Abstract: A data control system prevents non-point of sale devices (135, 155) from sending data over an external network (160) via a secure connection reserved for point of sale devices (125, 145), but allows non-point of sale devices (135, 155) to send data over the external network (160) other than via the secure connection. The secure connection is, for example, a virtual private network connection. The data control system may allow the data from non-point of sale devices (135, 155) to be sent only if it is not destined for a restricted destination. The restricted destination may be, for example, a payment host (170) or secure host (180) on the external network (160).

Abstract: A dynamic authentication broker is configured to process authentication requests received from a network access server formatted in any of a plurality of protocols and received over any of a plurality of ports. Processing authentication requests may include authenticating and/or authorizing a particular user, user device and/or network access server.

Abstract: There are provided a method and apparatus for defending a Distributed Denial-of-Service (DDoS) attack through abnormally terminated sessions. The DDoS attack defending apparatus includes: a session tracing unit configured to parse collected packets, to extract header information from the collected packets, to trace one or more abnormally terminated sessions corresponding to one of pre-defined abnormally terminated session cases, based on the header information, and then to count the number of the abnormally terminated sessions; and an attack detector configured to compare the number of the abnormally terminated sessions to a predetermined threshold value, and to determine whether a DDoS attack has occurred, according to the results of the comparison. Therefore, it is possible to significantly reduce a false-positive rate of detection of a DDoS attack and the amount of computation for detection of a DDoS attack.

Abstract: A low resource mobile device, such as a smart phone or a tablet running a mobile operating system, requests a cloud computer system to inspect a mobile application for malicious content. The cloud computer system downloads the mobile application from a mobile application source, and installs the mobile application in a virtual machine sandbox. The cloud computer system inspects the mobile application for malicious content while the mobile application executes in the virtual machines sandbox. The result of the inspection is sent to the user in accordance with a setting that may be indicated in a cloud sandbox agent running on the mobile device.

Abstract: A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.

Abstract: A secure interconnection system between two public networks comprises at least one first router, a first firewall, a second router, a second firewall and a blade server, and a first virtual local area network containing the data streams exchanged between a first communications facility and a second communications facility, a second virtual local area network containing the management and maintenance streams of said system which are exchanged between a supervision center and the blade server and a third virtual local area network containing the authentication streams for said first communications facility which are exchanged between the said second firewall and said blade server, said virtual local area networks being designed so as to exhibit an empty intersection.

Abstract: Port security in some embodiments is a technique to apply to a particular port of a logical switching element such that the network data entering and existing the logical switching element through the particular logical port have certain addresses that the switching element has restricted the logical port to use. For instance, a logical switching element may restrict a particular logical port to one or more certain network addresses To enable a logical port of a logical switch for port security, the control application of some embodiments receives user inputs that designate a particular logical port and a logical switch to which the particular logical port belongs. The control application in some embodiments formats the user inputs into logical control plane data specifying the designation. The control application in some embodiments then converts the logical control plane data into logical forwarding data that specify port security functions.

Abstract: A system for managing access to resources in a plurality of servers by a plurality of client computers by using an operating system independent Secure Shell (SSH) protocol running in each server and using a central policy database that centrally stores access rules which specify access to the servers for a plurality of users/accounts. Each time a target server receives a user request to establish an SSH session, it retrieves associated access rules from the central policy database to obtain the latest access rules. Based on the retrieved rules and the identity of the user and the identity of the client computer, the target server determines whether the user has permission to establish the SSH session with the target server. Using a centralized database and requiring the servers to always retrieve the latest access rules from a central database provides consistent application of the access rules across all servers and all client computers.

Abstract: A computer-implemented method for filtering Internet access may include: 1) identifying a domain-name-system request from a client system, 2) identifying a filtering policy for the client system, 3) bundling the filtering policy with the domain-name-system request, and then 4) forwarding the bundled domain-name-system request to a domain-name-system server. Various other methods and systems are also disclosed.

Abstract: A SIP firewall defends an IMS network against SIP registration-based DoS/DDoS attacks by issuing fake authentication challenges when suspiciously high registration traffic is present. The fake authentication challenges include a predictive nonce that is to be used in the challenge response, thus forcing users to be state-aware and to issue the SIP registration requests from valid IP address in order to successfully respond to the fake authentication challenges. Upon confirming an association between the challenge response and the fake authentication challenges, the firewall opens a registration window to a protected node of the core network. In such manner, the firewall opens a registration window to (unauthenticated) legitimate users while stopping DDoS mode of registrations (or at least making them extremely difficult and costly) without impacting or involving the protected node.

Abstract: Systems and method for sharing a file presented during a meeting are described. In some aspects, an operating system of a first client computing device of a presenter in an online meeting is monitored during the online meeting. The first client computing device of the presenter is engaged in screen sharing with a second client computing device of at least one other participant in the online meeting. That one or more files accessible via the operating system are being presented in the online meeting is determined based on the monitoring. The one or more files are provided to a set of users in response to determining that the one or more files are being presented in the online meeting.

Abstract: A method includes controlling security in a communication system that involves a node capable of routing traffic according to one or more security algorithms with respective security levels. The node is adapted to estimate at least one safety degree relating to the node, to select at least one security algorithm of the one or more security algorithms, depending on the estimated safety degree; and to activate the at least one security algorithm.

Abstract: The present invention relates to an apparatus and a method for managing digital rights using virtualization technique, and more particularly to an apparatus and a method for enabling a user to access a desired text file in an independent area through a virtual machine corresponding to a licensed right for accessing the text file. The present invention comprises a virtual machine (VM) management unit for controlling a user access authorization function for accessing the text file in the area to which the virtualization technique is applied.

Abstract: Techniques for configuring network security include obtaining non-packet flow information, evaluating a policy rule based on the obtained information, and proposing a security arrangement based on the evaluation. The non-packet flow information can include, for example, authentication information obtained during an Internet Key Exchange protocol session or information obtained from a layered service provider. Therefore, policies such as Internet Protocol security (IPsec) policies can be defined and implemented so that they more accurately reflect the network's security requirements.

Abstract: A system and method is provided which allows multicast communications encrypted using IPSec protocol to be received by receivers in a network. In order to allow the receivers to receive the encrypted multicast communication, the address information of the received multicast communication is modified to appear as a unicast communication being transmitted directly to the address of the receiver, such that the receiver may then decrypt the received multicast communication using IPSec decryption capabilities or may, alternatively, forward the received multicast communication in its encrypted state to other devices. The system and method further provide IPSec encryption key delivery to the receiver using an encrypted markup language file. Multiple keys may also be generated for a given IP address of a receiver with each key being generated for a particular multicasting hierarchical classification.

Abstract: A firewall cluster comprises three or more firewall processing nodes, which report primary node status based on the reporting node's membership in a preexisting cluster. A controller uses the reported status to assign a primary node in the distributed firewall cluster. Reported primary node status includes reported primary node eligibility if the node is a member of a preexisting cluster, reported primary node status comprising reporting primary node ineligibility if the node is not a member of a preexisting cluster, reported primary node status if the node is a primary node in a preexisting cluster, and reported primary node eligibility in a node that has timed out.

Abstract: Techniques and apparatus for utilizing bits in a translation look aside buffer (TLB) table to identify and access security parameters to be used in securely accessing data are provided. Any type of bits in the TLB may be used, such as excess bits in a translated address, excess attribute bits, or special purpose bits added specifically for security purposes. In some cases, the security parameters may include an index into a key table for use in retrieving a set of one or more keys to use for encryption and/or decryption.

Abstract: An information management apparatus includes a first control information setting unit that sets first control information for permitting use of information within a destination terminal to the information; a second control information setting unit that sets second control information for permitting the destination terminal to forward the information to the information; a displaying permitting unit that controls, when information set with the first control information is received from a source terminal, to permit the information to be used locally within an apparatus; and a forwarding permitting unit that controls, when information set with the second control information is received from a source terminal, to permit the information to be forwarded.

Abstract: A network system according to the present invention includes a service providing server that provides an application service, a user terminal used by a user when using the application service, and a proxy server intervening between the service providing server and the user terminal. The user terminal includes a whitelist for an application in which at least a URL of the proxy server is described. The user terminal accesses the service providing server over the network and provides an application service to the user by starting the application program. When an access request to a URL of an access target specified by the application program is made during the provision of the application service, the user terminal compares the URL of the access target with a URL described in the whitelist for the application.

Abstract: An e-mail relay provides message filtering services to an e-mail network. The e-mail relay monitors incoming communication and intercepts e-mail messages. The e-mail relay compares attributes of the messages to data derived from SPAM messages, which are stored in a SPAM database. The e-mail relay restricts the delivery of messages based on the comparison such as by restricting the delivery of messages having attributes close to those of SPAM messages from the SPAM database. The SPAM database is constructed by responding to user or administrator indications as to whether received messages are SPAM messages.

Abstract: The present invention is directed toward secure access systems. Specifically, a method and system is provided that enhances the security of unidirectional communication protocols used in access control systems, such as the Wiegand protocol. The enhancements may include obfuscation of data, a two-way packet-mode communications, and blind synchronization of pseudo-random number generators.

Abstract: A method, system, and medium are provided for locating a lost mobile device utilizing a radio frequency signal associated with the lost mobile device. One embodiment of the method includes activating a signal on a lost mobile device. An identifier associated with the lost mobile device allows a locating mobile device to receive the signal from the lost mobile device and filter out interference. The strength of the signal is determined and a location of the lost mobile device is communicated to a user based on the strength of the signal.

Abstract: An apparatus comprising a processor configured to implement an anti-replay check for a plurality of received packets and a plurality of corresponding sequence numbers; and a circular buffer coupled to the processor and comprising a bitmap, wherein the bitmap is slided in a circular manner by updating a low index that points to a first sequence number for a first received packet and a high index that points to a last sequence number for a last received packet without bit-shifting, and wherein, when the update results in the new value of one of the low index and the high index exceeding the end of the circular buffer, the one of the low index and the high index wraps around from the beginning of the circular buffer.

Abstract: Secure management of electronic transactions is provided by a system server that is communicatively coupled to terminals configured as thin client devices (TCD) and to one or more application servers. A TCD completes a secure communications link with the system server, and transfers information concerning the identity of a user and account information from a secure transaction card (STC). Upon authentication, the system server drives the display of available applications at the TCD, allowing the user to select and engage in a desired transaction with the application server hosting the selected application. During the transaction, the system server brokers communications according to the different security schemes used by the TCD and the application server and, ultimately, stores a transaction ticket that memorializes the transaction. The transaction ticket can later be retrieved by presenting appropriate authentication information.

Abstract: A method and system for providing secure access to a remote file is disclosed. According to one embodiment, a portable memory device containing a secure desktop is provided to a user. The user has a user device that removably accepts the portable memory device. The user is allowed to securely access a dedicated storage of the cloud storage system that is created at a request from an administrator. The secure desktop runs independently from a user desktop of the user device. The user's access to a local storage of the user device is blocked while the secure desktop is running.

Abstract: A wireless access point employs a wireless configuration database for retrieving a stored wireless profile corresponding to a subscriber device from a remote location that enables the user to establish an Internet connection using their subscriber device with the same network identifiers and settings employed from the home wireless profile. The network identifier is typically an SSID (Service Set Identification), and labels the wireless configuration using a mnemonic name familiar to the user. The wireless configuration also denotes authentication and security (passphrase) tokens required for access, and would therefore enable the user to sign on at the remote wireless access point using the passphrase already known from their home WiFi arrangement. Subsequent attempts automatically establishing a connection to the subscriber device upon detection and authentication using the retrieved wireless profile without broadcasting an open SSID receivable by other wireless devices within range.

Abstract: An inventive system and method for creating source profiles to detect spoofed traffic comprises obtaining a routing path for data to traverse nodes using traffic profiles, each routing path comprising at least a target AS, initializing one or more AS sets with last hop ASes, enhancing the AS sets by connecting the AS sets to routers, for each enhanced AS set, filtering observed traffic flows, and using the filtered flows to associate enhanced AS sets with network monitoring points to create the source profiles. In one aspect, filtering flows comprise TCP session filtering and/or destination bogon filtering. In one aspect, the routers are border gateway protocol routers. In one aspect, the last hop ASes are one hop away from the target AS.

Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid.

Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.

Abstract: A computer implemented method for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.

Abstract: There is provided a method for optimizing a download of requested data to an electronic data processing unit that is currently receiving unrequested multicast data through a router included in a network. The unrequested multicast data corresponds to at least one multicast data group. Internet Group Management Protocol (IGMP) V2 Leave Messages are sent to the router for the at least one multicast data group. IGMP Membership Queries issued by the router for the at least one multicast data group are ignored, so as to cause the router to terminate a transmission of the unrequested multicast data to free up available bandwidth for the download of the requested data.

Abstract: A computer implemented method and computer program product for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.

Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.

Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.

Abstract: A method for encrypting print jobs that includes receiving output data, encrypting the output data with a randomly-generated symmetric session key, generating a session key header by encrypting the randomly-generated symmetric session key using an asymmetric user public key, and encrypting the session key header using a server public key.

Abstract: In one implementation, a hub and spoke network is made up of hub network devices and spoke network devices. A security protocol channel is established between the hub and at least a first spoke. The hub receives a resolution request from the first spoke via the security protocol channel. The resolution request includes data indicative of a second endpoint. The hub queries a next hop client database for a WAN address of the second endpoint. The first endpoint and the second endpoint are geographically separated nodes of the same enterprise network. The hub sends a resolution reply to the first endpoint including the WAN address for the second endpoint. The hub also sends a message to the second endpoint including a WAN address of the first endpoint and a summary of the data packet received at the first endpoint.

Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communications through network address translation. The configuration includes transmitting, by a first computer device, a packet that includes a predetermined value indicating that the first computer device supports an extension of a communications protocol, wherein the communications protocol is used for communications across a network translator device and the extension is capable of traversing network address translation.

Abstract: An information processing apparatus for determining whether or not to transmit a predetermined content to a reception apparatus connected to a network, in accordance with a response time taken to respond to a predetermined command, including: reception means receiving a response to a command; measuring means measuring the response time to the command; authentication means authenticating the reception apparatus; generation means generating authentication data to be inserted into the command; transmission means transmitting the command including predetermined one of the authentication data; storage means storing the authentication data contained in the command and the response data contained in the response; request means requesting the reception apparatus for transmission of the authentication data and the response data; and determination means determining whether the authentication data and the response data transmitted from the reception apparatus, and determining transmission permission/inhibition of a cont

Abstract: Techniques for integrating a security protocol in an application include receiving a web protocol request generated by the application at an interceptor, the interceptor configured to read and write the web protocol request; receiving a selection of a role comprising one or more validation aspects and a plurality of extended application components; based on reading the web protocol request, retrieving configuration data associated with the web protocol request; adding the plurality of extended application components using the configuration data; and executing the web protocol in the application using the selected role.

Abstract: Terminal certification means of a communication terminal manages a content and certification information on the content in association with each other. Upon access to a server associated with the execution of the content, request means sends the server a request including certification information associated with the content. In response to the request from the communication terminal, the server uses server certification means to certify the request. Access control means performs access control based on policy information stored in policy information storage means.

Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communicating by a computer device with another computer device wherein network address translation that translate address information in packet headers can occur between the computer devices, and revealing, by the computer device to the other computer device, address information as seen by the computer device on its side of the network address translation, by including in a payload of a packet transmitted to the other computer device, an encoding of the address information as seen by the computer device.

Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for revealing occurrence of network address translation by receiving a packet that includes an encoding of a source port number and then determining whether a network address translation occurred on the packet by comparing the source port number against a predetermined port number.

Abstract: A system capable of automated mapping between a connectivity request and an ordered security rule-set and a method of operating thereof. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automated recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automated evaluating relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automated classifying, in accordance with evaluation results, the at least one connectivity request with respect to the at least one rules and/or vice versa.

Abstract: A technique that simplifies managing and configuring firewalls by provisioning a vendor-neutral firewall in an MPLS-VPN service network. In one example embodiment, this is accomplished by creating a vendor-neutral firewall policy using a service activation tool residing in a host server. One of the one or more VPNs requiring the provisioning of the vendor-neutral firewall in the MPLS-VPN service network is then selected. The created vendor-neutral firewall policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the one or more VPNs.

Abstract: Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. A messaging service firewall (MSF) separate from a short message service center (SMSC) receives a mobility management reply message (MMR) that is sent by a mobile location register element in response to an associated mobility management query (MMQ) and that includes a serving switch identifier. The MSF allocates a global title address (GTA) from a pool of GTAs and stores a correlation between the allocated GTA and the originating SMSC. The MSF replaces the serving switch identifier in the MMR with the allocated GTA and routes the modified MMR. The MSF then receives a messaging service message (MSM) that is addressed to the allocated GTA and that includes the purported originating SMSC. If the purported originating SMSC does not match the SMSC to which the GTA is correlated, the MSM is discarded.

Abstract: In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource.

Abstract: This invention relates to the area of Mobility and Handover between heterogeneous wireless networks. The scope of the invention also covers the case when the UE is capable of accessing both the WLAN and EUTRAN access systems simultaneously and also the case where the UE is not capable of accessing both the WLAN and EUTRAN access systems simultaneously. This invention provides a system and method to perform Mobility between the access systems with optimized authentication procedure using security context transfer between the access systems and also minimize the data loss by buffering the data during the handover. More specifically, this invention provides a system and method to support handover between the I-WLAN and the EUTRAN access systems.

Abstract: Described are a secure geo-location obscurity network and ingress nodes, transit nodes and egress nodes used in such a network. In particular, a novel device is provided and comprises: a node for a network, the node comprising: a private portion for allowing high bandwidth secure private traffic to be received and transmitted by the node on a private pathway through the node; and a public portion for allowing low bandwidth secure public traffic to be received and transmitted by the node on a plurality of public pathways through the node.

Abstract: A method and apparatus for directing a client to establish a secure connection with a server across a public network. The server and the client exchange a Server Authentication Public Key, a Client Authentication Public Key, and a Remote Service Unique Identifier (RSUID) during a registration process. In one embodiment, the method includes the client transmitting to the server a client information package having the RSUID and a client challenge information package encrypted with the Server Authentication Public Key, the client receiving from the server a server information package having the RSUID and a server challenge information package and a portion of the received client challenge information encrypted with the Client Authentication Public Key, the client decrypting and verifying the server challenge information package with the Client Authentication Private Key, and, the client transmitting to the server an encrypted portion of the received client challenge information.

Abstract: A method and apparatus for a non-revealing do-not-contact list system in which a do-not-contact list of one-way hashed consumer contact information is provided to a set of one or more entities. The set of entities determine whether certain consumers wish to be contacted with the do-not-contact list without discovering actual consumer contact information.