Security Protocols Patents (Class 726/14)
  • Patent number: 8522034
    Abstract: Methods and systems are disclosed for providing secure transmissions across a network comprising a transmitting device and a receiving device. At the transmitting device, a stream of watermark bits is generated. Next, a plurality of watermarks is generated, each of the plurality of watermarks comprising an index number and a portion of the stream of watermark bits. The watermarks are inserted into each header of a plurality of outgoing packets. At the receiving device, the plurality of outgoing packets are received and it is determined if a received packet is valid based on the watermark in the header of the received packet. The stream of watermark bits may be generated using a stream cipher such as RC4, a block cipher such as 3DES in CBC mode, or other equivalent pseudo-random stream generating techniques.
    Type: Grant
    Filed: August 19, 2011
    Date of Patent: August 27, 2013
    Assignee: Google Inc.
    Inventors: Úlfar Erlingsson, Xavier Boyen, Darrell Anderson, Wayne Gray
  • Publication number: 20130219485
    Abstract: The system and method described herein may provide unified transport and security protocols. In particular, the unified transport and security protocols may include a Secure Frame Layer transport and security protocol that includes stages for initially configuring a requester device and a responder device, identifying the requester device and the responder device to one another, and authenticating message frames communicated between the requester device and the responder device. Additionally, the unified transport and security protocols may further include a Secure Persistent User Datagram Protocol that includes modes for processing message frames received at the requester device and the responder device, recovering the requester device in response to packet loss, retransmitting lost packets sent between the requester device and the responder device, and updating location information for the requester device to restore a communications session between the requester device and the responder device.
    Type: Application
    Filed: November 15, 2012
    Publication date: August 22, 2013
    Inventors: Kenneth W. Garrard, Karl E. Elliott, Andy Huang
  • Patent number: 8516566
    Abstract: Systems and methods for providing Kerberos pre-authentication are presented. According to a method embodiment, a request for authentication is received from a principal of an authentication service. The principal in the authentication service is authenticated. A key associated with the authenticated principal in the authentication service is provided to a Kerberos Key Distribution Center (KDC).
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: August 20, 2013
    Assignee: Apple Inc.
    Inventor: Rahul Srinivas
  • Patent number: 8515066
    Abstract: A method for establishing an encrypted communication channel between a first apparatus and a second apparatus by using a session management apparatus. The method includes: establishing a first encrypted communication channel between the session management apparatus and the first apparatus by performing mutual authentication between the session management apparatus and the first apparatus; establishing a second encrypted communication channel between the session management apparatus and the second apparatus by performing mutual authentication between the session management apparatus and the second apparatus; and exchanging key information between the first apparatus and the second apparatus via the first encrypted communication channel and the second encrypted communication channel so as to establish an encrypted communication channel between the first apparatus and the second apparatus.
    Type: Grant
    Filed: November 4, 2004
    Date of Patent: August 20, 2013
    Assignee: NTT Communications Corporation
    Inventors: Makoto Saito, Osamu Tokunaga, Toshiyuki Yamasaki, Shin Miyakawa, Yasuhiro Shirasaki, Takamasa Uchiyama, Satoshi Fukada, Takashi Egashira, Toshiaki Suzuki
  • Patent number: 8510824
    Abstract: A method for digital copyright protection includes stream media server negotiation with a copyright center to generate copyright object RO, RO carrying copyright service regulations and establishing encrypted communication channel information; subscriber equipment receiving RO, through the establishing encrypted communication channel information carried by RO to establish encrypted communication channel with stream media server; and stream media server transmitting media stream to subscriber equipment. The present disclosure also discloses a DRM system, subscriber equipment and multi-media server.
    Type: Grant
    Filed: September 29, 2008
    Date of Patent: August 13, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Jian Yang, Qin Zhao
  • Publication number: 20130198798
    Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce administrator selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.
    Type: Application
    Filed: August 27, 2012
    Publication date: August 1, 2013
    Applicant: AXWAY, INC.
    Inventors: Robert D. Dickinson, III, Sathvik Krishnamurthy
  • Patent number: 8498419
    Abstract: A Radio Frequency based security system for providing security for wireless Local Area Networks (WLAN) that allows the creation and maintenance of arbitrarily shaped secure wireless access areas with boundaries around said wireless Local Area Network and prevents access to the said wireless LAN from outside the perimeter of the secure area. The system includes a plurality of perimeter Radio Frequency Sentry Devices (RFSDs) that are employed to establish the boundaries of said secure area around said wireless LAN. The wireless LAN being secured may be an industry standard IEEE 802.11a, 801.11b or 802.11g based wireless LAN or any other wireless LAN that uses packet based communication protocols. The said RFSDs may be stand-alone devices or they may be connected to a wired or wireless Local Area Network.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: July 30, 2013
    Assignee: Bella Tosso AG, L.L.C.
    Inventor: Sameer Tiwari
  • Patent number: 8495727
    Abstract: The claimed subject matter provides a system and/or a method that facilitates authenticating a data communication. An interface component can receive data related to a real time data communication between two or more clients. A verification component can employ a human interaction proof (HIP) to a client participating within the real time data communication, wherein a human identity of the client is authenticated as a function of a response to the HIP.
    Type: Grant
    Filed: August 7, 2007
    Date of Patent: July 23, 2013
    Assignee: Microsoft Corporation
    Inventors: Rajesh Ramanathan, Amritansh Raghav, Craig M. Combel
  • Patent number: 8495721
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for specifying a data network security policy. In one aspect, a system includes a device-agnostic firewall policy that defines one or more rules for regulating data traffic on a data network. The device-agnostic firewall policy includes a policy definition and a security component. The policy definition delineates regulation of the data network traffic to be implemented by a firewall and a policy token definition that delineates a token used in the policy definition. The security component is implemented in hardware, in software executed on a data processing device, or in a combination thereof and is configured to permit a first group of one or more individuals to change both the policy definition and the policy token definition and a second group of one or more individuals to change the policy token definition while restricting the second group from changing the policy definition.
    Type: Grant
    Filed: June 30, 2010
    Date of Patent: July 23, 2013
    Assignee: Google Inc.
    Inventors: Peter Moody, Paul A. Watson
  • Patent number: 8495706
    Abstract: According to one embodiment, a television apparatus includes a receiving module, a display controller, a receiving controller, an obtaining module, a storage module, and a controller. The receiving module receives an operation for putting the television apparatus into a waiting state to connect to an external device. The display controller displays identification information identifying the television apparatus, security information generated randomly, and displays screen information received from the external device. The receiving controller receives the request for connection and the security information. The obtaining module obtains external-device identification information identifying the external device if communication with the external device is initiated. The storage module stores the external-device identification information.
    Type: Grant
    Filed: May 19, 2011
    Date of Patent: July 23, 2013
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Tomohiro Kanda
  • Patent number: 8489892
    Abstract: A device receives protected content and a license for the content, unprotects the content using an input key and retrieves a rule associated with the input key. The device then processes the content to create new content, retrieves at least one output key associated with the input key in the retrieved rule, protects the content using the output key and sends the newly protected content and the corresponding license. It is thus possible to impose a work flow as it is necessary for a device to store a particular key in order to access the content and as the rule imposes a particular output key depending on the input key. In a preferred embodiment, the content is scrambled using a symmetrical key that is encrypted by an asymmetrical key in the license. An alternate embodiment uses watermarking techniques instead of encryption. The invention finds particular use in video processing.
    Type: Grant
    Filed: March 17, 2008
    Date of Patent: July 16, 2013
    Assignee: Thomson Licensing
    Inventors: Stephane Onno, Olivier Heen
  • Patent number: 8489889
    Abstract: A computing device receives a command to restrict access to encrypted data. The computing device generates a new record that can access the encrypted data. The computing device encrypts the record information for the new record using a public key of a trusted entity. The computing device prevents access to the encrypted data for a previously generated record or records.
    Type: Grant
    Filed: September 17, 2010
    Date of Patent: July 16, 2013
    Assignee: Symantec Corporation
    Inventors: Vincent E. Moscaritolo, Jonathan D. Callas
  • Patent number: 8490175
    Abstract: A security method and system for Layer Independent Passive Clustering (LIPC) is presented. The inventive method and system maintains the states in the LIPC cluster formation protocol while adding a ‘Trustworthy’ event to each state and provides a methodology that depends on the state of the transmitting node to quantify Trustworthy and derive a Trust Confidence Value (TCV) to represent the level of confidence in quantifying ‘Trustworthy’. The invention dynamically computes a degree of trustworthiness for each participating network node and eliminates nodes from participating in the PC cluster formation protocol and packet forwarding if they do not meet established trust metrics. The security solution can also apply to PC-based Mobile Ad hoc Networks (MANETs). The novel system and method applies a multidimensional set of security algorithms to protect the LIPC cluster formation protocol from malicious attacks that compromise cluster formation and secure routing.
    Type: Grant
    Filed: December 6, 2011
    Date of Patent: July 16, 2013
    Assignee: Telcordia Technologies, Inc.
    Inventors: Melbourne Barton, Taek Jin Kwon
  • Patent number: 8490154
    Abstract: There is provided a computer-implemented method for authentication, the method comprising: defining a demanded level of security in an authorization service of a server; providing at least one authentication mechanism comprising at least one instance for at least one client; providing a policy comprising a security level for the at least one instance; receiving at least one request from the client to the server; authenticating the request based on the policy and the demanded level of security by the authentication service; and permitting the request if the demanded level of security is reached.
    Type: Grant
    Filed: September 21, 2007
    Date of Patent: July 16, 2013
    Assignee: SAP AG
    Inventors: Laurent Y. Gomez, Ivonne Thomas
  • Patent number: 8490172
    Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
    Type: Grant
    Filed: May 25, 2011
    Date of Patent: July 16, 2013
    Assignee: Genband US LLC
    Inventors: Allain Legacy, Matthew Peters
  • Patent number: 8484712
    Abstract: The invention relates to a personal token including a microprocessor and a memory, said personal token storing and running a software entity which constitutes an end-point for communication over the internet. The software entity constitutes an end-point according to a signaling protocol over the internet and the signaling protocol is of the type intended when the session for real-time conferencing is initiated between end-points.
    Type: Grant
    Filed: June 8, 2007
    Date of Patent: July 9, 2013
    Assignee: Gemalto SA
    Inventor: Herve Ganem
  • Patent number: 8484456
    Abstract: An electronic messaging system, including: a first message transfer server for receiving a message for a party, mapping the destination address of the message to a trusted address for the party, and substituting the trusted address for the destination address; and a second message transfer server for establishing an authenticated transport session with the first message transfer server to receive the message and transfer the message to a location corresponding to the trusted address.
    Type: Grant
    Filed: December 8, 2005
    Date of Patent: July 9, 2013
    Assignee: Alien Camel Pty Ltd.
    Inventors: Sydney Gordon Low, Matthew Iain Walker
  • Patent number: 8484711
    Abstract: System and method configured to provide an access management system configuration that provides the benefits of single sign-on while reducing internal hardware and administration maintenance costs. The system is reconfigured to provide an access control module that directs authentication network traffic such that access management agents are not required to be installed on the application server for each protected application. The system provides a redirection of a login request from the application server to an external security gateway that authenticates the user via policy and sends authenticated user credentials on a back channel to the access control module to obtain a session cookie which is redirected back to the user so the user can establish a session with the application. The solution reduces the plethora of agents to be maintained and upgraded in order to remain compatible with the evolving hosting software, reducing both hardware and administration maintenance costs.
    Type: Grant
    Filed: October 31, 2012
    Date of Patent: July 9, 2013
    Assignee: FMR LLC
    Inventors: Michael Timothy Coletta, Kevin W. Park, Jon Alexander Lenzer
  • Patent number: 8484715
    Abstract: A network access method and system and a network connection device are provided. A network connection device connected between a first network and a second network obtains first network attribute information about a first network device according to an access request for accessing the second network from the first network device on the first network. The network connection device performs authentication on whether the first network device has a right to access the second network based on the first network attribute information. If the authentication is passed, the network connection device connects the first network device into the second network. If the authentication is not passed, the network connection device prohibits the first network device from accessing the second network.
    Type: Grant
    Filed: January 14, 2009
    Date of Patent: July 9, 2013
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Ru Liang
  • Publication number: 20130174246
    Abstract: A method in one embodiment includes establishing a first secure tunnel between a scanner and a configuration manager, and a second secure tunnel between the scanner and a scan controller, where the scanner is located in a public network and the configuration manager and the scan controller are located in a private network, communicating scanner configuration information between the scanner and the configuration manager over the first secure tunnel, and communicating scan information between the scanner and the scan controller over the second secure tunnel. The secure tunnels may be established from within the private network, by forwarding a first origination port and a second origination port to a first destination port and a second destination port, respectively. The first and second origination ports may be located in the public network, and the first and second destination ports may be located in the private network.
    Type: Application
    Filed: December 29, 2011
    Publication date: July 4, 2013
    Inventors: Sven Schrecker, Brian Robison
  • Patent number: 8479277
    Abstract: An information processing apparatus includes: a connecting section; an information storage; a request accepting section; a searching section; a setting information storage; a determining section; and a process executing section.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: July 2, 2013
    Assignee: Fuji Xerox Co., Ltd.
    Inventors: Yoshiyuki Yoda, Masaki Kurokawa, Eiji Shimoichi, Yuriko Inakawa, Eiji Nishi, Noriyuki Tatsuma, Akira Okamoto, Takanari Ishimura, Akihide Oshima, Atsuhiro Itoh, Fumio Harada
  • Patent number: 8479259
    Abstract: An integrated series of security protocols is disclosed that protect remote user communications with remote enterprise services, and simultaneously protect the enterprise services from third parties. In the first layer, an implementation of the Secure Sockets Layer (SSL) version of HTTPS provides communications security, including authentication of the enterprise web server and the security of the transmitted data. The protocols provide for an identification of the user, and an authentication of the user to ensure the user is who he/she claims to be and a determination of entitlements that the user may avail themselves of within the enterprise system. Session security is described, particularly as to the differences between a remote user's copper wire connection to a legacy system and a user's remote connection to the enterprise system over a “stateless” public Internet, where each session is a single transmission, rather than an interval of time between logon and logoff, as is customary in legacy systems.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: July 2, 2013
    Assignees: Verizon Business Global LLC, Verizon Patent and Licensing Inc.
    Inventors: Carol Y. Devine, Gerald A. Shifrin, Richard W. Shoulberg
  • Patent number: 8479278
    Abstract: The invention provides a data processing system for the support of secure networking on a single, virtualized hardware platform. The data processing system comprises a Network Interface Controller NIC to control access to a physical network; a first operating system comprising an NIC driver to manage the NIC, and a first Virtual Network Interface Controller VNIC driver. The system further comprises at least one second operating system comprising at least one second VNIC driver associated with a networking stack; and a Virtual Machine Monitor VMM to enable concurrent operation of the first and second operating systems, and to emulate a virtual network, the VMM comprising first and second VNICs to provide access to the virtual network by the first and second operating systems through the first and second VNIC drivers, respectively.
    Type: Grant
    Filed: October 2, 2009
    Date of Patent: July 2, 2013
    Assignee: Virtuallogix SA
    Inventors: Vladimir Grouzdev, Philippe Gautron
  • Patent number: 8474053
    Abstract: A data security manager in a multi-nodal environment enforces processing constraints stored as security relationships that control how different pieces of a multi-nodal application (called execution units) are allowed to execute to ensure data security. The security manager preferably checks the security relationships for security violations when new execution units start execution, when data moves to or from an execution unit, and when an execution unit requests external services. Where the security manager determines there is a security violation based on the security relationships, the security manager may move, delay or kill an execution unit to maintain data security.
    Type: Grant
    Filed: June 7, 2010
    Date of Patent: June 25, 2013
    Assignee: International Business Machines Corporation
    Inventors: Michael J. Branson, John M. Santosuosso
  • Patent number: 8473417
    Abstract: Communicating program data between a first device and a second device comprises disassembling a first program file comprising program data into at least one logical data unit, partitioning each of the at least one logical data unit into at least one protocol data unit and computing a first fingerprint over the payload portion of the at least one protocol data unit of the at least one logical data unit. The format of the at least one protocol data unit is defined by a communication protocol and includes a payload portion.
    Type: Grant
    Filed: June 6, 2011
    Date of Patent: June 25, 2013
    Assignee: Oracle America, Inc.
    Inventor: Eduard de Jong
  • Patent number: 8474034
    Abstract: An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer.
    Type: Grant
    Filed: April 19, 2011
    Date of Patent: June 25, 2013
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xiangyang Zhang, Xiaoyong Yi
  • Patent number: 8468220
    Abstract: A computer executed method is disclosed for sorting a plurality of internet protocol (IP) addresses. The method includes dividing the range of IP addresses into a plurality of clusters representing a plurality of contiguous sub-ranges, assigning each IP address to the cluster associated with the sub-range that includes that IP address, and assigning the IP addresses in each cluster to one of a plurality of pages. If one of the pages has a size less than a page size limit, the method includes duplicating on that page at least one of the IP addresses assigned to that page. For each page, the IP addresses assigned to that page are ordered by numeric value. A network appliance incorporating aspects of the method is also disclosed.
    Type: Grant
    Filed: July 27, 2009
    Date of Patent: June 18, 2013
    Assignee: Techguard Security LLC
    Inventor: David Edward Maestas
  • Publication number: 20130152191
    Abstract: A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster.
    Type: Application
    Filed: December 13, 2011
    Publication date: June 13, 2013
    Inventors: David Andrew Bright, Michael James Silbersack, Aaron Christopher Bucher
  • Patent number: 8462786
    Abstract: A method is provided for constructing a packet classifier for a computer network system. The method includes: receiving a set of rules for packet classification, where a rule sets forth values for fields in a data packet and a decision for data packets having matching field values; representing the set of rules as a directed graph; partitioning the graph into at least two partitions; generating at least one lookup table for each partition of the graph; and instantiating the lookup tables from one partition on a first content-addressable memory and the lookup tables from the other partition on a second content-addressable memory device.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: June 11, 2013
    Assignee: Board of Trustees of Michigan State University
    Inventors: Alex X. Liu, Chad R. Meiners, Eric Torng
  • Patent number: 8463880
    Abstract: Systems and methods of removing a tunnel created when a client having an active IP session with a first portal point in a first subnet of a network, disconnects from the first portal point and reconnects to a second portal point in a second subnet of the network, the client maintaining an IP address assigned to it by the first subnet, embodiments of the method including the steps of determining whether data is scheduled to transfer from the second portal point to the client; if no data is scheduled, disconnecting the client from the second portal point; deactivating the IP session, whereby the IP address is released to the first subnet; removing the tunnel; reconnecting the client to the second portal point; and activating a second IP session between the client and the second portal point, whereby a second IP address is assigned to the client by the second subnet.
    Type: Grant
    Filed: March 24, 2008
    Date of Patent: June 11, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Sankarlingam Dandabany
  • Patent number: 8464330
    Abstract: An agent device is connected with one or more image-forming devices in a local network having a firewall provided therein. A management device carries out remote management of the image-forming devices in the local network through the Internet. The agent device includes a command receiving unit which starts connection with the management device and receives a management command from the management device via the firewall, the command being sent by the management device in response to the connection. An image-forming-device communication unit receives device-state information of a corresponding one of the image-forming devices according to the management command. A command response transmitting unit transmits the device-state information to the management device through the Internet.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: June 11, 2013
    Assignee: Ricoh Company, Ltd.
    Inventor: Tatsuya Imai
  • Patent number: 8464329
    Abstract: A security device for SIP communications operates to inhibit the effect of malicious attacks and/or inadvertent erroneous events on the provision of SIP-based services within a private network and between private and public networks. The security device acts as a conventional Firewall, NAT and PAT to isolate SIP User Agents on the private network from SIP User Agents on the public network and to Blacklist undesired callers. Also, the security device preferably includes a virus scanner to scan attachments to sessions and/or other communications to identify and block virus contaminated data and the security device includes a hardened SIP stack to scan for and detect malformed SIP messages to prevent malicious attacks and/or inadvertent erroneous messages from adversely impacting the operation of SIP services.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: June 11, 2013
    Assignee: Watchguard Technologies, Inc.
    Inventor: Richard Melvin Fogel
  • Patent number: 8458786
    Abstract: Systems, methods and apparatus for tunneling in a cloud based security system. In an aspect, tunnel session data describing authentication and unauthenticated sessions, and location data describing tunnel identifiers for tunnels, locations, and security policies specific to the locations are accessed. Tunnel packets are received, and for each tunnel packet it is determined, from the tunnel identifier associated with the packet, whether a session entry in the session data exists for the tunnel identified by the tunnel identifier. In response to determining that a session entry does not exist in the session data, then a session entry is created for the tunnel identifier, an authentication process to determine a location to be associated with the session entry is performed, and an entry in the location data for the location is associated with the session entry.
    Type: Grant
    Filed: August 13, 2010
    Date of Patent: June 4, 2013
    Assignee: Zscaler, Inc.
    Inventors: Kailash Kailash, Jose Raphel, Srikanth Devarajan
  • Patent number: 8458467
    Abstract: Application message payload data elements are transformed within a network infrastructure element such as a packet data router or switch. The network element has application message transformation logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting an application message payload from the input application message; identifying one or more first content elements in the application message payload; transforming the first content elements into one or more second content elements of an output application message; and forwarding the output application message to a destination that is identified in the input application message. Transformations performed in the network element can include field reordering, field enrichment, field filtering, and presentation transformation.
    Type: Grant
    Filed: April 5, 2006
    Date of Patent: June 4, 2013
    Assignee: Cisco Technology, Inc.
    Inventors: Vinod Dashora, Sandeep Kumar
  • Publication number: 20130139247
    Abstract: In one embodiment, a processor-implemented method for monitoring network traffic between a first device executing a software application and a second device coupled to the first device. The method includes: (a) the processor analyzing application-level data contained within traffic originating from and/or received by the first device, the application-level data including data provided to and/or provided by the software application; (b) based on the results of the analysis in step (a), the processor creating one or more access rules; (c) the processor receiving a request from the second device to access the first device, the request including application-level data; and (d) the processor determining whether the request received in step (c) complies with one or more of the access rules.
    Type: Application
    Filed: November 29, 2012
    Publication date: May 30, 2013
    Applicant: BAYSHORE NETWORKS, INC.
    Inventor: BAYSHORE NETWORKS, INC.
  • Publication number: 20130138958
    Abstract: Monitoring computer devices operating on a network is disclosed. Computer devices are all different and require monitoring settings that are tailored to their specific requirements. One example method of assigning a sample set to a network device operating on a network may include identifying the at least one network device, and identifying at least one object identifier associated with the at least one identified network device. The method may also include transmitting the at least one object identified to a memory location, and comparing the at least one object identifier to a plurality of sample sets and assigning relevancy scores to the plurality of sample sets based on the comparison. The method may also include assigning at least one sample set having a greater relevancy score than the other sample sets to the at least one network device. The sample sets may be SNMP sample sets.
    Type: Application
    Filed: January 28, 2013
    Publication date: May 30, 2013
    Inventor: Corey Dana Mandell
  • Patent number: 8452954
    Abstract: Methods and systems to bind a computer device to one or more computer systems, such that only an authorized computer system may access a protected portion of the device. A processor within the computer system may provide a proxy environment to interface between the device and a trusted environment of the computer system, such as a management environment that is secure from the proxy environment. The device may be configured to authenticate the trusted environment through the proxy environment, and to verify integrity of messages exchanged with the trusted environment through the proxy environment. Authentication may include an SSL and/or TLS handshake protocol. The device may be configured to authenticate a certificate, such as an X.509 certificate, a certificate chain, and/or a hash thereof. The device may include computer memory, a printer, display, circuit board, keyboard, mouse, pointing device, and/or other physical device.
    Type: Grant
    Filed: April 8, 2010
    Date of Patent: May 28, 2013
    Assignee: Intel Corporation
    Inventors: Robert W. Strong, Steve Grobman, Craig Owen
  • Patent number: 8453230
    Abstract: A communicating apparatus that is able to perform IP-FAX communication without making the user aware of the attack and without any difficulty, even if the device recognizes a DoS attack or the like. Communication that uses a SIP server on a network is performed by a communicating unit. Unauthorized communication from the communication performed by the communicating unit is detected. A port number of a receiving port of the communicating unit is changed when the unauthorized communication is detected. It is determined whether or not the detected unauthorized communication has passed through the SIP server.
    Type: Grant
    Filed: July 1, 2011
    Date of Patent: May 28, 2013
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hidenori Yokokura
  • Patent number: 8452974
    Abstract: An image processing apparatus includes a first partial information providing unit that provides first partial information to another device holding a first signing key KS corresponding to a first verification key KV, the first partial information constituting a part of a second verification key KV′ (KV′ ≠ KV) that is capable of verifying an electronic signature σ generated using the first signing key KS and being unable to identify the second verification key KV′; a second partial information acquisition unit that acquires second partial information which is generated by the another device using the first partial information and the first signing key KS, and which is unable to identify the first signing key KS and used for generating the remaining part of the second verification key KV′; and a second verification key generation unit that generates the second verification key KV′ based on the first and second partial information.
    Type: Grant
    Filed: April 23, 2010
    Date of Patent: May 28, 2013
    Assignee: Sony Corporation
    Inventor: Koichi Sakumoto
  • Patent number: 8448236
    Abstract: A system, method, and device optionally includes a server that is isolated from open networks which assigns secure random socket connections, e.g., communication ports that have randomly selected addresses that are hidden from accessing devices. Optionally, the secure random socket connections are dynamically assigned, i.e., the secure random socket connections are closed and opened with each command to access data secured by the server.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: May 21, 2013
    Inventors: Wayne Odom, Karolyn Gee
  • Patent number: 8448235
    Abstract: An initiating device: generates a message having an ISAKMP-based header that includes a security parameter index (SPI) field; identifies a key in the SPI field of the ISAKMP-based header; and sends the message to a responding device. The responding device: receives the message; extracts the key identifier; and when a shared key is selected using the key identifier, uses the selected shared key to establish, with the initiating device, a session having a secure tunnel.
    Type: Grant
    Filed: June 30, 2011
    Date of Patent: May 21, 2013
    Assignee: Motorola Solutions, Inc.
    Inventors: Timothy M. Langham, Thomas J. Senese
  • Publication number: 20130124851
    Abstract: A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.
    Type: Application
    Filed: November 11, 2011
    Publication date: May 16, 2013
    Inventor: Michael T. Kain
  • Patent number: 8441974
    Abstract: The present invention relates to a method of providing a multicast broadcast service. A message for providing an MBS (Multicast Broadcast Service) between network constituent elements is defined by applying a message defined in a wireless channel, and functions and parameters to be performed by the network constituent elements are defined. Therefore, the MBS can be provided in a wideband wireless access network that is a field of a mobile communication system and includes a wire channel.
    Type: Grant
    Filed: September 7, 2007
    Date of Patent: May 14, 2013
    Assignees: Samsung Electronics Co., Ltd., Electronics and Telecommunications Research Inst.
    Inventors: Jung-Mo Moon, Mi-Young Yun, Sang-Ho Lee
  • Patent number: 8443440
    Abstract: A distributed and coordinated security system providing intrusion-detection and intrusion-prevention for the virtual machines (VMs) in a virtual server is described. The virtualization platform of the virtual server is enhanced with networking drivers that provide a “fast path” firewall function for pre-configured guest VMs that already have dedicated deep packet inspection security agents installed. A separate security VM is deployed to provide virtual security agents providing deep packet inspection for non pre-configured guest VMs. The network drivers are then configured to intercept the data traffic of these guest VMs and route it through their corresponding virtual security agents, thus providing a “slow-path” for intrusion detection and prevention.
    Type: Grant
    Filed: April 3, 2009
    Date of Patent: May 14, 2013
    Assignee: Trend Micro Incorporated
    Inventor: William Gerald McGee
  • Publication number: 20130117837
    Abstract: A method may include defining a filter for a network device, the filter including a rule and a particular number of prioritized fields, where at least one of the prioritized fields is formatted to accept input as a range of values. The method may also include receiving a rule modification for the filter, the rule modification including at least one input as a range of values, and performing a check for conflicts of the rule modification with the rule in the filter. The method may further include expanding the input range of values to form multiple rules equivalent to the rule modification with the input range of values, establishing backtracking links to integrate the multiple rules with the existing rule, and adding the multiple rules to the filter.
    Type: Application
    Filed: December 21, 2012
    Publication date: May 9, 2013
    Applicant: JUNIPER NETWORKS, INC.
    Inventor: Juniper Networks, Inc.
  • Patent number: 8438380
    Abstract: A method for controlling a remote wireless device with a user device includes the user device sending a request message packet to the remote wireless device, where the remote wireless device verifies the request message packet and sends a reply message packet to the user device if the request message packet passes verification. The user device verifies the reply message packet and sends a control message packet to the remote wireless device if the reply message packet passes verification. The remote wireless device verifies the control message packet and sends an acknowledgment message packet to the user device if the control message packet passes verification.
    Type: Grant
    Filed: December 2, 2009
    Date of Patent: May 7, 2013
    Assignees: Ambit Microsystems (Shanghai) Ltd., Hon Hai Precision Industry Co., Ltd.
    Inventors: Chi-Ming Lu, Dong-Ming Li
  • Patent number: 8438390
    Abstract: A system that facilitates enhancing security for a computer device by obtaining a link layer address of an IPv6 IPsec address. The system including a computer device having a software module, which performs the following steps: capturing multicast addresses and solicited multicast addresses for one or more IPv6 IPsec addresses; calculating the computer device identifier from the one or more multicast addresses and solicited multicast addresses; storing the computer device identifier for the one or more multicast addresses and solicited multicast addresses; sending a neighbor solicitation to one or more of the IPv6 IPsec addresses as a tentative target address simulating double address detection; capturing the neighbor advertisement response from the one or more IPv6 IPsec addresses and calculating a link-layer identifier; generating a neighbor cache with the link-layer identifier; and enabling IPv6 IPsec communication with the one or more IPv6 IPsec addresses using the link-layer identifier.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: May 7, 2013
    Assignee: Konica Minolta Laboratory U.S.A., Inc.
    Inventor: Maria Perez
  • Patent number: 8438629
    Abstract: A packet security method and apparatus adjusts a security level of the packet according to a feature of the packet. The packet security method includes detecting a feature of a packet to be transmitted, determining a security level of the packet according to the detected feature, and generating a security packet according to the determined security level. The feature of the packet is at least one of a destination address of the packet, a transfer protocol of the packet, a packet size, an application for the packet, and a designated security level for the packet. According to the method, the security function is adaptively applied according to the feature of the packet being transmitted, and thus flexibility can be provided in the application of the security function to achieve an efficient use of resources.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: May 7, 2013
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yung-ji Lee, Kyung-hee Lee
  • Patent number: 8438624
    Abstract: A method for modifying one or more system resources is provided. One or more licenses for modifying one or more system resources on a client device can be acquired. An authenticator can be generated and stored on a remote server. The authenticator can be transferred to the client device. The client device can be connected to the remote server and the remote server can authenticate the client device via the authenticator. The remote server can confirm the availability of one or more licenses, and based on the availability of one or more licenses, modify one or more system resources disposed in, on, or about the client device. After modifying the one or more system resources the remote server can decrement the remaining license count.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: May 7, 2013
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Paul J Broyles, Bernard D Desselle
  • Patent number: 8438627
    Abstract: A system, a method and computer-readable media for establishing connectivity over a plurality of access technologies. A system is provided that includes a client device. The client device is configured to communicate over a network by utilizing at least two access technologies. The system also includes a gateway in communication with the client device. The gateway includes multiple access technology termination nodes configured to support communications utilizing multiple access technologies. The gateway also includes a registration manager configured to assign the client device an address for identifying the client device. The registration manager is further configured to maintain the address assigned to the client device when the client device switches from utilizing a first access technology to utilizing a second access technology.
    Type: Grant
    Filed: October 3, 2006
    Date of Patent: May 7, 2013
    Assignee: Sprint Communications Company L.P.
    Inventors: Brent Hirschman, Jeremy Breau