Security Protocols Patents (Class 726/14)
  • Publication number: 20090307757
    Abstract: The invention discloses a system to protect online streaming content by a content provider, by means of access authorization in the network operator's platform. The invention provides a solution to the problem of access authorization for streaming content that is not exactly known with regard to description and/or location at the moment the access authorization is performed.
    Type: Application
    Filed: June 27, 2006
    Publication date: December 10, 2009
    Applicant: Koninklijke KPN N.V.
    Inventor: Dirk Groten
  • Patent number: 7627896
    Abstract: A security system providing methodology for cooperative enforcement of security policies during SSL sessions is described. In one embodiment, for example, a method is described for controlling SSL (Secure Sockets Layer) communication, the method comprises steps of: defining rules indicating conditions under which a machine is permitted to participate in an SSL session; trapping an attempt by a particular application running on the machine to participate in an SSL session, by intercepting the particular application's attempt to provide authentication; determining whether the machine complies with the rules; allowing the attempt to succeed when the machine complies with the rules; and otherwise blocking the attempt when the machine does not comply with the rules.
    Type: Grant
    Filed: April 25, 2005
    Date of Patent: December 1, 2009
    Assignee: Check Point Software Technologies, Inc.
    Inventor: Conrad K. Herrmann
  • Patent number: 7627747
    Abstract: A method of performing encrypted WLAN communication is provided that comprises the steps of performing a connection set-up for the encrypted WLAN communication and performing data frame encapsulation and/or decapsulation during the encrypted WLAN communication. The connection set-up is performed by executing software-implemented instructions, and the data frame encapsulation and/or decapsulation is performed by operating single-purpose hardware. In embodiments, corresponding single-purpose hardware devices, integrated circuit chips, computer program products and computer systems are provided. The embodiments may provide an improved hardware/software architecture for 802.11i security enhancement.
    Type: Grant
    Filed: April 2, 2004
    Date of Patent: December 1, 2009
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Uwe Eckhardt, Matthias Baer, Ralf Flemming, Steffen Hofmann
  • Patent number: 7627650
    Abstract: The systems and methods described herein include methods for providing resources over a data network. The methods may be embodied as processes operating on a computer server, wherein that server comprises a plurality of server platforms, each of which is truly equivalent in that each provides a functionally equivalent interface to a client. In one practice of the invention, a method responds to client requests by detecting a request from a client for access to a resource and by establishing a connection for communicating with the client. The method then identifies a server available for servicing the detected request, and determines whether state information is associated with the connection. The method then grants the identified server access to the state information and allows the identified server to create and transmit a response to the client, also allowing the identified server to update the state information.
    Type: Grant
    Filed: January 20, 2003
    Date of Patent: December 1, 2009
    Assignee: EqualLogic, Inc.
    Inventors: G. Paul Koning, Peter C. Hayden, Paula Long, Kirtley C. Gillum, Daniel E. Suman
  • Patent number: 7624445
    Abstract: A method, apparatus, and computer instructions for responding to a threat condition within the network data processing system. A threat condition within the network data processing system is detected. At least one routing device is dynamically reconfigured within the network data processing system to isolate or segregate one or more infected data processing systems within the network data processing system. This dynamic reconfiguration occurs in response to the threat condition being detected.
    Type: Grant
    Filed: June 15, 2004
    Date of Patent: November 24, 2009
    Assignee: International Business Machines Corporation
    Inventors: Pratik Gupta, David Bruce Lindquist
  • Patent number: 7624263
    Abstract: A security association architecture system of the present invention facilitates network data transfer by providing an internal portion of a security association database that can be quickly accessed to obtain security associations as well as an external component that stores the complete security association database. As a result, at least some security associations for incoming received frames and outgoing transmitted frames can be obtained from the internal portion located on a network interface device without accessing system memory, a host computer, and the like in order to obtain the security associations to perform security processing.
    Type: Grant
    Filed: September 21, 2004
    Date of Patent: November 24, 2009
    Assignee: Advanced Micro Devices, Inc.
    Inventors: Somnath Viswanath, Jeffrey Dwork, Robert Alan Williams, Marufa Kaniz, Mohammad Y. Maniar
  • Patent number: 7624437
    Abstract: In a hardware client for remote logon to a network, a two layer authentication protocol enables authorized users to log on while discouraging unauthorized users. The hardware client prevents logging on to the network if the hardware client is stolen. The hardware client itself is authenticated in the first authentication layer in order to establish a link to the network. Then a client computer authenticates in a second layer and further establishes a secure connection to the network. If the power of the hardware client goes off (as it would if, for example, it were unplugged for transport), then the authentication is not saved and therefore is lost. The hardware client must be reauthenticated before it can be used again.
    Type: Grant
    Filed: May 1, 2002
    Date of Patent: November 24, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Arturo Fagundo, John Bazzinotti, Peter Davis, Andrew Rodwin
  • Patent number: 7620737
    Abstract: Methods, apparatus and program products for using historical contextual data in a ubiquitous computing environment. The historical contextual data can be dispersed among components in an environment or logging services as well as stored on a particular component or logging service. The historical contextual data can be used to help create or re-create component configurations within the relevant environment through the use of abstract applications and abstract components. Abstract applications can be specified to create connections with specific components. Abstract applications can also be generalized so that they need not create connections with specific components, but can create component connections that perform a desired function by determining which components to use from the available components, and how to connect the selected components to perform the function.
    Type: Grant
    Filed: December 12, 2002
    Date of Patent: November 17, 2009
    Assignee: Xerox Corporation
    Inventors: Mark W. Newman, W. Keith Edwards, Jana Z. Sedivy, Trevor F. Smith, Jason Hong, Shahram Izadi, Karen J Marcelo
  • Patent number: 7620183
    Abstract: According to the inventive method, a message is transmitted from an operating mobile radio network (NW2) to a terminal (MS1a) that identifies coding techniques (UEA-NW) supported by the operating mobile radio network in order to establish a connection between the terminal (MS1a) that supports a number (UEA-MS) of coding techniques and the operating mobile radio network (NW2). The terminal selects, if available, a coding technique (UEA) that is supported by the terminal and the operating mobile radio network (NW2), and the connection is operated using the coding technique selected by the terminal. If no coding technique is available that is supported by the terminal and the operating mobile radio network, the connection is operated uncoded only upon prior authorization.
    Type: Grant
    Filed: April 3, 2001
    Date of Patent: November 17, 2009
    Assignee: Siemens Aktiengesellschaft
    Inventor: Bart Vinck
  • Patent number: 7620988
    Abstract: A system and method are disclosed for providing network traffic identification. In one embodiment, the method comprises receiving pattern matching data; comparing the pattern matching data with a pattern; and determining whether the pattern matching data matches the pattern. In one embodiment, the system comprises an interface configured to receive pattern matching data and a processor configured to: compare the pattern matching data with a pattern and determine whether the pattern matching data matches the pattern.
    Type: Grant
    Filed: July 25, 2003
    Date of Patent: November 17, 2009
    Assignee: Symantec Corporation
    Inventor: Brian Hernacki
  • Patent number: 7620980
    Abstract: A secure data broker has been developed, which provides a restricted message based data exchange between a client application and a secured information resource by allowing registered or verified messages to be brokered across a security barrier. In some configurations, both requests and responses are validated and brokered across the security barrier. In other configurations, either requests or responses are validated. To support validation, messages are formatted in accordance with a predefined message specification for at least part of a transaction path between a client application and an information resource accessed by the client application.
    Type: Grant
    Filed: July 21, 1999
    Date of Patent: November 17, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: David L. Wood, Michael B. Dilger, Thomas Pratt, Derk Norton, Stan D. Shurygailo
  • Publication number: 20090282471
    Abstract: A proxy device such as a firewall uses an internal socket namespace such as a text string such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.
    Type: Application
    Filed: May 7, 2008
    Publication date: November 12, 2009
    Applicant: Secure Computing Corporation
    Inventors: Michael W. Green, David Diehl, Michael J. Karels
  • Patent number: 7614080
    Abstract: A trust manager receives client account information from a client, determines whether the client account information is valid, and determines whether the client is authorized to access one or more embedded devices that are in electronic communication with a security broker. The trust manager also receives security broker account information from the security broker, determines whether the security broker account information is valid, and determines whether the security broker is authorized to provide access to the embedded device(s). If the client account information from the client is valid and the client is authorized to access the embedded device(s), and if the security broker account information from the security broker is valid and the security broker is authorized to provide access to the embedded device(s), the trust manager establishes a secure trusted connection between the client and the security broker.
    Type: Grant
    Filed: December 28, 2005
    Date of Patent: November 3, 2009
    Assignee: Panasonic Electric Works Co., Ltd.
    Inventors: Thomas Milligan, Bryant Eastham
  • Patent number: 7613207
    Abstract: A system for securing telephony communications between an enterprise telephony endpoint and a remote telephony endpoint includes an isolated packet-based network, an exposed packet-based network, and an isolation device. The isolated packet-based network has a plurality of enterprise telephony endpoints. The exposed packet-based network is coupled to a public packet-based network and has a call management device that can receive an unsecured session request from a remote telephony endpoint coupled to the public packet-based network, determine that the unsecured session request identifies one of the enterprise telephony endpoints, and establish a media link between the remote telephony endpoint and the isolation device.
    Type: Grant
    Filed: November 3, 2004
    Date of Patent: November 3, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Addis Eli Hallmark, Marc Coiner Ayres
  • Patent number: 7609839
    Abstract: In order to create a highly-secured common key while a data error on a transmission path is corrected by an error correction code having remarkably high characteristics, in a quantum key distribution method of the invention, at first a communication apparatus on a reception side corrects the data error of reception data by a deterministic, stable-characteristics parity check matrix for an "Irregular-LDPC code." The communication apparatus on the reception side and a communication apparatus on a transmission side discard a part of pieces of the common information according to public error correction information.
    Type: Grant
    Filed: September 12, 2003
    Date of Patent: October 27, 2009
    Assignee: Mitsubishi Electric Corporation
    Inventors: Youdai Watanabe, Wataru Matsumoto
  • Patent number: 7606370
    Abstract: A system, method and computer program product are provided. In use, a key is distributed to a plurality of nodes of a wireless network for use in securing the nodes during use of the wireless network. Further, the key is automatically updated at the nodes in the wireless network based on predetermined criteria.
    Type: Grant
    Filed: February 21, 2006
    Date of Patent: October 20, 2009
    Assignee: McAfee, Inc.
    Inventors: Terrance L. Lillie, Christian Wiedmann, Robert Zeljko, Richard P. Sneiderman, Ulrich Wiedmann, Gigi C. Chu, Sean R. Lynch
  • Patent number: 7600118
    Abstract: In a cryptographic system, a nonce is removed from a communication stream. The nonce is encrypted based on a shared secret. The encrypted nonce is inserted into the communication stream. The encrypted nonce is removed from the communication stream. The encrypted nonce is decrypted based on the shared secret formed by an authenticated key exchange. The decrypted nonce is inserted into the communication stream. The nonce may be an An value generated by a HDCP function. The authenticated key exchange may use Diffie-Hellman Key Exchange.
    Type: Grant
    Filed: September 27, 2002
    Date of Patent: October 6, 2009
    Assignee: Intel Corporation
    Inventors: David A. Lee, Gary L Graunke, C. Brendan Traw
  • Patent number: 7599939
    Abstract: A system and method is disclosed for collecting, storing and reporting raw log data from log-producing devices such as firewalls and routers. The log-producing devices may be both local and remote, i.e., linked to a raw log server via a LAN and/or a WAN. A log data analyzer at a remote location gathers log data from devices at that remote location into time-defined sets and then sends those sets over a WAN (which may be the Internet) to a raw log server using a first protocol. Local log-producing devices may send their log data to the log data analyzer via a LAN using a second protocol. The log data analyzer forwards the raw log data from local devices to an appropriate log data analyzer for parsing, summarizing and storage in one or more databases. The raw log server combines local and remote sets of raw log data for a given time period and stores them in a storage area of raw log data.
    Type: Grant
    Filed: July 23, 2004
    Date of Patent: October 6, 2009
    Assignee: LogLogic, Inc.
    Inventors: Jason Michael DeStefano, Ralph D. Jenson
  • Publication number: 20090249472
    Abstract: A method of implementing a firewall that receives a layer of policies from each of multiple entities with different levels of authority. The method evaluates received packets based on the received layers of policies. A layer of policies of a higher level of authority can accept a received packet, block the received packet, or delegate a decision of whether to accept or block the received packet to a layer of policies of a lower level of authority.
    Type: Application
    Filed: January 5, 2009
    Publication date: October 1, 2009
    Inventors: Moshe Litvin, Gilad Benjamini
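An added example, not code from the application, of the layered evaluation the abstract describes: each entity contributes a layer of rules, layers are consulted from highest to lowest authority, and a higher layer can accept, block, or delegate to the layer below. The owner names, the rule helpers, the addresses and the fail-closed default for an all-delegate outcome are assumptions of this illustration.

```python
# Added example (not from the application): a firewall that stacks policy
# layers from entities with decreasing authority. Layer owners, rules and
# addresses are hypothetical.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ACCEPT, BLOCK, DELEGATE = "accept", "block", "delegate"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: str            # ACCEPT, BLOCK or DELEGATE


@dataclass
class Layer:
    owner: str
    rules: List[Rule] = field(default_factory=list)
    default: str = DELEGATE  # what the layer says when none of its rules match

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.match(pkt):
                return rule.verdict
        return self.default


def decide(layers: List[Layer], pkt: Packet) -> Tuple[str, str]:
    """Evaluate layers from highest to lowest authority.

    The first layer that returns ACCEPT or BLOCK decides, and its owner is
    reported. DELEGATE hands the packet to the next layer down; a lower layer
    never gets to see a packet a higher layer has already decided on. If every
    layer delegates, the firewall fails closed.
    """
    for layer in layers:
        verdict = layer.evaluate(pkt)
        if verdict in (ACCEPT, BLOCK):
            return verdict, layer.owner
    return BLOCK, "implicit-deny"


def src_in(cidr: str) -> Callable[[Packet], bool]:
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p.src) in net


def dport_in(*ports: int) -> Callable[[Packet], bool]:
    return lambda p: p.dport in ports


# Constructed policy stack, highest authority first.
_dept_net = src_in("10.1.0.0/16")
POLICY = [
    Layer("corporate", [Rule(dport_in(23), BLOCK)]),                         # telnet never allowed
    Layer("department", [Rule(lambda p: _dept_net(p) and p.dport == 22, ACCEPT)]),
    Layer("user", [Rule(dport_in(23, 80, 443), ACCEPT)], default=BLOCK),     # user's accept for 23 is moot
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "10.9.9.9", 23), Packet("10.1.2.3", "10.9.9.9", 22),
                Packet("10.2.2.3", "1.2.3.4", 443)):
        print(pkt, "->", decide(POLICY, pkt))
```

The point worth checking in such a design is that delegation only ever flows downward: the user layer's rule accepting port 23 never fires because the corporate layer has already blocked it, and a packet that no layer claims is blocked rather than allowed.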
  • Patent number: 7594261
    Abstract: Systems and methods for cryptographically processing data as a function of a Cartier pairing are described. In one aspect, a Cartier pairing is generated from two different abelian varieties or abelian varieties and an isogeny between them. Data is cryptographically processed based on the Cartier pairing.
    Type: Grant
    Filed: February 8, 2005
    Date of Patent: September 22, 2009
    Assignee: Microsoft Corporation
    Inventors: Kristin E. Lauter, Denis X. Charles
  • Patent number: 7594256
    Abstract: Methods and systems thereof for controlling access to resources are described. When a user attempts to access a resource via a remote interface such as a Web server, the request is initially evaluated by a source of policy definitions such as a policy server. This source returns a policy decision to the remote interface. The policy decision is stored in memory by the remote interface. The remote interface can then evaluate subsequent requests from the user for the resource using the stored policy decision instead of having to communicate again with the source for the policy decision. Enhancements to this approach are also described. Accordingly, policy definitions and decisions are more efficiently implemented.
    Type: Grant
    Filed: June 26, 2003
    Date of Patent: September 22, 2009
    Assignee: Sun Microsystems, Inc.
    Inventors: Shivaram Bhat, Hua Cui, Ping Luo, Dilli Dorai Minnal Arumugam, Aravindan Ranganathan
  • Patent number: 7594113
    Abstract: By introducing a hierarchical encryption scheme and the use of asymmetric cryptography, the critical information in message exchanges is concealed from unauthorized entities. This helps greatly in preventing man-in-the-middle attacks faced by inter-working. In addition, access control is conducted by introducing a network structure having a rule interpreter that is capable of mapping general rules to WLAN-specific commands. It obviates the need for the mobile user's home network to understand information about every WLAN it is inter-worked with. A common interface independent of WLAN technologies could be used by the home network for all the WLANs. The above conception provides a solution to the problems of the protection of user identification information and access control in the inter-working of WLAN.
    Type: Grant
    Filed: October 14, 2003
    Date of Patent: September 22, 2009
    Assignee: Panasonic Corporation
    Inventors: Pek Yew Tan, Hong Cheng, Toyoki Ue
  • Publication number: 20090235349
    Abstract: An embodiment of the present invention provides a system that enables a user to securely invoke a REST (Representational State Transfer) API (Application Programming Interface) at an application server. A client can establish a secure communication channel with an application server, and can send a request to the application server to invoke the REST API. The client can then receive a security token from an authentication system in response to authenticating the user with the authentication system. Next, the client can receive a nonce and a timestamp from the application server. The client can then determine a security token digest using the security token, the nonce, and the timestamp. Next, the client can resend the request to the application server to invoke the REST API with the security token digest. The application server can invoke the REST API if the security token digest is valid.
    Type: Application
    Filed: March 12, 2008
    Publication date: September 17, 2009
    Applicant: INTUIT INC.
    Inventors: Ray Y. Lai, Ka Fu Chan
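The exchange described in the abstract, as an added example that is not Intuit's code: the client authenticates and gets a security token, asks the application server for a nonce and timestamp, sends a digest derived from all three instead of the bare token, and the server validates it before invoking the API. The digest construction (HMAC-SHA256 keyed with the token over nonce and timestamp), the single-use nonce, the freshness window, the credential store and the injectable clock are assumptions of this illustration; the abstract does not specify them.

```python
# Added example (not Intuit's code): the challenge/digest flow described in the
# abstract. The digest construction, credential store and clock are assumptions.
import hashlib
import hmac
import secrets
import time


def token_digest(security_token: str, nonce: str, timestamp: int) -> str:
    """Digest the client sends instead of the bare token (assumed construction)."""
    msg = f"{nonce}:{timestamp}".encode()
    return hmac.new(security_token.encode(), msg, hashlib.sha256).hexdigest()


class AuthenticationSystem:
    """Issues a security token once the user has authenticated."""

    def __init__(self, credentials):
        self._credentials = credentials   # user -> password (constructed sample)
        self._tokens = {}                 # user -> current security token

    def authenticate(self, user, password):
        if not hmac.compare_digest(self._credentials.get(user, ""), password):
            return None
        token = secrets.token_hex(16)
        self._tokens[user] = token
        return token

    def token_for(self, user):
        return self._tokens.get(user)


class ApplicationServer:
    """Hands out a nonce and timestamp, then validates the digest on the resend."""

    def __init__(self, auth, window_seconds=300, now=time.time):
        self._auth = auth
        self._window = window_seconds
        self._now = now
        self._pending = {}                # nonce -> (user, timestamp), consumed on use

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        ts = int(self._now())
        self._pending[nonce] = (user, ts)
        return nonce, ts

    def invoke(self, user, nonce, ts, digest, api_name):
        # A nonce is consumed on first use, so a replayed request cannot match.
        if self._pending.pop(nonce, None) != (user, ts):
            return 401, "unknown or reused nonce"
        if abs(int(self._now()) - ts) > self._window:
            return 401, "stale timestamp"
        token = self._auth.token_for(user)
        if token is None:
            return 401, "not authenticated"
        if not hmac.compare_digest(token_digest(token, nonce, ts), digest):
            return 401, "bad digest"
        return 200, f"invoked {api_name} for {user}"


def client_call(auth, server, user, password, api_name):
    """Client side of the exchange; a TLS channel to the server is assumed up."""
    token = auth.authenticate(user, password)
    if token is None:
        return 401, "authentication failed"
    nonce, ts = server.challenge(user)
    return server.invoke(user, nonce, ts, token_digest(token, nonce, ts), api_name)


if __name__ == "__main__":
    auth = AuthenticationSystem({"alice": "correct horse"})
    server = ApplicationServer(auth)
    print(client_call(auth, server, "alice", "correct horse", "GET /v1/accounts"))
```

Because the token itself never crosses the wire after authentication, a captured request yields only a digest bound to one nonce and one timestamp; the server-side nonce consumption is what makes that capture useless for replay, and the window bounds how long a stolen challenge stays usable.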
  • Patent number: 7591013
    Abstract: A system for client initiated authentication comprises a user agent client and a user agent server. The user agent client is operable to communicate a session initiation protocol request. The session initiation protocol request comprises an authenticate header and a require header that comprises a server authentication tag. The user agent server is operable to receive the session initiation protocol request. The user agent server is further operable to communicate a session initiation protocol response in response to the session initiation protocol request. The session initiation protocol response comprises an authorization header having a credential of the user agent server.
    Type: Grant
    Filed: July 31, 2007
    Date of Patent: September 15, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Vivek Bhargava, Ganesh Jayadevan
  • Patent number: 7591012
    Abstract: Systems and methods for negotiating an encryption algorithm may be implemented in the context of encryption-based authentication protocols. The invention has the added benefit of providing a system and method that need not interfere with the standard operation of authentication protocols. A first computer, or client computer, can send a negotiation request to a second computer, or server computer. The negotiation request can specify that the client computer supports a selected encryption algorithm. In response, the server computer can return a subsession key for encryption using the selected encryption algorithm. Both client and server may then switch to encryption in the selected encryption algorithm, using the subsession key to encrypt future communications.
    Type: Grant
    Filed: March 2, 2004
    Date of Patent: September 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Karthik Jaganathan, Liqiang Zhu
  • Patent number: 7591009
    Abstract: When a system configuration is changed, a policy rule that should be modified as a result of the configuration change is modified without fail. A policy management apparatus 1 comprises a processing unit and a policy rule table 151 that stores at least one policy rule for each component of a computer system. For each component of the computer system, the processing unit performs a receiving step, in which a notification of a configuration change is received, a detection step, in which at least one component that is affected by the component configuration change received in the receiving step is detected, and a generation step, in which a policy rule corresponding to each of the components detected in the detection step is specified from the policy rule table 151 and a list of specified policy rules is generated.
    Type: Grant
    Filed: February 25, 2005
    Date of Patent: September 15, 2009
    Assignee: Hitachi, Ltd.
    Inventor: Yoshimasa Masuoka
  • Publication number: 20090228972
    Abstract: Included are embodiments for port enablement. One embodiment of a method includes inserting a streams module in a kernel space of a host device, the streams module being coupled to a stream head, the streams module coupled to a transmission control protocol (TCP) module and receiving a bind request on a socket, the bind request associated with an application. Embodiments also include determining a process name associated with the received bind request, determining, based on the determined process name, a meta-configuration rule for a firewall configuration of the application and utilizing the determined meta-configuration rule for the firewall configuration of the application.
    Type: Application
    Filed: February 13, 2009
    Publication date: September 10, 2009
    Inventors: Sridhar Bandi, Kiran Kumar Malle Gowda
  • Patent number: 7587598
    Abstract: A system and method are provided for establishing a network communication session using fast authentication. In a network system a client or user device may establish a communication session with a server using full authentication. If the session is interrupted or discontinued and resumption of the session is requested, a session identifier of the previously established session may be compared to the session identifier of the requested session. If a match is detected, the session may be resumed using a fast authentication (or re-authentication) procedure such that the session is resumed more efficiently and expediently. Fast authentication may be performed, for example, even when the first session and the resumed second session are of different authentication layers, different types of network interfaces and/or different locations. Thus, a session, such as a TLS session, may resume functionality among multiple defined authentication protocols or technologies such as 802.1X, PANA or cellular based systems.
    Type: Grant
    Filed: July 1, 2003
    Date of Patent: September 8, 2009
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
    Inventors: Yoshihiro Ohba, Yashuhiro Katsube, Shinichi Baba, Anthony McAuley, Subir Das
  • Patent number: 7584149
    Abstract: Consumers may utilize computing devices to assist in the purchase and/or loyalty process, and in particular, the consumer may utilize a PDA to facilitate the purchase and/or loyalty process. During the purchase and/or loyalty process, the consumer may need to ensure that any content downloaded or used in association with the PDA is secure in how it is collected, assembled, and delivered to the PDA device. This system and method secures the data from its source to when it is actually viewed or used by the authorized user. The PDA may have direct access to an Internet web site portal that offers secure personal content from a content provider, such as, for example, an on-line banking or financial institution. Using the web site portal, the content provider may offer personal or confidential data, such as financial information, to PDA users in a secure (e.g., encrypted) environment.
    Type: Grant
    Filed: March 15, 2006
    Date of Patent: September 1, 2009
    Assignee: American Express Travel Related Services Company, Inc.
    Inventors: Fred Bishop, Trey Neemann, Theodore S Voltmer, Fauziah B Ariff
  • Patent number: 7584499
    Abstract: The present invention provides for an algebraic mapping of a policy expression from a compact to a normalized form, both in Boolean and set formulations. The policy algebra is defined in such a way that policy alternatives within the normalized expression will be the same across equivalent compact expressions, regardless of how the assertions are arbitrarily constrained or what operators are used to constrain such equivalent expressions. Moreover, the present invention also provides a model for identifying alternatives that are equivalent by comparing only the root element names or QName of each assertion within an alternative. In addition, embodiments as described herein can utilize the identification of equivalent alternatives in order to create an intersection policy expression to limit alternatives of admissible behavior to those in common across both endpoints.
    Type: Grant
    Filed: April 8, 2005
    Date of Patent: September 1, 2009
    Assignee: Microsoft Corporation
    Inventors: Alfred M. Lee, Ashok Malhotra, Elliot Lee Waingold, Jeffery C. Schlimmer, Stephen J. Millet
  • Patent number: 7584506
    Abstract: Inventive embodiments relate to a method and apparatus for packet transmission control and packet charge data generation on wired/wireless networks; in particular, the apparatus can control the packet transmission and measure the amount of packet data. The apparatus receives packet data through a network and stores the packet data in a shared memory. After determining whether the packet data satisfies a filtering rule, it deletes the packet data if the packet data satisfies the filtering rule and transmits the packet data to its destination otherwise. Then, it generates preliminary billing data corresponding to the packet data and transmits the preliminary billing data to a billing apparatus.
    Type: Grant
    Filed: June 10, 2004
    Date of Patent: September 1, 2009
    Assignee: NTELS Co., Ltd.
    Inventors: Jae-Hee Shim, Gun-Woo Yu, Sang-Hee Kim
  • Patent number: 7581093
    Abstract: In a hitless manual cryptographic key refresh scheme, a state machine may be independently maintained at each network node. The state machine may include a first state, a second state, and a third state. In the first state, which may be the steady state, a current cryptographic key may be used both for generating signatures for outgoing packets and for authenticating signatures of incoming packets. In the second state, which is entered when a new cryptographic key is provisioned, the old (i.e. formerly current) key may still be used for generating signatures for outgoing packets, however one or, if necessary, both of the old key and the newly provisioned key may be used for authenticating signatures of incoming packets. In the third state, the new key may be used for generating signatures for outgoing packets and either one or both of the old key and new key may be used for authenticating signatures of incoming packets.
    Type: Grant
    Filed: December 22, 2003
    Date of Patent: August 25, 2009
    Assignee: Nortel Networks Limited
    Inventors: Richard Gauvreau, Michael Aalders, Kim Edwards
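The three-state machine in the abstract, as an added example rather than Nortel's implementation: in the steady state one key signs and verifies; once a new key is provisioned the node keeps signing with the old key but accepts either; after switching it signs with the new key and still accepts either until the old key is retired. The HMAC-SHA256 signature, the operator actions (`provision`, `switch`, `retire_old`), trial verification against both keys, and the key values are assumptions of this illustration.

```python
# Added example (not Nortel's implementation): a per-node state machine for a
# hitless manual key refresh, as described in the abstract. Key material, the
# HMAC-SHA256 signature and the state names are assumptions.
import hashlib
import hmac
from enum import Enum


class State(Enum):
    STEADY = "steady"            # one key: sign and verify with it
    PROVISIONED = "provisioned"  # new key loaded: sign with old, verify with either
    SWITCHED = "switched"        # sign with new, still verify with either


class KeyRefreshNode:
    def __init__(self, name, current_key: bytes):
        self.name = name
        self.current = current_key   # becomes the "old" key once a new one is provisioned
        self.new = None
        self.state = State.STEADY

    # --- operator actions (the "manual" part of the scheme) ---
    def provision(self, new_key: bytes):
        """First -> second state: the new key is accepted for verification only."""
        if self.state is not State.STEADY:
            raise RuntimeError(f"{self.name}: refresh already in progress")
        self.new = new_key
        self.state = State.PROVISIONED

    def switch(self):
        """Second -> third state: start signing with the new key."""
        if self.state is not State.PROVISIONED:
            raise RuntimeError(f"{self.name}: nothing provisioned")
        self.state = State.SWITCHED

    def retire_old(self):
        """Third -> first state: forget the old key once every peer has switched."""
        if self.state is not State.SWITCHED:
            raise RuntimeError(f"{self.name}: not yet switched")
        self.current, self.new = self.new, None
        self.state = State.STEADY

    # --- packet path ---
    def _signing_key(self) -> bytes:
        return self.new if self.state is State.SWITCHED else self.current

    def _verify_keys(self):
        return [self.current] if self.state is State.STEADY else [self.current, self.new]

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self._signing_key(), payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, signature: bytes) -> bool:
        # Trial verification against every key the current state admits, so a
        # peer one step ahead or behind in the rollover is still accepted.
        return any(
            hmac.compare_digest(hmac.new(k, payload, hashlib.sha256).digest(), signature)
            for k in self._verify_keys()
        )


def exchange_ok(sender: KeyRefreshNode, receiver: KeyRefreshNode,
                payload: bytes = b"routing-update") -> bool:
    """One signed packet from sender to receiver; True if it authenticates."""
    return receiver.verify(payload, sender.sign(payload))


if __name__ == "__main__":
    a, b = KeyRefreshNode("a", b"k-old"), KeyRefreshNode("b", b"k-old")
    a.provision(b"k-new"); b.provision(b"k-new")
    a.switch()
    print("a(new) -> b(provisioned):", exchange_ok(a, b))
    print("b(old) -> a(switched):", exchange_ok(b, a))
```

The property to verify in any such scheme is that every ordering of the per-node steps keeps traffic authenticating, except retiring the old key on one node before its peers have switched; that is the one step that must wait for confirmation from the whole set of peers.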
  • Publication number: 20090210936
    Abstract: In one exemplary embodiment, a system for providing data access between an information source and a mobile communication device includes a transcoding system and a first network device. The transcoding system includes a plurality of transcoders, and each transcoder is operable to transcode information content from a respective first content type into a respective second content type. The first network device is in communication with the transcoding system and includes a connection handler system. The connection handler system is operable to receive connection data for a connection between the information source and the mobile communication device and to select a corresponding connection handler. The connection handler is operable to select one or more transcoders from the plurality of transcoders to transcode the information content.
    Type: Application
    Filed: January 30, 2009
    Publication date: August 20, 2009
    Inventors: Salim H. Omar, Russell N. Owen, Herbert A. Little, Tomasz K. Rybak, Michael S. Brown, David P. Yach
  • Patent number: 7577239
    Abstract: A system and method track short term and long term intervals to assess whether a voice message source is a likely source of voice spam. Upon detection of a spamming threshold, calls from the source are blocked until detection that a sufficient time interval has elapsed without generation of messages.
    Type: Grant
    Filed: May 10, 2005
    Date of Patent: August 18, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Choon B. Shim, Dongwook Shin
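An added example, not Cisco's implementation, of the two-interval tracking the abstract describes: each source gets a short-window and a long-window attempt count, crossing either threshold blocks the source, and the block lifts only after a sufficient interval with no attempts at all. The window lengths, thresholds, the quiet period, and the rule that blocked attempts still count as activity are assumptions of this illustration.

```python
# Added example (not Cisco's implementation): per-source short- and long-term
# rate tracking for voice spam, as described in the abstract. The window
# lengths, thresholds and the quiet-period rule are assumptions.
from collections import deque


class VoiceSpamTracker:
    """Allows or blocks call attempts from a source based on two intervals.

    A source is blocked when it exceeds `short_limit` attempts within
    `short_window` seconds or `long_limit` within `long_window` seconds. It
    stays blocked until `quiet_period` seconds pass with no attempts at all;
    blocked attempts also count as activity and push the quiet clock back.
    """

    def __init__(self, short_window=60, short_limit=5,
                 long_window=3600, long_limit=50, quiet_period=600):
        self.short_window, self.short_limit = short_window, short_limit
        self.long_window, self.long_limit = long_window, long_limit
        self.quiet_period = quiet_period
        self._history = {}    # source -> deque of attempt times inside the long window
        self._last_seen = {}  # source -> time of most recent attempt (blocked or not)
        self._blocked = set()

    def observe(self, source: str, now: float) -> bool:
        """Record an attempt at time `now`; return True if the call may proceed."""
        if source in self._blocked:
            if now - self._last_seen[source] < self.quiet_period:
                self._last_seen[source] = now      # still noisy: stay blocked
                return False
            self._blocked.discard(source)           # quiet long enough: start over
            self._history[source] = deque()

        history = self._history.setdefault(source, deque())
        history.append(now)
        self._last_seen[source] = now
        while history and now - history[0] > self.long_window:
            history.popleft()                       # keep only the long window

        short_count = sum(1 for t in history if now - t <= self.short_window)
        if short_count > self.short_limit or len(history) > self.long_limit:
            self._blocked.add(source)
            return False
        return True

    def is_blocked(self, source: str) -> bool:
        return source in self._blocked


if __name__ == "__main__":
    tracker = VoiceSpamTracker()
    for t in range(7):                          # constructed burst: 7 calls in 7 seconds
        print(t, tracker.observe("sip:bot@example.net", t))
```

Counting blocked attempts as activity is a deliberate choice: a source that keeps dialling while blocked never becomes quiet and therefore never gets unblocked, which is the behaviour the abstract's "sufficient time interval ... without generation of messages" calls for. The long window catches the slow drip that stays under the short threshold.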
  • Publication number: 20090205040
    Abstract: An authenticated digital confirmation of an installation or an update of a licensed computer data product, for providing the licensor with a validation that the installation/update was carried out as intended, and conveying relevant details of the installation/update. The installation/updating facility (internal software, external hardware device, or combination thereof) examines and documents the pre-installation/update state of the target computer system, performs the installation/update, examines and documents the post-installation/update state, and generates the confirmation, which is a summary or digest of the process and the status thereof. The confirmation is securely authenticated and sent to the licensor for validation, to be used for order fulfillment, billing and accounting, and other purposes.
    Type: Application
    Filed: February 10, 2008
    Publication date: August 13, 2009
    Applicant: Aladdin Knowledge Systems Ltd.
    Inventor: Michael Zunke
  • Patent number: 7574736
    Abstract: Enabling media (audio/video) scenarios across firewalls typically requires opening up multiple UDP ports in an external firewall. This is so because RTP (Real-Time Transport Protocol, RFC 1889), which is the protocol used to carry media packets over an IP network, requires a separate UDP receive port for each media source. Opening up multiple media ports on the external firewall is something that administrators are not comfortable doing, as they consider it a security vulnerability. The system and method according to the invention provide an alternate mechanism which changes the RTP protocol slightly and achieves the goal of traversing firewalls for media packets using a fixed number, namely two, of UDP ports.
    Type: Grant
    Filed: March 3, 2004
    Date of Patent: August 11, 2009
    Assignee: Microsoft Corporation
    Inventors: Rao Salapaka, Srikanth Shoroff, Gur Kimchi
  • Patent number: 7574735
    Abstract: The present invention relates to a method and network element for providing secure access to a packet data network, wherein first source information is derived from a message received from a terminal device (40, 60), and is compared with second source information derived from a packet data unit used for conveying said message, or derived from a security association set up between the terminal device and the data network. A protection processing for protecting the packet data network from a fraudulent user attack is then initiated based on the comparison result. Thereby, a simple and efficient protection mechanism can be provided without sending any additional information or providing any additional fields in the message.
    Type: Grant
    Filed: February 13, 2002
    Date of Patent: August 11, 2009
    Assignee: Nokia Corporation
    Inventors: Tarja Pirttimaa, Jyrki Polet
  • Publication number: 20090199291
    Abstract: A communication apparatus used in a plurality of networks is disclosed. The communication apparatus includes a firewall which allows communication with the outside of the communication apparatus when disabled, and prohibits communication with the outside of the communication apparatus when enabled. The communication apparatus further includes a firewall control unit which acquires a first MAC address of a first default gateway provided for a predetermined specific network and a second MAC address of a second default gateway provided for the network to which the communication apparatus is currently connected, and controls the firewall according to a result of comparison of the first MAC address and the second MAC address.
    Type: Application
    Filed: January 29, 2009
    Publication date: August 6, 2009
    Inventors: Mamiko Hayasaka, Yoshinori Unno, Masanobu Kawashima
  • Patent number: 7571467
    Abstract: The present invention relates to a system and methodology to facilitate communications security in a distributed computing and applications environment. A pass-phrase is generated to wrap a strong set of security credentials that are employed to establish trusted relationships between entities such as a service provider and one or more partners seeking access to the provider. The pass-phrase is generally constructed from weaker cryptographic material and is generally transported or communicated separately from the wrapped security credentials. When the partner desires to access service resources, the pass-phrase is employed to unlock the strong set of security credentials contained within the wrapper. The unlocked security credentials are then utilized to establish encrypted communications channels between the service provider and the partner.
    Type: Grant
    Filed: February 26, 2002
    Date of Patent: August 4, 2009
    Assignee: Microsoft Corporation
    Inventors: Matthew Charles Priestley, Daniel Doubrovkine
  • Patent number: 7568093
    Abstract: An apparatus for charging in a network environment is provided that includes an access gateway encapsulation/decapsulation element operable to establish one or more packet data protocol (PDP) links on behalf of an end user and to perform encapsulation and decapsulation operations for one or more of the links associated with the end user. The access gateway encapsulation/decapsulation element is further operable to interface with a client services packet gateway (CSPG) that is operable to provide enhanced packet processing for the end user for requested information. The apparatus also includes an access gateway policy element operable to interface with the CSPG. The access gateway encapsulation/decapsulation element and the access gateway policy element cooperate to use one or more inter-module headers in order to coordinate the enhanced packet processing for one or more communication flows associated with the end user.
    Type: Grant
    Filed: October 28, 2004
    Date of Patent: July 28, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Robert M. Broberg, Mark Grayson, Louis F. Menditto, Rafael M. Montalvo, Chris O'Rourke, Timothy P. Stammers, Marco C. Centemeri, Jayaraman R. Iyer
  • Patent number: 7568224
    Abstract: A method for authenticating communication traffic includes receiving a Session Initiation Protocol (SIP) data packet sent over a network from a source address to a destination address, sending an outgoing SIP message to the source address, receiving an incoming SIP message in response to the outgoing SIP message and processing the incoming SIP response message so as to assess authenticity of the received SIP data packet.
    Type: Grant
    Filed: February 3, 2005
    Date of Patent: July 28, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Cullen Jennings, Dan Touitou, Daniel Wing
  • Patent number: 7565693
    Abstract: The present invention relates to a network intrusion detection and prevention system. The system includes: a signature-based detecting device; an anomaly-behavior-based detecting device; and a new-signature creating and verifying device disposed between the signature-based detecting device and the anomaly-behavior-based detecting device. If the anomaly-behavior-based detecting device detects network-attack-suspicious packets, the new-signature creating and verifying device collects the detected suspicious packets and searches them for common information, creates a new signature on the basis of the common information found, and at the same time verifies whether or not the created new signature is applicable to the signature-based detecting device; it then registers the created new signature with the signature-based detecting device if the new signature is determined to be applicable.
    Type: Grant
    Filed: December 29, 2004
    Date of Patent: July 21, 2009
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Seung Won Shin, Jintae Oh, Ki Young Kim, Jong Soo Jang, Sung Won Sohn
  • Publication number: 20090178104
    Abstract: Methods and systems for data communication are disclosed and may include utilizing a multi-level lookup process for determining IPsec parameters from a security association database. The security association database may be stored in content addressable memory, and may include an Internet protocol address table, a security association lookup table, and a security association context table. The security association lookup and security association context tables may include a single table. An Internet protocol address table index may be looked up in the Internet protocol address table for a first lookup of the multi-level lookup process. A security protocol index may be looked up utilizing the Internet protocol address table index for a second lookup of the multi-level lookup process. The Internet protocol security parameters may be determined utilizing the security protocol index. IPsec processing may be performed utilizing the determined Internet protocol security parameters.
    Type: Application
    Filed: January 8, 2008
    Publication date: July 9, 2009
    Inventors: Hemal Shah, Protip Roy
  • Publication number: 20090178110
    Abstract: The communication control device of the present invention includes: a communication parameter acquisition means (105) for acquiring communication parameters that specify the transmission origin of an outside apparatus based on existence information of the outside apparatus that is received from a communication network, an apparatus identifier acquisition means (104) for acquiring from the outside apparatus an apparatus identifier that is an identifier for the outside apparatus, a policy determination means (106) for determining a communication policy for permitting or prohibiting communication with the outside apparatus that is specified by the apparatus identifier, a communication selection rule combining means (107) for combining communication selection rules based on the communication policy and communication parameters, and a communication pass control means (108) for passing or blocking communication with the outside apparatus based on the communication selection rules that have been combined by the comm
    Type: Application
    Filed: March 1, 2007
    Publication date: July 9, 2009
    Applicant: NEC CORPORATION
    Inventor: Naoshi Higuchi
  • Patent number: 7559082
    Abstract: A method for a firewall-aware application to communicate its expectations to a firewall without requiring the firewall to change its policy or compromise network security. An application API is provided for applications to inform a firewall or firewalls of the application's needs, and a firewall API is provided that informs the firewall or firewalls of the application's needs. An interception module watches for connect and listen attempts by applications and services to the network stack on the local computer. The interception module traps these attempts and determines what user is making the attempt, what application or service is making the attempt, and conducts a firewall policy look-up to determine whether the user and/or application or service are allowed to connect to the network. If so, the interception module may instruct the host and/or edge firewall to configure itself for the connection being requested.
    Type: Grant
    Filed: June 25, 2003
    Date of Patent: July 7, 2009
    Assignee: Microsoft Corporation
    Inventors: Dennis Morgan, Alexandru Gavrilescu, Jonathan L. Burstein, Art Shelest, David LeBlanc
  • Publication number: 20090172804
    Abstract: Systems and methods for managing email are provided. Some of the email may be encrypted using identity-based-encryption (IBE) techniques. When an incoming IBE-encrypted message for a recipient in an organization is received by a gateway at the organization, the gateway may request an IBE private key from an IBE private key generator. The IBE private key generator may generate the requested IBE private key for the gateway. The gateway may use an IBE decryption engine to decrypt the incoming message. The decrypted message can be scanned for viruses and spam and delivered to the recipient. Outgoing email messages can also be processed. If indicated by message attributes or information provided by a message sender, an outgoing message can be encrypted using an IBE encryption engine and the IBE public key of a desired recipient.
    Type: Application
    Filed: March 5, 2009
    Publication date: July 2, 2009
    Inventors: Terence Spies, Guido Appenzeller
  • Publication number: 20090165116
    Abstract: Methods and systems are described for providing a trust indicator associated with geospatial information from a network entity. In one embodiment, first geospatial information identifying a first geospatial region reported as associated with a first network entity is received. The first geospatial information is included in a message from the first network entity. Second geospatial information is received from a second network entity associated with the first network entity. The second geospatial information identifies a second geospatial region verified as associated with the second network entity. A geospatial relationship between the first geospatial region reported as associated with the first network entity and the second geospatial region verified as associated with the second network entity is determined. A trust indicator identifying a level of trust associated with the first geospatial region is generated based on the determined geospatial relationship.
    Type: Application
    Filed: December 20, 2007
    Publication date: June 25, 2009
    Inventor: Robert P. Morris
  • Publication number: 20090165091
    Abstract: A network access method and system and a network connection device are provided. A network connection device connected between a first network and a second network obtains first network attribute information about a first network device according to an access request for accessing the second network from the first network device on the first network. The network connection device performs authentication on whether the first network device has a right to access the second network based on the first network attribute information. If the authentication is passed, the network connection device connects the first network device into the second network. If the authentication is not passed, the network connection device prohibits the first network device from accessing the second network.
    Type: Application
    Filed: January 14, 2009
    Publication date: June 25, 2009
    Inventor: Ru Liang
  • Publication number: 20090165117
    Abstract: A data processing system features a hardware trusted platform module (TPM), and a virtual TPM (vTPM) manager. When executed, the vTPM manager detects a first request from a service virtual machine (VM) in the processing system, the first request to involve access to the hardware TPM (hTPM). In response, the vTPM manager automatically determines whether the first request should be allowed, based on filter rules identifying allowed or disallowed operations for the hTPM. The vTPM manager may also detect a second request to involve access to a software TPM (sTPM) in the processing system. In response, the vTPM manager may automatically determine whether the second request should be allowed, based on a second filter list identifying allowed or disallowed operations for the sTPM. Other embodiments are described and claimed.
    Type: Application
    Filed: December 21, 2007
    Publication date: June 25, 2009
    Inventors: Tasneem Brutch, Alok Kumar, Murari Kumar, Kalpana M. Roge, Vincent R. Scarlata, Ned M. Smith, Faraz A. Siddiqi, Williard M. Wiseman
  • Publication number: 20090165105
    Abstract: A system and method for communicating between a user device locator module and a user receiving device includes forming a secure connection with the user device locator module. The user receiving device communicates user identifier data and port data to the user device locator module. An authentication module authenticates the user data from the user device locator module and generates an authentication signal. The user device locator module registers the port data at the user device locator module in response to the authentication signal.
    Type: Application
    Filed: December 20, 2007
    Publication date: June 25, 2009
    Inventor: Kapil Chaudhry