Security Protocols Patents (Class 726/14)
  • Publication number: 20110296520
    Abstract: According to certain aspects, a method for performing remote backup operations is provided that includes receiving a first unidirectional connection request from a media agent module to a proxy device within an enterprise network, through a firewall. The method also includes receiving a second unidirectional connection request from a remote device coupled to an untrusted network, such as through a second firewall. Secure connections are established from the media agent module to the proxy and from the remote device to the proxy. Additionally, the method can include routing with the proxy device backup data from the remote computing device to the media agent over the secured connections. The method also may include storing the backup data on a storage device within the enterprise network. In certain embodiments, during establishment of the secure connections, identification of the media agent or the storage device is not exposed to the untrusted network.
    Type: Application
    Filed: May 27, 2011
    Publication date: December 1, 2011
    Applicant: COMMVAULT SYSTEMS, INC.
    Inventor: Andrei Erofeev
  • Patent number: 8069247
    Abstract: An exemplary method includes detecting a request to launch an application on a device, accessing metadata associated with the application over a network, using the metadata to determine whether sufficient resources are available to launch the application on the device, and performing at least one action based on said determination. The at least one action may include launching the application on the device when sufficient resources are available or blocking a launch of the application on the device when sufficient resources are not available. In certain embodiments, the method is performed by the device. In certain embodiments, the device includes a set-top box configured to access a media service over the network. Corresponding methods, systems, apparatuses, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: November 29, 2011
    Assignee: Verizon Data Services LLC
    Inventors: Enrique Ruiz-Velasco, Prasad Raella, Manish Verma
  • Publication number: 20110289581
    Abstract: Trusted e-mail communication may be provided. A message source organization may be validated. When a message is received from the validated message source organization for a recipient organization, a determination may be made as to whether the recipient organization supports an attribution data extension. If so, the message may be transmitted to the recipient organization with an attribution element associated with the message source organization.
    Type: Application
    Filed: May 21, 2010
    Publication date: November 24, 2011
    Applicant: Microsoft Corporation
    Inventors: Gregory Gourevitch, Victor William Habib Boctor, Wilbert De Graaf
  • Patent number: 8065720
    Abstract: Methods and systems for managing secure communications are provided. An external client establishes secure communications with a secure site. During the secure session, the external client attempts to access potentially insecure references. These potentially insecure references are inspected before being made available to the external client. In some instances, the potentially insecure references are translated into secure references, which suppress normally occurring security warning messages that are issued to the external client. In other instances, the potentially insecure references are processed by a proxy on behalf of the external client and appear to the external client to occur within the secure session.
    Type: Grant
    Filed: January 6, 2004
    Date of Patent: November 22, 2011
    Assignee: Novell, Inc.
    Inventors: Hashem M. Ebrahimi, Stephen R Carter, Mel J Oyler
  • Patent number: 8065722
    Abstract: An automatic technique for generating signatures for malicious network traffic performs a cluster analysis of known malicious traffic to create a signature in the form of a state machine. The cluster analysis may operate on semantically tagged data collected by connection or session and normalized to eliminate protocol specific features. The signature extractor may generalize the finite-state machine signatures to match network traffic not previously observed.
    Type: Grant
    Filed: March 21, 2005
    Date of Patent: November 22, 2011
    Assignee: Wisconsin Alumni Research Foundation
    Inventors: Paul Robert Barford, Jonathon Thomas Giffin, Somesh Jha, Vinod Trivandrum Yegneswaran
  • Patent number: 8065726
    Abstract: The present disclosure provides a method for scalable anti-replay windowing. According to one exemplary embodiment, the method may include receiving at least one data packet having at least one new sequence number. The method may also include comparing the at least one new sequence number to an anti-replay window configured to prevent packet replay, the anti-replay window having at least one existing sequence number. The method may further include shifting the contents of the anti-replay window by varying the location of a starting index and an ending index. Of course, additional embodiments, variations and modifications are possible without departing from this embodiment.
    Type: Grant
    Filed: May 14, 2007
    Date of Patent: November 22, 2011
    Assignee: Intel Corporation
    Inventors: Paul Burkley, Keith Critchley
  • Patent number: 8065723
    Abstract: A disclosed network communication device corresponds to IP communications and is capable of performing IPsec communication. The network communication device includes a setting unit configured to obtain and set an operation mode specified by an administrator user; a detecting unit configured to detect a communication error caused by an incorrect portion in an IPsec setting; and a changing unit configured to change the IPsec setting, based on the operation mode set by the setting unit, to correct the incorrect portion or to cancel the IPsec communication, in the event that the communication error is detected.
    Type: Grant
    Filed: February 19, 2008
    Date of Patent: November 22, 2011
    Assignee: Ricoh Company, Ltd.
    Inventor: Takayuki Uchida
  • Publication number: 20110283351
    Abstract: Method and system that allows for the input of secure data through a non-secure means and prevents the accessing of the secure data through electronic subterfuge (i.e. Hacking). When this patent is utilized with the current state-of-the-art network security systems, it will be possible to prevent external and most internal accessing of secure computer systems, aka “Hacking.” The method and system can allow access to approved users and either prevents the access of secure information from users that do not have access and/or “kill” the processes of said users. The method and system is capable of detecting unauthorized access to systems and should an attack reach certain thresholds can allow the system to recover and prevent access beyond the specific boundary set. The method and system is also capable of apportioning data to users who may not have the necessary privileges for all of the information but who do need a portion of it.
    Type: Application
    Filed: April 18, 2011
    Publication date: November 17, 2011
    Inventor: James Thomas Hudson, JR.
  • Patent number: 8060939
    Abstract: A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received request signal, an active defense of the wireless network is triggered. The triggered active defense may be one or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packets appearing legitimate but containing randomized payloads), or transmitting a channel change request to the potentially compromised access point.
    Type: Grant
    Filed: April 23, 2008
    Date of Patent: November 15, 2011
    Assignee: AirDefense, Inc.
    Inventors: Michael T. Lynn, Scott Hrastar
  • Patent number: 8056126
    Abstract: An authentication system for an instruction processing apparatus includes first and second authentication portions each for performing user authentication at the time of using the instruction processing apparatus, and a controller which makes the first authentication portion execute the user authentication and switches from the first authentication portion to the second authentication portion when the user authentication by the first authentication portion cannot be established.
    Type: Grant
    Filed: December 23, 2004
    Date of Patent: November 8, 2011
    Assignee: Konica Minolta Business Technologies, Inc.
    Inventors: Toshihiko Otake, Daisuke Sakiyama, Takanobu Kuge, Hideyuki Matsuda
  • Patent number: 8055897
    Abstract: Embodiments for generating digital title and transmission information are disclosed.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: November 8, 2011
    Assignee: Lippershy Celestial LLC
    Inventors: Shabbir Khan, Alexander Cohen
  • Patent number: 8046829
    Abstract: A system and method is disclosed for dynamically and securely establishing a tunnel for a mobile device. In the preferred embodiments, the system and method operate to dynamically assign one or more tunnel endpoint addresses to a client which is not on the same IP-link as an authentication agent depending on an authentication result based on using an authentication protocol source port number in order to address communications.
    Type: Grant
    Filed: August 15, 2005
    Date of Patent: October 25, 2011
    Assignees: Toshiba America Research, Inc., Telcordia Technology, Inc.
    Inventor: Yoshihiro Oba
  • Patent number: 8046830
    Abstract: The present invention is generally directed towards a remote access architecture for providing peer-to-peer communications and remote access connectivity. In one embodiment, the remote access architecture of the present invention provides a method for establishing a direct connection between peer computing devices via a third computing device, such as a gateway.
    Type: Grant
    Filed: July 22, 2005
    Date of Patent: October 25, 2011
    Assignee: Citrix Systems, Inc.
    Inventors: Goutham P. Rao, Robert A. Rodriguez, Eric R. Brueggemann
  • Patent number: 8046823
    Abstract: Systems and methods are provided which implement a bridge server to provide user access to one or more secure applications. A bridge server of embodiments is disposed between a user and a secure application and invokes bridge server security protocols with respect to the user and secure application security protocols with respect to the secure application. In operation according to embodiments, client applications will link into a bridge server, the user will be authenticated by the bridge server, and a valid user will be correlated to an account of the secure application by the bridge server. Bridge servers of embodiments facilitate providing features with respect to secure application user access unavailable using the secure application security protocols.
    Type: Grant
    Filed: October 3, 2006
    Date of Patent: October 25, 2011
    Assignee: Stamps.com Inc.
    Inventors: Geoffrey Charles Begen, Keith David Bussell
  • Publication number: 20110258696
    Abstract: In one embodiment of the invention, a wireless network is adapted with a wireless network switch in communication with a plurality of access points, which are in communication with one or more stations. Coupled to the access points over an interconnect, the wireless network switch is adapted to receive a DEAUTHENTICATION message sent by one of the plurality of access points in the same coverage area of the station so as to detect the DEAUTHENTICATION message and to block communications between the plurality of access points and the station in response to determining that the DEAUTHENTICATION message is invalid.
    Type: Application
    Filed: June 24, 2011
    Publication date: October 20, 2011
    Inventors: Pradeep J. Iyer, Partha Narasimhan, Merwyn Andrade, John Taylor
  • Patent number: 8041946
    Abstract: A secure network server wherein both the forwarding process and the receiving process are created upon connection initialization, and the receiving process is held off from communicating with the source host until the forwarding process has created a connection with the destination host. This solves the problem of message loss when the destination host is unreachable.
    Type: Grant
    Filed: February 28, 2006
    Date of Patent: October 18, 2011
    Assignee: The Boeing Company
    Inventors: Kelly S. Bunn, Daniel D. Schnackenberg, Janell Schnackenberg, legal representative
  • Patent number: 8042168
    Abstract: Provided is a method of remotely maintaining a computer system connected to a first private network of a first organization from a maintenance computer connected to a second private network of a second organization. The first and second private networks are connected to a public network and protected from the public network by respective first and second external firewalls. The first private network is separated from the computer system using a separation firewall configured to block network traffic that initiates at the computer system and is directed to the first private network. An isolation pipe is established that extends from the separation firewall over the first private network to the first external firewall, using virtual-private-network technology. A request to log into the computer system is transmitted from the maintenance computer through the isolation pipe to the computer system.
    Type: Grant
    Filed: June 22, 2006
    Date of Patent: October 18, 2011
    Assignee: International Business Machines Corporation
    Inventor: Hilmar Roerig
  • Patent number: 8041940
    Abstract: In one aspect, a method to offload encryption processing in a storage area network (SAN) system includes determining whether a host is performing at a first performance level, offloading encryption processing at a processor if the host is not performing at a first performance level and performing encryption processing at the host if the host is performing at a first performance level.
    Type: Grant
    Filed: December 26, 2007
    Date of Patent: October 18, 2011
    Assignee: EMC Corporation
    Inventors: Assaf Natanzon, Shlomo Ahal
  • Patent number: 8042170
    Abstract: In a communication session, data flows with encrypted data packets pass through a monitoring intermediary for data traffic control. The encrypted data packets include SPIs (Secured Parameter Indexes) which are used to identify SAs (Security Associations) for data decryption. During the initial signaling process for the communication session, the nodes seeking the communication session include the SPIs in the signaling messages and send the signaling messages through the monitoring intermediary which in turn matches the SPIs of the signaling messages with the corresponding SPIs extracted from the data packets. In enforcing data traffic control, the monitoring intermediary allows data flows to pass through if comparison matches in the SPIs are found. Otherwise, the data flows are rejected.
    Type: Grant
    Filed: July 12, 2005
    Date of Patent: October 18, 2011
    Assignee: QUALCOMM Incorporated
    Inventors: Arungundram C. Mahendran, Jun Wang, Raymond Tah-Sheng Hsu
  • Patent number: 8042172
    Abstract: Enabling a client computer to perform an operation is disclosed. Login information is received from a client computer. The login information is confirmed by querying a trusted agent on the client computer.
    Type: Grant
    Filed: February 2, 2006
    Date of Patent: October 18, 2011
    Assignee: EMC Corporation
    Inventors: Jeffery Gordon Heithcock, David William Barry, II, Dennis Bishop Jones
  • Patent number: 8040234
    Abstract: An appliance network has a service key accessory to facilitate remote diagnosis and service of an appliance.
    Type: Grant
    Filed: October 31, 2007
    Date of Patent: October 18, 2011
    Assignee: Whirlpool Corporation
    Inventors: Matthew P. Ebrom, Wallace J. Elston, III, Mark E. Glotzbach, Layne E. Heilman, Anthony E. Jenkins, Richard A. McCoy
  • Patent number: 8042148
    Abstract: A system for enforcing policy in a communication network includes a policy server which is operable to receive a request to invoke an application, receive a policy profile for a network user, and decide a proper allocation of network users based on the policy profile, the application, and available network resources. The policy server is further operable to communicate with a non-SIP application. The system also includes a network resource manager operably associated with the policy server and operable to monitor available network resources in the communication network. In addition, the network resource manager is functional to allocate network resources amongst a plurality of network users. The system also contains an application control point which is operably associated with the policy server and operable to communicate with a SIP application. The system is operable to use policy peering between the home and visited network to enable user-specific policies to be enforced while roaming.
    Type: Grant
    Filed: February 6, 2007
    Date of Patent: October 18, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Flemming Stig Andreasen, Jonathan D. Rosenberg
  • Publication number: 20110252462
    Abstract: A computer implemented method, system, and computer program product for authenticating a remote host to a firewall. The illustrative embodiments allow a requesting host separated from a target host by a firewall to determine, based on exception handling code, that an original request sent to the target host has been intercepted and blocked by the firewall. The illustrative embodiments also allow the requesting host to automatically provide credentials that authenticate the requesting host to the firewall. The illustrative embodiments are particularly applicable in situations when requests are invoked without any user interaction, such as when a timer expires. In such a case, there is no user to provide the needed credentials to authenticate the requesting host. The illustrative embodiments enable a requesting host to access a target host without requiring user intervention.
    Type: Application
    Filed: April 7, 2010
    Publication date: October 13, 2011
    Applicant: International Business Machines Corporation
    Inventors: James M. Bonanno, Steven D. Ims, Todd E. Kaplinger, Aaron J. Tarter
  • Publication number: 20110252470
    Abstract: A recommendation engine coupled to a server computer in communication with a plurality of hosts is described. The recommendation engine includes computer readable intrusion-protection instructions stored in a memory device, which cause a processor of said server computer to determine a current host-protection configuration for a target host; detect discrepancy between said current host-protection configuration and a prior host-protection configuration; install said current host-protection configuration in said target host upon detecting said discrepancy; record successive host-reconfiguration periods, a host reconfiguration period being a difference between successive instants of time at which a current host-protection configuration differs from a prior host-protection configuration; determine a monitoring period according to a value of at least one of said successive host-reconfiguration periods; and a scheduler for activating said intrusion-protection instructions according to said monitoring period.
    Type: Application
    Filed: June 23, 2011
    Publication date: October 13, 2011
    Inventor: Anthony Robert Durie
  • Patent number: 8037297
    Abstract: According to the present invention a telecommunication network with a first domain (PLMN-A) comprising at least one mobile application part protocol instance is connected to a gateway node (MSEGA) which is adapted to send and receive mobile application part messages and which is connectable to a second domain. The telecommunication network is remarkable in that the gateway node (MSEGA) is adapted to receive a mobile application part message from the first domain, to convert the received mobile application part message obtaining a secured mobile application part message, and to send the obtained message to the second domain. The gateway node (MSEGA) is further adapted to receive a secured mobile application part message from the second domain, to extract an unsecured mobile application part message from the received secured mobile application part message and to send the extracted message to the first domain.
    Type: Grant
    Filed: October 20, 2003
    Date of Patent: October 11, 2011
    Assignee: Telefonaktiebolaget L M Ericsson (Publ)
    Inventors: Reijo Pekkala, Juha Saaskilahti, Karl-Johan Wiren
  • Patent number: 8037520
    Abstract: Methods, apparatus, programs and signals for providing communications network security. The approach is based on using established “standard” protocols, but packets (or cells or frames) are deliberately malformed by the sender, optionally according to a predetermined rule (for example by inverting a packet check digit). A filter forwards only packets identified as being invalid, optionally in accordance with the rule; packets which are valid with respect to the “standard” protocol are dropped. The filter is preferably implemented in hardware to mitigate the risk of its being compromised by a malicious attack.
    Type: Grant
    Filed: September 12, 2006
    Date of Patent: October 11, 2011
    Assignee: Qinetiq Limited
    Inventors: Simon Robert Wiseman, Christopher James Cant
  • Patent number: 8037530
    Abstract: A translator is provided for translating predetermined portions of packet header information including an address of a data packet according to a cipher algorithm keyed by a cipher key derived by a key exchanger. A mapping device is also provided for mapping the address to a host table stored in memory. If the address does not match an entry in the host table, a security device is triggered.
    Type: Grant
    Filed: August 10, 2001
    Date of Patent: October 11, 2011
    Assignees: Verizon Corporate Services Group Inc., Raytheon BBN Technologies Corp.
    Inventors: Russell Andrew Fink, Matthew Aloysius Brannigan, Shelby Alana Evans, Aswin Morgan Almeida
  • Patent number: 8032934
    Abstract: The present invention discloses a network security system including a firewall arranged between the internal network and the external network, and a trusted node arranged between the firewall and the external network, which is used to provide a data channel between the internal network and the external network, and forward the data transported between the internal network and the external network; the firewall includes a first port configured at the internal network oriented side of the firewall and a second port configured at the external network oriented side of the firewall; and the trusted node includes a media-stream receiving port used to converge the data from the second port. The present invention also discloses a network security method.
    Type: Grant
    Filed: December 29, 2004
    Date of Patent: October 4, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xianyi Chen, Ziqiang Wei, Jiaoli Wu, Enkui Wang, Lingfeng Xu
  • Publication number: 20110239291
    Abstract: Detecting and thwarting browser-based network intrusion attacks for intellectual property misappropriation is provided by enabling a local machine to direct retrieval of resources using uniform resource identifiers to a browser operating within a virtual machine whose internet protocol address is within a range external to a trusted network sub-circuit. Such a virtual machine is constrained by not having access to the Active Directory Server of the trusted network. Such a virtual machine is constrained by not having access to other resources of the trusted network. Such a virtual machine is constrained by a monitor application which terminates the virtual machine if characteristics of intrusion or network attack are observed within the virtual machine.
    Type: Application
    Filed: March 26, 2010
    Publication date: September 29, 2011
    Applicant: BARRACUDA NETWORKS, INC.
    Inventor: Scott Sotka
  • Patent number: 8028334
    Abstract: A firewall rule generation method, a load balancing rule generation method, and a wrapper generation method, for an Information Technology (IT) system, associated computer program products, and associated processes for integrating computing infrastructure. The firewall rule generation method generates firewall rules allowing data transmission between a computer and a client, and subsequently assigns the firewall rules to firewalls of the IT system. The load balancing rule generation method assigns a load balancing mechanism to a load balanced group to which execution of an application is assigned, wherein the load balanced group has servers therein. For a client and computer having a communication protocol therebetween that is not allowed by a security policy, the wrapper generation method generates a communication protocol wrapper that opens a Transmission Control Protocol (TCP) connection between the client and the computer such that the TCP connection is allowed by the security policy.
    Type: Grant
    Filed: May 3, 2005
    Date of Patent: September 27, 2011
    Assignee: International Business Machines Corporation
    Inventors: Dmitry Andreev, Paul G. Greenstein, Galina Grunin, Gregory Vilshansky
  • Patent number: 8024771
    Abstract: A system and method for processing a request by a first control service using a first control specification language, and a second control service using a second control specification language includes steps of: receiving the request from a requestor; providing the request to the first and second control services; receiving a decision on the request from each of the first and second control services; and comparing the decisions. The first control specification language is an access control policy.
    Type: Grant
    Filed: September 19, 2007
    Date of Patent: September 20, 2011
    Assignee: International Business Machines Corporation
    Inventors: Peter Kenneth Malkin, Alan Michael Webb
  • Patent number: 8024788
    Abstract: A method and apparatus for passing data from a first application at a first security level to a second application in a second security level higher than the first security level is disclosed. A backchannel communications link is established between the first application and the second application, and the backchannel link is used to transmit information such as an acknowledgement message from the second application to the first application.
    Type: Grant
    Filed: May 31, 2007
    Date of Patent: September 20, 2011
    Assignee: The Boeing Company
    Inventors: Steven L. Arnold, Thomas E. Donofrio
  • Patent number: 8024488
    Abstract: A system verifies configuration of a device within a network via an exchange of verification credentials, which are requested, received and authenticated. The verification credentials indicate that a configuration of the device was acceptable at the time of creation of the verification credentials for that device. The verification credentials of the device are obtained through a certifying process. During the certifying process, the credential certifier receives a current device configuration of the device in the network, and evaluates the current device configuration of a device with respect to its role within a network. The verification credentials are issued to the requesting device and stored within a database. The device submits its verification credentials if requested by the other peer it is communicating with when it enters the network. It also monitors the current device configuration and, if there are changes, invalidates the existing certification credentials and requests new ones.
    Type: Grant
    Filed: March 2, 2005
    Date of Patent: September 20, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Joseph A. Salowey, Hao Zhou
  • Publication number: 20110225647
    Abstract: A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN.
    Type: Application
    Filed: December 10, 2010
    Publication date: September 15, 2011
    Applicant: AKAMAI TECHNOLOGIES, INC.
    Inventors: John Dilley, Prasanna Laghate, John Summers, Thomas Devanneaux
  • Patent number: 8020202
    Abstract: Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Session Initiation Protocol (SIP) server within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.
    Type: Grant
    Filed: May 9, 2010
    Date of Patent: September 13, 2011
    Assignee: Fortinet, Inc.
    Inventor: Michael Xie
  • Patent number: 8020200
    Abstract: A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding component for forwarding to the routing component. The firewall component may be a security service card.
    Type: Grant
    Filed: June 1, 2009
    Date of Patent: September 13, 2011
    Assignee: Juniper Networks, Inc.
    Inventors: Robert M. Krohn, Sankar Ramamoorthi, Michael Freed, Keith Holleman
  • Patent number: 8015603
    Abstract: A method for packet transmission in an MIP network is disclosed. A mobile node sends to a Home Agent (HA) a first Firewall Detection (FD) packet encapsulated with the IP security (IPsec) protocol and a second FD packet encapsulated with the IPsec protocol and the User Datagram Payload (UDP) protocol. The mobile node determines whether there is a firewall blocking an IPsec packet between the mobile node and the HA according to a Firewall Detection Reply (FDR) packet from the HA. If there is a firewall, packets are encapsulated with the UDP protocol and binding update and packet exchange are performed; otherwise, binding update and packet exchange are performed. A mobile node for packet transmission is also provided. Embodiments of the present invention enable the mobile node to exchange a packet with a correspondent node when there is a firewall not supporting the IPsec protocol between the mobile node and the HA.
    Type: Grant
    Filed: September 14, 2007
    Date of Patent: September 6, 2011
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Hongke Zhang, Sidong Zhang, Shen Yang, Wei Su, Yan Ren, Zuzhou Zheng, Yajuan Qin, Shuai Gao, Jianglin Wang, Ying Liu, Fuyou Miao
  • Publication number: 20110214175
    Abstract: In one aspect of the invention, a mobile node (MN) participates in a first return routability procedure with a home agent (HA) and a correspondent node (CN), including generating a first binding management key (Kbm). A first proof of knowledge (PoK) is generated by hashing the first Kbm. The MN participates in a second return routability procedure, including generating a second Kbm. A first binding update and binding acknowledgement (BU/BA) key is generated by hashing the second Kbm and the first PoK. A first binding update (BU) message is transmitted to the CN, where the second BU message is transmitted with the first BU/BA key. In response to a first binding acknowledgement (BA) message received from the CN, the MN authenticates the first BA message using the first BU/BA key.
    Type: Application
    Filed: June 3, 2010
    Publication date: September 1, 2011
    Applicant: Telefonaktiebolaget L M Ericsson (publ)
    Inventor: Wassim Haddad
  • Patent number: 7996894
    Abstract: A method is disclosed for providing security to a client-to-client communication. The method includes authenticating a first client and a second client with an access point device, transmitting the packet to the security device and modifying a destination media access control (MAC) address of a packet from the first client to a MAC address of a security device for a first network. The packet contains a destination internet protocol (IP) address of the second client. The access point device and the first and second clients belong to the first network. The security device is located between the first network and a second network.
    Type: Grant
    Filed: February 15, 2005
    Date of Patent: August 9, 2011
    Assignee: Sonicwall, Inc.
    Inventors: Zhong Chen, Joseph H. Levy, David M. Telehowski, Jin Shang
  • Patent number: 7992199
    Abstract: A communications scheme enables a central communications station to assist two communications systems located behind firewalls that prevent communication initiated from an external data network to establish direct communication with each other. In one embodiment, the systems separately establish communications with the central communications station and obtain from it the connection information (e.g., IP address, port, etc.) of the other. The systems then directly communicate with each other using the obtained connection information while pretending to be the central communications station. In another embodiment in which the firewalls include NAT devices that implement network address translation, the systems exchange connection information for establishing a new connection through the central communications station and then complete a three-way handshake with the assistance of the central communications station, thereby allowing the central communications station to remove itself from the communication.
    Type: Grant
    Filed: December 31, 2003
    Date of Patent: August 2, 2011
    Assignee: Honeywell International Inc.
    Inventors: Steven J. Winick, William R. Blum, Piotr Romanczyk
  • Patent number: 7992201
    Abstract: Dynamically selecting an endpoint for a tunnel into an enterprise computing infrastructure. A client dynamically selects a gateway (which may alternatively be referred to as a boundary device or server) as a tunnel endpoint for connecting over a public network (or, more generally, an untrusted network) into an enterprise computing infrastructure. The selection is made, in preferred embodiments, according to least-cost routing metrics pertaining to paths through the enterprise network from the selected gateway to a destination host. The least-cost routing metrics may be computed using factors such as the proximity of selectable tunnel endpoints to the destination host; stability or redundancy of network resources for this gateway; monetary costs of transmitting data over a path between the selectable tunnel endpoints and destination host; congestion on that path; hop count for that path; and/or latency or transmit time for data on that path.
    Type: Grant
    Filed: July 26, 2007
    Date of Patent: August 2, 2011
    Assignee: International Business Machines Corporation
    Inventors: M. Lynn Aldridge, Peter C. Dill, Ivan M. Heninger, John D. Kari, Clifford D. Marano, David M. Urgo
  • Patent number: 7992208
    Abstract: An estimate of a portion of network traffic that is nonconforming to a communication transmission control protocol is used to signal that a distributed denial of service attack may be occurring. Traffic flows are aggregated and packets are intentionally dropped from the flow aggregate in accordance with an assigned perturbation signature. The flow aggregates are observed to determine if the rate of arrival of packets that have a one-to-one transmission correspondence with the dropped packets are similarly responsive to the perturbation signature. By assigning orthogonal perturbation signatures to different routers, multiple routers may perform the test on the aggregate and the results of the test will be correctly ascertained at each router. Nonconforming aggregates may be redefined to finer granularity to determine the node on the network that is under attack, which may then take mitigating action.
    Type: Grant
    Filed: September 19, 2006
    Date of Patent: August 2, 2011
    Assignee: University of Maryland
    Inventors: Mehdi Kalantari Khandani, Mark A. Shayman
  • Patent number: 7987505
    Abstract: The invention relates to a method for triggering re-negotiation of a session when an Access Terminal (AT) moves from one access network (source AN) to another access network (target AN) having different capabilities in a high rate packet data system. According to an exemplary embodiment of the invention, the source AN is allowed to store all the protocol subtypes, protocols and applications that the AT is capable of, and the AT is also allowed to send this information in priority order during session negotiation, hence facilitating the transfer of this information from the source AN to the target AN during session transfer when the AT moves from one AN to another AN. An alternate embodiment is to let the AT send the protocol subtypes, protocols and applications and other AT capability information to the target AN after it moves to a new AN, or to let the Rev-A capable AN query the AT's capability information and then have the AT provide this information.
    Type: Grant
    Filed: May 6, 2010
    Date of Patent: July 26, 2011
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Tirumala Sree Hari Vara Prasad Vadlapudi, Richa Dham
  • Patent number: 7986947
    Abstract: A device management network that supports roaming selectively conducts device management activities on a mobile device when it is roaming. The mobile device is capable of determining that it is roaming and communicating the information to the DM server in order to allow the DM server to execute an operator specified policy (or policies) to determine if device management activities need to be conducted when the device is roaming. Later, when the mobile device is no longer roaming, but back in the home network, then the mobile device communicates another message to the DM server to inform it (or other servers that need to know) that the mobile device is no longer roaming. In another embodiment, the DM server is capable of detecting that the mobile device is roaming and acts according to policies.
    Type: Grant
    Filed: June 28, 2006
    Date of Patent: July 26, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Glenn Hamasaki, Bindu Rama Rao
  • Patent number: 7986786
    Abstract: A computer platform is provided that comprises a processor and a cryptographic co-processor coupled to the processor. The computer platform further comprises a platform entity coupled to the processor. The platform entity establishes a secure relationship with the cryptographic co-processor that enables the platform entity to utilize cryptographic functions provided by the cryptographic co-processor.
    Type: Grant
    Filed: November 30, 2006
    Date of Patent: July 26, 2011
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Wael M. Ibrahim, Graeme J. Proudler, Liqun Chen, Manuel Novoa
  • Publication number: 20110179480
    Abstract: The problem we solve with this system is spam on websites' forms. Until now this problem has been solved with CAPTCHAs that help to distinguish between human users and spambots [0003]. The CAPTCHA approach is not a good solution because it does not prevent spambots from reading and understanding the content of CAPTCHAs. So web sites have to use more and more difficult CAPTCHAs, but human users can't read and understand them. The system described here provides a completely different solution to avoid spam on web forms without annoying human users. The spread of smart-phones increases the need for an automatic anti-spambot filter. When a web site receives a form compilation request, it asks the system whether it is a human user or a robot. The system checks this without requiring the user to do anything. The system can work underneath the web page or it can publish an image on the web page. This image can be an advertising message.
    Type: Application
    Filed: January 20, 2010
    Publication date: July 21, 2011
    Inventor: Emanuele Rogledi
  • Publication number: 20110179481
    Abstract: Among other things, one or more systems and/or methods for a network aware firewall are disclosed. A method comprises accessing a first network connection from a client computer system and determining whether the first network connection is a first network type or a second network type. The method further comprises dynamically modifying security parameters associated with a firewall local to the client computer system in response to determining whether the network connection is the first network type or the second network type.
    Type: Application
    Filed: January 21, 2011
    Publication date: July 21, 2011
    Applicant: Microsoft Corporation
    Inventors: Rajesh K. Dadhia, Fabien J. Royer, Pradeep Bahl
  • Patent number: 7984294
    Abstract: A method and apparatus determine a trust level of a path through a plurality of routers by an endpoint by transmitting a path setup message requesting a path reservation for a first path through a subset of the routers, by receiving in response to transmission of the path setup message a trust level message containing trust level information inserted by each router in the first path through the subset, and by evaluating the inserted trust level information to determine if the first path has a sufficient trust level. Another method and apparatus gather trust level information from a router by receiving a trust level message into which a trust level of the router can be inserted, by inserting trust level information of the router into the trust level message, and by re-transmitting the trust level message on a designated path.
    Type: Grant
    Filed: April 14, 2005
    Date of Patent: July 19, 2011
    Assignee: Avaya Inc.
    Inventors: Christopher Michael Goringe, Muneyb Minhazuddin, Alexander Martin Scholte, James Schreuder
  • Patent number: 7984494
    Abstract: Provided is a computer system including: a first computer; a second computer including a second processor and a second memory; and a communication controller for controlling communication between the first and second computers, in which: upon reception of a packet from the first computer, the communication controller translates address information of the received packet to transfer the packet to the second computer; the second memory stores SA candidate information as SA information in which a part of the address information is unknown; and the second processor decrypts the packet encrypted by the first computer by using the SA candidate information upon reception of the encrypted packet from the first computer, and creates SA information based on the SA candidate information used for the decryption and the address information of the encrypted packet upon successful decryption of the encrypted packet.
    Type: Grant
    Filed: July 21, 2006
    Date of Patent: July 19, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Masahiro Yoshizawa, Kazuma Yumoto, Kazuyoshi Hoshino
  • Patent number: 7984290
    Abstract: In an encryption communication using VPN technologies, a load on a VPN system becomes large if the number of communication terminals increases. When an external terminal accesses via an internal terminal an application server, processes become complicated because it is necessary to perform authentication at VPN and authentication at the application server. A management server is provided for managing external terminals, internal terminals and application servers. The management server authenticates each communication terminal and operates to establish an encryption communication path between communication terminals. Authentication of each terminal by the management server relies upon a validation server. When the external terminal performs encryption communication with the application server via the internal terminal, two encryption communication paths are established and used between the external terminal and internal terminal and between the internal terminal and application server.
    Type: Grant
    Filed: May 18, 2006
    Date of Patent: July 19, 2011
    Assignee: Hitachi, Ltd.
    Inventors: Yoko Hashimoto, Takahiro Fujishiro, Tadashi Kaji, Osamu Takata, Kazuyoshi Hoshino, Shinji Nakamura