Security Protocols Patents (Class 726/14)
-
Publication number: 20090165105
Abstract: A system and method for communicating between a user device locator module and a user receiving device includes forming a secure connection with the user device locator module. The user receiving device communicates user identifier data and port data to the user device locator module. An authentication module authenticates the user data from the user device locator module and generates an authentication signal. The user device locator module registers the port data at the user device locator module in response to the authentication signal.
Type: Application
Filed: December 20, 2007
Publication date: June 25, 2009
Inventor: Kapil Chaudhry
-
Patent number: 7546629
Abstract: A system providing methods for a device to apply a security policy required for connection to a network is described. In response to receipt of a request from a device for connection to a particular network, a current policy to apply to said device for governing the connection to this particular network is determined from a plurality of available security policies available to the device. This current policy to apply to said device is generated by merging a plurality of security policies available for governing connections. After said current policy is applied to the device, the connection from the device to this particular network is allowed to proceed.
Type: Grant
Filed: May 31, 2002
Date of Patent: June 9, 2009
Assignee: Check Point Software Technologies, Inc.
Inventors: Anthony Albert, Kyle Kawamura, Keith Haycock, Conrad Herrmann
-
Patent number: 7546635
Abstract: A network device receives control plane packets and data plane packets from a network. The network device includes a forwarding component that forwards the data plane packets in accordance with routing information maintained by a routing component. The forwarding component directs the control plane packets to a firewall component that processes the control plane packets to apply firewall services and detect network attacks. After processing, the firewall component loops the control plane packets back to the forwarding components for forwarding to the routing component. The firewall component may be a security service card.
Type: Grant
Filed: August 11, 2004
Date of Patent: June 9, 2009
Assignee: Juniper Networks, Inc.
Inventors: Robert M. Krohn, Sankar Ramamoorthi, Michael Freed, Keith Holleman
-
Publication number: 20090138960
Abstract: Methods and systems for access control systems such as firewalls. The system detects conflicts between two access control rules by finding all common variables between the two rules and determining if there are values for all the common variables that simultaneously satisfy both rules. If there are such values, and if the end results of the two rules are different, then the two rules are in conflict with one another.
Type: Application
Filed: October 24, 2008
Publication date: May 28, 2009
Applicant: UNIVERSITY OF OTTAWA
Inventors: Amy Felty, Venanzio Capretta, Bernard Stepien, Stan Matwin
-
Patent number: 7539869
Abstract: In a networked computer environment, a client is unencumbered from signature generating components, yet conversant to transmit signature-based documents in a signature-based metalanguage such as XML. The nonsigning client/user invokes a signature from a signature server to send a payload of data in a signed message format to a recipient also conversant in the metalanguage, according to the metalanguage format. The nonsigning client receives a signature block including a signature value from the server. The client identifies a payload for transmission according to the metalanguage. Employing the metalanguage interpreter in client, the client stores the payload data in the signature block without disrupting the signature and the data it covers in the signature block. The nonsigning client then sends the resulting signature message including the payload data and the signature value, in the metalanguage format, to the recipient destination conversant in the metalanguage.
Type: Grant
Filed: September 17, 2003
Date of Patent: May 26, 2009
Assignee: Sun Microsystems, Inc.
Inventors: Sean J. Mullan, Raghavan N. Srinivas
-
Patent number: 7539631
Abstract: A system, including apparatuses and methods, for operating a subscription-based virtual computing services provider and for providing virtual computing services to subscribers thereto. The services provider enrolls subscribers to receive subscriber-selectable virtual computing services and provides such services to subscribers in exchange for the payment of a subscription fee based, at least in part, on the particularly selected computing services. The virtual computing services are provided through a communication network and accessible via subscriber devices having different degrees of robustness and via subscriber-selected user interfaces. A virtual non-volatile storage is allocated to each subscriber in a subscriber-selected storage capacity. The virtual non-volatile storage may be used for the storage and execution of software applications therein and/or for the storage of uploadable or downloadable data therein.
Type: Grant
Filed: October 6, 2003
Date of Patent: May 26, 2009
Assignee: Microsoft Corporation
Inventor: Mohammad El-Haj
-
Publication number: 20090132807
Abstract: A method and apparatus for securing a connection with a (Secure Sockets Layer) SSL/TLS-enabled server. In one embodiment, a web client establishes a new connection by initiating a communication with the SSL/TLS-enabled server. The communication includes a non-POST request. After the client negotiates the secured connection with the server in response to the non-POST request, the client submits a POST request to the SSL/TLS-enabled server via the secured connection.
Type: Application
Filed: November 19, 2007
Publication date: May 21, 2009
Inventor: James Paul Schneider
-
Patent number: 7536452
Abstract: A method for implementing traffic management is provided that includes communicating a copy of one or more incoming packets and identifying a volume associated with the incoming packets in order to communicate feedback information to a main central processing unit (CPU), the feedback information signaling that an intrusion detection system (IDS) module is expending a designated amount of resources. The feedback information may be responded to by restricting a number of additional incoming packets that are received by the main CPU.
Type: Grant
Filed: October 8, 2003
Date of Patent: May 19, 2009
Assignee: Cisco Technology, Inc.
Inventors: Jue Cao, Philippe J. Marcais
-
Patent number: 7536719
Abstract: The invention provides a method for preventing a denial-of-service attack on a responder during a security protocol key negotiation. The responder receives key negotiation requests designating a source port and source IP address. The responder only maintains state when a key negotiation request is received from an initiating computer with a valid, non-spoofed, source IP address. The responder further limits the number of in-process key negotiations for which the responder maintains state. If a key negotiation request is received from a valid source IP address and the responder has at least one established security association for that source IP address, the responder limits the number of ongoing key negotiations to a maximum number on a per port address basis for that source IP address.
Type: Grant
Filed: January 7, 2003
Date of Patent: May 19, 2009
Assignee: Microsoft Corporation
Inventor: Brian D. Swander
-
Patent number: 7536476
Abstract: A method for performing a lookup of a packet against an access control list. In one example, the method includes receiving an access control list, partitioning said list into two or more complementary sets, and for each set, forming a tree having one or more end nodes including filtering rules, and internal nodes representing decision points, thereby forming at least two trees. In one example, when a packet arrives, the two or more trees are traversed using the packet header information, wherein the decision points in the internal nodes are used to guide the packet selection down the trees to an end node.
Type: Grant
Filed: December 22, 2003
Date of Patent: May 19, 2009
Assignee: Cisco Technology, Inc.
Inventor: Brian Derek Alleyne
-
Publication number: 20090126005
Abstract: A method for managing a website is provided in which a web page including a malicious code is classified to be registered in a network firewall, so that a network terminal is prevented from accessing the web page including a malicious code. The method for managing a malicious-code spreading site using a firewall includes: analyzing a currently accessed website to determine whether the website includes a malicious code or not; when it is determined that the currently accessed website includes a malicious code, registering the website as a malicious-code spreading site; when a network terminal in a firewall requests access to a website, determining whether the website is registered as a malicious-code spreading site; and, when the access requested website is registered as a malicious-code spreading site, preventing the access to the website.
Type: Application
Filed: April 14, 2008
Publication date: May 14, 2009
Inventors: Min Sik Kim, Jung Gil Park
-
Patent number: 7533410
Abstract: The presently disclosed architecture enables a service provider to support public voice VPN services over an IP VPN network. The architecture utilizes a customer VPN, a designated gateway for the customer VPN, an IP VPN transport network, and a Call Control Element/router Complex which uses IP technology to map between the IP VPN and the voice VPN. With such an arrangement, the customer VPN is extended to the gatekeeper of the Call Control Element/router Complex, thereby enabling the provision of voice VPN services over an IP network.
Type: Grant
Filed: September 6, 2001
Date of Patent: May 12, 2009
Assignee: AT & T Corp.
Inventors: Kwok T. Fung, Denny Ko, Emmanuel K. Sam, Fang Wu, Eberhard F. Wunderlich
-
Publication number: 20090119770
Abstract: An apparatus comprising a policy enforcement point (PEP) configured to enforce firewall policies in a network, and a policy decision point (PDP) coupled to the PEP and configured to manage the PEP based on at least one firewall policy option received from at least one node. Also disclosed is a network component comprising at least one processor configured to implement a method comprising receiving a request from a node regarding a firewall policy entry, authenticating the node, processing the request to manage a firewall using a firewall control protocol, and sending a reply to the node regarding processing the request. Also disclosed is a method comprising signaling a PDP to establish a session associated with a source address and a requested protocol, and receiving an indication when the session is allowed.
Type: Application
Filed: November 6, 2008
Publication date: May 7, 2009
Applicant: FUTUREWEI TECHNOLOGIES, INC.
Inventors: Hesham Soliman, Gregory Ian Daley
-
Patent number: 7530112
Abstract: A method and apparatus for providing network security using role-based access control is disclosed. A network device implementing such a method can include, for example, an access control list. Such an access control list includes an access control list entry, which, in turn, includes a user group field. Alternatively, a network device implementing such a method can include, for example, a forwarding table that includes a plurality of forwarding table entries. In such a case, at least one of the forwarding table entries includes a user group field.
Type: Grant
Filed: September 10, 2003
Date of Patent: May 5, 2009
Assignee: Cisco Technology, Inc.
Inventor: Michael R. Smith
-
Publication number: 20090113541
Abstract: A method for use in relation to a security system includes receiving one or more items of information that each identify things or users associated with the security system, and forming a fixed portion of a security code using the one or more items of information. The fixed portion of the security code is stored in an apparatus that is configured to transmit the security code. A method and apparatus involving the receipt of such a security code are also disclosed. A method for use in relation to a security system includes generating a fixed portion of a security code, and setting a value of the fixed portion of the security code to a value that has a relationship to a fixed portion of a previously learned security code. The relationship indicates that the fixed portion of the security code is a replacement for the fixed portion of the previously learned security code. The fixed portion of the security code is stored in an apparatus that is configured to transmit the security code.
Type: Application
Filed: October 25, 2007
Publication date: April 30, 2009
Applicant: The Chamberlain Group, Inc.
Inventors: Donald Richard Callentine, James Joseph Fitzgibbon, Eric Templeton
-
Patent number: 7526801
Abstract: Example embodiments provide for keeping an HTTP reply flow for a communication open such that portions of an overall response corresponding to a single request may be sent across the HTTP reply flow. As the various portions of the overall response become available at a corresponding service endpoint, the service appropriately encapsulates the messages and sends them to the requesting endpoint. The recipient or requesting endpoint of the response is then capable of reading the available portions of the response and appropriately decodes the embedded portions and is free to process these as appropriate. Accordingly, because only one request is made for several portions of a response, valuable system resources are reserved for only requiring one authentication and/or validation of a requesting endpoint.
Type: Grant
Filed: January 7, 2005
Date of Patent: April 28, 2009
Assignee: Microsoft Corporation
Inventors: Keith W. Ballinger, Luis Felipe Cabrera
-
Patent number: 7526792
Abstract: Methods and apparatuses for integration of authentication and policy compliance enforcement. An enforcement agent may reside on a device. If an access assignment is provided to the device in conjunction with authentication, authorization to use the access granted may be restricted by the enforcement agent. In one embodiment a reduced-access assignment is made by an authenticator.
Type: Grant
Filed: June 9, 2004
Date of Patent: April 28, 2009
Assignee: Intel Corporation
Inventor: Alan D. Ross
-
Patent number: 7526808
Abstract: A wireless network security system including a system data store capable of storing network default and configuration data, a wireless transmitter and a system processor. The system processor performs a network security method. An active defense request signal is received, typically from an intrusion detection system. The received request signal includes an indicator of an access point within the wireless computer network that is potentially compromised. In response to the received request signal, an active defense of the wireless network is triggered. The triggered active defense may be one or more of transmitting a jamming signal, transmitting a signal to introduce CRC errors, transmitting a signal to increase the difficulty associated with breaking the network encryption (typically by including in the signal packet appearing legitimate but containing randomized payloads), or transmitting a channel change request to the potentially compromised access point.
Type: Grant
Filed: March 8, 2006
Date of Patent: April 28, 2009
Assignee: AirDefense, Inc.
Inventors: Michael T. Lynn, Scott Hrastar
-
Patent number: 7526798
Abstract: Run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.
Type: Grant
Filed: October 31, 2002
Date of Patent: April 28, 2009
Assignee: International Business Machines Corporation
Inventors: Ching-Yun Chao, Hyen Vui Chung, Ajay Reddy, Vishwanath Venkataramappa
-
Publication number: 20090103731
Abstract: A system is provided that includes at least one processor and instructions that when executed by the processor promote exchanging extensible authentication protocol (EAP) messages for authentication by sending a plurality of data packets formatted in accordance with an IEEE 802.15.4 standard. The EAP messages are encapsulated within a data field of the IEEE 802.15.4 standard data packet and wherein the encapsulated EAP message comprises an EAP header and a data portion.
Type: Application
Filed: October 23, 2007
Publication date: April 23, 2009
Applicant: FUTUREWEI TECHNOLOGIES, INC.
Inventor: Behcet Sarikaya
-
Patent number: 7523494
Abstract: Communication traffic is processed by detecting an anomaly in the communication traffic. A first blocking measure A is applied to the anomalous traffic that stops the anomalous traffic. A second blocking measure is determined such that application of a logical combination of the first blocking measure A and the second blocking measure to the anomalous traffic stops the anomalous traffic.
Type: Grant
Filed: February 5, 2004
Date of Patent: April 21, 2009
Assignee: International Business Machines Corporation
Inventors: Kevin Himberger, Clark D. Jeffries
-
Patent number: 7516475
Abstract: Security policies that regulate communication packets on a network may be segmented into independent sets, where each security policy of an independent set does not regulate communication packets other than those defined for that set. A management algorithm is performed separately for each independent set, rather than for all of the security policies together.
Type: Grant
Filed: July 1, 2002
Date of Patent: April 7, 2009
Assignee: Cisco Technology, Inc.
Inventors: Shigang Chen, Liman Wei
-
Publication number: 20090086661
Abstract: A system, method and program code are disclosed for the unattended monitoring, retrieval and storage of online content by a mobile information processing system operating in a low power mode. An intelligent wireless modem is activated when a mobile information processing system is operating in a low power state. The intelligent wireless modem detects the availability of a predetermined wireless network and establishes a connection. Predetermined online sites and services are then monitored by an unattended online content processor for the identification, retrieval, and subsequent storage of predetermined content. The stored content is subsequently retrieved and presented to the user for review and other operations when the mobile information processing system enters an initialization state.
Type: Application
Filed: October 2, 2007
Publication date: April 2, 2009
Inventors: Mario A. Rivas, James T. Black, Terry L. Cole
-
Patent number: 7512062
Abstract: In a networked system having a protected central server network connected to one or more satellite servers, the central server includes master data, and each satellite system includes replicated data derived from the master data. A corruption of at least a portion of the replicated data in one of the satellite servers is determined. Responsive to determining the corruption, at least the corrupted portion of the replicated data is replaced in the satellite server with data derived from the master data of the central server.
Type: Grant
Filed: August 14, 2007
Date of Patent: March 31, 2009
Assignee: International Business Machines Corporation
Inventors: Stephen Brady, Shu-Ping Chang, James S. Lipscomb
-
Patent number: 7512974
Abstract: System and computer program product for updating an SSL certificate for a server. First program instructions detect when a change has been made to a name, domain or IP address of the server and detect that the server is using an SSL certificate based on a name, domain or IP address applicable before the change. In response, the first program instructions notify an administrator that a change is required to the SSL certificate to reflect the change to the name, domain or IP address. Second program instructions respond to a request by the administrator, to automatically create a new SSL certificate signing request. The new SSL certificate signing request is a form which can be sent to an SSL certificate authority. Third program instructions respond to another request by the administrator, to send the new SSL certificate signing request to the SSL certificate authority.
Type: Grant
Filed: September 30, 2004
Date of Patent: March 31, 2009
Assignee: International Business Machines Corporation
Inventors: Patrick Joseph Callaghan, James Patrick Hennessy, Stephen Richard Nichols, Kurt Norman Schroeder
-
Patent number: 7512967
Abstract: Systems and methods are described for authenticating users. One embodiment comprises a conversion system that includes a first interface, a processing system, and a second interface. The processing system receives a user ID and user credentials in a first protocol from a first communication device through the first interface. The processing system processes the user ID and a key to generate a computed password, and then derives credentials from the computed password. The processing system compares the user credentials to the derived credentials. If the user credentials and the derived credentials correspond, then the processing system authenticates the user. The processing system then generates new user credentials from the computed password according to a second protocol used by a second communication device, and transmits the user ID and the new user credentials to the second communication device through the second interface.
Type: Grant
Filed: December 29, 2004
Date of Patent: March 31, 2009
Assignee: Alcatel-Lucent USA Inc.
Inventor: Stephen Hedley Sentoff
-
Patent number: 7509681
Abstract: A system in accordance with an embodiment of the invention includes a vulnerability detection system (VDS) and an intrusion detection system (IDS). The intrusion detection system leverages off of information gathered about a network, such as vulnerabilities, so that it only examines and alerts the user to potential intrusions that could actually affect the particular network. In addition, both the VDS and IDS may use rules in performing their respective analyses that are query-based and that are easy to construct. In particular, these rules may be based on a set of templates, which represent various entities or processes on the network.
Type: Grant
Filed: January 8, 2007
Date of Patent: March 24, 2009
Assignee: nCircle Network Security, Inc.
Inventors: John S. Flowers, Thomas C. Stracener
-
Publication number: 20090077649
Abstract: A system and method for secure data communication between users when logged on to a central server through a network. The system permits subscribers to the system to create associations with non-subscribers which permits those non-subscribers to access the system to send and receive secure data communication to the subscriber that created the association with the non-subscriber.
Type: Application
Filed: September 13, 2007
Publication date: March 19, 2009
Inventors: Thomas Wayne Lockhart, Eric Christopher Gold
-
Publication number: 20090077650
Abstract: An information processing apparatus includes: a connecting section; an information storage; a request accepting section; a searching section; a setting information storage; a determining section; and a process executing section.
Type: Application
Filed: March 27, 2008
Publication date: March 19, 2009
Applicant: FUJI XEROX CO., LTD.
Inventors: Yoshiyuki YODA, Masaki KUROKAWA, Eiji SHIMOICHI, Yuriko INAKAWA, Eiji NISHI, Noriyuki TATSUMA, Akira OKAMOTO, Takanari ISHIMURA, Akihide OSHIMA, Atsuhiro ITOH, Fumio HARADA
-
Patent number: 7506358
Abstract: A method of communicating information between a first program and a second program over a network is described. The method includes relaying the information between the first program and a first communications program over a first network connection, relaying the information between the first communications program and a second communications program over a second network connection and relaying the information between the second communications program and the second program over a third network connection. Further, the first communications program creates the second network connection to the second communications program through a first firewall program, which prevents access to the first program initiated by the second program. Thus, the second network connection is initiated by the first communications program. The first communications program can be, for example, a protocol daemon and the second communications program can be, for example, a relay program.
Type: Grant
Filed: December 9, 1999
Date of Patent: March 17, 2009
Assignee: Cisco Technology, Inc.
Inventors: Steven G. Fry, Shantanu Sarkar
-
Patent number: 7506370
Abstract: Security and mobility overlay architecture (SAMOA) includes security management and secure transport functions for fixed or mobile security subscriber units (SSUs). SSUs within SAMOA are authenticated, authorized, and provided with shared session keys by the security management function. The keys allow each SSU to communicate with the secure transport network, which provides secure connections to other SSUs. Because shared-key, rather than public-key session keys are preferably used, the problems associated with public-key certificate authorities and hierarchies are avoided. The security management function and the secure transport network can be layered efficiently on top of existing Internet protocol (IP) networks and are thus applicable to a wide range of systems that support IP, including 3G wireless, wireless LANs (e.g., 802.11x), wired LANs, and dial-up networks.
Type: Grant
Filed: May 2, 2003
Date of Patent: March 17, 2009
Assignee: Alcatel-Lucent USA Inc.
Inventor: Sudhir Aggarwal
-
Patent number: 7506154
Abstract: A method and system for providing e-mail messages to a receiving e-mail application. The e-mail messages as sent from a sending e-mail application being secure and in opaque signed format. The opaque signed e-mail messages being converted to clear signed e-mail messages by decoding extracting message content and digital signatures. The clear signed e-mails being sent to a receiving e-mail application.
Type: Grant
Filed: April 30, 2004
Date of Patent: March 17, 2009
Assignee: Research In Motion Limited
Inventors: Michael K. Brown, Michael S. Brown, Michael G. Kirkup
-
Publication number: 20090070866
Abstract: Systems and methods for email monitoring and providing sender notification of security levels for outbound email recipients prior to transmission or sending of emails.
Type: Application
Filed: September 11, 2007
Publication date: March 12, 2009
Inventor: Glade Erikson
-
Patent number: 7503071
Abstract: A technique is disclosed for identifying network traffic. The traffic data is converted into a wave vector. The wave vector is compared with a wave template. It is then determined whether the wave vector is substantially similar to the wave template.
Type: Grant
Filed: October 1, 2003
Date of Patent: March 10, 2009
Assignee: Symantec Corporation
Inventor: Brian Hernacki
-
Patent number: 7503062
Abstract: Methods for enabling database privileges are provided. The methods eliminate strict dependency on traditional password, or “secret” based security systems. Instead, database privileges are enabled based on verifying information stored in one or more frames of a call stack corresponds to trusted security logic. In another embodiment, database privileges are enabled based on policies identified in the trusted security logic. The methods and techniques described herein provide flexible and extensible mechanisms for verifying that trusted security logic has been executed prior to enabling database privileges.
Type: Grant
Filed: June 20, 2003
Date of Patent: March 10, 2009
Assignee: Oracle International Corporation
Inventors: Daniel M. Wong, Chon H. Lei
-
Publication number: 20090064311
Abstract: An application server enables a secure network interaction. The application server receives a request for the secure network interaction from a third-party server. In response, the application server determines a security procedure, such as an authentication procedure, and a client corresponding to the secure network interaction. The client includes a secure desktop agent (SDA). The application server sends a message to the client that activates the SDA. The SDA establishes a secure connection with the application server. The SDA receives user credentials in a secure desktop environment and transmits them to the application server over the secure connection. The application verifies the user credentials and sends a digitally-signed authenticated response to the third-party server.
Type: Application
Filed: August 28, 2008
Publication date: March 5, 2009
Applicant: Youtility Software Inc.
Inventors: David M. Clark, Christopher J. Taylor, Kristinn V. Helyar
-
Publication number: 20090063858
Abstract: Systems, methods, and media for retransmitting data using the SRTP are provided. In some embodiments, methods for retransmitting data using the SRTP are provided. The methods include: receiving at least one data unit associated with a media session; determining the index of the at least one data unit; determining the session key of the media session using the index; authenticating the at least one data unit using the session key; and retransmitting the at least one data unit.
Type: Application
Filed: September 5, 2007
Publication date: March 5, 2009
Applicant: Radivision Ltd.
Inventors: Jay Davis, Michael Zak, Sasha Ruditsky, Tsahi Levent-Levi
-
Publication number: 20090055921
Abstract: Aspects of the subject matter described herein relate to providing file access in a multi-protocol environment. In aspects, a file server is operable to receive requests formatted according to two or more file access protocols. If a request is formatted according to a first file access protocol, the file server applies access rights associated with the file to an account associated with a requester to determine whether to grant access. If the request is formatted according to the second file access protocol, the file server may first attempt to find an account for the requester. If an account is not found, the file server may then grant access based on access rights associated with the file as applied to information in the request without consulting an account on the file server.
Type: Application
Filed: August 23, 2007
Publication date: February 26, 2009
Applicant: MICROSOFT CORPORATION
Inventors: Scott A. Field, Paul J. Leach, Roopesh C. Battepati, Michael C. Johnson
-
Patent number: 7496957
Abstract: In one embodiment, the present invention is directed to a processor-based device that prevents unauthorized use, comprising a processor for executing software instructions, software instructions defining at least one user application, a wireless communication subsystem that is operable to transmit and receive data utilizing a wireless protocol, and software instructions defining a security protocol process that is operable to prevent execution of the software instructions defining the at least one user application by the processor when a message is received via the wireless communication subsystem, wherein the message indicates that the processor-based device is not in possession of a rightful user.
Type: Grant
Filed: January 2, 2002
Date of Patent: February 24, 2009
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Tom Howard, Tim Goldstein
-
Publication number: 20090049540
Abstract: A system for providing targeted Web feed subscription suggestions calculated based on IP (“Internet Protocol”) addresses. Web feeds are automatically suggested to users based on the IP (Internet Protocol) address of the user's computer system and previous feed subscriptions made from other computer systems having similar IP addresses. Feed suggestions may be weighted based on differing levels of IP address similarity, in order to reflect differing levels of geographic proximity between users. Users may be permitted to expressly indicate which of their feed subscriptions are to be made public through the feed reader user interface when they make subscriptions. In response to such user indications, the disclosed system passes the IP address of the user's computer system to the centralized server system together with a name or other identifier of the feed that was subscribed to.
Type: Application
Filed: August 18, 2007
Publication date: February 19, 2009
Inventors: Ayman S. Khalil, Henry Y. Wong, Michael W. Sorenson
-
Publication number: 20090049539
Abstract: In a method and system for increasing security when accessing a business system, a generic hub receives a request having a first transfer protocol from a user to access an application or application data maintained in an application server. In response to the user request, the generic hub verifies the authorization of the user to access the application server. If the user is authorized, a user interface to the application is presented to the user and input data is received from the user interface. The input data is checked for validity based on application-specific metadata and type checks bound to this metadata associated with fields in the user interface, and any extraneous or non-expected data is removed from the input data. The input data and user request of a first transfer protocol are tunneled to the application using a second transfer protocol.
Type: Application
Filed: August 13, 2007
Publication date: February 19, 2009
Applicant: SAP AG
Inventors: Ralf Halbedel, Marko Degenkolb
-
Publication number: 20090044264
Abstract: The claimed subject matter provides a system and/or a method that facilitates authenticating a data communication. An interface component can receive data related to a real time data communication between two or more clients. A verification component can employ a human interaction proof (HIP) to a client participating within the real time data communication, wherein a human identity of the client is authenticated as a function of a response to the HIP.
Type: Application
Filed: August 7, 2007
Publication date: February 12, 2009
Applicant: MICROSOFT CORPORATION
Inventors: Rajesh Ramanathan, Amritansh Raghav, Craig M. Combel
-
Publication number: 20090044265
Abstract: An attack resistant continuous network service trustworthiness controller comprising: state estimation module(s), response selection module(s), actuation module(s), and client dispatcher communication module(s) for maintaining the availability and integrity of online server(s). The state estimation module(s) are configured to generate state estimate(s) for online server(s) using behavior data obtained using sensor module(s). The response selection module(s) are configured to determine corrective action(s) to maintain the availability and integrity of online server(s) when state estimate(s) indicate that the integrity of an online server(s) is compromised. The actuation module(s) are configured to activate actuator(s) based upon the corrective action(s). Client dispatcher communication module(s) are configured to communicate online server availability information to a client dispatcher.
Type: Application
Filed: March 31, 2008
Publication date: February 12, 2009
Inventors: Anup K. Ghosh, Yih Huang, Arun Sood
-
Publication number: 20090043724
Abstract: A method for preventing session initiation protocol (SIP) attacks is provided. The method includes receiving a plurality of SIP response messages comprising at least one pre-defined SIP response code, and extracting at least one user identifier from the plurality of SIP response messages. The method further includes computing at least one of a frequency of the plurality of SIP response messages and a count of the plurality of SIP response messages corresponding to each user identifier of the at least one user identifier. The method further includes calculating a degree of attack corresponding to each user identifier using at least one of the frequency and the count. The method further includes determining a monitoring interval for each user identifier based upon the degree of attack for monitoring the plurality of SIP response messages. An apparatus and a computer program product for preventing SIP attacks are also provided.
Type: Application
Filed: August 8, 2007
Publication date: February 12, 2009
Applicant: RADWARE, LTD.
Inventor: Avi Chesla
-
Publication number: 20090044266
Abstract: A network system comprises a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism (e.g.
Type: Application
Filed: April 29, 2008
Publication date: February 12, 2009
Applicant: Authentium, Inc.
Inventors: John C. Sharp, Wee Tuck Teo, Helmuth Freericks, Oleg Kouznetsov
-
Patent number: 7490348
Abstract: Multiple levels of wireless network resource granting. A user who has an authorized key, e.g., an encryption key or a key indicating that they have paid for service, gets a first, better level of access to the network resources. One without the key is granted lesser access, e.g., less total bandwidth, less bandwidth speed, no access to files or the like.
Type: Grant
Filed: March 15, 2004
Date of Patent: February 10, 2009
Assignee: Harris Technology, LLC
Inventor: Scott C. Harris
-
Publication number: 20090037991
Abstract: The invention features various techniques for managing transfers of information in public packet switched communications networks. In one aspect, the invention provides a system for identifying updated items of network-based information, such as pages, to users in a network. A master server receives the data from each of a plurality of network servers and merges them into one or more master logs. The logs have entries pertaining to creation of or changing of pages of information. Another aspect of the invention features a system for implementing security protocols. A proxy server translates links from a protocol incompatible with the network tool to a protocol compatible with the network tool and back-translates the link. Another aspect of the invention features a system for managing authenticating credentials of a user. A proxy server manages a user's authenticating credentials automatically on behalf of the user.
Type: Application
Filed: September 29, 2008
Publication date: February 5, 2009
Inventors: John R. Ellis, David K. Gifford, G. Winfield Treese
-
Publication number: 20090038001
Abstract: Methods and apparatus, including computer program products, are provided for using a relative timestamp to log activity in a distributed computing system. In one aspect, there is provided a computer-implemented method. The method may include receiving a message including a first timestamp representative of when the message is sent at a first processor. A second processor may generate an entry logging receipt of the received message. The second processor may determine a second timestamp representative of a time relative to the first timestamp. The second timestamp may be included as an entry at a log at the second processor.
Type: Application
Filed: August 3, 2007
Publication date: February 5, 2009
Inventors: Erol Bozak, Alexander Gebhart
-
Publication number: 20090038000
Abstract: One embodiment of the present invention is a method for registering multiple addresses of record. The method comprises receiving a session initiation protocol register request. The session initiation protocol register request comprises a plurality of addresses of record and a contact address for a session initiation protocol endpoint. The method further comprises associating each of the plurality of addresses of record with the contact address for the session initiation protocol endpoint.
Type: Application
Filed: July 31, 2007
Publication date: February 5, 2009
Inventors: Ganesh Jayadevan, Carleton Moon Luck, JR., Pandit Panburana, Vikas Vashisht
-
Publication number: 20090028333
Abstract: One aspect involves receiving by a tag of wireless communications that utilize a first security provision, and wireless communications that utilize a second security provision different from the first security provision. A different aspect involves receiving by an entity of an authentication request that is based on a first digital certificate unknown to the entity, and determining by the entity, without external authentication of the first digital certificate, whether the first digital certificate is in a trust relationship with a second digital certificate that is different from the first digital certificate and that is known to the entity.
Type: Application
Filed: December 31, 2007
Publication date: January 29, 2009
Applicant: SAVI TECHNOLOGY, INC.
Inventors: Igor V. Balabine, Nikola Cargonja, Allan M. Evans, Liping Julia Zhu, Devendra Shiledar, Stephen Alan Stough