Security Protocols Patents (Class 726/14)
- Patent number: 7822983
  Abstract: A system and/or method that facilitates the installation and/or authentication of a device by invoking installation protocols and/or authentication protocols for a non-physical connection. A physical interface component provides a physical connection between at least one wireless device and at least one network entity in which the installation protocols and/or authentication protocols can be exchanged. The physical interface component can utilize a token key to establish multiple non-physical connections with multiple wireless devices. Additionally, the physical interface component can utilize a daisy chain scheme to install and/or authenticate a wireless device.
  Type: Grant
  Filed: August 21, 2003
  Date of Patent: October 26, 2010
  Assignee: Microsoft Corporation
  Inventors: Randall E. Aull, Bernard J. Thompson
- Publication number: 20100269172
  Abstract: Methods and systems for an intelligent network protection gateway (NPG) and network architecture are provided. According to one embodiment, a firewall provides network-layer protection to internal hosts against unauthorized access by hosts of an external network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses. The firewall changes data in headers of VoIP packets and corresponding data contents of the VoIP packets, to enable bi-directional VoIP communications. An external VoIP interface of the firewall receives incoming VoIP packets having a user alias (e.g., an email address) and an indication regarding a VoIP port of the external interface. The packets are directed to an appropriate internal host by the firewall performing port address forwarding based on the port indication to a Session Initiation Protocol (SIP) server within the internal network that maintains a mapping of user aliases to private addresses of the internal hosts.
  Type: Application
  Filed: May 9, 2010
  Publication date: October 21, 2010
  Applicant: FORTINET, INC.
  Inventor: Michael Xie
- Patent number: 7818781
  Abstract: A facility for setting and revoking policies is provided. The facility receives from a controlling process a request to set a policy on a controlled process, and determines whether the controlling process has privilege to set the policy on the controlled process. If the facility determines that the controlling process has privilege to set the policy on the controlled process, the facility sets the policy on the controlled process, which causes the policy to be applied to the controlled process to determine whether the controlled process has authorization to access one or more resources.
  Type: Grant
  Filed: October 1, 2004
  Date of Patent: October 19, 2010
  Assignee: Microsoft Corporation
  Inventors: Gilad Golan, Mark Vayman, Scott A. Field
- Patent number: 7818790
  Abstract: A network of routers is monitored by a monitoring server. Each router implements various security mechanisms to secure the operation of the routers. For example, each router comprises control logic that implements a security protocol dictated, at least in part, by contents of at least two separate external storage devices, each storage device separate from, but coupled to, one of the ports of said router.
  Type: Grant
  Filed: September 20, 2006
  Date of Patent: October 19, 2010
  Assignee: ERF Wireless, Inc.
  Inventors: John Arley Burns, Edward J. Blevins, John Adrian Burns, Charles C. Hardin, Samuel D. Hartman, Dale S. Walker, Ricky C. White
- Publication number: 20100263041
  Abstract: A system includes a memory to store instructions and an autonomous system path (AS-path) and a processor. The processor executes instructions in the memory to determine an origin degree for each autonomous system in the AS-path, compare the origin degree of a first adjacent autonomous system in the AS-path with each subsequent autonomous system in the AS-path, and sum percentage increase values determined by comparing the origin degree of the first adjacent autonomous system in the AS-path with each subsequent autonomous system in the AS-path to determine a suspicion score for the AS-path.
  Type: Application
  Filed: April 13, 2009
  Publication date: October 14, 2010
  Applicant: VERIZON PATENT AND LICENSING INC.
  Inventor: Ryan SHEA
- Patent number: 7813831
  Abstract: In one embodiment, a system for controlling a plurality of devices having at least two operating modes comprises a first software operating layer configured to control the operation of at least one of the devices in a first operational mode and a second software operating layer configured to control the operation of at least one of the devices in a second operational mode. In another embodiment, a control system for controlling a plurality of devices connected by a communications network comprises a user interface configured to receive the selection of a cycle of operation; a first system element isolated from the network and configured to implement the selected cycle of operation to define a first control state; and a second system element exposed to the network and configured to implement the selected cycle of operation to define a second control state.
  Type: Grant
  Filed: December 29, 2006
  Date of Patent: October 12, 2010
  Assignee: Whirlpool Corporation
  Inventors: Richard A. McCoy, Matthew P. Ebrom, Mark E. Glotzbach, Andrew D. Whipple, Patrick J. Glotzbach
- Patent number: 7814203
  Abstract: A system and method for providing secure access to a computer system. An access device divides the password into multiple segments and places them in data packets. In one embodiment, an authentication server has multiple addresses, and each packet is sent to a different address. The server then reassembles the password. In another embodiment, when the server receives a password, the server sends an index value back to the access device, which then accesses the server on another address indicated by the index value. Alternatively, the password is sent to multiple addresses for the server, and the server determines whether any of the received packets have been altered. The multiple password packets may be forced to follow different paths to the server, thereby denying hackers the ability to intercept all of the password characters or determine the inter-packet timing factor. The system is effective against passive and active hackers, Trojans, and phishing techniques.
  Type: Grant
  Filed: December 2, 2008
  Date of Patent: October 12, 2010
  Assignee: 5th Fleet, L.L.C.
  Inventor: Sidney L Weatherford
- Patent number: 7814533
  Abstract: An integrated series of security protocols is disclosed that protect remote user communications with remote enterprise services, and simultaneously protect the enterprise services from third parties. In the first layer, an implementation of the Secure Sockets Layer (SSL) version of HTTPS provides communications security, including authentication of the enterprise web server and the security of the transmitted data. The protocols provide for an identification of the user, an authentication of the user to ensure the user is who he/she claims to be, and a determination of entitlements that the user may avail themselves of within the enterprise system. Session security is described, particularly as to the differences between a remote user's copper wire connection to a legacy system and a user's remote connection to the enterprise system over a "stateless" public Internet, where each session is a single transmission, rather than an interval of time between logon and logoff, as is customary in legacy systems.
  Type: Grant
  Filed: May 23, 2005
  Date of Patent: October 12, 2010
  Assignees: Verizon Business Global LLC, Verizon Communications Inc.
  Inventors: Carol Y. Devine, Gerald A. Shifrin, Richard W. Shoulberg
- Patent number: 7814531
  Abstract: A method and apparatus for detection of network environment to aid policy selection for network access control. An embodiment of a method includes receiving a request to connect a device to a network and, if a security policy is received for the connection of the device, applying the policy for the device. If a security policy for the connection of the device is not received, the domain of the device is determined by determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain, which allows selection of an appropriate domain/environment specific policy.
  Type: Grant
  Filed: June 30, 2006
  Date of Patent: October 12, 2010
  Assignee: Intel Corporation
  Inventors: Hormuzd Khosravi, Karanvir Grewal, Ahuva Kroiser, Avigdor Eldar
- Publication number: 20100257599
  Abstract: Techniques for dynamically configuring security mechanisms in a network can construct security perimeters that satisfy security needs at any given time while also efficiently spreading security functions among network elements and systems. In one technique, a network element comprises security function modules. Systems toward which the network element forwards data packets also comprise security function modules. A particular security function module on the network element begins in a state of deactivation. The network element determines whether a corresponding security function module on one of the systems is functioning in a satisfactory manner. If not, then the network element activates the particular security function module. While activated, the particular security function module may perform at least some of the security function operations that the corresponding security function module would have performed if the corresponding security function module was satisfactory.
  Type: Application
  Filed: August 1, 2006
  Publication date: October 7, 2010
  Inventor: Paul Gleichauf
- Patent number: 7810139
  Abstract: Techniques for the remote authorization of secure operations are provided. A secure security system restricts access to a secure operation via an access key. An authorization acquisition service obtains the access key on request from the secure security system when an attempt is made to initiate the secure operation. The authorization acquisition service gains access to the access key from a secure store via a secret. That is, the secure store is accessible via the secret. The secret is obtained directly or indirectly from a remote authorization principal over a network.
  Type: Grant
  Filed: March 29, 2006
  Date of Patent: October 5, 2010
  Assignee: Novell, Inc
  Inventors: Stephen R. Carter, Lloyd Leon Burch
- Patent number: 7810150
  Abstract: Various aspects of the invention provide a method, apparatus, and software for selecting interconnectivity rules for a computer network environment and visualization on a display of a data processing system interconnectivity rules in an auto provisioning environment, including: selecting a network environment specification having characteristics describing the environment, the characteristics including: number of network security tiers, firewalls, and other network constraints; displaying a graphical representation of the selected network environment, including security tiers, and proposed firewalls, to a user on the display; selecting network objects for the selected network environment, the network objects being selected from a group of objects including: operating systems and other software applications having predefined or configurable characteristics including interconnectivity rules, and firewall rules; populating the displayed network environment with the selected objects; determining network interconn
  Type: Grant
  Filed: December 27, 2007
  Date of Patent: October 5, 2010
  Assignee: International Business Machines Corporation
  Inventors: Patrick J. Brooks, Andrew J. Greff, Stewart J. Hyman, Artur Keizner
- Patent number: 7810132
  Abstract: Objects on application servers are distributed to one or more application servers; a user is allowed to declare in a list which objects residing on each application server are to be protected; the list is read by an interceptor; responsive to exportation of a Common Object Request Broker Architecture ("CORBA") compliant Interoperable Object Reference ("IOR") for a listed object, the interceptor associates one or more application server security flags with interfaces to the listed objects by tagging components of the IOR with one or more security flags; and one or more security operations are performed by an application server according to the security flags tagged to the IOR when a client accesses an application server-stored object, the security operations including an operation besides establishing secure communications between the client process and the server-stored object.
  Type: Grant
  Filed: May 20, 2008
  Date of Patent: October 5, 2010
  Assignee: International Business Machines Corporation
  Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung, Carlton Keith Mason, Ajaykumar Karkala Reddy, Vishwanath Venkataramappa
- Publication number: 20100251355
  Abstract: A method for obtaining data for intrusion detection obtains data after forward chain filtering of a firewall. Modes of obtaining the data include a socket communication mode and a character device work mode. The method for obtaining the data for intrusion detection obtains the data filtered by the firewall, and reduces false alarms. Moreover, the method obtains the data after a network address translation (NAT) operation, so as to locate an attacker and a victim correctly. The method further obtains a decrypted Internet Protocol Security (IPsec) data packet, so as to process an IPsec data stream normally.
  Type: Application
  Filed: March 31, 2009
  Publication date: September 30, 2010
  Applicant: INVENTEC CORPORATION
  Inventors: Yan LI, Gui-Dong Liu, Tom Chen
- Patent number: 7804774
  Abstract: Described are computer-based methods and apparatuses, including computer program products, for a scalable filtering and policing mechanism for protecting user traffic in a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.
  Type: Grant
  Filed: December 1, 2006
  Date of Patent: September 28, 2010
  Assignee: Sonus Networks, Inc.
  Inventors: Jian Yang, Shiping Li, Mark Duffy, Shaun Jaikarran Bharrat
- Patent number: 7802303
  Abstract: In one embodiment, a data stream is scanned for presence of computer viruses using a stream-based protocol parser, a stream-based decoder/decompressor, and a stream-based pattern matching engine. The protocol parser may be configured to extract application layer content from the data stream to generate a file stream. The protocol parser may stream the file stream to the decoder/decompressor, which may decode/decompress the file stream to generate a plain stream. The decoder/decompressor may stream the plain stream to the pattern matching engine, which in turn may scan the plain stream for viruses. Advantageously, the aforementioned components may perform their functions as soon as streaming data becomes available, without having to wait for the entirety of the data.
  Type: Grant
  Filed: June 30, 2006
  Date of Patent: September 21, 2010
  Assignee: Trend Micro Incorporated
  Inventors: Xiaoming Zhao, Gang Chen, Paul Hong
- Patent number: 7802094
  Abstract: Detection of a signature in a data packet comprises performing a pre-classification of the packet, using header information and particularly a 5-tuple access control list, into one of a multiplicity of flows and directing the payload of the packet to a respective one of a multiplicity of deterministic finite state machines, each of which stores a plurality of signatures as a sequence of states and acts only on the respective flow.
  Type: Grant
  Filed: February 22, 2005
  Date of Patent: September 21, 2010
  Assignee: Hewlett-Packard Company
  Inventors: Peter Furlong, Andrew Davy, Gareth Edward Allwright, Jerome Nolan
- Patent number: 7797752
  Abstract: A method and apparatus for a surround security system is provided. The surround security system is embodied on a computer readable medium and includes a packet enforcement engine to screen packets to and from the network and a TCP/IP stack, an application enforcement engine to screen packets to and from the TCP/IP stack and applications on the computer system, a file monitor to verify integrity of files on the computer system, and a vulnerability scanner to ensure that the computer system complies with a set level of security. The surround security system provides security which protects accesses through the TCP/IP stack for applications, and an operating system of the computer system.
  Type: Grant
  Filed: December 17, 2003
  Date of Patent: September 14, 2010
  Inventors: Vimal Vaidya, Kurt U. Lennartsson, John C. Myung
- Patent number: 7793333
  Abstract: An authorization engine is provided in a remote device for mobile authorization using policy based access control. To ensure that remote devices can enforce consistent authorization policies even when the devices are not connected to the server, the remote device downloads the relevant authorization policies when the business objects are downloaded and enforces the policies when operations are invoked. The memory footprint of downloadable authorization policies is reduced to fit onto a resource-constrained remote device. A policy evaluation engine interprets and enforces the downloaded policies on the remote device using only the limited computational resources of the remote device.
  Type: Grant
  Filed: June 13, 2005
  Date of Patent: September 7, 2010
  Assignee: International Business Machines Corporation
  Inventors: SweeFen Goh, Richard Thomas Goodwin
- Patent number: 7793344
  Abstract: A system, method, and computer-usable medium for removing redundancy from packet classifiers. In a preferred embodiment of the present invention, a packet classifier is implemented as a sequence of rules. A redundancy manager marks at least one upward redundant rule and at least one downward redundant rule. The redundancy manager removes at least one rule marked as upward redundant and at least one rule marked as downward redundant.
  Type: Grant
  Filed: May 31, 2006
  Date of Patent: September 7, 2010
  Assignee: The Board of Regents, University of Texas System
  Inventors: Mohamed G. Gouda, Xiang-Yang Alex Liu
- Patent number: 7788718
  Abstract: A method of identifying a distributed denial of service attack is described in which a rate profile is determined, where the rate profile corresponds to information transfer rates at which information is received from a network. A burst magnitude threshold based on this rate profile is then established. A burst duration profile characterizing periods of time during which the information transfer rate exceeds this burst magnitude threshold is also calculated, and a burst duration threshold is then defined based upon this burst duration profile. A distributed denial of service attack is identified when the information transfer rate exceeds the burst magnitude threshold for a period of time exceeding the burst duration threshold.
  Type: Grant
  Filed: June 13, 2002
  Date of Patent: August 31, 2010
  Assignee: McAfee, Inc.
  Inventors: Aiguo Fei, Kai Sun, Fengmin Gong
- Patent number: 7784095
  Abstract: An embodiment of the present invention is a technique to provide a secure Virtual Private Network (VPN) connection. A VPN connection is established to a remote gateway via a network adapter using firmware on a platform. An event is generated to notify an operating system (OS) network driver through a bus interface port. A request from the OS network driver is responded to, providing network information.
  Type: Grant
  Filed: September 8, 2005
  Date of Patent: August 24, 2010
  Assignee: Intel Corporation
  Inventor: Moshe Valenci
- Patent number: 7784093
  Abstract: A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine coupled to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory, providing a second path for retrieving packets from memory when the memory bus is busy.
  Type: Grant
  Filed: February 29, 2008
  Date of Patent: August 24, 2010
  Assignee: Juniper Networks, Inc.
  Inventors: Feng Deng, Yan Ke, Dongping Luo
- Publication number: 20100212006
  Abstract: Various exemplary embodiments relate to a method and related network element including one or more of the following: receiving a plurality of packets belonging to an IP flow, the packets received in a network element in the telecommunications network; performing deep packet inspection (DPI) to identify an application protocol associated with the flow; when the application protocol is a peer-to-peer (P2P) protocol, performing DPI to extract a key from one or more of the packets in the flow, the key uniquely identifying a P2P content item; querying a P2P content database using the key, the P2P content database maintaining a mapping between keys and corresponding traffic management actions; and when the key is located in the P2P content database, performing the traffic management action associated with the key in the P2P content database.
  Type: Application
  Filed: February 13, 2009
  Publication date: August 19, 2010
  Applicant: Alcatel-Lucent
  Inventors: Andrew Dolganow, Jason Rusmisel, Steve Morin
- Patent number: 7779476
  Abstract: A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received request, an active defense of the wireless network is triggered. The triggered active defense may be one or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packets appearing legitimate but containing randomized payloads), or transmitting a channel change request to the potentially compromised access point.
  Type: Grant
  Filed: October 20, 2006
  Date of Patent: August 17, 2010
  Assignee: AirDefense, Inc.
  Inventors: Michael T. Lynn, Scott E. Hrastar
- Patent number: 7779460
  Abstract: An evidence-based policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager executes in a computer system (e.g., a Web client or server) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. The policy manager may determine a subset of the permission grant set based on a subset of the received code assembly's evidence, in order to expedite processing of the code assembly. When the evidence subset does not yield the desired permission subset, the policy manager may then perform an evaluation of all evidence received.
  Type: Grant
  Filed: April 17, 2007
  Date of Patent: August 17, 2010
  Assignee: Microsoft Corporation
  Inventors: Gregory D. Fee, Brian Pratt, Sebastian Lange, Loren Kohnfelder
- Patent number: 7774831
  Abstract: A markup language processing device processes markup language messages by receiving a message containing portions of tagged data formatted in a markup language and applying a transform selection rule set to at least one tagged rule selection data portion in the message to select at least one markup language transformation to apply to the tagged pre-transform data portion within the message. The markup language processing device applies the selected markup language transformation to transform the tagged pre-transform data portion to a tagged post-transform data portion according to a transformation function and then conditionally forwards the message. The markup language processing device operates on behalf of a computerized device that is not required to process the message due to operation of the at least one markup language transformation within the markup language processing device.
  Type: Grant
  Filed: December 22, 2003
  Date of Patent: August 10, 2010
  Assignee: International Business Machines Corporation
  Inventors: Eugene Kuznetsov, Richard E. Salz, Jonathan H. Wenocur, Jan-Christian Nelson, Cyrus Abda Dolph V, Nicholas D. Matsakis, Kenneth R. Ballou
- Patent number: 7774833
  Abstract: A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
  Type: Grant
  Filed: September 23, 2003
  Date of Patent: August 10, 2010
  Assignee: Foundry Networks, Inc.
  Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
- Patent number: 7774834
  Abstract: A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrence are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway.
  Type: Grant
  Filed: February 18, 2004
  Date of Patent: August 10, 2010
  Assignee: Citrix Systems, Inc.
  Inventors: Abhishek Chauhan, Rajiv Mirani, Prince Kohli, Priya Nanduri
- Patent number: 7774832
  Abstract: A protocol management system is capable of detecting certain message protocols and applying policy rules to the detected message protocols that prevent intrusion, or abuse, of a network's resources. In one aspect, a protocol message gateway is configured to apply policy rules to high level message protocols, such as those that reside at layer 7 of the ISO protocol stack.
  Type: Grant
  Filed: December 6, 2005
  Date of Patent: August 10, 2010
  Assignee: Quest Software, Inc.
  Inventors: Robert Poling, Mary Nielsen, Robert Scott
- Patent number: 7774602
  Abstract: The present invention provides a method and system for secure access to computer equipment. An embodiment includes a secure access controller connected to a link between a transceiver (such as a modem) and the computer equipment. Public and private keys are used by the secure access controller and a remote user. The keys are provided to the secure access controller by an authentication server. Once the transceiver establishes a communication link with the user, the access controller uses these keys to authenticate packets issued by the user to the computer equipment. If the packet is authenticated, the access controller passes the packet to the computer equipment. Otherwise, the packet is discarded. Another embodiment includes a secure access controller having a plurality of ports for connection to a plurality of different pieces of computer equipment. The secure access controller thus intermediates communications between the modem and the plurality of different pieces of computer equipment.
  Type: Grant
  Filed: December 9, 2005
  Date of Patent: August 10, 2010
  Assignee: BCE Inc.
  Inventors: William G. O'Brien, Tet Hin Yeap, Dafu Lou
- Patent number: 7774837
  Abstract: A technique for securing message traffic in a data network using a protocol such as IPsec, and more particularly various methods for distributing security policies among peer entities in a network while minimizing the passing and storage of detailed policy or key information except at the lowest levels of a hierarchy.
  Type: Grant
  Filed: May 25, 2007
  Date of Patent: August 10, 2010
  Assignee: CipherOptics, Inc.
  Inventor: Donald K. McAlister
- Patent number: 7774836
  Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well as using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.
  Type: Grant
  Filed: August 2, 2006
  Date of Patent: August 10, 2010
  Assignee: Juniper Networks, Inc.
  Inventors: Ken Xie, Yan Ke, Yuming Mao
- Patent number: 7768911
  Abstract: A processing unit analyzes network traffic using a multi-timescale heuristic having multiple traffic windows. Each traffic window has a respective threshold value and a respective timescale. When a threshold value is exceeded, the processing unit triggers a network circuit breaker, causing a host platform to be isolated from the network.
  Type: Grant
  Filed: March 29, 2006
  Date of Patent: August 3, 2010
  Assignee: Intel Corporation
  Inventor: Uday Savagaonkar
- Patent number: 7769889
  Abstract: A system and method for providing secure access to a computer system. An access device divides the password into multiple segments and places them in data packets. In one embodiment, an authentication server has multiple addresses, and each packet is sent to a different address. The server then reassembles the password. In another embodiment, when the server receives a password, the server sends an index value back to the access device, which then accesses the server on another address indicated by the index value. Alternatively, the password is sent to multiple addresses for the server, and the server determines whether any of the received packets have been altered. The multiple password packets may be forced to follow different paths to the server, thereby denying hackers the ability to intercept all of the password characters or determine the inter-packet timing factor. The system is effective against passive and active hackers, Trojans, and phishing techniques.
  Type: Grant
  Filed: December 2, 2008
  Date of Patent: August 3, 2010
  Assignee: 5th Fleet, L.L.C.
  Inventors: Sidney L Weatherford, Steven W. Smith, James B Pritchard
- Publication number: 20100192217
  Abstract: A method for communicating information packets from a first host system operating in a first security domain and in accordance with a non-secure communications protocol, using a dataguard, to a second host system operating in a second security domain different than the first security domain, and where the second host system is also operating in accordance with the non-secure communications protocol.
  Type: Application
  Filed: January 28, 2009
  Publication date: July 29, 2010
  Applicant: The Boeing Company
  Inventor: Steven L. Arnold
-
Patent number: 7764785
Abstract: A method for enhancing the security of cryptographic systems against side channel attacks and cryptanalysis is based on the concept of object hopping or dynamic transformation of elements between objects that share the same category and/or floating objects which facilitate object hopping. The use of floating objects and floating finite fields to facilitate field hopping is also disclosed. Further, the use of curve hopping and floating elliptic curves to facilitate curve hopping and/or key floating when keys used in cryptosystems are floated through floating fields are also used for enhancing the security of cryptographic systems.
Type: Grant
Filed: November 8, 2004
Date of Patent: July 27, 2010
Assignee: King Fahd University of Petroleum and Minerals
Inventors: Abdulaziz Al-Khoraidly, Mohammad K. Ibrahim
-
Patent number: 7765585
Abstract: Run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.
Type: Grant
Filed: April 17, 2008
Date of Patent: July 27, 2010
Assignee: International Business Machines Corporation
Inventors: Ching-Yun Chao, Hyen Vui Chung, Ajay Reddy, Vishwanath Venkataramappa
-
Publication number: 20100186079
Abstract: In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource.
Type: Application
Filed: January 20, 2009
Publication date: July 22, 2010
Applicant: Microsoft Corporation
Inventors: Nir Nice, Amit Finkelstein, Dror Kremer, Noam Ben-Yochanan, Shyam Seshadri
-
Patent number: 7761905
Abstract: The invention relates to a system and a method for assigning access rights in a computer system. The system transforms an existing system of access rights to a more structured system. In many cases this is a prerequisite such that role-based administration can be used. The method identifies the existing system of access rights and identifies new roles by means of a correlation approach. New roles are created and all old roles are deleted. All direct access rights are avoided, making an administration of the system easier and the computer system more secure.
Type: Grant
Filed: September 27, 2005
Date of Patent: July 20, 2010
Assignee: International Business Machines Corporation
Inventor: Ruediger Kern
-
Patent number: 7761918
Abstract: Systems and methods to passively scan a network are disclosed herein. The passive scanner sniffs a plurality of packets traveling across the network. The passive scanner analyzes information from the sniffed packets to build a topology of network devices and services that are active on the network. In addition, the passive scanner analyzes the information to detect vulnerabilities in network devices and services. Finally, the passive scanner prepares a report containing the detected vulnerabilities and the topology when it observes a minimum number of sessions. Because the passive scanner operates passively, it may operate continuously without burdening the network. Similarly, it also may obtain information regarding client-side and server-side vulnerabilities.
Type: Grant
Filed: December 21, 2004
Date of Patent: July 20, 2010
Assignee: Tenable Network Security, Inc.
Inventors: Ronald Joseph Gula, Renaud Marie Maurice Deraison, Matthew Todd Hayton
-
Patent number: 7761710
Abstract: A system, method and computer program product are provided. In use, a peer-to-peer wireless network is advertised utilizing a granting node. Further, a requesting node is provided for connecting to the peer-to-peer wireless network. Thereafter, such requesting node is redirected to a portal. To this end, a software application is capable of being downloaded to the requesting node via the peer-to-peer wireless network utilizing the portal.
Type: Grant
Filed: February 21, 2006
Date of Patent: July 20, 2010
Assignee: McAfee, Inc.
Inventors: Terrance L. Lillie, Christian Wiedmann, Robert Zeljko, Richard P. Sneiderman, Ulrich Wiedmann, Gigi C. Chu, Sean R. Lynch
-
Patent number: 7752660
Abstract: Provided in a reception device (10) for receiving a transmission signal (US) in which, adhering to a communications protocol, reception data (ED) can be transmitted to the reception device (10) from a transmission device (2, 3) are reception means (12) for receiving the transmission signal (US), and evaluation means (16) for evaluating the received transmission signal (US) and for emitting a bit sequence (BFT) received in the transmission signal (US), which bit sequence (BFT) may contain bits of reception data (ED) transmitted from the transmission device (2, 3) but also bits (SB) occasioned by an interference to the transmission signal (US), and checking means (18) for checking whether the received bit sequence (BFT) infringes a rule of the communications protocol, wherein the reception device (10) is designed to continue with the reception of the transmission signal (US) and the checking of the received bit sequence (BFT) following the occurrence of an infringement of the communications protocol.
Type: Grant
Filed: April 23, 2003
Date of Patent: July 6, 2010
Assignee: NXP B.V.
Inventors: Heimo Bergler, Wolfgang Meindl, Klaus Ully
-
Patent number: 7747849
Abstract: A security-procuring method for making an item of communications equipment (E) secure, said item of communications equipment comprising an operating system core (K) and a set of software applications (A), said core including at least one IPv6 protocol stack (PS) making it possible to transmit incoming data packets from an input port (PIN) to an application (A) and to transmit outgoing data packets from an application (A) to an output port (POUT), said protocol stacks including a set of interfaces (HPRE, HIN, HOUT, HPOST) organized to enable external modules connected to them to access said data packets transmitted by said at least one protocol stack at determined points associated with said interfaces.
Type: Grant
Filed: August 23, 2006
Date of Patent: June 29, 2010
Assignee: Alcatel-Lucent
Inventors: Laurent Clevy, Thierry Legras
-
Patent number: 7747688
Abstract: A services broker provides session suspend and resume capabilities to a computer-supported multi-user session made up of associations between a plurality of participants and the services broker. The services broker includes: a memory; an input/output subsystem for transmission of session data and for communicating with the plurality of participants; a processor, operatively connected to the memory, for carrying out instructions. The instructions cause the processor to: receive a trigger event from at least one of the plurality of participants, the trigger event for resuming a suspending session; verify that the suspending session can be resumed; transmit a resume request to the plurality of participants; and re-establish associations among the plurality of participants. Additionally, the services broker will transmit a stored session state and stored session data to at least one environmental device for resuming the suspended session at the point where the suspended session ended.
Type: Grant
Filed: February 7, 2007
Date of Patent: June 29, 2010
Assignee: International Business Machines Corporation
Inventors: Chandrasekhar Narayanaswami, Mandayam Thonadur Raghunath, Marcel-Catalin Rosu
-
Publication number: 20100162384
Abstract: A method for detecting breaks in a border of a network is disclosed. The method may include monitoring network regulation and shaping traffic passing through the border. The method may also include providing, by a first confederate server on a first side of the border, a first connection request to a second confederate server on a second side of the border. Further, the method may include providing, by the second confederate server on the second side of the border, a second connection request to the first confederate server on the first side of the border. The method may also include executing a network diagnostic command if one or more of the first or second connection request is granted. Further, the method may also include copying any outputs of the network diagnostic command to a file.
Type: Application
Filed: December 18, 2008
Publication date: June 24, 2010
Inventors: John L. Traenkenschuh, Terry E. Jones, Richard V. Rosetto
-
Patent number: 7742605
Abstract: A system and method for establishing secure communications between two entities, such as a server and a client, may involve the use of an intermediate gateway. Each party may establish a secure communication link with the gateway, and the gateway may provide signed certificates to each party, each certificate identifying the gateway as the other party for purposes of the communication. The gateway may then facilitate the secure communications between the two parties, and may perform data translation on the communications. The identification information may be contained within the certificates used by the gateway.
Type: Grant
Filed: August 6, 2001
Date of Patent: June 22, 2010
Assignee: Nokia Corporation
Inventor: Zoltan Hornak
-
Patent number: 7739729
Abstract: An electronic security scheme and security system for a communications network facilitates the preventing of unauthorized access to an internal resource of an entity's internal computer system. A server includes a first set of ports for communication between an external communications network and the server. The server has a second set of ports for communications between an internal communications network and the server. A first firewall is interposed between the server and the external communications network. The first firewall is coupled to the first set of ports to provide at least one interconnection between the first set of ports and the external communications network. A second firewall is interposed between the server and the internal communications network. In one embodiment, the second firewall is coupled to the second set of ports to provide a nonnegative integer number of interconnections between the second set of ports and the internal communications network.
Type: Grant
Filed: June 6, 2007
Date of Patent: June 15, 2010
Assignee: Accenture LLP
Inventors: Shawn S. Cornelius, Clifford Donoughe, Arnold Z. Huffman, Matthew C. Klug, Richard R. Krahn, Mohan Kurup, Edward Madden, David E. Sabaka, Eric C. Su, Michael S. Sweeney
-
Patent number: 7739731
Abstract: A first application instance is associated with a protection domain based on credentials (e.g., a signed certificate) associated with a set of application code that, when executed, gives rise to the application instance. The first application instance executes in a first execution context. An indication is received that the first application instance seeks access to protected functionality associated with a second execution context. In response to receiving the indication, a determination is made as to whether the first application instance has permission to access the protected functionality. The determination is made by determining the protection domain with which the first application instance is associated, and determining if the protection domain with which the first application instance is associated is in the set of one or more protection domains.
Type: Grant
Filed: August 21, 2006
Date of Patent: June 15, 2010
Assignee: Oracle America, Inc.
Inventors: Thierry Violleau, Tanjore S. Ravishankar, Matt Hill
-
Patent number: 7735114
Abstract: A multiple key, multiple tiered network security system, method and apparatus provides at least three levels of security. The first level of security includes physical (MAC) address authentication of a user device being attached to the network, such as a user device being attached to a port of a network access device. The second level includes authentication of the user of the user device, such as user authentication in accordance with the IEEE 802.1x standard. The third level includes dynamic assignment of a user policy to the port based on the identity of the user, wherein the user policy is used to selectively control access to the port. The user policy may identify or include an access control list (ACL) or MAC address filter. Also, the user policy is not dynamically assigned if insufficient system resources are available to do so. Failure to pass a lower security level results in a denial of access to subsequent levels of authentication.
Type: Grant
Filed: September 4, 2003
Date of Patent: June 8, 2010
Assignee: Foundry Networks, Inc.
Inventors: Philip Kwan, Chi-Jui Ho