command to be transmitted from the component to another component of the cluster may be marked with a signature, where restrictions may be placed on a type of command that a particular class of component may transmit to one or more other classes of components. Based on the signature, a secure communication path between the components may be established by creating an encrypted virtual private network (VPN). The command may then be transmitted from the component to the other component through the secure communication path.
    Type: Grant
    Filed: July 30, 2013
    Date of Patent: January 26, 2016
    Assignee: Empire Technology Development LLC
    Inventor: Bradford Michael Lorge
  • Patent number: 9246950
    Abstract: Disclosed are a network-based device, method and computer-readable medium for providing registration macros in an IP multimedia subsystem (IMS). The method embodiment includes receiving an instruction from a user regarding a plurality of registration changes of customer Public User Identities at one or several pieces of equipment and implementing a macro such that the first step comprising at least one of a registration or de-registration and a second step comprising one of a registration or a de-registration both occur based on the instruction from the user.
    Type: Grant
    Filed: January 24, 2008
    Date of Patent: January 26, 2016
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Steven A. Siegel, Siroos K. Afshar, Leopold Strahs
  • Patent number: 9237162
    Abstract: Attacks from automated scripts or processes, such as Web bots, can be dynamically blocked by monitoring dimensions of requests or submissions received by a system. Each host receiving requests can log information about the requests over a specified period of time. For each period of time, specified dimensions of the requests for that host can be analyzed to determine whether the number of requests having a common value for any of those dimensions meets or exceeds a specified threshold. If so, any requests having those specified dimension values can be automatically blocked for the next specified period of time. The requests can be automatically unblocked after that period of time if the requests do not again meet or exceed the threshold, but can be dynamically blocked for subsequent periods of time if the threshold is again met or exceeded.
    Type: Grant
    Filed: December 26, 2013
    Date of Patent: January 12, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Pierre Saurel, Brian Dennehy
  • Patent number: 9231968
    Abstract: Systems, methods, and software for processing received network traffic content in view of content detection data and configuration data to either block, permit, or to further evaluate network traffic content when entering a network.
    Type: Grant
    Filed: November 5, 2013
    Date of Patent: January 5, 2016
    Assignee: Fortinet, Inc.
    Inventors: Yu Fang, Michael Xie
  • Patent number: 9225754
    Abstract: A method of ad-hoc network communications comprises a computer server transmitting a communications session request to a primary logical communications device of a logical ad-hoc communications network. The logical ad-hoc communications network comprises the primary logical communications device and at least one secondary logical communications device that is registered to the primary logical communications device. The communications session request requests a communications session with one of the at least one secondary logical communications devices. Upon receipt of the communications session request, the primary logical communications device transmits to the one secondary logical communications device a session initiate message requesting the one secondary logical communications device initiate the communications session with the computer server.
    Type: Grant
    Filed: March 5, 2012
    Date of Patent: December 29, 2015
    Assignee: SECUREKEY TECHNOLOGIES INC.
    Inventors: Andre Michel Boysen, Patrick Hans Engel, Troy Jacob Ronda, Pierre Antoine Roberge, Gregory Howard Wolfond
  • Patent number: 9218200
    Abstract: Methods, systems and computer readable media for granting class level trust in an open application programming interface (API) system are disclosed. The method includes defining a common information model (CIM) architecture, and the CIM architecture is configured with a CIM object manager (CIMOM) for managing client requests made through APIs. The APIs are handled by the CIMOM and the CIMOM accesses schemas that include one or more classes. The method includes applying trust level settings to particular ones of the one or more classes of the schemas, and the trust level settings define client permissions to the particular classes. The method further includes hiding the particular classes to clients that lack a trust level sufficient to access the particular classes. Clients that lack the trust level are serviced with classes that do not have the applied trust level settings.
    Type: Grant
    Filed: August 21, 2008
    Date of Patent: December 22, 2015
    Assignee: VMware, Inc.
    Inventors: Daniel K. Hiltgen, Steven To
  • Patent number: 9219683
    Abstract: Systems and methods that provide a unified infrastructure over layer-2 networks are provided. A first frame is generated by an end point. The first frame comprises a proxy payload, a proxy association header and a frame header relating to a control proxy element. The first frame is sent over a first network to the control proxy element. A second frame is generated by the control proxy element. The second frame comprises the proxy payload and a proxy header. The first and second frames correspond to different layer-2 protocols. The control proxy element sends the second frame over a second network employing the layer-2 protocol of the second frame.
    Type: Grant
    Filed: April 8, 2013
    Date of Patent: December 22, 2015
    Assignee: Broadcom Corporation
    Inventors: Uri El Zur, Kan Frankie Fan, Scott S. McDaniel, Murali Rajagopal
  • Patent number: 9202239
    Abstract: Billing usage of a cloud computing environment is described. Usage is metered of one or more resources within the cloud computing environment by one or more users. The one or more users may be associated with at least one entity. The metered usage of one or more cloud resources is converted to a revenue-generating value. The revenue-generating value is billed to the at least one entity associated with the one or more users. Revenue is collected from the at least one entity for the metered usage of one or more cloud resources. The collected revenue is shared with a plurality of parties.
    Type: Grant
    Filed: November 17, 2011
    Date of Patent: December 1, 2015
    Assignee: Oracle International Corporation
    Inventors: Willem Robert Van Biljon, Christopher Conway Pinkham, Russell Andrew Cloran, Michael Carl Gorven, Alexandre Hardy, Brynmor K. B. Divey, Quinton Robin Hoole, Girish Kalele
  • Patent number: 9202051
    Abstract: The auditing of a device that includes a physical memory is disclosed. One or more hardware parameters that correspond to a hardware configuration is received. Initialization information is also received. The physical memory is selectively read and at least one result is determined. The result is provided to a verifier.
    Type: Grant
    Filed: August 14, 2013
    Date of Patent: December 1, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Bjorn Markus Jakobsson, Karl-Anders R. Johansson
  • Patent number: 9203620
    Abstract: A mobile telephone or other type of mobile communication device is configured to store a cryptographic credential within a secure hardware environment of the device. A script is provisioned for execution in the mobile communication device, the script comprising program code that executes at least in part within the secure hardware environment and is configured to utilize the cryptographic credential stored within the secure hardware environment. Prior to permitting the script to access the cryptographic credential, the secure hardware environment verifies an endorsement of the script. The endorsement may be provided by an issuer of the cryptographic credential. The cryptographic credential stored in the secure hardware environment may comprise a long-term credential and the script may be configured to generate a plurality of short-lived credentials based on the long-term credential.
    Type: Grant
    Filed: January 28, 2009
    Date of Patent: December 1, 2015
    Assignee: EMC Corporation
    Inventor: Magnus Nyström
  • Patent number: 9203808
    Abstract: There are provided a method of automated managing an ordered set of security rules implemented at a plurality of security gateways and a system thereof. The method comprises obtaining data characterizing a connectivity request which may become allowable only upon changes of an initial rule-set, thus giving rise to an unfitting connectivity request; analyzing routing tables of the plurality of the security gateways; generating ranking the security gateways in accordance with their relevance to the unfitting connectivity request; selecting one or more security gateways with the highest ranking; and implementing a configuration change required in order to facilitate allowance of the unfitting connectivity request at the one or more selected security gateways.
    Type: Grant
    Filed: May 1, 2013
    Date of Patent: December 1, 2015
    Assignee: TUFIN SOFTWARE TECHNOLOGIES LTD.
    Inventors: Reuven Harrison, Michael Hamelin
  • Patent number: 9202016
    Abstract: A network device is configured to receive a request, from a device, for private information associated with a user of a user device, on behalf of another user device. The network device may authenticate the device, the user device, and the other user device. The network device may request and receive the user's authorization to send the private information to the other user device. The network device may generate and send a token used to request the private information. The network device may receive the token from the device, determine that the token is valid, and send the private information.
    Type: Grant
    Filed: August 15, 2012
    Date of Patent: December 1, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Raymond C. Counterman
  • Patent number: 9197640
    Abstract: An authentication engine may be configured to receive an authentication request and credentials from a client. The authentication engine may then generate a proxy agent configured to interact with an identity provider to authenticate the client on behalf of the client, using the credentials. In this way, the authentication engine may receive an assertion of authentication of the client from the identity provider, by way of the proxy agent.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: November 24, 2015
    Assignee: BMC SOFTWARE, INC.
    Inventor: Karl Frederick Miller
  • Patent number: 9191364
    Abstract: An on-premise software application (“OPA”) is communicated with according to an action received from outside a firewall. The action concerns user account information maintained by the OPA. The OPA is installed on a device located inside the firewall. The action is received from a management server located outside the firewall. The action includes a portion that adheres to a standardized format. An OPA interface request is generated based on the action. The OPA interface request includes the standardized portion. The OPA interface request is sent to an agent/OPA interface.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: November 17, 2015
    Assignee: Okta, Inc.
    Inventors: Christopher Barbara, RaghuRam Pamidimarri
  • Patent number: 9185058
    Abstract: An exemplary method of providing network address translation (NAT) for GPRS tunneling protocol user plane (or GTP-U) traffic on a data center server supporting multiple radio bearers in a mobile network is disclosed. The method includes: receiving packets from a source node via a GTP-U tunnel; filtering ingress GTP-U packets from other types of packets; forwarding a respective ingress GTP-U packet with a public destination IP address to a first queue if a destination IP address matches a defined GTP-U public IP address for the destination node; extracting one or more ingress GTP-U packets and forwarding the packets to a user-land operating system process for inspection; performing NAT of the destination IP address; placing ingress GTP-U packets that have an internal IP address that identifies with a particular radio bearer into a second queue; and forwarding the ingress GTP-U packets via a radio bearer within a network for processing.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: November 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Michael N. Hua, Sami Assaad, Camille Bijjani, Manikka Thyagarajan
  • Patent number: 9183361
    Abstract: Techniques for resource access authorization are described. In one or more implementations, an application identifier is used to control access to user resources by an application. A determination is made whether to allow the application to access the user resources by comparing an application identifier received from an authorization service with a system application identifier for the application obtained from a computing device on which the application is executing.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: November 10, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Oludare V. Obasanjo, Stephen R. Gordon, Aleksandr Radutskiy, Philip J. Hallin, Atanas D. Oskov, Jeremy D. Viegas, Daniel C. Kitchener
  • Patent number: 9185113
    Abstract: A system and method for establishing a virtual network connection between an initiating computing device operated by an initiator and a target computing device operated by a target so that one of said computing devices is able to control the other of said computing devices. The system comprises a third party proxy to which the computing devices are connected. The third party proxy receives a request for a virtual network connection to said target computing device from said initiating computing device and requests initiator credentials for said initiating computing device and target credentials for said target computing device. Said credentials are delivered to the respective computing device. The system also comprises a core node configured to receive the credentials from the respective computing device, authenticate the received credentials, and if said credentials are authentic, establish the virtual network connection between said initiating computing device and said target computing device.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: November 10, 2015
    Assignee: RealVNC Ltd
    Inventors: Jason Barrie Morley, Nicolas David Reeves, Adam Greenwood Byrne, Katarzyna Maria Czeczot
  • Patent number: 9172705
    Abstract: A system for interactive network access approval includes a server, a first application running on a first device for requesting access to a website on the network, and a second application running on a second device for approving access to the website. The server receives a request via the first application for access to the website, immediately transmits the request to the second application, receives via the second application approval for access to the website, and immediately grants access to the website to the first application. A method for granting access to a website is also described.
    Type: Grant
    Filed: July 10, 2014
    Date of Patent: October 27, 2015
    Assignee: FORCEFIELD ONLINE, INC
    Inventors: Michael Kong, Mark Madsen
  • Patent number: 9167427
    Abstract: The method of operating a network includes receiving, by an authentication, authorization and accounting (AAA) proxy of the network, authentication information for user equipment from a first wireless access point, the AAA proxy being a proxy for an authentication, authorization and accounting (AAA) server in a radiocommunication network, transmitting, by the AAA proxy, at least the received authentication information to the radiocommunication network, receiving, by the AAA proxy, first key information from the radiocommunication network, generating, by the AAA proxy, second key information based on the first key information and third key information based on the second key information, storing, by the AAA proxy, the first and second key information, and transmitting, by the AAA proxy, the third key information to the first wireless access point, the third key information allowing the user equipment access to a network via the first wireless access point.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: October 20, 2015
    Assignee: Alcatel Lucent
    Inventors: Salvatore Messana, Paul Rominski, Raymond Johnson, Dheena Moongilan, Laurent Thiebaut, John Cladianos
  • Patent number: 9161249
    Abstract: A computer-implemented method for performing Internet site security analyses may include (1) identifying a plurality of clients, each client within the plurality of clients connecting to the Internet from a different Internet Protocol address, (2) identifying a plurality of Internet sites targeted for a security assessment, and then, for each Internet site within the plurality of Internet sites, (3) selecting at least one client from the plurality of clients to use as a proxy for communicating with the Internet site, (4) communicating with the Internet site, using the client as a proxy, to gather information for a security analysis of the Internet site, and (5) performing the security analysis of the Internet site based at least in part on the gathered information. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 7, 2011
    Date of Patent: October 13, 2015
    Assignee: Symantec Corporation
    Inventors: Corrado Leita, Marc Dacier
  • Patent number: 9160754
    Abstract: An apparatus and method uses location based authentication of a user accessing a virtual machine (VM) by using the physical location of the virtual machine as a criteria for the authentication. When a user requires a logical partition to run in a known, specified physical location, the user specifies the physical location when the VM is created. The specified physical location is then incorporated into the user authentication process. Users are challenged and must know the physical location in order to be authenticated to the system. When a “disruptive event” in the cloud environment occurs that necessitates moving the VM to another location, the original physical location is stored so the virtualization manager later can automatically relocate the VM back to its original physical location.
    Type: Grant
    Filed: November 14, 2013
    Date of Patent: October 13, 2015
    Assignee: International Business Machines Corporation
    Inventors: Bin Cao, Jim C. Chen
  • Patent number: 9154512
    Abstract: Methods and apparatus are disclosed for processing data packets using a router and a proxy in order to transparently proxy a connection between a client and a server. One method involves mapping a TCP connection to a connection ID and sending a segment from the TCP connection to a proxy, including the connection ID, a direction value and an identifier of an assigned proxy application, such that the segment appears to be from the connection. The method further involves a proxy creating and reading from an IP socket which corresponds to the segment, the connection ID, direction and assigned proxy application and then spoofing the segment using the connection ID, a second direction value, and an identifier of the assigned proxy application.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: October 6, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Diheng Qu, Nicholas Leavy
  • Patent number: 9143525
    Abstract: Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected.
    Type: Grant
    Filed: June 10, 2014
    Date of Patent: September 22, 2015
    Assignee: Intel Corporation
    Inventor: Satyendra Yadav
  • Patent number: 9134786
    Abstract: Methods and systems for a device in a network are disclosed. The methods and systems compare priority data of the device to priority data of a set of other devices in the network. In addition, the methods and systems determine the device has a priority greater than or equal to a priority of each device in the set of other devices based, at least in part, on the comparison. The methods and systems also select the device as an elected device based, at least in part, on the priority determination. In addition, the methods and systems transmit, using the elected device, a Wake-On-LAN command.
    Type: Grant
    Filed: January 9, 2013
    Date of Patent: September 15, 2015
    Assignee: POWERPLUG LTD.
    Inventor: Eyal Yechieli
  • Patent number: 9131008
    Abstract: A method for discovery profile based unified credential processing for disparate security domains can include loading a discovery profile specifying types of manageable resources to be discovered during discovery of manageable resources and authentication protocols for use in accessing each type of the resources. The method also can include discovering the resources across disparate security domains and selecting a discovered one of the resources in a particular one of the security domains for a systems management task. The method further can include transforming an authentication credential not specific to the particular one of the security domains to a mapped authentication credential specific to the particular one of the security domains and authenticating into the particular one of the security domains with the mapped authentication credential utilizing an authentication protocol specified by the profile in order to perform the systems management task on the selected discovered one of the resources.
    Type: Grant
    Filed: September 30, 2008
    Date of Patent: September 8, 2015
    Assignee: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.
    Inventors: Eric W. Brown, Ramamohan Chennamsetty, Abraham L. Woldemichael
  • Patent number: 9124448
    Abstract: Described is an improved method, system, and computer program product for implementing an improved resequencer, along with related mechanisms and processes. A best efforts resequencing approach is described for determining a set of messages to process in a computing system.
    Type: Grant
    Filed: April 4, 2009
    Date of Patent: September 1, 2015
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Atul Singh, Maneesh Joshi, Ashwin Patel, Annaji Rao Garimella
  • Patent number: 9118700
    Abstract: A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.
    Type: Grant
    Filed: October 1, 2013
    Date of Patent: August 25, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vladimir Lifliand, Avraham Michael Ben-Menahem
  • Patent number: 9118483
    Abstract: A communication system includes a first relay device connected to a first network accessible by any user, and a second relay device connected to a second network accessible by a specific user. The first relay device includes a first receiver, a first authentication information acquisition unit, and a first transmitter. The first receiver receives an electronic certificate from a terminal device of the specific user. The first authentication information acquisition unit acquires authentication information. The first transmitter transmits the authentication information to a service device connected to the first network, and transmits the electronic certificate to the second relay device. The second relay device includes a second receiver, a second authentication information acquisition unit, and a second transmitter. The second receiver receives the electronic certificate. The second authentication information acquisition unit acquires authentication information.
    Type: Grant
    Filed: November 8, 2013
    Date of Patent: August 25, 2015
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Yukio Yamakawa
  • Patent number: 9104431
    Abstract: Deploying a software image from a source data-processing system on target data-processing entities of a target data-processing system, the software image including memory blocks being individually accessible, with a predefined subset of the memory blocks defining a bootstrap module. The deploying includes downloading the bootstrap module onto a main one of the target data-processing entities from the source data-processing system, booting the main target data-processing entity from the bootstrap module thereby loading a streaming driver in the bootstrap module, and serving each request of accessing a selected memory block of the software image on the main data-processing entity by the streaming driver.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: August 11, 2015
    Assignee: International Business Machines Corporation
    Inventors: Jacques Fontignie, Claudio Marinelli, Bernardo Pastorelli, Luigi Pichetti
  • Patent number: 9107072
    Abstract: A method for execution by at least one server within a domain of a service provider. The method comprises receiving a first request from a communication device registered with the service provider. A response including a token is sent to the communication device. Then a second request is received, this one from an application server over a communication channel at least partly not within the domain of the service provider. The second request contains the token, which causes the at least one server to send a response to the application server, which response includes information about the communication device obtained based on the token. Use of the token facilitates customer access to data services and applications, while making the token anonymous safeguards the privacy of customer data.
    Type: Grant
    Filed: February 11, 2011
    Date of Patent: August 11, 2015
    Inventor: Alexander Hoi Wong
  • Patent number: 9106634
    Abstract: Authenticating a user to a first service to allow the user to access a resource provided by the first service. The resource is a protected resource requiring a general purpose credential (e.g. a user name and/or password) to access the resource. The method includes receiving at a second service, from the device, an ad-hoc credential. The ad-hoc credential is a credential that is particular to the device. The ad-hoc credential can be used to authenticate both the user and the device, but cannot be directly used as authentication at the first service for the user to access the resource. The method further includes, at the second service, substituting the general purpose credential for the ad-hoc credential and forwarding the general purpose credential to the first service. As such, the first service can provide the resource to the user at the device.
    Type: Grant
    Filed: January 2, 2013
    Date of Patent: August 11, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Meir Mendelovich, Ron Matchoro
  • Patent number: 9106490
    Abstract: A system, method and communication device configuration for sharing multimedia content between network devices, such as UPnP or UPnP/DLNA devices and mobile communication devices, across different local networks or subnets. One possible system arrangement or architecture is based on the communication devices forming groups and then sharing UPnP control messages across the groups. The system arrangement supports enabling group member access to UPnP devices that are in other group devices or reachable via other group devices. By enabling devices to form groups across wide-area networks and distribute UPnP messages within the group members, the system effectively extends the range of a UPnP network. Devices include an overlay middleware and an xDLNA application to provide the functionality to form or join a device group and communicate multimedia content with other devices in the group as if the devices are within the same local network.
    Type: Grant
    Filed: January 9, 2008
    Date of Patent: August 11, 2015
    Assignee: Google Technology Holdings LLC
    Inventor: Narayanan Venkitaraman
  • Patent number: 9100366
    Abstract: A policy is established comprising a condition having a multiphase attribute of a multiphase transaction. Phase specific policies are established for each phase in which the multiphase attribute may become known. The multiphase transaction is evaluated according to the phase specific policies at each phase of the multiphase transaction in which the multiphase attribute may become known until a policy decision of the policy is determined.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: August 4, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Haiyan Luo, Hari Shankar, Daryl Odnert, Niranjan Koduri
  • Patent number: 9088546
    Abstract: Systems, methods and apparatuses of establishing an IPsec (Internet Protocol Security) VPN (Virtual Private Network) tunnel are disclosed. One method includes receiving, by a wireless mesh network access point, a user configuration, wherein the user configuration includes a type of traffic, determining an internal interface of the wireless mesh network access node based on the type of traffic, dynamically determining a local endpoint address for the IPsec VPN tunnel based on the selected internal interface, establishing the IPsec VPN tunnel through the selected internal interface of the wireless mesh network access node, and encapsulating non-IP packets of non-IP traffic within IP packets.
    Type: Grant
    Filed: October 15, 2014
    Date of Patent: July 21, 2015
    Assignee: ABB Inc.
    Inventors: Danu Tjahjono, Rafiq Shaikh, Wenge Ren
  • Patent number: 9075992
    Abstract: Systems (100) and methods (2100) for identifying, deterring and/or delaying malicious attacks being waged on a Computer Network (“CN”). The methods involve implementing a Mission Plan (“MP”) at a first Network Node (“NN”). MP (1900, 1902) specifies that: a first IDentity Parameter (“IDP”) for a second NN has numerous possible values associated therewith; and at least two possible values are to be used in communications to and from the second NN in different timeslots of a time frame (2020-2026). At the first NN, a value for the first IDP, which is contained in a received packet, is compared with the possible values specified in MP to determine if the value is a “correct” value for a current timeslot. If it is determined that the value is not “correct” for the current timeslot, then the first NN performs actions to identify, deter or delay a possible malicious attack on CN.
    Type: Grant
    Filed: May 1, 2012
    Date of Patent: July 7, 2015
    Assignee: Harris Corporation
    Inventors: Wayne B. Smith, Ellen K. Lin
  • Patent number: 9055031
    Abstract: A check in communication is received from an agent running inside a firewall via a permitted firewall communication channel. The check in communication is received via the permitted firewall communication channel without modifying a firewall configuration. The check in communication is responded to with an instruction to be performed by the agent running inside the firewall, where the response is via the permitted firewall communication channel.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: June 9, 2015
    Assignee: Okta, Inc.
    Inventors: Todd McKinnon, Kristoffer J. Grandy
  • Patent number: 9055107
    Abstract: The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.
    Type: Grant
    Filed: December 1, 2006
    Date of Patent: June 9, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Gennady Medvinsky, Nir Nice, Tomer Shiran, Alexander Teplitsky, Paul Leach, John Neystadt
  • Publication number: 20150150113
    Abstract: An isolation proxy server system separates a typical proxy server or reverse proxy server into two physical computing platforms. A first physical platform, a front end proxy server, receives requests from clients on an external network, but is unable to relay requests by originating corresponding requests on an internal network. A second physical platform, a back end proxy client, originates distinct work requests to the front end proxy server. The front end proxy server forwards client requests to the back end proxy client in response to the distinct work requests it receives from the back end proxy client. The back end proxy client relays the client requests to a target server. Thus, the front end proxy server may not originate new requests to the server(s) in the protected zone, and the back end proxy client may not receive new requests from clients or from the front end proxy server.
    Type: Application
    Filed: November 25, 2013
    Publication date: May 28, 2015
    Applicant: Verizon Patent and Licensing Inc.
    Inventors: Terence A. Robb, William M. Lacey, William J. Wofford, IV, James R. Lehmpuhl
  • Patent number: 9043895
    Abstract: A system and method for providing a comprehensive security solution for databases through a reverse proxy, optionally featuring translating database queries across a plurality of different database platforms.
    Type: Grant
    Filed: August 1, 2011
    Date of Patent: May 26, 2015
    Assignee: GREEN SQL LTD.
    Inventors: David Maman, Yuli Stremovsky
  • Patent number: 9043589
    Abstract: One aspect of the invention is a method for providing restricted access to confidential services without impacting the security of a network. The method includes using a gateway to isolate one or more components providing confidential services from one or more other portions of an enterprise network. A first communication directed to a selected one of the one or more components may be received at the gateway. A determination may be made as to whether the first communication is user traffic or management traffic. The first communication may then be authenticated. If the first communication is user traffic, the first communication is forwarded to a component providing the confidential services. If the first communication is management traffic, the first communication is encrypted and forwarded to a component providing the confidential services. Additionally, components of the sub-network may be monitored to identify malicious changes.
    Type: Grant
    Filed: November 14, 2007
    Date of Patent: May 26, 2015
    Assignee: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
    Inventors: Robert R. Vail, Mary Jo Billings, Robert D. Bohrer, Robert D. Brooks, II, Mary M. Emmighausen, Howard M. Fannin, Edward R. Jaroch, Tonya L. Justice, Alan L. Kelkenberg, Scott R. Morris, William T. Parks, Jr., Hayes I. Saxon, William L. Weaver
  • Patent number: 9037844
    Abstract: An infrastructure for securely communicating with electronic meters is described, which enables secure communication between a utility and a meter located at a customer, over a communication link or connection such as via a network. This enables messages to be sent from the utility to the meter and vice versa in a secure manner. The network provides a communication medium for communicating via the C12.22 protocol for secure metering. A cryptographic backend is used to cryptographically process messages to be sent to the meter and to similarly cryptographically process messages sent from the meter. By providing appropriate cryptographic measures such as key management, confidentiality and authentication, the meter can only interpret and process messages from a legitimate utility and the utility can ensure that the messages it receives are from a legitimate meter and contain legitimate information.
    Type: Grant
    Filed: February 26, 2010
    Date of Patent: May 19, 2015
    Assignee: Itron, Inc.
    Inventors: Michael T. Garrison Stuber, Richard Eric Robinson
  • Patent number: 9038140
    Abstract: Described herein is a technology for facilitating the integration of a collaboration environment. In some implementations, an activity associated with a business object is accessed via a work center. A request to post the activity is sent to a collaboration application. The collaboration application then returns an activity identifier, and the user is redirected to the activity identifier.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: May 19, 2015
    Assignee: SAP SE
    Inventors: Weicheng Mao, Ziqiang Huang, Hua Wang, Xueyong Gong, Michael Rey
  • Publication number: 20150135301
    Abstract: The invention provides a method of and system for networked security, involving multiple clients and servers. Rather than relying on single server based authentication and/or single stream based data transmission, the invention breaks apart information before it leaves the User's computer so that intercepting any single electronic message does not provide the hacker with sufficient information to gain access. The invention splits the values (i.e. password, User name, card number for authorization; encrypted text for encryption, etc.) at the point of sender/external authorization client. These split values are encrypted with different keys and transmitted to multiple external authorization servers. The invention can be applied to any secure transmission, storage or authentication of data over a data network.
    Type: Application
    Filed: July 2, 2014
    Publication date: May 14, 2015
    Inventors: Traverse A. Davies, SR., Jordan Bruce MacLeod