Security Protocols Patents (Class 726/14)
  • Patent number: 9009811
    Abstract: An appliance has a communication network with a plurality of nodes for executing commands to enable operation by components. A firewall is provided to restrict access to the commands by the nodes without a password.
    Type: Grant
    Filed: October 31, 2007
    Date of Patent: April 14, 2015
    Assignee: Whirlpool Corporation
    Inventors: Matthew P. Ebrom, Mark E. Glotzbach, Patrick J. Glotzbach, Richard A. McCoy, Daniel M. Putnam, Andrew D. Whipple
  • Patent number: 9003512
    Abstract: A content protection management system that enables interoperability with other Content Protection and DRM technologies. A managed security domain provides a simple, consistent and reliable experience to whole-home network subscribers. The architectural concept for the whole-home network includes an underlying control plane with an overlaying content security control plane running a particular DRM technology.
    Type: Grant
    Filed: July 20, 2010
    Date of Patent: April 7, 2015
    Assignee: Cox Communications, Inc.
    Inventors: Francisco Gonzalez, Edgar V. Shrum, Jr.
  • Patent number: 9003509
    Abstract: A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
    Type: Grant
    Filed: December 10, 2008
    Date of Patent: April 7, 2015
    Assignee: F5 Networks, Inc.
    Inventor: David Movshovitz
  • Patent number: 8997205
    Abstract: A method and apparatus for providing a secure domain name services by utilizing a hypervisor to provide an isolated execution environment in which a secure browser session can be instantiated. The secure browser session utilizes a secure DNS server to provide domain name services.
    Type: Grant
    Filed: June 27, 2008
    Date of Patent: March 31, 2015
    Assignee: Symantec Corporation
    Inventor: Vijay Anand Seshadri
  • Patent number: 8997234
    Abstract: A system and method in one embodiment includes modules for identifying an asset with a vulnerability risk, identifying a service running on a port on the asset, identifying a connection to the port, calculating an operational dependence role of the asset as a function of the service and the connection, and modifying the vulnerability risk based on the operational dependence role. Other embodiments include identifying a protocol of a data packet at the port, classifying the protocol into a protocol category with a protocol importance score, calculating a connection average for the asset, classifying the connection average into a connection category with a connection score, and calculating a service dependence score. Other embodiments include calculating a host dependence score, assigning a data importance score to data communicated by the asset, and calculating the operational dependence role as a function of the host dependence score and data importance score.
    Type: Grant
    Filed: July 27, 2011
    Date of Patent: March 31, 2015
    Assignee: McAfee, Inc.
    Inventors: Stuart McClure, Michael Morgan Price
  • Patent number: 8997208
    Abstract: A VPN gateway device is able to assign, manage, and terminate a large volume of connections from apps executing on devices, enabling a large scale per-app VPN mobile environment. When a mobile device user opens an app on a mobile device, a VPN gateway transmits a unique IP address to the app. The gateway also transmits an app federation cookie to the app. The app shares the app federation cookie with a second app. The VPN gateway then assigns the second app the same unique IP address. The gateway then transmits a range of ports to the first app. The app uses a port in the range of ports for data transmission from the device to the VPN gateway. The gateway receives a data transmission from the first app via a VPN and determines that the data transmission originated from the first app based on the source port.
    Type: Grant
    Filed: August 14, 2014
    Date of Patent: March 31, 2015
    Assignee: Mocana Corporation
    Inventors: Timothy S. Champagne, Kevin P. Fox, Daniel Murphy, Brian H. Pescatore, Kenneth J. Wante
  • Patent number: 8984614
    Abstract: The present invention provides a unique way of implementing the SOCKS protocol for establishing connections through a firewall. In general, instead of having a SOCKS server implemented entirely in the firewall, SOCKS servers are implemented on both a server and a client, which are configured to communicate with each other through the firewall. The SOCKS servers on the server and client allow multiple objects on both the server and the client to communicate with each other through a single port through the firewall, wherein the SOCKS servers on the server and the client cooperate with each other and their respective objects to allow the objects to establish the connections.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: March 17, 2015
    Assignee: Rockstar Consortium US LP
    Inventor: Mathew John
  • Patent number: 8984618
    Abstract: Disclosed is a system for managing virtual private networks (VPNs) that includes: terminals configured to transmit user data; a manager configured to transmit information for concealing networks and managing the VPNs; border gateways configured to decrypt the user data and perform a network address translation (NAT) procedure and a filtering procedure on the decrypted user data based on the information; and servers configured to receive the user data subjected to the NAT procedure and the filtering procedure, wherein the filtering procedure is a procedure discarding the user data to be transferred to the servers that are not allowed so as to allow the terminals to access only the allowed servers, the NAT procedure is a procedure changing an Internet protocol (IP) address used in a first network to an IP address used in a second network, and the first network and the second network are different networks.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: March 17, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Sung Back Hong, Jung Sik Kim, Seong Moon, Sun Cheul Kim, Seung Woo Hong, Sang Jin Hong, Pyung Koo Park, Young Soo Shin, Ho Yong Ryu, Soon Seok Lee
  • Patent number: 8984619
    Abstract: According to one aspect, the subject matter described herein includes a method for communicating an encrypted data packet. The method includes steps occurring at a first gateway node. The method also includes receiving a data packet from a first host. The method further includes determining that a first security association (SA) instance associated with the data packet is in an inactive state. The method further includes identifying a second SA instance that is both associated with the data packet and in an active state. The method further includes forwarding the data packet to the second SA instance.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: March 17, 2015
    Assignee: Genband US LLC
    Inventors: Allain Legacy, Matthew Lorne Peters
  • Patent number: 8984157
    Abstract: Aspects of the invention are directed to a method and system for discovering business content transfer paths in a network using file transfer information, and for calculating business risk per network component in a network. A method according to an embodiment includes: obtaining file transfer information for a plurality of file transfers between a plurality of nodes within a network; generating a confidence of correlation for each pair of file transfers in the plurality of file transfers; determining interdependencies between the plurality of file transfers based on the confidence of correlation for each pair of file transfers; and determining a business content transfer path based on the interdependencies between the plurality of file transfers.
    Type: Grant
    Filed: July 18, 2012
    Date of Patent: March 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vedika Dalmia, Thomas I. Lewin, James W. Smith, Peter F. Weller
  • Patent number: 8976798
    Abstract: An approach for providing secure communication services is disclosed. A secure (e.g., a Virtual Private Network (VPN)) tunnel from a source node over an access network, such as a satellite network, to a destination node, wherein the nodes are external to the network. A connection that supports a mechanism for enhancing performance of the network is established for a portion of the secure tunnel that traverses the network.
    Type: Grant
    Filed: January 28, 2003
    Date of Patent: March 10, 2015
    Assignee: Hughes Network Systems, LLC
    Inventors: John Border, Douglas Dillon, Peter Pardee
  • Patent number: 8978126
    Abstract: A method at a computing client located behind a NAT and restrictive-access firewall, including establishing a control connection with a TCP TURN server utilizing a port capable of traversing the restrictive-access firewall; requesting an allocation of a client service identity from the TCP TURN server; and receiving, from the TCP TURN server, a response containing the client service identity, the client service identity being independent of any port used to communicate with the TCP TURN server. Further, a method at a TCP TURN server, including listening on a first port for communications from a computing client, the computing client being behind a restrictive-access firewall and the first port capable of traversing the restrictive-access firewall; establishing a control connection with the client on the first port; receiving a request for an allocation of a client service identity from the computing client; and sending a response containing the client service identity.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: March 10, 2015
    Assignee: BlackBerry Limited
    Inventors: Bruno Richard Preiss, Kaiduan Xie, Jonathan Hong-Man Sau
  • Patent number: 8973126
    Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communications through network address translation. The configuration includes receiving, by a computer device, a packet comprising a predetermined value indicating support by a node for an extension of a communications protocol, wherein the communications protocol is used for communications across a network translator device and the extension is capable of traversing network address translation, and in response to said receiving, determining that the node sending the packet supports the extension of the communications protocol.
    Type: Grant
    Filed: August 26, 2013
    Date of Patent: March 3, 2015
    Assignee: SSH Communications Security OYJ
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 8973127
    Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communications through network address translation. The configuration includes receiving, by a computer device, a packet comprising a predetermined value indicating support by a node for an extension of a communications protocol, wherein the communications protocol is used for communications across a network translator device and the extension is capable of traversing network address translation, and in response to said receiving, determining that the node sending the packet supports the extension of the communications protocol.
    Type: Grant
    Filed: August 26, 2013
    Date of Patent: March 3, 2015
    Assignee: SSH Communications Security Oyj
    Inventors: Tero Kivinen, Tatu Ylonen
  • Patent number: 8973089
    Abstract: Exemplary embodiments involve a computing system requesting and receiving a socket policy file from a policy file server via a secure socket connection, identifying that the security policy requires communicating with a content server via a secure socket connection, and communicating with the content server via a second secure socket connection. The socket policy file specifies a security policy governing socket connections to a content server over a transport protocol layer. Additional embodiments involve requesting a socket policy file via a non-secure socket connection, receiving (via the non-secure socket connection) a placeholder socket policy file requiring requests for socket policy files to be communicated via a secure socket connection, establishing a secure socket connection with the policy file server, and submitting a request for the socket policy file to the policy file server via the secure socket connection.
    Type: Grant
    Filed: August 8, 2011
    Date of Patent: March 3, 2015
    Assignee: Adobe Systems Incorporated
    Inventors: Magnus H. Ma, Rajesh K. Gwalani
  • Patent number: 8973142
    Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: March 3, 2015
    Assignee: Imperva, Inc.
    Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
  • Publication number: 20150058628
    Abstract: Some embodiments of the invention are directed to techniques for determining whether a process on a computer system that is sending or receiving data, or is attempting to send or receive data, with another computer system is executing in kernel mode or user mode and providing an indicator of this determination to a security engine. In some embodiments, such an indication is provided to a security engine (e.g., a firewall) that implements a security policy based at least in part on whether the sending or receiving process is in kernel mode or user mode, and filters communications based on a process' operating mode. This enables a security engine to maintain security policies of greater specificity and thus improve security of a computer system.
    Type: Application
    Filed: September 9, 2014
    Publication date: February 26, 2015
    Inventors: David Abzarian, Salahuddin Khan, Eran Yariv, Gerardo Diaz Cuellar
  • Publication number: 20150058921
    Abstract: Disclosed are systems and methods to provide application acceleration as a service. In one embodiment, a system includes a head office to serve an enterprise application comprised of a collaborative document. The system also includes a branch office to request the collaborative document from the head office. The enterprise application may also include a computed document and/or a static document. In addition, the system also includes a set of Point of Presence (POP) locations between the head office and the branch office to communicate the collaborative document, the computed document and the static document on behalf of the head office from a closest POP location to the head office to a closest POP location to the branch office and then onward to the branch office.
    Type: Application
    Filed: October 30, 2014
    Publication date: February 26, 2015
    Inventors: Rajeev Bharadhwaj, Ajit Gupta, Ashwath Nagaraj
  • Patent number: 8966632
    Abstract: A low resource mobile device, such as a smart phone or a tablet running a mobile operating system, requests a cloud computer system to inspect a mobile application for malicious content. The cloud computer system downloads the mobile application from a mobile application source, and installs the mobile application in a virtual machine sandbox. The cloud computer system inspects the mobile application for malicious content while the mobile application executes in the virtual machine sandbox. The result of the inspection is sent to the user in accordance with a setting that may be indicated in a cloud sandbox agent running on the mobile device.
    Type: Grant
    Filed: February 17, 2012
    Date of Patent: February 24, 2015
    Assignee: Trend Micro Incorporated
    Inventors: Huaide Huang, Shun-Fa Yang, Chung-Tsai Su, Geng Hwang Twu, Haoping Liu
  • Patent number: 8966598
    Abstract: A group video messaging method stores user information identifying authorized users of a video messaging system, and provides a user interface to the video messaging system. The user interface permits authorized users to transfer video files to the video messaging system for storage and retrieval, and to identify criteria for other authorized users to access each transferred video file. The method also stores in the video messaging system the video files transferred to the system by the authorized users; stores information identifying the user that transferred each stored video file to the video messaging system, and the criteria for authorized users to access the stored video files; and stores information identifying different groups of the authorized users and which of the stored video files are to be accessible to each of the authorized users or authorized user groups.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 24, 2015
    Assignee: LiveQoS Inc.
    Inventors: Ryan Brink, Pranay Kumar, Gregory Flatt, Desmond McNamee
  • Patent number: 8966589
    Abstract: Methods, systems, and computer-readable media for exception handling of interactive communications privileges governing interactive communications with entities outside a domain are disclosed. The interactive communications privileges may have been learned through domain administrator configuration or may have been self-learned without domain administrator input. The interactive communications privileges can be used to process interactive communications requests between entities inside a domain and entities outside the domain. Exceptions to the interactive communications privileges can be requested by user entities inside the domain for interactive communications with entities outside the domain. In this manner, if the interactive communications privileges are not sufficient according to user entities inside the domain, the user entities inside the domain can request exceptions for other interactive communications privileges with entities outside the domain.
    Type: Grant
    Filed: August 24, 2011
    Date of Patent: February 24, 2015
    Assignee: Avaya Inc.
    Inventor: John H. Yoakum
  • Patent number: 8966573
    Abstract: A method of operating a virtual computing system includes receiving at a security controller security data corresponding to a candidate virtual machine that is proposed to be included in a virtualization environment managed by a virtualization environment manager, comparing the security data of the candidate virtual machine to security data of other virtual machines in the virtualization environment, and in response to the comparison, recommending that the virtualization environment manager exclude the candidate virtual machine from the virtualization environment. Related systems and computer program products are disclosed.
    Type: Grant
    Filed: July 20, 2012
    Date of Patent: February 24, 2015
    Assignee: CA, Inc.
    Inventors: Nir Barak, Itzhak Fadida, Eitan Hadar
  • Patent number: 8966610
    Abstract: A data control system prevents non-point of sale devices (135, 155) from sending data over an external network (160) via a secure connection reserved for point of sale devices (125, 145), but allows non-point of sale devices (135, 155) to send data over the external network (160) other than via the secure connection. The secure connection is, for example, a virtual private network connection. The data control system may allow the data from non-point of sale devices (135, 155) to be sent only if it is not destined for a restricted destination. The restricted destination may be, for example, a payment host (170) or secure host (180) on the external network (160).
    Type: Grant
    Filed: November 5, 2008
    Date of Patent: February 24, 2015
    Assignee: Apriva, LLC
    Inventor: Paul D. Coppinger
  • Patent number: 8966584
    Abstract: A dynamic authentication broker is configured to process authentication requests received from a network access server formatted in any of a plurality of protocols and received over any of a plurality of ports. Processing authentication requests may include authenticating and/or authorizing a particular user, user device and/or network access server.
    Type: Grant
    Filed: December 18, 2007
    Date of Patent: February 24, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Jeffrey W. Hughes, Andrew L. Bates, Thomas C. Adams, Brent W. Maier
  • Patent number: 8966627
    Abstract: There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 24, 2015
    Assignee: Electronics and Telecommunications Research Institute
    Inventor: Seung Yong Yoon
  • Publication number: 20150052347
    Abstract: A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.
    Type: Application
    Filed: November 11, 2011
    Publication date: February 19, 2015
    Inventor: Michael T. Kain
  • Patent number: 8958292
    Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and exiting the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses. To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.
    Type: Grant
    Filed: July 6, 2011
    Date of Patent: February 17, 2015
    Assignee: Nicira, Inc.
    Inventors: Bryan J. Fulton, Pankaj Thakkar, Teemu Koponen, Peter J. Balland, III
  • Patent number: 8959613
    Abstract: A system for managing access to resources in a plurality of servers by a plurality of client computers by using an operating system independent Secure Shell (SSH) protocol running in each server and using a central policy database that centrally stores access rules which specify access to the servers for a plurality of users/accounts. Each time a target server receives a user request to establish an SSH session, it retrieves associated access rules from the central policy database to obtain the latest access rules. Based on the retrieved rules and the identity of the user and the identity of the client computer, the target server determines whether the user has permission to establish the SSH session with the target server. Using a centralized database and requiring the servers to always retrieve the latest access rules from a central database provides consistent application of the access rules across all servers and all client computers.
    Type: Grant
    Filed: June 18, 2009
    Date of Patent: February 17, 2015
    Assignee: Visa U.S.A. Inc.
    Inventors: Varun Goel, Robert Walsh
  • Patent number: 8959612
    Abstract: A secure interconnection system between two public networks comprises at least one first router, a first firewall, a second router, a second firewall and a blade server, and a first virtual local area network containing the data streams exchanged between a first communications facility and a second communications facility, a second virtual local area network containing the management and maintenance streams of said system which are exchanged between a supervision center and the blade server and a third virtual local area network containing the authentication streams for said first communications facility which are exchanged between the said second firewall and said blade server, said virtual local area networks being designed so as to exhibit an empty intersection.
    Type: Grant
    Filed: May 20, 2011
    Date of Patent: February 17, 2015
    Assignee: Thales
    Inventors: Suzanne DeBaille, Stéphane Touyet
  • Patent number: 8954727
    Abstract: A method includes controlling security in a communication system that involves a node capable of routing traffic according to one or more security algorithms with respective security levels. The node is adapted to estimate at least one safety degree relating to the node, to select at least one security algorithm of the one or more security algorithms, depending on the estimated safety degree; and to activate the at least one security algorithm.
    Type: Grant
    Filed: September 13, 2012
    Date of Patent: February 10, 2015
    Assignee: BlackBerry Limited
    Inventors: Pierre Lescuyer, Thierry Lucidarme
  • Patent number: 8954751
    Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.
    Type: Grant
    Filed: November 4, 2004
    Date of Patent: February 10, 2015
    Assignee: International Business Machines Corporation
    Inventor: William E. Hall
  • Patent number: 8955098
    Abstract: Techniques for configuring network security include obtaining non-packet flow information, evaluating a policy rule based on the obtained information, and proposing a security arrangement based on the evaluation. The non-packet flow information can include, for example, authentication information obtained during an Internet Key Exchange protocol session or information obtained from a layered service provider. Therefore, policies such as Internet Protocol security (IPsec) policies can be defined and implemented so that they more accurately reflect the network's security requirements.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: February 10, 2015
    Assignee: Intel Corporation
    Inventors: Victor B. Lortz, Ylian Saint-Hilaire, James L. Jason, Jr.
  • Patent number: 8955090
    Abstract: A SIP firewall defends an IMS network against SIP registration-based DoS/DDoS attacks by issuing fake authentication challenges when suspiciously high registration traffic is present. The fake authentication challenges include a predictive nonce that is to be used in the challenge response, thus forcing users to be state-aware and to issue the SIP registration requests from valid IP address in order to successfully respond to the fake authentication challenges. Upon confirming an association between the challenge response and the fake authentication challenges, the firewall opens a registration window to a protected node of the core network. In such manner, the firewall opens a registration window to (unauthenticated) legitimate users while stopping DDoS mode of registrations (or at least making them extremely difficult and costly) without impacting or involving the protected node.
    Type: Grant
    Filed: January 10, 2011
    Date of Patent: February 10, 2015
    Assignee: Alcatel Lucent
    Inventors: Thierry C. Bessis, Ashwin V. Rana
  • Patent number: 8955150
    Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.
    Type: Grant
    Filed: September 10, 2010
    Date of Patent: February 10, 2015
    Assignee: Fasoo.com Co. Ltd.
    Inventor: Chel Park
  • Patent number: 8954467
    Abstract: Systems and methods for sharing a file presented during a meeting are described. In some aspects, an operating system of a first client computing device of a presenter in an online meeting is monitored during the online meeting. The first client computing device of the presenter is engaged in screen sharing with a second client computing device of at least one other participant in the online meeting. Based on the monitoring, it is determined that one or more files accessible via the operating system are being presented in the online meeting. The one or more files are provided to a set of users in response to determining that the one or more files are being presented in the online meeting.
    Type: Grant
    Filed: November 29, 2012
    Date of Patent: February 10, 2015
    Assignee: Citrix Systems, Inc.
    Inventor: Bernd Oliver Christiansen
  • Patent number: 8955096
    Abstract: A computer-implemented method for filtering Internet access may include: 1) identifying a domain-name-system request from a client system, 2) identifying a filtering policy for the client system, 3) bundling the filtering policy with the domain-name-system request, and then 4) forwarding the bundled domain-name-system request to a domain-name-system server. Various other methods and systems are also disclosed.
    Type: Grant
    Filed: April 6, 2010
    Date of Patent: February 10, 2015
    Assignee: Symantec Corporation
    Inventors: George Stahl, Shaun Cooley
  • Patent number: 8955097
    Abstract: A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node status comprising reporting primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: February 10, 2015
    Assignee: McAfee, Inc.
    Inventors: David Andrew Bright, Michael James Silbersack, Aaron Christopher Bucher
  • Patent number: 8953801
    Abstract: A system and method is provided which allows multicast communications encrypted using IPSec protocol to be received by receivers in a network. In order to allow the receivers to receive the encrypted multicast communication, the address information of the received multicast communication is modified to appear as a unicast communication being transmitted directly to the address of the receiver, such that the receiver may then decrypt the received multicast communication using IPSec decryption capabilities or may, alternatively, forward the received multicast communication in its encrypted state to other devices. The system and method further provide IPSec encryption key delivery to the receiver using an encrypted markup language file. Multiple keys may also be generated for a given IP address of a receiver with each key being generated for a particular multicasting hierarchical classification.
    Type: Grant
    Filed: April 18, 2012
    Date of Patent: February 10, 2015
    Assignee: Hughes Network Systems, LLC
    Inventors: John K. Thomasson, Neil R. Terry, Matthew M. Davis, Myron L. Mosbarger
  • Patent number: 8949967
    Abstract: An information management apparatus includes a first control information setting unit that sets first control information for permitting use of information within a destination terminal to the information; a second control information setting unit that sets second control information for permitting the destination terminal to forward the information to the information; a displaying permitting unit that controls, when information set with the first control information is received from a source terminal, to permit the information to be used locally within an apparatus; and a forwarding permitting unit that controls, when information set with the second control information is received from a source terminal, to permit the information to be forwarded.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: February 3, 2015
    Assignee: Fujitsu Limited
    Inventor: Naoko Hayashida
  • Patent number: 8949947
    Abstract: A network system according to the present invention includes a service providing server that provides an application service, a user terminal used by a user when using the application service, and a proxy server intervening between the service providing server and the user terminal. The user terminal includes a whitelist for an application in which at least a URL of the proxy server is described. The user terminal accesses the service providing server over the network and provides an application service to the user by starting the application program. When an access request to a URL of an access target specified by the application program is made during the provision of the application service, the user terminal compares the URL of the access target with a URL described in the whitelist for the application.
    Type: Grant
    Filed: September 27, 2013
    Date of Patent: February 3, 2015
    Assignee: DeNA Co., Ltd.
    Inventors: Kenichi Takahashi, Sota Mizushima, Hideo Kimura, Hiroyuki Kawakami
  • Patent number: 8943308
    Abstract: An e-mail relay provides message filtering services to an e-mail network. The e-mail relay monitors incoming communication and intercepts e-mail messages. The e-mail relay compares attributes of the messages to data derived from SPAM messages, which are stored in a SPAM database. The e-mail relay restricts the delivery of messages based on the comparison such as by restricting the delivery of messages having attributes close to those of SPAM messages from the SPAM database. The SPAM database is constructed by responding to user or administrator indications as to whether received messages are SPAM messages.
    Type: Grant
    Filed: June 16, 2008
    Date of Patent: January 27, 2015
    Assignee: Axway Inc.
    Inventors: Jean-Christophe Bandini, Daryl Odnert, Dmitry Dolinsky
  • Patent number: 8942719
    Abstract: A method, system, and medium are provided for locating a lost mobile device utilizing a radio frequency signal associated with the lost mobile device. One embodiment of the method includes activating a signal on a lost mobile device. An identifier associated with the lost mobile device allows a locating mobile device to receive the signal from the lost mobile device and filter out interference. The strength of the signal is determined and a location of the lost mobile device is communicated to a user based on the strength of the signal.
    Type: Grant
    Filed: September 8, 2010
    Date of Patent: January 27, 2015
    Assignee: Sprint Communications Company L.P.
    Inventors: Caleb Sisson Hyde, Andrew Mark Wurtenberger, Clark Douglas Halferty
  • Patent number: 8943578
    Abstract: An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slid in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: January 27, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xiangyang Zhang, Xiaoyong Yi
  • Patent number: 8943562
    Abstract: The present invention is directed toward secure access systems. Specifically, a method and system is provided that enhances the security of unidirectional communication protocols used in access control systems, such as the Wiegand protocol. The enhancements may include obfuscation of data, two-way packet-mode communications, and blind synchronization of pseudo-random number generators.
    Type: Grant
    Filed: November 29, 2012
    Date of Patent: January 27, 2015
    Assignee: Assa Abloy AB
    Inventors: Scott B. Guthery, Mark Robinton, Michael Lawrence Davis, David Andresky
  • Patent number: 8938804
    Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprises TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.
    Type: Grant
    Filed: July 12, 2012
    Date of Patent: January 20, 2015
    Assignees: Telcordia Technologies, Inc., KDDI Corporation
    Inventors: Ravichander Vaidyanathan, Abhrajit Ghosh, Akira Yamada, Yukiko Sawaya, Ayumu Kubota
  • Patent number: 8938793
    Abstract: Secure management of electronic transactions is provided by a system server that is communicatively coupled to terminals configured as thin client devices (TCD) and to one or more application servers. A TCD completes a secure communications link with the system server, and transfers information concerning the identity of a user and account information from a secure transaction card (STC). Upon authentication, the system server drives the display of available applications at the TCD, allowing the user to select and engage in a desired transaction with the application server hosting the selected application. During the transaction, the system server brokers communications according to the different security schemes used by the TCD and the application server and, ultimately, stores a transaction ticket that memorializes the transaction. The transaction ticket can later be retrieved by presenting appropriate authentication information.
    Type: Grant
    Filed: October 3, 2007
    Date of Patent: January 20, 2015
    Assignee: GMX SAS
    Inventors: Michiel Reinier Ausems, Gerard Jean-Marie Eugene Compain, Gregoire Mardinian, Jean-Pierre Fortune, Benedict John Kahan, Olivier Yves Marie Condemine
  • Patent number: 8938790
    Abstract: A method and system for providing secure access to a remote file is disclosed. According to one embodiment, a portable memory device containing a secure desktop is provided to a user. The user has a user device that removably accepts the portable memory device. The user is allowed to securely access a dedicated storage of the cloud storage system that is created at a request from an administrator. The secure desktop runs independently from a user desktop of the user device. The user's access to a local storage of the user device is blocked while the secure desktop is running.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: January 20, 2015
    Assignee: Brainzsquare Inc.
    Inventors: Seon Geun Kang, Jeong Hwan Park
  • Patent number: 8938785
    Abstract: A wireless access point employs a wireless configuration database for retrieving a stored wireless profile corresponding to a subscriber device from a remote location that enables the user to establish an Internet connection using their subscriber device with the same network identifiers and settings employed from the home wireless profile. The network identifier is typically an SSID (Service Set Identification), and labels the wireless configuration using a mnemonic name familiar to the user. The wireless configuration also denotes authentication and security (passphrase) tokens required for access, and would therefore enable the user to sign on at the remote wireless access point using the passphrase already known from their home WiFi arrangement. Subsequent attempts automatically establish a connection to the subscriber device upon detection and authentication using the retrieved wireless profile without broadcasting an open SSID receivable by other wireless devices within range.
    Type: Grant
    Filed: June 8, 2012
    Date of Patent: January 20, 2015
    Assignee: Time Warner Cable Enterprises LLC
    Inventors: Brian Coughlin, John A. Chen
  • Patent number: 8935773
    Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data from continuing to the remote server when the determination is invalid.
    Type: Grant
    Filed: April 9, 2010
    Date of Patent: January 13, 2015
    Assignee: George Mason Research Foundation, Inc.
    Inventors: Angelos Stavrou, Sushil Jajodia, Anup Ghosh, Rhandi Martin, Charalampos Andrianakis
  • Publication number: 20150013000
    Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.
    Type: Application
    Filed: July 7, 2014
    Publication date: January 8, 2015
    Inventors: Tommi Linnakangas, Marko Teiste, Antti Huima, Tatu J. Ylonen