Security Protocols Patents (Class 726/14)
- Patent number: 7733862
  Abstract: Provided are an apparatus and method for implementing an IPSec engine in IXDP2851. The apparatus for implementing an IPSec engine in IXDP2851, which is an IXP2850 network processor development platform, includes: a packet classifier/forwarding microblock classifying packets into an inbound packet and an outbound packet, using received packet information; determining whether IPSec processing should be performed on the inbound packet and the outbound packet, and performing packet forwarding on a packet not requiring the IPSec processing; an outbound IPSec processing microblock; an inbound IPSec processing microblock; and an IPSec forwarding microblock receiving packet information of a packet subjected to IPSec processing and performing forwarding on the corresponding packet.
  Type: Grant
  Filed: June 8, 2006
  Date of Patent: June 8, 2010
  Assignee: Electronics and Telecommunications Research Institute
  Inventors: Min Ho Han, Ki Young Kim
- Patent number: 7735128
  Abstract: A method of storing a pattern matching policy and a method of controlling an alert message are provided.
  Type: Grant
  Filed: December 7, 2006
  Date of Patent: June 8, 2010
  Assignee: Electronics and Telecommunications Research Institute
  Inventors: Byoung Koo Kim, Kwang Ho Baik, Jin Tae Oh, Jong Soo Jang, Sung Won Sohn
- Publication number: 20100138910
  Abstract: The present invention discloses methods, media, and perimeter gateways for encrypted-traffic URL filtering using address-mapping interception, methods including the steps of: providing a client system having a client application for accessing websites from web servers; upon the client application attempting to access an encrypted website, performing a name-to-address query to resolve a name of the encrypted website; intercepting address-mapping responses; creating a mapping between the name and at least one network address of the encrypted website; intercepting incoming encrypted traffic; extracting a server's network address from the incoming encrypted traffic; establishing a resolved name being accessed using the mapping; and filtering the resolved name. Preferably, the step of filtering includes redirecting the encrypted traffic. Preferably, the method further includes the step of: blocking all encrypted traffic for unresolved names.
  Type: Application
  Filed: December 3, 2008
  Publication date: June 3, 2010
  Applicant: CHECK POINT SOFTWARE TECHNOLOGIES, LTD.
  Inventors: Ori Aldor, Guy Guzner, Izhar Shoshani-Levi, Eytan Segal
- Patent number: 7730536
  Abstract: A security system that is associated with a customer network includes first, second, and third security perimeters. The first security perimeter includes a set of content delivery network (CDN) devices configured to provide first protection against a network attack associated with the customer network. The second security perimeter includes a set of mitigation devices configured to provide second protection in terms of mitigation services as a result of a network attack associated with the customer network. The third security perimeter includes a set of hierarchy devices configured to provide third protection against a network attack associated with the customer network.
  Type: Grant
  Filed: June 8, 2005
  Date of Patent: June 1, 2010
  Assignee: Verizon Business Global LLC
  Inventor: Douglas Pasko
- Patent number: 7730543
  Abstract: Improved system and approaches for permitting users of different organizations to access secured files (e.g., documents) are disclosed. These users can be part of a group that is shared across a plurality of file security systems. For example, at a first file security system, a user of the shared group can secure a file for restricted access by those users within the shared group. Subsequently, at a different file security system, another user of the shared group is able to access the content of the secured file.
  Type: Grant
  Filed: June 30, 2003
  Date of Patent: June 1, 2010
  Inventor: Satyajit Nath
- Patent number: 7725932
  Abstract: In response to a command to start restrictions on a communication service of a computer, the communication service is restricted by a countermeasures apparatus which replaces the communication address of a second computer, which has been stored in a first computer, with the communication address of the countermeasures apparatus, and replaces a communication address of the first computer, which has been stored in the second computer, with the communication address of the countermeasures apparatus. Accordingly, the countermeasures apparatus acquires a packet from the first computer to the second computer and determines whether or not this acquired packet is to be transmitted to the second computer.
  Type: Grant
  Filed: September 5, 2008
  Date of Patent: May 25, 2010
  Assignee: International Business Machines Corporation
  Inventors: Kentaro Aoki, Yukinobu Moriya, Izumi Kagawa
- Publication number: 20100125855
  Abstract: A system and method can deploy and manage software services in virtualized and non-virtualized environments. The system provides an enterprise application virtualization solution that allows for centralized governance and control over software and Java applications. The system uses a plurality of agents to manage the software processes and resources running in the computing environment. The system also uses a controller to collect data from the agents about the current operating performance of the computing environment and to deploy the services in a way that best honors the service level agreements of all deployed services. The communication between each of the plurality of agents and the controller is secured with a mutual authentication method.
  Type: Application
  Filed: November 13, 2009
  Publication date: May 20, 2010
  Applicant: ORACLE INTERNATIONAL CORPORATION
  Inventors: Paul Ferwerda, John Herendeen, Richard Mousseau
- Patent number: 7721330
  Abstract: A firewall dynamically adapts to changes in a utility computing system. The utility computing system has multiple nodes that are dynamically provisioned in different roles. The different roles are best served by different security and/or Quality-of-Service (QoS) policies. The firewall selects and applies security and/or QoS policies to a node or group of nodes based on the roles provisioned to the node or group. The firewall detects when the provisioning of a node changes, and dynamically applies a new security and/or QoS policy to the node based on the new provisioning. The firewall thus provides adaptive network-level security and QoS functionality to a utility computing system.
  Type: Grant
  Filed: August 8, 2005
  Date of Patent: May 18, 2010
  Assignee: Symantec Corporation
  Inventors: Carey S. Nachenberg, Alfred C. Hartmann, Jeffrey Wilhelm, Frank Barajas
- Patent number: 7716730
  Abstract: A method for offloading a secure protocol connection, involving establishing the secure protocol connection between a host system and a remote peer, offloading the secure protocol connection to a network interface card (NIC) to obtain an offloaded secure protocol connection, determining whether a packet is associated with the offloaded secure protocol connection, and if the packet is associated with the offloaded secure protocol connection, identifying the offloaded secure protocol connection, performing cryptographic operations on the packet using at least one secret key to obtain a processed packet, and returning a status of the processed packet to the host system.
  Type: Grant
  Filed: June 24, 2005
  Date of Patent: May 11, 2010
  Assignee: Oracle America, Inc.
  Inventors: Nicolas G. Droux, Sunay Tripathi, Thirumalai Srinivasan
- Patent number: 7716731
  Abstract: A method and computer program product for dynamically tunneling over an unreliable protocol or a reliable protocol based on network conditions is presented. A connection between a source device and a destination device is established using a reliable protocol. An attempt is then made to utilize an unreliable protocol to communicate between the source device and the destination device. When the attempt to utilize an unreliable protocol is successful, the unreliable protocol is used to transmit data between the source device and the destination device. When the attempt to utilize the unreliable protocol is unsuccessful, the reliable protocol connection is used to transmit data between the source device and the destination device.
  Type: Grant
  Filed: October 24, 2005
  Date of Patent: May 11, 2010
  Assignee: Cisco Technology, Inc.
  Inventors: Todd M. Short, Heng-Chun Chen, Vincent E. Parla, Marc R. Tardif
- Publication number: 20100115603
  Abstract: A data control system prevents non-point of sale devices (135, 155) from sending data over an external network (160) via a secure connection reserved for point of sale devices (125, 145), but allows non-point of sale devices (135, 155) to send data over the external network (160) other than via the secure connection. The secure connection is, for example, a virtual private network connection. The data control system may allow the data from non-point of sale devices (135, 155) to be sent only if it is not destined for a restricted destination. The restricted destination may be, for example, a payment host (170) or secure host (180) on the external network (160).
  Type: Application
  Filed: November 5, 2008
  Publication date: May 6, 2010
  Applicant: APPSWARE WIRELESS, LLC
  Inventor: Paul D. Coppinger
- Patent number: 7707639
  Abstract: Systems and methods for handling restoration operations for a mobile device. A mobile device receives a kill pill command, wherein the command causes some or all data on the mobile device to be wiped. An indicator is stored to indicate that the kill pill command was sent to the mobile device. The indicator is used to determine whether a program should be wiped from the mobile device.
  Type: Grant
  Filed: February 25, 2005
  Date of Patent: April 27, 2010
  Assignee: Research In Motion Limited
  Inventors: Michael K. Brown, Neil P. Adams, Michael S. Brown, Jonathan F. Hammell, Michael G. Kirkup, Herbert A. Little
- Patent number: 7706314
  Abstract: An approach is provided for implementing IPsec in PEP environments. The approach generally involves preserving TCP header data contained in packets prior to IPsec encryption and making the TCP header data available to PEP applications. For example, TCP header data is identified in a packet that conforms to the TCP and a copy of the TCP header data is generated. Encrypted packet data is generated by encrypting at least a portion of the packet using IPsec. For example, the TCP header data and payload may be encrypted to generate the encrypted packet data. A modified copy of the TCP header data is generated by modifying length data contained in the copy of the TCP header data to reflect a length of at least the encrypted packet data. A new packet is generated that includes the modified copy of the TCP header data and the encrypted packet data.
  Type: Grant
  Filed: May 20, 2005
  Date of Patent: April 27, 2010
  Assignee: Cisco Technology, Inc.
  Inventor: Plamen Nedeltchev
- Patent number: 7703129
  Abstract: Disclosed are an authentication system and method thereof for a dial-up networking connection via a terminal. The authentication system includes a terminal for snooping an authentication request packet that includes an authentication ID and password of a computer requesting authentication, and for generating an acknowledge packet of the authentication request packet. The authentication method includes receiving an authentication request packet including an authentication ID and password by a terminal, generating an acknowledge packet by the terminal, and transmitting the generated acknowledge packet from the terminal to the computer.
  Type: Grant
  Filed: August 25, 2005
  Date of Patent: April 20, 2010
  Assignee: LG Electronics, Inc.
  Inventor: Young-Beack Cho
- Patent number: 7702900
  Abstract: A computer-implemented system for managing security using a SOAP message is provided. The system includes a SOAP message that has a security portion. The security portion of the SOAP message has at least one security component. The system includes a custom class and a handler. The custom class identifies the web services security version or draft of the security component within the SOAP message. The handler is operable, based on the web services security version or draft related to the at least one security component, to promote processing of a security aspect of the SOAP message.
  Type: Grant
  Filed: September 20, 2005
  Date of Patent: April 20, 2010
  Assignee: Sprint Communications Company L.P.
  Inventors: Vijaykumar Cherukumudi, Shrikant D. Jannu
- Patent number: 7693165
  Abstract: A data processing method and device includes a data selecting unit of a GGSN selecting data received by the GGSN, which includes a GTP tunnel signaling packet and a normal data packet, and performs corresponding processing in accordance with a type of the selected packet. A data information processing unit receives data transmitted from the data selecting unit and data transmitted from an external data network. The data selecting unit is added in the GGSN, so that the data with respect to the GTP tunnel is managed by categories, and the tunnel deleting notification packet is transmitted to the data information processing module in time; thus wrong data forwarding is avoided, and the operation mode is simple. In other words, the data information processing module operates only in the routing mode; therefore, the failure rate of a single node is reduced, and the operation cost is lowered.
  Type: Grant
  Filed: December 20, 2007
  Date of Patent: April 6, 2010
  Assignee: Huawei Technologies Co., Ltd.
  Inventor: Yaowei Xu
- Patent number: 7694335
  Abstract: A server is configured for preventing flood attacks by a client having sent a request, by dynamically generating a challenge to be performed by the client before the server will perform any work for the client. The challenge includes a dynamically generated computational request and a dynamically generated secure cookie. The server generates a first hash result based on hashing a first random number, having a prescribed length, with a second random number having a dynamically selected length. A secure cookie is generated based on hashing the first hash result with a prescribed secure key known only by the server, and a unique identifier for the request such as the client network address with a time stamp. The challenge requires the client to determine the second random number based on the first random number and the hash result. The server validates the challenge results using the secure cookie.
  Type: Grant
  Filed: March 9, 2004
  Date of Patent: April 6, 2010
  Assignee: Cisco Technology, Inc.
  Inventors: Bryan C. Turner, John Toebes
- Patent number: 7690040
  Abstract: Systems and methods are provided for preserving the privacy of data contained in mirrored network traffic. The mirrored network traffic may comprise data that may be considered confidential, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks. The present invention provides various techniques for securing the privacy of data contained in the mirrored network traffic. Using the techniques of the present invention, network traffic comprising confidential, privileged, private, or otherwise sensitive data may be mirrored in such a manner as to provide for the privacy of such data over at least a portion if not all of the mirrored communications between the mirror source point and the mirror destination point.
  Type: Grant
  Filed: March 8, 2005
  Date of Patent: March 30, 2010
  Assignee: Enterasys Networks, Inc.
  Inventors: David E. Frattura, Richard W. Graham, John Roese
- Publication number: 20100071054
  Abstract: Systems and methods for combating and thwarting attacks by cybercriminals are provided. Network security appliances interposed between computer systems and public networks, such as the Internet, are configured to perform defensive and/or offensive actions against botnets and/or other cyber threats. According to some embodiments, network security appliances may be configured to perform coordinated defensive and/or offensive actions with other network security appliances.
  Type: Application
  Filed: April 28, 2009
  Publication date: March 18, 2010
  Applicant: ViaSat, Inc.
  Inventor: Steve R. Hart
- Publication number: 20100071055
  Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.
  Type: Application
  Filed: November 24, 2009
  Publication date: March 18, 2010
  Applicant: Advanced Micro Devices, Inc.
  Inventors: Marufa Kaniz, Jeffrey Dwork, Robert Alan Williams, Mohammed Y. Maniar, Somnath Viswanath
- Publication number: 20100071038
  Abstract: System(s) and method(s) are provided for content management, e.g., exchange and manipulation, across devices provisioned through disparate network platforms. Devices can be mobile or stationary, and connect to provisioning network platforms through various network bearers. Through various secure protocols, a client component within a device secures access to content and provides secure delivery thereof. Directives for content manipulation are also delivered securely. Delivery of contents and directives is performed from device to device, routed via gateway nodes within a network platform that provisions the device. In addition, or alternatively, content management can be implemented through an intermediary component, which can also validate devices and secure delivery of content or directives. Alarm signaling among devices provisioned through disparate network platforms also can be securely conveyed.
  Type: Application
  Filed: September 12, 2008
  Publication date: March 18, 2010
  Applicant: AT&T Mobility II LLC
  Inventors: Judson John Flynn, Erick John Haughn, John Lewis
- Patent number: 7681244
  Abstract: Provided is a packet transmitter apparatus which can transmit contents protected by a content protection technique such as DTCP or the like, using packets such as IP packets which have become widespread. The packet transmitter apparatus includes a transmitting condition setting management unit (404) which extracts at least one of charge information, playback control information and copy control information of AV data from the inputted non-AV data or AV data and generates, based on the extracted information, encryption mode information indicating an encryption mode which becomes a condition at the time of transmitting the AV data; an encrypted data generation unit (406) which generates encrypted data by encrypting, based on the transmitting condition, the inputted AV data and adding encryption information headers based on the encryption mode information to the encrypted AV data; and a packet generation unit (403) which generates packets by adding packet headers to the generated encrypted data.
  Type: Grant
  Filed: December 10, 2004
  Date of Patent: March 16, 2010
  Assignee: Panasonic Corporation
  Inventors: Yoshihiro Morioka, Yasushi Ayaki, Naoshi Usuki
- Patent number: 7676838
  Abstract: Methods and systems for secure communications are provided. Secure end-to-end connections are established as separate multiple secure connections, illustratively between a first system and an intermediate system and between a second system and an intermediate system. The multiple secure connections may be bound, by binding Internet Protocol Security Protocol (IPSec) Security Associations (SAs) for the multiple connections, for example, to establish the end-to-end connection. In the event of a change in operating conditions which would normally require the entire secure connection to be re-established, only one of the multiple secure connections which form the end-to-end connection is re-established. Separation of end-to-end connections in this manner may reduce processing resource requirements and latency normally associated with re-establishing secure connections.
  Type: Grant
  Filed: July 26, 2004
  Date of Patent: March 9, 2010
  Assignee: Alcatel Lucent
  Inventors: Vinod Choyi, Andrew Robison, Frederic Gariador
- Patent number: 7673137
  Abstract: Managing and controlling the execution of software programs with a computing device to protect the computing device from malicious activities. A protector system implements a two-step process to ensure that software programs do not perform malicious activities which may damage the computing device or other computing resources to which the device is coupled. In the first phase, the protector system determines whether a software program has been previously approved and validates that the software program has not been altered. If the software program is validated during the first phase, this will minimize or eliminate security monitoring operations while the software program is executing during the second phase. If the software program cannot be validated, the protector system enters the second phase and detects and observes executing activities at the kernel level of the operating system so that suspicious actions can be anticipated and addressed before they are able to do harm to the computing device.
  Type: Grant
  Filed: January 3, 2003
  Date of Patent: March 2, 2010
  Assignee: International Business Machines Corporation
  Inventors: Thomas James Satterlee, William Frank Hackenberger
- Patent number: 7669229
  Abstract: It is convenient to allow access to a private network, such as a corporate intranet, or outward facing extranet application, from an external network, such as the Internet. Unfortunately, if an internal authentication system is used to control access from the external network, it may be attacked, such as by a malicious party intentionally attempting multiple invalid authentications to ultimately result in an attacked account being locked out. To circumvent this, an authentication front-end, proxy, wrapper, etc. may be employed which checks for lockout conditions prior to attempting to authenticate security credentials with the internal authentication system.
  Type: Grant
  Filed: November 13, 2002
  Date of Patent: February 23, 2010
  Assignee: Intel Corporation
  Inventor: Steven L. Grobman
- Patent number: 7660798
  Abstract: A system and method attempts to access a portable electronic document using different methods depending on whether the user attempting access is in front of, or behind, a firewall.
  Type: Grant
  Filed: October 4, 2005
  Date of Patent: February 9, 2010
  Assignee: Adobe Systems Incorporated
  Inventors: Adrian Ludwig, Charles E Gotlieb
- Patent number: 7661130
  Abstract: An apparatus is described comprising: a plurality of security processing resources for processing two or more different types of data traffic within a cryptographic processor; a first scheduler to provide a first type of data traffic to a first predefined subset of the security processing resources using a first scheduling technique; and a second scheduler to provide a second type of data traffic to a second predefined subset of the security processing resources using a second scheduling technique.
  Type: Grant
  Filed: April 12, 2003
  Date of Patent: February 9, 2010
  Assignee: Cavium Networks, Inc.
  Inventors: Muhammad Raghib Hussain, Philip H. Dickinson, Imran Badr
- Patent number: 7660980
  Abstract: Methods and systems for establishing secure TCP/IP communications for individual network connections include the steps of intercepting a conventional TCP SYN packet prior to transmission from a source node to a destination node, embedding unique identifiers into standard fields of the packet header, wherein the unique identifiers are associated with the specific connection attempt and wherein the unique identifiers identify the user account and/or the computer hardware initiating the communication attempt, then forwarding the modified TCP SYN packet to the destination node and intercepting the modified TCP SYN packet prior to arrival, determining whether secure communications are required based on the unique identifiers extracted from the packet headers, based on other TCP/IP information, and based on predefined rules associated with the same. If secure communications are required, such requirement is communicated within either an RST or a SYN-ACK back to the source node.
  Type: Grant
  Filed: March 23, 2007
  Date of Patent: February 9, 2010
  Assignee: Liquidware Labs, Inc.
  Inventors: A. David Shay, Joubert Berger, Patricia Joy Leima, Jonathan Alexander, Chaoting Xuan
- Patent number: 7661128
  Abstract: Methods and apparatus for secure communications. The techniques feature receiving over the first connection a login credential for the server, generated by the server without the use of any information identifying a computer user. The techniques further feature establishing a second secure connection with the server using a secure protocol and the login credential provided by the server.
  Type: Grant
  Filed: March 31, 2005
  Date of Patent: February 9, 2010
  Assignee: Google Inc.
  Inventors: Kai Chen, Shioupyn Shen
- Publication number: 20100031340
  Abstract: A high-speed security device for network connected industrial controls provides hybrid processing in tandem hardware and software security components. The software security component establishes state-less data identifying each packet that requires high-speed processing and loads a data table in the hardware component. The hardware component may then allow packets matching data of the data table to bypass the software component while passing other non-matching packets to the software component for more sophisticated state analysis.
  Type: Application
  Filed: February 14, 2008
  Publication date: February 4, 2010
  Inventors: Brian A. Batke, Sivaram Balasubramanian
- Publication number: 20100031341
  Abstract: A method of secure communication between a wireless device and a target network is presented, comprising receiving a communication addressed to a target network, the communication comprising a data payload and originating from a wireless device on a trusted wireless network, establishing a secure channel with the target network and sending the communication to the target network over the secure channel. The method can further comprise negotiating secure channel parameters with the target network, encrypting the data payload, adding data integrity protection to the communication, encapsulating the communication according to a VPN protocol, authenticating the wireless device as an authorized user of the private network and granting access to a target network resource.
  Type: Application
  Filed: July 22, 2009
  Publication date: February 4, 2010
  Inventor: Michael Loh
- Patent number: 7657933
  Abstract: An apparatus is described comprising: a plurality of security processing resources for processing two or more different types of data traffic within a cryptographic processor; a first scheduler to provide a first type of data traffic to a first predefined subset of the security processing resources using a first scheduling technique; and a second scheduler to provide a second type of data traffic to a second predefined subset of the security processing resources using a second scheduling technique.
  Type: Grant
  Filed: April 12, 2003
  Date of Patent: February 2, 2010
  Assignee: Cavium Networks, Inc.
  Inventors: Muhammad Raghib Hussain, Richard Kessler, Philip H. Dickinson
- Publication number: 20100024016
  Abstract: A first application instance is associated with a protection domain based on credentials (e.g., a signed certificate) associated with a set of application code that, when executed, gives rise to the application instance. The first application instance executes in a first execution context. An indication is received that the first application instance seeks access to protected functionality associated with a second execution context. In response to receiving the indication, a determination is made as to whether the first application instance has permission to access the protected functionality. The determination is made by determining the protection domain with which the first application instance is associated, and determining if the protection domain with which the first application instance is associated is in the set of one or more protection domains.
  Type: Application
  Filed: August 21, 2006
  Publication date: January 28, 2010
  Inventors: Thierry Violleau, Tanjore S. Ravishankar, Matt Hill
- Patent number: 7653938
  Abstract: A method for processing communication traffic includes receiving a data packet sent over a network from a source address and reading a value of an attribute from the data packet. The value is hashed to determine a key, which is used as an index in extracting a tag from a table of random values. A decision is made using the tag regarding forwarding of the communication traffic from the source address.
  Type: Grant
  Filed: February 3, 2005
  Date of Patent: January 26, 2010
  Assignee: Cisco Technology, Inc.
  Inventors: Dan Touitou, Guy Pazi, Yehiel Shtein
- Publication number: 20100017870
  Abstract: The present invention is a method and a system that uses privacy-preserving distributed data stream mining algorithms for mining continuously generated data from different network sensors used to monitor data communication in a computer network. The system is designed to compute global network-threat statistics by combining the output of the network sensors using privacy-preserving distributed data stream mining algorithms.
  Type: Application
  Filed: July 18, 2008
  Publication date: January 21, 2010
  Inventor: Hillol Kargupta
- Publication number: 20100017871
  Abstract: Embodiments related to security in networks are described and depicted.
  Type: Application
  Filed: July 15, 2009
  Publication date: January 21, 2010
  Inventors: Neal J. King, Charles Bry
- Patent number: 7650636
  Abstract: Methods and devices are provided for securely transmitting sensitive information over the Internet to and from a first device in a home network that lacks the ability to communicate according to a secure protocol. Communications between the first device and a second device within the home network may proceed according to a non-secure protocol, such as HTTP. However, the second device has the ability to communicate with the outside world via a secure protocol, such as HTTPS. Various implementations of the invention allow the first device to avail itself of the secure communications provided by the second device.
  Type: Grant
  Filed: March 3, 2004
  Date of Patent: January 19, 2010
  Assignee: Cisco Technology, Inc.
  Inventors: Pamela Lee, Wai Wong
- Publication number: 20100011434
  Abstract: An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier.
  Type: Application
  Filed: July 9, 2009
  Publication date: January 14, 2010
  Inventor: Rony Kay
- Patent number: 7644438
  Abstract: A network security system can have a plurality of distributed software agents configured to collect security events from network devices. In one embodiment, the agents are configured to aggregate the security events. In one embodiment of the present invention, an agent includes a device interface to receive a security event from a network device, a plurality of aggregation profiles, and an agent aggregate module to select one of the plurality of aggregation profiles, and increment an event count of an aggregate event representing the received security event using the selected aggregation profile.
  Type: Grant
  Filed: October 27, 2004
  Date of Patent: January 5, 2010
  Assignee: ArcSight, Inc.
  Inventors: Debabrata Dash, Hector Aguilar-Macias
-
Patent number: 7643416
Abstract: An approach for adaptively providing network performance enhancing functions in a secure environment, such as a virtual private network, is disclosed. Traffic, for example, Internet Protocol (IP) packets, is received for transport over an access network (e.g., satellite network). Next, characteristics (e.g., latency) of the access network are determined. A connection (which supports the performance enhancing functions) is selectively established based on the determined characteristics for transporting the received packets over the access network. An encrypted tunnel is provided over the established connection to transmit the received packets.
Type: Grant
Filed: March 12, 2008
Date of Patent: January 5, 2010
Assignee: Hughes Network Systems, Inc.
Inventors: Peter Pardee, John Border, Nigel Bartlett, Douglas Dillon
-
Patent number: 7644279
Abstract: Aspects for consumer product distribution in the embedded system market are described. The aspects include forming a secure network for distributing product digitation files capable of configuring operations of an adaptive computing engine (ACE), and providing an agent server within the secure network for controlling licenses of the product digitation files, wherein a separation of responsibility and control of the distributing and licensing exists.
Type: Grant
Filed: July 18, 2002
Date of Patent: January 5, 2010
Assignee: NVIDIA Corporation
Inventors: Owen Robert Rubin, Eric Murray, Nalini Praba Uhrig
-
Publication number: 20090328191
Abstract: An apparatus and a method for synchronizing a Security Association (SA) state as SA information of a mobile communication terminal is lost are provided. In the method, an IPSec tunnel is established by performing an SA procedure with a server, and a secure port is obtained. A service request message is transmitted to the server via the obtained secure port, and an unsecure port is opened. When a service response message is received from the server, it is determined whether the service response message is received via the unsecure port. When the service response message is received via the unsecure port, the SA procedure is re-performed. Therefore, the terminal may use a service through a secure network without interruption, and reduce a waste of resources by avoiding unnecessary retransmission of a message for requesting a service.
Type: Application
Filed: June 24, 2009
Publication date: December 31, 2009
Applicant: SAMSUNG ELECTRONICS CO. LTD.
Inventors: Jong-Mu CHOI, Jin-Yup Kim
-
Publication number: 20090328190
Abstract: Flaws in information security infest modern software, and pervasive computing has made network systems vulnerable. Information security is constantly endangered by errors in protocol implementations. Testing a protocol implementation for errors directly from a network where a device implementing the protocol resides limits the coverage of protocols tested. In contrast, testing protocols from an access network that internetworks a customer premises with one or more service networks greatly expands the coverage of protocols tested. Accordingly, a method and corresponding apparatus are provided to test from the access network, testing both service network devices and customer premises devices, and the protocols implemented on those devices.
Type: Application
Filed: June 25, 2008
Publication date: December 31, 2009
Inventors: David H. Liu, Shih-Chang Liang, Marc R. Bernard, Guy M. Merritt, Fung-Chang Huang
-
Publication number: 20090328188
Abstract: A method, information processing system, and network limit access to an electronically available information asset. A request (304) from a source (204) to exchange an electronically available information asset with at least one destination (206) is received. An identity (306) associated with the source (204) and the destination (206) is established. A semantically augmented context (226) is generated. The semantically augmented context is information used to identify a meaning and a behavior of the context (226). The request is analyzed relative to the semantically augmented context (226) for determining whether the request is to be one of allowed and denied. The source (204) is allowed to exchange the electronically available information asset with the destination (206) when the request is determined to be allowed. The source (204) is prevented from exchanging the electronically available information asset with the destination (206) when the request is determined to be denied.
Type: Application
Filed: May 1, 2008
Publication date: December 31, 2009
Applicant: Motorola, Inc.
Inventors: David L. RAYMER, Barry MENICH, John C. STRASSNER
-
Publication number: 20090328189
Abstract: A wireless communication system for use with a vehicle is disclosed. The communication system comprises a portable wireless device comprising a first manual interface device, the portable wireless device adapted to transmit an activation signal in response to manipulation of the first manual interface device, and an onboard wireless communication device for a vehicle. The onboard wireless communication device can be adapted to transmit Wi-Fi Protected Setup initiation signals in response to receiving the activation signal.
Type: Application
Filed: May 5, 2008
Publication date: December 31, 2009
Applicant: GM GLOBAL TECHNOLOGY OPERATIONS, INC.
Inventors: Alan T. BUDYTA, Ansaf I. ALRABADY, Michael J. ABOWD
-
Patent number: 7639816
Abstract: The mobile communication terminal device has a security communication function, and includes a detection unit for detecting the security level of the destination of connection, and an announcing unit for announcing the detected security level. The user is able to confirm whether security is ensured at the connectee.
Type: Grant
Filed: March 18, 2002
Date of Patent: December 29, 2009
Assignee: NTT DoCoMo, Inc.
Inventors: Hisashi Nakagomi, Tadao Takami
-
Patent number: 7639621
Abstract: Method and apparatus for analyzing source internet protocol (SIP) activity in a network is described. In one example, a SIP address is obtained. Log data collected over a predefined time period by a plurality of network facilities is automatically queried using the SIP address as parametric input to generate a report. The report includes sample activity for the SIP and statistics for targeted network facilities, firewall activity, targeted network spaces, and targeted IP addresses.
Type: Grant
Filed: December 30, 2005
Date of Patent: December 29, 2009
Assignee: AT&T Corp.
Inventors: Jeanette Larosa, Chaim Spielman
-
Publication number: 20090320121
Abstract: Provided is a method for intercepting a message between a requesting web service and a source web service, validating the message, logging the result of the validations, and adding a security profile to the message. The method may also include examining the message to determine whether a security profile is embedded therein. If the message is valid, access to the message by the requesting web service is permitted. If the message is not valid, access to the message by the requesting web service is prevented.
Type: Application
Filed: August 26, 2009
Publication date: December 24, 2009
Applicant: METASECURE CORPORATION
Inventors: Kathy J. MAIDA-SMITH, John H. LINDSEY, Steven W. ENGLE, Michael J. NIEVES
-
Patent number: 7636937
Abstract: Two or more access control lists that are syntactically or structurally different may be compared for functional or semantic equivalence in order to configure a security policy on a network. A first access control list is programmatically determined to be functionally equivalent to a second access control list for the purpose of configuring or validating security policies on a network. In one embodiment, a box data representation facilitates comparing entries and sub-entries of the lists.
Type: Grant
Filed: January 11, 2002
Date of Patent: December 22, 2009
Assignee: Cisco Technology, Inc.
Inventors: Partha Bhattacharya, Shigang Chen
-
Patent number: 7636939
Abstract: A data structure with endpoint address and security information. The data structure includes an address field that includes one or more endpoint addresses for an entity. The data structure further includes a security field that includes one or more keys for facilitating secure communications with the entity. The data structure may also be such that the contents of the address field and the security field are serialized in the data structure. The data structure may be extensible such that new address fields and security fields may be added.
Type: Grant
Filed: December 10, 2004
Date of Patent: December 22, 2009
Assignee: Microsoft Corporation
Inventors: Christopher G. Kaler, Douglas A. Walter, Giovanni M. Della-Libera, Melissa W. Dunn, Richard L. Hasha, Tomasz Janczuk