Security Protocols Patents (Class 726/14)
  • Patent number: 9450915
Abstract: A method for creating a secure link between any two endpoints in a network comprises: assigning a unique identifier to each endpoint of a network; for each endpoint in the network, transmitting the unique identifiers associated with each of the remaining endpoints in the network to said endpoint; establishing a secure link between a source endpoint and a destination endpoint comprising: transmitting a data-session establishment packet from the source endpoint to the destination endpoint via a symmetric NAT device; wherein the data-session establishment packet comprises the unique identifier associated with the source endpoint; performing a matching operation at the destination endpoint to match the unique identifier associated with the source endpoint with a unique identifier known to the destination endpoint; and upon matching of unique identifiers then creating a forwarding table entry for the destination endpoint based on the source address and source port associated with the source endpoint.
    Type: Grant
    Filed: January 2, 2014
    Date of Patent: September 20, 2016
    Assignee: VIPTELA INC.
    Inventor: Lars Olof Stefan Olofsson
  • Patent number: 9443078
    Abstract: A management appliance includes at least one processor; and a memory communicatively coupled to the at least one processor. The memory comprising executable code stored thereon such that the at least one processor, upon executing the executable code, is configured to: dispense an image corresponding to a virtual machine to a distributed computing system comprising a plurality of interconnected computing devices, such that at least one of the computing devices implements the virtual machine; establish a trusted relationship with the virtual machine; and provide an authenticated user with access to the virtual machine without further authentication credentials from the user.
    Type: Grant
    Filed: April 20, 2010
    Date of Patent: September 13, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Rohith Kottamangalam Ashok, Daniel Everett Jemiolo, Todd Eric Kaplinger, Aaron Kyle Shook
  • Patent number: 9438549
    Abstract: Embodiments of the present invention provide a method, system and computer program product for controlling expiration of electronic mail (e-mail) single store attachments. A method to control expiration of e-mail single store attachments can include sending an e-mail message, the e-mail message including one or more attachments, creating a single store linked e-mail message by removing the one or more attachments from the sent e-mail message and replacing each of the one or more attachments with a corresponding single store attachment link. The method further can include storing the removed one or more attachments in an attachment server, where each of the one or more attachments has an expiration date, sending the single store linked e-mail message having the one or more store attachment links to one or more recipients and deleting an attachment stored on the attachment server based upon its respective expiration date having expired. When there is e-mail activity (e.g., forward, reply, etc.
    Type: Grant
    Filed: September 27, 2007
    Date of Patent: September 6, 2016
    Assignee: International Business Machines Corporation
    Inventor: Mark E. Maresh
  • Patent number: 9401922
    Abstract: Systems and methods are provided for detecting an anomalous condition in a virtual computing environment having a virtualization control system coupled to a physical server, disk drive, and networking resources, where the virtualization control system is configured to partition the physical resources into virtual resources including virtual processor, memory, and storage resources for a plurality of virtual servers. Contents of a plurality of virtual memory storage locations are determined, where the virtual memory storage locations span multiple virtual servers. A runtime state of the virtual environment is determined based on the contents of the virtual memory storage locations. The runtime state of the virtual environment is verified for correctness or compared with a baseline state to identify a deviation from the baseline state, and a corrective action is performed when the discrepancy meets a predetermined criteria.
    Type: Grant
    Filed: December 9, 2011
    Date of Patent: July 26, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventor: Aaron Walters
  • Patent number: 9398467
    Abstract: An approach is provided for causing an extension of secure emergency network resources via one or more trusted point of presence. The approach involves determining a networking context, wherein the networking context initiates a request to join an extension mesh network to a currently trusted network. The approach also involves determining a target network trust level associated with the networking context, the currently trusted network, or a combination thereof. The approach further involves selecting the extension mesh network based on the target network trust level. The approach also involves initiating a joining of the extension mesh network to the currently trusted network.
    Type: Grant
    Filed: September 5, 2014
    Date of Patent: July 19, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, James Ronald Barfield, Jr., Todd M. Willis, Robert A. Sartini
  • Patent number: 9392072
    Abstract: An improved industrial automation system and communication system for implementation therein, and related methods of operation, are described herein. In at least some embodiments, the improved communication system allows communication in the form of messages between modules in different control or enterprise domains. Further, in at least some embodiments, such communications are achieved by providing a communication system including a manufacturing service bus having two internal service busses with a bridge between the internal busses. Also, in at least some embodiments, a methodology of synchronous messaging is employed.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: July 12, 2016
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Jan Bezdicek, Ladislav Bumbalek, Kenwood H. Hall, Jakub Slajs
  • Patent number: 9378359
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: June 28, 2016
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, John M. McGinty
  • Patent number: 9379952
    Abstract: A method comprising dereferencing, in a web browser, a Uniform Resource Identifier (URI) comprising a web resource and a reflex tag, creating a request message comprising a request for the web resource and a reflex request corresponding to the reflex tag, wherein the reflex request is a request for address and port information from a web server comprising the web resource, encapsulating the request message in a transport message comprising an Internet Protocol (IP) address and a port of the web browser, transmitting the transport message to the web server, receiving a response message from the web server, wherein the response message comprises a second IP address and a second port number of the browser as seen by the web server, and determining a characteristic of at least one Network Address Translation (NAT) device coupled between the web browser and the web server based on the second IP address and second port number.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: June 28, 2016
    Assignee: Futurewei Technologies, Inc.
    Inventors: Li Li, Tao Cai, Wu Chou
  • Patent number: 9357002
    Abstract: A method for verifying receipt of data packets, including generating a plurality of data packets, wherein each of the plurality of data packets comprises entropy information, transmitting one or more of the plurality of data packets to a receiver, receiving a first hash from the receiver, wherein the first hash is based on the entropy information of the one or more of the plurality of data packets and validating the first hash to determine if the receiver received the one or more of the plurality of data packets. Systems and computer-readable media are also provided.
    Type: Grant
    Filed: April 8, 2013
    Date of Patent: May 31, 2016
    Assignee: Google Inc.
    Inventors: James Anthony Roskind, Ryan Cameron Hamilton
  • Patent number: 9329624
    Abstract: A communication apparatus that is capable of enabling communication even when IPsec life time information is taken over. The communication apparatus is connected to a network via a network interface device and operates in a first power mode or a second power mode with less power consumption. A notification unit notifies the network interface device of IPsec life time information when shifting to the second power mode from the first power mode. A storage unit stores first time information showing time of shifting to the second power mode from the first power mode. An acquisition unit acquires the life time information from the network interface device when shifting to the first power mode from the second power mode. A correction unit corrects the life time information based on second time information showing time of shifting to the first power mode from the second power mode and the first time information.
    Type: Grant
    Filed: April 20, 2012
    Date of Patent: May 3, 2016
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Tomohiro Kimura
  • Patent number: 9311477
    Abstract: The disclosure concerns a method implemented by a processing device. The method includes performing a first execution by the processing device of a computing function based on one or more initial parameters stored in a first memory device. The execution of the computing function generates one or more modified values of at least one of the initial parameters, wherein during the first execution the one or more initial parameters are read from the first memory device and the one or more modified values are stored in a second memory device. The method also includes performing a second execution by the processing device of the computing function based on the one or more initial parameters stored in the first memory device.
    Type: Grant
    Filed: December 14, 2012
    Date of Patent: April 12, 2016
    Assignees: Proton World International N.V., STMicroelectronics (Rousset) SAS
    Inventors: Fabrice Marinet, Jean-Louis Modave, Gilles Van Assche, Ronny Van Keer
  • Patent number: 9281942
    Abstract: A method of providing access to a password-protected electronic control unit (ECU) using encryption includes generating a cryptographic key for the ECU using a master password, a serial number of the ECU, and a password-based key derivation function; converting the generated cryptographic key into an ECU password; and accessing data from the ECU using the ECU password.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: March 8, 2016
    Assignee: GM Global Technology Operations LLC
    Inventors: Karl B. Leboeuf, Joseph E. Ploucha
  • Patent number: 9275237
    Abstract: One embodiment of the present invention provides a system for privacy-preserving sharing of data for secure collaboration. During operation, the system obtains a first set of data describing network events associated with one or more network addresses. Next, the system negotiates with a potential partner to determine a metric for deciding whether to share data. The potential partner is associated with a second set of data describing network events. The system then computes a value for the metric in a privacy-preserving way, based on the first set of data and the second set of data. Subsequently, the system determines whether the metric value exceeds a predetermined threshold, and, responsive to determining that the metric value exceeds the predetermined threshold, the system shares the first set of data with the potential partner, while controlling how the data should be shared to optimize benefits and risks of collaboration.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: March 1, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Emiliano De Cristofaro, Julien F. Freudiger, Ersin Uzun, Alejandro E. Brito, Marshall W. Bern
  • Patent number: 9270480
    Abstract: The present disclosure pertains to systems and methods for Ethernet-based management of optical networks using ONT management interface (OMCI). In one exemplary embodiment, an Ethernet-based protocol, such as Active Ethernet, is used to implement an ONT management interface (OMCI) between an optical line terminal (OLT) and a plurality of ONTs of a MON. Further, virtual local area networks (VLANs) are used to separate the traffic carried by the MON. Various techniques are described that permit ONT registration and creation of VLANs for the MON without requiring the use of gigabit PON (GPON) constructs, such as traffic containers (TCONTs) and dedicated GPON encapsulation method (GEM) ports.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: February 23, 2016
    Assignee: ADTRAN, Inc.
    Inventors: Peter Carl Som de Cerff, Pradipta Kumar Das, Karl Bielefeldt, Jeffrey McClure, Gary Culp
  • Patent number: 9264751
Abstract: Apparatus and methods for downloading selected multimedia content and applications. In one embodiment, the apparatus and methods enable various options or functionalities for programming content over a home network. A web-based user interface on a consumer device that controls a set-top box (STB) over a local home network is utilized. An initial process connects the consumer device to an application server for the necessary web software. After discovery of both the consumer device and the STB on the local home network, an initial page of the application is loaded and the application calls the web services on the STB via the home network to retrieve data and control the STB with a compatible web browser on the consumer device.
    Type: Grant
    Filed: February 15, 2013
    Date of Patent: February 16, 2016
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: George Sarosi, Jay Thomas, William Helms, Chris Cholas
  • Patent number: 9262354
    Abstract: Generally, this disclosure relates to adaptive interrupt moderation. A method may include determining, by a host device, a number of connections between the host device and one or more link partners based, at least in part, on a connection identifier associated with each connection; determining, by the host device, a new interrupt rate based at least in part on a number of connections; updating, by the host device, an interrupt moderation timer with a value related to the new interrupt rate; and configuring the interrupt moderation timer to allow interrupts to occur at the new interrupt rate.
    Type: Grant
    Filed: March 10, 2015
    Date of Patent: February 16, 2016
Assignee: Intel Corporation
    Inventors: Yadong Li, Linden Cornett, Manasi Deval, Anil Vasudevan, Parthasarathy Sarangam
  • Patent number: 9258282
    Abstract: The present disclosure provides protection of customer data traveling across a network. A reverse cryptographic map (also referred to herein as a reverse crypto map) can be defined for a customer, where the reverse crypto map indicates how customer data should be protected. A reverse crypto map for a customer is applied to an interface of an edge device that is coupled to that customer's private subnet (or customer-facing interface). A reverse crypto map can be configured by a network administrator on a provider edge device, or can be pushed from a key server as part of group policy. A provider edge device can protect customer data by encrypting and decrypting the customer data according to the reverse crypto map. A provider edge device can also be configured with virtual routing and forwarding (VRF) tables that can be used to forward the VPN traffic flow across a provider network.
    Type: Grant
    Filed: October 24, 2012
    Date of Patent: February 9, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Frederic R. P. Detienne, Pratima Sethi
  • Patent number: 9253172
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: April 8, 2015
    Date of Patent: February 2, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 9241045
Abstract: A method controls the routing of service requests to a plurality of servers using a first routing distribution algorithm. The method includes waiting a first period of time for a designated server to respond to a service request, transmitting the service request to the designated server a second time, and waiting a second period of time for the designated server to respond to the service request assigned to the designated server, the second period of time being longer than the first period of time. The method also includes determining that the designated server has failed, rerouting the service request to a different server, and routing the service requests to the plurality of servers using a second routing distribution algorithm.
    Type: Grant
    Filed: February 28, 2012
    Date of Patent: January 19, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: David Hoeflin, Yury Bakshi
  • Patent number: 9223976
    Abstract: Content inspection techniques are described. In one or more implementations, it is detected that an application executing on a computing device is calling a particular code element of a group of code elements to be used to process content. For example, the group of code elements can include a pre-specified group of code elements (e.g., functions and/or properties) that may enable access to particular functionalities of a computing device and thus are associated with a known security risk. It is then ascertained that the content is untrusted and, in response to ascertaining that the content is untrusted, the content is inspected to determine if the content is safe to be passed to the code element.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: December 29, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David L. Risney, Jr., Scott B. Graham, David Andrew Ross, Mathias Jourdain
  • Patent number: 9197607
    Abstract: Briefly, embodiments of methods or systems for providing enhancements to network security are disclosed.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: November 24, 2015
    Assignee: Yahoo! Inc.
    Inventor: William J. Mills
  • Patent number: 9172763
    Abstract: Various methods for server-side recordation and playback of a remote desktop session are provided. One example method may comprise receiving data related to a remote desktop protocol session. The method of this example embodiment may further comprise providing for storage of the data at a location other than the device associated with the remote desktop protocol client of the remote desktop protocol session. Furthermore, the method of this example embodiment may comprise receiving a request to reproduce the remote desktop protocol session. The method of this example embodiment may also comprise retrieving the data from storage. Additionally, the method of this example embodiment may comprise facilitating reproduction of at least a portion of the remote desktop protocol session based at least in part on the retrieved data. Similar and related example methods, apparatuses, systems, and computer program products are also provided.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: October 27, 2015
    Assignee: Lenovo (Singapore) PTE. LTD.
    Inventors: Richard W. German, Tony E. Thompson, Eric T. Marshall
  • Patent number: 9141558
    Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: September 22, 2015
    Assignee: International Business Machines Corporation
    Inventor: William E. Hall
  • Patent number: 9130755
    Abstract: A method provides cross enterprise communication in which intermediary communication components carry out cross enterprise communication. The method at a first sending enterprise includes: receiving a signed encrypted message from a sender within a first enterprise; validating the sender; decrypting the message; encrypting the message for receipt by a second enterprise; signing the encrypted message by the first enterprise; and sending the re-signed re-encrypted message to a second enterprise. The method at the second receiving enterprise includes: receiving a signed encrypted message from a first enterprise; validating that the first enterprise is the sender; decrypting the message; encrypting the message for receipt by one or more recipients at the second enterprise; signing the encrypted message by the second enterprise indicating that the message is from the first enterprise; and sending the re-signed re-encrypted message to the one or more recipients of the second enterprise.
    Type: Grant
    Filed: February 28, 2013
    Date of Patent: September 8, 2015
    Assignee: International Business Machines Corporation
    Inventors: Alan James Chatt, Christopher Colin Paice, Cyril Peter Stewart
  • Patent number: 9112750
Abstract: A job management server for managing a plurality of jobs to be executed by a virtual computer generated on a computer includes a job management part to manage information on a job net which configures a plurality of jobs and allocate a plurality of jobs included in a job net to the virtual computer, and a recovery part to monitor an execution status of each of the plurality of jobs included in the job net and perform recovery processing, wherein the job management server is configured to: specify a target job for changing allocation, in a case where a failure has occurred in a first virtual computer to execute a first job included in the first job net; and determine a performance of a virtual computer required to execute the target job.
    Type: Grant
    Filed: May 31, 2011
    Date of Patent: August 18, 2015
    Assignee: HITACHI, LTD.
    Inventor: Yohey Ishikawa
  • Patent number: 9110920
    Abstract: A file handle produced by a file server is encoded into a pseudo-pathname used as a substitute for a pathname in a network file access protocol for accessing a file in the file server. The method avoids repeating a directory lookup and may permit the network file access protocol to access a file that has been renamed since the file handle was produced. The method is particularly advantageous for enabling a file server to use a CIFS client for virus checking or backup of a file modified by an NFS client. In a preferred implementation, the encoding of the file handle into a pseudo-pathname involves converting the file handle to an ASCII hexadecimal format to produce a component name, and appending the component name to a special name of a pseudo-directory of file handles of files in a file system.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: August 18, 2015
    Assignee: EMC Corporation
    Inventors: Augustine Amegadzie, Frank S. Caccavale, Xiaoye Jiang, Ka-Lai Wei
  • Patent number: 9092620
Abstract: A monitoring apparatus includes a memory which stores a program for executing procedures and a processor coupled to the memory which executes the procedures based on the program, wherein the procedures include detecting a destination of access from a server apparatus to a storage apparatus on the basis of a result of analysis of a packet transmitted and received between the storage apparatus and the server apparatus, the storage apparatus including a plurality of storage areas, the server apparatus executing a plurality of virtual servers, part of the plurality of storage areas being allocated to each of the plurality of virtual servers as an accessible storage area, and determining that abnormal access is performed from the server apparatus to the storage apparatus when the storage areas of the detected destination are beyond a certain criterion in the plurality of storage areas.
    Type: Grant
    Filed: August 7, 2012
    Date of Patent: July 28, 2015
    Assignee: FUJITSU LIMITED
    Inventors: Masanobu Morinaga, Nobuyuki Kanaya
  • Patent number: 9088430
    Abstract: Remote field testing of mobile communication devices is described herein. By way of example, network initiated data received at a mobile device or like device activated on a mobile network can be monitored. Further, an over the air (OTA) message sent by the mobile network to the monitored device can be identified. If pertinent to a test device or an application of the test device, the OTA message can be forwarded to the test device. In addition, an IP network, satellite network, or the other suitable remote network can be utilized to forward the OTA message. Accordingly, field testing can be implemented at a convenient place remote from the mobile network, reducing or avoiding time and cost associated with local field testing at wireless access points of the mobile network.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: July 21, 2015
    Assignee: QUALCOMM Incorporated
    Inventor: Rana Huq
  • Patent number: 9076011
    Abstract: Provided is a system in which two or more clients, each including an application program that transmits a network access request, and a server are able to communicate, wherein at least one client includes first control means for controlling the access request transmitted to the server, based on a security level assigned to the application program, and the server includes second control means for determining whether the first control means has been introduced to the client that has transmitted the access request, authorizing the access request when the determination result is positive, and controlling the access request based on a security level assigned to an access target when the determination result is negative.
    Type: Grant
    Filed: June 1, 2011
    Date of Patent: July 7, 2015
    Assignee: NEC CORPORATION
    Inventor: Takayuki Sasaki
  • Publication number: 20150150114
    Abstract: In order to provide secure user access to a device or service on a remote network, upon receipt of a request to access the device or service on a portal on a central server, a request is sent to a probe application installed on the remote network to establish a secure link to the central server. A message is then sent to the user directing the user to initiate a specific session request to the central server. The session request is cross connected to the probe application installed on the remote network over the secure link to establish a secure tunnel to the probe application. A secure user session is set up through the secure tunnel to the device or service via the probe application.
    Type: Application
    Filed: January 30, 2012
    Publication date: May 28, 2015
    Applicant: MARTELLO TECHNOLOGIES CORPORATION
    Inventors: Bill Kuker, Ryan Tenney, Clement Tse
  • Publication number: 20150150115
Abstract: A method for the transmission of a message by a server of a multimedia IP core network is disclosed. In one aspect, the method follows the reception, by the server, of a request from a terminal to register with the core network, the registration request proposing an authentication method for the establishment of a secure tunnel between the terminal and an entity for the connection of the terminal to the core network. The transmission method may comprise identifying an access network used by the terminal for registering with the multimedia IP core network, drawing up, according to the identified access network, a recommendation concerning the establishment or otherwise of the secure tunnel between the terminal and the connection entity for the authentication method, and inserting said recommendation into the message transmitted by the server.
    Type: Application
    Filed: June 27, 2013
    Publication date: May 28, 2015
    Inventors: Jean-Claude Le Rouzic, José Doree
  • Patent number: 9038162
    Abstract: Implementations of the present invention efficiently establish secure connections between a client and server, at least in part by authenticating the client and server early on in the connection setup phases. A client initiating a connection with a server identifies the secure communication protocols enabled at the client, and identifies these protocols in a connection request it sends to the server. The server processes the message and responds with a communication protocol it deems appropriate for the connection. The client and server then exchange appropriate authentication information, and then establish a connection session that implements the chosen communication protocol, and encrypts messages using the negotiated communication protocol. Additional implementations relate to reestablishing dropped connections behind virtual Internet Protocol addresses, without necessarily having to recommit much connection resource overhead.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: May 19, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Costin Hagiu, Elton Saul, Rajneesh Mahajan, Sergey A. Kuzin, Joy Chik, John E. Parsons, Ashwin Palekar, Ara Bernardi
  • Patent number: 9032506
    Abstract: Described in an example embodiment herein is a Multiple Application Container. Various embodiments of the Multiple Application Container may include, but are not limited to: (1) managed intranet access via a dedicated Virtual Private Network (VPN) tunnel shared amongst applications within the container, (2) managed file/data encryption, (3) native look and feel applications for the base Operating System (OS), (4) isolation from any non-OS based services on the device, and/or (5) Mobile Device Management (MDM) based capabilities, such as policy enforcement.
    Type: Grant
    Filed: August 9, 2012
    Date of Patent: May 12, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Vincent E. Parla, Brian Henry Pescatore, Timothy Steven Champagne
  • Patent number: 9031536
    Abstract: The invention is directed to systems and methods for detecting the loss, theft or unauthorized use of a device and/or altering the functionality of the device in response. In one embodiment, a device monitors its use, its local environment, and/or its operating context to determine that the device is no longer within the control of an authorized user. The device may receive communications or generate an internal signal altering its functionality, such as instructing the device to enter a restricted use mode, a surveillance mode, to provide instructions to return the device and/or to prevent unauthorized use or unauthorized access to data. Additional embodiments also address methods and systems for gathering forensic data regarding an unauthorized user to assist in locating the unauthorized user and/or the device.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: May 12, 2015
    Assignee: Yougetitback Limited
    Inventors: William Fitzgerald, Peter Bermingham, Frank Hannigan, Paul Prendergast
  • Patent number: 9032505
    Abstract: A computing device includes: a processing unit; and memory encoding instructions that, when executed by the processing unit, cause the processing unit to: receive a request from a client computing device; establish a first secured connection to the client computing device; select a server computing device from a plurality of server computing devices to service the request from the client computing device, selection being made based, at least in part, upon load balancing considerations; establish a second secured connection to the server computing device, the second secured connection being separate from the first secured connection; and allow the client computing device to securely communicate with the server computing device through the first and second secured connections.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 12, 2015
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Michael Thomas McCormick, Jonathan Francis Savage, Michael Charles Dayton, Robert Henry Hughes, Michael Alan Krumpus, Mathew Loesch, Nathan Thangavadivel Suri
  • Publication number: 20150128248
    Abstract: A method for containing a threat in a network environment using dynamic firewall policies is provided. In one example embodiment, the method can include detecting a threat originating from a first node having a source address in a network, applying a local firewall policy to block connections with the source address, and broadcasting an alert to a second node in the network. In more particular embodiments, an alert may be sent to a network administrator identifying the source address and providing remedial information. In yet other particular embodiments, the method may also include applying a remote firewall policy to the first node blocking outgoing connections from the first node.
    Type: Application
    Filed: October 30, 2014
    Publication date: May 7, 2015
    Inventors: Manabendra Paul, Praveen Ravichandran Sudharma
  • Patent number: 9027114
    Abstract: In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: May 5, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Aamer S. Akhter, Rajiv Asati, Brian Weis, Mohamed Khalid
  • Patent number: 9027115
    Abstract: A method for connecting a first network device to a second network device includes receiving a request to resolve a network address of the second network device. The request includes a name associated with the second network device that corresponds to the network address. The request is evaluated to confirm that the name is registered with a name service that facilitates resolving the name and facilitates establishing communication links, which use encryption, between the first network device and the second network device over the network. It is determined whether the second network device is available to establish the communication link. If so, the communication link is automatically established, including sending a signal to a provisioning server to provision the first network device or the second network device with a resource for the communication link.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: May 5, 2015
    Assignee: VirnetX, Inc.
    Inventors: Victor Larson, Robert Dunham Short, III, Edmund Colby Munger, Michael Williamson
  • Patent number: 9027138
    Abstract: Novel solutions for detecting and/or treating malware on a subscriber's premise network. Such solutions can include, but are not limited to, tools and techniques that can detect, and/or enable the detection of, malware infections on individual subscriber devices within the subscriber's network. In a particular embodiment, for example, a premise gateway, or other device on the subscriber's premise network, is configured to analyze packets traveling through the premise gateway and, based on that analysis, identify one or more subscriber devices that are infected with malware.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: May 5, 2015
    Assignee: CenturyLink Intellectual Property LLC
    Inventors: Michael Glenn, Donald J. Smith, John Butala
  • Patent number: 9021577
    Abstract: A network element (NE) comprising a memory device configured to store instructions, and a processor configured to execute the instructions by dividing a first plurality of data packets of a data flow into a first plurality of sub-flows, and causing the first plurality of sub-flows to be transmitted to a second NE via a network, wherein the first plurality of sub-flows are transmitted using a first Internet Protocol Security (IPsec) security association (SA) cluster comprising a plurality of parallel sub-SAs. The disclosure also includes an NE comprising a processor configured to create an IPsec SA cluster comprising a first plurality of sub-SAs between the NE and a second NE using an internet key exchange (IKE) or an IKEv2, wherein the first sub-SAs are unidirectional, and wherein the first sub-SAs are configured to transport a first plurality of data packets in a common direction.
    Type: Grant
    Filed: March 28, 2013
    Date of Patent: April 28, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Jifei Song, Xiaoyong Yi, Xiangyang Zhang
  • Patent number: 9021251
    Abstract: A communication network is operated by receiving traffic from a user device at a gateway device associated with a gateway service provider, which manages gateways to both secure and insecure networks. The gateway uses security policies to determine if traffic is destined to the secure or insecure network and applies appropriate policies which cause the traffic to be routed, dropped, or analyzed.
    Type: Grant
    Filed: November 2, 2009
    Date of Patent: April 28, 2015
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Deepak Chawla, William R. Beckett, III
  • Patent number: 9021573
    Abstract: A method and a system are disclosed that enable an address at the edge router to be used to establish a multi-pipe virtual private network (MVPN) connecting controllers to multiple web enabled end user devices (EUDs) inside a security protected local area network (LAN). The EUDs connect to a central server (CS) outside the LAN during configuration, establishing registration and identity (ID) for each EUD. Once the EUDs establish a connection from inside the LAN, the CS is enabled to communicate with the EUDs using the address and ID provided during registration. The CS then acts as a facilitator establishing a secure VPN connection between controllers in the cloud and the EUDs inside the LAN. The CS further acts as a pass-through for those LANs that do not allow direct connections to controllers outside the LAN. The CS continues to monitor the health of the overall system once connectivity is established.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 28, 2015
    Assignee: Cradle Technologies
    Inventors: Ramachandran Natarajan, Suhas S. Patil
  • Patent number: 9021545
    Abstract: In one embodiment, a first instruction prescribing a setting for a feature is defined. A second instruction prescribing a first action is defined. A third instruction prescribing a second action is defined. It is determined whether the feature is present in a computing device, and if present, whether the feature is set to the setting. The first action is initiated if the feature is present and not set to the setting. The second action is initiated if the feature is not present.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: April 28, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Matthew Deter, Douglas T. Albright, Kimberly G. Drongesen, John K. Gonsalves, Daryl Wong, Shivaun Albright
  • Patent number: 9021090
    Abstract: The communications management systems manage access to a local area network or network content by external users, applications, and devices. The systems and methods are implemented on a network appliance to manage content within the network and facilitate content transmission through a firewall that separates the network from a larger networking environment, such as the World Wide Web.
    Type: Grant
    Filed: May 29, 2012
    Date of Patent: April 28, 2015
    Assignee: Seagate Technology LLC
    Inventors: James A. Savage, Tim Bucher
  • Patent number: 9021576
    Abstract: It is so arranged that an encryption key can be shared with a communication apparatus that participates in a network anew, even in an ad-hoc-mode type of environment. In order to achieve this, a communication apparatus determines whether it possesses an encryption key shared with another communication apparatus and, in accordance with the result of the determination, initiates a sharing process for sharing the encryption key with a first communication apparatus from the communication apparatus after the sharing process for sharing the encryption key has been initiated from the first communication apparatus.
    Type: Grant
    Filed: August 5, 2008
    Date of Patent: April 28, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Fumihide Goto
  • Patent number: 9021272
    Abstract: The present invention relates to key management in a secure microcontroller, and more particularly, to systems, devices and methods of automatically and transparently employing logic or physical address based keys that may also be transferred using dedicated buses. A cryptographic engine translates a logic address to at least one physical address, and processes a corresponding data word based on at least one target key. The target key is selected from a plurality of keys based on the logic or physical address. A universal memory controller stores each processed data word in the corresponding physical address within a memory. Each key is associated with a memory region within the memory, and therefore, the logic or physical address associated with a memory region may be used to automatically identify the corresponding target key. A dedicated secure link may be used to transport key request commands and the plurality of keys.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: April 28, 2015
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Vincent Debout, Frank Lhermet, Yann Yves René Loisel, Grégory Rome, Christophe Tremlet
  • Patent number: 9015823
    Abstract: Some embodiments provide a method for configuring a logical firewall in a hosting system that includes a set of nodes. The logical firewall is part of a logical network that includes a set of logical forwarding elements. The method receives a configuration for the firewall that specifies packet processing rules for the firewall. The method identifies several of the nodes on which to implement the logical forwarding elements. The method distributes the firewall configuration for implementation on the identified nodes. At a node, the firewall of some embodiments receives a packet, from a managed switching element within the node, through a software port between the managed switching element and the distributed firewall application. The firewall determines whether to allow the packet based on the received configuration. When the packet is allowed, the firewall sends the packet back to the managed switching element through the software port.
    Type: Grant
    Filed: November 15, 2012
    Date of Patent: April 21, 2015
    Assignee: Nicira, Inc.
    Inventors: Teemu Koponen, Ronghua Zhang, Pankaj Thakkar, Martin Casado
  • Patent number: 9015471
    Abstract: A wide area network using the internet as a backbone utilizing specially selected ISX/ISP providers whose routers route packets of said wide area network along private tunnels through the internet comprised of high bandwidth, low hop-count data paths. Firewalls are provided at each end of each private tunnel which recognize IP packets addressed to devices at the other end of the tunnel and encapsulate these packets in other IP packets which have a header which includes as the destination address, the IP address of the untrusted side of the firewall at the other end of the tunnel. The payload sections of these packets are the original IP packets and are encrypted and decrypted at both ends of the private tunnel using the same encryption algorithm using the same key or keys.
    Type: Grant
    Filed: September 10, 2013
    Date of Patent: April 21, 2015
    Assignee: AlterWAN, Inc.
    Inventor: Richard D. Haney
  • Patent number: 9015486
    Abstract: Systems, devices, and methods for outputting an alert on a mobile device to indicate the use of a weak hash function are disclosed herein. In one example embodiment, the method comprises receiving data (e.g. from a server) that identifies at least one first hash function, identifying a hash digest generated using a second hash function, determining if the second hash function is weak using the received data, and outputting an alert indicating that the second hash function is weak if it is determined that the second hash function is weak.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: April 21, 2015
    Assignee: BlackBerry Limited
    Inventors: Christopher L. Bender, Michael K. Brown, Michael S. Brown
  • Patent number: 9008056
    Abstract: Remote access for a terminal to a first network via a second network is managed; the first network being linked to the second network via a network apparatus. At the level of the network apparatus, there is received, from the terminal via the second network, a request for remote access to the first network indicating access information comprising a first parameter corresponding to a physical address of the terminal and a second parameter corresponding to a secret key of the gateway. The network apparatus thereafter decides whether the terminal is authorized to remotely access the first network on the basis of said access information. This network apparatus subsequently emits, bound for the terminal via the second network, a message indicating whether the terminal is authorized to remotely access the first network.
    Type: Grant
    Filed: June 23, 2009
    Date of Patent: April 14, 2015
    Assignee: Orange
    Inventors: Erwan Le Ber, Philippe Hemon