Security Protocols Patents (Class 726/14)
-
Patent number: 8931047
Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
Type: Grant
Filed: June 6, 2013
Date of Patent: January 6, 2015
Assignee: Stateless Networks, Inc.
Inventors: Kelly Wanser, Andreas Markos Antonopoulos
-
Patent number: 8931075
Abstract: A computer implemented method and computer program product for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.
Type: Grant
Filed: April 18, 2013
Date of Patent: January 6, 2015
Assignee: International Business Machines Corporation
Inventors: Adekunle Bello, Radhika Chirra, Venkat Venkatsubra, Aruna Yedavilli
-
Patent number: 8931076
Abstract: A computer implemented method for obtaining a secure route. A trusted host sets a node security association for a trusted host. The trusted host receives, at the trusted host, a client communication request directed to a destination host. The trusted host builds a secure route query comprising a trusted host address, a destination host address, and at least one security level, to form at least one secure route. The trusted host sends packets from the trusted host to the destination host based on the at least one secure route. The packets are responsive to the client communication request, and the packets each have a security label that matches the security level.
Type: Grant
Filed: April 18, 2013
Date of Patent: January 6, 2015
Assignee: International Business Machines Corporation
Inventors: Adekunle Bello, Radhika Chirra, Venkat Venkatsubra, Aruna Yedavilli
-
Patent number: 8931046
Abstract: A method and apparatus that secures a dynamic virtualized network is described. In an exemplary embodiment, a device learns a current network policy of the dynamic virtualized network, where the dynamic virtualized network is a virtualized layer 2 network that is overlaid on a layer 3 physical network. In addition, the current network policy includes multiple network policy elements, where each of the multiple network policy elements identifies an authorized endpoint in the dynamic virtualized network. Furthermore, the layer 3 physical network includes multiple network access devices. The device further determines a network security policy for the dynamic virtualized network from the current network policy. The network security policy includes one or more second network policy elements that are a different network policy element than one of the multiple network policy elements of the current network policy.
Type: Grant
Filed: March 15, 2013
Date of Patent: January 6, 2015
Assignee: Stateless Networks, Inc.
Inventors: Kelly Wanser, Andreas Markos Antonopoulos
-
Patent number: 8931085
Abstract: There is provided a method for optimizing a download of requested data to an electronic data processing unit that is currently receiving unrequested multicast data through a router included in a network. The unrequested multicast data corresponds to at least one multicast data group. Internet Group Management Protocol (IGMP) V2 Leave Messages are sent to the router for the at least one multicast data group. IGMP Membership Queries issued by the router for the at least one multicast data group are ignored, so as to cause the router to terminate a transmission of the unrequested multicast data to free up available bandwidth for the download of the requested data.
Type: Grant
Filed: August 8, 2003
Date of Patent: January 6, 2015
Assignee: Thomson Licensing
Inventor: William Henry Yost
-
Patent number: 8924709
Abstract: A method for encrypting print jobs that includes receiving output data, encrypting the output data with a randomly-generated symmetric session key, generating a session key header by encrypting the randomly-generated symmetric session key using an asymmetric user public key, and encrypting the session key header using a server public key.
Type: Grant
Filed: December 31, 2012
Date of Patent: December 30, 2014
Assignee: Lexmark International, Inc.
Inventors: Forrest Steely, Albert Tyler Barnett
-
Publication number: 20140380460
Abstract: In one implementation, a hub and spoke network is made up of hub network devices and spoke network devices. A security protocol channel is established between the hub and at least a first spoke. The hub receives a resolution request from the first spoke via the security protocol channel. The resolution request includes data indicative of a second endpoint. The hub queries a next hop client database for a WAN address of the second endpoint. The first endpoint and the second endpoint are geographically separated nodes of the same enterprise network. The hub sends a resolution reply to the first endpoint including the WAN address for the second endpoint. The hub also sends a message to the second endpoint including a WAN address of the first endpoint and a summary of the data packet received at the first endpoint.
Type: Application
Filed: June 24, 2013
Publication date: December 25, 2014
Inventors: Pranav Bhalerao, Sunil Nr, Chandra Balaji
-
Patent number: 8918858
Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communications through network address translation. The configuration includes transmitting, by a first computer device, a packet that includes a predetermined value indicating that the first computer device supports an extension of a communications protocol, wherein the communications protocol is used for communications across a network translator device and the extension is capable of traversing network address translation.
Type: Grant
Filed: August 28, 2013
Date of Patent: December 23, 2014
Assignee: SSH Communications Security OYJ
Inventors: Tero Kivinen, Tatu Ylonen
-
Patent number: 8918889
Abstract: An information processing apparatus for determining whether or not to transmit a predetermined content to a reception apparatus connected to a network, in accordance with a response time taken to respond to a predetermined command, including: reception means receiving a response to a command; measuring means measuring the response time to the command; authentication means authenticating the reception apparatus; generation means generating authentication data to be inserted into the command; transmission means transmitting the command including predetermined one of the authentication data; storage means storing the authentication data contained in the command and the response data contained in the response; request means requesting the reception apparatus for transmission of the authentication data and the response data; and determination means determining whether the authentication data and the response data transmitted from the reception apparatus, and determining transmission permission/inhibition of a cont
Type: Grant
Filed: May 31, 2005
Date of Patent: December 23, 2014
Assignee: Sony Corporation
Inventor: Hisato Shima
-
Publication number: 20140373130
Abstract: Techniques for integrating a security protocol in an application include receiving a web protocol request generated by the application at an interceptor, the interceptor configured to read and write the web protocol request; receiving a selection of a role comprising one or more validation aspects and a plurality of extended application components; based on reading the web protocol request, retrieving configuration data associated with the web protocol request; adding the plurality of extended application components using the configuration data; and executing the web protocol in the application using the selected role.
Type: Application
Filed: June 18, 2013
Publication date: December 18, 2014
Inventors: Anderson Santana de Oliveira, Jakub Sendor, Gabriel Serme, Yann Lehmann
-
Patent number: 8914873
Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for communicating by a computer device with another computer device wherein network address translation that translates address information in packet headers can occur between the computer devices, and revealing, by the computer device to the other computer device, address information as seen by the computer device on its side of the network address translation, by including in a payload of a packet transmitted to the other computer device, an encoding of the address information as seen by the computer device.
Type: Grant
Filed: August 28, 2013
Date of Patent: December 16, 2014
Assignee: SSH Communications Security OYJ
Inventors: Tero Kivinen, Tatu Ylonen
-
Patent number: 8914872
Abstract: A method, apparatus, and computer-readable media are presented that provide a configuration for revealing occurrence of network address translation by receiving a packet that includes an encoding of a source port number and then determining whether a network address translation occurred on the packet by comparing the source port number against a predetermined port number.
Type: Grant
Filed: August 26, 2013
Date of Patent: December 16, 2014
Assignee: SSH Communications Security Oyj
Inventors: Tero Kivinen, Tatu Ylonen
-
Patent number: 8914841
Abstract: A system capable of automated mapping between a connectivity request and an ordered security rule-set and a method of operating thereof. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automated recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automated evaluating relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automated classifying, in accordance with evaluation results, the at least one connectivity request with respect to the at least one rule and/or vice versa.
Type: Grant
Filed: November 23, 2011
Date of Patent: December 16, 2014
Assignee: Tufin Software Technologies Ltd.
Inventor: Reuven Harrison
-
Patent number: 8914905
Abstract: Terminal certification means of a communication terminal manages a content and certification information on the content in association with each other. Upon access to a server associated with the execution of the content, request means sends the server a request including certification information associated with the content. In response to the request from the communication terminal, the server uses server certification means to certify the request. Access control means performs access control based on policy information stored in policy information storage means.
Type: Grant
Filed: October 5, 2010
Date of Patent: December 16, 2014
Assignee: NEC Corporation
Inventors: Gen Okuyama, Yoshinori Miyamoto, Takuya Murakami
-
Patent number: 8914868
Abstract: A technique that simplifies managing and configuring firewalls by provisioning a vendor-neutral firewall in an MPLS-VPN service network. In one example embodiment, this is accomplished by creating a vendor-neutral firewall policy using a service activation tool residing in a host server. One of the one or more VPNs requiring the provisioning of the vendor-neutral firewall in the MPLS-VPN service network is then selected. The created vendor-neutral firewall policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the one or more VPNs.
Type: Grant
Filed: March 3, 2006
Date of Patent: December 16, 2014
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Prasanna Anantharamiah, Venkata Raghavan Chekka, Jimmi Skaria, Vinodh T K Kumar
-
Patent number: 8908864
Abstract: Systems, methods, and computer readable media for detecting and mitigating address spoofing in messaging service transactions are disclosed. A messaging service firewall (MSF) separate from a short message service center (SMSC) receives a mobility management reply message (MMR) that is sent by a mobile location register element in response to an associated mobility management query (MMQ) and that includes a serving switch identifier. The MSF allocates a global title address (GTA) from a pool of GTAs and stores a correlation between the allocated GTA and the originating SMSC. The MSF replaces the serving switch identifier in the MMR with the allocated GTA and routes the modified MMR. The MSF then receives a messaging service message (MSM) that is addressed to the allocated GTA and that includes the purported originating SMSC. If the purported originating SMSC does not match the SMSC to which the GTA is correlated, the MSM is discarded.
Type: Grant
Filed: October 5, 2012
Date of Patent: December 9, 2014
Assignee: Tekelec Netherlands Group, B.V.
Inventor: Eloy Johan Lambertus Nooren
-
Patent number: 8910270
Abstract: In some embodiments of the invention, techniques may make private identifiers for private network resources usable to establish connections to those private network resources from computing devices connected to an outside network. For example, when a computing device is connected to an outside network and attempting to contact a private network resource, DNS may be used to resolve a domain name for the private network resource to an IP address for an edge resource of the private network. Communications may be passed between the computing device and the edge resource according to protocols which embed the identifier originally used to identify the private network resource. The edge resource of the private network may analyze communications over the connection to determine this identifier, and use it to pass the communication to the desired private network resource.
Type: Grant
Filed: January 20, 2009
Date of Patent: December 9, 2014
Assignee: Microsoft Corporation
Inventors: Nir Nice, Amit Finkelstein, Dror Kremer, Noam Ben-Yochanan, Shyam Seshadri
-
Patent number: 8910271
Abstract: This invention relates to the area of Mobility and Handover between heterogeneous wireless networks. The scope of the invention also covers the case when the UE is capable of accessing both the WLAN and EUTRAN access systems simultaneously and also the case where the UE is not capable of accessing both the WLAN and EUTRAN access systems simultaneously. This invention provides a system and method to perform Mobility between the access systems with optimized authentication procedure using security context transfer between the access systems and also minimize the data loss by buffering the data during the handover. More specifically, this invention provides a system and method to support handover between the I-WLAN and the EUTRAN access systems.
Type: Grant
Filed: October 27, 2006
Date of Patent: December 9, 2014
Assignee: Samsung Electronics Co., Ltd
Inventors: Rajavelsamy Rajadurai, Venkateswar Jeedigunta, Rahul Suhas Vaidya, O-Sok Song, Sung-Ho Choi
-
Patent number: 8904515
Abstract: A system and method for controlling, by an outside entity, one or more devices associated with a location. A representative embodiment of the system architecture comprises an internal computer system through which a device may be remotely controlled by the outside entity during a communication session between the outside entity and the internal computer system through an external computer network. The external computer network can be the Internet. When the outside entity is requested to control the device, the outside entity's identity information is authenticated before the communication session is established.
Type: Grant
Filed: November 4, 2011
Date of Patent: December 2, 2014
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Samuel N. Zellner, Mark J. Enzmann, Robert T. Moton, Jr.
-
Patent number: 8904178
Abstract: A method and apparatus for directing a client to establish a secure connection with a server across a public network. The server and the client exchange a Server Authentication Public Key, a Client Authentication Public Key, and a Remote Service Unique Identifier (RSUID) during a registration process. In one embodiment, the method includes the client transmitting to the server a client information package having the RSUID and a client challenge information package encrypted with the Server Authentication Public Key, the client receiving from the server a server information package having the RSUID and a server challenge information package and a portion of the received client challenge information encrypted with the Client Authentication Public Key, the client decrypting and verifying the server challenge information package with the Client Authentication Private Key, and, the client transmitting to the server an encrypted portion of the received client challenge information.
Type: Grant
Filed: September 26, 2007
Date of Patent: December 2, 2014
Assignee: International Business Machines Corporation
Inventors: Mark F. Wilding, Randall W. Horman
-
Patent number: 8904036
Abstract: Described are a secure geo-location obscurity network and ingress nodes, transit nodes and egress nodes used in such a network. In particular, a novel device is provided and comprises: a node for a network, the node comprising: a private portion for allowing high bandwidth secure private traffic to be received and transmitted by the node on a private pathway through the node; and a public portion for allowing low bandwidth secure public traffic to be received and transmitted by the node on a plurality of public pathways through the node.
Type: Grant
Filed: December 7, 2010
Date of Patent: December 2, 2014
Assignee: Chickasaw Management Company, LLC
Inventors: James Andrew Reynolds, Philip Desch, Brett Burley, Gene Ward, Joe Kenny, Michael Howland, Christopher Allen Howland
-
Patent number: 8904486
Abstract: A method, system and computer program product for autonomic security configuration may include controlling a security configuration of at least one resource forming a solution based on a plurality of security requirements. The method may further include applying the plurality of security requirements across a plurality of resources independent of a resource type.
Type: Grant
Filed: May 19, 2005
Date of Patent: December 2, 2014
Assignee: International Business Machines Corporation
Inventors: Kumar Bhaskaran, Tian Chao, Rainer Kerth, Frederick Y. Wu
-
Patent number: 8904490
Abstract: A method and apparatus for a non-revealing do-not-contact list system in which a do-not-contact list of one-way hashed consumer contact information is provided to a set of one or more entities. The set of entities determine whether certain consumers wish to be contacted with the do-not-contact list without discovering actual consumer contact information.
Type: Grant
Filed: May 10, 2011
Date of Patent: December 2, 2014
Assignee: Unspam, LLC
Inventor: Matthew B. Prince
-
Patent number: 8903836
Abstract: A system and method is disclosed which enables network administrators and the like to quickly analyze the data produced by log-producing devices such as network firewalls and routers. Unlike systems of the prior art, the system disclosed herein automatically parses and summarizes log data before inserting it into one or more databases. This greatly reduces the volume of data stored in the database and permits database queries to be run and reports generated while many types of attempted breaches of network security are still in progress. Database maintenance may also be accomplished automatically by the system to delete or archive old log data.
Type: Grant
Filed: July 30, 2012
Date of Patent: December 2, 2014
Assignee: TIBCO Software Inc.
Inventors: Jason Michael DeStefano, Thomas Hunt Schabo Grabowski
-
Patent number: 8903094
Abstract: The invention concerns a cryptographic key distribution system comprising a server node, a repeater network connected to the server node through a quantum channel, and a client node connected to the repeater network through a quantum channel; wherein in use: the repeater network and the client node cooperatively generate a transfer quantum key which is supplied to a system subscriber by the client node; the server node and the repeater network cooperatively generate a link quantum key; the repeater network encrypts the link quantum key based on the transfer quantum key and sends the encrypted link quantum key to the system subscriber through a public communication channel; the server node encrypts a traffic cryptographic key based on the link quantum key and a service authentication key and sends the encrypted traffic cryptographic key to the system subscriber through a public communication channel.
Type: Grant
Filed: August 3, 2012
Date of Patent: December 2, 2014
Assignee: Selex Sistemi Integrati S.p.A.
Inventor: Fabio Antonio Bovino
-
Publication number: 20140351920
Abstract: Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private.
Type: Application
Filed: May 27, 2014
Publication date: November 27, 2014
Inventors: Habib Madani, Sameer Siddiqui, Faisal Azizullah, Adnan Ashraf
-
Publication number: 20140351923
Abstract: Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private.
Type: Application
Filed: May 27, 2014
Publication date: November 27, 2014
Inventors: Habib Madani, Sameer Siddiqui, Faisal Azizullah, Adnan Ashraf
-
Publication number: 20140351921
Abstract: Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private.
Type: Application
Filed: May 27, 2014
Publication date: November 27, 2014
Inventors: Habib Madani, Sameer Siddiqui, Faisal Azizullah, Adnan Ashraf
-
Publication number: 20140351590
Abstract: A network device is provided. The network device is connected to a number of slave network devices. Each slave network device communicates with the network device by using an Internet protocol (IP) address. The network device includes an Internet protocol security (IPsec) module and a network address translation (NAT) module. The IPsec module establishes an IPsec tunnel to a network gateway in the Internet and retrieves an IPsec IP address corresponding to the IPsec tunnel. The NAT module converts the IP addresses of the slave network devices to the IPsec IP address, such that the slave network devices use the IPsec IP address to communicate with the network gateway through the IPsec tunnel.
Type: Application
Filed: March 25, 2014
Publication date: November 27, 2014
Applicant: Sercomm Corporation
Inventor: Chia-Hao Lien
-
Publication number: 20140351922
Abstract: Method and Apparatus for rapid scalable unified infrastructure system management platform are disclosed by discovery of compute nodes, network components across data centers, both public and private for a user; assessment of type, capability, VLAN, security, virtualization configuration of the discovered unified infrastructure nodes and components; configuration of nodes and components covering add, delete, modify, scale; and rapid roll out of nodes and components across data centers both public and private.
Type: Application
Filed: May 27, 2014
Publication date: November 27, 2014
Inventors: Habib Madani, Sameer Siddiqui, Faisal Azizullah, Adnan Ashraf
-
Patent number: 8898451
Abstract: A method for efficiently decrypting asymmetric SSL pre-master keys is divided into a key agent component that runs in user mode, and an SSL driver running in kernel mode. The key agent can take advantage of multiple threads for decoding keys in a multi-processor environment, while the SSL driver handles the task of symmetric decryption of the SSL encrypted data stream. The method is of advantage in applications such as firewalls with deep packet inspection in which all encrypted data traffic passing through the firewall must be decrypted for inspection.
Type: Grant
Filed: August 21, 2013
Date of Patent: November 25, 2014
Assignee: Trend Micro Incorporated
Inventors: Dale Sabo, Gerrard Eric Rosenquist
-
Patent number: 8898780
Abstract: Methods, servers, and systems for encoding security labels in a dynamic language value to allow cross script communications within client application while limiting the types of information that is allowed to be communicated back to a host server. Static analysis is performed during compilation, and the results are used to generate and insert additional code that updates, modifies and propagates labels (e.g., JavaScript labels) attached to values (e.g., JavaScript values) during execution of a program. To support popular language features that allow for strong integration with other web-based systems, malicious code is allowed to perform operations locally (e.g., on the client), and a detection and prevention mechanism identifies and stops malicious code from sending requests or gathered information over the network, neutralizing attacks and improving the security of applications that embed dynamic language code.
Type: Grant
Filed: February 17, 2012
Date of Patent: November 25, 2014
Assignee: QUALCOMM Incorporated
Inventors: Christoph Kerschbaumer, Mohammad H. Reshadi
-
Patent number: 8898729
Abstract: Embodiments of the present invention disclose a method and an apparatus for security algorithm selection processing, a network entity, and a communication system. The method includes: receiving a service request message sent by user equipment; and according to a security protection requirement of the service request message, selecting a security algorithm from a security algorithm list supported by both the user equipment and a network entity, where security algorithm lists supported by the user equipment and/or the network entity are set separately based on different security protection requirements, or security algorithm lists supported by the user equipment and the network entity are used for indicating security capability of the user equipment and the network entity respectively.
Type: Grant
Filed: October 3, 2011
Date of Patent: November 25, 2014
Assignee: Huawei Technologies Co., Ltd.
Inventors: Aiqin Zhang, Jing Chen, Yi Yang
-
Patent number: 8893261
Abstract: One embodiment of the present invention provides a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.
Type: Grant
Filed: September 27, 2012
Date of Patent: November 18, 2014
Assignee: VMware, Inc.
Inventors: Alexander Fainkichen, Craig Newell
-
Patent number: 8893258
Abstract: An example method includes forwarding user credentials from a virtual machine in a distributed virtual switch (DVS) network environment to a network element outside the DVS network environment, receiving a user policy from the AAA server, and facilitating enforcement of the user policy within the DVS network environment. The user credentials may relate to a user attempting to access the VM. In a specific embodiment, the user credentials are provided in a 802.1X packet. In a particular embodiment, a network access control (NAC) in the DVS network environment forwards the user credentials, receives the user policy, and facilitates the enforcement of the user policy. In one embodiment, the NAC is provisioned as another VM in the DVS network environment.
Type: Grant
Filed: June 11, 2012
Date of Patent: November 18, 2014
Assignee: Cisco Technology, Inc.
Inventors: Sudarshana Kandachar Sridhara Rao, Lilian Sylvia Fernandes
-
Patent number: 8893256
Abstract: A system and method that provides for protection of a CPU of a router, by establishing a management port on a router. Hosts which are connected to non-management ports of the router are denied access to management functions of a CPU of the router. The system and method can utilize an application specific integrated circuit, in conjunction with a CAM-ACL, which analyzes data packets received on the ports of the router, and the ASIC operates to drop data packets which are directed to the CPU of the router. This system and method operates to filter data packets which may be generated in attempts to hack into control functions of a network device, and the operation does not require that the CPU analyze all received data packets in connection with determining access to the control functions of the router.
Type: Grant
Filed: June 30, 2010
Date of Patent: November 18, 2014
Assignee: Brocade Communications Systems, Inc.
Inventors: Ronald W. Szeto, Philip Kwan, Raymond Wai-Kit Kwong
-
Patent number: 8893293
Abstract: Credentials sent over a back channel during the authentication of a user to a RESTful service can elevate the trust the recipient system can place in the user's identity. The addition of an identity credential of higher strength can increase confidence in user identities electronically presented with a lower strength credential.
Type: Grant
Filed: March 15, 2013
Date of Patent: November 18, 2014
Assignee: Jericho Systems Corporation
Inventors: Timothy Schmoyer, Michael Dufel, David Staggs, Vijayababu Subramanium
-
Patent number: 8887265
Abstract: A proxy device such as a firewall uses an internal socket namespace, such as a text string, such that connection requests must be explicitly redirected to a listening socket in the alternate namespace in order to connect to a service. Because external connections cannot directly address the listening socket or service, greater security is provided than with traditional firewall or proxy devices. To receive a redirected proxy connection, a service process creates a listening socket and binds a name in an alternate namespace to the socket before listening for connections.
Type: Grant
Filed: March 27, 2013
Date of Patent: November 11, 2014
Assignee: McAfee, Inc.
Inventors: Michael Green, David F. Diehl, Michael J. Karels
-
Patent number: 8884736
Abstract: Processing communications to and from multiple communications systems based on user preferences and based on presence information for one or more users of the communications systems is provided. A user who operates multiple communications systems may set preferences with each of the systems individually or through a centralized communications management system to control call processing to each of the systems based on prescribed user preferences and based on presence information for the user. In addition, communications applications associated with one or more communications systems may be automatically activated or functionally modified based on user preferences and/or user presence information.
Type: Grant
Filed: April 11, 2011
Date of Patent: November 11, 2014
Assignee: Cox Communications, Inc.
Inventors: Douglas David Gravino, Radhakrishnan Gopinath, Michael Lee Poffenberger
-
Patent number: 8887253
Abstract: Discussed is a method of operating a CPNS (converged personal network service) gateway apparatus. The method includes transmitting a registration request message including user information to a server; transmitting an installation request message including the user information to a terminal; generating first authentication data on the basis of authentication information received by a user input; transmitting a trigger message including the first authentication data to the terminal; receiving a key assignment request message including second authentication data from the terminal in response to the trigger message; transmitting the received key assignment request message to the server; receiving a key assignment response message including a user key for the terminal in response to the key assignment request message; and transmitting the received key assignment response message to the terminal.
Type: Grant
Filed: September 28, 2011
Date of Patent: November 11, 2014
Assignee: LG Electronics Inc.
Inventors: Younsung Chu, Jihye Lee
-
Patent number: 8886938
Abstract: A method and system for validating a form, that includes providing, to a client, the form comprising a primary token, receiving, in response to the client loading the form, a request for a secondary token, providing the secondary token in response to receiving the request, and receiving the form comprising the primary token and the secondary token from the client. The method further includes validating the form, where validating the form includes obtaining a first primary token hash from the secondary token, applying a first hash function to the primary token to obtain a second primary token hash, and determining that the first primary token hash and the second primary token hash match. The method further includes accepting the form upon validating the form.
Type: Grant
Filed: December 31, 2012
Date of Patent: November 11, 2014
Assignee: Intuit Inc.
Inventor: Matthew Greenwood
-
Patent number: 8881272
Abstract: A system for controlling selection of filters for protecting against vulnerabilities of a computer network includes a vulnerability management system that analyzes the computer network and determines network vulnerabilities for the computer network. The vulnerability management system is configured to receive real-time data on a status of filters protecting against vulnerabilities of the computer network. A database contains a pre-generated mapping of network vulnerabilities to filters for protecting against the network vulnerabilities. The vulnerability management system enables user control of filters for protecting against vulnerabilities of the computer network based upon the determined network vulnerabilities of the computer network, the pre-generated mapping of network vulnerabilities to the filters for protecting against the network vulnerabilities, and the real-time data on the status of the filters.
Type: Grant
Filed: March 18, 2010
Date of Patent: November 4, 2014
Assignee: Achilles Guard, Inc.
Inventors: Eva Bunker, Nelson Bunker, Kevin Mitchell, David Harris
-
Publication number: 20140325636
Abstract: Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, a switch maintains session data, the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular FSD. A data packet of a traffic session from a client device directed to a target device is received at the switch. When none of the session entries are determined to correspond to the data packet, an FSD is selected to associate with the first traffic session by performing a load balancing function on at least a portion of the data packet. When a matching session entry exists, an FSD identified by the matching session entry is selected to process the data packet. The data packet is then caused to be processed by the selected firewall security device.
Type: Application
Filed: July 8, 2014
Publication date: October 30, 2014
Applicant: Fortinet, Inc.
Inventors: Joe Mihelich, Son Pham, Jun Li
-
Patent number: 8874771
Abstract: A plurality of computer nodes communicates using seemingly random IP source and destination addresses and (optionally) a seemingly random discriminator field. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are rejected. In addition to "hopping" of IP addresses and discriminator fields, hardware addresses such as Media Access Control addresses can be hopped. The hopped addresses are generated by random number generators having non-repeating sequence lengths that are easily determined a priori, which can quickly jump ahead in sequence by an arbitrary number of random steps and which have the property that future random numbers are difficult to guess without knowing the random number generator's parameters. Synchronization techniques can be used to re-establish synchronization between sending and receiving nodes.
Type: Grant
Filed: August 16, 2007
Date of Patent: October 28, 2014
Assignee: VirnetX, Inc.
Inventors: Edmund Colby Munger, Vincent J. Sabio, Robert Dunham Short, III, Virgil D. Gligor
-
Patent number: 8875277
Abstract: A process is disclosed in which all network traffic between a mobile device and an untrusted network arriving before the establishment of a VPN tunnel is dropped in response to rules imposed by the mobile device's operating system. Once a VPN tunnel is established, all communication from the mobile device is secured, without an intervention on the part of the user of the device. A device supporting such a process is also disclosed.
Type: Grant
Filed: June 4, 2012
Date of Patent: October 28, 2014
Assignee: Google Inc.
Inventor: Jeff Sharkey
-
Patent number: 8875267
Abstract: Active learning-based fraud detection techniques are provided in adaptive authentication systems. An authentication request from an authentication requestor is processed by receiving the authentication request from the authentication requestor; comparing current data for the user associated with the user identifier with historical data for the user; generating an adaptive authentication result based on the comparison indicating a likelihood that current user data is associated with a fraudulent user; and performing one or more additional authentication operations to improve learning if the request satisfies one or more predefined non-risk-based criteria. The predefined non-risk-based criteria comprise, for example, (i) the request receiving a riskiness score below a threshold based on current data, where the request was expected to have a risk score above a threshold, or (ii) the request being in a bucket having a number of tagged events below a threshold.
Type: Grant
Filed: June 29, 2012
Date of Patent: October 28, 2014
Assignee: EMC Corporation
Inventors: Eyal Kolman, Alon Kaufman, Yael Villa
-
Patent number: 8874930
Abstract: A storage system stores information about a graph in an encrypted form. A query module can submit a token to the storage system to retrieve specified information about the graph, e.g., to determine the neighbors of an entity in the graph, or to determine whether a first entity is connected to a second entity, etc. The storage system formulates its reply to the token in a lookup result. Through this process, the storage system gives selective access to information about the graph to authorized agents, yet otherwise maintains the general secrecy of the graph from the perspective of unauthorized agents, including the storage system itself. A graph processing module can produce encrypted graph information by encrypting any representation of the graph, such as an adjacency matrix, an index, etc.
Type: Grant
Filed: December 9, 2009
Date of Patent: October 28, 2014
Assignee: Microsoft Corporation
Inventors: Melissa E. Chase, Seny F. Kamara
-
Publication number: 20140317720
Abstract: Methods of communicatively connecting first and second endpoints are disclosed. One method includes transmitting from a first endpoint to a second endpoint a connection request, the connection request including an IP address of the second endpoint. The method further includes, based at least in part on the IP address of the second endpoint, selecting IPsec from among a plurality of available security protocols to first attempt to use in forming a tunnel between the first and second endpoints, and forming the tunnel between the first and second endpoints based on the connection request.
Type: Application
Filed: September 30, 2013
Publication date: October 23, 2014
Inventors: Robert A. Johnson, Kathleen Wild, Sarah K. Inforzato, Ted Hinaman
-
Patent number: 8869283
Abstract: A method or system of receiving an electronic file containing content data in a predetermined data format, the method comprising the steps of: receiving the electronic file, determining the data format, parsing the content data to determine whether it conforms to the predetermined data format, and if the content data does conform to the predetermined data format, regenerating the parsed data to create a regenerated electronic file in the data format.
Type: Grant
Filed: April 4, 2012
Date of Patent: October 21, 2014
Assignee: Glasswall (IP) Limited
Inventor: Nicholas John Scales
-
Patent number: 8867553
Abstract: A network element, method and computer program product are enabled to perform interactive connectivity checks in a mobility environment. Specifically, a network element comprises a discovery unit configured to identify a candidate, defined as a combination of an internet protocol address and a port which the network element can use to communicate with a particular other network element. The network element further comprises a mobile internet protocol signaling unit configured to submit a candidate identified by the discovery unit and to receive a candidate related to the other network element, and a simple traversal underneath network address translators protocol enabled unit configured to perform a connectivity check for a pair constituted by the submitted candidate and the received candidate by using the simple traversal underneath network address translators protocol.
Type: Grant
Filed: June 12, 2008
Date of Patent: October 21, 2014
Assignee: Nokia Corporation
Inventors: Pasi Ismo Eronen, Hannes Tschofenig