Packet Filtering Patents (Class 726/13)
  • Patent number: 8997200
    Abstract: An electronic device for communication in a data network including a communication circuit adapted for performing the network communication, which communication includes controlling a plurality of network layers, the layers including a physical layer, a link layer and at least one higher order layer, the communication circuit includes a protective circuit for identifying unwanted data. The electronic device is characterized in that the protective circuit is arranged to monitor data during transmission of data from the electronic device, and identify unwanted data, and the communication circuit is adapted to avoid transmission of the unwanted data identified by the protective circuit. In this way the network is protected against excessive traffic, for example during a Denial of Service attack.
    Type: Grant
    Filed: May 16, 2013
    Date of Patent: March 31, 2015
    Assignee: ABB Research Ltd.
    Inventors: Kevin McGrath, Alexander Wold
  • Patent number: 8997203
    Abstract: In some implementations, a method for routing communication includes determining a binding interface for a communication session based on a forwarding information base (FIB) and a destination for the communication session. The communication session is from an application running on user equipment (UE), and the binding interface is included in a virtual private network (VPN) tunnel established through an Internet Protocol (IP) security (IPsec) interface. Whether to filter the communication session is determined based on which perimeter of the UE includes the binding interface and which perimeter of the UE includes the IPsec interface.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: March 31, 2015
    Assignee: BlackBerry Limited
    Inventors: Chi Chiu Tse, Jason Songbo Xu, Ania Halliop, Chun Hei Justin Lai
  • Publication number: 20150089628
    Abstract: A firewall/router is configured in a best practices approach for security and performance and, as such, greatly enables non-technical consumers to install it as a gateway point in a small network setting. Certain embodiments provide a means to monitor network usage, configure content filtering, schedule hours of access for certain networked devices and specify which network devices may connect to the WAN. It is envisioned that certain embodiments may also be capable of sending alerts to designated and configurable targets. WAN access may be granted or blocked or throttled on a per network device basis using parameters such as, but not limited to, time of day, throttling characteristics, and classification of the content being served by the target resource.
    Type: Application
    Filed: September 23, 2014
    Publication date: March 26, 2015
    Inventor: Michael Lang
  • Publication number: 20150089582
    Abstract: A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN.
    Type: Application
    Filed: November 26, 2014
    Publication date: March 26, 2015
    Applicant: AKAMAI TECHNOLOGIES, INC.
    Inventors: John A. Dilley, Prasanna Laghate, John Summers, Thomas Devanneaux
  • Patent number: 8990610
    Abstract: A computer implemented method, and computer program product for requesting resources. The computer receives an assignment of an Internet protocol address. The computer compares a computer context of a client computer with an intranet access criterion to form a comparison result. The computer selects at least one preferred uniform resource identifier based on the comparison result, indicating the intranet is accessible. The computer transmits a request to a server using at least one preferred uniform resource identifier using a packet network.
    Type: Grant
    Filed: March 12, 2010
    Date of Patent: March 24, 2015
    Assignee: International Business Machines Corporation
    Inventors: James E. Bostick, John M. Ganci, Jr., John P. Kaemmerer, Craig M. Trim
  • Patent number: 8990938
    Abstract: A system and method are provided to receive mirrored versions of transmissions sent by a node in response to initiating transmissions received by the node over a network. At least one mirrored response transmission sent from the node in response to at least one corresponding initiating transmission is analyzed to determine whether or not the corresponding at least one initiating transmission is malicious.
    Type: Grant
    Filed: May 16, 2013
    Date of Patent: March 24, 2015
    Assignee: Arbor Networks, Inc.
    Inventors: Lawrence Bruce Huston, III, Aaron Campbell
  • Publication number: 20150082417
    Abstract: Techniques for automatic firewall configuration in a virtual network environment are described. In one example embodiment, firewall rules are configured using virtual machine (VM) inventory objects. The firewall rules are then transformed by replacing the VM inventory objects in the configured firewall rules with associated Internet protocol (IP) addresses using an IP address management table (IPAM) table and a network address translation (NAT) table. The transformed firewall rules are then sent to a firewall engine for filtering communication from and to VMs running on a first machine on one or more computing networks and communication from and to VMs running on a second machine on one or more computing networks at a firewall according to the transformed firewall rules.
    Type: Application
    Filed: September 13, 2013
    Publication date: March 19, 2015
    Applicant: VMWARE, INC.
    Inventors: Abhinav Vijay Bhagwat, Aravind Srinivasan, Amit Ratnapal Sangodkar
  • Patent number: 8984627
    Abstract: A method may include receiving session control messages and counting the session control messages of a same type having a same transaction identifier (ID). The method may further include blocking the session control messages of the same type having the same transaction ID when the count exceeds a threshold number. The method may further include determining whether the blocked session control messages are associated with an anomalous event and, when the blocked session control messages are not associated with the anomalous event, increasing the threshold number.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: March 17, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Gaston Ormazabal
  • Patent number: 8984620
    Abstract: A system and method for providing security for a network connecting a source and a destination. The system and method provide a security and management system between the source and the destination which is configured to apply rules and policies which are specific to the user to the connection between the source and the destination. The user-specific policies are used to govern the security and management of each packet transmitted and received via the connection.
    Type: Grant
    Filed: August 21, 2007
    Date of Patent: March 17, 2015
    Assignee: Cyberoam Technologies Pvt. Ltd.
    Inventors: Abhilash Vijay Sonwane, Jimit Hareshkumau Mahadevia, Sarfaraz Mohammedhanif Malek, Sumit Pandya, Nishit Shantibhai Shah, Rajesh Hardasbhai Modhwadiya
  • Patent number: 8984618
    Abstract: Disclosed is a system for managing virtual private networks (VPNs), which includes: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding the user data to be transferred to the servers that are not allowed so as to allow the terminals to access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: March 17, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Sung Back Hong, Jung Sik Kim, Seong Moon, Sun Cheul Kim, Seung Woo Hong, Sang Jin Hong, Pyung Koo Park, Young Soo Shin, Ho Yong Ryu, Soon Seok Lee
  • Patent number: 8984640
    Abstract: In some embodiments, techniques for computer security comprise receiving a message, receiving a user-originated request for an action, wherein the action is associated with the message, determining whether the message is trustworthy, and impairing performance of the action, if it is determined that the message is not trustworthy. In some embodiments, techniques for computer security comprise receiving a message, determining whether the message is trustworthy, rendering the message, if it is determined that the message is trustworthy, and rendering a restricted version of the message, if it is determined that the message is not trustworthy.
    Type: Grant
    Filed: December 13, 2004
    Date of Patent: March 17, 2015
    Assignee: Radix Holdings, LLC
    Inventors: Aaron T. Emigh, James A. Roskind
  • Patent number: 8984619
    Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: March 17, 2015
    Assignee: Genband US LLC
    Inventors: Allain Legacy, Matthew Lorne Peters
  • Patent number: 8984157
    Abstract: Aspects of the invention are directed to a method and system for discovering business content transfer paths in a network using file transfer information, and for calculating business risk per network component in a network. A method according to an embodiment includes: obtaining file transfer information for a plurality of file transfers between a plurality of nodes within a network; generating a confidence of correlation for each pair of file transfers in the plurality of file transfers; determining interdependencies between the plurality of file transfers based on the confidence of correlation for each pair of file transfers; and determining a business content transfer path based on the interdependencies between the plurality of file transfers.
    Type: Grant
    Filed: July 18, 2012
    Date of Patent: March 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vedika Dalmia, Thomas I. Lewin, James W. Smith, Peter F. Weller
  • Patent number: 8984273
    Abstract: A lightweight solution enables the exchange of multimedia information in a secure manner. Exchanged cryptographic material can be used to encipher multimedia message-oriented communications between devices. This lightweight solution can be used by common off the shelf devices such as smartphones, tablets, feature phones, or special purpose machine to machine devices for private communications, such as command and control, location services, video, audio, electronic attachments, etc. using insecure voice or data communication paths, such as MMS.
    Type: Grant
    Filed: June 10, 2013
    Date of Patent: March 17, 2015
    Assignee: Protected Mobility, LLC
    Inventors: William J. Marlow, Robert Cichielo, Emil Sturniolo, Paul Benware
  • Publication number: 20150074792
    Abstract: A method for mitigating denial of service attacks may include filtering out invalid packets from the received packets using a first filtering module, allowing the valid packets to pass through the first filtering module, and allowing some invalid packets to pass through the first filtering module. The method may also include passing the valid packets and the remaining invalid packets from the first filtering module to a second filtering module, filtering out more of the invalid packets using the second packet filtering module, allowing the valid packets to pass through the second filtering module, and allowing some invalid packets to pass through the second filtering module. The method may additionally include passing the valid packets and the remaining invalid packets to a protocol stack to filter the remaining invalid packets and pass the valid packets through to an application.
    Type: Application
    Filed: September 10, 2014
    Publication date: March 12, 2015
    Applicant: HAProxy S.á.r.l.
    Inventor: Willy Tarreau
  • Patent number: 8976647
    Abstract: A network component comprising a hash generator configured to generate a first hash value using a first hash function and a packet, and generate a second hash value using a second hash function and the packet, a memory comprising a first hash table related to the first hash function and a second hash table related to the second hash function, the first and second hash tables comprising one or more entries, the one or more entries comprising a signature, a timestamp, and a path identification, a comparator configured to compare the first hash value and the second hash value with the one or more entries, and a forwarding decision module configured to forward the packet on a selected path.
    Type: Grant
    Filed: November 8, 2011
    Date of Patent: March 10, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventor: Haoyu Song
  • Patent number: 8978136
    Abstract: Systems and methods are provided for handling a malicious computer-related security event that occurs at central network access points of the Internet involving networks of autonomous and different internet service providers. A system includes a non-signature based security event detection software system operating on a first computer connected to a first network of a first internet service provider, where the non-signature based security event detection software system detects the security event by examining runtime state of the first computer. A security event management software system operates on a processor-based platform and has access to security event detection results generated by the non-signature based security event detection software system.
    Type: Grant
    Filed: February 17, 2012
    Date of Patent: March 10, 2015
    Assignee: Terremark Worldwide, Inc.
    Inventor: Christopher Wayne Day
  • Patent number: 8972508
    Abstract: A computer-implemented method for managing email configuration may include receiving a first email message from a first device, identifying device-type information in the first email message, identifying a second email message addressed to the first email address, and using the device-type information to select email-configuration information for the second email. The method may further include reformatting a body of the second email based on the email-configuration information, removing an attachment to the second email in response to the email-configuration information, providing a user with the email-configuration information for the second email message, and associating the device-type information with the first email address. A computer-implemented method for including email-configuration information in an email may involve identifying a first email message from a first user, including email-configuration information in the first email message, and sending the first email message to a first recipient.
    Type: Grant
    Filed: July 6, 2012
    Date of Patent: March 3, 2015
    Assignee: Symantec Corporation
    Inventors: Timothy G. Brown, Brian Hernacki
  • Patent number: 8973125
    Abstract: In a communication network, assume a first computing device is an end user device, a second computing device is a gateway server, and a third computing device is an application server. A method comprises the following steps. The second computing device authenticates one or more packets received from the first computing device. The second computing device marks the one or more packets with a first-layer identity before routing the one or more packets toward the third computing device such that the third computing device is able to authenticate the one or more packets from the first computing device by confirming an association between the first-layer identity and a second-layer identity. For example, the first-layer identity may comprise a link layer identity assigned to the first computing device and the second-layer identity may comprise an application layer identity assigned to the first computing device.
    Type: Grant
    Filed: May 28, 2010
    Date of Patent: March 3, 2015
    Assignee: Alcatel Lucent
    Inventors: Igor Faynberg, Hui-Lan Lu
  • Patent number: 8973098
    Abstract: A system and method for configuring client access to a network includes, at a first port, accessing a first server on a first local area network associated with the first port. An authorized local area network other than the first local area network is determined, to which an authorized connection can be properly made based on information in a client request. The first port is assigned to the authorized local area network. Communications are handled with a new client configuration in the authorized local area network.
    Type: Grant
    Filed: January 11, 2007
    Date of Patent: March 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: Mandayam Thondanur Raghunath, Marcel Catalin Rosu, Dinesh Chandra Verma
  • Patent number: 8964978
    Abstract: Provided are a method and apparatus for effectively fixing scrambled content. The method includes checking fixing information for a program map table (PMT) packet of packets constituting the content, the fixing information being used to fix a transformed part of the content; extracting location information of a next PMT packet containing fixing data for fixing the transformed part of the content from the fixing information of the PMT packet; and fixing the transformed part of the content by using the fixing data in the next PMT packet indicated by the extracted location information. Accordingly, it is possible to easily detect a location of the content, which stores the fixing information, thereby expediting fixing of the transformed content.
    Type: Grant
    Filed: March 25, 2013
    Date of Patent: February 24, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yong-kuk You, Hyun-kwon Chung, Jun-bum Shin, Yun-ho Choi, Su-hyun Nam
  • Patent number: 8964763
    Abstract: A system and method of inter-router communication is described. The system and method include a routing protocol communication, configured to be sent between a plurality of routers on a network, and having a data plane update packet sent with a route update packet. The data plane update packet includes routing attributes corresponding to information export protocol signatures. A signature recognition module may be located on at least one of the routers in the network, and can store and recognize data packet signature patterns located in at least a portion of a payload of the data plane update packet. A data plane filter module can also be located on at least one of the routers, and can handle data packets according to filtering rules for specific data packet signature patterns.
    Type: Grant
    Filed: February 9, 2010
    Date of Patent: February 24, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Anand Eswaran
  • Patent number: 8966609
    Abstract: An authentication apparatus for detecting and preventing a source address spoofing packet, includes a packet reception unit configured to receive a packet from a previous node or a user host; a self-assurance type ID generation unit configured to generate a self-assurance type ID of a source node of the received packet; and a self-assurance type ID verification unit configured to determine whether the source address of the received packet has been spoofed. Further, the authentication apparatus includes a white list storage unit configured to store a reliable source node; a black list storage unit configured to store an unreliable source node; and a packet transmission unit configured to transmit the packet whose source has been verified through the self-assurance type ID verification unit to a next network node.
    Type: Grant
    Filed: November 28, 2012
    Date of Patent: February 24, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Sang-Woo Lee, Dong IL Seo
  • Patent number: 8966627
    Abstract: There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 24, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventor: Seung Yong Yoon
  • Patent number: 8966607
    Abstract: A method is provided for filtering unwanted packets in a communication system. The communication system includes a first network, a wireless network and at least one wireless communication device. An instruction to add an entry to a blocked list is received from a specific wireless device. The entry includes blocking criteria. A first packet is received from the first network. The first packet is destined for the specific wireless communication device. If the first packet exhibits the blocking criteria included in the blocked list, the first packet is discarded before it can be distributed by the wireless network.
    Type: Grant
    Filed: July 15, 2009
    Date of Patent: February 24, 2015
    Assignee: Rockstar Consortium US LP
    Inventors: Martin Sauter, Ed Illidge, Wayne Wei Ding
  • Patent number: 8966608
    Abstract: A method and access node for preventing spoofing while connecting subscribers to an Ethernet network. The access node includes a filter mechanism for filtering packets destined to subscribers attached to the access node. The filter mechanism includes a database of allocated IP destination addresses and MAC addresses. The filter mechanism blocks any packet directed to a subscriber but containing an incorrect IP or MAC address. The mechanism prevents users from changing their address information to illegally appropriate packets from other users or to disguise their identity.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: February 24, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Ulf Järredal
  • Publication number: 20150052601
    Abstract: Methods, systems, and computer readable media for rapid filtering of opaque data traffic are disclosed. According to one method, the method includes receiving a packet containing a payload. The method also includes analyzing a portion of the payload for determining whether the packet contains compressed or encrypted data. The method further includes performing, if the packet contains compressed or encrypted data, at least one of sending the packet to an opaque traffic analysis engine for analysis, discarding the packet, logging the packet, or marking the packet.
    Type: Application
    Filed: March 13, 2013
    Publication date: February 19, 2015
    Inventors: Andrew Maxwell White, Fabian Monrose, Srinivas Krishnan, Phillip Andrew Porras, Michael Donald Bailey
  • Publication number: 20150052600
    Abstract: The presently disclosed subject matter includes, inter alia, a separation module being operatively connectible to a network device operable to facilitate data communication in a communication network, the separation module being configured to control data communication in the communication network, the separation module being assigned with a network-id associating the separation module with a given network environment; the separation module being further configured to tag a data packet received by the network device from a first direction, in order to associate the data packet with a given network environment; and determine whether a tag, associated with a data packet received by the network device from a second direction, is compatible with the assigned network-id, and if it is, remove the tag from the data packet and allow transmission of the data packet.
    Type: Application
    Filed: August 22, 2012
    Publication date: February 19, 2015
    Applicant: ELTA SYSTEMS LTD.
    Inventor: Udi Weinsberg
  • Patent number: 8959612
    Abstract: A secure interconnection system between two public networks comprises at least one first router, a first firewall, a second router, a second firewall and a blade server, and a first virtual local area network containing the data streams exchanged between a first communications facility and a second communications facility, a second virtual local area network containing the management and maintenance streams of said system which are exchanged between a supervision center and the blade server and a third virtual local area network containing the authentication streams for said first communications facility which are exchanged between the said second firewall and said blade server, said virtual local area networks being designed so as to exhibit an empty intersection.
    Type: Grant
    Filed: May 20, 2011
    Date of Patent: February 17, 2015
    Assignee: Thales
    Inventors: Suzanne DeBaille, Stéphane Touyet
  • Patent number: 8959611
    Abstract: Secure networking processes, such as packet encapsulation and decapsulation, can be executed upstream of a user or guest operating system provisioned on a host machine, where the user has substantially full access to that machine. The processing can be performed on a device such as a network interface card (NIC), which can have a separate network port for communicating with mapping systems or other devices across a cloud or secure network. A virtual image of the NIC can be provided to the user such that the user can still utilize at least some of the NIC functionality. In some embodiments, the NIC can work with a standalone processor or control host in order to offload much of the processing to the control host. The NIC can further handle headers and payload separately where possible, in order to improve the efficiency of processing the various packets.
    Type: Grant
    Filed: September 9, 2009
    Date of Patent: February 17, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Pradeep Vincent, Michael David Marr
  • Patent number: 8955090
    Abstract: A SIP firewall defends an IMS network against SIP registration-based DoS/DDoS attacks by issuing fake authentication challenges when suspiciously high registration traffic is present. The fake authentication challenges include a predictive nonce that is to be used in the challenge response, thus forcing users to be state-aware and to issue the SIP registration requests from a valid IP address in order to successfully respond to the fake authentication challenges. Upon confirming an association between the challenge response and the fake authentication challenges, the firewall opens a registration window to a protected node of the core network. In such manner, the firewall opens a registration window to (unauthenticated) legitimate users while stopping DDoS mode of registrations (or at least making them extremely difficult and costly) without impacting or involving the protected node.
    Type: Grant
    Filed: January 10, 2011
    Date of Patent: February 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Thierry C. Bessis, Ashwin V. Rana
  • Patent number: 8953451
    Abstract: Apparatus, methods, and systems for use in analyzing a flow of network traffic between a first network and a second network are provided. One example method includes scanning the network traffic between the first and second networks. The network traffic includes a plurality of data packets. The method includes determining a character set included in each of the plurality of data packets, and storing an indication of each character set included in each scanned data packet.
    Type: Grant
    Filed: June 14, 2012
    Date of Patent: February 10, 2015
    Assignee: The Boeing Company
    Inventor: James D. Conniff
  • Patent number: 8955095
    Abstract: A method and apparatus is disclosed for increasing the security of computer networks through the use of an Intrusion and Misuse Deterrence System (IMDS) operating on the network. The IMDS is a system that creates a synthetic network complete with synthetic hosts and routers. It is comprised of a network server with associated application software that appears to be a legitimate portion of a real network to a network intruder. The IMDS consequently invites inquiry and entices the intruder away from the real network. Simulated services are configured to appear to be running on virtual clients with globally unique, class “C” IP addresses. Since there are no legitimate users of the virtual network simulated by the IMDS, all such activity must be inappropriate and can be treated as such. Consequently, the entire set of transactions by an intruder can be collected and identified rather than just those transactions that meet a predefined attack profile.
    Type: Grant
    Filed: June 6, 2011
    Date of Patent: February 10, 2015
    Assignees: Verizon Corporate Services Group, Inc., Level 3 Communications LLC, Raytheon BBN Technologies Corp.
    Inventors: Martin F. Roesch, Ronald J. Gula
  • Patent number: 8955089
    Abstract: A user equipment (UE) and method are provided having one or more components configured to receive a non-session initiation protocol (SIP) notification from a SIP entity and in response to send a ping request to the SIP entity, the one or more components further configured to receive a SIP request from the SIP entity. A network component and method are also provided that include one or more components configured to send a non-session initiation protocol (SIP) notification to a user equipment (UE) and to receive a ping request from the UE and further to send a SIP request to the UE.
    Type: Grant
    Filed: December 8, 2010
    Date of Patent: February 10, 2015
    Assignee: BlackBerry Limited
    Inventor: Alexander Shatsky
  • Patent number: 8955150
    Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: February 10, 2015
    Assignee: Fasoo.com Co. Ltd.
    Inventor: Chel Park
  • Patent number: 8955093
    Abstract: A network system includes a security device and a network access device. The network access device is to receive a packet from a source node destined to a destination node, and to examine a data structure maintained by the network access device to determine whether the data structure stores a data member having a predetermined value, the data member indicating whether the packet should undergo security processing. If the data member matches the predetermined value, the packet is transmitted to a security device associated with the network access device to allow the security device to perform content inspection, and in response to a response received from the security device, the packet is routed to the destination node dependent upon the response. The packet is routed to the destination node without forwarding the packet to the security device.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 10, 2015
    Assignee: Varmour Networks, Inc.
    Inventors: Choung-Yaw Michael Shieh, Meng Xu, Yi Sun, Jia-Jyi Roger Lian
  • Patent number: 8949143
    Abstract: The inventive system and method for processing transactional data in a point of sale environment that has a video device, a POS terminal and an end recording device comprises a configuration tool, and a filtering unit having a filter comprising subfilters for filtering transactional data, such that the configuration tool creates the filter. The configuration tool can create and/or modify the filter based on user input, and this input can be through a web interface. In the alternative, the system also has at least one pre-defined set of rules accessible through a web interface, such that the configuration tool uses one of the pre-defined sets of rules to create the filter.
    Type: Grant
    Filed: December 17, 2007
    Date of Patent: February 3, 2015
    Assignee: Honeywell International Inc.
    Inventors: Ganesh G. Babu, Sundaresan K. Meenakshi, Abdul M. Raheem, Sivakumar Balakrishnan, Gopalakrishnan V. Venkatesan, Marine Drive
  • Publication number: 20150033322
    Abstract: Methods and systems for improved attack context data logging are provided. According to one embodiment, configuration information is received by a firewall device from a network administrator. The configuration information includes a number (N) of packets to capture by the firewall device responsive to an event detected by the firewall device that is potentially indicative of a threat or undesired activity. Multiple packets are received by the firewall device. The firewall device applies an attack detection algorithm, including one or more of a set of intrusion detection signatures, a set of malware detection signatures and a set of security policies, to the received packets. Responsive to the firewall device determining that a trigger packet is associated with a potential threat or potential undesired activity, the firewall device causes information regarding N packets of the received packets, inclusive of the trigger packet, to be stored in a log.
    Type: Application
    Filed: January 14, 2014
    Publication date: January 29, 2015
    Applicant: Fortinet, Inc.
    Inventors: Wei David Wang, Dayong Zhou, Ihab Khalil
  • Publication number: 20150033323
    Abstract: A system, method, and computer program product are provided for displaying, via at least one user interface, at least one option for dropping packets in connection with the at least one networked device for attack prevention. In use, it is determined whether an occurrence in connection with the at least one networked device is capable of taking advantage of the at least one actual vulnerability to which the at least one networked device is actually vulnerable. Further, based on the user input, packets are dropped in connection with the occurrence in immediate response to the detection thereof, to prevent an attack prior to completion of patch installation.
    Type: Application
    Filed: September 29, 2014
    Publication date: January 29, 2015
    Inventors: Brett M. Oliphant, John P. Blignaut
  • Patent number: 8943308
    Abstract: An e-mail relay provides message filtering services to an e-mail network. The e-mail relay monitors incoming communication and intercepts e-mail messages. The e-mail relay compares attributes of the messages to data derived from SPAM messages, which are stored in a SPAM database. The e-mail relay restricts the delivery of messages based on the comparison such as by restricting the delivery of messages having attributes close to those of SPAM messages from the SPAM database. The SPAM database is constructed by responding to user or administrator indications as to whether received messages are SPAM messages.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: January 27, 2015
    Assignee: Axway Inc.
    Inventors: Jean-Christophe Bandini, Daryl Odnert, Dmitry Dolinsky
  • Patent number: 8943575
    Abstract: A method and system for managing access to resources on a secured network is disclosed. The method includes reading packet information in respective packets of a packet communication received at a security node and applying one of the plurality of access rules. The method also includes determining whether the security node is to block the respective packets and/or the packet communication from reaching a resource on the secured network based on the applied access rule. If the security node is to block the respective packets and/or the packet communication, it is determined whether the applied access rule is a simulated access rule. Responsive to the applied access rule being a simulated access rule, the respective packets and/or the packet communication are passed towards the resource on the secured network and a log event is generated that indicates the security node blocked the respective packets and/or the packet communication.
    Type: Grant
    Filed: April 29, 2009
    Date of Patent: January 27, 2015
    Assignee: Citrix Systems, Inc.
    Inventors: Srinivas Kumar, Vijayashree S. Bettadapura
  • Patent number: 8943578
    Abstract: An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: January 27, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xiangyang Zhang, Xiaoyong Yi
  • Publication number: 20150026794
    Abstract: Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).
    Type: Application
    Filed: July 30, 2013
    Publication date: January 22, 2015
    Inventors: Nir Zuk, Marc Joseph Benoit
  • Patent number: 8938777
    Abstract: Using geographical information in policy enforcement is disclosed. A request for a resource is received from a device. A policy to be applied to the request is determined based at least in part on geographical information associated with an IP address. The policy is enforced. The IP address may be either a source IP address or a destination IP address.
    Type: Grant
    Filed: September 23, 2013
    Date of Patent: January 20, 2015
    Assignee: Palo Alto Networks, Inc.
    Inventors: Anupam Bharali, Ravi Ithal, Yueh-Zen Chen
  • Patent number: 8938795
    Abstract: A system for filtering a digital signal transmitted in a protocol featuring multi-level packetization from a first server to a second server. The first server is coupled to the second server via a one-way data link. The system includes a filter having an input for receiving the digital signal and an output. The filter is configured to analyze the digital video signal and determine whether the digital signal violates one or more predetermined criteria. The filter may be within the first server, or alternatively, within the second server. The predetermined criteria may be unauthorized security level information included within metadata transmitted with the digital video signal. The predetermined criteria may also be format information that, when not conformed to, indicates potential malware or other bad content included within the digital video signal. The filter provides low data transfer latency and/or decoupling of data filter latency from data transfer latency.
    Type: Grant
    Filed: November 19, 2012
    Date of Patent: January 20, 2015
    Assignee: Owl Computing Technologies, Inc.
    Inventors: Frederick Clarke, Jeffrey Menoher, Ronald Mraz
  • Patent number: 8938804
    Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprises TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: January 20, 2015
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Akira Yamada, Yukiko Sawaya, Ayumu Kubota
  • Patent number: 8938773
    Abstract: Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Data is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information.
    Type: Grant
    Filed: January 30, 2008
    Date of Patent: January 20, 2015
    Assignee: Websense, Inc.
    Inventor: Daniel Lyle Hubbard
  • Publication number: 20150020188
    Abstract: A gateway host connected to a network can be programmed to control packet traffic from other hosts on the network. The gateway host sends spoof packets to one or more of the other hosts, rendering them as controlled hosts. Each controlled host, having received the spoof packets, sends network packets for an intended destination, which are intercepted by the gateway host. The spoof packets have caused reconfiguration of the packet routing by the controlled host, such that network packets are rerouted upon their being sent from the controlled host. The gateway host renders a decision on the network packet traffic.
    Type: Application
    Filed: July 14, 2013
    Publication date: January 15, 2015
    Inventors: Eytan Segal, Assaf Harel
  • Patent number: 8935742
    Abstract: Secure content management is enabled as a cloud-based service through which security protection and policy enforcement may be implemented for both on-premise network users and roaming users. The global SCM service integrates the security functionalities—such as anti-virus, spyware, and phishing protection, firewall, intrusion detection, centralized management, and the like—that are typically provided by enterprise network SCM appliance hardware or servers into a cloud-based service that users reach via Internet-based points-of-presence (“POPs”). The POPs are configured with forward proxy servers, and in some implementations, caching and network acceleration components, and coupled to hubs which provide configuration management and identity management services such as active directory services.
    Type: Grant
    Filed: August 18, 2008
    Date of Patent: January 13, 2015
    Assignee: Microsoft Corporation
    Inventors: Nir Nice, Oleg Ananiev, John Wohlfert, Amit Finkelstein, Alik Teplitsky
  • Publication number: 20150012998
    Abstract: An example method is provided and, in an example embodiment, includes receiving a data packet at an ingress switch function, the data packet associated with a data packet flow; obtaining access control information associated with a destination of the data packet flow from a centralized service engine; and performing access filtering on the data packet flow at the ingress switch function using the access control information.
    Type: Application
    Filed: July 3, 2013
    Publication date: January 8, 2015
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Suraj Nellikar, Maithili Narasimha