Abstract: A security token access device, a user device such as a computing device or communications device, and a method for managing multiple connections between multiple user devices and the access device. The access device maintains connection information, including security information, for each user device securely paired with the access device. Each time a new user device is paired with the access device, the access device transmits a notification to the user devices already paired to the user device. A user may provide instructions to the access device to terminate a pairing with one of the user devices by overwriting at least a portion of the connection information associated with the designated user device. A user device may further request a listing of all user devices currently paired with the access device.

Abstract: An example router device disclosed herein functions as a transport level proxy and application level proxy, is able to host both authenticated user and device sessions with stored session state and access control to resources for enhanced performance and ease of use. The device is able to function as a protocol proxy for improved performance and security. The device may be configured to implement a captive portal login mechanism, and may programmatically force unsecure LAN-side client requests to secure WAN-side connections. The device may execute an API for remote applications to utilize. The router device may pre-fetch content for client devices, and may communicate with other servers and peer routers to ascertain congestion on the WAN, and perform intelligent routing of WAN traffic based on the detected congestion. The device may also employ techniques to enhance privacy, virtualized address spaces, cookie filters, and traffic modification.

Abstract: A method and system for controlling access to an application being executed by a server. A time interval between the server's receipt times of a first request and a second request. The first and second requests are included in multiple requests for an access to the application. An adjustment value is selected based on the time interval and multiple historical time intervals. Each historical time interval is between the server's receipt times of two requests of the multiple requests. The two requests' receipt times are prior to the first and second requests' receipt times. An accumulator is adjusted with the adjustment value, resulting in the accumulator's value exceeding a predefined threshold. Access to the application is controlled via a warning, a delay in responding to the second request, a temporary halt in processing, or a permanent access denial in response to the accumulator's value exceeding the threshold.

Abstract: A multi-tenant data center environment includes a dedicated domain having at least one dedicated server associated with a client and a cloud domain having at least one cloud server associated with the client. The cloud server may have a public interface to a public network and a private interface to a private network. In turn, a network device is coupled between the dedicated domain and the public network, and is further coupled to the cloud server via the private network. A controller of the data center may be used to determine presence of the cloud server, and configure the network device to allow certain traffic to pass directly to the dedicated domain, while preventing other traffic from this direct path, based on access controls of the network device.

Abstract: An IMS system includes an IMS initiator user entity. The system includes an IMS responder user entity that is called by the initiator user entity. The system includes a calling side S-CSCF in communication with the caller entity which receives an INVITE having a first protection offer and parameters for key establishment from the caller entity, removes the first protection offer from the INVITE and forwards the INVITE without the first protection offer. The system includes a receiving end S-CSCF in communication with the responder user entity and the calling side S-CSCF which receives the INVITE without the first protection offer and checks that the responder user entity supports the protection, inserts a second protection offer into the INVITE and forwards the INVITE to the responder user entity, wherein the responder user entity accepts the INVITE including the second protection offer and answers with an acknowledgment having a first protection accept.

Abstract: A method is provided for electronically masking the geographic location of a client device in a communication network comprising the following steps: (a) mapping a communication from a first diverter node at a first location to a second diverter node at a second location, and (b) causing the communication to appear as originating from a client device at the second location when the communication is received by a destination device, wherein the second location is different from the first location. Also provided is a device that may be used to implement such a method.

Abstract: A computer-implemented method includes receiving, by one or more servers associated with an application marketplace, a policy that includes data that identifies one or more users, and a restricted permission. A request is received, by the servers associated with the application marketplace, to access one or more applications that are distributed through the application marketplace, wherein the request includes data that identifies a particular one of the users. One or more of the applications that are associated with the restricted permission are identified by the servers associated with the application marketplace, and access by the particular user to the applications that are associated with the restricted permission is restricted by the servers associated with the application marketplace.

Abstract: A method, system and apparatus for authenticating a communication request sent from a client computing device. The communication request is initially blocked by a firewall preventing delivery to a server. A first logging event corresponding to the communication request is created. The communication request and the logging event are stored in a firewall. The server is notified of the first logging event. The communication request corresponding to the first logging event is authenticated. A port in the firewall is enabled if the communication request is authenticated.

Abstract: Methods and apparatus, including computer program products, are provided for using a relative timestamp to log activity in a distributed computing system. In one aspect, there is provided a computer-implemented method. The method may include receiving a message including a first timestamp representative of when the message is sent at a first processor. A second processor may generate an entry logging receipt of the received message. The second processor may determine a second timestamp representative of a time relative to the first timestamp. The second timestamp may be included as an entry at a log at the second processor.

Abstract: A system and method for discovering security classifications of network areas includes representing actually allowed network flows and flows permitted by a security policy in a format that enables comparison. The actually allowed network flows and the security policy are provided in a networked computing environment including network areas, wherein each network area is a collection of one or more computing and network devices, and enterprise security policy defines security requirements for security classifications. An assignment of security classifications to network areas is determined by comparing the actually allowed network flows with the flows permitted by the security policy.

Abstract: Methods and systems are provided for improving a firewall implemented at a WLAN infrastructure device (WID). The WID includes a stateful firewall that implements firewall rules based on an ESSID of the WID to specify whether traffic is allowed to or from the ESSID. For example, in one implementation of such a firewall rule, packets that are required to be sent out on all wired ports can be blocked from being flooded out on WLANs (e.g., the packet is allowed to pass only to the wired ports). A method and system are provided for preventing a malicious wireless client device (WCD) that is transmitting undesirable traffic from using RF resources by deauthenticating the malicious WCD to remove it from the WLAN and blacklisting it to prevent it from rejoining the WLAN for a time period. Method and systems are also provided for either “on-demand” and/or predicatively communicating state information regarding an existing firewall session.

Abstract: Methods and apparatus for a configurable-quality random data service are disclosed. A method includes implementing programmatic interfaces enabling a determination of respective characteristics of random data to be delivered to one or more clients of a random data service of a provider network. The method includes implementing security protocols for transmission of random data to the clients, including a protocol for transmission of random data to trusted clients at devices within the provider network. The method further includes obtaining, on behalf of a particular client and in accordance with the determined characteristics, random data from one or more servers of the provider network, and initiating a transmission of the random data directed to a destination associated with the particular client.

Abstract: A network security monitoring apparatus and a network security monitoring system manages “permitted” or “not permitted” communication between nodes based on an access policy. A network security monitoring system includes nodes 31,32,33, application server 20, router 40, and network security monitoring apparatus 10 deployed in the network. The network security monitoring apparatus 10 judges whether the nodes are permitted to communicate with other nodes in the network or not based on the access policy, and repeatedly transmits data to block the communication between nodes judged as “not permitted” at fixed time intervals until the access policy is changed from “not permitted” to “permitted”. This invention enables to block communication between nodes defined as “not permitted” for communicating with other nodes in the access policy, and to allow communication between nodes defined as “permitted” for communicating with other nodes in the access policy.

Abstract: Systems and methods for providing automated computer support are described herein. One described method comprises receiving a plurality of snapshots from a plurality of computers, storing the plurality of snapshots in a data store, and creating an adaptive reference model based at least in part on the plurality of snapshots. The described method further comprises comparing at least one of the plurality of snapshots to the adaptive reference model, and identifying at least one anomaly based on the comparison.

Abstract: In a method and appliance for authenticating, by an appliance, a client to access a virtual network connection, based on an attribute of a client-side certificate, a client authentication certificate is requested from a client. A value of at least one field in the client authentication certificate received from the client is identified. One of a plurality of types of access is assigned responsive to an application of a policy to the identified value of the at least one field, each of the plurality of access types associated with at least one connection characteristic.

Abstract: JavaScript on webpages linked to by URLs in messages is identified and the JavaScript is extracted. The JavaScript is then subjected to a JavaScript execution and analysis process whereby the JavaScript is executed in the context of a simulated web browser. The behavior of the JavaScript is then analyzed to identify one or more of: any URLs to be redirected to; any further executable JavaScript; and any content dynamically written to the webpage. The results are then either recursed into or are recorded and used to aid in the identification of spam messages.

Abstract: Disclosed is a computer implemented method to report a bad host. A receiver host receives a packet from a sender host. The receiver host detects that the packet contains suspect hostile content. The receiver host transmits a negative trust report.

Abstract: A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.

Abstract: A method for authorizing and accounting a host with multiple addresses in IPv6 Network includes: authorizing multiple addresses of the host respectively; charging the multiple addresses authorized of the host respectively. A system based on the above method includes: a network access server, for transmitting accounting information of multiple addresses of a host upon receiving authorization information; an Authentication, Authorization and Accounting (AAA) server, for authorizing the multiple addresses of the host respectively, and transmitting the authorization information to the network access server; receiving the accounting information transmitted from the network access server, and charging the multiple addresses according to the accounting information respectively.

Abstract: A method and apparatus for creating a policy based on a pre-configured template is described. In one embodiment, source data having a tabular structure is identified. Further, one of multiple policy templates is used to automatically create a policy for detecting information from any one or more rows within the tabular structure of the source data.

Abstract: A method and system for providing security to a Network Job Entry (NJE) network. A first NJE node and a third NJE node are connected by a second NJE node. The second NJE node conducts a security check of NJE packets traveling between the first and third NJE nodes. The security check performed by the second NJE node includes checking the userid of the person or job that sent the NJE packet, as well as the NJE data type. The NJE data type may be classified by the type of operation being performed, such as a batch job, sysout, command, message, as well as what application is being used. In one preferred embodiment, the security check includes checking the security level of the source of the data being transferred, such as a sensitive application. The security check can be based on the size of the data packet, such that excessively large data packets from a particular user are not permitted to be transmitted outside a secure NJE network.

Abstract: A Mandatory Access Control (MAC) aware firewall includes an extended rule set for MAC attributes, such as a security label or path. Application labels may be used to identify processes and perform firewall rule-checking. The firewall rule set may including conventional firewall rules, such as address checking, in addition to an extension for MAC attributes.

Abstract: A method of controlling an apparatus comprising a plurality of features and adapted to receive messages via a first network interface, wherein said method is implemented in a filter superposed on the top of an existing architecture of the apparatus. The method comprises the following steps: receiving network management message via said first network interface; interrogating said message in order to identify a feature said network management message relates to and filtering the received management message such that said management message is rejected if the identified feature is classified as disabled and said management message is allowed top go through if said feature is classified as enabled.

Abstract: A cloud center infrastructure system may include a service aggregator connected directly to a provider network. The service aggregator may be configured to receive, via the provider network, a data unit from a customer device, associated with a customer; identify a first device, associated with a first traffic processing service, based on a sequence of traffic processing services associated with the customer; and send the data unit to the first device, wherein the first device is located in a cloud services center, and wherein the first device is connected to the service aggregator over a Layer 2 connection.

Abstract: An e-mail firewall applies policies to e-mail messages between a first site and second sites in accordance with administrator selectable policies. The firewall includes a simple mail transfer protocol relay for causing the e-mail messages to be transmitted between the first site and selected ones of the second sites. Policy managers enforce-administrator selectable policies relative to one or more of encryption and decryption, signature, source/destination, content and viruses.

Abstract: A system inserts at least one notifying identifier in the computer system. The at least one notifying identifier provides execution information associated with the computer system. The system receives execution information from the at least one notifying identifier, the execution information identifies details associated with a traffic flow on the computer system. The system then generates a signature based on a deterministic link provided by the execution information provided by the at least one notifying identifier. The signature is utilized to prevent further damage caused to the computer system by at least one attack.

Abstract: In one embodiment, a security device receives one or more first unique identifications of packets sent by a first device to a second device for which a corresponding acknowledgment was purportedly returned by the second device to the first device. The security device also receives one or more second unique identifications of packets received by the second device from the first device and acknowledged by the second device to the first device. By comparing the first and second unique identifications, the security device may then determine whether acknowledgments received by the first device were truly returned from the second device based on whether the first and second unique identifications exactly match.

Abstract: An apparatus for analyzing traffic is provided. The apparatus may precisely identify and analyze web traffic through 5 tuple-, HTTP-, and request/response pair-based packet analysis by monitoring the correlation between sessions.

Abstract: A computer-implemented method for prioritizing the monitoring of malicious uniform resource locators for new malware variants may comprise: 1) identifying at least one malicious uniform resource locator, 2) collecting priority information relating to the malicious uniform resource locator, wherein the priority information comprises information relevant to prioritizing monitoring of the malicious uniform resource locator for new malware variants, 3) determining, based on the priority information, a monitoring-priority level for the malicious uniform resource locator, and then 4) allocating, based on the monitoring-priority level, a monitoring resource for monitoring the malicious uniform resource locator. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Architecture that provides additional data that can be obtained and employed in security models in order to provide security to services over the service lifecycle. The architecture automatically propagates security classifications throughout the lifecycle of the service, which can include initial deployment, expansion, moving servers, monitoring, and reporting, for example, and further include classification propagation from the workload (computer), classification propagation in the model, classification propagation according to the lineage of the storage location (e.g., virtual hard drive), status propagation in the model and classification based on data stored in the machine.

Abstract: A client-side user agent operates in conjunction with an identity selector to institute and exercise privacy control management over user identities managed by the identity selector. The user agent includes the combination of a privacy enforcement engine, a storage of rulesets expressing user privacy preferences, and a preference editor. The editor enables the user to direct the composition of privacy preferences relative to user identities. The preferences can be applied to individual cards and to categorized groups of attributes. The engine evaluates the proper rulesets against the privacy policy of a service provider. The privacy preferences used by the engine are determined on the basis of specifications in a security policy indicating the attribute requirements for claims that purport to satisfy the security policy.

Abstract: A method is provided in one example embodiment that includes intercepting a network flow to a destination node having a network address and sending a discovery query based on a discovery action associated with the network address in a firewall cache. A discovery result may be received and metadata associated with the flow may be sent to a firewall before releasing the network flow. In other embodiments, a discovery query may be received from a source node and a discovery result sent to the source node, wherein the discovery result identifies a firewall for managing a route to a destination node. Metadata may be received from the source node over a metadata channel. A network flow from the source node to the destination node may be intercepted, and the metadata may be correlated with the network flow to apply a network policy to the network flow.

Abstract: Enabling a client computer to perform an operation is disclosed. Login information is received from a client computer. The login information is confirmed by querying a trusted agent on the client computer.

Abstract: In general, techniques are described for seamlessly migrating a secure session established between a first computing device and a secure access appliance to a second computing device. In one example, a client computing device establishes a secure session with a secure access appliance. The client computing device receives a request via a communication channel from a second client computing device for secure session data for the first secure session usable by the second client computing device to establish a second secure session with the secure access appliance. The client computing device generates a message that includes the secure session data for the first secure session and sends the message to the second client computing device. Responsive to receiving the message, the second client computing device establishes a new secure session with the secure access appliance.

Abstract: An integrated virtual desktop and security management system provides the virtual desktop server functionality and, more importantly, security management for computing devices and servers in the corporate data network. The computing devices include computers running virtual desktop client software and computers running a complete operating system and applications. The system in this invention can intercept data packets exchanged among the computing devices and servers and also can scrutinize virtual machine computing and networking activities, and therefore, possess the capability of analyzing, logging, reporting, and permitting or denying computing and networking activities of devices in the corporate data network.

Abstract: A method of playing content across a network includes receiving, at a media player, an input from a user selecting media located on a network, sending a request across a network comprised of devices employing a common security protocol, the request to identify peer devices on the network, receiving a response across the network from a peer device, and accessing the media from a content memory of the peer device. A method of tracking valid peers on a secure media network, includes receiving, at a media player, an input from a user selecting media located on a peer device on the network, performing an authentication test of the peer player, determining if a latency associated with the peer player meets a criteria, and updating a latency log on the media player to include the peer player.

Abstract: A method for buffering SSL handshake messages prior to computing a message digest for the SSL handshake includes: conducting, by an appliance with a client, an SSL handshake, the SSL handshake comprising a plurality of SSL handshake messages; storing, by the appliance, the plurality of SSL handshake messages; providing, by the appliance to a message digest computing device in response to receiving a client finish message corresponding to the SSL handshake, the plurality of SSL handshake messages; receiving, by the appliance from the message digest computing device, a message digest corresponding to the provided messages; determining by the appliance, the message digest matches a message digest included in the SSL client finish message; and completing, by the appliance with the client, the SSL handshake. Corresponding systems are also described.

Abstract: A method is provided in one example embodiment and includes receiving a traffic flow at a tamper resistant environment from an application, where the tamper resistant environment is separated from a host operating system. The method also includes applying a security token to the traffic flow and sending the traffic flow to a server. In specific embodiments, a security module may add information about the application to traffic flow. A trapping module may monitor for a memory condition and identify the memory condition. The trapping module may also, responsive to identifying the memory condition, initiate a virtual environment for the application, and check the integrity of the traffic flow.

Abstract: The present invention relates to a system and method for facilitating access to secure network sites, such as sites providing secure financial information. An active software agent is utilized to fetch passwords and user identifiers from a user computing system and to use the passwords and identifiers to extract required information from the secure site. The password sites and identifiers are encrypted and an encryption key is stored at a network mode remote from the user's computer and is fetched in order to enable the passwords and identifiers to be decrypted so that the active agent can use them to obtain the required information.

Abstract: A data communication security system is disclosed that includes a network interface including a first security module implementing a first security architecture, and a second security module implementing a second security architecture different from the first security architecture. The network interface further includes a file-based application programming interface defining a plurality of attributes of the network interface and including at least one attribute associated with data security managed by one of the first and second security modules. The file-based application programming interface includes at least one attribute from among the plurality of attributes that is associated with selecting between the first or second security modules.

Abstract: Servers are configured to operate in two or more threshold security planes with each such threshold security plane implementing at least a portion of a corresponding threshold security protocol involving at least a subset of the servers. The servers are implemented on at least one processing device comprising a processor coupled to a memory. Multiple ones of the servers may be implemented on a single processing device, or each of the servers may be implemented on a separate processing device. At least one of the servers may be part of at least two of the threshold security planes. A given request for a protected resource is processed through each of the planes in order for a corresponding user to obtain access to the protected resource. By way of example, the security planes may comprise two or more of an authentication plane, an access control plane and a resource plane.

Abstract: Providing for employing a real time firewall to secure components of an automation control network from unauthorized communication to or from such components is disclosed herein. A monitoring component can inspect at least a portion of an instance of communication directed toward or originating from a component of the automation control network. Such inspection can, e.g., be a deep packet inspection based on information received from a communication request and/or response protocol. A filtering component can selectively admit or deny propagation of the instance of communication based on the inspection and a predetermined security criterion. In such a manner, the subject innovation can provide for limited access to network components from office network machines and for securing components of an automation control network from influence by unauthorized entities.

Abstract: At least one of an HTTP request message and an HTTP response message is intercepted. A corresponding HTTP message model includes a plurality of message model sections. A representation of the at least one of an HTTP request message and an HTTP response message is parsed into message sections in accordance with the message model sections of the HTTP message model. A plurality of security rules are bounds to the message model sections. The plurality of security rules each specify at least one action to be taken in response to a given condition, which is based, at least in part, on a corresponding given one of the message sections. The at least one of an HTTP request message and an HTTP response message is processed in accordance with the plurality of security rules. Techniques for developing rules for a web application server firewall are also provided.

Abstract: Methods and apparatus are provided for end-to-end security in heterogeneous networks. Hop-by-hop protection techniques ensure that each hop of a signaling path is satisfying one or more predefined security criteria. An end-to-end path is secured at each node by identifying a next hop in the end-to-end path; determining, in response to a received call setup request, if a vendor associated with the next hop in the end-to-end path has satisfied one or more predefined security criteria; and routing the call to the next hop if the vendor has satisfied the one or more predefined criteria. A look-up table can be used to determine whether a vendor has satisfied the one or more predefined security criteria. The look-up table can identify one or more of: (i) vendors that have achieved a predefined security rating; (ii) members in a predefined consortium or business group; and (iii) signatories to a predefined contract or technical specification.

Abstract: A system and method are disclosed for improving a statistical message classifier. A message may be tested with a machine classifier, wherein the machine classifier is capable of making a classification on the message. In the event the message is classifiable by the machine classifier, the statistical message classifier is updated according to the reliable classification made by the machine classifier. The message may also be tested with a first classifier. In the event that the message is not classifiable by the first classifier, it is tested with a second classifier, wherein the second classifier is capable of making a second classification. In the event that the message is classifiable by the second classifier, the statistical message classifier is updated according to the second classification.

Abstract: Embodiments of the present invention are directed to establishing and/or implementing firewall rules that may employ parameters based on connection security levels for a connection between devices. A firewall may thus provide greater granularity of security and integrate more closely with other security methods to provide better overall security with fewer conflicts.

Abstract: Devices, systems, methods, and other embodiments associated with processing commands according to authorization are described. In one embodiment, a chip includes an unsecure module configured to control unsecure firmware to process a command on data flowing in a datapath. The unsecure module processes commands from untrusted sources and trusted sources. The chip includes a secure module configured to determine if a command is from a trusted source and when the command is from a trusted source, the secure module controls secure firmware to further process the data flowing in the datapath. When the command is from an untrusted source, the secure module controls the secure firmware to not process the data flowing in the datapath.

Abstract: Structures and protocols are presented for signaling a status or decision concerning a wireless service or device within a region to a network participant or other communication device (smartphone or motor vehicle, e.g.).

Abstract: A system and method for providing persistence in a secure network access by using a client certificate sent by a client device to maintain the identity of a target. A security handshake is performed with a client device to establish a secure session. A target is determined. A client certificate is associated with the target. During subsequent secure sessions, the client certificate is used to maintain persistent communications between the client and a target. A session ID can be used in combination with the client certificate, by identifying the target based on the session ID or the client certificate, depending on which one is available in a client message.

Abstract: A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each, of the at least one potential hijack AS.