Security Protocols Patents (Class 726/14)
  • Patent number: 8285812
    Abstract: Various technologies for sharing digital images within an instant messaging (IM) session between two users. In one implementation, a first user uploads a set of images to the second user. The set of images may be displayed as thumbnails on the displays of both users. By clicking on one of the thumbnails, either user may make the associated image appear as a larger image on both users' displays. In the event that both users click on different images simultaneously, or near-simultaneously, a protocol may be employed that selects which image is displayed.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: October 9, 2012
    Assignee: Microsoft Corporation
    Inventors: K. Aaron Williams, John Selbie, Drew Canitz, Kandarp Jani, Steven Abrahams, Troy Schauls, Asta Roseway
  • Patent number: 8284932
    Abstract: This specification describes technologies relating to imparting cryptographic information in network communications.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: October 9, 2012
    Assignee: Adobe Systems Incorporated
    Inventors: Asa Whillock, Edward Chan, Srinivas Manapragada, Matthew Kaufman, Pritham Shetty, Michael Thornburgh
  • Patent number: 8281384
    Abstract: Methods of enabling access to data using a portable electronic device within a private network protected by a firewall are disclosed. The data may be transmitted in packets to the portable electronic device and may be consumed either instantly or subsequently. The methods may utilise either at least one web storage or an agent server.
    Type: Grant
    Filed: September 4, 2008
    Date of Patent: October 2, 2012
    Assignee: Creative Technology Ltd
    Inventors: Wong Hoo Sim, Seh Eing Lim
  • Patent number: 8280820
    Abstract: A method for capturing data packets sent on a network for evaluating response time performance, the network including a financial institution and a partner bank. The method includes associating a captured data packet sent to the partner bank with a captured data packet received from the partner bank, by comparing at least one coded field of a data portion of the captured data packet sent to the partner bank with at least one coded field of a captured data portion of the data packet received from the partner bank. The method also includes measuring a response time of the associated data packet received from the partner bank, relative to a transmission time of the captured data packet sent to the partner bank. The method further includes transmitting an alert message upon determining that the response time is not within an adjustable predetermined threshold, wherein the alert message includes data from a data portion of the associated data packets.
    Type: Grant
    Filed: February 25, 2011
    Date of Patent: October 2, 2012
    Assignee: American Express Travel Related Services Company, Inc.
    Inventor: Jon E. Atkinson
  • Patent number: 8281410
    Abstract: A computer-implemented method may provide resource-access information. The computer-implemented method may include determining a resource-access scope of a software application and determining whether a resource is within the resource-access scope. The computer-implemented method may also include retrieving resource information associated with the resource from a resource-information database and providing a notification that indicates whether the resource is within the resource-access scope. The notification may comprise the resource information. Additional computer-implemented methods and systems are also disclosed.
    Type: Grant
    Filed: March 31, 2008
    Date of Patent: October 2, 2012
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Brian Hernacki
  • Patent number: 8281124
    Abstract: A network apparatus which is connected to a network is disclosed. The network apparatus includes a managing unit which manages an address range in which addresses to be allocated to a destination network apparatus are registered and encryption parameters for encrypting data to be transmitted to the destination network apparatus so that the address range and the encryption parameters are related to each other, an address generating unit which generates an address for the destination network apparatus by selecting an address in the address range, and an encryption unit which encrypts the data to be transmitted to the address generated by the address generating unit based on the encryption parameters.
    Type: Grant
    Filed: March 12, 2007
    Date of Patent: October 2, 2012
    Assignee: Ricoh Company, Ltd.
    Inventor: Hiroshi Tamura
  • Publication number: 20120246712
    Abstract: Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Media Gateway Control Protocol (MGCP) media gateway within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.
    Type: Application
    Filed: June 7, 2012
    Publication date: September 27, 2012
    Applicant: Fortinet, Inc.
    Inventor: Michael Xie
  • Patent number: 8275884
    Abstract: A method and apparatus for securely sharing content are provided, which can securely share the content without allowing access by unauthorized third parties. The method of securely sharing content includes a first domain, which has content that requires security among a plurality of domains logically generated on a hardware platform, sharing the content with at least one second domain, and if the second domain intends to write the content in a region in which writing is not permitted, preventing the writing of the content.
    Type: Grant
    Filed: December 12, 2008
    Date of Patent: September 25, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Joo-Young Hwang, Sang-Bum Suh
  • Publication number: 20120240216
    Abstract: A method for lawfully intercepting communication IP packets exchanged between terminals is provided. The method involves assigning an IP address associated with a telecommunication service provider to, for example, a sending terminal for use as its IP address in communications with a receiving terminal, the telecommunication service provider providing SIP proxy services for establishing communication between the sending and receiving terminals. The communication IP packets are intercepted in such a way that the terminals are unaware of the interception.
    Type: Application
    Filed: May 25, 2012
    Publication date: September 20, 2012
    Applicant: MEDIA PATENTS, S.L.
    Inventor: Alvaro Fernández Gutierrez
  • Patent number: 8271777
    Abstract: The present patent disclosure describes a system and method for maintaining persistent secure connections between a terminal and a host. The system comprises a session manager component for storing session information associated with a terminal identifier (ID) of the terminal, the session information comprising a client connection ID for identifying a persistent secure client connection and a terminal connection ID for identifying a secure terminal connection. The system also comprises a connection manager component for establishing communication between the persistent secure client connection, identified by the client connection ID, and the secure terminal connection, identified by the terminal connection ID.
    Type: Grant
    Filed: September 5, 2008
    Date of Patent: September 18, 2012
    Assignee: Psion Teklogix Inc.
    Inventor: Boris Borisov
  • Patent number: 8272046
    Abstract: Methods and apparatus for applying a single virtual private network (VPN) address to tunnels or connections associated with different access interfaces are disclosed. In one embodiment, a method includes establishing a first tunnel between a node and a VPN server. The first tunnel has a first address. The method also includes assigning a VPN address to the first tunnel, as well as establishing a second tunnel between the node and the VPN server. The second tunnel has a second address. The VPN address is assigned to the second tunnel, and the VPN address is accessed by both the first address and the second address.
    Type: Grant
    Filed: November 13, 2007
    Date of Patent: September 18, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Srinath Gundavelli, Paulina Dung Tran, Kent Leung
  • Patent number: 8272041
    Abstract: Generally speaking, systems, methods and media for implementing a firewall control system responsive to process interrogations are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program and determining whether a process rule exists for the associated program, where the process rule includes a condition to be satisfied for a process of the user computer system. Embodiments may also include, in response to determining that a process rule does exist, determining a method for evaluating a status of the process and determining a current status of the process. Embodiments may also include determining whether the process rule is satisfied based on the current status of the process and using the determined evaluation method. Embodiments may also include, in response to determining whether the condition of the process rule is satisfied, performing one or more firewall actions.
    Type: Grant
    Filed: June 21, 2007
    Date of Patent: September 18, 2012
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker
  • Patent number: 8271778
    Abstract: A system and method for monitoring secure digital data on a network are provided. An exemplary network monitoring system may include a network device in communication with a user and a network. Further, a server may be in communication with the network. A browser and monitoring program may be stored on the network device, and the network device may receive secure digital data from the network. The browser may convert the secure digital data or a portion thereof into source data, and the monitoring program may transfer the source data or a portion thereof to the server. In an exemplary embodiment, the monitoring program may include a service component and an interface program.
    Type: Grant
    Filed: July 24, 2002
    Date of Patent: September 18, 2012
    Assignee: The Nielsen Company (US), LLC
    Inventors: Todd Tao Zhou, Ricardo Batista
  • Patent number: 8272042
    Abstract: A system, method and computer program product are provided for monitoring data traffic on one or more networks, determining the classification of the data based on an organization's classification rules, and assigning a classification to one or more entities involved in the transmission of the data, the classification being based at least in part on the classification of the data being transmitted. The classification rules may be based on an organization's classification categories of confidentiality, integrity and availability (CIA). The system, method and computer program product are also provided for implementing controls based on the classifications of the various entities, such as issuing an alert and/or preventing transmission of data if the data is transmitted between two entities that have different classifications.
    Type: Grant
    Filed: December 1, 2006
    Date of Patent: September 18, 2012
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: James T. McConnell, David Dumas
  • Patent number: 8272043
    Abstract: Generally speaking, systems, methods and media for implementing a firewall control system responsive to user authentications are disclosed. Embodiments of a method may include receiving a data request at a firewall where the data request is associated with a program. Embodiments may include determining whether an authentication plan is required to be matched for the associated program and, if so, accessing a stored authentication plan associated with the program and having one or more authentication records each having expected information relating to user access to a particular server. Embodiments may include accessing a current authentication plan from an authentication store, the current authentication plan having one or more authentication records each having information relating to user access to a particular server.
    Type: Grant
    Filed: June 21, 2007
    Date of Patent: September 18, 2012
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker
  • Patent number: 8272044
    Abstract: A technique to mitigate low rate Denial-of-Service (DoS) attacks at routers in the Internet is described. In phase 1, necessary flow information from the packets traversing through the router is stored in fast memory; and in phase 2, stored flow information is periodically moved to slow memory from the fast memory for further analysis. The system detects a sudden increase in the traffic load of expired flows within a short period. In a network without low rate DoS attacks, the traffic load of all the expired flows is less than certain thresholds which are derived from real Internet traffic analysis. The system can also include a filtering solution to drop attack packets. The filtering scheme treats the long-lived flows in the Internet preferentially, and drops the attack traffic by monitoring the queue length if the queue length exceeds a threshold percent of the queue limit.
    Type: Grant
    Filed: May 27, 2008
    Date of Patent: September 18, 2012
    Assignee: New Jersey Institute of Technology
    Inventors: Nirwan Ansari, Amey Bhaskar Shevtekar
  • Patent number: 8266688
    Abstract: The present solution reduces the attack surface of a server by selectively opening a server port for listening when a client has been authenticated/authorized via another machine or process, and directed to connect to the server in question. When not selectively listening on a port, the server does not listen or open ports for connections or otherwise minimizes the number of open ports. By selectively listening for connections, the server reduces the opportunity for hackers to attack the server process, and improves the security of the server. The ability to selectively listen on a port at specific times may be combined with additional meta information—like ticketing and prior authentication information to help further secure the server. The meta information may identify and ensure that only the correct remote endpoint is allowed to connect via the port.
    Type: Grant
    Filed: October 19, 2007
    Date of Patent: September 11, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Andrew Gerard Borzycki, Nicholas Alexander Bissett, Donovan Ross Hackett, Michael John Wookey, Richard Jason Croft, Jeffrey Dale Muir
  • Patent number: 8266677
    Abstract: Systems and methods provide for secure communications between local and remote devices or networks in virtual private networks. Data can be communicated between the local and remote devices using the User Datagram Protocol (UDP) to reduce network overhead for the data communications. The UDP-based data communications are made secure and reliable by various techniques, for example: confirming that a packet sent by a source component is received by the receiving component, and guaranteeing packet sequencing by buffering packets as they are received and only delivering them to the target in the original sequence that they were sent from the source. Because TCP based communications are common, a TCP-style API can be used to enable programmers to more easily implement the UDP-based communications. Other embodiments of the invention relate to transport protocol enhancements for use within virtual private networks, including protocol mapping, protocol buffering, and protocol filtering.
    Type: Grant
    Filed: July 2, 2004
    Date of Patent: September 11, 2012
    Assignee: Intellisync Corporation
    Inventors: Darren L. Wesemann, Joel E. Hull, Olaf D Jensen
  • Patent number: 8266687
    Abstract: In embodiments of the present invention improved capabilities are described for systems, methods, and devices that determine whether a website request is from a proxy website or an anonymizer. Embodiments intercept a website request from an end point; identify at least one cookie present in said website request; analyze a predetermined characteristic of said website request, where the predetermined characteristic is associated with the cookie; and apply a rule corresponding to said predetermined characteristic to make the determination as to whether the request is from a proxy website or anonymizer.
    Type: Grant
    Filed: March 27, 2009
    Date of Patent: September 11, 2012
    Assignee: Sophos PLC
    Inventor: Richard J. Baldry
  • Patent number: 8264961
    Abstract: A method and system for multicast and broadcast system (MCBCS) synchronization and macro diversity is provided. In an embodiment, an MBS Proxy creates the necessary messages with synchronization rules embedded therein. The messages are provided to an MBS Distributed DPF and a base station, which performs a final PHY frame construction for transmission. In another embodiment, the MBS Proxy provides the necessary information to the base station and the base station creates the messages, including the synchronization rules. In yet another embodiment, the base station receives raw IP packet information and synchronization information. In this last embodiment, the base station creates the packets and frames based on the information provided to it.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: September 11, 2012
    Assignee: FutureWei Technologies, Inc.
    Inventors: Phillip Barber, Liang Gu, Limei Wang
  • Patent number: 8266689
    Abstract: A bilateral data transfer system comprising a first node, a second node, a first one-way link for unidirectional transfer of first data from the first node to the second node, and a second one-way link for unidirectional transfer of second data from the second node to the first node, wherein the unidirectional transfer of the first data across the first one-way link and the unidirectional transfer of the second data across the second one-way link are independently administered by the bilateral data transfer system. Under such bilateral data transfer system, each of the one-way data links may be subject to separately administered security restrictions and data filtering processes. Hence, it enables secure bilateral communications across different network security domains.
    Type: Grant
    Filed: June 24, 2011
    Date of Patent: September 11, 2012
    Assignee: Owl Computing Technologies, Inc.
    Inventors: Jeffrey Charles Menoher, James Hope, Ronald Mraz
  • Patent number: 8266685
    Abstract: Embodiments of the invention are directed to a firewall installer that receives a set of configuration instructions for configuring a firewall in a declarative format that describes one or more rules to be implemented by the firewall, and that automatically configures the firewall. Providing a firewall installer that is capable of configuring a firewall based upon declarative input rather than procedural process-oriented input facilitates administration of a firewall by allowing an administrator to specify desired firewall configuration at a higher, declarative level and frees the administrator from the need to specify procedures for implementing configuration changes in the firewall. In one embodiment of the invention, the firewall installer can receive and store input for configuring a firewall even when the firewall is not running, such that the firewall executes on those configuration changes when it next comes online.
    Type: Grant
    Filed: May 18, 2007
    Date of Patent: September 11, 2012
    Assignee: Microsoft Corporation
    Inventors: David Abzarian, Eran Yariv, Emanuel Paleologu, Gerardo Diaz Cuellar, Ian Carbaugh
  • Patent number: 8260259
    Abstract: Methods and devices for instructing a subscriber identity module in a cellular communications network to process non-standard authentication information in a standard manner are disclosed. One embodiment of a method comprises receiving a first message authentication code (MAC) and an authentication management field (AMF) at a subscriber identity module as part of an authentication protocol, calculating a second MAC and determining whether the second MAC is equivalent to the first MAC. If the first and second MAC are not equivalent, the SIM calculates a third MAC and determines whether the first MAC is equivalent to the third MAC, and if so, the subscriber identity module processes the AMF in a predefined or standard manner.
    Type: Grant
    Filed: September 2, 2005
    Date of Patent: September 4, 2012
    Assignee: QUALCOMM Incorporated
    Inventors: James Semple, Gregory G. Rose, Michael Paddon, Philip Michael Hawkes
  • Patent number: 8261340
    Abstract: A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway.
    Type: Grant
    Filed: January 27, 2010
    Date of Patent: September 4, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Abhishek Chauhan, Rajiv Mirani, Prince Kohli
  • Patent number: 8261351
    Abstract: Embodiments are directed towards providing protection to DNS servers against DNS flood attacks by causing a requesting device to perform multiple DNS lookup requests for resolving a resource record. A request from a network device for a resolution of a domain name may be received by a device interposed between the requesting network device and a DNS server. Upon receiving the request to resolve the domain name, the interposed device may respond with a CNAME that includes a cookie. The requesting device may then send another request that includes the CNAME preceded by the cookie. The interposed device may then validate the cookie returned in the CNAME and, if valid, forward the domain name resolution request on to a DNS server. The response may then be forwarded to the requesting device.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: September 4, 2012
    Assignee: F5 Networks, Inc.
    Inventors: Peter M. Thornewell, Lisa M. Golden
  • Publication number: 20120222108
    Abstract: A system and method for automatically and dynamically initiating and establishing secure connections between a Server and a Client using a session control server (SCS). Both the Server and the Client are connected to an untrusted network (such as the Internet) through a Network Address Translator or Translation (NAT) router or a firewall. The SCS, independently trusted by both the Server and the Client, brokers the required connection parameters to establish a secure connection between the Server and the Client. The system and method does not require any user configuration on the Client and eliminates the need for the Server to accept explicit connection requests or packets from the Client, thereby allowing the Server firewall to always remain closed to all inbound traffic.
    Type: Application
    Filed: May 9, 2012
    Publication date: August 30, 2012
    Applicant: SIMtone Corporation (f/k/a XDS, Inc.)
    Inventors: Brian Gillespie, Helmut Salmen, David Tracey
  • Patent number: 8255682
    Abstract: A system that eliminates some of the security vulnerabilities in the prior art systems by using a new sequence of steps to perform initialization of the cable modem: Instead of performing authentication after the cable modem has been registered, the cable modem authentication step is performed immediately after the cable modem completes ranging. Thus an early authentication method and system are provided. The control of authentication is shifted from the cable modem to the CMTS. Instead of the CMTS relying on a Registration Request message (REG-REQ) to determine whether a cable modem must perform authentication (that is, to determine if BPI+ is enabled), the CMTS configuration is what determines whether a cable modem must perform authentication.
    Type: Grant
    Filed: July 27, 2006
    Date of Patent: August 28, 2012
    Assignee: Cisco Technology, Inc.
    Inventor: Shengyou Zeng
  • Patent number: 8254882
    Abstract: In one embodiment, a method includes receiving security context information relevant to a connection between a wireless network infrastructure component and a wireless client, wherein the security context information comprises at least, an identification of the wireless client, and wherein the security context information identifies any security protocols associated with the connection; validating the connection based on the security context information; and transmitting the security context information to one or more detector wireless access points.
    Type: Grant
    Filed: January 29, 2007
    Date of Patent: August 28, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Nancy Cam-Winget, Mark Krischer, Robert B. O'Hara, Jr.
  • Patent number: 8255985
    Abstract: Recommending a security policy to a firewall, includes receiving a request from a firewall for a recommendation as to whether the firewall should allow or block a detected present communication for which the firewall does not have an existing security policy. Information about past blocked and allowed communications at other firewalls on a network is searched to identify past communications that are similar to the present communication. The identified past communications are assigned a respective positive or negative vote. A positive vote indicates a past communication was allowed and a negative vote indicates a past communication was not allowed. A positive recommendation is sent to the requesting firewall to allow the present communication if the positive votes outnumber the negative votes, and a negative recommendation is sent to the requesting firewall to block the present communication if the negative votes outnumber the positive votes.
    Type: Grant
    Filed: November 13, 2006
    Date of Patent: August 28, 2012
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Jeffrey Aaron
  • Patent number: 8255987
    Abstract: Communication abuse prevention techniques are described. In an implementation, a reputation level for a communication is determined based on relation information for a sender and an intended recipient of the communication. A challenge is invoked that is to be completed by the sender before the communication is sent. The challenge is selected based on the reputation level for the communication.
    Type: Grant
    Filed: January 15, 2009
    Date of Patent: August 28, 2012
    Assignee: Microsoft Corporation
    Inventors: Joseph Andrew Bono, Thomas R. Bauman, Jeffrey E. Steinbok, Eileen S. Hash, Dan Wu
  • Patent number: 8250359
    Abstract: A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt, then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.
    Type: Grant
    Filed: April 14, 2010
    Date of Patent: August 21, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Brian E. Weis, Jan Vilhuber, Michael Lee Sullenberger, Frederic R. P. Detienne
  • Patent number: 8250357
    Abstract: A flexible, scalable hardware and software platform that allows a service provider to easily provide internet services, virtual private network services, firewall services, etc., to a plurality of customers. One aspect provides a method and system for delivering security services. This includes connecting a plurality of processors in a ring configuration within a first processing system, establishing a secure connection between the processors in the ring configuration across an internet protocol (IP) connection to a second processing system to form a tunnel, and providing both router services and host services for a customer using the plurality of processors in the ring configuration and using the second processing system. A secure communications tunnel is formed by routing all packets for the tunnel through an encrypting router at the sending end to obtain encrypted packets, and routing the encrypted packets through a decrypting router at the receiving end of an IP connection.
    Type: Grant
    Filed: September 13, 2001
    Date of Patent: August 21, 2012
    Assignee: Fortinet, Inc.
    Inventors: Chih-Tang Sun, Kiho Yum, Abraham R. Matthews
  • Patent number: 8245028
    Abstract: Communication nodes, acting as intermediate routers for communication packets transmitted between a source node and a destination node, are provided with different access rights to the fields of the routed communication packets. Routes of intermediate routers between the source node and the destination node are discovered and the identities of intermediate routers on the discovered routes are collected. The aggregate trust levels of the intermediate routers are computed allowing the most trusted route to be selected. Encryption keys are securely distributed to intermediate routers on the most trusted route based on the trust level of the intermediate routers and fields of the communication packets are encrypted with encryption keys corresponding to the assigned trust level. Intermediate nodes are thereby prevented from accessing selected fields of the communication packets.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: August 14, 2012
    Assignee: Motorola Solutions, Inc.
    Inventors: George Calcev, Bogdan O Carbunar, Madjid F. Nakhjiri
  • Patent number: 8245287
    Abstract: The present invention relates to systems, apparatus, and methods of securely transmitting data between a client and a server. The method includes receiving an initial security message from the client. The security message is to establish security between the server and the client. Further, the client's security parameters are set to enabled and not required. The method further includes forwarding the initial security message to the server and intercepting a security response from the server. The response includes security data and security parameters set to enabled and required. The method includes extracting the security data from the security response, and using the security data to establish a secure socket connection between the proxy server and the server. Furthermore, the method alters the request by changing the security parameters to not enabled and not required, and transmits the altered request and establishes a non-secure socket connection.
    Type: Grant
    Filed: September 29, 2008
    Date of Patent: August 14, 2012
    Assignee: ViaSat, Inc.
    Inventor: Matthew Ian Hepburn
  • Patent number: 8239931
    Abstract: A communication apparatus used in a plurality of networks is disclosed. The communication apparatus includes a firewall which allows communication with the outside of the communication apparatus when disabled, and prohibits communication with the outside of the communication apparatus when enabled. Then, the communication apparatus includes a firewall control unit which acquires a first MAC address of a first default gateway provided for a predetermined specific network and a second MAC address of a second default gateway provided for a network to which the communication apparatus is currently connected, and controls the firewall according to a result of comparison of the first MAC address and the second MAC address.
    Type: Grant
    Filed: January 29, 2009
    Date of Patent: August 7, 2012
    Assignees: NEC Corporation, NEC Access Technica, Ltd.
    Inventors: Mamiko Hayasaka, Yoshinori Unno, Masanobu Kawashima
  • Patent number: 8239677
    Abstract: Embodiments of the present invention provide verification and/or authentication service engines that provide a customizable solution that can be “dialed” based on the risk level assigned to individual or grouped applications. The systems can also incorporate internal and external sources of data used to verify information provided by the user. It is dynamic and can pull information from a myriad of sources during the verification process, enabling credit reporting agencies (e.g., Equifax and others), FSPs, and other service providers to facilitate real-time approval and access to products and services.
    Type: Grant
    Filed: October 10, 2006
    Date of Patent: August 7, 2012
    Assignee: Equifax Inc.
    Inventor: Christen J. Colson
  • Patent number: 8239939
    Abstract: An exemplary computer-implementable method (300) transforms information to reduce or eliminate risk of exploitation of a software service and includes receiving information (304) in response to a request, transforming the information (308) to produce transformed information and sending the transformed information (312). An exemplary firewall server (112) includes server software (144, 148) that allows the firewall server (112) to receive information from a resource (104, 108) via a network and to send information to a client computer (114) and a browser protection component (264, 268) for transforming the information to prevent exploitation of a vulnerability of browser software (154) on the client computer (114). Various other exemplary methods, devices, systems, etc., are also disclosed.
    Type: Grant
    Filed: June 27, 2006
    Date of Patent: August 7, 2012
    Assignee: Microsoft Corporation
    Inventors: John Dunagan, Opher Dubrovsky, Saher Esmeir, Charles S Reis, Jiahe Helen Wang
  • Patent number: 8239929
    Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
    Type: Grant
    Filed: April 28, 2010
    Date of Patent: August 7, 2012
    Assignee: Foundry Networks, LLC
    Inventors: Philip Kwan, Chi-Jui Ho
  • Patent number: 8239960
    Abstract: Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point.
    Type: Grant
    Filed: March 26, 2010
    Date of Patent: August 7, 2012
    Assignee: Enterasys Networks, Inc.
    Inventors: David E. Frattura, Richard W. Graham, John Roese
  • Patent number: 8239933
    Abstract: It is convenient to allow access to a private network, such as a corporate intranet, or outward facing extranet application, from an external network, such as the Internet. Unfortunately, if an internal authentication system is used to control access from the external network, it may be attacked, such as by a malicious party intentionally attempting multiple invalid authentications to ultimately result in an attacked account being locked out. To circumvent this, an authentication front-end, proxy, wrapper, etc. may be employed which checks for lockout conditions prior to attempting to authenticate security credentials with the internal authentication system.
    Type: Grant
    Filed: February 23, 2010
    Date of Patent: August 7, 2012
    Assignee: Intel Corporation
    Inventor: Steven L. Grobman
  • Patent number: 8234256
    Abstract: A system and method is disclosed which enables network administrators and the like to quickly analyze the data produced by log-producing devices such as network firewalls and routers. Unlike systems of the prior art, the system disclosed herein automatically parses and summarizes log data before inserting it into one or more databases. This greatly reduces the volume of data stored in the database and permits database queries to be run and reports generated while many types of attempted breaches of network security are still in progress. Database maintenance may also be accomplished automatically by the system to delete or archive old log data.
    Type: Grant
    Filed: November 18, 2004
    Date of Patent: July 31, 2012
    Assignee: LogLogic, Inc.
    Inventors: Jason Michael DeStefano, Thomas Hunt Schabo Grabowski
  • Patent number: 8230218
    Abstract: A method in a communication system. The mobile station is provided with two or more separate subscriber modules having separate authentication identities. The modules are authenticated and a session key is established between these subscriber modules using the system as a trusted party. The invention improves the ability of the communication system to adjust to the varying operational conditions of the users, and user organizations.
    Type: Grant
    Filed: September 12, 2007
    Date of Patent: July 24, 2012
    Assignee: Eads Secure Networks Oy
    Inventor: Timo Stenberg
  • Patent number: 8230492
    Abstract: A method and apparatus for mitigating traffic increase due to both a proxy server and a network device transmitting response packets to a search request by multicast. The network device transmits to the proxy server information required for a client apparatus to communicate with the network device. When the proxy server is in a state where proxy-send of the information is possible, the network device restricts response to a search request by multicast from the client apparatus.
    Type: Grant
    Filed: September 22, 2006
    Date of Patent: July 24, 2012
    Assignee: Canon Kabushiki Kaisha
    Inventor: Katsuhiro Wada
  • Patent number: 8230508
    Abstract: An intrusion-prevention server supporting a set of hosts comprises data filters and an engine which uses a set of encoded rules for assigning data filters to hosts according to metadata characterizing the hosts. Each data filter corresponds to at least one intrusion pattern from among a set of intrusion patterns and the data filters are continuously updated as intrusion patterns change. Metadata acquired from a host varies with a changing state of the host. Acquisition of metadata from each host is streamlined to reduce communications between the server and the hosts and to minimize processing effort for both the server and the hosts.
    Type: Grant
    Filed: April 6, 2011
    Date of Patent: July 24, 2012
    Assignee: Trend Micro Incorporated
    Inventors: Anthony Robert Durie, William G. McGee
  • Patent number: 8225378
    Abstract: The auditing of authorization decisions is facilitated by integrating or coupling an audit policy to access control decisions. In an example implementation, an audit policy of an auditing scheme is coupled to a semantic framework of an access control scheme such that the audit policy is specified using at least a portion of the semantic framework. In another example implementation, audit policy rules include audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data of authorization decisions is to be included in an audit record. In yet another example implementation, a semantic of an audit trigger rule comports with a semantic framework of an access request and of a logical evaluation for an authorization decision.
    Type: Grant
    Filed: October 12, 2010
    Date of Patent: July 17, 2012
    Assignee: Microsoft Corporation
    Inventor: Blair B. Dillaway
  • Patent number: 8225400
    Abstract: A device receives an indication of detected attack traffic associated with a network, identifies a victim of the attack traffic, and selects a security platform for processing the attack traffic. The device also advertises a tunnel and routing tag information in the network for the selected security platform, receives the attack traffic via the advertised tunnel, and forwards the attack traffic to the selected security platform for processing. The device further receives processed traffic from the selected security platform, and forwards, via the network, the processed traffic to the victim.
    Type: Grant
    Filed: May 13, 2008
    Date of Patent: July 17, 2012
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Dante J Pacella, Harold J Schiller, Norman R Solis
  • Patent number: 8225371
    Abstract: A method and apparatus for creating a policy based on a pre-configured template is described. In one embodiment, source data having a tabular structure is identified. Further, one of multiple policy templates is used to automatically create a policy for detecting information from any one or more rows within the tabular structure of the source data.
    Type: Grant
    Filed: July 15, 2004
    Date of Patent: July 17, 2012
    Assignee: Symantec Corporation
    Inventors: Chris Jones, Eric Bothwell, Kevin T. Rowney
  • Patent number: 8220042
    Abstract: Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.
    Type: Grant
    Filed: February 15, 2006
    Date of Patent: July 10, 2012
    Assignee: Microsoft Corporation
    Inventors: Costin Hagiu, Elton Saul, Rajneesh Mahajan, Sergey A. Kuzin, Joy Chik, John E. Parsons, Ashwin Palekar, Ara Bernardi
  • Patent number: 8220044
    Abstract: The invention relates to a method for triggering re-negotiation of a session when an Access Terminal (AT) moves from one access network (source AN) to another access network (target AN) having different capabilities in a high rate packet data system. According to an exemplary embodiment of the invention, the source AN is allowed to store all the protocol subtypes, protocols and applications that the AT is capable of, and the AT is also allowed to send this information in priority order during session negotiation, hence facilitating the transfer of this information from the source AN to the target AN during session transfer when the AT moves from one AN to another AN. An alternate embodiment is to let the AT send the protocol subtypes, protocols and applications and other AT capability information to the target AN after it moves to a new AN, or to let the Rev-A capable AN query the AT's capability information and then have the AT provide this information.
    Type: Grant
    Filed: July 14, 2011
    Date of Patent: July 10, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Tirumala Sree Hari Vara Prasad Vadlapudi, Richa Dham
  • Patent number: 8217781
    Abstract: A central collector has appliance communication links to communicate with multiple appliances, and removable memory to store operational data retrieved from the appliances. When the memory is removed from the central collector and installed in a device capable of communication, the operational data can be communicated from the removable memory to a remote service center or a portable computing device.
    Type: Grant
    Filed: December 19, 2008
    Date of Patent: July 10, 2012
    Assignee: Whirlpool Corporation
    Inventors: Matthew P. Ebrom, Richard A. McCoy, Matthew J. Nibbelink, James P. O'Shaughnessy, Randy A. Voss