Security Protocols Patents (Class 726/14)
  • Patent number: 8149467
    Abstract: A technology for use in an e-mail transmission apparatus capable of preventing or discovering ‘impersonation’ in e-mail transmission efficiently, in which an e-mail is sent not only to a receiving address, but also to a sending address set by a sender.
    Type: Grant
    Filed: January 3, 2007
    Date of Patent: April 3, 2012
    Assignee: Minolta Co., Ltd.
    Inventor: Norihisa Takayama
  • Patent number: 8149723
    Abstract: A method for discovering computers connected to a computer network, including receiving a packet containing address information of a computer connected to the computer network that sent the packet, extracting the address information from the packet, and adding the address information to a database of discovered computers connected to the computer network.
    Type: Grant
    Filed: May 20, 2005
    Date of Patent: April 3, 2012
    Assignee: Computer Associates Think, Inc.
    Inventor: Paul Gassoway
  • Patent number: 8150373
    Abstract: Embodiments of the present invention relate to systems, methods, and computer-storage media for suppressing Short Message Service (SMS) communications from a Short Message peer-to-peer (SMPP) client. A selected response algorithm is provided to the SMPP client from a server. A threshold of undesired SMS communications are detected from a SPAM originator that is communicated to the server by way of the SMPP client. A challenge is communicated to the SMPP client from the server. When a challenge response is not received at the server, communications received from the SMPP client are throttled. When the challenge response is received at the server and the challenge response is incorrect, communications received from the SMPP client are also throttled. When the received challenge response is correct, a SPAM originator source identifier is communicated to the SMPP client in order for the SMPP client to throttle communications received from the SPAM originator.
    Type: Grant
    Filed: September 18, 2008
    Date of Patent: April 3, 2012
    Assignee: Sprint Communications Company L.P.
    Inventors: Piyush Upadhyay, William James Routt, Patrick David Wilson
  • Patent number: 8141156
    Abstract: Method and apparatus for mitigating routing misbehavior in a network is described. In one example, routing protocol traffic is received from a remote router destined for a local router. The routing protocol traffic is parsed to identify a subset of traffic. The subset of traffic is normalized to identify and correct misconfigured routing updates. The routing protocol traffic is provided to the local router. In one embodiment, the subset of traffic is normalized by at least one of detecting and correcting routing protocol semantics, detecting and correcting violations in routing policies, detecting and correcting routing anomalies, or mitigating routing instability.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: March 20, 2012
    Assignees: AT&T Intellectual Property II, L.P., University of Michigan
    Inventors: Zhuoqing Morley Mao, Jia Wang, Ying Zhang
  • Patent number: 8141144
    Abstract: The present invention provides a system and method for use within a computer network that allows for automated provisioning, configuration, and maintenance of the servers and other devices connected to a computer network in accordance with established policies. This system and method make use of templates which represent security policies which are applicable to all devices within the system, a subset of the devices, or a particular type of device. In addition, the template structure includes conditional statements which allow for flexibility in defining the policies.
    Type: Grant
    Filed: May 10, 2001
    Date of Patent: March 20, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Gordon Good
  • Patent number: 8138923
    Abstract: Embodiments of an RFID security system and method are described herein. Embodiments include an RFID security server or appliance and RFID security software. In an embodiment, the RFID security server is placed between an RFID reader and an enterprise back-end. Thus the system operates at the point where the RFID data stream leaves the RF interface and enters a physical transmission medium before any other active components on the network (such as databases, middleware, routers). The RFID security server analyzes RFID tag data (including meta-data) received from the reader in-band and detects malware and errors in the data. RFID tag data containing malware or errors is blocked from entering the enterprise back-end. In an embodiment, analyzing RFID tag data includes generating a security stamp that is uniquely associated with the tag data. The security stamp is stored on the RFID tag, or alternatively, stored separately for later comparison in order to detect tampering.
    Type: Grant
    Filed: April 27, 2007
    Date of Patent: March 20, 2012
    Assignee: Neocatena Networks Inc.
    Inventors: Lukas Grunwald, Boris Wolf
  • Patent number: 8136149
    Abstract: A security system with methodology providing verified secured individual end points is described.
    Type: Grant
    Filed: March 29, 2005
    Date of Patent: March 13, 2012
    Assignee: Check Point Software Technologies, Inc.
    Inventor: Gregor Paul Freund
  • Patent number: 8136165
    Abstract: A method of establishing a secure communication channel between end nodes of an IP communication network via one or more intermediate nodes using the Secure Shell, SSH, protocol, the method comprising defining an SSH configuration file containing a plurality of sections, each section defining parameter values for a corresponding hop of the tunnel and an identification of the section defining parameter values for any subsequent hop. At that end node, a first instance of an SSH client is established, with the name of the configuration file being an initialization value for the first instance, and using the parameter values contained in a first section of the configuration file to establish a first SSH connection to the next node in the sequence.
    Type: Grant
    Filed: November 22, 2004
    Date of Patent: March 13, 2012
    Assignee: Tectia Corporation
    Inventors: Pasi Takala, Jari Ollikka
  • Patent number: 8134987
    Abstract: A wireless local area network system allows policy enforcement execution to be split between an access port and a centralized wireless controller. The policy may be of various types, including, but not limited to, a firewall policy, a QoS policy, a traffic shaping policy, and a bandwidth-management policy. On the AP, for all the traffic that is to be bridged or forwarded to specified ports, the policy table on the AP is checked. If it matches the policy table entry, then the specified action is taken. For all the traffic that gets forwarded to the controller by the AP, the match is checked with the policy table at the controller. If a match is detected, then the appropriate action specified by the policy is taken.
    Type: Grant
    Filed: November 7, 2008
    Date of Patent: March 13, 2012
    Assignee: Symbol Technologies, Inc.
    Inventors: Anurag Verma, Laxminarayan Bhat
  • Publication number: 20120060212
    Abstract: An information processing apparatus is connectable via a network to service providing devices and a collecting apparatus. The information processing apparatus acquires a selection policy for selecting the devices that lay open to public types of providable services and service level information, and acquires service type information and the service level information from the collecting apparatus which detects the devices and collects the service type information including the types of providable services of the devices and the service level information. The devices capable of providing the accepted type of service are selected according to the selection policy.
    Type: Application
    Filed: August 22, 2011
    Publication date: March 8, 2012
    Applicant: RICOH COMPANY, LTD.
    Inventor: Eijiro INOUE
  • Patent number: 8130953
    Abstract: Authentication of an electronic communication apparatus capable of communicating data messages with a server according to a synchronization protocol includes providing an authentication method indicator that specifies an authentication method according to which the authentication is to be executed. The authentication method indicator is incorporated into a message that includes a plurality of authentication capabilities of the communication apparatus. The message is transmitted to the server according to an authentication protocol of the synchronization protocol.
    Type: Grant
    Filed: February 14, 2003
    Date of Patent: March 6, 2012
    Assignee: Sony Ericsson Mobile Communications AB
    Inventors: Carl Gustavsson, Gustaf Lööf, Stefan Andersson, Stefan Dahl
  • Patent number: 8132252
    Abstract: A system and method is disclosed for secure transmission of electronic information between two parties. A first data communication session is provided between a first computing device and a second computing device, wherein the first data communication session is via a first communication protocol. Further, the first computing device transmits first information via the first communication protocol that is received by the second computing device via the first communication protocol. During the first communication session, a second data communication session is provided between the first computing device and the second computing device. The second communication session is via a second communication protocol, which is more secure than the first communication protocol. The first computing device transmits second information via the second communication protocol that is received by the second computing device via the second communication protocol.
    Type: Grant
    Filed: August 8, 2008
    Date of Patent: March 6, 2012
    Inventor: Nicolas Kernene
  • Patent number: 8131994
    Abstract: A dual cryptographic keying system. In particular implementations, a method includes responsive to an initial session key negotiation, storing security association information for a tunnel in a security association memory; responsive to a session key renegotiation, storing security association information for the tunnel in a cache; decrypting received packets associated with the tunnel conditionally using the security association information in the cache or the security association information in the security association memory; and upon an expiration condition, overwriting the security association information, for the tunnel, in the security association memory with the security association information, for the tunnel, copied from the cache.
    Type: Grant
    Filed: June 1, 2007
    Date of Patent: March 6, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Santanu Sinha, Kenneth William Batcher
  • Patent number: 8132005
    Abstract: The present invention provides an establishment of a trusted relationship between two mutually unknown communication parties in a communication system without the use of a trusted third party. The invention is based on non-interactive proofs-of-work being purpose-bound for establishing the trusted relationship and cryptographically signing information to be transferred between the communication parties using such proofs-of-work for the solving of a problem instance along with verifying the proofs-of-work and generating a session object for a trusted relationship, when the verifying yields an affirmative result.
    Type: Grant
    Filed: September 29, 2005
    Date of Patent: March 6, 2012
    Assignee: Nokia Corporation
    Inventors: Lauri Tarkkala, Nadarajah Asokan
  • Patent number: 8127348
    Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
    Type: Grant
    Filed: May 12, 2005
    Date of Patent: February 28, 2012
    Assignee: Tectia Oyj
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 8122495
    Abstract: The present invention is generally directed to a computer security management system that integrates a firewall with an intrusion detection system (IDS). In other words, the firewall and IDS of the present invention can be designed to communicate process or status information and packets with one another. The present invention can facilitate centralized control of the firewall and the IDS and can increase the speed at which packets are passed between a secured computer network and an external network. Increased packet processing speed can be achieved in several ways. For example, the firewall and IDS can process packets in series, in parallel, and sometimes singularly when one of the components is not permitted to process a packet. Alternatively, singular processing can also be performed when one component is permitted to pass a packet to the secured computer network without checking with the other component.
    Type: Grant
    Filed: December 11, 2007
    Date of Patent: February 21, 2012
    Assignee: Dell Products, LP
    Inventors: Jon Ramsey, Kevin Ketts, Steve Buer
  • Patent number: 8116454
    Abstract: One aspect involves receiving by a tag of wireless communications that utilize a first security provision, and wireless communications that utilize a second security provision different from the first security provision. A different aspect involves receiving by an entity of an authentication request that is based on a first digital certificate unknown to the entity, and determining by the entity, without external authentication of the first digital certificate, whether the first digital certificate is in a trust relationship with a second digital certificate that is different from the first digital certificate and that is known to the entity.
    Type: Grant
    Filed: December 31, 2007
    Date of Patent: February 14, 2012
    Assignee: Savi Technology, Inc.
    Inventors: Igor V. Balabine, Nikola Cargonja, Allan M. Evans, Liping Julia Zhu, Devendra Shiledar, Stephen Alan Stough
  • Patent number: 8112794
    Abstract: A security token access device, a user device such as a computing device or communications device, and a method for managing multiple connections between multiple user devices and the access device. The access device maintains connection information, including security information, for each user device securely paired with the access device. Each time a new user device is paired with the access device, the access device transmits a notification to the user devices already paired to the user device. A user may provide instructions to the access device to terminate a pairing with one of the user devices by overwriting at least a portion of the connection information associated with the designated user device. A user device may further request a listing of all user devices currently paired with the access device.
    Type: Grant
    Filed: July 17, 2006
    Date of Patent: February 7, 2012
    Assignee: Research In Motion Limited
    Inventors: Herbert A. Little, Neil P. Adams
  • Patent number: 8112535
    Abstract: A dynamic address router may provide dynamically updated routing to a device with a dynamic network address as well as provide a security certificate for the device. The device may be routed using a subordinate domain name. The principal domain name and a security certificate may be held by a single service provider that may enable a simple setup and configuration mechanism, as well as to guarantee the authenticity of the security holder even though the holder may connect through a dynamic address connection.
    Type: Grant
    Filed: November 30, 2007
    Date of Patent: February 7, 2012
    Assignee: Microsoft Corporation
    Inventors: Neil S Fishman, Arnold N Blinn
  • Patent number: 8112803
    Abstract: An agent on a network is preconfigured to automatically respond to neighborhood discovery by sending an advertisement having a spoof IPv6 address. A spoof IPv6 address includes a spoof NIC value that is a value that identifies a network interface card not being used on the network. Thus, upon receipt of the advertisement by the infected host computer system, malicious code on the infected host computer system probes the spoof IPv6 address space defined by a network section value of the spoof IPv6 address, the spoof NIC value, and the range of possible values of the assigned host ID value of the spoof IPv6 address. As there are no interfaces within the spoof IPv6 address space except that associated with the agent, propagation of the malicious code is slowed or defeated and connections are directed to the agent.
    Type: Grant
    Filed: December 22, 2006
    Date of Patent: February 7, 2012
    Assignee: Symantec Corporation
    Inventors: Sourabh Satish, Brian Hernacki
  • Patent number: 8107944
    Abstract: Systems and methods for providing security and control of mobile communications device activity including at least one mobile communication device with software operable thereon for receiving rules provided by an authorized user of the device(s) and in accordance with those rules administering actions to provide for controlling and security data stored or generated on the device(s), including logging data and activities related to the mobile communications device, blocking and filtering calls, messages, websites, emails, and combinations thereof, via wireless communication with a remote server computer having a corresponding software module operable thereon for managing and implementing the rules.
    Type: Grant
    Filed: October 14, 2008
    Date of Patent: January 31, 2012
    Inventor: Todd Michael Cohan
  • Patent number: 8108679
    Abstract: A firewall system employs signature validation hardware communicating via low level communication protocols and with inner and outer host computers, which have network protocol stacks and for implementing complex communication protocols with remote source and destination computers. The source computer has data checker and signature functionalities, which respectively check data and generate digital signatures for data to be transmitted. The inner host computer receives transmitted data and converts it to a lower protocol level at which the hardware operates. The hardware uses digital circuitry for protocols and checking. It validates signatures in data at a software application level, but only requires protocols that are simple and low level. The firewall system communicates with the source and destination computers via high performance connection media.
    Type: Grant
    Filed: May 12, 2005
    Date of Patent: January 31, 2012
    Assignee: Qinetiq Limited
    Inventor: Simon Robert Wiseman
  • Patent number: 8108909
    Abstract: A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.
    Type: Grant
    Filed: June 10, 2011
    Date of Patent: January 31, 2012
    Assignee: InfoExpress, Inc.
    Inventors: Stacey C. Lum, Yuhshiow Alice Lee
  • Patent number: 8108674
    Abstract: A transmitting/receiving system includes a transmitting apparatus that transmits, to another apparatus, first encrypted data obtained by encrypting stream data including consecutive unit data items in accordance with a first encryption technique prescribing that, when the stream data is encrypted for each item, keys used for encrypting the items are updated, and a receiving apparatus that receives and decrypts the first data from the transmitting apparatus in accordance with a first decryption technique. The transmitting apparatus includes an encryptor that outputs second encrypted data obtained by generating data including a predetermined number of keys, and encrypting the data in accordance with a second encryption technique, a transmitter that transmits the second data from the encryptor to the receiving apparatus.
    Type: Grant
    Filed: July 31, 2006
    Date of Patent: January 31, 2012
    Assignee: Sony Corporation
    Inventor: Takayuki Takeda
  • Patent number: 8108913
    Abstract: A system and method for marking and controlling the transfer of information between several users (2i, 9i). An authority (3) marks information to be transmitted. A directory (4) or device containing the certificates of all users as well as the certificates of all the components of the architecture. A security office (5) is used to, a key management device (6a) and a privilege management device (6b).
    Type: Grant
    Filed: December 19, 2006
    Date of Patent: January 31, 2012
    Assignee: Thales
    Inventors: Eric Weber, David Granjard, Fabien Alcouffe
  • Patent number: 8108477
    Abstract: A system and method are disclosed for classifying a message. The method includes receiving the message, identifying all items of a certain type in the message, determining whether each of the items meets a criterion, and in the event that all the items are determined to meet the criterion, determining a classification of the message. The system includes an interface configured to receive the message, a processor coupled to the interface, configured to identify all items of a certain type in the message; determine whether each of the items meets a criterion; and in the event that all the items are determined to meet the criterion, determine a classification of the message.
    Type: Grant
    Filed: July 13, 2009
    Date of Patent: January 31, 2012
    Assignee: SonicWALL, Inc.
    Inventors: Jonathan J. Oliver, David A. Koblas, Brian K. Wilson
  • Patent number: 8108924
    Abstract: Techniques are disclosed for providing connection data related to a firewall. In one aspect, computer-readable media provide a method that includes receiving a request for a set of connection parameters of a firewall related to data packets processed by at least one non-CPU device of the firewall. The method further includes identifying raw data of a session table that corresponds to the requested connection parameters. The method additionally includes calculating a result for the requested connection parameters from the raw data, and providing the result in a format detailing a number of connections for each connection parameter.
    Type: Grant
    Filed: May 24, 2007
    Date of Patent: January 31, 2012
    Assignee: Sprint Communications Company L.P.
    Inventor: Timothy L. Eberhard
  • Patent number: 8104080
    Abstract: A computer-readable storage medium has a data structure stored thereon for constructing expressions representing software configurations to be applied to software. The data structure includes a first data field including data identifying a name of a software setting for the application. A second data field includes data representing an assertion portion of a policy rule for configuring the configurations identified in the first data field to be applied to the software. The data structure also includes a third data field storing data representing an action portion of the policy rule. The second data field and the third data field form the policy rule. A fourth data field stores metadata describing the policy rule represented by the first data field, the second data field, and the third data field.
    Type: Grant
    Filed: January 26, 2007
    Date of Patent: January 24, 2012
    Assignee: Microsoft Corporation
    Inventors: Steven Patterson Burns, Derek Menzies, Andrea Rose Westerinen, Anders Vinberg
  • Patent number: 8104082
    Abstract: In some networking situations, securing an inner packet of a tunnel packet requires an intermediary networking device knowing a destination address of the secured inner packet. Consequently, an identity of a secured network is known to others and presents a security risk. The provided technique addresses this risk by: i) establishing at a first security interface a first secured network connection between a first and second secured network, the connection established for a first packet addressed to a virtual security interface and destined for the second secured network; and ii) responding to a network condition by establishing at a second security interface at least one second secured network connection between the first and second secured network, the connection established for a second packet addressed to the virtual security interface and destined for the second secured network.
    Type: Grant
    Filed: September 29, 2006
    Date of Patent: January 24, 2012
    Assignee: Certes Networks, Inc.
    Inventor: Donald McAlister
  • Patent number: 8104078
    Abstract: A method, system, and computer program product for preventing network service attacks, including processing a message to validate the message for message version and syntax via a security firewall; canonicalizing the message and extracting a message header and body via a converter; converting the body into a Patricia Trie via the converter; and validating the header and the converted body for security via a comparator.
    Type: Grant
    Filed: February 23, 2007
    Date of Patent: January 24, 2012
    Assignee: Infosys Technologies, Ltd.
    Inventors: Srinivas Padmanabhuni, Abhishek Malay Chatterjee, Vineet Singh, Senthil Kumar Kumarasamy Mani
  • Patent number: 8099777
    Abstract: A computing system can be optimized for high security, reliability and/or integrity. The computing system can include a multiple instruction stream, single data stream processor. The multiple instruction stream, single data stream processor can include a master instruction processing unit, fetch instruction processing units, a single bus interface/memory unit, and a single data processing unit. The computing system can also include a storage device or a memory. The processor can be utilized in numerous applications including avionics software applications.
    Type: Grant
    Filed: August 26, 2004
    Date of Patent: January 17, 2012
    Assignee: Rockwell Collins, Inc.
    Inventor: James C. Maxted
  • Patent number: 8099775
    Abstract: A virtual firewall system based on a common security policy and a method of controlling the same. The virtual firewall system includes one or more virtual security policy modules, each of which includes a local security policy database; a security policy determiner, which determines, from the one or more virtual security policy modules, a virtual security policy module corresponding to a packet received from outside; and a common security policy database, which stores security policies. Each of the one or more virtual security policy modules determines whether or not to apply a security policy of the common security policy database to the received packet, and when the security policy of the common security policy database is applied, does not apply the security policy of a local security policy database. An operator can easily and conveniently set and restore the system.
    Type: Grant
    Filed: July 11, 2008
    Date of Patent: January 17, 2012
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Young-Seop Lee
  • Patent number: 8099588
    Abstract: A solution is proposed for distributing a software product to a set of data processing entities (such as endpoints) in a data processing system; the system includes a set of security applications (such as firewalls), which are adapted to control communications of the entities. A corresponding method starts with the step of determining a target configuration of the security applications for allowing execution of the software product on the entities. A software package (or more), being adapted to enforce the software product and the target configuration, is then built. The method continues by distributing the software package in the system, so as to cause the application of the software package for enforcing the software product on each entity and the target configuration of each security application.
    Type: Grant
    Filed: April 4, 2008
    Date of Patent: January 17, 2012
    Assignee: International Business Machines Corporation
    Inventors: Celli Massimiliano, Antonio Gallo, Luigi Pichetti, Marco Secchi
  • Patent number: 8099782
    Abstract: A network system can have a plurality of distributed software agents configured to collect events from network devices. In one embodiment, the agents are configured to aggregate the events. In one embodiment of the present invention, an agent includes a device interface to receive an event from a network device, a plurality of aggregation profiles, and an agent aggregate module to select one of the plurality of aggregation profiles, and increment an event count of an aggregate event representing the received event using the selected aggregation profile.
    Type: Grant
    Filed: November 17, 2009
    Date of Patent: January 17, 2012
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Debabrata Dash, Hector Aguilar-Macias
  • Patent number: 8095789
    Abstract: According to an aspect of an embodiment, a method for controlling an apparatus for transferring data from a plurality of first devices to a second device via a network, the data being transferred by using a packet, the method comprises the steps of: extracting encryption information identifying method of encryption conveyed by a packet and destination information identifying destination of the packet transmitted from one of the first devices; counting the number of kinds of the destination information extracted from packets associated with the same encryption information, respectively; and determining an unauthorized communication when the number of kinds of the encryption information is less than a predetermined value.
    Type: Grant
    Filed: August 4, 2008
    Date of Patent: January 10, 2012
    Assignee: Fujitsu Limited
    Inventors: Masahiro Komura, Masashi Mitomo
  • Patent number: 8095787
    Abstract: A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining by the appliance, the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described.
    Type: Grant
    Filed: August 21, 2006
    Date of Patent: January 10, 2012
    Assignee: Citrix Systems, Inc.
    Inventors: Tushar Kanekar, Sivaprasad Udupa
  • Patent number: 8094663
    Abstract: A Service Provider (SP) authentication method includes receiving a message from a subscriber-premises device, the message being compatible with an authentication protocol and being transported from the subscriber-premises device to a u-PE device operating in compliance with an IEEE 802.1x compatible protocol. Access to the SP network is either allowed or denied based on a logical identifier contained in the message. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. 37 CFR 1.72(b).
    Type: Grant
    Filed: May 31, 2005
    Date of Patent: January 10, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Eric Voit, Ian Woo, Wayne Roiger
  • Publication number: 20120005744
    Abstract: A communicating apparatus that is able to perform IP-FAX communication without making the user aware of the attack and without any difficulty, even if the device recognizes a DoS attack or the like. Communication that uses a SIP server on a network is performed by a communicating unit. Unauthorized communication from the communication performed by the communicating unit is detected. A port number of a receiving port of the communicating unit is changed when the unauthorized communication is detected. It is determined whether or not the detected unauthorized communication has passed through the SIP server.
    Type: Application
    Filed: July 1, 2011
    Publication date: January 5, 2012
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Hidenori YOKOKURA
  • Patent number: 8091131
    Abstract: Disclosed is a system and method for the sharing of intrusion-related information. The sharing of intrusion-related information occurs via a peering relationship between a first Internet Service Provider (ISP) and a second ISP. A first node associated with a first ISP transmits intrusion-related information to a second node associated with a second ISP. The first node identifies intrusion-related information meeting a first criteria. The first node then transmits the intrusion-related information to the second node. The intrusion-related information includes one or more of a list of attackers that previously probed the first node, the protocol used, the time of the probes, and the individual alarms raised.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: January 3, 2012
    Assignee: AT&T Intellectual Property II, L.P.
    Inventor: Balachander Krishnamurthy
  • Patent number: 8091125
    Abstract: A system and method for performing asynchronous cryptographic operations. A cryptographic toolkit receives requests for cryptographic operations, and initiates the cryptographic operations within a thread of execution. The toolkit detects when the cryptographic operations are complete, retrieves the results, and returns the results to a calling program. The cryptographic operations are performed in an asynchronous manner, without blocking a calling program. The calling program can specify whether the requested operations are to be performed without blocking.
    Type: Grant
    Filed: March 27, 2008
    Date of Patent: January 3, 2012
    Assignee: F5 Networks, Inc.
    Inventors: John R. Hughes, Richard R. Masters, David D. Schmitt
  • Patent number: 8090854
    Abstract: The frequency of reading, by users, Web sites managed by Web masters is increased. A server computer of a service provider providing a variety of services can be accessed from one of the Web sites of registered Webmasters. The server computer registers a client who has accessed it through one of the Web sites. Only when the registered client accesses the service provider through the Web site, the client can receive any one of the services.
    Type: Grant
    Filed: August 12, 2010
    Date of Patent: January 3, 2012
    Assignee: International Business Link Co., Ltd.
    Inventor: Takeshi Saito
  • Publication number: 20110321152
    Abstract: Embodiments of the invention provide a trusted intermediary for use in a system in which access control decisions may be based at least in part on information provided in claims. The intermediary may request claims on behalf of a network resource to which access is requested, and submit the claims for a decision whether to grant or deny access. The decision may be based at least in part on one or more access control policies, which may be pre-set or dynamically generated. Because the intermediary requests the claims and submits the claims for an access control decision, the network resource (e.g., a server application) need not be configured to process claims information.
    Type: Application
    Filed: June 24, 2010
    Publication date: December 29, 2011
    Applicant: Microsoft Corporation
    Inventors: Yair Tor, Eugene (John) Neystadt, Patrik Schnell, Oleg Ananiev, Arthur Zavalkovsky, Daniel Rose
  • Patent number: 8082581
    Abstract: A network device may manage communication sessions with clients so that attempts at the client to automatically keep the session alive can be ignored for purposes of timing out the session. The device may examine resource requests received from the client as uniform resource locators (URLs) and determine whether the URLs include a context variable. The device may determine whether to reset a timeout period for the communication session based on a presence of the context variable in the URL. At the client side, the context variable may be attached to URLs that are part of functions configured to automatically access the network device.
    Type: Grant
    Filed: December 9, 2010
    Date of Patent: December 20, 2011
    Assignee: Juniper Networks, Inc.
    Inventor: Yuhua Wu
  • Patent number: 8082441
    Abstract: In a hitless manual cryptographic key refresh scheme, a state machine is independently maintained at each network node. The state machine includes a first state, a second state, and a third state. In the first state, which is the steady state, a current cryptographic key is used both for generating signatures for outgoing packets and for authenticating signatures of incoming packets. In the second state, which is entered when a new cryptographic key is provisioned, the old (i.e. formerly current) key is still used for generating signatures for outgoing packets, however one or, if necessary, both of the old key and the newly provisioned key is used for authenticating signatures of incoming packets. In the third state, the new key is used for generating signatures for outgoing packets and either one or both of the old key and new key are used for authenticating signatures of incoming packets.
    Type: Grant
    Filed: June 10, 2009
    Date of Patent: December 20, 2011
    Assignee: Nortel Networks Limited
    Inventors: Richard Gauvreau, Michael Aalders, Kim Edwards
  • Patent number: 8082580
    Abstract: In general, techniques are described for performing session layer pinhole management within a network security device. In accordance with the techniques, the network device includes a resource manager module and a Session Initiation Protocol (SIP) module. The SIP module receives a SIP message from a private server, the SIP message requesting a SIP session. In response to the SIP message, the SIP module via the resource manager module opens a pinhole to permit the SIP session and assigns via the resource manager module resources included within the resource pool to monitor each call occurring over the SIP session. The SIP module further determines whether each of the calls has completed based on a session layer characteristic of a subsequent SIP message associated with each call and based on the determination, returns via the resource manager module the resources assigned to monitor each completed call to the resource pool.
    Type: Grant
    Filed: April 14, 2008
    Date of Patent: December 20, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Purvi Desai, Anil Bollineni
  • Patent number: 8079080
    Abstract: A method, system and computer program product detect attempts to send significant amounts of information out via HTTP tunnels to rogue Web servers from within an otherwise firewalled network. A related goal is to help detect spyware programs. Filters, based on the analysis of HTTP traffic over a training period, help detect anomalies in outbound HTTP traffic using metrics such as request regularity, bandwidth usage, inter-request delay time, and transaction size.
    Type: Grant
    Filed: October 21, 2005
    Date of Patent: December 13, 2011
    Inventor: Kevin R. Borders
  • Patent number: 8079068
    Abstract: A system and method for automatically managing a connection between a user device and a security token access device. The access device is adapted to wirelessly communicate with a plurality of user devices and to be securely paired with at least one of the plurality of user devices, and is further adapted to maintain connection information relating to each of the plurality of user devices. The connection information comprises security information for each user device securely paired with the access device. The access device automatically manages a connection by maintaining a store of connection information comprising security information for each of a set of at least one securely paired user devices; determining whether one of the securely paired user devices is a stale device; and if it is determined that one of the securely paired user devices is a stale device, implementing a management protocol for handling the stale device.
    Type: Grant
    Filed: July 17, 2006
    Date of Patent: December 13, 2011
    Assignee: Research In Motion Limited
    Inventor: Neil P. Adams
  • Patent number: 8074269
    Abstract: A system and method for controlling, by an outside entity, one or more devices associated with a location. A representative embodiment of the system architecture comprises an internal computer system through which a device may be remotely controlled by the outside entity during a communication session between the outside entity and the internal computer system through an external computer network. The external computer network can be the Internet. When the outside entity is requested to control the device, the outside entity's identity information is authenticated before the communication session is established. In a preferred embodiment, the internal computer system is protected by a firewall. The firewall allows the outside entity to access the internal computer system to control the device if the outside entity can provide proper identity information. The identity information of the outside entity may be a password that is recognized by the firewall.
    Type: Grant
    Filed: July 29, 2008
    Date of Patent: December 6, 2011
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Samuel N. Zellner, Mark J. Enzmann, Robert T. Moton, Jr.
  • Patent number: 8073949
    Abstract: A client application (16) establishes in a client network (10), a first connection having a first security level, directly with a first port (1) of a server application (17) hosted in a server machine (13) linked to a server network (11), in order to send messages addressed to the server machine (13). The messages pass from the client network (10) to the server network (11) through a network layer (CR) of a gateway machine (9). In the gateway machine, a secure application proxy reroutes the messages from the first connection, in a way that is transparent for the client application, and establishes a second connection having a second security level with the server application; the second connection is unknown to the client application.
    Type: Grant
    Filed: January 24, 2001
    Date of Patent: December 6, 2011
    Inventors: François Cunchon, Rene Martin, Van-Dung N'Guyen
  • Patent number: 8074267
    Abstract: A method for monitoring computer communications is disclosed. A packet sent from a sending node to a destination node is received at a monitoring node. It is determined whether the packet is encrypted.
    Type: Grant
    Filed: December 18, 2003
    Date of Patent: December 6, 2011
    Assignee: Symantec Corporation
    Inventor: Michael S. Stimpson